Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-725

"Grant" permissions to ArgoCD by namespace labels

    XMLWordPrintable

Details

    • Epic
    • Resolution: Done
    • Major
    • 1.2, 1.3
    • None
    • ArgoCD
    • "Grant" permissions to ArgoCD by namespace labels
    • False
    • False
    • Done
    • 100
    • 100% 100%
    • Undefined

    Description

      About

      In order to enable ArgoCD in namespace "foo" to deploy workloads in namespace "bar", the user needs to grant ArgoCD permissions to do so by creating a role-binding and add the namespace in the cluster secret.

       

      There are issues with these approach:

      1. The name of the application controller's service account is a detail we should not be exposing users too. https://github.com/siamaksade/openshift-gitops-getting-started/blob/main/cluster/namespace/spring-petclinic-rolebinding.yaml
      2. The approach needs heavy documentation and separate yaml on Git!
      3. If the service account name changes, it's a detail we would be exposing the user to.

       

      In order to make this experience less error-prone, we should support the following

      1. A namespace admin labels her namespace with the name+namespace associated with the ArgoCD instance that she wants to have manage her namespace.
      2. Add the namespace to the cluster secret in the namepace where the argocd instance is deployed in.
      3. .. and that's it! 

       

      Implementation notes:

      Our GitOps Operator controller should watch for namespaces with that label and create the correct rolebinding(s).

      Acceptance criteria

      • The Operator implements the operations as described in the design document
      • All scenarios (creating, removing and migrating) are properly tested
      • The mechanism is properly documented for the users of the Operator

      Attachments

        Issue Links

          is documented by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. RHDEVDOCS-3356 Document how Admin permissions are dependent on the namespace labels

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. GITOPS-1290 Non-admin Argo CD operands through namespace annotations

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              shuagarw@redhat.com Shubham Agarwal (Inactive)
              shbose Shoubhik Bose
              Votes:
              2 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: