Downstream testing tokenRef default Restrictions for ApplicationSet A…

[nmirasch]

…ny-Namespace Mode

What type of PR is this?

Uncomment only one /kind line, and delete the rest.
For example, > /kind bug would simply become: /kind bug

/kind test

What does this PR do / why we need it:
Update the argocd-operator dependency to argoproj-labs/argocd-operator@e8e51ab, which enforces
ApplicationSet tokenRef strict mode defaults via argocd-cmd-params-cm when
applicationSet sourceNamespaces are configured.

Add downstream e2e coverage in 1-037 to verify the cmd-params key defaults
to true/false based on sourceNamespaces and can be overridden via
spec.cmdParams. Adjust the ImageUpdater test for argocd-image-updater v1.2.0.

Have you updated the necessary documentation?

• Documentation update is required by this PR.
• Documentation has been updated.

Which issue(s) this PR fixes:

Fixes: https://redhat.atlassian.net/browse/GITOPS-9735

Test acceptance criteria:

• Unit Test
• [ X] E2E Test

How to test changes / Special notes to the reviewer:

[openshift-ci]

Hi @nmirasch. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Bump Go toolchain and many module versions; align CI/Docker builder images; simplify ImageUpdater CR creation; centralize ARGOCD_CLUSTER_CONFIG_NAMESPACES and add ApplicationSet tokenRef strict-mode tests; update health import paths and convert several boolean fields to pointer booleans in tests.

Changes

Dependency and build updates

Layer / File(s)	Summary
Go version and dependency updates go.mod	Go toolchain set to 1.26.2 and multiple direct/indirect module versions bumped; gitops-engine replace pin updated.
CI and Docker builder image bumps Dockerfile, .ci-operator.yaml, openshift-ci/build-root/Dockerfile	Builder base image and CI build-root image tags updated to match Go 1.26.2 toolset.

E2E Test Updates

Layer / File(s)	Summary
ApplicationSet namespace configuration and tokenRef tests test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go	Imported configmapFixture, expanded suite-level ARGOCD_CLUSTER_CONFIG_NAMESPACES, removed redundant per-test env setup, and added three It tests asserting tokenRef strict-mode defaults and override behavior via the ArgoCD command-params ConfigMap.
ImageUpdater spec cleanup test/openshift/e2e/ginkgo/parallel/1-121_validate_image_updater_test.go	Removed explicit Spec.Namespace from ImageUpdater CR construction; namespace remains set via ObjectMeta; updated health import path.
SyncPolicy pointer boolean corrections test/openshift/e2e/ginkgo/sequential/*, test/openshift/e2e/ginkgo/parallel/*	Replaced boolean literals with ptr.To(true) pointer booleans for SyncPolicy.Automated.Prune and SelfHeal; added k8s.io/utils/ptr import where needed.
Readiness matcher logging tweak test/openshift/e2e/ginkgo/fixture/argocd/fixture.go	Readiness wait logging now prints expected "Available" and actual .status.phase to GinkgoWriter.
Health import path and trivial import reorders test/openshift/e2e/ginkgo/... (many files)	Updated many test imports to use github.com/argoproj/argo-cd/gitops-engine/pkg/... and reordered imports in several test files.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: adding downstream testing for tokenRef default restrictions for ApplicationSet in any-namespace mode, which aligns with the PR's primary objective of adding e2e coverage.
Description check	✅ Passed	The description is well-related to the changeset, explaining the dependency update for argocd-operator, e2e test additions for tokenRef strict-mode defaults, and ImageUpdater test adjustments.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[svghadi]

/ok-to-test

[nmirasch]

/retest

[nmirasch]

/retest

[nmirasch]

/retest

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

go.mod (2)

231-263: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Fix Kubernetes dependency skew in go.mod replace block (v0.35.2 required, v0.34.0 replaced).

go.mod requires core k8s.io/* modules at v0.35.2 (lines 27-30), but the replace block pins a broad set of k8s.io/* modules to v0.34.0 (lines 231-262). This can introduce API/type skew across the Kubernetes dependency graph and make the build behavior depend on replace side effects rather than the intended versions.

Align the replace block to v0.35.2 (or remove the replaces if not required).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 231 - 263, The replace block in go.mod pins many
k8s.io/* modules to v0.34.0 causing dependency skew with the required v0.35.2;
update the replace entries that reference k8s.io/api, k8s.io/apimachinery,
k8s.io/client-go, etc. in the replace block to v0.35.2 (or remove the entire
k8s.io/* replace block if it’s unnecessary) so all k8s.io/* modules align with
the project’s declared v0.35.2 dependencies and prevent API/type mismatches.

---

223-223: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Remove/align the golang.org/x/tools replace to prevent tooling drift

go.mod targets Go 1.26.0, but it requires golang.org/x/tools v0.44.0 (line 183) while replace forces golang.org/x/tools v0.35.0 (line 223). This forced downgrade can cause analyzer/gopls/IDE behavior to diverge from what the selected module graph expects.

Unless there’s a proven blocker, remove the replace or bump it to match the selected x/tools version (or document why the downgrade is necessary).

golang.org/x/tools => golang.org/x/tools v0.35.0

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` at line 223, The replace directive forcing golang.org/x/tools to
v0.35.0 conflicts with the required golang.org/x/tools v0.44.0 for Go 1.26.0;
remove the replace entry for golang.org/x/tools or update it to v0.44.0 (or add
a brief comment documenting a justified downgrade) so the module graph and
tooling (gopls/analyzers) use the same x/tools version.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@go.mod`:
- Around line 231-263: The replace block in go.mod pins many k8s.io/* modules to
v0.34.0 causing dependency skew with the required v0.35.2; update the replace
entries that reference k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, etc.
in the replace block to v0.35.2 (or remove the entire k8s.io/* replace block if
it’s unnecessary) so all k8s.io/* modules align with the project’s declared
v0.35.2 dependencies and prevent API/type mismatches.
- Line 223: The replace directive forcing golang.org/x/tools to v0.35.0
conflicts with the required golang.org/x/tools v0.44.0 for Go 1.26.0; remove the
replace entry for golang.org/x/tools or update it to v0.44.0 (or add a brief
comment documenting a justified downgrade) so the module graph and tooling
(gopls/analyzers) use the same x/tools version.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 9f6e59a3-4856-4085-93f8-133d5379e099

📥 Commits

Reviewing files that changed from the base of the PR and between 0654673 and cd0563a.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (10)

• .ci-operator.yaml
• Dockerfile
• go.mod
• openshift-ci/build-root/Dockerfile
• test/openshift/e2e/ginkgo/fixture/application/fixture.go
• test/openshift/e2e/ginkgo/parallel/1-046_validate_application_tracking_test.go
• test/openshift/e2e/ginkgo/sequential/1-053_validate_argocd_agent_principal_connected_test.go
• test/openshift/e2e/ginkgo/sequential/1-102_validate_handle_terminating_namespaces_test.go
• test/openshift/e2e/ginkgo/sequential/1-108_alternate_cluster_roles_cluster_scoped_instance_test.go
• test/openshift/e2e/ginkgo/sequential/1-120_repo_server_system_ca_trust.go

✅ Files skipped from review due to trivial changes (4)

• Dockerfile
• .ci-operator.yaml
• openshift-ci/build-root/Dockerfile
• test/openshift/e2e/ginkgo/parallel/1-046_validate_application_tracking_test.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@go.mod`:
- Around line 195-197: Update the stale go.mod replace pins that override the
intended Kubernetes bump: locate the replace directives referencing
k8s.io/cli-runtime and k8s.io/component-helpers (and any other k8s.io/* replace
entries) and either update their target versions to v0.35.2 to match the require
lines or remove the unnecessary replace directives so the module graph resolves
to the required v0.35.2 versions consistently.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: b4a8fbbd-ceb5-4932-b1ee-71ae337a11b2

📥 Commits

Reviewing files that changed from the base of the PR and between cd0563a and b382d86.

📒 Files selected for processing (1)

• go.mod

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate go.mod and print relevant sections with line numbers
ls -la
if [ -f go.mod ]; then
  echo "== go.mod =="
  nl -ba go.mod | sed -n '160,280p'
else
  echo "go.mod not found at repo root"
  exit 1
fi

Repository: redhat-developer/gitops-operator

Length of output: 2287

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== go.mod: lines 185-210 =="
awk 'NR>=185 && NR<=210 {printf "%d\t%s\n", NR, $0}' go.mod

echo
echo "== go.mod: lines 220-250 =="
awk 'NR>=220 && NR<=250 {printf "%d\t%s\n", NR, $0}' go.mod

echo
echo "== go.mod: matches for k8s.io/cli-runtime =="
rg -n "k8s\.io/cli-runtime" go.mod || true

echo
echo "== go.mod: matches for k8s.io/component-helpers =="
rg -n "k8s\.io/component-helpers" go.mod || true

echo
echo "== go.mod: replace block for k8s.io/* (if any) =="
rg -n "^replace\s+k8s\.io/" go.mod || true

Repository: redhat-developer/gitops-operator

Length of output: 3532

---

Kubernetes version bump is neutralized by stale replace pins in go.mod.

In go.mod (requires at lines 195-197), k8s.io/cli-runtime and k8s.io/component-helpers are set to v0.35.2, but the Kubernetes replace block pins them back to v0.34.0 (k8s.io/cli-runtime => ... v0.34.0, k8s.io/component-helpers => ... v0.34.0). Because replace takes precedence over require, the upgrade intent is defeated and version skew risk increases.

Align the k8s.io/* replace entries to v0.35.2 (or remove unnecessary replace directives) so the module graph resolves consistently.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 195 - 197, Update the stale go.mod replace pins that
override the intended Kubernetes bump: locate the replace directives referencing
k8s.io/cli-runtime and k8s.io/component-helpers (and any other k8s.io/* replace
entries) and either update their target versions to v0.35.2 to match the require
lines or remove the unnecessary replace directives so the module graph resolves
to the required v0.35.2 versions consistently.

[coderabbitai]

♻️ Duplicate comments (1)

go.mod (1)

26-29: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Kubernetes dependency bump is effectively overridden by the replace block.

go.mod declares several k8s.io/* modules at v0.35.2 (e.g., Line 26–Line 29, Line 194–Line 196), but Line 230–Line 261 force those modules back to v0.34.0 via replace. This creates dependency skew and defeats the intended upgrade in this PR.

Suggested minimal fix

-	k8s.io/api => k8s.io/api v0.34.0
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.34.0
-	k8s.io/apimachinery => k8s.io/apimachinery v0.34.0
-	k8s.io/apiserver => k8s.io/apiserver v0.34.0
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.34.0
-	k8s.io/client-go => k8s.io/client-go v0.34.0
+	k8s.io/api => k8s.io/api v0.35.2
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.35.2
+	k8s.io/apimachinery => k8s.io/apimachinery v0.35.2
+	k8s.io/apiserver => k8s.io/apiserver v0.35.2
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.35.2
+	k8s.io/client-go => k8s.io/client-go v0.35.2
 	...
-	k8s.io/component-base => k8s.io/component-base v0.34.0
-	k8s.io/component-helpers => k8s.io/component-helpers v0.34.0
+	k8s.io/component-base => k8s.io/component-base v0.35.2
+	k8s.io/component-helpers => k8s.io/component-helpers v0.35.2

(Or remove unnecessary k8s.io/* replaces entirely if no longer needed.)

As per coding guidelines, "Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity."

Also applies to: 194-196, 230-261

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@go.mod` around lines 26 - 29, The go.mod declares k8s.io/* modules at v0.35.2
but a replace block later pins those same modules to v0.34.0, which negates the
upgrade; remove or update the replace entries that reference the k8s.io modules
(the replace entries forcing v0.34.0) so they either point to v0.35.2 or are
deleted if no longer needed, ensuring the declared module versions (k8s.io/api,
k8s.io/apiextensions-apiserver, k8s.io/apimachinery, k8s.io/client-go) take
effect and avoid dependency skew.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@go.mod`:
- Around line 26-29: The go.mod declares k8s.io/* modules at v0.35.2 but a
replace block later pins those same modules to v0.34.0, which negates the
upgrade; remove or update the replace entries that reference the k8s.io modules
(the replace entries forcing v0.34.0) so they either point to v0.35.2 or are
deleted if no longer needed, ensuring the declared module versions (k8s.io/api,
k8s.io/apiextensions-apiserver, k8s.io/apimachinery, k8s.io/client-go) take
effect and avoid dependency skew.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 8253bc5d-381a-40a9-a80c-8c5310a44daa

📥 Commits

Reviewing files that changed from the base of the PR and between b382d86 and 473d4ce.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (25)

• Dockerfile
• go.mod
• test/openshift/e2e/ginkgo/fixture/application/fixture.go
• test/openshift/e2e/ginkgo/fixture/argocd/fixture.go
• test/openshift/e2e/ginkgo/parallel/1-008_validate-custom-argocd-namespace_test.go
• test/openshift/e2e/ginkgo/parallel/1-009_validate-manage-other-namespace_test.go
• test/openshift/e2e/ginkgo/parallel/1-012_validate-managed-by-chain_test.go
• test/openshift/e2e/ginkgo/parallel/1-023_validate_repo_server_tls_test.go
• test/openshift/e2e/ginkgo/parallel/1-025-validate-managed-by-change_test.go
• test/openshift/e2e/ginkgo/parallel/1-054_validate_deploymentconfig_test.go
• test/openshift/e2e/ginkgo/parallel/1-058_validate_prometheus_rule_test.go
• test/openshift/e2e/ginkgo/parallel/1-070_validate_config_management_plugin_test.go
• test/openshift/e2e/ginkgo/parallel/1-116_annotation-based-tracking_test.go
• test/openshift/e2e/ginkgo/parallel/1-121_validate_image_updater_test.go
• test/openshift/e2e/ginkgo/parallel/1-122_validate_user_defined_appproject.go
• test/openshift/e2e/ginkgo/sequential/1-006_validate_machine_config_test.go
• test/openshift/e2e/ginkgo/sequential/1-008_validate-4.9CI-Failures_test.go
• test/openshift/e2e/ginkgo/sequential/1-010_validate-ootb-manage-other-namespace_test.go
• test/openshift/e2e/ginkgo/sequential/1-027_validate_operand_from_git_test.go
• test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go
• test/openshift/e2e/ginkgo/sequential/1-053_validate_argocd_agent_principal_connected_test.go
• test/openshift/e2e/ginkgo/sequential/1-059_validate_argocd_agent_terminal_streaming_test.go
• test/openshift/e2e/ginkgo/sequential/1-064_validate_tcp_reset_error_test.go
• test/openshift/e2e/ginkgo/sequential/1-108_alternate_cluster_roles_cluster_scoped_instance_test.go
• test/openshift/e2e/ginkgo/sequential/1-113_validate_namespacemanagement_test.go

✅ Files skipped from review due to trivial changes (13)

• test/openshift/e2e/ginkgo/parallel/1-058_validate_prometheus_rule_test.go
• test/openshift/e2e/ginkgo/parallel/1-012_validate-managed-by-chain_test.go
• test/openshift/e2e/ginkgo/sequential/1-027_validate_operand_from_git_test.go
• test/openshift/e2e/ginkgo/parallel/1-070_validate_config_management_plugin_test.go
• test/openshift/e2e/ginkgo/parallel/1-116_annotation-based-tracking_test.go
• test/openshift/e2e/ginkgo/sequential/1-008_validate-4.9CI-Failures_test.go
• test/openshift/e2e/ginkgo/sequential/1-064_validate_tcp_reset_error_test.go
• test/openshift/e2e/ginkgo/sequential/1-113_validate_namespacemanagement_test.go
• Dockerfile
• test/openshift/e2e/ginkgo/parallel/1-122_validate_user_defined_appproject.go
• test/openshift/e2e/ginkgo/parallel/1-009_validate-manage-other-namespace_test.go
• test/openshift/e2e/ginkgo/sequential/1-059_validate_argocd_agent_terminal_streaming_test.go
• test/openshift/e2e/ginkgo/fixture/application/fixture.go

🚧 Files skipped from review as they are similar to previous changes (4)

• test/openshift/e2e/ginkgo/parallel/1-121_validate_image_updater_test.go
• test/openshift/e2e/ginkgo/sequential/1-108_alternate_cluster_roles_cluster_scoped_instance_test.go
• test/openshift/e2e/ginkgo/sequential/1-053_validate_argocd_agent_principal_connected_test.go
• test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go

[nmirasch]

/retest

[svghadi]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: svghadi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [svghadi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[svghadi]

/cherry-pick v1.21

[openshift-cherrypick-robot]

@svghadi: once the present PR merges, I will cherry-pick it on top of v1.21 in a new PR and assign it to you.

Details

In response to this:

/cherry-pick v1.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@svghadi: new pull request created: #1169

Details

In response to this:

/cherry-pick v1.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@nmirasch: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/v4.14-ci-index-gitops-operator-bundle	b3da9fd	link	unknown	/test v4.14-ci-index-gitops-operator-bundle
ci/prow/v4.19-kuttl-parallel	b3da9fd	link	unknown	/test v4.19-kuttl-parallel

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.