Merge branch 'master' into GITOPS-9682-Create-App-Test

Author: trdoyle81

scripts/openshiftci-presubmit-unittests.sh

@@ -27,3 +27,31 @@ cd ../..
 
 # Run unit
 make test
+
+# Upload coverage to codecov.io - failures here should not fail the build
+(
+  set +e
+  CODECOV_TOKEN_FILE="/var/run/codecov-token/CODECOV_TOKEN"
+  if [[ ! -f "${CODECOV_TOKEN_FILE}" ]]; then
+    echo "Codecov token not found at ${CODECOV_TOKEN_FILE}, skipping upload"
+    exit 0
+  fi
+  CODECOV_TOKEN="$(cat "${CODECOV_TOKEN_FILE}")"
+  COMMIT="$(git rev-parse HEAD)"
+  BRANCH="$(git rev-parse --abbrev-ref HEAD)"
+  QUERY="token=${CODECOV_TOKEN}&commit=${COMMIT}&branch=${BRANCH}&flags=unit-tests"
+
+  # Step 1: request an upload slot; response is two lines: report URL, S3 URL.
+  RESPONSE=$(curl -sX POST -H 'Accept: text/plain' "https://codecov.io/upload/v4?${QUERY}")
+  S3_URL=$(echo "${RESPONSE}" | sed -n 2p)
+  if [[ -z "${S3_URL}" ]]; then
+    echo "Codecov did not return an upload URL, aborting"
+    exit 1
+  fi
+
+  # Step 2: PUT the coverage file to GCS (Codecov uses GCS, not AWS S3;
+  # x-amz-storage-class is not supported and causes a 400).
+  curl -fiX PUT --data-binary @cover.out \
+    -H 'Content-Type: text/plain' \
+    "${S3_URL}"
+) || echo "Coverage upload to codecov.io failed, continuing"

test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go

@@ -100,7 +100,7 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 			} else {
 				// when running against RC/ released version of gitops
 				expected_dexVersion = "v2.45.0"
-				expected_redisVersion = "7.2.11"
+				expected_redisVersion = "8.2.3"
 			}
 
 			By("locating pods containing toolchain in openshift-gitops")

test/openshift/e2e/ginkgo/parallel/1-095_validate_dex_clientsecret_test.go

@@ -18,7 +18,6 @@ package parallel
 
 import (
 	"context"
-	"strings"
 
 	argov1beta1api "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 	. "github.com/onsi/ginkgo/v2"
@@ -90,30 +89,26 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 
 			By("validating that the Dex Client Secret was copied from dex serviceaccount token secret in to argocd-secret, by the operator")
 
-			// To verify the behavior we should first get the token secret name of the dex service account.
+			// The operator now creates an Opaque secret with a deterministic name for the Dex token
+			// (via TokenRequest API) instead of using auto-generated kubernetes.io/service-account-token secrets.
+			// The secret name follows the pattern: <argocd-name>-<dex-sa-name>-token
+			dexTokenSecretName := "example-argocd-argocd-dex-server-token" // #nosec G101 -- This is a Kubernetes secret name, not a credential
 
-			var secretName string
-			for _, secretData := range serviceAccount.Secrets {
-
-				if strings.Contains(secretData.Name, "token") {
-					secretName = secretData.Name
-				}
-			}
-			Expect(secretName).ToNot(BeEmpty())
-
-			// Extract the clientSecret
-			secretReferencedFromServiceAccount := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: secretName, Namespace: ns.Name}}
-			Eventually(secretReferencedFromServiceAccount).Should(k8sFixture.ExistByName())
-			tokenFromSASecret := secretReferencedFromServiceAccount.Data["token"]
-			Expect(tokenFromSASecret).ToNot(BeEmpty())
+			// Extract the clientSecret from the Dex token secret
+			dexTokenSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: dexTokenSecretName, Namespace: ns.Name}}
+			Eventually(dexTokenSecret, "30s", "2s").Should(k8sFixture.ExistByName())
+			tokenFromDexSecret := dexTokenSecret.Data["token"]
+			Expect(tokenFromDexSecret).ToNot(BeEmpty())
+			// Verify the secret also contains an expiry field
+			Expect(dexTokenSecret.Data["expiry"]).ToNot(BeEmpty())
 
 			// actualClientSecret is the value of the secret in argocd-secret where argocd-operator should copy the secret from
 			argocdSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "argocd-secret", Namespace: ns.Name}}
 			Eventually(argocdSecret).Should(k8sFixture.ExistByName())
 
 			actualClientSecret := argocdSecret.Data["oidc.dex.clientSecret"]
 
-			Expect(string(actualClientSecret)).To(Equal(string(tokenFromSASecret)), "Dex Client Secret for OIDC is not valid")
+			Expect(string(actualClientSecret)).To(Equal(string(tokenFromDexSecret)), "Dex Client Secret for OIDC is not valid")
 
 		})
 

test/openshift/e2e/ginkgo/parallel/1-098_validate_dex_clientsecret_deprecated.go

@@ -19,7 +19,6 @@ package parallel
 import (
 	"context"
 	"fmt"
-	"strings"
 
 	argov1beta1api "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 	. "github.com/onsi/ginkgo/v2"
@@ -86,40 +85,31 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 
 			By("validating that the Dex Client Secret was copied from dex serviceaccount token secret to argocd-secret, by the operator")
 			Eventually(func() error {
-				// Get the service account and find its token secret
-				err := k8sClient.Get(ctx, client.ObjectKeyFromObject(dexServiceAccount), dexServiceAccount)
-				if err != nil {
-					return err
-				}
-
-				// Find the token secret from the service account secrets
-				var tokenSecretName string
-				for _, secret := range dexServiceAccount.Secrets {
-					if secret.Name != "" && strings.Contains(secret.Name, "token") {
-						tokenSecretName = secret.Name
-						break
-					}
-				}
+				// The operator now creates an Opaque secret with a deterministic name for the Dex token
+				// (via TokenRequest API) instead of using auto-generated kubernetes.io/service-account-token secrets.
+				// The secret name follows the pattern: <argocd-name>-<dex-sa-name>-token
+				dexTokenSecretName := "example-argocd-argocd-dex-server-token" // #nosec G101 -- This is a Kubernetes secret name, not a credential
 
-				if tokenSecretName == "" {
-					return fmt.Errorf("no token secret found for service account %s", dexServiceAccount.Name)
-				}
-
-				// Get the token secret and extract the token
-				tokenSecret := &corev1.Secret{
+				// Get the Dex token secret and extract the token
+				dexTokenSecret := &corev1.Secret{
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      tokenSecretName,
+						Name:      dexTokenSecretName,
 						Namespace: namespace.Name,
 					},
 				}
-				err = k8sClient.Get(ctx, client.ObjectKeyFromObject(tokenSecret), tokenSecret)
+				err := k8sClient.Get(ctx, client.ObjectKeyFromObject(dexTokenSecret), dexTokenSecret)
 				if err != nil {
 					return err
 				}
 
-				expectedClientSecret, exists := tokenSecret.Data["token"]
+				expectedClientSecret, exists := dexTokenSecret.Data["token"]
 				if !exists {
-					return fmt.Errorf("token not found in secret %s", tokenSecretName)
+					return fmt.Errorf("token not found in secret %s", dexTokenSecretName)
+				}
+
+				// Verify the secret also contains an expiry field
+				if _, exists := dexTokenSecret.Data["expiry"]; !exists {
+					return fmt.Errorf("expiry not found in secret %s", dexTokenSecretName)
 				}
 
 				// Get the argocd-secret and extract the oidc.dex.clientSecret

test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go

@@ -15,6 +15,7 @@ import (
 	appprojectFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/appproject"
 	argocdFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/argocd"
 	clusterroleFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/clusterrole"
+	configmapFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/configmap"
 	deploymentFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/deployment"
 	k8sFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/k8s"
 	namespaceFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/namespace"
@@ -44,6 +45,10 @@ var _ = Describe("GitOps Operator Sequential E2E Tests", func() {
 		BeforeEach(func() {
 
 			fixture.EnsureSequentialCleanSlate()
+
+			fixture.SetEnvInOperatorSubscriptionOrDeployment("ARGOCD_CLUSTER_CONFIG_NAMESPACES",
+				"openshift-gitops, argocd-e2e-cluster-config, appset-argocd, appset-old-ns, appset-new-ns, appset-argocd-clusterrole, appset-target-ns")
+
 			k8sClient, _ = utils.GetE2ETestKubeClient()
 			ctx = context.Background()
 		})
@@ -62,8 +67,6 @@ var _ = Describe("GitOps Operator Sequential E2E Tests", func() {
 
 		It("verifying that ArgoCD CR '.spec.applicationset.sourcenamespaces' and '.spec.sourcenamespaces' correctly control role/rolebindings within the managed namespaces", func() {
 
-			fixture.SetEnvInOperatorSubscriptionOrDeployment("ARGOCD_CLUSTER_CONFIG_NAMESPACES", "openshift-gitops, argocd-e2e-cluster-config, appset-argocd, appset-old-ns, appset-new-ns")
-
 			By("0) create namespaces: appset-argocd, appset-old-ns, appset-new-ns")
 
 			appset_argocdNS, cleanupFunc := fixture.CreateNamespaceWithCleanupFunc("appset-argocd")
@@ -746,8 +749,6 @@ var _ = Describe("GitOps Operator Sequential E2E Tests", func() {
 
 			By("0) create namespaces: appset-argocd, team-1, team-2, team-frontend, team-backend, other-ns")
 
-			fixture.SetEnvInOperatorSubscriptionOrDeployment("ARGOCD_CLUSTER_CONFIG_NAMESPACES", "openshift-gitops, argocd-e2e-cluster-config, appset-argocd")
-
 			appset_wildcard_argocdNS, cleanupFunc := fixture.CreateNamespaceWithCleanupFunc("appset-argocd")
 			cleanupFunctions = append(cleanupFunctions, cleanupFunc)
 
@@ -981,8 +982,6 @@ var _ = Describe("GitOps Operator Sequential E2E Tests", func() {
 
 		It("verifies ApplicationSet clusterrole rules and creates appset/app in another namespace", func() {
 
-			fixture.SetEnvInOperatorSubscriptionOrDeployment("ARGOCD_CLUSTER_CONFIG_NAMESPACES", "openshift-gitops, argocd-e2e-cluster-config, appset-argocd-clusterrole,appset-target-ns")
-
 			By("creating Argo CD namespace and target source namespace")
 			argoNamespace, cleanupFunc := fixture.CreateNamespaceWithCleanupFunc("appset-argocd-clusterrole")
 			cleanupFunctions = append(cleanupFunctions, cleanupFunc)
@@ -1194,5 +1193,92 @@ var _ = Describe("GitOps Operator Sequential E2E Tests", func() {
 			Eventually(appset).Should(k8sFixture.NotExistByName())
 		})
 
+		It("defaults tokenRef strict mode to true when applicationSet sourceNamespaces are configured", func() {
+			appsetArgocdNS, cleanupFunc := fixture.CreateNamespaceWithCleanupFunc("appset-argocd")
+			cleanupFunctions = append(cleanupFunctions, cleanupFunc)
+
+			targetNS, cleanupFunc := fixture.CreateNamespaceWithCleanupFunc("appset-target-ns")
+			cleanupFunctions = append(cleanupFunctions, cleanupFunc)
+
+			argoCD := &v1beta1.ArgoCD{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "tokenref-strict-true",
+					Namespace: appsetArgocdNS.Name,
+				},
+				Spec: v1beta1.ArgoCDSpec{
+					ApplicationSet: &v1beta1.ArgoCDApplicationSet{
+						SourceNamespaces: []string{targetNS.Name},
+					},
+				},
+			}
+			Expect(k8sClient.Create(ctx, argoCD)).To(Succeed())
+
+			cmdParamsCM := &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      common.ArgoCDCmdParamsConfigMapName,
+					Namespace: argoCD.Namespace,
+				},
+			}
+			Eventually(cmdParamsCM, "3m", "5s").Should(configmapFixture.HaveStringDataKeyValue(common.ArgoCDApplicationSetControllerTokenRefStrictModeCmdParamKey, "true"))
+		})
+
+		It("defaults tokenRef strict mode to false when applicationSet sourceNamespaces are empty on create", func() {
+			appsetArgocdNS, cleanupFunc := fixture.CreateNamespaceWithCleanupFunc("appset-argocd")
+			cleanupFunctions = append(cleanupFunctions, cleanupFunc)
+
+			argoCD := &v1beta1.ArgoCD{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "tokenref-strict-false-empty",
+					Namespace: appsetArgocdNS.Name,
+				},
+				Spec: v1beta1.ArgoCDSpec{
+					ApplicationSet: &v1beta1.ArgoCDApplicationSet{
+						SourceNamespaces: []string{},
+					},
+				},
+			}
+			Expect(k8sClient.Create(ctx, argoCD)).To(Succeed())
+
+			cmdParamsCM := &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      common.ArgoCDCmdParamsConfigMapName,
+					Namespace: argoCD.Namespace,
+				},
+			}
+			Eventually(cmdParamsCM, "3m", "5s").Should(configmapFixture.HaveStringDataKeyValue(common.ArgoCDApplicationSetControllerTokenRefStrictModeCmdParamKey, "false"))
+		})
+
+		It("spec.cmdParams overrides tokenRef strict mode default", func() {
+			appsetArgocdNS, cleanupFunc := fixture.CreateNamespaceWithCleanupFunc("appset-argocd")
+			cleanupFunctions = append(cleanupFunctions, cleanupFunc)
+
+			targetNS, cleanupFunc := fixture.CreateNamespaceWithCleanupFunc("appset-target-ns")
+			cleanupFunctions = append(cleanupFunctions, cleanupFunc)
+
+			argoCD := &v1beta1.ArgoCD{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "tokenref-strict-optout",
+					Namespace: appsetArgocdNS.Name,
+				},
+				Spec: v1beta1.ArgoCDSpec{
+					ApplicationSet: &v1beta1.ArgoCDApplicationSet{
+						SourceNamespaces: []string{targetNS.Name},
+					},
+					CmdParams: map[string]string{
+						common.ArgoCDApplicationSetControllerTokenRefStrictModeCmdParamKey: "false",
+					},
+				},
+			}
+			Expect(k8sClient.Create(ctx, argoCD)).To(Succeed())
+
+			cmdParamsCM := &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      common.ArgoCDCmdParamsConfigMapName,
+					Namespace: argoCD.Namespace,
+				},
+			}
+			Eventually(cmdParamsCM, "3m", "5s").Should(configmapFixture.HaveStringDataKeyValue(common.ArgoCDApplicationSetControllerTokenRefStrictModeCmdParamKey, "false"))
+		})
+
 	})
 })