revert updates to repository

Signed-off-by: Chetan Banavikalmutt <[email protected]>
Assisted-by: Cursor

Author: chetan-rns

agent/inbound.go

@@ -528,23 +528,24 @@ func (a *Agent) deleteApplication(app *v1alpha1.Application) error {
 
 	logCtx.Infof("Deleting application")
 
+	if a.mode == types.AgentModeManaged {
+		a.sourceCache.Application.Delete(app.UID)
+	}
+
 	deletionPropagation := backend.DeletePropagationBackground
 	err := a.appManager.Delete(a.context, a.namespace, app, &deletionPropagation)
 	if err != nil {
 		if apierrors.IsNotFound(err) {
 			logCtx.Debug("application is not found, perhaps it is already deleted")
-			if a.mode == types.AgentModeManaged {
-				a.sourceCache.Application.Delete(app.UID)
-			}
 			return nil
 		}
+		// Restore the cache if the deletion fails
+		if a.mode == types.AgentModeManaged {
+			a.sourceCache.Application.Set(app.UID, app.Spec)
+		}
 		return err
 	}
 
-	if a.mode == types.AgentModeManaged {
-		a.sourceCache.Application.Delete(app.UID)
-	}
-
 	err = a.appManager.Unmanage(app.QualifiedName())
 	if err != nil {
 		log().Warnf("Could not unmanage app %s: %v", app.QualifiedName(), err)
@@ -635,6 +636,8 @@ func (a *Agent) deleteAppProject(project *v1alpha1.AppProject) error {
 
 	logCtx.Infof("Deleting appProject")
 
+	a.sourceCache.AppProject.Delete(project.UID)
+
 	deletionPropagation := backend.DeletePropagationBackground
 	err := a.projectManager.Delete(a.context, project, &deletionPropagation)
 	if err != nil {
@@ -643,11 +646,11 @@ func (a *Agent) deleteAppProject(project *v1alpha1.AppProject) error {
 			a.sourceCache.AppProject.Delete(project.UID)
 			return nil
 		}
+		// Restore the cache if the deletion fails
+		a.sourceCache.AppProject.Set(project.UID, project.Spec)
 		return err
 	}
 
-	a.sourceCache.AppProject.Delete(project.UID)
-
 	err = a.projectManager.Unmanage(project.Name)
 	if err != nil {
 		log().Warnf("Could not unmanage appProject %s: %v", project.Name, err)
@@ -682,6 +685,8 @@ func (a *Agent) createRepository(incoming *corev1.Secret) (*corev1.Secret, error
 		incoming.Annotations = make(map[string]string)
 	}
 
+	a.sourceCache.Repository.Set(incoming.UID, incoming.Data)
+
 	// Get rid of some fields that we do not want to have on the repository as we start fresh.
 	delete(incoming.Annotations, "kubectl.kubernetes.io/last-applied-configuration")
 
@@ -716,6 +721,8 @@ func (a *Agent) updateRepository(incoming *corev1.Secret) (*corev1.Secret, error
 
 	logCtx.Infof("Updating repository")
 
+	a.sourceCache.Repository.Set(incoming.UID, incoming.Data)
+
 	return a.repoManager.UpdateManagedRepository(a.context, incoming)
 }
 
@@ -732,13 +739,17 @@ func (a *Agent) deleteRepository(repo *corev1.Secret) error {
 
 	logCtx.Infof("Deleting repository")
 
+	a.sourceCache.Repository.Delete(repo.UID)
+
 	deletionPropagation := backend.DeletePropagationBackground
 	err := a.repoManager.Delete(a.context, repo.Name, repo.Namespace, &deletionPropagation)
 	if err != nil {
 		if apierrors.IsNotFound(err) {
 			logCtx.Debug("repository is not found, perhaps it is already deleted")
 			return nil
 		}
+		// Restore the cache if the deletion fails
+		a.sourceCache.Repository.Set(repo.UID, repo.Data)
 		return err
 	}
 

agent/outbound.go

@@ -19,12 +19,14 @@ import (
 
 	"github.com/argoproj-labs/argocd-agent/internal/event"
 	"github.com/argoproj-labs/argocd-agent/internal/logging/logfields"
+	"github.com/argoproj-labs/argocd-agent/internal/manager"
 	"github.com/argoproj-labs/argocd-agent/internal/resources"
 	"github.com/argoproj-labs/argocd-agent/pkg/types"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	cacheutil "github.com/argoproj/argo-cd/v3/util/cache"
 	"github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // addAppCreationToQueue processes a new application event originating from the
@@ -116,6 +118,13 @@ func (a *Agent) addAppDeletionToQueue(app *v1alpha1.Application) {
 	logCtx := log().WithField(logfields.Event, "DeleteApp").WithField(logfields.Application, app.QualifiedName())
 	logCtx.Debugf("Delete app event")
 
+	if isResourceFromPrincipal(app) {
+		if manager.RevertUserInitiatedDeletion(a.context, app, a.sourceCache.Application, a.appManager, logCtx) {
+			logCtx.Trace("Deleted app is recreated")
+			return
+		}
+	}
+
 	a.resources.Remove(resources.NewResourceKeyFromApp(app))
 
 	if !a.appManager.IsManaged(app.QualifiedName()) {
@@ -248,6 +257,13 @@ func (a *Agent) addAppProjectDeletionToQueue(appProject *v1alpha1.AppProject) {
 
 	logCtx.Debugf("Delete appProject event")
 
+	if isResourceFromPrincipal(appProject) {
+		if manager.RevertUserInitiatedDeletion(a.context, appProject, a.sourceCache.AppProject, a.projectManager, logCtx) {
+			logCtx.Trace("Deleted appProject is recreated")
+			return
+		}
+	}
+
 	a.resources.Remove(resources.NewResourceKeyFromAppProject(appProject))
 
 	// Only send the deletion event when we're in autonomous mode
@@ -347,6 +363,11 @@ func (a *Agent) handleRepositoryUpdate(old, new *corev1.Secret) {
 	a.watchLock.Lock()
 	defer a.watchLock.Unlock()
 
+	if a.repoManager.RevertRepositoryChanges(a.context, new, a.sourceCache.Repository) {
+		logCtx.Debugf("Modifications done to repository are reverted")
+		return
+	}
+
 	if a.mode.IsAutonomous() {
 		logCtx.Debugf("Skipping repository event because the agent is not in managed mode")
 		return
@@ -371,6 +392,11 @@ func (a *Agent) handleRepositoryDeletion(repo *corev1.Secret) {
 
 	logCtx.Debugf("Delete repository event")
 
+	if manager.RevertUserInitiatedDeletion(a.context, repo, a.sourceCache.Repository, a.repoManager, logCtx) {
+		logCtx.Trace("Deleted repository is recreated")
+		return
+	}
+
 	if a.mode.IsAutonomous() {
 		logCtx.Debugf("Skipping repository event because the agent is not in managed mode")
 		return
@@ -388,3 +414,14 @@ func (a *Agent) handleRepositoryDeletion(repo *corev1.Secret) {
 		return
 	}
 }
+
+// isResourceFromPrincipal checks if a Kubernetes resource was created by the principal
+// by examining if it has the source UID annotation.
+func isResourceFromPrincipal(resource metav1.Object) bool {
+	annotations := resource.GetAnnotations()
+	if annotations == nil {
+		return false
+	}
+	_, ok := annotations[manager.SourceUIDAnnotation]
+	return ok
+}

internal/cache/resource_cache.go

@@ -77,6 +77,15 @@ func (c *ResourceCache[T]) Get(sourceUID types.UID) (T, bool) {
 	return item, ok
 }
 
+// Contains checks if a resource is in the cache
+func (c *ResourceCache[T]) Contains(sourceUID types.UID) bool {
+	c.lock.RLock()
+	defer c.lock.RUnlock()
+
+	_, ok := c.items[sourceUID]
+	return ok
+}
+
 // Delete removes a resource from the cache
 func (c *ResourceCache[T]) Delete(sourceUID types.UID) {
 	c.lock.Lock()
@@ -103,27 +112,3 @@ func (c *ResourceCache[T]) Len() int {
 	defer c.lock.RUnlock()
 	return len(c.items)
 }
-
-// Keys returns all keys in the cache
-func (c *ResourceCache[T]) Keys() []types.UID {
-	c.lock.RLock()
-	defer c.lock.RUnlock()
-
-	keys := make([]types.UID, 0, len(c.items))
-	for key := range c.items {
-		keys = append(keys, key)
-	}
-	return keys
-}
-
-// ForEach iterates over all items in the cache
-func (c *ResourceCache[T]) ForEach(fn func(types.UID, T) bool) {
-	c.lock.RLock()
-	defer c.lock.RUnlock()
-
-	for key, value := range c.items {
-		if !fn(key, value) {
-			break
-		}
-	}
-}

internal/manager/appproject/appproject.go

@@ -392,8 +392,6 @@ func (m *AppProjectManager) RevertAppProjectChanges(ctx context.Context, project
 			}
 			return true
 		} else {
-			logCtx.Trace(cachedSpec)
-			logCtx.Trace(project.Spec)
 			logCtx.Debugf("AppProject %s is already in sync with source cache", project.Name)
 		}
 	} else {

internal/manager/manager.go

@@ -15,8 +15,14 @@
 package manager
 
 import (
+	"context"
 	"fmt"
 	"sync"
+
+	"github.com/sirupsen/logrus"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/types"
 )
 
 type ManagerRole int
@@ -187,3 +193,59 @@ func (o *ObservedResources) Len() int {
 	defer o.mu.RUnlock()
 	return len(o.observed)
 }
+
+type kubeResource interface {
+	runtime.Object
+	metav1.Object
+}
+
+type resourceCache[R kubeResource] interface {
+	Contains(uid types.UID) bool
+}
+
+type resourceManager[R kubeResource] interface {
+	Create(ctx context.Context, obj R) (R, error)
+}
+
+// RevertUserInitiatedDeletion detects if a resource deletion was unauthorized and recreates the resource.
+// Returns true if the resource was recreated, false otherwise.
+func RevertUserInitiatedDeletion[R kubeResource](ctx context.Context,
+	outbound R,
+	resCache resourceCache[R],
+	mgr resourceManager[R],
+	logCtx *logrus.Entry,
+) bool {
+
+	logCtx = logCtx.WithFields(logrus.Fields{
+		"resource": outbound.GetName(),
+		"kind":     outbound.GetObjectKind().GroupVersionKind().Kind,
+	})
+
+	sourceUID, exists := outbound.GetAnnotations()[SourceUIDAnnotation]
+	if !exists {
+		logCtx.Errorf("Source UID annotation not found for resource")
+		return false
+	}
+
+	// If the resource is not in the cache, it means it was deleted by an incoming delete event.
+	// So no need to recreate it.
+	if !resCache.Contains(types.UID(sourceUID)) {
+		logCtx.Debugf("Expected deletion detected - allowing it to proceed")
+		return false
+	}
+
+	logCtx.Warnf("Unauthorized deletion detected - recreating")
+	// This is an unauthorized deletion (user-initiated), recreate the resource
+	resource := outbound.DeepCopyObject().(R)
+	resource.SetResourceVersion("")
+	resource.SetDeletionTimestamp(nil)
+	resource.SetUID(types.UID(sourceUID))
+	_, err := mgr.Create(ctx, resource)
+	if err != nil {
+		logCtx.WithError(err).Error("failed to recreate resource after unauthorized deletion")
+	} else {
+		logCtx.Infof("Recreated resource after unauthorized deletion")
+	}
+
+	return true
+}