Backport of [NET-10547] openshift: re-order SCC volume list for Argo sync into release/1.3.x (#4234)

backport of commit cd0cd19

Co-authored-by: Michael Zalimeni <[email protected]>
hc-github-team-consul-core and zalimeni authored Aug 6, 2024
1 parent 37ac56b commit 617104d
Showing 3 changed files with 18 additions and 4 deletions.
4 changes: 4 additions & 0 deletions .changelog/4227.txt
@@ -0,0 +1,4 @@
```release-note:bug
openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical.
```
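Review bot: the release note states that the volumes are now ordered alphabetically but not which objects are affected; only the client and cni SecurityContextConstraints change in this commit, so naming them (e.g. "order the client and cni SecurityContextConstraint volumes alphabetically") tells operators exactly which rendered resources will show a one-time diff on upgrade.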
11 changes: 8 additions & 3 deletions charts/consul/templates/client-securitycontextconstraints.yaml
Expand Up @@ -13,6 +13,7 @@ metadata:
annotations:
kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required
to run the consul client.
# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
{{- if .Values.client.dataDirectoryHostPath }}
allowHostDirVolumePlugin: true
{{- else }}
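Review bot: "Iff." in the new comment reads like a typo rather than the abbreviation for "if and only if"; spell it out, e.g. `# If and only if allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).`, so the next reader does not "correct" it. The gate on `.Values.client.dataDirectoryHostPath` is unchanged here, so hostPath access stays opt-in for the client SCC, which is the right default to preserve.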
Expand Down Expand Up @@ -44,13 +45,17 @@ supplementalGroups:
type: MustRunAs
users: []
volumes:
# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
{{- if .Values.client.dataDirectoryHostPath }}
- hostPath
{{- end }}
- persistentVolumeClaim
- projected
- secret
{{- end}}
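Review bot: the alphabetical order is enforced only by a comment, so a future volume type appended at the end of the list would silently reintroduce the ArgoCD drift this commit fixes; add a chart test that renders this template with `client.dataDirectoryHostPath` both set and unset and asserts the exact `volumes` sequence (`configMap, downwardAPI, emptyDir, hostPath, persistentVolumeClaim, projected, secret` when set, the same list without `hostPath` when unset). Also, the closing `{{- end}}` lacks the space used elsewhere in this template (`{{- end }}`); it is unchanged context, but worth normalising while this block is being touched.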
7 changes: 6 additions & 1 deletion charts/consul/templates/cni-securitycontextconstraints.yaml
Expand Up @@ -13,6 +13,7 @@ metadata:
annotations:
kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required
to run consul-cni.
# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
allowHostDirVolumePlugin: true
allowHostIPC: false
allowHostNetwork: false
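Review bot: this comment was copied from the client template, but here `allowHostDirVolumePlugin: true` is unconditional, so the "Iff." conditional phrasing is misleading; state the actual invariant instead, e.g. `# allowHostDirVolumePlugin is always true for the CNI plugin, so hostPath must always appear in volumes (see below).`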
Expand Down Expand Up @@ -40,11 +41,15 @@ supplementalGroups:
type: MustRunAs
users: []
volumes:
# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
- configMap
- downwardAPI
- emptyDir
- hostPath
- persistentVolumeClaim
- projected
- secret
- hostPath
{{- end }}
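Review bot: the sentence "It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements." in the four-line comment describes a branch that cannot occur in this template, since the flag is hard-coded to true above; trim the comment to the ordering rule and the unconditional hostPath requirement so it does not imply a conditional that does not exist. Moving `hostPath` from the end of the list to between `emptyDir` and `persistentVolumeClaim` is the correct alphabetical position and leaves the granted volume set identical, so this hunk is ordering only.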
