Cluster connectivity

Nyl may need to reach out to the Kubernetes API for various reasons, some of which are fundamental and others are optional.

When using Nyl as an ArgoCD plugin, to enable the plugin to reach out to the Kubernetes API, you must configure the argocd-repo-server service account with the necessary permissions. See ArgoCD Plugin for more information.

Kubernetes API versions

When Nyl invokes helm template, it must pass along a full list of all available API versions in the cluster to allow the chart to generate appropriate manifests for all the latest resources it supports via the --api-versions and --kube-version flags.

Note that when used from ArgoCD, the KUBE_VERSION and KUBE_API_VERSIONS environment variables are set by ArgoCD and Nyl will use them if available to avoid making an extra query to the Kubernetes API server. For more information, see ArgoCD Build Environment.

Lookups

Nyl provides a lookup() function that allows the Helm chart to query the Kubernetes API server for an existing resource to use in the chart. This is an optional feature that your manifests may simply decide not to rely on, however it is a powerful feature to pass and transform values from existing resources.

TODO: Implement security to prevent lookups for resources that the corresponding ArgoCD project has no access to. This will require a safe evaluation language instead of Python eval().