ApplicationSet: `applicationsSync: create-update` still deletes applications

[jaredhancock31]

Checklist:

• [x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• [x] I've included steps to reproduce the bug.
• [x] I've pasted the output of argocd version.

Describe the bug

When using a list generator in an AppSet, I wanted to exercise the applicationsSync policy to see if adding an element to the list out of band would be reverted by the AppSet controller. If I mutate the generator's list manually in this way, the additional elements always get deleted.

From my understanding of the documentation, the create-update should not prune anything, correct?

To Reproduce

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: dp-set
  namespace: argocd
spec:
  goTemplate: true
  generators:
    - list:
        elements:
          - dpName: "foo-0"
            targetNs: "slot-0"
  syncPolicy:
    applicationsSync: create-update
  template:
    metadata:
      name: '{{.dpName}}'
    spec:
      destination:
        server: 'https://kubernetes.default.svc'
        namespace: '{{.targetNs}}'
      project: default
      source:
        chart: echo-server
        repoURL: https://ealenn.github.io/charts
        targetRevision: 0.4.0
      syncPolicy:
        syncOptions:
          - CreateNamespace=true
        automated:
          prune: false
          selfHeal: true

• I committed the example above to git. All works as expected from here.
• Then I manually patch the generator's list to have a second element via kubectl. The 2nd application starts coming up in the new namespace.
• After a few seconds the AppSet controller deletes the 2nd element.

Expected behavior

Seems like the intent of the applicationsSync would suggest that the 2nd element (added OOB) would not get pruned.

My assumption is that this is because the applicationsSync policy is evaluated between syncs from source control, as opposed to diffing the actual resource in etcd. Is that correct?

From my interpretation of the docs, it looks at when the generator's output has changed and in this scenario it technically has, albeit from outside source control. I understand that this is kind of an abnormal case, so just trying to better understand the behavior.

Version

argoCD version: 2.8.0 helm chart version: 5.43.4

Logs

time="2024-01-11T17:59:49Z" level=info msg="created Application" app=foo-1 appSet=dp-set
time="2024-01-11T17:59:49Z" level=info msg="end reconcile" applicationset=argocd/dp-set requeueAfter=0s
time="2024-01-11T17:59:50Z" level=info msg="generated 1 applications" generator="{&ListGenerator{Elements:[]JSON{{[123 34 100 112 78 97 109 101 34 58 34 102 111 111 45 48 34 44 34 116 97 114 103 101 116 78 115 34 58 34 115 108 111 116 45 48 34 125]},},Template:ApplicationSetTemplate{ApplicationSetTemplateMeta:ApplicationSetTemplateMeta{Name:,Namespace:,Labels:map[string]string{},Annotations:map[string]string{},Finalizers:[],},Spec:ApplicationSpec{Source:nil,Destination:ApplicationDestination{Server:,Namespace:,Name:,},Project:,SyncPolicy:nil,IgnoreDifferences:[]ResourceIgnoreDifferences{},Info:[]Info{},RevisionHistoryLimit:nil,Sources:[]ApplicationSource{},},},ElementsYaml:,} nil nil nil nil nil nil nil nil nil}"
time="2024-01-11T17:59:50Z" level=info msg="unchanged Application" app=foo-0 appSet=dp-set
time="2024-01-11T17:59:50Z" level=info msg="Deleted application" app=foo-1 appSet=dp-set
time="2024-01-11T17:59:50Z" level=info msg="end reconcile" applicationset=argocd/dp-set requeueAfter=0s

[dtrouillet]

Hi,

I experiment the same trouble with the same scenario.

[dtrouillet]

For information, I got the solution. Please check if you have "applicationsetcontroller.policy" parameters on your applicationset controller (or in your configmap named "argocd-cmd-params-cm").

If this parameter is set, it takes the precedences :

If the controller parameter --policy is set, it takes precedence on the field applicationsSync. It is possible to allow per ApplicationSet sync policy by setting variable ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_POLICY_OVERRIDE to argocd-cmd-params-cm applicationsetcontroller.enable.policy.override or directly with controller parameter --enable-policy-override (default to false).

It works for me. Have a nice day

[andrii-korotkov-verkada]

@jaredhancock31, does the solution work for you?