
@jgwest
Last active April 30, 2024 10:53

GitOps Docs JIRA: https://issues.redhat.com/browse/GITOPS-4481

RHDEVDOCS JIRA: https://issues.redhat.com/browse/RHDEVDOCS-6022


Configuration of namespace-scoped Argo Rollouts installation

Out of the box, the OpenShift GitOps operator is only configured to support cluster-scoped Argo Rollouts installs.

When an Argo Rollouts install is cluster-scoped (via a RolloutManager resource), all Rollout custom resources (CRs) within any Namespace will be reconciled by that Argo Rollouts instance. This allows you to use Argo Rollouts across any namespace on the cluster.

For example, let's say Argo Rollouts is installed into the 'argo-rollouts' Namespace, and configured for cluster scope, via a RolloutManager CR created within that namespace. From then on, that Argo Rollouts instance would watch and reconcile all Rollout CRs created within any namespace on the cluster. A new Rollout CR created within a 'my-application' namespace, for instance, would be handled by the Argo Rollouts instance within the 'argo-rollouts' namespace.

An alternative to cluster-scoped Argo Rollouts installs is namespace-scoped Argo Rollouts installs. Namespace-scoped Argo Rollouts installs do not require cluster-wide permissions via ClusterRoles or ClusterRoleBindings. This allows them to be created by users whose permissions are limited to a single namespace. Namespace-scoped instances may be considered for the security benefits that come with limiting the scope of a single Argo Rollouts instance to one namespace rather than the whole cluster.

With a namespace-scoped Argo Rollouts install, Argo Rollouts will only reconcile Rollout resources within the same namespace as that Argo Rollouts install. For example, if Argo Rollouts is installed into 'argo-rollouts-ns', that Argo Rollouts installation would only reconcile Rollout resources within that same 'argo-rollouts-ns' Namespace. A Rollout resource within another namespace, such as a 'my-application' Namespace, would be ignored.

If we wish to use one or more namespace-scoped Argo Rollouts installs on the cluster, we will need to enable namespace-scoped Argo Rollouts within the configuration of the OpenShift GitOps operator.

Configuration

As above, cluster-scoped Argo Rollouts support is enabled by default, out of the box. No additional steps are required.

Note: To prevent unintended privilege escalation, OpenShift GitOps only supports EITHER cluster-scoped Rollouts installs OR namespace-scoped Rollouts installs on a cluster. That is, it does not support both simultaneously: you must choose which to enable on the cluster, with the default being cluster-scoped.

Prerequisites

  • You have installed the Red Hat OpenShift GitOps Operator.
  • You have logged in to the OpenShift Container Platform cluster as an administrator.

Procedure

To enable namespace-scoped Argo Rollouts installs, perform the following steps.

  1. In the Administrator perspective, navigate to Administration → CustomResourceDefinitions.
  2. Find the Subscription CRD and click to open it.
  3. Select the Instances tab and click the openshift-gitops-operator subscription.
  4. Select the YAML tab. You will need to add the NAMESPACE_SCOPED_ARGO_ROLLOUTS environment variable, with a value of 'true' (single quotes required), to .spec.config.env, to configure the operator to allow namespace-scoped installs of Rollouts:
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-gitops-operator
spec:
  # (...)
  config:
    env:
      - name: NAMESPACE_SCOPED_ARGO_ROLLOUTS
        value: 'true'

This instructs OpenShift GitOps to configure the Argo Rollouts operator to only reconcile namespace-scoped Argo Rollouts installs.

  5. To verify that OpenShift GitOps has now enabled namespace-scoped Argo Rollouts installs, examine the logs of the OpenShift GitOps operator container. In the Administrator perspective, navigate to Workloads → Pods. Select the 'openshift-gitops-operator-controller-manager' Pod, then select the Logs tab.
  6. Verify that the container logs contain a statement indicating that the operator is "Running in namespaced-scoped mode". If it is instead in cluster-scoped mode, you will see "Running in cluster-scoped mode".
  7. Next, create a RolloutManager resource, which will perform the namespace-scoped Argo Rollouts install. First, select the Project into which Argo Rollouts will be installed, via the Project selector at the top of the OpenShift console. You may optionally create a new Project via this mechanism.
  8. After selecting the target Project, navigate to Operators → Installed Operators → Red Hat OpenShift GitOps, then select the 'RolloutManager' tab.
  9. Click the 'Create RolloutManager' button.
  10. Select YAML view. When creating a namespace-scoped Argo Rollouts install, you must specify '.spec.namespaceScoped: true' within the RolloutManager resource. Enter the following into the YAML view:
apiVersion: argoproj.io/v1alpha1
kind: RolloutManager
metadata:
  name: rollout-manager
spec:
  namespaceScoped: true

  11. Click the Create button. Once the RolloutManager resource is created, OpenShift GitOps will install a namespace-scoped Argo Rollouts instance into the Namespace.
  12. To verify the success of the install, select the RolloutManager that was created, and select YAML.
  13. Examine the '.status' field of the RolloutManager resource. The 'phase' field should have a value of 'Available', and '.status.conditions' will inform you if there are any configuration errors to address: for example, an error will be reported if you are trying to create a namespace-scoped Argo Rollouts install when a cluster-scoped Rollouts install already exists on the cluster.
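The same procedure as an `oc` command-line script, added here as an example; it is not part of this gist or of the OpenShift GitOps operator project. It assumes the Subscription and the operator Deployment live in the openshift-gitops-operator namespace, that the Deployment is named openshift-gitops-operator-controller-manager (matching the Pod name above), and that the RolloutManager reports configuration errors as conditions whose status is not True; the target project name is a placeholder. The helper functions that build the patch and manifest and interpret the logs and status take their input as arguments or on stdin, so they can be checked without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): CLI equivalent of the console procedure above.
# Usage:  ./rollouts-ns-scoped.sh apply my-application
set -eu

SUB_NS="openshift-gitops-operator"                           # assumed namespace of the Subscription
SUB_NAME="openshift-gitops-operator"                         # Subscription name from the procedure
OPERATOR_DEPLOY="openshift-gitops-operator-controller-manager"  # assumed Deployment name (matches the Pod prefix)

# JSON merge patch that sets NAMESPACE_SCOPED_ARGO_ROLLOUTS to the string 'true' on .spec.config.env.
# Caveat: a merge patch replaces the whole env list, so if .spec.config.env already has
# entries they must be included here too, or they will be dropped.
subscription_env_patch() {
  printf '%s' '{"spec":{"config":{"env":[{"name":"NAMESPACE_SCOPED_ARGO_ROLLOUTS","value":"true"}]}}}'
}

# Reads operator logs on stdin and maps the start-up line to a mode name:
# "namespace", "cluster" or "unknown" (the log strings are the ones quoted in the procedure).
rollouts_mode_from_logs() {
  logs=$(cat)
  case "$logs" in
    *"Running in namespaced-scoped mode"*) echo namespace ;;
    *"Running in cluster-scoped mode"*)    echo cluster ;;
    *)                                     echo unknown ;;
  esac
}

# RolloutManager manifest for a namespace-scoped install in the given project.
rolloutmanager_manifest() {
  ns="$1"
  cat <<EOF
apiVersion: argoproj.io/v1alpha1
kind: RolloutManager
metadata:
  name: rollout-manager
  namespace: ${ns}
spec:
  namespaceScoped: true
EOF
}

# Checks the install result: phase is passed as $1, conditions arrive on stdin, one per line,
# as "Type=Status:Message". Assumption: a condition whose status is not True signals a
# configuration error (e.g. a cluster-scoped install already present). Returns 0 only when
# the phase is Available and no such condition exists; otherwise prints what is wrong.
install_ok() {
  phase="$1"; ok=0
  [ "$phase" = "Available" ] || { echo "phase is '${phase}', expected Available"; ok=1; }
  while IFS= read -r line; do
    case "$line" in
      ""|*"=True:"*) ;;
      *) echo "condition not satisfied: $line"; ok=1 ;;
    esac
  done
  return $ok
}

# Runs the whole procedure against the logged-in cluster (requires cluster-admin).
apply_procedure() {
  target_ns="$1"
  oc patch subscription "$SUB_NAME" -n "$SUB_NS" --type merge -p "$(subscription_env_patch)"
  # OLM restarts the operator with the new env var; wait for the new Pod before reading its logs.
  oc rollout status "deployment/${OPERATOR_DEPLOY}" -n "$SUB_NS"
  mode=$(oc logs "deployment/${OPERATOR_DEPLOY}" -n "$SUB_NS" | rollouts_mode_from_logs)
  [ "$mode" = "namespace" ] || { echo "operator is in '${mode}' mode, not namespace-scoped"; return 1; }
  oc get namespace "$target_ns" >/dev/null 2>&1 || oc new-project "$target_ns" >/dev/null
  rolloutmanager_manifest "$target_ns" | oc apply -f -
  oc wait "rolloutmanager/rollout-manager" -n "$target_ns" \
    --for=jsonpath='{.status.phase}'=Available --timeout=120s || true
  phase=$(oc get rolloutmanager/rollout-manager -n "$target_ns" -o jsonpath='{.status.phase}')
  oc get rolloutmanager/rollout-manager -n "$target_ns" \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status}:{.message}{"\n"}{end}' \
    | install_ok "$phase"
}

if [ "${1:-}" = "apply" ]; then
  apply_procedure "${2:-my-application}"
fi
```

Nothing touches the cluster unless the script is invoked with `apply`, so it can be sourced to reuse the helpers, for example to grep an already-saved operator log through `rollouts_mode_from_logs` when diagnosing why a RolloutManager in one project is reporting an error.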