Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(server): appset list uses argocd's namespace instead of all (#15429) #15432

Merged
merged 8 commits into from
Nov 1, 2023

Conversation

JorTurFer
Copy link
Contributor

As it's explained on #15429, current appset listing implementation is using all namespaces instead of default namespace when the namespace isn't explicitly provided. This PR adds a check following other functions with in the same file to ensure that in case of not explicitly setting the namespace, argocd's namespace is used and not a global query is done (if a global query is the expected behaviour, the RBAC must be update to allow it accordingly).

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.

Fixes #15429

Copy link
Member

@jannfis jannfis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JorTurFer
Copy link
Contributor Author

Hi @jannfis
PTAL 🙏
I have replaced the current client with a lister scoped to the same namespaces that the applications. I have reused the same factory indeed, if you think that it's better to create its own factory to allow different namespaces for appsets than the applications, I can update the PR.

@codecov
Copy link

codecov bot commented Sep 13, 2023

Codecov Report

Attention: 1 lines in your changes are missing coverage. Please review.

Comparison is base (f8f9ae9) 49.69% compared to head (f8d054d) 49.69%.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #15432      +/-   ##
==========================================
- Coverage   49.69%   49.69%   -0.01%     
==========================================
  Files         267      267              
  Lines       46362    46363       +1     
==========================================
  Hits        23039    23039              
- Misses      21063    21064       +1     
  Partials     2260     2260              
Files Coverage Δ
server/server.go 56.18% <100.00%> (-0.05%) ⬇️
server/applicationset/applicationset.go 59.91% <90.90%> (+0.34%) ⬆️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@jsoref
Copy link
Member

jsoref commented Sep 26, 2023

This needs documentation and a release notes item.

@JorTurFer
Copy link
Contributor Author

JorTurFer commented Sep 26, 2023

This needs documentation and a release notes item

About the documentation, there isn't any new feature to document, this is a fix for the RBAC issue. I mean, we can add it as a feature, but the idea was to fix the bug in the RBAC for appsets. Could you point me to the correct place to update it? I'll try to do it (if you'd give me an example, it would be nice)

I have followed as well the PR template and I haven't seen anything about the release notes, could you point me to there too?
I have seen that the changelog hasn't been updated for a year, is it the correct place?

@jsoref
Copy link
Member

jsoref commented Sep 26, 2023

Could you point me to the correct place to update it? I'll try to do it (if you'd give me an example, it would be nice)

So, here's the upgrade docs for 2.7 to 2.8: https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.7-2.8/

As mentioned, this would be a breaking change (as is your fix), so it needs some thought.

A breaking change should be listed in upgrading as a call out to anyone upgrading.

Fwiw, Support dropped for argocd-cm plugins is a breaking change, it doesn't have to use the word breaking.

that content was originally introduced in #12707, although it was since moved...

@JorTurFer
Copy link
Contributor Author

JorTurFer commented Sep 26, 2023

A breaking change should be listed in upgrading as a call out to anyone upgrading.

No no, this isn't a breaking change at all, let me summarize the things:

  1. v2.8 introduced changes in the appsets which require RBAC changes
  2. I opened a PR reverting some changes to avoid the RBAC changes requirement
  3. @jannfis told me that it'd be a breaking change, and we agreed with adding listers instead of kubernetes client
  4. I refactored my PR with those changes, not introducing any breaking change but fixing the RBAC issue

My question about the docs was because as this isn't a breaking change and the UX hasn't changed (because I have just fixed a bug), I don't know where I should document it. The links sent are for migration path, but this isn't something for a migration, it's just a bugfix

@jsoref
Copy link
Member

jsoref commented Sep 26, 2023

If the RBAC behavior is different before/after, surely that's a breaking change -- someone with a certain set of configurations will see different behavior before/after, no? (I'm on slack, and I suspect this'd be easier to discuss there... -- I might need a picture -- sorry)

@JorTurFer
Copy link
Contributor Author

If the RBAC behavior is different before/after, surely that's a breaking change -- someone with a certain set of configurations will see different behavior before/after, no? (I'm on slack, and I suspect this'd be easier to discuss there... -- I might need a picture -- sorry)

Sure, write me (Jorge Turrado on CNCF/Kubernetes workspaces) or give me your handle and I'll do it 😄

server/applicationset/applicationset_test.go Outdated Show resolved Hide resolved
server/applicationset/applicationset.go Outdated Show resolved Hide resolved
Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Jorge Turrado <[email protected]>
Copy link
Member

@ishitasequeira ishitasequeira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!!

Copy link
Member

@ishitasequeira ishitasequeira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JorTurFer I approved the PR but we have a failure to the generated code. Can you fix that?

The code LGTM!!

Signed-off-by: Jorge Turrado <[email protected]>
@JorTurFer
Copy link
Contributor Author

JorTurFer commented Oct 5, 2023

I approved the PR but we have a failure to the generated code. Can you fix that?

I have just updated the generated code, I didn't notice that it was autogenerated code and I changed it manually 🤦

@JorTurFer
Copy link
Contributor Author

I don't know how to solve the current issue. I updated the manifest with the pending changes, but now it shows other error and I don't know how to solve it. Locally I execute make manifests-local and make codegen-local but there isn't any change in my local

@JorTurFer
Copy link
Contributor Author

The issue has gone automagically just rebasing the branch xd

Copy link
Member

@blakepettersson blakepettersson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

Copy link
Member

@ishitasequeira ishitasequeira left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @JorTurFer! LGTM!

@ishitasequeira ishitasequeira enabled auto-merge (squash) November 1, 2023 02:11
@crenshaw-dev crenshaw-dev dismissed stale reviews from jannfis and themself November 1, 2023 14:54

times are a changing

@ishitasequeira ishitasequeira merged commit c70e1b7 into argoproj:master Nov 1, 2023
22 checks passed
@crenshaw-dev
Copy link
Member

/cherry-pick release-2.9

gcp-cherry-pick-bot bot pushed a commit that referenced this pull request Nov 1, 2023
…) (#15432)

* fix(server): appset list uses argocd's namespace instead of all

Signed-off-by: Jorge Turrado <[email protected]>

* use lister to scope the observed namespaces based on which namespaces monitors for apps

Signed-off-by: Jorge Turrado <[email protected]>

* apply feedback

Signed-off-by: Jorge Turrado <[email protected]>

* add missing change 🤦

Signed-off-by: Jorge Turrado <[email protected]>

* update generated manifests

Signed-off-by: Jorge Turrado <[email protected]>

---------

Signed-off-by: Jorge Turrado <[email protected]>
@crenshaw-dev
Copy link
Member

Let's start by introducing this fix just in 2.9. If it behaves, and if people ask for it, we can pick it further back.

crenshaw-dev pushed a commit that referenced this pull request Nov 1, 2023
…) (#15432) (#16203)

* fix(server): appset list uses argocd's namespace instead of all



* use lister to scope the observed namespaces based on which namespaces monitors for apps



* apply feedback



* add missing change 🤦



* update generated manifests



---------

Signed-off-by: Jorge Turrado <[email protected]>
Co-authored-by: Jorge Turrado Ferrero <[email protected]>
@JorTurFer JorTurFer deleted the fix-appset-list branch November 1, 2023 20:31
@JorTurFer
Copy link
Contributor Author

Let's start by introducing this fix just in 2.9. If it behaves, and if people ask for it, we can pick it further back.

We are using v2.8 😢
I'll check to upgrade to 2.9 when the fix is released

@JorTurFer
Copy link
Contributor Author

v2.9 hasn't been released yet :(
Could you include the fix in next v2.8?

jmilic1 pushed a commit to jmilic1/argo-cd that referenced this pull request Nov 13, 2023
…proj#15429) (argoproj#15432)

* fix(server): appset list uses argocd's namespace instead of all

Signed-off-by: Jorge Turrado <[email protected]>

* use lister to scope the observed namespaces based on which namespaces monitors for apps

Signed-off-by: Jorge Turrado <[email protected]>

* apply feedback

Signed-off-by: Jorge Turrado <[email protected]>

* add missing change 🤦

Signed-off-by: Jorge Turrado <[email protected]>

* update generated manifests

Signed-off-by: Jorge Turrado <[email protected]>

---------

Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: jmilic1 <[email protected]>
vladfr pushed a commit to vladfr/argo-cd that referenced this pull request Dec 13, 2023
…proj#15429) (argoproj#15432)

* fix(server): appset list uses argocd's namespace instead of all

Signed-off-by: Jorge Turrado <[email protected]>

* use lister to scope the observed namespaces based on which namespaces monitors for apps

Signed-off-by: Jorge Turrado <[email protected]>

* apply feedback

Signed-off-by: Jorge Turrado <[email protected]>

* add missing change 🤦

Signed-off-by: Jorge Turrado <[email protected]>

* update generated manifests

Signed-off-by: Jorge Turrado <[email protected]>

---------

Signed-off-by: Jorge Turrado <[email protected]>
tesla59 pushed a commit to tesla59/argo-cd that referenced this pull request Dec 16, 2023
…proj#15429) (argoproj#15432)

* fix(server): appset list uses argocd's namespace instead of all

Signed-off-by: Jorge Turrado <[email protected]>

* use lister to scope the observed namespaces based on which namespaces monitors for apps

Signed-off-by: Jorge Turrado <[email protected]>

* apply feedback

Signed-off-by: Jorge Turrado <[email protected]>

* add missing change 🤦

Signed-off-by: Jorge Turrado <[email protected]>

* update generated manifests

Signed-off-by: Jorge Turrado <[email protected]>

---------

Signed-off-by: Jorge Turrado <[email protected]>
lyda pushed a commit to lyda/argo-cd that referenced this pull request Mar 28, 2024
…proj#15429) (argoproj#15432)

* fix(server): appset list uses argocd's namespace instead of all

Signed-off-by: Jorge Turrado <[email protected]>

* use lister to scope the observed namespaces based on which namespaces monitors for apps

Signed-off-by: Jorge Turrado <[email protected]>

* apply feedback

Signed-off-by: Jorge Turrado <[email protected]>

* add missing change 🤦

Signed-off-by: Jorge Turrado <[email protected]>

* update generated manifests

Signed-off-by: Jorge Turrado <[email protected]>

---------

Signed-off-by: Jorge Turrado <[email protected]>
Signed-off-by: Kevin Lyda <[email protected]>
@ebuildy
Copy link
Contributor

ebuildy commented May 7, 2024

I suspect this PR for new warning logs:

W0507 19:44:33.469804 7 reflector.go:424] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: failed to list *v1alpha1.ApplicationSet: the server could not find the requested resource (get applicationsets.argoproj.io)
E0507 19:44:33.469828 7 reflector.go:140] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:169: Failed to watch *v1alpha1.ApplicationSet: failed to list *v1alpha1.ApplicationSet: the server could not find the requested resource (get applicationsets.argoproj.io)

We disable applicationSet, and seeing every minute these messages since we upgrade from 2.8 to 2.10.

@JorTurFer
Copy link
Contributor Author

We disable applicationSet, and seeing every minute these messages since we upgrade from 2.8 to 2.10.

What do you mean with We disable applicationSet? Did you remove the CRD?

@ebuildy
Copy link
Contributor

ebuildy commented May 7, 2024

We disable applicationSet, and seeing every minute these messages since we upgrade from 2.8 to 2.10.

What do you mean with We disable applicationSet? Did you remove the CRD?

ApplicationSet is optional, we use official argocd helm chart from:

https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/templates/crds/crd-applicationset.yaml#L1

Maybe the CRD should be always installed !

@JorTurFer
Copy link
Contributor Author

oh, interesting. I don't think that this PR is the root cause, as this PR changed the global listing with namespace listing, so the problem is previous to this PR. Before this PR the applicationsets were already readed from the cluster

Hariharasuthan99 pushed a commit to AmadeusITGroup/argo-cd that referenced this pull request Jun 16, 2024
…proj#15429) (argoproj#15432)

* fix(server): appset list uses argocd's namespace instead of all

Signed-off-by: Jorge Turrado <[email protected]>

* use lister to scope the observed namespaces based on which namespaces monitors for apps

Signed-off-by: Jorge Turrado <[email protected]>

* apply feedback

Signed-off-by: Jorge Turrado <[email protected]>

* add missing change 🤦

Signed-off-by: Jorge Turrado <[email protected]>

* update generated manifests

Signed-off-by: Jorge Turrado <[email protected]>

---------

Signed-off-by: Jorge Turrado <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Listing ApplicationSets requires global permissions even if argocd is namespaced
7 participants