From cd0cd19303bc4328fada8e63c8b990020b4a05d1 Mon Sep 17 00:00:00 2001
From: Michael Zalimeni
Date: Thu, 1 Aug 2024 19:38:50 -0400
Subject: [PATCH] openshift: re-order SCC volume list for Argo sync

Due to logic in OpenShift's admissions hook that force-reorders explicit and implicit entries in this list, our `SecurityContextConstraints` entries will never successfully sync via tools like ArgoCD, which expect an exact input and output match when diff'ing. More details on the problem addressed by this change and potential future improvements to avoid it in the future can be found in https://github.com/hashicorp/consul-k8s/issues/4208 (see comments).
---
 .changelog/4227.txt | 4 ++++
 .../templates/client-securitycontextconstraints.yaml | 11 ++++++++---
 .../templates/cni-securitycontextconstraints.yaml | 7 ++++++-
 3 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 .changelog/4227.txt

diff --git a/.changelog/4227.txt b/.changelog/4227.txt
new file mode 100644
index 0000000000..feb7844aae
--- /dev/null
+++ b/.changelog/4227.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
+This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical.
+```
diff --git a/charts/consul/templates/client-securitycontextconstraints.yaml b/charts/consul/templates/client-securitycontextconstraints.yaml
index 07e7711384..c14dd1c991 100644
--- a/charts/consul/templates/client-securitycontextconstraints.yaml
+++ b/charts/consul/templates/client-securitycontextconstraints.yaml
@@ -13,6 +13,7 @@ metadata:
 annotations:
 kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required to run the consul client.
+# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
 {{- if .Values.client.dataDirectoryHostPath }}
 allowHostDirVolumePlugin: true
 {{- else }}
@@ -44,13 +45,17 @@ supplementalGroups:
 type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
 - configMap
 - downwardAPI
 - emptyDir
-- persistentVolumeClaim
-- projected
-- secret
 {{- if .Values.client.dataDirectoryHostPath }}
 - hostPath
 {{- end }}
+- persistentVolumeClaim
+- projected
+- secret
 {{- end}}
diff --git a/charts/consul/templates/cni-securitycontextconstraints.yaml b/charts/consul/templates/cni-securitycontextconstraints.yaml
index 2c09dba9b8..cb60104cf0 100644
--- a/charts/consul/templates/cni-securitycontextconstraints.yaml
+++ b/charts/consul/templates/cni-securitycontextconstraints.yaml
@@ -13,6 +13,7 @@ metadata:
 annotations:
 kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required to run consul-cni.
+# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
 allowHostDirVolumePlugin: true
 allowHostIPC: false
 allowHostNetwork: false
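Review bot: The four new comment lines above `volumes:` state the OpenShift ordering constraint but not where it was established, so a later maintainer cannot tell whether it still applies to the OpenShift release they run; the commit message already names the tracking issue, so carry it into the first comment line, e.g. `# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks (see hashicorp/consul-k8s#4208).`. The identical comment block in the cni template's volumes hunk should get the same reference. The `- hostPath` entry is the one that decides whether pods admitted under this SCC may mount the host filesystem, so its new position inside the `{{- if .Values.client.dataDirectoryHostPath }}` block is alphabetically correct (after emptyDir, before persistentVolumeClaim) but now also couples this list to the `allowHostDirVolumePlugin` value set in the earlier hunk; if the chart has rendered-template unit tests, asserting the exact rendered list for both the true and false `dataDirectoryHostPath` cases would make a future re-sort that drops or duplicates hostPath visible.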
@@ -40,11 +41,15 @@ supplementalGroups:
 type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
 - configMap
 - downwardAPI
 - emptyDir
+- hostPath
 - persistentVolumeClaim
 - projected
 - secret
-- hostPath
 {{- end }}
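Review bot: The third comment line, `# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.`, describes a case this template never produces: the earlier hunk in this file shows `allowHostDirVolumePlugin: true` hard-coded, so `- hostPath` is unconditionally listed here. Either drop that sentence in this file or make the coupling explicit, e.g. `# This SCC always sets allowHostDirVolumePlugin: true, so hostPath is always listed here.`, so nobody later "fixes" the list by making hostPath conditional without also revisiting the field. Moving `- hostPath` from last to fourth changes order only, not the grant, but because it is the entry permitting host-filesystem mounts for consul-cni, a rendered-output check of the exact list (if the chart has template unit tests) would catch an accidental removal during a future re-sort.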