Description of problem: oc process intervenes with the declared desired namespace in the manifest and strips out the namespace when it is hardcoded and not passed via a template parameter. How reproducible: Can be reproduced with any Template that uses resources with a hardcoded namespace. Steps to Reproduce: To prepare aws-account-operator for deployment, there's a ConfigMap that is required[0]. As you can see in L14[1] the namespace is hardcoded to aws-account-operator. Run `make predeploy` or `make create-ou-map` manually to get the configmap deployed. Actual results: The ConfigMap is getting created in the "default" namespace rather than aws-account-operator ns, which is hardcoded in the manifest. However, if we convert the hardcoded namespace to use a template parameter ${NAMESPACE} and pass it from the oc process it works properly. For instance: oc process --local -p ROOT=${OSD_STAGING_1_OU_ROOT_ID} -p BASE=${OSD_STAGING_1_OU_BASE_ID} -p NAMESPACE=aws-account-operator -p ACCOUNTLIMIT="0" -f hack/templates/aws.managed.openshift.io_v1alpha1_configmap.tmpl | oc apply -f -` Then, the ConfigMap appears in the aws-account-operator namespace. After some investigation into the templating code, I found that this is intentional[2][3]. Expected results: I am a new hire, so I assumed that the namespace would be retained after the serialization of the object along with the rest of the metadata since it's the desired state that we have explicitly specified in the manifest. After discussing this behaviour with some of our colleagues, we can't understand why this is happening. Thank you in advance! [0]https://github.com/openshift/aws-account-operator/blob/master/hack/templates/aws.managed.openshift.io_v1alpha1_configmap.tmpl [1]https://github.com/openshift/aws-account-operator/blob/master/hack/templates/aws.managed.openshift.io_v1alpha1_configmap.tmpl#L14 [2]https://github.com/openshift/library-go/blob/master/pkg/template/templateprocessing/template.go#L86 [3]https://github.com/openshift/library-go/blob/master/pkg/template/templateprocessing/template.go#L113
Sending this over to build team who owns templating mechanics.
@pratis I have spent sometime investigating and interviewing some of my colleges and these are my findings: The behavior to remove the namespace field was introduced in this PR: https://github.com/openshift/origin/pull/698/files#diff-4c6785786c3eaa4a21b69e4a2a47830bb533b95d63b5b6c5bf69bc7e2d76625cR53 There is not an explicit reason why was introduced but I agree with my colleges that it made sense since hardcoding namespaces will certainly cause the template to only work in a few environments that happen to match that namespace. By removing it from the rendered resource it will allow the current namespace to be used for the apply operation. This behavior was improved if the value was parametrized with this PR https://github.com/openshift/origin/pull/12918 where the documentation was also updated to reflect the expected behavior. Please find the documentation on the API talking about this here: https://docs.openshift.com/container-platform/4.7/rest_api/template_apis/template-template-openshift-io-v1.html#specification see under the objects property. Hope this helps you understand and feel free to follow up with any other question.
Closing as "not a bug", feel free to re-open if my answer above is not sufficient.