feat: Selectively prevent resources from being synced (#551)

Signed-off-by: jannfis <[email protected]>

Author: jannfis

agent/agent.go

@@ -28,6 +28,7 @@ import (
 	kubeappproject "github.com/argoproj-labs/argocd-agent/internal/backend/kubernetes/appproject"
 	kubenamespace "github.com/argoproj-labs/argocd-agent/internal/backend/kubernetes/namespace"
 	kuberepository "github.com/argoproj-labs/argocd-agent/internal/backend/kubernetes/repository"
+	"github.com/argoproj-labs/argocd-agent/internal/config"
 	"github.com/argoproj-labs/argocd-agent/internal/event"
 	"github.com/argoproj-labs/argocd-agent/internal/informer"
 	"github.com/argoproj-labs/argocd-agent/internal/kube"
@@ -171,10 +172,10 @@ func NewAgent(ctx context.Context, client *kube.KubernetesClient, namespace stri
 
 	// appListFunc and watchFunc are anonymous functions for the informer
 	appListFunc := func(ctx context.Context, opts v1.ListOptions) (runtime.Object, error) {
-		return client.ApplicationsClientset.ArgoprojV1alpha1().Applications(a.namespace).List(ctx, opts)
+		return client.ApplicationsClientset.ArgoprojV1alpha1().Applications(a.namespace).List(ctx, config.DefaultLabelSelector())
 	}
 	appWatchFunc := func(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-		return client.ApplicationsClientset.ArgoprojV1alpha1().Applications(a.namespace).Watch(ctx, opts)
+		return client.ApplicationsClientset.ArgoprojV1alpha1().Applications(a.namespace).Watch(ctx, config.DefaultLabelSelector())
 	}
 
 	appInformerOptions := []informer.InformerOption[*v1alpha1.Application]{
@@ -213,11 +214,11 @@ func NewAgent(ctx context.Context, client *kube.KubernetesClient, namespace stri
 	appManagerOpts = append(appManagerOpts, application.WithAllowUpsert(allowUpsert))
 
 	projListFunc := func(ctx context.Context, opts v1.ListOptions) (runtime.Object, error) {
-		return client.ApplicationsClientset.ArgoprojV1alpha1().AppProjects(a.namespace).List(ctx, opts)
+		return client.ApplicationsClientset.ArgoprojV1alpha1().AppProjects(a.namespace).List(ctx, config.DefaultLabelSelector())
 	}
 
 	projWatchFunc := func(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-		return client.ApplicationsClientset.ArgoprojV1alpha1().AppProjects(a.namespace).Watch(ctx, opts)
+		return client.ApplicationsClientset.ArgoprojV1alpha1().AppProjects(a.namespace).Watch(ctx, config.DefaultLabelSelector())
 	}
 
 	projInformerOptions := []informer.InformerOption[*v1alpha1.AppProject]{
@@ -253,10 +254,10 @@ func NewAgent(ctx context.Context, client *kube.KubernetesClient, namespace stri
 
 	repoInformerOptions := []informer.InformerOption[*corev1.Secret]{
 		informer.WithListHandler[*corev1.Secret](func(ctx context.Context, opts v1.ListOptions) (runtime.Object, error) {
-			return client.Clientset.CoreV1().Secrets(a.namespace).List(ctx, opts)
+			return client.Clientset.CoreV1().Secrets(a.namespace).List(ctx, config.DefaultLabelSelector())
 		}),
 		informer.WithWatchHandler[*corev1.Secret](func(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
-			return client.Clientset.CoreV1().Secrets(a.namespace).Watch(ctx, opts)
+			return client.Clientset.CoreV1().Secrets(a.namespace).Watch(ctx, config.DefaultLabelSelector())
 		}),
 		informer.WithAddHandler[*corev1.Secret](a.handleRepositoryCreation),
 		informer.WithUpdateHandler[*corev1.Secret](a.handleRepositoryUpdate),

agent/agent_test.go

@@ -21,24 +21,26 @@ import (
 	"testing"
 
 	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/runtime"
 
+	"github.com/argoproj-labs/argocd-agent/internal/kube"
 	"github.com/argoproj-labs/argocd-agent/pkg/client"
-	"github.com/argoproj-labs/argocd-agent/test/fake/kube"
+	fakekube "github.com/argoproj-labs/argocd-agent/test/fake/kube"
 	"github.com/stretchr/testify/require"
 )
 
-func newAgent(t *testing.T) *Agent {
+func newAgent(t *testing.T, apps ...runtime.Object) (*Agent, *kube.KubernetesClient) {
 	t.Helper()
-	kubec := kube.NewKubernetesFakeClientWithApps("argocd")
+	kubec := fakekube.NewKubernetesFakeClientWithApps("argocd", apps...)
 	remote, err := client.NewRemote("127.0.0.1", 8080)
 	require.NoError(t, err)
 	agent, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote))
 	require.NoError(t, err)
-	return agent
+	return agent, kubec
 }
 
 func Test_NewAgent(t *testing.T) {
-	kubec := kube.NewKubernetesFakeClientWithApps("agent")
+	kubec := fakekube.NewKubernetesFakeClientWithApps("agent")
 	agent, err := NewAgent(context.TODO(), kubec, "agent", WithRemote(&client.Remote{}))
 	require.NotNil(t, agent)
 	require.NoError(t, err)
@@ -209,7 +211,7 @@ func Test_NewAgent(t *testing.T) {
 // }
 
 func Test_Healthz(t *testing.T) {
-	agent := newAgent(t)
+	agent, _ := newAgent(t)
 	require.NotNil(t, agent)
 
 	t.Run("Healthz when agent is connected", func(t *testing.T) {

agent/connection_test.go

@@ -24,7 +24,7 @@ import (
 )
 
 func TestResyncOnStart(t *testing.T) {
-	a := newAgent(t)
+	a, _ := newAgent(t)
 	a.emitter = event.NewEventSource("test")
 	a.kubeClient.RestConfig = &rest.Config{}
 	logCtx := log()

agent/filters.go

@@ -15,6 +15,7 @@
 package agent
 
 import (
+	"github.com/argoproj-labs/argocd-agent/internal/config"
 	"github.com/argoproj-labs/argocd-agent/internal/filter"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v3/util/glob"
@@ -28,7 +29,7 @@ func (a *Agent) DefaultAppFilterChain() *filter.Chain[*v1alpha1.Application] {
 
 	// Admit based on namespace of the application
 	fc.AppendAdmitFilter(func(app *v1alpha1.Application) bool {
-		if !glob.MatchStringInList(append([]string{a.namespace}, a.options.namespaces...), app.Namespace, glob.REGEXP) {
+		if !glob.MatchStringInList(append([]string{a.namespace}, a.allowedNamespaces...), app.Namespace, glob.REGEXP) {
 			log().Warnf("namespace not allowed: %s", app.QualifiedName())
 			return false
 		}
@@ -39,6 +40,14 @@ func (a *Agent) DefaultAppFilterChain() *filter.Chain[*v1alpha1.Application] {
 		return true
 	})
 
+	// Ignore applications that have the skip sync label
+	fc.AppendAdmitFilter(func(app *v1alpha1.Application) bool {
+		if v, ok := app.Labels[config.SkipSyncLabel]; ok && v == "true" {
+			return false
+		}
+		return true
+	})
+
 	return fc
 }
 

agent/filters_test.go

@@ -0,0 +1,251 @@
+// Copyright 2025 The argocd-agent Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package agent
+
+import (
+	"context"
+	"testing"
+
+	"github.com/argoproj-labs/argocd-agent/internal/config"
+	"github.com/argoproj-labs/argocd-agent/pkg/client"
+	fakekube "github.com/argoproj-labs/argocd-agent/test/fake/kube"
+	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestDefaultAppFilterChain_SkipSyncLabel(t *testing.T) {
+	kubec := fakekube.NewKubernetesFakeClientWithApps("argocd")
+	remote, err := client.NewRemote("127.0.0.1", 8080)
+	require.NoError(t, err)
+	agent, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote))
+	require.NoError(t, err)
+
+	filterChain := agent.DefaultAppFilterChain()
+
+	tests := []struct {
+		name     string
+		app      *v1alpha1.Application
+		expected bool
+	}{
+		{
+			name: "Application without skip sync label should be admitted",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "argocd",
+					Labels:    map[string]string{},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "Application with skip sync label set to false should be admitted",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "argocd",
+					Labels: map[string]string{
+						config.SkipSyncLabel: "false",
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "Application with skip sync label set to empty string should be admitted",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "argocd",
+					Labels: map[string]string{
+						config.SkipSyncLabel: "",
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "Application with skip sync label set to true should be rejected",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "argocd",
+					Labels: map[string]string{
+						config.SkipSyncLabel: "true",
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "Application with skip sync label set to TRUE (case sensitive) should be admitted",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "argocd",
+					Labels: map[string]string{
+						config.SkipSyncLabel: "TRUE",
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "Application with skip sync label and other labels should be rejected when skip sync is true",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "argocd",
+					Labels: map[string]string{
+						config.SkipSyncLabel:           "true",
+						"app.kubernetes.io/name":       "test-app",
+						"app.kubernetes.io/instance":   "prod",
+						"app.kubernetes.io/managed-by": "argocd",
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "Application in wrong namespace with skip sync label should be rejected (namespace filter takes precedence)",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "wrong-namespace",
+					Labels: map[string]string{
+						config.SkipSyncLabel: "false",
+					},
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := filterChain.Admit(tt.app)
+			assert.Equal(t, tt.expected, result, "Filter result should match expected value")
+		})
+	}
+}
+
+func TestDefaultAppFilterChain_NamespaceAndSkipSyncInteraction(t *testing.T) {
+	kubec := fakekube.NewKubernetesFakeClientWithApps("argocd")
+	remote, err := client.NewRemote("127.0.0.1", 8080)
+	require.NoError(t, err)
+
+	// Create agent with multiple allowed namespaces
+	agent, err := NewAgent(context.TODO(), kubec, "argocd",
+		WithRemote(remote),
+		WithAllowedNamespaces("argocd", "apps", "staging"))
+	require.NoError(t, err)
+
+	filterChain := agent.DefaultAppFilterChain()
+
+	tests := []struct {
+		name     string
+		app      *v1alpha1.Application
+		expected bool
+		reason   string
+	}{
+		{
+			name: "App in allowed namespace without skip sync label should be admitted",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "apps",
+				},
+			},
+			expected: true,
+			reason:   "Namespace is allowed, no skip sync label",
+		},
+		{
+			name: "App in allowed namespace with skip sync=true should be rejected",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "staging",
+					Labels: map[string]string{
+						config.SkipSyncLabel: "true",
+					},
+				},
+			},
+			expected: false,
+			reason:   "Skip sync label takes effect even in allowed namespace",
+		},
+		{
+			name: "App in disallowed namespace with skip sync=false should be rejected",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-app",
+					Namespace: "production",
+					Labels: map[string]string{
+						config.SkipSyncLabel: "false",
+					},
+				},
+			},
+			expected: false,
+			reason:   "Namespace filter rejects before skip sync filter",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := filterChain.Admit(tt.app)
+			assert.Equal(t, tt.expected, result, tt.reason)
+		})
+	}
+}
+
+func TestDefaultAppFilterChain_ProcessChange(t *testing.T) {
+	kubec := fakekube.NewKubernetesFakeClientWithApps("argocd")
+	remote, err := client.NewRemote("127.0.0.1", 8080)
+	require.NoError(t, err)
+	agent, err := NewAgent(context.TODO(), kubec, "argocd", WithRemote(remote))
+	require.NoError(t, err)
+
+	filterChain := agent.DefaultAppFilterChain()
+
+	oldApp := &v1alpha1.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-app",
+			Namespace: "argocd",
+			Labels: map[string]string{
+				config.SkipSyncLabel: "false",
+			},
+		},
+	}
+
+	newApp := &v1alpha1.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-app",
+			Namespace: "argocd",
+			Labels: map[string]string{
+				config.SkipSyncLabel: "true",
+			},
+		},
+	}
+
+	// Test that change processing works (no change filters are currently implemented)
+	result := filterChain.ProcessChange(oldApp, newApp)
+	assert.True(t, result, "ProcessChange should return true when no change filters are defined")
+}
+
+func init() {
+	logrus.SetLevel(logrus.TraceLevel)
+}