Glossary

This page collects definitions for terms that come up frequently in this section. For more detailed specifications, see the Reference.

Tazuna-specific terms

tazuna.yaml

The single input file given to Tazuna. It carries apiVersion: tazuna.pepabo.com/v1 and kind: Tazuna, and declares the “manifests to be applied” in spec.manifests[].

Manifest

A single entry in manifests[] inside tazuna.yaml. It has name / type / path, and is processed by the Manager corresponding to its type. Note that this is not a “manifest” in the Kubernetes sense (a YAML file describing resources); it is Tazuna's unit of work.

Manifest type

A string that specifies how a manifest is processed. There are five types: kustomize, helmfile, genesissecret, parallel, and oras.

Manager

A component that handles processing for a given manifest type. It provides three operations — Apply (reflect into the cluster), Destroy (remove), and Build (generate without touching the cluster) — and the Runner uses just these three to treat all backends uniformly.

Runner

The central orchestrator of Tazuna. It is responsible for loading tazuna.yaml, expanding includes, filtering by --tags, invoking Managers, and launching Test plugins.

Test plugin

A mechanism for expressing verifications you want to run before or after applying a manifest. The built-in plugins are wait-until (wait until Ready/present) and exist-nonexist (assert presence/absence). They are written under spec.manifests[].tests or spec.tests.

State

The record Tazuna uses to track “the resources it installed itself.” It is stored in the cluster as ConfigMaps in the tazuna namespace, one per manifest, named tazuna-state-<manifest-name>.

State key

The key string that identifies a single State entry. For namespaced resources it is {manifest}/{group}/{version}/{kind}/{namespace}/{name}; for cluster-scoped resources, {manifest}/{group}/{version}/{kind}/{name}.

ContentHash

The SHA-256 hash value carried by each State entry. It is computed over the resource YAML with the server-managed fields metadata.resourceVersion, uid, creationTimestamp, generation, managedFields and selfLink, as well as status, excluded, so that only declared content influences it. tazuna state diff decides whether a resource counts as modified by comparing this hash with the one recorded in State.

Diff type

The classification tazuna state diff assigns to each resource. There are four types: added, modified, removed, and always-sync.

always-sync

A Diff type for targets that skip the diff calculation and are synced on every apply, such as Secrets derived from GenesisSecret. It is used where a change cannot be detected via ContentHash, or should not be: when the value is updated on the 1Password side, the hash of the Secret in the cluster does not change, so the design queries the Provider every time instead of relying on ContentHash. See GenesisSecret Schema - State and always-sync and Drift Monitoring for usage examples and operational treatment.
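The State key, ContentHash and Diff type entries above describe one mechanism, so here is a single worked example of it in Go. This is an added illustration, not Tazuna's own code: the key builder and the four-way classification follow the definitions on this page, but it hashes a canonical JSON encoding of a nested map (the page says the real hash is over the resource YAML, so digests differ), treats an empty Namespace as cluster-scoped, keeps the always-sync flag as a plain bool on the entry, and checks always-sync before the hash comparison. The ObjectRef, StateEntry and SampleDeployment names are this example's, and the sample Deployment is constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Resource is a constructed stand-in for one Kubernetes object (nested map, not YAML).
type Resource map[string]any

// ObjectRef names a resource the way the State key needs it. An empty Namespace is
// taken to mean cluster-scoped (this example's assumption).
type ObjectRef struct {
	Manifest, Group, Version, Kind, Namespace, Name string
}

// StateKey builds {manifest}/{group}/{version}/{kind}/{namespace}/{name} for namespaced
// resources and {manifest}/{group}/{version}/{kind}/{name} for cluster-scoped ones.
// How the empty core API group ("") is rendered is not stated on the page; this just joins it.
func StateKey(o ObjectRef) string {
	parts := []string{o.Manifest, o.Group, o.Version, o.Kind}
	if o.Namespace != "" {
		parts = append(parts, o.Namespace)
	}
	return strings.Join(append(parts, o.Name), "/")
}

// Metadata fields excluded before hashing, as listed under ContentHash.
var volatileMetadata = []string{
	"resourceVersion", "uid", "creationTimestamp", "generation", "managedFields", "selfLink",
}

// ContentHash is SHA-256 over the resource with server-managed metadata and status
// stripped, so only declared content decides whether a resource counts as modified.
func ContentHash(r Resource) (string, error) {
	raw, err := json.Marshal(r)
	if err != nil {
		return "", err
	}
	var clean map[string]any // JSON round trip: a deep copy we can mutate safely
	if err := json.Unmarshal(raw, &clean); err != nil {
		return "", err
	}
	if md, ok := clean["metadata"].(map[string]any); ok {
		for _, k := range volatileMetadata {
			delete(md, k)
		}
	}
	delete(clean, "status")
	canonical, err := json.Marshal(clean) // encoding/json sorts map keys: stable bytes
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(canonical)
	return hex.EncodeToString(sum[:]), nil
}

// DiffType is the classification tazuna state diff assigns to each resource.
type DiffType string

const (
	Added      DiffType = "added"
	Modified   DiffType = "modified"
	Removed    DiffType = "removed"
	AlwaysSync DiffType = "always-sync"
)

// StateEntry is one record from a tazuna-state-<manifest> ConfigMap, keyed by StateKey.
// Where the real tool keeps the always-sync flag is not covered by the glossary.
type StateEntry struct {
	ContentHash string
	AlwaysSync  bool
}

// Diff classifies every key in the recorded State and the freshly built desired set.
// Unchanged resources are not reported; always-sync skips the hash comparison entirely.
func Diff(recorded, desired map[string]StateEntry) map[string]DiffType {
	out := map[string]DiffType{}
	for key, want := range desired {
		have, known := recorded[key]
		switch {
		case want.AlwaysSync:
			out[key] = AlwaysSync
		case !known:
			out[key] = Added
		case have.ContentHash != want.ContentHash:
			out[key] = Modified
		}
	}
	for key := range recorded {
		if _, still := desired[key]; !still {
			out[key] = Removed
		}
	}
	return out
}

// SampleDeployment is constructed; resourceVersion, uid, managedFields and status are the
// server-managed noise that must not influence the hash.
func SampleDeployment(replicas int, resourceVersion string) Resource {
	return Resource{
		"apiVersion": "apps/v1", "kind": "Deployment",
		"metadata": map[string]any{"name": "web", "namespace": "default",
			"resourceVersion": resourceVersion, "uid": "0000-constructed",
			"managedFields": []any{map[string]any{"manager": "tazuna"}}},
		"spec":   map[string]any{"replicas": replicas},
		"status": map[string]any{"readyReplicas": replicas},
	}
}

func main() {
	key := StateKey(ObjectRef{Manifest: "app", Group: "apps", Version: "v1", Kind: "Deployment", Namespace: "default", Name: "web"})
	h1, _ := ContentHash(SampleDeployment(2, "100"))
	h2, _ := ContentHash(SampleDeployment(2, "101")) // only server noise moved
	h3, _ := ContentHash(SampleDeployment(3, "102")) // replicas changed
	fmt.Println(key, "noise-only same hash:", h1 == h2, "spec-change same hash:", h1 == h3)
	recorded := map[string]StateEntry{key: {ContentHash: h1}, "app/rbac.authorization.k8s.io/v1/ClusterRole/viewer": {ContentHash: "old"}}
	desired := map[string]StateEntry{key: {ContentHash: h3}, "app/batch/v1/CronJob/default/backup": {ContentHash: "new"}}
	for k, d := range Diff(recorded, desired) {
		fmt.Println(d, k)
	}
}
```

The point to take from the run: bumping resourceVersion or status between two builds leaves the hash identical, while a spec change flips it to modified, and the ClusterRole that vanished from the build is reported as removed rather than silently forgotten.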

GenesisSecret

A declaration for generating Kubernetes Secrets from secret values stored in 1Password. It is not a Kubernetes CRD but a YAML schema that Tazuna reads. It is referenced from tazuna.yaml as a manifest with type: genesissecret.

Provider (SecretProvider)

The interface that abstracts the source from which GenesisSecret pulls secret values. Currently, an implementation for 1Password (op) is bundled.

context_matches

spec.context_matches in tazuna.yaml. An array of regular expressions the current kubeconfig context name must match — a guard against applying to the wrong cluster.

context_match_mode

The evaluation mode for context_matches: or (the default) or and.

includes

A manifests[] entry that loads another tazuna.yaml file and expands its manifests[] inline. Nesting is not allowed.

Tag (manifest tag)

A string written under manifests[].tags. Used to narrow down what gets applied, e.g. tazuna apply --tags foo,bar. Multiple tags are evaluated as an OR.
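The context_matches, context_match_mode and Tag entries all describe checks the Runner makes before any Manager is invoked. The Go below is an added example of those two checks, written for this page rather than taken from Tazuna: patterns are evaluated with Go's regexp and are not implicitly anchored here (whether Tazuna anchors them is not stated), a pattern that fails to compile is an error rather than a match so the wrong-cluster guard fails closed, an absent pattern list is treated as "no guard", and a run without --tags selects every manifest. The names ContextAllowed, ParseTags, Manifest and SelectByTags and the sample manifests are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MatchMode mirrors spec.context_match_mode; "or" is the default.
type MatchMode string

const (
	ModeOr  MatchMode = "or"
	ModeAnd MatchMode = "and"
)

// ContextAllowed evaluates spec.context_matches against the current kubeconfig context
// name. Any regex compile error is returned as an error, never as a match (fail closed).
// An empty pattern list means no guard is configured (this example's assumption).
func ContextAllowed(context string, patterns []string, mode MatchMode) (bool, error) {
	if mode == "" {
		mode = ModeOr
	}
	if mode != ModeOr && mode != ModeAnd {
		return false, fmt.Errorf("unknown context_match_mode %q", mode)
	}
	if len(patterns) == 0 {
		return true, nil
	}
	matched := 0
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return false, fmt.Errorf("context_matches %q: %w", p, err)
		}
		if re.MatchString(context) { // not anchored: write ^...$ in the pattern yourself
			matched++
		}
	}
	if mode == ModeAnd {
		return matched == len(patterns), nil
	}
	return matched > 0, nil
}

// ParseTags turns the --tags foo,bar flag value into a tag list, dropping blanks.
func ParseTags(flag string) []string {
	var tags []string
	for _, t := range strings.Split(flag, ",") {
		if t = strings.TrimSpace(t); t != "" {
			tags = append(tags, t)
		}
	}
	return tags
}

// Manifest carries only the fields the --tags filter needs.
type Manifest struct {
	Name string
	Tags []string
}

// SelectByTags keeps, in order, every manifest carrying at least one requested tag (OR).
// With no --tags nothing is filtered out (assumption: the page describes tags only as a
// way to narrow the set). A manifest without tags is never selected once --tags is given.
func SelectByTags(ms []Manifest, requested []string) []string {
	names := make([]string, 0, len(ms))
	if len(requested) == 0 {
		for _, m := range ms {
			names = append(names, m.Name)
		}
		return names
	}
	want := map[string]bool{}
	for _, t := range requested {
		want[t] = true
	}
	for _, m := range ms {
		for _, t := range m.Tags {
			if want[t] {
				names = append(names, m.Name)
				break
			}
		}
	}
	return names
}

func main() {
	patterns := []string{"^prod-", "-tokyo$"} // constructed context_matches
	for _, ctx := range []string{"prod-tokyo", "prod-osaka", "kind-dev"} {
		orOK, _ := ContextAllowed(ctx, patterns, ModeOr)
		andOK, _ := ContextAllowed(ctx, patterns, ModeAnd)
		fmt.Printf("%-11s or=%v and=%v\n", ctx, orOK, andOK)
	}
	ms := []Manifest{{"cert-manager", []string{"foo"}}, {"ingress", []string{"bar", "baz"}}, {"monitoring", []string{"qux"}}}
	fmt.Println("--tags foo,bar selects:", SelectByTags(ms, ParseTags("foo,bar")))
}
```

The and mode is the one to reach for when each pattern guards a different dimension (environment prefix, region suffix): under or, a single loose pattern is enough to let an apply through to a context it was never meant for.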

Manifest path

manifests[].path. Written as a path relative to the directory containing tazuna.yaml itself. Tazuna converts it into a path relative to the current working directory at runtime.

tazuna.hint.yaml

A hint file that declares the type and format constraints on values that helmfile’s vars may take. It is read by pkg/hint/.

Kubernetes terms (supplementary)

Below are short definitions of standard Kubernetes terms that come up frequently within Tazuna.

kubeconfig

A YAML file that bundles cluster connection information (cluster / user / context). Tazuna reads current-context from it and operates against the corresponding cluster.

context (kubeconfig context)

A kubeconfig element that combines “which user connects to which cluster” under a single name. The context name is what context_matches checks with its regular expressions.

GVK (Group/Version/Kind)

The three-tuple that uniquely identifies a Kubernetes resource kind. Tazuna’s State key also includes the GVK.

namespaced / cluster-scoped

Whether a resource belongs to a namespace or not. This is reflected in the length of the State key: 6 parts for a namespaced resource, 5 for a cluster-scoped one.

ConfigMap

A built-in resource for storing arbitrary key-value data in the cluster. Used as the storage location for Tazuna’s State.

External tools

kustomize

An overlay/patch mechanism for Kubernetes manifests. Invoked from the type: kustomize Manager.

helmfile

A tool that bundles multiple Helm releases from a single YAML. Invoked from the type: helmfile Manager.

Helm

The package manager for Helm charts. Used internally by helmfile.

ORAS / OCI artifact

A standard for storing non-container artifacts, such as Kubernetes manifests, in an OCI registry. type: oras pulls the artifact, then delegates processing to the helmfile or kustomize Manager specified in delegate.

1Password

The secret storage that Tazuna references from GenesisSecret and helmfile.vars.op. Retrieval is done via the op command.