feat: implement 'argocd admin appset generate' to troubeshoot appsets

[alexmt]

PR implements argocd appset generate that helps troubleshooting appset issues. Examples:

argocd appset generate ~/go/src/github.com/argoproj/argo-cd/applicationset/examples/list-generator/list-

output

- apiVersion: argoproj.io/v1alpha1
  kind: Application
  metadata:
    finalizers:
    - resources-finalizer.argocd.argoproj.io
    name: engineering-dev-guestbook
  spec:
    destination:
      namespace: guestbook
      server: https://kubernetes.default.svc
    project: default
    source:
      path: applicationset/examples/list-generator/guestbook/engineering-dev
      repoURL: https://github.com/argoproj/argo-cd.git
      targetRevision: HEAD
- apiVersion: argoproj.io/v1alpha1
  kind: Application
  metadata:
    finalizers:
    - resources-finalizer.argocd.argoproj.io
    name: engineering-prod-guestbook
  spec:
    destination:
      namespace: guestbook
      server: https://kubernetes.default.svc
    project: default
    source:
      path: applicationset/examples/list-generator/guestbook/engineering-prod
      repoURL: https://github.com/argoproj/argo-cd.git
      targetRevision: HEAD

argocd appset generate ~/go/src/github.com/argoproj/argo-cd/applicationset/examples/git-generator-directory/git-directories-example.yaml

output

- apiVersion: argoproj.io/v1alpha1
  kind: Application
  metadata:
    finalizers:
    - resources-finalizer.argocd.argoproj.io
    name: argo-workflows
  spec:
    destination:
      namespace: argo-workflows
      server: https://kubernetes.default.svc
    project: my-project
    source:
      path: applicationset/examples/git-generator-directory/cluster-addons/argo-workflows
      repoURL: https://github.com/argoproj/argo-cd.git
      targetRevision: HEAD
    syncPolicy:
      syncOptions:
      - CreateNamespace=true
- apiVersion: argoproj.io/v1alpha1
  kind: Application
  metadata:
    finalizers:
    - resources-finalizer.argocd.argoproj.io
    name: prometheus-operator
  spec:
    destination:
      namespace: prometheus-operator
      server: https://kubernetes.default.svc
    project: my-project
    source:
      path: applicationset/examples/git-generator-directory/cluster-addons/prometheus-operator
      repoURL: https://github.com/argoproj/argo-cd.git
      targetRevision: HEAD
    syncPolicy:
      syncOptions:
      - CreateNamespace=true

argocd appset generate ~/go/src/github.com/argoproj/argo-cd/applicationset/examples/pull-request-generator/pull-request-example.yaml

failed output

ERRO[0000] error generating params                       error="failed to select pull request service provider: error fetching Secret token: error fetching secret /github-token: an empty namespace may not be set when a resource name is provided" generator="&{0x1400128d170 0x104833710 { [] true 0x1400126b1d0}}"
ERRO[0000] error generating application from params      error="failed to select pull request service provider: error fetching Secret token: error fetching secret /github-token: an empty namespace may not be set when a resource name is provided" generator="{nil nil nil nil nil &PullRequestGenerator{Github:&PullRequestGeneratorGithub{Owner:myorg,Repo:myrepo,API:https://git.example.com/,TokenRef:&SecretRef{SecretName:github-token,Key:token,},AppSecretName:,Labels:[preview],},GitLab:nil,Gitea:nil,BitbucketServer:nil,Filters:[]PullRequestGeneratorFilter{},RequeueAfterSeconds:nil,Template:ApplicationSetTemplate{ApplicationSetTemplateMeta:ApplicationSetTemplateMeta{Name:,Namespace:,Labels:map[string]string{},Annotations:map[string]string{},Finalizers:[],},Spec:ApplicationSpec{Source:nil,Destination:ApplicationDestination{Server:,Namespace:,Name:,},Project:,SyncPolicy:nil,IgnoreDifferences:[]ResourceIgnoreDifferences{},Info:[]Info{},RevisionHistoryLimit:nil,Sources:[]ApplicationSource{},},},Bitbucket:nil,AzureDevOps:nil,} nil nil nil nil}"
Error: failed to select pull request service provider: error fetching Secret token: error fetching secret /github-token: an empty namespace may not be set when a resource name is provided

[bunnyshell]

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

• 🚀 /bns:deploy to deploy the environment

[bunnyshell]

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

• 🚀 /bns:deploy to deploy the environment

[codecov]

Codecov Report

Attention: Patch coverage is 3.79747% with 76 lines in your changes missing coverage. Please review.

Project coverage is 55.80%. Comparing base (9af0ff5) to head (49b7245).
Report is 492 commits behind head on master.

Files with missing lines	Patch %	Lines
cmd/argocd/commands/applicationset.go	0.00%	50 Missing ⚠️
server/applicationset/applicationset.go	12.00%	22 Missing ⚠️
cmd/argocd-server/commands/argocd_server.go	0.00%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #19518      +/-   ##
==========================================
- Coverage   55.87%   55.80%   -0.08%     
==========================================
  Files         316      320       +4     
  Lines       43794    43980     +186     
==========================================
+ Hits        24471    24541      +70     
- Misses      16775    16887     +112     
- Partials     2548     2552       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[todaywasawesome]

@alexmt Part of the implementation here is with an embedded repo server, can you share how that works?

[daftping]

I wonder how this command differs from a recently merged similar PR.
#16781

[pasha-codefresh]

Amazing feature. Thank you Alex, just few small comments

[agaudreault]

I feel like this does not make a lot of sense under the admin commands. Maybe argocd appset template ./appset.yaml -o yaml would make more sense. Take a look at #16781, that has prior work to implement this feature.

[alexmt]

Agree - moved command to argocd appset generate. I've choosen to name it generate , however don't have strong opinion . Please let me know what you think

[alexmt]

@agaudreault, @daftping, Thanks for letting me know about argocd appset create --dry-run #16781! I did not know it was implemented.

My main goal is to enable customers to troubleshoot application sets. Pros of argocd admin appset generate:

• Command prints all related logs if app generation fails - currently we often have to check applicationset controller logs to understand what went wrong. ApplicationSet status is not enough
• Command prints YAML of generated applications - this enables user verify that appset is working as expected
• Command allows using local git repos using file:///<path>/<to>/<repo> (embedded repo server)

Cons:

• argocd admin appset generate works only for admins, while argocd admin appset generate works for everyone
• the argocd admin appset generate is already there so it is confusing to introduce another command

I propose to improve argocd appset create --dry-run to return error logs (if any ) and the list of generate argocd apps. We won't be able to use local git repos but it is anyway nice to have feature. If no objections I would close this PR and work on argocd appset create --dry-run improvements in another PR.

[agaudreault]

@alexmt sounds good to me! Last time I looked at it, I chose not to return the full templated app so i wouldn't change the return type of the create. By default, it won't return the template when it is not a dry run because they are generated async. I didn't want to have the create returns false results.

I think it would be better to introduce a new template command that would return the appset and the templates of generated apps. And if a name is provided instead of a file, it returns the actual data.

That was my state of mind as far as i can recall, but I'll let you judge what's best when you get in the code!

[kencochrane]

@alexmt I think closing this one and adding improvement to argocd appset create --dry-run make sense. Thank you

[alexmt]

Updated the PR with new implementation (instead of closing and reopening). The PR introduces argocd appset generate command that uses new API to generate applications/get generation error.

PTAL @agaudreault , @pasha-codefresh

[alexmt]

Change is required if user is trying to generate appset with non default project (or create with --dry-run=true flag)

[pasha-codefresh]

why not return error and build error message on cli , base on this error ? In any case you will need process error on client part, to show reasonable error when request or permissions are incorrect, i think it will be more consistent to do it also when you cant generate applications

[alexmt]

Makes sense. ErrorLog just duplicates error - removed it.

[pasha-codefresh]

LGTM, just left small comment

[agaudreault]

Nice! ❤️ Few small comments, nothing major :)

[agaudreault]

Clarify that we are only generating the rendered templates and not the apps themselves

Suggested change

	Short: "Generate apps of ApplicationSet",
	Short: "Generate apps of ApplicationSet rendered templates",

[alexmt]

thank you, applied!

[agaudreault]

Suggested change

	err := fmt.Errorf("Error generating aps for ApplicationSet %s. ApplicationSet does not have Name field set", appset)
	err := fmt.Errorf("Error generating apps for ApplicationSet %s. ApplicationSet does not have Name field set", appset)

[alexmt]

accepted suggesion

[agaudreault]

More of a question, but why are you overriding the version and kind? This should already be provided in the response object no? The client could be outdated locally and have a different ApiVersion. I think it would be better to use the value provided by the server.
Maybe adding a comment with the explanation if necessary would help future contributors.

[alexmt]

This is due to a strange behavior of go k8s client. For some reason it drops apiVersion/kind . We have to do the same workaround in other places. Example:

argo-cd/cmd/argocd/commands/app_actions.go

Line 225 in 7cf5ed0

app.Kind = application.ApplicationKind

[agaudreault]

What about RBAC for this call? It may allow to discover cluster secrets, private repos, etc. Should we restrict this to people with the "create" rbac?

[alexmt]

Agree - user must have "create" RBAC to see generated apps. I've added a check here:

argo-cd/server/applicationset/applicationset.go

Line 383 in 4cbb1a9

if err := s.checkCreatePermissions(ctx, appset, projectName); err != nil {

[alexmt]

I've addressed your comments @agaudreault, thank you! PTAL

[agaudreault]

@alexmt missing a run of codegen, then good to go 🚀

[alexmt]

@agaudreault done!