Kapitan is an open source configuration management tool for Kubernetes, Terraform, and complex infrastructure systems. It helps teams generate, organize, reuse, and validate configuration across environments using an inventory-driven model, templates (Jsonnet, Jinja2, Kadet), and integrations with Helm, Kustomize, CUE, and external references.
Kapitan provides native secrets management (GPG, AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault) and is designed for Platform Engineering and GitOps workflows.
- Website: https://kapitan.dev
- Documentation: https://kapitan.dev/getting_started/
- Community: #kapitan on Kubernetes Slack
- Sponsor: GitHub Sponsors
The fastest way to try Kapitan is with the Kapitan Reference repository:
git clone https://github.com/kapicorp/kapitan-reference.git kapitan-templates
cd kapitan-templates
./kapitan compile
For a minimal project from a cookiecutter template:
pip3 install cruft
cruft create https://github.com/kapicorp/kapitan-reference --checkout cookiecutter --no-input
Kapitan lets you model infrastructure configuration with reusable inventory classes and targets, then compile that data into manifests, scripts, documentation, and Terraform resources. Instead of copying values across Helm values files, Kustomize overlays, and Terraform variables, you define everything once in the Kapitan inventory and let each input type generate the files it needs.
docker run -t --rm -v $(pwd):/src:delegated kapicorp/kapitan -h
On Linux, add -u $(id -u) to preserve file permissions.
Kapitan requires Python 3.10 or newer.
pip3 install --user --upgrade kapitan
See the full installation guide for platform-specific steps.
Kapitan turns a hierarchical inventory and a set of input templates into compiled configuration files ready for deployment.
- Define reusable classes and per-environment targets in YAML.
- Write templates with your preferred tools.
- Run kapitan compile.
- Deploy the generated output from the compiled/ directory.
- Secret management: GPG, HashiCorp Vault, AWS KMS, GCP KMS, Azure Key Vault
- Remote dependencies: Git, HTTP, ORAS (OCI registry)
- Validation: JSON Schema, TOML, YAML linting
- GitOps-friendly: compiles to fully rendered, plain-text output
- You manage the same application across many environments (dev, staging, prod, regions) and want a single source of truth.
- You need to reuse configuration fragments across targets without copy-paste.
- You want to combine multiple templating tools in one pipeline.
- You need native secret management embedded in the same configuration workflow.
- You prefer a compile step that generates fully rendered output before deployment.
- Helm alone is sufficient if you only need to template a single chart with values files and do not share complex configuration across many services.
- Kustomize alone is sufficient if your environment differences are mostly patches and overlays on a small set of bases.
- Plain YAML with a CD tool is sufficient if you have very few environments and simple configuration with little reuse.
- Terraform alone is sufficient if you only manage infrastructure resources and do not need a broader multi-language configuration layer.
Kapitan is actively maintained by KapiCorp and the open source community. Releases are published regularly with release notes. The project uses an MIT license.
We welcome contributions. Please open an issue or pull request to get started.
If you discover a security issue, please open a private security advisory or contact the maintainers directly.
- Ask questions in the #kapitan Slack channel.
- Read the FAQ.
- Open a GitHub Discussion or Issue.
- Tesoro — Kubernetes admission controller for Kapitan secrets.
- Kapitan Reference — working examples to get started.
- Kapitan Generators — reusable generators for common patterns.