Chaos testing

[pasha-codefresh]

User description

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

---

Type

enhancement, documentation

---

Description

• Added support for logs resource in RBAC settings and enforcement based on environment variable.
• Implemented chaos testing command for simulating replicas changes.
• Added unit and E2E tests for RBAC enforcement on logs.
• Updated documentation to include logs resource in RBAC.
• Updated Go version and added indirect dependencies.
• Configuration changes to include environment variable for RBAC log enforcement in various deployments.

---

Changes walkthrough

	Relevant files
Enhancement	8 files settings_rbac.go Add log resource to RBAC settings                                                cmd/argocd/commands/admin/settings_rbac.go Added log and logs to resourceMap and validRBACResources for RBAC settings. +3/-0      common.go Introduce constant for cmd params config map                          common/common.go Introduced ArgoCDCmdParamsConfigMapName constant for cmd params config map. +5/-3      cmd.go Implement chaos testing command                                                    hack/chaos-testing/cmd/commands/cmd.go Implemented chaos testing command for simulating replicas changes. +106/-0  main.go Add entry point for chaos testing command                                hack/chaos-testing/cmd/main.go Entry point for chaos testing command. +16/-0    argo-api.go Add Argo CD API utility functions for chaos testing            hack/chaos-testing/util/argo-api.go Utility functions for interacting with Argo CD API in chaos testing. +111/-0  account.go Temporarily enforce RBAC for logs based on env var              server/account/account.go Added temporary RBAC enforcement for logs based on environment variable. +12/-0    application.go Enforce RBAC for logs in pod logs query                                    server/application/application.go Enforce RBAC for logs in application pod logs query based on env var. +11/-0    rbacpolicy.go Include logs in RBAC policy resources                                        server/rbacpolicy/rbacpolicy.go Included ResourceLogs in RBAC policy resources. +3/-1
Tests	8 files account_test.go Add unit tests for RBAC enforcement on logs                            server/account/account_test.go Unit tests for RBAC enforcement on logs. +54/-0    rbacpolicy_test.go Add unit tests for RBAC policy including logs                        server/rbacpolicy/rbacpolicy_test.go Unit tests for RBAC policy enforcement including logs. +30/-6    accounts_test.go Add E2E tests for RBAC enforcement on logs                              test/e2e/accounts_test.go E2E tests for RBAC enforcement on logs. +78/-0    actions.go Add actions for testing RBAC on logs                                          test/e2e/fixture/account/actions.go Added actions for testing RBAC enforcement on logs. +25/-0    consequences.go Add consequences for testing RBAC on logs                                test/e2e/fixture/account/consequences.go Added consequences for testing RBAC enforcement on logs. +6/-0      context.go Add context setup for testing RBAC on logs                              test/e2e/fixture/account/context.go Added context setup for testing RBAC enforcement on logs. +6/-0      fixture.go Add fixture setup for testing RBAC on logs                              test/e2e/fixture/fixture.go Added fixture setup for testing RBAC enforcement on logs. +18/-0    argocd-rbac-cm.yaml Add logs resource to RBAC config map test data                      cmd/argocd/commands/admin/testdata/rbac/argocd-rbac-cm.yaml Added logs resource to RBAC config map test data. +1/-0
Configuration changes	6 files Makefile Adjust codegen order in Makefile                                                  Makefile Adjusted codegen order in Makefile. +1/-1      argocd-server-deployment.yaml Add env var for RBAC log enforcement in server deployment manifests/base/server/argocd-server-deployment.yaml Added environment variable for RBAC log enforcement in server deployment. +6/-0      install.yaml Add env var for RBAC log enforcement in HA install              manifests/ha/install.yaml Added environment variable for RBAC log enforcement in HA install. +6/-0      namespace-install.yaml Add env var for RBAC log enforcement in namespace install manifests/ha/namespace-install.yaml Added environment variable for RBAC log enforcement in namespace install. +6/-0      install.yaml Add env var for RBAC log enforcement in install manifest  manifests/install.yaml Added environment variable for RBAC log enforcement in install manifest. +6/-0      namespace-install.yaml Add env var for RBAC log enforcement in namespace install manifest manifests/namespace-install.yaml Added environment variable for RBAC log enforcement in namespace install manifest. +6/-0
Documentation	1 files argocd_account_can-i.md Document inclusion of logs resource in RBAC                            docs/user-guide/commands/argocd_account_can-i.md Updated documentation to include logs resource in RBAC. +1/-1
Dependencies	1 files go.mod Update Go version and add indirect dependencies                    go.mod Updated Go version and added indirect dependencies. +126/-1
Miscellaneous	1 files gen_resources.yaml Update sample cluster generation settings                                hack/gen-resources/examples/gen_resources.yaml Updated sample cluster generation settings in gen_resources.yaml. +2/-2

---

✨ PR-Agent usage:
Comment /help on the PR to get a list of all available PR-Agent tools and their descriptions

[codiumai-pr-agent-pro]

PR-Agent was enabled for this repository. To use it, please link your git user with your CodiumAI identity here.

CI Failure Feedback

Action: Validate PR Title

Failed stage: Run thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f [❌]

Failure summary: The action failed because it encountered an HttpError when attempting to add the label "title needs formatting" to the PR. This error occurred because the integration (GitHub Action) did not have the necessary permissions to access the resource, which in this context likely means it lacked permission to modify PR labels.

Relevant error logs: 1: ##[group]Operating System 2: Ubuntu ... 22: Prepare all required actions 23: Getting action download info 24: Download action repository 'thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f' (SHA:0cf5902181e78341bb97bb06646396e5bd354b3f) 25: Complete job name: Validate PR Title 26: ##[group]Run thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f 27: with: 28: GITHUB_TOKEN: *** 29: configuration_path: .github/pr-title-checker-config.json 30: pass_on_octokit_error: false 31: ##[endgroup] 32: Using config file .github/pr-title-checker-config.json from repo pasha-codefresh/argo-cd [ref: 8bb41eda04d9a41a4fe7375888d77f91a68fd429] 33: Creating label (title needs formatting)... 34: Label (title needs formatting) already created. 35: ##[notice]PR Title needs to pass regex '^(feat|fix|docs|test|ci|chore)!?(\(.*\))?!?:.* 36: Adding label (title needs formatting) to PR... 37: HttpError: Resource not accessible by integration 38: ##[error]Failed to add label (title needs formatting) to PR

---

✨ CI feedback usage guide:

---

The CI feedback tool (/checks) automatically triggers when a PR has a failed check.
The tool analyzes the failed checks and provides several feedbacks:

• Failed stage
• Failed test name
• Failure summary
• Relevant error logs

In addition to being automatically triggered, the tool can also be invoked manually by commenting on a PR:

/checks "https://github.com/{repo_name}/actions/runs/{run_number}/job/{job_number}"

where {repo_name} is the name of the repository, {run_number} is the run number of the failed check, and {job_number} is the job number of the failed check.

Configuration options

• enable_auto_checks_feedback - if set to true, the tool will automatically provide feedback when a check is failed. Default is true.
• excluded_checks_list - a list of checks to exclude from the feedback, for example: ["check1", "check2"]. Default is an empty list.
• enable_help_text - if set to true, the tool will provide a help message with the feedback. Default is true.
• persistent_comment - if set to true, the tool will overwrite a previous checks comment with the new feedback. Default is true.
• final_update_message - if persistent_comment is true and updating a previous checks message, the tool will also create a new message: "Persistent checks updated to latest commit". Default is true.

See more information about the checks tool in the docs.

[pasha-codefresh]

/review

[codiumai-pr-agent-pro]

PR-Agent was enabled for this repository. To use it, please link your git user with your CodiumAI identity here.

PR Description updated to latest commit (7405e03)

• Copy walkthrough table to "Files Changed" Tab

[codiumai-pr-agent-pro]

PR-Agent was enabled for this repository. To use it, please link your git user with your CodiumAI identity here.

PR Review

⏱️ Estimated effort to review [1-5]	2, because the PR introduces a significant amount of changes across multiple files, including new functionality and updates to existing logic. However, the changes are well-structured and pertain to a single feature enhancement, making it easier to review.
🧪 Relevant tests	No
🔍 Possible issues	Possible Bug: The simulateReplicasChanges function in hack/chaos-testing/cmd/commands/cmd.go does not handle errors from argoApi.UpdateReplicas and util2.Wait properly. It prints the error but continues the loop, which might not be the intended behavior.
	Performance Concern: The infinite loop in simulateReplicasChanges function could potentially create a large number of goroutines if not controlled properly, leading to performance issues.
🔒 Security concerns	No

Code feedback:

---

relevant file	hack/chaos-testing/cmd/commands/cmd.go
suggestion	Consider breaking the infinite loop in simulateReplicasChanges under certain conditions to prevent potential performance issues. [important]
relevant line	for {

---

relevant file	server/account/account.go
suggestion	Implement error handling for the env.ParseBoolFromEnv function to ensure the application behaves as expected even if the environment variable is not set correctly. [medium]
relevant line	logsRBACEnforceEnable := env.ParseBoolFromEnv("ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE", false)

---

relevant file	hack/chaos-testing/cmd/commands/cmd.go
suggestion	Handle errors from argoApi.UpdateReplicas and util2.Wait properly by either retrying with a backoff or exiting the loop to avoid potential infinite error loops. [important]
relevant line	_, err := argoApi.UpdateReplicas(token, 2, app.Name)

---

relevant file	hack/chaos-testing/util/argo-api.go
suggestion	Validate the token parameter in the ArgoApi methods to ensure it's not empty before making API calls, to avoid unnecessary network calls and potential errors. [medium]
relevant line	func (api *ArgoApi) sendPost(uri string, token string, payload []byte) (map[string]interface{}, error) {

---

---

✨ Review tool usage guide:

---

Overview:
The review tool scans the PR code changes, and generates a PR review which includes several types of feedbacks, such as possible PR issues, security threats and relevant test in the PR. More feedbacks can be added by configuring the tool.

The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on any PR.

• When commenting, to edit configurations related to the review tool (pr_reviewer section), use the following template:

/review --pr_reviewer.some_config1=... --pr_reviewer.some_config2=...

• With a configuration file, use the following template:

[pr_reviewer]
some_config1=...
some_config2=...

See the review usage page for a comprehensive guide on using this tool.

[codiumai-pr-agent-pro]

PR-Agent was enabled for this repository. To use it, please link your git user with your CodiumAI identity here.

PR Review

⏱️ Estimated effort to review [1-5]	4, because the PR introduces a significant amount of new code across multiple files, including a new feature (chaos testing), updates to RBAC settings, and a new command implementation. The complexity of the changes, especially around security and RBAC, requires careful review to ensure correctness and security.
🧪 Relevant tests	No
🔍 Possible issues	Possible Security Concern: The introduction of chaos testing commands and the associated changes to the application and server components could introduce security vulnerabilities if not properly authenticated and authorized.
	RBAC Changes: The addition of "logs" as a resource in RBAC settings needs thorough review to ensure it doesn't inadvertently grant broader access than intended.
	Hardcoded Values: The use of hardcoded values (e.g., "http://localhost:8080" as the Argo server host in hack/chaos-testing/cmd/commands/cmd.go) could limit the flexibility and usability of the code in different environments.
🔒 Security concerns	RBAC Changes: The addition of new RBAC resources and the conditional enforcement of RBAC for logs based on an environment variable could introduce security concerns if not correctly implemented. It's crucial to ensure that these changes do not inadvertently allow unauthorized access to sensitive information or operations.

---

✨ Review tool usage guide:

---

Overview:
The review tool scans the PR code changes, and generates a PR review which includes several types of feedbacks, such as possible PR issues, security threats and relevant test in the PR. More feedbacks can be added by configuring the tool.

The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on any PR.

• When commenting, to edit configurations related to the review tool (pr_reviewer section), use the following template:

/review --pr_reviewer.some_config1=... --pr_reviewer.some_config2=...

• With a configuration file, use the following template:

[pr_reviewer]
some_config1=...
some_config2=...

See the review usage page for a comprehensive guide on using this tool.

[codiumai-pr-agent-pro]

PR Code Suggestions

Category	Suggestions
Security	Avoid disabling SSL certificate verification in production code. It's recommended to avoid using InsecureSkipVerify: true in production code because it disables SSL certificate verification, making the connection vulnerable to man-in-the-middle attacks. If you need to skip TLS verification for development purposes, consider making it configurable and ensure it's turned off in production environments. hack/chaos-testing/util/argo-api.go [20] -http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} +// For development only: Skip TLS certificate verification +// WARNING: Never use in production! +if devMode { + http.DefaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{InsecureSkipVerify: true} +}
Enhancement	Improve readability by using fmt.Sprintf for string formatting. Instead of concatenating strings to form the authorization header, use fmt.Sprintf for better readability and maintainability. hack/chaos-testing/util/argo-api.go [31] -req.Header.Set("Authorization", "Bearer "+token) +req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
Best practice	Improve error handling by checking errors immediately after they occur. To improve error handling, check for errors immediately after they could occur. This includes checking the error returned by io.ReadAll before attempting to unmarshal the JSON. hack/chaos-testing/util/argo-api.go [39-40] body, err := io.ReadAll(resp.Body) +if err != nil { + return nil, err +} err = json.Unmarshal(body, &result)
	Unset environment variables after the test to avoid side effects. It's recommended to unset environment variables after the test to avoid side effects on other tests. Use defer os.Unsetenv("ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE") right after setting the environment variable. server/account/account_test.go [335] os.Setenv("ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE", "true") +defer os.Unsetenv("ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE")
	Group and comment constants logically for better readability. To ensure the constants are grouped logically and are easy to find, consider adding a comment above the new constants introduced (ArgoCDCmdParamsConfigMapName) explaining their purpose or grouping them with related constants. common/common.go [20-23] -ArgoCDConfigMapName = "argocd-cm" -ArgoCDSecretName = "argocd-secret" -ArgoCDRBACConfigMapName = "argocd-rbac-cm" +// ConfigMap names used by Argo CD for various configurations +ArgoCDConfigMapName = "argocd-cm" +ArgoCDSecretName = "argocd-secret" +ArgoCDRBACConfigMapName = "argocd-rbac-cm" +// ArgoCDCmdParamsConfigMapName holds command parameters for Argo CD ArgoCDCmdParamsConfigMapName = "argocd-cmd-params-cm"
	Clean up and update the go.mod file by running go mod tidy. Consider running go mod tidy to clean up the go.mod file. This command can help remove unnecessary dependencies and ensure that the go.mod file is up to date with the actual dependencies used in the project. go.mod [95-218] +// After running `go mod tidy` require ( - cloud.google.com/go v0.81.0 // indirect - ... - sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect + // Potentially reduced set of dependencies )
	Avoid hardcoding user-specific paths in the configuration file. Ensure that the valuesFilePath is generalized or parameterized to avoid hardcoding user-specific paths in the configuration file. hack/gen-resources/examples/gen_resources.yaml [12] -valuesFilePath: /Users/pashavictorovich/.kube/util/values.yaml +valuesFilePath: <path-to-your-values-file>
Maintainability	Add a termination condition or signal handling to the infinite loop. Using an infinite loop with for { without a clear exit condition can lead to issues with resource consumption and may make the application difficult to terminate. Consider adding a termination condition or signal handling to gracefully stop the loop. hack/chaos-testing/cmd/commands/cmd.go [36-61] -for { +for keepRunning { ... + // Add logic to update keepRunning or listen for a termination signal }
	Use a constant for the environment variable name for easier maintenance. Instead of hardcoding the environment variable name "ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE", consider defining it as a constant in a more central place. This makes the code easier to maintain and the environment variable names easier to manage. server/account/account.go [135] -logsRBACEnforceEnable := env.ParseBoolFromEnv("ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE", false) +const EnvVarRBACLogEnforceEnable = "ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE" +logsRBACEnforceEnable := env.ParseBoolFromEnv(EnvVarRBACLogEnforceEnable, false)
	Extract RBAC enforcement logic into a separate function for better readability. To improve code readability and maintainability, consider extracting the RBAC enforcement logic into a separate function. This keeps the PodLogs function focused on its primary responsibility and makes the code easier to understand and test. server/application/application.go [1203-1207] -logsRBACEnforceEnable := env.ParseBoolFromEnv("ARGOCD_SERVER_RBAC_LOG_ENFORCE_ENABLE", false) -if logsRBACEnforceEnable { - if err := s.enf.EnforceErr(ws.Context().Value("claims"), rbacpolicy.ResourceLogs, rbacpolicy.ActionGet, appRBACName(*a)); err != nil { - return err - } +if err := enforceRBACForLogs(ws.Context(), s.enf, appRBACName(*a)); err != nil { + return err }
	Improve readability by reordering dependencies in the codegen-local target. Consider reordering the dependencies in the codegen-local target to follow a logical or alphabetical order. This can improve readability and maintainability of the Makefile. Makefile [212] -codegen-local: ensure-gopath mod-vendor-local gogen protogen clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog +codegen-local: ensure-gopath clidocsgen clientgen gogen manifests-local mod-vendor-local notification-catalog notification-docs openapigen protogen
Performance	Reuse the HTTP client to improve performance. Reuse the HTTP client instead of creating a new one for each request to improve performance and resource utilization. Consider defining the client as a field of the ArgoApi struct. hack/chaos-testing/util/argo-api.go [25] -client := &http.Client{} +// Define client in the ArgoApi struct +type ArgoApi struct { + host string + client *http.Client +} +// Initialize it once +func NewArgoApi(host string) *ArgoApi { + return &ArgoApi{ + host: host, + client: &http.Client{}, + } +} + +// Use the existing client +resp, err := api.client.Do(req) +
Possible issue	Add error handling for SetCmdParam and CanIGetLogs methods. For consistency and error handling, consider checking for errors in SetCmdParam and CanIGetLogs methods. This ensures that any issues during these operations are caught and handled appropriately. test/e2e/fixture/account/actions.go [66-68] func (a *Actions) SetCmdParam(paramKey string, paramValue string) *Actions { - fixture.SetCmdParam(paramKey, paramValue) + if err := fixture.SetCmdParam(paramKey, paramValue); err != nil { + a.lastError = err + } return a }
Documentation	Update the documentation to reflect the latest resources available for argocd account can-i command. Ensure that the documentation for argocd account can-i command is updated to reflect the latest changes or additions to the resources, such as the inclusion of logs. docs/user-guide/commands/argocd_account_can-i.md [23] -Resources: [clusters projects applications repositories certificates logs] +Resources: [clusters projects applications repositories certificates logs <any-new-resources>]

---

✨ Improve tool usage guide:

---

Overview:
The improve tool scans the PR code changes, and automatically generates suggestions for improving the PR code. The tool can be triggered automatically every time a new PR is opened, or can be invoked manually by commenting on a PR.

• When commenting, to edit configurations related to the improve tool (pr_code_suggestions section), use the following template:

/improve --pr_code_suggestions.some_config1=... --pr_code_suggestions.some_config2=...

• With a configuration file, use the following template:

[pr_code_suggestions]
some_config1=...
some_config2=...

See the improve usage page for a comprehensive guide on using this tool.

[codiumai-pr-agent-pro]

PR-Agent was enabled for this repository. To use it, please link your git user with your CodiumAI identity here.

CI Failure Feedback

Action: Validate PR Title

Failed stage: Run thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f [❌]

Failure summary: The action failed because it attempted to add a label "title needs formatting" to the PR, but encountered an HttpError indicating "Resource not accessible by integration". This error typically occurs when the GitHub Action does not have the necessary permissions to modify PR labels.

Relevant error logs: 1: ##[group]Operating System 2: Ubuntu ... 22: Prepare all required actions 23: Getting action download info 24: Download action repository 'thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f' (SHA:0cf5902181e78341bb97bb06646396e5bd354b3f) 25: Complete job name: Validate PR Title 26: ##[group]Run thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f 27: with: 28: GITHUB_TOKEN: *** 29: configuration_path: .github/pr-title-checker-config.json 30: pass_on_octokit_error: false 31: ##[endgroup] 32: Using config file .github/pr-title-checker-config.json from repo pasha-codefresh/argo-cd [ref: 8bb41eda04d9a41a4fe7375888d77f91a68fd429] 33: Creating label (title needs formatting)... 34: Label (title needs formatting) already created. 35: ##[notice]PR Title needs to pass regex '^(feat|fix|docs|test|ci|chore)!?(\(.*\))?!?:.* 36: Adding label (title needs formatting) to PR... 37: HttpError: Resource not accessible by integration 38: ##[error]Failed to add label (title needs formatting) to PR

---

✨ CI feedback usage guide:

---

The CI feedback tool (/checks) automatically triggers when a PR has a failed check.
The tool analyzes the failed checks and provides several feedbacks:

• Failed stage
• Failed test name
• Failure summary
• Relevant error logs

In addition to being automatically triggered, the tool can also be invoked manually by commenting on a PR:

/checks "https://github.com/{repo_name}/actions/runs/{run_number}/job/{job_number}"

where {repo_name} is the name of the repository, {run_number} is the run number of the failed check, and {job_number} is the job number of the failed check.

Configuration options

• enable_auto_checks_feedback - if set to true, the tool will automatically provide feedback when a check is failed. Default is true.
• excluded_checks_list - a list of checks to exclude from the feedback, for example: ["check1", "check2"]. Default is an empty list.
• enable_help_text - if set to true, the tool will provide a help message with the feedback. Default is true.
• persistent_comment - if set to true, the tool will overwrite a previous checks comment with the new feedback. Default is true.
• final_update_message - if persistent_comment is true and updating a previous checks message, the tool will also create a new message: "Persistent checks updated to latest commit". Default is true.

See more information about the checks tool in the docs.