- # List other providers that should be resolved before this one.
# If specified, this provider will only be used in the listed environments. Note that an empty array effectively
# disables the provider. To use a provider in all environments, omit this field.
# Choose the mechanism for building container images before deploying. By default your local Docker daemon is
# used, but you can set it to `cluster-buildkit` or `kaniko` to sync files to the cluster, and build container
# images there. This removes the need to run Docker locally, and allows you to share layer and image caches
# between multiple developers, as well as between your development and CI workflows.
# For more details on all the different options and what makes sense to use for your setup, please check out the
# [in-cluster building guide](https://docs.garden.io/guides/in-cluster-building).
# **Note:** The `cluster-docker` mode has been deprecated and will be removed in a future release!
# Configuration options for the `cluster-buildkit` build mode.
# Enable rootless mode for the cluster-buildkit daemon, which runs the daemon with decreased privileges.
# Please see [the buildkit docs](https://github.com/moby/buildkit/blob/master/docs/rootless.md) for caveats when
# Exposes the `nodeSelector` field on the PodSpec of the BuildKit deployment. This allows you to constrain the
# BuildKit daemon to only run on particular nodes.
# [See here](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) for the official Kubernetes
# guide to assigning Pods to nodes.
# Setting related to Jib image builds.
# In some cases you may need to push images built with Jib to the remote registry via Kubernetes cluster, e.g.
# if you don't have connectivity or access from where Garden is being run. In that case, set this flag to true,
# but do note that the build will take considerably take longer to complete! Only applies when using in-cluster
# Configuration options for the `kaniko` build mode.
# Specify extra flags to use when building the container image with kaniko. Flags set on `container` modules
# take precedence over these.
# Change the kaniko image (repository/image:tag) to use when building in kaniko mode.
image: 'gcr.io/kaniko-project/executor:v1.6.0-debug'
# Choose the namespace where the Kaniko pods will be run. Set to `null` to use the project namespace.
# **IMPORTANT: The default namespace will change to the project namespace instead of the garden-system namespace
# in an upcoming release!**
# Exposes the `nodeSelector` field on the PodSpec of the Kaniko pods. This allows you to constrain the Kaniko
# pods to only run on particular nodes.
# [See here](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) for the official Kubernetes
# guide to assigning Pods to nodes.
# Specify tolerations to apply to each Kaniko Pod. Useful to control which nodes in a cluster can run builds.
- # "Effect" indicates the taint effect to match. Empty means match all taint effects. When specified,
# allowed values are "NoSchedule", "PreferNoSchedule" and "NoExecute".
# "Key" is the taint key that the toleration applies to. Empty means match all taint keys.
# If the key is empty, operator must be "Exists"; this combination means to match all values and all keys.
# "Operator" represents a key's relationship to the value. Valid operators are "Exists" and "Equal".
# "Equal". "Exists" is equivalent to wildcard for value, so that a pod can tolerate all taints of a
# "TolerationSeconds" represents the period of time the toleration (which must be of effect "NoExecute",
# otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate
# the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately)
# "Value" is the taint value the toleration matches to. If the operator is "Exists", the value should be
# otherwise just a regular string.
# A default hostname to use when no hostname is explicitly configured for a service.
# Sets the deployment strategy for `container` services.
# The default is `"rolling"`, which performs rolling updates. There is also experimental support for blue/green
# deployments (via the `"blue-green"` strategy).
# Note that this setting only applies to `container` services (and not, for example, `kubernetes` or `helm`
deploymentStrategy: rolling
# Configuration options for dev mode.
# Specifies default settings for dev mode syncs (e.g. for `container`, `kubernetes` and `helm` services).
# These are overridden/extended by the settings of any individual dev mode sync specs for a given module or
# Dev mode is enabled when running the `garden dev` command, and by setting the `--dev` flag on the `garden
# See the [Code Synchronization guide](https://docs.garden.io/guides/code-synchronization-dev-mode) for more
# Specify a list of POSIX-style paths or glob patterns that should be excluded from the sync.
# Any exclusion patterns defined in individual dev mode sync specs will be applied in addition to these
# `.git` directories and `.garden` directories are always ignored.
# The default permission bits, specified as an octal, to set on files at the sync target. Defaults to 0600
# (user read/write). See the [Mutagen
# docs](https://mutagen.io/documentation/synchronization/permissions#permissions) for more information.
# The default permission bits, specified as an octal, to set on directories at the sync target. Defaults to
# 0700 (user read/write). See the [Mutagen
# docs](https://mutagen.io/documentation/synchronization/permissions#permissions) for more information.
# Set the default owner of files and directories at the target. Specify either an integer ID or a string name.
# See the [Mutagen docs](https://mutagen.io/documentation/synchronization/permissions#owners-and-groups) for
# Set the default group on files and directories at the target. Specify either an integer ID or a string name.
# See the [Mutagen docs](https://mutagen.io/documentation/synchronization/permissions#owners-and-groups) for
# Require SSL on all `container` module services. If set to true, an error is raised when no certificate is
# available for a configured hostname on a `container` module.
# References to `docker-registry` secrets to use for authenticating with remote registries when pulling
# images. This is necessary if you reference private images in your module configuration, and is required
# when configuring a remote Kubernetes environment with buildMode=local.
- # The name of the Kubernetes secret.
# The namespace where the secret is stored. If necessary, the secret may be copied to the appropriate
# Resource requests and limits for the in-cluster builder, container registry and code sync service. (which are
# automatically installed and used when `buildMode` is `cluster-docker` or `kaniko`).
# Resource requests and limits for the in-cluster builder. It's important to consider which build mode you're
# using when configuring this.
# When `buildMode` is `kaniko`, this refers to _each Kaniko pod_, i.e. each individual build, so you'll want to
# consider the requirements for your individual image builds, with your most expensive/heavy images in mind.
# When `buildMode` is `cluster-buildkit`, this applies to the BuildKit deployment created in _each project
# namespace_. So think of this as the resource spec for each individual user or project namespace.
# When `buildMode` is `cluster-docker`, this applies to the single Docker Daemon that is installed and run
# cluster-wide. This is shared across all users and builds in the cluster, so it should be resourced
# accordingly, factoring in how many concurrent builds you expect and how heavy your builds tend to be. **Note
# that the cluster-docker build mode has been deprecated!**
# Memory limit in megabytes.
# Ephemeral storage limit in megabytes.
# CPU request in millicpu.
# Memory request in megabytes.
# Ephemeral storage request in megabytes.
# Resource requests and limits for the in-cluster image registry. Built images are pushed to this registry,
# so that they are available to all the nodes in your cluster.
# This is shared across all users and builds, so it should be resourced accordingly, factoring
# in how many concurrent builds you expect and how large your images tend to be.
# Memory limit in megabytes.
# Ephemeral storage limit in megabytes.
# CPU request in millicpu.
# Memory request in megabytes.
# Ephemeral storage request in megabytes.
# Storage parameters to set for the in-cluster builder, container registry and code sync persistent volumes
# (which are automatically installed and used when `buildMode` is `cluster-docker` or `kaniko`).
# These are all shared cluster-wide across all users and builds, so they should be resourced accordingly,
# factoring in how many concurrent builds you expect and how large your images and build contexts tend to be.
# Storage parameters for the in-cluster Docker registry volume. Built images are stored here, so that they
# are available to all the nodes in your cluster.
# Only applies when `buildMode` is set to `cluster-docker` or `kaniko`, ignored otherwise.
# Volume size in megabytes.
# Storage class to use for the volume.
# One or more certificates to use for ingress.
- # A unique identifier for this certificate.
# A list of hostnames that this certificate should be used for. If you don't specify these, they will be
# automatically read from the certificate.
# A reference to the Kubernetes secret that contains the TLS certificate and key for the domain.
# The name of the Kubernetes secret.
# The namespace where the secret is stored. If necessary, the secret may be copied to the appropriate
# Set to `cert-manager` to configure [cert-manager](https://github.com/jetstack/cert-manager) to manage this
# [cert-manager integration guide](https://docs.garden.io/advanced/cert-manager-integration) for details.
# cert-manager configuration, for creating and managing TLS certificates. See the
# [cert-manager guide](https://docs.garden.io/advanced/cert-manager-integration) for details.
# Automatically install `cert-manager` on initialization. See the
# [cert-manager integration guide](https://docs.garden.io/advanced/cert-manager-integration) for details.
# The email to use when requesting Let's Encrypt certificates.
# The type of issuer for the certificate (only ACME is supported for now).
# Specify which ACME server to request certificates from. Currently Let's Encrypt staging and prod servers are
acmeServer: letsencrypt-staging
# The type of ACME challenge used to validate hostnames and generate the certificates (only HTTP-01 is supported
acmeChallengeType: HTTP-01
# Exposes the `nodeSelector` field on the PodSpec of system services. This allows you to constrain the system
# services to only run on particular nodes.
# [See here](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/) for the official Kubernetes guide
# to assigning Pods to nodes.
# For setting tolerations on the registry-proxy when using in-cluster building.
# The registry-proxy is a DaemonSet that proxies connections to the docker registry service on each node.
# Use this only if you're doing in-cluster building and the nodes in your cluster
# have [taints](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
registryProxyTolerations:
- # "Effect" indicates the taint effect to match. Empty means match all taint effects. When specified,
# allowed values are "NoSchedule", "PreferNoSchedule" and "NoExecute".
# "Key" is the taint key that the toleration applies to. Empty means match all taint keys.
# If the key is empty, operator must be "Exists"; this combination means to match all values and all keys.
# "Operator" represents a key's relationship to the value. Valid operators are "Exists" and "Equal". Defaults
# "Equal". "Exists" is equivalent to wildcard for value, so that a pod can tolerate all taints of a
# "TolerationSeconds" represents the period of time the toleration (which must be of effect "NoExecute",
# otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate
# the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately)
# "Value" is the taint value the toleration matches to. If the operator is "Exists", the value should be
# otherwise just a regular string.
# The name of the provider plugin to use.
# The kubectl context to use to connect to the Kubernetes cluster.
# The registry where built containers should be pushed to, and then pulled to the cluster when deploying services.
# Important: If you specify this in combination with in-cluster building, you must make sure `imagePullSecrets`
# includes authentication with the specified deployment registry, that has the appropriate write privileges
# (usually full write access to the configured `deploymentRegistry.namespace`).
# The hostname (and optionally port, if not the default port) of the registry.
# The port where the registry listens on, if not the default.
# The namespace in the registry where images should be pushed.
# The ingress class to use on configured Ingresses (via the `kubernetes.io/ingress.class` annotation)
# when deploying `container` services. Use this if you have multiple ingress controllers in your cluster.
# The external HTTP port of the cluster's ingress controller.
# The external HTTPS port of the cluster's ingress controller.
# Path to kubeconfig file to use instead of the system default. Must be a POSIX-style path.
# Specify which namespace to deploy services to, and optionally annotations/labels to apply to the namespace.
# You can specify a string as a shorthand for `name: <name>`. Defaults to `<project name>-<environment
# Note that the framework may generate other namespaces as well with this name as a prefix. Also note that if the
# namespace previously exists, Garden will attempt to add the specified labels and annotations. If the user does
# not have permissions to do so, a warning is shown.
# A valid Kubernetes namespace name. Must be a valid RFC1035/RFC1123 (DNS) label (may contain lowercase letters,
# numbers and dashes, must start with a letter, and cannot end with a dash) and must not be longer than 63
# Map of annotations to apply to the namespace when creating it.
# Map of labels to apply to the namespace when creating it.
# Set this to `nginx` to install/enable the NGINX ingress controller.
setupIngressController: false