argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.85k stars 5.45k forks

ApplicationSet in any namespace RBAC issues. ClusterRoleBinding needed #14903

Open speedfl opened 1 year ago

speedfl commented 1 year ago

Checklist:

Describe the bug

When enabling ApplicationSet in any namespace, the appset controller failed to:

To Reproduce

Set up applicationset in any namespace

Expected behavior

Controller must be able to manage resources:

Solution is a mix of:

rules:
  - verbs:
      - create
      - patch
    apiGroups:
      - ''
    resources:
      - events
  - verbs:
      - get
      - list
      - watch
    apiGroups:
      - ''
    resources:
      - secrets
  - verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - argoproj.io
    resources:
      - applications
      - applicationsets/status
  - verbs:
      - get
      - list
      - patch
      - update
      - watch
    apiGroups:
      - argoproj.io
    resources:
      - applicationsets

Screenshots

N/A

Version

{
    "Version": "v2.8.0-rc7+1ee5010",
    "BuildDate": "2023-08-03T15:13:16Z",
    "GitCommit": "1ee5010d6d55c7a57fd3f3b4f0a8df893d1748bb",
    "GitTreeState": "clean",
    "GoVersion": "go1.20.6",
    "Compiler": "gc",
    "Platform": "linux/amd64",
    "KustomizeVersion": "v5.1.0 2023-06-19T16:58:18Z",
    "HelmVersion": "v3.12.1+gf32a527",
    "KubectlVersion": "v0.24.2",
    "JsonnetVersion": "v0.20.0"
}

Logs

W0804 15:19:07.263533       7 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-applicationset-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
W0804 17:29:50.234513       7 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:argocd:argocd-applicationset-controller" cannot list resource "secrets" in API group "" at the cluster scope
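
The denials in the Logs section can be turned into the missing RBAC rules mechanically. This is an added example (not Argo CD code and not part of the original issue): it parses the API server's "forbidden" messages and reports, per resource, the denied verbs and whether a ClusterRole or a namespaced Role is needed. The function names are illustrative, and adding `watch` for reflector denials assumes the informer behaviour of client-go, where a reflector lists and then watches.

```python
import re
from collections import defaultdict

# The two denial lines from the Logs section of the issue, copied verbatim.
SAMPLE_LOG = '''\
W0804 15:19:07.263533       7 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-applicationset-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
W0804 17:29:50.234513       7 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.2/tools/cache/reflector.go:167: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:argocd:argocd-applicationset-controller" cannot list resource "secrets" in API group "" at the cluster scope
'''

# Message format the Kubernetes API server uses for RBAC denials.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def parse_denials(log_text):
    """Return one dict per RBAC denial found in the log text."""
    denials = []
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            denials.append({**m.groupdict(), "from_reflector": "reflector.go" in line})
    return denials

def missing_rules(denials):
    """Group denials into the rules, and the kind of Role, that would clear them."""
    verbs = defaultdict(set)
    for d in denials:
        key = (d["user"], d["namespace"] or "", d["group"], d["resource"])
        verbs[key].add(d["verb"])
        if d["from_reflector"]:
            # A client-go reflector lists and then watches, so it needs both verbs.
            verbs[key].add("watch")
    rules = []
    for (user, namespace, group, resource), v in sorted(verbs.items()):
        parts = user.split(":")
        is_sa = parts[:2] == ["system", "serviceaccount"] and len(parts) == 4
        rules.append({
            "serviceAccount": (parts[2], parts[3]) if is_sa else None,
            # A denial "at the cluster scope" cannot be fixed by a namespaced Role.
            "kind": "Role" if namespace else "ClusterRole",
            "namespace": namespace or None,
            "apiGroups": [group], "resources": [resource], "verbs": sorted(v),
        })
    return rules

if __name__ == "__main__":
    for rule in missing_rules(parse_denials(SAMPLE_LOG)):
        print(rule)
```
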

crenshaw-dev commented 1 year ago

Maybe drop create/delete for applicationsets? I don't think the appset controller will be doing either of those directly.