feat(appset): ApplicationSet in any namespace

[speedfl]

Signed-off-by: gmuselli geoffrey.muselli@gmail.com

Closes #10655

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• Optional. My organization is added to USERS.md.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).

[codecov]

Codecov Report

Patch coverage: 59.21% and no project coverage change.

Comparison is base (771012b) 49.64% compared to head (fec35ea) 49.65%.

Additional details and impacted files

@@           Coverage Diff            @@
##           master   #12378    +/-   ##
========================================
  Coverage   49.64%   49.65%            
========================================
  Files         257      258     +1     
  Lines       43948    44423   +475     
========================================
+ Hits        21820    22060   +240     
- Misses      19981    20193   +212     
- Partials     2147     2170    +23     

Impacted Files	Coverage Δ
cmd/argocd/commands/app.go	21.81% <0.00%> (ø)
cmd/argocd/commands/app_actions.go	0.00% <0.00%> (ø)
cmd/argocd/commands/app_resources.go	9.55% <0.00%> (ø)
pkg/apiclient/apiclient.go	1.19% <0.00%> (ø)
pkg/apis/application/v1alpha1/types.go	59.11% <ø> (-0.57%)	⬇️
server/application/terminal.go	12.67% <0.00%> (ø)
cmd/argocd/commands/applicationset.go	16.33% <19.23%> (-0.72%)	⬇️
.../apis/application/v1alpha1/applicationset_types.go	31.25% <25.00%> (+0.13%)	⬆️
...cationset/controllers/applicationset_controller.go	62.35% <50.00%> (-0.37%)	⬇️
server/applicationset/applicationset.go	60.24% <85.18%> (ø)
... and 8 more

... and 6 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[speedfl]

Took the opportunity to add a test for applicationset server

https://github.com/argoproj/argo-cd/pull/12378/files#diff-1b078e5493d7d523ef5e4e0ab51e198b4f82eb44475a54b0e37951ebb9fce010

[crenshaw-dev]

@speedfl I haven't dived into this yet, but: for appsets outside of the argocd namespace, how will secrets such as GitHub API tokens be resolved? Will we look for them in the argocd namespace or in the AppSet's namespace?

[speedfl]

@crenshaw-dev you are right, it will take the secrets into the argocd namespace.

It can represent a security concern however after thinking about it I arrived to this conclusion:

• If people wants to share the tokens / clusters they can use this model
• if people doesn't want to share the tokens / clusters they can still deploy in namespace mode

Maybe an addendum in the doc could be required

[crenshaw-dev]

@speedfl yep I think good documentation should do the trick.

I need to implement a change to allow-list SCMs so folks can't exfiltrate secrets by setting api: https://server-i-own.bad.

[speedfl]

@crenshaw-dev I pushed an update on the documentaion

[robertvarjasi]

Can you guys do the review? We would like to leverage this feature.

[crenshaw-dev]

@robertvarjasi probably not in time for 2.7. I'll set it to target 2.8.

[alexbde]

@crenshaw-dev will the issue #11104 also be fixed within this PR? It would be great if we could decide to have App Sets in the one namespace and generated Applications in another one.

[speedfl]

@alexbde I would prefer to go incremental. I can work on #11104 later

[iandelahorne]

Looking forward to this in a coming release, we leverage apps in any namespace and just now ran into not being able to use appsets in any namespace

[speedfl]

Hi @crenshaw-dev could we set the milestones for this one to 2.8 ? I think this one is really a big added values. Even more than full templating as it allows to use applicationset without being an admin :)

[crenshaw-dev]

it allows to use applicationset without being an admin :)

I don't think this is entirely true yet. Non-admin users could use appsets to exfiltrate secrets, including the Argo CD API Server key, used to sign JWTs. They could exfiltrate that secret and then use it to sign themselves an admin JWT.

[speedfl]

@crenshaw-dev @ishitasequeira I fixed everything 👍

[speedfl]

@crenshaw-dev I looked at #9353 content. It looks really clear.
Do you want me to treat it as part of this PR so that applicationset can be fully delivered as non admin ready ?

[crenshaw-dev]

@speedfl maybe as a new PR based on this one? Wanna make sure nothing slows down this PR, so we can definitely get it into 2.8.

[speedfl]

Ok I will fix conflict as soon as possible!

[speedfl]

All done @crenshaw-dev

[crenshaw-dev]

Small things, I hope. :-)

[speedfl]

Thanks a lot @crenshaw-dev 🙂