Resources go out of synch in GitOps deployments #266
Comments
A possible solution for this is to let Capsule create or update the But we got a problem with the We got two options here: 1️⃣ not mounting Secrets but let the Operator write the content to its roots This is happening only in the scenario where a CA and related certificate is not provided, but I think it's common practice.

the same way, as we do in https://github.com/clastix/capsule-proxy/blob/master/charts/capsule-proxy/templates/post-install-job.yaml?

I was thinking about this, yes, but in the end, I think we can easily address this with the opinionated ArgoCD options. I tested the scenario in an ArgoCD environment: the issue is that ArgoCD doesn't play so well with the 3-way merge patch as Helm 3 does; in fact, it complains regarding the outdated Secret resources content and webhooks CA. We can easily ask ArgoCD to ignore these fields, using the spec:

```yaml
destination:
  namespace: capsule-system
  server: https://kubernetes.default.svc
ignoreDifferences:
  - group: ""
    jsonPointers:
      - /data
    kind: Secret
    name: capsule-tls
  - group: ""
    jsonPointers:
      - /data
    kind: Secret
    name: capsule-ca
  - group: admissionregistration.k8s.io
    jsonPointers:
      - /webhooks/0/clientConfig/caBundle
    kind: MutatingWebhookConfiguration
    name: capsule-mutating-webhook-configuration
  - group: admissionregistration.k8s.io
    jsonPointers:
      - /webhooks/0/clientConfig/caBundle
      - /webhooks/1/clientConfig/caBundle
      - /webhooks/2/clientConfig/caBundle
      - /webhooks/3/clientConfig/caBundle
      - /webhooks/4/clientConfig/caBundle
      - /webhooks/5/clientConfig/caBundle
      - /webhooks/6/clientConfig/caBundle
      - /webhooks/7/clientConfig/caBundle
      - /webhooks/8/clientConfig/caBundle
      - /webhooks/9/clientConfig/caBundle
    kind: ValidatingWebhookConfiguration
    name: capsule-validating-webhook-configuration
project: default
source:
  path: charts/capsule
  repoURL: https://github.com/clastix/capsule
  targetRevision: v0.0.5
syncPolicy:
  retry:
    limit: 3
  syncOptions:
    - CreateNamespace=true
```

Honestly, since this is just an issue with ArgoCD, I wouldn't change the code-base to fix a specific problem. @bsctl feel free to close the issue if it's good enough.

@prometherion thanks, I think yes. Closing it.
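
An added example, not part of the thread or of the Capsule project: a small audit of an `ignoreDifferences` entry like the one posted above against the webhook object it names, reporting `caBundle` pointers that are missing, pointers for indexes that do not exist, and pointers wider than `caBundle`. The sample objects, webhook names and counts are constructed.

```python
import re

# Only the operator-managed CA field should be ignored; a broader pointer
# would also hide drift in rules, failurePolicy or selectors.
CA_POINTER = re.compile(r"^/webhooks/(\d+)/clientConfig/caBundle$")


def ca_bundle_pointers(webhook_config):
    """One JSON pointer per webhook entry present in the object."""
    count = len(webhook_config.get("webhooks", []))
    return [f"/webhooks/{i}/clientConfig/caBundle" for i in range(count)]


def audit_ignore_entry(entry, webhook_config):
    """Compare one ignoreDifferences entry with the object it names."""
    needed = set(ca_bundle_pointers(webhook_config))
    listed = set(entry.get("jsonPointers", []))
    return {
        # caBundle fields still diffed: the resource keeps showing OutOfSync
        "missing": sorted(needed - listed),
        # indexes with no webhook behind them: a webhook added later is pre-ignored
        "stale": sorted(p for p in listed - needed if CA_POINTER.match(p)),
        # anything wider than a single caBundle field
        "too_broad": sorted(p for p in listed if not CA_POINTER.match(p)),
    }


# Constructed sample data (webhook names and counts are made up).
SAMPLE_WEBHOOKS = {
    "kind": "ValidatingWebhookConfiguration",
    "webhooks": [{"name": f"hook-{i}.example"} for i in range(3)],
}
SAMPLE_ENTRY = {
    "group": "admissionregistration.k8s.io",
    "kind": "ValidatingWebhookConfiguration",
    "jsonPointers": [
        "/webhooks/0/clientConfig/caBundle",
        "/webhooks/1/clientConfig/caBundle",
        "/webhooks/3/clientConfig/caBundle",
        "/webhooks",
    ],
}

if __name__ == "__main__":
    for finding, pointers in audit_ignore_entry(SAMPLE_ENTRY, SAMPLE_WEBHOOKS).items():
        print(f"{finding}: {pointers}")
```
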
Bug description
Some resources continuously go out of synch when deploying with a GitOps tool, e.g. ArgoCD:
- capsule-ca and capsule-tls secrets
- capsule-mutating-webhook-configuration MutatingWebhookConfiguration
- capsule-validating-webhook-configuration ValidatingWebhookConfiguration

How to reproduce
Expected behavior
Once deployed, resources should not go out of synch
Logs
Additional context