Description
Hey,
I've deployed Harbor with ArgoCD. I receive several notifications that Harbor has been successfully synced, even though nothing has been changed.
I spent some time analyzing the issue and found that the chart has some defaults implemented to generate random alphanumeric strings. For example, in core-secret.yaml:
```yaml
{{- if not .Values.core.existingSecret }}
  secret: {{ .Values.core.secret | default (include "harbor.secretKeyHelper" (dict "key" "secret" "data" $existingSecret.data)) | default (randAlphaNum 16) | b64enc | quote }}
{{- end }}
```
Every time ArgoCD renders the helm chart, there is a new generic alphanumeric value. This causes ArgoCD to detect a drift and restore the original state. It should now be clear that this pattern leads to a forced sync. Otherwise, the helm documentation describes it quite well:
Tip
In the event you always want to roll your deployment, you can use a similar annotation step as above, instead replacing with a random string so it always changes and causes the deployment to roll.
https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
Basically, I have no problem at all with the approach of using a random string there. However, nowhere does it say that this leads to a drift through ArgoCD.
I would suggest updating the documentation here and pointing out to other users what this leads to. The current workaround is to ignore all instances where a default is defined by a random string.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: harbor
spec:
  project: default
  ignoreDifferences:
    - kind: Secret
      jsonPointers:
        # harbor-core
        - /data/secret
        - /data/CSRF_KEY
        # registry-secret
        - /data/REGISTRY_HTTP_SECRET
        # jobservice-secret
        - /data/JOBSERVICE_SECRET
```

Volker
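
An added example, not part of the original post or the Harbor chart: a Python script that compares two renders of the same chart and lists the Secret fields that differ between them, then builds `ignoreDifferences` entries scoped to each Secret by `name` instead of to every Secret in the application. The manifest names and values are constructed, and it assumes the two renders have already been converted to JSON.

```python
import json

# Constructed sample data: the Secret/ConfigMap manifests from two renders of
# the same chart with unchanged values, as JSON. All names/values are made up.
RENDER_A = json.loads("""[
 {"kind": "Secret", "metadata": {"name": "harbor-core"},
  "data": {"secret": "YWFhYQ==", "CSRF_KEY": "YmJiYg==", "tls.crt": "c2FtZQ=="}},
 {"kind": "Secret", "metadata": {"name": "harbor-jobservice"},
  "data": {"JOBSERVICE_SECRET": "Y2NjYw=="}},
 {"kind": "ConfigMap", "metadata": {"name": "harbor-core"}, "data": {"PORT": "8080"}}
]""")
RENDER_B = json.loads("""[
 {"kind": "Secret", "metadata": {"name": "harbor-core"},
  "data": {"secret": "eHh4eA==", "CSRF_KEY": "eXl5eQ==", "tls.crt": "c2FtZQ=="}},
 {"kind": "Secret", "metadata": {"name": "harbor-jobservice"},
  "data": {"JOBSERVICE_SECRET": "enp6eg=="}},
 {"kind": "ConfigMap", "metadata": {"name": "harbor-core"}, "data": {"PORT": "8080"}}
]""")


def secrets_by_name(manifests):
    """Map Secret name -> its data dict, ignoring every other kind."""
    return {m["metadata"]["name"]: m.get("data") or {}
            for m in manifests if m.get("kind") == "Secret"}


def drifting_pointers(render_a, render_b):
    """Return {secret name: [JSON pointers]} for data keys that differ."""
    a, b = secrets_by_name(render_a), secrets_by_name(render_b)
    drift = {}
    for name in sorted(a.keys() & b.keys()):
        keys = sorted(k for k in a[name].keys() | b[name].keys()
                      if a[name].get(k) != b[name].get(k))
        if keys:
            # Secret data keys are limited to [-._a-zA-Z0-9], so no
            # JSON-pointer escaping of "/" or "~" is needed here.
            drift[name] = ["/data/" + k for k in keys]
    return drift


def ignore_differences(drift):
    """Build ignoreDifferences entries scoped to each Secret by name."""
    return [{"kind": "Secret", "name": name, "jsonPointers": ptrs}
            for name, ptrs in drift.items()]


if __name__ == "__main__":
    print(json.dumps(ignore_differences(drifting_pointers(RENDER_A, RENDER_B)), indent=2))
```

Fields that are identical in both renders (here `tls.crt`) stay under drift detection, so a real change to them is still reported.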