Application and ImageUpdater CRDs in different namespaces #1575

@ramiz-lido

Is your feature request related to a problem? Please describe.

We run a setup with ApplicationSets, which are managed by us as admins. ApplicationSets and the Applications generated (via the Git file generator) are deployed in the argocd namespace. Argo CD and Argo CD Image Updater are also installed in the same namespace.

Other resources of these Applications, such as Deployments, Ingresses, PVCs, etc., are deployed in team-specific namespaces—for example, team-test. The team-test namespace is used by a group of developers with their own RBAC configuration and is governed by a specific AppProject that allows them to deploy resources only within their namespace.

We want to give these developers the ability to create their own ImageUpdater CRDs to update their applications. However, with the current approach, they cannot do this because they are not allowed to deploy CRDs in the argocd namespace.


Describe the solution you'd like

Argo CD Image Updater admins should be able to set a variable, such as NamespaceSelector, which the Image Updater controller would use to search for ImageUpdater CRDs. This would allow teams (e.g., team-test) to create their own ImageUpdater CRDs that can modify resources only within their own namespace.


Describe alternatives you've considered

  • A custom operator that tracks team-specific ImageUpdater CRDs and deploys them in the “correct” namespace. However, this approach does not seem secure enough and might allow developers to affect resources in other teams’ namespaces. A similar concern is described here.
  • Deploying Applications and ApplicationSets in each team namespace (e.g., team-test). However, this seems like an anti-pattern and raises security concerns.

Version

This feature request applies to (check all that apply):

  • Annotation-based configuration (versions starting with 0, e.g., 0.17.0)
  • CRD-based configuration (versions starting with 1, e.g., 1.0.0)

Labels: enhancement (New feature or request)