Kustomize API Proposal: Add an example with components

[apyrgio]

Add a WIP example that showcases how components can be used. This example is purposefully similar to the multibases example, to showcase what's the current shortcoming of overlays, namely that we currently can't combine overlays that point to the same common base. Also, this example uses the KustomizationPatch notation to define a component, as seen in #2168.

For convenience, you can see the rendered example here.

[k8s-ci-robot]

Hi @apyrgio. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[apyrgio]

For those who are not aware of the on-going discussion on this subject, let me add a preface:

This PR has been sent as a follow-up to a live discussion regarding composition support in Kustomize (#1251). See here for more details. Its purpose is to showcase how components would work, based on @pgpx's #2168 PR.

Feel free to comment on anything that seems off with this design, or if there's a use-case that you feel is not covered.

For instance, what I feel is not covered is the handling of relative paths. In this example, it's the secrets for LDAP/reCAPTCHA/etc. Since components are reusable, and probably provided by the upstream, they should be treated as read-only. So, we shouldn't store files in them so that the generators can pick them up. Instead, it may be better to resolve the file paths relative to the top-level overlay.

This of course is of lesser importance to the actual issue, but I'm mentioning it here for completeness.

[apyrgio]

Also, in case it's not clear. For those wandering if the example would work if we simply switched:

kind: KustomizationPatch

with:

kind: Kustomization

resources:
  - ../../base

the answer is:

$ kustomize build overlays/dev
Error: accumulating resources: recursed merging from path '../../components/recaptcha': may not add resource with an already registered id: apps_v1_Deployment|~X|example

The reason is that Kustomize processes overlays in parallel, so if two overlays point to the same base, it will create two copies of it but will not be able to merge them.

[monopole]

/ok-to-test

[ioandr]

Hey there,

this is an update with regard to the action item from the previous community meeting: as agreed, with @apyrgio we have worked on a second iteration of the example document that describes Κustomize components.

We now provide 2 solutions to the same problem, one without and one with Kustomize components. We hope that they adequately highlight the value of the composition feature.

cc @pwittrock @monopole

[pwittrock]

@ioandr Thanks!

[pwittrock]

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

[ioandr]

Done.

[pwittrock]

Probably makes sense to have components separate from resources.

components:
- ../../components/external_db
- ../../components/recaptcha

[ioandr]

Our approach was to stay as close as possible to the existing interface of kustomization files.

Since the bases keyword was also absorbed by resources quite recently we believe it is more straight forward to have the resources keyword cover all cases, including components.
Aside, such a change might have implications in the size and complexity of #2168.

In any case, we are definitely open to iterate on this and reach a common understanding.

[pgpx]

A Component (aka KustomizationPatch) effectively become the parent resource of the resources that come before it in the resources list. They could be moved to a separate components list, which I think could then be evaluated as if it was appended to the end of the resources list. I guess this would make things a little clearer (and maybe opportunities for checking that only the correct types are in each list), and probably wouldn't make the code that much more complicated. The disadvantage is that you wouldn't be able to add any resources to be evaluated after the components, but I can't think of any examples that would actually need that (and the examples don't), so maybe that isn't a real concern?

[pgpx]

I implemented support for a components list on a separate branch in my fork - doesn't seem to bad, with most of the added complexity needed to limit each kind to their own list. The code definitely could do with a slightly more extensive refactor if components is preferred, but I didn't do that now just to minimise the extent of the changes.

[pwittrock]

I think this is reasonable for now. It has an alpha apiVersion so we aren't commitment to keeping the API in this form.

[pgpx]

Should I merge that in to the main PR branch? I still need to make the change so make it use alpha instead of beta.

[pgpx]

I rebased the components branch and added v1alpha1 support.

[pwittrock]

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

[ioandr]

Done.

[pwittrock]

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

[ioandr]

Done.

[pwittrock]

apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Customization

[ioandr]

Done, s/Customization/Kustomization

[pwittrock]

Yup, silly auto correct.

[pwittrock]

overlay -> variant

[ioandr]

Done.

[pgpx]

Maybe use a configMapGenerator in one of the components to show that it would work as well? Something like the following (or use a files: generator):

Suggested change

	patchesStrategicMerge:
	configMapGenerator:
	- name: conf
	behavior: merge
	literals:
	- ldap.conf=|
	endpoint=ldap://ldap.example.com
	bindDN=cn=admin,dc=example,dc=com
	pass=/var/run/secrets/ldap/ldappass.txt

[apyrgio]

Sure, let's spice this up.

[pwittrock]

Would you clarify in the doc if the ordering matters? I assume it doesn't, but would be good to clarify that resources behaves like a set.

[pwittrock]

Let's move forward with this as there have been no objections.

WDYT of the following proposal:

• Create a KEP for this under kubernetes/enhancements. This gives visibility to folks who follow that repo
  • You don't need to fill out all the KEP sections. Delete those that don't seem relevant.
  • Copy and paste contents from this document into the KEP
  • Link the KEP in this PR description
  • Message sig-cli in Slack, mentioning @pwittrock and @soltysh
  • Post KEP to sig-cli mailing list
  • Add to next weeks sig-cli agenda
• Update the implementation PR (don't block on the KEP, since this has already had extensive discussion)
  • Link the implementation PR (code) in the description of this PR (docs)
  • Add any tests that are missing
    • Test that ordering doesn't matter of resources, patches, components
    • Test for conflicting components -- e.g. specify different values for the same annotation, patch the same resource with different values
    • Test ordering with namePrefix / suffix
    • Test components specifying the same ConfigMap / Secret generator -- are they merged, overridden, error?
  • Update with changes from this PR
• Show up to sig-cli meetings until the feature is completed and part of a release

After the above are complete, let's merge this PR so the new capabilities are documented.

Consider promoting your new feature on twitter.

[pwittrock]

/lgtm

[pwittrock]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: apyrgio, pwittrock

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pwittrock]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[pgpx]

@pwittrock The ordering of Components does matter, because they are applied to the resources and components that came before them in the list (resources or components). Other resources (Kustomizations and files) are independent of each other. I guess that might be another argument to use components because then we can say that the order is significant for that list, but resources can then behave as a set (otherwise if we just have resources then order will matter).

[pwittrock]

Hm, my guess is that we want components to apply to all resources in the list -- otherwise I'd expect subtle bugs. Its not clear from looking at the resource list what is a resources vs a path vs a component.

Otherwise we might want a more explicit expression of what is applied and where.

Perhaps components should have a protocol as part of the URI so it is more clear.

kind: Kustomization
resources:
- https+component://github.com/....
- file+component://something

[apyrgio]

@pwittrock Indeed, it makes sense to spin this feature request into a separate KEP. Thanks for breaking down the process to steps, they seem pretty solid. We’ll follow them and try to have something ready by this Wednesday.

[monopole]

/hold
Looks good, no big objections, but would like clarity on resources:

Currently, it's a list, not a set, and don't want to change that accidentally.

[apyrgio]

It seems that the semantics of the components field are as important as how the Component kind will work, so let's weigh in on this:

I think we agree that components are a special case of overlays, that can modify the same set of resources without "cloning" them. In this example, the resources are the Deployment and ConfigMap, and the components extend those, without caring much for their order. However, if two components alter the same field, then we need a way to resolve this conflict. It seems that the most intuitive way to resolve it is by "applying" the components sequentially, which is what @pgpx's PR does.

Now, as for how we can communicate this to the users. I think that the proposal for a separate components field works well in this case, because we can put the components there and document that order matters. I also think that users can adapt to this field easily, because there's already a field that behaves similarly; the patches field. Thus, the elevator pitch to existing users could be, to some extent, "what patches do to resources, components do to kustomizations". Hopefully that clarifies things a bit.

[apyrgio]

I have updated the example to demonstrate how the components field would work, and to correct some omissions.

[monopole]

/lgtm

looks like fun, thanks for working on this.
The examples are terrific.

[monopole]

/lgtm

make ux happy

[apyrgio]

Just a quick note here; I'm a bit worried that there will be people who will go through the examples of Kustomize, see this example and try to use it. However, the corresponding functionality has not yet been merged. Should we warn in the example that this is a work in progress?

[apyrgio]

Me, @ioandr and @pgpx have written the requested KEP. See kubernetes/enhancements#1803 for more details.