feat: syncing to a different revision requires override privilege

[schraax]

Currently, it is possible to sync an application to any commit disregarding the revision definied in the application. Similar to syncing to arbitrary local manifests, this should be considered as 'override', because it is a deviation from gitops principle.

Reasoning:
ArgoCD and GitOps offer a way to compare application state against a 'desired' state. The desired state is defined in the Application object. The application object can be protected against editing via RBAC, but this protection is rendered useless by the possibility to sync to any revision.

Fixes: #21696,#22857

This is implemented with a toggle, so it will nnot break any existing behavior.
Hint: Once the feature is toggle on, users wanting to sync to different revisions need to be granted 'override' rights on the application.

Checklist:

• Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
• The title of the PR states what changed and the related issues number (used for the release note).
• The title of the PR conforms to the Toolchain Guide
• I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
• I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
• Does this PR require documentation updates?
• I've updated documentation as required by this PR.
• I have signed off all my commits as required by DCO
• I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
• My build is green (troubleshooting builds).
• My new feature complies with the feature status guidelines.
• I have added a brief description of why this PR is necessary and/or what this PR solves.
• Optional. My organization is added to USERS.md.
• Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

[bunnyshell]

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

• 🚀 /bns:deploy to deploy the environment

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.81%. Comparing base (7430650) to head (e01aa9c).
⚠️ Report is 365 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #22858      +/-   ##
==========================================
+ Coverage   60.71%   60.81%   +0.09%     
==========================================
  Files         350      350              
  Lines       60392    60430      +38     
==========================================
+ Hits        36669    36749      +80     
+ Misses      20797    20766      -31     
+ Partials     2926     2915      -11     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pjiang-dev]

Few typos, but LGTM

[blakepettersson]

I think this generally LGTM at a glance, but would need to take a deeper look at the change itself when I have some more time.

[niclaslock]

We also require this feature.
@blakepettersson any chance this will be released soon?

[schraax]

pretty please, can we get this reviewed and merged. I will gladly adapt to any recommendations, but I think we should really implement this change soon, as the current behavior is contrary to gitops...

[ppapapetrou76]

Overall LGTM but there are few things we need to consider IMHO

[schraax]

i have renamed the flag, in order to make the intent clearer.

[blakepettersson]

@schraax I think this LGTM, but you'd need to fix the conflicts

[schraax]

ok, i have removed the conflict. I have fulfilled any and all requests, and will continue to do so, but please, lets get this merged.

[schraax]

@agaudreault , @blakepettersson : please, lets get this merged with 3.2.
it fixes 2 bugs, which break our usecase (separating sync and edit roles).
@agaudreault: from your requested changes i have deduced that the intention was not clear.
I have since renamed the flag, and added documentation to make clear the default behaviour is exactly like you suggested.

[agaudreault]

small nitpicks, but LGTM.