Initial CI automation on test for GitOps operator support for xKS#1188

Open
anandrkskd wants to merge 6 commits into
redhat-developer:masterfrom
anandrkskd:ci-test-xks
Conversation

@anandrkskd

Contributor

assisted-by: ClaudeCode

What type of PR is this?

/kind enhancement

What does this PR do / why we need it:
This PR adds CI automation to deploy gitops-operator on an xKS (kind) cluster. This CI pipeline:

  • builds the controller manager image
  • pushes the image to quay with a TTL of 1 day
  • deploys the image using make deploy on a Kind cluster
  • and expects the manager pod to be up.

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes 9841
Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

@openshift-ci openshift-ci Bot added the kind/enhancement New feature or request label Jun 23, 2026
@openshift-ci openshift-ci Bot requested review from chetan-rns and svghadi June 23, 2026 11:48
@openshift-ci

openshift-ci Bot commented Jun 23, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jopit for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jun 23, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

📝 Walkthrough

Summary by CodeRabbit

  • Bug Fixes
    • Made the webhook certificate secret optional, improving deployment reliability in environments where that secret is not present.
  • Chores
    • Added automated pull request deployment validation to help catch installation and rollout issues earlier.

Walkthrough

A pull-request workflow is added to build a local image, load it into kind, install and deploy the operator, and verify controller-manager availability. The webhook certificate secret volume is also marked optional.

Changes

Deploy-test CI Workflow

Layer | File(s) | Summary
Workflow trigger and environment configuration | .github/workflows/deploy-test.yaml | Configures the pull_request trigger for all branches and defines the workflow-level IMG environment variable set to gitops-operator:test.
Kind deployment and availability check | .github/workflows/deploy-test.yaml | Disables webhook and Prometheus resources for the kind run, builds and loads the manager image, installs CRDs, deploys the operator, and waits for the controller-manager deployment to become available.
Webhook certificate secret optionality | config/default/manager_webhook_patch.yaml | Marks the webhook-server-cert secret in the webhook patch as optional for the certificate volume.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly points to new CI automation for testing GitOps operator support on xKS/kind.
Description check ✅ Passed The description is about adding CI automation for deploying and testing gitops-operator on a kind cluster.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 3


Inline comments:
In @.github/workflows/deploy-test.yaml:
- Line 17: Replace the floating version tags on the GitHub Actions uses
statements at lines 17, 20, 25, and 40 with their corresponding immutable commit
SHAs. Instead of using `@v4`, `@v5`, `@v3`, and `@v1` tags for actions/checkout,
actions/setup-node, and other actions in this workflow, pin each to a specific
commit SHA by looking up the actual commit hash for each version tag and
replacing the tag portion with the full SHA reference (e.g., uses:
actions/checkout@abc123def456... format).
- Around line 54-57: The kubectl wait command in the deploy-test workflow is
targeting the wrong Deployment and namespace. The make deploy command creates a
controller named argocd-operator-controller-manager in the
argocd-operator-system namespace, but the current kubectl wait command is
looking for openshift-gitops-operator-controller-manager in
openshift-gitops-operator namespace. Update the deployment name from
openshift-gitops-operator-controller-manager to
argocd-operator-controller-manager and change the namespace from
openshift-gitops-operator to argocd-operator-system to match what is actually
deployed by make deploy.
- Around line 16-17: The actions/checkout action is using default credential
persistence settings, which stores the GitHub token in the git config for
subsequent steps. Disable credential persistence by adding the
persist-credentials parameter set to false in the actions/checkout@v4 step to
reduce credential exposure risk and remove the unnecessary token storage since
it is not needed for this workflow's subsequent steps.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4dbab3dd-9103-47f8-a5a5-97285e3bd659

📥 Commits

Reviewing files that changed from the base of the PR and between 8fa22b8 and 7a41a6d.

📒 Files selected for processing (1)
  • .github/workflows/deploy-test.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)

Comment thread .github/workflows/deploy-test.yaml Outdated
Comment on lines +16 to +17
- name: Checkout code
uses: actions/checkout@v4

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable credential persistence in checkout step

Line 17 uses actions/checkout with default credential persistence. That leaves the GitHub token in local git config for subsequent steps, which is unnecessary for this workflow and expands credential exposure risk.

Suggested fix
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
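Review bot: the added `with:` block is correct, but note what it changes for later steps: with `persist-credentials: false` the checkout step no longer writes the job token into `.git/config`, so any subsequent step that needs authenticated git access (a push, a private submodule fetch) would have to be given a token explicitly. None of this workflow's later steps (image build, kind load, `make deploy`, `kubectl wait`) needs one, which is why the suggestion is safe to apply as-is. The zizmor `unpinned-uses` finding on the same line 17 also rewrites the `uses:` line, so apply both in a single edit of the step rather than as two separate suggestions.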
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 16-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Source: Linters/SAST tools

Comment thread .github/workflows/deploy-test.yaml Outdated
Comment on lines +54 to +57
kubectl wait --for=condition=available --timeout=120s \
deployment/openshift-gitops-operator-controller-manager \
-n openshift-gitops-operator
kubectl get pods -n openshift-gitops-operator

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Controller verification targets the wrong Deployment/namespace

Lines 54–57 wait for deployment/openshift-gitops-operator-controller-manager in openshift-gitops-operator, but make deploy applies config/default, which resolves to the controller in argocd-operator-system (argocd-operator-controller-manager). This will make the CI check fail even when deploy succeeds.

Suggested fix
       - name: Verify Controller Manager deployment is available
         run: |
           kubectl wait --for=condition=available --timeout=120s \
-            deployment/openshift-gitops-operator-controller-manager \
-            -n openshift-gitops-operator
-          kubectl get pods -n openshift-gitops-operator
+            deployment/argocd-operator-controller-manager \
+            -n argocd-operator-system
+          kubectl get pods -n argocd-operator-system
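Review bot: the rename fixes the target, but the step still aborts at `kubectl wait` on a timeout, and because `run:` steps execute under `bash -e` by default the `kubectl get pods -n argocd-operator-system` line is never reached in exactly the case where it would help. Either list the pods before the wait, or move the listing (plus `kubectl describe deployment/argocd-operator-controller-manager -n argocd-operator-system`) into a separate step guarded with `if: failure()` so a failed rollout leaves diagnostics in the job log. Also consider deriving the deployment name and namespace from the manifests that `make deploy` renders from config/default instead of hard-coding them; this mismatch is exactly the kind of drift a hard-coded check will not catch.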
Source: Linked repositories

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (2)
.github/workflows/deploy-test.yaml (2)

17-17: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin all GitHub Actions to immutable SHAs.

Lines 17, 20, and 25 use floating tags (@v4, @v5, @v1), which weakens supply-chain integrity under strict CI policy.

Suggested pattern
-        uses: actions/checkout@v4
+        uses: actions/checkout@<full-commit-sha>

-        uses: actions/setup-go@v5
+        uses: actions/setup-go@<full-commit-sha>

-        uses: helm/kind-action@v1
+        uses: helm/kind-action@<full-commit-sha>
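Review bot: `<full-commit-sha>` has to be the full 40-character SHA that the release tag points at, not a short SHA, and the human-readable version should survive as a trailing comment (`uses: actions/checkout@<full-commit-sha> # v4`) so Dependabot or Renovate can still bump the pin and reviewers can tell which release it is. Pinning only the three lines named here is not enough if line 40 (flagged in the first review summary) also uses a floating tag; re-run the check over the whole file after the change.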
#!/bin/bash
# Verify unpinned GitHub Action refs in workflow files (expects matches for floating tags).
# Reports every `uses:` whose ref after '@' is not a full 40-hex commit SHA, so a
# three-part tag (@v4.1.0) or a branch ref (@main) is caught as well as @v4.
rg -nP '^\s*-?\s*uses:\s*[^@\s]+@(?![0-9a-f]{40}(\s|$))\S+' .github/workflows

Also applies to: 20-20, 25-25

Source: Linters/SAST tools


16-17: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Disable checkout credential persistence.

Line 17 uses default token persistence in actions/checkout, which is unnecessary for this workflow and broadens token exposure across subsequent steps.

Suggested patch
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
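Review bot: this is the same two-line change suggested on the first review pass for lines 16-17, and it edits the same `uses:` line that the SHA-pinning suggestion above rewrites; resolve the two findings in one edit to the checkout step, because applying the suggestions one after the other leaves the second one unable to apply cleanly.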
Source: Linters/SAST tools

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 8c590d01-a18c-43d1-842a-c520e43b8b13

📥 Commits

Reviewing files that changed from the base of the PR and between 7a41a6d and 67df3df.

📒 Files selected for processing (1)
  • .github/workflows/deploy-test.yaml
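The two findings repeated above (floating action refs and default checkout credential persistence) can be enforced before a workflow is ever pushed. The script below is an added example, not code from the gitops-operator repository or from CodeRabbit; the function names are mine, it assumes only grep and awk, and the two workflow fragments it checks are constructed for the demonstration (the 40-zero SHA is a placeholder, not a real commit).

```shell
#!/usr/bin/env bash
# Added example, not code from gitops-operator or CodeRabbit: a pre-push check for the
# two findings raised above. It flags (1) any `uses:` whose ref after '@' is not a
# full 40-hex commit SHA and (2) any actions/checkout step that does not set
# `persist-credentials: false` before the next step begins. Needs only grep and awk.

# report_unpinned FILE: print unpinned `uses:` lines; return 0 if none, 1 otherwise.
report_unpinned() {
  hits=$(grep -nE 'uses:[[:space:]]*[^@[:space:]]+@' "$1" \
           | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | sed "s|^|$1: unpinned action ref at line |"
  return 1
}

# report_checkout_creds FILE: print checkout steps that keep the default credential
# persistence; return 0 if every checkout step is clean, 1 otherwise.
report_checkout_creds() {
  awk -v file="$1" '
    # close the current checkout step, reporting it if it never disabled persistence
    function flush() {
      if (inco && !ok) {
        printf "%s: line %d: actions/checkout without persist-credentials: false\n", file, at
        bad++
      }
      inco = 0; ok = 0
    }
    /^[ \t]*-[ \t]*(name|uses|run):/ { flush() }   # a new list item starts a new step
    /uses:[ \t]*actions\/checkout@/ { inco = 1; ok = 0; at = NR }
    inco && /persist-credentials:[ \t]*false/ { ok = 1 }
    END { flush(); exit (bad > 0) }
  ' "$1"
}

# check_workflow FILE: run both checks; return 0 only when both pass.
check_workflow() {
  status=0
  report_unpinned "$1" || status=1
  report_checkout_creds "$1" || status=1
  return "$status"
}

# make_sample DIR: write two constructed workflow fragments (not the PR's real file).
# The 40-zero SHA is a placeholder standing in for a real pinned commit.
make_sample() {
  cat > "$1/before.yaml" <<'EOF'
jobs:
  deploy:
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - uses: actions/setup-go@v5
EOF
  cat > "$1/after.yaml" <<'EOF'
jobs:
  deploy:
    steps:
      - name: Checkout code
        uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # v5 (placeholder SHA)
EOF
}

# Demo: before.yaml reproduces both findings, after.yaml passes.
tmp=$(mktemp -d)
make_sample "$tmp"
for f in "$tmp/before.yaml" "$tmp/after.yaml"; do
  if check_workflow "$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
```

Run it as `check_workflow .github/workflows/deploy-test.yaml` from a pre-push hook or an early CI step; a non-zero exit blocks the push. The checkout check deliberately scopes `persist-credentials` to the step it belongs to (up to the next `- name:`/`- uses:`/`- run:` item), so a `false` set on some other step does not mask an unprotected checkout.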

assisted-by: ClaudeCode
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
assisted-by: ClaudeCode
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1


Inline comments:
In `@config/default/manager_webhook_patch.yaml`:
- Around line 21-24: The webhook patch update in manager_webhook_patch.yaml is
not covered by deploy-test because the workflow disables that patch before
deployment. Update the deploy-test path in .github/workflows/deploy-test.yaml so
this manifest change is exercised, either by keeping the webhook patch enabled
in a dedicated kind-only flow or by adding a separate job that deploys with
webhooks enabled. Use the existing manager_webhook_patch.yaml and deploy-test
workflow symbols to locate the affected paths.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 8445f928-3853-47c6-bca1-c7735b2fcb75

📥 Commits

Reviewing files that changed from the base of the PR and between 68aebc9 and 5413f4d.

📒 Files selected for processing (2)
  • .github/workflows/deploy-test.yaml
  • config/default/manager_webhook_patch.yaml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • argoproj-labs/argocd-operator (manual)

Comment on lines 21 to +24
secret:
defaultMode: 420
secretName: webhook-server-cert
optional: true
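Review bot: `optional: true` changes the failure mode, not only the readiness: when the secret is absent the kubelet now starts the container with an empty directory at the cert mount instead of holding the pod in ContainerCreating, so if the webhook server is ever enabled while nothing provisions webhook-server-cert it fails at runtime when it tries to load the certificate rather than at pod creation. That is acceptable for the kind run, where the workflow comments the webhook patch out, but record the assumption next to the field with a short comment and make sure the non-kind deployment path still fails loudly. The two Checkov findings reported on lines 1-24 concern the container securityContext (allowPrivilegeEscalation, non-root), not the secret volume touched here.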

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== deploy-test workflow disables the webhook patch =="
sed -n '25,40p' .github/workflows/deploy-test.yaml | nl -ba

echo
echo "== default kustomization still includes the webhook patch =="
sed -n '35,45p' config/default/kustomization.yaml | nl -ba

echo
echo "== changed patch content =="
sed -n '15,30p' config/default/manager_webhook_patch.yaml | nl -ba

Repository: redhat-developer/gitops-operator

Length of output: 264


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== deploy-test workflow =="
sed -n '1,120p' .github/workflows/deploy-test.yaml | cat -n

echo
echo "== default kustomization =="
sed -n '1,120p' config/default/kustomization.yaml | cat -n

echo
echo "== manager_webhook_patch =="
sed -n '1,80p' config/default/manager_webhook_patch.yaml | cat -n

Repository: redhat-developer/gitops-operator

Length of output: 6356


Cover the webhook patch change in deploy-test

config/default/manager_webhook_patch.yaml:21-24 is only exercised when manager_webhook_patch.yaml stays enabled, but .github/workflows/deploy-test.yaml comments that patch out before make deploy. Either move this change behind the same kind-only path or add a workflow job that deploys with webhooks enabled so this manifest change doesn't drift untested.

🧰 Tools
🪛 Checkov (3.3.1)

[medium] 1-24: Containers should not run with allowPrivilegeEscalation

(CKV_K8S_20)


[medium] 1-24: Minimize the admission of root containers

(CKV_K8S_23)
