fix: Drop owner references from autonomous agent events (#524)

Signed-off-by: navin <[email protected]>

Author: ncr38

agent/inbound.go

@@ -104,12 +104,15 @@ func (a *Agent) processIncomingApplication(ev *event.Event) error {
 
 	var exists, sourceUIDMatch bool
 
-	// Source UID annotation is not present for apps on the autonomous agent since it is the source of truth.
 	if a.mode == types.AgentModeManaged {
+		// Source UID annotation is not present for apps on the autonomous agent since it is the source of truth.
 		exists, sourceUIDMatch, err = a.appManager.CompareSourceUID(a.context, incomingApp)
 		if err != nil {
 			return fmt.Errorf("failed to compare the source UID of app: %w", err)
 		}
+		// In managed mode, Drop ownerReferences from the incoming resource
+		// This can lead to garbage-collection of the resource on the agent cluster, if referenced owner is missing. For example, AppSet
+		incomingApp.OwnerReferences = nil
 	}
 
 	switch ev.Type() {
@@ -195,6 +198,12 @@ func (a *Agent) processIncomingAppProject(ev *event.Event) error {
 		return fmt.Errorf("failed to validate source UID of appProject: %w", err)
 	}
 
+	if a.mode == types.AgentModeManaged {
+		// In managed mode, Drop ownerReferences from the incoming resource
+		// This can lead to garbage-collection of the resource on the agent cluster, if referenced owner is missing. For example, AppSet
+		incomingAppProject.OwnerReferences = nil
+	}
+
 	switch ev.Type() {
 	case event.Create:
 		if exists {

agent/inbound_test.go

@@ -48,6 +48,14 @@ func Test_CreateApplication(t *testing.T) {
 	app := &v1alpha1.Application{ObjectMeta: v1.ObjectMeta{
 		Name:      "test",
 		Namespace: "default",
+		OwnerReferences: []v1.OwnerReference{
+			{
+				APIVersion: "argoproj.io/v1alpha1",
+				Kind:       "ApplicationSet",
+				Name:       "owner",
+				UID:        "uid-1",
+			},
+		},
 	}}
 	t.Run("Discard event in unmanaged mode", func(t *testing.T) {
 		napp, err := a.createApplication(app)
@@ -72,6 +80,7 @@ func Test_CreateApplication(t *testing.T) {
 		napp, err := a.createApplication(app)
 		require.NoError(t, err)
 		require.NotNil(t, napp)
+		require.Empty(t, napp.OwnerReferences, "OwnerReferences should not be applied on managed app")
 	})
 
 }
@@ -87,6 +96,14 @@ func Test_ProcessIncomingAppWithUIDMismatch(t *testing.T) {
 	incomingApp := &v1alpha1.Application{ObjectMeta: v1.ObjectMeta{
 		Name:      "test",
 		Namespace: "argocd",
+		OwnerReferences: []v1.OwnerReference{
+			{
+				APIVersion: "argoproj.io/v1alpha1",
+				Kind:       "ApplicationSet",
+				Name:       "owner",
+				UID:        "uid-1",
+			},
+		},	
 	}}
 
 	// oldApp is the app that is already present on the agent
@@ -540,6 +557,14 @@ func Test_UpdateApplication(t *testing.T) {
 			Name:            "test",
 			Namespace:       "default",
 			ResourceVersion: "12345",
+			OwnerReferences: []v1.OwnerReference{
+				{
+					APIVersion: "argoproj.io/v1alpha1",
+					Kind:       "ApplicationSet",
+					Name:       "owner",
+					UID:        "uid-1",
+				},
+			},
 		}}
 	t.Run("Discard event because version has been seen already", func(t *testing.T) {
 		defer a.appManager.ClearIgnored()
@@ -561,6 +586,7 @@ func Test_UpdateApplication(t *testing.T) {
 		napp, err := a.updateApplication(app)
 		require.NoError(t, err)
 		require.NotNil(t, napp)
+		require.Empty(t, napp.OwnerReferences, "OwnerReferences should not be applied on managed app")
 	})
 
 	t.Run("Update application using update in managed mode", func(t *testing.T) {
@@ -575,6 +601,7 @@ func Test_UpdateApplication(t *testing.T) {
 		napp, err := a.updateApplication(app)
 		require.NoError(t, err)
 		require.NotNil(t, napp)
+		require.Empty(t, napp.OwnerReferences, "OwnerReferences should not be applied on managed app")
 	})
 
 	t.Run("Update application using patch in autonomous mode", func(t *testing.T) {
@@ -620,6 +647,14 @@ func Test_CreateAppProject(t *testing.T) {
 		ObjectMeta: v1.ObjectMeta{
 			Name:      "test",
 			Namespace: "default",
+			OwnerReferences: []v1.OwnerReference{
+				{
+					APIVersion: "argoproj.io/v1alpha1",
+					Kind:       "Application",
+					Name:       "owner",
+					UID:        "uid-1",
+				},
+			},
 		}, Spec: v1alpha1.AppProjectSpec{
 			SourceNamespaces: []string{"default", "argocd"},
 		},
@@ -648,6 +683,7 @@ func Test_CreateAppProject(t *testing.T) {
 		napp, err := a.createAppProject(project)
 		require.NoError(t, err)
 		require.NotNil(t, napp)
+		require.Empty(t, napp.OwnerReferences, "OwnerReferences should not be applied on managed app project")
 	})
 
 	t.Run("Create appproject", func(t *testing.T) {
@@ -658,6 +694,7 @@ func Test_CreateAppProject(t *testing.T) {
 		napp, err := a.createAppProject(project)
 		require.NoError(t, err)
 		require.NotNil(t, napp)
+		require.Empty(t, napp.OwnerReferences, "OwnerReferences should not be applied on managed app project")
 	})
 
 }
@@ -674,6 +711,14 @@ func Test_UpdateAppProject(t *testing.T) {
 			Name:            "test",
 			Namespace:       "argocd",
 			ResourceVersion: "12345",
+			OwnerReferences: []v1.OwnerReference{
+				{
+					APIVersion: "argoproj.io/v1alpha1",
+					Kind:       "Application",
+					Name:       "owner",
+					UID:        "uid-1",
+				},
+			},
 		},
 		Spec: v1alpha1.AppProjectSpec{
 			SourceNamespaces: []string{"default", "argocd"},
@@ -693,6 +738,7 @@ func Test_UpdateAppProject(t *testing.T) {
 		napp, err := a.updateAppProject(project)
 		require.NoError(t, err)
 		require.NotNil(t, napp)
+		require.Empty(t, napp.OwnerReferences, "OwnerReferences should not be applied on managed app project")
 	})
 
 	t.Run("Create the appproject if it doesn't exist", func(t *testing.T) {
@@ -703,6 +749,7 @@ func Test_UpdateAppProject(t *testing.T) {
 		napp, err := a.updateAppProject(project)
 		require.NoError(t, err)
 		require.NotNil(t, napp)
+		require.Empty(t, napp.OwnerReferences, "OwnerReferences should not be applied on managed app project")
 	})
 
 }

principal/event.go

@@ -154,6 +154,10 @@ func (s *Server) processApplicationEvent(ctx context.Context, agentName string,
 			return fmt.Errorf("could not prefix project name: %w", err)
 		}
 
+		// In autonomous mode, Drop ownerReferences from the agent-side resource
+		// Having ownerReferences can lead to garbage-collection of the resource on the control plane, if owner is missing
+		incoming.OwnerReferences = nil
+
 		// Set the destination name to the cluster mapping for the agent
 		cluster := s.clusterMgr.Mapping(agentName)
 		if cluster == nil {
@@ -297,6 +301,11 @@ func (s *Server) processAppProjectEvent(ctx context.Context, agentName string, e
 		}
 		// Set the source namespaces to allow the agent's namespace on the principal
 		incoming.Spec.SourceNamespaces = []string{agentName}
+
+		// In autonomous mode, Drop ownerReferences from the incoming resource
+		// This can lead to garbage-collection of the resource on the control plane, if owner is missing For example, AppSet
+		incoming.OwnerReferences = nil
+
 		// Set all destinations to point to the agent cluster
 		for i := range incoming.Spec.Destinations {
 			incoming.Spec.Destinations[i].Name = agentName

principal/event_test.go

@@ -146,6 +146,14 @@ func Test_CreateEvents(t *testing.T) {
 			ObjectMeta: v1.ObjectMeta{
 				Name:      "test",
 				Namespace: "argocd",
+				OwnerReferences: []v1.OwnerReference{
+					{
+						APIVersion: "argoproj.io/v1alpha1",
+						Kind:       "ApplicationSet",
+						Name:       "test",
+						UID:        "test",
+					},
+				},
 			},
 			Spec: v1alpha1.ApplicationSpec{
 				Project: "test",
@@ -183,6 +191,8 @@ func Test_CreateEvents(t *testing.T) {
 		assert.NoError(t, err)
 		require.NotNil(t, napp)
 		assert.Equal(t, "HEAD", napp.Spec.Source.TargetRevision)
+		// OwnerReferences should be dropped on the control-plane application
+		assert.Empty(t, napp.OwnerReferences)
 		// Check that the destination is set to the cluster mapping
 		assert.Equal(t, "foo", napp.Spec.Destination.Name)
 		assert.Equal(t, "", napp.Spec.Destination.Server)
@@ -200,6 +210,14 @@ func Test_CreateEvents(t *testing.T) {
 			ObjectMeta: v1.ObjectMeta{
 				Name:      "test",
 				Namespace: "argocd",
+				OwnerReferences: []v1.OwnerReference{
+					{
+						APIVersion: "argoproj.io/v1alpha1",
+						Kind:       "ApplicationSet",
+						Name:       "test",
+						UID:        "test",
+					},
+				},
 			},
 			Spec: v1alpha1.ApplicationSpec{
 				Source: &v1alpha1.ApplicationSource{
@@ -219,6 +237,7 @@ func Test_CreateEvents(t *testing.T) {
 		}
 		exapp := app.DeepCopy()
 		exapp.Namespace = "foo"
+		exapp.OwnerReferences = nil
 		fac := kube.NewKubernetesFakeClientWithApps(exapp)
 		ev := cloudevents.NewEvent()
 		ev.SetDataSchema("application")
@@ -237,6 +256,7 @@ func Test_CreateEvents(t *testing.T) {
 		napp, err := fac.ApplicationsClientset.ArgoprojV1alpha1().Applications("foo").Get(context.TODO(), "test", v1.GetOptions{})
 		assert.NoError(t, err)
 		require.NotNil(t, napp)
+		assert.Empty(t, napp.OwnerReferences)
 		// Check that the destination is set to the cluster mapping
 		assert.Equal(t, "foo", napp.Spec.Destination.Name)
 		assert.Equal(t, "", napp.Spec.Destination.Server)
@@ -250,6 +270,14 @@ func Test_UpdateEvents(t *testing.T) {
 			ObjectMeta: v1.ObjectMeta{
 				Name:      "test",
 				Namespace: "argocd",
+				OwnerReferences: []v1.OwnerReference{
+					{
+						APIVersion: "argoproj.io/v1alpha1",
+						Kind:       "ApplicationSet",
+						Name:       "test",
+						UID:        "test",
+					},
+				},
 			},
 			Spec: v1alpha1.ApplicationSpec{
 				Project: "default",
@@ -308,6 +336,8 @@ func Test_UpdateEvents(t *testing.T) {
 		assert.NoError(t, err)
 		require.NotNil(t, napp)
 		assert.Equal(t, "HEAD", napp.Spec.Source.TargetRevision)
+		// OwnerReferences should be dropped on spec update in autonomous mode
+		assert.Empty(t, napp.OwnerReferences)
 		// Check that the destination is set to the cluster mapping
 		assert.Equal(t, "foo", napp.Spec.Destination.Name)
 		assert.Equal(t, "", napp.Spec.Destination.Server)
@@ -504,6 +534,14 @@ func Test_processAppProjectEvent(t *testing.T) {
 			ObjectMeta: v1.ObjectMeta{
 				Name:      "test",
 				Namespace: "argocd",
+				OwnerReferences: []v1.OwnerReference{
+					{
+						APIVersion: "argoproj.io/v1alpha1",
+						Kind:       "ApplicationSet",
+						Name:       "owner",
+						UID:        "uid-1",
+					},
+				},
 			},
 			Spec: v1alpha1.AppProjectSpec{
 				SourceRepos: []string{"foo"},
@@ -544,6 +582,8 @@ func Test_processAppProjectEvent(t *testing.T) {
 		createdProject, err := fac.ApplicationsClientset.ArgoprojV1alpha1().AppProjects("argocd").Get(context.TODO(), projName, v1.GetOptions{})
 		assert.NoError(t, err)
 		assert.Equal(t, projName, createdProject.Name)
+		// OwnerReferences should be dropped on the control-plane appProject
+		assert.Empty(t, createdProject.OwnerReferences)
 
 		// Check that SourceNamespaces is set to the agent name
 		assert.Equal(t, []string{"foo"}, createdProject.Spec.SourceNamespaces)
@@ -579,6 +619,8 @@ func Test_processAppProjectEvent(t *testing.T) {
 		ev.SetType(event.SpecUpdate.String())
 
 		updatedProject := project.DeepCopy()
+		// include owner refs in update payload and ensure they are dropped
+		updatedProject.OwnerReferences = []v1.OwnerReference{{APIVersion: "argoproj.io/v1alpha1", Kind: "ApplicationSet", Name: "owner2", UID: "uid-2"}}
 		updatedProject.Spec.Description = "updated"
 		updatedProject.Name = "test" // Use original name (will be prefixed)
 		ev.SetData(cloudevents.ApplicationJSON, updatedProject)
@@ -601,6 +643,8 @@ func Test_processAppProjectEvent(t *testing.T) {
 		got, err := fac.ApplicationsClientset.ArgoprojV1alpha1().AppProjects("argocd").Get(context.TODO(), projName, v1.GetOptions{})
 		assert.NoError(t, err)
 		assert.Equal(t, updatedProject.Spec.Description, got.Spec.Description)
+		// OwnerReferences should be dropped on update as well
+		assert.Empty(t, got.OwnerReferences)
 
 		// Check that SourceNamespaces is set to the agent name
 		assert.Equal(t, []string{"foo"}, got.Spec.SourceNamespaces)