Namespaced objects missing from hierarchy when owned by cluster-scoped objects #24379

@jcogilvie

Description

ArgoCD Bug Report: Cross-Namespace Hierarchy Traversal Issue

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

ArgoCD fails to display namespaced resources in the application tree when they have ownerReferences to cluster-scoped resources. This occurs due to a cross-namespace hierarchy traversal limitation in the gitops-engine's IterateHierarchyV2 function.

Root Cause: The buildGraph function in pkg/cache/cluster.go only processes resources within the same namespace, causing cross-namespace parent-child relationships to be missed. Specifically, when a cluster-scoped resource (e.g., Crossplane ProviderRevision) owns namespaced resources (e.g., Deployment, Service), the namespaced children don't appear in ArgoCD's resource tree.

To Reproduce

  1. Deploy a cluster-scoped resource that creates namespaced children via ownerReferences:

```yaml
# Example: Crossplane ProviderRevision (cluster-scoped parent)
apiVersion: pkg.crossplane.io/v1
kind: ProviderRevision
metadata:
  name: provider-aws-cloudformation-3b2c213545b8
---
# Namespaced child with ownerReference to cluster-scoped parent
apiVersion: apps/v1
kind: Deployment
metadata:
  name: provider-aws-cloudformation-3b2c213545b8
  namespace: crossplane-system
  ownerReferences:
  - apiVersion: pkg.crossplane.io/v1
    kind: ProviderRevision
    name: provider-aws-cloudformation-3b2c213545b8
    uid: <provider-revision-uid>
---
# Cluster-scoped child (this WILL appear - works correctly)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane:provider:provider-aws-cloudformation-3b2c213545b8:system
  ownerReferences:
  - apiVersion: pkg.crossplane.io/v1
    kind: ProviderRevision
    name: provider-aws-cloudformation-3b2c213545b8
    uid: <provider-revision-uid>
```

  2. Create an ArgoCD Application that tracks the ProviderRevision
  3. Observe in ArgoCD UI that:
    • ✅ ProviderRevision appears
    • ✅ ClusterRole appears (cluster-scoped → cluster-scoped works)
    • ❌ Deployment is missing (cluster-scoped → namespaced fails)

Expected behavior

All resources with ownerReferences should appear in the ArgoCD application tree regardless of namespace boundaries. The Deployment should be visible as a child of the ProviderRevision.

Actual behavior

Only cluster-scoped children appear in the resource tree. Namespaced children of cluster-scoped parents are missing.

Technical Details

The issue is in gitops-engine/pkg/cache/cluster.go at line 1068 in the IterateHierarchyV2 function:

```go
graph := buildGraph(nsNodes, c.resources) // Should pass c.resources for cross-namespace lookup
```

The buildGraph function needs enhancement to handle cross-namespace relationships by:

  1. Accepting an allResources parameter for global resource lookup
  2. Implementing cross-namespace parent resolution logic
  3. Processing cross-namespace children in addition to same-namespace resources

Version

argocd: v2.12.3+c5b1b3b.dirty
  BuildDate: 2024-08-30T19:14:57Z
  GitCommit: c5b1b3ba3733e68ba954b17d73816ea0273e6cc6
  GitTreeState: dirty
  GoVersion: go1.23.1
  Compiler: gc
  Platform: darwin/arm64

Impact

This bug affects any Kubernetes operator that uses cluster-scoped resources as parents of namespaced resources, including:

  • Crossplane providers and configurations
  • cert-manager cluster issuers
  • Custom operators following similar patterns

Proposed Fix

The fix requires enhancing the buildGraph function in gitops-engine to support cross-namespace hierarchy traversal. A working implementation is available that:

  • Maintains backward compatibility
  • Adds minimal performance overhead
  • Includes comprehensive test coverage
  • Passes all existing regression tests

The fix involves updating pkg/cache/cluster.go to pass the complete resource map to buildGraph and enhancing the function to handle cross-namespace parent-child relationships.

Logs

No specific error logs are generated - the resources are simply omitted from the tree without warnings or errors.
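An added illustration of the traversal difference the report describes; this is not gitops-engine's code. ResourceKey, OwnerRef, Cache, resolveOwner and childrenOf are constructed stand-ins for the cache and buildGraph, and the sample cache holds the three objects from the YAML above. Scanning only the parent's namespace bucket yields just the ClusterRole; scanning the whole cache also yields the Deployment.

```go
package main

// ResourceKey identifies a cached object; Namespace is "" for cluster-scoped kinds.
type ResourceKey struct{ Kind, Namespace, Name string }

// OwnerRef is what an ownerReference carries: kind and name, never a namespace.
type OwnerRef struct{ Kind, Name string }

// Cache is a constructed stand-in for the cluster cache: each key maps to its ownerReferences.
type Cache map[ResourceKey][]OwnerRef

// resolveOwner maps an ownerReference to a cache key. Kubernetes permits an owner
// only in the child's own namespace or at cluster scope, so try those two in order.
func resolveOwner(child ResourceKey, ref OwnerRef, all Cache) (ResourceKey, bool) {
	for _, ns := range []string{child.Namespace, ""} {
		k := ResourceKey{Kind: ref.Kind, Namespace: ns, Name: ref.Name}
		if _, ok := all[k]; ok {
			return k, true
		}
	}
	return ResourceKey{}, false
}

// childrenOf returns the keys whose ownerReferences resolve to parent. crossNamespace=false
// scans only the parent's namespace bucket (the reported behaviour); true scans the whole cache.
func childrenOf(parent ResourceKey, all Cache, crossNamespace bool) map[ResourceKey]bool {
	out := map[ResourceKey]bool{}
	for key, owners := range all {
		if !crossNamespace && key.Namespace != parent.Namespace {
			continue // per-namespace buildGraph: children in other namespaces are never seen
		}
		for _, ref := range owners {
			if owner, ok := resolveOwner(key, ref, all); ok && owner == parent {
				out[key] = true
			}
		}
	}
	return out
}

// sampleCache is constructed from the three objects in the report's YAML.
func sampleCache() Cache {
	const name = "provider-aws-cloudformation-3b2c213545b8"
	owner := []OwnerRef{{Kind: "ProviderRevision", Name: name}}
	return Cache{
		{Kind: "ProviderRevision", Name: name}:                                 nil,
		{Kind: "Deployment", Namespace: "crossplane-system", Name: name}:       owner,
		{Kind: "ClusterRole", Name: "crossplane:provider:" + name + ":system"}: owner,
	}
}
```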

Labels: bug (Something isn't working), component:application-controller (Issues related to the Application Controller component), component:core (Issues on core functionalities such as tracking, reconciling, managing resources, etc.)