
Downstream testing tokenRef default Restrictions for ApplicationSet A…#1160

Open
nmirasch wants to merge 1 commit into redhat-developer:master from nmirasch:GITOPS-9735_enforce_tokenref_restric

@nmirasch
Contributor

…ny-Namespace Mode

What type of PR is this?

Uncomment only one /kind line, and delete the rest.
For example, > /kind bug would simply become: /kind bug

/kind test

What does this PR do / why we need it:
Update the argocd-operator dependency to argoproj-labs/argocd-operator@e8e51ab, which enforces
ApplicationSet tokenRef strict mode defaults via argocd-cmd-params-cm when
applicationSet sourceNamespaces are configured.

Add downstream e2e coverage in 1-037 to verify the cmd-params key defaults
to true/false based on sourceNamespaces and can be overridden via
spec.cmdParams. Adjust the ImageUpdater test for argocd-image-updater v1.2.0.

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes: https://redhat.atlassian.net/browse/GITOPS-9735

Test acceptance criteria:

  • Unit Test
  • [X] E2E Test

How to test changes / Special notes to the reviewer:

…ny-Namespace Mode

Assisted-by: Cursor
Signed-off-by: nmirasch <neus.miras@gmail.com>
@openshift-ci openshift-ci Bot requested review from trdoyle81 and wtam2018 May 29, 2026 10:35
@openshift-ci

openshift-ci Bot commented May 29, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jopit for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented May 29, 2026

Hi @nmirasch. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai

coderabbitai Bot commented May 29, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: f7326dbb-d390-4039-a2b5-0e19799a111b

📥 Commits

Reviewing files that changed from the base of the PR and between aacca24 and c8626e1.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • go.mod
  • test/openshift/e2e/ginkgo/parallel/1-121_validate_image_updater_test.go
  • test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go
💤 Files with no reviewable changes (1)
  • test/openshift/e2e/ginkgo/parallel/1-121_validate_image_updater_test.go

📝 Walkthrough

Summary by CodeRabbit

  • Chores

    • Updated Go to 1.25.9 and bumped multiple dependencies including Argo CD, image updater, testing frameworks, and observability components for security and stability improvements.
  • Tests

    • Enhanced E2E test coverage with new validation scenarios for tokenRef strict mode defaulting behavior across different ApplicationSet namespace configurations.

Walkthrough

This PR bumps the Go toolchain to 1.25.9 and updates all direct and indirect module dependencies. It also refactors OpenShift E2E test setup to consolidate namespace configuration at the suite level and adds test cases for ApplicationSet tokenRef strict mode behavior.

Changes

Dependency Management

| Layer / File(s) | Summary |
| --- | --- |
| Go version and dependency updates (go.mod) | Go toolchain upgraded from 1.25.5 to 1.25.9. Direct dependencies updated: Argo CD v3 (3.3.6 → 3.3.10), image updater (1.1.1 → 1.2.0), test frameworks (ginkgo, gomega), logging (zap), and x/mod. Indirect dependencies bumped: cert-manager (1.20.1 → 1.20.2), Google libraries (cel-go, go-querystring, pprof), moby/spdystream (0.5.0 → 0.5.1), OpenTelemetry suite (1.40.0 → 1.43.0), gRPC (1.79.3 → 1.80.0), and Kustomize (0.21.0 → 0.21.1). Removed unused go-strcase dependency. |

E2E Test Updates

| Layer / File(s) | Summary |
| --- | --- |
| ImageUpdater spec cleanup (test/openshift/e2e/ginkgo/parallel/1-121_validate_image_updater_test.go) | Removed explicit Spec.Namespace field from ImageUpdater custom resource construction; namespace is now implicitly set through ObjectMeta. |
| ApplicationSet namespace configuration and tokenRef tests (test/openshift/e2e/ginkgo/sequential/1-037_validate_applicationset_in_any_namespace_test.go) | Added configmapFixture import and consolidated ARGOCD_CLUSTER_CONFIG_NAMESPACES environment variable setup to the suite level, removing redundant local configuration calls from individual test cases. Introduced three new test cases validating tokenRef strict mode defaults: true when sourceNamespaces is configured, false when sourceNamespaces is empty on creation, and overrideable via spec.cmdParams through the ArgoCDCmdParamsConfigMapName ConfigMap. |

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding downstream e2e testing for tokenRef default restrictions for ApplicationSet in any-namespace mode, which aligns with the PR objectives. |
| Description check | ✅ Passed | The description is related to the changeset, explaining the dependency update, e2e test coverage additions, and the ImageUpdater test adjustment that match the code changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@svghadi
Member

svghadi commented May 29, 2026

/ok-to-test

@nmirasch
Contributor Author

/retest

@openshift-ci

openshift-ci Bot commented May 29, 2026

@nmirasch: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/unit | c8626e1 | link | true | /test unit |
| ci/prow/v4.19-e2e | c8626e1 | link | true | /test v4.19-e2e |
| ci/prow/v4.14-kuttl-parallel | c8626e1 | link | false | /test v4.14-kuttl-parallel |
| ci/prow/v4.19-kuttl-sequential | c8626e1 | link | true | /test v4.19-kuttl-sequential |
| ci/prow/v4.14-e2e | c8626e1 | link | false | /test v4.14-e2e |
| ci/prow/v4.14-kuttl-sequential | c8626e1 | link | false | /test v4.14-kuttl-sequential |
| ci/prow/v4.19-kuttl-parallel | c8626e1 | link | true | /test v4.19-kuttl-parallel |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
