From 64672ad61119c51e8d60d6a9b80d40052b720771 Mon Sep 17 00:00:00 2001 From: Rizwana777 Date: Thu, 4 Jun 2026 13:18:39 +0530 Subject: [PATCH] fix: fix dex e2e test failures Signed-off-by: Rizwana777 --- .../parallel/1-031_validate_toolchain_test.go | 2 +- .../1-095_validate_dex_clientsecret_test.go | 29 ++++++-------- ...98_validate_dex_clientsecret_deprecated.go | 40 +++++++------------ 3 files changed, 28 insertions(+), 43 deletions(-) diff --git a/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go b/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go index 5f00156f4e4..c1224337c1a 100644 --- a/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go +++ b/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go @@ -100,7 +100,7 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() { } else { // when running against RC/ released version of gitops expected_dexVersion = "v2.45.0" - expected_redisVersion = "7.2.11" + expected_redisVersion = "8.2.3" } By("locating pods containing toolchain in openshift-gitops") diff --git a/test/openshift/e2e/ginkgo/parallel/1-095_validate_dex_clientsecret_test.go b/test/openshift/e2e/ginkgo/parallel/1-095_validate_dex_clientsecret_test.go index 9a3cfac1f8f..1febd4ba8df 100644 --- a/test/openshift/e2e/ginkgo/parallel/1-095_validate_dex_clientsecret_test.go +++ b/test/openshift/e2e/ginkgo/parallel/1-095_validate_dex_clientsecret_test.go @@ -18,7 +18,6 @@ package parallel import ( "context" - "strings" argov1beta1api "github.com/argoproj-labs/argocd-operator/api/v1beta1" . "github.com/onsi/ginkgo/v2" 
@@ -90,22 +89,18 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() { By("validating that the Dex Client Secret was copied from dex serviceaccount token secret in to argocd-secret, by the operator") - // To verify the behavior we should first get the token secret name of the dex service account. + // The operator now creates an Opaque secret with a deterministic name for the Dex token + // (via TokenRequest API) instead of using auto-generated kubernetes.io/service-account-token secrets. + // The secret name follows the pattern: --token + dexTokenSecretName := "example-argocd-argocd-dex-server-token" // #nosec G101 -- This is a Kubernetes secret name, not a credential - var secretName string - for _, secretData := range serviceAccount.Secrets { - - if strings.Contains(secretData.Name, "token") { - secretName = secretData.Name - } - } - Expect(secretName).ToNot(BeEmpty()) - - // Extract the clientSecret - secretReferencedFromServiceAccount := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: secretName, Namespace: ns.Name}} - Eventually(secretReferencedFromServiceAccount).Should(k8sFixture.ExistByName()) - tokenFromSASecret := secretReferencedFromServiceAccount.Data["token"] - Expect(tokenFromSASecret).ToNot(BeEmpty()) + // Extract the clientSecret from the Dex token secret + dexTokenSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: dexTokenSecretName, Namespace: ns.Name}} + Eventually(dexTokenSecret, "30s", "2s").Should(k8sFixture.ExistByName()) + tokenFromDexSecret := dexTokenSecret.Data["token"] + Expect(tokenFromDexSecret).ToNot(BeEmpty()) + // Verify the secret also contains an expiry field + Expect(dexTokenSecret.Data["expiry"]).ToNot(BeEmpty()) // actualClientSecret is the value of the secret in argocd-secret where argocd-operator should copy the secret from argocdSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "argocd-secret", Namespace: ns.Name}} 
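Review bot: The two new assertions on `dexTokenSecret` only prove that `token` and `expiry` are non-empty, so this test still passes if the operator writes an already-expired or unparseable expiry, or creates the secret with a type other than the Opaque one the comment describes. A bounded token lifetime is the security property the switch to TokenRequest gives, so it is worth pinning: add `Expect(dexTokenSecret.Type).To(Equal(corev1.SecretTypeOpaque))`, and parse `Data["expiry"]` to assert it lies in the future (the encoding is not visible in this hunk, so confirm it against the operator code). The naming-pattern comment reads `--token`, which looks like it lost its placeholders. The hard-coded `"example-argocd-argocd-dex-server-token"` repeats the instance name and would be safer built from the ArgoCD object's name. The enclosing `It` block starts and ends outside this hunk.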
@@ -113,7 +108,7 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() { actualClientSecret := argocdSecret.Data["oidc.dex.clientSecret"] - Expect(string(actualClientSecret)).To(Equal(string(tokenFromSASecret)), "Dex Client Secret for OIDC is not valid") + Expect(string(actualClientSecret)).To(Equal(string(tokenFromDexSecret)), "Dex Client Secret for OIDC is not valid") }) diff --git a/test/openshift/e2e/ginkgo/parallel/1-098_validate_dex_clientsecret_deprecated.go b/test/openshift/e2e/ginkgo/parallel/1-098_validate_dex_clientsecret_deprecated.go index 2de2bb64c7b..2eaa3c002c7 100644 --- a/test/openshift/e2e/ginkgo/parallel/1-098_validate_dex_clientsecret_deprecated.go +++ b/test/openshift/e2e/ginkgo/parallel/1-098_validate_dex_clientsecret_deprecated.go @@ -19,7 +19,6 @@ package parallel import ( "context" "fmt" - "strings" argov1beta1api "github.com/argoproj-labs/argocd-operator/api/v1beta1" . "github.com/onsi/ginkgo/v2" 
@@ -86,40 +85,31 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() { By("validating that the Dex Client Secret was copied from dex serviceaccount token secret to argocd-secret, by the operator") Eventually(func() error { - // Get the service account and find its token secret - err := k8sClient.Get(ctx, client.ObjectKeyFromObject(dexServiceAccount), dexServiceAccount) - if err != nil { - return err - } - - // Find the token secret from the service account secrets - var tokenSecretName string - for _, secret := range dexServiceAccount.Secrets { - if secret.Name != "" && strings.Contains(secret.Name, "token") { - tokenSecretName = secret.Name - break - } - } + // The operator now creates an Opaque secret with a deterministic name for the Dex token + // (via TokenRequest API) instead of using auto-generated kubernetes.io/service-account-token secrets. + // The secret name follows the pattern: --token + dexTokenSecretName := "example-argocd-argocd-dex-server-token" // #nosec G101 -- This is a Kubernetes secret name, not a credential - if tokenSecretName == "" { - return fmt.Errorf("no token secret found for service account %s", dexServiceAccount.Name) - } - - // Get the token secret and extract the token - tokenSecret := &corev1.Secret{ + // Get the Dex token secret and extract the token + dexTokenSecret := &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ - Name: tokenSecretName, + Name: dexTokenSecretName, Namespace: namespace.Name, }, } - err = k8sClient.Get(ctx, client.ObjectKeyFromObject(tokenSecret), tokenSecret) + err := k8sClient.Get(ctx, client.ObjectKeyFromObject(dexTokenSecret), dexTokenSecret) if err != nil { return err } - expectedClientSecret, exists := tokenSecret.Data["token"] + expectedClientSecret, exists := dexTokenSecret.Data["token"] if !exists { - return fmt.Errorf("token not found in secret %s", tokenSecretName) + return fmt.Errorf("token not found in secret %s", dexTokenSecretName) + } + + // Verify the secret also contains an expiry 
field + if _, exists := dexTokenSecret.Data["expiry"]; !exists { + return fmt.Errorf("expiry not found in secret %s", dexTokenSecretName) } // Get the argocd-secret and extract the oidc.dex.clientSecret
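Review bot: The new `expiry` check inside the `Eventually` closure tests only that the key is present, so a secret with an empty `expiry` passes here, and an empty `token` passes the existing `exists` check too, while 1-095 requires both to be non-empty. Changing it to `if len(dexTokenSecret.Data["expiry"]) == 0 {`, with the same form for `token`, would bring the two tests into line. The removed lines were the only use of `dexServiceAccount` visible in this closure, and it is declared outside the hunk, so confirm it is still referenced elsewhere because Go rejects unused locals. The `By(...)` text still says the secret is copied from the "dex serviceaccount token secret", which no longer matches what the closure reads. The closure continues past the end of this hunk.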