
feat: Decoupling application sync using impersonation

Open anandf opened this issue 11 months ago • 4 comments

Implementation of proposal https://github.com/argoproj/argo-cd/pull/14255 Addresses issue https://github.com/argoproj/argo-cd/issues/7689

Many engineers from Red Hat worked on this effort. This PR consolidates all their effort into a single PR/merge commit for the entire feature implementation so that it is easy for maintainers to review and merge it.
CLI changes: @ishitasequeira
GUI changes: @raghavi101 @keithchong
E2E tests: @Mangaal

Checklist:

  • [x] Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • [x] The title of the PR states what changed and the related issues number (used for the release note).
  • [x] The title of the PR conforms to the Toolchain Guide
  • [ ] I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • [x] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • [x] Does this PR require documentation updates?
  • [x] I've updated documentation as required by this PR.
  • [x] I have signed off all my commits as required by DCO
  • [x] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • [x] My build is green (troubleshooting builds).
  • [x] My new feature complies with the feature status guidelines.
  • [x] I have added a brief description of why this PR is necessary and/or what this PR solves.
  • [x] Optional. My organization is added to USERS.md.
  • [ ] Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

Testing this feature

Prerequisites

  • make
  • docker
  • sed
  • kubectl
  • kind

Procedure

  1. Clone the repo and check out the branch
git clone git@github.com:anandf/argo-cd.git
cd argo-cd
git checkout sync_with_impersonate
  2. Build the docker image and the CLI client. Push the docker image to quay.io for testing.
export QUAY_USER=<username_in_quay.io>
IMAGE_NAMESPACE=quay.io/$QUAY_USER make image build-local
docker push quay.io/$QUAY_USER/argocd:latest
ls -l ./dist/argocd
  3. Create a kind test cluster
kind create cluster --name argocd
  4. Modify the image name to use the image built and pushed in step 2.
export QUAY_USER=<username_in_quay.io>
sed -i "s/quay.io\/argoproj\/argocd/quay.io\/$QUAY_USER\/argocd/g" manifests/install.yaml
  5. Install Argo CD
kubectl create ns argocd
kubectl apply -f manifests/install.yaml -n argocd
kubectl config set-context --current --namespace argocd
  6. Enable the Application sync impersonation feature in argocd-cm
kubectl patch cm/argocd-cm -n argocd --type=merge -p='{"data":{"application.sync.impersonation.enabled":"true"}}'
  7. Create an AppProject
./dist/argocd proj create guestbook-proj -d https://kubernetes.default.svc,guestbook -s https://github.com/argoproj/argocd-example-apps.git --core
  8. Add the destination service account configuration for the guestbook ns as below
./dist/argocd proj add-destination-service-account guestbook-proj https://kubernetes.default.svc guestbook guestbook-deployer --core
  9. Create an Argo application guestbook associated with the AppProject guestbook-proj
./dist/argocd app create guestbook --core \
    --repo https://github.com/argoproj/argocd-example-apps \
    --path guestbook \
    --project guestbook-proj \
    --dest-server  https://kubernetes.default.svc \
    --dest-namespace guestbook \
    --directory-recurse \
    --sync-policy automated \
    --sync-option ServerSideApply=true
  10. Check that the application fails to sync, since the service account has not been created yet.
kubectl get application guestbook -n argocd -o yaml

Sample error message:

message: 'Namespace auto creation failed: namespaces "guestbook" is forbidden:
          User "system:serviceaccount:guestbook:guestbook-deployer" cannot get resource
          "namespaces" in API group "" in the namespace "guestbook"'
  11. Now create the service account guestbook-deployer in the guestbook ns with the required access.
kubectl create ns guestbook
kubectl create sa guestbook-deployer -n guestbook
kubectl create rolebinding guestbook-deployer-rb -n guestbook --clusterrole cluster-admin --serviceaccount guestbook:guestbook-deployer
  12. Sync the application and check that the sync operation succeeds now.
./dist/argocd app sync argocd/guestbook --core
./dist/argocd app list --core
  13. Check the negative scenario: the sync operation fails with an error when no matching SA is present.
./dist/argocd proj add-destination-service-account guestbook-proj https://kubernetes.default.svc guestbook-dev guestbook-deployer --core
./dist/argocd app create guestbook-dev --core \
    --repo https://github.com/argoproj/argocd-example-apps \
    --path guestbook \
    --project guestbook-proj \
    --dest-server  https://kubernetes.default.svc \
    --dest-namespace guestbook-dev \
    --directory-recurse \
    --sync-policy automated \
    --sync-option ServerSideApply=true
  14. Check that the application fails to sync, since the service account has not been created yet.
kubectl get application guestbook-dev -n argocd -o yaml

Sample error message:

failed to find a matching service account to impersonate: no matching
      service account found for destination server https://kubernetes.default.svc guestbook-dev
      in target namespace guestbook-dev (retried 5 times)

anandf avatar Mar 05 '24 13:03 anandf
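The resolution rule behind steps 8 through 14 of the test procedure, as an added example that is not part of this PR or of the Argo CD code base: given the destination service accounts registered on an AppProject, which service account the controller impersonates for an Application's destination, the `system:serviceaccount:<namespace>:<name>` user that the sample error message shows, and the failure when no entry matches. It also builds a namespace-scoped Role and RoleBinding to stand in for the cluster-admin binding used in step 11, which is fine for a kind cluster but not what a production deployer SA should get. Two details are assumptions, not taken from the PR: entries are matched in order (first match wins) and the namespace field may be a glob pattern; the PR only shows exact namespace names. The project entries and the app destinations are constructed sample data.

```python
"""Added example (not Argo CD code): resolve the impersonated service account for
an Application destination and emit least-privilege RBAC for it."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class DestinationServiceAccount:
    """One entry, as added with `argocd proj add-destination-service-account`."""
    server: str
    namespace: str           # assumption: a glob such as "guestbook-*" is allowed
    service_account: str     # lives in the destination namespace (see the PR's error text)


class NoMatchingServiceAccount(Exception):
    """Raised when the project grants no service account for the destination."""


def impersonation_user(namespace: str, service_account: str) -> str:
    """User name presented to the API server when impersonating the SA."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def resolve_service_account(entries: Sequence[DestinationServiceAccount],
                            dest_server: str, dest_namespace: str) -> str:
    """First entry whose server matches exactly and whose namespace pattern
    matches the destination namespace wins (assumed ordering)."""
    for entry in entries:
        if entry.server == dest_server and fnmatchcase(dest_namespace, entry.namespace):
            return impersonation_user(dest_namespace, entry.service_account)
    raise NoMatchingServiceAccount(
        f"no matching service account found for destination server {dest_server} "
        f"in target namespace {dest_namespace}"
    )


def least_privilege_rbac(namespace: str, service_account: str,
                         resources: Sequence[Tuple[str, str]]) -> Tuple[Dict, Dict]:
    """Role + RoleBinding confined to one namespace, replacing the cluster-admin
    binding from the test procedure. `resources` is a list of (apiGroup, resource)
    pairs the app actually deploys. Returned as dicts, ready to dump to YAML."""
    role_name = f"{service_account}-role"
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": namespace},
        "rules": [
            {"apiGroups": [group], "resources": [resource],
             "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}
            for group, resource in resources
        ],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{service_account}-rb", "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": service_account, "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name},
    }
    return role, binding


# Constructed sample mirroring the project configuration from the test procedure.
PROJECT_DESTINATION_SAS: List[DestinationServiceAccount] = [
    DestinationServiceAccount("https://kubernetes.default.svc", "guestbook", "guestbook-deployer"),
    DestinationServiceAccount("https://kubernetes.default.svc", "guestbook-dev", "guestbook-deployer"),
]

if __name__ == "__main__":
    print(resolve_service_account(PROJECT_DESTINATION_SAS, "https://kubernetes.default.svc", "guestbook"))
    try:
        resolve_service_account(PROJECT_DESTINATION_SAS, "https://kubernetes.default.svc", "prod")
    except NoMatchingServiceAccount as exc:
        print("sync would fail:", exc)
    role, binding = least_privilege_rbac("guestbook", "guestbook-deployer",
                                         [("apps", "deployments"), ("", "services")])
    print(role["rules"], binding["roleRef"])
```

Before the first sync, `kubectl auth can-i create deployments -n guestbook --as=system:serviceaccount:guestbook:guestbook-deployer` tells you whether the resolved SA has the verbs the app needs; the point of the feature is that the controller's own cluster-wide credentials are no longer what the sync runs with, so the deployer SA's RBAC is the boundary that matters. If namespace patterns are allowed, an entry with namespace `*` hands the same SA to every destination the project permits, so keep the patterns as narrow as the destinations list.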

Codecov Report

Attention: Patch coverage is 15.78947% with 128 lines in your changes missing coverage. Please review.

Please upload report for BASE (master@e612199). Learn more about missing BASE report.

File                                                 Patch %   Lines
cmd/argocd/commands/project.go                        0.00%    96 missing
cmd/util/project.go                                   0.00%    15 missing
pkg/apis/application/v1alpha1/app_project_types.go   10.00%    8 missing, 1 partial
controller/sync.go                                   79.16%    2 missing, 3 partials
util/settings/settings.go                            66.66%    1 missing, 1 partial
server/settings/settings.go                           0.00%    1 missing
Additional details and impacted files
@@            Coverage Diff            @@
##             master   #17403   +/-   ##
=========================================
  Coverage          ?   55.79%           
=========================================
  Files             ?      316           
  Lines             ?    43943           
  Branches          ?        0           
=========================================
  Hits              ?    24518           
  Misses            ?    16870           
  Partials          ?     2555           


codecov[bot] avatar Mar 20 '24 09:03 codecov[bot]

Happy to see the progress! When is this planned to be released? Any estimation? :)

Ampler92 avatar May 21 '24 16:05 Ampler92

Hello @anandf @jannfis @ishitasequeira @akram

Am I able to get or build an image including this functionality to test it as well?

Thanks for the info :)

Ampler92 avatar Aug 07 '24 13:08 Ampler92

> Hello @anandf @jannfis @ishitasequeira @akram
>
> Am I able to get or build an image including this functionality to test it as well?
>
> Thanks for the info :)

You can try with my test image quay.io/anjoseph/argocd:latest. I have also provided the instructions to build and test the image in the PR description.

anandf avatar Aug 08 '24 09:08 anandf