Patch resources of the chart without changing the chart

[ilya-lesikov]

Problem

If the third-party chart does not allow modifications of some resources (e. g. no way to specify securityContext for Pod), then chart consumers must fork the chart and modify it themselves.

Solution (if you have one)

Provide a way to easily patch rendered chart resources on-the-fly. Might look like this:

$ cat patch.yaml
- selector:
    chart: mychart
    resourceName: myapp
    resourceKind: Deployment
  patch: |
    <patch>
$ werf converge --patch patch.yaml

We could also provide a way to automatically apply patches that are distributed with the chart, so that the user can have a parent chart with patches for the resources in the dependent child charts.

Additional information

Helm 3 has a --post-renderer flag which might help with this, but it has its issues:

1. Chart developers can't enforce usage of specific post-renderer with a specific configuration for their chart. They must provide instructions to the chart consumers on how to manually set up the post-renderer and how to run it.
2. Ability to use any language to patch resources results in chart consumers potentially required to learn many different languages just for Kubernetes manifest patching.

[PSanetra]

This was the first feature request I had in mind when I thought about how to improve helm!

As another idea to consider: Maybe it was also possible to support KRM functions. See https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/docs/api-conventions/functions-spec.md and https://kpt.dev/book/02-concepts/03-functions

[ryou90]

That would be a great feature. Is there a timeline for this feature?

[alexey-igrychev]

This is a must-have feature and we plan to add it this year (soon).

[ryou90]

Thanks for your quick reply. This feature will be a absoluty game changer.
This would make it unnecessary to fork third party helm charts, as you can modify them in-place. That would simplify so many things :)

Ideally, as already mentioned above, I would like the idea of including the patches in bundles.

Should it also be possible for the specific patch only to be executed depending on the specific environment?

[alexey-igrychev]

Certainly, patches will be environment-specific and can be used similarly to values files. Before implementation, we’ll draft a proposal and post it in this issue so we can discuss the details and consider your suggestions.