argo-cd icon indicating copy to clipboard operation
argo-cd copied to clipboard
verified publisher icon argoproj

docs: proposal to introduce 'Prune/Delete=confirm' sync option value

Open alexmt opened this issue 1 year ago • 7 comments

The proposal documents a new sync option that allows end user to manually approve resource deletion while application syncing/deletion.

alexmt avatar Aug 14 '24 00:08 alexmt

:x: Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • :rocket: /bns:deploy to deploy the environment

bunnyshell[bot] avatar Aug 14 '24 00:08 bunnyshell[bot]

:x: Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • :rocket: /bns:deploy to deploy the environment

bunnyshell[bot] avatar Aug 14 '24 00:08 bunnyshell[bot]

Thank you for review! PTAL

alexmt avatar Aug 14 '24 18:08 alexmt

@jannfis , I agree it won't be needed to approve resources individually. The only use case I can imagine something like: CRD deletions must be approved by a platform team.

The main motivation to keep it at a resource level is to avoid introducing more RBAC changes and re-use resource-level actions. I expect that in real life, most apps would have one or two resources so app level vs resource level won't make a big difference. WDYT?

alexmt avatar Aug 15 '24 15:08 alexmt

The main motivation to keep it at a resource level is to avoid introducing more RBAC changes and re-use resource-level actions

I think in case of the approval would be on Application level, everyone with either edit or delete RBAC permissions for an Application resource would be allowed to approve these deletions. So there would be no need for RBAC changes in that scenario too. Or was your intention to separate those concerns?

jannfis avatar Aug 16 '24 00:08 jannfis

@jannfis , ah - good point. I did not intend to have separate permission to approve; I just did not think we could also re-use app edit permission. Updating proposal

alexmt avatar Aug 16 '24 17:08 alexmt

The main motivation to keep it at a resource level is to avoid introducing more RBAC changes and re-use resource-level actions

I think in case of the approval would be on Application level, everyone with either edit or delete RBAC permissions for an Application resource would be allowed to approve these deletions. So there would be no need for RBAC changes in that scenario too. Or was your intention to separate those concerns?

It is a good point.

wanghong230 avatar Aug 19 '24 14:08 wanghong230

@alexmt If you have a minute to resolve lingering conversations I think we can merge. @crenshaw-dev is out on vacation for the next 3 weeks and I think we have enough eyes on this that we don't have to wait additional time.

todaywasawesome avatar Aug 28 '24 14:08 todaywasawesome