argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

User system:serviceaccount:argocd:argocd-redis cannot create resource secrets #21000

Open DjarallahBrahim opened 5 days ago

DjarallahBrahim commented 5 days ago


Describe the bug

I deployed a GKE cluster with Terraform and installed the Argo CD stable version; my pods are KO:

argocd-application-controller: secret "argocd-redis" not found: CreateContainerConfigError

argocd-redis:

kubectl logs -n argocd pod/argocd-redis-6cbf9bf4c5-kl49q -c secret-init
Checking for initial Redis password in secret argocd/argocd-redis at key auth.
time="2024-11-29T12:23:15Z" level=fatal msg="secrets is forbidden: User \"system:serviceaccount:argocd:argocd-redis\" cannot create resource \"secrets\" in API group \"\" in the namespace \"argocd\""

To Reproduce

Create a simple GKE cluster with an admin cluster role and deploy Argo CD with Terraform:

# Fetch the stable install manifest (the http provider exposes it as response_body)
data "http" "argocd_manifest" {
  url = "https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml"
}

# Split the multi-document YAML into individual documents. This data source was
# not shown in the original post; it is assumed here so that the count below resolves.
data "kubectl_file_documents" "argocd" {
  content = data.http.argocd_manifest.response_body
}

# Apply each document of the manifest to the Kubernetes cluster
resource "kubectl_manifest" "argocd" {
  depends_on = [
    kubectl_manifest.namespace,
  ]
  count              = length(data.kubectl_file_documents.argocd.documents)
  yaml_body          = element(data.kubectl_file_documents.argocd.documents, count.index)
  override_namespace = "argocd"
}

Expected behavior

All the pods of argoCD are UP


Version

stable

Logs

kubectl logs -n argocd pod/argocd-redis-6cbf9bf4c5-kl49q -c secret-init
Checking for initial Redis password in secret argocd/argocd-redis at key auth.
time="2024-11-29T12:23:15Z" level=fatal msg="secrets is forbidden: User \"system:serviceaccount:argocd:argocd-redis\" cannot create resource \"secrets\" in API group \"\" in the namespace \"argocd\""

DjarallahBrahim commented 5 days ago

I solved this after I found another issue ticket, #18356.

Now I'm having the same problem with argocd-server:

E1129 16:07:22.391166 7 reflector.go:140] pkg/mod/k8s.io/client-go@v0.26.11/tools/cache/reflector.go:169: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:argocd:argocd-server" cannot list resource "secrets" in API group "" in the namespace "argocd"
W1129 16:07:32.309506 7 reflector.go:424] pkg/mod/k8s.io/client-go@v0.26.11/tools/cache/reflector.go:169: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:argocd:argocd-server" cannot list resource "configmaps" in API group "" in the namespace "argocd"
E1129 16:07:32.309849 7 reflector.go:140] pkg/mod/k8s.io/client-go@v0.26.11/tools/cache/reflector.go:169: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:argocd:argocd-server" cannot list resource "configmaps" in API group "" in the namespace "argocd"

I tried to add the same egress rule for argocd-repo-server-network-policy, but it did not work!

andrii-korotkov-verkada commented 5 days ago

What's your ArgoCD version?

andrii-korotkov-verkada commented 5 days ago

When upgrading, did you upgrade manifests as well?

DjarallahBrahim commented 4 days ago

@andrii-korotkov-verkada

I'm using the stable version: https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml

argocd version

argocd: v2.11.0+d3f33c0
  BuildDate: 2024-05-07T16:01:41Z
  GitCommit: d3f33c00197e7f1d16f2a73ce1aeced464b07175
  GitTreeState: clean
  GoVersion: go1.21.9
  Compiler: gc
  Platform: linux/amd64

Logs from argocd-server:

idden: User "system:serviceaccount:argocd:argocd-server" cannot list resource "configmaps" in API group "" in the namespace "argocd"
W1130 16:55:45.041973 6 reflector.go:424] pkg/mod/k8s.io/client-go@v0.26.11/tools/cache/reflector.go:169: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:argocd:argocd-server" cannot list resource "secrets" in API group "" in the namespace "argocd"
E1130 16:55:45.042013 6 reflector.go:140] pkg/mod/k8s.io/client-go@v0.26.11/tools/cache/reflector.go:169: Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:argocd:argocd-server" cannot list resource "secrets" in API group "" in the namespace "argocd"

Permissions of my Terraform user account:

Thank you.

andrii-korotkov-verkada commented 3 days ago

You have to check the roles and cluster roles for argocd-server that come with the install manifests. Maybe the Terraform install is missing those permissions. Let me know what you find out.
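The check the maintainer asks for can be made systematic: every error quoted in this thread is a standard Kubernetes RBAC denial of the form `User "<subject>" cannot <verb> resource "<resource>" in API group "<group>" in the namespace "<ns>"`, and each one maps directly onto a `kubectl auth can-i` query that can be re-run after the roles are fixed. The script below is an added example, not code from the issue or from the Argo CD project. It parses denials out of pod log text and emits the matching `kubectl auth can-i ... --as=<service account>` commands; the log lines embedded in it are constructed from the messages posted above (both the `\"`-escaped logrus form from the redis init container and the plain client-go reflector form from argocd-server). It only handles namespaced denials, since those are the ones in this thread.

```shell
#!/bin/sh
# Added example (not part of the issue or the Argo CD project): extract RBAC
# denials from Argo CD pod logs and turn each into a `kubectl auth can-i` check.

# Constructed sample log lines, modelled on the messages quoted in the issue.
SAMPLE_LOGS='time="2024-11-29T12:23:15Z" level=fatal msg="secrets is forbidden: User \"system:serviceaccount:argocd:argocd-redis\" cannot create resource \"secrets\" in API group \"\" in the namespace \"argocd\""
E1129 16:07:22.391166 7 reflector.go:140] Failed to watch *v1.Secret: failed to list *v1.Secret: secrets is forbidden: User "system:serviceaccount:argocd:argocd-server" cannot list resource "secrets" in API group "" in the namespace "argocd"
W1129 16:07:32.309506 7 reflector.go:424] failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:argocd:argocd-server" cannot list resource "configmaps" in API group "" in the namespace "argocd"
E1129 16:07:32.309849 7 reflector.go:140] Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:argocd:argocd-server" cannot list resource "configmaps" in API group "" in the namespace "argocd"'

# Read log text on stdin; print one "user|verb|resource|apigroup|namespace"
# line per distinct namespaced denial. The first sed unescapes the \" that
# logrus emits inside msg="..." so both log formats match the same pattern.
rbac_denials() {
  sed 's/\\"/"/g' |
  sed -n 's/.*User "\([^"]*\)" cannot \([a-z]*\) resource "\([^"]*\)" in API group "\([^"]*\)" in the namespace "\([^"]*\)".*/\1|\2|\3|\4|\5/p' |
  sort -u
}

# Turn one denial line into the equivalent kubectl auth can-i command.
# An empty API group is the core group, which can-i takes as the bare
# resource name; other groups are written as resource.group.
can_i_cmd() {
  IFS='|' read -r user verb resource group ns <<EOF
$1
EOF
  if [ -n "$group" ]; then
    resource="$resource.$group"
  fi
  printf 'kubectl auth can-i %s %s -n %s --as=%s\n' "$verb" "$resource" "$ns" "$user"
}

# Generate the checks from the sample. Against a real cluster, feed it the
# pod logs instead, e.g.:
#   kubectl logs -n argocd deploy/argocd-server | rbac_denials
printf '%s\n' "$SAMPLE_LOGS" | rbac_denials | while IFS= read -r line; do
  can_i_cmd "$line"
done
```

Run the emitted commands against the cluster: a `no` for `system:serviceaccount:argocd:argocd-redis` on `create secrets`, or for `argocd-server` on `list secrets`/`list configmaps`, confirms the Role or RoleBinding from `install.yaml` never reached the namespace, which `kubectl get role,rolebinding -n argocd` will show. Two caveats: `--as` impersonates the service account, so the identity running kubectl needs the `impersonate` verb on `serviceaccounts` (cluster-admin has it); and a `yes` only proves the RBAC grant exists, so if the pod still fails, compare the `serviceAccountName` in the pod spec with the subject named in the RoleBinding.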