
Ensure Argo CD Application avoids unnecessary manifest generation

Open noaabarki opened this issue 3 years ago • 0 comments

Describe the solution you'd like

We want to add a new default rule to the Argo policy that verifies the usage of the manifest-generate-paths annotation. For instance, the following manifest configures manifest-generate-paths with the path ".":

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: my-project
  namespace: argocd 
  annotations: 
     argocd.argoproj.io/manifest-generate-paths: . # <------
spec:
  source:
    repoURL: "XXX"
    targetRevision: HEAD
    path: kube/

Requirements

  • The rule should be OFF by default.
  • The rule identifier should be ARGO_APPLICATION_MISSING_GENERATE_MANIFESTS_ANNOTATION.

How to create new default rule?

  1. Write the rule logic in JSON schema (but in YAML format). For your convenience, you can use our online YAML schema validator tool.
  2. Add the new rule as a default rule:
    1. Add a new entry in pkg/defaultRules/defaultRules.yaml.
    2. Increase the minItems++, maxItems++, maximum++ properties of rules in pkg/defaultRules/defaultRulesSchema.json
  3. Hooray! Submit a PR 🙂

Guidelines

  • The implementation requires basic-level Golang and JSON schema knowledge.
  • All default rules are written in JSON schema and located in defaultRules package.
  • The validation itself happens in the JsonSchemaValidator package function ValidateYamlSchema. The validation process happens in bl/evaluation/evaluator.go -> evaluateRule(..) for every configuration that exists in every file that exists in a given path.
  • Check out the rules CONTAINERS_MISSING_CPU_REQUEST_KEY and ARGO_APP_PROJECT_INCORRECT_NAMESPACE_VALUE as references.
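The following is an added example, not code from this issue or from the datree project, that sketches the rule logic the steps above ask for and runs it over a few constructed configurations. RULE_SCHEMA is the Python form of the JSON schema one would write in YAML for pkg/defaultRules/defaultRules.yaml; the assumption is that the rule only checks that an argoproj.io/v1alpha1 Application carries a non-empty argocd.argoproj.io/manifest-generate-paths annotation and says nothing about which path is used. The validate() function is a small stand-in for datree's ValidateYamlSchema: it evaluates only the JSON Schema keywords this rule uses, and evaluate_rule() mirrors the per-configuration loop in bl/evaluation/evaluator.go; neither calls datree's Go code. The sample manifests are constructed, with repoURL kept as the issue's placeholder "XXX".

```python
import re

ANNOTATION = "argocd.argoproj.io/manifest-generate-paths"

# Constructed rule logic (assumption: annotation must be present and non-empty).
# The if-clause scopes the rule to Argo CD Applications; everything else passes.
RULE_SCHEMA = {
    "if": {
        "properties": {
            "apiVersion": {"const": "argoproj.io/v1alpha1"},
            "kind": {"const": "Application"},
        },
        "required": ["apiVersion", "kind"],
    },
    "then": {
        "properties": {
            "metadata": {
                "properties": {
                    "annotations": {
                        "properties": {
                            # at least one non-whitespace character
                            ANNOTATION: {"type": "string", "pattern": r"\S"},
                        },
                        "required": [ANNOTATION],
                    },
                },
                "required": ["annotations"],
            },
        },
        "required": ["metadata"],
    },
}


def validate(schema, instance):
    """Minimal JSON Schema evaluator for the keywords RULE_SCHEMA uses
    (const, type, pattern, required, properties, if/then). Stand-in for
    datree's ValidateYamlSchema; follows the standard keyword semantics:
    required/properties apply only to objects, pattern only to strings."""
    if "const" in schema and instance != schema["const"]:
        return False
    if "type" in schema:
        if schema["type"] == "string" and not isinstance(instance, str):
            return False
        if schema["type"] == "object" and not isinstance(instance, dict):
            return False
    if "pattern" in schema and isinstance(instance, str):
        if re.search(schema["pattern"], instance) is None:
            return False
    if "required" in schema and isinstance(instance, dict):
        if any(key not in instance for key in schema["required"]):
            return False
    if "properties" in schema and isinstance(instance, dict):
        for key, sub in schema["properties"].items():
            if key in instance and not validate(sub, instance[key]):
                return False
    if "if" in schema and validate(schema["if"], instance):
        if "then" in schema and not validate(schema["then"], instance):
            return False
    return True


# Constructed sample configurations modelled on the manifest in the issue.
APP_WITH_ANNOTATION = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Application",
    "metadata": {
        "name": "my-project",
        "namespace": "argocd",
        "annotations": {ANNOTATION: "."},
    },
    "spec": {"source": {"repoURL": "XXX", "targetRevision": "HEAD", "path": "kube/"}},
}

APP_WITHOUT_ANNOTATION = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "Application",
    "metadata": {"name": "my-project", "namespace": "argocd"},
    "spec": {"source": {"repoURL": "XXX", "targetRevision": "HEAD", "path": "kube/"}},
}

# Not an Application, so the if-clause does not match and the rule passes.
APP_PROJECT = {
    "apiVersion": "argoproj.io/v1alpha1",
    "kind": "AppProject",
    "metadata": {"name": "default", "namespace": "argocd"},
}


def evaluate_rule(configs):
    """Mirror of the per-configuration loop the issue describes: one True
    (pass) / False (fail) outcome per configuration found in a file."""
    return [validate(RULE_SCHEMA, cfg) for cfg in configs]


if __name__ == "__main__":
    samples = [("with annotation", APP_WITH_ANNOTATION),
               ("without annotation", APP_WITHOUT_ANNOTATION),
               ("AppProject", APP_PROJECT)]
    for (name, _), ok in zip(samples, evaluate_rule([c for _, c in samples])):
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Keying the rule on apiVersion and kind in the if-clause is what keeps it from firing on AppProject or non-Argo resources in the same file; dropping the if/then and checking metadata.annotations directly would flag every object in the path.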

📖 The reason behind the rule

Instead of Argo CD watching a repository for changes, Argo CD supports Git webhook notifications from GitHub, GitLab, Bitbucket, etc. When using webhooks, it's recommended to annotate the Application manifest with a path (using argocd.argoproj.io/manifest-generate-paths). This way, whenever a webhook notifies Argo CD about a new commit, Argo will inspect the changed files listed in the webhook payload and regenerate only the manifests that are located under this path.

💡 Why use Argo CD webhooks?

When using mono-repositories/large repositories containing source code, it's recommended to automatically sync Argo CD with webhook events.

The reason is that Argo CD, by default, pulls changes from the repository every 3 minutes. For any new commit, Argo CD will be triggered to sync the state; to do so, Argo fetches the latest changes in the repository, caches the repository, and generates the manifests in the repository. When this happens, Argo invalidates the cached manifests for all applications, since it does not assume that the generated manifests depend only on application-related directory files. However, in mono-repositories this is often the case, and this can trigger a "sync" event for all applications.

To eliminate this and avoid unnecessary delay Argo CD can be configured to receive webhook events.

noaabarki avatar Aug 07 '22 13:08 noaabarki