Open jcstryker opened 3 years ago
I've tried to reproduce it and noticed that `machine-learning-platform` project has roles `admin` and `jenkins` but not `ci-cd`. Tried to generate token for `jenkins` role and was able to successfully create app. Is it possible that `ci-cd` was deleted?
I think I copied the wrong yaml, here is the manifest right out of the cluster
```yaml
kind: AppProject
metadata:
  creationTimestamp: "2021-02-02T22:27:37Z"
  generation: 2
  managedFields:
  - apiVersion: argoproj.io/v1alpha1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:spec:
        .: {}
        f:clusterResourceWhitelist: {}
        f:description: {}
        f:destinations: {}
        f:sourceRepos: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2021-02-02T22:27:37Z"
  - apiVersion: argoproj.io/v1alpha1
    fieldsType: FieldsV1
    fieldsV1:
      f:spec:
        f:roles: {}
    manager: argocd-server
    operation: Update
    time: "2021-02-02T22:28:18Z"
  name: machine-learning-platform
  namespace: argocd
  resourceVersion: "1634800"
  selfLink: /apis/argoproj.io/v1alpha1/namespaces/argocd/appprojects/machine-learning-platform
  uid: a7acb4f7-eca6-4564-bdd4-487c37109a58
spec:
  clusterResourceWhitelist:
  - group: '*'
    kind: '*'
  description: Project for MLP applications managed by the MLP team
  destinations:
  - namespace: ...
    server: https://kubernetes.default.svc
  - namespace: ...
    server: https://kubernetes.default.svc
  - namespace: argocd
    server: https://kubernetes.default.svc
  roles:
  - description: MLP Project role for Admins
    groups:
    - ...
    name: admin
    policies:
    - p, proj:machine-learning-platform:admin, applications, *, machine-learning-platform/*,
      allow
  - description: MLP Project role for CICD
    jwtTokens:
    - iat: 1612304898
      id: 2195d4c1-284f-4baa-a949-dacea3c86ec5
    name: ci-cd
    policies:
    - p, proj:machine-learning-platform:ci-cd, applications, *, machine-learning-platform/*,
      allow
  sourceRepos:
  - '*'
```
The `ci-cd` role is definitely there and lists a token, still getting the permission denied
@alexmt can you share how you reproduced it? maybe I am doing something wrong
I tried this again with v1.8.4 and got an interesting new error
```
FATA[0000] rpc error: code = Unauthenticated desc = invalid session: JWT token for role 'admin' issued at '1612552250' does not exist in project 'machine-learning-platform'
```
That looks like another issue. Trying to reproduce a theory
```yaml
  roles:
  - description: MLP Project role for Admins
    groups:
    - redacted
    jwtTokens:
    - iat: 1612553791
      id: test
    - iat: 1612552250
      id: d57c8f6a-60f8-4760-8ba5-e76699d373fd
    - iat: 1612552167
      id: jenkins
    name: admin
    policies:
    - p, proj:machine-learning-platform:admin, applications, *, machine-learning-platform/mlp-buildandtrain,
      allow
  sourceRepos:
  - '*'
```
Token is definitely there in the CR
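One way to compare a project token's claims with the `jwtTokens` entries stored in the AppProject, added here as an example and not code from the thread or from Argo CD. It assumes the token's `sub` claim has the form `proj:<project>:<role>` and that a token is matched to a role by its `iat`, as the error message above suggests; the helper names and the sample token are constructed.

```python
import base64
import json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode a JWT's payload segment; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_project_token(claims, project_name, roles):
    """Say whether the claims line up with a jwtTokens entry in spec.roles."""
    parts = str(claims.get("sub", "")).split(":")
    if len(parts) != 3 or parts[0] != "proj":  # assumed sub layout
        return "not a project token"
    if parts[1] != project_name:
        return "token is for project '%s'" % parts[1]
    role = next((r for r in roles if r.get("name") == parts[2]), None)
    if role is None:
        return "role '%s' not in project" % parts[2]
    for entry in role.get("jwtTokens") or []:
        if entry.get("iat") == claims.get("iat"):
            return "match: id %s" % entry.get("id")
    return "no token with iat %s in role '%s'" % (claims.get("iat"), parts[2])

# Constructed sample: spec.roles as quoted in the thread (policies omitted).
ROLES = [{"name": "admin", "jwtTokens": [
    {"iat": 1612553791, "id": "test"},
    {"iat": 1612552250, "id": "d57c8f6a-60f8-4760-8ba5-e76699d373fd"},
    {"iat": 1612552167, "id": "jenkins"}]}]

def sample_token(role, iat):
    """Constructed token with a placeholder signature, for the demo only."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"iss": "argocd", "iat": iat,
                              "sub": "proj:machine-learning-platform:" + role}).encode())
    return header + "." + body + ".placeholder"

if __name__ == "__main__":
    for role, iat in [("admin", 1612552250), ("admin", 1), ("ci-cd", 1612304898)]:
        claims = jwt_claims(sample_token(role, iat))
        print(role, iat, "->",
              check_project_token(claims, "machine-learning-platform", ROLES))
```

A match against the manifest read from the cluster, while the server still rejects the token, shows that the stored CR and the state the API server is evaluating disagree.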
seeing the same in 1.8.5
still seeing this issue in v1.8.7
Checklist:
argocd version
Describe the bug
With `v1.8.3` I am getting this error when attempting to create/sync an application using project tokens. Seems similar to #1019

The same process/yaml worked in `v1.7.6`
To Reproduce
I have created a project using this project yaml and running `kubectl create -f project.yaml`:
I then create a project token using this command
which returns successfully
I then attempt to create this application using this manifest:
command:
where I then receive this error
Expected behavior
I would expect the application to get created properly, instead of permission denied
Screenshots
If applicable, add screenshots to help explain your problem.
Version
Logs