argoproj-labs / argocd-agent

Redefining the multi cluster story of Argo CD
Apache License 2.0

AppProject informer shouldn't be cluster scoped when namespace is not set #213

Closed jannfis closed 2 weeks ago

jannfis commented 3 weeks ago

The AppProject informer should never be cluster scoped, even if the namespace is not set.

It should behave as documented here and never require cluster scoped permissions to list or watch AppProjects.

jwtty commented 3 weeks ago

For update, it's actually the agent that's reporting the error:

W1101 21:12:14.421743 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.AppProject: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-agent-agent" cannot list resource "appprojects" in API group "argoproj.io" at the cluster scope
E1101 21:12:14.421772 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.AppProject: failed to list *v1alpha1.AppProject: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-agent-agent" cannot list resource "appprojects" in API group "argoproj.io" at the cluster scope

And I'm using the argocd-agent-params cm:

+ kubectl get configmap -n argocd argocd-agent-params -o yaml
apiVersion: v1
data:
  agent.creds.userpass.path: userpass:/app/config/creds/userpass.creds
  agent.log.level: info
  agent.mode: autonomous
  agent.namespace: argocd
  agent.server.address: argocd-agent-principal.example.com
  agent.server.port: "443"
  agent.tls.client.cert-path: /app/config/tls/tls.crt
  agent.tls.client.insecure: "false"
  agent.tls.client.key-path: /app/config/tls/tls.key
  agent.tls.root-ca-path: /app/config/tls/ca.crt
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"agent.creds.userpass.path":"userpass:/app/config/creds/userpass.creds","agent.log.level":"info","agent.mode":"autonomous","agent.namespace":"argocd","agent.server.address":"argocd-agent-principal.example.com","agent.server.port":"443","agent.tls.client.cert-path":"/app/config/tls/tls.crt","agent.tls.client.insecure":"false","agent.tls.client.key-path":"/app/config/tls/tls.key","agent.tls.root-ca-path":"/app/config/tls/ca.crt"},"kind":"ConfigMap","metadata":{"annotations":{},"name":"argocd-agent-params","namespace":"argocd"}}
  creationTimestamp: "2024-10-31T00:31:47Z"
  name: argocd-agent-params
  namespace: argocd
  resourceVersion: "343801"
  uid: 91f4da0d-3fd5-4b3e-bc37-50ae17f33ccf

jannfis commented 3 weeks ago

Thanks for the update!

I'm actually digging through the code and there are some more issues w.r.t. the informers and how they handle scope, which affect both principal and agent.

I'm rolling up a fix as we speak.
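
The RBAC denial in the agent log quoted above is what gives away an informer that lists or watches at cluster scope. As an added example (not part of the thread and not argocd-agent code), this Go program extracts such denials from reflector log lines and reports the service accounts whose informers asked for all namespaces; the third sample line and its service account `example-sa` are constructed for contrast.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLog: the two reflector messages quoted in the thread, plus one
// constructed namespace-scoped denial (hypothetical service account) for contrast.
const sampleLog = `W1101 21:12:14.421743 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.AppProject: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-agent-agent" cannot list resource "appprojects" in API group "argoproj.io" at the cluster scope
E1101 21:12:14.421772 1 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.AppProject: failed to list *v1alpha1.AppProject: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-agent-agent" cannot list resource "appprojects" in API group "argoproj.io" at the cluster scope
W1101 21:12:15.000000 1 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.AppProject: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:example-sa" cannot list resource "appprojects" in API group "argoproj.io" in the namespace "other-ns"`

// Denial is one distinct RBAC refusal reported by an informer's reflector.
type Denial struct{ User, Verb, Resource, Group, Scope string }

// Matches the API server's "forbidden" text for cluster and namespace scope.
var forbiddenRe = regexp.MustCompile(`User "([^"]+)" cannot (\w+) resource "([^"]+)" in API group "([^"]*)" (?:at the cluster scope|in the namespace "([^"]+)")`)

// FindDenials returns each distinct denial once, in order of first appearance.
func FindDenials(log string) []Denial {
	seen := map[Denial]bool{}
	var out []Denial
	for _, line := range strings.Split(log, "\n") {
		m := forbiddenRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		d := Denial{User: m[1], Verb: m[2], Resource: m[3], Group: m[4], Scope: "cluster"}
		if m[5] != "" {
			d.Scope = "namespace/" + m[5]
		}
		if !seen[d] {
			seen[d] = true
			out = append(out, d)
		}
	}
	return out
}

func main() {
	for _, d := range FindDenials(sampleLog) {
		if d.Scope == "cluster" {
			fmt.Printf("%s: %s %s.%s at cluster scope\n", d.User, d.Verb, d.Resource, d.Group)
		}
	}
}
```

The warning and error lines from the thread collapse into a single denial, since both report the same refused list call.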