proposal: Applications outside argocd namespace #6409
Conversation
Signed-off-by: jannfis <jann@mistrust.net>
jannfis
requested review from
alexmt,
jessesuen,
jgwest,
kshamajain99,
sbose78 and
mayzhang2000
Codecov Report
@@ Coverage Diff @@
## master #6409 +/- ##
=======================================
Coverage 45.98% 45.98%
=======================================
Files 226 226
Lines 27413 27413
=======================================
Hits 12605 12605
Misses 13094 13094
Partials 1714 1714
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Signed-off-by: jannfis <jann@mistrust.net>
| ## Open Questions [optional] | ||
|
|
||
| * The major open question is, how to name `Application`s in a scenario where | ||
| the K8s resource's name isn't unique anymore. |
There was a problem hiding this comment.
K8s resource's name isn't unique anymore.
Is this the resource that the user is deploying from her git repo?
There was a problem hiding this comment.
This means the name of the Application resource, whether created from Git or in another way. Where as before uniqueness was ensured by Kubernetes because no two Applications could share the same name in the same namespace, now possibly an application named foo could exist in namespace ns-foo, and another application named foo could exist in namespace ns-bar.
|
I've gone through the whole proposal and it looks like a fairly simple enhancement to the existing paradigm! |
|
@jessesuen @alexmt Can we please revisit this topic? I think it'd be an important feature to have. |
|
FWIW I really look forward to seeing this ship. |
|
looking for this feature it makes "apps of apps" such a mess if want to have tenant namespaces but having the application definition elsewhere from the actual deployments |
|
Thanks. This is indeed a great feature which we are looking for. Right now we are trying to do a similar thing with a ton of hacks: We have written a k8s controller to watch for Application CRs in all namespaces except for argocd ns, and create a new corresponding app CR in argocd ns (using parts of uid for avoiding duplication). Also we have written a validation webhook to enforce and reject App CRs created in other ns, by checking and validating the |
| field to associate themselves to the `AppProject` named `some-project`. | ||
| In the above example, the Application `some-app` would be allowed to associate | ||
| to the AppProject `some-project`, but the Application `other-app` would be | ||
| invalid. |
There was a problem hiding this comment.
One thing that is not clear in this section is that how do you define invalid? In the implementation details you have mentioned aborting reconcile, but it is not clear to users and is only discoverable in the controller logs. Should it be rejecting via a validation webhook? or letting the creation to happen, and introduce a new status for Application as Invalid and maybe also have some events?
I think the former might be more clear and less error prone for users, especially as rejection can happen with a clear message, while the latter requires users to notice that the app status is invalid and search for the reason in the events or in .status.description.
Also it is unclear in this proposal how updates to appProj is handled (e.g. when we revoke acccess with removing some soureNamespaces)? I think we should immediately recheck all affected applications (all apps created in sourceNamespaces section of updated appproj) and update their status to invalid if required.
The downside of validationwebhook is that, when an app is created in a ns which initially was allowed in sourceNamespaces, we can not notify users that it is no longer valid, and the reconcile will only fail and might confuse them.
There was a problem hiding this comment.
One thing that is not clear in this section is that how do you define invalid? In the implementation details you have mentioned aborting reconcile, but it is not clear to users and is only discoverable in the controller logs.
This would be reflected in the Application's .status field, similar to how a failed sync is reflected right now. Since it's the application controller who is updating the .status of an Application, it's also the application controller who will be enforcing whether an application will be reconciled or not. This check is happening constantly before reconciling any app, so when you remove a source namespace from the AppProject, it would not be allowed to sync anymore.
| ``` | ||
|
|
||
| * `Applications` created imperatively (e.g. through Argo CD API via UI or | ||
| CLI) will keep being created in the control plane namespace, and Argo CD |
There was a problem hiding this comment.
So what if users define apps in new ns, in this case they can create with kubectl -f file.yaml and they are not able to create the same manifest with argocd app create -f file.yaml right? wouldn't it be confusing?
There was a problem hiding this comment.
I think the corresponding command would then be argocd app create -n <namespace> -f file.yaml (or specfiying the target namespace in the YAML). The API would then show this application as <namespace>/<appname> instead of just <appname>.
| of the second application would become `barns/some-app`. This would have the | ||
| advantage to instantly have a clue about _where_ the application is coming from, | ||
| without having to resort to the Kubernetes API to inspect `.spec.namespace` | ||
| field of the app. The notation may also use a hyphen (`-`) or underscore (`_`) |
There was a problem hiding this comment.
a - should not be used as it is allowed in k8s names. See the two following conflicting examples:
name: hello
namespace: hi-all
---
name: hello-hi
namespace: all
both will be hello-hi-all if separator be a dash.
There was a problem hiding this comment.
Good catch. Thinking about this for a while :) Will come back to it later.
|
Thanks @m-yosefpor for reviewing and picking up the discussion. |
There was a problem hiding this comment.
LGTM
We've been going back and forth on this proposal for many months. Recently all maintainers agreed this should be implemented.
I think we should merge proposal,start implementing it and handle implementation details as we go.
@jessesuen , @jannfis , @wtam2018 let me know if you have any objections please.
I have commented some notes on this proposal. @jannfis has replied them with valid answers. However I think it would be great if those answers are somehow mentioned in the proposal as well. Also I think the hyphen separator mentioned in #6409 (comment) should be deleted due to described duplication error. |
|
Will RBAC be addressed? When I create an ArgoCD Application via the UI, I am constrained by the RBAC rules effecting my user. If I create an ArgoCD application by creating a YAML for an Application object and applying, it will not know my ArgoCD user and I suspect will not enforce RBAC. My use case is that multiple teams share a cluster. I want teams to be able to use the App of Apps pattern, but I want them to be restricted into only creating applications within the projects their RBAC allows and only deploying to clusters which their RBAC allows. |
|
Hi all, Was just curious and wanted to know where are we on this? |
|
Hello, any news when this feature will be released? |
|
@Paulo-B it's expected for 2.5 in August. The PR is under review. |
|
@jannfis I very much agree with the concerns of @mkaiserincomm. There is a significant risk involved if people can create Applications linking to any project in their own namespace. I think that some explicit configuration is required to allow this. For example: apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: cicd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
description: Project CICD owned by Team CICD
destinations:
- namespace: 'cicd'
allowApplications: true
server: 'https://kubernetes.default.svc'
- namespace: 'cicd-*'
allowApplications: false #default
server: 'https://kubernetes.default.svc'
sourceRepos:
- '*'This configuration would trigger ArgoCD to read any Application CRD's from the |
|
@FireDrunk This problem is solved with the new For example, with an AppProject Then an Application created in either namespace |
That looks like a perfect alternative! I would be happy to test this functionality, since we are anxiously awaiting these kinds of improvements! Is there any kind of 'event' or notification stream or any kind of monitoring solution to make it easy to find these kinds of mishaps? |
|
(The PR for testing if you want @FireDrunk :-) #9755) |
Signed-off-by: jannfis <jann@mistrust.net>
…plications-namespaces
jannfis
force-pushed
the
proposal/applications-namespaces
branch
from
3014451
to
a50f20d
Compare
|
The PR #9755 implementing this proposal will be merged soon eventually. |
* proposal: Applications outside argocd namespace Signed-off-by: jannfis <jann@mistrust.net> * Typos and add another use-case Signed-off-by: jannfis <jann@mistrust.net> * Update 003-applications-outside-argocd-namespace.md Signed-off-by: jannfis <jann@mistrust.net>
This is a proposal to enable
Applicationresources to exist outside the Argo CD control plane's namespace.Should be considered an alternative to #6405
Related issues:
Signed-off-by: jannfis jann@mistrust.net
Checklist: