diff --git a/controllers/argocd/role_test.go b/controllers/argocd/role_test.go index 111b45e74..5dc49cda2 100644 --- a/controllers/argocd/role_test.go +++ b/controllers/argocd/role_test.go @@ -172,8 +172,11 @@ func TestReconcileArgoCD_reconcileClusterRole_disabled(t *testing.T) { // Disable creation of default ClusterRole a.Spec.DefaultClusterScopedRoleDisabled = true + err := cl.Update(context.Background(), a) + assert.NoError(t, err) + // Reconcile ClusterRole - _, err := r.reconcileClusterRole(workloadIdentifier, expectedRules, a) + _, err = r.reconcileClusterRole(workloadIdentifier, expectedRules, a) assert.NoError(t, err) // Ensure default ClusterRole is not created @@ -184,6 +187,8 @@ func TestReconcileArgoCD_reconcileClusterRole_disabled(t *testing.T) { // Now enable creation of default ClusterRole a.Spec.DefaultClusterScopedRoleDisabled = false + err = cl.Update(context.Background(), a) + assert.NoError(t, err) // Again reconcile ClusterRole _, err = r.reconcileClusterRole(workloadIdentifier, expectedRules, a) @@ -194,6 +199,8 @@ func TestReconcileArgoCD_reconcileClusterRole_disabled(t *testing.T) { // Once again disable creation of default ClusterRole a.Spec.DefaultClusterScopedRoleDisabled = true + err = cl.Update(context.Background(), a) + assert.NoError(t, err) // Once again reconcile ClusterRole _, err = r.reconcileClusterRole(workloadIdentifier, expectedRules, a) diff --git a/controllers/argocd/rolebinding_test.go b/controllers/argocd/rolebinding_test.go index 0bc6da551..da6c1c132 100644 --- a/controllers/argocd/rolebinding_test.go +++ b/controllers/argocd/rolebinding_test.go 
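Review bot: The `assert.NoError(t, err)` that follows each added `cl.Update(context.Background(), a)` lets the test keep running when the update fails, so the later checks that the default ClusterRole is absent or present would run against a stored ArgoCD whose flag never changed. This test guards the operator against creating cluster-scoped RBAC when `DefaultClusterScopedRoleDisabled` is set, so a broken precondition should stop it at once: use `require.NoError(t, err)` after each update, assuming testify's `require` package is or can be imported in this file (the import block is not in the hunk). The same applies to all three hunks here and to the three hunks in rolebinding_test.go. The test function's body starts and ends outside these hunks.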
@@ -198,6 +198,8 @@ func TestReconcileArgoCD_reconcileClusterRoleBinding_disabled(t *testing.T) { // Disable creation of default ClusterRole, hence RoleBinding won't be created either. a.Spec.DefaultClusterScopedRoleDisabled = true + err := cl.Update(context.Background(), a) + assert.NoError(t, err) // Reconcile ClusterRoleBinding assert.NoError(t, r.reconcileClusterRoleBinding(workloadIdentifier, expectedClusterRole, a)) @@ -205,12 +207,14 @@ func TestReconcileArgoCD_reconcileClusterRoleBinding_disabled(t *testing.T) { // Ensure default ClusterRoleBinding is not created clusterRoleBinding := &rbacv1.ClusterRoleBinding{} expectedName := fmt.Sprintf("%s-%s-%s", a.Name, a.Namespace, workloadIdentifier) - err := r.Client.Get(context.TODO(), types.NamespacedName{Name: expectedName}, clusterRoleBinding) + err = r.Client.Get(context.TODO(), types.NamespacedName{Name: expectedName}, clusterRoleBinding) assert.Error(t, err) assert.ErrorContains(t, err, "not found") // Now enable creation of default ClusterRole, hence RoleBinding should be created aw well. a.Spec.DefaultClusterScopedRoleDisabled = false + err = cl.Update(context.Background(), a) + assert.NoError(t, err) // Again reconcile ClusterRoleBinding assert.NoError(t, r.reconcileClusterRoleBinding(workloadIdentifier, expectedClusterRole, a)) @@ -220,6 +224,8 @@ func TestReconcileArgoCD_reconcileClusterRoleBinding_disabled(t *testing.T) { // Once again disable creation of default ClusterRole a.Spec.DefaultClusterScopedRoleDisabled = true + err = cl.Update(context.Background(), a) + assert.NoError(t, err) // Once again reconcile ClusterRoleBinding assert.NoError(t, r.reconcileClusterRoleBinding(workloadIdentifier, expectedClusterRole, a)) diff --git a/docs/usage/custom_roles.md b/docs/usage/custom_roles.md index 4f1622967..102de533e 100644 --- a/docs/usage/custom_roles.md +++ b/docs/usage/custom_roles.md 
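Review bot: None of the added `cl.Update` calls says why the in-memory change to `a.Spec.DefaultClusterScopedRoleDisabled` also has to be written to the client, and the hunks do not show what reads the stored object. A one-line comment on the first call would do, for example `// Persist the flag change so the stored ArgoCD CR matches what is passed to the reconciler`. In the second hunk the new `cl.Update(context.Background(), a)` also sits next to `r.Client.Get(context.TODO(), ...)`; using one context constructor and one client handle throughout would read more consistently (`cl` and `r.Client` are presumably the same fake client). The test function continues outside the hunks.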
@@ -59,3 +59,5 @@ metadata: spec: defaultClusterScopedRoleDisabled: true ``` + +When `defaultClusterScopedRoleDisabled` is `true`, the default ClusterRole/ClusterRoleBindings for the Argo CD instance will not be created, and the administrative user is free to create and customize these independent of the operator. The field can later be set to `false`, to recreate these resources, if needed. \ No newline at end of file