Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error listing applications #1000

Open
roelandvanbatenburg opened this issue Jan 8, 2025 · 4 comments
Open

Error listing applications #1000

roelandvanbatenburg opened this issue Jan 8, 2025 · 4 comments
Labels
bug Something isn't working

Comments

@roelandvanbatenburg
Copy link

Describe the bug

Using the install.yml file with the latest version the argocd-image-updater reports that it cannot list the applications:

time="2025-01-08T00:08:15Z" level=info msg="argocd-image-updater v0.15.2+abc0072 starting [loglevel:DEBUG, interval:2m0s, healthport:8080]"
time="2025-01-08T00:08:15Z" level=warning msg="commit message template at /app/config/commit.template does not exist, using default"
time="2025-01-08T00:08:15Z" level=debug msg="Successfully parsed commit message template"
time="2025-01-08T00:08:15Z" level=debug msg="rate limiting is disabled" prefix=europe-west4-docker.pkg.dev registry="https://europe-west4-docker.pkg.dev"
time="2025-01-08T00:08:15Z" level=info msg="Loaded 1 registry configurations from /app/config/registries.conf"
time="2025-01-08T00:08:15Z" level=debug msg="Creating in-cluster Kubernetes client"
time="2025-01-08T00:08:15Z" level=info msg="ArgoCD configuration: [apiKind=kubernetes, server=argocd-server.argo-cd, auth_token=false, insecure=false, grpc_web=false, plaintext=false]"
time="2025-01-08T00:08:15Z" level=info msg="Starting health probe server TCP port=8080"
time="2025-01-08T00:08:15Z" level=info msg="Starting metrics server on TCP port=8081"
time="2025-01-08T00:08:15Z" level=info msg="Warming up image cache"
time="2025-01-08T00:08:15Z" level=error msg="error while communicating with ArgoCD" argocd_server=argocd-server.argo-cd grpc_web=false grpc_webroot= insecure=false plaintext=false
time="2025-01-08T00:08:15Z" level=debug msg="Starting askpass server"
time="2025-01-08T00:08:15Z" level=error msg="error while communicating with ArgoCD" argocd_server=argocd-server.argo-cd grpc_web=false grpc_webroot= insecure=false plaintext=false
time="2025-01-08T00:08:15Z" level=error msg="Error: error listing applications: applications.argoproj.io is forbidden: User \"system:serviceaccount:argo-cd:argocd-image-updater\" cannot list resource \"applications\" in API group \"argoproj.io\" at the cluster scope"

I think the permissions are correct (unmodified from the install.yaml file):

❯ k get ClusterRole argocd-image-updater -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/name":"argocd-image-updater","app.kubernetes.io/part-of":"argocd-image-updater"},"name":"argocd-image-updater"},"rules":[{"apiGroups":[""],"resources":["events"],"verbs":["create"]},{"apiGroups":["argoproj.io"],"resources":["applications"],"verbs":["get","list","update","patch"]}]}
  creationTimestamp: "2025-01-08T00:08:09Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: argocd-image-updater
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater
  resourceVersion: "564902743"
  uid: bbf3e721-6709-42e6-827d-64963f8a589b
rules:
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - argoproj.io
  resources:
  - applications
  verbs:
  - get
  - list
  - update
  - patch
❯ k get ClusterRoleBinding argocd-image-updater -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/name":"argocd-image-updater","app.kubernetes.io/part-of":"argocd-image-updater"},"name":"argocd-image-updater"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"argocd-image-updater"},"subjects":[{"kind":"ServiceAccount","name":"argocd-image-updater","namespace":"argocd"}]}
  creationTimestamp: "2025-01-08T00:08:11Z"
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: argocd-image-updater
    app.kubernetes.io/part-of: argocd-image-updater
  name: argocd-image-updater
  resourceVersion: "564902766"
  uid: 61304127-c574-4781-b35f-13ea7a8d575b
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-image-updater
subjects:
- kind: ServiceAccount
  name: argocd-image-updater
  namespace: argocd

To Reproduce

Steps to reproduce the behavior:

  • See above

Expected behavior

image-updater retrieves a list of applications.

Version

0.15.2

@roelandvanbatenburg roelandvanbatenburg added the bug Something isn't working label Jan 8, 2025
@Sovietaced
Copy link
Contributor

There seem to be a bunch of breaking changes that weren't communicated but I fixed this by installing the new cluster roles and cluster role bindings described here: https://github.com/argoproj-labs/argocd-image-updater/blob/master/manifests/base/rbac/argocd-image-updater-clusterrole.yaml

@roelandvanbatenburg
Copy link
Author

Thanks for your reply!

Those are equal to https://github.com/argoproj-labs/argocd-image-updater/blob/master/manifests/install.yaml#L29, so that did not help, unfortunately.

@chengfang
Copy link
Collaborator

I just tried the install steps in https://argocd-image-updater.readthedocs.io/en/latest/install/installation/, and works fine and apps are being updated:

  Normal  Scheduled  112s  default-scheduler  Successfully assigned argocd/argocd-image-updater-74b45c75df-6p2hw to k3d-argo-latest-server-0
  Normal  Pulling    112s  kubelet            Pulling image "quay.io/argoprojlabs/argocd-image-updater:v0.15.2"
  Normal  Pulled     101s  kubelet            Successfully pulled image "quay.io/argoprojlabs/argocd-image-updater:v0.15.2" in 11.179s (11.179s including waiting). Image size: 92183858 bytes.
  Normal  Created    101s  kubelet            Created container argocd-image-updater
  Normal  Started    101s  kubelet            Started container argocd-image-updater

Did you install image-updater in the same namespace as argo-cd control plane?

@roelandvanbatenburg
Copy link
Author

Yes, it is in the same namespace as argo-cd. Shouldn't really matter as the ClusterRole says it can read from there anyway.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants