Summary
The Argo CD Project permissions "namespaceResourceWhitelist" affects all the possible namespaces allowed in the project destination. We want to narrow down the scope to selected namespaces only if specified.
Motivation
We have different teams, and for each, we configure Projects similar to the ones below:
Where certain namespaces are considered system ones by us and we don't want to give our teams access to them. However, we want to allow them to configure single objects in them, like CRDs, to allow them to consume the services running in them.
Proposal
The proposal would be to extend the existing namespaceResourceWhitelist permission option to allow listed objects to be created in selected namespaces if specified. Example:
# Deny all namespace-scoped resources in namespace velero from being created, except for Backup and BackupStorageLocation.
namespaceResourceWhitelist:
- group: 'velero.io'
  kind: Backup
  namespace: velero
- group: 'velero.io'
  kind: BackupStorageLocation
  namespace: velero
That would require a change in the Argo CD Projects permissions engine. If a namespace is not listed, it should follow existing rules and apply to all allowed namespaces.
If the namespace is listed under namespaceResourceWhitelist but blacklisted in the destination namespace, the one in namespaceResourceWhitelist should have precedence and allow selected objects to be created.
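The precedence rules proposed above, sketched as an added Go example (not code from Argo CD or from the issue author). The `Entry.Namespace` field is the proposed addition, and the `Project` type with exact-name allow and deny sets is a simplified, hypothetical stand-in for project destinations. It assumes an entry with a namespace applies only to that namespace, and that an empty list of unscoped entries permits every kind.

```go
package main

import "fmt"

// Entry is one whitelist item; Namespace is the field the issue proposes.
type Entry struct{ Group, Kind, Namespace string }

// Project is a simplified, hypothetical AppProject with exact-name namespaces.
type Project struct {
	AllowedNS, DeniedNS map[string]bool
	Whitelist           []Entry
}

// Permitted applies the precedence described in the proposal.
func (p Project) Permitted(group, kind, ns string) bool {
	unscoped, unscopedMatch := 0, false
	for _, e := range p.Whitelist {
		match := e.Group == group && e.Kind == kind
		if e.Namespace != "" {
			// Scoped entry: wins even if the destination denies this namespace.
			if match && e.Namespace == ns {
				return true
			}
			continue
		}
		unscoped++
		unscopedMatch = unscopedMatch || match
	}
	// No scoped match, so existing rules apply: the namespace must be an
	// allowed destination and a non-empty unscoped list must name the kind.
	if p.DeniedNS[ns] || !p.AllowedNS[ns] {
		return false
	}
	return unscoped == 0 || unscopedMatch
}

// sample is constructed data mirroring the example in the issue.
var sample = Project{
	AllowedNS: map[string]bool{"team-a": true},
	DeniedNS:  map[string]bool{"velero": true},
	Whitelist: []Entry{
		{"velero.io", "Backup", "velero"},
		{"velero.io", "BackupStorageLocation", "velero"},
	},
}

func main() {
	fmt.Println(sample.Permitted("velero.io", "Backup", "velero"), sample.Permitted("", "Secret", "velero"))
}
```

With only namespace-scoped entries in the list, kinds in other allowed namespaces stay unrestricted under this reading, which is the behaviour a permissions-engine change would need to pin down.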