Spaces can not properly be created by ArgoCD, resources show as OutOfSync

[juv]

Hello,

I try to create acccounts and spaces in a GitOps way with ArgoCD (version 2.0.0).
To me it looks like the Space and also implicitly the namespace for that Space is created successfully by ArgoCD:

> kubectl get space johns-space
NAME          OWNER           CREATED AT
johns-space   johns-account   2021-06-16T10:25:39Z

> kubectl get namespace johns-space
NAME          STATUS    AGE
johns-space   Active    5m41s

The problem is that ArgoCD can not recognize the live manifest of the Space resource and shows that the resource is OutOfSync and disappears from the ArgoCD web ui occasionally:

The same problem occured when I tried to add an Account from resource tenancy.kiosk.sh/Account. When using the config.kiosk.sh/Account resource, ArgoCD can sync the resources and ends up in Sync ok state.

The documentation outlines that tenancy.kiosk.sh is some kind of virtual api extension and is not persisted to etcd.

Any idea on how to fix this problem?

[FabianKramm]

@juv thanks for creating this issue! I assume the problem is that kiosk currently does not support watch on spaces and accounts (you can see that via kubectl get spaces --watch which will produce an error), but ArgoCD requires that to check resource status. As a workaround you can create namespaces that use a label kiosk.sh/account: account-name for now, but we'll implement the watch endpoint soon which should fix this issue

[FabianKramm]

@juv we just released v0.2.8-beta.0 which adds support for watching spaces and accounts. Would be great if you could verify if your problem is fixed with that version

[juv]

@FabianKramm thanks for the quick response! I will give an update asap.

Two more questions for general clarification on how to create accounts and spaces in a GitOps fashion:
If I want ArgoCD to create Kiosk accounts, would I rather create a tenancy.kiosk.sh/Account or config.kiosk.sh/Account resource?

If tenancy.kiosk.sh is not persisted in etcd, how will a tenancy.kiosk.sh/Account or tenancy.kiosk.sh/Space "survive"/be available after Kiosk pod was rescheduled, crashed, etc.?

[FabianKramm]

@juv for accounts it does not really matter, you can use either tenancy.kiosk.sh/Account or config.kiosk.sh/Account as the tenancy one just maps 1:1 to the config one. However, if kiosk for some reason is unavailable, you can still use the config one while you cannot use the tenancy one anymore, so this would be a slight advantage.

The way it works is basically that kiosk rewrites an existing and persisted Namespace or config Account into a Space or tenancy Account. This "conversion" is completely stateless and required information for conversion is stored on the persisted object itself (like the account label on a namespace for example), so it doesn't matter if you have multiple replicas of kiosk running, a pod was restarted or rescheduled. In general, these virtual resources have the advantage that kiosk can inject custom logic like creating resources on space creation or filtering spaces you are not allowed to see in a list operation etc.

[juv]

@FabianKramm it looks like the version v0.2.8-beta.0 fixes this problem!
Logs and ArgoCD events look good.

[FabianKramm]

@juv great, thanks for your confirmation!