Manifest Structure Reference
Purpose: a field-level reference, written for application developers, to every manifest file in customer-app-example.
Overview
This reference documents the structure and fields of each manifest file in an openCenter application repository. The structure follows the openCenter-customer-app-example pattern.
Repository Layout
```text
my-app/
├── kustomization.yaml        # Root Kustomize composition
├── namespace.yaml            # Application namespace
├── gateway-resources/        # Shared Gateway API resources (optional)
│   └── gateway.yaml
├── app1/                     # Raw manifest application
│   ├── deployment.yaml
│   ├── service.yaml
│   ├── httproute.yaml
│   └── networkpolicy.yaml
└── app2/                     # Helm-based application
    ├── source.yaml           # HelmRepository
    └── helmrelease.yaml      # HelmRelease with values
```
kustomization.yaml (Root)
Composes all application resources into a single deployable unit.
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
  - app1/
  - app2/
```
| Field | Type | Required | Description |
|---|---|---|---|
| resources | list of paths | Yes | Paths to directories or files to include |
| patches | list of patch objects | No | Strategic merge or JSON patches |
| images | list of image overrides | No | Override image name, tag or digest without patching |
| namespace | string | No | Override namespace for all resources (prefer targetNamespace in the FluxCD Kustomization instead) |
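The root file above only lists resources. The `images` and `patches` fields are what a per-environment overlay uses to change an image tag or raise `spec.replicas` without editing the application directory. The following overlay is an added example, not a file from customer-app-example; the overlay path (`my-app/overlays/prod/`), the registry hostname, the image name and the Deployment name `app1` are assumptions for illustration.

```yaml
# Added example: my-app/overlays/prod/kustomization.yaml (assumed path).
# Composes the root kustomization.yaml and applies production-only changes.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../..                       # the root kustomization.yaml shown above

# Swap the tag of an image without touching app1/deployment.yaml.
# `name` must match the image reference as written in the Deployment, minus the tag.
images:
  - name: harbor.example.com/my-app/app1   # assumed registry and image name
    newTag: "1.4.2"                        # a pinned release tag, never latest

# Raise replicas for production; the base keeps the minimum of 2.
patches:
  - target:
      kind: Deployment
      name: app1                           # assumed Deployment name
    patch: |-
      - op: replace
        path: /spec/replicas
        value: 3
```

Render it with `kustomize build my-app/overlays/prod` and diff the output against `kustomize build my-app` to confirm that only the image tag and replica count changed.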
deployment.yaml
Standard Kubernetes Deployment for stateless workloads.
| Field Path | Type | Required | Notes |
|---|---|---|---|
| spec.replicas | integer | Yes | Minimum 2 for production; overridden per-environment via Kustomize |
| spec.template.spec.containers[].image | string | Yes | Must use the Harbor registry with a pinned tag (never latest); pinning by digest as well is stronger, since tags are mutable |
| spec.template.spec.containers[].resources.requests | object | Yes | Kyverno policy rejects pods without resource requests |
| spec.template.spec.containers[].resources.limits | object | Yes | Set a memory limit; a CPU limit is optional but recommended |
| spec.template.spec.containers[].livenessProbe | object | Yes | Required so the kubelet restarts a container that has hung |
| spec.template.spec.containers[].readinessProbe | object | Yes | Required for traffic routing (a Service only sends traffic to endpoints whose pods are ready) |
| spec.template.spec.securityContext.runAsNonRoot | boolean | Yes | Must be true; enforced by Pod Security Admission |
| spec.template.spec.securityContext.seccompProfile.type | string | Yes | Must be RuntimeDefault or Localhost; enforced by Pod Security Admission |
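A Deployment that satisfies every Required row above, as an added example rather than a file from customer-app-example. The registry hostname, image name and tag, the probe paths and container port 8080 are assumptions; the extra container-level fields at the end are not in the table but are what the restricted Pod Security Admission profile also requires.

```yaml
# Added example: app1/deployment.yaml (assumed contents).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1
  namespace: my-app
  labels:
    app: app1
spec:
  replicas: 2                                  # production minimum; overlays raise it
  selector:
    matchLabels:
      app: app1
  template:
    metadata:
      labels:
        app: app1                              # service.yaml spec.selector must match this
    spec:
      securityContext:
        runAsNonRoot: true                     # required by Pod Security Admission
        seccompProfile:
          type: RuntimeDefault                 # RuntimeDefault or Localhost
      containers:
        - name: app1
          image: harbor.example.com/my-app/app1:1.4.2   # Harbor registry, pinned tag, never :latest
          ports:
            - name: http
              containerPort: 8080              # service.yaml targetPort must match this
          resources:
            requests:                          # Kyverno rejects pods without requests
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 256Mi                    # memory limit is mandatory; CPU limit optional
          livenessProbe:                       # kubelet restarts the container on failure
            httpGet:
              path: /healthz                   # assumed endpoint
              port: http
            initialDelaySeconds: 10
            periodSeconds: 15
          readinessProbe:                      # Service endpoints exclude the pod until this passes
            httpGet:
              path: /ready                     # assumed endpoint
              port: http
            periodSeconds: 5
          securityContext:
            allowPrivilegeEscalation: false    # required by the restricted PSA profile
            capabilities:
              drop: ["ALL"]                    # required by the restricted PSA profile
            readOnlyRootFilesystem: true       # not required by PSA, but limits what a compromised process can write
```

Validate before committing with `kubectl apply --dry-run=server -f app1/deployment.yaml`, which runs the Pod Security Admission and Kyverno checks named in the table without creating anything.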
service.yaml
Exposes the Deployment to cluster-internal traffic and to HTTPRoutes.
| Field Path | Type | Required | Notes |
|---|---|---|---|
| spec.selector | map | Yes | Must match the Deployment's pod template labels |
| spec.ports[].port | integer | Yes | Port exposed to other services and referenced by HTTPRoute backendRefs |
| spec.ports[].targetPort | integer | Yes | Must match the container port |
| spec.type | string | No | Default ClusterIP. Do not use LoadBalancer; use Gateway API instead |
httproute.yaml
Gateway API HTTPRoute for external HTTPS routing.
| Field Path | Type | Required | Notes |
|---|---|---|---|
| spec.parentRefs[].name | string | Yes | Name of the shared Gateway (typically platform-gateway) |
| spec.parentRefs[].namespace | string | Yes | Namespace of the Gateway (typically gateway-system); the Gateway listener's allowedRoutes must admit routes from the application namespace |
| spec.hostnames[] | list of strings | Yes | FQDN(s) for this route; each must intersect the hostname of the listener it attaches to, or the route is not accepted |
| spec.rules[].matches[].path.type | string | No | PathPrefix (default) or Exact |
| spec.rules[].matches[].path.value | string | No | URL path to match |
| spec.rules[].backendRefs[].name | string | Yes | Service name in the same namespace |
| spec.rules[].backendRefs[].port | integer | Yes | The Service's spec.ports[].port, not the container targetPort |
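The Service and HTTPRoute are easiest to get right when read together, because the route's backendRef must name the Service and its `spec.ports[].port`, while the Service's `targetPort` must name the container port. The pair below is an added example, not files from customer-app-example; the hostname `app1.example.com`, the Gateway name and namespace, and the port numbers are assumptions.

```yaml
# Added example: app1/service.yaml (assumed contents).
apiVersion: v1
kind: Service
metadata:
  name: app1
  namespace: my-app
spec:
  type: ClusterIP                  # the default; never LoadBalancer, the Gateway fronts it
  selector:
    app: app1                      # must equal the Deployment's pod template labels
  ports:
    - name: http
      port: 80                     # what HTTPRoute backendRefs[].port refers to
      targetPort: 8080             # the containerPort in deployment.yaml
      protocol: TCP
---
# Added example: app1/httproute.yaml (assumed contents).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app1
  namespace: my-app
spec:
  parentRefs:
    - name: platform-gateway       # shared Gateway (assumed name)
      namespace: gateway-system    # its listener must allow routes from namespace my-app
  hostnames:
    - app1.example.com             # assumed FQDN; must intersect the listener hostname
  rules:
    - matches:
        - path:
            type: PathPrefix       # the default; Exact is the other option
            value: /
      backendRefs:
        - name: app1               # the Service above, same namespace
          port: 80                 # Service port, not the 8080 targetPort
```

After applying, check `kubectl get httproute app1 -n my-app -o jsonpath='{.status.parents[*].conditions}'`: an `Accepted=False` condition usually means the Gateway listener does not admit routes from this namespace or the hostname does not match the listener.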
helmrelease.yaml (Helm-Based Applications)
FluxCD HelmRelease for applications deployed via Helm charts.
```yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: redis
  namespace: my-app
spec:
  interval: 30m
  chart:
    spec:
      chart: redis
      version: "19.x"
      sourceRef:
        kind: HelmRepository
        name: bitnami
  values:
    architecture: standalone
    auth:
      enabled: true
      existingSecret: redis-credentials
```
| Field Path | Type | Required | Notes |
|---|---|---|---|
| spec.chart.spec.chart | string | Yes | Chart name in the HelmRepository |
| spec.chart.spec.version | string | Yes | Semver range or exact version; never omit it, since the default `*` tracks whatever the newest published chart is |
| spec.chart.spec.sourceRef | object | Yes | References a HelmRepository in the same namespace (the source.yaml in the application directory) |
| spec.values | object | No | Helm values merged over the chart defaults; secrets go in a referenced Secret (existingSecret above), never inline |
| spec.interval | duration | Yes | How often FluxCD reconciles the release; it is also the default interval at which the generated HelmChart looks for new versions matching spec.chart.spec.version |
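The `sourceRef` above resolves to the HelmRepository in `app2/source.yaml`, which the layout lists but this page does not otherwise show. The following is an added example of that file, not the project's own; the chart index URL is an assumption, and the `interval` here governs how often the repository index is refreshed, independently of the HelmRelease interval.

```yaml
# Added example: app2/source.yaml (assumed contents).
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bitnami                    # matches spec.chart.spec.sourceRef.name in helmrelease.yaml
  namespace: my-app                # same namespace as the HelmRelease
spec:
  interval: 1h                     # how often the index.yaml is re-fetched
  url: https://charts.bitnami.com/bitnami   # assumed chart repository URL
```

With both objects applied, `flux get helmreleases -n my-app` should show the release Ready; if it reports that the HelmChart could not be resolved, the `sourceRef.name` or namespace does not match this object.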
networkpolicy.yaml
Restricts ingress and egress traffic for application pods.
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: my-app
  namespace: my-app
spec:
  podSelector:
    matchLabels:
      app: my-app
  policyTypes:
    - Ingress                       # listing both types makes the default-deny explicit
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: gateway-system   # only the shared Gateway may reach the pod
      ports:
        - port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system      # cluster DNS
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP             # resolvers fall back to TCP for large or truncated answers
```
| Field Path | Type | Required | Notes |
|---|---|---|---|
| spec.podSelector | object | Yes | Selects the pods this policy applies to; must match the Deployment's pod labels |
| spec.policyTypes | list | Yes | Include both Ingress and Egress so that anything not listed is denied in both directions |
| spec.ingress[].from | list | No | Allow traffic from the Gateway namespace so HTTPRoute traffic can reach the pod |
| spec.egress[].to | list | No | Allow DNS (UDP and TCP 53) at minimum; add database or API endpoints as needed |
Further Reading
- Application Patterns — When to use each resource type
- Deploying Applications — Tutorial using these manifests
- Gateway API & TLS — HTTPRoute and certificate details