
Additional Template Information

Note

Make sure to read the "Introduction to Templates" section before continuing. It provides important context for the information that follows.

Variables

Sveltos fetches the resources listed below on its own, so they do not need to be declared in the templateResourceRefs section. They are available in every template under the listed alias (for example .Cluster.metadata.name).

Resources Available for CAPI Clusters

Resource                                  Alias
CAPI Cluster instance                     Cluster
CAPI Cluster infrastructure provider      InfrastructureProvider
CAPI Cluster kubeadm provider             KubeadmControlPlane

Resources Available for SveltosClusters

Resource                                                   Alias
Sveltos registered cluster (the SveltosCluster instance)   Cluster

Retrieving Management Cluster Resources

Sveltos can retrieve any resource from the management cluster and make it available to templates. To do this, list the resources in the templateResourceRefs field of the spec of the ClusterProfile/Profile.

To access one of these resources in a template, use getResource "<alias>", where the alias is the value of the identifier field set for that entry in templateResourceRefs.

Example: Accessing a Secret

This ClusterProfile retrieves a Secret named autoscaler from the management cluster and assigns it the alias AutoscalerSecret.

apiVersion: config.projectsveltos.io/v1beta1
kind: ClusterProfile
metadata:
  name: deploy-resources
spec:
  ...
  templateResourceRefs:
  - resource:
      kind: Secret
      name: autoscaler
    identifier: AutoscalerSecret
  ...

We can reference this Secret in a template using the getResource function with its alias. The fragment below is a template that copies the Secret into the managed cluster; the apiVersion, kind and metadata lines are filled in here so that it is a complete manifest. Values under .data of a Secret are base64-encoded, so they are placed under data (not stringData) of the new Secret.

# apiVersion, kind and the metadata wrapper are added for completeness
apiVersion: v1
kind: Secret
metadata:
  name: autoscaler
  namespace: {{ (getResource "AutoscalerSecret").metadata.namespace }}
data:
  token: {{ (getResource "AutoscalerSecret").data.token }}
  # the key contains a dot, so .data.ca.crt would be read as nested fields; use index with the literal key
  ca.crt: {{ $data:=(getResource "AutoscalerSecret").data }} {{ (index $data "ca.crt") }}
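To show how the pieces fit together, here is an added, complete set of management-cluster manifests. This is example code, not taken from the Sveltos documentation or project: the template above stored in a ConfigMap that carries the template annotation, and a ClusterProfile that references that ConfigMap through policyRefs and declares the Secret the template reads through templateResourceRefs. The cluster label env=fv, the default namespace, the ConfigMap name autoscaler-template and the explicit apiVersion in the resource reference are assumptions made for the example.

```yaml
# Added example: the template is stored in a ConfigMap in the management cluster.
# The annotation tells Sveltos to render the content as a template instead of
# applying it verbatim.
apiVersion: v1
kind: ConfigMap
metadata:
  name: autoscaler-template
  namespace: default
  annotations:
    projectsveltos.io/template: ok
data:
  autoscaler.yaml: |
    apiVersion: v1
    kind: Secret
    metadata:
      name: autoscaler
      namespace: {{ (getResource "AutoscalerSecret").metadata.namespace }}
    data:
      # .data values are already base64-encoded, so they go under data, not stringData
      token: {{ (getResource "AutoscalerSecret").data.token }}
      ca.crt: {{ index (getResource "AutoscalerSecret").data "ca.crt" }}
---
# The ClusterProfile selects the managed clusters (label env=fv is assumed),
# names the management-cluster Secret the template may read under the alias
# AutoscalerSecret, and points at the ConfigMap holding the template. Because
# namespace is set explicitly, the lookup does not depend on the namespace of
# the cluster being reconciled.
apiVersion: config.projectsveltos.io/v1beta1
kind: ClusterProfile
metadata:
  name: deploy-resources
spec:
  clusterSelector:
    matchLabels:
      env: fv
  templateResourceRefs:
  - resource:
      apiVersion: v1
      kind: Secret
      name: autoscaler
      namespace: default
    identifier: AutoscalerSecret
  policyRefs:
  - kind: ConfigMap
    name: autoscaler-template
    namespace: default
```

Rendering happens in the management cluster: getResource resolves against the Secret named in templateResourceRefs, and only the rendered Secret is applied to each matching managed cluster. The template ConfigMap itself contains no secret material, only references.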

Role Based Access Control (RBAC)

Sveltos follows the principle of least privilege. By default its ServiceAccount does not have permission to fetch arbitrary resources from the management cluster, so when templateResourceRefs is used, Sveltos must be granted the RBAC it needs for the referenced resources.

Granting those permissions is straightforward. The Sveltos ServiceAccount is bound to the addon-controller-role-extra ClusterRole; add the required rules to that role. Keep the grant as narrow as the templates require: whoever can create a ClusterProfile that references a management-cluster Secret can copy its contents into managed clusters, so a broad read grant on Secrets effectively delegates that access to every ClusterProfile author.

If the ClusterProfile is created by a tenant administrator as part of a multi-tenant setup, Sveltos acts on behalf of (impersonates) the ServiceAccount that represents the tenant. Kubernetes RBAC is then enforced for that ServiceAccount, which restricts the tenant to the resources they are authorised to read.
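As an added example (not part of the Sveltos install manifests), this is the rule to append to the addon-controller-role-extra ClusterRole so that the template in the previous section can read the autoscaler Secret. The verb set is an assumption: get is what a single fetch needs, and resourceNames reliably narrows get to the named Secret, whereas list and watch are not narrowed by resourceNames in the general case, so they are left out. The ServiceAccount name used in the verification command is also an assumption.

```yaml
# Added example: rule to add under .rules of the existing
# addon-controller-role-extra ClusterRole
# (kubectl edit clusterrole addon-controller-role-extra).
# Assumptions: Sveltos only needs "get" for templateResourceRefs, and only the
# Secret named autoscaler is referenced by templates. Existing rules are kept.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: addon-controller-role-extra
rules:
# existing rules of the role stay as they are
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["autoscaler"]   # narrow: only a Secret with this name
  verbs: ["get"]                  # get is sufficient for a one-off fetch
# Wider alternative, only if many Secrets are referenced; every Secret in the
# management cluster then becomes readable through any ClusterProfile that is
# not subject to tenant impersonation:
# - apiGroups: [""]
#   resources: ["secrets"]
#   verbs: ["get", "list", "watch"]
# Verify before creating the ClusterProfile (ServiceAccount name assumed):
# kubectl auth can-i get secrets/autoscaler -n default \
#   --as=system:serviceaccount:projectsveltos:addon-controller
```

A ClusterRole applies across all namespaces, so resourceNames limits the name but not the namespace: a Secret called autoscaler in any namespace becomes readable. If that matters, keep referenced Secrets in a dedicated namespace and rely on tenant impersonation for per-tenant scoping.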

templateResourceRefs: Namespace and Name

When using the templateResourceRefs field to locate resources in the management cluster, the namespace field is optional.

  1. If a namespace is provided (for example default), Sveltos looks for the resource in that namespace
  2. If the namespace field is blank, Sveltos looks for the resource in the namespace of the cluster object being reconciled (the CAPI Cluster or SveltosCluster, i.e. .Cluster.metadata.namespace)

The name field in templateResourceRefs can be expressed as a template. This allows names to be generated dynamically from the information available at deployment time, so that one ClusterProfile can reference a different resource per cluster.

Available cluster information:

  • cluster namespace: .Cluster.metadata.namespace
  • cluster name: .Cluster.metadata.name
  • cluster type: .Cluster.kind

For example, the template below builds a name by combining the cluster's namespace and name.

name: "{{ .Cluster.metadata.namespace }}-{{ .Cluster.metadata.name }}"

Embedding Go Templates in Sveltos

When a manifest deployed through Sveltos must itself contain Go template actions for another tool to render (External Secrets in the example below), wrap the inner template in a raw-string action: {{`<YOUR GO TEMPLATE>`}}. Sveltos evaluates only the outer action, which emits the backquoted text verbatim, so the inner action reaches the managed cluster untouched instead of being evaluated (and typically emptied) by Sveltos.

Example: Passing an External Secrets template through Sveltos

apiVersion: v1
kind: ConfigMap
metadata:
  name: meilisearch-proxy-secrets
  namespace: default
  annotations:
    projectsveltos.io/template: ok
data:
  secrets.yaml: |
    {{ $cluster := .Cluster.metadata.name }}
    {{- range $env := (list "production" "staging") }}
    ---
    apiVersion: external-secrets.io/v1beta1
    kind: ExternalSecret
    metadata:
      name: meilisearch-proxy
      namespace: {{ $env }}
    spec:
      refreshInterval: 1h
      secretStoreRef:
        kind: ClusterSecretStore
        name: vault-backend
      target:
        name: meilisearch-proxy
        template:
          engineVersion: v2
          data:
            MEILISEARCH_HOST: https://meilisearch.{{ $cluster }}
            # rendered by External Secrets, not Sveltos: the outer action emits the backquoted text verbatim
            MEILISEARCH_MASTER_KEY: '{{`{{ .master_key }}`}}'
            PROXY_MASTER_KEY_OVERRIDE: "false"
            CACHE_ENGINE: "redis"
            CACHE_TTL: "300"
            CACHE_URL: "redis://meilisearch-proxy-redis:6379"
            PORT: "80"
            LOG_LEVEL: "info"
      data:
        - secretKey: 'master_key'
          remoteRef:
            key: 'search'
            property: '{{ $env }}.master_key'
    {{- end }}
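To make the two behaviours above concrete (the templated name built from .Cluster fields, and the raw-string escape that keeps an inner action intact), here is an added Go program. It is example code, not Sveltos' renderer: it executes the same template strings with Go's text/template and default options against a constructed stand-in for the Sveltos context, and omits the extra functions Sveltos registers (getResource and the sprig library, which provides list in the example above). The cluster name prod-1 and namespace default are constructed sample values.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// SampleContext is a constructed stand-in for the data Sveltos hands to a
// template: the cluster object is reachable under .Cluster. Only the fields
// used by the templates below are populated.
func SampleContext() map[string]interface{} {
	return map[string]interface{}{
		"Cluster": map[string]interface{}{
			"kind": "Cluster",
			"metadata": map[string]interface{}{
				"name":      "prod-1",
				"namespace": "default",
			},
		},
	}
}

// Render executes tmpl against ctx with text/template and its default
// options. It stands in for the Sveltos rendering pass; functions such as
// getResource or sprig's list are deliberately not registered here.
func Render(tmpl string, ctx map[string]interface{}) (string, error) {
	t, err := template.New("sveltos").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// NameTemplate is the templated name from the page: the namespace and name
// of the cluster being reconciled, joined with a dash.
const NameTemplate = "{{ .Cluster.metadata.namespace }}-{{ .Cluster.metadata.name }}"

// UnescapedLine lets Sveltos evaluate {{ .master_key }} itself. No such key
// exists in the Sveltos context, so with default options the action renders
// as "<no value>" and External Secrets never sees a template.
const UnescapedLine = "MEILISEARCH_MASTER_KEY: '{{ .master_key }}'"

// EscapedLine wraps the inner action in a raw string: Sveltos evaluates the
// outer action, which prints the backquoted text verbatim, so the inner
// action survives for External Secrets to render.
const EscapedLine = "MEILISEARCH_MASTER_KEY: '{{`{{ .master_key }}`}}'"

func main() {
	for _, tmpl := range []string{NameTemplate, UnescapedLine, EscapedLine} {
		out, err := Render(tmpl, SampleContext())
		if err != nil {
			fmt.Printf("%-58s -> error: %v\n", tmpl, err)
			continue
		}
		fmt.Printf("%-58s -> %s\n", tmpl, out)
	}
}
```

The unescaped line is the failure mode to watch for: nothing errors, the ExternalSecret is applied, and the literal string <no value> ends up where the Vault-sourced key should be. A render error would be preferable; the escape avoids both outcomes.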

Learn More

  1. Example - Helm Chart and Resources as Templates: check out the template examples here
  2. Helm Charts: see the "Example: Express Helm Values as Templates" section here
  3. YAML & JSON: refer to the "Example Template with Git Repository/Bucket Content" section here
  4. Kustomize: substitution and templating are explained here