argoproj / argo-helm

ArgoProj Helm Charts
https://argoproj.github.io/argo-helm/
Apache License 2.0

Simplify RBAC Configuration for ApplicationSets in Any Namespace #2919

Open Skaronator opened 2 months ago

Skaronator commented 2 months ago

Is your feature request related to a problem?

I'm working on enabling both Applications and ApplicationSets in any namespace, which requires extensive configuration due to security constraints.

There’s one area in the Helm chart that could be simplified for this setup:

Currently, you need to set a configuration in configs.params to enable ApplicationSets in any namespace. However, after doing this, I encountered an RBAC permissions issue where the ApplicationSet controller lacks the correct permissions:

W0912 08:37:18.346201       7 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:ops:argocd-applicationset-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope
E0912 08:37:18.346268       7 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.Application: failed to list *v1alpha1.Application: applications.argoproj.io is forbidden: User "system:serviceaccount:ops:argocd-applicationset-controller" cannot list resource "applications" in API group "argoproj.io" at the cluster scope

Upon reviewing the Helm chart code, I found that setting applicationSet.allowAnyNamespace to true is also required to grant the necessary RBAC permissions.

This dual configuration adds complexity to the setup process. Simplifying this within the Helm chart would be beneficial.

Related helm chart

argo-cd

Describe the solution you'd like

Once configs.params.applicationsetcontroller.namespaces is configured, the Helm chart should automatically provision the correct RBAC permissions. This would effectively set applicationSet.allowAnyNamespace to true without requiring additional manual configuration steps. This automation would simplify the setup process and reduce the risk of misconfiguration.

Describe alternatives you've considered

No response

Additional context

No response
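The two settings the report pairs together can be linted before `helm install`, so the mismatch surfaces as a values-file finding rather than as reflector errors in the controller log. The script below is an added example, not code from the argo-helm chart or from the reporter: it checks a parsed values tree for the coupling between `configs.params."applicationsetcontroller.namespaces"` and `applicationSet.allowAnyNamespace` (the two keys named in the issue), and parses the "forbidden" message quoted above so the symptom can be correlated with the cause. The values dicts are constructed samples; the namespace-scoped variant of the denial message (`in the namespace "..."`) is assumed from Kubernetes' standard RBAC wording and does not appear on this page.

```python
import re
from typing import Any, Optional

# Kubernetes RBAC denial as it appears in the controller log on this page,
# plus the namespaced variant (assumed from standard kube-apiserver wording).
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the (?P<scope>cluster) scope|in the namespace "(?P<namespace>[^"]+)")'
)


def parse_forbidden(line: str) -> Optional[dict]:
    """Extract subject, verb, resource, group and scope from a denial line."""
    m = FORBIDDEN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "user": d["user"],
        "verb": d["verb"],
        "resource": d["resource"],
        "group": d["group"],
        "scope": "cluster" if d["scope"] else "namespace",
        "namespace": d["namespace"],
    }


def _lookup(values: dict, *path: str) -> Any:
    """Walk a nested values dict; return None if any key is missing."""
    node: Any = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def check_appset_namespaces(values: dict) -> list:
    """Return findings about the namespaces / allowAnyNamespace coupling.

    An empty list means the two chart keys are consistent.
    """
    namespaces = _lookup(values, "configs", "params",
                         "applicationsetcontroller.namespaces")
    allow_any = bool(_lookup(values, "applicationSet", "allowAnyNamespace"))
    findings = []
    if namespaces and not allow_any:
        findings.append(
            "configs.params.applicationsetcontroller.namespaces is set "
            f"({namespaces!r}) but applicationSet.allowAnyNamespace is false: "
            "the ApplicationSet controller gets no cluster-scoped RBAC and "
            "will fail to list/watch applications.argoproj.io."
        )
    if allow_any and not namespaces:
        findings.append(
            "applicationSet.allowAnyNamespace is true but no extra namespaces "
            "are configured: cluster-wide RBAC is granted without being needed."
        )
    return findings


def diagnose(log_lines, values: dict) -> list:
    """Combine the values check with denial lines from the controller log."""
    findings = check_appset_namespaces(values)
    for line in log_lines:
        ev = parse_forbidden(line)
        if (ev and ev["scope"] == "cluster" and ev["resource"] == "applications"
                and ev["user"].endswith("argocd-applicationset-controller")):
            findings.append(
                f"{ev['user']} denied cluster-scoped {ev['verb']} on "
                f"{ev['resource']}.{ev['group']}: consistent with missing "
                "applicationSet.allowAnyNamespace RBAC."
            )
    return findings


# Constructed sample values mirroring the situation described in the issue.
MISCONFIGURED_VALUES = {
    "configs": {"params": {"applicationsetcontroller.namespaces": "team-a,team-b"}},
    "applicationSet": {"allowAnyNamespace": False},
}
CORRECTED_VALUES = {
    "configs": {"params": {"applicationsetcontroller.namespaces": "team-a,team-b"}},
    "applicationSet": {"allowAnyNamespace": True},
}

# The warning line quoted in the issue (path fragment shortened for width).
SAMPLE_LOG = (
    'W0912 08:37:18.346201       7 reflector.go:539] failed to list '
    '*v1alpha1.Application: applications.argoproj.io is forbidden: User '
    '"system:serviceaccount:ops:argocd-applicationset-controller" cannot list '
    'resource "applications" in API group "argoproj.io" at the cluster scope'
)

if __name__ == "__main__":
    for finding in diagnose([SAMPLE_LOG], MISCONFIGURED_VALUES):
        print("-", finding)
```

Run against the values file you are about to deploy (after loading it with a YAML parser into a dict) together with a few lines of `argocd-applicationset-controller` output; a non-empty result from `diagnose` points at the pairing the issue asks the chart to handle automatically.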

github-actions[bot] commented 1 week ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Skaronator commented 1 week ago

Bump