Argo CD application sets


Red Hat OpenShift GitOps 1.15

Managing the application set resources in non-control plane namespaces

Red Hat OpenShift Documentation Team

Abstract

This document provides information about how to enable and manage the application set resources in non-control plane namespaces.

Chapter 1. Managing the application set resources in non-control plane namespaces

Important

Argo CD application sets in non-control plane namespaces is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

By using application sets, you can automate and manage the deployments of multiple Argo CD applications declaratively from a single mono-repository to many clusters at once with greater flexibility.

With Red Hat OpenShift GitOps 1.12 and later, as a cluster administrator, you can declaratively create and manage ApplicationSet resources in namespaces other than the openshift-gitops control plane namespace by explicitly enabling and configuring the ArgoCD and ApplicationSet custom resources (CRs) as per your requirements. This functionality is particularly useful in multitenancy environments where you want to manage deployments of Argo CD applications for isolated teams. In the Argo CD open source project, this functionality is called the ApplicationSet in any namespace feature.

Note

The generated Argo CD applications can create resources in any non-control plane namespace. However, the application itself will be in the same namespace as the application set resources.

1.1. Prerequisites

1.2. Enabling the application set resources in non-control plane namespaces

As a cluster administrator, you can define a certain set of non-control plane namespaces wherein users can create, update, and reconcile ApplicationSet resources. You must explicitly enable and configure the ArgoCD and ApplicationSet custom resources (CRs) as per your requirements.

Procedure

  1. Set the sourceNamespaces parameter for the applicationSet spec to include the non-control plane namespaces:

    Example Argo CD custom resource

    apiVersion: argoproj.io/v1beta1
    kind: ArgoCD
    metadata:
      name: example
      namespace: spring-petclinic
    spec:
      applicationSet:
        sourceNamespaces: # 1
          - dev # 2

    1: List of non-control plane namespaces for creating and managing ApplicationSet resources.
    2: Name of the target namespace for the Argo CD server to create and manage ApplicationSet resources.

    Note

    At the moment, the use of wildcards (*) is not supported in the .spec.applicationSet.sourceNamespaces field.

  2. Verify that the following role-based access control (RBAC) resources are either created or modified by the GitOps Operator:

    | Name | Kind | Purpose |
    | --- | --- | --- |
    | <argocd_name>-<argocd_namespace>-argocd-applicationset-controller | ClusterRole and ClusterRoleBinding | For the Argo CD ApplicationSet Controller to watch and list ApplicationSet resources at cluster-level |
    | <argocd_name>-<argocd_namespace>-applicationset | Role and RoleBinding | For the Argo CD ApplicationSet Controller to manage ApplicationSet resources in target namespace |
    | <argocd_name>-<target_namespace> | Role and RoleBinding | For the Argo CD server to manage ApplicationSet resources in target namespace through UI, API, or CLI |

    Note

    The Operator adds the argocd.argoproj.io/applicationset-managed-by-cluster-argocd label to the target namespace.

1.3. Allowing Source Code Manager Providers

Important

Please read this section carefully. Misconfiguration could lead to potential security issues.

Allowing ApplicationSet resources in non-control plane namespaces can result in the exfiltration of secrets through malicious API endpoints in Source Code Manager (SCM) Provider or Pull Request (PR) generators. To prevent unauthorized access to sensitive information, the Operator disables the SCM Provider and PR generators by default as a precautionary measure.

Procedure

  • To use the SCM Provider and PR generators, explicitly define a list of allowed SCM Providers:

    Example Argo CD custom resource

    apiVersion: argoproj.io/v1beta1
    kind: ArgoCD
    metadata:
      name: example-argocd
    spec:
      applicationSet:
        sourceNamespaces:
          - dev
        scmProviders: # 1
          - https://git.mydomain.com/
          - https://gitlab.mydomain.com/

    1: The list of URLs of the allowed SCM Providers.

Note

If you use a URL that is not in the list of allowed SCM Providers, the Argo CD ApplicationSet Controller will reject it.
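
The checks implied by sections 1.2 and 1.3, as an added example that is not Operator or Argo CD code: a pre-merge lint that flags ApplicationSet manifests outside sourceNamespaces, wildcards in that field, and SCM Provider or PR generators (including ones nested in matrix or merge generators, which goes beyond the cases shown above) whose api URL is not in scmProviders. It assumes manifests are already loaded as dicts and that URLs are compared as exact strings; the function names and the team-a, team-b and team-c manifests are hypothetical.

```python
# Added example, not Operator code. Assumption: exact string match on URLs.
SCM_KINDS = ("scmProvider", "pullRequest")  # generators gated by scmProviders

def scm_generators(generators):
    """Yield (kind, [explicit api URLs]) per SCM/PR generator, nested ones too."""
    for gen in generators or []:
        for kind in SCM_KINDS:
            if kind in gen:
                yield kind, [cfg["api"] for key, cfg in (gen.get(kind) or {}).items()
                             if key not in ("template", "values")
                             and isinstance(cfg, dict) and cfg.get("api")]
        for combinator in ("matrix", "merge"):  # these wrap child generators
            yield from scm_generators((gen.get(combinator) or {}).get("generators"))

def audit(argocd, appsets):
    """Return findings for ApplicationSets from non-control plane namespaces."""
    spec = argocd["spec"].get("applicationSet", {})
    source_ns = spec.get("sourceNamespaces") or []
    allowed = set(spec.get("scmProviders") or [])
    findings = [f"sourceNamespaces: wildcard not supported: {ns}"
                for ns in source_ns if "*" in ns]
    for appset in appsets:
        ns, name = appset["metadata"]["namespace"], appset["metadata"]["name"]
        if ns not in source_ns:
            findings.append(f"{ns}/{name}: namespace not in sourceNamespaces")
        for kind, urls in scm_generators(appset["spec"].get("generators")):
            if not allowed:  # SCM Provider and PR generators are off by default
                findings.append(f"{ns}/{name}: {kind} generator but scmProviders is empty")
            findings += [f"{ns}/{name}: {kind} api {u} not in scmProviders"
                         for u in urls if allowed and u not in allowed]
    return findings

# Constructed sample input (dicts as they would load from the YAML manifests).
ARGOCD = {"metadata": {"name": "example-argocd"}, "spec": {"applicationSet": {
    "sourceNamespaces": ["dev"],
    "scmProviders": ["https://git.mydomain.com/", "https://gitlab.mydomain.com/"]}}}
APPSETS = [
    {"metadata": {"name": "team-a", "namespace": "dev"},
     "spec": {"generators": [{"scmProvider": {"gitlab": {
         "group": "team-a", "api": "https://gitlab.mydomain.com/"}}}]}},
    {"metadata": {"name": "team-b", "namespace": "dev"},
     "spec": {"generators": [{"matrix": {"generators": [
         {"pullRequest": {"gitea": {"owner": "team-b", "repo": "app",
                                    "api": "https://gitea.example.net/"}}},
         {"list": {"elements": [{"cluster": "staging"}]}}]}}]}},
    {"metadata": {"name": "team-c", "namespace": "qa"}, "spec": {"generators": []}},
]
if __name__ == "__main__":
    print("\n".join(audit(ARGOCD, APPSETS)))
```

Generators that set no explicit api URL are not checked against the list by this lint.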

1.4. Additional resources

Legal Notice

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.