Endless Sync Loop when installing Helm Chart via ArgoCD #4114
Comments
|
|
|
Issues go stale after 90d of inactivity. |
jetstack-bot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. |
jetstack-bot
added
lifecycle/rotten
|
Had the same problem after adding it to argocd using kustomize. In my case, I added the following patch: patchesJson6902:
- target:
group: admissionregistration.k8s.io
version: v1
kind: ValidatingWebhookConfiguration
name: cert-manager-webhook
patch: |-
- op: add
path: /webhooks/0/namespaceSelector/matchExpressions/-
value:
key: control-plane
operator: DoesNotExist |
|
Rotten issues close after 30d of inactivity. |
|
@jetstack-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/reopen |
|
@wallrj: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
removed
the
lifecycle/rotten
|
@jstewart612 Thanks for the PR and apologies for not replying sooner. Would you be able to work around this some other way? Or could you use any of the work arounds described in: |
|
I worked around this using ArgoCD IgnoreDifferences. This way you won't have to change the cert-manager resources. See the ArgoCD Docs for more information ignoreDifferences:
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
name: cert-manager-webhook
jqPathExpressions:
- .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "control-plane")edit: On 23 September 2023 it looks like Microsoft Azure (AKS) added an extra ignoreDifferences:
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
name: cert-manager-webhook
jqPathExpressions:
- .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "control-plane")
- .webhooks[].namespaceSelector.matchExpressions[] | select(.key == "kubernetes.azure.com/managedby") |
|
It'd be nice if #4114 (comment) was documented in the installation instructions somewhere. -- I'd consider that a "fix' for this. Alternatively, perhaps we can just get this fixed in ArgoCD: |
|
Issues go stale after 90d of inactivity. |
jetstack-bot
added
the
lifecycle/stale
|
I found another alternative. In their documentation AKS & microsoft explain you can disable the I simply dropped this into my helm configuration webhook:
validatingWebhookConfigurationAnnotations:
admissions.enforcer/disabled: "true"And the diff is gone. I know AKS doesn't recommend you doing this since it can affect protected namespaces but given this webhook is configured to only affect cert-manager CRD's and not vanilla k8s resources this is a better solution for people like me who uses |
|
Stale issues rot after 30d of inactivity. |
jetstack-bot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. |
|
@jetstack-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
* argocd self-manage * infra name * policy * root-on root * name * argocd app and values * exclude values * exclude * multi sources * root path for values * ref * syncOptions * root-app-infra * root-app-infra no * move values * allow resource in proj * better excl * new path * rm values * * in exclude * argocd name * application.namespaces: "*" * ingress-nginx-values.yaml * ext-dns different ns * - CreateNamespace=true * ns * ns * ext-dns chart * conf extdns * parms for ext-dns * annotation nginx * no id * v1.11.1cert-manage * cluster-issuer * cert-manager-issuers * thanos * monitoring * objstoreConfig * healthz * grafana * auth * prom * - ServerSideApply=true * cert-manager/cert-manager#4114 * port * 19291 * multicluster * Main Org. * dash1 * no need for app for dash * exclude dashes from root * dash name * dash app * ns * remove app * dash2 * all mixin dashes * rename * newline * 2 * more dah * fix some dash * more dasj * more dash * pvv dash * pv * last dash * fixes * kyverno * https://kyverno.github.io/kyverno/ * kyverno2 * replace true * policy * exclude * appset * workload * tabs * description * infra proj * typo * proj * ( * argocd ingress * typo * ingressClassName * vcluster helm chart * path * sources * url * https://charts.loft.sh * policy vc* * cluster name * test * fixed dahs * single source for vcluster * prom on workload * move to appset * proper prom * proj * ns * path * no node-expo * - ServerSideApply=true * remove clusters * vc34 * better prome * nodeExporter: enabled: false * 5-6 * 123 * use argocd-app * disable argo self-manage * re-enable * replace=true * - ServerSideApply=true * annotations: argocd.argoproj.io/sync-wave: "5" * disabled * move * mapServices * prometheus-sample-app * nane * pullpolicy * docker pull ams0/prometheus-sample-app * capi-operator * only capi-op * - * root-app-infra exclude * ns * ns2 * repo * cluster-api-operator * operato * ignore diff * ingorediff * InfrastructureProvider * test * '' * 1 * "" * no infra * azure * X * comment * no core * capi machinepool * wave * different strategy * spaces * disabled capi-operator * gitops/management/argocd/argocd-values.yaml * gitignore * readme * readme * k8sis.fun * k8sis.fun * Added imdb app * capz policy * readme * policy for capz cluster * no precondition * replace branch * helm req * capz appset --------- Co-authored-by: Alessandro Vozza <alessandro.vozza@microsoft.com> Co-authored-by: Joaquin Rodriguez <rjoaquin@microsoft.com>
|
/reopen We should document the work around for this in: xref: cert-manager/website#320 |
|
@wallrj: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Hi @wallrj Thanks |
|
@wallrj |
|
Rotten issues close after 30d of inactivity. |
|
@jetstack-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Describe the bug:
Helm chart's ValidatingWebhookConfiguration is missing a configuration section which Kubernetes adds in on Azure Kubernetes Service to every ValidatingWebhookConfiguration which causes ArgoCD to place the Helm chart into a constant sync loop and never become healthy.
Expected behaviour:
This ValidatingWebhookConfiguration
Steps to reproduce the bug:
Install this Application CRD on your cluster running ArgoCD 2.0.3 on an Azure Kubernetes Service cluster:
Once you do, this section will repeatedly want to delete webhooks[0].namespaceSelector.matchExpressions[2]:
Anything else we need to know?:
Nope.
Environment details::
/kind bug
The text was updated successfully, but these errors were encountered: