
Reconcile RBAC and Controller for Watched Namespaces


    • Type: Story
    • Resolution: Done
    • Priority: Major
    • Component: Operator
    • Sprint: GitOps Crimson Sprint 23

      Story (Required)

      • As an Operator Administrator, when I populate the sourceNamespaces field, I want the operator to automatically configure the necessary RBAC and restart the notifications controller with the correct arguments, so that the self-service notification feature becomes fully functional.

      Background and Approach (Required)

      This story implements the core logic that makes the API change from https://issues.redhat.com/browse/GITOPS-8025 functional. The operator needs to grant the central notifications controller permission to read resources in other namespaces and tell the controller which namespaces to watch. This will be done by replicating the existing reconciliation pattern used for sourceNamespaces in other parts of the operator.

      The technical approach involves:

      • Creating a new reconciliation function that loops through each namespace in spec.notifications.sourceNamespaces and, for each namespace:
        • Creates a Role with get, list, watch permissions on Secrets and ConfigMaps.
        • Creates a RoleBinding that links this Role to the central argocd-notifications-controller ServiceAccount.
        • Sets an OwnerReference on every Role and RoleBinding to ensure they are garbage-collected.
      • Implementing a cleanup routine to delete the RBAC resources from any namespace that is removed from the list.
      • Modifying the notifications Deployment generation logic to:
        • Read the sourceNamespaces list.
        • Construct a comma-separated string containing the central Argo CD namespace plus all namespaces from the list.
        • Add the --application-namespaces argument to the controller's container command with this string.
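      The following is an added example, not code from the operator, that shows the reconcile-and-cleanup logic described above as plain Go so the namespace diffing can be exercised without a cluster. The Role, RoleBinding and OwnerRef structs are stand-ins for the k8s.io/api types (rbacv1.Role, rbacv1.RoleBinding, metav1.OwnerReference), the object name argocd-notifications-controller for the per-namespace RBAC is a hypothetical choice, and "managed" stands for the namespaces in which a real reconciler would discover its existing Roles (for instance through a label selector). It also goes a little beyond the story by dropping empty entries, duplicates and the central namespace from the list before creating RBAC, which keeps a misconfigured CR from producing stray objects.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Minimal stand-ins for the Kubernetes RBAC types (assumption: the operator
// itself would use rbacv1.Role, rbacv1.RoleBinding and metav1.OwnerReference).
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
type OwnerRef struct{ APIVersion, Kind, Name, UID string }
type Role struct {
	Name, Namespace string
	Rules           []PolicyRule
	Owner           OwnerRef // garbage-collected together with the ArgoCD CR
}
type RoleBinding struct {
	Name, Namespace, RoleName string
	SubjectSA                 string // ServiceAccount name
	SubjectNamespace          string // namespace of that ServiceAccount (central Argo CD namespace)
	Owner                     OwnerRef
}

// Hypothetical names; the real operator may choose differently.
const (
	controllerSA = "argocd-notifications-controller"
	rbacName     = "argocd-notifications-controller"
)

// ReconcilePlan is the outcome of one reconcile pass: objects to create in
// newly listed namespaces, and namespaces whose RBAC must be removed.
type ReconcilePlan struct {
	Roles        []Role
	RoleBindings []RoleBinding
	Cleanup      []string
}

// normalize drops empty entries, duplicates and the central namespace itself
// (the controller already has access there), preserving the list order.
func normalize(argocdNS string, sources []string) []string {
	seen := map[string]bool{argocdNS: true}
	var out []string
	for _, ns := range sources {
		ns = strings.TrimSpace(ns)
		if ns == "" || seen[ns] {
			continue
		}
		seen[ns] = true
		out = append(out, ns)
	}
	return out
}

// desiredRole is the read-only Role from the story: get/list/watch on Secrets and ConfigMaps.
func desiredRole(ns string, owner OwnerRef) Role {
	return Role{Name: rbacName, Namespace: ns, Owner: owner, Rules: []PolicyRule{{
		APIGroups: []string{""},
		Resources: []string{"secrets", "configmaps"},
		Verbs:     []string{"get", "list", "watch"},
	}}}
}

// desiredRoleBinding binds that Role to the central controller ServiceAccount.
func desiredRoleBinding(ns, argocdNS string, owner OwnerRef) RoleBinding {
	return RoleBinding{Name: rbacName, Namespace: ns, RoleName: rbacName,
		SubjectSA: controllerSA, SubjectNamespace: argocdNS, Owner: owner}
}

// PlanNotificationsRBAC diffs spec.notifications.sourceNamespaces against the
// namespaces where this RBAC already exists (managed) and returns the plan.
func PlanNotificationsRBAC(argocdNS string, sources, managed []string, owner OwnerRef) ReconcilePlan {
	want, have := map[string]bool{}, map[string]bool{}
	for _, ns := range normalize(argocdNS, sources) {
		want[ns] = true
	}
	for _, ns := range managed {
		have[ns] = true
	}
	var plan ReconcilePlan
	for ns := range want {
		if !have[ns] {
			plan.Roles = append(plan.Roles, desiredRole(ns, owner))
			plan.RoleBindings = append(plan.RoleBindings, desiredRoleBinding(ns, argocdNS, owner))
		}
	}
	for ns := range have {
		if !want[ns] { // removed from the list: cleanup routine deletes its RBAC
			plan.Cleanup = append(plan.Cleanup, ns)
		}
	}
	// Map iteration order is random; sort so the plan is deterministic.
	sort.Slice(plan.Roles, func(i, j int) bool { return plan.Roles[i].Namespace < plan.Roles[j].Namespace })
	sort.Slice(plan.RoleBindings, func(i, j int) bool { return plan.RoleBindings[i].Namespace < plan.RoleBindings[j].Namespace })
	sort.Strings(plan.Cleanup)
	return plan
}

// NamespacesValue builds the comma-separated value: central namespace first, then the sources.
func NamespacesValue(argocdNS string, sources []string) string {
	return strings.Join(append([]string{argocdNS}, normalize(argocdNS, sources)...), ",")
}

// ControllerArgs is the argument appended to the notifications controller container command.
func ControllerArgs(argocdNS string, sources []string) []string {
	return []string{"--application-namespaces=" + NamespacesValue(argocdNS, sources)}
}

func main() {
	// Constructed input: team-1 is newly listed, team-0 was listed before and has been removed.
	owner := OwnerRef{APIVersion: "argoproj.io/v1beta1", Kind: "ArgoCD", Name: "argocd", UID: "constructed-uid"}
	plan := PlanNotificationsRBAC("argocd", []string{"team-1"}, []string{"team-0"}, owner)
	for _, r := range plan.Roles {
		fmt.Printf("create Role/RoleBinding %s in %s\n", r.Name, r.Namespace)
	}
	for _, ns := range plan.Cleanup {
		fmt.Printf("delete Role/RoleBinding %s from %s\n", rbacName, ns)
	}
	fmt.Println(ControllerArgs("argocd", []string{"team-1"}))
}
```

      Keeping the plan as data (create/delete sets plus the flag value) rather than issuing API calls inline is what makes the add, remove and garbage-collection scenarios from the acceptance criteria unit-testable; the OwnerReference carried on every object is what lets Kubernetes delete them when the ArgoCD CR goes away.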

      Out of Scope

      • Changes to the reconciliation logic for the Application Controller or ApplicationSet Controller.
      • Changes to the argo-cd notifications controller source code itself.

      Dependencies

      Acceptance Criteria (Mandatory)

      • Scenario 1:
        • Given an ArgoCD CR with 'team-1' added to spec.notifications.sourceNamespaces,
        • Then a Role and RoleBinding for the notifications controller are created in the "team-1" namespace.
        • And the argocd-notifications-controller Pod is restarted with the argument --namespaces=argocd,team-1 (assuming Argo CD is in the argocd namespace).
      • Scenario 2:
        • Given the previous state,
        • When I remove team-1 from the sourceNamespaces list and apply the change,
        • Then the Role and RoleBinding in the team-1 namespace are deleted.
        • And the argocd-notifications-controller Pod is restarted with the argument --namespaces=argocd.
      • Scenario 3:
        • Given an ArgoCD CR is configured to watch team-1,
        • When I delete the ArgoCD CR itself,
        • Then the Role and RoleBinding in the team-1 namespace are automatically garbage-collected.

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Ensure code coverage is not reduced with the changes.
        • Integration tests have been automated.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested and merged on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written (if applicable).
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
        • Midstream changes (if applicable) are done, reviewed, approved and merged.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.

              nmirasch@redhat.com Neus Miras Chueca