feat: remove build dependency on dockerd

Dockerfile

@@ -7,6 +7,12 @@ ARG KUBECTL_IMAGE
 ARG CLUSTERCTL_V0_3_IMAGE
 ARG CLUSTERCTL_V0_4_IMAGE
 ARG CLUSTERCTL_V1_1_IMAGE
+ARG KPT_FN_SEARCH_REPLACE_IMAGE
+ARG KPT_FN_SET_ANNOTATIONS_IMAGE
+ARG KPT_FN_SET_NAMESPACE_IMAGE
+ARG KPT_FN_CREATE_SETTERS_IMAGE
+ARG KPT_FN_APPLY_SETTERS_IMAGE
+ARG KPT_FN_STARLARK_IMAGE
 
 FROM $GOLANG_IMAGE as golang
 FROM $KPT_IMAGE as kpt
@@ -15,6 +21,12 @@ FROM $KUBECTL_IMAGE as kubectl
 FROM $CLUSTERCTL_V0_3_IMAGE as clusterctl-v0_3
 FROM $CLUSTERCTL_V0_4_IMAGE as clusterctl-v0_4
 FROM $CLUSTERCTL_V1_1_IMAGE as clusterctl-v1_1
+FROM $KPT_FN_SEARCH_REPLACE_IMAGE as kpt-fn-search-replace
+FROM $KPT_FN_SET_ANNOTATIONS_IMAGE as kpt-fn-set-annotations
+FROM $KPT_FN_SET_NAMESPACE_IMAGE as kpt-fn-set-namespace
+FROM $KPT_FN_CREATE_SETTERS_IMAGE as kpt-fn-create-setters
+FROM $KPT_FN_APPLY_SETTERS_IMAGE as kpt-fn-apply-setters
+FROM $KPT_FN_STARLARK_IMAGE as kpt-fn-starlark
 
 FROM golang as tools
 RUN apk add -U git build-base curl bash docker
@@ -24,15 +36,25 @@ COPY --link --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/kubec
 COPY --link --from=clusterctl-v0_3 /clusterctl /usr/local/bin/clusterctl-v0_3
 COPY --link --from=clusterctl-v0_4 /clusterctl /usr/local/bin/clusterctl-v0_4
 COPY --link --from=clusterctl-v1_1 /clusterctl /usr/local/bin/clusterctl-v1_1
+COPY --link --from=kpt-fn-search-replace /usr/local/bin/function /usr/local/bin/kpt-fn-search-replace
+COPY --link --from=kpt-fn-set-annotations /usr/local/bin/function /usr/local/bin/kpt-fn-set-annotations
+COPY --link --from=kpt-fn-set-namespace /usr/local/bin/function /usr/local/bin/kpt-fn-set-namespace
+COPY --link --from=kpt-fn-create-setters /usr/local/bin/function /usr/local/bin/kpt-fn-create-setters
+COPY --link --from=kpt-fn-apply-setters /usr/local/bin/function /usr/local/bin/kpt-fn-apply-setters
+COPY --link --from=kpt-fn-starlark /usr/local/bin/function /usr/local/bin/kpt-fn-starlark
 
 FROM tools as kpt-sink-render-from-url
-ARG DOCKER_HOST
-ENV DOCKER_HOST=${DOCKER_HOST}
 ARG PACKAGE_PATH
 ARG RESOURCES_URL
-RUN curl -L "${RESOURCES_URL}" | kpt fn sink "/pkg"
-COPY --link ${PACKAGE_PATH}/Kptfile /pkg/Kptfile
-RUN kpt fn render --truncate-output=false /pkg && rm /pkg/Kptfile
+ARG REPO_KPTFILE="./Kptfile"
+COPY --link ${REPO_KPTFILE} /pkgs/Kptfile
+RUN curl -L "${RESOURCES_URL}" | kpt fn sink "/pkgs/${PACKAGE_PATH}"
+COPY --link ${PACKAGE_PATH}/Kptfile /pkgs/${PACKAGE_PATH}/Kptfile
+RUN sed -i 's|image: gcr.io/kpt-fn/\(.*\):.*|exec: /usr/local/bin/kpt-fn-\1|' /pkgs/Kptfile
+RUN sed -i 's|image: gcr.io/kpt-fn/\(.*\):.*|exec: /usr/local/bin/kpt-fn-\1|' /pkgs/${PACKAGE_PATH}/Kptfile
+RUN kpt fn render --allow-exec --truncate-output=false "/pkgs"
+RUN rm "/pkgs/${PACKAGE_PATH}/Kptfile"
+RUN cp -r "/pkgs/${PACKAGE_PATH}" /pkg
 
 FROM scratch as pkg
 COPY --link --from=kpt-sink-render-from-url /pkg /
@@ -74,20 +96,21 @@ FROM scratch as cluster-api-provider-upstream
 COPY --link --from=clusterctl-provider-kpt-sink /pkg /
 
 FROM tools as cluster-api-provider-pkg-render
-ARG DOCKER_HOST
-ENV DOCKER_HOST=${DOCKER_HOST}
 ARG CLUSTERCTL
 ARG PROVIDER_TYPE
 ARG PROVIDER_NAME
 ARG PROVIDER_VERSION
 ARG CAPI_API_GROUP
 ARG PKG_PATH="cluster-api/${CAPI_API_GROUP}/${PROVIDER_TYPE}/${PROVIDER_NAME}"
 ARG KPTFILE_SRC="${PKG_PATH}/Kptfile"
+COPY --link ./Kptfile /kpt-files/Kptfile
 COPY --link cluster-api/Kptfile /kpt-files/cluster-api/Kptfile
 COPY --link ${KPTFILE_SRC} /kpt-files/${KPTFILE_SRC}
 COPY --link --from=cluster-api-provider-upstream / /kpt-files/${PKG_PATH}
-RUN kpt pkg init /kpt-files
-RUN kpt fn render --truncate-output=false /kpt-files
+RUN sed -i 's|image: gcr.io/kpt-fn/\(.*\):.*|exec: /usr/local/bin/kpt-fn-\1|' /kpt-files/Kptfile
+RUN sed -i 's|image: gcr.io/kpt-fn/\(.*\):.*|exec: /usr/local/bin/kpt-fn-\1|' /kpt-files/cluster-api/Kptfile
+RUN sed -i 's|image: gcr.io/kpt-fn/\(.*\):.*|exec: /usr/local/bin/kpt-fn-\1|' "/kpt-files/${KPTFILE_SRC}"
+RUN kpt fn render --allow-exec --truncate-output=false /kpt-files
 RUN cp -r "/kpt-files/${PKG_PATH}" /pkg
 RUN find /pkg -type f -name 'Kptfile' -delete
 
@@ -129,21 +152,22 @@ FROM scratch as cluster-api-cluster-upstream
 COPY --link --from=clusterctl-cluster-kpt-sink /pkg /
 
 FROM tools as cluster-api-cluster-pkg-render
-ARG DOCKER_HOST
-ENV DOCKER_HOST=${DOCKER_HOST}
 ARG CLUSTERCTL
 ARG PROVIDER_TYPE
 ARG PROVIDER_NAME
 ARG PROVIDER_VERSION
 ARG CAPI_API_GROUP
 ARG PKG_PATH="cluster-api/${CAPI_API_GROUP}/cluster/${PROVIDER_NAME}"
 ARG KPTFILE_SRC="${PKG_PATH}/Kptfile"
+COPY --link ./Kptfile /kpt-files/Kptfile
 COPY --link cluster-api/Kptfile /kpt-files/cluster-api/Kptfile
 COPY --link ${KPTFILE_SRC} /kpt-files/${KPTFILE_SRC}
 COPY --link --from=cluster-api-cluster-upstream / /kpt-files/${PKG_PATH}
 RUN sed -i 's/apply-setters/create-setters/' "/kpt-files/${KPTFILE_SRC}"
-RUN kpt pkg init /kpt-files
-RUN kpt fn render --truncate-output=false /kpt-files
+RUN sed -i 's|image: gcr.io/kpt-fn/\(.*\):.*|exec: /usr/local/bin/kpt-fn-\1|' /kpt-files/Kptfile
+RUN sed -i 's|image: gcr.io/kpt-fn/\(.*\):.*|exec: /usr/local/bin/kpt-fn-\1|' /kpt-files/cluster-api/Kptfile
+RUN sed -i 's|image: gcr.io/kpt-fn/\(.*\):.*|exec: /usr/local/bin/kpt-fn-\1|' "/kpt-files/${KPTFILE_SRC}"
+RUN kpt fn render --allow-exec --truncate-output=false /kpt-files
 RUN cp -r "/kpt-files/${PKG_PATH}" /pkg
 RUN find /pkg -type f -name 'Kptfile' -delete
 

Kptfile

@@ -0,0 +1,83 @@
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: pkgs
+info:
+  description: |
+    This package is for maintenance on the `pkgs` repository as a whole.
+    It is not intended to be consumed as a package of resources for deployment.
+pipeline:
+  mutators:
+  - name: create-setters-for-all-flags
+    image: gcr.io/kpt-fn/search-replace:unstable
+    configMap:
+      by-value-regex: '--([\w-]*)=(.*)'
+      put-comment: 'kpt-set: --${1}=${${1}}'
+  - name: remove-caBundle-placeholders
+    image: gcr.io/kpt-fn/starlark:unstable
+    configMap:
+      source: |
+        def removecabundles(resources):
+          for resource in resources:
+            webhooks = resource.get("webhooks")
+            if not webhooks:
+              continue
+
+            print("removecabundles is processing resource", resource["kind"], resource["metadata"]["name"])
+            for webhook in webhooks:
+              if not webhook.get("clientConfig"):
+                continue
+              if not webhook["clientConfig"].get("caBundle"):
+                continue
+
+              print("removecabundles is processing webhook", webhook["name"])
+
+              webhook["clientConfig"].pop("caBundle")
+
+          for resource in resources:
+            spec = resource.get("spec")
+            if not spec:
+              continue
+
+            conversion = spec.get("conversion")
+            if not conversion:
+              continue
+
+            webhook = conversion.get("webhook")
+            if not webhook:
+              continue
+
+            clientConfig = webhook.get("clientConfig")
+            if not clientConfig:
+              continue
+
+            clientConfig.pop("caBundle", "noexist")
+
+        removecabundles(ctx.resource_list["items"])
+  - name: add-port-protocol
+    image: gcr.io/kpt-fn/starlark:unstable
+    configMap:
+      source: |
+        def addportprotocol(resources):
+          for resource in resources:
+            spec = resource.get("spec")
+            if not spec:
+              continue
+
+            ports = spec.get("ports")
+            if not ports:
+              continue
+
+            for port in ports:
+              port.setdefault("protocol", "TCP")
+
+        addportprotocol(ctx.resource_list["items"])
+  - name: remove-creation-timestamp
+    image: gcr.io/kpt-fn/starlark:unstable
+    configMap:
+      source: |
+        def removecreationtimestamp(resources):
+          for resource in resources:
+            resource["metadata"].pop("creationTimestamp", "null")
+
+        removecreationtimestamp(ctx.resource_list["items"])

cert-manager/cert-manager/deployment_cert-manager-cainjector.yaml

@@ -25,8 +25,8 @@ spec:
     spec:
       containers:
       - args:
-        - --v=2
-        - --leader-election-namespace=kube-system
+        - --v=2 # kpt-set: --v=${v}
+        - --leader-election-namespace=kube-system # kpt-set: --leader-election-namespace=${leader-election-namespace}
         env:
         - name: POD_NAMESPACE
           valueFrom:

cert-manager/cert-manager/deployment_cert-manager-webhook.yaml

@@ -25,11 +25,11 @@ spec:
     spec:
       containers:
       - args:
-        - --v=2
-        - --secure-port=10250
-        - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
-        - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca
-        - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc
+        - --v=2 # kpt-set: --v=${v}
+        - --secure-port=10250 # kpt-set: --secure-port=${secure-port}
+        - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE) # kpt-set: --dynamic-serving-ca-secret-namespace=${dynamic-serving-ca-secret-namespace}
+        - --dynamic-serving-ca-secret-name=cert-manager-webhook-ca # kpt-set: --dynamic-serving-ca-secret-name=${dynamic-serving-ca-secret-name}
+        - --dynamic-serving-dns-names=cert-manager-webhook,cert-manager-webhook.cert-manager,cert-manager-webhook.cert-manager.svc # kpt-set: --dynamic-serving-dns-names=${dynamic-serving-dns-names}
         env:
         - name: POD_NAMESPACE
           valueFrom:

cert-manager/cert-manager/deployment_cert-manager.yaml

@@ -29,9 +29,9 @@ spec:
     spec:
       containers:
       - args:
-        - --v=2
-        - --cluster-resource-namespace=$(POD_NAMESPACE)
-        - --leader-election-namespace=kube-system
+        - --v=2 # kpt-set: --v=${v}
+        - --cluster-resource-namespace=$(POD_NAMESPACE) # kpt-set: --cluster-resource-namespace=${cluster-resource-namespace}
+        - --leader-election-namespace=kube-system # kpt-set: --leader-election-namespace=${leader-election-namespace}
         env:
         - name: POD_NAMESPACE
           valueFrom:

cert-manager/cert-manager/service_cert-manager-webhook.yaml

@@ -13,6 +13,7 @@ spec:
   - name: https
     port: 443
     targetPort: 10250
+    protocol: TCP
   selector:
     app.kubernetes.io/component: webhook
     app.kubernetes.io/instance: cert-manager

cert-manager/customresourcedefinition_certificaterequests.cert-manager.io.yaml

@@ -11,7 +11,6 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:

cluster-api/Kptfile

@@ -2,6 +2,10 @@ apiVersion: kpt.dev/v1
 kind: Kptfile
 metadata:
   name: cluster-api
+info:
+  description: |
+    This package is for maintenance on the packages under `cluster-api`.
+    It is not intended to be consumed as a package of resources for deployment.
 pipeline:
   mutators:
   - name: normalize-feature-gates-flag
@@ -24,11 +28,6 @@ pipeline:
     configMap:
       by-value-regex: '(.*)(capi-webhook-system)(.*)'
       put-comment: 'kpt-set: ${1}${capi-webhook-system-namespace}${3}'
-  - name: create-setters-for-all-flags
-    image: gcr.io/kpt-fn/search-replace:unstable
-    configMap:
-      by-value-regex: '--([\w-]*)=(.*)'
-      put-comment: 'kpt-set: --${1}=${${1}}'
   - name: add-paused-fields
     image: gcr.io/kpt-fn/search-replace:unstable
     configMap:
@@ -54,62 +53,3 @@ pipeline:
     - kind: Issuer
     - namespace: capi-webhook-system
       kind: Deployment
-  - name: remove-caBundle-placeholders
-    image: gcr.io/kpt-fn/starlark:unstable
-    configMap:
-      source: |
-        def removecabundles(resources):
-          for resource in resources:
-            webhooks = resource.get("webhooks")
-            if not webhooks:
-              continue
-
-            print("removecabundles is processing resource", resource["kind"], resource["metadata"]["name"])
-            for webhook in webhooks:
-              if not webhook.get("clientConfig"):
-                continue
-              if not webhook["clientConfig"].get("caBundle"):
-                continue
-
-              print("removecabundles is processing webhook", webhook["name"])
-
-              webhook["clientConfig"].pop("caBundle")
-
-          for resource in resources:
-            spec = resource.get("spec")
-            if not spec:
-              continue
-
-            conversion = spec.get("conversion")
-            if not conversion:
-              continue
-
-            webhook = conversion.get("webhook")
-            if not webhook:
-              continue
-
-            clientConfig = webhook.get("clientConfig")
-            if not clientConfig:
-              continue
-
-            clientConfig.pop("caBundle", "noexist")
-
-        removecabundles(ctx.resource_list["items"])
-  - name: add-port-protocol
-    image: gcr.io/kpt-fn/starlark:unstable
-    configMap:
-      source: |
-        def addportprotocol(resources):
-          for resource in resources:
-            spec = resource.get("spec")
-            if not spec:
-              continue
-
-            ports = spec.get("ports")
-            if not ports:
-              continue
-
-            for port in ports:
-              port.setdefault("protocol", "TCP")
-
-        addportprotocol(ctx.resource_list["items"])

cluster-api/v1alpha3/bootstrap/kubeadm/capi-kubeadm-bootstrap-system/deployment_capi-kubeadm-bootstrap-controller-manager.yaml

@@ -1,7 +1,6 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  creationTimestamp: null
   labels:
     cluster.x-k8s.io/provider: bootstrap-kubeadm
     clusterctl.cluster.x-k8s.io: ""

cluster-api/v1alpha3/bootstrap/kubeadm/capi-kubeadm-bootstrap-system/rolebinding_capi-kubeadm-bootstrap-leader-election-rolebinding.yaml

@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  creationTimestamp: null
   labels:
     cluster.x-k8s.io/provider: bootstrap-kubeadm
     clusterctl.cluster.x-k8s.io: ""

cluster-api/v1alpha3/bootstrap/kubeadm/capi-webhook-system/deployment_capi-kubeadm-bootstrap-controller-manager.yaml

@@ -1,7 +1,6 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  creationTimestamp: null
   labels:
     cluster.x-k8s.io/provider: bootstrap-kubeadm
     clusterctl.cluster.x-k8s.io: ""

cluster-api/v1alpha3/bootstrap/kubeadm/clusterrole_capi-kubeadm-bootstrap-system-capi-kubeadm-bootstrap-manager-role.yaml

@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  creationTimestamp: null
   labels:
     cluster.x-k8s.io/provider: bootstrap-kubeadm
     clusterctl.cluster.x-k8s.io: ""

cluster-api/v1alpha3/bootstrap/kubeadm/clusterrolebinding_capi-kubeadm-bootstrap-system-capi-kubeadm-bootstrap-manager-rolebinding.yaml

@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  creationTimestamp: null
   labels:
     cluster.x-k8s.io/provider: bootstrap-kubeadm
     clusterctl.cluster.x-k8s.io: ""

cluster-api/v1alpha3/bootstrap/kubeadm/clusterrolebinding_capi-kubeadm-bootstrap-system-capi-kubeadm-bootstrap-proxy-rolebinding.yaml

@@ -1,7 +1,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  creationTimestamp: null
   labels:
     cluster.x-k8s.io/provider: bootstrap-kubeadm
     clusterctl.cluster.x-k8s.io: ""

cluster-api/v1alpha3/bootstrap/kubeadm/customresourcedefinition_kubeadmconfigs.bootstrap.cluster.x-k8s.io.yaml

@@ -4,7 +4,6 @@ metadata:
   annotations:
     cert-manager.io/inject-ca-from: capi-webhook-system/capi-kubeadm-bootstrap-serving-cert # kpt-set: ${capi-webhook-system-namespace}/capi-kubeadm-bootstrap-serving-cert
     controller-gen.kubebuilder.io/version: v0.2.9
-  creationTimestamp: null
   labels:
     cluster.x-k8s.io/provider: bootstrap-kubeadm
     cluster.x-k8s.io/v1alpha2: v1alpha2