Closed nerdingas-armaitis closed 2 weeks ago
Is this an application part of an app of apps? You're running it through lovely-vault? I wonder if lovely-vault is broken - are there any logs from the container other than this? The changelog is only for dependencies, so I can't see a likely candidate for breaking this.
yes - application is part of an app of apps. yes - app of apps is using lovely-vault for deployment (I think that was the only way to get dynamic names to work)
I have also looked at the changelog and could not see anything incriminating. Maybe its the helm version changes in the dockerfile?
I have tried rolling forward and backwards couple of times and it always behaves the same.
These are the only logs from the lovely-plugin container.
10/06/2024, 13:21:21.650
time="2024-06-10T12:21:21Z" level=info msg="Generating manifests with no request-level timeout"
10/06/2024, 13:21:21.650
time="2024-06-10T12:21:21Z" level=info msg=argocd-lovely-plugin dir=/tmp/_cmp_server/7aa0ba20-e903-4243-99fb-ebfb381f4042/kubernetes/xxx execID=dca77
10/06/2024, 13:21:23.859
time="2024-06-10T12:21:23Z" level=error msg="`argocd-lovely-plugin` failed exit status 1: 2024/06/10 12:21:23 exit status 1: Error: validation: chart.metadata.name \"xxx-<vault:xxx>-xxx\" is invalid" execID=dca77
10/06/2024, 13:21:23.865
time="2024-06-10T12:21:23Z" level=error msg="finished streaming call with code Unknown" error="error generating manifests: `argocd-lovely-plugin` failed exit status 1: 2024/06/10 12:21:23 exit status 1: Error: validation: chart.metadata.name \"xxx-<vault:xxx>-xxx\" is invalid" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=plugin.ConfigManagementPluginService grpc.start_time="2024-06-10T12:21:21Z" grpc.time_ms=2419.062 span.kind=server system=grpc
Seeing as I don't really know what is going on, can you see if 1.0.3 does any better for you?
Just tried 1.0.3 - same issue
Thanks for trying
I have done some trials with custom built image and it looks like upgrading helm dependency in the dockerfile to 3.14.1+ is what breaks the functionality.
ARG HELM_VERSION=v3.14.1
Helm change log for 3.14.1 just mentions a security fix, looks like they started validating chart names:
But this is an application, not a Chart.yaml?
you are right, it is also in the chart name
Chart.yaml
apiVersion: v2
name: xxx-<vault:xxx~xxx>-xxx
version: 0.0.1
So, the app-of-apps is a Chart in itself. Can you elaborate on the directory structure of this application, in particular where the Chart.yaml(s) are?
argocd application (/applications/argocd.yaml) which deploys app of apps (/argocd/yaml/app-of-apps.yaml) definition as part of itself app-of-apps has an xxx-<vault:xxx~xxx>-xxx application (/applications/yyy.yaml) xxx-<vault:xxx~xxx>-xxx application defines a chart (/yyy/Chart.yaml) named xxx-<vault:xxx~xxx>-xxx
is that a non recommended/supported way?
I only care about the application structure of the one application that is causing issues.
Is that a the last of these, or the app of apps?
The structure of the failing application has a Chart.yaml in the root directory with a vault substituted name in it?
correct, it is the yyy application that is causing the issue (not the app of apps) yes, the failing application is just a Chart.yaml (with a vault substituted name) that has a dependency defined (the actual chart) + values.yaml in a directory
Chart.yaml
apiVersion: v2
name: xxx-<vault:xxx~xxx>-xxx
version: 0.0.1
dependencies:
- name: zzz
version: 1.2.3
repository: zzz
So, this worked before Helmet 3.14.1 because the helm template expansion could work because it just didn't care about the name at that stage. It now cares about the name.
Template expansion happens before the vault substitution with lovely-vault
out of the box. It "worked" because all the places the helm name were used inside your templates got substituted after expansion, and everything was doozy.
So, you have a couple of options:
LOVELY_PREPROCESSORS
to do the name substitution before helm gets invoked. If you have stronger bash skills you might be able to sanely do this in place, but in the interests of getting on with other stuff I'm going to suggest you have a Chart.tpl and do LOVELY_PREPROCESSORS: "argocd-vault-replacer < Chart.tpl > Chart.yaml"
. This suggestion comes to you completely untested. You're most welcome.Thanks, that seems to work even in 1.0.3.
I had to move the definitions from the root folder to ./chart folder for the pre-processor to work, but otherwise all good.
definition in the app if anyone ever encounters this:
plugin:
name: lovely-vault
env:
- name: LOVELY_PREPROCESSORS_YAML
value: |-
chart:
- "argocd-vault-replacer < Chart.tpl > Chart.yaml"
Hi,
I have an app of apps with bunch of argocd applications and couple of them have dynamic names. This worked perfectly fine on 1.0.0, but is now broken on 1.0.1. Maybe the order of name check vs interpolation has changed?
It still displays name of application correctly in the argocd ui even on 1.0.1.
Application definition:
Error in the logs:
Work around: rollback to 1.0.0