-
Notifications
You must be signed in to change notification settings - Fork 5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Combine files in a multisource repo (#12471 #12485) #12508
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #12508 +/- ##
==========================================
+ Coverage 49.45% 49.46% +0.01%
==========================================
Files 273 271 -2
Lines 48662 48140 -522
==========================================
- Hits 24066 23813 -253
+ Misses 22235 21960 -275
- Partials 2361 2367 +6 ☔ View full report in Codecov by Sentry. |
There's a lot of code duplicated from I think once the copyFrom logic is there and I both have a clearer view of how stuff works and I'm more comfortable with the logics here, I will see how can I clean this mess up. And I'm also planning to address the LintGo failing test later. |
I've got the following errors while running
And the String operator for ApplicationSources is defined at
IIRC I haven't fiddled with this part, and I'm not really sure what might have caused those test errors. |
I think the PR looks feature-complete right now, unit tests are also passing. The place I couldn't find the tests for are the changes in the Docs are still to be adjusted. |
Docs are updated as well. @ishitasequeira, could you please review it? |
Will review it today. |
This is looking really cool! We'll probably want some e2e tests to validate a few base use cases for this feature. |
One thought that comes to my mind is, are we allowing a nested access of referenced sources for
I think this can lead to a lot of concerns. We should probably not allow |
Currently that does make sense, however I'm considering another feature, where the output of a source can be referenced in another source building on this feature. Adding something like a I think, as of right now, putting a warning into the documentation is more effective. Also, I think adding O_EXCL helps here with overwriting files:
|
I don't understand why the tests are broken, before i've synced the branch to master, everything was green. |
I don't really understand why the e2e test
And the most interesting part is, I've reverted to a commit prior to my changes, and it still fails the same way as shown above:
|
@gczuczy that test is flaky. I have an open PR to try to fix that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Partial review
I'm eagerly waiting for the merge of this PR. Keep up the good work! |
Here's a simplistic test example:
This application has a kustomization in one repo, and one of the There was another internal test, which is rather complicated, it deploys an ArgoCD ecosystem with a superchart, ArgoCD and ArgoWorkflows as a subchart, with a fair amount of secrets, for which we're using AVP to acquire. The gist of that secret are the following two snippets: For the
Here the chart has The environment-specific values.yaml is passed to the AVP plugin through the
So, helm is using the environment-specific values from a separate repo and its output is fed to AVP, which is taking care of the |
This is fair. I think there's a balance to be struck (e.g. pass things from Application to Helm in a way that takes advantage of an existing Helm feature instead of adding something entirely new, or implementing lifecycle hooks that map cleanly to Helm hooks). In general, I think it's best to cling tightly to other tools' designs and augment them only where there's a really strong value-add (like private values files with public Helm charts).
100%, I think AVP is a great tool and definitely has solid use-cases. I agree that its overuse for problems which are better solved by other tools is the anti-pattern.
My hope is that, over time, common charts will rely more on secretRefs and less on values-injected secrets. At a higher level, I think operators instead of Helm charts to install many common tools might make sense.
Agreed. Some of the issue-specific threads discuss ways we could implement smaller features to solve very specific problems without opening the gates too far or making repo-server excessively complex (for the current maintainer resources).
The chicken-egg bootstrap problem is real. I agree that ideally a GitOps tool should be able to declaratively spin up/down your clusters with no user intervention. But someone has to hold the keys, and without native secrets support, I'm not sure Argo CD should be the tool holding the keys (yet).
100%. In some parallel universe, there's an Argo CD team which can provide robust, secure, first-class secrets handling support. I just don't think we have that capacity right now.
tbh, I think fileParameters is a great example of a one-off, small feature which may be worth the effort. It could probably piggy-back on a lot of the code that already exists for valueFiles. Again, thanks all for the great discussion! |
@crenshaw-dev Thank you! I'm going to take that input and might look into opening a PR in the future that might focus on |
Hi there, thanks for the great discussion. As maintainer of helm-secrets, I would also not longer recommend todo secrets-injection outside of Kubernetes (doesn't matter, if you are using ArgoCD, Gitlab CI or GitHub Action). However, FluxCD as well as ArgoCD side-kick project ArgoCD Vault Plugin are supporting this anti-pattern as well. There is also an other problem with secret controllers: If the secret is changed, the application need a poke. This can be covered by https://github.com/stakater/Reloader. Then, you need 2 new tools the go out of the anti-pattern. I guess that the main reason, why people prefer this anti-pattern: The alternatives are complex, not easy to maintain. Anyways, while the main purpose of helm-secrets is secret inject, It can be also used for alternative informations. If we are looking are AWS IRSA or Azure Workload Identity, both solution are great to omit secrets at all. Instead secrets, now we have the requirement to annotate the service account with the AWS Role ARN or Azure Client ID. In most setups, the role is created via Terraform, and some poor guy has the task to pass the information from Unlike secrets, annotations are not a dedicated resource and there no known Kubernetes controller for this. This includes external-secrets-operator which needs for example the client id of Azure Managed Identity. Keep in mind. Secret Handling is only one part, Information Handling the other one. |
True, and that's the main reason I wanted to do a quick poll - non-secret CMP use cases don't implicate the secrets anti-pattern. But I think the number of those use cases is currently too small to justify the maintenance burden. I also wonder how many of those use cases might be addressed by mutating webhooks? I haven't thought too much about it, but if the job is fundamentally to inject some static cluster-specific bit of information into resources, it seems like a mutating webhook might be a suitable tool. |
For what it’s worth, we use the approach @jkroepke mentioned:
While it’s true that this needs two tools, the maintenance overhead for both these is extremely low (at least for us), and, most importantly, reloader is completely decoupled from the deployment tooling. This enables us to make debugging in our development clusters much easier since reloader will also restart workloads when a referenced ConfigMap or Secret changes because we manually edited it to later persist these changes, if they are correct. I think it is important here that ArgoCD will almost never be the only tool, so we’ll have to take that into consideration when making decisions about the project. „One tool, one job“ comes to mind, and for me, Argo is clearly the „deploy manifests, potentially templated with helm and/or kustomize“. As such, supporting the usage of existing features of these tools is good, adding to them might not be the right direction. I believe this is also what @crenshaw-dev is leaning towards - please correct me if I got that wrong. |
That would be a great and tool agnostic idea. The gag is, both IRSA and Azure Workload Identity are mutating webhooks already. Of course, we can build an other mutating webhooks controller and chain them together. |
@crenshaw-dev Naming AVP approach "anti-pattern" you contradicted with this:
In my case we have dozen of clusters running external and have no access to Vault - therefore we cannot use operators. Approach with encrypting helm value files is looking ugly for me, not saying about probability of accidentally commit decrypted file to a public repository. But I believe this feature is not about secrets at all. I would vote to have this feature. As for complexity of "repo-server" I'd say it always the question of bаlance. From the other hand - why that change don't add complexity but this do? |
Yep, that's a good summary. Not to say Argo CD can't be a good tool for doing things beyond "render manifests and deploy," just that it's always a question of whether the juice is worth the squeeze.
Personally, I think those docs are due for an update. My opinion about secret management is that it belongs in either an encrypted-at-rest solution like SealedSecrets or an on-cluster secrets operator rather than in Argo CD. At least for now.
iirc the |
What capabilities does our plugin have today:
Issues:
|
Signed-off-by: Gergely Czuczy <gergely.czuczy@sap.com>
Signed-off-by: Gergely Czuczy <gergely.czuczy@sap.com>
Signed-off-by: Gergely Czuczy <gergely.czuczy@sap.com>
Hi all, I understand that the proposal from this PR provides more features than this simple ask and could lead to many anti-patterns, or prevent the argoCD community to migrate to cleaner approaches. But we should probably consider some of the use cases as there might be quick wins, Thank you for the hard work! As argoCD users, we really appreciate the discussions and debates that are leading to a better solution. |
I get the thought process on this being an anti-pattern. I think that makes perfect sense when you control the creation of the helm/kustomize. This gets more tricky when you are not in control. We currently only use ArgoCD to handle deploying supporting infrastructure, and not our apps. This means we are restricted by what is done in the upstream helm/kustomize. Not all projects follow best practices. I found 3 different projects, we use, that store secrets in ConfigMaps. Currently we are getting by without this PR (though it would be nice to have). If AVP is ruled an anti pattern, and not supported moving forward, it would create a lot of work for my team if we wanted to continue using ArgoCD. I believe I would be able to open PRs to upstream projects to hopefully update their projects, but if those got denied it would mean maintaining our own copies of their projects and keeping up with their updates. That would introduce a lot of work, and may cause us to look for a solution other than ArgoCD. If that was the case it may be that our use case is just not the intended use case for ArgoCD, and that would be fine. If the intended use case for ArgoCD is to handle upstream helm/kustomize, and not just custom, I think that is worth thinking about. All you great folks do the work though, and know what you can/can't take on. I just wanted to share my view point, as I feel that the others didn't share it exactly. I am super grateful for all the work put into this project. |
@alexgenon I agree, that feature would be a relatively intuitive, maintainable, and impactful feature. I'd definitely welcome that change!
100%. I wonder if the problem is more that these open source charts/kustomize bases can't support secret refs (not enough maintenance resources) or don't actually see it as a problem.
I think that's just a general Kubernetes anti-pattern. Secrets should be stored in Secrets.
That's a fair analysis. In my opinion, "safe, robust secrets injection" lies outside what the Argo CD team can currently offer. To provide a strong core product, I think we should encourage folks to adopt the much more compatible solution of external secrets operators. Some won't be able to make that switch, but I don't think that's a problem the Argo team is currently well-positioned to solve. |
Added documentation for fileParameters in a helm source Application or the --helm-set-file cli option from argoproj#2751. Added a note about argoproj#13220 so users are aware. argoproj#12508 aims to remove this limitation so the warning can probably be removed with that.
Added documentation for fileParameters in a helm source Application or the --helm-set-file cli option from argoproj#2751. Added a note about argoproj#13220 so users are aware. argoproj#12508 aims to remove this limitation so the warning can probably be removed with that. Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Hi guys this was indeed a great discussion. As a argocd user, I'm curious about one thing: what happens next? |
consider if going for alternative og live with the decision |
ArgoCD 2.11: This comes with something that looks similar to the feature discussed here. - https://argo-cd.readthedocs.io/en/latest/user-guide/multiple_sources/ |
The multi-source docs haven't changed appreciably since v2.8 AFAICT, this feature is adding a from:
- ref: $values1
sourcePath: "dev/values.yaml"
destinationPath: "env-values.yaml" |
This PR would have expanded the multi-source support. The problem with multi-source is, it's not working with plugins, and many people need plugins and multisources, that's how this PR was born. Our usecase was AVP for secrets specifically. |
Hello, I ended up here after noticing multisource isn't compatible with helm-secrets. What's the point to have multisource, if no plugins can be used to decrypt values ? Who stores it sensible values unencrypted ? |
@reachfivejenkins There‘s other ways to deploy secrets, e.g. with external-secrets. The point of multi-source as it is is to provide multi source applications to whoever can use them in the current state. |
Been using this configuration for helm-secrets and multi-source for quite some time and it's working nicely for us. |
I looked at it, but we are using SOPS with googleKMS, i doesn't look compatible. |
Could you please take this discussion to the appropriate forum/Q&A/discussion? This is already a PR with lots of on-topic discussion that only gets harder to parse with more and more unrelated comments. Thank you! |
Added documentation for fileParameters in a helm source Application or the --helm-set-file cli option from argoproj#2751. Added a note about argoproj#13220 so users are aware. argoproj#12508 aims to remove this limitation so the warning can probably be removed with that. Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Fixes #12471
Fixes #12476
Fixes #7189
Fixes #13220
Fixes #14521
Note on DCO:
If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.
Checklist: