ApplicationSets CRD cannot be watched / listed by argocd-server SA #660

Open
dortlii opened this issue Mar 12, 2024 · 1 comment

dortlii commented Mar 12, 2024

Describe the bug
The argocd-server pod shows a lot of errors like these:

W0312 10:33:57.113524 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1alpha1.ApplicationSet: applicationsets.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-argocd-server" cannot list resource "applicationsets" in API group "argoproj.io" in the namespace "argocd"

E0312 10:33:57.113554 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1alpha1.ApplicationSet: failed to list *v1alpha1.ApplicationSet: applicationsets.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-argocd-server" cannot list resource "applicationsets" in API group "argoproj.io" in the namespace "argocd"

This is because the argocd-role argocd-server doesn't include the permissions to watch and list applicationsets.

Snippet from role yaml:

...
  - verbs:
      - create
      - get
      - list
      - watch
      - update
      - delete
      - patch
    apiGroups:
      - argoproj.io
    resources:
      - applications
      - appprojects
...

Role config of the gitops-operator without applicationsets (v1.11.0):
https://github.com/redhat-developer/gitops-operator/blob/4803ae0f7e6abc7d9583ac56df4c18b1d8eead77/config/rbac/role.yaml#L192C1-L199C19

Upstream ArgoCD role config with applicationsets (v2.9.5):
https://github.com/argoproj/argo-cd/blob/f9436641a616d277ab1f98694e5ce4c986d4ea05/manifests/base/server/argocd-server-role.yaml#L23C1-L36C10

Issue happens in OpenShift 4.13.17 with GitOps Operator v1.11.1. Applying applicationsets is working as in our usage.

To Reproduce
Steps to reproduce the behavior:

  1. Install gitops-operator v1.11.1
  2. Create ArgoCD Instance
  3. Open logs for the "argocd-server-*" pod
  4. See error

Expected behavior
The logs of the pod should not contain the error message.

Screenshots
No screenshot provided

Additional context
ArgoCD CRD YAML:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd
spec:
  server:
    autoscale:
      enabled: false
    grpc:
      ingress:
        enabled: false
    ingress:
      enabled: false
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 25m
        memory: 128Mi
    route:
      enabled: true
      tls:
        termination: reencrypt
    service:
      type: ''
  grafana:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  monitoring:
    enabled: false
  notifications:
    enabled: true
    resources:
      limits:
        cpu: 150m
        memory: 200Mi
      requests:
        cpu: 20m
        memory: 60Mi
  prometheus:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  initialSSHKnownHosts: {}
  sso:
    dex:
      openShiftOAuth: true
      resources:
        limits:
          cpu: 150m
          memory: 512Mi
        requests:
          cpu: 20m
          memory: 256Mi
    provider: dex
  applicationSet:
    resources:
      limits:
        cpu: 150m
        memory: 200Mi
      requests:
        cpu: 20m
        memory: 60Mi
    webhookServer:
      ingress:
        enabled: false
      route:
        enabled: false
  rbac:
    defaultPolicy: ''
    policy: |
      g, system:cluster-admins, role:admin
    scopes: '[groups]'
  repo:
    resources:
      limits:
        cpu: 250m
        memory: 512Mi
      requests:
        cpu: 20m
        memory: 256Mi
  ha:
    enabled: false
    resources:
      limits:
        cpu: 150m
        memory: 256Mi
      requests:
        cpu: 20m
        memory: 128Mi
  tls:
    ca: {}
  redis:
    resources:
      limits:
        cpu: 150m
        memory: 256Mi
      requests:
        cpu: 20m
        memory: 128Mi
  controller:
    processors: {}
    resources:
      limits:
        cpu: 500m
        memory: 2Gi
      requests:
        cpu: 200m
        memory: 1Gi
    sharding: {}
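
The check behind this report, as an added example that is not part of the original issue or of either project's code: it parses the `forbidden` denials from the reflector log and compares them with the role rule quoted above, returning the narrowest rule that would clear them. The sample lines are constructed from the report with the module path dropped, and the function names and the assumption that an informer needs both `list` and `watch` are this example's own.

```python
import re

# Constructed sample: the two reflector lines from the report, module path omitted.
USER = "system:serviceaccount:argocd:argocd-argocd-server"
DENIAL = (f'applicationsets.argoproj.io is forbidden: User "{USER}" cannot list '
          'resource "applicationsets" in API group "argoproj.io" in the namespace "argocd"')
LOG_LINES = [
    f"W0312 10:33:57.113524 1 reflector.go:324] failed to list *v1alpha1.ApplicationSet: {DENIAL}",
    f"E0312 10:33:57.113554 1 reflector.go:138] Failed to watch *v1alpha1.ApplicationSet: "
    f"failed to list *v1alpha1.ApplicationSet: {DENIAL}",
]

# The rule shown in the role snippet of the report (no applicationsets).
ROLE_RULES = [{
    "apiGroups": ["argoproj.io"],
    "resources": ["applications", "appprojects"],
    "verbs": ["create", "get", "list", "watch", "update", "delete", "patch"],
}]

FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"(?: in the namespace "(?P<namespace>[^"]+)")?'
)

def parse_denials(lines):
    """Return unique (user, verb, group, resource, namespace) tuples, in log order."""
    seen = []
    for line in lines:
        m = FORBIDDEN.search(line)
        if m:
            denial = (m["user"], m["verb"], m["group"], m["resource"], m["namespace"])
            if denial not in seen:
                seen.append(denial)
    return seen

def rule_allows(rule, verb, group, resource):
    """RBAC rule match: every field must list the value or the '*' wildcard."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))

def missing_rules(denials, rules, informer_verbs=("list", "watch")):
    """For each denial, return the smallest rule covering the denied verb plus list/watch."""
    out = []
    for _user, verb, group, resource, _ns in denials:
        needed = dict.fromkeys((verb,) + tuple(informer_verbs))  # ordered, de-duplicated
        lacking = [v for v in needed if not any(rule_allows(r, v, group, resource) for r in rules)]
        if lacking:
            out.append({"apiGroups": [group], "resources": [resource], "verbs": lacking})
    return out
```

On a live cluster, `kubectl auth can-i list applicationsets.argoproj.io -n argocd --as=system:serviceaccount:argocd:argocd-argocd-server` answers the same question for a single verb.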

svghadi commented Apr 1, 2024

Hi @dortlii, thanks for reporting the issue. I believe the issue is fixed in the recent v1.12.0 version of gitops-operator with argoproj-labs/argocd-operator#1140. The backport of this fix is not yet released for gitops-operator v1.11.z.
