Identity Domain

The Identity domain manages identity and access management for the Control Plane through Keycloak integration. It provisions identity providers, realms, and service-account clients in a declarative, Kubernetes-native way.

Custom Resources

Client

Client is the Schema for the clients API

Group: identity.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

ClientSpec

Appears in: Client

ClientSpec defines the desired state of Client

Field	Type	Default	Validation
clientId	string	—	Required
clientSecret	string	—	Required
realm	ObjectRef	—	Required

ObjectRef

Appears in: ClientSpec, RealmSpec

ObjectRef is a reference to a Kubernetes object It is similar to types.NamespacedName but has the required json tags for serialization

Field	Type	Default	Validation
name	string	—	Required
namespace	string	—	Required
uid	string	—	Optional

ClientStatus

Appears in: Client

ClientStatus defines the observed state of Client

Field	Type	Default	Validation
conditions	Condition[]	—	Optional
issuerUrl	string	—	Required

Condition

Appears in: ClientStatus, IdentityProviderStatus, RealmStatus

Field	Type	Default	Validation
lastTransitionTime	string	—	Required, Format: date-time
message	string	—	Required, maxLength: 32768
observedGeneration	integer	—	Optional, Format: int64, minimum: 0
reason	string	—	Required, minLength: 1, maxLength: 1024, pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
status	string	—	Required, Enum: True \| False \| Unknown
type	string	—	Required, maxLength: 316, pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$

IdentityProvider

IdentityProvider is the Schema for the identityproviders API

Group: identity.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

IdentityProviderSpec

Appears in: IdentityProvider

IdentityProviderSpec defines the desired state of IdentityProvider

Field	Type	Default	Validation
adminClientId	string	—	Required
adminPassword	string	—	Required
adminUrl	string	—	Required
adminUserName	string	—	Required

IdentityProviderStatus

Appears in: IdentityProvider

IdentityProviderStatus defines the observed state of IdentityProvider

Field	Type	Default	Validation
adminConsoleUrl	string	—	Optional
adminTokenUrl	string	—	Required
adminUrl	string	—	Required
conditions	Condition[]	—	Optional

Realm

Realm is the Schema for the realms API

Group: identity.cp.ei.telekom.de · Version: v1 · Scope: Namespaced

RealmSpec

Appears in: Realm

RealmSpec defines the desired state of Realm

Field	Type	Default	Validation
identityProvider	ObjectRef	—	Required

RealmStatus

Appears in: Realm

RealmStatus defines the observed state of Realm

Field	Type	Default	Validation
adminClientId	string	—	Required
adminPassword	string	—	Required
adminTokenUrl	string	—	Required
adminUrl	string	—	Required
adminUserName	string	—	Required
conditions	Condition[]	—	Optional
issuerUrl	string	—	Required

Domain Interactions

• Admin domain — Zones define which identity provider to use.
• Organization domain — Team creation provisions identity clients.
• Application domain — Application creation provisions identity clients.
• Event domain — EventConfig provisioning creates identity clients for OAuth2 token exchange.
• Secret Manager — Resolves secret references before provisioning clients in Keycloak.

Related Pages

• Architecture: Gateway Domain
• Architecture: Organization Domain