tazuna.yaml Schema
This page describes the spec of tazuna.yaml, Tazuna’s only input file. We do not go deep here into manifest-type-specific fields (kustomize / helmfile / genesissecret / oras) or Test plugin fields. Those are covered on their own dedicated reference pages.
Root (Tazuna)
The root object of tazuna.yaml. Like a Kubernetes manifest, it has three fields: apiVersion / kind / spec.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
apiVersion | string | - | - | When set, must be exactly tazuna.pepabo.com/v1. May be omitted. |
kind | string | - | - | When set, must be exactly Tazuna. May be omitted. |
spec | TazunaSpec | Yes | - | The body that defines Tazuna’s behavior. |
Minimal example:
apiVersion: tazuna.pepabo.com/v1
kind: Tazuna
spec:
manifests:
- name: nginx
type: kustomize
path: ./kustomize/nginx
TazunaSpec
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
minimumSupportedTazunaVersion | string | - | "" | The minimum version (semver) of the tazuna binary required to process this tazuna.yaml. See minimumSupportedTazunaVersion for details. |
manifests | [Manifest] | Yes | - | The array of Manifests Tazuna processes. An empty array is not allowed. If dependsOn is used, they run in the layer order derived from the dependency graph; otherwise in declaration order. |
context_matches | [string] | - | [] | An array of regular expressions that the current kubeconfig context name must match. If non-empty, it is evaluated before apply / destroy. |
context_match_mode | string | - | or | Evaluation mode for context_matches. Either or (match any) or and (match all). |
environments | map[string]EnvironmentSpec | - | {} | A per-environment configuration map keyed by environment name. Selected with -e/--environment <name>. See environments for details. |
tests | [TestPluginSpec] | - | [] | An array of Test plugins to run after all Manifests have been applied. |
providers | [ProviderConfig] | - | [] | The list of Secret provider declarations referenced by GenesisSecret. Write it when you use something other than the built-in default-op. |
minimumSupportedTazunaVersion
- Declares, in semver form, the minimum version of the tazuna binary that can safely process this
tazuna.yaml(e.g.1.4.0). A leadingvis accepted (v1.4.0also works). - On any operation that loads
tazuna.yaml(apply/destroy/plan/build/check/status/tags/state *, etc.), if the running tazuna’s version is below this value it exits with an error. This prevents accidentally processing atazuna.yamlthat requires newer syntax with an old binary. - When unset (empty string), there is no constraint.
- If the value is not a valid semver, it is a configuration error.
- When the running tazuna is a local build (a non-semver version such as
dev), the comparison is skipped, so that local development is not blocked by this gate.
spec:
minimumSupportedTazunaVersion: "1.4.0"
manifests: []
context_matches
- Each element must be a regular expression compilable with Go’s
regexppackage. Compilation failure is caught at thetazuna checkstage. - パターンは context 名全体に対する 完全一致 として評価されます (内部で
^(?:...)$で包まれます)。prodがpreprod-clusterに マッチすることはありません。部分一致にしたい場合は.*prod.*のように 明示的に書いてください。 - If empty or unset, the context check is skipped.
- When set,
tazuna apply/tazuna destroyverify current-context before touching the cluster. Mismatch aborts processing.
context_match_mode
or(default): matching any one ofcontext_matchesis enough.and: must match all ofcontext_matches.- Any other value is a validation error.
Example:
spec:
context_matches:
- ^staging-
- -tokyo$
context_match_mode: and
manifests: []
environments
environments is a map keyed by environment name. When you select an environment with the -e/--environment <name> flag, the selected environment’s values are used instead of the top-level context_matches / context_match_mode. It is the mechanism for safely reusing the same tazuna.yaml across multiple clusters such as staging / production.
Each entry (EnvironmentSpec) has the following fields.
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
context_matches | [string] | - | [] | The context_matches patterns to enable for this environment. It completely replaces the top-level context_matches (it does not merge). |
context_match_mode | string | - | Root value | The evaluation mode for this environment. If empty, it inherits the top-level context_match_mode; if that is also empty, it defaults to or. |
Resolution rules:
- If you do not pass
-e,environmentsis ignored and the top-levelcontext_matches/context_match_modeare used (the conventional behavior). - If you pass
-e <name>,environments.<name>is used. The top-levelcontext_matchesis not referenced. - If the environment corresponding to
-e <name>is not declared underenvironments,apply/destroy/checkexit with an error. - If
environments.<name>.context_matchesis empty (or unset), no context check is performed for that environment.
-e also becomes the value of the {{ .Environment }} template variable at the same time (see Template variables). Combined with environments, you can, for example, substitute manifest values by environment name while allowing only the contexts intended for that environment.
Example:
spec:
# used for local runs where -e is not passed
context_matches:
- ^kind-
environments:
staging:
context_matches:
- ^staging-tokyo$
- ^staging-osaka$
context_match_mode: or
production:
context_matches:
- ^prod-tokyo$
context_match_mode: and
manifests:
- name: app
type: kustomize
path: ./overlays/{{ .Environment }}
# staging クラスタに向けて apply(current-context が ^staging-* でないと中断)
$ tazuna apply -e staging
# production クラスタに向けて apply
$ tazuna apply -e production
Template Variables
tazuna.yaml (and files loaded via includes) is rendered once as a Go text/template before being parsed as YAML. This lets you inject different values per environment from a single file.
How It Works
tazunaloads the specifiedtazuna.yaml.- The entire file is interpreted as a Go template and rendered by applying the variables described below.
- The rendered string is parsed as YAML.
- Files loaded via
includesare rendered the same way, with the same variables.
Rendering happens for every operation that reads tazuna.yaml, such as apply / destroy / build / plan / check / status / tags / state *. If you do not pass -e, {{ .Environment }} expands to an empty string.
Supported Variables
| Variable | Type | Description |
|---|---|---|
{{ .Environment }} | string | The value of the -e/--environment flag. Empty string when unspecified. |
Notes
- Rendering is performed on the entire file. If you want to output
{{or}}literally as YAML values, escape them like{{ "{{" }}/{{ "}}" }}. - Referencing a nonexistent variable (e.g.
{{ .Unknown }}) causes an error during rendering. - Helmfile value files and Helm chart templates are not rendered by
tazuna(they are handled by helmfile / helm). Only thetazuna.yamlbody itself and files targeted byincludesare rendered.
Use Cases
- Switching overlays: switch the manifest path by environment name, as in
path: ./overlays/{{ .Environment }}. - Substituting namespaces or labels: e.g.
defaultNamespace: {{ .Environment }}. - Combining with
environments: substitute values with{{ .Environment }}while limiting target clusters via that environment’scontext_matches, preventing application to the wrong cluster.
Manifest
Each element of spec.manifests[]. One Manifest corresponds to “one unit to install into the cluster” handled by one backend (kustomize / helmfile / others).
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
name | string | Yes | - | Manifest 識別子。小文字英数と - のみ (DNS-1123 相当、^[a-z0-9]([a-z0-9-]*[a-z0-9])?$、最大 240 文字) で、includes 展開後の全 Manifest 間でユニーク。_metadata は予約済みで使用不可。 |
description | string | - | "" | Human-facing description. Has no effect on behavior. |
type | string | Conditional (*) | - | One of kustomize / helmfile / genesissecret / oras. |
path | string | Conditional (*) | - | A path relative to the directory in which tazuna.yaml itself resides. |
tags | [string] | - | [] | Tags used for filtering by tazuna apply --tags ... and so on. OR evaluation. |
dependsOn | [string] | - | [] | The list of Manifest names that must complete before this Manifest is applied. See dependsOn for details. |
includes | [IncludeFile] | - | [] | An entry that loads another tazuna.yaml. When set, the other Manifest-specific fields are ignored. See Using includes for details. |
kustomize | ManifestKustomize | - | null | Options referenced when type: kustomize. |
helmfile | ManifestHelmfile | - | null | Options referenced when type: helmfile. |
genesisSecret | object | - | null | Options referenced when type: genesissecret. Currently an empty object. |
oras | ManifestORAS | - | null | Options referenced when type: oras. |
tests | [TestPluginSpec] | - | [] | An array of Test plugins to run after this Manifest is applied. |
(*) When specifying includes, type / path are not required. Otherwise, type and path are required.
name
- Required.
- 使える文字種は小文字英数と
-のみ (^[a-z0-9]([a-z0-9-]*[a-z0-9])?$、最大 240 文字)。 Manifest 名は state ConfigMap 名 (tazuna-state-<name>) にそのまま使われるため、 Kubernetes リソース名として不正になる大文字や_は使えません。 _metadatais reserved for internal use and cannot be used as a Manifest name.- Must be unique across all Manifests after
includesexpansion. Duplicates fail attazuna check.
tazuna check では name のバリデーションは エラー として扱います。 tazuna apply / build / destroy では移行期間として 警告ログのみ が出る挙動に なっていますが、--sync または dependsOn を使う場合はエラー になります (不正な名前のまま state を書くと誤 prune や誤った依存解決につながるため)。 新規導入時は tazuna check で先に通しておくのが安全です。
path
- Required when not using
includes. - Interpreted as a path relative to the directory in which
tazuna.yamlitself resides, not the cwd from which the command was run. - Existence is checked at
tazuna checktime. - What
pathshould point to differs by type.
type | What path points to |
|---|---|
kustomize | A directory containing kustomization.yaml |
helmfile | A directory containing helmfile.yaml |
genesissecret | The GenesisSecret definition YAML file (not a directory) |
oras | Not used in practice. Cannot be empty due to validation, so write any directory. |
See each Manifest-type page for details.
type
- Required when not using
includes. - See Manifest type for the value list.
- Unsupported values raise a validation error.
tags
- An array of strings. Tazuna itself does not interpret the contents.
- When filtering with the
--tagsflag, only Manifests with at least one of the specified tags are targeted (OR evaluation).
dependsOn
- An array of Manifest names that must have completed before this Manifest is applied.
- Must be a name contained in the full set of Manifests after
includesexpansion. - It cannot include itself (self-dependency is rejected as a special case of a cycle).
- The overall dependency graph must not contain a cycle.
- If even one
dependsOnis used intazuna.yaml, the Runner switches to DAG mode and runs Manifests at the same dependency depth in parallel. If none is used, it runs one at a time in declaration order as before.
See DAG Execution via dependsOn for details and motivation.
Example:
spec:
manifests:
- name: cni
type: kustomize
path: ./cni
- name: cert-manager
type: helmfile
path: ./cert-manager
dependsOn: [cni]
- name: ingress
type: helmfile
path: ./ingress
dependsOn: [cni]
- name: app
type: kustomize
path: ./app
dependsOn: [cert-manager, ingress]
Providers
spec.providers[] is the list of Secret provider declarations referenced by GenesisSecret. Write it when you use something other than the built-in default-op (1Password), or when you want to line up multiple providers and select between them.
spec:
providers:
- name: primary-op
type: onepassword
onepassword: {}
- name: ops-envfile
type: envfile
envfile:
path: ./secrets/ops.env
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
name | string | Yes | - | The name referenced from a GenesisSecret’s spec.provider. default-op is a reserved name and cannot be used. |
type | string | Yes | - | The provider type. onepassword or envfile. |
onepassword | object | △ | null | Additional config used when type: onepassword (currently an empty object). |
envfile | object | △ | null | Additional config used when type: envfile. Has path. |
See Secret provider for details.
IncludeFile
Each element of manifests[].includes[]. Loads another tazuna.yaml and expands its manifests[].
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
path | string | Yes | - | Path to the tazuna.yaml to load. Written relative to the calling tazuna.yaml. |
Using includes
spec:
manifests:
- name: infra
includes:
- path: ./infra/tazuna.yaml
- path: ./addons/tazuna.yaml
- Manifests that have
includeshave their own “Manifest-body” fields (type/path/tags, etc.) ignored. includesis non-nestable. Even if the includedtazuna.yamlhas its ownincludes, those are not expanded.names of Manifests defined in the include target must also be unique across all final Manifests.- include 先ファイル内の Manifest の
pathは ルートのtazuna.yamlの ディレクトリ起点 で解決されます。include ファイル自身のディレクトリ起点 ではない点に注意してください。
Manifest-Type-Specific Fields
The fields corresponding to type (kustomize / helmfile / genesisSecret / oras) are each broken out to their own dedicated reference page.
Here we only indicate their existence and minimum role.
| Field | Role |
|---|---|
kustomize | Options for type: kustomize. Has defaultNamespace. |
helmfile | Options for type: helmfile. Has vars / includeCRDs / wait / kubeVersion and so on. |
genesisSecret | Extension point for type: genesissecret. An empty object in the current version. |
oras | Options for type: oras. Has reference / delegate. |
tests Field
For the detailed spec of TestPluginSpec (the element type of spec.tests and manifests[].tests), see Test plugin. Here we only describe placement and timing.
- Overall
tests(spec.tests): executed after all Manifests have been applied. - Per-Manifest
tests(manifests[].tests): executed immediately after that Manifest is applied.
Validation Summary
Below is the list of validations tazuna check performs against tazuna.yaml. No cluster access is involved, and anything that fails here is caught in advance.
- If
apiVersion/kindare set, they must equal the canonical values exactly. - If
spec.minimumSupportedTazunaVersionis set, it must be a valid semver and the running tazuna’s version must be at least that value (local builds skip the comparison). Note that this check runs not only oncheckbut on every operation that loadstazuna.yaml. - For each element of
spec.manifests[]:- When
includesis absent:pathandtypemust be set. typemust be a known value (kustomize/helmfile/genesissecret/oras).- The location pointed to by
pathmust exist.
- When
spec.manifests[].namemust be present, use allowed characters, be unique, and not be a reserved word.spec.manifests[].dependsOnmust reference only existing Manifest names and contain no self-reference or circular dependency.spec.context_matchesmust be compilable as regular expressions.spec.context_match_modemust be one ofor/and/ unset.- For each element of
spec.providers[]:namemust be unique and non-empty, must not bedefault-op,typemust be one ofonepassword/envfile, and it must have config consistent withtype. - For
type: helmfile: each value inhelmfile.varsmust satisfy one ofenv/static/op(see the helmfile reference page). - For
type: oras:oras.referenceis required, andoras.delegate.typemust be eitherhelmfileorkustomize. - When specifying
includes: eachinclude.pathis required and the file must exist.