Normal ArgoCD needs to reconcile the IngressController in openshift-ingress-operator namespace and its certificates in openshift-ingress namespace. For ArgoCD to have permissions to reconcile resources in a given namespace the Namespace can be labeled. The mechanism by which that label provides ArgoCD with permissions isn't grokked at this time, but likely associates with the ClusterRole/Role used by ArgoCD. These namespaces are owned by Managed OpenShift; we are allowed to write resources to the namespace but not to actually change the Namespace itself (https://redhat-internal.slack.com/archives/CCX9DB894/p1741883822397229?thread_ts=1741879077.262019&cid=CCX9DB894). Since we cannot apply the Namespace label, we cannot give ArgoCD limited permissions to the namespace in this way.
We already give ArgoCD extra permissions via a ClusterRole in the Addon. We will extend those permissions to include the IngressController and ExternalSecret kinds. This will give them cluster-wide permission to reconcile those resources.
We will manually remove the (previously manually added) namespace labels that are currently applied in Integratino clusters to the IC namespaces.
We will confirm ArgoCD can still reconcile the resources in those namespaces, namely the public IC and its certificates.
