argocd appset generate need clusterscope permission

[llavaud]

Describe the bug

When I try to generate the application templates from an applicationSet resource using the new argocd appset generate CLI command, I have the following error message:

FATA[0000] rpc error: code = PermissionDenied desc = unable to generate Applications of ApplicationSet: error generating applications: failed to get params for second generator in the matrix generator: child generator returned an error on parameter generation: error getting cluster secrets: secrets is forbidden: User "system:serviceaccount:argo-cd:argocd-server" cannot list resource "secrets" in API group "" at the cluster scope%0Atime="2024-11-06T20:14:43Z" level=error msg="error generating application from params" applicationset=reusable-workflows-manifests error="failed to get params for second generator in the matrix generator: child generator returned an error on parameter generation: error getting cluster secrets: secrets is forbidden: User \"system:serviceaccount:argo-cd:argocd-server\" cannot list resource \"secrets\" in API group \"\" at the cluster scope"

After adding a clusterrole/clusterrolebinding that add get/watch/list on secrets it works

To Reproduce

Launch the following command on an applicationSet manifest that use the Cluster generator:

argocd appset generate appset.yaml

Expected behavior

Render templates without needed to give clusterscope permissions to the argcd-server service account. The argocd-server already have necessary permission to read secrets in the argocd namespace

Version

argocd: v2.13.0+347f221
  BuildDate: 2024-11-04T12:09:06Z
  GitCommit: 347f221adba5599ef4d5f12ee572b2c17d01db4d
  GitTreeState: clean
  GoVersion: go1.23.1
  Compiler: gc
  Platform: linux/amd64

[andrii-korotkov-verkada]

After adding a clusterrole/clusterrolebinding that add get/watch/list on secrets it works

Where exactly do you add this?

[llavaud]

After adding a clusterrole/clusterrolebinding that add get/watch/list on secrets it works

Where exactly do you add this?

I added a clusterrolebinding that give secrets get/watch/list permissions to the argocd-server service account

[andrii-korotkov-verkada]

Hm, I don't think you can avoid giving ArgoCD server cluster scope permissions. argocd namespace permissions don't seem like they'd allow to access cluster-scope secrets. Would you suggest to move some objects from the cluster scope into the target namespace?

[llavaud]

Hm, I don't think you can avoid giving ArgoCD server cluster scope permissions. argocd namespace permissions don't seem like they'd allow to access cluster-scope secrets. Would you suggest to move some objects from the cluster scope into the target namespace?

Currently I deployed Argo CD using the Helm Chart without giving any clusterscope permissions, why would I need to give clusterscope permission for this feature ?

[andrii-korotkov-verkada]

Looks like it's trying to read some cluster-scope secret. Can you share your manifests, values files etc., please?

[blakepettersson]

Should be fixed with #20950