fix: revert updates to autonomous apps on the control plane (#567)

Signed-off-by: Chetan Banavikalmutt <[email protected]>

Author: chetan-rns

internal/manager/application/application.go

@@ -626,9 +626,9 @@ func (m *ApplicationManager) RevertManagedAppChanges(ctx context.Context, app *v
 	sourceUID, exists := app.Annotations[manager.SourceUIDAnnotation]
 	if exists && m.mode == manager.ManagerModeManaged {
 		if cachedAppSpec, ok := appCache.GetApplicationSpec(ty.UID(sourceUID), logCtx); ok {
-			logCtx.Debugf("Application: %s is available in agent cache", app.Name)
+			logCtx.Debugf("Application %s is available in agent cache", app.Name)
 
-			if diff := reflect.DeepEqual(cachedAppSpec, app.Spec); !diff {
+			if isEqual := reflect.DeepEqual(cachedAppSpec, app.Spec); !isEqual {
 				app.Spec = cachedAppSpec
 				logCtx.Infof("Reverting modifications done in application: %s", app.Name)
 				if _, err := m.UpdateManagedApp(ctx, app); err != nil {
@@ -638,12 +638,45 @@ func (m *ApplicationManager) RevertManagedAppChanges(ctx context.Context, app *v
 				return true
 			}
 		} else {
-			logCtx.Debugf("Application: %s is not available in agent cache", app.Name)
+			logCtx.Errorf("Application %s is not available in agent cache", app.Name)
 		}
 	}
 	return false
 }
 
+// RevertAutonomousAppChanges compares the actual spec with expected spec stored in cache,
+// if actual spec doesn't match with cache, then it is reverted to be in sync with cache, which is same as agent cluster.
+func (m *ApplicationManager) RevertAutonomousAppChanges(ctx context.Context, app *v1alpha1.Application) bool {
+	logCtx := log().WithFields(logrus.Fields{
+		"component":       "RevertAutonomousAppChanges",
+		"application":     app.QualifiedName(),
+		"resourceVersion": app.ResourceVersion,
+	})
+
+	sourceUID, exists := app.Annotations[manager.SourceUIDAnnotation]
+	if !exists {
+		return false
+	}
+
+	if cachedAppSpec, ok := appCache.GetApplicationSpec(ty.UID(sourceUID), logCtx); ok {
+		logCtx.Debugf("Application %s is available in agent cache", app.Name)
+
+		if isEqual := reflect.DeepEqual(cachedAppSpec, app.Spec); !isEqual {
+			app.Spec = cachedAppSpec
+			logCtx.Infof("Reverting modifications to the application: %s", app.Name)
+			if _, err := m.UpdateAutonomousApp(ctx, app.Namespace, app); err != nil {
+				logCtx.Errorf("Unable to revert modifications done in application: %s. Error: %v", app.Name, err)
+				return false
+			}
+			return true
+		}
+	} else {
+		logCtx.Errorf("Application %s is not available in agent cache", app.Name)
+	}
+
+	return false
+}
+
 func log() *logrus.Entry {
 	return logrus.WithField("component", "AppManager")
 }

principal/callbacks.go

@@ -15,6 +15,8 @@
 package principal
 
 import (
+	"fmt"
+
 	"github.com/argoproj-labs/argocd-agent/internal/event"
 	"github.com/argoproj-labs/argocd-agent/internal/manager"
 	"github.com/argoproj-labs/argocd-agent/internal/manager/appproject"
@@ -25,6 +27,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	k8stypes "k8s.io/apimachinery/pkg/types"
 )
 
 // newAppCallback is executed when a new application event was emitted from
@@ -70,6 +73,26 @@ func (s *Server) updateAppCallback(old *v1alpha1.Application, new *v1alpha1.Appl
 		"event":            "application_update",
 		"application_name": old.Name,
 	})
+
+	if isResourceFromAutonomousAgent(new) {
+		// Remove finalizers from autonomous agent applications if it is being deleted
+		if new.DeletionTimestamp != nil && len(new.Finalizers) > 0 {
+			updated, err := s.appManager.RemoveFinalizers(s.ctx, new)
+			if err != nil {
+				logCtx.WithError(err).Error("Failed to remove finalizers from autonomous application")
+			} else {
+				logCtx.Debug("Removed finalizers from autonomous application to allow deletion")
+				new = updated
+			}
+		}
+
+		// Revert modifications on autonomous agent applications
+		if s.appManager.RevertAutonomousAppChanges(s.ctx, new) {
+			logCtx.Trace("Modifications to the application are reverted")
+			return
+		}
+	}
+
 	if s.appManager.IsChangeIgnored(new.QualifiedName(), new.ResourceVersion) {
 		logCtx.WithField("resource_version", new.ResourceVersion).Debugf("Resource version has already been seen")
 		return
@@ -103,6 +126,14 @@ func (s *Server) deleteAppCallback(outbound *v1alpha1.Application) {
 		"application_name": outbound.Name,
 	})
 
+	// Revert user-initiated deletion on autonomous agent applications
+	if isResourceFromAutonomousAgent(outbound) {
+		if s.revertUserInitiatedDeletion(outbound, logCtx) {
+			logCtx.Trace("Deleted application is recreated")
+			return
+		}
+	}
+
 	s.resources.Remove(outbound.Namespace, resources.NewResourceKeyFromApp(outbound))
 
 	if !s.queues.HasQueuePair(outbound.Namespace) {
@@ -586,3 +617,30 @@ func isResourceFromAutonomousAgent(resource metav1.Object) bool {
 	_, ok := annotations[manager.SourceUIDAnnotation]
 	return ok
 }
+
+func (s *Server) revertUserInitiatedDeletion(outbound *v1alpha1.Application, logCtx *logrus.Entry) bool {
+	appKey := fmt.Sprintf("%s/%s", outbound.Namespace, outbound.Name)
+
+	// Check if this deletion was expected (agent-initiated)
+	if s.isExpectedDeletion(appKey) {
+		logCtx.Debugf("Expected deletion from autonomous agent - allowing it to proceed")
+		// This is a legitimate deletion from the agent, let it proceed normally
+		return false
+	}
+
+	logCtx.Warnf("Unauthorized deletion detected for autonomous agent application - recreating")
+	// This is an unauthorized deletion (user-initiated), recreate the app
+	app := outbound.DeepCopy()
+	app.ResourceVersion = ""
+	app.DeletionTimestamp = nil
+	sourceUID := outbound.Annotations[manager.SourceUIDAnnotation]
+	app.SetUID(k8stypes.UID(sourceUID))
+	_, err := s.appManager.Create(s.ctx, app)
+	if err != nil {
+		logCtx.WithError(err).Error("failed to recreate application after unauthorized deletion")
+	} else {
+		logCtx.Infof("Recreated application %s after unauthorized deletion", outbound.Name)
+	}
+
+	return true
+}