Argo-cd: Argocd RBAC configmap scopes field not working properly

Created on 23 Jul 2019  路  4Comments  路  Source: argoproj/argo-cd

Describe the bug

Based on this, trying to use scopes field on argocd rbac configmap, on one hand specifying it as an array gives validation errors. On the other, once we specify it as a string, it makes argocd server fail because argocd server is expecting an array.

To Reproduce

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app.kubernetes.io/name: argocd-rbac-cm
    app.kubernetes.io/part-of: argocd
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:myrole, applications, sync, */*, allow
    g, role:myrole, role:readonly

    g, emailname, role:syncer

  scopes: [email]

applying above configuration gives following error:

error: error validating "configmaps/argocd-rbac-configmap.yaml": error validating data: ValidationError(ConfigMap.data.scopes): invalid type for io.k8s.api.core.v1.ConfigMap.data: got "array", expected "string"; if you choose to ignore these errors, turn validation off with --validate=false

Changing scopes field to:

...

data:
  policy.default: role:readonly
  policy.csv: |
    p, role:myrole, applications, sync, */*, allow
    g, role:myrole, role:readonly

    g, emailname, role:syncer

  scopes: email

then works (no validation errros), but with this configuration, the server does not start, giving this error:

time="2019-07-23T10:25:25Z" level=info msg="Starting configmap/secret informers"
time="2019-07-23T10:25:25Z" level=info msg="Configmap/secret informer synced"
time="2019-07-23T10:25:25Z" level=info msg="Starting configmap/secret informers"
time="2019-07-23T10:25:25Z" level=info msg="secrets informer cancelled"
time="2019-07-23T10:25:25Z" level=info msg="configmap informer cancelled"
time="2019-07-23T10:25:25Z" level=info msg="Configmap/secret informer synced"
2019/07/23 10:25:25 [Model:]
2019/07/23 10:25:25 e.e: some(where (p_eft == allow)) && !some(where (p_eft == deny))
2019/07/23 10:25:25 m.m: g(r_sub, p_sub) && keyMatch(r_res, p_res) && keyMatch(r_act, p_act) && keyMatch(r_obj, p_obj)
2019/07/23 10:25:25 g.g: _, _
2019/07/23 10:25:25 r.r: sub, res, act, obj
2019/07/23 10:25:25 p.p: sub, res, act, obj, eft
2019/07/23 10:25:25 [Policy:]
2019/07/23 10:25:25 [p :  sub, res, act, obj, eft :  []]
2019/07/23 10:25:25 [g :  _, _ :  []]
2019/07/23 10:25:25 [Role links for: g]
time="2019-07-23T10:25:25Z" level=info msg="Creating client app (argo-cd)"
time="2019-07-23T10:25:25Z" level=info msg="argocd v1.1.0+c48712d.dirty serving on port 8080 (url: https://myargocd.com, tls: true, namespace: argocd, sso: true)"
time="2019-07-23T10:25:25Z" level=info msg="0xc0003c0b40 subscribed to settings updates"
time="2019-07-23T10:25:25Z" level=fatal msg="yaml: unmarshal errors:\n  line 1: cannot unmarshal !!str `email` into []string"

Expected behavior

Argocd rbac configmap scopes field should not throw validation errors when specifying it as an array. On the other hand, when specifying it as a string, argocd server should not fail when trying to read the configuration.

Version

argocd: v1.0.2+e0bd546.dirty
  BuildDate: 2019-06-14T17:15:36Z
  GitCommit: e0bd546a07818ec06a27c2b3033454e3eb1c4152
  GitTreeState: dirty
  GoVersion: go1.11.4
  Compiler: gc
  Platform: darwin/amd64
argocd-server: v1.1.0+c48712d.dirty
  BuildDate: 2019-07-22T22:11:10Z
  GitCommit: c48712d988320b7dbe6eb6b478a225cc6c385248
  GitTreeState: dirty
  GoVersion: go1.11.4
  Compiler: gc
  Platform: linux/amd64
  Ksonnet Version: 0.13.1
bug security
Source
picture amarruedo

All 4 comments

This is a standard K8S config map, and so values are always strings, that we then parse into an array. so I don't think it is not Argo CD reporting these errors.

@jessesuen ?

alexec picture alexec on 23 Jul 2019

@alexec you are right, then documentation should be corrected since the example provided uses an array on the configmap, which leads to the validation error.

Also in the same documentation file it says that The scope value can be a string, or a list of strings., from where I understand that:


scopes: email

should be a valid configuration, but that makes argocd server fail with the error provided above.

At the end I would like to know how to properly configure scopes parameter so I can use email adresses inestead of sub fields on LDAP authentication.

For the record, I was following progress on issue https://github.com/argoproj/argo-cd/issues/1444 which lead me to this new issue.

Thank you very much for your attention.

amarruedo picture amarruedo on 24 Jul 2019

@alexmt do you want to fix this doc issue please?

alexec picture alexec on 24 Jul 2019
👍1

Thanks for pointing this out @amarruedo . https://github.com/argoproj/argo-cd/pull/2003

alexmt picture alexmt on 24 Jul 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

everesio picture everesio  路  3Comments
duboisf picture duboisf  路  3Comments
hulu1522 picture hulu1522  路  3Comments
eroji picture eroji  路  3Comments
peterbosalliandercom picture peterbosalliandercom  路  3Comments