39 changes: 39 additions & 0 deletions config/crd/bases/operator.kcp.io_frontproxies.yaml
Expand Up @@ -164,6 +164,26 @@ spec:
x-kubernetes-validations:
- message: OIDC requires ServiceAccount auth to be enabled.
rule: '!has(self.oidc) || (has(self.serviceAccount) && self.serviceAccount.enabled)'
caBundleSecretRef:
description: |-
CABundle references a v1.Secret object that contains the CA bundle
that should be used to validate the API server's TLS certificate.
The secret must contain a key named `tls.crt` that holds the PEM encoded CA certificate.
It will be merged into the "external-logical-cluster-admin-kubeconfig" kubeconfig under the `certificate-authority-data` field.
If not specified, the kubeconfig will use the CA bundle of the root shard or front-proxy referenced in the Target field.
It will NOT be used to configure the API server's own TLS certificate or any other component.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
certificateTemplates:
additionalProperties:
properties:
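Review bot: `caBundleSecretRef.name` carries `default: ""` and is not listed as required, even though its own description says an empty value is "almost certainly wrong". This Secret supplies the trust anchor that ends up in `certificate-authority-data`, so an empty reference should be rejected at admission instead of being left for the reconciler to interpret; a rule on the object such as `rule: 'self.name != ""'` would do it. The description also opens with "CABundle" while the field is `caBundleSecretRef`, and since only `name` is accepted it should say from which namespace the Secret is read.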
Expand All @@ -188,6 +208,9 @@ spec:
description: |-
Requested DNS subject alternative names. The values given here will be merged into the
DNS names determined automatically by the kcp-operator.
If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
trying to guess what DNSNames configued issuer might support.
items:
type: string
type: array
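Review bot: the three added description lines contain two typos ("will be uses as-is", "DNSNames configued issuer") and now contradict the unchanged first sentence, which still says the values "will be merged" unconditionally. Suggest rewriting the whole description so the IssuerRef case comes first, for example "If IssuerRef is set, DNSNames is used as-is; otherwise it is merged into the DNS names determined by the kcp-operator", and stating what happens when IssuerRef is set and DNSNames is empty. The same text is repeated in the kubeconfigs, rootshards and shards CRDs on this page, so fix the Go doc comment once and regenerate.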
Expand All @@ -208,6 +231,22 @@ spec:
items:
type: string
type: array
issuerRef:
description: IssuerRef is a reference to the issuer for
this certificate.
properties:
group:
description: Group of the object being referred to.
type: string
kind:
description: Kind of the object being referred to.
type: string
name:
description: Name of the object being referred to.
type: string
required:
- name
type: object
privateKey:
description: |-
Private key options. These include the key algorithm and size, the used
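Review bot: in `issuerRef`, `kind` and `group` are optional and the schema gives them neither a default nor an enum, so the descriptions should say what the operator assumes when they are omitted. The choice matters for review of a manifest, because it decides which issuer signs this certificate in place of the operator's own; documenting the default (and restricting `kind` with an enum if only a fixed set is supported) makes that visible in `kubectl explain` instead of only in the code.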
19 changes: 19 additions & 0 deletions config/crd/bases/operator.kcp.io_kubeconfigs.yaml
Expand Up @@ -65,6 +65,9 @@ spec:
description: |-
Requested DNS subject alternative names. The values given here will be merged into the
DNS names determined automatically by the kcp-operator.
If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
trying to guess what DNSNames configued issuer might support.
items:
type: string
type: array
Expand All @@ -85,6 +88,22 @@ spec:
items:
type: string
type: array
issuerRef:
description: IssuerRef is a reference to the issuer for this
certificate.
properties:
group:
description: Group of the object being referred to.
type: string
kind:
description: Kind of the object being referred to.
type: string
name:
description: Name of the object being referred to.
type: string
required:
- name
type: object
privateKey:
description: |-
Private key options. These include the key algorithm and size, the used
66 changes: 66 additions & 0 deletions config/crd/bases/operator.kcp.io_rootshards.yaml
Expand Up @@ -234,6 +234,26 @@ spec:
type: string
type: object
type: object
caBundleSecretRef:
description: |-
CABundle references a v1.Secret object that contains the CA bundle
that should be used to validate the API server's TLS certificate.
The secret must contain a key named `tls.crt` that holds the PEM encoded CA certificate.
It will be merged into the "external-logical-cluster-admin-kubeconfig" kubeconfig under the `certificate-authority-data` field.
If not specified, the kubeconfig will use the CA bundle of the root shard or front-proxy referenced in the Target field.
It will NOT be used to configure the API server's own TLS certificate or any other component.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
cache:
description: Cache configures the cache server (with a Kubernetes-like
API) used by a sharded kcp instance.
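Review bot: the `caBundleSecretRef` description on the RootShard spec is word for word the one used on the other CRDs and speaks of "the root shard or front-proxy referenced in the Target field" and of the "external-logical-cluster-admin-kubeconfig". Please confirm that wording applies to a RootShard, or reword it per type so it names the kubeconfig and the fallback CA that this object actually uses. The closing sentence ("It will NOT be used to configure the API server's own TLS certificate") is the important one for operators and is worth keeping first.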
Expand Down Expand Up @@ -274,6 +294,9 @@ spec:
description: |-
Requested DNS subject alternative names. The values given here will be merged into the
DNS names determined automatically by the kcp-operator.
If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
trying to guess what DNSNames configued issuer might support.
items:
type: string
type: array
Expand All @@ -294,6 +317,22 @@ spec:
items:
type: string
type: array
issuerRef:
description: IssuerRef is a reference to the issuer for
this certificate.
properties:
group:
description: Group of the object being referred to.
type: string
kind:
description: Kind of the object being referred to.
type: string
name:
description: Name of the object being referred to.
type: string
required:
- name
type: object
privateKey:
description: |-
Private key options. These include the key algorithm and size, the used
Expand Down Expand Up @@ -485,6 +524,8 @@ spec:
type: object
type: object
clusterDomain:
description: ClusterDomain is the DNS domain for services in the cluster.
Defaults to "cluster.local" if not set.
type: string
deploymentTemplate:
description: 'Optional: DeploymentTemplate configures the Kubernetes
Expand Down Expand Up @@ -1689,6 +1730,9 @@ spec:
description: |-
Requested DNS subject alternative names. The values given here will be merged into the
DNS names determined automatically by the kcp-operator.
If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
trying to guess what DNSNames configued issuer might support.
items:
type: string
type: array
Expand All @@ -1709,6 +1753,23 @@ spec:
items:
type: string
type: array
issuerRef:
description: IssuerRef is a reference to the issuer
for this certificate.
properties:
group:
description: Group of the object being referred
to.
type: string
kind:
description: Kind of the object being referred to.
type: string
name:
description: Name of the object being referred to.
type: string
required:
- name
type: object
privateKey:
description: |-
Private key options. These include the key algorithm and size, the used
Expand Down Expand Up @@ -3198,6 +3259,11 @@ spec:
type: string
type: object
type: object
shardBaseURL:
description: |-
ShardBaseURL is the base URL under which this shard should be reachable. This is used to configure
the external URL. If not provided, the operator will use kubernetes service address to generate it.
type: string
required:
- cache
- certificates
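Review bot: `shardBaseURL` is a bare `type: string` with no format or validation rule, yet the description says it is used to configure the external URL. A malformed value or an unintended scheme would only surface at runtime; consider a CEL rule such as `rule: 'isURL(self) && url(self).getScheme() == "https"'` (if https is the only supported scheme) and say in the description whether a port and path are allowed. "kubernetes service address" should read "Kubernetes Service address". The same field is added to the shards CRD further down.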
46 changes: 46 additions & 0 deletions config/crd/bases/operator.kcp.io_shards.yaml
Expand Up @@ -234,6 +234,26 @@ spec:
type: string
type: object
type: object
caBundleSecretRef:
description: |-
CABundle references a v1.Secret object that contains the CA bundle
that should be used to validate the API server's TLS certificate.
The secret must contain a key named `tls.crt` that holds the PEM encoded CA certificate.
It will be merged into the "external-logical-cluster-admin-kubeconfig" kubeconfig under the `certificate-authority-data` field.
If not specified, the kubeconfig will use the CA bundle of the root shard or front-proxy referenced in the Target field.
It will NOT be used to configure the API server's own TLS certificate or any other component.
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
certificateTemplates:
additionalProperties:
properties:
Expand All @@ -258,6 +278,9 @@ spec:
description: |-
Requested DNS subject alternative names. The values given here will be merged into the
DNS names determined automatically by the kcp-operator.
If DNSNames is used together with IssuerRef, DNSNames will be uses as-is and not merged.
If IssuerRef is not set, DNSNames will be merged with the defaults. This is to avoid
trying to guess what DNSNames configued issuer might support.
items:
type: string
type: array
Expand All @@ -278,6 +301,22 @@ spec:
items:
type: string
type: array
issuerRef:
description: IssuerRef is a reference to the issuer for
this certificate.
properties:
group:
description: Group of the object being referred to.
type: string
kind:
description: Kind of the object being referred to.
type: string
name:
description: Name of the object being referred to.
type: string
required:
- name
type: object
privateKey:
description: |-
Private key options. These include the key algorithm and size, the used
Expand Down Expand Up @@ -428,6 +467,8 @@ spec:
certificates for this shard.
type: object
clusterDomain:
description: ClusterDomain is the DNS domain for services in the cluster.
Defaults to "cluster.local" if not set.
type: string
deploymentTemplate:
description: 'Optional: DeploymentTemplate configures the Kubernetes
Expand Down Expand Up @@ -1702,6 +1743,11 @@ spec:
type: string
type: object
type: object
shardBaseURL:
description: |-
ShardBaseURL is the base URL under which this shard should be reachable. This is used to configure
the external URL. If not provided, the operator will use kubernetes service address to generate it.
type: string
required:
- etcd
- rootShard