george-angel/spec.md

## spec.md

      
      Raw
    
  
              spec.md
            
          
    kube-applier v3
server

one running instance
watches/applies namespaces in parallel
replace git-sync with go-git (https://github.com/go-git/go-git)

applied namespace

roleBinding KA's/SA as ns admin
secret called kube-applier.io

strongbox-key
git-token


CRD instance

dry_run
prune
prune_blacklist
full_run_interval
repository
repository_path


refs
repository
You can specify the git repository describing your namespace
repository_path
Path to the namespace definition within your repository
git-token
One git token you provide that both grants access to your base
repository and any private bases you might pull via Kuatomize
Problems

How do you auth to multiple private repositories, go-git suggests using
personal tokens to auth for clone. We allow each namespace to specify a
single token. And suggest they use a user account (human or machine).
Obscure last-applied annotation from Secret resources

kubernetes/kubernetes#23564
kubernetes/kubernetes#29923


Work out how to "watch" with go-git
go-git doesn't implement filters right now, won't work with strongobx:
go-git/go-git#95