From c0c4791ce79e0818749cad0ebfc076ffb6f4767c Mon Sep 17 00:00:00 2001
From: Andrew Lytvynov <awly@tailscale.com>
Date: Thu, 8 Aug 2024 15:23:06 -0500
Subject: [PATCH] cmd/gitops-pusher: ignore previous etag if local acls match
 control (#13068)

In a situation when manual edits are made on the admin panel, around the
GitOps process, the pusher will be stuck if `--fail-on-manual-edits` is
set, as expected.

To recover from this, there are 2 options:
1. revert the admin panel changes to get back in sync with the code
2. check in the manual edits to code

The former will work well, since previous and local ETags will match
control ETag again. The latter will still fail, since local and control
ETags match, but previous does not.

For this situation, check the local ETag against control first and
ignore previous when things are already in sync.

Updates https://github.com/tailscale/corp/issues/22177

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
---
 cmd/gitops-pusher/gitops-pusher.go | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/cmd/gitops-pusher/gitops-pusher.go b/cmd/gitops-pusher/gitops-pusher.go
index 1abf36a3b..c33937ef2 100644
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -66,6 +66,12 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
 		log.Printf("local:   %s", localEtag)
 		log.Printf("cache:   %s", cache.PrevETag)
 
+		if controlEtag == localEtag {
+			cache.PrevETag = localEtag
+			log.Println("no update needed, doing nothing")
+			return nil
+		}
+
 		if cache.PrevETag != controlEtag {
 			if err := modifiedExternallyError(); err != nil {
 				if *failOnManualEdits {
@@ -76,12 +82,6 @@ func apply(cache *Cache, client *http.Client, tailnet, apiKey string) func(conte
 			}
 		}
 
-		if controlEtag == localEtag {
-			cache.PrevETag = localEtag
-			log.Println("no update needed, doing nothing")
-			return nil
-		}
-
 		if err := applyNewACL(ctx, client, tailnet, apiKey, *policyFname, controlEtag); err != nil {
 			return err
 		}
@@ -113,6 +113,11 @@ func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(contex
 		log.Printf("local:   %s", localEtag)
 		log.Printf("cache:   %s", cache.PrevETag)
 
+		if controlEtag == localEtag {
+			log.Println("no updates found, doing nothing")
+			return nil
+		}
+
 		if cache.PrevETag != controlEtag {
 			if err := modifiedExternallyError(); err != nil {
 				if *failOnManualEdits {
@@ -123,11 +128,6 @@ func test(cache *Cache, client *http.Client, tailnet, apiKey string) func(contex
 			}
 		}
 
-		if controlEtag == localEtag {
-			log.Println("no updates found, doing nothing")
-			return nil
-		}
-
 		if err := testNewACLs(ctx, client, tailnet, apiKey, *policyFname); err != nil {
 			return err
 		}