9 |
10 | 
11 |
12 | ## Solutions built with Carvel
13 |
14 | Below is a list of solutions where Carvel is being used as a component.
15 |
16 | **[Revng](https://rev.ng/)**
17 |
18 | Revng is a small company with expertise in compilers, emulation and binary analysis. Revng uses ytt as a flexible templating tool to generate the configuration for [orchestra](https://github.com/revng/orchestra), their meta build system/package manager.
19 |
20 | **[VMware](https://www.vmware.com)**
21 |
22 | VMware uses Carvel as their package management tooling for [their Kubernetes offerings](https://tanzu.vmware.com/products), such as [Tanzu Mission Control](https://tanzu.vmware.com/mission-control) (TMC) and [Tanzu Kubernetes Grid](https://tanzu.vmware.com/kubernetes-grid) (TKG).
23 |
24 | ## Adding your organization to the list of adopters
25 |
26 | If you are using Carvel and would like to be included in the list of Carvel Adopters, add an SVG version of your logo to
27 | the `logos` directory in this repo and submit a pull request with your change. Name the image file something that
28 | reflects your company (e.g., if your company is called Acme, name the image acme.svg).
29 | See [this PR](https://github.com/vmware-tanzu/carvel/pull/4) for an example.
30 |
--------------------------------------------------------------------------------
/proposals/imgpkg/001-bundles/workflow.md:
--------------------------------------------------------------------------------
1 | # Making a bundle
2 |
3 | ## team builds a bundle
4 |
5 | instead of providing users with tgz with config, we want to serve that artifact off of registry
6 |
7 | ```bash
8 | # for example, in CI
9 | cd app/
10 | kbld -f <(ytt ...) --lock-output .imgpkg/images.yml # build images.yml as we do today
11 | imgpkg push -b registry.vendor.com/app-staging:v0.5.0 -f .
12 |
13 | # relocate all external depedencies into registry.com
14 | imgpkg copy -b registry.vendor.com/app-staging:v0.5.0 --to-repo registry.vendor.com/app-prod
15 | ```
16 |
17 | ---
18 | # Consuming bundle
19 |
20 | ## without relocation
21 |
22 | (see below for relocation)
23 |
24 | ```bash
25 | # potentially auth to registry for pulling bundle
26 | export IMGPKG_REGISTRY_HOSTNAME=registry.com
27 | export IMGPKG_REGISTRY_USERNAME=foo
28 | export IMGPKG_REGISTRY_PASSWORD=bar
29 |
30 | imgpkg pull -b registry.vendor.com/app-prod:v0.5.0 -o /tmp/app
31 |
32 | cd /tmp/app
33 | edit /tmp/app-values/values.yml # create specific data values
34 | kapp deploy -a cf -f <(ytt -f config/ -f /tmp/app-values/values.yml | kbld -f .imgpkg/images.yml)
35 | ```
36 |
37 |
38 | ## ... or with relocation first
39 |
40 | ```bash
41 | # potentially auth to registry for pushing bundle
42 | export IMGPKG_REGISTRY_HOSTNAME=registry.customer.com
43 | export IMGPKG_REGISTRY_USERNAME=foo
44 | export IMGPKG_REGISTRY_PASSWORD=bar
45 |
46 | imgpkg copy -b registry.vendor.com/app-prod:v0.5.0 --to-repo registry.customer.com/app
47 | imgpkg pull -b registry.customer.com/app:v0.5.0 -o /tmp/app
48 |
49 | cd /tmp/app
50 | edit /tmp/app-values/values.yml
51 | kapp deploy -a cf -f <(ytt -f config/ -f /tmp/app-values/values.yml | kbld -f .imgpkg/images.yml)
52 | ```
53 |
54 |
55 | ## ... or with air-gapped relocation
56 |
57 | ```bash
58 | imgpkg copy -b registry.vendor.com/app-prod:v0.5.0 --to-tar app-v0.5.0.tar
59 | # transport tarball to the bunker ...
60 |
61 | # from the bunker ...
62 | imgpkg copy --tar app-v0.5.0.tar --to-repo registry.customer.com/app
63 | imgpkg pull -b registry.customer.com/app:v0.5.0 -o /tmp/app
64 |
65 | cd /tmp/app
66 | edit /tmp/app-values/values.yml
67 | kapp deploy -a cf -f <(ytt -f config/ -f /tmp/app-values/values.yml | kbld -f .imgpkg/images.yml)
68 | ```
69 |
--------------------------------------------------------------------------------
/proposals/ytt/001-schemas/example-partial-dex.yaml:
--------------------------------------------------------------------------------
1 | #! https://github.com/helm/charts/blob/21e2e1b1f2656c785ece0ec741b047b21539d7b1/stable/dex/values.yaml
2 | #@schema/match data_values=True
3 | ---
4 | config:
5 | #@schema/validate prefix="https://"
6 | #@schema/example "http://dex.example.com:8080"
7 | issuer: ""
8 | storage:
9 | #@schema/validate enum=["kubernetes"]
10 | type: kubernetes
11 | config:
12 | inCluster: true
13 | logger:
14 | #@schema/validate enum=["debug", "info", "error"]
15 | level: debug
16 |
17 | web:
18 | #@schema/doc "port is taken from ports section above"
19 | #@schema/validate format="ipv4"
20 | address: 0.0.0.0
21 | tlsCert: /etc/dex/tls/https/server/tls.crt
22 | tlsKey: /etc/dex/tls/https/server/tls.key
23 | #@schema/default []
24 | allowedOrigins:
25 | - ""
26 |
27 | grpc:
28 | #@schema/doc "port is taken from ports section above"
29 | #@schema/validate format="ipv4"
30 | address: 127.0.0.1
31 | tlsCert: /etc/dex/tls/grpc/server/tls.crt
32 | tlsKey: /etc/dex/tls/grpc/server/tls.key
33 | tlsClientCA: /etc/dex/tls/grpc/ca/tls.crt
34 |
35 | #@schema/default []
36 | connectors:
37 | -
38 | #@schema/validate enum=["github", "slack"]
39 | type: github
40 | #@schema/example "github"
41 | id: ""
42 | #@schema/example "Github"
43 | name: ""
44 |
45 | #@ def gh_config_example():
46 | clientID: xxxxxxxxxxxxxxx
47 | clientSecret: yyyyyyyyyyyyyyyyyyyyy
48 | redirectURI: https://dex.minikube.local:5556/callback
49 | org: kubernetes
50 | #@ end
51 |
52 | #@schema/type "map"
53 | #@schema/example gh_config_example()
54 | config: {}
55 |
56 | oauth2:
57 | alwaysShowLoginScreen: false
58 | skipApprovalScreen: true
59 |
60 | expiry:
61 | #@schema/validate format="duration"
62 | signingKeys: "6h"
63 | #@schema/validate format="duration"
64 | idTokens: "24h"
65 |
66 | #@schema/default []
67 | staticClients:
68 | - name: ""
69 | #@schema/example "example-app"
70 | id: ""
71 | #@schema/default []
72 | redirectURIs:
73 | #@schema/example "http://192.168.42.219:31850/oauth2/callback"
74 | - ""
75 | secret: ""
76 |
77 | enablePasswordDB: true
78 |
79 | #@schema/default []
80 | staticPasswords:
81 | - userID: ""
82 | username: ""
83 | #@schema/validate format="email"
84 | email: ""
85 | #@schema/validate regexp="^\$.+\$.+\$.+$"
86 | #@schema/example ("$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W", "bcrypt hash of the string 'password'"")
87 | hash: ""
88 |
89 | frontend:
90 | #@schema/example "https://example.com/yourlogo.png"
91 | logoURL: ""
92 |
--------------------------------------------------------------------------------
/logos/vmware.svg:
--------------------------------------------------------------------------------
1 |
12 |
--------------------------------------------------------------------------------
/logos/revng.svg:
--------------------------------------------------------------------------------
1 |
2 |
3 |
27 |
--------------------------------------------------------------------------------
/GOVERNANCE.md:
--------------------------------------------------------------------------------
1 | :warning: This document is under construction.
2 |
3 | # Backlog Management
4 | We use [ZenHub for backlog
5 | management](https://app.zenhub.com/workspaces/carvel-backlog-6013063a24147d0011410709)
6 | (note: ZenHub requires GitHub authorization). The backlog is configured as a
7 | single, consolidated backlog. If you're interested in only seeing a specific tool's
8 | backlog then we recommend using the filters accordingly.
9 |
10 | ## How the Backlog is Organized
11 | The below graphic is an overview of how issues flow through our backlog:
12 | 
13 |
14 | | Column (State) | Description | Labels Used | How does an issue progress from this column? Where does it go next? |
15 | | --- | --- | --- | --- |
16 | | New Issues | Issues to be reviewed and labeled by the Carvel maintainer team in order to determine the next steps. | * `carvel-triage` (add)Optional configuration if using a private registry that has all cf-for-k8s images relocated to
705 | #@ see docs/platform_operators/system-registry.md
706 | #@ '''
707 | #@schema/doc documentation
708 | system_registry:
709 | ```
710 |
711 |
712 |
713 | ### @schema/example
714 |
715 | Captures an exemplary value for the annotated node.
716 |
717 | ```yaml
718 | @schema/example sample_value
719 | ```
720 |
721 | - `sample_value` (_type matching the node_) — a sample value that illustrates a common use. The value must be of the
722 | effective type of the node; to specify a value of another type is an error.
723 | - due to current limitations within `ytt`'s annotation system, only one example can be given: this annotation cannot
724 | be repeated. To supply multiple examples, use the [`@schema/examples`](#schemaexamples) annotation.
725 |
726 | _Example:_
727 |
728 | ```yaml
729 | #@schema/example "my_domain.example.com"
730 | system_domain: ""
731 | ```
732 |
733 | __
734 |
735 |
736 | ### @schema/examples
737 |
738 | Captures multiple exemplary values for the annotated node.
739 |
740 | ```yaml
741 | @schema/examples (exampleA_description, exampleA_value)[, (exampleB_description, exampleB_value)]
742 | ```
743 |
744 | - `(exampleX_description, exampleX_value)` ([`tuple`](https://github.com/google/starlark-go/blob/master/doc/spec.md#tuples)) —
745 | the example pair:
746 | - `exampleX_description` (`string`) — naming and describing the purpose or impact of the example value.
747 | - `exampleX_value` (_type matching the node_) — a sample value that illustrates a common use. The value must be of the
748 | effective type of the node; to specify a value of another type is an error.
749 |
750 |
751 | _Example 1: Simple examples_
752 |
753 | ```yaml
754 | #@schema/examples ("One domain across the foundation", ["apps.example.com"]), ("Multi-tenant foundation", ["pets.com", "nile.com"] )
755 | apps_domain: []
756 | ```
757 |
758 | __
759 |
760 | _Example 2: Complex examples_
761 |
762 | Illustrates how different databases require different amounts of configuration.
763 |
764 | ```yaml
765 | #@ def postgres_example():
766 | name: uaa
767 | host: uaa-db.svc.cluster.local
768 | user: postgres
769 | secretRef:
770 | name: uaa-db-creds
771 | #@ end
772 |
773 | #@ def mysql_example():
774 | name: uaa
775 | adapter: mysql
776 | host: uaa-db.svc.cluster.local
777 | port: 3306
778 | user: root
779 | secretRef:
780 | name: uaa-db-creds
781 | #@ end
782 |
783 | #@schema/examples ("Postgres", postgres_example()), ("MySQL", mysql_example())
784 | databases: []
785 | ```
786 |
787 |
788 | ### @schema/deprecated
789 |
790 | Marks a node as targeted for removal while still remaining defined and used.
791 |
792 | ```yaml
793 | @schema/deprecated notice
794 | ```
795 |
796 | - `notice` (`string`) — a message elaborating on the reason for the deprication, how to prepare for
797 | the removal (e.g. migrate to using a newly introduced value), and possibly a version-based timeline
798 | for when the removal will happen.
799 |
800 | Notes:
801 | - when a value is specified for the node outside of the schema, a standardized warning that includes
802 | `notice` will be output to standard error, and evaluation continues.
803 |
804 | _Example:_
805 |
806 | ```yaml
807 | load_balancer:
808 | #@schema/deprecated "Will be removed in 2.0.0; in that version, specify `null` for `load_balancer` to disable."
809 | enable: true
810 | static_ip: ""
811 | ```
812 |
813 | __
814 |
815 | ### @schema/removed
816 |
817 | ```yaml
818 | @schema/removed remedy
819 | ```
820 |
821 | - `remedy` (`string`) — a message providing next step instructions on how to repair the document/configuration.
822 |
823 | Notes:
824 | - when a value is specified for the node outside of the schema, a standardized warning that includes
825 | `remedy` will be output to standard error, and evaluation stops.
826 |
827 | _Example:_
828 |
829 | ```yaml
830 | load_balancer:
831 | #@schema/removed "Was removed as of 2.0.0; specify `null` for `load_balancer` to disable."
832 | enable: true
833 | static_ip: ""
834 | ```
835 |
836 |
837 | ## Part 7: Validating Documents
838 |
839 | Beyond specifying a type for a value, one can specify more dynamic constraints on the value via validations.
840 |
841 | ### @schema/validate
842 |
843 | ```yaml
844 | @schema/validate [...user-provided-funcs,] [...builtin-kwargs]
845 | ```
846 |
847 | This annotation specifies how to validate value. `@schema/validate` will provide a set of keyword arguments which map to built-in validations, such as `max`, `max_len`, etc., but will also accept user-defined validation functions. Less common validators will also be provided via a `validations` library. For example,
848 |
849 | ```yaml
850 | #@ def number_is_even(num): return (num % 2 == 0, "Number is not even")
851 |
852 | #@schema/validate number_is_even, min=2
853 | replicas: 6
854 | ```
855 |
856 | will use the `min` predefined validator as well as the user-provided `number_is_even` function for validations. Function arguments should have a signature which matches the signature of custom functions passed to [`@overlay/assert`](https://github.com/k14s/ytt/blob/develop/docs/lang-ref-ytt-overlay.md).
857 |
858 | Full list of builtin validations exposed via kwargs (all have 2nd form: a tuple of value and error message):
859 |
860 | - min=int
861 | - max=int
862 | - min_len=int
863 | - max_len=int
864 | - enum=[string|int|...]: any set of values
865 | - regexp=string (TBD or pattern?) -> golang regexp
866 | - format=string (mostly copied from JSON Schema)
867 | - date-time: Date and time together, for example, 2018-11-13T20:20:39+00:00.
868 | - time: New in draft 7 Time, for example, 20:20:39+00:00
869 | - date: New in draft 7 Date, for example, 2018-11-13.
870 | - email: Internet email address, see RFC 5322, section 3.4.1.
871 | - hostname: Internet host name, see RFC 1034, section 3.1.
872 | - ip: IPv4 or IPv6
873 | - ipv4: IPv4 address, according to dotted-quad ABNF syntax as defined in RFC 2673, section 3.2.
874 | - ipv6: IPv6 address, as defined in RFC 2373, section 2.2.
875 | - uri: A universal resource identifier (URI), according to RFC3986.
876 | - port: >= 0 && <= 65535
877 | - percent: k8s's IsValidPercent e.g. "10%"
878 | - duration: Golang's duration e.g. "10h"
879 | - not_null=bool to verify value is not null
880 | - unique=bool to verify value contains unique elements (TBD?)
881 | - starts_with=string to verify string has prefix
882 | - ends_with=string to verify string has suffix
883 | - TBD
884 |
885 | Full list of builtin validations included in a library:
886 |
887 | - ...kwargs validations as functions...
888 | - base64.decodable()
889 | - json.decodable()
890 | - yaml.decodable()
891 | - regexp.is_valid()
892 |
893 | String values, by default, have `@schema/validate min_len=1` validation added.
894 |
895 | #### Validation Documentation
896 |
897 | Configuration Consumers are more likely to provide valid values if they are aware
898 | of what defines valid.
899 |
900 | For this reason, validations should provide user-friendly documentation that makes
901 | this clear:
902 | - concise phrase that describes a valid value;
903 | - a short list of common example valid values;
904 | - citation to canonical definition.
905 |
906 | TBD.
907 |
908 | Sketch:
909 | - invoke the validation function with no arguments
910 | - if it returns a `string` that is documentation (including the name)
911 | - if it returns an error, discard and replace with default documentation (e.g. "Validation: "+str(validation_func))
912 | - first class `ytt` Schema functions can include this behavior
913 | - 3rd party functions can be wrapped in a function (or lambda expression) to decorate this behavior:
914 | ```python
915 | def is_valid_ip(val="__yttdoc__"):
916 | if val != "__yttdoc__":
917 | return thirdPartyLib.valid_ip(val)
918 | else:
919 | return "Valid IP: a well-formed IPv4 (RFC 2673, section 3.2) or IPv6 address (RFC 2373, section 2.2)."
920 | end
921 | ```
922 |
923 | **Implementation considerations:**
924 |
925 |
926 | As part of the implementation of the validation feature we should use some of the knowledge from the Type Checking
927 | implemented before.
928 | - Isolation of packages like yamlmeta from external dependencies
929 |
930 | This package is intended as a place for the yaml internal structures
931 | - Eventually it make sense to implement the validation near the Schemas and also move the Type Check to the same package
932 |
933 | When implementing we should consider to create a walker that iterate over the YAML document to do the Check or the Validation depending on the action we want to perform in a given moment
934 |
935 | ## Part 8: Command-Line Interface Interactions
936 |
937 | :::warning
938 | There is active User Research into how to more effectively communicate with `ytt` users. Findings from that research
939 | should trump whatever "requirements" are specified below.
940 | :::
941 |
942 | Schema violation messages should be:
943 | - readable — easy/quick to determine the nature and details of the violation.
944 | - actionable — clear what step would need to be taken to fix the violation.
945 | - complete — no other context is required to fix the violation.
946 | - supportive — informs, without blame.
947 |
948 | To get there, consider these principles:
949 | - convey concisely — the fewer words written, the more words read.
950 | - be consistent — use the same word for the same concept; the same layout for the same kind of message.
951 | - prioritize position of information — place more important information in a more prominent spot.
952 | - be empathetic — use words the user must already know; when you cannot, define it or point to a definition.
953 |
954 | ### Type Violations
955 |
956 | When a value given is malformed (wrong structure/type) `ytt` will report these violations and stop processing.
957 |
958 | Type violations can come from:
959 | - an incorrectly formed explicit default value (i.e. the value of `@schema/default`)
960 | - a data value (noted below: all `@data/values` documents are implied overlays)
961 |
962 | `schema.yml`
963 | ```yaml=
964 | #@schema/definition name="data/values"
965 | ---
966 | system_domain: ""
967 |
968 | load_balancer:
969 | enabled: true
970 | external_ip: ""
971 | ```
972 |
973 | `values.yml`
974 | ```yaml=
975 | #@data/values
976 | ---
977 | system_domain: false
978 | load_balancer: true
979 | ```
980 |
981 | ```
982 | $ ytt -f schema.yml -f values.yml
983 | ytt: Error: ...
984 |
985 | Result of values.yml did not pass "data/values" schema:
986 |
987 | values.yml:3 | system_domain:
988 | | ^^^ found: boolean
989 | | expected: string (by schema.yml:3)
990 | ```
991 |
992 | **Note:**
993 | - the document at `values.yml:2` implies `@overlay/match by=overlay.all` and `@overlay/match-child-defaults missing_ok=True`
994 | - `values.yml` has two overlay operations: merge of `system_domain` and merge of `load_balancer`.
995 | - there are, in fact, two type violations. However, `ytt` stops after the first overlay operation fails.
996 |
997 | ### Validation Violations
998 |
999 | ## Part 9: Interactions with Existing Features
1000 |
1001 | ### Changes to Data Values
1002 |
1003 |
1004 | #### Data Value Overlays Become More Permissive
1005 |
1006 | Prior to Schemas, Data Values protected against mistakes like typo'ed key names through the strict merge of additional data values documents: to successfully merge a new key, it must be marked as `@overlay/match missing_ok=True`.
1007 |
1008 | The responsibility to ensure key names are valid are shifted from Data Values to Schema.
1009 |
1010 | When schema is present, Data Values documents imply an automatic merge of new keys. This is equivalent to all `@data/values` documents being annotated with `@overlay/match-child-defaults missing_ok=True`.
1011 |
1012 | This behavior should not result in an error if a Data Values document _already_ is annotated this way.
1013 |
1014 |
1015 | #### All Data Values Become Overlays
1016 |
1017 | Before Schema, the first YAML document annotated with `@data/values` effectively defined both an implied schema and defaults.
1018 |
1019 | With Schema, the base data values document is produced by collecting all the net default values from the schema, itself.
1020 |
1021 | `ytt` will automatically convert _all_ data values into overlays.
1022 |
1023 |
1024 | ### Overlays
1025 |
1026 | Schema aims to provide the earliest possible and actionable feedback so that Configuration Consumers can successfully complete their task in the shortest possible duration.
1027 |
1028 | When one or more schema violation(s) occur after a Data Value overlay operation, `ytt` should:
1029 | 1. display the current state of the violating portion of the document; (it's quite possible, this data does not appear anywhere else)
1030 | 2. report the violation(s); and
1031 | 3. stop processing.
1032 |
1033 |
1034 | ### Overlays of Schema
1035 |
1036 | TBD
1037 |
1038 | - It must be possible to extend Schema (i.e. add new items)
1039 | - When do Configuration Consumers need to modify Schema?
1040 | - they add templates that require additional data values
1041 | - soften or remove overzealous validations
1042 | - when overlays on templates change the type of the expected data values
1043 |
1044 | ## Open Questions
1045 |
1046 | - Given that Data Values all become overlays, now all array items require a `@overlay/append`
1047 | - this will be a negative UX for brand new users as it lights a number of tool features just so that I can specify an array for my library. :(
1048 | - this has been a pain
1049 | - How could we assign line numbers to YAML nodes that are generated from Starlark code?
1050 | - how common of a situation is this?
1051 | - becomes more important when referencing nodes in schema because our violation messages depend on naming the type/structure declaration by line number.
1052 | - Overlaying Schema implies the need for meta to be copied along
1053 | - Documentation could be enhanced if validation rules were included. How could validation authors provide documentation for their validation?
1054 | - provide a magic string for the input and the function returns documentation?
1055 | - function always returns documentation as part of return value?
1056 | - How should schema work with ytt libraries?
1057 | - How do we support data values that are targeting a dependency library?
1058 | - How will code defined in a schema file make its way into the execution context of the target "template"?
1059 | - e.g. function supporting validation
1060 | - idea: could we capture the "globals" resulting from the execution of the schema "template" and feed those into the target "template"'s execution context?
1061 | - there are expressions/statements to consume during the schema "template" construction... but other expression/statements that need to be made available to target "templates".
1062 | - Should we support generating `ytt` Schema from other popular sources (e.g. JSON Schema, OpenAPI v3 schema)?
1063 | - how to add more things to schema? (via overlays similar to data values)
1064 | - provide programmatic schema.apply() (similar to overlay.apply)
1065 | - respect schema for data values set via cmd line flags/env vars
1066 | - add --data-values-schema-inspect (similar to --data-values-inspect)
1067 | - a component team introduces breaking change… how do we discover that happened? (is that a use case that's in scope for ytt?)
1068 | - schema diff
1069 | - as a Configuration Consumer, what drives me asking for a diff? what am I looking for?
1070 | - what do we get from YAML diffing tools?
1071 | - what is the gap between the need and what we get with diffing tools?
1072 | - using extensions for ytt types.
1073 | - https://github.com/k14s/ytt/issues/51
1074 |
1075 |
1076 | # Sample Usage
1077 |
1078 | Vetting of User eXperience by way of examples.
1079 |
1080 | ## Common Use Cases
1081 |
1082 | Expectedly common situations that invoke more than one feature, illustrating proper interactions.
1083 |
1084 | ### Mutually Exclusive Map Configuration
1085 |
1086 | ## Edge Cases
1087 |
1088 | Situations that stretch the capabilities of the feature set.
1089 |
1090 | ### Prometheus Label Set Rewriting
1091 |
1092 | Prometheus includes a feature allowing operators to articulate label rewritting rules for metrics.
1093 | This feature is used throughout Prometheus' configuration. It is centered around a structure
1094 | known as a "relabeling".
1095 |
1096 | Defining edits that operate on runtime text is frought with errors.
1097 | - a minor typo of a keyword,
1098 | - a regular expression that fails only in certain cases, or
1099 | - a sometimes required configuration being omitted
1100 |
1101 | This example illustrates how Schema would enhance the Prometheus User's configuration experience.
1102 |
1103 | Sources:
1104 | - https://github.com/prometheus-community/helm-charts/blob/451448b53/charts/kube-prometheus-stack/values.yaml
1105 | - https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
1106 |
1107 | ```yaml=
1108 | #! ==- Relabel Config -==
1109 | #!
1110 |
1111 | #@ def replace_has_target_label(relabel):
1112 | #@ if relabel.action == "replace" and "targetLabel" not in relabel:
1113 | #@ return (False, "'targetLabel' not found on replace relabel rule")
1114 | #@ end
1115 | #@ end
1116 |
1117 | #@ def non_hashmod_has_regex(relabel):
1118 | #@ if relabel.action in ["replace", "keep", "drop", "labelmap", "labeldrop", "labelkeep"] and \
1119 | #@ "regex" not in relabel:
1120 | #@ return (False, "'regex' not found on {} relabel rule".format(relabel.action))
1121 | #@ end
1122 | #@ end
1123 |
1124 | #! As of Prometheus 2.22, there are 200+ meta labels
1125 | #@ known_meta_labels = {
1126 | #@ "__meta_azure_machine_id": True,
1127 | #@ "__meta_azure_machine_location": True,
1128 | #@ "__meta_azure_machine_name": True,
1129 | #@ "__meta_azure_machine_os_type": True,
1130 | #@ "__meta_azure_machine_private_ip": True,
1131 | #! ... and many more
1132 | #@ }
1133 | #@ def known_meta_label(label):
1134 | #@ if label.startswith("__meta_"):
1135 | #@ if known_meta_labels[label] == None:
1136 | #@ return (False,
1137 | #@ "{} is not a known meta label (did you mean {}?)"\
1138 | #@ .format(label, spelling.nearest(label, known_meta_labels.keys())))
1139 | #@ end
1140 | #@ end
1141 | #@ end
1142 |
1143 | ---
1144 | #@ def relabeling():
1145 | #@schema/title "Source labels"
1146 | #@ doc = '''
1147 | #@ The source labels select values from existing labels. Their content is concatenated
1148 | #@ using the configured separator and matched against the configured regular expression
1149 | #@ for the replace, keep, and drop actions.
1150 | #@ '''
1151 | #@schema/doc doc
1152 | sourceLabels:
1153 | #@schema/validate known_meta_label, regexp=("[a-zA-Z_][a-zA-Z0-9_]*", "letters and numbers, starting with a letter")
1154 | - ""
1155 |
1156 | #@schema/title "Source Label Separator"
1157 | #@schema/doc "Separator placed between concatenated source label values."
1158 | separator: ;
1159 |
1160 | #@schema/title "Target Label"
1161 | #@ doc = '''
1162 | #@ Label to which the resulting value is written in a replace action.
1163 | #@ It is mandatory for replace actions. Regex capture groups are available.
1164 | #@ '''
1165 | #@schema/doc
1166 | #@schema/key missing_ok=True
1167 | #@schema/validate regexp=("[a-zA-Z_][a-zA-Z0-9_]*", "letters and numbers, starting with a letter")
1168 | targetLabel: ""
1169 |
1170 | #@schema/title "Extraction regex"
1171 | #@schema/doc "Regular expression against which the extracted value is matched."
1172 | #@schema/key missing_ok=True
1173 | #@schema/validate regexp.is_valid
1174 | regex: ^(.*)$
1175 |
1176 | #@schema.title ""
1177 | #@schema/key missing_ok=True
1178 | modulus: 0
1179 |
1180 | replacement: $1
1181 |
1182 | #@schema/validate enum=["replace", "keep", "drop", "hashmod", "labelmap", "labeldrop", "labelkeep"]
1183 | action: replace
1184 | #@ end
1185 |
1186 | #@ def relabelings():
1187 | #@schema/validate replace_has_target_label, non_hashmod_has_regex
1188 | - #@ relabeling()
1189 | #@ end
1190 |
1191 | #! metrics_path is required to match upstream rules and charts
1192 | #@ def metrics_path_relabel():
1193 | sourceLabels: [__metrics_path__]
1194 | targetLabel: metrics_path
1195 | #@ end
1196 |
1197 | ---
1198 | kubelet:
1199 | serviceMonitor:
1200 |
1201 | #@schema/title "Scrape interval"
1202 | #@schema/doc "If not set, the Prometheus default scrape interval is used."
1203 | #@schema/validate format="duration"
1204 | #@schema/key missing_ok=True
1205 | interval: ""
1206 |
1207 | #@schema/doc "relabel configs to apply to cAdvisor metric samples before ingestion."
1208 | cAdvisorMetricRelabelings: #@ relabelings()
1209 |
1210 | #@schema/doc "relabel configs to apply to probe metric samples before ingestion."
1211 | probesMetricRelabelings: #@ relabelings()
1212 |
1213 | #@schema/doc "relabel configs to apply to cAdvisor samples before ingestion."
1214 | #@schema/default [metrics_path_relabel()]
1215 | cAdvisorRelabelings: #@ relabelings()
1216 |
1217 | #@schema/doc "relabel configs to apply to probe samples before ingestion."
1218 | #@schema/default [metrics_path_relabel()]
1219 | probesRelabelings: #@ relabelings()
1220 |
1221 | #@schema/doc "relabel configs to apply to resource samples before ingestion."
1222 | #@schema/default [metrics_path_relabel()]
1223 | resourceRelabelings: #@ relabelings()
1224 |
1225 | #@schema/doc "relabel configs to apply to metric samples before ingestion."
1226 | metricRelabelings: #@ relabelings()
1227 |
1228 | #@schema/doc "relabel configs to apply to samples before ingestion."
1229 | #@schema/default [metrics_path_relabel()]
1230 | relabelings: #@ relabelings()
1231 | ```
1232 |
1233 | Pros:
1234 | - demonstrates the leverage functions bring: to extract the concept of a "relabeling", attach defaults and validations,
1235 | and use widely.
1236 | - trickier configuration (e.g. regular expressions, exact meta label names, string formats) are not just caught earlier,
1237 | but with context for more actionable error messages.
1238 | - ...
1239 |
1240 | Cons:
1241 | - validation rules across the map + the map is an array item ==> the definition of "relabeling" had to be extracted and scoped to a separate document.
1242 | - ...
1243 |
1244 |
1245 | ## Migration of Existing Configuration
1246 | ### Cloud Foundry for Kubernetes
1247 |
1248 | Cloud Foundry for Kubernetes — at the time of writing — is the most sophisticated use of `ytt` known.
1249 | In the absence of the Schema feature specified in this document, the CF for K8s project has written
1250 | their own custom validation logic.
1251 |
1252 | With `ytt` Schemas, _all_ existing validation logic ought to be absorbed into the schema definition.
1253 |
1254 | Specifically:
1255 | - "required" parameters : all string values imply a `@schema/validate min_len=1` by default
1256 | - a "non empty array" is `@schema/validate min_len=1`
1257 | - _(others ?)_
1258 |
1259 | ```yaml=
1260 | #@schema/definition name="data/values"
1261 | ---
1262 | #@schema/doc "your system domain"
1263 | #@schema/example "system.cf.example.com"
1264 | #@schema/validate format="hostname"
1265 | system_domain: ""
1266 |
1267 | #@schema/title "Application Domains"
1268 | #@schema/example ["apps.cf.example.com"]
1269 | #@schema/validate min_len=1
1270 | app_domains:
1271 | -
1272 | #@schema/validate format="hostname"
1273 | ""
1274 |
1275 | #@schema/title "Application Log Distinations"
1276 | app_log_destinations: []
1277 |
1278 | #@schema/title "Cloud Foundry Administrator Password"
1279 | #@schema/doc "password for admin user (in plain text)"
1280 | cf_admin_password:
1281 |
1282 | load_balancer:
1283 | enable: true
1284 | #@schema/title "Load Balancer Static IP"
1285 | #@schema/doc "Reserved static IP for Load Balancer"
1286 | #@schema/validation format="ip"
1287 | static_ip: ""
1288 |
1289 | system_certificate:
1290 | #@schema/title "System Certificate"
1291 | #@ doc = '''\
1292 | #@ Certificate for the wildcard subdomain of the system domain.
1293 | #@ For example, CN=*.system.cf.example.com
1294 | #@ '''
1295 | #@schema/doc doc
1296 | #@schema/validate base64.decodable
1297 | crt: ""
1298 | #@schema/title "Private Key"
1299 | #@schema/doc "Private key for the system certificate"
1300 | #@schema/validate base64.decodable
1301 | key: ""
1302 | #@schema/title "CA Certificate"
1303 | #@schema/doc "CA certificate used to sign the system certificate"
1304 | #@schema/validate base64.decodable
1305 | ca: ""
1306 |
1307 | workloads_certificate:
1308 | #@schema/title "Applications Certificate"
1309 | #@ doc = '''\
1310 | #@ Certificate for the wildcard subdomain of the applications domain.
1311 | #@ For example, CN=*.apps.cf.example.co
1312 | #@ '''
1313 | #@schema/doc doc
1314 | #@schema/validate base64.decodable
1315 | crt: ""
1316 | #@schema/title "Private Key"
1317 | #@schema/doc "Private key for the applications certificate"
1318 | #@schema/validate base64.decodable
1319 | key: ""
1320 | #@schema/title "CA Certificate"
1321 | #@schema/doc "CA certificate used to sign the applications certificate"
1322 | #@schema/validate base64.decodable
1323 | ca: ""
1324 |
1325 | gateway:
1326 | #@schema/doc "When true, automatically upgrades incoming HTTP connections to HTTPS"
1327 | https_only: true
1328 |
1329 | capi:
1330 | #@schema/title "CAPI DB"
1331 | #@schema/doc "Database for Cloud API"
1332 | database:
1333 | #@schema/validation enum=["postgres", "mysql2"]
1334 | adapter: postgres
1335 | encryption_key: ""
1336 | host: "cf-db-postgresql.cf-db.svc.cluster.local"
1337 | #@schema/examples [("Postgres", 5432), ("MySQL", 3306)]
1338 | port: 5432
1339 | user: cloud_controller
1340 | #@schema/doc "DB user password in plain text"
1341 | password: ""
1342 | name: cloud_controller
1343 | #@schema/doc "Plain text ca certificate if tls should be used"
1344 | ca_cert: ""
1345 | log_level: info
1346 |
1347 | uaa:
1348 | #@schema/title "UAA DB"
1349 | #@schema/doc "Database for User Authentication and Authorization service"
1350 | database:
1351 | #@schema/validation enum=["postgres", "mysql2"]
1352 | adapter: postgres
1353 | encryption_key: ""
1354 | host: "cf-db-postgresql.cf-db.svc.cluster.local"
1355 | #@schema/examples [("Postgres", 5432), ("MySQL", 3306)]
1356 | port: 5432
1357 | user: uaa
1358 | #@schema/doc "DB user password in plain text"
1359 | password: ""
1360 | name: uaa
1361 | #@schema/doc "Plain text ca certificate if tls should be used"
1362 | ca_cert: ""
1363 |
1364 | app_registry:
1365 | #@schema/validate format="hostname"
1366 | hostname: ""
1367 | repository_prefix: ""
1368 | username: ""
1369 | password: ""
1370 |
1371 | remove_resource_requirements: false
1372 | add_metrics_server_components: false
1373 | allow_prometheus_metrics_access: false
1374 | use_external_dns_for_wildcard: false
1375 | enable_automount_service_account_token: false
1376 | metrics_server_prefer_internal_kubelet_address: false
1377 | use_first_party_jwt_tokens: false
1378 |
1379 | #@schema/title "CF Blobstore"
1380 | #@schema/doc "configuration for the blobstore holding buildpacks, droplets, packages, etc."
1381 | blobstore:
1382 | endpoint: "http://cf-blobstore-minio.cf-blobstore.svc.cluster.local:9000"
1383 | region: "''"
1384 | access_key_id: "admin"
1385 | secret_access_key: ""
1386 | package_directory_key: "cc-packages"
1387 | droplet_directory_key: "cc-droplets"
1388 | resource_directory_key: "cc-resources"
1389 | buildpack_directory_key: "cc-buildpacks"
1390 | aws_signature_version: "2"
1391 |
1392 | #@ doc = '''\
1393 | #@ optional configuration if using a private registry that has all cf-for-k8s images relocated to
1394 | #@ see
1785 | Example:
1786 | Schema for "data/values"
1758 |
1759 |
1760 |
1794 |
1795 | fields:
1796 | - name: username
1797 | title:
1798 | example:
1799 | - value: admin
1800 | description: null
1801 | - name: db_url
1802 | title: Full URL to the external database.
1803 | ```
1804 |
1805 | `docs.html.txt`
1806 | ```htmlmixed=
1807 | (@ load("@ytt:data", "data") @)
1808 |
1809 |
1810 | ```
1811 |
1812 | ```shell
1813 | $ ytt --schema-inspect -f schema.yml --output html
1814 | ```
1815 |
1816 |
1817 | # Additional References
1818 |
1819 | - 🔒 [Cloud Foundry for Kubernetes Configuration and Versioning Scheme](https://docs.google.com/document/d/1q4QyaElEX3KtIeGjwPmZpxsJpgsxin9sx7M0T4qBiW0)
1820 | - Sorbet (a typing system in Ruby): https://sorbet.org/docs/type-assertions
1821 | - Kubernetes users requesting JSON Schema: https://github.com/kubernetes/kubernetes/issues/14987
1822 | - JSON Schema Validation: https://json-schema.org/draft/2019-09/json-schema-validation.html
1823 |
1824 | # Closed Questions
1825 |
1826 | - _Is there a feasible way for a validation rule to get access to its siblings?_ **not now.** [details](https://github.com/k14s/design-docs/pull/1#discussion_r521425869)
1827 | - _Are there needs around versioning schema?_ **Not for the foreseable future.** [details](https://github.com/k14s/design-docs/pull/1#discussion_r521426706)
1828 | - _With the addition of a schema, the first data values file no longer serves that role. Could we improve the UX of adding multiple data value files by not requiring subsequent data values to be overlays?_ **Yes, which should be covered in [Part 8: Interactions with Existing Features](#Part-8-Interactions-with-Existing-Features).
1829 | - _Could a user include both a data/value + schema/amend in the same file?_ **For now, no.... but maybe** [details](https://github.com/k14s/design-docs/pull/1#discussion_r521433218)
1830 |
1831 |
--------------------------------------------------------------------------------
1761 |
1763 |
1764 |
1765 | Name Description Details Example
1762 |
1766 |
1771 | username
1767 | Database username
1768 |
1769 |
1770 |
1772 |
1777 |
1778 |
1779 |
1773 |
1774 |
1775 |
1776 |
1780 |
1792 | (@ end -@)
1793 | username
1781 | User Name used to log into the database.
1782 |
1783 | The account in the database system to authenticate as.
1784 |
1791 |
1787 | admin
1788 |
1789 |
1790 |