argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.45k stars 5.3k forks

Accessing app details in different namespace than argocd results in error #12506

Open Nusiko opened 1 year ago

Nusiko commented 1 year ago

Describe the bug

Trying to retrieve application details or resource information in the web UI for an application in a namespace that is not argocd results in the following error message:

[screenshot]

Because of the following failed request ...

[screenshot]

... Argo server log shows the following error message:

time="2023-02-17T09:09:11Z" level=error msg="failed to get application, error=applications.argoproj.io \"composites\" not found" application=composites ns=argocd

It seems to look for the application in the argocd namespace, even though the application is deployed in the test-argocd namespace.

To Reproduce

Deploy argo with the following kustomization file:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- https://raw.githubusercontent.com/argoproj/argo-cd/v2.6.1/manifests/ha/install.yaml
- project.yaml

patchesStrategicMerge:
- |-
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: argocd-cm
  data:
    # we use annotations for tracking ownership because this avoids certain compatibility problems
    application.resourceTrackingMethod: annotation
    # add an additional local user with login capabilities
    accounts.alice: login
- |-
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: argocd-cmd-params-cm
  data:
    # allow additional namespaces for deploying apps that will be used by unprivileged test users
    application.namespaces: test-argocd
- |-
  apiVersion: v1
  kind: ConfigMap
  metadata:
    name: argocd-rbac-cm
  data:
    policy.csv: |
      # Grant the user alice permission to all actions regarding applications in 'test'
      p, alice, applications, *, test/test-argocd/*, allow
      # Grant the user alice permission to all actions regarding logs in 'test'
      p, alice, logs, *, test/test-argocd/*, allow
      # Grant the user alice permission to all actions regarding repositories in 'test'
      p, alice, repositories, *, test/*, allow
      # Grant the user alice permission to all actions regarding certificates in 'test'
      p, alice, certificates, *, test/*, allow
      # Grant the user alice permission to all actions regarding gpgkeys in 'test'
      p, alice, gpgkeys, *, test/*, allow
      # Grant the user alice permission to read all clusters
      p, alice, clusters, get, *, allow
      # Grant the user alice permission to read all projects
      p, alice, projects, get, *, allow

patches:
# needed for app in any namespace feature
# see: https://github.com/argoproj/argo-cd/pull/11210
- patch: |-
    - op: add
      path: /rules/3/verbs/-
      value: update
    - op: add
      path: /rules/3/verbs/-
      value: create
  target:
    kind: ClusterRole
    name: argocd-server

namespace: argocd

and the following project.yaml:

---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: test
  namespace: argocd
  # Finalizer that ensures that project is not deleted until it is not referenced by any application
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  description: Test project

  sourceNamespaces:
  - test-argocd

  # Allow manifests to deploy from any Git repos
  sourceRepos:
  - '*'

  destinations:
  - namespace: '!argocd'
    server: '*'
  - namespace: '!cert-manager'
    server: '*'
  - namespace: '!ingress-nginx'
    server: '*'
  - namespace: '!kube-node-lease'
    server: '*'
  - namespace: '!kube-public'
    server: '*'
  - namespace: '!kube-system'
    server: '*'
  - namespace: '!monitoring'
    server: '*'
  - namespace: '!postgres-operator'
    server: '*'
  - namespace: '*'
    server: https://kubernetes.default.svc

# Deny all cluster-scoped resources from being created, except for Namespace
  clusterResourceWhitelist:
  - group: ''
    kind: Namespace

Create the following application:

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: test-argocd
spec:
  destination:
    namespace: default
    server: https://kubernetes.default.svc
  project: test
  source:
    path: helm-guestbook
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    targetRevision: master

Expected behavior

The restricted user alice is only able to create applications in the test project and the test-argocd namespace. These applications should be fully readable and functional.

Version

argocd: v2.6.1+3f143c9.dirty
  BuildDate: 2023-02-08T22:29:25Z
  GitCommit: 3f143c9307f99a61bf7049a2b1c7194699a7c21b
  GitTreeState: dirty
  GoVersion: go1.19.5
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v2.6.1+3f143c9
  BuildDate: 2023-02-08T18:51:05Z
  GitCommit: 3f143c9307f99a61bf7049a2b1c7194699a7c21b
  GitTreeState: clean
  GoVersion: go1.18.10
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v4.5.7 2022-08-02T16:35:54Z
  Helm Version: v3.10.3+g835b733
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.19.1
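
Added example (not part of the original issue and not Argo CD code): a simplified consistency check over the three settings the reproduction relies on, namely `application.namespaces`, the project's `sourceNamespaces`, and the `policy.csv` object pattern. It assumes apps outside the control-plane namespace are addressed as `<project>/<namespace>/<name>` in RBAC, and approximates Argo CD's glob matching with Python's `fnmatch`; the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# Values copied from the reproduction above, written as Python literals.
CONTROL_PLANE_NS = "argocd"
APPLICATION_NAMESPACES = "test-argocd"  # argocd-cmd-params-cm
PROJECT = {"name": "test", "sourceNamespaces": ["test-argocd"]}
POLICY_CSV = """
p, alice, applications, *, test/test-argocd/*, allow
p, alice, logs, *, test/test-argocd/*, allow
p, alice, projects, get, *, allow
"""


def rbac_object(project, app_ns, app_name):
    """Assumed object string: apps outside the control-plane namespace
    are addressed as <project>/<namespace>/<name>."""
    if app_ns == CONTROL_PLANE_NS:
        return f"{project}/{app_name}"
    return f"{project}/{app_ns}/{app_name}"


def rbac_allows(subject, resource, action, obj, policy=POLICY_CSV):
    """Simplified glob evaluation of 'p' lines (no roles, groups or deny)."""
    for line in policy.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6 or fields[0] != "p" or fields[5] != "allow":
            continue
        _, sub, res, act, pattern, _ = fields
        if (sub == subject and fnmatchcase(resource, res)
                and fnmatchcase(action, act) and fnmatchcase(obj, pattern)):
            return True
    return False


def check_app(subject, app_ns, app_name):
    """Return the three preconditions for reading an app in app_ns."""
    enabled = [p.strip() for p in APPLICATION_NAMESPACES.split(",")]
    obj = rbac_object(PROJECT["name"], app_ns, app_name)
    in_control_plane = app_ns == CONTROL_PLANE_NS
    return {
        "namespace_enabled": in_control_plane
        or any(fnmatchcase(app_ns, p) for p in enabled),
        "project_permits_ns": in_control_plane
        or any(fnmatchcase(app_ns, p) for p in PROJECT["sourceNamespaces"]),
        "rbac_get": rbac_allows(subject, "applications", "get", obj),
    }


if __name__ == "__main__":
    print(check_app("alice", "test-argocd", "guestbook"))
    print(check_app("alice", "argocd", "guestbook"))
```

Under this model the posted configuration is consistent for `guestbook` in `test-argocd`, while the same policy grants alice nothing for an application resolved in the `argocd` namespace.
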

quentinlacrouts commented 1 year ago

Any update on this? We are facing the same issue.