Feat: Add a namespaced trust bundle CRD alongside the cluster-scoped Bundle

[asmaoune]

Summary

We would like to propose a namespaced trust-bundle CRD (NamespacedBundle) to let users manage local trust (their internal CAs) without cluster-admin rights, while keeping the existing cluster-scoped Bundle for global trust.

This issue outlines three alternative designs for how a NamespacedBundle could be consumed and how it could compose with existing bundles.

Problem

• Today, managing trusted CA bundles per team/tenant typically requires editing a cluster-scoped Bundle, which demands elevated permissions and central coordination
• Multi-tenant clusters need a safer, least-privilege way for teams to manage local trust anchors (their internal CAs) while still leveraging global trust roots provided by platform admins (e.g., public CAs or org-wide CAs)

Goals

• Introduce a namespaced resource NamespacedBundle
• Keep RBAC minimal and predictable for users (ideally reads/writes only within the same namespace for namespaced resources)

Proposed Designs (3 options)

Option 1 — Namespaced bundle with an explicit allowlist of consumer namespaces

A NamespacedBundle is defined in namespace A but declares an allowlist of other namespaces (B, C, …) that may consume it. The controller would need to write the rendered ConfigMap/Secret into those target namespaces.

Option 2 — Add NamespacedBundle that can reference cluster-wide bundles (no lateral namespaced references)

Introduce a NamespacedBundle that:

• Reads and renders only within its own namespace

• Can include one or more cluster-scoped Bundle(s) via something like bundleRef, but cannot reference another NamespacedBundle

Option 3 — Namespaced bundles may reference other namespaced bundles across namespaces (where permitted)

Allow a NamespacedBundle in namespace A to include another NamespacedBundle in namespace B

[erikgb]

This appears like a duplicate of #131. Which is blocked on our ongoing migration from Bundle -> ClusterBundle. Cross-namespace references are discouraged in Kubernetes.

[asmaoune]

@erikgb So solution 2 will be better, what do you think ?

Also, do you have an idea about how much time the migration from Bundle to ClusterBundle will take ?

[erikgb]

So solution 2 will be better, what do you think ?

Yes, as far as I can understand, your other options will imply cross-namespace references.

Also, do you have an idea about how much time the migration from Bundle to ClusterBundle will take ?

The foundation is there, but we still need to "connect loose wires". I don't want to promise anything, but my personal goal has always been KubeCon NA 2025 in November. But we are short on maintainers willing to review my trust-manager PRs right now, so it is already delayed.

[asmaoune]

So solution 2 will be better, what do you think ?

Yes, as far as I can understand, your other options will imply cross-namespace references.

Also, do you have an idea about how much time the migration from Bundle to ClusterBundle will take ?

The foundation is there, but we still need to "connect loose wires". I don't want to promise anything, but my personal goal has always been KubeCon NA 2025 in November. But we are short on maintainers willing to review my trust-manager PRs right now, so it is already delayed.

Ok, thanks