CloudConfig

CloudConfig (meta.p6m.dev/v1alpha1) is the Custom Resource Definition (CRD) that registers a cloud account with the platform for an organization namespace. An operator reconciles Crossplane ProviderConfigs, Azure resource groups, network configuration, and identity group membership from it.

Group:    meta.p6m.dev
Version:  v1alpha1
Kind:     CloudConfig
Scope:    Namespaced

info

Each unique combination of Azure subscription and resource group name requires its own CloudConfig. Two configs with the same subscription but different resource group names are distinct, as are two configs with the same resource group name but different subscriptions.

Spec reference

All fields live directly under spec.

Required

Field	Type	Description
`type`	string	Cloud provider for this config. Must be `azure`.

Common

Field	Type	Description
`groups`	`map[string][]string`	Maps well-known team names to lists of Azure object IDs. Controls which identities are added to each team's cloud group. At least one entry in `groups.superadmins` is required — AKS cluster provisioning will fail without it.
`permissions`	`map[string][]string`	Maps well-known team names to lists of Azure role assignment names. Controls which roles each team's members receive.
`network`	object	Network configuration. See Network fields.

Azure

Field	Type	Description
`tenantId`	string	Azure Active Directory tenant ID.
`subscriptionId`	string	Azure subscription ID where resources are provisioned.
`clientId`	string	Client ID of the Azure app registration used by the platform operator.
`servicePrincipalId`	string	Object ID of the service principal used by the platform operator. This is not the application (app registration) object ID.
`resourceGroups.platform`	string	Name of the Azure resource group for platform-level resources (VNets, Key Vaults). If omitted, the operator creates one.
`resourceGroups.services`	string	Name of the Azure resource group for application services. If omitted, the operator creates one.
`superadminGroupIds`	[]string	Azure object IDs granted superadmin access. Merged with `groups.superadmins` — prefer `groups.superadmins` for new configs.
`storageRedundancySku`	enum	Redundancy SKU for managed disks and storage accounts. Default: `ZRS`. See Storage redundancy SKUs.

Network fields

Field	Type	Description
`network.networkCidr`	string (CIDR)	CIDR block for the VNet. If `clusterCidr` is not provided, the operator derives it by incrementing the prefix length by 1 (e.g. `10.0.0.0/22` → cluster `10.0.0.0/23`).
`network.clusterCidr`	string (CIDR)	CIDR block for the Kubernetes cluster subnet. If `networkCidr` is not provided, the operator derives it by decrementing the prefix length by 1 (e.g. `10.0.0.0/23` → network `10.0.0.0/22`).
`network.dnsServers`	[]string	Custom DNS server IPs injected into cluster network configuration.

Well-known team names

groups and permissions accept the following keys:

Key	Description
`developers`	Individual contributors.
`owners`	Team leads and managers.
`superadmins`	Cluster-level administrators with elevated access. At least one entry required for AKS provisioning.
`members`	Broad team membership.
`sres`	Site reliability engineers.

Storage redundancy SKUs

storageRedundancySku controls the replication strategy for all Azure managed disks and storage accounts provisioned for the organization. The default is ZRS — it provides zone-level fault tolerance (survives a single AZ failure) at a modest cost premium over LRS, making it the right default for most production workloads without requiring explicit configuration.

See Azure Storage redundancy documentation for full durability and availability parameter tables.

SKU	Full name	Replication scope	Durability
`LRS`	Locally Redundant Storage	3 copies within a single AZ in one region	11 nines
`ZRS`	Zone-Redundant Storage	3 copies across 3 AZs in one region	12 nines
`GRS`	Geo-Redundant Storage	3 local copies + 3 asynchronously replicated to a paired region	16 nines
`GZRS`	Geo-Zone-Redundant Storage	Zone-redundant in primary region + geo-replicated to paired region	Highest
`RAGRS`	Read-Access Geo-Redundant Storage	Same as GRS, secondary region always readable	16 nines
`RAGZRS`	Read-Access Geo-Zone-Redundant Storage	Same as GZRS, secondary region always readable	Highest

Guidance:

Most workloads → ZRS (default): zone-resilient at reasonable cost.
Compliance or business-critical data → GRS or GZRS: use when policy requires geo-redundancy.
Active reads from secondary region → RAGRS or RAGZRS: only if applications are built to read from the secondary endpoint.
Cost-sensitive, non-critical environments → LRS: minimum redundancy, lowest cost, no zone or regional protection.

note

Not all SKUs are available in every Azure region. Verify availability for your target region before selecting a non-default SKU.

Changing the redundancy SKU

The value in CloudConfig is the initial setting applied when storage accounts and managed disks are first provisioned. Updating storageRedundancySku changes the default for any resources created after the update — it does not trigger migration of existing resources.

Migrating existing storage accounts to a different SKU is a manual process performed in the Azure portal. Migrations can take days or weeks to complete, so plan accordingly before changing SKUs in a live environment.

Example manifest

apiVersion: meta.p6m.dev/v1alpha1
kind: CloudConfig
metadata:
  name: my-org-cluster-dev
  namespace: my-org
spec:
  type: azure
  tenantId: "00000000-0000-0000-0000-000000000000"
  subscriptionId: "11111111-1111-1111-1111-111111111111"
  clientId: "22222222-2222-2222-2222-222222222222"
  servicePrincipalId: "33333333-3333-3333-3333-333333333333"
  resourceGroups:
    platform: my-org-cluster-dev
    services: my-org-cluster-dev
  storageRedundancySku: ZRS
  groups:
    developers:
      - "44444444-4444-4444-4444-444444444444"
    owners:
      - "55555555-5555-5555-5555-555555555555"
    superadmins:
      - "66666666-6666-6666-6666-666666666666"
  permissions:
    developers:
      - my-org-developer
    owners:
      - my-org-manager
  network:
    networkCidr: "10.0.0.0/22"
    dnsServers:
      - "10.0.0.4"
      - "10.0.0.5"

Status reference

The operator populates .status after each reconciliation.

`status.azure`

Field	Description
`tenantId`	Reconciled tenant ID.
`subscriptionId`	Reconciled subscription ID.
`clientId`	Reconciled client ID.
`storageRedundancySku`	Active redundancy SKU applied to provisioned resources.
`providerConfigRef.name`	Name of the Crossplane ProviderConfig created for this config.
`clientSecretRef.name`	Name of the Kubernetes Secret holding Azure credentials.
`resourceGroups.platform.id`	Full ARM resource group ID (`/subscriptions/.../resourceGroups/...`).
`resourceGroups.platform.name`	Platform resource group name.
`resourceGroups.services.id`	Full ARM resource group ID for the services resource group.
`resourceGroups.services.name`	Services resource group name.
`networks.networkCidr`	Resolved network CIDR.
`networks.clusterCidr`	Resolved cluster CIDR (derived from `networkCidr` if not explicitly set in spec).
`networks.dnsServers`	DNS servers in use.
`cloudConfigRef`	Self-reference (`name` + `namespace`) used by downstream resources.

`status.reconcileInterval`

The operator's reconcile cadence for this resource, in seconds.

Spec reference​

Required​

Common​

Azure​

Network fields​

Well-known team names​

Storage redundancy SKUs​

Changing the redundancy SKU​

Example manifest​

Status reference​

status.azure​

status.reconcileInterval​