New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support label and annotation selectors in replacement source/targets #4075
Comments
@marshall007: This issue is currently awaiting triage. SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I can see the use case for filtering replacement targets by |
@natasha41575 I was under the impression that a selector must match exactly 1 or 0 resources (the latter case resulting in a no-op). However, after further experimentation it seems like the behavior is inconsistent. It appears that there are cases where if the specified GVKNN I can see the case for strictly enforcing that a single resource is matched by the In our case, we provide The option to have the "no-op" behavior for unmatched replacement sources would be handy because we can wrap the user-provided resources/kustomization in a "last-mile" kustomization that conditionally applies patches/replacements if annotated by the user (and importantly, wouldn't break if they aren't provided). Here is an example I threw together which demonstrates our use-case (essentially client-side sidecar injection + |
Was just about to add that "no-op" for unmatched replacement source/targets should be the default behavior as this would align with the behavior of unmatched [edit]: never mind, I don't think there is a regression. Unmatched patch targets do still no-op in I think we need to take a step back and determine what the desirable default behavior is for unmatched targets in general and apply that consistently to patches, replacements, etc. My opinion is that the default should be a "no-op" with a configurable boolean flag |
If you have the time, please do file a separate issue for what happened here. I have a hunch about what caused that to happen and I think it can be fixed.
I totally agree that it makes sense for an unmatched replacement
IMO this should throw an error as well and it is a bug that it doesn't.
I am hesitant to add configuration boolean flags. I think we should be very careful about what we make configurable; adding too many knobs will eventually pile up into something increasingly complex and difficult to understand. |
You bet, see #4078.
I don't see this case as different from the unmatched patch source/target case. I think of
I think the big difference between
Definitely agree, but in this particular case I see the addition of Consider if you have
|
@natasha41575 I'm noticing today additional syntax for selectors that work in replacements:
- source:
# ...
targets:
- select:
kind: ValidatingWebhookConfiguration|MutatingWebhookConfiguration
name: cert-manager-*
fieldPaths:
- metadata.annotations.[cert-manager.io/inject-ca-from-secret]
options:
delimiter: /
index: 0 |
I agree with making target config consistent across replacements and patches, but aren't label and annotation selectors already supported in targets? The TargetSelector type embeds a Selector, which has those fields. Could this just be a test/docs gap? I'm not convinced about source though. I think @natasha41575 is right that source is analogous to the patch itself, which in the Somewhat of a sidenote: The desired behavior could be built fairly easily with the kyaml functions framework. We need to make custom transformers easier to use (as briefly outlined in our roadmap) so that we can feel confident in recommending them as a solution to use cases that have complex, effectively conditional, logic to apply. |
@KnVerey I don't disagree with your conclusion regarding custom transformers being the preferred solution here, but just wanted to clarify a couple points:
Our intent with this component is that users would only apply it to groups of resources where each group contains only one "public endpoint" (i.e. annotated resource). I could be wrong, but I think if you included these replacements as a component in multiple child kustomizations that they would not "bubble up" and conflict with each other. But yes, to have a robust solution we would need some way to select each annotated
We do the first replacement to guard against a user-defined patch or replacement on top of the
You could imagine a generic mechanism that would just allow us to sub-select source/target resources based on matching values between resources (rather than the static That all seems well out of scope for |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
#4229 has merged which supports label and annotation selectors in targets. As discussed above, we don't think it makes sense to support in sources, so I am closing this issue as fixed. |
Is your feature request related to a problem? Please describe.
We have identified several scenarios where we were previously using strategic merge patches with hard-coded values that can be made more robust by using
replacements
targeting array values byname
. For example, manipulating service and container port values.Unfortunately,
replacements
does not support filtering sources and targets bylabelSelector
andannotationSelector
.Describe the solution you'd like
For consistency, I think it would make sense to have better parity between patch
target
and replacementsource
/target
. I couldn't find any obvious reason why label and annotation selectors would not be available onreplacements
too.The text was updated successfully, but these errors were encountered: