This topic explains how to manually install the Kapp Controller to enable installing Tanzu packages in Supervisor-deployed workload clusters running on vSphere 7.
The Kapp Controller component is required to install, customize, and update Tanzu Packages on TKG clusters.
Workload clusters that run on vSphere 7-compatible TKrs do not have the Kapp Controller pre-installed, so you must install it manually as described below. Workload clusters running on vSphere 8-compatible TKrs already have Kapp Controller installed.
See the TKr Release Notes for TKr version compatibility with vSphere versions.
Also see the upstream Kapp Controller installation instructions for additional guidance and troubleshooting.
To manually install Kapp Controller on a TKG cluster that is running a vSphere 7-compatible TKr:
1. List the available Kapp Controller versions in the repository.
   imgpkg tag list -i projects.registry.vmware.com/tkg/kapp-controller
   The command returns all available Kapp Controller package versions.
   Tags
   Name
   v0.16.0_vmware.1
   v0.18.0_vmware.1
   v0.23.0_vmware.1
   v0.25.0_vmware.1
   v0.30.0_vmware.1
   v0.30.1_vmware.1
   v0.38.4_vmware.1
   v0.38.5_vmware.2
   v0.41.5_vmware.1
   v0.41.7_vmware.1
   v0.45.2_vmware.1
   11 tags
   Succeeded
   Note: It is recommended that you install the latest version of Kapp Controller, which for this repository is v0.45.2_vmware.1. If you experience an error using this version, try version v0.30.1_vmware.1.
2. Create the kapp-controller.yaml file. The manifest to use is given below; its description field can guide any customizations.
3. Install Kapp Controller.
   kubectl apply -f kapp-controller.yaml
4. Verify the installation of Kapp Controller.
   kubectl get pods -A
   You should see the following.
   tkg-system kapp-controller-... 1/1 Running 0 16m
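The following POSIX shell script is an added example, not part of the VMware page: it automates the version choice in step 1 and the health check in step 4 against constructed sample output embedded inline (the tag listing shown on this page, and a kubectl get pods listing whose pod-name suffixes are made up), so it runs offline.

```shell
#!/bin/sh
# Added example (not from the VMware page): pick the newest Kapp Controller tag from an
# imgpkg listing and check the verification step's pod listing, both on constructed
# sample output that mirrors what the page shows, so the script runs offline.

# Constructed sample of `imgpkg tag list -i projects.registry.vmware.com/tkg/kapp-controller`.
SAMPLE_TAG_LIST='Tags

Name
v0.16.0_vmware.1
v0.18.0_vmware.1
v0.23.0_vmware.1
v0.25.0_vmware.1
v0.30.0_vmware.1
v0.30.1_vmware.1
v0.38.4_vmware.1
v0.38.5_vmware.2
v0.41.5_vmware.1
v0.41.7_vmware.1
v0.45.2_vmware.1

11 tags

Succeeded'

# Constructed sample of `kubectl get pods -A` after a successful install (pod suffixes invented).
SAMPLE_PODS_OK='NAMESPACE     NAME                               READY   STATUS    RESTARTS   AGE
kube-system   coredns-5d78c9869d-abcde           1/1     Running   0          20m
tkg-system    kapp-controller-7c9f8d6b5c-x2k4q   1/1     Running   0          16m'

# Constructed sample where the controller pod exists but is not healthy.
SAMPLE_PODS_BAD='NAMESPACE     NAME                               READY   STATUS             RESTARTS   AGE
tkg-system    kapp-controller-7c9f8d6b5c-x2k4q   0/1     CrashLoopBackOff   5          16m'

# Read an imgpkg tag listing on stdin and print the highest vX.Y.Z_vmware.N tag.
# Header and footer lines are skipped, and every component is compared numerically,
# so v0.45.2_vmware.1 wins over v0.41.7_vmware.1 and a two-digit component never
# loses to a one-digit one the way it would under a plain string sort.
latest_kapp_tag() {
  awk '
    /^v[0-9]+\.[0-9]+\.[0-9]+_vmware\.[0-9]+$/ {
      v = substr($0, 2)                  # drop the leading "v"
      sub(/_vmware\./, ".", v)           # "0.45.2_vmware.1" -> "0.45.2.1"
      split(v, p, ".")
      key = ((p[1] * 1000 + p[2]) * 1000 + p[3]) * 1000 + p[4]
      if (best_tag == "" || key > best) { best = key; best_tag = $0 }
    }
    END { print best_tag }'
}

# Read `kubectl get pods -A` output on stdin; succeed only if a kapp-controller pod
# in tkg-system is fully ready and Running, which is what the verification step expects.
kapp_controller_ready() {
  awk '
    $1 == "tkg-system" && $2 ~ /^kapp-controller-/ && $3 == "1/1" && $4 == "Running" { ok = 1 }
    END { exit ok ? 0 : 1 }'
}

main() {
  tag=$(printf '%s\n' "$SAMPLE_TAG_LIST" | latest_kapp_tag)
  echo "newest Kapp Controller tag: $tag"
  if printf '%s\n' "$SAMPLE_PODS_OK" | kapp_controller_ready; then
    echo "kapp-controller is Running in tkg-system"
  else
    echo "kapp-controller is not ready" >&2
  fi
}

main
```

On a live cluster, pipe the real command output into the two functions instead of the embedded samples.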
The content of your kapp-controller.yaml file depends on the Kubernetes version that your management cluster runs, and on whether it uses Pod Security Policy (PSP) objects or the Pod Security Admission (PSA) controller.
Starting with TKr v1.25, the Pod Security Admission controller replaces PSPs. For more information, refer to the TKr Release Notes.
If you are using TKr v1.25 or later, which requires PSA, use the following kapp-controller.yaml to install the Kapp Controller.
If you are using TKr v1.26 or later, which enforces PSA restricted mode, then in addition to using the following kapp-controller.yaml you also need to create a binding so that the pod can run. (The pod runs in the tkg-system namespace, which cannot be edited, hence the need for a binding.) The following example uses a clusterrolebinding, which grants the cluster-admin role to the system:authenticated group cluster-wide. For tighter security, use a rolebinding instead, which is scoped to a single namespace.
kubectl create clusterrolebinding default-tkg-admin-privileged-binding --clusterrole=cluster-admin --group=system:authenticated
Below is the kapp-controller.yaml manifest for TKr v1.25 and later.
---
apiVersion: v1
kind: Namespace
metadata:
name: tkg-system
---
apiVersion: v1
kind: Namespace
metadata:
name: kapp-controller-packaging-global
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.data.packaging.carvel.dev
spec:
group: data.packaging.carvel.dev
groupPriorityMinimum: 100
service:
name: packaging-api
namespace: tkg-system
version: v1alpha1
versionPriority: 100
---
apiVersion: v1
kind: Service
metadata:
name: packaging-api
namespace: tkg-system
spec:
ports:
- port: 443
protocol: TCP
targetPort: api
selector:
app: kapp-controller
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: internalpackagemetadatas.internal.packaging.carvel.dev
spec:
group: internal.packaging.carvel.dev
names:
kind: InternalPackageMetadata
listKind: InternalPackageMetadataList
plural: internalpackagemetadatas
singular: internalpackagemetadata
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
categories:
description: Classifiers of the package (optional; Array of strings)
items:
type: string
type: array
displayName:
description: Human friendly name of the package (optional; string)
type: string
iconSVGBase64:
description: Base64 encoded icon (optional; string)
type: string
longDescription:
description: Long description of the package (optional; string)
type: string
maintainers:
description: List of maintainer info for the package. Currently only
supports the name key. (optional; array of maintner info)
items:
properties:
name:
type: string
type: object
type: array
providerName:
description: Name of the entity distributing the package (optional;
string)
type: string
shortDescription:
description: Short desription of the package (optional; string)
type: string
supportDescription:
description: Description of the support available for the package
(optional; string)
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: internalpackages.internal.packaging.carvel.dev
spec:
group: internal.packaging.carvel.dev
names:
kind: InternalPackage
listKind: InternalPackageList
plural: internalpackages
singular: internalpackage
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
capacityRequirementsDescription:
description: 'System requirements needed to install the package. Note:
these requirements will not be verified by kapp-controller on installation.
(optional; string)'
type: string
includedSoftware:
description: IncludedSoftware can be used to show the software contents
of a Package. This is especially useful if the underlying versions
do not match the Package version
items:
description: IncludedSoftware contains the underlying Software Contents
of a Package
properties:
description:
type: string
displayName:
type: string
version:
type: string
type: object
type: array
kappControllerVersionSelection:
description: KappControllerVersionSelection specifies the versions
of kapp-controller which can install this package
properties:
constraints:
type: string
type: object
kubernetesVersionSelection:
description: KubernetesVersionSelection specifies the versions of
k8s which this package can be installed on
properties:
constraints:
type: string
type: object
licenses:
description: Description of the licenses that apply to the package
software (optional; Array of strings)
items:
type: string
type: array
refName:
description: The name of the PackageMetadata associated with this
version Must be a valid PackageMetadata name (see PackageMetadata
CR for details) Cannot be empty
type: string
releaseNotes:
description: Version release notes (optional; string)
type: string
releasedAt:
description: Timestamp of release (iso8601 formatted string; optional)
format: date-time
nullable: true
type: string
template:
properties:
spec:
properties:
canceled:
description: Cancels current and future reconciliations (optional;
default=false)
type: boolean
cluster:
description: Specifies that app should be deployed to destination
cluster; by default, cluster is same as where this resource
resides (optional; v0.5.0+)
properties:
kubeconfigSecretRef:
description: Specifies secret containing kubeconfig (required)
properties:
key:
description: Specifies key that contains kubeconfig
(optional)
type: string
name:
description: Specifies secret name within app's namespace
(required)
type: string
type: object
namespace:
description: Specifies namespace in destination cluster
(optional)
type: string
type: object
deploy:
items:
properties:
kapp:
description: Use kapp to deploy resources
properties:
delete:
description: Configuration for delete command (optional)
properties:
rawOptions:
description: Pass through options to kapp delete
(optional)
items:
type: string
type: array
type: object
inspect:
description: 'Configuration for inspect command
(optional) as of kapp-controller v0.31.0, inspect
is disabled by default add rawOptions or use an
empty inspect config like `inspect: {}` to enable'
properties:
rawOptions:
description: Pass through options to kapp inspect
(optional)
items:
type: string
type: array
type: object
intoNs:
description: Override namespace for all resources
(optional)
type: string
mapNs:
description: Provide custom namespace override mapping
(optional)
items:
type: string
type: array
rawOptions:
description: Pass through options to kapp deploy
(optional)
items:
type: string
type: array
type: object
type: object
type: array
fetch:
items:
properties:
git:
description: Uses git to clone repository
properties:
lfsSkipSmudge:
description: Skip lfs download (optional)
type: boolean
ref:
description: Branch, tag, commit; origin is the
name of the remote (optional)
type: string
refSelection:
description: Specifies a strategy to resolve to
an explicit ref (optional; v0.24.0+)
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
secretRef:
description: 'Secret with auth details. allowed
keys: ssh-privatekey, ssh-knownhosts, username,
password (optional) (if ssh-knownhosts is not
specified, git will not perform strict host checking)'
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
subPath:
description: Grab only portion of repository (optional)
type: string
url:
description: http or ssh urls are supported (required)
type: string
type: object
helmChart:
description: Uses helm fetch to fetch specified chart
properties:
name:
description: 'Example: stable/redis'
type: string
repository:
properties:
secretRef:
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
url:
description: Repository url; scheme of oci://
will fetch experimental helm oci chart (v0.19.0+)
(required)
type: string
type: object
version:
type: string
type: object
http:
description: Uses http library to fetch file
properties:
secretRef:
description: 'Secret to provide auth details (optional)
Secret may include one or more keys: username,
password'
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
sha256:
description: Checksum to verify after download (optional)
type: string
subPath:
description: Grab only portion of download (optional)
type: string
url:
description: 'URL can point to one of following
formats: text, tgz, zip http and https url are
supported; plain file, tgz and tar types are supported
(required)'
type: string
type: object
image:
description: Pulls content from Docker/OCI registry
properties:
secretRef:
description: 'Secret may include one or more keys:
username, password, token. By default anonymous
access is used for authentication.'
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
subPath:
description: Grab only portion of image (optional)
type: string
tagSelection:
description: Specifies a strategy to choose a tag
(optional; v0.24.0+) if specified, do not include
a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
url:
description: 'Docker image url; unqualified, tagged,
or digest references supported (required) Example:
username/app1-config:v0.1.0'
type: string
type: object
imgpkgBundle:
description: Pulls imgpkg bundle from Docker/OCI registry
(v0.17.0+)
properties:
image:
description: Docker image url; unqualified, tagged,
or digest references supported (required)
type: string
secretRef:
description: 'Secret may include one or more keys:
username, password, token. By default anonymous
access is used for authentication.'
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
tagSelection:
description: Specifies a strategy to choose a tag
(optional; v0.24.0+) if specified, do not include
a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
type: object
inline:
description: Pulls content from within this resource;
or other resources in the cluster
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their
content; not recommended for sensitive values
as CR is not encrypted (optional)
type: object
pathsFrom:
description: Specifies content via secrets and config
maps; data values are recommended to be placed
in secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
path:
description: Relative path to place the fetched artifacts
type: string
type: object
type: array
noopDelete:
description: Deletion requests for the App will result in
the App CR being deleted, but its associated resources will
not be deleted (optional; default=false; v0.18.0+)
type: boolean
paused:
description: Pauses _future_ reconciliation; does _not_ affect
currently running reconciliation (optional; default=false)
type: boolean
serviceAccountName:
description: Specifies that app should be deployed authenticated
via given service account, found in this namespace (optional;
v0.6.0+)
type: string
syncPeriod:
description: Specifies the length of time to wait, in time
+ unit format, before reconciling. Always >= 30s. If value
below 30s is specified, 30s will be used. (optional; v0.9.0+;
default=30s)
type: string
template:
items:
properties:
cue:
properties:
inputExpression:
description: Cue expression for single path component,
can be used to unify ValuesFrom into a given field
(optional)
type: string
outputExpression:
description: Cue expression to output, default will
export all visible fields (optional)
type: string
paths:
description: Explicit list of files/directories
(optional)
items:
type: string
type: array
valuesFrom:
description: Provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects
a field of the app: only annotations,
labels, uid, name and namespace
are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running
KappController version, defaults
(empty) to retrieving the current
running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running
KubernetesAPIs from cluster, defaults
(empty) to retrieving the APIs
from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running
Kubernetes version from cluster,
defaults (empty) to retrieving
the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
helmTemplate:
description: Use helm template command to render helm
chart
properties:
kubernetesAPIs:
description: 'Optional: Use kubernetes group/versions
resources available in the live cluster'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get Kubernetes version,
defaults (empty) to retrieving the version from
the cluster. Can be manually overridden to a value
instead.'
properties:
version:
type: string
type: object
name:
description: Set name explicitly, default is App
CR's name (optional; v0.13.0+)
type: string
namespace:
description: Set namespace explicitly, default is
App CR's namespace (optional; v0.13.0+)
type: string
path:
description: Path to chart (optional; v0.13.0+)
type: string
valuesFrom:
description: One or more secrets, config maps, paths
that provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects
a field of the app: only annotations,
labels, uid, name and namespace
are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running
KappController version, defaults
(empty) to retrieving the current
running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running
KubernetesAPIs from cluster, defaults
(empty) to retrieving the APIs
from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running
Kubernetes version from cluster,
defaults (empty) to retrieving
the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
jsonnet:
description: TODO implement jsonnet
type: object
kbld:
description: Use kbld to resolve image references to
use digests
properties:
paths:
items:
type: string
type: array
type: object
kustomize:
description: TODO implement kustomize
type: object
sops:
description: Use sops to decrypt *.sops.yml files (optional;
v0.11.0+)
properties:
age:
properties:
privateKeysSecretRef:
description: Secret with private armored PGP
private keys (required)
properties:
name:
type: string
type: object
type: object
paths:
description: Lists paths to decrypt explicitly (optional;
v0.13.0+)
items:
type: string
type: array
pgp:
description: Use PGP to decrypt files (required)
properties:
privateKeysSecretRef:
description: Secret with private armored PGP
private keys (required)
properties:
name:
type: string
type: object
type: object
type: object
ytt:
description: Use ytt to template configuration
properties:
fileMarks:
description: Control metadata about input files
passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
for more details
items:
type: string
type: array
ignoreUnknownComments:
description: Ignores comments that ytt doesn't recognize
(optional; default=false)
type: boolean
inline:
description: Specify additional files, including
data values (optional)
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their
content; not recommended for sensitive values
as CR is not encrypted (optional)
type: object
pathsFrom:
description: Specifies content via secrets and
config maps; data values are recommended to
be placed in secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
paths:
description: Lists paths to provide to ytt explicitly
(optional)
items:
type: string
type: array
strict:
description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
(optional; default=false)
type: boolean
valuesFrom:
description: Provide values via ytt's --data-values-file
(optional; v0.19.0-alpha.9)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects
a field of the app: only annotations,
labels, uid, name and namespace
are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running
KappController version, defaults
(empty) to retrieving the current
running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running
KubernetesAPIs from cluster, defaults
(empty) to retrieving the APIs
from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running
Kubernetes version from cluster,
defaults (empty) to retrieving
the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
type: object
type: array
type: object
required:
- spec
type: object
valuesSchema:
description: valuesSchema can be used to show template values that
can be configured by users when a Package is installed in an OpenAPI
schema format.
properties:
openAPIv3:
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
version:
description: Package version; Referenced by PackageInstall; Must be
valid semver (required) Cannot be empty
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: apps.kappctrl.k14s.io
spec:
group: kappctrl.k14s.io
names:
categories:
- carvel
kind: App
listKind: AppList
plural: apps
singular: app
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Friendly description
jsonPath: .status.friendlyDescription
name: Description
type: string
- description: Last time app started being deployed. Does not mean anything was
changed.
jsonPath: .status.deploy.startedAt
name: Since-Deploy
type: date
- description: Time since creation
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: 'An App is a set of Kubernetes resources. These resources could
span any number of namespaces or could be cluster-wide (e.g. CRDs). An App
is represented in kapp-controller using a App CR. The App CR comprises of
three main sections: spec.fetch – declare source for fetching configuration
and OCI images spec.template – declare templating tool and values spec.deploy
– declare deployment tool and any deploy specific configuration'
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
canceled:
description: Cancels current and future reconciliations (optional;
default=false)
type: boolean
cluster:
description: Specifies that app should be deployed to destination
cluster; by default, cluster is same as where this resource resides
(optional; v0.5.0+)
properties:
kubeconfigSecretRef:
description: Specifies secret containing kubeconfig (required)
properties:
key:
description: Specifies key that contains kubeconfig (optional)
type: string
name:
description: Specifies secret name within app's namespace
(required)
type: string
type: object
namespace:
description: Specifies namespace in destination cluster (optional)
type: string
type: object
deploy:
items:
properties:
kapp:
description: Use kapp to deploy resources
properties:
delete:
description: Configuration for delete command (optional)
properties:
rawOptions:
description: Pass through options to kapp delete (optional)
items:
type: string
type: array
type: object
inspect:
description: 'Configuration for inspect command (optional)
as of kapp-controller v0.31.0, inspect is disabled by
default add rawOptions or use an empty inspect config
like `inspect: {}` to enable'
properties:
rawOptions:
description: Pass through options to kapp inspect (optional)
items:
type: string
type: array
type: object
intoNs:
description: Override namespace for all resources (optional)
type: string
mapNs:
description: Provide custom namespace override mapping (optional)
items:
type: string
type: array
rawOptions:
description: Pass through options to kapp deploy (optional)
items:
type: string
type: array
type: object
type: object
type: array
fetch:
items:
properties:
git:
description: Uses git to clone repository
properties:
lfsSkipSmudge:
description: Skip lfs download (optional)
type: boolean
ref:
description: Branch, tag, commit; origin is the name of
the remote (optional)
type: string
refSelection:
description: Specifies a strategy to resolve to an explicit
ref (optional; v0.24.0+)
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
secretRef:
description: 'Secret with auth details. allowed keys: ssh-privatekey,
ssh-knownhosts, username, password (optional) (if ssh-knownhosts
is not specified, git will not perform strict host checking)'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
subPath:
description: Grab only portion of repository (optional)
type: string
url:
description: http or ssh urls are supported (required)
type: string
type: object
helmChart:
description: Uses helm fetch to fetch specified chart
properties:
name:
description: 'Example: stable/redis'
type: string
repository:
properties:
secretRef:
properties:
name:
description: Object is expected to be within same
namespace
type: string
type: object
url:
description: Repository url; scheme of oci:// will fetch
experimental helm oci chart (v0.19.0+) (required)
type: string
type: object
version:
type: string
type: object
http:
description: Uses http library to fetch file
properties:
secretRef:
description: 'Secret to provide auth details (optional)
Secret may include one or more keys: username, password'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
sha256:
description: Checksum to verify after download (optional)
type: string
subPath:
description: Grab only portion of download (optional)
type: string
url:
description: 'URL can point to one of following formats:
text, tgz, zip http and https url are supported; plain
file, tgz and tar types are supported (required)'
type: string
type: object
image:
description: Pulls content from Docker/OCI registry
properties:
secretRef:
description: 'Secret may include one or more keys: username,
password, token. By default anonymous access is used for
authentication.'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
subPath:
description: Grab only portion of image (optional)
type: string
tagSelection:
description: Specifies a strategy to choose a tag (optional;
v0.24.0+) if specified, do not include a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
url:
description: 'Docker image url; unqualified, tagged, or
digest references supported (required) Example: username/app1-config:v0.1.0'
type: string
type: object
imgpkgBundle:
description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+)
properties:
image:
description: Docker image url; unqualified, tagged, or digest
references supported (required)
type: string
secretRef:
description: 'Secret may include one or more keys: username,
password, token. By default anonymous access is used for
authentication.'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
tagSelection:
description: Specifies a strategy to choose a tag (optional;
v0.24.0+) if specified, do not include a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
type: object
inline:
description: Pulls content from within this resource; or other
resources in the cluster
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their content;
not recommended for sensitive values as CR is not encrypted
(optional)
type: object
pathsFrom:
description: Specifies content via secrets and config maps;
data values are recommended to be placed in secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place files found
in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place files found
in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
path:
description: Relative path to place the fetched artifacts
type: string
type: object
type: array
noopDelete:
description: Deletion requests for the App will result in the App
CR being deleted, but its associated resources will not be deleted
(optional; default=false; v0.18.0+)
type: boolean
paused:
description: Pauses _future_ reconciliation; does _not_ affect currently
running reconciliation (optional; default=false)
type: boolean
serviceAccountName:
description: Specifies that app should be deployed authenticated via
given service account, found in this namespace (optional; v0.6.0+)
type: string
syncPeriod:
description: Specifies the length of time to wait, in time + unit
format, before reconciling. Always >= 30s. If value below 30s is
specified, 30s will be used. (optional; v0.9.0+; default=30s)
type: string
template:
items:
properties:
cue:
properties:
inputExpression:
description: Cue expression for single path component, can
be used to unify ValuesFrom into a given field (optional)
type: string
outputExpression:
description: Cue expression to output, default will export
all visible fields (optional)
type: string
paths:
description: Explicit list of files/directories (optional)
items:
type: string
type: array
valuesFrom:
description: Provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects a field
of the app: only annotations, labels,
uid, name and namespace are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running KappController
version, defaults (empty) to retrieving
the current running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running KubernetesAPIs
from cluster, defaults (empty) to retrieving
the APIs from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running Kubernetes
version from cluster, defaults (empty)
to retrieving the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
helmTemplate:
description: Use helm template command to render helm chart
properties:
kubernetesAPIs:
description: 'Optional: Use kubernetes group/versions resources
available in the live cluster'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get Kubernetes version, defaults
(empty) to retrieving the version from the cluster. Can
be manually overridden to a value instead.'
properties:
version:
type: string
type: object
name:
description: Set name explicitly, default is App CR's name
(optional; v0.13.0+)
type: string
namespace:
description: Set namespace explicitly, default is App CR's
namespace (optional; v0.13.0+)
type: string
path:
description: Path to chart (optional; v0.13.0+)
type: string
valuesFrom:
description: One or more secrets, config maps, paths that
provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects a field
of the app: only annotations, labels,
uid, name and namespace are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running KappController
version, defaults (empty) to retrieving
the current running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running KubernetesAPIs
from cluster, defaults (empty) to retrieving
the APIs from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running Kubernetes
version from cluster, defaults (empty)
to retrieving the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
jsonnet:
description: TODO implement jsonnet
type: object
kbld:
description: Use kbld to resolve image references to use digests
properties:
paths:
items:
type: string
type: array
type: object
kustomize:
description: TODO implement kustomize
type: object
sops:
description: Use sops to decrypt *.sops.yml files (optional;
v0.11.0+)
properties:
age:
properties:
privateKeysSecretRef:
description: Secret with private armored PGP private
keys (required)
properties:
name:
type: string
type: object
type: object
paths:
description: Lists paths to decrypt explicitly (optional;
v0.13.0+)
items:
type: string
type: array
pgp:
description: Use PGP to decrypt files (required)
properties:
privateKeysSecretRef:
description: Secret with private armored PGP private
keys (required)
properties:
name:
type: string
type: object
type: object
type: object
ytt:
description: Use ytt to template configuration
properties:
fileMarks:
description: Control metadata about input files passed to
ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
for more details
items:
type: string
type: array
ignoreUnknownComments:
description: Ignores comments that ytt doesn't recognize
(optional; default=false)
type: boolean
inline:
description: Specify additional files, including data values
(optional)
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their content;
not recommended for sensitive values as CR is not
encrypted (optional)
type: object
pathsFrom:
description: Specifies content via secrets and config
maps; data values are recommended to be placed in
secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place files
found in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place files
found in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
paths:
description: Lists paths to provide to ytt explicitly (optional)
items:
type: string
type: array
strict:
description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
(optional; default=false)
type: boolean
valuesFrom:
description: Provide values via ytt's --data-values-file
(optional; v0.19.0-alpha.9)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects a field
of the app: only annotations, labels,
uid, name and namespace are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running KappController
version, defaults (empty) to retrieving
the current running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running KubernetesAPIs
from cluster, defaults (empty) to retrieving
the APIs from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running Kubernetes
version from cluster, defaults (empty)
to retrieving the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
type: object
type: array
type: object
status:
properties:
conditions:
items:
properties:
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, this should be a short, machine understandable
string that gives the reason for condition's last transition.
If it reports "ResizeStarted" that means the underlying persistent
volume is being resized.
type: string
status:
type: string
type:
description: ConditionType represents reconciler state
type: string
required:
- status
- type
type: object
type: array
consecutiveReconcileFailures:
type: integer
consecutiveReconcileSuccesses:
type: integer
deploy:
properties:
error:
type: string
exitCode:
type: integer
finished:
type: boolean
kapp:
description: KappDeployStatus contains the associated AppCR deployed
resources
properties:
associatedResources:
description: AssociatedResources contains the associated App
label, namespaces and GKs
properties:
groupKinds:
items:
description: GroupKind specifies a Group and a Kind,
but does not force a version. This is useful for
identifying concepts during lookup stages without
having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
label:
type: string
namespaces:
items:
type: string
type: array
type: object
type: object
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
fetch:
properties:
error:
type: string
exitCode:
type: integer
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
friendlyDescription:
type: string
inspect:
properties:
error:
type: string
exitCode:
type: integer
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
managedAppName:
type: string
observedGeneration:
description: Populated based on metadata.generation when controller
observes a change to the resource; if this value is out of data,
other status fields do not reflect latest state
format: int64
type: integer
template:
properties:
error:
type: string
exitCode:
type: integer
stderr:
type: string
updatedAt:
format: date-time
type: string
type: object
usefulErrorMessage:
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: packageinstalls.packaging.carvel.dev
spec:
group: packaging.carvel.dev
names:
categories:
- carvel
kind: PackageInstall
listKind: PackageInstallList
plural: packageinstalls
shortNames:
- pkgi
singular: packageinstall
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: PackageMetadata name
jsonPath: .spec.packageRef.refName
name: Package name
type: string
- description: PackageMetadata version
jsonPath: .status.version
name: Package version
type: string
- description: Friendly description
jsonPath: .status.friendlyDescription
name: Description
type: string
- description: Time since creation
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: A Package Install is an actual installation of a package and
its underlying resources on a Kubernetes cluster. It is represented in kapp-controller
by a PackageInstall CR. A PackageInstall CR must reference a Package CR.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
canceled:
description: Canceled when set to true will stop all active changes
type: boolean
cluster:
description: Specifies that Package should be deployed to destination
cluster; by default, cluster is same as where this resource resides
(optional)
properties:
kubeconfigSecretRef:
description: Specifies secret containing kubeconfig (required)
properties:
key:
description: Specifies key that contains kubeconfig (optional)
type: string
name:
description: Specifies secret name within app's namespace
(required)
type: string
type: object
namespace:
description: Specifies namespace in destination cluster (optional)
type: string
type: object
noopDelete:
description: When NoopDelete set to true, PackageInstall deletion
should delete PackageInstall/App CR but preserve App's associated
resources.
type: boolean
packageRef:
description: Specifies the name of the package to install (required)
properties:
refName:
type: string
versionSelection:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
paused:
description: Paused when set to true will ignore all pending changes,
once it set back to false, pending changes will be applied
type: boolean
serviceAccountName:
description: Specifies service account that will be used to install
underlying package contents
type: string
syncPeriod:
description: Controls frequency of App reconciliation in time + unit
format. Always >= 30s. If value below 30s is specified, 30s will
be used.
type: string
values:
description: Values to be included in package's templating step (currently
only included in the first templating step) (optional)
items:
properties:
secretRef:
properties:
key:
type: string
name:
type: string
type: object
type: object
type: array
type: object
status:
properties:
conditions:
items:
properties:
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, this should be a short, machine understandable
string that gives the reason for condition's last transition.
If it reports "ResizeStarted" that means the underlying persistent
volume is being resized.
type: string
status:
type: string
type:
description: ConditionType represents reconciler state
type: string
required:
- status
- type
type: object
type: array
friendlyDescription:
type: string
lastAttemptedVersion:
description: LastAttemptedVersion specifies what version was last
attempted to be installed. It does _not_ indicate it was successfully
installed.
type: string
observedGeneration:
description: Populated based on metadata.generation when controller
observes a change to the resource; if this value is out of data,
other status fields do not reflect latest state
format: int64
type: integer
usefulErrorMessage:
type: string
version:
description: TODO this is desired resolved version (not actually deployed)
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
packaging.carvel.dev/global-namespace: kapp-controller-packaging-global
name: packagerepositories.packaging.carvel.dev
spec:
group: packaging.carvel.dev
names:
categories:
- carvel
kind: PackageRepository
listKind: PackageRepositoryList
plural: packagerepositories
shortNames:
- pkgr
singular: packagerepository
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Time since creation
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: Friendly description
jsonPath: .status.friendlyDescription
name: Description
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: A package repository is a collection of packages and their metadata.
Similar to a maven repository or a rpm repository, adding a package repository
to a cluster gives users of that cluster the ability to install any of the
packages from that repository.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
fetch:
properties:
git:
description: Uses git to clone repository containing package list
properties:
lfsSkipSmudge:
description: Skip lfs download (optional)
type: boolean
ref:
description: Branch, tag, commit; origin is the name of the
remote (optional)
type: string
refSelection:
description: Specifies a strategy to resolve to an explicit
ref (optional; v0.24.0+)
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
secretRef:
description: 'Secret with auth details. allowed keys: ssh-privatekey,
ssh-knownhosts, username, password (optional) (if ssh-knownhosts
is not specified, git will not perform strict host checking)'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
subPath:
description: Grab only portion of repository (optional)
type: string
url:
description: http or ssh urls are supported (required)
type: string
type: object
http:
description: Uses http library to fetch file containing packages
properties:
secretRef:
description: 'Secret to provide auth details (optional) Secret
may include one or more keys: username, password'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
sha256:
description: Checksum to verify after download (optional)
type: string
subPath:
description: Grab only portion of download (optional)
type: string
url:
description: 'URL can point to one of following formats: text,
tgz, zip http and https url are supported; plain file, tgz
and tar types are supported (required)'
type: string
type: object
image:
description: Image url; unqualified, tagged, or digest references
supported (required)
properties:
secretRef:
description: 'Secret may include one or more keys: username,
password, token. By default anonymous access is used for
authentication.'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
subPath:
description: Grab only portion of image (optional)
type: string
tagSelection:
description: Specifies a strategy to choose a tag (optional;
v0.24.0+) if specified, do not include a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
url:
description: 'Docker image url; unqualified, tagged, or digest
references supported (required) Example: username/app1-config:v0.1.0'
type: string
type: object
imgpkgBundle:
description: Pulls imgpkg bundle from Docker/OCI registry
properties:
image:
description: Docker image url; unqualified, tagged, or digest
references supported (required)
type: string
secretRef:
description: 'Secret may include one or more keys: username,
password, token. By default anonymous access is used for
authentication.'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
tagSelection:
description: Specifies a strategy to choose a tag (optional;
v0.24.0+) if specified, do not include a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
type: object
inline:
description: Pull content from within this resource; or other
resources in the cluster
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their content;
not recommended for sensitive values as CR is not encrypted
(optional)
type: object
pathsFrom:
description: Specifies content via secrets and config maps;
data values are recommended to be placed in secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place files found
in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place files found
in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
type: object
paused:
description: Paused when set to true will ignore all pending changes,
once it set back to false, pending changes will be applied
type: boolean
syncPeriod:
description: Controls frequency of PackageRepository reconciliation
type: string
required:
- fetch
type: object
status:
properties:
conditions:
items:
properties:
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, this should be a short, machine understandable
string that gives the reason for condition's last transition.
If it reports "ResizeStarted" that means the underlying persistent
volume is being resized.
type: string
status:
type: string
type:
description: ConditionType represents reconciler state
type: string
required:
- status
- type
type: object
type: array
consecutiveReconcileFailures:
type: integer
consecutiveReconcileSuccesses:
type: integer
deploy:
properties:
error:
type: string
exitCode:
type: integer
finished:
type: boolean
kapp:
description: KappDeployStatus contains the associated AppCR deployed
resources
properties:
associatedResources:
description: AssociatedResources contains the associated App
label, namespaces and GKs
properties:
groupKinds:
items:
description: GroupKind specifies a Group and a Kind,
but does not force a version. This is useful for
identifying concepts during lookup stages without
having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
label:
type: string
namespaces:
items:
type: string
type: array
type: object
type: object
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
fetch:
properties:
error:
type: string
exitCode:
type: integer
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
friendlyDescription:
type: string
observedGeneration:
description: Populated based on metadata.generation when controller
observes a change to the resource; if this value is out of data,
other status fields do not reflect latest state
format: int64
type: integer
template:
properties:
error:
type: string
exitCode:
type: integer
stderr:
type: string
updatedAt:
format: date-time
type: string
type: object
usefulErrorMessage:
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
kapp-controller.carvel.dev/version: v0.45.2
kbld.k14s.io/images: |
- origins:
- local:
path: /home/runner/work/kapp-controller/kapp-controller
- git:
dirty: true
remoteURL: https://github.com/carvel-dev/kapp-controller
sha: e3beee23d49899bfc681c9d980c1a3bdc0fa14ac
tags:
- v0.45.2
url: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
name: kapp-controller
namespace: tkg-system
spec:
replicas: 1
revisionHistoryLimit: 0
selector:
matchLabels:
app: kapp-controller
template:
metadata:
labels:
app: kapp-controller
spec:
containers:
- args:
- -packaging-global-namespace=kapp-controller-packaging-global
- -enable-api-priority-and-fairness=True
- -tls-cipher-suites=
env:
- name: KAPPCTRL_MEM_TMP_DIR
value: /etc/kappctrl-mem-tmp
- name: KAPPCTRL_SIDECAREXEC_SOCK
value: /etc/kappctrl-mem-tmp/sidecarexec.sock
- name: KAPPCTRL_SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KAPPCTRL_API_PORT
value: "10350"
image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
name: kapp-controller
ports:
- containerPort: 10350
name: api
protocol: TCP
resources:
requests:
cpu: 120m
memory: 100Mi
volumeMounts:
- mountPath: /etc/kappctrl-mem-tmp
name: template-fs
- mountPath: /home/kapp-controller
name: home
- args:
- --sidecarexec
env:
- name: KAPPCTRL_SIDECAREXEC_SOCK
value: /etc/kappctrl-mem-tmp/sidecarexec.sock
- name: IMGPKG_ACTIVE_KEYCHAINS
value: gke,aks,ecr
image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
name: kapp-controller-sidecarexec
resources:
requests:
cpu: 120m
memory: 100Mi
volumeMounts:
- mountPath: /etc/kappctrl-mem-tmp
name: template-fs
- mountPath: /home/kapp-controller
name: home
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: empty-sa
serviceAccount: kapp-controller-sa
volumes:
- emptyDir:
medium: Memory
name: template-fs
- emptyDir:
medium: Memory
name: home
- emptyDir: {}
name: empty-sa
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kapp-controller-sa
namespace: tkg-system
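Before applying kapp-controller.yaml, it is worth confirming that every container in the kapp-controller Deployment is pinned by image digest rather than by a mutable tag, and that the kbld.k14s.io/images annotation carries an origin record (git sha and tag) for each digest, since that record is what ties the running image back to a kapp-controller source revision. The following audit is an added example and is not part of this page or of the kapp-controller project. It embeds a constructed transcription of the Deployment above (only the fields the audit reads) so it runs offline with the standard library alone; `weakened_copy` and the tag-only reference it builds are constructed negative cases, not anything the page ships.

```python
"""Audit a kapp-controller Deployment for digest-pinned images with kbld origin records.

Added example, not code from the page or the kapp-controller project.
Standard library only: the manifest is embedded as a dict rather than parsed with PyYAML.
"""
import copy
import json
import re
import sys

# Digest reference taken from the Deployment above.
IMAGE = ("ghcr.io/carvel-dev/kapp-controller@sha256:"
         "d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d")

# Constructed transcription of the Deployment above, reduced to the fields the audit reads.
# `kubectl get deployment kapp-controller -n tkg-system -o json` yields the same shape,
# so json.load() of that output can be passed to audit_deployment() unchanged.
KAPP_CONTROLLER_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {
        "name": "kapp-controller",
        "namespace": "tkg-system",
        "annotations": {
            "kapp-controller.carvel.dev/version": "v0.45.2",
            # kbld writes, per resolved image, where the digest came from.
            "kbld.k14s.io/images": (
                "- origins:\n"
                "  - git:\n"
                "      sha: e3beee23d49899bfc681c9d980c1a3bdc0fa14ac\n"
                "      tags:\n"
                "      - v0.45.2\n"
                "  url: " + IMAGE + "\n"
            ),
        },
    },
    "spec": {"template": {"spec": {"containers": [
        {"name": "kapp-controller", "image": IMAGE},
        {"name": "kapp-controller-sidecarexec", "image": IMAGE},
    ]}}},
}

# A reference is pinned only when it ends in a full sha256 digest; a tag alone can be re-pointed.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_digest_pinned(image: str) -> bool:
    return DIGEST_RE.search(image) is not None


def kbld_resolved_images(annotation: str) -> set:
    """Collect the `url:` entries kbld recorded; a line-oriented regex avoids a YAML dependency."""
    return set(re.findall(r"^\s*url:\s*(\S+)\s*$", annotation, re.MULTILINE))


def audit_deployment(deployment: dict) -> list:
    """Return one finding per container that is tag-only or lacks a kbld origin record."""
    findings = []
    annotations = deployment.get("metadata", {}).get("annotations") or {}
    resolved = kbld_resolved_images(annotations.get("kbld.k14s.io/images", ""))
    pod = deployment["spec"]["template"]["spec"]
    for container in pod.get("initContainers", []) + pod.get("containers", []):
        image = container["image"]
        if not is_digest_pinned(image):
            findings.append(f"{container['name']}: image is not pinned by digest ({image})")
        elif image not in resolved:
            findings.append(f"{container['name']}: digest has no kbld origin record ({image})")
    return findings


def weakened_copy(deployment: dict) -> dict:
    """Constructed negative case: the same Deployment referencing a mutable tag instead of a digest."""
    weak = copy.deepcopy(deployment)
    for container in weak["spec"]["template"]["spec"]["containers"]:
        container["image"] = "ghcr.io/carvel-dev/kapp-controller:v0.45.2"
    return weak


if __name__ == "__main__":
    # Optional argument: a file produced by `kubectl get deployment ... -o json`.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            target = json.load(fh)
        print(json.dumps(audit_deployment(target), indent=2))
    else:
        print("pinned:", audit_deployment(KAPP_CONTROLLER_DEPLOYMENT))
        print("tag-only:", audit_deployment(weakened_copy(KAPP_CONTROLLER_DEPLOYMENT)))
```

Run with no arguments to see the embedded manifest pass and the constructed tag-only variant fail; run it against the JSON of the live Deployment after `kubectl apply` to confirm the cluster is running exactly the digests the manifest declared.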
If you are using TKr v1.24 or earlier, which requires PodSecurityPolicy (PSP) objects, use the following example kapp-controller.yaml to install the Kapp Controller:
---
apiVersion: v1
kind: Namespace
metadata:
name: tkg-system
---
apiVersion: v1
kind: Namespace
metadata:
name: kapp-controller-packaging-global
---
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
name: v1alpha1.data.packaging.carvel.dev
spec:
group: data.packaging.carvel.dev
groupPriorityMinimum: 100
service:
name: packaging-api
namespace: tkg-system
version: v1alpha1
versionPriority: 100
---
apiVersion: v1
kind: Service
metadata:
name: packaging-api
namespace: tkg-system
spec:
ports:
- port: 443
protocol: TCP
targetPort: api
selector:
app: kapp-controller
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: tanzu-system-kapp-ctrl-restricted
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- configMap
- emptyDir
- projected
- secret
- downwardAPI
- persistentVolumeClaim
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: internalpackagemetadatas.internal.packaging.carvel.dev
spec:
group: internal.packaging.carvel.dev
names:
kind: InternalPackageMetadata
listKind: InternalPackageMetadataList
plural: internalpackagemetadatas
singular: internalpackagemetadata
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
categories:
description: Classifiers of the package (optional; Array of strings)
items:
type: string
type: array
displayName:
description: Human friendly name of the package (optional; string)
type: string
iconSVGBase64:
description: Base64 encoded icon (optional; string)
type: string
longDescription:
description: Long description of the package (optional; string)
type: string
maintainers:
description: List of maintainer info for the package. Currently only
supports the name key. (optional; array of maintner info)
items:
properties:
name:
type: string
type: object
type: array
providerName:
description: Name of the entity distributing the package (optional;
string)
type: string
shortDescription:
description: Short desription of the package (optional; string)
type: string
supportDescription:
description: Description of the support available for the package
(optional; string)
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: internalpackages.internal.packaging.carvel.dev
spec:
group: internal.packaging.carvel.dev
names:
kind: InternalPackage
listKind: InternalPackageList
plural: internalpackages
singular: internalpackage
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
capacityRequirementsDescription:
description: 'System requirements needed to install the package. Note:
these requirements will not be verified by kapp-controller on installation.
(optional; string)'
type: string
includedSoftware:
description: IncludedSoftware can be used to show the software contents
of a Package. This is especially useful if the underlying versions
do not match the Package version
items:
description: IncludedSoftware contains the underlying Software Contents
of a Package
properties:
description:
type: string
displayName:
type: string
version:
type: string
type: object
type: array
kappControllerVersionSelection:
description: KappControllerVersionSelection specifies the versions
of kapp-controller which can install this package
properties:
constraints:
type: string
type: object
kubernetesVersionSelection:
description: KubernetesVersionSelection specifies the versions of
k8s which this package can be installed on
properties:
constraints:
type: string
type: object
licenses:
description: Description of the licenses that apply to the package
software (optional; Array of strings)
items:
type: string
type: array
refName:
description: The name of the PackageMetadata associated with this
version Must be a valid PackageMetadata name (see PackageMetadata
CR for details) Cannot be empty
type: string
releaseNotes:
description: Version release notes (optional; string)
type: string
releasedAt:
description: Timestamp of release (iso8601 formatted string; optional)
format: date-time
nullable: true
type: string
template:
properties:
spec:
properties:
canceled:
description: Cancels current and future reconciliations (optional;
default=false)
type: boolean
cluster:
description: Specifies that app should be deployed to destination
cluster; by default, cluster is same as where this resource
resides (optional; v0.5.0+)
properties:
kubeconfigSecretRef:
description: Specifies secret containing kubeconfig (required)
properties:
key:
description: Specifies key that contains kubeconfig
(optional)
type: string
name:
description: Specifies secret name within app's namespace
(required)
type: string
type: object
namespace:
description: Specifies namespace in destination cluster
(optional)
type: string
type: object
deploy:
items:
properties:
kapp:
description: Use kapp to deploy resources
properties:
delete:
description: Configuration for delete command (optional)
properties:
rawOptions:
description: Pass through options to kapp delete
(optional)
items:
type: string
type: array
type: object
inspect:
description: 'Configuration for inspect command
(optional) as of kapp-controller v0.31.0, inspect
is disabled by default add rawOptions or use an
empty inspect config like `inspect: {}` to enable'
properties:
rawOptions:
description: Pass through options to kapp inspect
(optional)
items:
type: string
type: array
type: object
intoNs:
description: Override namespace for all resources
(optional)
type: string
mapNs:
description: Provide custom namespace override mapping
(optional)
items:
type: string
type: array
rawOptions:
description: Pass through options to kapp deploy
(optional)
items:
type: string
type: array
type: object
type: object
type: array
fetch:
items:
properties:
git:
description: Uses git to clone repository
properties:
lfsSkipSmudge:
description: Skip lfs download (optional)
type: boolean
ref:
description: Branch, tag, commit; origin is the
name of the remote (optional)
type: string
refSelection:
description: Specifies a strategy to resolve to
an explicit ref (optional; v0.24.0+)
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
secretRef:
description: 'Secret with auth details. allowed
keys: ssh-privatekey, ssh-knownhosts, username,
password (optional) (if ssh-knownhosts is not
specified, git will not perform strict host checking)'
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
subPath:
description: Grab only portion of repository (optional)
type: string
url:
description: http or ssh urls are supported (required)
type: string
type: object
helmChart:
description: Uses helm fetch to fetch specified chart
properties:
name:
description: 'Example: stable/redis'
type: string
repository:
properties:
secretRef:
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
url:
description: Repository url; scheme of oci://
will fetch experimental helm oci chart (v0.19.0+)
(required)
type: string
type: object
version:
type: string
type: object
http:
description: Uses http library to fetch file
properties:
secretRef:
description: 'Secret to provide auth details (optional)
Secret may include one or more keys: username,
password'
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
sha256:
description: Checksum to verify after download (optional)
type: string
subPath:
description: Grab only portion of download (optional)
type: string
url:
description: 'URL can point to one of following
formats: text, tgz, zip http and https url are
supported; plain file, tgz and tar types are supported
(required)'
type: string
type: object
image:
description: Pulls content from Docker/OCI registry
properties:
secretRef:
description: 'Secret may include one or more keys:
username, password, token. By default anonymous
access is used for authentication.'
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
subPath:
description: Grab only portion of image (optional)
type: string
tagSelection:
description: Specifies a strategy to choose a tag
(optional; v0.24.0+) if specified, do not include
a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
url:
description: 'Docker image url; unqualified, tagged,
or digest references supported (required) Example:
username/app1-config:v0.1.0'
type: string
type: object
imgpkgBundle:
description: Pulls imgpkg bundle from Docker/OCI registry
(v0.17.0+)
properties:
image:
description: Docker image url; unqualified, tagged,
or digest references supported (required)
type: string
secretRef:
description: 'Secret may include one or more keys:
username, password, token. By default anonymous
access is used for authentication.'
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
tagSelection:
description: Specifies a strategy to choose a tag
(optional; v0.24.0+) if specified, do not include
a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
type: object
inline:
description: Pulls content from within this resource;
or other resources in the cluster
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their
content; not recommended for sensitive values
as CR is not encrypted (optional)
type: object
pathsFrom:
description: Specifies content via secrets and config
maps; data values are recommended to be placed
in secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
path:
description: Relative path to place the fetched artifacts
type: string
type: object
type: array
noopDelete:
description: Deletion requests for the App will result in
the App CR being deleted, but its associated resources will
not be deleted (optional; default=false; v0.18.0+)
type: boolean
paused:
description: Pauses _future_ reconciliation; does _not_ affect
currently running reconciliation (optional; default=false)
type: boolean
serviceAccountName:
description: Specifies that app should be deployed authenticated
via given service account, found in this namespace (optional;
v0.6.0+)
type: string
syncPeriod:
description: Specifies the length of time to wait, in time
+ unit format, before reconciling. Always >= 30s. If value
below 30s is specified, 30s will be used. (optional; v0.9.0+;
default=30s)
type: string
template:
items:
properties:
cue:
properties:
inputExpression:
description: Cue expression for single path component,
can be used to unify ValuesFrom into a given field
(optional)
type: string
outputExpression:
description: Cue expression to output, default will
export all visible fields (optional)
type: string
paths:
description: Explicit list of files/directories
(optional)
items:
type: string
type: array
valuesFrom:
description: Provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects
a field of the app: only annotations,
labels, uid, name and namespace
are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running
KappController version, defaults
(empty) to retrieving the current
running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running
KubernetesAPIs from cluster, defaults
(empty) to retrieving the APIs
from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running
Kubernetes version from cluster,
defaults (empty) to retrieving
the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
helmTemplate:
description: Use helm template command to render helm
chart
properties:
kubernetesAPIs:
description: 'Optional: Use kubernetes group/versions
resources available in the live cluster'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get Kubernetes version,
defaults (empty) to retrieving the version from
the cluster. Can be manually overridden to a value
instead.'
properties:
version:
type: string
type: object
name:
description: Set name explicitly, default is App
CR's name (optional; v0.13.0+)
type: string
namespace:
description: Set namespace explicitly, default is
App CR's namespace (optional; v0.13.0+)
type: string
path:
description: Path to chart (optional; v0.13.0+)
type: string
valuesFrom:
description: One or more secrets, config maps, paths
that provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects
a field of the app: only annotations,
labels, uid, name and namespace
are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running
KappController version, defaults
(empty) to retrieving the current
running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running
KubernetesAPIs from cluster, defaults
(empty) to retrieving the APIs
from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running
Kubernetes version from cluster,
defaults (empty) to retrieving
the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
jsonnet:
description: TODO implement jsonnet
type: object
kbld:
description: Use kbld to resolve image references to
use digests
properties:
paths:
items:
type: string
type: array
type: object
kustomize:
description: TODO implement kustomize
type: object
sops:
description: Use sops to decrypt *.sops.yml files (optional;
v0.11.0+)
properties:
age:
properties:
privateKeysSecretRef:
description: Secret with private armored PGP
private keys (required)
properties:
name:
type: string
type: object
type: object
paths:
description: Lists paths to decrypt explicitly (optional;
v0.13.0+)
items:
type: string
type: array
pgp:
description: Use PGP to decrypt files (required)
properties:
privateKeysSecretRef:
description: Secret with private armored PGP
private keys (required)
properties:
name:
type: string
type: object
type: object
type: object
ytt:
description: Use ytt to template configuration
properties:
fileMarks:
description: Control metadata about input files
passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
for more details
items:
type: string
type: array
ignoreUnknownComments:
description: Ignores comments that ytt doesn't recognize
(optional; default=false)
type: boolean
inline:
description: Specify additional files, including
data values (optional)
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their
content; not recommended for sensitive values
as CR is not encrypted (optional)
type: object
pathsFrom:
description: Specifies content via secrets and
config maps; data values are recommended to
be placed in secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
paths:
description: Lists paths to provide to ytt explicitly
(optional)
items:
type: string
type: array
strict:
description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
(optional; default=false)
type: boolean
valuesFrom:
description: Provide values via ytt's --data-values-file
(optional; v0.19.0-alpha.9)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects
a field of the app: only annotations,
labels, uid, name and namespace
are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running
KappController version, defaults
(empty) to retrieving the current
running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running
KubernetesAPIs from cluster, defaults
(empty) to retrieving the APIs
from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running
Kubernetes version from cluster,
defaults (empty) to retrieving
the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
type: object
type: array
type: object
required:
- spec
type: object
valuesSchema:
description: valuesSchema can be used to show template values that
can be configured by users when a Package is installed in an OpenAPI
schema format.
properties:
openAPIv3:
nullable: true
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
version:
description: Package version; Referenced by PackageInstall; Must be
valid semver (required) Cannot be empty
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: apps.kappctrl.k14s.io
spec:
group: kappctrl.k14s.io
names:
categories:
- carvel
kind: App
listKind: AppList
plural: apps
singular: app
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Friendly description
jsonPath: .status.friendlyDescription
name: Description
type: string
- description: Last time app started being deployed. Does not mean anything was
changed.
jsonPath: .status.deploy.startedAt
name: Since-Deploy
type: date
- description: Time since creation
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: 'An App is a set of Kubernetes resources. These resources could
span any number of namespaces or could be cluster-wide (e.g. CRDs). An App
is represented in kapp-controller using a App CR. The App CR comprises of
three main sections: spec.fetch – declare source for fetching configuration
and OCI images spec.template – declare templating tool and values spec.deploy
– declare deployment tool and any deploy specific configuration'
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
canceled:
description: Cancels current and future reconciliations (optional;
default=false)
type: boolean
cluster:
description: Specifies that app should be deployed to destination
cluster; by default, cluster is same as where this resource resides
(optional; v0.5.0+)
properties:
kubeconfigSecretRef:
description: Specifies secret containing kubeconfig (required)
properties:
key:
description: Specifies key that contains kubeconfig (optional)
type: string
name:
description: Specifies secret name within app's namespace
(required)
type: string
type: object
namespace:
description: Specifies namespace in destination cluster (optional)
type: string
type: object
deploy:
items:
properties:
kapp:
description: Use kapp to deploy resources
properties:
delete:
description: Configuration for delete command (optional)
properties:
rawOptions:
description: Pass through options to kapp delete (optional)
items:
type: string
type: array
type: object
inspect:
description: 'Configuration for inspect command (optional)
as of kapp-controller v0.31.0, inspect is disabled by
default add rawOptions or use an empty inspect config
like `inspect: {}` to enable'
properties:
rawOptions:
description: Pass through options to kapp inspect (optional)
items:
type: string
type: array
type: object
intoNs:
description: Override namespace for all resources (optional)
type: string
mapNs:
description: Provide custom namespace override mapping (optional)
items:
type: string
type: array
rawOptions:
description: Pass through options to kapp deploy (optional)
items:
type: string
type: array
type: object
type: object
type: array
fetch:
items:
properties:
git:
description: Uses git to clone repository
properties:
lfsSkipSmudge:
description: Skip lfs download (optional)
type: boolean
ref:
description: Branch, tag, commit; origin is the name of
the remote (optional)
type: string
refSelection:
description: Specifies a strategy to resolve to an explicit
ref (optional; v0.24.0+)
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
secretRef:
description: 'Secret with auth details. allowed keys: ssh-privatekey,
ssh-knownhosts, username, password (optional) (if ssh-knownhosts
is not specified, git will not perform strict host checking)'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
subPath:
description: Grab only portion of repository (optional)
type: string
url:
description: http or ssh urls are supported (required)
type: string
type: object
helmChart:
description: Uses helm fetch to fetch specified chart
properties:
name:
description: 'Example: stable/redis'
type: string
repository:
properties:
secretRef:
properties:
name:
description: Object is expected to be within same
namespace
type: string
type: object
url:
description: Repository url; scheme of oci:// will fetch
experimental helm oci chart (v0.19.0+) (required)
type: string
type: object
version:
type: string
type: object
http:
description: Uses http library to fetch file
properties:
secretRef:
description: 'Secret to provide auth details (optional)
Secret may include one or more keys: username, password'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
sha256:
description: Checksum to verify after download (optional)
type: string
subPath:
description: Grab only portion of download (optional)
type: string
url:
description: 'URL can point to one of following formats:
text, tgz, zip http and https url are supported; plain
file, tgz and tar types are supported (required)'
type: string
type: object
image:
description: Pulls content from Docker/OCI registry
properties:
secretRef:
description: 'Secret may include one or more keys: username,
password, token. By default anonymous access is used for
authentication.'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
subPath:
description: Grab only portion of image (optional)
type: string
tagSelection:
description: Specifies a strategy to choose a tag (optional;
v0.24.0+) if specified, do not include a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
url:
description: 'Docker image url; unqualified, tagged, or
digest references supported (required) Example: username/app1-config:v0.1.0'
type: string
type: object
imgpkgBundle:
description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+)
properties:
image:
description: Docker image url; unqualified, tagged, or digest
references supported (required)
type: string
secretRef:
description: 'Secret may include one or more keys: username,
password, token. By default anonymous access is used for
authentication.'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
tagSelection:
description: Specifies a strategy to choose a tag (optional;
v0.24.0+) if specified, do not include a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
type: object
inline:
description: Pulls content from within this resource; or other
resources in the cluster
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their content;
not recommended for sensitive values as CR is not encrypted
(optional)
type: object
pathsFrom:
description: Specifies content via secrets and config maps;
data values are recommended to be placed in secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place files found
in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place files found
in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
path:
description: Relative path to place the fetched artifacts
type: string
type: object
type: array
noopDelete:
description: Deletion requests for the App will result in the App
CR being deleted, but its associated resources will not be deleted
(optional; default=false; v0.18.0+)
type: boolean
paused:
description: Pauses _future_ reconciliation; does _not_ affect currently
running reconciliation (optional; default=false)
type: boolean
serviceAccountName:
description: Specifies that app should be deployed authenticated via
given service account, found in this namespace (optional; v0.6.0+)
type: string
syncPeriod:
description: Specifies the length of time to wait, in time + unit
format, before reconciling. Always >= 30s. If value below 30s is
specified, 30s will be used. (optional; v0.9.0+; default=30s)
type: string
template:
items:
properties:
cue:
properties:
inputExpression:
description: Cue expression for single path component, can
be used to unify ValuesFrom into a given field (optional)
type: string
outputExpression:
description: Cue expression to output, default will export
all visible fields (optional)
type: string
paths:
description: Explicit list of files/directories (optional)
items:
type: string
type: array
valuesFrom:
description: Provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects a field
of the app: only annotations, labels,
uid, name and namespace are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running KappController
version, defaults (empty) to retrieving
the current running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running KubernetesAPIs
from cluster, defaults (empty) to retrieving
the APIs from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running Kubernetes
version from cluster, defaults (empty)
to retrieving the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
helmTemplate:
description: Use helm template command to render helm chart
properties:
kubernetesAPIs:
description: 'Optional: Use kubernetes group/versions resources
available in the live cluster'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get Kubernetes version, defaults
(empty) to retrieving the version from the cluster. Can
be manually overridden to a value instead.'
properties:
version:
type: string
type: object
name:
description: Set name explicitly, default is App CR's name
(optional; v0.13.0+)
type: string
namespace:
description: Set namespace explicitly, default is App CR's
namespace (optional; v0.13.0+)
type: string
path:
description: Path to chart (optional; v0.13.0+)
type: string
valuesFrom:
description: One or more secrets, config maps, paths that
provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects a field
of the app: only annotations, labels,
uid, name and namespace are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running KappController
version, defaults (empty) to retrieving
the current running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running KubernetesAPIs
from cluster, defaults (empty) to retrieving
the APIs from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running Kubernetes
version from cluster, defaults (empty)
to retrieving the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
jsonnet:
description: TODO implement jsonnet
type: object
kbld:
description: Use kbld to resolve image references to use digests
properties:
paths:
items:
type: string
type: array
type: object
kustomize:
description: TODO implement kustomize
type: object
sops:
description: Use sops to decrypt *.sops.yml files (optional;
v0.11.0+)
properties:
age:
properties:
privateKeysSecretRef:
description: Secret with private armored PGP private
keys (required)
properties:
name:
type: string
type: object
type: object
paths:
description: Lists paths to decrypt explicitly (optional;
v0.13.0+)
items:
type: string
type: array
pgp:
description: Use PGP to decrypt files (required)
properties:
privateKeysSecretRef:
description: Secret with private armored PGP private
keys (required)
properties:
name:
type: string
type: object
type: object
type: object
ytt:
description: Use ytt to template configuration
properties:
fileMarks:
description: Control metadata about input files passed to
ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
for more details
items:
type: string
type: array
ignoreUnknownComments:
description: Ignores comments that ytt doesn't recognize
(optional; default=false)
type: boolean
inline:
description: Specify additional files, including data values
(optional)
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their content;
not recommended for sensitive values as CR is not
encrypted (optional)
type: object
pathsFrom:
description: Specifies content via secrets and config
maps; data values are recommended to be placed in
secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place files
found in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place files
found in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
paths:
description: Lists paths to provide to ytt explicitly (optional)
items:
type: string
type: array
strict:
description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
(optional; default=false)
type: boolean
valuesFrom:
description: Provide values via ytt's --data-values-file
(optional; v0.19.0-alpha.9)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects a field
of the app: only annotations, labels,
uid, name and namespace are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running KappController
version, defaults (empty) to retrieving
the current running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running KubernetesAPIs
from cluster, defaults (empty) to retrieving
the APIs from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running Kubernetes
version from cluster, defaults (empty)
to retrieving the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
type: object
type: array
type: object
status:
properties:
conditions:
items:
properties:
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, this should be a short, machine understandable
string that gives the reason for condition's last transition.
If it reports "ResizeStarted" that means the underlying persistent
volume is being resized.
type: string
status:
type: string
type:
description: ConditionType represents reconciler state
type: string
required:
- status
- type
type: object
type: array
consecutiveReconcileFailures:
type: integer
consecutiveReconcileSuccesses:
type: integer
deploy:
properties:
error:
type: string
exitCode:
type: integer
finished:
type: boolean
kapp:
description: KappDeployStatus contains the associated AppCR deployed
resources
properties:
associatedResources:
description: AssociatedResources contains the associated App
label, namespaces and GKs
properties:
groupKinds:
items:
description: GroupKind specifies a Group and a Kind,
but does not force a version. This is useful for
identifying concepts during lookup stages without
having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
label:
type: string
namespaces:
items:
type: string
type: array
type: object
type: object
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
fetch:
properties:
error:
type: string
exitCode:
type: integer
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
friendlyDescription:
type: string
inspect:
properties:
error:
type: string
exitCode:
type: integer
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
managedAppName:
type: string
observedGeneration:
description: Populated based on metadata.generation when controller
observes a change to the resource; if this value is out of data,
other status fields do not reflect latest state
format: int64
type: integer
template:
properties:
error:
type: string
exitCode:
type: integer
stderr:
type: string
updatedAt:
format: date-time
type: string
type: object
usefulErrorMessage:
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: packageinstalls.packaging.carvel.dev
spec:
group: packaging.carvel.dev
names:
categories:
- carvel
kind: PackageInstall
listKind: PackageInstallList
plural: packageinstalls
shortNames:
- pkgi
singular: packageinstall
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: PackageMetadata name
jsonPath: .spec.packageRef.refName
name: Package name
type: string
- description: PackageMetadata version
jsonPath: .status.version
name: Package version
type: string
- description: Friendly description
jsonPath: .status.friendlyDescription
name: Description
type: string
- description: Time since creation
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: A Package Install is an actual installation of a package and
its underlying resources on a Kubernetes cluster. It is represented in kapp-controller
by a PackageInstall CR. A PackageInstall CR must reference a Package CR.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
canceled:
description: Canceled when set to true will stop all active changes
type: boolean
cluster:
description: Specifies that Package should be deployed to destination
cluster; by default, cluster is same as where this resource resides
(optional)
properties:
kubeconfigSecretRef:
description: Specifies secret containing kubeconfig (required)
properties:
key:
description: Specifies key that contains kubeconfig (optional)
type: string
name:
description: Specifies secret name within app's namespace
(required)
type: string
type: object
namespace:
description: Specifies namespace in destination cluster (optional)
type: string
type: object
noopDelete:
description: When NoopDelete set to true, PackageInstall deletion
should delete PackageInstall/App CR but preserve App's associated
resources.
type: boolean
packageRef:
description: Specifies the name of the package to install (required)
properties:
refName:
type: string
versionSelection:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
paused:
description: Paused when set to true will ignore all pending changes,
once it set back to false, pending changes will be applied
type: boolean
serviceAccountName:
description: Specifies service account that will be used to install
underlying package contents
type: string
syncPeriod:
description: Controls frequency of App reconciliation in time + unit
format. Always >= 30s. If value below 30s is specified, 30s will
be used.
type: string
values:
description: Values to be included in package's templating step (currently
only included in the first templating step) (optional)
items:
properties:
secretRef:
properties:
key:
type: string
name:
type: string
type: object
type: object
type: array
type: object
status:
properties:
conditions:
items:
properties:
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, this should be a short, machine understandable
string that gives the reason for condition's last transition.
If it reports "ResizeStarted" that means the underlying persistent
volume is being resized.
type: string
status:
type: string
type:
description: ConditionType represents reconciler state
type: string
required:
- status
- type
type: object
type: array
friendlyDescription:
type: string
lastAttemptedVersion:
description: LastAttemptedVersion specifies what version was last
attempted to be installed. It does _not_ indicate it was successfully
installed.
type: string
observedGeneration:
description: Populated based on metadata.generation when controller
observes a change to the resource; if this value is out of data,
other status fields do not reflect latest state
format: int64
type: integer
usefulErrorMessage:
type: string
version:
description: TODO this is desired resolved version (not actually deployed)
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
packaging.carvel.dev/global-namespace: kapp-controller-packaging-global
name: packagerepositories.packaging.carvel.dev
spec:
group: packaging.carvel.dev
names:
categories:
- carvel
kind: PackageRepository
listKind: PackageRepositoryList
plural: packagerepositories
shortNames:
- pkgr
singular: packagerepository
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Time since creation
jsonPath: .metadata.creationTimestamp
name: Age
type: date
- description: Friendly description
jsonPath: .status.friendlyDescription
name: Description
type: string
name: v1alpha1
schema:
openAPIV3Schema:
description: A package repository is a collection of packages and their metadata.
Similar to a maven repository or a rpm repository, adding a package repository
to a cluster gives users of that cluster the ability to install any of the
packages from that repository.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
fetch:
properties:
git:
description: Uses git to clone repository containing package list
properties:
lfsSkipSmudge:
description: Skip lfs download (optional)
type: boolean
ref:
description: Branch, tag, commit; origin is the name of the
remote (optional)
type: string
refSelection:
description: Specifies a strategy to resolve to an explicit
ref (optional; v0.24.0+)
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
secretRef:
description: 'Secret with auth details. allowed keys: ssh-privatekey,
ssh-knownhosts, username, password (optional) (if ssh-knownhosts
is not specified, git will not perform strict host checking)'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
subPath:
description: Grab only portion of repository (optional)
type: string
url:
description: http or ssh urls are supported (required)
type: string
type: object
http:
description: Uses http library to fetch file containing packages
properties:
secretRef:
description: 'Secret to provide auth details (optional) Secret
may include one or more keys: username, password'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
sha256:
description: Checksum to verify after download (optional)
type: string
subPath:
description: Grab only portion of download (optional)
type: string
url:
description: 'URL can point to one of following formats: text,
tgz, zip http and https url are supported; plain file, tgz
and tar types are supported (required)'
type: string
type: object
image:
description: Image url; unqualified, tagged, or digest references
supported (required)
properties:
secretRef:
description: 'Secret may include one or more keys: username,
password, token. By default anonymous access is used for
authentication.'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
subPath:
description: Grab only portion of image (optional)
type: string
tagSelection:
description: Specifies a strategy to choose a tag (optional;
v0.24.0+) if specified, do not include a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
url:
description: 'Docker image url; unqualified, tagged, or digest
references supported (required) Example: username/app1-config:v0.1.0'
type: string
type: object
imgpkgBundle:
description: Pulls imgpkg bundle from Docker/OCI registry
properties:
image:
description: Docker image url; unqualified, tagged, or digest
references supported (required)
type: string
secretRef:
description: 'Secret may include one or more keys: username,
password, token. By default anonymous access is used for
authentication.'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
tagSelection:
description: Specifies a strategy to choose a tag (optional;
v0.24.0+) if specified, do not include a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
type: object
inline:
description: Pull content from within this resource; or other
resources in the cluster
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their content;
not recommended for sensitive values as CR is not encrypted
(optional)
type: object
pathsFrom:
description: Specifies content via secrets and config maps;
data values are recommended to be placed in secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place files found
in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place files found
in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
type: object
paused:
description: Paused when set to true will ignore all pending changes,
once it set back to false, pending changes will be applied
type: boolean
syncPeriod:
description: Controls frequency of PackageRepository reconciliation
type: string
required:
- fetch
type: object
status:
properties:
conditions:
items:
properties:
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, this should be a short, machine understandable
string that gives the reason for condition's last transition.
If it reports "ResizeStarted" that means the underlying persistent
volume is being resized.
type: string
status:
type: string
type:
description: ConditionType represents reconciler state
type: string
required:
- status
- type
type: object
type: array
consecutiveReconcileFailures:
type: integer
consecutiveReconcileSuccesses:
type: integer
deploy:
properties:
error:
type: string
exitCode:
type: integer
finished:
type: boolean
kapp:
description: KappDeployStatus contains the associated AppCR deployed
resources
properties:
associatedResources:
description: AssociatedResources contains the associated App
label, namespaces and GKs
properties:
groupKinds:
items:
description: GroupKind specifies a Group and a Kind,
but does not force a version. This is useful for
identifying concepts during lookup stages without
having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
label:
type: string
namespaces:
items:
type: string
type: array
type: object
type: object
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
fetch:
properties:
error:
type: string
exitCode:
type: integer
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
friendlyDescription:
type: string
observedGeneration:
description: Populated based on metadata.generation when controller
observes a change to the resource; if this value is out of data,
other status fields do not reflect latest state
format: int64
type: integer
template:
properties:
error:
type: string
exitCode:
type: integer
stderr:
type: string
updatedAt:
format: date-time
type: string
type: object
usefulErrorMessage:
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
kapp-controller.carvel.dev/version: v0.45.2
kbld.k14s.io/images: |
- origins:
- local:
path: /home/runner/work/kapp-controller/kapp-controller
- git:
dirty: true
remoteURL: https://github.com/carvel-dev/kapp-controller
sha: e3beee23d49899bfc681c9d980c1a3bdc0fa14ac
tags:
- v0.45.2
url: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
name: kapp-controller
namespace: tkg-system
spec:
replicas: 1
revisionHistoryLimit: 0
selector:
matchLabels:
app: kapp-controller
template:
metadata:
labels:
app: kapp-controller
spec:
containers:
- args:
- -packaging-global-namespace=kapp-controller-packaging-global
- -enable-api-priority-and-fairness=True
- -tls-cipher-suites=
env:
- name: KAPPCTRL_MEM_TMP_DIR
value: /etc/kappctrl-mem-tmp
- name: KAPPCTRL_SIDECAREXEC_SOCK
value: /etc/kappctrl-mem-tmp/sidecarexec.sock
- name: KAPPCTRL_SYSTEM_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KAPPCTRL_API_PORT
value: "10350"
image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
name: kapp-controller
ports:
- containerPort: 10350
name: api
protocol: TCP
resources:
requests:
cpu: 120m
memory: 100Mi
volumeMounts:
- mountPath: /etc/kappctrl-mem-tmp
name: template-fs
- mountPath: /home/kapp-controller
name: home
- args:
- --sidecarexec
env:
- name: KAPPCTRL_SIDECAREXEC_SOCK
value: /etc/kappctrl-mem-tmp/sidecarexec.sock
- name: IMGPKG_ACTIVE_KEYCHAINS
value: gke,aks,ecr
image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d
name: kapp-controller-sidecarexec
resources:
requests:
cpu: 120m
memory: 100Mi
volumeMounts:
- mountPath: /etc/kappctrl-mem-tmp
name: template-fs
- mountPath: /home/kapp-controller
name: home
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: empty-sa
serviceAccount: kapp-controller-sa
volumes:
- emptyDir:
medium: Memory
name: template-fs
- emptyDir:
medium: Memory
name: home
- emptyDir: {}
name: empty-sa
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kapp-controller-sa
namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kapp-controller-cluster-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
- apiGroups:
- kappctrl.k14s.io
resources:
- apps
- apps/status
verbs:
- '*'
- apiGroups:
- packaging.carvel.dev
resources:
- packageinstalls
- packageinstalls/status
- packageinstalls/finalizers
verbs:
- '*'
- apiGroups:
- packaging.carvel.dev
resources:
- packagerepositories
- packagerepositories/status
verbs:
- '*'
- apiGroups:
- internal.packaging.carvel.dev
resources:
- internalpackagemetadatas
verbs:
- '*'
- apiGroups:
- data.packaging.carvel.dev
resources:
- packagemetadatas
- packagemetadatas/status
verbs:
- '*'
- apiGroups:
- internal.packaging.carvel.dev
resources:
- internalpackages
verbs:
- '*'
- apiGroups:
- data.packaging.carvel.dev
resources:
- packages
- packages/status
verbs:
- '*'
- apiGroups:
- ""
resources:
- configmaps
verbs:
- '*'
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
verbs:
- update
- get
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- watch
- get
- update
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
verbs:
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- list
- watch
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- flowcontrol.apiserver.k8s.io
resources:
- prioritylevelconfigurations
- flowschemas
verbs:
- list
- watch
- apiGroups:
- policy
resources:
- podsecuritypolicies
resourceNames:
- tanzu-system-kapp-ctrl-restricted
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kapp-controller-user-role
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
- apiGroups:
- kappctrl.k14s.io
resources:
- apps
- apps/status
verbs:
- '*'
- apiGroups:
- packaging.carvel.dev
resources:
- packageinstalls
- packageinstalls/status
- packageinstalls/finalizers
verbs:
- '*'
- apiGroups:
- ""
resources:
- configmaps
verbs:
- '*'
- apiGroups:
- packaging.carvel.dev
resources:
- packagerepositories
- packagerepositories/status
verbs:
- get
- list
- watch
- apiGroups:
- internal.packaging.carvel.dev
resources:
- internalpackagemetadatas
verbs:
- get
- list
- watch
- apiGroups:
- data.packaging.carvel.dev
resources:
- packagemetadatas
- packagemetadatas/status
verbs:
- get
- list
- watch
- apiGroups:
- internal.packaging.carvel.dev
resources:
- internalpackages
verbs:
- get
- list
- watch
- apiGroups:
- data.packaging.carvel.dev
resources:
- packages
- packages/status
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kapp-controller-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kapp-controller-cluster-role
subjects:
- kind: ServiceAccount
name: kapp-controller-sa
namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: pkg-apiserver:system:auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: kapp-controller-sa
namespace: tkg-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pkgserver-auth-reader
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: kapp-controller-sa
namespace: tkg-system
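Once the manifest above is applied, the PackageRepository and PackageInstall CRDs it defines are what you use to actually consume Tanzu packages. The following is an added example (not part of the manifest on this page) that follows the CRD descriptions above: the repository bundle is pinned by digest, data values come from a Secret rather than inline paths (which the CRD notes are stored unencrypted in the CR), and the install runs under its own ServiceAccount. The registry URL, digest, namespace, package name and object names are placeholders.

```yaml
# Added example; assumed/constructed values: registry URL, digest,
# namespace "demo-packages", package name and the secret/SA names.
apiVersion: v1
kind: Namespace
metadata:
  name: demo-packages
---
# Repository pinned by digest so the same reference always resolves to
# the same content (tagSelection/tag in the URL are deliberately unused).
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageRepository
metadata:
  name: demo-repo
  namespace: demo-packages
spec:
  syncPeriod: 10m
  fetch:
    imgpkgBundle:
      # placeholder digest; use the real digest reported by the registry
      image: registry.example.com/packages/demo-repo@sha256:0000000000000000000000000000000000000000000000000000000000000000
---
# Data values live in a Secret, as the CRD recommends for sensitive values.
apiVersion: v1
kind: Secret
metadata:
  name: demo-app-values
  namespace: demo-packages
stringData:
  values.yml: |
    replicas: 2
---
# Dedicated ServiceAccount for this install; grant it only the Role/RoleBinding
# the package's resources need (not shown) instead of reusing kapp-controller-sa.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-app-sa
  namespace: demo-packages
---
apiVersion: packaging.carvel.dev/v1alpha1
kind: PackageInstall
metadata:
  name: demo-app
  namespace: demo-packages
spec:
  serviceAccountName: demo-app-sa
  # reconciliation interval; per the CRD, anything below 30s is raised to 30s
  syncPeriod: 5m
  packageRef:
    refName: demo-app.example.com   # placeholder package name
    versionSelection:
      # semver constraint; prereleases are excluded unless listed explicitly
      constraints: ">=1.2.0 <2.0.0"
  values:
  - secretRef:
      name: demo-app-values
```

After `kubectl apply`, `kubectl get pkgr,pkgi -n demo-packages` shows the Description column from `.status.friendlyDescription`, and `.status.usefulErrorMessage` on the PackageInstall is the first place to look when reconciliation fails.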