From 7f11a5075131882323c48f2768b8c4f60bb22db1 Mon Sep 17 00:00:00 2001
From: Matt Pryor
Date: Mon, 30 Jan 2023 17:16:31 +0000
Subject: [PATCH 1/2] Only respect controller refs for resources
Signed-off-by: Matt Pryor
---
 pkg/cache/references.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/pkg/cache/references.go b/pkg/cache/references.go
index 218983655..90412bf8d 100644
--- a/pkg/cache/references.go
+++ b/pkg/cache/references.go
@@ -20,9 +20,17 @@ func mightHaveInferredOwner(r *Resource) bool {
 func (c *clusterCache) resolveResourceReferences(un *unstructured.Unstructured) ([]metav1.OwnerReference, func(kube.ResourceKey) bool) {
 var isInferredParentOf func(_ kube.ResourceKey) bool
- ownerRefs := un.GetOwnerReferences()
+ allOwnerRefs := un.GetOwnerReferences()
 gvk := un.GroupVersionKind()
+ // TODO: Put this behind a gate
+ ownerRefs := []metav1.OwnerReference{}
+ for _, ownerRef := range allOwnerRefs {
+ if ownerRef.Controller != nil && *ownerRef.Controller {
+ ownerRefs = append(ownerRefs, ownerRef)
+ }
+ }
+
 switch {
 // Special case for endpoint. Remove after https://github.com/kubernetes/kubernetes/issues/28483 is fixed
From b0e28e350b47c0f65e3b8185ed465e62552a0271 Mon Sep 17 00:00:00 2001
From: Matt Pryor
Date: Wed, 1 Feb 2023 12:44:31 +0000
Subject: [PATCH 2/2] Move code behind a resource-specific annotation
Signed-off-by: Matt Pryor
---
 pkg/cache/references.go | 16 ++++++++++------
 pkg/sync/common/types.go | 2 ++
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/pkg/cache/references.go b/pkg/cache/references.go
index 90412bf8d..da47467e9 100644
--- a/pkg/cache/references.go
+++ b/pkg/cache/references.go
@@ -10,6 +10,8 @@ import (
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/types"
+ synccommon "github.com/argoproj/gitops-engine/pkg/sync/common"
+ syncresource "github.com/argoproj/gitops-engine/pkg/sync/resource"
 "github.com/argoproj/gitops-engine/pkg/utils/kube"
 )
@@ -20,15 +22,17 @@ func mightHaveInferredOwner(r *Resource) bool {
 func (c *clusterCache) resolveResourceReferences(un *unstructured.Unstructured) ([]metav1.OwnerReference, func(kube.ResourceKey) bool) {
 var isInferredParentOf func(_ kube.ResourceKey) bool
- allOwnerRefs := un.GetOwnerReferences()
+ ownerRefs := un.GetOwnerReferences()
 gvk := un.GroupVersionKind()
- // TODO: Put this behind a gate
- ownerRefs := []metav1.OwnerReference{}
- for _, ownerRef := range allOwnerRefs {
- if ownerRef.Controller != nil && *ownerRef.Controller {
- ownerRefs = append(ownerRefs, ownerRef)
+ if syncresource.HasAnnotationOption(un, synccommon.AnnotationSyncOptions, synccommon.SyncOptionControllerReferencesOnly) {
+ controllerOwnerRefs := []metav1.OwnerReference{}
+ for _, ownerRef := range un.GetOwnerReferences() {
+ if ownerRef.Controller != nil && *ownerRef.Controller {
+ controllerOwnerRefs = append(controllerOwnerRefs, ownerRef)
+ }
 }
+ return controllerOwnerRefs, isInferredParentOf
 }
 switch {
diff --git a/pkg/sync/common/types.go b/pkg/sync/common/types.go
index 3aaeb6376..b21493dc1 100644
--- a/pkg/sync/common/types.go
+++ b/pkg/sync/common/types.go
@@ -31,6 +31,8 @@ const (
 SyncOptionServerSideApply = "ServerSideApply=true"
 // Sync option that disables resource deletion
 SyncOptionDisableDeletion = "Delete=false"
+ // Sync option that means only controller owner references are respected
+ SyncOptionControllerReferencesOnly = "ControllerReferencesOnly=true"
 )
 type PermissionValidator func(un *unstructured.Unstructured, res *metav1.APIResource) error
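Review bot: The early `return controllerOwnerRefs, isInferredParentOf` leaves the function before the `switch` that follows, so an annotated resource skips whatever special cases that switch holds (the first patch's context shows an Endpoints case there) and always gets a nil `isInferredParentOf`. If the intent is only to drop non-controller references, replacing the return with `ownerRefs = controllerOwnerRefs` and falling through would keep the rest of the resolution intact; if skipping the switch is intended, a comment above the return should say so. The loop can also range over the `ownerRefs` already fetched instead of calling `un.GetOwnerReferences()` a second time. The body of resolveResourceReferences continues outside the hunk, so the effect on the later cases is inferred from the visible context only.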
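Review bot: The comment on `SyncOptionControllerReferencesOnly` does not say where the option takes effect or who controls it. As far as this series shows, it is consulted in `resolveResourceReferences` in pkg/cache on the annotations of the object being cached, so anyone able to annotate that object decides which of its owner references the cache records. A comment such as `// Sync option, read from the resource's own annotations by the cluster cache, that makes only owner references with controller=true count as owners` would make that explicit for operators reviewing who may edit annotations. The const block starts outside the hunk.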