
Installing the helm chart with argocd results in RepeatedResourceWarning

Open gigi206 opened this issue 1 year ago • 5 comments

Describe the bug

RepeatedResourceWarning
Resource admissionregistration.k8s.io/MutatingWebhookConfiguration//connaisseur-webhook appeared 2 times among application resources.

To reproduce:

  • Install ArgoCD
  • Apply this file (kubectl apply -f )
project: default
source:
  repoURL: 'https://sse-secure-systems.github.io/connaisseur/charts'
  targetRevision: 1.4.3
  helm:
    parameters:
      - name: deployment.replicasCount
        value: '1'
  chart: connaisseur
destination:
  server: 'https://kubernetes.default.svc'
  namespace: connaisseur
syncPolicy:
  syncOptions:
    - CreateNamespace=true
    - PruneLast=true

gigi206 avatar Aug 22 '22 19:08 gigi206

@gigi206 Besides the error message, what happens to the Connaisseur resources? Does anything spin up? Do you see any errors?

xopham avatar Aug 23 '22 07:08 xopham

This issue is most likely due to helm.sh/hooks. Argo should change them to Argo hooks, but it seems that's not the case; hence, it tries to install the webhook twice.

If you can change the Helm chart, since there's no way to configure it yet on the original one, just change the hooks for PreSync and PostSync as well as fix the hook for deletion after completion. Should work just fine.

Keep in mind that the "duplicated" resource is necessary according to ADR-5, in which the hook is in a "disarmed" state after removing resources, meaning that it doesn't have to admit itself. The webhook is then "rearmed" after the helm update.

williamokano-dh avatar Aug 23 '22 14:08 williamokano-dh
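A pre-flight check for the duplicate discussed in this thread, as an added example that is not part of the original comments or of the Connaisseur chart: it groups rendered manifests by the group/kind/namespace/name key seen in the warning text and lists each copy's `helm.sh/hook` values. It assumes the manifests are already parsed into dicts (for example from `helm template` output); the sample hook values and the `connaisseur-svc` Service are constructed, and the table covers only the four Helm hooks that Argo CD documents as PreSync or PostSync.

```python
from collections import defaultdict

# Helm hooks with a documented Argo CD sync-phase equivalent (assumed table).
HELM_TO_ARGO = {
    "pre-install": "PreSync", "pre-upgrade": "PreSync",
    "post-install": "PostSync", "post-upgrade": "PostSync",
}

def resource_key(m):
    """group/kind/namespace/name, the form shown in the warning text."""
    api = m.get("apiVersion", "")
    group = api.split("/")[0] if "/" in api else ""  # core group is empty
    meta = m.get("metadata") or {}
    return f"{group}/{m.get('kind', '')}/{meta.get('namespace', '')}/{meta.get('name', '')}"

def helm_hooks(m):
    """Hook names from the helm.sh/hook annotation, or [] if absent."""
    ann = (m.get("metadata") or {}).get("annotations") or {}
    return [h.strip() for h in ann.get("helm.sh/hook", "").split(",") if h.strip()]

def repeated_resources(manifests):
    """Map each key that occurs more than once to the hook list of every copy."""
    seen = defaultdict(list)
    for m in manifests:
        seen[resource_key(m)].append(helm_hooks(m))
    return {k: v for k, v in seen.items() if len(v) > 1}

def report(manifests):
    """One warning-style line per repeated key, then one line per copy."""
    lines = []
    for key, copies in repeated_resources(manifests).items():
        lines.append(f"Resource {key} appeared {len(copies)} times among application resources.")
        for i, hooks in enumerate(copies, 1):
            mapped = sorted({HELM_TO_ARGO[h] for h in hooks if h in HELM_TO_ARGO})
            unmapped = [h for h in hooks if h not in HELM_TO_ARGO]
            lines.append(f"  copy {i}: helm={hooks} argo={mapped} unmapped={unmapped}")
    return lines

# Constructed sample: hook values are illustrative, not copied from the chart.
def webhook_copy(hook):
    return {"apiVersion": "admissionregistration.k8s.io/v1",
            "kind": "MutatingWebhookConfiguration",
            "metadata": {"name": "connaisseur-webhook", "annotations": {"helm.sh/hook": hook}}}

SAMPLE = [webhook_copy("post-install, post-upgrade"), webhook_copy("pre-delete"),
          {"apiVersion": "v1", "kind": "Service",
           "metadata": {"name": "connaisseur-svc", "namespace": "connaisseur"}}]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Copies whose hooks all land in the `unmapped` column are the ones to review by hand before syncing.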

> @gigi206 Besides the error message, what happens to the Connaisseur resources? Does anything spin up? Do you see any errors?

It works very well but has this message in ArgoCD, and I would like to know if this is a problem with the chart ;) But it seems to be an ArgoCD issue with hooks :(

gigi206 avatar Aug 23 '22 16:08 gigi206

@williamokano-dh Is there any change required on the Connaisseur side to improve rollout with ArgoCD?

xopham avatar Aug 26 '22 15:08 xopham

Hi @xopham, technically ArgoCD should convert the Helm hooks into ArgoCD hooks, but they mention on their page that they don't support post-delete hooks, so I suppose it doesn't translate to any ArgoCD hooks, and there's no effect on the Chart.

I saw somewhere in the docs that there's a flag for Azure Container Registry, since it has different behaviour, but I couldn't find this flag in the values.yaml file.

I suppose that adding a flag to the values.yaml, such as isArgoCD, or similar, could alleviate the problem, but can cause some vendor lock-in/manual configuration that could go unnoticed. I'm not quite sure how to properly address this issue.

I hardcoded the Argo hooks in a copy of the charts and I've been using it on my staging environment for some time, and it's working just fine.

Just for the sake of the example, I updated it to use the flag from the values.yaml as well.

https://github.com/williamokano-dh/connaisseur/blob/williamokano-dh-patch-1/helm/values.yaml#L4

https://github.com/williamokano-dh/connaisseur/blob/williamokano-dh-patch-1/helm/templates/certificate_webhook-conf.yaml#L32-L37

https://github.com/williamokano-dh/connaisseur/blob/williamokano-dh-patch-1/helm/templates/certificate_webhook-conf.yaml#L67-L71

What do you think? Would it be OK to do this?

williamokano-dh avatar Aug 29 '22 11:08 williamokano-dh