
AppProject RBAC policies use invalid wildcard * for resource type, breaking ArgoCD operations #3105

@heino-kroeger


APL Version

linode/apl-tasks:v3.18.0

Describe the bug

APL generates AppProject resources for teams with RBAC policy rules that use * as the resource type:

```text
p, proj:team-<name>:platform-admin, *, *, team-<name>/*, allow
p, proj:team-<name>:team-member, *, get, team-<name>/*, allow
```

The ArgoCD version shipped with APL v3.18.0 rejects * in the resource position and requires one of the explicit resource types: applications, applicationsets, repositories, exec, logs, or clusters.

This causes the following error when attempting to update project settings (e.g. changing a team's app-of-apps repository):

```text
Unable to update project: invalid policy rule 'p, proj:team-<name>:platform-admin, *, *, team-<name>/*, allow':
project resource must be: 'applications', 'applicationsets', 'repositories', 'exec', 'logs' or 'clusters', not '*'
```

Steps to reproduce

  1. Install APL v3.18.0 on an LKE cluster
  2. Create a team (e.g. kmw-stage)
  3. Open the ArgoCD UI and navigate to the team's project settings
  4. Attempt to modify the sourceRepos for the team's AppProject
  5. Observe the error above

Expected behavior

APL should generate valid AppProject policies using explicit resource types, e.g.:

```yaml
policies:
  - "p, proj:team-<name>:platform-admin, applications, *, team-<name>/*, allow"
  - "p, proj:team-<name>:platform-admin, applicationsets, *, team-<name>/*, allow"
  - "p, proj:team-<name>:platform-admin, repositories, *, team-<name>/*, allow"
  - "p, proj:team-<name>:platform-admin, clusters, *, team-<name>/*, allow"
  - "p, proj:team-<name>:platform-admin, logs, *, team-<name>/*, allow"
  - "p, proj:team-<name>:platform-admin, exec, *, team-<name>/*, allow"
```

The same expansion is needed for the team-member role (with action get instead of *).

Actual AppProject generated by APL

```yaml
roles:
  - name: platform-admin
    description: Team member privileges to team-<name>
    groups:
      - platform-admin
      - team-<name>
    policies:
      - p, proj:team-<name>:platform-admin, *, *, team-<name>/*, allow
  - name: team-member
    description: Team member privileges to team-<name>
    groups:
      - team-<name>
    policies:
      - p, proj:team-<name>:team-member, *, get, team-<name>/*, allow
```

Additional context

  • Manual patching of the AppProject via kubectl patch is immediately reverted by the APL reconciliation loop.
  • The read-only and ci-role roles are unaffected because they already use applications as the explicit resource type.
  • This appears to be a regression introduced when ArgoCD was upgraded to a version that enforces strict resource type validation in project-scoped policies.
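An added example, not APL's or ArgoCD's own code: a small TypeScript routine that rejects a `*` resource the way the quoted error does (only that check, not ArgoCD's full policy validation) and expands each wildcard rule into the explicit per-resource rules proposed under Expected behavior; the team name kmw-stage in the constructed sample is taken from the reproduction steps.

```typescript
// Resource types ArgoCD accepts in project-scoped policies (from the error text).
const PROJECT_RESOURCES = [
  "applications", "applicationsets", "repositories", "exec", "logs", "clusters",
];

interface PolicyRule {
  subject: string;  // e.g. proj:team-<name>:platform-admin
  resource: string; // must name one of PROJECT_RESOURCES, not *
  action: string;   // e.g. get or *
  object: string;   // e.g. team-<name>/*
  effect: string;   // allow or deny
}

// Parses "p, <subject>, <resource>, <action>, <object>, <effect>".
function parseRule(line: string): PolicyRule {
  const f = line.split(",").map((s) => s.trim());
  if (f.length !== 6 || f[0] !== "p") throw new Error(`malformed rule '${line}'`);
  return { subject: f[1], resource: f[2], action: f[3], object: f[4], effect: f[5] };
}

function formatRule(r: PolicyRule): string {
  return `p, ${r.subject}, ${r.resource}, ${r.action}, ${r.object}, ${r.effect}`;
}

// Returns null when the resource type is acceptable, else an error like the issue's.
function validateRule(line: string): string | null {
  const r = parseRule(line);
  if (PROJECT_RESOURCES.indexOf(r.resource) === -1) {
    return `invalid policy rule '${line}': project resource must be one of ` +
      `${PROJECT_RESOURCES.join(", ")}, not '${r.resource}'`;
  }
  return null;
}

// Expands every rule whose resource is * into one rule per explicit type; rules
// that already name a resource (e.g. read-only, ci-role) pass through unchanged.
function expandWildcardResources(policies: string[]): string[] {
  const out: string[] = [];
  for (const line of policies) {
    const r = parseRule(line);
    if (r.resource !== "*") { out.push(line); continue; }
    for (const resource of PROJECT_RESOURCES) out.push(formatRule({ ...r, resource }));
  }
  return out;
}

// Constructed sample: the two rules APL generates for a team named kmw-stage.
const GENERATED = [
  "p, proj:team-kmw-stage:platform-admin, *, *, team-kmw-stage/*, allow",
  "p, proj:team-kmw-stage:team-member, *, get, team-kmw-stage/*, allow",
];
const FIXED = expandWildcardResources(GENERATED);
```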


Labels: bug (Something isn't working), community (Issue made by a community member)
