Feature Request
Resolution: Done
Describe the bug
The Application resource schema doesn't allow forcing autosync to be disabled in a GitOps way with the app-of-apps pattern.
I have a parent Application (app-of-apps pattern) which contains only child Application resources and which has autoSync with selfHeal enabled. I need this parent Application to force the child Applications to have autoSync completely disabled. I need the parent Application's selfHeal to disable autoSync of the child Applications again when somebody enables it directly in Kubernetes.
Unfortunately, autosync is disabled only when spec.syncPolicy.automated is not present on the resource, and I don't know how to write child Application resources in such a way that ArgoCD enforces the absence of the spec.syncPolicy.automated field in Kubernetes.
I've tried to use spec.syncPolicy: {} and spec.syncPolicy.automated: null, but neither of them works in ArgoCD (that is, with either of them in Git and spec.syncPolicy.automated: {} present in Kubernetes, ArgoCD considers the Application Synced).
Related GitHub issue:
Not possible to force autosync disabled
Reproducer
First create the parent Application:
cat <<EOF | kubectl create -f-
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app-of-apps
  namespace: argocd1
  finalizers:
  - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: helm-guestbook-1
    server: https://kubernetes.default.svc
  project: default
  source:
    path: .
    repoURL: https://github.com/mrysavy/argocd-issue-autosync.git
    targetRevision: main
  syncPolicy:
    automated:
      selfHeal: true
      prune: true
EOF
My public GitHub repo contains two child Application resources, one with spec.syncPolicy: {} and the other with spec.syncPolicy.automated: null.
Now both child Applications are OutOfSync because it is specified in git.
$ argocd app list
NAME                      CLUSTER                         NAMESPACE         PROJECT  STATUS     HEALTH   SYNCPOLICY  CONDITIONS  REPO                                                  PATH            TARGET
argocd1/app-of-apps       https://kubernetes.default.svc  helm-guestbook-1  default  Synced     Healthy  Auto-Prune  <none>      https://github.com/mrysavy/argocd-issue-autosync.git  .               main
argocd1/helm-guestbook-1  https://kubernetes.default.svc  helm-guestbook-1  default  OutOfSync  Missing  <none>      <none>      https://github.com/argoproj/argocd-example-apps.git   helm-guestbook  master
argocd1/helm-guestbook-2  https://kubernetes.default.svc  helm-guestbook-2  default  OutOfSync  Missing  <none>      <none>      https://github.com/argoproj/argocd-example-apps.git   helm-guestbook  master
Then enable autoSync on both child Applications:
$ argocd app set --sync-policy auto --sync-option CreateNamespace=true helm-guestbook-1
$ argocd app set --sync-policy auto --sync-option CreateNamespace=true helm-guestbook-2
Now all Applications are Synced:
$ argocd app list
NAME                      CLUSTER                         NAMESPACE         PROJECT  STATUS  HEALTH       SYNCPOLICY  CONDITIONS  REPO                                                  PATH            TARGET
argocd1/app-of-apps       https://kubernetes.default.svc  helm-guestbook-1  default  Synced  Healthy      Auto-Prune  <none>      https://github.com/mrysavy/argocd-issue-autosync.git  .               main
argocd1/helm-guestbook-1  https://kubernetes.default.svc  helm-guestbook-1  default  Synced  Progressing  Auto        <none>      https://github.com/argoproj/argocd-example-apps.git   helm-guestbook  master
argocd1/helm-guestbook-2  https://kubernetes.default.svc  helm-guestbook-2  default  Synced  Progressing  Auto        <none>      https://github.com/argoproj/argocd-example-apps.git   helm-guestbook  master
And the problem is that although automatic synchronization on the child Applications is supposed to be turned off, it is turned on, even though the parent Application has selfHeal enabled.
SyncPolicy of first application from GIT:
$ argocd app manifests app-of-apps | yq 'select(.metadata.name == "helm-guestbook-1")' | yq '.spec.syncPolicy'
{}
and from Kubernetes cluster:
$ kubectl get application -n argocd1 helm-guestbook-1 -o yaml | yq '.spec.syncPolicy'
automated: {}
syncOptions:
- CreateNamespace=true
SyncPolicy of second application from GIT:
$ argocd app manifests app-of-apps | yq 'select(.metadata.name == "helm-guestbook-2")' | yq '.spec.syncPolicy'
automated: null
and from Kubernetes cluster:
$ kubectl get application -n argocd1 helm-guestbook-2 -o yaml | yq '.spec.syncPolicy'
automated: {}
syncOptions:
- CreateNamespace=true
Expected behavior
The expected behavior is to be able to enforce disabled autosync on a child Application through the parent Application's selfHeal. A proposal could be a flag to disable autosync in the automated block, like:
syncPolicy:
  automated:
    disabled: true <- new flag proposal
    prune: true
    selfHeal: true
Version
argocd: v2.6.7+5bcd846.dirty
  BuildDate: 2023-03-23T17:25:30Z
  GitCommit: 5bcd846fa16e4b19d8f477de7da50ec0aef320e5
  GitTreeState: dirty
  GoVersion: go1.20.2
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.6.7+5bcd846
  BuildDate: 2023-03-23T14:57:27Z
  GitCommit: 5bcd846fa16e4b19d8f477de7da50ec0aef320e5
  GitTreeState: clean
  GoVersion: go1.18.10
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v4.5.7 2022-08-02T16:35:54Z
  Helm Version: v3.10.3+g835b733
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.19.1
Is related to: GITOPS-5430 Declarative configs for enable/disable auto-sync on Applications (New)
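An added example, not part of the original report and not Argo CD code: a Python audit that flags the drift described above, where Git leaves spec.syncPolicy.automated absent or null but the live Application has it set (even as {}). The function names and the sample JSON are constructed for illustration; it assumes the Git-rendered manifests and the live objects have already been converted to lists of JSON objects.

```python
import json


def autosync_enabled(app):
    """Per the report, auto-sync is on whenever spec.syncPolicy.automated is
    present on the resource, even as {}; absent or null is treated as off."""
    policy = (app.get("spec") or {}).get("syncPolicy") or {}
    return policy.get("automated") is not None


def find_autosync_drift(desired_apps, live_apps):
    """Names of Applications that Git wants with auto-sync off but that have
    it on in the cluster, a state the parent's selfHeal does not revert."""
    live_by_name = {a["metadata"]["name"]: a for a in live_apps}
    drifted = []
    for want in desired_apps:
        name = want["metadata"]["name"]
        have = live_by_name.get(name)
        if have is None:
            continue  # child not created yet, nothing to compare
        if not autosync_enabled(want) and autosync_enabled(have):
            drifted.append(name)
    return sorted(drifted)


# Constructed sample data modelled on the reproducer (not captured output).
DESIRED = json.loads("""[
  {"metadata": {"name": "helm-guestbook-1"}, "spec": {"syncPolicy": {}}},
  {"metadata": {"name": "helm-guestbook-2"}, "spec": {"syncPolicy": {"automated": null}}},
  {"metadata": {"name": "wants-autosync"},   "spec": {"syncPolicy": {"automated": {"prune": true}}}},
  {"metadata": {"name": "still-manual"},     "spec": {}}
]""")
LIVE = json.loads("""[
  {"metadata": {"name": "helm-guestbook-1"},
   "spec": {"syncPolicy": {"automated": {}, "syncOptions": ["CreateNamespace=true"]}}},
  {"metadata": {"name": "helm-guestbook-2"},
   "spec": {"syncPolicy": {"automated": {}, "syncOptions": ["CreateNamespace=true"]}}},
  {"metadata": {"name": "wants-autosync"},
   "spec": {"syncPolicy": {"automated": {"prune": true}}}},
  {"metadata": {"name": "still-manual"}, "spec": {"syncPolicy": {}}}
]""")

if __name__ == "__main__":
    for name in find_autosync_drift(DESIRED, LIVE):
        print(f"{name}: auto-sync enabled in cluster but disabled in Git")
```

Run on a schedule, a check like this surfaces out-of-band auto-sync changes that the Synced status of the parent Application hides.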