Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/stefanprodan/kustomizer
An experimental package manager for distributing Kubernetes configuration as OCI artifacts.
https://github.com/stefanprodan/kustomizer
kubernetes package-manager
Last synced: 12 days ago
JSON representation
An experimental package manager for distributing Kubernetes configuration as OCI artifacts.
- Host: GitHub
- URL: https://github.com/stefanprodan/kustomizer
- Owner: stefanprodan
- License: apache-2.0
- Created: 2020-05-03T13:54:40.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2023-07-22T14:20:45.000Z (over 1 year ago)
- Last Synced: 2024-09-14T13:28:58.185Z (about 2 months ago)
- Topics: kubernetes, package-manager
- Language: Go
- Homepage: https://kustomizer.dev
- Size: 1.36 MB
- Stars: 286
- Watchers: 5
- Forks: 13
- Open Issues: 8
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
README
# kustomizer
[](https://goreportcard.com/report/github.com/stefanprodan/kustomizer)
[](https://github.com/stefanprodan/kustomizer/actions)
[](https://codecov.io/gh/stefanprodan/kustomizer)
[](https://github.com/stefanprodan/kustomizer/blob/main/LICENSE)
[](https://github.com/stefanprodan/kustomizer/releases)
Kustomizer is an experimental package manager for distributing Kubernetes configuration as OCI artifacts.
It offers commands to publish, fetch, diff, customize, validate, apply and prune Kubernetes resources.
Kustomizer relies on [server-side apply](https://kubernetes.io/docs/reference/using-api/server-side-apply/)
and requires a Kubernetes cluster **v1.20** or newer.
## Install
The Kustomizer CLI is available as a binary executable for all major platforms,
the binaries can be downloaded from GitHub [releases](https://github.com/stefanprodan/kustomizer/releases).
The binaries checksums are signed with Cosign
and each release comes with a Software Bill of Materials (SBOM) in SPDX format.
Install the latest release on macOS or Linux with Homebrew:
```bash
brew install stefanprodan/tap/kustomizer
```
For other installation methods,
see [kustomizer.dev/install](https://kustomizer.dev/install/).
## Get started
To get started with Kustomizer please visit the documentation website at [kustomizer.dev](https://kustomizer.dev/).
## Concepts
### OCI Artifacts
Kustomizer offers a way to distribute Kubernetes configuration using container registries.
It can package Kubernetes manifests in an OCI image and store them in a container registry,
right next to your applications' images.
Kustomizer comes with commands for managing OCI artifacts:
- `kustomizer push artifact oci://: -k [-f] [-p]`
- `kustomizer tag artifact oci://: `
- `kustomizer list artifacts oci:// --semver `
- `kustomizer pull artifact oci://:`
- `kustomizer inspect artifact oci://:`
- `kustomizer diff artifact `
Kustomizer is compatible with Docker Hub, GHCR, ACR, ECR, GCR, Artifactory,
self-hosted Docker Registry and others. For auth, it uses the credentials from `~/.docker/config.json`.
#### Sign & Verify Artifacts
Kustomizer can sign and verify artifacts using [sigstore/cosign](https://github.com/sigstore/cosign) either with
static keys, Cloud KMS or keyless signatures
(when running [Kustomizer with GitHub Actions](https://kustomizer.dev/github-actions/#publish-signed-artifacts)):
- `kustomizer push artifact --sign --cosign-key `
- `kustomizer pull artifact --verify --cosign-key `
- `kustomizer inspect artifact --verify --cosign-key `
For an example on how to secure your Kubernetes supply chain with Kustomizer and Cosign
please see [this guide](https://kustomizer.dev/guides/secure-supply-chain/).
### Resource Inventories
Kustomizer offers a way for grouping Kubernetes resources.
It generates an inventory which keeps track of the set of resources applied together.
The inventory is stored inside the cluster in a `ConfigMap` object and contains metadata
such as the resources provenance and revision.
The Kustomizer garbage collector uses the inventory to keep track of the applied resources
and prunes the Kubernetes objects that were previously applied but are missing from the current revision.
You specify an inventory name and namespace at apply time, and then you can use Kustomizer to
list, diff, update, and delete inventories:
- `kustomizer apply inventory [--artifact ] [-f] [-p] -k`
- `kustomizer diff inventory [-a] [-f] [-p] -k`
- `kustomizer get inventories --namespace `
- `kustomizer inspect inventory --namespace `
- `kustomizer delete inventory --namespace `
When applying resources from OCI artifacts, Kustomizer saves the artifacts URL and
the image SHA-2 digest in the inventory. For deterministic and repeatable apply operations,
you could use digests instead of tags.
### Encryption at rest
Kustomizer has builtin support for encrypting and decrypting Kubernetes configuration (packaged as OCI artifacts)
using [age](https://github.com/FiloSottile/age) asymmetric keys.
To securely distribute sensitive Kubernetes configuration to trusted users,
you can encrypt the artifacts with their age public keys:
- `kustomizer push artifact oci://: --age-recipients `
Users can access the artifacts by decrypting them with their age private keys:
- `kustomizer inspect artifact oci://: --age-identities `
- `kustomizer pull artifact oci://: --age-identities `
- `kustomizer apply inventory [--artifact ] --age-identities `
- `kustomizer diff inventory [--artifact ] --age-identities `
## Contributing
Kustomizer is [Apache 2.0 licensed](LICENSE) and accepts contributions via GitHub pull requests.