
I am trying to use Kustomize to do a strategic merge patch on the following YAML.

y1:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: storage-admin-policy
  namespace: cnrm-system
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: storage-admin
    namespace: cnrm-system
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:mysten-sui.svc.id.goog[monitoring/thanos-compactor]

y2:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: storage-admin-policy
  namespace: cnrm-system
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: storage-admin
    namespace: cnrm-system
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:mysten-sui.svc.id.goog[monitoring/test-compactor]

I am using the following kustomization file:

resources:
- y1.yaml

patchesStrategicMerge:
- y2.yaml

My requirement is that I want the YAML to be clubbed together, something like this:

apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: storage-admin-policy
  namespace: cnrm-system
spec:
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: storage-admin
    namespace: cnrm-system
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:mysten-sui.svc.id.goog[monitoring/test-compactor]
    - role: roles/iam.workloadIdentityUser
      members:
        - serviceAccount:mysten-sui.svc.id.goog[monitoring/thanos-compactor]
Siegfred V.
Pavan

2 Answers


StrategicMerge cannot append to arbitrary lists as per https://github.com/kubernetes-sigs/kustomize/issues/3265#issuecomment-733335803.

You could instead try a json6902 patch as shown here: Patching list in kubernetes manifest with Kustomize.

Joibel
  • Thanks, it works. My workflow is designed in such a way that the JSON patch is appended to the kustomization.yaml multiple times. Is there any way that Kustomize can skip duplicates? – Pavan Sep 11 '22 at 08:53

It's actually possible to change the patch strategy in Kustomize using the Kustomize OpenAPI feature to merge lists.

However, this exact CR iam.cnrm.cloud.google.com/v1beta1/IAMPolicy will not work because according to its schema, the bindings field doesn't have a unique key to be used with x-kubernetes-patch-merge-key.

If it had something like this, it could work, but unfortunately, it doesn't have it.

bindings:
- id: xyz
  role: roles/iam.workloadIdentityUser
  members:
    - serviceAccount:mysten-sui.svc.id.goog[monitoring/test-compactor]

More details about using OpenAPI in Kustomize: Set OpenAPI patch strategy for Kubernetes Custom Resources.

Ahmed AbouZaid
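The following is an added worked example, not code from the question or from either answer. It models the three behaviours discussed above in plain Python instead of invoking kustomize, so it runs offline: a strategic merge with no merge key on `bindings` replaces the list (which is why the question's kustomization produced only the y2 binding), a JSON 6902 `add` to `/spec/bindings/-` appends, and a strategic merge with a declared merge key would union the lists (the second answer's point). The `y1`/`y2` manifests are the question's YAML written as dicts. The `id` values `thanos` and `test` in `merge_with_hypothetical_key` are illustrative only; the real IAMPolicy schema has no such field. The `skip_duplicates` guard in `apply_json6902` is something the workflow that generates kustomization.yaml would have to do itself: kustomize applies an identical `add` op literally each time it appears, so repeating it appends the binding again.

```python
"""Strategic merge vs JSON 6902 add on the question's IAMPolicy manifests."""
import copy

# y1.yaml from the question, constructed here as a dict.
Y1 = {
    "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
    "kind": "IAMPolicy",
    "metadata": {"name": "storage-admin-policy", "namespace": "cnrm-system"},
    "spec": {
        "resourceRef": {
            "apiVersion": "iam.cnrm.cloud.google.com/v1beta1",
            "kind": "IAMServiceAccount",
            "name": "storage-admin",
            "namespace": "cnrm-system",
        },
        "bindings": [
            {"role": "roles/iam.workloadIdentityUser",
             "members": ["serviceAccount:mysten-sui.svc.id.goog[monitoring/thanos-compactor]"]},
        ],
    },
}

# The binding y2.yaml carries, i.e. the one the asker wants appended.
NEW_BINDING = {
    "role": "roles/iam.workloadIdentityUser",
    "members": ["serviceAccount:mysten-sui.svc.id.goog[monitoring/test-compactor]"],
}

# y2.yaml: identical to y1 except for the binding.
Y2 = copy.deepcopy(Y1)
Y2["spec"]["bindings"] = [copy.deepcopy(NEW_BINDING)]

# The JSON 6902 op that goes in the kustomization's `patches:` entry
# (inline `patch:` with a `target:` selecting the IAMPolicy).
APPEND_OP = [{"op": "add", "path": "/spec/bindings/-", "value": NEW_BINDING}]


def strategic_merge(base, patch, merge_keys=None):
    """Simplified strategic merge. Maps merge field by field. A list is
    replaced wholesale unless merge_keys names a merge key for that field
    (the role of x-kubernetes-patch-merge-key in an OpenAPI schema); then
    elements are matched on the key, matches merged, the rest appended."""
    merge_keys = merge_keys or {}
    out = copy.deepcopy(base)
    for field, value in patch.items():
        current = out.get(field)
        if isinstance(value, dict) and isinstance(current, dict):
            out[field] = strategic_merge(current, value, merge_keys)
        elif isinstance(value, list) and isinstance(current, list) and field in merge_keys:
            key = merge_keys[field]
            merged = copy.deepcopy(current)
            for item in value:
                idx = next((i for i, m in enumerate(merged) if m.get(key) == item.get(key)), None)
                if idx is None:
                    merged.append(copy.deepcopy(item))
                else:
                    merged[idx] = strategic_merge(merged[idx], item, merge_keys)
            out[field] = merged
        else:
            out[field] = copy.deepcopy(value)  # scalars and key-less lists: replace
    return out


def _walk(node, tokens):
    """Follow RFC 6901 path tokens (already unescaped) into lists and maps."""
    for tok in tokens:
        node = node[int(tok)] if isinstance(node, list) else node[tok]
    return node


def json6902_add(doc, path, value):
    """RFC 6902 'add': "-" appends to a list, a number inserts at that index,
    any other final token sets a map key. Tokens are unescaped per RFC 6901."""
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in path.split("/")[1:]]
    out = copy.deepcopy(doc)
    node, last = _walk(out, tokens[:-1]), tokens[-1]
    if isinstance(node, list):
        node.append(copy.deepcopy(value)) if last == "-" else node.insert(int(last), copy.deepcopy(value))
    else:
        node[last] = copy.deepcopy(value)
    return out


def apply_json6902(doc, ops, skip_duplicates=False):
    """Apply JSON 6902 'add' ops in order. kustomize appends on every identical
    op; skip_duplicates=True is a workflow-side guard, not a kustomize feature."""
    out = doc
    for op in ops:
        if op["op"] != "add":
            raise NotImplementedError("only 'add' is modelled here")
        if skip_duplicates and op["path"].endswith("/-"):
            parent = _walk(out, op["path"].split("/")[1:-1])
            if op["value"] in parent:
                continue
        out = json6902_add(out, op["path"], op["value"])
    return out


def merge_with_hypothetical_key():
    """Second answer's point: with a unique key per binding (hypothetical 'id';
    the real schema lacks one), a merge key makes the lists union, not replace."""
    base, patch = copy.deepcopy(Y1), copy.deepcopy(Y2)
    base["spec"]["bindings"][0]["id"] = "thanos"
    patch["spec"]["bindings"][0]["id"] = "test"
    return strategic_merge(base, patch, merge_keys={"bindings": "id"})


def members(doc):
    """Flatten bindings to (role, member) pairs for easy comparison."""
    return [(b["role"], m) for b in doc["spec"]["bindings"] for m in b["members"]]


if __name__ == "__main__":
    print("strategic merge, no merge key:", members(strategic_merge(Y1, Y2)))
    print("json6902 add:", members(apply_json6902(Y1, APPEND_OP)))
    print("hypothetical merge key:", members(merge_with_hypothetical_key()))
```

Running it shows the first case keeps only the `test-compactor` binding, the JSON 6902 `add` keeps both, and the hypothetical merge key would also keep both; applying `APPEND_OP` twice without the guard yields the binding twice, which is the duplication the follow-up comment asks about.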