search

argoproj / argo-helm

ArgoProj Helm Charts
https://argoproj.github.io/argo-helm/
Apache License 2.0
1.77k stars 1.88k forks source link

Application In Any Namespace: server cannot create application #2107

Open speedfl opened 1 year ago

speedfl commented 1 year ago

Describe the bug

When using Application in any namespace to create an Application using the UI you need to use the Edit as Yaml and create your application in the desired namespace.

However when doing this following error occured:

Unable to create application: error creating application: applications.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-server" cannot create resource "applications" in API group "argoproj.io" in the namespace "team-cd"

Related helm chart

argo-cd

Helm chart version

5.36.1

To Reproduce

  1. Enable Application in any namespace
  2. Go in UI
  3. Create App
  4. Edit as Yaml:
  5. Create following manifest
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: team-guestbook
  namespace: team-cd     # This namespace must be enabled in the list of namespace
  labels:
    project: team
spec:
  destination:
    namespace: team-guestbook
    server: https://kubernetes.default.svc
  project: team
  source:
    path: guestbook
    repoURL: https://github.com/speedfl/argocd-example-apps.git
    targetRevision: HEAD
  1. Click on save

Expected behavior

The server should be able to create Application in the namespace (edit, delete works)

Screenshots

No response

Additional context

Creating following permission helps

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: application-admin
rules:
- apiGroups:
  - argoproj.io
  resources:
  - applications
  verbs:
  - create
  - get
  - list
  - watch
  - update
  - delete
  - patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-sever-application-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: application-admin
subjects:
- kind: ServiceAccount
  name: argocd-server
  namespace: argocd

Let me lnow if you need me to work on it to add this permission to the helm chart

speedfl commented 1 year ago

Any news ?

kbumsik commented 1 year ago

Hi, I tried this too and got the same problem.

By looking at the similar issue in the upstream, it seems that ArgoCD upstream itself is not yet ready for providing the feature in stable way: https://github.com/argoproj/argo-cd/issues/11638

And neither the chart as well. It seems that it requires some modification in both ClusterRole and ComfigMap.

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

speedfl commented 1 day ago

Reopening the issue as it is still blocking