github.com/argoproj-labs/argocd-operator@v0.10.0/docs/usage/appsets-in-any-namespace.md

# ApplicationSets in Any Namespace

**Current feature state**: Beta

!!! note
    This feature is currently considered a beta feature in upstream Argo CD. Some of the implementation details may change over time until it is promoted to stable status.

Argo CD supports managing `ApplicationSet` resources in non-control plane namespaces. Argo CD administrators can define a certain set of namespaces in which to create, update, and reconcile `ApplicationSet` resources.

To manage `ApplicationSet` resources in non-control plane namespaces, i.e. outside Argo CD's own namespace, you must satisfy the following prerequisites:

1. The Argo CD instance should be cluster-scoped
2. [Apps in Any Namespace](./apps-in-any-namespace.md) should be enabled on target namespaces

## Enable ApplicationSets in a namespace

To enable this feature in a namespace, add the namespace name under the `.spec.applicationSet.sourceNamespaces` field in the ArgoCD CR.

For example, the following configuration allows the `example` Argo CD instance to create and manage `ApplicationSet` resources in the `foo` namespace.

```yaml
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
spec:
  applicationSet:
    sourceNamespaces:
      - foo
```

As of now, wildcards are not supported in `.spec.applicationSet.sourceNamespaces`.

!!! important
    Ensure that [Apps in Any Namespace](./apps-in-any-namespace.md) is enabled on the target namespace, i.e. the target namespace name is part of the `.spec.sourceNamespaces` field in the ArgoCD CR.

The Operator creates or modifies the following RBAC resources when ApplicationSets in Any Namespace is enabled:

|Name|Kind|Purpose|
|:-|:-|:-|
|`<argoCDName-argoCDNamespace>-argocd-applicationset-controller`|ClusterRole & ClusterRoleBinding|For ApplicationSet controller to watch and list `ApplicationSet` resources at cluster-level|
|`<argoCDName-argoCDNamespace>-applicationset`|Role & RoleBinding|For ApplicationSet controller to manage `ApplicationSet` resources in target namespace|
|`<argoCDName-targetNamespace>`|Role & RoleBinding|For Argo CD server to manage `ApplicationSet` resources in target namespace via UI, API or CLI|

Additionally, it adds the `argocd.argoproj.io/applicationset-managed-by-cluster-argocd` label to the target namespace.

Note that a generated `Application` can create resources in any namespace. However, the `Application` itself will be in the same namespace as its `ApplicationSet`.

## Allow SCM Providers

By default, whenever you enable the ApplicationSets in Any Namespace feature, the Operator disables the Source Code Manager (SCM) Provider generator and the Pull Request (PR) generator for security reasons. Read the upstream [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/Appset-Any-Namespace/#scm-providers-secrets-consideration) for more details.

To use the SCM Provider and PR generators, Argo CD administrators must explicitly define a list of allowed SCM providers using the `.spec.applicationSet.scmProviders` field in the ArgoCD CR.

```yaml
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
spec:
  applicationSet:
    sourceNamespaces:
      - foo
    scmProviders:
      - https://git.mydomain.com/
      - https://gitlab.mydomain.com/
```

This configures the ApplicationSet controller to allow the defined URLs for the SCM Provider and PR generators. If any other URL is used, it will be rejected by the ApplicationSet controller.

!!! important
    Please read the upstream [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/applicationset/Appset-Any-Namespace/#scm-providers-secrets-consideration) carefully. Misconfiguration could lead to potential security issues.

### Things to consider

Only one of the `managed-by` and `applicationset-managed-by-cluster-argocd` labels can be applied to a given namespace. Because this feature is currently in beta, the `managed-by` label takes priority in case of a conflict: the new roles/rolebindings will not be created if the namespace is already labelled with `managed-by`, and they will be deleted if a namespace is first added to the `.spec.applicationSet.sourceNamespaces` list and is later also labelled with `managed-by`.
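
The constraints described on this page can be checked before a CR is applied. The following is an added example, not code from the operator project: a small linter that takes an ArgoCD CR as a dict (for instance from `kubectl get argocd example -o json`) plus a map of namespace labels, and reports unsupported wildcards, namespaces missing from `.spec.sourceNamespaces`, `managed-by` label conflicts, and the disabled SCM Provider/PR generators. The function name, the finding format and the sample data are assumptions, and namespace names are compared literally.

```python
import json

# Label the page calls `managed-by`; it takes priority over the appset label.
MANAGED_BY = "argocd.argoproj.io/managed-by"

def lint_argocd_cr(cr, ns_labels):
    """Return (level, namespace, message) findings for an ArgoCD CR dict.

    ns_labels maps namespace name -> labels dict (e.g. from `kubectl get ns -o json`).
    """
    spec = cr.get("spec") or {}
    appset = spec.get("applicationSet") or {}
    appset_ns = appset.get("sourceNamespaces") or []
    app_ns = set(spec.get("sourceNamespaces") or [])
    findings = []
    for ns in appset_ns:
        if any(ch in ns for ch in "*?["):
            findings.append(("error", ns, "wildcards are not supported in "
                             ".spec.applicationSet.sourceNamespaces"))
            continue
        if ns not in app_ns:  # assumption: literal name comparison
            findings.append(("error", ns, "Apps in Any Namespace is not enabled: "
                             "add it to .spec.sourceNamespaces"))
        if MANAGED_BY in ns_labels.get(ns, {}):
            findings.append(("warning", ns, "labelled managed-by: appset "
                             "roles/rolebindings will not be created"))
    if appset_ns and not appset.get("scmProviders"):
        findings.append(("info", None, "SCM Provider and PR generators are disabled: "
                         ".spec.applicationSet.scmProviders is empty"))
    return findings

# Constructed sample input, not taken from a real cluster.
SAMPLE_CR = json.loads("""
{"apiVersion": "argoproj.io/v1beta1", "kind": "ArgoCD",
 "metadata": {"name": "example"},
 "spec": {"sourceNamespaces": ["foo"],
          "applicationSet": {"sourceNamespaces": ["foo", "bar", "team-*"]}}}
""")
SAMPLE_NS_LABELS = {"foo": {MANAGED_BY: "other-argocd"}, "bar": {}}

if __name__ == "__main__":
    for level, ns, msg in lint_argocd_cr(SAMPLE_CR, SAMPLE_NS_LABELS):
        print(f"{level:7} {ns or '-':8} {msg}")
```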