Managing the application resources in non-control plane namespaces | Argo CD applications

Prerequisites
Configuring the Argo CD CR of your user-defined cluster-scoped Argo CD instance with the target namespaces
Creating and configuring a user-defined AppProject instance with the target namespaces
Creating and configuring the Application CR to reference the target namespace and user-defined AppProject instance
Additional resources

As a cluster administrator, you can create and manage the Application resources in non-control plane namespaces declaratively other than the openshift-gitops control plane namespace. This functionality is called the Applications in any namespace feature in the Argo CD open source project.

As a developer, if you are creating Argo CD applications in non-control plane namespaces other than the openshift-gitops control plane namespace, ensure that your cluster administrator grants the necessary permissions to them.

Otherwise, after the Argo CD reconciliation, you will see an error message similar to the following example:

Example error message

error while validating and normalizing app: error getting application's project: application 'app' in namespace 'dev' is not allowed to use project 'default'

To use this functionality, you must explicitly enable and configure the target namespaces in the following objects:

The ArgoCD custom resource (CR) of your user-defined cluster-scoped Argo CD instance
The AppProject custom resource (CR)
The Application CR

The process of creating and managing the Application resources in non-control plane namespaces consists of the following procedures:

This functionality is useful in multitenancy environments when you want to manage deployments of Argo CD applications for your isolated teams.

To prevent privilege escalations for your application teams, you must meet the following requirements:

Do not configure non-control plane namespaces in the .spec.sourceNamespaces field of any privileged AppProject instance, for example, the default instance of your AppProject CR installed in either the openshift-gitops control plane namespace or your defined namespace.
Do not grant access to the openshift-gitops control plane namespace within the AppProject CRD.
Always create and configure user-defined AppProject instances in the openshift-gitops control plane namespace, and then configure non-control plane namespaces in the .spec.sourceNamespaces field within the corresponding user-defined AppProject instance.

Prerequisites

You have installed Red Hat OpenShift GitOps 1.13.0 or a later version on your OpenShift Container Platform cluster.
You have a user-defined cluster-scoped Argo CD instance in your defined namespace, for example, spring-petclinic namespace.

Configuring the Argo CD CR of your user-defined cluster-scoped Argo CD instance with the target namespaces

As a cluster administrator, you can define a certain set of non-control plane namespaces in which users can create, update, and reconcile Application resources. You must first explicitly configure the target namespaces in the ArgoCD custom resource (CR) of your user-defined cluster-scoped Argo CD instance per your requirements.

Prerequisites

You are logged in to the OpenShift Container Platform cluster as an administrator.
You have installed Red Hat OpenShift GitOps 1.13.0 or a later version on your OpenShift Container Platform cluster.
You have a user-defined cluster-scoped Argo CD instance in your defined namespace, for example, spring-petclinic namespace.

Procedure

In the Administrator perspective of the web console, click Operators → Installed Operators.
From the Project list, select the project where the user-defined cluster-scoped Argo CD instance is installed.
Select Red Hat OpenShift GitOps from the installed Operators list and go to the Argo CD tab.
Click your user-defined cluster-scoped Argo CD instance.

Configure the ArgoCD CR of your user-defined cluster-scoped Argo CD instance with the target namespaces:

Click the YAML tab and edit the YAML file of the ArgoCD CR.

In the ArgoCD CR, set the value of the sourceNamespaces parameter to include the non-control plane namespaces:

Example ArgoCD CR

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example (1)
  namespace: spring-petclinic (2)
spec:
  sourceNamespaces: (3)
    - dev (4)
    - app-team-* (5)

1	The name of the user-defined cluster-scoped Argo CD instance.
2	The namespace where you want to run the user-defined cluster-scoped Argo CD instance.
3	The list of non-control plane namespaces for creating and managing `Application` resources.
4	The name of the target namespace for the Argo CD server to create and manage `Application` resources.
5	With wildcards (``), specifies the name of the target namespaces matching the pattern `app-team-`, such as `app-team-1` and `app-team-2`, for the Argo CD server to create and manage `Application` resources.

Click Save and Reload.

When a target namespace is specified under the sourceNamespaces field, the Operator adds the argocd.argoproj.io/managed-by-cluster-argocd label to the specified namespace.

Example dev target namespace

apiVersion: v1
kind: Namespace
metadata:
  name: dev
  labels:
    argocd.argoproj.io/managed-by-cluster-argocd: spring-petclinic (1)
    kubernetes.io/metadata.name: dev (2)

1	The namespace of the user-defined cluster-scoped Argo CD instance.
2	The target namespace for the Argo CD server to create and manage `Application` resources.

Verify that Operator adds the argocd.argoproj.io/managed-by-cluster-argocd label to the specified namespace:
1. Go to Administration → Namespaces and click Create Namespace.
2. In the Create Namespace dialog box, provide the Name and click Create.
  
  For example, to create dev target namespace, enter dev in the Name field. You can repeat the previous steps to create the app-team-1 and app-team-2 target namespaces.
  
  The Namespaces page displays the created target namespaces.
3. Click the target namespace and go to the YAML tab to verify the argocd.argoproj.io/managed-by-cluster-argocd label added by the Operator.

Verify that your user-defined cluster-scoped Argo CD instance is configured with a cluster role to manage cluster-scoped resources:

Go to User Management → Roles and from the Filter list, select Cluster-wide Roles.
Search for the created cluster roles by using the Search by name field. For example, example-spring-petclinic-argocd-application-controller and example-spring-petclinic-argocd-server.

The Roles page displays the created cluster roles.

Verify that the following role-based access control (RBAC) resources are created by the GitOps Operator:

Name Kind Purpose

Name	Kind	Purpose
`<argocd_name>-<argocd_namespace>-argocd-application-controller`	`ClusterRole` and `ClusterRoleBinding`	For the Argo CD Application Controller to watch and list `Application` resources at cluster-level
`<argocd_name>-<argocd_namespace>-argocd-server`	`ClusterRole` and `ClusterRoleBinding`	For the Argo CD Server to watch and list `Application` resources at cluster-level
`<argocd_name>-<target_namespace>`	`Role` and `RoleBinding`	For the Argo CD server to manage `Application` resources in target namespace through the UI, API, or CLI

<argocd_name>-<argocd_namespace>-argocd-application-controller

ClusterRole and ClusterRoleBinding

For the Argo CD Application Controller to watch and list Application resources at cluster-level

<argocd_name>-<argocd_namespace>-argocd-server

ClusterRole and ClusterRoleBinding

For the Argo CD Server to watch and list Application resources at cluster-level

<argocd_name>-<target_namespace>

Role and RoleBinding

For the Argo CD server to manage Application resources in target namespace through the UI, API, or CLI

Additional resources

Installing a user-defined Argo CD instance

Creating and configuring a user-defined AppProject instance with the target namespaces

As a cluster administrator, you can define a certain set of non-control plane namespaces in which users can create, update, and reconcile Application resources. After you configure your user-defined cluster-scoped Argo CD instance with target namespaces, you must create and configure a user-defined AppProject instance in the openshift-gitops control plane namespace. In addition, you must explicitly configure the target namespaces in the .spec.sourceNamespaces field of the user-defined AppProject instance.

Applications in the GitOps control plane namespace (openshift-gitops) are allowed to set their .spec.project field to reference any AppProject instance, regardless of the restrictions placed by the .spec.sourceNamespaces field in the AppProject custom resource (CR).

Prerequisites

You are logged in to the OpenShift Container Platform cluster as an administrator.
You have installed Red Hat OpenShift GitOps 1.13.0 or a later version on your OpenShift Container Platform cluster.

Procedure

Create and configure a user-defined AppProject instance in the openshift-gitops control plane namespace to specify the target namespaces in the .spec.sourceNamespaces field:

From the Project list, select the openshift-gitops project.
In the Administrator perspective of the web console, click Operators → Installed Operators → Red Hat OpenShift GitOps and go to the AppProject tab.

Click Create AppProject and enter the following configuration in the YAML view:

Example user-defined AppProject instance

kind: AppProject
apiVersion: argoproj.io/v1alpha1
metadata:
  name: project-one (1)
  namespace: openshift-gitops (2)
spec:
  sourceNamespaces: (3)
  - dev (4)
  - app-team-* (5)
  destinations: (6)
    - name: '*'
      namespace: '*'
      server: '*'
   sourceRepos: (7)
    - '*'

1	The name of the user-defined `AppProject` instance.
2	The control plane namespace where you want to run the user-defined `AppProject` instance.
3	The list of non-control plane namespaces for creating and managing `Application` resources.
4	The name of the target namespace for the Argo CD server to create and manage `Application` resources.
5	With wildcards (``), specifies the name of the target namespaces matching the pattern `app-team-`, such as `app-team-1` and `app-team-2`, for the Argo CD server to create and manage `Application` resources.
6	References to the clusters and namespaces into which applications within the user-defined `AppProject` instance can deploy.
7	References to the repositories from which applications within the user-defined `AppProject` instance can pull manifests.

Click Create.

The AppProjects page displays the created user-defined AppProject instance.

Creating and configuring the Application CR to reference the target namespace and user-defined AppProject instance

As a cluster administrator, you can define a certain set of non-control plane namespaces in which users can create, update, and reconcile Application resources. After you configure the target namespaces in the .spec.sourceNamespaces field of the user-defined AppProject instance, you must explicitly create and configure the Application custom resource (CR) with the parameters for the metadata.namespace and .spec.project fields to reference the target namespace and user-defined AppProject instance.

Prerequisites

You are logged in to the OpenShift Container Platform cluster as an administrator.
You have installed Red Hat OpenShift GitOps 1.13.0 or a later version on your OpenShift Container Platform cluster.

Procedure

Create and configure the Application CR with the parameters for the metadata.namespace and .spec.project fields to reference the target namespace and user-defined AppProject instance:
1. From the Project list, select the target namespace.
2. In the Administrator perspective of the web console, click Operators → Installed Operators → Red Hat OpenShift GitOps and go to the Application tab.
3. Click Create Application and enter the following configuration in the YAML view:
  Example user-defined AppProject instance
  kind: Application apiVersion: argoproj.io/v1alpha1 metadata: name: cluster-configs (1) namespace: dev (2) spec: project: project-one (3) # ...
  1 The name of the application.
  
  2 The name of the target namespace for the Argo CD server to create and manage Application resources.
  
  3 The name of the user-defined AppProject instance.
4. Click Create.
  
  The Applications page displays the created application.
  
  The cluster-configs Argo CD application now has the statuses Healthy and Synced.

1	The name of the application.
2	The name of the target namespace for the Argo CD server to create and manage `Application` resources.
3	The name of the user-defined `AppProject` instance.