[pull] main from nephio-project:main

.prow.yaml

@@ -119,6 +119,86 @@ postsubmits:
               - key: .dockerconfigjson
                 path: config.json
 
+  - name: build-push-argocd-kpt-repo-plugin-dev-image
+    cluster: default
+    always_run: true
+    branches:
+    - "main"
+    annotations:
+      description: Build and Push ArgoCD KPT Repo Plugin Dev Image to DockerHub
+    decorate: true
+    decoration_config:
+      censor_secrets: true
+    max_concurrency: 1
+    extra_refs:
+    - org: nephio-project
+      repo: nephio
+      base_ref: main
+      path_alias: "nephio_build"
+    spec:
+      containers:
+      - name: kaniko
+        image: gcr.io/kaniko-project/executor:debug
+        command:
+        - "/bin/sh"
+        - "-c"
+        - |
+          executor --context=/home/prow/go/src/nephio_build/gitops-tools/kpt-argocd-cmp/kpt-repo/ --dockerfile=Dockerfile --destination=nephio/kpt-repo-plugin:${BUILD_ID} --destination=nephio/kpt-repo-plugin:latest
+        volumeMounts:
+          - name: kaniko-secret
+            mountPath: /kaniko/.docker/
+        resources:
+          requests:
+            cpu: 1
+            memory: 1Gi
+      volumes:
+        - name: kaniko-secret
+          secret:
+            secretName: regcred
+            items:
+              - key: .dockerconfigjson
+                path: config.json
+
+  - name: build-push-argocd-kpt-render-plugin-dev-image
+    cluster: default
+    always_run: true
+    branches:
+    - "main"
+    annotations:
+      description: Build and Push ArgoCD KPT Render Plugin Dev Image to DockerHub
+    decorate: true
+    decoration_config:
+      censor_secrets: true
+    max_concurrency: 1
+    extra_refs:
+    - org: nephio-project
+      repo: nephio
+      base_ref: main
+      path_alias: "nephio_build"
+    spec:
+      containers:
+      - name: kaniko
+        image: gcr.io/kaniko-project/executor:debug
+        command:
+        - "/bin/sh"
+        - "-c"
+        - |
+          executor --context=/home/prow/go/src/nephio_build/gitops-tools/kpt-argocd-cmp/kpt-render/ --dockerfile=Dockerfile --destination=nephio/kpt-render-plugin:${BUILD_ID} --destination=nephio/kpt-render-plugin:latest
+        volumeMounts:
+          - name: kaniko-secret
+            mountPath: /kaniko/.docker/
+        resources:
+          requests:
+            cpu: 1
+            memory: 1Gi
+      volumes:
+        - name: kaniko-secret
+          secret:
+            secretName: regcred
+            items:
+              - key: .dockerconfigjson
+                path: config.json
+
   - name: build-push-o2-ims-operator-dev-image
     cluster: default
     always_run: true

gitops-tools/kpt-argocd-cmp/README.md

@@ -0,0 +1,16 @@
+# kpt-argocd-cmp
+Nephio heavily relies on kpt to package, render, mutate, validate and generate Kubernetes objects. ArgoCD doesn't currently have a built-in plugin to handle installation of manifests, and, as such, this repo introduces a plugin specifically built to render the kpt package pipeline properly. It consists of two [Conifg Management Plugins](https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/) (CMPs) for ArgoCD that handle the creation of package applications and local configs.
+
+This work is adapted from the [treactor-krm-functions/argo](https://github.com/treactor/treactor-krm-functions/tree/main/argo) PoC.
+
+## kpt-repo
+This plugin creates an "app-of-apps" style ArgoCD Application that takes a source repository and looks for Kptfiles to create ArgoCD applications for the cooresponding packages.
+
+## kpt-render
+The applications created by `kpt-repo` will target a second plugin, `kpt-render`, that filters out KRM files with the `config.kubernetes.io/local-config: "true"` annotation, or,  that are Kustomize files. This deals with a primary limitation of ArgoCD, where for plain yaml packages, it will attempt to install the `local-config` manifests into the destination cluster.  
+
+## patch.sh
+This file applies the plugins to the `argocd-repo-server` pod, using the images created via the corresponding Dockerfiles and pushed to a registery. Once patched, `argo-repo-server` will deploy containers for each plugin based on the images provided. 
+
+## Usage
+In order for one to use the plugin, our prefered method is to target `kpt-repo` as the plugin for an ArgoCD Application. This mapping works in our use case as this "app-of-apps" Application represents a repository source and cluster destination. There are other methods to target CMPs (such as discovery rules) that are outside of the scope of this work.

gitops-tools/kpt-argocd-cmp/kpt-render/Dockerfile

@@ -0,0 +1,25 @@
+ARG BUILDER_IMAGE=golang:1.23.5
+ARG BASE_IMAGE=quay.io/argoproj/argocd:v3.0.6
+
+FROM --platform=$BUILDPLATFORM ${BUILDER_IMAGE} AS build
+
+ENV CGO_ENABLED=0
+ENV GO111MODULE=on
+
+WORKDIR /go/src/kpt-render
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY main.go ./
+
+ARG TARGETOS
+ARG TARGETARCH
+RUN GOOS="$TARGETOS" GOARCH="$TARGETARCH" go build -trimpath -ldflags="-s -w" -o /usr/local/bin/kpt-render
+
+FROM ${BASE_IMAGE}
+
+COPY --from=build /usr/local/bin/kpt-render /usr/local/bin/kpt-render
+
+WORKDIR /home/argocd/cmp-server/config
+COPY kpt-render-plugin.yaml ./plugin.yaml

gitops-tools/kpt-argocd-cmp/kpt-render/Makefile

@@ -0,0 +1,31 @@
+#  Copyright 2025 The Nephio Authors.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+IMAGE_TAG ?= latest
+REGISTRY ?= docker.io/nephio
+IMAGE_NAME ?= kpt-render-plugin
+IMG ?= $(REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG)
+
+include ../../../detect-container-runtime.mk
+include ../../../default-go.mk
+include ../../../default-help.mk
+
+##@ Container images
+.PHONY: docker-build
+docker-build:  ## Build a container image from the local Dockerfile
+	$(CONTAINER_RUNTIME) buildx build --load --tag  ${IMG} -f ./Dockerfile ./
+
+.PHONY: docker-push
+docker-push: docker-build ## Build and push the container image
+	$(CONTAINER_RUNTIME) push ${IMG}

gitops-tools/kpt-argocd-cmp/kpt-render/go.mod

@@ -0,0 +1,36 @@
+module github.com/treactor/treactor-kpt-functions/argo/kpt-render
+
+go 1.23.5
+
+require github.com/GoogleContainerTools/kpt-functions-sdk/go/fn v0.0.0-20250605065354-afe329cf801e
+
+require (
+	github.com/GoogleContainerTools/kpt-functions-sdk/go/api v0.0.0-20250605065354-afe329cf801e // indirect
+	github.com/PuerkitoBio/purell v1.1.1 // indirect
+	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-errors/errors v1.0.1 // indirect
+	github.com/go-logr/logr v1.2.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.19.6 // indirect
+	github.com/go-openapi/swag v0.21.1 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/gnostic v0.5.7-v3refs // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/stretchr/testify v1.8.0 // indirect
+	github.com/xlab/treeprint v1.1.0 // indirect
+	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
+	google.golang.org/protobuf v1.28.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apimachinery v0.24.0 // indirect
+	k8s.io/klog/v2 v2.60.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220401212409-b28bf2818661 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.13.7-0.20220418212550-9d5491c2e20c // indirect
+)