Namespaced Apprepository: cronjobs not displayed in ArgoCD UI when repo deployed in namespace other than the kubeapps namespace

[Jonito]

Describe the bug
We deployed GCP Artifact Registry (oci) Apprepos in separate namespaces using ArgoCD. The repos can be seen under each of the required namespace in kubeapps package administration and functionality works
The cronjobs for these Apprepos get deployed in kubeapps namespace along with the jobs created by the cronjobs run.
But the cronjobs are not seen from Argocd.
To Reproduce
Steps to reproduce the behavior:

1. Deploy GCP artifact repository (OCI) as namedspace Apprepo.
2. Verify the app repos in Kubeapps package administration in the expected namespace.
3. Verify the functionality using a helm chart
4. Verify the contents of cronjob for that Apprepo. If the cronjob is in different namespace then the Apprepo the it will have missing ownerReferences: when checked the cronjob

for e.g one of my cronjobs.

kubectl get cronjobs apprepo-ecpipeline-sync-gcp-ecpipeline -o yaml
apiVersion: batch/v1
kind: CronJob
metadata:
creationTimestamp: "2022-11-14T09:33:34Z"
generation: 1
labels:
apprepositories.kubeapps.com/repo-name: gcp-ecpipeline
apprepositories.kubeapps.com/repo-namespace: ecpipeline
name: apprepo-ecpipeline-sync-gcp-ecpipeline
namespace: apps
resourceVersion: "29377232"
uid: 62e3cb9b-762e-42e1-b7ea-760a86aea3c6
spec:
concurrencyPolicy: Replace
failedJobsHistoryLimit: 1
jobTemplate:
metadata:
creationTimestamp: null
spec:
template:
metadata:
creationTimestamp: null
labels:
apprepositories.kubeapps.com/repo-name: gcp-ecpipeline
apprepositories.kubeapps.com/repo-namespace: ecpipeline
spec:
containers:
- args:
- sync
- --database-url=apps-postgresql:5432
- --database-user=postgres
- --database-name=assets
- --user-agent-comment=kubeapps/2.5.0
- --global-repos-namespace=apps
- --namespace=ecpipeline
- gcp-ecpipeline
- https://europe-west4-docker.pkg.dev/sap-cx-pipeline-test/
- oci
- --oci-repositories
- k8s-ec-pipeline/jenkins-ecpipeline
command:
- /asset-syncer
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
key: postgres-password
name: kubeapps-postgresql
- name: AUTHORIZATION_HEADER
valueFrom:
secretKeyRef:
key: authorizationHeader
name: ecpipeline-apprepo-gcp-ecpipeline
image: eu.gcr.io/sap-cx-pipeline-prod/k8s-apps/kubeapps-asset-syncer:2.5.0-scratch-r0
imagePullPolicy: IfNotPresent
name: sync
resources:
limits:
cpu: 500m
memory: 100M
requests:
cpu: 100m
memory: 50M
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
restartPolicy: OnFailure
schedulerName: default-scheduler
securityContext:
runAsUser: 1001
terminationGracePeriodSeconds: 30
ttlSecondsAfterFinished: 3600
schedule: '*/10 * * * *'
successfulJobsHistoryLimit: 3
suspend: false
status:
lastScheduleTime: "2022-11-14T10:20:00Z"
lastSuccessfulTime: "2022-11-14T10:20:05Z"

Expected behavior
I expected the cronjobs to be deployed in same namespace as the Apprepos so the the cronjobs ownerReferences gets defined in the cronjob

Screenshots

Part screenshot of argocd deployment showing the Apprepositories.
In this screenshot i have three repos gcp-test-ecpipeline , gcp-test-modelt-sre and gcp-test-modelt
cronjob displayed for gcp-test-ecpipeline which is in same namespace as kubeapps.
gcp-test-modelt-sre and gcp-test-modelt are in different namespaces and cronjobs not seen in the scrrenshot.

Desktop (please complete the following information):

• Version [2.5.0]
• Kubernetes version [v1.23.11]
• Package version []

Additional context
Add any other context about the problem here.

[absoludity]

Hi @Jonito . I think the related issue here is that the current Kubeapps asset-syncer command requires the database secret for the Kubeapps postgresql database (as in, it talks directly to the DB :/ ), which means that we can really only restrict ourselves to running the asset-sync jobs in the Kubeapps namespace (since otherwise we'd need to copy that secret out to other namespaces - not something we can consider). I had hoped we could at some point address this (see #2394), but it's not something currently prioritized.

So unfortunately I don't currently see a solution for you, other than if there was a way for ArgoCD to link to a cronjob in a different namespace :/ Happy to add any annotations or similar that might be useful/required though I think it's a known restriction - for example, see crossplane/crossplane#2928

[ppbaena]

Hi @Jonito, this is Pepe Baena, engineering manager at Kubeapps. As a Kubeapps adopter, I’d like to feature your organization in the ADOPTERS.md file. Would you like to be included? We only need a PR with your logo and 1-2 sentences describing how your organization uses Kubeapps (we can also help you with this PR).

I really appreciate it for promoting Kubeapps use cases like yours throughout our amazing open-source community.
Thank you so much for your contribution.

[Jonito]

@ppbaena

I work for SAP and it's already there in the ADOPTERS.md.

[ppbaena]

Thank's @Jonito. I have not everyone in your team identified 😄