-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Combine files in a multisource repo (#12471 #12485) #12508
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12508 +/- ##
==========================================
+ Coverage 49.45% 49.46% +0.01%
==========================================
Files 273 271 -2
Lines 48662 48140 -522
==========================================
- Hits 24066 23813 -253
+ Misses 22235 21960 -275
- Partials 2361 2367 +6 ☔ View full report in Codecov by Sentry. |
There's a lot of code duplicated from I think once the copyFrom logic is there and I both have a clearer view of how stuff works and I'm more comfortable with the logics here, I will see how can I clean this mess up. And I'm also planning to address the LintGo failing test later. |
I've got the following errors while running
And the String operator for ApplicationSources is defined at
IIRC I haven't fiddled with this part, and I'm not really sure what might have caused those test errors. |
I think the PR looks feature-complete right now, unit tests are also passing. The place I couldn't find the tests for are the changes in the Docs are still to be adjusted. |
Docs are updated as well. @ishitasequeira, could you please review it? |
Will review it today. |
This is looking really cool! We'll probably want some e2e tests to validate a few base use cases for this feature. |
One thought that comes to my mind is, are we allowing a nested access of referenced sources for
I think this can lead to a lot of concerns. We should probably not allow |
Currently that does make sense, however I'm considering another feature, where the output of a source can be referenced in another source building on this feature. Adding something like a I think, as of right now, putting a warning into the documentation is more effective. Also, I think adding O_EXCL helps here with overwriting files:
|
I don't understand why the tests are broken, before i've synced the branch to master, everything was green. |
I don't really understand why the e2e test
And the most interesting part is, I've reverted to a commit prior to my changes, and it still fails the same way as shown above:
|
@gczuczy that test is flaky. I have an open PR to try to fix that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Partial review
I'm eagerly waiting for the merge of this PR. Keep up the good work! |
Here's a simplistic test example:
This application has a kustomization in one repo, and one of the There was another internal test, which is rather complicated, it deploys an ArgoCD ecosystem with a superchart, ArgoCD and ArgoWorkflows as a subchart, with a fair amount of secrets, for which we're using AVP to acquire. The gist of that secret are the following two snippets: For the
Here the chart has The environment-specific values.yaml is passed to the AVP plugin through the
So, helm is using the environment-specific values from a separate repo and its output is fed to AVP, which is taking care of the |
What capabilities does our plugin have today:
Issues:
|
Signed-off-by: Gergely Czuczy <gergely.czuczy@sap.com>
Signed-off-by: Gergely Czuczy <gergely.czuczy@sap.com>
Signed-off-by: Gergely Czuczy <gergely.czuczy@sap.com>
Hi all, I understand that the proposal from this PR provides more features than this simple ask and could lead to many anti-patterns, or prevent the argoCD community to migrate to cleaner approaches. But we should probably consider some of the use cases as there might be quick wins, Thank you for the hard work! As argoCD users, we really appreciate the discussions and debates that are leading to a better solution. |
I get the thought process on this being an anti-pattern. I think that makes perfect sense when you control the creation of the helm/kustomize. This gets more tricky when you are not in control. We currently only use ArgoCD to handle deploying supporting infrastructure, and not our apps. This means we are restricted by what is done in the upstream helm/kustomize. Not all projects follow best practices. I found 3 different projects, we use, that store secrets in ConfigMaps. Currently we are getting by without this PR (though it would be nice to have). If AVP is ruled an anti pattern, and not supported moving forward, it would create a lot of work for my team if we wanted to continue using ArgoCD. I believe I would be able to open PRs to upstream projects to hopefully update their projects, but if those got denied it would mean maintaining our own copies of their projects and keeping up with their updates. That would introduce a lot of work, and may cause us to look for a solution other than ArgoCD. If that was the case it may be that our use case is just not the intended use case for ArgoCD, and that would be fine. If the intended use case for ArgoCD is to handle upstream helm/kustomize, and not just custom, I think that is worth thinking about. All you great folks do the work though, and know what you can/can't take on. I just wanted to share my view point, as I feel that the others didn't share it exactly. I am super grateful for all the work put into this project. |
@alexgenon I agree, that feature would be a relatively intuitive, maintainable, and impactful feature. I'd definitely welcome that change!
100%. I wonder if the problem is more that these open source charts/kustomize bases can't support secret refs (not enough maintenance resources) or don't actually see it as a problem.
I think that's just a general Kubernetes anti-pattern. Secrets should be stored in Secrets.
That's a fair analysis. In my opinion, "safe, robust secrets injection" lies outside what the Argo CD team can currently offer. To provide a strong core product, I think we should encourage folks to adopt the much more compatible solution of external secrets operators. Some won't be able to make that switch, but I don't think that's a problem the Argo team is currently well-positioned to solve. |
Added documentation for fileParameters in a helm source Application or the --helm-set-file cli option from argoproj#2751. Added a note about argoproj#13220 so users are aware. argoproj#12508 aims to remove this limitation so the warning can probably be removed with that.
Added documentation for fileParameters in a helm source Application or the --helm-set-file cli option from argoproj#2751. Added a note about argoproj#13220 so users are aware. argoproj#12508 aims to remove this limitation so the warning can probably be removed with that. Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Hi guys this was indeed a great discussion. As a argocd user, I'm curious about one thing: what happens next? |
consider if going for alternative og live with the decision |
ArgoCD 2.11: This comes with something that looks similar to the feature discussed here. - https://argo-cd.readthedocs.io/en/latest/user-guide/multiple_sources/ |
The multi-source docs haven't changed appreciably since v2.8 AFAICT, this feature is adding a from:
- ref: $values1
sourcePath: "dev/values.yaml"
destinationPath: "env-values.yaml" |
This PR would have expanded the multi-source support. The problem with multi-source is, it's not working with plugins, and many people need plugins and multisources, that's how this PR was born. Our usecase was AVP for secrets specifically. |
Hello, I ended up here after noticing multisource isn't compatible with helm-secrets. What's the point to have multisource, if no plugins can be used to decrypt values ? Who stores it sensible values unencrypted ? |
@reachfivejenkins There‘s other ways to deploy secrets, e.g. with external-secrets. The point of multi-source as it is is to provide multi source applications to whoever can use them in the current state. |
Been using this configuration for helm-secrets and multi-source for quite some time and it's working nicely for us. |
I looked at it, but we are using SOPS with googleKMS, i doesn't look compatible. |
Could you please take this discussion to the appropriate forum/Q&A/discussion? This is already a PR with lots of on-topic discussion that only gets harder to parse with more and more unrelated comments. Thank you! |
Added documentation for fileParameters in a helm source Application or the --helm-set-file cli option from argoproj#2751. Added a note about argoproj#13220 so users are aware. argoproj#12508 aims to remove this limitation so the warning can probably be removed with that. Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
I don't know in which discussion i should write. How is this going? I need that feature for secret and configmap replacing. I did my own replacer that uses kubernetes secrets and configmaps and realize that argocd is the limitation. |
This is not going. @crenshaw-dev personally thinks that this is antipattern :) You know it's like JSON format don't have comments because the author didn't like how some people use them. As @crenshaw-dev is a PM for the whole Argo you can estimate probability of merging this PR. so we shouldn't use such approach. To be a serious - you can separate secret management from app management and not use helm_template in favor of avp plugin. This is quite easy - just another argocd app. Also you can try ESM. |
but this is easier for me. I changed my script a bit today and fixed some other issues. The only problem is that it does not work with the external value files. Using a url is stupid because it won't be updated when you change the values file. |
It might be easier for you, but that means additional maintenance efforts are needed. One of the maintainers has clearly stated that that is not going to happen for now. I can understand that this is not what you would like, but it’s a maintainer decision we all have to respect. Instead of complaining about that, let’s work together as a community to find solutions that the maintainers are happy to support that help us do what we want. |
So if you think that it is antipattern and you need some more maintenance efforts so how to use your product properly? I always thought that using secret managers for storing secrets is best practice but here in thread where guy made this possible for using secrets in argocd in way that I and he is preferred other guys say "This is antipattern" I don't know what to do. How I need to use gitops approach with all the tools if
If argocd and gitops is the NEW way of managing deployments, so why it has this kind of problems that maintainers do not want to resolve |
@Lawliet2012 You can always manage secrets with another tool and then use them in your containers. Different ways have been shown here already, a quick recap: Deploy secrets without ArgoCDA lot of helm charts enable this with an `existingSecret` value, for example the [bitnami/postgresql](https://github.com/bitnami/charts/blob/aeecba3c132c3bc89a9877300f235222985287e7/bitnami/postgresql/values.yaml#L155) chart.To do so:
For your use case, it sounds like you're using Hashicorp Vault, so I recommend to take a look at the external-secrets operator. We're using it with great success.
This problem is already resolved. ArgoCD however is not the tool to resolve it and there is a clear decision that it will not become that tool. Please stop accusing maintainers of not wanting to resolve issues, they have shown a lot of patience in this issue to explain why this is not going to happen: It is not part of what ArgoCD's core "mission" is and it would be a lot of effort to maintain. With that decision, there is no issue to resolve anymore since other ways exist to achieve what has been discussed here. |
I think it's partially that the main maintainer sees it as an antipattern, but also that the feature is actually more generic than the secrets management case, and complex enough to draw significant resources from the project that they don't have, to maintain the feature (and all that could be built on top of that). And both reasons "collide" somehow, "coincidentally". That is my take, and I do think it's fair, if a bit of a bummer because (imo) it really would be a killer feature, but given the stance I don't see a reason to argue, it is what it is and the reasons above are valid as they are, regardless of how I agree or not, at any rate. Just my 2c |
@
Again - you can still use AVP plugin. But not together with helm and multiple values templating. Just step a side, create simple yaml files with the path to the secret create ArgoCD app with simple yaml sidecar plugin. It also works with simple helm chart(but rendering with AVP plugin not I prefer to use this approach to manage everything with one tool - ArgoCD (and in one place). If you don't want to spend more time configuring ArgoCD apps you can try external-secrets like @morremeyer mentioned. ArgoCD team cannot turn something to an antipattern. But they have every right not to implement any feature if they feel this is not in the product scope. The same as we can use any other approach to manage secrets with or without ArgoCD. |
Fixes #12471
Fixes #12476
Fixes #7189
Fixes #13220
Fixes #14521
Note on DCO:
If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.
Checklist: