score-compose
[feature request] Have a way to patch workload/service
I have this use case where I want to inject "security context" for each workload / service in my generated compose.yaml file.
Today, I need to manually do that:
```bash
cat <<EOF > compose.override.yaml
services:
  ${WORKLOAD_NAME}-${CONTAINER_NAME}:
    read_only: true
    cap_drop:
      - ALL
    user: "1000"
EOF
```
But when I have multiple workloads or containers, this is a bit painful.
A post-processing yq command may be able to help too, but same approach, not user friendly.
Do we have an opportunity to introduce a new provisioner type (or something else) in order to patch a workload or a service directly in score-compose generate?
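The manual override from the post above, extended to several services at once. This is an added example, not part of the original post and not score-compose's own code; the function name `gen_security_override` and the service names are constructed for illustration.

```sh
#!/bin/sh
# Added example: emit one hardened override entry per compose service.
# Service names follow the ${WORKLOAD_NAME}-${CONTAINER_NAME} pattern from the post.

# gen_security_override SERVICE... -> prints a compose override document on stdout.
gen_security_override() {
  if [ "$#" -eq 0 ]; then
    echo "usage: gen_security_override SERVICE..." >&2
    return 2
  fi
  # Validate every name before printing anything: a name containing ':',
  # whitespace or a newline could change the structure of the generated YAML.
  for name in "$@"; do
    case "$name" in
      ''|*[!A-Za-z0-9._-]*)
        echo "refusing unsafe service name: '$name'" >&2
        return 1
        ;;
    esac
  done
  echo "services:"
  for name in "$@"; do
    # Same three settings as the hand-written override: read-only root
    # filesystem, all capabilities dropped, non-root user.
    cat <<EOF
  ${name}:
    read_only: true
    cap_drop:
      - ALL
    user: "1000"
EOF
  done
}

# Constructed sample: one workload with one container, one workload with two.
gen_security_override frontend-web backend-api backend-worker
```

Redirect the output to `compose.override.yaml` to use it next to the generated `compose.yaml`.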
@mathieu-benoit What kind of expression language do you suggest? How complex should it be?
Tools like jq and yq are very good at what they do, so we will never do something of equivalent complexity, but there is room for something simple potentially using the existing Go template language?
We wouldn't use a provisioner or workload resource like Humanitec does, because it breaks the Score resource contracts, but we could do something specific to score-compose here?
> using the existing Go template language
Yeah, I think this would be a great experience, consistent with the existing provisioners too.
jq/yq could still be used outside score-compose but this feels disconnected and not a consistent experience for end users.
Coming in with https://github.com/score-spec/score-compose/pull/276, great to see!
This is now released and available:
- https://github.com/score-spec/score-k8s/releases/tag/0.4.0
- https://github.com/score-spec/score-compose/releases/tag/0.27.0
We also started a repo as a library of examples for and by the community: https://github.com/score-spec/community-patchers.
Please, give it a try and share your feedback with us in Slack.