Sync Windows

Sync windows are configurable windows of time where syncs will either be blocked or allowed. These are defined by a kind, which can be either allow or deny, a schedule in cron format and a duration along with one or more of either applications, namespaces and clusters. Wildcards are supported. These windows affect the running of both manual and automated syncs but allow an override for manual syncs which is useful if you are only interested in preventing automated syncs or if you need to temporarily override a window to perform a sync.

The windows work in the following way. If there are no windows matching an application then all syncs are allowed. If there are any allow windows matching an application then syncs will only be allowed when there is an active allow window. If there are any deny windows matching an application then all syncs will be denied when the deny windows are active. If there is an active matching allow and an active matching deny then syncs will be denied as deny windows override allow windows. The UI and the CLI will both display the state of the sync windows. The UI has a panel which will display different colours depending on the state. The colours are as follows. Red: sync denied, Orange: manual allowed and Green: sync allowed.

To display the sync state using the CLI:

  1. argocd app get APP

Which will return the sync state and any matching windows.

  1. Name: guestbook
  2. Project: default
  3. Server: in-cluster
  4. Namespace: default
  5. URL: http://localhost:8080/applications/guestbook
  6. Repo: https://github.com/argoproj/argocd-example-apps.git
  7. Target:
  8. Path: guestbook
  9. SyncWindow: Sync Denied
  10. Assigned Windows: deny:0 2 * * *:1h,allow:0 2 3 3 3:1h
  11. Sync Policy: Automated
  12. Sync Status: Synced to (5c2d89b)
  13. Health Status: Healthy

Windows can be created using the CLI:

  1. argocd proj windows add PROJECT \
  2. --kind allow \
  3. --schedule "0 22 * * *" \
  4. --duration 1h \
  5. --applications "*"

Alternatively, they can be created directly in the AppProject manifest:

  1. apiVersion: argoproj.io/v1alpha1
  2. kind: AppProject
  3. metadata:
  4. name: default
  5. spec:
  6. syncWindows:
  7. - kind: allow
  8. schedule: '10 1 * * *'
  9. duration: 1h
  10. applications:
  11. - '*-prod'
  12. manualSync: true
  13. - kind: deny
  14. schedule: '0 22 * * *'
  15. timeZone: "Europe/Amsterdam"
  16. duration: 1h
  17. namespaces:
  18. - default
  19. - kind: allow
  20. schedule: '0 23 * * *'
  21. duration: 1h
  22. clusters:
  23. - in-cluster
  24. - cluster1

In order to perform a sync when syncs are being prevented by a window, you can configure the window to allow manual syncs using the CLI, UI or directly in the AppProject manifest:

  1. argocd proj windows enable-manual-sync PROJECT ID

To disable

  1. argocd proj windows disable-manual-sync PROJECT ID

Windows can be listed using the CLI or viewed in the UI:

  1. argocd proj windows list PROJECT
  1. ID STATUS KIND SCHEDULE DURATION APPLICATIONS NAMESPACES CLUSTERS MANUALSYNC
  2. 0 Active allow * * * * * 1h - - prod1 Disabled
  3. 1 Inactive deny * * * * 1 3h - default - Disabled
  4. 2 Inactive allow 1 2 * * * 1h prod-* - - Enabled
  5. 3 Active deny * * * * * 1h - default - Disabled

All fields of a window can be updated using either the CLI or UI. The applications, namespaces and clusters fields require the update to contain all of the required values. For example if updating the namespaces field and it already contains default and kube-system then the new value would have to include those in the list.

  1. argocd proj windows update PROJECT ID --namespaces default,kube-system,prod1