Story
Resolution: Duplicate
Major
Story (Required)
As a user of OpenShift GitOps trying to have namespaces managed by my instance in a self-service way, I would like the operator to label namespaces with the managed-by label when I request it to.
Namespace admin users cannot label namespaces they need managed by their Argo CD instance. They must rely on a cluster admin to label/un-label namespaces for them. We would like to make this self-service by having the operator perform this on request.
See parent epic for details.
Approach (Required)
- Create a new section in CR for managed namespaces (allowed list)
- User creates a NamespaceManagementRequest resource in their namespace
- Controller picks up the new instance and reconciles it
  - Looks for the `argocd.argoproj.io/managed-by` label in the resource's spec and identifies the namespace containing the instance that needs to manage this namespace
  - Checks if this namespace is allowed in the instance that is requested for management
    - If yes - label the namespace
    - If no - emit a log statement saying the namespace is absent from the allowed list
- If the namespace is not present in the managing instance's allowed list, or the NamespaceManagementRequest resource is missing from an "allowed" namespace - assume the namespace should not be managed and remove the label (if present) - emit a log statement explaining why it was removed
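A sketch of the decision step in the approach above, added here as an example and not taken from the operator's code. The `Instance`, `Request` and `Decide` names, and modelling the allowed list as a set keyed by namespace, are assumptions; the point it shows is that the label is applied only when both the request in the target namespace and the instance's allowed list agree.

```go
package main

import "fmt"

const ManagedByLabel = "argocd.argoproj.io/managed-by"

// Instance and Request are hypothetical stand-ins for the Argo CD CR (with its
// new allowed list) and the NamespaceManagementRequest; not the operator's types.
type Instance struct{ Allowed map[string]bool }
type Request struct{ Namespace, ManagedBy string }

type Action string

const (
	NoOp    Action = "noop"
	Label   Action = "label"
	Unlabel Action = "unlabel"
)

// Decide returns the action for namespace ns and the log line explaining it.
// current is the present value of ManagedByLabel on ns ("" if unset), req is the
// request found in ns (nil if none), instances is keyed by instance namespace.
func Decide(ns, current string, req *Request, instances map[string]Instance) (Action, string) {
	reason := ""
	switch {
	case req == nil || req.Namespace != ns:
		// Only a request living in ns itself counts as the namespace admin's consent.
		reason = fmt.Sprintf("no NamespaceManagementRequest in %q", ns)
	case !instances[req.ManagedBy].Allowed[ns]:
		// Unknown instance, or ns not listed: the instance side has not consented.
		reason = fmt.Sprintf("%q is absent from the allowed list of %q", ns, req.ManagedBy)
	case current == req.ManagedBy:
		return NoOp, "label already correct"
	default:
		return Label, fmt.Sprintf("set %s=%s on %q", ManagedByLabel, req.ManagedBy, ns)
	}
	if current != "" {
		return Unlabel, "removed " + ManagedByLabel + ": " + reason
	}
	return NoOp, reason
}

func main() {
	// Constructed sample state: the instance in "gitops-a" allows only "team-a".
	instances := map[string]Instance{"gitops-a": {Allowed: map[string]bool{"team-a": true}}}
	fmt.Println(Decide("team-a", "", &Request{"team-a", "gitops-a"}, instances))
	fmt.Println(Decide("team-b", "", &Request{"team-b", "gitops-a"}, instances))
	fmt.Println(Decide("team-a", "gitops-a", nil, instances))
}
```

The denied and missing-request branches are the cases the e2e tests for privilege escalation would need to cover.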
Dependencies
https://issues.redhat.com/browse/GITOPS-4227
Acceptance Criteria (Mandatory)
- Namespace labeling logic is implemented
- Thorough e2e testing to prevent privilege escalation
- is duplicated by: GITOPS-6179 Implement NamespaceManagement reconciliation (Closed)