argo-helm
argo-helm copied to clipboard
argoproj
User cannot sync application
Describe the bug
After updating to latest helm chart version (5.27.3) user cannot sync applications.
If I revert to 5.27.1 this works fine.
Related helm chart
argo-cd
Helm chart version
5.27.3
To Reproduce
In argocd-rbac-cm I have:
apiVersion: v1
data:
policy.csv: p, user, applications, sync, */*, allow
policy.default: ""
scopes: '[groups]'
kind: ConfigMap
In argocd-cm I have:
apiVersion: v1
data:
accounts.user: apiKey
accounts.user.enabled: "true"
admin.enabled: "true"
application.instanceLabelKey: argocd.argoproj.io/instance
exec.enabled: "false"
server.rbac.log.enforce.enable: "false"
timeout.hard.reconciliation: 0s
timeout.reconciliation: 180s
kind: ConfigMap
Then I generate a token using:
argocd account generate-token --account user
And the involved token I use with this Github action: https://github.com/marketplace/actions/argocd-application-sync-action
Github action returns this:
Run omegion/argocd-actions@v1
Run ref_name=main
Unable to find image 'ghcr.io/omegion/argocd-actions:v1' locally
v1: Pulling from omegion/argocd-actions
8663204ce13b: Pulling fs layer
45c2c68bc0f[7]: Pulling fs layer
8663[20]4ce13b: Download complete
8663204ce13b: Pull complete
45c2c68bc0f7: Verifying Checksum
45c2c68bc0f7: Download complete
45c2c68bc0f7: Pull complete
Digest: sha[25]6:d1655a36cd13bcbc696e663c15753e4edefe1c45af0f18[26]9ebba639999908be
Status: Downloaded newer image for ghcr.io/omegion/argocd-actions:v1
Error: rpc error: code = PermissionDenied desc = permission denied
While if I look at the argocd server logs I get this.
time="2023-03-26T09:56:41Z" level=info msg="received unary call /application.ApplicationService/Sync" grpc.method=Sync grpc.request.content="name:\"admin-panel\" revision:\"\" dryRun:false prune:true " grpc.service=application.ApplicationService grpc.start_time="2023-03-26T09:56:41Z" span.kind=server system=grpc
time="2023-03-26T09:56:41Z" level=warning msg="user tried to get application which they do not have access to: rpc error: code = PermissionDenied desc = permission denied: applications, get, admin-panel/admin-panel, sub: user, iat: 2023-02-28T12:24:31Z" application=admin-panel namespace=argocd project=admin-panel security=2
time="2023-03-26T09:56:41Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = permission denied" grpc.code=PermissionDenied grpc.method=Sync grpc.service=application.ApplicationService grpc.start_time="2023-03-26T09:56:41Z" grpc.time_ms=18.551 span.kind=server system=grpc
time="2023-03-26T09:58:21Z" level=info msg="Alloc=25008 TotalAlloc=12748774 Sys=65873 NumGC=1391 Goroutines=95"
Expected behavior
That user should be able to sync application.
Screenshots
No response
Additional context
No response
Exact same issue here using terraform provider:
argocd_application.composer: Creating...
╷
│ Error: application test could not be created
│
│ with argocd_application.composer,
│ on application.tf line 1, in resource "argocd_application" "composer":
│ 1: resource "argocd_application" "composer" {
│
│ rpc error: code = PermissionDenied desc = permission denied
Reverting to 5.27.1 is solving the issue
Thank you for reporting.
The situation is reported on upstream's issue, https://github.com/argoproj/argo-cd/issues/13000 . argo-helm manages Helm Chart, not Argo CD itself, so let's follow it.👀
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}