fix: Progress Sync Unknown in UI

[aali309]

Closes: #24190
Closes: #24296

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Title of the PR
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

• 🚀 /bns:deploy to deploy the environment

[aali309]

@reggie-k, can you please review this for me! Thnx

[nitishfy]

Thank you for raising the PR. Can you please attach a demonstration video if possible?

[aali309]

updatedFix.mov

[dag-andersen]

Hi @aali309

It’s me from the reported issue: #24190 (comment) :)

Maybe I’m missing something, but wouldn’t it be more fitting to rename this function to hasApplicationSetParent or isPartOfApplicationSet or something similar?

The function only checks if there’s an owner reference pointing to an ApplicationSet, and does not check if rolling sync has been enabled. I understand that the sync-strategy is checked later in the code, but I would argue that the current function name is a bit misleading considering what it actually does.

[nitishfy]

updatedFix.mov

We are currently hiding that icon. What about the case when it has been enabled and shouldn't be unknown?

[aali309]

updatedFix.mov

We are currently hiding that icon. What about the case when it has been enabled and shouldn't be unknown?

current logic, I believe it's working correctly:
When rolling sync is enabled and status is available: Shows the actual progressive sync status
When rolling sync is enabled but status not yet populated: Shows "Waiting" status (not "Unknown")
When ApplicationSet doesn't use RollingSync strategy: Hides the section entirely (return null)

[aali309]

updatedFix.mov

We are currently hiding that icon. What about the case when it has been enabled and shouldn't be unknown?

current logic, I believe it's working correctly: When rolling sync is enabled and status is available: Shows the actual progressive sync status When rolling sync is enabled but status not yet populated: Shows "Waiting" status (not "Unknown") When ApplicationSet doesn't use RollingSync strategy: Hides the section entirely (return null)

This is when its enabled

[reggie-k]

@aali309 Could you attach a screenshot of how it looks like when the App is part of a progressive sync but the user has no permissions on the AppSet? I'm asking myself for this case, should we even display the progressive sync status for the App?

[aali309]

@aali309 Could you attach a screenshot of how it looks like when the App is part of a progressive sync but the user has no permissions on the AppSet? I'm asking myself for this case, should we even display the progressive sync status for the App?

I think its better to create a follow up PR to close this access denied issue #24225

I was also thinking to have something like this

For user awareness, it informs users that there is progressive sync information available, but they don't have access to it. WDYT?

[reggie-k]

I like this approach, but not sure, from security point if view, that we are not disclosing info that isn't supposed to be disclosed. Would love to hear @crenshaw-dev or @agaudreault 's take on this. I'm adding it to today's contributor agenda meeting for discussion.

[aali309]

I like this approach, but not sure, from security point if view, that we are not disclosing info that isn't supposed to be disclosed. Would love to hear @crenshaw-dev or @agaudreault 's take on this. I'm adding it to today's contributor agenda meeting for discussion.

Thank you @reggie-k , so I guess we are disabling it

[reggie-k]

@aali309 Please see the summary from today's contributor meeting (the RBAC + docs stuff can go into another PR)
#24190 (comment)

[reggie-k]

I believe we would need the following scenarios tested:

1. Application page for an app that is part of an AppSet WITH progressive sync and user WITH permissions on the AppSet (either an admin or has explicit permissions) - the panel should be shown
2. Application page for an app that is part of an AppSet WITH progressive sync and user WITHOUT permissions on the AppSet - the panel should be hidden
3. Application page for an app that is part of an AppSet WITHOUT progressive sync and user WITH permissions on the AppSet (either an admin or has explicit permissions)- the panel should be hidden
4. Application page for an app that is part of an AppSet WITHOUT progressive sync and user WITHOUT permissions for the AppSet - the panel should be hidden
5. Application page for an app that is NOT part of an AppSet - the panel should be hidden

[aali309]

I believe we would need the following scenarios tested:

1. Application page for an app that is part of an AppSet WITH progressive sync and user WITH permissions on the AppSet (either an admin or has explicit permissions) - the panel should be shown
2. Application page for an app that is part of an AppSet WITH progressive sync and user WITHOUT permissions on the AppSet - the panel should be hidden
3. Application page for an app that is part of an AppSet WITHOUT progressive sync and user WITH permissions on the AppSet (either an admin or has explicit permissions)- the panel should be hidden
4. Application page for an app that is part of an AppSet WITHOUT progressive sync and user WITHOUT permissions for the AppSet - the panel should be hidden
5. Application page for an app that is NOT part of an AppSet - the panel should be hidden

Tested all these 5 scenarios @reggie-k @agaudreault PTAL.

[ranakan19]

Relying on error text is fragile, could you look into the error object when permissionError occurs to see if something like errorCode or statusCode(403) or error type exists and use that instead?

[aali309]

This is what I thought initially but here's what I found:

• The DataLoader component wraps HTTP errors in React elements, so we can't directly access HTTP status codes like error.status or error.statusText.
  Therefore:
  error.status → undefined (not accessible)
  error.statusText → undefined (not accessible)
  error.response → undefined (not accessible)
  error.code → undefined (not accessible)

[reggie-k]

It will be better to check for permissions explicitly using can-i, like here:

argo-cd/ui/src/app/applications/components/resource-details/resource-details.tsx

Line 284 in 993344e

const logsAllowed = await services.accounts.canI('logs', 'get', application.spec.project + '/' + application.metadata.name);

Showing / hiding logs of pods in the App is done with a similar logic - shown if the user has permissions, hidden otherwise.

[ranakan19]

left some comments inline

[aali309]

@reggie-k
I see on the issue that we should also hide the panel when AllAtOnce strategy is enabled? It should only show for RollingSync strategy, and user has permissions?

[keithchong]

LGTM

[keithchong]

Merging.

[argo-cd-cherry-pick-bot]

🍒 Cherry-pick PR created for 3.2: #24641

[argo-cd-cherry-pick-bot]

🍒 Cherry-pick PR created for 3.1: #24643