Provide a way to tell ArgoCD that it should not delete but only disown a resource

[ein-stein-chen]

Summary

Provide an option on the Application and/or Resource level so that ArgoCD will never delete a resource but only disown it (by removing the tracking label/annotation e.g. app.kubernetes.io/instance).
If the resource used server-side-apply then ArgoCD should remove all fields it managed.

Motivation

If Argo CD is used to patch existing resources in the cluster which are not created by Argo CD itself, it would create problems if Argo CD would delete the resource.

Example:
Using Argo CD for managing custom labels on cluster nodes.

This can be achieved by creating an Application with the sync option ServerSideApply=true and then creating a (or templating) partial Node objects that only contain the labels we want to set.

---
apiVersion: v1
kind: Node
metadata:
  name: kubernetes-worker-0
  labels:
    env: staging

But this makes it rather easy to accidentally delete the node (either by directly deleting the Node via the UI or when the Application is deleted or during sync when pruning and the file was removed).

It is already possible to work around some of those problems, by not setting finalizers on the Application and adding the argocd.argoproj.io/sync-options: "Delete=false,Prune=false" annotation.

But this will (only) leave the option to delete the Node via the UI while it is not easily possible to simply tell Argo CD to disown the Node which will then stay in the UI as OutOfSync forever.

Also, it would be nice to remove all the fields Argo CD set/managed when disowning the node.

Proposal

Add a sync option on the Resource level (e.g. Disown) that can be one of:

• no (Default)
• only (Only remove the tracking label/annotation when pruning and deleting a resource)
• andRemoveManagedFields (Also remove all fields managed by Argo CD when using server-side-apply)

Related

• How does arcocd support patching of existing resources #2437
• How to patch existing resource? #3984
• Annotation on child resources so ArgoCD doesn't delete them when parrent Application gets deleted #5945
• https://cloud-native.slack.com/archives/C01TSERG0KZ/p1620727687395200

[dadurex]

+1 to this proposal.

[kaiyuanlim]

+1

Would be nice to have this as some of the resources are moved to being provisioned for example by terraform instead.

[gadiener]

+1 I'd love to have that available

[danmanners]

+1 this would be really useful, especially for namespaces that may be referenced in multiple applications

[glasser]

Am I correct in understanding that this is a workaround for doing a one-time disown:

• Make sure that pruning is not enable on your app's auto-sync.
• Remove the resource from Git
• See that the app is now out of sync
• Manually remove the app.kubernetes.io/instance label from the resource

[akloss-cibo]

I can't speak for the original author, but this is what I do:

for wf in $( kubectl --namespace argocd get application "$1" -o yaml | yq eval '.status.resources[] | select(.kind == "Workflow" and .requiresPruning) | .name' - ) ; do
  kubectl patch workflow $wf --type=merge -p '{"metadata":{"labels":{"app.kubernetes.io/instance":null}}}'
done

[prune998]

you also need to get rid of the annotation

  annotations:
    argocd.argoproj.io/tracking-id: <app>:/Namespace:argocd-demo-project/test-argo-keep-ns

[prune998]

Maybe an annotation like resourceTrackingMethod: none that we add on a resource, so ArgoCD would create it without labels/annotations for tracking ?
This would be like creating the resource from outside the ArgoCD Apps... but it will not appear in the UI...

[akloss-cibo]

This would be like creating the resource from outside the ArgoCD Apps... but it will not appear in the UI...

I can't speak for the original author of this issue, but that's definitely not a feature I'm interested in.

[chrisxuwq]

I would vote for this feature that could allow resources to be disowned by ArgoCD, or they'll always appears to be out-of-sync if we don't actually want to delete them..