
API Reference - QubeSec CRDs

This is a comprehensive reference for all QubeSec custom resources and their specifications.


QuantumRandomNumber

Generate cryptographically secure random bytes.

API Group & Version

qubessec.io/v1

Specification

apiVersion: qubessec.io/v1
kind: QuantumRandomNumber
metadata:
  name: my-random
  namespace: default
spec:
  numBytes: 32 # Required: 1-65536

Spec Fields

  • numBytes (integer, required): Number of random bytes to generate (1-65536)

Status Fields

  • status (string): Pending, Success, or Failed
  • size (integer): Number of bytes successfully generated
  • fingerprint (string): SHA256 fingerprint of generated data (first 10 hex chars)
  • lastGeneratedTime (string): ISO8601 timestamp of generation
  • error (string): Error message if failed

QuantumKEMKeyPair

Generate Kyber (ML-KEM) keypairs for the key encapsulation mechanism (KEM).

API Group & Version

qubessec.io/v1

Specification

apiVersion: qubessec.io/v1
kind: QuantumKEMKeyPair
metadata:
  name: my-keypair
  namespace: default
spec:
  algorithm: Kyber1024 # Required: Kyber512, Kyber768, or Kyber1024

Spec Fields

  • algorithm (string, required): Kyber512 (ML-KEM-512), Kyber768 (ML-KEM-768), or Kyber1024 (ML-KEM-1024)

Status Fields

  • status (string): Pending, Success, or Failed
  • fingerprint (string): SHA256 fingerprint of public key (first 10 hex chars)
  • lastUpdateTime (string): ISO8601 timestamp of last update
  • error (string): Error message if failed

Output Secret

Created as <resource-name> Secret containing:

  • public_key: Binary public key
  • private_key: Binary private key
  • metadata: JSON metadata about the keypair

QuantumEncapsulateSecret

Perform KEM encapsulation to create shared secrets.

API Group & Version

qubessec.io/v1

Specification

apiVersion: qubessec.io/v1
kind: QuantumEncapsulateSecret
metadata:
  name: my-encapsulation
  namespace: default
spec:
  algorithm: Kyber1024 # Required
  publicKeyRef: # Required
    name: keypair-name
    namespace: default # Optional, defaults to current namespace
  outputSecretName: my-secret # Optional, defaults to resource name

Spec Fields

  • algorithm (string, required): Kyber512, Kyber768, or Kyber1024
  • publicKeyRef.name (string, required): Name of QuantumKEMKeyPair resource
  • publicKeyRef.namespace (string, optional): Namespace of keypair (default: current)
  • outputSecretName (string, optional): Secret to store result (default: resource name)

Status Fields

  • status (string): Pending, Success, or Failed
  • fingerprint (string): SHA256 fingerprint of shared secret
  • ciphertextFingerprint (string): SHA256 fingerprint of ciphertext
  • lastUpdateTime (string): ISO8601 timestamp
  • error (string): Error message if failed

Output Secret

Contains:

  • shared_secret: Binary shared secret
  • ciphertext: Binary encapsulated ciphertext
  • metadata: JSON metadata

QuantumDecapsulateSecret

Perform KEM decapsulation to recover shared secrets.

API Group & Version

qubessec.io/v1

Specification

apiVersion: qubessec.io/v1
kind: QuantumDecapsulateSecret
metadata:
  name: my-decapsulation
  namespace: default
spec:
  algorithm: Kyber1024 # Required
  privateKeyRef: # Required
    name: keypair-name
    namespace: default # Optional
  ciphertextRef: # Required
    name: encapsulation-resource
    namespace: default # Optional
  outputSecretName: recovered-secret # Optional

Spec Fields

  • algorithm (string, required): Kyber512, Kyber768, or Kyber1024
  • privateKeyRef.name (string, required): Name of QuantumKEMKeyPair resource
  • privateKeyRef.namespace (string, optional): Namespace of keypair
  • ciphertextRef.name (string, required): Name of QuantumEncapsulateSecret resource
  • ciphertextRef.namespace (string, optional): Namespace of encapsulation
  • outputSecretName (string, optional): Secret to store result

Status Fields

  • status (string): Pending, Success, or Failed
  • fingerprint (string): SHA256 fingerprint of recovered secret
  • lastUpdateTime (string): ISO8601 timestamp
  • error (string): Error message if failed

QuantumDerivedKey

Derive symmetric encryption keys from shared secrets using HKDF.

API Group & Version

qubessec.io/v1

Specification

apiVersion: qubessec.io/v1
kind: QuantumDerivedKey
metadata:
  name: my-derived-key
  namespace: default
spec:
  sharedSecretRef: # Required
    name: shared-secret
    namespace: default # Optional
  keyLength: 32 # Optional, default: 32 (256 bits)
  algorithm: HKDF-SHA256 # Optional, default
  info: "my-app" # Optional, for domain separation
  outputSecretName: derived # Optional

Spec Fields

  • sharedSecretRef.name (string, required): Name of shared secret source (QuantumEncapsulateSecret or QuantumDecapsulateSecret)
  • sharedSecretRef.namespace (string, optional): Namespace of shared secret
  • keyLength (integer, optional): Length of derived key in bytes (1-32, default: 32)
  • algorithm (string, optional): KDF algorithm (currently only HKDF-SHA256)
  • info (string, optional): Domain separation string
  • outputSecretName (string, optional): Secret to store result

Status Fields

  • status (string): Pending, Success, or Failed
  • fingerprint (string): SHA256 fingerprint of derived key
  • keyLength (integer): Length of derived key in bytes
  • lastUpdateTime (string): ISO8601 timestamp
  • error (string): Error message if failed

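The derivation behind QuantumDerivedKey, written out as an added example (this is not QubeSec's own code): HKDF-SHA256 per RFC 5869, with the spec's keyLength limit of 1-32 bytes and the info string giving domain separation. The reference does not document a salt, so the example assumes none (the RFC default); the shared_secret bytes are constructed.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 digest size; also the page's 32-byte keyLength ceiling


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF-SHA256 exactly as RFC 5869 defines it: extract, then expand."""
    if not 1 <= length <= 255 * HASH_LEN:
        raise ValueError("length out of range for HKDF-SHA256")
    # Extract: PRK = HMAC(salt, IKM); an absent salt is HASH_LEN zero bytes (RFC 5869 2.2).
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) | info | i), concatenated until `length` bytes.
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(shared_secret: bytes, info: str = "", key_length: int = 32) -> bytes:
    """Apply the QuantumDerivedKey spec limits: keyLength 1-32 bytes, optional info.

    Assumption (not stated on the page): no salt, i.e. the RFC 5869 default.
    """
    if not 1 <= key_length <= 32:
        raise ValueError("keyLength must be between 1 and 32 bytes")
    return hkdf_sha256(shared_secret, info.encode("utf-8"), key_length)


if __name__ == "__main__":
    # Constructed stand-in for the 32-byte shared_secret a QuantumEncapsulateSecret
    # Secret would hold; real deployments read it from the Secret, never hard-code it.
    shared = bytes(range(32))
    for app in ("billing", "inventory"):
        # Different info strings give unrelated keys from the same shared secret.
        print(app, derive_key(shared, info=app).hex())
```

Because HKDF output is a prefix-consistent stream, a 16-byte key is the first half of the 32-byte key for the same info; use distinct info values, not distinct lengths, to separate consumers.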
QuantumSignatureKeyPair

Generate keypairs for digital signatures.

API Group & Version

qubessec.io/v1

Specification

apiVersion: qubessec.io/v1
kind: QuantumSignatureKeyPair
metadata:
  name: my-signer
  namespace: default
spec:
  algorithm: Dilithium3 # Required

Spec Fields

  • algorithm (string, required): Dilithium2, Dilithium3, Dilithium5, Falcon512, Falcon1024, or SPHINCS+-SHA2-*

Status Fields

  • status (string): Pending, Success, or Failed
  • fingerprint (string): SHA256 fingerprint of public key
  • lastUpdateTime (string): ISO8601 timestamp
  • error (string): Error message if failed

Output Secret

Contains:

  • private_key: Binary private key
  • public_key: Binary public key
  • metadata: JSON metadata

QuantumSignMessage

Sign messages using a private key.

API Group & Version

qubessec.io/v1

Specification

apiVersion: qubessec.io/v1
kind: QuantumSignMessage
metadata:
  name: my-signature
  namespace: default
spec:
  privateKeyRef: # Required
    name: keypair
    namespace: default # Optional
  messageRef: # Required
    name: message-secret
    namespace: default # Optional
  algorithm: Dilithium3 # Required
  outputSecretName: sig # Optional

Spec Fields

  • privateKeyRef.name (string, required): Name of QuantumSignatureKeyPair
  • privateKeyRef.namespace (string, optional): Namespace of keypair
  • messageRef.name (string, required): Name of Secret containing message
  • messageRef.namespace (string, optional): Namespace of message Secret
  • algorithm (string, required): Signature algorithm
  • outputSecretName (string, optional): Secret to store signature

Status Fields

  • status (string): Pending, Success, or Failed
  • signature (string): Base64-encoded signature
  • messageFingerprint (string): SHA256 fingerprint of signed message
  • lastUpdateTime (string): ISO8601 timestamp
  • error (string): Error message if failed

QuantumVerifySignature

Verify signatures using a public key.

API Group & Version

qubessec.io/v1

Specification

apiVersion: qubessec.io/v1
kind: QuantumVerifySignature
metadata:
  name: my-verification
  namespace: default
spec:
  publicKeyRef: # Required
    name: keypair
    namespace: default # Optional
  messageRef: # Required
    name: message-secret
    namespace: default # Optional
  signatureRef: # Required
    name: signature-secret
    namespace: default # Optional
  algorithm: Dilithium3 # Required

Spec Fields

  • publicKeyRef.name (string, required): Name of QuantumSignatureKeyPair
  • publicKeyRef.namespace (string, optional): Namespace of keypair
  • messageRef.name (string, required): Name of Secret containing message
  • messageRef.namespace (string, optional): Namespace of message
  • signatureRef.name (string, required): Name of Secret containing signature
  • signatureRef.namespace (string, optional): Namespace of signature
  • algorithm (string, required): Signature algorithm

Status Fields

  • status (string): Valid, Invalid, Pending, or Failed
  • verified (boolean): True if signature is valid
  • messageFingerprint (string): SHA256 fingerprint of message
  • lastCheckedTime (string): ISO8601 timestamp of verification
  • error (string): Error message if failed

QuantumCertificate

Generate X.509 certificates with post-quantum algorithms.

API Group & Version

qubessec.io/v1

Specification

apiVersion: qubessec.io/v1
kind: QuantumCertificate
metadata:
  name: my-cert
  namespace: default
spec:
  algorithm: Dilithium3 # Required
  certType: self-signed # Required: self-signed, ca, or server
  commonName: "example.com" # Required
  subjectAltNames: # Optional
    - "example.com"
    - "*.example.com"
  organization: "My Org" # Optional
  organizationalUnit: "IT" # Optional
  country: "US" # Optional
  state: "CA" # Optional
  locality: "San Francisco" # Optional
  durationDays: 365 # Optional, default: 365
  outputSecretName: cert-secret # Optional
  parentCARef: # Optional, for CA-signed certs
    name: ca-resource
    namespace: default

Spec Fields

  • algorithm (string, required): Dilithium2, Dilithium3, Dilithium5, Falcon512, or Falcon1024
  • certType (string, required): self-signed, ca (Certificate Authority), or server
  • commonName (string, required): Certificate Common Name (CN)
  • subjectAltNames ([]string, optional): Subject Alternative Names (SANs)
  • organization (string, optional): Certificate Organization (O)
  • organizationalUnit (string, optional): Certificate Organizational Unit (OU)
  • country (string, optional): Certificate Country Code (C)
  • state (string, optional): Certificate State (ST)
  • locality (string, optional): Certificate Locality (L)
  • durationDays (integer, optional): Certificate validity in days (default: 365)
  • outputSecretName (string, optional): Secret to store certificate
  • parentCARef.name (string, optional): Parent CA name for signing
  • parentCARef.namespace (string, optional): Parent CA namespace

Status Fields

  • status (string): Pending, Success, or Failed
  • certPEM (string): Base64-encoded PEM certificate
  • privateKeyPEM (string): Base64-encoded private key
  • publicKeyPEM (string): Base64-encoded public key
  • issuer (string): Certificate issuer DN
  • subject (string): Certificate subject DN
  • notBefore (string): Certificate validity start date
  • notAfter (string): Certificate expiration date
  • fingerprint (string): SHA256 certificate fingerprint
  • serialNumber (string): Certificate serial number
  • error (string): Error message if failed

Output Secret

Contains:

  • cert.pem: PEM-encoded certificate
  • key.pem: PEM-encoded private key
  • pub.pem: PEM-encoded public key
  • metadata.json: Certificate metadata

Common Status Values

Status Field Values

  • Pending: Resource is being processed
  • Success: Operation completed successfully
  • Failed: Operation failed
  • Valid: For QuantumVerifySignature, the signature is valid
  • Invalid: For QuantumVerifySignature, the signature is invalid

Fingerprint Format

  • SHA256 hash of content
  • Base16 (hex) encoded
  • First 10 characters taken
  • Example: a1b2c3d4e5

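The fingerprint format above, as an added example (not QubeSec's own code): compute it the way the reference describes and use it to confirm that a Secret's content actually matches the status.fingerprint of the resource that produced it before a workload trusts the key. The Secret data and status values below are constructed.

```python
import base64
import binascii
import hashlib
import hmac

FINGERPRINT_HEX_CHARS = 10  # the reference keeps the first 10 hex characters of SHA256


def fingerprint(content: bytes) -> str:
    """SHA256 of the content, hex (base16) encoded, truncated to 10 characters."""
    return hashlib.sha256(content).hexdigest()[:FINGERPRINT_HEX_CHARS]


def secret_matches_status(secret_data: dict, key: str, status_fingerprint: str) -> bool:
    """True when Secret entry `key` hashes to the owning resource's status fingerprint.

    `secret_data` is the `.data` map of a Secret as `kubectl get secret -o json` shows it,
    so values are base64. A missing key or malformed base64 counts as a mismatch.
    """
    encoded = secret_data.get(key)
    if encoded is None:
        return False
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return False
    # compare_digest keeps the comparison constant-time even for short fingerprints.
    return hmac.compare_digest(fingerprint(raw), status_fingerprint.strip().lower())


# Constructed sample: a public_key value and the status a controller would report for it.
SAMPLE_PUBLIC_KEY = b"constructed-public-key-bytes-not-a-real-kyber-key"
SAMPLE_SECRET_DATA = {"public_key": base64.b64encode(SAMPLE_PUBLIC_KEY).decode("ascii")}
SAMPLE_STATUS = {"status": "Success", "fingerprint": fingerprint(SAMPLE_PUBLIC_KEY)}

if __name__ == "__main__":
    print("status fingerprint:", SAMPLE_STATUS["fingerprint"])
    ok = secret_matches_status(SAMPLE_SECRET_DATA, "public_key", SAMPLE_STATUS["fingerprint"])
    print("secret matches status:", ok)
```

Ten hex characters (40 bits) is a handle for spotting a stale or swapped Secret, not a full-hash comparison; where integrity matters, compare the complete SHA256 of the Secret content out of band.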
Common Patterns

Cross-Namespace References

publicKeyRef:
  name: keypair
  namespace: other-namespace # Requires RBAC permissions

Referencing Secrets

messageRef:
  name: my-secret # Must exist as Kubernetes Secret
  # Secret should contain message data in .data.content or similar

Output Secret Naming

If outputSecretName is not specified:

  • QuantumKEMKeyPair → <resource-name>
  • QuantumEncapsulateSecret → <resource-name>
  • QuantumSignMessage → <resource-name>-signature
  • QuantumCertificate → <resource-name>-secret

Field Validation Rules

  • All resources, metadata.name: DNS-1123 label (lowercase alphanumeric, hyphens)
  • QuantumRandomNumber, spec.numBytes: 1-65536
  • QuantumDerivedKey, spec.keyLength: 1-32
  • QuantumCertificate, spec.durationDays: 1-36500
  • QuantumCertificate, spec.country: 2 characters

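The validation rules above as a pre-apply lint, an added example rather than the operator's own admission logic: it checks a manifest dict (as loaded from YAML) against the name, range and country rules so that a CI step can reject a bad resource before the controller reports Failed. The 63-character label limit is the standard DNS-1123 bound; the manifests in the main block are constructed.

```python
import re

# DNS-1123 label: lowercase alphanumerics and hyphens, starts/ends alphanumeric, max 63 chars.
DNS_1123_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
DNS_1123_MAX_LEN = 63

# Integer ranges from the "Field Validation Rules" table: field -> (min, max, required).
# numBytes is required by the QuantumRandomNumber spec; the other two have defaults.
INTEGER_RULES = {
    "QuantumRandomNumber": {"numBytes": (1, 65536, True)},
    "QuantumDerivedKey": {"keyLength": (1, 32, False)},
    "QuantumCertificate": {"durationDays": (1, 36500, False)},
}


def validate_manifest(manifest: dict) -> list:
    """Return the rule violations found (empty when the manifest passes every rule here)."""
    errors = []
    name = manifest.get("metadata", {}).get("name", "")
    if not (isinstance(name, str) and DNS_1123_LABEL.match(name) and len(name) <= DNS_1123_MAX_LEN):
        errors.append("metadata.name must be a DNS-1123 label")
    kind = manifest.get("kind")
    spec = manifest.get("spec") or {}
    for field, (low, high, required) in INTEGER_RULES.get(kind, {}).items():
        value = spec.get(field)
        if value is None:
            if required:
                errors.append(f"spec.{field} is required for {kind}")
            continue
        # bool is a subclass of int; reject it explicitly so `true` does not pass as 1.
        if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
            errors.append(f"spec.{field} must be an integer in {low}-{high}")
    if kind == "QuantumCertificate":
        country = spec.get("country")
        if country is not None and len(str(country)) != 2:
            errors.append("spec.country must be exactly 2 characters")
    return errors


if __name__ == "__main__":
    # Constructed manifest that breaks two rules at once.
    bad = {"kind": "QuantumRandomNumber", "metadata": {"name": "My_Random"}, "spec": {"numBytes": 70000}}
    for problem in validate_manifest(bad):
        print("-", problem)
```
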
See Also