Add missing permission for impersonation #1651
Conversation
Signed-off-by: Varsha B <[email protected]>
Signed-off-by: Varsha B <[email protected]>
There was a problem hiding this comment.
Hi @anandf, the current steps mentioned here do not work for a ns scoped instance. Could you please suggest the required modifications?
Even after adding the managed-by label, I see this error:
message: 'ComparisonError: Failed to load live state: Namespace "guestbook" for Deployment "guestbook-ui" is not managed'
There was a problem hiding this comment.
Instead of guestbook namespace, can you try using argocd-test-impersonation as the destination ns ? For a namespace scoped ArgoCD instance, you can deploy manifests only in the same ns as the RBAC permits only that by default. Otherwise, you have to create a ns guestbook and apply the managed-by label. You cannot test the CreateNamespace=true sync policy in that case.
| metadata: | ||
| name: test-impersonation-ns | ||
| labels: | ||
| argocd.argoproj.io/managed-by: openshift-gitops |
There was a problem hiding this comment.
| argocd.argoproj.io/managed-by: openshift-gitops | |
| label `argocd.argoproj.io/managed-by` not required here |
| metadata: | ||
| name: guestbook | ||
| labels: | ||
| argocd.argoproj.io/managed-by: openshift-gitops |
There was a problem hiding this comment.
| argocd.argoproj.io/managed-by: openshift-gitops | |
| argocd.argoproj.io/managed-by: test-impersonation-ns |
| metadata: | ||
| name: test-impersonation-ns | ||
| labels: | ||
| argocd.argoproj.io/managed-by: openshift-gitops |
There was a problem hiding this comment.
| argocd.argoproj.io/managed-by: openshift-gitops | |
| label `argocd.argoproj.io/managed-by` not required here |
| metadata: | ||
| name: guestbook | ||
| labels: | ||
| argocd.argoproj.io/managed-by: openshift-gitops |
There was a problem hiding this comment.
The label argocd.argoproj.io/managed-by is set to openshift-gitops. However, since this ArgoCD instance is deployed in the test-impersonation-ns namespace, I suggest updating the label value to reflect that. The updated label should be argocd.argoproj.io/managed-by: test-impersonation-ns.
| argocd.argoproj.io/managed-by: openshift-gitops | |
| argocd.argoproj.io/managed-by: test-impersonation-ns |
Signed-off-by: Varsha B <[email protected]>
Signed-off-by: Varsha B <[email protected]>
varshab1210
force-pushed
the
add-impersonate-permission
branch
3 times, most recently
from
aa57947 to
d051b9f
Compare
varshab1210
force-pushed
the
add-impersonate-permission
branch
2 times, most recently
from
df2a1e6 to
c005e25
Compare
Signed-off-by: Varsha B <[email protected]>
varshab1210
force-pushed
the
add-impersonate-permission
branch
from
c005e25 to
f400f35
Compare
What type of PR is this?
/kind enhancement
What does this PR do / why we need it:
Because of missing permission in application controller clusterrole, impersonation feature does not work as expected. This PR aims to fix the same
Have you updated the necessary documentation?
Which issue(s) this PR fixes:
Fixes #?
How to test changes / Special notes to the reviewer: