feat(sourceNamespace): Exclusion

Signed-off-by: Arthur <[email protected]>

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -69,6 +69,7 @@ func NewCommand() *cobra.Command {
 		otlpHeaders                      map[string]string
 		otlpAttrs                        []string
 		applicationNamespaces            []string
+		applicationNamespacesIgnored     []string
 		persistResourceHealth            bool
 		shardingAlgorithm                string
 		enableDynamicClusterDistribution bool
@@ -168,6 +169,7 @@ func NewCommand() *cobra.Command {
 				persistResourceHealth,
 				clusterSharding,
 				applicationNamespaces,
+				applicationNamespacesIgnored,
 				&workqueueRateLimit,
 				serverSideDiff,
 				enableDynamicClusterDistribution,
@@ -219,6 +221,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringToStringVar(&otlpHeaders, "otlp-headers", env.ParseStringToStringFromEnv("ARGOCD_APPLICATION_CONTROLLER_OTLP_HEADERS", map[string]string{}, ","), "List of OpenTelemetry collector extra headers sent with traces, headers are comma-separated key-value pairs(e.g. key1=value1,key2=value2)")
 	command.Flags().StringSliceVar(&otlpAttrs, "otlp-attrs", env.StringsFromEnv("ARGOCD_APPLICATION_CONTROLLER_OTLP_ATTRS", []string{}, ","), "List of OpenTelemetry collector extra attrs when send traces, each attribute is separated by a colon(e.g. key:value)")
 	command.Flags().StringSliceVar(&applicationNamespaces, "application-namespaces", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES", []string{}, ","), "List of additional namespaces that applications are allowed to be reconciled from")
+	command.Flags().StringSliceVar(&applicationNamespacesIgnored, "application-namespaces-ignored", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES_IGNORED", []string{}, ","), "List of additional namespaces where application resources should be ignored")
 	command.Flags().BoolVar(&persistResourceHealth, "persist-resource-health", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_PERSIST_RESOURCE_HEALTH", true), "Enables storing the managed resources health in the Application CRD")
 	command.Flags().StringVar(&shardingAlgorithm, "sharding-method", env.StringFromEnv(common.EnvControllerShardingAlgorithm, common.DefaultShardingAlgorithm), "Enables choice of sharding method. Supported sharding methods are : [legacy, round-robin, consistent-hashing] ")
 	// global queue rate limit config

cmd/argocd-notification/commands/controller.go

@@ -56,6 +56,7 @@ func NewCommand() *cobra.Command {
 		configMapName                  string
 		secretName                     string
 		applicationNamespaces          []string
+		applicationNamespacesIgnored   []string
 		selfServiceNotificationEnabled bool
 	)
 	command := cobra.Command{
@@ -140,7 +141,7 @@ func NewCommand() *cobra.Command {
 			log.Infof("serving metrics on port %d", metricsPort)
 			log.Infof("loading configuration %d", metricsPort)
 
-			ctrl := notificationscontroller.NewController(k8sClient, dynamicClient, argocdService, namespace, applicationNamespaces, appLabelSelector, registry, secretName, configMapName, selfServiceNotificationEnabled)
+			ctrl := notificationscontroller.NewController(k8sClient, dynamicClient, argocdService, namespace, applicationNamespaces, applicationNamespacesIgnored, appLabelSelector, registry, secretName, configMapName, selfServiceNotificationEnabled)
 			err = ctrl.Init(ctx)
 			if err != nil {
 				return fmt.Errorf("failed to initialize controller: %w", err)
@@ -164,6 +165,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&configMapName, "config-map-name", "argocd-notifications-cm", "Set notifications ConfigMap name")
 	command.Flags().StringVar(&secretName, "secret-name", "argocd-notifications-secret", "Set notifications Secret name")
 	command.Flags().StringSliceVar(&applicationNamespaces, "application-namespaces", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES", []string{}, ","), "List of additional namespaces that this controller should send notifications for")
+	command.Flags().StringSliceVar(&applicationNamespacesIgnored, "application-namespaces-ignored", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES_IGNORED", []string{}, ","), "List of additional namespaces where application resources should be ignored")
 	command.Flags().BoolVar(&selfServiceNotificationEnabled, "self-service-notification-enabled", env.ParseBoolFromEnv("ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED", false), "Allows the Argo CD notification controller to pull notification config from the namespace that the resource is in. This is useful for self-service notification.")
 	return &command
 }

cmd/argocd-server/commands/argocd_server.go

@@ -50,39 +50,40 @@ var (
 // NewCommand returns a new instance of an argocd command
 func NewCommand() *cobra.Command {
 	var (
-		redisClient              *redis.Client
-		insecure                 bool
-		listenHost               string
-		listenPort               int
-		metricsHost              string
-		metricsPort              int
-		otlpAddress              string
-		otlpInsecure             bool
-		otlpHeaders              map[string]string
-		otlpAttrs                []string
-		glogLevel                int
-		clientConfig             clientcmd.ClientConfig
-		repoServerTimeoutSeconds int
-		baseHRef                 string
-		rootPath                 string
-		repoServerAddress        string
-		dexServerAddress         string
-		disableAuth              bool
-		contentTypes             string
-		enableGZip               bool
-		tlsConfigCustomizerSrc   func() (tls.ConfigCustomizer, error)
-		cacheSrc                 func() (*servercache.Cache, error)
-		repoServerCacheSrc       func() (*reposervercache.Cache, error)
-		frameOptions             string
-		contentSecurityPolicy    string
-		repoServerPlaintext      bool
-		repoServerStrictTLS      bool
-		dexServerPlaintext       bool
-		dexServerStrictTLS       bool
-		staticAssetsDir          string
-		applicationNamespaces    []string
-		enableProxyExtension     bool
-		webhookParallelism       int
+		redisClient                  *redis.Client
+		insecure                     bool
+		listenHost                   string
+		listenPort                   int
+		metricsHost                  string
+		metricsPort                  int
+		otlpAddress                  string
+		otlpInsecure                 bool
+		otlpHeaders                  map[string]string
+		otlpAttrs                    []string
+		glogLevel                    int
+		clientConfig                 clientcmd.ClientConfig
+		repoServerTimeoutSeconds     int
+		baseHRef                     string
+		rootPath                     string
+		repoServerAddress            string
+		dexServerAddress             string
+		disableAuth                  bool
+		contentTypes                 string
+		enableGZip                   bool
+		tlsConfigCustomizerSrc       func() (tls.ConfigCustomizer, error)
+		cacheSrc                     func() (*servercache.Cache, error)
+		repoServerCacheSrc           func() (*reposervercache.Cache, error)
+		frameOptions                 string
+		contentSecurityPolicy        string
+		repoServerPlaintext          bool
+		repoServerStrictTLS          bool
+		dexServerPlaintext           bool
+		dexServerStrictTLS           bool
+		staticAssetsDir              string
+		applicationNamespaces        []string
+		applicationNamespacesIgnored []string
+		enableProxyExtension         bool
+		webhookParallelism           int
 
 		// ApplicationSet
 		enableNewGitFileGlobbing bool
@@ -195,34 +196,35 @@ func NewCommand() *cobra.Command {
 			}
 
 			argoCDOpts := server.ArgoCDServerOpts{
-				Insecure:                insecure,
-				ListenPort:              listenPort,
-				ListenHost:              listenHost,
-				MetricsPort:             metricsPort,
-				MetricsHost:             metricsHost,
-				Namespace:               namespace,
-				BaseHRef:                baseHRef,
-				RootPath:                rootPath,
-				DynamicClientset:        dynamicClient,
-				KubeControllerClientset: controllerClient,
-				KubeClientset:           kubeclientset,
-				AppClientset:            appClientSet,
-				RepoClientset:           repoclientset,
-				DexServerAddr:           dexServerAddress,
-				DexTLSConfig:            dexTlsConfig,
-				DisableAuth:             disableAuth,
-				ContentTypes:            contentTypesList,
-				EnableGZip:              enableGZip,
-				TLSConfigCustomizer:     tlsConfigCustomizer,
-				Cache:                   cache,
-				RepoServerCache:         repoServerCache,
-				XFrameOptions:           frameOptions,
-				ContentSecurityPolicy:   contentSecurityPolicy,
-				RedisClient:             redisClient,
-				StaticAssetsDir:         staticAssetsDir,
-				ApplicationNamespaces:   applicationNamespaces,
-				EnableProxyExtension:    enableProxyExtension,
-				WebhookParallelism:      webhookParallelism,
+				Insecure:                     insecure,
+				ListenPort:                   listenPort,
+				ListenHost:                   listenHost,
+				MetricsPort:                  metricsPort,
+				MetricsHost:                  metricsHost,
+				Namespace:                    namespace,
+				BaseHRef:                     baseHRef,
+				RootPath:                     rootPath,
+				DynamicClientset:             dynamicClient,
+				KubeControllerClientset:      controllerClient,
+				KubeClientset:                kubeclientset,
+				AppClientset:                 appClientSet,
+				RepoClientset:                repoclientset,
+				DexServerAddr:                dexServerAddress,
+				DexTLSConfig:                 dexTlsConfig,
+				DisableAuth:                  disableAuth,
+				ContentTypes:                 contentTypesList,
+				EnableGZip:                   enableGZip,
+				TLSConfigCustomizer:          tlsConfigCustomizer,
+				Cache:                        cache,
+				RepoServerCache:              repoServerCache,
+				XFrameOptions:                frameOptions,
+				ContentSecurityPolicy:        contentSecurityPolicy,
+				RedisClient:                  redisClient,
+				StaticAssetsDir:              staticAssetsDir,
+				ApplicationNamespaces:        applicationNamespaces,
+				ApplicationNamespacesIgnored: applicationNamespacesIgnored,
+				EnableProxyExtension:         enableProxyExtension,
+				WebhookParallelism:           webhookParallelism,
 			}
 
 			appsetOpts := server.ApplicationSetOpts{
@@ -295,6 +297,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&dexServerPlaintext, "dex-server-plaintext", env.ParseBoolFromEnv("ARGOCD_SERVER_DEX_SERVER_PLAINTEXT", false), "Use a plaintext client (non-TLS) to connect to dex server")
 	command.Flags().BoolVar(&dexServerStrictTLS, "dex-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_SERVER_DEX_SERVER_STRICT_TLS", false), "Perform strict validation of TLS certificates when connecting to dex server")
 	command.Flags().StringSliceVar(&applicationNamespaces, "application-namespaces", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES", []string{}, ","), "List of additional namespaces where application resources can be managed in")
+	command.Flags().StringSliceVar(&applicationNamespacesIgnored, "application-namespaces-ignored", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES_IGNORED", []string{}, ","), "List of additional namespaces where application resources should be ignored")
 	command.Flags().BoolVar(&enableProxyExtension, "enable-proxy-extension", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_PROXY_EXTENSION", false), "Enable Proxy Extension feature")
 	command.Flags().IntVar(&webhookParallelism, "webhook-parallelism-limit", env.ParseNumFromEnv("ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT", 50, 1, 1000), "Number of webhook requests processed concurrently")
 

controller/appcontroller.go

@@ -140,6 +140,7 @@ type ApplicationController struct {
 	clusterSharding               sharding.ClusterShardingCache
 	projByNameCache               sync.Map
 	applicationNamespaces         []string
+	applicationNamespacesIgnored  []string
 	ignoreNormalizerOpts          normalizers.IgnoreNormalizerOpts
 
 	// dynamicClusterDistributionEnabled if disabled deploymentInformer is never initialized
@@ -168,6 +169,7 @@ func NewApplicationController(
 	persistResourceHealth bool,
 	clusterSharding sharding.ClusterShardingCache,
 	applicationNamespaces []string,
+	applicationNamespacesIgnored []string,
 	rateLimiterConfig *ratelimiter.AppControllerRateLimiterConfig,
 	serverSideDiff bool,
 	dynamicClusterDistributionEnabled bool,
@@ -202,6 +204,7 @@ func NewApplicationController(
 		clusterSharding:                   clusterSharding,
 		projByNameCache:                   sync.Map{},
 		applicationNamespaces:             applicationNamespaces,
+		applicationNamespacesIgnored:      applicationNamespacesIgnored,
 		dynamicClusterDistributionEnabled: dynamicClusterDistributionEnabled,
 		ignoreNormalizerOpts:              ignoreNormalizerOpts,
 	}
@@ -2087,7 +2090,7 @@ func (ctrl *ApplicationController) shouldSelfHeal(app *appv1.Application) (bool,
 // isAppNamespaceAllowed returns whether the application is allowed in the
 // namespace it's residing in.
 func (ctrl *ApplicationController) isAppNamespaceAllowed(app *appv1.Application) bool {
-	return app.Namespace == ctrl.namespace || glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false)
+	return app.Namespace == ctrl.namespace || (glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false) && !glob.MatchStringInList(ctrl.applicationNamespacesIgnored, app.Namespace, false))
 }
 
 func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {

controller/appcontroller_test.go

@@ -159,6 +159,7 @@ func newFakeController(data *fakeData, repoErr error) *ApplicationController {
 		true,
 		nil,
 		data.applicationNamespaces,
+		[]string{},
 		nil,
 		false,
 		false,

docs/operator-manual/notifications/index.md

@@ -55,7 +55,7 @@ for their Argo CD applications. For example, the end-user can configure notifica
 This feature is based on applications in any namespace. See [applications in any namespace](../app-any-namespace.md) page for more information.
 
 In order to enable this feature, the Argo CD administrator must reconfigure the argocd-notification-controller workloads to add  `--application-namespaces` and `--self-service-notification-enabled` parameters to the container's startup command.
-`--application-namespaces` controls the list of namespaces that Argo CD applications are in. `--self-service-notification-enabled` turns on this feature.
+`--application-namespaces` controls the list of namespaces that Argo CD applications are in. `--self-service-notification-enabled` turns on this feature. If some additional namespaces need to excluded that are within the previous selection, `--application-namespaces-ignored` can be used.
 
 The startup parameters for both can also be conveniently set up and kept in sync by specifying
 the `application.namespaces` and `notificationscontroller.selfservice.enabled` in the argocd-cmd-params-cm ConfigMap instead of changing the manifests for the respective workloads. For example:

docs/operator-manual/server-commands/argocd-application-controller.md

@@ -20,6 +20,7 @@ argocd-application-controller [flags]
       --app-resync-jitter int                                     Maximum time period in seconds to add as a delay jitter for application resync.
       --app-state-cache-expiration duration                       Cache expiration for app state (default 1h0m0s)
       --application-namespaces strings                            List of additional namespaces that applications are allowed to be reconciled from
+      --application-namespaces-ignored strings                    List of additional namespaces where application resources should be ignored
       --as string                                                 Username to impersonate for the operation
       --as-group stringArray                                      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
       --as-uid string                                             UID to impersonate for the operation

docs/operator-manual/server-commands/argocd-server.md

@@ -29,6 +29,7 @@ argocd-server [flags]
       --api-content-types string                        Semicolon separated list of allowed content types for non GET api requests. Any content type is allowed if empty. (default "application/json")
       --app-state-cache-expiration duration             Cache expiration for app state (default 1h0m0s)
       --application-namespaces strings                  List of additional namespaces where application resources can be managed in
+      --application-namespaces-ignored strings          List of additional namespaces where application resources should be ignored
       --appset-allowed-scm-providers strings            The list of allowed custom SCM provider API URLs. This restriction does not apply to SCM or PR generators which do not accept a custom API URL. (Default: Empty = all)
       --appset-enable-new-git-file-globbing             Enable new globbing in Git files generator.
       --appset-enable-scm-providers                     Enable retrieving information from SCM providers, used by the SCM and PR generators (Default: true) (default true)

notification_controller/controller/controller.go

@@ -60,6 +60,7 @@ func NewController(
 	argocdService service.Service,
 	namespace string,
 	applicationNamespaces []string,
+	applicationNamespacesIgnored []string,
 	appLabelSelector string,
 	registry *controller.MetricsRegistry,
 	secretName string,
@@ -74,8 +75,8 @@ func NewController(
 	if len(applicationNamespaces) == 0 {
 		appClient = namespaceableAppClient.Namespace(namespace)
 	}
-	appInformer := newInformer(appClient, namespace, applicationNamespaces, appLabelSelector)
-	appProjInformer := newInformer(newAppProjClient(client, namespace), namespace, []string{namespace}, "")
+	appInformer := newInformer(appClient, namespace, applicationNamespaces, applicationNamespacesIgnored, appLabelSelector)
+	appProjInformer := newInformer(newAppProjClient(client, namespace), namespace, []string{namespace}, applicationNamespacesIgnored, "")
 	var notificationConfigNamespace string
 	if selfServiceNotificationEnabled {
 		notificationConfigNamespace = v1.NamespaceAll
@@ -138,7 +139,7 @@ func (c *notificationController) alterDestinations(obj v1.Object, destinations s
 	return destinations
 }
 
-func newInformer(resClient dynamic.ResourceInterface, controllerNamespace string, applicationNamespaces []string, selector string) cache.SharedIndexInformer {
+func newInformer(resClient dynamic.ResourceInterface, controllerNamespace string, applicationNamespaces []string, applicationNamespacesIgnored []string, selector string) cache.SharedIndexInformer {
 	informer := cache.NewSharedIndexInformer(
 		&cache.ListWatch{
 			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
@@ -151,7 +152,7 @@ func newInformer(resClient dynamic.ResourceInterface, controllerNamespace string
 				}
 				newItems := []unstructured.Unstructured{}
 				for _, res := range appList.Items {
-					if controllerNamespace == res.GetNamespace() || glob.MatchStringInList(applicationNamespaces, res.GetNamespace(), false) {
+					if controllerNamespace == res.GetNamespace() || (glob.MatchStringInList(applicationNamespaces, res.GetNamespace(), false && !glob.MatchStringInList(applicationNamespacesIgnored, res.GetNamespace(), false))) {
 						newItems = append(newItems, res)
 					}
 				}

notification_controller/controller/controller_test.go

@@ -120,6 +120,7 @@ func TestInit(t *testing.T) {
 			nil,
 			"default",
 			[]string{},
+			[]string{},
 			appLabelSelector,
 			nil,
 			"my-secret",
@@ -154,6 +155,7 @@ func TestInitTimeout(t *testing.T) {
 		nil,
 		"default",
 		[]string{},
+		[]string{},
 		appLabelSelector,
 		nil,
 		"my-secret",