argoproj · crenshaw-dev · Jun 23, 2023 · Oct 10, 2022 · Oct 10, 2022 · Oct 10, 2022
@@ -538,13 +538,26 @@ argocd admin settings resource-overrides action run /tmp/deploy.yaml restart --a
 				modifiedRes, err := luaVM.ExecuteResourceAction(&res, action.ActionLua)
 				errors.CheckError(err)
 
-				if reflect.DeepEqual(&res, modifiedRes) {
-					_, _ = fmt.Printf("No fields had been changed by action: \n%s\n", action.Name)
-					return
+				for _, impactedResource := range modifiedRes {
+					result := impactedResource.UnstructuredObj
+					switch impactedResource.K8SOperation {
+					// No default case since a not supported operation would have failed upon unmarshaling earlier
+					case lua.PatchOperation:
+						if reflect.DeepEqual(&res, modifiedRes) {
+							_, _ = fmt.Printf("No fields had been changed by action: \n%s\n", action.Name)
+							return
+						}
+
+						_, _ = fmt.Printf("Following fields have been changed:\n\n")
+						_ = cli.PrintDiff(res.GetName(), &res, result)
+					case lua.CreateOperation:
+						yamlBytes, err := yaml.Marshal(impactedResource.UnstructuredObj)
+						errors.CheckError(err)
+						fmt.Println("Following resource was created:")
+						fmt.Println(bytes.NewBuffer(yamlBytes).String())
+					}
 				}
 
-				_, _ = fmt.Printf("Following fields have been changed:\n\n")
-				_ = cli.PrintDiff(res.GetName(), &res, modifiedRes)
 			})
 		},
 	}

@@ -226,6 +226,17 @@ spec:
   replicas: 0`
 )
 
+const (
+	testCronJobYAML = `apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: hello
+  namespace: test-ns
+  uid: "123"
+spec:
+  schedule: "* * * * *"`
+)
+
 func tempFile(content string) (string, io.Closer, error) {
 	f, err := os.CreateTemp("", "*.yaml")
 	if err != nil {
@@ -335,6 +346,12 @@ func TestResourceOverrideAction(t *testing.T) {
 	}
 	defer utils.Close(closer)
 
+	cronJobFile, closer, err := tempFile(testCronJobYAML)
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer utils.Close(closer)
+
 	t.Run("NoActions", func(t *testing.T) {
 		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
 			"resource.customizations": `apps/Deployment: {}`}))
@@ -347,7 +364,7 @@ func TestResourceOverrideAction(t *testing.T) {
 		assert.Contains(t, out, "Actions are not configured")
 	})
 
-	t.Run("ActionConfigured", func(t *testing.T) {
+	t.Run("OldStyleActionConfigured", func(t *testing.T) {
 		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
 			"resource.customizations": `apps/Deployment:
   actions: |
@@ -381,4 +398,50 @@ restart  false
 resume   false
 `)
 	})
+
+	t.Run("NewStyleActionConfigured", func(t *testing.T) {
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+			"resource.customizations": `batch/CronJob:
+  actions: |
+    discovery.lua: |
+      actions = {}
+      actions["create-a-job"] = {["disabled"] = false}
+      return actions
+    definitions:
+    - name: test
+      action.lua: |
+        job1 = {}
+        job1.apiVersion = "batch/v1"
+        job1.kind = "Job" 
+        job1.metadata = {}
+        job1.metadata.name = "hello-1"
+        job1.metadata.namespace = "obj.metadata.namespace"
+        impactedResource1 = {}
+        impactedResource1.operation = "create"
+        impactedResource1.resource = job1
+        result = {}
+        result[1] = impactedResource1
+        return result
+`}))
+		out, err := captureStdout(func() {
+			cmd.SetArgs([]string{"run-action", cronJobFile, "test"})
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		})
+		assert.NoError(t, err)
+		assert.Contains(t, out, "resource was created:")
+		assert.Contains(t, out, "hello-1")
+
+		out, err = captureStdout(func() {
+			cmd.SetArgs([]string{"list-actions", cronJobFile})
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		})
+
+		assert.NoError(t, err)
+		assert.Contains(t, out, "NAME")
+		assert.Contains(t, out, "ENABLED")
+		assert.Contains(t, out, "create-a-job")
+		assert.Contains(t, out, "false")
+	})
 }
@@ -12,11 +12,30 @@ Argo CD supports custom resource actions written in [Lua](https://www.lua.org/).
 * Have a custom resource for which Argo CD does not provide any built-in actions.
 * Have a commonly performed manual task that might be error prone if executed by users via `kubectl`
 
+The resource actions act on a single object.
+
 You can define your own custom resource actions in the `argocd-cm` ConfigMap.
 
+### Custom Resource Action Types
+
+#### An action that modifies the source resource
+
+This action modifies and returns the source resource.
+This kind of action was the only one available till 2.8, and it is still supported.
+
+#### An action that produces a list of new or modified resources
+
+**An alpha feature, introduced in 2.8.**
+
+This action returns a list of impacted resources, each impacted resource has a K8S resource and an operation to perform on.   
+Currently supported operations are "create" and "patch", "patch" is only supported for the source resource.   
+Creating new resources is possible, by specifying a "create" operation for each such resource in the returned list.  
+One of the returned resources can be the modified source object, with a "patch" operation, if needed.   
+See the definition examples below.
+
 ### Define a Custom Resource Action in `argocd-cm` ConfigMap
 
-Custom resource actions can be defined in `resource.customizations.actions.<group_kind>` field of `argocd-cm`. Following example demonstrates a set of custom actions for `CronJob` resources. 
+Custom resource actions can be defined in `resource.customizations.actions.<group_kind>` field of `argocd-cm`. Following example demonstrates a set of custom actions for `CronJob` resources, each such action returns the modified CronJob. 
 The customizations key is in the format of `resource.customizations.actions.<apiGroup_Kind>`.
 
 ```yaml
@@ -51,4 +70,114 @@ resource.customizations.actions.batch_CronJob: |
 
 The `discovery.lua` script must return a table where the key name represents the action name. You can optionally include logic to enable or disable certain actions based on the current object state.
 
-Each action name must be represented in the list of `definitions` with an accompanying `action.lua` script to control the resource modifications. The `obj` is a global variable which contains the resource. Each action script must return an optionally modified version of the resource. In this example, we are simply setting `.spec.suspend` to either `true` or `false`.
+Each action name must be represented in the list of `definitions` with an accompanying `action.lua` script to control the resource modifications. The `obj` is a global variable which contains the resource. Each action script returns an optionally modified version of the resource. In this example, we are simply setting `.spec.suspend` to either `true` or `false`.
+
+#### Creating new resources with a custom action
+
+!!! important
+    Creating resources via the Argo CD UI is an intentional, strategic departure from GitOps principles. We recommend 
+    that you use this feature sparingly and only for resources that are not part of the desired state of the 
+    application.
+
+The resource the action is invoked on would be referred to as the `source resource`.  
+The new resource and all the resources implicitly created as a result, must be permitted on the AppProject level, otherwise the creation will fail.
+
+##### Creating a source resource child resources with a custom action
+
+If the new resource represents a k8s child of the source resource, the source resource ownerReference must be set on the new resource.  
+Here is an example Lua snippet, that takes care of constructing a Job resource that is a child of a source CronJob resource - the `obj` is a global variable, which contains the source resource:
+
+```lua
+-- ...
+ownerRef = {}
+ownerRef.apiVersion = obj.apiVersion
+ownerRef.kind = obj.kind
+ownerRef.name = obj.metadata.name
+ownerRef.uid = obj.metadata.uid
+job = {}
+job.metadata = {}
+job.metadata.ownerReferences = {}
+job.metadata.ownerReferences[1] = ownerRef
+-- ...
+```
+
+##### Creating independent child resources with a custom action
+
+If the new resource is independent of the source resource, the default behavior of such new resource is that it is not known by the App of the source resource (as it is not part of the desired state and does not have an `ownerReference`).  
+To make the App aware of the new resource, the `app.kubernetes.io/instance` label (or other ArgoCD tracking label, if configured) must be set on the resource.   
+It can be copied from the source resource, like this:
+
+```lua
+-- ...
+newObj = {}
+newObj.metadata = {}
+newObj.metadata.labels = {}
+newObj.metadata.labels["app.kubernetes.io/instance"] = obj.metadata.labels["app.kubernetes.io/instance"]
+-- ...
+```   
+
+While the new resource will be part of the App with the tracking label in place, it will be immediately deleted if auto prune is set on the App.   
+To keep the resource, set `Prune=false` annotation on the resource, with this Lua snippet:
+
+```lua
+-- ...
+newObj.metadata.annotations = {}
+newObj.metadata.annotations["argocd.argoproj.io/sync-options"] = "Prune=false"
+-- ...
+```
+
+(If setting `Prune=false` behavior, the resource will not be deleted upon the deletion of the App, and will require a manual cleanup).
+
+The resource and the App will now appear out of sync - which is the expected ArgoCD behavior upon creating a resource that is not part of the desired state.
+
+If you wish to treat such an App as a synced one, add the following resource annotation in Lua code:
+
+```lua
+-- ...
+newObj.metadata.annotations["argocd.argoproj.io/compare-options"] = "IgnoreExtraneous"
+-- ...
+```
+
+#### An action that produces a list of resources - a complete example:
+
+```yaml
+resource.customizations.actions.ConfigMap: |
+  discovery.lua: |
+    actions = {}
+    actions["do-things"] = {}
+    return actions
+  definitions:
+  - name: do-things
+    action.lua: |
+      -- Create a new ConfigMap
+      cm1 = {}
+      cm1.apiVersion = "v1"
+      cm1.kind = "ConfigMap"
+      cm1.metadata = {}
+      cm1.metadata.name = "cm1"
+      cm1.metadata.namespace = obj.metadata.namespace
+      cm1.metadata.labels = {}
+      -- Copy ArgoCD tracking label so that the resource is recognized by the App
+      cm1.metadata.labels["app.kubernetes.io/instance"] = obj.metadata.labels["app.kubernetes.io/instance"]
+      cm1.metadata.annotations = {}
+      -- For Apps with auto-prune, set the prune false on the resource, so it does not get deleted
+      cm1.metadata.annotations["argocd.argoproj.io/sync-options"] = "Prune=false"	  
+      -- Keep the App synced even though it has a resource that is not in Git
+      cm1.metadata.annotations["argocd.argoproj.io/compare-options"] = "IgnoreExtraneous"		  
+      cm1.data = {}
+      cm1.data.myKey1 = "myValue1"
+      impactedResource1 = {}
+      impactedResource1.operation = "create"
+      impactedResource1.resource = cm1
+
+      -- Patch the original cm
+      obj.metadata.labels["aKey"] = "aValue"
+      impactedResource2 = {}
+      impactedResource2.operation = "patch"
+      impactedResource2.resource = obj
+
+      result = {}
+      result[1] = impactedResource1
+      result[2] = impactedResource2
+      return result		  
+```
@@ -23,3 +23,45 @@ Prior to `v2.8`, the `List` endpoint on the `ClusterService` did **not** filter
 clusters when responding, despite accepting query parameters. This bug has
 been addressed, and query parameters are now taken into account to filter the
 resulting list of clusters.
+
+## Configure RBAC to account for new actions
+
+2.8 introduces three new actions:
+* Create a Job from a CronJob
+* Create a Workflow from a CronWorkflow
+* Create a Workflow from a WorkflowTemplate
+
+When you upgrade to 2.8, RBAC policies with `applications` in the *resource*
+field and `*` or `action/*` in the action field, it will automatically grant the
+ability to use these new actions.
+
+If you would like to avoid granting these new permissions, you can update your RBAC policies to be more specific.
+
+### Example
+
+Old:
+
+```csv
+p, role:action-runner, applications, actions/, *, allow
+```
+
+New:
+
+```csv
+p, role:action-runner, applications, action/argoproj.io/Rollout/abort, *, allow
+p, role:action-runner, applications, action/argoproj.io/Rollout/promote-full, *, allow
+p, role:action-runner, applications, action/argoproj.io/Rollout/retry, *, allow
+p, role:action-runner, applications, action/argoproj.io/Rollout/resume, *, allow
+p, role:action-runner, applications, action/argoproj.io/Rollout/restart, *, allow
+p, role:action-runner, applications, action/argoproj.io/AnalysisRun/terminate, *, allow
+p, role:action-runner, applications, action/apps/DaemonSet/restart, *, allow
+p, role:action-runner, applications, action/apps/StatefulSet/restart, *, allow
+p, role:action-runner, applications, action/apps/Deployment/pause, *, allow
+p, role:action-runner, applications, action/apps/Deployment/resume, *, allow
+p, role:action-runner, applications, action/apps/Deployment/restart, *, allow
+
+# If you don't want to grant the new permissions, don't include the following lines
+p, role:action-runner, applications, action/argoproj.io/WorkflowTemplate/create-workflow, *, allow
+p, role:action-runner, applications, action/argoproj.io/CronWorkflow/create-workflow, *, allow
+p, role:action-runner, applications, action/batch/CronJob/create-job, *, allow
+```
@@ -10,7 +10,7 @@ require (
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/miniredis/v2 v2.30.3
 	github.com/antonmedv/expr v1.12.5
-	github.com/argoproj/gitops-engine v0.7.1-0.20230526233214-ad9a694fe4bc
+	github.com/argoproj/gitops-engine v0.7.1-0.20230607163028-425d65e07695
 	github.com/argoproj/notifications-engine v0.4.1-0.20230620204159-3446d4ae8520
 	github.com/argoproj/pkg v0.13.7-0.20221221191914-44694015343d
 	github.com/aws/aws-sdk-go v1.44.288

@@ -121,8 +121,8 @@ github.com/antlr/antlr4/runtime/Go/antlr v0.0.0-20210826220005-b48c857c3a0e/go.m
 github.com/antonmedv/expr v1.12.5 h1:Fq4okale9swwL3OeLLs9WD9H6GbgBLJyN/NUHRv+n0E=
 github.com/antonmedv/expr v1.12.5/go.mod h1:FPC8iWArxls7axbVLsW+kpg1mz29A1b2M6jt+hZfDkU=
 github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE=
-github.com/argoproj/gitops-engine v0.7.1-0.20230526233214-ad9a694fe4bc h1:i6OgOvFFsoWiGBFEhhDNcYoRtxxtrVwcD7wCEeqhct4=
-github.com/argoproj/gitops-engine v0.7.1-0.20230526233214-ad9a694fe4bc/go.mod h1:WpA/B7tgwfz+sdNE3LqrTrb7ArEY1FOPI2pAGI0hfPc=
+github.com/argoproj/gitops-engine v0.7.1-0.20230607163028-425d65e07695 h1:w8OPbqHyhWxLyC4LZgs5JBUe7AOkJpNZqFa92yy7Kmc=
+github.com/argoproj/gitops-engine v0.7.1-0.20230607163028-425d65e07695/go.mod h1:WpA/B7tgwfz+sdNE3LqrTrb7ArEY1FOPI2pAGI0hfPc=
 github.com/argoproj/notifications-engine v0.4.1-0.20230620204159-3446d4ae8520 h1:ZCpg1Zk78E8QxMI52w6ZIddxkBHv27YWmfWQdxxWUkw=
 github.com/argoproj/notifications-engine v0.4.1-0.20230620204159-3446d4ae8520/go.mod h1:sbhf4EjAUGAqRdHIzifDIiWsjlsTfmytVJJCCiUdyVA=
 github.com/argoproj/pkg v0.13.7-0.20221221191914-44694015343d h1:7fXEKF3OQ9i1PrgieA6FLrXOL3UAKyiotomn0RHevds=

@@ -4,6 +4,8 @@ metadata:
   annotations:
     deployment.kubernetes.io/revision: "1"
   creationTimestamp: "2021-09-21T22:35:20Z"
+  name: nginx-deploy
+  namespace: default  
   generation: 2
 spec:
   paused: true

@@ -5,6 +5,8 @@ metadata:
     deployment.kubernetes.io/revision: "1"
   creationTimestamp: "2021-09-21T22:35:20Z"
   generation: 3
+  name: nginx-deploy
+  namespace: default  
 spec:
   progressDeadlineSeconds: 600
   replicas: 3

@@ -0,0 +1,4 @@
+actionTests:
+- action: create-workflow
+  inputPath: testdata/cronworkflow.yaml
+  expectedOutputPath: testdata/workflow.yaml