Skip to content

test(configmap): mask the token value annotation in the ArgoCD UI/CLI#1221

Open
dkarpele wants to merge 1 commit into
redhat-developer:masterfrom
dkarpele:dk-GITOPS-10509
Open

test(configmap): mask the token value annotation in the ArgoCD UI/CLI#1221
dkarpele wants to merge 1 commit into
redhat-developer:masterfrom
dkarpele:dk-GITOPS-10509

Conversation

@dkarpele

@dkarpele dkarpele commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

This PR has temporarilly changes in go.mod and test/openshift/e2e/ginkgo/parallel/1-132_validate_sensitive_annotation_masking_test.go.

  1. go.mod uses temp commit github.com/argoproj-labs/argocd-operator v0.0.0-20260715184606-28cf63dec3bb that will be replaced with master commit when feat(configmap): mask the token value annotation in the ArgoCD UI/CLI on OpenShift argoproj-labs/argocd-operator#2284 is merged

UPD: done

					Source: &argocdv1alpha1.ApplicationSource{
						RepoURL:        "https://github.com/dkarpele/gitops-operator",
						Path:           "test/examples/dockercfg-token-secret",
						TargetRevision: "dk-GITOPS-10509",
					},

will be replaced with

					Source: &argocdv1alpha1.ApplicationSource{
						RepoURL:        "https://github.com/redhat-developer/gitops-operator",
						Path:           "test/examples/dockercfg-token-secret",
						TargetRevision: "HEAD",
					},

UPD: done

  1. I created a separate PR to push test/examples/dockercfg-token-secret/secret.yaml to master test(e2e): prepare secret for e2e test 1-132_validate_sensitive_annotation_masking_test #1222

UPD: done

What type of PR is this?
/kind failing-test

What does this PR do / why we need it:
E2e Test for argoproj-labs/argocd-operator#2284: feat(configmap): mask the token value annotation in the ArgoCD UI/CLI on OpenShift

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:
https://redhat.atlassian.net/browse/GITOPS-10509

Fixes #?

Test acceptance criteria:

  • Unit Test
  • [*] E2E Test

How to test changes / Special notes to the reviewer:

Summary by CodeRabbit

  • Bug Fixes

    • Improved masking of sensitive OpenShift annotation values so secret contents do not appear in application diffs or CLI output.
    • Ensured masked annotations do not trigger incorrect out-of-sync state during refresh and synchronization.
  • Tests

    • Added an OpenShift-targeted end-to-end test that validates sensitive annotation masking across refresh, sync status checks, and diff output.
  • Chores

    • Updated Go module dependency versions to newer releases.

@openshift-ci openshift-ci Bot added kind/failing-test Categorizes issue or PR as related to a frequently failing test. do-not-merge/work-in-progress labels Jul 16, 2026
@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign chetan-rns for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 389ab3a2-6646-41e1-8297-d1d87c6287ab

📥 Commits

Reviewing files that changed from the base of the PR and between e1c2b6b and 1b20da5.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • test/openshift/e2e/ginkgo/parallel/1-132_validate_sensitive_annotation_masking_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)
🚧 Files skipped from review as they are similar to previous changes (2)
  • test/openshift/e2e/ginkgo/parallel/1-132_validate_sensitive_annotation_masking_test.go
  • go.mod

📝 Walkthrough

Walkthrough

This change updates three Go module dependencies and adds an OpenShift Ginkgo E2E test that verifies sensitive annotation values remain masked in Argo CD synchronization and diff output.

Changes

Go dependency updates

Layer / File(s) Summary
Module version updates
go.mod
Updates the Argo CD Operator, golang.org/x/mod, and golang.org/x/tools dependency versions.

Sensitive annotation masking coverage

Layer / File(s) Summary
Sensitive annotation masking E2E flow
test/openshift/e2e/ginkgo/parallel/1-132_validate_sensitive_annotation_masking_test.go
Adds setup and an end-to-end flow that deploys a dockercfg secret, injects a sensitive OpenShift annotation, refreshes the application, and verifies synchronized status and redacted diff output.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Suggested reviewers: jannfis, varshab1210

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main change: an Argo CD/OpenShift test for masking token value annotations in the UI/CLI.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci

openshift-ci Bot commented Jul 16, 2026

Copy link
Copy Markdown

Hi @dkarpele. Thanks for your PR.

I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@varshab1210

Copy link
Copy Markdown
Member

/ok-to-test

@varshab1210

Copy link
Copy Markdown
Member

/test all

@dkarpele

Copy link
Copy Markdown
Contributor Author

/test all

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@test/openshift/e2e/ginkgo/parallel/1-132_validate_sensitive_annotation_masking_test.go`:
- Around line 124-139: Update the ArgoCD CLI login flow around RunArgoCDCLI so
adminPassword cannot appear in logs when --config precedes login. Prefer
reordering the arguments to place login first if supported; otherwise harden
RunArgoCDCLI to detect login regardless of argument order and redact the
password before logging.
- Around line 181-207: Capture and assert the errors returned by both
RunArgoCDCLI calls in the refresh and app diff steps. Update the refresh path
before the Synced Consistently check and the diff path before inspecting
diffOutput so either command failure fails the test, while preserving the
existing token-output assertion.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 3716ee4b-d0ce-4c5b-861e-756615f98874

📥 Commits

Reviewing files that changed from the base of the PR and between 8695d85 and e1c2b6b.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod
  • test/openshift/e2e/ginkgo/parallel/1-132_validate_sensitive_annotation_masking_test.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)

… on OpenShift

Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: dkarpele <karpelevich@gmail.com>
@dkarpele

Copy link
Copy Markdown
Contributor Author

/test all

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kind/failing-test Categorizes issue or PR as related to a frequently failing test. ok-to-test

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants