Diffing: RPC PermissionDenied
Using a docker image >= v1.5.3, I get the following issue during the argo diff operation:
10:28AM INF check result error="rpc error: code = PermissionDenied desc = permission denied" app=myapp app_name=myapp app_path=application/myapp/manifests check="generating diff for app" event_id=59 repo=kubechecks-test result=
The token used to connect to my argocd installation has admin permissions and the debug log doesn't provide any more info on that topic.
PS: Images older than v1.5.3 can run the diff but always detect "created" instead of "modified". For example when changing replica counts in plain manifests.
Interesting! The "permission denied" should be resolved with #187, and will be released shortly.
The second issue (modifications look like creations) is strange. Does the "myapp" app exist in argocd already, and is it functional? If it's in git but not yet in the cluster, that would explain why kubechecks thinks you're creating the resources. Otherwise there's something else we need to track down here. Anything interesting going on with that app?
I identified the root cause. We use the "Applications in any namespace" feature. A team could deploy an Argo Application in their namespace and then it gets synced to argo.
Documentation: app-any-namespace
This causes Kubechecks to always say that any modifications are "added" even when something is modified or deleted.
I started to move the applications into the argocd namespace and it's running fine now.
Example - Not working (App Manifest in team ns)
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app3-manifests
  namespace: app3
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: app3
    server: https://kubernetes.default.svc
  project: team-apps
  source:
    repoURL: https://xyz.net/argo-bootstrap.git
    path: application/app3-manifest/manifests
  syncPolicy:
    automated:
      selfHeal: true
Example - Working (Application manifest in argocd ns)
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: app3-manifests
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  destination:
    namespace: app3
    server: https://kubernetes.default.svc
  project: team-apps
  source:
    repoURL: https://xyz.net/argo-bootstrap.git
    path: application/app3-manifest/manifests
  syncPolicy:
    automated:
      selfHeal: true
Ah! ok, that makes sense. Let me see if there's a quick fix to that
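An added example, not part of the original thread and not kubechecks code: a stdlib-only Python check that lists Application manifests whose `metadata.namespace` is not the Argo CD namespace (`argocd` in the thread), which are the ones the root-cause comment above describes as affected. The sample manifests are constructed and trimmed; `app4-manifests` and the function names are assumptions.

```python
import re

# Constructed sample: two trimmed Application manifests in one multi-document file.
SAMPLE = """\
kind: Application
metadata:
  name: app3-manifests
  namespace: app3
spec:
  destination:
    namespace: app3
---
kind: Application
metadata:
  name: app4-manifests
  namespace: argocd
spec:
  destination:
    namespace: app4
"""

KEY = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):\s*(.*)$")

def summarise(doc):
    """Return kind, metadata.name and metadata.namespace of one YAML document."""
    info = {"kind": None, "name": None, "namespace": None}
    section, child_indent = None, None
    for line in doc.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # list items, comments, blank lines
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("\"' ")
        if indent == 0:
            section, child_indent = key, None
            if key == "kind":
                info["kind"] = value
        elif section == "metadata":
            # Only direct children of metadata count; spec.destination.namespace
            # is the deploy target, not where the Application object lives.
            child_indent = indent if child_indent is None else child_indent
            if indent == child_indent and key in ("name", "namespace"):
                info[key] = value
    return info

def apps_outside_namespace(text, control_ns="argocd"):
    """List (name, namespace) of Applications not placed in control_ns."""
    docs = (summarise(d) for d in re.split(r"(?m)^---[ \t]*$", text))
    return [(d["name"], d["namespace"]) for d in docs
            if d["kind"] == "Application" and d["namespace"] != control_ns]
```

An Application with no `metadata.namespace` at all is reported with `None`, since its namespace then depends on how the manifest is applied.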