Infrastructure

CloudProvider

Represents cloud credentials and provider-specific configuration. Referenced by LatticeCluster via providerRef.

group: lattice.dev
version: v1alpha1
scope: namespaced

Credential Modes

CloudProvider supports two mutually exclusive ways to supply credentials. If both are set, ESO mode takes priority.

Manual credentialsSecretRef

You create a Kubernetes Secret and reference it directly. The controller reads from that Secret as-is.

ESO credentials

Uses the same ResourceSpec as LatticeService secrets. The controller creates an ExternalSecret that syncs credentials from a ClusterSecretStore into the <name>-credentials Secret in the lattice-system namespace. Pair with credentialData to reshape the synced values using ${secret.credentials.KEY} templating.

Examples

aws-manual.yaml
apiVersion: lattice.dev/v1alpha1
kind: CloudProvider
metadata:
  name: aws-prod
spec:
  type: aws
  region: us-east-1
  credentialsSecretRef:          # manual mode
    name: aws-prod-creds
  aws:
    vpcId: vpc-0abc123def456
    subnetIds:
      - subnet-a
      - subnet-b
    sshKeyName: my-key
    roleArn: arn:aws:iam::ACCOUNT:role/lattice-role

aws-eso.yaml
apiVersion: lattice.dev/v1alpha1
kind: CloudProvider
metadata:
  name: aws-prod
spec:
  type: aws
  region: us-east-1
  credentials:                    # ESO mode
    type: secret
    id: infrastructure/aws/prod
    params:
      provider: vault-prod
      keys:
        - access_key_id
        - secret_access_key
  aws:
    vpcId: vpc-0abc123def456
    subnetIds:
      - subnet-a
      - subnet-b

openstack-eso-with-template.yaml
apiVersion: lattice.dev/v1alpha1
kind: CloudProvider
metadata:
  name: openstack-prod
spec:
  type: openstack
  credentials:                    # ESO mode
    type: secret
    id: infrastructure/openstack/credentials
    params:
      provider: vault-prod
      keys:
        - username
        - password
        - auth_url
  credentialData:                 # template the synced values
    clouds.yaml: |
      clouds:
        openstack:
          auth:
            username: "${secret.credentials.username}"
            password: "${secret.credentials.password}"
            auth_url: "${secret.credentials.auth_url}"
  openstack:
    authUrl: https://openstack.example.com:5000/v3

proxmox-manual.yaml
apiVersion: lattice.dev/v1alpha1
kind: CloudProvider
metadata:
  name: homelab
spec:
  type: proxmox
  credentialsSecretRef:          # manual mode
    name: proxmox-creds
  proxmox:
    serverUrl: https://pve.local:8006
    node: pve-01
    storage: local-lvm

Spec

CloudProvider spec fields
Field Type Description
type CloudProviderType Cloud provider type.
region string? Cloud region (e.g., us-east-1). Required for cloud providers, ignored for on-prem.
credentialsSecretRef SecretRef? Manual mode. Reference to an existing Kubernetes Secret containing provider credentials. Mutually exclusive with credentials.
credentials ResourceSpec? ESO mode. The controller creates an ExternalSecret that syncs credentials from a ClusterSecretStore. Same ResourceSpec as LatticeService secrets. Mutually exclusive with credentialsSecretRef.
credentialData map<string, string>? Template data for reshaping credentials. Each key becomes a key in the resulting K8s Secret. Values can use ${secret.credentials.KEY} to inject secret values. Only valid when credentials is set.
aws AwsProviderConfig? AWS-specific configuration.
proxmox ProxmoxProviderConfig? Proxmox-specific configuration.
openstack OpenStackProviderConfig? OpenStack-specific configuration.
labels map<string, string> Arbitrary labels for provider selection and filtering.
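A small validator and template renderer for the credential rules described under Credential Modes and in the spec table above (ESO mode wins when both are set, credentialData is only valid in ESO mode, ${secret.credentials.KEY} substitution into the <name>-credentials Secret), added here as illustration and not the Lattice controller's own code. It assumes the parsed spec is a plain dict, adds a check that every template reference names a key listed in credentials.params.keys, and assumes that without credentialData the synced keys land in the Secret unchanged.

```python
import re
# Added illustration code, not the Lattice controller's implementation. OPENSTACK_SPEC
# is a constructed dict standing in for the parsed openstack-eso-with-template.yaml
# example; SYNCED_SECRET stands in for values ESO pulled from the ClusterSecretStore.
TEMPLATE_RE = re.compile(r"\$\{secret\.credentials\.([A-Za-z0-9_]+)\}")
OPENSTACK_SPEC = {
    "type": "openstack",
    "credentials": {"type": "secret", "id": "infrastructure/openstack/credentials",
                    "params": {"provider": "vault-prod",
                               "keys": ["username", "password", "auth_url"]}},
    "credentialData": {"clouds.yaml": (
        "clouds:\n  openstack:\n    auth:\n"
        '      username: "${secret.credentials.username}"\n'
        '      password: "${secret.credentials.password}"\n'
        '      auth_url: "${secret.credentials.auth_url}"\n')},
}
SYNCED_SECRET = {"username": "svc-lattice", "password": "constructed-pw",
                 "auth_url": "https://openstack.example.com:5000/v3"}

def credential_mode(spec):
    """'eso' or 'manual'; ESO takes priority when both are set, as the page states."""
    if "credentials" in spec:
        return "eso"
    if "credentialsSecretRef" in spec:
        return "manual"
    raise ValueError("set credentialsSecretRef or credentials")

def validate(spec):
    """Return rule violations (an empty list means the spec passes)."""
    problems = []
    try:
        mode = credential_mode(spec)
    except ValueError as err:
        mode, problems = None, [str(err)]
    if "credentialData" in spec and mode != "eso":
        problems.append("credentialData is only valid when credentials is set")
    if mode == "eso":  # added check: each template reference must be a synced key
        synced = set(spec["credentials"].get("params", {}).get("keys", []))
        for out_key, tmpl in spec.get("credentialData", {}).items():
            for ref in TEMPLATE_RE.findall(tmpl):
                if ref not in synced:
                    problems.append(f"credentialData.{out_key}: {ref} not in credentials.params.keys")
    return problems

def render_credential_data(spec, synced):
    """Data of the <name>-credentials Secret after ${secret.credentials.KEY} substitution."""
    if "credentialData" not in spec:
        return dict(synced)  # assumption: without templates the synced keys land unchanged
    return {k: TEMPLATE_RE.sub(lambda m: synced[m.group(1)], v)  # KeyError if store lacks key
            for k, v in spec["credentialData"].items()}
```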

CloudProviderType

AWS Amazon Web Services. Requires IAM credentials or role ARN.
Proxmox Proxmox VE hypervisor. Requires API token or user credentials.
OpenStack OpenStack cloud platform. Requires Keystone auth URL and credentials.
Docker Local Docker provider for development and testing. No credentials required.

AwsProviderConfig

AwsProviderConfig fields
Field Type Description
vpcId string? Existing VPC ID. If not set, a new VPC is created.
subnetIds []string? Existing subnet IDs. If not set, new subnets are created.
sshKeyName string? EC2 SSH key pair name for node access.
roleArn string? IAM role ARN to assume for provisioning operations.

ProxmoxProviderConfig

ProxmoxProviderConfig fields
Field Type Description
serverUrl string Proxmox API server URL (e.g., https://pve.local:8006).
node string? Target Proxmox node name. If not set, the scheduler chooses.
storage string? Storage backend for VM disks (e.g., local-lvm).

OpenStackProviderConfig

OpenStackProviderConfig fields
Field Type Description
authUrl string Keystone authentication endpoint URL.
networkId string? Existing Neutron network ID.
floatingIpPool string? Floating IP pool name for external access.

Status

CloudProvider status fields
Field Type Description
phase CloudProviderPhase Current phase: Pending, Ready, or Failed.
message string? Human-readable status message.
lastValidated string? ISO 8601 timestamp of last successful credential validation.
clusterCount u32 Number of LatticeCluster resources referencing this provider.