Log Spam/Sorta Infinite Loop?

[ForbiddenEra]

I've got Argo setup managing itself. Using GitLab login w/Dex. Viewing the logs for the argocd-server pods results in the logs being spammed:

time="2024-01-13T14:09:16Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=ListResourceLinks grpc.service=application.ApplicationService grpc.start_time="2024-01-13T14:09:16Z" grpc.time_ms=28.747 span.kind=server system=grpc
time="2024-01-13T14:09:16Z" level=info msg="received unary call /application.ApplicationService/ListResourceLinks" grpc.method=ListResourceLinks grpc.request.claims="{\"at_hash\":\"REMOVED\",\"aud\":\"argo-cd\",\"c_hash\":\"REMOVED\",\"email\":\"REMOVED\",\"email_verified\":true,\"exp\":REMOVED,\"iat\":REMOVED,\"iss\":\"https://REMOVED/api/dex\",\"name\":\"REMOVED\",\"preferred_username\":\"REMOVED\",\"sub\":\"REMOVED\"}" grpc.request.content="name:\"argocd\" namespace:\"argocd\" resourceName:\"argocd-applicationset-controller-network-policy\" version:\"v1\" group:\"networking.k8s.io\" kind:\"NetworkPolicy\" appNamespace:\"argocd\" " grpc.service=application.ApplicationService grpc.start_time="2024-01-13T14:09:16Z" span.kind=server system=grpc
W0113 14:09:16.800066 6 warnings.go:70] Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.
W0113 14:09:16.809253 6 warnings.go:70] Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.

The warning itself is interesting, but, otherwise it seems as if each time the UI tries to update/refresh the log, it's doing a "CanI" call, which gets logged - infinite loop!

[ForbiddenEra]

I should probably note that I'm on v2.9.0+d9df252 - I tried to upgrade to 2.9.3 but I ran into a bit of 'wth': https://cloud-native.slack.com/archives/C01TSERG0KZ/p1705156638442669

[jgwest]

@ForbiddenEra Can you provide reproduction steps?

[ForbiddenEra]

@ForbiddenEra Can you provide reproduction steps?

Just setup Dex using GitLab as per the docs. Nothing special really.

argocd-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
data:
  admin.enabled: "false"
  cluster.inClusterEnabled: "false"
  dex.config: |
    connectors:
      - type: gitlab
        id: gitlab
        name: GitLab
        config:
          baseURL: https://gitlab.com
          clientID: $gitlab-sso-clientID
          clientSecret: $gitlab-sso-clientSecret
          redirectURI: https://argo.example.com:5556/dex/callback
          scopes:
          - profile
          - email
          - groups
          groups:
          - example
          useLoginAsID: false
  exec.enabled: "true"
  url: https://argo.example.com
  statusbadge.enabled: "true"
  users.session.duration: "8h"

argocd-rbac-cm:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
data:
  policy.csv: |
    g, forbiddenera, role:admin
  policy.default: role:deny
  scopes: '[profile, email, groups, preferred_username]'

[ForbiddenEra]

Just updating to say still seeing it on 2.10.5:

W0410 22:06:29.419976 7 warnings.go:70] Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.
W0410 22:06:29.447433 7 warnings.go:70] Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.
W0410 22:06:29.463706 7 warnings.go:70] Use tokens from the TokenRequest API or manually created secret-based tokens instead of auto-generated secret-based tokens.

[VannTen]

This is because argocd rely on the secret auto-generated by kubernetes when creating a service account
It should never use the auto-generated secret and instead create a separate secret (see https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#create-token) until TokenRequest support is implemented.

[andrii-korotkov-verkada]

ArgoCD versions 2.10 and below have reached EOL. Can you upgrade and let us know if the issue is still present, please?