search

crumbhole / argocd-lovely-plugin

A plugin to make Argo CD behave like we'd like.
BSD 3-Clause "New" or "Revised" License
355 stars 22 forks source link

v1.0.1 breaks dynamic Chart.yaml names #507

Closed nerdingas-armaitis closed 2 weeks ago

nerdingas-armaitis commented 3 weeks ago

Hi,

I have an app of apps with bunch of argocd applications and couple of them have dynamic names. This worked perfectly fine on 1.0.0, but is now broken on 1.0.1. Maybe the order of name check vs interpolation has changed?

It still displays name of application correctly in the argocd ui even on 1.0.1.

Application definition:

kind: Application
metadata:
  name: app-<vault:xxx/data/xxx~xxx>-xxx

Error in the logs:

ComparisonError: Failed to load target state: failed to generate manifest for source 1 of 1: rpc error: code = Unknown desc = Manifest generation error (cached): plugin sidecar failed. error generating manifests in cmp: rpc error: code = Unknown desc = error generating manifests: `argocd-lovely-plugin` failed exit status 1: 2024/06/10 12:33:15 exit status 1: Error: validation: chart.metadata.name "app-<vault:xxx/data/xxx~xxx>-xxx" is invalid

Work around: rollback to 1.0.0

Joibel commented 3 weeks ago

Is this an application part of an app of apps? You're running it through lovely-vault? I wonder if lovely-vault is broken - are there any logs from the container other than this? The changelog is only for dependencies, so I can't see a likely candidate for breaking this.

nerdingas-armaitis commented 3 weeks ago

yes - application is part of an app of apps. yes - app of apps is using lovely-vault for deployment (I think that was the only way to get dynamic names to work)

I have also looked at the changelog and could not see anything incriminating. Maybe its the helm version changes in the dockerfile?

I have tried rolling forward and backwards couple of times and it always behaves the same.

These are the only logs from the lovely-plugin container.

10/06/2024, 13:21:21.650    
time="2024-06-10T12:21:21Z" level=info msg="Generating manifests with no request-level timeout"

10/06/2024, 13:21:21.650    
time="2024-06-10T12:21:21Z" level=info msg=argocd-lovely-plugin dir=/tmp/_cmp_server/7aa0ba20-e903-4243-99fb-ebfb381f4042/kubernetes/xxx execID=dca77

10/06/2024, 13:21:23.859    
time="2024-06-10T12:21:23Z" level=error msg="`argocd-lovely-plugin` failed exit status 1: 2024/06/10 12:21:23 exit status 1: Error: validation: chart.metadata.name \"xxx-<vault:xxx>-xxx\" is invalid" execID=dca77

10/06/2024, 13:21:23.865    
time="2024-06-10T12:21:23Z" level=error msg="finished streaming call with code Unknown" error="error generating manifests: `argocd-lovely-plugin` failed exit status 1: 2024/06/10 12:21:23 exit status 1: Error: validation: chart.metadata.name \"xxx-<vault:xxx>-xxx\" is invalid" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=plugin.ConfigManagementPluginService grpc.start_time="2024-06-10T12:21:21Z" grpc.time_ms=2419.062 span.kind=server system=grpc
Joibel commented 3 weeks ago

Seeing as I don't really know what is going on, can you see if 1.0.3 does any better for you?

nerdingas-armaitis commented 3 weeks ago

Just tried 1.0.3 - same issue

Joibel commented 3 weeks ago

Thanks for trying

nerdingas-armaitis commented 2 weeks ago

I have done some trials with custom built image and it looks like upgrading helm dependency in the dockerfile to 3.14.1+ is what breaks the functionality. 

ARG HELM_VERSION=v3.14.1

Helm change log for 3.14.1 just mentions a security fix, looks like they started validating chart names:

https://github.com/helm/helm/compare/v3.14.0...v3.14.1

Joibel commented 2 weeks ago

But this is an application, not a Chart.yaml?

nerdingas-armaitis commented 2 weeks ago

you are right, it is also in the chart name

Chart.yaml

apiVersion: v2
name: xxx-<vault:xxx~xxx>-xxx
version: 0.0.1
Joibel commented 2 weeks ago

So, the app-of-apps is a Chart in itself. Can you elaborate on the directory structure of this application, in particular where the Chart.yaml(s) are?

nerdingas-armaitis commented 2 weeks ago

argocd application (/applications/argocd.yaml) which deploys app of apps (/argocd/yaml/app-of-apps.yaml) definition as part of itself app-of-apps has an xxx-<vault:xxx~xxx>-xxx application (/applications/yyy.yaml) xxx-<vault:xxx~xxx>-xxx application defines a chart (/yyy/Chart.yaml) named xxx-<vault:xxx~xxx>-xxx

is that a non recommended/supported way?

Joibel commented 2 weeks ago

I only care about the application structure of the one application that is causing issues.

Is that a the last of these, or the app of apps?

The structure of the failing application has a Chart.yaml in the root directory with a vault substituted name in it?

nerdingas-armaitis commented 2 weeks ago

correct, it is the yyy application that is causing the issue (not the app of apps) yes, the failing application is just a Chart.yaml (with a vault substituted name) that has a dependency defined (the actual chart) + values.yaml in a directory

Chart.yaml

apiVersion: v2
name: xxx-<vault:xxx~xxx>-xxx
version: 0.0.1

dependencies:
  - name: zzz
    version: 1.2.3
    repository: zzz
Joibel commented 2 weeks ago

So, this worked before Helmet 3.14.1 because the helm template expansion could work because it just didn't care about the name at that stage. It now cares about the name.

Template expansion happens before the vault substitution with lovely-vault out of the box. It "worked" because all the places the helm name were used inside your templates got substituted after expansion, and everything was doozy.

So, you have a couple of options:

nerdingas-armaitis commented 2 weeks ago

Thanks, that seems to work even in 1.0.3.

I had to move the definitions from the root folder to ./chart folder for the pre-processor to work, but otherwise all good.

definition in the app if anyone ever encounters this:

    plugin:
      name: lovely-vault
      env:
        - name: LOVELY_PREPROCESSORS_YAML
          value: |-
            chart:
            - "argocd-vault-replacer < Chart.tpl > Chart.yaml"