feat: Add ignore-resources-tracking annotation to ignore resources update

[kahoulei]

This is the enhancement request to allow user ignore any resource update.

Previously we have a feature ignoreResourceUpdatesEnabled which allow user to ignore certain part of the resource manifest. But that feature does not fulfill the use case of newly created object.

When an dependent object is created, there is no old manifest to compare and therefore we always refresh in such case. This is wasting a lot of compute cycle if a cluster has a lot of dependent objects (e.g. jobs and pods created by cronjobs).

Instead, this PR introduces an annotation argocd.argoproj.io/ignore-resources-tracking so that user can use it on a specific resource and argocd can completely ignore it.

Also, this annotation will only work behind the same ignoreResourceUpdatesEnabled flag.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[kahoulei]

cc @agaudreault

[agaudreault]

I would keep the same terminology. resource tracking means it does not show up in Argo UI and this would lead to confusion

Suggested change

	AnnotationIgnoreResourcesTracking = "argocd.argoproj.io/ignore-resources-tracking"
	AnnotationIgnoreResourcesUpdate = "argocd.argoproj.io/ignore-resources-update"

[agaudreault]

I think we can save memory here and just have a bool instead. annotations like kubectl.kubernetes.io/last-applied-configuration can end up consuming a lot if you consider the number of resources argo watches

[agaudreault]

I think you should ignore only if the health status did not change.

[agaudreault]

I don't think the debug message adds much information. I would either leave it as-is, or perhaps add a log field with the values of the annotation. This way we can query logs to know what was ignored because of annotations.

Suggested change

	}).Debugf("Ignoring change of object because none of the watched resource fields have changed or annotation %v is set to true", AnnotationIgnoreResourcesTracking)
	}).Debug("Ignoring change of object because none of the watched resource fields have changed")

[agaudreault]

@kahoulei Something I was thinking but had not the time to complete was to do the same, but with an "allow" annotation instead of a "ignore". Basically, argocd.argoproj.io/apply-resources-updates: "true". When this annotation is specified, it performs the same logic as we have today: generating the hash based on configuration.

The advantage was that you dont have to always ignore the full resources, but you can laverage the ignoreResourceUpdates configurations.

[kahoulei]

@agaudreault thanks for the review.

If I understand correctly, for the resource that we want to ignore we should set argocd.argoproj.io/apply-resources-updates: "false". Is it correct?

If argocd.argoproj.io/apply-resources-updates: "true", we will just compare the generated hash as is.

[agaudreault]

@agaudreault thanks for the review.

If I understand correctly, for the resource that we want to ignore we should set argocd.argoproj.io/apply-resources-updates: "false". Is it correct?

If argocd.argoproj.io/apply-resources-updates: "true", we will just compare the generated hash as is.

Correct, if the annotation is there and is true, we would generate a hash and compare it later on. If the annotation is false or missing, then we do nothing (like what we have today)

[kahoulei]

If the annotation is false or missing, then we do nothing (like what we have today)

I thought we will generate hash if ignoreResourceUpdatesEnabled is true. So if the annotation is missing, we will generate the hash anyway? (for backward compatibility)

see https://github.com/argoproj/argo-cd/blob/master/controller/cache/cache.go#L507-L514

[kahoulei]

@agaudreault PTAL if you get a chance. Thanks!

[agaudreault]

The code can be simplified by just checking this at the end of shouldHashManifest method.
If the shouldHashManifest return true because the annotations is present for an untracked resource, then it will take the same codepath as current behavior for tracked resources.

No need to update the ResourceInfo, store booleans or annotations.

[kahoulei]

@agaudreault updated with your suggestion.

One additional change in skipResourceUpdate: since we are not going to generate hash and therefore the logic of isSameManifest need to change. So PTAL.

[agaudreault]

We simply cannot generate a hash by default or skip the resources updates for all the resources. When the annotation is not defined, the hash should not be generated. If you generate a hash by default for all resource updates, the controller will use a lot more CPU generating hashes than what you will save skipping reconcile.

I also think we should not go in a direction where non-argocd resources must have argocd annotations.

That is why I think the best approach is:

• Generate the hash only if annotation is present and true.
• (already done) Skip the resource updates if the hashes exist and the hashes match OR if the resource does not belong to any application

[codecov]

Codecov Report

Attention: Patch coverage is 90.90909% with 1 line in your changes missing coverage. Please review.

Project coverage is 50.69%. Comparing base (3d77d9c) to head (d5313a1).
Report is 563 commits behind head on master.

Files with missing lines	Patch %	Lines
controller/cache/cache.go	90.90%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #18343      +/-   ##
==========================================
- Coverage   50.69%   50.69%   -0.01%     
==========================================
  Files         315      315              
  Lines       43381    43389       +8     
==========================================
+ Hits        21991    21995       +4     
- Misses      18882    18888       +6     
+ Partials     2508     2506       -2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[kahoulei]

@agaudreault I have added unit tests and they all passed. But the e2e tests are failing and looks like they are not related. Can you help me to take a look? (Sorry I am still not familiar with the e2e tests yet)

[agaudreault]

This condition should not change. If a resource does not have a hash, that means the annotation was not there (or not true), therefore we should not ignore updates.

[kahoulei]

Ok, I misunderstood your intention. So you want is the dependent object set argocd.argoproj.io/apply-resources-update=true and then use the existing ignore resources config to skip refresh. I will update the PR.

[agaudreault]

Logic looks good. Most comments are about terminology and user documentation to polish.

[agaudreault]

Leaking implementation details on the API.

Suggested change

	// AnnotationApplyResourcesUpdate when set to true on a resource that is not tracked under an app, argocd will generate a
	// hash and apply `ignoreResourceUpdate` configuration on it. If the annotation is set to false (or not presented) on a resource
	// that is not tracked under an app, ignoreResourceUpdates configuration will not be applied.
	// AnnotationApplyResourcesUpdate when set to true on an untracked resource,
	// argo will apply `ignoreResourceUpdates` configuration on it.

[agaudreault]

Now that the code is written, I think it will be much easier for users to have the same terminology with the existing feature. wdyt?

Suggested change

	AnnotationApplyResourcesUpdate = "argocd.argoproj.io/apply-resources-update"
	AnnotationIgnoreResourceUpdates = "argocd.argoproj.io/ignore-resource-updates"

[kahoulei]

@agaudreault I think AnnotationApplyResourcesUpdate is more logical to me. AnnotationIgnoreResourceUpdates seems the invert of what we are doing and therefore we need to flip our logic if we rename it.

[agaudreault]

Only one resource

Suggested change

	isTrackedResources := appName != "" || (gvk.Group == application.Group && gvk.Kind == application.ApplicationKind)
	isTrackedResource := appName != "" || (gvk.Group == application.Group && gvk.Kind == application.ApplicationKind)

[agaudreault]

I think the concepts of tracked resources and watched resources here are mixed up. Also the user facing documentation is leaking the implementation.

Suggested change

	## Tracking Dependent Resources
	Dependent resources by default are not being tracked. Therefore, we cannot generate any hash of those objects and utilize
	the `ignoreResourceUpdates` configuration.
	If you want to track the dependent object and apply the `ignoreResourceUpdates` configuration, you can add
	`argocd.argoproj.io/apply-resources-update=true` annotation in the dependent resources manifest:
	## Ignoring updates for untracked resources
	ArgoCD will only apply `ignoreResourceUpdates` configuration to tracked resources of an application. This means dependant resources, such as a `ReplicaSet` and `Pod` created by a `Deployment`, will not ignore any updates and trigger a reconcile of the application for any changes.
	If you want to apply the `ignoreResourceUpdates` configuration to an untracked resource, you can add the
	`argocd.argoproj.io/ignore-resource-updates=true` annotation in the dependent resources manifest.

[agaudreault]

Suggested change

	Then you can update `argocd-cm` configMap to ignore the dependent resources:
	The resource updates will be ignored based on your the `ignoreResourceUpdates` configuration in the `argocd-cm` configMap:

[agaudreault]

Implementation details.

Suggested change

	Note: If you set `argocd.argoproj.io/apply-resources-update: "false"`, no hash will be generated and `ignoreResourceUpdates`
	cannot be applied on those resources.

[kahoulei]

@agaudreault I updated the doc. Thanks.

[agaudreault]

Let's make the name consistent. Make sure to validate all references

Suggested change

	AnnotationIgnoreResourcesUpdate = "argocd.argoproj.io/ignore-resources-update"
	AnnotationIgnoreResourceUpdates = "argocd.argoproj.io/ignore-resource-updates"

[agaudreault]

Code LGTM. Waiting for a before/after graph on an instance with real load before merging

[ronaknnathani]

Glad to see that this feature is being added. We have a case where we run large k8s clusters (~5k nodes) with tens of thousands of pods. Pod updates result in significant reconciliation activity and we are looking to leverage this feature.

A quick question about this change - if let's say updates on /status are ignored for an object like Pods, would the UI not show the latest Pod state in that case or would this only skip the Application reconciliation?

[kahoulei]

A quick question about this change - if let's say updates on /status are ignored for an object like Pods, would the UI not show the latest Pod state in that case or would this only skip the Application reconciliation?

@ronaknnathani the behavior is same as ignoreResourceUpdates feature.

[kahoulei]

Discussed with @agaudreault about load testing. I don't have environment to test it currently. If someone know how to load test it, please leave a comment here so that we can merge it.

[langesven]

Ok so I tested this in our environment because we've been having issues with high CPU load of the application controller and last we looked into it there was quite a bit of reconciliation activity going on due to the numerous CronJob resources we have that trigger quite frequently.
CronJobs spawn Jobs spawn Pods, none of which are really relevant for reconciliation of our resources as far as I'm concerned so this proposed change here seemed to cover our situation quite well.

I created a custom build on top of v2.11.4 as that was what we were running.
Settings diverging from defaults are as follows

  timeout.reconciliation: 300s
  timeout.reconciliation.jitter: 120s
  resource.ignoreResourceUpdatesEnabled: "true"
  resource.customizations.ignoreResourceUpdates.all: |
    jsonPointers:
      - /status
  resource.customizations.ignoreResourceUpdates.ConfigMap: |
    jqPathExpressions:
      # different operators are using this to communicate their leadership
      # it is updated very frequently and causes a lot of noise
      - '.metadata.annotations."control-plane.alpha.kubernetes.io/leader"'
  resource.customizations.ignoreResourceUpdates.autoscaling_HorizontalPodAutoscaler: |
    jsonPointers:
      - /metadata/annotations/autoscaling.alpha.kubernetes.io~1behavior
      - /metadata/annotations/autoscaling.alpha.kubernetes.io~1conditions
      - /metadata/annotations/autoscaling.alpha.kubernetes.io~1metrics
      - /metadata/annotations/autoscaling.alpha.kubernetes.io~1current-metrics
  resource.customizations.ignoreResourceUpdates.apps_ReplicaSet: |
    jsonPointers:
      - /metadata/annotations/deployment.kubernetes.io~desired-replicas
      - /metadata/annotations/deployment.kubernetes.io~max-replicas
      - /metadata/annotations/deployment.kubernetes.io~revision

We used to run at default 3min reconcile window but it made the load even worse and the only reason I'd need it is for ArgoCD to see updates quickly, resources don't really drift often enough for anything else to be relevant. This cluster runs about 750 ArgoCD Applications and captures about 31k resources (argocd_cluster_api_resource_objects) at 6GB memory, 3 CPU request and 12GB memory, no CPU (but node has 4 CPUs) limits for the argocd-application-controller

Baseline (w/o patch)

Patched version with majority of the cronjobs annotated

I didn't run it for super long, I can definitely repeat that if needed. The CPU load didn't go down as much as I hoped it would and I clearly still have an out of memory issue going on, but overall the amount of reconciles dropped in half and the average CPU is slightly less but that could just be random.

If anyone wants to see other graphs/stats or wants a repeat of tests with anything else I can likely set this up.

[agaudreault]

@langesven awesome! thanks for your post! @crenshaw-dev ready to merge. Can you re-trigger the status check. It seems like they failed for an unrelated issue.

[nebojsa-prodana]

Hello, we are impacted heavily by dependent resource-triggered reconciliations. We are observing thousands of pod related reconcile events - this is a serious blocker for future ArgoCD adoption for us as already at about 200 apps spread across a few dozen clusters the extraneous reconciliation events are causing ArgoCD to be very memory hungry. Argocd controller pods are getting OOMKilled with 12GB of RAM given to each of 6 pods.

It'd be great if this can make it into v2.12. 🙏

[crenshaw-dev]

@agaudreault do you think this rephrasing and the slightly clarified annotation key would be better?

[shanilempel]

Any chance this feature can make it into v2.12?

[llavaud]

Hello,
Today I have the following configuration to ignore all updates on status field:

      resource.customizations.ignoreResourceUpdates.all: |
        jsonPointers:
          - /status

There is no way to ignore status update globally for child resources ? I have to set the annotation on every objects ?

[agaudreault]

There is no way to ignore status update globally for child resources ? I have to set the annotation on every objects ?

Yes. Validating this on all resources (and not only on the resources tracked by argo) will simply use too much CPU as most resource's watch event should not cause a reconcile. If they do, you might want to check if you have orphan resources enabled or implement a mutation webhook to add this annotations to all resources of a kind in case they are a bad actor.

[lpugoy]

Hi. I have a question about the shouldHashManifest function. The way I understand it, the hashing will be done for resources that are tracked by Argo CD. If the resource is not tracked, Argo CD will use the value of the annotation argocd.argoproj.io/ignore-resource-updates. But in that case, if the annotation is true then the resource will be hashed. Shouldn't the behavior be to not hash the resource if it is ignored?

From the discussion I can see that it was proposed that the annotation argocd.argoproj.io/apply-resources-updates be used instead. It looks like the logic for that was implemented but the old annotation was kept. I'm not too familiar with the code so maybe this is the correct behavior. Thank you.

[agaudreault]

@lpugoy if the annotation is true, then it will be evaluated against the configured ignoreResourceUpdates, and based on what changed in the update, it may be ignored or not. Whether it is hashed or not is an implementation details that does not need to be surfaced to the end users (but we require to hash resources in order to evaluate the ignore difference).

[lpugoy]

Thanks @agaudreault. Still don't fully understand but thanks for taking a second look. 👍