argo-cd: Ignoring Extraneous Resources doesn't improve app's overall sync status

Describe the bug

We configure our openshift identity providers resources using argocd. Extra Secrets are created in the openshift-authentication namespace by the operator. We followed https://argoproj.github.io/argo-cd/user-guide/compare-options/#ignoring-resources-that-are-extraneous to ignore these secrets but our Application keeps being marked as “OutOfSync”.

As you can see in the screenshot below, the resources are correctly ignored but the application keeps being OutOfSync.

To Reproduce

Here is our argocd application yaml:

---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: idp
  namespace: argocd
  annotations:
    argocd.argoproj.io/compare-options: IgnoreExtraneous
    argocd.argoproj.io/sync-options: Prune=false
spec:
  destination:
    namespace: default
    server: https://kubernetes.default.svc
  project: cicd
  source:
    path: sbx/application/idp
    plugin:
      name: encrypted-yaml
    repoURL: http://<our internal repo>/projects.git
    targetRevision: cicd
  syncPolicy:
    automated:
      prune: false
      selfHeal: false

Here is our idp configuration:

---
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: local_accounts
      mappingMethod: claim
      type: HTPasswd
      htpasswd:
        fileData:
          name: htpass-users
    - name: Active_Directory
      mappingMethod: claim
      type: LDAP
      ldap:
        attributes:
          id:
            - dn
          email:
            - mail
          name:
            - cn
          preferredUsername:
            - sAMAccountName
        bindDN: "<redacted>"
        bindPassword:
          name: ad-secret
        insecure: true
        url: "ldap://<redacted>?sAMAccountName"

Expected behavior

The project should be marked as in sync.

Screenshots

Here is a screenshot of the project: [image]

Here is a screenshot of the sync status: [image]

Version

argocd: v1.6.1+159674e
  BuildDate: 2020-06-19T00:39:46Z
  GitCommit: 159674ee844a378fb98fe297006bf7b83a6e32d2
  GitTreeState: clean
  GoVersion: go1.14.1
  Compiler: gc
  Platform: linux/amd64

Logs

Hitting refresh, here are the logs from the application controller:

time="2020-10-05T16:17:15Z" level=info msg="Refreshing app status (normal refresh requested), level (2)" application=idp
time="2020-10-05T16:17:15Z" level=info msg="Refreshing app status (controller refresh requested), level (1)" application=cicd-applications
time="2020-10-05T16:17:15Z" level=info msg="Comparing app state (cluster: https://kubernetes.default.svc, namespace: default)" application=idp
time="2020-10-05T16:17:16Z" level=info msg="getRepoObjs stats" application=idp build_options_ms=0 helm_ms=0 plugins_ms=0 repo_ms=0 time_ms=77 unmarshal_ms=76 version_ms=0
time="2020-10-05T16:17:16Z" level=info msg="Skipping auto-sync: need to prune extra resources only but automated prune is disabled" application=idp
time="2020-10-05T16:17:16Z" level=info msg="Update successful" application=idp
time="2020-10-05T16:17:16Z" level=info msg="Reconciliation completed" application=idp dedup_ms=0 dest-namespace=default dest-server="https://kubernetes.default.svc" diff_ms=3 fields.level=2 git_ms=77 health_ms=0 live_ms=1 settings_ms=0 sync_ms=0 time_ms=97

Thank you for your help!

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 21
  • Comments: 32 (13 by maintainers)

Most upvoted comments

Is there a way to hide the ignored resources in the interface as well?

The two annotations

      argocd.argoproj.io/compare-options: IgnoreExtraneous
      argocd.argoproj.io/sync-options: Prune=false

work very well. Resources created by the operator are not deleted/synchronized during the synchronization process.

However, the resources still appear in the interface and make the application very confusing. [screenshot]

Yes, would also like an option to exclude a resource entirely. In this case they are resources created by helm from an application that defines a helm chart via the k3s HelmChart CRD …

ignoreDifferences but without the jsonPointers basically … or a functioning root (/) jsonPointer … ?

  ignoreDifferences:
  - group: core
    kind: Secret
    name: concourse-postgresql
    jsonPointers:
    - /

These annotations are supposed to be put on the resources you want to ignore and avoid pruning (i.e. the Secrets), not on the application spec.

  annotations:
    argocd.argoproj.io/compare-options: IgnoreExtraneous
    argocd.argoproj.io/sync-options: Prune=false

How did these resources end up with the Argo CD tracking label? Were they at one point deployed using Argo CD?

Argo app manages a user-created secret. Redhat operator copies that secret to another namespace and renames it, but copies the original secret along with the label that Argocd puts on it 😃 So, from Argocd’s point of view, the openshift-managed secret was created by it as well (though not true). I can raise an issue with redhat, I guess, as well, and ask to stop copying the labels from the original resource, but they might have a legit explanation for such a behavior. So, like I mentioned above, I think Argo app spec should have an option to exclude such resources

Creating the original secrets with the IgnoreExtraneous compare-option seems to be a valid workaround for the openshift-config related secrets:

The annotation is copied to the v4-0-config-user-idp-1-bind-password secret in the openshift-authentication namespace, so the compare option is now effective on both itself and the declared secret (ad-secret in openshift-config). Unfortunately, this breaks purging of openshift-config secrets that are no longer used. Probably deleting it manually is acceptable given that identity providers should not change too often.

---
apiVersion: v1
kind: Secret
metadata:
  annotations:
    argocd.argoproj.io/compare-options: IgnoreExtraneous
    description: Bind password to access AD
  name: ad-secret
  namespace: openshift-config
type: Opaque
data:
  bindPassword: KioqKg==

I think that for such resources, that are being created without the user's control (kustomize is still a case of user control, but redhat operators aren't), the option should be available on the argo-app itself. Probably something like:

    syncPolicy:
      ignoreExtraneous:
        resourceNameRegex: <some regex matching the resource name>
        namespace: <the namespace name, as in those cases it differs from the targetNamespace of the app>
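An added illustration, not Argo CD's own code, of the two points made in this thread: the compare option is only honoured on the live resource itself (not on the Application), and an operator that copies labels and annotations along with the secret therefore also carries the IgnoreExtraneous option over to the extraneous copy. It is a simplified Python model of the sync-status rule; the tracking label name and the omission of content diffs are assumptions.

```python
# Added, simplified model of Argo CD's extraneous-resource handling, not Argo CD code.
# Assumption: the tracking label is app.kubernetes.io/instance (Argo CD v1.x default).
TRACKING_LABEL = "app.kubernetes.io/instance"
COMPARE_OPTIONS = "argocd.argoproj.io/compare-options"

def key(res):
    return (res["kind"], res["metadata"].get("namespace"), res["metadata"]["name"])

def resource_status(app_name, desired, live):
    """Map each tracked resource to (status, counts_toward_app_status).
    A live object carrying the app's tracking label but absent from Git is
    extraneous: OutOfSync, and counted against the app unless the resource
    itself carries IgnoreExtraneous. The Application's own annotations are
    never consulted, which is why the setup in this issue stays OutOfSync."""
    desired_keys = {key(r) for r in desired}
    statuses = {k: ("Synced", True) for k in desired_keys}  # content diff omitted
    for r in live:
        meta = r["metadata"]
        if meta.get("labels", {}).get(TRACKING_LABEL) != app_name or key(r) in desired_keys:
            continue
        opts = meta.get("annotations", {}).get(COMPARE_OPTIONS, "")
        ignored = "IgnoreExtraneous" in [o.strip() for o in opts.split(",")]
        statuses[key(r)] = ("OutOfSync", not ignored)
    return statuses

def app_sync_status(app_name, desired, live):
    statuses = resource_status(app_name, desired, live).values()
    return "OutOfSync" if any(s == "OutOfSync" and c for s, c in statuses) else "Synced"

def secret(name, namespace, annotations=None):
    # Constructed sample Secret carrying the idp app's tracking label.
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": name, "namespace": namespace,
                         "labels": {TRACKING_LABEL: "idp"},
                         "annotations": dict(annotations or {})}}

def operator_copy(src, name, namespace):
    # Mimic the operator described in the thread: the copy keeps labels AND annotations.
    return {**src, "metadata": {**src["metadata"], "name": name, "namespace": namespace}}

def scenario(annotate_original):
    # Git declares ad-secret; the operator copies it into openshift-authentication.
    ann = {COMPARE_OPTIONS: "IgnoreExtraneous"} if annotate_original else {}
    original = secret("ad-secret", "openshift-config", ann)
    copied = operator_copy(original, "v4-0-config-user-idp-1-bind-password", "openshift-authentication")
    return app_sync_status("idp", [original], [original, copied])
```

With the annotation on the declared secret the app reports Synced, while the copied secret is still listed as OutOfSync, matching the comment above that ignored resources keep showing up in the interface.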

The extra resources are created by the operator so we have no control on their content (they are recreated by openshift if we try to remove them). Is there a way to exclude them in argocd from the application as we have no control on their content?

I will maybe do a PR to improve the documentation, because "This can be done by adding this annotation:" in https://argoproj.github.io/argo-cd/user-guide/compare-options/#ignoring-resources-that-are-extraneous doesn't tell us where to add these annotations.

Any news on the issue apart from changing the docs? Experiencing the same with OCP 4.5 oauth + console customizations