tls-policy

TLSPolicy CRD, GVK: net.demo.orkestra.io/v1alpha1, Kind=TLSPolicy

Operator: network-suite 0.1.0 (healthy, uptime 52h48m3s)

Overview

tls-policy is a custom resource managed by the network-suite operator running on Orkestra. Resources of this type are namespace-scoped.

Field          Value
API Version    net.demo.orkestra.io/v1alpha1
Kind           TLSPolicy
GVR (plural)   net.demo.orkestra.io/v1alpha1, Resource=tlspolicies
Scope          Namespaced

Reconcile Mode

This CRD runs in dynamic mode. Orkestra works directly with the raw unstructured Kubernetes object — no Go code is required. Reconcile logic is expressed declaratively in the Katalog YAML using template expressions like {{ .spec.field }}.

The Generic Reconciler manages the full CR lifecycle: it ensures managed labels are set on every reconcile, adds and removes finalizers, runs onCreate and onReconcile template blocks, emits events, increments metrics, and reports health status.


Configuration

The operator maintains 3 worker goroutines to process reconcile events concurrently. Each worker dequeues one CR key at a time, reconciles it, and returns. The queue has a maximum depth of 100 events.

Orkestra resyncs all managed resources every 15s by re-enqueueing every CR key. This ensures drift caused by external changes is corrected even without a Kubernetes watch event.


Child Resources

When the operator reconciles a tls-policy instance it creates and manages the following Kubernetes resources on its behalf. These are owned by the CR via owner references and are deleted automatically when the CR is deleted (unless deletion protection is active).

Resources listed under onCreate are created on the first reconcile. Resources listed under onReconcile are re-applied on every reconcile cycle. A resource appearing in both phases is created once and kept in sync thereafter.

Kind     Count   Lifecycle phases
Secret   1       onCreate

To see the actual child resources created for a running instance, navigate to the instance's detail page from the network-suite control panel.


kubectl Reference

Use the commands below to interact with tls-policy resources from the command line.

List resources

kubectl get tlspolicy -n <namespace>

Describe a resource

kubectl describe tlspolicy <name> -n <namespace>

Get YAML

kubectl get tlspolicy <name> -n <namespace> -o yaml

Watch for changes

kubectl get tlspolicy -n <namespace> -w

Delete a resource

kubectl delete tlspolicy <name> -n <namespace>

Filter by Orkestra managed label

kubectl get tlspolicy -l orkestra.orkspace.io/managed=true -n <namespace>

Access Control

The operator holds the following RBAC permissions to manage tls-policy resources. The table has one rule each for secrets, tlspolicies and tlspolicies/status.

API Groups             Resources            Verbs
net.demo.orkestra.io   tlspolicies          get, list, watch, create, update, patch, delete
net.demo.orkestra.io   tlspolicies/status   get, update, patch
core                   secrets              get, list, watch, create, update, patch, delete
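
A least-privilege check for the table above, as an added example (not part of the Orkestra or network-suite code): it takes the rules list of a Role or ClusterRole, in the shape kubectl get ... -o json returns it, and reports every grant beyond what this page documents. The sample rules are constructed, and the page does not say whether the operator is bound through a Role or a ClusterRole.

```python
# DOCUMENTED is transcribed from this page's Access Control table.
# The "core" API group is written as the empty string in RBAC manifests.
CRUD = {"get", "list", "watch", "create", "update", "patch", "delete"}
DOCUMENTED = {
    ("net.demo.orkestra.io", "tlspolicies"): CRUD,
    ("net.demo.orkestra.io", "tlspolicies/status"): {"get", "update", "patch"},
    ("", "secrets"): CRUD,
}

# Constructed sample: the third rule grants more than the page documents.
SAMPLE_RULES = [
    {"apiGroups": ["net.demo.orkestra.io"], "resources": ["tlspolicies"],
     "verbs": sorted(CRUD)},
    {"apiGroups": ["net.demo.orkestra.io"], "resources": ["tlspolicies/status"],
     "verbs": ["get", "update", "patch"]},
    {"apiGroups": [""], "resources": ["secrets", "configmaps"],
     "verbs": ["get", "list", "deletecollection"]},
]


def excess_grants(rules):
    """Return sorted (apiGroup, resource, verb) grants not in DOCUMENTED.

    A "*" in apiGroups, resources or verbs is always reported, because a
    wildcard grants more than any finite documented set can cover.
    """
    findings = set()
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                allowed = DOCUMENTED.get((group, resource), set())
                for verb in rule.get("verbs", []):
                    wildcard = "*" in (group, resource, verb)
                    if wildcard or verb not in allowed:
                        findings.add((group or "core", resource, verb))
    return sorted(findings)


if __name__ == "__main__":
    for group, resource, verb in excess_grants(SAMPLE_RULES):
        print(f"undocumented grant: {verb} on {resource} ({group})")
```

Rules that narrow access with resourceNames are treated as within the documented set; only grants that widen it are reported.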