argocd-redis role is missing in install.yaml since ArgoCD 2.0 (non-HA) #7107

Closed
2 of 3 tasks
zwilling79 opened this issue Aug 28, 2021 · 7 comments
Labels
bug Something isn't working

Comments

@zwilling79

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

Since ArgoCD 2.1.0 the argocd-redis role is missing in manifests/install.yaml but is still referenced in the corresponding role binding. The role exists in manifests/ha/install.yaml but differs from the argocd-redis role in manifests/install.yaml from earlier ArgoCD releases (pre 2.1.0).

To Reproduce

Expected behavior

argocd-redis role is included. In ArgoCD 2.0.5 the role was defined as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis
    app.kubernetes.io/part-of: argocd
  name: argocd-redis
rules:
- apiGroups:
  - security.openshift.io
  resourceNames:
  - nonroot
  resources:
  - securitycontextconstraints
  verbs:
  - use

In ArgoCD 2.1.x the role in the manifest/ha/install.yaml is defined as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    app.kubernetes.io/component: redis
    app.kubernetes.io/name: argocd-redis-ha
    app.kubernetes.io/part-of: argocd
  name: argocd-redis-ha
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - get

@zwilling79 zwilling79 added the bug Something isn't working label Aug 28, 2021
@jannfis
Member

jannfis commented Aug 28, 2021

This change was done as part of cleanup in #5863

Can you please elaborate on the error you are seeing without this role?

@zwilling79
Author

I wanted to update my ArgoCD instance from 2.0.5 to 2.1.1 and saw this as a diff. Furthermore, I was confused about why the argocd-redis role is still referenced in the argocd-redis RoleBinding resource. The update had no issues (the role still exists in the cluster/namespace). Also, an installation into an empty namespace didn't show any errors. So it seems that Kubernetes can handle this situation.

I guess that in this case the argocd-redis RoleBinding could also be removed and in addition to that even the argocd-redis service account?

@zwilling79
Author

What also confuses me: why is the argocd-redis-ha role still included in manifest/ha/install.yaml?

@Reamer
Contributor

Reamer commented Sep 1, 2021

> Also an installation into an empty namespace didn't show any errors. So it seems that Kubernetes can handle this situation.

If I delete the argocd-redis role, the redis pod does not start in OKD/Openshift 4.7

pods "argocd-redis-9c7c8f86-" is forbidden: unable to validate against any security context constraint: [spec.containers[0].securityContext.runAsUser: Invalid value: 999: must be in the ranges: [1000690000, 1000699999]]

I use this workaround in my kustomization.yml

patchesJson6902:
- target:
    version: v1
    kind: Deployment
    name: argocd-redis
  patch: |
    - op: "remove"
      path: /spec/template/spec/securityContext/runAsUser

Redis then starts with the uid 1000690000.

@chrisob
Contributor

chrisob commented Sep 6, 2021

The HA manifests still reference runAsUser and fsGroup which result in OpenShift refusing to create the pods due to the missing SCC:

https://github.com/argoproj/argo-cd/blob/v2.1.2/manifests/ha/namespace-install.yaml#L1908
https://github.com/argoproj/argo-cd/blob/v2.1.2/manifests/ha/namespace-install.yaml#L1162

@sersanherr

> The HA manifests still reference runAsUser and fsGroup which result in OpenShift refusing to create the pods due to the missing SCC:
>
> https://github.com/argoproj/argo-cd/blob/v2.1.2/manifests/ha/namespace-install.yaml#L1908
> https://github.com/argoproj/argo-cd/blob/v2.1.2/manifests/ha/namespace-install.yaml#L1162

I have the same problem; deleting the runAsUser fixes the issue.

@collardmsc

collardmsc commented Sep 7, 2021

When trying to install from latest stable manifest

Error from server (NotFound): error when applying patch: {"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"rbac.authorization.k8s.io/v1\",\"kind\":\"RoleBinding\",\"metadata\":{\"annotations\":{},\"labels\":{\"app.kubernetes.io/component\":\"redis\",\"app.kubernetes.io/name\":\"argocd-redis\",\"app.kubernetes.io/part-of\":\"argocd\"},\"name\":\"argocd-redis\",\"namespace\":\"argocd\"},\"roleRef\":{\"apiGroup\":\"rbac.authorization.k8s.io\",\"kind\":\"Role\",\"name\":\"argocd-redis\"},\"subjects\":[{\"kind\":\"ServiceAccount\",\"name\":\"argocd-redis\"}]}\n"}},"subjects":[{"kind":"ServiceAccount","name":"argocd-redis"}]} to: Resource: "rbac.authorization.k8s.io/v1, Resource=rolebindings", GroupVersionKind: "rbac.authorization.k8s.io/v1, Kind=RoleBinding" Name: "argocd-redis", Namespace: "argocd" for: "https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml": roles.rbac.authorization.k8s.io "argocd-redis" not found
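
Added example (not part of the original thread or the Argo CD project): a pre-apply lint that reports RoleBindings whose roleRef names a Role the manifest does not define, the condition behind the "not found" error above. It assumes the manifest has already been converted to a JSON list of objects; the sample objects, the `dangling_role_refs` name and the `argocd` default namespace are constructed for illustration.

```python
import json

# Constructed sample: a trimmed manifest as JSON. The argocd-redis RoleBinding
# mirrors the one in the error above; its Role is deliberately absent.
SAMPLE = json.loads("""
[
 {"apiVersion": "v1", "kind": "ServiceAccount",
  "metadata": {"name": "argocd-redis"}},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
  "metadata": {"name": "argocd-redis"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
              "name": "argocd-redis"},
  "subjects": [{"kind": "ServiceAccount", "name": "argocd-redis"}]},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
  "metadata": {"name": "argocd-server"}, "rules": []},
 {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
  "metadata": {"name": "argocd-server"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role",
              "name": "argocd-server"},
  "subjects": [{"kind": "ServiceAccount", "name": "argocd-server"}]}
]
""")

BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}

def dangling_role_refs(objects, default_ns="argocd"):
    """Return (binding kind, binding name, role kind, role name) for unresolved roleRefs."""
    defined = set()
    for obj in objects:
        if obj.get("kind") in ("Role", "ClusterRole"):
            meta = obj["metadata"]
            # ClusterRoles are cluster-scoped; Roles are keyed by namespace.
            ns = None if obj["kind"] == "ClusterRole" else meta.get("namespace", default_ns)
            defined.add((obj["kind"], ns, meta["name"]))
    missing = []
    for obj in objects:
        if obj.get("kind") not in BINDING_KINDS:
            continue
        ref, meta = obj["roleRef"], obj["metadata"]
        # A RoleBinding resolves a Role in its own namespace, or a ClusterRole.
        ns = None if ref["kind"] == "ClusterRole" else meta.get("namespace", default_ns)
        if (ref["kind"], ns, ref["name"]) not in defined:
            missing.append((obj["kind"], meta["name"], ref["kind"], ref["name"]))
    return missing

if __name__ == "__main__":
    for kind, name, ref_kind, ref_name in dangling_role_refs(SAMPLE):
        print(f"{kind}/{name} references missing {ref_kind}/{ref_name}")
```

The check only sees what the manifest defines: a Role left in the namespace by an earlier release, or a built-in ClusterRole, will be reported here even though the binding resolves in the cluster.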

@jgwest jgwest closed this as not planned Feb 22, 2024