kubernetes-monitoring / kubernetes-mixin

A set of Grafana dashboards and Prometheus alerts for Kubernetes.
Apache License 2.0

build: stronger pinning of jsonnet dependencies? #762

Open flokli opened 2 years ago

flokli commented 2 years ago

It seems this project uses jsonnet-builder as a way to manage jsonnet dependencies.

I peeked at the jsonnetfile.json in the repo:

{
  "version": 1,
  "dependencies": [
    {
      "source": {
        "git": {
          "remote": "https://github.com/grafana/grafonnet-lib.git",
          "subdir": "grafonnet"
        }
      },
      "version": "master"
    },
    {
      "source": {
        "git": {
          "remote": "https://github.com/grafana/jsonnet-libs.git",
          "subdir": "grafana-builder"
        }
      },
      "version": "master"
    }
  ],
  "legacyImports": false
}

This just seems to use the master branch, but doesn't use any strong pinning.

This means it's not possible to ensure the same outputs are produced, or building in a sandbox where network access is blocked (except for dependencies where the hash is already provided upfront).

Does jsonnet-builder provide some sort of lockfile, or could you use their vendoring function instead of loosely tracking master?

arajkumar commented 2 years ago

Hey, have you come across any problem due to this?

jsonnet bundler (jb) does have a way to pin the dependencies. Look at https://github.com/prometheus-operator/kube-prometheus/blob/main/jsonnetfile.lock.json for example.

flokli commented 2 years ago

> Hey, have you come across any problem due to this?

Yes, I can't build this project in a sandboxed environment without network access. If you'd either ship the dependencies vendored-in, or commit a lockfile with hashes, that should work.
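As an added illustration of the pinning the thread asks for (this is not code from the kubernetes-mixin project or from either commenter): a small Python check, usable as a CI gate, that compares the jsonnetfile.json quoted above against a jsonnetfile.lock.json in jsonnet-bundler's lock format and flags every git dependency that is not pinned to a full commit id with a content sum. The lock file contents, commit ids and sums below are constructed placeholders, not values from the upstream repositories.

```python
"""Check that jsonnet-bundler (jb) dependencies are pinned.

Added example for this issue; it is not code from the kubernetes-mixin
project. It reads a jsonnetfile.json and, optionally, a jsonnetfile.lock.json
and reports every git dependency that is not locked to a full commit id with a
content sum, which is what a reproducible or network-sandboxed build needs.
"""
import json
import re

# jb writes a full 40-hex-digit git commit id into the lock file's "version".
COMMIT_RE = re.compile(r"^[0-9a-f]{40}$")

# The jsonnetfile.json quoted in the issue: both dependencies float on "master".
JSONNETFILE = """{
  "version": 1,
  "dependencies": [
    {"source": {"git": {"remote": "https://github.com/grafana/grafonnet-lib.git",
                        "subdir": "grafonnet"}},
     "version": "master"},
    {"source": {"git": {"remote": "https://github.com/grafana/jsonnet-libs.git",
                        "subdir": "grafana-builder"}},
     "version": "master"}
  ],
  "legacyImports": false
}"""

# A constructed jsonnetfile.lock.json in jb's lock format. The commit ids and
# sums are placeholders, not real values from either upstream repository.
PINNED_LOCK = """{
  "version": 1,
  "dependencies": [
    {"source": {"git": {"remote": "https://github.com/grafana/grafonnet-lib.git",
                        "subdir": "grafonnet"}},
     "version": "0123456789abcdef0123456789abcdef01234567",
     "sum": "PLACEHOLDERSUM0NOTAREALHASH00000000000000000="},
    {"source": {"git": {"remote": "https://github.com/grafana/jsonnet-libs.git",
                        "subdir": "grafana-builder"}},
     "version": "89abcdef0123456789abcdef0123456789abcdef",
     "sum": "PLACEHOLDERSUM1NOTAREALHASH00000000000000000="}
  ],
  "legacyImports": false
}"""

# A constructed lock that should fail the check: the first entry still names a
# branch and the second has no content sum.
STALE_LOCK = """{
  "version": 1,
  "dependencies": [
    {"source": {"git": {"remote": "https://github.com/grafana/grafonnet-lib.git",
                        "subdir": "grafonnet"}},
     "version": "master",
     "sum": "PLACEHOLDERSUM0NOTAREALHASH00000000000000000="},
    {"source": {"git": {"remote": "https://github.com/grafana/jsonnet-libs.git",
                        "subdir": "grafana-builder"}},
     "version": "89abcdef0123456789abcdef0123456789abcdef"}
  ],
  "legacyImports": false
}"""


def dep_key(dep):
    """Identify a git dependency by (remote, subdir); None for local ones."""
    git = dep["source"].get("git")
    if git is None:
        return None  # local path dependencies need no network pinning
    return (git["remote"], git.get("subdir", ""))


def check_pinning(jsonnetfile_text, lockfile_text=None):
    """Return [(remote, subdir, reason), ...] for every unpinned dependency.

    A dependency counts as pinned only if the lock file has an entry for it
    whose "version" is a full commit id and which carries a "sum".
    """
    locked = {}
    if lockfile_text is not None:
        for dep in json.loads(lockfile_text)["dependencies"]:
            key = dep_key(dep)
            if key is not None:
                locked[key] = dep
    problems = []
    for dep in json.loads(jsonnetfile_text)["dependencies"]:
        key = dep_key(dep)
        if key is None:
            continue
        remote, subdir = key
        lock = locked.get(key)
        if lock is None:
            problems.append((remote, subdir,
                             "no lock entry; floating ref %r" % dep["version"]))
            continue
        version = lock.get("version", "")
        if not COMMIT_RE.match(version):
            problems.append((remote, subdir,
                             "lock version %r is not a commit id" % version))
        if not lock.get("sum"):
            problems.append((remote, subdir, "lock entry has no content sum"))
    return problems


if __name__ == "__main__":
    for label, lock in (("no lock", None), ("pinned", PINNED_LOCK),
                        ("stale", STALE_LOCK)):
        found = check_pinning(JSONNETFILE, lock)
        print("%s: %d problem(s)" % (label, len(found)))
        for remote, subdir, reason in found:
            print("  %s (%s): %s" % (remote, subdir, reason))
```

Without a lock file both entries are reported as floating on a branch; with a fully pinned lock the check passes, and the commit id plus sum are what let a build either fetch exactly those revisions or, with a committed vendor/ directory, run with no network at all.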