From 671b3d3ee4c4a5500576432e079d8f4bc076e621 Mon Sep 17 00:00:00 2001 From: Siddhesh Ghadi <61187612+svghadi@users.noreply.github.com> Date: Tue, 27 Jun 2023 20:28:22 +0530 Subject: [PATCH 1/4] feat: Unify sso status & remove deprecated .spec.sso & .spec.dex fields (#896) * Remove deprecated dex & sso fields Signed-off-by: Siddhesh Ghadi * Unify .status.sso Signed-off-by: Siddhesh Ghadi * Add unit test for .status.sso unification Signed-off-by: Siddhesh Ghadi * Add & fix e2e tests for unified status.sso Signed-off-by: Siddhesh Ghadi * make bundle Signed-off-by: Siddhesh Ghadi * Fix make bundle codegen ci failure Signed-off-by: Siddhesh Ghadi * Fix keycloak status reconciliation Signed-off-by: Siddhesh Ghadi * Case insensitive sso provider check Signed-off-by: Siddhesh Ghadi * Do not block reconciliation due to sso failures SSO is a non-critical component and we shouldn't block reconciliation on its failure Signed-off-by: Siddhesh Ghadi * Remove extra .ToLower() calls on already defined sso value Signed-off-by: Siddhesh Ghadi * Remove envVar & setEnvVarFunc fields from dex unit tests There are a lot of unit tests that have envVar & setEnvVarFunc fields that were required for DISABLE_DEX testing. These fields are not required in these tests anymore. Signed-off-by: Siddhesh Ghadi * Fix ci failure Signed-off-by: Siddhesh Ghadi --------- 
Signed-off-by: Siddhesh Ghadi --- api/v1alpha1/argocd_types.go | 48 +-- api/v1alpha1/zz_generated.deepcopy.go | 30 -- ...argocd-operator.clusterserviceversion.yaml | 58 +--- bundle/manifests/argoproj.io_argocds.yaml | 110 +------ config/crd/bases/argoproj.io_argocds.yaml | 110 +------ ...argocd-operator.clusterserviceversion.yaml | 58 +--- controllers/argocd/configmap.go | 11 +- controllers/argocd/configmap_test.go | 120 +------ controllers/argocd/deployment_test.go | 14 +- controllers/argocd/dex.go | 32 +- controllers/argocd/dexUtil.go | 39 +-- controllers/argocd/dex_test.go | 281 ---------------- controllers/argocd/keycloak.go | 16 +- controllers/argocd/keycloak_test.go | 61 +--- controllers/argocd/secret.go | 5 +- controllers/argocd/sso.go | 162 ++-------- controllers/argocd/sso_test.go | 300 +++--------------- controllers/argocd/status.go | 77 ++++- controllers/argocd/status_test.go | 139 +++++--- controllers/argocd/testing.go | 15 +- controllers/argocd/util.go | 17 +- controllers/argocd/util_test.go | 16 +- ...operator.v0.6.0.clusterserviceversion.yaml | 58 +--- .../0.6.0/argoproj.io_argocds.yaml | 110 +------ ...operator.v0.7.0.clusterserviceversion.yaml | 58 +--- .../0.7.0/argoproj.io_argocds.yaml | 110 +------ .../1-015_validate_sso_config/05-assert.yaml | 34 -- .../1-015_validate_sso_config/06-errors.yaml | 24 -- .../06-remove-dex-spec-config.yaml | 7 - .../01-assert.yaml} | 2 +- .../01-install.yaml | 0 .../02-assert.yaml | 2 +- .../02-errors.yaml | 0 .../02-provider-dex-no-dex-spec.yaml | 0 .../03-assert.yaml | 2 +- .../03-dex-spec-sso.yaml | 0 .../04-assert.yaml} | 2 +- .../04-errors.yaml | 0 .../04-remove-dex-spec-sso.yaml | 2 +- .../05-assert.yaml} | 6 +- .../05-provider-keycloak-dex-spec.yaml} | 4 +- .../01-argocd-keycloak.yaml | 3 +- .../01-assert.yaml | 15 - .../01-install.yaml | 7 - .../02-verify-clientsecret.yaml | 19 -- 45 files changed, 418 insertions(+), 1766 deletions(-) delete mode 100644 tests/k8s/1-015_validate_sso_config/05-assert.yaml 
delete mode 100644 tests/k8s/1-015_validate_sso_config/06-errors.yaml
delete mode 100644 tests/k8s/1-015_validate_sso_config/06-remove-dex-spec-config.yaml
rename tests/k8s/{1-015_validate_sso_config/07-assert.yaml => 1-015_validate_sso_status/01-assert.yaml} (83%)
rename tests/k8s/{1-015_validate_sso_config => 1-015_validate_sso_status}/01-install.yaml (100%)
rename tests/k8s/{1-015_validate_sso_config => 1-015_validate_sso_status}/02-assert.yaml (82%)
rename tests/k8s/{1-015_validate_sso_config => 1-015_validate_sso_status}/02-errors.yaml (100%)
rename tests/k8s/{1-015_validate_sso_config => 1-015_validate_sso_status}/02-provider-dex-no-dex-spec.yaml (100%)
rename tests/k8s/{1-015_validate_sso_config => 1-015_validate_sso_status}/03-assert.yaml (96%)
rename tests/k8s/{1-015_validate_sso_config => 1-015_validate_sso_status}/03-dex-spec-sso.yaml (100%)
rename tests/k8s/{1-015_validate_sso_config/01-assert.yaml => 1-015_validate_sso_status/04-assert.yaml} (83%)
rename tests/k8s/{1-015_validate_sso_config => 1-015_validate_sso_status}/04-errors.yaml (100%)
rename tests/k8s/{1-015_validate_sso_config => 1-015_validate_sso_status}/04-remove-dex-spec-sso.yaml (75%)
rename tests/k8s/{1-015_validate_sso_config/05-spec-dex-config.yaml => 1-015_validate_sso_status/05-assert.yaml} (63%)
rename tests/k8s/{1-015_validate_sso_config/07-provider-keycloak-dex-spec.yaml => 1-015_validate_sso_status/05-provider-keycloak-dex-spec.yaml} (79%)
delete mode 100644 tests/ocp/1-005_validate_dex_clientsecret_deprecated/01-assert.yaml
delete mode 100644 tests/ocp/1-005_validate_dex_clientsecret_deprecated/01-install.yaml
delete mode 100644 tests/ocp/1-005_validate_dex_clientsecret_deprecated/02-verify-clientsecret.yaml
diff --git a/api/v1alpha1/argocd_types.go b/api/v1alpha1/argocd_types.go
index 72fdb5e3c..99d79141a 100644
--- a/api/v1alpha1/argocd_types.go
+++ b/api/v1alpha1/argocd_types.go
@@ -17,6 +17,8 @@ limitations under the License. package v1alpha1 import ( + "strings" + routev1 "github.com/openshift/api/route/v1" "github.com/argoproj-labs/argocd-operator/common" @@ -199,12 +201,6 @@ type ArgoCDDexSpec struct { Version string `json:"version,omitempty"` } -// ArgoCDDexOAuthSpec defines the desired state for the Dex OAuth configuration. -type ArgoCDDexOAuthSpec struct { - // Enabled will toggle OAuth support for the Dex server. - Enabled bool `json:"enabled"` -} - // ArgoCDGrafanaSpec defines the desired state for the Grafana component. type ArgoCDGrafanaSpec struct { // Enabled will toggle Grafana support globally for ArgoCD. @@ -616,16 +612,8 @@ const ( // ArgoCDSSOSpec defines SSO provider. type ArgoCDSSOSpec struct { - // Image is the SSO container image. - Image string `json:"image,omitempty"` // Provider installs and configures the given SSO Provider with Argo CD. Provider SSOProviderType `json:"provider,omitempty"` - // Resources defines the Compute Resources required by the container for SSO. - Resources *corev1.ResourceRequirements `json:"resources,omitempty"` - // VerifyTLS set to false disables strict TLS validation. - VerifyTLS *bool `json:"verifyTLS,omitempty"` - // Version is the SSO container image tag. - Version string `json:"version,omitempty"` // Dex contains the configuration for Argo CD dex authentication Dex *ArgoCDDexSpec `json:"dex,omitempty"` @@ -677,9 +665,6 @@ type ArgoCDSpec struct { // Controller defines the Application Controller options for ArgoCD. Controller ArgoCDApplicationControllerSpec `json:"controller,omitempty"` - // Dex defines the Dex server options for ArgoCD. - Dex *ArgoCDDexSpec `json:"dex,omitempty"` - // DisableAdmin will disable the admin user. DisableAdmin bool `json:"disableAdmin,omitempty"` 
@@ -840,14 +825,14 @@ type ArgoCDStatus struct { //+operator-sdk:csv:customresourcedefinitions:type=status,displayName="ApplicationSetController",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"} ApplicationSetController string `json:"applicationSetController,omitempty"` - // Dex is a simple, high-level summary of where the Argo CD Dex component is in its lifecycle. - // There are four possible dex values: - // Pending: The Argo CD Dex component has been accepted by the Kubernetes system, but one or more of the required resources have not been created. - // Running: All of the required Pods for the Argo CD Dex component are in a Ready state. - // Failed: At least one of the Argo CD Dex component Pods had a failure. - // Unknown: The state of the Argo CD Dex component could not be obtained. - //+operator-sdk:csv:customresourcedefinitions:type=status,displayName="Dex",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"} - Dex string `json:"dex,omitempty"` + // SSO is a simple, high-level summary of where the Argo CD SSO(Dex/Keycloak) component is in its lifecycle. + // There are four possible sso values: + // Pending: The Argo CD SSO component has been accepted by the Kubernetes system, but one or more of the required resources have not been created. + // Running: All of the required Pods for the Argo CD SSO component are in a Ready state. + // Failed: At least one of the Argo CD SSO component Pods had a failure. + // Unknown: The state of the Argo CD SSO component could not be obtained. + //+operator-sdk:csv:customresourcedefinitions:type=status,displayName="SSO",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"} + SSO string `json:"sso,omitempty"` // NotificationsController is a simple, high-level summary of where the Argo CD notifications controller component is in its lifecycle. // There are four possible NotificationsController values: 
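Review bot: The new `SSO` doc comment describes only Pod lifecycle, yet this field also takes over from `SSOConfig` (removed in the next hunk), whose `Failed` value meant an illegal or duplicated provider configuration. Where an invalid `.spec.sso` is now reported is not visible in this file, so if `Failed` covers that case the comment should say so, for example `// Failed: At least one of the Argo CD SSO component Pods had a failure, or the .spec.sso configuration is invalid.` Dashboards or alerts that read `.status.dex` or `.status.ssoConfig` stop receiving a value after this change, which deserves a line in the upgrade notes so a broken SSO setup does not go unnoticed. `ArgoCDStatus` begins and ends outside the hunk.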
@@ -858,13 +843,6 @@ type ArgoCDStatus struct { //+operator-sdk:csv:customresourcedefinitions:type=status,displayName="NotificationsController",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"} NotificationsController string `json:"notificationsController,omitempty"` - // SSOConfig defines the status of SSO configuration. - // Success: Only one SSO provider is configured in CR. - // Failed: SSO configuration is illegal or more than one SSO providers are configured in CR. - // Unknown: The SSO configuration could not be obtained. - //+operator-sdk:csv:customresourcedefinitions:type=status,displayName="SSOConfig",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"} - SSOConfig string `json:"ssoConfig,omitempty"` - // Phase is a simple, high-level summary of where the ArgoCD is in its lifecycle. // There are four possible phase values: // Pending: The ArgoCD has been accepted by the Kubernetes system, but one or more of the required resources have not been created. @@ -1035,3 +1013,9 @@ func ParseResourceTrackingMethod(name string) ResourceTrackingMethod { return ResourceTrackingMethodInvalid } + +// ToLower returns the lower case representation for a SSOProviderType +func (p SSOProviderType) ToLower() SSOProviderType { + str := string(p) + return SSOProviderType(strings.ToLower(str)) +} diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 7ea277a89..449473d4c 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go 
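Review bot: `ToLower` makes the provider check case-insensitive only at call sites that remember to call it, as `cr.Spec.SSO.Provider.ToLower() == v1alpha1.SSOProviderTypeKeycloak` in controllers/argocd/configmap.go does. A comparison elsewhere that omits the call would presumably treat `Keycloak` or `DEX` as an unrecognised provider, and the authentication component would then not be configured as the user intended. Keeping the folding in one place avoids that, for example `func (p SSOProviderType) Is(o SSOProviderType) bool { return strings.EqualFold(string(p), string(o)) }`. The doc comment would also read better as `// ToLower returns the lower-case form of an SSOProviderType.`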
@@ -189,21 +189,6 @@ func (in *ArgoCDCertificateSpec) DeepCopy() *ArgoCDCertificateSpec { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ArgoCDDexOAuthSpec) DeepCopyInto(out *ArgoCDDexOAuthSpec) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ArgoCDDexOAuthSpec. -func (in *ArgoCDDexOAuthSpec) DeepCopy() *ArgoCDDexOAuthSpec { - if in == nil { - return nil - } - out := new(ArgoCDDexOAuthSpec) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ArgoCDDexSpec) DeepCopyInto(out *ArgoCDDexSpec) { *out = *in @@ -771,16 +756,6 @@ func (in *ArgoCDRouteSpec) DeepCopy() *ArgoCDRouteSpec { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ArgoCDSSOSpec) DeepCopyInto(out *ArgoCDSSOSpec) { *out = *in - if in.Resources != nil { - in, out := &in.Resources, &out.Resources - *out = new(v1.ResourceRequirements) - (*in).DeepCopyInto(*out) - } - if in.VerifyTLS != nil { - in, out := &in.VerifyTLS, &out.VerifyTLS - *out = new(bool) - **out = **in - } if in.Dex != nil { in, out := &in.Dex, &out.Dex *out = new(ArgoCDDexSpec) @@ -905,11 +880,6 @@ func (in *ArgoCDSpec) DeepCopyInto(out *ArgoCDSpec) { (*in).DeepCopyInto(*out) } in.Controller.DeepCopyInto(&out.Controller) - if in.Dex != nil { - in, out := &in.Dex, &out.Dex - *out = new(ArgoCDDexSpec) - (*in).DeepCopyInto(*out) - } if in.ExtraConfig != nil { in, out := &in.ExtraConfig, &out.ExtraConfig *out = make(map[string]string, len(*in)) diff --git a/bundle/manifests/argocd-operator.clusterserviceversion.yaml b/bundle/manifests/argocd-operator.clusterserviceversion.yaml index 980787b9c..73f8f8544 100644 --- a/bundle/manifests/argocd-operator.clusterserviceversion.yaml 
+++ b/bundle/manifests/argocd-operator.clusterserviceversion.yaml @@ -349,38 +349,6 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Controller - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - - description: Config is the dex connector configuration. - displayName: Configuration - path: dex.config - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - - description: Image is the Dex container image. - displayName: Image - path: dex.image - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - - description: OpenShiftOAuth enables OpenShift OAuth authentication for the - Dex server. - displayName: OpenShift OAuth Enabled' - path: dex.openShiftOAuth - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Resources defines the Compute Resources required by the container - for Dex. - displayName: Resource Requirements' - path: dex.resources - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - - description: Version is the Dex container image tag. - displayName: Version - path: dex.version - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - description: GAAnonymizeUsers toggles user IDs being hashed before sending to google analytics. displayName: Google Analytics Anonymize Users' 
@@ -780,17 +748,6 @@ spec: path: applicationSetController x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text - - description: 'Dex is a simple, high-level summary of where the Argo CD Dex - component is in its lifecycle. There are four possible dex values: Pending: - The Argo CD Dex component has been accepted by the Kubernetes system, but - one or more of the required resources have not been created. Running: All - of the required Pods for the Argo CD Dex component are in a Ready state. - Failed: At least one of the Argo CD Dex component Pods had a failure. Unknown: - The state of the Argo CD Dex component could not be obtained.' - displayName: Dex - path: dex - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:text - description: 'NotificationsController is a simple, high-level summary of where the Argo CD notifications controller component is in its lifecycle. There are four possible NotificationsController values: Pending: The Argo CD notifications 
@@ -848,12 +805,15 @@ spec: path: server x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text - - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration is - illegal or more than one SSO providers are configured in CR. Unknown: The - SSO configuration could not be obtained.' - displayName: SSOConfig - path: ssoConfig + - description: 'SSO is a simple, high-level summary of where the Argo CD SSO(Dex/Keycloak) + component is in its lifecycle. There are four possible sso values: Pending: + The Argo CD SSO component has been accepted by the Kubernetes system, but + one or more of the required resources have not been created. Running: All + of the required Pods for the Argo CD SSO component are in a Ready state. + Failed: At least one of the Argo CD SSO component Pods had a failure. Unknown: + The state of the Argo CD SSO component could not be obtained.' + displayName: SSO + path: sso x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text version: v1alpha1 diff --git a/bundle/manifests/argoproj.io_argocds.yaml b/bundle/manifests/argoproj.io_argocds.yaml index d47d3cabf..87d7c51d6 100644 --- a/bundle/manifests/argoproj.io_argocds.yaml +++ b/bundle/manifests/argoproj.io_argocds.yaml 
@@ -569,56 +569,6 @@ spec: type: integer type: object type: object - dex: - description: Dex defines the Dex server options for ArgoCD. - properties: - config: - description: Config is the dex connector configuration. - type: string - groups: - description: Optional list of required groups a user must be a - member of - items: - type: string - type: array - image: - description: Image is the Dex container image. - type: string - openShiftOAuth: - description: OpenShiftOAuth enables OpenShift OAuth authentication - for the Dex server. - type: boolean - resources: - description: Resources defines the Compute Resources required - by the container for Dex. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Dex container image tag. - type: string - type: object disableAdmin: description: DisableAdmin will disable the admin user. type: boolean 
@@ -6222,9 +6172,6 @@ spec: description: Version is the Dex container image tag. type: string type: object - image: - description: Image is the SSO container image. - type: string keycloak: description: Keycloak contains the configuration for Argo CD keycloak authentication @@ -6275,39 +6222,6 @@ spec: description: Provider installs and configures the given SSO Provider with Argo CD. type: string - resources: - description: Resources defines the Compute Resources required - by the container for SSO. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - verifyTLS: - description: VerifyTLS set to false disables strict TLS validation. - type: boolean - version: - description: Version is the SSO container image tag. - type: string type: object statusBadgeEnabled: description: StatusBadgeEnabled toggles application status badge feature. 
@@ -6371,16 +6285,6 @@ spec: component Pods had a failure. Unknown: The state of the Argo CD applicationSet controller component could not be obtained.' type: string - dex: - description: 'Dex is a simple, high-level summary of where the Argo - CD Dex component is in its lifecycle. There are four possible dex - values: Pending: The Argo CD Dex component has been accepted by - the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Dex component are in a Ready state. Failed: At least one - of the Argo CD Dex component Pods had a failure. Unknown: The state - of the Argo CD Dex component could not be obtained.' - type: string host: description: Host is the hostname of the Ingress. type: string @@ -6445,11 +6349,15 @@ spec: one of the Argo CD server component Pods had a failure. Unknown: The state of the Argo CD server component could not be obtained.' type: string - ssoConfig: - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration - is illegal or more than one SSO providers are configured in CR. - Unknown: The SSO configuration could not be obtained.' + sso: + description: 'SSO is a simple, high-level summary of where the Argo + CD SSO(Dex/Keycloak) component is in its lifecycle. There are four + possible sso values: Pending: The Argo CD SSO component has been + accepted by the Kubernetes system, but one or more of the required + resources have not been created. Running: All of the required Pods + for the Argo CD SSO component are in a Ready state. Failed: At least + one of the Argo CD SSO component Pods had a failure. Unknown: The + state of the Argo CD SSO component could not be obtained.' type: string type: object type: object diff --git a/config/crd/bases/argoproj.io_argocds.yaml b/config/crd/bases/argoproj.io_argocds.yaml index a870120c2..b2c21ff3b 100644 
--- a/config/crd/bases/argoproj.io_argocds.yaml +++ b/config/crd/bases/argoproj.io_argocds.yaml @@ -571,56 +571,6 @@ spec: type: integer type: object type: object - dex: - description: Dex defines the Dex server options for ArgoCD. - properties: - config: - description: Config is the dex connector configuration. - type: string - groups: - description: Optional list of required groups a user must be a - member of - items: - type: string - type: array - image: - description: Image is the Dex container image. - type: string - openShiftOAuth: - description: OpenShiftOAuth enables OpenShift OAuth authentication - for the Dex server. - type: boolean - resources: - description: Resources defines the Compute Resources required - by the container for Dex. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Dex container image tag. - type: string - type: object disableAdmin: description: DisableAdmin will disable the admin user. type: boolean 
@@ -6224,9 +6174,6 @@ spec: description: Version is the Dex container image tag. type: string type: object - image: - description: Image is the SSO container image. - type: string keycloak: description: Keycloak contains the configuration for Argo CD keycloak authentication @@ -6277,39 +6224,6 @@ spec: description: Provider installs and configures the given SSO Provider with Argo CD. type: string - resources: - description: Resources defines the Compute Resources required - by the container for SSO. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - verifyTLS: - description: VerifyTLS set to false disables strict TLS validation. - type: boolean - version: - description: Version is the SSO container image tag. - type: string type: object statusBadgeEnabled: description: StatusBadgeEnabled toggles application status badge feature. 
@@ -6373,16 +6287,6 @@ spec: component Pods had a failure. Unknown: The state of the Argo CD applicationSet controller component could not be obtained.' type: string - dex: - description: 'Dex is a simple, high-level summary of where the Argo - CD Dex component is in its lifecycle. There are four possible dex - values: Pending: The Argo CD Dex component has been accepted by - the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Dex component are in a Ready state. Failed: At least one - of the Argo CD Dex component Pods had a failure. Unknown: The state - of the Argo CD Dex component could not be obtained.' - type: string host: description: Host is the hostname of the Ingress. type: string @@ -6447,11 +6351,15 @@ spec: one of the Argo CD server component Pods had a failure. Unknown: The state of the Argo CD server component could not be obtained.' type: string - ssoConfig: - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration - is illegal or more than one SSO providers are configured in CR. - Unknown: The SSO configuration could not be obtained.' + sso: + description: 'SSO is a simple, high-level summary of where the Argo + CD SSO(Dex/Keycloak) component is in its lifecycle. There are four + possible sso values: Pending: The Argo CD SSO component has been + accepted by the Kubernetes system, but one or more of the required + resources have not been created. Running: All of the required Pods + for the Argo CD SSO component are in a Ready state. Failed: At least + one of the Argo CD SSO component Pods had a failure. Unknown: The + state of the Argo CD SSO component could not be obtained.' type: string type: object type: object 
diff --git a/config/manifests/bases/argocd-operator.clusterserviceversion.yaml b/config/manifests/bases/argocd-operator.clusterserviceversion.yaml index 71acbfc53..a8dd45b4c 100644 --- a/config/manifests/bases/argocd-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/argocd-operator.clusterserviceversion.yaml @@ -223,38 +223,6 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Controller - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - - description: Config is the dex connector configuration. - displayName: Configuration - path: dex.config - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - - description: Image is the Dex container image. - displayName: Image - path: dex.image - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - - description: OpenShiftOAuth enables OpenShift OAuth authentication for the - Dex server. - displayName: OpenShift OAuth Enabled' - path: dex.openShiftOAuth - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Resources defines the Compute Resources required by the container - for Dex. - displayName: Resource Requirements' - path: dex.resources - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - - description: Version is the Dex container image tag. - displayName: Version - path: dex.version - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - description: GAAnonymizeUsers toggles user IDs being hashed before sending to google analytics. displayName: Google Analytics Anonymize Users' 
@@ -654,17 +622,6 @@ spec: path: applicationSetController x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text - - description: 'Dex is a simple, high-level summary of where the Argo CD Dex - component is in its lifecycle. There are four possible dex values: Pending: - The Argo CD Dex component has been accepted by the Kubernetes system, but - one or more of the required resources have not been created. Running: All - of the required Pods for the Argo CD Dex component are in a Ready state. - Failed: At least one of the Argo CD Dex component Pods had a failure. Unknown: - The state of the Argo CD Dex component could not be obtained.' - displayName: Dex - path: dex - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:text - description: 'NotificationsController is a simple, high-level summary of where the Argo CD notifications controller component is in its lifecycle. There are four possible NotificationsController values: Pending: The Argo CD notifications 
@@ -722,12 +679,15 @@ spec: path: server x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text - - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration is - illegal or more than one SSO providers are configured in CR. Unknown: The - SSO configuration could not be obtained.' - displayName: SSOConfig - path: ssoConfig + - description: 'SSO is a simple, high-level summary of where the Argo CD SSO(Dex/Keycloak) + component is in its lifecycle. There are four possible sso values: Pending: + The Argo CD SSO component has been accepted by the Kubernetes system, but + one or more of the required resources have not been created. Running: All + of the required Pods for the Argo CD SSO component are in a Ready state. + Failed: At least one of the Argo CD SSO component Pods had a failure. Unknown: + The state of the Argo CD SSO component could not be obtained.' + displayName: SSO + path: sso x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text version: v1alpha1 diff --git a/controllers/argocd/configmap.go b/controllers/argocd/configmap.go index a0f3d21ea..1afe9c832 100644 --- a/controllers/argocd/configmap.go +++ b/controllers/argocd/configmap.go 
@@ -438,14 +438,13 @@ func (r *ReconcileArgoCD) reconcileArgoConfigMap(cr *argoprojv1a1.ArgoCD) error cm.Data[common.ArgoCDKeyServerURL] = r.getArgoServerURI(cr) cm.Data[common.ArgoCDKeyUsersAnonymousEnabled] = fmt.Sprint(cr.Spec.UsersAnonymousEnabled) - // create dex config if dex is enabled either through DISABLE_DEX or through `.spec.sso` + // create dex config if dex is enabled through `.spec.sso` if UseDex(cr) { dexConfig := getDexConfig(cr) - // If no dexConfig expressed but openShiftOAuth is requested through either `.spec.dex` or `.spec.sso.dex`, use default + // If no dexConfig expressed but openShiftOAuth is requested through `.spec.sso.dex`, use default // openshift dex config - if dexConfig == "" && (cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, &v1alpha1.ArgoCDDexSpec{}) && cr.Spec.Dex.OpenShiftOAuth || - (cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.OpenShiftOAuth)) { + if dexConfig == "" && (cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.OpenShiftOAuth) { cfg, err := r.getOpenShiftDexConfig(cr) if err != nil { return err @@ -477,13 +476,13 @@ func (r *ReconcileArgoCD) reconcileArgoConfigMap(cr *argoprojv1a1.ArgoCD) error existingCM := &corev1.ConfigMap{} if argoutil.IsObjectFound(r.Client, cr.Namespace, cm.Name, existingCM) { - // reconcile dex configuration if dex is enabled either through `DISABLE_DEX` or `.spec.sso.dex.provider` or there is + // reconcile dex configuration if dex is enabled `.spec.sso.dex.provider` or there is // existing dex configuration if UseDex(cr) { if err := r.reconcileDexConfiguration(existingCM, cr); err != nil { return err } - } else if cr.Spec.SSO != nil && cr.Spec.SSO.Provider == v1alpha1.SSOProviderTypeKeycloak { + } else if cr.Spec.SSO != nil && cr.Spec.SSO.Provider.ToLower() == v1alpha1.SSOProviderTypeKeycloak { // retain oidc.config during reconcilliation when keycloak is configured cm.Data[common.ArgoCDKeyOIDCConfig] = existingCM.Data[common.ArgoCDKeyOIDCConfig] } 
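Review bot: The rewritten comment above `if UseDex(cr)` in the second configmap.go hunk no longer matches the check it describes. It names `.spec.sso.dex.provider`, has lost the word "through", and still mentions "existing dex configuration", while UseDex as changed in dex.go only compares `.spec.sso.provider` with dex. I would replace it with `// reconcile dex configuration only when .spec.sso.provider selects dex`. reconcileArgoConfigMap starts and ends outside both hunks.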
diff --git a/controllers/argocd/configmap_test.go b/controllers/argocd/configmap_test.go index c53012fce..70a3cb82d 100644 --- a/controllers/argocd/configmap_test.go +++ b/controllers/argocd/configmap_test.go @@ -300,37 +300,10 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_withDexConnector(t *testing.T) { tests := []struct { name string - setEnvVarFunc func(*testing.T, string) - envVar string updateCrSpecFunc func(cr *argoprojv1alpha1.ArgoCD) }{ { - name: "dex config using .spec.dex + disable_dex", - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - envVar: "false", - updateCrSpecFunc: nil, - }, - { - name: "dex config using .spec.sso.provider=dex + .spec.sso.dex", - setEnvVarFunc: nil, - envVar: "", - updateCrSpecFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: v1alpha1.SSOProviderTypeDex, - Dex: &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - }, - } - }, - }, - { - name: "dex config using .spec.sso.provider=dex + .spec.sso.dex + DISABLE_DEX=false", - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - envVar: "false", + name: "dex config using .spec.sso.provider=dex + .spec.sso.dex", updateCrSpecFunc: func(cr *argoprojv1alpha1.ArgoCD) { cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ Provider: v1alpha1.SSOProviderTypeDex, 
@@ -353,22 +326,19 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_withDexConnector(t *testing.T) { } a := makeTestArgoCD(func(a *argoprojv1alpha1.ArgoCD) { - a.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: false, + a.Spec.SSO = &argoprojv1alpha1.ArgoCDSSOSpec{ + Provider: v1alpha1.SSOProviderTypeDex, + Dex: &v1alpha1.ArgoCDDexSpec{ + OpenShiftOAuth: false, + }, } }) secret := argoutil.NewSecretWithName(a, "token") r := makeTestReconciler(t, a, sa, secret) - if test.setEnvVarFunc != nil { - test.setEnvVarFunc(t, test.envVar) - a.Spec.Dex.OpenShiftOAuth = true - } - if test.updateCrSpecFunc != nil { test.updateCrSpecFunc(a) - a.Spec.Dex = &v1alpha1.ArgoCDDexSpec{} } err := r.reconcileArgoConfigMap(a) assert.NoError(t, err) @@ -405,31 +375,17 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_withDexDisabled(t *testing.T) { logf.SetLogger(ZapLogger(true)) tests := []struct { - name string - setEnvVarFunc func(*testing.T, string) - argoCD *argoprojv1alpha1.ArgoCD + name string + argoCD *argoprojv1alpha1.ArgoCD }{ { - name: "dex disabled using DISABLE_DEX", - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: false, - } - }), - }, - { - name: "dex disabled by removing .spec.sso", - setEnvVarFunc: nil, + name: "dex disabled by removing .spec.sso", argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { cr.Spec.SSO = nil }), }, { - name: "dex disabled by switching provider", - setEnvVarFunc: nil, + name: "dex disabled by switching provider", argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ Provider: v1alpha1.SSOProviderTypeKeycloak, 
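Review bot: The new `a.Spec.SSO` literal in the withDexConnector test mixes two import aliases: `&argoprojv1alpha1.ArgoCDSSOSpec{` holds `v1alpha1.SSOProviderTypeDex` and `&v1alpha1.ArgoCDDexSpec{`, and both aliases appear to name the same api/v1alpha1 package. Using one alias throughout, e.g. `Provider: argoprojv1alpha1.SSOProviderTypeDex,`, keeps the literal readable. The "dex disabled by switching provider" case in the dexConfigDeletedwhenDexDisabled hunk has the same mix. Since the commit makes the provider comparison case-insensitive, a table entry with a mixed-case provider value would be worth adding here unless another test file already covers it.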
@@ -441,9 +397,6 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_withDexDisabled(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { r := makeTestReconciler(t, test.argoCD) - if test.setEnvVarFunc != nil { - test.setEnvVarFunc(t, "true") - } err := r.reconcileArgoConfigMap(test.argoCD) assert.NoError(t, err) 
@@ -462,54 +415,18 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_withDexDisabled(t *testing.T) { } } -// When dex is enabled, dexConfig should be present in argocd-cm, when disabled, it should be removed (except when .spec.dex.openShiftOAuth is true) +// When dex is enabled, dexConfig should be present in argocd-cm, when disabled, it should be removed func TestReconcileArgoCD_reconcileArgoConfigMap_dexConfigDeletedwhenDexDisabled(t *testing.T) { logf.SetLogger(ZapLogger(true)) tests := []struct { name string - setEnvVarFunc func(*testing.T, string) updateCrFunc func(cr *argoprojv1alpha1.ArgoCD) argoCD *argoprojv1alpha1.ArgoCD wantConfigRemoved bool }{ { - name: "dex disabled using DISABLE_DEX, config removed", - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: false, - } - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantConfigRemoved: true, - }, - { - name: "dex disabled using DISABLE_DEX, config not removed", - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantConfigRemoved: false, - }, - { - name: "dex disabled by removing .spec.sso.provider", - setEnvVarFunc: nil, + name: "dex disabled by removing .spec.sso.provider", updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { cr.Spec.SSO = nil }, 
@@ -524,10 +441,11 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_dexConfigDeletedwhenDexDisabled( wantConfigRemoved: true, }, { - name: "dex disabled by switching provider", - setEnvVarFunc: nil, + name: "dex disabled by switching provider", updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.SSO = nil + cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ + Provider: argoprojv1alpha1.SSOProviderTypeKeycloak, + } }, argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ @@ -553,9 +471,6 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_dexConfigDeletedwhenDexDisabled( secret := argoutil.NewSecretWithName(test.argoCD, "token") r := makeTestReconciler(t, test.argoCD, sa, secret) - if test.setEnvVarFunc != nil { - test.setEnvVarFunc(t, "false") - } err := r.reconcileArgoConfigMap(test.argoCD) assert.NoError(t, err) @@ -571,9 +486,6 @@ func TestReconcileArgoCD_reconcileArgoConfigMap_dexConfigDeletedwhenDexDisabled( t.Fatalf("reconcileArgoConfigMap failed,could not find dexConfig") } - if test.setEnvVarFunc != nil { - test.setEnvVarFunc(t, "true") - } if test.updateCrFunc != nil { test.updateCrFunc(test.argoCD) } diff --git a/controllers/argocd/deployment_test.go b/controllers/argocd/deployment_test.go index 1b217840e..f557ac3c6 100644 --- a/controllers/argocd/deployment_test.go +++ b/controllers/argocd/deployment_test.go @@ -557,8 +557,11 @@ func TestReconcileArgoCD_reconcileDeployments_proxy(t *testing.T) { logf.SetLogger(ZapLogger(true)) a := makeTestArgoCD(func(a *argoprojv1alpha1.ArgoCD) { a.Spec.Grafana.Enabled = true - a.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - Config: "test", + a.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ + Provider: v1alpha1.SSOProviderTypeDex, + Dex: &v1alpha1.ArgoCDDexSpec{ + Config: "test", + }, } }) r := makeTestReconciler(t, a) 
@@ -583,8 +586,11 @@ func TestReconcileArgoCD_reconcileDeployments_proxy_update_existing(t *testing.T a := makeTestArgoCD(func(a *argoprojv1alpha1.ArgoCD) { a.Spec.Grafana.Enabled = true - a.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - Config: "test", + a.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ + Provider: v1alpha1.SSOProviderTypeDex, + Dex: &v1alpha1.ArgoCDDexSpec{ + Config: "test", + }, } }) r := makeTestReconciler(t, a) diff --git a/controllers/argocd/dex.go b/controllers/argocd/dex.go index b81b90103..5ae952eb0 100644 --- a/controllers/argocd/dex.go +++ b/controllers/argocd/dex.go @@ -31,20 +31,12 @@ type DexConnector struct { Type string `yaml:"type"` } -// UseDex determines whether Dex resources should be created and configured or not, with a focus on -// backward compatibility and not introducing breaking changes to existing user workflows +// UseDex determines whether Dex resources should be created and configured or not func UseDex(cr *argoprojv1a1.ArgoCD) bool { if cr.Spec.SSO != nil { - return cr.Spec.SSO.Provider == v1alpha1.SSOProviderTypeDex - } - if isDexDisabled() { - return false - } - // we don't care about the case where dex is enabled either explicitly through DISABLE_DEX (or implicitly due to the flag being unset) - // in terms of creation/deletion of resources unless there is existing configuration in place that must be honored - if cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, v1alpha1.ArgoCDDexSpec{}) && (len(cr.Spec.Dex.Config) > 0 || cr.Spec.Dex.OpenShiftOAuth) { - return true + return cr.Spec.SSO.Provider.ToLower() == v1alpha1.SSOProviderTypeDex } + return false } 
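Review bot: The shortened doc comment on UseDex in the dex.go hunk no longer states the rule the function applies, and that rule decides whether the Dex resources exist at all. I would document it as `// UseDex reports whether .spec.sso.provider selects Dex (compared case-insensitively); it returns false when .spec.sso is nil.` The body can then be the single expression `return cr.Spec.SSO != nil && cr.Spec.SSO.Provider.ToLower() == v1alpha1.SSOProviderTypeDex`. Installations that enabled Dex only through the removed `.spec.dex` or DISABLE_DEX paths now get false here, so the comment or the release notes should say so.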
@@ -110,10 +102,9 @@ func (r *ReconcileArgoCD) reconcileDexConfiguration(cm *corev1.ConfigMap, cr *ar actual := cm.Data[common.ArgoCDKeyDexConfig] desired := getDexConfig(cr) - // If no dexConfig expressed but openShiftOAuth is requested through either `.spec.dex` or `.spec.sso.dex`, use default + // If no dexConfig expressed but openShiftOAuth is requested through `.spec.sso.dex`, use default // openshift dex config - if len(desired) <= 0 && (cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, &v1alpha1.ArgoCDDexSpec{}) && cr.Spec.Dex.OpenShiftOAuth || - cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.OpenShiftOAuth) { + if len(desired) <= 0 && (cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.OpenShiftOAuth) { cfg, err := r.getOpenShiftDexConfig(cr) if err != nil { return err @@ -147,9 +138,7 @@ func (r *ReconcileArgoCD) getOpenShiftDexConfig(cr *argoprojv1a1.ArgoCD) (string groups := []string{} // Allow override of groups from CR - if cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, v1alpha1.ArgoCDDexSpec{}) && cr.Spec.Dex.Groups != nil { - groups = cr.Spec.Dex.Groups - } else if cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.Groups != nil { + if cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.Groups != nil { groups = cr.Spec.SSO.Dex.Groups } 
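Review bot: The OpenShift OAuth condition `cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.OpenShiftOAuth` in reconcileDexConfiguration is now written out a third time; the same test appears in reconcileArgoConfigMap (configmap.go) and, negated, in reconcileDexServiceAccount. A small helper would keep the three call sites from drifting: `func openShiftOAuthRequested(cr *argoprojv1a1.ArgoCD) bool { return cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.OpenShiftOAuth }`. `len(desired) <= 0` can also be written `desired == ""`, matching the `dexConfig == ""` form used in configmap.go. Both functions touched on this line continue outside the visible hunks.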
@@ -180,9 +169,8 @@ func (r *ReconcileArgoCD) getOpenShiftDexConfig(cr *argoprojv1a1.ArgoCD) (string // reconcileDexServiceAccount will ensure that the Dex ServiceAccount is configured properly for OpenShift OAuth. func (r *ReconcileArgoCD) reconcileDexServiceAccount(cr *argoprojv1a1.ArgoCD) error { - // if openShiftOAuth set to false in both `.spec.dex` and `.spec.sso.dex`, no need to configure it - if (cr.Spec.Dex == nil || reflect.DeepEqual(cr.Spec.Dex, &v1alpha1.ArgoCDDexSpec{}) || !cr.Spec.Dex.OpenShiftOAuth) && - (cr.Spec.SSO == nil || cr.Spec.SSO.Dex == nil || !cr.Spec.SSO.Dex.OpenShiftOAuth) { + // if openShiftOAuth set to false in `.spec.sso.dex`, no need to configure it + if cr.Spec.SSO == nil || cr.Spec.SSO.Dex == nil || !cr.Spec.SSO.Dex.OpenShiftOAuth { return nil // OpenShift OAuth not enabled, move along... } @@ -441,7 +429,7 @@ func (r *ReconcileArgoCD) reconcileDexResources(cr *argoprojv1a1.ArgoCD) error { log.Error(err, "error reconciling dex deployment") } - if err := r.reconcileStatusDex(cr); err != nil { + if err := r.reconcileStatusSSO(cr); err != nil { log.Error(err, "error reconciling dex status") } @@ -492,7 +480,7 @@ func (r *ReconcileArgoCD) deleteDexResources(cr *argoprojv1a1.ArgoCD) error { log.Error(err, "error reconciling dex rolebinding") } - if err := r.reconcileStatusDex(cr); err != nil { + if err := r.reconcileStatusSSO(cr); err != nil { log.Error(err, "error reconciling dex status") } diff --git a/controllers/argocd/dexUtil.go b/controllers/argocd/dexUtil.go index d04f6dbac..fee911fdd 100644 --- a/controllers/argocd/dexUtil.go +++ b/controllers/argocd/dexUtil.go 
@@ -3,28 +3,21 @@ package argocd import ( "fmt" "os" - "reflect" - "strings" corev1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1" - "github.com/argoproj-labs/argocd-operator/api/v1alpha1" argoprojv1a1 "github.com/argoproj-labs/argocd-operator/api/v1alpha1" "github.com/argoproj-labs/argocd-operator/common" "github.com/argoproj-labs/argocd-operator/controllers/argoutil" ) -var ( - isDisableDexSet bool -) - // getDexContainerImage will return the container image for the Dex server. // // There are three possible options for configuring the image, and this is the // order of preference. // -// 1. from the Spec, the spec.dex field has an image and version to use for +// 1. from the Spec, the spec.sso.dex field has an image and version to use for // generating an image reference. // 2. from the Environment, this looks for the `ARGOCD_DEX_IMAGE` field and uses // that if the spec is not configured. @@ -36,9 +29,7 @@ func getDexContainerImage(cr *argoprojv1a1.ArgoCD) string { img := "" tag := "" - if cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, &v1alpha1.ArgoCDDexSpec{}) && cr.Spec.Dex.Image != "" { - img = cr.Spec.Dex.Image - } else if cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.Image != "" { + if cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.Image != "" { img = cr.Spec.SSO.Dex.Image } @@ -47,9 +38,7 @@ func getDexContainerImage(cr *argoprojv1a1.ArgoCD) string { defaultImg = true } - if cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, &v1alpha1.ArgoCDDexSpec{}) && cr.Spec.Dex.Version != "" { - tag = cr.Spec.Dex.Version - } else if cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.Version != "" { + if cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.Version != "" { tag = cr.Spec.SSO.Dex.Version } 
@@ -80,9 +69,7 @@ func getDexResources(cr *argoprojv1a1.ArgoCD) corev1.ResourceRequirements { resources := v1.ResourceRequirements{} // Allow override of resource requirements from CR - if cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, &v1alpha1.ArgoCDDexSpec{}) && cr.Spec.Dex.Resources != nil { - resources = *cr.Spec.Dex.Resources - } else if cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.Resources != nil { + if cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && cr.Spec.SSO.Dex.Resources != nil { resources = *cr.Spec.SSO.Dex.Resources } @@ -95,26 +82,8 @@ func getDexConfig(cr *argoprojv1a1.ArgoCD) string { // Allow override of config from CR if cr.Spec.ExtraConfig["dex.config"] != "" { config = cr.Spec.ExtraConfig["dex.config"] - } else if cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, v1alpha1.ArgoCDDexSpec{}) && len(cr.Spec.Dex.Config) > 0 { - config = cr.Spec.Dex.Config } else if cr.Spec.SSO != nil && cr.Spec.SSO.Dex != nil && len(cr.Spec.SSO.Dex.Config) > 0 { config = cr.Spec.SSO.Dex.Config } return config } - -func isDexDisabled() bool { - - isDisableDexSet = false - if v, ok := os.LookupEnv("DISABLE_DEX"); ok && v != "" { - - // isDisableDexSet helps us differentiate those cases where isDexDisabled() returns false either because it actually is set to false - // or because it isn't set at all. Since `DISABLE_DEX` may or may not be used anymore we have to account for this case as well - isDisableDexSet = true - return strings.ToLower(v) == "true" - } - - // `DISABLE_DEX` is not in use - isDisableDexSet = false - return false -} diff --git a/controllers/argocd/dex_test.go b/controllers/argocd/dex_test.go index 7107bcb18..8eef4bcae 100644 --- a/controllers/argocd/dex_test.go +++ b/controllers/argocd/dex_test.go @@ -2,7 +2,6 @@ package argocd import ( "context" - "os" "testing" "github.com/stretchr/testify/assert" 
@@ -19,54 +18,6 @@ import ( "github.com/argoproj-labs/argocd-operator/common" ) -func Test_isDexDisabled(t *testing.T) { - - tests := []struct { - name string - envVar string - envVarFunc func(*testing.T, string) - wantIsDisableDexSet bool - wantIsDexDisabled bool - }{ - { - name: "DISABLE_DEX not set", - envVar: "", - envVarFunc: nil, - wantIsDisableDexSet: false, - }, - { - name: "DISABLE_DEX set to false", - envVar: "false", - envVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - wantIsDexDisabled: false, - wantIsDisableDexSet: true, - }, - { - name: "DISABLE_DEX set to true", - envVar: "true", - envVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - wantIsDexDisabled: true, - wantIsDisableDexSet: true, - }, - } - - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - if test.envVarFunc != nil { - test.envVarFunc(t, test.envVar) - } - - gotIsDexDisabled := isDexDisabled() - assert.Equal(t, test.wantIsDexDisabled, gotIsDexDisabled) - assert.Equal(t, test.wantIsDisableDexSet, isDisableDexSet) - }) - } -} - func TestReconcileArgoCD_reconcileDexDeployment_with_dex_disabled(t *testing.T) { logf.SetLogger(ZapLogger(true)) @@ -75,17 +26,6 @@ func TestReconcileArgoCD_reconcileDexDeployment_with_dex_disabled(t *testing.T) setEnvFunc func(*testing.T, string) argoCD *argoprojv1alpha1.ArgoCD }{ - { - name: "dex disabled using DISABLE_DEX", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - }, { name: "dex disabled by not specifying .spec.sso.provider=dex", setEnvFunc: nil, 
@@ -132,26 +72,6 @@ func TestReconcileArgoCD_reconcileDexDeployment_removes_dex_when_disabled(t *tes argoCD *argoprojv1alpha1.ArgoCD wantDeploymentDeleted bool }{ - { - name: "dex disabled using DISABLE_DEX", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: false, - } - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantDeploymentDeleted: true, - }, { name: "dex disabled by removing .spec.sso", setEnvFunc: nil, @@ -186,22 +106,6 @@ func TestReconcileArgoCD_reconcileDexDeployment_removes_dex_when_disabled(t *tes }), wantDeploymentDeleted: true, }, - { - name: "dex disabled but deployment not deleted because of existing dex configuration", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: nil, - updateEnvFunc: func(t *testing.T, envVar string) { - os.Unsetenv("DISABLE_DEX") - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantDeploymentDeleted: false, - }, } for _, test := range tests { 
@@ -246,27 +150,6 @@ func TestReconcileArgoCD_reconcileDeployments_Dex_with_resources(t *testing.T) { setEnvFunc func(*testing.T, string) argoCD *argoprojv1alpha1.ArgoCD }{ - { - name: "dex with resources - DISABLE_DEX", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - Config: "test-config", - Resources: &corev1.ResourceRequirements{ - Requests: corev1.ResourceList{ - corev1.ResourceMemory: resourcev1.MustParse("128Mi"), - corev1.ResourceCPU: resourcev1.MustParse("250m"), - }, - Limits: corev1.ResourceList{ - corev1.ResourceMemory: resourcev1.MustParse("256Mi"), - corev1.ResourceCPU: resourcev1.MustParse("500m"), - }, - }, - } - }), - }, { name: "dex with resources - .spec.sso.provider=dex", setEnvFunc: nil, @@ -525,26 +408,6 @@ func TestReconcileArgoCD_reconcileDexDeployment_withUpdate(t *testing.T) { argoCD *argoprojv1alpha1.ArgoCD wantPodSpec corev1.PodSpec }{ - { - name: "update dex deployment - .spec.dex + DISABLE_DEX", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Image = "justatest" - cr.Spec.Version = "latest" - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - Image: "testdex", - Version: "v0.0.1", - } - }, - argoCD: makeTestArgoCD(func(ac *argoprojv1alpha1.ArgoCD) { - ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: v1alpha1.SSOProviderTypeDex, - } - }), - wantPodSpec: desiredPodSpec, - }, { name: "update dex deployment - .spec.sso.provider=dex + .spec.sso.dex", setEnvFunc: nil, 
@@ -613,26 +476,6 @@ func TestReconcileArgoCD_reconcileDexService_removes_dex_when_disabled(t *testin argoCD *argoprojv1alpha1.ArgoCD wantServiceDeleted bool }{ - { - name: "dex disabled using DISABLE_DEX", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }, - updateEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantServiceDeleted: true, - }, { name: "dex disabled by removing .spec.sso", setEnvFunc: nil, @@ -667,22 +510,6 @@ func TestReconcileArgoCD_reconcileDexService_removes_dex_when_disabled(t *testin }), wantServiceDeleted: true, }, - { - name: "dex disabled but deployment not deleted because of existing dex configuration", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: nil, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - updateEnvFunc: func(t *testing.T, env string) { - os.Unsetenv("DISABLE_DEX") - }, - wantServiceDeleted: false, - }, } for _, test := range tests { 
@@ -731,26 +558,6 @@ func TestReconcileArgoCD_reconcileDexServiceAccount_removes_dex_when_disabled(t argoCD *argoprojv1alpha1.ArgoCD wantServiceAccountDeleted bool }{ - { - name: "dex disabled using DISABLE_DEX", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: false, - } - }, - updateEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantServiceAccountDeleted: true, - }, { name: "dex disabled by removing .spec.sso", setEnvFunc: nil, @@ -785,22 +592,6 @@ func TestReconcileArgoCD_reconcileDexServiceAccount_removes_dex_when_disabled(t }), wantServiceAccountDeleted: true, }, - { - name: "dex disabled but sa not deleted because of existing dex configuration", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: nil, - updateEnvFunc: func(*testing.T, string) { - os.Unsetenv("DISABLE_DEX") - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantServiceAccountDeleted: false, - }, } for _, test := range tests { 
@@ -850,26 +641,6 @@ func TestReconcileArgoCD_reconcileRole_dex_disabled(t *testing.T) { argoCD *argoprojv1alpha1.ArgoCD wantRoleDeleted bool }{ - { - name: "dex disabled using DISABLE_DEX", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: false, - } - }, - updateEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantRoleDeleted: true, - }, { name: "dex disabled by removing .spec.sso", setEnvFunc: nil, @@ -904,22 +675,6 @@ func TestReconcileArgoCD_reconcileRole_dex_disabled(t *testing.T) { }), wantRoleDeleted: true, }, - { - name: "dex disabled but sa not deleted because of existing dex configuration", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: nil, - updateEnvFunc: func(*testing.T, string) { - os.Unsetenv("DISABLE_DEX") - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantRoleDeleted: false, - }, } for _, test := range tests { 
@@ -974,26 +729,6 @@ func TestReconcileArgoCD_reconcileRoleBinding_dex_disabled(t *testing.T) { argoCD *argoprojv1alpha1.ArgoCD wantRoleBindingDeleted bool }{ - { - name: "dex disabled using DISABLE_DEX", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: false, - } - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantRoleBindingDeleted: true, - }, { name: "dex disabled by removing .spec.sso", setEnvFunc: nil, @@ -1028,22 +763,6 @@ func TestReconcileArgoCD_reconcileRoleBinding_dex_disabled(t *testing.T) { }), wantRoleBindingDeleted: true, }, - { - name: "dex disabled but sa not deleted because of existing dex configuration", - setEnvFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - updateCrFunc: nil, - updateEnvFunc: func(*testing.T, string) { - os.Unsetenv("DISABLE_DEX") - }, - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - wantRoleBindingDeleted: false, - }, } for _, test := range tests { diff --git a/controllers/argocd/keycloak.go b/controllers/argocd/keycloak.go index 4b331f6ef..4c525d3ce 100644 --- a/controllers/argocd/keycloak.go +++ b/controllers/argocd/keycloak.go 
@@ -158,7 +158,7 @@ type CustomKeycloakAPIRealm struct { // There are three possible options for configuring the image, and this is the // order of preference. // -// 1. from the Spec, the spec.sso field has an image and version to use for +// 1. from the Spec, the spec.sso.keycloak field has an image and version to use for // generating an image reference. // 2. From the Environment, this looks for the `ARGOCD_KEYCLOAK_IMAGE` field and uses // that if the spec is not configured. @@ -170,9 +170,7 @@ func getKeycloakContainerImage(cr *argoprojv1a1.ArgoCD) string { img := "" tag := "" - if cr.Spec.SSO != nil && cr.Spec.SSO.Image != "" { - img = cr.Spec.SSO.Image - } else if cr.Spec.SSO.Keycloak != nil && cr.Spec.SSO.Keycloak.Image != "" { + if cr.Spec.SSO.Keycloak != nil && cr.Spec.SSO.Keycloak.Image != "" { img = cr.Spec.SSO.Keycloak.Image } @@ -184,9 +182,7 @@ func getKeycloakContainerImage(cr *argoprojv1a1.ArgoCD) string { defaultImg = true } - if cr.Spec.SSO != nil && cr.Spec.SSO.Version != "" { - tag = cr.Spec.SSO.Version - } else if cr.Spec.SSO.Keycloak != nil && cr.Spec.SSO.Keycloak.Version != "" { + if cr.Spec.SSO.Keycloak != nil && cr.Spec.SSO.Keycloak.Version != "" { tag = cr.Spec.SSO.Keycloak.Version } @@ -258,9 +254,7 @@ func getKeycloakResources(cr *argoprojv1a1.ArgoCD) corev1.ResourceRequirements { resources := defaultKeycloakResources() // Allow override of resource requirements from CR - if cr.Spec.SSO != nil && cr.Spec.SSO.Resources != nil { - resources = *cr.Spec.SSO.Resources - } else if cr.Spec.SSO.Keycloak != nil && cr.Spec.SSO.Keycloak.Resources != nil { + if cr.Spec.SSO.Keycloak != nil && cr.Spec.SSO.Keycloak.Resources != nil { resources = *cr.Spec.SSO.Keycloak.Resources } 
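Review bot: getKeycloakContainerImage now reads `cr.Spec.SSO.Keycloak` with no check that `cr.Spec.SSO` is non-nil, because the removed branch carried the only `cr.Spec.SSO != nil` guard in these conditions. If any caller reaches it with `.spec.sso` unset, the reconciler would panic on a nil pointer; whether callers rule that out is not visible here. I would guard each condition, e.g. `if cr.Spec.SSO != nil && cr.Spec.SSO.Keycloak != nil && cr.Spec.SSO.Keycloak.Image != "" {`. The Version condition in the next hunk, the Resources condition in getKeycloakResources and the VerifyTLS condition in prepareKeycloakConfig follow the same pattern.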
@@ -821,7 +815,7 @@ func (r *ReconcileArgoCD) prepareKeycloakConfig(cr *argoprojv1a1.ArgoCD) (*keycl } // By default TLS Verification should be enabled. - if (cr.Spec.SSO.VerifyTLS == nil || *cr.Spec.SSO.VerifyTLS) && (cr.Spec.SSO.Keycloak == nil || (cr.Spec.SSO.Keycloak.VerifyTLS == nil || *cr.Spec.SSO.Keycloak.VerifyTLS)) { + if cr.Spec.SSO.Keycloak == nil || (cr.Spec.SSO.Keycloak.VerifyTLS == nil || *cr.Spec.SSO.Keycloak.VerifyTLS) { tlsVerification = true } diff --git a/controllers/argocd/keycloak_test.go b/controllers/argocd/keycloak_test.go index 06afdd2c0..80d759ff2 100644 --- a/controllers/argocd/keycloak_test.go +++ b/controllers/argocd/keycloak_test.go @@ -124,27 +124,6 @@ func TestKeycloakContainerImage(t *testing.T) { templateAPIFound: true, wantContainerImage: "envImage:latest", }, - { - name: "both cr.spec.sso.Image and ArgoCDKeycloakImageEnvName are set.", - setEnvVarFunc: func(t *testing.T, s string) { - t.Setenv(common.ArgoCDKeycloakImageEnvName, s) - }, - envVar: "envImage:latest", - argoCD: makeArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: argoappv1.SSOProviderTypeKeycloak, - } - }), - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: argoappv1.SSOProviderTypeKeycloak, - Image: "crImage", - Version: "crVersion", - } - }, - templateAPIFound: true, - wantContainerImage: "crImage:crVersion", - }, { name: "both cr.spec.sso.keycloak.Image and ArgoCDKeycloakImageEnvName are set", setEnvVarFunc: func(t *testing.T, s string) { 
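Review bot: In prepareKeycloakConfig, setting `.spec.sso.keycloak.verifyTLS` to false switches certificate verification off without leaving any trace in the operator log, as far as this hunk shows. A disabled TLS check is security-relevant, so I would record it once the flag has been evaluated, assuming tlsVerification is still false at that point: `if !tlsVerification { log.Info("TLS verification disabled by .spec.sso.keycloak.verifyTLS") }`. A short comment that the removed `.spec.sso.verifyTLS` is no longer consulted would also help readers of older CRs. The function body starts and ends outside the hunk.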
@@ -289,20 +268,6 @@ func TestKeycloakResources(t *testing.T) { updateCrFunc: nil, wantResources: defaultKeycloakResources(), }, - { - name: "override with .spec.sso", - argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: argoappv1.SSOProviderTypeKeycloak, - } - }), - updateCrFunc: func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Resources: &fR, - } - }, - wantResources: getFakeKeycloakResources(), - }, { name: "override with .spec.sso.keycloak", argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { @@ -405,7 +370,7 @@ func TestKeycloakConfigVerifyTLSForOpenShift(t *testing.T) { desiredVerifyTLS bool }{ { - name: ".spec.sso.verifyTLS & .spec.sso.keycloak.verifyTLS both nil", + name: ".spec.sso.keycloak.verifyTLS nil", argoCD: makeTestArgoCD(func(ac *argoprojv1alpha1.ArgoCD) { ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ Provider: argoappv1.SSOProviderTypeKeycloak, @@ -414,7 +379,7 @@ func TestKeycloakConfigVerifyTLSForOpenShift(t *testing.T) { desiredVerifyTLS: true, }, { - name: ".spec.sso.verifyTLS nil, .spec.sso.keycloak.verifyTLS false", + name: ".spec.sso.keycloak.verifyTLS false", argoCD: makeTestArgoCD(func(ac *argoprojv1alpha1.ArgoCD) { ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ Provider: argoappv1.SSOProviderTypeKeycloak, 
@@ -426,17 +391,7 @@ func TestKeycloakConfigVerifyTLSForOpenShift(t *testing.T) { desiredVerifyTLS: false, }, { - name: ".spec.sso.verifyTLS false, .spec.sso.keycloak.verifyTLS nil", - argoCD: makeTestArgoCD(func(ac *argoprojv1alpha1.ArgoCD) { - ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: argoappv1.SSOProviderTypeKeycloak, - VerifyTLS: boolPtr(false), - } - }), - desiredVerifyTLS: false, - }, - { - name: ".spec.sso.verifyTLS nil, .spec.sso.keycloak.verifyTLS true", + name: ".spec.sso.keycloak.verifyTLS true", argoCD: makeTestArgoCD(func(ac *argoprojv1alpha1.ArgoCD) { ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ Provider: argoappv1.SSOProviderTypeKeycloak, @@ -447,16 +402,6 @@ func TestKeycloakConfigVerifyTLSForOpenShift(t *testing.T) { }), desiredVerifyTLS: true, }, - { - name: ".spec.sso.verifyTLS true, .spec.sso.keycloak.verifyTLS nil", - argoCD: makeTestArgoCD(func(ac *argoprojv1alpha1.ArgoCD) { - ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: argoappv1.SSOProviderTypeKeycloak, - VerifyTLS: boolPtr(true), - } - }), - desiredVerifyTLS: true, - }, } for _, test := range tests { diff --git a/controllers/argocd/secret.go b/controllers/argocd/secret.go index f47d083b3..c2fe82c6f 100644 --- a/controllers/argocd/secret.go +++ b/controllers/argocd/secret.go @@ -29,6 +29,7 @@ import ( argopass "github.com/argoproj/argo-cd/v2/util/password" tlsutil "github.com/operator-framework/operator-sdk/pkg/tls" + "github.com/argoproj-labs/argocd-operator/api/v1alpha1" argoprojv1a1 "github.com/argoproj-labs/argocd-operator/api/v1alpha1" "github.com/argoproj-labs/argocd-operator/common" "github.com/argoproj-labs/argocd-operator/controllers/argoutil" 
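Review bot: The import added to secret.go brings in `github.com/argoproj-labs/argocd-operator/api/v1alpha1` a second time, although the next line already imports the same package as `argoprojv1a1`. The two conditions that need it in reconcileArgoSecret and reconcileExistingArgoSecret can use the existing alias, `cr.Spec.SSO.Provider.ToLower() == argoprojv1a1.SSOProviderTypeDex`, and the new import line can be dropped. Having both names for one package in a file makes it harder to see that they refer to the same constants.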
@@ -183,7 +184,7 @@ func (r *ReconcileArgoCD) reconcileArgoSecret(cr *argoprojv1a1.ArgoCD) error { common.ArgoCDKeyTLSPrivateKey: tlsSecret.Data[common.ArgoCDKeyTLSPrivateKey], } - if UseDex(cr) { + if cr.Spec.SSO != nil && cr.Spec.SSO.Provider.ToLower() == v1alpha1.SSOProviderTypeDex { dexOIDCClientSecret, err := r.getDexOAuthClientSecret(cr) if err != nil { return nil @@ -333,7 +334,7 @@ func (r *ReconcileArgoCD) reconcileExistingArgoSecret(cr *argoprojv1a1.ArgoCD, s changed = true } - if UseDex(cr) { + if cr.Spec.SSO != nil && cr.Spec.SSO.Provider.ToLower() == v1alpha1.SSOProviderTypeDex { dexOIDCClientSecret, err := r.getDexOAuthClientSecret(cr) if err != nil { return err diff --git a/controllers/argocd/sso.go b/controllers/argocd/sso.go index b4e5ae4eb..b64b6145f 100644 --- a/controllers/argocd/sso.go +++ b/controllers/argocd/sso.go @@ -17,8 +17,6 @@ package argocd import ( "errors" "fmt" - "os" - "reflect" template "github.com/openshift/api/template/v1" apiErrors "k8s.io/apimachinery/pkg/api/errors" 
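Review bot: In reconcileArgoSecret the context lines right under the new provider check read `if err != nil { return nil }`, so a failure of `getDexOAuthClientSecret` is reported as success and the secret is presumably never completed with the Dex OIDC client secret. The matching branch in reconcileExistingArgoSecret (hunk at -333) returns `err`, which looks like the intended behaviour. Since this commit rewrites the line directly above, it would be a good place to change it to `return err`. Both function bodies extend outside their hunks.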
@@ -57,94 +55,19 @@ func verifyTemplateAPI() error { } // The purpose of reconcileSSO is to try and catch as many illegal configuration edge cases at the highest level (that can lead to conflicts) -// as possible, that may arise from the operator supporting multiple SSO providers in a backwards-compatible way. -// The operator must support both `.spec.dex` and `.spec.sso.dex` for dex, and `.spec.sso` fields and `.spec.sso.keycloak` -// fields for keycloak. The operator must identify edge cases involving partial configurations of specs, spec mismatch with +// as possible, that may arise from the operator supporting multiple SSO providers. +// The operator must support `.spec.sso.dex` fields for dex, and `.spec.sso.keycloak` fields for keycloak. +// The operator must identify edge cases involving partial configurations of specs, spec mismatch with // active provider, contradicting configuration etc, and throw the appropriate errors. func (r *ReconcileArgoCD) reconcileSSO(cr *argoprojv1a1.ArgoCD) error { // reset ssoConfigLegalStatus at the beginning of each SSO reconciliation round ssoConfigLegalStatus = ssoLegalUnknown - // Emit events warning users about deprecation notice for soon-to-be-removed fields in the CR if being used - - if env := os.Getenv("DISABLE_DEX"); env != "" { - // Emit event for each instance providing users with deprecation notice for `DISABLE_DEX` if not emitted already - if currentInstanceEventEmissionStatus, ok := DeprecationEventEmissionTracker[cr.Namespace]; !ok || !currentInstanceEventEmissionStatus.DisableDexDeprecationWarningEmitted { - err := argoutil.CreateEvent(r.Client, "Warning", "Deprecated", "`DISABLE_DEX` is deprecated, and support will be removed in Argo CD Operator v0.8.0/OpenShift GitOps v1.10.0. 
Dex can be enabled/disabled through `.spec.sso`", "DeprecationNotice", cr.ObjectMeta, cr.TypeMeta) - if err != nil { - return err - } - - if !ok { - currentInstanceEventEmissionStatus = DeprecationEventEmissionStatus{DisableDexDeprecationWarningEmitted: true} - } else { - currentInstanceEventEmissionStatus.DisableDexDeprecationWarningEmitted = true - } - DeprecationEventEmissionTracker[cr.Namespace] = currentInstanceEventEmissionStatus - } - - } - - if cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, &v1alpha1.ArgoCDDexSpec{}) { - - // Emit event for each instance providing users with deprecation notice for `.spec.dex` if not emitted already - if currentInstanceEventEmissionStatus, ok := DeprecationEventEmissionTracker[cr.Namespace]; !ok || !currentInstanceEventEmissionStatus.DexSpecDeprecationWarningEmitted { - err := argoutil.CreateEvent(r.Client, "Warning", "Deprecated", "`.spec.dex` is deprecated, and support will be removed in Argo CD Operator v0.8.0/OpenShift GitOps v1.10.0. Dex configuration can be managed through `.spec.sso.dex`", "DeprecationNotice", cr.ObjectMeta, cr.TypeMeta) - if err != nil { - return err - } - - if !ok { - currentInstanceEventEmissionStatus = DeprecationEventEmissionStatus{DexSpecDeprecationWarningEmitted: true} - } else { - currentInstanceEventEmissionStatus.DexSpecDeprecationWarningEmitted = true - } - DeprecationEventEmissionTracker[cr.Namespace] = currentInstanceEventEmissionStatus - } - - } - - if cr.Spec.SSO != nil && (cr.Spec.SSO.Image != "" || cr.Spec.SSO.Version != "" || - cr.Spec.SSO.VerifyTLS != nil || cr.Spec.SSO.Resources != nil) { - - // Emit event for each instance providing users with deprecation notice for `.spec.SSO` subfields if not emitted already - if currentInstanceEventEmissionStatus, ok := DeprecationEventEmissionTracker[cr.Namespace]; !ok || !currentInstanceEventEmissionStatus.SSOSpecDeprecationWarningEmitted { - err := argoutil.CreateEvent(r.Client, "Warning", "Deprecated", "`.spec.SSO.Image`, 
`.spec.SSO.Version`, `.spec.SSO.Resources` and `.spec.SSO.VerifyTLS` are deprecated, and support will be removed in Argo CD Operator v0.8.0/OpenShift GitOps v1.10.0. Keycloak configuration can be managed through `.spec.sso.keycloak`", "DeprecationNotice", cr.ObjectMeta, cr.TypeMeta) - if err != nil { - return err - } - - if !ok { - currentInstanceEventEmissionStatus = DeprecationEventEmissionStatus{SSOSpecDeprecationWarningEmitted: true} - } else { - currentInstanceEventEmissionStatus.SSOSpecDeprecationWarningEmitted = true - } - DeprecationEventEmissionTracker[cr.Namespace] = currentInstanceEventEmissionStatus - } - } - // case 1 if cr.Spec.SSO == nil { - - errMsg := "" - var err error - // no SSO configured, nothing to do here - if !UseDex(cr) { - return nil - } - - if (!isDexDisabled() && isDisableDexSet) && cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, &v1alpha1.ArgoCDDexSpec{}) && !cr.Spec.Dex.OpenShiftOAuth && cr.Spec.Dex.Config == "" { - // dex is enabled but no dexconfig supplied. This will cause health probe to fail as per - // https://github.com/argoproj-labs/argocd-operator/pull/615 ==> conflict - errMsg = "must suppy valid dex configuration when dex is enabled" - err = errors.New(illegalSSOConfiguration + errMsg) - log.Error(err, fmt.Sprintf("Illegal expression of SSO configuration detetected for Argo CD %s in namespace %s. %s", cr.Name, cr.Namespace, errMsg)) - ssoConfigLegalStatus = ssoLegalFailed // set global indicator that SSO config has gone wrong - _ = r.reconcileStatusSSOConfig(cr) - return err - } + return nil } if cr.Spec.SSO != nil { 
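Review bot: `ssoConfigLegalStatus`, reset at the top of reconcileSSO, is package-level state (the later comments call it a "global indicator"), yet reconcileStatusSSO writes it into the status of whichever `cr` it is handed. If the operator reconciles more than one ArgoCD instance, `.status.sso` of one instance could show the legality result of another, depending on a call order that is not visible in this hunk. At minimum this deserves a comment at the reset, for example `// package-level: holds the result of the most recent reconcileSSO call, not of cr specifically`; returning the status from reconcileSSO or keying it by namespace would remove the coupling. Separately, after the new early `return nil` for `cr.Spec.SSO == nil`, the following `if cr.Spec.SSO != nil {` wrapper is always true.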
@@ -154,77 +77,50 @@ func (r *ReconcileArgoCD) reconcileSSO(cr *argoprojv1a1.ArgoCD) error { isError := false // case 2 - if cr.Spec.SSO.Provider == v1alpha1.SSOProviderTypeDex { - // Relevant SSO settings at play are `DISABLE_DEX`, `.spec.dex`, `.spec.sso` fields, `.spec.sso.keycloak` + if cr.Spec.SSO.Provider.ToLower() == v1alpha1.SSOProviderTypeDex { + // Relevant SSO settings at play are `.spec.sso.dex` fields, `.spec.sso.keycloak` - if isDexDisabled() && isDisableDexSet { - // DISABLE_DEX is true when `.spec.sso.provider` is set to dex ==> conflict - errMsg = "cannot set DISABLE_DEX to true when dex is configured through .spec.sso" - isError = true - } else if cr.Spec.SSO.Dex == nil || (cr.Spec.SSO.Dex != nil && !cr.Spec.SSO.Dex.OpenShiftOAuth && cr.Spec.SSO.Dex.Config == "") { + if cr.Spec.SSO.Dex == nil || (cr.Spec.SSO.Dex != nil && !cr.Spec.SSO.Dex.OpenShiftOAuth && cr.Spec.SSO.Dex.Config == "") { // sso provider specified as dex but no dexconfig supplied. This will cause health probe to fail as per // https://github.com/argoproj-labs/argocd-operator/pull/615 ==> conflict - errMsg = "must suppy valid dex configuration when requested SSO provider is dex" + errMsg = "must supply valid dex configuration when requested SSO provider is dex" isError = true } else if cr.Spec.SSO.Keycloak != nil { // new keycloak spec fields are expressed when `.spec.sso.provider` is set to dex ==> conflict errMsg = "cannot supply keycloak configuration in .spec.sso.keycloak when requested SSO provider is dex" isError = true - } else if cr.Spec.Dex != nil && (cr.Spec.Dex.Image != "" || cr.Spec.Dex.Config != "" || cr.Spec.Dex.Resources != nil || len(cr.Spec.Dex.Groups) != 0 || - cr.Spec.Dex.Version != "" || cr.Spec.Dex.OpenShiftOAuth != cr.Spec.SSO.Dex.OpenShiftOAuth) { - // old dex spec fields are expressed when `.spec.sso.provider` is set to dex instead of using new `.spec.sso.dex` ==> conflict - errMsg = "cannot specify .spec.Dex fields when dex is configured through 
.spec.sso.dex" - isError = true - } else if cr.Spec.SSO.Image != "" || cr.Spec.SSO.Version != "" || cr.Spec.SSO.VerifyTLS != nil || cr.Spec.SSO.Resources != nil { - // old keycloak spec fields expressed when `.spec.sso.provider` is set to dex ==> conflict - errMsg = "cannot supply keycloak configuration in spec.sso when requested SSO provider is dex" - isError = true } if isError { err = errors.New(illegalSSOConfiguration + errMsg) - log.Error(err, fmt.Sprintf("Illegal expression of SSO configuration detetected for Argo CD %s in namespace %s. %s", cr.Name, cr.Namespace, errMsg)) + log.Error(err, fmt.Sprintf("Illegal expression of SSO configuration detected for Argo CD %s in namespace %s. %s", cr.Name, cr.Namespace, errMsg)) ssoConfigLegalStatus = ssoLegalFailed // set global indicator that SSO config has gone wrong - _ = r.reconcileStatusSSOConfig(cr) + _ = r.reconcileStatusSSO(cr) return err } } // case 3 - if cr.Spec.SSO.Provider == v1alpha1.SSOProviderTypeKeycloak { - // Relevant SSO settings at play are `DISABLE_DEX`, `.spec.dex`, `.spec.sso` fields, `.spec.sso.keycloak`, `.spec.sso.dex` - - if (cr.Spec.SSO.Keycloak != nil) && (cr.Spec.SSO.Image != "" || cr.Spec.SSO.Version != "" || - cr.Spec.SSO.Resources != nil || cr.Spec.SSO.VerifyTLS != nil) { - // Keycloak specs expressed both in old `.spec.sso` fields as well as in `.spec.sso.keycloak` simultaneously and they don't match - // ==> conflict - errMsg = "cannot specify keycloak fields in .spec.sso when keycloak is configured through .spec.sso.keycloak" - err = errors.New(illegalSSOConfiguration + errMsg) - isError = true - } else if cr.Spec.SSO.Dex != nil { + if cr.Spec.SSO.Provider.ToLower() == v1alpha1.SSOProviderTypeKeycloak { + // Relevant SSO settings at play are `.spec.sso.keycloak` fields, `.spec.sso.dex` + + if cr.Spec.SSO.Dex != nil { // new dex spec fields are expressed when `.spec.sso.provider` is set to keycloak ==> conflict errMsg = "cannot supply dex configuration when requested SSO provider is 
keycloak" err = errors.New(illegalSSOConfiguration + errMsg) isError = true - } else if (cr.Spec.Dex != nil && !reflect.DeepEqual(cr.Spec.Dex, &v1alpha1.ArgoCDDexSpec{}) && (cr.Spec.Dex.OpenShiftOAuth || cr.Spec.Dex.Config != "")) { - // Keycloak configured as SSO provider, but dex config also present in argocd-cm. May cause both SSO providers to get - // configured if Dex pods happen to be running due to `DEX_DISABLED` being set to false ==> conflict - errMsg = "multiple SSO providers configured simultaneously" - err = errors.New(multipleSSOConfiguration + errMsg) - isError = true } - // (cannot check against presence of DISABLE_DEX as erroring out here would break current behavior) if isError { - log.Error(err, fmt.Sprintf("Illegal expression of SSO configuration deletected for Argo CD %s in namespace %s. %s", cr.Name, cr.Namespace, errMsg)) + log.Error(err, fmt.Sprintf("Illegal expression of SSO configuration detected for Argo CD %s in namespace %s. %s", cr.Name, cr.Namespace, errMsg)) ssoConfigLegalStatus = ssoLegalFailed // set global indicator that SSO config has gone wrong - _ = r.reconcileStatusSSOConfig(cr) + _ = r.reconcileStatusSSO(cr) return err } } // case 4 - if cr.Spec.SSO.Provider == "" { + if cr.Spec.SSO.Provider.ToLower() == "" { if cr.Spec.SSO.Dex != nil || // `.spec.sso.dex` expressed without specifying SSO provider ==> conflict 
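Review bot: The provider is lower-cased again at every comparison in reconcileSSO (case 2, case 3, case 4, and later in the hunks at -235 and -247), which makes it easy for a future branch to forget the call and become case-sensitive. Normalising once after the nil check, `provider := cr.Spec.SSO.Provider.ToLower()`, and comparing `provider` everywhere keeps the case-insensitive rule in one place. In case 4 the call adds nothing, since `cr.Spec.SSO.Provider.ToLower() == ""` is equivalent to comparing the raw value with `""`. The same pattern repeats in deleteSSOConfiguration and in secret.go.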
@@ -235,10 +131,22 @@ func (r *ReconcileArgoCD) reconcileSSO(cr *argoprojv1a1.ArgoCD) error { err = errors.New(illegalSSOConfiguration + errMsg) log.Error(err, fmt.Sprintf("Cannot specify SSO provider spec without specifying SSO provider type for Argo CD %s in namespace %s.", cr.Name, cr.Namespace)) ssoConfigLegalStatus = ssoLegalFailed // set global indicator that SSO config has gone wrong - _ = r.reconcileStatusSSOConfig(cr) + _ = r.reconcileStatusSSO(cr) return err } } + + // case 5 + if cr.Spec.SSO.Provider.ToLower() != v1alpha1.SSOProviderTypeDex && cr.Spec.SSO.Provider.ToLower() != v1alpha1.SSOProviderTypeKeycloak { + // `.spec.sso.provider` contains unsupported value + + errMsg = fmt.Sprintf("Unsupported SSO provider type. Supported providers are %s and %s", v1alpha1.SSOProviderTypeDex, v1alpha1.SSOProviderTypeKeycloak) + err = errors.New(illegalSSOConfiguration + errMsg) + log.Error(err, fmt.Sprintf("Unsupported SSO provider type for Argo CD %s in namespace %s.", cr.Name, cr.Namespace)) + ssoConfigLegalStatus = ssoLegalFailed // set global indicator that SSO config has gone wrong + _ = r.reconcileStatusSSO(cr) + return err + } } // control reaching this point means that none of the illegal config combinations were detected. SSO is configured legally @@ -247,7 +155,7 @@ func (r *ReconcileArgoCD) reconcileSSO(cr *argoprojv1a1.ArgoCD) error { // reconcile resources based on enabled provider // keycloak - if cr.Spec.SSO != nil && cr.Spec.SSO.Provider == argoprojv1a1.SSOProviderTypeKeycloak { + if cr.Spec.SSO != nil && cr.Spec.SSO.Provider.ToLower() == argoprojv1a1.SSOProviderTypeKeycloak { // Trigger reconciliation of any Dex resources so they get deleted if err := r.reconcileDexResources(cr); err != nil && !apiErrors.IsNotFound(err) { @@ -271,7 +179,7 @@ func (r *ReconcileArgoCD) reconcileSSO(cr *argoprojv1a1.ArgoCD) error { } } - _ = r.reconcileStatusSSOConfig(cr) + _ = r.reconcileStatusSSO(cr) return nil } 
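Review bot: The new case 5 also fires when `.spec.sso.provider` is empty, because `""` is neither dex nor keycloak, so a CR with an empty `.spec.sso` block that passed case 4 is now marked Failed with the message "Unsupported SSO provider type". Whether rejecting that CR is intended cannot be told from this hunk, and no table entry in sso_test.go covers it. If it should stay legal, guard the check, `if p := cr.Spec.SSO.Provider.ToLower(); p != "" && p != v1alpha1.SSOProviderTypeDex && p != v1alpha1.SSOProviderTypeKeycloak {`. If it should be rejected, a message that says the provider is missing would be easier to act on than "unsupported".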
@@ -280,12 +188,12 @@ func (r *ReconcileArgoCD) deleteSSOConfiguration(newCr *argoprojv1a1.ArgoCD, old log.Info("uninstalling existing SSO configuration") - if oldCr.Spec.SSO.Provider == argoprojv1a1.SSOProviderTypeKeycloak { + if oldCr.Spec.SSO.Provider.ToLower() == argoprojv1a1.SSOProviderTypeKeycloak { if err := deleteKeycloakConfiguration(newCr); err != nil { log.Error(err, "Unable to delete existing keycloak configuration") return err } - } else if oldCr.Spec.SSO.Provider == argoprojv1a1.SSOProviderTypeDex { + } else if oldCr.Spec.SSO.Provider.ToLower() == argoprojv1a1.SSOProviderTypeDex { // Trigger reconciliation of Dex resources so they get deleted if err := r.deleteDexResources(newCr); err != nil { log.Error(err, "Unable to reconcile necessary resources for uninstallation of Dex") @@ -293,6 +201,6 @@ func (r *ReconcileArgoCD) deleteSSOConfiguration(newCr *argoprojv1a1.ArgoCD, old } } - _ = r.reconcileStatusSSOConfig(newCr) + _ = r.reconcileStatusSSO(newCr) return nil } diff --git a/controllers/argocd/sso_test.go b/controllers/argocd/sso_test.go index d7cc45d36..c7eed61c7 100644 --- a/controllers/argocd/sso_test.go +++ b/controllers/argocd/sso_test.go @@ -17,7 +17,6 @@ package argocd import ( "context" "errors" - "sort" "testing" oappsv1 "github.com/openshift/api/apps/v1" 
@@ -89,85 +88,65 @@ func TestReconcile_illegalSSOConfiguration(t *testing.T) { logf.SetLogger(ZapLogger(true)) tests := []struct { - name string - argoCD *argov1alpha1.ArgoCD - envVar string - setEnvVarFunc func(*testing.T, string) - wantErr bool - Err error + name string + argoCD *argov1alpha1.ArgoCD + wantErr bool + Err error + wantSSOConfigLegalStatus string }{ { - name: "no conflicts - no sso configured", - argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) {}), - setEnvVarFunc: nil, - envVar: "", - wantErr: false, + name: "no conflicts - no sso configured", + argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) {}), + wantErr: false, + wantSSOConfigLegalStatus: "Unknown", }, { - name: "sso provider dex + DISABLE_DEX", + name: "no conflict - case insensitive sso provider value", argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: v1alpha1.SSOProviderTypeDex, + Provider: "DEX", Dex: &v1alpha1.ArgoCDDexSpec{ Config: "test-config", }, } }), - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - envVar: "true", - wantErr: true, - Err: errors.New("illegal SSO configuration: cannot set DISABLE_DEX to true when dex is configured through .spec.sso"), + wantErr: false, + wantSSOConfigLegalStatus: "Success", }, { - name: "sso provider dex + non empty, conflicting `.spec.dex` fields", + name: "no conflict - valid dex sso configurations", argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: v1alpha1.SSOProviderTypeDex, + Provider: "dex", Dex: &v1alpha1.ArgoCDDexSpec{ - Config: "", - OpenShiftOAuth: true, + Config: "test-config", + OpenShiftOAuth: false, }, } - ac.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - Config: "non-empty-config", - OpenShiftOAuth: true, - } }), - setEnvVarFunc: nil, - envVar: "", - wantErr: true, - Err: errors.New("illegal SSO configuration: cannot specify .spec.Dex fields when dex is configured through 
.spec.sso.dex"), + wantErr: false, + wantSSOConfigLegalStatus: "Success", }, { - name: "sso provider dex but no .spec.sso.dex provided", + name: "no conflict - valid keycloak sso configurations", argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: v1alpha1.SSOProviderTypeDex, + Provider: "keycloak", } }), - setEnvVarFunc: nil, - envVar: "", - wantErr: true, - Err: errors.New("illegal SSO configuration: must suppy valid dex configuration when requested SSO provider is dex"), + wantErr: false, + wantSSOConfigLegalStatus: "Success", }, { - name: "sso provider dex + `.spec.sso` fields provided", + name: "sso provider dex but no .spec.sso.dex provided", argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ Provider: v1alpha1.SSOProviderTypeDex, - Dex: &v1alpha1.ArgoCDDexSpec{ - Config: "test", - }, - Image: "test-image", - Version: "test-image-version", } }), - setEnvVarFunc: nil, - envVar: "", - wantErr: true, - Err: errors.New("illegal SSO configuration: cannot supply keycloak configuration in spec.sso when requested SSO provider is dex"), + wantErr: true, + Err: errors.New("illegal SSO configuration: must supply valid dex configuration when requested SSO provider is dex"), + wantSSOConfigLegalStatus: "Failed", }, { name: "sso provider dex + `.spec.sso.keycloak`", 
@@ -183,72 +162,9 @@ func TestReconcile_illegalSSOConfiguration(t *testing.T) { }, } }), - setEnvVarFunc: nil, - envVar: "", - wantErr: true, - Err: errors.New("illegal SSO configuration: cannot supply keycloak configuration in .spec.sso.keycloak when requested SSO provider is dex"), - }, - { - name: "DISABLE_DEX + `.spec.sso.keycloak`", - argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { - ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Keycloak: &v1alpha1.ArgoCDKeycloakSpec{ - Image: "test-image", - Version: "test-image-version", - }, - } - }), - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - envVar: "false", - wantErr: true, - Err: errors.New("illegal SSO configuration: Cannot specify SSO provider spec without specifying SSO provider type"), - }, - { - name: "no conflicts - `DISABLE_DEX` + `.spec.sso` fields", - argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { - ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Image: "test-image", - Version: "test-image-version", - } - }), - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - envVar: "true", - wantErr: false, - }, - { - name: "sso provider keycloak + `.spec.dex.OpenShiftOAuth`", - argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { - ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: argov1alpha1.SSOProviderTypeKeycloak, - } - ac.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - } - }), - setEnvVarFunc: nil, - envVar: "", - wantErr: true, - Err: errors.New("multiple SSO configuration: multiple SSO providers configured simultaneously"), - }, - { - name: "sso provider keycloak + `.spec.sso` + `.spec.sso.keycloak", - argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { - ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: argov1alpha1.SSOProviderTypeKeycloak, - Image: "test-image", - Keycloak: &v1alpha1.ArgoCDKeycloakSpec{ - Version: "test-image-version-2", - }, - } - }), - setEnvVarFunc: nil, - envVar: "", - wantErr: 
true, - Err: errors.New("illegal SSO configuration: cannot specify keycloak fields in .spec.sso when keycloak is configured through .spec.sso.keycloak"), + wantErr: true, + Err: errors.New("illegal SSO configuration: cannot supply keycloak configuration in .spec.sso.keycloak when requested SSO provider is dex"), + wantSSOConfigLegalStatus: "Failed", }, { name: "sso provider keycloak + `.spec.sso.dex`", @@ -261,10 +177,9 @@ func TestReconcile_illegalSSOConfiguration(t *testing.T) { }, } }), - setEnvVarFunc: nil, - envVar: "", - wantErr: true, - Err: errors.New("illegal SSO configuration: cannot supply dex configuration when requested SSO provider is keycloak"), + wantErr: true, + Err: errors.New("illegal SSO configuration: cannot supply dex configuration when requested SSO provider is keycloak"), + wantSSOConfigLegalStatus: "Failed", }, { name: "sso provider missing but sso.dex/keycloak supplied", 
@@ -279,38 +194,24 @@ func TestReconcile_illegalSSOConfiguration(t *testing.T) { }, } }), - setEnvVarFunc: nil, - envVar: "", - wantErr: true, - Err: errors.New("illegal SSO configuration: Cannot specify SSO provider spec without specifying SSO provider type"), - }, - { - name: "no conflict - no provider but .spec.sso fields supplied", - argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { - ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Image: "test-image", - Version: "test-image-version", - } - }), - setEnvVarFunc: nil, - envVar: "", - wantErr: false, + wantErr: true, + Err: errors.New("illegal SSO configuration: Cannot specify SSO provider spec without specifying SSO provider type"), + wantSSOConfigLegalStatus: "Failed", }, { - name: "no conflict (preserve existing behavior) sso provider keycloak + DISABLE_DEX", + name: "unsupported sso provider but sso.dex/keycloak supplied", argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: argov1alpha1.SSOProviderTypeKeycloak, - } - ac.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: false, + Provider: "Unsupported", + Dex: &v1alpha1.ArgoCDDexSpec{ + Config: "test-config", + OpenShiftOAuth: true, + }, } }), - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - envVar: "true", - wantErr: false, + wantErr: true, + Err: errors.New("illegal SSO configuration: Unsupported SSO provider type. Supported providers are dex and keycloak"), + wantSSOConfigLegalStatus: "Failed", }, } 
@@ -319,14 +220,16 @@ func TestReconcile_illegalSSOConfiguration(t *testing.T) { r := makeTestReconciler(t, test.argoCD) assert.NoError(t, createNamespace(r, test.argoCD.Namespace, "")) - if test.setEnvVarFunc != nil { - test.setEnvVarFunc(t, test.envVar) - } - err := r.reconcileSSO(test.argoCD) + assert.Equal(t, test.wantSSOConfigLegalStatus, ssoConfigLegalStatus) if err != nil { if !test.wantErr { - t.Errorf("Got unexpected error") + // ignore unexpected errors for legal sso configurations. + // keycloak reconciliation code expects a live cluster & + // therefore throws unexpected errors during unit testing + if ssoConfigLegalStatus != ssoLegalSuccess { + t.Errorf("Got unexpected error") + } } else { assert.Equal(t, test.Err, err) } 
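Review bot: The new exemption in the error branch accepts any unexpected error as long as `ssoConfigLegalStatus` ended up as Success, so a regression in the Dex path after validation would no longer fail this test. The comment says the exemption exists only because Keycloak reconciliation needs a live cluster, so it can be limited to that table entry: `if test.argoCD.Spec.SSO == nil || test.argoCD.Spec.SSO.Provider.ToLower() != v1alpha1.SSOProviderTypeKeycloak { t.Errorf("Got unexpected error") }`. The assertion on `ssoConfigLegalStatus` also reads package-level state, which rules out running these subtests in parallel.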
@@ -340,105 +243,6 @@ func TestReconcile_illegalSSOConfiguration(t *testing.T) { } -func TestReconcile_emitEventOnDetectingDeprecatedFields(t *testing.T) { - logf.SetLogger(ZapLogger(true)) - - DeprecationEventEmissionTracker = make(map[string]DeprecationEventEmissionStatus) - - disableDexEvent := &corev1.Event{ - Reason: "DeprecationNotice", - Message: "`DISABLE_DEX` is deprecated, and support will be removed in Argo CD Operator v0.8.0/OpenShift GitOps v1.10.0. Dex can be enabled/disabled through `.spec.sso`", - Action: "Deprecated", - } - - specDexEvent := &corev1.Event{ - Reason: "DeprecationNotice", - Message: "`.spec.dex` is deprecated, and support will be removed in Argo CD Operator v0.8.0/OpenShift GitOps v1.10.0. Dex configuration can be managed through `.spec.sso.dex`", - Action: "Deprecated", - } - - specSSOEvent := &corev1.Event{ - Reason: "DeprecationNotice", - Message: "`.spec.SSO.Image`, `.spec.SSO.Version`, `.spec.SSO.Resources` and `.spec.SSO.VerifyTLS` are deprecated, and support will be removed in Argo CD Operator v0.8.0/OpenShift GitOps v1.10.0. 
Keycloak configuration can be managed through `.spec.sso.keycloak`", - Action: "Deprecated", - } - - tests := []struct { - name string - argoCD *argov1alpha1.ArgoCD - envVar string - setEnvVarFunc func(*testing.T, string) - wantEvents []*corev1.Event - }{ - { - name: "DISABLE_DEX env var in use", - argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) {}), - envVar: "true", - setEnvVarFunc: func(t *testing.T, envVar string) { - t.Setenv("DISABLE_DEX", envVar) - }, - wantEvents: []*corev1.Event{disableDexEvent}, - }, - { - name: ".spec.dex in use", - argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { - ac.Spec.Dex = &argov1alpha1.ArgoCDDexSpec{ - Config: "", - Groups: []string{}, - Image: "", - Version: "", - } - }), - envVar: "", - setEnvVarFunc: nil, - wantEvents: []*corev1.Event{specDexEvent}, - }, - { - name: ".spec.sso in use", - argoCD: makeTestArgoCD(func(ac *argov1alpha1.ArgoCD) { - ac.Spec.SSO = &argov1alpha1.ArgoCDSSOSpec{ - Image: "test-image", - Version: "test-image-version", - } - }), - envVar: "", - setEnvVarFunc: nil, - wantEvents: []*corev1.Event{specSSOEvent}, - }, - } - - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - r := makeFakeReconciler(t, test.argoCD) - - if test.setEnvVarFunc != nil { - test.setEnvVarFunc(t, test.envVar) - } - err := r.reconcileSSO(test.argoCD) - assert.NoError(t, err) - - gotEventList := &corev1.EventList{} - - err = r.Client.List(context.TODO(), gotEventList) - assert.NoError(t, err) - assert.Equal(t, len(test.wantEvents), len(gotEventList.Items)) - - sort.Slice(gotEventList.Items, func(i, j int) bool { - return gotEventList.Items[i].Message < gotEventList.Items[j].Message - }) - - sort.Slice(test.wantEvents, func(i, j int) bool { - return test.wantEvents[i].Message < test.wantEvents[j].Message - }) - - for i := range gotEventList.Items { - assert.Equal(t, test.wantEvents[i].Message, gotEventList.Items[i].Message) - } - - }) - } -} - func TestReconcile_testKeycloakK8sInstance(t *testing.T) { 
logf.SetLogger(ZapLogger(true)) a := makeTestArgoCDForKeycloak() diff --git a/controllers/argocd/status.go b/controllers/argocd/status.go index 0f6a9a564..fb349dceb 100644 --- a/controllers/argocd/status.go +++ b/controllers/argocd/status.go @@ -19,8 +19,10 @@ import ( "reflect" "strings" + oappsv1 "github.com/openshift/api/apps/v1" routev1 "github.com/openshift/api/route/v1" corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" "sigs.k8s.io/controller-runtime/pkg/client" @@ -34,12 +36,8 @@ func (r *ReconcileArgoCD) reconcileStatus(cr *argoprojv1a1.ArgoCD) error { return err } - if err := r.reconcileStatusSSOConfig(cr); err != nil { - return err - } - - if err := r.reconcileStatusDex(cr); err != nil { - log.Error(err, "error reconciling dex status") + if err := r.reconcileStatusSSO(cr); err != nil { + log.Info(err.Error()) } if err := r.reconcileStatusPhase(cr); err != nil { 
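Review bot: In reconcileStatus the SSO status error is now written with `log.Info(err.Error())`, which drops the error to info level and loses any hint of which step failed. Not returning the error matches the stated goal of not blocking reconciliation, but the failure should still be easy to find in the logs: `log.Error(err, "error reconciling sso status")`, in the style of the removed Dex line. The function body continues outside this hunk.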
@@ -110,10 +108,52 @@ func (r *ReconcileArgoCD) reconcileStatusDex(cr *argoprojv1a1.ArgoCD) error { } } - if cr.Status.Dex != status { - cr.Status.Dex = status + if cr.Status.SSO != status { + cr.Status.SSO = status return r.Client.Status().Update(context.TODO(), cr) } + + return nil +} + +// reconcileStatusKeycloak will ensure that the Keycloak status is updated for the given ArgoCD. +func (r *ReconcileArgoCD) reconcileStatusKeycloak(cr *argoprojv1a1.ArgoCD) error { + status := "Unknown" + + if IsTemplateAPIAvailable() { + // keycloak is installed using OpenShift templates. + dc := &oappsv1.DeploymentConfig{ + ObjectMeta: metav1.ObjectMeta{ + Name: defaultKeycloakIdentifier, + Namespace: cr.Namespace, + }, + } + if argoutil.IsObjectFound(r.Client, cr.Namespace, dc.Name, dc) { + status = "Pending" + + if dc.Status.ReadyReplicas == dc.Spec.Replicas { + status = "Running" + } + } + + } else { + d := newDeploymentWithName(defaultKeycloakIdentifier, defaultKeycloakIdentifier, cr) + if argoutil.IsObjectFound(r.Client, cr.Namespace, d.Name, d) { + status = "Pending" + + if d.Spec.Replicas != nil { + if d.Status.ReadyReplicas == *d.Spec.Replicas { + status = "Running" + } + } + } + } + + if cr.Status.SSO != status { + cr.Status.SSO = status + return r.Client.Status().Update(context.TODO(), cr) + } + return nil } 
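Review bot: reconcileStatusKeycloak reports "Running" whenever ready replicas equal desired replicas, which includes a DeploymentConfig or Deployment scaled to zero (0 == 0). If a zero-replica Keycloak can occur, `.status.sso` would claim a working SSO provider while nothing is serving; whether that state is reachable is not visible here. A guard such as `if dc.Spec.Replicas > 0 && dc.Status.ReadyReplicas == dc.Spec.Replicas {` (and `*d.Spec.Replicas > 0` in the Deployment branch) would keep such an instance at "Pending". The hunk opens inside reconcileStatusDex, whose body starts outside it.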
@@ -140,15 +180,26 @@ func (r *ReconcileArgoCD) reconcileStatusApplicationSetController(cr *argoprojv1 } // reconcileStatusSSOConfig will ensure that the SSOConfig status is updated for the given ArgoCD. -func (r *ReconcileArgoCD) reconcileStatusSSOConfig(cr *argoprojv1a1.ArgoCD) error { +func (r *ReconcileArgoCD) reconcileStatusSSO(cr *argoprojv1a1.ArgoCD) error { - // set status to track ssoConfigLegalStatus so it is always up to date with latest ssoConfig situation + // set status to track ssoConfigLegalStatus so it is always up to date with latest sso situation status := ssoConfigLegalStatus - if cr.Status.SSOConfig != status { - cr.Status.SSOConfig = status - return r.Client.Status().Update(context.TODO(), cr) + // perform dex/keycloak status reconciliation only if sso configurations are legal + if status == ssoLegalSuccess { + if cr.Spec.SSO != nil && cr.Spec.SSO.Provider.ToLower() == argoprojv1a1.SSOProviderTypeDex { + return r.reconcileStatusDex(cr) + } else if cr.Spec.SSO != nil && cr.Spec.SSO.Provider.ToLower() == argoprojv1a1.SSOProviderTypeKeycloak { + return r.reconcileStatusKeycloak(cr) + } + } else { + // illegal/unknown sso configurations + if cr.Status.SSO != status { + cr.Status.SSO = status + return r.Client.Status().Update(context.TODO(), cr) + } } + return nil } diff --git a/controllers/argocd/status_test.go b/controllers/argocd/status_test.go index 8586280bb..0686cd3d7 100644 --- a/controllers/argocd/status_test.go +++ b/controllers/argocd/status_test.go @@ -2,12 +2,12 @@ package argocd import ( "context" - "errors" "testing" "github.com/argoproj-labs/argocd-operator/api/v1alpha1" argoprojv1alpha1 "github.com/argoproj-labs/argocd-operator/api/v1alpha1" + oappsv1 "github.com/openshift/api/apps/v1" routev1 "github.com/openshift/api/route/v1" "github.com/stretchr/testify/assert" v1 "k8s.io/api/core/v1" 
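Review bot: The doc comment above the renamed function still reads `reconcileStatusSSOConfig will ensure that the SSOConfig status is updated`, although the function is now reconcileStatusSSO and writes `.status.sso`. It should be updated to describe the new behaviour, for example `// reconcileStatusSSO updates .status.sso: the provider workload state when the SSO configuration is legal, otherwise the legality status.` Note also that when the status is Success but `cr.Spec.SSO` is nil, neither branch runs and the previous `.status.sso` value is left in place; that case looks reachable from deleteSSOConfiguration, which passes `newCr`, though the caller is not visible here.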
@@ -17,66 +17,112 @@ import ( logf "sigs.k8s.io/controller-runtime/pkg/log" ) -func TestReconcileArgoCD_reconcileStatusSSOConfig(t *testing.T) { +func TestReconcileArgoCD_reconcileStatusKeycloak_K8s(t *testing.T) { + logf.SetLogger(ZapLogger(true)) + + a := makeTestArgoCDForKeycloak() + r := makeTestReconciler(t, a) + assert.NoError(t, createNamespace(r, a.Namespace, "")) + + d := newKeycloakDeployment(a) + + // keycloak not installed + _ = r.reconcileStatusKeycloak(a) + assert.Equal(t, "Unknown", a.Status.SSO) + + // keycloak installation started + r.Client.Create(context.TODO(), d) + + _ = r.reconcileStatusKeycloak(a) + assert.Equal(t, "Pending", a.Status.SSO) + + // keycloak installation completed + d.Status.ReadyReplicas = *d.Spec.Replicas + r.Client.Status().Update(context.TODO(), d) + + _ = r.reconcileStatusKeycloak(a) + assert.Equal(t, "Running", a.Status.SSO) +} + +func TestReconcileArgoCD_reconcileStatusKeycloak_OpenShift(t *testing.T) { + logf.SetLogger(ZapLogger(true)) + + a := makeTestArgoCDForKeycloak() + r := makeTestReconciler(t, a) + assert.NoError(t, createNamespace(r, a.Namespace, "")) + + assert.NoError(t, oappsv1.AddToScheme(r.Scheme)) + templateAPIFound = true + defer removeTemplateAPI() + + dc := getKeycloakDeploymentConfigTemplate(a) + dc.ObjectMeta.Name = defaultKeycloakIdentifier + + // keycloak not installed + _ = r.reconcileStatusKeycloak(a) + assert.Equal(t, "Unknown", a.Status.SSO) + + // keycloak installation started + r.Client.Create(context.TODO(), dc) + + _ = r.reconcileStatusKeycloak(a) + assert.Equal(t, "Pending", a.Status.SSO) + + // keycloak installation completed + dc.Status.ReadyReplicas = dc.Spec.Replicas + r.Client.Status().Update(context.TODO(), dc) + + _ = r.reconcileStatusKeycloak(a) + assert.Equal(t, "Running", a.Status.SSO) +} + +func TestReconcileArgoCD_reconcileStatusSSO(t *testing.T) { logf.SetLogger(ZapLogger(true)) tests := []struct { - name string - argoCD *argoprojv1alpha1.ArgoCD - templateAPIfound bool - 
wantSSOConfig string - wantErr bool - Err error + name string + argoCD *argoprojv1alpha1.ArgoCD + wantSSOStatus string }{ { - name: "only dex configured", - argoCD: makeTestArgoCD(func(ac *argoprojv1alpha1.ArgoCD) { - ac.Spec.Dex = &argoprojv1alpha1.ArgoCDDexSpec{ - Resources: makeTestDexResources(), - OpenShiftOAuth: true, - } - }), - templateAPIfound: false, - wantSSOConfig: "Success", - wantErr: false, - }, - { - name: "only keycloak configured", + name: "both dex and keycloak configured", argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ Provider: argoprojv1alpha1.SSOProviderTypeKeycloak, - } - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: false, + Dex: &v1alpha1.ArgoCDDexSpec{ + OpenShiftOAuth: true, + }, } }), - templateAPIfound: true, - wantSSOConfig: "Success", - wantErr: false, + wantSSOStatus: "Failed", }, { - name: "both dex and keycloak configured", + name: "sso provider dex but no .spec.sso.dex provided", argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ - Provider: argoprojv1alpha1.SSOProviderTypeKeycloak, - } - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, + Provider: argoprojv1alpha1.SSOProviderTypeDex, } }), - templateAPIfound: true, - wantSSOConfig: "Failed", - wantErr: true, - Err: errors.New("multiple SSO configuration"), + wantSSOStatus: "Failed", }, { name: "no sso configured", argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { - cr.Spec.Dex = &v1alpha1.ArgoCDDexSpec{} + cr.Spec.SSO = nil + }), + wantSSOStatus: "Unknown", + }, + { + name: "unsupported sso configured", + argoCD: makeTestArgoCD(func(cr *argoprojv1alpha1.ArgoCD) { + cr.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ + Provider: "Unsupported", + Dex: &v1alpha1.ArgoCDDexSpec{ + OpenShiftOAuth: true, + }, + } }), - templateAPIfound: false, - wantSSOConfig: "Unknown", - wantErr: false, + wantSSOStatus: "Failed", }, } 
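Review bot: The two new Keycloak status tests discard every error (`r.Client.Create(...)`, `r.Client.Status().Update(...)` and `_ = r.reconcileStatusKeycloak(a)`), so a failed create or update would only surface as a confusing status mismatch. Assuming the fake client is expected to succeed here, assert on them, e.g. `assert.NoError(t, r.Client.Create(context.TODO(), d))` and `assert.NoError(t, r.reconcileStatusKeycloak(a))`. The later hunk in this file has the same pattern: `r.reconcileSSO(test.argoCD)` and `r.reconcileStatusSSO(test.argoCD)` are called bare, and at least the second result should be checked. The `reconcileStatusSSO` table also contains no legal configuration, so the delegation to `reconcileStatusDex` and `reconcileStatusKeycloak` is never reached through it; the table's test function continues outside this hunk.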
@@ -86,18 +132,11 @@ func TestReconcileArgoCD_reconcileStatusSSOConfig(t *testing.T) { r := makeTestReconciler(t, test.argoCD) assert.NoError(t, createNamespace(r, test.argoCD.Namespace, "")) - err := r.reconcileSSO(test.argoCD) + r.reconcileSSO(test.argoCD) - err = r.reconcileStatusSSOConfig(test.argoCD) - if err != nil { - if !test.wantErr { - t.Errorf("Got unexpected error") - } else { - assert.Equal(t, test.Err, err) - } - } + r.reconcileStatusSSO(test.argoCD) - assert.Equal(t, test.wantSSOConfig, test.argoCD.Status.SSOConfig) + assert.Equal(t, test.wantSSOStatus, test.argoCD.Status.SSO) }) } } diff --git a/controllers/argocd/testing.go b/controllers/argocd/testing.go index 49ef77481..ee2e190de 100644 --- a/controllers/argocd/testing.go +++ b/controllers/argocd/testing.go @@ -103,10 +103,10 @@ func makeTestArgoCDForKeycloakWithDex(opts ...argoCDOpt) *argoprojv1alpha1.ArgoC Spec: argoprojv1alpha1.ArgoCDSpec{ SSO: &argoprojv1alpha1.ArgoCDSSOSpec{ Provider: "keycloak", - }, - Dex: &argoprojv1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, - Resources: makeTestDexResources(), + Dex: &argoprojv1alpha1.ArgoCDDexSpec{ + OpenShiftOAuth: true, + Resources: makeTestDexResources(), + }, }, Server: argoprojv1alpha1.ArgoCDServerSpec{ Route: argoprojv1alpha1.ArgoCDRouteSpec{ @@ -134,8 +134,11 @@ func makeTestArgoCDWithResources(opts ...argoCDOpt) *argoprojv1alpha1.ArgoCD { HA: argoprojv1alpha1.ArgoCDHASpec{ Resources: makeTestHAResources(), }, - Dex: &argoprojv1alpha1.ArgoCDDexSpec{ - Resources: makeTestDexResources(), + SSO: &argoprojv1alpha1.ArgoCDSSOSpec{ + Provider: "dex", + Dex: &argoprojv1alpha1.ArgoCDDexSpec{ + Resources: makeTestDexResources(), + }, }, Controller: argoprojv1alpha1.ArgoCDApplicationControllerSpec{ Resources: makeTestControllerResources(), diff --git a/controllers/argocd/util.go b/controllers/argocd/util.go index dfef38c35..1050f4237 100644 --- a/controllers/argocd/util.go +++ b/controllers/argocd/util.go 
@@ -705,19 +705,16 @@ func (r *ReconcileArgoCD) redisShouldUseTLS(cr *argoprojv1a1.ArgoCD) bool { // reconcileResources will reconcile common ArgoCD resources. func (r *ReconcileArgoCD) reconcileResources(cr *argoprojv1a1.ArgoCD) error { - // reconcile SSO first, because dex resources get reconciled through other function calls as well, not just through reconcileSSO (this is important - // so that dex resources can be appropriately cleaned up when DISABLE_DEX is set to true and the operator pod restarts but doesn't enter - // dex reconciliation again because dex is disabled, thus leaving hanging resources around if they are not also cleaned up in the main loop) // we reconcile SSO first so that we can catch and throw errors for any illegal SSO configurations right away, and return control from here // preventing dex resources from getting created anyway through the other function calls, effectively bypassing the SSO checks log.Info("reconciling SSO") if err := r.reconcileSSO(cr); err != nil { - return err + log.Info(err.Error()) } log.Info("reconciling status") if err := r.reconcileStatus(cr); err != nil { - return err + log.Info(err.Error()) } log.Info("reconciling roles") @@ -989,16 +986,6 @@ func (r *ReconcileArgoCD) setResourceWatches(bldr *builder.Builder, clusterResou } } - // trigger deletion of dex when dex configuration is removed from .spec.dex - if !reflect.DeepEqual(oldCR.Spec.Dex, newCR.Spec.Dex) && (newCR.Spec.Dex == nil || - (newCR.Spec.Dex.Config == "" && !newCR.Spec.Dex.OpenShiftOAuth)) { - err := r.deleteDexResources(newCR) - if err != nil { - log.Error(err, fmt.Sprintf("Failed to delete SSO Configuration for ArgoCD %s in namespace %s", - newCR.Name, newCR.Namespace)) - } - } - // Trigger reconciliation of SSO on update event if !reflect.DeepEqual(oldCR.Spec.SSO, newCR.Spec.SSO) && newCR.Spec.SSO != nil && oldCR.Spec.SSO != nil { err := r.reconcileSSO(newCR) 
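Review bot: With `return err` replaced by `log.Info(err.Error())`, the comment kept directly above still says illegal SSO configurations "return control from here", which is no longer true. Whether dex resources can now be created despite a failed SSO check depends on code outside this hunk and should be confirmed. The same change to `reconcileStatus` silences status-update failures for every component, not only SSO, so they are no longer retried through the returned error. Log these at error level so they stay visible, e.g. `log.Error(err, "failed to reconcile SSO, continuing")`, and reword the comment to say that SSO errors are reported through `.status.sso` and do not stop reconciliation. `reconcileResources` continues outside the hunk.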
diff --git a/controllers/argocd/util_test.go b/controllers/argocd/util_test.go index bce11586a..61641a08b 100644 --- a/controllers/argocd/util_test.go +++ b/controllers/argocd/util_test.go @@ -46,9 +46,12 @@ var imageTests = []struct { imageFunc: getDexContainerImage, want: dexTestImage, opts: []argoCDOpt{func(a *argoprojv1alpha1.ArgoCD) { - a.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - Image: "testing/dex", - Version: "latest", + a.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ + Provider: v1alpha1.SSOProviderTypeDex, + Dex: &v1alpha1.ArgoCDDexSpec{ + Image: "testing/dex", + Version: "latest", + }, } }}, }, @@ -640,8 +643,11 @@ func generateEncodedPEM(t *testing.T, host string) []byte { func TestReconcileArgoCD_reconcileDexOAuthClientSecret(t *testing.T) { logf.SetLogger(ZapLogger(true)) a := makeTestArgoCD(func(ac *argoprojv1alpha1.ArgoCD) { - ac.Spec.Dex = &v1alpha1.ArgoCDDexSpec{ - OpenShiftOAuth: true, + ac.Spec.SSO = &v1alpha1.ArgoCDSSOSpec{ + Provider: v1alpha1.SSOProviderTypeDex, + Dex: &v1alpha1.ArgoCDDexSpec{ + OpenShiftOAuth: true, + }, } }) r := makeTestReconciler(t, a) diff --git a/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml index 8f25562da..f77e5f910 100644 --- a/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml +++ b/deploy/olm-catalog/argocd-operator/0.6.0/argocd-operator.v0.6.0.clusterserviceversion.yaml 
@@ -349,38 +349,6 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Controller - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - - description: Config is the dex connector configuration. - displayName: Configuration - path: dex.config - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - - description: Image is the Dex container image. - displayName: Image - path: dex.image - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - - description: OpenShiftOAuth enables OpenShift OAuth authentication for the - Dex server. - displayName: OpenShift OAuth Enabled' - path: dex.openShiftOAuth - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Resources defines the Compute Resources required by the container - for Dex. - displayName: Resource Requirements' - path: dex.resources - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - - description: Version is the Dex container image tag. - displayName: Version - path: dex.version - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - description: GAAnonymizeUsers toggles user IDs being hashed before sending to google analytics. displayName: Google Analytics Anonymize Users' 
@@ -780,17 +748,6 @@ spec: path: applicationSetController x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text - - description: 'Dex is a simple, high-level summary of where the Argo CD Dex - component is in its lifecycle. There are four possible dex values: Pending: - The Argo CD Dex component has been accepted by the Kubernetes system, but - one or more of the required resources have not been created. Running: All - of the required Pods for the Argo CD Dex component are in a Ready state. - Failed: At least one of the Argo CD Dex component Pods had a failure. Unknown: - The state of the Argo CD Dex component could not be obtained.' - displayName: Dex - path: dex - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:text - description: 'NotificationsController is a simple, high-level summary of where the Argo CD notifications controller component is in its lifecycle. There are four possible NotificationsController values: Pending: The Argo CD notifications 
@@ -848,12 +805,15 @@ spec: path: server x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text - - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration is - illegal or more than one SSO providers are configured in CR. Unknown: The - SSO configuration could not be obtained.' - displayName: SSOConfig - path: ssoConfig + - description: 'SSO is a simple, high-level summary of where the Argo CD SSO(Dex/Keycloak) + component is in its lifecycle. There are four possible sso values: Pending: + The Argo CD SSO component has been accepted by the Kubernetes system, but + one or more of the required resources have not been created. Running: All + of the required Pods for the Argo CD SSO component are in a Ready state. + Failed: At least one of the Argo CD SSO component Pods had a failure. Unknown: + The state of the Argo CD SSO component could not be obtained.' + displayName: SSO + path: sso x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text version: v1alpha1 diff --git a/deploy/olm-catalog/argocd-operator/0.6.0/argoproj.io_argocds.yaml b/deploy/olm-catalog/argocd-operator/0.6.0/argoproj.io_argocds.yaml index 9b86bd949..e362fed37 100644 --- a/deploy/olm-catalog/argocd-operator/0.6.0/argoproj.io_argocds.yaml +++ b/deploy/olm-catalog/argocd-operator/0.6.0/argoproj.io_argocds.yaml 
@@ -548,56 +548,6 @@ spec: type: integer type: object type: object - dex: - description: Dex defines the Dex server options for ArgoCD. - properties: - config: - description: Config is the dex connector configuration. - type: string - groups: - description: Optional list of required groups a user must be a - member of - items: - type: string - type: array - image: - description: Image is the Dex container image. - type: string - openShiftOAuth: - description: OpenShiftOAuth enables OpenShift OAuth authentication - for the Dex server. - type: boolean - resources: - description: Resources defines the Compute Resources required - by the container for Dex. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Dex container image tag. - type: string - type: object disableAdmin: description: DisableAdmin will disable the admin user. type: boolean 
@@ -6201,9 +6151,6 @@ spec: description: Version is the Dex container image tag. type: string type: object - image: - description: Image is the SSO container image. - type: string keycloak: description: Keycloak contains the configuration for Argo CD keycloak authentication @@ -6254,39 +6201,6 @@ spec: description: Provider installs and configures the given SSO Provider with Argo CD. type: string - resources: - description: Resources defines the Compute Resources required - by the container for SSO. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - verifyTLS: - description: VerifyTLS set to false disables strict TLS validation. - type: boolean - version: - description: Version is the SSO container image tag. - type: string type: object statusBadgeEnabled: description: StatusBadgeEnabled toggles application status badge feature. 
@@ -6350,16 +6264,6 @@ spec: component Pods had a failure. Unknown: The state of the Argo CD applicationSet controller component could not be obtained.' type: string - dex: - description: 'Dex is a simple, high-level summary of where the Argo - CD Dex component is in its lifecycle. There are four possible dex - values: Pending: The Argo CD Dex component has been accepted by - the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Dex component are in a Ready state. Failed: At least one - of the Argo CD Dex component Pods had a failure. Unknown: The state - of the Argo CD Dex component could not be obtained.' - type: string host: description: Host is the hostname of the Ingress. type: string @@ -6424,11 +6328,15 @@ spec: one of the Argo CD server component Pods had a failure. Unknown: The state of the Argo CD server component could not be obtained.' type: string - ssoConfig: - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration - is illegal or more than one SSO providers are configured in CR. - Unknown: The SSO configuration could not be obtained.' + sso: + description: 'SSO is a simple, high-level summary of where the Argo + CD SSO(Dex/Keycloak) component is in its lifecycle. There are four + possible sso values: Pending: The Argo CD SSO component has been + accepted by the Kubernetes system, but one or more of the required + resources have not been created. Running: All of the required Pods + for the Argo CD SSO component are in a Ready state. Failed: At least + one of the Argo CD SSO component Pods had a failure. Unknown: The + state of the Argo CD SSO component could not be obtained.' type: string type: object type: object 
diff --git a/deploy/olm-catalog/argocd-operator/0.7.0/argocd-operator.v0.7.0.clusterserviceversion.yaml b/deploy/olm-catalog/argocd-operator/0.7.0/argocd-operator.v0.7.0.clusterserviceversion.yaml index 980787b9c..73f8f8544 100644 --- a/deploy/olm-catalog/argocd-operator/0.7.0/argocd-operator.v0.7.0.clusterserviceversion.yaml +++ b/deploy/olm-catalog/argocd-operator/0.7.0/argocd-operator.v0.7.0.clusterserviceversion.yaml @@ -349,38 +349,6 @@ spec: x-descriptors: - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Controller - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - - description: Config is the dex connector configuration. - displayName: Configuration - path: dex.config - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - - description: Image is the Dex container image. - displayName: Image - path: dex.image - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - - description: OpenShiftOAuth enables OpenShift OAuth authentication for the - Dex server. - displayName: OpenShift OAuth Enabled' - path: dex.openShiftOAuth - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:booleanSwitch - - description: Resources defines the Compute Resources required by the container - for Dex. - displayName: Resource Requirements' - path: dex.resources - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:resourceRequirements - - description: Version is the Dex container image tag. - displayName: Version - path: dex.version - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:fieldGroup:Dex - - urn:alm:descriptor:com.tectonic.ui:text - description: GAAnonymizeUsers toggles user IDs being hashed before sending to google analytics. displayName: Google Analytics Anonymize Users' 
@@ -780,17 +748,6 @@ spec: path: applicationSetController x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text - - description: 'Dex is a simple, high-level summary of where the Argo CD Dex - component is in its lifecycle. There are four possible dex values: Pending: - The Argo CD Dex component has been accepted by the Kubernetes system, but - one or more of the required resources have not been created. Running: All - of the required Pods for the Argo CD Dex component are in a Ready state. - Failed: At least one of the Argo CD Dex component Pods had a failure. Unknown: - The state of the Argo CD Dex component could not be obtained.' - displayName: Dex - path: dex - x-descriptors: - - urn:alm:descriptor:com.tectonic.ui:text - description: 'NotificationsController is a simple, high-level summary of where the Argo CD notifications controller component is in its lifecycle. There are four possible NotificationsController values: Pending: The Argo CD notifications 
@@ -848,12 +805,15 @@ spec: path: server x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text - - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration is - illegal or more than one SSO providers are configured in CR. Unknown: The - SSO configuration could not be obtained.' - displayName: SSOConfig - path: ssoConfig + - description: 'SSO is a simple, high-level summary of where the Argo CD SSO(Dex/Keycloak) + component is in its lifecycle. There are four possible sso values: Pending: + The Argo CD SSO component has been accepted by the Kubernetes system, but + one or more of the required resources have not been created. Running: All + of the required Pods for the Argo CD SSO component are in a Ready state. + Failed: At least one of the Argo CD SSO component Pods had a failure. Unknown: + The state of the Argo CD SSO component could not be obtained.' + displayName: SSO + path: sso x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text version: v1alpha1 diff --git a/deploy/olm-catalog/argocd-operator/0.7.0/argoproj.io_argocds.yaml b/deploy/olm-catalog/argocd-operator/0.7.0/argoproj.io_argocds.yaml index d47d3cabf..87d7c51d6 100644 --- a/deploy/olm-catalog/argocd-operator/0.7.0/argoproj.io_argocds.yaml +++ b/deploy/olm-catalog/argocd-operator/0.7.0/argoproj.io_argocds.yaml 
@@ -569,56 +569,6 @@ spec: type: integer type: object type: object - dex: - description: Dex defines the Dex server options for ArgoCD. - properties: - config: - description: Config is the dex connector configuration. - type: string - groups: - description: Optional list of required groups a user must be a - member of - items: - type: string - type: array - image: - description: Image is the Dex container image. - type: string - openShiftOAuth: - description: OpenShiftOAuth enables OpenShift OAuth authentication - for the Dex server. - type: boolean - resources: - description: Resources defines the Compute Resources required - by the container for Dex. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - version: - description: Version is the Dex container image tag. - type: string - type: object disableAdmin: description: DisableAdmin will disable the admin user. type: boolean 
@@ -6222,9 +6172,6 @@ spec: description: Version is the Dex container image tag. type: string type: object - image: - description: Image is the SSO container image. - type: string keycloak: description: Keycloak contains the configuration for Argo CD keycloak authentication @@ -6275,39 +6222,6 @@ spec: description: Provider installs and configures the given SSO Provider with Argo CD. type: string - resources: - description: Resources defines the Compute Resources required - by the container for SSO. - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Limits describes the maximum amount of compute - resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: 'Requests describes the minimum amount of compute - resources required. If Requests is omitted for a container, - it defaults to Limits if that is explicitly specified, otherwise - to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' - type: object - type: object - verifyTLS: - description: VerifyTLS set to false disables strict TLS validation. - type: boolean - version: - description: Version is the SSO container image tag. - type: string type: object statusBadgeEnabled: description: StatusBadgeEnabled toggles application status badge feature. 
@@ -6371,16 +6285,6 @@ spec: component Pods had a failure. Unknown: The state of the Argo CD applicationSet controller component could not be obtained.' type: string - dex: - description: 'Dex is a simple, high-level summary of where the Argo - CD Dex component is in its lifecycle. There are four possible dex - values: Pending: The Argo CD Dex component has been accepted by - the Kubernetes system, but one or more of the required resources - have not been created. Running: All of the required Pods for the - Argo CD Dex component are in a Ready state. Failed: At least one - of the Argo CD Dex component Pods had a failure. Unknown: The state - of the Argo CD Dex component could not be obtained.' - type: string host: description: Host is the hostname of the Ingress. type: string @@ -6445,11 +6349,15 @@ spec: one of the Argo CD server component Pods had a failure. Unknown: The state of the Argo CD server component could not be obtained.' type: string - ssoConfig: - description: 'SSOConfig defines the status of SSO configuration. Success: - Only one SSO provider is configured in CR. Failed: SSO configuration - is illegal or more than one SSO providers are configured in CR. - Unknown: The SSO configuration could not be obtained.' + sso: + description: 'SSO is a simple, high-level summary of where the Argo + CD SSO(Dex/Keycloak) component is in its lifecycle. There are four + possible sso values: Pending: The Argo CD SSO component has been + accepted by the Kubernetes system, but one or more of the required + resources have not been created. Running: All of the required Pods + for the Argo CD SSO component are in a Ready state. Failed: At least + one of the Argo CD SSO component Pods had a failure. Unknown: The + state of the Argo CD SSO component could not be obtained.' type: string type: object type: object 
diff --git a/tests/k8s/1-015_validate_sso_config/05-assert.yaml b/tests/k8s/1-015_validate_sso_config/05-assert.yaml deleted file mode 100644 index c7e8a8357..000000000 --- a/tests/k8s/1-015_validate_sso_config/05-assert.yaml +++ /dev/null @@ -1,34 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: argocd -status: - phase: Available - ssoConfig: Success ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-dex-server -status: - readyReplicas: 1 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argocd-argocd-dex-server ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-argocd-dex-server ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-argocd-dex-server ---- -apiVersion: v1 -kind: Service -metadata: - name: argocd-dex-server \ No newline at end of file diff --git a/tests/k8s/1-015_validate_sso_config/06-errors.yaml b/tests/k8s/1-015_validate_sso_config/06-errors.yaml deleted file mode 100644 index 29e4f1025..000000000 --- a/tests/k8s/1-015_validate_sso_config/06-errors.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: argocd-dex-server ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argocd-argocd-dex-server ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-argocd-dex-server ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-argocd-dex-server ---- -apiVersion: v1 -kind: Service -metadata: - name: argocd-dex-server \ No newline at end of file diff --git a/tests/k8s/1-015_validate_sso_config/06-remove-dex-spec-config.yaml b/tests/k8s/1-015_validate_sso_config/06-remove-dex-spec-config.yaml deleted file mode 100644 index 565ddf5db..000000000 --- a/tests/k8s/1-015_validate_sso_config/06-remove-dex-spec-config.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -# patches the subscription to change sso provider to keycloak -- script: | - kubectl patch -n $NAMESPACE argocd/argocd --type='json' -p='[{"op": "remove", "path": "/spec/dex/config"}]' -- script: sleep 10 diff --git a/tests/k8s/1-015_validate_sso_config/07-assert.yaml b/tests/k8s/1-015_validate_sso_status/01-assert.yaml similarity index 83% rename from tests/k8s/1-015_validate_sso_config/07-assert.yaml rename to tests/k8s/1-015_validate_sso_status/01-assert.yaml index e0204d28c..b65514352 100644 --- a/tests/k8s/1-015_validate_sso_config/07-assert.yaml +++ b/tests/k8s/1-015_validate_sso_status/01-assert.yaml @@ -4,4 +4,4 @@ metadata: name: argocd status: phase: Available - ssoConfig: Failed \ No newline at end of file + sso: Unknown \ No newline at end of file diff --git a/tests/k8s/1-015_validate_sso_config/01-install.yaml b/tests/k8s/1-015_validate_sso_status/01-install.yaml similarity index 100% rename from tests/k8s/1-015_validate_sso_config/01-install.yaml rename to tests/k8s/1-015_validate_sso_status/01-install.yaml diff --git a/tests/k8s/1-015_validate_sso_config/02-assert.yaml b/tests/k8s/1-015_validate_sso_status/02-assert.yaml similarity index 82% rename from tests/k8s/1-015_validate_sso_config/02-assert.yaml rename to tests/k8s/1-015_validate_sso_status/02-assert.yaml index 1139addd4..64248a06b 100644 --- a/tests/k8s/1-015_validate_sso_config/02-assert.yaml +++ b/tests/k8s/1-015_validate_sso_status/02-assert.yaml @@ -4,4 +4,4 @@ metadata: name: argocd status: phase: Available - ssoConfig: Unknown + sso: Failed diff --git a/tests/k8s/1-015_validate_sso_config/02-errors.yaml b/tests/k8s/1-015_validate_sso_status/02-errors.yaml similarity index 100% rename from tests/k8s/1-015_validate_sso_config/02-errors.yaml rename to tests/k8s/1-015_validate_sso_status/02-errors.yaml 
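Review bot: The `sso: Failed` value asserted in `02-assert.yaml` stands for a configuration error, which the new `status.sso` description does not document. Judging by the step file names, step 02 is "provider dex with no dex spec", and `05-assert.yaml` expects the same value for the keycloak-provider-with-dex-spec step, yet the description added in this patch defines `Failed` only as "At least one of the Argo CD SSO component Pods had a failure". The removed `ssoConfig` description did state that an illegal SSO configuration yields `Failed`, and that meaning is now lost to anyone triaging a broken login path from the CR status. I would extend the field's doc comment, for example `Failed: At least one of the Argo CD SSO component Pods had a failure, or the SSO configuration in the CR is invalid.` The Go type that carries this description is outside the lines visible here, so the point is inferred from the generated CRD text and these asserts.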
diff --git a/tests/k8s/1-015_validate_sso_config/02-provider-dex-no-dex-spec.yaml b/tests/k8s/1-015_validate_sso_status/02-provider-dex-no-dex-spec.yaml similarity index 100% rename from tests/k8s/1-015_validate_sso_config/02-provider-dex-no-dex-spec.yaml rename to tests/k8s/1-015_validate_sso_status/02-provider-dex-no-dex-spec.yaml diff --git a/tests/k8s/1-015_validate_sso_config/03-assert.yaml b/tests/k8s/1-015_validate_sso_status/03-assert.yaml similarity index 96% rename from tests/k8s/1-015_validate_sso_config/03-assert.yaml rename to tests/k8s/1-015_validate_sso_status/03-assert.yaml index c7e8a8357..d26b59dcd 100644 --- a/tests/k8s/1-015_validate_sso_config/03-assert.yaml +++ b/tests/k8s/1-015_validate_sso_status/03-assert.yaml @@ -4,7 +4,7 @@ metadata: name: argocd status: phase: Available - ssoConfig: Success + sso: Running --- apiVersion: apps/v1 kind: Deployment diff --git a/tests/k8s/1-015_validate_sso_config/03-dex-spec-sso.yaml b/tests/k8s/1-015_validate_sso_status/03-dex-spec-sso.yaml similarity index 100% rename from tests/k8s/1-015_validate_sso_config/03-dex-spec-sso.yaml rename to tests/k8s/1-015_validate_sso_status/03-dex-spec-sso.yaml diff --git a/tests/k8s/1-015_validate_sso_config/01-assert.yaml b/tests/k8s/1-015_validate_sso_status/04-assert.yaml similarity index 83% rename from tests/k8s/1-015_validate_sso_config/01-assert.yaml rename to tests/k8s/1-015_validate_sso_status/04-assert.yaml index d7e212829..b65514352 100644 --- a/tests/k8s/1-015_validate_sso_config/01-assert.yaml +++ b/tests/k8s/1-015_validate_sso_status/04-assert.yaml @@ -4,4 +4,4 @@ metadata: name: argocd status: phase: Available - ssoConfig: Unknown \ No newline at end of file + sso: Unknown \ No newline at end of file 
diff --git a/tests/k8s/1-015_validate_sso_config/04-errors.yaml b/tests/k8s/1-015_validate_sso_status/04-errors.yaml similarity index 100% rename from tests/k8s/1-015_validate_sso_config/04-errors.yaml rename to tests/k8s/1-015_validate_sso_status/04-errors.yaml diff --git a/tests/k8s/1-015_validate_sso_config/04-remove-dex-spec-sso.yaml b/tests/k8s/1-015_validate_sso_status/04-remove-dex-spec-sso.yaml similarity index 75% rename from tests/k8s/1-015_validate_sso_config/04-remove-dex-spec-sso.yaml rename to tests/k8s/1-015_validate_sso_status/04-remove-dex-spec-sso.yaml index 20f13e365..eb7e10754 100644 --- a/tests/k8s/1-015_validate_sso_config/04-remove-dex-spec-sso.yaml +++ b/tests/k8s/1-015_validate_sso_status/04-remove-dex-spec-sso.yaml @@ -1,7 +1,7 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: -# patches the subscription to change sso provider to keycloak +# patches the subscription to remove sso provider - script: | kubectl patch -n $NAMESPACE argocd/argocd --type='json' -p='[{"op": "remove", "path": "/spec/sso"}]' - script: sleep 10 diff --git a/tests/k8s/1-015_validate_sso_config/05-spec-dex-config.yaml b/tests/k8s/1-015_validate_sso_status/05-assert.yaml similarity index 63% rename from tests/k8s/1-015_validate_sso_config/05-spec-dex-config.yaml rename to tests/k8s/1-015_validate_sso_status/05-assert.yaml index 2962ff406..b60827818 100644 --- a/tests/k8s/1-015_validate_sso_config/05-spec-dex-config.yaml +++ b/tests/k8s/1-015_validate_sso_status/05-assert.yaml @@ -2,6 +2,6 @@ apiVersion: argoproj.io/v1alpha1 kind: ArgoCD metadata: name: argocd -spec: - dex: - config: test-config \ No newline at end of file +status: + phase: Available + sso: Failed \ No newline at end of file 
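Review bot: The rewritten comment in `04-remove-dex-spec-sso.yaml` still says the step "patches the subscription", but the script under it runs `kubectl patch` against `argocd/argocd` and removes `/spec/sso` from the Argo CD custom resource. Naming the wrong object is misleading in a step whose purpose is to show which change drives `status.sso` back to `Unknown` in `04-assert.yaml`. Suggested wording: `# patches the Argo CD CR to remove .spec.sso`.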
diff --git a/tests/k8s/1-015_validate_sso_config/07-provider-keycloak-dex-spec.yaml b/tests/k8s/1-015_validate_sso_status/05-provider-keycloak-dex-spec.yaml similarity index 79% rename from tests/k8s/1-015_validate_sso_config/07-provider-keycloak-dex-spec.yaml rename to tests/k8s/1-015_validate_sso_status/05-provider-keycloak-dex-spec.yaml index 1dc712ac0..1b7234cec 100644 --- a/tests/k8s/1-015_validate_sso_config/07-provider-keycloak-dex-spec.yaml +++ b/tests/k8s/1-015_validate_sso_status/05-provider-keycloak-dex-spec.yaml @@ -5,5 +5,5 @@ metadata: spec: sso: provider: keycloak - dex: - config: test \ No newline at end of file + dex: + config: test \ No newline at end of file diff --git a/tests/k8s/1-016_validate_keycloak/01-argocd-keycloak.yaml b/tests/k8s/1-016_validate_keycloak/01-argocd-keycloak.yaml index d710e31f0..b6d541376 100644 --- a/tests/k8s/1-016_validate_keycloak/01-argocd-keycloak.yaml +++ b/tests/k8s/1-016_validate_keycloak/01-argocd-keycloak.yaml @@ -7,7 +7,8 @@ metadata: spec: sso: provider: keycloak - verifyTLS: false # required when running operator locally + keycloak: + verifyTLS: false # required when running operator locally server: ingress: enabled: true \ No newline at end of file diff --git a/tests/ocp/1-005_validate_dex_clientsecret_deprecated/01-assert.yaml b/tests/ocp/1-005_validate_dex_clientsecret_deprecated/01-assert.yaml deleted file mode 100644 index 6f0ec542f..000000000 --- a/tests/ocp/1-005_validate_dex_clientsecret_deprecated/01-assert.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestAssert -timeout: 120 ---- -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: example-argocd -status: - phase: Available ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: example-argocd-argocd-dex-server \ No newline at end of file 
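Review bot: In `tests/k8s/1-016_validate_keycloak/01-argocd-keycloak.yaml`, `verifyTLS: false` is moved under `spec.sso.keycloak` unconditionally, although its own comment says it is only required when running the operator locally. As far as this hunk shows, every run of the step, including runs against an in-cluster operator, therefore skips certificate validation towards Keycloak, and the documented default of `verifyTLS: true` gets no coverage here. Consider keeping the override in a local-only variant of the fixture and leaving the field unset in the shared one, or supplying `rootCA` under `spec.sso.keycloak` so validation stays on. At minimum the comment could state the scope: `verifyTLS: false # local 'make run' only; leave unset (default true) for in-cluster runs`.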
diff --git a/tests/ocp/1-005_validate_dex_clientsecret_deprecated/01-install.yaml b/tests/ocp/1-005_validate_dex_clientsecret_deprecated/01-install.yaml deleted file mode 100644 index b52696a53..000000000 --- a/tests/ocp/1-005_validate_dex_clientsecret_deprecated/01-install.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: example-argocd -spec: - dex: - openShiftOAuth: true \ No newline at end of file diff --git a/tests/ocp/1-005_validate_dex_clientsecret_deprecated/02-verify-clientsecret.yaml b/tests/ocp/1-005_validate_dex_clientsecret_deprecated/02-verify-clientsecret.yaml deleted file mode 100644 index 25defd5b7..000000000 --- a/tests/ocp/1-005_validate_dex_clientsecret_deprecated/02-verify-clientsecret.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: kuttl.dev/v1beta1 -kind: TestStep -commands: -- script: | - # This test validates the Dex Client Secret copied by the operator from dex serviceaccount token secret in to argocd-secret. - # To verify the behavior we should first get the token secret name of the dex service account. - secret=$(oc get -n $NAMESPACE sa example-argocd-argocd-dex-server -o json | jq -r '.secrets' | grep token | sed 's/ "name": "//g' | sed 's/"//g') - - # Extract the clientSecret - expectedClientSecret=$(oc get secret $secret -n $NAMESPACE -o json | jq -r '.data.token') - - # actualClientSecret is the value of the secret in argocd-secret where argocd-operator should copy the secret from - actualClientSecret=$(oc get secret argocd-secret -o json -n $NAMESPACE | jq -r '.data."oidc.dex.clientSecret"') - - # Verify - if $expectedClientSecret != $actualClientSecret; then - echo "Error: Dex Client Secret for OIDC is not valid" - exit 1 - fi \ No newline at end of file From 2970865ec3fd215c0224dd35c2500880521c8945 Mon Sep 17 00:00:00 2001 
From: Siddhesh Ghadi <61187612+svghadi@users.noreply.github.com> Date: Tue, 27 Jun 2023 20:30:53 +0530 Subject: [PATCH 2/4] doc: Update docs to reflect sso unification changes (#930) * Update docs to reflect sso unification changes Signed-off-by: Siddhesh Ghadi * Add a note about removed sso fields Signed-off-by: Siddhesh Ghadi --------- Signed-off-by: Siddhesh Ghadi --- docs/reference/api.html.md | 103 +------------ docs/reference/argocd.md | 248 +++++++++++++----------------- docs/usage/dex.md | 120 ++++----------- docs/usage/keycloak/kubernetes.md | 11 +- docs/usage/keycloak/openshift.md | 7 +- 5 files changed, 152 insertions(+), 337 deletions(-) diff --git a/docs/reference/api.html.md b/docs/reference/api.html.md index 09511e95a..da876eac2 100644 --- a/docs/reference/api.html.md +++ b/docs/reference/api.html.md @@ -85,19 +85,6 @@ Resource Types:

Controller defines the Application Controller options for ArgoCD.

- - - dex
- - - ArgoCDDexSpec - - - - -

Dex defines the Dex server options for ArgoCD.

- - gaTrackingID
@@ -1982,19 +1969,6 @@ Resource Types:

Controller defines the Application Controller options for ArgoCD.

- - - dex
- - - ArgoCDDexSpec - - - - -

Dex defines the Dex server options for ArgoCD.

- - gaTrackingID
@@ -2310,51 +2284,6 @@ Resource Types: - - - image
- - string - - - -

Image is the Keycloak container image.

- - - - - resources
- - - Kubernetes core/v1.ResourceRequirements - - - -

Resources defines the Compute Resources required by the container for Keycloak.

- - - - - version
- - string - - - -

Version is the Keycloak container image tag.

- - - - - verifyTLS
- - bool - - - -

VerifyTLS set to false disables strict TLS validation.

- - dex
@@ -2364,7 +2293,7 @@ Resource Types: -

Dex contains the configuration for Argo CD dex authentication

+

Dex contains the configuration for Argo CD dex authentication (previously found under cr.spec.dex)

@@ -2425,23 +2354,6 @@ Resource Types:

- - - dex
- - string - - - -

Dex is a simple, high-level summary of where the Argo CD Dex component is in its lifecycle. - There are five possible dex values: - Pending: The Argo CD Dex component has been accepted by the Kubernetes system, but one or more of the required resources have not been created. - Running: All of the required Pods for the Argo CD Dex component are in a Ready state. - Failed: At least one of the Argo CD Dex component Pods had a failure. - Unknown: For some reason the state of the Argo CD Dex component could not be obtained. -

- - notifications
@@ -2529,17 +2441,18 @@ Resource Types: - ssoConfig
+ sso
string -

ssoConfig is a simple, high-level summary of the status of SSO configuration for the Argo CD instance. - There are three possible server values: - Success: Only one SSO provider is configured in CR - Failed: SSO configuration is illegal or more than one SSO providers are configured in CR. - Unknown: For some reason the SSO configuration could not be obtained. +

SSO is a simple, high-level summary of where the Argo CD SSO(Dex/Keycloak) component is in its lifecycle. + There are four possible server values: + Pending: The Argo CD SSO component has been accepted by the Kubernetes system, but one or more of the required resources have not been created. + Running: All of the required Pods for the Argo CD SSO component are in a Ready state. + Failed: At least one of the Argo CD SSO component Pods had a failure. + Unknown: The state of the Argo CD SSO component could not be obtained.

diff --git a/docs/reference/argocd.md b/docs/reference/argocd.md index 1b11c86ce..736b21072 100644 --- a/docs/reference/argocd.md +++ b/docs/reference/argocd.md @@ -15,7 +15,6 @@ Name | Default | Description [**ApplicationSet**](#applicationset-controller-options) | [Object] | ApplicationSet controller configuration options. [**ConfigManagementPlugins**](#config-management-plugins) | [Empty] | Configuration to add a config management plugin. [**Controller**](#controller-options) | [Object] | Argo CD Application Controller options. -[**Dex**](#dex-options) | [Object] | Dex configuration options. [**DisableAdmin**](#disable-admin) | `false` | Disable the admin user. [**ExtraConfig**](#extra-config) | [Empty] | A catch-all mechanism to populate the argocd-cm configmap. [**GATrackingID**](#ga-tracking-id) | [Empty] | The google analytics tracking ID to use. 
@@ -234,106 +233,6 @@ spec: replicas: 5 ``` -## Dex Options - -!!! warning - `.spec.dex` is deprecated and support will be removed in Argo CD operator v0.8.0. Please use `.spec.sso.dex` to configure Dex. - -!!! note - `.spec.dex` field was earlier scheduled for removal in Argo CD operator v0.7.0, but has been extended to Argo CD operator v0.8.0. - -The following properties are available for configuring the Dex component. - -Name | Default | Description ---- | --- | --- -Config | [Empty] | The `dex.config` property in the `argocd-cm` ConfigMap. -Groups | [Empty] | Optional list of required groups a user must be a member of -Image | `quay.io/dexidp/dex` | The container image for Dex. This overrides the `ARGOCD_DEX_IMAGE` environment variable. -OpenShiftOAuth | false | Enable automatic configuration of OpenShift OAuth authentication for the Dex server. This is ignored if a value is presnt for `Dex.Config`. -Resources | [Empty] | The container compute resources. -Version | v2.21.0 (SHA) | The tag to use with the Dex container image. - -### Dex Example - -The following examples show all properties set to the default values. Both configuration methods will be supported until v0.8.0 - -``` yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: example-argocd - labels: - example: dex -spec: - dex: - config: "" - groups: - - default - image: quay.io/dexidp/dex - openShiftOAuth: false - resources: {} - version: v2.21.0 -``` -OR - -``` yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: example-argocd - labels: - example: dex -spec: - sso: - provider: dex - dex: - config: "" - groups: - - default - image: quay.io/dexidp/dex - openShiftOAuth: false - resources: {} - version: v2.21.0 -``` - -Please refer to the [dex user guide](../usage/dex.md) to learn more about configuring dex as a Single sign-on provider. - - -### Dex OpenShift OAuth Example - -The following example configures Dex to use the OAuth server built into OpenShift. 
- -The `OpenShiftOAuth` property can be used to trigger the operator to auto configure the built-in OpenShift OAuth server. The RBAC `Policy` property is used to give the admin role in the Argo CD cluster to users in the OpenShift `cluster-admins` group. - -``` yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: example-argocd - labels: - example: openshift-oauth -spec: - dex: - openShiftOAuth: true - rbac: - defaultPolicy: 'role:readonly' - policy: | - g, cluster-admins, role:admin - scopes: '[groups]' -``` - -### Important Note regarding Role Mappings: - -To have a specific user be properly atrributed with the `role:admin` upon SSO through Openshift, the user needs to be in a **group** with the `cluster-admin` role added. If the user only has a direct `ClusterRoleBinding` to the Openshift role for `cluster-admin`, the ArgoCD role will not map. - -A quick fix will be to create an `cluster-admins` group, add the user to the group and then apply the `cluster-admin` ClusterRole to the group. - -``` -oc adm groups new cluster-admins -oc adm groups add-users cluster-admins USER -oc adm policy add-cluster-role-to-group cluster-admin cluster-admins -``` - ## Disable Admin Disable the admin user. This property maps directly to the `admin.enabled` field in the `argocd-cm` ConfigMap. @@ -374,7 +273,6 @@ spec: "ping": "pong" // The same entry is reflected in Argo CD Configmap. ``` - ## GA Tracking ID The google analytics tracking ID to use. This property maps directly to the `ga.trackingid` field in the `argocd-cm` ConfigMap. @@ -741,36 +639,6 @@ spec: my-git.com ssh-rsa AAAAB3NzaC... ``` -## Keycloak Options - -The following properties are available for configuring Keycloak Single sign-on provider. - -Name | Default | Description ---- | --- | --- -Image | OpenShift - `registry.redhat.io/rh-sso-7/sso75-openshift-rhel8`
Kuberentes - `quay.io/keycloak/keycloak` | The container image for keycloak. This overrides the `ARGOCD_KEYCLOAK_IMAGE` environment variable. -Resources | `Requests`: CPU=500m, Mem=512Mi, `Limits`: CPU=1000m, Mem=1024Mi | The container compute resources. -RootCA | "" | root CA certificate for communicating with the OIDC provider -VerifyTLS | true | Whether to enforce strict TLS checking when communicating with Keycloak service. -Version | OpenShift - `sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3` (7.5.1)
Kubernetes - `sha256:64fb81886fde61dee55091e6033481fa5ccdac62ae30a4fd29b54eb5e97df6a9` (15.0.2) | The tag to use with the keycloak container image. - -### Keycloak Single sign-on Example - -The following example uses keycloak as Single sign-on option for Argo CD. - -``` yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: example-argocd - labels: - example: status-badge-enabled -spec: - sso: - provider: keycloak -``` - -Please refer to the [keycloak user guide](../usage/keycloak/kubernetes.md) to learn more about configuring keycloak as a Single sign-on provider. - ## Kustomize Build Options Build options/parameters to use with `kustomize build` (optional). This property maps directly to the `kustomize.buildOptions` field in the `argocd-cm` ConfigMap. 
@@ -1578,24 +1446,126 @@ spec: ## Single sign-on Options -!!! warning - `.spec.sso.Image`, `.spec.sso.Version`, `.spec.sso.Resources` and `.spec.sso.verifyTLS` are deprecated and support will be removed in Argo CD operator v0.8.0. Please use equivalent fields under `.spec.sso.keycloak` to configure your keycloak instance. +The following properties are available for configuring the Single sign-on component. + +Name | Default | Description +--- | --- | --- +[Keycloak](#keycloak-options) | [Object] | Configuration options for Keycloak SSO provider +[Dex](#dex-options) | [Object] | Configuration options for Dex SSO provider +Provider | [Empty] | The name of the provider used to configure Single sign-on. For now the supported options are "dex" and "keycloak". + +## Dex Options + +The following properties are available for configuring the Dex component. + +Name | Default | Description +--- | --- | --- +Config | [Empty] | The `dex.config` property in the `argocd-cm` ConfigMap. +Groups | [Empty] | Optional list of required groups a user must be a member of +Image | `quay.io/dexidp/dex` | The container image for Dex. This overrides the `ARGOCD_DEX_IMAGE` environment variable. +OpenShiftOAuth | false | Enable automatic configuration of OpenShift OAuth authentication for the Dex server. This is ignored if a value is present for `sso.dex.config`. +Resources | [Empty] | The container compute resources. +Version | v2.21.0 (SHA) | The tag to use with the Dex container image. + +### Dex Example !!! note - `.spec.sso.Image`, `.spec.sso.Version`, `.spec.sso.Resources` and `.spec.sso.verifyTLS` fields were earlier scheduled for removal in Argo CD operator v0.7.0, but have been extended to Argo CD operator v0.8.0. + `.spec.dex` is no longer supported in Argo CD operator v0.8.0 onwards, use `.spec.sso.dex` instead. -The following properties are available for configuring the Single sign-on component. +The following examples show all properties set to the default values. 
+ +``` yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: example-argocd + labels: + example: dex +spec: + sso: + provider: dex + dex: + config: "" + groups: + - default + image: quay.io/dexidp/dex + openShiftOAuth: false + resources: {} + version: v2.21.0 +``` + +Please refer to the [dex user guide](../usage/dex.md) to learn more about configuring dex as a Single sign-on provider. + +### Dex OpenShift OAuth Example + +The following example configures Dex to use the OAuth server built into OpenShift. + +The `OpenShiftOAuth` property can be used to trigger the operator to auto configure the built-in OpenShift OAuth server. The RBAC `Policy` property is used to give the admin role in the Argo CD cluster to users in the OpenShift `cluster-admins` group. + +``` yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: example-argocd + labels: + example: openshift-oauth +spec: + sso: + provider: dex + dex: + openShiftOAuth: true + rbac: + defaultPolicy: 'role:readonly' + policy: | + g, cluster-admins, role:admin + scopes: '[groups]' +``` + +### Important Note regarding Role Mappings: + +To have a specific user be properly atrributed with the `role:admin` upon SSO through Openshift, the user needs to be in a **group** with the `cluster-admin` role added. If the user only has a direct `ClusterRoleBinding` to the Openshift role for `cluster-admin`, the ArgoCD role will not map. + +A quick fix will be to create an `cluster-admins` group, add the user to the group and then apply the `cluster-admin` ClusterRole to the group. + +``` +oc adm groups new cluster-admins +oc adm groups add-users cluster-admins USER +oc adm policy add-cluster-role-to-group cluster-admin cluster-admins +``` + +## Keycloak Options + +The following properties are available for configuring Keycloak Single sign-on provider. Name | Default | Description --- | --- | --- Image | OpenShift - `registry.redhat.io/rh-sso-7/sso75-openshift-rhel8`
Kuberentes - `quay.io/keycloak/keycloak` | The container image for keycloak. This overrides the `ARGOCD_KEYCLOAK_IMAGE` environment variable. -[Keycloak](#keycloak-options) | [Object] | Configuration options for Keycloak SSO provider -[Dex](#dex-options) | [Object] | Configuration options for Dex SSO provider -Provider | [Empty] | The name of the provider used to configure Single sign-on. For now the supported options are Dex and keycloak. Resources | `Requests`: CPU=500m, Mem=512Mi, `Limits`: CPU=1000m, Mem=1024Mi | The container compute resources. +RootCA | "" | root CA certificate for communicating with the OIDC provider VerifyTLS | true | Whether to enforce strict TLS checking when communicating with Keycloak service. Version | OpenShift - `sha256:720a7e4c4926c41c1219a90daaea3b971a3d0da5a152a96fed4fb544d80f52e3` (7.5.1)
Kubernetes - `sha256:64fb81886fde61dee55091e6033481fa5ccdac62ae30a4fd29b54eb5e97df6a9` (15.0.2) | The tag to use with the keycloak container image. +### Keycloak Single sign-on Example + +!!! note + `.spec.sso.Image`, `.spec.sso.Version`, `.spec.sso.Resources` and `.spec.sso.verifyTLS` fields are no longer supported in Argo CD operator v0.8.0 onwards. Please use equivalent fields under `.spec.sso.keycloak` to configure your keycloak instance. + +The following example uses keycloak as Single sign-on option for Argo CD. + +``` yaml +apiVersion: argoproj.io/v1alpha1 +kind: ArgoCD +metadata: + name: example-argocd + labels: + example: status-badge-enabled +spec: + sso: + provider: keycloak +``` + +Please refer to the [keycloak user guide](../usage/keycloak/kubernetes.md) to learn more about configuring keycloak as a Single sign-on provider. + ## System-Level Configuration The comparison of resources with well-known issues can be customized at a system level. Ignored differences can be configured for a specified group and kind diff --git a/docs/usage/dex.md b/docs/usage/dex.md index 26c4a474e..172900487 100644 --- a/docs/usage/dex.md +++ b/docs/usage/dex.md 
@@ -1,24 +1,16 @@ - [Overview](#overview) - [Installing & Configuring Dex](#installing--configuring-dex) - - [Using `.spec.sso.provider`](#using-specssoprovider) - - [Using the DISABLE_DEX environment variable](#using-the-disable_dex-environment-variable) - [Dex OpenShift OAuth Connector](#dex-openshift-oauth-connector) - [Role Mappings](#role-mappings) - [Dex GitHub Connector](#dex-github-connector) - [Uninstalling Dex](#uninstalling-dex) - - [Using `.spec.sso`](#using-specsso) - - [Using the DISABLE_DEX environment variable](#using-the-disable_dex-environment-variable-1) - - [Using `.spec.dex`](#using-specdex) ## Overview Dex can be used to delegate authentication to external identity providers like GitHub, SAML and others. SSO configuration of Argo CD requires updating the Argo CD CR with [Dex connector](https://dexidp.io/docs/connectors/) settings. - ## Installing & Configuring Dex -#### Using `.spec.sso.provider` - Dex configuration has moved to `.spec.sso` in release v0.4.0. Dex can be enabled by setting `.spec.sso.provider` to `dex` in the Argo CD CR. !!! note @@ -27,6 +19,9 @@ Dex configuration has moved to `.spec.sso` in release v0.4.0. Dex can be enabled !!! note Specifying `.spec.sso.dex` without setting dex as the provider will result in an error. +!!! note + `.spec.dex` is no longer supported in Argo CD operator v0.8.0 onwards, use `.spec.sso.dex` instead. + An example of correctly configured dex would look as follows: ```yaml 
@@ -41,46 +36,6 @@ spec: openShiftOAuth: true ``` -#### Using the DISABLE_DEX environment variable - -!!! warning - `DISABLE_DEX` is deprecated and support will be removed in Argo CD operator v0.8.0. Please use `.spec.sso.provider` to enable/disable Dex. - -!!! note - `DISABLE_DEX` environment variable was earlier scheduled for removal in Argo CD operator v0.7.0, but has been extended to Argo CD operator v0.8.0. - -Until release v0.4.0 of Argo CD operator, Dex resources were created by default unless the `DISABLE_DEX` environment variable was explicitly set to `true`. However, v0.4.0 onward, `DISBALE_DEX` being either unset, or set to `false` will not trigger creation of Dex resources, unless there is valid Dex configuration expressed through `.spec.dex`. Users can continue setting `DISABLE_DEX` to `true` to uninstall dex resources until v0.8.0. - -!!! warning - `.spec.dex` is deprecated and support will be removed in Argo CD operator v0.8.0. Please use `.spec.sso.dex` to configure Dex. - -!!! note - `.spec.dex` field was earlier scheduled for removal in Argo CD operator v0.7.0, but has been extended to Argo CD operator v0.8.0. - -An example of correctly configured dex would look as follows: - -Set the `DISABLE_DEX` to `false` in the Subscription resource of the operator. - -```yaml -spec: - config: - env: - - name: DISABLE_DEX - value: "false" -``` - -and supply `.spec.dex` with valid configuration - -```yaml -apiVersion: argoproj.io/v1alpha1 -kind: ArgoCD -metadata: - name: example-argocd -spec: - dex: - openShiftOAuth: true -``` - ## Dex OpenShift OAuth Connector The below section describes how to configure Argo CD SSO using OpenShift connector as an example. Dex makes use of the users and groups defined within OpenShift by querying the platform provided OAuth server. 
@@ -95,10 +50,12 @@ metadata: labels: example: openshift-oauth spec: - dex: - openShiftOAuth: true - groups: - - default + sso: + provider: dex + dex: + openShiftOAuth: true + groups: + - default rbac: defaultPolicy: 'role:readonly' policy: | @@ -126,7 +83,7 @@ The below section describes how to configure Argo CD SSO using GitHub (OAuth2) a 2. Update the Argo CD CR. -In the `dex.config` key, add the github connector to the connectors sub field. See the Dex [GitHub connector documentation](https://github.com/dexidp/website/blob/main/content/docs/connectors/github.md) for explanation of the fields. A minimal config should populate the clientID, clientSecret generated in Step 1. +In the `sso.dex.config` key, add the github connector to the connectors sub field. See the Dex [GitHub connector documentation](https://github.com/dexidp/website/blob/main/content/docs/connectors/github.md) for explanation of the fields. A minimal config should populate the clientID, clientSecret generated in Step 1. You will very likely want to restrict logins to one or more GitHub organization. In the `connectors.config.orgs` list, add one or more GitHub organizations. Any member of the org will then be able to login to Argo CD to perform management tasks. 
@@ -138,50 +95,25 @@ metadata: labels: example: openshift-oauth spec: - dex: - config: | - connectors: - # GitHub example - - type: github - id: github - name: GitHub - config: - clientID: xxxxxxxxxxxxxx - clientSecret: $dex.github.clientSecret # Alternatively $:dex.github.clientSecret - orgs: - - name: dummy-org + sso: + provider: dex + dex: + config: | + connectors: + # GitHub example + - type: github + id: github + name: GitHub + config: + clientID: xxxxxxxxxxxxxx + clientSecret: $dex.github.clientSecret # Alternatively $:dex.github.clientSecret + orgs: + - name: dummy-org ``` ## Uninstalling Dex -#### Using `.spec.sso` - -Dex can be uninstalled either by removing `.spec.sso` from the Argo CD CR, or switching to a different SSO provider. - -#### Using the DISABLE_DEX environment variable - -Dex can be uninstalled by setting `DISABLE_DEX` to `true` in the Subscription resource of the operator. - -```yaml -spec: - config: - env: - - name: DISABLE_DEX - value: "true" -``` - -!!! warning - `DISABLE_DEX` is deprecated and support will be removed in Argo CD operator v0.8.0. Please use `.spec.sso.provider` to enable/disable Dex. - !!! note - `DISABLE_DEX` environment variable was earlier scheduled for removal in Argo CD operator v0.7.0, but has been extended to Argo CD operator v0.8.0. - -#### Using `.spec.dex` - -Dex can be uninstalled by either removing `.spec.dex` from the Argo CD CR, or ensuring `.spec.dex.config` is empty and `.spec.dex.openShiftOAuth` is set to `false`. + `DISABLE_DEX` environment variable is no longer supported in Argo CD operator v0.8.0 onwards. -!!! warning - `.spec.dex` is deprecated and support will be removed in Argo CD operator v0.8.0. Please use `.spec.sso.dex` to configure Dex. - -!!! note - `.spec.dex` field was earlier scheduled for removal in Argo CD operator v0.7.0, but has been extended to Argo CD operator v0.8.0. 
\ No newline at end of file +Dex can be uninstalled either by removing `.spec.sso` from the Argo CD CR, or switching to a different SSO provider. diff --git a/docs/usage/keycloak/kubernetes.md b/docs/usage/keycloak/kubernetes.md index 87fa7acc1..c8a3db94f 100644 --- a/docs/usage/keycloak/kubernetes.md +++ b/docs/usage/keycloak/kubernetes.md @@ -46,10 +46,10 @@ spec: ``` If your keycloak is setup with a certificate which is not signed by one of the well known certificate authorities you can provide a custom certificate which will be used in verifying the Keycloak's TLS certificate when communicating with it. -Add the rootCA to your Argo CD custom resource `.spec.keycloak.rootCA` field. The operator reconciles to this change and updates the `oidc.config` in `argocd-cm` configmap with the PEM encoded root certificate. +Add the rootCA to your Argo CD custom resource `.spec.sso.keycloak.rootCA` field. The operator reconciles to this change and updates the `oidc.config` in `argocd-cm` configmap with the PEM encoded root certificate. !!! note - Argo CD server pod should be restarted after updating the `.spec.keycloak.rootCA`. + Argo CD server pod should be restarted after updating the `.spec.sso.keycloak.rootCA`. Please refer to the below example: 
@@ -74,14 +74,11 @@ spec: enabled: true ``` -!!! warning - `.spec.sso.Image`, `.spec.sso.Version`, `.spec.sso.Resources` and `.spec.sso.verifyTLS` are deprecated and support will be removed in Argo CD operator v0.8.0. Please use equivalent fields under `.spec.sso.keycloak` to configure your keycloak instance. - !!! note - `.spec.sso.Image`, `.spec.sso.Version`, `.spec.sso.Resources` and `.spec.sso.verifyTLS` fields were earlier scheduled for removal in Argo CD operator v0.7.0, but have been extended to Argo CD operator v0.8.0. + `.spec.sso.Image`, `.spec.sso.Version`, `.spec.sso.Resources` and `.spec.sso.verifyTLS` fields are no longer supported in Argo CD operator v0.8.0 onwards. Please use equivalent fields under `.spec.sso.keycloak` to configure your keycloak instance. !!! note - If you test the operator locally using `make run`, please add `.spec.sso.verifyTLS: false`, or `.spec.sso.keycloak.verifyTLS: false` to your Argo CD CR. Specifying conflicting information in both specs will result in errors. + If you test the operator locally using `make run`, please add `.spec.sso.keycloak.verifyTLS: false` to your Argo CD CR. Specifying conflicting information in both specs will result in errors. ## Create diff --git a/docs/usage/keycloak/openshift.md b/docs/usage/keycloak/openshift.md index e3294671c..89bb4dacb 100644 --- a/docs/usage/keycloak/openshift.md +++ b/docs/usage/keycloak/openshift.md 
@@ -20,10 +20,10 @@ spec: ``` If your keycloak is setup with a certificate which is not signed by one of the well known certificate authorities you can provide a custom certificate which will be used in verifying the Keycloak's TLS certificate when communicating with it. -Add the rootCA to your Argo CD custom resource `.spec.keycloak.rootCA` field. The operator reconciles to this change and updates the `oidc.config` in `argocd-cm` configmap with the PEM encoded root certificate. +Add the rootCA to your Argo CD custom resource `.spec.sso.keycloak.rootCA` field. The operator reconciles to this change and updates the `oidc.config` in `argocd-cm` configmap with the PEM encoded root certificate. !!! note - Argo CD server pod should be restarted after updating the `.spec.keycloak.rootCA`. + Argo CD server pod should be restarted after updating the `.spec.sso.keycloak.rootCA`. Please refer to the below example: @@ -48,6 +48,9 @@ spec: enabled: true ``` +!!! note + `.spec.sso.Image`, `.spec.sso.Version`, `.spec.sso.Resources` and `.spec.sso.verifyTLS` fields are no longer supported in Argo CD operator v0.8.0 onwards. Please use equivalent fields under `.spec.sso.keycloak` to configure your keycloak instance. + ## Create Create a new Argo CD Instance in the `argocd` namespace using the provided example. From cd38bd24558b5d1992979205fb738c03522c3911 Mon Sep 17 00:00:00 2001 From: Cristina Sirbu Date: Thu, 29 Jun 2023 21:32:47 +0300 Subject: [PATCH 3/4] Update notifications_util.go (#938) Fix typo in trigger on-sync-status-unknown for argocd-notifications-cm configMap. Signed-off-by: Sirbu, Cristina Signed-off-by: Sirbu, Cristina --------- Signed-off-by: Arthur Signed-off-by: Sirbu, Cristina Signed-off-by: Sirbu, Cristina Co-authored-by: Arthur Vardevanyan --- controllers/argocd/notifications_util.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/controllers/argocd/notifications_util.go b/controllers/argocd/notifications_util.go index 6d85b9e8d..710aa361b 100644 --- a/controllers/argocd/notifications_util.go +++ b/controllers/argocd/notifications_util.go @@ -531,7 +531,7 @@ teams: when: app.status.operationState.phase in ['Running']` notificationsConfig["trigger.on-sync-status-unknown"] = `- description: Application status is 'Unknown' - end: + send: - app-sync-status-unknown when: app.status.sync.status == 'Unknown'` From ba14854e595206cb5c85d64f35e559552c0f4105 Mon Sep 17 00:00:00 2001 From: Abhishek Veeramalla Date: Mon, 3 Jul 2023 20:23:50 +0530 Subject: [PATCH 4/4] feat: upgrade Argo CD version and SSH Known Host Keys (#942) Signed-off-by: iam-veeramalla --- build/util/Dockerfile | 4 ++-- common/defaults.go | 15 ++++++++++----- go.mod | 2 +- go.sum | 4 ++-- 4 files changed, 15 insertions(+), 10 deletions(-) diff --git a/build/util/Dockerfile b/build/util/Dockerfile index 171d21af4..76de99508 100644 --- a/build/util/Dockerfile +++ b/build/util/Dockerfile @@ -1,5 +1,5 @@ -# Argo CD v2.6.3 -FROM quay.io/argoproj/argocd@sha256:0fd690bd7b89bd6f947b4000de33abd53ebcd36b57216f1c675a1127707b5eef as argocd +# Argo CD v2.7.6 +FROM quay.io/argoproj/argocd@sha256:7daba5f38b23f4f091951b727db6f87dc04ad396fd21044401502438d633836e as argocd # Final Image FROM docker.io/library/ubuntu:22.04 diff --git a/common/defaults.go b/common/defaults.go index 5355de053..05402b143 100644 --- a/common/defaults.go +++ b/common/defaults.go 
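Review bot: In controllers/argocd/notifications_util.go the default trigger YAML in `notificationsConfig["trigger.on-sync-status-unknown"]` has no test guarding it; the diffstat for this patch lists only that file with one insertion and one deletion, so the `end:` to `send:` correction ships unverified. A table-driven unit test that unmarshals every `trigger.*` value and asserts each entry has a non-empty `send` list and a `when` expression would catch a misspelled key before release. Whether the operator rewrites an existing argocd-notifications-cm on upgrade is not visible here, so instances created with the old default may keep a trigger that never sends until the ConfigMap is reconciled or edited; that is worth stating in the release notes. The enclosing function starts and ends outside the hunk.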
@@ -61,7 +61,7 @@ const ( ArgoCDDefaultArgoImage = "quay.io/argoproj/argocd" // ArgoCDDefaultArgoVersion is the Argo CD container image digest to use when version not specified. - ArgoCDDefaultArgoVersion = "sha256:0fd690bd7b89bd6f947b4000de33abd53ebcd36b57216f1c675a1127707b5eef" // v2.6.3 + ArgoCDDefaultArgoVersion = "sha256:7daba5f38b23f4f091951b727db6f87dc04ad396fd21044401502438d633836e" // v2.7.6 // ArgoCDDefaultBackupKeyLength is the length of the generated default backup key. ArgoCDDefaultBackupKeyLength = 32 
@@ -289,15 +289,20 @@ const ( ArgoCDDefaultServerSessionKeyNumSymbols = 0 // ArgoCDDefaultSSHKnownHosts is the default SSH Known hosts data. - ArgoCDDefaultSSHKnownHosts = `bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== -github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + ArgoCDDefaultSSHKnownHosts = `[ssh.github.com]:443 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= +[ssh.github.com]:443 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl +[ssh.github.com]:443 ssh-rsa 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 +bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE= +bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO +bitbucket.org ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== +github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= +github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl +github.com ssh-rsa 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 gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H vs-ssh.visualstudio.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H -github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= -github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl ` ) diff --git a/go.mod b/go.mod index 0d07e6f3c..29f03b302 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/argoproj-labs/argocd-operator go 1.19 require ( - github.com/argoproj/argo-cd/v2 v2.6.7 + github.com/argoproj/argo-cd/v2 v2.7.6 github.com/coreos/prometheus-operator v0.40.0 github.com/go-logr/logr v1.2.4 github.com/google/go-cmp v0.5.9 diff --git a/go.sum b/go.sum index 7a95ee35e..bf08d0f6c 100644 --- a/go.sum +++ b/go.sum 
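Review bot: The rewritten `ArgoCDDefaultSSHKnownHosts` literal in common/defaults.go carries no provenance, so a reviewer cannot tell where the new `[ssh.github.com]:443`, bitbucket.org and github.com entries came from or when they were last checked. These strings are the trust anchors for SSH repository access, so I would add a comment above the constant such as `// Host keys copied from <SOURCE> on <DATE>; verify against each provider's published fingerprints before changing.`, with the placeholders filled in. The hunk also replaces the previous `github.com ssh-rsa` key; whether an already-created known-hosts ConfigMap is updated on operator upgrade is not visible here, so it is worth confirming that existing instances do not keep trusting the removed key. `ssh.dev.azure.com` and `vs-ssh.visualstudio.com` remain `ssh-rsa` only and are untouched by this commit. The `const (` block begins outside the hunk.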
@@ -115,8 +115,8 @@ github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.m github.com/apache/arrow/go/arrow v0.0.0-20191024131854-af6fa24be0db/go.mod h1:VTxUBvSJ3s3eHAg65PNgrsn5BtqCRPdmyXh6rAfdxN0= github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ= -github.com/argoproj/argo-cd/v2 v2.6.7 h1:hBW8QNi6rAN5yERIiwLz3dzErxoJ1Y3BGWwlFsnxETM= -github.com/argoproj/argo-cd/v2 v2.6.7/go.mod h1:Vqnr5UMfUt+01ycy1bVTARUVGuOUZmGAp52CC3spkVo= +github.com/argoproj/argo-cd/v2 v2.7.6 h1:AKRQm0fLGgBmKQILrpc/2PZM2WYlfCP5tquU6DqDudU= +github.com/argoproj/argo-cd/v2 v2.7.6/go.mod h1:uRU//iTjnzlCs+hKOKo5Na2OZGNTlklnu/g9Wi4enh4= github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=