Bug 1960651 - Authentication Operator should not copy app.kubernetes.io/instance label [NEEDINFO]
Summary: Authentication Operator should not copy app.kubernetes.io/instance label
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Abu Kashem
QA Contact: Ke Wang
Depends On:
Reported: 2021-05-14 13:54 UTC by Asmita
Modified: 2022-08-18 14:26 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-08-18 14:26:03 UTC
Target Upstream Version:
agawand: needinfo? (slaskawi)
agawand: needinfo? (akashem)


Description Asmita 2021-05-14 13:54:11 UTC
Description of problem: Using ArgoCD to configure authentication.
We noticed that the secrets mentioned in the OAuth configuration are copied from the openshift-config namespace to the openshift-authentication namespace. This copy also contains the kubernetes.io/instance label, which makes ArgoCD think the copied secret is managed by it as well, so it shows the copy as 'out of sync'.

The situation gets worse when auto-heal and pruning are enabled. This makes ArgoCD remove these secrets, followed by the operator adding them back, after which ArgoCD removes them again, and so on.

As workaround we added the "argocd.argoproj.io/compare-options: IgnoreExtraneous" annotation.
To build further on my example, I defined the secret as follows:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
  annotations:
    argocd.argoproj.io/compare-options: IgnoreExtraneous
spec:
  identityProviders:
    - name: local_accounts
      type: HTPasswd
      htpasswd:
        fileData:
          name: htpass-users
    - name: Active_Directory
      type: LDAP
      ldap:
        # url, bindDN and attributes are not shown in the original report
        bindPassword:
          name: ad-secret

The annotations are copied to the corresponding secret which itself gets ignored. This allows me to activate the self-heal with prune option, without having the loop effect.

This solves the issue only partly, because now the secret itself (not the copy in openshift-authentication) will still not be pruned when I remove it from my configuration. Its existence will be ignored because of the annotation.

While this seems to be a valid (partial) workaround,
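As an added illustration (not code from the report or the authentication operator), a Python model of the sync-status classification described above, run on constructed secret manifests: the label-based tracking and IgnoreExtraneous semantics follow ArgoCD's documented behaviour, while the function names and sample values are this example's own.

```python
# Added example (not from the bug report or the operator): how a GitOps
# controller tracking ownership by app.kubernetes.io/instance classifies a
# secret an operator copied into another namespace. Manifests are constructed.
from typing import Dict, List, Set, Tuple

INSTANCE_LABEL = "app.kubernetes.io/instance"
COMPARE_OPTIONS = "argocd.argoproj.io/compare-options"


def copy_secret_like_operator(src: Dict, dst_namespace: str) -> Dict:
    """The copy described in the report: labels and annotations travel with
    the secret into the destination namespace unchanged."""
    meta = src["metadata"]
    return {"metadata": {"name": meta["name"], "namespace": dst_namespace,
                         "labels": dict(meta.get("labels", {})),
                         "annotations": dict(meta.get("annotations", {}))},
            "data": dict(src.get("data", {}))}


def classify_live_secret(secret: Dict, app_name: str, in_git: bool) -> str:
    """Sync-status view of one live secret under label-based tracking:
    unmanaged  - instance label absent or for another app; never touched
    in-sync    - claimed by the app and declared in git
    ignored    - claimed, not in git, but IgnoreExtraneous is annotated
    extraneous - claimed, not in git: OutOfSync, deleted when pruning is on
    """
    meta = secret["metadata"]
    if meta.get("labels", {}).get(INSTANCE_LABEL) != app_name:
        return "unmanaged"
    if in_git:
        return "in-sync"
    opts = meta.get("annotations", {}).get(COMPARE_OPTIONS, "")
    if "IgnoreExtraneous" in {o.strip() for o in opts.split(",")}:
        return "ignored"
    return "extraneous"


def prune_candidates(live: List[Dict], app_name: str,
                     git_keys: Set[Tuple[str, str]]) -> List[str]:
    """namespace/name of live secrets that auto-sync with pruning would
    delete; in the report these are the copies in openshift-authentication."""
    out = []
    for s in live:
        key = (s["metadata"]["namespace"], s["metadata"]["name"])
        if classify_live_secret(s, app_name, key in git_keys) == "extraneous":
            out.append("/".join(key))
    return out
```

Running `prune_candidates` over the source secret plus its copy, with only the openshift-config object declared in git, names the copy as the object a prune would delete; adding the IgnoreExtraneous annotation to the source (and thus to the copy) empties that list, which is the partial workaround the report describes.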

Comment 3 Standa Laznicka 2021-05-25 07:52:47 UTC
Make ArgoCD ignore the namespaces that already contain managed payloads, we can't and won't be special-casing every project out there. If it's not possible to make ArgoCD ignore namespaces, make them add that ability.

Comment 4 Tim Speetjens 2021-05-26 06:37:57 UTC
From your comment, I understand that copying the labels and annotations from the source secret to the destination is a design decision.

What is the use case for copying that? Does the authentication operator accept any special labels or annotations in the secrets to fine tune its behaviour?

Comment 5 Tim Speetjens 2021-05-26 06:49:09 UTC
For reference, related argocd issue.


Comment 12 Standa Laznicka 2022-07-21 11:10:08 UTC
Moving closer to the team dealing with APIs.

Comment 14 Michal Fojtik 2022-08-18 14:26:03 UTC
Dear reporter, 

As part of the migration of all OpenShift bugs to Red Hat Jira, we are evaluating all bugs, which will result in some stale issues or those without high or urgent priority being closed. If you believe this bug still requires engineering resolution, we kindly ask you to follow this link[1] and continue working with us in Jira by recreating the issue and providing the necessary information. Also, please provide the link to the original Bugzilla in the description.

To create an issue, follow this link:

[1] https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12332330&issuetype=1&priority=10300&components=12367637
