Skip to content

kargo-api does not use the global.sharedResources.namespace #5665

New issue
New issue
Open
Open
kargo-api does not use the global.sharedResources.namespace#5665
Labels
kind/bugSomething isn't working as intended; If unsure that something IS a bug, start a discussion insteadneeds/areaIssue or PR needs to be labeled to indicate what parts of the code base are affectedneeds/priorityPriority has not yet been determined; a good signal that maintainers aren't fully committed
@ThreePinkApples

Description

@ThreePinkApples
ThreePinkApples
opened on Jan 29, 2026

Checklist

  • I've searched the issue queue to verify this is not a duplicate bug report.
  • I've included steps to reproduce the bug.
  • I've pasted the output of kargo version.
  • I've pasted logs, if applicable.

Description

When manually overriding the global.sharedResources.namespace config, it does not apply to kargo-api, and results in the WebUI being unable to list the resources.
The SHARED_RESOURCE_NAMSPACE is clearly missing from the configmap https://github.com/akuity/kargo/blob/994057f5210992dd3f76fb3cf64f7c1a336ebe6c/charts/kargo/templates/api/configmap.yaml

Workaround: Manually set SHARED_RESOURCES_NAMESPACE in the kargo-api configmap

Screenshots

Image

Steps to Reproduce

  1. Set global.sharedResources.namespace to something other than the default value
  2. Go to settings/shared-secrets in the WebUI and either get an error such as permission denied (if the default namespace does not exist, which is my scenario), or just no secrets listed

Version

{
  "version": "v1.9.0",
  "buildDate": "2026-01-29T04:30:27Z",
  "gitCommit": "d16522090b99645053862138dacd7191ba44d207",
  "gitTreeDirty": false,
  "goVersion": "go1.25.5",
  "compiler": "gc",
  "platform": "linux/amd64"
}

Logs

2026-01-29T11:25:09Z	ERROR	option/log.go:53	finished unary call: permission_denied: secrets is forbidden: User "system:serviceaccount:kargo:kargo-api" cannot list resource "secrets" in API group "" in the namespace "kargo-shared-resources"	{"connect.service": "akuity.io.kargo.service.v1alpha1.KargoService", "connect.method": "ListGenericCredentials", "connect.start_time": "2026-01-29T11:25:09Z", "connect.duration": "3.829004ms", "connect.code": "permission_denied"}
github.com/akuity/kargo/pkg/server/option.(*logInterceptor).WrapUnary.func1
	github.com/akuity/kargo/pkg/server/option/log.go:53
connectrpc.com/connect.NewUnaryHandler[...].func2
	connectrpc.com/[email protected]/handler.go:78
connectrpc.com/connect.(*Handler).ServeHTTP
	connectrpc.com/[email protected]/handler.go:333
github.com/akuity/kargo/api/service/v1alpha1/svcv1alpha1connect.NewKargoServiceHandler.func1
	github.com/akuity/kargo/[email protected]/service/v1alpha1/svcv1alpha1connect/service.connect.go:2282
net/http.HandlerFunc.ServeHTTP
	net/http/server.go:2322
net/http.(*ServeMux).ServeHTTP
	net/http/server.go:2861
golang.org/x/net/http2/h2c.h2cHandler.ServeHTTP
	golang.org/x/[email protected]/http2/h2c/h2c.go:125
net/http.serverHandler.ServeHTTP
	net/http/server.go:3340
net/http.initALPNRequest.ServeHTTP
	net/http/server.go:4013
net/http.(*http2serverConn).runHandler
	net/http/h2_bundle.go:6386

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugSomething isn't working as intended; If unsure that something IS a bug, start a discussion insteadneeds/areaIssue or PR needs to be labeled to indicate what parts of the code base are affectedneeds/priorityPriority has not yet been determined; a good signal that maintainers aren't fully committed

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions