fix(argo-cd): Add missing applicaton & events create ClusterRole perms #1625

Contributor

@nxf5025 nxf5025 commented Nov 7, 2022

This expands upon #1621 and provides the full fix for allowing applications to be created in all namespaces.

argocd-server log before the change:

```
time="2022-11-07T19:47:01Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = error creating application: applications.argoproj.io is forbidden: User \"system:serviceaccount:argocd:argocd-server\" cannot create resource \"applications\" in API group \"argoproj.io\" in the namespace \"mynamespace\"" grpc.code=PermissionDenied grpc.method=Create grpc.service=application.ApplicationService grpc.start_time="2022-11-07T19:47:00Z" grpc.time_ms=1151.638 span.kind=server system=grpc

time="2022-11-07T19:58:49Z" level=error msg="Unable to create audit event: events is forbidden: User \"system:serviceaccount:argocd:argocd-server\" cannot create resource \"events\" in API group \"\" in the namespace \"mynamespace\"" application=guestbook dest-namespace=default dest-server="https://kubernetes.default.svc" reason=ResourceCreated type=Normal
```

Both of the errors are cleared up with this PR.

Signed-off-by: Nick Fisher nxf5025@gmail.com

Checklist:

  • I have bumped the chart version according to versioning
  • I have updated the documentation according to documentation
  • I have updated the chart changelog with all the changes that come with this pull request according to changelog.
  • Any new values are backwards compatible and/or have sensible default.
  • I have signed off all my commits as required by DCO.
  • My build is green (troubleshooting builds).

Changes are automatically published when merged to main. They are not published on branches.
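
An added example (not part of the pull request or the chart): a small parser that extracts RBAC denials like the two in the argocd-server log above and groups them by service account, API group and resource, so a reviewer can see exactly which verbs a ClusterRole lacks before widening it. The function names are hypothetical; the sample lines are abridged from the PR description, plus one constructed line.

```python
import re
from collections import defaultdict

# Matches the Kubernetes API server's RBAC denial text, either unescaped or
# as it appears inside logfmt-quoted fields (inner quotes escaped as \").
DENIED = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) resource '
    r'\\?"(?P<resource>[^"\\]+)\\?" in API group \\?"(?P<group>[^"\\]*)\\?"'
    r'(?: in the namespace \\?"(?P<namespace>[^"\\]+)\\?")?'
)

def parse_denials(lines):
    """Yield one dict per RBAC denial found in the given log lines."""
    for line in lines:
        m = DENIED.search(line)
        if m:
            d = m.groupdict()
            # Denials on cluster-scoped resources carry no namespace clause.
            d["namespace"] = d["namespace"] or "<cluster-scoped>"
            yield d

def missing_rules(lines):
    """Group denials as {(user, apiGroup, resource): {"verbs", "namespaces"}}."""
    rules = defaultdict(lambda: {"verbs": set(), "namespaces": set()})
    for d in parse_denials(lines):
        entry = rules[(d["user"], d["group"], d["resource"])]
        entry["verbs"].add(d["verb"])
        entry["namespaces"].add(d["namespace"])
    return dict(rules)

# Sample input: the two denials from the PR description (trailing fields
# abridged) and one constructed non-denial line that must be ignored.
SAMPLE_LOG = r'''
time="2022-11-07T19:47:01Z" level=warning msg="finished unary call with code PermissionDenied" error="rpc error: code = PermissionDenied desc = error creating application: applications.argoproj.io is forbidden: User \"system:serviceaccount:argocd:argocd-server\" cannot create resource \"applications\" in API group \"argoproj.io\" in the namespace \"mynamespace\"" grpc.code=PermissionDenied
time="2022-11-07T19:58:49Z" level=error msg="Unable to create audit event: events is forbidden: User \"system:serviceaccount:argocd:argocd-server\" cannot create resource \"events\" in API group \"\" in the namespace \"mynamespace\"" application=guestbook
time="2022-11-07T19:59:00Z" level=info msg="finished unary call with code OK" grpc.code=OK
'''.strip().splitlines()

if __name__ == "__main__":
    for (user, group, resource), e in sorted(missing_rules(SAMPLE_LOG).items()):
        print(f'{user}: apiGroups=["{group}"] resources=["{resource}"] '
              f'verbs={sorted(e["verbs"])} namespaces={sorted(e["namespaces"])}')
```

The empty API group on the `events` denial is the core group, which is why it needs its own rule entry rather than being covered by a rule for `argoproj.io`.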

…issions to argo-cd-server

Signed-off-by: Nick Fisher <nxf5025@gmail.com>
@nxf5025 nxf5025 changed the title fix(argo-cd): Add missing applicaton & events create ClusterRole perm… fix(argo-cd): Add missing applicaton & events create ClusterRole perms Nov 7, 2022
@EladDolev
Contributor

Hi @nxf5025, great job!

I can confirm the issue with creating events.

How to reproduce the issue with creating applications?

Signed-off-by: Petr Drastil <petr.drastil@gmail.com>
@nxf5025
Contributor Author

nxf5025 commented Nov 8, 2022

@EladDolev - If you take a look at the first two code blocks in the proposal you should be able to reproduce (https://github.com/argoproj/argo-cd/blob/master/docs/proposals/003-applications-outside-argocd-namespace.md#proposal). The application creation will fail if create isn't added to the clusterrole.

@EladDolev
Contributor

Well @nxf5025 reason I'm asking is because I'm unable to reproduce 😄
I can successfully create an application in non-controller namespaces either via UI or declaratively without permissions to argocd-server to do so

Looking at the proposal gives me no idea how to reproduce unfortunately...

@nxf5025
Contributor Author

nxf5025 commented Nov 8, 2022

@EladDolev Weirdly enough when I execute the examples in the code blocks of the proposal I hit the issue:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  labels:
    argocd.argoproj.io/instance: argocd
  name: some-project
  namespace: argocd
spec:
  clusterResourceWhitelist:
    - group: '*'
      kind: '*'
  description: some project
  destinations:
    - namespace: '*'
      server: 'https://kubernetes.default.svc'
  namespaceResourceWhitelist:
    - group: '*'
      kind: '*'
  sourceNamespaces:
    - foo-ns
    - bar-ns
  sourceRepos:
    - '*'
```

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: some-app
  namespace: bar-ns
spec:
  project: some-project
  destination:
    namespace: default
    server: 'https://kubernetes.default.svc'
  source:
    path: helm-guestbook
    repoURL: 'https://github.com/argoproj/argocd-example-apps.git'
    targetRevision: HEAD
```

As soon as I add the create to the ClusterRole it clears up and the application deploys. I would honestly see this as a bug if create is not needed as I wouldn't think an application could be created without the create permission in the first place.

Signed-off-by: Nick Fisher <nxf5025@gmail.com>
Signed-off-by: Nick Fisher <nxf5025@gmail.com>
@EladDolev
Contributor

@nxf5025 did you set configs.params.application.namespaces: '*'?

@nxf5025
Contributor Author

nxf5025 commented Nov 8, 2022

I set it to configs.params.application.namespaces: bar-ns

Signed-off-by: Nick Fisher <nxf5025@gmail.com>
@github-actions

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
