Synchronization and updating of Kubernetes ingresses in different namespaces.

[hpmistry19]

Describe the bug

We encountered an intriguing error/bug that reveals a permission-related issue. The error message highlights that the user "system:serviceaccount:argo-rollouts:argo-rollouts" lacks the necessary privileges to update the "ingresses" resource within the "networking.k8s.io" API group across the specified namespace(s) "*".

Upon investigating the issue, it appears that the reference at https://github.com/argoproj/argo-helm/blob/main/charts/argo-rollouts/templates/controller/clusterrole.yaml indicates that the "ingress" resource lacks the capability to perform "update" operations on resources.

During my attempts to modify the existing clusterrole permission, specifically to allow the "update" verb for the "ingress" resource, I encountered limitations preventing me from making the desired changes. In light of this, I kindly request the assistance of someone knowledgeable in this matter to review the situation and provide guidance on resolving the issue.

Related helm chart

argo-rollouts

Helm chart version

2.22.2

To Reproduce

1. Described the clusterrole having this issue.
2. Tried to edit the clusterrole to add verbs "update"
3. Tried to patch the existing clusterrole to add verb "update"

Expected behavior

It is expected that the "argo-rollout" clusterrole grants permissions to update the "ingresses" resource within the "networking.k8s.io" API group across the specified namespaces.

Screenshots

No response

Additional context

No response

[yu-croco]

argo-rollouts follows the upstream's manifest, so I wonder it's better to fix the upstream at first. 🤔

[hpmistry19]

I am unsure if we are allowed to edit the main upstream chart here?

[yu-croco]

@hpmistry19
If there is a reasonable reason, anybody can submit PR. 👍

[zachaller]

This has been changed upstream argoproj/argo-rollouts#2933