feat: add support for Prune/Delete=confirm sync option

As deletion confirmation acts on the whole Application it could makes
sense to add it as a sync option rather than a resource annotation. It
also could be more convenient to integrate in certain workflows for
users.

Signed-off-by: Arthur Outhenin-Chalandre <[email protected]>

Author: MrFreezeex

controller/appcontroller.go

@@ -1230,6 +1230,11 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 			return err
 		}
 
+		if app.Spec.SyncPolicy != nil && app.Spec.SyncPolicy.SyncOptions.HasOption(synccommon.SyncOptionDeleteRequireConfirm) && !deletionApproved {
+			logCtx.Infof("Application requires manual confirmation to be deleted")
+			return nil
+		}
+
 		for k := range objsMap {
 			// Wait for objects pending deletion to complete before proceeding with next sync wave
 			if objsMap[k].GetDeletionTimestamp() != nil {

controller/sync.go

@@ -347,6 +347,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, project *v1alp
 			clientSideApplyManager,
 		),
 		sync.WithPruneConfirmed(app.IsDeletionConfirmed(state.StartedAt.Time)),
+		sync.WithRequiresPruneConfirmation(syncOp.SyncOptions.HasOption(common.SyncOptionPruneRequireConfirm)),
 		sync.WithSkipDryRunOnMissingResource(syncOp.SyncOptions.HasOption(common.SyncOptionSkipDryRunOnMissingResource)),
 	}
 

docs/user-guide/sync-options.md

@@ -34,6 +34,20 @@ metadata:
 To confirm the pruning you can use Argo CD UI, CLI or manually apply the `argocd.argoproj.io/deletion-approved: <ISO formatted timestamp>`
 annotation to the application.
 
+It also can be enabled at the application level like in the example below:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  syncPolicy:
+    syncOptions:
+    - Prune=confirm
+```
+
+Note that setting a Prune sync option on the application level will not override
+the same sync option set on a specific resource, both will still be applied.
+
 ## Disable Kubectl Validation
 
 For a certain class of objects, it is necessary to `kubectl apply` them using the `--validate=false` flag. Examples of this are Kubernetes types which uses `RawExtension`, such as [ServiceCatalog](https://github.com/kubernetes-incubator/service-catalog/blob/master/pkg/apis/servicecatalog/v1beta1/types.go#L497). You can do that using this annotation:
@@ -101,6 +115,20 @@ metadata:
 To confirm the deletion you can use Argo CD UI, CLI or manually apply the `argocd.argoproj.io/deletion-approved: <ISO formatted timestamp>`
 annotation to the application.
 
+It also can be enabled at the application level like in the example below:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  syncPolicy:
+    syncOptions:
+    - Delete=confirm
+```
+
+Note that setting a Delete sync option on the application level will not override
+the same sync option set on a specific resource, both will still be applied.
+
 ## Selective Sync
 
 Currently, when syncing using auto sync Argo CD applies every object in the application.

gitops-engine/pkg/sync/sync_context.go

@@ -115,6 +115,13 @@ func WithPrune(prune bool) SyncOpt {
 	}
 }
 
+// WithRequiresPruneConfirmation specifies if pruning resources requires a confirmation
+func WithRequiresPruneConfirmation(requiresConfirmation bool) SyncOpt {
+	return func(ctx *syncContext) {
+		ctx.requiresPruneConfirmation = requiresConfirmation
+	}
+}
+
 // WithPruneConfirmed specifies if prune is confirmed for resources that require confirmation
 func WithPruneConfirmed(confirmed bool) SyncOpt {
 	return func(ctx *syncContext) {
@@ -367,6 +374,7 @@ type syncContext struct {
 	pruneLast                       bool
 	prunePropagationPolicy          *metav1.DeletionPropagation
 	pruneConfirmed                  bool
+	requiresPruneConfirmation       bool
 	clientSideApplyMigrationManager string
 	enableClientSideApplyMigration  bool
 
@@ -1406,7 +1414,7 @@ func (sc *syncContext) runTasks(tasks syncTasks, dryRun bool) runState {
 		if !sc.pruneConfirmed {
 			var resources []string
 			for _, task := range pruneTasks {
-				if resourceutil.HasAnnotationOption(task.liveObj, common.AnnotationSyncOptions, common.SyncOptionPruneRequireConfirm) {
+				if sc.requiresPruneConfirmation || resourceutil.HasAnnotationOption(task.liveObj, common.AnnotationSyncOptions, common.SyncOptionPruneRequireConfirm) {
 					resources = append(resources, fmt.Sprintf("%s/%s/%s", task.obj().GetAPIVersion(), task.obj().GetKind(), task.name()))
 				}
 			}

gitops-engine/pkg/sync/sync_context_test.go

@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"reflect"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -836,6 +837,43 @@ func TestDoNotPrunePruneFalse(t *testing.T) {
 	assert.Equal(t, synccommon.OperationSucceeded, phase)
 }
 
+// make sure that we need confirmation to prune with Prune=confirm
+func TestPruneConfirm(t *testing.T) {
+	for _, appLevelConfirmation := range []bool{true, false} {
+		t.Run("appLevelConfirmation="+strconv.FormatBool(appLevelConfirmation), func(t *testing.T) {
+			syncCtx := newTestSyncCtx(nil, WithOperationSettings(false, true, false, false))
+			syncCtx.requiresPruneConfirmation = appLevelConfirmation
+			pod := testingutils.NewPod()
+			if appLevelConfirmation {
+				pod.SetAnnotations(map[string]string{synccommon.AnnotationSyncOptions: "Prune=true"})
+			} else {
+				pod.SetAnnotations(map[string]string{synccommon.AnnotationSyncOptions: "Prune=confirm"})
+			}
+			pod.SetNamespace(testingutils.FakeArgoCDNamespace)
+			syncCtx.resources = groupResources(ReconciliationResult{
+				Live:   []*unstructured.Unstructured{pod},
+				Target: []*unstructured.Unstructured{nil},
+			})
+
+			syncCtx.Sync()
+			phase, msg, resources := syncCtx.GetState()
+
+			assert.Equal(t, synccommon.OperationRunning, phase)
+			assert.Empty(t, resources)
+			assert.Equal(t, "Waiting for pruning confirmation of v1/Pod/my-pod", msg)
+
+			syncCtx.pruneConfirmed = true
+			syncCtx.Sync()
+
+			phase, _, resources = syncCtx.GetState()
+			assert.Equal(t, synccommon.OperationSucceeded, phase)
+			assert.Len(t, resources, 1)
+			assert.Equal(t, synccommon.ResultCodePruned, resources[0].Status)
+			assert.Equal(t, "pruned", resources[0].Message)
+		})
+	}
+}
+
 // // make sure Validate=false means we don't validate
 func TestSyncOptionValidate(t *testing.T) {
 	tests := []struct {

test/e2e/app_management_test.go

@@ -3087,6 +3087,42 @@ func TestDeletionConfirmation(t *testing.T) {
 		Then().Expect(DoesNotExist())
 }
 
+func TestDeletionConfirmationSyncOption(t *testing.T) {
+	ctx := Given(t)
+	ctx.
+		And(func() {
+			_, err := fixture.KubeClientset.CoreV1().ConfigMaps(fixture.DeploymentNamespace()).Create(
+				t.Context(), &corev1.ConfigMap{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "test-configmap",
+						Labels: map[string]string{
+							common.LabelKeyAppInstance: ctx.AppName(),
+						},
+					},
+				}, metav1.CreateOptions{})
+			require.NoError(t, err)
+		}).
+		Path(guestbookPath).
+		Async(true).
+		When().
+		CreateApp().Then().When().
+		PatchApp(`[{
+			"op": "add",
+			"path": "/spec/syncPolicy",
+			"value": { "syncOptions": ["Delete=confirm", "Prune=confirm"] }
+			}]`).Sync().
+		Then().Expect(OperationPhaseIs(OperationRunning)).
+		When().ConfirmDeletion().
+		Then().Expect(OperationPhaseIs(OperationSucceeded)).
+		When().Delete(true).
+		Then().
+		And(func(app *Application) {
+			assert.NotNil(t, app.DeletionTimestamp)
+		}).
+		When().ConfirmDeletion().
+		Then().Expect(DoesNotExist())
+}
+
 func TestLastTransitionTimeUnchangedError(t *testing.T) {
 	// Ensure that, if the health status hasn't changed, the lastTransitionTime is not updated.
 

ui/src/app/applications/components/application-details/application-details.tsx

@@ -1137,6 +1137,18 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat
         [setExtensionPanelVisible]
     );
 
+    const requiresDeletionConfirmation = (app: appModels.Application): boolean => {
+        if (app.status.resources.find(r => r.requiresDeletionConfirmation)) {
+            return true;
+        }
+
+        if (app.spec.syncPolicy?.syncOptions?.includes('Delete=confirm') || app.spec.syncPolicy?.syncOptions?.includes('Prune=confirm')) {
+            return true;
+        }
+
+        return false;
+    }
+
     const getApplicationActionMenu = useCallback(
         (app: appModels.Application, needOverlapLabelOnNarrowScreen: boolean) => {
             const refreshing = app.metadata.annotations && app.metadata.annotations[appModels.AnnotationRefreshKey];
@@ -1163,7 +1175,7 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat
                     action: () => AppUtils.showDeploy('all', null, appContext),
                     disabled: !app.spec.source && (!app.spec.sources || app.spec.sources.length === 0) && !app.spec.sourceHydrator
                 },
-                ...(app.status?.operationState?.phase === 'Running' && app.status.resources.find(r => r.requiresDeletionConfirmation)
+                ...(app.status?.operationState?.phase === 'Running' && requiresDeletionConfirmation(app)
                     ? [
                           {
                               iconClassName: 'fa fa-check',
@@ -1187,7 +1199,7 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat
                     disabled: !app.status.operationState
                 },
                 app.metadata.deletionTimestamp &&
-                app.status.resources.find(r => r.requiresDeletionConfirmation) &&
+                requiresDeletionConfirmation(app) &&
                 !((app.metadata.annotations || {})[appModels.AppDeletionConfirmedAnnotation] == 'true')
                     ? {
                           iconClassName: 'fa fa-check',