Manifest Generation error

[rahul-captionh]

Checklist:

• [ ] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• [ ] I've included steps to reproduce the bug.
• [ ] I've pasted the output of argocd version.

Describe the bug

To Reproduce

Expected behavior

Screenshots

Version

Paste the output from `argocd version` here.

Logs

Paste any relevant application logs here.

[crenshaw-dev]

@rahul-captionh can you add details?

[rahul-captionh]

Sync PHASE Error MESSAGE ComparisonError: rpc error: code = PermissionDenied desc = helm repos https://charts.bitnami.com/bitnami are not permitted in project ''

[rahul-captionh]

Everything was working fine, this morning we started to get above error, and when I try to render manifest using ARGOCD , it failed and asked me to create a bug with stack trace.

We use helm template to create application set and argo deploys the application in a project

[rahul-captionh]

This is another error rpc error: code = Unknown desc = Manifest generation error (cached): rpc error: code = PermissionDenied desc = helm repos https://marketplace.azurecr.io/helm/v1/repo are not permitted in project ''

[crenshaw-dev]

What version are you running?

[rahul-captionh]

v2.8.0+50b2f03.dirty

On May 30, 2023, at 2:24 PM, Michael Crenshaw @.***> wrote:

What version are you running?

— Reply to this email directly, view it on GitHubhttps://github.com/argoproj/argo-cd/issues/13833#issuecomment-1568878806, or unsubscribehttps://github.com/notifications/unsubscribe-auth/A4VBKR6OJWXH4DIGZBA7QFLXIY3NNANCNFSM6AAAAAAYUGDBSA. You are receiving this because you were mentioned.Message ID: @.***>

CONFIDENTIALITY NOTICE: The information in this message, and any attachment, is intended for the sole use of the individual and entity to whom it is addressed. This information may be privileged, confidential, and protected from disclosure. If you are not the intended recipient you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it, or its contents, is strictly prohibited. If you think that you have received this message in error please notify the sender and destroy all copies of this communication and any attachments. Thank you.

[crenshaw-dev]

It's because of this: https://github.com/argoproj/argo-cd/pull/12255

If you're running the master branch in a production environment, definitely switch over to a stable version. :-)

@blakepettersson, is it possible that your change introduced validation that didn't previously exist?

[blakepettersson]

@crenshaw-dev it looks like from wherever GenerateManifest is being called from, the app project is not being populated in the GenerateManifest call. If I have to take a guess, these applications belong to the default project, but for whatever reason that's not being properly substituted when calling GenerateManifest...

@rahul-captionh can you explain in detail what you mean with "We use helm template to create application set and argo deploys the application in a project"? At which stage does this fail? And to which AppProject does these applications belong to? Logs / stacktraces would be super helpful here.

[rahul-captionh]

Guys,

This was working and is still working half the time. I am putting the pod logs from argo server here and this is what repeating every second

ime="2023-05-31T06:07:28Z" level=error msg="finished unary call with code Unknown" error="Manifest generation error (cached): rpc error: code = PermissionDenied desc = helm repos https://charts.bitnami.com/bitnami are not permitted in project ''" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=repository.RepoServerService grpc.start_time="2023-05-31T06:07:28Z" grpc.time_ms=260.903 span.kind=server system=grpc time="2023-05-31T06:07:28Z" level=info msg="manifest error cache hit: &ApplicationSource{RepoURL:git@github.com:baylabs/ops-saas.git,Path:cluster/caption-services,TargetRevision:HEAD,Helm:&ApplicationSourceHelm{ValueFiles:[common/values-services-finalizer.yaml common/values-common.yaml variants/non-prod/values-non-prod.yaml envs/uat-eastus/values-settings.yaml envs/uat-eastus/values-settings-finalizer.yaml envs/uat-eastus/values-version.yaml],Parameters:[]HelmParameter{},ReleaseName:,Values:,FileParameters:[]HelmFileParameter{},Version:,PassCredentials:false,IgnoreMissingValueFiles:false,SkipCrds:false,},Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}/22d559705632f91aad9c84bc57d4b710e136e42d" time="2023-05-31T06:07:28Z" level=error msg="finished unary call with code Unknown" error="Manifest generation error (cached): rpc error: code = PermissionDenied desc = helm repos https://charts.bitnami.com/bitnami are not permitted in project ''" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=repository.RepoServerService grpc.start_time="2023-05-31T06:07:28Z" grpc.time_ms=266.075 span.kind=server system=grpc time="2023-05-31T06:07:28Z" level=error msg="finished unary call with code Unknown" error="Manifest generation error (cached): rpc error: code = PermissionDenied desc = helm repos https://charts.bitnami.com/bitnami are not permitted in project ''" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=repository.RepoServerService grpc.start_time="2023-05-31T06:07:28Z" grpc.time_ms=268.417 span.kind=server system=grpc time="2023-05-31T06:07:28Z" level=info msg="manifest error cache hit: &ApplicationSource{RepoURL:git@github.com:baylabs/ops-saas.git,Path:cluster/caption-services,TargetRevision:HEAD,Helm:&ApplicationSourceHelm{ValueFiles:[common/values-services-integration-webpub.yaml common/values-common.yaml variants/non-prod/values-non-prod.yaml envs/dev-eastus/values-settings.yaml envs/dev-eastus/values-settings-integration-webpub.yaml envs/dev-eastus/values-version.yaml],Parameters:[]HelmParameter{},ReleaseName:,Values:,FileParameters:[]HelmFileParameter{},Version:,PassCredentials:false,IgnoreMissingValueFiles:false,SkipCrds:false,},Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}/22d559705632f91aad9c84bc57d4b710e136e42d" time="2023-05-31T06:07:28Z" level=error msg="finished unary call with code Unknown" error="Manifest generation error (cached): rpc error: code = PermissionDenied desc = helm repos https://charts.bitnami.com/bitnami are not permitted in project ''" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=repository.RepoServerService grpc.start_time="2023-05-31T06:07:28Z" grpc.time_ms=9.064 span.kind=server system=grpc time="2023-05-31T06:07:28Z" level=info msg="manifest error cache hit: &ApplicationSource{RepoURL:git@github.com:baylabs/ops-saas.git,Path:cluster/rabbitmq,TargetRevision:HEAD,Helm:&ApplicationSourceHelm{ValueFiles:[common/values-common.yaml variants/non-prod/values-non-prod.yaml envs/uat-eastus/values-settings.yaml envs/uat-eastus/values-replicas.yaml],Parameters:[]HelmParameter{},ReleaseName:,Values:,FileParameters:[]HelmFileParameter{},Version:,PassCredentials:false,IgnoreMissingValueFiles:false,SkipCrds:false,},Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}/22d559705632f91aad9c84bc57d4b710e136e42d" time="2023-05-31T06:07:28Z" level=error msg="finished unary call with code Unknown" error="Manifest generation error (cached): rpc error: code = PermissionDenied desc = helm repos https://marketplace.azurecr.io/helm/v1/repo are not permitted in project ''" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=repository.RepoServerService grpc.start_time="2023-05-31T06:07:28Z" grpc.time_ms=8.777 span.kind=server system=grpc time="2023-05-31T06:07:28Z" level=info msg="manifest error cache miss: &ApplicationSource{RepoURL:git@github.com:baylabs/ops-saas.git,Path:cluster/caption-services,TargetRevision:HEAD,Helm:&ApplicationSourceHelm{ValueFiles:[common/values-services-curator.yaml common/values-common.yaml variants/non-prod/values-non-prod.yaml envs/dev-eastus/values-settings.yaml envs/dev-eastus/values-settings-curator.yaml envs/dev-eastus/values-version.yaml],Parameters:[]HelmParameter{},ReleaseName:,Values:,FileParameters:[]HelmFileParameter{},Version:,PassCredentials:false,IgnoreMissingValueFiles:false,SkipCrds:false,},Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}/22d559705632f91aad9c84bc57d4b710e136e42d" time="2023-05-31T06:07:28Z" level=info msg="manifest error cache hit: &ApplicationSource{RepoURL:git@github.com:baylabs/ops-saas.git,Path:cluster/caption-services,TargetRevision:HEAD,Helm:&ApplicationSourceHelm{ValueFiles:[common/values-services-adminux-api.yaml common/values-common.yaml variants/non-prod/values-non-prod.yaml envs/uat-eastus/values-settings.yaml envs/uat-eastus/values-settings-adminux-api.yaml envs/uat-eastus/values-version.yaml],Parameters:[]HelmParameter{},ReleaseName:,Values:,FileParameters:[]HelmFileParameter{},Version:,PassCredentials:false,IgnoreMissingValueFiles:false,SkipCrds:false,},Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}/22d559705632f91aad9c84bc57d4b710e136e42d" time="2023-05-31T06:07:28Z" level=error msg="finished unary call with code Unknown" error="Manifest generation error (cached): rpc error: code = PermissionDenied desc = helm repos https://charts.bitnami.com/bitnami are not permitted in project ''" grpc.code=Unknown grpc.method=GenerateManifest grpc.service=repository.RepoServerService grpc.start_time="2023-05-31T06:07:28Z" grpc.time_ms=12.223 span.kind=server system=grpc time="2023-05-31T06:07:28Z" level=info msg="manifest error cache miss: &ApplicationSource{RepoURL:git@github.com:baylabs/ops-saas.git,Path:cluster/caption-services,TargetRevision:HEAD,Helm:&ApplicationSourceHelm{ValueFiles:[common/values-services-integration-api.yaml common/values-common.yaml variants/non-prod/values-non-prod.yaml envs/uat-eastus/values-settings.yaml envs/uat-eastus/values-settings-integration-api.yaml envs/uat-eastus/values-version.yaml],Parameters:[]HelmParameter{},ReleaseName:,Values:,FileParameters:[]HelmFileParameter{},Version:,PassCredentials:false,IgnoreMissingValueFiles:false,SkipCrds:false,},Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}/22d559705632f91aad9c84bc57d4b710e136e42d" time="2023-05-31T06:07:28Z" level=info msg="manifest cache hit: &ApplicationSource{RepoURL:git@github.com:baylabs/ops-saas.git,Path:cluster/mowoli,TargetRevision:HEAD,Helm:&ApplicationSourceHelm{ValueFiles:[common/values-common.yaml variants/non-prod/values-non-prod.yaml envs/sqa-eastus/values-settings.yaml envs/sqa-eastus/values-version.yaml],Parameters:[]HelmParameter{},ReleaseName:,Values:,FileParameters:[]HelmFileParameter{},Version:,PassCredentials:false,IgnoreMissingValueFiles:false,SkipCrds:false,},Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}/22d559705632f91aad9c84bc57d4b710e136e42d" time="2023-05-31T06:07:28Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=GenerateManifest grpc.service=repository.RepoServerService grpc.start_time="2023-05-31T06:07:28Z" grpc.time_ms=7.226 span.kind=server system=grpc time="2023-05-31T06:07:28Z" level=info msg="manifest error cache miss: &ApplicationSource{RepoURL:git@github.com:baylabs/ops-saas.git,Path:cluster/caption-services,TargetRevision:HEAD,Helm:&ApplicationSourceHelm{ValueFiles:[common/values-services-ingestion-api.yaml common/values-common.yaml variants/non-prod/values-non-prod.yaml envs/uat-eastus/values-settings.yaml envs/uat-eastus/values-settings-ingestion-api.yaml envs/uat-eastus/values-version.yaml],Parameters:[]HelmParameter{},ReleaseName:,Values:,FileParameters:[]HelmFileParameter{},Version:,PassCredentials:false,IgnoreMissingValueFiles:false,SkipCrds:false,},Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}/22d559705632f91aad9c84bc57d4b710e136e42d" time="2023-05-31T06:07:28Z" level=info msg="manifest error cache hit: &ApplicationSource{RepoURL:git@github.com:-------------HEAD,Helm:&ApplicationSourceHelm{ValueFiles:[variants/non-prod/values-non-prod.yaml envs/dev-eastus/values-settings.yaml],Parameters:[]HelmParameter{},ReleaseName:,Values:,FileParameters:[]HelmFileParameter{},Version:,PassCredentials:false,IgnoreMissingValueFiles:false,SkipCrds:false,},Kustomize:nil,Directory:nil,Plugin:nil,Chart:,Ref:,}/22d559705632f91aad9c84bc57d4b710e136e42d" time="2023-05-31T06:07:28Z" level=info msg="manifest error cache hit and reset: &

[rahul-captionh]

This is log for argued applications controller

time="2023-05-31T07:19:29Z" level=info msg="Update successful" application=argocd/affiliate-api-dev time="2023-05-31T07:19:29Z" level=info msg="Reconciliation completed" application=argocd/affiliate-api-dev dedup_ms=0 dest-name= dest-namespace=caption-services-dev dest-server="https://kubernetes.default.svc" diff_ms=28 fields.level=2 git_ms=97 health_ms=0 live_ms=1 settings_ms=0 sync_ms=0 time_ms=1101 time="2023-05-31T07:19:29Z" level=info msg="Refreshing app status (comparison expired, requesting refresh. reconciledAt: 2023-05-31 07:16:28 +0000 UTC, expiry: 3m0s), level (2)" application=argocd/rabbitmq-uat time="2023-05-31T07:19:29Z" level=info msg="Comparing app state (cluster: https://kubernetes.default.svc, namespace: rabbitmq-uat)" application=argocd/rabbitmq-uat time="2023-05-31T07:19:29Z" level=info msg="Update successful" application=argocd/rabbitmq-sqa time="2023-05-31T07:19:29Z" level=info msg="Reconciliation completed" application=argocd/rabbitmq-sqa dedup_ms=0 dest-name= dest-namespace=rabbitmq-sqa dest-server="https://kubernetes.default.svc" diff_ms=5 fields.level=2 git_ms=262 health_ms=0 live_ms=0 settings_ms=0 sync_ms=0 time_ms=1111 time="2023-05-31T07:19:29Z" level=info msg="Refreshing app status (comparison expired, requesting refresh. reconciledAt: 2023-05-31 07:16:28 +0000 UTC, expiry: 3m0s), level (2)" application=argocd/patientux-api-sqa time="2023-05-31T07:19:29Z" level=info msg="Comparing app state (cluster: https://kubernetes.default.svc, namespace: caption-services-sqa)" application=argocd/patientux-api-sqa time="2023-05-31T07:19:29Z" level=info msg="Update successful" application=argocd/endpoint-dimse-sqa time="2023-05-31T07:19:29Z" level=info msg="Reconciliation completed" application=argocd/endpoint-dimse-sqa dedup_ms=0 dest-name= dest-namespace=caption-services-sqa dest-server="https://kubernetes.default.svc" diff_ms=11 fields.level=2 git_ms=16 health_ms=0 live_ms=0 settings_ms=0 sync_ms=0 time_ms=928 time="2023-05-31T07:19:29Z" level=info msg="Refreshing app status (comparison expired, requesting refresh. reconciledAt: 2023-05-31 07:16:29 +0000 UTC, expiry: 3m0s), level (2)" application=argocd/root time="2023-05-31T07:19:29Z" level=info msg="Comparing app state (cluster: https://kubernetes.default.svc, namespace: argocd)" application=argocd/root time="2023-05-31T07:19:29Z" level=info msg="Update successful" application=argocd/ingestion-api-uat time="2023-05-31T07:19:29Z" level=info msg="Reconciliation completed" application=argocd/ingestion-api-uat dedup_ms=0 dest-name= dest-namespace=caption-services-uat dest-server="https://kubernetes.default.svc" diff_ms=4 fields.level=2 git_ms=389 health_ms=0 live_ms=0 settings_ms=0 sync_ms=0 time_ms=1242 time="2023-05-31T07:19:29Z" level=info msg="Refreshing app status (comparison expired, requesting refresh. reconciledAt: 2023-05-31 07:16:28 +0000 UTC, expiry: 3m0s), level (2)" application=argocd/integration-api-dev time="2023-05-31T07:19:29Z" level=info msg="Comparing app state (cluster: https://kubernetes.default.svc, namespace: caption-services-dev)" application=argocd/integration-api-dev time="2023-05-31T07:19:29Z" level=info msg="getRepoObjs stats" application=argocd/application-api-sqa build_options_ms=0 helm_ms=0 plugins_ms=0 repo_ms=0 time_ms=21 unmarshal_ms=20 version_ms=0

[rahul-captionh]

this is manifest for creating argocd project

apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: dev spec: clusterResourceWhitelist:

• group: "" kind: "" description: Dev Environment destinations:
• name: "" namespace: "-dev" server: "*" sourceRepos:
• "*" status: {}

[rahul-captionh]

this is manifest for applicationset

---

apiVersion: argoproj.io/v1alpha1 kind: ApplicationSet metadata: name: caption-services-dev spec: generators:

• matrix: generators:

  • list: elements:
    • env: dev

  • list: elements:

    • service: adminux-api

    • service: affiliate-api

    • service: application-api

    • service: audit

    • service: callerux-api

    • service: clinical-api

    • service: curator

    • service: endpoint-dimse

    • service: eng-support

    • service: scannerux-api

    • service: userexp-api template: metadata: name: "{{service}}-{{env}}" spec: project: "{{env}}" source: repoURL: git@github.com:xxxxxxxx/ops-saas.git targetRevision: HEAD path: cluster/xxxxx-services helm: valueFiles:

      • common/values-services-{{service}}.yaml
      • common/values-common.yaml
      • variants/non-prod/values-non-prod.yaml
      • "envs/{{env}}-eastus/values-settings.yaml"
      • "envs/{{env}}-eastus/values-settings-{{service}}.yaml"
      • "envs/{{env}}-eastus/values-version.yaml" destination: namespace: "caption-services-{{env}}" server: https://kubernetes.default.svc syncPolicy: automated: prune: true selfHeal: true syncOptions:
  • CreateNamespace=true

[blakepettersson]

So you have an ApplicationSet looking like this, where the project name is templated out with {{env}}, as well as having values paths prefixed with envs/{{ env }}-eastus/

apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: caption-services-dev
spec:
  generators:
    - matrix:
      generators:
        - list:
          elements:
            - env: dev
        - list:
          elements:
            - service: adminux-api
            - service: affiliate-api
            - service: application-api
            - service: audit
            - service: callerux-api
            - service: clinical-api
            - service: curator
            - service: endpoint-dimse
            - service: eng-support
            - service: scannerux-api
            - service: userexp-api
  template:
    metadata:
      name: "{{service}}-{{env}}"
    spec:
      project: "{{env}}"
      source:
        repoURL: [git@github.com](mailto:git@github.com):xxxxxxxx/ops-saas.git
        targetRevision: HEAD
        path: cluster/xxxxx-services
      helm:
        valueFiles:
          - common/values-services-{{service}}.yaml
          - common/values-common.yaml
          - variants/non-prod/values-non-prod.yaml
          - "envs/{{env}}-eastus/values-settings.yaml"
          - "envs/{{env}}-eastus/values-settings-{{service}}.yaml"
          - "envs/{{env}}-eastus/values-version.yaml"
      destination:
        namespace: "caption-services-{{env}}"
        server: https://kubernetes.default.svc/
      syncPolicy:
        automated:
        prune: true
        selfHeal: true
        syncOptions:
          - CreateNamespace=true

And you have a single app project

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: dev
spec:
clusterResourceWhitelist:
  - group: ""
description: Dev Environment
destinations:
  - name: ""
namespace: "-dev"
server: ""
sourceRepos:
  - ""

Where it's failing I see envs/uat-eastus/ as a path, and I'm guessing there is a project entry with the same name. Does a project with the name uat exist? Also for the dev AppProject you have an empty sourceRepos entry, which wouldn't match anything. This should be able to be remedied by setting "*" (match anything)

I guess there has been some inadvertent validation introduced with #12255 for generating a manifest, namely that: 1) The project should exist (if none is specified it will be the default project) 2) The sourceRepos list should have at least one entry that matches a given Helm repo ("*" is fine, but can be made more specific)

[rahul-captionh]

but this works intermittently, I think uat-esatus project exists , ok can you help me straighten this out, is holding up all deployments

[rahul-captionh]

---

apiVersion: argoproj.io/v1alpha1 kind: AppProject metadata: name: dev spec: clusterResourceWhitelist:

• group: "" kind: "" description: Dev Environment destinations:
• name: "" namespace: "-dev" server: "*" sourceRepos:
• "*" status: {}

[rahul-captionh]

this is my actual configuration

[rahul-captionh]

guys , this was deployed as part of crd, how do I roll back the argocd version

[rahul-captionh]

It's because of this: #12255

If you're running the master branch in a production environment, definitely switch over to a stable version. :-)

@blakepettersson, is it possible that your change introduced validation that didn't previously exist?

We had deployed this using crd, I think version got upgraded and we really have not changed in constraints on validation

[rahul-captionh]

We are getting lot of sync errors

[rahul-captionh]

actually , when copying to GitHub, it looses the * in sourcerepolist and it just puts ""

[rahul-captionh]

I am adding screenshot

[rahul-captionh]

[rahul-captionh]

this is what is happening

[blakepettersson]

@rahul-captionh that is indeed helpful, for the audit-sqa app can you post a screenshot of the App Details? I'm specifically interested in which project it belongs to. As well, can you post screenshots of the other AppProjects (sqa, uat)?

[rahul-captionh]

I will post , all the apps are getting built using helm chart , which posted earlier , also this happens at random , regardless of project or app , it becomes ok , when synced three to four times manually

[rahul-captionh]

How do I downgrade argo without loosing my configuration and apps

[rahul-captionh]

I have configured source repos as * but still this issue affects across the projects randomly

applicationcontroller log has following log

[blakepettersson]

it becomes ok , when synced three to four times manually

@rahul-captionh that could indicate that the application controller pods and/or the repo server pods are not all on the same version.

If you list the application controller and the repo server pods, that can help indicate if that's the case

kubectl get pod -n argocd

kubectl describe pod -n argocd argocd-application-controller
kubectl describe pod -n argocd argocd-repo-server

In any case, I tried to reproduce this locally from master but have been so far unable to:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: foobar
  namespace: argocd
spec:
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  destinations:
    - namespace: '*'
      server: '*'
  sourceRepos:
    - '*'
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: argocd
spec:
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: guestbook
  project: foobar
  source:
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    path: helm-dependency

[Nctllnty]

I also encountered the same problem

[blakepettersson]

@Nctllnty do you have any more info (e.g logs, stacktraces, see above)?

[rahul-captionh]

I agree with black about versions mismatch, what we found is all the pods were showing image as argocd:latest, but seemed that argocd-server was at 2.8 and other may be different, I statically assigned 2.6.8 on all the deployments and statefulstates and everything works fine.

[blakepettersson]

What I think could be a legitimate issue is if an AppProject has a set of sourceRepos which are more restrictive than *, and it also has Helm public dependencies (repos with credentials would not work with 2.7x due to the fact they get filtered out before ending up on the repo server) . Whereas before something like this would work, thanks to the fact that there is no authentication on charts.helm.sh, I think it's likely that the below example would fail with the current HEAD but not in 2.7x. I need to verify this on my end though.

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: foobar
  namespace: argocd
spec:
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  destinations:
    - namespace: '*'
      server: '*'
  sourceRepos:
    - 'https://github.com/argoproj/**'
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: guestbook
  namespace: argocd
spec:
  syncPolicy:
    automated:
      prune: true
    syncOptions:
      - CreateNamespace=true
      - PrunePropagationPolicy=foreground
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: guestbook
  project: foobar
  source:
    repoURL: https://github.com/argoproj/argocd-example-apps.git
    path: helm-dependency

# Chart.yaml
apiVersion: v2
name: wordpress
type: application
version: 0.1.0
appVersion: "1.0"

dependencies:
- name: wordpress
  version: 9.0.3
  repository: https://charts.helm.sh/stable

[blakepettersson]

Yup, confirmed. What are your thoughts on this @crenshaw-dev?

[crenshaw-dev]

I think we discussed this in a contributors meeting, but @blakepettersson I think we should probably stick with old behavior (all public helm charts are okay) and just document it very clearly. If someone needs more restrictive behavior, they can introduce a new flag somewhere to enable it.

[otherguy]

I'm seeing this as well, after I upgraded from 2.7.6 to 2.8.0-rc1. For me it's not intermittent, the application refuses to apply.

The reason, in my case, seems to be related to subcharts, as noted by @blakepettersson here. I'm applying this chart: https://github.com/robusta-dev/robusta/blob/master/helm/robusta/Chart.yaml which has https://prometheus-community.github.io/helm-charts referenced as a subchart with a condition. The condition evaluates to false in my case (--set enablePrometheusStack=false) and, prior to ArgoCD 2.8.0, the parent chart applied correctly.

Note that it makes no difference whether I'm allowing https://prometheus-community.github.io/helm-charts as a source in the AppProject - the error stays the same!

If the validation does stay as restrictive as it is now, it should take conditions into account -- the subchart in question does not need to be applied at all in my case, and any error related to it is a false positive.

[crenshaw-dev]

Yeah, I think we have to revert to less-restrictive. Evaluating conditions would in itself likely be a non-trivial chore.