Sql user calling every minute by ArgoCD.

[rafaeltovargarrido]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug
We have config connector in our gke cluster to handle all the gcp resources in our infra, we use this kind sqlusers.sql.cnrm.cloud.google.com to create SQL user for our database. The issue is argo is calling the creation of the user every minute as you can see in the image I posted.

To Reproduce

apiVersion: sql.cnrm.cloud.google.com/v1beta1
kind: SQLUser
metadata:
  annotations:
    argocd.argoproj.io/sync-options: Validate=false
    cnrm.cloud.google.com/deletion-policy: abandon
  labels:
    environment: oat-dev
    part-of: datastore
    tier: database
  name: 9076c2ecaf2fccec3a719e88ccbb01a4
  namespace: oat-dev
spec:
  host: '%'
  instanceRef:
    external: instance-id
  password:
    valueFrom:
      secretKeyRef:
        key: password
        name: ds-gcp-cloud-sql-ds-secret

Expected behavior
Argo create the user and that is all.

Screenshots

Version

Paste the output from `argocd version` here.

argocd: v2.5.5+fc3eaec
BuildDate: 2022-12-16T16:34:36Z
GitCommit: fc3eaec
GitTreeState: clean
GoVersion: go1.18.9
Compiler: gc
Platform: linux/amd64
argocd-server: v2.5.5+fc3eaec
BuildDate: 2022-12-16T16:34:36Z
GitCommit: fc3eaec
GitTreeState: clean
GoVersion: go1.18.9
Compiler: gc
Platform: linux/amd64
Kustomize Version: could not get kustomize version: exec: "kustomize": executable file not found in $PATH
Helm Version: v3.10.3+g835b733
Kubectl Version: v0.24.2
Jsonnet Version: v0.18.0

Logs

Paste any relevant application logs here.

[jannfis]

I don't quite understand. Argo CD does not create any user, it will reconcile your manifests to a cluster, and from there some other controller will pick it up and do something with it.

I'm not familiar with the SQLUser API, but how does the config connector pick up changes to this resource? Is the SQLUser resource deleted somehow and then getting recreated by Argo CD, thereby triggering the creation of a user?

[rafaeltovargarrido]

If I delete all the kinds SqlUser from the manifest of argo and recreate again outside argo the calls to sql api aren't any more there.

[blakepettersson]

Can it be this that is causing your issue? https://cloud.google.com/config-connector/docs/concepts/ignore-unspecified-fields#resolve_fighting_between_config_management_tools_and

[rafaeltovargarrido]

Thanks, @blakepettersson I think you are totally right, but SQLUser doesn't support that flag.

Error from server: error when creating "SQLUser-3d242eb873908c34c7084bd5c66e2224.yaml": admission webhook "generic-defaulter.cnrm.cloud.google.com" denied the request: error validating or defaulting 'cnrm.cloud.google.com/state-into-spec' annotation: kind 'SQLUser' does not support having annotation 'cnrm.cloud.google.com/state-into-spec' set to value 'absent'

[blakepettersson]

It might be worthwhile to submit your query to the k8s-config-connector project directly, there's likely some drift between the Argo CD SQLUser definition and the reconciled SQLUser that has been created by the k8s-config-connector controller.

You can also try to turn off auto-sync for the Application containing the SQLUser definition, run refresh and see what the diff is between the live SQLUser object and whatever is in Git.

[rafaeltovargarrido]

I already try the second one and there is no such of diff. I appreciate your help will create a ticket for google.

[blakepettersson]

Could be relevant: #14426

[blakepettersson]

As well as GoogleCloudPlatform/k8s-config-connector#837