This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Kluctl GitOps

Kluctl Controller documentation.

GitOps in Kluctl is implemented through the Kluctl Controller, which must be installed to your target cluster.

The Kluctl Controller is a Kubernetes operator which implements the KluctlDeployment custom resource. This resource allows to define a Kluctl deployment that should be constantly reconciled (re-deployed) whenever the deployment changes.

It is suggested to read through the GitOps Recipe to get a basic understanding of how to use it.

Motivation and Philosophy

Kluctl tries its best to implement all its features via Kluctl projects, meaning that the deployments are, at least theoretically, deployable from the CLI at all times. The Kluctl Controller does not add functionality on top of that and thus does not couple your deployments to a running controller.

Instead, the KluctlDeployment custom resource acts as an interface to the deployment. It tries to offer the same functionality and options as offered by the CLI, but through a custom resource instead of a CLI invocation.

As an example, arguments passed via -a arg=value can be passed to the custom resource via the spec.args field. The same applies to options like --dry-run, which equals to spec.dryRun: true in the custom resource. Check the documentation of KluctlDeployment for more such options.

GitOps Commands

Kluctl GitOps deployments can be controlled via the Kluctl CLI interface, e.g. with kluctl gitops deploy --namespace my-ns --name my-deployment, which will trigger a deployment and wait for it to finish.

See commands and the GitOps recipe for more details.

Kluctl Webui

The same deployments can also be controlled and monitored via the Kluctl Webui.

Installation

Installation instructions can be found here

Design

The reconciliation process consists of multiple steps which are constantly repeated:

  • clone the root Kluctl project via Git
  • prepare the Kluctl deployment by rendering the whole deployment
  • deploy the specified target via kluctl deploy if the rendered resources changed
  • prune orphaned objects via kluctl prune
  • validate the deployment status via kluctl validate
  • drift-detection is performed to allow the Kluctl Webui to show drift.

Reconciliation is performed on a configurable interval. A single reconciliation iteration will first clone and prepare the project. Only when the rendered resources indicate a change (by using a hash internally), the controller will initiate a deployment. After the deployment, the controller will also perform pruning (only if prune: true is set).

When the KluctlDeployment is removed from the cluster, the controller cal also delete all resources belonging to that deployment. This will only happen if delete: true is set.

Deletion and pruning is based on the discriminator of the given target.

A KluctlDeployment can be suspended. While suspended, the controller will skip reconciliation, including deletion and pruning.

The API design of the controller can be found at kluctldeployment.gitops.kluctl.io/v1beta1.

Example

After installing the Kluctl Controller, we can create a KluctlDeployment that automatically deploys the Microservices Demo.

Create a KluctlDeployment that uses the demo project source to deploy the test target to the same cluster that the controller runs on.

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: microservices-demo-test
  namespace: kluctl-system
spec:
  interval: 10m
  source:
    git:
      url: https://github.com/kluctl/kluctl-examples.git
      path: "./microservices-demo/3-templating-and-multi-env/"
  timeout: 2m
  target: test
  context: default
  prune: true

This example will deploy a fully-fledged microservices application with multiple backend services, frontends and databases, all via one single KluctlDeployment.

To deploy the same Kluctl project to another target (e.g. prod), simply create the following resource.

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: microservices-demo-prod
  namespace: kluctl-system
spec:
  interval: 10m
  source:
    git:
      url: https://github.com/kluctl/kluctl-examples.git
      path: "./microservices-demo/3-templating-and-multi-env/"
  timeout: 2m
  target: prod
  context: default
  prune: true

1 - Installation

Installing the Kluctl Controller

The controller can be installed via two available options.

Using the “install” sub-command

The kluctl controller install command can be used to install the controller. It will use an embedded version of the Controller Kluctl deployment project found here.

Using a Kluctl deployment

To manage and install the controller via Kluctl, you can use a Git include in your own deployment:

deployments:
  - git:
      url: https://github.com/kluctl/kluctl.git
      subDir: install/controller
      ref:
        tag: v2.26.0

2 - Specs

Kluctl Controller specs

2.1 - v1beta1 specs

gitops.kluctl.io/v1beta1 documentation

gitops.kluctl.io/v1beta1

This is the v1beta1 API specification for defining continuous delivery pipelines of Kluctl Deployments.

Specification

2.1.1 - KluctlDeployment

KluctlDeployment documentation

The KluctlDeployment API defines a deployment of a target from a Kluctl Project.

Example

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: microservices-demo-prod
spec:
  interval: 5m
  source:
    git:
      url: https://github.com/kluctl/kluctl-examples.git
      path: "./microservices-demo/3-templating-and-multi-env/"
  timeout: 2m
  target: prod
  context: default
  prune: true
  delete: true
  manual: true

In the above example a KluctlDeployment is being created that defines the deployment based on the Kluctl project.

The deployment is performed every 5 minutes. It will deploy the prod target and then prune orphaned objects afterward.

When the KluctlDeployment gets deleted, delete: true will cause the controller to actually delete the target resources.

It uses the default context provided by the default service account and thus overrides the context specified in the target definition.

Spec fields

source

The KluctlDeployment spec.source specifies the source repository to be used. Example:

Multiple source types are supported, as described in the following subsections.

Git source

Specifies a Git repository to load the project source from.

Example:

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: example
spec:
  source:
    git:
      url: https://github.com/kluctl/kluctl-examples.git
      path: path/to/project
      ref:
        branch: my-branch
  credentials:
    git:
      - host: github.com
        path: kluctl/*
        secretRef:
          name: git-credentials
  ...

The url specifies the git clone url. It can either be a https or a git/ssh url. Git/Ssh url will require a secret to be provided with credentials.

The path specifies the subdirectory where the Kluctl project is located.

The ref provides the Git reference to be used. The ref field has the same format as in git includes.

See Git authentication for details on authentication via the spec.credentials.git field.

OCI source

Specifies a OCI artifact to load the project source from. The artifact must have been pushed via the kluctl oci push command.

Example:

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: example
spec:
  source:
    oci:
      url: oci://ghcr.io/kluctl/kluctl-examples/simple
      path: my-subdir
      ref:
        tag: latest
  credentials:
    oci:
      - registry: ghcr.io
        repository: kluctl/**
        secretRef:
          name: oci-credentials
  ...

The url specifies the OCI repository url. It must use the oci:// scheme. It is not allowed to add tags or digests to the url. Instead, use the dedicated ref field.

The path specifies the subdirectory where the Kluctl project is located.

The ref provides the Git reference to be used. The ref field has the same format as in oci includes.

See OCI authentication for details on authentication via the spec.credentials.oci field.

interval

See Reconciliation.

deployInterval

If set, the controller will periodically force a deployment, even if the rendered manifests have not changed. See Reconciliation for more details.

timeout

The maximum time granted for the all the work needed to perform in a reconciliation. If timeout is not specified, then the value of deployInterval is used as the default value, but only if it is set. If deployInterval is not set, then the value of interval is used as default.

When a reconciliation takes longer then the determined timeout value, then the reconciliation is aborted with an error.

suspend

See Reconciliation.

target

spec.target specifies the target to be deployed. It must exist in the Kluctl projects kluctl.yaml targets list.

This field is optional and can be omitted if the referenced Kluctl project allows deployments without targets.

targetNameOverride

spec.targetNameOverride will set or override the name of the target. This is equivalent to passing --target-name-override to kluctl deploy.

context

spec.context will override the context used while deploying. This is equivalent to passing --context to kluctl deploy.

deployMode

By default, the operator will perform a full deployment, which is equivalent to using the kluctl deploy command. As an alternative, the controller can be instructed to only perform a kluctl poke-images command. Please see poke-images for details on the command. To do so, set spec.deployMode field to poke-images.

Example:

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: microservices-demo-prod
spec:
  interval: 5m
  source:
    git:
      url: https://github.com/kluctl/kluctl-examples.git
      path: "./microservices-demo/3-templating-and-multi-env/"
  timeout: 2m
  target: prod
  context: default
  deployMode: poke-images

prune

To enable pruning, set spec.prune to true. This will cause the controller to run kluctl prune after each successful deployment.

delete

To enable deletion, set spec.delete to true. This will cause the controller to run kluctl delete when the KluctlDeployment gets deleted.

manual

spec.manual enables manually approved/triggered deployments. This means, that deployments are performed in dry-run mode until the most recent deployment is approved.

This feature is most useful in combination with the Kluctl Webui, which offers a visualisation and proper actions for this feature.

Internally, approval happens by setting spec.manualObjectsHash to the objects hash of the approved command result.

args

spec.args is an object representing arguments passed to the deployment. Example:

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: example
spec:
  interval: 5m
  source:
    git:
      url: https://github.com/kluctl/kluctl-examples.git
      path: "./microservices-demo/3-templating-and-multi-env/"
  timeout: 2m
  target: prod
  context: default
  args:
    arg1: value1
    arg2: value2
    arg3:
      k1: v1
      k2: v2

The above example is equivalent to calling kluctl deploy -t prod -a arg1=value1 -a arg2=value2.

images

spec.images specifies a list of fixed images to be used by image.get_image(...). Example:

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: example
spec:
  interval: 5m
  source:
    git:
      url: https://example.com
  timeout: 2m
  target: prod
  images:
    - image: nginx
      resultImage: nginx:1.21.6
      namespace: example-namespace
      deployment: Deployment/example
    - image: registry.gitlab.com/my-org/my-repo/image
      resultImage: registry.gitlab.com/my-org/my-repo/image:1.2.3

The above example will cause the images.get_image("nginx") invocations of the example Deployment to return nginx:1.21.6. It will also cause all images.get_image("registry.gitlab.com/my-org/my-repo/image") invocations to return registry.gitlab.com/my-org/my-repo/image:1.2.3.

The fixed images provided here take precedence over the ones provided in the target definition.

spec.images is equivalent to calling kluctl deploy -t prod --fixed-image=nginx:example-namespace:Deployment/example=nginx:1.21.6 ... and to kluctl deploy -t prod --fixed-images-file=fixed-images.yaml with fixed-images.yaml containing:

images:
- image: nginx
  resultImage: nginx:1.21.6
  namespace: example-namespace
  deployment: Deployment/example
- image: registry.gitlab.com/my-org/my-repo/image
  resultImage: registry.gitlab.com/my-org/my-repo/image:1.2.3

dryRun

spec.dryRun is a boolean value that turns the deployment into a dry-run deployment. This is equivalent to calling kluctl deploy -t prod --dry-run.

noWait

spec.noWait is a boolean value that disables all internal waiting (hooks and readiness). This is equivalent to calling kluctl deploy -t prod --no-wait.

forceApply

spec.forceApply is a boolean value that causes kluctl to solve conflicts via force apply. This is equivalent to calling kluctl deploy -t prod --force-apply.

replaceOnError and forceReplaceOnError

spec.replaceOnError and spec.forceReplaceOnError are both boolean values that cause kluctl to perform a replace after a failed apply. forceReplaceOnError goes a step further and deletes and recreates the object in question. These are equivalent to calling kluctl deploy -t prod --replace-on-error and kluctl deploy -t prod --force-replace-on-error.

abortOnError

spec.abortOnError is a boolean value that causes kluctl to abort as fast as possible in case of errors. This is equivalent to calling kluctl deploy -t prod --abort-on-error.

includeTags, excludeTags, includeDeploymentDirs and excludeDeploymentDirs

spec.includeTags and spec.excludeTags are lists of tags to be used in inclusion/exclusion logic while deploying. These are equivalent to calling kluctl deploy -t prod --include-tag <tag1> and kluctl deploy -t prod --exclude-tag <tag2>.

spec.includeDeploymentDirs and spec.excludeDeploymentDirs are lists of relative deployment directories to be used in inclusion/exclusion logic while deploying. These are equivalent to calling kluctl deploy -t prod --include-tag <tag1> and kluctl deploy -t prod --exclude-tag <tag2>.

Reconciliation

The KluctlDeployment spec.interval tells the controller at which interval to try reconciliations. The interval time units are s, m and h e.g. interval: 5m, the minimum value should be over 60 seconds.

At each reconciliation run, the controller will check if any rendered objects have been changes since the last deployment and then perform a new deployment if changes are detected. Changes are tracked via a hash consisting of all rendered objects.

To enforce periodic full deployments even if nothing has changed, spec.deployInterval can be used to specify an interval at which forced deployments must be performed by the controller.

The KluctlDeployment reconciliation can be suspended by setting spec.suspend to true. Suspension will however not prevent manual reconciliation requests via the kluctl gitops sub-commands.

Manual requests/reconciliation

The controller can be told to reconcile the KluctlDeployment outside of the specified interval by using the kluctl gitops sub-commands.

On-demand reconciliation example:

$ kluctl gitops deploy --namespace my-namespace --name my-deployment

You can also perform manual requests while temporarily overriding deployment configurations, e.g.:

$ kluctl gitops deploy --namespace my-namespace --name my-deployment --force-apply

Local source overrides are also possible, allowing you to test changes before pushing them:

$ kluctl gitops diff --namespace my-namespace --name my-deployment --local-git-override=github.com/exaple-org/example-project=/local/path/to/modified/repo

When --namespace and --name are omitted, the CLI will try to auto-detect the deployment on the current cluster and suggest the auto-detected deployment to you.

Kubeconfigs and RBAC

As Kluctl is meant to be a CLI-first tool, it expects a kubeconfig to be present while deployments are performed. The controller will generate such kubeconfigs on-the-fly before performing the actual deployment.

The kubeconfig can be generated from 3 different sources:

  1. The default impersonation service account specified at controller startup (via --default-service-account)
  2. The service account specified via spec.serviceAccountName in the KluctlDeployment
  3. The secret specified via spec.kubeConfig in the KluctlDeployment.

The behavior/functionality of 1. and 2. is comparable to how the kustomize-controller handles impersonation, with the difference that a kubeconfig with a “default” context is created in-between.

spec.kubeConfig will simply load the kubeconfig from data.value of the specified secret.

Kluctl targets specify a context name that is expected to be present in the kubeconfig while deploying. As the context found in the generated kubeconfig does not necessarily have the correct name, spec.context can be used to while deploying. This is especially useful when using service account based kubeconfigs, as these always have the same context with the name “default”.

Here is an example of a deployment that uses the service account “prod-service-account” and overrides the context appropriately (assuming the Kluctl cluster config for the given target expects a “prod” context):

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: example
  namespace: kluctl-system
spec:
  interval: 10m
  source:
    git:
      url: https://github.com/kluctl/kluctl-examples.git
      path: "./microservices-demo/3-templating-and-multi-env/"
  target: prod
  serviceAccountName: prod-service-account
  context: default

Credentials

A KluctlDeployment can specify multiple sets of credentials for different kind of repositories and registries. These are specified through the spec.credentials field, which specifies multiple list of credentials.

Git authentication

Git authentication can be specified via spec.credentials.git, which is a list of credential configs. Each entry specifies information to match Git repositories and a reference to a Kubernetes secret.

Each time the controller needs to access a git repository, it will iterate through this list and pick the first one matching.

Example:

...
spec:
  source:
    git:
      url: https://github.com/my-org/my-repo.git
  credentials:
    git:
      - host: github.com
        path: my-org/*
        secretRef:
          name: my-git-secrets
...

Each entry has the following fields:

host is required and specifies the hostname to apply this set of credentials. It can also be set to *, meaning that it will match all git hosts. * will however be ignored for https based urls to avoid leaking credentials.

path is optional and allows to filter for different paths on the same host. This is for example useful when public Git providers are used, for example github.com. For these, you can for example use my-org/* as pattern to tell the controller that it should use this set of credentials only for projects below the my-org GitHub organisation.

secretRef is required and specifies the name of the secret that contains the actual credentials.

The following authentication types are supported through the referenced secret.

Basic access authentication

To authenticate towards a Git repository over HTTPS using basic access authentication (in other words: using a username and password), the referenced Secret is expected to contain .data.username and .data.password values.

---
apiVersion: v1
kind: Secret
metadata:
  name: basic-access-auth
type: Opaque
data:
  username: <BASE64>
  password: <BASE64>

HTTPS Certificate Authority

To provide a Certificate Authority to trust while connecting with a Git repository over HTTPS, the referenced Secret can contain a .data.caFile value.

---
apiVersion: v1
kind: Secret
metadata:
  name: https-ca-credentials
  namespace: default
type: Opaque
data:
  caFile: <BASE64>

SSH authentication

To authenticate towards a Git repository over SSH, the referenced Secret is expected to contain identity and known_hosts fields. With the respective private key of the SSH key pair, and the host keys of the Git repository.

---
apiVersion: v1
kind: Secret
metadata:
  name: ssh-credentials
type: Opaque
stringData:
  identity: |
    -----BEGIN OPENSSH PRIVATE KEY-----
    ...
    -----END OPENSSH PRIVATE KEY-----    
  known_hosts: |
    github.com ecdsa-sha2-nistp256 AAAA...    

Helm Repository authentication

Kluctl allows to integrate Helm Charts in two different ways. One is to pre-pull charts and put them into version control, making it unnecessary to pull them at deploy time. This option also means that you don’t have to take any special care on the controller side.

The other way is to let Kluctl pull Helm Charts at deploy time. In that case, you have to ensure that the controller has the necessary access to the Helm repositories.

Helm Repository authentication can be specified via spec.credentials.helm, which is a list of credential configs. Each entry specifies information to match Helm repositories and a reference to a Kubernetes secret.

Each time the controller needs to access a Helm repository, it will iterate through this list and pick the first one matching.

Example:

...
spec:
  source:
    git:
      url: https://github.com/my-org/my-repo.git
  credentials:
    helm:
      - host: my-repo.com
        path: some-path/*
        secretRef:
          name: my-helm-secrets
...

Each entry has the following fields:

host is required and specifies the hostname to apply this set of credentials.

path is optional and allows to filter for different paths on the same host. The behavior is identical to how Git credentials handle it.

secretRef is required and specifies the name of the secret that contains the actual credentials.

The following authentication types are supported through the referenced secret.

Basic access authentication

To authenticate towards a Helm repository over HTTP/HTTPS using basic access authentication (in other words: using a username and password), the referenced Secret is expected to contain .data.username and .data.password values.

apiVersion: v1
kind: Secret
metadata:
  name: my-helm-creds
  namespace: kluctl-system
stringData:
  username: my-user
  password: my-password

TLS authentication

For TLS authentication, see the following example secret:

apiVersion: v1
kind: Secret
metadata:
  name: my-helm-creds
  namespace: kluctl-system
data:
  certFile: <BASE64>
  keyFile: <BASE64>
  # NOTE: The following values can be supplied without the above values and for all other (e.g. basic) authentication types as well
  caFile: <BASE64>
  insecureSkipTlsVerify: "true" # this field is optional
  passCredentialsAll: "true" # this field is optional

certFile and keyFile optionally specify a client certificate and key pair to use for client certificate based authentication. caFile specifies a CA bundle to use when TSL/https verification is performed.

If insecureSkipTlsVerify is set to true, TLS verification is skipped.

If passCredentialsAll is set to true, Kluctl will pass credentials to all domains. See https://helm.sh/docs/helm/helm_repo_add/ for details.

OCI registry authentication

OCI registry authentication can be specified via spec.credentials.oci, which is a list of credential configs. Each entry specifies information to match OCI registries and a reference to a Kubernetes secret.

Each time the controller needs to access an OCI registry, it will iterate through this list and pick the first one matching. This also includes OCI registry usages via the Helm integration.

Example:

...
spec:
  source:
    git:
      url: https://github.com/my-org/my-repo.git
  credentials:
    oci:
      - registry: docker.com
        repository: my-org/*
        secretRef:
          name: my-oci-secrets
...

Each entry has the following fields:

registry is required and specifies the registry name to apply this set of credentials.

repository is optional and allows to filter for different repositories in the same registry. Wildcards can also be used. If omitted, all repositories on the specified registry will match.

secretRef is required and specifies the name of the secret that contains the actual credentials.

The following authentication types are supported through the referenced secret.

Basic access authentication

To authenticate towards an OCI registry over HTTP/HTTPS using basic access authentication (in other words: using a username and password), the referenced Secret is expected to contain .data.username and .data.password values.

apiVersion: v1
kind: Secret
metadata:
  name: my-oci-secrets
  namespace: kluctl-system
stringData:
  username: my-user
  password: my-password

Token based authentication

To authenticate via a bearer token, use specify .data.token in the referenced secret.

apiVersion: v1
kind: Secret
metadata:
  name: my-oci-secrets
  namespace: kluctl-system
stringData:
  token: my-token

TLS authentication

For TLS authentication, see the following example secret:

apiVersion: v1
kind: Secret
metadata:
  name: my-oci-creds
  namespace: kluctl-system
data:
  certFile: <BASE64>
  keyFile: <BASE64>
  # NOTE: The following values can be supplied without the above values and for all other (e.g. basic) authentication types as well
  caFile: <BASE64>
  insecureSkipTlsVerify: "true" # this field is optional
  plainHttp: "true" # this field is optional

certFile and keyFile optionally specify a client certificate and key pair to use for client certificate based authentication. caFile specifies a CA bundle to use when TSL/https verification is performed.

If insecureSkipTlsVerify is set to true, TLS verification is skipped.

If plainHttp if set to true, HTTPS is disabled and HTTP is used instead.

Deprecated ways of credentials configurations

Kluctl still supports the deprecated spec.source.credentials, spec.source.secretRef and spec.helmCredentials fields in the v1beta1 api version. These fields are however deprecated and will be removed in the next version bump.

Secrets Decryption

Kluctl offers a SOPS Integration that allows to use encrypted manifests and variable sources in Kluctl deployments. Decryption by the controller is also supported and currently mirrors how the Secrets Decryption configuration of the Flux Kustomize Controller. To configure it in the KluctlDeployment, simply set the decryption field in the spec:

apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: example
  namespace: kluctl-system
spec:
  decryption:
    provider: sops
    secretRef:
      name: sops-keys
  ...

The sops-keys Secret has the same format as in the Flux Kustomize Controller.

AWS KMS with IRSA

In addition to the AWS KMS Secret Entry in the secret and the global AWS KMS authentication via the controller’s service account, the Kluctl controller also supports using the IRSA role of the impersonated service account of the KluctlDeployment (specified via serviceAccountName in the spec or --default-service-account):

apiVersion: v1
kind: ServiceAccount
metadata:
  name: kluctl-deployment
  namespace: kluctl-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456:role/my-irsa-enabled-role
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kluctl-deployment
  namespace: kluctl-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # watch out, don't use cluster-admin if you don't trust the deployment
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kluctl-deployment
    namespace: kluctl-system
---
apiVersion: gitops.kluctl.io/v1beta1
kind: KluctlDeployment
metadata:
  name: example
  namespace: kluctl-system
spec:
  serviceAccountName: kluctl-deployment
  decryption:
    provider: sops
    # you can also leave out the secretRef if you don't provide addinional keys
    secretRef:
      name: sops-keys
  ...

Status

When the controller completes a deployments, it reports the result in the status sub-resource.

A successful reconciliation sets the ready condition to true.

...
status:
  conditions:
  - lastTransitionTime: "2022-07-07T11:48:14Z"
    message: "deploy: ok"
    reason: ReconciliationSucceeded
    status: "True"
    type: Ready
  lastDeployResult:
    ...
  lastPruneResult:
    ...
  lastValidateResult:
    ...

You can wait for the controller to complete a reconciliation with:

$ kubectl wait kluctldeployment/backend --for=condition=ready

A failed reconciliation sets the ready condition to false:

...
status:
  conditions:
  - lastTransitionTime: "2022-05-04T10:18:11Z"
    message: target invalid-name not found in kluctl project
    reason: PrepareFailed
    status: "False"
    type: Ready
  lastDeployResult:
    ...
  lastPruneResult:
    ...
  lastValidateResult:
    ...

Note that the lastDeployResult, lastPruneResult and lastValidateResult are only updated on a successful reconciliation.

3 - Metrics

OpenMetrics-compatible export of controller metrics

3.1 - v1beta1 metrics

gitops.kluctl.io/v1beta1 metrics

Prometheus Metrics

The controller exports several metrics in the OpenMetrics compatible format. They can be scraped by all sorts of monitoring solutions (e.g. Prometheus) or stored in a database. Because the controller is based on controller-runtime, all the default metrics as well as the following controller-specific custom metrics are exported:

3.1.1 - Metrics of the KluctlDeployment Controller

KluctlDeployment documentation

Exported Metrics References

Metrics nameTypeDescription
deployment_duration_secondsHistogramHow long a single deployment takes in seconds.
number_of_changed_objectsGaugeHow many objects have been changed by a single deployment.
number_of_deleted_objectsGaugeHow many objects have been deleted by a single deployment.
number_of_errorsGaugeHow many errors are related to a single deployment.
number_of_imagesGaugeNumber of images of a single deployment.
number_of_orphan_objectsGaugeHow many orphans are related to a single deployment.
number_of_warningsGaugeHow many warnings are related to a single deployment.
prune_duration_secondsHistogramHow long a single prune takes in seconds.
validate_duration_secondsHistogramHow long a single validate takes in seconds.
deployment_interval_secondsGaugeThe configured deployment interval of a single deployment.
dry_run_enabledGaugeIs dry-run enabled for a single deployment.
last_object_statusGaugeLast object status of a single deployment. Zero means failure and one means success.
prune_enabledGaugeIs pruning enabled for a single deployment.
delete_enabledGaugeIs deletion enabled for a single deployment.
source_specGaugeThe configured source spec of a single deployment exported via labels.

4 - Kluctl Controller API reference

Kluctl Controller API reference

Packages:

gitops.kluctl.io/v1beta1

Package v1beta1 contains API Schema definitions for the gitops.kluctl.io v1beta1 API group.

Resource Types:

    Decryption

    (Appears on: KluctlDeploymentSpec)

    Decryption defines how decryption is handled for Kubernetes manifests.

    FieldDescription
    provider
    string

    Provider is the name of the decryption engine.

    secretRef
    LocalObjectReference
    (Optional)

    The secret name containing the private OpenPGP keys used for decryption.

    serviceAccount
    string
    (Optional)

    ServiceAccount specifies the service account used to authenticate against cloud providers. This is currently only usable for AWS KMS keys. The specified service account will be used to authenticate to AWS by signing a token in an IRSA compliant way.

    HelmCredentials

    (Appears on: KluctlDeploymentSpec)

    FieldDescription
    secretRef
    LocalObjectReference

    SecretRef holds the name of a secret that contains the Helm credentials. The secret must either contain the fields credentialsId which refers to the credentialsId found in https://kluctl.io/docs/kluctl/reference/deployments/helm/#private-repositories or an url used to match the credentials found in Kluctl projects helm-chart.yaml files. The secret can either container basic authentication credentials via username and password or TLS authentication via certFile and keyFile. caFile can be specified to override the CA to use while contacting the repository. The secret can also contain insecureSkipTlsVerify: "true", which will disable TLS verification. passCredentialsAll: "true" can be specified to make the controller pass credentials to all requests, even if the hostname changes in-between.

    KluctlDeployment

    KluctlDeployment is the Schema for the kluctldeployments API

    FieldDescription
    metadata
    Kubernetes meta/v1.ObjectMeta
    Refer to the Kubernetes API documentation for the fields of the metadata field.
    spec
    KluctlDeploymentSpec


    source
    ProjectSource

    Specifies the project source location

    sourceOverrides
    []SourceOverride
    (Optional)

    Specifies source overrides

    credentials
    ProjectCredentials
    (Optional)

    Credentials specifies the credentials used when pulling sources

    decryption
    Decryption
    (Optional)

    Decrypt Kubernetes secrets before applying them on the cluster.

    interval
    Kubernetes meta/v1.Duration

    The interval at which to reconcile the KluctlDeployment. Reconciliation means that the deployment is fully rendered and only deployed when the result changes compared to the last deployment. To override this behavior, set the DeployInterval value.

    retryInterval
    Kubernetes meta/v1.Duration
    (Optional)

    The interval at which to retry a previously failed reconciliation. When not specified, the controller uses the Interval value to retry failures.

    deployInterval
    SafeDuration
    (Optional)

    DeployInterval specifies the interval at which to deploy the KluctlDeployment, even in cases the rendered result does not change.

    validateInterval
    SafeDuration
    (Optional)

    ValidateInterval specifies the interval at which to validate the KluctlDeployment. Validation is performed the same way as with ‘kluctl validate -t ’. Defaults to the same value as specified in Interval. Validate is also performed whenever a deployment is performed, independent of the value of ValidateInterval

    timeout
    Kubernetes meta/v1.Duration
    (Optional)

    Timeout for all operations. Defaults to ‘Interval’ duration.

    suspend
    bool
    (Optional)

    This flag tells the controller to suspend subsequent kluctl executions, it does not apply to already started executions. Defaults to false.

    helmCredentials
    []HelmCredentials
    (Optional)

    HelmCredentials is a list of Helm credentials used when non pre-pulled Helm Charts are used inside a Kluctl deployment. DEPRECATED this field is deprecated and will be removed in the next API version bump. Use spec.credentials.helm instead.

    serviceAccountName
    string
    (Optional)

    The name of the Kubernetes service account to use while deploying. If not specified, the default service account is used.

    kubeConfig
    KubeConfig
    (Optional)

    The KubeConfig for deploying to the target cluster. Specifies the kubeconfig to be used when invoking kluctl. Contexts in this kubeconfig must match the context found in the kluctl target. As an alternative, specify the context to be used via ‘context’

    target
    string
    (Optional)

    Target specifies the kluctl target to deploy. If not specified, an empty target is used that has no name and no context. Use ‘TargetName’ and ‘Context’ to specify the name and context in that case.

    targetNameOverride
    string
    (Optional)

    TargetNameOverride sets or overrides the target name. This is especially useful when deployment without a target.

    context
    string
    (Optional)

    If specified, overrides the context to be used. This will effectively make kluctl ignore the context specified in the target.

    args
    k8s.io/apimachinery/pkg/runtime.RawExtension
    (Optional)

    Args specifies dynamic target args.

    images
    []github.com/kluctl/kluctl/v2/pkg/types.FixedImage
    (Optional)

    Images contains a list of fixed image overrides. Equivalent to using ‘–fixed-images-file’ when calling kluctl.

    dryRun
    bool
    (Optional)

    DryRun instructs kluctl to run everything in dry-run mode. Equivalent to using ‘–dry-run’ when calling kluctl.

    noWait
    bool
    (Optional)

    NoWait instructs kluctl to not wait for any resources to become ready, including hooks. Equivalent to using ‘–no-wait’ when calling kluctl.

    forceApply
    bool
    (Optional)

    ForceApply instructs kluctl to force-apply in case of SSA conflicts. Equivalent to using ‘–force-apply’ when calling kluctl.

    replaceOnError
    bool
    (Optional)

    ReplaceOnError instructs kluctl to replace resources on error. Equivalent to using ‘–replace-on-error’ when calling kluctl.

    forceReplaceOnError
    bool
    (Optional)

    ForceReplaceOnError instructs kluctl to force-replace resources in case a normal replace fails. Equivalent to using ‘–force-replace-on-error’ when calling kluctl.

    abortOnError
    bool
    (Optional)

    ForceReplaceOnError instructs kluctl to abort deployments immediately when something fails. Equivalent to using ‘–abort-on-error’ when calling kluctl.

    includeTags
    []string
    (Optional)

    IncludeTags instructs kluctl to only include deployments with given tags. Equivalent to using ‘–include-tag’ when calling kluctl.

    excludeTags
    []string
    (Optional)

    ExcludeTags instructs kluctl to exclude deployments with given tags. Equivalent to using ‘–exclude-tag’ when calling kluctl.

    includeDeploymentDirs
    []string
    (Optional)

    IncludeDeploymentDirs instructs kluctl to only include deployments with the given dir. Equivalent to using ‘–include-deployment-dir’ when calling kluctl.

    excludeDeploymentDirs
    []string
    (Optional)

    ExcludeDeploymentDirs instructs kluctl to exclude deployments with the given dir. Equivalent to using ‘–exclude-deployment-dir’ when calling kluctl.

    deployMode
    string
    (Optional)

    DeployMode specifies what deploy mode should be used. The options ‘full-deploy’ and ‘poke-images’ are supported. With the ‘poke-images’ option, only images are patched into the target without performing a full deployment.

    validate
    bool
    (Optional)

    Validate enables validation after deploying

    prune
    bool
    (Optional)

    Prune enables pruning after deploying.

    delete
    bool
    (Optional)

    Delete enables deletion of the specified target when the KluctlDeployment object gets deleted.

    manual
    bool
    (Optional)

    Manual enables manual deployments, meaning that the deployment will initially start as a dry run deployment and only after manual approval cause a real deployment

    manualObjectsHash
    string
    (Optional)

    ManualObjectsHash specifies the rendered objects hash that is approved for manual deployment. If Manual is set to true, the controller will skip deployments when the current reconciliation loops calculated objects hash does not match this value. There are two ways to use this value properly. 1. Set it manually to the value found in status.lastObjectsHash. 2. Use the Kluctl Webui to manually approve a deployment, which will set this field appropriately.

    status
    KluctlDeploymentStatus

    KluctlDeploymentSpec

    (Appears on: KluctlDeployment)

    FieldDescription
    source
    ProjectSource

    Specifies the project source location

    sourceOverrides
    []SourceOverride
    (Optional)

    Specifies source overrides

    credentials
    ProjectCredentials
    (Optional)

    Credentials specifies the credentials used when pulling sources

    decryption
    Decryption
    (Optional)

    Decrypt Kubernetes secrets before applying them on the cluster.

    interval
    Kubernetes meta/v1.Duration

    The interval at which to reconcile the KluctlDeployment. Reconciliation means that the deployment is fully rendered and only deployed when the result changes compared to the last deployment. To override this behavior, set the DeployInterval value.

    retryInterval
    Kubernetes meta/v1.Duration
    (Optional)

    The interval at which to retry a previously failed reconciliation. When not specified, the controller uses the Interval value to retry failures.

    deployInterval
    SafeDuration
    (Optional)

    DeployInterval specifies the interval at which to deploy the KluctlDeployment, even in cases the rendered result does not change.

    validateInterval
    SafeDuration
    (Optional)

    ValidateInterval specifies the interval at which to validate the KluctlDeployment. Validation is performed the same way as with ‘kluctl validate -t ’. Defaults to the same value as specified in Interval. Validate is also performed whenever a deployment is performed, independent of the value of ValidateInterval

    timeout
    Kubernetes meta/v1.Duration
    (Optional)

    Timeout for all operations. Defaults to ‘Interval’ duration.

    suspend
    bool
    (Optional)

    This flag tells the controller to suspend subsequent kluctl executions, it does not apply to already started executions. Defaults to false.

    helmCredentials
    []HelmCredentials
    (Optional)

    HelmCredentials is a list of Helm credentials used when non pre-pulled Helm Charts are used inside a Kluctl deployment. DEPRECATED this field is deprecated and will be removed in the next API version bump. Use spec.credentials.helm instead.

    serviceAccountName
    string
    (Optional)

    The name of the Kubernetes service account to use while deploying. If not specified, the default service account is used.

    kubeConfig
    KubeConfig
    (Optional)

    The KubeConfig for deploying to the target cluster. Specifies the kubeconfig to be used when invoking kluctl. Contexts in this kubeconfig must match the context found in the kluctl target. As an alternative, specify the context to be used via ‘context’

    target
    string
    (Optional)

    Target specifies the kluctl target to deploy. If not specified, an empty target is used that has no name and no context. Use ‘TargetName’ and ‘Context’ to specify the name and context in that case.

    targetNameOverride
    string
    (Optional)

    TargetNameOverride sets or overrides the target name. This is especially useful when deployment without a target.

    context
    string
    (Optional)

    If specified, overrides the context to be used. This will effectively make kluctl ignore the context specified in the target.

    args
    k8s.io/apimachinery/pkg/runtime.RawExtension
    (Optional)

    Args specifies dynamic target args.

    images
    []github.com/kluctl/kluctl/v2/pkg/types.FixedImage
    (Optional)

    Images contains a list of fixed image overrides. Equivalent to using ‘–fixed-images-file’ when calling kluctl.

    dryRun
    bool
    (Optional)

    DryRun instructs kluctl to run everything in dry-run mode. Equivalent to using ‘–dry-run’ when calling kluctl.

    noWait
    bool
    (Optional)

    NoWait instructs kluctl to not wait for any resources to become ready, including hooks. Equivalent to using ‘–no-wait’ when calling kluctl.

    forceApply
    bool
    (Optional)

    ForceApply instructs kluctl to force-apply in case of SSA conflicts. Equivalent to using ‘–force-apply’ when calling kluctl.

    replaceOnError
    bool
    (Optional)

    ReplaceOnError instructs kluctl to replace resources on error. Equivalent to using ‘–replace-on-error’ when calling kluctl.

    forceReplaceOnError
    bool
    (Optional)

    ForceReplaceOnError instructs kluctl to force-replace resources in case a normal replace fails. Equivalent to using ‘–force-replace-on-error’ when calling kluctl.

    abortOnError
    bool
    (Optional)

    ForceReplaceOnError instructs kluctl to abort deployments immediately when something fails. Equivalent to using ‘–abort-on-error’ when calling kluctl.

    includeTags
    []string
    (Optional)

    IncludeTags instructs kluctl to only include deployments with given tags. Equivalent to using ‘–include-tag’ when calling kluctl.

    excludeTags
    []string
    (Optional)

    ExcludeTags instructs kluctl to exclude deployments with given tags. Equivalent to using ‘–exclude-tag’ when calling kluctl.

    includeDeploymentDirs
    []string
    (Optional)

    IncludeDeploymentDirs instructs kluctl to only include deployments with the given dir. Equivalent to using ‘–include-deployment-dir’ when calling kluctl.

    excludeDeploymentDirs
    []string
    (Optional)

    ExcludeDeploymentDirs instructs kluctl to exclude deployments with the given dir. Equivalent to using ‘–exclude-deployment-dir’ when calling kluctl.

    deployMode
    string
    (Optional)

    DeployMode specifies what deploy mode should be used. The options ‘full-deploy’ and ‘poke-images’ are supported. With the ‘poke-images’ option, only images are patched into the target without performing a full deployment.

    validate
    bool
    (Optional)

    Validate enables validation after deploying

    prune
    bool
    (Optional)

    Prune enables pruning after deploying.

    delete
    bool
    (Optional)

    Delete enables deletion of the specified target when the KluctlDeployment object gets deleted.

    manual
    bool
    (Optional)

    Manual enables manual deployments, meaning that the deployment will initially start as a dry run deployment and only after manual approval cause a real deployment

    manualObjectsHash
    string
    (Optional)

    ManualObjectsHash specifies the rendered objects hash that is approved for manual deployment. If Manual is set to true, the controller will skip deployments when the current reconciliation loops calculated objects hash does not match this value. There are two ways to use this value properly. 1. Set it manually to the value found in status.lastObjectsHash. 2. Use the Kluctl Webui to manually approve a deployment, which will set this field appropriately.

    KluctlDeploymentStatus

    (Appears on: KluctlDeployment)

    KluctlDeploymentStatus defines the observed state of KluctlDeployment

    FieldDescription
    reconcileRequestResult
    ManualRequestResult
    (Optional)
    diffRequestResult
    ManualRequestResult
    (Optional)
    deployRequestResult
    ManualRequestResult
    (Optional)
    pruneRequestResult
    ManualRequestResult
    (Optional)
    validateRequestResult
    ManualRequestResult
    (Optional)
    observedGeneration
    int64
    (Optional)

    ObservedGeneration is the last reconciled generation.

    observedCommit
    string

    ObservedCommit is the last commit observed

    conditions
    []Kubernetes meta/v1.Condition
    (Optional)
    projectKey
    github.com/kluctl/kluctl/lib/git/types.ProjectKey
    (Optional)
    targetKey
    github.com/kluctl/kluctl/v2/pkg/types/result.TargetKey
    (Optional)
    lastObjectsHash
    string
    (Optional)
    lastManualObjectsHash
    string
    (Optional)
    lastPrepareError
    string
    (Optional)
    lastDiffResult
    k8s.io/apimachinery/pkg/runtime.RawExtension
    (Optional)

    LastDiffResult is the result summary of the last diff command

    lastDeployResult
    k8s.io/apimachinery/pkg/runtime.RawExtension
    (Optional)

    LastDeployResult is the result summary of the last deploy command

    lastValidateResult
    k8s.io/apimachinery/pkg/runtime.RawExtension
    (Optional)

    LastValidateResult is the result summary of the last validate command

    lastDriftDetectionResult
    k8s.io/apimachinery/pkg/runtime.RawExtension

    LastDriftDetectionResult is the result of the last drift detection command optional

    lastDriftDetectionResultMessage
    string

    LastDriftDetectionResultMessage contains a short message that describes the drift optional

    KubeConfig

    (Appears on: KluctlDeploymentSpec)

    KubeConfig references a Kubernetes secret that contains a kubeconfig file.

    FieldDescription
    secretRef
    SecretKeyReference

    SecretRef holds the name of a secret that contains a key with the kubeconfig file as the value. If no key is set, the key will default to ‘value’. The secret must be in the same namespace as the Kustomization. It is recommended that the kubeconfig is self-contained, and the secret is regularly updated if credentials such as a cloud-access-token expire. Cloud specific cmd-path auth helpers will not function without adding binaries and credentials to the Pod that is responsible for reconciling the KluctlDeployment.

    LocalObjectReference

    (Appears on: Decryption, HelmCredentials, ProjectCredentialsGit, ProjectCredentialsGitDeprecated, ProjectCredentialsHelm, ProjectCredentialsOci, ProjectSource)

    FieldDescription
    name
    string

    Name of the referent.

    ManualRequest

    (Appears on: ManualRequestResult)

    ManualRequest is used in json form inside the manual request annotations

    FieldDescription
    requestValue
    string
    overridesPatch
    k8s.io/apimachinery/pkg/runtime.RawExtension
    (Optional)

    ManualRequestResult

    (Appears on: KluctlDeploymentStatus)

    FieldDescription
    request
    ManualRequest
    startTime
    Kubernetes meta/v1.Time
    endTime
    Kubernetes meta/v1.Time
    (Optional)
    reconcileId
    string
    resultId
    string
    (Optional)
    commandError
    string
    (Optional)

    ProjectCredentials

    (Appears on: KluctlDeploymentSpec)

    FieldDescription
    git
    []ProjectCredentialsGit
    (Optional)

    Git specifies a list of git credentials

    oci
    []ProjectCredentialsOci
    (Optional)

    Oci specifies a list of OCI credentials

    helm
    []ProjectCredentialsHelm
    (Optional)

    Helm specifies a list of Helm credentials

    ProjectCredentialsGit

    (Appears on: ProjectCredentials)

    FieldDescription
    host
    string

    Host specifies the hostname that this secret applies to. If set to ‘’, this set of credentials applies to all hosts. Using ‘’ for http(s) based repositories is not supported, meaning that such credentials sets will be ignored. You must always set a proper hostname in that case.

    path
    string
    (Optional)

    Path specifies the path to be used to filter Git repositories. The path can contain wildcards. These credentials will only be used for matching Git URLs. If omitted, all repositories are considered to match.

    secretRef
    LocalObjectReference

    SecretRef specifies the Secret containing authentication credentials for the git repository. For HTTPS git repositories the Secret must contain ‘username’ and ‘password’ fields. For SSH git repositories the Secret must contain ‘identity’ and ‘known_hosts’ fields.

    ProjectCredentialsGitDeprecated

    (Appears on: ProjectSource)

    FieldDescription
    host
    string

    Host specifies the hostname that this secret applies to. If set to ‘’, this set of credentials applies to all hosts. Using ‘’ for http(s) based repositories is not supported, meaning that such credentials sets will be ignored. You must always set a proper hostname in that case.

    pathPrefix
    string
    (Optional)

    PathPrefix specifies the path prefix to be used to filter source urls. Only urls that have this prefix will use this set of credentials.

    secretRef
    LocalObjectReference

    SecretRef specifies the Secret containing authentication credentials for the git repository. For HTTPS git repositories the Secret must contain ‘username’ and ‘password’ fields. For SSH git repositories the Secret must contain ‘identity’ and ‘known_hosts’ fields.

    ProjectCredentialsHelm

    (Appears on: ProjectCredentials)

    FieldDescription
    host
    string

    Host specifies the hostname that this secret applies to.

    path
    string
    (Optional)

    Path specifies the path to be used to filter Helm urls. The path can contain wildcards. These credentials will only be used for matching URLs. If omitted, all URLs are considered to match.

    secretRef
    LocalObjectReference

    SecretRef specifies the Secret containing authentication credentials for the Helm repository. The secret can either container basic authentication credentials via username and password or TLS authentication via certFile and keyFile. caFile can be specified to override the CA to use while contacting the repository. The secret can also contain insecureSkipTlsVerify: "true", which will disable TLS verification. passCredentialsAll: "true" can be specified to make the controller pass credentials to all requests, even if the hostname changes in-between.

    ProjectCredentialsOci

    (Appears on: ProjectCredentials)

    FieldDescription
    registry
    string

    Registry specifies the hostname that this secret applies to.

    repository
    string
    (Optional)

    Repository specifies the org and repo name in the format ‘org-name/repo-name’. Both ‘org-name’ and ‘repo-name’ can be specified as ‘*’, meaning that all names are matched.

    secretRef
    LocalObjectReference

    SecretRef specifies the Secret containing authentication credentials for the oci repository. The secret must contain ‘username’ and ‘password’.

    ProjectSource

    (Appears on: KluctlDeploymentSpec)

    FieldDescription
    git
    ProjectSourceGit
    (Optional)

    Git specifies a git repository as project source

    oci
    ProjectSourceOci
    (Optional)

    Oci specifies an OCI repository as project source

    url
    string
    (Optional)

    Url specifies the Git url where the project source is located DEPRECATED this field is deprecated and will be removed in the next API version bump. Use spec.git.url instead.

    ref
    github.com/kluctl/kluctl/lib/git/types.GitRef
    (Optional)

    Ref specifies the branch, tag or commit that should be used. If omitted, the default branch of the repo is used. DEPRECATED this field is deprecated and will be removed in the next API version bump. Use spec.git.ref instead.

    path
    string
    (Optional)

    Path specifies the sub-directory to be used as project directory DEPRECATED this field is deprecated and will be removed in the next API version bump. Use spec.git.path instead.

    secretRef
    LocalObjectReference

    SecretRef specifies the Secret containing authentication credentials for See ProjectSourceCredentials.SecretRef for details DEPRECATED this field is deprecated and will be removed in the next API version bump. Use spec.credentials.git instead. WARNING using this field causes the controller to pass http basic auth credentials to ALL repositories involved. Use spec.credentials.git with a proper Host field instead.

    credentials
    []ProjectCredentialsGitDeprecated
    (Optional)

    Credentials specifies a list of secrets with credentials DEPRECATED this field is deprecated and will be removed in the next API version bump. Use spec.credentials.git instead.

    ProjectSourceGit

    (Appears on: ProjectSource)

    FieldDescription
    url
    string

    URL specifies the Git url where the project source is located. If the given Git repository needs authentication, use spec.credentials.git to specify those.

    ref
    github.com/kluctl/kluctl/lib/git/types.GitRef
    (Optional)

    Ref specifies the branch, tag or commit that should be used. If omitted, the default branch of the repo is used.

    path
    string
    (Optional)

    Path specifies the sub-directory to be used as project directory

    ProjectSourceOci

    (Appears on: ProjectSource)

    FieldDescription
    url
    string

    Url specifies the Git url where the project source is located. If the given OCI repository needs authentication, use spec.credentials.oci to specify those.

    ref
    github.com/kluctl/kluctl/v2/pkg/types.OciRef
    (Optional)

    Ref specifies the tag to be used. If omitted, the “latest” tag is used.

    path
    string
    (Optional)

    Path specifies the sub-directory to be used as project directory

    SafeDuration

    (Appears on: KluctlDeploymentSpec)

    FieldDescription
    Duration
    Kubernetes meta/v1.Duration

    SecretKeyReference

    (Appears on: KubeConfig)

    SecretKeyReference contains enough information to locate the referenced Kubernetes Secret object in the same namespace. Optionally a key can be specified. Use this type instead of core/v1 SecretKeySelector when the Key is optional and the Optional field is not applicable.

    FieldDescription
    name
    string

    Name of the Secret.

    key
    string
    (Optional)

    Key in the Secret, when not specified an implementation-specific default key is used.

    SourceOverride

    (Appears on: KluctlDeploymentSpec)

    FieldDescription
    repoKey
    github.com/kluctl/kluctl/lib/git/types.RepoKey
    url
    string
    isGroup
    bool
    (Optional)

    This page was automatically generated with gen-crd-api-reference-docs