Add default resourceExclusions in ArgoCD Instance (#978)

Rizwana777 · svghadi · web-flow · commit dc9c12ce7569 · 2025-10-06T11:50:09.000Z
* Add default resourceExclusions in ArgoCD Instance

Signed-off-by: Rizwana777 &lt;rizwananaaz177@gmail.com&gt;

* Add unit/e2e tests for resourceExclusions

Signed-off-by: Rizwana777 &lt;rizwananaaz177@gmail.com&gt;

---------

Signed-off-by: Rizwana777 &lt;rizwananaaz177@gmail.com&gt;
Co-authored-by: Siddhesh Ghadi &lt;61187612+svghadi@users.noreply.github.com&gt;
diff --git a/bundle/manifests/gitops-operator.clusterserviceversion.yaml b/bundle/manifests/gitops-operator.clusterserviceversion.yaml
@@ -134,7 +134,7 @@ metadata:
                 }
               }
             },
-            "resourceExclusions": "- apiGroups:\n  - tekton.dev\n  clusters:\n  - '*'\n  kinds:\n  - TaskRun\n  - PipelineRun        \n",
+            "resourceExclusions": "- apiGroups:\n  - \"\"\n  - discovery.k8s.io\n  kinds:\n  - Endpoints\n  - EndpointSlice\n- apiGroups:\n  - apiregistration.k8s.io\n  kinds:\n  - APIService\n- apiGroups:\n  - coordination.k8s.io\n  kinds:\n  - Lease\n- apiGroups:\n  - authentication.k8s.io\n  - authorization.k8s.io\n  kinds:\n  - SelfSubjectReview\n  - TokenReview\n  - LocalSubjectAccessReview\n  - SelfSubjectAccessReview\n  - SelfSubjectRulesReview\n  - SubjectAccessReview\n- apiGroups:\n  - certificates.k8s.io\n  kinds:\n  - CertificateSigningRequest\n- apiGroups:\n  - cert-manager.io\n  kinds:\n  - CertificateRequest\n- apiGroups:\n  - cilium.io\n  kinds:\n  - CiliumIdentity\n  - CiliumEndpoint\n  - CiliumEndpointSlice\n- apiGroups:\n  - kyverno.io\n  - reports.kyverno.io\n  - wgpolicyk8s.io\n  kinds:\n  - PolicyReport\n  - ClusterPolicyReport\n  - EphemeralReport\n  - ClusterEphemeralReport\n  - AdmissionReport\n  - ClusterAdmissionReport\n  - BackgroundScanReport\n  - ClusterBackgroundScanReport\n  - UpdateRequest\n- apiGroups:\n  - tekton.dev\n  clusters:\n  - '*'\n  kinds:\n  - TaskRun\n  - PipelineRun\n",
             "server": {
               "resources": {
                 "limits": {
@@ -180,7 +180,7 @@ metadata:
     capabilities: Deep Insights
     console.openshift.io/plugins: '["gitops-plugin"]'
     containerImage: quay.io/redhat-developer/gitops-operator
-    createdAt: "2025-08-21T01:20:45Z"
+    createdAt: "2025-09-30T08:46:55Z"
     description: Enables teams to adopt GitOps principles for managing cluster configurations
       and application delivery across hybrid multi-cluster Kubernetes environments.
     features.operators.openshift.io/disconnected: "true"
diff --git a/config/samples/argoproj.io_v1alpha1_argocd.yaml b/config/samples/argoproj.io_v1alpha1_argocd.yaml
@@ -55,6 +55,58 @@ spec:
         cpu: 250m
         memory: 128Mi
   resourceExclusions: |
+    - apiGroups:
+      - ""
+      - discovery.k8s.io
+      kinds:
+      - Endpoints
+      - EndpointSlice
+    - apiGroups:
+      - apiregistration.k8s.io
+      kinds:
+      - APIService
+    - apiGroups:
+      - coordination.k8s.io
+      kinds:
+      - Lease
+    - apiGroups:
+      - authentication.k8s.io
+      - authorization.k8s.io
+      kinds:
+      - SelfSubjectReview
+      - TokenReview
+      - LocalSubjectAccessReview
+      - SelfSubjectAccessReview
+      - SelfSubjectRulesReview
+      - SubjectAccessReview
+    - apiGroups:
+      - certificates.k8s.io
+      kinds:
+      - CertificateSigningRequest
+    - apiGroups:
+      - cert-manager.io
+      kinds:
+      - CertificateRequest
+    - apiGroups:
+      - cilium.io
+      kinds:
+      - CiliumIdentity
+      - CiliumEndpoint
+      - CiliumEndpointSlice
+    - apiGroups:
+      - kyverno.io
+      - reports.kyverno.io
+      - wgpolicyk8s.io
+      kinds:
+      - PolicyReport
+      - ClusterPolicyReport
+      - EphemeralReport
+      - ClusterEphemeralReport
+      - AdmissionReport
+      - ClusterAdmissionReport
+      - BackgroundScanReport
+      - ClusterBackgroundScanReport
+      - UpdateRequest
     - apiGroups:
       - tekton.dev
       clusters:
diff --git a/config/samples/argoproj.io_v1beta1_argocd.yaml b/config/samples/argoproj.io_v1beta1_argocd.yaml
@@ -55,13 +55,65 @@ spec:
         cpu: 250m
         memory: 128Mi
   resourceExclusions: |
+    - apiGroups:
+      - ""
+      - discovery.k8s.io
+      kinds:
+      - Endpoints
+      - EndpointSlice
+    - apiGroups:
+      - apiregistration.k8s.io
+      kinds:
+      - APIService
+    - apiGroups:
+      - coordination.k8s.io
+      kinds:
+      - Lease
+    - apiGroups:
+      - authentication.k8s.io
+      - authorization.k8s.io
+      kinds:
+      - SelfSubjectReview
+      - TokenReview
+      - LocalSubjectAccessReview
+      - SelfSubjectAccessReview
+      - SelfSubjectRulesReview
+      - SubjectAccessReview
+    - apiGroups:
+      - certificates.k8s.io
+      kinds:
+      - CertificateSigningRequest
+    - apiGroups:
+      - cert-manager.io
+      kinds:
+      - CertificateRequest
+    - apiGroups:
+      - cilium.io
+      kinds:
+      - CiliumIdentity
+      - CiliumEndpoint
+      - CiliumEndpointSlice
+    - apiGroups:
+      - kyverno.io
+      - reports.kyverno.io
+      - wgpolicyk8s.io
+      kinds:
+      - PolicyReport
+      - ClusterPolicyReport
+      - EphemeralReport
+      - ClusterEphemeralReport
+      - AdmissionReport
+      - ClusterAdmissionReport
+      - BackgroundScanReport
+      - ClusterBackgroundScanReport
+      - UpdateRequest
     - apiGroups:
       - tekton.dev
       clusters:
       - '*'
       kinds:
       - TaskRun
-      - PipelineRun        
+      - PipelineRun
   controller:
     resources:
       limits:
diff --git a/controllers/argocd/argocd.go b/controllers/argocd/argocd.go
@@ -179,9 +179,49 @@ func getDefaultRBAC() argoapp.ArgoCDRBACSpec {
 }
 
 // NewCR returns an ArgoCD reference optimized for use in OpenShift
-// with Tekton
+// with comprehensive default resource exclusions
 func NewCR(name, ns string) (*argoapp.ArgoCD, error) {
 	b, err := yaml.Marshal([]resource{
+		{
+			APIGroups: []string{"", "discovery.k8s.io"},
+			Kinds:     []string{"Endpoints", "EndpointSlice"},
+			Clusters:  []string{"*"},
+		},
+		{
+			APIGroups: []string{"apiregistration.k8s.io"},
+			Kinds:     []string{"APIService"},
+			Clusters:  []string{"*"},
+		},
+		{
+			APIGroups: []string{"coordination.k8s.io"},
+			Kinds:     []string{"Lease"},
+			Clusters:  []string{"*"},
+		},
+		{
+			APIGroups: []string{"authentication.k8s.io", "authorization.k8s.io"},
+			Kinds:     []string{"SelfSubjectReview", "TokenReview", "LocalSubjectAccessReview", "SelfSubjectAccessReview", "SelfSubjectRulesReview", "SubjectAccessReview"},
+			Clusters:  []string{"*"},
+		},
+		{
+			APIGroups: []string{"certificates.k8s.io"},
+			Kinds:     []string{"CertificateSigningRequest"},
+			Clusters:  []string{"*"},
+		},
+		{
+			APIGroups: []string{"cert-manager.io"},
+			Kinds:     []string{"CertificateRequest"},
+			Clusters:  []string{"*"},
+		},
+		{
+			APIGroups: []string{"cilium.io"},
+			Kinds:     []string{"CiliumIdentity", "CiliumEndpoint", "CiliumEndpointSlice"},
+			Clusters:  []string{"*"},
+		},
+		{
+			APIGroups: []string{"kyverno.io", "reports.kyverno.io", "wgpolicyk8s.io"},
+			Kinds:     []string{"PolicyReport", "ClusterPolicyReport", "EphemeralReport", "ClusterEphemeralReport", "AdmissionReport", "ClusterAdmissionReport", "BackgroundScanReport", "ClusterBackgroundScanReport", "UpdateRequest"},
+			Clusters:  []string{"*"},
+		},
 		{
 			APIGroups: []string{"tekton.dev"},
 			Kinds:     []string{"TaskRun", "PipelineRun"},
diff --git a/controllers/argocd/argocd_test.go b/controllers/argocd/argocd_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package argocd
 
 import (
+	"strings"
 	"testing"
 
 	argoapp "github.com/argoproj-labs/argocd-operator/api/v1beta1"
@@ -126,6 +127,66 @@ func TestArgoCD(t *testing.T) {
 		},
 	}
 	assert.DeepEqual(t, testArgoCD.Spec.Server.Resources, testServerResources)
+
+	// Test ResourceExclusions field
+	resourceExclusions := testArgoCD.Spec.ResourceExclusions
+	assert.Assert(t, len(resourceExclusions) > 0)
+
+	// Verify that the YAML contains expected resource types
+	expectedResources := []string{
+		"Endpoints",
+		"EndpointSlice",
+		"APIService",
+		"Lease",
+		"SelfSubjectReview",
+		"TokenReview",
+		"LocalSubjectAccessReview",
+		"SelfSubjectAccessReview",
+		"SelfSubjectRulesReview",
+		"SubjectAccessReview",
+		"CertificateSigningRequest",
+		"CertificateRequest",
+		"CiliumIdentity",
+		"CiliumEndpoint",
+		"CiliumEndpointSlice",
+		"PolicyReport",
+		"ClusterPolicyReport",
+		"EphemeralReport",
+		"ClusterEphemeralReport",
+		"AdmissionReport",
+		"ClusterAdmissionReport",
+		"BackgroundScanReport",
+		"ClusterBackgroundScanReport",
+		"UpdateRequest",
+		"TaskRun",
+		"PipelineRun",
+	}
+
+	for _, expectedResource := range expectedResources {
+		assert.Assert(t, strings.Contains(resourceExclusions, expectedResource),
+			"ResourceExclusions should contain %s", expectedResource)
+	}
+
+	// Verify that the YAML contains expected API groups
+	expectedAPIGroups := []string{
+		"discovery.k8s.io",
+		"apiregistration.k8s.io",
+		"coordination.k8s.io",
+		"authentication.k8s.io",
+		"authorization.k8s.io",
+		"certificates.k8s.io",
+		"cert-manager.io",
+		"cilium.io",
+		"kyverno.io",
+		"reports.kyverno.io",
+		"wgpolicyk8s.io",
+		"tekton.dev",
+	}
+
+	for _, expectedAPIGroup := range expectedAPIGroups {
+		assert.Assert(t, strings.Contains(resourceExclusions, expectedAPIGroup),
+			"ResourceExclusions should contain API group %s", expectedAPIGroup)
+	}
 }
 
 func TestDexConfiguration(t *testing.T) {
diff --git a/test/openshift/e2e/ginkgo/parallel/1-033_validate_resource_exclusions_test.go b/test/openshift/e2e/ginkgo/parallel/1-033_validate_resource_exclusions_test.go
