Details
Bug
Resolution: Done
Major
1.9.1
Description
Description of problem:
Case #: 03567497
Customer Name:
Severity: SEV 3
Slack thread: https://redhat-internal.slack.com/archives/CMP95ST2N/p1690371243153869
When a namespace is created from a Helm template, the `openshift.io/sa.scc.mcs` annotation is not applied in the namespace YAML. The customer has been using the standard template given in the official Argo CD documentation. Earlier it worked fine without specifying `openshift.io/sa.scc.mcs` in annotations, as it was automatically generated or added in the created namespace YAML, but the customer started facing issues recently.
Normal creation of the NS successfully adds the `openshift.io/sa.scc.mcs` annotation.
Prerequisites (if any, like setup, operators/versions):
OCP Version: 4.12
GitOps Operator Version: 1.9.1
Steps to Reproduce
# <steps>
Actual results:
Only with Helm templates, the `openshift.io/sa.scc.mcs` annotation does not get applied.
Expected results:
The `openshift.io/sa.scc.mcs` annotation is applied no matter how the NS is generated.
Reproducibility (Always/Intermittent/Only Once): always
Acceptance criteria:
Definition of Done:
Build Details:
Additional info (Such as Logs, Screenshots, etc):
Values.yaml

```yaml
namespaces:
  - app
helmResourcePolicy: keep
labels:
  argocd.argoproj.io/managed-by: argocd
annotations:
  argocd.argoproj.io/sync-wave: '-1'
  openshift.io/sa.scc.mcs: null
env:
  - dev
  - sit
serviceAccount:
  create: true
```
Templates:

```yaml
{{- $annotations := .Values.annotations -}}
{{- $labels := .Values.labels -}}
{{- $helmResourcePolicy := .Values.helmResourcePolicy -}}
{{range $key, $val := .Values.namespaces }}
{{range $env, $envvals := $.Values.env }}
---
apiVersion: v1
kind: Namespace
metadata:
  name: "{{ $val }}-{{ $envvals }}"
  labels:
    router: "{{ $envvals }}"
    {{- include "namespace.labels" $ | nindent 4 }}
    {{- with $labels }}
    {{ toYaml . | nindent 4 }}
    {{- end }}
  {{- with $annotations }}
  annotations:
    openshift.io/description: "{{ $val }}-{{ $envvals }}"
    openshift.io/display-name: "{{ $val }}-{{ $envvals }}"
    openshift.io/node-selector: "environment={{ $envvals }}"
    openshift.io/requester: system:admin
    openshift.io/sa.scc.supplemental-groups: 1001/10000
    openshift.io/sa.scc.uid-range: 1001/10000
    helm.sh/resource-policy: "{{ $helmResourcePolicy }}"
{{ toYaml . | indent 4 }}
  {{- end }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "{{ $val }}-sa"
  namespace: "{{ $val }}-{{ $envvals }}"
  labels:
    "app.kubernetes.io/name": "{{ $val }}-sa"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ $val }}-{{ $envvals }}-ingress
  namespace: {{ $val }}-{{ $envvals }}
spec:
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
        - podSelector: {}
  podSelector: {}
  policyTypes:
    - Ingress
{{ end }}
{{ end }}
```
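A check for the symptom described in this report, as an added example that is not part of the original ticket: it lists namespaces whose `openshift.io/sa.scc.*` annotations are absent, null or empty. It assumes input shaped like the output of `oc get namespaces -o json`; the function name `missing_scc_annotations` and all sample data are constructed for illustration.

```python
import json

# Annotations named in this report that a namespace is expected to carry.
REQUIRED = (
    "openshift.io/sa.scc.mcs",
    "openshift.io/sa.scc.uid-range",
    "openshift.io/sa.scc.supplemental-groups",
)


def missing_scc_annotations(namespace_list, required=REQUIRED):
    """Return {namespace name: [required annotations absent, null or empty]}."""
    findings = {}
    for item in namespace_list.get("items", []):
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        missing = [
            key for key in required
            if not isinstance(annotations.get(key), str)
            or not annotations[key].strip()
        ]
        if missing:
            findings[meta.get("name", "<unnamed>")] = missing
    return findings


# Constructed sample (hypothetical namespaces and values, not customer data).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"metadata": {"name": "app-dev", "annotations": {
     "openshift.io/sa.scc.uid-range": "1001/10000",
     "openshift.io/sa.scc.supplemental-groups": "1001/10000"}}},
  {"metadata": {"name": "app-sit", "annotations": {
     "openshift.io/sa.scc.mcs": null,
     "openshift.io/sa.scc.uid-range": "1001/10000",
     "openshift.io/sa.scc.supplemental-groups": "1001/10000"}}},
  {"metadata": {"name": "manual-ns", "annotations": {
     "openshift.io/sa.scc.mcs": "s0:c26,c5",
     "openshift.io/sa.scc.uid-range": "1000680000/10000",
     "openshift.io/sa.scc.supplemental-groups": "1000680000/10000"}}},
  {"metadata": {"name": "bare-ns"}}
]}
""")

if __name__ == "__main__":
    for name, missing in sorted(missing_scc_annotations(SAMPLE).items()):
        print(f"{name}: missing {', '.join(missing)}")
```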