feat: enable metadata to be set on namespaces #10672
Codecov Report
Base: 45.60% // Head: 45.63% // Increases project coverage by
Additional details and impacted files
@@ Coverage Diff @@
## master #10672 +/- ##
==========================================
+ Coverage 45.60% 45.63% +0.03%
==========================================
Files 237 238 +1
Lines 28933 28953 +20
==========================================
+ Hits 13194 13214 +20
+ Misses 13922 13920 -2
- Partials 1817 1819 +2
This needs argoproj/gitops-engine#465 to first be merged
@blakepettersson thanks so much for this!
Can you add docs? Specifically I'd be interested in:
- field documented in docs/operator-manual/application.yaml
- explanation of what happens if I add this field but do not set CreateNamespace=true
- explanation of what happens if I add this field, but the application manifests contain a conflicting definition of the namespace
- explanation of what happens if I change the metadata in the Application manifest after the namespace is created
I think that covers all the edge cases.
Thanks for this!
Please check my comments below and here as I believe that we need to better handle the conflict cases and not just replace labels and annotations in namespaces. Maybe returning an error?
controller/should_namespace_sync.go
Outdated
|
||
labelsDiffer := !reflect.DeepEqual(un.GetLabels(), managedNamespaceMetadata.Labels) | ||
if labelsDiffer { | ||
un.SetLabels(managedNamespaceMetadata.Labels) |
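Review bot: `un.SetLabels(managedNamespaceMetadata.Labels)` replaces the namespace's whole label map, so labels written by anyone else are dropped, including namespace-scoped security controls such as `pod-security.kubernetes.io/enforce`. Merge only the keys declared in `managedNamespaceMetadata.Labels` into `un.GetLabels()`, and surface a conflict when an existing key already holds a different value.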
This would replace any existing labels with the provided ones. We discussed raising an error whenever a conflict is found.
controller/should_namespace_sync.go
Outdated
|
||
annotationsDiffer := !reflect.DeepEqual(un.GetAnnotations(), managedNamespaceMetadata.Annotations) | ||
if annotationsDiffer { | ||
un.SetAnnotations(managedNamespaceMetadata.Annotations) |
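Review bot: `reflect.DeepEqual(un.GetAnnotations(), managedNamespaceMetadata.Annotations)` treats a nil map and an empty non-nil map as different, so if one side is nil and the other is empty, `annotationsDiffer` is true and `un.SetAnnotations(...)` runs although nothing needs to change. Treat both maps as equal when both have length zero (or normalise nil to an empty map) before comparing.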
This would replace any existing annotations with the provided ones. We discussed raising an error whenever a conflict is found.
@leoluz what are your thoughts on my comment in #10288?
My thinking is that in case of a conflict on a namespace, it seems a bit heavy-handed to block the whole sync of an application. On the other hand, as you say, it's not fully desirable to just overwrite annotations and labels on a given namespace. That's why I'm thinking "emit a warning, and don't modify the namespace, but do carry on with the other manifests in the meantime".

This leads to another question; how would we best handle / tell users how to migrate existing namespaces to use To prevent causing an error (or warning), I'm guessing we'll need to note that a user will first need to manually set the resource tracking label (or annotation)?
To avoid replacing existing labels/annotations from namespaces we could use the new server-side apply feature to allow k8s handle creating the proper patch.
The idea is that you don’t have to retrieve the whole object from k8s then mutate it and try to apply it back. You can provide a partial manifest and kubernetes will take care of updating just the required portion.
To enable SSA apply flag in Argo CD is just a matter of adding this annotation in the namespace:
argocd.argoproj.io/sync-options: ServerSideApply=true
This way k8s will figure out the labels/annotations that are managed by Argo CD and leave existing ones intact
I think the Server Side Apply approach is generally solid (thanks again for your help @leoluz!). There seems to be a few caveats though, none of which should be a major showstopper but more as an FYI. Before pushing my changes, I just want to gather your thoughts/opinions on the following:
From what I can see with the SSA approach, if ArgoCD "adopts" an existing namespace and we would then want to remove a preexisting field from the adopted namespace, we'd first need to change its value, and then remove it in two separate syncs. So, imagine we have a pre-existing namespace as below:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: foobar
  annotations:
    foo: bar
    abc: "123"
```

If we want to manage the

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
  syncPolicy:
    managedNamespaceMetadata:
      annotations:
        abc: "123" # adding this is informational with SSA; this would be sticking around in any case until we set a new value
        foo: remove-me
    syncOptions:
      - CreateNamespace=true
```

Once that has been synced, we're ok to remove

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
  syncPolicy:
    managedNamespaceMetadata:
      annotations:
        abc: "123" # adding this is informational with SSA; this would be sticking around in any case until we set a new value
    syncOptions:
      - CreateNamespace=true
```

It doesn't seem like SSA has any effect if

For the first issue that's a matter of documenting the behaviour. As for the second issue we'll need to raise an error and prevent the syncing from happening. WDYT @leoluz @crenshaw-dev?
That is correct. The example you gave is great and can be added to a future documentation 👍🏻
I think that is expected. ManagedNamespaces will run as pre-sync hooks. This means that if a namespace is provided as part of the application's manifests, it will override what was defined in the
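The ownership behaviour discussed in the comments above, as an added Go example that is not code from this PR or from Argo CD: a simplified model of server-side apply field ownership on namespace annotations. It assumes conflicts are forced on apply, and the manager names `kubectl` and `argocd` are constructed for the illustration.

```go
package main

import "fmt"

// field is one annotation value plus the field managers that own it.
type field struct {
	value  string
	owners map[string]bool
}
type Annotations map[string]*field // simplified metadata.annotations + managedFields

// Apply models a forced server-side apply of a partial manifest by one manager.
func (a Annotations) Apply(manager string, applied map[string]string) {
	for k, v := range applied {
		if f, ok := a[k]; ok && f.value == v {
			f.owners[manager] = true // same value: ownership becomes shared
		} else { // new key or changed value: forced apply makes manager sole owner
			a[k] = &field{value: v, owners: map[string]bool{manager: true}}
		}
	}
	for k, f := range a {
		if _, kept := applied[k]; !kept && f.owners[manager] {
			delete(f.owners, manager) // released: key survives while others own it
			if len(f.owners) == 0 {
				delete(a, k)
			}
		}
	}
}

// Replay applies syncs as "argocd"; annotations start owned by constructed manager "kubectl".
func Replay(syncs ...map[string]string) map[string]string {
	ns := Annotations{
		"foo": {value: "bar", owners: map[string]bool{"kubectl": true}},
		"abc": {value: "123", owners: map[string]bool{"kubectl": true}},
	}
	for _, s := range syncs {
		ns.Apply("argocd", s)
	}
	out := map[string]string{}
	for k, f := range ns {
		out[k] = f.value
	}
	return out
}

func main() {
	fmt.Println(Replay(map[string]string{"abc": "123", "foo": "remove-me"}, map[string]string{"abc": "123"}))
}
```

Omitting `foo` from the first sync leaves it in place because `argocd` never owned it; only after a sync that changes its value does a later omission delete it, while `abc` persists through shared ownership.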
Alright, so now I've modified the namespace sync to make use of SSA, and updated the docs accordingly. I've also squashed my commits since it started looking a bit messy. I still need to figure out what's going on with the integration tests, they seem a bit flaky 🤔
@blakepettersson I merged the gitops-engine PR and updated the go.mod file in this PR. However the build is failing with some e2e test error. Can you please double check if this isn't a real problem? Maybe it is a good idea to update this branch with current
Signed-off-by: pashavictorovich <pavel@codefresh.io>
This builds upon the work that @pasha-codefresh did in argoproj#10288. The main differences between this PR and the previous one is that we use SSA to diff between different versions of the namespace, as well as having a slightly different API in gitops-engine for setting the namespace modifier. We now also set the ownership of the namespace in ArgoCD. Closes argoproj#4628 Closes argoproj#6215 Closes argoproj#7799 Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
For now, only allow namespaces managed with `managedNamespaceMetadata` to have tracking set by Argo. Ideally we'd like new namespaces to also be tracked by Argo, but there's currently an issue with a failing integration test. Also wrap error message if setting the app instance errors on the namespace. Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
If `hasManagedMetadata` is set, `true` should always be returned. Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Signed-off-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com>
@leoluz there were some unrelated failures before, I've seen at least the first one to have been a bit flaky in the past:

```
time="2022-11-03T21:03:37Z" level=error msg="`../../dist/argocd app sync test-immutable-change --timeout 10 --prune --plaintext --server 127.0.0.1:8088 --auth-token *** --insecure` failed exit status 1: time=\"2022-11-03T21:03:37Z\" level=fatal msg=\"Operation has completed with phase: Failed\"" execID=bd820
    app_management_test.go:379: failed expectation: error
--- FAIL: TestImmutableChange (2.95s)
```

and

All the tests pass now in any case 👍
Thanks again @leoluz! 🎉🎉
was this included in the 2.5.2 version just released? Docs don't mention it but since it was merged to master then ... maybe ;-)
@lukpep this is targeting 2.6.
* namespace labels
  Signed-off-by: pashavictorovich <pavel@codefresh.io>
* create namespace should support annotations
  Signed-off-by: pashavictorovich <pavel@codefresh.io>
* handle also modification hook
  Signed-off-by: pashavictorovich <pavel@codefresh.io>
* regenerate entity on modify hook
  Signed-off-by: pashavictorovich <pavel@codefresh.io>
* manifests
  Signed-off-by: pashavictorovich <pavel@codefresh.io>
* feat: enable metadata to be set on namespaces
  This builds upon the work that @pasha-codefresh did in argoproj#10288. The main differences between this PR and the previous one is that we use SSA to diff between different versions of the namespace, as well as having a slightly different API in gitops-engine for setting the namespace modifier. We now also set the ownership of the namespace in ArgoCD.
  Closes argoproj#4628
  Closes argoproj#6215
  Closes argoproj#7799
  Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* fix: don't always track namespaces
  For now, only allow namespaces managed with `managedNamespaceMetadata` to have tracking set by Argo. Ideally we'd like new namespaces to also be tracked by Argo, but there's currently an issue with a failing integration test. Also wrap error message if setting the app instance errors on the namespace.
  Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* fix: always return true with `hasManagedMetadata`
  If `hasManagedMetadata` is set, `true` should always be returned.
  Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* docs: add clarifying docs on resource tracking
  Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* style: pr tweaks
  Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* fix: re-add label unsetting
  Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* Update gitops-engine to current master
  Signed-off-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com>

Signed-off-by: pashavictorovich <pavel@codefresh.io>
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
Signed-off-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com>
Co-authored-by: pashavictorovich <pavel@codefresh.io>
Co-authored-by: Leonardo Luz Almeida <leonardo_almeida@intuit.com>
This builds upon the work that @pasha-codefresh did in #10288.
The main differences between this PR and the previous one is that we use
SSA to diff between different versions of the namespace, as well as
having a slightly different API in gitops-engine for setting the
namespace modifier.
We now also set the ownership of the namespace in ArgoCD (if `managedNamespaceMetadata` is set).

Fix #4628
Fix #6215
Fix #7799