openshift: re-order SCC volume list for Argo sync

Due to logic in OpenShift's admissions hook that force-reorders explicit
and implicit entries in this list, our `SecurityContextConstraints`
entries will never successfully sync via tools like ArgoCD, which expect
an exact input and output match when diff'ing.

More details on the problem addressed by this change and potential
future improvements to avoid it in the future can be found in
#4208 (see comments).

charts/consul/templates/client-securitycontextconstraints.yaml

@@ -44,13 +44,17 @@ supplementalGroups:
   type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# Both of these are necessary ensure successful change detection by third-party diff tools like ArgoCD.
 - configMap
 - downwardAPI
 - emptyDir
-- persistentVolumeClaim
-- projected
-- secret
 {{- if .Values.client.dataDirectoryHostPath }}
 - hostPath
 {{- end }}
+- persistentVolumeClaim
+- projected
+- secret
 {{- end}}

charts/consul/templates/cni-securitycontextconstraints.yaml

@@ -40,11 +40,15 @@ supplementalGroups:
   type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# Both of these are necessary ensure successful change detection by third-party diff tools like ArgoCD.
 - configMap
 - downwardAPI
 - emptyDir
+- hostPath
 - persistentVolumeClaim
 - projected
 - secret
-- hostPath
 {{- end }}