feat(builtins): built-in runtime for apply-replacements and starlark (#4307)

Closes #4307

Implements a built-in runtime for curated KRM functions inside kpt,

allowing apply-replacements and starlark to run without pulling images

from Docker Hub, eliminating the external SDK dependency.

Avoids circular dependency between Porch and kpt by moving the built-in

runtime concept into kpt directly using kyaml/fn/framework instead of

krm-functions-sdk.

A thread-safe self-registration registry (internal/builtins/registry)

allows KRM function implementations to register themselves via init().

The fnruntime runner checks this registry before falling back to Docker

or WASM, preserving existing behavior for unregistered functions.

Priority order in fnruntime/runner.go:

1. pkg-context builtin (existing)

2. Builtin registry (new, no Docker needed)

3. Docker / WASM (fallback, unchanged)

- apply-replacements: ghcr.io/kptdev/krm-functions-catalog/apply-replacements

- starlark: ghcr.io/kptdev/krm-functions-catalog/starlark

- Removed dependency on krm-functions-sdk/go/fn and krm-functions-catalog/starlark

- Vendored starlark runtime locally using kyaml/yaml instead of SDK

[PASS] apply-replacements in 0s (no Docker)

[PASS] starlark in 0s (no Docker)

Signed-off-by: abdulrahman11a <abdulrahmanfikry1@gmail.com>

Author: Your Name

internal/builtins/registry/registry.go

@@ -48,7 +48,7 @@ func Lookup(imageName string) BuiltinFunction {
 	}
 	fn := registry[normalized]
 	if fn != nil && imageName != normalized {
-		klog.Warningf("WARNING: builtin function %q is being used instead of the requested image %q. "+
+		klog.V(4).Infof("builtin function %q is being used instead of the requested image %q. "+
 			"The built-in implementation may differ from the pinned version.", normalized, imageName)
 	}
 	return fn

internal/builtins/starlark/processor_test.go

@@ -21,26 +21,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"sigs.k8s.io/kustomize/kyaml/fn/framework"
 	"sigs.k8s.io/kustomize/kyaml/kio"
-	"sigs.k8s.io/kustomize/kyaml/yaml"
 )
 
-func parseResourceList(t *testing.T, input string) *framework.ResourceList {
-	t.Helper()
-	rw := &kio.ByteReader{Reader: strings.NewReader(input)}
-	nodes, err := rw.Read()
-	assert.NoError(t, err)
-
-	rl := &framework.ResourceList{Items: nodes}
-	node, err := yaml.Parse(input)
-	if err == nil {
-		fc := node.Field("functionConfig")
-		if fc != nil && fc.Value != nil {
-			rl.FunctionConfig = fc.Value
-		}
-	}
-	return rl
-}
-
 func TestProcess_SetNamespace(t *testing.T) {
 	input := `apiVersion: config.kubernetes.io/v1
 kind: ResourceList

internal/builtins/starlark/runtime/context.go

@@ -41,14 +41,24 @@ func oa() (starlark.Value, error) {
 	return interfaceToValue(openapi.Schema())
 }
 
+// allowlist of safe environment variables to expose to starlark scripts
+var allowedEnvVars = map[string]bool{
+	"HOME":     true,
+	"PATH":     true,
+	"USER":     true,
+	"HOSTNAME": true,
+}
+
 func env() (starlark.Value, error) {
 	env := map[string]interface{}{}
 	for _, e := range os.Environ() {
 		pair := strings.SplitN(e, "=", 2)
 		if len(pair) < 2 {
 			continue
 		}
-		env[pair[0]] = pair[1]
+		if allowedEnvVars[pair[0]] {
+			env[pair[0]] = pair[1]
+		}
 	}
 	value, err := util.Marshal(env)
 	if err != nil {

internal/builtins/starlark/runtime/doc.go

@@ -9,26 +9,22 @@
 // Examples: https://github.com/cruise-automation/isopod, https://qri.io/docs/starlark/starlib,
 // https://github.com/stripe/skycfg, https://github.com/k14s/ytt
 //
-// The resources are provided to the starlark program through the global variable "resourceList".
-// "resourceList" is a dictionary containing an "items" field with a list of resources.
-// The starlark modified "resourceList" is the Filter output.
+// The resources are provided to the starlark program through ctx.resource_list.
+// ctx.resource_list is a dictionary containing an "items" field with a list of resources.
+// The starlark-modified ctx.resource_list is the Filter output.
 //
-// After being run through the starlark program, the filter will copy the comments from the input
-// resources to restore them -- due to them being dropped as a result of serializing the resources
-// as starlark values.
-//
-// "resourceList" may also contain a "functionConfig" entry to configure the starlark script itself.
-// Changes made by the starlark program to the "functionConfig" will be reflected in the
+// ctx.resource_list may also contain a "functionConfig" entry to configure the starlark script
+// itself. Changes made by the starlark program to the "functionConfig" will be reflected in the
 // Filter.FunctionConfig value.
 //
 // The Filter will also format the output so that output has the preferred field ordering
 // rather than an alphabetical field ordering.
 //
-// The resourceList variable adheres to the kustomize function spec as specified by:
+// The ctx.resource_list value adheres to the kustomize function spec as specified by:
 // https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/docs/api-conventions/functions-spec.md
 //
-// All items in the resourceList are resources represented as starlark dictionaries/
-// The items in the resourceList respect the io spec specified by:
+// All items in ctx.resource_list are resources represented as starlark dictionaries/
+// The items in ctx.resource_list respect the io spec specified by:
 // https://github.com/kubernetes-sigs/kustomize/blob/master/cmd/config/docs/api-conventions/config-io.md
 //
 // The starlark language spec can be found here:

internal/builtins/starlark/runtime/starlark.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"time"
 
 	"github.com/qri-io/starlib/util"
 	"go.starlark.net/resolve"
@@ -58,7 +59,6 @@ func (sf *Filter) setup() error {
 		return errors.Errorf("Filter Path, Program and URL are mutually exclusive")
 	}
 
-	// read the program from a file
 	if sf.Path != "" {
 		b, err := os.ReadFile(sf.Path)
 		if err != nil {
@@ -67,18 +67,20 @@ func (sf *Filter) setup() error {
 		sf.Program = string(b)
 	}
 
-	// read the program from a URL
 	if sf.URL != "" {
 		err := func() error {
-			resp, err := http.Get(sf.URL)
+			client := &http.Client{Timeout: 30 * time.Second}
+			resp, err := client.Get(sf.URL)
 			if err != nil {
 				return err
 			}
-
 			defer func() {
 				_ = resp.Body.Close()
 			}()
-
+			if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+				return fmt.Errorf("failed to fetch starlark program from %s: HTTP %d",
+					sf.URL, resp.StatusCode)
+			}
 			b, err := io.ReadAll(resp.Body)
 			if err != nil {
 				return err

internal/fnruntime/runner.go

@@ -86,6 +86,7 @@ func NewRunner(
 		} else if runner != nil {
 			fltr.Run = runner.Run
 		}
+
 	}
 	if fltr.Run == nil {
 		if f.Image == runneroptions.FuncGenPkgContext {
@@ -233,7 +234,7 @@ func (fr *FunctionRunner) Filter(input []*yaml.RNode) (output []*yaml.RNode, err
 			return nil, errors.ErrAlreadyHandled
 		}
 		// for builtin functions, print stderr from fnResult if available
-		if fr.fnResult.Stderr != "" {
+		if err != nil && fr.fnResult.Stderr != "" {
 			printFnStderr(fr.ctx, fr.fnResult.Stderr)
 			pr.Printf("  Exit code: %d\n\n", fr.fnResult.ExitCode)
 			return nil, errors.ErrAlreadyHandled
@@ -295,7 +296,15 @@ func (fr *FunctionRunner) do(input []*yaml.RNode) (output []*yaml.RNode, err err
 			fnResult.Stderr = execErr.Stderr
 		} else {
 			// builtin functions don't return ExecError, populate stderr from error message
-			fnResult.Stderr = err.Error()
+			if fnResult.Stderr == "" {
+				fnResult.Stderr = err.Error()
+			} else if !strings.Contains(fnResult.Stderr, err.Error()) {
+				if strings.HasSuffix(fnResult.Stderr, "\n") {
+					fnResult.Stderr += err.Error()
+				} else {
+					fnResult.Stderr += "\n" + err.Error()
+				}
+			}
 		}
 		// accumulate the results
 		fr.fnResults.Items = append(fr.fnResults.Items, *fnResult)