Document Kustomization.spec.kubeConfig for Cluster API

api/v1beta1/kustomization_types.go

@@ -50,6 +50,7 @@ type KustomizationSpec struct {
  Interval metav1.Duration `json:"interval"`
 
  // The KubeConfig for reconciling the Kustomization on a remote cluster.
+ // Apply, Prune, HealthCheck, and Delete are all functional.
  // +optional
  KubeConfig *KubeConfig `json:"kubeConfig,omitempty"`
 
@@ -125,9 +126,19 @@ type Decryption struct {
 // KubeConfig references a Kubernetes secret generated by CAPI.
 // that contains a kubeconfig file.
 type KubeConfig struct {
- // The secret name containing a 'value' key
- // with the kubeconfig file as the value.
- // Ref: https:/kubernetes-sigs/cluster-api/blob/release-0.3/util/secret/consts.go#L24
+ // The secret name containing a 'value' key with the kubeconfig file as the value.
+ // This secret must be in the same Namespace as the Kustomization.
+ // KubeConfig secrets maintained by Cluster API bootstrap providers can be used here.
+ // (ex: If your CAPI Cluster's name is `stage-env`, set this to `stage-env-kubeconfig`.
+ // Ensure the Kustomization is in the same Namespace as the Cluster object.
+ // Ref: https:/kubernetes-sigs/cluster-api/blob/release-0.3/util/secret/consts.go#L24)
+ // The reconciliation clients are regularly refreshed from the Secret, so
+ // rotating kubeconfigs for KaaS control-planes from cloud-providers are supported.
+ // These kubeconfigs follow the same design constraints as Cluster API.
+ // It is recommended that kubeconfigs be self-contained, and the Secret be
+ // regularly updated if credentials such as a cloud-access-token expire.
+ // Cloud-specific `cmd-path` auth helpers will not function without adding
+ // binaries and credentials to the kustomize-controller Pod.
  // +required
  SecretRef corev1.LocalObjectReference `json:"secretRef,omitempty"`
 }