OpenShift GitOps / GITOPS-1643

Document new permission model & management upstream

    • Story
    • Resolution: Done
    • Critical
    • 1.9.0
    • None
    • Documentation, Operator
    • None
    • 5
    • False
    • False
    • GITOPS Sprint 233, GITOPS Sprint 234

      As a user of the Argo CD community Operator, I want to know how the new permission management works as of v0.1.0, because after an upgrade from 0.0.15, all of my applications receive a permission denied error for some reason and stop syncing.

      Context:

      We introduced namespace-scoped mode with reconciliation of the in-cluster cluster secret to allow deployments only in the namespace in which the Operand is created. This breaks many existing installations after upgrade to 0.1.0.

      Acceptance criteria:

      We have documentation for the upstream Argo CD operator in place that explains:

      • The default permissions for new and existing ArgoCD instances and the restrictions implied by them (e.g. only resources in the same namespace, no management of cluster resources, etc.)
      • Clarification that it is no longer sufficient to just create new Roles and RoleBindings to fix permission errors
      • Brief explanation of the two distinct modes (namespace-scoped vs. cluster-scoped)
      • Brief explanation of the reconciliation of the in-cluster cluster secret and its impact
      • How to manage a different namespace in namespace-scoped mode (e.g. usage of the argo-cd.argoproj.io/managed-by label)
      • How to elevate an ArgoCD instance to become cluster-scoped (e.g. how to configure the ARGOCD_CLUSTER_CONFIG_NAMESPACES environment variable)

            aveerama@redhat.com Abhishek Veeramalla
            jfischer@redhat.com Jann Fischer