
I'm using kustomize to manage my argocd manifests.

My structure looks like this:

argocd
├── base
│   ├── argocd-ui-ingress.yaml
│   └── kustomization.yaml
└── overlays
    ├── dev
    │   ├── argocd-cm-patch.yaml
    │   ├── argocd-repo-server-ksops-patch.yaml
    │   ├── ksops-secret-generator.yaml
    │   ├── kustomization.yaml
    │   └── secret-argocd-notifications.yaml
    └── prod
        ├── argocd-cm-patch.yaml
        ├── argocd-repo-server-ksops-patch.yaml
        ├── ksops-secret-generator.yaml
        ├── kustomization.yaml
        └── secret-argocd-notifications.yaml

This is my overlays/dev/kustomization.yaml file:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.3.2/manifests/install.yaml
  - ../../base

patchesStrategicMerge:
  - argocd-cm-patch.yaml
  - argocd-repo-server-ksops-patch.yaml

patches:
  - patch: |-
      - op: add
        path: /spec/rules/0/host
        value: argocd.foo.com
      - op: add
        path: /spec/tls/0/hosts/0
        value: argocd.foo.com
    target:
      kind: Ingress
      name: argocd-ui

generators:
  - ksops-secret-generator.yaml

This is my ksops-secret-generator.yaml file:

# Create a local Kubernetes Secret
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: ksops-secret-generator
files:
  - secret-argocd-notifications.yaml

And lastly, my secret-argocd-notifications.yaml looks like this:

apiVersion: v1
kind: Secret
metadata:
  name: argocd-notifications-secret
  namespace: argocd
data:
  foo: [ENC]...

Since it's a sops-encrypted file, I'm using the ksops plugin to generate the usable Secret resource.

The problem I'm having currently is that the remote resource I'm using (https://raw.githubusercontent.com/argoproj/argo-cd/v2.3.2/manifests/install.yaml) already includes a Secret named argocd-notifications-secret. So when I run kustomize build overlays/dev --enable-alpha-plugins, I get two Secret resources named argocd-notifications-secret: one from my local file that gets generated through the ksops-secret-generator, and one that is included in the remote manifest.

I tried to solve this by adding the replace (and also merge, got the same result) behavior annotation to my local file:

  annotations:
    kustomize.config.k8s.io/behavior: replace

But ended with this error:

Error: merging from generator &{0xc000d4c0a0 <nil>}: id resid.ResId{Gvk:resid.Gvk{Group:"", Version:"v1", Kind:"Secret", isClusterScoped:false}, Name:"argocd-notifications-secret", Namespace:"argocd"} does not exist; cannot merge or replace

I also can't add my local file under patchesStrategicMerge section, because then it just adds the raw sops encrypted file (without using the generator at all).

Is there a way to handle that scenario?

Moshe Vayner

1 Answer

Apparently this was all a red herring. The main issue turned out to be the namespace directive that was in the argocd-notifications-secret overlay. After removing it, I re-added the below annotation:

  annotations:
    kustomize.config.k8s.io/behavior: merge

And it worked.

Credit for this quick turnaround goes to the CNCF Slack #argo-cd channel. Thread here

Moshe Vayner
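The error message in the question already shows why the merge could not find its target: the generator's ResId carries Namespace:"argocd", while the resources in the upstream install.yaml have no metadata.namespace (the manifest is meant to be applied with "kubectl apply -n argocd"), so to kustomize the two Secrets are different ids. Dropping the namespace from the overlay file makes the ids line up and "behavior: merge" has something to merge into. Two checks worth running in CI after this kind of fix, as an added example that is not code from the post or from the kustomize or ksops projects: the first reports any kind/name that renders more than once in a kustomize build stream, listing the namespaces involved so a namespace-less and a namespaced copy show up as a collision; the second refuses a Secret file handed to the ksops generator unless every data value is an ENC[...] ciphertext and a sops metadata block is present. The rendered stream, the ENC[...] payload and the file names are constructed stand-ins, not real output or ciphertext.

```shell
#!/bin/sh
# Added example, not from the post: CI checks for a kustomize + ksops overlay.

# resource_collisions FILE
# FILE is a multi-document YAML stream, e.g. the output of
#   kustomize build overlays/dev --enable-alpha-plugins > rendered.yaml
# Prints "kind/name count namespaces" for every kind/name that appears more
# than once. Only top-level kind: and metadata: fields are read, so nested
# "name:" keys (container names, rule hosts) are ignored.
resource_collisions() {
  awk '
    function flush(key) {
      if (kind != "") {
        key = kind "/" name
        seen[key]++
        n = (ns == "" ? "(none)" : ns)
        if (index(nslist[key], n) == 0)
          nslist[key] = (nslist[key] == "" ? n : nslist[key] "," n)
      }
      kind = ""; name = ""; ns = ""; in_meta = 0
    }
    /^---/        { flush(); next }
    /^kind:/      { kind = $2; next }
    /^metadata:/  { in_meta = 1; next }
    /^[A-Za-z]/   { in_meta = 0 }
    in_meta && /^  name:/      { name = $2 }
    in_meta && /^  namespace:/ { ns = $2 }
    END {
      flush()
      for (k in seen) if (seen[k] > 1) print k, seen[k], nslist[k]
    }
  ' "$1" | sort
}

# assert_sops_encrypted FILE
# Exits 0 only if FILE has a top-level sops: block and every value under
# data:/stringData: starts with ENC[, i.e. it is a sops ciphertext rather than
# a plaintext (or merely base64-encoded) secret that ksops would pass through.
assert_sops_encrypted() {
  awk '
    /^sops:/               { has_sops = 1 }
    /^(data|stringData):/  { in_data = 1; next }
    /^[A-Za-z]/            { in_data = 0 }
    in_data && /^  [^ ]+: / {
      val = $0
      sub(/^  [^ ]+: /, "", val)
      if (val !~ /^ENC\[/) { bad++; print "plaintext value for key " $1 }
    }
    END { if (has_sops && bad == 0) exit 0; exit 1 }
  ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed stand-in for the build output described in the question: the
# upstream Secret has no namespace, the generated one says namespace: argocd.
cat > "$tmp/rendered.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: argocd-notifications-secret
type: Opaque
---
apiVersion: v1
kind: Secret
metadata:
  name: argocd-notifications-secret
  namespace: argocd
data:
  foo: YmFy
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
EOF

# Constructed sops-style file; the ENC[...] payload is a placeholder.
cat > "$tmp/secret.enc.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: argocd-notifications-secret
data:
  foo: ENC[AES256_GCM,data:placeholder,iv:placeholder,tag:placeholder,type:str]
sops:
  version: 3.7.1
EOF

# Constructed plaintext file that must be refused.
cat > "$tmp/secret.plain.yaml" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: argocd-notifications-secret
data:
  foo: YmFy
EOF

resource_collisions "$tmp/rendered.yaml"
assert_sops_encrypted "$tmp/secret.enc.yaml" && echo "secret.enc.yaml: ok"
assert_sops_encrypted "$tmp/secret.plain.yaml" || echo "secret.plain.yaml: refused"
```

On the constructed stream the first check prints "Secret/argocd-notifications-secret 2 (none),argocd", which is exactly the situation the question describes: kustomize rendered both copies because their ids differ only in namespace, and once applied with -n argocd they would land on the same object with the last one winning. Wire the second check into a pre-commit hook or the CI job that runs kustomize build, so a decrypted secret-argocd-notifications.yaml never reaches the repository.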