Initial commit

Author: felixgborrego

README.md

@@ -0,0 +1,35 @@
+# Kubectl Plugin to Add Support for Environment Variable Evaluation in Kustomize
+
+This plugin is a `kubectl` plugin that adds support for evaluating environment variables in Kustomize overlays.
+
+![image](docs/envkustomize.png) 
+## Why This Plugin?
+
+I've used Kustomize extensively over the years, and I've always missed the ability to evaluate environment variables in overlays. The recommended approach, using patches and overlays, is just too much work when managing a large fleet of clusters. It can be a pain even for basic tasks like patching an image name!
+
+This plugin is largely a response to the frustrations described here:
+
+* [ConfigMapGenerator should not load values from the build environment](https://github.com/kubernetes-sigs/kustomize/issues/4731)
+* [Reddit discussion on passing dynamic values to Kustomize](https://www.reddit.com/r/kubernetes/comments/116hze5/how_to_pass_dynamic_values_to_kustomize/)
+* [ArgoCD issue on dynamic values](https://github.com/argoproj/argo-cd/issues/1705)
+
+## How Does It Work?
+
+The plugin is a lightweight wrapper around the official Kustomize API (krusty) [Kustomizer](https://github.com/kubernetes-sigs/kustomize/blob/master/api/krusty/kustomizer.go). It replaces the original filesystem loader with a custom one that evaluates environment variables before loading the file.
+
+## How to Use It?
+
+```bash
+# You need to run it in a valid Kustomize overlay folder like this:
+cd examples
+kubectl envkustomize render
+# Check the rendered.yaml file generated in the same folder
+```
+
+### Evaluations Supported
+
+* Basic environment variables replacement: `${{{ VAR }}}`
+* Load of environment variables from `.env` files or from the environment itself (using a prefix to avoid loading all environment variables and to avoid conflicts)
+* Load secrets from GCP Secret Manager (Welcome PRs to add AWS Secrets Manager and Azure Key Vault support)
+* Expand environment with `${{{env-expand://ENV_}}}` to inject automatically all environment variables starting with `ENV_`
+* Support for environment variables substitution even inside helm charts (or other external resources as long as they are referenced in the kustomize overlay)

cmd/render.go

@@ -0,0 +1,18 @@
+package cmd
+
+import "github.com/spf13/cobra"
+import "kubectl-envkustomize/pkg"
+
+var renderCmd = &cobra.Command{
+	Use:   "render",
+	Short: "Render kustomize manifests",
+	Long:  `Render kustomize manifests from the environment configurations. To run this command you meed an .env and kustomization.yaml file on the current directory.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		envFile, _ := cmd.Flags().GetString("env-file")
+		pkg.RenderCmd(envFile)
+	},
+}
+
+func init() {
+	renderCmd.Flags().StringP("env-file", "e", ".env", "Path to the environment file")
+}

cmd/root.go

@@ -0,0 +1,17 @@
+package cmd
+
+import "github.com/spf13/cobra"
+
+var rootCmd = &cobra.Command{
+	Use:   "kubectl-envkustomize",
+	Short: "Kubectl env kustomize plugin",
+	Long:  `Kustomize with env support`,
+}
+
+func Execute() error {
+	return rootCmd.Execute()
+}
+
+func init() {
+	rootCmd.AddCommand(renderCmd)
+}

docs/envkustomize.png

@@ -0,0 +1,41 @@
+# example to make envoy serve a static file
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: envoy-config
+data:
+  envoy.yaml: |
+    static_resources:
+      listeners:
+        - name: listener_0
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 8080
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: ingress_http
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: local_service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/"
+                              direct_response:
+                                status: 200
+                                body:
+                                  filename: /etc/envoy/static-file.html
+                    http_filters:
+                      - name: envoy.filters.http.router
+  static-file.html: |
+    <html>
+      <body>
+        <h1> ${{{ ENV_KUBECTL_WELCOME_TEXT }}} </h1>
+        <p>This is a static file served by Envoy.</p>
+      </body>
+    </html>

examples/configmap.yaml

@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: envoy-deployment
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: envoy
+  template:
+    metadata:
+      labels:
+        app: envoy
+    spec:
+      containers:
+        - name: envoy
+          image: ${{{ ENV_KUBECTL_ENVOY_IMAGE }}} # Example injecting environment variables dynamically
+          ports:
+            - containerPort: 8080
+          volumeMounts:
+            - name: envoy-config
+              mountPath: /etc/envoy/envoy.yaml
+              subPath: envoy.yaml
+            - name: static-file
+              mountPath: /etc/envoy/static-file.html
+              subPath: static-file.html
+          # Example setting resources dynamically from environment variables
+          resources:
+            requests:
+              memory: "${{{ ENV_KUBECTL_MEMORY_REQUEST }}}"
+              cpu: "${{{ ENV_KUBECTL_CPU_REQUEST }}}"
+            limits:
+              memory: "${{{ ENV_KUBECTL_CPU_LIMIT }}}"
+              cpu: "${{{ ENV_KUBECTL_CPU_LIMIT }}}"
+
+
+          env:
+            # Example injecting environment variables dynamically
+            - name: ENVOY_LOG_LEVEL
+              value: ${{{ ENV_KUBECTL_ENVOY_LOG_LEVEL }}}
+
+            # Example injecting ALL environment variables with a prefix dynamically
+            # check the rendered.yaml to see the result!
+            - name: ${{{env-expand://ENV_KUBECTL_ENVOY}}}
+              value: ${{{env-expand://ENV_KUBECTL_ENVOY}}}
+      volumes:
+        - name: envoy-config
+          configMap:
+            name: envoy-config
+            items:
+              - key: envoy.yaml
+                path: envoy.yaml
+        - name: static-file
+          configMap:
+            name: envoy-config
+            items:
+              - key: static-file.html
+                path: static-file.html
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: envoy-service
+spec:
+  selector:
+    app: envoy
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8080

examples/deploy.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: test-namespace
+
+resources:
+  - deploy.yaml
+  - configmap.yaml
+  - pull-image-secret.yaml

examples/kustomization.yaml

@@ -0,0 +1,8 @@
+# Example rendering secrets using environment variables
+apiVersion: v1
+data:
+  .dockerconfigjson: ${{{ ENV_KUBECTL_SECRET_DOCKERCONFIGJSON }}}
+kind: Secret
+metadata:
+  name: secret-dockerconfigjson
+type: kubernetes.io/dockerconfigjson

examples/pull-image-secret.yaml

@@ -0,0 +1,126 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: envoy-deployment
+  namespace: test-namespace
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: envoy
+  template:
+    metadata:
+      labels:
+        app: envoy
+    spec:
+      containers:
+      - env:
+        - name: ENVOY_LOG_LEVEL
+          value: debug
+        - name: ENV_KUBECTL_ENVOY_IMAGE
+          value: envoyproxy/envoy:v1.24.0
+        - name: ENV_KUBECTL_ENVOY_LOG_LEVEL
+          value: debug
+        - name: ENV_KUBECTL_ENVOY_TEST1
+          value: value1
+        - name: ENV_KUBECTL_ENVOY_TEST2
+          value: value2
+        - name: ENV_KUBECTL_ENVOY_TEST3
+          value: value3
+        image: envoyproxy/envoy:v1.24.0
+        name: envoy
+        ports:
+        - containerPort: 8080
+        resources:
+          limits:
+            cpu: 250m
+            memory: 250m
+          requests:
+            cpu: 100m
+            memory: 128Mi
+        volumeMounts:
+        - mountPath: /etc/envoy/envoy.yaml
+          name: envoy-config
+          subPath: envoy.yaml
+        - mountPath: /etc/envoy/static-file.html
+          name: static-file
+          subPath: static-file.html
+      volumes:
+      - configMap:
+          items:
+          - key: envoy.yaml
+            path: envoy.yaml
+          name: envoy-config
+        name: envoy-config
+      - configMap:
+          items:
+          - key: static-file.html
+            path: static-file.html
+          name: envoy-config
+        name: static-file
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: envoy-service
+  namespace: test-namespace
+spec:
+  ports:
+  - port: 80
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: envoy
+---
+apiVersion: v1
+data:
+  envoy.yaml: |
+    static_resources:
+      listeners:
+        - name: listener_0
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: 8080
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: ingress_http
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: local_service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/"
+                              direct_response:
+                                status: 200
+                                body:
+                                  filename: /etc/envoy/static-file.html
+                    http_filters:
+                      - name: envoy.filters.http.router
+  static-file.html: |
+    <html>
+      <body>
+        <h1> Welcome to env kubectl </h1>
+        <p>This is a static file served by Envoy.</p>
+      </body>
+    </html>
+kind: ConfigMap
+metadata:
+  name: envoy-config
+  namespace: test-namespace
+---
+apiVersion: v1
+data:
+  .dockerconfigjson: bXkgc2VjcmV0
+kind: Secret
+metadata:
+  name: secret-dockerconfigjson
+  namespace: test-namespace
+type: kubernetes.io/dockerconfigjson
+
+---

examples/rendered.yaml

@@ -0,0 +1,61 @@
+module kubectl-envkustomize
+
+go 1.22.4
+
+require (
+	cloud.google.com/go/auth v0.7.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.3 // indirect
+	cloud.google.com/go/compute/metadata v0.5.0 // indirect
+	cloud.google.com/go/iam v1.1.11 // indirect
+	cloud.google.com/go/secretmanager v1.13.4 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/s2a-go v0.1.8 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
+	github.com/googleapis/gax-go/v2 v2.13.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/spf13/cobra v1.8.1 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
+	go.opentelemetry.io/otel v1.28.0 // indirect
+	go.opentelemetry.io/otel/metric v1.28.0 // indirect
+	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
+	golang.org/x/crypto v0.25.0 // indirect
+	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
+	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/api v0.189.0 // indirect
+	google.golang.org/genproto v0.0.0-20240722135656-d784300faade // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240722135656-d784300faade // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240722135656-d784300faade // indirect
+	google.golang.org/grpc v1.65.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
+	sigs.k8s.io/kustomize/api v0.17.3 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.17.2 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
+)