Skip to content

All-in-one Install YAML Manifests for GitOps#115

Open
k-wall wants to merge 10 commits into
kroxylicious:mainfrom
k-wall:rendered-install-manifests
Open

All-in-one Install YAML Manifests for GitOps#115
k-wall wants to merge 10 commits into
kroxylicious:mainfrom
k-wall:rendered-install-manifests

Conversation

@k-wall

@k-wall k-wall commented Jun 19, 2026

Copy link
Copy Markdown
Member

This proposal addresses kroxylicious/kroxylicious#4016 (option 1) by publishing fully-rendered Kubernetes installation manifests as GitHub release assets.

Summary

Enable GitOps workflows by shipping single-file YAML manifests that can be directly referenced via URL, following patterns established by Strimzi and cert-manager.

New Artifacts

All artifacts follow Maven classifier naming conventions (artifactId-version-classifier.extension):

Per component (operator and admission webhook):

  • {component}-dist-{version}-install.yaml - Full install (CRDs + resources)
  • {component}-dist-{version}-crds.yaml - CRDs only (for separate lifecycle)
  • {component}-dist-{version}-examples.tar.gz - Examples (separate from install)
  • {component}-dist-{version}-examples.zip - Examples (ZIP format)

Maven coordinates:

  • Install: io.kroxylicious:{component}-dist:install:yaml
  • CRDs: io.kroxylicious:{component}-dist:crds:yaml
  • Examples: io.kroxylicious:{component}-dist:examples:{tar.gz,zip}

Key Features

  • All template variables fully substituted
  • Direct kubectl apply -f https://... installation
  • Two-stage install option (CRDs first, then operator)
  • Automatic GPG signing via maven-gpg-plugin
  • Proper Maven coordinates for deployment

Migration Path

Existing .tar.gz/.zip archives (install + examples) will be deprecated and removed in a future release (at v1.0.0 or earlier).

Users migrate to separate install manifests + examples archives.

Relates-to: kroxylicious/kroxylicious#4016

@k-wall k-wall changed the title Rendered Install Manifests for GitOps Deployments 115 - Rendered Install Manifests for GitOps Deployments Jun 19, 2026
k-wall added a commit to k-wall/kroxylicious that referenced this pull request Jun 19, 2026
Add documentation for new rendered install manifest distribution:
- New procedures for direct installation from GitHub releases
- Documentation for CRDs-first installation workflow
- Update release artifacts concepts to describe new formats
- Add deprecation notices for combined archive distributions

Both operator and admission webhook guides updated.

Relates-to: kroxylicious#4016
Relates-to: kroxylicious/design#115
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
k-wall added a commit to k-wall/kroxylicious that referenced this pull request Jun 22, 2026
Add support for publishing single-file rendered YAML manifests as
GitHub release assets, following patterns from Strimzi and cert-manager.

New artifacts per component (operator and admission webhook):
- {component}-install-{version}.yaml - Full install (CRDs + resources)
- {component}-crds-{version}.yaml - CRDs only (separate lifecycle)
- {component}-examples-{version}.tar.gz - Examples (separate archive)

Build infrastructure:
- concat_manifests.java - JBang script to concatenate and filter YAMLs
- Maven jbang-maven-plugin executions in package phase
- Assembly descriptors for examples-only archives

Testing:
- RenderedManifestKT integration tests for both components
- Validates manifest completeness and variable substitution
- Tests both single-stage and two-stage installation workflows

All template variables are fully substituted during build.
Manifests include copyright headers and installation instructions.

Relates-to: kroxylicious#4016
Relates-to: kroxylicious/design#115
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
k-wall added a commit to k-wall/kroxylicious that referenced this pull request Jun 22, 2026
Add documentation for new rendered install manifest distribution:
- New procedures for direct installation from GitHub releases
- Documentation for CRDs-first installation workflow
- Update release artifacts concepts to describe new formats
- Add deprecation notices for combined archive distributions

Both operator and admission webhook guides updated.

Relates-to: kroxylicious#4016
Relates-to: kroxylicious/design#115
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
@k-wall k-wall changed the title 115 - Rendered Install Manifests for GitOps Deployments All-in-one Install YAML Manifests for GitOps Jun 22, 2026
k-wall added a commit to k-wall/kroxylicious that referenced this pull request Jun 22, 2026
Add support for publishing single-file rendered YAML manifests as
GitHub release assets, following patterns from Strimzi and cert-manager.

New artifacts per component (operator and admission webhook):
- {component}-install-{version}.yaml - Full install (CRDs + resources)
- {component}-crds-{version}.yaml - CRDs only (separate lifecycle)
- {component}-examples-{version}.tar.gz - Examples (separate archive)

Build infrastructure:
- concat_manifests.java - JBang script to concatenate and filter YAMLs
- Maven jbang-maven-plugin executions in package phase
- Assembly descriptors for examples-only archives

Testing:
- RenderedManifestKT integration tests for both components
- Validates manifest completeness and variable substitution
- Tests both single-stage and two-stage installation workflows

All template variables are fully substituted during build.
Manifests include copyright headers and installation instructions.

Relates-to: kroxylicious#4016
Relates-to: kroxylicious/design#115
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
k-wall added a commit to k-wall/kroxylicious that referenced this pull request Jun 22, 2026
Add documentation for new rendered install manifest distribution:
- New procedures for direct installation from GitHub releases
- Documentation for CRDs-first installation workflow
- Update release artifacts concepts to describe new formats
- Add deprecation notices for combined archive distributions

Both operator and admission webhook guides updated.

Relates-to: kroxylicious#4016
Relates-to: kroxylicious/design#115
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
k-wall added a commit to k-wall/kroxylicious that referenced this pull request Jun 22, 2026
Add support for publishing single-file rendered YAML manifests as
GitHub release assets, following patterns from Strimzi and cert-manager.

New artifacts per component (operator and admission webhook):
- {component}-install-{version}.yaml - Full install (CRDs + resources)
- {component}-crds-{version}.yaml - CRDs only (separate lifecycle)
- {component}-examples-{version}.tar.gz - Examples (separate archive)

Build infrastructure:
- concat_manifests.java - JBang script to concatenate and filter YAMLs
- Maven jbang-maven-plugin executions in package phase
- Assembly descriptors for examples-only archives

Testing:
- RenderedManifestKT integration tests for both components
- Validates manifest completeness and variable substitution
- Tests both single-stage and two-stage installation workflows

All template variables are fully substituted during build.
Manifests include copyright headers and installation instructions.

Relates-to: kroxylicious#4016
Relates-to: kroxylicious/design#115
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
@MisterTimn

Copy link
Copy Markdown

This would definitely meet our needs with regards to GitOps deployment, we already deploy cert manager and strimzi operator in the same manner.

k-wall added 10 commits June 23, 2026 09:37
Add proposal for publishing fully-rendered Kubernetes installation
manifests as GitHub release assets to enable GitOps workflows.

Follows patterns from Strimzi and cert-manager by shipping:
- Full install manifests (CRDs + operator resources)
- CRDs-only manifests (for separate lifecycle management)
- Examples archives (separate from install manifests)

Includes 3-release deprecation plan for existing combined archives.

Relates-to: kroxylicious/kroxylicious#4016
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
Signed-off-by: Keith Wall <kwall@apache.org>
Remove Flux-specific examples and use simpler Kustomize pattern that
works with any GitOps tool. This avoids giving the impression of
specific Flux support without automated tests to back it up.

Signed-off-by: Keith Wall <kwall@apache.org>
Reflect implementation changes:
- Use Maven classifier-based artifact naming
- Install manifests: artifactId-version-install.yaml
- CRDs manifests: artifactId-version-crds.yaml
- Examples: artifactId-version-examples.{tar.gz,zip}
- Automatic GPG signing via maven-gpg-plugin
- Proper Maven coordinates for deployment

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
Clarify that deprecated combined archives will be removed at the
v1.0.0 milestone (or v0.24.0, whichever comes first), giving users
a clear migration target aligned with the 1.0 release.

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
Remove reference to "final warning" - deprecation will simply be
included in release notes for v0.22.0 and v0.23.0.

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
Rename from "rendered install manifests" to "all-in-one install YAML"
for clarity - emphasizes the single-file nature rather than the
rendering process.

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
Lead with the primary issue: archive artifacts are incompatible with
GitOps workflows (require download/extract/commit). The inability to
use in-tree manifests (unsubstituted variables) is a secondary issue
that prevents workarounds.

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
Correct the current situation - the archives already contain manifests
with variables substituted. The problem is the .tar.gz/.zip format
itself, not unsubstituted variables.

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
Consolidate repetitive content - current situation now just states
what exists, motivation focuses on the problem and impact.

Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
@k-wall k-wall force-pushed the rendered-install-manifests branch from 5a524f2 to 0dc9574 Compare June 23, 2026 08:38
@k-wall k-wall marked this pull request as ready for review June 23, 2026 08:38
@k-wall k-wall requested a review from a team as a code owner June 23, 2026 08:38
k-wall added a commit to k-wall/kroxylicious that referenced this pull request Jun 23, 2026
Add support for publishing single-file rendered YAML manifests as
GitHub release assets, following patterns from Strimzi and cert-manager.

New artifacts per component (operator and admission webhook):
- {component}-install-{version}.yaml - Full install (CRDs + resources)
- {component}-crds-{version}.yaml - CRDs only (separate lifecycle)
- {component}-examples-{version}.tar.gz - Examples (separate archive)

Build infrastructure:
- concat_manifests.java - JBang script to concatenate and filter YAMLs
- Maven jbang-maven-plugin executions in package phase
- Assembly descriptors for examples-only archives

Testing:
- RenderedManifestKT integration tests for both components
- Validates manifest completeness and variable substitution
- Tests both single-stage and two-stage installation workflows

All template variables are fully substituted during build.
Manifests include copyright headers and installation instructions.

Relates-to: kroxylicious#4016
Relates-to: kroxylicious/design#115
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
k-wall added a commit to k-wall/kroxylicious that referenced this pull request Jun 23, 2026
Add documentation for new rendered install manifest distribution:
- New procedures for direct installation from GitHub releases
- Documentation for CRDs-first installation workflow
- Update release artifacts concepts to describe new formats
- Add deprecation notices for combined archive distributions

Both operator and admission webhook guides updated.

Relates-to: kroxylicious#4016
Relates-to: kroxylicious/design#115
Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com>
Signed-off-by: Keith Wall <kwall@apache.org>
@k-wall k-wall moved this from Must Do to Want to Do in Release 0.22.0 Jun 24, 2026
@k-wall k-wall self-assigned this Jun 24, 2026
kubectl apply -f https://github.com/kroxylicious/kroxylicious/releases/download/v0.22.0/kroxylicious-operator-dist-0.22.0-install.yaml
```

**Two-stage installation (CRDs first):**

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The two-stage installation workflow implies a split-privilege scenario (cluster-admin installs CRDs, namespace-admin installs the operator). But install.yaml is defined as containing CRDs, so the namespace-admin would be re-applying cluster-scoped resources they likely don't have permissions for.

If two-stage is genuinely for split-privilege, I think the artifact split needs to follow the privilege boundary rather than the content type:

  • install.yaml — everything (for the simple single-admin case, as proposed)
  • cluster-admin.yaml — CRDs, ClusterRoles, ClusterRoleBindings, and any other cluster-scoped resources
  • namespace-admin.yaml — Deployment, Services, namespace-scoped RBAC, etc.

This diverges from cert-manager's crds.yaml naming, but it's clearer about intent and forces us to think about where RBAC resources land — not just "CRDs vs the rest" but "cluster-scoped vs namespace-scoped."

If two-stage isn't intended for split-privilege, what's the use case? Ordering alone doesn't seem to justify it since install.yaml already orders CRDs first.


**Deprecated:** These combined archives marked as deprecated in release notes.

**Removed:** Archives removed in v0.24.0 (gives users 2 releases to migrate).

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: The deprecation timeline is stated slightly differently in three places:

  • Here: "removed in v0.24.0 (gives users 2 releases to migrate)"
  • Line 167: "removed at the v1.0.0 milestone (whichever comes first: v0.24.0 or v1.0.0)"
  • Line 225: "Rationale for 3-release timeline"

The thrust is right — deprecate in v0.22.0, remove at v0.24.0 or v1.0.0 (whichever is first). But the three descriptions don't quite agree on whether it's 2 or 3 releases of notice, and this section doesn't mention the v1.0.0 accelerator. Worth a consistency pass.

2. Open a PR
3. Rename file using PR number: proposals/<PR#>-rendered-install-manifests.md
4. Update heading to include PR number
5. Push changes

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Template submission instructions still present — should be removed before merge.

@SamBarker SamBarker left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @k-wall I think the basic premiss is good, the two stage install is a wrinkle but I've come round to the idea of a single kubectl apply for install

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Must Do

Development

Successfully merging this pull request may close these issues.

3 participants