kpt icon indicating copy to clipboard operation
kpt copied to clipboard

Published 20 hours ago verified publisher icon kptdev

Allow mounts and network access in render pipelines

Open howardjohn opened this issue 2 years ago • 3 comments

Describe your problem

pipelines used by kpt fn render should allow mounts and network access.

There is some discussion in https://kpt.dev/book/04-using-functions/02-imperative-function-execution?id=privileged-execution.

I would argue this degrades the user experience dramatically. Consider an extremely common use case - rendering helm charts. I want to define some function config like:

data:
  name: ingress-nginx
  chart: ingress-nginx
  repository: https://kubernetes.github.io/ingress-nginx
  values:
    foo: bar
  version: 3.25.x

And then have the chart rendered and stored as a local yaml file (which can then be further mutated by pipeline).

Because of restrictions on network access (and mount is useful for cache and local helm charts), this is impossible.

That leaves a few choices:

  • Use kpt fn eval. If I am using kpt, I of course want a declarative setup, so clearly I am going to need to add some tooling here to do this... and now I have invented a poor version of kpt fn render...
  • Do not use helm. Not an option for most users, this is how 99.9% of applications are distributed.
  • Do not use kpt. Strongly not preferred :slightly_smiling_face:

IMO these alternatives show that it would be a huge improvement to allow this access. If it requires kpt fn render --allow-unsafe or whatever, no problem.. but right now render is hindered enough such

Related discussions:

  • https://github.com/GoogleContainerTools/kpt/issues/1181 - I don't think this will enable the ease of use expected, unless there is a dramatic shift in the helm ecosystem such that all helm charts are available as docker images.
  • https://github.com/GoogleContainerTools/kpt/issues/1531
  • https://github.com/GoogleContainerTools/kpt/issues/1151

howardjohn avatar Aug 14 '21 21:08 howardjohn

Poor mans solution as a makefile:

generate: ## re-generate all manifests
	@mkdir -p $$HOME/.khelm
	cd manifests; find -name khelm.yaml | xargs -I{} $(KPT) fn eval \
		--image mgoltzsche/khelm:v2  --network --mount "type=bind,src=$$HOME/.khelm,dst=/helm,rw=true" --as-current-user \
		--fn-config {}
	kpt fn render manifests

howardjohn avatar Aug 14 '21 21:08 howardjohn

We're unlikely to allow mounts. That won't work with packages fetched via the package orchestrator.

We're considering how to pass arbitrary files as input. #3118

Network access may still be necessary and possible.

bgrant0607 avatar Jul 22 '22 18:07 bgrant0607

An alternative take on rendering Helm charts in declarative pipelines can be found here: https://github.com/michaelvl/krm-functions/blob/main/docs/render-helm-chart.md

michaelvl avatar Jul 06 '23 18:07 michaelvl