kubernetes

Description

The kubernetes provider allows you to deploy container modules to Kubernetes clusters, and adds the helm and kubernetes module types.

For usage information, please refer to the guides section. A good place to start is the Remote Kubernetes guide guide if you're connecting to remote clusters. The Getting Started guide is also helpful as an introduction.

Note that if you're using a local Kubernetes cluster (e.g. minikube or Docker Desktop), the local-kubernetes provider simplifies (and automates) the configuration and setup quite a bit.

Below is the full schema reference for the provider configuration. For an introduction to configuring a Garden project with providers, please look at our configuration guide.

The reference is divided into two sections. The first section contains the complete YAML schema, and the second section describes each schema key.

Complete YAML Schema

The values in the schema below are the default values.

providers:
- # List other providers that should be resolved before this one.
dependencies: []
# If specified, this provider will only be used in the listed environments. Note that an empty array effectively
# disables the provider. To use a provider in all environments, omit this field.
environments:
# Choose the mechanism for building container images before deploying. By default your local Docker daemon is
# used, but you can set it to `cluster-buildkit` or `kaniko` to sync files to the cluster, and build container
# images there. This removes the need to run Docker locally, and allows you to share layer and image caches
# between multiple developers, as well as between your development and CI workflows.
#
# For more details on all the different options and what makes sense to use for your setup, please check out the
# [in-cluster building guide](https://docs.garden.io/guides/in-cluster-building).
#
# **Note:** The `cluster-docker` mode has been deprecated and will be removed in a future release!
buildMode: local-docker
# Configuration options for the `cluster-buildkit` build mode.
clusterBuildkit:
# Enable rootless mode for the cluster-buildkit daemon, which runs the daemon with decreased privileges.
# Please see [the buildkit docs](https://github.com/moby/buildkit/blob/master/docs/rootless.md) for caveats when
# using this mode.
rootless: false
# Exposes the `nodeSelector` field on the PodSpec of the BuildKit deployment. This allows you to constrain the
# BuildKit daemon to only run on particular nodes.
#
# [See here](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) for the official Kubernetes
# guide to assigning Pods to nodes.
nodeSelector: {}
# Configuration options for the `kaniko` build mode.
kaniko:
# Specify extra flags to use when building the container image with kaniko. Flags set on `container` modules
# take precedence over these.
extraFlags:
# Change the kaniko image (repository/image:tag) to use when building in kaniko mode.
image: 'gcr.io/kaniko-project/executor:v1.6.0-debug'
# Choose the namespace where the Kaniko pods will be run. Set to `null` to use the project namespace.
#
# **IMPORTANT: The default namespace will change to the project namespace instead of the garden-system namespace
# in an upcoming release!**
namespace: garden-system
# Exposes the `nodeSelector` field on the PodSpec of the Kaniko pods. This allows you to constrain the Kaniko
# pods to only run on particular nodes.
#
# [See here](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) for the official Kubernetes
# guide to assigning Pods to nodes.
nodeSelector:
# Specify tolerations to apply to each Kaniko Pod. Useful to control which nodes in a cluster can run builds.
tolerations:
- # "Effect" indicates the taint effect to match. Empty means match all taint effects. When specified,
# allowed values are "NoSchedule", "PreferNoSchedule" and "NoExecute".
effect:
# "Key" is the taint key that the toleration applies to. Empty means match all taint keys.
# If the key is empty, operator must be "Exists"; this combination means to match all values and all keys.
key:
# "Operator" represents a key's relationship to the value. Valid operators are "Exists" and "Equal".
# Defaults to
# "Equal". "Exists" is equivalent to wildcard for value, so that a pod can tolerate all taints of a
# particular category.
operator: Equal
# "TolerationSeconds" represents the period of time the toleration (which must be of effect "NoExecute",
# otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate
# the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately)
# by the system.
tolerationSeconds:
# "Value" is the taint value the toleration matches to. If the operator is "Exists", the value should be
# empty,
# otherwise just a regular string.
value:
# A default hostname to use when no hostname is explicitly configured for a service.
defaultHostname:
# Defines the strategy for deploying the project services.
# Default is "rolling update" and there is experimental support for "blue/green" deployment.
# The feature only supports modules of type `container`: other types will just deploy using the default strategy.
deploymentStrategy: rolling
# Require SSL on all `container` module services. If set to true, an error is raised when no certificate is
# available for a configured hostname on a `container` module.
forceSsl: false
# References to `docker-registry` secrets to use for authenticating with remote registries when pulling
# images. This is necessary if you reference private images in your module configuration, and is required
# when configuring a remote Kubernetes environment with buildMode=local.
imagePullSecrets:
- # The name of the Kubernetes secret.
name:
# The namespace where the secret is stored. If necessary, the secret may be copied to the appropriate
# namespace before use.
namespace: default
# Resource requests and limits for the in-cluster builder, container registry and code sync service. (which are
# automatically installed and used when `buildMode` is `cluster-docker` or `kaniko`).
resources:
# Resource requests and limits for the in-cluster builder. It's important to consider which build mode you're
# using when configuring this.
#
# When `buildMode` is `kaniko`, this refers to _each Kaniko pod_, i.e. each individual build, so you'll want to
# consider the requirements for your individual image builds, with your most expensive/heavy images in mind.
#
# When `buildMode` is `cluster-buildkit`, this applies to the BuildKit deployment created in _each project
# namespace_. So think of this as the resource spec for each individual user or project namespace.
#
# When `buildMode` is `cluster-docker`, this applies to the single Docker Daemon that is installed and run
# cluster-wide. This is shared across all users and builds in the cluster, so it should be resourced
# accordingly, factoring in how many concurrent builds you expect and how heavy your builds tend to be. **Note
# that the cluster-docker build mode has been deprecated!**
builder:
limits:
# CPU limit in millicpu.
cpu: 4000
# Memory limit in megabytes.
memory: 8192
# Ephemeral storage limit in megabytes.
ephemeralStorage:
requests:
# CPU request in millicpu.
cpu: 100
# Memory request in megabytes.
memory: 512
# Ephemeral storage request in megabytes.
ephemeralStorage:
# Resource requests and limits for the in-cluster image registry. Built images are pushed to this registry,
# so that they are available to all the nodes in your cluster.
#
# This is shared across all users and builds, so it should be resourced accordingly, factoring
# in how many concurrent builds you expect and how large your images tend to be.
registry:
limits:
# CPU limit in millicpu.
cpu: 2000
# Memory limit in megabytes.
memory: 4096
# Ephemeral storage limit in megabytes.
ephemeralStorage:
requests:
# CPU request in millicpu.
cpu: 200
# Memory request in megabytes.
memory: 512
# Ephemeral storage request in megabytes.
ephemeralStorage:
# Storage parameters to set for the in-cluster builder, container registry and code sync persistent volumes
# (which are automatically installed and used when `buildMode` is `cluster-docker` or `kaniko`).
#
# These are all shared cluster-wide across all users and builds, so they should be resourced accordingly,
# factoring in how many concurrent builds you expect and how large your images and build contexts tend to be.
storage:
# Storage parameters for the in-cluster Docker registry volume. Built images are stored here, so that they
# are available to all the nodes in your cluster.
#
# Only applies when `buildMode` is set to `cluster-docker` or `kaniko`, ignored otherwise.
registry:
# Volume size in megabytes.
size: 20480
# Storage class to use for the volume.
storageClass: null
# One or more certificates to use for ingress.
tlsCertificates:
- # A unique identifier for this certificate.
name:
# A list of hostnames that this certificate should be used for. If you don't specify these, they will be
# automatically read from the certificate.
hostnames:
# A reference to the Kubernetes secret that contains the TLS certificate and key for the domain.
secretRef:
# The name of the Kubernetes secret.
name:
# The namespace where the secret is stored. If necessary, the secret may be copied to the appropriate
# namespace before use.
namespace: default
# Set to `cert-manager` to configure [cert-manager](https://github.com/jetstack/cert-manager) to manage this
# certificate. See our
# [cert-manager integration guide](https://docs.garden.io/advanced/cert-manager-integration) for details.
managedBy:
# cert-manager configuration, for creating and managing TLS certificates. See the
# [cert-manager guide](https://docs.garden.io/advanced/cert-manager-integration) for details.
certManager:
# Automatically install `cert-manager` on initialization. See the
# [cert-manager integration guide](https://docs.garden.io/advanced/cert-manager-integration) for details.
install: false
# The email to use when requesting Let's Encrypt certificates.
email:
# The type of issuer for the certificate (only ACME is supported for now).
issuer: acme
# Specify which ACME server to request certificates from. Currently Let's Encrypt staging and prod servers are
# supported.
acmeServer: letsencrypt-staging
# The type of ACME challenge used to validate hostnames and generate the certificates (only HTTP-01 is supported
# for now).
acmeChallengeType: HTTP-01
# Exposes the `nodeSelector` field on the PodSpec of system services. This allows you to constrain the system
# services to only run on particular nodes.
#
# [See here](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) for the official Kubernetes guide
# to assigning Pods to nodes.
systemNodeSelector: {}
# For setting tolerations on the registry-proxy when using in-cluster building.
# The registry-proxy is a DaemonSet that proxies connections to the docker registry service on each node.
#
# Use this only if you're doing in-cluster building and the nodes in your cluster
# have [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
registryProxyTolerations:
- # "Effect" indicates the taint effect to match. Empty means match all taint effects. When specified,
# allowed values are "NoSchedule", "PreferNoSchedule" and "NoExecute".
effect:
# "Key" is the taint key that the toleration applies to. Empty means match all taint keys.
# If the key is empty, operator must be "Exists"; this combination means to match all values and all keys.
key:
# "Operator" represents a key's relationship to the value. Valid operators are "Exists" and "Equal". Defaults
# to
# "Equal". "Exists" is equivalent to wildcard for value, so that a pod can tolerate all taints of a
# particular category.
operator: Equal
# "TolerationSeconds" represents the period of time the toleration (which must be of effect "NoExecute",
# otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate
# the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately)
# by the system.
tolerationSeconds:
# "Value" is the taint value the toleration matches to. If the operator is "Exists", the value should be
# empty,
# otherwise just a regular string.
value:
# The name of the provider plugin to use.
name: kubernetes
# The kubectl context to use to connect to the Kubernetes cluster.
context:
# The registry where built containers should be pushed to, and then pulled to the cluster when deploying services.
#
# Important: If you specify this in combination with in-cluster building, you must make sure `imagePullSecrets`
# includes authentication with the specified deployment registry, that has the appropriate write privileges
# (usually full write access to the configured `deploymentRegistry.namespace`).
deploymentRegistry:
# The hostname (and optionally port, if not the default port) of the registry.
hostname:
# The port where the registry listens on, if not the default.
port:
# The namespace in the registry where images should be pushed.
namespace: _
# The ingress class to use on configured Ingresses (via the `kubernetes.io/ingress.class` annotation)
# when deploying `container` services. Use this if you have multiple ingress controllers in your cluster.
ingressClass:
# The external HTTP port of the cluster's ingress controller.
ingressHttpPort: 80
# The external HTTPS port of the cluster's ingress controller.
ingressHttpsPort: 443
# Path to kubeconfig file to use instead of the system default. Must be a POSIX-style path.
kubeconfig:
# Specify which namespace to deploy services to, and optionally annotations/labels to apply to the namespace.
#
# You can specify a string as a shorthand for `name: <name>`. Defaults to `<project name>-<environment
# namespace>`.
#
# Note that the framework may generate other namespaces as well with this name as a prefix. Also note that if the
# namespace previously exists, Garden will attempt to add the specified labels and annotations. If the user does
# not have permissions to do so, a warning is shown.
namespace:
# A valid Kubernetes namespace name. Must be a valid RFC1035/RFC1123 (DNS) label (may contain lowercase letters,
# numbers and dashes, must start with a letter, and cannot end with a dash) and must not be longer than 63
# characters.
name:
# Map of annotations to apply to the namespace when creating it.
annotations:
# Map of labels to apply to the namespace when creating it.
labels:
# Set this to `nginx` to install/enable the NGINX ingress controller.
setupIngressController: false

Configuration Keys

providers[]

Type

Default

Required

array[object]

[]

No

providers[].dependencies[]

providers > dependencies

List other providers that should be resolved before this one.

Type

Default

Required

array[string]

[]

No

Example:

providers:
- dependencies:
- exec

providers[].environments[]

providers > environments

If specified, this provider will only be used in the listed environments. Note that an empty array effectively disables the provider. To use a provider in all environments, omit this field.

Type

Required

array[string]

No

Example:

providers:
- environments:
- dev
- stage

providers[].buildMode

providers > buildMode

Choose the mechanism for building container images before deploying. By default your local Docker daemon is used, but you can set it to cluster-buildkit or kaniko to sync files to the cluster, and build container images there. This removes the need to run Docker locally, and allows you to share layer and image caches between multiple developers, as well as between your development and CI workflows.

For more details on all the different options and what makes sense to use for your setup, please check out the in-cluster building guide.

Note: The cluster-docker mode has been deprecated and will be removed in a future release!

Type

Default

Required

string

"local-docker"

No

providers[].clusterBuildkit

providers > clusterBuildkit

Configuration options for the cluster-buildkit build mode.

Type

Required

object

No

providers[].clusterBuildkit.rootless

providers > clusterBuildkit > rootless

Enable rootless mode for the cluster-buildkit daemon, which runs the daemon with decreased privileges. Please see the buildkit docs for caveats when using this mode.

Type

Default

Required

boolean

false

No

providers[].clusterBuildkit.nodeSelector

providers > clusterBuildkit > nodeSelector

Exposes the nodeSelector field on the PodSpec of the BuildKit deployment. This allows you to constrain the BuildKit daemon to only run on particular nodes.

See here for the official Kubernetes guide to assigning Pods to nodes.

Type

Default

Required

object

{}

No

Example:

providers:
- clusterBuildkit:
...
nodeSelector:
disktype: ssd

providers[].clusterDocker

providers > clusterDocker

Deprecated: This field will be removed in a future release.

Configuration options for the cluster-docker build mode.

Type

Required

object

No

providers[].clusterDocker.enableBuildKit

providers > clusterDocker > enableBuildKit

Deprecated: This field will be removed in a future release.

Enable BuildKit support. This should in most cases work well and be more performant, but we're opting to keep it optional until it's enabled by default in Docker.

Type

Default

Required

boolean

false

No

providers[].kaniko

providers > kaniko

Configuration options for the kaniko build mode.

Type

Required

object

No

providers[].kaniko.extraFlags[]

providers > kaniko > extraFlags

Specify extra flags to use when building the container image with kaniko. Flags set on container modules take precedence over these.

Type

Required

array[string]

No

providers[].kaniko.image

providers > kaniko > image

Change the kaniko image (repository/image:tag) to use when building in kaniko mode.

Type

Default

Required

string

"gcr.io/kaniko-project/executor:v1.6.0-debug"

No

providers[].kaniko.namespace

providers > kaniko > namespace

Choose the namespace where the Kaniko pods will be run. Set to null to use the project namespace.

IMPORTANT: The default namespace will change to the project namespace instead of the garden-system namespace in an upcoming release!

Type

Default

Required

string

"garden-system"

No

providers[].kaniko.nodeSelector

providers > kaniko > nodeSelector

Exposes the nodeSelector field on the PodSpec of the Kaniko pods. This allows you to constrain the Kaniko pods to only run on particular nodes.

See here for the official Kubernetes guide to assigning Pods to nodes.

Type

Required

object

No

providers[].kaniko.tolerations[]

providers > kaniko > tolerations

Specify tolerations to apply to each Kaniko Pod. Useful to control which nodes in a cluster can run builds.

Type

Default

Required

array[object]

[]

No

providers[].kaniko.tolerations[].effect

providers > kaniko > tolerations > effect

"Effect" indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are "NoSchedule", "PreferNoSchedule" and "NoExecute".

Type

Required

string

No

providers[].kaniko.tolerations[].key

providers > kaniko > tolerations > key

"Key" is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be "Exists"; this combination means to match all values and all keys.

Type

Required

string

No

providers[].kaniko.tolerations[].operator

providers > kaniko > tolerations > operator

"Operator" represents a key's relationship to the value. Valid operators are "Exists" and "Equal". Defaults to "Equal". "Exists" is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

Type

Default

Required

string

"Equal"

No

providers[].kaniko.tolerations[].tolerationSeconds

providers > kaniko > tolerations > tolerationSeconds

"TolerationSeconds" represents the period of time the toleration (which must be of effect "NoExecute", otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

Type

Required

string

No

providers[].kaniko.tolerations[].value

providers > kaniko > tolerations > value

"Value" is the taint value the toleration matches to. If the operator is "Exists", the value should be empty, otherwise just a regular string.

Type

Required

string

No

providers[].defaultHostname

providers > defaultHostname

A default hostname to use when no hostname is explicitly configured for a service.

Type

Required

string

No

Example:

providers:
- defaultHostname: "api.mydomain.com"

providers[].deploymentStrategy

providers > deploymentStrategy

Experimental: this is an experimental feature and the API might change in the future.

Defines the strategy for deploying the project services. Default is "rolling update" and there is experimental support for "blue/green" deployment. The feature only supports modules of type container: other types will just deploy using the default strategy.

Type

Default

Required

string

"rolling"

No

providers[].forceSsl

providers > forceSsl

Require SSL on all container module services. If set to true, an error is raised when no certificate is available for a configured hostname on a container module.

Type

Default

Required

boolean

false

No

providers[].imagePullSecrets[]

providers > imagePullSecrets

References to docker-registry secrets to use for authenticating with remote registries when pulling images. This is necessary if you reference private images in your module configuration, and is required when configuring a remote Kubernetes environment with buildMode=local.

Type

Default

Required

array[object]

[]

No

providers[].imagePullSecrets[].name

providers > imagePullSecrets > name

The name of the Kubernetes secret.

Type

Required

string

Yes

Example:

providers:
- imagePullSecrets:
- name: "my-secret"

providers[].imagePullSecrets[].namespace

providers > imagePullSecrets > namespace

The namespace where the secret is stored. If necessary, the secret may be copied to the appropriate namespace before use.

Type

Default

Required

string

"default"

No

providers[].resources

providers > resources

Resource requests and limits for the in-cluster builder, container registry and code sync service. (which are automatically installed and used when buildMode is cluster-docker or kaniko).

Type

Default

Required

object

{"builder":{"limits":{"cpu":4000,"memory":8192},"requests":{"cpu":100,"memory":512}},"registry":{"limits":{"cpu":2000,"memory":4096},"requests":{"cpu":200,"memory":512}},"sync":{"limits":{"cpu":500,"memory":512},"requests":{"cpu":100,"memory":90}}}

No

providers[].resources.builder

providers > resources > builder

Resource requests and limits for the in-cluster builder. It's important to consider which build mode you're using when configuring this.

When buildMode is kaniko, this refers to each Kaniko pod, i.e. each individual build, so you'll want to consider the requirements for your individual image builds, with your most expensive/heavy images in mind.

When buildMode is cluster-buildkit, this applies to the BuildKit deployment created in each project namespace. So think of this as the resource spec for each individual user or project namespace.

When buildMode is cluster-docker, this applies to the single Docker Daemon that is installed and run cluster-wide. This is shared across all users and builds in the cluster, so it should be resourced accordingly, factoring in how many concurrent builds you expect and how heavy your builds tend to be. Note that the cluster-docker build mode has been deprecated!

Type

Default

Required

object

{"limits":{"cpu":4000,"memory":8192},"requests":{"cpu":100,"memory":512}}

No

providers[].resources.builder.limits

providers > resources > builder > limits

Type

Default

Required

object

{"cpu":4000,"memory":8192}

No

providers[].resources.builder.limits.cpu

providers > resources > builder > limits > cpu

CPU limit in millicpu.

Type

Default

Required

number

4000

No

Example:

providers:
- resources:
...
builder:
...
limits:
...
cpu: 4000

providers[].resources.builder.limits.memory

providers > resources > builder > limits > memory

Memory limit in megabytes.

Type

Default

Required

number

8192

No

Example:

providers:
- resources:
...
builder:
...
limits:
...
memory: 8192

providers[].resources.builder.limits.ephemeralStorage

providers > resources > builder > limits > ephemeralStorage

Ephemeral storage limit in megabytes.

Type

Required

number

No

Example:

providers:
- resources:
...
builder:
...
limits:
...
ephemeralStorage: 8192

providers[].resources.builder.requests

providers > resources > builder > requests

Type

Default

Required

object

{"cpu":100,"memory":512}

No

providers[].resources.builder.requests.cpu

providers > resources > builder > requests > cpu

CPU request in millicpu.

Type

Default

Required

number

100

No

Example:

providers:
- resources:
...
builder:
...
requests:
...
cpu: 100

providers[].resources.builder.requests.memory

providers > resources > builder > requests > memory

Memory request in megabytes.

Type

Default

Required

number

512

No

Example:

providers:
- resources:
...
builder:
...
requests:
...
memory: 512

providers[].resources.builder.requests.ephemeralStorage

providers > resources > builder > requests > ephemeralStorage

Ephemeral storage request in megabytes.

Type

Required

number

No

Example:

providers:
- resources:
...
builder:
...
requests:
...
ephemeralStorage: 8192

providers[].resources.registry

providers > resources > registry

Resource requests and limits for the in-cluster image registry. Built images are pushed to this registry, so that they are available to all the nodes in your cluster.

This is shared across all users and builds, so it should be resourced accordingly, factoring in how many concurrent builds you expect and how large your images tend to be.

Type

Default

Required

object

{"limits":{"cpu":2000,"memory":4096},"requests":{"cpu":200,"memory":512}}

No

providers[].resources.registry.limits

providers > resources > registry > limits

Type

Default

Required

object

{"cpu":2000,"memory":4096}

No

providers[].resources.registry.limits.cpu

providers > resources > registry > limits > cpu

CPU limit in millicpu.

Type

Default

Required

number

2000

No

Example:

providers:
- resources:
...
registry:
...
limits:
...
cpu: 2000

providers[].resources.registry.limits.memory

providers > resources > registry > limits > memory

Memory limit in megabytes.

Type

Default

Required

number

4096

No

Example:

providers:
- resources:
...
registry:
...
limits:
...
memory: 4096

providers[].resources.registry.limits.ephemeralStorage

providers > resources > registry > limits > ephemeralStorage

Ephemeral storage limit in megabytes.

Type

Required

number

No

Example:

providers:
- resources:
...
registry:
...
limits:
...
ephemeralStorage: 8192

providers[].resources.registry.requests

providers > resources > registry > requests

Type

Default

Required

object

{"cpu":200,"memory":512}

No

providers[].resources.registry.requests.cpu

providers > resources > registry > requests > cpu

CPU request in millicpu.

Type

Default

Required

number

200

No

Example:

providers:
- resources:
...
registry:
...
requests:
...
cpu: 200

providers[].resources.registry.requests.memory

providers > resources > registry > requests > memory

Memory request in megabytes.

Type

Default

Required

number

512

No

Example:

providers:
- resources:
...
registry:
...
requests:
...
memory: 512

providers[].resources.registry.requests.ephemeralStorage

providers > resources > registry > requests > ephemeralStorage

Ephemeral storage request in megabytes.

Type

Required

number

No

Example:

providers:
- resources:
...
registry:
...
requests:
...
ephemeralStorage: 8192

providers[].resources.sync

providers > resources > sync

Deprecated: This field will be removed in a future release.

Resource requests and limits for the code sync service, which we use to sync build contexts to the cluster ahead of building images. This generally is not resource intensive, but you might want to adjust the defaults if you have many concurrent users.

Type

Default

Required

object

{"limits":{"cpu":500,"memory":512},"requests":{"cpu":100,"memory":90}}

No

providers[].resources.sync.limits

providers > resources > sync > limits

Deprecated: This field will be removed in a future release.

Type

Default

Required

object

{"cpu":500,"memory":512}

No

providers[].resources.sync.limits.cpu

providers > resources > sync > limits > cpu

Deprecated: This field will be removed in a future release.

CPU limit in millicpu.

Type

Default

Required

number

500

No

Example:

providers:
- resources:
...
sync:
...
limits:
...
cpu: 500

providers[].resources.sync.limits.memory

providers > resources > sync > limits > memory

Deprecated: This field will be removed in a future release.

Memory limit in megabytes.

Type

Default

Required

number

512

No

Example:

providers:
- resources:
...
sync:
...
limits:
...
memory: 512

providers[].resources.sync.limits.ephemeralStorage

providers > resources > sync > limits > ephemeralStorage

Deprecated: This field will be removed in a future release.

Ephemeral storage limit in megabytes.

Type

Required

number

No

Example:

providers:
- resources:
...
sync:
...
limits:
...
ephemeralStorage: 8192

providers[].resources.sync.requests

providers > resources > sync > requests

Deprecated: This field will be removed in a future release.

Type

Default

Required

object

{"cpu":100,"memory":90}

No

providers[].resources.sync.requests.cpu

providers > resources > sync > requests > cpu

Deprecated: This field will be removed in a future release.

CPU request in millicpu.

Type

Default

Required

number

100

No

Example:

providers:
- resources:
...
sync:
...
requests:
...
cpu: 100

providers[].resources.sync.requests.memory

providers > resources > sync > requests > memory

Deprecated: This field will be removed in a future release.

Memory request in megabytes.

Type

Default

Required

number

90

No

Example:

providers:
- resources:
...
sync:
...
requests:
...
memory: 90

providers[].resources.sync.requests.ephemeralStorage

providers > resources > sync > requests > ephemeralStorage

Deprecated: This field will be removed in a future release.

Ephemeral storage request in megabytes.

Type

Required

number

No

Example:

providers:
- resources:
...
sync:
...
requests:
...
ephemeralStorage: 8192

providers[].storage

providers > storage

Storage parameters to set for the in-cluster builder, container registry and code sync persistent volumes (which are automatically installed and used when buildMode is cluster-docker or kaniko).

These are all shared cluster-wide across all users and builds, so they should be resourced accordingly, factoring in how many concurrent builds you expect and how large your images and build contexts tend to be.

Type

Default

Required

object

{"builder":{"size":20480,"storageClass":null},"nfs":{"storageClass":null},"registry":{"size":20480,"storageClass":null},"sync":{"size":10240,"storageClass":null}}

No

providers[].storage.builder

providers > storage > builder

Deprecated: This field will be removed in a future release.

Storage parameters for the data volume for the in-cluster Docker Daemon.

Only applies when buildMode is set to cluster-docker, ignored otherwise.

Type

Default

Required

object

{"size":20480,"storageClass":null}

No

providers[].storage.builder.size

providers > storage > builder > size

Deprecated: This field will be removed in a future release.

Volume size in megabytes.

Type

Default

Required

number

20480

No

providers[].storage.builder.storageClass

providers > storage > builder > storageClass

Deprecated: This field will be removed in a future release.

Storage class to use for the volume.

Type

Default

Required

string

null

No

providers[].storage.nfs

providers > storage > nfs

Deprecated: This field will be removed in a future release.

Storage parameters for the NFS provisioner, which we automatically create for the sync volume, unless you specify a storageClass for the sync volume. See the below sync parameter for more.

Only applies when buildMode is set to cluster-docker or kaniko, ignored otherwise.

Type

Default

Required

object

{"storageClass":null}

No

providers[].storage.nfs.storageClass

providers > storage > nfs > storageClass

Deprecated: This field will be removed in a future release.

Storage class to use as backing storage for NFS .

Type

Default

Required

string

null

No

providers[].storage.registry

providers > storage > registry

Storage parameters for the in-cluster Docker registry volume. Built images are stored here, so that they are available to all the nodes in your cluster.

Only applies when buildMode is set to cluster-docker or kaniko, ignored otherwise.

Type

Default

Required

object

{"size":20480,"storageClass":null}

No

providers[].storage.registry.size

providers > storage > registry > size

Volume size in megabytes.

Type

Default

Required

number

20480

No

providers[].storage.registry.storageClass

providers > storage > registry > storageClass

Storage class to use for the volume.

Type

Default

Required

string

null

No

providers[].storage.sync

providers > storage > sync

Deprecated: This field will be removed in a future release.

Storage parameters for the code sync volume, which build contexts are synced to ahead of running in-cluster builds.

Important: The storage class configured here has to support ReadWriteMany access. If you don't specify a storage class, Garden creates an NFS provisioner and provisions an NFS volume for the sync data volume.

Only applies when buildMode is set to cluster-docker, ignored otherwise.

Type

Default

Required

object

{"size":10240,"storageClass":null}

No

providers[].storage.sync.size

providers > storage > sync > size

Deprecated: This field will be removed in a future release.

Volume size in megabytes.

Type

Default

Required

number

10240

No

providers[].storage.sync.storageClass

providers > storage > sync > storageClass

Deprecated: This field will be removed in a future release.

Storage class to use for the volume.

Type

Default

Required

string

null

No

providers[].tlsCertificates[]

providers > tlsCertificates

One or more certificates to use for ingress.

Type

Default

Required

array[object]

[]

No

providers[].tlsCertificates[].name

providers > tlsCertificates > name

A unique identifier for this certificate.

Type

Required

string

Yes

Example:

providers:
- tlsCertificates:
- name: "www"

providers[].tlsCertificates[].hostnames[]

providers > tlsCertificates > hostnames

A list of hostnames that this certificate should be used for. If you don't specify these, they will be automatically read from the certificate.

Type

Required

array[hostname]

No

Example:

providers:
- tlsCertificates:
- hostnames:
- www.mydomain.com

providers[].tlsCertificates[].secretRef

providers > tlsCertificates > secretRef

A reference to the Kubernetes secret that contains the TLS certificate and key for the domain.

Type

Required

object

No

Example:

providers:
- tlsCertificates:
- secretRef:
name: my-tls-secret
namespace: default

providers[].tlsCertificates[].secretRef.name

providers > tlsCertificates > secretRef > name

The name of the Kubernetes secret.

Type

Required

string

Yes

Example:

providers:
- tlsCertificates:
- secretRef:
name: my-tls-secret
namespace: default
...
name: "my-secret"

providers[].tlsCertificates[].secretRef.namespace

providers > tlsCertificates > secretRef > namespace

The namespace where the secret is stored. If necessary, the secret may be copied to the appropriate namespace before use.

Type

Default

Required

string

"default"

No

providers[].tlsCertificates[].managedBy

providers > tlsCertificates > managedBy

Set to cert-manager to configure cert-manager to manage this certificate. See our cert-manager integration guide for details.

Type

Required

string

No

Example:

providers:
- tlsCertificates:
- managedBy: "cert-manager"

providers[].certManager

providers > certManager

cert-manager configuration, for creating and managing TLS certificates. See the cert-manager guide for details.

Type

Required

object

No

providers[].certManager.install

providers > certManager > install

Automatically install cert-manager on initialization. See the cert-manager integration guide for details.

Type

Default

Required

boolean

false

No

providers[].certManager.email

providers > certManager > email

The email to use when requesting Let's Encrypt certificates.

Type

Required

string

Yes

Example:

providers:
- certManager:
...

providers[].certManager.issuer

providers > certManager > issuer

The type of issuer for the certificate (only ACME is supported for now).

Type

Default

Required

string

"acme"

No

Example:

providers:
- certManager:
...
issuer: "acme"

providers[].certManager.acmeServer

providers > certManager > acmeServer

Specify which ACME server to request certificates from. Currently Let's Encrypt staging and prod servers are supported.

Type

Default

Required

string

"letsencrypt-staging"

No

Example:

providers:
- certManager:
...
acmeServer: "letsencrypt-staging"

providers[].certManager.acmeChallengeType

providers > certManager > acmeChallengeType

The type of ACME challenge used to validate hostnames and generate the certificates (only HTTP-01 is supported for now).

Type

Default

Required

string

"HTTP-01"

No

Example:

providers:
- certManager:
...
acmeChallengeType: "HTTP-01"

providers[].systemNodeSelector

providers > systemNodeSelector

Exposes the nodeSelector field on the PodSpec of system services. This allows you to constrain the system services to only run on particular nodes.

See here for the official Kubernetes guide to assigning Pods to nodes.

Type

Default

Required

object

{}

No

Example:

providers:
- systemNodeSelector:
disktype: ssd

providers[].registryProxyTolerations[]

providers > registryProxyTolerations

For setting tolerations on the registry-proxy when using in-cluster building. The registry-proxy is a DaemonSet that proxies connections to the docker registry service on each node.

Use this only if you're doing in-cluster building and the nodes in your cluster have taints.

Type

Default

Required

array[object]

[]

No

providers[].registryProxyTolerations[].effect

providers > registryProxyTolerations > effect

"Effect" indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are "NoSchedule", "PreferNoSchedule" and "NoExecute".

Type

Required

string

No

providers[].registryProxyTolerations[].key

providers > registryProxyTolerations > key

"Key" is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be "Exists"; this combination means to match all values and all keys.

Type

Required

string

No

providers[].registryProxyTolerations[].operator

providers > registryProxyTolerations > operator

"Operator" represents a key's relationship to the value. Valid operators are "Exists" and "Equal". Defaults to "Equal". "Exists" is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

Type

Default

Required

string

"Equal"

No

providers[].registryProxyTolerations[].tolerationSeconds

providers > registryProxyTolerations > tolerationSeconds

"TolerationSeconds" represents the period of time the toleration (which must be of effect "NoExecute", otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

Type

Required

string

No

providers[].registryProxyTolerations[].value

providers > registryProxyTolerations > value

"Value" is the taint value the toleration matches to. If the operator is "Exists", the value should be empty, otherwise just a regular string.

Type

Required

string

No

providers[].name

providers > name

The name of the provider plugin to use.

Type

Default

Required

string

"kubernetes"

Yes

Example:

providers:
- name: "kubernetes"

providers[].context

providers > context

The kubectl context to use to connect to the Kubernetes cluster.

Type

Required

string

Yes

Example:

providers:
- context: "my-dev-context"

providers[].deploymentRegistry

providers > deploymentRegistry

The registry where built containers should be pushed to, and then pulled to the cluster when deploying services.

Important: If you specify this in combination with in-cluster building, you must make sure imagePullSecrets includes authentication with the specified deployment registry, that has the appropriate write privileges (usually full write access to the configured deploymentRegistry.namespace).

Type

Required

object

No

providers[].deploymentRegistry.hostname

providers > deploymentRegistry > hostname

The hostname (and optionally port, if not the default port) of the registry.

Type

Required

string

Yes

Example:

providers:
- deploymentRegistry:
...
hostname: "gcr.io"

providers[].deploymentRegistry.port

providers > deploymentRegistry > port

The port where the registry listens on, if not the default.

Type

Required

number

No

providers[].deploymentRegistry.namespace

providers > deploymentRegistry > namespace

The namespace in the registry where images should be pushed.

Type

Default

Required

string

"_"

No

Example:

providers:
- deploymentRegistry:
...
namespace: "my-project"

providers[].ingressClass

providers > ingressClass

The ingress class to use on configured Ingresses (via the kubernetes.io/ingress.class annotation) when deploying container services. Use this if you have multiple ingress controllers in your cluster.

Type

Required

string

No

providers[].ingressHttpPort

providers > ingressHttpPort

The external HTTP port of the cluster's ingress controller.

Type

Default

Required

number

80

No

providers[].ingressHttpsPort

providers > ingressHttpsPort

The external HTTPS port of the cluster's ingress controller.

Type

Default

Required

number

443

No

providers[].kubeconfig

providers > kubeconfig

Path to kubeconfig file to use instead of the system default. Must be a POSIX-style path.

Type

Required

posixPath

No

providers[].namespace

providers > namespace

Specify which namespace to deploy services to, and optionally annotations/labels to apply to the namespace.

You can specify a string as a shorthand for name: <name>. Defaults to <project name>-<environment namespace>.

Note that the framework may generate other namespaces as well with this name as a prefix. Also note that if the namespace previously exists, Garden will attempt to add the specified labels and annotations. If the user does not have permissions to do so, a warning is shown.

Type

Required

`object

string`

No

providers[].namespace.name

providers > namespace > name

A valid Kubernetes namespace name. Must be a valid RFC1035/RFC1123 (DNS) label (may contain lowercase letters, numbers and dashes, must start with a letter, and cannot end with a dash) and must not be longer than 63 characters.

Type

Required

string

No

providers[].namespace.annotations

providers > namespace > annotations

Map of annotations to apply to the namespace when creating it.

Type

Required

object

No

providers[].namespace.labels

providers > namespace > labels

Map of labels to apply to the namespace when creating it.

Type

Required

object

No

providers[].setupIngressController

providers > setupIngressController

Set this to nginx to install/enable the NGINX ingress controller.

Type

Default

Required

string

false

No

Outputs

The following keys are available via the ${providers.<provider-name>} template string key for kubernetes providers.

${providers.<provider-name>.outputs.app-namespace}

The primary namespace used for resource deployments.

Type

string

${providers.<provider-name>.outputs.default-hostname}

The default hostname configured on the provider.

Type

string

${providers.<provider-name>.outputs.metadata-namespace}

Deprecated: This field will be removed in a future release.

The namespace used for Garden metadata (currently always the same as app-namespace).