cannot create Argocd Cluster: rpc error: code = PermissionDenied
exocode opened this issue · 1 comments
Maybe someone can help me to get provider-argocd running, please.
I followed the tutorial in the readme and always end up in a PermissionDenied
error.
What happened?
Each provider-argo resource I try to install is not syncing or creating argocd clusters or projects.
For example applying the cluster:
kubectl apply -f https://raw.githubusercontent.com/crossplane-contrib/provider-argocd/main/examples/cluster/cluster.yaml
results in:
kubectl describe clusters.cluster.argocd.crossplane.io example-cluster
Message: create failed: cannot create Argocd Cluster: rpc error: code = PermissionDenied desc = permission denied: clusters, create, https://kubernetes.default.svc, sub: provider-argocd, iat: 2022-01-31T00:31:22Z
Reason: ReconcileError
Status: False
Type: Synced
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning CannotCreateExternalResource 1s (x12 over 12s) managed/cluster cannot create Argocd Cluster: rpc error: code = PermissionDenied desc = permission denied: clusters, create, https://kubernetes.default.svc, sub: provider-argocd, iat: 2022-01-31T00:31:22Z
How can we reproduce it?
Simply follow all steps in the readme. Only difference I did was using minikube
instead of kind
Sidenotes:
- I also found out, that the ProviderConfig in the /examples/provider differs slightly (in the Readme spec.plainText: false not mentioned).
- How to install crossplane is not declared in the docs, yes it's obvious, but would be nice when following the steps
  - I installed it by
    helm upgrade --install crossplane crossplane-stable/crossplane --namespace crossplane-system --create-namespace --wait
- Installing the provider-argocd is not mentioned in the docs, I know this is also obvious, but is also breaking the installation flow slightly.
  - I installed the provider-argo via manifest, like mentioned in one of the issues: (#17 (comment))
- I created my ArgoCD user by patching the ArgoCD configMap:
  kubectl patch configmap/argocd-cm -n argocd --type merge -p '{"data":{"accounts.provider-argocd":"apiKey, login"}}'
What environment did it happen in?
Crossplane version: helm.sh/chart=crossplane-1.6.1
Crossplane Provider argocd version:
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: argocd-provider
  annotations:
    argocd.argoproj.io/sync-wave: "-46"
spec:
  package: "crossplane/provider-argocd:v0.1.0"
I hope I didn't forget anything.
It would be awesome to finish the installation process successfully.
Thank you in advance
Ok, I found out how to solve that puzzle:
ArgoCD does not allow creating resources, because the user I created is not allowed. The Argo docs say I can create Argo specific RBAC rules, so I had to add them in the argocd-rbac-cm
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
data:
  policy.default: "role:admin" # or something like below
  # policy.csv: |
  #   p, role:provider, applications, *, */*, allow
  #   p, role:provider, clusters, *, *, allow
  #   p, role:provider, projects, *, *, allow
  #   p, role:provider, repositories, *, *, allow
  #   g, provider-argocd, role:provider
I can also patch it:
kubectl patch configmap/argocd-rbac-cm -n argocd --type merge -p '{"data":{"policy.default":"role:admin"}}'
All fixed.
But it would still be nice adding these steps to the docs:
installing Crossplane:
helm upgrade --install crossplane crossplane-stable/crossplane --namespace crossplane-system --create-namespace --wait
creating user:
kubectl patch configmap/argocd-cm -n argocd --type merge -p '{"data":{"accounts.provider-argocd":"apiKey, login"}}'
allow doing everything (for testing):
kubectl patch configmap/argocd-rbac-cm -n argocd --type merge -p '{"data":{"policy.default":"role:admin"}}'
I propose a pull request
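
An added example, not part of the original issue or of the provider-argocd project: a simplified Python model of how Argo CD evaluates policy.csv and policy.default for the request in the error message, comparing the commented-out scoped role with policy.default: role:admin. The single wildcard rule standing in for the built-in role:admin, the fnmatch-based glob matching, and the other-user and accounts requests are assumptions constructed for illustration.

```python
# Added example: simplified model of Argo CD RBAC evaluation (not Argo CD's own code).
from fnmatch import fnmatchcase

# Assumption: the built-in admin role is modelled as one wildcard rule.
BUILTIN = "p, role:admin, *, *, *, allow"

# The commented-out policy.csv from the post, uncommented.
SCOPED = """
p, role:provider, applications, *, */*, allow
p, role:provider, clusters, *, *, allow
p, role:provider, projects, *, *, allow
p, role:provider, repositories, *, *, allow
g, provider-argocd, role:provider
"""

def parse(csv_text):
    """Split policy lines into permission rules (p) and role bindings (g)."""
    rules, bindings = [], []
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(fields[1:])
        elif fields[0] == "g" and len(fields) == 3:
            bindings.append((fields[1], fields[2]))
    return rules, bindings

def allowed(policy_csv, policy_default, sub, resource, action, obj):
    """True if sub, a role bound to it, or the default role has a matching allow rule."""
    rules, bindings = parse(BUILTIN + "\n" + policy_csv)
    subjects = {sub} | {role for user, role in bindings if user == sub}
    if policy_default:
        subjects.add(policy_default)  # policy.default applies to every caller
    return any(
        s in subjects and effect == "allow"
        and fnmatchcase(resource, res) and fnmatchcase(action, act)
        and fnmatchcase(obj, o)
        for s, res, act, o, effect in rules
    )

# The request from the error message in the issue.
REQ = ("provider-argocd", "clusters", "create", "https://kubernetes.default.svc")
# Constructed request: an unrelated account trying to modify another account.
OTHER = ("other-user", "accounts", "update", "admin")

if __name__ == "__main__":
    print("no policy, provider request:     ", allowed("", "", *REQ))
    print("scoped policy, provider request: ", allowed(SCOPED, "", *REQ))
    print("scoped policy, other request:    ", allowed(SCOPED, "", *OTHER))
    print("default=role:admin, other request:", allowed("", "role:admin", *OTHER))
```

With the scoped policy.csv only provider-argocd gains the clusters, projects, repositories and applications permissions, while policy.default: role:admin grants every authenticated account every action.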