argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Introduce sync windows as a CRD #11755

Open crenshaw-dev opened 1 year ago

crenshaw-dev commented 1 year ago

Summary

Sync windows should be defined as CRDs which are referenceable by projects, apps, and globally.

Motivation

At Intuit, we've encountered places where we'd like to define a sync window for an application without enforcing that sync window for all apps in that project (or creating a single project per app).

Others have wanted to enforce a global sync window for a whole company without either using a single project for everything (terrible for security) or duplicating sync windows across a bunch of projects.

It would also be nice to allow for self-service sync windows by non-admins. The ability to update an AppProject is effectively admin access. By separating it into a CRD, admins can allow users to create and update sync windows without granting them full admin capability.

Proposal

The CRD:

apiVersion: argoproj.io/v1alpha1
kind: SyncWindow
metadata:
  name: my-sync-window
  namespace: argocd  # there's no reason this couldn't also be in other namespaces
spec:
  syncWindows:  # allow multiple for easy transition from projects
  - kind: allow
    schedule: '10 1 * * *'
    duration: 1h
    applications:
      - '*-prod'
    manualSync: true
  - kind: deny
    schedule: '0 22 * * *'
    duration: 1h
    namespaces:
      - default
  - kind: allow
    schedule: '0 23 * * *'
    duration: 1h
    clusters:
      - in-cluster
      - cluster1

Reference from project:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
spec:
  syncWindows:
  - ref:  # new field!
      name: my-sync-window
      namespace: argocd

Reference from application:

apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
  syncWindows:  # new field!
  - ref:
      name: my-sync-window
      namespace: argocd

Reference from argocd-cm (global):

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  global.syncWindows:
  - ref:
      name: my-sync-window
      namespace: argocd
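
The Motivation section's self-service point, sketched as Kubernetes RBAC. This is an added example, not part of the original issue or of Argo CD; it assumes the proposed CRD would be served as the namespaced resource `syncwindows` in the `argoproj.io` group (the proposal does not name the plural), and the Role, RoleBinding and group names are placeholders.

```yaml
# Added example: grants write access to the proposed SyncWindow objects only.
# "syncwindows" is an assumed resource name; the CRD does not exist yet.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: syncwindow-editor          # placeholder name
  namespace: argocd
rules:
- apiGroups: ["argoproj.io"]
  resources: ["syncwindows"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
  # Deliberately no rule for "appprojects": the subject cannot change
  # a project's sources, destinations or roles.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: syncwindow-editor-release-managers   # placeholder name
  namespace: argocd
subjects:
- kind: Group
  name: release-managers           # placeholder group name
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: syncwindow-editor
  apiGroup: rbac.authorization.k8s.io
```

Write access granted this way covers every SyncWindow in the namespace, including any referenced from projects or from `argocd-cm`; `resourceNames` can narrow `update` and `patch` to named objects.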

gmartin-flexe commented 1 year ago

I've just run into this; our organization wants all developers to limit their deployment activity at the end of the week, but has no interest in any mechanism to do so and would rather each developer go through a modified approval process or wait until the following week. I wanted to try sync windows to ease the situation. Unfortunately, almost all applications are under the same AppProject, and only a select few people have permissions, so I can't apply a sync window for my applications.

Making it possible to define a SyncWindow resource would be great!