Missing rights on ApplicationSet resource for application controller service account
Describe the bug
Hello,
When performing an argocd installation using the chart, namespace-scoped (createClusterRoles: false), we can't sync ApplicationSets in the cluster, as the role defined for the application controller is missing this resource. An error is displayed, as the application controller can't create applicationsets.
Related helm chart
argo-cd
Helm chart version
7.6.8
To Reproduce
- Install the chart argo-cd with value createClusterRoles: false
- Create an app referencing a repo containing an applicationset
- See the error as in the screenshot below
Expected behavior
The applicationset should be correctly created.
Screenshots
Additional context
No response
I'm not sure that this is actually unexpected behavior. My understanding of namespaced mode is that Argo CD comes with roles for each component to manage their own resources and do nothing else. There's no GitOps management out of the box. After installing the namespaced-mode Argo CD, you're expected to add cluster configurations for anywhere you want to deploy to.
I'm inferring all this from looking at the manifests, I could be missing something.
One of the usual use cases is to have ArgoCD deployed on a control plane cluster, managing applicative remote clusters. In my case, we have several namespaced instances, each managing their set of clusters.
In such a case, we expect to deploy in-cluster only Applications and ApplicationSets. Other resources are deployed on the target remote clusters. I would find it difficult to explain that we can use applications and not applicationsets.
I think this use case is common enough to not force all users to redefine their roles on top to allow it.
Fair point, especially when it's possible to create (certain) AppSets via the API.
If the goal is to allow people to fully manage Argo CD's own config out of the box, we'd want to add write access for these as well:
grep -E "^kind: " manifests/namespace-install.yaml | uniq | sort | awk '{print $2}'
ConfigMap
Deployment
NetworkPolicy
Role
RoleBinding
Secret
Service
ServiceAccount
StatefulSet
If the goal is feature parity between API-managed resources and GitOps managed resources, I think the list is this:
Applications
ApplicationSets
AppProjects
Secrets
I've added a topic to the next contributors meeting. We'll pick a strategy and then make the changes. Probably need some docs around this.
Should we list secrets in the gitops option? Are there still people pushing secrets in git? 😁 Could we advise ExternalSecret or no secrets at all if we go for a solution without external dependency?
Agreed on Secrets.
Contributors call says let's add Applications access.
We probably need some upstream docs on the intent of namespaced mode. i.e. you can GitOps-manage Argo CRDs in the argocd namespace out of the box, but for anything else you're going to have to configure your own access.
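The following manifest is an added example, not code from the argo-helm chart or from anyone in this thread. It shows the shape of a supplementary Role and RoleBinding that gives the application controller write access to the three Argo CD CRDs named earlier in the discussion (Applications, ApplicationSets, AppProjects), while leaving Secrets out as the thread agreed. The namespace `argocd`, the ServiceAccount name `argocd-application-controller` and the Role name are assumptions; substitute the names your release actually uses.

```yaml
# Added example (not from the argo-helm chart or this issue): a supplementary
# Role for a namespace-scoped Argo CD install (createClusterRoles: false) so the
# application controller can apply Argo CD's own CRDs inside its own namespace.
# Assumptions: release namespace "argocd" and a controller ServiceAccount named
# "argocd-application-controller"; the Role name below is hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-application-controller-argoproj-crds
  namespace: argocd
rules:
  # Applications, ApplicationSets and AppProjects only. No Secrets: the thread
  # explicitly decided against granting those, and a Role (not a ClusterRole)
  # keeps the grant confined to this namespace, matching namespaced-mode intent.
  - apiGroups: ["argoproj.io"]
    resources: ["applications", "applicationsets", "appprojects"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-application-controller-argoproj-crds
  namespace: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-application-controller-argoproj-crds
subjects:
  - kind: ServiceAccount
    name: argocd-application-controller
    namespace: argocd
```

After applying it, confirm the grant took effect for the controller's identity rather than your own: `kubectl auth can-i create applicationsets.argoproj.io -n argocd --as=system:serviceaccount:argocd:argocd-application-controller` should answer `yes`, and the same query for `secrets` should still answer `no`. Anything beyond these three kinds (the ConfigMaps, Deployments, NetworkPolicies and so on listed in the grep output above) is deliberately not covered and would need further rules if you want to GitOps-manage Argo CD's full configuration.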
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Up
Merged upstream, pending release