oc apply on existing resource doesn't lookup variables

[gwiersma]

Hi,

I have tested the operator with the following ConfigMap:

apiVersion: v1
kind: ConfigMap
metadata:
  name: complex-injection-test
  annotations:
    "redhat-cop.redhat.io/patch": |
       data:
         route: "{{ (lookup "route.openshift.io/v1" "Route" "test" "test").spec.host }}"
         kleine: "{{ (lookup "v1" "Secret" "test" "geheim").data.name | b64dec }}"
data:
  kleine: dwerg
  route: leer

At this point the ConfigMap doesn't exist. When i create the CM with oc apply -f, the CM is created succesfully and the values are being injected:

apiVersion: v1
data:
  kleine: rita
  route: test-test.apps.<domain>.com
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"kleine":"dwerg","route":"leer"},"kind":"ConfigMap","metadata":{"annotations":{"redhat-cop.redhat.io/patch":"data:\n  route: \"{{ (lookup \"route.openshift.io/v1\" \"Route\" \"test\" \"test\").spec.host }}\"\n  kleine: \"{{ (lookup \"v1\" \"Secret\" \"test\" \"geheim\").data.name | b64dec }}\"\n"},"name":"complex-injection-test","namespace":"test"}}
    redhat-cop.redhat.io/patch: |
      data:
        route: "{{ (lookup "route.openshift.io/v1" "Route" "test" "test").spec.host }}"
        kleine: "{{ (lookup "v1" "Secret" "test" "geheim").data.name | b64dec }}"
  creationTimestamp: "2022-06-30T13:40:21Z"
  name: complex-injection-test
  namespace: test
  resourceVersion: "44040538"
  uid: 612d4a6b-e95c-400a-8200-0205091fefc9

When i apply the same CM again with an oc apply, the values are overwritten with the default values in the CM. No lookups are being executed:

After apply:

apiVersion: v1
data:
  kleine: dwerg
  route: leer
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"kleine":"dwerg","route":"leer"},"kind":"ConfigMap","metadata":{"annotations":{"redhat-cop.redhat.io/patch":"data:\n  route: \"{{ (lookup \"route.openshift.io/v1\" \"Route\" \"test\" \"test\").spec.host }}\"\n  kleine: \"{{ (lookup \"v1\" \"Secret\" \"test\" \"geheim\").data.name | b64dec }}\"\n"},"name":"complex-injection-test","namespace":"test"}}
    redhat-cop.redhat.io/patch: |
      data:
        route: "{{ (lookup "route.openshift.io/v1" "Route" "test" "test").spec.host }}"
        kleine: "{{ (lookup "v1" "Secret" "test" "geheim").data.name | b64dec }}"
  creationTimestamp: "2022-06-30T13:40:21Z"
  name: complex-injection-test
  namespace: test
  resourceVersion: "44042975"
  uid: 612d4a6b-e95c-400a-8200-0205091fefc9

Is this a bug or is this normal behaviour?

[gwiersma]

It works when you don't specify anything in .data, it does work. But this doesn't match the docs.

[QuingKhaos]

@gwiersma this is the expected behavior of creation-time patches, which only operate on resource creation (CREATE operation in the MutatingWebhookConfiguration). If you really need to operator on resource updates too, you should consider using a runtime patch which works on resources no matter they are newly created or updated and enforces the values from your patch, which seems to be your goal.