redhat-developer / gitops-operator

An operator that gets you an ArgoCD for cluster configuration out-of-the-box on OpenShift along with the UI for visualizing environments.
Apache License 2.0

ApplicationSets CRD cannot be watched / listed by argocd-server SA #660

Open dortlii opened 7 months ago

dortlii commented 7 months ago

Describe the bug

The argocd-server pod shows a lot of errors like these:

W0312 10:33:57.113524 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.17/tools/cache/reflector.go:167: failed to list *v1alpha1.ApplicationSet: applicationsets.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-argocd-server" cannot list resource "applicationsets" in API group "argoproj.io" in the namespace "argocd"

E0312 10:33:57.113554 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.17/tools/cache/reflector.go:167: Failed to watch v1alpha1.ApplicationSet: failed to list v1alpha1.ApplicationSet: applicationsets.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-argocd-server" cannot list resource "applicationsets" in API group "argoproj.io" in the namespace "argocd"

This is because the argocd-server role doesn't include the permissions to list and watch applicationsets.

Snippet from role yaml:

...
  - verbs:
      - create
      - get
      - list
      - watch
      - update
      - delete
      - patch
    apiGroups:
      - argoproj.io
    resources:
      - applications
      - appprojects
...

Role config of the gitops-operator without applicationsets (v1.11.0): https://github.com/redhat-developer/gitops-operator/blob/4803ae0f7e6abc7d9583ac56df4c18b1d8eead77/config/rbac/role.yaml#L192C1-L199C19

Upstream ArgoCD role config with applicationsets (v2.9.5): https://github.com/argoproj/argo-cd/blob/f9436641a616d277ab1f98694e5ce4c986d4ea05/manifests/base/server/argocd-server-role.yaml#L23C1-L36C10

Issue happens in OpenShift 4.13.17 with GitOps Operator v1.11.1. Applying applicationsets works in our usage.

To Reproduce

Steps to reproduce the behavior:

  1. Install gitops-operator v1.11.1
  2. Create ArgoCD Instance
  3. Open logs for the "argocd-server-*" pod
  4. See error

Expected behavior

The logs of the pod should not contain the error message.

Screenshots

No screenshot provided

Additional context

ArgoCD CRD YAML:

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd
spec:
  server:
    autoscale:
      enabled: false
    grpc:
      ingress:
        enabled: false
    ingress:
      enabled: false
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 25m
        memory: 128Mi
    route:
      enabled: true
      tls:
        termination: reencrypt
    service:
      type: ''
  grafana:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  monitoring:
    enabled: false
  notifications:
    enabled: true
    resources:
      limits:
        cpu: 150m
        memory: 200Mi
      requests:
        cpu: 20m
        memory: 60Mi
  prometheus:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  initialSSHKnownHosts: {}
  sso:
    dex:
      openShiftOAuth: true
      resources:
        limits:
          cpu: 150m
          memory: 512Mi
        requests:
          cpu: 20m
          memory: 256Mi
    provider: dex
  applicationSet:
    resources:
      limits:
        cpu: 150m
        memory: 200Mi
      requests:
        cpu: 20m
        memory: 60Mi
    webhookServer:
      ingress:
        enabled: false
      route:
        enabled: false
  rbac:
    defaultPolicy: ''
    policy: |
      g, system:cluster-admins, role:admin
    scopes: '[groups]'
  repo:
    resources:
      limits:
        cpu: 250m
        memory: 512Mi
      requests:
        cpu: 20m
        memory: 256Mi
  ha:
    enabled: false
    resources:
      limits:
        cpu: 150m
        memory: 256Mi
      requests:
        cpu: 20m
        memory: 128Mi
  tls:
    ca: {}
  redis:
    resources:
      limits:
        cpu: 150m
        memory: 256Mi
      requests:
        cpu: 20m
        memory: 128Mi
  controller:
    processors: {}
    resources:
      limits:
        cpu: 500m
        memory: 2Gi
      requests:
        cpu: 200m
        memory: 1Gi
    sharding: {}
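As an added check for the RBAC gap this issue describes (example code written for this page, not code from gitops-operator or Argo CD): it parses the forbidden reflector errors quoted above into the API group, resource and verb the argocd-server ServiceAccount needed, and evaluates that need against a Role's rules using the apiserver's wildcard semantics. ISSUE_ROLE_RULES is transcribed from the role snippet in the issue; FIXED_ROLE_RULES is an assumed corrected rule that only adds applicationsets to the same resource list; parse_forbidden, is_allowed and missing_from_logs are this example's own names.

```python
"""Check an Argo CD server Role against the 'forbidden' errors in its logs.

Added example for this issue, not code from gitops-operator or Argo CD.
"""
import re

# Constructed sample: the two reflector errors quoted in the issue body,
# plus one unrelated line that the parser must ignore.
LOG_LINES = [
    'W0312 10:33:57.113524 1 reflector.go:324] pkg/mod/k8s.io/client-go@v0.24.17/tools/cache/reflector.go:167: '
    'failed to list *v1alpha1.ApplicationSet: applicationsets.argoproj.io is forbidden: '
    'User "system:serviceaccount:argocd:argocd-argocd-server" cannot list resource "applicationsets" '
    'in API group "argoproj.io" in the namespace "argocd"',
    'E0312 10:33:57.113554 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.24.17/tools/cache/reflector.go:167: '
    'Failed to watch v1alpha1.ApplicationSet: failed to list v1alpha1.ApplicationSet: '
    'applicationsets.argoproj.io is forbidden: '
    'User "system:serviceaccount:argocd:argocd-argocd-server" cannot list resource "applicationsets" '
    'in API group "argoproj.io" in the namespace "argocd"',
    'I0312 10:34:00.000000 1 other.go:1] constructed noise line that carries no RBAC error',
]

# Shape of the apiserver's forbidden message; the core API group appears as "".
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"'
)

# Transcribed from the role snippet in this issue (gitops-operator v1.11.x argocd-server Role).
ISSUE_ROLE_RULES = [
    {"apiGroups": ["argoproj.io"],
     "resources": ["applications", "appprojects"],
     "verbs": ["create", "get", "list", "watch", "update", "delete", "patch"]},
]

# Assumed fix for illustration: the same rule with applicationsets added to the resource list.
FIXED_ROLE_RULES = [
    {"apiGroups": ["argoproj.io"],
     "resources": ["applications", "appprojects", "applicationsets"],
     "verbs": ["create", "get", "list", "watch", "update", "delete", "patch"]},
]


def parse_forbidden(line):
    """Return (namespace, serviceaccount, verb, api_group, resource) from a forbidden log line, else None."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        return None
    return m.group("ns"), m.group("sa"), m.group("verb"), m.group("group"), m.group("resource")


def rule_allows(rule, group, resource, verb):
    """Evaluate one RBAC PolicyRule: '*' in apiGroups, resources or verbs matches anything."""
    def match(values, wanted):
        return "*" in values or wanted in values
    return (match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)
            and match(rule.get("verbs", []), verb))


def is_allowed(rules, group, resource, verb):
    """RBAC is purely additive: a request is allowed if any rule grants it."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


def missing_from_logs(rules, lines):
    """Sorted (api_group, resource, verb) triples the logs show as denied that the rules do not grant."""
    missing = set()
    for line in lines:
        parsed = parse_forbidden(line)
        if parsed is None:
            continue
        _, _, verb, group, resource = parsed
        if not is_allowed(rules, group, resource, verb):
            missing.add((group, resource, verb))
    return sorted(missing)


if __name__ == "__main__":
    for label, rules in (("issue role", ISSUE_ROLE_RULES), ("fixed role", FIXED_ROLE_RULES)):
        print(label, "missing:", missing_from_logs(rules, LOG_LINES) or "nothing")
    # The reflector only logs the failed list; an informer also needs watch, so ask for it explicitly.
    print("fixed role grants watch on applicationsets:",
          is_allowed(FIXED_ROLE_RULES, "argoproj.io", "applicationsets", "watch"))
```

On a live cluster the same question is answered by `oc auth can-i list applicationsets.argoproj.io --as=system:serviceaccount:argocd:argocd-argocd-server -n argocd`; the offline check is useful when reviewing a Role manifest such as the linked config/rbac/role.yaml before it reaches the cluster. Because the reflector only reports the failed list call, the example also queries watch directly, since an informer needs both verbs.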

svghadi commented 6 months ago

Hi @dortlii, thanks for reporting the issue. I believe the issue is fixed in the recent v1.12.0 version of gitops-operator with https://github.com/argoproj-labs/argocd-operator/pull/1140. The backport of this fix is not yet released for gitops-operator v1.11.z.