Resource Templates

Resource Templates are an important component of Konfig's security and governance story. They let you overlay defaults and restrict fields on a given Resource type for Workloads. They also help to abstract infrastructure complexity from developers.

Defining useful Resource Templates allows platform or operations teams to provide developers a self-serve experience while maintaining an organization's best practices and standards. This lets organizations establish a golden path, or enforced standards for architecture, tech stack, and infrastructure configuration. This, in turn, enhances developer efficiency, reduces sprawl, and helps organizations meet regulatory and compliance requirements or adhere to internal controls. Resource Templates, combined with Platforms and Domains, provide a flexible model for balancing enterprise standards with developer autonomy.

Organizational Golden Paths

A golden path is an opinionated and supported way of building something within your organization—sort of like a blueprint. It outlines the preferred tools, technologies, and processes to follow, aiming to streamline development, improve consistency, and reduce fragmentation and tech debt. Think of it as a well-trodden path that guides developers towards efficient and effective outcomes.

Resource Templates can be as rigid or as flexible as an organization desires. A template may specify default values for a Resource while allowing developers to override them. Alternatively, a template may specify default values and prohibit developers from changing them. Often, however, templates are somewhere in the middle—specifying sane defaults for some fields which can be overridden when necessary and enforcing organization requirements for others.

Currently, Triggers and Resources support templating.

Infrastructure Governance

Resource Templates are designed to allow an organization to centrally manage standard Resource configurations, hiding complexity from developers and making it easier to ensure organizational requirements are enforced, such as encryption standards, high availability, or data sovereignty.

Creating Resource Templates

Resource Templates live in your GitLab organization near your Control Plane repository. They look very similar to the actual Resources themselves but live in a konfig-templates namespace in the Control Plane and will not create the Resources when applied. Below is an example showing a Resource Template for a Cloud Storage bucket called multi-region which enforces object versioning and multi-region storage class. It allows the lifecycleRule field to be set by developers.

apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: multi-region
  namespace: konfig-templates
  annotations:
    konfig.realkinetic.com/allowed: "lifecycleRule"
    konfig.realkinetic.com/access_role: "roles/storage.objectCreator"
    konfig.realkinetic.com/runtime_variables: "BUCKET_NAME=metadata.name"
    konfig.realkinetic.com/immutable_keys: "location,resourceID"
spec:
  versioning:
    enabled: true
  storageClass: MULTI_REGIONAL

Editing Templates

Editing Resource Templates after Resources are created using them may result in downstream changes. These changes will be applied the next time the Workload reconciles, which is not predictable. It is best practice to create a copy of the Resource Template, change the name, and migrate consumers over when you are ready to.

Some fields are immutable and cannot be modified. Test thoroughly before attempting in production.

Supported Annotations

The following annotations are supported and allow customizing the behavior of Resource Templates.

konfig.realkinetic.com/allowed

The allowed annotation lets end users of the template set and/or override fields on the Resource. The value is a comma-delimited list of jsonpath entries naming the allowed fields.

konfig.realkinetic.com/access_role

The access_role annotation specifies a default IAM role for the consuming Workload's service account to bind to. This field can be overridden when specified on the Resource itself.

konfig.realkinetic.com/runtime_variables

The runtime_variables annotation provides default environment variables to be mounted on the consuming Workload's runtime. This field can be overridden when specified on the Resource itself.

konfig.realkinetic.com/immutable_keys

The immutable_keys annotation tells Konfig which keys to remove from the Resource prior to updating it. Not specifying them can result in terminal errors. The immutable keys for a Resource are specified in that Resource's documentation.

Using Resource Templates

A Resource Template is specified by setting the konfig.realkinetic.com/template annotation on the Resource claim. If this is not set, default will be used.

apiVersion: konfig.realkinetic.com/v1alpha8
kind: Workload
metadata:
  name: WORKLOAD_NAME
spec:
  runtime:
    ... # Removed for brevity
  resources:
    - apiVersion: sql.cnrm.cloud.google.com/v1beta1
      kind: SQLInstance
      metadata:
        name: [RESOURCE NAME]
        annotations:
          konfig.realkinetic.com/template: my-template
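
A pre-merge check a platform team could run over Workload manifests, as an added example that is not Konfig's own code: it flags Resource claim fields that a template neither opens up through the allowed annotation nor already sets to the same value. It assumes allowed entries are plain dotted field paths (a simplification of the jsonpath the annotation accepts); the function names and sample dictionaries are constructed from the multi-region template above.

```python
# Illustrative model with hypothetical names; Konfig's own handling may differ.
ALLOWED = "konfig.realkinetic.com/allowed"
_MISSING = object()

# Constructed sample mirroring the multi-region template shown on this page.
TEMPLATE = {
    "metadata": {"name": "multi-region", "annotations": {ALLOWED: "lifecycleRule"}},
    "spec": {"versioning": {"enabled": True}, "storageClass": "MULTI_REGIONAL"},
}

def allowed_paths(template):
    """Split the comma-delimited allowed annotation into a list of field paths."""
    raw = template["metadata"].get("annotations", {}).get(ALLOWED, "")
    return [p.strip() for p in raw.split(",") if p.strip()]

def leaves(obj, prefix=""):
    """Yield (dotted_path, value) for each non-dict value; a list is one leaf."""
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict) and value:
            yield from leaves(value, path)
        else:
            yield path, value

def lookup(obj, path):
    """Return the value at a dotted path, or _MISSING if a segment is absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return _MISSING
        obj = obj[part]
    return obj

def check_claim(template, claim_spec):
    """List (path, reason) for every claim field the template does not permit."""
    allowed = allowed_paths(template)
    violations = []
    for path, value in leaves(claim_spec):
        if any(path == a or path.startswith(a + ".") for a in allowed):
            continue  # explicitly opened up by the template author
        enforced = lookup(template["spec"], path)
        if enforced is _MISSING:
            violations.append((path, "not listed in allowed"))
        elif enforced != value:
            violations.append((path, "overrides enforced value"))
    return violations

# Constructed claims: one stays on the golden path, one tries to weaken it.
GOOD = {"lifecycleRule": [{"action": {"type": "Delete"}, "condition": {"age": 30}}]}
BAD = {"storageClass": "STANDARD", "versioning": {"enabled": False}, "location": "US"}
```

Run in CI, a non-empty result from check_claim blocks the merge before a weakened bucket configuration reaches the Control Plane.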