feat: Decoupling application sync using impersonation #17403

Merged
jannfis merged 19 commits into argoproj:master from anandf:sync_with_impersonate
Sep 4, 2024

Conversation

@anandf
Member

@anandf anandf commented Mar 5, 2024

Implementation of proposal #14255
Addresses issue #7689
Related PR in gitops-engine: argoproj/gitops-engine#534

Many engineers from Red Hat worked on this effort. This PR consolidates all their effort to have a single PR/merge commit for the entire feature implementation so that it is easy for maintainers to review and merge it.
CLI changes - @ishitasequeira
GUI changes - @raghavi101 @keithchong
E2E Tests - @Mangaal

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

Testing this feature

Prerequisites

  • make
  • docker
  • sed
  • kubectl
  • kind

Procedure

  1. Clone the repo and check out the branch:

```shell
git clone git@github.com:anandf/argo-cd.git
cd argo-cd
git checkout sync_with_impersonate
```

  2. Build the docker image and the CLI client. Push the docker image to quay.io for testing.

```shell
export QUAY_USER=<username_in_quay.io>
IMAGE_NAMESPACE=quay.io/$QUAY_USER make image build-local
docker push quay.io/$QUAY_USER/argocd:latest
ls -l ./dist/argocd
```

  3. Create a kind test cluster:

```shell
kind create cluster --name argocd
```

  4. Modify the image name to use the image built and pushed in step 2.

```shell
export QUAY_USER=<username_in_quay.io>
sed -i "s/quay.io\/argoproj\/argocd/quay.io\/$QUAY_USER\/argocd/g" manifests/install.yaml
```

  5. Install ArgoCD:

```shell
kubectl create ns argocd
kubectl apply -f manifests/install.yaml -n argocd
kubectl config set-context --current --namespace argocd
```

  6. Enable the Application sync impersonation feature in argocd-cm:

```shell
kubectl patch cm/argocd-cm -n argocd --type=merge -p='{"data":{"application.sync.impersonation.enabled":"true"}}'
```

Note: If using an argocd-operator based installation, patch the ArgoCD CR as below:

```shell
oc patch argocd/openshift-gitops -n openshift-gitops --type=merge -p='{"spec": {"extraConfig" : {"application.sync.impersonation.enabled":"true"}}}'
```

  7. Create an AppProject called guestbook-proj:

```shell
./dist/argocd proj create guestbook-proj -d https://kubernetes.default.svc,guestbook -s https://github.com/argoproj/argocd-example-apps.git --core
```

  8. Whitelist all cluster resources in the AppProject, so that the Application can auto create namespaces if required.

```shell
./dist/argocd proj allow-cluster-resource guestbook-proj '*' '*'
```

  9. Add destination service account configuration for the guestbook ns as below:

```shell
./dist/argocd proj add-destination-service-account guestbook-proj https://kubernetes.default.svc guestbook guestbook-deployer --core
```

  10. Create an argo application guestbook associated with AppProject guestbook-proj:

```shell
./dist/argocd app create guestbook --core \
    --repo https://github.com/argoproj/argocd-example-apps \
    --path guestbook \
    --project guestbook-proj \
    --dest-server https://kubernetes.default.svc \
    --dest-namespace guestbook \
    --directory-recurse \
    --sync-policy automated \
    --sync-option ServerSideApply=true \
    --sync-option CreateNamespace=true
```

  11. Check if the application fails to sync as the service account is not created yet.

```shell
kubectl get application guestbook -n argocd -o yaml
```

Sample error message:

```
message: 'Namespace auto creation failed: namespaces "guestbook" is forbidden:
          User "system:serviceaccount:guestbook:guestbook-deployer" cannot get resource
          "namespaces" in API group "" in the namespace "guestbook"'
```

  12. Now create the service account guestbook-deployer in the guestbook ns with the required access.

```shell
kubectl create ns guestbook
kubectl create sa guestbook-deployer -n guestbook
kubectl create rolebinding guestbook-deployer-rb -n guestbook --clusterrole cluster-admin --serviceaccount guestbook:guestbook-deployer
```

  13. Sync the application and see if the sync operation succeeds now.

```shell
./dist/argocd app sync argocd/guestbook --core
./dist/argocd app list --core
```

  14. Check the negative scenario, where the sync operation fails with an error when no matching SA is present.

```shell
./dist/argocd proj add-destination guestbook-proj https://kubernetes.default.svc guestbook-dev --core
./dist/argocd app create guestbook-dev --core \
    --repo https://github.com/argoproj/argocd-example-apps \
    --path guestbook \
    --project guestbook-proj \
    --dest-server https://kubernetes.default.svc \
    --dest-namespace guestbook-dev \
    --directory-recurse \
    --sync-policy automated \
    --sync-option ServerSideApply=true
```

  15. Check if the application fails to sync as the service account is not created yet.

```shell
kubectl get application guestbook-dev -n argocd -o yaml
```

Sample error message:

```
failed to find a matching service account to impersonate: no matching
      service account found for destination server https://kubernetes.default.svc
      and namespace guestbook-dev. (retried 5 times)
```
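The two outcomes exercised in the test procedure above (a destination with a configured service account yields a `system:serviceaccount:<ns>:<name>` impersonation identity; a destination without one is refused rather than synced with the controller's own credentials) can be modelled in a few lines. The following Go program is an added example written for this page, not code from the PR or from the Argo CD code base: the `DestinationServiceAccount` struct, the first-match-wins rule, the single-`*` glob, and the `<namespace>:<name>` prefixed form of a service account are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DestinationServiceAccount models one entry added with
// `argocd proj add-destination-service-account <proj> <server> <namespace> <sa>`.
// The struct and field names are assumptions for this example, not the
// Argo CD API types.
type DestinationServiceAccount struct {
	Server         string
	Namespace      string
	ServiceAccount string // "<name>" or "<namespace>:<name>" (the prefixed form is assumed)
}

// ErrNoMatchingServiceAccount is returned when a destination has no entry;
// the sync is refused instead of falling back to the controller's own
// cluster-admin credentials.
var ErrNoMatchingServiceAccount = errors.New("no matching service account found")

// matchPattern is a deliberately small glob: a literal match, or a single
// '*' that stands for any run of characters (a simplification assumed here).
func matchPattern(pattern, value string) bool {
	star := strings.Index(pattern, "*")
	if star < 0 {
		return pattern == value
	}
	prefix, suffix := pattern[:star], pattern[star+1:]
	return len(value) >= len(prefix)+len(suffix) &&
		strings.HasPrefix(value, prefix) && strings.HasSuffix(value, suffix)
}

// ResolveImpersonationUser returns the Kubernetes username that would be
// impersonated for the given destination, in the
// system:serviceaccount:<namespace>:<name> form seen in the PR's sample
// error. The first matching entry wins (assumed ordering rule), and a bare
// service-account name is assumed to live in the destination namespace.
func ResolveImpersonationUser(entries []DestinationServiceAccount, server, namespace string) (string, error) {
	for _, e := range entries {
		if !matchPattern(e.Server, server) || !matchPattern(e.Namespace, namespace) {
			continue
		}
		saNamespace, saName := namespace, e.ServiceAccount
		if i := strings.Index(saName, ":"); i >= 0 {
			saNamespace, saName = saName[:i], saName[i+1:]
		}
		if saName == "" {
			return "", fmt.Errorf("empty service account name in entry for server %q namespace %q", e.Server, e.Namespace)
		}
		return fmt.Sprintf("system:serviceaccount:%s:%s", saNamespace, saName), nil
	}
	return "", fmt.Errorf("failed to find a matching service account to impersonate: %w for destination server %s and namespace %s",
		ErrNoMatchingServiceAccount, server, namespace)
}

func main() {
	// Constructed sample: the single entry created in the PR's test procedure.
	entries := []DestinationServiceAccount{
		{Server: "https://kubernetes.default.svc", Namespace: "guestbook", ServiceAccount: "guestbook-deployer"},
	}
	// "guestbook" resolves; "guestbook-dev" has no entry and is refused.
	for _, ns := range []string{"guestbook", "guestbook-dev"} {
		user, err := ResolveImpersonationUser(entries, "https://kubernetes.default.svc", ns)
		if err != nil {
			fmt.Println("sync refused:", err)
			continue
		}
		fmt.Println("impersonating:", user)
	}
}
```

The point worth checking in any real deployment is the refusal path: an application whose destination has no service-account entry must fail closed, as the `guestbook-dev` step shows, because the alternative is a sync performed with whatever cluster-wide permissions the application controller itself holds.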
