fix: add explicit conversion.strategy to CRDs to prevent ArgoCD drift#69
Open
jsabalete wants to merge 1 commit intokyverno:mainfrom
Open
fix: add explicit conversion.strategy to CRDs to prevent ArgoCD drift#69jsabalete wants to merge 1 commit intokyverno:mainfrom
jsabalete wants to merge 1 commit intokyverno:mainfrom
Conversation
jsabalete
force-pushed
the
fix/crd-conversion-strategy
branch
from
62f96db to
fa145d7
Compare
Kubernetes automatically injects `spec.conversion.strategy: None` when a CRD is applied without a conversion field. Since the chart templates do not include this field, ArgoCD detects a permanent diff between the desired state (no conversion field) and the live state (conversion.strategy: None), causing the Application to remain OutOfSync indefinitely. This is particularly problematic when using ApplicationSet with RollingSync, as the OutOfSync state blocks progressive deployment of subsequent phases. Fixes kyverno/kyverno#15116 Signed-off-by: Javi Sabalete <javi.sabalete@enverus.com>
jsabalete
force-pushed
the
fix/crd-conversion-strategy
branch
from
fa145d7 to
5f2edbe
Compare
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When deploying Kyverno via ArgoCD + Helm, CRDs remain permanently OutOfSync after upgrading to chart version 3.7.x.
Kubernetes automatically injects
spec.conversion.strategy: Nonewhen a CRD is applied without aconversionfield. Since the chart templates do not include this field, ArgoCD detects a permanent diff between the desired state (no conversion field) and the live state (conversion.strategy: None).This is particularly problematic when using ApplicationSet with RollingSync, as the OutOfSync state on phase-0 (kyverno) blocks progressive deployment of all subsequent phases.
Fix
spec.conversion.strategy: Noneto all CRD templates incharts/kyverno-api/templates/crds/Makefilehelm-charttarget to inject the field during CRD generationAffected CRDs
All 11 CRDs under
policies.kyverno.io:Verification
Compared helm-rendered CRD (desired) vs live cluster object (stripping runtime fields). The only structural diff was the missing
spec.conversionfield.Fixes kyverno/kyverno#15116