Open snuggie12 opened 3 years ago
What is the status as of today? Kustomize added KRM functions recently.
@snuggie12 @jannfis any update? What are Argo plans to support Kustomize/KPT KRM Fn ?
The issue I referenced is closed now and I believe the documentation is located here. I think the best bet would do the sidecar approach and use the same setup I referenced with a statically built podman symlinked to docker.
Disappointingly, currently kustomize is preparing to remove their helm chart plugin and revamp it into a KRM function. If this goes through I think the best option will be to fork kustomize. Essentially my plan is to use/create golang plugins but treat them as if they were built-in. This removes any need for laptop setup or mucking with the repo server.
Slightly ranty, but all of this might get solved automatically as docker is changing up licensing and what not. Fingers crossed someone just invents a better tool to run containers that doesn't require the security exceptions.
What about building a small program that interprets docker run
commands and converts them to appropriate kubectl run
commands? Then the repo-server can intercept the calls kustomize tries make to docker
binary and, instead, (given the appropriate permissions) run containers in new temporary pods and forward stdout/stderr from there.
(I hope a pod running creating other temporary pods is not a antipattern.)
This would put some limits on the containerized KRM function plugins because the mounts
and network
options that are present in kustomize cannot work the same as in actual docker (or aliased podman), but I think that's a sensible limitation when CD is involved. --security-opt
I'd consider not necessary as kubernetes already isolates pods properly. And while kubectl run
does not support --user
it might be possible to patch it in via --overrides
.
I don't see bundling kubectl as the only option, probably instead the repo-server itself could integrate logic for running pods based on docker run
parameters, with the actual docker
command simply being a bridge to that logic in repo server.
There are multiple options implementation can take. One is that Kustomize will offer an interface what is being called to run function) another is that Argo will implement role of orchestrator - so it will run the functions on its own.
I would even consider that ArgoCD Application spec.source.plugin
could accept an KRM Fn as plugin. Some global template processing could be easily done this way on CD level.
In other word it would be even nice to chain source engines what ever way is needed/per app, ie: helm -> ... -> KRM Fn -> Kustomize -> ... -> ... etc
whatever way/order. I would mention here this project that as far as I do understnad offload some logic to plugin instead of argo: https://github.com/crumbhole/argocd-lovely-plugin
I have spent some time with the KRM Fn. Mostly some template rendering (both configuration for apps and manifests).
Overall, it would be great if ArgoCD team would update how they do see that and what is essentially going to be placed on the roadmap as of 2022.
@snuggie12 Have you made any headway with Containerized KRM functions in ArgoCD? I went through the trouble of creating one (https://github.com/kubernetes-sigs/kustomize/issues/4555) and I'm extremely disappointed it doesn't "just work" in ArgoCD. You say you got a proof of concept working, but I'm struggling to piece it all together.
@snuggie12 Have you made any headway with Containerized KRM functions in ArgoCD? I went through the trouble of creating one (kubernetes-sigs/kustomize#4555) and I'm extremely disappointed it doesn't "just work" in ArgoCD. You say you got a proof of concept working, but I'm struggling to piece it all together.
@tedtramonte have you made any progress?
@epcim I got the podman image running as a sidecar to ArgoCD, and that's about where I stopped. I've had a rough week, so it could be that, but I just can't grok the ArgoCD plugin documentation. Nothing I tried would get my Application
to run through the sidecar.
I have a branch in my Ansible repo with a dump commit that has what I've configured so far, if you want to take a look: https://gitlab.com/door-to-darkness/ansible/-/commit/f37f6af49fbdf8fa3beef787e05b118c4b0601fb
We don't really have this issue anymore so did this on personal time, but I spent a few hours and am almost there. I just need to solve one or two more podman/permissions issues and it should be working.
However, given that every other piece is working such as the sidecar itself with argocd, perhaps someone can figure out how to make the correct Dockerfile
which finishes this:
All of this gets you to the point where the sidecar is def executing kustomize build
but various issues involving mixing argocd's user with something setup for the podman user to work are coming into conflict. If I have some time I'll add the app back and paste the error I'm currently at.
Well good news/slightly embarrassing, but turns out the final change I made last night/this morning pushed it over the edge. I have it working!
That still leaves a lot of work to do to figure out which one of all my hacks are absolutely necessary. The final one that took it over the edge was using the non-minimal image of podman-static. I guess one could start from there and see if things are still busted.
If I get some free time I'll try to list out the rest of the changes, but they're all in the comments above.
I suspect the limitation of your approach is running the sidecar privileged or getting /dev/fuse
into the container, see https://www.redhat.com/sysadmin/podman-inside-kubernetes, "Rootless Podman without the privileged flag":
To eliminate the privileged flag, we need to do the following:
- Devices:
/dev/fuse
is required to use fuse-overlayfs inside of the container, this option tells Podman on the host to add/dev/fuse
to the container so that containerized Podman can use it.- Disable SELinux: SELinux does not allow containerized processes to mount all of the file systems required to run inside a container. So we need to disable SELinux on the host that is running the Kubernetes cluster.
I am still intrigued whether kubectl run
(or similar functionality baked into repo-server) might be a easier solution with less external dependencies, but did not took time to further look into this yet.
Hey, I will be pitching an alternative approach for running KRM funtions in containers at ArgoCon Europe 2023: https://colocatedeventseu2023.sched.com/event/1Jo9s/cl-lightning-talk-using-kustomize-krm-functions-to-enhance-argo-cd-application-deployments-jan-heylen-nokia
Hi, I'm considering KRM functions to work around Kustomize limitations with replacements. Did this ever get somewhere ?
last time i checked containerized KRM functions reliance on stdin/stdout makes them hard to use on kubernetes.
https://github.com/kubernetes-sigs/kustomize/pull/4921
Edit: https://github.com/argoproj/argo-cd/issues/5553#issuecomment-2118988826
there also is the hurdle that kustomize currently expects "docker run" to run containers
I believe that the issue title is a bit out of date or not so accurate because it states support KRM functions
where the body covers only Containerized KRM Functions.
There is no mention of Exec KRM functions which is still possible to run KRM functions and it only needs the binary in the system.
true, regular exec krm functions should work fine!
Summary
Starting in version 3.9.X of kustomize you can now run a custom plugin which is a container image-based KRM function. This is great since before you needed to have a
plugins
directory storing your code and having all your engineers have that setup is a pain.However, it requires you have a program called "docker" (doesn't necessarily actually need to be docker, just as long as commands like
docker pull
ordocker run
does the same thing as docker,) in your$PATH
so the container can be fetched and run.I think this would present a problem for the repo-server. There's a few things out there documenting security concerns and what not of running docker in a docker container in your environment. I personally prototyped using https://github.com/mgoltzsche/podman-static on the repo-server and it looks like it would work. FWIW, I also filed https://github.com/kubernetes-sigs/kustomize/issues/3536 but it looks like this will be closed with no change.
So yeah, essentially asking for official documentation saying whether this will be supported or not and if not maybe a work around such as a custom argo plugin or perhaps something with workflows or events can be done (I don't use those myself so not really sure.)
This should also probably be linked to #5293 since kpt is mentioned which also uses KRM functions in containers.
Motivation
The main use case I have for a KRM function is rendering dynamic data from one resource into another, but you can make a KRM function that does any style of generation or transformation in kustomize.
Proposal
If you did decide to support it, I see two options though open to any others:
docker pull
anddocker run
and I already proved the symlink concept works.