Initial ApplicationSet

[Thijmen]

Hi there,

First and foremost: thank you for this tool! I like it and I think it works pretty well, however there's something I'd like to run by you.

My ArgoCD cluster has one initial ApplicationSet, which looks more or less like this;

---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: apps
  labels:
    app: apps
spec:
  goTemplate: true
  generators:
    - git:
        repoURL: git@github.com:Thijmen/some-argocd.git
        revision: HEAD
        files:
          - path: k8s/core/**/config.json
          - path: k8s/infra/**/config.json
          - path: k8s/services/**/config.json
  template:
    metadata:
      name: apps-{{ normalize (index .path.segments 1) }}-{{ normalize (index .path.segments 2) }}
      labels:
        app: apps
    spec:
      project: default
      syncPolicy:
        automated:
          prune: true
      destination:
        name: in-cluster
        namespace: argocd
      source:
        repoURL: git@github.com:Thijmen/some-argocd.git
        targetRevision: HEAD
        path: "{{ .path.path }}"

So what happens now with the following workflow:

name: Argo CD Diff Preview

on:
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

    steps:
      - uses: actions/checkout@v4
        with:
          path: pull-request

      - uses: actions/checkout@v4
        with:
          ref: main
          path: main
      - name: Prepare secrets
        run: |
          mkdir secrets
          cat > secrets/secret.yaml << EOF
          apiVersion: v1
          kind: Secret
          metadata:
            name: private-repo
            namespace: argocd
            labels:
              argocd.argoproj.io/secret-type: repo-creds
          stringData:
            type: git
            url: git@github.com/${{ github.repository }}
            sshPrivateKey: |
          $(echo "${{ secrets.REPO_ACCESS_SSH_PRIVATE_KEY }}" | sed 's/^/    /')
          EOF

      - name: Generate Diff
        run: |
          docker run \
            --network=host \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v $(pwd)/main:/base-branch \
            -v $(pwd)/pull-request:/target-branch \
            -v $(pwd)/secrets:/secrets \
            -v $(pwd)/output:/output \
            -e TARGET_BRANCH=refs/pull/${{ github.event.number }}/merge \
            -e REPO=${{ github.repository }} \
            dagandersen/argocd-diff-preview:v0.1.22 \
            --debug

      - name: Post diff as comment
        run: |
          gh pr comment ${{ github.event.number }} --repo ${{ github.repository }} --body-file output/diff.md --edit-last || \
          gh pr comment ${{ github.event.number }} --repo ${{ github.repository }} --body-file output/diff.md
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

If I create a valid app in k8s/services/test/app.yml - the tool shows it's going to add an app. However - this is incorrect, due to my filter for config.json. Is there any way to make that work with this tool too?

[Thijmen]

What I've done is, I put the applicationset as bootstrap.yaml and provided --file-regex '^bootstrap/applicationset\.yaml$' \ to the workflow. That seems to work - but is this the right thing to do?

Edit: unfortunately, that did not work - I assume because it tries to fetch everything from "HEAD" - as opposed to the latest commit (of that PR in that case). What is the best option here?

[dag-andersen]

Hi @Thijmen!

First and foremost: thank you for this tool!

No problem!! 🚀

Just to clear up some assumptions. Can I assume that both the ApplicationSet, apps, and the GitHub workflow are stored in the so-called Thijmen/some-argocd repo? :)

If I create a valid app in k8s/services/test/app.yml - the tool shows it's going to add an app. However - this is incorrect, due to my filter for config.json. Is there any way to make that work with this tool too?

If you create an Argo CD Application in k8s/services/test/app.yml, the Application will be rendered (and shown as "added"). Not because of the ApplicationSet, but just because argocd-diff-preview finds it in the local file system.

The tool assumes that you want to render all the changed apps in the repo (not only those managed by ApplicationSets). The Application may not be deployed by your cluster, but argocd-diff-preview has no way of knowing which apps you will deploy and which you won't. So it just assumes that you don't store Applications in your repo that are not going to be deployed.

What I've done is, I put the applicationset as bootstrap.yaml and provided --file-regex '^bootstrap/applicationset.yaml$' \ to the workflow. That seems to work - but is this the right thing to do?

It depends on what you are trying to do :) If you only want to render that single ApplicationSet and nothing else, then yes, I would use one of the Application selectors [docs] - and here I think the --file-regex should work fine (otherwise something is wrong 🤔).

I assume because it tries to fetch everything from "HEAD" - as opposed to the latest commit (of that PR in that case). What is the best option here?

Each application is rendered twice: once on your base branch (main) and once on your target branch (PR), and each will have a different revision/targetRevision. You can read more information about it [here].

I hope that clarified a few things. Let me know if you have any further questions :)

[Thijmen]

Just to clear up some assumptions. Can I assume that both the ApplicationSet, apps, and the GitHub workflow are stored in the so-called Thijmen/some-argocd repo? :)

Yes, that's correct!

It is clear to me that I don't need to tinker around with the revision/targetRevision: however, is that also the case for my case?

It seems I do everything correct - but for example a new image.tag of a helm chart (and thus a deployment gets updated) is not to be seen - how can I debug this to find out where the culprit lies?

[dag-andersen]

It seems I do everything correct - but for example a new image.tag of a helm chart (and thus a deployment gets updated) is not to be seen - how can I debug this to find out where the culprit lies?

@Thijmen Unfortunately that is hard for me to answer, since I don't know your structure and where this image tag is set.

However, here are a few debugging suggestions:

1. Enable debug logging with --debug - this will show you (print) exactly which Applications/ApplicationSets are being discovered, and how they're being patched. (It might be a bit hard to understand the logs, but at least you can verify that some "patching" is happening)

2. Mount the temp folder and check what apps are being rendered. If you run the container with -v $(PWD)/temp:/temp and --debug, you will see these two files: ./temp/base-branch.yaml and ./temp/target-branch.yaml. These contain all the applications that are going to be rendered for each branch. If you changed anything in any of these apps, you should be able to see them there.