-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support preventing hook deletion when Application sync is terminated #3502
Comments
I don't think we want to encourage a pattern where normal application resources are made into a hook, simply to achieve ordering. Even in Helm, a resource which has the https://helm.sh/docs/topics/charts_hooks/#hook-resources-are-not-managed-with-corresponding-releases
Similarly, Argo CD hooks are not considered part of Argo CD application resources, and features like drift detection and health assessments do not work. So the solution should involve not having to resort to adding My current thought is that we specially treat Namespaces as something that needs to be installed before sync hooks. |
As a reference point, it's generally considered an anti-pattern in Helm to include Namspace resource as part of a chart. The decision in issue helm/helm#6794, introduced an option to create namespaces on-the-fly as part of However, in the case of GitOps, "packaging" namespace-agnostic charts is less of a requirement, and Namespaces are often declared in git, adjacent to the application resources, and acceptable/expected to be created as part of the deploy. The problem is that it does not allow PreSync hooks to run, which generally need to run in the namespace of the Application. This lends itself to the argument for Argo CD to have special treatment of Namespace resources, as being created at the beginning of a deploy before hooks. This makes the behavior more consistent with the |
#2737 describes the related issue. Helm deletes hooks after all hooks after done. This allows having hooks with dependencies e.g. Job + ServiceAccount |
@chancez i'm not sure if this is an option for you, but a workaround is that instead of
|
I completely agree. I dislike it a lot, but I'm consuming a chart I didn't write (jupyterhub), which makes it difficult to adapt without diverging from upstream. That said, I've considering using a variation of kustomize & helm to better support this, but it's simply not something I'm ready to commit to just yet. I've also just disabled the hook it was creating as I didn't need it anymore for other unrelated reasons, so I was able to remove the helm hook annotations on my namespace and it still succeeds.
I think this makes sense. I also think it might make sense to simply have the ability to create a namespace if it doesn't exist from the ArgoCD application configuration in the
@jessesuen I didn't write the chart, so I can't change the annotations on the resources being created without forking it or going down a custom config management plugin route (which I'm still considering). I wish there was a better way to support modifying off-the-shelf helm charts without having to fork them or use a custom config management plugin, but I'm not sure how much could be done about that. Having first class support for json patches via argocd could be a potential approach, or even potentially reusing kustomize transformers for it. Ideally it would be possible though even if you're not using kustomize. |
@chancez app1: contains ns and app2 -> app2: contains What I want is a single app which has only |
This doesn't just affect namespace creation, the prometheus operator creates a service account, role, and role binding to run an application then removes them. However, argocd just purges them immediately after they are created. I couldn't care less about namespaces, but for other things it just has to match the helm behavior. |
@jdfalk I recall hitting that as well, I can't even remember how I got around it because I eventually just moved to using kustomize for prometheus-operator and at that point I had everything as raw YAML files so I could just tweak the hook annotations or remove them. Good point bringing that up. |
This needs to be resolved, it's causing more and more issues for us and pretty soon we are going to have to switch to flux because this isn't production ready. |
The namespace auto-creation feature should improve the situation. Argo CD can automatically create namespace before start executing hooks. This does not seem to be enough, since namespace auto-creation does not allow to configure namespace details such as annotation and labels. We've discussed several ways to address it:
First approach looks more like a hack. The main difference between hooks and resources is that hooks are ephemeral and supposed to be created/delete on the fly during the syncing process. The namespace should not be marked as a hook just because it should be created before hooks. Second looks better since it is solving the root cause limitation - ability to create namespace before everything else, but kind of compete with waves feature. We want to try to find a way to avoid a new annotation. So the final proposal is to treat Namespace and CRD as exceptions and execute both before any other resources that reference Namespace/CRD. The way it would be implemented opens the door to introduce user specified dependencies between resources. I'm hoping we won't need it to avoid make synchronization more difficult. |
Two changes to Argo CD are being made:
|
For now there is no version of ArgoCD that allows the creation of CRD using PreSync, is that right? At least in v1.5 when CRD has PreSync or helm hook, CRD is created in the cluster but the release keeps syncing forever, never creating the others resources. The enhancement in v1.8 (#4354) will allow CRD to be installed even if there is some hook defined on it? Or it will be needed some feature like #4331? |
correct
For CRDs (i'm not talking about CR instances), we ignore hooks completely and they are installed up front. These features have been implemented in v1.8. Closing |
Just to validate that I read this correctly, the fixes made so far do not provide a fix voor de 'delete prevention' but only provide a solution to sync the resource at the right time in the sync. Am I correct? @jessesuen @igorcezar @alexandrfox |
#2678 Summary
ArgoCD converts helm hooks into argocd hooks, which get deleted if an Application sync is canceled. This can cause problems if your using hooks that require a namespace to be created, as you must also set your namespace to be created as a hook, such that the namespace is created prior to your job hooks, otherwise they fail to be created because the namespace doesn't exist yet. This causes an issue though when you cancel a running sync, as it will cause ArgoCD to delete the namespace, which isn't usually a desired behavior.
Create a chart with a template for creating the namespace as a helm hook. If you cancel a running sync the entire namespace will be deleted.
Motivation
Initially, I only added the helm hook annotations to my namespace because I have other hooks which run in a namespace (jobs), and argocd failed to deploy my Application without these annotations on my namespace because the jobs would be ordered prior to my namespace being created without it (the jobs run in tje preSync phase, while the namespace is created in the sync phase).
Proposal
I see one of two options:
argocd.argoproj.io/sync-options
to prevent deleting running hooks in the general case. For helm based apps, it could use"helm.sh/resource-policy": keep
as a synonym for the new sync-option to prevent deleting of running hooks.I also think it's quite likely that it might make sense to always order namespaces before preSync, sync, and postSync by default. That may also help, but if people are using hooks already, it won't help prevent the deletion issue, only the ordering issue.
@jessesuen we discussed this a bit in slack https://argoproj.slack.com/archives/CASHNF6MS/p1588095718030500
The text was updated successfully, but these errors were encountered: