Identity Domain

The Identity domain manages identity and access management for the Control Plane through Keycloak integration. It provisions identity providers, realms, and service-account clients in a declarative, Kubernetes-native way.

Custom Resources

Client

Client is the Schema for the clients API

Group: identity.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ClientSpec

Appears in: Client

ClientSpec defines the desired state of Client

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `clientId` | string | | Required |
| `clientSecret` | string | | Required |
| `realm` | ObjectRef | | Required |

ObjectRef

Appears in: ClientSpec, RealmSpec

ObjectRef is a reference to a Kubernetes object. It is similar to types.NamespacedName but carries the json tags required for serialization.

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `name` | string | | Required |
| `namespace` | string | | Required |
| `uid` | string | | Optional |

ClientStatus

Appears in: Client

ClientStatus defines the observed state of Client

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `clientUid` | string | | Optional |
| `conditions` | Condition[] | | Optional |
| `issuerUrl` | string | | Required |
| `rotatedClientSecret` | string | | Optional |
| `rotatedSecretExpiresAt` | string | | Optional, Format: date-time |
| `secretExpiresAt` | string | | Optional, Format: date-time |

Condition

Appears in: ClientStatus, IdentityProviderStatus, RealmStatus

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `lastTransitionTime` | string | | Required, Format: date-time |
| `message` | string | | Required, maxLength: 32768 |
| `observedGeneration` | integer | | Optional, Format: int64, minimum: 0 |
| `reason` | string | | Required, minLength: 1, maxLength: 1024, pattern: `^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$` |
| `status` | string | | Required, Enum: True \| False \| Unknown |
| `type` | string | | Required, maxLength: 316, pattern: `^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` |

IdentityProvider

IdentityProvider is the Schema for the identityproviders API

Group: identity.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

IdentityProviderSpec

Appears in: IdentityProvider

IdentityProviderSpec defines the desired state of IdentityProvider

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `adminClientId` | string | | Required |
| `adminPassword` | string | | Required |
| `adminUrl` | string | | Required |
| `adminUserName` | string | | Required |

IdentityProviderStatus

Appears in: IdentityProvider

IdentityProviderStatus defines the observed state of IdentityProvider

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `adminConsoleUrl` | string | | Optional |
| `adminTokenUrl` | string | | Required |
| `adminUrl` | string | | Required |
| `conditions` | Condition[] | | Optional |

Realm

Realm is the Schema for the realms API

Group: identity.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

RealmSpec

Appears in: Realm

RealmSpec defines the desired state of Realm

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `claims` | Claims[] | | Optional |
| `identityProvider` | ObjectRef | | Required |
| `secretRotation` | SecretRotation | | Optional |

Claims

Appears in: RealmSpec

Claims defines claims that are added to all tokens issued for clients in this realm. Each claim can be a static value (HardcodedClaim) or derived from a Keycloak session note (SessionNote). The controller manages a dedicated Keycloak client scope with protocol mappers for each claim.

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `name` | string | | Required, minLength: 1 |
| `type` | string | HardcodedClaim | Optional, Enum: HardcodedClaim \| SessionNote |
| `value` | string | | Optional |

SecretRotation

Appears in: RealmSpec

SecretRotation configures the Keycloak client-secret rotation policy for this realm. When set, the controller ensures that a client-policy profile and policy with the given grace period exist in Keycloak. When nil, the controller does not manage the rotation policy.

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `expirationPeriod` | string | | Required |
| `gracePeriod` | string | | Required |
| `remainingRotationPeriod` | string | | Required |

RealmStatus

Appears in: Realm

RealmStatus defines the observed state of Realm

| Field | Type | Default | Validation |
| --- | --- | --- | --- |
| `adminClientId` | string | | Required |
| `adminPassword` | string | | Required |
| `adminTokenUrl` | string | | Required |
| `adminUrl` | string | | Required |
| `adminUserName` | string | | Required |
| `conditions` | Condition[] | | Optional |
| `issuerUrl` | string | | Required |
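The tables above describe validation rules (required fields, the claim-type enum and default, the Condition length limits and patterns), but they do not show what a manifest that satisfies them looks like or how a reviewer would check one before applying it. The following Python is an added example written for this page; it is not code from the Control Plane project and does not use its controller or its Go types. It transcribes the rules from the ClientSpec/ObjectRef, RealmSpec/Claims/SecretRotation and Condition tables into a small pre-admission validator and runs it over a constructed Realm manifest. The manifest's names, the period strings such as `720h`, and the session-note name are constructed sample values, not values taken from the project.

```python
import re
from datetime import datetime

# Rules transcribed from the CRD reference tables on this page.
CLAIM_TYPES = {"HardcodedClaim", "SessionNote"}
DEFAULT_CLAIM_TYPE = "HardcodedClaim"
CONDITION_STATUS = {"True", "False", "Unknown"}
CONDITION_REASON_RE = re.compile(r"^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$")
CONDITION_TYPE_RE = re.compile(
    r"^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?"
    r"(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$"
)


def _require_str(obj, fields, path, errors):
    """Each listed field must be present and of type string."""
    for f in fields:
        if not isinstance(obj.get(f), str):
            errors.append(f"{path}.{f}: required string")


def validate_object_ref(ref, path):
    """ObjectRef: name and namespace required, uid optional."""
    if not isinstance(ref, dict):
        return [f"{path}: required ObjectRef"]
    errors = []
    _require_str(ref, ("name", "namespace"), path, errors)
    if "uid" in ref and not isinstance(ref["uid"], str):
        errors.append(f"{path}.uid: must be a string")
    return errors


def validate_realm_spec(spec):
    """Return the list of violations for a RealmSpec; empty means valid."""
    errors = validate_object_ref(spec.get("identityProvider"), "spec.identityProvider")
    for i, claim in enumerate(spec.get("claims") or []):
        path = f"spec.claims[{i}]"
        name = claim.get("name")
        if not isinstance(name, str) or len(name) < 1:
            errors.append(f"{path}.name: required, minLength 1")
        # type is optional and defaults to HardcodedClaim
        if claim.get("type", DEFAULT_CLAIM_TYPE) not in CLAIM_TYPES:
            errors.append(f"{path}.type: must be one of {sorted(CLAIM_TYPES)}")
    rotation = spec.get("secretRotation")
    if rotation is not None:  # optional block, but all three periods are required when present
        _require_str(rotation, ("expirationPeriod", "gracePeriod", "remainingRotationPeriod"),
                     "spec.secretRotation", errors)
    return errors


def validate_condition(cond):
    """Check one status condition against the Condition table (lengths, patterns, enum)."""
    errors = []
    _require_str(cond, ("lastTransitionTime", "message", "reason", "status", "type"), "condition", errors)
    if errors:
        return errors
    try:
        datetime.fromisoformat(cond["lastTransitionTime"].replace("Z", "+00:00"))
    except ValueError:
        errors.append("condition.lastTransitionTime: not an RFC 3339 date-time")
    if len(cond["message"]) > 32768:
        errors.append("condition.message: maxLength 32768")
    if not 1 <= len(cond["reason"]) <= 1024 or not CONDITION_REASON_RE.match(cond["reason"]):
        errors.append("condition.reason: length 1..1024 and must match the reason pattern")
    if cond["status"] not in CONDITION_STATUS:
        errors.append("condition.status: must be True, False or Unknown")
    if len(cond["type"]) > 316 or not CONDITION_TYPE_RE.match(cond["type"]):
        errors.append("condition.type: maxLength 316 and must match the type pattern")
    og = cond.get("observedGeneration")
    if og is not None and (isinstance(og, bool) or not isinstance(og, int) or og < 0):
        errors.append("condition.observedGeneration: integer >= 0")
    return errors


# Constructed sample manifest (not from the project); period formats are assumed.
SAMPLE_REALM = {
    "apiVersion": "identity.cp.ei.telekom.de/v1",
    "kind": "Realm",
    "metadata": {"name": "example-realm", "namespace": "example-ns"},
    "spec": {
        "identityProvider": {"name": "example-idp", "namespace": "example-ns"},
        "claims": [
            {"name": "tenant", "value": "example-tenant"},                     # HardcodedClaim by default
            {"name": "origin", "type": "SessionNote", "value": "example-note"},
        ],
        "secretRotation": {"expirationPeriod": "720h", "gracePeriod": "24h",
                           "remainingRotationPeriod": "72h"},
    },
}

# Constructed sample condition (not from the project).
SAMPLE_CONDITION = {
    "type": "Ready", "status": "True", "reason": "Reconciled",
    "message": "realm provisioned", "lastTransitionTime": "2025-01-10T12:00:00Z",
    "observedGeneration": 3,
}

if __name__ == "__main__":
    print("realm:", validate_realm_spec(SAMPLE_REALM["spec"]) or "ok")
    print("condition:", validate_condition(SAMPLE_CONDITION) or "ok")
```

Running the validator in a CI step before `kubectl apply` catches the mistakes the API server's schema would reject anyway, but with a readable reason and without a round trip to the cluster; it also lets you lint status conditions emitted by a controller you are writing against the same patterns.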

Secret Rotation Support

When a Realm is configured with a secretRotation policy, the Identity domain provisions a Keycloak client-policy that enables graceful secret rotation for opted-in clients. During rotation:

  1. The current secret is moved to a "rotated" slot in Keycloak
  2. A new secret is set as the primary credential
  3. Both secrets are accepted until the grace period expires

Individual clients can opt out via the `identity.cp.ei.telekom.de/disable-secret-rotation: "true"` annotation.
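The three rotation steps above, together with the `rotatedClientSecret`, `rotatedSecretExpiresAt` and `secretExpiresAt` fields of ClientStatus, tell a workload everything it needs to know to stay inside the grace period. The following Python is an added example written for this page, not code from the Control Plane project: it reads a constructed Client object and answers the questions an operator or a workload's credential loader would ask, namely which secrets Keycloak still accepts right now, how much grace time is left for a cached secret, whether the primary secret is approaching `secretExpiresAt`, and whether the client has opted out through the annotation named above. It assumes that `spec.clientSecret` holds the resolved primary secret value (the page says the Secret Manager resolves references before provisioning, so in a real cluster it may be a reference instead); the UID, issuer URL and secret strings are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Opt-out annotation named on this page.
ROTATION_OPT_OUT_ANNOTATION = "identity.cp.ei.telekom.de/disable-secret-rotation"


def parse_rfc3339(value):
    """Parse the date-time strings used in ClientStatus (accepts the trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rotation_disabled(client):
    """True when the Client carries the opt-out annotation with the value "true"."""
    annotations = (client.get("metadata") or {}).get("annotations") or {}
    return annotations.get(ROTATION_OPT_OUT_ANNOTATION) == "true"


def accepted_secrets(primary_secret, status, now):
    """Secrets Keycloak still accepts for this client at `now`, primary first.

    Step 3 of the rotation: the rotated secret is accepted only until
    status.rotatedSecretExpiresAt, i.e. the end of the grace period.
    """
    accepted = [primary_secret]
    rotated = status.get("rotatedClientSecret")
    expires_at = status.get("rotatedSecretExpiresAt")
    if rotated and expires_at and now < parse_rfc3339(expires_at):
        accepted.append(rotated)
    return accepted


def grace_remaining_seconds(status, now):
    """Seconds left in which the rotated secret is accepted; None if no rotation is pending."""
    expires_at = status.get("rotatedSecretExpiresAt")
    if not status.get("rotatedClientSecret") or not expires_at:
        return None
    return max((parse_rfc3339(expires_at) - now).total_seconds(), 0.0)


def classify_cached_secret(cached_secret, primary_secret, status, now):
    """'current' (primary), 'rotated' (old secret, still in grace) or 'stale' (will be rejected)."""
    if cached_secret == primary_secret:
        return "current"
    if cached_secret in accepted_secrets(primary_secret, status, now)[1:]:
        return "rotated"
    return "stale"


def primary_expiring_within(status, now, window_days):
    """True if the primary secret's secretExpiresAt is at most `window_days` away."""
    expires_at = status.get("secretExpiresAt")
    if not expires_at:
        return False
    return parse_rfc3339(expires_at) - now <= timedelta(days=window_days)


# Constructed sample Client (not from the project); secrets and UID are placeholders.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
TWO_DAYS_LATER = NOW + timedelta(days=2)
SAMPLE_CLIENT = {
    "apiVersion": "identity.cp.ei.telekom.de/v1",
    "kind": "Client",
    "metadata": {"name": "example-client", "namespace": "example-ns", "annotations": {}},
    "spec": {
        "clientId": "example-client",
        "clientSecret": "PRIMARY-SECRET-PLACEHOLDER",  # assumed to be the resolved value
        "realm": {"name": "example-realm", "namespace": "example-ns"},
    },
    "status": {
        "clientUid": "00000000-0000-0000-0000-000000000000",
        "issuerUrl": "https://keycloak.example.invalid/realms/example-realm",
        "rotatedClientSecret": "ROTATED-SECRET-PLACEHOLDER",
        "rotatedSecretExpiresAt": "2025-01-11T12:00:00Z",   # 24h grace period from NOW
        "secretExpiresAt": "2025-02-09T12:00:00Z",          # primary expires 30 days after NOW
    },
}

if __name__ == "__main__":
    primary = SAMPLE_CLIENT["spec"]["clientSecret"]
    status = SAMPLE_CLIENT["status"]
    print("accepted now:", accepted_secrets(primary, status, NOW))
    print("grace left (s):", grace_remaining_seconds(status, NOW))
    print("cached old secret is:", classify_cached_secret("ROTATED-SECRET-PLACEHOLDER", primary, status, NOW))
    print("same secret two days later:", classify_cached_secret("ROTATED-SECRET-PLACEHOLDER", primary, status, TWO_DAYS_LATER))
    print("rotation disabled:", rotation_disabled(SAMPLE_CLIENT))
```

A workload that caches the secret at startup should re-read the Client on a schedule shorter than the grace period and treat a `stale` classification as an outage it caused itself, not as a Keycloak failure; an operator dashboard can alert on `grace_remaining_seconds` dropping below the pod restart time, and on `primary_expiring_within` for clients that have opted out and therefore get no automatic rotation.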

Domain Interactions

  • Admin domain — Zones define which identity provider to use.
  • Organization domain — Team creation provisions identity clients.
  • Application domain — Application creation provisions identity clients.
  • Event domain — EventConfig provisioning creates identity clients for OAuth2 token exchange.
  • Secret Manager — Resolves secret references before provisioning clients in Keycloak.