application destination ... do not match any of the allowed destinations in project ...

[jkleinlercher]

Checklist:

• I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
• I've included steps to reproduce the bug.
• I've pasted the output of argocd version.

Describe the bug

I have an appproject "johnny-team-project" with the following spec:

spec:
  clusterResourceWhitelist:
  - group: ""
    kind: Namespace
  - group: kargo.akuity.io
    kind: Project
  destinations:
  - name: in-cluster
    namespace: '!johnny-team-*'
    server: https://kubernetes.default.svc
  - name: in-cluster
    namespace: adn-johnny-team
    server: https://kubernetes.default.svc
  - name: '*'
    namespace: '*'
    server: '*'
  sourceNamespaces:
  - adn-johnny-team
  sourceRepos:
  - https://xxxxxxxx/cb351076/*

When I deploy an app with the following spec:

spec:
  destination:
    name: wkr-t--cluster000
    namespace: johnny-team-podtato-test
  project: johnny-team-project
  source:
    helm:
      valueFiles:
      - values-test.yaml
    path: .
    repoURL: https://xxxxxxxx/cb351076/podtato-head-example.git
    targetRevision: main
  syncPolicy:
    automated:
      prune: true
      selfHeal: true

I get this error

    message: 'InvalidSpecError: application destination server ''https://api.cluster000.xxxxxx.at''
      and namespace ''johnny-team-podtato-test'' do not match any of the allowed destinations
      in project ''johnny-team-project'''

When I delete this rule it works:

  - name: in-cluster
    namespace: '!johnny-team-*'
    server: https://kubernetes.default.svc

Even when I just change the namespace in the rule above from

    namespace: '!johnny-team-*'

to

    namespace: "!bla-*"

it works. So it seem that the deny rule for the namespace doesn't respect the corresponding destination server/name. Is that works as designed?

However, as I understand https://argo-cd.readthedocs.io/en/latest/user-guide/projects/ this rule above should only prevent apps to deploy in "johnny-team-*" namespace on "https://kubernetes.default.svc" (in-cluster), not on any other cluster, like ''https://api.cluster000.xxxxxx.at''

**To Reproduce**

The steps above with a multi cluster env should help to reproduce the problem

**Expected behavior**

the app should be able to get deployed on a remote cluster in namespace  "johnny-team-podtato-test"

**Screenshots**

<!-- If applicable, add screenshots to help explain your problem. -->

**Version**

```shell
v2.13.1+af54ef8

Logs

time="2025-01-17T08:01:12Z" level=info msg="updated 'adn-johnny-team/podtato-test' operation (phase: Error)" app-namespace=adn-johnny-team app-qualified-name=adn-johnny-team/podtato-test application=podtato-test project=johnny-team-project
time="2025-01-17T08:01:12Z" level=info msg="Sync operation to 697ca44a072b2193af0cec5dd365ca9f2fe8330d failed: InvalidSpecError: application destination server 'https://api.cluster000.xxxxxxx.at' and namespace 'johnny-team-podtato-test' do not match any of the allowed destinations in project 'johnny-team-project'" application=podtato-test dest-namespace=johnny-team-podtato-test dest-server="https://api.cluster000.xxxxxxxxx.at" reason=OperationCompleted type=Warning

[jkleinlercher]

is this fixed / related to #20045 ?

[jkleinlercher]

according to be880ad this is planned for 2.14 .. so waiting for 2.14 release