Bug 1960651

Summary: Authentication Operator should not copy app.kubernetes.io/instance label
Product: OpenShift Container Platform
Reporter: Asmita <agawand>
Component: kube-apiserver
Assignee: Abu Kashem <akashem>
Status: CLOSED WONTFIX
QA Contact: Ke Wang <kewang>
Severity: low
Priority: low
Version: 4.6
CC: akashem, aos-bugs, eparis, jokerman, kostrows, mfojtik, mharri, slaznick, surbania, tim.speetjens, william.caban, xxia
Target Milestone: ---
Target Release: ---
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-08-18 14:26:03 UTC
Type: Bug

Description Asmita 2021-05-14 13:54:11 UTC
Description of problem: Using ArgoCD to configure authentication.
We noticed that the secrets mentioned in the OAuth configuration are copied from the openshift-config namespace to the openshift-authentication namespace. This copy also contains the kubernetes.io/instance label, which makes ArgoCD think the copied secret is managed by itself as well, and it shows this as 'out of sync'.

The situation gets worse when auto-heal and pruning are enabled. This makes ArgoCD remove these secrets, followed by the operator adding them back, after which ArgoCD removes them again, and so on.

As a workaround, we added the "argocd.argoproj.io/compare-options: IgnoreExtraneous" annotation.
To build further on my example, I defined the secret as follows:

---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
  annotations:
    argocd.argoproj.io/compare-options: IgnoreExtraneous
spec:
  identityProviders:
    - name: local_accounts
      type: HTPasswd
      htpasswd:
        fileData:
          name: htpass-users
    - name: Active_Directory
      type: LDAP
      ldap:
        ...
        bindPassword:
          name: ad-secret

The annotations are copied to the corresponding secret which itself gets ignored. This allows me to activate the self-heal with prune option, without having the loop effect.

This solves the issue only partly, because now the secret itself (not the copy in openshift-authentication) will still not be pruned when I remove it from my configuration. Its existence will be ignored because of the annotation.

While this seems to be a valid (partial) workaround,
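The prune loop and the partial workaround described in the report, as an added simulation that is not part of the bug report or of ArgoCD/OpenShift code. It assumes the annotation ends up on the ArgoCD-managed source secret in git (and is therefore carried onto the operator's copy); the secret objects are constructed sample data.

```python
# Simulation of ArgoCD's prune decision for the secret-copy loop in this bug.
# Label and annotation keys are those named in the report; the objects below
# are constructed sample data, not cluster output.

INSTANCE_LABEL = "app.kubernetes.io/instance"
COMPARE_OPTS = "argocd.argoproj.io/compare-options"


def operator_copy(source):
    """Mimic the authentication operator copying a secret from openshift-config
    to openshift-authentication, labels and annotations included (the behaviour
    the report complains about)."""
    return {
        "name": source["name"],
        "namespace": "openshift-authentication",
        "labels": dict(source["labels"]),
        "annotations": dict(source["annotations"]),
    }


def argocd_prune_candidates(app, desired, live):
    """Return live objects ArgoCD would prune: labelled as belonging to `app`,
    absent from the desired (git) state, and not marked IgnoreExtraneous."""
    pruned = []
    for obj in live:
        if obj["labels"].get(INSTANCE_LABEL) != app:
            continue  # not tracked by this Application
        if (obj["namespace"], obj["name"]) in desired:
            continue  # still declared in git
        if obj["annotations"].get(COMPARE_OPTS) == "IgnoreExtraneous":
            continue  # the workaround from the report
        pruned.append(obj)
    return pruned


def simulate(annotate, remove_from_git):
    """Run one sync: returns (namespace, name) of every object ArgoCD prunes."""
    ann = {COMPARE_OPTS: "IgnoreExtraneous"} if annotate else {}
    source = {"name": "htpass-users", "namespace": "openshift-config",
              "labels": {INSTANCE_LABEL: "auth"}, "annotations": ann}
    live = [source, operator_copy(source)]          # what the cluster holds
    desired = set() if remove_from_git else {("openshift-config", "htpass-users")}
    return [(o["namespace"], o["name"])
            for o in argocd_prune_candidates("auth", desired, live)]


if __name__ == "__main__":
    print("no annotation:", simulate(False, False))   # copy pruned -> loop
    print("annotated:", simulate(True, False))         # nothing pruned
    print("annotated, removed from git:", simulate(True, True))  # source survives too
```

The last case is the downside the report describes: once annotated, the source secret is no longer pruned when it is dropped from the configuration.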

Comment 3 Standa Laznicka 2021-05-25 07:52:47 UTC
Make ArgoCD ignore the namespaces that already contain managed payloads; we can't and won't be special-casing every project out there. If it's not possible to make ArgoCD ignore namespaces, make them add that ability.

Comment 4 Tim Speetjens 2021-05-26 06:37:57 UTC
From your comment, I understand that copying the labels and annotations from the source secret to the destination is a design decision.

What is the use case for copying that? Does the authentication operator accept any special labels or annotations in the secrets to fine tune its behaviour?

Comment 5 Tim Speetjens 2021-05-26 06:49:09 UTC
For reference, the related argocd issue:

https://github.com/argoproj/argo-cd/issues/4487

Comment 12 Standa Laznicka 2022-07-21 11:10:08 UTC
Moving closer to the team dealing with APIs.

Comment 14 Michal Fojtik 2022-08-18 14:26:03 UTC
Dear reporter, 

As part of the migration of all OpenShift bugs to Red Hat Jira, we are evaluating all bugs, which will result in some stale issues, or those without high or urgent priority, being closed. If you believe this bug still requires engineering resolution, we kindly ask you to follow this link [1] and continue working with us in Jira by recreating the issue and providing the necessary information. Also, please provide the link to the original Bugzilla in the description.

To create an issue, follow this link:

[1] https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12332330&issuetype=1&priority=10300&components=12367637

Comment 15 Red Hat Bugzilla 2023-09-15 01:34:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 365 days.