From 617104d489ab6fb4672c1437852ef4f74699d1fa Mon Sep 17 00:00:00 2001
From: hc-github-team-consul-core
Date: Tue, 6 Aug 2024 10:48:59 -0400
Subject: [PATCH] Backport of [NET-10547] openshift: re-order SCC volume list for Argo sync into release/1.3.x (#4234)
backport of commit cd0cd19303bc4328fada8e63c8b990020b4a05d1
Co-authored-by: Michael Zalimeni
---
 .changelog/4227.txt | 4 ++++
 .../templates/client-securitycontextconstraints.yaml | 11 ++++++++---
 .../templates/cni-securitycontextconstraints.yaml | 7 ++++++-
 3 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 .changelog/4227.txt
diff --git a/.changelog/4227.txt b/.changelog/4227.txt
new file mode 100644
index 0000000000..feb7844aae
--- /dev/null
+++ b/.changelog/4227.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+openshift: order SecurityContextConstraint volumes alphabetically to match OpenShift behavior.
+This ensures that diff detection tools like ArgoCD consider the source and reconciled resources to be identical.
+```
diff --git a/charts/consul/templates/client-securitycontextconstraints.yaml b/charts/consul/templates/client-securitycontextconstraints.yaml
index 07e7711384..c14dd1c991 100644
--- a/charts/consul/templates/client-securitycontextconstraints.yaml
+++ b/charts/consul/templates/client-securitycontextconstraints.yaml
@@ -13,6 +13,7 @@ metadata:
 annotations:
 kubernetes.io/description: {{ template "consul.fullname" . }}-client are the security context constraints required to run the consul client.
+# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
 {{- if .Values.client.dataDirectoryHostPath }}
 allowHostDirVolumePlugin: true
 {{- else }}
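Review bot: The new comment `# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).` writes "Iff." with a trailing period, which reads as an abbreviation rather than the biconditional "if and only if", and a reader who does not know the term will take it for a typo of "If". Spelling it out states both directions, which is the security-relevant part of the rule: `# hostPath must appear in the volumes list below if and only if allowHostDirVolumePlugin is true.` It would also help to say where the rule comes from, since OpenShift's SCC defaulting/validation behaviour is asserted but not referenced (a short pointer to the OpenShift SCC docs or the apiserver validation is enough; I have not verified the exact rule from here). The volumes list the comment points to is outside this hunk.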
@@ -44,13 +45,17 @@ supplementalGroups:
 type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
 - configMap
 - downwardAPI
 - emptyDir
-- persistentVolumeClaim
-- projected
-- secret
 {{- if .Values.client.dataDirectoryHostPath }}
 - hostPath
 {{- end }}
+- persistentVolumeClaim
+- projected
+- secret
 {{- end}}
diff --git a/charts/consul/templates/cni-securitycontextconstraints.yaml b/charts/consul/templates/cni-securitycontextconstraints.yaml
index 2c09dba9b8..cb60104cf0 100644
--- a/charts/consul/templates/cni-securitycontextconstraints.yaml
+++ b/charts/consul/templates/cni-securitycontextconstraints.yaml
@@ -13,6 +13,7 @@ metadata:
 annotations:
 kubernetes.io/description: {{ template "consul.fullname" . }}-cni are the security context constraints required to run consul-cni.
+# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).
 allowHostDirVolumePlugin: true
 allowHostIPC: false
 allowHostNetwork: false
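Review bot: The `- hostPath` entry is the one item in this list that lets pods admitted under this SCC mount the node filesystem, and the invariant the comment describes (hostPath present exactly when allowHostDirVolumePlugin is true) is only held because this `{{- if .Values.client.dataDirectoryHostPath }}` guard and the one on `allowHostDirVolumePlugin` earlier in the template happen to test the same value; nothing in the chart enforces that they stay paired. A later edit to either guard would make OpenShift reject or rewrite the SCC, or silently re-open the ArgoCD diff this change closes. If the chart's unit tests render this template, a pair of assertions — one with `client.dataDirectoryHostPath` set and one unset — checking that `allowHostDirVolumePlugin` and the presence of `- hostPath` flip together would lock the invariant in. The claim that OpenShift re-sorts the list alphabetically is plausible but not something I can confirm from the diff; a pointer to the admission code or docs in the comment would let the next maintainer check it.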
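Review bot: The copied comment `# Iff. allowHostDirVolumePlugin is true, hostPath must be included in volumes (see below).` frames the field as conditional, but the very next line hard-codes `allowHostDirVolumePlugin: true` for consul-cni, so the conditional wording sends the reader looking for a switch that does not exist in this file. A direct statement fits better: `# allowHostDirVolumePlugin is always true for consul-cni, so hostPath is listed unconditionally in volumes below.` Since this SCC permanently grants hostPath, the same comment is the place to say why the CNI plugin needs it (presumably to write its binary/config onto the node, which I cannot confirm from this diff), so the grant is not later mistaken for an oversight.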
@@ -40,11 +41,15 @@ supplementalGroups:
 type: MustRunAs
 users: []
 volumes:
+# This list must be in alphabetical order to match the post-reconcile order enforced by OpenShift admission hooks.
+# Furthermore, hostPath must be included explicitly if allowHostDirVolumePlugin is true, as it will otherwise be
+# added by OpenShift. It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.
+# This avoids false positives in change detection by third-party diff tools (e.g. ArgoCD) that respect list order.
 - configMap
 - downwardAPI
 - emptyDir
+- hostPath
 - persistentVolumeClaim
 - projected
 - secret
-- hostPath
 {{- end }}
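Review bot: The sentence `It must be excluded if allowHostDirVolumePlugin is false per OpenShift requirements.` in the added comment does not apply to this file: the previous hunk shows `allowHostDirVolumePlugin: true` unconditionally and the new `- hostPath` entry here is likewise unconditional, so the "if false" branch is dead text carried over from the client SCC. Trimming it keeps the comment honest about this template, e.g. replace the second and third comment lines with `# hostPath is listed because allowHostDirVolumePlugin is always true above; OpenShift would add it otherwise.` The ordering rationale and the ArgoCD note can stay as written. The `{{- if }}` that the closing `{{- end }}` belongs to begins outside this hunk.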