
Enabling Multi-Tenancy in ArgoCD#

ArgoCD integration in Multi Tenant Operator#

With the Multi-Tenant Operator (MTO), cluster administrators can configure multi-tenancy within their cluster. The integration of ArgoCD with MTO allows for the configuration of multi-tenancy in ArgoCD applications and AppProjects.

MTO can be configured to create AppProjects for each tenant. These AppProjects enable tenants to create ArgoCD Applications that can be synced to namespaces owned by them. Cluster admins can blacklist certain namespace resources and allow specific cluster-scoped resources as needed (see the NamespaceResourceBlacklist and ClusterResourceWhitelist sections in Integration Config docs and Tenant Custom Resource docs).

Note that ArgoCD integration in MTO is optional.

Default ArgoCD configuration#

We have set a default ArgoCD configuration in Multi Tenant Operator that fulfils the following use cases:

  • Tenants can only see their ArgoCD applications in the ArgoCD frontend.
  • Tenant 'Owners' and 'Editors' have full access to their ArgoCD applications.
  • Tenants in the 'Viewers' group have read-only access to their ArgoCD applications.
  • Tenants can sync all namespace-scoped resources, except those that are blacklisted.
  • Tenants can sync only cluster-scoped resources that are allow-listed.
  • Tenant 'Owners' can configure their own GitOps source repositories at the tenant level.
  • Cluster admins can prevent specific resources from syncing via ArgoCD.
  • Cluster admins have full access to all ArgoCD applications and AppProjects.
  • ArgoCD integration is on a per-tenant level; namespace-scoped applications are synced only to tenant namespaces.

Creating ArgoCD AppProjects for your tenant#

To ensure each tenant has their own ArgoCD AppProject, administrators must first tell MTO which namespace ArgoCD runs in (on OpenShift, the namespace of the GitOps operator); the AppProjects are created there. This is set under `integrations.argocd` in the IntegrationConfig:

apiVersion: tenantoperator.stakater.com/v1beta1
kind: IntegrationConfig
metadata:
  name: tenant-operator-config
  namespace: multi-tenant-operator
spec:
  ...
  integrations:
    argocd:
      namespace: openshift-operators
  ...

Administrators then create an Extensions CR associated with the tenant:

apiVersion: tenantoperator.stakater.com/v1alpha1
kind: Extensions
metadata:
  name: extensions-sample
spec:
  tenantName: tenant-sample
  argoCD:
    onDeletePurgeAppProject: true
    appProject:
      sourceRepos:
        - "github.com/stakater/repo"
      clusterResourceWhitelist:
        - group: ""
          kind: "Pod"
      namespaceResourceBlacklist:
        - group: ""
          kind: "ConfigMap"

Note that `group` is the API group of the resource, not its version: core kinds such as ConfigMap, ResourceQuota and LimitRange use `""` (an entry with `group: "v1"` never matches anything), and `clusterResourceWhitelist` only has an effect for cluster-scoped kinds. With `onDeletePurgeAppProject: true`, deleting the Extensions CR also deletes the AppProject.

This creates an AppProject for the tenant:

oc get AppProject -A
NAMESPACE             NAME           AGE
openshift-operators   tenant-sample  5d15h

Example of the created AppProject:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: tenant-sample
  namespace: openshift-operators
spec:
  destinations:
    - namespace: tenant-sample-build
      server: "https://kubernetes.default.svc"
    - namespace: tenant-sample-dev
      server: "https://kubernetes.default.svc"
    - namespace: tenant-sample-stage
      server: "https://kubernetes.default.svc"
  roles:
    - description: >-
        Role that gives full access to all resources inside the tenant's
        namespace to the tenant owner groups
      groups:
        - saap-cluster-admins
        - stakater-team
        - tenant-sample-owner-group
      name: tenant-sample-owner
      policies:
        - "p, proj:tenant-sample:tenant-sample-owner, *, *, tenant-sample/*, allow"
    - description: >-
        Role that gives edit access to all resources inside the tenant's
        namespace to the tenant edit group
      groups:
        - saap-cluster-admins
        - stakater-team
        - tenant-sample-edit-group
      name: tenant-sample-edit
      policies:
        - "p, proj:tenant-sample:tenant-sample-edit, *, *, tenant-sample/*, allow"
    - description: >-
        Role that gives view access to all resources inside the tenant's
        namespace to the tenant view group
      groups:
        - saap-cluster-admins
        - stakater-team
        - tenant-sample-view-group
      name: tenant-sample-view
      policies:
        - "p, proj:tenant-sample:tenant-sample-view, *, get, tenant-sample/*, allow"
  sourceRepos:
    - "https://github.com/stakater/gitops-config"

Users in the tenant's groups now see only the Applications that belong to their tenant's AppProject in the ArgoCD UI; the role policies above are scoped to the object `tenant-sample/*`, so Applications in other projects are invisible to them.

Note

For ArgoCD multi-tenancy to work properly, any default role or policy that applies to all users must be removed. In particular, a `policy.default` such as `role:readonly` in the `argocd-rbac-cm` ConfigMap grants every authenticated user read access to every Application, which defeats the per-project roles above.
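The following script, added here as an example and not part of MTO or ArgoCD, lints a generated AppProject together with the `argocd-rbac-cm` data against the tenancy properties this section relies on: destinations confined to the tenant's own namespaces on the in-cluster server, role policies whose subject and object stay inside the project, `group` fields that are API groups rather than versions, no wildcard source repositories, and no global `policy.default`. The sample AppProject and ConfigMap data are constructed from the snippet above (they are not read from a cluster), and the function names are the example's own.

```python
"""Tenancy lint for an MTO-generated ArgoCD AppProject and the argocd-rbac-cm data."""
import re

# Constructed sample modelled on the AppProject shown above (not live cluster data).
SAMPLE_PROJECT = {
    "metadata": {"name": "tenant-sample", "namespace": "openshift-operators"},
    "spec": {
        "destinations": [
            {"namespace": "tenant-sample-build", "server": "https://kubernetes.default.svc"},
            {"namespace": "tenant-sample-dev", "server": "https://kubernetes.default.svc"},
            {"namespace": "tenant-sample-stage", "server": "https://kubernetes.default.svc"},
        ],
        "roles": [
            {"name": "tenant-sample-owner", "groups": ["tenant-sample-owner-group"],
             "policies": ["p, proj:tenant-sample:tenant-sample-owner, *, *, tenant-sample/*, allow"]},
            {"name": "tenant-sample-view", "groups": ["tenant-sample-view-group"],
             "policies": ["p, proj:tenant-sample:tenant-sample-view, *, get, tenant-sample/*, allow"]},
        ],
        "sourceRepos": ["https://github.com/stakater/gitops-config"],
        "namespaceResourceBlacklist": [{"group": "", "kind": "ResourceQuota"},
                                       {"group": "", "kind": "LimitRange"}],
        "clusterResourceWhitelist": [],
    },
}

# Constructed argocd-rbac-cm data carrying the global read-only default that breaks tenant isolation.
SAMPLE_RBAC_CM = {"policy.default": "role:readonly", "policy.csv": "g, stakater-team, role:admin\n"}

IN_CLUSTER = "https://kubernetes.default.svc"
# "v1", "v1beta1", ...: an API version mistakenly written where an API group belongs.
VERSION_RE = re.compile(r"^v\d+((alpha|beta)\d+)?$")


def check_destinations(project, tenant):
    """Every destination must be the local cluster and a namespace prefixed with the tenant name."""
    findings = []
    for d in project["spec"].get("destinations", []):
        ns, server = d.get("namespace", ""), d.get("server", "")
        if "*" in ns or not ns.startswith(tenant + "-"):
            findings.append(f"destination namespace {ns!r} escapes tenant {tenant!r}")
        if server != IN_CLUSTER:
            findings.append(f"destination server {server!r} is not the in-cluster endpoint")
    return findings


def check_role_policies(project):
    """Policies must be scoped to this project: subject proj:<name>:<role>, object <name>/..."""
    name = project["metadata"]["name"]
    findings = []
    for role in project["spec"].get("roles", []):
        want_subject = f"proj:{name}:{role['name']}"
        for pol in role.get("policies", []):
            parts = [p.strip() for p in pol.split(",")]
            if len(parts) != 6 or parts[0] != "p":
                findings.append(f"malformed policy {pol!r}")
                continue
            if parts[1] != want_subject:
                findings.append(f"policy subject {parts[1]!r} != {want_subject!r}")
            if not re.fullmatch(re.escape(name) + r"/[*\w\-.]+", parts[4]):
                findings.append(f"policy object {parts[4]!r} not confined to project {name!r}")
    return findings


def check_resource_lists(project):
    """Group fields must be API groups ('' for core); a version string there never matches."""
    findings = []
    for key in ("namespaceResourceBlacklist", "clusterResourceWhitelist"):
        for entry in project["spec"].get(key, []):
            group = entry.get("group", "")
            if VERSION_RE.match(group):
                findings.append(f"{key}: group {group!r} for {entry.get('kind')} is a version, use the API group")
            if key == "clusterResourceWhitelist" and entry.get("kind") == "*" and group == "*":
                findings.append("clusterResourceWhitelist: */* allows every cluster-scoped resource")
    for repo in project["spec"].get("sourceRepos", []):
        if repo == "*":
            findings.append("sourceRepos: '*' allows syncing from any repository")
    return findings


def check_rbac_cm(cm_data):
    """A cluster-wide policy.default hands every user at least that role on every Application."""
    default = cm_data.get("policy.default", "").strip()
    return [f"argocd-rbac-cm policy.default={default!r} grants all users cross-tenant visibility"] if default else []


def lint(project, tenant, rbac_cm):
    """All findings for one tenant's AppProject plus the global RBAC ConfigMap."""
    return (check_destinations(project, tenant) + check_role_policies(project)
            + check_resource_lists(project) + check_rbac_cm(rbac_cm))


if __name__ == "__main__":
    for finding in lint(SAMPLE_PROJECT, "tenant-sample", SAMPLE_RBAC_CM):
        print("FINDING:", finding)
```

To run it against a real cluster, feed it the output of `oc get appproject <tenant> -n <argocd-namespace> -o json` and the `data` of `argocd-rbac-cm`; the only finding on the constructed sample is the global `policy.default`, which is exactly the condition the note above tells you to remove.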

Preventing ArgoCD from Syncing Certain Namespaced Resources#

To prevent tenants from syncing ResourceQuota and LimitRange resources to their namespaces, administrators can specify these resources in the blacklist section of the ArgoCD configuration in the IntegrationConfig:

apiVersion: tenantoperator.stakater.com/v1beta1
kind: IntegrationConfig
metadata:
  name: tenant-operator-config
  namespace: multi-tenant-operator
spec:
  ...
  integrations:
    argocd:
      namespace: openshift-operators
      namespaceResourceBlacklist:
        - group: ""
          kind: ResourceQuota
        - group: ""
          kind: LimitRange
  ...

With this configuration, ArgoCD refuses to sync these resources if they are added to any tenant's project directory in GitOps; the sync fails and the Application reports the resource as not permitted in the project. The generated AppProject includes the blacklisted resources:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: tenant-sample
  namespace: openshift-operators
spec:
  ...
  namespaceResourceBlacklist:
    - group: ''
      kind: ResourceQuota
    - group: ''
      kind: LimitRange
  ...

Allowing ArgoCD to Sync Certain Cluster-Wide Resources#

To allow tenants to sync the Environment cluster-scoped resource, administrators can specify this resource in the allow-list section of the ArgoCD configuration in the IntegrationConfig's spec (`group` must be the resource's API group; for a CRD-backed kind use the CRD's group rather than `""`):

apiVersion: tenantoperator.stakater.com/v1beta1
kind: IntegrationConfig
metadata:
  name: tenant-operator-config
  namespace: multi-tenant-operator
spec:
  ...
  integrations:
    argocd:
      namespace: openshift-operators
      clusterResourceWhitelist:
        - group: ""
          kind: Environment
  ...

With this configuration, ArgoCD will sync these cluster-scoped resources if they are added to any tenant's project directory in GitOps; any cluster-scoped kind not on the list is still refused. The generated AppProject includes the allow-listed resources:

apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: tenant-sample
  namespace: openshift-operators
spec:
  ...
  clusterResourceWhitelist:
  - group: ""
    kind: Environment
  ...

Overriding NamespaceResourceBlacklist and/or ClusterResourceWhitelist Per Tenant#

To override the namespaceResourceBlacklist and/or clusterResourceWhitelist set via the IntegrationConfig for a specific tenant, administrators can specify these in the argoCD section of that tenant's Extensions CR:

apiVersion: tenantoperator.stakater.com/v1alpha1
kind: Extensions
metadata:
  name: extensions-blue-sky
spec:
  tenantName: blue-sky
  argoCD:
    onDeletePurgeAppProject: true
    appProject:
      sourceRepos:
        - "github.com/stakater/repo"
      clusterResourceWhitelist:
        - group: ""
          kind: "Pod"
      namespaceResourceBlacklist:
        - group: ""
          kind: "ConfigMap"

Lists set here take precedence over the cluster-wide ones for this tenant only. After applying the CR, inspect the generated AppProject (`oc get appproject blue-sky -n openshift-operators -o yaml`) to confirm the effective lists, in particular that any cluster-wide blacklist entries you still want enforced for this tenant are present.
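As an added example (not MTO or ArgoCD code), the script below computes the lists a tenant's AppProject ends up with and then decides, the way ArgoCD's project filtering does, whether a given resource in that tenant's GitOps directory may sync. It assumes that a list set in the Extensions CR replaces the cluster-wide list outright, which is how the word "override" above reads; confirm this against the generated AppProject before relying on it. The inputs are constructed from the IntegrationConfig and Extensions snippets on this page, the wildcard handling is simplified to a bare `*` (ArgoCD also accepts glob patterns), and only the two lists this page configures are modelled.

```python
"""Effective AppProject resource lists for a tenant and the resulting sync decision."""

# Constructed from the IntegrationConfig snippets above (not read from a cluster).
INTEGRATION_CONFIG_ARGOCD = {
    "namespaceResourceBlacklist": [{"group": "", "kind": "ResourceQuota"},
                                   {"group": "", "kind": "LimitRange"}],
    "clusterResourceWhitelist": [{"group": "", "kind": "Environment"}],
}

# Constructed from the extensions-blue-sky snippet above.
EXTENSIONS_BLUE_SKY = {
    "namespaceResourceBlacklist": [{"group": "", "kind": "ConfigMap"}],
    "clusterResourceWhitelist": [{"group": "", "kind": "Pod"}],
}


def effective_lists(cluster_defaults, tenant_override=None):
    """Assumption: a list present in the tenant's Extensions CR replaces the cluster-wide
    list of the same name; the two are not merged. A tenant that lists only ConfigMap
    therefore loses the cluster-wide ResourceQuota/LimitRange entries unless it repeats them."""
    tenant_override = tenant_override or {}
    effective = {}
    for key in ("namespaceResourceBlacklist", "clusterResourceWhitelist"):
        chosen = tenant_override.get(key)
        effective[key] = list(chosen if chosen is not None else cluster_defaults.get(key, []))
    return effective


def _matches(entries, group, kind):
    # Simplified matcher: exact group/kind or a bare '*' wildcard on either field.
    return any(e["group"] in ("*", group) and e["kind"] in ("*", kind) for e in entries)


def sync_permitted(lists, group, kind, namespaced):
    """Namespaced kinds sync unless blacklisted; cluster-scoped kinds sync only if whitelisted.
    group is the API group ('' for core kinds), never the version."""
    if namespaced:
        return not _matches(lists["namespaceResourceBlacklist"], group, kind)
    return _matches(lists["clusterResourceWhitelist"], group, kind)


def explain(lists, manifests):
    """manifests: (group, kind, namespaced) triples describing a tenant's GitOps directory.
    Returns {'<group or core>/<Kind>': permitted} for each."""
    return {f"{g or 'core'}/{k}": sync_permitted(lists, g, k, ns) for g, k, ns in manifests}


if __name__ == "__main__":
    # Constructed contents of a tenant's GitOps directory.
    manifests = [("", "ConfigMap", True), ("", "ResourceQuota", True),
                 ("", "Environment", False), ("rbac.authorization.k8s.io", "ClusterRole", False)]
    print("cluster defaults:", explain(effective_lists(INTEGRATION_CONFIG_ARGOCD), manifests))
    print("blue-sky override:", explain(effective_lists(INTEGRATION_CONFIG_ARGOCD, EXTENSIONS_BLUE_SKY), manifests))
```

Under the replace assumption, the blue-sky tenant can no longer sync ConfigMaps but regains the ability to sync ResourceQuota and LimitRange, and loses Environment from its allow-list; that is the outcome to look for when you inspect the generated AppProject.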