Open Source Configuration Management Tool for Kubernetes

Every good story starts with pip install


Make a root project directory which will contain all the configuration for your cluster.

$ mkdir infrastructure
$ cd infrastructure
$ pip install narrenschiff

Initialize a project and encrypt a secret

A root project is collection of smaller course projects which contain either simple app configs, workflows, or even a complex set of templated manifests. You can also easily encrypt strings and files. All sensitive information in Helm’s values.yaml override is now under the lock.

$ narrenschiff dock \
    --autogenerate \
    --location postgres/
$ narrenschiff chest stash \
    --treasure postgresPassword \
    --value "Password123!" \
    --location postgres/

Turn your manifests into templates

Power up Kubernetes manifests with Jinja templating language. You can easily add cleartext variables, or even encrypted string to them. Now you can commit Kubernetes Secret to the infrastructure repo without having to worry about secrets leaking. All secrets and files are encrypted using password and salt for better security. Even your execution workflows (i.e. Narrenschiff courses) can be turned into templates.

$ mkdir postgres/files/
$ cat > postgres/files/secret.yaml << EOF
apiVersion: v1
kind: Secret
type: Opaque
    name: postgres
    POSTGRES_PASSWORD: "{{ postgresPassword | b64enc }}"

Document your workflow

In Narrenschiff courses are YAML files in which you write your workflows. Courses should be idempotent, self-documenting infrastructure as code. They are collection of tasks which correspond to the commands which you would actually execute using kubectl, helm, or gcloud. Courses are also templated, so you can reuse your variables and secrets. If you need to repeat a task several time, simply use for loop with Jinja!

$ cat > postgres/course.yaml << EOF
- name: Add secret to default namespace
    command: apply
            - secret.yaml
        namespace: "default"

Apply changes to the cluster

Set sail. Deploy!

$ narrenschiff sail \
    --set-course postgres/course.yaml



If you need to source control your Secrets and sensitive values.yaml files Narrenschiff gives you an easy way to encrypt them

Infrastructure as Code

No more bash scripting for your Cluster, use simple YAML files to write down sequential tasks, and document your infrastructure as you go


With the help of Jinja templating language you can easily customize your manifests, and even the Narrenschiff courses – apply DRY to your infrastructure configuration also


Instead of manually executing kubectl and kustomize, or scripting them with bash, write Narrenschiff courses to document your infrastructure


With the helm module you can deploy your packaged apps, and enjoy full encryption of values.yaml file using Narrenschiff’s secretmaps


Orchestrate your cluster easily and in source controlled manner – Narrenschiff offers gcloud module to help you with automation of your workflows

But... Why?

It is really easy to encrypt values.yaml containing sensitive information, or to template your manifests. You can even use kustomize's secretGenerator in Narrenschiff. Although we consider the encrypted strings and files to be the most powerful features of Narrenschiff, it's also a "procedural/declarative task executor" or whatever you want to call it (it's YAML instead of a bash script - come to think of it, we should also have an acronym for that - YIOB - it just rolls off the tongue). So this is one more reason to use it. It's a Kubernetes configuration management tool for small businesses that were insane enough to start with Kubernetes in the first place.