jlewi / notes

Various notes about software and systems

kpt pruning #2

Open jlewi opened 1 year ago

jlewi commented 1 year ago

What is the right way to use kpt so we get pruning on subsequent installs?

```make
hydrate:
    mkdir -p .build/hydrated
    rm -rf .build/hydrated/*
    kustomize build -o .build/hydrated manifests/projects

apply: hydrate
    kpt live init --inventory-id=starlingai --namespace=config-control .build/hydrated
    kpt live apply \
        --context=gke_$(PROJECT)_us-central1_krmapihost-$(NAME) \
        .build/hydrated
```

Didn't seem to work. Is setting inventory-id not sufficient? Do we also need to set name with init?

jlewi commented 1 year ago

I tried the following:

```python
import os
import subprocess
# Only run `kpt live init` the first time, i.e. when resourcegroup.yaml does not exist yet.
if not os.path.exists(os.path.join(app_dir, "resourcegroup.yaml")):
    subprocess.check_call(["kpt", f"--context={context}", "live", "init", f"--namespace={namespace}", app_dir])
subprocess.check_call(["kpt", f"--context={context}", "live", "apply", f"--namespace={namespace}", app_dir])
```

The problem is we delete the directory each time we do hydration because we want to get rid of any resources that have been deleted. This ends up deleting the resourcegroup.yaml which gets stored inside the directory.

Then when we rerun init we create a new resourcegroup.yaml file which has a new inventory id. We then get errors like the following:

```
namespace/gateway apply skipped: inventory policy prevented actuation (strategy: Apply, status: NoMatch, policy: MustMatch)
```

So kpt isn't acquiring the resources because the resource has changed.

jlewi commented 1 year ago

Setting name and inventory id didn't work.

```python
import subprocess
subprocess.check_call(["kpt", f"--context={context}", f"--name={subdir}", f"--inventory-id={subdir}", "live", "init", f"--namespace={namespace}", app_dir])
subprocess.check_call(["kpt", f"--context={context}", "live", "apply", f"--namespace={namespace}", app_dir])
```

Same error:

```
gateway.gateway.networking.k8s.io/platform apply skipped: inventory policy prevented actuation (strategy: Apply, status: NoMatch, policy: MustMatch)
```

Here are the contents of resourcegroup.yaml:

```yaml
apiVersion: kpt.dev/v1alpha1
kind: ResourceGroup
metadata:
  name: gateway
  namespace: gateway
  labels:
    cli-utils.sigs.k8s.io/inventory-id: gateway
```

And the resource in the cluster:

```
kubectl -n gateway get resourcegroup -o yaml gateway
apiVersion: kpt.dev/v1alpha1
kind: ResourceGroup
metadata:
  creationTimestamp: "2023-04-26T23:20:02Z"
  generation: 2
  labels:
    cli-utils.sigs.k8s.io/inventory-id: gateway
  name: gateway
  namespace: gateway
  resourceVersion: "77074329"
  uid: 006f404a-a72e-48ce-ba0c-c6a65f9abede
spec: {}
status:
  observedGeneration: 0
```

It looks like this doesn't match the inventory-id field set on the resources, e.g.:

```yaml
config.k8s.io/owning-inventory: fooid
```

Related issue: https://github.com/GoogleContainerTools/kpt/issues/2488

jlewi commented 1 year ago

I did:

```
kubectl -n gateway edit managedcertificate platform
```

And changed the annotation to:

```yaml
config.k8s.io/owning-inventory: gateway
```

The reconcile then seemed to work.
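Added example (not code from this issue or from kpt): a small Python helper for the two problems discussed in the thread. `rehydrate` carries resourcegroup.yaml across the hydration wipe so the inventory id is not regenerated by a second `kpt live init`, and `find_inventory_mismatches` compares the `config.k8s.io/owning-inventory` annotation on live objects against the inventory-id label before applying, which is the mismatch behind the NoMatch errors. It reads the two fields with a regex instead of PyYAML, takes a `hydrate` callable in place of `kustomize build`, and the sample YAML documents are constructed.

```python
import re
import shutil
from pathlib import Path

INVENTORY_LABEL = "cli-utils.sigs.k8s.io/inventory-id"
OWNING_ANNOTATION = "config.k8s.io/owning-inventory"
RESOURCEGROUP = "resourcegroup.yaml"


def _first_value(text, key):
    """Value of the first 'key: value' line in a YAML document, or None (no PyYAML needed)."""
    m = re.search(r"^\s*" + re.escape(key) + r":\s*\"?([^\"\s]+)\"?\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def find_inventory_mismatches(resourcegroup_yaml, live_objects):
    """[(kind, owning-inventory)] for live objects whose annotation differs from the label;
    these are the objects kpt live apply skips with 'status: NoMatch, policy: MustMatch'."""
    expected = _first_value(resourcegroup_yaml, INVENTORY_LABEL)
    mismatches = []
    for obj in live_objects:
        owner = _first_value(obj, OWNING_ANNOTATION)
        if owner is not None and owner != expected:
            mismatches.append((_first_value(obj, "kind"), owner))
    return mismatches


def rehydrate(app_dir, hydrate):
    """Wipe and regenerate app_dir via hydrate(app_dir), carrying resourcegroup.yaml across the
    wipe so the inventory id stays stable and no second `kpt live init` (new id) is needed."""
    rg = Path(app_dir, RESOURCEGROUP)
    saved = rg.read_text() if rg.exists() else None
    shutil.rmtree(app_dir, ignore_errors=True)
    Path(app_dir).mkdir(parents=True)
    hydrate(app_dir)  # stands in for `kustomize build -o app_dir ...` so this runs offline
    if saved is not None:
        rg.write_text(saved)
    return _first_value(saved or "", INVENTORY_LABEL)


# Constructed samples mirroring the issue: the label says "gateway", the live object "fooid".
SAMPLE_RESOURCEGROUP = """apiVersion: kpt.dev/v1alpha1
kind: ResourceGroup
metadata:
  labels:
    cli-utils.sigs.k8s.io/inventory-id: gateway
"""
SAMPLE_LIVE_OBJECT = """kind: ManagedCertificate
metadata:
  annotations:
    config.k8s.io/owning-inventory: fooid
"""
```

Running `find_inventory_mismatches(SAMPLE_RESOURCEGROUP, [SAMPLE_LIVE_OBJECT])` reports the ManagedCertificate owned by `fooid`, which is what the manual `kubectl edit` above corrected.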