Allow mounts and network access in render pipelines #2450

Open
howardjohn opened this issue Aug 14, 2021 · 3 comments
Labels
area/hydrate enhancement New feature or request p1 triaged Issue has been triaged by adding an `area/` label


@howardjohn
Contributor

Describe your problem

Pipelines used by kpt fn render should allow mounts and network access.

There is some discussion in https://kpt.dev/book/04-using-functions/02-imperative-function-execution?id=privileged-execution.

I would argue this degrades the user experience dramatically. Consider an extremely common use case - rendering helm charts. I want to define some function config like:

data:
  name: ingress-nginx
  chart: ingress-nginx
  repository: https://kubernetes.github.io/ingress-nginx
  values:
    foo: bar
  version: 3.25.x

And then have the chart rendered and stored as a local yaml file (which can then be further mutated by pipeline).

Because of restrictions on network access (and mount is useful for cache and local helm charts), this is impossible.

That leaves a few choices:

  • Use kpt fn eval. If I am using kpt, I of course want a declarative setup, so clearly I am going to need to add some tooling here to do this... and now I have invented a poor version of kpt fn render...
  • Do not use helm. Not an option for most users, this is how 99.9% of applications are distributed.
  • Do not use kpt. Strongly not preferred 🙂

IMO these alternatives show that it would be a huge improvement to allow this access. If it requires kpt fn render --allow-unsafe or whatever, no problem.. but right now render is hindered enough such

Related discussions:

@howardjohn howardjohn added the enhancement New feature or request label Aug 14, 2021
@howardjohn
Contributor Author

Poor man's solution as a Makefile:

generate: ## re-generate all manifests
	@mkdir -p $$HOME/.khelm
	cd manifests; find -name khelm.yaml | xargs -I{} $(KPT) fn eval \
		--image mgoltzsche/khelm:v2  --network --mount "type=bind,src=$$HOME/.khelm,dst=/helm,rw=true" --as-current-user \
		--fn-config {}
	kpt fn render manifests
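
An added example, not part of the original thread or kpt's own code: a small audit that lists which `kpt fn eval` calls in a script step outside the function sandbox via `--network` or `--mount`, run on a constructed copy of the recipe above. It assumes `$(KPT)` expands to `kpt` and make's `$$` escapes are already resolved; the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: the recipe from the comment above, with $(KPT) assumed
# to be "kpt", make's $$ unescaped, and xargs' {} replaced by one file name.
SAMPLE = r'''
kpt fn eval \
    --image mgoltzsche/khelm:v2 --network --mount "type=bind,src=$HOME/.khelm,dst=/helm,rw=true" --as-current-user \
    --fn-config khelm.yaml
kpt fn render manifests
'''

def parse_mount(spec):
    """Split a --mount value (type=bind,src=...,dst=...,rw=true) into a dict."""
    return dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)

def audit(script):
    """Return one finding per `kpt fn eval` call that requests network or mounts."""
    joined = re.sub(r"\\\n", " ", script)   # fold shell line continuations
    findings = []
    for line in joined.splitlines():
        argv = shlex.split(line)            # no variable expansion is performed
        if argv[:3] != ["kpt", "fn", "eval"]:
            continue                        # `kpt fn render` and others are skipped
        f = {"image": None, "network": False, "rw_mounts": [], "ro_mounts": []}
        i = 3
        while i < len(argv):
            flag, _, val = argv[i].partition("=")
            # Accept both "--flag value" and "--flag=value" spellings.
            if flag in ("--image", "--mount") and not val and i + 1 < len(argv):
                i += 1
                val = argv[i]
            if flag == "--image":
                f["image"] = val
            elif flag == "--network":
                f["network"] = val.lower() != "false"
            elif flag == "--mount":
                m = parse_mount(val)
                kind = "rw_mounts" if m.get("rw") == "true" else "ro_mounts"
                f[kind].append(m.get("src"))
            i += 1
        if f["network"] or f["rw_mounts"] or f["ro_mounts"]:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
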

@bgrant0607
Contributor

We're unlikely to allow mounts. That won't work with packages fetched via the package orchestrator.

We're considering how to pass arbitrary files as input. #3118

Network access may still be necessary and possible.

@michaelvl
Contributor

michaelvl commented Jul 6, 2023

An alternative take on rendering Helm charts in declarative pipelines can be found here: https://github.com/michaelvl/krm-functions/blob/main/docs/render-helm-chart.md
