CCI-MOC / moc-infra-config


configure argocd to deploy configuration from this repo #5

Closed naved001 closed 4 months ago

naved001 commented 5 months ago

we'll create an app that creates other apps

https://argo-cd.readthedocs.io/en/stable/operator-manual/cluster-bootstrapping/

naved001 commented 5 months ago

argocd likes to label things it's managing and the label was conflicting with a label we used for all of our longhorn resources, so argocd recommends that we change it.

https://argo-cd.readthedocs.io/en/stable/faq/#why-is-my-app-out-of-sync-even-after-syncing

The documentation says we can edit the configmap argocd-cm to change the value for application.instanceLabelKey to argocd.argoproj.io/instance but because we installed the openshift-gitops operator we cannot directly update the configmap. Instead we need to modify the resource argocd/openshift-gitops in the openshift-gitops namespace. We update the spec to add a key extraConfig that includes our updates.

```yaml
# ...
spec:
  extraConfig:
    application.instanceLabelKey: argocd/openshift-gitops
```

https://access.redhat.com/solutions/6970884

naved001 commented 5 months ago

@larsks I am running into another issue where the serviceaccount that argocd uses doesn't have the correct permissions to manage some resources.

```
one or more objects failed to apply, reason: error when patching "/dev/shm/3585490436": operatorconfigs.operator.external-secrets.io "cluster" is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller" cannot patch resource "operatorconfigs" in API group "operator.external-secrets.io" in the namespace "external-secrets-operator"

one or more objects failed to apply, reason: error when patching "/dev/shm/2706284727": services "longhorn-recovery-backend" is forbidden: User "system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller" cannot patch resource "services" in API group "" in the namespace "longhorn-system"
```

The application controller logs indicate the same thing:

```
time="2024-06-25T16:56:05Z" level=info msg="Adding resource result, status: 'SyncFailed', phase: 'Failed', message: 'error when patching \"/dev/shm/955127854\": clustersecretstores.external-secrets.io \"aws-secret-store\" is forbidden: User \"system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller\" cannot patch resource \"clustersecretstores\" in API group \"external-secrets.io\" at the cluster scope'" application=openshift-gitops/cluster-resources-moc-infra kind=ClusterSecretStore name=aws-secret-store namespace=openshift-gitops phase=Sync syncId=00014-BMPIj
```

larsks commented 5 months ago

Right, you will need to set up some RBAC for argocd (see e.g. 1, 2).
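As an added illustration of the RBAC larsks refers to (example manifests, not from this repository or thread), the grants below are scoped to exactly the resources named in the sync errors above: a ClusterRole for the cluster-scoped `clustersecretstores`, and a namespaced Role for `operatorconfigs` in `external-secrets-operator`, both bound to the application controller service account from the error messages. The Role/ClusterRole names are hypothetical.

```yaml
# Added example: least-privilege RBAC for the Argo CD application controller.
# Object names below are hypothetical; the service account and resource names
# come from the sync errors quoted in this issue.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-clustersecretstores-manager
rules:
  - apiGroups: ["external-secrets.io"]
    resources: ["clustersecretstores"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-clustersecretstores-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-clustersecretstores-manager
subjects:
  - kind: ServiceAccount
    name: openshift-gitops-argocd-application-controller
    namespace: openshift-gitops
---
# Namespaced resource: a Role in that namespace only, not a cluster-wide grant.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-operatorconfigs-manager
  namespace: external-secrets-operator
rules:
  - apiGroups: ["operator.external-secrets.io"]
    resources: ["operatorconfigs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-operatorconfigs-manager
  namespace: external-secrets-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-operatorconfigs-manager
subjects:
  - kind: ServiceAccount
    name: openshift-gitops-argocd-application-controller
    namespace: openshift-gitops
```

After applying, `oc auth can-i patch clustersecretstores.external-secrets.io --as=system:serviceaccount:openshift-gitops:openshift-gitops-argocd-application-controller` should answer `yes`, and the same check with `--as` in a namespace you did not grant should still answer `no`.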