Refer to these instructions to install Kapp Controller on a TKG cluster provisioned with TKr for vSphere 7.x.
Prerequisites
See Workflow for Installing Standard Packages on TKr for vSphere 7.x.
Install Kapp Controller
Important: These instructions are specific to TKrs for vSphere 7.x. TKrs for vSphere 8.x already include the Kapp Controller package. Do not manually install Kapp Controller on a TKr for vSphere 8.x.
Install Kapp Controller.
- Create a binding to run the Kapp Controller pod.
kubectl create clusterrolebinding default-tkg-admin-privileged-binding --clusterrole=cluster-admin --group=system:authenticated
Expected result:clusterrolebinding.rbac.authorization.k8s.io/default-tkg-admin-privileged-binding created
- Prepare
kapp-controller.yaml
.See
- Install Kapp Controller.
kubectl apply -f kapp-controller.yaml
- Verify Kapp Controller installation.
kubectl get all -n tkg-system
Sample result:NAME READY STATUS RESTARTS AGE pod/kapp-controller-b7576ddd-p8s87 2/2 Running 0 5m33s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/packaging-api ClusterIP 198.201.96.77 <none> 443/TCP 5m34s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/kapp-controller 1/1 1 1 5m33s
- Verify the Carvel custom resource.
kubectl get crd | grep carvel
Example result:internalpackagemetadatas.internal.packaging.carvel.dev 2024-03-12T08:27:21Z internalpackages.internal.packaging.carvel.dev 2024-03-12T08:27:21Z packageinstalls.packaging.carvel.dev 2024-03-12T08:27:21Z packagerepositories.packaging.carvel.dev 2024-03-12T08:27:22Z
kapp-controller.yaml
The following kapp-controller.yaml
includes required securityContext
settings.
--- apiVersion: v1 kind: Namespace metadata: name: tkg-system --- apiVersion: v1 kind: Namespace metadata: name: kapp-controller-packaging-global --- apiVersion: apiregistration.k8s.io/v1 kind: APIService metadata: name: v1alpha1.data.packaging.carvel.dev spec: group: data.packaging.carvel.dev groupPriorityMinimum: 100 service: name: packaging-api namespace: tkg-system version: v1alpha1 versionPriority: 100 --- apiVersion: v1 kind: Service metadata: name: packaging-api namespace: tkg-system spec: ports: - port: 443 protocol: TCP targetPort: api selector: app: kapp-controller --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: internalpackagemetadatas.internal.packaging.carvel.dev spec: group: internal.packaging.carvel.dev names: kind: InternalPackageMetadata listKind: InternalPackageMetadataList plural: internalpackagemetadatas singular: internalpackagemetadata scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: categories: description: Classifiers of the package (optional; Array of strings) items: type: string type: array displayName: description: Human friendly name of the package (optional; string) type: string iconSVGBase64: description: Base64 encoded icon (optional; string) type: string longDescription: description: Long description of the package (optional; string) type: string maintainers: description: List of maintainer info for the package. Currently only supports the name key. (optional; array of maintner info) items: properties: name: type: string type: object type: array providerName: description: Name of the entity distributing the package (optional; string) type: string shortDescription: description: Short desription of the package (optional; string) type: string supportDescription: description: Description of the support available for the package (optional; string) type: string type: object required: - spec type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: internalpackages.internal.packaging.carvel.dev spec: group: internal.packaging.carvel.dev names: kind: InternalPackage listKind: InternalPackageList plural: internalpackages singular: internalpackage scope: Namespaced versions: - name: v1alpha1 schema: openAPIV3Schema: properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: capacityRequirementsDescription: description: 'System requirements needed to install the package. Note: these requirements will not be verified by kapp-controller on installation. (optional; string)' type: string includedSoftware: description: IncludedSoftware can be used to show the software contents of a Package. This is especially useful if the underlying versions do not match the Package version items: description: IncludedSoftware contains the underlying Software Contents of a Package properties: description: type: string displayName: type: string version: type: string type: object type: array kappControllerVersionSelection: description: KappControllerVersionSelection specifies the versions of kapp-controller which can install this package properties: constraints: type: string type: object kubernetesVersionSelection: description: KubernetesVersionSelection specifies the versions of k8s which this package can be installed on properties: constraints: type: string type: object licenses: description: Description of the licenses that apply to the package software (optional; Array of strings) items: type: string type: array refName: description: The name of the PackageMetadata associated with this version Must be a valid PackageMetadata name (see PackageMetadata CR for details) Cannot be empty type: string releaseNotes: description: Version release notes (optional; string) type: string releasedAt: description: Timestamp of release (iso8601 formatted string; optional) format: date-time nullable: true type: string template: properties: spec: properties: canceled: description: Cancels current and future reconciliations (optional; default=false) type: boolean cluster: description: Specifies that app should be deployed to destination cluster; by default, cluster is same as where this resource resides (optional; v0.5.0+) properties: kubeconfigSecretRef: description: Specifies secret containing kubeconfig (required) properties: key: description: Specifies key that contains kubeconfig (optional) type: string name: description: Specifies secret name within app's namespace (required) type: string type: object namespace: description: Specifies namespace in destination cluster (optional) type: string type: object deploy: items: properties: kapp: description: Use kapp to deploy resources properties: delete: description: Configuration for delete command (optional) properties: rawOptions: description: Pass through options to kapp delete (optional) items: type: string type: array type: object inspect: description: 'Configuration for inspect command (optional) as of kapp-controller v0.31.0, inspect is disabled by default add rawOptions or use an empty inspect config like `inspect: {}` to enable' properties: rawOptions: description: Pass through options to kapp inspect (optional) items: type: string type: array type: object intoNs: description: Override namespace for all resources (optional) type: string mapNs: description: Provide custom namespace override mapping (optional) items: type: string type: array rawOptions: description: Pass through options to kapp deploy (optional) items: type: string type: array type: object type: object type: array fetch: items: properties: git: description: Uses git to clone repository properties: lfsSkipSmudge: description: Skip lfs download (optional) type: boolean ref: description: Branch, tag, commit; origin is the name of the remote (optional) type: string refSelection: description: Specifies a strategy to resolve to an explicit ref (optional; v0.24.0+) properties: semver: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object secretRef: description: 'Secret with auth details. allowed keys: ssh-privatekey, ssh-knownhosts, username, password (optional) (if ssh-knownhosts is not specified, git will not perform strict host checking)' properties: name: description: Object is expected to be within same namespace type: string type: object subPath: description: Grab only portion of repository (optional) type: string url: description: http or ssh urls are supported (required) type: string type: object helmChart: description: Uses helm fetch to fetch specified chart properties: name: description: 'Example: stable/redis' type: string repository: properties: secretRef: properties: name: description: Object is expected to be within same namespace type: string type: object url: description: Repository url; scheme of oci:// will fetch experimental helm oci chart (v0.19.0+) (required) type: string type: object version: type: string type: object http: description: Uses http library to fetch file properties: secretRef: description: 'Secret to provide auth details (optional) Secret may include one or more keys: username, password' properties: name: description: Object is expected to be within same namespace type: string type: object sha256: description: Checksum to verify after download (optional) type: string subPath: description: Grab only portion of download (optional) type: string url: description: 'URL can point to one of following formats: text, tgz, zip http and https url are supported; plain file, tgz and tar types are supported (required)' type: string type: object image: description: Pulls content from Docker/OCI registry properties: secretRef: description: 'Secret may include one or more keys: username, password, token. By default anonymous access is used for authentication.' properties: name: description: Object is expected to be within same namespace type: string type: object subPath: description: Grab only portion of image (optional) type: string tagSelection: description: Specifies a strategy to choose a tag (optional; v0.24.0+) if specified, do not include a tag in url key properties: semver: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object url: description: 'Docker image url; unqualified, tagged, or digest references supported (required) Example: username/app1-config:v0.1.0' type: string type: object imgpkgBundle: description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+) properties: image: description: Docker image url; unqualified, tagged, or digest references supported (required) type: string secretRef: description: 'Secret may include one or more keys: username, password, token. By default anonymous access is used for authentication.' properties: name: description: Object is expected to be within same namespace type: string type: object tagSelection: description: Specifies a strategy to choose a tag (optional; v0.24.0+) if specified, do not include a tag in url key properties: semver: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object type: object inline: description: Pulls content from within this resource; or other resources in the cluster properties: paths: additionalProperties: type: string description: Specifies mapping of paths to their content; not recommended for sensitive values as CR is not encrypted (optional) type: object pathsFrom: description: Specifies content via secrets and config maps; data values are recommended to be placed in secrets (optional) items: properties: configMapRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object secretRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object type: object type: array type: object path: description: Relative path to place the fetched artifacts type: string type: object type: array noopDelete: description: Deletion requests for the App will result in the App CR being deleted, but its associated resources will not be deleted (optional; default=false; v0.18.0+) type: boolean paused: description: Pauses _future_ reconciliation; does _not_ affect currently running reconciliation (optional; default=false) type: boolean serviceAccountName: description: Specifies that app should be deployed authenticated via given service account, found in this namespace (optional; v0.6.0+) type: string syncPeriod: description: Specifies the length of time to wait, in time + unit format, before reconciling. Always >= 30s. If value below 30s is specified, 30s will be used. (optional; v0.9.0+; default=30s) type: string template: items: properties: cue: properties: inputExpression: description: Cue expression for single path component, can be used to unify ValuesFrom into a given field (optional) type: string outputExpression: description: Cue expression to output, default will export all visible fields (optional) type: string paths: description: Explicit list of files/directories (optional) items: type: string type: array valuesFrom: description: Provide values (optional) items: properties: configMapRef: properties: name: type: string type: object downwardAPI: properties: items: items: properties: fieldPath: description: 'Required: Selects a field of the app: only annotations, labels, uid, name and namespace are supported.' type: string kappControllerVersion: description: 'Optional: Get running KappController version, defaults (empty) to retrieving the current running version.. Can be manually supplied instead.' properties: version: type: string type: object kubernetesAPIs: description: 'Optional: Get running KubernetesAPIs from cluster, defaults (empty) to retrieving the APIs from the cluster. Can be manually supplied instead, e.g ["group/version", "group2/version2"]' properties: groupVersions: items: type: string type: array type: object kubernetesVersion: description: 'Optional: Get running Kubernetes version from cluster, defaults (empty) to retrieving the version from the cluster. Can be manually supplied instead.' properties: version: type: string type: object name: type: string type: object type: array type: object path: type: string secretRef: properties: name: type: string type: object type: object type: array type: object helmTemplate: description: Use helm template command to render helm chart properties: kubernetesAPIs: description: 'Optional: Use kubernetes group/versions resources available in the live cluster' properties: groupVersions: items: type: string type: array type: object kubernetesVersion: description: 'Optional: Get Kubernetes version, defaults (empty) to retrieving the version from the cluster. Can be manually overridden to a value instead.' properties: version: type: string type: object name: description: Set name explicitly, default is App CR's name (optional; v0.13.0+) type: string namespace: description: Set namespace explicitly, default is App CR's namespace (optional; v0.13.0+) type: string path: description: Path to chart (optional; v0.13.0+) type: string valuesFrom: description: One or more secrets, config maps, paths that provide values (optional) items: properties: configMapRef: properties: name: type: string type: object downwardAPI: properties: items: items: properties: fieldPath: description: 'Required: Selects a field of the app: only annotations, labels, uid, name and namespace are supported.' type: string kappControllerVersion: description: 'Optional: Get running KappController version, defaults (empty) to retrieving the current running version.. Can be manually supplied instead.' properties: version: type: string type: object kubernetesAPIs: description: 'Optional: Get running KubernetesAPIs from cluster, defaults (empty) to retrieving the APIs from the cluster. Can be manually supplied instead, e.g ["group/version", "group2/version2"]' properties: groupVersions: items: type: string type: array type: object kubernetesVersion: description: 'Optional: Get running Kubernetes version from cluster, defaults (empty) to retrieving the version from the cluster. Can be manually supplied instead.' properties: version: type: string type: object name: type: string type: object type: array type: object path: type: string secretRef: properties: name: type: string type: object type: object type: array type: object jsonnet: description: TODO implement jsonnet type: object kbld: description: Use kbld to resolve image references to use digests properties: paths: items: type: string type: array type: object kustomize: description: TODO implement kustomize type: object sops: description: Use sops to decrypt *.sops.yml files (optional; v0.11.0+) properties: age: properties: privateKeysSecretRef: description: Secret with private armored PGP private keys (required) properties: name: type: string type: object type: object paths: description: Lists paths to decrypt explicitly (optional; v0.13.0+) items: type: string type: array pgp: description: Use PGP to decrypt files (required) properties: privateKeysSecretRef: description: Secret with private armored PGP private keys (required) properties: name: type: string type: object type: object type: object ytt: description: Use ytt to template configuration properties: fileMarks: description: Control metadata about input files passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/ for more details items: type: string type: array ignoreUnknownComments: description: Ignores comments that ytt doesn't recognize (optional; default=false) type: boolean inline: description: Specify additional files, including data values (optional) properties: paths: additionalProperties: type: string description: Specifies mapping of paths to their content; not recommended for sensitive values as CR is not encrypted (optional) type: object pathsFrom: description: Specifies content via secrets and config maps; data values are recommended to be placed in secrets (optional) items: properties: configMapRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object secretRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object type: object type: array type: object paths: description: Lists paths to provide to ytt explicitly (optional) items: type: string type: array strict: description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md (optional; default=false) type: boolean valuesFrom: description: Provide values via ytt's --data-values-file (optional; v0.19.0-alpha.9) items: properties: configMapRef: properties: name: type: string type: object downwardAPI: properties: items: items: properties: fieldPath: description: 'Required: Selects a field of the app: only annotations, labels, uid, name and namespace are supported.' type: string kappControllerVersion: description: 'Optional: Get running KappController version, defaults (empty) to retrieving the current running version.. Can be manually supplied instead.' properties: version: type: string type: object kubernetesAPIs: description: 'Optional: Get running KubernetesAPIs from cluster, defaults (empty) to retrieving the APIs from the cluster. Can be manually supplied instead, e.g ["group/version", "group2/version2"]' properties: groupVersions: items: type: string type: array type: object kubernetesVersion: description: 'Optional: Get running Kubernetes version from cluster, defaults (empty) to retrieving the version from the cluster. Can be manually supplied instead.' properties: version: type: string type: object name: type: string type: object type: array type: object path: type: string secretRef: properties: name: type: string type: object type: object type: array type: object type: object type: array type: object required: - spec type: object valuesSchema: description: valuesSchema can be used to show template values that can be configured by users when a Package is installed in an OpenAPI schema format. properties: openAPIv3: nullable: true type: object x-kubernetes-preserve-unknown-fields: true type: object version: description: Package version; Referenced by PackageInstall; Must be valid semver (required) Cannot be empty type: string type: object required: - spec type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: apps.kappctrl.k14s.io spec: group: kappctrl.k14s.io names: categories: - carvel kind: App listKind: AppList plural: apps singular: app scope: Namespaced versions: - additionalPrinterColumns: - description: Friendly description jsonPath: .status.friendlyDescription name: Description type: string - description: Last time app started being deployed. Does not mean anything was changed. jsonPath: .status.deploy.startedAt name: Since-Deploy type: date - description: Time since creation jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: 'An App is a set of Kubernetes resources. These resources could span any number of namespaces or could be cluster-wide (e.g. CRDs). An App is represented in kapp-controller using a App CR. The App CR comprises of three main sections: spec.fetch – declare source for fetching configuration and OCI images spec.template – declare templating tool and values spec.deploy – declare deployment tool and any deploy specific configuration' properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: canceled: description: Cancels current and future reconciliations (optional; default=false) type: boolean cluster: description: Specifies that app should be deployed to destination cluster; by default, cluster is same as where this resource resides (optional; v0.5.0+) properties: kubeconfigSecretRef: description: Specifies secret containing kubeconfig (required) properties: key: description: Specifies key that contains kubeconfig (optional) type: string name: description: Specifies secret name within app's namespace (required) type: string type: object namespace: description: Specifies namespace in destination cluster (optional) type: string type: object deploy: items: properties: kapp: description: Use kapp to deploy resources properties: delete: description: Configuration for delete command (optional) properties: rawOptions: description: Pass through options to kapp delete (optional) items: type: string type: array type: object inspect: description: 'Configuration for inspect command (optional) as of kapp-controller v0.31.0, inspect is disabled by default add rawOptions or use an empty inspect config like `inspect: {}` to enable' properties: rawOptions: description: Pass through options to kapp inspect (optional) items: type: string type: array type: object intoNs: description: Override namespace for all resources (optional) type: string mapNs: description: Provide custom namespace override mapping (optional) items: type: string type: array rawOptions: description: Pass through options to kapp deploy (optional) items: type: string type: array type: object type: object type: array fetch: items: properties: git: description: Uses git to clone repository properties: lfsSkipSmudge: description: Skip lfs download (optional) type: boolean ref: description: Branch, tag, commit; origin is the name of the remote (optional) type: string refSelection: description: Specifies a strategy to resolve to an explicit ref (optional; v0.24.0+) properties: semver: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object secretRef: description: 'Secret with auth details. allowed keys: ssh-privatekey, ssh-knownhosts, username, password (optional) (if ssh-knownhosts is not specified, git will not perform strict host checking)' properties: name: description: Object is expected to be within same namespace type: string type: object subPath: description: Grab only portion of repository (optional) type: string url: description: http or ssh urls are supported (required) type: string type: object helmChart: description: Uses helm fetch to fetch specified chart properties: name: description: 'Example: stable/redis' type: string repository: properties: secretRef: properties: name: description: Object is expected to be within same namespace type: string type: object url: description: Repository url; scheme of oci:// will fetch experimental helm oci chart (v0.19.0+) (required) type: string type: object version: type: string type: object http: description: Uses http library to fetch file properties: secretRef: description: 'Secret to provide auth details (optional) Secret may include one or more keys: username, password' properties: name: description: Object is expected to be within same namespace type: string type: object sha256: description: Checksum to verify after download (optional) type: string subPath: description: Grab only portion of download (optional) type: string url: description: 'URL can point to one of following formats: text, tgz, zip http and https url are supported; plain file, tgz and tar types are supported (required)' type: string type: object image: description: Pulls content from Docker/OCI registry properties: secretRef: description: 'Secret may include one or more keys: username, password, token. By default anonymous access is used for authentication.' properties: name: description: Object is expected to be within same namespace type: string type: object subPath: description: Grab only portion of image (optional) type: string tagSelection: description: Specifies a strategy to choose a tag (optional; v0.24.0+) if specified, do not include a tag in url key properties: semver: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object url: description: 'Docker image url; unqualified, tagged, or digest references supported (required) Example: username/app1-config:v0.1.0' type: string type: object imgpkgBundle: description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+) properties: image: description: Docker image url; unqualified, tagged, or digest references supported (required) type: string secretRef: description: 'Secret may include one or more keys: username, password, token. By default anonymous access is used for authentication.' properties: name: description: Object is expected to be within same namespace type: string type: object tagSelection: description: Specifies a strategy to choose a tag (optional; v0.24.0+) if specified, do not include a tag in url key properties: semver: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object type: object inline: description: Pulls content from within this resource; or other resources in the cluster properties: paths: additionalProperties: type: string description: Specifies mapping of paths to their content; not recommended for sensitive values as CR is not encrypted (optional) type: object pathsFrom: description: Specifies content via secrets and config maps; data values are recommended to be placed in secrets (optional) items: properties: configMapRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object secretRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object type: object type: array type: object path: description: Relative path to place the fetched artifacts type: string type: object type: array noopDelete: description: Deletion requests for the App will result in the App CR being deleted, but its associated resources will not be deleted (optional; default=false; v0.18.0+) type: boolean paused: description: Pauses _future_ reconciliation; does _not_ affect currently running reconciliation (optional; default=false) type: boolean serviceAccountName: description: Specifies that app should be deployed authenticated via given service account, found in this namespace (optional; v0.6.0+) type: string syncPeriod: description: Specifies the length of time to wait, in time + unit format, before reconciling. Always >= 30s. If value below 30s is specified, 30s will be used. (optional; v0.9.0+; default=30s) type: string template: items: properties: cue: properties: inputExpression: description: Cue expression for single path component, can be used to unify ValuesFrom into a given field (optional) type: string outputExpression: description: Cue expression to output, default will export all visible fields (optional) type: string paths: description: Explicit list of files/directories (optional) items: type: string type: array valuesFrom: description: Provide values (optional) items: properties: configMapRef: properties: name: type: string type: object downwardAPI: properties: items: items: properties: fieldPath: description: 'Required: Selects a field of the app: only annotations, labels, uid, name and namespace are supported.' type: string kappControllerVersion: description: 'Optional: Get running KappController version, defaults (empty) to retrieving the current running version.. Can be manually supplied instead.' properties: version: type: string type: object kubernetesAPIs: description: 'Optional: Get running KubernetesAPIs from cluster, defaults (empty) to retrieving the APIs from the cluster. Can be manually supplied instead, e.g ["group/version", "group2/version2"]' properties: groupVersions: items: type: string type: array type: object kubernetesVersion: description: 'Optional: Get running Kubernetes version from cluster, defaults (empty) to retrieving the version from the cluster. Can be manually supplied instead.' properties: version: type: string type: object name: type: string type: object type: array type: object path: type: string secretRef: properties: name: type: string type: object type: object type: array type: object helmTemplate: description: Use helm template command to render helm chart properties: kubernetesAPIs: description: 'Optional: Use kubernetes group/versions resources available in the live cluster' properties: groupVersions: items: type: string type: array type: object kubernetesVersion: description: 'Optional: Get Kubernetes version, defaults (empty) to retrieving the version from the cluster. Can be manually overridden to a value instead.' properties: version: type: string type: object name: description: Set name explicitly, default is App CR's name (optional; v0.13.0+) type: string namespace: description: Set namespace explicitly, default is App CR's namespace (optional; v0.13.0+) type: string path: description: Path to chart (optional; v0.13.0+) type: string valuesFrom: description: One or more secrets, config maps, paths that provide values (optional) items: properties: configMapRef: properties: name: type: string type: object downwardAPI: properties: items: items: properties: fieldPath: description: 'Required: Selects a field of the app: only annotations, labels, uid, name and namespace are supported.' type: string kappControllerVersion: description: 'Optional: Get running KappController version, defaults (empty) to retrieving the current running version.. Can be manually supplied instead.' properties: version: type: string type: object kubernetesAPIs: description: 'Optional: Get running KubernetesAPIs from cluster, defaults (empty) to retrieving the APIs from the cluster. Can be manually supplied instead, e.g ["group/version", "group2/version2"]' properties: groupVersions: items: type: string type: array type: object kubernetesVersion: description: 'Optional: Get running Kubernetes version from cluster, defaults (empty) to retrieving the version from the cluster. Can be manually supplied instead.' properties: version: type: string type: object name: type: string type: object type: array type: object path: type: string secretRef: properties: name: type: string type: object type: object type: array type: object jsonnet: description: TODO implement jsonnet type: object kbld: description: Use kbld to resolve image references to use digests properties: paths: items: type: string type: array type: object kustomize: description: TODO implement kustomize type: object sops: description: Use sops to decrypt *.sops.yml files (optional; v0.11.0+) properties: age: properties: privateKeysSecretRef: description: Secret with private armored PGP private keys (required) properties: name: type: string type: object type: object paths: description: Lists paths to decrypt explicitly (optional; v0.13.0+) items: type: string type: array pgp: description: Use PGP to decrypt files (required) properties: privateKeysSecretRef: description: Secret with private armored PGP private keys (required) properties: name: type: string type: object type: object type: object ytt: description: Use ytt to template configuration properties: fileMarks: description: Control metadata about input files passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/ for more details items: type: string type: array ignoreUnknownComments: description: Ignores comments that ytt doesn't recognize (optional; default=false) type: boolean inline: description: Specify additional files, including data values (optional) properties: paths: additionalProperties: type: string description: Specifies mapping of paths to their content; not recommended for sensitive values as CR is not encrypted (optional) type: object pathsFrom: description: Specifies content via secrets and config maps; data values are recommended to be placed in secrets (optional) items: properties: configMapRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object secretRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object type: object type: array type: object paths: description: Lists paths to provide to ytt explicitly (optional) items: type: string type: array strict: description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md (optional; default=false) type: boolean valuesFrom: description: Provide values via ytt's --data-values-file (optional; v0.19.0-alpha.9) items: properties: configMapRef: properties: name: type: string type: object downwardAPI: properties: items: items: properties: fieldPath: description: 'Required: Selects a field of the app: only annotations, labels, uid, name and namespace are supported.' type: string kappControllerVersion: description: 'Optional: Get running KappController version, defaults (empty) to retrieving the current running version.. Can be manually supplied instead.' properties: version: type: string type: object kubernetesAPIs: description: 'Optional: Get running KubernetesAPIs from cluster, defaults (empty) to retrieving the APIs from the cluster. Can be manually supplied instead, e.g ["group/version", "group2/version2"]' properties: groupVersions: items: type: string type: array type: object kubernetesVersion: description: 'Optional: Get running Kubernetes version from cluster, defaults (empty) to retrieving the version from the cluster. Can be manually supplied instead.' properties: version: type: string type: object name: type: string type: object type: array type: object path: type: string secretRef: properties: name: type: string type: object type: object type: array type: object type: object type: array type: object status: properties: conditions: items: properties: message: description: Human-readable message indicating details about last transition. type: string reason: description: Unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized. type: string status: type: string type: description: ConditionType represents reconciler state type: string required: - status - type type: object type: array consecutiveReconcileFailures: type: integer consecutiveReconcileSuccesses: type: integer deploy: properties: error: type: string exitCode: type: integer finished: type: boolean kapp: description: KappDeployStatus contains the associated AppCR deployed resources properties: associatedResources: description: AssociatedResources contains the associated App label, namespaces and GKs properties: groupKinds: items: description: GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying concepts during lookup stages without having partially valid types properties: group: type: string kind: type: string required: - group - kind type: object type: array label: type: string namespaces: items: type: string type: array type: object type: object startedAt: format: date-time type: string stderr: type: string stdout: type: string updatedAt: format: date-time type: string type: object fetch: properties: error: type: string exitCode: type: integer startedAt: format: date-time type: string stderr: type: string stdout: type: string updatedAt: format: date-time type: string type: object friendlyDescription: type: string inspect: properties: error: type: string exitCode: type: integer stderr: type: string stdout: type: string updatedAt: format: date-time type: string type: object managedAppName: type: string observedGeneration: description: Populated based on metadata.generation when controller observes a change to the resource; if this value is out of data, other status fields do not reflect latest state format: int64 type: integer template: properties: error: type: string exitCode: type: integer stderr: type: string updatedAt: format: date-time type: string type: object usefulErrorMessage: type: string type: object required: - spec type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: packageinstalls.packaging.carvel.dev spec: group: packaging.carvel.dev names: categories: - carvel kind: PackageInstall listKind: PackageInstallList plural: packageinstalls shortNames: - pkgi singular: packageinstall scope: Namespaced versions: - additionalPrinterColumns: - description: PackageMetadata name jsonPath: .spec.packageRef.refName name: Package name type: string - description: PackageMetadata version jsonPath: .status.version name: Package version type: string - description: Friendly description jsonPath: .status.friendlyDescription name: Description type: string - description: Time since creation jsonPath: .metadata.creationTimestamp name: Age type: date name: v1alpha1 schema: openAPIV3Schema: description: A Package Install is an actual installation of a package and its underlying resources on a Kubernetes cluster. It is represented in kapp-controller by a PackageInstall CR. A PackageInstall CR must reference a Package CR. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: canceled: description: Canceled when set to true will stop all active changes type: boolean cluster: description: Specifies that Package should be deployed to destination cluster; by default, cluster is same as where this resource resides (optional) properties: kubeconfigSecretRef: description: Specifies secret containing kubeconfig (required) properties: key: description: Specifies key that contains kubeconfig (optional) type: string name: description: Specifies secret name within app's namespace (required) type: string type: object namespace: description: Specifies namespace in destination cluster (optional) type: string type: object noopDelete: description: When NoopDelete set to true, PackageInstall deletion should delete PackageInstall/App CR but preserve App's associated resources. type: boolean packageRef: description: Specifies the name of the package to install (required) properties: refName: type: string versionSelection: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object paused: description: Paused when set to true will ignore all pending changes, once it set back to false, pending changes will be applied type: boolean serviceAccountName: description: Specifies service account that will be used to install underlying package contents type: string syncPeriod: description: Controls frequency of App reconciliation in time + unit format. Always >= 30s. If value below 30s is specified, 30s will be used. type: string values: description: Values to be included in package's templating step (currently only included in the first templating step) (optional) items: properties: secretRef: properties: key: type: string name: type: string type: object type: object type: array type: object status: properties: conditions: items: properties: message: description: Human-readable message indicating details about last transition. type: string reason: description: Unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized. type: string status: type: string type: description: ConditionType represents reconciler state type: string required: - status - type type: object type: array friendlyDescription: type: string lastAttemptedVersion: description: LastAttemptedVersion specifies what version was last attempted to be installed. It does _not_ indicate it was successfully installed. type: string observedGeneration: description: Populated based on metadata.generation when controller observes a change to the resource; if this value is out of data, other status fields do not reflect latest state format: int64 type: integer usefulErrorMessage: type: string version: description: TODO this is desired resolved version (not actually deployed) type: string type: object required: - spec type: object served: true storage: true subresources: status: {} --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: packaging.carvel.dev/global-namespace: kapp-controller-packaging-global name: packagerepositories.packaging.carvel.dev spec: group: packaging.carvel.dev names: categories: - carvel kind: PackageRepository listKind: PackageRepositoryList plural: packagerepositories shortNames: - pkgr singular: packagerepository scope: Namespaced versions: - additionalPrinterColumns: - description: Time since creation jsonPath: .metadata.creationTimestamp name: Age type: date - description: Friendly description jsonPath: .status.friendlyDescription name: Description type: string name: v1alpha1 schema: openAPIV3Schema: description: A package repository is a collection of packages and their metadata. Similar to a maven repository or a rpm repository, adding a package repository to a cluster gives users of that cluster the ability to install any of the packages from that repository. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: properties: fetch: properties: git: description: Uses git to clone repository containing package list properties: lfsSkipSmudge: description: Skip lfs download (optional) type: boolean ref: description: Branch, tag, commit; origin is the name of the remote (optional) type: string refSelection: description: Specifies a strategy to resolve to an explicit ref (optional; v0.24.0+) properties: semver: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object secretRef: description: 'Secret with auth details. allowed keys: ssh-privatekey, ssh-knownhosts, username, password (optional) (if ssh-knownhosts is not specified, git will not perform strict host checking)' properties: name: description: Object is expected to be within same namespace type: string type: object subPath: description: Grab only portion of repository (optional) type: string url: description: http or ssh urls are supported (required) type: string type: object http: description: Uses http library to fetch file containing packages properties: secretRef: description: 'Secret to provide auth details (optional) Secret may include one or more keys: username, password' properties: name: description: Object is expected to be within same namespace type: string type: object sha256: description: Checksum to verify after download (optional) type: string subPath: description: Grab only portion of download (optional) type: string url: description: 'URL can point to one of following formats: text, tgz, zip http and https url are supported; plain file, tgz and tar types are supported (required)' type: string type: object image: description: Image url; unqualified, tagged, or digest references supported (required) properties: secretRef: description: 'Secret may include one or more keys: username, password, token. By default anonymous access is used for authentication.' properties: name: description: Object is expected to be within same namespace type: string type: object subPath: description: Grab only portion of image (optional) type: string tagSelection: description: Specifies a strategy to choose a tag (optional; v0.24.0+) if specified, do not include a tag in url key properties: semver: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object url: description: 'Docker image url; unqualified, tagged, or digest references supported (required) Example: username/app1-config:v0.1.0' type: string type: object imgpkgBundle: description: Pulls imgpkg bundle from Docker/OCI registry properties: image: description: Docker image url; unqualified, tagged, or digest references supported (required) type: string secretRef: description: 'Secret may include one or more keys: username, password, token. By default anonymous access is used for authentication.' properties: name: description: Object is expected to be within same namespace type: string type: object tagSelection: description: Specifies a strategy to choose a tag (optional; v0.24.0+) if specified, do not include a tag in url key properties: semver: properties: constraints: type: string prereleases: properties: identifiers: items: type: string type: array type: object type: object type: object type: object inline: description: Pull content from within this resource; or other resources in the cluster properties: paths: additionalProperties: type: string description: Specifies mapping of paths to their content; not recommended for sensitive values as CR is not encrypted (optional) type: object pathsFrom: description: Specifies content via secrets and config maps; data values are recommended to be placed in secrets (optional) items: properties: configMapRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object secretRef: properties: directoryPath: description: Specifies where to place files found in secret (optional) type: string name: type: string type: object type: object type: array type: object type: object paused: description: Paused when set to true will ignore all pending changes, once it set back to false, pending changes will be applied type: boolean syncPeriod: description: Controls frequency of PackageRepository reconciliation type: string required: - fetch type: object status: properties: conditions: items: properties: message: description: Human-readable message indicating details about last transition. type: string reason: description: Unique, this should be a short, machine understandable string that gives the reason for condition's last transition. If it reports "ResizeStarted" that means the underlying persistent volume is being resized. type: string status: type: string type: description: ConditionType represents reconciler state type: string required: - status - type type: object type: array consecutiveReconcileFailures: type: integer consecutiveReconcileSuccesses: type: integer deploy: properties: error: type: string exitCode: type: integer finished: type: boolean kapp: description: KappDeployStatus contains the associated AppCR deployed resources properties: associatedResources: description: AssociatedResources contains the associated App label, namespaces and GKs properties: groupKinds: items: description: GroupKind specifies a Group and a Kind, but does not force a version. This is useful for identifying concepts during lookup stages without having partially valid types properties: group: type: string kind: type: string required: - group - kind type: object type: array label: type: string namespaces: items: type: string type: array type: object type: object startedAt: format: date-time type: string stderr: type: string stdout: type: string updatedAt: format: date-time type: string type: object fetch: properties: error: type: string exitCode: type: integer startedAt: format: date-time type: string stderr: type: string stdout: type: string updatedAt: format: date-time type: string type: object friendlyDescription: type: string observedGeneration: description: Populated based on metadata.generation when controller observes a change to the resource; if this value is out of data, other status fields do not reflect latest state format: int64 type: integer template: properties: error: type: string exitCode: type: integer stderr: type: string updatedAt: format: date-time type: string type: object usefulErrorMessage: type: string type: object required: - spec type: object served: true storage: true subresources: status: {} --- apiVersion: apps/v1 kind: Deployment metadata: annotations: kapp-controller.carvel.dev/version: v0.45.2 kbld.k14s.io/images: | - origins: - local: path: /home/runner/work/kapp-controller/kapp-controller - git: dirty: true remoteURL: https://github.com/carvel-dev/kapp-controller sha: e3beee23d49899bfc681c9d980c1a3bdc0fa14ac tags: - v0.45.2 url: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d name: kapp-controller namespace: tkg-system spec: replicas: 1 revisionHistoryLimit: 0 selector: matchLabels: app: kapp-controller template: metadata: labels: app: kapp-controller spec: containers: - args: - -packaging-global-namespace=kapp-controller-packaging-global - -enable-api-priority-and-fairness=True - -tls-cipher-suites= env: - name: KAPPCTRL_MEM_TMP_DIR value: /etc/kappctrl-mem-tmp - name: KAPPCTRL_SIDECAREXEC_SOCK value: /etc/kappctrl-mem-tmp/sidecarexec.sock - name: KAPPCTRL_SYSTEM_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: KAPPCTRL_API_PORT value: "10350" image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d name: kapp-controller ports: - containerPort: 10350 name: api protocol: TCP resources: requests: cpu: 120m memory: 100Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /etc/kappctrl-mem-tmp name: template-fs - mountPath: /home/kapp-controller name: home - args: - --sidecarexec env: - name: KAPPCTRL_SIDECAREXEC_SOCK value: /etc/kappctrl-mem-tmp/sidecarexec.sock - name: IMGPKG_ACTIVE_KEYCHAINS value: gke,aks,ecr image: ghcr.io/carvel-dev/kapp-controller@sha256:d5c5b259d10f8a561fe6717a735ceb053ccb13320f55428977d1d8df46b9bc0d name: kapp-controller-sidecarexec resources: requests: cpu: 120m memory: 100Mi securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: false runAsNonRoot: true seccompProfile: type: RuntimeDefault volumeMounts: - mountPath: /etc/kappctrl-mem-tmp name: template-fs - mountPath: /home/kapp-controller name: home - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: empty-sa serviceAccount: kapp-controller-sa volumes: - emptyDir: medium: Memory name: template-fs - emptyDir: medium: Memory name: home - emptyDir: {} name: empty-sa --- apiVersion: v1 kind: ServiceAccount metadata: name: kapp-controller-sa namespace: tkg-system