…d along with a mutated label
Signed-off-by: Ciaran Johnston <ciaran.johnston@ericsson.com>
Pull request overview
Adds an interactive Bash demo script to showcase using kpt to package, mutate (via a function pipeline), render, and kpt live apply the Headlamp Kubernetes UI onto a local kind cluster, then print an access token and clean up.
Changes:
- Introduces headlamp-demo.sh with step-by-step prompts to create a kind cluster, fetch Headlamp manifests, and initialize a kpt package.
- Adds a set-labels mutator pipeline to change the k8s-app label and runs kpt fn render.
- Deploys with kpt live, starts a local kubectl port-forward, prints a service account token, and performs teardown.
Comments suppressed due to low confidence (1)
headlamp-demo.sh:147
- The PR description says there should be a prompt to continue after each step, but Step 6 immediately exits (triggering the EXIT trap cleanup) without a final confirmation/pause. If the intent is to let the presenter keep Headlamp open after Step 5, consider moving cleanup out of the EXIT trap into an explicit Step 6 action gated by a final prompt (or add a pause in Step 6 before exiting).
# ─── Step 6 ───────────────────────────────────────────────────────────────────
banner "Step 6: Cleanup"
# The EXIT trap handles cleanup; just print a message and exit cleanly.
echo -e "${BOLD}Demo complete. Cluster deleted and package removed.${RESET}"
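Review bot: The Step 6 echo reports "Cluster deleted and package removed." before the EXIT trap has run, so it is printed while the cluster and package still exist, and it stays on screen even if cleanup later fails. Print a neutral line here (for example "Demo complete. Cleaning up...") and emit the confirmation from the cleanup function once the delete and removal have actually succeeded.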
| if [[ -n "${PORT_FORWARD_PID}" ]]; then | ||
| kill "${PORT_FORWARD_PID}" 2>/dev/null || true | ||
| fi | ||
| kind delete cluster --name kpt-demo 2>/dev/null || true | ||
| rm -rf "${HEADLAMP_DIR}" | ||
| } |
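Review bot: The kind delete cluster --name kpt-demo line in this cleanup block discards its errors with 2>/dev/null || true, so it removes any cluster named kpt-demo, including one that existed before this run, and a failed delete is never reported. Record whether this run created the cluster and delete only in that case, and print a warning instead of silencing the failure so a leftover cluster is noticed.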
rm -rf "${HEADLAMP_DIR}" runs on every script exit and will unconditionally delete a headlamp/ directory next to the script, even if it existed before the demo. This is destructive if the repo already contains user data at that path. Consider using a unique temp directory (e.g., via mktemp -d) or track whether the directory was created by this run and only remove it in that case (optionally prompting before deletion).
| echo -e "${GREEN}> Generating headlamp-admin-crb.yaml${RESET}" | ||
| cat > headlamp-admin-crb.yaml <<'EOF' | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: ClusterRoleBinding | ||
| metadata: | ||
| name: headlamp-admin | ||
| roleRef: | ||
| apiGroup: rbac.authorization.k8s.io | ||
| kind: ClusterRole | ||
| name: cluster-admin | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: headlamp-admin | ||
| namespace: kube-system | ||
| EOF |
The script installs a ClusterRoleBinding to cluster-admin for the headlamp-admin service account. Even for a demo, this grants full cluster control and is risky if someone runs the script against a non-throwaway kubeconfig context. Prefer using the minimal RBAC recommended by Headlamp (or at least add a prominent warning and a safety check to ensure the current context is the kind-kpt-demo cluster before applying).
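The context check suggested in the comment above, sketched as an added example (not code from the PR, kpt or Headlamp). It assumes kind's usual context naming, kind-<cluster name>; the function names are hypothetical.

```bash
# Added example: refuse to run cluster-changing commands unless kubectl is
# pointed at the throwaway kind cluster created for the demo.
# Assumption: kind registers the cluster "kpt-demo" under the kubeconfig
# context "kind-kpt-demo".
EXPECTED_CONTEXT="kind-kpt-demo"

# Returns 0 only when the active kubeconfig context is the expected one.
# A missing kubectl or an unset current-context yields an empty string,
# which counts as a mismatch.
context_is_demo_cluster() {
  [ "$(kubectl config current-context 2>/dev/null)" = "${EXPECTED_CONTEXT}" ]
}

# Hypothetical wrapper: runs the given command only after the guard passes,
# so the cluster-admin ClusterRoleBinding can never reach another cluster.
apply_if_demo_cluster() {
  if ! context_is_demo_cluster; then
    echo "Refusing to run '$*': current context is not ${EXPECTED_CONTEXT}" >&2
    return 1
  fi
  "$@"
}

# Assumed call site in the demo script:
#   apply_if_demo_cluster kpt live apply
```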
| echo "" | ||
| echo -e "${GREEN}> kubectl port-forward -n kube-system service/headlamp 8080:80 &${RESET}" | ||
| kubectl port-forward -n kube-system service/headlamp 8080:80 & | ||
| PORT_FORWARD_PID=$! |
kubectl port-forward ... & is started in the background, but set -e won’t catch failures from a backgrounded process (e.g., service not ready, port 8080 already in use). The script will still print the URL/token even if port-forward immediately exits. Consider waiting briefly and verifying the process is still alive (kill -0 $PORT_FORWARD_PID), or retrying until the service endpoints are ready, failing the script if port-forward can’t be established.
| PORT_FORWARD_PID=$! | |
| PORT_FORWARD_PID=$! | |
| # Give port-forward a moment to start and then verify it is still running. | |
| sleep 2 | |
| if ! kill -0 "${PORT_FORWARD_PID}" 2>/dev/null; then | |
| echo "Error: kubectl port-forward failed to start or exited early. See output above for details." >&2 | |
| exit 1 | |
| fi |
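Review bot: The kill -0 check after a fixed sleep 2 only shows that the process is still alive, not that local port 8080 is accepting connections, so a slow start passes the check and a port-forward that exits after the two seconds is missed. Poll the local port with a short overall timeout instead of sleeping a fixed time, and fail if it never becomes reachable.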
| run mkdir -p "${HEADLAMP_DIR}" | ||
| cd "${HEADLAMP_DIR}" | ||
|
|
||
| run curl -sLO https://raw.githubusercontent.com/kubernetes-sigs/headlamp/main/kubernetes-headlamp.yaml |
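Review bot: The curl -sLO call has no -f, so an HTTP error response (for example a 404 body) is written to kubernetes-headlamp.yaml with exit status 0 and the script carries on with a file that is not a manifest; -s also hides any error message. Use curl -fsSLO so a failed download stops the step and says why.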
The manifest is fetched from Headlamp’s main branch, which can change at any time and break the demo unexpectedly. For a repeatable demo, consider pinning the URL to a specific release tag or commit SHA (and optionally verifying a checksum).
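One way to do the pinning and checksum verification suggested above, as an added example that is not part of the PR. PINNED_REF and EXPECTED_SHA256 are placeholders to fill in from a reviewed release, the function names are hypothetical, and sha256sum from GNU coreutils is assumed.

```bash
# Added example. Placeholders: set these from a Headlamp tag or commit whose
# manifest you have reviewed; they are not values taken from the PR.
PINNED_REF="<release-tag-or-commit-sha>"
EXPECTED_SHA256="<sha256-of-reviewed-manifest>"
MANIFEST_URL="https://raw.githubusercontent.com/kubernetes-sigs/headlamp/${PINNED_REF}/kubernetes-headlamp.yaml"

# Succeeds only when the file exists and its SHA-256 equals the expected
# lowercase hex digest.
verify_sha256() {
  local file="$1" expected="$2" actual
  [ -f "${file}" ] || return 1
  actual="$(sha256sum "${file}" | awk '{print $1}')"
  [ "${actual}" = "${expected}" ]
}

# Downloads to a temporary file, verifies it, and only then moves it into
# place, so a failed or tampered download never becomes the package input.
#   -f          fail on HTTP errors instead of saving the error page
#   --proto     accept https only
fetch_pinned_manifest() {
  local url="$1" expected="$2" dest="$3" tmp
  tmp="$(mktemp)" || return 1
  if curl -fsSL --proto '=https' -o "${tmp}" "${url}" \
      && verify_sha256 "${tmp}" "${expected}"; then
    mv "${tmp}" "${dest}"
  else
    rm -f "${tmp}"
    echo "Manifest download or checksum verification failed: ${url}" >&2
    return 1
  fi
}

# Assumed call site in the demo script:
#   fetch_pinned_manifest "${MANIFEST_URL}" "${EXPECTED_SHA256}" kubernetes-headlamp.yaml
```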
| echo -e "\033[0;31m${BOLD}An error occurred. Running cleanup...${RESET}" | ||
| fi | ||
| if [[ -n "${PORT_FORWARD_PID}" ]]; then | ||
| kill "${PORT_FORWARD_PID}" 2>/dev/null || true |
Cleanup does kill "${PORT_FORWARD_PID}" without confirming the PID is still the port-forward process. If kubectl port-forward exits early, that PID could theoretically be reused and the cleanup might kill an unrelated process. Consider checking the process is still running and matches the expected command before killing (or run port-forward in the foreground and terminate it explicitly).
| kill "${PORT_FORWARD_PID}" 2>/dev/null || true | |
| if ps -p "${PORT_FORWARD_PID}" -o command= 2>/dev/null | grep -qE 'kubectl(\.exe)?[[:space:]].*port-forward'; then | |
| kill "${PORT_FORWARD_PID}" 2>/dev/null || true | |
| fi |
Signed-off-by: Ciaran Johnston <ciaran.johnston@ericsson.com>
Create a script that runs as a demo, performing the following steps with a prompt request to continue after each step:
step 1:
step 2:
step 3:
step 4:
step 5:
kubectl create token headlamp-admin -n kube-system
step 6:
This script is intended for use to demonstrate in a simple way how kpt can be applied quickly and easily to automate and manage an existing application with a KRM YAML for deployment.