Fix rbac error listing Secrets at cluster scope. (#38)

* Fix rbac error listing Secrets at cluster scope. The Secret Watch established in the ApplicationSet controller is global, and rbac for global secrets was recently removed resulting in a broken controller. To work past this and avoid re-introducing global Secret watch RBAC, the Manager's cache is now limited to only the namespace in which it is running. This implies that any attempts to use the client outside that namespace will not work. However this should be safe as we work with Applications and Secrets, both of which should not exist beyond the ArgoCD namespace where we're running. * Remove concept of a default namespace.
argoproj · Sep 17, 2020 · f117f9b · f117f9b
1 parent dfb56ff
commit f117f9b
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/main.go b/main.go
@@ -6,6 +6,8 @@ import (
 	"github.com/argoproj-labs/applicationset/pkg/generators"
 	"github.com/argoproj-labs/applicationset/pkg/services"
 	argov1alpha1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"sigs.k8s.io/controller-runtime/pkg/cache"
+
 	"os"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -51,9 +53,23 @@ func main() {
 
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 
+	// Determine the namespace we're running in. Normally injected into the pod as an env
+	// var via the Kube downward API configured in the Deployment.
+	// Developers running the binary locally will need to remember to set the NAMESPACE environment variable.
+	ns := os.Getenv("NAMESPACE")
+	if len(ns) == 0 {
+		setupLog.Info("Please set NAMESPACE environment variable to match where you are running the applicationset controller")
+		os.Exit(1)
+	}
+	setupLog.Info("using argocd namespace", "namespace", ns)
+
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 		Scheme:                 scheme,
 		MetricsBindAddress:     metricsAddr,
+		// Our cache and thus watches and client queries are restricted to the namespace we're running in. This assumes
+		// the applicationset controller is in the same namespace as argocd, which should be the same namespace of
+		// all cluster Secrets and Applications we interact with.
+		NewCache: cache.MultiNamespacedCacheBuilder([]string{ns}),
 		HealthProbeBindAddress: probeBindAddr,
 		Port:                   9443,
 		LeaderElection:         enableLeaderElection,

diff --git a/manifests/base/deployment.yaml b/manifests/base/deployment.yaml
@@ -21,4 +21,9 @@ spec:
           image: registry.cn-hangzhou.aliyuncs.com/appcenter/argocd-applicationset:v0.1.0
           imagePullPolicy: Always
           name: argocd-applicationset-controller
+          env:
+            - name: NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
       serviceAccountName: argocd-applicationset-controller