Patch Traits

Patch is a very common pattern of trait definitions, i.e. the app operators can amend/patch attributes to the component instance (normally the workload) to enable certain operational features such as sidecar or node affinity rules (and this should be done before the resources applied to target cluster).

This pattern is extremely useful when the component definition is provided by third-party component provider (e.g. software distributor) so app operators do not have privilege to change its template.

Below is an example for node-affinity trait:

The patch trait above assumes the target component instance have spec.template.spec.affinity field. Hence, we need to use appliesToWorkloads to enforce the trait only applies to those workload types have this field.

Another important field is podDisruptive, this patch trait will patch to the pod template field, so changes on any field of this trait will cause the pod to restart, We should add podDisruptive and make it to be true to tell users that applying this trait will cause the pod to restart.

Now the users could declare they want to add node affinity rules to the component instance as below:

  1. apiVersion: core.oam.dev/v1alpha2
  3. kind: Application
  5. metadata:
  7.   name: testapp
  9. spec:
  11.   components:
  13.     - name: express-server
  15.       type: webservice
  17.       properties:
  19.         image: oamdev/testapp:v1
  21.       traits:
  23.         - type: "node-affinity"
  25.           properties:
  27.             affinity:
  29.               server-owner: ["owner1","owner2"]
  31.               resource-pool: ["pool1","pool2","pool3"]
  33.             tolerations:
  35.               resource-pool: "broken-pool1"
  37.               server-owner: "old-owner"

By default, patch trait in KubeVela leverages the CUE merge operation. It has following known constraints though:

  • Can not handle conflicts.
    • For example, if a component instance already been set with value replicas=5, then any patch trait to patch replicas field will fail, a.k.a you should not expose replicas field in its component definition schematic.
  • Array list in the patch will be merged following the order of index. It can not handle the duplication of the array list members. This could be fixed by another feature below.

Strategy Patch

Strategy Patch is effective by adding annotation, and supports the following two ways

1. With +patchKey=<key_name> annotation

  • if a duplicated key is found, the patch data will be merge with the existing values;
  • if no duplication found, the patch will append into the array list.

The example of strategy patch trait with ‘patchKey’ will like below:

  1. apiVersion: core.oam.dev/v1beta1
  3. kind: TraitDefinition
  5. metadata:
  7.   annotations:
  9.     definition.oam.dev/description: "add sidecar to the app"
  11.   name: sidecar
  13. spec:
  15.   appliesToWorkloads:
  17.     - deployments.apps
  19.   podDisruptive: true
  21.   schematic:
  23.     cue:
  25.       template: |
  27.         patch: {
  29.             // +patchKey=name
  31.             spec: template: spec: containers: [parameter]
  33.         }
  35.         parameter: {
  37.             name:  string
  39.             image: string
  41.             command?: [...string]
  43.         }

In above example we defined patchKey is name which is the parameter key of container name. In this case, if the workload don’t have the container with same name, it will be a sidecar container append into the spec.template.spec.containers array list. If the workload already has a container with the same name of this sidecar trait, then merge operation will happen instead of append (which leads to duplicated containers).

If patch and outputs both exist in one trait definition, the patch operation will be handled first and then render the outputs.

  1. apiVersion: core.oam.dev/v1beta1
  3. kind: TraitDefinition
  5. metadata:
  7.   annotations:
  9.     definition.oam.dev/description: "expose the app"
  11.   name: expose
  13. spec:
  15.   appliesToWorkloads:
  17.     - deployments.apps
  19.   podDisruptive: true
  21.   schematic:
  23.     cue:
  25.       template: |
  27.         patch: {spec: template: metadata: labels: app: context.name}
  29.         outputs: service: {
  31.             apiVersion: "v1"
  33.             kind:       "Service"
  35.             metadata: name: context.name
  37.             spec: {
  39.                 selector: app: context.name
  41.                 ports: [
  43.                     for k, v in parameter.http {
  45.                         port:       v
  47.                         targetPort: v
  49.                     },
  51.                 ]
  53.             }
  55.         }
  57.         parameter: {
  59.             http: [string]: int
  61.         }

So the above trait which attaches a Service to given component instance will patch an corresponding label to the workload first and then render the Service resource based on template in outputs.

2. With +patchStrategy=retainkeys annotation

Similar to strategy in K8s strategic merge patch

In some scenarios that the entire object needs to be replaced, retainkeys strategy is the best choice. the example as follows:

Assume the Deployment is the base resource

Now want to replace rollingUpdate strategy with a new strategy, you can write the patch trait like below

  1. apiVersion: core.oam.dev/v1alpha2
  3. kind: TraitDefinition
  5. metadata:
  7.   name: recreate
  9. spec:
  11.   appliesToWorkloads:
  13.     - deployments.apps
  14.   extension:
  16.     template: |-
  18.       patch: {
  20.          spec: {
  22.               // +patchStrategy=retainKeys
  24.               strategy: type: "Recreate"
  26.            }
  28.       }

Then the base resource becomes as follows

  1. apiVersion: apps/v1
  3. kind: Deployment
  5. metadata:
  7.   name: retainkeys-demo
  9. spec:
  11.   selector:
  13.     matchLabels:
  15.       app: nginx
  17.   strategy:
  19.     type: Recreate
  21.   template:
  23.     metadata:
  25.       labels:
  27.         app: nginx
  29.     spec:
  31.       containers:
  33.       - name: retainkeys-demo-ctr
  35.         image: nginx

Patch trait is in general pretty useful to separate operational concerns from the component definition, here are some more examples.

  1. apiVersion: core.oam.dev/v1alpha2
  3. kind: TraitDefinition
  5. metadata:
  7.   annotations:
  9.     definition.oam.dev/description: "Add virtual group labels"
  11.   name: virtualgroup
  13. spec:
  15.   appliesToWorkloads:
  17.     - deployments.apps
  19.   podDisruptive: true
  21.   schematic:
  23.     cue:
  25.       template: |
  27.         patch: {
  29.             spec: template: {
  31.                 metadata: labels: {
  33.                     if parameter.scope == "namespace" {
  35.                         "app.namespace.virtual.group": parameter.group
  37.                     }
  39.                     if parameter.scope == "cluster" {
  41.                         "app.cluster.virtual.group": parameter.group
  43.                     }
  45.                 }
  47.             }
  49.         }
  51.         parameter: {
  53.             group: *"default" | string
  55.             scope:  *"namespace" | string
  57.         }

Then it could be used like:

Add Annotations

Similar to common labels, you could also patch the component instance with annotations. The annotation value should be a JSON string.

  1. apiVersion: core.oam.dev/v1beta1
  3. kind: TraitDefinition
  5. metadata:
  7.   annotations:
  9.     definition.oam.dev/description: "Specify auto scale by annotation"
  11.   name: kautoscale
  13. spec:
  15.   appliesToWorkloads:
  17.     - deployments.apps
  19.   podDisruptive: false
  21.   schematic:
  23.     cue:
  25.       template: |
  27.         import "encoding/json"
  32.         patch: {
  34.             metadata: annotations: {
  36.                 "my.custom.autoscale.annotation": json.Marshal({
  38.                     "minReplicas": parameter.min
  40.                     "maxReplicas": parameter.max
  42.                 })
  44.             }
  46.         }
  48.         parameter: {
  50.             min: *1 | int
  52.             max: *3 | int
  54.         }

Inject system environments into Pod is also very common use case.

  1. apiVersion: core.oam.dev/v1beta1
  3. kind: TraitDefinition
  5. metadata:
  7.   annotations:
  10.   name: env
  12. spec:
  14.   appliesToWorkloads:
  16.     - deployments.apps
  18.   podDisruptive: true
  20.   schematic:
  22.     cue:
  24.       template: |
  26.         patch: {
  28.             spec: template: spec: {
  30.                 // +patchKey=name
  32.                 containers: [{
  34.                     name: context.name
  36.                     // +patchKey=name
  38.                     env: [
  40.                         for k, v in parameter.env {
  42.                             name:  k
  44.                             value: v
  46.                         },
  48.                     ]
  50.                 }]
  52.             }
  54.         }
  59.         parameter: {
  61.             env: [string]: string
  63.         }

Inject ServiceAccount Based on External Auth Service

In this example, the service account was dynamically requested from an authentication service and patched into the service.

This example put UID token in HTTP header but you can also use request body if you prefer.

  1. apiVersion: core.oam.dev/v1beta1
  3. kind: TraitDefinition
  5. metadata:
  7.   annotations:
  9.     definition.oam.dev/description: "dynamically specify service account"
  11.   name: service-account
  13. spec:
  15.   appliesToWorkloads:
  17.     - deployments.apps
  19.   podDisruptive: true
  21.   schematic:
  23.     cue:
  25.       template: |
  27.         processing: {
  29.             output: {
  31.                 credentials?: string
  33.             }
  35.             http: {
  37.                 method: *"GET" | string
  39.                 url:    parameter.serviceURL
  41.                 request: {
  43.                     header: {
  45.                         "authorization.token": parameter.uidtoken
  47.                     }
  49.                 }
  51.             }
  53.         }
  55.         patch: {
  57.             spec: template: spec: serviceAccountName: processing.output.credentials
  59.         }
  64.         parameter: {
  66.             uidtoken:   string
  68.             serviceURL: string
  70.         }

The processing.http section is an advanced feature that allow trait definition to send a HTTP request during rendering the resource. Please refer to Execute HTTP Request in Trait Definition section for more details.

is useful to pre-define operations in an image and run it before app container.

Below is an example:

The usage could be:

  1. apiVersion: core.oam.dev/v1beta1
  3. kind: Application
  5. metadata:
  7.   name: testapp
  9. spec:
  11.   components:
  13.     - name: express-server
  15.       type: webservice
  17.       properties:
  19.         image: oamdev/testapp:v1
  21.       traits:
  23.         - type: "init-container"
  25.           properties:
  27.             name:  "install-container"
  29.             image: "busybox"
  31.             command:
  33.             - wget
  35.             - "-O"
  37.             - "/work-dir/index.html"
  39.             - http://info.cern.ch
  41.             mountName: "workdir"
  43.             appMountPath:  "/usr/share/nginx/html"