ContainerImage.Pinniped/deploy_carvel/_dev.SCRATCH/kapp-controller.release.yaml


---
# Namespace for the controller itself: the packaging-api Service defined in
# this file lives here.
# NOTE(review): no pod-security.kubernetes.io/* labels are set in this
# document; confirm that Pod Security admission (or an equivalent policy) is
# applied to this namespace elsewhere.
apiVersion: v1
kind: Namespace
metadata:
  name: kapp-controller
---
# Second namespace shipped with the release.
# NOTE(review): nothing in the visible part of this file references it;
# presumably it holds packaging resources shared across the cluster. If so,
# write access to this namespace decides who can offer packages to every
# other namespace — confirm the RBAC bound to it.
apiVersion: v1
kind: Namespace
metadata:
  name: kapp-controller-packaging-global
---
# Registers the API group data.packaging.carvel.dev/v1alpha1 with the
# aggregation layer: the kube-apiserver proxies requests for this group to the
# packaging-api Service in the kapp-controller namespace.
# NOTE(review): neither spec.caBundle nor spec.insecureSkipTLSVerify is set
# in this document. Confirm how the CA bundle for the backend's serving
# certificate is supplied, and that insecureSkipTLSVerify is not enabled as a
# shortcut.
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  name: v1alpha1.data.packaging.carvel.dev
spec:
  group: data.packaging.carvel.dev
  groupPriorityMinimum: 100
  service:
    name: packaging-api
    namespace: kapp-controller
  version: v1alpha1
  versionPriority: 100
---
# Backend of the aggregated API registered by the APIService in this file:
# port 443 is forwarded to the container port named "api" on pods labelled
# app=kapp-controller in this namespace.
# Any pod in the namespace that carries this label is selected as a backend,
# so the right to create or relabel pods here should be tightly restricted.
apiVersion: v1
kind: Service
metadata:
  name: packaging-api
  namespace: kapp-controller
spec:
  ports:
  - port: 443
    protocol: TCP
    targetPort: api
  selector:
    app: kapp-controller
---
# CRD for InternalPackageMetadata (group internal.packaging.carvel.dev):
# namespaced, with a single version v1alpha1 that is both served and stored.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: internalpackagemetadatas.internal.packaging.carvel.dev
spec:
  group: internal.packaging.carvel.dev
  names:
    kind: InternalPackageMetadata
    listKind: InternalPackageMetadataList
    plural: internalpackagemetadatas
    singular: internalpackagemetadata
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          # Every spec field below is a free-form string, a list of strings, or
          # an object with a string "name". The schema sets no length, pattern
          # or enum limits, so anything that displays these values should treat
          # them as untrusted text supplied by the package author.
          spec:
            properties:
              categories:
                description: Classifiers of the package (optional; Array of strings)
                items:
                  type: string
                type: array
              displayName:
                description: Human friendly name of the package (optional; string)
                type: string
              # Only "type: string" is enforced here. The value is described as
              # a base64-encoded icon; SVG can embed script, so a consumer that
              # decodes and renders it should sanitise it first.
              # NOTE(review): confirm how UIs consume this field.
              iconSVGBase64:
                description: Base64 encoded icon (optional; string)
                type: string
              longDescription:
                description: Long description of the package (optional; string)
                type: string
              maintainers:
                description: List of maintainer info for the package. Currently only
                  supports the name key. (optional; array of maintner info)
                items:
                  properties:
                    name:
                      type: string
                  type: object
                type: array
              providerName:
                description: Name of the entity distributing the package (optional;
                  string)
                type: string
              shortDescription:
                description: Short desription of the package (optional; string)
                type: string
              supportDescription:
                description: Description of the support available for the package
                  (optional; string)
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    # Enables the /status subresource, which is authorised separately from the
    # main resource in RBAC.
    subresources:
      status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: internalpackages.internal.packaging.carvel.dev
spec:
group: internal.packaging.carvel.dev
names:
kind: InternalPackage
listKind: InternalPackageList
plural: internalpackages
singular: internalpackage
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
capacityRequirementsDescription:
description: 'System requirements needed to install the package. Note:
these requirements will not be verified by kapp-controller on installation.
(optional; string)'
type: string
includedSoftware:
description: IncludedSoftware can be used to show the software contents
of a Package. This is especially useful if the underlying versions
do not match the Package version
items:
description: IncludedSoftware contains the underlying Software Contents
of a Package
properties:
description:
type: string
displayName:
type: string
version:
type: string
type: object
type: array
kappControllerVersionSelection:
description: KappControllerVersionSelection specifies the versions
of kapp-controller which can install this package
properties:
constraints:
type: string
type: object
kubernetesVersionSelection:
description: KubernetesVersionSelection specifies the versions of
k8s which this package can be installed on
properties:
constraints:
type: string
type: object
licenses:
description: Description of the licenses that apply to the package
software (optional; Array of strings)
items:
type: string
type: array
refName:
description: The name of the PackageMetadata associated with this
version Must be a valid PackageMetadata name (see PackageMetadata
CR for details) Cannot be empty
type: string
releaseNotes:
description: Version release notes (optional; string)
type: string
releasedAt:
description: Timestamp of release (iso8601 formatted string; optional)
format: date-time
nullable: true
type: string
template:
properties:
spec:
properties:
canceled:
description: Cancels current and future reconciliations (optional;
default=false)
type: boolean
# Optional remote-cluster target for the templated app.
# The referenced Secret holds a kubeconfig, which typically carries the
# credentials for the destination cluster: anyone who can read Secrets in the
# app's namespace can reuse them. Scope that kubeconfig's identity to what the
# package actually needs to deploy.
cluster:
  description: Specifies that app should be deployed to destination
    cluster; by default, cluster is same as where this resource
    resides (optional; v0.5.0+)
  properties:
    kubeconfigSecretRef:
      description: Specifies secret containing kubeconfig (required)
      properties:
        key:
          description: Specifies key that contains kubeconfig
            (optional)
          type: string
        name:
          description: Specifies secret name within app's namespace
            (required)
          type: string
      type: object
    namespace:
      description: Specifies namespace in destination cluster
        (optional)
      type: string
  type: object
# Deploy step of the package template; kapp is the only deployer defined.
# The three rawOptions lists are arrays of free-form strings that the
# descriptions say are passed through to kapp. The schema does not restrict
# which options may appear, so whoever can write this resource chooses the
# flags kapp runs with.
# NOTE(review): confirm whether the controller filters these options.
deploy:
  items:
    properties:
      kapp:
        description: Use kapp to deploy resources
        properties:
          delete:
            description: Configuration for delete command (optional)
            properties:
              rawOptions:
                description: Pass through options to kapp delete
                  (optional)
                items:
                  type: string
                type: array
            type: object
          inspect:
            description: 'Configuration for inspect command
              (optional) as of kapp-controller v0.31.0, inspect
              is disabled by default add rawOptions or use an
              empty inspect config like `inspect: {}` to enable'
            properties:
              rawOptions:
                description: Pass through options to kapp inspect
                  (optional)
                items:
                  type: string
                type: array
            type: object
          # intoNs and mapNs rewrite the namespace of the deployed resources;
          # review them together with the RBAC of the deploying identity.
          intoNs:
            description: Override namespace for all resources
              (optional)
            type: string
          mapNs:
            description: Provide custom namespace override mapping
              (optional)
            items:
              type: string
            type: array
          rawOptions:
            description: Pass through options to kapp deploy
              (optional)
            items:
              type: string
            type: array
        type: object
    type: object
  type: array
fetch:
items:
properties:
# Fetch source: clone a git repository.
git:
  description: Uses git to clone repository
  properties:
    lfsSkipSmudge:
      description: Skip lfs download (optional)
      type: boolean
    # A branch or tag can be moved after review; a commit id pins the content.
    ref:
      description: Branch, tag, commit; origin is the
        name of the remote (optional)
      type: string
    # Resolves a ref from a semver constraint, so the fetched content changes
    # when a newer matching ref is published.
    refSelection:
      description: Specifies a strategy to resolve to
        an explicit ref (optional; v0.24.0+)
      properties:
        semver:
          properties:
            constraints:
              type: string
            prereleases:
              properties:
                identifiers:
                  items:
                    type: string
                  type: array
              type: object
          type: object
      type: object
    # Per the description, when the Secret has no ssh-knownhosts key git does
    # not perform strict host checking, i.e. the SSH server's identity is not
    # verified. Provide ssh-knownhosts whenever ssh-privatekey is used.
    secretRef:
      description: 'Secret with auth details. allowed
        keys: ssh-privatekey, ssh-knownhosts, username,
        password (optional) (if ssh-knownhosts is not
        specified, git will not perform strict host checking)'
      properties:
        name:
          description: Object is expected to be within
            same namespace
          type: string
      type: object
    subPath:
      description: Grab only portion of repository (optional)
      type: string
    # The schema only requires a string; no URL scheme is enforced here.
    # NOTE(review): the description says "http or ssh" — confirm whether that
    # includes https, and prefer an authenticated transport.
    url:
      description: http or ssh urls are supported (required)
      type: string
  type: object
helmChart:
description: Uses helm fetch to fetch specified chart
properties:
name:
description: 'Example: stable/redis'
type: string
repository:
properties:
secretRef:
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
url:
description: Repository url; scheme of oci://
will fetch experimental helm oci chart (v0.19.0+)
(required)
type: string
type: object
version:
type: string
type: object
# Fetch source: download a file or archive over HTTP(S).
http:
  description: Uses http library to fetch file
  properties:
    # NOTE(review): if url uses plain http, the username/password from this
    # Secret would presumably travel unencrypted — confirm and use https.
    secretRef:
      description: 'Secret to provide auth details (optional)
        Secret may include one or more keys: username,
        password'
      properties:
        name:
          description: Object is expected to be within
            same namespace
          type: string
      type: object
    # Optional checksum. When it is omitted nothing in this schema ties the
    # download to known content, so set it for any artifact that is meant to
    # be immutable.
    sha256:
      description: Checksum to verify after download (optional)
      type: string
    subPath:
      description: Grab only portion of download (optional)
      type: string
    # Both http and https are accepted per the description; the schema itself
    # enforces only "type: string".
    url:
      description: 'URL can point to one of following
        formats: text, tgz, zip http and https url are
        supported; plain file, tgz and tar types are supported
        (required)'
      type: string
  type: object
# Fetch source: pull content from a Docker/OCI registry.
image:
  description: Pulls content from Docker/OCI registry
  properties:
    # Without this Secret the pull is anonymous (see description).
    secretRef:
      description: 'Secret may include one or more keys:
        username, password, token. By default anonymous
        access is used for authentication.'
      properties:
        name:
          description: Object is expected to be within
            same namespace
          type: string
      type: object
    subPath:
      description: Grab only portion of image (optional)
      type: string
    # Picks a tag from a semver constraint, so the pulled content changes when
    # a newer matching tag is pushed to the registry.
    tagSelection:
      description: Specifies a strategy to choose a tag
        (optional; v0.24.0+) if specified, do not include
        a tag in url key
      properties:
        semver:
          properties:
            constraints:
              type: string
            prereleases:
              properties:
                identifiers:
                  items:
                    type: string
                  type: array
              type: object
          type: object
      type: object
    # Tagged and digest references are both accepted. A tag can be repointed
    # in the registry; a digest reference pins the exact content.
    url:
      description: 'Docker image url; unqualified, tagged,
        or digest references supported (required) Example:
        username/app1-config:v0.1.0'
      type: string
  type: object
imgpkgBundle:
description: Pulls imgpkg bundle from Docker/OCI registry
(v0.17.0+)
properties:
image:
description: Docker image url; unqualified, tagged,
or digest references supported (required)
type: string
secretRef:
description: 'Secret may include one or more keys:
username, password, token. By default anonymous
access is used for authentication.'
properties:
name:
description: Object is expected to be within
same namespace
type: string
type: object
tagSelection:
description: Specifies a strategy to choose a tag
(optional; v0.24.0+) if specified, do not include
a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
type: object
# Fetch source: content embedded in the resource or read from Secrets and
# ConfigMaps.
inline:
  description: Pulls content from within this resource;
    or other resources in the cluster
  properties:
    # Content placed here is stored in the custom resource itself and is
    # readable by anyone allowed to get that resource; the description warns
    # against putting sensitive values here.
    paths:
      additionalProperties:
        type: string
      description: Specifies mapping of paths to their
        content; not recommended for sensitive values
        as CR is not encrypted (optional)
      type: object
    pathsFrom:
      description: Specifies content via secrets and config
        maps; data values are recommended to be placed
        in secrets (optional)
      items:
        properties:
          configMapRef:
            properties:
              # The description mentions "secret" although this is the
              # ConfigMap reference; the wording matches secretRef below.
              # NOTE(review): directoryPath is an unconstrained string here;
              # confirm the controller keeps it inside the fetch directory.
              directoryPath:
                description: Specifies where to place
                  files found in secret (optional)
                type: string
              name:
                type: string
            type: object
          secretRef:
            properties:
              directoryPath:
                description: Specifies where to place
                  files found in secret (optional)
                type: string
              name:
                type: string
            type: object
        type: object
      type: array
  type: object
path:
description: Relative path to place the fetched artifacts
type: string
type: object
type: array
noopDelete:
description: Deletion requests for the App will result in
the App CR being deleted, but its associated resources will
not be deleted (optional; default=false; v0.18.0+)
type: boolean
paused:
description: Pauses _future_ reconciliation; does _not_ affect
currently running reconciliation (optional; default=false)
type: boolean
serviceAccountName:
description: Specifies that app should be deployed authenticated
via given service account, found in this namespace (optional;
v0.6.0+)
type: string
syncPeriod:
description: Specifies the length of time to wait, in time
+ unit format, before reconciling. Always >= 30s. If value
below 30s is specified, 30s will be used. (optional; v0.9.0+;
default=30s)
type: string
template:
items:
properties:
cue:
properties:
inputExpression:
description: Cue expression for single path component,
can be used to unify ValuesFrom into a given field
(optional)
type: string
outputExpression:
description: Cue expression to output, default will
export all visible fields (optional)
type: string
paths:
description: Explicit list of files/directories
(optional)
items:
type: string
type: array
valuesFrom:
description: Provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects
a field of the app: only annotations,
labels, uid, name and namespace
are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running
KappController version, defaults
(empty) to retrieving the current
running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running
KubernetesAPIs from cluster, defaults
(empty) to retrieving the APIs
from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running
Kubernetes version from cluster,
defaults (empty) to retrieving
the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
helmTemplate:
description: Use helm template command to render helm
chart
properties:
kubernetesAPIs:
description: 'Optional: Use kubernetes group/versions
resources available in the live cluster'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get Kubernetes version,
defaults (empty) to retrieving the version from
the cluster. Can be manually overridden to a value
instead.'
properties:
version:
type: string
type: object
name:
description: Set name explicitly, default is App
CR's name (optional; v0.13.0+)
type: string
namespace:
description: Set namespace explicitly, default is
App CR's namespace (optional; v0.13.0+)
type: string
path:
description: Path to chart (optional; v0.13.0+)
type: string
valuesFrom:
description: One or more secrets, config maps, paths
that provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects
a field of the app: only annotations,
labels, uid, name and namespace
are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running
KappController version, defaults
(empty) to retrieving the current
running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running
KubernetesAPIs from cluster, defaults
(empty) to retrieving the APIs
from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running
Kubernetes version from cluster,
defaults (empty) to retrieving
the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
jsonnet:
description: TODO implement jsonnet
type: object
kbld:
description: Use kbld to resolve image references to
use digests
properties:
paths:
items:
type: string
type: array
type: object
kustomize:
description: TODO implement kustomize
type: object
# Template step: decrypt sops-encrypted files before deployment.
# The decryption keys come from Secrets named below, so read access to those
# Secrets is equivalent to read access to every file they can decrypt.
sops:
  description: Use sops to decrypt *.sops.yml files (optional;
    v0.11.0+)
  properties:
    age:
      properties:
        # NOTE(review): this description is identical to the one under pgp;
        # presumably the Secret holds age keys rather than PGP keys — confirm.
        privateKeysSecretRef:
          description: Secret with private armored PGP
            private keys (required)
          properties:
            name:
              type: string
          type: object
      type: object
    paths:
      description: Lists paths to decrypt explicitly (optional;
        v0.13.0+)
      items:
        type: string
      type: array
    # Described as "(required)", but the schema has no "required" list for
    # sops and also defines age as a sibling.
    pgp:
      description: Use PGP to decrypt files (required)
      properties:
        privateKeysSecretRef:
          description: Secret with private armored PGP
            private keys (required)
          properties:
            name:
              type: string
          type: object
      type: object
  type: object
ytt:
description: Use ytt to template configuration
properties:
fileMarks:
description: Control metadata about input files
passed to ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
for more details
items:
type: string
type: array
ignoreUnknownComments:
description: Ignores comments that ytt doesn't recognize
(optional; default=false)
type: boolean
inline:
description: Specify additional files, including
data values (optional)
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their
content; not recommended for sensitive values
as CR is not encrypted (optional)
type: object
pathsFrom:
description: Specifies content via secrets and
config maps; data values are recommended to
be placed in secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place
files found in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
paths:
description: Lists paths to provide to ytt explicitly
(optional)
items:
type: string
type: array
strict:
description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
(optional; default=false)
type: boolean
valuesFrom:
description: Provide values via ytt's --data-values-file
(optional; v0.19.0-alpha.9)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects
a field of the app: only annotations,
labels, uid, name and namespace
are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running
KappController version, defaults
(empty) to retrieving the current
running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running
KubernetesAPIs from cluster, defaults
(empty) to retrieving the APIs
from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running
Kubernetes version from cluster,
defaults (empty) to retrieving
the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
type: object
type: array
type: object
required:
- spec
type: object
# openAPIv3 is declared with x-kubernetes-preserve-unknown-fields: true, so
# the API server stores whatever is placed under it without pruning it or
# checking it against a schema. Anything that parses or renders this value
# should treat it as unvalidated input from the package author.
valuesSchema:
  description: valuesSchema can be used to show template values that
    can be configured by users when a Package is installed in an OpenAPI
    schema format.
  properties:
    openAPIv3:
      nullable: true
      type: object
      x-kubernetes-preserve-unknown-fields: true
  type: object
version:
description: Package version; Referenced by PackageInstall; Must be
valid semver (required) Cannot be empty
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: apps.kappctrl.k14s.io
spec:
group: kappctrl.k14s.io
names:
categories:
- carvel
kind: App
listKind: AppList
plural: apps
singular: app
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Friendly description
jsonPath: .status.friendlyDescription
name: Description
type: string
- description: Last time app started being deployed. Does not mean anything was
changed.
jsonPath: .status.deploy.startedAt
name: Since-Deploy
type: date
- description: Time since creation
jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: 'An App is a set of Kubernetes resources. These resources could
span any number of namespaces or could be cluster-wide (e.g. CRDs). An App
is represented in kapp-controller using a App CR. The App CR comprises of
three main sections: spec.fetch declare source for fetching configuration
and OCI images spec.template declare templating tool and values spec.deploy
declare deployment tool and any deploy specific configuration'
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
canceled:
description: Cancels current and future reconciliations (optional;
default=false)
type: boolean
# Optional remote-cluster target for an App.
# The referenced Secret holds a kubeconfig, which typically carries the
# credentials for the destination cluster: anyone who can read Secrets in the
# App's namespace can reuse them. Scope that kubeconfig's identity to what the
# App actually needs to deploy.
cluster:
  description: Specifies that app should be deployed to destination
    cluster; by default, cluster is same as where this resource resides
    (optional; v0.5.0+)
  properties:
    kubeconfigSecretRef:
      description: Specifies secret containing kubeconfig (required)
      properties:
        key:
          description: Specifies key that contains kubeconfig (optional)
          type: string
        name:
          description: Specifies secret name within app's namespace
            (required)
          type: string
      type: object
    namespace:
      description: Specifies namespace in destination cluster (optional)
      type: string
  type: object
# Deploy step of an App; kapp is the only deployer defined.
# The three rawOptions lists are arrays of free-form strings that the
# descriptions say are passed through to kapp. The schema does not restrict
# which options may appear, so whoever can write an App chooses the flags
# kapp runs with.
# NOTE(review): confirm whether the controller filters these options.
deploy:
  items:
    properties:
      kapp:
        description: Use kapp to deploy resources
        properties:
          delete:
            description: Configuration for delete command (optional)
            properties:
              rawOptions:
                description: Pass through options to kapp delete (optional)
                items:
                  type: string
                type: array
            type: object
          inspect:
            description: 'Configuration for inspect command (optional)
              as of kapp-controller v0.31.0, inspect is disabled by
              default add rawOptions or use an empty inspect config
              like `inspect: {}` to enable'
            properties:
              rawOptions:
                description: Pass through options to kapp inspect (optional)
                items:
                  type: string
                type: array
            type: object
          # intoNs and mapNs rewrite the namespace of the deployed resources;
          # review them together with the RBAC of the deploying identity.
          intoNs:
            description: Override namespace for all resources (optional)
            type: string
          mapNs:
            description: Provide custom namespace override mapping (optional)
            items:
              type: string
            type: array
          rawOptions:
            description: Pass through options to kapp deploy (optional)
            items:
              type: string
            type: array
        type: object
    type: object
  type: array
fetch:
items:
properties:
# Fetch source: clone a git repository.
git:
  description: Uses git to clone repository
  properties:
    lfsSkipSmudge:
      description: Skip lfs download (optional)
      type: boolean
    # A branch or tag can be moved after review; a commit id pins the content.
    ref:
      description: Branch, tag, commit; origin is the name of
        the remote (optional)
      type: string
    # Resolves a ref from a semver constraint, so the fetched content changes
    # when a newer matching ref is published.
    refSelection:
      description: Specifies a strategy to resolve to an explicit
        ref (optional; v0.24.0+)
      properties:
        semver:
          properties:
            constraints:
              type: string
            prereleases:
              properties:
                identifiers:
                  items:
                    type: string
                  type: array
              type: object
          type: object
      type: object
    # Per the description, when the Secret has no ssh-knownhosts key git does
    # not perform strict host checking, i.e. the SSH server's identity is not
    # verified. Provide ssh-knownhosts whenever ssh-privatekey is used.
    secretRef:
      description: 'Secret with auth details. allowed keys: ssh-privatekey,
        ssh-knownhosts, username, password (optional) (if ssh-knownhosts
        is not specified, git will not perform strict host checking)'
      properties:
        name:
          description: Object is expected to be within same namespace
          type: string
      type: object
    subPath:
      description: Grab only portion of repository (optional)
      type: string
    # The schema only requires a string; no URL scheme is enforced here.
    # NOTE(review): the description says "http or ssh" — confirm whether that
    # includes https, and prefer an authenticated transport.
    url:
      description: http or ssh urls are supported (required)
      type: string
  type: object
helmChart:
description: Uses helm fetch to fetch specified chart
properties:
name:
description: 'Example: stable/redis'
type: string
repository:
properties:
secretRef:
properties:
name:
description: Object is expected to be within same
namespace
type: string
type: object
url:
description: Repository url; scheme of oci:// will fetch
experimental helm oci chart (v0.19.0+) (required)
type: string
type: object
version:
type: string
type: object
# Fetch source: download a file or archive over HTTP(S).
http:
  description: Uses http library to fetch file
  properties:
    # NOTE(review): if url uses plain http, the username/password from this
    # Secret would presumably travel unencrypted — confirm and use https.
    secretRef:
      description: 'Secret to provide auth details (optional)
        Secret may include one or more keys: username, password'
      properties:
        name:
          description: Object is expected to be within same namespace
          type: string
      type: object
    # Optional checksum. When it is omitted nothing in this schema ties the
    # download to known content, so set it for any artifact that is meant to
    # be immutable.
    sha256:
      description: Checksum to verify after download (optional)
      type: string
    subPath:
      description: Grab only portion of download (optional)
      type: string
    # Both http and https are accepted per the description; the schema itself
    # enforces only "type: string".
    url:
      description: 'URL can point to one of following formats:
        text, tgz, zip http and https url are supported; plain
        file, tgz and tar types are supported (required)'
      type: string
  type: object
# Fetch source: pull content from a Docker/OCI registry.
image:
  description: Pulls content from Docker/OCI registry
  properties:
    # Without this Secret the pull is anonymous (see description).
    secretRef:
      description: 'Secret may include one or more keys: username,
        password, token. By default anonymous access is used for
        authentication.'
      properties:
        name:
          description: Object is expected to be within same namespace
          type: string
      type: object
    subPath:
      description: Grab only portion of image (optional)
      type: string
    # Picks a tag from a semver constraint, so the pulled content changes when
    # a newer matching tag is pushed to the registry.
    tagSelection:
      description: Specifies a strategy to choose a tag (optional;
        v0.24.0+) if specified, do not include a tag in url key
      properties:
        semver:
          properties:
            constraints:
              type: string
            prereleases:
              properties:
                identifiers:
                  items:
                    type: string
                  type: array
              type: object
          type: object
      type: object
    # Tagged and digest references are both accepted. A tag can be repointed
    # in the registry; a digest reference pins the exact content.
    url:
      description: 'Docker image url; unqualified, tagged, or
        digest references supported (required) Example: username/app1-config:v0.1.0'
      type: string
  type: object
imgpkgBundle:
description: Pulls imgpkg bundle from Docker/OCI registry (v0.17.0+)
properties:
image:
description: Docker image url; unqualified, tagged, or digest
references supported (required)
type: string
secretRef:
description: 'Secret may include one or more keys: username,
password, token. By default anonymous access is used for
authentication.'
properties:
name:
description: Object is expected to be within same namespace
type: string
type: object
tagSelection:
description: Specifies a strategy to choose a tag (optional;
v0.24.0+) if specified, do not include a tag in url key
properties:
semver:
properties:
constraints:
type: string
prereleases:
properties:
identifiers:
items:
type: string
type: array
type: object
type: object
type: object
type: object
# Fetch source: content embedded in the App or read from Secrets and
# ConfigMaps.
inline:
  description: Pulls content from within this resource; or other
    resources in the cluster
  properties:
    # Content placed here is stored in the custom resource itself and is
    # readable by anyone allowed to get that resource; the description warns
    # against putting sensitive values here.
    paths:
      additionalProperties:
        type: string
      description: Specifies mapping of paths to their content;
        not recommended for sensitive values as CR is not encrypted
        (optional)
      type: object
    pathsFrom:
      description: Specifies content via secrets and config maps;
        data values are recommended to be placed in secrets (optional)
      items:
        properties:
          configMapRef:
            properties:
              # The description mentions "secret" although this is the
              # ConfigMap reference; the wording matches secretRef below.
              # NOTE(review): directoryPath is an unconstrained string here;
              # confirm the controller keeps it inside the fetch directory.
              directoryPath:
                description: Specifies where to place files found
                  in secret (optional)
                type: string
              name:
                type: string
            type: object
          secretRef:
            properties:
              directoryPath:
                description: Specifies where to place files found
                  in secret (optional)
                type: string
              name:
                type: string
            type: object
        type: object
      type: array
  type: object
path:
description: Relative path to place the fetched artifacts
type: string
type: object
type: array
noopDelete:
description: Deletion requests for the App will result in the App
CR being deleted, but its associated resources will not be deleted
(optional; default=false; v0.18.0+)
type: boolean
paused:
description: Pauses _future_ reconciliation; does _not_ affect currently
running reconciliation (optional; default=false)
type: boolean
serviceAccountName:
description: Specifies that app should be deployed authenticated via
given service account, found in this namespace (optional; v0.6.0+)
type: string
syncPeriod:
description: Specifies the length of time to wait, in time + unit
format, before reconciling. Always >= 30s. If value below 30s is
specified, 30s will be used. (optional; v0.9.0+; default=30s)
type: string
template:
items:
properties:
cue:
properties:
inputExpression:
description: Cue expression for single path component, can
be used to unify ValuesFrom into a given field (optional)
type: string
outputExpression:
description: Cue expression to output, default will export
all visible fields (optional)
type: string
paths:
description: Explicit list of files/directories (optional)
items:
type: string
type: array
valuesFrom:
description: Provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects a field
of the app: only annotations, labels,
uid, name and namespace are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running KappController
version, defaults (empty) to retrieving
the current running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running KubernetesAPIs
from cluster, defaults (empty) to retrieving
the APIs from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running Kubernetes
version from cluster, defaults (empty)
to retrieving the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
helmTemplate:
description: Use helm template command to render helm chart
properties:
kubernetesAPIs:
description: 'Optional: Use kubernetes group/versions resources
available in the live cluster'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get Kubernetes version, defaults
(empty) to retrieving the version from the cluster. Can
be manually overridden to a value instead.'
properties:
version:
type: string
type: object
name:
description: Set name explicitly, default is App CR's name
(optional; v0.13.0+)
type: string
namespace:
description: Set namespace explicitly, default is App CR's
namespace (optional; v0.13.0+)
type: string
path:
description: Path to chart (optional; v0.13.0+)
type: string
valuesFrom:
description: One or more secrets, config maps, paths that
provide values (optional)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects a field
of the app: only annotations, labels,
uid, name and namespace are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running KappController
version, defaults (empty) to retrieving
the current running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running KubernetesAPIs
from cluster, defaults (empty) to retrieving
the APIs from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running Kubernetes
version from cluster, defaults (empty)
to retrieving the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
jsonnet:
description: TODO implement jsonnet
type: object
kbld:
description: Use kbld to resolve image references to use digests
properties:
paths:
items:
type: string
type: array
type: object
kustomize:
description: TODO implement kustomize
type: object
sops:
description: Use sops to decrypt *.sops.yml files (optional;
v0.11.0+)
properties:
age:
properties:
privateKeysSecretRef:
description: Secret with private armored PGP private
keys (required)
properties:
name:
type: string
type: object
type: object
paths:
description: Lists paths to decrypt explicitly (optional;
v0.13.0+)
items:
type: string
type: array
pgp:
description: Use PGP to decrypt files (required)
properties:
privateKeysSecretRef:
description: Secret with private armored PGP private
keys (required)
properties:
name:
type: string
type: object
type: object
type: object
ytt:
description: Use ytt to template configuration
properties:
fileMarks:
description: Control metadata about input files passed to
ytt (optional; v0.18.0+) see https://carvel.dev/ytt/docs/latest/file-marks/
for more details
items:
type: string
type: array
ignoreUnknownComments:
description: Ignores comments that ytt doesn't recognize
(optional; default=false)
type: boolean
inline:
description: Specify additional files, including data values
(optional)
properties:
paths:
additionalProperties:
type: string
description: Specifies mapping of paths to their content;
not recommended for sensitive values as CR is not
encrypted (optional)
type: object
pathsFrom:
description: Specifies content via secrets and config
maps; data values are recommended to be placed in
secrets (optional)
items:
properties:
configMapRef:
properties:
directoryPath:
description: Specifies where to place files
found in secret (optional)
type: string
name:
type: string
type: object
secretRef:
properties:
directoryPath:
description: Specifies where to place files
found in secret (optional)
type: string
name:
type: string
type: object
type: object
type: array
type: object
paths:
description: Lists paths to provide to ytt explicitly (optional)
items:
type: string
type: array
strict:
description: Forces strict mode https://github.com/k14s/ytt/blob/develop/docs/strict.md
(optional; default=false)
type: boolean
valuesFrom:
description: Provide values via ytt's --data-values-file
(optional; v0.19.0-alpha.9)
items:
properties:
configMapRef:
properties:
name:
type: string
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldPath:
description: 'Required: Selects a field
of the app: only annotations, labels,
uid, name and namespace are supported.'
type: string
kappControllerVersion:
description: 'Optional: Get running KappController
version, defaults (empty) to retrieving
the current running version.. Can be manually
supplied instead.'
properties:
version:
type: string
type: object
kubernetesAPIs:
description: 'Optional: Get running KubernetesAPIs
from cluster, defaults (empty) to retrieving
the APIs from the cluster. Can be manually
supplied instead, e.g ["group/version",
"group2/version2"]'
properties:
groupVersions:
items:
type: string
type: array
type: object
kubernetesVersion:
description: 'Optional: Get running Kubernetes
version from cluster, defaults (empty)
to retrieving the version from the cluster.
Can be manually supplied instead.'
properties:
version:
type: string
type: object
name:
type: string
type: object
type: array
type: object
path:
type: string
secretRef:
properties:
name:
type: string
type: object
type: object
type: array
type: object
type: object
type: array
type: object
status:
properties:
conditions:
items:
properties:
message:
description: Human-readable message indicating details about
last transition.
type: string
reason:
description: Unique, this should be a short, machine understandable
string that gives the reason for condition's last transition.
If it reports "ResizeStarted" that means the underlying persistent
volume is being resized.
type: string
status:
type: string
type:
description: ConditionType represents reconciler state
type: string
required:
- status
- type
type: object
type: array
consecutiveReconcileFailures:
type: integer
consecutiveReconcileSuccesses:
type: integer
deploy:
properties:
error:
type: string
exitCode:
type: integer
finished:
type: boolean
kapp:
description: KappDeployStatus contains the associated AppCR deployed
resources
properties:
associatedResources:
description: AssociatedResources contains the associated App
label, namespaces and GKs
properties:
groupKinds:
items:
description: GroupKind specifies a Group and a Kind,
but does not force a version. This is useful for
identifying concepts during lookup stages without
having partially valid types
properties:
group:
type: string
kind:
type: string
required:
- group
- kind
type: object
type: array
label:
type: string
namespaces:
items:
type: string
type: array
type: object
type: object
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
fetch:
properties:
error:
type: string
exitCode:
type: integer
startedAt:
format: date-time
type: string
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
friendlyDescription:
type: string
inspect:
properties:
error:
type: string
exitCode:
type: integer
stderr:
type: string
stdout:
type: string
updatedAt:
format: date-time
type: string
type: object
managedAppName:
type: string
observedGeneration:
description: Populated based on metadata.generation when controller
observes a change to the resource; if this value is out of data,
other status fields do not reflect latest state
format: int64
type: integer
template:
properties:
error:
type: string
exitCode:
type: integer
stderr:
type: string
updatedAt:
format: date-time
type: string
type: object
usefulErrorMessage:
type: string
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
---
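# CustomResourceDefinition for PackageInstall (packaging.carvel.dev/v1alpha1).
# Namespaced; short name `pkgi`. The schema below is what the API server
# validates PackageInstall objects against.
#
# Review notes:
# - spec.serviceAccountName selects the identity used to install package
#   contents, so write access to packageinstalls in a namespace should be
#   reviewed together with the privileges of the service accounts there.
# - spec.cluster.kubeconfigSecretRef and spec.values[].secretRef name Secrets;
#   the schema places no constraint on which Secret names are allowed.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: packageinstalls.packaging.carvel.dev
spec:
  group: packaging.carvel.dev
  names:
    categories:
    - carvel
    kind: PackageInstall
    listKind: PackageInstallList
    plural: packageinstalls
    shortNames:
    - pkgi
    singular: packageinstall
  scope: Namespaced
  versions:
  # Columns printed by `kubectl get pkgi`.
  - additionalPrinterColumns:
    - description: PackageMetadata name
      jsonPath: .spec.packageRef.refName
      name: Package name
      type: string
    - description: PackageMetadata version
      jsonPath: .status.version
      name: Package version
      type: string
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: A Package Install is an actual installation of a package and
          its underlying resources on a Kubernetes cluster. It is represented in kapp-controller
          by a PackageInstall CR. A PackageInstall CR must reference a Package CR.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              canceled:
                description: Canceled when set to true will stop all active changes
                type: boolean
              # Optional remote target. The kubeconfig is read from a Secret, so
              # whoever can write that Secret controls where the package lands.
              cluster:
                description: Specifies that Package should be deployed to destination
                  cluster; by default, cluster is same as where this resource resides
                  (optional)
                properties:
                  kubeconfigSecretRef:
                    description: Specifies secret containing kubeconfig (required)
                    properties:
                      key:
                        description: Specifies key that contains kubeconfig (optional)
                        type: string
                      name:
                        description: Specifies secret name within app's namespace
                          (required)
                        type: string
                    type: object
                  namespace:
                    description: Specifies namespace in destination cluster (optional)
                    type: string
                type: object
              noopDelete:
                description: When NoopDelete set to true, PackageInstall deletion
                  should delete PackageInstall/App CR but preserve App's associated
                  resources.
                type: boolean
              # versionSelection.constraints is a free-form string here; the
              # schema itself does not restrict which versions may be chosen.
              packageRef:
                description: Specifies the name of the package to install (required)
                properties:
                  refName:
                    type: string
                  versionSelection:
                    properties:
                      constraints:
                        type: string
                      prereleases:
                        properties:
                          identifiers:
                            items:
                              type: string
                            type: array
                        type: object
                    type: object
                type: object
              paused:
                description: Paused when set to true will ignore all pending changes,
                  once it set back to false, pending changes will be applied
                type: boolean
              # Identity the install runs as. Presumably resolved in the
              # PackageInstall's own namespace; confirm against kapp-controller docs.
              serviceAccountName:
                description: Specifies service account that will be used to install
                  underlying package contents
                type: string
              syncPeriod:
                description: Controls frequency of App reconciliation in time + unit
                  format. Always >= 30s. If value below 30s is specified, 30s will
                  be used.
                type: string
              # Only Secret references are accepted as value sources in this schema.
              values:
                description: Values to be included in package's templating step (currently
                  only included in the first templating step) (optional)
                items:
                  properties:
                    secretRef:
                      properties:
                        key:
                          type: string
                        name:
                          type: string
                      type: object
                  type: object
                type: array
            type: object
          # Written through the status subresource declared at the end of this
          # version entry.
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      description: ConditionType represents reconciler state
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              friendlyDescription:
                type: string
              lastAttemptedVersion:
                description: LastAttemptedVersion specifies what version was last
                  attempted to be installed. It does _not_ indicate it was successfully
                  installed.
                type: string
              observedGeneration:
                description: Populated based on metadata.generation when controller
                  observes a change to the resource; if this value is out of data,
                  other status fields do not reflect latest state
                format: int64
                type: integer
              usefulErrorMessage:
                type: string
              version:
                description: TODO this is desired resolved version (not actually deployed)
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}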
---
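# CustomResourceDefinition for PackageRepository (packaging.carvel.dev/v1alpha1).
# Namespaced; short name `pkgr`. A repository is a source of packages, so every
# fetch method below is a supply-chain trust decision: adding a repository
# makes all of its packages installable by users of the cluster (see the
# schema description).
#
# Review notes on the fetch methods, all taken from the field descriptions:
# - git: without an `ssh-knownhosts` key in the referenced Secret, strict host
#   key checking is not performed.
# - http: plain http URLs are accepted and `sha256` is optional, so integrity
#   of the download is only checked when the author sets the checksum.
# - image / imgpkgBundle: tag, digest or semver tag selection are all allowed;
#   only a digest reference pins the exact content.
# - inline.paths: stored in the CR itself, which is not encrypted.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Names the namespace created at the top of this file for globally
    # visible packages.
    packaging.carvel.dev/global-namespace: kapp-controller-packaging-global
  name: packagerepositories.packaging.carvel.dev
spec:
  group: packaging.carvel.dev
  names:
    categories:
    - carvel
    kind: PackageRepository
    listKind: PackageRepositoryList
    plural: packagerepositories
    shortNames:
    - pkgr
    singular: packagerepository
  scope: Namespaced
  versions:
  # Columns printed by `kubectl get pkgr`.
  - additionalPrinterColumns:
    - description: Time since creation
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: Friendly description
      jsonPath: .status.friendlyDescription
      name: Description
      type: string
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: A package repository is a collection of packages and their metadata.
          Similar to a maven repository or a rpm repository, adding a package repository
          to a cluster gives users of that cluster the ability to install any of the
          packages from that repository.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # `fetch` is the only required spec field (see `required` below).
              fetch:
                properties:
                  git:
                    description: Uses git to clone repository containing package list
                    properties:
                      lfsSkipSmudge:
                        description: Skip lfs download (optional)
                        type: boolean
                      # A branch or tag is mutable; a commit is not.
                      ref:
                        description: Branch, tag, commit; origin is the name of the
                          remote (optional)
                        type: string
                      refSelection:
                        description: Specifies a strategy to resolve to an explicit
                          ref (optional; v0.24.0+)
                        properties:
                          semver:
                            properties:
                              constraints:
                                type: string
                              prereleases:
                                properties:
                                  identifiers:
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                        type: object
                      # For ssh URLs, supply ssh-knownhosts; otherwise the
                      # remote host key is not strictly verified.
                      secretRef:
                        description: 'Secret with auth details. allowed keys: ssh-privatekey,
                          ssh-knownhosts, username, password (optional) (if ssh-knownhosts
                          is not specified, git will not perform strict host checking)'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      subPath:
                        description: Grab only portion of repository (optional)
                        type: string
                      url:
                        description: http or ssh urls are supported (required)
                        type: string
                    type: object
                  http:
                    description: Uses http library to fetch file containing packages
                    properties:
                      # Credentials referenced here are sent to `url`; over plain
                      # http they would not be protected in transit.
                      secretRef:
                        description: 'Secret to provide auth details (optional) Secret
                          may include one or more keys: username, password'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      # Optional in the schema; setting it is the only integrity
                      # check this fetch method describes.
                      sha256:
                        description: Checksum to verify after download (optional)
                        type: string
                      subPath:
                        description: Grab only portion of download (optional)
                        type: string
                      url:
                        description: 'URL can point to one of following formats: text,
                          tgz, zip http and https url are supported; plain file, tgz
                          and tar types are supported (required)'
                        type: string
                    type: object
                  image:
                    description: Image url; unqualified, tagged, or digest references
                      supported (required)
                    properties:
                      secretRef:
                        description: 'Secret may include one or more keys: username,
                          password, token. By default anonymous access is used for
                          authentication.'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      subPath:
                        description: Grab only portion of image (optional)
                        type: string
                      # Semver selection follows whatever tags the registry
                      # serves at reconcile time.
                      tagSelection:
                        description: Specifies a strategy to choose a tag (optional;
                          v0.24.0+) if specified, do not include a tag in url key
                        properties:
                          semver:
                            properties:
                              constraints:
                                type: string
                              prereleases:
                                properties:
                                  identifiers:
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                        type: object
                      url:
                        description: 'Docker image url; unqualified, tagged, or digest
                          references supported (required) Example: username/app1-config:v0.1.0'
                        type: string
                    type: object
                  imgpkgBundle:
                    description: Pulls imgpkg bundle from Docker/OCI registry
                    properties:
                      image:
                        description: Docker image url; unqualified, tagged, or digest
                          references supported (required)
                        type: string
                      secretRef:
                        description: 'Secret may include one or more keys: username,
                          password, token. By default anonymous access is used for
                          authentication.'
                        properties:
                          name:
                            description: Object is expected to be within same namespace
                            type: string
                        type: object
                      tagSelection:
                        description: Specifies a strategy to choose a tag (optional;
                          v0.24.0+) if specified, do not include a tag in url key
                        properties:
                          semver:
                            properties:
                              constraints:
                                type: string
                              prereleases:
                                properties:
                                  identifiers:
                                    items:
                                      type: string
                                    type: array
                                type: object
                            type: object
                        type: object
                    type: object
                  inline:
                    description: Pull content from within this resource; or other
                      resources in the cluster
                    properties:
                      # Readable by anyone who can read the PackageRepository.
                      paths:
                        additionalProperties:
                          type: string
                        description: Specifies mapping of paths to their content;
                          not recommended for sensitive values as CR is not encrypted
                          (optional)
                        type: object
                      pathsFrom:
                        description: Specifies content via secrets and config maps;
                          data values are recommended to be placed in secrets (optional)
                        items:
                          properties:
                            configMapRef:
                              properties:
                                directoryPath:
                                  description: Specifies where to place files found
                                    in secret (optional)
                                  type: string
                                name:
                                  type: string
                              type: object
                            secretRef:
                              properties:
                                directoryPath:
                                  description: Specifies where to place files found
                                    in secret (optional)
                                  type: string
                                name:
                                  type: string
                              type: object
                          type: object
                        type: array
                    type: object
                type: object
              paused:
                description: Paused when set to true will ignore all pending changes,
                  once it set back to false, pending changes will be applied
                type: boolean
              syncPeriod:
                description: Controls frequency of PackageRepository reconciliation
                type: string
            required:
            - fetch
            type: object
          # Reconciler output. The stdout/stderr/error fields are plain strings
          # readable by anyone allowed to get the resource.
          status:
            properties:
              conditions:
                items:
                  properties:
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, this should be a short, machine understandable
                        string that gives the reason for condition's last transition.
                        If it reports "ResizeStarted" that means the underlying persistent
                        volume is being resized.
                      type: string
                    status:
                      type: string
                    type:
                      description: ConditionType represents reconciler state
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              consecutiveReconcileFailures:
                type: integer
              consecutiveReconcileSuccesses:
                type: integer
              deploy:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  finished:
                    type: boolean
                  kapp:
                    description: KappDeployStatus contains the associated AppCR deployed
                      resources
                    properties:
                      associatedResources:
                        description: AssociatedResources contains the associated App
                          label, namespaces and GKs
                        properties:
                          groupKinds:
                            items:
                              description: GroupKind specifies a Group and a Kind,
                                but does not force a version.  This is useful for
                                identifying concepts during lookup stages without
                                having partially valid types
                              properties:
                                group:
                                  type: string
                                kind:
                                  type: string
                              required:
                              - group
                              - kind
                              type: object
                            type: array
                          label:
                            type: string
                          namespaces:
                            items:
                              type: string
                            type: array
                        type: object
                    type: object
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              fetch:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  startedAt:
                    format: date-time
                    type: string
                  stderr:
                    type: string
                  stdout:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              friendlyDescription:
                type: string
              observedGeneration:
                description: Populated based on metadata.generation when controller
                  observes a change to the resource; if this value is out of data,
                  other status fields do not reflect latest state
                format: int64
                type: integer
              template:
                properties:
                  error:
                    type: string
                  exitCode:
                    type: integer
                  stderr:
                    type: string
                  updatedAt:
                    format: date-time
                    type: string
                type: object
              usefulErrorMessage:
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}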
---
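# Deployment of the kapp-controller pod: one controller container plus a
# `sidecarexec` container started from the same image. Both containers refer
# to the image by sha256 digest, so the content cannot change under the tag.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kapp-controller.carvel.dev/version: v0.47.0
    # Build provenance recorded by kbld. Note `dirty: true`: the image was
    # built from a tree with uncommitted changes, so the listed commit sha
    # alone does not fully describe the source. The digest in `url` matches
    # the `image:` fields below.
    kbld.k14s.io/images: |
      - origins:
        - local:
            path: /home/runner/work/kapp-controller/kapp-controller
        - git:
            dirty: true
            remoteURL: https://github.com/carvel-dev/kapp-controller
            sha: 2165849357e783c711ff11e500a8a763c3a7b0a5
            tags:
            - v0.47.0
        url: ghcr.io/carvel-dev/kapp-controller@sha256:f07bedf5d757115462cac09c76ad5b10abcad5f2d7d89e093e4637f1027938d6
  name: kapp-controller
  namespace: kapp-controller
spec:
  replicas: 1
  # No old ReplicaSets are kept, so `kubectl rollout undo` has nothing to
  # return to.
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: kapp-controller
  template:
    metadata:
      labels:
        app: kapp-controller
    spec:
      # No pod-level securityContext is set; hardening is per container. Neither
      # container sets seccompProfile or runAsUser, so `runAsNonRoot: true`
      # depends on the image declaring a non-root numeric user.
      containers:
      - args:
        - -packaging-global-namespace=kapp-controller-packaging-global
        - -enable-api-priority-and-fairness=True
        # Passed with an empty value. NOTE(review): presumably this leaves the
        # server on its default cipher suites; confirm against the flag's docs.
        - -tls-cipher-suites=
        env:
        - name: KAPPCTRL_MEM_TMP_DIR
          value: /etc/kappctrl-mem-tmp
        # Unix socket shared with the sidecar through the template-fs volume.
        - name: KAPPCTRL_SIDECAREXEC_SOCK
          value: /etc/kappctrl-mem-tmp/sidecarexec.sock
        - name: KAPPCTRL_SYSTEM_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # Quoted so the env value stays a string. Matches containerPort `api`,
        # which the packaging-api Service at the top of the file targets.
        - name: KAPPCTRL_API_PORT
          value: "10350"
        image: ghcr.io/carvel-dev/kapp-controller@sha256:f07bedf5d757115462cac09c76ad5b10abcad5f2d7d89e093e4637f1027938d6
        name: kapp-controller
        ports:
        - containerPort: 10350
          name: api
          protocol: TCP
        # Requests only; no limits are declared for either container.
        resources:
          requests:
            cpu: 120m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
        volumeMounts:
        - mountPath: /etc/kappctrl-mem-tmp
          name: template-fs
        - mountPath: /home/kapp-controller
          name: home
      - args:
        - --sidecarexec
        env:
        - name: KAPPCTRL_SIDECAREXEC_SOCK
          value: /etc/kappctrl-mem-tmp/sidecarexec.sock
        # NOTE(review): presumably enables cloud-provider registry credential
        # lookup (GKE, AKS, ECR) for image pulls; trim to the providers in use.
        - name: IMGPKG_ACTIVE_KEYCHAINS
          value: gke,aks,ecr
        image: ghcr.io/carvel-dev/kapp-controller@sha256:f07bedf5d757115462cac09c76ad5b10abcad5f2d7d89e093e4637f1027938d6
        name: kapp-controller-sidecarexec
        resources:
          requests:
            cpu: 120m
            memory: 100Mi
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          # Unlike the controller container, the root filesystem is writable.
          readOnlyRootFilesystem: false
          runAsNonRoot: true
        volumeMounts:
        - mountPath: /etc/kappctrl-mem-tmp
          name: template-fs
        - mountPath: /home/kapp-controller
          name: home
        # An empty volume is mounted at the service account token path, so this
        # container appears intended to run without the pod's API token. Keep
        # this mount if the pod spec is ever edited.
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: empty-sa
      # `serviceAccount` is the deprecated alias of `serviceAccountName`; it is
      # kept as shipped in this release file.
      serviceAccount: kapp-controller-sa
      volumes:
      # Memory-backed scratch space with no sizeLimit; usage counts toward the
      # pod's memory.
      - emptyDir:
          medium: Memory
        name: template-fs
      - emptyDir:
          medium: Memory
        name: home
      - emptyDir: {}
        name: empty-sa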
---
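# Identity of the kapp-controller pod. Further down this file it is bound to
# kapp-controller-cluster-role (cluster-wide), to system:auth-delegator, and to
# extension-apiserver-authentication-reader in kube-system.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kapp-controller-sa
  namespace: kapp-controller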
---
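# Cluster-wide permissions of the controller's service account (bound by
# kapp-controller-cluster-role-binding in this file). No rule uses
# resourceNames, so every grant applies to all objects of that type in all
# namespaces.
#
# Review notes:
# - `create` on serviceaccounts/token lets this identity request a token for
#   any service account in the cluster. Together with read access to all
#   Secrets, the controller should be treated as a highly privileged workload:
#   restrict who can modify the kapp-controller namespace, its Deployment and
#   its pods, and alert on changes to them.
# - `update` on apiservices and namespaces is likewise not limited to the
#   objects this release creates.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kapp-controller-cluster-role
rules:
# Read and create (but not update or delete) Secrets in every namespace.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
# TokenRequest for any service account; see the note at the top.
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
# Full control of the controller's own custom resources.
- apiGroups:
  - kappctrl.k14s.io
  resources:
  - apps
  - apps/status
  verbs:
  - '*'
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packageinstalls
  - packageinstalls/status
  - packageinstalls/finalizers
  verbs:
  - '*'
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packagerepositories
  - packagerepositories/status
  verbs:
  - '*'
- apiGroups:
  - internal.packaging.carvel.dev
  resources:
  - internalpackagemetadatas
  verbs:
  - '*'
- apiGroups:
  - data.packaging.carvel.dev
  resources:
  - packagemetadatas
  - packagemetadatas/status
  verbs:
  - '*'
- apiGroups:
  - internal.packaging.carvel.dev
  resources:
  - internalpackages
  verbs:
  - '*'
- apiGroups:
  - data.packaging.carvel.dev
  resources:
  - packages
  - packages/status
  verbs:
  - '*'
# All verbs on ConfigMaps in every namespace, including kube-system.
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - '*'
# Can update any APIService, not only v1alpha1.data.packaging.carvel.dev.
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - update
  - get
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
  - watch
  - get
  - update
# Read-only access to admission webhook configurations.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - list
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create
# Read-only; the Deployment passes -enable-api-priority-and-fairness=True.
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - prioritylevelconfigurations
  - flowschemas
  verbs:
  - list
  - watch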
---
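# ClusterRole with write access to Apps and PackageInstalls and read-only
# access to repositories and package data. No binding or aggregation label
# for it appears in the part of this file shown here, so it grants nothing
# until something binds it.
#
# Review notes:
# - It includes read access to Secrets and `create` on serviceaccounts/token.
#   Bound through a ClusterRoleBinding, those grants would apply in every
#   namespace; a namespaced RoleBinding limits them to that namespace.
# - A subject holding this role in a namespace can request tokens for the
#   service accounts there, so its effective privilege is at least that of
#   the most privileged service account in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kapp-controller-user-role
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - serviceaccounts/token
  verbs:
  - create
- apiGroups:
  - kappctrl.k14s.io
  resources:
  - apps
  - apps/status
  verbs:
  - '*'
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packageinstalls
  - packageinstalls/status
  - packageinstalls/finalizers
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - '*'
# Everything below is read-only, unlike the same rules in
# kapp-controller-cluster-role.
- apiGroups:
  - packaging.carvel.dev
  resources:
  - packagerepositories
  - packagerepositories/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - internal.packaging.carvel.dev
  resources:
  - internalpackagemetadatas
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - data.packaging.carvel.dev
  resources:
  - packagemetadatas
  - packagemetadatas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - internal.packaging.carvel.dev
  resources:
  - internalpackages
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - data.packaging.carvel.dev
  resources:
  - packages
  - packages/status
  verbs:
  - get
  - list
  - watch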
---
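# Grants kapp-controller-cluster-role to the controller's service account in
# every namespace. This is the binding that makes the Secret and
# serviceaccounts/token rules of that role cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kapp-controller-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kapp-controller-cluster-role
subjects:
- kind: ServiceAccount
  name: kapp-controller-sa
  namespace: kapp-controller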
---
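# Binds the built-in system:auth-delegator ClusterRole to the controller's
# service account, which allows it to ask the API server to check tokens and
# permissions on behalf of callers. This is the usual grant for a workload
# that serves an aggregated API (here the data.packaging.carvel.dev
# APIService declared at the top of the file).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pkg-apiserver:system:auth-delegator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- kind: ServiceAccount
  name: kapp-controller-sa
  namespace: kapp-controller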
---
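# RoleBinding in kube-system (not in the controller's own namespace) that
# grants the built-in extension-apiserver-authentication-reader Role to the
# controller's service account. The grant is scoped to kube-system by the
# RoleBinding's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pkgserver-auth-reader
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
  name: kapp-controller-sa
  namespace: kapp-controller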