namespaceManagement in namespace-scoped ArgoCD (operator v0.17.0) creates tenant RBAC but does not label namespace; cross-namespace Applications not discovered #2039
Description
Summary
I’m trying to use the operator feature named “namespaceManagement” (implemented in #1687 and documented in OpenShift GitOps docs) with upstream argocd-operator.
With a namespace-scoped ArgoCD instance, enabling namespaceManagement creates the expected RBAC in the tenant namespace, but the tenant namespace is not labeled (argocd.argoproj.io/managed-by), and Applications created in that tenant namespace do not appear in the Argo CD UI.
Additionally, the operator logs show errors saying the tenant namespace is “not permitted … based on NamespaceManagement rules”, even though it is listed under the ArgoCD CR’s namespaceManagement.
Environment
- Platform: OpenShift / OLM (Subscription from community-operators)
- argocd-operator: v0.17.0
- CSV: argocd-operator.v0.17.0
- image: quay.io/argoprojlabs/argocd-operator@sha256:6a4d487c6d38a6ca5b2d95bbba0886cafdc222d9f55729d618681d84162f5385
- Argo CD version: v3.2.6
- ArgoCD instance:
  - namespace: dwm-argocd-enable-multinamespace
  - name: argocd
  - scope: namespace-scoped
- Tenant namespace: testargocdmulti
Operator install (Subscription)
Subscription (key fields):
```yaml
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: argocd-operator
  namespace: argocd-operator
spec:
  channel: alpha
  config:
    env:
      - name: DISABLE_DEFAULT_ARGOCD_INSTANCE
        value: "true"
      - name: ALLOW_NAMESPACE_MANAGEMENT_IN_NAMESPACE_SCOPED_INSTANCES
        value: "true"
  installPlanApproval: Manual
  name: argocd-operator
  source: community-operators
  sourceNamespace: openshift-marketplace
status:
  installedCSV: argocd-operator.v0.17.0
```
ArgoCD CR configuration
ArgoCD CR (key fields):
```yaml
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd
  namespace: dwm-argocd-enable-multinamespace
spec:
  version: v3.2.6
  extraConfig:
    application.namespaces: testargocdmulti
    application.sync.impersonation.enabled: "false"
  namespaceManagement:
    - allowManagedBy: true
      name: testargocdmulti
```
What I expected
- The operator would label the tenant namespace with argocd.argoproj.io/managed-by (as described in downstream docs), so that a namespace-scoped Argo CD instance can discover/manage Applications in that namespace.
- Applications created in the allowed tenant namespace (testargocdmulti) would appear in the Argo CD UI for the ArgoCD instance in dwm-argocd-enable-multinamespace.
What actually happened
- The operator creates RBAC in the tenant namespace for the Argo CD application-controller and server service accounts (see below).
- The tenant namespace is not labeled with argocd.argoproj.io/managed-by.
- Applications created in the tenant namespace do not appear in the Argo CD UI.
Evidence
Tenant namespace is not labeled
Namespace labels excerpt:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: testargocdmulti
  labels:
    kubernetes.io/metadata.name: testargocdmulti
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest
```
Also, querying for namespaces with argocd.argoproj.io/managed-by returned none.
Tenant namespace RBAC created
RBAC objects created/managed in tenant namespace testargocdmulti:
- Role/RoleBinding: argocd-argocd-application-controller (subject is SA dwm-argocd-enable-multinamespace/argocd-argocd-application-controller)
- Role/RoleBinding: argocd-argocd-server (subject is SA dwm-argocd-enable-multinamespace/argocd-argocd-server)
Example YAML:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-argocd-application-controller
  namespace: testargocdmulti
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-argocd-application-controller
  namespace: testargocdmulti
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-argocd-application-controller
subjects:
  - kind: ServiceAccount
    name: argocd-argocd-application-controller
    namespace: dwm-argocd-enable-multinamespace
```
Argo CD configmap includes application.namespaces
argocd-cm excerpt:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: dwm-argocd-enable-multinamespace
data:
  application.namespaces: testargocdmulti
  admin.enabled: "false"
  application.instanceLabelKey: argocd.argoproj.io/dwm-argocd-enable-multinamespace-argocd
```
NamespaceManagement CR exists but logs still error
NamespaceManagement CR found:
```yaml
apiVersion: argoproj.io/v1beta1
kind: NamespaceManagement
metadata:
  name: ui-team-namespace
  namespace: testargocdmulti
spec:
  managedBy: dwm-argocd-enable-multinamespace
status:
  conditions:
    - type: Reconciled
      status: "True"
      reason: Success
```
Operator log excerpt:
```text
2026-01-25T21:52:40Z INFO controller_argocd Reconciling NamespaceManagement
2026-01-25T21:52:40Z INFO controller_argocd Skipping NamespaceManagement CR as it targets a different ArgoCD instance {"namespace": "testargocdmulti"}
2026-01-25T21:52:40Z ERROR Reconciler error {"controller": "argocd", "controllerGroup": "argoproj.io", "controllerKind": "ArgoCD", "ArgoCD": {"name":"argocd","namespace":"dwm-argocd-enable-multinamespace"}, "error": "namespace management errors: Namespace testargocdmulti is not permitted for management by ArgoCD instance dwm-argocd-enable-multinamespace based on NamespaceManagement rules"}
```
Questions
1. Is ArgoCD spec.namespaceManagement supported in upstream argocd-operator, or is it downstream-only (OpenShift GitOps)? If it is supported upstream, which versions is it expected to work in?
2. Is this feature expected to work for namespace-scoped ArgoCD instances? If yes:
   - Is ALLOW_NAMESPACE_MANAGEMENT_IN_NAMESPACE_SCOPED_INSTANCES required and supported upstream?
   - What is the expected behavior (namespace labels, generated NamespaceManagement CRs, RBAC, Argo CD config changes)?
3. Should the operator label tenant namespaces with argocd.argoproj.io/managed-by automatically when using ArgoCD spec.namespaceManagement? In my test, RBAC is created but the label is not applied.
4. What is the intended relationship between:
   - ArgoCD spec.namespaceManagement (in the ArgoCD CR),
   - the NamespaceManagement CRD/kind,
   - and Argo CD’s application.namespaces setting?
5. Why would the operator say “Namespace testargocdmulti is not permitted … based on NamespaceManagement rules” even though the tenant namespace is listed in the ArgoCD CR and a NamespaceManagement CR exists in that tenant namespace with managedBy pointing at the ArgoCD namespace?
6. Is there missing upstream documentation for this feature (or is it intentionally undocumented because it’s not supported/complete)?
References
- Upstream PR adding namespaceManagement: Add NamespaceManagement reconciliation #1687
- OpenShift GitOps docs describing namespaceManagement: https://docs.redhat.com/en/documentation/red_hat_openshift_gitops/1.19/html/multitenancy/multitenancy-support-in-gitops#gitops-enable-tenant-namespace-management-with-namespacemanagement_multitenancy-support-in-gitops
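The report checks five things by hand (the `spec.namespaceManagement` entry, `application.namespaces` in argocd-cm, the `argocd.argoproj.io/managed-by` label, the RoleBindings for the two Argo CD service accounts, and the NamespaceManagement CR's `managedBy`). The script below folds those checks into one audit function, plus a least-privilege note on the wildcard Role the operator created. It is an example added to this page, not code from the issue or from argocd-operator. It assumes the objects have already been fetched (for instance with `kubectl get ... -o json`) and are passed in as plain dicts; the `SAMPLE_*` objects are constructed from the manifests quoted in the report (only the application-controller Role is reproduced, as in the report), and the `audit_tenant` and `audit_sample` names are the example's own.

```python
"""Audit whether a tenant namespace is wired up for a namespace-scoped Argo CD
instance. Example written for this issue page, not operator code. Inputs are
dicts in the shape `kubectl get <kind> -o json` returns; the SAMPLE_* objects
are constructed from the manifests quoted in the report."""
from __future__ import annotations

from typing import Any

MANAGED_BY_LABEL = "argocd.argoproj.io/managed-by"
# Service accounts the operator binds into the tenant namespace; names follow
# the <instance>-argocd-<component> pattern visible in the report's RBAC.
ARGOCD_COMPONENTS = ("application-controller", "server")


def _csv(value: str) -> set[str]:
    """Split a comma-separated argocd-cm value such as application.namespaces."""
    return {item.strip() for item in value.split(",") if item.strip()}


def _is_wildcard(rule: dict[str, Any]) -> bool:
    """True when a PolicyRule grants every verb on every resource in every API group."""
    return all("*" in rule.get(key, []) for key in ("apiGroups", "resources", "verbs"))


def audit_tenant(argocd_cr: dict[str, Any], tenant_ns: dict[str, Any], argocd_cm: dict[str, Any],
                 roles: list[dict[str, Any]], rolebindings: list[dict[str, Any]],
                 nsm_crs: list[dict[str, Any]]) -> list[str]:
    """Return one finding per unmet precondition or risk note; an empty list means all checks passed."""
    findings: list[str] = []
    argocd_name = argocd_cr["metadata"]["name"]
    argocd_ns = argocd_cr["metadata"]["namespace"]
    tenant = tenant_ns["metadata"]["name"]

    # 1. The ArgoCD CR must opt the tenant in via spec.namespaceManagement.
    rules = argocd_cr.get("spec", {}).get("namespaceManagement", [])
    if not any(r.get("name") == tenant and r.get("allowManagedBy") for r in rules):
        findings.append(f"ArgoCD/{argocd_name}: spec.namespaceManagement does not allow {tenant}")

    # 2. Argo CD only watches Applications in namespaces listed in application.namespaces.
    app_ns = _csv(argocd_cm.get("data", {}).get("application.namespaces", ""))
    if tenant not in app_ns:
        findings.append(f"argocd-cm: application.namespaces does not include {tenant}")

    # 3. The managed-by label the report expected the operator to apply.
    actual = tenant_ns["metadata"].get("labels", {}).get(MANAGED_BY_LABEL)
    if actual != argocd_ns:
        findings.append(f"Namespace/{tenant}: label {MANAGED_BY_LABEL}={actual!r}, expected {argocd_ns!r}")

    # 4. Each Argo CD service account needs a RoleBinding inside the tenant namespace.
    for component in ARGOCD_COMPONENTS:
        sa = f"{argocd_name}-argocd-{component}"
        bound = any(
            rb["metadata"].get("namespace") == tenant
            and any(s.get("kind") == "ServiceAccount" and s.get("name") == sa
                    and s.get("namespace") == argocd_ns for s in rb.get("subjects", []))
            for rb in rolebindings)
        if not bound:
            findings.append(f"Namespace/{tenant}: no RoleBinding for ServiceAccount {argocd_ns}/{sa}")

    # 5. A NamespaceManagement CR in the tenant must point back at the ArgoCD namespace.
    if not any(cr["metadata"].get("namespace") == tenant
               and cr.get("spec", {}).get("managedBy") == argocd_ns for cr in nsm_crs):
        findings.append(f"Namespace/{tenant}: no NamespaceManagement CR with spec.managedBy={argocd_ns}")

    # 6. Least-privilege note: a wildcard Role makes the Argo CD SA a full admin of the tenant namespace.
    for role in roles:
        if role["metadata"].get("namespace") == tenant and any(_is_wildcard(r) for r in role.get("rules", [])):
            findings.append(f"Role/{role['metadata']['name']} in {tenant}: wildcard rule grants namespace admin")

    return findings


# Constructed from the report's manifests (the tenant namespace carries no managed-by label).
SAMPLE_ARGOCD = {"metadata": {"name": "argocd", "namespace": "dwm-argocd-enable-multinamespace"},
                 "spec": {"namespaceManagement": [{"name": "testargocdmulti", "allowManagedBy": True}]}}
SAMPLE_NAMESPACE = {"metadata": {"name": "testargocdmulti",
                                 "labels": {"kubernetes.io/metadata.name": "testargocdmulti"}}}
SAMPLE_CM = {"data": {"application.namespaces": "testargocdmulti"}}
SAMPLE_ROLES = [{"metadata": {"name": "argocd-argocd-application-controller", "namespace": "testargocdmulti"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                           {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]}]}]
SAMPLE_ROLEBINDINGS = [{"metadata": {"name": f"argocd-argocd-{c}", "namespace": "testargocdmulti"},
                        "subjects": [{"kind": "ServiceAccount", "name": f"argocd-argocd-{c}",
                                      "namespace": "dwm-argocd-enable-multinamespace"}]}
                       for c in ARGOCD_COMPONENTS]
SAMPLE_NSM = [{"metadata": {"name": "ui-team-namespace", "namespace": "testargocdmulti"},
               "spec": {"managedBy": "dwm-argocd-enable-multinamespace"}}]


def audit_sample() -> list[str]:
    """Run the audit over the constructed sample objects."""
    return audit_tenant(SAMPLE_ARGOCD, SAMPLE_NAMESPACE, SAMPLE_CM,
                        SAMPLE_ROLES, SAMPLE_ROLEBINDINGS, SAMPLE_NSM)


if __name__ == "__main__":
    for line in audit_sample() or ["all preconditions met"]:
        print(line)
```

Run against the sample objects, the audit reports exactly the two points the issue raises: the missing `argocd.argoproj.io/managed-by` label, and the wildcard Role that hands the application-controller service account full control of the tenant namespace. Everything else the report expects (CR entry, argocd-cm entry, RoleBindings, NamespaceManagement CR) is present, which is what makes the "not permitted ... based on NamespaceManagement rules" error in the log worth asking about.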