Deploys external Git repositories as Kubernetes applications. Kaniko/BuildKit builds from source. Framework-aware environment variables. Dynamic storage, networking, and security context.
| Attribute | Example | Description |
|---|---|---|
| namespace (REQ) | my-app | Kubernetes namespace - all generated manifests and service DNS |
| port (REQ) | 8080 | Container port (containerPort). Service always exposes :80 |
| version | v1.2.3 | Image tag for build destination and deployment. Ignored if imageupdater_update_enable is set. |
| service_type | ClusterIP | Kubernetes Service type |
| command | npm start | Override container command. Runs as ["/bin/sh", "-c", "command"]. If empty, uses Dockerfile CMD. |
| replicas | 3 | Deployment replica count. Defaults to 1 if not set. |
| imageupdater_update_enable | true | When enabled, image tag is omitted from Deployment (Flux/ArgoCD Image Updater manages it). Also adds newTag: latest in dev overlay. |
| user_id / group_id | 10001 | runAsUser / runAsGroup + fsGroup. Only applied when pod_security is in security_features. Must match Dockerfile USER. |
| security_features | [pod_security, read_only_fs, ...] | List of security policies. See Security Matrix below for each option. |
| pvc / pvc_name / mount_path | true / data / /data | Generates pvc.yaml. Creates PVC named pvc_name mounted at mount_path. All three must be set together. |
| writable_directory / directory | true / /app/tmp | Adds emptyDir volume at directory path. Use when read_only_fs is enabled and app needs writable space beyond /tmp. Both must be set together. |
| files_mount_path | /app/static | Mounts the static-files ConfigMap (from files/ directory) at this path as readOnly. |
| hpa | true | Enables HorizontalPodAutoscaler. When enabled, set the attributes below. |
| hpa_min_replicas / hpa_max_replicas | 2 / 10 | HPA scaling bounds. Only used when hpa is enabled. |
| hpa_cpu_target / hpa_memory_target | 80 / 80 | HPA target utilization percentage. Only used when hpa is enabled. |
| hpa_scale_up_stabilization / hpa_scale_down_stabilization | 0 / 300 | Stabilization window in seconds before scaling up/down. Only used when hpa is enabled. |
| probes | true | Enables liveness + readiness probes via probes-patch.yaml. Probe type depends on probe_path. |
| probe_path | /health | If set: HTTP GET probe at this path. If empty: TCP socket probe on container port. Only used when probes is enabled. |
| rbac | true | Creates ServiceAccount + Role + RoleBinding. If false, only a bare ServiceAccount is created. |
| cpu_request / mem_request | 100m / 128Mi | Resource requests in resource-patch.yaml |
| cpu_limit / mem_limit | 500m / 512Mi | Resource limits in resource-patch.yaml |
| ephemeral_storage | 1Gi | Ephemeral storage limit in resource-patch.yaml |
| startup_commands | migrate db | Generates files/startup.sh init script with the specified commands |
| configmap | KEY=value | Custom ENV vars appended to config/cloud.env (non-secret) |
| framework_type | python | Controls ENV variable naming in cloud.env for each linked service. Options: spring, nodejs, python, django, flask, fastapi, rails, laravel, generic |
| git_host | github.com | Git server hostname for clone URL |
| git_owner / project | my-org / my-repo | Repository owner and name for build jobs |
| branch | main | Git branch to build from |
| git_folder | /app | Subdirectory in repo (context-sub-path for Kaniko, contextsubdir for BuildKit). If empty or "/", uses repo root. |
| dockerfile | Dockerfile.prod | Custom Dockerfile path. If empty, defaults to "Dockerfile". |
| git_token | ghp_xxx | Access token for private repos. BuildKit uses it in the HTTPS clone URL. Stored in secret/git.env. |
| Toggle | Requires | Behavior |
|---|---|---|
| pvc = true | pvc_name + mount_path | Generates pvc.yaml, adds PVC volumeMount in Deployment |
| writable_directory = true | directory | Adds emptyDir volume at directory path. Common with read_only_fs for writable dirs. |
| read_only_fs in security_features | (none) | Auto-adds writable /tmp emptyDir volume. Use writable_directory for additional writable paths. |
| pod_security in security_features | user_id + group_id | Sets runAsUser/runAsGroup/fsGroup + pod-security.kubernetes.io labels |
| hpa = true | hpa_min_replicas, hpa_max_replicas, hpa_cpu_target, hpa_memory_target, hpa_scale_up_stabilization, hpa_scale_down_stabilization | Generates hpa.yaml with all scaling params |
| probes = true | probe_path (optional) | If probe_path set: HTTP GET probe. If empty: TCP socket probe on container port. |
| imageupdater_update_enable = true | (none) | Omits version tag from image reference. Adds newTag: latest in dev overlay for image updater. |
| rbac = true | Link attribute rbac_link_roles | SA + Role + RoleBinding. Cross-namespace RBAC generated per outbound link that has rbac_link_roles set (observer/operator/developer/admin). |
| Config | Options | Effect |
|---|---|---|
| build_type | kaniko or buildkit | kaniko: git:// protocol clone, no token needed for public repos. buildkit: HTTPS clone, supports git_token for private repos. |
Each item in security_features list enables specific fields in source_code.yaml Deployment spec.
| Feature | K8s Field | Value |
|---|---|---|
| pod_security | runAsNonRoot, runAsUser, runAsGroup, fsGroup + pod-security.kubernetes.io labels | Uses user_id / group_id values |
| no_host_access | hostNetwork, hostPID, hostIPC | false |
| no_privilege_escalation | allowPrivilegeEscalation, privileged | false |
| read_only_fs | readOnlyRootFilesystem | true + auto-adds writable /tmp emptyDir volume |
| drop_capabilities | capabilities.drop | [ALL] |
| seccomp | seccompProfile.type | RuntimeDefault (applied at both pod and container level when combined with pod_security) |
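The matrix above and the user_id / group_id rule can be turned into a reproducible check before a manifest is committed. This is an added illustration, not the generator's own code: it renders the securityContext fields and writable emptyDir volumes a security_features list implies, using the field names and values from the matrix, and verifies that user_id matches the Dockerfile USER. The helper names, the volume names "tmp" and "writable", and the omission of the pod-security.kubernetes.io labels are assumptions.

```python
# Added illustration (not the generator's own code): render the Deployment
# securityContext fields and writable emptyDir volumes that a security_features
# list implies, using the Security Matrix field names. Helper names and the
# volume names "tmp"/"writable" are assumptions; namespace labels are not rendered.

CONTAINER_FIELDS = {
    "no_privilege_escalation": {"allowPrivilegeEscalation": False, "privileged": False},
    "read_only_fs": {"readOnlyRootFilesystem": True},
    "drop_capabilities": {"capabilities": {"drop": ["ALL"]}},
}
POD_FIELDS = {"no_host_access": {"hostNetwork": False, "hostPID": False, "hostIPC": False}}


def render_security(features, user_id=None, group_id=None, writable_directory=None):
    """Return (pod_spec_fragment, container_security_context, volumes, volume_mounts)."""
    if "pod_security" in features and (user_id is None or group_id is None):
        raise ValueError("pod_security requires user_id and group_id")
    pod_spec, container_sc, volumes, mounts = {}, {}, [], []
    for feature in features:
        pod_spec.update(POD_FIELDS.get(feature, {}))
        container_sc.update(CONTAINER_FIELDS.get(feature, {}))
    if "pod_security" in features:
        pod_spec["securityContext"] = {"runAsNonRoot": True, "runAsUser": user_id,
                                       "runAsGroup": group_id, "fsGroup": group_id}
    if "seccomp" in features:
        container_sc["seccompProfile"] = {"type": "RuntimeDefault"}
        if "pod_security" in features:  # pod level too, as the matrix states
            pod_spec["securityContext"]["seccompProfile"] = {"type": "RuntimeDefault"}
    if "read_only_fs" in features:  # auto-added writable /tmp
        volumes.append({"name": "tmp", "emptyDir": {}})
        mounts.append({"name": "tmp", "mountPath": "/tmp"})
    if writable_directory:  # writable_directory / directory attributes
        volumes.append({"name": "writable", "emptyDir": {}})
        mounts.append({"name": "writable", "mountPath": writable_directory})
    return pod_spec, container_sc, volumes, mounts


def dockerfile_user_matches(dockerfile_text, user_id):
    """Check the 'must match Dockerfile USER' rule: True/False for a numeric USER,
    None when USER is absent or symbolic (cannot be verified without /etc/passwd)."""
    user = None
    for line in dockerfile_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "USER":
            user = parts[1].split(":")[0].strip()  # last USER instruction wins
    if user is None or not user.isdigit():
        return None
    return int(user) == user_id
```

A symbolic USER (for example `USER appuser`) returns None because the numeric uid lives in the image's /etc/passwd, so it has to be confirmed separately against user_id.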
framework_type controls ENV variable naming in secret/cloud.env per linked service. All values are auto-generated from linked component metadata.
| Link | spring | nodejs | python/django/flask/fastapi | rails | laravel |
|---|---|---|---|---|---|
| PostgreSQL / CNPG | SPRING_DATASOURCE_URL, SPRING_DATASOURCE_USERNAME, SPRING_DATASOURCE_PASSWORD | DATABASE_URL, PGHOST, PGPORT, PGUSER, PGPASSWORD, PGDATABASE | DATABASE_URL | DATABASE_URL | DB_CONNECTION, DB_HOST, DB_PORT, DB_DATABASE, DB_USERNAME, DB_PASSWORD |
| MongoDB | SPRING_DATA_MONGODB_URI, SPRING_DATA_MONGODB_DATABASE | MONGODB_URI | MONGODB_URI | MONGODB_URI | - |
| RabbitMQ | SPRING_RABBITMQ_HOST, SPRING_RABBITMQ_PORT, SPRING_RABBITMQ_USERNAME, SPRING_RABBITMQ_PASSWORD, SPRING_RABBITMQ_VIRTUAL_HOST | AMQP_URL | AMQP_URL | RABBITMQ_URL | RABBITMQ_HOST, RABBITMQ_PORT, RABBITMQ_USER, RABBITMQ_PASSWORD, RABBITMQ_VHOST |
| Valkey / Redis | SPRING_DATA_REDIS_HOST, SPRING_DATA_REDIS_PORT, SPRING_DATA_REDIS_PASSWORD | REDIS_URL | REDIS_URL | REDIS_URL | REDIS_HOST, REDIS_PASSWORD, REDIS_PORT |
| MinIO Bucket | MINIO_HOST, MINIO_BUCKET, MINIO_ACCESS_KEY, MINIO_SECRET_KEY (same for all frameworks) | | | | |
| SeaweedFS (S3) | AWS_S3_ENDPOINT, AWS_S3_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION | S3_ENDPOINT, S3_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION | S3_ENDPOINT_URL, S3_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION | S3_ENDPOINT, S3_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION | AWS_ENDPOINT, AWS_BUCKET, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION, AWS_USE_PATH_STYLE_ENDPOINT |
| OTEL | OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_TRACES_ENDPOINT, OTEL_EXPORTER_OTLP_METRICS_ENDPOINT, OTEL_SERVICE_NAME + pod annotation (same for all frameworks). Python also adds PYTHONPATH (requires pythonpath link attribute). See OTEL link docs. | | | | |
| Link Type | Target | Generated Output |
|---|---|---|
| external_source_code-prometheus | Prometheus | ServiceMonitor in source_code.yaml scraping /actuator/prometheus every 15s |
| external_source_code-rabbitmq | RabbitMQ (direct) | RabbitMQ connection ENVs in secret/cloud.env |
| external_source_code-exchange | RabbitMQ exchange sub-component | Framework-specific RabbitMQ connection ENVs |
| external_source_code-bucket | MinIO bucket sub-component | MINIO_HOST, MINIO_BUCKET, MINIO_ACCESS_KEY, MINIO_SECRET_KEY |
| external_source_code-swbucket | SeaweedFS bucket sub-component | Framework-specific S3-compatible ENVs |
| external_source_code-database | PostgreSQL database sub-component | Framework-specific DB connection ENVs |
| external_source_code-mongo_db | MongoDB database sub-component | Framework-specific MongoDB connection ENVs |
| external_source_code-db | CNPG database sub-component | Framework-specific DB connection ENVs (uses cluster-cnpg-rw service) |
| external_source_code-valkey | Valkey / Redis | Framework-specific Redis connection ENVs |
| external_source_code-otel | OTEL Collector | OTEL_* ENVs in cloud.env + pod auto-instrumentation annotation. Link attributes: otel_language (req), pythonpath (python only). |
| external_source_code-pv | SeaweedFS PV sub-component | seaweedfs-pvc.yaml + CSI volumeMount in Deployment. Link attribute mount_path controls mount location. |
| Link Type | Source | Generated Output |
|---|---|---|
| kong-external_source_code | Kong Ingress | ingress.yaml with Kong ingressClassName + optional CORS/rate-limit plugins |
| apisix-external_source_code | APISIX (direct) | Route generated on APISIX side (not in this component) |
| gateway-external_source_code | APISIX Gateway sub-component | Custom gateway routing via APISIX gateway sub-component |
| istio-external_source_code | Istio | Adds istio-injection: enabled label to namespace.yaml |
| sonarqube-external_source_code | SonarQube | solarqube-scan.yaml Job in build pipeline (code quality scan after build) |
rbac_link_roles attribute):

| File | Condition | Content |
|---|---|---|
| Deploy (k8s/deploy/base/) | | |
| source_code.yaml | Always | Deployment (containerPort:{port}, image, security, volumes) + Service (port:80 → targetPort:{port}) + ServiceMonitor (if Prometheus linked) |
| namespace.yaml | Always | Namespace. Adds istio-injection: enabled label if Istio linked. |
| kustomization.yaml | Always | Kustomize: resources, secretGenerator (registry + cloud.env), configMapGenerator (static-files), patches, stacktic labels |
| rbac.yaml | Always | If rbac=true: SA + Role + RoleBinding + cross-namespace roles. If rbac=false: bare ServiceAccount only. |
| secret/cloud.env | Always (SOPS) | Secret connection ENVs (DB, MQ, S3, Redis, OTEL) - populated per linked service & framework_type |
| config/cloud.env | Always | Non-secret ENVs + custom configmap attribute values |
| secret/registry.json | Always (SOPS) | Docker registry credentials (.dockerconfigjson) |
| jobs/clean-job.yaml | Always | Cleanup Job |
| files/test_file.text | Always | Placeholder for ConfigMap mount (add real files here) |
| ingress.yaml | Kong linked | Ingress with Kong ingressClassName. Optional CORS plugin (if cors link attr), rate-limit plugin (if rate_limiting link attr). |
| pvc.yaml | pvc = true | PersistentVolumeClaim named pvc_name |
| seaweedfs-pvc.yaml | SeaweedFS PV linked | One PVC per linked SeaweedFS PV sub-component (CSI driver) |
| hpa.yaml | hpa = true | HPA with CPU + memory targets, scaleUp/scaleDown stabilization windows |
| files/startup.sh | startup_commands set | Init script from startup_commands attribute |
| Patches (k8s/deploy/base/patch/) | | |
| resource-patch.yaml | Always | CPU/memory requests+limits + ephemeral storage |
| probes-patch.yaml | probes = true | Liveness (delay:5s, period:10s) + readiness (delay:2s, period:5s). HTTP GET if probe_path set, TCP socket otherwise. |
| Build Pipeline (k8s/build/base/) | | |
| kaniko.yaml | build_type = kaniko | Kaniko build Job: git:// clone, context-sub-path from git_folder, custom dockerfile support |
| buildkit.yaml | build_type = buildkit | BuildKit build Job: HTTPS clone with git_token, contextsubdir from git_folder, custom dockerfile |
| solarqube-scan.yaml | SonarQube linked | Code quality scan Job (runs after build). Detects Java/Maven projects automatically. |
| secret/git.env | Always | Git credentials: username=git_owner, password=git_token |
| Layer | Port | Source |
|---|---|---|
| Container | {port attribute} | containerPort from port attribute |
| Service | 80 | Fixed service port, targetPort maps to container port |