From 18ed9ce1cc81cfaf01caef70ecb4dcd6664ce25a Mon Sep 17 00:00:00 2001 From: Michael Zalimeni Date: Thu, 1 Aug 2024 19:38:50 -0400 Subject: [PATCH] openshift: re-order SCC volume list for Argo sync Due to logic in OpenShift's admissions hook that force-reorders explicit and implicit entries in this list, our `SecurityContextConstraints` entries will never successfully sync via tools like ArgoCD, which expect an exact input and output match when diff'ing. More details on the problem addressed by this change and potential future improvements to avoid it in the future can be found in https://github.com/hashicorp/consul-k8s/issues/4208 (see comments). --- .../templates/client-securitycontextconstraints.yaml | 10 +++++++--- .../templates/cni-securitycontextconstraints.yaml | 6 +++++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/charts/consul/templates/client-securitycontextconstraints.yaml b/charts/consul/templates/client-securitycontextconstraints.yaml index 07e7711384..9573fc4239 100644 --- a/charts/consul/templates/client-securitycontextconstraints.yaml +++ b/charts/consul/templates/client-securitycontextconstraints.yaml @@ -44,13 +44,17 @@ supplementalGroups: type: MustRunAs users: [] volumes: +# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks. +# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be +# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements. +# Both of these are necessary ensure successful change detection by third-party diff tools like ArgoCD. - configMap - downwardAPI - emptyDir -- persistentVolumeClaim -- projected -- secret {{- if .Values.client.dataDirectoryHostPath }} - hostPath {{- end }} +- persistentVolumeClaim +- projected +- secret {{- end}} diff --git a/charts/consul/templates/cni-securitycontextconstraints.yaml b/charts/consul/templates/cni-securitycontextconstraints.yaml index 2c09dba9b8..0042e71103 100644 --- a/charts/consul/templates/cni-securitycontextconstraints.yaml +++ b/charts/consul/templates/cni-securitycontextconstraints.yaml @@ -40,11 +40,15 @@ supplementalGroups: type: MustRunAs users: [] volumes: +# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks. +# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be +# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements. +# Both of these are necessary ensure successful change detection by third-party diff tools like ArgoCD. - configMap - downwardAPI - emptyDir +- hostPath - persistentVolumeClaim - projected - secret -- hostPath {{- end }}