Controller ClusterRole missing permissions #13341

Open
4 tasks done
menzbua opened this issue Jul 12, 2024 · 2 comments
Labels

  • area/agent: Argo Agent that runs for HTTP and Plugin templates
  • area/controller: Controller issues, panics
  • area/manifests
  • area/templates/http
  • type/bug
  • type/regression: Regression from previous behavior (a specific type of bug)
  • type/support: User support issue - likely not a bug


menzbua commented Jul 12, 2024

Pre-requisites

  • I have double-checked my configuration
  • I have tested with the :latest image tag (i.e. quay.io/argoproj/workflow-controller:latest) and can confirm the issue still exists on :latest. If not, I have explained why, in detail, in my description below.
  • I have searched existing issues and could not find a match for this bug
  • I'd like to contribute the fix myself (see contributing guide)

What happened? What did you expect to happen?

Describe the bug

Hi,

I have a problem with the Argo Workflows HTTP template. When I run a workflow using this template, the workflow takes 30 seconds or many minutes to finish. I researched the behavior and found an error message in the workflow-controller pod:

time="2024-07-11T11:35:07.711Z" level=warning msg="error updating taskset" error="failed patching taskset: workflowtasksets.argoproj.io \"http-template-5bskv\" is forbidden: User \"system:serviceaccount:argocd:argo-workflows-workflow-controller\" cannot patch resource \"workflowtasksets/status\" in API group \"argoproj.io\" in the namespace \"argocd\"" namespace=argocd workflow=http-template-5bskv

I've installed Argo Workflows using the latest Helm chart. After I investigated the issue, I found a missing permission in the ClusterRole for the workflow-controller.

- apiGroups:
    - argoproj.io
  resources:
    - workflowtasksets/status
    - workflowartifactgctasks/status
  verbs:
    - patch

After adding this rule to the ClusterRole on my cluster, all HTTP Template jobs are running perfectly fine. I've opened an issue at the Helm-Chart repo (argoproj/argo-helm#2824) and they pointed out to me that the permission is missing in the "manifests/cluster-install/argo-server-rbac/argo-server-clusterole.yaml" file, too. Is it possible that these permissions are missing? Or did I make some misconfiguration in my cluster? I'm a little confused that this issue should only happen on my site.

Thank you so much for helping.

Version(s)

v3.5.8

Paste a minimal workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflow that uses private images.

apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: http-template-
  namespace: argocd
spec:
  entrypoint: main
  templates:
    - name: main
      steps:
        - - name: get-google-homepage
            template: http
            arguments:
              parameters: [{name: url, value: "https://www.google.com"}]
    - name: http
      inputs:
        parameters:
          - name: url
      http:
        timeoutSeconds: 60
        url: "{{inputs.parameters.url}}"
        method: "GET"
        successCondition: "response.body contains \"google\"" # available since v3.3
  ttlStrategy:
    secondsAfterCompletion: 300
  podGC:
    strategy: OnPodCompletion

Logs from the workflow controller

time="2024-07-11T11:35:07.711Z" level=warning msg="error updating taskset" error="failed patching taskset: workflowtasksets.argoproj.io \"http-template-5bskv\" is forbidden: User \"system:serviceaccount:argocd:argo-workflows-workflow-controller\" cannot patch resource \"workflowtasksets/status\" in API group \"argoproj.io\" in the namespace \"argocd\"" namespace=argocd workflow=http-template-5bskv

Logs from your workflow's wait container

time="2024-07-11T11:35:07.711Z" level=warning msg="error updating taskset" error="failed patching taskset: workflowtasksets.argoproj.io \"http-template-5bskv\" is forbidden: User \"system:serviceaccount:argocd:argo-workflows-workflow-controller\" cannot patch resource \"workflowtasksets/status\" in API group \"argoproj.io\" in the namespace \"argocd\"" namespace=argocd workflow=http-template-5bskv

agilgur5 changed the title from "Possible Bug in workflow cluster role missing permissions" to "Controller ClusterRole missing permissions" on Jul 12, 2024

Member

agilgur5 commented Jul 12, 2024

> they pointed out to me that the permission is missing in the "manifests/cluster-install/argo-server-rbac/argo-server-clusterole.yaml" file, too.

I think you meant this file? The Controller ClusterRole?

> I've opened an issue at the Helm-Chart repo (argoproj/argo-helm#2824)

It looks like Tim responded in your PR rather: argoproj/argo-helm#2825 (comment)

> I researched the behavior and found an error message in the workflow-controller pod:

Are you sure that was in your Controller, and not in the workflow's own Pod?

In your Helm issue, you pointed to the workflow role; that is the SA attached to Pods started by a workflow.
It seems to not be separated out per type of workflow, but the workflowtasksets/status permission inherits from the agent RBAC, which you can find here:

And indeed the agent communicates its status to the Controller that way. I don't believe the Controller otherwise needs that permission.

workflowartifactgctasks/status is similar for the ArtifactGC Pod:

- workflowartifactgctasks/status

agilgur5 added the area/templates/http, area/agent, problem/more information needed and type/support labels on Jul 12, 2024

Author

menzbua commented Jul 15, 2024

I reproduced the issue again. When I remove this permission from the ClusterRole argo-workflows-workflow-controller:

- apiGroups:
  - argoproj.io
  resources:
  - workflowtasksets/status
  - workflowartifactgctasks/status
  verbs:
  - patch

I see the errors in the workflow-controller pod:

time="2024-07-15T06:30:01.923Z" level=warning msg="error updating taskset" error="failed patching taskset: workflowtasksets.argoproj.io \"http-template-fjt8f\" is forbidden: User \"system:serviceaccount:argocd:argo-workflows-workflow-controller\" cannot patch resource \"workflowtasksets/status\" in API group \"argoproj.io\" in the namespace \"argocd\"" namespace=argocd workflow=http-template-fjt8f
time="2024-07-15T06:30:01.942Z" level=info msg="Workflow update successful" namespace=argocd phase=Running resourceVersion=260438096 workflow=http-template-fjt8f
time="2024-07-15T06:30:07.550Z" level=info msg="Processing workflow" Phase=Running ResourceVersion=260437855 namespace=argocd workflow=http-template-75bnp
time="2024-07-15T06:30:07.552Z" level=info msg="Task-result reconciliation" namespace=argocd numObjs=0 workflow=http-template-75bnp
time="2024-07-15T06:30:07.552Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-75bnp
time="2024-07-15T06:30:07.552Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-75bnp-1340600742-agent
time="2024-07-15T06:30:07.552Z" level=error msg="was unable to obtain node for http-template-75bnp-2166136261" namespace=argocd workflow=http-template-75bnp
time="2024-07-15T06:30:07.552Z" level=info msg="Workflow step group node http-template-75bnp-2750993691 not yet completed" namespace=argocd workflow=http-template-75bnp
time="2024-07-15T06:30:07.552Z" level=info msg="TaskSet Reconciliation" namespace=argocd workflow=http-template-75bnp
time="2024-07-15T06:30:07.552Z" level=info msg="Creating TaskSet" namespace=argocd workflow=http-template-75bnp
time="2024-07-15T06:30:07.579Z" level=info msg=reconcileAgentPod namespace=argocd workflow=http-template-75bnp
time="2024-07-15T06:30:07.579Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-75bnp
time="2024-07-15T06:30:07.579Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-75bnp-1340600742-agent
time="2024-07-15T06:30:07.579Z" level=info msg="Workflow to be dehydrated" Workflow Size=22261
time="2024-07-15T06:30:07.582Z" level=warning msg="error updating taskset" error="failed patching taskset: workflowtasksets.argoproj.io \"http-template-75bnp\" is forbidden: User \"system:serviceaccount:argocd:argo-workflows-workflow-controller\" cannot patch resource \"workflowtasksets/status\" in API group \"argoproj.io\" in the namespace \"argocd\"" namespace=argocd workflow=http-template-75bnp
time="2024-07-15T06:30:07.600Z" level=info msg="Workflow update successful" namespace=argocd phase=Running resourceVersion=260438180 workflow=http-template-75bnp
time="2024-07-15T06:30:10.059Z" level=info msg="Processing workflow" Phase=Running ResourceVersion=260437898 namespace=argocd workflow=http-template-nfrn9
time="2024-07-15T06:30:10.060Z" level=info msg="Task-result reconciliation" namespace=argocd numObjs=0 workflow=http-template-nfrn9
time="2024-07-15T06:30:10.060Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-nfrn9
time="2024-07-15T06:30:10.060Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-nfrn9-1340600742-agent
time="2024-07-15T06:30:10.060Z" level=error msg="was unable to obtain node for http-template-nfrn9-2166136261" namespace=argocd workflow=http-template-nfrn9
time="2024-07-15T06:30:10.061Z" level=info msg="Workflow step group node http-template-nfrn9-2088566058 not yet completed" namespace=argocd workflow=http-template-nfrn9
time="2024-07-15T06:30:10.061Z" level=info msg="TaskSet Reconciliation" namespace=argocd workflow=http-template-nfrn9
time="2024-07-15T06:30:10.061Z" level=info msg="Creating TaskSet" namespace=argocd workflow=http-template-nfrn9
time="2024-07-15T06:30:10.076Z" level=info msg="Processing workflow" Phase=Running ResourceVersion=260437900 namespace=argocd workflow=http-template-h5mcv
time="2024-07-15T06:30:10.077Z" level=info msg="Task-result reconciliation" namespace=argocd numObjs=0 workflow=http-template-h5mcv
time="2024-07-15T06:30:10.077Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-h5mcv
time="2024-07-15T06:30:10.077Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-h5mcv-1340600742-agent
time="2024-07-15T06:30:10.077Z" level=error msg="was unable to obtain node for http-template-h5mcv-2166136261" namespace=argocd workflow=http-template-h5mcv
time="2024-07-15T06:30:10.078Z" level=info msg="Workflow step group node http-template-h5mcv-2436720626 not yet completed" namespace=argocd workflow=http-template-h5mcv
time="2024-07-15T06:30:10.078Z" level=info msg="TaskSet Reconciliation" namespace=argocd workflow=http-template-h5mcv
time="2024-07-15T06:30:10.078Z" level=info msg="Creating TaskSet" namespace=argocd workflow=http-template-h5mcv
time="2024-07-15T06:30:10.095Z" level=info msg=reconcileAgentPod namespace=argocd workflow=http-template-nfrn9
time="2024-07-15T06:30:10.095Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-nfrn9
time="2024-07-15T06:30:10.095Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-nfrn9-1340600742-agent
time="2024-07-15T06:30:10.095Z" level=info msg="Workflow to be dehydrated" Workflow Size=22168
time="2024-07-15T06:30:10.101Z" level=warning msg="error updating taskset" error="failed patching taskset: workflowtasksets.argoproj.io \"http-template-nfrn9\" is forbidden: User \"system:serviceaccount:argocd:argo-workflows-workflow-controller\" cannot patch resource \"workflowtasksets/status\" in API group \"argoproj.io\" in the namespace \"argocd\"" namespace=argocd workflow=http-template-nfrn9
time="2024-07-15T06:30:10.109Z" level=info msg=reconcileAgentPod namespace=argocd workflow=http-template-h5mcv
time="2024-07-15T06:30:10.109Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-h5mcv
time="2024-07-15T06:30:10.109Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-h5mcv-1340600742-agent
time="2024-07-15T06:30:10.109Z" level=info msg="Workflow to be dehydrated" Workflow Size=22204
time="2024-07-15T06:30:10.113Z" level=warning msg="error updating taskset" error="failed patching taskset: workflowtasksets.argoproj.io \"http-template-h5mcv\" is forbidden: User \"system:serviceaccount:argocd:argo-workflows-workflow-controller\" cannot patch resource \"workflowtasksets/status\" in API group \"argoproj.io\" in the namespace \"argocd\"" namespace=argocd workflow=http-template-h5mcv
time="2024-07-15T06:30:10.120Z" level=info msg="Workflow update successful" namespace=argocd phase=Running resourceVersion=260438215 workflow=http-template-nfrn9
time="2024-07-15T06:30:10.131Z" level=info msg="Workflow update successful" namespace=argocd phase=Running resourceVersion=260438216 workflow=http-template-h5mcv
time="2024-07-15T06:31:42.349Z" level=info msg="Alloc=9776 TotalAlloc=4844300 Sys=32357 NumGC=2193 Goroutines=171"

And the tasks with the HTTP template last very long:
[Screenshot: long_lasting_tasks]
When I reattach the policy to the ClusterRole, there are no errors in the workflow-controller pod:

time="2024-07-15T06:38:11.910Z" level=info msg="Processing workflow" Phase= ResourceVersion=260445416 namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.921Z" level=warning msg="Non-transient error: configmaps \"artifact-repositories\" not found"
time="2024-07-15T06:38:11.921Z" level=info msg="resolved artifact repository" artifactRepositoryRef=default-artifact-repository
time="2024-07-15T06:38:11.921Z" level=info msg="Task-result reconciliation" namespace=argocd numObjs=0 workflow=http-template-tw7cw
time="2024-07-15T06:38:11.921Z" level=info msg="Updated phase  -> Running" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.921Z" level=warning msg="Node was nil, will be initialized as type Skipped" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.921Z" level=info msg="was unable to obtain node for , letting display name to be nodeName" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.921Z" level=info msg="Steps node http-template-tw7cw initialized Running" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.921Z" level=info msg="StepGroup node http-template-tw7cw-3315032375 initialized Running" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.922Z" level=warning msg="Node was nil, will be initialized as type Skipped" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.922Z" level=info msg="HTTP node http-template-tw7cw-337888994 initialized Pending" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.922Z" level=info msg="Workflow step group node http-template-tw7cw-3315032375 not yet completed" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.922Z" level=info msg="TaskSet Reconciliation" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.922Z" level=info msg="Creating TaskSet" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:11.941Z" level=info msg=reconcileAgentPod namespace=argocd workflow=http-template-tw7cw
W0715 06:38:12.035764       1 warnings.go:70] autopilot-default-resources-mutator:Autopilot updated Pod argocd/http-template-tw7cw-1340600742-agent: adjusted 'cpu' resource to meet requirements for containers [main] (see http://g.co/gke/autopilot-defaults).
time="2024-07-15T06:38:12.036Z" level=info msg="Created Agent pod" namespace=argocd podName=http-template-tw7cw-1340600742-agent workflow=http-template-tw7cw
time="2024-07-15T06:38:12.036Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:12.036Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-tw7cw-1340600742-agent
time="2024-07-15T06:38:12.036Z" level=info msg="Workflow to be dehydrated" Workflow Size=1828
time="2024-07-15T06:38:12.079Z" level=info msg="Workflow update successful" namespace=argocd phase=Running resourceVersion=260445423 workflow=http-template-tw7cw
time="2024-07-15T06:38:22.037Z" level=info msg="Processing workflow" Phase=Running ResourceVersion=260445423 namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:22.038Z" level=info msg="Task-result reconciliation" namespace=argocd numObjs=0 workflow=http-template-tw7cw
time="2024-07-15T06:38:22.038Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:22.038Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-tw7cw-1340600742-agent
time="2024-07-15T06:38:22.039Z" level=info msg="Workflow step group node http-template-tw7cw-3315032375 not yet completed" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:22.039Z" level=info msg="TaskSet Reconciliation" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:22.039Z" level=info msg="Creating TaskSet" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:22.066Z" level=info msg=reconcileAgentPod namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:22.066Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:22.066Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-tw7cw-1340600742-agent
time="2024-07-15T06:38:32.068Z" level=info msg="Processing workflow" Phase=Running ResourceVersion=260445423 namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:32.069Z" level=info msg="Task-result reconciliation" namespace=argocd numObjs=0 workflow=http-template-tw7cw
time="2024-07-15T06:38:32.069Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:32.069Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-tw7cw-1340600742-agent
time="2024-07-15T06:38:32.070Z" level=info msg="Workflow step group node http-template-tw7cw-3315032375 not yet completed" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:32.070Z" level=info msg="TaskSet Reconciliation" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:32.070Z" level=info msg="Creating TaskSet" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:32.104Z" level=info msg=reconcileAgentPod namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:32.104Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:32.104Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-tw7cw-1340600742-agent
time="2024-07-15T06:38:32.104Z" level=info msg="Workflow to be dehydrated" Workflow Size=22306
time="2024-07-15T06:38:32.148Z" level=info msg="Workflow update successful" namespace=argocd phase=Running resourceVersion=260445722 workflow=http-template-tw7cw
time="2024-07-15T06:38:42.120Z" level=info msg="Processing workflow" Phase=Running ResourceVersion=260445722 namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.122Z" level=info msg="Task-result reconciliation" namespace=argocd numObjs=0 workflow=http-template-tw7cw
time="2024-07-15T06:38:42.123Z" level=info msg=updateAgentPodStatus namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.123Z" level=info msg=assessAgentPodStatus namespace=argocd podName=http-template-tw7cw-1340600742-agent
time="2024-07-15T06:38:42.124Z" level=info msg="Step group node http-template-tw7cw-3315032375 successful" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.124Z" level=info msg="node http-template-tw7cw-3315032375 phase Running -> Succeeded" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.124Z" level=info msg="node http-template-tw7cw-3315032375 finished: 2024-07-15 06:38:42.124665946 +0000 UTC" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.124Z" level=info msg="Outbound nodes of http-template-tw7cw-337888994 is [http-template-tw7cw-337888994]" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.124Z" level=info msg="Outbound nodes of http-template-tw7cw is [http-template-tw7cw-337888994]" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.124Z" level=info msg="node http-template-tw7cw phase Running -> Succeeded" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.124Z" level=info msg="node http-template-tw7cw finished: 2024-07-15 06:38:42.124839581 +0000 UTC" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.124Z" level=info msg="TaskSet Reconciliation" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.124Z" level=info msg=reconcileAgentPod namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.124Z" level=info msg="Updated phase Running -> Succeeded" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.125Z" level=info msg="Marking workflow completed" namespace=argocd workflow=http-template-tw7cw
time="2024-07-15T06:38:42.125Z" level=info msg="Workflow to be dehydrated" Workflow Size=22390
time="2024-07-15T06:38:42.131Z" level=info msg="cleaning up pod" action=deletePod key=argocd/http-template-tw7cw-1340600742-agent/deletePod
time="2024-07-15T06:38:42.173Z" level=info msg="Workflow update successful" namespace=argocd phase=Succeeded resourceVersion=260445867 workflow=http-template-tw7cw
time="2024-07-15T06:38:42.176Z" level=info msg="Queueing Succeeded workflow argocd/http-template-tw7cw for delete in 5m0s due to TTL"

And the jobs last for about 30 seconds:
[Screenshot: with_permissions]
The workflow-controller uses the ServiceAccount that the ClusterRole is bound to:
[Screenshot: CleanShot 2024-07-15 at 08 44 27@2x]
The workflow's pod uses another ServiceAccount that also has the permissions to patch the workflowtasksets/status:
[Screenshot: worker_pod_service_account]
In the worker pod I did not see any errors.

I've installed Argo Workflows via the Helm chart with these values:

server:
  extraArgs:
    - --auth-mode=sso
    - --auth-mode=client
  sso:
    enabled: true
    issuer: <private-value>
    clientId:
      name: dex-credentials
      key: gitlabClientId
    clientSecret:
      name: dex-credentials
      key: gitlabClientSecret
    redirectUrl: <private-value>
    rbac:
      enabled: false
controller:
  workflowNamespaces:
    - argocd
  workflowDefaults:
    spec:
      serviceAccountName: argo-workflow

After installing the Chart I create the Role, RoleBinding and ServiceAccount for the workflow-worker via a manifest:

# This configuration is needed to give workflow workers access to cluster objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argo-workflow
  namespace: argocd
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - watch
      - patch
  - apiGroups:
      - ""
    resources:
      - pods/log
    verbs:
      - get
      - watch
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtaskresults
    verbs:
      - create
      - patch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets
      - workflowartifactgctasks
    verbs:
      - list
      - watch
  - apiGroups:
      - argoproj.io
    resources:
      - workflowtasksets/status
      - workflowartifactgctasks/status
    verbs:
      - patch
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argo-workflow
  namespace: argocd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argo-workflows-workflow
  namespace: argocd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argo-workflow
subjects:
  - kind: ServiceAccount
    name: argo-workflow
    namespace: argocd
---
# As of Kubernetes v1.24, secrets are no longer automatically created for service accounts.
# See: https://argo-workflows.readthedocs.io/en/latest/service-account-secrets/
apiVersion: v1
kind: Secret
metadata:
  name: argo-workflow.service-account-token
  namespace: argocd
  annotations:
    kubernetes.io/service-account.name: argo-workflow
type: kubernetes.io/service-account-token

I hope this helps to clarify the issue.

Regards,
Manuel
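
An added example, not part of the issue thread or the Argo project's code: a Python script that reads controller log lines in the format pasted above, extracts each API-server "forbidden" denial, and collapses them into the smallest set of RBAC rules those denials justify. The first three sample lines are copied from the log in this comment; the `demo` / `example-sa` lines are constructed to cover the core API group and the cluster-scope form of the message.

```python
import re
from collections import defaultdict

# API-server authorization denial as it appears in the controller's error= field.
# Non-resource URL denials (cannot get path "/...") use another form and are skipped.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)

# Lines 1-3 are copied from the controller log in the issue. Lines 4-5 are
# constructed (demo / example-sa) to cover the core group and cluster scope.
SAMPLE_LOG = r'''
time="2024-07-15T06:30:01.923Z" level=warning msg="error updating taskset" error="failed patching taskset: workflowtasksets.argoproj.io \"http-template-fjt8f\" is forbidden: User \"system:serviceaccount:argocd:argo-workflows-workflow-controller\" cannot patch resource \"workflowtasksets/status\" in API group \"argoproj.io\" in the namespace \"argocd\"" namespace=argocd workflow=http-template-fjt8f
time="2024-07-15T06:30:01.942Z" level=info msg="Workflow update successful" namespace=argocd phase=Running resourceVersion=260438096 workflow=http-template-fjt8f
time="2024-07-15T06:30:07.582Z" level=warning msg="error updating taskset" error="failed patching taskset: workflowtasksets.argoproj.io \"http-template-75bnp\" is forbidden: User \"system:serviceaccount:argocd:argo-workflows-workflow-controller\" cannot patch resource \"workflowtasksets/status\" in API group \"argoproj.io\" in the namespace \"argocd\"" namespace=argocd workflow=http-template-75bnp
time="2024-01-01T00:00:00.000Z" level=error msg="constructed" error="pods is forbidden: User \"system:serviceaccount:demo:example-sa\" cannot list resource \"pods\" in API group \"\" in the namespace \"demo\""
time="2024-01-01T00:00:01.000Z" level=error msg="constructed" error="nodes is forbidden: User \"system:serviceaccount:demo:example-sa\" cannot list resource \"nodes\" in API group \"\" at the cluster scope"
'''


def parse_denials(log_text):
    """Return ({(user, namespace|None): {(group, resource): {verbs}}}, hit counts)."""
    denied = defaultdict(lambda: defaultdict(set))
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if "is forbidden" not in line:
            continue
        # The error field is quoted by the logger, so inner quotes arrive as \".
        m = DENIAL.search(line.replace('\\"', '"'))
        if not m:
            continue
        subject = (m["user"], m["namespace"])  # namespace is None at cluster scope
        denied[subject][(m["group"], m["resource"])].add(m["verb"])
        hits[subject] += 1
    return denied, hits


def minimal_rules(grants):
    """Merge resources that share an API group and verb set into one RBAC rule."""
    merged = defaultdict(list)
    for (group, resource), verbs in grants.items():
        merged[(group, tuple(sorted(verbs)))].append(resource)
    return [
        {"apiGroups": [group], "resources": sorted(resources), "verbs": list(verbs)}
        for (group, verbs), resources in sorted(merged.items())
    ]


def render(subject, rules):
    """Render the rules as a YAML fragment; values are quoted so "" (core group) survives."""
    user, namespace = subject
    scope = f"namespace {namespace}" if namespace else "cluster scope (needs a ClusterRole)"
    out = [f"# subject: {user}", f"# scope:   {scope}", "rules:"]
    for rule in rules:
        for i, key in enumerate(("apiGroups", "resources", "verbs")):
            out.append(f"  {'- ' if i == 0 else '  '}{key}:")
            out += [f'      - "{value}"' for value in rule[key]]
    return "\n".join(out)


if __name__ == "__main__":
    denied, hits = parse_denials(SAMPLE_LOG)
    for subject, grants in denied.items():
        print(f"# {hits[subject]} denial(s) observed")
        print(render(subject, minimal_rules(grants)), end="\n\n")
```

For the controller ServiceAccount, the lines from this issue produce a single rule: `patch` on `workflowtasksets/status` in `argoproj.io`. The logs shown here contain no denial for `workflowartifactgctasks/status`, so the script does not propose it.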

agilgur5 removed the problem/more information needed label on Jul 16, 2024
agilgur5 added the type/regression and area/controller labels on Aug 10, 2024
agilgur5 added this to the v3.5.x patches milestone on Aug 10, 2024