argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
16.7k stars 5.06k forks

Argocd App Diff with --server-side-generate and server side diff doesn't work as I expect #18839

Open jeremych1000 opened 5 days ago

jeremych1000 commented 5 days ago

Describe the bug

I have a repo of helm charts, and use argocd app diff to generate diffs in PRs about what's changed. For example, if I edit a helm values replicas from 2 to 3, argocd app diff will show me this. This has worked well before.

However, I also want this to validate that the YAMLs are valid. For example, replicas: apples is valid YAML, so argocd app diff won't fail. However, it will obviously fail when it gets applied to Kubernetes.

I tried to enable server side diffing for argo itself, as well as --server-side-generate for argocd app diff. I thought this meant argo tries to dryrun=server apply my invalid YAML to Kubernetes and it should error out - but it doesn't.

To Reproduce

  1. Have a deployed application
  2. Change the manifest to have something invalid like replicas: apples
  3. Make sure server side diff is enabled on Argo
  4. Run argocd app diff xyz --revision xyz --server-side-generate
  5. Observe that app diff does NOT fail

Expected behavior

  1. Argo app diff should fail if the desired manifest is not a valid Kubernetes manifest

Screenshots

(on the branch nonvalid)
$ argocd app diff heartbeat --loglevel debug  --server xyz --revision nonvalid --auth-token xxxxx --server-side-generate

===== apps/Deployment heartbeat/heartbeat ======
15a16
>   apples: oranges
17c18
<   replicas: 1
---
>   replicas: false

desired deployment.yaml (replicas: false +apples should both invalidate this manifest)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: heartbeat
  labels:
    app.kubernetes.io/name: heartbeat
spec:
  replicas: false
  apples: oranges
  selector:
     matchLabels:
       app.kubernetes.io/name: heartbeat
  template:
    metadata:
      labels:
        app.kubernetes.io/name: heartbeat
    spec:
<...>

Version

$ argocd version
argocd: v2.11.3+3f344d5
  BuildDate: 2024-06-06T08:42:00Z
  GitCommit: 3f344d54a4e0bbbb4313e1c19cfe1e544b162598
  GitTreeState: clean
  GoVersion: go1.21.9
  Compiler: gc
  Platform: linux/amd64

christianh814 commented 4 days ago

@jeremych1000 Are you saying you also want to lint the YAML and not just show the diff, is that correct?

I wonder if just updating the CLI with --lint would be good (instead of changing the behavior).

Or are you saying this worked before and now it's not?

jeremych1000 commented 4 days ago

> @jeremych1000 Are you saying you also want to lint the YAML and not just show the diff, is that correct?
>
> I wonder if just updating the CLI with --lint would be good (instead of changing the behavior).
>
> Or are you saying this worked before and now it's not?

Yes both.

I would've expected app diff with server side generate to verify the desired manifests against the Kubernetes schema - this is not the case.

A --lint option would be amazing, assuming it does validate the Kubernetes schema and not just valid YAML (e.g. replicas: foobar is valid YAML but not a valid Kubernetes manifest, so would be invalid), and that it can be run for desired manifests, i.e. against a specific revision/branch or a local chart that's WIP (likely as part of argocd app diff).

Happy to answer any further questions!
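One way to get the schema check discussed above in a PR pipeline today, as an added example that is not part of the thread or of Argo CD: render the desired manifests with argocd app manifests and send them through a server-side dry run with kubectl before diffing. It assumes kubectl's current context is the application's destination cluster, the argocd CLI is already logged in, and objects either carry their namespace or belong in the context's default one; the function names and exit codes 3 and 4 are made up for this example.

```shell
#!/bin/sh
# Added example, not Argo CD code. Assumptions: kubectl's current context is
# the app's destination cluster; argocd is already logged in; the function
# names and exit codes 3/4 are chosen for this example.

# validate_desired APP REVISION
# 0 = API server accepted every rendered object, 3 = render failed,
# 4 = server-side dry run rejected at least one object.
validate_desired() {
  # Render the desired state from git at the given revision.
  vd_rendered=$(argocd app manifests "$1" --source git --revision "$2") || return 3
  [ -n "$vd_rendered" ] || return 3
  # --dry-run=server runs API-server decoding, schema validation and admission
  # without persisting anything; --validate=strict turns unknown fields such
  # as "apples" into errors instead of warnings.
  printf '%s\n' "$vd_rendered" |
    kubectl apply --dry-run=server --validate=strict -f - >&2 ||
    return 4
}

# pr_gate APP REVISION
# Validate first, then show the diff. argocd app diff exits 1 when it found
# differences, which is the normal case in a PR, so only 2 and above fail.
pr_gate() {
  validate_desired "$@" || return $?
  pg_rc=0
  argocd app diff "$1" --revision "$2" --server-side-generate || pg_rc=$?
  [ "$pg_rc" -le 1 ] || return "$pg_rc"
}

# Stand-alone use: sh gate.sh heartbeat nonvalid
[ "$#" -lt 2 ] || pr_gate "$@"
```

The dry run needs a service account allowed to create and patch the rendered kinds, since the API server authorizes dry-run requests like real ones.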

jeremych1000 commented 1 day ago

To confirm, I would expect this to have failed (server side diff enabled, server side generate on).

===== apps/Deployment heartbeat/heartbeat ======
--- /tmp/argocd-diff2895682643/heartbeat-live.yaml  2024-06-27 13:15:11.305950685 +0000
+++ /tmp/argocd-diff2895682643/heartbeat    2024-06-27 13:15:11.305950685 +0000
@@ -13,8 +13,9 @@
   resourceVersion: "110284644"
   uid: 0c403e5b-f950-4b9a-95d3-f787b570b95c
 spec:
+  apples: oranges
   progressDeadlineSeconds: 600
-  replicas: 1
+  replicas: false
   revisionHistoryLimit: 10
   selector:
     matchLabels:
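Review bot: on the `+` side of this hunk `spec.replicas` is the boolean `false` where an apps/v1 Deployment takes an integer, and `apples: oranges` is added directly under `spec`, which has no such field. Restore an integer for `replicas` and drop `apples` before this revision is applied; a server-side dry run with strict field validation is the check that should reject both.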