argo-cd icon indicating copy to clipboard operation
argo-cd copied to clipboard

Published 20 hours ago verified publisher icon argoproj

Show if secrets change in the CLI diff

Open Petrosz007 opened this issue 1 year ago • 4 comments

Summary

When running argocd app diff it would be good to have an indication if kubernetes secrets would change.

This functionality was previously removed in #1442. I think that having the option to show that kubernetes secrets will change would be useful (even when not showing what the actual secrets are and just showing *****).

Motivation

Our use case is running argocd app diff <argocd_app_name> --revision refs/pull/<PR_NAME>/merge during our pull requests to see what would change in our deployments. There were cases where we modified only kubernetes secrets in a PR, but the CLI returned there there would be no diff, because it skips diffing secrets.

Proposal

I'm not familiar with the project's codebase, but I think that the web UI already has this functionality. It already shows in the App Diff when secret will change its contents.

Based on the previous ticket and PR (#1442 and #1459) I'd imagine that the CLI had this functionality on the past, but it was removed with that if statement. Maybe adding a new flag to the diff command could skip this removal of the secret objects and let them be diffed.

Petrosz007 avatar Oct 05 '23 12:10 Petrosz007

We have lost a little bit of time on that one, and knowing that secrets resources will be added, removed is actually an info we would like to have (we are using argocd diff for our PR reviews).

Waiting for this feature to be worked on and potentially released, we have added a note in the doc, because it's not really specified anywhere today (or, we didn't find it). https://github.com/argoproj/argo-cd/pull/15950/files

ario0 avatar Oct 13 '23 07:10 ario0

Hi, thanks for opening this issue! I was just in the process of debugging the exact same behavior on our Argo CD instances: the diff is not shown when using the CLI with argocd app diff, but gets rendered correctly in the Web UI.

This is quite surprising since I assumed the CLI and Web UI talk to the same API for fetching the diff - apparently not?

jacksgt avatar Oct 24 '23 08:10 jacksgt

@alexmt @marcb1

Could you elaborate why showing secrets was removed in https://github.com/argoproj/argo-cd/pull/1459 ? There is no explanation in the MR and the code only has the following comment, which I don't understand:

// Don't bother comparing secrets, argo-cd doesn't have access to k8s secret data

I locally built a version of argocd without that if-branch and comparing secret data works just fine.

jacksgt avatar Nov 29 '23 15:11 jacksgt

I came to +1 this idea. We also have an argo bot which shows diffs in PRs and have gotten burned not knowing about their existence.

Reading the comment in the PR, I think they're saying you can't read the content of the Secret in the cluster from the CLI so there was no point showing the resource in the diff. However, even if it can't read the content, can it read .metadata? I think knowing you're going from 1 to 2 secrets or from 4 to 0 secrets is still useful information. If it exists in both you could still say there's a potential change.

I'd even settle for a notification saying the manifest I produced in my branch has a Secret at all.

Also, this was in 2019. Perhaps a lot of this changes with server side diffing and we can bring it back?

snuggie12 avatar Jan 04 '24 19:01 snuggie12

Was surprised to not see the changes to a secret as well. Would be wonderful to get it working.

begemotik avatar Jan 19 '24 16:01 begemotik

We need reviewers / approvers on this PR: https://github.com/argoproj/argo-cd/pull/16483

jacksgt avatar Jan 26 '24 08:01 jacksgt