Missing permission in ArgoRollout cluster role

[Ahmed-Elkollaly]

Describe the bug

I can't use the recent feature scaleDown, used in migration to Argo rollout, due to missing permission in clusterrole in the helm chart in argo-rollout v2.36.1 https://github.com/argoproj/argo-helm/blob/main/charts/argo-rollouts/templates/controller/clusterrole.yaml#L60

https://argo-rollouts.readthedocs.io/en/stable/migrating/

  workloadRef:                                 # Reference an existing Deployment using workloadRef field
    apiVersion: apps/v1
    kind: Deployment
    name: rollout-ref-deployment
    scaleDown: onsuccess

The error from argo-rollout controller pod
time="2024-06-25T12:38:07Z" level=error msg="deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"dev\"

Related helm chart

argo-rollouts

Helm chart version

2.36.1

To Reproduce

Steps to reproduce the issue

1. Apply deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: rollout-canary
  name: rollout-ref-deployment
spec:
  replicas: 1                              
  selector:
    matchLabels:
      app: rollout-ref-deployment
  template:
    metadata:
      labels:
        app: rollout-ref-deployment
    spec:
      containers:
        - name: rollouts-demo
          image: argoproj/rollouts-demo:blue
          imagePullPolicy: Always
          ports:
            - containerPort: 8080

2. Apply Rollout

apiVersion: argoproj.io/v1alpha1               # Create a rollout resource
kind: Rollout
metadata:
  name: rollout-ref-deployment
spec:
  replicas: 5
  selector:
    matchLabels:
      app: rollout-ref-deployment
  workloadRef:                                 # Reference an existing Deployment using workloadRef field
    apiVersion: apps/v1
    kind: Deployment
    name: rollout-ref-deployment
    scaleDown: onsuccess
  strategy:
    canary:
      steps:
        - setWeight: 20
        - pause: {duration: 10s}

3. check argo-rollout controller pod logs
   time="2024-06-25T12:38:07Z" level=error msg="deployments.apps \"rollout-ref-deployment\" is forbidden: User \"system:serviceaccount:argo-rollouts:argo-rollouts\" cannot update resource \"deployments\" in API group \"apps\" in the namespace \"dev\"

Expected behavior

use the recent feature scaleDown in argorollout v1.7.0 without any access issue

Screenshots

No response

Additional context

No response

[yu-croco]

Hi @Ahmed-Elkollaly , thank you for opening issue.
Since we follow upstream's manifest (in this case, here), can you also open an issue in upstream?
Once upstream releases new version, we also follow it.

[Ahmed-Elkollaly]

I opened an issue in the argo-rollout project. thank you

[yu-croco]

📝
upstream has been fixed in argoproj/argo-rollouts#3675 . We will follow the fix when the PR is delivered as a specific version.

[DrFaust92]

Ill follow up on this and open a PR here now thats its merged upstream

[yu-croco]

Hi @DrFaust92
FYI; Renovate in argo-helm will open PR when upstream releases new version, and we will check the diffs under manifest in upstream at the PR. :)
e.g.) #2794

[DrFaust92]

yu-croco makes sense, but in this case it was a manifest only upstream change and doesnt require a binary release to add this.

[yu-croco]

We only follow specific version of upstream, instead of main branch.
Upstream will release the manifest diff with other diffs, so we need to wait for next (or next next?) release of upstream.

[muma378]

Hi I had the same issue when use the scaledown feature. I found the feature was released in v1.7.1 and the image was updated in helm, so is it the right time to update the cluster role?
I opened a PR #2816, please feel free to close if it is not correct.

[yu-croco]

Hi @muma378 ,
As I mentioned earlier, the point is upstresm's manifest.
There is no update permission in v1.7.1 (ref: v1.7.1's permission), so we are waiting for it.