Description
Summary
What change you think needs making.
When executing a sync of an application with the create-namespace flag, Argo CD first validates whether all resources can/need to be created. I think it would be better if Argo CD created the namespace first and then did the validation for the resources.
Motivation
If someone is using RoleBindings for granting permissions to specific namespaces, and these RoleBindings are automatically created when the namespace is created, then Argo CD would fail because it has no permissions in the namespace:
Example error:
error when retrieving current configuration of: Resource: "/v1, Resource=services", GroupVersionKind: "/v1, Kind=Service" Name: "nickapp", Namespace: "nicktenant-testapp" from server for: "/dev/shm/3151028562": services "nickapp" is forbidden: User "system:serviceaccount:serviceaccounts:nicktenant" cannot get resource "services" in API group "" in the namespace "nicktenant-testapp"
If one created the namespace first and then tried to apply the resources to this namespace, there would be one issue.
Good to know:
- Clastix Capsule uses this create-role-on-namespace-creation construction
- the example uses the impersonation functionality of Argo CD, where Argo CD impersonates a tenant in the cluster
Proposal
How do you think this should be implemented?
Change the order in which events are handled during a sync. Do the namespace creation first and then focus on the resources that should land in the namespace.
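To make the ordering dependency concrete, here is an added Go model of the two sync orders discussed in this issue. It is not Argo CD or gitops-engine code: the fake cluster, the `Resource` type and the `SyncValidateFirst`/`SyncNamespaceFirst` functions are assumptions built for illustration. The fake cluster only grants the impersonated tenant access to a namespace once that namespace exists (the Capsule-style pattern from the motivation), so validating a namespaced resource before the namespace is created yields the same "forbidden" failure as the error above, while creating the namespace first succeeds. It also goes slightly beyond the issue by moving any Namespace manifests inside the Application ahead of the namespaced resources, regardless of their order in the list.

```go
package main

import (
	"fmt"
	"sort"
)

// Resource is a minimal stand-in for one manifest in an Argo CD Application.
// Cluster-scoped kinds such as Namespace leave Namespace empty.
type Resource struct {
	Kind      string
	Name      string
	Namespace string
}

// fakeCluster models the tenant setup from the issue (constructed for this
// example): a namespace either exists or not, and the impersonated tenant
// service account only gets a RoleBinding in a namespace once that namespace
// has been created, so any GET in a not-yet-created namespace is forbidden.
type fakeCluster struct {
	tenant     string
	namespaces map[string]bool
}

func newFakeCluster(tenant string) *fakeCluster {
	return &fakeCluster{tenant: tenant, namespaces: map[string]bool{}}
}

// createNamespace creates the namespace (idempotent). In the modelled setup the
// namespace operator creates the tenant's RoleBinding at the same time.
func (c *fakeCluster) createNamespace(name string) {
	c.namespaces[name] = true
}

// validate mimics the "retrieve current configuration" dry-run step that the
// error message in the issue comes from.
func (c *fakeCluster) validate(r Resource) error {
	if r.Namespace == "" {
		return nil // cluster-scoped: no namespace-level permission to check here
	}
	if !c.namespaces[r.Namespace] {
		return fmt.Errorf("%s %q is forbidden: User %q cannot get resource %q in the namespace %q",
			r.Kind, r.Name, c.tenant, r.Kind, r.Namespace)
	}
	return nil
}

// SyncValidateFirst reproduces the order the issue describes: validate every
// resource, then create the target namespace.
func SyncValidateFirst(c *fakeCluster, targetNS string, resources []Resource) error {
	for _, r := range resources {
		if err := c.validate(r); err != nil {
			return err
		}
	}
	c.createNamespace(targetNS)
	return nil
}

// SyncNamespaceFirst is the proposed order: create the target namespace (and any
// Namespace manifests in the Application) before validating namespaced resources.
func SyncNamespaceFirst(c *fakeCluster, targetNS string, resources []Resource) error {
	ordered := append([]Resource(nil), resources...)
	// Stable partition: Namespace manifests first, everything else keeps its order.
	sort.SliceStable(ordered, func(i, j int) bool {
		return ordered[i].Kind == "Namespace" && ordered[j].Kind != "Namespace"
	})
	c.createNamespace(targetNS)
	for _, r := range ordered {
		if r.Kind == "Namespace" {
			c.createNamespace(r.Name)
			continue
		}
		if err := c.validate(r); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed inputs using the names from the issue's error message.
	tenant := "system:serviceaccount:serviceaccounts:nicktenant"
	app := []Resource{{Kind: "Service", Name: "nickapp", Namespace: "nicktenant-testapp"}}

	fmt.Println("validate first:  ", SyncValidateFirst(newFakeCluster(tenant), "nicktenant-testapp", app))
	fmt.Println("namespace first: ", SyncNamespaceFirst(newFakeCluster(tenant), "nicktenant-testapp", app))
}
```

Running it prints the forbidden error for the validate-first order and `<nil>` for the namespace-first order. The model deliberately ignores sync waves and hooks; its only point is that a permission granted on namespace creation cannot be satisfied by a validation step that runs before that creation.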