feat: Expose OPA warnings to ArgoCD UI #11856
Conversation
Signed-off-by: Sergey-Kizimov <sergey.kizimov@hiya.com>
Any plans to merge/release it in the near future?
@soanni86 I'm advocating to get Intuit time for reviewing this by 2.7 RC1.
Got it approved, just waiting for the review ticket to make it into one of my sprints.
@Sergey-Kizimov I was trying to validate the changes in my local, however, the manifest still gets synced with a warning. Not sure if my Admission Review spec is correct. Can you provide the OPA policy spec for testing?
@ashutosh16 do you mean "synced without a warning"? I think the expectation is that the sync happens, you just get a warning in the UI.
I used the following OPA manifests:
warnings.rego
@ashutosh16 Do you need any help?
@Sergey-Kizimov Sorry for the delayed response, I tried to verify in my local setup but couldn't see the warning, not sure if my configuration is bad. Would you have some time to do a quick Zoom? I'm available in CNCF Slack with handle @ashutosh
@Sergey-Kizimov I'm able to verify the changes in my local. However, I would need some more explanation on the feature.
opa.mov
I'd suggest we should persist the sync result in the App condition or display it as a warning icon on the resource in Tree View.
I agree that it's weird for the warning to apply on only one sync. But how would we know whether the warning still applies for subsequent syncs?
In this scenario, Argocd's warning message depends on Kubernetes reporting the message back to Argocd. It does not fit in this case because subsequent sync actions do not yield warning messages to argocd/kubectl. I'm not certain if this is an implicit behavior of the opa/validation webhook.
I think it's easy to store the warning message, I'm just not sure how to clear it when it's no longer relevant, because Argo CD has no insight into whether the warning is still relevant (as far as I know).
This is the expected behavior for the OPA, the kube-api server does not send a request to the OPA if the resource is not changed.
Here is the next step we can do to get this PR merged. The PR warns the end-user when an OPA warning is generated; however, it gets confusing when the resource is not modified and the no-ops sync warning is lost. I think it'd be better to log the warning in the audit log in case users want to audit and track the changes.
@ashutosh16, thank you, I can do that
@Sergey-Kizimov I had one concern on the gitops-engine PR. Otherwise lgtm!
What is the situation? I hope this feature will be here soon.
Closes #9256
Description
This PR implements exposing OPA warnings in the Argo CD UI.
The changes depend on a gitops-engine PR.
Warnings in the ArgoCD UI will look like this:
Probably makes sense to add a warning icon to affected resources, but I need some assistance with this.