
fix(argo-cd): fix RBAC condition for shard-cm when dynamicClusterDistribution is enabled #3871

Open
Raj-glitch-max wants to merge 3 commits into argoproj:main from Raj-glitch-max:fix/dynamic-cluster-distribution-rbac-role

Raj-glitch-max commented May 2, 2026

What this fixes

Fixes the RBAC condition in charts/argo-cd/templates/argocd-application-controller/role.yaml that prevented argocd-app-controller-shard-cm permissions from being granted in standard installations.

Root cause: The condition was:

{{- if and (not .Values.createClusterRoles) .Values.controller.dynamicClusterDistribution }}

Since createClusterRoles defaults to true, (not .Values.createClusterRoles) always evaluates to false, short-circuiting the entire block. The application controller never received permission to read or write the shard mapping ConfigMap, causing conflict retries and zombie controllers stuck at shard=-1.

Fix: Change the condition to:

{{- if .Values.controller.dynamicClusterDistribution }}

The shard-CM permission should be gated only on whether dynamic cluster distribution is enabled — it has no dependency on createClusterRoles.

Verification

Reproduced with helm template before the fix:

# Before fix — shard-cm permission absent (the bug)
helm template argocd charts/argo-cd \
  --set controller.dynamicClusterDistribution=true \
  --set createClusterRoles=true \
  | grep "argocd-app-controller-shard-cm"
# Output: (empty)

After the fix:

# After fix — shard-cm permission present ✅
helm template argocd charts/argo-cd \
  --set controller.dynamicClusterDistribution=true \
  --set createClusterRoles=true \
  | grep "argocd-app-controller-shard-cm"
# Output:   - argocd-app-controller-shard-cm

# Feature off — no permission added ✅
helm template argocd charts/argo-cd \
  --set controller.dynamicClusterDistribution=false \
  --set createClusterRoles=true \
  | grep "argocd-app-controller-shard-cm"
# Output: (empty)

Changes

  • role.yaml — fix the broken RBAC condition (1 line)
  • ci/dynamic-sharding-values.yaml — add createClusterRoles: true to actually test the standard install path in CI
  • values.yaml — document that enabling dynamicClusterDistribution grants shard-cm RBAC access
  • Chart.yaml — version bump 9.5.11 → 9.5.12 + changelog entry

Related

Reported in argoproj/argo-cd#21181

Checklist

  • I have bumped the chart version according to versioning
  • I have updated the documentation according to documentation
  • I have updated the chart changelog with all the changes that come with this pull request according to changelog
  • Any new values are backwards compatible and/or have sensible default.
  • I have signed off all my commits as required by DCO
  • I have created a separate pull request for each chart according to pull requests
  • My build is green (troubleshooting builds)
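The root cause described above, reproduced outside the chart as an added example (not code from this pull request or the argo-helm project): Helm renders templates with Go's text/template, so the two conditions quoted in the description can be evaluated directly against both values. The rule body, the function names and the Values maps are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// The two conditions are quoted from the PR description; body is a constructed
// stand-in for the Role rule that the chart wraps in the condition.
const (
	oldCond = `{{- if and (not .Values.createClusterRoles) .Values.controller.dynamicClusterDistribution }}`
	newCond = `{{- if .Values.controller.dynamicClusterDistribution }}`
	body    = "\n  - argocd-app-controller-shard-cm\n{{- end }}"
)

// emitsShardCM renders cond+body and reports whether the shard-cm name is emitted.
func emitsShardCM(cond string, createClusterRoles, dynamic bool) bool {
	tpl := template.Must(template.New("role").Parse(cond + body))
	values := map[string]interface{}{
		"Values": map[string]interface{}{
			"createClusterRoles": createClusterRoles,
			"controller":         map[string]interface{}{"dynamicClusterDistribution": dynamic},
		},
	}
	var out bytes.Buffer
	if err := tpl.Execute(&out, values); err != nil {
		panic(err)
	}
	return bytes.Contains(out.Bytes(), []byte("argocd-app-controller-shard-cm"))
}

// regressions lists createClusterRoles settings for which dynamic distribution
// is enabled but cond fails to emit the shard-cm rule.
func regressions(cond string) []string {
	var missing []string
	for _, ccr := range []bool{true, false} {
		if !emitsShardCM(cond, ccr, true) {
			missing = append(missing, fmt.Sprintf("createClusterRoles=%t", ccr))
		}
	}
	return missing
}

func main() {
	fmt.Println("old condition, rule missing for:", regressions(oldCond))
	fmt.Println("new condition, rule missing for:", regressions(newCond))
}
```

With the feature disabled, neither condition emits the rule, so the fix does not widen permissions for installations that leave dynamicClusterDistribution off.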

Copilot AI left a comment

Pull request overview

Fixes a Helm chart templating bug that prevented Argo CD’s application controller from receiving RBAC permissions to manage the shard mapping ConfigMap when controller.dynamicClusterDistribution is enabled.

Changes:

  • Fix RBAC gating logic so shard ConfigMap permissions are granted whenever controller.dynamicClusterDistribution is enabled.
  • Update CI values to explicitly test the standard install path (createClusterRoles: true).
  • Document the RBAC implication in values.yaml and bump chart version + changelog entry.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| charts/argo-cd/templates/argocd-application-controller/role.yaml | Removes incorrect createClusterRoles dependency so shard-cm Role rule is emitted when dynamic distribution is enabled. |
| charts/argo-cd/ci/dynamic-sharding-values.yaml | Ensures CI scenario covers the common default (createClusterRoles: true) while enabling dynamic sharding. |
| charts/argo-cd/values.yaml | Documents that enabling dynamic cluster distribution grants RBAC access to the shard mapping ConfigMap. |
| charts/argo-cd/Chart.yaml | Bumps chart version and adds an Artifact Hub changelog entry describing the fix. |
