
Commit a39775a

authored
[GITOPS-9015]: Skip OpenshiftDexConfig when OpenShift Cluster Authentication is based on OIDC Provider (#1070)
* [GITOPS-9015]: Skip OpenshiftDexConfig when OpenShift Cluster Authentication is based on OIDC Provider Signed-off-by: akhil nittala <nakhil@redhat.com> * [GITOPS-9015]: Skip OpenshiftDexConfig when OpenShift Cluster Authentication is based on OIDC Provider Signed-off-by: akhil nittala <nakhil@redhat.com> * [GITOPS-9015]: Skip OpenshiftDexConfig when OpenShift Cluster Authentication is based on OIDC Provider Signed-off-by: akhil nittala <nakhil@redhat.com> * [GITOPS-9015]: Skip OpenshiftDexConfig when OpenShift Cluster Authentication is based on OIDC Provider Signed-off-by: akhil nittala <nakhil@redhat.com> * [GITOPS-9015]: Skip OpenshiftDexConfig when OpenShift Cluster Authentication is based on OIDC Provider Signed-off-by: akhil nittala <nakhil@redhat.com> * fix: restoring tracking labels for cleaning up of orphaned roles and rolebindings Signed-off-by: akhil nittala <nakhil@redhat.com> * [GITOPS-9015]: Skip OpenshiftDexConfig when OpenShift Cluster Authentication is based on OIDC Provider Signed-off-by: akhil nittala <nakhil@redhat.com> * [GITOPS-9015]: Skip OpenshiftDexConfig when OpenShift Cluster Authentication is based on OIDC Provider Signed-off-by: akhil nittala <nakhil@redhat.com> --------- Signed-off-by: akhil nittala <nakhil@redhat.com>
1 parent 60437bc commit a39775a


10 files changed

+140
-17
lines changed


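--- a/bundle/manifests/gitops-operator.clusterserviceversion.yaml
+++ b/bundle/manifests/gitops-operator.clusterserviceversion.yaml
@@ -574,6 +574,7 @@ spec:
 - apiGroups:
 - config.openshift.io
 resources:
+- authentications
 - clusterversions
 - ingresses
 verbs: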

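--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -223,6 +223,7 @@ rules:
 - apiGroups:
 - config.openshift.io
 resources:
+- authentications
 - clusterversions
 - ingresses
 verbs: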

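--- a/controllers/argocd/argocd.go
+++ b/controllers/argocd/argocd.go
@@ -17,11 +17,14 @@ limitations under the License.
 package argocd
 
 import (
+"context"
+
 argoapp "github.com/argoproj-labs/argocd-operator/api/v1beta1"
+argoappController "github.com/argoproj-labs/argocd-operator/controllers/argocd"
 v1 "k8s.io/api/core/v1"
 resourcev1 "k8s.io/apimachinery/pkg/api/resource"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
+"sigs.k8s.io/controller-runtime/pkg/client"
 "sigs.k8s.io/yaml"
 )
 
@@ -86,7 +89,10 @@ func getArgoDexSpec() *argoapp.ArgoCDDexSpec {
 }
 }
 
-func getArgoSSOSpec() *argoapp.ArgoCDSSOSpec {
+func getArgoSSOSpec(client client.Client) *argoapp.ArgoCDSSOSpec {
+if argoappController.IsOpenShiftCluster() && argoappController.IsExternalAuthenticationEnabledOnCluster(context.TODO(), client) {
+return nil
+}
 return &argoapp.ArgoCDSSOSpec{
 Provider: argoapp.SSOProviderTypeDex,
 Dex: getArgoDexSpec(),
@@ -180,7 +186,7 @@ func getDefaultRBAC() argoapp.ArgoCDRBACSpec {
 
 // NewCR returns an ArgoCD reference optimized for use in OpenShift
 // with comprehensive default resource exclusions
-func NewCR(name, ns string) (*argoapp.ArgoCD, error) {
+func NewCR(name, ns string, client client.Client) (*argoapp.ArgoCD, error) {
 b, err := yaml.Marshal([]resource{
 {
 APIGroups: []string{"", "discovery.k8s.io"},
@@ -239,7 +245,7 @@ func NewCR(name, ns string) (*argoapp.ArgoCD, error) {
 Spec: argoapp.ArgoCDSpec{
 ApplicationSet: getArgoApplicationSetSpec(),
 Controller: getArgoControllerSpec(),
-SSO: getArgoSSOSpec(),
+SSO: getArgoSSOSpec(client),
 Grafana: getArgoGrafanaSpec(),
 HA: getArgoHASpec(),
 Redis: getArgoRedisSpec(),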
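Review bot: In `getArgoSSOSpec` the decision to drop the Dex/OpenShift OAuth spec rests on a bare boolean from `argoappController.IsExternalAuthenticationEnabledOnCluster`, so a failed read of the cluster Authentication resource cannot be told apart from "external authentication is off". That helper is defined outside this page, so its error handling is inferred; if it returns false on an API or RBAC error, the operator would still generate the Dex `OpenShiftOAuth` configuration on an OIDC-backed cluster, which is the state this commit sets out to avoid. Since `NewCR` already returns an error, consider propagating the lookup failure through it instead of defaulting to Dex. Separately, the parameter name `client` shadows the imported `client` package in both `getArgoSSOSpec` and `NewCR`, and `context.TODO()` discards the caller's context; a signature such as `func getArgoSSOSpec(ctx context.Context, c client.Client) *argoapp.ArgoCDSSOSpec` addresses both. The body of `NewCR` continues outside the hunks shown.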

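--- a/controllers/argocd/argocd_test.go
+++ b/controllers/argocd/argocd_test.go
@@ -21,13 +21,22 @@ import (
 "testing"
 
 argoapp "github.com/argoproj-labs/argocd-operator/api/v1beta1"
+configv1 "github.com/openshift/api/config/v1"
 "gotest.tools/assert"
 v1 "k8s.io/api/core/v1"
 resourcev1 "k8s.io/apimachinery/pkg/api/resource"
+"k8s.io/apimachinery/pkg/runtime"
+"sigs.k8s.io/controller-runtime/pkg/client/fake"
 )
 
 func TestArgoCD(t *testing.T) {
-testArgoCD, _ := NewCR("openshift-gitops", "openshift-gitops")
+scheme := runtime.NewScheme()
+_ = argoapp.AddToScheme(scheme)
+_ = configv1.AddToScheme(scheme)
+
+fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+testArgoCD, _ := NewCR("openshift-gitops", "openshift-gitops", fakeClient)
 
 testApplicationSetResources := &v1.ResourceRequirements{
 Requests: v1.ResourceList{
@@ -190,7 +199,15 @@ func TestArgoCD(t *testing.T) {
 }
 
 func TestDexConfiguration(t *testing.T) {
-testArgoCD, _ := NewCR("openshift-gitops", "openshift-gitops")
+scheme := runtime.NewScheme()
+_ = argoapp.AddToScheme(scheme)
+_ = configv1.AddToScheme(scheme)
+
+fakeClient := fake.NewClientBuilder().
+WithScheme(scheme).
+Build()
+
+testArgoCD, _ := NewCR("openshift-gitops", "openshift-gitops", fakeClient)
 
 // Verify Dex OpenShift Configuration
 assert.Equal(t, testArgoCD.Spec.SSO.Dex.OpenShiftOAuth, true)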
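Review bot: Neither test covers the new `return nil` branch of `getArgoSSOSpec`, and `TestDexConfiguration` dereferences `testArgoCD.Spec.SSO.Dex` directly, so it would panic instead of failing cleanly if `Spec.SSO` ever came back nil. A companion test that seeds the fake client (`WithObjects`) with a `configv1.Authentication` whose type is OIDC and asserts `Spec.SSO == nil` would pin the behaviour this commit adds; whether `IsOpenShiftCluster()` can be made true in a unit test is not visible from this page. The errors from `AddToScheme` and `NewCR` are discarded with `_`; `assert.NilError(t, err)` on each would keep a setup failure from surfacing later as a misleading assertion or nil dereference. Both test bodies continue outside the hunks.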

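--- a/controllers/gitopsservice_controller.go
+++ b/controllers/gitopsservice_controller.go
@@ -134,6 +134,7 @@ type ReconcileGitopsService struct {
 DisableDefaultInstall bool
 }
 
+// +kubebuilder:rbac:groups=config.openshift.io,resources=authentications,verbs=get;list;watch
 //+kubebuilder:rbac:groups=pipelines.openshift.io,resources=gitopsservices,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=pipelines.openshift.io,resources=gitopsservices/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=pipelines.openshift.io,resources=gitopsservices/finalizers,verbs=update
@@ -313,7 +314,7 @@ func (r *ReconcileGitopsService) Reconcile(ctx context.Context, request reconcil
 
 func (r *ReconcileGitopsService) ensureDefaultArgoCDInstanceDoesntExist() error {
 
-defaultArgoCDInstance, err := argocd.NewCR(common.ArgoCDInstanceName, serviceNamespace)
+defaultArgoCDInstance, err := argocd.NewCR(common.ArgoCDInstanceName, serviceNamespace, r.Client)
 if err != nil {
 return err
 }
@@ -349,7 +350,7 @@ func (r *ReconcileGitopsService) ensureDefaultArgoCDInstanceDoesntExist() error
 
 func (r *ReconcileGitopsService) reconcileDefaultArgoCDInstance(instance *pipelinesv1alpha1.GitopsService, reqLogger logr.Logger) (reconcile.Result, error) {
 
-defaultArgoCDInstance, err := argocd.NewCR(common.ArgoCDInstanceName, serviceNamespace, r.Client)
+defaultArgoCDInstance, err := argocd.NewCR(common.ArgoCDInstanceName, serviceNamespace)
 if err != nil {
 return reconcile.Result{}, err
 }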
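Review bot: The new marker grants only `get;list;watch` on `authentications`, but in the generated `config/rbac/role.yaml` and the CSV the resource is merged into the existing `config.openshift.io` rule next to `clusterversions` and `ingresses`, whose `verbs:` list is cut off on this page. It is worth confirming that the merged rule stays read-only, because the cluster Authentication config is security-sensitive and the operator only needs to read it. The marker is also written as `// +kubebuilder:rbac:` with a space, while the neighbouring markers use `//+kubebuilder:rbac:`; matching the file's existing form keeps them greppable as a set. Both `NewCR` call sites are in methods whose bodies continue outside the hunks.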

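--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.25.5
 
 require (
 github.com/argoproj-labs/argo-rollouts-manager v0.0.8-0.20260218104514-432c01ce417a
-github.com/argoproj-labs/argocd-operator v0.17.0-rc1.0.20260211145236-4c05ef8fa3d7
+github.com/argoproj-labs/argocd-operator v0.17.0-rc1.0.20260225073619-a52ee52d3941
 github.com/argoproj/argo-cd/v3 v3.3.0
 github.com/argoproj/gitops-engine v0.7.1-0.20251217140045-5baed5604d2d
 github.com/go-logr/logr v1.4.3
@@ -43,7 +43,7 @@ require (
 github.com/Masterminds/semver/v3 v3.4.0 // indirect
 github.com/Microsoft/go-winio v0.6.2 // indirect
 github.com/ProtonMail/go-crypto v1.1.6 // indirect
-github.com/argoproj-labs/argocd-image-updater v1.1.0 // indirect
+github.com/argoproj-labs/argocd-image-updater v1.1.1 // indirect
 github.com/argoproj/pkg v0.13.7-0.20250305113207-cbc37dc61de5 // indirect
 github.com/argoproj/pkg/v2 v2.0.1 // indirect
 github.com/beorn7/perks v1.0.1 // indirect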

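--- a/go.sum
+++ b/go.sum
@@ -37,10 +37,10 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuW
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
 github.com/argoproj-labs/argo-rollouts-manager v0.0.8-0.20260218104514-432c01ce417a h1:USjEzxbs2lZtx7+Hp9u5dYgu7pf/9XnDUSc9+Hmulmo=
 github.com/argoproj-labs/argo-rollouts-manager v0.0.8-0.20260218104514-432c01ce417a/go.mod h1:WPyZkNHZjir/OTt8mrRwcUZKe1euHrHPJsRv1Wp/F/0=
-github.com/argoproj-labs/argocd-image-updater v1.1.0 h1:XR+xZf8bDFBaTpVdVpe06t/DPmrIG4BG3HukUXul6X0=
-github.com/argoproj-labs/argocd-image-updater v1.1.0/go.mod h1:RbPRnEqWBPq1OP29vlZjmfL+/NfonpoagH8SInP/YHc=
-github.com/argoproj-labs/argocd-operator v0.17.0-rc1.0.20260211145236-4c05ef8fa3d7 h1:SF89hDvomBhku9IjRO60fzeS8ZdwHgmo7KhfTLF4tYo=
-github.com/argoproj-labs/argocd-operator v0.17.0-rc1.0.20260211145236-4c05ef8fa3d7/go.mod h1:G9rmG9/3gV899eg8wL/4YQYTBSq5M+xEwfVBMuE8RlA=
+github.com/argoproj-labs/argocd-image-updater v1.1.1 h1:7YDaR3WX2NMsDKp0wN7TRaRRHaVHQ94tSybi2P99MGk=
+github.com/argoproj-labs/argocd-image-updater v1.1.1/go.mod h1:gMHiNrGNwNSt4ljf0ykcnmNvXBk/NJ+Z17AnZVe7V7I=
+github.com/argoproj-labs/argocd-operator v0.17.0-rc1.0.20260225073619-a52ee52d3941 h1:wkBZFBhSxIpaOfQOwQT44kgwkI/UC7IxM85GJ8w+nHI=
+github.com/argoproj-labs/argocd-operator v0.17.0-rc1.0.20260225073619-a52ee52d3941/go.mod h1:3/Y9YWMU+DHC+onOQVXPAxrNkoBAGZD+UQui9BgJBjY=
 github.com/argoproj/argo-cd/v3 v3.3.0 h1:9UlruTd5cC/MyvorTXgAIblfZTy63MF5FYvvoAaUvwU=
 github.com/argoproj/argo-cd/v3 v3.3.0/go.mod h1:5VAfe0s/a4VY5GmAIFK76FtW6xn7zAcLmaw25bOL/2g=
 github.com/argoproj/gitops-engine v0.7.1-0.20251217140045-5baed5604d2d h1:iUJYrbSvpV9n8vyl1sBt1GceM60HhHfnHxuzcm5apDg=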

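--- a/test/e2e/gitopsservice_test.go
+++ b/test/e2e/gitopsservice_test.go
@@ -156,7 +156,7 @@ var _ = Describe("GitOpsServiceController", func() {
 }
 
 By("create a new Argo CD instance in test ns")
-argocdNonDefaultNamespaceInstance, err := argocd.NewCR(argocdNonDefaultInstanceName, argocdNonDefaultNamespace)
+argocdNonDefaultNamespaceInstance, err := argocd.NewCR(argocdNonDefaultInstanceName, argocdNonDefaultNamespace, k8sClient)
 Expect(err).NotTo(HaveOccurred())
 
 err = k8sClient.Create(context.TODO(), argocdNonDefaultNamespaceInstance)
@@ -344,7 +344,7 @@ var _ = Describe("GitOpsServiceController", func() {
 }
 
 // create an ArgoCD instance in the source namespace
-argoCDInstanceObj, err := argocd.NewCR(argocdInstance, sourceNS)
+argoCDInstanceObj, err := argocd.NewCR(argocdInstance, sourceNS, k8sClient)
 Expect(err).NotTo(HaveOccurred())
 err = k8sClient.Create(context.TODO(), argoCDInstanceObj)
 if !kubeerrors.IsAlreadyExists(err) {
@@ -523,7 +523,7 @@ var _ = Describe("GitOpsServiceController", func() {
 }
 
 By("create an Argo CD instance in source namespace")
-argoCDInstanceObj, err := argocd.NewCR(argocdNonDefaultNamespaceInstanceName, argocdNonDefaultNamespace)
+argoCDInstanceObj, err := argocd.NewCR(argocdNonDefaultNamespaceInstanceName, argocdNonDefaultNamespace, k8sClient)
 Expect(err).NotTo(HaveOccurred())
 err = k8sClient.Create(context.TODO(), argoCDInstanceObj)
 Expect(err).NotTo(HaveOccurred())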

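--- a/test/openshift/e2e/ginkgo/fixture/argocd/fixture.go
+++ b/test/openshift/e2e/ginkgo/fixture/argocd/fixture.go
@@ -153,6 +153,41 @@ func HaveApplicationControllerOperationProcessors(operationProcessors int) match
 })
 }
 
+func HaveExternalAuthenticationCondition(expected metav1.Condition) matcher.GomegaMatcher {
+return fetchArgoCD(func(argocd *argov1beta1api.ArgoCD) bool {
+for _, c := range argocd.Status.Conditions {
+// FIRST match by Type
+if c.Type != expected.Type {
+continue
+}
+GinkgoWriter.Println("Matched condition type:", c.Type)
+// Then check Reason
+if c.Reason != expected.Reason {
+GinkgoWriter.Println("HaveCondition: reason does not match", c.Reason, expected.Reason)
+return false
+}
+
+// Then check Status
+if c.Status != expected.Status {
+GinkgoWriter.Println("HaveCondition: status does not match", c.Status, expected.Status)
+return false
+}
+
+// Message check is optional (can be multiline)
+if expected.Message != "" && c.Message != expected.Message {
+GinkgoWriter.Println("HaveCondition: message does not match")
+return false
+}
+
+// ✅ Found correct condition
+return true
+}
+
+GinkgoWriter.Println("HaveCondition: condition type not found:", expected.Type)
+return false
+})
+}
+
 func HaveCondition(condition metav1.Condition) matcher.GomegaMatcher {
 return fetchArgoCD(func(argocd *argov1beta1api.ArgoCD) bool {
 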
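Review bot: `HaveExternalAuthenticationCondition` is exported without a doc comment, and every failure message it prints is prefixed `HaveCondition:`, the name of the neighbouring matcher, so a failing e2e log points at the wrong helper. Suggest adding `// HaveExternalAuthenticationCondition succeeds when the ArgoCD status holds a condition of expected.Type whose Reason and Status match; Message is compared only when expected.Message is non-empty.` and changing the prefixes to the function's own name. The loop also returns on the first condition whose Type matches, which is correct only if condition types are unique within `Status.Conditions`. The body of `HaveCondition` lies outside the hunk, so how far the two matchers overlap cannot be judged from here.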

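--- a/test/openshift/e2e/ginkgo/parallel/1-050_validate_sso_test.go
+++ b/test/openshift/e2e/ginkgo/parallel/1-050_validate_sso_test.go
@@ -2,6 +2,7 @@ package parallel
 
 import (
 "context"
+"strings"
 
 argov1beta1api "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 . "github.com/onsi/ginkgo/v2"
@@ -10,14 +11,27 @@ import (
 argocdFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/argocd"
 deploymentFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/deployment"
 k8sFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/k8s"
+osFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/os"
 "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/utils"
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+"k8s.io/apimachinery/pkg/types"
 "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+func getOCPVersion() string {
+output, err := osFixture.ExecCommand("oc", "version")
+Expect(err).ToNot(HaveOccurred())
+for _, line := range strings.Split(output, "\n") {
+if strings.Contains(line, "Server Version:") {
+return strings.TrimSpace(line[strings.Index(line, ":")+1:])
+}
+}
+return ""
+}
+
 var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 
 Context("1-050_validate_sso", func() {
@@ -44,6 +58,54 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 cleanupFunc()
 }
 })
+It("ensures the conditions in status when external Authentication is enabled on clusters; above 4.20 by default in openshit is enabled", func() {
+By("creating simple namespace-scoped Argo CD instance")
+ocVersion := getOCPVersion()
+Expect(ocVersion).ToNot(BeEmpty())
+if ocVersion < "4.20" {
+Skip("skipping this test as OCP version is less than 4.20")
+return
+}
+ns, cleanupFunc = fixture.CreateRandomE2ETestNamespaceWithCleanupFunc()
+
+argoCD := &argov1beta1api.ArgoCD{
+ObjectMeta: metav1.ObjectMeta{Name: "argocd", Namespace: ns.Name},
+Spec: argov1beta1api.ArgoCDSpec{},
+}
+argoCD.Spec.SSO = &argov1beta1api.ArgoCDSSOSpec{
+Provider: argov1beta1api.SSOProviderTypeDex,
+Dex: &argov1beta1api.ArgoCDDexSpec{
+OpenShiftOAuth: true,
+},
+}
+Expect(k8sClient.Create(ctx, argoCD)).To(Succeed())
+Eventually(argoCD, "5m", "5s").Should(argocdFixture.HaveSSOStatus("Failed"))
+
+By("verifying the conditions in status")
+Eventually(argoCD).Should(argocdFixture.HaveExternalAuthenticationCondition(metav1.Condition{
+Reason: "UnsupportedSSOConfiguration",
+Status: "True",
+Type: "UnsupportedConfiguration",
+}))
+
+argocdFixture.Update(argoCD, func(ac *argov1beta1api.ArgoCD) {
+ac.Spec.SSO = nil
+})
+Eventually(func() []metav1.Condition {
+fresh := &argov1beta1api.ArgoCD{}
+err := k8sClient.Get(ctx, types.NamespacedName{Name: argoCD.Name, Namespace: argoCD.Namespace}, fresh)
+Expect(err).NotTo(HaveOccurred())
+return fresh.Status.Conditions
+}, "2m", "5s").ShouldNot(
+ContainElement(
+WithTransform(func(c metav1.Condition) string {
+return c.Type
+}, Equal("UnsupportedConfiguration")),
+),
+)
+Eventually(argoCD, "5m", "5s").Should(argocdFixture.HaveSSOStatus("Unknown"))
+
+})
 
 It("ensures Dex/Keycloak SSO can be enabled and disabled on a namespace-scoped Argo CD instance", func() {
 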
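Review bot: The gate `if ocVersion < "4.20"` in the new spec compares strings lexicographically, so a server reporting `4.9.x` sorts above `"4.20"` and the test runs where it should skip, while a hypothetical `4.100` would be skipped. Compare the major and minor components numerically instead, as sketched below (this needs `strconv` added to the imports). The `return` after `Skip(...)` is unreachable because `Skip` aborts the spec, and the spec title has a typo ("openshit"). The version is also only a proxy for the precondition: the title itself says external authentication is merely the default above 4.20, so reading the cluster Authentication type would gate the test on what it actually depends on.

```go
// ocpAtLeast reports whether a "major.minor[.patch]" version string is at
// least the given major.minor; unparsable input is treated as "not at least".
func ocpAtLeast(version string, major, minor int) bool {
	parts := strings.SplitN(version, ".", 3)
	if len(parts) < 2 {
		return false
	}
	gotMajor, errMajor := strconv.Atoi(parts[0])
	gotMinor, errMinor := strconv.Atoi(parts[1])
	if errMajor != nil || errMinor != nil {
		return false
	}
	return gotMajor > major || (gotMajor == major && gotMinor >= minor)
}

// … unchanged: getOCPVersion, spec setup up to the version check …
if !ocpAtLeast(ocVersion, 4, 20) {
	Skip("skipping this test as OCP version is less than 4.20")
}
// … unchanged: namespace creation and the SSO condition assertions …
```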
