argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Add ability to kubectl apply objects using `--validate=false` #1063

Closed jessesuen closed 4 years ago

jessesuen commented 5 years ago

For a certain class of group kinds, it is necessary to kubectl apply them using the --validate=false flag. Examples of this are Kubernetes types which use RawExtension, such as ServiceCatalog.

This feature request is to allow a user to disable validation of an object when running kubectl apply for an entire group/kind. For example, all users would naturally want to disable validation for servicecatalog.k8s.io/ServiceCatalog.

This feature request is closely related to the new feature for custom health assessments, in that the configuration option for disabling validation would be a peer option to the health lua script.

jessesuen commented 5 years ago

The proposed solution for this is to leverage the upcoming sync-options feature:

metadata:
  annotations:
    argocd.argoproj.io/sync-options: Validate=false

alexec commented 5 years ago

@jessesuen. Now having attempted to get my test working, I don't think this feature can be implemented in Argo CD.

--validate=true: If true, use a schema to validate the input before sending it

Key part - "before sending". With --validate=false the manifests pass dry-run, but the server still rejects the manifests when they are applied.

jessesuen commented 5 years ago

Easy test for this:

$ k apply -f /tmp/invalid-cm.yaml
error: error validating "/tmp/invalid-cm.yaml": error validating data: ValidationError(ConfigMap): unknown field "foo" in io.k8s.api.core.v1.ConfigMap; if you choose to ignore these errors, turn validation off with --validate=false

$ k apply -f /tmp/invalid-cm.yaml --validate=false
configmap/test-cm created

$ cat /tmp/invalid-cm.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: test-cm
foo: bar

alexec commented 5 years ago

Fixed in v1.2

yann-soubeyrand commented 5 years ago

Hi @alexec, In some situations, you can't add the annotation introduced in v1.2 directly on the resource (for example when using an upstream Helm chart like cert-manager) and it would be great if one could disable validation at the application level. What do you think?

alexec commented 5 years ago

You’re thinking of an app-level flag?

yann-soubeyrand commented 5 years ago

@alexec yes, having an application option to disable validation for all the resources it deploys would be great (actually this is the way cert-manager is meant to be deployed on Kubernetes versions until 1.15: https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html). At first, I thought the annotation was to be put on the Argo CD application resource but I then realized that it's to be put directly on the resources one doesn't want to be validated, which is not possible in case of an untouched upstream chart.

alexec commented 5 years ago

@yann-soubeyrand options:-

  1. I only need to execute --validate=false on a manual basis or rarely (current PR).
  2. I always need to execute it (changes needs).
  3. I need both option 1 and 2 (changes needs).

Please provide rationale.

yann-soubeyrand commented 5 years ago

@alexec 1 is my only use case (at least for me for the moment; I've no use case for 2 or 3 yet, and I think I can live with adding the validate: false sync policy on every application if I need 2 ;-)).
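
Because the annotation discussed in this thread sits on individual resources, a reviewer may want to list which rendered manifests opt out of validation and whether their group/kind is expected to. The following is an added example, not Argo CD code and not part of the original thread; it assumes the annotation value is a comma-separated list of Name=value options, and the function names, allowlist and sample manifests are constructed for illustration.

```python
SYNC_OPTIONS = "argocd.argoproj.io/sync-options"  # annotation key quoted in the thread


def parse_sync_options(value):
    """Split 'Prune=false,Validate=false' into a dict (assumes comma-separated Name=value)."""
    options = {}
    for item in (value or "").split(","):
        name, sep, val = item.partition("=")
        if sep:
            options[name.strip()] = val.strip()
    return options


def iter_resources(manifest):
    """Yield single objects, unwrapping a 'kind: List' wrapper."""
    if manifest.get("kind") == "List":
        for item in manifest.get("items") or []:
            yield from iter_resources(item)
    else:
        yield manifest


def validation_disabled(manifests, allowed_group_kinds=()):
    """Return (group/kind, name, allowed) for every resource carrying Validate=false."""
    findings = []
    for manifest in manifests:
        for res in iter_resources(manifest):
            meta = res.get("metadata") or {}
            opts = parse_sync_options((meta.get("annotations") or {}).get(SYNC_OPTIONS))
            if opts.get("Validate") != "false":
                continue
            group = res.get("apiVersion", "").rpartition("/")[0]  # "" for the core group
            gk = f"{group}/{res.get('kind', '')}"
            findings.append((gk, meta.get("name", ""), gk in allowed_group_kinds))
    return findings


# Constructed sample input: manifests already parsed into dicts.
SAMPLE = [
    {"apiVersion": "v1", "kind": "ConfigMap", "foo": "bar",
     "metadata": {"name": "test-cm", "annotations": {SYNC_OPTIONS: "Validate=false"}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "web", "annotations": {SYNC_OPTIONS: "Prune=false"}}},
    {"apiVersion": "v1", "kind": "List", "items": [
        {"apiVersion": "servicecatalog.k8s.io/v1beta1", "kind": "ServiceCatalog",
         "metadata": {"name": "catalog",
                      "annotations": {SYNC_OPTIONS: "Prune=false, Validate=false"}}}]},
]

if __name__ == "__main__":
    for gk, name, ok in validation_disabled(SAMPLE, {"servicecatalog.k8s.io/ServiceCatalog"}):
        print(f"{'ok  ' if ok else 'FLAG'} {gk} {name}")
```
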