argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.72k stars 5.4k forks

App of Apps: allow setting a child app to have no automatic sync #16866

Open bh-tt opened 9 months ago

bh-tt commented 9 months ago

Describe the bug

When deploying an app-of-apps pattern, I'd like to enforce the automatic sync policy on the child apps, even when that sync policy is 'no automatic sync'. Right now the only way to describe no sync is to leave out the .spec.syncPolicy setting, which resolves to an app without .spec.syncPolicy due to defaults, which means the sync policy can be manually changed to something else and ArgoCD will still consider the child app to be Synced.

Note: this is likely caused by #16092.

To Reproduce

  1. Create a functional Application with .spec.syncPolicy set to {} (or that does not have it at all)
  2. Commit it to a repo
  3. Create an Application in argocd referencing that repository/path, and sync it so that it deploys the child Application to the cluster
  4. Manually change the syncpolicy to automated (prune/selfheal does not matter)
  5. The parent app will consider the child app to be in sync, despite the added .spec.syncPolicy field compared to Git.

Example apps:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: parent
spec:
  project: default
  source:
    repoURL: https://gitlab.example.com/test/argocd-configs.git
    path: apps
  destination:
    name: in-cluster
    namespace: argocd
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: child-app
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: https://gitlab.example.com/test/argocd-configs.git
    path: apps/test
  destination:
    name: in-cluster
    namespace: default

Expected behavior

I expect to be able to set a sync policy for a child app and that argocd will show the app as OutOfSync when the child app syncPolicy deviates from the git-defined syncPolicy.

Version

argocd: v2.9.3+6eba5be
  BuildDate: 2023-12-01T23:24:09Z
  GitCommit: 6eba5be864b7e031871ed7698f5233336dfe75c7
  GitTreeState: clean
  GoVersion: go1.21.4
  Compiler: gc
  Platform: linux/amd64
WARN[0000] Failed to invoke grpc call. Use flag --grpc-web in grpc calls. To avoid this warning message, use flag --grpc-web. 
argocd-server: v2.9.3+6eba5be
  BuildDate: 2023-12-01T23:05:50Z
  GitCommit: 6eba5be864b7e031871ed7698f5233336dfe75c7
  GitTreeState: clean
  GoVersion: go1.21.3
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v5.2.1 2023-10-19T20:13:51Z
  Helm Version: v3.13.2+g2a2fb3b
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.20.0

Potential fixes

If it is not possible to fix #16092 (with a sync option enforcing that the live manifest matches the desired manifest exactly or something), I think an added field like .spec.syncPolicy.automated.enabled may be needed, to allow disabling automatic sync without leaving .spec.syncPolicy as a whole empty.

bh-tt commented 9 months ago

Note that setting .spec.syncPolicy: {} still resolves to an application that does not have the key at all (due to defaults?). The same goes for setting .spec.syncPolicy.syncOptions to a value or setting .spec.syncPolicy.automated: null; the last one does not detect any differences despite the key having different values for desired and live manifests.

username-here10 commented 1 month ago

I'm facing the same problem. Using v2.10.5+

When I set

syncPolicy: null

argocd does not detect manual changes to the application manifest. However, when I change the manifest in git from

syncPolicy:
  automated: {}

To:

syncPolicy: null

Changes are detected.
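
An out-of-band audit for the drift described in this issue, as an added example that is not part of the thread or of Argo CD's own code: it compares the automatic-sync setting of each child Application declared in Git with the live object, treating a missing `syncPolicy`, `null`, `{}` and `automated: null` as the same "no automatic sync" state. Assumptions: the Git manifests have already been parsed into dictionaries, live objects come from the `items` of `kubectl get applications.argoproj.io -n argocd -o json`, the function names and the `argocd` default namespace are hypothetical, and the sample objects are constructed.

```python
import json

def effective_auto_sync(app):
    """Return None for "no automatic sync", else the automated settings.

    A missing syncPolicy, null, {}, syncOptions only, and automated: null all
    collapse to None, matching the equivalence reported in the thread.
    Assumption: presence of an `automated` object (even {}) enables auto sync.
    """
    policy = (app.get("spec") or {}).get("syncPolicy") or {}
    automated = policy.get("automated")
    if automated is None:
        return None
    return {"prune": bool(automated.get("prune")),
            "selfHeal": bool(automated.get("selfHeal"))}

def sync_policy_drift(desired_apps, live_apps, default_ns="argocd"):
    """List (namespace/name, desired, live) where live auto sync differs from Git."""
    def key(app):
        meta = app["metadata"]
        return (meta.get("namespace") or default_ns, meta["name"])
    live = {key(a): a for a in live_apps}
    findings = []
    for want in desired_apps:
        have = live.get(key(want))
        if have is None:
            continue  # not deployed: a separate finding, not policy drift
        w, h = effective_auto_sync(want), effective_auto_sync(have)
        if w != h:
            findings.append(("/".join(key(want)), w, h))
    return findings

# Constructed sample: the child app as committed in Git (no syncPolicy) ...
DESIRED_APPS = [{"kind": "Application",
                 "metadata": {"name": "child-app", "namespace": "argocd"},
                 "spec": {"project": "default"}}]
# ... and a constructed live object list, shaped like the "items" of
# `kubectl get applications.argoproj.io -n argocd -o json`, after a manual edit.
LIVE_APPS = json.loads("""[{"kind": "Application",
  "metadata": {"name": "child-app", "namespace": "argocd"},
  "spec": {"project": "default",
           "syncPolicy": {"automated": {"selfHeal": true}}}}]""")

if __name__ == "__main__":
    for name, want, have in sync_policy_drift(DESIRED_APPS, LIVE_APPS):
        print(f"DRIFT {name}: git={want} live={have}")
```

Run on a schedule or in CI, a non-empty result flags a child Application whose automatic sync was switched on or off outside Git while the parent still reports it as Synced.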