Disable kyaml

stefanprodan · stefanprodan · commit 085588b63289 · 2021-01-18T14:14:23.000+02:00
Workaround for upstream bug: kubernetes-sigs/kustomize#3446 Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
diff --git a/controllers/kustomization_controller.go b/controllers/kustomization_controller.go
@@ -29,6 +29,12 @@ import (
 	"time"
 
 	securejoin "github.com/cyphar/filepath-securejoin"
+	"github.com/fluxcd/pkg/apis/meta"
+	"github.com/fluxcd/pkg/runtime/events"
+	"github.com/fluxcd/pkg/runtime/metrics"
+	"github.com/fluxcd/pkg/runtime/predicates"
+	"github.com/fluxcd/pkg/untar"
+	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 	"github.com/go-logr/logr"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	apimeta "k8s.io/apimachinery/pkg/api/meta"
@@ -47,16 +53,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
 	"sigs.k8s.io/controller-runtime/pkg/source"
 	"sigs.k8s.io/kustomize/api/filesys"
-	"sigs.k8s.io/kustomize/api/konfig"
-	"sigs.k8s.io/kustomize/api/krusty"
-	kustypes "sigs.k8s.io/kustomize/api/types"
-
-	"github.com/fluxcd/pkg/apis/meta"
-	"github.com/fluxcd/pkg/runtime/events"
-	"github.com/fluxcd/pkg/runtime/metrics"
-	"github.com/fluxcd/pkg/runtime/predicates"
-	"github.com/fluxcd/pkg/untar"
-	sourcev1 "github.com/fluxcd/source-controller/api/v1beta1"
 
 	kustomizev1 "github.com/fluxcd/kustomize-controller/api/v1beta1"
 )
@@ -506,22 +502,9 @@ func (r *KustomizationReconciler) build(kustomization kustomizev1.Kustomization,
 	}
 
 	fs := filesys.MakeFsOnDisk()
-	manifestsFile := filepath.Join(dirPath, fmt.Sprintf("%s.yaml", kustomization.GetUID()))
-
-	buildOptions := &krusty.Options{
-		DoLegacyResourceSort:   true,
-		AddManagedbyLabel:      false,
-		LoadRestrictions:       kustypes.LoadRestrictionsNone,
-		DoPrune:                false,
-		PluginConfig:           konfig.DisabledPluginConfig(),
-		UseKyaml:               false,
-		AllowResourceIdChanges: false,
-	}
-
-	k := krusty.MakeKustomizer(fs, buildOptions)
-	m, err := k.Run(dirPath)
+	m, err := buildKustomization(fs, dirPath)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("kustomize build failed: %w", err)
 	}
 
 	// check if resources are encrypted and decrypt them before generating the final YAML
@@ -543,9 +526,10 @@ func (r *KustomizationReconciler) build(kustomization kustomizev1.Kustomization,
 
 	resources, err := m.AsYaml()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("kustomize build failed: %w", err)
 	}
 
+	manifestsFile := filepath.Join(dirPath, fmt.Sprintf("%s.yaml", kustomization.GetUID()))
 	if err := fs.WriteFile(manifestsFile, resources); err != nil {
 		return nil, err
 	}
diff --git a/controllers/kustomization_generator.go b/controllers/kustomization_generator.go
@@ -28,6 +28,7 @@ import (
 	"sigs.k8s.io/kustomize/api/k8sdeps/kunstruct"
 	"sigs.k8s.io/kustomize/api/konfig"
 	"sigs.k8s.io/kustomize/api/krusty"
+	"sigs.k8s.io/kustomize/api/resmap"
 	kustypes "sigs.k8s.io/kustomize/api/types"
 	"sigs.k8s.io/yaml"
 
@@ -222,11 +223,7 @@ func (kg *KustomizeGenerator) checksum(dirPath string) (string, error) {
 	}
 
 	fs := filesys.MakeFsOnDisk()
-	opt := krusty.MakeDefaultOptions()
-	opt.LoadRestrictions = kustypes.LoadRestrictionsNone
-	opt.DoLegacyResourceSort = true
-	k := krusty.MakeKustomizer(fs, opt)
-	m, err := k.Run(dirPath)
+	m, err := buildKustomization(fs, dirPath)
 	if err != nil {
 		return "", fmt.Errorf("kustomize build failed: %w", err)
 	}
@@ -281,3 +278,26 @@ func (kg *KustomizeGenerator) generateLabelTransformer(checksum, dirPath string)
 
 	return nil
 }
+
+// buildKustomization wraps krusty.MakeKustomizer with the following settings:
+// - disable kyaml due to critical bugs like:
+//	 - https://github.com/kubernetes-sigs/kustomize/issues/3446
+//	 - https://github.com/kubernetes-sigs/kustomize/issues/3480
+// - reorder the resources just before output (Namespaces and Cluster roles/role bindings first, CRDs before CRs, Webhooks last)
+// - load files from outside the kustomization.yaml root
+// - disable plugins except for the builtin ones
+// - prohibit changes to resourceIds, patch name/kind don't overwrite target name/kind
+func buildKustomization(fs filesys.FileSystem, dirPath string) (resmap.ResMap, error) {
+	buildOptions := &krusty.Options{
+		UseKyaml:               false,
+		DoLegacyResourceSort:   true,
+		LoadRestrictions:       kustypes.LoadRestrictionsNone,
+		AddManagedbyLabel:      false,
+		DoPrune:                false,
+		PluginConfig:           konfig.DisabledPluginConfig(),
+		AllowResourceIdChanges: false,
+	}
+
+	k := krusty.MakeKustomizer(fs, buildOptions)
+	return k.Run(dirPath)
+}
