chore: sync upstream e2e tests to downstream

[varshab1210]

What type of PR is this?

/kind enhancement

What does this PR do / why we need it:

sync upstream argocd-operator e2e tests to downstream
Tested locally against 1.21 RC

Have you updated the necessary documentation?

• Documentation update is required by this PR.
• Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?

Test acceptance criteria:

• Unit Test
• E2E Test

How to test changes / Special notes to the reviewer:

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign varshab1210 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: f99b92f4-c80a-4c23-ad0e-eea4dec08445

📥 Commits

Reviewing files that changed from the base of the PR and between 99f9192 and fc863da.

📒 Files selected for processing (1)

• test/openshift/e2e/ginkgo/parallel/1-048_validate_controller_sharding_test.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• argoproj-labs/argocd-operator (manual)

🚧 Files skipped from review as they are similar to previous changes (1)

• test/openshift/e2e/ginkgo/parallel/1-048_validate_controller_sharding_test.go

---

📝 Walkthrough

Summary by CodeRabbit

• New Features
  • Extended the Argo CD CRD with per-component Prometheus ServiceMonitor tuning (interval/scrapeTimeout), Application Controller sharding algorithm selection, improved logging configuration (logFormat/logLevel with deprecated logformat), and declarative webhookSecrets with Azure DevOps username/password pairing validation.
  • Added agent resource configuration and new top-level options: clusterDomain, cmdParams, and webTerminalEnabled.
• Tests
  • Expanded OpenShift E2E coverage for logformat compatibility, controller sharding env var behavior, Dex token/secret handling, ApplicationSet cleanup/reconciliation, server serving-cert annotation restoration, webhook secret sync/preserve/remove, metrics ServiceMonitor enablement, and RoleBinding annotation propagation.

Walkthrough

Adds and extends eleven Ginkgo E2E test files across parallel and sequential suites, and expands the ArgoCD CRD schema with new configuration surfaces. E2E tests cover: deprecated lowercase logformat fields, controller sharding algorithm env vars, Dex client secret lifecycle and legacy token cleanup, ApplicationSet spec-omission resource cleanup, OpenShift serving-cert annotation restore, declarative webhook secrets syncing into argocd-secret, Prometheus ServiceMonitor metrics config propagation, RoleBinding tracking annotation non-inheritance, ApplicationSet RBAC revocation and restoration, and agent/principal ServiceMonitor toggle behavior. CRD enhancements add metrics configuration, resource limits, webhook secret management, log format standardization, sharding algorithm selection, and root-level configuration fields across both manifest and config schema files.

Changes

E2E Test Coverage Expansion and CRD Schema Enhancement

Layer / File(s)	Summary
Deprecated logformat field and sharding algorithm env var tests test/openshift/e2e/ginkgo/parallel/1-043_validate_log_level_format_test.go, test/openshift/e2e/ginkgo/parallel/1-048_validate_controller_sharding_test.go	Adds a test for deprecated spec.logformat fields propagating --logformat json to Deployment commands; extends the sharding test to assert ARGOCD_CONTROLLER_SHARDING_ALGORITHM is set/unset on the StatefulSet when DistributionAlgorithm is added or removed.
Dex client secret lifecycle and legacy token cleanup tests test/openshift/e2e/ginkgo/parallel/1-095_validate_dex_clientsecret_test.go	Replaces one Dex test with two It blocks: the first validates the short-lived token secret, RFC3339 expiry, and argocd-secret key match; the second synthesizes a legacy token secret, triggers operator cleanup via annotation, and asserts deletion and continued Argo CD health.
ApplicationSet spec-omission cleanup and serving-cert annotation restore tests test/openshift/e2e/ginkgo/parallel/1-125_validate_applicationset_cleanup_when_spec_field_omitted_test.go, test/openshift/e2e/ginkgo/parallel/1-125_validate_server_serving_cert_annotation_restore_test.go	New test asserting ApplicationSet controller resources (Deployment, ServiceAccount, Role, RoleBinding, Service) are deleted when spec.applicationSet is set to nil; two-spec test for serving-cert annotation add/remove under TLS passthrough and reencrypt, including post-upgrade stale state and user-managed TLS secret scenarios.
Declarative webhook secrets sync, preservation, and removal tests test/openshift/e2e/ginkgo/parallel/1-126_validate_declarative_webhook_secrets_test.go	New 700-line suite covering spec.webhookSecrets → argocd-secret propagation for GitHub, GitLab, Azure DevOps, Bitbucket, and Gogs; preservation when stanza is absent or nulled; provider-driven key removal; atomic Azure DevOps pair removal on missing secret ref; and CRD rejection of partial Azure DevOps config.
ServiceMonitor metrics config propagation tests test/openshift/e2e/ginkgo/parallel/1-126_validate_servicemonitor_metrics_config_test.go	New 412-line suite with three It blocks verifying interval/scrapeTimeout propagation into Prometheus ServiceMonitor endpoints for per-component, principal, and agent metrics specs, including update and clear lifecycle steps.
RoleBinding tracking annotation non-inheritance tests test/openshift/e2e/ginkgo/parallel/1-131_validate_rolebinding_no_tracking_annotation_propagation_test.go	New test asserting operator-generated RoleBindings in managed and Argo CD namespaces contain only the operator's default annotation and do not inherit CR-level tracking/installation annotations.
ApplicationSet RBAC revocation and restoration tests test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go	Adds error namespaces to cluster config and debug lists; introduces a new test that strips the ClusterRole list namespaces permission, verifies ApplicationSet deployment is blocked, restores rules via annotation, and asserts the deployment reappears with --applicationset-namespaces.
Agent and principal ServiceMonitor lifecycle tests test/openshift/e2e/ginkgo/sequential/1-051_validate_argocd_agent_principal_test.go, test/openshift/e2e/ginkgo/sequential/1-052_validate_argocd_agent_agent_test.go	Adds monitoringv1 imports and new It blocks to principal and agent test suites that toggle spec.prometheus.enabled (and agent enabled) and assert ServiceMonitor creation, deletion, and recreation accordingly.
CRD metrics and resource configuration schemas bundle/manifests/argoproj.io_argocds.yaml, config/crd/bases/argoproj.io_argocds.yaml	Both CRD manifests are expanded with metrics schema blocks for Agent, Principal, Application Controller, Notifications, Repo Server, and Server; resources blocks added for Agent container and principal component supporting Kubernetes resource claims, limits, and requests.
CRD webhook secrets schema and validation bundle/manifests/argoproj.io_argocds.yaml, config/crd/bases/argoproj.io_argocds.yaml	Both CRD manifests add a webhookSecrets schema with provider-specific secret reference objects (Azure DevOps, Bitbucket, Bitbucket Server, GitHub, GitLab, Gogs) and an x-kubernetes-validations rule ensuring Azure DevOps username/password secret refs are provided together.
CRD Application Controller sharding algorithm bundle/manifests/argoproj.io_argocds.yaml, config/crd/bases/argoproj.io_argocds.yaml	Both CRD manifests add an algorithm field to Application Controller sharding configuration with enum values legacy, round-robin, and consistent-hashing in multiple schema sections.
CRD log format and level standardization bundle/manifests/argoproj.io_argocds.yaml, config/crd/bases/argoproj.io_argocds.yaml	Both CRD manifests add logFormat (enum text/json) and logLevel fields to Notifications and ApplicationSet configurations; mark logformat as deprecated in multiple schema sections.
CRD root-level configuration expansion bundle/manifests/argoproj.io_argocds.yaml, config/crd/bases/argoproj.io_argocds.yaml	Both CRD manifests expand root-level spec fields with clusterDomain (string), cmdParams (map of string values), and webTerminalEnabled (boolean).
CRD NetworkPolicy default removal and manifest updates bundle/manifests/argoproj.io_argocds.yaml, config/crd/bases/argoproj.io_argocds.yaml, bundle/manifests/gitops-operator.clusterserviceversion.yaml	Both CRD manifests remove explicit default: true from networkPolicy.enabled field in multiple schema locations; CSV metadata updated with new creation timestamp.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~70 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: syncing upstream e2e tests to downstream, which is the primary objective of this PR.
Description check	✅ Passed	The description is related to the changeset by identifying the PR type (enhancement), stating that it syncs upstream e2e tests to downstream, and mentioning local testing against version 1.21 RC.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[varshab1210]

@aali309 I had to change the name as I saw the error

Route.route.openshift.io "example-argocd-clear-github-server" is invalid: spec.host: Invalid value: "example-argocd-clear-github-server-gitops-e2e-test-0b13d83e-eda2.apps.psi-421-002.ocp-gitops-qe.com": must be no more than 63 characters

Looks like we need something similar to https://redhat.atlassian.net/issues?jql=reporter%20IN%20(62332b7550cceb00707ad539)%20AND%20type%20%3D%20Bug%20AND%20summary%20~%20%22host%22&selectedIssue=GITOPS-7315

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@test/openshift/e2e/ginkgo/parallel/1-048_validate_controller_sharding_test.go`:
- Around line 119-122: The assertion at line 121 negates the
HaveContainerWithEnvVar matcher with a specific key and value, which only passes
if the environment variable exists with a different value. This is too weak and
can miss regressions. Instead of using ShouldNot with HaveContainerWithEnvVar
matching a specific key-value pair, use a matcher that asserts the
ARGOCD_CONTROLLER_SHARDING_ALGORITHM environment variable key is completely
absent from the app controller StatefulSet, regardless of its value. Replace the
negated key-value matcher with an assertion that explicitly checks for the
absence of the environment variable key itself.

In
`@test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go`:
- Around line 643-656: The nested loop structure selecting the
operatorClusterRoleName picks the first matching ClusterRoleBinding for the
ServiceAccount without verifying it grants the required permissions, which can
lead to selecting the wrong RBAC object. Instead of selecting based only on
matching the ServiceAccount name and namespace, implement a deterministic
selection criterion by resolving the candidate ClusterRoles and validating that
the selected ClusterRole grants the necessary permissions (such as `list` on
`namespaces`) before using it for mutation. This ensures the correct operator
ClusterRole is chosen for the test rather than any arbitrary matching binding.
- Around line 663-691: The rule rewriting logic in the loop iterating through
operatorClusterRole.Rules does not handle PolicyRules containing multiple
resources correctly. When a rule contains both "namespaces" and other resources,
the current code removes "list" from the verbs but applies this modified verb
set to all resources in the rule, not just namespaces. To fix this, when you
find "namespaces" in the resources list, check if there are other resources
present as well. If it is a mixed rule with multiple resources, create two
separate PolicyRule objects: one with only "namespaces" as the resource and the
modified verbs (without "list"), and another with the non-namespaces resources
and the original verbs. If "namespaces" is the only resource, proceed with the
existing logic of removing "list" and adding the modified rule to modifiedRules.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ad187eb0-4a14-46b0-ae80-5a89cd221a7f

📥 Commits

Reviewing files that changed from the base of the PR and between 426874a and e35b5df.

📒 Files selected for processing (11)

• test/openshift/e2e/ginkgo/parallel/1-043_validate_log_level_format_test.go
• test/openshift/e2e/ginkgo/parallel/1-048_validate_controller_sharding_test.go
• test/openshift/e2e/ginkgo/parallel/1-095_validate_dex_clientsecret_test.go
• test/openshift/e2e/ginkgo/parallel/1-125_validate_applicationset_cleanup_when_spec_field_omitted_test.go
• test/openshift/e2e/ginkgo/parallel/1-125_validate_server_serving_cert_annotation_restore_test.go
• test/openshift/e2e/ginkgo/parallel/1-126_validate_declarative_webhook_secrets_test.go
• test/openshift/e2e/ginkgo/parallel/1-126_validate_servicemonitor_metrics_config_test.go
• test/openshift/e2e/ginkgo/parallel/1-131_validate_rolebinding_no_tracking_annotation_propagation_test.go
• test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go
• test/openshift/e2e/ginkgo/sequential/1-051_validate_argocd_agent_principal_test.go
• test/openshift/e2e/ginkgo/sequential/1-052_validate_argocd_agent_agent_test.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• argoproj-labs/argocd-operator (manual)

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Select the operator ClusterRoleBinding deterministically before mutation.

This loop picks the first ClusterRoleBinding matching the ServiceAccount, which can point to a non-operator ClusterRole. That can make the test skip incorrectly or mutate the wrong RBAC object.

Use a deterministic selection criterion (e.g., resolve candidate ClusterRoles and choose one that actually grants list on namespaces) before editing rules.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go`
around lines 643 - 656, The nested loop structure selecting the
operatorClusterRoleName picks the first matching ClusterRoleBinding for the
ServiceAccount without verifying it grants the required permissions, which can
lead to selecting the wrong RBAC object. Instead of selecting based only on
matching the ServiceAccount name and namespace, implement a deterministic
selection criterion by resolving the candidate ClusterRoles and validating that
the selected ClusterRole grants the necessary permissions (such as `list` on
`namespaces`) before using it for mutation. This ensures the correct operator
ClusterRole is chosen for the test rather than any arbitrary matching binding.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

The rule rewrite revokes list from more than namespaces in mixed rules.

When a PolicyRule contains namespaces plus other resources, the rewritten rule keeps all resources but drops list, unintentionally revoking list for unrelated resources too. That broadens the failure mode and weakens the test’s causal signal.

Split mixed rules: keep original verbs for non-namespaces resources, and apply the verb removal only to a namespaces-only rule.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go`
around lines 663 - 691, The rule rewriting logic in the loop iterating through
operatorClusterRole.Rules does not handle PolicyRules containing multiple
resources correctly. When a rule contains both "namespaces" and other resources,
the current code removes "list" from the verbs but applies this modified verb
set to all resources in the rule, not just namespaces. To fix this, when you
find "namespaces" in the resources list, check if there are other resources
present as well. If it is a mixed rule with multiple resources, create two
separate PolicyRule objects: one with only "namespaces" as the resource and the
modified verbs (without "list"), and another with the non-namespaces resources
and the original verbs. If "namespaces" is the only resource, proceed with the
existing logic of removing "list" and adding the modified rule to modifiedRules.

[cjcocokrisp]

LGTM to me overall. Addressed what I think about the coderabbit comment as well. Once this is merged I can also sync this change with the upstream test.

[cjcocokrisp]

I agree with coderabbit's comment. The suggested fix also seems good to me as well and I have commented below the version that I used to test it.

			Eventually(func() bool {
				if err := k8sClient.Get(ctx, client.ObjectKeyFromObject(statefulSet), statefulSet); err != nil {
					return false
				}
				if len(statefulSet.Spec.Template.Spec.Containers) == 0 {
					return false
				}
				for _, env := range statefulSet.Spec.Template.Spec.Containers[0].Env {
					if env.Name == "ARGOCD_CONTROLLER_SHARDING_ALGORITHM" {
						return false
					}
				}
				return true
			}, "60s", "5").Should(BeTrue(), "StatefulSet should have no env variable named ARGOCD_CONTROLLER_SHARDING_ALGORITHM")

[varshab1210]

/test v4.14-ci-index-gitops-operator-bundle

[varshab1210]

/test v4.14-kuttl-parallel

[openshift-ci]

@varshab1210: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/v4.14-kuttl-parallel	fc863da	link	false	/test v4.14-kuttl-parallel

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[aali309]

LGTM