CRDs do not get the correct tracking annotation

[mikebryant]

Checklist:

• [x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• [x] I've included steps to reproduce the bug.
• [ ] I've pasted the output of argocd version.

Describe the bug

CustomResourceDefinition objects do not get the argocd.argoproj.io/tracking-id annotation, as described in the docs

We want to explicitly allowlist CRDs for certain AppProjects using a kyverno policy so we can delegate control, without allowing someone to modify any CRD. ( clusterResourceWhitelist only lets us do this by type, not by name)

We were hoping to use the tracking annotation to specify which were allowed for which projects - but have now found it's not available

To Reproduce

Deploy a CRD

Expected behavior

CustomResourceDefinitions should have this annotation added

Screenshots

Version

Paste the output from `argocd version` here.

v2.9.5

Logs

Paste any relevant application logs here.

Debugging

It looks like it's explicitly exclude here but there's no indication as to why

[mikebryant]

Also see https://github.com/argoproj/argo-cd/issues/12208

[sedflix]

I'm facing the same issue. CRD doesn't contain any tracking labels or annotations. Therefore "FailOnSharedResource=true" doesn't work with CRD; the one resource on which it's a must.

Is there any particular reason why no tracking labels or annotations are present on CRDs?

[mjgallag]

I would also prefer they be tracked as not tracking them appears to be causing reconciliation delays upon creation, particularly with charts that contain only CRDs (likely an edge case) such as istio-base where the first reconciliation only sees some of them and then you have to wait 5mins for rest to appear even though they were established less then a second after the initial reconciliation. Seems not tracking was done over concerns of deletion but we could block deletion by default while still tracking.

[faust64]

I'm just noticing the same thing: no tracking annotations on CRDs that were installed by ArgoCD. Moreover, I observed that if my Application used to install some CustomResourceDefinition, then I remove that from my code: ArgoCD doesn't tell me my app is OutOfSync. Doesn't seem to realize that CRD was ever part of my Application.

[todaywasawesome]

Recommendations from contributors meeting

• Docs update to let people know tracking is not done here for the reasons @jessesuen outlined in the above comment (https://github.com/argoproj/argo-cd/issues/613)
• Create a mechanism for shared resources warning, this is fairly heavy lifting for a small feature.
• Create a mechanism for shared resource dependency management between multiple applications (pretty hard problem).
• Create a flag to opt-in to CRD tracking and deletion with clarity of what would happen, maybe assume prune false.

[ftmiro]

I think I'm facing an issue related to the tracking-id for CRDs as well:

• We have an Application (App1) creating CRDs, that we deployed when the ArgoCD instance was using the label method.
• We switched the ArgoCD instance to the tracking-id.
• We made some changes in the CRD definition that is being installed by the App1 and we observe that the App keeps in OutOfSync status and we can't get the CRDs synchronized while all the other resources defined in the Application gets properly Synced.

[andrii-korotkov-verkada]

What are the argocd versions you use now?

[sedflix]

I'm using ArgoCD v2.12.4 right now.