redhat-developer · openshift-merge-bot · Jun 5, 2026 · Jun 4, 2026 · coderabbitai · Jun 4, 2026
diff --git a/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go b/test/openshift/e2e/ginkgo/parallel/1-031_validate_toolchain_test.go
@@ -100,7 +100,7 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 			} else {
 				// when running against RC/ released version of gitops
 				expected_dexVersion = "v2.45.0"
-				expected_redisVersion = "7.2.11"
+				expected_redisVersion = "8.2.3"
 			}
 
 			By("locating pods containing toolchain in openshift-gitops")

diff --git a/test/openshift/e2e/ginkgo/parallel/1-095_validate_dex_clientsecret_test.go b/test/openshift/e2e/ginkgo/parallel/1-095_validate_dex_clientsecret_test.go
@@ -18,7 +18,6 @@ package parallel
 
 import (
 	"context"
-	"strings"
 
 	argov1beta1api "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 	. "github.com/onsi/ginkgo/v2"
@@ -90,30 +89,26 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 
 			By("validating that the Dex Client Secret was copied from dex serviceaccount token secret in to argocd-secret, by the operator")
 
-			// To verify the behavior we should first get the token secret name of the dex service account.
+			// The operator now creates an Opaque secret with a deterministic name for the Dex token
+			// (via TokenRequest API) instead of using auto-generated kubernetes.io/service-account-token secrets.
+			// The secret name follows the pattern: <argocd-name>-<dex-sa-name>-token
+			dexTokenSecretName := "example-argocd-argocd-dex-server-token" // #nosec G101 -- This is a Kubernetes secret name, not a credential
 
-			var secretName string
-			for _, secretData := range serviceAccount.Secrets {
-
-				if strings.Contains(secretData.Name, "token") {
-					secretName = secretData.Name
-				}
-			}
-			Expect(secretName).ToNot(BeEmpty())
-
-			// Extract the clientSecret
-			secretReferencedFromServiceAccount := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: secretName, Namespace: ns.Name}}
-			Eventually(secretReferencedFromServiceAccount).Should(k8sFixture.ExistByName())
-			tokenFromSASecret := secretReferencedFromServiceAccount.Data["token"]
-			Expect(tokenFromSASecret).ToNot(BeEmpty())
+			// Extract the clientSecret from the Dex token secret
+			dexTokenSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: dexTokenSecretName, Namespace: ns.Name}}
+			Eventually(dexTokenSecret, "30s", "2s").Should(k8sFixture.ExistByName())
+			tokenFromDexSecret := dexTokenSecret.Data["token"]
+			Expect(tokenFromDexSecret).ToNot(BeEmpty())
+			// Verify the secret also contains an expiry field
+			Expect(dexTokenSecret.Data["expiry"]).ToNot(BeEmpty())
 
 			// actualClientSecret is the value of the secret in argocd-secret where argocd-operator should copy the secret from
 			argocdSecret := &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "argocd-secret", Namespace: ns.Name}}
 			Eventually(argocdSecret).Should(k8sFixture.ExistByName())
 
 			actualClientSecret := argocdSecret.Data["oidc.dex.clientSecret"]
 
-			Expect(string(actualClientSecret)).To(Equal(string(tokenFromSASecret)), "Dex Client Secret for OIDC is not valid")
+			Expect(string(actualClientSecret)).To(Equal(string(tokenFromDexSecret)), "Dex Client Secret for OIDC is not valid")
 
 		})
 

diff --git a/test/openshift/e2e/ginkgo/parallel/1-098_validate_dex_clientsecret_deprecated.go b/test/openshift/e2e/ginkgo/parallel/1-098_validate_dex_clientsecret_deprecated.go
@@ -19,7 +19,6 @@ package parallel
 import (
 	"context"
 	"fmt"
-	"strings"
 
 	argov1beta1api "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 	. "github.com/onsi/ginkgo/v2"
@@ -86,40 +85,31 @@ var _ = Describe("GitOps Operator Parallel E2E Tests", func() {
 
 			By("validating that the Dex Client Secret was copied from dex serviceaccount token secret to argocd-secret, by the operator")
 			Eventually(func() error {
-				// Get the service account and find its token secret
-				err := k8sClient.Get(ctx, client.ObjectKeyFromObject(dexServiceAccount), dexServiceAccount)
-				if err != nil {
-					return err
-				}
-
-				// Find the token secret from the service account secrets
-				var tokenSecretName string
-				for _, secret := range dexServiceAccount.Secrets {
-					if secret.Name != "" && strings.Contains(secret.Name, "token") {
-						tokenSecretName = secret.Name
-						break
-					}
-				}
+				// The operator now creates an Opaque secret with a deterministic name for the Dex token
+				// (via TokenRequest API) instead of using auto-generated kubernetes.io/service-account-token secrets.
+				// The secret name follows the pattern: <argocd-name>-<dex-sa-name>-token
+				dexTokenSecretName := "example-argocd-argocd-dex-server-token" // #nosec G101 -- This is a Kubernetes secret name, not a credential
 
-				if tokenSecretName == "" {
-					return fmt.Errorf("no token secret found for service account %s", dexServiceAccount.Name)
-				}
-
-				// Get the token secret and extract the token
-				tokenSecret := &corev1.Secret{
+				// Get the Dex token secret and extract the token
+				dexTokenSecret := &corev1.Secret{
 					ObjectMeta: metav1.ObjectMeta{
-						Name:      tokenSecretName,
+						Name:      dexTokenSecretName,
 						Namespace: namespace.Name,
 					},
 				}
-				err = k8sClient.Get(ctx, client.ObjectKeyFromObject(tokenSecret), tokenSecret)
+				err := k8sClient.Get(ctx, client.ObjectKeyFromObject(dexTokenSecret), dexTokenSecret)
 				if err != nil {
 					return err
 				}
 
-				expectedClientSecret, exists := tokenSecret.Data["token"]
+				expectedClientSecret, exists := dexTokenSecret.Data["token"]
 				if !exists {
-					return fmt.Errorf("token not found in secret %s", tokenSecretName)
+					return fmt.Errorf("token not found in secret %s", dexTokenSecretName)
+				}
+
+				// Verify the secret also contains an expiry field
+				if _, exists := dexTokenSecret.Data["expiry"]; !exists {
+					return fmt.Errorf("expiry not found in secret %s", dexTokenSecretName)
 				}
 
 				// Get the argocd-secret and extract the oidc.dex.clientSecret