exec function working dir is the kustomization that referenced it

[natasha41575]

As discussed in #4117, this PR changes the working directory of exec functions to be the directory of the kustomization that referenced it.

@yuwenma

ALLOW_MODULE_SPAN

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: natasha41575

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [natasha41575]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[natasha41575]

/retest

[k8s-ci-robot]

@natasha41575: This PR has multiple commits, and the default merge method is: merge.
You can request commits to be squashed using the label: tide/merge-method-squash

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[KnVerey]

It occurs to me that this annotation could be set by the user, in theory. We should be overwriting it in all cases, but should we validate it just in case? i.e. throw an error if it doesn't "look like" a value we set--it's relative, or root. Or would it be an option to use an unserialized field on the FunctionSpec to more definitively prevent it from being settable by the user?

Not caused by this PR, but I'm surprised to notice that we're not doing any validation of the exec path at all. There are several restrictions on the Starlark path above.

[natasha41575]

I've added some validation to make sure its an absolute path, and not the root

use an unserialized field on the FunctionSpec to more definitively prevent it from being settable by the user

Do we need to definitively prevent the user from setting it? If the user really wants to change the working directory when running kustomize fn run, should we let them?

If so, what would that look like in the code? I may need some guidance as I've never seen that or tried to do that before.

Also, please see the above comment for why kustomize fn run needs to fall back on the current directory when this annotation is missing.

[monopole]

We shouldn't honor a user set value here. The file path annotation should be set only by kustomize as it reads.

That's what AnnotateAll does, so lgtm.

Regardless, sanity checks are always a good idea, because down the road someone will change the code.

Makes sense to fall back to cwd.

[monopole]

Just noting that AnnotateAll will overwrite anything the user put in, so we're good.

[KnVerey]

Just noting that AnnotateAll will overwrite anything the user put in, so we're good.

Unless there's a code path that doesn't run that, which as Natasha pointed out, is true of kustomize fn run--if I'm understanding correctly, the annotation would currently be honored in that code path, which we don't want.

If so, what would that look like in the code? I may need some guidance as I've never seen that or tried to do that before.

I think it would necessarily mean not using an annotation for this, but instead setting the root as a field on one of the function-related structs that are used for configuration. I'm not confident in my understanding of these code paths, but maybe the current kustomization root could be an option passed to loader creation in NewLoader within (b *Kustomizer) Run, then loadPlugin could set it on a FunctionSpec.WorkingDir field?

[natasha41575]

How important is it that kustomize fn run does not honor the annotation? What are the consequences of allowing the user to set the working dir for this case?

In any case I am looking into seeing how we might be able to do without annotations now. The solution you've proposed is probably viable; I'll push the change soon.

[natasha41575]

@monopole @KnVerey the most recent commit takes the suggested approach, and passes down the working directory through parameters and fields so that we don't have to worry about the user ever being able to set it themselves. PTAL

[KnVerey]

👍 I like this approach better. Exec plugins carry inherent risk, so the more predictable and constrained we can make their invocation the better, IMO.

[monopole]

/lgtm

thanks! holding this in the ldr smells right

[KnVerey]

Similar to the logic for having the path validations be here, right before we run the command, should the "working directory must be set" validation also go here Instead of in runfun.go?

[natasha41575]

The other entry point to the exec filter is the container runtime code, which uses the exec filter to run docker run. To do this validation here, we would have to set the working directory there was well.

Currently, the place in runfn.go, where I have the "working directory must be set" validation, is only used when running exec functions.

I will defer to your opinion on whether the container runtime code should set the working directory for exec filters as well. The PR to do so is here: #4132

[seh]

See #4350 for why this directory may not be the right choice.