ApplicationSet controller fail with v1alpha1.AppProject: appprojects.argoproj.io is forbidden error

[pasha-codefresh]

Error: W0626 15:42:39.415329 7 reflector.go:539] pkg/mod/k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: failed to list *v1alpha1.AppProject: appprojects.argoproj.io is forbidden: User "system:serviceaccount:argocd:argocd-applicationset-controller" cannot list resource "appprojects" in API group "argoproj.io" in the namespace "argocd"

Version is: v2.13.0+dafb37c

[T1-leiyang]

need to add list verbs for appprojects to the Role or ClusterRole of the argocd-applicationset-controller, and so far there are only get

[pasha-codefresh]

I probably will close this one, as long as it repro only in one environment, and it is working fine locally and on other cluster

[jsolana]

I can reproduce the same issue with this example

Im using:

• kind version 0.22.0
• Argocd 2.12.0-rc2
• Kubernetes: Client Version: v1.29.2, Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3, Server Version: v1.29.2

To reproduce the issue:

kind create cluster
kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.12.0-rc2/manifests/install.yaml

# cloning https://github.com/jsolana/argocd-applications.git
# cd argocd-applications

kubectl apply -f manifests/hello-applicationset.yml

As we discussed here

adding list in argocd-applicationset-controller-role.yaml fix the problem:

- apiGroups:
      - argoproj.io
    resources:
      - appprojects
    verbs:
      - get
      - list

Trying to add / delete an app, it is also missing watch capability and applicationset-controller is trigerring the next error:

13 reflector.go:147] pkg/mod/k8s.io/client-go@v0.29.6/tools/cache/reflector.go:229: Failed to watch *v1alpha1.AppProject: unknown (get appprojects.argoproj.io)

And the same, adding watch fix the problem:

argocd-applicationset-controller-role.yaml

- apiGroups:
      - argoproj.io
    resources:
      - appprojects
    verbs:
      - get
      - list
      - watch

After that, everything works as expected but I still seeing error traces in applicationset-controller's logs:

time="2024-07-02T07:29:54Z" level=error msg="informer is not a kubernetes informer" app=argocd/dev applicationset=argocd/echo-appset
time="2024-07-02T07:29:54Z" level=error msg="informer is not a kubernetes informer" app=argocd/production applicationset=argocd/echo-appset
time="2024-07-02T07:29:54Z" level=error msg="informer is not a kubernetes informer" app=argocd/staging applicationset=argocd/echo-appset
time="2024-07-02T07:29:54Z" level=error msg="informer is not a kubernetes informer" app=argocd/staging2 applicationset=argocd/echo-appset

Anything Im missing or maybe another thing to be fixed?

Thanks!

[agaudreault]

Last error logs seems related to #18905

[jsolana]

Super thanks! Is this fix gonna be available in future 2.12.0-rc4?