Closed j-be closed 1 month ago
Is there any insight as to when this will be remediated? I'm affected by this and unable to revert to an older version due to other issues.
I ran into this problem with the WebUI when installing from core-install.yaml and logging in using argo login --core. I'm only piling on because it doesn't seem to be limited to just the WebUI. See #18464 as already mentioned and some other commands as well:
❯ argocd app diff myapp
ERRO[0000] finished unary call with code Unknown error="error getting cached app managed resources: NOAUTH Authentication required." grpc.code=Unknown grpc.method=ManagedResources grpc.service=application.ApplicationService grpc.start_time="2024-07-04T08:54:24-07:00" grpc.time_ms=97.836 span.kind=server system=grpc
FATA[0000] rpc error: code = Unknown desc = error getting cached app managed resources: NOAUTH Authentication required.
This looks to be https://github.com/argoproj/argo-cd/issues/3130.
I updated from 2.10.0 to 2.10.13 to fix another issue and ran into this.
IMO, this shouldn't have been applied on a patch release to 2.10. It substantially changes the underlying configuration, adds tooling, etc. I would strongly advocate for a rollback on 2.10 at least. The underlying security issue existed for years and it didn't need to be rushed into a patch release on a stable branch.
As to a fix for 2.11 and forward - the cli doesn't seem to have a way to set a redis password at runtime and should likely read it from a default location under normal circumstances.
There is a workaround documented here if you both need latest release and core. I suspect this can also be done with the built-in redis via Kustomize if you're managing argo with argo but I have not had time to try yet.
The following Kustomize patch appears to do the trick. Tested with 2.11.4 but should also work with 2.10.x.
Unfortunately the changes to the redis container are brittle. If the args list changes, the patch needs to be updated. I attempted to use deleteFromPrimitiveList but it appears to be buggy when the key to delete doesn't currently exist and will re-add it, which results in constant sync churn of adding/removing the redis password flag. It is very possible there's a cleaner way to do this.
Include as an explicit SMP:
patchesStrategicMerge:
- overlays/redis-nopassword.yaml
Describe the bug
Note: This report explicitly only targets ArgoCD Core as described at https://argo-cd.readthedocs.io/en/stable/operator-manual/core/. I do not know if and/or under which circumstances a full deploy is affected too.
When upgrading to any 2.10 release after 2.10.9 or any 2.11 release, the local WebUI (argocd admin dashboard -n "${NAMESPACE}") is unable to fetch child resources and breaks when trying to show resources (as in "click on them to see the overlay with all the details") with NOAUTH Authentication required.
I tried to reset Redis credentials as described here - had no effect.
To Reproduce
argocd admin dashboard -n "${NAMESPACE}"
Expected behavior
Screenshots
When clicking on any resource that is not kind: Application:
The WebUI does not show child resources. As an example, the kind: Deployment looks like:
Version
2.10.10, 2.10.11, 2.11.0, 2.11.1, 2.11.2 - all affected