namespaceManagement in namespace-scoped ArgoCD (operator v0.17.0) creates tenant RBAC but does not label namespace; cross-namespace Applications not discovered

[aelbarkani]

Summary

I’m trying to use the operator feature named “namespaceManagement” (implemented in #1687 and documented in OpenShift GitOps docs) with upstream argocd-operator.

With a namespace-scoped ArgoCD instance, enabling namespaceManagement creates the expected RBAC in the tenant namespace, but the tenant namespace is not labeled (argocd.argoproj.io/managed-by), and Applications created in that tenant namespace do not appear in the Argo CD UI.

Additionally, the operator logs show errors saying the tenant namespace is “not permitted … based on NamespaceManagement rules”, even though it is listed under the ArgoCD CR’s namespaceManagement.

Environment

• Platform: OpenShift / OLM (Subscription from community-operators)
• argocd-operator: v0.17.0
  • CSV: argocd-operator.v0.17.0
  • image: quay.io/argoprojlabs/argocd-operator@sha256:6a4d487c6d38a6ca5b2d95bbba0886cafdc222d9f55729d618681d84162f5385
• Argo CD version: v3.2.6
• ArgoCD instance:
  • namespace: dwm-argocd-enable-multinamespace
  • name: argocd
  • scope: namespace-scoped
• Tenant namespace: testargocdmulti

Operator install (Subscription)

Subscription (key fields):

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: argocd-operator
  namespace: argocd-operator
spec:
  channel: alpha
  config:
    env:
    - name: DISABLE_DEFAULT_ARGOCD_INSTANCE
      value: "true"
    - name: ALLOW_NAMESPACE_MANAGEMENT_IN_NAMESPACE_SCOPED_INSTANCES
      value: "true"
  installPlanApproval: Manual
  name: argocd-operator
  source: community-operators
  sourceNamespace: openshift-marketplace
status:
  installedCSV: argocd-operator.v0.17.0

ArgoCD CR configuration

ArgoCD CR (key fields):

apiVersion: argoproj.io/v1beta1
kind: ArgoCD
metadata:
  name: argocd
  namespace: dwm-argocd-enable-multinamespace
spec:
  version: v3.2.6
  extraConfig:
    application.namespaces: testargocdmulti
    application.sync.impersonation.enabled: "false"
  namespaceManagement:
  - allowManagedBy: true
    name: testargocdmulti

What I expected

• The operator would label the tenant namespace with argocd.argoproj.io/managed-by (as described in downstream docs), so that a namespace-scoped Argo CD instance can discover/manage Applications in that namespace.
• Applications created in the allowed tenant namespace (testargocdmulti) would appear in the Argo CD UI for the ArgoCD instance in dwm-argocd-enable-multinamespace.

What actually happened

• The operator creates RBAC in the tenant namespace for the Argo CD application-controller and server service accounts (see below).
• The tenant namespace is not labeled with argocd.argoproj.io/managed-by.
• Applications created in the tenant namespace do not appear in the Argo CD UI.

Evidence

Tenant namespace is not labeled

Namespace labels excerpt:

apiVersion: v1
kind: Namespace
metadata:
  name: testargocdmulti
  labels:
    kubernetes.io/metadata.name: testargocdmulti
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/audit-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest

Also, querying for namespaces with argocd.argoproj.io/managed-by returned none.

Tenant namespace RBAC created

RBAC objects created/managed in tenant namespace testargocdmulti:

• Role/RoleBinding: argocd-argocd-application-controller (subject is SA dwm-argocd-enable-multinamespace/argocd-argocd-application-controller)
• Role/RoleBinding: argocd-argocd-server (subject is SA dwm-argocd-enable-multinamespace/argocd-argocd-server)

Example YAML:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: argocd-argocd-application-controller
  namespace: testargocdmulti
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: argocd-argocd-application-controller
  namespace: testargocdmulti
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: argocd-argocd-application-controller
subjects:
- kind: ServiceAccount
  name: argocd-argocd-application-controller
  namespace: dwm-argocd-enable-multinamespace

Argo CD configmap includes application.namespaces

argocd-cm excerpt:

apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-cm
  namespace: dwm-argocd-enable-multinamespace
data:
  application.namespaces: testargocdmulti
  admin.enabled: "false"
  application.instanceLabelKey: argocd.argoproj.io/dwm-argocd-enable-multinamespace-argocd

NamespaceManagement CR exists but logs still error

NamespaceManagement CR found:

apiVersion: argoproj.io/v1beta1
kind: NamespaceManagement
metadata:
  name: ui-team-namespace
  namespace: testargocdmulti
spec:
  managedBy: dwm-argocd-enable-multinamespace
status:
  conditions:
  - type: Reconciled
    status: "True"
    reason: Success

Operator log excerpt:

2026-01-25T21:52:40Z	INFO	controller_argocd	Reconciling NamespaceManagement
2026-01-25T21:52:40Z	INFO	controller_argocd	Skipping NamespaceManagement CR as it targets a different ArgoCD instance	{"namespace": "testargocdmulti"}
2026-01-25T21:52:40Z	ERROR	Reconciler error	{"controller": "argocd", "controllerGroup": "argoproj.io", "controllerKind": "ArgoCD", "ArgoCD": {"name":"argocd","namespace":"dwm-argocd-enable-multinamespace"}, "error": "namespace management errors: Namespace testargocdmulti is not permitted for management by ArgoCD instance dwm-argocd-enable-multinamespace based on NamespaceManagement rules"}

Questions

1. Is ArgoCD spec.namespaceManagement supported in upstream argocd-operator, or is it downstream-only (OpenShift GitOps)? If it is supported upstream, which versions is it expected to work in?

2. Is this feature expected to work for namespace-scoped ArgoCD instances? If yes:

• Is ALLOW_NAMESPACE_MANAGEMENT_IN_NAMESPACE_SCOPED_INSTANCES required and supported upstream?
• What is the expected behavior (namespace labels, generated NamespaceManagement CRs, RBAC, Argo CD config changes)?

3. Should the operator label tenant namespaces with argocd.argoproj.io/managed-by automatically when using ArgoCD spec.namespaceManagement? In my test, RBAC is created but the label is not applied.

4. What is the intended relationship between:

• ArgoCD spec.namespaceManagement (in the ArgoCD CR),
• the NamespaceManagement CRD/kind,
• and Argo CD’s application.namespaces setting?

5. Why would the operator say “Namespace testargocdmulti is not permitted … based on NamespaceManagement rules” even though the tenant namespace is listed in the ArgoCD CR and a NamespaceManagement CR exists in that tenant namespace with managedBy pointing at the ArgoCD namespace?

6. Is there missing upstream documentation for this feature (or is it intentionally undocumented because it’s not supported/complete)?

References

• Upstream PR adding namespaceManagement: Add NamespaceManagement reconciliation #1687
• OpenShift GitOps docs describing namespaceManagement: https://docs.redhat.com/en/documentation/red_hat_openshift_gitops/1.19/html/multitenancy/multitenancy-support-in-gitops#gitops-enable-tenant-namespace-management-with-namespacemanagement_multitenancy-support-in-gitops

[jgwest]

The NamespaceManagement feature does not allow namespace-scoped Argo CD instances to see Applications in other namespaces. The two features are unrelated from each other.

The NamespaceManagement feature allows namespace-scoped Argo CD instances to DEPLOY to other namespaces. This is similar to the managed-by label, but made available without the need to set that label.

Applications created in the allowed tenant namespace (testargocdmulti) would appear in the Argo CD UI for the ArgoCD instance in dwm-argocd-enable-multinamespace.

This is the 'applications in any namespace' feature which is not related to the namespace management feature.

[Mangaal]

This is how we enable app in any namespace https://docs.redhat.com/en/documentation/red_hat_openshift_gitops/1.13/html/argo_cd_applications/managing-apps-in-non-control-plane-namespaces

[svghadi]

@nmirasch - can we confirm the expected behaviour?

What I expected

• The operator would label the tenant namespace with argocd.argoproj.io/managed-by (as described in downstream docs), so that a namespace-scoped Argo CD instance can discover/manage resources of an Applications in that namespace.
• Applications created in the allowed tenant namespace (testargocdmulti) would appear in the Argo CD UI for the ArgoCD instance in dwm-argocd-enable-multinamespace. The cross namespace application deployment is not supported by this feature. You need to use Apps in any namespace as pointed out by Jonathan. We can instead confirm if the application resources are deployed as expected in the new namespace. If this is working as expected, there is no code fix required.

[nmirasch]

@svghadi, For the first expectation, PR #2120 ensures the operator sets argocd.argoproj.io/managed-by= on allowed tenant namespaces and keeps tenant RBAC and cleanup consistent with that ownership model. Before the fix, tenant RBAC could exist without the label which breaks the documented managed tenant namespace behaviour, that is what the PR corrects.

For cross-namespace Application CRs / UI, as Jonathan noted, namespaceManagement alone does not provide “create Application resources only in the tenant namespace and have them behave like a full Apps in any namespace setup (listing/reconcile as if they lived in the Argo CD namespace).” That requires Apps in any namespace and the usual configuration. The namespaceManagement fix does not change or replace that second expectation.