Open P0t4T0o opened 3 months ago
Hey @P0t4T0o, seems like this is already possible. I wrote https://github.com/argoproj/argo-cd/blob/master/resource_customizations/external-secrets.io/ExternalSecret/actions/refresh/action.lua a while back and it uses the os package to add an annotation with the date, which triggers a watch event on the controller.
From https://github.com/argoproj/argo-cd/pull/2300
Retrieving the timestamp in lua was problematic, because os.date() resides in the os lua library. The entire Lua 'os' library is a security risk because the os library can also do things like call os.exit() and read local files. So in order to support restarts, we had to expose a subset of the lua os library to the Lua VM. The subset of functionality was copied from the go-lua implementation.
Maybe @argoproj/argo-security and @jessesuen should be involved in whether we add an additional package or not.
@P0t4T0o what functions do you need? Can you share the Lua script you want to run? And have you tried to use useOpenLibs as documented in https://argo-cd.readthedocs.io/en/stable/operator-manual/health/?
Summary
Hi all! Currently, when some custom resource action is executed, the ArgoCD server runs a bare Lua script without importing standard libraries. This setup limits the use of custom actions to only trivial use cases which, e.g., don't require manipulation of strings.
Motivation
Our team manages hundreds of ArgoCD Applications of our customers. We try to follow a strict GitOps model - customers have only get & sync permissions in their Applications and are supposed to manage their resources - create/update/delete only by altering the spec of their resource manifest in the repository. In order to address some aspects and improve UX, e.g. when an update of some service failed and needs to be retriggered, we would like to have a custom action which would do that instead of requiring the customer to update their manifest with an increased generation number or some dummy annotation which would trigger it. In some cases, to make a decision, we would need the string library to match a particular substring or os to parse a timestamp.
Proposal
One possibility could be a new flag for ArgoCDServer, e.g.
--lua-allow-openlib=string --lua-allow-openlib=math
which would pass whitelisted libs in the VM struct and then compose an array of libs in (vm VM) runLua()
Please let me know what your thoughts are. I'm happy to open a PR if the proposal makes sense and aligns with a plan.
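An added sketch, not part of the original issue and not Argo CD code, of how the proposed repeatable --lua-allow-openlib flag could be validated so that anything outside an allowlist fails closed. The flag name comes from the proposal above; ParseAllowedLibs, libList and the permitted set are hypothetical names and policy chosen for this example.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"os"
)

// Assumed policy for this sketch: only pure-computation libraries can be
// opted into. "os" and "io" are deliberately absent, so they fail closed.
var permitted = map[string]bool{"string": true, "math": true, "table": true}

// libList implements flag.Value so the flag can be repeated.
type libList []string

func (l *libList) String() string { return fmt.Sprint([]string(*l)) }

func (l *libList) Set(name string) error {
	if !permitted[name] {
		return fmt.Errorf("library %q is not on the Lua allowlist", name)
	}
	for _, have := range *l {
		if have == name {
			return nil // repeated value: keep a single copy
		}
	}
	*l = append(*l, name)
	return nil
}

// ParseAllowedLibs returns the validated libraries in flag order. An empty
// result means the VM stays bare, which is the behaviour the issue describes.
func ParseAllowedLibs(args []string) ([]string, error) {
	var libs libList
	fs := flag.NewFlagSet("argocd-server", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // errors are returned to the caller, not printed
	fs.Var(&libs, "lua-allow-openlib", "Lua standard library to open (repeatable)")
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	return libs, nil
}

func main() {
	libs, err := ParseAllowedLibs(os.Args[1:])
	fmt.Println("libraries:", libs, "error:", err)
}
```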