Kustomization not applying patch
Closed this issue · 1 comments
nab-gha commented
I have a kustomization that is meant to apply a Terraform object and patch it, but the patch is not being applied. It works when applied via kubectl apply -k with a kustomization.yaml specifying the same patch, but not using kustomization.
See https://github.com/ww-gitops/paulc-mac/tree/main/test-603/manual for the kustomize/kubectl apply that works. The kustomization apply that is failing to patch is...
```
kubectl get ks -n test-one enterprise-tenant-2e63d88d -o yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  creationTimestamp: "2023-11-14T15:44:36Z"
  finalizers:
  - finalizers.fluxcd.io
  generation: 20
  labels:
    templates.weave.works/name: enterprise-tenant-gitopsset-generator
    templates.weave.works/namespace: test-one
  name: enterprise-tenant-2e63d88d
  namespace: test-one
  resourceVersion: "2218122"
  uid: a25f5d97-3be1-4c58-87ec-6441734beb8b
spec:
  force: false
  interval: 1m
  patches:
  - patch: |
      - op: add
        path: "/spec/vars/6/value"
        value:
          - "org1"
          - "org2"
          - "org3"
    target:
      group: infra.contrib.fluxcd.io
      kind: Terraform
      labelSelector: app.kubernetes.io/component=keycloak-client-realms-2e63d88d
      version: v1alpha2
  path: ./test-603/per-ent-manifests/
  postBuild:
    substitute:
      centralEnv: dv
      enterprise: Ent1
      enterpriseId: 2e63d88d-969a-430e-842e-6Ffe872d00b4
      keycloakUrl: https://whatever.com
      subscriptionId: "603"
      tenantId: e988353e-91c9-4e7f-a067-99476d7755f9
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: test-one
  timeout: 1m
  wait: true
status:
  conditions:
  - lastTransitionTime: "2023-11-14T17:56:34Z"
    message: Running health checks for revision main@sha1:20641bef770afd5e6b768ef19847b1e90b01b215
      with a timeout of 1m0s
    observedGeneration: 20
    reason: Progressing
    status: "True"
    type: Reconciling
  - lastTransitionTime: "2023-11-14T17:56:33Z"
    message: Reconciliation in progress
    observedGeneration: 20
    reason: Progressing
    status: Unknown
    type: Ready
  - lastTransitionTime: "2023-11-14T17:56:34Z"
    message: Running health checks for revision main@sha1:20641bef770afd5e6b768ef19847b1e90b01b215
      with a timeout of 1m0s
    observedGeneration: 20
    reason: Progressing
    status: Unknown
    type: Healthy
  inventory:
    entries:
    - id: test-one_keycloak-client-realms-2e63d88d_infra.contrib.fluxcd.io_Terraform
      v: v1alpha1
  lastAppliedRevision: main@sha1:f5c1b559bb599862a31c9f4553e4384e344f5f56
  lastAttemptedRevision: main@sha1:20641bef770afd5e6b768ef19847b1e90b01b215
  lastHandledReconcileAt: "2023-11-14T15:27:01.132135Z"
  observedGeneration: 11
```
And the Terraform object it applies
```
paulc:paulc-mac paulc [sandbox]$ kubectl get tf -n test-one keycloak-client-realms-2e63d88d -o yaml
apiVersion: infra.contrib.fluxcd.io/v1alpha2
kind: Terraform
metadata:
  creationTimestamp: "2023-11-14T17:49:33Z"
  finalizers:
  - finalizers.tf.contrib.fluxcd.io
  generation: 1
  labels:
    app.kubernetes.io/component: keycloak-client-realms-2e63d88d
    kustomize.toolkit.fluxcd.io/name: enterprise-tenant-2e63d88d
    kustomize.toolkit.fluxcd.io/namespace: test-one
  name: keycloak-client-realms-2e63d88d
  namespace: test-one
  resourceVersion: "2214611"
  uid: b169848b-03a2-49a0-8f4d-b4d40326a618
spec:
  alwaysCleanupRunnerPod: true
  approvePlan: auto
  backendConfig:
    customConfiguration: |
      backend "azurerm" {
        storage_account_name = "some storage account"
        container_name = "some container"
        key = "some state file"
        resource_group_name = "some rg"
        subscription_id = "some sub ID"
        tenant_id = "some tenant ID"
      }
  destroyResourcesOnDeletion: false
  disableDriftDetection: false
  force: false
  interval: 1m
  parallelism: 0
  path: ./test-603/keycloak/empower-client-realms
  refreshBeforeApply: false
  runnerPodTemplate:
    spec:
      env:
      - name: ARM_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: value
            name: whizbang-solution-internal-svc-prnc
      - name: ARM_CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            key: value
            name: whizbang-solution-internal-svc-prnc-pwd
  runnerTerminationGracePeriodSeconds: 30
  serviceAccountName: tf-runner
  sourceRef:
    kind: GitRepository
    name: flux-system
    namespace: test-one
  storeReadablePlan: human
  vars:
  - name: tenant_id
    value: e988353e-91c9-4e7f-a067-99476d7755f9
  - name: subscription_id
    value: 603
  - name: enterprise
    value: Ent1
  - name: enterprise_guid
    value: 2e63d88d-969a-430e-842e-6Ffe872d00b4
  - name: internal_environment
    value: dv
  - name: keycloak_url
    value: https://whatever.com
  - name: organizations
  varsFrom:
  - kind: Secret
    name: empower-sso-client-secret-realm
  - kind: Secret
    name: enterprise-sso-client-secret-realm
  - kind: Secret
    name: keycloak-provider-client-secret
  - kind: Secret
    name: whizbang-solution-internal-svc-creds
  workspace: default
status:
  conditions:
  - lastTransitionTime: "2023-11-14T17:49:33Z"
    message: Reconciliation in progress
    reason: Progressing
    status: Unknown
    type: Ready
```
nab-gha commented
I think the postbuild substitution occurs after the patches? So the label is not there when it applies the patch. Worked around this issue.
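The ordering the last comment suspects, modelled as an added Python example (not part of the original issue and not Flux code): the patch's label selector is evaluated against the label as it stands before substitution, so it does not match and `organizations` is left without a value. The `${short_id}` placeholder, the static `part-of` label and all function names are assumptions, since the manifest in Git is not shown on the page.

```python
import copy
import re

# Constructed stand-in for the manifest in Git. The ${short_id} placeholder and
# the static part-of label are assumptions; the real manifest is not on the page.
NAMES = ["tenant_id", "subscription_id", "enterprise", "enterprise_guid",
         "internal_environment", "keycloak_url", "organizations"]
MANIFEST = {
    "kind": "Terraform",
    "metadata": {"labels": {
        "app.kubernetes.io/component": "keycloak-client-realms-${short_id}",
        "app.kubernetes.io/part-of": "enterprise-tenant"}},
    "spec": {"vars": [{"name": n} for n in NAMES]},
}
SUBSTITUTE = {"short_id": "2e63d88d"}
ORGS = ["org1", "org2", "org3"]


def matches(obj, kind, selector):
    """Equality-based label selector of the form key=value."""
    key, _, want = selector.partition("=")
    return obj["kind"] == kind and obj["metadata"]["labels"].get(key) == want


def json_patch_add(obj, path, value):
    """Minimal JSON Patch 'add' of an object member; digits index into lists."""
    *parents, leaf = path.strip("/").split("/")
    node = obj
    for part in parents:
        node = node[int(part)] if isinstance(node, list) else node[part]
    node[leaf] = value


def substitute(node, variables):
    """Replace ${name} in every string value, as a post-build step would."""
    if isinstance(node, dict):
        return {k: substitute(v, variables) for k, v in node.items()}
    if isinstance(node, list):
        return [substitute(v, variables) for v in node]
    if isinstance(node, str):
        return re.sub(r"\$\{(\w+)\}", lambda m: variables[m.group(1)], node)
    return node


def reconcile(selector, path="/spec/vars/6/value"):
    """Patch first, substitute second: the ordering the comment describes."""
    obj = copy.deepcopy(MANIFEST)
    if matches(obj, "Terraform", selector):  # selector sees the raw label
        json_patch_add(obj, path, ORGS)
    return substitute(obj, SUBSTITUTE)
```

Calling `reconcile` with the selector from the issue returns an object whose label is fully substituted but whose `organizations` var is unpatched, which matches the `kubectl get tf` output above; a selector on a label that contains no placeholder gets the patch applied.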