
Fails to list applications when installed by helm-chart and createClusterRoles not enabled

Open nabadger opened this issue 1 year ago • 3 comments

Describe the bug

I've upgraded from 0.12.0 to 0.15.0.

Previously no cluster roles were required.

Upon startup, I get the following errors:

time="2024-10-30T12:53:25Z" level=error msg="error while communicating with ArgoCD" argocd_server=argocd-server.argocd grpc_web=true grpc_webroot= insecure=false plaintext=false
time="2024-10-30T12:53:25Z" level=error msg="Error: error listing applications: applications.argoproj.io is forbidden: User \"system:serviceaccount:argocd:argocd-image-updater\"

This is when running in kubernetes-api mode (so the initial complaints about ArgoCD are also strange...)

To Reproduce

Run the latest image against official helm chart and ensure createClusterRoles: false.

Expected behavior

I would expect the role-bindings shipped with the helm chart to work. I'm also curious to know why the clusterrole needs update/patch?

Additional context

I'm not sure whether this is a helm-chart issue, or whether the actual code should support only handling applications from the deployed namespace (in our case argocd). All of our application resources are in this namespace.

Ideally it would be nice to have the option here. That still might be covered by the RBAC though rather than app-code, so could still be a helm issue.

I believe the error comes from https://github.com/argoproj-labs/argocd-image-updater/blob/a5acd25853dd19a5186c1cc3801bf9e5cfa052dc/pkg/argocd/argocd.go#L35 and is a result of https://github.com/argoproj-labs/argocd-image-updater/pull/854

Version

v0.15.0 - was not present in v0.12.0

nabadger, Oct 30 '24 13:10

I'm experiencing the same problem; our current setup does not allow us to create cluster-scoped roles and bindings. It would be great if cross-namespace application support could be optional.

borja00, Nov 21 '24 11:11

+1

mysiki, Nov 25 '24 22:11

Same issue here, we're deploying instances of image-updater per namespace, and we'd like to keep that level of isolation between namespaces.

If this is related to #854, then we might need a flag that tells image-updater whether it's namespaced or not.

fad3t, Dec 13 '24 14:12
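
Added example (not part of the thread or the project's code): a minimal Python model of Kubernetes RBAC scoping, showing why a namespaced RoleBinding satisfies a list of applications inside `argocd` but not one issued at the cluster scope. The rule verbs and both binding sets are assumptions chosen for illustration, not the helm chart's actual manifests.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple


@dataclass(frozen=True)
class Binding:
    subject: str    # bound user or service account
    rules: tuple    # rules of the referenced Role / ClusterRole
    namespace: str  # "" for a ClusterRoleBinding, else the RoleBinding's namespace


def _matches(rule, group, resource, verb):
    pairs = ((group, rule.api_groups), (resource, rule.resources), (verb, rule.verbs))
    return all(want in have or "*" in have for want, have in pairs)


def allowed(bindings, subject, verb, group, resource, namespace):
    """namespace == "" means a request at the cluster scope (all namespaces)."""
    for b in bindings:
        if b.subject != subject:
            continue
        # A RoleBinding only covers requests made inside its own namespace;
        # a ClusterRoleBinding (namespace "") covers every scope.
        if b.namespace not in ("", namespace):
            continue
        if any(_matches(r, group, resource, verb) for r in b.rules):
            return True
    return False


# Constructed sample data (assumed, not taken from the helm chart).
SA = "system:serviceaccount:argocd:argocd-image-updater"
APP_RULE = Rule(("argoproj.io",), ("applications",), ("get", "list", "update", "patch"))
NAMESPACED_ONLY = (Binding(SA, (APP_RULE,), "argocd"),)  # createClusterRoles: false
WITH_CLUSTER = NAMESPACED_ONLY + (Binding(SA, (APP_RULE,), ""),)


def report(bindings):
    """Result of 'list applications' in namespace argocd and at the cluster scope."""
    return {scope or "<cluster>": allowed(bindings, SA, "list", "argoproj.io", "applications", scope)
            for scope in ("argocd", "")}


if __name__ == "__main__":
    print("namespaced only:", report(NAMESPACED_ONLY))
    print("with cluster role:", report(WITH_CLUSTER))
```

On a live cluster the same two questions can be asked with `kubectl auth can-i list applications.argoproj.io --as=system:serviceaccount:argocd:argocd-image-updater -n argocd` and again with `--all-namespaces` in place of `-n argocd`.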