fix: restoring tracking labels for cleaning up of orphaned roles and rolebindings

[akhilnittala]

What type of PR is this?

/kind chore

What does this PR do / why we need it:
Identifies Roles and RoleBindings associated with namespace-scoped Argo CD instances and restores any missing labels to ensure correct resource tracking and cleanup.
Have you updated the necessary documentation?

• Documentation update is required by this PR.
• Documentation has been updated.

Which issue(s) this PR fixes:
https://issues.redhat.com/browse/GITOPS-8537
Fixes #?
https://issues.redhat.com/browse/GITOPS-8537
How to test changes / Special notes to the reviewer:
First reproduce the issue based on the steps mentioned in the jira

Install gitops operator with changes and verify the resources which are not cleanedup as per above step.

Summary by CodeRabbit

• New Features

  • Automatically restores missing tracking labels on orphaned namespaces, applying only required labels, skipping the controller's own namespace, logging updates, and aggregating errors encountered.

• Tests

  • Added tests covering multiple namespace and RBAC scenarios to verify label restoration, immutability of the controller namespace, and error aggregation.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds logic to reconcile orphaned Roles: finds Roles labeled for ArgoCD that reference Application/ApplicationSet source namespaces, verifies they are orphaned and application-scoped, and restores missing ArgoCD tracking labels on the referenced Namespaces before continuing reconciliation. Includes unit test coverage.

Changes

Cohort / File(s)	Summary
Orphan namespace label restoration controllers/argocd/argocd_controller.go	Inserted call to restoreTrackingLabelsForOrphanedNamespaces in internalReconcile. Added unexported helpers to list Roles with ArgoCD labels, validate orphaned Roles (isOrphanedRole, hasApplicationScopedRules), compute required tracking labels, and apply missing labels to Namespaces (skipping ArgoCD's own namespace). Aggregates errors and logs updates.
Test coverage for label restoration controllers/argocd/argocd_controller_test.go	Imported maps and added Test_restoreTrackingLabelsForOrphanedNamespaces to exercise multiple namespace/Role scenarios using a fake client; asserts labels are restored where appropriate.

Sequence Diagram(s)

sequenceDiagram
    participant Reconciler as Reconciler
    participant K8sAPI as Kubernetes API
    participant RoleValidator as Role Validator
    participant NSMutator as Namespace Mutator

    Reconciler->>K8sAPI: List Roles with ArgoCD labels
    K8sAPI-->>Reconciler: Roles list

    loop per Role
        Reconciler->>RoleValidator: isOrphanedRole(role)
        RoleValidator->>RoleValidator: check name vs App/AppSet sources
        RoleValidator->>RoleValidator: hasApplicationScopedRules()
        RoleValidator-->>Reconciler: valid / invalid

        alt valid orphan role
            Reconciler->>K8sAPI: Get referenced Namespace (skip ArgoCD namespace)
            K8sAPI-->>Reconciler: Namespace

            Reconciler->>RoleValidator: requiredTrackingLabelsForRole(role)
            RoleValidator-->>Reconciler: labels to ensure

            Reconciler->>NSMutator: addMissingLabels(namespace, labels)
            NSMutator->>K8sAPI: Patch/Update Namespace
            K8sAPI-->>NSMutator: Patch result
            NSMutator-->>Reconciler: updated / no-op
        end
    end

    Reconciler-->>Reconciler: Aggregate errors and continue

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 I hopped through Roles and Namespace lanes,
Restored the labels, mended the chains.
Orphaned tags now found their home,
RBAC checked, no more to roam.
A tiny hop — reconciliation done.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: restoring tracking labels for orphaned roles and rolebindings to enable cleanup.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[anandf]

LGTM

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@controllers/argocd/argocd_controller.go`:
- Around line 448-467: The hasApplicationScopedRules function misses wildcard
resources like "*" and therefore returns false for roles that actually grant
access; update the logic in hasApplicationScopedRules to treat a resource entry
of "*" (and optionally the group-wide wildcard) as a match: when iterating
rule.Resources inside hasApplicationScopedRules, first check if res == "*" (or
rule.Resources contains "*") and return true if so, otherwise continue the
existing switch that checks for "applications", "applications/status",
"applicationsets", "applicationsets/status"; ensure the check occurs only after
confirming the rule.APIGroups contains "argoproj.io" (const argoCDAPIGroup) so
wildcard resources in that API group are correctly recognized.

[svghadi]

LGTM. Thanks