diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 1d653ca..b905b4a 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -9,7 +9,6 @@ repos:
       - id: trailing-whitespace
         args: [--markdown-linebreak-ext=md]
         exclude_types: [sql]
-      - id: check-yaml
       - id: check-executables-have-shebangs
       # Cross platform
       - id: check-case-conflict
diff --git a/src/aks-platform/05_argocd.tf b/src/aks-platform/05_argocd.tf
index bd73473..88a3d90 100644
--- a/src/aks-platform/05_argocd.tf
+++ b/src/aks-platform/05_argocd.tf
@@ -18,7 +18,9 @@ resource "helm_release" "argocd" {
   wait      = false
 
   values = [
-    file("${path.module}/argocd/argocd_helm_setup_values.yaml")
+    templatefile("${path.module}/argocd/argocd_helm_setup_values.yaml", {
+      argocd_application_namespaces = var.argocd_application_namespaces
+    })
   ]
 
   depends_on = [
@@ -52,7 +54,7 @@ resource "azurerm_key_vault_secret" "argocd_admin_username" {
 # tools
 #
 module "argocd_workload_identity_init" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=v8.42.1"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init?ref=v8.77.0"
 
   workload_identity_name_prefix         = "argocd"
   workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
@@ -60,7 +62,7 @@ module "argocd_workload_identity_init" {
 }
 
 module "argocd_workload_identity_configuration" {
-  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.42.1"
+  source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration?ref=v8.77.0"
 
   workload_identity_name_prefix         = "argocd"
   workload_identity_resource_group_name = azurerm_resource_group.rg_aks.name
@@ -77,7 +79,7 @@ module "argocd_workload_identity_configuration" {
 }
 
 module "cert_mounter_argocd_internal" {
-  source           = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.42.1"
+  source           = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.77.0"
   namespace        = "argocd"
   certificate_name = replace(local.argocd_internal_url, ".", "-")
   kv_name          = data.azurerm_key_vault.kv_core_ita.name
diff --git a/src/aks-platform/99_variables.tf b/src/aks-platform/99_variables.tf
index fdbdc9c..dd3e4be 100644
--- a/src/aks-platform/99_variables.tf
+++ b/src/aks-platform/99_variables.tf
@@ -587,7 +587,15 @@ variable "dns_zone_internal_prefix" {
   description = "The dns subdomain."
 }
 
+#
+# Argocd
+#
 variable "argocd_helm_release_version" {
   type        = string
   description = "ArgoCD helm chart release version"
 }
+
+variable "argocd_application_namespaces" {
+  type        = list(string)
+  description = "In which namespaces argocd can create applications"
+}
diff --git a/src/aks-platform/README.md b/src/aks-platform/README.md
index 71701d7..0dcea6f 100644
--- a/src/aks-platform/README.md
+++ b/src/aks-platform/README.md
@@ -43,9 +43,9 @@ Re-enable all the resource, commented before to complete the procedure
 | <a name="module_aks"></a> [aks](#module\_aks) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_cluster | v8.42.1 |
 | <a name="module_aks_prometheus_install"></a> [aks\_prometheus\_install](#module\_aks\_prometheus\_install) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_prometheus_install | v8.34.0 |
 | <a name="module_aks_storage_class"></a> [aks\_storage\_class](#module\_aks\_storage\_class) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_storage_class | v8.34.0 |
-| <a name="module_argocd_workload_identity_configuration"></a> [argocd\_workload\_identity\_configuration](#module\_argocd\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.42.1 |
-| <a name="module_argocd_workload_identity_init"></a> [argocd\_workload\_identity\_init](#module\_argocd\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.42.1 |
-| <a name="module_cert_mounter_argocd_internal"></a> [cert\_mounter\_argocd\_internal](#module\_cert\_mounter\_argocd\_internal) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter | v8.42.1 |
+| <a name="module_argocd_workload_identity_configuration"></a> [argocd\_workload\_identity\_configuration](#module\_argocd\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.77.0 |
+| <a name="module_argocd_workload_identity_init"></a> [argocd\_workload\_identity\_init](#module\_argocd\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.77.0 |
+| <a name="module_cert_mounter_argocd_internal"></a> [cert\_mounter\_argocd\_internal](#module\_cert\_mounter\_argocd\_internal) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter | v8.77.0 |
 | <a name="module_keda_workload_identity_configuration"></a> [keda\_workload\_identity\_configuration](#module\_keda\_workload\_identity\_configuration) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_configuration | v8.45.0 |
 | <a name="module_keda_workload_identity_init"></a> [keda\_workload\_identity\_init](#module\_keda\_workload\_identity\_init) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity_init | v8.45.0 |
 | <a name="module_nginx_ingress"></a> [nginx\_ingress](#module\_nginx\_ingress) | terraform-module/release/helm | 2.7.0 |
@@ -134,6 +134,7 @@ Re-enable all the resource, commented before to complete the procedure
 | <a name="input_aks_system_node_pool"></a> [aks\_system\_node\_pool](#input\_aks\_system\_node\_pool) | AKS node pool system configuration | <pre>object({<br/>    name                         = string,<br/>    vm_size                      = string,<br/>    os_disk_type                 = string,<br/>    os_disk_size_gb              = string,<br/>    node_count_min               = number,<br/>    node_count_max               = number,<br/>    node_labels                  = map(any),<br/>    node_tags                    = map(any),<br/>    only_critical_addons_enabled = optional(bool, true)<br/>    zones                        = optional(list(any), [1, 2, 3])<br/>  })</pre> | n/a | yes |
 | <a name="input_aks_user_node_pool"></a> [aks\_user\_node\_pool](#input\_aks\_user\_node\_pool) | AKS node pool user configuration | <pre>object({<br/>    enabled                    = optional(bool, true),<br/>    name                       = string,<br/>    vm_size                    = string,<br/>    os_disk_type               = string,<br/>    os_disk_size_gb            = string,<br/>    node_count_min             = number,<br/>    node_count_max             = number,<br/>    node_labels                = map(any),<br/>    node_taints                = list(string),<br/>    node_tags                  = map(any),<br/>    ultra_ssd_enabled          = optional(bool, false),<br/>    enable_host_encryption     = optional(bool, true),<br/>    max_pods                   = optional(number, 250),<br/>    upgrade_settings_max_surge = optional(string, "30%"),<br/>    zones                      = optional(list(any), [1, 2, 3]),<br/>  })</pre> | n/a | yes |
 | <a name="input_aks_vm_size"></a> [aks\_vm\_size](#input\_aks\_vm\_size) | The size of the AKS Virtual Machine in the Node Pool. | `string` | `"Standard_DS3_v2"` | no |
+| <a name="input_argocd_application_namespaces"></a> [argocd\_application\_namespaces](#input\_argocd\_application\_namespaces) | In which namespaces argocd can create applications | `list(string)` | n/a | yes |
 | <a name="input_argocd_helm_release_version"></a> [argocd\_helm\_release\_version](#input\_argocd\_helm\_release\_version) | ArgoCD helm chart release version | `string` | n/a | yes |
 | <a name="input_cidr_subnet_system_aks"></a> [cidr\_subnet\_system\_aks](#input\_cidr\_subnet\_system\_aks) | Subnet cluster kubernetes. | `list(string)` | n/a | yes |
 | <a name="input_cidr_subnet_user_aks"></a> [cidr\_subnet\_user\_aks](#input\_cidr\_subnet\_user\_aks) | Subnet cluster kubernetes. | `list(string)` | n/a | yes |
diff --git a/src/aks-platform/argocd/argocd_helm_setup_values.yaml b/src/aks-platform/argocd/argocd_helm_setup_values.yaml
index 8c4ff9e..582ca99 100644
--- a/src/aks-platform/argocd/argocd_helm_setup_values.yaml
+++ b/src/aks-platform/argocd/argocd_helm_setup_values.yaml
@@ -1,35 +1,62 @@
 dex:
   enabled: true
+
 server:
   replicas: 1
   extraArgs:
     - --insecure
-  config:
-    repositories: |
-      - type: helm
-        name: argo-cd
-        url: https://argoproj.github.io/argo-helm
   ingress:
     enabled: true
-    labels: {}
     ingressClassName: "nginx"
     hostname: argocd.internal.devopslab.pagopa.it
-
     annotations:
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
       nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+    tls: false # Cambiato a false per evitare il TLS host doppio
     extraTls:
       - hosts:
-        - argocd.internal.devopslab.pagopa.it
-        # Based on the ingress controller used secret might be optional
+          - argocd.internal.devopslab.pagopa.it
         secretName: argocd-internal-devopslab-pagopa-it
-    https: true
+
 redis-ha:
   enabled: false
+
 repoServer:
   replicas: 1
+
 applicationSet:
   replicas: 1
+
 configs:
+  params:
+    application.namespaces: "${join(",", argocd_application_namespaces)}"
+
   cm:
-    timeout.reconciliation: 30s
+    timeout.reconciliation: 31s
+    application.resourceTrackingMethod: annotation
+
+  rbac:
+    policy.csv: |
+      p, role:readonly, applications, get, */*, allow
+      p, role:readonly, projects, get, *, allow
+      p, role:admin, applications, create, */*, allow
+      p, role:admin, applications, update, */*, allow
+      p, role:admin, applications, delete, */*, allow
+      p, role:admin, applications, sync, */*, allow
+      p, role:admin, applications, override, */*, allow
+      p, role:admin, applications, action/*, */*, allow
+      p, role:admin, projects, create, *, allow
+      p, role:admin, projects, update, *, allow
+      p, role:admin, projects, delete, *, allow
+
+controller:
+  args:
+    - --application-namespaces=${join(",", argocd_application_namespaces)}
+
+  clusterRoleRules:
+    enabled: true
+    rules:
+     - apiGroups: ["*"]
+       resources: ["*"]
+       verbs: ["*"]
+       namespaces: "[${join(", ", argocd_application_namespaces)}]"
diff --git a/src/aks-platform/env/itn-dev/terraform.tfvars b/src/aks-platform/env/itn-dev/terraform.tfvars
index 1b3f399..f9713de 100644
--- a/src/aks-platform/env/itn-dev/terraform.tfvars
+++ b/src/aks-platform/env/itn-dev/terraform.tfvars
@@ -146,5 +146,9 @@ law_prometheus_sku               = "PerGB2018"
 law_prometheus_retention_in_days = 30
 law_prometheus_daily_quota_gb    = 0.1
 
-# https://github.com/argoproj/argo-helm/releases/tag/argo-cd-7.7.7
-argocd_helm_release_version = "7.7.7" #2.13.0
+#
+# Argocd
+#
+# https://github.com/argoproj/argo-helm/releases/tag/argo-cd-7.7.16
+argocd_helm_release_version   = "7.7.16" #2.13.0+
+argocd_application_namespaces = ["argocd", "testit", "diego", "keda"]
diff --git a/src/domains/diego-app/.terraform.lock.hcl b/src/domains/diego-app/.terraform.lock.hcl
index b471247..9297e91 100644
--- a/src/domains/diego-app/.terraform.lock.hcl
+++ b/src/domains/diego-app/.terraform.lock.hcl
@@ -5,6 +5,7 @@ provider "registry.terraform.io/argoproj-labs/argocd" {
   version     = "7.1.0"
   constraints = "~> 7.1.0"
   hashes = [
+    "h1:3sVJshsbJa/vj3MtZgLqDI6jy1mqF22auycq6nTpbKY=",
     "h1:l2eyIy5lh96Z/zhxmS1MspxTOBRWV2Qdy2T9bnYwWNE=",
     "zh:16a54a33061054769b46f395070815b5c027ca793f8e8af0d0459404ec38018a",
     "zh:3d1e1fbf877d43a08896ca321e2b5951cd5e0397b95f9d46d45a462987eb1045",
@@ -23,6 +24,7 @@ provider "registry.terraform.io/hashicorp/azuread" {
   version     = "2.47.0"
   constraints = "<= 2.47.0"
   hashes = [
+    "h1:g8+gBFM4QVOEQFqAEs5pR6iXpbGvgPvcEi1evHwziyw=",
     "h1:iRwDQBdXBpVBoYwM9au2RG01RQuJSm3TGQ2kioFVAas=",
     "zh:1372d81eb24ef3b4b00ea350fe87219f22da51691b8e42ce91d662f6c2a8af5e",
     "zh:1c3e89cf19118fc07d7b04257251fc9897e722c16e0a0df7b07fcd261f8c12e7",
@@ -44,6 +46,7 @@ provider "registry.terraform.io/hashicorp/azurerm" {
   constraints = "~> 3.30, ~> 3.110"
   hashes = [
     "h1:Ew2CcKxce0b1gv3KpztpPt54dw1y7qEnkda5n0fuoPg=",
+    "h1:pAXy9cKU+bX1rvWog4YWeLbg7VFHqRTAFKbjayIXK1k=",
     "zh:2e25f47492366821a786762369f0e0921cc9452d64bfd5075f6fdfcf1a9c6d70",
     "zh:41eb34f2f7469bf3eb1019dfb0e7fc28256f809824016f4f8b9d691bf473b2ac",
     "zh:48bb9c87b3d928da1abc1d3db75453c9725de4674c612daf3800160cc7145d30",
@@ -64,6 +67,7 @@ provider "registry.terraform.io/hashicorp/helm" {
   constraints = "~> 2.12, <= 2.12.1"
   hashes = [
     "h1:7wfYOAeSEchHB8idNl+2jf+OkFi9zFSOLWkEZFuTCik=",
+    "h1:aBfcqM4cbywa7TAxfT1YoFS+Cst9waerlm4XErFmJlk=",
     "zh:1d623fb1662703f2feb7860e3c795d849c77640eecbc5a776784d08807b15004",
     "zh:253a5bc62ba2c4314875139e3fbd2feaad5ef6b0fb420302a474ab49e8e51a38",
     "zh:282358f4ad4f20d0ccaab670b8645228bfad1c03ac0d0df5889f0aea8aeac01a",
@@ -83,6 +87,7 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
   version     = "2.30.0"
   constraints = "~> 2.30.0"
   hashes = [
+    "h1:+Je5UPTWMmO4eG5ep1WfujkXQI9tDk0OsMU4olU76Bg=",
     "h1:z0Gy1p59XfS9MawIqCck7m2eeEEhAj6D7n8Ngglu8vE=",
     "zh:06531333a72fe6d2829f37a328e08a3fc4ed66226344a003b62418a834ac6c69",
     "zh:34480263939ef5007ce65c9f4945df5cab363f91e5260ae552bcd9f2ffeed444",
@@ -102,6 +107,7 @@ provider "registry.terraform.io/hashicorp/kubernetes" {
 provider "registry.terraform.io/hashicorp/local" {
   version = "2.5.2"
   hashes = [
+    "h1:IyFbOIO6mhikFNL/2h1iZJ6kyN3U00jgkpCLUCThAfE=",
     "h1:p99F1AoV9z51aJ4EdItxz/vLwWIyhx/0Iw7L7sWSH1o=",
     "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511",
     "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea",
@@ -123,6 +129,7 @@ provider "registry.terraform.io/hashicorp/null" {
   constraints = "~> 3.2, <= 3.2.1"
   hashes = [
     "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=",
+    "h1:ydA0/SNRVB1o95btfshvYsmxA+jZFRZcvKzZSB+4S1M=",
     "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840",
     "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb",
     "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
diff --git a/src/domains/diego-app/05_argocd.tf b/src/domains/diego-app/05_argocd.tf
index 5ebf409..5769a92 100644
--- a/src/domains/diego-app/05_argocd.tf
+++ b/src/domains/diego-app/05_argocd.tf
@@ -13,7 +13,7 @@ resource "argocd_project" "project" {
   spec {
     description = "${var.domain}-project"
 
-    source_namespaces = ["argocd"]
+    source_namespaces = ["argocd", var.domain]
     source_repos      = ["*"]
 
     destination {
@@ -44,13 +44,11 @@ resource "argocd_project" "project" {
       warn = true
     }
 
-    #     role {
-    #       name = "anotherrole"
-    #       policies = [
-    #         "p, proj:myproject:testrole, applications, get, myproject/*, allow",
-    #         "p, proj:myproject:testrole, applications, sync, myproject/*, deny",
-    #       ]
-    #     }
+    # role {
+    #   name = "project-admin"
+    #   policies = [
+    #   ]
+    # }
   }
 }
 
@@ -90,7 +88,7 @@ resource "argocd_application" "diego_applications" {
 
   metadata {
     name      = each.value.name
-    namespace = "argocd"
+    namespace = var.domain
     labels = {
       name   = each.value.name
       domain = var.domain