Skip to content

Argo CD : checksum support for the install url #12266

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Argo CD : checksum support for the install url #12266

wants to merge 1 commit into from
+26 −17

Conversation

voondo
Copy link

@voondo voondo commented May 28, 2025
edited
Loading

What type of PR is this?
/kind bug

What this PR does / why we need it:
It allows the argocd deployment which was broken.

Which issue(s) this PR fixes:
Fixes #12223

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Add argocd_install_checksum: str, to define the checksum of `argocd_install_url`

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels May 28, 2025
@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented May 28, 2025
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

  • ✅ login: voondo / name: Romain Lalaut (149e20d)

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label May 28, 2025
@k8s-ci-robot k8s-ci-robot requested review from ErikJiang and mzaian May 28, 2025 14:55
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: voondo
Once this PR has been reviewed and has the lgtm label, please assign ant31 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot
Copy link
Contributor

Welcome @voondo!

It looks like this is your first PR to kubernetes-sigs/kubespray 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kubespray has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 28, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @voondo. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@voondo voondo force-pushed the argocd-checksum branch from 889a898 to e07339b Compare May 28, 2025 14:59
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels May 28, 2025
@ErikJiang
Copy link
Member

I noticed that there are no tests related to enabling ArgoCD in tests/files.
Would you like to add some?

@yankay
Copy link
Member

yankay commented May 29, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 29, 2025
@tico88612
Copy link
Member

tico88612 commented May 30, 2025
edited
Loading

At most, it can be related #12223, but not fixed.
Because there is still no checksum here.

@voondo voondo force-pushed the argocd-checksum branch from e07339b to 060210d Compare May 30, 2025 08:26
@voondo
Copy link
Author

voondo commented May 30, 2025

@tico88612 is it better now ?

@ErikJiang I'm not sure how to add a test for that. Add a file like this ?

# tests/files/debian12-argocd.yml
cloud_image: debian-12
argocd_enabled: true

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels May 30, 2025
@voondo voondo changed the title roles/kubernetes-apps/argocd/tasks/main.yml : sha256 to checksum Argo CD : checksum support for the install url May 30, 2025
@tico88612
Copy link
Member

@voondo NACK.
You should add the checksum in roles/kubespray-defaults/defaults/main/checksums.yml, and add the download information in roles/kubespray-defaults/defaults/main/download.yml

FYI: #11763

@voondo voondo force-pushed the argocd-checksum branch from 060210d to 739882f Compare May 30, 2025 09:23
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 30, 2025
@voondo
Copy link
Author

voondo commented May 30, 2025

@tico88612 done

@voondo voondo force-pushed the argocd-checksum branch from 739882f to 149e20d Compare May 30, 2025 09:57
spantaleev added a commit to spantaleev/kubespray that referenced this pull request Jun 5, 2025
@spantaleev
Do not choke if the download_file task is invoked without a checksum
626795e 
Previously (before 800c84d),
`download_file` tasks were invoked with a `sha256` (not a `checksum` parameter)
and if not provided, downloads were done without verifying checksums.

That patch changed things (`sha256` -> `checksums`), but it seems like unintentionally
also made `checksum` required (no more `omit` fallbacks).
At least some invocations of `download_file` do not provide a `checksum`, as reported
here (for the ArgoCD addon): kubernetes-sigs#12223

The failure behavior is also appaling, because the download task (which references `checksum`)
has `no_log` enabled by default (via the `unsafe_show_logs` variable, defaulting to `false`),
so users would see a failing download, but could not easily figure out that it's actually an "undefined variable" error.

While checksum support for ArgoCD is being added in kubernetes-sigs#12266
it's probably better to restore the ability to invoke `download_file` without `checksum`, so that:

- any other current no-`checksum` callers (like ArgoCD) would be instantly made to work again
- any future calls without `checksum` would work, and not choke silently (due to `no_log`)
@spantaleev spantaleev mentioned this pull request Jun 5, 2025
Closed
@ErikJiang
Copy link
Member

@voondo I don't think we need to add a new file for this.
We could simply add argocd_enabled: true to the existing test file at:
https://github.com/kubernetes-sigs/kubespray/blob/master/tests/files/debian12-cilium.yml

@tico88612 What do you think?

VannTen
VannTen reviewed Jun 13, 2025
View reviewed changes
roles/kubespray_defaults/vars/main/checksums.yml
Comment on lines +1359 to +1361
argocd_install_checksums:
no_arch:
2.14.5: sha256:247ccda29c9faac4e0c8598680f5ebefff9911e957e3aeaf838eb4bbf455f2f4
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If possible, could you wire this up in scripts/components_hash_update ? So that we have a way to automate the hash update (see scripts/get_node_ids.sh to get the graphql ID)

@tico88612 tico88612 mentioned this pull request Jun 20, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@VannTen VannTen VannTen left review comments

@ErikJiang ErikJiang Awaiting requested review from ErikJiang

@mzaian mzaian Awaiting requested review from mzaian

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ArgoCD manifests fails to download because of missing checksum
6 participants
@voondo @k8s-ci-robot @ErikJiang @yankay @tico88612 @VannTen