Description
Describe the feature
When implementing GitOps with Capsule (e.g., using FluxCD), namespace creation must be delegated through the Capsule proxy, which grants permission to a ServiceAccount via impersonation.
Currently, this requires a manual step: generating a kubeconfig using the provided script, and then referencing it in every GitOps tool configuration.
Example from the guide:
```yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: my-tenant
  namespace: my-tenant
spec:
  kubeConfig:
    secretRef:
      name: gitops-reconciler-kubeconfig
      key: kubeconfig
  sourceRef:
    kind: GitRepository
    name: my-tenant
  path: config
```
This manual step adds friction, introduces potential human error, and prevents fully automated GitOps onboarding. Additionally, static ServiceAccount tokens may become a security concern if not rotated regularly.
The feature request:
Enable Capsule to automatically generate, store, and rotate the kubeconfig required for GitOps reconciliation, removing any manual setup.
What would the new user story look like?
What would the new interaction with Capsule look like? E.g.
Example flow with the new feature:
- Tenant owner creates a new Tenant.
- Tenant owner applies GitOps configuration (e.g., FluxCD Kustomization).
- Capsule automatically generates the required kubeconfig for the Tenant’s GitOps ServiceAccount, creates a Secret in the appropriate namespace, sets up automatic token rotation, and updates the Secret transparently.
- GitOps controller consumes the Secret with no manual intervention.
- Namespace creation via Capsule proxy works out of the
Expected behavior
- No manual kubeconfig generation: Capsule handles creation of the kubeconfig Secret automatically when a Tenant is created or on demand.
- Automatic token rotation: Capsule rotates the ServiceAccount token and updates the kubeconfig Secret without user intervention.
- Plug-and-play GitOps: GitOps tools like FluxCD can start reconciling immediately after Tenant creation.
- Improved security: Reduced risk from stale ServiceAccount tokens.
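To make the example flow and the expected behavior above concrete, here is an added sketch (not Capsule's code, and not a proposal for its internal API) of the three pieces the request asks for: building a kubeconfig that targets the Capsule proxy with a ServiceAccount bearer token, wrapping it in a Secret whose name and key match the Kustomization's `secretRef` from this issue, and deciding when a bound token is close enough to expiry that the Secret must be rewritten. The proxy URL, the CA bundle and the token are constructed placeholders; a real controller would obtain the token from the TokenRequest API and write the Secret through the Kubernetes API instead of printing it.

```python
import base64
import json
import time

# Values taken from the Kustomization example in this issue.
SECRET_NAME = "gitops-reconciler-kubeconfig"
SECRET_KEY = "kubeconfig"

# Constructed placeholders (not real cluster data): the proxy endpoint and a
# dummy CA bundle standing in for the real certificate-authority-data.
PROXY_SERVER = "https://capsule-proxy.capsule-system.svc:9001"
PROXY_CA_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
).decode()


def build_kubeconfig(server, ca_b64, token, namespace):
    """Kubeconfig that points the GitOps controller at the Capsule proxy and
    authenticates as the tenant's ServiceAccount with a bearer token.
    Returned as a dict; serialised as JSON it is still a valid kubeconfig."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": "capsule-proxy",
                      "cluster": {"server": server,
                                  "certificate-authority-data": ca_b64}}],
        "users": [{"name": "gitops-reconciler", "user": {"token": token}}],
        "contexts": [{"name": "gitops",
                      "context": {"cluster": "capsule-proxy",
                                  "user": "gitops-reconciler",
                                  "namespace": namespace}}],
        "current-context": "gitops",
    }


def build_secret(kubeconfig, namespace, name=SECRET_NAME, key=SECRET_KEY):
    """Secret in the shape spec.kubeConfig.secretRef expects: the kubeconfig
    base64-encoded under .data[<key>]."""
    raw = json.dumps(kubeconfig, sort_keys=True).encode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {key: base64.b64encode(raw).decode()},
    }


def read_secret_kubeconfig(secret, key=SECRET_KEY):
    """Decode the kubeconfig back out of the Secret, as the controller does."""
    return json.loads(base64.b64decode(secret["data"][key]))


def token_expiry(token):
    """'exp' claim of a bound ServiceAccount token. The payload is decoded
    without signature verification: it is only used to schedule rotation,
    the API server still verifies the token on every request."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def needs_rotation(token, now=None, lead_seconds=3600):
    """True when the token expires within lead_seconds, so the controller
    should request a fresh one and rewrite the Secret before it stops working."""
    now = int(time.time()) if now is None else now
    return token_expiry(token) - now <= lead_seconds


def sample_token(exp, namespace="my-tenant"):
    """Constructed, unsigned JWT with the claim layout of a projected SA token;
    stands in for the TokenRequest API output in this offline example."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"sub": f"system:serviceaccount:{namespace}:gitops-reconciler", "exp": exp}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "signature-placeholder"])


if __name__ == "__main__":
    now = int(time.time())
    token = sample_token(exp=now + 2 * 3600)
    cfg = build_kubeconfig(PROXY_SERVER, PROXY_CA_B64, token, "my-tenant")
    secret = build_secret(cfg, "my-tenant")
    print(json.dumps(secret, indent=2))
    print("rotate now?", needs_rotation(token, now, lead_seconds=3600))
```

The rotation lead time is the knob that decides how stale a token may get: with short-lived bound tokens the controller re-requests well before `exp` and rewrites the Secret in place, so the GitOps controller only ever reads a valid credential and no long-lived static token has to exist.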