[Feature] Helmfile KCL Plugin

[Peefy]

Background

KCL, which is specifically used for configuration writing and policy verification in cloud-native and Kubernetes scenarios. However, it is obviously not enough to use only one language for Kubernetes configuration management until we find Helmfile.

One of the core issues to be addressed by KCL is to enhance configuration tools and provide declarative configuration verification and editing capabilities, serving to a certain extent as a glue layer for Configuration as Data (CaC) and Configuration as Data (CaD). Besides, KCL is a Python-like domain language with enhancement schema models and multiple override strategies for transforming configuration data without out-of-band access to the host filesystem and networking.

For example, the following image shows how KCL can be applied to cloud-native configuration and policy scenarios to generate, mutate, and validate Kubernetes manifests.

Core Concepts of KCL

The core concepts of KCL are Config, Schema, Lambda, and Rule.

• Config

• Schema

• Lambda

• Rule

In KCL, lambda is designed to be "pure" (for example, it prohibits modifying features such as closure variables), which means that executing the same function multiple times will yield the same results, which naturally conforms to some design specifications of the KRM Function.

In addition, we have completed initial KCL plugin support for KPT, Helm, and Kustomize.

• Kustomize KCL Plugin
• Helm KCL Plugin
• KPT KCL Plugin

For these tools, KCL has the same KRM KCL user interface.

Design

KRM KCL Function

A KRM KCL function contains as follows

where:

• input items: The input list of KRM resources to operate on.
• output items: The output list obtained from adding, removing, or modifying items in the input.
• functionConfig: An optional meta resource containing the arguments to this invocation of the function.
• results: An optional meta resource emitted by the function for observability and debugging purposes.

KRM KCL Spec follows the KRM Function Spec

Function Config

# kcl-fn-config.yaml
apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
  name: set-annotation
spec:
  # EDIT THE SOURCE! 
  source: |
     # One line KCL transformer.
     [item | {metadata.annotations: {"managed-by" = "helmfile-kcl"}} for item in option("resource_list").items]

Besides, we can use a ConfigMap to store the KCL source. To use a ConfigMap as the functionConfig, the KCL script source must be specified in the data.source field. Additional parameters can be specified in the data field.

Here's an example:

apiVersion: v1
kind: ConfigMap
metadata:
  name: set-replicas
data:
  replicas: "5"
  source: |
    resources = option("resource_list")
    setReplicas = lambda items, replicas {
       [item | {
          spec.replicas = int(replicas)
       } if item.kind == "Deployment" and item.apiVersion == "apps/v1" else {} for item in items]
    }
    setReplicas(resources.items or [], resources.functionConfig.data.replicas)

In the example above, the script accesses the replicas parameters using option("resource_list").functionConfig.data.replicas.
To use a KCLRun as the functionConfig, the KCL source must be specified in the source field. Additional parameters can be specified in the params field. The params field supports any complex data structure as long as it can be represented in YAML.

apiVersion: krm.kcl.dev/v1alpha1
kind: KCLRun
metadata:
  name: conditionally-add-annotations
params:
  toMatch:
    config.kubernetes.io/local-config: "true"
  toAdd:
    configmanagement.gke.io/managed: disabled
spec:
  source: |
    resource = option("resource_list")
    items = resource.items
    params = resource.functionConfig.params
    toMatch = params.toMatch
    toAdd = params.toAdd
    [item | {
       # If all annotations are matched, patch more annotations
       if all key, value in toMatch {
            item.metadata.annotations[key] == value
       }:
           metadata.annotations: toAdd
    } for item in items]

Helmfile KCL Plugin User Interface

• helmfile.yaml with KCL transformers and validators (Ref: https://helmfile.readthedocs.io/en/latest/advanced-features/#transformers)

repositories:
- name: prometheus-community
  url: https://prometheus-community.github.io/helm-charts

releases:
- name: prom-norbac-ubuntu
  namespace: prometheus
  chart: prometheus-community/prometheus
  set:
  - name: rbac.create
    value: false
  transformers:
  # Use KRM KCL Plugin to mutate or validate Kubernetes manifests.
  - apiVersion: krm.kcl.dev/v1alpha1
    kind: KCLRun
    metadata:
      annotations:
        config.kubernetes.io/function: |
          container:
            image: docker.io/peefyxpf/kustomize-kcl:v0.1.1
    # EDIT THE SOURCE!
    # This should be your KCL code which preloads the `ResourceList` to `option("resource_list").
    spec:
      # code source
      source: |
        [resource | {if resource.kind == "Deployment": metadata.annotations: {"managed-by" = "helmfile-kcl"}} for resource in option("resource_list").items]
      # source: path/to/file
      # source: oci://
      # source: git://

Besides, the source of KCL code can come from files, gits, and oci sources. Usually, users do not need to write too much KCL code. We provide many out-of-the-box models, including label/annotation mutation, sidecar injection, and so on

Helmfile KCL Plugin Implementation

TODO:

Reference

• KPT: https://github.com/GoogleContainerTools/kpt
• KPT KCL SDK Issue: [Feature Request] Support functions written by KCL and its SDKs for KPT  kptdev/kpt#3671
• KRM Function: https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/docs/api-conventions/functions-spec.md#krm-functions-specification
• kpt-functions-catalog: https://github.com/GoogleContainerTools/kpt-functions-catalog
• A KPT go function catalog: https://github.com/GoogleContainerTools/kpt-functions-catalog/tree/master/functions/go/set-namespace
• Kustomize: https://github.com/kubernetes-sigs/kustomize
• Build Custom Kustomize Plugin With Containerized KRM function: https://thirumurthi.hashnode.dev/build-custom-kustomize-plugin-with-containerized-krm-function
• Helm: https://github.com/helm/helm
• Helm Schema Generation Plugin: https://github.com/holgerjh/helm-schema
• Helm Diff Plugin: https://github.com/databus23/helm-diff
• Helm S3 Plugin: https://github.com/hypnoglow/helm-s3
• Validating Helm Chart Values with JSON Schemas: https://www.arthurkoziel.com/validate-helm-chart-values-with-json-schemas/
• Score Helm Chart: https://github.com/score-spec/score-helm-charts
• Helmfile: https://github.com/helmfile/helmfile
• Crossplane: https://github.com/crossplane/crossplane
• keptn: https://github.com/keptn/keptn
• Kubernetes Resource Model (KRM): https://github.com/kubernetes/design-proposals-archive/blob/main/architecture/resource-management.md
• ArgoCD: https://github.com/argoproj/argo-cd
• Terragrunt: https://terragrunt.gruntwork.io/
• Grafana Helm charts: https://github.com/grafana/helm-charts
• Grafana Jsonnet libs: https://github.com/grafana/jsonnet-libs
• Grafana Tanka based on Jsonnet: https://github.com/grafana/tanka
• Grafana Tanka Helm integration: https://tanka.dev/helm#helm-support
• Prometheus Kubernetes Manifests based on Jsonnet: https://github.com/prometheus-operator/kube-prometheus
• https://www.reddit.com/r/kubernetes/comments/118bmwu/helm_or_kustomize_for_my_situation/
• https://www.reddit.com/r/kubernetes/comments/119jolm/separate_repository_for_helm_charts_vs_integrated/
• https://www.reddit.com/r/kubernetes/comments/xx0e6h/why_we_use_cue_and_not_helm/
• Why we use cue not helm: https://cloudplane.org/blog/why-cue
• External Secret: https://external-secrets.io/v0.7.2/
• Kubescape: https://github.com/kubescape/kubescape
• https://github.com/GoogleContainerTools/kpt-functions-catalog/blob/master/functions/go/starlark/starlark/config.go
• OPA Libary: https://open-policy-agent.github.io/gatekeeper-library/website/