feat(appset): Support more than two child generators for matrix generator

[huynhsontung]

Closes #14182

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.

Please see Contribution FAQs if you have questions about your pull-request.

[crenshaw-dev]

I feel like we should have a controller-level configurable max for number of children in a matrix generator. We're close to having ApplicationSets manageable by non-admins, and it would be good to have a way for admins to mitigate denial of service via bonkers-level matrix generators.

[codecov]

Codecov Report

Attention: Patch coverage is 86.04651% with 6 lines in your changes missing coverage. Please review.

Please upload report for BASE (master@40c6077). Learn more about missing BASE report.
Report is 318 commits behind head on master.

Files with missing lines	Patch %	Lines
applicationset/generators/matrix.go	82.35%	3 Missing and 3 partials ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##             master   #14189   +/-   ##
=========================================
  Coverage          ?   55.80%           
=========================================
  Files             ?      320           
  Lines             ?    44411           
  Branches          ?        0           
=========================================
  Hits              ?    24782           
  Misses            ?    17066           
  Partials          ?     2563           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[huynhsontung]

@crenshaw-dev Sounds reasonable. There is no precedent for generator configuration at the controller level. How about a controller flag called max-matrix-children with the default of 0 for an unlimited number of children? Unless we want it configurable on the fly through a ConfigMap.

[crenshaw-dev]

I'm wavering between default of 2 (no change of behavior for people upgrading) and default of 0. I think default 2 makes sense if we want people to be able to provide users create/update privileges on appsets as soon as we button down the remaining admin-only features.

We could make it a controller flag/env var and let users set it via argocd-cmd-params-cm.

[huynhsontung]

Do we allow a value of 1? The code does handle this case but intuitively it doesn't really make sense. If not, any value less than 2 will be parsed as unlimited.

Edit: There is already an error when using a matrix generator with only 1 child. Any value less than 2 will be unlimited then.

[huynhsontung]

@crenshaw-dev I have made the max matrix children configurable through NewMatrixGenerator() with the default value of 2. Let me know if there is anything that needs changing before I move on to updating the docs.

[crenshaw-dev]

Sounds reasonable! I'd say carry on with docs.

[huynhsontung]

@crenshaw-dev I updated the manifest to allow setting the limit in the config map and updated the docs.

[crenshaw-dev]

Thanks for your patience on the review! Small things. Targeting this for 2.9.

[huynhsontung]

I had to change those messages a bit to also reflect #14573

[huynhsontung]

@crenshaw-dev Are there any updates on this PR? I can resolve the merge conflicts if it's ready to merge.

[ishitasequeira]

One minor comment. Overall code LGTM!!

[ishitasequeira]

It might be useful to log a separate configuration error if value of maxChildren is 1 or less.

[huynhsontung]

When maxChildren is 1 or less, it's considered no limit. The default value for maxChildren is 2.

[blakepettersson]

Not a showstopper but that sounds un-intuitive IMO - could we not say that no limit only applies if maxChildren < 0?

[huynhsontung]

I would prefer to have maxChildren < 1 to avoid using negative values. The param reposerver.git.lsremote.parallelism.limit has the same logic where any values less than 1 mean unlimited.

plus we don't have to update the docs and tests this way

[jdeus]

What's the ETA on this ?

[ptr1120]

Hello, can we still expect that this support of >2 matrix steps will be reviewed and merged as stated in the roadmap. Since I am having a need for 3 steps and the parameter transfer between nested matrix steps has issues, I am still searching for any solution.

[sathieu]

@crenshaw-dev I have made the max matrix children configurable through NewMatrixGenerator() with the default value of 2. Let me know if there is anything that needs changing before I move on to updating the docs.

Can this default be changed to a higher value? Maybe 100 or 10?

[jdeus]

So are we waiting another year here ?

[huynhsontung]

Can this default be changed to a higher value? Maybe 100 or 10?

@sathieu I chose this default value of 2 to mirror the same limit of the current version of the matrix generator. I'm fine with having a higher value or even unlimited as a default.

[mihaigalos]

Would this not be easier solved using a Plugin Generator?
One can then programatically compose the generators the way they're required.

[blakepettersson]

Minor comment, but otherwise LGTM

[blakepettersson]

@crenshaw-dev do you still have concerns about this PR?

stale

[crenshaw-dev]

Dismissing my review as stale, since I don't have time to re-review right now. At a glance, no major concerns.

[steve-todorov]

@crenshaw-dev any updates on merging and releasing this feature?

[it2008018]

Is there any chance of merging this PR? we are looking for this feature to be available asap.

[blakepettersson]

@it2008018 for that to happen, the merge conflicts need to be fixed from @huynhsontung.

Once that happens, we can push for someone to review and merge it.

Even if this gets merged tomorrow, this would not be "available asap" since this would come into 2.14, which is slated for next February.

[it2008018]

@blakepettersson will look forward for it to be merged :) @huynhsontung will it be possible for you to resolve conflicts?

[blakepettersson]

@huynhsontung if you do not have time to work on it, I can take on the mantle and get the necessary reviews for it to be merged.

[huynhsontung]

I don't know how to get the config in this case. This method is used in argocd appset create --dry-run and argocd appset generate. I think not setting a limit here makes sense.

[huynhsontung]

@blakepettersson I have resolved all the conflicts