-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proposal: support multiple sources for an Application #8322
proposal: support multiple sources for an Application #8322
Conversation
Codecov Report
@@ Coverage Diff @@
## master #8322 +/- ##
==========================================
- Coverage 44.96% 44.92% -0.05%
==========================================
Files 212 212
Lines 25264 25264
==========================================
- Hits 11361 11350 -11
- Misses 12296 12310 +14
+ Partials 1607 1604 -3
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, looks great! Most comments are just looking for clarification. I think the most interesting part is around the details of what Helm+external values will look like.
Just a hint - not sure about this is within the scope of this proposal. |
Stupid questions:
thanks |
Please find my comments on the respective questions:
|
Hello all, Thanks |
@romuduck We discussed in the contributor experience meeting today and the team was fairly confident in meeting the 2.4 release for this one. There's some more design work they wanted to do. I marked it for the 2.4 milestone which is slated for May. |
chart: elasticsearch | ||
``` | ||
|
||
### Add `externalValues` field in helm section of Application Spec |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless I'm missing something, the proposed design allows using additional sources only with Helm. However I think we have two common use cases here that can be useful for any config management tool:
- Provide additional set of file that are needed to generate manifests ( like values.yaml for helm template )
- Create an application that is combined with several helm charts/kustomizes. Right now users are forced to create several apps or use some config management tool to combine two sources.
First use case is easier. We just let use define multiple sources. In this case Argo CD would generate manifests from all sources and merge them in one list:
spec:
# application that consists of MongoDB and ElasticSearch resources
sources:
- repoURL: https://github.com/helm/charts
targetRevision: master
path: incubator/mongodb
- repoURL: https://github.com/helm/charts
targetRevision: master
path: incubator/elasticsearch
To enable the second use case I propose to make path/chart
field optional: if it is missing then manifests are not generated for the source. In order to make repo files accessible for other sources user would have to provide a ref
that might be referenced in other sources.
spec:
sources:
- repoURL: https://github.com/my-org/my-repo # path is missing so no manifests are generated
targetRevision: master
ref: myRepo # repo is available via symlink "my-repo"
- repoURL: https://github.com/helm/charts
targetRevision: master
path: incubator/elasticsearch # path "incubator/elasticsearch" is used to generate manifests
helm:
valueFiles:
- $myRepo/values.yaml # values.yaml is located in source with reference name $myRepo
This way we can cover Helm use-case without introducing Helm specific settings and other use cases as well. WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @alexmt, the idea above sounds good. I just had a small question.
For the second use case, I was thinking how adding multiple files would work. For example, (expanding on your example above)
spec:
sources:
- repoURL: https://github.com/my-org/my-repo # path is missing so no manifests are generated
targetRevision: master
ref: myRepo # repo is available via symlink "my-repo"
- repoURL: https://github.com/helm/charts
targetRevision: master
path: incubator/elasticsearch # path "incubator/elasticsearch" is used to generate manifests
ref: repoES
helm:
valueFiles:
- $myRepo/values.yaml # values.yaml is located in source with reference name $myRepo
- gen_values.yaml # values file present in the current source
- $repoES/esValues.yaml # values file present in the current source
Would we support adding values files from current source using it's ref $repoES
(e.g. $repoES/esValues.yaml
) and also without it's ref (e.g. gen_values.yaml
)?
Also, would the referenced source (for e.g. $myRepo
) need to be declared before using them in other sources?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking the Argo CD would just resolve $<refName>
to the absolute path where the repo is cloned. To reference values file from current source user would just use a relative path (same as now). The source needs reference only if some other source needs to use file from it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be REALLY nice if value file "pointers" also could have a branch (like the application itself has) - so for development f.ex. - you'd point an application at a 'testing' branc - and the values file then also to an equivalent testing branch in its repo.
Thats how we typicly test applications before we merge them - by adding them - pointing to the devel branch for testing via argocd - but today - our values files HAVE to be in master branch - as we use the path hack from above (where the repo is in /tmp/.../ - because its a repo we already have added).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@KlavsKlavsen this should be covered by the targetRevision
field. The only caveat is that it won't be possible to reference two revisions of the same branch. This limitation will be removed after switching to Config Management Plugins though.
Signed-off-by: ishitasequeira <isequeir@redhat.com>
Signed-off-by: ishitasequeira <isequeir@redhat.com>
Signed-off-by: ishitasequeira <isequeir@redhat.com>
* add to approvers Signed-off-by: pashavictorovich <pavel@codefresh.io> * watch opts move to struct Signed-off-by: pashavictorovich <pavel@codefresh.io> * watch opts move to struct Signed-off-by: pashavictorovich <pavel@codefresh.io> Signed-off-by: ishitasequeira <isequeir@redhat.com>
* fix: application resource APIs must enforce project restrictions Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * Fix unit tests Signed-off-by: jannfis <jann@mistrust.net> Co-authored-by: jannfis <jann@mistrust.net> Signed-off-by: ishitasequeira <isequeir@redhat.com>
* chore: fix imports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * chore: fix unit test Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * chore: keep changes minimal Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * chore: fix another test Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: ishitasequeira <isequeir@redhat.com>
* add to approvers Signed-off-by: pashavictorovich <pavel@codefresh.io> * print tables additional tests Signed-off-by: pashavictorovich <pavel@codefresh.io> * move to %q Signed-off-by: pashavictorovich <pavel@codefresh.io> Signed-off-by: ishitasequeira <isequeir@redhat.com>
Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> Signed-off-by: ishitasequeira <isequeir@redhat.com>
sources: | ||
- repoURL: https://github.com/my-org/my-repo # path is missing so no manifests are generated | ||
targetRevision: master | ||
ref: myRepo # repo is available via symlink "my-repo" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is the connection done via symlink, or via a variable which Argo CD will populate in some set of fields?
Symlink is simple and easy to understand, but I'm not sure whether all relevant Helm/Kustomize features will permit out-of-bound symlinking.
Variables make sense, we just need to make sure our sensitive-path sanitization logic is working correctly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest using variables because we are doing it already. Users can specify the env variable e.g. in helm file params etc and Argo CD performs substitution:
argo-cd/reposerver/repository/repository.go
Line 752 in 0ff1ada
resolvedPath, _, err := pathutil.ResolveFilePath(appPath, repoRoot, env.Envsubst(p.Path), q.GetValuesFileSchemes()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That same env
variable gets used for --set
and --set-string
, so I think it would be trivial to leak the randomized repo paths.
We could augment env
with the path variable. But that would be a Helm-specific solution. We'd have to write additional features to support Kustomize, and we'd have to ask CMP authors to please use the variables responsibly and avoid leaking the values to users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Hi @crenshaw-dev, are we good to merge the PR? |
@ishitasequeira I have some concerns that only apply if we plan to use |
Its sounds so good! We were waiting this for decades! 🤝 |
@crenshaw-dev I'm assuming you are concerned about security, right? I agree. We should not allow resolving references in every spec field. Let's limit it to |
Yep! With that limitation, I think security should be fine. Will approve/merge. |
* proposal: support multiple sources for an Application Signed-off-by: ishitasequeira <isequeir@redhat.com> * addressed PR comments Signed-off-by: ishitasequeira <isequeir@redhat.com> * update summary Signed-off-by: ishitasequeira <isequeir@redhat.com> * feat: move watch params to struct (argoproj#8819) * add to approvers Signed-off-by: pashavictorovich <pavel@codefresh.io> * watch opts move to struct Signed-off-by: pashavictorovich <pavel@codefresh.io> * watch opts move to struct Signed-off-by: pashavictorovich <pavel@codefresh.io> Signed-off-by: ishitasequeira <isequeir@redhat.com> * Merge pull request from GHSA-2f5v-8r3f-8pww * fix: application resource APIs must enforce project restrictions Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * Fix unit tests Signed-off-by: jannfis <jann@mistrust.net> Co-authored-by: jannfis <jann@mistrust.net> Signed-off-by: ishitasequeira <isequeir@redhat.com> * chore: fix imports and unit tests (argoproj#8857) * chore: fix imports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * chore: fix unit test Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * chore: keep changes minimal Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * chore: fix another test Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: ishitasequeira <isequeir@redhat.com> * feat: operation result and history table tests (argoproj#8887) * add to approvers Signed-off-by: pashavictorovich <pavel@codefresh.io> * print tables additional tests Signed-off-by: pashavictorovich <pavel@codefresh.io> * move to %q Signed-off-by: pashavictorovich <pavel@codefresh.io> Signed-off-by: ishitasequeira <isequeir@redhat.com> * fix: corrected applicationset binary name in manifests (argoproj#8954) Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> Signed-off-by: ishitasequeira <isequeir@redhat.com> * Update proposed design to add 'ref' field instead of externalValuesField Signed-off-by: ishitasequeira <isequeir@redhat.com> * remove unwanted changes from PR added while rebase Signed-off-by: ishitasequeira <isequeir@redhat.com> Co-authored-by: pasha-codefresh <pavel@codefresh.io> Co-authored-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> Co-authored-by: jannfis <jann@mistrust.net> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Co-authored-by: rishabh625 <43094970+rishabh625@users.noreply.github.com> Signed-off-by: asingh51 <Ashutosh_Singh@intuit.com>
Can't wait .. thanks contributors |
* proposal: support multiple sources for an Application Signed-off-by: ishitasequeira <isequeir@redhat.com> * addressed PR comments Signed-off-by: ishitasequeira <isequeir@redhat.com> * update summary Signed-off-by: ishitasequeira <isequeir@redhat.com> * feat: move watch params to struct (argoproj#8819) * add to approvers Signed-off-by: pashavictorovich <pavel@codefresh.io> * watch opts move to struct Signed-off-by: pashavictorovich <pavel@codefresh.io> * watch opts move to struct Signed-off-by: pashavictorovich <pavel@codefresh.io> Signed-off-by: ishitasequeira <isequeir@redhat.com> * Merge pull request from GHSA-2f5v-8r3f-8pww * fix: application resource APIs must enforce project restrictions Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * Fix unit tests Signed-off-by: jannfis <jann@mistrust.net> Co-authored-by: jannfis <jann@mistrust.net> Signed-off-by: ishitasequeira <isequeir@redhat.com> * chore: fix imports and unit tests (argoproj#8857) * chore: fix imports Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * chore: fix unit test Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * chore: keep changes minimal Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> * chore: fix another test Signed-off-by: Michael Crenshaw <michael@crenshaw.dev> Signed-off-by: ishitasequeira <isequeir@redhat.com> * feat: operation result and history table tests (argoproj#8887) * add to approvers Signed-off-by: pashavictorovich <pavel@codefresh.io> * print tables additional tests Signed-off-by: pashavictorovich <pavel@codefresh.io> * move to %q Signed-off-by: pashavictorovich <pavel@codefresh.io> Signed-off-by: ishitasequeira <isequeir@redhat.com> * fix: corrected applicationset binary name in manifests (argoproj#8954) Signed-off-by: rishabh625 <rishabhmishra625@gmail.com> Signed-off-by: ishitasequeira <isequeir@redhat.com> * Update proposed design to add 'ref' field instead of externalValuesField Signed-off-by: ishitasequeira <isequeir@redhat.com> * remove unwanted changes from PR added while rebase Signed-off-by: ishitasequeira <isequeir@redhat.com> Co-authored-by: pasha-codefresh <pavel@codefresh.io> Co-authored-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> Co-authored-by: jannfis <jann@mistrust.net> Co-authored-by: Michael Crenshaw <michael@crenshaw.dev> Co-authored-by: rishabh625 <43094970+rishabh625@users.noreply.github.com> Signed-off-by: wojtekidd <wojtek.cichon@protonmail.com>
is PR-6280 will be part of the new multiple sources for an application? |
@chenfli that PR had some shortcomings which this proposal addressed. We do expect that this feature will be in 2.5. |
Is there a PR for this feature yet? |
@KlavsKlavsen not yet. Will post on the main issue thread when that happens! |
Hello @ishitasequeira , is the feature available in v2.4? I saw another PR related to this proposal marked for 2.5. While v2.4 release note mentions it. |
@romuduck it will not be available until 2.5. Ishita has a draft PR open for it. |
Thanks @crenshaw-dev and @ishitasequeira ... Enjoy holidays in case :-) |
PR is here for those following. |
is it released for v2.5.1 ?
It's failing , I followed an example that I saw above . |
It's targeted for 2.6. |
Note the singular/plural spelling of "source/sources" (also maps vs. array of maps): For single source apps:
For multi source apps:
|
This is a proposal for supporting multiple sources for an Application.
Related issues:
Signed-off-by: ishitasequeira isequeir@redhat.com
Note on DCO:
If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.
Checklist: