gitops-namespace-scoped-instance.adoc

Namespace-scoped instance (Application delivery instance)

After you create an Argo CD custom resource (CR) in one of your namespaces, the {gitops-shortname} Operator starts an Argo CD in this namespace, which you can use for application delivery. In its initial state, this instance has permission to deploy resources only in the same namespace in which it is installed. However, you might need to configure the instance to meet your specific requirements.

With the {gitops-shortname} Operator, you can extend the permissions of the Argo CD instance to enable the Argo CD Application Controller to deploy resources into other namespaces apart from where it is installed.

Note	The roles that the {gitops-shortname} Operator in the namespace creates are namespace-scoped and only have access to namespace resources. The Operator cannot perform any actions outside of the namespaces it manages.

How does this method work?

The {gitops-shortname} Operator allows OpenShift users to instantiate Argo CD instances in their namespaces, provided that they have permission to create Argo CD resources in the argoproj.io/v1alpha1 or argoproj.io/v1beta1 API in their namespace. Currently, a namespace-scoped instance has full administrative permissions for one or many namespaces it manages, similar to allowing all verbs for all resources within that namespace.

For the Argo CD Application Controller to deploy resources in other namespaces, you must configure Kubernetes roles and role bindings. These roles and bindings identify the namespaces that a namespace-scoped instance can manage. The {gitops-shortname} Operator supports the argocd.argoproj.io/managed-by label to simplify this setup. Use this label to indicate the namespaces managed by the instance. When you deploy the {gitops-shortname} Operator in namespace-scoped mode, it automatically creates the required roles and role bindings in each labeled namespace.

Important

The argocd.argoproj.io/managed-by label only works for namespaces in the same cluster as the {gitops-shortname} Operator. For remote clusters, you must define the permissions manually.

By default, when labeling the namespace by using the managed-by label, the {gitops-shortname} Operator gives the Argo CD Application Controller permissions equal to the Kubernetes default admin cluster role for the labeled namespace. However, you can opt to define an alternate cluster role that is used for the controller and server components by using the CONTROLLER_CLUSTER_ROLE and CONTROLLER_SERVER_ROLE environment variables in the Operator’s Subscription resource. When you give these variables, the Operator will not create a default role in the namespace but rather only create a role binding in the namespace of the corresponding cluster role. It is up to the administrator to create the cluster role, having full control over the permissions.

Note

When defining your role, Argo CD will attempt to interact with all resources. Therefore, you must either give permission to view, get, and watch all resources in your custom cluster role, or configure the Argo CD CR to include or exclude specific resources through the resourceInclusions or resourceExclusions fields defined in the role. It is not possible to manage cluster-scoped resources, such as namespaces, custom resource definitions (CRDs), or cluster roles with a namespace-scoped instance.