-
Notifications
You must be signed in to change notification settings - Fork 746
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: changes to support the feature apps in any namespaces #794
feat: changes to support the feature apps in any namespaces #794
Conversation
dcf2f00
to
88634f0
Compare
what happens if the same namespace features in the "sourceNamespaces" list of 2 different argo-cd instances? I think it would also be good to have some e2e tests written out that can cover scenarios like this |
88634f0
to
dd7aea0
Compare
Yes, we would reconcile the roles for both the argo-cd instances. |
eecb3f2
to
c9d5985
Compare
@ishitasequeira that might be a problem, no? should we maybe consider some kind of mechanism to check if an app is already being managed by some other instance? |
As mentioned in @jannfis's upstream PR description,
I will update our documentation with this comment. |
@ishitasequeira |
@jaideepr97 Agreed. A little over-engineered solution could be having an admission webhook disallow specification of a namespace in |
@sbose78 that could work |
I think managing a map might be difficult as we would have to take care of cleaning it up too if the ArgoCD instance is updated later and a namespace is removed from it.. I was wondering if we could use a label like |
@ishitasequeira FWIW I don't think cleanup would be too bad, we would just need to watch for changes in the CR when a namespace is removed from the watch list, and when a namespace is deleted - in both cases we check if that namespace has any roles that need to be cleaned up & then remove that entry from the map (We already have similar watches in place to react to different events like removal of SSO in CR or deletion of managed namespace) |
c9d5985
to
f31cf97
Compare
As agreed in the slack conversation, we are attaching a label |
@iam-veeramalla @jopit @jaideepr97 could you review the PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ishitasequeira it seems like we may not be handling clean up in this PR. When someone removes a namespace from a source list, I think the label should be removed from that namespace and the roles and rolebindings will need to be cleaned up as well.
Another point that occurred to me was that if one instance tries to watch a namespace that is already being watched by a different instance we could consider alerting them through a warning event or something else
ae96967
to
a6219c1
Compare
986837e
to
aa31c4f
Compare
I have tested this PR locally and it works as expected for the most part
@ishitasequeira please update the e2e test to ensure proper cleanup of roles/rolebindings as discussed |
other than that this LGTM, thanks a lot @ishitasequeira !! |
/lgtm |
aa31c4f
to
0f8e7d6
Compare
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
@jaideepr97 I have updated the documentation and the e2e test. @iam-veeramalla @wtam2018 PTAL. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ishitasequeira Please add a step in the e2e test that removes a namespace from a source list, and then checks that the role/rolebinding is removed from the namespace that was removed from the list
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
Signed-off-by: ishitasequeira <ishiseq29@gmail.com>
babe78b
to
eb2328b
Compare
Merged, thanks again @ishitasequeira ! |
What type of PR is this?
/kind enhancement
What does this PR do / why we need it:
The PR adds support for the feature apps in any namespace added upstream. To do so, the PR adds new command args
--additional-namespace
to ArgoCD ApplicationController and ArgoCD Server components. Also, the PR adds new roles in the respective namespaces for ArgoCD Server to perform actions in the namespace.Have you updated the necessary documentation?
Which issue(s) this PR fixes:
https://issues.redhat.com/browse/GITOPS-2341
How to test changes / Special notes to the reviewer:
make install run
argocd-test
andargocd-1
Check if the ArgoCD pods came up successfully using command
kubectl get pods | grep example-argocd
Check whether the new roles were created in namespaces
argocd-test
andargocd-1
Check if the namespaces
argocd-test
andargocd-1
have a new labelargocd.argoproj.io/managed-by-cluster-argocd
e2e test for the PR.
kubectl kuttl test ./tests/k8s --config ./tests/kuttl-tests.yaml --test 1-024_validate_apps_in_any_namespace