argocd appset generate need clusterscope permission #20714

Open
llavaud opened this issue Nov 8, 2024 · 0 comments
Labels
bug Something isn't working

llavaud commented Nov 8, 2024

Describe the bug

When I try to generate the application templates from an applicationSet resource using the new argocd appset generate CLI command, I have the following error message:

FATA[0000] rpc error: code = PermissionDenied desc = unable to generate Applications of ApplicationSet: error generating applications: failed to get params for second generator in the matrix generator: child generator returned an error on parameter generation: error getting cluster secrets: secrets is forbidden: User "system:serviceaccount:argo-cd:argocd-server" cannot list resource "secrets" in API group "" at the cluster scope%0Atime="2024-11-06T20:14:43Z" level=error msg="error generating application from params" applicationset=reusable-workflows-manifests error="failed to get params for second generator in the matrix generator: child generator returned an error on parameter generation: error getting cluster secrets: secrets is forbidden: User \"system:serviceaccount:argo-cd:argocd-server\" cannot list resource \"secrets\" in API group \"\" at the cluster scope"

After adding a clusterrole/clusterrolebinding that adds get/watch/list on secrets, it works.

To Reproduce

Launch the following command on an applicationSet manifest that uses the Cluster generator:

argocd appset generate appset.yaml

Expected behavior

Render templates without needing to give clusterscope permissions to the argocd-server service account. The argocd-server already has the necessary permission to read secrets in the argocd namespace.

Version

argocd: v2.13.0+347f221
  BuildDate: 2024-11-04T12:09:06Z
  GitCommit: 347f221adba5599ef4d5f12ee572b2c17d01db4d
  GitTreeState: clean
  GoVersion: go1.23.1
  Compiler: gc
  Platform: linux/amd64
@llavaud llavaud added the bug Something isn't working label Nov 8, 2024
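
A triage helper for the denial quoted in the issue above, as an added example that is not part of the original issue or of Argo CD: it parses Kubernetes RBAC "forbidden" messages from CLI output or logfmt server logs and flags requests for Secrets at cluster scope. The function names are hypothetical, the first two sample lines are abbreviated from the error in this issue, and the third sample line is constructed.

```python
import re

# Wording of the Kubernetes RBAC denial quoted in this issue. The scope part is
# either 'at the cluster scope' or 'in the namespace "<ns>"'.
DENIAL = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the (?P<cluster>cluster) scope|in the namespace "(?P<namespace>[^"]+)")'
)

# Lines 1-2 are abbreviated from the error in this issue (CLI form and logfmt form
# with escaped quotes); line 3 is constructed to show a namespaced denial.
SAMPLE = (
    'FATA[0000] rpc error: code = PermissionDenied desc = secrets is forbidden: '
    'User "system:serviceaccount:argo-cd:argocd-server" cannot list resource '
    '"secrets" in API group "" at the cluster scope\n'
    'level=error msg="error generating application from params" error="secrets is '
    'forbidden: User \\"system:serviceaccount:argo-cd:argocd-server\\" cannot list '
    'resource \\"secrets\\" in API group \\"\\" at the cluster scope"\n'
    'configmaps is forbidden: User "system:serviceaccount:argo-cd:argocd-server" '
    'cannot get resource "configmaps" in API group "" in the namespace "argo-cd"\n'
)

def parse_denials(text):
    """Return the unique RBAC denials in CLI output or logfmt server logs."""
    text = text.replace('\\"', '"')  # logfmt escapes inner quotes as \"
    seen, denials = set(), []
    for m in DENIAL.finditer(text):
        d = {
            "user": m["user"],
            "verb": m["verb"],
            "resource": m["resource"],
            "api_group": m["group"] or "core",  # "" is the core API group
            "scope": "cluster" if m["cluster"] else "namespace",
            "namespace": m["namespace"],  # None for cluster-scope requests
        }
        if tuple(d.values()) not in seen:
            seen.add(tuple(d.values()))
            denials.append(d)
    return denials

def cluster_wide_secret_requests(denials):
    """Denials that, if granted as requested, allow reading Secrets in every namespace."""
    return [d for d in denials if d["resource"] == "secrets" and d["scope"] == "cluster"]

if __name__ == "__main__":
    for d in cluster_wide_secret_requests(parse_denials(SAMPLE)):
        print(f'{d["user"]} requests {d["verb"]} on {d["resource"]} cluster-wide')
```

Any entry returned by `cluster_wide_secret_requests` marks a grant that would let the named account read Secrets in every namespace, so it is worth reviewing before a ClusterRole is added to silence the error.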