Allow shared ownership of in-cluster objects applied with kubectl

Introduce an annotation that configures kustomize-controller to co-manage objects applied with kubectl.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

api/v1beta2/kustomization_types.go

@@ -34,6 +34,7 @@ const (
 	KustomizationFinalizer    = "finalizers.fluxcd.io"
 	MaxConditionMessageLength = 20000
 	DisabledValue             = "disabled"
+	MergeValue                = "merge"
 )
 
 // KustomizationSpec defines the configuration to calculate the desired state from a Source using Kustomize.

controllers/kustomization_controller.go

@@ -745,6 +745,9 @@ func (r *KustomizationReconciler) apply(ctx context.Context, manager *ssa.Resour
 				OperationType: metav1.ManagedFieldsOperationUpdate,
 			},
 		},
+		Exclusions: map[string]string{
+			fmt.Sprintf("%s/ssa", kustomizev1.GroupVersion.Group): kustomizev1.MergeValue,
+		},
 	}
 
 	// contains only CRDs and Namespaces

docs/spec/v1beta2/kustomization.md

@@ -336,18 +336,15 @@ patching fails due to immutable fields changes.
 The controller can be told to reconcile the Kustomization outside of the specified interval
 by annotating the Kustomization object with:
 
-```go
-const (
-	// ReconcileAtAnnotation is the annotation used for triggering a
-	// reconciliation outside of the defined schedule.
-	ReconcileAtAnnotation string = "reconcile.fluxcd.io/requestedAt"
-)
+```yaml
+reconcile.fluxcd.io/requestedAt: "2022-03-02T13:59:52.758922834Z"
 ```
 
 On-demand execution example:
 
 ```sh
-kubectl annotate --overwrite kustomization/podinfo reconcile.fluxcd.io/requestedAt="$(date +%s)"
+kubectl annotate --field-manager=flux-client-side-apply --overwrite \
+kustomization/podinfo reconcile.fluxcd.io/requestedAt="$(date +%s)"
 ```
 
 List all Kubernetes objects reconciled from a Kustomization:
@@ -360,24 +357,29 @@ kubectl get all --all-namespaces \
 
 You can configure the controller to ignore in-cluster resources by labeling or annotating them:
 
-```sh
-kubectl annotate service/podinfo kustomize.toolkit.fluxcd.io/reconcile=disabled
+```yaml
+kustomize.toolkit.fluxcd.io/reconcile: disabled
 ```
 
 Note that when the `kustomize.toolkit.fluxcd.io/reconcile` annotation is set to `disabled`,
 the controller will no longer apply changes from source, nor will it prune the resource.
 To resume reconciliation, set the annotation to `enabled` or remove it.
 
-If you use kubectl to edit an object managed by Flux,
-all changes will be undone when kustomize-controller reconciles a
-Flux Kustomization containing that object.
-n order for kustomize-controller to preserve fields added with kubectl,
-you have to specify a field manager named `flux-client-side-apply` e.g.:
+If you use kubectl to edit an object managed by Flux, all changes will be undone when
+the controller reconciles a Flux Kustomization containing that object.
+In order to preserve fields added with kubectl, you have to specify a field manager
+named `flux-client-side-apply` e.g.:
 
 ```sh
 kubectl apply --field-manager=flux-client-side-apply
 ```
 
+Another option is to annotate or label objects with:
+
+```yaml
+kustomize.toolkit.fluxcd.io/ssa: merge
+```
+
 Note that the fields defined in manifests will always be overridden,
 the above procedure works only for adding new fields that don’t overlap with the desired state.
 

go.mod

@@ -14,7 +14,7 @@ require (
 	github.com/fluxcd/pkg/apis/kustomize v0.3.1
 	github.com/fluxcd/pkg/apis/meta v0.10.2
 	github.com/fluxcd/pkg/runtime v0.12.5
-	github.com/fluxcd/pkg/ssa v0.14.1
+	github.com/fluxcd/pkg/ssa v0.15.0
 	github.com/fluxcd/pkg/testserver v0.2.0
 	github.com/fluxcd/pkg/untar v0.1.0
 	github.com/fluxcd/source-controller/api v0.21.2
@@ -30,7 +30,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.23.2
 	k8s.io/apimachinery v0.23.2
 	k8s.io/client-go v0.23.2
-	sigs.k8s.io/cli-utils v0.28.0
+	sigs.k8s.io/cli-utils v0.29.2
 	sigs.k8s.io/controller-runtime v0.11.1
 	sigs.k8s.io/kustomize/api v0.11.2
 	sigs.k8s.io/kustomize/kyaml v0.13.3

go.sum

@@ -275,8 +275,8 @@ github.com/fluxcd/pkg/apis/meta v0.10.2 h1:pnDBBEvfs4HaKiVAYgz+e/AQ8dLvcgmVfSeBr
 github.com/fluxcd/pkg/apis/meta v0.10.2/go.mod h1:KQ2er9xa6koy7uoPMZjIjNudB5p4tXs+w0GO6fRcy7I=
 github.com/fluxcd/pkg/runtime v0.12.5 h1:/8+0UBnSHbO9DVG9IFTjc37lwofsixGbs5WpHso8n5s=
 github.com/fluxcd/pkg/runtime v0.12.5/go.mod h1:gspNvhAqodZgSmK1ZhMtvARBf/NGAlxmaZaIOHkJYsc=
-github.com/fluxcd/pkg/ssa v0.14.1 h1:AZxM1VJusAV0r0GgtR43Z8NUI2luV68C/7I0/g28D6c=
-github.com/fluxcd/pkg/ssa v0.14.1/go.mod h1:9HfCfy4COdRt/Ck4T4BPPc3i8MgFZFRlY+Bcm+8vMCw=
+github.com/fluxcd/pkg/ssa v0.15.0 h1:zBAo/kL8+/jbN7u4Z0MF5OUkadEEQGvxVcn3qh0zQjk=
+github.com/fluxcd/pkg/ssa v0.15.0/go.mod h1:FReVLGi6gdtXFn0+3JAELUESz6wX2tsNpovfNq5eRUA=
 github.com/fluxcd/pkg/testserver v0.2.0 h1:Mj0TapmKaywI6Fi5wvt1LAZpakUHmtzWQpJNKQ0Krt4=
 github.com/fluxcd/pkg/testserver v0.2.0/go.mod h1:bgjjydkXsZTeFzjz9Cr4heGANr41uTB1Aj1Q5qzuYVk=
 github.com/fluxcd/pkg/untar v0.1.0 h1:k97V/xV5hFrAkIkVPuv5AVhyxh1ZzzAKba/lbDfGo6o=
@@ -1503,8 +1503,8 @@ rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.25/go.mod h1:Mlj9PNLmG9bZ6BHFwFKDo5afkpWyUISkb9Me0GnK66I=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.27/go.mod h1:tq2nT0Kx7W+/f2JVE+zxYtUhdjuELJkVpNz+x/QN5R4=
-sigs.k8s.io/cli-utils v0.28.0 h1:gsvwqygoXlW2y8CmKdflQJNZp1Yhi4geATW3/Ei7oYc=
-sigs.k8s.io/cli-utils v0.28.0/go.mod h1:WDVRa5/eQBKntG++uyKdyT+xU7MLdCR4XsgseqL5uX4=
+sigs.k8s.io/cli-utils v0.29.2 h1:SaYo2C1xd0MVv65NQXZ6tIqT1W1iWy8CGmC+VnxQGWs=
+sigs.k8s.io/cli-utils v0.29.2/go.mod h1:WDVRa5/eQBKntG++uyKdyT+xU7MLdCR4XsgseqL5uX4=
 sigs.k8s.io/controller-runtime v0.11.0/go.mod h1:KKwLiTooNGu+JmLZGn9Sl3Gjmfj66eMbCQznLP5zcqA=
 sigs.k8s.io/controller-runtime v0.11.1 h1:7YIHT2QnHJArj/dk9aUkYhfqfK5cIxPOX5gPECfdZLU=
 sigs.k8s.io/controller-runtime v0.11.1/go.mod h1:KKwLiTooNGu+JmLZGn9Sl3Gjmfj66eMbCQznLP5zcqA=