kapicorp / kapitan

Generic templated configuration management for Kubernetes, Terraform and other things
https://kapitan.dev
Apache License 2.0

[WIP] Explicitly defining permissions for files in the compiled directory #1118

Closed metacoma closed 2 weeks ago

metacoma commented 7 months ago

Fixes #506

Proposed Changes

Include permissions in the input section to explicitly define access rights for files in compiled directories

Example:

      kapitan:
        compile:
          - input_paths:
              - templates/scripts
            output_path: scripts
            input_type: jinja2
            permissions:
              -
                # https://docs.python.org/3/library/glob.html
                # recursive search
                pattern: my_script
                # https://docs.python.org/3/library/os.html?#os.chmod
                mode: 0o700

How it works:

$ kapitan init
$ kapitan compile
$ ls -ltr compiled/my_target/scripts/my_script.sh
-rwx------ 1 kapitan kapitan 99 Jan 18 14:59 compiled/my_target/scripts/my_script.sh
$ compiled/my_target/scripts/my_script.sh
Running for target my_target
compiled/my_target/scripts

This PR is in a very early stage. If this approach for setting file permissions is acceptable, I will continue to work on it; otherwise, let's discuss alternatives.

Docs and Tests
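
An added example, not part of the PR or of Kapitan's code: one way a compile step could apply the proposed `pattern`/`mode` rules with `glob` and `os.chmod`, validating the mode before touching any file. The function names, the rejection policy, the `my_script*` pattern and the sample tree are assumptions of this example.

```python
import glob
import os
import stat
import tempfile


def parse_mode(value):
    """Return a validated permission mode from an int or an octal string."""
    # Depending on the YAML loader, `0o700` may arrive as the string "0o700"
    # and a bare `700` as decimal 700 (0o1274), so both cases are handled.
    mode = value if isinstance(value, int) else int(str(value), 8)
    # Policy assumed by this example: no setuid/setgid/sticky, no world-write.
    if not 0 <= mode <= 0o777 or mode & stat.S_IWOTH:
        raise ValueError(f"refusing mode {value!r}")
    return mode


def apply_permissions(root, rules):
    """Apply {pattern, mode} rules below root; return {relative path: mode}."""
    root = os.path.realpath(root)
    changed = {}
    for rule in rules:
        mode = parse_mode(rule["mode"])
        pattern = os.path.join(root, "**", rule["pattern"])
        for path in glob.glob(pattern, recursive=True):
            real = os.path.realpath(path)
            # Skip symlinks and anything that resolves outside the compiled tree.
            if os.path.islink(path) or os.path.commonpath([root, real]) != root:
                continue
            if os.path.isfile(real):
                os.chmod(real, mode)
                changed[os.path.relpath(real, root)] = stat.S_IMODE(os.stat(real).st_mode)
    return changed


def demo():
    """Build a constructed compiled tree and apply one rule to it."""
    with tempfile.TemporaryDirectory() as tmp:
        scripts = os.path.join(tmp, "my_target", "scripts")
        os.makedirs(scripts)
        for name in ("my_script.sh", "README.md"):
            path = os.path.join(scripts, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\necho constructed sample\n")
            os.chmod(path, 0o644)
        return apply_permissions(tmp, [{"pattern": "my_script*", "mode": "0o700"}])


if __name__ == "__main__":
    print(demo())
```

Rejecting out-of-range values catches the case where `mode: 700` is written without an octal prefix and would otherwise be applied as `0o1274`.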

ademariag commented 7 months ago

Hello @metacoma, sorry for the long delay.

I'll tell you where I would like us to go in this regard :)

I'd like to change the behaviour a little of how we create these files, for instance adopting this pattern.

Instead of:

local kapitan = import 'lib/kapitan.libjsonnet';
{
  ["apply.sh"]: kapitan.jinja2_template(
    "template/apply.sh", 
    {})
}

I would like us to move towards something like:

local kapitan = import 'lib/kapitan.libjsonnet';
{
  ["apply.sh"]: {
    "content": kapitan.jinja2_template("template/apply.sh", {}),
    "metadata": {
      "mode": 0o700
    }
  }
}

The reasoning behind this is that I would like to change the behaviour of other things within kapitan, for instance be able to produce from a single "compile output" multiple types of files (i.e. .md, .json, .sh)

metadata could be expanded in the future to allow for more features.

@metacoma @ramaro WDYT?

ademariag commented 2 weeks ago

Closing in favor of a different approach