Capability to enable custom plugins for Kustomize and helm plugins for kustomize
Proposed Feature
Can we add a feature to set kustomize build options to enable alpha-plugins and enable helm, similar to argocd? Could this be added as an option to the kargo controller?
Motivation
We have custom transformers in kustomize to handle environment- and cluster-specific configuration. Having this feature will help us transition to using kargo as our CD tool.
Suggested Implementation
Can the kargo deployment be updated to enable custom kustomize plugins? Can we also incorporate with helm install as well?
At present we no longer shell out to kustomize, but rather use its lower-level build API to ensure Project and Promotion boundaries are guarded and that it is safe to use in multi-tenant setups. The same applies to helm, where we use the Go equivalent of running helm template using the Helm SDK.
Furthermore, Kustomize plugins come in two (non-deprecated) flavors:
Supporting the first option within Kubernetes itself is difficult because it needs to spawn a container to be able to work. The second option has a better chance of being supported (although I potentially see dependency issues if someone were to attempt to use a Ruby script as shown in the example), but requires discussion and exploration to see if and/or how we can safely enable this.
This issue has been automatically marked as stale because it had no activity for 90 days. It will be closed if no activity occurs in the next 30 days but can be reopened if it becomes relevant again.
Supporting KRM functionality (either) is very much relevant...
refresh
I'm in the same situation: we use custom binary plugins, and trying to use Kargo on manifests that use them gives "external plugins disabled; unable to load external plugin" errors.
Initially I was considering mounting a volume with the plugins, or using an initContainer to provision them, but I see they are explicitly disabled here: https://github.com/akuity/kargo/blob/f863d4a3d62ffe8a9aa3b2b87bba8c4c6bf9ba4f/internal/promotion/runner/builtin/kustomize_builder.go#L159
I'm not sure what the security implications are if this is an opt-in setting in the controller config. I also understand that this type of plugin is listed as "slated for deprecation", but they are still widely used in a lot of places, the alternatives are still Alpha, and the linked issue is weirdly "closed as not planned": https://github.com/kubernetes/enhancements/issues/2953
All of our apps use --enable-helm --load-restrictor LoadRestrictionsNone. Based on the existence of plugin.helm.apiVersions I'm guessing --enable-helm isn't necessary as you all detect there's a helm generator? However, in order to use patches and helm values in some sort of base, the load-restrictor setting is necessary.
Looks like both of these are handled? https://github.com/akuity/kargo/blob/22fe2f72b09dbecfd2609c8ce3d6e69b06485c7f/internal/promotion/runner/builtin/kustomize_builder.go#L172-L177