Support cross-namespace sourceRef in ImageUpdateAutomation #294

Closed
squaremo opened this issue Jan 19, 2022 · 4 comments · Fixed by #299

Comments

@squaremo
Member

For some deployments of Flux, the GitRepository object giving access to a git repo is owned by one team, and the definitions for image updates (ImageRepository, ImagePolicy, and ImageUpdateAutomation) are owned by other teams. There is a strong preference in those cases for keeping the GitRepository in one namespace, and letting teams define automation in their own namespaces -- but to be able to do that, the ImageUpdateAutomation object would need to be able to refer to a GitRepository object in another namespace.

Similar work was done in fluxcd/image-reflector-controller#162, and for more background on similar use cases, see #85.

(I am not going to recapitulate the pros and cons of breaking namespace isolation here -- that ship has sailed.)

@aryan9600
Member

aryan9600 commented Jan 20, 2022

Looking at fluxcd/image-reflector-controller#162, do we want to add similar ACL support or let ImageUpdateAutomation objects in any namespace have access to a GitRepository?

@squaremo
Member Author

> do we want to add similar ACL support or let ImageUpdateAutomation objects in any namespace have access to a GitRepository?

Good question. I would feel more comfortable waiting for accessFrom to be implemented in source controller, then respecting it here.

@stefanprodan
Member

stefanprodan commented Jan 20, 2022

> Good question. I would feel more comfortable waiting for accessFrom to be implemented in source controller, then respecting it here.

ACLs are client-side, as described in fluxcd/flux2#2092; we do have the SC APIs with ACLs released.

@stefanprodan
Member

@squaremo according to fluxcd/flux2#2093, this controller should accept cross-namespace refs as KC and HC do now. Only when that RFC is merged can we add a flag to enforce ACLs.
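The client-side decision discussed in this thread, sketched as an added example that is not part of the thread or of Flux's code: a referring object's namespace is checked against the source's accessFrom list before a cross-namespace sourceRef is honoured. It assumes accessFrom takes the namespaceSelectors/matchLabels form and denies by default when enforced; `enforceACL`, the type names and the sample namespaces are hypothetical.

```go
package main

import "fmt"

// NamespaceSelector and AccessFrom model the accessFrom ACL shape
// (namespaceSelectors with matchLabels); assumed here, not copied from Flux.
type NamespaceSelector struct{ MatchLabels map[string]string }
type AccessFrom struct{ NamespaceSelectors []NamespaceSelector }

// Ref is a sourceRef as written on the referring object; an empty Namespace
// means "same namespace as the referrer".
type Ref struct{ Namespace, Name string }

// allowed reports whether an object in fromNS (whose namespace carries
// fromLabels) may use a source living in ref.Namespace.
// enforceACL is a hypothetical switch standing in for the flag discussed above.
func allowed(ref Ref, fromNS string, fromLabels map[string]string, acl *AccessFrom, enforceACL bool) bool {
	if ref.Namespace == "" || ref.Namespace == fromNS {
		return true // same-namespace references never need an ACL
	}
	if !enforceACL {
		return true // cross-namespace refs accepted unconditionally
	}
	if acl == nil {
		return false // enforcing, and the source owner granted nothing
	}
	for _, sel := range acl.NamespaceSelectors {
		if matches(sel.MatchLabels, fromLabels) {
			return true
		}
	}
	return false
}

// matches is true when every selector label is present with the same value;
// an empty selector therefore matches every namespace.
func matches(want, have map[string]string) bool {
	for k, v := range want {
		if got, ok := have[k]; !ok || got != v {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample: a source in "infra" shared with namespaces labelled team=apps.
	acl := &AccessFrom{NamespaceSelectors: []NamespaceSelector{{MatchLabels: map[string]string{"team": "apps"}}}}
	ref := Ref{Namespace: "infra", Name: "fleet-repo"}
	fmt.Println(allowed(ref, "apps-a", map[string]string{"team": "apps"}, acl, true))
	fmt.Println(allowed(ref, "sandbox", map[string]string{"team": "dev"}, acl, true))
}
```

Because the check runs in the consuming controller, it only protects the source if every controller that resolves the reference applies it; with the switch off, any namespace that can create the referring object can use the source's credentials.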
