sibling of 06b05c6b00

2026-02-22 02:28:46 +01:00 · 2023-10-02 19:09:10 +00:00
40 changed files with 177 additions and 473 deletions
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -360,7 +360,6 @@ jobs:
    name: Run end-to-end tests
    runs-on: ubuntu-22.04
    strategy:
-      fail-fast: false
      matrix:
        k3s-version: [v1.27.2, v1.26.0, v1.25.4, v1.24.3]
    needs: 
--- a/13
+++ b/13
@@ -49,7 +49,7 @@ ARGOCD_E2E_DEX_PORT?=5556
 ARGOCD_E2E_YARN_HOST?=localhost
 ARGOCD_E2E_DISABLE_AUTH?=

-ARGOCD_E2E_TEST_TIMEOUT?=60m
+ARGOCD_E2E_TEST_TIMEOUT?=45m

 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
@@ -386,9 +386,9 @@ test: test-tools-image
 .PHONY: test-local
 test-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -coverprofile=coverage.out; \
+		./hack/test.sh -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`; \
 	else \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -coverprofile=coverage.out "$(TEST_MODULE)"; \
+		./hack/test.sh -coverprofile=coverage.out "$(TEST_MODULE)"; \
 	fi

 .PHONY: test-race
@@ -400,9 +400,9 @@ test-race: test-tools-image
 .PHONY: test-race-local
 test-race-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -race -coverprofile=coverage.out; \
+		./hack/test.sh -race -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`; \
 	else \
-		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -race -coverprofile=coverage.out; \
+		./hack/test.sh -race -coverprofile=coverage.out "$(TEST_MODULE)"; \
 	fi

 # Run the E2E test suite. E2E test servers (see start-e2e target) must be
@@ -416,7 +416,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	DIST_DIR=${DIST_DIR} RERUN_FAILS=5 PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v
+	ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v ./test/e2e

 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@@ -557,7 +557,6 @@ install-tools-local: install-test-tools-local install-codegen-tools-local instal
 install-test-tools-local:
 	./hack/install.sh kustomize
 	./hack/install.sh helm-linux
-	./hack/install.sh gotestsum

 # Installs all tools required for running codegen (Linux packages)
 .PHONY: install-codegen-tools-local
--- a/2
+++ b/2
@@ -1 +1 @@
-2.9.0
+2.9.0-rc1
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -695,16 +695,8 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 			continue
 		}
 		r.updateCache(ctx, found, appLog)
-
-		if action != controllerutil.OperationResultNone {
-			// Don't pollute etcd with "unchanged Application" events
-			r.Recorder.Eventf(&applicationSet, corev1.EventTypeNormal, fmt.Sprint(action), "%s Application %q", action, generatedApp.Name)
-			appLog.Logf(log.InfoLevel, "%s Application", action)
-		} else {
-			// "unchanged Application" can be inferred by Reconcile Complete with no action being listed
-			// Or enable debug logging
-			appLog.Logf(log.DebugLevel, "%s Application", action)
-		}
+		r.Recorder.Eventf(&applicationSet, corev1.EventTypeNormal, fmt.Sprint(action), "%s Application %q", action, generatedApp.Name)
+		appLog.Logf(log.InfoLevel, "%s Application", action)
 	}
 	return firstError
 }
--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@@ -148,9 +148,6 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 			return nil, fmt.Errorf("unable to parse file: %v", err)
 		}
 		objectsFound = append(objectsFound, singleObj)
-	} else if len(objectsFound) == 0 {
-		// If file is valid but empty, add a default empty item
-		objectsFound = append(objectsFound, map[string]interface{}{})
 	}

 	res := []map[string]interface{}{}
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@@ -4,173 +4,119 @@ import (
 	"fmt"
 	"testing"

-	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
+
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )

 func Test_generateParamsFromGitFile(t *testing.T) {
-	defaultContent := []byte(`
+	values := map[string]string{}
+	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
 foo:
  bar: baz
-`)
-	type args struct {
-		filePath          string
-		fileContent       []byte
-		values            map[string]string
-		useGoTemplate     bool
-		goTemplateOptions []string
-		pathParamPrefix   string
+`), values, false, nil, "")
+	if err != nil {
+		t.Fatal(err)
 	}
-	tests := []struct {
-		name    string
-		args    args
-		want    []map[string]interface{}
-		wantErr bool
-	}{
+	assert.Equal(t, []map[string]interface{}{
 		{
-			name: "empty file returns path parameters",
-			args: args{
-				filePath:      "path/dir/file_name.yaml",
-				fileContent:   []byte(""),
-				values:        map[string]string{},
-				useGoTemplate: false,
-			},
-			want: []map[string]interface{}{
-				{
-					"path":                    "path/dir",
-					"path.basename":           "dir",
-					"path.filename":           "file_name.yaml",
-					"path.basenameNormalized": "dir",
-					"path.filenameNormalized": "file-name.yaml",
-					"path[0]":                 "path",
-					"path[1]":                 "dir",
-				},
-			},
-		},
-		{
-			name: "invalid json/yaml file returns error",
-			args: args{
-				filePath:      "path/dir/file_name.yaml",
-				fileContent:   []byte("this is not json or yaml"),
-				values:        map[string]string{},
-				useGoTemplate: false,
-			},
-			wantErr: true,
-		},
-		{
-			name: "file parameters are added to params",
-			args: args{
-				filePath:      "path/dir/file_name.yaml",
-				fileContent:   defaultContent,
-				values:        map[string]string{},
-				useGoTemplate: false,
-			},
-			want: []map[string]interface{}{
-				{
-					"foo.bar":                 "baz",
-					"path":                    "path/dir",
-					"path.basename":           "dir",
-					"path.filename":           "file_name.yaml",
-					"path.basenameNormalized": "dir",
-					"path.filenameNormalized": "file-name.yaml",
-					"path[0]":                 "path",
-					"path[1]":                 "dir",
-				},
-			},
-		},
-		{
-			name: "path parameter are prefixed",
-			args: args{
-				filePath:        "path/dir/file_name.yaml",
-				fileContent:     defaultContent,
-				values:          map[string]string{},
-				useGoTemplate:   false,
-				pathParamPrefix: "myRepo",
-			},
-			want: []map[string]interface{}{
-				{
-					"foo.bar":                        "baz",
-					"myRepo.path":                    "path/dir",
-					"myRepo.path.basename":           "dir",
-					"myRepo.path.filename":           "file_name.yaml",
-					"myRepo.path.basenameNormalized": "dir",
-					"myRepo.path.filenameNormalized": "file-name.yaml",
-					"myRepo.path[0]":                 "path",
-					"myRepo.path[1]":                 "dir",
-				},
-			},
-		},
-		{
-			name: "file parameters are added to params with go template",
-			args: args{
-				filePath:      "path/dir/file_name.yaml",
-				fileContent:   defaultContent,
-				values:        map[string]string{},
-				useGoTemplate: true,
-			},
-			want: []map[string]interface{}{
-				{
-					"foo": map[string]interface{}{
-						"bar": "baz",
-					},
-					"path": map[string]interface{}{
-						"path":               "path/dir",
-						"basename":           "dir",
-						"filename":           "file_name.yaml",
-						"basenameNormalized": "dir",
-						"filenameNormalized": "file-name.yaml",
-						"segments": []string{
-							"path",
-							"dir",
-						},
-					},
-				},
-			},
-		},
-		{
-			name: "path parameter are prefixed with go template",
-			args: args{
-				filePath:        "path/dir/file_name.yaml",
-				fileContent:     defaultContent,
-				values:          map[string]string{},
-				useGoTemplate:   true,
-				pathParamPrefix: "myRepo",
-			},
-			want: []map[string]interface{}{
-				{
-					"foo": map[string]interface{}{
-						"bar": "baz",
-					},
-					"myRepo": map[string]interface{}{
-						"path": map[string]interface{}{
-							"path":               "path/dir",
-							"basename":           "dir",
-							"filename":           "file_name.yaml",
-							"basenameNormalized": "dir",
-							"filenameNormalized": "file-name.yaml",
-							"segments": []string{
-								"path",
-								"dir",
-							},
-						},
-					},
-				},
-			},
+			"foo.bar":                 "baz",
+			"path":                    "path/dir",
+			"path.basename":           "dir",
+			"path.filename":           "file_name.yaml",
+			"path.basenameNormalized": "dir",
+			"path.filenameNormalized": "file-name.yaml",
+			"path[0]":                 "path",
+			"path[1]":                 "dir",
 		},
+	}, params)
+}
+
+func Test_generatePrefixedParamsFromGitFile(t *testing.T) {
+	values := map[string]string{}
+	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
+foo:
+  bar: baz
+`), values, false, nil, "myRepo")
+	if err != nil {
+		t.Fatal(err)
 	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			params, err := (*GitGenerator)(nil).generateParamsFromGitFile(tt.args.filePath, tt.args.fileContent, tt.args.values, tt.args.useGoTemplate, tt.args.goTemplateOptions, tt.args.pathParamPrefix)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("GitGenerator.generateParamsFromGitFile() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-			assert.Equal(t, tt.want, params)
-		})
+	assert.Equal(t, []map[string]interface{}{
+		{
+			"foo.bar":                        "baz",
+			"myRepo.path":                    "path/dir",
+			"myRepo.path.basename":           "dir",
+			"myRepo.path.filename":           "file_name.yaml",
+			"myRepo.path.basenameNormalized": "dir",
+			"myRepo.path.filenameNormalized": "file-name.yaml",
+			"myRepo.path[0]":                 "path",
+			"myRepo.path[1]":                 "dir",
+		},
+	}, params)
+}
+
+func Test_generateParamsFromGitFileGoTemplate(t *testing.T) {
+	values := map[string]string{}
+	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
+foo:
+  bar: baz
+`), values, true, nil, "")
+	if err != nil {
+		t.Fatal(err)
 	}
+	assert.Equal(t, []map[string]interface{}{
+		{
+			"foo": map[string]interface{}{
+				"bar": "baz",
+			},
+			"path": map[string]interface{}{
+				"path":               "path/dir",
+				"basename":           "dir",
+				"filename":           "file_name.yaml",
+				"basenameNormalized": "dir",
+				"filenameNormalized": "file-name.yaml",
+				"segments": []string{
+					"path",
+					"dir",
+				},
+			},
+		},
+	}, params)
+}
+
+func Test_generatePrefixedParamsFromGitFileGoTemplate(t *testing.T) {
+	values := map[string]string{}
+	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
+foo:
+  bar: baz
+`), values, true, nil, "myRepo")
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Equal(t, []map[string]interface{}{
+		{
+			"foo": map[string]interface{}{
+				"bar": "baz",
+			},
+			"myRepo": map[string]interface{}{
+				"path": map[string]interface{}{
+					"path":               "path/dir",
+					"basename":           "dir",
+					"filename":           "file_name.yaml",
+					"basenameNormalized": "dir",
+					"filenameNormalized": "file-name.yaml",
+					"segments": []string{
+						"path",
+						"dir",
+					},
+				},
+			},
+		},
+	}, params)
 }

 func TestGitGenerateParamsFromDirectories(t *testing.T) {
--- a/docs/assets/zitadel-actions.png
+++ b/docs/assets/zitadel-actions.png
--- a/docs/assets/zitadel-application-1.png
+++ b/docs/assets/zitadel-application-1.png
--- a/docs/assets/zitadel-application-2.png
+++ b/docs/assets/zitadel-application-2.png
--- a/docs/assets/zitadel-application-3.png
+++ b/docs/assets/zitadel-application-3.png
--- a/docs/assets/zitadel-application-4.png
+++ b/docs/assets/zitadel-application-4.png
--- a/docs/assets/zitadel-application-secrets.png
+++ b/docs/assets/zitadel-application-secrets.png
--- a/docs/assets/zitadel-application-settings.png
+++ b/docs/assets/zitadel-application-settings.png
--- a/docs/assets/zitadel-argocd-login.png
+++ b/docs/assets/zitadel-argocd-login.png
--- a/docs/assets/zitadel-argocd-user-info.png
+++ b/docs/assets/zitadel-argocd-user-info.png
--- a/docs/assets/zitadel-project-authorizations.png
+++ b/docs/assets/zitadel-project-authorizations.png
--- a/docs/assets/zitadel-project-roles.png
+++ b/docs/assets/zitadel-project-roles.png
--- a/docs/assets/zitadel-project-settings.png
+++ b/docs/assets/zitadel-project-settings.png
--- a/docs/assets/zitadel-project.png
+++ b/docs/assets/zitadel-project.png
--- a/docs/developer-guide/ci.md
+++ b/docs/developer-guide/ci.md
@@ -66,7 +66,7 @@ make builder-image IMAGE_NAMESPACE=argoproj IMAGE_TAG=v1.0.0
 ## Public CD

 Every commit to master is built and published to `ghcr.io/argoproj/argo-cd/argocd:<version>-<short-sha>`. The list of images is available at
-[https://github.com/argoproj/argo-cd/packages](https://github.com/argoproj/argo-cd/packages).
+https://github.com/argoproj/argo-cd/packages.

 !!! note
    GitHub docker registry [requires](https://github.community/t5/GitHub-Actions/docker-pull-from-public-GitHub-Package-Registry-fail-with-quot/m-p/32888#M1294) authentication to read
--- a/docs/operator-manual/app-any-namespace.md
+++ b/docs/operator-manual/app-any-namespace.md
@@ -20,7 +20,7 @@ Some manual steps will need to be performed by the Argo CD administrator in orde

 ### Cluster-scoped Argo CD installation

-This feature can only be enabled and used when your Argo CD is installed as a cluster-wide instance, so it has permissions to list and manipulate resources on a cluster scope. It will not work with an Argo CD installed in namespace-scoped mode.
+This feature can only be enabled and used when your Argo CD is installed as a cluster-wide instance, so it has permissions to list and manipulate resources on a cluster scope. It will *not* work with an Argo CD installed in namespace-scoped mode.

 ### Switch resource tracking method

--- a/docs/operator-manual/applicationset/Add-self-signed-TLS-Certs.md
+++ b/docs/operator-manual/applicationset/Add-self-signed-TLS-Certs.md
@@ -0,0 +1,9 @@
+# Add support for self-signed TLS / Certificates for Gitlab SCM/PR Provider
+
+## Implementation details
+
+### Overview
+
+In order for a self-signed TLS certificate be used by an ApplicationSet's SCM / PR Gitlab Generator, the certificate needs to be mounted on the application-controller. The path of the mounted certificate must be explicitly set using the environment variable `ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH` or alternatively using parameter `--scm-root-ca-path`. The applicationset controller will read the mounted certificate to create the Gitlab client for SCM/PR Providers
+
+This can be achieved conveniently by setting `applicationsetcontroller.scm.root.ca.path` in the argocd-cmd-params-cm ConfigMap. Be sure to restart the ApplicationSet controller after setting this value.
--- a/docs/operator-manual/applicationset/Generators-Pull-Request.md
+++ b/docs/operator-manual/applicationset/Generators-Pull-Request.md
@@ -105,7 +105,7 @@ spec:
 * `pullRequestState`: PullRequestState is an additional MRs filter to get only those with a certain state. Default: "" (all states)
 * `insecure`: By default (false) - Skip checking the validity of the SCM's certificate - useful for self-signed TLS certificates.

-As a preferable alternative to setting `insecure` to true, you can configure self-signed TLS certificates for Gitlab by [mounting self-signed certificate to the applicationset controller](./Generators-SCM-Provider.md#self-signed-tls-certificates).
+As a preferable alternative to setting `insecure` to true, you can configure self-signed TLS certificates for Gitlab by [mounting self-signed certificate to the applicationset controller](./Add-self-signed-TLS-Certs.md).

 ## Gitea

--- a/docs/operator-manual/applicationset/Generators-SCM-Provider.md
+++ b/docs/operator-manual/applicationset/Generators-SCM-Provider.md
@@ -111,18 +111,12 @@ spec:
 * `tokenRef`: A `Secret` name and key containing the GitLab access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories.
 * `insecure`: By default (false) - Skip checking the validity of the SCM's certificate - useful for self-signed TLS certificates.

+As a preferable alternative to setting `insecure` to true, you can configure self-signed TLS certificates for Gitlab by [mounting self-signed certificate to the applicationset controller](./Add-self-signed-TLS-Certs.md).
+
 For label filtering, the repository tags are used.

 Available clone protocols are `ssh` and `https`.

-### Self-signed TLS Certificates
-
-As a preferable alternative to setting `insecure` to true, you can configure self-signed TLS certificates for Gitlab.
-
-In order for a self-signed TLS certificate be used by an ApplicationSet's SCM / PR Gitlab Generator, the certificate needs to be mounted on the applicationset-controller. The path of the mounted certificate must be explicitly set using the environment variable `ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH` or alternatively using parameter `--scm-root-ca-path`. The applicationset controller will read the mounted certificate to create the Gitlab client for SCM/PR Providers
-
-This can be achieved conveniently by setting `applicationsetcontroller.scm.root.ca.path` in the argocd-cmd-params-cm ConfigMap. Be sure to restart the ApplicationSet controller after setting this value.
-
 ## Gitea

 The Gitea mode uses the Gitea API to scan organizations in your instance
--- a/docs/operator-manual/tested-kubernetes-versions.md
+++ b/docs/operator-manual/tested-kubernetes-versions.md
@@ -1,6 +1,5 @@
 | Argo CD version | Kubernetes versions |
 |-----------------|---------------------|
+| 2.9 | v1.27, v1.26, v1.25, v1.24 |
+| 2.8 | v1.27, v1.26, v1.25, v1.24 |
 | 2.7 | v1.26, v1.25, v1.24, v1.23 |
-| 2.6 | v1.24, v1.23, v1.22 |
-| 2.5 | v1.24, v1.23, v1.22 |
-
--- a/docs/operator-manual/user-management/zitadel.md
+++ b/docs/operator-manual/user-management/zitadel.md
@@ -1,210 +0,0 @@
-# Zitadel
-Please also consult the [Zitadel Documentation](https://zitadel.com/docs).
-## Integrating Zitadel and ArgoCD
-These instructions will take you through the entire process of getting your ArgoCD application authenticating and authorizing with Zitadel. You will create an application within Zitadel and configure ArgoCD to use Zitadel for authentication using roles set in Zitadel to determine privileges in ArgoCD.
-
-The following steps are required to integrate ArgoCD with Zitadel:
-1. Create a new project and a new application in Zitadel
-2. Configure the application in Zitadel
-3. Set up roles in Zitadel
-4. Set up an action in Zitadel
-5. Configure ArgoCD configmaps
-6. Test the setup
-
-The following values will be used in this example:
- Zitadel FQDN: `auth.example.com`
- Zitadel Project: `argocd-project`
- Zitadel Application: `argocd-application`
- Zitadel Action: `groupsClaim`
- ArgoCD FQDN: `argocd.example.com`
- ArgoCD Administrator Role: `argocd_administrators`
- ArgoCD User Role: `argocd_users`
-
-You may choose different values in your setup; these are used to keep the guide consistent.
-
-## Setting up your project and application in Zitadel
-First, we will create a new project within Zitadel. Go to **Projects** and select **Create New Project**.  
-You should now see the following screen.  
-
-![Zitadel Project](../../assets/zitadel-project.png "Zitadel Project")
-
-Check the following options:
- Assert Roles on Authentication
- Check authorization on Authentication
-
-![Zitadel Project Settings](../../assets/zitadel-project-settings.png "Zitadel Project Settings")
-
-### Roles
-
-Go to **Roles** and click **New**. Create the following two roles. Use the specified values below for both fields **Key** and **Group**.
- `argocd_administrators`
- `argocd_users`
-
-Your roles should now look like this:
-
-![Zitadel Project Roles](../../assets/zitadel-project-roles.png "Zitadel Project Roles")
-
-### Authorizations
-
-Next, go to **Authorizations** and assign your user the role `argocd_administrators`.
-Click **New**, enter the name of your user and click **Continue**. Select the role `argocd_administrators` and click **Save**.
-
-Your authorizations should now look like this:
-
-![Zitadel Project Authorizations](../../assets/zitadel-project-authorizations.png "Zitadel Project Authorizations")
-
-### Creating an application
-
-Go to **General** and create a new application. Name the application `argocd-application`.
-
-For type of the application, select **WEB** and click continue.
-
-![Zitadel Application Setup Step 1](../../assets/zitadel-application-1.png "Zitadel Application Setup Step 1")
-
-Select **CODE** and continue.
-
-![Zitadel Application Setup Step 2](../../assets/zitadel-application-2.png "Zitadel Application Setup Step 2")
-
-Next, we will set up the redirect and post-logout URIs. Set the following values:
- Redirect URI: `https://argocd.example.com/auth/callback`
- Post Logout URI: `https://argocd.example.com`
-
-The post logout URI is optional. In the example setup users will be taken back to the ArgoCD login page after logging out.
-
-![Zitadel Application Setup Step 3](../../assets/zitadel-application-3.png "Zitadel Application Setup Step 3")
-
-Verify your configuration on the next screen and click **Create** to create the application.
-
-![Zitadel Application Setup Step 4](../../assets/zitadel-application-4.png "Zitadel Application Setup Step 4")
-
-After clicking **Create** you will be shown the `ClientId` and the `ClientSecret` for your application. Make sure to copy the ClientSecret as you will not be able to retrieve it after closing this window.  
-For our example, the following values are used:
- ClientId: `227060711795262483@argocd-project`
- ClientSecret: `UGvTjXVFAQ8EkMv2x4GbPcrEwrJGWZ0sR2KbwHRNfYxeLsDurCiVEpa5bkgW0pl0`
-
-![Zitadel Application Secrets](../../assets/zitadel-application-secrets.png "Zitadel Application Secrets")
-
-Once you have saved the ClientSecret in a safe place, click **Close** to complete creating the application.
-
-Go to **Token Settings** and enable the following options:  
- User roles inside ID Token
- User Info inside ID Token
-
-![Zitadel Application Settings](../../assets/zitadel-application-settings.png "Zitadel Application Settings")
-
-## Setting up an action in Zitadel
-
-To include the role of the user in the token issued by Zitadel, we will need to set up a Zitadel Action. The authorization in ArgoCD will be determined by the role contained within the auth token.  
-Go to **Actions**, click **New** and choose `groupsClaim` as the name of your action.
-
-Paste the following code into the action:
-
-```javascript
-/**
- * sets the roles an additional claim in the token with roles as value an project as key
- *
- * The role claims of the token look like the following:
- *
- * // added by the code below
- * "groups": ["{roleName}", "{roleName}", ...],
- *
- * Flow: Complement token, Triggers: Pre Userinfo creation, Pre access token creation
- *
- * @param ctx
- * @param api
- */
-function groupsClaim(ctx, api) {
-  if (ctx.v1.user.grants === undefined || ctx.v1.user.grants.count == 0) {
-    return;
-  }
-
-  let grants = [];
-  ctx.v1.user.grants.grants.forEach((claim) => {
-    claim.roles.forEach((role) => {
-      grants.push(role);
-    });
-  });
-
-  api.v1.claims.setClaim("groups", grants);
-}
-```
-
-Check **Allowed To Fail** and click **Add** to add your action.  
-
-*Note: If **Allowed To Fail** is not checked and a user does not have a role assigned, it may be possible that the user is no longer able to log in to Zitadel as the login flow fails when the action fails.*
-
-Next, add your action to the **Complement Token** flow. Select the **Complement Token** flow from the dropdown and click **Add trigger**.  
-Add your action to both triggers **Pre Userinfo creation** and **Pre access token creation**.
-
-Your Actions page should now look like the following screenshot:
-
-![Zitadel Actions](../../assets/zitadel-actions.png "Zitadel Actions")
-
-
-## Configuring the ArgoCD configmaps
-
-Next, we will configure two ArgoCD configmaps:
- [argocd-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-cm.yaml)
- [argocd-rbac-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml)
-
-Configure your configmaps as follows while making sure to replace the relevant values such as `url`, `issuer`, `clientID`, `clientSecret` and `logoutURL` with ones matching your setup.
-
-### argocd-cm.yaml
-```yaml
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/part-of: argocd
-data:
-  admin.enabled: "false"
-  url: https://argocd.example.com
-  oidc.config: |
-    name: Zitadel
-    issuer: https://auth.example.com
-    clientID: 227060711795262483@argocd-project
-    clientSecret: UGvTjXVFAQ8EkMv2x4GbPcrEwrJGWZ0sR2KbwHRNfYxeLsDurCiVEpa5bkgW0pl0
-    requestedScopes:
-      - openid
-      - profile
-      - email
-      - groups
-    logoutURL: https://auth.example.com/oidc/v1/end_session
-```
-
-### argocd-rbac-cm.yaml
-```yaml
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-rbac-cm
-  namespace: argocd
-  labels:
-    app.kubernetes.io/part-of: argocd
-data:
-  scopes: '[groups]'
-  policy.csv: |
-    g, argocd_administrators, role:admin
-    g, argocd_users, role:readonly
-  policy.default: ''
-```
-
-The roles specified under `policy.csv` must match the roles configured in Zitadel.  
-The Zitadel role `argocd_administrators` will be assigned the ArgoCD role `admin` granting admin access to ArgoCD.  
-The Zitadel role `argocd_users` will be assigned the ArgoCD role `readonly` granting read-only access to ArgoCD.
-
-Deploy your ArgoCD configmaps. ArgoCD and Zitadel should now be set up correctly to allow users to log in to ArgoCD using Zitadel.
-
-## Testing the setup
-
-Go to your ArgoCD instance. You should now see the **LOG IN WITH ZITADEL** button above the usual username/password login.
-
-![Zitadel ArgoCD Login](../../assets/zitadel-argocd-login.png "Zitadel ArgoCD Login")
-
-After logging in with your Zitadel user go to **User Info**. If everything is set up correctly you should now see the group `argocd_administrators` as shown below.
-
-![Zitadel ArgoCD User Info](../../assets/zitadel-argocd-user-info.png "Zitadel ArgoCD User Info")
--- a/docs/user-guide/projects.md
+++ b/docs/user-guide/projects.md
@@ -3,8 +3,8 @@
 Projects provide a logical grouping of applications, which is useful when Argo CD is used by multiple
 teams. Projects provide the following features:

-* restrict what may be deployed (trusted Git source repositories)
-* restrict where apps may be deployed to (destination clusters and namespaces)
+* restrict *what* may be deployed (trusted Git source repositories)
+* restrict *where* apps may be deployed to (destination clusters and namespaces)
 * restrict what kinds of objects may or may not be deployed (e.g. RBAC, CRDs, DaemonSets, NetworkPolicy etc...)
 * defining project roles to provide application RBAC (bound to OIDC groups and/or JWT tokens)

@@ -346,4 +346,4 @@ spec:
 ```

 With this set, the application above would no longer be allowed to be synced to any cluster other than the ones which 
-are a part of the same project.    
+are a part of the same project.    
--- a/hack/installers/install-gotestsum.sh
+++ b/hack/installers/install-gotestsum.sh
@@ -1,26 +0,0 @@
-#!/bin/bash
-set -eux -o pipefail
-
-# Code from: https://github.com/argoproj/argo-rollouts/blob/f650a1fd0ba7beb2125e1598410515edd572776f/hack/installers/install-dev-tools.sh
-
-PROJECT_ROOT=$(cd $(dirname ${BASH_SOURCE})/../..; pwd)
-DIST_PATH="${PROJECT_ROOT}/dist"
-PATH="${DIST_PATH}:${PATH}"
-
-mkdir -p ${DIST_PATH}
-
-gotestsum_version=1.11.0
-
-OS=$(go env GOOS)
-ARCH=$(go env GOARCH)
-
-export TARGET_FILE=gotestsum_${gotestsum_version}_${OS}_${ARCH}.tar.gz
-temp_path="/tmp/${TARGET_FILE}"
-url=https://github.com/gotestyourself/gotestsum/releases/download/v${gotestsum_version}/gotestsum_${gotestsum_version}_${OS}_${ARCH}.tar.gz
-[ -e ${temp_path} ] || curl -sLf --retry 3 -o ${temp_path} ${url}
-
-mkdir -p /tmp/gotestsum-${gotestsum_version}
-tar -xvzf ${temp_path} -C /tmp/gotestsum-${gotestsum_version}
-cp /tmp/gotestsum-${gotestsum_version}/gotestsum ${DIST_PATH}/gotestsum
-chmod +x ${DIST_PATH}/gotestsum
-gotestsum --version
--- a/hack/test.sh
+++ b/hack/test.sh
@@ -15,4 +15,12 @@ fi

 mkdir -p $TEST_RESULTS

-GODEBUG="tarinsecurepath=0,zipinsecurepath=0" ${DIST_DIR}/gotestsum --rerun-fails-report=rerunreport.txt --junitfile=$TEST_RESULTS/junit.xml --format=testname --rerun-fails="$RERUN_FAILS" --packages="$PACKAGES" -- $TEST_FLAGS $*
+report() {
+	set -eux -o pipefail
+
+	go-junit-report < $TEST_RESULTS/test.out > $TEST_RESULTS/junit.xml
+}
+
+trap 'report' EXIT
+
+GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go test $TEST_FLAGS -failfast $* 2>&1 | tee $TEST_RESULTS/test.out
--- a/manifests/base/kustomization.yaml
+++ b/manifests/base/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v2.9.0-rc1
 resources:
 - ./application-controller
 - ./dex
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
@@ -20742,7 +20742,7 @@ spec:
              key: applicationsetcontroller.allowed.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -21042,7 +21042,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -21094,7 +21094,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -21313,7 +21313,7 @@ spec:
              key: controller.kubectl.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/core-install/kustomization.yaml
+++ b/manifests/core-install/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v2.9.0-rc1
--- a/manifests/ha/base/kustomization.yaml
+++ b/manifests/ha/base/kustomization.yaml
@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v2.9.0-rc1
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@@ -21998,7 +21998,7 @@ spec:
              key: applicationsetcontroller.allowed.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -22121,7 +22121,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -22191,7 +22191,7 @@ spec:
              key: notificationscontroller.log.level
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -22522,7 +22522,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -22574,7 +22574,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -22863,7 +22863,7 @@ spec:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -23109,7 +23109,7 @@ spec:
              key: controller.kubectl.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@@ -1654,7 +1654,7 @@ spec:
              key: applicationsetcontroller.allowed.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -1777,7 +1777,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -1847,7 +1847,7 @@ spec:
              key: notificationscontroller.log.level
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -2178,7 +2178,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -2230,7 +2230,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -2519,7 +2519,7 @@ spec:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -2765,7 +2765,7 @@ spec:
              key: controller.kubectl.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -21093,7 +21093,7 @@ spec:
              key: applicationsetcontroller.allowed.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -21216,7 +21216,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -21286,7 +21286,7 @@ spec:
              key: notificationscontroller.log.level
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -21568,7 +21568,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -21620,7 +21620,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -21907,7 +21907,7 @@ spec:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -22153,7 +22153,7 @@ spec:
              key: controller.kubectl.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -749,7 +749,7 @@ spec:
              key: applicationsetcontroller.allowed.scm.providers
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -872,7 +872,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -942,7 +942,7 @@ spec:
              key: notificationscontroller.log.level
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -1224,7 +1224,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -1276,7 +1276,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -1563,7 +1563,7 @@ spec:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -1809,7 +1809,7 @@ spec:
              key: controller.kubectl.parallelism.limit
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.9.0-rc1
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -26,9 +26,6 @@ nav:
  - operator-manual/declarative-setup.md
  - operator-manual/app-any-namespace.md
  - operator-manual/ingress.md
-  - High Availability:
-    - Overview: operator-manual/high_availability.md
-    - Dynamic Cluster Distribution: operator-manual/dynamic-cluster-distribution.md
  - User Management:
    - operator-manual/user-management/index.md
    - operator-manual/user-management/auth0.md
@@ -38,7 +35,6 @@ nav:
    - operator-manual/user-management/keycloak.md
    - operator-manual/user-management/openunison.md
    - operator-manual/user-management/google.md
-    - operator-manual/user-management/zitadel.md
    - operator-manual/rbac.md
  - Security:
    - Overview: operator-manual/security.md
@@ -48,6 +44,7 @@ nav:
  - operator-manual/cluster-bootstrapping.md
  - operator-manual/secret-management.md
  - operator-manual/disaster_recovery.md
+  - operator-manual/high_availability.md
  - operator-manual/reconcile.md
  - operator-manual/webhook.md
  - operator-manual/health.md
--- a/pkg/apis/application/v1alpha1/applicationset_types.go
+++ b/pkg/apis/application/v1alpha1/applicationset_types.go
@@ -229,7 +229,7 @@ type ApplicationSetTerminalGenerator struct {
 	SCMProvider             *SCMProviderGenerator `json:"scmProvider,omitempty" protobuf:"bytes,4,name=scmProvider"`
 	ClusterDecisionResource *DuckTypeGenerator    `json:"clusterDecisionResource,omitempty" protobuf:"bytes,5,name=clusterDecisionResource"`
 	PullRequest             *PullRequestGenerator `json:"pullRequest,omitempty" protobuf:"bytes,6,name=pullRequest"`
-	Plugin                  *PluginGenerator      `json:"plugin,omitempty" protobuf:"bytes,7,name=plugin"`
+	Plugin                  *PluginGenerator      `json:"plugin,omitempty" protobuf:"bytes,7,name=pullRequest"`

 	// Selector allows to post-filter all generator.
 	Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,8,name=selector"`
--- a/ui-test/yarn.lock
+++ b/ui-test/yarn.lock
@@ -1222,9 +1222,9 @@ selenium-webdriver@^4.0.0-alpha.7:
    ws "^7.3.1"

 semver@^5.3.0:
-  version "5.7.2"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-5.7.2.tgz#48d55db737c3287cd4835e17fa13feace1c41ef8"
-  integrity sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==
+  version "5.7.1"
+  resolved "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz"
+  integrity sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==

 serialize-javascript@5.0.1:
  version "5.0.1"