Merge branch 'master' into usr/akhil/GITOPS-9256

Author: akhilnittala

controllers/argocd/openshift/openshift.go

@@ -63,8 +63,7 @@ func ReconcilerHook(cr *argoapp.ArgoCD, v interface{}, hint string) error {
 		case cr.Name + "-repo-server":
 
 			prodImage := o.Spec.Template.Spec.Containers[0].Image
-			usingReleasedImages := strings.Contains(prodImage, "registry.redhat.io/openshift-gitops-1/argocd-rhel")
-			if cr.Spec.Repo.SystemCATrust != nil && usingReleasedImages {
+			if cr.Spec.Repo.SystemCATrust != nil {
 				updateSystemCATrustBuilding(cr, o, prodImage, logv)
 			}
 		}
@@ -154,7 +153,8 @@ done
 echo "User defined trusted CA files:"
 ls /etc/pki/ca-trust/source/anchors/
 
-update-ca-trust
+# Specifying the explicit location to turn on the container-aware behavior
+update-ca-trust extract --output /etc/pki/ca-trust/extracted
 
 echo "Trusted anchors:"
 trust list

go.mod

@@ -11,6 +11,7 @@ require (
 	github.com/go-logr/logr v1.4.3
 	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.1-0.20241114170450-2d3c2a9cc518
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
 	github.com/hashicorp/go-version v1.7.0
 	github.com/onsi/ginkgo/v2 v2.28.1
 	github.com/onsi/gomega v1.39.1
@@ -101,7 +102,6 @@ require (
 	github.com/google/go-github/v75 v75.0.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 // indirect
-	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect

test/openshift/e2e/ginkgo/fixture/argocdclient/fixture.go

@@ -0,0 +1,199 @@
+/*
+Copyright 2026.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package argocdclient
+
+import (
+	"crypto/tls"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/gorilla/websocket"
+)
+
+// TerminalClient represents a test client for terminal WebSocket connections.
+type TerminalClient struct {
+	wsConn   *websocket.Conn
+	mu       sync.Mutex
+	closed   bool
+	output   strings.Builder
+	outputMu sync.Mutex
+}
+
+// ExecTerminal opens a terminal session to a pod via WebSocket.
+// This replicates the behavior of the ArgoCD UI when a user opens a terminal session to an application.
+// ArgoCD decides which shell to use based on the configured allowed shells.
+func ExecTerminal(endpoint, token string, app *v1alpha1.Application, namespace, podName, container string) (*TerminalClient, error) {
+	u := &url.URL{
+		Scheme: "wss",
+		Host:   endpoint,
+		Path:   "/terminal",
+	}
+
+	q := u.Query()
+	q.Set("pod", podName)
+	q.Set("container", container)
+	q.Set("appName", app.Name)
+	q.Set("appNamespace", app.Namespace)
+	q.Set("projectName", app.Spec.Project)
+	q.Set("namespace", namespace)
+	u.RawQuery = q.Encode()
+
+	dialer := websocket.Dialer{
+		TLSClientConfig: &tls.Config{
+			InsecureSkipVerify: true, // #nosec G402
+		},
+	}
+
+	headers := http.Header{}
+	headers.Set("Cookie", fmt.Sprintf("argocd.token=%s", token))
+
+	wsConn, resp, err := dialer.Dial(u.String(), headers)
+	if err != nil {
+		if resp != nil {
+			defer resp.Body.Close()
+			body, _ := io.ReadAll(resp.Body)
+			return nil, fmt.Errorf("failed to connect to terminal WebSocket: %w (status: %d, body: %s)", err, resp.StatusCode, string(body))
+		}
+		return nil, fmt.Errorf("failed to connect to terminal WebSocket: %w", err)
+	}
+
+	session := &TerminalClient{
+		wsConn: wsConn,
+	}
+
+	go session.readOutput()
+
+	return session, nil
+}
+
+// terminalMessage is the JSON message format used by ArgoCD terminal WebSocket
+type terminalMessage struct {
+	Operation string `json:"operation"`
+	Data      string `json:"data"`
+	Rows      uint16 `json:"rows"`
+	Cols      uint16 `json:"cols"`
+}
+
+// readOutput continuously reads output from the WebSocket connection
+func (s *TerminalClient) readOutput() {
+	for {
+		_, message, err := s.wsConn.ReadMessage()
+		if err != nil {
+			// Connection closed or error
+			return
+		}
+
+		if len(message) < 1 {
+			continue
+		}
+
+		// Parse JSON message
+		var msg terminalMessage
+		if err := json.Unmarshal(message, &msg); err != nil {
+			continue
+		}
+
+		switch msg.Operation {
+		case "stdout":
+			s.outputMu.Lock()
+			s.output.WriteString(msg.Data)
+			s.outputMu.Unlock()
+		}
+	}
+}
+
+// SendInput sends input to the terminal session
+func (s *TerminalClient) SendInput(input string) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.closed {
+		return errors.New("session is closed")
+	}
+
+	// ArgoCD terminal uses JSON messages (includes rows/cols like the UI)
+	msg, err := json.Marshal(terminalMessage{
+		Operation: "stdin",
+		Data:      input,
+		Rows:      24,
+		Cols:      80,
+	})
+	if err != nil {
+		return err
+	}
+	return s.wsConn.WriteMessage(websocket.TextMessage, msg)
+}
+
+// SendResize sends a terminal resize message
+func (s *TerminalClient) SendResize(cols, rows uint16) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.closed {
+		return errors.New("session is closed")
+	}
+
+	// ArgoCD terminal uses JSON messages
+	msg, err := json.Marshal(terminalMessage{
+		Operation: "resize",
+		Cols:      cols,
+		Rows:      rows,
+	})
+	if err != nil {
+		return err
+	}
+	return s.wsConn.WriteMessage(websocket.TextMessage, msg)
+}
+
+// GetOutput returns all captured output so far
+func (s *TerminalClient) GetOutput() string {
+	s.outputMu.Lock()
+	defer s.outputMu.Unlock()
+	return s.output.String()
+}
+
+// WaitForOutput waits until the output contains the expected string or timeout
+func (s *TerminalClient) WaitForOutput(expected string, timeout time.Duration) bool {
+	deadline := time.Now().Add(timeout)
+	for time.Now().Before(deadline) {
+		if strings.Contains(s.GetOutput(), expected) {
+			return true
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+	return false
+}
+
+// Close closes the terminal session
+func (s *TerminalClient) Close() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if s.closed {
+		return nil
+	}
+	s.closed = true
+	return s.wsConn.Close()
+}

test/openshift/e2e/ginkgo/fixture/clusterserviceversion/fixture.go

@@ -2,6 +2,7 @@ package clusterserviceversion
 
 import (
 	"context"
+	"strings"
 
 	. "github.com/onsi/gomega"
 	olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
@@ -27,5 +28,16 @@ func Update(obj *olmv1alpha1.ClusterServiceVersion, modify func(*olmv1alpha1.Clu
 		return k8sClient.Update(context.Background(), obj)
 	})
 	Expect(err).ToNot(HaveOccurred())
+}
 
+func Get(ctx context.Context, k8sClient client.Client) *olmv1alpha1.ClusterServiceVersion {
+	var csvList olmv1alpha1.ClusterServiceVersionList
+	Expect(k8sClient.List(ctx, &csvList, client.InNamespace("openshift-gitops-operator"))).To(Succeed())
+	for idx := range csvList.Items {
+		idxCSV := csvList.Items[idx]
+		if strings.Contains(idxCSV.Name, "gitops-operator") {
+			return &idxCSV
+		}
+	}
+	return nil
 }

test/openshift/e2e/ginkgo/fixture/utils/fixtureUtils.go

@@ -3,6 +3,7 @@ package utils
 import (
 	"os"
 
+	certificatesv1beta1 "k8s.io/api/certificates/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
@@ -146,6 +147,10 @@ func getKubeClient(config *rest.Config) (client.Client, *runtime.Scheme, error)
 		return nil, nil, err
 	}
 
+	if err := certificatesv1beta1.AddToScheme(scheme); err != nil {
+		return nil, nil, err
+	}
+
 	k8sClient, err := client.New(config, client.Options{Scheme: scheme})
 	if err != nil {
 		return nil, nil, err

test/openshift/e2e/ginkgo/sequential/1-053_validate_argocd_agent_principal_connected_test.go

@@ -516,7 +516,7 @@ var _ = Describe("GitOps Operator Sequential E2E Tests", func() {
 		It("Should deploy ArgoCD principal and agent instances in both modes and verify they are working as expected", func() {
 
 			By("Deploy principal and verify it starts successfully")
-			deployPrincipal(ctx, k8sClient, registerCleanup)
+			deployPrincipal(ctx, k8sClient, registerCleanup, false)
 
 			By("Deploy managed agent and verify it starts successfully")
 			deployAgent(ctx, k8sClient, registerCleanup, argov1beta1api.AgentModeManaged)
@@ -609,7 +609,7 @@ var _ = Describe("GitOps Operator Sequential E2E Tests", func() {
 // This function deploys the principal ArgoCD instance and waits for it to be ready.
 // It creates the required secrets for the principal and verifies that the principal deployment is in Ready state.
 // It also verifies that the principal logs contain the expected messages.
-func deployPrincipal(ctx context.Context, k8sClient client.Client, registerCleanup func(func())) {
+func deployPrincipal(ctx context.Context, k8sClient client.Client, registerCleanup func(func()), enableServerRoute bool) {
 	GinkgoHelper()
 
 	nsPrincipal, cleanup := fixture.CreateNamespaceWithCleanupFunc(namespaceAgentPrincipal)
@@ -624,6 +624,12 @@ func deployPrincipal(ctx context.Context, k8sClient client.Client, registerClean
 		waitForLoadBalancer = false
 	}
 
+	if enableServerRoute {
+		argoCDInstance.Spec.Server.Route = argov1beta1api.ArgoCDRouteSpec{
+			Enabled: true,
+		}
+	}
+
 	Expect(k8sClient.Create(ctx, argoCDInstance)).To(Succeed())
 
 	By("Wait for principal service to be ready and use LoadBalancer hostname/IP when available")
@@ -678,7 +684,7 @@ func deployPrincipal(ctx context.Context, k8sClient client.Client, registerClean
 
 	Eventually(&appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{
 		Name:      deploymentNameAgentPrincipal,
-		Namespace: nsPrincipal.Name}}, "120s", "5s").Should(deploymentFixture.HaveReadyReplicas(1))
+		Namespace: nsPrincipal.Name}}, "240s", "5s").Should(deploymentFixture.HaveReadyReplicas(1))
 
 	By("Verify principal logs contain expected messages")