  1. OpenShift GitOps
  2. GITOPS-3161

openshift.io/sa.scc.mcs annotation is not added to NS through Helm template


Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • 1.9.1
    • None
    • False
    • None
    • False

    Description

      Description of problem:

      Case #: 03567497

      Customer Name: 

      Severity: SEV 3

      Slack thread: https://redhat-internal.slack.com/archives/CMP95ST2N/p1690371243153869 

      When a namespace is created from a Helm template, the `openshift.io/sa.scc.mcs` annotation is not applied in the namespace YAML. The customer has been using the standard template given in the official Argo CD documentation. Earlier it worked fine without specifying `openshift.io/sa.scc.mcs` in annotations, as it was automatically generated or added in the created namespace YAML, but the customer started facing issues recently.
      Normal creation of the NS successfully adds the "openshift.io/sa.scc.mcs" annotation.

      Prerequisites (if any, like setup, operators/versions):

      OCP Version: 4.12
      GitOps Operator Version: 1.9.1

      Steps to Reproduce

       # <steps>

      Actual results: 

      Only with Helm templates, the `openshift.io/sa.scc.mcs` annotation does not get applied

      Expected results:

      The `openshift.io/sa.scc.mcs` annotation is applied no matter how the NS is generated

      Reproducibility (Always/Intermittent/Only Once): always

      Acceptance criteria: 

       

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

      Values.yaml 

      namespaces:
      - app
      helmResourcePolicy: keep
      labels:
        argocd.argoproj.io/managed-by: argocd
      annotations:
        argocd.argoproj.io/sync-wave: '-1'
        openshift.io/sa.scc.mcs: null
      env:
      - dev
      - sit
      serviceAccount:
        create: true 

      Templates: 

      {{- $annotations := .Values.annotations -}}
      {{- $labels := .Values.labels -}}
      {{- $helmResourcePolicy := .Values.helmResourcePolicy -}}
      {{range $key, $val := .Values.namespaces }}
      {{range $env, $envvals := $.Values.env }}
      ---
      apiVersion: v1
      kind: Namespace
      metadata:
        name: "{{ $val }}-{{ $envvals }}"
        labels:
          router: "{{ $envvals }}"
          {{- include "namespace.labels" $ | nindent 4 }}
      {{- with $labels }}
          {{ toYaml . | nindent 4 }}
      {{- end }}
      {{- with $annotations }}
        annotations:
          openshift.io/description: "{{ $val }}-{{ $envvals }}"
          openshift.io/display-name: "{{ $val }}-{{ $envvals }}"
          openshift.io/node-selector: "environment={{ $envvals }}"
          openshift.io/requester: system:admin
          openshift.io/sa.scc.supplemental-groups: 1001/10000
          openshift.io/sa.scc.uid-range: 1001/10000
          helm.sh/resource-policy: "{{ $helmResourcePolicy }}"
      {{ toYaml . | indent 4 }}
      {{- end }} 
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: "{{ $val }}-sa"
        namespace: "{{ $val }}-{{ $envvals }}"
        labels:
          "app.kubernetes.io/name": "{{ $val }}-sa"
      ---
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      metadata:
        name: {{ $val }}-{{ $envvals }}-ingress
        namespace: {{ $val }}-{{ $envvals }}  
      spec:
          ingress:
          - from:
            - namespaceSelector:
                matchLabels:
                  network.openshift.io/policy-group: ingress
            - podSelector: {}
          podSelector: {}
          policyTypes:
          - Ingress
      {{ end }}
      {{ end }} 
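
An added check, not part of the original report or of the OpenShift GitOps code: it scans a namespace list for the symptom described above, namespaces that carry the `openshift.io/sa.scc.uid-range` and `openshift.io/sa.scc.supplemental-groups` annotations from the template but have no `openshift.io/sa.scc.mcs`. The function names and the sample namespaces are assumptions made for illustration; the input shape is that of `oc get namespaces -o json`.

```python
import json

# Namespace annotations named in this report (mcs) and set by its template.
SCC_ANNOTATIONS = (
    "openshift.io/sa.scc.mcs",
    "openshift.io/sa.scc.supplemental-groups",
    "openshift.io/sa.scc.uid-range",
)

def audit_namespaces(ns_list_json):
    """Map namespace name -> list of SCC annotations that are absent or empty."""
    findings = {}
    for item in json.loads(ns_list_json).get("items", []):
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        # A null or empty value (as in `openshift.io/sa.scc.mcs: null`) counts as missing.
        missing = [key for key in SCC_ANNOTATIONS if not annotations.get(key)]
        if missing:
            findings[meta.get("name", "<unnamed>")] = missing
    return findings

def partially_annotated(findings):
    """Namespaces with some but not all SCC annotations: the symptom reported here."""
    return sorted(ns for ns, missing in findings.items()
                  if len(missing) < len(SCC_ANNOTATIONS))

# Constructed sample in the shape of `oc get namespaces -o json` (not real cluster data).
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "app-dev", "annotations": {
        "openshift.io/sa.scc.supplemental-groups": "1001/10000",
        "openshift.io/sa.scc.uid-range": "1001/10000"}}},
    {"metadata": {"name": "manual-ns", "annotations": {
        "openshift.io/sa.scc.mcs": "s0:c26,c5",
        "openshift.io/sa.scc.supplemental-groups": "1000680000/10000",
        "openshift.io/sa.scc.uid-range": "1000680000/10000"}}},
    {"metadata": {"name": "bare-ns"}},
]})

if __name__ == "__main__":
    result = audit_namespaces(SAMPLE)
    for ns in partially_annotated(result):
        print(f"{ns}: missing {', '.join(result[ns])}")
```

Against a live cluster, pass the output of `oc get namespaces -o json` to `audit_namespaces` in place of the constructed sample.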

          People

            Unassigned Unassigned
            rescott1 Regina Scott