Local WebUI broken in all 2.11 and 2.10.10 and later if using ArgoCD Core about argo-cd HOT 5 OPEN

Is there any insight as to when this will be remediated?
I'm affected by this and unable to revert to older version due to other issues.

from argo-cd.

Related to #18464

from argo-cd.

I ran into this problem with the WebUI when installing from core-install.yaml and logging in using argo login --core. I'm only piling on because it doesn't seem to be limited to just the WebUI. See #18464 as already mentioned and some other commands as well:

❯ argocd app diff myapp
ERRO[0000] finished unary call with code Unknown         error="error getting cached app managed resources: NOAUTH Authentication required." grpc.code=Unknown grpc.method=ManagedResources grpc.service=application.ApplicationService grpc.start_time="2024-07-04T08:54:24-07:00" grpc.time_ms=97.836 span.kind=server system=grpc
FATA[0000] rpc error: code = Unknown desc = error getting cached app managed resources: NOAUTH Authentication required.

from argo-cd.

This looks to be #3130.

I updated from 2.10.0 to 2.10.13 to fix another issue and ran into this.

IMO, this shouldn't have been applied on a patch release to 2.10. It substantially changes the underlying configuration, adds tooling, etc. I would strongly advocate for a rollback on 2.10 at least. The underlying security issue existed for years and it didn't need to be rushed into a patch release on a stable branch.

As to a fix for 2.11 and forward - the cli doesn't seem to have a way to set a redis password at runtime and should likely read it from a default location under normal circumstances.

There is a workaround documented here if you both need latest release and core. I suspect this can also be done with the built-in redis via Kustomize if you're managing argo with argo but I have not had time to try yet.

from argo-cd.

The following Kustomize patch appears to do the trick. Tested with 2.11.4 but should also work with 2.10.x.

Unfortunately the changes to the redis container are brittle. If the args list changes, the patch needs to be updated. I attempted to use deleteFromPrimitiveList but it appears to be buggy when the key to delete doesn't currently exist and will re-add it, which results in constant sync churn of adding/removing the redis password flag. It is very possible there's a cleaner way to do this.

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: argocd-application-controller
spec:
  template:
    spec:
      containers:
        - name: argocd-application-controller
          env:
            - name: REDIS_PASSWORD
              $patch: delete
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-repo-server
spec:
  template:
    spec:
      containers:
        - name: argocd-repo-server
          env:
            - name: REDIS_PASSWORD
              $patch: delete
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: argocd-redis
spec:
  template:
    spec:
      containers:
        - name: redis
          env:
            - name: REDIS_PASSWORD
              $patch: delete
          args:
            - '--save'
            - ''
            - '--appendonly'
            - 'no'
      initContainers:
        - name: secret-init
          $patch: delete

Include as an explicit SMP:

patchesStrategicMerge:
  - overlays/redis-nopassword.yaml

from argo-cd.