
An in-cluster templating controller. Manage, mutate, and validate resources using webhooks and reconciliation. Backed by Jsonnet.

vshn/espejote

a goopher standing in front of a big mirror
The Espejote tool ('big mirror' in Spanish) manages arbitrary resources in a Kubernetes cluster.
It allows a GitOps workflow while still being able to depend on in-cluster resources.

Espejote: An in-cluster templating controller

Installation

In-cluster using kubectl

kubectl apply -k config/crd
kubectl apply -k config/default

Image signature verification

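Espejote images are signed using Cosign. Signing uses Cosign's keyless signing feature, with the GitHub Action token used for attestation.

You can verify the image signatures using the Cosign CLI. The two flags pin the signing certificate to the release workflow at the given tag and to the GitHub Actions token issuer: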

TAG=vX.X.X
cosign verify "ghcr.io/vshn/espejote:${TAG}" \
  --certificate-identity "https://github.com/vshn/espejote/.github/workflows/release.yml@refs/tags/${TAG}" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"
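
A wrapper around the command above, as an added example that is not part of the Espejote project: it accepts only tags of the form vX.X.X (an assumption about the release tag format), derives the certificate identity from the tag, and prints the image reference pinned to the digest Cosign verified, so a deployment can reference the digest instead of the mutable tag. The function names and the script name are hypothetical; the digest is read from the `docker-manifest-digest` field of the JSON that `cosign verify` writes to standard output.

```shell
#!/bin/sh
# Added example: verify an Espejote release image, then print it pinned by digest.
IMAGE="ghcr.io/vshn/espejote"
WORKFLOW="https://github.com/vshn/espejote/.github/workflows/release.yml"
ISSUER="https://token.actions.githubusercontent.com"

# Print the expected certificate identity for a release tag.
# Assumption: release tags look like vX.X.X with numeric parts only. Anything
# else (latest, branch names, extra '@' or '/') is refused, so the argument
# cannot change which workflow or ref the identity names.
espejote_identity() {
  case "$1" in
    ''|*[!v0-9.]*) return 1 ;;
  esac
  printf '%s\n' "$1" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  printf '%s@refs/tags/%s\n' "$WORKFLOW" "$1"
}

# Read `cosign verify` JSON on stdin and print the verified manifest digest.
# Prints nothing when no well-formed sha256 digest is present.
verified_digest() {
  sed -n 's/.*"docker-manifest-digest": *"\(sha256:[0-9a-f]\{64\}\)".*/\1/p' |
    head -n 1
}

# Verify the tag in $1 and print IMAGE@DIGEST; fail closed on any error.
verify_espejote() {
  identity=$(espejote_identity "$1") || {
    echo "refusing tag '$1': expected vX.X.X" >&2
    return 1
  }
  out=$(cosign verify "${IMAGE}:$1" \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$ISSUER") || return 1
  digest=$(printf '%s\n' "$out" | verified_digest)
  [ -n "$digest" ] || { echo "no digest in cosign output" >&2; return 1; }
  printf '%s@%s\n' "$IMAGE" "$digest"
}

# Run only when a tag is given, e.g.: sh verify-espejote.sh vX.X.X
# (verify-espejote.sh is a hypothetical file name for this script)
if [ "$#" -gt 0 ]; then
  verify_espejote "$1"
fi
```
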

CLI using Homebrew

Works on macOS and Linux.

brew install vshn/tap/espejote

CLI using go get

go install github.com/vshn/espejote@latest

Usage

Espejote manages resources by server-side applying rendered Jsonnet manifests to the cluster. It allows fine-grained control over the external context used to render the resources and the triggers that cause the resources to be applied.

espejote CLI docs are available here.

API (CRD) documentation is available here.

espejote.libsonnet documentation is available here.

Annotated examples are available:

The original idea and design document is available here.
