OpenShift GitOps / GITOPS-4228

Implement logic for Managed Namespace labeling


    • Type: Story
    • Resolution: Duplicate
    • Priority: Major

      Story (Required)

      As a user of OpenShift GitOps trying to have namespaces managed by my instance in a self-service way, I would like the operator to label namespaces with the managed-by label when I request it to.

      Namespace admin users cannot label namespaces they need managed by their Argo CD instance. They must rely on a cluster admin to label/un-label namespaces for them. We would like to make this self-service by having the operator perform this on request.

      See parent epic for details.

      Approach (Required)

      • Create a new section in CR for managed namespaces (allowed list)
      • User creates a NamespaceManagementRequest resource in their namespace
      • Controller picks up new instance and reconciles it
        • Looks for the `argocd.argoproj.io/managed-by` label in the resource's spec and identifies namespace containing the instance that needs to manage this namespace
        • Checks if this namespace is allowed in the instance that is requested for management
          • If yes - label the namespace
          • If no - emit log statement saying namespace is absent from allowed list
      • If the namespace is not present in the managing instance's allowed list, or the NamespaceManagementRequest resource is missing from an "allowed" namespace - assume the namespace should not be managed and remove the label (if present) - emit a log statement explaining why it was removed
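
The reconcile decision described in the approach above, as an added sketch that is not the operator's code: the label is applied only when both the namespace (through its request) and the managing instance (through its allowed list) agree, and is removed otherwise. The `Request` struct, the `allowed` map shape, the exact-match comparison and the namespace names are assumptions made for illustration.

```go
package main

import "fmt"

// Label named in the story; its value is the managing instance's namespace.
const ManagedByLabel = "argocd.argoproj.io/managed-by"

// Request is a hypothetical, reduced NamespaceManagementRequest.
type Request struct {
	Namespace string // namespace that holds the request and wants to be managed
	ManagedBy string // value of the managed-by label in the request's spec
}

// Decide returns "label", "remove" or "none", plus the reason to log.
// allowed maps an instance namespace to the allowed list in its CR (assumed shape);
// req is nil when ns holds no request; current is the label value now on ns.
func Decide(ns string, req *Request, allowed map[string][]string, current string) (string, string) {
	deny := func(reason string) (string, string) {
		if current != "" {
			return "remove", reason // fail closed: a stale label must not survive
		}
		return "none", reason
	}
	// A request only speaks for the namespace it was created in.
	if req == nil || req.Namespace != ns {
		return deny(fmt.Sprintf("no NamespaceManagementRequest in %q", ns))
	}
	for _, a := range allowed[req.ManagedBy] {
		if a != ns {
			continue
		}
		if current == req.ManagedBy {
			return "none", "already labeled"
		}
		return "label", fmt.Sprintf("%s=%s", ManagedByLabel, req.ManagedBy)
	}
	return deny(fmt.Sprintf("%q absent from allowed list of %q", ns, req.ManagedBy))
}

func main() {
	// Constructed sample state: the instance in "gitops-a" allows only "team-a".
	allowed := map[string][]string{"gitops-a": {"team-a"}}
	fmt.Println(Decide("team-a", &Request{"team-a", "gitops-a"}, allowed, ""))
	fmt.Println(Decide("team-b", &Request{"team-b", "gitops-a"}, allowed, "gitops-a"))
	fmt.Println(Decide("team-a", nil, allowed, "gitops-a"))
}
```

The deny paths (request without an allowed-list entry, allowed-list entry without a request, request naming a different namespace) are the cases the e2e tests in the acceptance criteria need to cover.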

      Dependencies

      https://issues.redhat.com/browse/GITOPS-4227

      Acceptance Criteria (Mandatory)

      • Namespace labeling logic is implemented
      • Thorough e2e testing to prevent privilege escalation

      Assignee: Unassigned
      Reporter: Jaideep Rao (jrao@redhat.com)