Chapter 1. Managing the application set resources in non-control plane namespaces
Argo CD application sets in non-control plane namespaces is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
By using application sets, you can automate and manage the deployments of multiple Argo CD applications declaratively from a single mono-repository to many clusters at once with greater flexibility.
With Red Hat OpenShift GitOps 1.12 and later, as a cluster administrator, you can create and manage the ApplicationSet resources in non-control plane namespaces declaratively, other than the openshift-gitops control plane namespace, by explicitly enabling and configuring the ArgoCD and ApplicationSet custom resources (CRs) as per your requirements. This functionality is particularly useful in multitenancy environments when you want to manage deployments of Argo CD applications for your isolated teams. This functionality is called the ApplicationSet in any namespace feature in the Argo CD open source project.
The generated Argo CD applications can create resources in any non-control plane namespace. However, the application itself will be in the same namespace as the application set resources.
1.1. Prerequisites
- You have a user-defined cluster-scoped Argo CD instance in your defined namespace. For example, spring-petclinic namespace.
- You have explicitly enabled and configured the target namespaces in the ArgoCD CR to manage application resources in non-control plane namespaces.
1.2. Enabling the application set resources in non-control plane namespaces
As a cluster administrator, you can define a certain set of non-control plane namespaces wherein users can create, update, and reconcile ApplicationSet resources. You must explicitly enable and configure the ArgoCD and ApplicationSet custom resources (CRs) as per your requirements.
Procedure
1. Set the sourceNamespaces parameter for the applicationSet spec to include the non-control plane namespaces:

   Example Argo CD custom resource

       apiVersion: argoproj.io/v1beta1
       kind: ArgoCD
       metadata:
         name: example
         namespace: spring-petclinic
       spec:
         applicationSet:
           sourceNamespaces:
             - dev

   Note: At the moment, the use of wildcards (*) is not supported in the .spec.applicationSet.sourceNamespaces field.

2. Verify that the following role-based access control (RBAC) resources are either created or modified by the GitOps Operator:

   | Name | Kind | Purpose |
   | --- | --- | --- |
   | <argocd_name>-<argocd_namespace>-argocd-applicationset-controller | ClusterRole and ClusterRoleBinding | For the Argo CD ApplicationSet Controller to watch and list ApplicationSet resources at cluster-level |
   | <argocd_name>-<argocd_namespace>-applicationset | Role and RoleBinding | For the Argo CD ApplicationSet Controller to manage ApplicationSet resources in target namespace |
   | <argocd_name>-<target_namespace> | Role and RoleBinding | For the Argo CD server to manage ApplicationSet resources in target namespace through UI, API, or CLI |

   Note: The Operator adds the argocd.argoproj.io/applicationset-managed-by-cluster-argocd label to the target namespace.
1.3. Allowing Source Code Manager Providers
Please read this section carefully. Misconfiguration could lead to potential security issues.
Allowing ApplicationSet resources in non-control plane namespaces can result in the exfiltration of secrets through malicious API endpoints in Source Code Manager (SCM) Provider or Pull Request (PR) generators. To prevent unauthorized access to sensitive information, the Operator disables the SCM Provider and PR generators by default as a precautionary measure.
Procedure
To use the SCM Provider and PR generators, explicitly define a list of allowed SCM Providers:
Example Argo CD custom resource

    apiVersion: argoproj.io/v1beta1
    kind: ArgoCD
    metadata:
      name: example-argocd
    spec:
      applicationSet:
        sourceNamespaces:
          - dev
        scmProviders: # The list of URLs of the allowed SCM Providers.
          - https://git.mydomain.com/
          - https://gitlab.mydomain.com/

If you use a URL that is not in the list of allowed SCM Providers, the Argo CD ApplicationSet Controller will reject it.
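
A pre-merge check in the spirit of sections 1.2 and 1.3, as an added example that is not part of the Red Hat documentation or the GitOps Operator: it walks parsed ApplicationSet manifests, including nested matrix and merge generators, and reports any SCM Provider or PR generator whose api URL is missing from scmProviders, plus any ApplicationSet outside sourceNamespaces. The generator field names follow the upstream Argo CD ApplicationSet spec; the exact-string URL comparison, the treatment of the instance namespace as always permitted, and the sample manifests are assumptions made for the example.

```python
# Added example: audit parsed ApplicationSet manifests against the ArgoCD CR.
# Assumptions: exact-string URL matching; the instance namespace is always permitted.

def generator_api_urls(generators):
    """Yield (kind, provider, api_url) for each SCM Provider or PR generator,
    descending into matrix and merge generators."""
    for gen in generators or []:
        for kind in ("scmProvider", "pullRequest"):
            for provider, cfg in (gen.get(kind) or {}).items():
                # Non-provider keys (filters, requeueAfterSeconds) are skipped.
                if isinstance(cfg, dict) and cfg.get("api"):
                    yield kind, provider, cfg["api"]
        for combinator in ("matrix", "merge"):
            nested = (gen.get(combinator) or {}).get("generators")
            yield from generator_api_urls(nested)

def audit(argocd_cr, appsets):
    """Return (namespace/name, message) findings for manifests that break the policy."""
    spec = argocd_cr["spec"]["applicationSet"]
    allowed_ns = set(spec.get("sourceNamespaces", [])) | {argocd_cr["metadata"]["namespace"]}
    allowed_urls = set(spec.get("scmProviders", []))
    findings = []
    for appset in appsets:
        meta = appset["metadata"]
        ref = f'{meta["namespace"]}/{meta["name"]}'
        if meta["namespace"] not in allowed_ns:
            findings.append((ref, "namespace not in sourceNamespaces"))
        for kind, provider, url in generator_api_urls(appset["spec"].get("generators")):
            if url not in allowed_urls:
                findings.append((ref, f"{kind}.{provider} api {url} not in scmProviders"))
    return findings

# Constructed sample input; the CR mirrors the example above, with a namespace added.
ARGOCD = {"metadata": {"name": "example-argocd", "namespace": "spring-petclinic"},
          "spec": {"applicationSet": {"sourceNamespaces": ["dev"], "scmProviders": [
              "https://git.mydomain.com/", "https://gitlab.mydomain.com/"]}}}
APPSETS = [
    {"metadata": {"name": "team-a", "namespace": "dev"},
     "spec": {"generators": [{"pullRequest": {"gitlab": {
         "project": "100", "api": "https://gitlab.mydomain.com/"}}}]}},
    {"metadata": {"name": "team-b", "namespace": "dev"},
     "spec": {"generators": [{"matrix": {"generators": [
         {"scmProvider": {"github": {"organization": "org", "api": "https://git.example.net/"}}},
         {"list": {"elements": [{"env": "test"}]}}]}}]}},
    {"metadata": {"name": "team-c", "namespace": "qa"}, "spec": {"generators": []}},
]

if __name__ == "__main__":
    print(*(f"{ref}: {msg}" for ref, msg in audit(ARGOCD, APPSETS)), sep="\n")
```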