-
Story
-
Resolution: Done
-
Critical
-
None
-
None
As a user of the Argo CD community Operator, I want to know how the new permission management works as of v0.1.0 because after an upgrade from 0.0.15, all of my applications receive a permission denied error for some reason and stopped syncing.
Context:
We introduced namespace-scoped mode with reconciliation of the in-cluster cluster secret to allow deployments only in the same namespace where the Operand is created in. This breaks many existing installations after upgrade to 0.1.0.
Acceptance criteria:
We have documentation for the upstream Argo CD operator in place that explains:
- The default permissions for new and existing ArgoCD instances and the restrictions implied by that (e.g. only resources in the same namespace, no management of cluster resources, etc)
- Clarification that it's not sufficient anymore to just create new Roles and RoleBindings to fix permission errors
- Brief explanation of the two distinct modes (namespace vs cluster-level)
- Brief explanation of the reconciliation of in-cluster cluster secret and its impact
- How to manage a different namespace in namespace scoped mode (e.g. usage of argo-cd.argoproj.io/managed-by label)
- How to elevate an ArgoCD instance to become cluster-scoped (e.g. how to configure ARGOCD_CLUSTER_CONFIG_NAMESPACES environment)