About
In order to enable ArgoCD in namespace "foo" to deploy workloads in namespace "bar", the user needs to grant ArgoCD permissions to do so by creating a role binding and adding the namespace to the cluster secret.
There are issues with this approach:
- The name of the application controller's service account is a detail we should not be exposing users to. https://github.com/siamaksade/openshift-gitops-getting-started/blob/main/cluster/namespace/spring-petclinic-rolebinding.yaml
- The approach needs heavy documentation and separate YAML in Git!
- If the service account name changes, it's a detail we would be exposing the user to.
In order to make this experience less error-prone, we should support the following:
- A namespace admin labels her namespace with the name+namespace associated with the ArgoCD instance that she wants to have manage her namespace.
- Add the namespace to the cluster secret in the namespace where the ArgoCD instance is deployed.
- ... and that's it!
Implementation notes:
Our GitOps Operator controller should watch for namespaces with that label and create the correct rolebinding(s).
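The reconcile decision described in the implementation note, as an added example that is not the operator's own code: the label key `example.com/argocd-managed-by`, the `<name>.<namespace>` label value encoding, and the service account names are assumptions. It plans role binding changes for the creating, removing and migrating scenarios, and grants nothing when a label names an instance the operator does not know.

```go
package main

import "fmt"

// Hypothetical label key; the page does not name the label.
const managedBy = "example.com/argocd-managed-by"

// Instance is an Argo CD instance, keyed in `known` by the assumed label value "<name>.<namespace>".
type Instance struct{ Namespace, ServiceAccount string }

// Binding is the minimal shape of a RoleBinding owned by the operator.
type Binding struct{ TargetNS, SANamespace, SAName string }

// Plan compares namespace labels with operator-owned bindings: what to create, what to delete.
func Plan(nsLabels map[string]map[string]string, known map[string]Instance, owned []Binding) (create, remove []Binding) {
	want := map[Binding]bool{}
	for ns, labels := range nsLabels {
		inst, ok := known[labels[managedBy]]
		if !ok {
			continue // unlabeled, or label names an unknown instance: grant nothing
		}
		want[Binding{ns, inst.Namespace, inst.ServiceAccount}] = true
	}
	have := map[Binding]bool{}
	for _, b := range owned {
		have[b] = true
		if !want[b] {
			remove = append(remove, b) // label removed or migrated away
		}
	}
	for b := range want {
		if !have[b] {
			create = append(create, b)
		}
	}
	return create, remove
}

func main() {
	// Constructed sample: "bar" migrates from the instance in "foo" to the one in "baz".
	known := map[string]Instance{
		"argocd.foo": {"foo", "argocd-argocd-application-controller"},
		"argocd.baz": {"baz", "argocd-argocd-application-controller"},
	}
	nsLabels := map[string]map[string]string{"bar": {managedBy: "argocd.baz"}}
	owned := []Binding{{"bar", "foo", "argocd-argocd-application-controller"}}
	create, remove := Plan(nsLabels, known, owned)
	fmt.Println("create:", create, "remove:", remove)
}
```

Because the plan is driven only by the label, the right to label a namespace is the right to delegate admin on it, so label writes on namespaces deserve the same RBAC scrutiny as role binding writes.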
Acceptance criteria
- The Operator implements the operations as described in the design document
- All scenarios (creating, removing and migrating) are properly tested
- The mechanism is properly documented for the users of the Operator
- is documented by: RHDEVDOCS-3356 Document how Admin permissions are dependent on the namespace labels (Closed)
- is related to: GITOPS-1290 Non-admin Argo CD operands through namespace annotations (Closed)