Story (Required)

See parent epic for explanation of feature, and example API description.

Background and Approach (Required)

See parent epic for explanation of feature, and example API description.

The purpose of this story is implemented.

Acceptance Criteria (Mandatory)

• Add new custom resource 'NamespaceManagement' and implement reconciliation
  • I THINK we may not even need to implement a Reconcile function for NamespaceManagement.
  • Instead we can use 'bldr.Watches(&NamespaceManagement{}, handler.EnqueueRequestsFromMapFunc(nmMapper))'
  • nmMapper would be called whenever a NamespaceManagement was created/modified/deleted, and that function should return the name/namespace of the ArgoCD CR that the NM .spec.managedBy field refers to.
  • See 'clusterSecretResourceMapper' for an example of a mapper func.
• Add new field to ArgoCD CR, as above, and implement reconciliation
  • Glob matching on .name field of .spec.namespaceManagement. See epic for API example.
  • There are other glob matching functions used by Argo CD operator that we can borrow.
  • Glob matching just means supporting '' or 'my-namespace-', where '*' can be any text. This is less expressive than pure regexp (but also simpler)
• The general logic is:
  • When:
    • There exists a NamespaceManagement in a namespace,
    • AND, that NamespaceManagement's '.spec.managedBy' field points to a namespace containing an ArgoCD instance.
    • AND, that ArgoCD instance has .spec.namespaceManagement, and within '.spec.namespaceManagement' there exists a rule that matches the namespace from previous step
    • AND the feature is enabled in the Subscription (see below)
  • Then:
    • Create a Role/RoleBinding in the namespace containing NamespaceManagement
    • Update the .data.namespaces field of the default Argo CD cluster secret.
  • Add/update/removal of '.spec.managedBy' field should cause role/rolebinding/argo cd namespace list to be updated
  • Deletion of NamespaceManagement should cause role/rolebinding/argo cd namespace list to be deleted
  • Add/update/removal of fields of .spec.namespaceManagement should causerole/rolebinding/argo cd namespace list to be update/deleted
  • Disabling the feature in the subscription should remove the fields.
  • NOTE: NamespaceManagement does NOT add the managed-by label to the Namespace. It acts similar to a Namespace that has this label, but we are not actually using the label for this feature.
• How a user enables the feature
  • Due to the potential for security concerns (unexpected privilege escalation), we should not enable this feature by default.
  • Instead, to enable this feature, the user should add 'ALLOW_NAMESPACE_MANAGEMENT_IN_NAMESPACE_SCOPED_INSTANCES=true' (or another better env var name) to the OpenShift GitOps Subscription.
  • This is similar to how, with other features, we require an env value to be set within the Subscription. See OpenShift GitOps docs for details.

• Unit/E2E tests
  • Including:
    • Unit/E2E tests that test glob matching
    • Unit tests to verify behaviour described above.
• Docs
  • We'll need to add new documentation to OpenShift GitOps that mentions how this works, and also mentions the security concerns that the user should be aware of before enabling the feature.
  • I've added some proposed text for this to the parent epic.