Skip to content

Precreate the openshift-gitops-cluster-admin-rolebinding CRB #51

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mbaldessari merged 2 commits into from
Mar 19, 2026
Merged

Precreate the openshift-gitops-cluster-admin-rolebinding CRB #51

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b3f6618
Precreate the openshift-gitops-cluster-admin-rolebinding CRB
mbaldessari Mar 18, 2026
a8584af
Fix unit tests and add one for the added template
mbaldessari Mar 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions templates/policies/application-policies.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,23 @@ spec:
include:
- default
object-templates:
- complianceType: mustonlyhave
objectDefinition:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: openshift-gitops-cluster-admin-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: openshift-gitops-argocd-application-controller
namespace: openshift-gitops
- kind: ServiceAccount
name: openshift-gitops-argocd-server
namespace: openshift-gitops
- complianceType: mustonlyhave
objectDefinition:
apiVersion: argoproj.io/v1alpha1
Expand Down
93 changes: 76 additions & 17 deletions tests/application_policy_test.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,65 @@ tests:
path: spec.clusterSelector.matchLabels.clusterGroup
value: group-two

# Test for openshift-gitops-cluster-admin-rolebinding CRB
- it: Should precreate the openshift-gitops-cluster-admin-rolebinding ClusterRoleBinding
values:
- ./clusterselector_values.yaml
set:
global:
multiSourceSupport: true
multiSourceRepoUrl: "https://charts.example.com"
multiSourceTargetRevision: "0.1.0"
asserts:
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.kind
value: ClusterRoleBinding
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.metadata.name
value: openshift-gitops-cluster-admin-rolebinding
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.roleRef.kind
value: ClusterRole
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.roleRef.name
value: cluster-admin
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].complianceType
value: mustonlyhave
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
contains:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.subjects
content:
kind: ServiceAccount
name: openshift-gitops-argocd-application-controller
namespace: openshift-gitops
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
contains:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.subjects
content:
kind: ServiceAccount
name: openshift-gitops-argocd-server
namespace: openshift-gitops

# Tests for clusterGroupGitRepoUrl and clusterGroupChartGitRevision
- it: Should use chart clustergroup when clusterGroupGitRepoUrl is not set
values:
Expand All @@ -101,25 +160,25 @@ tests:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].chart
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].chart
value: clustergroup
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].repoURL
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].repoURL
value: "https://charts.example.com"
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].targetRevision
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].targetRevision
value: "0.1.0"
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
isNull:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].path
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].path

- it: Should use path when clusterGroupGitRepoUrl is set
values:
Expand All @@ -138,25 +197,25 @@ tests:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].path
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].path
value: "."
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].repoURL
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].repoURL
value: "https://github.com/example/clustergroup-chart"
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].targetRevision
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].targetRevision
value: "feature-branch"
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
isNull:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].chart
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].chart

- it: Should use clusterGroupGitRepoUrl with fallback to multiSourceTargetRevision when only clusterGroupGitRepoUrl is set
values:
Expand All @@ -174,19 +233,19 @@ tests:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].path
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].path
value: "."
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].repoURL
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].repoURL
value: "https://github.com/example/clustergroup-chart"
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].targetRevision
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].targetRevision
value: "0.1.0"

- it: should render a spoke app of apps with the correct helm parameters (no deletePattern set)
Expand All @@ -208,19 +267,19 @@ tests:
path: metadata.name
value: group-one-clustergroup-policy
lengthEqual:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters
count: 20 # 17 (in the helper) +3 (1 override, and 1 clusterGroup.name)
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters[16].name
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters[16].name
value: "global.deletePattern"
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters[16].value
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters[16].value
value: null

- it: should render a spoke app of apps with the correct helm parameters (if deletePattern set to DeleteSpokeChildApps)
Expand All @@ -243,19 +302,19 @@ tests:
path: metadata.name
value: group-one-clustergroup-policy
lengthEqual:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters
count: 20 # 17 (in the helper) +3 (1 override, and 1 clusterGroup.name)
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters[16].name
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters[16].name
value: "global.deletePattern"
- documentSelector:
path: metadata.name
value: group-one-clustergroup-policy
equal:
path: spec.policy-templates[0].objectDefinition.spec.object-templates[0].objectDefinition.spec.sources[1].helm.parameters[16].value
path: spec.policy-templates[0].objectDefinition.spec.object-templates[1].objectDefinition.spec.sources[1].helm.parameters[16].value
value: "DeleteChildApps"

- it: should not render a spoke app of apps (if deletePattern set to DeleteSpoke)
Expand Down
Loading