Chapter 1. Managing the application set resources in non-control plane namespaces
Argo CD application sets in non-control plane namespaces is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
By using application sets, you can automate and manage the deployments of multiple Argo CD applications declaratively from a single mono-repository to many clusters at once with greater flexibility.
With Red Hat OpenShift GitOps 1.12 and later, as a cluster administrator, you can create and manage ApplicationSet resources declaratively in non-control plane namespaces, that is, in namespaces other than the openshift-gitops control plane namespace, by explicitly enabling and configuring the ArgoCD and ApplicationSet custom resources (CRs) as per your requirements. This functionality is particularly useful in multitenancy environments when you want to manage deployments of Argo CD applications for your isolated teams. This functionality is called the ApplicationSet in any namespace feature in the Argo CD open source project.
The generated Argo CD applications can create resources in any non-control plane namespace. However, the application itself will be in the same namespace as the application set resources.
1.1. Prerequisites
- You have a user-defined cluster-scoped Argo CD instance in your defined namespace. For example, the spring-petclinic namespace.
- You have explicitly enabled and configured the target namespaces in the ArgoCD CR to manage application resources in non-control plane namespaces.
1.2. Enabling the application set resources in non-control plane namespaces
As a cluster administrator, you can define a certain set of non-control plane namespaces wherein users can create, update, and reconcile ApplicationSet resources. You must explicitly enable and configure the ArgoCD and ApplicationSet custom resources (CRs) as per your requirements.
Procedure
1. Set the sourceNamespaces parameter for the applicationSet spec to include the non-control plane namespaces.
Example Argo CD custom resource:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
  namespace: spring-petclinic
spec:
  applicationSet:
    sourceNamespaces:
    - dev
where:
- spec.applicationSet: Specifies the list of non-control plane namespaces for creating and managing ApplicationSet resources.
Note: At the moment, the use of wildcards (*) is not supported in the .spec.applicationSet.sourceNamespaces field.
2. Verify that the following role-based access control (RBAC) resources are either created or modified by the GitOps Operator:
- Name: <argocd_name>-<argocd_namespace>-argocd-applicationset-controller; Kind: ClusterRole and ClusterRoleBinding; Purpose: For the Argo CD ApplicationSet Controller to watch and list ApplicationSet resources at cluster level.
- Name: <argocd_name>-<argocd_namespace>-applicationset; Kind: Role and RoleBinding; Purpose: For the Argo CD ApplicationSet Controller to manage ApplicationSet resources in the target namespace.
- Name: <argocd_name>-<target_namespace>; Kind: Role and RoleBinding; Purpose: For the Argo CD server to manage ApplicationSet resources in the target namespace through the UI, API, or CLI.
Note: The Operator adds the argocd.argoproj.io/applicationset-managed-by-cluster-argocd label to the target namespace.
1.3. About configuring ApplicationSet namespaces using names and patterns
Red Hat OpenShift GitOps controls which namespaces an Argo CD instance can use to create and manage ApplicationSet resources.
You enable this behavior by specifying allowed namespaces in the Argo CD custom resource (CR) using the spec.applicationSet.sourceNamespaces field. The Red Hat OpenShift GitOps Operator uses this configuration to determine which namespaces are permitted to host ApplicationSet resources and automatically provisions the required role-based access control (RBAC) resources.
The spec.applicationSet.sourceNamespaces field supports the following namespace selectors:
- Explicit namespace names
- Glob-style wildcard patterns
- Regular expression patterns
The Red Hat OpenShift GitOps Operator evaluates these selectors at reconcile time and applies permissions to all matching namespaces. Permissions are also automatically applied to newly created namespaces that match the configured selectors.
1.3.1. Enable ApplicationSet in a specific namespace
To enable an Argo CD instance to manage ApplicationSet resources in a specific namespace, add the namespace name to the spec.applicationSet.sourceNamespaces field in the Argo CD custom resource.
Procedure
Add the namespace name to the spec.applicationSet.sourceNamespaces field in the Argo CD custom resource:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
spec:
  sourceNamespaces:
  - foo
  applicationSet:
    sourceNamespaces:
    - foo
In this example, the Argo CD instance named example can create and manage ApplicationSet resources in the foo namespace.
1.3.2. Define glob-style wildcard patterns
To grant permissions across multiple namespaces that share a common naming convention, use glob-style wildcard patterns.
Procedure
Use glob-style wildcard patterns in the spec.applicationSet.sourceNamespaces field to grant permissions across multiple namespaces:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
spec:
  sourceNamespaces:
  - team-*
  applicationSet:
    sourceNamespaces:
    - team-*
This configuration allows the Argo CD instance to manage ApplicationSet resources in namespaces such as team-1 and team-2.
1.3.3. Define regular expressions in patterns
To precisely control which namespaces receive permissions, use regular expressions. Regular expression patterns must be wrapped in forward slashes (/pattern/).
Procedure
Use regular expression patterns wrapped in forward slashes in the spec.applicationSet.sourceNamespaces field:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example
spec:
  sourceNamespaces:
  - team-*
  applicationSet:
    sourceNamespaces:
    - /^team-(frontend|backend)$/
    - /^team-[0-9]+$/
In this example, permissions are granted only to namespaces that match the specified regular expressions.
Patterns wrapped in forward slashes (/pattern/) are treated as regular expressions. Patterns without slashes are treated as glob-style wildcard patterns.
To create applications in non-control-plane namespaces, Apps in Any Namespace must be enabled. Ensure that the target namespace names are included in the spec.sourceNamespaces field of the Argo CD custom resource.
Avoid using broad patterns. These patterns can match a large number of namespaces, including system or sensitive namespaces, and might grant unintended access. Use the most specific pattern that meets your requirements and regularly review which namespaces match your configuration.
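The following added example (not code from the page or from the Operator) applies the selector rules described above, glob patterns versus /regex/ patterns, to a constructed list of cluster namespaces and flags selectors that reach system or control plane namespaces, which is the review this section asks for. CLUSTER_NAMESPACES and SENSITIVE_PREFIXES are constructed sample data, and fnmatch is assumed to approximate the Operator's glob matching for simple names.

```python
import fnmatch
import re

# Constructed sample of namespaces as they might exist on a cluster (not from the page).
CLUSTER_NAMESPACES = [
    "team-1", "team-2", "team-frontend", "team-backend", "team-backend-old",
    "openshift-gitops", "openshift-monitoring", "kube-system", "default",
]
# Assumed: name prefixes of namespaces a tenant selector should never reach.
SENSITIVE_PREFIXES = ("openshift-", "kube-")


def matches(selector: str, namespace: str) -> bool:
    """Apply one spec.applicationSet.sourceNamespaces entry to a namespace name.

    /pattern/ is a regular expression (anchors come from the pattern itself,
    as in the page's examples); anything else is a glob. fnmatch is assumed
    to approximate the Operator's glob matching for simple names.
    """
    if len(selector) > 2 and selector[0] == "/" and selector[-1] == "/":
        return re.search(selector[1:-1], namespace) is not None
    return fnmatch.fnmatchcase(namespace, selector)


def resolve(selectors, namespaces=CLUSTER_NAMESPACES):
    """Map each selector to the sorted list of namespaces it currently matches."""
    return {s: sorted(n for n in namespaces if matches(s, n)) for s in selectors}


def review(selectors, namespaces=CLUSTER_NAMESPACES):
    """Return (selector, namespaces) pairs where a selector reaches a system or
    control plane namespace: the over-broad case this section warns about."""
    findings = []
    for selector, hits in resolve(selectors, namespaces).items():
        reached = [n for n in hits if n.startswith(SENSITIVE_PREFIXES)]
        if reached:
            findings.append((selector, reached))
    return findings


if __name__ == "__main__":
    for sel, hits in resolve(["team-*", "/^team-(frontend|backend)$/", "*"]).items():
        print(f"{sel:32} -> {hits}")
    print("over-broad:", review(["*"]))
```

Run it against the real namespace list (for example, the output of oc get namespaces) to see exactly which namespaces a proposed selector would cover before applying it.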
1.4. Allowing Source Code Manager Providers
Please read this section carefully. Misconfiguration could lead to potential security issues.
Allowing ApplicationSet resources in non-control plane namespaces can result in the exfiltration of secrets through malicious API endpoints in Source Code Manager (SCM) Provider or Pull Request (PR) generators. To prevent unauthorized access to sensitive information, the Operator disables the SCM Provider and PR generators by default as a precautionary measure.
Procedure
To use the SCM Provider and PR generators, explicitly define a list of allowed SCM Providers:
Example Argo CD custom resource:
apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: example-argocd
spec:
  applicationSet:
    sourceNamespaces:
    - dev
    scmProviders:
    - https://git.mydomain.com/
    - https://gitlab.mydomain.com/
where:
- spec.applicationSet.scmProviders: Specifies the list of URLs of the allowed SCM Providers.
Note: If you use a URL that is not in the list of allowed SCM Providers, the Argo CD ApplicationSet Controller will reject it.
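As an added example (not the controller's own code), the check below models the allowlist from this section as a pre-admission review of the scmProvider and pullRequest generators in an ApplicationSet spec: it takes the two URLs from the page's example CR and rejects generator api fields whose scheme, host or port differ, so lookalike hosts and plain-http downgrades are caught. The strict scheme/host/port comparison and the SAMPLE_GENERATORS data are assumptions for illustration, not the controller's exact comparison.

```python
from urllib.parse import urlsplit

# Allowed SCM Providers, as listed in the page's example ArgoCD CR.
ALLOWED_SCM_PROVIDERS = ["https://git.mydomain.com/", "https://gitlab.mydomain.com/"]

# Constructed sample: the generators section of an ApplicationSet spec (not from the page).
SAMPLE_GENERATORS = [
    {"scmProvider": {"gitlab": {"group": "platform", "api": "https://gitlab.mydomain.com/"}}},
    {"scmProvider": {"gitea": {"owner": "platform", "api": "https://git.mydomain.com/api/v1"}}},
    {"pullRequest": {"gitea": {"owner": "platform", "repo": "app",
                               "api": "https://git.mydomain.com.evil.example/"}}},
    {"pullRequest": {"gitea": {"owner": "platform", "repo": "app", "api": "http://git.mydomain.com/"}}},
    {"list": {"elements": [{"cluster": "in-cluster"}]}},
]


def url_allowed(api_url: str, allowed=ALLOWED_SCM_PROVIDERS) -> bool:
    """Return True if api_url is covered by an allowlist entry.

    Assumed strict comparison: https only, identical host and port, and the
    path must start with the allowed entry's path. A plain string-prefix test
    would accept git.mydomain.com.evil.example as an extension of git.mydomain.com.
    """
    u = urlsplit(api_url)
    if u.scheme != "https" or not u.hostname:
        return False
    for entry in allowed:
        a = urlsplit(entry)
        if (u.hostname, u.port) != (a.hostname, a.port):
            continue
        if (u.path or "/").startswith(a.path or "/"):
            return True
    return False


def check_generators(generators, allowed=ALLOWED_SCM_PROVIDERS):
    """Return (generator kind, provider, api URL) for every SCM Provider or
    Pull Request generator whose explicit api field is not allowlisted.
    Generators without an api field are not inspected here."""
    rejected = []
    for gen in generators:
        for kind in ("scmProvider", "pullRequest"):
            for provider, body in (gen.get(kind) or {}).items():
                api = body.get("api") if isinstance(body, dict) else None
                if api and not url_allowed(api, allowed):
                    rejected.append((kind, provider, api))
    return rejected


if __name__ == "__main__":
    for item in check_generators(SAMPLE_GENERATORS):
        print("rejected:", item)
```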