Skip to content

fix: kustomize components + monorepos #23486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jun 24, 2025
Merged

fix: kustomize components + monorepos #23486

merged 5 commits into from
Jun 24, 2025

Conversation

blakepettersson
Copy link
Member

@blakepettersson blakepettersson commented Jun 19, 2025
edited
Loading

With #21674 the ability to ignore Kustomize component directories if they do not exist got introduced. This generally works fine, but the securejoin check is a bit too strict - we want to ensure that no-one can break out of the repo, but the current implementation doesn't allow for breaking outside the kustomization folder. This breaks the usage of this feature when using it for a monorepo.

This PR loosens the check to allow for traversals up to the repo root. We use the new os.Root functionality to ensure that users can't break outside the repo. Path traversals are still relative from the path where the kustomize source is located.

This should be cherry-picked for 3.0 and 3.1.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@blakepettersson blakepettersson requested a review from a team as a code owner June 19, 2025 10:51
@bunnyshell Bunnyshell
Copy link

bunnyshell bot commented Jun 19, 2025
edited
Loading

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

@blakepettersson blakepettersson force-pushed the fix/kustomize-components-and-monorepos branch from dfcbd24 to 186d8ed Compare June 19, 2025 10:52
@blakepettersson
fix: kustomize components + monorepos
49adac8 
With argoproj#21674 the ability to ignore Kustomize component directories if they
do not exist got introduced. This generally works fine, but the
`securejoin` check is a bit too strict - we want to ensure that no-one
can break out of the repo, but the current implementation doesn't allow
for breaking outside the kustomization folder. This breaks the usage of
this feature when using it for a monorepo.

This PR loosens the check to allow for traversals up to the repo root. We
use the new `os.Root` functionality to ensure that users can't break
outside the repo. Path traversals are still relative from the kustomize
repo.

Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
@blakepettersson blakepettersson force-pushed the fix/kustomize-components-and-monorepos branch from 186d8ed to 49adac8 Compare June 19, 2025 10:58
@blakepettersson
chore: let's keep the pre-existing error
2d370ed 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
@blakepettersson
chore: lint
3c6edc6 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
@codecov Codecov
Copy link

codecov bot commented Jun 19, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 50.00000% with 4 lines in your changes missing coverage. Please review.

Project coverage is 60.27%. Comparing base (2ae9f43) to head (af65c6f).
Report is 75 commits behind head on master.

Files with missing lines Patch % Lines
util/kustomize/kustomize.go 50.00% 3 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #23486      +/-   ##
==========================================
+ Coverage   59.96%   60.27%   +0.30%     
==========================================
  Files         342      344       +2     
  Lines       58807    59089     +282     
==========================================
+ Hits        35263    35613     +350     
+ Misses      20671    20598      -73     
- Partials     2873     2878       +5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@blakepettersson
fix: don't forget to defer close
4ccee1f 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
@blakepettersson
chore: lint
af65c6f 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
crenshaw-dev
crenshaw-dev approved these changes Jun 24, 2025
View reviewed changes
Copy link
Member

@crenshaw-dev crenshaw-dev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

The cherry-pick might be tough since os.Root is new, but worth trying.

@crenshaw-dev crenshaw-dev merged commit e37c3db into argoproj:master Jun 24, 2025
29 checks passed
@blakepettersson
Copy link
Member Author

Let's find out :)

@blakepettersson
Copy link
Member Author

/cherry-pick release-3.0

@blakepettersson
Copy link
Member Author

/cherry-pick release-3.1

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Jun 24, 2025
@blakepettersson
fix: kustomize components + monorepos (#23486)
fb05de7 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Jun 24, 2025
@blakepettersson
fix: kustomize components + monorepos (#23486)
3193232 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
This was referenced Jun 24, 2025
Merged
Merged
blakepettersson added a commit that referenced this pull request Jun 24, 2025
@gcp-cherry-pick-bot @blakepettersson
fix: kustomize components + monorepos (cherry-pick #23486) (#23540)
4a7e581 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com>
blakepettersson added a commit that referenced this pull request Jun 24, 2025
@gcp-cherry-pick-bot @blakepettersson
fix: kustomize components + monorepos (cherry-pick #23486) (#23539)
06fd506 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com>
cjcocokrisp pushed a commit to cjcocokrisp/argo-cd that referenced this pull request Jun 24, 2025
@blakepettersson @cjcocokrisp
fix: kustomize components + monorepos (argoproj#23486)
08b09b7 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
@blakepettersson blakepettersson deleted the fix/kustomize-components-and-monorepos branch July 12, 2025 19:12
cardoe added a commit to cardoe/argo-cd that referenced this pull request Jul 21, 2025
@cardoe
feat(kustomize): add support for components by reference
5c0ddf6 
Following argoproj#21674 which allowed ignoring components and argoproj#23486 which
allowed having components specified in a monorepo, this allows
specifying components by reference the same way that helm values files
can be specified. This is useful for people that store components in
branches or are doing testing by using branches against the main
application components.

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
cardoe added a commit to cardoe/argo-cd that referenced this pull request Jul 21, 2025
@cardoe
feat(kustomize): add support for components by reference (argoproj#23872
1f20259 
)

This is an implmentation of argoproj#23873. Following argoproj#21674 which allowed
ignoring components and argoproj#23486 which allowed having components
specified in a monorepo, this allows specifying components by reference
the same way that helm values files can be specified. Today kustomize
supports having URL references to components but ArgoCD has no concept
of this and does not detect that the component might have changed.
Using the reference form ArgoCD is aware of the changes to components
and can re-run any sync that is configured. This is useful for people
that store components in branches or are doing testing by using
branches against the main application components. Fixes argoproj#23872

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
@cardoe cardoe mentioned this pull request Jul 21, 2025
Open
14 tasks
cardoe added a commit to cardoe/argo-cd that referenced this pull request Jul 21, 2025
@cardoe
feat(kustomize): add support for components by reference (argoproj#23872
2f3f911 
)

This is an implmentation of argoproj#23873. Following argoproj#21674 which allowed
ignoring components and argoproj#23486 which allowed having components
specified in a monorepo, this allows specifying components by reference
the same way that helm values files can be specified. Today kustomize
supports having URL references to components but ArgoCD has no concept
of this and does not detect that the component might have changed.
Using the reference form ArgoCD is aware of the changes to components
and can re-run any sync that is configured. This is useful for people
that store components in branches or are doing testing by using
branches against the main application components. Fixes argoproj#23872

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
cardoe added a commit to cardoe/argo-cd that referenced this pull request Jul 21, 2025
@cardoe
feat(kustomize): add support for components by reference (argoproj#23872
2695c70 
)

This is an implmentation of argoproj#23873. Following argoproj#21674 which allowed
ignoring components and argoproj#23486 which allowed having components
specified in a monorepo, this allows specifying components by reference
the same way that helm values files can be specified. Today kustomize
supports having URL references to components but ArgoCD has no concept
of this and does not detect that the component might have changed.
Using the reference form ArgoCD is aware of the changes to components
and can re-run any sync that is configured. This is useful for people
that store components in branches or are doing testing by using
branches against the main application components. Fixes argoproj#23872

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
cardoe added a commit to cardoe/argo-cd that referenced this pull request Jul 22, 2025
@cardoe
feat(kustomize): add support for components by reference (argoproj#23872
5f1805a 
)

This is an implmentation of argoproj#23873. Following argoproj#21674 which allowed
ignoring components and argoproj#23486 which allowed having components
specified in a monorepo, this allows specifying components by reference
the same way that helm values files can be specified. Today kustomize
supports having URL references to components but ArgoCD has no concept
of this and does not detect that the component might have changed.
Using the reference form ArgoCD is aware of the changes to components
and can re-run any sync that is configured. This is useful for people
that store components in branches or are doing testing by using
branches against the main application components. Fixes argoproj#23872

Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
enneitex pushed a commit to enneitex/argo-cd that referenced this pull request Aug 24, 2025
@blakepettersson @enneitex
fix: kustomize components + monorepos (argoproj#23486)
e1340ba 
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Signed-off-by: enneitex <etienne.divet@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crenshaw-dev crenshaw-dev crenshaw-dev approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@blakepettersson @crenshaw-dev