Merge branch 'master' into usr/akhil/GITOPS-8591

akhilnittala · web-flow · commit 3868522ce691 · 2025-12-29T18:56:56.000+05:30
diff --git a/README.md b/README.md
@@ -12,22 +12,28 @@ An operator that gets you an Argo CD for cluster configuration out-of-the-box on
 apiVersion: operators.coreos.com/v1alpha1
 kind: CatalogSource
 metadata:
-  name: gitops-service-source
+  name: devel-gitops-service-source
   namespace: openshift-marketplace
 spec:
-  displayName: 'Gitops Service by Red Hat'
-  image: 'quay.io/<quay-username>/gitops-operator-index:v0.0.1'
-  publisher: 'Red Hat Developer'
+  displayName: "!!! GITOPS DEVEL !!!"
+  image: quay.io/<QUAY_USERNAME>/gitops-operator-catalog:v<VERSION>
+  publisher: "!!! GITOPS DEVEL !!!"
   sourceType: grpc
 ```
+(Remember to replace the placeholders)
 
-2. Go to the OperatorHub on OpenShift Webconsole and look for the "OpenShift GitOps" operator.
-
+- This only works _after_ you have built and pushed the bundle and the catalog (see below).
+- To verify the source is correctly configured, `oc y CatalogSource gitops-service-source -n openshift-marketplace | yq '.status.connectionState.lastObservedState'` should report `READY`.
+  - If not, consult `oc get events -n openshift-marketplace`.
 
+2. Go to the OperatorHub on OpenShift Webconsole and look for the "OpenShift GitOps" operator from `!!! GITOPS DEVEL !!!` source.
 
 ![a relative link](docs/assets/operatorhub-listing.png)
 
-3. Install the operator in the `openshift-gitops-operator` namespace using the defaults in the wizard, and optionally, select the checkbox to enable cluster monitoring on the namespace. Wait for it to show up in the list of "Installed Operators". If it doesn't install properly, you can check on its status in the "Installed Operators" tab in the `openshift-gitops-operator` namespace.
+3. Install the operator in the `openshift-gitops-operator` namespace using the defaults in the wizard, and optionally, select the checkbox to enable cluster monitoring on the namespace. 
+  Wait for it to show up in the list of "Installed Operators". 
+  If it doesn't install properly, you can check on its status in the "Installed Operators" tab in the `openshift-gitops-operator` namespace, or `oc get jobs -n openshift-marketplace`.
+  To rerun the operator install, make sure to remove the Subscription and the InstallPlan (if exists).
 
 ![a relative link](docs/assets/installed-operator.png)
 
@@ -74,14 +80,16 @@ Set the base image and version for building operator, bundle and index images.
 export IMAGE=quay.io/<quay-username>/gitops-operator VERSION=1.8.0
 ```
 
+Note quey.io will auto-create the repositories if they do not exist.
+Make sure to change their visibility to public in Quay UI, so OpenShift can access them.  
+
 1. Build and push the operator image.
 
 ```
 make docker-build docker-push
 ```
 
-
-2. Build and push the Bundle image ( operator + OLM manifests )
+2. Build and push the Bundle image (operator + OLM manifests)
 
 ```
 make bundle
@@ -90,12 +98,6 @@ make bundle-build bundle-push
 
 3. Build and push the Index image
 
-Install `opm` binary which is required to build index images
-
-```
-make opm
-```
-
 ```
 make catalog-build catalog-push
 ```
diff --git a/docs/Red_Hat-OpenShift_GitOps-Standard-RGB.svg b/docs/Red_Hat-OpenShift_GitOps-Standard-RGB.svg
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?><svg id="uuid-99a6b5df-7063-42c1-b1cc-89de381e04b9" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 38 38"><title>Red Hat OpenShift GitOps icon</title>
+<desc>Cloud</desc>
+<metadata><?xpacket begin="﻿" id="W5M0MpCehiHzreSzNTczkc9d"?>
+<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 8.0-c001 1.000000, 0000/00/00-00:00:00        ">
+   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+      <rdf:Description rdf:about=""
+            xmlns:xmp="http://ns.adobe.com/xap/1.0/"
+            xmlns:dc="http://purl.org/dc/elements/1.1/"
+            xmlns:cq="http://www.day.com/jcr/cq/1.0"
+            xmlns:tiff="http://ns.adobe.com/tiff/1.0/"
+            xmlns:xmpRights="http://ns.adobe.com/xap/1.0/rights/">
+         <xmp:rhcc-effective-on>2024-03-01T15:27:08.985Z</xmp:rhcc-effective-on>
+         <xmp:rhcc-metadata-complete-moderator>pending</xmp:rhcc-metadata-complete-moderator>
+         <xmp:rhcc-translation-id>TRA491e8f6d-86ca-4077-9996-b733892099df</xmp:rhcc-translation-id>
+         <xmp:brand-content-type>Icon</xmp:brand-content-type>
+         <xmp:CreateDate>2024-03-01T15:27:08.985Z</xmp:CreateDate>
+         <xmp:rhcc-aspect-ratio>square</xmp:rhcc-aspect-ratio>
+         <xmp:rhcc-effective-on-set-on-upload>true</xmp:rhcc-effective-on-set-on-upload>
+         <xmp:rhcc-metadata-complete-uploader>pending</xmp:rhcc-metadata-complete-uploader>
+         <xmp:rhcc-file-last-modified>2024-07-12T23:54:08.862Z</xmp:rhcc-file-last-modified>
+         <xmp:rhcc-audience>rhcc-audience:internal</xmp:rhcc-audience>
+         <xmp:rhcc-rights-restricted>no</xmp:rhcc-rights-restricted>
+         <xmp:brand-content-subtype>Technology icon</xmp:brand-content-subtype>
+         <xmp:rhcc-derivative-id>DER491e8f6d-86ca-4077-9996-b733892099df</xmp:rhcc-derivative-id>
+         <xmp:rhcc-uploaded-by>pmeilleu@redhat.com</xmp:rhcc-uploaded-by>
+         <xmp:brand-logo-color>Standard</xmp:brand-logo-color>
+         <xmp:rhcc-notify-portal-subscribers-on-change>yes</xmp:rhcc-notify-portal-subscribers-on-change>
+         <xmp:rhcc-product>
+            <rdf:Bag>
+               <rdf:li>rhcc-product:red-hat-openshift</rdf:li>
+               <rdf:li>rhcc-product:red-hat-developer-hub</rdf:li>
+            </rdf:Bag>
+         </xmp:rhcc-product>
+         <xmp:brand-subtype>
+            <rdf:Bag>
+               <rdf:li>Technology icon</rdf:li>
+            </rdf:Bag>
+         </xmp:brand-subtype>
+         <dc:format>image/svg+xml</dc:format>
+         <dc:modified>2024-05-10T00:23:47.853Z</dc:modified>
+         <dc:title>
+            <rdf:Alt>
+               <rdf:li xml:lang="x-default">Red Hat OpenShift GitOps icon</rdf:li>
+            </rdf:Alt>
+         </dc:title>
+         <dc:description>
+            <rdf:Alt>
+               <rdf:li xml:lang="x-default">Cloud</rdf:li>
+            </rdf:Alt>
+         </dc:description>
+         <cq:lastReplicationAction_scene7>Activate</cq:lastReplicationAction_scene7>
+         <cq:lastReplicationAction_publish>Activate</cq:lastReplicationAction_publish>
+         <cq:lastReplicated_publish>2024-10-02T19:52:48.931Z</cq:lastReplicated_publish>
+         <cq:lastReplicatedBy>workflow-process-service</cq:lastReplicatedBy>
+         <cq:lastReplicationAction>Activate</cq:lastReplicationAction>
+         <cq:lastReplicatedBy_publish>workflow-process-service</cq:lastReplicatedBy_publish>
+         <cq:isDelivered>false</cq:isDelivered>
+         <cq:lastReplicated>2024-10-02T19:52:48.931Z</cq:lastReplicated>
+         <cq:lastReplicatedBy_scene7>workflow-process-service</cq:lastReplicatedBy_scene7>
+         <cq:lastReplicated_scene7>2024-10-02T19:52:48.931Z</cq:lastReplicated_scene7>
+         <tiff:ImageLength>38</tiff:ImageLength>
+         <tiff:ImageWidth>38</tiff:ImageWidth>
+         <xmpRights:UsageTerms>
+            <rdf:Alt>
+               <rdf:li xml:lang="x-default">Use technology icons to represent Red Hat products and components. Do not remove the icon from the bounding shape.</rdf:li>
+            </rdf:Alt>
+         </xmpRights:UsageTerms>
+      </rdf:Description>
+   </rdf:RDF>
+</x:xmpmeta>
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                                                                                    
+                                     
+<?xpacket end="w"?></metadata>
+<defs><style>.uuid-fbc8a358-4ee4-4127-940b-377320af327d{fill:#ed0000;}.uuid-b3c6afe2-3de9-4e1e-99ff-06d4dd0cbc6a{fill:#fff;}.uuid-cfc1eb66-0f29-420b-bf33-e74b9246b104{fill:#e0e0e0;}</style></defs><path class="uuid-b3c6afe2-3de9-4e1e-99ff-06d4dd0cbc6a" d="m28.00001,37c4.97056,0,9-4.02944,9-9V10c0-4.97057-4.02944-9-9-9H10.00001C5.02945,1,1.00001,5.02943,1.00001,10v18c0,4.97056,4.02944,9,9,9h18Z"/><path class="uuid-cfc1eb66-0f29-420b-bf33-e74b9246b104" d="m28,2.25c4.27332,0,7.75,3.47662,7.75,7.75v18c0,4.27332-3.47668,7.75-7.75,7.75H10c-4.27332,0-7.75-3.47668-7.75-7.75V10c0-4.27338,3.47668-7.75,7.75-7.75h18m0-1.25H10C5.02942,1,1,5.02942,1,10v18c0,4.97058,4.02942,9,9,9h18c4.97058,0,9-4.02942,9-9V10c0-4.97058-4.02942-9-9-9h0Z"/><path class="uuid-fbc8a358-4ee4-4127-940b-377320af327d" d="m28,17.375c-.49658,0-.95654.14648-1.35303.38721l-1.40918-1.40918c.24072-.39648.38721-.85645.38721-1.35303,0-1.44727-1.17773-2.625-2.625-2.625s-2.625,1.17773-2.625,2.625c0,1.23083.85498,2.25928,2,2.5415v4.91699c-1.14502.28223-2,1.31067-2,2.5415,0,1.44727,1.17773,2.625,2.625,2.625s2.625-1.17773,2.625-2.625c0-1.23083-.85498-2.25928-2-2.5415v-4.91699c.26074-.06421.50427-.16797.72803-.30371l1.40918,1.40918c-.2406.39648-.38721.85645-.38721,1.35303,0,1.44727,1.17773,2.625,2.625,2.625s2.625-1.17773,2.625-2.625-1.17773-2.625-2.625-2.625Zm-6.375-2.375c0-.75781.61719-1.375,1.375-1.375s1.375.61719,1.375,1.375-.61719,1.375-1.375,1.375-1.375-.61719-1.375-1.375Zm2.75,10c0,.75781-.61719,1.375-1.375,1.375s-1.375-.61719-1.375-1.375.61719-1.375,1.375-1.375,1.375.61719,1.375,1.375Zm3.625-3.625c-.75781,0-1.375-.61719-1.375-1.375s.61719-1.375,1.375-1.375,1.375.61719,1.375,1.375-.61719,1.375-1.375,1.375Z"/><path d="m21.25,19.01172c-.30957-.13574-.60352-.30762-.87402-.51074-.27734-.20801-.66797-.15234-.875.12305-.20801.27637-.15234.66797.12305.875.34766.26172.72656.4834,1.12598.65723.08105.03613.16602.05273.25.05273.24023,0,.46973-.13965.57227-.375.13867-.31641-.00586-.68457-.32227-.82227Z"/><path d="m23,9.375c-3.10156,0-5.625,2.52344-5.625,5.625v6c0,1.38965-.6377,2.66504-1.75,3.5-.27637.20703-.33203.59961-.125.875.12305.16406.31055.25.5.25.13086,0,.2627-.04102.375-.125,1.42969-1.07324,2.25-2.71387,2.25-4.5v-6c0-2.41211,1.96289-4.375,4.375-4.375s4.375,1.96289,4.375,4.375c0,.2959-.0293.58984-.08691.87598-.06836.33789.15039.66797.48828.73633.33984.07227.66895-.14941.73633-.48828.07422-.36719.1123-.74512.1123-1.12402,0-3.10156-2.52344-5.625-5.625-5.625Z"/><path d="m12.47656,23.45801c-.24414-.24414-.64062-.24414-.88477,0-.24316.24414-.24316.64062,0,.88477l.9906.98999c-2.21399-.21387-3.9574-2.06372-3.9574-4.33276,0-2.41211,1.96289-4.375,4.375-4.375.95605,0,1.86328.30273,2.62402.87402.27832.20898.66895.15234.875-.12305.20801-.27637.15234-.66797-.12305-.875-.97949-.73633-2.14648-1.12598-3.37598-1.12598-3.10156,0-5.625,2.52344-5.625,5.625,0,2.91699,2.23242,5.32117,5.07812,5.59729l-.86133.86072c-.24316.24414-.24316.64062,0,.88477.12207.12207.28223.18262.44238.18262s.32031-.06055.44238-.18262l2-2c.24316-.24414.24316-.64062,0-.88477l-2-2Z"/></svg>
diff --git a/scripts/audit-namespace-roles/README.md b/scripts/audit-namespace-roles/README.md
@@ -0,0 +1,62 @@
+This script may be used to audit the namespace-scoped Roles/RoleBindings that are created by the GitOps operator's 'applications in any namespace/applicationsets in any namespace' features. 
+(The 'apps/applications in any namespace' features are not enabled by default. They are enabled via `ArgoCD` CR `.spec.sourceNamespaces` and `.spec.applicationSet.sourceNamespaces`.)
+
+This is a simple script that will look for Roles/RoleBindings across ALL namespaces that meet ALL of the following criteria:
+- A) The Role allows access to `argoproj.io/Application` resource
+- B) The Role has label `app.kubernetes.io/part-of: argocd`
+- C) The RoleBinding references a service-account in another namespace (cross-namespace access)
+
+This criteria ensures that the Role/RoleBinding was likely created by GitOps operator, and that an Argo CD instance on the cluster has (or had) access to that namespace.
+
+## Procedure:
+1) Ensure that `jq` and `oc` executables are installed and on path.
+2) Ensure that you are logged into cluster via `oc` or `kubectl` CLI.
+3) Execute `./audit-operator-roles.sh`
+4) Examine the output list of Roles/RoleBindings.
+
+For each Role/RoleBinding that is listed:
+- If a Role/RoleBinding is listed, that means another namespace on the cluster has access to the namespace containing the Role/RoleBinding
+- Verify that it is correct for the namespace containing the Role/RoleBinding to be accessed by the namespace listed in subject field of the RoleBinding.
+	- For example, it is correct if you need an Argo CD instance (installed in the namespace listed in subject field of the RoleBinding) to deploy to the namespace containing the RoleBinding.
+    - In contrast, it is likely not correct if there exist Roles/RoleBindings in namespaces that Argo CD is not explicitly deploying to.
+- If a Role/RoleBinding exists that is not required, delete them.
+	- NOTE: They will be recreated by the operator if there exists an `ArgoCD` CR that references the namespace via the `.spec.sourceNamespaces` or `.spec.applicationSet.sourceNamespaces`.
+	- If this is the case, first remove the namespace from these fields, then delete the Role/RoleBinding.
+	
+
+Example:
+
+In this example, the script indicates that the `my-argocd` namespace has access to the `app-ns` namespaces via multiple GitOps-operator-created Roles/RoleBindings:
+
+```
+=========================================================
+SEARCH CRITERIA (Must match ALL):
+  1. API/Resource: argoproj.io / applications
+  2. Label:        app.kubernetes.io/part-of=argocd
+  3. Scope:        Cross-namespace only
+=========================================================
+
+Scanning Cluster (this may take a moment)...
+
+Roles with cross-namespace access:
+  • Role: app-ns/example-my-argocd-applicationset
+  • Role: app-ns/example_app-ns
+
+Cross-namespace bindings detail:
+--------------------------------------------------
+BINDING:   app-ns / example-my-argocd-applicationset
+ROLE REF:  example-my-argocd-applicationset
+SUBJECTS (cross-namespace only):
+  • ServiceAccount: example-applicationset-controller (ns: my-argocd)
+
+• Namespace my-argocd has access to app-ns
+
+--------------------------------------------------
+BINDING:   app-ns / example_app-ns
+ROLE REF:  example_app-ns
+SUBJECTS (cross-namespace only):
+  • ServiceAccount: example-argocd-server (ns: my-argocd)
+  • ServiceAccount: example-argocd-application-controller (ns: my-argocd)
+
+• Namespace my-argocd has access to app-ns
+```
diff --git a/scripts/audit-namespace-roles/audit-operator-roles.sh b/scripts/audit-namespace-roles/audit-operator-roles.sh
