gatekeeper on duplicated nested packages merges the validation
Expected behavior
The gatekeeper validation does not work as expected when running on nested packages in a mono repo where the nested packages are the same.
env/prod/app <-- contains constraint violation
env/stage/app <-- is ok
In a setup like this, I expect an error to be reported on the prod app.
Actual behavior
No error is reported. Probably because it is overshadowed by the stage app.
Information
Using 0.2.1 of https://catalog.kpt.dev/gatekeeper/v0.2/
kpt version: 1.0.0-beta.24
Steps to reproduce the behavior
https://github.com/bluebrown/kpt-gatekeeper-issue
This issue was probably opened in the wrong repo. Sorry about that. Maybe we can move it.
This is the right repo to open issues for the kpt function catalog! Thanks.
Thanks for filing the issue, @bluebrown. I tried out your examples and can reproduce the problems. I stabbed on some of the source code and I agree with you that the stage directory "overshadowed" the results from expected "FAILED" to unexpected "PASS".
The root cause is that 'gatekeeper' cannot correctly identify the resources of the same GroupVersionKindNamespaceName from different subpackages, so the prod/deployment.yaml (bad) is overridden by the stage/deployment.yaml (good).
To fix this issue, the gatekeeper should switch its framework library from kyaml/framework to kpt-function-sdk/go/fn (what other KRM functions use). The kpt-function-sdk/go/fn better handles corner cases like this for nested kpt packages. It can distinguish the resources of the same GVKNN, track them separately and write them back to the right subdirectory (if the manifests are changed).
Our team is currently stretched thin, so we encourage more contributors to help improve the KRM functions. @bluebrown If you'd like to help fix this, I am happy to share more pointers and help release the functions once it's done.
Overall I think this is a good first issue for new contributors. Added the "good first issue" label.
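The masking described in this thread, as an added example that is not part of the original issue and is not code from gatekeeper, kyaml or the fn SDK: a validator that indexes resources by GVKNN alone evaluates only the last manifest with that identity, so the prod violation is never checked. The `Resource` type, the `Violates` field and the sample paths are constructed for illustration.

```go
package main

import "fmt"

// Resource is a simplified stand-in for a KRM object (hypothetical type).
type Resource struct {
	Path                                  string // file the manifest was read from
	Group, Version, Kind, Namespace, Name string
	Violates                              bool // constructed: true when the manifest breaks the sample constraint
}

func byGVKNN(r Resource) string {
	return fmt.Sprintf("%s/%s/%s/%s/%s", r.Group, r.Version, r.Kind, r.Namespace, r.Name)
}

// byPathAndGVKNN keeps same-identity resources from different subpackages apart.
func byPathAndGVKNN(r Resource) string { return r.Path + "|" + byGVKNN(r) }

// violations indexes the input with keyFn, then checks only what survived indexing.
func violations(items []Resource, keyFn func(Resource) string) []string {
	index := map[string]Resource{}
	var order []string
	for _, r := range items {
		k := keyFn(r)
		if _, seen := index[k]; !seen {
			order = append(order, k)
		}
		index[k] = r // a later resource with the same key replaces the earlier one
	}
	var failed []string
	for _, k := range order {
		if r := index[k]; r.Violates {
			failed = append(failed, r.Path)
		}
	}
	return failed
}

// sampleInput is constructed: one Deployment identity present in two nested packages.
func sampleInput() []Resource {
	return []Resource{
		{"env/prod/app/deployment.yaml", "apps", "v1", "Deployment", "default", "app", true},
		{"env/stage/app/deployment.yaml", "apps", "v1", "Deployment", "default", "app", false},
	}
}

func main() {
	fmt.Println("keyed by GVKNN:       ", violations(sampleInput(), byGVKNN))
	fmt.Println("keyed by path + GVKNN:", violations(sampleInput(), byPathAndGVKNN))
}
```

A regression test for a policy function can use the same shape: feed it two packages that share an identity and assert that the violating path is reported.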