Open karlkfi opened 2 years ago
Explicit dep with depends-on works, so it's just apply-time-mutation that doesn't (weird!).
$ kpt live apply
namespace/test unchanged
1 resource(s) applied. 0 created, 1 unchanged, 0 configured, 0 failed
pod/pod-a created
1 resource(s) applied. 1 created, 0 unchanged, 0 configured, 0 failed
pod/pod-b created
1 resource(s) applied. 1 created, 0 unchanged, 0 configured, 0 failed
apply-time-mutation works if the source namespace is specified. So it's just the implicit namespace resolution that breaks graph sorting.
Root cause:
graph.Sort
only uses mutation.ReadAnnotation
, which returns an empty Namespace, if not specified by the user. The implicit namespace resolution is performed in ApplyTimeMutator.Mutate
.
Unfortunately, the easy solution of moving implicit namespace resolution into mutation.ReadAnnotation
doesn't work, because it needs to know whether the Source and Target are both namespaced. This would require using the mapper to resolve the resource schemas. If we try to use the mapper in graph.Sort
it would fail for resources that haven't had their CRD applied yet.
So this is another issue with mapping lookups happening up front instead of lazily as-needed. Changing that, to resolve sort order after every apply, would be a significant change...
Also unfortunate is that we can't reject SourceRefs without an explicit namespace without knowing if the resource is namespaced or not...
Possible workarounds:
- Disable implicit namespace resolution
Today, all the namespaced objects sent from Config Sync to cli-utils have the metadata.namespace
field explicitly set.
Is it reasonable to expect this from other users of cli-utils ?
Today, all the namespaced objects sent from Config Sync to cli-utils have the metadata.namespace field explicitly set. Is it reasonable to expect this from other users of cli-utils ?
cli-utils already requires this.
This problem here is with apply-time-mutation annotations which were initially designed to support inferring the namespace of dependencies from the namespace of the dependent object. However, it does look like disabling implicit namespace resolution for apply-time-mutation is the easier path forward, and would align with the requirement on the objects themselves.
cli-utils already requires this.
I don't think this is true. I tested with kapply
built from the master, which doesn't require the metadata.namespace
field of a Deployment object to be explicitly set.
The Applier runs the Valdator which runs the validateNamespace
method, passing in the list of CRDs in the set and the mapper.
The valdiator should error if it's namespace-scoped with no namespace or cluster-scoped with a namespace.
https://github.com/kubernetes-sigs/cli-utils/blob/master/pkg/object/validate.go#L124
Accurately speaking, Applier.Run
requires the metadata.namespace
field of a namespaced object to be explicitly set.
kapply does not require this, since it sets the metadata.namespace
field of a namespaced object if it is missing.
Thanks for clarifying. I don't know if having kapply do that really helps us test, but it might be trying to duplicate kpt and kubectl behavior.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle stale
/lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
/remove-lifecycle rotten
Short term fix is to disable implicit namespaces, since they don't work as-is: https://github.com/kubernetes-sigs/cli-utils/pull/482
Long term fix is unknown.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle stale
/lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
/remove-lifecycle rotten /lifecycle frozen
Resources:
Output (from kpt using cli-utils master):
Problem: