ArgoCD /temp access denied
I've deployed ArgoCD using the operator on version v0.12.0, mounting persistent storage at /tmp in the standard way, following the docs:

```yaml
repo:
  volumes:
    - name: repo-storage
      persistentVolumeClaim:
        claimName: argocd-repo-server-pvc
  volumeMounts:
    - mountPath: /tmp
      name: repo-storage
```
The repo pod crashes and loops; the log throws:

```
Defaulted container "argocd-repo-server" out of: argocd-repo-server, copyutil (init)
time="2025-03-24T17:28:26Z" level=info msg="ArgoCD Repository Server is starting" built="2024-08-16T16:42:13Z" commit=26b2039a55b9bdf807a70d344af8ade5171d3d39 port=8081 version=v2.12.1+26b2039
time="2025-03-24T17:28:26Z" level=info msg="Generating self-signed TLS certificate for this session"
time="2025-03-24T17:28:26Z" level=fatal msg="failed to initialize the repo service: mkdir /tmp/_argocd-repo: permission denied"
```
According to this, it's due to the container using the wrong security context: https://github.com/argoproj/argo-cd/discussions/12313

How do we go about changing this when using the operator? I can't find a spec in the docs to modify to fsGroup: 999.

Looking at the pod directly, we have the following. I assume it's mounting as the wrong user to have write permissions.
```yaml
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
```
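For the native (non-operator) install, the same PVC mount with the pod-level fsGroup the thread points at, as a kustomize patch. This is an added example, not configuration from the issue or from the ArgoCD project; the Deployment name `argocd-repo-server`, the namespace `argocd` and the upstream `tmp` emptyDir volume name are assumptions about the upstream manifests, while the PVC name and GID 999 come from the issue above.

```yaml
# kustomization.yaml (constructed example)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: argocd            # assumption: install namespace
resources:
  - install.yaml             # the upstream ArgoCD install manifest you already apply
  - repo-server-pvc.yaml     # defines PersistentVolumeClaim argocd-repo-server-pvc
patches:
  - target:
      kind: Deployment
      name: argocd-repo-server   # assumption: upstream Deployment name
    patch: |-
      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: argocd-repo-server
      spec:
        template:
          spec:
            # Pod-level setting: kubelet chowns the volume root to this group and
            # adds group write (plus setgid on directories), so the non-root
            # repo-server UID can create /tmp/_argocd-repo without running as root.
            # The container-level securityContext (runAsNonRoot, drop ALL) is untouched.
            securityContext:
              fsGroup: 999
            volumes:
              # assumption: upstream mounts an emptyDir named "tmp" at /tmp;
              # remove it so the PVC is the only volume at that path.
              - name: tmp
                $patch: delete
              - name: repo-storage
                persistentVolumeClaim:
                  claimName: argocd-repo-server-pvc
            containers:
              - name: argocd-repo-server
                volumeMounts:
                  - name: tmp
                    $patch: delete
                  - mountPath: /tmp
                    name: repo-storage
```

fsGroup only changes ownership on volume types whose driver supports it (for CSI, `fsGroupPolicy` other than `None`); on shared filesystems such as NFS the export itself has to grant write access to GID 999.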
@amayacitta I have tried this, and it seems to be working for me. Can you share your argo-cd CR and whether you used the latest release, or how you tried it?
@anandrkskd - thanks for the help, I'll set this up again and report back.
Ok, this is for a downstream implementation of ArgoCD which is packaged by Broadcom using Carvel on their "supervisor" cluster using vSphere pods. I've found a number of issues with their implementation and will probably abandon it and do this using Argo's native operator in a normal/conformant K8s cluster.

As it's downstream, there is not much you can do; sorry for wasting your time. Broadcom will not support it either, as it's "experimental" for them, so I will close this off and do it the native way as you have already tested.