Feat: disable GitOps Service and default instance on xKS clusters

[anandrkskd]

What type of PR is this?
/kind enhancement

What does this PR do / why we need it:

The OpenShift GitOps Operator assumes an OpenShift cluster today: it registers the GitopsService controller, auto-creates a default Argo CD instance in openshift-gitops, and configures Dex/SSO against OpenShift authentication.
On xKS (non-OpenShift Kubernetes) clusters, those behaviors are not required and can cause failures.

This PR detects non-OpenShift clusters at startup by checking whether the config.openshift.io API is present (via existing InspectCluster() discovery). When it is not found, the operator:

1. Skips ReconcileGitopsService controller registration — this controller manages OpenShift-specific resources (default Argo CD instance, console plugin backend, RBAC, namespace setup, and related reconciliation) that do not apply on xKS.
2. Prevents default Argo CD instance provisioning — no openshift-gitops Argo CD CR is created on xKS.
3. Skips SSO/Dex in the default Argo CD CR template — getArgoSSOSpec() returns nil on non-OpenShift clusters, so Dex is not configured when NewCR() is used.
   On OpenShift clusters, behavior is unchanged. The existing DISABLE_DEFAULT_ARGOCD_INSTANCE environment variable continues to work as before.

Have you updated the necessary documentation?

• Documentation update is required by this PR.
• Documentation has been updated.

Which issue(s) this PR fixes:

Fixes https://redhat.atlassian.net/browse/GITOPS-9943

Test acceptance criteria:

• Unit Test
• E2E Test

How to test changes / Special notes to the reviewer:

On xKS (vanilla Kubernetes or cluster without config.openshift.io):

1. Install the operator.
2. Confirm operator logs contain: Non-OpenShift cluster detected, skipping GitopsService controller setup
3. Confirm no Argo CD CR named openshift-gitops is created in openshift-gitops.
4. Confirm the GitopsService controller is not running (no reconciliation of console plugin backend resources).

On OpenShift:

1. Install the operator without DISABLE_DEFAULT_ARGOCD_INSTANCE.
2. Confirm default Argo CD instance is still created in openshift-gitops.
3. Confirm GitopsService controller runs and console plugin resources are reconciled as before.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ecfe18ca-fca1-4c8d-bf0e-e8d96150d7bd

📥 Commits

Reviewing files that changed from the base of the PR and between aecf34c and c749948.

📒 Files selected for processing (4)

• cmd/main.go
• controllers/argocd/argocd.go
• controllers/argocd/argocd_test.go
• controllers/util/util.go

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• argoproj-labs/argocd-operator (manual)

🚧 Files skipped from review as they are similar to previous changes (4)

• cmd/main.go
• controllers/argocd/argocd.go
• controllers/util/util.go
• controllers/argocd/argocd_test.go

---

📝 Walkthrough

Summary by CodeRabbit

• Bug Fixes
  • Improved handling of non-OpenShift cluster environments by conditionally disabling GitOps controller registration and skipping SSO/Dex configuration when the OpenShift API is unavailable.
  • Enhanced external authentication detection to avoid Dex/SSO setup when external authentication is enabled.
• Tests
  • Added coverage to verify SSO is not configured on non-OpenShift clusters.

Walkthrough

Adds an exported OpenShift detection helper and uses it to: (1) skip registering the ReconcileGitopsService controller on non-OpenShift clusters, and (2) skip ArgoCD SSO/Dex configuration when the cluster is not OpenShift or external auth is enabled. Tests updated to assert both paths.

Changes

OpenShift gating and controller/SSO behavior

Layer / File(s)	Summary
Cluster inspection helpers controllers/util/util.go	Adds exported IsOpenShiftCluster() helper delegating to IsConfigAPIFound(), and expands GoDoc for cluster API detection functions.
ArgoCD SSO gating in controller controllers/argocd/argocd.go	Imports util package, adds package logger, and updates getArgoSSOSpec to return nil (and log) when not OpenShift or when external authentication is enabled.
Tests for OpenShift vs non-OpenShift behavior controllers/argocd/argocd_test.go	Imports controllers/util, sets SetConfigAPIFound(true) in existing tests, and adds TestSSOSkippedOnNonOpenShift asserting Spec.SSO == nil when not OpenShift.
Controller wiring gated by OpenShift detection cmd/main.go	Adds clarifying comment and conditions ReconcileGitopsService SetupWithManager on util.IsOpenShiftCluster(); logs and skips setup when false.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: disabling GitOps Service and default instance on non-OpenShift Kubernetes clusters, which aligns with the PR's primary objective.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, providing detailed context about why the changes are needed, what changes are made, and how to test them.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[anandrkskd]

/retest

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

controllers/argocd/argocd.go (1)

101-103: 💤 Low value

Consider passing context through instead of using context.TODO().

Using context.TODO() is not ideal for production code. Consider adding a context.Context parameter to getArgoSSOSpec and passing it through from the caller.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/argocd/argocd.go` around lines 101 - 103, The code uses
context.TODO() when calling
argoappController.IsExternalAuthenticationEnabledOnCluster; update
getArgoSSOSpec to accept a context.Context parameter, replace context.TODO()
with that ctx when calling IsExternalAuthenticationEnabledOnCluster, and
propagate the new ctx through any callers of getArgoSSOSpec (update signatures
and call sites accordingly); ensure any helper functions called within
getArgoSSOSpec that currently use context.TODO() also accept/receive the
propagated ctx.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@controllers/argocd/argocd_test.go`:
- Around line 234-249: The test TestSSOSkippedOnNonOpenShift sets
util.SetConfigAPIFound(false) but defers util.SetConfigAPIFound(true), which
mismatches the actual default (false) in util.go and other tests (TestArgoCD,
TestDexConfiguration); change the deferred call in TestSSOSkippedOnNonOpenShift
to util.SetConfigAPIFound(false) so the test restores the real default and
avoids cross-test pollution.

---

Nitpick comments:
In `@controllers/argocd/argocd.go`:
- Around line 101-103: The code uses context.TODO() when calling
argoappController.IsExternalAuthenticationEnabledOnCluster; update
getArgoSSOSpec to accept a context.Context parameter, replace context.TODO()
with that ctx when calling IsExternalAuthenticationEnabledOnCluster, and
propagate the new ctx through any callers of getArgoSSOSpec (update signatures
and call sites accordingly); ensure any helper functions called within
getArgoSSOSpec that currently use context.TODO() also accept/receive the
propagated ctx.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 77aecd47-2f3f-4e6b-8c85-f460ea8fbb30

📥 Commits

Reviewing files that changed from the base of the PR and between 9aafd89 and 00b53d8.

📒 Files selected for processing (4)

• cmd/main.go
• controllers/argocd/argocd.go
• controllers/argocd/argocd_test.go
• controllers/util/util.go

[anandrkskd]

/retest

[anandrkskd]

/retest

[svghadi]

/lgtm

Just had one question regarding console-plugin and backend. They are controlled by gitopsservice controller. Is it expected that even these components shouldn't run on xks env?

[anandrkskd]

Console plugin and gitops-backend are OpenShift specific, and are not required to run on non-OpenShift/xKS platforms. Disabling GitOps Service should take care of this.

[anandf]

Posted few nitpick comments. otherwise looks good to me.

[openshift-ci]

New changes are detected. LGTM label has been removed.

[anandf]

LGTM

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[anandrkskd]

/retest