
Cannot use an existingSecret for persistence with multiple namespaces #2812

lens0021 opened this issue Jul 8, 2024 · 0 comments

lens0021 commented Jul 8, 2024

Describe the bug

When singleNamespace: false, it seems the workflow-controller and server look for the existingSecret in their own namespace, but they have no permission to get it.

Related helm chart

argo-workflows

Helm chart version

0.40.10

To Reproduce

  1. I had a secret which has the username and password of a PostgreSQL instance.
  2. I've set up a workflow-controller and a server in argo-workflows namespace with the following values:
    # Some details omitted
    controller:
      workflowNamespaces: ["foo", "bar"]
      persistence:
        nodeStatusOffLoad: true
        archive: true
        archiveTTL: 3d
        postgresql:
          host: argo-workflows-postgresql.argo-workflows.svc.cluster.local
          port: 5432
          database: postgres
          tableName: argo_workflows
          userNameSecret:
            name: my-existing-secret
            key: POSTGRESQL_USERNAME
          passwordSecret:
            name: my-existing-secret
            key: POSTGRESQL_PASSWORD

Expected behavior

The controller should be started.

Screenshots

No response

Additional context

The logs from the controller:

time="2024-07-08T08:55:12.195Z" level=info msg="Persistence configuration enabled"
time="2024-07-08T08:55:12.198Z" level=warning msg="Non-transient error: secrets "my-existing-secret" is forbidden: User "system:serviceaccount:argo-workflows:argo-workflows-workflow-controller" cannot get resource "secrets" in API group "" in the namespace "argo-workflows""
time="2024-07-08T08:55:12.198Z" level=fatal msg="Failed to update config: secrets "my-existing-secret" is forbidden: User "system:serviceaccount:argo-workflows:argo-workflows-workflow-controller" cannot get resource "secrets" in API group "" in the namespace "argo-workflows""
Stream closed EOF for argo-workflows/argo-workflows-workflow-controller-6c98cbdcf5-v9ckp (controller)

It seems {{ template "argo-workflows.controller.fullname" . }} is a clusterRole when singleNamespace: false, so

resourceNames:
{{- if .Values.controller.persistence.postgresql }}
- {{ .Values.controller.persistence.postgresql.userNameSecret.name }}
- {{ .Values.controller.persistence.postgresql.passwordSecret.name }}
{{- end}}
{{- if .Values.controller.persistence.mysql }}
- {{ .Values.controller.persistence.mysql.userNameSecret.name }}
- {{ .Values.controller.persistence.mysql.passwordSecret.name }}
{{- end}}
will also be in cluster scope.
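An added example, not part of this issue or of the chart: a small offline model of Kubernetes RBAC rule matching that reproduces the forbidden error in the controller log and checks that a single RoleBinding in the controller's own namespace fixes it without granting access to any other secret. It assumes (hypothetically) that the chart binds the ClusterRole only in the workflowNamespaces entries (foo, bar); the rule itself mirrors the resourceNames template quoted above.

```python
"""Offline model of Kubernetes RBAC matching for the secret lookup described in this issue."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    verbs: set
    resources: set
    resource_names: set = field(default_factory=set)  # empty set means any name

    def matches(self, verb, resource, name):
        return (verb in self.verbs and resource in self.resources
                and (not self.resource_names or name in self.resource_names))


def can_i(bindings, subject, verb, resource, name, namespace):
    """True if any binding for `subject` grants `verb` on resource/name in `namespace`.
    bindings: (subject, bound_namespace, rules); bound_namespace None models a
    ClusterRoleBinding (applies everywhere), otherwise a RoleBinding in that namespace."""
    for bound_subject, bound_ns, rules in bindings:
        if bound_subject != subject:
            continue
        if bound_ns is not None and bound_ns != namespace:
            continue
        if any(r.matches(verb, resource, name) for r in rules):
            return True
    return False


SA = "system:serviceaccount:argo-workflows:argo-workflows-workflow-controller"
# ClusterRole rule as rendered from the template quoted in the issue: get on the named DB secret only.
secret_rule = Rule({"get"}, {"secrets"}, {"my-existing-secret"})
# Assumption (constructed): the chart binds that ClusterRole via RoleBindings in each
# workflowNamespaces entry, and nowhere else.
chart_bindings = [(SA, "foo", [secret_rule]), (SA, "bar", [secret_rule])]


def controller_can_read_db_secret(bindings):
    """The exact check that fails in the log: get secrets/my-existing-secret in argo-workflows."""
    return can_i(bindings, SA, "get", "secrets", "my-existing-secret", "argo-workflows")


# Least-privilege fix: bind the same narrowly scoped rule in the controller's own namespace.
fixed_bindings = chart_bindings + [(SA, "argo-workflows", [secret_rule])]

if __name__ == "__main__":
    print("before fix:", controller_can_read_db_secret(chart_bindings))  # False
    print("after fix: ", controller_can_read_db_secret(fixed_bindings))  # True
```

The same question can be asked of a real cluster with `kubectl auth can-i get secrets/my-existing-secret -n argo-workflows --as=system:serviceaccount:argo-workflows:argo-workflows-workflow-controller`.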
