Merged
4 changes: 2 additions & 2 deletions bundle/manifests/gitops-operator.clusterserviceversion.yaml
Expand Up @@ -134,7 +134,7 @@ metadata:
}
}
},
"resourceExclusions": "- apiGroups:\n - tekton.dev\n clusters:\n - '*'\n kinds:\n - TaskRun\n - PipelineRun \n",
"resourceExclusions": "- apiGroups:\n - \"\"\n - discovery.k8s.io\n kinds:\n - Endpoints\n - EndpointSlice\n- apiGroups:\n - apiregistration.k8s.io\n kinds:\n - APIService\n- apiGroups:\n - coordination.k8s.io\n kinds:\n - Lease\n- apiGroups:\n - authentication.k8s.io\n - authorization.k8s.io\n kinds:\n - SelfSubjectReview\n - TokenReview\n - LocalSubjectAccessReview\n - SelfSubjectAccessReview\n - SelfSubjectRulesReview\n - SubjectAccessReview\n- apiGroups:\n - certificates.k8s.io\n kinds:\n - CertificateSigningRequest\n- apiGroups:\n - cert-manager.io\n kinds:\n - CertificateRequest\n- apiGroups:\n - cilium.io\n kinds:\n - CiliumIdentity\n - CiliumEndpoint\n - CiliumEndpointSlice\n- apiGroups:\n - kyverno.io\n - reports.kyverno.io\n - wgpolicyk8s.io\n kinds:\n - PolicyReport\n - ClusterPolicyReport\n - EphemeralReport\n - ClusterEphemeralReport\n - AdmissionReport\n - ClusterAdmissionReport\n - BackgroundScanReport\n - ClusterBackgroundScanReport\n - UpdateRequest\n- apiGroups:\n - tekton.dev\n clusters:\n - '*'\n kinds:\n - TaskRun\n - PipelineRun\n",
"server": {
"resources": {
"limits": {
Expand Down Expand Up @@ -180,7 +180,7 @@ metadata:
capabilities: Deep Insights
console.openshift.io/plugins: '["gitops-plugin"]'
containerImage: quay.io/redhat-developer/gitops-operator
createdAt: "2025-08-21T01:20:45Z"
createdAt: "2025-09-30T08:46:55Z"
description: Enables teams to adopt GitOps principles for managing cluster configurations
and application delivery across hybrid multi-cluster Kubernetes environments.
features.operators.openshift.io/disconnected: "true"
52 changes: 52 additions & 0 deletions config/samples/argoproj.io_v1alpha1_argocd.yaml
Expand Up @@ -55,6 +55,58 @@ spec:
cpu: 250m
memory: 128Mi
resourceExclusions: |
- apiGroups:
- ""
- discovery.k8s.io
kinds:
- Endpoints
- EndpointSlice
- apiGroups:
- apiregistration.k8s.io
kinds:
- APIService
- apiGroups:
- coordination.k8s.io
kinds:
- Lease
- apiGroups:
- authentication.k8s.io
- authorization.k8s.io
kinds:
- SelfSubjectReview
- TokenReview
- LocalSubjectAccessReview
- SelfSubjectAccessReview
- SelfSubjectRulesReview
- SubjectAccessReview
- apiGroups:
- certificates.k8s.io
kinds:
- CertificateSigningRequest
- apiGroups:
- cert-manager.io
kinds:
- CertificateRequest
- apiGroups:
- cilium.io
kinds:
- CiliumIdentity
- CiliumEndpoint
- CiliumEndpointSlice
- apiGroups:
- kyverno.io
- reports.kyverno.io
- wgpolicyk8s.io
kinds:
- PolicyReport
- ClusterPolicyReport
- EphemeralReport
- ClusterEphemeralReport
- AdmissionReport
- ClusterAdmissionReport
- BackgroundScanReport
- ClusterBackgroundScanReport
- UpdateRequest
- apiGroups:
- tekton.dev
clusters:
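Review bot: The eight new entries in this sample omit `clusters`, while the `NewCR` change in controllers/argocd/argocd.go sets `Clusters: []string{"*"}` on every entry, so the sample no longer shows the YAML the operator generates. The same difference appears in config/samples/argoproj.io_v1beta1_argocd.yaml and in the `resourceExclusions` string of the bundle manifest. Either add `clusters:` with `- '*'` to each new entry here or drop the field from the new Go entries, so that someone comparing a live instance against the sample does not mistake the difference for drift. The two forms are presumably equivalent to Argo CD, but nothing on this page confirms that.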
54 changes: 53 additions & 1 deletion config/samples/argoproj.io_v1beta1_argocd.yaml
Expand Up @@ -55,13 +55,65 @@ spec:
cpu: 250m
memory: 128Mi
resourceExclusions: |
- apiGroups:
- ""
- discovery.k8s.io
kinds:
- Endpoints
- EndpointSlice
- apiGroups:
- apiregistration.k8s.io
kinds:
- APIService
- apiGroups:
- coordination.k8s.io
kinds:
- Lease
- apiGroups:
- authentication.k8s.io
- authorization.k8s.io
kinds:
- SelfSubjectReview
- TokenReview
- LocalSubjectAccessReview
- SelfSubjectAccessReview
- SelfSubjectRulesReview
- SubjectAccessReview
- apiGroups:
- certificates.k8s.io
kinds:
- CertificateSigningRequest
- apiGroups:
- cert-manager.io
kinds:
- CertificateRequest
- apiGroups:
- cilium.io
kinds:
- CiliumIdentity
- CiliumEndpoint
- CiliumEndpointSlice
- apiGroups:
- kyverno.io
- reports.kyverno.io
- wgpolicyk8s.io
kinds:
- PolicyReport
- ClusterPolicyReport
- EphemeralReport
- ClusterEphemeralReport
- AdmissionReport
- ClusterAdmissionReport
- BackgroundScanReport
- ClusterBackgroundScanReport
- UpdateRequest
- apiGroups:
- tekton.dev
clusters:
- '*'
kinds:
- TaskRun
- PipelineRun
- PipelineRun
controller:
resources:
limits:
42 changes: 41 additions & 1 deletion controllers/argocd/argocd.go
Expand Up @@ -179,9 +179,49 @@ func getDefaultRBAC() argoapp.ArgoCDRBACSpec {
}

// NewCR returns an ArgoCD reference optimized for use in OpenShift
// with Tekton
// with comprehensive default resource exclusions
func NewCR(name, ns string) (*argoapp.ArgoCD, error) {
b, err := yaml.Marshal([]resource{
{
APIGroups: []string{"", "discovery.k8s.io"},
Kinds: []string{"Endpoints", "EndpointSlice"},
Clusters: []string{"*"},
},
{
APIGroups: []string{"apiregistration.k8s.io"},
Kinds: []string{"APIService"},
Clusters: []string{"*"},
},
{
APIGroups: []string{"coordination.k8s.io"},
Kinds: []string{"Lease"},
Clusters: []string{"*"},
},
{
APIGroups: []string{"authentication.k8s.io", "authorization.k8s.io"},
Kinds: []string{"SelfSubjectReview", "TokenReview", "LocalSubjectAccessReview", "SelfSubjectAccessReview", "SelfSubjectRulesReview", "SubjectAccessReview"},
Clusters: []string{"*"},
},
{
APIGroups: []string{"certificates.k8s.io"},
Kinds: []string{"CertificateSigningRequest"},
Clusters: []string{"*"},
},
{
APIGroups: []string{"cert-manager.io"},
Kinds: []string{"CertificateRequest"},
Clusters: []string{"*"},
},
{
APIGroups: []string{"cilium.io"},
Kinds: []string{"CiliumIdentity", "CiliumEndpoint", "CiliumEndpointSlice"},
Clusters: []string{"*"},
},
{
APIGroups: []string{"kyverno.io", "reports.kyverno.io", "wgpolicyk8s.io"},
Kinds: []string{"PolicyReport", "ClusterPolicyReport", "EphemeralReport", "ClusterEphemeralReport", "AdmissionReport", "ClusterAdmissionReport", "BackgroundScanReport", "ClusterBackgroundScanReport", "UpdateRequest"},
Clusters: []string{"*"},
},
{
APIGroups: []string{"tekton.dev"},
Kinds: []string{"TaskRun", "PipelineRun"},
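Review bot: The new doc comment on `NewCR` says only "comprehensive default resource exclusions" and does not state the consequence, which matters for the security-relevant kinds in the list. Argo CD does not watch or sync excluded kinds, so for an instance built from these defaults an `APIService`, `CertificateSigningRequest` or core `Endpoints` manifest kept in Git would be neither applied nor compared against the cluster, and an out-of-band change to one of them would not surface as drift. I would extend the comment along the lines of `// The defaults exclude high-churn and request/review-style kinds (Endpoints, Lease, APIService, CSR, policy reports, Tekton runs) on all clusters; set spec.resourceExclusions explicitly to manage any of them through Argo CD.` The body of `NewCR` continues past the end of the hunk, so whether existing instances pick up the new list is not visible here.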
61 changes: 61 additions & 0 deletions controllers/argocd/argocd_test.go
Expand Up @@ -17,6 +17,7 @@ limitations under the License.
package argocd

import (
"strings"
"testing"

argoapp "github.com/argoproj-labs/argocd-operator/api/v1beta1"
Expand Down Expand Up @@ -126,6 +127,66 @@ func TestArgoCD(t *testing.T) {
},
}
assert.DeepEqual(t, testArgoCD.Spec.Server.Resources, testServerResources)

// Test ResourceExclusions field
resourceExclusions := testArgoCD.Spec.ResourceExclusions
assert.Assert(t, len(resourceExclusions) > 0)

// Verify that the YAML contains expected resource types
expectedResources := []string{
"Endpoints",
"EndpointSlice",
"APIService",
"Lease",
"SelfSubjectReview",
"TokenReview",
"LocalSubjectAccessReview",
"SelfSubjectAccessReview",
"SelfSubjectRulesReview",
"SubjectAccessReview",
"CertificateSigningRequest",
"CertificateRequest",
"CiliumIdentity",
"CiliumEndpoint",
"CiliumEndpointSlice",
"PolicyReport",
"ClusterPolicyReport",
"EphemeralReport",
"ClusterEphemeralReport",
"AdmissionReport",
"ClusterAdmissionReport",
"BackgroundScanReport",
"ClusterBackgroundScanReport",
"UpdateRequest",
"TaskRun",
"PipelineRun",
}

for _, expectedResource := range expectedResources {
assert.Assert(t, strings.Contains(resourceExclusions, expectedResource),
"ResourceExclusions should contain %s", expectedResource)
}

// Verify that the YAML contains expected API groups
expectedAPIGroups := []string{
"discovery.k8s.io",
"apiregistration.k8s.io",
"coordination.k8s.io",
"authentication.k8s.io",
"authorization.k8s.io",
"certificates.k8s.io",
"cert-manager.io",
"cilium.io",
"kyverno.io",
"reports.kyverno.io",
"wgpolicyk8s.io",
"tekton.dev",
}

for _, expectedAPIGroup := range expectedAPIGroups {
assert.Assert(t, strings.Contains(resourceExclusions, expectedAPIGroup),
"ResourceExclusions should contain API group %s", expectedAPIGroup)
}
}

func TestDexConfiguration(t *testing.T) {
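Review bot: The `strings.Contains` checks added to `TestArgoCD` can pass with entries missing, because several expected names are substrings of others in the same list: `EndpointSlice` is matched by `CiliumEndpointSlice`, `PolicyReport` by `ClusterPolicyReport`, `SubjectAccessReview` by `LocalSubjectAccessReview`, and `kyverno.io` by `reports.kyverno.io`. The loops also never check the core group `""`, the `clusters` value, or which kinds belong to which API group, so a mis-grouped security-relevant kind such as `TokenReview` would go unnoticed. Decoding the field and comparing structures would pin the defaults exactly, for example `var got []resource` followed by `assert.NilError(t, yaml.Unmarshal([]byte(resourceExclusions), &got))` and an `assert.DeepEqual` against the expected slice; this assumes the test file can import the same yaml package that argocd.go uses, which this page does not show.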