SYSTEM Cited by 1 source

Kustomize

Kustomize is a Kubernetes-native configuration-customisation tool that composes raw Kubernetes manifests via overlays + generators rather than templating. It ships as a standalone binary and is built into kubectl as kubectl apply -k. Its core primitives are kustomization.yaml (the root of an overlay description), configMapGenerator / secretGenerator (produce ConfigMaps / Secrets from files, optionally with a hash suffix on the name), patches (strategic-merge or JSON-patch overrides for upstream manifests), and helmCharts (inflate a Helm chart inline as an overlay component, gated behind the --enable-helm build option).

Stub page — expand on future Kustomize-internals sources.

How Kustomize composes with Helm

Kustomize is a direct peer to Helm — they are alternative packaging layers for Kubernetes manifests, and both can be used independently. They compose when Kustomize wraps a Helm chart via helmCharts entries in kustomization.yaml:

# kustomization.yaml (excerpt)
configMapGenerator:
  - name: connect-streams
    files:
      - config/first-names.yaml
      - config/last-names.yaml
generatorOptions:
  disableNameSuffixHash: false   # produce hash-suffixed CM names

helmCharts:
  - name: connect
    repo: https://charts.redpanda.com
    version: 3.1.0
    releaseName: redpanda-connect-streams
    namespace: redpanda-connect
    includeCRDs: true
    valuesFile: streams-mode.yaml

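Precondition for use under Argo CD: set kustomize.buildOptions: --enable-helm --load-restrictor LoadRestrictionsNone on the argocd-cm ConfigMap and restart repo-server + application-controller. Without --enable-helm, the build fails because Helm chart inflation is off by default in Kustomize for security reasons (Helm chart execution is Turing-complete templating). The second option, --load-restrictor LoadRestrictionsNone, removes Kustomize's default restriction that a kustomization may only load files from inside its own root directory; because kustomize.buildOptions in argocd-cm is an instance-wide setting, both options take effect across the Kustomize applications that Argo CD instance builds, not only this one.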

Canonical ConfigMap-hash-rollout mechanism

When disableNameSuffixHash: false (the default), configMapGenerator appends a content-hash suffix to the generated ConfigMap name: connect-streams becomes connect-streams-abc123def. Any consumer that references the generated ConfigMap by name gets the hashed name substituted during kustomize build. When the underlying file contents change, the ConfigMap name changes, so Kubernetes treats it as a new object and the pod template of each workload that references it changes as well, which triggers a rolling restart of every pod that mounts it.

Canonicalised on the wiki as ConfigMap hash rollout — the mechanism by which Kustomize turns "edit a config file" into "roll the pods" without additional operator intervention.
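
The rollout mechanism described above, modelled in Python as an added example (not code from Kustomize or from the source tutorial). The suffix here is a truncated SHA-256 over a canonical JSON form, a simplification rather than Kustomize's exact hash encoding, and the Deployment, file contents and function names are constructed for illustration.

```python
import hashlib
import json

# Fields through which a pod spec refers to a ConfigMap by name.
REF_KEYS = {"configMap", "configMapRef", "configMapKeyRef"}


def hashed_name(base, data):
    """Return base plus a content-derived suffix (simplified, not Kustomize's exact hash)."""
    canonical = json.dumps({"kind": "ConfigMap", "name": base, "data": data}, sort_keys=True)
    return f"{base}-{hashlib.sha256(canonical.encode()).hexdigest()[:10]}"


def rewrite_refs(node, renames):
    """Recursively replace ConfigMap names in every reference field of a manifest."""
    if isinstance(node, list):
        return [rewrite_refs(item, renames) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        if key in REF_KEYS and isinstance(value, dict) and value.get("name") in renames:
            value = {**value, "name": renames[value["name"]]}
        out[key] = rewrite_refs(value, renames)
    return out


def build(deployment, base, files):
    """Model of one build: generate the hashed name and point the workload at it."""
    name = hashed_name(base, files)
    return name, rewrite_refs(deployment, {base: name})


# Constructed sample input: a Deployment that consumes the generated ConfigMap.
DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "redpanda-connect-streams"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "connect", "envFrom": [{"configMapRef": {"name": "connect-streams"}}]}],
        "volumes": [{"name": "streams", "configMap": {"name": "connect-streams"}}],
    }}},
}
FILES_V1 = {"first-names.yaml": "input: {}\n", "last-names.yaml": "input: {}\n"}
FILES_V2 = {**FILES_V1, "last-names.yaml": "input: {generate: {}}\n"}  # edited pipeline

if __name__ == "__main__":
    for files in (FILES_V1, FILES_V1, FILES_V2):
        name, rendered = build(DEPLOYMENT, "connect-streams", files)
        print(name, json.dumps(rendered["spec"]["template"]["spec"]["volumes"]))
```

The first two builds print the same name, so the pod template is unchanged and nothing rolls; the third prints a new name in both the ConfigMap and the rewritten references, which is the pod-template change that drives the rollout.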

Seen in

  • sources/2025-12-02-redpanda-operationalize-redpanda-connect-with-gitops — canonical wiki instance of Kustomize wrapping a Helm chart + ConfigMap-hash-driven rolling restart in a GitOps Argo CD deployment. The tutorial demonstrates the patterns/kustomize-wraps-helm-chart pattern as the substrate for Redpanda Connect Streams-mode pipelines: each pipeline YAML file becomes a file-entry in configMapGenerator, the Helm chart for Redpanda Connect is inflated via helmCharts, and Argo CD auto-detects the kustomization.yaml to pick the Kustomize toolchain. Verbatim mechanism: "Kustomize generated a new hashed ConfigMap name when the pipeline configuration changed and rewrote the Helm chart references so the deployment points to the new hash. ArgoCD then executed a rolling restart with graceful component shutdown to minimize the data loss."
Last updated · 470 distilled / 1,213 read