Erroneous RepeatedResourceWarning for Strimzi RoleBindings

brsolomon-deloitte commented 1 year ago

Checklist:

[x] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
[x] I've included steps to reproduce the bug.
[x] I've pasted the output of argocd version.

Describe the bug

Deploying strimzi-kafka-operator chart version 0.34 leads to multiple RepeatedResourceWarnings despite the fact that the Helm chart only templates these out once.

CONDITION                MESSAGE                                                                                                                                                   LAST TRANSITION
RepeatedResourceWarning  Resource rbac.authorization.k8s.io/RoleBinding/elastic/strimzi-cluster-operator appeared 2 times among application resources.                             2023-05-01 15:21:10 +0000 UTC
RepeatedResourceWarning  Resource rbac.authorization.k8s.io/RoleBinding/elastic/strimzi-cluster-operator-entity-operator-delegation appeared 2 times among application resources.  2023-05-01 23:56:29 +0000 UTC
RepeatedResourceWarning  Resource rbac.authorization.k8s.io/RoleBinding/elastic/strimzi-cluster-operator-watched appeared 2 times among application resources.                     2023-05-01 23:56:29 +0000 UTC

To Reproduce

Deploy strimzi-kafka-operator using Helm-dependency pattern.

Do you see any repeated resources here? I certainly don't. I've also looked through argocd app manifests --core strimzi-kafka-operator, same thing - no duplicates.

$ cat Chart.yaml
apiVersion: v2
appVersion: 0.34.0
dependencies:
- name: strimzi-kafka-operator
  repository: https://strimzi.io/charts/
  version: 0.34.0
- name: common
  version: 2.x.x
  repository: https://charts.bitnami.com/bitnami
description: "Strimzi: Apache Kafka running on Kubernetes"
name: strimzi-kafka-operator
type: application
version: 2.0.0

$ cat values.yaml
# empty
$ helm template . | grep -B3 -A10 -F 'kind: RoleBinding'
---
# Source: strimzi-kafka-operator/charts/strimzi-kafka-operator/templates/020-RoleBinding-strimzi-cluster-operator.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-operator
  namespace: default
  labels:
    app: strimzi
    chart: strimzi-kafka-operator-0.34.0
    component: role-binding
    release: release-name
    heritage: Helm
subjects:
--
---
# Source: strimzi-kafka-operator/charts/strimzi-kafka-operator/templates/022-RoleBinding-strimzi-cluster-operator.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-operator-leader-election
  namespace: default
  labels:
    app: strimzi
    chart: strimzi-kafka-operator-0.34.0
    component: role-binding
    release: release-name
    heritage: Helm
subjects:
--
---
# Source: strimzi-kafka-operator/charts/strimzi-kafka-operator/templates/023-RoleBinding-strimzi-cluster-operator.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-operator-watched
  namespace: default
  labels:
    app: strimzi
    chart: strimzi-kafka-operator-0.34.0
    component: role-binding
    release: release-name
    heritage: Helm
subjects:
--
---
# Source: strimzi-kafka-operator/charts/strimzi-kafka-operator/templates/031-RoleBinding-strimzi-cluster-operator-entity-operator-delegation.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-operator-entity-operator-delegation
  namespace: default
  labels:
    app: strimzi
    chart: strimzi-kafka-operator-0.34.0
    component: entity-operator-role-binding
    release: release-name
    heritage: Helm
# The Entity Operator cluster role must be bound to the cluster operator service account so that it can delegate the cluster role to the Entity Operator.

Let's try another way:

$ helm template . | egrep -C10 '^  name: strimzi-cluster-operator$'
---
# Source: strimzi-kafka-operator/charts/strimzi-kafka-operator/templates/010-ServiceAccount-strimzi-cluster-operator.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: strimzi-cluster-operator
  namespace: default
  labels:
    app: strimzi
    chart: strimzi-kafka-operator-0.34.0
    component: service-account
    release: release-name
    heritage: Helm
---
# Source: strimzi-kafka-operator/charts/strimzi-kafka-operator/templates/050-ConfigMap-strimzi-cluster-operator.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: strimzi-cluster-operator
  namespace: default
  labels:
    app: strimzi
    chart: strimzi-kafka-operator-0.34.0
    component: logging-config-map
    release: release-name
    heritage: Helm
data:
  log4j2.properties: |
    name = COConfig
--
    # This information is used to generate a Rack ID (client.rack option) that is used for consuming from the closest
    # replicas when enabled
  - nodes
  verbs:
  - get
---
# Source: strimzi-kafka-operator/charts/strimzi-kafka-operator/templates/021-ClusterRoleBinding-strimzi-cluster-operator.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: strimzi-cluster-operator
  labels:
    app: strimzi
    chart: strimzi-kafka-operator-0.34.0
    component: role-binding
    release: release-name
    heritage: Helm
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
    namespace: default
--
    namespace: default
roleRef:
  kind: ClusterRole
  name: strimzi-kafka-client
  apiGroup: rbac.authorization.k8s.io
---
# Source: strimzi-kafka-operator/charts/strimzi-kafka-operator/templates/020-RoleBinding-strimzi-cluster-operator.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-operator
  namespace: default
  labels:
    app: strimzi
    chart: strimzi-kafka-operator-0.34.0
    component: role-binding
    release: release-name
    heritage: Helm
subjects:
  - kind: ServiceAccount
    name: strimzi-cluster-operator
--
    namespace: default
roleRef:
  kind: ClusterRole
  name: strimzi-entity-operator
  apiGroup: rbac.authorization.k8s.io
---
# Source: strimzi-kafka-operator/charts/strimzi-kafka-operator/templates/060-Deployment-strimzi-cluster-operator.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: strimzi-cluster-operator
  namespace: default
  labels:
    app: strimzi
    chart: strimzi-kafka-operator-0.34.0
    component: deployment
    release: release-name
    heritage: Helm
spec:
  replicas: 1
  selector:

Expected behavior

RepeatedResourceWarning should not appear.

Screenshots

Screenshot 2023-05-01 at 9 50 24 PM

Version

$ argocd version --core
argocd: v2.6.7+5bcd846
  BuildDate: 2023-03-23T15:24:49Z
  GitCommit: 5bcd846fa16e4b19d8f477de7da50ec0aef320e5
  GitTreeState: clean
  GoVersion: go1.18.10
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.6.7+5bcd846
  BuildDate: 2023-03-23T15:24:49Z
  GitCommit: 5bcd846fa16e4b19d8f477de7da50ec0aef320e5
  GitTreeState: clean
  GoVersion: go1.18.10
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: could not get kustomize version: exec: "kustomize": executable file not found in $PATH
  Helm Version: v3.11.3+g3232493
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.19.1

Logs

CONDITION                MESSAGE                                                                                                                                                   LAST TRANSITION
RepeatedResourceWarning  Resource rbac.authorization.k8s.io/RoleBinding/elastic/strimzi-cluster-operator appeared 2 times among application resources.                             2023-05-01 15:21:10 +0000 UTC
RepeatedResourceWarning  Resource rbac.authorization.k8s.io/RoleBinding/elastic/strimzi-cluster-operator-entity-operator-delegation appeared 2 times among application resources.  2023-05-01 23:56:29 +0000 UTC
RepeatedResourceWarning  Resource rbac.authorization.k8s.io/RoleBinding/elastic/strimzi-cluster-operator-watched appeared 2 times among application resources.                     2023-05-01 23:56:29 +0000 UTC

jwitko commented 1 year ago

Having this same issue at the moment

AbstractVersion commented 10 months ago

same as well, argocd v2.9.2+c5ea5c4 & 0.38.0

kubectl get RoleBinding --all-namespaces | grep "strimzi-cluster-operator"
kafka           strimzi-cluster-operator                              ClusterRole/strimzi-cluster-operator-namespaced           16d
kafka           strimzi-cluster-operator-entity-operator-delegation   ClusterRole/strimzi-entity-operator                       16d
kafka           strimzi-cluster-operator-leader-election              ClusterRole/strimzi-cluster-operator-leader-election      16d
kafka           strimzi-cluster-operator-watched                      ClusterRole/strimzi-cluster-operator-watched              16d

I have a filling that this issue occurs when someone deletes the application from one namespace to another, not sure yet though didn't have time to reproduce it.

Another key factor might be that I installed the strimzi-operator through helm along side its CRD's. Finally I have more than one applications (eg. percona-postgres, cert-manager etc.) with CRD's installed through helm and managed by argocd. that have the same behaviour once deleted and re-created.

argoproj / argo-cd

Erroneous RepeatedResourceWarning for Strimzi RoleBindings #13407