The APIKey resource allows you to create and manage API keys for authenticating with the StreamNative Cloud API.

```yaml
apiVersion: resource.streamnative.io/v1alpha1
kind: APIKey
metadata:
  name: my-apikey
  namespace: default
spec:
  apiServerRef:
    name: my-connection
  instanceName: my-pulsar-instance
  serviceAccountName: my-service-account
  description: "API Key for automation"
  expirationTime: "2025-12-31T23:59:59Z"
```

| Field | Type | Description | Required |
|---|---|---|---|
| `spec.apiServerRef` | LocalObjectReference | Reference to a StreamNativeCloudConnection in the same namespace | Yes |
| `spec.instanceName` | string | Name of the instance this API key is for | No |
| `spec.serviceAccountName` | string | Name of the service account this API key is for | Yes |
| `spec.description` | string | User-defined description of the API key | No |
| `spec.expirationTime` | string | Timestamp defining when this API key will expire | No |
| `spec.revoke` | boolean | Indicates whether this API key should be revoked | No |
| `spec.encryptionKey` | object | Contains the public key used to encrypt the token | No |
| `spec.exportPlaintextToken` | boolean | Indicates whether the plaintext token should be exported as a Kubernetes Secret if the Pulsar Resources Operator manages the private key. (Default: false) | No |

| Field | Type | Description |
|---|---|---|
| `status.conditions` | []Condition | Current state of the APIKey |
| `status.observedGeneration` | int64 | Last observed generation |
| `status.keyId` | string | Unique identifier for the API key |
| `status.issuedAt` | string | Timestamp when the key was issued |
| `status.expiresAt` | string | Timestamp when the key expires |
| `status.token` | string | The plaintext security token issued for the key (available only after creation) |
| `status.encryptedToken` | object | The encrypted security token if an encryption key was provided |
| `status.revokedAt` | string | Timestamp when the key was revoked, if applicable |

For each APIKey resource, the operator creates and manages two types of Secrets:

- Private Key Secret: Contains the RSA private key used for decrypting tokens. Created only if no `encryptionKey` is provided.
  - Name format: `<apikey-name>-private-key`
  - Contains key: `private-key`
- Token Secret: Contains the decrypted API token for authentication. Created only if no `encryptionKey` is provided and `exportPlaintextToken` is set to `true`.
  - Name format: `<apikey-name>-token`
  - Contains key: `token`
  - Includes labels:
    - `resources.streamnative.io/apikey`: Name of the APIKey
    - `resources.streamnative.io/key-id`: Unique identifier of the APIKey

API keys provide authentication credentials for service accounts to access the StreamNative Cloud API. They can be used in automated workflows, CI/CD pipelines, or any system that needs to interact with StreamNative Cloud resources.
To create an API key, you need:
- A StreamNativeCloudConnection resource configured with valid credentials
- An existing service account for which the API key will be created

```yaml
apiVersion: resource.streamnative.io/v1alpha1
kind: APIKey
metadata:
  name: my-automation-key
  namespace: default
spec:
  apiServerRef:
    name: my-connection
  instanceName: my-pulsar-instance
  serviceAccountName: my-service-account
  description: "API Key for CI/CD pipeline"
  expirationTime: "2026-01-01T00:00:00Z"
```

When the token Secret exists (no `encryptionKey` provided and `exportPlaintextToken` set to `true`), you can mount it in your application pods:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-app
spec:
  containers:
    - name: app
      image: my-app-image
      volumeMounts:
        - name: apikey-volume
          mountPath: /etc/apikey
          readOnly: true
  volumes:
    - name: apikey-volume
      secret:
        secretName: my-automation-key-token
```

The application can then read the token from `/etc/apikey/token`.

To revoke an API key, update the spec.revoke field to true:

```yaml
apiVersion: resource.streamnative.io/v1alpha1
kind: APIKey
metadata:
  name: my-automation-key
  namespace: default
spec:
  apiServerRef:
    name: my-connection
  instanceName: my-pulsar-instance
  serviceAccountName: my-service-account
  revoke: true
```

Once revoked, the API key can no longer be used for authentication.
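
The following is an added example, not part of the StreamNative documentation or the operator's code: a Python audit that reads APIKey objects as dicts (the JSON form a Kubernetes client returns) and flags keys with no expiry, expired or soon-to-expire keys, plaintext token exposure, and revoked keys, using only the `spec` and `status` fields listed above. The function names, finding labels, 30-day warning window, and sample objects are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def _ts(value):
    """Parse a timestamp in the form the page uses, e.g. 2026-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_apikey(obj, now, warn_within=timedelta(days=30)):
    """Return sorted findings for one APIKey object given as a dict."""
    spec, status = obj.get("spec", {}), obj.get("status", {})
    if spec.get("revoke") or status.get("revokedAt"):
        return ["revoked"]  # a revoked key can no longer authenticate
    findings = []
    expiry = status.get("expiresAt") or spec.get("expirationTime")
    if not expiry:
        findings.append("no-expiration")
    elif _ts(expiry) <= now:
        findings.append("expired")
    elif _ts(expiry) - now <= warn_within:
        findings.append("expires-soon")
    # Per the page, the <name>-token Secret exists only when no encryptionKey
    # is provided and exportPlaintextToken is true.
    if spec.get("exportPlaintextToken") and not spec.get("encryptionKey"):
        findings.append("plaintext-token-secret")
    if status.get("token"):
        findings.append("plaintext-token-in-status")
    return sorted(findings)

def audit_all(items, now):
    """Map APIKey name -> findings, skipping keys with nothing to report."""
    results = ((o["metadata"]["name"], audit_apikey(o, now)) for o in items)
    return {name: found for name, found in results if found}

# Constructed sample objects (not real keys or tokens).
SAMPLE = [
    {"metadata": {"name": "my-apikey"},
     "spec": {"expirationTime": "2025-12-31T23:59:59Z", "exportPlaintextToken": True}},
    {"metadata": {"name": "no-expiry-key"}, "spec": {},
     "status": {"token": "constructed-placeholder"}},
    {"metadata": {"name": "old-key"}, "spec": {},
     "status": {"expiresAt": "2025-01-01T00:00:00Z"}},
    {"metadata": {"name": "my-automation-key"},
     "spec": {"expirationTime": "2026-01-01T00:00:00Z", "revoke": True}},
    {"metadata": {"name": "quiet-key"}, "spec": {"expirationTime": "2026-01-01T00:00:00Z"}},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so results are repeatable

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE, NOW).items():
        print(f"{name}: {', '.join(findings)}")
```
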