Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fails to list applications when installed by helm-chart and createClusterRoles not enabled #902

Open
nabadger opened this issue Oct 30, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@nabadger
Copy link

Describe the bug
I've upgraded from 0.12.0 to 0.15.0.

Previously no cluster roles were required.

Upon startup, i get the following errors

ttime="2024-10-30T12:53:25Z" level=error msg="error while communicating with ArgoCD" argocd_server=argocd-server.argocd grpc_web=true grpc_webroot= insecure=false plaintext=false
time="2024-10-30T12:53:25Z" level=error msg="Error: error listing applications: applications.argoproj.io is forbidden: User \"system:serviceaccount:argocd:argocd-image-updater\"

This is when running in kubernetes-api mode (so the initial complaints about ArgoCD are also strange...)

To Reproduce

Run the latest image against official helm chart and ensure createClusterRoles: false.

Expected behavior

I would expect the role-bindings shipped with the helm chart should work. I'm also curious to know why the clusterrole needs update/patch?

Additional context

I'm not sure whether this is a helm-chart issue, or whether the actual code should support only handling applications from the deployed namespace (in our case argocd). All of our application resources are in this namespace.

Ideally it would be nice to have the option here. That still might be covered by the RBAC though rather than app-code, so could still be a helm issue.

I believe the error comes from

appList, err := client.ListApplications(v1.NamespaceAll)

and is a result of #854

Version
v.015.0 - was not present in v0.12.0

@nabadger nabadger added the bug Something isn't working label Oct 30, 2024
@borja00
Copy link

borja00 commented Nov 21, 2024

I'm experiencing the same problem, our current setup does not allowed to create Cluster scope roles and bindings. It would be great if cross namespace application support could be optional.

@mysiki
Copy link

mysiki commented Nov 25, 2024

+1

@fad3t
Copy link

fad3t commented Dec 13, 2024

Same issue here, we're deploying instances of image-updater per namespace, and we'd like to keep that level of isolation between namespaces.

If this is related to #854, then we might need a flag that tells image-updater whether it's namespaced or not.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

4 participants