diff --git a/controllers/kamajicontrolplane_controller_resources.go b/controllers/kamajicontrolplane_controller_resources.go
index 5746e05..7004c5a 100644
--- a/controllers/kamajicontrolplane_controller_resources.go
+++ b/controllers/kamajicontrolplane_controller_resources.go
@@ -131,7 +131,7 @@ func (r *KamajiControlPlaneReconciler) createOrUpdateKubeconfig(ctx context.Cont
 	kamajiAdminKubeconfig.Namespace = tcp.Namespace
 
 	if err := r.client.Get(ctx, types.NamespacedName{Name: kamajiAdminKubeconfig.Name, Namespace: kamajiAdminKubeconfig.Namespace}, kamajiAdminKubeconfig); err != nil {
-		return errors.Wrap(err, "cannot retrieve source-of-truth for admin kubecofig")
+		return errors.Wrap(err, "cannot retrieve source-of-truth for admin kubeconfig")
 	}
 
 	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
@@ -147,7 +147,12 @@ func (r *KamajiControlPlaneReconciler) createOrUpdateKubeconfig(ctx context.Cont
 			labels["kamaji.clastix.io/cluster"] = cluster.Name
 			labels["kamaji.clastix.io/tcp"] = tcp.Name
 
-			value, ok := kamajiAdminKubeconfig.Data["admin.conf"]
+			secretKey := "admin.conf"
+			if v, ok := kcp.GetAnnotations()[kamajiv1alpha1.KubeconfigSecretKeyAnnotation]; ok && v != "" {
+				secretKey = v
+			}
+
+			value, ok := kamajiAdminKubeconfig.Data[secretKey]
 			if !ok {
 				return errors.New("missing key from *kamajiv1alpha1.TenantControlPlane admin kubeconfig secret")
 			}
diff --git a/controllers/kamajicontrolplane_controller_tcp.go b/controllers/kamajicontrolplane_controller_tcp.go
index f570f52..1910b1c 100644
--- a/controllers/kamajicontrolplane_controller_tcp.go
+++ b/controllers/kamajicontrolplane_controller_tcp.go
@@ -24,6 +24,16 @@ func (r *KamajiControlPlaneReconciler) createOrUpdateTenantControlPlane(ctx cont
 	tcp.Name = kcp.GetName()
 	tcp.Namespace = kcp.GetNamespace()
 
+	if tcp.Annotations == nil {
+		tcp.Annotations = make(map[string]string)
+	}
+
+	if kubeconfigSecretKey := kcp.Annotations[kamajiv1alpha1.KubeconfigSecretKeyAnnotation]; kubeconfigSecretKey != "" {
+		tcp.Annotations[kamajiv1alpha1.KubeconfigSecretKeyAnnotation] = kubeconfigSecretKey
+	} else {
+		delete(tcp.Annotations, kamajiv1alpha1.KubeconfigSecretKeyAnnotation)
+	}
+
 	err := retry.RetryOnConflict(retry.DefaultRetry, func() error {
 		_, scopeErr := controllerutil.CreateOrUpdate(ctx, r.client, tcp, func() error {
 			// TenantControlPlane port