fix: Better transformation of AppProjects from autonomous agents (#500)

jannfis · web-flow · commit c5d8972416d4 · 2025-08-11T07:16:03.000-04:00
Signed-off-by: jannfis &lt;jann@mistrust.net&gt;
diff --git a/docs/user-guide/appprojects.md b/docs/user-guide/appprojects.md
@@ -43,7 +43,7 @@ spec:
   - agent-*
   destinations:
   - name: agent-*
-    namespace: "*"
+    namespace: "guestbook"
     server: "*"
   sourceRepos:
   - "*"
@@ -55,13 +55,13 @@ When this AppProject is created on the principal, it will be automatically distr
 
 When an AppProject is sent to an agent, it undergoes transformation to make it agent-specific:
 
-1. **Destinations**: Only destinations matching the agent are kept, and they're transformed to point to the local cluster:
+1. **Destinations**: Only destinations matching the agent are kept (using glob pattern matching), and they're transformed to point to the local cluster:
 
 ```yaml
    destinations:
    - name: "in-cluster"
      server: "https://kubernetes.default.svc"
-     namespace: "*"
+     namespace: "guestbook"  # Preserves original namespace restrictions
 ```
 
 2. **Source Namespaces**: Limited to only the agent's namespace:
@@ -99,24 +99,90 @@ spec:
   - name: "in-cluster"
     namespace: "*"
     server: "https://kubernetes.default.svc"
+  # Can also have multiple destinations - all will be transformed
+  - name: "another-destination"
+    namespace: "specific-ns"
+    server: "https://kubernetes.default.svc"
   sourceNamespaces:
   - argocd
   sourceRepos:
   - "*"
 ```
 
+When this AppProject is created on an autonomous agent named `agent-production`, it will be transformed and appear on the principal as:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: agent-production-my-project  # Prefixed with agent name
+  namespace: argocd                  # Placed in Argo CD namespace on principal
+spec:
+  destinations:
+  - name: agent-production           # All destinations point to agent
+    namespace: "*"
+    server: "*"
+  - name: agent-production
+    namespace: "specific-ns"         # Original namespace restrictions preserved
+    server: "*"
+  sourceNamespaces:
+  - agent-production                 # Agent's namespace on principal
+  sourceRepos:
+  - "*"
+```
+
 ### Principal-Side Transformation
 
 When an AppProject is received from an autonomous agent, the principal applies transformations:
 
+!!! note
+    AppProjects from autonomous agents on the control plane are not used for reconciliation (there is no app controller running on the principal for these projects). Instead, they allow the Argo CD API (and UI, CLI) to determine which operations are valid to be performed on Applications that reference these AppProjects.
+
+!!! warning "Important"
+    AppProjects that are synced from autonomous agents should not be used by other Applications outside of that agent, as they may change unpredictably when the autonomous agent modifies its local AppProject configuration.
+
 1. **Name Prefixing**: The project name is prefixed with the agent name to avoid conflicts:
 
 ```
    Original: my-project
    On Principal: agent-production-my-project
 ```
 
-2. **Namespace Mapping**: The project is placed in the agent's corresponding namespace on the principal
+2. **Source Namespaces**: Transformed to allow Applications from the agent's namespace on the principal:
+
+```yaml
+   sourceNamespaces:
+   - agent-production  # The agent's namespace on the principal
+```
+
+3. **Destinations**: All destinations are transformed to point to the agent cluster:
+
+```yaml
+   destinations:
+   - name: agent-production  # The agent name
+     server: "*"
+     namespace: "*"  # Preserves original namespace restrictions
+```
+
+4. **Namespace Mapping**: The project is placed in the Argo CD namespace on the principal (same as where other AppProjects reside)
+
+## Key Transformation Differences
+
+The transformation logic differs significantly between managed and autonomous agents:
+
+### Managed Agents (Principal → Agent)
+- **Direction**: AppProject flows from principal to agent
+- **Selection**: Uses glob pattern matching on `sourceNamespaces` and `destinations` to determine which agents receive the project
+- **Destinations**: Filtered to only include destinations matching the agent, then transformed to `in-cluster`
+- **Source Namespaces**: Replaced with the single agent namespace
+- **Name**: Remains unchanged
+
+### Autonomous Agents (Agent → Principal)
+- **Direction**: AppProject flows from agent to principal  
+- **Selection**: All AppProjects created on autonomous agents are synchronized
+- **Destinations**: All destinations are transformed to point to the agent cluster (name = agent name, server = "*")
+- **Source Namespaces**: Replaced with the agent's namespace on the principal
+- **Name**: Prefixed with agent name to avoid conflicts
 
 ### Lifecycle Management
 
diff --git a/hack/dev-env/apps/autonomous-guestbook.yaml b/hack/dev-env/apps/autonomous-guestbook.yaml
@@ -4,7 +4,7 @@ metadata:
   name: guestbook
   namespace: argocd
 spec:
-  project: default
+  project: test-project
   source:
     repoURL: https://github.com/argoproj/argocd-example-apps
     targetRevision: HEAD
diff --git a/hack/dev-env/apps/autonomous-project.yaml b/hack/dev-env/apps/autonomous-project.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: test-project
+  namespace: argocd
+spec:
+  clusterResourceWhitelist:
+  - group: ''
+    kind: Namespace
+  destinations:
+  - namespace: 'guestbook'
+    name: 'in-cluster'
+    server: 'https://kubernetes.default.svc'
+  sourceRepos:
+  - '*'
+
diff --git a/principal/event.go b/principal/event.go
@@ -24,7 +24,6 @@ import (
 	"github.com/argoproj-labs/argocd-agent/internal/event"
 	"github.com/argoproj-labs/argocd-agent/internal/kube"
 	"github.com/argoproj-labs/argocd-agent/internal/manager"
-	"github.com/argoproj-labs/argocd-agent/internal/manager/appproject"
 	"github.com/argoproj-labs/argocd-agent/internal/metrics"
 	"github.com/argoproj-labs/argocd-agent/internal/namedlock"
 	"github.com/argoproj-labs/argocd-agent/internal/resync"
@@ -150,11 +149,9 @@ func (s *Server) processApplicationEvent(ctx context.Context, agentName string,
 		}
 
 		// AppProjects from the autonomous agents are prefixed with the agent name
-		if incoming.Spec.Project != appproject.DefaultAppProjectName {
-			incoming.Spec.Project, err = agentPrefixedProjectName(incoming.Spec.Project, agentName)
-			if err != nil {
-				return fmt.Errorf("could not prefix project name: %w", err)
-			}
+		incoming.Spec.Project, err = agentPrefixedProjectName(incoming.Spec.Project, agentName)
+		if err != nil {
+			return fmt.Errorf("could not prefix project name: %w", err)
 		}
 
 		// Set the destination name to the cluster mapping for the agent
@@ -293,11 +290,18 @@ func (s *Server) processAppProjectEvent(ctx context.Context, agentName string, e
 
 	// AppProjects coming from different autonomous agents could have the same name,
 	// so we prefix the project name with the agent name
-	if agentMode.IsAutonomous() && incoming.Name != appproject.DefaultAppProjectName {
+	if agentMode.IsAutonomous() {
 		incoming.Name, err = agentPrefixedProjectName(incoming.Name, agentName)
 		if err != nil {
 			return fmt.Errorf("could not prefix project name: %w", err)
 		}
+		// Set the source namespaces to allow the agent's namespace on the principal
+		incoming.Spec.SourceNamespaces = []string{agentName}
+		// Set all destinations to point to the agent cluster
+		for i := range incoming.Spec.Destinations {
+			incoming.Spec.Destinations[i].Name = agentName
+			incoming.Spec.Destinations[i].Server = "*"
+		}
 	}
 
 	switch ev.Type() {
diff --git a/principal/event_test.go b/principal/event_test.go
@@ -312,7 +312,7 @@ func Test_UpdateEvents(t *testing.T) {
 		assert.Equal(t, "foo", napp.Spec.Destination.Name)
 		assert.Equal(t, "", napp.Spec.Destination.Server)
 		assert.Nil(t, napp.Operation)
-		assert.Equal(t, "default", napp.Spec.Project)
+		assert.Equal(t, "foo-default", napp.Spec.Project)
 		assert.Equal(t, v1alpha1.SyncStatusCodeSynced, napp.Status.Sync.Status)
 	})
 
@@ -507,6 +507,16 @@ func Test_processAppProjectEvent(t *testing.T) {
 			},
 			Spec: v1alpha1.AppProjectSpec{
 				SourceRepos: []string{"foo"},
+				Destinations: []v1alpha1.ApplicationDestination{
+					{
+						Name:   "original-cluster",
+						Server: "https://original.server.com",
+					},
+					{
+						Name:   "another-cluster",
+						Server: "https://another.server.com",
+					},
+				},
 			},
 		}
 
@@ -534,6 +544,16 @@ func Test_processAppProjectEvent(t *testing.T) {
 		createdProject, err := fac.ApplicationsClientset.ArgoprojV1alpha1().AppProjects("argocd").Get(context.TODO(), projName, v1.GetOptions{})
 		assert.NoError(t, err)
 		assert.Equal(t, projName, createdProject.Name)
+
+		// Check that SourceNamespaces is set to the agent name
+		assert.Equal(t, []string{"foo"}, createdProject.Spec.SourceNamespaces)
+
+		// Check that all destinations are updated to point to the agent cluster
+		assert.Len(t, createdProject.Spec.Destinations, 2)
+		for _, dest := range createdProject.Spec.Destinations {
+			assert.Equal(t, "foo", dest.Name)
+			assert.Equal(t, "*", dest.Server)
+		}
 	})
 
 	t.Run("Update appProject in autonomous mode", func(t *testing.T) {
@@ -544,6 +564,12 @@ func Test_processAppProjectEvent(t *testing.T) {
 			},
 			Spec: v1alpha1.AppProjectSpec{
 				SourceRepos: []string{"foo"},
+				Destinations: []v1alpha1.ApplicationDestination{
+					{
+						Name:   "original-cluster",
+						Server: "https://original.server.com",
+					},
+				},
 			},
 		}
 
@@ -554,6 +580,7 @@ func Test_processAppProjectEvent(t *testing.T) {
 
 		updatedProject := project.DeepCopy()
 		updatedProject.Spec.Description = "updated"
+		updatedProject.Name = "test" // Use original name (will be prefixed)
 		ev.SetData(cloudevents.ApplicationJSON, updatedProject)
 
 		wq := wqmock.NewTypedRateLimitingInterface[*cloudevents.Event](t)
@@ -567,13 +594,21 @@ func Test_processAppProjectEvent(t *testing.T) {
 		_, err = s.processRecvQueue(context.Background(), "foo", wq)
 		assert.NoError(t, err)
 
-		projName, err := agentPrefixedProjectName(project.Name, "foo")
+		projName, err := agentPrefixedProjectName(updatedProject.Name, "foo")
 		assert.Nil(t, err)
 
-		// Check that the AppProject was created with the prefixed name
+		// Check that the AppProject was updated with the correct changes
 		got, err := fac.ApplicationsClientset.ArgoprojV1alpha1().AppProjects("argocd").Get(context.TODO(), projName, v1.GetOptions{})
 		assert.NoError(t, err)
 		assert.Equal(t, updatedProject.Spec.Description, got.Spec.Description)
+
+		// Check that SourceNamespaces is set to the agent name
+		assert.Equal(t, []string{"foo"}, got.Spec.SourceNamespaces)
+
+		// Check that all destinations are updated to point to the agent cluster
+		assert.Len(t, got.Spec.Destinations, 1)
+		assert.Equal(t, "foo", got.Spec.Destinations[0].Name)
+		assert.Equal(t, "*", got.Spec.Destinations[0].Server)
 	})
 
 	t.Run("Delete AppProject in managed mode", func(t *testing.T) {
diff --git a/test/e2e2/basic_test.go b/test/e2e2/basic_test.go
@@ -169,6 +169,7 @@ func (suite *BasicTestSuite) Test_AgentAutonomous() {
 	requires.NoError(err)
 	app.Spec.Destination.Name = "agent-autonomous"
 	app.Spec.Destination.Server = ""
+	app.Spec.Project = "agent-autonomous-default"
 	requires.Equal(&app.Spec, &papp.Spec)
 
 	// Modify the application on the autonomous-agent and ensure the change is
diff --git a/test/e2e2/fixture/fixture.go b/test/e2e2/fixture/fixture.go
@@ -62,11 +62,33 @@ func (suite *BaseSuite) SetupSuite() {
 	requires.Nil(err)
 	suite.AutonomousAgentClient, err = NewKubeClient(config)
 	requires.Nil(err)
+
 }
 
 func (suite *BaseSuite) SetupTest() {
 	err := CleanUp(suite.Ctx, suite.PrincipalClient, suite.ManagedAgentClient, suite.AutonomousAgentClient)
 	suite.Require().Nil(err)
+
+	// Ensure that the autonomous agent's default AppProject exists on the principal
+	project := &argoapp.AppProject{}
+	key := types.NamespacedName{Name: "default", Namespace: "argocd"}
+	err = suite.AutonomousAgentClient.Get(suite.Ctx, key, project, metav1.GetOptions{})
+	suite.Require().Nil(err)
+	now := time.Now().Format(time.RFC3339)
+	project.Annotations = map[string]string{"created": now}
+	err = suite.AutonomousAgentClient.Update(suite.Ctx, project, metav1.UpdateOptions{})
+	suite.Require().Nil(err)
+
+	suite.Require().Eventually(func() bool {
+		project := &argoapp.AppProject{}
+		key := types.NamespacedName{Name: "agent-autonomous-default", Namespace: "argocd"}
+		err := suite.PrincipalClient.Get(suite.Ctx, key, project, metav1.GetOptions{})
+		if err != nil {
+			suite.T().Log(err)
+		}
+		return err == nil && len(project.Annotations) > 0 && project.Annotations["created"] == now
+	}, 10*time.Second, 1*time.Second)
+
 	suite.T().Logf("Test begun at: %v", time.Now())
 }
 
diff --git a/test/e2e2/resync_test.go b/test/e2e2/resync_test.go
@@ -504,6 +504,7 @@ func (suite *ResyncTestSuite) createAutonomousApp() *argoapp.Application {
 	requires.NoError(err)
 	app.Spec.Destination.Name = "agent-autonomous"
 	app.Spec.Destination.Server = ""
+	app.Spec.Project = "agent-autonomous-default"
 	requires.Equal(&app.Spec, &papp.Spec)
 
 	return &app
diff --git a/test/e2e2/sync_test.go b/test/e2e2/sync_test.go
@@ -245,6 +245,7 @@ func (suite *SyncTestSuite) Test_SyncAutonomous() {
 	requires.NoError(err)
 	app.Spec.Destination.Name = "agent-autonomous"
 	app.Spec.Destination.Server = ""
+	app.Spec.Project = "agent-autonomous-default"
 	requires.Equal(&app.Spec, &papp.Spec)
 
 	// Modify the application on the autonomous-agent and ensure the change is
