Feat: disable GitOps Service and default instance on xKS clusters

[anandrkskd]

What type of PR is this?
/kind enhancement

What does this PR do / why we need it:

The OpenShift GitOps Operator assumes an OpenShift cluster today: it registers the GitopsService controller, auto-creates a default Argo CD instance in openshift-gitops, and configures Dex/SSO against OpenShift authentication.
On xKS (non-OpenShift Kubernetes) clusters, those behaviors are not required and can cause failures.

This PR detects non-OpenShift clusters at startup by checking whether the config.openshift.io API is present (via existing InspectCluster() discovery). When it is not found, the operator:

1. Skips ReconcileGitopsService controller registration — this controller manages OpenShift-specific resources (default Argo CD instance, console plugin backend, RBAC, namespace setup, and related reconciliation) that do not apply on xKS.
2. Prevents default Argo CD instance provisioning — no openshift-gitops Argo CD CR is created on xKS.
3. Skips SSO/Dex in the default Argo CD CR template — getArgoSSOSpec() returns nil on non-OpenShift clusters, so Dex is not configured when NewCR() is used.
   On OpenShift clusters, behavior is unchanged. The existing DISABLE_DEFAULT_ARGOCD_INSTANCE environment variable continues to work as before.

Have you updated the necessary documentation?

• Documentation update is required by this PR.
• Documentation has been updated.

Which issue(s) this PR fixes:

Fixes https://redhat.atlassian.net/browse/GITOPS-9943

Test acceptance criteria:

• Unit Test
• E2E Test

How to test changes / Special notes to the reviewer:

On xKS (vanilla Kubernetes or cluster without config.openshift.io):

1. Install the operator.
2. Confirm operator logs contain: Non-OpenShift cluster detected, skipping GitopsService controller setup
3. Confirm no Argo CD CR named openshift-gitops is created in openshift-gitops.
4. Confirm the GitopsService controller is not running (no reconciliation of console plugin backend resources).

On OpenShift:

1. Install the operator without DISABLE_DEFAULT_ARGOCD_INSTANCE.
2. Confirm default Argo CD instance is still created in openshift-gitops.
3. Confirm GitopsService controller runs and console plugin resources are reconciled as before.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 6cfb9f44-bc21-479a-8833-b493cd1f7a14

📥 Commits

Reviewing files that changed from the base of the PR and between 00b53d8 and aecf34c.

📒 Files selected for processing (1)

• controllers/argocd/argocd_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• controllers/argocd/argocd_test.go

---

📝 Walkthrough

Summary by CodeRabbit

• Bug Fixes

  • Improved handling of non-OpenShift cluster environments by conditionally disabling GitOps controller registration and SSO configuration when the OpenShift API is unavailable.
  • Enhanced external authentication checks to properly skip Dex setup on unsupported cluster types.

• Tests

  • Added test coverage for SSO configuration on non-OpenShift clusters.

Walkthrough

Adds an exported OpenShift detection helper and uses it to: (1) skip registering the ReconcileGitopsService controller on non-OpenShift clusters, and (2) skip ArgoCD SSO/Dex configuration when the cluster is not OpenShift or external auth is enabled. Tests updated to assert both paths.

Changes

OpenShift gating and controller/SSO behavior

Layer / File(s)	Summary
Cluster inspection helpers controllers/util/util.go	Adds exported IsConfigAPIFound() and IsOpenShiftCluster() helpers for detecting the OpenShift Config API.
ArgoCD SSO gating in controller controllers/argocd/argocd.go	Adds package logger and changes getArgoSSOSpec to return nil (and log) when not OpenShift or when external authentication is enabled; otherwise returns Dex-enabled ArgoCDSSOSpec.
Tests for OpenShift vs non-OpenShift behavior controllers/argocd/argocd_test.go	Imports controllers/util, forces SetConfigAPIFound(true/false) in tests, and adds TestSSOSkippedOnNonOpenShift asserting Spec.SSO == nil when not OpenShift.
Controller wiring gated by OpenShift detection cmd/main.go	Adds comment and conditions ReconcileGitopsService SetupWithManager on util.IsOpenShiftCluster(); logs and skips setup when false.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: disabling GitOps Service and default instance on non-OpenShift (xKS) clusters, which is the core objective of the PR.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, explaining the rationale, implementation details, testing criteria, and expected behavior on both xKS and OpenShift clusters.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign trdoyle81 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[anandrkskd]

/retest

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

controllers/argocd/argocd.go (1)

101-103: 💤 Low value

Consider passing context through instead of using context.TODO().

Using context.TODO() is not ideal for production code. Consider adding a context.Context parameter to getArgoSSOSpec and passing it through from the caller.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/argocd/argocd.go` around lines 101 - 103, The code uses
context.TODO() when calling
argoappController.IsExternalAuthenticationEnabledOnCluster; update
getArgoSSOSpec to accept a context.Context parameter, replace context.TODO()
with that ctx when calling IsExternalAuthenticationEnabledOnCluster, and
propagate the new ctx through any callers of getArgoSSOSpec (update signatures
and call sites accordingly); ensure any helper functions called within
getArgoSSOSpec that currently use context.TODO() also accept/receive the
propagated ctx.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@controllers/argocd/argocd_test.go`:
- Around line 234-249: The test TestSSOSkippedOnNonOpenShift sets
util.SetConfigAPIFound(false) but defers util.SetConfigAPIFound(true), which
mismatches the actual default (false) in util.go and other tests (TestArgoCD,
TestDexConfiguration); change the deferred call in TestSSOSkippedOnNonOpenShift
to util.SetConfigAPIFound(false) so the test restores the real default and
avoids cross-test pollution.

---

Nitpick comments:
In `@controllers/argocd/argocd.go`:
- Around line 101-103: The code uses context.TODO() when calling
argoappController.IsExternalAuthenticationEnabledOnCluster; update
getArgoSSOSpec to accept a context.Context parameter, replace context.TODO()
with that ctx when calling IsExternalAuthenticationEnabledOnCluster, and
propagate the new ctx through any callers of getArgoSSOSpec (update signatures
and call sites accordingly); ensure any helper functions called within
getArgoSSOSpec that currently use context.TODO() also accept/receive the
propagated ctx.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 77aecd47-2f3f-4e6b-8c85-f460ea8fbb30

📥 Commits

Reviewing files that changed from the base of the PR and between 9aafd89 and 00b53d8.

📒 Files selected for processing (4)

• cmd/main.go
• controllers/argocd/argocd.go
• controllers/argocd/argocd_test.go
• controllers/util/util.go

[anandrkskd]

/retest

[anandrkskd]

/retest

[svghadi]

/lgtm

Just had one question regarding console-plugin and backend. They are controlled by gitopsservice controller. Is it expected that even these components shouldn't run on xks env?

[anandrkskd]

Console plugin and gitops-backend are OpenShift specific, and are not required to run on non-OpenShift/xKS platforms. Disabling GitOps Service should take care of this.