No duplicate app validation for apps created by ApplicationSets

[Aransh]

Describe the bug

If an app is generated via an ApplicationSet (list generator in my case), seems ArgoCD does not validate that a duplicate app with the same exact name already exists. In our architecture we use a single ArgoCD server to manage several clusters, due to mistakes made by both devs and devops, we already had several incidents where due to using the same exact name of an app on the same cluster, the app will be practically installed twice, with both installations intermittently overwriting each other. From what I've seen, if you create a duplicate app without an applicationset, it will refuse to sync and throw an error (which is great), but if done through an application set:

1. You might not notice until you figure out the configuration is constantly changing
2. Once you do figure it out, you can not fix it without causing some damage, as trying to remove one of the apps will lead to all resources being removed, and only then recreated by the remaining app

To Reproduce

Create an applicationSet, use a list generator to create an app Create a second applicationSet, and use a list generator to create an app with the same name, but different configuration Watch as they endlessly fight over control Try to remove one, and see how the resources experience a downtime

Not sure if relevant, but in our case this has happened with applicationSets deployed by "app of apps", on 2 separate branches.

Expected behavior

The applicationSet refuses to sync, stating this argo server already contains an app with this generated name

Version

  BuildDate: 2023-09-13T22:00:14Z
  GitCommit: c27929928104dc37b937764baf65f38b78930e59
  GitTreeState: dirty
  GoVersion: go1.21.1
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v2.8.0+804d4b8
  BuildDate: 2023-08-07T14:25:33Z
  GitCommit: 804d4b8ca6bc4c2cf02c5c971aa923ec5b8623f0
  GitTreeState: clean
  GoVersion: go1.20.6
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v5.1.0 2023-06-19T16:58:18Z
  Helm Version: v3.12.1+gf32a527
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.20.0

[rumstead]

I suggest we add an annotation with the parent applicationset name + namespace that can be checked before the controller updates an application. The annotation could also be used to generate a list of child applications from the cli (similar to #13456 and the follow-up #15423).

Happy to contribute something.

[jiz4oh]

also encountered the issue and i had accidentally removed our production application 😭

[blakepettersson]

See #16883

[baileydoestech]

Also experienced this, mistakenly called two application sets the same name and produced to delete a production application.

Are there any eyes on the PR above getting merged?

[markussanness]

This happened to us as well with duplicate ApplicationSet names. We deployed some ApplicationSets that conflicted with others, which resulted in creation of the new set with warnings on both old and new, but on each refresh it deleted everything and restarted it all. It managed to restart everything twice before I managed to fix the naming.

This was production.

It seems a little destructive to destroy everything the second a duplicate application set is deployed, instead of warning us only.

[andrii-korotkov-verkada]

ArgoCD versions 2.10 and below have reached EOL. Can you upgrade and let us know if the issue is still present, please?

[Aransh]

@andrii-korotkov-verkada Just tested on 2.13, same as before indeed. The ApplicationSet shows a warning for the duplicate app, but doesn't actively stop it from being synced as happens without an ApplicationSet, causing a constant overwrite battle between both ApplicationSets