fix(appset): add applicationset leader election to roles and clean up (#14369) (#23976)

Signed-off-by: Manuelraa <kontakt@manuel-rapp.de> Signed-off-by: rumstead <37445536+rumstead@users.noreply.github.com> Co-authored-by: Manuelraa <kontakt@manuel-rapp.de>
2026-02-20 01:28:45 +01:00 · 2025-07-29 11:38:53 -04:00
parent 998253aa41
commit 31e0f428e8
12 changed files with 274 additions and 271 deletions
--- a/manifests/base/applicationset-controller/argocd-applicationset-controller-role.yaml
+++ b/manifests/base/applicationset-controller/argocd-applicationset-controller-role.yaml
@@ -38,7 +38,7 @@ rules:
      - patch
      - update
  - apiGroups:
-      - ''
+      - ""
    resources:
      - events
    verbs:
@@ -48,7 +48,7 @@ rules:
      - patch
      - watch
  - apiGroups:
-      - ''
+      - ""
    resources:
      - secrets
      - configmaps
@@ -56,12 +56,22 @@ rules:
      - get
      - list
      - watch
+  # argocd-applicationset-controller leader election rules
+  # Create with resourceNames fails, so use a separate rule for the lease creation
  - apiGroups:
-      - apps
-      - extensions
+      - coordination.k8s.io
    resources:
-      - deployments
+      - leases
+    verbs:
+      - create
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    resourceNames:
+      # Defined in `cmd/argocd-applicationset-controller/commands/applicationset_controller.go`
+      - 58ac56fa.applicationsets.argoproj.io
    verbs:
      - get
-      - list
-      - watch
+      - update
+      - create
--- a/manifests/cluster-rbac/applicationset-controller/argocd-applicationset-controller-clusterrole.yaml
+++ b/manifests/cluster-rbac/applicationset-controller/argocd-applicationset-controller-clusterrole.yaml
@@ -1,90 +1,77 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
+  name: argocd-applicationset-controller
  labels:
    app.kubernetes.io/name: argocd-applicationset-controller
    app.kubernetes.io/part-of: argocd
    app.kubernetes.io/component: applicationset-controller
-  name: argocd-applicationset-controller
 rules:
- apiGroups:
-  - argoproj.io
-  resources:
-  - applications
-  - applicationsets
-  - applicationsets/finalizers
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
- apiGroups:
-  - argoproj.io
-  resources:
-  - applicationsets/status
-  verbs:
-  - get
-  - patch
-  - update
- apiGroups:
-  - argoproj.io
-  resources:
-  - appprojects
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - get
-  - list
-  - patch
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - update
-  - delete
-  - get
-  - list
-  - patch
-  - watch
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - apps
-  - extensions
-  resources:
-  - deployments
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - coordination.k8s.io
-  resources:
-  - leases
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - applications
+      - applicationsets
+      - applicationsets/finalizers
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - appprojects
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - applicationsets/status
+    verbs:
+      - get
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - get
+      - list
+      - patch
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+  # argocd-applicationset-controller leader election rules
+  # Create with resourceNames fails, so use a separate rule for the lease creation
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    verbs:
+      - create
+  - apiGroups:
+      - coordination.k8s.io
+    resources:
+      - leases
+    resourceNames:
+      # Defined in `cmd/argocd-applicationset-controller/commands/applicationset_controller.go`
+      - 58ac56fa.applicationsets.argoproj.io
+    verbs:
+      - get
+      - update
+      - create
--- a/manifests/core-install-with-hydrator.yaml
+++ b/manifests/core-install-with-hydrator.yaml
@@ -24148,14 +24148,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
@@ -24139,14 +24139,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
--- a/manifests/ha/install-with-hydrator.yaml
+++ b/manifests/ha/install-with-hydrator.yaml
@@ -24186,14 +24186,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -24392,14 +24399,6 @@ rules:
  - patch
  - update
  - watch
- apiGroups:
-  - argoproj.io
-  resources:
-  - applicationsets/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
  - argoproj.io
  resources:
@@ -24408,6 +24407,14 @@ rules:
  - get
  - list
  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applicationsets/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
  - ""
  resources:
@@ -24418,31 +24425,11 @@ rules:
  - list
  - patch
  - watch
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - update
-  - delete
-  - get
-  - list
-  - patch
-  - watch
 - apiGroups:
  - ""
  resources:
  - secrets
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - apps
-  - extensions
-  resources:
-  - deployments
+  - configmaps
  verbs:
  - get
  - list
@@ -24453,12 +24440,16 @@ rules:
  - leases
  verbs:
  - create
-  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
+  verbs:
  - get
-  - list
-  - patch
  - update
-  - watch
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@@ -24177,14 +24177,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -24383,14 +24390,6 @@ rules:
  - patch
  - update
  - watch
- apiGroups:
-  - argoproj.io
-  resources:
-  - applicationsets/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
  - argoproj.io
  resources:
@@ -24399,6 +24398,14 @@ rules:
  - get
  - list
  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applicationsets/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
  - ""
  resources:
@@ -24409,31 +24416,11 @@ rules:
  - list
  - patch
  - watch
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - update
-  - delete
-  - get
-  - list
-  - patch
-  - watch
 - apiGroups:
  - ""
  resources:
  - secrets
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - apps
-  - extensions
-  resources:
-  - deployments
+  - configmaps
  verbs:
  - get
  - list
@@ -24444,12 +24431,16 @@ rules:
  - leases
  verbs:
  - create
-  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
+  verbs:
  - get
-  - list
-  - patch
  - update
-  - watch
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/manifests/ha/namespace-install-with-hydrator.yaml
+++ b/manifests/ha/namespace-install-with-hydrator.yaml
@@ -189,14 +189,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@@ -180,14 +180,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
--- a/manifests/install-with-hydrator.yaml
+++ b/manifests/install-with-hydrator.yaml
@@ -24175,14 +24175,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -24359,14 +24366,6 @@ rules:
  - patch
  - update
  - watch
- apiGroups:
-  - argoproj.io
-  resources:
-  - applicationsets/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
  - argoproj.io
  resources:
@@ -24375,6 +24374,14 @@ rules:
  - get
  - list
  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applicationsets/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
  - ""
  resources:
@@ -24385,31 +24392,11 @@ rules:
  - list
  - patch
  - watch
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - update
-  - delete
-  - get
-  - list
-  - patch
-  - watch
 - apiGroups:
  - ""
  resources:
  - secrets
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - apps
-  - extensions
-  resources:
-  - deployments
+  - configmaps
  verbs:
  - get
  - list
@@ -24420,12 +24407,16 @@ rules:
  - leases
  verbs:
  - create
-  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
+  verbs:
  - get
-  - list
-  - patch
  - update
-  - watch
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -24166,14 +24166,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -24350,14 +24357,6 @@ rules:
  - patch
  - update
  - watch
- apiGroups:
-  - argoproj.io
-  resources:
-  - applicationsets/status
-  verbs:
-  - get
-  - patch
-  - update
 - apiGroups:
  - argoproj.io
  resources:
@@ -24366,6 +24365,14 @@ rules:
  - get
  - list
  - watch
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applicationsets/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
  - ""
  resources:
@@ -24376,31 +24383,11 @@ rules:
  - list
  - patch
  - watch
- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - update
-  - delete
-  - get
-  - list
-  - patch
-  - watch
 - apiGroups:
  - ""
  resources:
  - secrets
-  verbs:
-  - get
-  - list
-  - watch
- apiGroups:
-  - apps
-  - extensions
-  resources:
-  - deployments
+  - configmaps
  verbs:
  - get
  - list
@@ -24411,12 +24398,16 @@ rules:
  - leases
  verbs:
  - create
-  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
+  verbs:
  - get
-  - list
-  - patch
  - update
-  - watch
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
--- a/manifests/namespace-install-with-hydrator.yaml
+++ b/manifests/namespace-install-with-hydrator.yaml
@@ -178,14 +178,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -169,14 +169,21 @@ rules:
  - list
  - watch
 - apiGroups:
-  - apps
-  - extensions
+  - coordination.k8s.io
  resources:
-  - deployments
+  - leases
+  verbs:
+  - create
+- apiGroups:
+  - coordination.k8s.io
+  resourceNames:
+  - 58ac56fa.applicationsets.argoproj.io
+  resources:
+  - leases
  verbs:
  - get
-  - list
-  - watch
+  - update
+  - create
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role