
Feat: disable GitOps Service and default instance on xKS clusters #1172

Open
anandrkskd wants to merge 4 commits into redhat-developer:master from anandrkskd:disable-default-instance-on-xks

Conversation

anandrkskd (Contributor) commented Jun 9, 2026

What type of PR is this?
/kind enhancement

What does this PR do / why we need it:

The OpenShift GitOps Operator assumes an OpenShift cluster today: it registers the GitopsService controller, auto-creates a default Argo CD instance in openshift-gitops, and configures Dex/SSO against OpenShift authentication.
On xKS (non-OpenShift Kubernetes) clusters, those behaviors are not required and can cause failures.

This PR detects non-OpenShift clusters at startup by checking whether the config.openshift.io API is present (via existing InspectCluster() discovery). When it is not found, the operator:

  1. Skips ReconcileGitopsService controller registration — this controller manages OpenShift-specific resources (default Argo CD instance, console plugin backend, RBAC, namespace setup, and related reconciliation) that do not apply on xKS.
  2. Prevents default Argo CD instance provisioning — no openshift-gitops Argo CD CR is created on xKS.
  3. Skips SSO/Dex in the default Argo CD CR template: getArgoSSOSpec() returns nil on non-OpenShift clusters, so Dex is not configured when NewCR() is used.

On OpenShift clusters, behavior is unchanged. The existing DISABLE_DEFAULT_ARGOCD_INSTANCE environment variable continues to work as before.

Have you updated the necessary documentation?

  • Documentation update is required by this PR.
  • Documentation has been updated.

Which issue(s) this PR fixes:

Fixes https://redhat.atlassian.net/browse/GITOPS-9943

Test acceptance criteria:

  • Unit Test
  • E2E Test

How to test changes / Special notes to the reviewer:

On xKS (vanilla Kubernetes or cluster without config.openshift.io):

  1. Install the operator.
  2. Confirm operator logs contain: Non-OpenShift cluster detected, skipping GitopsService controller setup
  3. Confirm no Argo CD CR named openshift-gitops is created in openshift-gitops.
  4. Confirm the GitopsService controller is not running (no reconciliation of console plugin backend resources).

On OpenShift:

  1. Install the operator without DISABLE_DEFAULT_ARGOCD_INSTANCE.
  2. Confirm default Argo CD instance is still created in openshift-gitops.
  3. Confirm GitopsService controller runs and console plugin resources are reconciled as before.
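
The gating described above, as an added Go example (not code from this PR or the operator). `groupLister`, `startupPlan` and `planStartup` are hypothetical names, the discovery results are constructed, and passing DISABLE_DEFAULT_ARGOCD_INSTANCE in as a boolean is an assumption. It goes one step beyond the description by returning a discovery error to the caller rather than reading it as "API absent", since that reading would start an OpenShift cluster without its SSO configuration.

```go
package main

import (
	"errors"
	"fmt"
)

// openShiftConfigGroup is the API group the PR uses as the OpenShift signal.
const openShiftConfigGroup = "config.openshift.io"

// groupLister is a hypothetical stand-in for API discovery (not InspectCluster).
type groupLister func() ([]string, error)

// startupPlan records which OpenShift-only behaviours would be enabled.
type startupPlan struct {
	RegisterGitopsService bool
	CreateDefaultInstance bool
	ConfigureDexSSO       bool
}

// planStartup derives the three gates from the discovered API groups.
// disableDefaultInstance models DISABLE_DEFAULT_ARGOCD_INSTANCE (assumed boolean).
// A discovery error is returned, never treated as "group absent".
func planStartup(list groupLister, disableDefaultInstance bool) (startupPlan, error) {
	groups, err := list()
	if err != nil {
		return startupPlan{}, fmt.Errorf("discovery failed, platform unknown: %w", err)
	}
	isOpenShift := false
	for _, g := range groups {
		isOpenShift = isOpenShift || g == openShiftConfigGroup
	}
	return startupPlan{
		RegisterGitopsService: isOpenShift,
		CreateDefaultInstance: isOpenShift && !disableDefaultInstance,
		ConfigureDexSSO:       isOpenShift,
	}, nil
}

func main() {
	// Constructed sample discovery results, not captured from a real cluster.
	xks := func() ([]string, error) { return []string{"apps", "batch", "argoproj.io"}, nil }
	ocp := func() ([]string, error) { return []string{"apps", "config.openshift.io"}, nil }
	down := func() ([]string, error) { return nil, errors.New("connection refused") }
	for name, l := range map[string]groupLister{"xKS": xks, "OpenShift": ocp, "unreachable": down} {
		plan, err := planStartup(l, false)
		fmt.Printf("%-12s plan=%+v err=%v\n", name, plan, err)
	}
}
```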

@openshift-ci openshift-ci Bot added the kind/enhancement New feature or request label Jun 9, 2026
coderabbitai Bot commented Jun 9, 2026

📝 Walkthrough

Adds an exported OpenShift detection helper and uses it to: (1) skip registering the ReconcileGitopsService controller on non-OpenShift clusters, and (2) skip ArgoCD SSO/Dex configuration when the cluster is not OpenShift or external auth is enabled. Tests updated to assert both paths.

Changes

OpenShift gating and controller/SSO behavior

| Layer / File(s) | Summary |
| --- | --- |
| Cluster inspection helpers: controllers/util/util.go | Adds exported IsConfigAPIFound() and IsOpenShiftCluster() helpers for detecting the OpenShift Config API. |
| ArgoCD SSO gating in controller: controllers/argocd/argocd.go | Adds package logger and changes getArgoSSOSpec to return nil (and log) when not OpenShift or when external authentication is enabled; otherwise returns Dex-enabled ArgoCDSSOSpec. |
| Tests for OpenShift vs non-OpenShift behavior: controllers/argocd/argocd_test.go | Imports controllers/util, forces SetConfigAPIFound(true/false) in tests, and adds TestSSOSkippedOnNonOpenShift asserting Spec.SSO == nil when not OpenShift. |
| Controller wiring gated by OpenShift detection: cmd/main.go | Adds comment and conditions ReconcileGitopsService SetupWithManager on util.IsOpenShiftCluster(); logs and skips setup when false. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 30.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description check | ✅ Passed | The description is comprehensive and directly related to the changeset, explaining why the changes are needed, what they do, and how to test them on both xKS and OpenShift clusters. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title directly and clearly describes the main change: disabling GitOps Service and default instance detection on non-OpenShift (xKS) clusters, which is the core objective of the PR. |


@openshift-ci openshift-ci Bot requested review from chetan-rns and keithchong June 9, 2026 11:35
openshift-ci Bot commented Jun 9, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign trdoyle81 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@anandrkskd anandrkskd marked this pull request as draft June 9, 2026 13:21
@anandrkskd

Contributor Author

/retest

Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
…shift.io API doesn't exist. Gate on config.openshift.io presence before configuring SSO.

assisted-by: claude-code
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
@anandrkskd anandrkskd force-pushed the disable-default-instance-on-xks branch from 9aafd89 to 2b77b2b Compare June 10, 2026 09:10
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
assisted-by: Cursor for code-review
Signed-off-by: Anand Kumar Singh <anandrkskd@gmail.com>
@anandrkskd anandrkskd changed the title disable default instance on xKS clusters disable GitOps Service and default instance on xKS clusters Jun 12, 2026
@anandrkskd anandrkskd marked this pull request as ready for review June 12, 2026 11:50
@openshift-ci openshift-ci Bot requested review from svghadi and trdoyle81 June 12, 2026 11:50
@anandrkskd anandrkskd changed the title disable GitOps Service and default instance on xKS clusters Feat: disable GitOps Service and default instance on xKS clusters Jun 12, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
controllers/argocd/argocd.go (1)

101-103: 💤 Low value

Consider passing context through instead of using context.TODO().

Using context.TODO() is not ideal for production code. Consider adding a context.Context parameter to getArgoSSOSpec and passing it through from the caller.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/argocd/argocd.go` around lines 101 - 103, The code uses
context.TODO() when calling
argoappController.IsExternalAuthenticationEnabledOnCluster; update
getArgoSSOSpec to accept a context.Context parameter, replace context.TODO()
with that ctx when calling IsExternalAuthenticationEnabledOnCluster, and
propagate the new ctx through any callers of getArgoSSOSpec (update signatures
and call sites accordingly); ensure any helper functions called within
getArgoSSOSpec that currently use context.TODO() also accept/receive the
propagated ctx.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 9aafd89 and 00b53d8.

📒 Files selected for processing (4)
  • cmd/main.go
  • controllers/argocd/argocd.go
  • controllers/argocd/argocd_test.go
  • controllers/util/util.go

Comment on lines +234 to +249
func TestSSOSkippedOnNonOpenShift(t *testing.T) {
util.SetConfigAPIFound(false)
defer util.SetConfigAPIFound(true)

scheme := runtime.NewScheme()
_ = argoapp.AddToScheme(scheme)
_ = configv1.AddToScheme(scheme)

fakeClient := fake.NewClientBuilder().
WithScheme(scheme).
Build()

testArgoCD, _ := NewCR("openshift-gitops", "openshift-gitops", fakeClient)

assert.Assert(t, testArgoCD.Spec.SSO == nil, "SSO should be nil on non-OpenShift clusters")
}
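
Review bot: `testArgoCD, _ := NewCR(...)` discards the error, so the assertion on the next line can pass for the wrong reason: if NewCR fails and hands back an empty CR, `testArgoCD.Spec.SSO == nil` still holds and the test reports success without the non-OpenShift branch ever being exercised. Assert that the error is nil before checking `Spec.SSO`, and do the same for the two `_ = ...AddToScheme(scheme)` calls so a failed scheme registration is reported where it happens.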


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Inconsistent test cleanup: defer should reset to default value.

The defer on line 236 sets configAPIFound to true, but the default value in util.go is false. This is inconsistent with the other tests (TestArgoCD and TestDexConfiguration) which defer to false. For consistency and to avoid potential test pollution, the defer should reset to the actual default value.

🧪 Proposed fix
 func TestSSOSkippedOnNonOpenShift(t *testing.T) {
 	util.SetConfigAPIFound(false)
-	defer util.SetConfigAPIFound(true)
+	defer util.SetConfigAPIFound(false)
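
Review bot: With the `+` line the test now sets the flag to `false` and defers setting it to `false` again, so the defer no longer restores anything; it only hard-codes what the default is assumed to be. Capture the value that was in place before `util.SetConfigAPIFound(false)` (the walkthrough lists an exported `IsConfigAPIFound()` in controllers/util/util.go) and restore that saved value in the defer or in `t.Cleanup`, so the test stays correct if the default changes or an earlier test left the flag set. Because this flag decides whether SSO/Dex is configured, leaked state between tests can hide a regression in that gate.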
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
func TestSSOSkippedOnNonOpenShift(t *testing.T) {
util.SetConfigAPIFound(false)
defer util.SetConfigAPIFound(true)
scheme := runtime.NewScheme()
_ = argoapp.AddToScheme(scheme)
_ = configv1.AddToScheme(scheme)
fakeClient := fake.NewClientBuilder().
WithScheme(scheme).
Build()
testArgoCD, _ := NewCR("openshift-gitops", "openshift-gitops", fakeClient)
assert.Assert(t, testArgoCD.Spec.SSO == nil, "SSO should be nil on non-OpenShift clusters")
}
func TestSSOSkippedOnNonOpenShift(t *testing.T) {
util.SetConfigAPIFound(false)
defer util.SetConfigAPIFound(false)
scheme := runtime.NewScheme()
_ = argoapp.AddToScheme(scheme)
_ = configv1.AddToScheme(scheme)
fakeClient := fake.NewClientBuilder().
WithScheme(scheme).
Build()
testArgoCD, _ := NewCR("openshift-gitops", "openshift-gitops", fakeClient)
assert.Assert(t, testArgoCD.Spec.SSO == nil, "SSO should be nil on non-OpenShift clusters")
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@controllers/argocd/argocd_test.go` around lines 234 - 249, The test
TestSSOSkippedOnNonOpenShift sets util.SetConfigAPIFound(false) but defers
util.SetConfigAPIFound(true), which mismatches the actual default (false) in
util.go and other tests (TestArgoCD, TestDexConfiguration); change the deferred
call in TestSSOSkippedOnNonOpenShift to util.SetConfigAPIFound(false) so the
test restores the real default and avoids cross-test pollution.

openshift-ci Bot commented Jun 12, 2026


@anandrkskd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/v4.14-ci-index-gitops-operator-bundle | 00b53d8 | link | true | /test v4.14-ci-index-gitops-operator-bundle |
| ci/prow/v4.14-kuttl-sequential | 00b53d8 | link | false | /test v4.14-kuttl-sequential |
| ci/prow/v4.14-images | 00b53d8 | link | true | /test v4.14-images |
| ci/prow/v4.14-kuttl-parallel | 00b53d8 | link | false | /test v4.14-kuttl-parallel |
| ci/prow/v4.14-e2e | 00b53d8 | link | false | /test v4.14-e2e |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
