OpenShift GitOps / GITOPS-7568

ignoreDifferences setting is not honored for OAuthClient resource


      ###Issue :

      Customer has deployed an Argo CD application which deploys an OAuthClient manifest. [An application .yaml is attached for reference.]

      The application and its resources get deployed without any issues. But the secret value in the OAuthClient is updated on sync and every now and then.

      The generated secret value is used elsewhere, and when it's automatically updated their solution stops working. Due to this, they need to update the original value manually every time, but some time later it gets updated again.

      This seems to be expected, as the customer is using randAlphaNum to generate a random secret value:

      ~~~
      {{- $clientSecret := randAlphaNum 24 | nospace }}
      kind: OAuthClient
      apiVersion: oauth.openshift.io/v1
      metadata:
        name: {{ printf "%s-%s" $keycloak .name }}
      secret: {{ $clientSecret }}
      redirectURIs:
        - {{ printf "https://%s/auth/realms/%s/broker/openshift-v4/endpoint" $keycloakHostname .name }}
      grantMethod: auto
      ~~~

      So in order to avoid this issue, the customer has set the ignoreDifferences field in the application manifest as below:

      ~~~
      ignoreDifferences:
        - kind: OAuthClient
          group: oauth.openshift.io
          jsonPointers:
            - /secret
      ~~~

      However, this is not working and the secret value is still getting updated each time.

      They have also set the ignoreDifferences field for the KeycloakRealmIdentityProvider object, which is working perfectly fine:

      ~~~
      ignoreDifferences:
        - group: v1.edp.epam.com
          jsonPointers:
            - /spec/config/clientSecret
          kind: KeycloakRealmIdentityProvider
      ~~~

      In the Helm chart this manifest is defined as follows (the $clientSecret variable is the same as used in the OAuthClient resource that is defined in the same template file):

      ~~~
      kind: KeycloakRealmIdentityProvider
      apiVersion: v1.edp.epam.com/v1
      metadata:
        name: {{ .name }}-openshift-v4
        namespace: {{ $namespace }}
      spec:
        alias: openshift-v4
        config:
          baseUrl: {{ $.Values.misc.apiUrl }}
          clientId: {{ printf "%s-%s" $keycloak .name }}
          clientSecret: {{ $clientSecret }}
        enabled: true
        firstBrokerLoginFlowAlias: autolink
        providerId: openshift-v4
        realmRef:
          kind: KeycloakRealm
          name: {{ .name }}
      ~~~

      On syncing the KeycloakRealmIdentityProvider object, despite the new random secret value generated in the `desired manifest`, it's not updated in the `live manifest` and the value remains unchanged.

      Why does the ignoreDifferences logic work for the KeycloakRealmIdentityProvider and not for the OAuthClient resource?

      ###Workaround:

      As a workaround we suggested the customer set the `RespectIgnoreDifferences=true` sync option.

      With this, the ignoreDifferences logic works perfectly fine and the secret value in the OAuthClient (live manifest) remains unchanged.

      ###Actual Result :

      The ignoreDifferences setting is not honored for OAuthClient and the secret value is still getting updated each time.

      ###Expected Result :

      The ignoreDifferences logic should work perfectly fine and the secret value in the OAuthClient (live manifest) remains unchanged.
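
The workaround from the report, written out as a full Application manifest. This is an added example, not the customer's attached application .yaml; the application name, Argo CD namespace, project, repoURL, targetRevision, path and destination are placeholder assumptions, while the two ignoreDifferences entries and the sync option are taken from the report.

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: keycloak-realms                 # placeholder
  namespace: openshift-gitops           # assumption: default OpenShift GitOps instance
spec:
  project: default                      # placeholder
  source:
    repoURL: https://git.example.com/platform/keycloak-realms.git   # placeholder
    targetRevision: main                # placeholder
    path: chart                         # placeholder
  destination:
    server: https://kubernetes.default.svc
    namespace: keycloak                 # placeholder
  # On its own, ignoreDifferences only changes how Argo CD computes the diff
  # (the OutOfSync status). A sync still applies the freshly rendered manifest,
  # including the new randAlphaNum value.
  ignoreDifferences:
    - group: oauth.openshift.io
      kind: OAuthClient
      jsonPointers:
        - /secret
    - group: v1.edp.epam.com
      kind: KeycloakRealmIdentityProvider
      jsonPointers:
        - /spec/config/clientSecret
  syncPolicy:
    syncOptions:
      # Makes the sync stage honor ignoreDifferences too: the ignored fields
      # keep their live values when the resource is applied. This only takes
      # effect for resources that already exist in the cluster; on first
      # creation the rendered value is applied as-is.
      - RespectIgnoreDifferences=true
```

To confirm the behaviour, compare the `secret` field of the live OAuthClient before and after a sync; with the sync option set it should be identical.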

              rh-ee-anjoseph Anand Francis Joseph
              rhn-support-dkarde Dipak Karde