argoproj / argocd-example-apps

Example Apps to Demonstrate Argo CD
1.45k stars 6.58k forks source link

No Declarative Plugins anymore! - And documentation is not reflecting newest version for CMP #235

Open rufreakde opened 11 months ago

rufreakde commented 11 months ago

CMP in configmap is deprecated since version 2.5.

https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.4-2.5/#argocd-cm-plugins-cmps-are-deprecated

Documentation example is not reflecting newest version: https://github.com/argoproj/argocd-example-apps/blob/53e28ff20cc530b9ada2173fbbd64d48338583ba/plugins/kustomized-helm/README.md?plain=1#L11

https://argo-cd.readthedocs.io/en/stable/operator-manual/config-management-plugins/

For example, we use the following, but this simple configuration will not work anymore in the future.

  configManagementPlugins: |
    - name: kustomize-build-with-helm
      generate:
        command: [ "sh", "-c" ]
        args: [ "kustomize build --enable-helm" ]

rufreakde commented 11 months ago

It is also a big issue that there is no way to configure simple plugins in a declarative way anymore. Without a custom image...

rufreakde commented 11 months ago

Screenshot 2023-08-14 at 09 42 53

I think this is a big problem? Any updates here how to continue with a declarative plugin setup? Or if one can enable helm for kustomize by default?

EDIT: linked the update

crenshaw-dev commented 11 months ago

Without a custom image

You can still make plugins work without a custom image. Just use the Argo image (or any other existing image) and load the plugin config in via a ConfigMap mount.

I think this is a big problem?

The given error could be due to a variety of problems. Can you post your plugin config?

rufreakde commented 11 months ago

@crenshaw-dev the error recovered. It appeared when we upgraded to version 2.7.11 of argoCD, where the argocd-cm cmp is disabled. But it recovered itself without anything on our side.

The plugin is still defined in the argocd-cm ConfigMap.

---
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-cm
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "-10"
data:
  # ...
  configManagementPlugins: |
    - name: kustomize-build-with-helm
      generate:
        command: [ "sh", "-c" ]
        args: [ "kustomize build --enable-helm" ]

I think for our declarative approach it is not possible, as we do not have a "copy" of the argoCD installation manifests anywhere. We just install the following: https://github.com/argoproj/argo-cd/releases

#e.g.
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.8.0/manifests/install.yaml

We always use stock defaults, and this is perfect for our needs. All "special configurations" we added through argocd-cm, for example, which is an ArgoApplication that syncs automatically. So it means that whenever we update, argoCD applies our configs on its own again, which is very convenient, especially for the devops colleagues that do the upgrade.

So from what I understood we would need to download the manifest

https://raw.githubusercontent.com/argoproj/argo-cd/v2.8.0/manifests/install.yaml

And modify the ConfigMap mounts to consume something like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: kustomize-build-with-helm
data:
  plugin.yaml: |
    apiVersion: argoproj.io/v1alpha1
    kind: ConfigManagementPlugin
    metadata:
      # The name of the plugin must be unique within a given Argo CD instance.
      name: kustomize-build-with-helm
    spec:
      version: v1.0
      # The init command runs in the Application source directory at the beginning of each manifest generation. The init
      # command can output anything. A non-zero status code will fail manifest generation.
      init:
        # Init always happens immediately before generate, but its output is not treated as manifests.
        # This is a good place to, for example, download chart dependencies.
        command: [sh]
        args: [-c, 'echo "Initializing plugin..."']
      # The generate command runs in the Application source directory each time manifests are generated. Standard output
      # must be ONLY valid Kubernetes Objects in either YAML or JSON. A non-zero exit code will fail manifest generation.
      # Error output will be sent to the UI, so avoid printing sensitive information (such as secrets).
      generate:
        command: [sh, -c]
        args: [ "kustomize build --enable-helm" ]
        # If set to `true` then the plugin receives repository files with original file mode. Dangerous since the repository
        # might have executable files. Set to true only if you trust the CMP plugin authors.
        preserveFileMode: false

possible solution

Would the simplest solution not be a "default optional configmap" in the argoCD manifests? So we can just deploy this again with our argoapp but with a very specific name, so the mount happens automatically instead. Very similar to the argocd-cm but just an argocd-cmp, for example.

rufreakde commented 11 months ago

So from the manifest the CMP-Server is running in the argocd-repo pod:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/component: repo-server
    app.kubernetes.io/name: argocd-repo-server
    app.kubernetes.io/part-of: argocd
  name: argocd-repo-server
spec:
  # ...
    spec:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: argocd-repo-server
              topologyKey: kubernetes.io/hostname
            weight: 100
          - podAffinityTerm:
              labelSelector:
                matchLabels:
                  app.kubernetes.io/part-of: argocd
              topologyKey: kubernetes.io/hostname
            weight: 5
      automountServiceAccountToken: false
      containers:
      - args:
        - /usr/local/bin/argocd-repo-server
        env:
        - name: ARGOCD_RECONCILIATION_TIMEOUT
          valueFrom:
            configMapKeyRef:
              key: timeout.reconciliation
              name: argocd-cm
              optional: true
        # ...
        volumeMounts:
        - mountPath: /app/config/ssh
          name: ssh-known-hosts
        # ...
        - mountPath: /helm-working-dir
          name: helm-working-dir
        - mountPath: /home/argocd/cmp-server/plugins # PLUGIN MOUNT
          name: plugins
      initContainers:
      - command:
        - /bin/cp
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server # PLUGIN SERVER START?
        image: quay.io/argoproj/argocd:v2.8.0
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        volumeMounts:
        - mountPath: /var/run/argocd
          name: var-files
      serviceAccountName: argocd-repo-server
      volumes:
      - configMap:
          name: argocd-ssh-known-hosts-cm
        name: ssh-known-hosts
      # ...
      - name: argocd-repo-server-tls
        secret:
          items:
          - key: tls.crt
            path: tls.crt
          - key: tls.key
            path: tls.key
          - key: ca.crt
            path: ca.crt
          optional: true
          secretName: argocd-repo-server-tls
      - emptyDir: {}
        name: var-files
      - emptyDir: {}
        name: plugins # EMPTY DIR? Why not:
      # ---
      - name: plugins
        configMap:
          name: argocd-cmp
          optional: true # mark the source ConfigMap as optional
---

crenshaw-dev commented 11 months ago

I would just use a Kustomize overlay to patch the sidecar onto the repo-server.

rufreakde commented 10 months ago

I would just use a Kustomize overlay to patch the sidecar onto the repo-server.

That is a possible workaround, yes. But we did not plan to introduce a locally maintained kustomize. Are there any contributor guides for argoCD? Maybe I could create a PR to make the argocd-cmp configmap optional instead of an emptyDir?

crenshaw-dev commented 10 months ago

we did not plan to introduce a locally maintained kustomize

I think that's a mistake... if you're customizing things, it makes sense to build an overlay.

Maybe I could create a PR to make the argocd-cmp configmap optional instead of an emptyDir?

I'm not sure what you mean. How could the ConfigMap be optional?

Are there any contributor guides for argoCD

There are, but they're all code focused. If you're just putting up a docs PR, it's as simple as fork, clone, edit, push, PR. :-)

mehdibenfeguir commented 10 months ago

Any simple method to allow the plugin in cm to be used in the newest argocd version?

rufreakde commented 10 months ago

@mehdibenfeguir

Any simple method to allow the plugin in cm to be used in the newest argocd version?

Sorry, I did not have time to create a PR to apply the configMap change as default. You can use kustomize to overwrite the

      - name: plugins
        configMap:
          name: argocd-cmp
          optional: true

section; it is currently just an empty

      - emptyDir: {}
        name: plugins # EMPTY DIR? Why not:

It would also be awesome if you share the kustomize patches, since I am not sure when and if my proposed changes would come :)

mehdibenfeguir commented 6 months ago

Not sure if I'm understanding your solution well, but this is what I'm using right now:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-cm
    app.kubernetes.io/part-of: argocd
data:
  configManagementPlugins: |
    - name: kustomized-helm
      init:
        command: ["/bin/sh", "-c"]
        args: ["helm dependency build || true"]
      generate:
        command: ["/bin/sh", "-c"]
        args: ["helm template ../../helm_base -f ../../helm_base/values-$ARGOCD_ENV_MYENV.yaml -n focal-$ARGOCD_ENV_MYENV --name-template $ARGOCD_APP_NAME --include-crds > ../../helm_base/all.yml && kustomize build"] 

How can I get this to work with the latest version of argocd, which has plugins using configmaps deprecated?
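
The Kustomize overlay approach suggested earlier in the thread, applied to the `kustomize-build-with-helm` ConfigMap posted above, as an added example (not posted by any participant and not the Argo CD project's own manifest). The file name `cmp-plugin.yaml` and the volume names `cmp-plugin-config` and `cmp-tmp` are assumptions; the sidecar layout follows the config-management-plugins documentation linked in the first comment.

```yaml
# kustomization.yaml (added example; file and volume names are assumptions)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: argocd
resources:
  # Stock install manifest, same URL the thread applies with kubectl.
  - https://raw.githubusercontent.com/argoproj/argo-cd/v2.8.0/manifests/install.yaml
  # The ConfigMap "kustomize-build-with-helm" holding plugin.yaml, as posted above.
  - cmp-plugin.yaml
patches:
  - target:
      kind: Deployment
      name: argocd-repo-server
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: argocd-repo-server
      spec:
        template:
          spec:
            containers:
              - name: kustomize-build-with-helm
                # Stock Argo CD image: already ships kustomize and helm.
                image: quay.io/argoproj/argocd:v2.8.0
                # Binary copied into var-files by the copyutil init container.
                command: [/var/run/argocd/argocd-cmp-server]
                securityContext:
                  runAsNonRoot: true
                  runAsUser: 999
                  allowPrivilegeEscalation: false
                volumeMounts:
                  - mountPath: /var/run/argocd
                    name: var-files
                  - mountPath: /home/argocd/cmp-server/plugins
                    name: plugins
                  - mountPath: /home/argocd/cmp-server/config/plugin.yaml
                    subPath: plugin.yaml
                    name: cmp-plugin-config
                  # Separate /tmp from the repo-server container; sharing it
                  # weakens the isolation between repo-server and plugin.
                  - mountPath: /tmp
                    name: cmp-tmp
            volumes:
              - name: cmp-plugin-config
                configMap:
                  name: kustomize-build-with-helm
              - name: cmp-tmp
                emptyDir: {}
```

Because the posted plugin spec sets `version: v1.0`, the linked documentation has Applications select it by name as `kustomize-build-with-helm-v1.0`. The `plugins` emptyDir from the stock manifest stays as it is: it is the shared socket directory, while the plugin definition is mounted separately at `config/plugin.yaml`.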