ArgoCD Bug Report: Cross-Namespace Hierarchy Traversal Issue
Describe the bug
ArgoCD fails to display namespaced resources in the application tree when they have ownerReferences to cluster-scoped resources. This occurs due to a cross-namespace hierarchy traversal limitation in the gitops-engine's IterateHierarchyV2 function.
Root Cause: The buildGraph function in pkg/cache/cluster.go only processes resources within the same namespace, causing cross-namespace parent-child relationships to be missed. Specifically, when a cluster-scoped resource (e.g., Crossplane ProviderRevision) owns namespaced resources (e.g., Deployment, Service), the namespaced children don't appear in ArgoCD's resource tree.
To Reproduce
- Deploy a cluster-scoped resource that creates namespaced children via ownerReferences:
```yaml
# Example: Crossplane ProviderRevision (cluster-scoped parent)
apiVersion: pkg.crossplane.io/v1
kind: ProviderRevision
metadata:
  name: provider-aws-cloudformation-3b2c213545b8
---
# Namespaced child with ownerReference to cluster-scoped parent
apiVersion: apps/v1
kind: Deployment
metadata:
  name: provider-aws-cloudformation-3b2c213545b8
  namespace: crossplane-system
  ownerReferences:
    - apiVersion: pkg.crossplane.io/v1
      kind: ProviderRevision
      name: provider-aws-cloudformation-3b2c213545b8
      uid: <provider-revision-uid>
---
# Cluster-scoped child (this WILL appear - works correctly)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane:provider:provider-aws-cloudformation-3b2c213545b8:system
  ownerReferences:
    - apiVersion: pkg.crossplane.io/v1
      kind: ProviderRevision
      name: provider-aws-cloudformation-3b2c213545b8
      uid: <provider-revision-uid>
```
- Create an ArgoCD Application that tracks the ProviderRevision
- Observe in ArgoCD UI that:
  - ✅ ProviderRevision appears
  - ✅ ClusterRole appears (cluster-scoped → cluster-scoped works)
  - ❌ Deployment is missing (cluster-scoped → namespaced fails)
Expected behavior
All resources with ownerReferences should appear in the ArgoCD application tree regardless of namespace boundaries. The Deployment should be visible as a child of the ProviderRevision.
Actual behavior
Only cluster-scoped children appear in the resource tree. Namespaced children of cluster-scoped parents are missing.
Technical Details
The issue is in gitops-engine/pkg/cache/cluster.go at line 1068 in the IterateHierarchyV2 function:
```go
graph := buildGraph(nsNodes, c.resources) // Should pass c.resources for cross-namespace lookup
```
The buildGraph function needs enhancement to handle cross-namespace relationships by:
- Accepting an allResources parameter for global resource lookup
- Implementing cross-namespace parent resolution logic
- Processing cross-namespace children in addition to same-namespace resources
Version
```
argocd: v2.12.3+c5b1b3b.dirty
  BuildDate: 2024-08-30T19:14:57Z
  GitCommit: c5b1b3ba3733e68ba954b17d73816ea0273e6cc6
  GitTreeState: dirty
  GoVersion: go1.23.1
  Compiler: gc
  Platform: darwin/arm64
```
Impact
This bug affects any Kubernetes operator that uses cluster-scoped resources as parents of namespaced resources, including:
- Crossplane providers and configurations
- cert-manager cluster issuers
- Custom operators following similar patterns
Proposed Fix
The fix requires enhancing the buildGraph function in gitops-engine to support cross-namespace hierarchy traversal. A working implementation is available that:
- Maintains backward compatibility
- Adds minimal performance overhead
- Includes comprehensive test coverage
- Passes all existing regression tests
The fix involves updating pkg/cache/cluster.go to pass the complete resource map to buildGraph and enhancing the function to handle cross-namespace parent-child relationships.
Logs
No specific error logs are generated - the resources are simply omitted from the tree without warnings or errors.
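
A minimal model of the traversal gap described in this report, added here as an illustration; it is not gitops-engine code, and the `Resource` type, `Tree`, `owns` and the sample UIDs are hypothetical. It goes slightly beyond the report by also rejecting a reference to a namespaced owner in a different namespace, which Kubernetes does not treat as a valid owner reference.

```go
package main

import "fmt"

type Resource struct { // hypothetical, simplified stand-in for a cached cluster object
	UID, Kind, Namespace string // Namespace "" means cluster-scoped
	OwnerUIDs            []string
}

// Tree lists the kinds reachable from root via ownerReferences. crossNS=false
// models the reported behaviour: only the current parent's namespace is scanned.
func Tree(root Resource, all []Resource, crossNS bool) (out []string) {
	seen := map[string]bool{root.UID: true}
	var walk func(parent Resource)
	walk = func(parent Resource) {
		for _, r := range all {
			if seen[r.UID] || !owns(parent, r) || (!crossNS && r.Namespace != parent.Namespace) {
				continue
			}
			seen[r.UID] = true
			out = append(out, r.Kind)
			walk(r)
		}
	}
	walk(root)
	return out
}

// owns accepts a reference only if the owner is cluster-scoped or shares the child's namespace.
func owns(parent, child Resource) bool {
	for _, uid := range child.OwnerUIDs {
		if uid == parent.UID {
			return parent.Namespace == "" || parent.Namespace == child.Namespace
		}
	}
	return false
}

var sample = []Resource{ // constructed data modelled on the report's manifests; sample[0] is the root
	{UID: "u-pr", Kind: "ProviderRevision"},
	{UID: "u-cr", Kind: "ClusterRole", OwnerUIDs: []string{"u-pr"}},
	{UID: "u-dep", Kind: "Deployment", Namespace: "crossplane-system", OwnerUIDs: []string{"u-pr"}},
	{UID: "u-rs", Kind: "ReplicaSet", Namespace: "crossplane-system", OwnerUIDs: []string{"u-dep"}},
	{UID: "u-cm", Kind: "ConfigMap", Namespace: "other", OwnerUIDs: []string{"u-dep"}},
}

func main() {
	fmt.Println(Tree(sample[0], sample, false), Tree(sample[0], sample, true))
}
```

With `crossNS` off the Deployment and everything beneath it drop out of the tree silently, which matches the absence of warnings noted under Logs.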