Diffing: RPC PermissionDenied #191

Open
mar-ki opened this issue Apr 9, 2024 · 3 comments
Labels
bug Something isn't working

Comments


mar-ki commented Apr 9, 2024

Using a docker image >= v1.5.3, I get the following issue during the argo diff operation:

10:28AM INF check result error="rpc error: code = PermissionDenied desc = permission denied" app=myapp app_name=myapp app_path=application/myapp/manifests check="generating diff for app" event_id=59 repo=kubechecks-test result=

The token used to connect to my argocd installation has admin permissions and the debug log doesn't provide any more info on that topic.

PS: Images older than v1.5.3 can run the diff but always detect "created" instead of "modified". For example when changing replica counts in plain manifests.

Collaborator

djeebus commented Apr 11, 2024

Interesting! The "permission denied" should be resolved with #187, and will be released shortly.

The second issue (modifications look like creations) is strange. Does the "myapp" app exist in argocd already, and is it functional? If it's in git but not yet in the cluster, that would explain why kubechecks thinks you're creating the resources. Otherwise there's something else we need to track down here. Anything interesting going on with that app?

djeebus added the bug label Apr 11, 2024
Author

mar-ki commented Apr 12, 2024

I identified the root cause. We use the "Applications in any namespace" feature. A team could deploy an Argo Application in their namespace and then it gets synced to argo.
Documentation: app-any-namespace

This causes Kubechecks to always say that any modifications are "added" even when something is modified or deleted.

I started to move the applications into the argocd namespace and it's running fine now.

Example - Not working (App Manifest in team ns)

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app3-manifests
  namespace: app3
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: app3
    server: https://kubernetes.default.svc
  project: team-apps
  source:
    repoURL: https://xyz.net/argo-bootstrap.git
    path: application/app3-manifest/manifests
  syncPolicy:
    automated:
      selfHeal: true

Example - Working (Application manifest in argocd ns)

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app3-manifests
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: app3
    server: https://kubernetes.default.svc
  project: team-apps
  source:
    repoURL: https://xyz.net/argo-bootstrap.git
    path: application/app3-manifest/manifests
  syncPolicy:
    automated:
      selfHeal: true
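
To find which Application manifests in a repository sit outside the control-plane namespace, and so match the "not working" case above, a check along these lines can be run over the manifests. It is an added example, not part of the original comment or of kubechecks; the function names are hypothetical, and it assumes the control-plane namespace is `argocd` and that manifests are block-style YAML with two-space indentation like the ones shown above.

```python
import re

CONTROL_PLANE_NS = "argocd"  # assumption: the namespace Argo CD itself runs in

# Constructed sample: the two manifests above, trimmed, as one multi-document stream.
SAMPLE = """\
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app3-manifests
  namespace: app3
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app3-manifests
  namespace: argocd
spec:
  destination:
    namespace: app3
"""

def app_identity(doc):
    """Return (kind, name, namespace) from top-level kind and metadata.* only."""
    found, section = {}, None
    for line in doc.splitlines():
        m = re.match(r"^( *)([\w.-]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\" ")
        if indent == 0:
            section = key
            if key == "kind":
                found["kind"] = value
        elif section == "metadata" and indent == 2 and key in ("name", "namespace"):
            found[key] = value
    return found.get("kind"), found.get("name"), found.get("namespace")

def apps_outside_control_plane(stream, control_ns=CONTROL_PLANE_NS):
    """List 'namespace/name' for Applications not in the control-plane namespace."""
    hits = []
    for doc in re.split(r"(?m)^---[ \t]*$", stream):
        kind, name, ns = app_identity(doc)
        # No metadata.namespace: skipped, the target depends on how it is applied.
        if kind == "Application" and ns and ns != control_ns:
            hits.append(f"{ns}/{name}")
    return hits

if __name__ == "__main__":
    print(apps_outside_control_plane(SAMPLE))
```

The check reads `metadata.namespace` only; `spec.destination.namespace` is where the workload is deployed and is `app3` in both the working and the non-working manifest.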

Collaborator

djeebus commented Apr 12, 2024

Ah! ok, that makes sense. Let me see if there's a quick fix to that
