Introduce sync windows as a CRD

[crenshaw-dev]

Summary

Sync windows should be defined as CRDs which are referenceable by projects, apps, and globally.

Motivation

At Intuit, we've encountered places where we'd like to define a sync window for an application without enforcing that sync window for all apps in that project (or creating a single project per app).

Others have wanted to enforce a global sync window for a whole company without either using a single project for everything (terrible for security) or duplicating sync windows across a bunch of projects.

It would also be nice to allow for self-service sync windows by non-admins. The ability to update an AppProject is effectively admin access. By separating it into a CRD, admins can allow users to create and update sync windows without granting them full admin capability.

Proposal

The CRD:

apiVersion: argoproj.io/v1alpha1
kind: SyncWindow
metadata:
  name: my-sync-window
  namespace: argocd  # there's no reason this couldn't also be in other namespaces
spec:
  syncWindows:  # allow multiple for easy transition from projects
  - kind: allow
    schedule: '10 1 * * *'
    duration: 1h
    applications:
      - '*-prod'
    manualSync: true
  - kind: deny
    schedule: '0 22 * * *'
    duration: 1h
    namespaces:
      - default
  - kind: allow
    schedule: '0 23 * * *'
    duration: 1h
    clusters:
      - in-cluster
      - cluster1

Reference from project:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
spec:
  syncWindows:
  - ref:  # new field!
      name: my-sync-window

Reference from application:

apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
  syncWindows:  # new field!
  - ref:
      name: my-sync-window

Reference from argocd-cm (global):

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  global.syncWindows: |
    - ref: 
        name: my-sync-window

[gmartin-flexe]

I've just run into this; our organization wants all developers to limit their deployment activity at the end of the week, but has no interest in any mechanism to do so and would rather each developer go through a modified approval process or to wait until the following week. I wanted to try sync windows to ease the situation. Unfortunately almost all applications are under the same AppProject, and only a select few people have permissions, so I can't apply a sync window for my applications.

Making it possible to define a SyncWindow resource would be great!

[todaywasawesome]

I'm interested to do some work here. Tagging myself here @todaywasawesome

[todaywasawesome]

@ilia-medvedev-codefresh Check this out. Great feature.

[agaudreault]

Few things

• In the Application, Sync Windows should be referenced by using selectors with matchLabels/matchExpression instead of a plain ref by name.

• When used in an Application, a sync windows should not contain applications, namespaces or clusters filter. Since it is
  explicitly selected in the Application, it should always apply to it.

• The sync windows that are applied in the Application are now dynamic. The application will need a view in the UI, to show all the windows that currently applies on the App.

• If the SyncWindows are created as object, I assume they should have RBAC within argo, and a UI to list, create and delete. Similar to repositories credentials, etc.

Notes: In the global cm or on the appProject, it could also be by selector or ref. But the namespaces/projects/clusters filters will now apply to all windows of the reference. Another factor that should be evaluated to decide if a selector should be used instead of a ref in the global CM or AppProject is the dynamism aspect.

Alternative suggestion

The CRD:

apiVersion: argoproj.io/v1alpha1
kind: SyncWindow
metadata:
  name: my-sync-window
  namespace: argocd  # there's no reason this couldn't also be in other namespaces
  labels:
    name: my-sync-window
    env: prod
spec:
  syncWindows:  # allow multiple
  - kind: allow
    schedule: '10 1 * * *'
    duration: 1h
    manualSync: true
  - kind: deny
    schedule: '0 22 * * *'
    duration: 1h
  - kind: allow
    schedule: '0 23 * * *'
    duration: 1h

Reference from project:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
spec:
  syncWindows:
  - ref:  # new field!
      name: my-sync-window
    selectors: # Either ref or selecotrs should be used. Adding both here so it is easier to visualize
      matchLabels:
        name: my-sync-window
    # reference a sync window, but apply some restrictions.
    clusters:
      - in-cluster
      - cluster1
    namespaces:
      - default
    applications:
      - prod*

Reference from application:

apiVersion: argoproj.io/v1alpha1
kind: Application
spec:
  syncWindows:  # new field!
    selectors:
      matchLabels:
        name: my-sync-window
        env: prod

Reference from argocd-cm (global):

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: argocd
data:
  global.syncWindows: |
    - ref: 
        name: my-sync-window
      # reference a sync window, but apply some restrictions.
      clusters:
        - in-cluster
        - cluster1
      namespaces:
        - default