argoproj-labs
diff --git a/‎cmd/main.go‎
Lines changed: 2 additions & 0 deletions b/‎cmd/main.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎controllers/argocd/argocd_controller.go‎
Lines changed: 45 additions & 36 deletions b/‎controllers/argocd/argocd_controller.go‎
Lines changed: 45 additions & 36 deletions
diff --git a/‎controllers/argocd/argocd_controller_test.go‎
Lines changed: 109 additions & 5 deletions b/‎controllers/argocd/argocd_controller_test.go‎
Lines changed: 109 additions & 5 deletions
@@ -37,6 +37,7 @@ import (
 	"github.com/argoproj-labs/argocd-operator/common"
 	"github.com/argoproj-labs/argocd-operator/controllers/argocd"
 	"github.com/argoproj-labs/argocd-operator/controllers/argocdexport"
+	"github.com/argoproj-labs/argocd-operator/controllers/argoutil"
 
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 
@@ -243,6 +244,7 @@ func main() {
 		LocalUsers: &argocd.LocalUsersInfo{
 			TokenRenewalTimers: map[string]*argocd.TokenRenewalTimer{},
 		},
+		FipsConfigChecker: argoutil.NewLinuxFipsConfigChecker(),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "ArgoCD")
 		os.Exit(1)
 
@@ -26,13 +26,13 @@ import (
 
 	argoproj "github.com/argoproj-labs/argocd-operator/api/v1beta1"
 	"github.com/argoproj-labs/argocd-operator/common"
+	"github.com/argoproj-labs/argocd-operator/controllers/argoutil"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
-
 	"k8s.io/client-go/kubernetes"
 
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -83,6 +83,8 @@ type ReconcileArgoCD struct {
 
 	K8sClient  kubernetes.Interface
 	LocalUsers *LocalUsersInfo
+	// FipsConfigChecker checks if the deployment needs FIPS specific environment variables set.
+	FipsConfigChecker argoutil.FipsConfigChecker
 }
 
 var log = logr.Log.WithName("controller_argocd")
@@ -124,22 +126,32 @@ var ActiveInstanceMap = make(map[string]string)
 // - https://pkg.go.dev/sigs.k8s.io/[email protected]/pkg/reconcile
 func (r *ReconcileArgoCD) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) {
 
-	result, argocd, err := r.internalReconcile(ctx, request)
+	result, argocd, argocdStatus, err := r.internalReconcile(ctx, request)
 
 	message := ""
 	if err != nil {
 		message = err.Error()
+		argocdStatus.Phase = "Failed" // Any error should reset phase back to Failed
+	}
+
+	log.Info("reconciling status")
+	if reconcileStatusErr := r.reconcileStatus(argocd, argocdStatus); reconcileStatusErr != nil {
+		log.Error(reconcileStatusErr, "Unable to reconcile status")
+		argocdStatus.Phase = "Failed"
+		message = "unable to reconcile ArgoCD CR .status field"
 	}
 
-	if error := updateStatusConditionOfArgoCD(ctx, createCondition(message), argocd, r.Client, log); error != nil {
-		log.Error(error, "unable to update status of ArgoCD")
-		return reconcile.Result{}, error
+	if updateStatusErr := updateStatusConditionOfArgoCD(ctx, createCondition(message), argocd, argocdStatus, r.Client, log); updateStatusErr != nil {
+		log.Error(updateStatusErr, "unable to update status of ArgoCD")
+		return reconcile.Result{}, updateStatusErr
 	}
 
 	return result, err
 }
 
-func (r *ReconcileArgoCD) internalReconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, *argoproj.ArgoCD, error) {
+func (r *ReconcileArgoCD) internalReconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, *argoproj.ArgoCD, *argoproj.ArgoCDStatus, error) {
+
+	argoCDStatus := &argoproj.ArgoCDStatus{} // Start with a blank canvas
 
 	reconcileStartTS := time.Now()
 	defer func() {
@@ -156,10 +168,10 @@ func (r *ReconcileArgoCD) internalReconcile(ctx context.Context, request ctrl.Re
 			// Request object not found, could have been deleted after reconcile request.
 			// Owned objects are automatically garbage collected. For additional cleanup logic use finalizers.
 			// Return and don't requeue
-			return reconcile.Result{}, argocd, nil
+			return reconcile.Result{}, argocd, argoCDStatus, nil
 		}
 		// Error reading the object - requeue the request.
-		return reconcile.Result{}, argocd, err
+		return reconcile.Result{}, argocd, argoCDStatus, err
 	}
 
 	// If the number of notification replicas is greater than 1, display a warning.
@@ -171,14 +183,14 @@ func (r *ReconcileArgoCD) internalReconcile(ctx context.Context, request ctrl.Re
 	labelSelector, err := labels.Parse(r.LabelSelector)
 	if err != nil {
 		message := fmt.Sprintf("error parsing the labelSelector '%s'.", labelSelector)
-		reqLogger.Info(message)
-		return reconcile.Result{}, argocd, fmt.Errorf("%s error: %w", message, err)
+		reqLogger.Error(err, message)
+		return reconcile.Result{}, argocd, argoCDStatus, fmt.Errorf("%s error: %w", message, err)
 	}
 
 	// Match the value of labelSelector from ReconcileArgoCD to labels from the argocd instance
 	if !labelSelector.Matches(labels.Set(argocd.Labels)) {
-		reqLogger.Info(fmt.Sprintf("the ArgoCD instance '%s' does not match the label selector '%s' and skipping for reconciliation", request.NamespacedName, r.LabelSelector))
-		return reconcile.Result{}, argocd, fmt.Errorf("the ArgoCD instance '%s' does not match the label selector '%s' and skipping for reconciliation", request.NamespacedName, r.LabelSelector)
+		reqLogger.Error(nil, fmt.Sprintf("the ArgoCD instance '%s' does not match the label selector '%s' and skipping for reconciliation", request.NamespacedName, r.LabelSelector))
+		return reconcile.Result{}, argocd, argoCDStatus, fmt.Errorf("the ArgoCD instance '%s' does not match the label selector '%s' and skipping for reconciliation", request.NamespacedName, r.LabelSelector)
 	}
 
 	newPhase := argocd.Status.Phase
@@ -207,6 +219,8 @@ func (r *ReconcileArgoCD) internalReconcile(ctx context.Context, request ctrl.Re
 
 	if argocd.GetDeletionTimestamp() != nil {
 
+		argoCDStatus.Phase = "Unknown" // Set to Unknown since we are in the process of deleting ArgoCD CR
+
 		// Argo CD instance marked for deletion; remove entry from activeInstances map and decrement active instance count
 		// by phase as well as total
 		delete(ActiveInstanceMap, argocd.Namespace)
@@ -220,74 +234,69 @@ func (r *ReconcileArgoCD) internalReconcile(ctx context.Context, request ctrl.Re
 
 		if argocd.IsDeletionFinalizerPresent() {
 			if err := r.deleteClusterResources(argocd); err != nil {
-				return reconcile.Result{}, argocd, fmt.Errorf("failed to delete ClusterResources: %w", err)
+				return reconcile.Result{}, argocd, argoCDStatus, fmt.Errorf("failed to delete ClusterResources: %w", err)
 			}
 
 			if isRemoveManagedByLabelOnArgoCDDeletion() {
 				if err := r.removeManagedByLabelFromNamespaces(argocd.Namespace); err != nil {
-					return reconcile.Result{}, argocd, fmt.Errorf("failed to remove label from namespace[%v], error: %w", argocd.Namespace, err)
+					return reconcile.Result{}, argocd, argoCDStatus, fmt.Errorf("failed to remove label from namespace[%v], error: %w", argocd.Namespace, err)
 				}
 			}
 
 			if err := r.removeUnmanagedSourceNamespaceResources(argocd); err != nil {
-				return reconcile.Result{}, argocd, fmt.Errorf("failed to remove resources from sourceNamespaces, error: %w", err)
+				return reconcile.Result{}, argocd, argoCDStatus, fmt.Errorf("failed to remove resources from sourceNamespaces, error: %w", err)
 			}
 
 			if err := r.removeUnmanagedApplicationSetSourceNamespaceResources(argocd); err != nil {
-				return reconcile.Result{}, argocd, fmt.Errorf("failed to remove resources from applicationSetSourceNamespaces, error: %w", err)
+				return reconcile.Result{}, argocd, argoCDStatus, fmt.Errorf("failed to remove resources from applicationSetSourceNamespaces, error: %w", err)
 			}
 
 			if err := r.removeDeletionFinalizer(argocd); err != nil {
-				return reconcile.Result{}, argocd, err
+				return reconcile.Result{}, argocd, argoCDStatus, err
 			}
 
 			// remove namespace of deleted Argo CD instance from deprecationEventEmissionTracker (if exists) so that if another instance
 			// is created in the same namespace in the future, that instance is appropriately tracked
 			delete(DeprecationEventEmissionTracker, argocd.Namespace)
 		}
 
-		return reconcile.Result{}, argocd, nil
+		return reconcile.Result{}, argocd, argoCDStatus, nil
 	}
 
 	if !argocd.IsDeletionFinalizerPresent() {
 		if err := r.addDeletionFinalizer(argocd); err != nil {
-			return reconcile.Result{}, argocd, err
+			return reconcile.Result{}, argocd, argoCDStatus, err
 		}
 	}
 
-	// get the latest version of argocd instance before reconciling
-	if err = r.Get(ctx, request.NamespacedName, argocd); err != nil {
-		return reconcile.Result{}, argocd, err
-	}
-
 	if err = r.setManagedNamespaces(argocd); err != nil {
-		return reconcile.Result{}, argocd, err
+		return reconcile.Result{}, argocd, argoCDStatus, err
 	}
 
 	if err = r.setManagedSourceNamespaces(argocd); err != nil {
-		return reconcile.Result{}, argocd, err
+		return reconcile.Result{}, argocd, argoCDStatus, err
 	}
 
 	if err = r.setManagedApplicationSetSourceNamespaces(argocd); err != nil {
-		return reconcile.Result{}, argocd, err
+		return reconcile.Result{}, argocd, argoCDStatus, err
 	}
 
 	// Handle NamespaceManagement reconciliation and check if Namespace Management is enabled via the Subscription env variable.
 	if isNamespaceManagementEnabled() {
 		if err := r.reconcileNamespaceManagement(argocd); err != nil {
-			return reconcile.Result{}, argocd, err
+			return reconcile.Result{}, argocd, argoCDStatus, err
 		}
 	} else if argocd.Spec.NamespaceManagement != nil {
 		k8sClient := r.K8sClient
 		if err := r.disableNamespaceManagement(argocd, k8sClient); err != nil {
 			log.Error(err, "Failed to disable NamespaceManagement feature")
-			return reconcile.Result{}, argocd, err
+			return reconcile.Result{}, argocd, argoCDStatus, err
 		}
 	} else if len(argocd.Spec.NamespaceManagement) == 0 {
 		// Handle cleanup of NamespaceManagement RBAC when the feature is removed from the ArgoCD CR.
 		nsMgmtList := &argoproj.NamespaceManagementList{}
 		if err := r.List(context.TODO(), nsMgmtList); err != nil {
-			return reconcile.Result{}, argocd, err
+			return reconcile.Result{}, argocd, argoCDStatus, err
 		}
 
 		k8sClient := r.K8sClient
@@ -301,7 +310,7 @@ func (r *ReconcileArgoCD) internalReconcile(ctx context.Context, request ctrl.Re
 			namespace := &corev1.Namespace{}
 			if err := r.Get(ctx, types.NamespacedName{Name: nsMgmt.Namespace}, namespace); err != nil {
 				log.Error(err, fmt.Sprintf("unable to fetch namespace %s", nsMgmt.Namespace))
-				return reconcile.Result{}, argocd, err
+				return reconcile.Result{}, argocd, argoCDStatus, err
 			}
 
 			// Skip RBAC deletion if the namespace has the "managed-by" label
@@ -313,13 +322,13 @@ func (r *ReconcileArgoCD) internalReconcile(ctx context.Context, request ctrl.Re
 			// Remove roles and rolebindings
 			if err := deleteRBACsForNamespace(nsMgmt.Namespace, k8sClient); err != nil {
 				log.Error(err, fmt.Sprintf("Failed to delete RBACs for namespace: %s", nsMgmt.Namespace))
-				return reconcile.Result{}, argocd, err
+				return reconcile.Result{}, argocd, argoCDStatus, err
 			}
 			log.Info(fmt.Sprintf("Successfully removed RBACs for namespace: %s", nsMgmt.Namespace))
 
 			if err := deleteManagedNamespaceFromClusterSecret(argocd.Namespace, nsMgmt.Namespace, k8sClient); err != nil {
 				log.Error(err, fmt.Sprintf("Unable to delete namespace %s from cluster secret", nsMgmt.Namespace))
-				return reconcile.Result{}, argocd, err
+				return reconcile.Result{}, argocd, argoCDStatus, err
 			}
 
 		}
@@ -328,13 +337,13 @@ func (r *ReconcileArgoCD) internalReconcile(ctx context.Context, request ctrl.Re
 	// Process DropMetadata for namespace-based label cleanup
 	r.processDropMetadataForCleanup(argocd)
 
-	if err := r.reconcileResources(argocd); err != nil {
+	if err := r.reconcileResources(argocd, argoCDStatus); err != nil {
 		// Error reconciling ArgoCD sub-resources - requeue the request.
-		return reconcile.Result{}, argocd, err
+		return reconcile.Result{}, argocd, argoCDStatus, err
 	}
 
 	// Return and don't requeue
-	return reconcile.Result{}, argocd, nil
+	return reconcile.Result{}, argocd, argoCDStatus, nil
 }
 
 // SetupWithManager sets up the controller with the Manager.
 
@@ -27,7 +27,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	appsv1 "k8s.io/api/apps/v1"
-	v1 "k8s.io/api/rbac/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -78,6 +78,110 @@ func TestReconcileArgoCD_Reconcile_with_deleted(t *testing.T) {
 	}
 }
 
+// TestReconcileArgoCD_DexWorkloads verifies that when dex is enabled, that the appropriate operator resources are created. When dex is disabled, the objects are verified to be removed.
+func TestReconcileArgoCD_DexWorkloads(t *testing.T) {
+	logf.SetLogger(ZapLogger(true))
+	a := makeTestArgoCD()
+
+	a.Spec.SSO = &argoproj.ArgoCDSSOSpec{
+		Provider: argoproj.SSOProviderTypeDex,
+		Dex: &argoproj.ArgoCDDexSpec{
+			Config:         "test-config",
+			OpenShiftOAuth: false,
+		},
+	}
+
+	resObjs := []client.Object{a}
+	subresObjs := []client.Object{a}
+	runtimeObjs := []runtime.Object{}
+	sch := makeTestReconcilerScheme(argoproj.AddToScheme)
+	cl := makeTestReconcilerClient(sch, resObjs, subresObjs, runtimeObjs)
+	r := makeTestReconciler(cl, sch, testclient.NewSimpleClientset())
+
+	assert.NoError(t, createNamespace(r, a.Namespace, ""))
+
+	req := reconcile.Request{
+		NamespacedName: types.NamespacedName{
+			Name:      a.Name,
+			Namespace: a.Namespace,
+		},
+	}
+
+	_, err := r.Reconcile(context.TODO(), req)
+	assert.NoError(t, err)
+
+	objectsToVerify := []client.Object{}
+
+	dexRole := &rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: "argocd-argocd-dex-server", Namespace: a.Namespace}}
+	objectsToVerify = append(objectsToVerify, dexRole)
+
+	dexRoleBinding := &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "argocd-argocd-dex-server", Namespace: a.Namespace}}
+	objectsToVerify = append(objectsToVerify, dexRoleBinding)
+
+	dexServiceAccount := &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "argocd-argocd-dex-server", Namespace: a.Namespace}}
+	objectsToVerify = append(objectsToVerify, dexServiceAccount)
+
+	dexService := &corev1.Service{ObjectMeta: metav1.ObjectMeta{Name: "argocd-dex-server", Namespace: a.Namespace}}
+	objectsToVerify = append(objectsToVerify, dexService)
+
+	dexDeployment := &corev1.Service{ObjectMeta: metav1.ObjectMeta{Name: "argocd-dex-server", Namespace: a.Namespace}}
+	objectsToVerify = append(objectsToVerify, dexDeployment)
+
+	for _, objectToVerify := range objectsToVerify {
+		t.Logf("verifying object %s", objectToVerify.GetName())
+		err = r.Get(context.TODO(), client.ObjectKeyFromObject(objectToVerify), objectToVerify)
+		assert.NoError(t, err)
+		assert.True(t, len(objectToVerify.GetOwnerReferences()) > 0)
+	}
+
+	var secretList corev1.SecretList
+	err = r.List(context.TODO(), &secretList, client.InNamespace(a.Namespace))
+	assert.NoError(t, err)
+
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "argocd-cm",
+			Namespace: a.Namespace,
+		},
+	}
+	err = r.Get(context.TODO(), client.ObjectKeyFromObject(configMap), configMap)
+	assert.NoError(t, err)
+
+	assert.Equal(t, configMap.Data["dex.config"], a.Spec.SSO.Dex.Config)
+
+	var dexSecret *corev1.Secret
+
+	for idx := range secretList.Items {
+		secret := secretList.Items[idx]
+		if strings.HasPrefix(secret.Name, "argocd-dex-server-token-") {
+			dexSecret = &secret
+			break
+		}
+	}
+	assert.NotNil(t, dexSecret)
+
+	err = r.Get(context.TODO(), client.ObjectKeyFromObject(a), a)
+	assert.NoError(t, err)
+
+	a.Spec.SSO = nil
+	err = r.Update(context.TODO(), a)
+	assert.NoError(t, err)
+
+	_, err = r.Reconcile(context.TODO(), req)
+	assert.NoError(t, err)
+
+	for _, objectToVerify := range objectsToVerify {
+		err = r.Get(context.TODO(), client.ObjectKeyFromObject(objectToVerify), objectToVerify)
+		assert.Error(t, err)
+	}
+
+	err = r.Get(context.TODO(), client.ObjectKeyFromObject(configMap), configMap)
+	assert.NoError(t, err)
+
+	assert.Equal(t, configMap.Data["dex.config"], "")
+
+}
+
 func TestReconcileArgoCD_Reconcile(t *testing.T) {
 	logf.SetLogger(ZapLogger(true))
 	a := makeTestArgoCD()
@@ -313,11 +417,11 @@ func TestReconcileArgoCD_CleanUp(t *testing.T) {
 	}{
 		{
 			fmt.Sprintf("ClusterRole %s", common.ArgoCDApplicationControllerComponent),
-			newClusterRole(common.ArgoCDApplicationControllerComponent, []v1.PolicyRule{}, a),
+			newClusterRole(common.ArgoCDApplicationControllerComponent, []rbacv1.PolicyRule{}, a),
 		},
 		{
 			fmt.Sprintf("ClusterRole %s", common.ArgoCDServerComponent),
-			newClusterRole(common.ArgoCDServerComponent, []v1.PolicyRule{}, a),
+			newClusterRole(common.ArgoCDServerComponent, []rbacv1.PolicyRule{}, a),
 		},
 		{
 			fmt.Sprintf("ClusterRoleBinding %s", common.ArgoCDApplicationControllerComponent),
@@ -355,8 +459,8 @@ func addFinalizer(finalizerParam string) argoCDOpt { //nolint:unparam
 
 func clusterResources(argocd *argoproj.ArgoCD) []client.Object {
 	return []client.Object{
-		newClusterRole(common.ArgoCDApplicationControllerComponent, []v1.PolicyRule{}, argocd),
-		newClusterRole(common.ArgoCDServerComponent, []v1.PolicyRule{}, argocd),
+		newClusterRole(common.ArgoCDApplicationControllerComponent, []rbacv1.PolicyRule{}, argocd),
+		newClusterRole(common.ArgoCDServerComponent, []rbacv1.PolicyRule{}, argocd),
 		newClusterRoleBindingWithname(common.ArgoCDApplicationControllerComponent, argocd),
 		newClusterRoleBindingWithname(common.ArgoCDServerComponent, argocd),
 	}