argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Openshift authorization.openshift.io resources are not clickable in list view and not visible in tree view and not syncable #4519

Open peterbosalliandercom opened 4 years ago

peterbosalliandercom commented 4 years ago

With argocd version 1.7.7 we experience the following.

The following resources (openshift resources in this case) are not clickable: [image]

and then not visible at all in the tree view: [image]

and by this the syncing is not working.

Update: This wasn't working in 1.6.1 (just tested) and is now still not working in 1.7.7. Another change that we made is using the helm 3 version instead of 2. Further testing: it is also not working for clusterrolebindings. It looks to me that it has to do with Openshift resources in general.

jessesuen commented 4 years ago

Could you share anything from the Chrome developer console when clicking on the resource? Is there an exception?

jessesuen commented 4 years ago

Not sure if you can share, but what would also really help is the /resource-tree API payload response returned, which you can get from the developer console. You will want to redact information from that.

peterbosalliandercom commented 4 years ago

We get this error: {"error":"RoleBinding authorization.openshift.io jenkins-deploy not found as part of application openshift-generic-vs-ocp-dev-nb","code":3}

peterbosalliandercom commented 4 years ago

Looks to me that the group is not supported? Was looking in the source code: https://github.com/argoproj/argo-cd/blob/master/server/application/application.go

found := tree.FindNode(q.Group, q.Kind, q.Namespace, q.ResourceName)
if found == nil {
    return nil, nil, nil, status.Errorf(codes.InvalidArgument, "%s %s %s not found as part of application %s", q.Kind, q.Group, q.ResourceName, *q.Name)
}

peterbosalliandercom commented 4 years ago

The resource-tree does not return authorization.openshift.io as part of the tree, but it does return the rbac.authorization.k8s.io. Is there any reason for that? Don't know if this has to do with Openshift (we are running 4.5.9 now). Could you please explain how this resource-tree is populated? We do not use any rbac rules. We are using these ones:

policy.csv: |
  p, role:org-admin, applications, , /, allow
  p, role:org-admin, clusters, get, , allow
  p, role:org-admin, repositories, get, , allow
  p, role:org-admin, repositories, create, , allow
  p, role:org-admin, repositories, update, , allow
  p, role:org-admin, repositories, delete, , allow

jopit commented 4 years ago

I can investigate this, please assign to me

jopit commented 4 years ago

I've put together a minimal app to reproduce this: https://github.com/jopit/argocd-4519 which has an authorization.openshift.io role and a rolebinding

I created the app in argocd with autosync off, and before it is synchronized, the authorization.openshift.io resources do show in the tree view, but they disappear after synchronizing.

I'm continuing to investigate.

Role and rolebinding

kind: Role
apiVersion: authorization.openshift.io/v1
metadata:
  name: example-role
rules:
- apiGroups: [""]
  attributeRestrictions: null
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
kind: RoleBinding
apiVersion: authorization.openshift.io/v1
metadata:
  name: example-rolebinding
subjects:
- kind: User
  name: example-user
roleRef:
  name: example-role

/resource-tree before sync

{
  "nodes": [
    {
      "group": "apps",
      "version": "v1",
      "kind": "Deployment",
      "namespace": "default",
      "name": "argocd-4519"
    },
    {
      "group": "authorization.openshift.io",
      "version": "v1",
      "kind": "Role",
      "namespace": "default",
      "name": "example-role"
    },
    {
      "group": "authorization.openshift.io",
      "version": "v1",
      "kind": "RoleBinding",
      "namespace": "default",
      "name": "example-rolebinding"
    },
    {
      "version": "v1",
      "kind": "Service",
      "namespace": "default",
      "name": "argocd-4519"
    }
  ]
}

/resource-tree after sync

{
  "nodes": [
    {
      "version": "v1",
      "kind": "Service",
      "namespace": "default",
      "name": "argocd-4519",
      "uid": "5acd59a3-0155-41c9-8161-fefc0b4e3ec3",
      "networkingInfo": {
        "targetLabels": {
          "app": "argocd-4519"
        }
      },
      "resourceVersion": "30211",
      "health": {
        "status": "Healthy"
      },
      "createdAt": "2020-11-06T14:47:37Z"
    },
    {
      "group": "discovery.k8s.io",
      "version": "v1beta1",
      "kind": "EndpointSlice",
      "namespace": "default",
      "name": "argocd-4519-sr546",
      "uid": "460a6068-d827-4a0c-ab0e-815678e6e302",
      "parentRefs": [
        {
          "kind": "Service",
          "namespace": "default",
          "name": "argocd-4519",
          "uid": "5acd59a3-0155-41c9-8161-fefc0b4e3ec3"
        }
      ],
      "resourceVersion": "30287",
      "createdAt": "2020-11-06T14:47:37Z"
    },
    {
      "version": "v1",
      "kind": "Endpoints",
      "namespace": "default",
      "name": "argocd-4519",
      "uid": "25b61858-308e-4df2-9522-0f9ceef77b0c",
      "parentRefs": [
        {
          "kind": "Service",
          "namespace": "default",
          "name": "argocd-4519",
          "uid": "5acd59a3-0155-41c9-8161-fefc0b4e3ec3"
        }
      ],
      "resourceVersion": "30212",
      "createdAt": "2020-11-06T14:47:37Z"
    },
    {
      "group": "apps",
      "version": "v1",
      "kind": "Deployment",
      "namespace": "default",
      "name": "argocd-4519",
      "uid": "3141d63c-c65d-4945-99a3-d06bdd61621e",
      "info": [
        {
          "name": "Revision",
          "value": "Rev:1"
        }
      ],
      "resourceVersion": "30289",
      "health": {
        "status": "Healthy"
      },
      "createdAt": "2020-11-06T14:47:37Z"
    },
    {
      "group": "apps",
      "version": "v1",
      "kind": "ReplicaSet",
      "namespace": "default",
      "name": "argocd-4519-6f5669ff58",
      "uid": "d923ea56-ffd9-4739-9fc7-d12c61ad94d1",
      "parentRefs": [
        {
          "group": "apps",
          "kind": "Deployment",
          "namespace": "default",
          "name": "argocd-4519",
          "uid": "3141d63c-c65d-4945-99a3-d06bdd61621e"
        }
      ],
      "info": [
        {
          "name": "Revision",
          "value": "Rev:1"
        }
      ],
      "resourceVersion": "30288",
      "health": {
        "status": "Healthy"
      },
      "createdAt": "2020-11-06T14:47:37Z"
    },
    {
      "version": "v1",
      "kind": "Pod",
      "namespace": "default",
      "name": "argocd-4519-6f5669ff58-44ndf",
      "uid": "f6a4127f-318b-4161-8e97-7c35bc92e835",
      "parentRefs": [
        {
          "group": "apps",
          "kind": "ReplicaSet",
          "namespace": "default",
          "name": "argocd-4519-6f5669ff58",
          "uid": "d923ea56-ffd9-4739-9fc7-d12c61ad94d1"
        }
      ],
      "info": [
        {
          "name": "Status Reason",
          "value": "Running"
        },
        {
          "name": "Containers",
          "value": "1/1"
        }
      ],
      "networkingInfo": {
        "labels": {
          "app": "argocd-4519",
          "pod-template-hash": "6f5669ff58"
        }
      },
      "resourceVersion": "30285",
      "images": [
        "quay.io/app-sre/nginx"
      ],
      "health": {
        "status": "Healthy"
      },
      "createdAt": "2020-11-06T14:47:37Z"
    }
  ]
}
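
An added example, not part of the thread or of Argo CD's code: a Go check that diffs two /resource-tree payloads by the identity the quoted FindNode call uses (group, kind, namespace, name) and lists the nodes that vanished after sync. The payloads are constructed reductions of the two responses above; `Node`, `nodes` and `MissingAfterSync` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Node is the identity the quoted FindNode call is given. Hypothetical type name.
type Node struct{ Group, Kind, Namespace, Name string }

// Constructed samples: the two payloads above, reduced to a few nodes.
const beforeSync = `{"nodes":[
 {"group":"apps","version":"v1","kind":"Deployment","namespace":"default","name":"argocd-4519"},
 {"group":"authorization.openshift.io","version":"v1","kind":"Role","namespace":"default","name":"example-role"},
 {"group":"authorization.openshift.io","version":"v1","kind":"RoleBinding","namespace":"default","name":"example-rolebinding"},
 {"version":"v1","kind":"Service","namespace":"default","name":"argocd-4519"}]}`
const afterSync = `{"nodes":[
 {"version":"v1","kind":"Service","namespace":"default","name":"argocd-4519"},
 {"group":"apps","version":"v1","kind":"Deployment","namespace":"default","name":"argocd-4519"},
 {"group":"apps","version":"v1","kind":"ReplicaSet","namespace":"default","name":"argocd-4519-6f5669ff58"}]}`

func nodes(payload string) ([]Node, error) {
	var t struct{ Nodes []Node }
	err := json.Unmarshal([]byte(payload), &t)
	return t.Nodes, err
}

// MissingAfterSync returns nodes present in before but absent from after.
func MissingAfterSync(before, after string) ([]Node, error) {
	b, errB := nodes(before)
	a, errA := nodes(after)
	if errB != nil || errA != nil {
		return nil, fmt.Errorf("bad payload: %v / %v", errB, errA)
	}
	live := make(map[Node]bool, len(a))
	for _, n := range a {
		live[n] = true
	}
	var missing []Node
	for _, n := range b {
		if !live[n] {
			missing = append(missing, n)
		}
	}
	return missing, nil
}

func main() {
	fmt.Println(MissingAfterSync(beforeSync, afterSync))
}
```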

peterbosalliandercom commented 3 years ago

@jopit any news on this?

peterbosalliandercom commented 3 years ago

@alexec any news on this?

dlmorais-pbh commented 3 years ago

Hi, I'm having a related issue, that I think may be the same problem as this one.

I'm also trying to create a ClusterRoleBinding, like below:

apiVersion: authorization.openshift.io/v1
kind: ClusterRoleBinding
metadata:
  name: devops-pv
  namespace: default
roleRef:
  kind: ClusterRole
  name: system:persistent-volume-provisioner
subjects:
- kind: Group
  name: <redacted>

Right after I create it, ArgoCD appears like that:

[image]

Looking at the created ClusterRoleBinding inside Openshift, it looks to me that Openshift is mutating the object with apiVersion "authorization.openshift.io/v1", transforming it into an object with apiVersion "rbac.authorization.k8s.io/v1". Look at the yaml below:

  1. the last applied configuration is exactly the one I sent thru ArgoCD sync operation.
  2. the managedFields, the manager is "openshift-apiserver" and not "argocd-application-controller".

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devops-pv
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/devops-pv
  uid: 353209b1-dcc6-4995-91d3-04922da014cc
  resourceVersion: '204415717'
  creationTimestamp: '2021-05-07T11:52:07Z'
  labels:
    app.kubernetes.io/instance: namespaces
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: >
      {"apiVersion":"authorization.openshift.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"namespaces"},"name":"devops-pv"},"roleRef":{"kind":"ClusterRole","name":"system:persistent-volume-provisioner"},"subjects":[{"kind":"Group","name":"<redacted>"}]}
  managedFields:
    - manager: openshift-apiserver
      operation: Update
      apiVersion: rbac.authorization.k8s.io/v1
      time: '2021-05-07T11:52:07Z'
      fieldsType: FieldsV1
<...>

I think the problem here is related to this mutation.

I also tried to create the object with apiVersion "rbac.authorization.k8s.io/v1" directly, but using this one ArgoCD fails to sync with another error.

namespaces "*" not found

The name "*" is because the application is configured to this pseudo-all-namespaces in order to be able to create namespaces and other cluster-wide configurations:

project: openshift
source:
  repoURL: '<redacted>'
  path: ./
  targetRevision: master
destination:
  server: 'https://kubernetes.default.svc'
  namespace: '*'
syncPolicy: {}
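
An added example, not from the thread or from Argo CD: a Go check for the rewrite described in the comment above, comparing the API group recorded in the last-applied-configuration annotation with the group the object is stored under. The object is a constructed JSON rendering of the YAML above with the annotation shortened; `GroupRewrite` and `group` are hypothetical names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const lastApplied = "kubectl.kubernetes.io/last-applied-configuration"

// Constructed sample: the stored ClusterRoleBinding above as JSON, annotation shortened.
const liveObject = `{"kind":"ClusterRoleBinding","apiVersion":"rbac.authorization.k8s.io/v1",
 "metadata":{"name":"devops-pv","annotations":{
  "kubectl.kubernetes.io/last-applied-configuration":
  "{\"apiVersion\":\"authorization.openshift.io/v1\",\"kind\":\"ClusterRoleBinding\",\"metadata\":{\"name\":\"devops-pv\"}}"}}}`

type object struct {
	APIVersion string
	Metadata   struct{ Annotations map[string]string }
}

// group returns the API group of an apiVersion ("" for the core group, e.g. "v1").
func group(apiVersion string) string {
	if i := strings.LastIndex(apiVersion, "/"); i >= 0 {
		return apiVersion[:i]
	}
	return ""
}

// GroupRewrite reports the applied and stored API groups and whether they differ.
func GroupRewrite(raw string) (applied, stored string, rewritten bool, err error) {
	var live, sent object
	if err = json.Unmarshal([]byte(raw), &live); err != nil {
		return
	}
	ann, ok := live.Metadata.Annotations[lastApplied]
	if !ok { // nothing recorded about what was applied: cannot tell
		return "", group(live.APIVersion), false, nil
	}
	if err = json.Unmarshal([]byte(ann), &sent); err != nil {
		return
	}
	applied, stored = group(sent.APIVersion), group(live.APIVersion)
	return applied, stored, applied != stored, nil
}

func main() {
	fmt.Println(GroupRewrite(liveObject))
}
```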