Skip to content

Added E2E tests for role ownership validation#1208

Open
alkakumari016 wants to merge 4 commits into
redhat-developer:masterfrom
alkakumari016:role_val_e2e
Open

Added E2E tests for role ownership validation#1208
alkakumari016 wants to merge 4 commits into
redhat-developer:masterfrom
alkakumari016:role_val_e2e

Conversation

@alkakumari016

Copy link
Copy Markdown
Contributor

What type of PR is this?

Uncomment only one /kind line, and delete the rest.
For example, > /kind bug would simply become: /kind bug

/kind bug
/kind cleanup
/kind failing-test
/kind enhancement
/kind documentation
/kind code-refactoring

What does this PR do / why we need it:
Change git ref for argocd operator and adds E2E tests for role ownership validation
Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes #?

Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

@openshift-ci openshift-ci Bot requested review from jannfis and trdoyle81 July 9, 2026 07:23
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jopit for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ec32e2a7-5346-4521-9c3d-557b254f9947

📥 Commits

Reviewing files that changed from the base of the PR and between 5441d56 and c6e32a4.

📒 Files selected for processing (4)
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent_test.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)
🚧 Files skipped from review as they are similar to previous changes (4)
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent_test.go

📝 Walkthrough

Summary by CodeRabbit

  • Tests
    • Added end-to-end coverage validating that Argo CD Image Updater, Agent, and Agent Principal resources retain their cluster-scoped permissions across reconciliation.
    • Added checks confirming resources remain available and operational when multiple Argo CD instances are configured in separate namespaces.
    • Added validation for expected services, deployments, labels, routes, policies, certificates, and readiness conditions.

Walkthrough

Adds four sequential OpenShift Ginkgo E2E tests covering stable cluster-scoped RBAC ownership for default Argo CD components, agents, agent principals, and Image Updater across multiple ArgoCD reconciliations.

Changes

Role ownership E2E tests

Layer / File(s) Summary
Default controller/server/image-updater ownership test
test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership.go
Captures controller, applicationset, server, and Image Updater RBAC UIDs before and after creating a second ArgoCD instance, then compares them.
Agent role ownership test
test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent_test.go
Creates agent resources, verifies expected services and deployment labels, and confirms cluster-scoped RBAC UIDs remain unchanged.
Agent principal role ownership test
test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go
Creates and validates principal resources, certificates, logs, and deployment readiness before checking stable cluster-scoped RBAC UIDs.
Image Updater role ownership test
test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go
Enables Image Updater, configures required OpenShift permissions, waits for its controller, and verifies stable ClusterRole and ClusterRoleBinding UIDs.

Estimated code review effort: 4 (Complex) | ~45 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change by describing the added E2E role ownership validation tests.
Description check ✅ Passed The description is related to the changeset and mentions both the git ref change and the new E2E validation tests.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🧹 Nitpick comments (1)
test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent.go (1)

69-106: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Duplicated agent spec configuration violates DRY.

The ArgoCDAgent spec block (lines 81-104) is repeated almost verbatim at lines 198-221, with only the instance name and Redis address differing. Extract a helper function to build the agent spec to prevent divergence.

♻️ Extract a helper for the agent spec
+func buildAgentSpec(name string) *argov1beta1api.ArgoCDAgentSpec {
+    return &argov1beta1api.ArgoCDAgentSpec{
+        Agent: &argov1beta1api.AgentSpec{
+            Enabled:   ptr.To(true),
+            Creds:     "mtls:any",
+            LogLevel:  "info",
+            LogFormat: "text",
+            Client: &argov1beta1api.AgentClientSpec{
+                PrincipalServerAddress: "argocd-agent-principal.example.com",
+                PrincipalServerPort:    "443",
+                Mode:                   string(argov1beta1api.AgentModeManaged),
+                EnableWebSocket:        ptr.To(false),
+                EnableCompression:      ptr.To(false),
+                KeepAliveInterval:      "30s",
+            },
+            TLS: &argov1beta1api.AgentTLSSpec{
+                SecretName:       agentClientTLSSecretName,
+                RootCASecretName: agentRootCASecretName,
+                Insecure:         ptr.To(false),
+            },
+            Redis: &argov1beta1api.AgentRedisSpec{
+                ServerAddress: fmt.Sprintf("%s-redis:%d", name, common.ArgoCDDefaultRedisPort),
+            },
+        },
+    }
+}

Then use it in both places:

 // In BeforeEach (line 81)
-					ArgoCDAgent: &argov1beta1api.ArgoCDAgentSpec{
-						Agent: &argov1beta1api.AgentSpec{
-							...
-						},
-					},
+					ArgoCDAgent: buildAgentSpec("argocd-agent"),

 // In It block (line 198)
-					ArgoCDAgent: &argov1beta1api.ArgoCDAgentSpec{
-						Agent: &argov1beta1api.AgentSpec{
-							...
-						},
-					},
+					ArgoCDAgent: buildAgentSpec("argocd-agent-argocd"),

Also applies to: 186-223

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent.go`
around lines 69 - 106, The ArgoCDAgent configuration is duplicated in multiple
test setups, so extract the repeated AgentSpec construction into a helper and
reuse it in both places. Create a small builder/helper near the test cases that
assembles the common AgentSpec fields, then pass in the few varying values like
the instance name and Redis server address from the duplicated ArgoCD spec
blocks. Keep the existing ArgoCD, ArgoCDAgent, and AgentClientSpec usage intact
while replacing the repeated inline literal with the shared helper.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal.go`:
- Around line 311-322: The namespace-scoped reuse block is missing an update for
principalNetworkPolicy, so it can still point at the original namespace when
verifyExpectedResourcesExist runs. In the setup where argoCD, serviceAccount,
role, roleBinding, principalDeployment, and principalRoute are reassigned to
nsScoped.Name, also set principalNetworkPolicy.Namespace to nsScoped.Name so all
scoped resources stay consistent.

In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go`:
- Around line 84-99: The SCC permission check in the role ownership validation
is using the wrong `oc auth can-i` result handling, since `ExecCommand` returns
"yes"/"no" rather than a service account name, so update the logic in the
`default` service account block to compare the trimmed output against "yes" and
only call `add-scc-to-user` when needed. Also extract this repeated
permission-check-and-add flow into a shared helper used by both namespace blocks
to remove the duplicated code in the validation test.
- Line 158: The SCC grant for the second image updater instance is using the
wrong namespace variable, so the permission is applied to the first namespace
instead of the second one. Update the `ExecCommand` call in
`validate_role_ownership_image_updater.go` so the `add-scc-to-user` command
targets the `default` service account in `ns1.Name`, matching the
`system:serviceaccount:<ns1.Name>:default` user used for the second instance.
Keep the first instance unchanged and ensure the second instance’s SCC
assignment references the same namespace as its deployment.
- Around line 62-78: The AfterEach cleanup contains dead code because
defaultArgocd and imageUpdater are never assigned anywhere in this test, so the
cleanup branches never run. Remove the unused defaultArgocd/imageUpdater
declarations and delete the corresponding cleanup blocks in AfterEach, and also
drop the now-unused imageUpdaterApi import so the test only keeps real
setup/teardown paths.

In `@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership.go`:
- Line 52: The imageUpdaterControllerClusterRoleBindingName constant is
truncated and does not match the actual ClusterRoleBinding name used elsewhere
in the test. Update imageUpdaterControllerClusterRoleBindingName in
validate_role_ownership.go to use the full
openshift-gitops-openshift-gitops-argocd-image-updater-controller value so it
stays consistent with the related ClusterRole constant and the object referenced
later in the test.

---

Nitpick comments:
In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent.go`:
- Around line 69-106: The ArgoCDAgent configuration is duplicated in multiple
test setups, so extract the repeated AgentSpec construction into a helper and
reuse it in both places. Create a small builder/helper near the test cases that
assembles the common AgentSpec fields, then pass in the few varying values like
the instance name and Redis server address from the duplicated ArgoCD spec
blocks. Keep the existing ArgoCD, ArgoCDAgent, and AgentClientSpec usage intact
while replacing the repeated inline literal with the shared helper.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 0b34271d-6b78-4426-a2f0-128fbd921916

📥 Commits

Reviewing files that changed from the base of the PR and between 7b86850 and 87ce7e4.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (5)
  • go.mod
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)

Comment on lines +84 to +99
By("ensuring default service account has anyuid SCC permission")
serviceAccountUser := "system:serviceaccount:" + ns.Name + ":default"
output, err := osFixture.ExecCommand("oc", "auth", "can-i", "use", "scc/anyuid", "--as", serviceAccountUser)
hasPermission := false
if err == nil && len(output) > 0 {
// Check if the service account user is already in the users list
// Remove quotes and whitespace for comparison
output = strings.TrimSpace(strings.Trim(output, "'\""))
if strings.Contains(output, serviceAccountUser) {
hasPermission = true
}
}
if !hasPermission {
_, err := osFixture.ExecCommand("oc", "adm", "policy", "add-scc-to-user", "anyuid", "-z", "default", "-n", ns.Name)
Expect(err).NotTo(HaveOccurred(), "Failed to add anyuid SCC to default service account")
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Incorrect SCC permission check logic and duplicated code.

oc auth can-i returns "yes" or "no", but the code checks strings.Contains(output, serviceAccountUser), which will never match. hasPermission is therefore always false and the SCC is always redundantly added. The check should compare against "yes". Additionally, this logic is duplicated for both namespaces.

🔧 Fix check logic and extract helper
+	checkAndGrantAnyuidSCC := func(namespace string) {
+		serviceAccountUser := "system:serviceaccount:" + namespace + ":default"
+		output, err := osFixture.ExecCommand("oc", "auth", "can-i", "use", "scc/anyuid", "--as", serviceAccountUser)
+		if err == nil && strings.EqualFold(strings.TrimSpace(output), "yes") {
+			return
+		}
+		_, err = osFixture.ExecCommand("oc", "adm", "policy", "add-scc-to-user", "anyuid", "-z", "default", "-n", namespace)
+		Expect(err).NotTo(HaveOccurred(), "Failed to add anyuid SCC to default service account")
+	}

Then replace both duplicated blocks:

-		By("ensuring default service account has anyuid SCC permission")
-		serviceAccountUser := "system:serviceaccount:" + ns.Name + ":default"
-		output, err := osFixture.ExecCommand("oc", "auth", "can-i", "use", "scc/anyuid", "--as", serviceAccountUser)
-		hasPermission := false
-		if err == nil && len(output) > 0 {
-			output = strings.TrimSpace(strings.Trim(output, "'\""))
-			if strings.Contains(output, serviceAccountUser) {
-				hasPermission = true
-			}
-		}
-		if !hasPermission {
-			_, err := osFixture.ExecCommand("oc", "adm", "policy", "add-scc-to-user", "anyuid", "-z", "default", "-n", ns.Name)
-			Expect(err).NotTo(HaveOccurred(), "Failed to add anyuid SCC to default service account")
-		}
+		By("ensuring default service account has anyuid SCC permission")
+		checkAndGrantAnyuidSCC(ns.Name)

And for the second namespace:

-		By("ensuring default service account has anyuid SCC permission")
-		serviceAccountUser = "system:serviceaccount:" + ns1.Name + ":default"
-		output, err = osFixture.ExecCommand("oc", "auth", "can-i", "use", "scc/anyuid", "--as", serviceAccountUser)
-		hasPermission = false
-		if err == nil && len(output) > 0 {
-			output = strings.TrimSpace(strings.Trim(output, "'\""))
-			if strings.Contains(output, serviceAccountUser) {
-				hasPermission = true
-			}
-		}
-		if !hasPermission {
-			_, err := osFixture.ExecCommand("oc", "adm", "policy", "add-scc-to-user", "anyuid", "-z", "default", "-n", ns.Name)
-			Expect(err).NotTo(HaveOccurred(), "Failed to add anyuid SCC to default service account")
-		}
+		By("ensuring default service account has anyuid SCC permission")
+		checkAndGrantAnyuidSCC(ns1.Name)

Also applies to: 145-160

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go`
around lines 84 - 99, The SCC permission check in the role ownership validation
is using the wrong `oc auth can-i` result handling, since `ExecCommand` returns
"yes"/"no" rather than a service account name, so update the logic in the
`default` service account block to compare the trimmed output against "yes" and
only call `add-scc-to-user` when needed. Also extract this repeated
permission-check-and-add flow into a shared helper used by both namespace blocks
to remove the duplicated code in the validation test.

Comment thread test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership.go Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go (1)

313-317: 🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

Missing principalNetworkPolicy.Namespace update for scoped instance.

When reusing argoCD for the namespace-scoped instance, the namespaces of serviceAccount, role, roleBinding, principalDeployment, and principalRoute are updated to nsScoped.Name, but principalNetworkPolicy.Namespace is not. While the current test flow doesn't call verifyExpectedResourcesExist for the scoped namespace, this inconsistency could cause failures if the test is extended.

🔧 Add missing namespace update
 		serviceAccount.Namespace = nsScoped.Name
 		role.Namespace = nsScoped.Name
 		roleBinding.Namespace = nsScoped.Name
 		principalDeployment.Namespace = nsScoped.Name
 		principalRoute.Namespace = nsScoped.Name
+		principalNetworkPolicy.Namespace = nsScoped.Name
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go`
around lines 313 - 317, The namespace-scoped reuse block is missing the
Namespace update for principalNetworkPolicy, leaving it inconsistent with
serviceAccount, role, roleBinding, principalDeployment, and principalRoute.
Update principalNetworkPolicy.Namespace alongside the other reused resources in
the scoped-instance setup so all principal resources point to nsScoped.Name. Use
the existing namespace reassignment block in the test and the
principalNetworkPolicy symbol to locate the fix.
🧹 Nitpick comments (2)
test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go (1)

189-201: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Remove duplicate principalNetworkPolicy assignment.

principalNetworkPolicy is assigned twice with identical metadata (lines 189–194 and 196–201). The second assignment is dead code and should be removed.

♻️ Proposed fix
 		principalNetworkPolicy = &networkingv1.NetworkPolicy{
 			ObjectMeta: metav1.ObjectMeta{
 				Name:      fmt.Sprintf("%s-agent-principal-network-policy", argoCDName),
 				Namespace: ns.Name,
 			},
 		}
-
-		principalNetworkPolicy = &networkingv1.NetworkPolicy{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      fmt.Sprintf("%s-agent-principal-network-policy", argoCDName),
-				Namespace: ns.Name,
-			},
-		}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go`
around lines 189 - 201, Remove the duplicate principalNetworkPolicy
initialization in the validation test: the second assignment to
principalNetworkPolicy in the same block is identical to the first and should be
deleted. Keep the single NetworkPolicy construction near the existing
principalNetworkPolicy symbol so the test only creates it once.
test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent_test.go (1)

133-142: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Misleading By message for Service type assertion.

The By message says "LoadBalancer or ClusterIP depending on which service," but the assertion on line 142 unconditionally expects "ClusterIP". This message is stale or copy-pasted from a different test and should be corrected to avoid confusion.

♻️ Proposed fix
-			By("verifying Service '" + serviceName + "' exists and is a LoadBalancer or ClusterIP depending on which service")
+			By("verifying Service '" + serviceName + "' exists and is a ClusterIP")
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent_test.go`
around lines 133 - 142, The `By` description around the Service assertion is
stale and does not match the actual check in this test. Update the message near
the `service`/`Expect(string(service.Spec.Type))` assertion so it accurately
states that the Service is expected to be `ClusterIP` here, or otherwise align
the assertion with the intended service type logic if this test should vary by
service name.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go`:
- Around line 313-317: The namespace-scoped reuse block is missing the Namespace
update for principalNetworkPolicy, leaving it inconsistent with serviceAccount,
role, roleBinding, principalDeployment, and principalRoute. Update
principalNetworkPolicy.Namespace alongside the other reused resources in the
scoped-instance setup so all principal resources point to nsScoped.Name. Use the
existing namespace reassignment block in the test and the principalNetworkPolicy
symbol to locate the fix.

---

Nitpick comments:
In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent_test.go`:
- Around line 133-142: The `By` description around the Service assertion is
stale and does not match the actual check in this test. Update the message near
the `service`/`Expect(string(service.Spec.Type))` assertion so it accurately
states that the Service is expected to be `ClusterIP` here, or otherwise align
the assertion with the intended service type logic if this test should vary by
service name.

In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go`:
- Around line 189-201: Remove the duplicate principalNetworkPolicy
initialization in the validation test: the second assignment to
principalNetworkPolicy in the same block is identical to the first and should be
deleted. Keep the single NetworkPolicy construction near the existing
principalNetworkPolicy symbol so the test only creates it once.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dda076d9-4a99-4473-b7c8-d7793fab4e54

📥 Commits

Reviewing files that changed from the base of the PR and between 87ce7e4 and 749f04a.

📒 Files selected for processing (2)
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_agent_test.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go (1)

72-87: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

SCC permission check logic still incorrect — previously flagged but unaddressed.

oc auth can-i use scc/anyuid --as <user> returns "yes" or "no", but the code checks strings.Contains(output, serviceAccountUser), which will never match. hasPermission is therefore always false and the SCC is always redundantly added. This was flagged in a prior review and remains unfixed. The duplicated logic across both namespace blocks is also still present.

🔧 Fix check logic and extract helper
+		checkAndGrantAnyuidSCC := func(namespace string) {
+			serviceAccountUser := "system:serviceaccount:" + namespace + ":default"
+			output, err := osFixture.ExecCommand("oc", "auth", "can-i", "use", "scc/anyuid", "--as", serviceAccountUser)
+			if err == nil && strings.EqualFold(strings.TrimSpace(output), "yes") {
+				return
+			}
+			_, err = osFixture.ExecCommand("oc", "adm", "policy", "add-scc-to-user", "anyuid", "-z", "default", "-n", namespace)
+			Expect(err).NotTo(HaveOccurred(), "Failed to add anyuid SCC to default service account")
+		}

Then replace both duplicated blocks:

 		By("ensuring default service account has anyuid SCC permission")
-		serviceAccountUser := "system:serviceaccount:" + ns.Name + ":default"
-		output, err := osFixture.ExecCommand("oc", "auth", "can-i", "use", "scc/anyuid", "--as", serviceAccountUser)
-		hasPermission := false
-		if err == nil && len(output) > 0 {
-			// Check if the service account user is already in the users list
-			// Remove quotes and whitespace for comparison
-			output = strings.TrimSpace(strings.Trim(output, "'\""))
-			if strings.Contains(output, serviceAccountUser) {
-				hasPermission = true
-			}
-		}
-		if !hasPermission {
-			_, err := osFixture.ExecCommand("oc", "adm", "policy", "add-scc-to-user", "anyuid", "-z", "default", "-n", ns.Name)
-			Expect(err).NotTo(HaveOccurred(), "Failed to add anyuid SCC to default service account")
-		}
+		checkAndGrantAnyuidSCC(ns.Name)

And for the second namespace:

 		By("ensuring default service account has anyuid SCC permission")
-		serviceAccountUser = "system:serviceaccount:" + ns1.Name + ":default"
-		output, err = osFixture.ExecCommand("oc", "auth", "can-i", "use", "scc/anyuid", "--as", serviceAccountUser)
-		hasPermission = false
-		if err == nil && len(output) > 0 {
-			// Check if the service account user is already in the users list
-			// Remove quotes and whitespace for comparison
-			output = strings.TrimSpace(strings.Trim(output, "'\""))
-			if strings.Contains(output, serviceAccountUser) {
-				hasPermission = true
-			}
-		}
-		if !hasPermission {
-			_, err := osFixture.ExecCommand("oc", "adm", "policy", "add-scc-to-user", "anyuid", "-z", "default", "-n", ns1.Name)
-			Expect(err).NotTo(HaveOccurred(), "Failed to add anyuid SCC to default service account")
-		}
+		checkAndGrantAnyuidSCC(ns1.Name)

Also applies to: 133-148

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go`
around lines 72 - 87, The SCC permission check in the repeated namespace blocks
is still wrong: `oc auth can-i use scc/anyuid --as ...` returns a yes/no
response, so the `strings.Contains(output, serviceAccountUser)` test in this
flow will never succeed. Update the logic around `osFixture.ExecCommand`,
`hasPermission`, and the `add-scc-to-user` fallback to inspect the returned
yes/no value correctly, and extract the duplicated check into a helper so both
namespace sections use the same fixed implementation.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In
`@test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go`:
- Around line 72-87: The SCC permission check in the repeated namespace blocks
is still wrong: `oc auth can-i use scc/anyuid --as ...` returns a yes/no
response, so the `strings.Contains(output, serviceAccountUser)` test in this
flow will never succeed. Update the logic around `osFixture.ExecCommand`,
`hasPermission`, and the `add-scc-to-user` fallback to inspect the returned
yes/no value correctly, and extract the duplicated check into a helper so both
namespace sections use the same fixed implementation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8bdf037c-1195-43f4-baf2-0ac283e04b69

📥 Commits

Reviewing files that changed from the base of the PR and between 749f04a and 821c93e.

📒 Files selected for processing (3)
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_image_updater.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)
💤 Files with no reviewable changes (1)
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • test/openshift/e2e/ginkgo/sequential/1-125_validate_role_ownership_agent_principal_test.go

@alkakumari016

Copy link
Copy Markdown
Contributor Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
✅ Action performed

Full review finished.


Your plan includes PR reviews subject to rate limits. More reviews will be available in 55 seconds.

@alkakumari016

Copy link
Copy Markdown
Contributor Author

/retest

…ator ref

Signed-off-by: Alka Kumari <alkumari@redhat.com>
Signed-off-by: Alka Kumari <alkumari@redhat.com>
Signed-off-by: Alka Kumari <alkumari@redhat.com>
Signed-off-by: Alka Kumari <alkumari@redhat.com>
@alkakumari016

Copy link
Copy Markdown
Contributor Author

/retest

1 similar comment
@alkakumari016

Copy link
Copy Markdown
Contributor Author

/retest

@openshift-ci

openshift-ci Bot commented Jul 10, 2026

Copy link
Copy Markdown

@alkakumari016: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/v4.19-e2e c6e32a4 link true /test v4.19-e2e
ci/prow/v4.19-kuttl-parallel c6e32a4 link true /test v4.19-kuttl-parallel
ci/prow/v4.19-kuttl-sequential c6e32a4 link true /test v4.19-kuttl-sequential
ci/prow/v4.14-e2e c6e32a4 link false /test v4.14-e2e
ci/prow/v4.14-kuttl-parallel c6e32a4 link false /test v4.14-kuttl-parallel
ci/prow/v4.14-kuttl-sequential c6e32a4 link false /test v4.14-kuttl-sequential

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant