Feat: disable GitOps Service and default instance on xKS clusters (#1172)

* disable default instance on xKS clusters

Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

* Dex with OpenShiftOAuth: true fails on vanilla K8s because oauth.openshift.io API doesn't exist. Gate on config.openshift.io presence before configuring SSO.

assisted-by: claude-code
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

* use IsOpenshitCluster to gate openshift specific capabilities

Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

* add proper logs, remove deadcode, fix test

assisted-by: Cursor for code-review
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

* fix unit test

Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

* fix comments and nit picks

Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

---------

Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

Author: anandrkskd

cmd/main.go

@@ -223,6 +223,7 @@ func main() {
 	registerComponentOrExit(mgr, argov1beta1api.AddToScheme)
 
 	// Setup Scheme for OpenShift Config if available
+	// Disables default Argo CD instance if the cluster doesn't contain OpenShift config API
 	if util.IsConfigAPIFound() {
 		registerComponentOrExit(mgr, configv1.AddToScheme)
 	}
@@ -254,13 +255,17 @@ func main() {
 		}
 	}
 
-	if err = (&controllers.ReconcileGitopsService{
-		Client:                client,
-		Scheme:                mgr.GetScheme(),
-		DisableDefaultInstall: strings.ToLower(os.Getenv(common.DisableDefaultInstallEnvVar)) == "true",
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "GitopsService")
-		os.Exit(1)
+	if util.IsOpenShiftCluster() {
+		if err = (&controllers.ReconcileGitopsService{
+			Client:                client,
+			Scheme:                mgr.GetScheme(),
+			DisableDefaultInstall: strings.ToLower(os.Getenv(common.DisableDefaultInstallEnvVar)) == "true",
+		}).SetupWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "GitopsService")
+			os.Exit(1)
+		}
+	} else {
+		setupLog.Info("skipping GitopsService controller setup", "reason", "OpenShift Config API not available")
 	}
 
 	if util.IsRouteAPIFound() {

controllers/argocd/argocd.go

@@ -21,13 +21,17 @@ import (
 
 	argoapp "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 	argoappController "github.com/argoproj-labs/argocd-operator/controllers/argocd"
+	"github.com/redhat-developer/gitops-operator/controllers/util"
 	v1 "k8s.io/api/core/v1"
 	resourcev1 "k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/yaml"
 )
 
+var log = logf.Log.WithName("controller_argocd")
+
 var (
 	defaultAdminPolicy = "g, system:cluster-admins, role:admin\ng, cluster-admins, role:admin\n"
 	defaultScope       = "[groups]"
@@ -90,7 +94,12 @@ func getArgoDexSpec() *argoapp.ArgoCDDexSpec {
 }
 
 func getArgoSSOSpec(client client.Client) *argoapp.ArgoCDSSOSpec {
-	if argoappController.IsOpenShiftCluster() && argoappController.IsExternalAuthenticationEnabledOnCluster(context.TODO(), client) {
+	if !util.IsOpenShiftCluster() {
+		log.Info("non-OpenShift cluster detected, skipping SSO/Dex configuration")
+		return nil
+	}
+	if argoappController.IsExternalAuthenticationEnabledOnCluster(context.TODO(), client) {
+		log.Info("external authentication enabled on cluster, skipping SSO/Dex configuration")
 		return nil
 	}
 	return &argoapp.ArgoCDSSOSpec{

controllers/argocd/argocd_test.go

@@ -22,6 +22,7 @@ import (
 
 	argoapp "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 	configv1 "github.com/openshift/api/config/v1"
+	"github.com/redhat-developer/gitops-operator/controllers/util"
 	"gotest.tools/assert"
 	v1 "k8s.io/api/core/v1"
 	resourcev1 "k8s.io/apimachinery/pkg/api/resource"
@@ -30,6 +31,9 @@ import (
 )
 
 func TestArgoCD(t *testing.T) {
+	util.SetConfigAPIFound(true)
+	defer util.SetConfigAPIFound(false)
+
 	scheme := runtime.NewScheme()
 	_ = argoapp.AddToScheme(scheme)
 	_ = configv1.AddToScheme(scheme)
@@ -199,6 +203,9 @@ func TestArgoCD(t *testing.T) {
 }
 
 func TestDexConfiguration(t *testing.T) {
+	util.SetConfigAPIFound(true)
+	defer util.SetConfigAPIFound(false)
+
 	scheme := runtime.NewScheme()
 	_ = argoapp.AddToScheme(scheme)
 	_ = configv1.AddToScheme(scheme)
@@ -223,3 +230,20 @@ func TestDexConfiguration(t *testing.T) {
 	}
 	assert.DeepEqual(t, testArgoCD.Spec.RBAC, testRBAC)
 }
+
+// kubernetes environment test, no defer required as the Config API is false by default
+func TestSSOSkippedOnNonOpenShift(t *testing.T) {
+	util.SetConfigAPIFound(false)
+
+	scheme := runtime.NewScheme()
+	_ = argoapp.AddToScheme(scheme)
+	_ = configv1.AddToScheme(scheme)
+
+	fakeClient := fake.NewClientBuilder().
+		WithScheme(scheme).
+		Build()
+
+	testArgoCD, _ := NewCR("openshift-gitops", "openshift-gitops", fakeClient)
+
+	assert.Assert(t, testArgoCD.Spec.SSO == nil, "SSO should be nil on non-OpenShift clusters")
+}

controllers/util/util.go

@@ -116,11 +116,16 @@ func InspectCluster() error {
 	return stderrors.Join(errs...)
 }
 
-// used as a shortcut to check if the cluster is an OpenShift cluster
+// IsConfigAPIFound return true if the CRD config.openshift.io is available in the cluster and false otherwise.
 func IsConfigAPIFound() bool {
 	return configAPIFound
 }
 
+// IsOpenShiftCluster uses IsConfigAPIFound to check if the cluster is an OpenShift cluster.
+func IsOpenShiftCluster() bool {
+	return IsConfigAPIFound()
+}
+
 // verify if the Config.Openshift.io API is found
 func verifyConfigAPI() error {
 	found, err := argoutil.VerifyAPI(configv1.GroupName, configv1.GroupVersion.Version)
@@ -131,6 +136,7 @@ func verifyConfigAPI() error {
 	return nil
 }
 
+// IsConsoleAPIFound return true if the CRD console.openshift.io is available in the cluster.
 func IsConsoleAPIFound() bool {
 	return consoleAPIFound
 }
@@ -144,6 +150,7 @@ func verifyConsoleAPI() error {
 	return nil
 }
 
+// IsRouteAPIFound return true if the CRD route.openshift.io is available in the cluster.
 func IsRouteAPIFound() bool {
 	return routeAPIFound
 }
@@ -169,10 +176,12 @@ func verifyMonitoringAPI() error {
 	return nil
 }
 
+// IsMonitoringAPIFound return true if the CRD monitoring.coreos.com is available in the cluster.
 func IsMonitoringAPIFound() bool {
 	return monitoringAPIFound
 }
 
+// IsTemplateAPIFound return true if the CRD template.openshift.io is available in the cluster.
 func IsTemplateAPIFound() bool {
 	return templateAPIFound
 }
@@ -186,6 +195,7 @@ func verifyTemplateAPI() error {
 	return nil
 }
 
+// IsAppsAPIFound return true if the CRD apps.openshift.io is available in the cluster.
 func IsAppsAPIFound() bool {
 	return appsAPIFound
 }
@@ -199,6 +209,7 @@ func verifyAppsAPI() error {
 	return nil
 }
 
+// IsOAuthAPIFound return true if the CRD oauth.openshift.io is available in the cluster.
 func IsOAuthAPIFound() bool {
 	return oauthAPIFound
 }
@@ -212,6 +223,7 @@ func verifyOAuthAPI() error {
 	return nil
 }
 
+// IsOLMAPIFound return true if the CRD operators.coreos.com is available in the cluster.
 func IsOLMAPIFound() bool {
 	return olmAPIFound
 }