Configurable lua libs for resource actions #18296

Open
P0t4T0o opened this issue May 20, 2024 · 3 comments
Labels
component:config-management Tools specific issues (helm, kustomize etc) component:server enhancement New feature or request type:enhancement


P0t4T0o commented May 20, 2024

Summary

Hi all!
Currently, when some custom resource action is executed, the ArgoCD server runs a bare Lua script without importing standard libraries. This setup limits the use of custom actions to trivial use cases which, e.g., don't require manipulation of strings.

Motivation

Our team manages hundreds of ArgoCD Applications of our customers. We try to follow a strict GitOps model - customers have only get & sync permissions in their Applications and are supposed to manage their resources - create/update/delete only by altering the spec of their resource manifest in the repository.
In order to address some aspects and improve UX, e.g. when an update of some service failed and needs to be retriggered, we would like to have a custom action which would do that instead of requiring the customer to update their manifest with an increased generation number or some dummy annotation which would trigger it.
In some cases, to make a decision, we would need the string library to match a particular substring or os to parse a timestamp.

Proposal

One possibility could be a new flag for ArgoCDServer, e.g. --lua-allow-openlib=string --lua-allow-openlib=math, which would pass whitelisted libs in the VM struct and then compose an array of libs in (vm VM) runLua().

Please let me know what your thoughts are. I'm happy to open a PR if the proposal makes sense and aligns with a plan.

@P0t4T0o P0t4T0o added the enhancement New feature or request label May 20, 2024
@agaudreault
Member

Hey @P0t4T0o, seems like this is already possible. I wrote https://github.com/argoproj/argo-cd/blob/master/resource_customizations/external-secrets.io/ExternalSecret/actions/refresh/action.lua a while back and it uses the os package to add an annotation with the date, which triggers a watch event on the controller.

Author

P0t4T0o commented Jul 3, 2024

Hi @agaudreault, that is right, os works because it is imported here. However, the string or math libs are not, so manipulation with strings is currently challenging. I have a working draft of the necessary changes to enable this. If it is fine and everything aligns with the project's plan, I can open a PR.

@alexmt alexmt added component:config-management Tools specific issues (helm, kustomize etc) component:server type:enhancement labels Jul 3, 2024
Member

agaudreault commented Jul 3, 2024

From #2300

Retrieving the timestamp in lua was problematic, because os.date() resides in the os lua library. The entire Lua 'os' library is a security risk because the os library can also do things like call os.exit() and read local files.
So in order to support restarts, we had to expose a subset of the lua os library to the Lua VM. The subset of functionality was copied from the go-lua implementation.

Maybe @argoproj/argo-security and @jessesuen should be involved in whether we add an additional package or not.

@P0t4T0o what functions do you need? Can you share the Lua script you want to run? And have you tried to use useOpenLibs as documented in https://argo-cd.readthedocs.io/en/stable/operator-manual/health/
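
An added example, not code from the project or from any participant in this thread: one way the proposed repeatable --lua-allow-openlib flag could be parsed into a fail-closed allowlist before any library reaches the Lua VM. The helper ParseAllowedLibs, the type libAllowlist and the split between allowed and refused libraries are assumptions of this example; refusing os follows the concern quoted from #2300.

```go
package main

import (
	"flag"
	"fmt"
	"io"
	"strings"
)

// Constructed policy for this example (not ArgoCD's): only pure-compute libraries are allowed.
var pureLibs = map[string]bool{"string": true, "math": true, "table": true}
var hostLibs = map[string]string{
	"os":    "can exit the process and touch local files",
	"io":    "reads and writes arbitrary files",
	"debug": "exposes interpreter internals",
}

// libAllowlist implements flag.Value so the flag can be given repeatedly.
type libAllowlist struct{ libs []string }

func (a *libAllowlist) String() string { return strings.Join(a.libs, ",") }
func (a *libAllowlist) Set(name string) error {
	if why, bad := hostLibs[name]; bad {
		return fmt.Errorf("library %q refused: %s", name, why)
	}
	if !pureLibs[name] { // exact match: unknown or misspelled names fail closed
		return fmt.Errorf("unknown library %q", name)
	}
	for _, have := range a.libs {
		if have == name {
			return nil // repeated flag value, keep the first position
		}
	}
	a.libs = append(a.libs, name)
	return nil
}

// ParseAllowedLibs (hypothetical helper) returns the libraries to open, in flag order.
func ParseAllowedLibs(args []string) ([]string, error) {
	allow := &libAllowlist{}
	fs := flag.NewFlagSet("server", flag.ContinueOnError)
	fs.SetOutput(io.Discard) // the caller decides how to report the error
	fs.Var(allow, "lua-allow-openlib", "Lua standard library to open (repeatable)")
	if err := fs.Parse(args); err != nil {
		return nil, err
	}
	return allow.libs, nil
}

func main() { fmt.Println(ParseAllowedLibs([]string{"--lua-allow-openlib=string"})) }
```

Treating a parse error as a startup failure keeps a mistyped or host-reaching library name from silently widening what action scripts can do.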
