score-spec / score-compose

Reference implementation for docker-compose target platform support
https://score.dev/
Apache License 2.0

[feature request] Have a way to patch workload/service #142

Open mathieu-benoit opened 3 months ago

mathieu-benoit commented 3 months ago

I have this use case where I want to inject "security context" for each workload / service in my generated compose.yaml file.

Today, I need to manually do that:

```bash
cat <<EOF > compose.override.yaml
services:
  ${WORKLOAD_NAME}-${CONTAINER_NAME}:
    read_only: true
    cap_drop:
      - ALL
    user: "1000"
EOF
```

But when I have multiple workloads or containers, this is a bit painful.

A post-processing yq command may be able to help too, but same approach, not user friendly.

Do we have an opportunity to introduce a new provisioner type (or something else) in order to patch a workload or a service directly in score-compose generate?
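An added example (not part of the original issue and not score-compose code): the manual heredoc from the comment above, generalized to any number of services. It assumes the service names are passed as arguments, for instance from `docker compose -f compose.yaml config --services`, and the function name `gen_security_override` is hypothetical.

```bash
#!/usr/bin/env bash
# Added example: emit a Compose override that applies the same hardening keys
# (read_only, cap_drop: ALL, user "1000") to every service named on the
# command line.
#
# Assumed usage (service names come from the generated compose.yaml):
#   gen_security_override $(docker compose -f compose.yaml config --services) \
#     > compose.override.yaml

gen_security_override() {
  if [ "$#" -eq 0 ]; then
    echo "gen_security_override: no service names given" >&2
    return 2
  fi

  # Validate every name before printing anything, so a bad name never
  # yields partial output. Restricting names to [A-Za-z0-9._-] keeps a
  # crafted name from injecting extra YAML keys into the override.
  for name in "$@"; do
    case "$name" in
      ''|*[!A-Za-z0-9._-]*)
        echo "gen_security_override: refusing service name '$name'" >&2
        return 1
        ;;
    esac
  done

  echo "services:"
  for name in "$@"; do
    cat <<EOF
  ${name}:
    read_only: true
    cap_drop:
      - ALL
    user: "1000"
EOF
  done
}
```

Running `docker compose config` on the merged files afterwards shows whether each service actually picked up the three keys.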

astromechza commented 3 months ago

@mathieu-benoit What kind of expression language do you suggest? How complex should it be?

Tools like jq and yq are very good at what they do, so we will never do something of equivalent complexity, but there is room for something simple potentially using the existing Go template language?

We wouldn't use a provisioner or workload resource like Humanitec does, because it breaks the Score resource contracts, but we could do something specific to score-compose here?

mathieu-benoit commented 3 months ago

> using the existing Go template language

Yeah, I think this would be a great experience, consistent with the existing provisioners too.

jq/yq could still be used outside score-compose but this feels disconnected and not a consistent experience for end users.