score-compose patch templates

patch templates of score-compose

  2 minute read  

Overview

A common requirement is for Platform Engineers to slightly modify or adjust the output of the conversion process, and this seemlessly for their Developers. This can be done by providing one or more patching templates at init time. These patching templates generate JSON patches which are applied on top of the output compose file, just before being written. Patching templates have access to the current compose spec as .Compose, the map of workload name to Score Spec as .Workloads, and can use any functions from Masterminds/sprig.

In this way, you can extend the behavior of the score-compose implementation.

Each template file is evaluated as a Golang text/template and should output a yaml/json encoded array of patches. Each patch is an object with required op (set or delete), patch (a dot-separated json path, use backslash to escape), a value if the op is set, and an optional description for showing in the logs.

Example of paths:

services.some\.thing     # patches the some.thing service
services.foo.ports.0     # modifies the first item in the ports array
services.foo.ports.-1    # adds to the end of the ports array
something.:0000.xyz      # patches the xyz item in the "0000" item of something (: escapes a numeric index)

Example

Here is a concrete example showing how to inject more security for each Workload by using this template score-compose/unprivileged.tpl:

{{ range $name, $spec := .Workloads }}
{{ range $cname, $_ := $spec.containers }}
- op: set
  path: services.{{ $name }}-{{ $cname }}.read_only
  value: true
- op: set
  path: services.{{ $name }}-{{ $cname }}.user
  value: "65532"
- op: set
  path: services.{{ $name }}-{{ $cname }}.cap_drop
  value: ["ALL"]
{{ end }}
{{ end }}

Use a patch template

Run this command to import this patch template:

score-compose init --patch-templates https://raw.githubusercontent.com/score-spec/community-patchers/refs/heads/main/score-compose/unprivileged.tpl

Run the generate command:

score-compose generate score.yaml

And then see that this patch template was applied on the final generated compose.yaml file.

Write your own patch template

A list of patch templates shared by the community can be found here. Users are encouraged to use them and contribute to this growing list of patch templates.

Last modified June 15, 2025: CLI: `--namespace` and `--generate-namespace` (#191) (5668fc1)