score-compose patch templates

patch templates of score-compose

Since score-compose version 0.27.0, Platform Engineers can override or patch the default Workload manifests generated by score-compose generate by using score-compose init --patch-templates. This is seamless for Developers.

Each template file is evaluated as a Go text/template and should output a YAML/JSON-encoded array of patches. Each patch is an object with a required op (set or delete), a required path (a dot-separated JSON path), a value if the op is set, and an optional description that is shown in the logs.

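For example, to harden every Workload, you can use the template score-compose/unprivileged.tpl. For each container of each Workload it sets a read-only root filesystem, runs the container as the non-root user 65532, and drops all Linux capabilities: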

{{ range $name, $spec := .Workloads }}
{{ range $cname, $_ := $spec.containers }}
- op: set
  path: services.{{ $name }}-{{ $cname }}.read_only
  value: true
- op: set
  path: services.{{ $name }}-{{ $cname }}.user
  value: "65532"
- op: set
  path: services.{{ $name }}-{{ $cname }}.cap_drop
  value: ["ALL"]
{{ end }}
{{ end }}

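You can run this command to use this patch template. The URL points at the main branch, so the file it returns can change over time; review the template before applying it, because it rewrites every generated service: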

score-compose init --patch-templates https://raw.githubusercontent.com/score-spec/community-patchers/refs/heads/main/score-compose/unprivileged.tpl

And then the generate command will use it for the generated compose.yaml file:

score-compose generate score.yaml
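
To confirm that the patch actually landed on every service in the generated compose.yaml, the following added example (not part of the original page or of score-compose) audits the three keys that unprivileged.tpl sets. It assumes the file has been converted to JSON first, for example with docker compose -f compose.yaml config --format json; the Audit function, the sample constant and the service names in it are constructed for illustration and follow the template's workload-container naming.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// service keeps only the keys that unprivileged.tpl sets on each service.
type service struct {
	ReadOnly bool     `json:"read_only"`
	User     any      `json:"user"` // string, or a number if unquoted in YAML
	CapDrop  []string `json:"cap_drop"`
}

// Audit returns one sorted finding per key that does not match the patch.
func Audit(composeJSON []byte) ([]string, error) {
	var doc struct{ Services map[string]service `json:"services"` }
	if err := json.Unmarshal(composeJSON, &doc); err != nil {
		return nil, fmt.Errorf("parse compose JSON: %w", err)
	}
	var findings []string
	for name, s := range doc.Services {
		if !s.ReadOnly {
			findings = append(findings, name+": read_only is not true")
		}
		// "uid:gid" is allowed, so only the part before ':' decides root or not.
		uid, _, _ := strings.Cut(fmt.Sprint(s.User), ":")
		if s.User == nil || uid == "" || uid == "0" || uid == "root" {
			findings = append(findings, name+": user is unset or root")
		}
		// Exact match on the value the patch writes ("ALL").
		if !strings.Contains(","+strings.Join(s.CapDrop, ",")+",", ",ALL,") {
			findings = append(findings, name+": cap_drop does not include ALL")
		}
	}
	sort.Strings(findings)
	return findings, nil
}

// sample is constructed input: "web-main" carries the patch, "db-main" does not.
const sample = `{"services":{
 "web-main":{"read_only":true,"user":"65532","cap_drop":["ALL"]},
 "db-main":{"user":"0:0","cap_drop":["NET_RAW"]}}}`

func main() {
	findings, err := Audit([]byte(sample))
	fmt.Println(findings, err)
}
```

An empty result means every service carries all three settings; any finding names the service and the key the patch did not reach.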

A list of patch templates shared by the community can be found here. Users are encouraged to use them and contribute to this growing list of patch templates.