
Add option to trigger sync hooks on partial syncs

Open praneethkaturi opened this issue 2 years ago • 6 comments

Summary

The proposed change aims to extend the current capabilities of Argo CD by introducing an option that allows sync hooks to be triggered during partial or selective sync operations. Currently, sync hooks in Argo CD are designed to execute during full sync processes. However, there are use cases, particularly in complex deployment environments, where partial or selective syncs are frequently used. In these scenarios, the inability to trigger sync hooks can lead to gaps in important operational procedures such as auditing, compliance checks, or custom validation and testing routines.

Motivation

In scenarios where every sync in Argo CD is monitored for auditing purposes, and additional checks (like pre-validation RBAC or post-validation testing) are required, the inability to trigger hooks during selective/partial syncs can lead to bypassing these critical steps. Implementing an option to enforce these hooks for all types of syncs would enhance the control and security of the sync process.

Proposal

Introduce an annotation within the Argo CD application or alongside the sync hook. This annotation would indicate whether triggering hooks for all types of syncs (including partial/selective) is required. This feature would allow users to specify their need for comprehensive hook execution, thereby ensuring compliance with audit and validation procedures.

praneethkaturi avatar Dec 25 '23 05:12 praneethkaturi

I'm eager to discuss this feature further with the community. If deemed valuable, I would be excited to contribute to its development.

praneethkaturi avatar Dec 25 '23 05:12 praneethkaturi

> I'm eager to discuss this feature further with the community. If deemed valuable, I would be excited to contribute to its development.

Do you want to bring this to the next contributor's experience meeting on Dec 28th?

todaywasawesome avatar Dec 26 '23 19:12 todaywasawesome

> Do you want to bring this to the next contributor's experience meeting on Dec 28th?

Certainly, I'm excited to discuss this in our meeting. I've included it as a suggestion in the document. Since this is my first time suggesting a feature, I'd really appreciate your guidance on the preparations needed prior to the meeting.

praneethkaturi avatar Dec 27 '23 02:12 praneethkaturi

@todaywasawesome Hey Dan! Looks like we didn't have a lot of attendance this time around, I'll bring it up in the next meeting. Meanwhile, could you please let me know if it is just an open discussion or is any prep needed from my side to present the feature?

praneethkaturi avatar Dec 28 '23 16:12 praneethkaturi

The issue was discussed during the contributors' meeting. We've come up with two proposals:

  • Implement a new sync option that would allow users to request running hooks even if sync is partial. All sync options can be specified at the app level as a default. Proposal would not be required and next step is to just implement it (cc @praneethkaturi in case you want to prepare a PR).
  • We've agreed that it makes sense to have a separate RBAC check for the partial sync. The use case is to allow administrators to disable partial syncs. The main concern here is to make the behavior backward compatible. A separate issue is required for this change.

alexmt avatar Jan 04 '24 16:01 alexmt

@alexmt Thank you for summarizing it, yes I will start working on the PR!

praneethkaturi avatar Jan 04 '24 16:01 praneethkaturi