argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0
17.74k stars 5.4k forks

AppSource CRD #6405

Open alexmt opened 3 years ago

alexmt commented 3 years ago

Summary

The existing ApplicationSet CRD allows managing multiple Argo CD applications in a centralized way. This works very well when one team is responsible for managing a set of apps and wants to reduce the amount of manual work needed to keep a list of Argo CD apps up to date.

Motivation

We still have another use case: multiple teams use Argo CD as a service and want to independently manage applications. It is proposed to introduce AppSource CRD that simplifies managing Argo CD apps in a decentralized way.

Proposal

Create an AppSource CRD that should be installed into the managed cluster and can be used by developers with target cluster access to create Argo CD applications.

CRD

AppSource is a CRD that should be installed into the managed cluster and contains only the application source field. Example:

apiVersion: argoproj.io/v1alpha1
kind: AppSource
metadata:
  name: guestbook
spec:
  path: kustomize-guestbook
  repoURL: https://github.com/argoproj/argocd-example-apps

Controller

The AppSource CRD controller should watch for AppSource instances in namespaces and should create normal Argo CD Applications using the Argo CD API. The controller administrator should configure the following settings:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-source-cm
data:
  argocd.address: argo-cd-demo.argoproj.io:443 # Argo CD server hostname and port
  argocd.token: $token # Argo CD access token
  project.pattern: '(.*)-us-(west|east)-2' # pattern that decides in which project apps
                                    # should be created based on AppSource namespace.
                                    # E.g. AppSources in `my-project-us-west-2` and `my-project-us-east-2` should
                                    # create apps in 'my-project'

The controller and CRD should be implemented as a https://github.com/argoproj-labs project.

Nice To Have Features

If the first MVC gets good feedback then the following features can be implemented:

sbose78 commented 3 years ago

Hi Alex, may I confirm that the AppSource CRD is namespace-scoped?

alexmt commented 3 years ago

@sbose78 yes, that is correct

jgwest commented 3 years ago

@alexmt In which namespace would the argocd-source-cm resource be defined? I assume it would be defined in the AppSource controller namespace, rather than in the same namespace as the AppSource(s)? (If it WERE in the same namespace as the AppSource, then tenants would likely have write access to ConfigMaps in that namespace, and would be able to alter it to point at whichever project they wanted)

aceamarco commented 3 years ago

Hello @jgwest, I've been working on the first MVC @alexmt described, and in my opinion I think the config should be, and is being, created within the RBAC-configured argocd namespace that only admins have access to.
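
The namespace-to-project mapping that `project.pattern` describes in the proposal, sketched in Go as an added example (not code from the issue or from the AppSource controller). It assumes the first capture group is the project name and anchors the pattern to the whole namespace name, because Go's `regexp` matches substrings by default and an unanchored `(.*)-us-(west|east)-2` would also accept a namespace such as `my-project-us-west-2-scratch`; the function names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
)

// compileProjectPattern wraps the configured project.pattern value in
// \A(?:...)\z so it must match the entire namespace name, not a substring.
// It also rejects patterns without a capture group for the project name.
func compileProjectPattern(pattern string) (*regexp.Regexp, error) {
	re, err := regexp.Compile(`\A(?:` + pattern + `)\z`)
	if err != nil {
		return nil, fmt.Errorf("invalid project.pattern: %w", err)
	}
	if re.NumSubexp() < 1 {
		return nil, fmt.Errorf("project.pattern needs a capture group for the project name")
	}
	return re, nil
}

// projectForNamespace returns the Argo CD project for an AppSource namespace.
// Assumption: capture group 1 holds the project name. An empty capture is
// treated as "no project" so that no app is created for it.
func projectForNamespace(re *regexp.Regexp, namespace string) (string, bool) {
	m := re.FindStringSubmatch(namespace)
	if m == nil || m[1] == "" {
		return "", false
	}
	return m[1], true
}

func main() {
	re, err := compileProjectPattern(`(.*)-us-(west|east)-2`)
	if err != nil {
		panic(err)
	}
	// Constructed namespace names for illustration.
	namespaces := []string{
		"my-project-us-west-2", "my-project-us-east-2",
		"my-project-us-west-2-scratch", "-us-east-2", "kube-system",
	}
	for _, ns := range namespaces {
		project, ok := projectForNamespace(re, ns)
		fmt.Printf("%-30s project=%q matched=%v\n", ns, project, ok)
	}
}
```
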