Trying to retrieve application details or resource information in the web ui for an application in a namespace that is not argocd results in the following error message:
Because of the following failed request ...
... Argo server log shows the following error message:
time="2023-02-17T09:09:11Z" level=error msg="failed to get application, error=applications.argoproj.io \"composites\" not found" application=composites ns=argocd
It seems to look for the application in the argocd namespace, even though the application is deployed in the test-argocd namespace.
To Reproduce
Deploy argo with the following kustomization file
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://raw.githubusercontent.com/argoproj/argo-cd/v2.6.1/manifests/ha/install.yaml
- project.yaml
patchesStrategicMerge:
- |-
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
data:
# we use annotations for tracking ownership because this avoids certain compatibility problems
application.resourceTrackingMethod: annotation
# add an additional local user with login capabilities
accounts.alice: login
- |-
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cmd-params-cm
data:
# allow additional namespaces for deploying apps that will be used by unprivileged test users
application.namespaces: test-argocd
- |-
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-rbac-cm
data:
policy.csv: |
# Grant the user alice permission to all actions regarding applications in 'test'
p, alice, applications, *, test/test-argocd/*, allow
# Grant the user alice permission to all actions regarding logs in 'test'
p, alice, logs, *, test/test-argocd/*, allow
# Grant the user alice permission to all actions regarding repositories in 'test'
p, alice, repositories, *, test/*, allow
# Grant the user alice permission to all actions regarding certificates in 'test'
p, alice, certificates, *, test/*, allow
# Grant the user alice permission to all actions regarding gpgkeys in 'test'
p, alice, gpgkeys, *, test/*, allow
# Grant the user alice permission to read all clusters
p, alice, clusters, get, *, allow
# Grant the user alice permission to read all projects
p, alice, projects, get, *, allow
patches:
# needed for app in any namespace feature
# see: https://github.com/argoproj/argo-cd/pull/11210
- patch: |-
- op: add
path: /rules/3/verbs/-
value: update
- op: add
path: /rules/3/verbs/-
value: create
target:
kind: ClusterRole
name: argocd-server
namespace: argocd
and the following project.yaml:
---
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: test
namespace: argocd
# Finalizer that ensures that project is not deleted until it is not referenced by any application
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
description: Test project
sourceNamespaces:
- test-argocd
# Allow manifests to deploy from any Git repos
sourceRepos:
- '*'
destinations:
- namespace: '!argocd'
server: '*'
- namespace: '!cert-manager'
server: '*'
- namespace: '!ingress-nginx'
server: '*'
- namespace: '!kube-node-lease'
server: '*'
- namespace: '!kube-public'
server: '*'
- namespace: '!kube-system'
server: '*'
- namespace: '!monitoring'
server: '*'
- namespace: '!postgres-operator'
server: '*'
- namespace: '*'
server: https://kubernetes.default.svc
# Deny all cluster-scoped resources from being created, except for Namespace
clusterResourceWhitelist:
- group: ''
kind: Namespace
The restricted user alice is only able to create applications in the test project and the test-argocd namespace. These applications should be fully readable and functional.
Checklist:
argocd version
.Describe the bug
Trying to retrieve application details or resource information in the web ui for an application in a namespace that is not
argocd
results in the following error message:Because of the following failed request ...
... Argo server log shows the following error message:
It seems to look for the application in the argocd namespace, even though the application is deployed in the
test-argocd
namespace.To Reproduce
Deploy argo with the following
kustomization
fileand the following
project.yaml
:Create the following application:
Expected behavior
The restricted user alice is only able to create applications in the
test
project and thetest-argocd
namespace. These applications should be fully readable and functional.Version