chore: install git-lfs 3.7.1 version using an install script (#26465)

Signed-off-by: Patroklos Papapetrou <ppapapetrou76@gmail.com>
Co-authored-by: Nitish Kumar <justnitish06@gmail.com>

Dockerfile

@@ -16,7 +16,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
     unzip \
     fcgiwrap \
     git \
-    git-lfs \
     make \
     wget \
     gcc \
@@ -29,7 +28,8 @@ COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers
 
 RUN ./install.sh helm && \
-    INSTALL_PATH=/usr/local/bin ./install.sh kustomize
+    INSTALL_PATH=/usr/local/bin ./install.sh kustomize && \
+    ./install.sh git-lfs
 
 ####################################################################################################
 # Argo CD Base - used as the base for both the release and dev argocd images
@@ -51,7 +51,7 @@ RUN groupadd -g $ARGOCD_USER_ID argocd && \
     apt-get update && \
     apt-get dist-upgrade -y && \
     apt-get install --no-install-recommends -y \
-    git git-lfs tini ca-certificates gpg gpg-agent tzdata connect-proxy openssh-client && \
+    git tini ca-certificates gpg gpg-agent tzdata connect-proxy openssh-client && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
 
@@ -61,6 +61,7 @@ COPY hack/gpg-wrapper.sh \
     /usr/local/bin/
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
+COPY --from=builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs
 
 # keep uid_entrypoint.sh for backward compatibility
 RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh

Dockerfile.tilt

@@ -11,7 +11,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
     unzip \
     fcgiwrap \
     git \
-    git-lfs \
     make \
     wget \
     gcc \
@@ -28,7 +27,8 @@ COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers
 
 RUN ./install.sh helm && \
-    INSTALL_PATH=/usr/local/bin ./install.sh kustomize
+    INSTALL_PATH=/usr/local/bin ./install.sh kustomize && \
+    ./install.sh git-lfs
 
 COPY hack/gpg-wrapper.sh \
     hack/git-verify-wrapper.sh \

gitops-engine/pkg/utils/kube/resource_ops.go

@@ -603,11 +603,24 @@ func (k *kubectlResourceOperations) authReconcile(ctx context.Context, obj *unst
 	if err != nil {
 		return "", fmt.Errorf("error creating kube client: %w", err)
 	}
+
+	clusterScoped := obj.GetKind() == "ClusterRole" || obj.GetKind() == "ClusterRoleBinding"
+
 	// `kubectl auth reconcile` has a side effect of auto-creating namespaces if it doesn't exist.
 	// See: https://github.com/kubernetes/kubernetes/issues/71185. This is behavior which we do
 	// not want. We need to check if the namespace exists, before know if it is safe to run this
 	// command. Skip this for dryRuns.
-	if dryRunStrategy == cmdutil.DryRunNone && obj.GetNamespace() != "" {
+
+	// When an Argo CD Application specifies destination.namespace, that namespace
+	// may be propagated even for cluster-scoped resources. Passing a namespace in
+	// this case causes `kubectl auth reconcile` to fail with:
+	//   "namespaces <ns> not found"
+	// or may trigger unintended namespace handling behavior.
+	// Therefore, we skip namespace existence checks for cluster-scoped RBAC
+	// resources and allow reconcile to run without a namespace.
+	//
+	// https://github.com/argoproj/argo-cd/issues/24833
+	if dryRunStrategy == cmdutil.DryRunNone && obj.GetNamespace() != "" && !clusterScoped {
 		_, err = kubeClient.CoreV1().Namespaces().Get(ctx, obj.GetNamespace(), metav1.GetOptions{})
 		if err != nil {
 			return "", fmt.Errorf("error getting namespace %s: %w", obj.GetNamespace(), err)

gitops-engine/pkg/utils/kube/resource_ops_test.go

@@ -0,0 +1,75 @@
+package kube
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/rest"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+)
+
+func TestAuthReconcileWithMissingNamespace(t *testing.T) {
+	namespace := "test-ns"
+	fakeBearer := "fake-bearer"
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		status := &metav1.Status{
+			Status:  "Failure",
+			Message: fmt.Sprintf("namespace \"%s\" not found", namespace),
+			Reason:  metav1.StatusReasonNotFound,
+			Code:    http.StatusNotFound,
+		}
+		w.WriteHeader(http.StatusNotFound)
+		json.NewEncoder(w).Encode(status)
+	}))
+	defer server.Close()
+
+	kubeConfigFlags := genericclioptions.NewConfigFlags(true)
+	kubeConfigFlags.Namespace = &namespace
+	kubeConfigFlags.APIServer = &server.URL
+	kubeConfigFlags.BearerToken = &fakeBearer
+	matchFlags := cmdutil.NewMatchVersionFlags(kubeConfigFlags)
+	fact := cmdutil.NewFactory(matchFlags)
+
+	config := &rest.Config{Host: server.URL}
+	k := &kubectlResourceOperations{
+		config: config,
+		fact:   fact,
+	}
+
+	role := testingutils.NewRole()
+	role.SetNamespace(namespace)
+
+	_, err := k.authReconcile(context.Background(), role, "/dev/null", cmdutil.DryRunNone)
+	assert.Error(t, err)
+	assert.True(t, errors.IsNotFound(err), "returned error wasn't not found")
+
+	roleBinding := testingutils.NewRoleBinding()
+	roleBinding.SetNamespace(namespace)
+
+	_, err = k.authReconcile(context.Background(), roleBinding, "/dev/null", cmdutil.DryRunNone)
+	assert.Error(t, err)
+	assert.True(t, errors.IsNotFound(err), "returned error wasn't not found")
+
+	clusterRole := testingutils.NewClusterRole()
+	clusterRole.SetNamespace(namespace)
+
+	_, err = k.authReconcile(context.Background(), clusterRole, "/dev/null", cmdutil.DryRunNone)
+	assert.NoError(t, err)
+
+	clusterRoleBinding := testingutils.NewClusterRoleBinding()
+	clusterRoleBinding.SetNamespace(namespace)
+
+	_, err = k.authReconcile(context.Background(), clusterRoleBinding, "/dev/null", cmdutil.DryRunNone)
+	assert.NoError(t, err)
+}

gitops-engine/pkg/utils/testing/testdata.go

@@ -97,3 +97,55 @@ metadata:
   name: testnamespace
 spec:`)
 }
+
+func NewRole() *unstructured.Unstructured {
+	return Unstructured(`apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: my-role
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list"]`)
+}
+
+func NewRoleBinding() *unstructured.Unstructured {
+	return Unstructured(`apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: my-role-binding
+subjects:
+- kind: User
+  name: user
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: my-role
+  apiGroup: rbac.authorization.k8s.io`)
+}
+
+func NewClusterRole() *unstructured.Unstructured {
+	return Unstructured(`apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: my-cluster-role
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "watch", "list"]`)
+}
+
+func NewClusterRoleBinding() *unstructured.Unstructured {
+	return Unstructured(`apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: my-cluster-role-binding
+subjects:
+- kind: Group
+  name: group
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: my-cluster-role
+  apiGroup: rbac.authorization.k8s.io`)
+}

hack/installers/checksums/git-lfs-linux-amd64-v3.7.1.tar.gz.sha256

@@ -0,0 +1 @@
+1c0b6ee5200ca708c5cebebb18fdeb0e1c98f1af5c1a9cba205a4c0ab5a5ec08  git-lfs-linux-amd64-v3.7.1.tar.gz

hack/installers/checksums/git-lfs-linux-arm64-v3.7.1.tar.gz.sha256

@@ -0,0 +1 @@
+73a9c90eeb4312133a63c3eaee0c38c019ea7bfa0953d174809d25b18588dd8d  git-lfs-linux-arm64-v3.7.1.tar.gz

hack/installers/install-git-lfs.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -eux -o pipefail
+
+. "$(dirname "$0")"/../tool-versions.sh
+
+export TARGET_FILE=git-lfs-${INSTALL_OS}-${ARCHITECTURE}-v${git_lfs_version}.tar.gz
+
+[ -e "$DOWNLOADS/${TARGET_FILE}" ] || curl -sLf --retry 3 -o "$DOWNLOADS/${TARGET_FILE}" "https://github.com/git-lfs/git-lfs/releases/download/v${git_lfs_version}/${TARGET_FILE}"
+"$(dirname "$0")"/compare-chksum.sh
+mkdir -p /tmp/git-lfs && tar -C /tmp/git-lfs --strip-components=1 -xzf "$DOWNLOADS/${TARGET_FILE}"
+sudo install -m 0755 "/tmp/git-lfs/git-lfs" "$BIN/git-lfs"
+git-lfs version

hack/tool-versions.sh

@@ -15,3 +15,4 @@ helm3_version=3.19.4
 kustomize5_version=5.8.1
 protoc_version=29.3
 oras_version=1.2.0
+git_lfs_version=3.7.1

test/container/Dockerfile

@@ -14,7 +14,7 @@ FROM docker.io/library/registry:3.0@sha256:6c5666b861f3505b116bb9aa9b25175e71210
 
 FROM docker.io/bitnamilegacy/kubectl:1.32@sha256:9524faf8e3cefb47fa28244a5d15f95ec21a73d963273798e593e61f80712333 AS kubectl
 
-FROM docker.io/library/ubuntu:26.04@sha256:4095ef613201918336b5d7d00be15d8b09c72ddb77c80bca249c255887a64d87
+FROM docker.io/library/ubuntu:26.04@sha256:fed6ddb82c61194e1814e93b59cfcb6759e5aa33c4e41bb3782313c2386ed6df
 
 ENV DEBIAN_FRONTEND=noninteractive
 
@@ -28,7 +28,6 @@ RUN  apt-get update && apt-get install --fix-missing --no-install-recommends -y
     nginx \
     fcgiwrap \
     git \
-    git-lfs \
     gpg \
     gpg-agent \
     jq \
@@ -71,6 +70,7 @@ RUN ./install.sh helm && \
     ./install.sh codegen-go-tools && \
     ./install.sh lint-tools && \
     ./install.sh gotestsum && \
+    ./install.sh git-lfs && \
     go install github.com/mattn/goreman@latest && \
     go install github.com/kisielk/godepgraph@latest && \
     go install github.com/jstemmer/go-junit-report@latest && \