@dkarpele dkarpele commented Nov 19, 2025

Closes #1341
Closes #1343 - wrong target file name was created because of missing argocd-namespace flag when using controller namespace different from ArgoCD ns.
Closes #1338 - duplicates #1343

Summary by CodeRabbit

  • New Features

    • Deploy Image Updater to a configurable Kubernetes namespace; CLI flag now defaults from ARGOCD_NAMESPACE.
    • Resources and RBAC updated to operate in the chosen Argo CD namespace instead of a fixed system namespace.
  • Documentation

    • Expanded installation guide with two install options and cross-namespace RBAC instructions.
  • Chores

    • Deployment and undeploy tooling updated to honor the configurable namespace.
  • Tests

    • Tests updated to expect environment-based default for the namespace flag.


coderabbitai bot commented Nov 19, 2025

Walkthrough

Controller and manifests made namespace-agnostic: CLI default for --argocd-namespace now reads ARGOCD_NAMESPACE; many manifests and RBAC removed hardcoded argocd-image-updater-system namespaces or switched subjects to argocd; Makefile adds IMAGE_UPDATER_CONTROLLER_NAMESPACE and docs updated for multi-namespace installs.

Changes

| Cohort | File(s) | Change Summary |
|---|---|---|
| Build / Makefile | Makefile | Added IMAGE_UPDATER_CONTROLLER_NAMESPACE (default argocd) and used it for deploy/undeploy kubectl -n invocations (preserve --ignore-not-found on delete). |
| Controller startup & tests | cmd/run.go, cmd/run_test.go | --argocd-namespace flag default now sourced from env.GetStringVal("ARGOCD_NAMESPACE", ""); startup log uses structured logFields (app, loglevel, interval, healthPort) and conditionally appends argocdNamespace; tests updated for env-based default. |
| Webhook command & tests | cmd/webhook.go, cmd/webhook_test.go | --argocd-namespace flag default changed to env.GetStringVal("ARGOCD_NAMESPACE", ""); tests aligned. |
| Kustomize / default manifests | config/default/kustomization.yaml, config/default/metrics_service.yaml | Removed explicit namespace entries (kustomization and Service) so resources are not bound to argocd-image-updater-system. |
| Install manifests | config/install.yaml | Removed many explicit namespace fields across resources; adjusted ClusterRoleBinding subjects to reference argocd where applicable; added ARGOCD_NAMESPACE env var to the controller Deployment (sourced from ConfigMap, optional). |
| Manager deployment | config/manager/manager.yaml | Replaced Namespace resource with Deployment, removed metadata.namespace from Deployment, added ARGOCD_NAMESPACE env var from ConfigMap, preserved existing interval env var wiring. |
| Network policy & monitoring | config/network-policy/allow-metrics-traffic.yaml, config/prometheus/monitor.yaml | Removed metadata.namespace from NetworkPolicy; updated ServiceMonitor metadata.namespace from system to argocd. |
| RBAC: ServiceAccount & Bindings | config/rbac/service_account.yaml, config/rbac/role_binding.yaml, config/rbac/leader_election_role_binding.yaml, config/rbac/metrics_auth_role_binding.yaml, config/rbac/metrics_reader_role_binding.yaml | Removed hardcoded ServiceAccount namespace or changed subjects to argocd; made RoleBinding subject namespaces implicit (inherit binding namespace) or explicit argocd as appropriate. |
| Docs | docs/install/installation.md, docs/install/cmd/run.md | Installation docs rewritten to present namespace options, documented ARGOCD_NAMESPACE/argocd.namespace usage, cross-namespace RBAC steps, and updated CLI flag docs (--argocd-namespace long form and env fallback). |

Sequence Diagram(s)

sequenceDiagram
  participant Env as Deployment / OS Env
  participant Controller as Image Updater Controller
  participant ConfigMap as argocd-image-updater-config (optional)
  Note over Env,ConfigMap: Deployment may set ARGOCD_NAMESPACE from ConfigMap
  Env->>Controller: provide ARGOCD_NAMESPACE
  Controller->>Controller: env.GetStringVal("ARGOCD_NAMESPACE","")
  alt ARGOCD_NAMESPACE present
    Controller->>Controller: set flag default --argocd-namespace
  else
    Controller->>Controller: --argocd-namespace default = ""
  end
  Controller->>Controller: build structured logFields (app, loglevel, interval, healthPort)
  alt argocdNamespace non-empty
    Controller->>Controller: append argocdNamespace to startup log
  end
  Controller->>Kubernetes: initialize RBAC / metrics / webhook using applied namespace context

Pre-merge checks

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Linked Issues check | ⚠️ Warning | The PR addresses #1341 (cross-namespace git:repocreds access) by enabling namespace-aware configuration via environment variables and CLI flags. Issues #1338 and #1343 appear unrelated to namespace configuration and are not addressed by these changes. | Address the Helm filename generation issue (#1343) and investigate the dry-run behavior (#1338), or clarify why these issues are included in this PR's closure list. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title accurately describes the main change: installing Image Updater into the argocd namespace by default, which aligns with the comprehensive changes across Makefile, configuration files, and documentation. |
| Out of Scope Changes check | ✅ Passed | All changes are directly aligned with enabling namespace-aware deployment: Makefile variables, environment variable support, flag updates, RBAC adjustments, and comprehensive documentation updates for the new namespace configuration approach. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


codecov-commenter commented Nov 19, 2025

Codecov Report

❌ Patch coverage is 28.57143% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.77%. Comparing base (005a7bc) to head (483236e).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| cmd/run.go | 16.66% | 5 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1356      +/-   ##
==========================================
- Coverage   70.80%   70.77%   -0.04%     
==========================================
  Files          49       49              
  Lines        4528     4530       +2     
==========================================
  Hits         3206     3206              
- Misses       1125     1127       +2     
  Partials      197      197              


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (3)
config/manager/manager.yaml (1)

52-66: Manager deployment ARGOCD_NAMESPACE wiring and pull policy look reasonable

  • Injecting ARGOCD_NAMESPACE from argocd-image-updater-config (argocd.namespace, optional) matches the pattern used in config/install.yaml and gives a clean knob for cross-namespace setups.
  • Explicit imagePullPolicy: IfNotPresent is fine for this kustomize/manager manifest, even with a :latest tag, since production installs rely on config/install.yaml.

No functional issues spotted here.

If you want stricter “always refresh latest” behavior even in dev, you could leave the pull policy implicit so Kubernetes defaults to Always for :latest, but that’s purely a workflow preference.

docs/install/installation.md (1)

9-89: Namespace & RBAC docs clearly address same‑namespace and cross‑namespace setups, with minor flow nits

The new “Choosing an installation namespace” section does a good job of:

  • Making the default argocd-namespace assumption explicit.
  • Calling out that ClusterRoleBinding subjects[].namespace must be adjusted when Argo CD or the updater runs outside argocd.
  • Documenting the cross-namespace Role/RoleBinding needed for repo creds (secrets, configmaps, get/list/watch), which lines up with the controller’s needs.

Two small polish opportunities you might consider:

  1. Option 2 install flow – Step 1 applies the remote install.yaml directly, and Step 3 later tells the user to download and modify that same manifest to fix the ClusterRoleBinding subjects. To avoid a transient misconfigured state and potential confusion, you could recommend:

    • “Download install.yaml, update the subjects[].namespace in all ClusterRoleBindings to <updater_namespace>, then kubectl apply -n <updater_namespace> -f install.yaml,” instead of applying the unedited remote first.
  2. ARGOCD_NAMESPACE example – The snippet shows adding ARGOCD_NAMESPACE via a literal value: <argocd_namespace>, while the shipped manifests use a configMapKeyRef (argocd-image-updater-config / argocd.namespace). Both are correct, but a short note that you can either set a literal value or configure the argocd.namespace key in the argocd-image-updater-config ConfigMap would make it clearer how this ties back to the manifests.

These are documentation refinements only; the technical guidance is sound.

config/install.yaml (1)

821-835: Controller ARGOCD_NAMESPACE env from ConfigMap cleanly enables cross‑namespace setups

Injecting ARGOCD_NAMESPACE from argocd-image-updater-config (argocd.namespace, optional) gives a central, declarative knob to point the controller at the Argo CD namespace without relying solely on CLI flags. It also keeps the default behavior unchanged when the key is absent (env empty → same-namespace assumptions).

This is consistent with cmd flag defaults and with the manager manifest.

You might later document the argocd.namespace key explicitly alongside the ARGOCD_NAMESPACE/--argocd-namespace options so users see all three configuration paths in one place.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 005a7bc and 6aade29.

📒 Files selected for processing (18)
  • Makefile (2 hunks)
  • cmd/run.go (2 hunks)
  • cmd/run_test.go (1 hunks)
  • cmd/webhook.go (1 hunks)
  • cmd/webhook_test.go (1 hunks)
  • config/default/kustomization.yaml (1 hunks)
  • config/default/metrics_service.yaml (0 hunks)
  • config/install.yaml (4 hunks)
  • config/manager/manager.yaml (1 hunks)
  • config/network-policy/allow-metrics-traffic.yaml (0 hunks)
  • config/prometheus/monitor.yaml (1 hunks)
  • config/rbac/leader_election_role_binding.yaml (0 hunks)
  • config/rbac/metrics_auth_role_binding.yaml (1 hunks)
  • config/rbac/metrics_reader_role_binding.yaml (1 hunks)
  • config/rbac/role_binding.yaml (1 hunks)
  • config/rbac/service_account.yaml (0 hunks)
  • docs/install/cmd/run.md (1 hunks)
  • docs/install/installation.md (1 hunks)
💤 Files with no reviewable changes (4)
  • config/network-policy/allow-metrics-traffic.yaml
  • config/rbac/service_account.yaml
  • config/default/metrics_service.yaml
  • config/rbac/leader_election_role_binding.yaml
🧰 Additional context used
🧬 Code graph analysis (4)
cmd/run_test.go (1)
registry-scanner/pkg/env/env.go (1)
  • GetStringVal (31-37)
cmd/webhook_test.go (1)
registry-scanner/pkg/env/env.go (1)
  • GetStringVal (31-37)
cmd/webhook.go (1)
registry-scanner/pkg/env/env.go (1)
  • GetStringVal (31-37)
cmd/run.go (3)
pkg/version/version.go (2)
  • BinaryName (20-22)
  • Version (15-18)
pkg/argocd/util.go (1)
  • GetPrintableInterval (11-17)
registry-scanner/pkg/env/env.go (1)
  • GetStringVal (31-37)
🪛 LanguageTool
docs/install/cmd/run.md

[style] ~17-~17: To form a complete sentence, be sure to include a subject.
Context: ...amespace the controller is running in. Can also be set with the ARGOCD_NAMESPACE...

(MISSING_IT_THERE)

docs/install/installation.md

[style] ~58-~58: Consider a more expressive alternative.
Context: ...talled (<updater_namespace>). To do this, download install.yaml and manua...

(DO_ACHIEVE)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Ensure registry-scanner Go modules synchronicity and run tests
  • GitHub Check: Analyze (go)
  • GitHub Check: Ensure unit tests are passing
  • GitHub Check: Ensure code is correctly linted
  • GitHub Check: build_image
🔇 Additional comments (15)
config/default/kustomization.yaml (1)

2-2: LGTM! Namespace configuration now deferred to deployment time.

Commenting out the namespace field enables flexible namespace selection at deployment. This aligns with the Makefile changes that now specify the namespace via IMAGE_UPDATER_CONTROLLER_NAMESPACE and the kubectl -n flag.

config/rbac/role_binding.yaml (1)

15-15: LGTM! ServiceAccount namespace updated to match new default.

The namespace change from argocd-image-updater-system to argocd aligns the ClusterRoleBinding subject with the new default installation namespace.

cmd/webhook.go (1)

77-77: LGTM! Environment-based default for ArgoCD namespace.

The flag default now sources from the ARGOCD_NAMESPACE environment variable, enabling flexible namespace configuration for multi-namespace deployments. This change is consistent with the corresponding update in cmd/run.go.

docs/install/cmd/run.md (1)

13-18: LGTM! Documentation accurately reflects environment-based namespace configuration.

The updated flag documentation clearly explains:

  • When the flag is required (cross-namespace deployments)
  • Default behavior (controller's namespace)
  • Environment variable alternative (ARGOCD_NAMESPACE)

The static analysis hint about sentence structure can be safely ignored as the fragment format is acceptable and clear in documentation context.

Makefile (3)

1-1: LGTM! New namespace variable enables flexible deployment configuration.

The IMAGE_UPDATER_CONTROLLER_NAMESPACE variable defaults to argocd but allows override via environment or command-line, supporting both standard and custom namespace deployments.


200-200: LGTM! Deploy target now respects namespace configuration.

Adding the -n ${IMAGE_UPDATER_CONTROLLER_NAMESPACE} flag ensures resources are deployed to the specified namespace, working in tandem with the commented-out namespace in config/default/kustomization.yaml.


204-204: LGTM! Undeploy target mirrors deploy namespace configuration.

The namespace flag ensures cleanup occurs in the correct namespace, maintaining consistency with the deploy target.

cmd/run.go (2)

102-111: LGTM! Improved structured logging with conditional namespace field.

The refactored startup logging uses a slice-based approach and only logs the argocdNamespace when explicitly set, avoiding noise from empty values. This provides cleaner, more informative logs.


292-292: LGTM! Environment-based default for ArgoCD namespace flag.

The flag default now sources from the ARGOCD_NAMESPACE environment variable, consistent with the webhook command and supporting flexible multi-namespace deployments.

config/rbac/metrics_auth_role_binding.yaml (1)

12-12: LGTM! ServiceAccount namespace updated for metrics authentication.

The namespace change from argocd-image-updater-system to argocd aligns with the new default installation namespace and is consistent with other RBAC binding updates in this PR.

config/rbac/metrics_reader_role_binding.yaml (1)

12-12: LGTM! ServiceAccount namespace updated for metrics reader role.

The namespace change from argocd-image-updater-system to argocd completes the consistent namespace migration across all RBAC bindings in this PR.

cmd/run_test.go (1)

44-55: argocd-namespace default assertion now correctly mirrors env-based behavior

Using env.GetStringVal("ARGOCD_NAMESPACE", "") in the assertion keeps the test aligned with the flag’s new default resolution and is consistent with the other env-driven defaults in this test.

config/prometheus/monitor.yaml (1)

4-16: ServiceMonitor namespace aligns with new default install target

Pointing the ServiceMonitor at the argocd namespace matches the new default deployment location for the controller. Users running in a different or dedicated monitoring namespace can still override this manifest as needed.

cmd/webhook_test.go (1)

27-36: Webhook argocd-namespace flag test is consistent with env-based default

Asserting env.GetStringVal("ARGOCD_NAMESPACE", "") for --argocd-namespace is consistent with the controller’s configuration model and other flag defaults in this test.

config/install.yaml (1)

710-751: ClusterRoleBinding subject namespaces correctly moved to argocd, consistent with docs

Binding the argocd-image-updater-controller ServiceAccount in the argocd namespace for the manager and metrics ClusterRoleBindings matches the new default install target and the warning you added in the docs about needing to adjust these when Argo CD/updater are in a different namespace.

This makes the “argocd as default, override by editing subjects[].namespace when needed” behavior explicit in the manifests.

Signed-off-by: dkarpele <karpelevich@gmail.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
config/install.yaml (1)

721-750: Hardcoded argocd namespace in ClusterRoleBindings limits flexibility without manual customization.

The three ClusterRoleBindings (lines 724, 737, 750) specify namespace: argocd in their subjects. This assumes Argo CD runs in the argocd namespace. Users installing into different namespaces must manually edit this file, which is documented in the installation guide but increases operational friction.

Consider either:

  • Parameterizing the namespace for ClusterRoleBindings in a kustomization base
  • Documenting a sed/patch command for automation
  • Providing separate overlay manifests for common namespace variations

This is acceptable as a known limitation if the primary use case is the argocd namespace, but could cause friction for the "Option 2: Install into a separate namespace" flow described in the installation guide.

docs/install/cmd/run.md (1)

13-18: Minor documentation clarity improvement needed.

Lines 15–18 describe the flag's behavior, but a blank line (line 17) separates the default behavior from the environment variable reference. Reformat to improve readability:

~The namespace where Argo CD is running. Required only if the Image Updater runs in a different namespace than Argo CD.
~Defaults to the namespace the controller is running in.
~
~Can also be set with the `ARGOCD_NAMESPACE` environment variable.
+The namespace where Argo CD is running. Required only if the Image Updater runs in a different namespace than Argo CD.
+Defaults to the namespace the controller is running in.
+Can also be set with the `ARGOCD_NAMESPACE` environment variable.
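
Review bot: The suggested `+` text still ends with the subject-less fragment "Can also be set with the `ARGOCD_NAMESPACE` environment variable.", so dropping the blank line alone does not resolve the sentence-structure hint it cites. Reword that line to "It can also be set with the `ARGOCD_NAMESPACE` environment variable."; also confirm in the rendered docs that joining the three lines into one Markdown paragraph is the intended result.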

This improves flow and addresses the static analysis style note about sentence structure.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6aade29 and 273e814.

📒 Files selected for processing (18)
  • Makefile (2 hunks)
  • cmd/run.go (2 hunks)
  • cmd/run_test.go (1 hunks)
  • cmd/webhook.go (1 hunks)
  • cmd/webhook_test.go (1 hunks)
  • config/default/kustomization.yaml (0 hunks)
  • config/default/metrics_service.yaml (0 hunks)
  • config/install.yaml (4 hunks)
  • config/manager/manager.yaml (1 hunks)
  • config/network-policy/allow-metrics-traffic.yaml (0 hunks)
  • config/prometheus/monitor.yaml (1 hunks)
  • config/rbac/leader_election_role_binding.yaml (0 hunks)
  • config/rbac/metrics_auth_role_binding.yaml (1 hunks)
  • config/rbac/metrics_reader_role_binding.yaml (1 hunks)
  • config/rbac/role_binding.yaml (1 hunks)
  • config/rbac/service_account.yaml (0 hunks)
  • docs/install/cmd/run.md (1 hunks)
  • docs/install/installation.md (1 hunks)
💤 Files with no reviewable changes (5)
  • config/rbac/leader_election_role_binding.yaml
  • config/rbac/service_account.yaml
  • config/network-policy/allow-metrics-traffic.yaml
  • config/default/kustomization.yaml
  • config/default/metrics_service.yaml
🚧 Files skipped from review as they are similar to previous changes (10)
  • cmd/run.go
  • cmd/run_test.go
  • config/rbac/role_binding.yaml
  • config/rbac/metrics_auth_role_binding.yaml
  • config/manager/manager.yaml
  • Makefile
  • cmd/webhook_test.go
  • cmd/webhook.go
  • config/prometheus/monitor.yaml
  • config/rbac/metrics_reader_role_binding.yaml
🧰 Additional context used
🪛 LanguageTool
docs/install/installation.md

[style] ~58-~58: Consider a more expressive alternative.
Context: ...talled (<updater_namespace>). To do this, download install.yaml and manua...

(DO_ACHIEVE)

docs/install/cmd/run.md

[style] ~17-~17: To form a complete sentence, be sure to include a subject.
Context: ...amespace the controller is running in. Can also be set with the ARGOCD_NAMESPACE...

(MISSING_IT_THERE)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Ensure registry-scanner Go modules synchronicity and run tests
  • GitHub Check: Ensure unit tests are passing
  • GitHub Check: Ensure code is correctly linted
  • GitHub Check: Analyze (go)
  • GitHub Check: build_image
🔇 Additional comments (3)
config/install.yaml (1)

821-826: ARGOCD_NAMESPACE environment variable correctly configured with optional override.

The ARGOCD_NAMESPACE environment variable is sourced from a ConfigMap key (argocd.namespace) with optional: true, allowing users to override the default behavior via configuration. This aligns with PR objective to support multi-namespace deployments.

Verify in downstream code (e.g., cmd/run.go) that an empty or missing environment variable correctly defaults to the controller's own namespace, as documented.

docs/install/installation.md (2)

9-25: Installation namespace guidance is clear and well-structured.

The two-option approach (recommended argocd namespace vs. separate namespace) provides good guidance. The warning (line 23–24) about manually updating ClusterRoleBinding namespaces correctly documents the limitation of hardcoded manifests. Option 1 follows best practices by minimizing configuration overhead.


26-89: Multi-namespace installation instructions are comprehensive and well-documented.

The four-step Option 2 flow covers:

  1. Namespace creation and manifest deployment
  2. ARGOCD_NAMESPACE configuration (environment variable or CLI flag)
  3. ClusterRoleBinding namespace adjustment
  4. Cross-namespace RBAC setup in the Argo CD namespace

The cross-namespace Role/RoleBinding example (lines 66–89) correctly grants the required permissions (get, list, watch on secrets and configmaps) to access Argo CD resources from the updater namespace. This directly addresses PR issue #1341.
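
The precedence these reviews describe (the `--argocd-namespace` flag, then `ARGOCD_NAMESPACE`, then the controller's own namespace) can be pinned down in code. The following Go program is an added example, not the project's `cmd/run.go`: it uses the standard `flag` package and a local `getStringVal` stand-in, and it assumes the own namespace is read from the pod's ServiceAccount namespace file; the name validation is also an addition.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"os"
	"regexp"
	"strings"
)

// Standard in-pod location of the ServiceAccount namespace file.
const saNamespaceFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"

// Kubernetes namespace names are RFC 1123 labels of at most 63 characters.
var nsLabel = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)

// getStringVal is a local stand-in for the env.GetStringVal(name, default)
// call quoted in the review; it is not the project's implementation.
func getStringVal(getenv func(string) string, name, def string) string {
	if v := getenv(name); v != "" {
		return v
	}
	return def
}

// podNamespace returns the namespace the process itself runs in (assumed mechanism).
func podNamespace() (string, error) {
	b, err := os.ReadFile(saNamespaceFile)
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(b)), nil
}

// resolveArgoCDNamespace applies flag > ARGOCD_NAMESPACE > own namespace and
// returns the namespace plus the source that supplied it.
func resolveArgoCDNamespace(args []string, getenv func(string) string,
	ownNS func() (string, error)) (string, string, error) {
	fs := flag.NewFlagSet("run", flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	nsFlag := fs.String("argocd-namespace",
		getStringVal(getenv, "ARGOCD_NAMESPACE", ""), "namespace where Argo CD is running")
	if err := fs.Parse(args); err != nil {
		return "", "", err
	}
	ns, source := strings.TrimSpace(*nsFlag), "env"
	fs.Visit(func(f *flag.Flag) { // Visit only sees flags set on the command line
		if f.Name == "argocd-namespace" {
			source = "flag"
		}
	})
	if ns == "" { // nothing configured: same-namespace install
		var err error
		if ns, err = ownNS(); err != nil {
			return "", "", fmt.Errorf("cannot determine own namespace: %w", err)
		}
		source = "own-namespace"
	}
	// Reject malformed values before they reach any API call or log line.
	if len(ns) > 63 || !nsLabel.MatchString(ns) {
		return "", "", fmt.Errorf("invalid namespace %q (source: %s)", ns, source)
	}
	return ns, source, nil
}

func main() {
	ns, source, err := resolveArgoCDNamespace(os.Args[1:], os.Getenv, podNamespace)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("Argo CD namespace: %s (from %s)\n", ns, source)
}
```

Logging the source next to the value makes a wrong namespace traceable to the setting that supplied it.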

Signed-off-by: dkarpele <karpelevich@gmail.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
docs/install/installation.md (2)

26-62: Comprehensive multi-step guidance for Option 2.

The separate namespace installation option is well-structured with clear steps. Providing three alternative methods for configuring the Argo CD namespace (environment variable, ConfigMap, or CLI flag at lines 44-61) gives users flexibility. However, it might be helpful to indicate which method is preferred or when to use each, though this is not blocking.

Consider briefly noting which configuration method is preferred for the Argo CD namespace setting (e.g., "environment variables are recommended" or "use ConfigMap for easier runtime changes").


63-68: RBAC adjustment instructions are clear but could use slightly more expressive language.

The instructions for adjusting ClusterRoleBinding are clear and accurate. However, line 67 uses "download install.yaml and manually change" which is flagged by the style checker as potentially benefiting from more expressive wording.

Consider rephrasing line 67 from "download install.yaml and manually change" to something like "download install.yaml, then update" or "download and modify install.yaml to change" for better flow.

As per static analysis hints.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 273e814 and 483236e.

📒 Files selected for processing (1)
  • docs/install/installation.md (1 hunks)
🧰 Additional context used
🪛 LanguageTool
docs/install/installation.md

[style] ~67-~67: Consider a more expressive alternative.
Context: ...talled (<updater_namespace>). To do this, download install.yaml and manua...

(DO_ACHIEVE)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: Ensure registry-scanner Go modules synchronicity and run tests
  • GitHub Check: Ensure code is correctly linted
  • GitHub Check: Ensure unit tests are passing
  • GitHub Check: Analyze (go)
  • GitHub Check: build_image
🔇 Additional comments (2)
docs/install/installation.md (2)

9-25: Clear recommendation and helpful warning for namespace selection.

Option 1 is appropriately marked as the recommended approach and provides the simplest path for users. The warning about manifest assumptions (lines 23-24) is valuable for users with non-default namespaces, ensuring they won't encounter silent failures.


69-98: Cross-namespace RBAC examples are well-documented and comprehensive.

The Role and RoleBinding YAML examples clearly show how to grant the image updater service account read access to secrets and configmaps in the Argo CD namespace. The use of <argocd_namespace> and <updater_namespace> placeholders is consistent and appropriate. The specification of ["get", "list", "watch"] verbs at line 83 correctly aligns with the stated requirements for cross-namespace read permissions.
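
The ClusterRoleBinding `subjects[].namespace` adjustment and the read-only cross-namespace Role/RoleBinding discussed in these reviews can be checked mechanically. The following Go program is an added example, not code from this PR or the project: it audits a constructed JSON list for the `argocd-image-updater-controller` ServiceAccount. The binding and role names and the `image-updater` namespace are made up for the sample, and Roles missing from the input are not checked.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: a Kubernetes List in JSON (the shape `kubectl get ... -o json` prints).
// Object names are made up; the ServiceAccount name is the one the review quotes.
const sampleList = `{"items":[
{"kind":"ClusterRoleBinding","metadata":{"name":"example-manager"},
 "subjects":[{"kind":"ServiceAccount","name":"argocd-image-updater-controller","namespace":"argocd"}]},
{"kind":"ClusterRoleBinding","metadata":{"name":"example-metrics"},
 "subjects":[{"kind":"ServiceAccount","name":"argocd-image-updater-controller","namespace":"image-updater"}]},
{"kind":"Role","metadata":{"name":"example-reader","namespace":"argocd"},
 "rules":[{"resources":["secrets","configmaps"],"verbs":["get","list","watch","update"]}]},
{"kind":"RoleBinding","metadata":{"name":"example-reader","namespace":"argocd"},
 "roleRef":{"kind":"Role","name":"example-reader"},
 "subjects":[{"kind":"ServiceAccount","name":"argocd-image-updater-controller","namespace":"image-updater"}]}
]}`

// object holds the fields this audit reads; encoding/json matches keys case-insensitively.
type object struct {
	Kind     string
	Metadata struct{ Name, Namespace string }
	Subjects []struct{ Kind, Name, Namespace string }
	RoleRef  struct{ Kind, Name string }
	Rules    []struct{ Resources, Verbs []string }
}

// audit returns findings for ServiceAccount sa running in updaterNS with Argo CD in argocdNS.
func audit(raw []byte, sa, updaterNS, argocdNS string) ([]string, error) {
	var list struct{ Items []object }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("decode list: %w", err)
	}
	roles := map[string]object{} // Roles in the Argo CD namespace, by name
	for _, o := range list.Items {
		if o.Kind == "Role" && o.Metadata.Namespace == argocdNS {
			roles[o.Metadata.Name] = o
		}
	}
	out, crossNS := []string{}, false
	for _, o := range list.Items {
		for _, s := range o.Subjects {
			if s.Kind != "ServiceAccount" || s.Name != sa {
				continue
			}
			switch {
			case o.Kind == "ClusterRoleBinding" && s.Namespace != updaterNS:
				// A subject in another namespace grants the running controller nothing.
				out = append(out, fmt.Sprintf("ClusterRoleBinding %s: subject namespace %q, want %q",
					o.Metadata.Name, s.Namespace, updaterNS))
			case o.Kind == "RoleBinding" && o.Metadata.Namespace == argocdNS && s.Namespace == updaterNS:
				crossNS = true
				for _, r := range roles[o.RoleRef.Name].Rules { // access should stay read-only
					for _, v := range r.Verbs {
						if v != "get" && v != "list" && v != "watch" {
							out = append(out, fmt.Sprintf("Role %s: verb %q exceeds get/list/watch", o.RoleRef.Name, v))
						}
					}
				}
			}
		}
	}
	if updaterNS != argocdNS && !crossNS {
		out = append(out, fmt.Sprintf("no RoleBinding in %q grants %s/%s access", argocdNS, updaterNS, sa))
	}
	return out, nil
}

func main() {
	findings, err := audit([]byte(sampleList), "argocd-image-updater-controller", "image-updater", "argocd")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

A ClusterRoleBinding subject left at the default namespace also applies to any ServiceAccount of the same name created there later, which is a second reason to flag it.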
