Configuration
Overview ¶
kapp supports custom Config
resource to specify its own configuration. It’s expected to be included with your other Kubernetes configuration. Config resource is never applied to the cluster, though it follows general Kubernetes resource format. Multiple config resources are allowed.
kapp comes with built-in configuration (see it via kapp deploy-config
) that includes rules for common resources.
Format ¶
apiVersion: kapp.k14s.io/v1alpha1
kind: Config
minimumRequiredVersion: 0.23.0
rebaseRules:
- path: [spec, clusterIP]
type: copy
sources: [new, existing]
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: v1, kind: Service}
ownershipLabelRules:
- path: [metadata, labels]
resourceMatchers:
- allMatcher: {}
labelScopingRules:
- path: [spec, selector]
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: v1, kind: Service}
templateRules:
- resourceMatchers:
- apiVersionKindMatcher: {apiVersion: v1, kind: ConfigMap}
affectedResources:
objectReferences:
- path: [spec, template, spec, containers, {allIndexes: true}, env, {allIndexes: true}, valueFrom, configMapKeyRef]
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: apps/v1, kind: Deployment}
- path: [spec, template, spec, containers, {allIndexes: true}, envFrom, {allIndexes: true}, configMapRef]
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: apps/v1, kind: Deployment}
additionalLabels:
department: marketing
cost-center: mar201
diffAgainstLastAppliedFieldExclusionRules:
- path: [metadata, annotations, "deployment.kubernetes.io/revision"]
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: apps/v1, kind: Deployment}
diffAgainstExistingFieldExclusionRules:
- path: [status]
resourceMatchers:
- allMatcher: {}
diffMaskRules:
- path: [data]
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: v1, kind: Secret}
preflightRules:
- name: [preflight]
config:
[preflightSpecific]: [data]
minimumRequiredVersion ¶
minimumRequiredVersion
forces kapp to exit with a validation error if kapp’s version is below minimum required version. Available in v0.23.0+.
rebaseRules ¶
rebaseRules
specify origin of field values.
kapp rebase rules explicitly define how to merge resources during an update. To read more about why rebase rules are necessary, see Resource Merge Method. For examples of rebase rules in use, see HPA and Deployment rebase or PersistentVolumeClaim rebase.
rebaseRules
(array) list of rebase rulespath
(array of strings) specifies location within a resource to rebase. Mutually exclusive withpaths
. Example:[spec, clusterIP]
paths
(array ofpath
) specifies multiple locations within a resource to rebase. This is a convenience for specifying multiple rebase rules with only different paths. Mutually exclusive withpath
. Available in v0.27.0+.type
(string) specifies strategy to modify field values. Allowed values:copy
orremove
.copy
will update the field value;remove
will delete the field.sources
(array ofnew
orexisting
) specifies a preference order for the source of the referenced field value being rebased.new
refers to an updated resource from user input, whereexisting
refers to a resource already in the cluster. If the field value being rebased is not found in any of the sources provided, kapp will error. Only used withtype: copy
.
Examples:[existing, new]
– If field value is present in theexisting
resource on cluster, use that value, otherwise use the value in thenew
user input.[existing]
– Only look for field values in resources already on cluster, corresponding value you provide in new resource will be overwritten.
resourceMatchers
(array) specifies rules to find matching resources. See various resource matchers below.ytt
specifies choice as ytt for rebase rule. Available in v0.38.0+.overlayContractV1
allows to use ytt overlay to modify provided resource based on existing resource.overlay.yml
overlay YAML file.
- Following fields are accessible via
data.values
inside ytt:data.values.existing
resource from live clusterdata.values.new
resource from config (post-prep)data.values._current
resource after previous rebase rules already applied
Rebase rule to copy
the clusterIP
field value to Service
/v1
resources; if clusterIp
is present in the new
user input, use that value, otherwise use the value in existing
resource on cluster:
rebaseRules:
- path: [spec, clusterIP]
type: copy
sources: [new, existing]
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: v1, kind: Service}
Rebase rule to copy
the clusterIP
and healthCheckNodePort
field values from the existing
resource on cluster, to Service
/v1
resources:
rebaseRules:
- paths:
- [spec, clusterIP]
- [spec, healthCheckNodePort]
type: copy
sources: [existing]
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: v1, kind: Service}
See ytt rebase rule (included in default configuration) for retaining cluster added token secret in ServiceAccount’s secrets array.
ownershipLabelRules ¶
ownershipLabelRules
specify locations for inserting kapp generated labels. These labels allow kapp to track which resources belong to which application. For resources that describe creation of other resources (e.g. Deployment
or StatefulSet
), configuration may need to specify where to insert labels for child resources that will be created. kapp.k14s.io/disable-default-ownership-label-rules: ""
(value must be empty) annotation can be be used to exclude an individual resource from default onwership label rules.
labelScopingRules ¶
labelScopingRules
specify locations for inserting kapp generated labels that scope resources to resources within current application. kapp.k14s.io/disable-default-label-scoping-rules: ""
(as of v0.33.0+, or use kapp.k14s.io/disable-label-scoping: ""
in earlier versions) annotation can be used to exclude an individual resource from label scoping.
waitRules ¶
Available in v0.29.0+.
waitRules
specify how to wait for resources that kapp does not wait for by default. Each rule provides a way to specify which status.conditions
indicate success or failure. Once any of the condition matchers successfully match against one of the resource’s conditions, kapp will stop waiting for the matched resource and report any failures. (If this functionality is not enough to wait for resources in your use case, please reach out on Slack to discuss further.)
waitRules:
- supportsObservedGeneration: true
conditionMatchers:
- type: Failed
status: "True"
failure: true
- type: Deployed
status: "True"
success: true
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: corp.com/v1, kind: DatabaseInstance}
waitRules:
- supportsObservedGeneration: true
conditionMatchers:
- type: Ready
status: "False"
failure: true
- type: Ready
status: "True"
success: true
supportsObservedGeneration: true # available at condition level from v0.47.0+
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: corp.com/v1, kind: Application}
Available in v0.48.0+.
ytt waitRules
can be for Custom Resources that don’t have conditions
field in their status
. This allows users to configure arbitrary rules. is_done(resource)
method can be defined as part of a ytt waitRule to return the done state based on resource fields.
waitRules:
- ytt:
funcContractV1:
resource.star: |
def is_done(resource):
state = resource.status.currentState
if state == "Failed":
return {"done": True, "successful": False, "message": "Current state as Failed"}
elif state == "Running":
return {"done": True, "successful": True, "message": "Current state as Running"}
else:
return {"done": False, "successful": False, "message": "Not in Failed or Running state"}
end
end
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: <resource-api-version>, kind: <resource-kind>}
Available in v0.50.0+
unblockChanges
can be used for conditions to unblock any dependent resources. These conditions are treated as non success/failure conditions. It can also be used along with ytt waitRules.
waitRules:
- conditionMatchers:
- type: Progressing
status: "True"
unblockChanges: true
resourceMatchers:
- apiVersionKindMatcher: {apiVersion: corp.com/v1, kind: Application}
templateRules ¶
templateRules
specify how versioned resources affect other resources. In above example, versioned config maps are said to affect deployments. Read more about versioned resources.
additionalLabels ¶
additionalLabels
specify additional labels to apply to all resources for custom uses by the user (added based on ownershipLabelRules
).
diffAgainstLastAppliedFieldExclusionRules ¶
diffAgainstLastAppliedFieldExclusionRules
specify which fields should be removed before diff-ing against last applied resource. These rules are useful for fields are “owned” by the cluster/controllers, and are only later updated. For example Deployment
resource has an annotation that gets set after a little bit of time after resource is created/updated (not during resource admission). It’s typically not necessary to use this configuration.
diffAgainstExistingFieldExclusionRules ¶
diffAgainstExistingFieldExclusionRules
specify which fields should be removed before diff-ing against a resource. These rules are useful for fields that are “owned” by the cluster/controllers, and are only updated later. For example a Custom Resource Definition
resource has a status
field that gets altered now and then, especially between a diff and the actual apply step. It’s typically not necessary to use this configuration.
diffMaskRules ¶
diffMaskRules
specify which field values should be masked in diff. By default v1/Secret
’s data
fields are masked. Currently only applied to deploy
command.
preflightRules ¶
Available in v0.61.0+.
preflightRules
specify configuration for preflight checks. Specifying the name
of a preflight check enables it; additional configuration via the config
field may be optionally provided. The contents of the config
field are specific to each preflight check.
The --preflight
flag overrides the enabled setting in the configuration:
- If a preflight check is omitted from the
--preflight
flag, it is disabled regardless of its presence in the configuration file. - If a preflight check is specified in the
--preflight
flag, it is enabled regardless of its absence in the configuration file.
changeGroupBindings ¶
Available in v0.25.0+.
changeGroupBindings
bind specified change group to resources matched by resource matchers. This is an alternative to using kapp.k14s.io/change-group
annotation to add change group to resources. See kapp deploy-config
for default bindings.
changeRuleBindings ¶
Available in v0.25.0+.
changeRuleBindings
bind specified change rules to resources matched by resource matchers. This is an alternative to using kapp.k14s.io/change-rule
annotation to add change rules to resources. See kapp deploy-config
for default bindings.
Resource matchers ¶
Resource matchers (as used by rebaseRules
, ownershipLabelRules
, labelScopingRules
, templateRules
, diffAgainstLastAppliedFieldExclusionRules
, diffAgainstExistingFieldExclusionRules
and diffMaskRules
):
allMatcher ¶
Matches all resources
allMatcher: {}
anyMatcher ¶
Matches resources that match one of matchers
anyMatcher:
matchers:
- apiVersionKindMatcher: {apiVersion: apps/v1, kind: Deployment}
- apiVersionKindMatcher: {apiVersion: extensions/v1alpha1, kind: Deployment}
notMatcher ¶
Matches any resource that does not match given matcher
notMatcher:
matcher:
apiVersionKindMatcher: {apiVersion: apps/v1, kind: Deployment}
andMatcher ¶
Matches any resource that matches all given matchers
andMatcher:
matchers:
- apiVersionKindMatcher: {apiVersion: apps/v1, kind: Deployment}
- hasNamespaceMatcher: {}
apiGroupKindMatcher ¶
apiGroupKindMatcher: {apiGroup: apps, kind: Deployment}
apiVersionKindMatcher ¶
apiVersionKindMatcher: {apiVersion: apps/v1, kind: Deployment}
kindNamespaceNameMatcher ¶
kindNamespaceNameMatcher: {kind: Deployment, namespace: mysql, name: mysql}
hasAnnotationMatcher ¶
Matches resources that have particular annotation
hasAnnotationMatcher:
keys:
- kapp.k14s.io/change-group
hasNamespaceMatcher ¶
Matches any resource that has a non-empty namespace
hasNamespaceMatcher: {}
Matches any resource with namespace that equals to one of the specified names
hasNamespaceMatcher:
names: [app1, app2]
customResourceMatcher ¶
Matches any resource that is not part of builtin k8s API groups (e.g. apps, batch, etc.). It’s likely that over time some builtin k8s resources would not be matched.
customResourceMatcher: {}
emptyFieldMatcher ¶
Available in v0.34.0+.
Matches any resource that has empty specified field
emptyFieldMatcher:
path: [aggregationRule]
Paths ¶
Path specifies location within a resource (as used rebaseRules
and ownershipLabelRules
):
[spec, clusterIP]
[spec, volumeClaimTemplates, {allIndexes: true}, metadata, labels]
[spec, volumeClaimTemplates, {index: 0}, metadata, labels]
Config wrapped in ConfigMap ¶
Available of v0.34.0+.
Config resource could be wrapped in a ConfigMap to support same deployment configuration by tools that do not understand kapp’s Config
resource directly. ConfigMap carrying kapp config must to be labeled with kapp.k14s.io/config
and have config.yml
data key. Such config maps will be applied to the cluster, unlike config given as Config
resource.
apiVersion: v1
kind: ConfigMap
metadata:
name: my-kapp-config
labels:
kapp.k14s.io/config: ""
data:
config.yml: |
apiVersion: kapp.k14s.io/v1alpha1
kind: Config
rebaseRules:
- path: [rules]
type: copy
sources: [existing, new]
resourceMatchers:
- notMatcher:
matcher:
emptyFieldMatcher:
path: [aggregationRule]
NOTE: kapp
is only affected by a Config
(whether wrapped in a ConfigMap
or not) when supplied as a direct input (i.e. as a -f
argument). Any ConfigMap
containing a Config
is already present in the target cluster has no affect whatsoever on kapp
’s behavior.
(Help improve our docs: edit this page on GitHub)