Closed trevorbox closed 3 years ago
Here's an example I tried that causes an endless reconciliation loop on the service account...
```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: ResourceLocker
metadata:
  name: patch-default-editor
  namespace: my-namespace-name
spec:
  serviceAccountRef:
    name: default
  patches:
    - targetObjectRef:
        apiVersion: v1
        kind: ServiceAccount
        name: default-editor
        namespace: my-namespace-name
      patchTemplate: |
        imagePullSecrets:
          - name: my-pullsecret-name
      patchType: application/strategic-merge-patch+json
      sourceObjectRefs:
        - apiVersion: v1
          kind: Namespace
          name: my-namespace-name
      id: sa-pullsecret
```
Thank you for letting us know, @trevorbox. I'll look into reproducing this sometime this week and get back to you on what I find.
@trevorbox This seems to fix the issue, please verify:
```yaml
apiVersion: redhatcop.redhat.io/v1alpha1
kind: ResourceLocker
metadata:
  name: patch-default-editor
spec:
  patches:
    - id: sa-pullsecret
      patchTemplate: |
        imagePullSecrets:
        {{- range (append (index . 1).imagePullSecrets (dict "name" "my-pullsecret-name")) | uniq }}
          - name: {{ .name }}
        {{ end -}}
      patchType: application/strategic-merge-patch+json
      sourceObjectRefs:
        - apiVersion: v1
          kind: Namespace
          name: my-namespace-name
        - apiVersion: v1
          kind: ServiceAccount
          namespace: my-namespace-name
          name: default-editor
      targetObjectRef:
        apiVersion: v1
        kind: ServiceAccount
        name: default-editor
        namespace: my-namespace-name
  serviceAccountRef:
    name: default
```
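Added example, not part of the original thread or the operator's code: it renders the `patchTemplate` from the fix above with Go's `text/template` and shows that the output is the same whether or not `my-pullsecret-name` is already on the ServiceAccount, so rendering against the patched object yields the same patch. The `dict`, `append` and `uniq` functions are small stand-ins written for this example (assumed to match the sprig helpers for this input), and `builder-dockercfg-example` is a constructed secret name.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)
type obj = map[string]interface{}
type list = []interface{}

// Stand-ins for the sprig helpers the template calls (assumption, see lead-in).
var funcs = template.FuncMap{
	"dict":   func(k string, v interface{}) obj { return obj{k: v} },
	"append": func(l list, v interface{}) list { return append(append(list{}, l...), v) },
	"uniq": func(l list) (out list) {
		seen := map[string]bool{}
		for _, v := range l {
			if k := fmt.Sprint(v); !seen[k] {
				seen[k] = true
				out = append(out, v)
			}
		}
		return out
	},
}

// patchTemplate body copied from the fix posted in this thread.
const patchTemplate = `imagePullSecrets:
{{- range (append (index . 1).imagePullSecrets (dict "name" "my-pullsecret-name")) | uniq }}
  - name: {{ .name }}
{{ end -}}
`

// Render evaluates the template against [Namespace, ServiceAccount], the sourceObjectRefs order.
func Render(current ...string) string {
	secrets := list{}
	for _, n := range current {
		secrets = append(secrets, obj{"name": n})
	}
	var buf bytes.Buffer
	t := template.Must(template.New("patch").Funcs(funcs).Parse(patchTemplate))
	if err := t.Execute(&buf, list{obj{}, obj{"imagePullSecrets": secrets}}); err != nil {
		panic(err)
	}
	return buf.String()
}

func main() {
	fmt.Print(Render("builder-dockercfg-example")) // constructed pre-patch state
}
```

Calling `Render` again with the secret already in the list returns the identical string, which is the property the `append ... | uniq` pipeline adds over the static list in the first manifest.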
In my case the issue was trying to put Helm template logic for a ResourceLocker CR in a NamespaceConfig and deployed using Helm...
The solution was to use double printf statements to escape Go template evaluation, for example {{ printf "
I have a scenario where patching a ServiceAccount with an image pull secret causes an endless reconciliation loop. It would be good to be able to ignore all fields except the ones I care about when reconciling after a patch.
In my case it seems the metadata.managedFields is constantly updating and causing the reconciliation loop. I am using OCP 4.7.