Add more detailed parameters to resource.exclusions

[h3poteto]

Summary

Add name, annotations or labels parameter to resource.exclusions argument.

Motivation

I want to exclude some Job resources, so I tried to set resource.exclusions:

apiVersion: v1
data:
  resource.exclusions: |
    - apiGroups:
      - "batch"
      kinds:
      - "Job"
      clusters:
      - "*"
kind: ConfigMap

But this parameter can only specify apiGroup, kinds and clusters, so it ignores all Job resources. I don't ignore all Job resources, I want to exclude only specific Jobs.

Next, I tried to specify argocd.argoproj.io/hook: Skip to the Jobs. This is the desired behavior, but the application status is missing and OutOfSync.

Proposal

Add name, annotations or labels to FilteredResource, and implement match functions.
https://github.com/argoproj/argo-cd/blob/476b09cbbf/util/settings/filtered_resource.go

[LeartBeqiraj]

Is this supported yet?

[unknownbanana]

We have a use-case for this feature-request.

We're trying to manage a Istio/Maistra controlplane namespace with ArgoCD. However, the Istio/Maistra operator creates NetworkPolicies and RoleBindings for several namespaces in the ControlPlaneServiceMesh. ArgoCD then detects these resources and will mark them as OutOfSync.

This is undesired behavior, since the Istio/Maistra operator is responsible for generating the resources, and since we cannot configure this behavior per namespace would have to resort to exclude all RoleBindings.

If ArgoCD would allow for exclusion based on annotations then we would be able to exclude the generated resources from ArgoCD Syncing without sacrificing current behavior where Argo Syncs RoleBindings for us.

[phj-incom]

Any updates on this? I am using kyverno to replicate resources in other namespaces, and this is causing argocd to show the generated objects as out of sync.

[AurimasNav]

Would be really nice to have for all these 3rd party product operators that do not care much about gitops style deployments (like gihtub itself: actions/actions-runner-controller#3533).

[agaudreault]

Reading all the comments above, this feature is mainly used to improve argo performance by watching less resources that are not required to show in the UI (things like Endpoints, EndpointSlice, kyverno PolicyReport, etc.) and are never expected to be created as code, such as resources created by Kubernetes controller.

If an Argo Application detects these resources and they are OutOfSync state, that would mean that these resources desired state is in git, or they are wrongly configured with the tracking method argo is configured with, but their real desired state is what the controller applies. If they are in git, but they are expected to be created and managed by a controller, you should remove them from git (with kustomize patch delete if you are using kustomize). If you want to define them partially in git, but the controller overrides some necessary initial configurations, the ignoreDifferences can be configured on the Application so the resources appear in the UI, but not out of sync. If they are caused by the tracking method, it is highly suggested to configure the tracking by annotation. If the controller adds that annotation to the object it creates, the controller behavior will need to be fixed.

[unknownbanana]

Reading all the comments above, this feature is mainly used to improve argo performance by watching less resources that are not required to show in the UI (things like Endpoints, EndpointSlice, kyverno PolicyReport, etc.) and are never expected to be created as code, such as resources created by Kubernetes controller.

If an Argo Application detects these resources and they are OutOfSync state, that would mean that these resources desired state is in git, or they are wrongly configured with the tracking method argo is configured with, but their real desired state is what the controller applies. If they are in git, but they are expected to be created and managed by a controller, you should remove them from git (with kustomize patch delete if you are using kustomize). If you want to define them partially in git, but the controller overrides some necessary initial configurations, the ignoreDifferences can be configured on the Application so the resources appear in the UI, but not out of sync. If they are caused by the tracking method, it is highly suggested to configure the tracking by annotation. If the controller adds that annotation to the object it creates, the controller behavior will need to be fixed.

For us there was no desired state in git, since the resources were generated based on a CRD. Yet Argo still picked up the generated resources and marked them as OutOfSync. We cannot be expected to have all resources in git at all times especially with controllers that generate resources based on CRs.

[agaudreault]

@unknownbanana Can you validate that the resources created by the controllers, that are not in git, don't contain the configured Argo Tracking label/annotations?

The fix here is to configure your deployed resources not to conflict with argo internal tracking and/or configure argo to use tracking by annotations.

Closing the issue because it can be resolved with existing configurations.