Within ArgoCD, the App Project, aka Project, is the container for controlling permissions around Applications deploying resources into the cluster. Configuring it correctly leads to a robust, secure deployment environment for practicing GitOps successfully. Misconfiguring it leads to frustrated engineers unable to deploy services.
Part 1 – Repositories
Source vs Scoped Repositories
The descriptions for both of these read the same:
Git repositories where application manifests are permitted to be retrieved from
But they do function differently.
Source repositories are the Git repositories which this Project may read. For example, if I shorthand my GitLab hostname to g.cth.com:
https://but will not allow
https://will only allow
https://, but not any other projects
https://and any other project in the group, but not any other groups
https://will allow any group beneath
https://, and any project in any of those groups
https://will not allow any group beneath
https://, but only those two groups deep
https://will allow any group or sub group beneath
https://and any project
Unfortunately, you can create Repositories for a Project which do not match the source repositories configuration.
Scoped repositories are the Git repositories currently assigned to this Project. These come directly from ArgoCD Repositories. If a scoped repository does not match a source repository, applications using it are rejected with an error such as:
application spec is invalid: InvalidSpecError: application repo https://gitlab.clearthehaze.com/examples/hello-world.git is not permitted in project 'example-project'
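A pre-flight check for the mismatch described above, as an added example (not ArgoCD's own code). It approximates segment-aware glob matching for source repository patterns, where a single "*" stays within one path segment and "**" crosses "/". The project patterns and the "platform" group are constructed, and URL normalization is simplified to lowercasing and dropping a trailing ".git".

```python
import re


def normalize(url: str) -> str:
    """Simplified normalization (assumption): lowercase, drop trailing '/' and '.git'."""
    url = url.strip().lower().rstrip("/")
    return url[:-4] if url.endswith(".git") else url


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a pattern: '**' may cross '/', a single '*' may not."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")


def is_permitted(repo_url: str, source_repos: list[str]) -> bool:
    """True when at least one source repository pattern matches the URL."""
    url = normalize(repo_url)
    for pattern in source_repos:
        # A bare '*' is treated as "allow everything".
        if pattern == "*" or glob_to_regex(normalize(pattern)).match(url):
            return True
    return False


def unmatched(scoped_repos: list[str], source_repos: list[str]) -> list[str]:
    """Scoped repositories that no source repository pattern would permit."""
    return [r for r in scoped_repos if not is_permitted(r, source_repos)]


# Constructed sample: the project only permits projects directly in 'platform'.
SOURCE_REPOS = ["https://gitlab.clearthehaze.com/platform/*"]
SCOPED_REPOS = [
    "https://gitlab.clearthehaze.com/platform/api.git",
    "https://gitlab.clearthehaze.com/examples/hello-world.git",
]

if __name__ == "__main__":
    for repo in unmatched(SCOPED_REPOS, SOURCE_REPOS):
        print(f"scoped repo not covered by source repositories: {repo}")
```

Running it against the constructed sample reports the hello-world repository, the same one named in the error above.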
Part 2 – Restrictions and Allowance
Destinations let you control where resources deployed within this Project may go. This may mean limiting it to a test cluster, or limiting resources to a specific namespace. In my example, I am limiting deployment to the current Kubernetes cluster and only to the namespace
Allow and Deny Lists
The next four settings allow you to configure what types of resources are either allowed (limiting anything else) or denied (allowing everything else). This may be applied across the cluster or to specific namespaces. For example, to restrict deploying roles, click the edit button and select Roles in the dropdown for the Kind. Then click Save.
In the example shown above, I’ve also limited access to modifying the ResourceQuota and LimitRange within the namespace. This prevents any application from messing with resource restrictions placed on the namespace.
Summary of the Project
The Project is an important component of utilizing ArgoCD. I hope you’ll find this helpful as you embark on applying GitOps!