fix: sync default appproject updates to managed agents (#529)

Signed-off-by: Chetan Banavikalmutt <[email protected]>

Author: chetan-rns

agent/inbound_test.go

@@ -545,6 +545,152 @@ func Test_ProcessIncomingAppProjectWithUIDMismatch(t *testing.T) {
 		require.Equal(t, expectedCalls, gotCalls)
 		require.False(t, a.appManager.IsManaged(incomingAppProject.Name))
 	})
+
+	// Missing Source UID Annotation scenarios - when existing AppProject lacks the source UID annotation
+	t.Run("Create: Existing AppProject without source UID annotation should be deleted and recreated", func(t *testing.T) {
+		// Setup separate backend for this test to avoid mock conflicts
+		beMissing := backend_mocks.NewAppProject(t)
+		var err error
+		a.projectManager, err = appproject.NewAppProjectManager(beMissing, "argocd", appproject.WithAllowUpsert(true))
+		require.NoError(t, err)
+
+		// Setup for missing source UID scenario
+		existingAppProject := &v1alpha1.AppProject{
+			ObjectMeta: v1.ObjectMeta{
+				Name:      "test",
+				Namespace: "argocd",
+				UID:       ktypes.UID("existing_uid"),
+			},
+		}
+
+		// Configure separate backend
+		getMockMissing := beMissing.On("Get", mock.Anything, mock.Anything, mock.Anything).Return(existingAppProject, nil)
+		createMockMissing := beMissing.On("Create", mock.Anything, mock.Anything).Return(createdAppProject, nil)
+		deleteMockMissing := beMissing.On("Delete", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil)
+
+		defer func() {
+			getMockMissing.Unset()
+			createMockMissing.Unset()
+			deleteMockMissing.Unset()
+		}()
+
+		a.projectManager.Manage(existingAppProject.Name)
+		defer a.projectManager.ClearManaged()
+
+		ev := event.New(evs.AppProjectEvent(event.Create, incomingAppProject), event.TargetAppProject)
+		err = a.processIncomingAppProject(ev)
+
+		// The process should succeed after deleting the existing AppProject and creating the new one
+		require.NoError(t, err)
+
+		// Verify the sequence: Get (to compare UID), Delete (existing), Create (new)
+		expectedCalls := []string{"Get", "Delete", "Create"}
+		gotCalls := []string{}
+		for _, call := range beMissing.Calls {
+			gotCalls = append(gotCalls, call.Method)
+		}
+		require.Equal(t, expectedCalls, gotCalls)
+
+		// Verify the created AppProject has the correct source UID annotation
+		appInterface := beMissing.Calls[2].ReturnArguments[0]
+		latestAppProject, ok := appInterface.(*v1alpha1.AppProject)
+		require.True(t, ok)
+		require.Equal(t, string(incomingAppProject.UID), latestAppProject.Annotations[manager.SourceUIDAnnotation])
+	})
+
+	t.Run("Update: Existing AppProject without source UID annotation should be deleted and recreated", func(t *testing.T) {
+		// Setup separate backend for this test to avoid mock conflicts
+		beMissing := backend_mocks.NewAppProject(t)
+		var err error
+		a.projectManager, err = appproject.NewAppProjectManager(beMissing, "argocd", appproject.WithAllowUpsert(true))
+		require.NoError(t, err)
+
+		// Setup for missing source UID scenario
+		existingAppProject := &v1alpha1.AppProject{
+			ObjectMeta: v1.ObjectMeta{
+				Name:      "test",
+				Namespace: "argocd",
+				UID:       ktypes.UID("existing_uid"),
+			},
+		}
+
+		// Configure separate backend
+		getMockMissing := beMissing.On("Get", mock.Anything, mock.Anything, mock.Anything).Return(existingAppProject, nil)
+		createMockMissing := beMissing.On("Create", mock.Anything, mock.Anything).Return(createdAppProject, nil)
+		deleteMockMissing := beMissing.On("Delete", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil)
+
+		defer func() {
+			getMockMissing.Unset()
+			createMockMissing.Unset()
+			deleteMockMissing.Unset()
+		}()
+
+		a.projectManager.Manage(existingAppProject.Name)
+		defer a.projectManager.ClearManaged()
+
+		ev := event.New(evs.AppProjectEvent(event.SpecUpdate, incomingAppProject), event.TargetAppProject)
+		err = a.processIncomingAppProject(ev)
+
+		// The process should succeed after deleting the existing AppProject and creating the new one
+		require.NoError(t, err)
+
+		// Verify the sequence: Get (to compare UID), Delete (existing), Create (new)
+		expectedCalls := []string{"Get", "Delete", "Create"}
+		gotCalls := []string{}
+		for _, call := range beMissing.Calls {
+			gotCalls = append(gotCalls, call.Method)
+		}
+		require.Equal(t, expectedCalls, gotCalls)
+
+		// Verify the created AppProject has the correct source UID annotation
+		appInterface := beMissing.Calls[2].ReturnArguments[0]
+		latestAppProject, ok := appInterface.(*v1alpha1.AppProject)
+		require.True(t, ok)
+		require.Equal(t, string(incomingAppProject.UID), latestAppProject.Annotations[manager.SourceUIDAnnotation])
+	})
+
+	t.Run("Delete: Existing AppProject without source UID annotation should be deleted", func(t *testing.T) {
+		// Setup separate backend for this test to avoid mock conflicts
+		beMissing := backend_mocks.NewAppProject(t)
+		var err error
+		a.projectManager, err = appproject.NewAppProjectManager(beMissing, "argocd", appproject.WithAllowUpsert(true))
+		require.NoError(t, err)
+
+		// Setup for missing source UID scenario
+		existingAppProject := &v1alpha1.AppProject{
+			ObjectMeta: v1.ObjectMeta{
+				Name:      "test",
+				Namespace: "argocd",
+				UID:       ktypes.UID("existing_uid"),
+			},
+		}
+
+		// Configure separate backend
+		getMockMissing := beMissing.On("Get", mock.Anything, mock.Anything, mock.Anything).Return(existingAppProject, nil)
+		deleteMockMissing := beMissing.On("Delete", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil)
+
+		defer func() {
+			getMockMissing.Unset()
+			deleteMockMissing.Unset()
+		}()
+
+		a.projectManager.Manage(existingAppProject.Name)
+		defer a.projectManager.ClearManaged()
+
+		ev := event.New(evs.AppProjectEvent(event.Delete, incomingAppProject), event.TargetAppProject)
+		err = a.processIncomingAppProject(ev)
+
+		// Delete events should succeed after deleting the existing AppProject
+		require.NoError(t, err)
+
+		// Verify the sequence: Get (to compare UID), Delete (existing)
+		expectedCalls := []string{"Get", "Delete"}
+		gotCalls := []string{}
+		for _, call := range beMissing.Calls {
+			gotCalls = append(gotCalls, call.Method)
+		}
+		require.Equal(t, expectedCalls, gotCalls)
+	})
 }
 
 func Test_UpdateApplication(t *testing.T) {

internal/manager/appproject/appproject.go

@@ -18,6 +18,8 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/url"
+	"strings"
 	"time"
 
 	"github.com/argoproj-labs/argocd-agent/internal/backend"
@@ -355,23 +357,100 @@ func (m *AppProjectManager) CompareSourceUID(ctx context.Context, incoming *v1al
 	// If there is an existing appProject with the same name/namespace, compare its source UID with the incoming appProject.
 	sourceUID, ok := existing.Annotations[manager.SourceUIDAnnotation]
 	if !ok {
-		return true, false, fmt.Errorf("source UID Annotation is not found for appProject: %s", incoming.Name)
+		return true, false, nil
 	}
 
 	return true, string(incoming.UID) == sourceUID, nil
 }
 
-// DoesAgentMatchWithProject checks if the agent name matches the AppProject's destinations and source namespaces
+// DoesAgentMatchWithProject checks if the agent name matches the given AppProject.
+// We match the agent to an AppProject if:
+// 1. The agent name matches any one of the destination names OR
+// 2. The agent name is empty but the agent name is present in the server URL parameter AND
+// 3. The agent name is not denied by any of the destination names
+// Ref: https://github.com/argoproj/argo-cd/blob/master/pkg/apis/application/v1alpha1/app_project_types.go#L477
 func DoesAgentMatchWithProject(agentName string, appProject v1alpha1.AppProject) bool {
-	matched := false
+	destinationMatched := false
+
 	for _, dst := range appProject.Spec.Destinations {
-		if glob.Match(dst.Name, agentName) {
-			matched = true
-			break
+		// Return immediately if the agent name is denied by any of the destination names
+		if dst.Name != "" && isDenyPattern(dst.Name) && glob.Match(dst.Name[1:], agentName) {
+			return false
+		}
+
+		// Some AppProjects (e.g. default) may not always have a name so we need to check the server URL
+		if dst.Name == "" && dst.Server != "" {
+			if dst.Server == "*" {
+				destinationMatched = true
+				continue
+			}
+
+			// Server URL will be the resource proxy URL https://<rp-hostname>:<port>?agentName=<agent-name>
+			server, err := url.Parse(dst.Server)
+			if err != nil {
+				continue
+			}
+
+			serverAgentName := server.Query().Get("agentName")
+			if serverAgentName == "" {
+				continue
+			}
+
+			if glob.Match(serverAgentName, agentName) {
+				destinationMatched = true
+			}
+		}
+
+		// Match the agent name to the destination name and continue looking for deny patterns
+		if dst.Name != "" && glob.Match(dst.Name, agentName) {
+			destinationMatched = true
 		}
 	}
 
-	return matched && glob.MatchStringInList(appProject.Spec.SourceNamespaces, agentName, glob.REGEXP)
+	// Must match both destination and source namespace requirements
+	return destinationMatched &&
+		glob.MatchStringInList(appProject.Spec.SourceNamespaces, agentName, glob.REGEXP)
+}
+
+func isDenyPattern(pattern string) bool {
+	return strings.HasPrefix(pattern, "!")
+}
+
+// AgentSpecificAppProject returns an agent specific version of the given AppProject
+// We don't have to check for deny patterns because we only construct the agent specific AppProject
+// if the agent name matches the AppProject's destinations.
+func AgentSpecificAppProject(appProject v1alpha1.AppProject, agent string) v1alpha1.AppProject {
+	// Only keep the destinations that are relevant to the given agent
+	filteredDst := []v1alpha1.ApplicationDestination{}
+	for _, dst := range appProject.Spec.Destinations {
+		nameMatches := dst.Name != "" && glob.Match(dst.Name, agent)
+		serverMatches := false
+
+		// Handle server-only destinations (like default project)
+		if dst.Name == "" && dst.Server != "" {
+			if dst.Server == "*" {
+				serverMatches = true
+			} else if server, err := url.Parse(dst.Server); err == nil {
+				serverAgentName := server.Query().Get("agentName")
+				serverMatches = serverAgentName != "" && glob.Match(serverAgentName, agent)
+			}
+		}
+
+		if nameMatches || serverMatches {
+			dst.Name = "in-cluster"
+			dst.Server = "https://kubernetes.default.svc"
+			filteredDst = append(filteredDst, dst)
+		}
+	}
+	appProject.Spec.Destinations = filteredDst
+
+	// Only allow Applications to be managed from the agent namespace
+	appProject.Spec.SourceNamespaces = []string{agent}
+
+	// Remove the roles since they are not relevant on the workload cluster
+	appProject.Spec.Roles = []v1alpha1.ProjectRole{}
+
+	return appProject
 }
 
 func log() *logrus.Entry {