✅ Deploy Preview for kptdocs ready!
Pull request overview
This PR adds end-user documentation for running/developing/publishing WASM functions in kpt, and (in the same change set) introduces a new CEL-based condition field on Kptfile pipeline functions to enable conditional function execution.
Changes:
- Adds a comprehensive “Using WASM Functions” guide (run, eval, push/pull, Go build tags, limitations).
- Extends `kptfile.v1.Function` with a `condition` field and evaluates it before executing a function.
- Adds a CEL evaluator implementation + unit/E2E-style tests, and updates Go module dependencies for CEL.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| pkg/api/kptfile/v1/types.go | Adds Function.Condition (CEL) field to the Kptfile API. |
| internal/fnruntime/runner.go | Initializes and uses a CEL evaluator to skip function execution when condition is false. |
| internal/fnruntime/celeval.go | New CEL evaluator implementation for evaluating conditions against resource inputs. |
| internal/fnruntime/celeval_test.go | Unit tests for CEL evaluator behavior and errors. |
| internal/fnruntime/conditional_e2e_test.go | End-to-end style tests for conditional execution behavior in FunctionRunner. |
| go.mod / go.sum | Adds github.com/google/cel-go and related transitive dependencies. |
| documentation/content/en/book/04-using-functions/wasm-functions.md | New documentation page describing the WASM function workflow in kpt. |
internal/fnruntime/celeval.go
Outdated
| // Create the program with cost tracking to prevent resource exhaustion | ||
| // This enforces a runtime cost limit similar to Kubernetes ValidatingAdmissionPolicy | ||
| prg, err := env.Program(ast, cel.CostTracking(nil)) | ||
| if err != nil { | ||
| return nil, fmt.Errorf("failed to create CEL program: %w", err) | ||
| } | ||
|
|
||
| evaluator.prg = prg | ||
| } | ||
|
|
||
| return evaluator, nil | ||
| } | ||
|
|
||
|
|
||
| // EvaluateCondition evaluates a CEL condition expression against a list of resources | ||
| // Returns true if the condition is met, false otherwise | ||
| // The program is pre-compiled, so this just evaluates it with the given resources | ||
| func (e *CELEvaluator) EvaluateCondition(_ context.Context, resources []*yaml.RNode) (bool, error) { | ||
| if e.prg == nil { | ||
| return true, nil | ||
| } | ||
|
|
||
| // Convert resources to a format suitable for CEL | ||
| resourceList, err := e.resourcesToList(resources) | ||
| if err != nil { | ||
| return false, fmt.Errorf("failed to convert resources: %w", err) | ||
| } | ||
|
|
||
| // Evaluate the expression | ||
| out, _, err := e.prg.Eval(map[string]interface{}{ | ||
| "resources": resourceList, | ||
| }) | ||
| if err != nil { | ||
| return false, fmt.Errorf("failed to evaluate CEL expression: %w", err) | ||
| } |
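Review bot: the second return value of `e.prg.Eval(...)` (discarded as `_`) is the EvalDetails that carry the cost CostTracking records, so enabling tracking alone changes nothing at runtime. Pass `cel.CostLimit(<limit>)` next to `cel.CostTracking(nil)` when building the program in the first block, so Eval returns an error once the limit is exceeded, and let EvaluateCondition propagate that error (fail closed) instead of returning true; the comment about enforcing a runtime cost limit then becomes accurate.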
The code comment claims a “runtime cost limit” is enforced, but evaluation currently ignores the returned evaluation details/cost and does not apply any explicit limit. For untrusted packages, a pathological CEL expression could still cause high CPU/memory usage during kpt fn render. Consider enforcing an explicit cost limit (and failing closed when exceeded) and/or bounding input size, and update the comment accordingly.
| 1. Compresses the WASM file into a tar archive | ||
| 2. Creates an OCI image with `wasm/js` platform | ||
| 3. Pushes to the registry |
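Review bot: step 2 writes the platform as `wasm/js`, but OCI/Docker platform strings are ordered os/arch (as in `linux/amd64`), so a Go WASM function built with GOOS=js GOARCH=wasm is displayed as `js/wasm`; state it in that form, or as OS and architecture separately, so readers can match what registries and tooling show.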
Same platform string issue as above: “wasm/js” is ambiguous; prefer “OS=js, arch=wasm” (or the correct OS/arch ordering) so users can match what registries/tools display.
pkg/api/kptfile/v1/types.go
Outdated
| // `Condition` is an optional CEL expression that determines whether this | ||
| // function should be executed. The expression is evaluated against the KRM | ||
| // resources in the package and should return a boolean value. | ||
| // If omitted or evaluates to true, the function executes normally. | ||
| // If evaluates to false, the function is skipped. | ||
| // | ||
| // Example: Check if a specific ConfigMap exists: | ||
| // condition: "resources.exists(r, r.kind == 'ConfigMap' && r.metadata.name == 'my-config')" | ||
| // | ||
| // Example: Check resource count: | ||
| // condition: "resources.filter(r, r.kind == 'Deployment').size() > 0" | ||
| Condition string `yaml:"condition,omitempty" json:"condition,omitempty"` | ||
| } |
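Review bot: the doc comment on `Condition` covers only the true and false outcomes; it should also state what happens when the expression fails to compile, errors at evaluation time, or returns a non-boolean value (the function must neither silently run nor be silently skipped), since this field is read from package content that may be untrusted.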
The PR title/description is about documenting WASM function support, but this change introduces a new condition field (CEL-based conditional execution) in the public Kptfile API and wires it into function execution. Either update the PR metadata/scope to include this feature (and its docs), or split the conditional-execution changes into a separate PR so reviewers/users can evaluate the API/behavior change independently.
Pull request overview
Copilot reviewed 7 out of 8 changed files in this pull request and generated 5 comments.
pkg/api/kptfile/v1/types.go
Outdated
| // `Condition` is an optional CEL expression that determines whether this | ||
| // function should be executed. The expression is evaluated against the KRM | ||
| // resources selected for this function (after applying Selectors and Exclusions) | ||
| // and should return a boolean value. |
The struct comment says the CEL expression is evaluated against the KRM resources in the package, but the current implementation evaluates the condition on the (potentially selector/exclusion-filtered) input passed to the function runner. Either adjust the implementation to evaluate against the full package pipeline input, or update this comment to match the actual semantics.
internal/fnruntime/celeval.go
Outdated
| // Create the program with cost tracking to prevent resource exhaustion | ||
| // This enforces a runtime cost limit similar to Kubernetes ValidatingAdmissionPolicy |
The comment says cost tracking is used “to prevent resource exhaustion” / enforce a runtime cost limit, but the code only enables CostTracking without any explicit cost limit or enforcement. Either add an actual cost limit (and fail evaluation when exceeded) or adjust the comment so it doesn’t claim protections that aren’t implemented.
| // Create the program with cost tracking to prevent resource exhaustion | |
| // This enforces a runtime cost limit similar to Kubernetes ValidatingAdmissionPolicy | |
| // Create the program with cost tracking enabled for observability and analysis. |
| ### Security | ||
|
|
||
| WASM functions run in a sandbox: | ||
| - No network access | ||
| - No filesystem access (except input/output resources) | ||
| - Can't execute system commands |
The “Security” section states WASM functions have no network/filesystem access and no host access by default. kpt supports both wasmtime (default) and node.js-based runtimes (selectable via KPT_FN_WASM_RUNTIME), and the node.js runtime can expose broader host capabilities to Go WASM via syscall/js. Please qualify these claims (e.g., “with wasmtime runtime…”) to avoid overstating the sandbox guarantees.
pkg/api/kptfile/v1/types.go
Outdated
| // If evaluates to false, the function is skipped. | ||
| // |
There’s a blank comment line with trailing whitespace here (// ). Please remove the trailing space to avoid whitespace-only diffs / lint noise.
Add comprehensive documentation for WASM function support in kpt, covering how to run, develop, and deploy WASM functions.

Closes kptdev#4296

Signed-off-by: Surbhi <agarwalsurbhi1807@gmail.com>
e979fbb to 1abf41f
Description
WASM functions are supported in kpt but there's no documentation on how to run, develop, or deploy them. This PR adds a comprehensive guide covering the complete WASM function workflow.
Motivation
Users need documentation to understand:
- the `--allow-alpha-wasm` flag
- `kpt alpha wasm push/pull`

Without this documentation, users have to dig through code or CLI help to figure out WASM support.
Changes
Added `documentation/content/en/book/04-using-functions/wasm-functions.md` covering:
- `fn render` and `fn eval`

The code examples are based on actual WASM functions in krm-functions-catalog (set-namespace, set-labels, starlark) and follow the same pattern with separate build tags for regular and WASM builds.
Fixes #4296