openshift-applier: Allow some content to be "created" instead of "applied" for idempotency about casl-ansible HOT 3 CLOSED

@InfoSec812 Applying/creating an object only once isn't the same as being "idempotent". By skipping it on consecutive runs basically means that no changes whatsoever will ever be applied beyond the first run (and hence rather than updating an object, it needs to be deleted and re-created). That's not how the openshift-applier is designed to work. The recommendation here is to rather fix the cause for why it cannot be re-applied multiple times. As discussed on this particular issue, the secrets are re-generated because the template actually asked for them to be. Hence, if the template is "fixed" to not do so, it can be re-applied multiple times without causing the effect described as problems.

BTW: there's a new PR out that simplifies the overall openshift-applier implementation and it allows for greater flexibility around the action - i.e.: apply v.s. create. Check it out: #102

CC @etsauer @sherl0cks

from casl-ansible.

Do you have a suggested method to configure the template to not regenerate the secret? As far as I know, if the secret is present in the template without hard-coded parameter values, the secret will be regenerated. I suppose that we could hard-code those values, but that would put credentials into the inventory and the git repo (a bad practice).

from casl-ansible.

@InfoSec812 closing out this issue as done as PR #102 should take care of this. Please give the latest version of the openshift-applier a try (please read the README carefully to understand the file_action and template_action change). If that doesn't meet the need for apply v.s. create, please let us know.

Also; another change is in progress re: a filter/tag (along the lines of the whitelist aspect Justin brought up), so that should benefit you as well.

from casl-ansible.