|
| 1 | +/* |
| 2 | +Copyright 2025. |
| 3 | +
|
| 4 | +Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | +you may not use this file except in compliance with the License. |
| 6 | +You may obtain a copy of the License at |
| 7 | +
|
| 8 | + http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | +
|
| 10 | +Unless required by applicable law or agreed to in writing, software |
| 11 | +distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | +See the License for the specific language governing permissions and |
| 14 | +limitations under the License. |
| 15 | +*/ |
| 16 | + |
| 17 | +package parallel |
| 18 | + |
| 19 | +import ( |
| 20 | + "context" |
| 21 | + |
| 22 | + argov1beta1api "github.com/argoproj-labs/argocd-operator/api/v1beta1" |
| 23 | + . "github.com/onsi/ginkgo/v2" |
| 24 | + . "github.com/onsi/gomega" |
| 25 | + "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture" |
| 26 | + argocdFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/argocd" |
| 27 | + configmapFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/configmap" |
| 28 | + k8sFixture "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/k8s" |
| 29 | + fixtureUtils "github.com/redhat-developer/gitops-operator/test/openshift/e2e/ginkgo/fixture/utils" |
| 30 | + corev1 "k8s.io/api/core/v1" |
| 31 | + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 32 | + "k8s.io/utils/ptr" |
| 33 | + "sigs.k8s.io/controller-runtime/pkg/client" |
| 34 | +) |
| 35 | + |
| 36 | +var _ = Describe("GitOps Operator Parallel E2E Tests", func() { |
| 37 | + |
| 38 | + Context("1-121_validate_logs_rbac_enforcement", func() { |
| 39 | + |
| 40 | + var ( |
| 41 | + k8sClient client.Client |
| 42 | + ctx context.Context |
| 43 | + ) |
| 44 | + |
| 45 | + BeforeEach(func() { |
| 46 | + fixture.EnsureParallelCleanSlate() |
| 47 | + |
| 48 | + k8sClient, _ = fixtureUtils.GetE2ETestKubeClient() |
| 49 | + ctx = context.Background() |
| 50 | + }) |
| 51 | + |
| 52 | + It("validates logs RBAC enforcement as first-class citizen in Argo CD 3.0", func() { |
| 53 | + |
| 54 | + // Step 1: Create ArgoCD instance with custom RBAC roles for logs testing |
| 55 | + // This tests the new first-class logs RBAC functionality in Argo CD 3.0 |
| 56 | + By("creating an Argo CD instance with custom RBAC roles for logs testing") |
| 57 | + ns, cleanupFunc := fixture.CreateRandomE2ETestNamespaceWithCleanupFunc() |
| 58 | + defer cleanupFunc() |
| 59 | + |
| 60 | + // Initial RBAC policy with custom roles - one with logs permissions, one without |
| 61 | + initialRBACPolicy := `# Custom role without logs permissions |
| 62 | +p, role:no-logs, applications, get, */*, allow |
| 63 | +# Custom role with logs permissions |
| 64 | +p, role:with-logs, applications, get, */*, allow |
| 65 | +p, role:with-logs, logs, get, */*, allow` |
| 66 | + |
| 67 | + argoCD := &argov1beta1api.ArgoCD{ |
| 68 | + ObjectMeta: metav1.ObjectMeta{ |
| 69 | + Name: "argocd", |
| 70 | + Namespace: ns.Name, |
| 71 | + }, |
| 72 | + Spec: argov1beta1api.ArgoCDSpec{ |
| 73 | + RBAC: argov1beta1api.ArgoCDRBACSpec{ |
| 74 | + Policy: ptr.To(initialRBACPolicy), // Custom RBAC policy for testing logs enforcement |
| 75 | + }, |
| 76 | + }, |
| 77 | + } |
| 78 | + Expect(k8sClient.Create(ctx, argoCD)).To(Succeed()) |
| 79 | + |
| 80 | + // Step 2: Wait for ArgoCD to be fully deployed and ready |
| 81 | + By("waiting for ArgoCD CR to be reconciled and the instance to be ready") |
| 82 | + Eventually(argoCD, "5m", "5s").Should(argocdFixture.BeAvailable()) |
| 83 | + |
| 84 | + // Step 3: Verify initial RBAC configuration is applied correctly |
| 85 | + // This confirms that the operator correctly applies the custom RBAC policies |
| 86 | + By("verifying the initial RBAC ConfigMap contains custom roles") |
| 87 | + argocdRBACCM := &corev1.ConfigMap{ |
| 88 | + ObjectMeta: metav1.ObjectMeta{ |
| 89 | + Name: "argocd-rbac-cm", |
| 90 | + Namespace: ns.Name, |
| 91 | + }, |
| 92 | + } |
| 93 | + Eventually(argocdRBACCM).Should(k8sFixture.ExistByName()) |
| 94 | + Eventually(argocdRBACCM).Should(configmapFixture.HaveStringDataKeyValue("policy.csv", initialRBACPolicy)) |
| 95 | + |
| 96 | + // Step 4: Verify that the deprecated server.rbac.log.enforce.enable is not present |
| 97 | + // In Argo CD 3.0, logs RBAC is enforced by default and this config is no longer needed |
| 98 | + By("verifying that deprecated server.rbac.log.enforce.enable is not present in argocd-cm") |
| 99 | + argocdCM := &corev1.ConfigMap{ |
| 100 | + ObjectMeta: metav1.ObjectMeta{ |
| 101 | + Name: "argocd-cm", |
| 102 | + Namespace: ns.Name, |
| 103 | + }, |
| 104 | + } |
| 105 | + Eventually(argocdCM).Should(k8sFixture.ExistByName()) |
| 106 | + // Verify the deprecated key is not present (logs RBAC is now first-class) |
| 107 | + Eventually(argocdCM).ShouldNot(configmapFixture.HaveStringDataKeyValue("server.rbac.log.enforce.enable", "true")) |
| 108 | + |
| 109 | + // Step 5: Update RBAC policy to include global log viewer role |
| 110 | + // This tests the ability to add new roles with logs permissions |
| 111 | + By("updating RBAC policy to include global log viewer role") |
| 112 | + updatedRBACPolicy := `# Custom role without logs permissions |
| 113 | +p, role:no-logs, applications, get, */*, allow |
| 114 | +# Custom role with logs permissions |
| 115 | +p, role:with-logs, applications, get, */*, allow |
| 116 | +p, role:with-logs, logs, get, */*, allow |
| 117 | +# Global log viewer role |
| 118 | +p, role:global-log-viewer, logs, get, */*, allow` |
| 119 | + |
| 120 | + argocdFixture.Update(argoCD, func(ac *argov1beta1api.ArgoCD) { |
| 121 | + ac.Spec.RBAC.Policy = ptr.To(updatedRBACPolicy) |
| 122 | + }) |
| 123 | + |
| 124 | + // Step 6: Verify the RBAC ConfigMap is updated with the global log viewer role |
| 125 | + // This confirms that the operator correctly applies the updated RBAC policies |
| 126 | + By("verifying the RBAC ConfigMap is updated with global log viewer role") |
| 127 | + Eventually(argocdRBACCM).Should(configmapFixture.HaveStringDataKeyValue("policy.csv", updatedRBACPolicy)) |
| 128 | + |
| 129 | + // Step 7: Test legacy configuration handling |
| 130 | + // This simulates upgrading from Argo CD 2.x where server.rbac.log.enforce.enable was used |
| 131 | + By("testing legacy configuration handling") |
| 132 | + legacyRBACPolicy := `# Custom role with only applications access |
| 133 | +p, role:app-only, applications, get, */*, allow` |
| 134 | + |
| 135 | + argocdFixture.Update(argoCD, func(ac *argov1beta1api.ArgoCD) { |
| 136 | + ac.Spec.RBAC.Policy = ptr.To(legacyRBACPolicy) |
| 137 | + }) |
| 138 | + |
| 139 | + // Step 8: Verify legacy configuration is handled correctly |
| 140 | + // This ensures that Argo CD 3.0 properly handles legacy RBAC configurations |
| 141 | + By("verifying legacy configuration is handled correctly") |
| 142 | + Eventually(argocdRBACCM).Should(configmapFixture.HaveStringDataKeyValue("policy.csv", legacyRBACPolicy)) |
| 143 | + |
| 144 | + // Step 9: Verify ArgoCD remains stable throughout RBAC changes |
| 145 | + // This ensures that logs RBAC enforcement doesn't break the ArgoCD instance |
| 146 | + By("verifying ArgoCD remains available after RBAC changes") |
| 147 | + Eventually(argoCD, "2m", "5s").Should(argocdFixture.BeAvailable()) |
| 148 | + |
| 149 | + // Step 10: Final verification that deprecated config is still not present |
| 150 | + // This confirms that the deprecated server.rbac.log.enforce.enable is never added |
| 151 | + By("verifying deprecated server.rbac.log.enforce.enable remains absent") |
| 152 | + Eventually(argocdCM).ShouldNot(configmapFixture.HaveStringDataKeyValue("server.rbac.log.enforce.enable", "true")) |
| 153 | + }) |
| 154 | + |
| 155 | + }) |
| 156 | +}) |
0 commit comments