Allow Ignoring Ownership

It's possible that a controller can adopt managed resources by attaching
an owner reference to it.  This owner reference has the effect of
keeping the resource alive, even though our intention is to delete it.
This adds in a new annotation that inhibits the consideration of owner
references.

Fixes argoproj/argo-cd#11972

pkg/cache/references.go

@@ -10,6 +10,8 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
 
+	"github.com/argoproj/gitops-engine/pkg/sync/common"
+	"github.com/argoproj/gitops-engine/pkg/sync/resource"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 )
 
@@ -19,6 +21,15 @@ func mightHaveInferredOwner(r *Resource) bool {
 }
 
 func (c *clusterCache) resolveResourceReferences(un *unstructured.Unstructured) ([]metav1.OwnerReference, func(kube.ResourceKey) bool) {
+	// An application may add owner references to resources that are managed by Helm or
+	// similar.  Those references will erroneously keep the resource alive as it looks
+	// like it's implicitly created by the parent.  By adding this annotation to the
+	// resource it's possible to opt out of this behaviour and actually allow deletion
+	// as intended.
+	if resource.HasAnnotationOption(un, common.AnnotationSyncOptions, common.SyncOptionIgnoreOwnerReferences) {
+		return nil, func(_ kube.ResourceKey) bool { return false }
+	}
+
 	var isInferredParentOf func(_ kube.ResourceKey) bool
 	ownerRefs := un.GetOwnerReferences()
 	gvk := un.GroupVersionKind()

pkg/sync/common/types.go

@@ -29,6 +29,9 @@ const (
 	SyncOptionReplace = "Replace=true"
 	// Sync option that enables use of --server-side flag instead of client-side
 	SyncOptionServerSideApply = "ServerSideApply=true"
+	// Sync option that ignores owner references when the underlying app adds them
+	// to resources extraneously
+	SyncOptionIgnoreOwnerReferences = "IgnoreOwnerReferences=true"
 )
 
 type PermissionValidator func(un *unstructured.Unstructured, res *metav1.APIResource) error