fix(argo-cd): Omit runAsUser for dex when deployed on OpenShift #3785

Merged
tico24 merged 2 commits into argoproj:main from CLNRMN:fix/argo-cd-openshift
Mar 18, 2026

@CLNRMN (Contributor) commented Mar 18, 2026

Checklist:

  • I have bumped the chart version according to versioning
  • I have updated the documentation according to documentation
  • I have updated the chart changelog with all the changes that come with this pull request according to changelog.
  • Any new values are backwards compatible and/or have sensible default.
  • I have signed off all my commits as required by DCO.
  • I have created a separate pull request for each chart according to pull requests
  • My build is green (troubleshooting builds).

fix(argo-cd): Omit runAsUser for dex when deployed on OpenShift

Context

PR #3749 updated the dex Docker image to v2.45.1 and introduced a hardcoded runAsUser: 1001 in the dex containerSecurityContext. This broke deployments on OpenShift.

On OpenShift, the restricted / restricted-v2 SCC (Security Context Constraint) assigns UIDs from a namespace-specific range. A hardcoded runAsUser value like 1001 falls outside that allocated range and is rejected, preventing the dex pod from starting.

What changed

In charts/argo-cd/templates/dex/deployment.yaml, the securityContext rendering for both the dex container and the copyutil init container now conditionally omits runAsUser when openshift.enabled is true:

{{- if $.Values.openshift.enabled }}
  {{- omit . "runAsUser" | toYaml | nindent 10 }}
{{- else }}
  {{- toYaml . | nindent 10 }}
{{- end }}

By omitting runAsUser when openshift.enabled is set, OpenShift's SCC can assign a valid UID from the namespace's allocated range automatically, allowing the dex pod to start successfully.

mbevc1 (Collaborator) previously approved these changes Mar 18, 2026

@mbevc1 left a comment

I cannot test this, but it's a follow-up from a previous PR

@CLNRMN (Contributor, Author) commented Mar 18, 2026

@mbevc1 Here are some more details about the diff, so you could have a better insight:

Default values.yaml (with the runAsUser set to 1001)

helm template . -f values.yaml --set=openshift.enabled=false | yq 'select(.kind == "Deployment" and .metadata.name == "release-name-argocd-dex-server") | .spec.template.spec | {"initContainers": .initContainers[0].securityContext, "containers": .containers[0].securityContext }'       
initContainers:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1001
  seccompProfile:
    type: RuntimeDefault
containers:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1001
  seccompProfile:
    type: RuntimeDefault

values.yaml with openshift.enabled=enabled: the runAsUser is dropped, so OpenShift handles it as before PR #3749

helm template . -f values.yaml --set=openshift.enabled=enabled | yq 'select(.kind == "Deployment" and .metadata.name == "release-name-argocd-dex-server") | .spec.template.spec | {"initContainers": .initContainers[0].securityContext, "containers": .containers[0].securityContext }'
initContainers:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
containers:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault
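
The UID-range rejection described in the PR context, as an added example that is not part of this pull request or the argo-helm chart: a simplified Python model of the range check applied under the restricted SCC, run against the two renderings shown above. The annotation value and all helper names are constructed for illustration; `openshift.io/sa.scc.uid-range` is the namespace annotation in which OpenShift records the allocated range as `<first>/<size>`, and only container-level `runAsUser` is modelled.

```python
# Added illustration (not chart code): simplified model of the UID-range check
# that the restricted / restricted-v2 SCC enforces per container.
UID_RANGE_ANNOTATION = "openshift.io/sa.scc.uid-range"


def parse_uid_range(value):
    """Parse '<first>/<size>' into an inclusive (first, last) UID pair."""
    first, sep, size = value.partition("/")
    if not sep or not first.isdigit() or not size.isdigit() or int(size) < 1:
        raise ValueError(f"unexpected uid-range annotation: {value!r}")
    return int(first), int(first) + int(size) - 1


def check_security_context(name, ctx, uid_range):
    """Return a finding string if ctx would be rejected, else None."""
    uid = ctx.get("runAsUser")
    if uid is None:
        return None  # no explicit UID: admission assigns one from the range
    first, last = uid_range
    if first <= uid <= last:
        return None
    return f"{name}: runAsUser {uid} is outside namespace range {first}-{last}"


def audit(contexts, namespace_annotations):
    """Check every rendered securityContext against the namespace's range."""
    uid_range = parse_uid_range(namespace_annotations[UID_RANGE_ANNOTATION])
    findings = (check_security_context(n, c, uid_range) for n, c in contexts.items())
    return [f for f in findings if f]


# Constructed sample data: a namespace annotation value, plus the two
# securityContext renderings from the comment above, trimmed to relevant keys.
NAMESPACE = {UID_RANGE_ANNOTATION: "1000680000/10000"}
DEFAULT_RENDER = {
    "initContainers[0]": {"runAsNonRoot": True, "runAsUser": 1001},
    "containers[0]": {"runAsNonRoot": True, "runAsUser": 1001},
}
OPENSHIFT_RENDER = {
    "initContainers[0]": {"runAsNonRoot": True},
    "containers[0]": {"runAsNonRoot": True},
}

if __name__ == "__main__":
    for label, render in (("default", DEFAULT_RENDER), ("openshift", OPENSHIFT_RENDER)):
        print(label, "->", audit(render, NAMESPACE) or "accepted")
```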

@CLNRMN CLNRMN force-pushed the fix/argo-cd-openshift branch from bff381d to 30ab7d7 Compare March 18, 2026 10:25
jmeridth previously approved these changes Mar 18, 2026
@CLNRMN CLNRMN requested review from jmeridth and mbevc1 March 18, 2026 11:53
@jmeridth (Member):

@CLNRMN please fix the conflict. Thank you for this contribution.

@tico24 tico24 enabled auto-merge (squash) March 18, 2026 14:39
@tico24 tico24 merged commit b7a248b into argoproj:main Mar 18, 2026
7 checks passed
xavier-re pushed a commit to xavier-re/argo-helm-xr that referenced this pull request Apr 8, 2026