Reference: BootstrapConfig CRD
The BootstrapConfig is a Custom Resource Definition (CRD) that acts as a
cluster-level template for provisioning new namespaces. It is typically managed
by platform administrators.
As a developer, you will usually not create your own BootstrapConfig. Instead,
your ProjectBootstrap resource will reference a pre-existing, shared
BootstrapConfig, such as default. This reference page details the fields
available within a BootstrapConfig for advanced users or administrators who
may need to inspect or define a new template.
Specification (spec)
The spec block of a BootstrapConfig resource defines the template for
security, resource allocation, GitOps integration, and more.
| Field | Type | Description |
|---|---|---|
| sizes | map[string]object | Required. A map of predefined size profiles for resource quotas and limit ranges. A ProjectBootstrap must reference one of these sizes. |
| rules | []object | Required. An array of RBAC PolicyRule objects that define the permissions for the deployment service account created in the new namespace. |
| networkPolicies | map[string]object | Optional. A map of default Kubernetes NetworkPolicySpec objects to be created in the new namespace. A default-deny policy is always included. |
| labels | map[string]string | Optional. A map of labels to be automatically applied to the new namespace. |
| annotations | map[string]string | Optional. A map of annotations to be automatically applied to the new namespace. |
| git | object | Required. Defines the configuration for Git repository integration, such as the GitHub organization and template repository to use. |
| vault | object | Required. Defines the configuration for integrating with the central OpenBao/Vault store for secrets management. |
| externalSecretsStore | object | Required. A SecretStoreSpec that defines the template for the ClusterSecretStore to be created for the new namespace. |
| openTelemetry | object | Optional. Defines the default configuration for the OpenTelemetry Collector sidecar for applications in the namespace. |
| additionalRoles | map[string][]object | Optional. A map of additional RBAC Roles that can be created in the namespace and referenced by a ProjectBootstrap. |
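The Required rows in the table above, and the fact that rules holds RBAC PolicyRule objects, can be checked mechanically before a template is applied. The following is an added example, not code from the operator: it audits a spec already parsed into a dict, the function name and sample values are constructed for illustration, and it assumes that additionalRoles entries are lists of PolicyRule objects with the standard Kubernetes apiGroups, resources and verbs fields.

```python
# Added example: static audit of a parsed BootstrapConfig spec (hypothetical helper).
REQUIRED = ("sizes", "rules", "git", "vault", "externalSecretsStore")  # "Required." rows

def audit_spec(spec):
    """Return a list of findings for one BootstrapConfig spec dict."""
    findings = []
    for field in REQUIRED:
        if not spec.get(field):
            findings.append(f"missing required field: {field}")
    # Each size profile is expected to carry both limitRange and resourceQuota.
    for name, size in (spec.get("sizes") or {}).items():
        for part in ("limitRange", "resourceQuota"):
            if not (size or {}).get(part):
                findings.append(f"sizes.{name}: no {part}")
    # Flag wildcard grants for the deployment service account. Treating
    # additionalRoles values as PolicyRule lists is an assumption.
    rule_sets = {"rules": spec.get("rules") or []}
    for role, rules in (spec.get("additionalRoles") or {}).items():
        rule_sets[f"additionalRoles.{role}"] = rules or []
    for where, rules in rule_sets.items():
        for i, rule in enumerate(rules):
            for key in ("apiGroups", "resources", "verbs"):
                if "*" in (rule.get(key) or []):
                    findings.append(f"{where}[{i}]: wildcard in {key}")
    return findings

# Constructed sample spec: no vault block, one size without a quota,
# and one rule that grants every verb on every core resource.
SAMPLE_SPEC = {
    "sizes": {
        "default": {
            "limitRange": {"limits": [{"type": "Container", "default": {"cpu": "500m"}}]},
            "resourceQuota": {"hard": {"pods": "20"}},
        },
        "large": {"limitRange": {"limits": [{"type": "Container"}]}},
    },
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "patch"]},
        {"apiGroups": [""], "resources": ["*"], "verbs": ["*"]},
    ],
    "git": {"owner": "example-org"},
    "externalSecretsStore": {"provider": {}},
}

if __name__ == "__main__":
    for finding in audit_spec(SAMPLE_SPEC):
        print(finding)
```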
Configuration Details
spec.sizes
The sizes map allows administrators to define tiered resource allocation
profiles. Each key in the map represents a size name (e.g., default, large)
that can be referenced by a ProjectBootstrap. The value contains two objects:
- limitRange: A standard Kubernetes LimitRangeSpec that sets default resource requests and limits for containers in the namespace.
- resourceQuota: A standard Kubernetes ResourceQuotaSpec that sets the total amount of resources (CPU, memory, storage, object counts) that the namespace can consume.
spec.git
This section configures the integration with a Git provider. For GitHub, it
specifies the owner (organization), a template repository to use for new
projects, and a secretRef containing credentials for the GitHub API.
spec.vault
This section defines how the operator interacts with the central OpenBao/Vault store to manage credentials and other secrets required for the namespace's operation. It includes the server URL, authentication role, and paths for storing namespace-specific data.
spec.externalSecretsStore
This block contains a standard SecretStoreSpec from the External Secrets
Operator. The operator uses this as a template to create a ClusterSecretStore
for the new namespace, enabling applications within that namespace to sync
secrets from the central vault.