Naiserator is a Kubernetes operator that handles the lifecycle of nais.io/Application
and nais.io/Naisjob
.
The main goal of Naiserator is to simplify application deployment by providing a high-level abstraction tailored for the Nais platform.
When an Application
resource is created in Kubernetes, usually with Nais deploy,
Naiserator will generate several other Kubernetes resources that work together to form a complete deployment.
The contents of these resources are heavily dependent on per-cluster and per-application configuration.
Resources will remain in Kubernetes until the Application
resource is deleted, upon which they will be removed.
Additionally, any unneeded resources will be automatically deleted upon next deploy
if disabled by feature flags or is lacking in a application manifest.
Kubernetes built-ins:
Deployment
,Job
orCronJob
that runs program executables,HorizontalPodAutoscaler
for automatic application scaling,Ingress
adding TLS termination and virtualhost support,NetworkPolicy
for firewall configuration,PodDisruptionBudget
for controlling how the application should be shut down or restart by Kubernetes,PodMonitor
for Prometheus integration,Role
andRoleBinding
needed for Leader election sidecar,Secret
for stuff that shouldn't be shared with anyone,ServiceAccount
for granting correct permissions to managed resources,Service
which points to the application endpoint.
Nais resources for external system provisioning:
AivenApplication
for Aivenator,AzureAdApplication
for Azurerator,IDPortenClient
andMaskinportenClient
for Digdirator,Jwker
for Jwker,Stream
for Kafkarator.
Google CNRM resources for Google Cloud Platform provisioning:
BigQueryDataset
for BigQuery,IAMServiceAccount
,IAMPolicy
andIAMPolicyMember
for workload identity,PubSubSubscription
for PubSub,SQLInstance
,SQLUser
andSqlDatabase
for Cloud SQL,StorageBucket
andStorageBucketAccessControl
for Storage Buckets.
The entire specification for the manifest is generated by Naiserator's companion library, liberator, and committed to the Nais end-user documentation.
Runs on Kubernetes v1.30.0 or later.
When GCP features are enabled, Naiserator must run on Google Kubernetes Engine together with CNRM.
See charts/naiserator
for a installable Helm chart.
- The Go programming language, version indicated by go.mod
- liberator
- goimports
- Docker Desktop or other Docker release compatible with Kubernetes
- Kubernetes, either through minikube or a local cluster
Try these:
make test
make golden_file_test
make build
make local
Whenever an Application is deployed, a deployment event message is sent to a Kafka topic. There's a few prerequisites to develop with this enabled locally:
- Protobuf installed
- An instance of kafka to test against. Use
docker-compose up
to bring up a local instance. - Enable this feature by passing
-kafka-enabled=true
when starting Naiserator.
Whenever the Protobuf definition is updated you can update using make proto
. It will download the definitions, compile
and place them in the correct packages.
The image is signed "keylessly" (is that a word?) using Sigstore cosign. To verify its authenticity run
cosign verify \
--certificate-identity "https://github.com/nais/naiserator/.github/workflows/deploy.yaml@refs/heads/master" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/nais/naiserator/naiserator@sha256:<shasum>
The images are also attested with SBOMs in the CycloneDX format. You can verify these by running
cosign verify-attestation --type cyclonedx \
--certificate-identity "https://github.com/nais/naiserator/.github/workflows/deploy.yaml@refs/heads/master" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
ghcr.io/nais/naiserator/naiserator@sha256:<shasum>