Skip to content

Sync with impersonation does not work when app destinations reference server name instead of url #23309

New issue
New issue
Closed
#23504
Closed
Sync with impersonation does not work when app destinations reference server name instead of url#23309
#23504
Labels
bugSomething isn't working
@nimjor

Description

@nimjor
nimjor
opened on Jun 6, 2025

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

App sync when impersonation is enabled throws error

failed to find a matching service account to impersonate: no matching service account found for destination server  and namespace foo-namespace

if the application references the destination server by name rather than url. Note the extra space after "server" in the error message above (server and), highlighting that it is simply not finding a value where it's looking when attempting to sync.

This bug is not present in v2.14.5 but is present in v3.0.5.

To Reproduce

The following manifests can be used as referenced below.

argocd-manager-foo.yaml 
apiVersion: v1
kind: Namespace
metadata:
  name: foo
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: argocd-manager-foo
  namespace: foo
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-manager-foo-role
  namespace: foo
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-manager-foo-role-binding
  namespace: foo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-manager-foo-role
subjects:
- kind: ServiceAccount
  name: argocd-manager-foo
  namespace: foo
argocd-bug-repro.yaml 
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: foo
  namespace: argocd
spec:
  clusterResourceWhitelist:
  - group: '*'
    kind: '*'
  description: Foo Applications
  destinationServiceAccounts:
  - defaultServiceAccount: argocd-manager-foo
    namespace: foo
    server: https://kubernetes.default.svc
  destinations:
  - name: in-cluster
    namespace: foo
  namespaceResourceWhitelist:
  - group: '*'
    kind: '*'
  orphanedResources:
    warn: false
  sourceNamespaces:
  - argocd
  sourceRepos:
  - https://github.com/nimjor/argocd-bug
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: hello-world
  namespace: argocd
spec:
  destination:
    name: in-cluster
    namespace: foo
  project: foo
  revisionHistoryLimit: 3
  source:
    path: hello-world
    repoURL: https://github.com/nimjor/argocd-bug.git
    targetRevision: HEAD
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
    - ApplyOutOfSyncOnly=true
    - CreateNamespace=true
  1. Verify no bug in v2.14.5+f463a94
    a. curl https://raw.githubusercontent.com/argoproj/argo-cd/v2.14.5/manifests/install.yaml | kubectl apply -f -
    b. Edit the argocd-cm ConfigMap to enable impersonation: application.sync.impersonation.enabled: true
    c. Create the service account to be used for impersonation: kubectl apply -f argocd-manager-foo.yaml
    d. Create the test project using the argocd-manager-foo service account for sync, and the test app: kubectl apply -f argocd-bug-repro.yaml
    e. Check that the app is healthy (it's just a ConfigMap). Click the Sync button in the Argo UI and observe no error during sync.
  2. Reproduce bug in latest stable v3.0.5+af9ebac
    a. curl https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml | kubectl apply -f -
    b. Edit the argocd-cm ConfigMap to enable impersonation: application.sync.impersonation.enabled: true
    c. Create the service account to be used for impersonation: kubectl apply -f argocd-manager-foo.yaml
    d. Create the test project using the argocd-manager-foo service account for sync, and the test app: kubectl apply -f argocd-bug-repro.yaml
    e. Check that the app is healthy (it's just a ConfigMap). Click the Sync button and observe the error described.

Expected behavior

Sync with impersonation should respect either ApplicationDestination.Server (the URL) or ApplicationDestination.Name when attempting to sync.

Screenshots

Version

argocd: v2.14.5+f463a94
  BuildDate: 2025-03-11T04:57:25Z
  GitCommit: f463a945d57267e9691cede37021d9ddc5994f36
  GitTreeState: clean
  GoVersion: go1.24.1
  Compiler: gc
  Platform: darwin/arm64
argocd-server: v3.0.5+af9ebac
  BuildDate: 2025-05-29T17:30:53Z
  GitCommit: af9ebac0bb35dc16eb034c1cefaf7c92d1029927
  GitTreeState: clean
  GoVersion: go1.24.1
  Compiler: gc
  Platform: linux/arm64
  Kustomize Version: v5.6.0 2025-01-14T15:12:17Z
  Helm Version: v3.17.1+g980d8ac
  Kubectl Version: v0.32.2
  Jsonnet Version: v0.20.0

Logs

{"application":"hello-world","dest-namespace":"foo","dest-server":"","level":"info","msg":"Updated sync status:  -\u003e Synced","reason":"ResourceUpdated","time":"2025-06-06T18:04:59Z","type":"Normal"}
{"application":"hello-world","dest-namespace":"foo","dest-server":"","level":"info","msg":"Updated health status:  -\u003e Healthy","reason":"ResourceUpdated","time":"2025-06-06T18:04:59Z","type":"Normal"}
{"app-namespace":"argocd","app-qualified-name":"argocd/hello-world","application":"hello-world","level":"info","msg":"Update successful","project":"foo","time":"2025-06-06T18:04:59Z"}
{"app-namespace":"argocd","app-qualified-name":"argocd/hello-world","app_status_update_ms":0,"application":"hello-world","auto_sync_ms":0,"compare_app_state_ms":1659,"comparison-level":3,"comparison_with_nothing_ms":0,"dedup_ms":0,"dest-name":"in-cluster","dest-namespace":"foo","dest-server":"","diff_ms":1,"git_ms":1651,"health_ms":0,"level":"info","live_ms":4,"msg":"Reconciliation completed","normalize_application_ms":6,"patch_ms":3,"persist_app_status_ms":8,"process_finalizers_ms":0,"project":"foo","refresh_app_conditions_ms":1,"set_app_managed_resources_ms":2,"setop_ms":0,"settings_ms":1,"sync_ms":0,"time":"2025-06-06T18:04:59Z","time_ms":1678}
{"app-namespace":"argocd","app-qualified-name":"argocd/hello-world","application":"hello-world","level":"info","msg":"updated 'argocd/hello-world' operation (phase: Running)","project":"foo","time":"2025-06-06T18:06:00Z"}
{"app-namespace":"argocd","app-qualified-name":"argocd/hello-world","application":"hello-world","level":"info","msg":"Initialized new operation: {\u0026SyncOperation{Revision:877261b72496bf2ffe3df873133ed9a7a405d6f3,Prune:false,DryRun:false,SyncStrategy:\u0026SyncStrategy{Apply:nil,Hook:\u0026SyncStrategyHook{SyncStrategyApply:SyncStrategyApply{Force:false,},},},Resources:[]SyncOperationResource{},Source:nil,Manifests:[],SyncOptions:[ApplyOutOfSyncOnly=true CreateNamespace=true],Sources:[]ApplicationSource{},Revisions:[],SelfHealAttemptsCount:0,} {admin false} [] {0 nil}}","project":"foo","time":"2025-06-06T18:06:00Z"}
{"level":"info","msg":"Ignore status for all objects","time":"2025-06-06T18:06:00Z"}
{"application":"argocd/hello-world","level":"info","msg":"Comparing app state (cluster: https://kubernetes.default.svc, namespace: foo)","time":"2025-06-06T18:06:00Z"}
{"application":"argocd/hello-world","build_options_ms":1,"level":"info","manifests_ms":13,"msg":"GetRepoObjs stats","plugins_ms":0,"repo_ms":0,"time":"2025-06-06T18:06:00Z","time_ms":15}
{"level":"info","msg":"Ignore status for all objects","time":"2025-06-06T18:06:00Z"}
{"app-namespace":"argocd","app-qualified-name":"argocd/hello-world","application":"hello-world","level":"info","msg":"updated 'argocd/hello-world' operation (phase: Error)","project":"foo","time":"2025-06-06T18:06:00Z"}
{"application":"hello-world","dest-namespace":"foo","dest-server":"","level":"info","msg":"Sync operation to 877261b72496bf2ffe3df873133ed9a7a405d6f3 failed: failed to find a matching service account to impersonate: no matching service account found for destination server  and namespace foo","reason":"OperationCompleted","time":"2025-06-06T18:06:00Z","type":"Warning"}
{"app-namespace":"argocd","app-qualified-name":"argocd/hello-world","application":"hello-world","level":"info","msg":"Refreshing app status (controller refresh requested), level (3)","project":"foo","time":"2025-06-06T18:06:00Z"}
{"level":"info","msg":"Ignore status for all objects","time":"2025-06-06T18:06:00Z"}
{"application":"argocd/hello-world","level":"info","msg":"Comparing app state (cluster: https://kubernetes.default.svc, namespace: foo)","time":"2025-06-06T18:06:00Z"}
{"application":"argocd/hello-world","build_options_ms":0,"level":"info","manifests_ms":391,"msg":"GetRepoObjs stats","plugins_ms":0,"repo_ms":0,"time":"2025-06-06T18:06:00Z","time_ms":392}
{"app-namespace":"argocd","app-qualified-name":"argocd/hello-world","application":"hello-world","level":"info","msg":"Skipping auto-sync: application status is Synced","project":"foo","time":"2025-06-06T18:06:00Z"}
{"app-namespace":"argocd","app-qualified-name":"argocd/hello-world","application":"hello-world","level":"info","msg":"Update successful","project":"foo","time":"2025-06-06T18:06:00Z"}
{"app-namespace":"argocd","app-qualified-name":"argocd/hello-world","app_status_update_ms":0,"application":"hello-world","auto_sync_ms":0,"compare_app_state_ms":417,"comparison-level":3,"comparison_with_nothing_ms":0,"dedup_ms":2,"dest-name":"in-cluster","dest-namespace":"foo","dest-server":"","diff_ms":0,"git_ms":393,"health_ms":0,"level":"info","live_ms":19,"msg":"Reconciliation completed","normalize_application_ms":3,"patch_ms":53,"persist_app_status_ms":54,"process_finalizers_ms":0,"project":"foo","refresh_app_conditions_ms":2,"set_app_managed_resources_ms":2,"setop_ms":0,"settings_ms":0,"sync_ms":0,"time":"2025-06-06T18:06:00Z","time_ms":479}

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions