feat: Add ignore-resources-tracking annotation to ignore resources update

[kahoulei]

This is the enhancement request to allow user ignore any resource update.

Previously we have a feature ignoreResourceUpdatesEnabled which allow user to ignore certain part of the resource manifest. But that feature does not fulfill the use case of newly created object.

When an dependent object is created, there is no old manifest to compare and therefore we always refresh in such case. This is wasting a lot of compute cycle if a cluster has a lot of dependent objects (e.g. jobs and pods created by cronjobs).

Instead, this PR introduces an annotation argocd.argoproj.io/ignore-resources-tracking so that user can use it on a specific resource and argocd can completely ignore it.

Also, this annotation will only work behind the same ignoreResourceUpdatesEnabled flag.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[kahoulei]

cc @agaudreault

[agaudreault]

I would keep the same terminology. resource tracking means it does not show up in Argo UI and this would lead to confusion

Suggested change

	AnnotationIgnoreResourcesTracking = "argocd.argoproj.io/ignore-resources-tracking"
	AnnotationIgnoreResourcesUpdate = "argocd.argoproj.io/ignore-resources-update"

[agaudreault]

I think we can save memory here and just have a bool instead. annotations like kubectl.kubernetes.io/last-applied-configuration can end up consuming a lot if you consider the number of resources argo watches

[agaudreault]

I think you should ignore only if the health status did not change.

[agaudreault]

I don't think the debug message adds much information. I would either leave it as-is, or perhaps add a log field with the values of the annotation. This way we can query logs to know what was ignored because of annotations.

Suggested change

	}).Debugf("Ignoring change of object because none of the watched resource fields have changed or annotation %v is set to true", AnnotationIgnoreResourcesTracking)
	}).Debug("Ignoring change of object because none of the watched resource fields have changed")

[agaudreault]

@kahoulei Something I was thinking but had not the time to complete was to do the same, but with an "allow" annotation instead of a "ignore". Basically, argocd.argoproj.io/apply-resources-updates: "true". When this annotation is specified, it performs the same logic as we have today: generating the hash based on configuration.

The advantage was that you dont have to always ignore the full resources, but you can laverage the ignoreResourceUpdates configurations.

[kahoulei]

@agaudreault thanks for the review.

If I understand correctly, for the resource that we want to ignore we should set argocd.argoproj.io/apply-resources-updates: "false". Is it correct?

If argocd.argoproj.io/apply-resources-updates: "true", we will just compare the generated hash as is.

[agaudreault]

@agaudreault thanks for the review.

If I understand correctly, for the resource that we want to ignore we should set argocd.argoproj.io/apply-resources-updates: "false". Is it correct?

If argocd.argoproj.io/apply-resources-updates: "true", we will just compare the generated hash as is.

Correct, if the annotation is there and is true, we would generate a hash and compare it later on. If the annotation is false or missing, then we do nothing (like what we have today)

[kahoulei]

If the annotation is false or missing, then we do nothing (like what we have today)

I thought we will generate hash if ignoreResourceUpdatesEnabled is true. So if the annotation is missing, we will generate the hash anyway? (for backward compatibility)

see https://github.com/argoproj/argo-cd/blob/master/controller/cache/cache.go#L507-L514

[kahoulei]

@agaudreault PTAL if you get a chance. Thanks!

[agaudreault]

The code can be simplified by just checking this at the end of shouldHashManifest method.
If the shouldHashManifest return true because the annotations is present for an untracked resource, then it will take the same codepath as current behavior for tracked resources.

No need to update the ResourceInfo, store booleans or annotations.

[kahoulei]

@agaudreault updated with your suggestion.

One additional change in skipResourceUpdate: since we are not going to generate hash and therefore the logic of isSameManifest need to change. So PTAL.

[agaudreault]

We simply cannot generate a hash by default or skip the resources updates for all the resources. When the annotation is not defined, the hash should not be generated. If you generate a hash by default for all resource updates, the controller will use a lot more CPU generating hashes than what you will save skipping reconcile.

I also think we should not go in a direction where non-argocd resources must have argocd annotations.

That is why I think the best approach is:

• Generate the hash only if annotation is present and true.
• (already done) Skip the resource updates if the hashes exist and the hashes match OR if the resource does not belong to any application

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 47.65%. Comparing base (355ec75) to head (e4b3837).
Report is 75 commits behind head on master.

❗ Current head e4b3837 differs from pull request most recent head bec8ffe

Please upload reports for the commit bec8ffe to get more accurate results.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #18343      +/-   ##
==========================================
+ Coverage   45.01%   47.65%   +2.64%     
==========================================
  Files         354      332      -22     
  Lines       48018    46835    -1183     
==========================================
+ Hits        21613    22317     +704     
+ Misses      23597    21669    -1928     
- Partials     2808     2849      +41     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[kahoulei]

@agaudreault I have added unit tests and they all passed. But the e2e tests are failing and looks like they are not related. Can you help me to take a look? (Sorry I am still not familiar with the e2e tests yet)

[agaudreault]

This condition should not change. If a resource does not have a hash, that means the annotation was not there (or not true), therefore we should not ignore updates.

[kahoulei]

Ok, I misunderstood your intention. So you want is the dependent object set argocd.argoproj.io/apply-resources-update=true and then use the existing ignore resources config to skip refresh. I will update the PR.

[kahoulei]

@agaudreault can you take a look if anything else I need to change?

[agaudreault]

Logic looks good. Most comments are about terminology and user documentation to polish.

[agaudreault]

Leaking implementation details on the API.

Suggested change

	// AnnotationApplyResourcesUpdate when set to true on a resource that is not tracked under an app, argocd will generate a
	// hash and apply `ignoreResourceUpdate` configuration on it. If the annotation is set to false (or not presented) on a resource
	// that is not tracked under an app, ignoreResourceUpdates configuration will not be applied.
	// AnnotationApplyResourcesUpdate when set to true on an untracked resource,
	// argo will apply `ignoreResourceUpdates` configuration on it.

[agaudreault]

Now that the code is written, I think it will be much easier for users to have the same terminology with the existing feature. wdyt?

Suggested change

	AnnotationApplyResourcesUpdate = "argocd.argoproj.io/apply-resources-update"
	AnnotationIgnoreResourceUpdates = "argocd.argoproj.io/ignore-resource-updates"

[kahoulei]

@agaudreault I think AnnotationApplyResourcesUpdate is more logical to me. AnnotationIgnoreResourceUpdates seems the invert of what we are doing and therefore we need to flip our logic if we rename it.

[agaudreault]

Only one resource

Suggested change

	isTrackedResources := appName != "" || (gvk.Group == application.Group && gvk.Kind == application.ApplicationKind)
	isTrackedResource := appName != "" || (gvk.Group == application.Group && gvk.Kind == application.ApplicationKind)

[agaudreault]

I think the concepts of tracked resources and watched resources here are mixed up. Also the user facing documentation is leaking the implementation.

Suggested change

	## Tracking Dependent Resources
	Dependent resources by default are not being tracked. Therefore, we cannot generate any hash of those objects and utilize
	the `ignoreResourceUpdates` configuration.
	If you want to track the dependent object and apply the `ignoreResourceUpdates` configuration, you can add
	`argocd.argoproj.io/apply-resources-update=true` annotation in the dependent resources manifest:
	## Ignoring updates for untracked resources
	ArgoCD will only apply `ignoreResourceUpdates` configuration to tracked resources of an application. This means dependant resources, such as a `ReplicaSet` and `Pod` created by a `Deployment`, will not ignore any updates and trigger a reconcile of the application for any changes.
	If you want to apply the `ignoreResourceUpdates` configuration to an untracked resource, you can add the
	`argocd.argoproj.io/ignore-resource-updates=true` annotation in the dependent resources manifest.

[agaudreault]

Suggested change

	Then you can update `argocd-cm` configMap to ignore the dependent resources:
	The resource updates will be ignored based on your the `ignoreResourceUpdates` configuration in the `argocd-cm` configMap:

[agaudreault]

Implementation details.

Suggested change

	Note: If you set `argocd.argoproj.io/apply-resources-update: "false"`, no hash will be generated and `ignoreResourceUpdates`
	cannot be applied on those resources.

[kahoulei]

@agaudreault I updated the doc. Thanks.

[agaudreault]

Let's make the name consistent. Make sure to validate all references

Suggested change

	AnnotationIgnoreResourcesUpdate = "argocd.argoproj.io/ignore-resources-update"
	AnnotationIgnoreResourceUpdates = "argocd.argoproj.io/ignore-resource-updates"

[agaudreault]

Code LGTM. Waiting for a before/after graph on an instance with real load before merging

[ronaknnathani]

Glad to see that this feature is being added. We have a case where we run large k8s clusters (~5k nodes) with tens of thousands of pods. Pod updates result in significant reconciliation activity and we are looking to leverage this feature.

A quick question about this change - if let's say updates on /status are ignored for an object like Pods, would the UI not show the latest Pod state in that case or would this only skip the Application reconciliation?

[kahoulei]

A quick question about this change - if let's say updates on /status are ignored for an object like Pods, would the UI not show the latest Pod state in that case or would this only skip the Application reconciliation?

@ronaknnathani the behavior is same as ignoreResourceUpdates feature.

[kahoulei]

Discussed with @agaudreault about load testing. I don't have environment to test it currently. If someone know how to load test it, please leave a comment here so that we can merge it.