gitops-operator
ApplicationSets CRD cannot be watched / listed by argocd-server SA
Describe the bug
The argocd-server pod shows a lot of errors like these:
W0312 10:33:57.113524 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1alpha1.ApplicationSet: applicationsets.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-argocd-server" cannot list resource "applicationsets" in API group "argoproj.io" in the namespace "argocd"
E0312 10:33:57.113554 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1alpha1.ApplicationSet: failed to list *v1alpha1.ApplicationSet: applicationsets.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-argocd-server" cannot list resource "applicationsets" in API group "argoproj.io" in the namespace "argocd"
This is because the argocd-server Role doesn't include the permissions to watch and list applicationsets.
Snippet from the Role YAML:
```yaml
...
- verbs:
  - create
  - get
  - list
  - watch
  - update
  - delete
  - patch
  apiGroups:
  - argoproj.io
  resources:
  - applications
  - appprojects
...
```
Role config of the gitops-operator without applicationsets (v1.11.0):
https://github.com/redhat-developer/gitops-operator/blob/4803ae0f7e6abc7d9583ac56df4c18b1d8eead77/config/rbac/role.yaml#L192C1-L199C19
Upstream ArgoCD role config with applicationsets (v2.9.5):
https://github.com/argoproj/argo-cd/blob/f9436641a616d277ab1f98694e5ce4c986d4ea05/manifests/base/server/argocd-server-role.yaml#L23C1-L36C10
The issue happens on OpenShift 4.13.17 with GitOps Operator v1.11.1. Applying ApplicationSets works in our usage.
To Reproduce
Steps to reproduce the behavior:
- Install gitops-operator v1.11.1
- Create an ArgoCD instance
- Open the logs of the "argocd-server-*" pod
- See the error
Expected behavior
The logs of the pod should not contain the error message.
Screenshots No screenshot provided
Additional context
ArgoCD CRD YAML:
```yaml
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd
spec:
  server:
    autoscale:
      enabled: false
    grpc:
      ingress:
        enabled: false
    ingress:
      enabled: false
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 25m
        memory: 128Mi
    route:
      enabled: true
      tls:
        termination: reencrypt
    service:
      type: ''
  grafana:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  monitoring:
    enabled: false
  notifications:
    enabled: true
    resources:
      limits:
        cpu: 150m
        memory: 200Mi
      requests:
        cpu: 20m
        memory: 60Mi
  prometheus:
    enabled: false
    ingress:
      enabled: false
    route:
      enabled: false
  initialSSHKnownHosts: {}
  sso:
    dex:
      openShiftOAuth: true
      resources:
        limits:
          cpu: 150m
          memory: 512Mi
        requests:
          cpu: 20m
          memory: 256Mi
    provider: dex
  applicationSet:
    resources:
      limits:
        cpu: 150m
        memory: 200Mi
      requests:
        cpu: 20m
        memory: 60Mi
    webhookServer:
      ingress:
        enabled: false
      route:
        enabled: false
  rbac:
    defaultPolicy: ''
    policy: |
      g, system:cluster-admins, role:admin
    scopes: '[groups]'
  repo:
    resources:
      limits:
        cpu: 250m
        memory: 512Mi
      requests:
        cpu: 20m
        memory: 256Mi
  ha:
    enabled: false
    resources:
      limits:
        cpu: 150m
        memory: 256Mi
      requests:
        cpu: 20m
        memory: 128Mi
  tls:
    ca: {}
  redis:
    resources:
      limits:
        cpu: 150m
        memory: 256Mi
      requests:
        cpu: 20m
        memory: 128Mi
  controller:
    processors: {}
    resources:
      limits:
        cpu: 500m
        memory: 2Gi
      requests:
        cpu: 200m
        memory: 1Gi
    sharding: {}
```
Hi @dortlii, thanks for reporting the issue. I believe the issue is fixed in the recent v1.12.0 version of gitops-operator with https://github.com/argoproj-labs/argocd-operator/pull/1140. The backport of this fix is not yet released for gitops-operator v1.11.z.
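The reflector errors above are a plain RBAC gap: the server's informer issues a `list` and then a `watch` on `applicationsets.argoproj.io`, and the operator-managed Role only names `applications` and `appprojects`. The following is an added example, not code from gitops-operator or Argo CD: a minimal Kubernetes RBAC evaluator run over the rule transcribed from the issue, with the `oc auth can-i` check a practitioner would run against a live cluster and a narrowly scoped supplemental Role/RoleBinding that closes the gap until the fixed operator Role ships. The namespace and ServiceAccount name are taken from the error message; the supplemental Role's name and its default verb set are assumptions.

```python
"""Minimal Kubernetes RBAC evaluator applied to the argocd-server Role.

Added example for this issue; not code from gitops-operator or Argo CD. The
rule below is transcribed from the Role snippet in the issue, the namespace
and ServiceAccount name come from the error message, and the name of the
supplemental Role is an assumption. Matching follows the documented RBAC
semantics (exact string match or "*" wildcard); resourceNames, subresources
and nonResourceURLs are out of scope.
"""
from __future__ import annotations

import json

NAMESPACE = "argocd"
SERVER_SA = "argocd-argocd-server"  # from "system:serviceaccount:argocd:argocd-argocd-server"

# PolicyRule as posted in the issue: applicationsets is missing from the argoproj.io entry.
OPERATOR_RULES = [
    {
        "apiGroups": ["argoproj.io"],
        "resources": ["applications", "appprojects"],
        "verbs": ["create", "get", "list", "watch", "update", "delete", "patch"],
    },
]

# Same rule with applicationsets added, as in the upstream Argo CD Role the issue links.
UPSTREAM_RULES = [
    {
        "apiGroups": ["argoproj.io"],
        "resources": ["applications", "applicationsets", "appprojects"],
        "verbs": ["create", "get", "list", "watch", "update", "delete", "patch"],
    },
]


def _matches(allowed: list[str], wanted: str) -> bool:
    """An RBAC list entry matches on exact name or the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def can_i(rules: list[dict], verb: str, api_group: str, resource: str) -> bool:
    """RBAC is allow-only and additive: one matching rule is enough, there are no denies."""
    return any(
        _matches(rule.get("verbs", []), verb)
        and _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
        for rule in rules
    )


def missing_verbs(rules, api_group, resource, needed=("list", "watch")):
    """Verbs a client-go informer needs (list, then watch) that the rules do not grant."""
    return [v for v in needed if not can_i(rules, v, api_group, resource)]


def can_i_command(verb: str, resource: str, api_group: str = "argoproj.io") -> str:
    """The equivalent live check against a cluster (run with oc or kubectl)."""
    return (f"oc auth can-i {verb} {resource}.{api_group} "
            f"--as=system:serviceaccount:{NAMESPACE}:{SERVER_SA} -n {NAMESPACE}")


def supplemental_role(verbs=("get", "list", "watch"),
                      name="argocd-server-applicationsets"):  # name is an assumption
    """Role + RoleBinding granting only the missing verbs on applicationsets to the server SA.

    Namespaced, single resource, no wildcards: the smallest grant that silences the
    reflector errors. Returned as dicts; json.dumps() output can be applied directly.
    """
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": NAMESPACE},
        "rules": [{"apiGroups": ["argoproj.io"],
                   "resources": ["applicationsets"],
                   "verbs": list(verbs)}],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": NAMESPACE},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": name},
        "subjects": [{"kind": "ServiceAccount", "name": SERVER_SA, "namespace": NAMESPACE}],
    }
    return role, binding


if __name__ == "__main__":
    print("missing on applicationsets (operator Role):",
          missing_verbs(OPERATOR_RULES, "argoproj.io", "applicationsets"))
    print("missing on applicationsets (upstream Role):",
          missing_verbs(UPSTREAM_RULES, "argoproj.io", "applicationsets"))
    print(can_i_command("list", "applicationsets"))
    role, binding = supplemental_role()
    # Effective permissions are the union of every Role bound to the SA.
    print("after supplement:",
          missing_verbs(OPERATOR_RULES + role["rules"], "argoproj.io", "applicationsets"))
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": [role, binding]}, indent=2))
```

Two caveats for anyone using the supplement as a workaround. It is a separate Role bound to the same ServiceAccount rather than an edit of the operator-managed Role, because the operator reconciles the objects it owns and would revert a hand edit. It also grants only the read verbs the informer needs; the upstream Role grants the full create/update/delete/patch set because the server also manages ApplicationSets through the UI and CLI, so widen `verbs` if that is required, and remove the supplement once an operator version with the corrected Role is installed so the ServiceAccount does not carry two overlapping grants.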