feat(14638): Set managed-by label on installed resources (Alpha)

[jmilic1]

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

• Closes Optionally add app.kubernetes.io/managed-by label to all resources #14638
• Created argocd resources did not have app.kubernetes.io/managed-by label set. Kubernetes recommends having multiple labels on resources, one of which is the managed-by label. If the new resource does not have the label set, it should now default to argocd.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.

Please see Contribution FAQs if you have questions about your pull-request.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.52%. Comparing base (7fe1263) to head (9ca4aca).
Report is 29 commits behind head on master.

❗ Current head 9ca4aca differs from pull request most recent head 6a3795d. Consider uploading reports for the commit 6a3795d to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #14945      +/-   ##
==========================================
- Coverage   49.57%   49.52%   -0.05%     
==========================================
  Files         273      269       -4     
  Lines       48314    47025    -1289     
==========================================
- Hits        23951    23291     -660     
+ Misses      22000    21449     -551     
+ Partials     2363     2285      -78     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[lindhe]

If the new resource does not have the label set, it should now default to argocd

I think that if the user has opted in to use this feature, the label should be set always. If the label already exists with another value, overwrite it!

1. What does the label indicate? It indicates who manages the resource. And who is managing the resource? Well, Argo is, for sure (or else this code does not matter). So why not make sure it's set correctly?
2. It is very common that Helm charts set that label, which is usually a good thing but in our case it would be misleading to leave it unchanged.

[lindhe]

I think it would be a good idea to have this be opt-in rather than changing the default. That will make it a lot easier to merge, since it wouldn't be a breaking change.

[blakepettersson]

In the case of Helm applications app.kubernetes.io/managed-by will be Helm, even though de-facto it is Argo CD that is doing the management. I'm not sure what the right thing to do is here tbh. Either Argo CD should overwrite it and set argocd, or leave as-is. 🤔

[jmilic1]

I like what @lindhe suggested with making this opt-in. Other than making this PR a non-breaking change, anybody who uses this feature in the future will know what's going on because they will explicitly choose to use it.

This way, I feel like maintainers who want to be able to filter their k8s resources by ones managed by argo will want managed-by: helm to be overwritten with argocd.
Thoughts?

[lindhe]

Yes, exactly why I think we should have this as an opt-in! If we can offload this design choice to the users, it's all for the better.

[blakepettersson]

Apart from the issue above it generally LGTM 👍 It'd also be good to add an E2E test that checks that this label is set for all manifests managed by an application.

[lindhe]

How hard would it be to make this enforced on a project level (i.e. "set this label for all resources deployed by applications in project x")?

[jmilic1]

How hard would it be to make this enforced on a project level (i.e. "set this label for all resources deployed by applications in project x")?

I am assuming we are adding our new option to argocd-repo-server?

If so, I believe your suggestion is more than doable. I would go an extra mile and let users add multiple projects e.g. argocd-repo-server --managed-by-argo stringArray, but then it seems like a lot of work to name all of my projects if I want all of them to opt-in.

Do you think this is too tedious? If so, is it good or legit practice in these situations to interpret an empty array as "Write this label on all of my projects"?

[lindhe]

If so, I believe your suggestion is more than doable.

Great to hear! It is my opinion that we should try to get the basic functionality merged first (as on opt-in 😉) and then we create a follow-up PR for making it possible on a project-basis. That keeps things agile and minimal.

[lindhe]

🎉

[blakepettersson]

and then we create a follow-up PR for making it possible on a project-basis

IMO I think this should be all-or-nothing; if we are to have any flags at all then I think Jura's approach is the way to go. At some point in the future this should be the default for all manifests managed by Argo CD.

[jmilic1]

I need help figuring out what happened with this test

It'd also be good to add an E2E test that checks that this label is set for all manifests managed by an application.

Can you point me to the bit of code which creates a new argocd repo server in e2e test setup or where the new flag can be set for an already existing repo server which these tests use?
I'm a bit lost on these e2e tests in general because I've never actually seen any yet in my career 😬, but if it won't take too much time out of the PR, with some guidance, I'd like to write some for experience sake.

[blakepettersson]

I need help figuring out what happened with this test

I think you'll need to run make codegen for the corresponding documentation to be generated for the repo-server.

[blakepettersson]

Can you point me to the bit of code which creates a new argocd repo server in e2e test setup or where the new flag can be set for an already existing repo server which these tests use?

Yeah this one is a bit tricky 😄

You'd need to do something like the following:

1. In manifests/base/repo-server/argocd-repo-server-deployment.yaml you'll need to add ARGOCD_REPO_SERVER_MANAGED_BY_ARGO in the env params, so it can be managed from argocd-cmd-params-cm
2. In e2e/fixture/fixture.go add a toggle, so that managed-by can be toggled from the e2e tests.
3. The same file has a RestartRepoServer() method which you can use in the e2e tests

[blakepettersson]

If you want Current Status: Alpha (Since v2.8.0) you'd have to add it here and run make codegen, so that the docs matches what is in the command.

You could also attempt to add the exact same string in docs/operator-manual/server-commands/argocd-repo-server.md without running make codegen, but if they differ you'll bump into the same issue as previously.

[jmilic1]

I'm having trouble writing the e2e test and/or setting up test infrastructure to support the new env variable. Can someone take a look?

[blakepettersson]

Seems like you're doing everything right @jmilic1. I took a look at RestartRepoServer() and it seems like the whole thing is wrapped in if IsRemote() {, which I don't think is necessary.. can you try removing the if block and see how it goes?

[jmilic1]

Seems like you're doing everything right @jmilic1. I took a look at RestartRepoServer() and it seems like the whole thing is wrapped in if IsRemote() {, which I don't think is necessary.. can you try removing the if block and see how it goes?

Looking at all the uses of RestartRepoServer() in code, I'm noticing it is always used like:

doSomething(){
   if fixture.IsLocal(){
      ...
   } else {
      fixture.RestartRepoServer()
   }
}

It seems to me like fixture.RestartRepoServer() might only work if someone creates a test environment by following test/remote/README.md and creating a remote environment instead of creating a local one.

This way, tests complete no matter if you are running the environment locally or remotely.
The pipelines might create the environment locally, which means they cannot use RestartRepoServer() so they fail with error Error from server (NotFound): deployments.apps \"argocd-repo-server\" not found"

[blakepettersson]

@jmilic1 I think the kubectl commands in RestartRepoServer are not running in the correct namespace. If you see how the kubectl commands elsewhere in fixture.go are running, they all run in TestNamespace() (the namespace where Argo CD is running in the E2E tests).. so we can probably keep the old behaviour for RestartRepoServer and add an else where it'll otherwise execute in the TestNamespace() context.

[jmilic1]

@blakepettersson I think I did what you mentioned, but it's still failing. Can you take a look?

[jmilic1]

Bump for the this. Not sure what to do to correct e2e tests

[blakepettersson]

@jmilic1 sorry about the delay, I'm on paternity leave so I haven't had much focus re: Argo CD. I took a look anyways and the E2E test are indeed run with Goreman instead of k8s.

A workaround for this is to instead set the variable through the Makefile and not to attempt a restart of the repo-server.

When I did that locally I got this:

                Error Trace:    /go/src/github.com/argoproj/argo-cd/test/e2e/app_management_test.go:2833
                                                        /go/src/github.com/argoproj/argo-cd/test/e2e/fixture/app/consequences.go:47
                                                        /go/src/github.com/argoproj/argo-cd/test/e2e/app_management_test.go:2824
                Error:          Not equal:
                                expected: "argo-cd"
                                actual  : "argocd"

                                Diff:
                                --- Expected
                                +++ Actual
                                @@ -1 +1 @@

[blakepettersson]

Add this line in the Makefile in the start-e2e-local task and you should be good to go

	ARGOCD_REPO_SERVER_MANAGED_BY_ARGO=true \

[lindhe]

My dudes, I just realized something!

In Helm, there are a handful of Built-in Objects. One of them is Release.Service and is described as "The service that is rendering the present template". Using that object is in-fact the recommended way to set the app.kubernetes.io/managed-by label, according to Helm.

I do not think we should set .Release.Service instead of putting the label there ourselves, considering Argo CD renders manifests from other sources than Helm charts too. But I wanted to bring it up here, because perhaps it would make sense to set that object in Argo CD so that "Helm knows who is rendering the chart". While that work would probably belong to another PR, maybe that is something we can take into consideration when implementing this PR.

It could possibly impact this feature, if for example it becomes an internal struggle between Argo CD trying to apply a Helm chart that sets managed-by=Helm and this feature trying to set managed-by=argocd. And if we can inform Helm that Release.Service is indeed argocd, then the two worlds would align.

I'm not sure this makes any sense, it was just a thought that stuck me that I wanted to bring up.

[lindhe]

@jmilic1 and @blakepettersson: I notice this has stalled. Can I help somehow to power through the last bit so we can pass the finish line here? 🙂

[lets-call-n-walk]

I am also interested in seeing this to completion for our company. Would be happy to help in any way that I can.

[lets-call-n-walk]

@blakepettersson @lindhe @jmilic1 I fixed the checks in this PR. Just trying to get this past the 99% mark. Let me know if this is not proper etiquette or something.

[jmilic1]

@lets-call-n-walk Nope, you're good. I failed to see where my code was failing and got overwhelmed from dealing with tests I had to wait on for half an hour. Still, it's my bad for not responding.

If you can get your tests working, be my guest on finishing this

[ChristianCiach]

Maybe it would nice to make the value argocd configurable, for use-cases like this: #19531