redhat-cop / resource-locker-operator

Apache License 2.0

Patches cause endless reconciliation #45

Closed trevorbox closed 3 years ago

trevorbox commented 3 years ago

I have a scenario where patching a ServiceAccount with an image pull secret causes an endless reconciliation loop. It would be good to be able to ignore all fields except the ones I care about when reconciling after a patch.

In my case it seems the metadata.managedFields is constantly updating and causing the reconciliation loop. I am using OCP 4.7.

trevorbox commented 3 years ago

Here's an example I tried that causes an endless reconciliation loop on the service account...

apiVersion: redhatcop.redhat.io/v1alpha1
kind: ResourceLocker
metadata:
  name: patch-default-editor
  namespace: my-namespace-name
spec:
  serviceAccountRef:
    name: default
  patches:
  - targetObjectRef:
      apiVersion: v1
      kind: ServiceAccount
      name: default-editor
      namespace: my-namespace-name
    patchTemplate: |
      imagePullSecrets:
        - name: my-pullsecret-name
    patchType: application/strategic-merge-patch+json
    sourceObjectRefs:
    - apiVersion: v1
      kind: Namespace
      name: my-namespace-name
    id: sa-pullsecret

cnuland commented 3 years ago

Thank you for letting us know @trevorbox, I'll look into reproducing this sometime this week and get back to you on what I find.

raffaelespazzoli commented 3 years ago

@trevorbox This seems to fix the issue, please verify:

apiVersion: redhatcop.redhat.io/v1alpha1
kind: ResourceLocker
metadata:
  name: patch-default-editor
spec:
  patches:
    - id: sa-pullsecret
      patchTemplate: |
        imagePullSecrets:
        {{- range (append (index . 1).imagePullSecrets (dict "name" "my-pullsecret-name")) | uniq }}
          - name: {{ .name }}
        {{ end -}}  
      patchType: application/strategic-merge-patch+json
      sourceObjectRefs:
        - apiVersion: v1
          kind: Namespace
          name: my-namespace-name
        - apiVersion: v1
          kind: ServiceAccount
          namespace: my-namespace-name
          name: default-editor          
      targetObjectRef:
        apiVersion: v1
        kind: ServiceAccount
        name: default-editor
        namespace: my-namespace-name
  serviceAccountRef:
    name: default
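
Added example (not part of the thread or the operator's code): the template from the comment above, rendered with Go's `text/template` against a constructed ServiceAccount, showing that it keeps the pull secrets already on the account and that feeding its own output back in yields the same list. The `append`, `dict` and `uniq` functions are minimal stand-ins written for this example, and `builder-dockercfg-abc12` is a constructed secret name.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// patchTemplate is the patchTemplate body from the comment above.
const patchTemplate = `imagePullSecrets:
{{- range (append (index . 1).imagePullSecrets (dict "name" "my-pullsecret-name")) | uniq }}
  - name: {{ .name }}
{{ end -}}`

// Assumed stand-ins for the append, dict and uniq helpers the template calls.
var funcs = template.FuncMap{
	"append": func(l []interface{}, v interface{}) []interface{} { return append(l[:len(l):len(l)], v) },
	"dict":   func(k string, v interface{}) map[string]interface{} { return map[string]interface{}{k: v} },
	"uniq": func(list []interface{}) (out []interface{}) {
		seen := map[string]bool{}
		for _, v := range list {
			if k := fmt.Sprint(v); !seen[k] {
				seen[k], out = true, append(out, v)
			}
		}
		return out
	},
}

// RenderPullSecrets renders the patch for a constructed ServiceAccount holding the
// existing secrets (source index 0 = Namespace, 1 = ServiceAccount) and returns the names.
func RenderPullSecrets(existing []string) (names []string, err error) {
	sa := []interface{}{}
	for _, n := range existing {
		sa = append(sa, map[string]interface{}{"name": n})
	}
	src := []interface{}{map[string]interface{}{}, map[string]interface{}{"imagePullSecrets": sa}}
	var buf bytes.Buffer
	t := template.Must(template.New("patch").Funcs(funcs).Parse(patchTemplate))
	if err = t.Execute(&buf, src); err != nil {
		return nil, err
	}
	for _, m := range regexp.MustCompile(`name: (\S+)`).FindAllStringSubmatch(buf.String(), -1) {
		names = append(names, m[1])
	}
	return names, nil
}

func main() { fmt.Println(RenderPullSecrets([]string{"builder-dockercfg-abc12"})) }
```
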

trevorbox commented 3 years ago

In my case the issue was trying to put Helm template logic for a ResourceLocker CR in a NamespaceConfig and deployed using Helm... The solution was to use double printf statements to escape Go template evaluation, for example {{ printf "" }}. Thanks!