Install Kapp Controller Using Kubectl (vSphere 7 only)

This topic explains how to manually install the Kapp Controller to enable installing Tanzu packages in Supervisor-deployed workload clusters running on vSphere 7.

The Kapp Controller component is required to install, customize, and update Tanzu Packages on TKG clusters.

Workload clusters that run on vSphere 7-compatible TKrs do not have the Kapp Controller pre-installed, so you must install it manually as described below. Workload clusters running on vSphere 8-compatible TKrs already have Kapp Controller installed.

See the TKr Release Notes for TKr version compatibility with vSphere versions.

Also see the upstream Kapp Controller installation instructions for additional guidance and troubleshooting.

To manually install Kapp Controller on a TKG cluster that is running a vSphere 7-compatible TKr:

  1. List the available Kapp Controller versions in the repository.

    imgpkg tag list -i projects.registry.vmware.com/tkg/kapp-controller
    

    The command returns all available Kapp Controller package versions.

    Tags
    
    Name
    v0.16.0_vmware.1
    v0.18.0_vmware.1
    v0.23.0_vmware.1
    v0.25.0_vmware.1
    v0.30.0_vmware.1
    v0.30.1_vmware.1
    v0.38.4_vmware.1
    v0.38.5_vmware.2
    v0.41.5_vmware.1
    v0.41.7_vmware.1
    v0.45.2_vmware.1
    
    11 tags
    
    Succeeded
    
    

    Note: It is recommended that you install the latest version of Kapp Controller, which for this repository is v0.45.2_vmware.1. If you experience an error using this version, try version v0.30.1_vmware.1.

  2. Create the kapp-controller.yaml file.

    1. Copy the code in Kapp Controller Manifest below.
    2. Typically you do not need to change the manifest. If you do customize it, the embedded description fields explain each setting.
  3. Install Kapp Controller.

    kubectl apply -f kapp-controller.yaml
    
  4. Verify the installation of Kapp Controller.

    kubectl get pods -A
    

    You should see the following.

    tkg-system         kapp-controller-...            1/1     Running    0      16m
    

Kapp Controller Manifest

The code to use for your kapp-controller.yaml file depends on the Kubernetes version that your management cluster runs, and whether it uses Pod Security Policy (PSP) objects or the Pod Security Admission controller.

Starting with TKr v1.25, the Pod Security Admission (PSA) controller replaces PSPs. For more information, refer to the TKr Release Notes.

Manifest for Kubernetes v1.25 or later

If you are using TKr v1.25 or later, which requires PSA, use the following kapp-controller.yaml to install the Kapp Controller.

If you are using TKr v1.26 or later, which enforces PSA restricted mode, you must also create a binding so that the pod can run, in addition to using the following kapp-controller.yaml. (The pod runs in the tkg-system namespace, which cannot be edited, hence the need for a binding.) The following example uses a ClusterRoleBinding, which applies cluster-wide: as written, it grants the cluster-admin ClusterRole to the system:authenticated group, that is, to every authenticated user and service account in the cluster. For tighter security, use a RoleBinding, which limits the grant to a single namespace.

    kubectl create clusterrolebinding default-tkg-admin-privileged-binding --clusterrole=cluster-admin --group=system:authenticated
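
A check for the binding created above, as an added example that is not part of the original documentation: it reads JSON in the shape produced by `kubectl get clusterrolebindings,rolebindings -A -o json` and reports every binding that grants a high-privilege ClusterRole to a catch-all group, along with the scope of the grant. The sample input is constructed; the RoleBinding name `tkg-admin-privileged-binding` and the set of roles treated as high privilege are assumptions.

```python
import json

# Groups that match whole classes of callers instead of a named identity.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}
# Built-in ClusterRoles treated as high privilege here (assumption; extend for your cluster).
HIGH_PRIV_CLUSTERROLES = {"cluster-admin", "admin", "edit"}

# Constructed sample, shaped like `kubectl get clusterrolebindings,rolebindings -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "default-tkg-admin-privileged-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "RoleBinding",
   "metadata": {"name": "tkg-admin-privileged-binding", "namespace": "tkg-system"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "system:basic-user"},
   "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
   "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"kind": "ClusterRoleBinding",
   "metadata": {"name": "empty-binding"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": null}
]}
""")


def audit_bindings(doc):
    """Return one finding per binding that gives a broad group a high-privilege ClusterRole."""
    findings = []
    for item in doc.get("items", []):
        kind = item.get("kind")
        if kind not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        ref = item.get("roleRef") or {}
        # A namespaced Role that happens to be called "admin" is not the built-in ClusterRole.
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in HIGH_PRIV_CLUSTERROLES:
            continue
        # `subjects` may be missing or null on a binding with no subjects.
        groups = sorted({s.get("name") for s in (item.get("subjects") or [])
                         if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS})
        if not groups:
            continue
        meta = item.get("metadata") or {}
        if kind == "ClusterRoleBinding":
            # The grant applies to every namespace and to cluster-scoped resources.
            scope, severity = "cluster-wide", "critical"
        else:
            # A RoleBinding confines the same ClusterRole to its own namespace.
            scope, severity = "namespace/" + meta.get("namespace", "default"), "high"
        findings.append({
            "binding": meta.get("name", ""),
            "kind": kind,
            "role": ref["name"],
            "groups": groups,
            "scope": scope,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit_bindings(SAMPLE):
        print("{severity:8} {kind} {binding}: {role} -> {groups} ({scope})".format(**f))
```

To audit a live cluster, replace `SAMPLE` with the parsed output of the `kubectl get` command named in the lead-in.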

Below is the kapp-controller.yaml manifest for TKr v1.25 and later.

---
apiVersion: v1
kind: Namespace
metadata:
  name: tkg-system
---
apiVersion: v1
kind: Namespace
metadata:
  name: kapp-controller-packaging-global
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.data.packaging.carvel.dev
spec:
  group: data.packaging.carvel.dev
  groupPriorityMinimum: 100
  service:
    name: packaging-api
    namespace: tkg-system
  version: v1alpha1
  versionPriority: 100
---
apiVersion: v1
kind: Service
metadata:
  name: packaging-api
  namespace: tkg-system
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: api
  selector:
    app: kapp-controller
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: internalpackagemetadatas.internal.packaging.carvel.dev
spec:
  group: internal.packaging.carvel.dev
  names:
    kind: InternalPackageMetadata
    listKind: InternalPackageMetadataList
    plural: internalpackagemetadatas
    singular: internalpackagemetadata
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              categories:
                description: Classifiers of the package (optional; Array of strings)
                items:
                  type: string
                type: array
              displayName:
                description: Human friendly name of the package (optional; string)
                type: string
              iconSVGBase64:
                description: Base64 encoded icon (optional; string)
                type: string
              longDescription:
                description: Long description of the package (optional; string)
                type: string
              maintainers:
                description: List of maintainer info for the package. Currently only
                  supports the name key. (optional; array of maintner info)
                items:
                  properties:
                    name:
                      type: string
                  type: object
                type: array
              providerName:
                description: Name of the entity distributing the package (optional;
                  string)
                type: string
              shortDescription:
                description: Short desription of the package (optional; string)
                type: string
              supportDescription:
                description: Description of the support available for the package
                  (optional; string)
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: internalpackages.internal.packaging.carvel.dev
spec:
  group: internal.packaging.carvel.dev
  names:
    kind: InternalPackage
    listKind: InternalPackageList
    plural: internalpackages
    singular: internalpackage
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              capacityRequirementsDescription:
                description: 'System requirements needed to install the package. Note:
                  these requirements will not be verified by kapp-controller on installation.
                  (optional; string)'
                type: string
              includedSoftware:
                description: IncludedSoftware can be used to show the software contents
                  of a Package. This is especially useful if the underlying versions
                  do not match the Package version
                items:
                  description: IncludedSoftware contains the underlying Software Contents
                    of a Package
                  properties:
                    description:
                      type: string
                    displayName:
                      type: string
                    version:
                      type: string
                  type: object
                type: array
              kappControllerVersionSelection:
                description: KappControllerVersionSelection specifies the versions
                  of kapp-controller which can install this package
                properties:
                  constraints:
                    type: string
                type: object
              kubernetesVersionSelection:
                description: KubernetesVersionSelection specifies the versions of
                  k8s which this package can be installed on
                properties:
                  constraints:
                    type: string
                type: object
              licenses:
                description: Description of the licenses that apply to the package
                  software (optional; Array of strings)
                items:
                  type: string
                type: array
              refName:
                description: The name of the PackageMetadata associated with this
                  version Must be a valid PackageMetadata name (see PackageMetadata
                  CR for details) Cannot be empty
                type: string
              releaseNotes:
                description: Version release notes (optional; string)
                type: string
              releasedAt:
                description: Timestamp of release (iso8601 formatted string; optional)
                format: date-time
                nullable: true
                type: string
              template:
                properties:
                  spec:
                    properties:
                      canceled:
                        description: Cancels current and future reconciliations (optional;
                          default=false)
                        type: boolean
                      cluster:
                        description: Specifies that app should be deployed to destination
                          cluster; by default, cluster is same as where this resource
                          resides (optional; v0.5.0+)
                        properties:
                          kubeconfigSecretRef:
                            description: Specifies secret containing kubeconfig (required)
                            properties:
                              key:
                                description: Specifies key that contains kubeconfig
                                  (optional)
                                type: string
                              name:
                                description: Specifies secret name within app's namespace
                                  (required)
                                type: string
                            type: object
                          namespace:
                            description: Specifies namespace in destination cluster
                              (optional)
                            type: string
                        type: object
                      deploy:
                        items:
                          properties:
                            kapp:
                              description: Use kapp to deploy resources
                              properties:
                                delete:
                                  description: Configuration for delete command (optional)
                                  properties:
                                    rawOptions:
                                      description: Pass through options to kapp delete
                                        (optional)
                                      items:
                                        type: string
                                      type: array
                                  type: object
                                inspect:
                                  description: 'Configuration for inspect command
                                    (optional) as of kapp-controller v0.31.0, inspect
                                    is disabled by default add rawOptions or use an
                                    empty inspect config like `inspect: {}` to enable'
                                  properties:
                                    rawOptions:
                                      description: Pass through options to kapp inspect
                                        (optional)
                                      items:
                                        type: string
                                      type: array
                                  type: object
                                intoNs:
                                  description: Override namespace for all resources
                                    (optional)
                                  type: string
                                mapNs:
                                  description: Provide custom namespace override mapping
                                    (optional)
                                  items:
                                    type: string
                                  type: array
                                rawOptions:
                                  description: Pass through options to kapp deploy
                                    (optional)
                                  items:
                                    type: string
                                  type: array
                              type: object
                          type: object
                        type: array
                      fetch:
                        items:
                          properties:
                            git:
                              description: Uses git to clone repository
                              properties:
                                lfsSkipSmudge:
                                  description: Skip lfs download (optional)
                                  type: boolean
                                ref:
                                  description: Branch, tag, commit; origin is the
                                    name of the remote (optional)
                                  type: string
                                refSelection:
                                  description: Specifies a strategy to resolve to
                                    an explicit ref (optional; v0.24.0+)
                                  properties:
                                    semver:
                                      properties:
                                        constraints:
                                          type: string
                                        prereleases:
                                          properties:
                                            identifiers:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                      type: object
                                  type: object
                                secretRef:
                                  description: 'Secret with auth details. allowed
                                    keys: ssh-privatekey, ssh-knownhosts, username,
                                    password (optional) (if ssh-knownhosts is not
                                    specified, git will not perform strict host checking)'
                                  properties:
                                    name:
                                      description: Object is expected to be within
                                        same namespace
                                      type: string
                                  type: object
                                subPath:
                                  description: Grab only portion of repository (optional)
                                  type: string
                                url:
                                  description: http or ssh urls are supported (required)
                                  type: string
                              type: object
                            helmChart:
                              description: Uses helm fetch to fetch specified chart
                              properties:
                                name:
                                  description: 'Example: stable/redis'
                                  type: string
                                repository:
                                  properties:
                                    secretRef:
                                      properties:
                                        name:
                                          description: Object is expected to be within
                                            same namespace
                                          type: string
                                      type: object
                                    url:
                                      description: Repository url; scheme of oci://
                                        will fetch experimental helm oci chart (v0.19.0+)
                                        (required)
                                      type: string
                                  type: object
                                version:
                                  type: string
                              type: object
                            http:
                              description: Uses http library to fetch file
                              properties:
                                secretRef:
                                  description: 'Secret to provide auth details (optional)
                                    Secret may include one or more keys: username,
                                    password'
                                  properties:
                                    name:
                                      description: Object is expected to be within
                                        same namespace
                                      type: string
                                  type: object
                                sha256:
                                  description: Checksum to verify after download (optional)
                                  type: string
                                subPath:
                                  description: Grab only portion of download (optional)
                                  type: string
                                url:
                                  description: 'URL can point to one of following
                                    formats: text, tgz, zip http and https url are
                                    supported; plain file, tgz and tar types are supported
                                    (required)'
                                  type: string
                              type: object
                            image:
                              description: Pulls content from Docker/OCI registry
                              properties:
                                secretRef:
                                  description: 'Secret may include one or more keys:
                                    username, password, token. By default anonymous
                                    access is used for authentication.'
                                  properties:
                                    name:
                                      description: Object is expected to be within
                                        same namespace
                                      type: string
                                  type: object
                                subPath:
                                  description: Grab only portion of image (optional)
                                  type: string
                                tagSelection:
                                  description: Specifies a strategy to choose a tag
                                    (optional; v0.24.0+) if specified, do not include
                                    a tag in url key
                                  properties:
                                    semver:
                                      properties:
                                        constraints:
                                          type: string
                                        prereleases:
                                          properties:
                                            identifiers:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                      type: object
                                  type: object
                                url:
                                  description: 'Docker image url; unqualified, tagged,
                                    or digest references supported (required) Example:
                                    username/app1-config:v0.1.0'
                                  type: string
                              type: object
                            imgpkgBundle:
                              description: Pulls imgpkg bundle from Docker/OCI registry
                                (v0.17.0+)
                              properties:
                                image:
                                  description: Docker image url; unqualified, tagged,
                                    or digest references supported (required)
                                  type: string
                                secretRef:
                                  description: 'Secret may include one or more keys:
                                    username, password, token. By default anonymous
                                    access is used for authentication.'
                                  properties:
                                    name:
                                      description: Object is expected to be within
                                        same namespace
                                      type: string
                                  type: object
                                tagSelection:
                                  description: Specifies a strategy to choose a tag
                                    (optional; v0.24.0+) if specified, do not include
                                    a tag in url key
                                  properties:
                                    semver:
                                      properties:
                                        constraints:
                                          type: string
                                        prereleases:
                                          properties:
                                            identifiers:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                      type: object
                                  type: object
                              type: object
                            inline:
                              description: Pulls content from within this resource;
                                or other resources in the cluster
                              properties:
                                paths:
                                  additionalProperties:
                                    type: string
                                  description: Specifies mapping of paths to their
                                    content; not recommended for sensitive values
                                    as CR is not encrypted (optional)
                                  type: object
                                pathsFrom:
                                  description: Specifies content via secrets and config
                                    maps; data values are recommended to be placed
                                    in secrets (optional)
                                  items:
                                    properties:
                                      configMapRef:
                                        properties:
                                          directoryPath:
                                            description: Specifies where to place
                                              files found in secret (optional)
                                            type: string
                                          name:
                                            type: string
                                        type: object
                                      secretRef:
                                        properties:
                                          directoryPath:
                                            description: Specifies where to place
                                              files found in secret (optional)
                                            type: string
                                          name:
                                            type: string
                                        type: object
                                    type: object
                                  type: array
                              type: object
                            path:
                              description: Relative path to place the fetched artifacts
                              type: string
                          type: object
                        type: array
                      noopDelete:
                        description: Deletion requests for the App will result in
                          the App CR being deleted, but its associated resources will
                          not be deleted (optional; default=false; v0.18.0+)
                        type: boolean
                      paused:
                        description: Pauses _future_ reconciliation; does _not_ affect
                          currently running reconciliation (optional; default=false)
                        type: boolean
                      serviceAccountName:
                        description: Specifies that app should be deployed authenticated
                          via given service account, found in this namespace (optional;
                          v0.6.0+)
                        type: string
                      syncPeriod:
                        description: Specifies the length of time to wait, in time
                          + unit format, before reconciling. Always >= 30s. If value
                          below 30s is specified, 30s will be used. (optional; v0.9.0+;
                          default=30s)
                        type: string
                      template:
                        items:
                          properties:
                            cue:
                              properties:
                                inputExpression:
                                  description: Cue expression for single path component,
                                    can be used to unify ValuesFrom into a given field
                                    (optional)
                                  type: string
                                outputExpression:
                                  description: Cue expression to output, default will
                                    export all visible fields (optional)
                                  type: string
                                paths:
                                  description: Explicit list of files/directories
                                    (optional)
                                  items:
                                    type: string
                                  type: array
                                valuesFrom:
                                  description: Provide values (optional)
                                  items:
                                    properties:
                                      configMapRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                      downwardAPI:
                                        properties:
                                          items:
                                            items:
                                              properties:
                                                fieldPath:
                                                  description: 'Required: Selects
                                                    a field of the app: only annotations,
                                                    labels, uid, name and namespace
                                                    are supported.'
                                                  type: string
                                                kappControllerVersion:
                                                  description: 'Optional: Get running
                                                    KappController version, defaults
                                                    (empty) to retrieving the current
                                                    running version.. Can be manually
                                                    supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                kubernetesAPIs:
                                                  description: 'Optional: Get running
                                                    KubernetesAPIs from cluster, defaults
                                                    (empty) to retrieving the APIs
                                                    from the cluster. Can be manually
                                                    supplied instead, e.g ["group/version",
                                                    "group2/version2"]'
                                                  properties:
                                                    groupVersions:
                                                      items:
                                                        type: string
                                                      type: array
                                                  type: object
                                                kubernetesVersion:
                                                  description: 'Optional: Get running
                                                    Kubernetes version from cluster,
                                                    defaults (empty) to retrieving
                                                    the version from the cluster.
                                                    Can be manually supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                name:
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      path:
                                        type: string
                                      secretRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                    type: object
                                  type: array
                              type: object
                            helmTemplate:
                              description: Use helm template command to render helm
                                chart
                              properties:
                                kubernetesAPIs:
                                  description: 'Optional: Use kubernetes group/versions
                                    resources available in the live cluster'
                                  properties:
                                    groupVersions:
                                      items:
                                        type: string
                                      type: array
                                  type: object
                                kubernetesVersion:
                                  description: 'Optional: Get Kubernetes version,
                                    defaults (empty) to retrieving the version from
                                    the cluster. Can be manually overridden to a value
                                    instead.'
                                  properties:
                                    version:
                                      type: string
                                  type: object
                                name:
                                  description: Set name explicitly, default is App
                                    CR's name (optional; v0.13.0+)
                                  type: string
                                namespace:
                                  description: Set namespace explicitly, default is
                                    App CR's namespace (optional; v0.13.0+)
                                  type: string
                                path:
                                  description: Path to chart (optional; v0.13.0+)
                                  type: string
                                valuesFrom:
                                  description: One or more secrets, config maps, paths
                                    that provide values (optional)
                                  items:
                                    properties:
                                      configMapRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                      downwardAPI:
                                        properties:
                                          items:
                                            items:
                                              properties:
                                                fieldPath:
                                                  description: 'Required: Selects
                                                    a field of the app: only annotations,
                                                    labels, uid, name and namespace
                                                    are supported.'
                                                  type: string
                                                kappControllerVersion:
                                                  description: 'Optional: Get running
                                                    KappController version, defaults
                                                    (empty) to retrieving the current
                                                    running version. Can be manually
                                                    supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                kubernetesAPIs:
                                                  description: 'Optional: Get running
                                                    KubernetesAPIs from cluster, defaults
                                                    (empty) to retrieving the APIs
                                                    from the cluster. Can be manually
                                                    supplied instead, e.g ["group/version",
                                                    "group2/version2"]'
                                                  properties:
                                                    groupVersions:
                                                      items:
                                                        type: string
                                                      type: array
                                                  type: object
                                                kubernetesVersion:
                                                  description: 'Optional: Get running
                                                    Kubernetes version from cluster,
                                                    defaults (empty) to retrieving
                                                    the version from the cluster.
                                                    Can be manually supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                name:
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      path:
                                        type: string
                                      secretRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                    type: object
                                  type: array
                              type: object
                            jsonnet:
                              description: TODO implement jsonnet
                              type: object
                            kbld:
                              description: Use kbld to resolve image references to
                                use digests
                              properties:
                                paths:
                                  items:
                                    type: string
                                  type: array
                              type: object
                            kustomize:
                              description: TODO implement kustomize
                              type: object
                            sops:
                              description: Use sops to decrypt *.sops.yml files (optional;
                                v0.11.0+)
                              properties:
                                age:
                                  properties:
                                    privateKeysSecretRef:
                                      description: Secret with private armored PGP
                                        private keys (required)
                                      properties:
                                        name:
                                          type: string
                                      type: object
                                  type: object
                                paths:
                                  description: Lists paths to decrypt explicitly (optional;
                                    v0.13.0+)
                                  items:
                                    type: string
                                  type: array
                                pgp:
                                  description: Use PGP to decrypt files (required)
                                  properties:
                                    privateKeysSecretRef:
                                      description: Secret with private armored PGP
                                        private keys (required)
                                      properties:
                                        name:
                                          type: string
                                      type: object
                                  type: object
                              type: object
                            ytt:
                              description: Use ytt to template configuration
                              properties:
                                fileMarks:
                                  description: Control metadata about input files
                                    passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
                                    for more details
                                  items:
                                    type: string
                                  type: array
                                ignoreUnknownComments:
                                  description: Ignores comments that ytt doesn't recognize
                                    (optional; default=false)
                                  type: boolean
                                inline:
                                  description: Specify additional files, including
                                    data values (optional)
                                  properties:
                                    paths:
                                      additionalProperties:
                                        type: string
                                      description: Specifies mapping of paths to their
                                        content; not recommended for sensitive values
                                        as CR is not encrypted (optional)
                                      type: object
                                    pathsFrom:
                                      description: Specifies content via secrets and
                                        config maps; data values are recommended to
                                        be placed in secrets (optional)
                                      items:
                                        properties:
                                          configMapRef:
                                            properties:
                                              directoryPath:
                                                description: Specifies where to place
                                                  files found in secret (optional)
                                                type: string
                                              name:
                                                type: string
                                            type: object
                                          secretRef:
                                            properties:
                                              directoryPath:
                                                description: Specifies where to place
                                                  files found in secret (optional)
                                                type: string
                                              name:
                                                type: string
                                            type: object
                                        type: object
                                      type: array
                                  type: object
                                paths:
                                  description: Lists paths to provide to ytt explicitly
                                    (optional)
                                  items:
                                    type: string
                                  type: array
                                strict:
                                  description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
                                    (optional; default=false)
                                  type: boolean
                                valuesFrom:
                                  description: Provide values via ytt's --data-values-file
                                    (optional; v0.19.0-alpha.9)
                                  items:
                                    properties:
                                      configMapRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                      downwardAPI:
                                        properties:
                                          items:
                                            items:
                                              properties:
                                                fieldPath:
                                                  description: 'Required: Selects
                                                    a field of the app: only annotations,
                                                    labels, uid, name and namespace
                                                    are supported.'
                                                  type: string
                                                kappControllerVersion:
                                                  description: 'Optional: Get running
                                                    KappController version, defaults
                                                    (empty) to retrieving the current
                                                    running version. Can be manually
                                                    supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                kubernetesAPIs:
                                                  description: 'Optional: Get running
                                                    KubernetesAPIs from cluster, defaults
                                                    (empty) to retrieving the APIs
                                                    from the cluster. Can be manually
                                                    supplied instead, e.g ["group/version",
                                                    "group2/version2"]'
                                                  properties:
                                                    groupVersions:
                                                      items:
                                                        type: string
                                                      type: array
                                                  type: object
                                                kubernetesVersion:
                                                  description: 'Optional: Get running
                                                    Kubernetes version from cluster,
                                                    defaults (empty) to retrieving
                                                    the version from the cluster.
                                                    Can be manually supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                name:
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      path:
                                        type: string
                                      secretRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                    type: object
                                  type: array
                              type: object
                          type: object
                        type: array
                    type: object
                required:
                - spec
                type: object
              valuesSchema:
                description: valuesSchema can be used to show template values that
                  can be configured by users when a Package is installed in an OpenAPI
                  schema format.
                properties:
                  openAPIv3:
                    nullable: true
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                type: object
              version:
                description: Package version; Referenced by PackageInstall; Must be
                  valid semver (required) Cannot be empty
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: apps.kappctrl.k14s.io
spec:
  group: kappctrl.k14s.io
  names:
    categories:
    - carvel
    kind: App
    listKind: AppList
    plural: apps
    singular: app
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Last time app started being deployed. Does not mean anything was
        changed.
      jsonPath: .status.deploy.startedAt
      name: Since-Deploy
      type: date
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'An App is a set of Kubernetes resources. These resources could
          span any number of namespaces or could be cluster-wide (e.g. CRDs). An App
          is represented in kapp-controller using an App CR. The App CR comprises
          three main sections: spec.fetch – declare source for fetching configuration
          and OCI images; spec.template – declare templating tool and values; spec.deploy
          – declare deployment tool and any deploy specific configuration'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              canceled:
                description: Cancels current and future reconciliations (optional;
                  default=false)
                type: boolean
              cluster:
                description: Specifies that app should be deployed to destination
                  cluster; by default, cluster is same as where this resource resides
                  (optional; v0.5.0+)
                properties:
                  kubeconfigSecretRef:
                    description: Specifies secret containing kubeconfig (required)
                    properties:
                      key:
                        description: Specifies key that contains kubeconfig (optional)
                        type: string
                      name:
                        description: Specifies secret name within app's namespace
                          (required)
                        type: string
                    type: object
                  namespace:
                    description: Specifies namespace in destination cluster (optional)
                    type: string
                type: object
              deploy:
                items:
                  properties:
                    kapp:
                      description: Use kapp to deploy resources
                      properties:
                        delete:
                          description: Configuration for delete command (optional)
                          properties:
                            rawOptions:
                              description: Pass through options to kapp delete (optional)
                              items:
                                type: string
                              type: array
                          type: object
                        inspect:
                          description: 'Configuration for inspect command (optional);
                            as of kapp-controller v0.31.0, inspect is disabled by
                            default; add rawOptions or use an empty inspect config
                            like `inspect: {}` to enable'
                          properties:
                            rawOptions:
                              description: Pass through options to kapp inspect (optional)
                              items:
                                type: string
                              type: array
                          type: object
                        intoNs:
                          description: Override namespace for all resources (optional)
                          type: string
                        mapNs:
                          description: Provide custom namespace override mapping (optional)
                          items:
                            type: string
                          type: array
                        rawOptions:
                          description: Pass through options to kapp deploy (optional)
                          items:
                            type: string
                          type: array
                      type: object
                  type: object
                type: array
              fetch:
                items:
                  properties:
                    git:
                      description: Uses git to clone repository
                      properties:
                        lfsSkipSmudge:
                          description: Skip lfs download (optional)
                          type: boolean
                        ref:
                          description: Branch, tag, commit; origin is the name of
                            the remote (optional)
                          type: string
                        refSelection:
                          description: Specifies a strategy to resolve to an explicit
                            ref (optional; v0.24.0+)
                          properties:
                            semver:
                              properties:
                                constraints:
                                  type: string
                                prereleases:
                                  properties:
                                    identifiers:
                                      items:
                                        type: string
                                      type: array
                                  type: object
                              type: object
                          type: object
                        secretRef:
                          description: 'Secret with auth details. allowed keys: ssh-privatekey,
                            ssh-knownhosts, username, password (optional) (if ssh-knownhosts
                            is not specified, git will not perform strict host checking)'
                          properties:
                            name:
                              description: Object is expected to be within same namespace
                              type: string
                          type: object
                        subPath:
                          description: Grab only portion of repository (optional)
                          type: string
                        url:
                          description: http or ssh urls are supported (required)
                          type: string
                      type: object
                    helmChart:
                      description: Uses helm fetch to fetch specified chart
                      properties:
                        name:
                          description: 'Example: stable/redis'
                          type: string
                        repository:
                          properties:
                            secretRef:
                              properties:
                                name:
                                  description: Object is expected to be within same
                                    namespace
                                  type: string
                              type: object
                            url:
                              description: Repository url; scheme of oci:// will fetch
                                experimental helm oci chart (v0.19.0+) (required)
                              type: string
                          type: object
                        version:
                          type: string
                      type: object
                    http:
                      description: Uses http library to fetch file
                      properties:
                        secretRef:
                          description: 'Secret to provide auth details (optional)
                            Secret may include one or more keys: username, password'
                          properties:
                            name:
                              description: Object is expected to be within same namespace
                              type: string
                          type: object
                        sha256:
                          description: Checksum to verify after download (optional)
                          type: string
                        subPath:
                          description: Grab only portion of download (optional)
                          type: string
                        url:
                          description: 'URL can point to one of following formats:
                            text, tgz, zip http and https url are supported; plain
                            file, tgz and tar types are supported (required)'
                          type: string
                      type: object
                    image:
                      description: Pulls content from Docker/OCI registry
                      properties:
                        secretRef:
                          description: 'Secret may include one or more keys: username,
                            password, token. By default anonymous access is used for
                            authentication.'
                          properties:
                            name:
                              description: Object is expected to be within same namespace
                              type: string
                          type: object
                        subPath:
                          description: Grab only portion of image (optional)
                          type: string
                        tagSelection:
                          description: Specifies a strategy to choose a tag (optional;
                            v0.24.0+) if specified, do not include a tag in url key
                          properties:
                            semver:
                              properties:
                                constraints:
                                  type: string
                                prereleases:
                                  properties:
                                    identifiers:
                                      items:
                                        type: string
                                      type: array
                                  type: object
                              type: object
                          type: object
                        url:
                          description: 'Docker image url; unqualified, tagged, or
                            digest references supported (required) Example: username/app1-config:v0.1.0'
                          type: string
                      type: object
                    imgpkgBundle:
                      description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+)
                      properties:
                        image:
                          description: Docker image url; unqualified, tagged, or digest
                            references supported (required)
                          type: string
                        secretRef:
                          description: 'Secret may include one or more keys: username,
                            password, token. By default anonymous access is used for
                            authentication.'
                          properties:
                            name:
                              description: Object is expected to be within same namespace
                              type: string
                          type: object
                        tagSelection:
                          description: Specifies a strategy to choose a tag (optional;
                            v0.24.0+) if specified, do not include a tag in url key
                          properties:
                            semver:
                              properties:
                                constraints:
                                  type: string
                                prereleases:
                                  properties:
                                    identifiers:
                                      items:
                                        type: string
                                      type: array
                                  type: object
                              type: object
                          type: object
                      type: object
                    inline:
                      description: Pulls content from within this resource; or other
                        resources in the cluster
                      properties:
                        paths:
                          additionalProperties:
                            type: string
                          description: Specifies mapping of paths to their content;
                            not recommended for sensitive values as CR is not encrypted
                            (optional)
                          type: object
                        pathsFrom:
                          description: Specifies content via secrets and config maps;
                            data values are recommended to be placed in secrets (optional)
                          items:
                            properties:
                              configMapRef:
                                properties:
                                  directoryPath:
                                    description: Specifies where to place files found
                                      in secret (optional)
                                    type: string
                                  name:
                                    type: string
                                type: object
                              secretRef:
                                properties:
                                  directoryPath:
                                    description: Specifies where to place files found
                                      in secret (optional)
                                    type: string
                                  name:
                                    type: string
                                type: object
                            type: object
                          type: array
                      type: object
                    path:
                      description: Relative path to place the fetched artifacts
                      type: string
                  type: object
                type: array
              noopDelete:
                description: Deletion requests for the App will result in the App
                  CR being deleted, but its associated resources will not be deleted
                  (optional; default=false; v0.18.0+)
                type: boolean
              paused:
                description: Pauses _future_ reconciliation; does _not_ affect currently
                  running reconciliation (optional; default=false)
                type: boolean
              serviceAccountName:
                description: Specifies that app should be deployed authenticated via
                  given service account, found in this namespace (optional; v0.6.0+)
                type: string
              syncPeriod:
                description: Specifies the length of time to wait, in time + unit
                  format, before reconciling. Always >= 30s. If value below 30s is
                  specified, 30s will be used. (optional; v0.9.0+; default=30s)
                type: string
              template:
                items:
                  properties:
                    cue:
                      properties:
                        inputExpression:
                          description: Cue expression for single path component, can
                            be used to unify ValuesFrom into a given field (optional)
                          type: string
                        outputExpression:
                          description: Cue expression to output, default will export
                            all visible fields (optional)
                          type: string
                        paths:
                          description: Explicit list of files/directories (optional)
                          items:
                            type: string
                          type: array
                        valuesFrom:
                          description: Provide values (optional)
                          items:
                            properties:
                              configMapRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                              downwardAPI:
                                properties:
                                  items:
                                    items:
                                      properties:
                                        fieldPath:
                                          description: 'Required: Selects a field
                                            of the app: only annotations, labels,
                                            uid, name and namespace are supported.'
                                          type: string
                                        kappControllerVersion:
                                          description: 'Optional: Get running KappController
                                            version, defaults (empty) to retrieving
                                            the current running version. Can be manually
                                            supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        kubernetesAPIs:
                                          description: 'Optional: Get running KubernetesAPIs
                                            from cluster, defaults (empty) to retrieving
                                            the APIs from the cluster. Can be manually
                                            supplied instead, e.g ["group/version",
                                            "group2/version2"]'
                                          properties:
                                            groupVersions:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        kubernetesVersion:
                                          description: 'Optional: Get running Kubernetes
                                            version from cluster, defaults (empty)
                                            to retrieving the version from the cluster.
                                            Can be manually supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        name:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              path:
                                type: string
                              secretRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                            type: object
                          type: array
                      type: object
                    helmTemplate:
                      description: Use helm template command to render helm chart
                      properties:
                        kubernetesAPIs:
                          description: 'Optional: Use kubernetes group/versions resources
                            available in the live cluster'
                          properties:
                            groupVersions:
                              items:
                                type: string
                              type: array
                          type: object
                        kubernetesVersion:
                          description: 'Optional: Get Kubernetes version, defaults
                            (empty) to retrieving the version from the cluster. Can
                            be manually overridden to a value instead.'
                          properties:
                            version:
                              type: string
                          type: object
                        name:
                          description: Set name explicitly, default is App CR's name
                            (optional; v0.13.0+)
                          type: string
                        namespace:
                          description: Set namespace explicitly, default is App CR's
                            namespace (optional; v0.13.0+)
                          type: string
                        path:
                          description: Path to chart (optional; v0.13.0+)
                          type: string
                        valuesFrom:
                          description: One or more secrets, config maps, paths that
                            provide values (optional)
                          items:
                            properties:
                              configMapRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                              downwardAPI:
                                properties:
                                  items:
                                    items:
                                      properties:
                                        fieldPath:
                                          description: 'Required: Selects a field
                                            of the app: only annotations, labels,
                                            uid, name and namespace are supported.'
                                          type: string
                                        kappControllerVersion:
                                          description: 'Optional: Get running KappController
                                            version, defaults (empty) to retrieving
                                            the current running version. Can be manually
                                            supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        kubernetesAPIs:
                                          description: 'Optional: Get running KubernetesAPIs
                                            from cluster, defaults (empty) to retrieving
                                            the APIs from the cluster. Can be manually
                                            supplied instead, e.g ["group/version",
                                            "group2/version2"]'
                                          properties:
                                            groupVersions:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        kubernetesVersion:
                                          description: 'Optional: Get running Kubernetes
                                            version from cluster, defaults (empty)
                                            to retrieving the version from the cluster.
                                            Can be manually supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        name:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              path:
                                type: string
                              secretRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                            type: object
                          type: array
                      type: object
                    jsonnet:
                      description: TODO implement jsonnet
                      type: object
                    kbld:
                      description: Use kbld to resolve image references to use digests
                      properties:
                        paths:
                          items:
                            type: string
                          type: array
                      type: object
                    kustomize:
                      description: TODO implement kustomize
                      type: object
                    sops:
                      description: Use sops to decrypt *.sops.yml files (optional;
                        v0.11.0+)
                      properties:
                        age:
                          properties:
                            privateKeysSecretRef:
                              description: Secret with private armored PGP private
                                keys (required)
                              properties:
                                name:
                                  type: string
                              type: object
                          type: object
                        paths:
                          description: Lists paths to decrypt explicitly (optional;
                            v0.13.0+)
                          items:
                            type: string
                          type: array
                        pgp:
                          description: Use PGP to decrypt files (required)
                          properties:
                            privateKeysSecretRef:
                              description: Secret with private armored PGP private
                                keys (required)
                              properties:
                                name:
                                  type: string
                              type: object
                          type: object
                      type: object
                    ytt:
                      description: Use ytt to template configuration
                      properties:
                        fileMarks:
                          description: Control metadata about input files passed to
                            ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
                            for more details
                          items:
                            type: string
                          type: array
                        ignoreUnknownComments:
                          description: Ignores comments that ytt doesn't recognize
                            (optional; default=false)
                          type: boolean
                        inline:
                          description: Specify additional files, including data values
                            (optional)
                          properties:
                            paths:
                              additionalProperties:
                                type: string
                              description: Specifies mapping of paths to their content;
                                not recommended for sensitive values as CR is not
                                encrypted (optional)
                              type: object
                            pathsFrom:
                              description: Specifies content via secrets and config
                                maps; data values are recommended to be placed in
                                secrets (optional)
                              items:
                                properties:
                                  configMapRef:
                                    properties:
                                      directoryPath:
                                        description: Specifies where to place files
                                          found in secret (optional)
                                        type: string
                                      name:
                                        type: string
                                    type: object
                                  secretRef:
                                    properties:
                                      directoryPath:
                                        description: Specifies where to place files
                                          found in secret (optional)
                                        type: string
                                      name:
                                        type: string
                                    type: object
                                type: object
                              type: array
                          type: object
                        paths:
                          description: Lists paths to provide to ytt explicitly (optional)
                          items:
                            type: string
                          type: array
                        strict:
                          description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
                            (optional; default=false)
                          type: boolean
                        valuesFrom:
                          description: Provide values via ytt's --data-values-file
                            (optional; v0.19.0-alpha.9)
                          items:
                            properties:
                              configMapRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                              downwardAPI:
                                properties:
                                  items:
                                    items:
                                      properties:
                                        fieldPath:
                                          description: 'Required: Selects a field
                                            of the app: only annotations, labels,
                                            uid, name and namespace are supported.'
                                          type: string
                                        kappControllerVersion:
                                          description: 'Optional: Get running KappController
                                            version, defaults (empty) to retrieving
                                            the current running version. Can be manually
                                            supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        kubernetesAPIs:
                                          description: 'Optional: Get running KubernetesAPIs
                                            from cluster, defaults (empty) to retrieving
                                            the APIs from the cluster. Can be manually
                                            supplied instead, e.g ["group/version",
                                            "group2/version2"]'
                                          properties:
                                            groupVersions:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        kubernetesVersion:
                                          description: 'Optional: Get running Kubernetes
                                            version from cluster, defaults (empty)
                                            to retrieving the version from the cluster.
                                            Can be manually supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        name:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              path:
                                type: string
                              secretRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                            type: object
                          type: array
                      type: object
                  type: object
                type: array
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      description: ConditionType represents reconciler state
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              consecutiveReconcileFailures:
                type: integer
              consecutiveReconcileSuccesses:
                type: integer
              deploy:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  finished:
                    type: boolean
                  kapp:
                    description: KappDeployStatus contains the associated AppCR deployed
                      resources
                    properties:
                      associatedResources:
                        description: AssociatedResources contains the associated App
                          label, namespaces and GKs
                        properties:
                          groupKinds:
                            items:
                              description: GroupKind specifies a Group and a Kind,
                                but does not force a version.  This is useful for
                                identifying concepts during lookup stages without
                                having partially valid types
                              properties:
                                group:
                                  type: string
                                kind:
                                  type: string
                              required:
                              - group
                              - kind
                              type: object
                            type: array
                          label:
                            type: string
                          namespaces:
                            items:
                              type: string
                            type: array
                        type: object
                    type: object
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              fetch:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              friendlyDescription:
                type: string
              inspect:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              managedAppName:
                type: string
              observedGeneration:
                description: Populated based on metadata.generation when controller
                  observes a change to the resource; if this value is out of date,
                  other status fields do not reflect latest state
                format: int64
                type: integer
              template:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  stderr:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              usefulErrorMessage:
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: packageinstalls.packaging.carvel.dev
spec:
  group: packaging.carvel.dev
  names:
    categories:
    - carvel
    kind: PackageInstall
    listKind: PackageInstallList
    plural: packageinstalls
    shortNames:
    - pkgi
    singular: packageinstall
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: PackageMetadata name
      jsonPath: .spec.packageRef.refName
      name: Package name
      type: string
    - description: PackageMetadata version
      jsonPath: .status.version
      name: Package version
      type: string
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: A Package Install is an actual installation of a package and
          its underlying resources on a Kubernetes cluster. It is represented in kapp-controller
          by a PackageInstall CR. A PackageInstall CR must reference a Package CR.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              canceled:
                description: Canceled when set to true will stop all active changes
                type: boolean
              cluster:
                description: Specifies that Package should be deployed to destination
                  cluster; by default, cluster is same as where this resource resides
                  (optional)
                properties:
                  kubeconfigSecretRef:
                    description: Specifies secret containing kubeconfig (required)
                    properties:
                      key:
                        description: Specifies key that contains kubeconfig (optional)
                        type: string
                      name:
                        description: Specifies secret name within app's namespace
                          (required)
                        type: string
                    type: object
                  namespace:
                    description: Specifies namespace in destination cluster (optional)
                    type: string
                type: object
              noopDelete:
                description: When NoopDelete set to true, PackageInstall deletion
                  should delete PackageInstall/App CR but preserve App's associated
                  resources.
                type: boolean
              packageRef:
                description: Specifies the name of the package to install (required)
                properties:
                  refName:
                    type: string
                  versionSelection:
                    properties:
                      constraints:
                        type: string
                      prereleases:
                        properties:
                          identifiers:
                            items:
                              type: string
                            type: array
                        type: object
                    type: object
                type: object
              paused:
                description: Paused when set to true will ignore all pending changes,
                  once it set back to false, pending changes will be applied
                type: boolean
              serviceAccountName:
                description: Specifies service account that will be used to install
                  underlying package contents
                type: string
              syncPeriod:
                description: Controls frequency of App reconciliation in time + unit
                  format. Always >= 30s. If value below 30s is specified, 30s will
                  be used.
                type: string
              values:
                description: Values to be included in package's templating step (currently
                  only included in the first templating step) (optional)
                items:
                  properties:
                    secretRef:
                      properties:
                        key:
                          type: string
                        name:
                          type: string
                      type: object
                  type: object
                type: array
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      description: ConditionType represents reconciler state
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              friendlyDescription:
                type: string
              lastAttemptedVersion:
                description: LastAttemptedVersion specifies what version was last
                  attempted to be installed. It does _not_ indicate it was successfully
                  installed.
                type: string
              observedGeneration:
                description: Populated based on metadata.generation when controller
                  observes a change to the resource; if this value is out of data,
                  other status fields do not reflect latest state
                format: int64
                type: integer
              usefulErrorMessage:
                type: string
              version:
                description: TODO this is desired resolved version (not actually deployed)
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    packaging.carvel.dev/global-namespace: kapp-controller-packaging-global
  name: packagerepositories.packaging.carvel.dev
spec:
  group: packaging.carvel.dev
  names:
    categories:
    - carvel
    kind: PackageRepository
    listKind: PackageRepositoryList
    plural: packagerepositories
    shortNames:
    - pkgr
    singular: packagerepository
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: A package repository is a collection of packages and their metadata.
          Similar to a maven repository or a rpm repository, adding a package repository
          to a cluster gives users of that cluster the ability to install any of the
          packages from that repository.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              fetch:
                properties:
                  git:
                    description: Uses git to clone repository containing package list
                    properties:
                      lfsSkipSmudge:
                        description: Skip lfs download (optional)
                        type: boolean
                      ref:
                        description: Branch, tag, commit; origin is the name of the
                          remote (optional)
                        type: string
                      refSelection:
                        description: Specifies a strategy to resolve to an explicit
                          ref (optional; v0.24.0+)
                        properties:
                          semver:
                            properties:
                              constraints:
                                type: string
                              prereleases:
                                properties:
                                  identifiers:
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                        type: object
                      secretRef:
                        description: 'Secret with auth details. allowed keys: ssh-privatekey,
                          ssh-knownhosts, username, password (optional) (if ssh-knownhosts
                          is not specified, git will not perform strict host checking)'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      subPath:
                        description: Grab only portion of repository (optional)
                        type: string
                      url:
                        description: http or ssh urls are supported (required)
                        type: string
                    type: object
                  http:
                    description: Uses http library to fetch file containing packages
                    properties:
                      secretRef:
                        description: 'Secret to provide auth details (optional) Secret
                          may include one or more keys: username, password'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      sha256:
                        description: Checksum to verify after download (optional)
                        type: string
                      subPath:
                        description: Grab only portion of download (optional)
                        type: string
                      url:
                        description: 'URL can point to one of following formats: text,
                          tgz, zip http and https url are supported; plain file, tgz
                          and tar types are supported (required)'
                        type: string
                    type: object
                  image:
                    description: Image url; unqualified, tagged, or digest references
                      supported (required)
                    properties:
                      secretRef:
                        description: 'Secret may include one or more keys: username,
                          password, token. By default anonymous access is used for
                          authentication.'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      subPath:
                        description: Grab only portion of image (optional)
                        type: string
                      tagSelection:
                        description: Specifies a strategy to choose a tag (optional;
                          v0.24.0+) if specified, do not include a tag in url key
                        properties:
                          semver:
                            properties:
                              constraints:
                                type: string
                              prereleases:
                                properties:
                                  identifiers:
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                        type: object
                      url:
                        description: 'Docker image url; unqualified, tagged, or digest
                          references supported (required) Example: username/app1-config:v0.1.0'
                        type: string
                    type: object
                  imgpkgBundle:
                    description: Pulls imgpkg bundle from Docker/OCI registry
                    properties:
                      image:
                        description: Docker image url; unqualified, tagged, or digest
                          references supported (required)
                        type: string
                      secretRef:
                        description: 'Secret may include one or more keys: username,
                          password, token. By default anonymous access is used for
                          authentication.'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      tagSelection:
                        description: Specifies a strategy to choose a tag (optional;
                          v0.24.0+) if specified, do not include a tag in url key
                        properties:
                          semver:
                            properties:
                              constraints:
                                type: string
                              prereleases:
                                properties:
                                  identifiers:
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                        type: object
                    type: object
                  inline:
                    description: Pull content from within this resource; or other
                      resources in the cluster
                    properties:
                      paths:
                        additionalProperties:
                          type: string
                        description: Specifies mapping of paths to their content;
                          not recommended for sensitive values as CR is not encrypted
                          (optional)
                        type: object
                      pathsFrom:
                        description: Specifies content via secrets and config maps;
                          data values are recommended to be placed in secrets (optional)
                        items:
                          properties:
                            configMapRef:
                              properties:
                                directoryPath:
                                  description: Specifies where to place files found
                                    in secret (optional)
                                  type: string
                                name:
                                  type: string
                              type: object
                            secretRef:
                              properties:
                                directoryPath:
                                  description: Specifies where to place files found
                                    in secret (optional)
                                  type: string
                                name:
                                  type: string
                              type: object
                          type: object
                        type: array
                    type: object
                type: object
              paused:
                description: Paused when set to true will ignore all pending changes,
                  once it set back to false, pending changes will be applied
                type: boolean
              syncPeriod:
                description: Controls frequency of PackageRepository reconciliation
                type: string
            required:
            - fetch
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      description: ConditionType represents reconciler state
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              consecutiveReconcileFailures:
                type: integer
              consecutiveReconcileSuccesses:
                type: integer
              deploy:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  finished:
                    type: boolean
                  kapp:
                    description: KappDeployStatus contains the associated AppCR deployed
                      resources
                    properties:
                      associatedResources:
                        description: AssociatedResources contains the associated App
                          label, namespaces and GKs
                        properties:
                          groupKinds:
                            items:
                              description: GroupKind specifies a Group and a Kind,
                                but does not force a version.  This is useful for
                                identifying concepts during lookup stages without
                                having partially valid types
                              properties:
                                group:
                                  type: string
                                kind:
                                  type: string
                              required:
                              - group
                              - kind
                              type: object
                            type: array
                          label:
                            type: string
                          namespaces:
                            items:
                              type: string
                            type: array
                        type: object
                    type: object
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              fetch:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              friendlyDescription:
                type: string
              observedGeneration:
                description: Populated based on metadata.generation when controller
                  observes a change to the resource; if this value is out of data,
                  other status fields do not reflect latest state
                format: int64
                type: integer
              template:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  stderr:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              usefulErrorMessage:
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kapp-controller.carvel.dev/version: v0.45.2
    kbld.k14s.io/images: |
      - origins:
        - local:
            path: /home/runner/work/kapp-controller/kapp-controller
        - git:
            dirty: true
            remoteURL: https://github.com/carvel-dev/kapp-controller
            sha: e3beee23d49899bfc681c9d980c1a3bdc0fa14ac
            tags:
            - v0.45.2
        url: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
  name: kapp-controller
  namespace: tkg-system
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: kapp-controller
  template:
    metadata:
      labels:
        app: kapp-controller
    spec:
      containers:
      - args:
        - -packaging-global-namespace=kapp-controller-packaging-global
        - -enable-api-priority-and-fairness=True
        - -tls-cipher-suites=
        env:
        - name: KAPPCTRL_MEM_TMP_DIR
          value: /etc/kappctrl-mem-tmp
        - name: KAPPCTRL_SIDECAREXEC_SOCK
          value: /etc/kappctrl-mem-tmp/sidecarexec.sock
        - name: KAPPCTRL_SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: KAPPCTRL_API_PORT
          value: "10350"
        image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
        name: kapp-controller
        ports:
        - containerPort: 10350
          name: api
          protocol: TCP
        resources:
          requests:
            cpu: 120m
            memory: 100Mi
        volumeMounts:
        - mountPath: /etc/kappctrl-mem-tmp
          name: template-fs
        - mountPath: /home/kapp-controller
          name: home
      - args:
        - --sidecarexec
        env:
        - name: KAPPCTRL_SIDECAREXEC_SOCK
          value: /etc/kappctrl-mem-tmp/sidecarexec.sock
        - name: IMGPKG_ACTIVE_KEYCHAINS
          value: gke,aks,ecr
        image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
        name: kapp-controller-sidecarexec
        resources:
          requests:
            cpu: 120m
            memory: 100Mi
        volumeMounts:
        - mountPath: /etc/kappctrl-mem-tmp
          name: template-fs
        - mountPath: /home/kapp-controller
          name: home
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: empty-sa
      serviceAccount: kapp-controller-sa
      volumes:
      - emptyDir:
          medium: Memory
        name: template-fs
      - emptyDir:
          medium: Memory
        name: home
      - emptyDir: {}
        name: empty-sa
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kapp-controller-sa
  namespace: tkg-system
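
Before running `kubectl apply -f kapp-controller.yaml` on a manifest copied from this page, it is worth confirming which images it will pull. The following Python check is an added example, not part of the VMware or Carvel documentation: it verifies that every container `image:` value is pinned by sha256 digest and matches a `url` recorded in the Deployment's `kbld.k14s.io/images` annotation. The function names and the embedded sample (a constructed excerpt of the Deployment above) are assumptions of this example.

```python
import re
import sys

# Image reference taken from the Deployment in the manifest above.
PINNED = ("ghcr.io/carvel-dev/kapp-controller@sha256:"
          "d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d")

# Constructed sample: a shortened excerpt of that Deployment, for offline runs.
SAMPLE_MANIFEST = f"""\
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kapp-controller.carvel.dev/version: v0.45.2
    kbld.k14s.io/images: |
      - origins:
        - git:
            dirty: true
            remoteURL: https://github.com/carvel-dev/kapp-controller
            sha: e3beee23d49899bfc681c9d980c1a3bdc0fa14ac
        url: {PINNED}
  name: kapp-controller
  namespace: tkg-system
spec:
  template:
    spec:
      containers:
      - args:
        - -packaging-global-namespace=kapp-controller-packaging-global
        image: {PINNED}
        name: kapp-controller
      - args:
        - --sidecarexec
        image: {PINNED}
        name: kapp-controller-sidecarexec
"""

# "image: <value>" on one line. Schema keys such as a bare "image:" in the CRDs
# carry no value on the same line and are therefore not matched.
IMAGE_LINE = re.compile(r"^[ \t]*(?:-[ \t]+)?image:[ \t]+(\S+)[ \t]*$", re.MULTILINE)
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def kbld_recorded_images(manifest):
    """Return the image URLs listed in any kbld.k14s.io/images block scalar."""
    recorded = set()
    lines = manifest.replace("\r\n", "\n").splitlines()
    for i, line in enumerate(lines):
        key = re.match(r"^([ \t]*)kbld\.k14s\.io/images:[ \t]*\|", line)
        if not key:
            continue
        key_indent = len(key.group(1))
        for body in lines[i + 1:]:
            indent = len(body) - len(body.lstrip())
            if body.strip() and indent <= key_indent:
                break  # the block scalar has ended
            url = re.match(r"^[ \t]*url:[ \t]+(\S+)", body)
            if url:
                recorded.add(url.group(1))
    return recorded


def audit_images(manifest):
    """Return (line_no, image_ref, reason) for every image that fails a check.

    Simplification of this example: recorded URLs are pooled across all YAML
    documents in the file rather than matched per Deployment.
    """
    manifest = manifest.replace("\r\n", "\n")
    recorded = kbld_recorded_images(manifest)
    findings = []
    for m in IMAGE_LINE.finditer(manifest):
        ref = m.group(1).strip("'\"")
        line_no = manifest.count("\n", 0, m.start()) + 1
        if not DIGEST_REF.match(ref):
            findings.append((line_no, ref, "not pinned by sha256 digest"))
        elif recorded and ref not in recorded:
            findings.append(
                (line_no, ref, "digest not recorded in kbld.k14s.io/images annotation"))
    return findings


if __name__ == "__main__":
    # Usage: python check_images.py kapp-controller.yaml (no argument: sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MANIFEST
    problems = audit_images(text)
    for line_no, ref, reason in problems:
        print(f"line {line_no}: {ref}: {reason}")
    sys.exit(1 if problems else 0)
```

A non-zero exit status means at least one image is referenced by tag only or by a digest the annotation does not list; this confirms internal consistency of the file, not the authenticity of the digest itself.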

Manifest for Kubernetes v1.24 or earlier

If you are using TKr v1.24 or earlier, which requires PodSecurityPolicy (PSP) objects, use the following example kapp-controller.yaml to install the Kapp Controller:

---
apiVersion: v1
kind: Namespace
metadata:
  name: tkg-system
---
apiVersion: v1
kind: Namespace
metadata:
  name: kapp-controller-packaging-global
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.data.packaging.carvel.dev
spec:
  group: data.packaging.carvel.dev
  groupPriorityMinimum: 100
  service:
    name: packaging-api
    namespace: tkg-system
  version: v1alpha1
  versionPriority: 100
---
apiVersion: v1
kind: Service
metadata:
  name: packaging-api
  namespace: tkg-system
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: api
  selector:
    app: kapp-controller
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: tanzu-system-kapp-ctrl-restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - configMap
    - emptyDir
    - projected
    - secret
    - downwardAPI
    - persistentVolumeClaim
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
  readOnlyRootFilesystem: false
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: internalpackagemetadatas.internal.packaging.carvel.dev
spec:
  group: internal.packaging.carvel.dev
  names:
    kind: InternalPackageMetadata
    listKind: InternalPackageMetadataList
    plural: internalpackagemetadatas
    singular: internalpackagemetadata
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              categories:
                description: Classifiers of the package (optional; Array of strings)
                items:
                  type: string
                type: array
              displayName:
                description: Human friendly name of the package (optional; string)
                type: string
              iconSVGBase64:
                description: Base64 encoded icon (optional; string)
                type: string
              longDescription:
                description: Long description of the package (optional; string)
                type: string
              maintainers:
                description: List of maintainer info for the package. Currently only
                  supports the name key. (optional; array of maintner info)
                items:
                  properties:
                    name:
                      type: string
                  type: object
                type: array
              providerName:
                description: Name of the entity distributing the package (optional;
                  string)
                type: string
              shortDescription:
                description: Short desription of the package (optional; string)
                type: string
              supportDescription:
                description: Description of the support available for the package
                  (optional; string)
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: internalpackages.internal.packaging.carvel.dev
spec:
  group: internal.packaging.carvel.dev
  names:
    kind: InternalPackage
    listKind: InternalPackageList
    plural: internalpackages
    singular: internalpackage
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              capacityRequirementsDescription:
                description: 'System requirements needed to install the package. Note:
                  these requirements will not be verified by kapp-controller on installation.
                  (optional; string)'
                type: string
              includedSoftware:
                description: IncludedSoftware can be used to show the software contents
                  of a Package. This is especially useful if the underlying versions
                  do not match the Package version
                items:
                  description: IncludedSoftware contains the underlying Software Contents
                    of a Package
                  properties:
                    description:
                      type: string
                    displayName:
                      type: string
                    version:
                      type: string
                  type: object
                type: array
              kappControllerVersionSelection:
                description: KappControllerVersionSelection specifies the versions
                  of kapp-controller which can install this package
                properties:
                  constraints:
                    type: string
                type: object
              kubernetesVersionSelection:
                description: KubernetesVersionSelection specifies the versions of
                  k8s which this package can be installed on
                properties:
                  constraints:
                    type: string
                type: object
              licenses:
                description: Description of the licenses that apply to the package
                  software (optional; Array of strings)
                items:
                  type: string
                type: array
              refName:
                description: The name of the PackageMetadata associated with this
                  version Must be a valid PackageMetadata name (see PackageMetadata
                  CR for details) Cannot be empty
                type: string
              releaseNotes:
                description: Version release notes (optional; string)
                type: string
              releasedAt:
                description: Timestamp of release (iso8601 formatted string; optional)
                format: date-time
                nullable: true
                type: string
              template:
                properties:
                  spec:
                    properties:
                      canceled:
                        description: Cancels current and future reconciliations (optional;
                          default=false)
                        type: boolean
                      cluster:
                        description: Specifies that app should be deployed to destination
                          cluster; by default, cluster is same as where this resource
                          resides (optional; v0.5.0+)
                        properties:
                          kubeconfigSecretRef:
                            description: Specifies secret containing kubeconfig (required)
                            properties:
                              key:
                                description: Specifies key that contains kubeconfig
                                  (optional)
                                type: string
                              name:
                                description: Specifies secret name within app's namespace
                                  (required)
                                type: string
                            type: object
                          namespace:
                            description: Specifies namespace in destination cluster
                              (optional)
                            type: string
                        type: object
                      deploy:
                        items:
                          properties:
                            kapp:
                              description: Use kapp to deploy resources
                              properties:
                                delete:
                                  description: Configuration for delete command (optional)
                                  properties:
                                    rawOptions:
                                      description: Pass through options to kapp delete
                                        (optional)
                                      items:
                                        type: string
                                      type: array
                                  type: object
                                inspect:
                                  description: 'Configuration for inspect command
                                    (optional) as of kapp-controller v0.31.0, inspect
                                    is disabled by default add rawOptions or use an
                                    empty inspect config like `inspect: {}` to enable'
                                  properties:
                                    rawOptions:
                                      description: Pass through options to kapp inspect
                                        (optional)
                                      items:
                                        type: string
                                      type: array
                                  type: object
                                intoNs:
                                  description: Override namespace for all resources
                                    (optional)
                                  type: string
                                mapNs:
                                  description: Provide custom namespace override mapping
                                    (optional)
                                  items:
                                    type: string
                                  type: array
                                rawOptions:
                                  description: Pass through options to kapp deploy
                                    (optional)
                                  items:
                                    type: string
                                  type: array
                              type: object
                          type: object
                        type: array
                      fetch:
                        items:
                          properties:
                            git:
                              description: Uses git to clone repository
                              properties:
                                lfsSkipSmudge:
                                  description: Skip lfs download (optional)
                                  type: boolean
                                ref:
                                  description: Branch, tag, commit; origin is the
                                    name of the remote (optional)
                                  type: string
                                refSelection:
                                  description: Specifies a strategy to resolve to
                                    an explicit ref (optional; v0.24.0+)
                                  properties:
                                    semver:
                                      properties:
                                        constraints:
                                          type: string
                                        prereleases:
                                          properties:
                                            identifiers:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                      type: object
                                  type: object
                                secretRef:
                                  description: 'Secret with auth details. allowed
                                    keys: ssh-privatekey, ssh-knownhosts, username,
                                    password (optional) (if ssh-knownhosts is not
                                    specified, git will not perform strict host checking)'
                                  properties:
                                    name:
                                      description: Object is expected to be within
                                        same namespace
                                      type: string
                                  type: object
                                subPath:
                                  description: Grab only portion of repository (optional)
                                  type: string
                                url:
                                  description: http or ssh urls are supported (required)
                                  type: string
                              type: object
                            helmChart:
                              description: Uses helm fetch to fetch specified chart
                              properties:
                                name:
                                  description: 'Example: stable/redis'
                                  type: string
                                repository:
                                  properties:
                                    secretRef:
                                      properties:
                                        name:
                                          description: Object is expected to be within
                                            same namespace
                                          type: string
                                      type: object
                                    url:
                                      description: Repository url; scheme of oci://
                                        will fetch experimental helm oci chart (v0.19.0+)
                                        (required)
                                      type: string
                                  type: object
                                version:
                                  type: string
                              type: object
                            http:
                              description: Uses http library to fetch file
                              properties:
                                secretRef:
                                  description: 'Secret to provide auth details (optional)
                                    Secret may include one or more keys: username,
                                    password'
                                  properties:
                                    name:
                                      description: Object is expected to be within
                                        same namespace
                                      type: string
                                  type: object
                                sha256:
                                  description: Checksum to verify after download (optional)
                                  type: string
                                subPath:
                                  description: Grab only portion of download (optional)
                                  type: string
                                url:
                                  description: 'URL can point to one of following
                                    formats: text, tgz, zip http and https url are
                                    supported; plain file, tgz and tar types are supported
                                    (required)'
                                  type: string
                              type: object
                            image:
                              description: Pulls content from Docker/OCI registry
                              properties:
                                secretRef:
                                  description: 'Secret may include one or more keys:
                                    username, password, token. By default anonymous
                                    access is used for authentication.'
                                  properties:
                                    name:
                                      description: Object is expected to be within
                                        same namespace
                                      type: string
                                  type: object
                                subPath:
                                  description: Grab only portion of image (optional)
                                  type: string
                                tagSelection:
                                  description: Specifies a strategy to choose a tag
                                    (optional; v0.24.0+) if specified, do not include
                                    a tag in url key
                                  properties:
                                    semver:
                                      properties:
                                        constraints:
                                          type: string
                                        prereleases:
                                          properties:
                                            identifiers:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                      type: object
                                  type: object
                                url:
                                  description: 'Docker image url; unqualified, tagged,
                                    or digest references supported (required) Example:
                                    username/app1-config:v0.1.0'
                                  type: string
                              type: object
                            imgpkgBundle:
                              description: Pulls imgpkg bundle from Docker/OCI registry
                                (v0.17.0+)
                              properties:
                                image:
                                  description: Docker image url; unqualified, tagged,
                                    or digest references supported (required)
                                  type: string
                                secretRef:
                                  description: 'Secret may include one or more keys:
                                    username, password, token. By default anonymous
                                    access is used for authentication.'
                                  properties:
                                    name:
                                      description: Object is expected to be within
                                        same namespace
                                      type: string
                                  type: object
                                tagSelection:
                                  description: Specifies a strategy to choose a tag
                                    (optional; v0.24.0+) if specified, do not include
                                    a tag in url key
                                  properties:
                                    semver:
                                      properties:
                                        constraints:
                                          type: string
                                        prereleases:
                                          properties:
                                            identifiers:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                      type: object
                                  type: object
                              type: object
                            inline:
                              description: Pulls content from within this resource;
                                or other resources in the cluster
                              properties:
                                paths:
                                  additionalProperties:
                                    type: string
                                  description: Specifies mapping of paths to their
                                    content; not recommended for sensitive values
                                    as CR is not encrypted (optional)
                                  type: object
                                pathsFrom:
                                  description: Specifies content via secrets and config
                                    maps; data values are recommended to be placed
                                    in secrets (optional)
                                  items:
                                    properties:
                                      configMapRef:
                                        properties:
                                          directoryPath:
                                            description: Specifies where to place
                                              files found in secret (optional)
                                            type: string
                                          name:
                                            type: string
                                        type: object
                                      secretRef:
                                        properties:
                                          directoryPath:
                                            description: Specifies where to place
                                              files found in secret (optional)
                                            type: string
                                          name:
                                            type: string
                                        type: object
                                    type: object
                                  type: array
                              type: object
                            path:
                              description: Relative path to place the fetched artifacts
                              type: string
                          type: object
                        type: array
                      noopDelete:
                        description: Deletion requests for the App will result in
                          the App CR being deleted, but its associated resources will
                          not be deleted (optional; default=false; v0.18.0+)
                        type: boolean
                      paused:
                        description: Pauses _future_ reconciliation; does _not_ affect
                          currently running reconciliation (optional; default=false)
                        type: boolean
                      serviceAccountName:
                        description: Specifies that app should be deployed authenticated
                          via given service account, found in this namespace (optional;
                          v0.6.0+)
                        type: string
                      syncPeriod:
                        description: Specifies the length of time to wait, in time
                          + unit format, before reconciling. Always >= 30s. If value
                          below 30s is specified, 30s will be used. (optional; v0.9.0+;
                          default=30s)
                        type: string
                      template:
                        items:
                          properties:
                            cue:
                              properties:
                                inputExpression:
                                  description: Cue expression for single path component,
                                    can be used to unify ValuesFrom into a given field
                                    (optional)
                                  type: string
                                outputExpression:
                                  description: Cue expression to output, default will
                                    export all visible fields (optional)
                                  type: string
                                paths:
                                  description: Explicit list of files/directories
                                    (optional)
                                  items:
                                    type: string
                                  type: array
                                valuesFrom:
                                  description: Provide values (optional)
                                  items:
                                    properties:
                                      configMapRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                      downwardAPI:
                                        properties:
                                          items:
                                            items:
                                              properties:
                                                fieldPath:
                                                  description: 'Required: Selects
                                                    a field of the app: only annotations,
                                                    labels, uid, name and namespace
                                                    are supported.'
                                                  type: string
                                                kappControllerVersion:
                                                  description: 'Optional: Get running
                                                    KappController version, defaults
                                                    (empty) to retrieving the current
                                                    running version. Can be manually
                                                    supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                kubernetesAPIs:
                                                  description: 'Optional: Get running
                                                    KubernetesAPIs from cluster, defaults
                                                    (empty) to retrieving the APIs
                                                    from the cluster. Can be manually
                                                    supplied instead, e.g. ["group/version",
                                                    "group2/version2"]'
                                                  properties:
                                                    groupVersions:
                                                      items:
                                                        type: string
                                                      type: array
                                                  type: object
                                                kubernetesVersion:
                                                  description: 'Optional: Get running
                                                    Kubernetes version from cluster,
                                                    defaults (empty) to retrieving
                                                    the version from the cluster.
                                                    Can be manually supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                name:
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      path:
                                        type: string
                                      secretRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                    type: object
                                  type: array
                              type: object
                            helmTemplate:
                              description: Use helm template command to render helm
                                chart
                              properties:
                                kubernetesAPIs:
                                  description: 'Optional: Use kubernetes group/versions
                                    resources available in the live cluster'
                                  properties:
                                    groupVersions:
                                      items:
                                        type: string
                                      type: array
                                  type: object
                                kubernetesVersion:
                                  description: 'Optional: Get Kubernetes version,
                                    defaults (empty) to retrieving the version from
                                    the cluster. Can be manually overridden to a value
                                    instead.'
                                  properties:
                                    version:
                                      type: string
                                  type: object
                                name:
                                  description: Set name explicitly, default is App
                                    CR's name (optional; v0.13.0+)
                                  type: string
                                namespace:
                                  description: Set namespace explicitly, default is
                                    App CR's namespace (optional; v0.13.0+)
                                  type: string
                                path:
                                  description: Path to chart (optional; v0.13.0+)
                                  type: string
                                valuesFrom:
                                  description: One or more secrets, config maps, paths
                                    that provide values (optional)
                                  items:
                                    properties:
                                      configMapRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                      downwardAPI:
                                        properties:
                                          items:
                                            items:
                                              properties:
                                                fieldPath:
                                                  description: 'Required: Selects
                                                    a field of the app: only annotations,
                                                    labels, uid, name and namespace
                                                    are supported.'
                                                  type: string
                                                kappControllerVersion:
                                                  description: 'Optional: Get running
                                                    KappController version, defaults
                                                    (empty) to retrieving the current
                                                    running version. Can be manually
                                                    supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                kubernetesAPIs:
                                                  description: 'Optional: Get running
                                                    KubernetesAPIs from cluster, defaults
                                                    (empty) to retrieving the APIs
                                                    from the cluster. Can be manually
                                                    supplied instead, e.g. ["group/version",
                                                    "group2/version2"]'
                                                  properties:
                                                    groupVersions:
                                                      items:
                                                        type: string
                                                      type: array
                                                  type: object
                                                kubernetesVersion:
                                                  description: 'Optional: Get running
                                                    Kubernetes version from cluster,
                                                    defaults (empty) to retrieving
                                                    the version from the cluster.
                                                    Can be manually supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                name:
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      path:
                                        type: string
                                      secretRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                    type: object
                                  type: array
                              type: object
                            jsonnet:
                              description: TODO implement jsonnet
                              type: object
                            kbld:
                              description: Use kbld to resolve image references to
                                use digests
                              properties:
                                paths:
                                  items:
                                    type: string
                                  type: array
                              type: object
                            kustomize:
                              description: TODO implement kustomize
                              type: object
                            sops:
                              description: Use sops to decrypt *.sops.yml files (optional;
                                v0.11.0+)
                              properties:
                                age:
                                  properties:
                                    privateKeysSecretRef:
                                      description: Secret with private armored PGP
                                        private keys (required)
                                      properties:
                                        name:
                                          type: string
                                      type: object
                                  type: object
                                paths:
                                  description: Lists paths to decrypt explicitly (optional;
                                    v0.13.0+)
                                  items:
                                    type: string
                                  type: array
                                pgp:
                                  description: Use PGP to decrypt files (required)
                                  properties:
                                    privateKeysSecretRef:
                                      description: Secret with private armored PGP
                                        private keys (required)
                                      properties:
                                        name:
                                          type: string
                                      type: object
                                  type: object
                              type: object
                            ytt:
                              description: Use ytt to template configuration
                              properties:
                                fileMarks:
                                  description: Control metadata about input files
                                    passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
                                    for more details
                                  items:
                                    type: string
                                  type: array
                                ignoreUnknownComments:
                                  description: Ignores comments that ytt doesn't recognize
                                    (optional; default=false)
                                  type: boolean
                                inline:
                                  description: Specify additional files, including
                                    data values (optional)
                                  properties:
                                    paths:
                                      additionalProperties:
                                        type: string
                                      description: Specifies mapping of paths to their
                                        content; not recommended for sensitive values
                                        as CR is not encrypted (optional)
                                      type: object
                                    pathsFrom:
                                      description: Specifies content via secrets and
                                        config maps; data values are recommended to
                                        be placed in secrets (optional)
                                      items:
                                        properties:
                                          configMapRef:
                                            properties:
                                              directoryPath:
                                                description: Specifies where to place
                                                  files found in secret (optional)
                                                type: string
                                              name:
                                                type: string
                                            type: object
                                          secretRef:
                                            properties:
                                              directoryPath:
                                                description: Specifies where to place
                                                  files found in secret (optional)
                                                type: string
                                              name:
                                                type: string
                                            type: object
                                        type: object
                                      type: array
                                  type: object
                                paths:
                                  description: Lists paths to provide to ytt explicitly
                                    (optional)
                                  items:
                                    type: string
                                  type: array
                                strict:
                                  description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
                                    (optional; default=false)
                                  type: boolean
                                valuesFrom:
                                  description: Provide values via ytt's --data-values-file
                                    (optional; v0.19.0-alpha.9)
                                  items:
                                    properties:
                                      configMapRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                      downwardAPI:
                                        properties:
                                          items:
                                            items:
                                              properties:
                                                fieldPath:
                                                  description: 'Required: Selects
                                                    a field of the app: only annotations,
                                                    labels, uid, name and namespace
                                                    are supported.'
                                                  type: string
                                                kappControllerVersion:
                                                  description: 'Optional: Get running
                                                    KappController version, defaults
                                                    (empty) to retrieving the current
                                                    running version. Can be manually
                                                    supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                kubernetesAPIs:
                                                  description: 'Optional: Get running
                                                    KubernetesAPIs from cluster, defaults
                                                    (empty) to retrieving the APIs
                                                    from the cluster. Can be manually
                                                    supplied instead, e.g. ["group/version",
                                                    "group2/version2"]'
                                                  properties:
                                                    groupVersions:
                                                      items:
                                                        type: string
                                                      type: array
                                                  type: object
                                                kubernetesVersion:
                                                  description: 'Optional: Get running
                                                    Kubernetes version from cluster,
                                                    defaults (empty) to retrieving
                                                    the version from the cluster.
                                                    Can be manually supplied instead.'
                                                  properties:
                                                    version:
                                                      type: string
                                                  type: object
                                                name:
                                                  type: string
                                              type: object
                                            type: array
                                        type: object
                                      path:
                                        type: string
                                      secretRef:
                                        properties:
                                          name:
                                            type: string
                                        type: object
                                    type: object
                                  type: array
                              type: object
                          type: object
                        type: array
                    type: object
                required:
                - spec
                type: object
              valuesSchema:
                description: valuesSchema can be used to show template values that
                  can be configured by users when a Package is installed in an OpenAPI
                  schema format.
                properties:
                  openAPIv3:
                    nullable: true
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                type: object
              version:
                description: Package version; Referenced by PackageInstall; Must be
                  valid semver (required) Cannot be empty
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: apps.kappctrl.k14s.io
spec:
  group: kappctrl.k14s.io
  names:
    categories:
    - carvel
    kind: App
    listKind: AppList
    plural: apps
    singular: app
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Last time app started being deployed. Does not mean anything was
        changed.
      jsonPath: .status.deploy.startedAt
      name: Since-Deploy
      type: date
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'An App is a set of Kubernetes resources. These resources could
          span any number of namespaces or could be cluster-wide (e.g. CRDs). An App
          is represented in kapp-controller using an App CR. The App CR comprises
          three main sections: spec.fetch – declare source for fetching configuration
          and OCI images spec.template – declare templating tool and values spec.deploy
          – declare deployment tool and any deploy specific configuration'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              canceled:
                description: Cancels current and future reconciliations (optional;
                  default=false)
                type: boolean
              cluster:
                description: Specifies that app should be deployed to destination
                  cluster; by default, cluster is same as where this resource resides
                  (optional; v0.5.0+)
                properties:
                  kubeconfigSecretRef:
                    description: Specifies secret containing kubeconfig (required)
                    properties:
                      key:
                        description: Specifies key that contains kubeconfig (optional)
                        type: string
                      name:
                        description: Specifies secret name within app's namespace
                          (required)
                        type: string
                    type: object
                  namespace:
                    description: Specifies namespace in destination cluster (optional)
                    type: string
                type: object
              deploy:
                items:
                  properties:
                    kapp:
                      description: Use kapp to deploy resources
                      properties:
                        delete:
                          description: Configuration for delete command (optional)
                          properties:
                            rawOptions:
                              description: Pass through options to kapp delete (optional)
                              items:
                                type: string
                              type: array
                          type: object
                        inspect:
                          description: 'Configuration for inspect command (optional)
                            as of kapp-controller v0.31.0, inspect is disabled by
                            default add rawOptions or use an empty inspect config
                            like `inspect: {}` to enable'
                          properties:
                            rawOptions:
                              description: Pass through options to kapp inspect (optional)
                              items:
                                type: string
                              type: array
                          type: object
                        intoNs:
                          description: Override namespace for all resources (optional)
                          type: string
                        mapNs:
                          description: Provide custom namespace override mapping (optional)
                          items:
                            type: string
                          type: array
                        rawOptions:
                          description: Pass through options to kapp deploy (optional)
                          items:
                            type: string
                          type: array
                      type: object
                  type: object
                type: array
              fetch:
                items:
                  properties:
                    git:
                      description: Uses git to clone repository
                      properties:
                        lfsSkipSmudge:
                          description: Skip lfs download (optional)
                          type: boolean
                        ref:
                          description: Branch, tag, commit; origin is the name of
                            the remote (optional)
                          type: string
                        refSelection:
                          description: Specifies a strategy to resolve to an explicit
                            ref (optional; v0.24.0+)
                          properties:
                            semver:
                              properties:
                                constraints:
                                  type: string
                                prereleases:
                                  properties:
                                    identifiers:
                                      items:
                                        type: string
                                      type: array
                                  type: object
                              type: object
                          type: object
                        secretRef:
                          description: 'Secret with auth details. allowed keys: ssh-privatekey,
                            ssh-knownhosts, username, password (optional) (if ssh-knownhosts
                            is not specified, git will not perform strict host checking)'
                          properties:
                            name:
                              description: Object is expected to be within same namespace
                              type: string
                          type: object
                        subPath:
                          description: Grab only portion of repository (optional)
                          type: string
                        url:
                          description: http or ssh urls are supported (required)
                          type: string
                      type: object
                    helmChart:
                      description: Uses helm fetch to fetch specified chart
                      properties:
                        name:
                          description: 'Example: stable/redis'
                          type: string
                        repository:
                          properties:
                            secretRef:
                              properties:
                                name:
                                  description: Object is expected to be within same
                                    namespace
                                  type: string
                              type: object
                            url:
                              description: Repository url; scheme of oci:// will fetch
                                experimental helm oci chart (v0.19.0+) (required)
                              type: string
                          type: object
                        version:
                          type: string
                      type: object
                    http:
                      description: Uses http library to fetch file
                      properties:
                        secretRef:
                          description: 'Secret to provide auth details (optional)
                            Secret may include one or more keys: username, password'
                          properties:
                            name:
                              description: Object is expected to be within same namespace
                              type: string
                          type: object
                        sha256:
                          description: Checksum to verify after download (optional)
                          type: string
                        subPath:
                          description: Grab only portion of download (optional)
                          type: string
                        url:
                          description: 'URL can point to one of following formats:
                            text, tgz, zip http and https url are supported; plain
                            file, tgz and tar types are supported (required)'
                          type: string
                      type: object
                    image:
                      description: Pulls content from Docker/OCI registry
                      properties:
                        secretRef:
                          description: 'Secret may include one or more keys: username,
                            password, token. By default anonymous access is used for
                            authentication.'
                          properties:
                            name:
                              description: Object is expected to be within same namespace
                              type: string
                          type: object
                        subPath:
                          description: Grab only portion of image (optional)
                          type: string
                        tagSelection:
                          description: Specifies a strategy to choose a tag (optional;
                            v0.24.0+) if specified, do not include a tag in url key
                          properties:
                            semver:
                              properties:
                                constraints:
                                  type: string
                                prereleases:
                                  properties:
                                    identifiers:
                                      items:
                                        type: string
                                      type: array
                                  type: object
                              type: object
                          type: object
                        url:
                          description: 'Docker image url; unqualified, tagged, or
                            digest references supported (required) Example: username/app1-config:v0.1.0'
                          type: string
                      type: object
                    imgpkgBundle:
                      description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+)
                      properties:
                        image:
                          description: Docker image url; unqualified, tagged, or digest
                            references supported (required)
                          type: string
                        secretRef:
                          description: 'Secret may include one or more keys: username,
                            password, token. By default anonymous access is used for
                            authentication.'
                          properties:
                            name:
                              description: Object is expected to be within same namespace
                              type: string
                          type: object
                        tagSelection:
                          description: Specifies a strategy to choose a tag (optional;
                            v0.24.0+) if specified, do not include a tag in url key
                          properties:
                            semver:
                              properties:
                                constraints:
                                  type: string
                                prereleases:
                                  properties:
                                    identifiers:
                                      items:
                                        type: string
                                      type: array
                                  type: object
                              type: object
                          type: object
                      type: object
                    inline:
                      description: Pulls content from within this resource; or other
                        resources in the cluster
                      properties:
                        paths:
                          additionalProperties:
                            type: string
                          description: Specifies mapping of paths to their content;
                            not recommended for sensitive values as CR is not encrypted
                            (optional)
                          type: object
                        pathsFrom:
                          description: Specifies content via secrets and config maps;
                            data values are recommended to be placed in secrets (optional)
                          items:
                            properties:
                              configMapRef:
                                properties:
                                  directoryPath:
                                    description: Specifies where to place files found
                                      in secret (optional)
                                    type: string
                                  name:
                                    type: string
                                type: object
                              secretRef:
                                properties:
                                  directoryPath:
                                    description: Specifies where to place files found
                                      in secret (optional)
                                    type: string
                                  name:
                                    type: string
                                type: object
                            type: object
                          type: array
                      type: object
                    path:
                      description: Relative path to place the fetched artifacts
                      type: string
                  type: object
                type: array
              noopDelete:
                description: Deletion requests for the App will result in the App
                  CR being deleted, but its associated resources will not be deleted
                  (optional; default=false; v0.18.0+)
                type: boolean
              paused:
                description: Pauses _future_ reconciliation; does _not_ affect currently
                  running reconciliation (optional; default=false)
                type: boolean
              serviceAccountName:
                description: Specifies that app should be deployed authenticated via
                  given service account, found in this namespace (optional; v0.6.0+)
                type: string
              syncPeriod:
                description: Specifies the length of time to wait, in time + unit
                  format, before reconciling. Always >= 30s. If value below 30s is
                  specified, 30s will be used. (optional; v0.9.0+; default=30s)
                type: string
              template:
                items:
                  properties:
                    cue:
                      properties:
                        inputExpression:
                          description: Cue expression for single path component, can
                            be used to unify ValuesFrom into a given field (optional)
                          type: string
                        outputExpression:
                          description: Cue expression to output, default will export
                            all visible fields (optional)
                          type: string
                        paths:
                          description: Explicit list of files/directories (optional)
                          items:
                            type: string
                          type: array
                        valuesFrom:
                          description: Provide values (optional)
                          items:
                            properties:
                              configMapRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                              downwardAPI:
                                properties:
                                  items:
                                    items:
                                      properties:
                                        fieldPath:
                                          description: 'Required: Selects a field
                                            of the app: only annotations, labels,
                                            uid, name and namespace are supported.'
                                          type: string
                                        kappControllerVersion:
                                          description: 'Optional: Get running KappController
                                            version, defaults (empty) to retrieving
                                            the current running version. Can be manually
                                            supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        kubernetesAPIs:
                                          description: 'Optional: Get running KubernetesAPIs
                                            from cluster, defaults (empty) to retrieving
                                            the APIs from the cluster. Can be manually
                                            supplied instead, e.g. ["group/version",
                                            "group2/version2"]'
                                          properties:
                                            groupVersions:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        kubernetesVersion:
                                          description: 'Optional: Get running Kubernetes
                                            version from cluster, defaults (empty)
                                            to retrieving the version from the cluster.
                                            Can be manually supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        name:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              path:
                                type: string
                              secretRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                            type: object
                          type: array
                      type: object
                    helmTemplate:
                      description: Use helm template command to render helm chart
                      properties:
                        kubernetesAPIs:
                          description: 'Optional: Use kubernetes group/versions resources
                            available in the live cluster'
                          properties:
                            groupVersions:
                              items:
                                type: string
                              type: array
                          type: object
                        kubernetesVersion:
                          description: 'Optional: Get Kubernetes version, defaults
                            (empty) to retrieving the version from the cluster. Can
                            be manually overridden to a value instead.'
                          properties:
                            version:
                              type: string
                          type: object
                        name:
                          description: Set name explicitly, default is App CR's name
                            (optional; v0.13.0+)
                          type: string
                        namespace:
                          description: Set namespace explicitly, default is App CR's
                            namespace (optional; v0.13.0+)
                          type: string
                        path:
                          description: Path to chart (optional; v0.13.0+)
                          type: string
                        valuesFrom:
                          description: One or more secrets, config maps, paths that
                            provide values (optional)
                          items:
                            properties:
                              configMapRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                              downwardAPI:
                                properties:
                                  items:
                                    items:
                                      properties:
                                        fieldPath:
                                          description: 'Required: Selects a field
                                            of the app: only annotations, labels,
                                            uid, name and namespace are supported.'
                                          type: string
                                        kappControllerVersion:
                                          description: 'Optional: Get running KappController
                                            version, defaults (empty) to retrieving
                                            the current running version. Can be manually
                                            supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        kubernetesAPIs:
                                          description: 'Optional: Get running KubernetesAPIs
                                            from cluster, defaults (empty) to retrieving
                                            the APIs from the cluster. Can be manually
                                            supplied instead, e.g. ["group/version",
                                            "group2/version2"]'
                                          properties:
                                            groupVersions:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        kubernetesVersion:
                                          description: 'Optional: Get running Kubernetes
                                            version from cluster, defaults (empty)
                                            to retrieving the version from the cluster.
                                            Can be manually supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        name:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              path:
                                type: string
                              secretRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                            type: object
                          type: array
                      type: object
                    jsonnet:
                      description: TODO implement jsonnet
                      type: object
                    kbld:
                      description: Use kbld to resolve image references to use digests
                      properties:
                        paths:
                          items:
                            type: string
                          type: array
                      type: object
                    kustomize:
                      description: TODO implement kustomize
                      type: object
                    sops:
                      description: Use sops to decrypt *.sops.yml files (optional;
                        v0.11.0+)
                      properties:
                        age:
                          properties:
                            privateKeysSecretRef:
                              description: Secret with private armored PGP private
                                keys (required)
                              properties:
                                name:
                                  type: string
                              type: object
                          type: object
                        paths:
                          description: Lists paths to decrypt explicitly (optional;
                            v0.13.0+)
                          items:
                            type: string
                          type: array
                        pgp:
                          description: Use PGP to decrypt files (required)
                          properties:
                            privateKeysSecretRef:
                              description: Secret with private armored PGP private
                                keys (required)
                              properties:
                                name:
                                  type: string
                              type: object
                          type: object
                      type: object
                    ytt:
                      description: Use ytt to template configuration
                      properties:
                        fileMarks:
                          description: Control metadata about input files passed to
                            ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
                            for more details
                          items:
                            type: string
                          type: array
                        ignoreUnknownComments:
                          description: Ignores comments that ytt doesn't recognize
                            (optional; default=false)
                          type: boolean
                        inline:
                          description: Specify additional files, including data values
                            (optional)
                          properties:
                            paths:
                              additionalProperties:
                                type: string
                              description: Specifies mapping of paths to their content;
                                not recommended for sensitive values as CR is not
                                encrypted (optional)
                              type: object
                            pathsFrom:
                              description: Specifies content via secrets and config
                                maps; data values are recommended to be placed in
                                secrets (optional)
                              items:
                                properties:
                                  configMapRef:
                                    properties:
                                      directoryPath:
                                        description: Specifies where to place files
                                          found in secret (optional)
                                        type: string
                                      name:
                                        type: string
                                    type: object
                                  secretRef:
                                    properties:
                                      directoryPath:
                                        description: Specifies where to place files
                                          found in secret (optional)
                                        type: string
                                      name:
                                        type: string
                                    type: object
                                type: object
                              type: array
                          type: object
                        paths:
                          description: Lists paths to provide to ytt explicitly (optional)
                          items:
                            type: string
                          type: array
                        strict:
                          description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
                            (optional; default=false)
                          type: boolean
                        valuesFrom:
                          description: Provide values via ytt's --data-values-file
                            (optional; v0.19.0-alpha.9)
                          items:
                            properties:
                              configMapRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                              downwardAPI:
                                properties:
                                  items:
                                    items:
                                      properties:
                                        fieldPath:
                                          description: 'Required: Selects a field
                                            of the app: only annotations, labels,
                                            uid, name and namespace are supported.'
                                          type: string
                                        kappControllerVersion:
                                          description: 'Optional: Get running KappController
                                            version, defaults (empty) to retrieving
                                            the current running version. Can be manually
                                            supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        kubernetesAPIs:
                                          description: 'Optional: Get running KubernetesAPIs
                                            from cluster, defaults (empty) to retrieving
                                            the APIs from the cluster. Can be manually
                                            supplied instead, e.g. ["group/version",
                                            "group2/version2"]'
                                          properties:
                                            groupVersions:
                                              items:
                                                type: string
                                              type: array
                                          type: object
                                        kubernetesVersion:
                                          description: 'Optional: Get running Kubernetes
                                            version from cluster, defaults (empty)
                                            to retrieving the version from the cluster.
                                            Can be manually supplied instead.'
                                          properties:
                                            version:
                                              type: string
                                          type: object
                                        name:
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              path:
                                type: string
                              secretRef:
                                properties:
                                  name:
                                    type: string
                                type: object
                            type: object
                          type: array
                      type: object
                  type: object
                type: array
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      description: ConditionType represents reconciler state
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              consecutiveReconcileFailures:
                type: integer
              consecutiveReconcileSuccesses:
                type: integer
              deploy:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  finished:
                    type: boolean
                  kapp:
                    description: KappDeployStatus contains the associated AppCR deployed
                      resources
                    properties:
                      associatedResources:
                        description: AssociatedResources contains the associated App
                          label, namespaces and GKs
                        properties:
                          groupKinds:
                            items:
                              description: GroupKind specifies a Group and a Kind,
                                but does not force a version.  This is useful for
                                identifying concepts during lookup stages without
                                having partially valid types
                              properties:
                                group:
                                  type: string
                                kind:
                                  type: string
                              required:
                              - group
                              - kind
                              type: object
                            type: array
                          label:
                            type: string
                          namespaces:
                            items:
                              type: string
                            type: array
                        type: object
                    type: object
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              fetch:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              friendlyDescription:
                type: string
              inspect:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              managedAppName:
                type: string
              observedGeneration:
                description: Populated based on metadata.generation when controller
                  observes a change to the resource; if this value is out of date,
                  other status fields do not reflect latest state
                format: int64
                type: integer
              template:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  stderr:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              usefulErrorMessage:
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: packageinstalls.packaging.carvel.dev
spec:
  group: packaging.carvel.dev
  names:
    categories:
    - carvel
    kind: PackageInstall
    listKind: PackageInstallList
    plural: packageinstalls
    shortNames:
    - pkgi
    singular: packageinstall
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: PackageMetadata name
      jsonPath: .spec.packageRef.refName
      name: Package name
      type: string
    - description: PackageMetadata version
      jsonPath: .status.version
      name: Package version
      type: string
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: A Package Install is an actual installation of a package and
          its underlying resources on a Kubernetes cluster. It is represented in kapp-controller
          by a PackageInstall CR. A PackageInstall CR must reference a Package CR.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              canceled:
                description: Canceled when set to true will stop all active changes
                type: boolean
              cluster:
                description: Specifies that Package should be deployed to destination
                  cluster; by default, cluster is same as where this resource resides
                  (optional)
                properties:
                  kubeconfigSecretRef:
                    description: Specifies secret containing kubeconfig (required)
                    properties:
                      key:
                        description: Specifies key that contains kubeconfig (optional)
                        type: string
                      name:
                        description: Specifies secret name within app's namespace
                          (required)
                        type: string
                    type: object
                  namespace:
                    description: Specifies namespace in destination cluster (optional)
                    type: string
                type: object
              noopDelete:
                description: When NoopDelete set to true, PackageInstall deletion
                  should delete PackageInstall/App CR but preserve App's associated
                  resources.
                type: boolean
              packageRef:
                description: Specifies the name of the package to install (required)
                properties:
                  refName:
                    type: string
                  versionSelection:
                    properties:
                      constraints:
                        type: string
                      prereleases:
                        properties:
                          identifiers:
                            items:
                              type: string
                            type: array
                        type: object
                    type: object
                type: object
              paused:
                description: Paused when set to true will ignore all pending changes,
                  once it is set back to false, pending changes will be applied
                type: boolean
              serviceAccountName:
                description: Specifies service account that will be used to install
                  underlying package contents
                type: string
              syncPeriod:
                description: Controls frequency of App reconciliation in time + unit
                  format. Always >= 30s. If value below 30s is specified, 30s will
                  be used.
                type: string
              values:
                description: Values to be included in package's templating step (currently
                  only included in the first templating step) (optional)
                items:
                  properties:
                    secretRef:
                      properties:
                        key:
                          type: string
                        name:
                          type: string
                      type: object
                  type: object
                type: array
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      description: ConditionType represents reconciler state
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              friendlyDescription:
                type: string
              lastAttemptedVersion:
                description: LastAttemptedVersion specifies what version was last
                  attempted to be installed. It does _not_ indicate it was successfully
                  installed.
                type: string
              observedGeneration:
                description: Populated based on metadata.generation when controller
                  observes a change to the resource; if this value is out of date,
                  other status fields do not reflect latest state
                format: int64
                type: integer
              usefulErrorMessage:
                type: string
              version:
                description: TODO this is desired resolved version (not actually deployed)
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    packaging.carvel.dev/global-namespace: kapp-controller-packaging-global
  name: packagerepositories.packaging.carvel.dev
spec:
  group: packaging.carvel.dev
  names:
    categories:
    - carvel
    kind: PackageRepository
    listKind: PackageRepositoryList
    plural: packagerepositories
    shortNames:
    - pkgr
    singular: packagerepository
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: A package repository is a collection of packages and their metadata.
          Similar to a maven repository or a rpm repository, adding a package repository
          to a cluster gives users of that cluster the ability to install any of the
          packages from that repository.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              fetch:
                properties:
                  git:
                    description: Uses git to clone repository containing package list
                    properties:
                      lfsSkipSmudge:
                        description: Skip lfs download (optional)
                        type: boolean
                      ref:
                        description: Branch, tag, commit; origin is the name of the
                          remote (optional)
                        type: string
                      refSelection:
                        description: Specifies a strategy to resolve to an explicit
                          ref (optional; v0.24.0+)
                        properties:
                          semver:
                            properties:
                              constraints:
                                type: string
                              prereleases:
                                properties:
                                  identifiers:
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                        type: object
                      secretRef:
                        description: 'Secret with auth details. allowed keys: ssh-privatekey,
                          ssh-knownhosts, username, password (optional) (if ssh-knownhosts
                          is not specified, git will not perform strict host checking)'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      subPath:
                        description: Grab only portion of repository (optional)
                        type: string
                      url:
                        description: http or ssh urls are supported (required)
                        type: string
                    type: object
                  http:
                    description: Uses http library to fetch file containing packages
                    properties:
                      secretRef:
                        description: 'Secret to provide auth details (optional) Secret
                          may include one or more keys: username, password'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      sha256:
                        description: Checksum to verify after download (optional)
                        type: string
                      subPath:
                        description: Grab only portion of download (optional)
                        type: string
                      url:
                        description: 'URL can point to one of following formats: text,
                          tgz, zip http and https url are supported; plain file, tgz
                          and tar types are supported (required)'
                        type: string
                    type: object
                  image:
                    description: Image url; unqualified, tagged, or digest references
                      supported (required)
                    properties:
                      secretRef:
                        description: 'Secret may include one or more keys: username,
                          password, token. By default anonymous access is used for
                          authentication.'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      subPath:
                        description: Grab only portion of image (optional)
                        type: string
                      tagSelection:
                        description: Specifies a strategy to choose a tag (optional;
                          v0.24.0+) if specified, do not include a tag in url key
                        properties:
                          semver:
                            properties:
                              constraints:
                                type: string
                              prereleases:
                                properties:
                                  identifiers:
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                        type: object
                      url:
                        description: 'Docker image url; unqualified, tagged, or digest
                          references supported (required) Example: username/app1-config:v0.1.0'
                        type: string
                    type: object
                  imgpkgBundle:
                    description: Pulls imgpkg bundle from Docker/OCI registry
                    properties:
                      image:
                        description: Docker image url; unqualified, tagged, or digest
                          references supported (required)
                        type: string
                      secretRef:
                        description: 'Secret may include one or more keys: username,
                          password, token. By default anonymous access is used for
                          authentication.'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      tagSelection:
                        description: Specifies a strategy to choose a tag (optional;
                          v0.24.0+) if specified, do not include a tag in url key
                        properties:
                          semver:
                            properties:
                              constraints:
                                type: string
                              prereleases:
                                properties:
                                  identifiers:
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                        type: object
                    type: object
                  inline:
                    description: Pull content from within this resource; or other
                      resources in the cluster
                    properties:
                      paths:
                        additionalProperties:
                          type: string
                        description: Specifies mapping of paths to their content;
                          not recommended for sensitive values as CR is not encrypted
                          (optional)
                        type: object
                      pathsFrom:
                        description: Specifies content via secrets and config maps;
                          data values are recommended to be placed in secrets (optional)
                        items:
                          properties:
                            configMapRef:
                              properties:
                                directoryPath:
                                  description: Specifies where to place files found
                                    in secret (optional)
                                  type: string
                                name:
                                  type: string
                              type: object
                            secretRef:
                              properties:
                                directoryPath:
                                  description: Specifies where to place files found
                                    in secret (optional)
                                  type: string
                                name:
                                  type: string
                              type: object
                          type: object
                        type: array
                    type: object
                type: object
              paused:
                description: Paused when set to true will ignore all pending changes;
                  once it is set back to false, pending changes will be applied
                type: boolean
              syncPeriod:
                description: Controls frequency of PackageRepository reconciliation
                type: string
            required:
            - fetch
            type: object
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      description: ConditionType represents reconciler state
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              consecutiveReconcileFailures:
                type: integer
              consecutiveReconcileSuccesses:
                type: integer
              deploy:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  finished:
                    type: boolean
                  kapp:
                    description: KappDeployStatus contains the associated AppCR deployed
                      resources
                    properties:
                      associatedResources:
                        description: AssociatedResources contains the associated App
                          label, namespaces and GKs
                        properties:
                          groupKinds:
                            items:
                              description: GroupKind specifies a Group and a Kind,
                                but does not force a version.  This is useful for
                                identifying concepts during lookup stages without
                                having partially valid types
                              properties:
                                group:
                                  type: string
                                kind:
                                  type: string
                              required:
                              - group
                              - kind
                              type: object
                            type: array
                          label:
                            type: string
                          namespaces:
                            items:
                              type: string
                            type: array
                        type: object
                    type: object
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              fetch:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              friendlyDescription:
                type: string
              observedGeneration:
                description: Populated based on metadata.generation when controller
                  observes a change to the resource; if this value is out of date,
                  other status fields do not reflect latest state
                format: int64
                type: integer
              template:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  stderr:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              usefulErrorMessage:
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kapp-controller.carvel.dev/version: v0.45.2
    kbld.k14s.io/images: |
      - origins:
        - local:
            path: /home/runner/work/kapp-controller/kapp-controller
        - git:
            dirty: true
            remoteURL: https://github.com/carvel-dev/kapp-controller
            sha: e3beee23d49899bfc681c9d980c1a3bdc0fa14ac
            tags:
            - v0.45.2
        url: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
  name: kapp-controller
  namespace: tkg-system
spec:
  replicas: 1
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: kapp-controller
  template:
    metadata:
      labels:
        app: kapp-controller
    spec:
      containers:
      - args:
        - -packaging-global-namespace=kapp-controller-packaging-global
        - -enable-api-priority-and-fairness=True
        - -tls-cipher-suites=
        env:
        - name: KAPPCTRL_MEM_TMP_DIR
          value: /etc/kappctrl-mem-tmp
        - name: KAPPCTRL_SIDECAREXEC_SOCK
          value: /etc/kappctrl-mem-tmp/sidecarexec.sock
        - name: KAPPCTRL_SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: KAPPCTRL_API_PORT
          value: "10350"
        image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
        name: kapp-controller
        ports:
        - containerPort: 10350
          name: api
          protocol: TCP
        resources:
          requests:
            cpu: 120m
            memory: 100Mi
        volumeMounts:
        - mountPath: /etc/kappctrl-mem-tmp
          name: template-fs
        - mountPath: /home/kapp-controller
          name: home
      - args:
        - --sidecarexec
        env:
        - name: KAPPCTRL_SIDECAREXEC_SOCK
          value: /etc/kappctrl-mem-tmp/sidecarexec.sock
        - name: IMGPKG_ACTIVE_KEYCHAINS
          value: gke,aks,ecr
        image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
        name: kapp-controller-sidecarexec
        resources:
          requests:
            cpu: 120m
            memory: 100Mi
        volumeMounts:
        - mountPath: /etc/kappctrl-mem-tmp
          name: template-fs
        - mountPath: /home/kapp-controller
          name: home
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: empty-sa
      serviceAccount: kapp-controller-sa
      volumes:
      - emptyDir:
          medium: Memory
        name: template-fs
      - emptyDir:
          medium: Memory
        name: home
      - emptyDir: {}
        name: empty-sa
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kapp-controller-sa
  namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kapp-controller-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
- apiGroups:
  - kappctrl.k14s.io
  resources:
  - apps
  - apps/status
  verbs:
  - '*'
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packageinstalls
  - packageinstalls/status
  - packageinstalls/finalizers
  verbs:
  - '*'
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packagerepositories
  - packagerepositories/status
  verbs:
  - '*'
- apiGroups:
  - internal.packaging.carvel.dev
  resources:
  - internalpackagemetadatas
  verbs:
  - '*'
- apiGroups:
  - data.packaging.carvel.dev
  resources:
  - packagemetadatas
  - packagemetadatas/status
  verbs:
  - '*'
- apiGroups:
  - internal.packaging.carvel.dev
  resources:
  - internalpackages
  verbs:
  - '*'
- apiGroups:
  - data.packaging.carvel.dev
  resources:
  - packages
  - packages/status
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - '*'
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - update
  - get
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
  - watch
  - get
  - update
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - list
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - prioritylevelconfigurations
  - flowschemas
  verbs:
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - tanzu-system-kapp-ctrl-restricted
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kapp-controller-user-role
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
- apiGroups:
  - kappctrl.k14s.io
  resources:
  - apps
  - apps/status
  verbs:
  - '*'
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packageinstalls
  - packageinstalls/status
  - packageinstalls/finalizers
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - '*'
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packagerepositories
  - packagerepositories/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - internal.packaging.carvel.dev
  resources:
  - internalpackagemetadatas
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - data.packaging.carvel.dev
  resources:
  - packagemetadatas
  - packagemetadatas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - internal.packaging.carvel.dev
  resources:
  - internalpackages
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - data.packaging.carvel.dev
  resources:
  - packages
  - packages/status
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kapp-controller-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kapp-controller-cluster-role
subjects:
- kind: ServiceAccount
  name: kapp-controller-sa
  namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pkg-apiserver:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: kapp-controller-sa
  namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pkgserver-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: kapp-controller-sa
  namespace: tkg-system
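
A pre-apply check to run before `kubectl apply -f kapp-controller.yaml`, given here as an added example that is not part of the VMware manifest or the Carvel tooling. It confirms that every container image in the manifest is pinned by sha256 digest and matches a `url` recorded in the `kbld.k14s.io/images` annotation; the function names and the trimmed sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Pre-apply check for kapp-controller.yaml: every container image must be
# pinned by sha256 digest and match a url recorded in the kbld annotation.

# Container image references, one per line. CRD schema keys such as a bare
# "image:" with no value are skipped because a value is required.
list_images() {
  sed -n 's/^[[:space:]-]*image:[[:space:]]*\([^[:space:]]\{1,\}\)[[:space:]]*$/\1/p' "$1" |
    tr -d "\"'"
}

# References that are NOT of the form name@sha256:<64 hex digits>.
unpinned_images() {
  list_images "$1" | grep -Ev '^[^@[:space:]]+@sha256:[0-9a-f]{64}$' || true
}

# Returns 0 when all images are pinned and listed in kbld.k14s.io/images.
check_manifest() {
  f=$1
  imgs=$(list_images "$f" | sort -u)
  [ -n "$imgs" ] || { echo "no container images found in $f" >&2; return 2; }
  bad=$(unpinned_images "$f")
  [ -z "$bad" ] || { echo "not digest-pinned: $bad" >&2; return 1; }
  for img in $imgs; do
    grep -Fq "url: $img" "$f" ||
      { echo "not in kbld annotation: $img" >&2; return 1; }
  done
}

# Constructed sample: a trimmed Deployment using the digest shown on this page.
sample_manifest() {
  d=sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
  cat <<EOF
metadata:
  annotations:
    kbld.k14s.io/images: |
      - url: ghcr.io/carvel-dev/kapp-controller@$d
spec:
  template:
    spec:
      containers:
      - image: ghcr.io/carvel-dev/kapp-controller@$d
        name: kapp-controller
      - image: ghcr.io/carvel-dev/kapp-controller@$d
        name: kapp-controller-sidecarexec
EOF
}

if [ $# -gt 0 ]; then check_manifest "$1"; fi  # usage: sh check.sh kapp-controller.yaml
```

The check matters here because the ClusterRole bound to `kapp-controller-sa` can read and create Secrets cluster-wide, so the image that runs under it should be exactly the one the manifest records.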