search

argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
18.06k stars 5.52k forks source link

When removing a key value pair from a secret Argo-CD does not delete the key value pair, it sets the value to null and leaves the key #9368

Open patrickcamargo opened 2 years ago

patrickcamargo commented 2 years ago

Checklist:

Describe the bug When I remove a key value pair from a secret in my helm chart that contains many key value pairs, Argo-CD shows the secret as out of sync as expected, however when syncing in the change Argo-CD does NOT delete the key value pair and instead sets the value to null and shows the key value pair as removed (when viewed in the UI) but within Kubernetes the secret actually still exists as a key with a null value associated with it. I have tried syncing the deletion of the secret with Prune and/or Force with no luck. The only method I've found to be successful is to delete secret entirely (all the key value pairs) and then syncing it back in.

To Reproduce Starting with this helm chart syncd in: apiVersion: v1 kind: Secret metadata: name: my-secrets type: Opaque stringData: TEST: "value" FOO: "bar"

Commit and check in this change: (removing the FOO key value pair) apiVersion: v1 kind: Secret metadata: name: my-secrets type: Opaque stringData: TEST: "value"

FOO: "bar"

Expected behavior Argo-CD will show this as out of sync (it does) and syncing this change in argo-cd will delete the key value pair from the secret.

Actual behavior The key value pair shows as deleted in the argo-cd UI and when checking via kubectl kubectl describe my-secret I see that the key value pair still exists only as a null value now:

kubectl describe secret my-secrets Name: my-secrets Namespace: default Labels: app.kubernetes.io/instance=secrets Annotations:

Type: Opaque

Data

FOO: 0 bytes TEST: 5 bytes

Screenshots Out of sync view in Argo-CD diff

Sync'd in and deleted view: syncd-deleted

kubectl command to verify secret was altered correctly, key still exists with null value: kubectl-still-present-as-null

Version argocd: v2.2.3+987f665 BuildDate: 2022-01-18T17:53:49Z GitCommit: 987f6659b88e656a8f6f8feef87f4dd467d53c44 GitTreeState: clean GoVersion: go1.16.11 Compiler: gc Platform: linux/amd64 argocd-server: v2.3.3+07ac038 BuildDate: 2022-03-30T00:06:18Z GitCommit: 07ac038a8f97a93b401e824550f0505400a8c84e GitTreeState: clean GoVersion: go1.17.6 Compiler: gc Platform: linux/amd64 Ksonnet Version: v0.13.1 Kustomize Version: v4.4.1 2021-11-11T23:36:27Z Helm Version: v3.8.0+gd141386 Kubectl Version: v0.23.1 Jsonnet Version: v0.18.0

jdomag commented 2 years ago

We hit this bug today as well argo 2.3.2

janosmiko commented 2 years ago

I also faced the same issue.

I tried to use the annotation below but didn't help.

argocd.argoproj.io/sync-options: Replace=true
oisin88 commented 1 year ago

Has anyone found a fix for this yet?

harikrongali commented 1 year ago

@crenshaw-dev is this a regression?

crenshaw-dev commented 1 year ago

@harikrongali it could be. Someone would have to go back and confirm whether it behaved differently in a previous version. Regardless, seems like a bug.

rshiva777 commented 1 year ago

Facing same issue on argocd v2.6, looks like a bug ?

jjaygohil commented 7 months ago

Facing similar issue.

jjaygohil commented 7 months ago

We used argocd.argoproj.io/sync-options: Replace=true annotation on secret to work around this issue.

meisfrancis commented 5 months ago

Any update on this issue?

Elyytscha commented 2 months ago

hitting the same issue

oivindoh commented 1 week ago

Indeed - still present on v2.12.6+4dab5bd