sibling of 5d6111b745

.github/workflows/ci-build.yaml

@@ -1,5 +1,5 @@
 name: Integration tests
-on:
+on: 
   push:
     branches:
       - 'master'
@@ -23,28 +23,9 @@ permissions:
   contents: read
 
 jobs:
-  changes:
-    runs-on: ubuntu-latest
-    outputs:
-      backend: ${{ steps.filter.outputs.backend }}
-      frontend: ${{ steps.filter.outputs.frontend }}
-    steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2
-        id: filter
-        with:
-          # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
-          filters: |
-            backend:
-              - '!(ui/**|docs/**|**.md|**/*.md)'
-            frontend:
-              - 'ui/**'
   check-go:
     name: Ensure Go modules synchronicity
-    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
-    needs:
-      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -62,10 +43,7 @@ jobs:
 
   build-go:
     name: Build & cache Go code
-    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
-    needs:
-      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -89,10 +67,7 @@ jobs:
       contents: read  # for actions/checkout to fetch code
       pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Go code
-    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
-    needs:
-      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -108,14 +83,12 @@ jobs:
 
   test-go:
     name: Run unit tests for Go packages
-    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
     needs:
       - build-go
-      - changes
     env:
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
+      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}      
     steps:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
@@ -177,14 +150,12 @@ jobs:
 
   test-go-race:
     name: Run unit tests with -race for Go packages
-    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
     needs:
       - build-go
-      - changes
     env:
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
+      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
@@ -241,10 +212,7 @@ jobs:
 
   codegen:
     name: Check changes to generated code
-    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
-    needs:
-      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -292,17 +260,14 @@ jobs:
 
   build-ui:
     name: Build, test & lint UI code
-    if: ${{ needs.changes.outputs.frontend == 'true' }}
     runs-on: ubuntu-22.04
-    needs:
-      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Setup NodeJS
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
-          node-version: '21.6.1'
+          node-version: '20.7.0'
       - name: Restore node dependency cache
         id: cache-dependencies
         uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
@@ -327,12 +292,10 @@ jobs:
 
   analyze:
     name: Process & analyze test artifacts
-    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
     runs-on: ubuntu-22.04
     needs:
       - test-go
       - build-ui
-      - changes
     env:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
@@ -352,7 +315,7 @@ jobs:
       - name: Create test-results directory
         run: |
           mkdir -p test-results
-      - name: Get code coverage artifact
+      - name: Get code coverage artifiact
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: code-coverage
@@ -373,37 +336,35 @@ jobs:
           SCANNER_PATH: /tmp/cache/scanner
           OS: linux
         run: |
-          # We do not use the provided action, because it does contain an old
-          # version of the scanner, and also takes time to build.
-          set -e
-          mkdir -p ${SCANNER_PATH}
-          export SONAR_USER_HOME=${SCANNER_PATH}/.sonar
-          if [[ ! -x "${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner" ]]; then
-            curl -Ol https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip
-            unzip -qq -o sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip -d ${SCANNER_PATH}
-          fi
-          
-          chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
-          chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/jre/bin/java
-          
-          # Explicitly set NODE_MODULES
-          export NODE_MODULES=${PWD}/ui/node_modules
-          export NODE_PATH=${PWD}/ui/node_modules
-          
-          ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
+            # We do not use the provided action, because it does contain an old
+            # version of the scanner, and also takes time to build.
+            set -e
+            mkdir -p ${SCANNER_PATH}
+            export SONAR_USER_HOME=${SCANNER_PATH}/.sonar
+            if [[ ! -x "${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner" ]]; then
+              curl -Ol https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip
+              unzip -qq -o sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip -d ${SCANNER_PATH}
+            fi
+
+            chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
+            chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/jre/bin/java
+
+            # Explicitly set NODE_MODULES
+            export NODE_MODULES=${PWD}/ui/node_modules
+            export NODE_PATH=${PWD}/ui/node_modules
+
+            ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
         if: env.sonar_secret != ''
 
   test-e2e:
     name: Run end-to-end tests
-    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:
-        k3s-version: [v1.29.1, v1.28.6, v1.27.10, v1.26.13, v1.25.16]
-    needs:
+        k3s-version: [v1.28.2, v1.27.6, v1.26.9, v1.25.14]
+    needs: 
       - build-go
-      - changes
     env:
       GOPATH: /home/runner/go
       ARGOCD_FAKE_IN_CLUSTER: "true"
@@ -416,7 +377,7 @@ jobs:
       ARGOCD_APPLICATION_NAMESPACES: "argocd-e2e-external,argocd-e2e-external-2"
       ARGOCD_SERVER: "127.0.0.1:8088"
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
+      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -466,7 +427,7 @@ jobs:
           git config --global user.email "john.doe@example.com"
       - name: Pull Docker image required for tests
         run: |
-          docker pull ghcr.io/dexidp/dex:v2.38.0
+          docker pull ghcr.io/dexidp/dex:v2.37.0
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
           docker pull redis:7.0.14-alpine
       - name: Create target directory for binaries in the build-process
@@ -501,26 +462,3 @@ jobs:
           name: e2e-server-k8s${{ matrix.k3s-version }}.log
           path: /tmp/e2e-server.log
         if: ${{ failure() }}
-
-  # workaround for status checks -- check this one job instead of each individual E2E job in the matrix
-  # this allows us to skip the entire matrix when it doesn't need to run while still having accurate status checks
-  # see:
-  # https://github.com/argoproj/argo-workflows/pull/12006
-  # https://github.com/orgs/community/discussions/9141#discussioncomment-2296809
-  # https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
-  test-e2e-composite-result:
-    name: E2E Tests - Composite result
-    if: ${{ always() }}
-    needs:
-      - test-e2e
-      - changes
-    runs-on: ubuntu-22.04
-    steps:
-      - run: |
-          result="${{ needs.test-e2e.result }}"
-          # mark as successful even if skipped
-          if [[ $result == "success" || $result == "skipped" ]]; then
-            exit 0
-          else
-            exit 1
-          fi

CODEOWNERS

@@ -2,10 +2,9 @@
 ** @argoproj/argocd-approvers
 
 # Docs
-/docs/**     @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
-/USERS.md    @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
-/README.md   @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
-/mkdocs.yml  @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
+/docs/**    @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
+/USERS.md   @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
+/mkdocs.yml @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
 
 # CI
 /.github/**       @argoproj/argocd-approvers @argoproj/argocd-approvers-ci

Dockerfile

@@ -51,7 +51,7 @@ RUN groupadd -g $ARGOCD_USER_ID argocd && \
     apt-get update && \
     apt-get dist-upgrade -y && \
     apt-get install -y \
-    git git-lfs tini gpg tzdata connect-proxy && \
+    git git-lfs tini gpg tzdata && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
@@ -83,7 +83,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:21.6.1@sha256:abc4a25c8b5a2b460f3144aabfc8941ecd7e4fb721e0b14b635e70394c1899fb AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:20.6.1@sha256:14bd39208dbc0eb171cbfb26ccb9ac09fa1b2eba04ccd528ab5d12983fd9ee24 AS argocd-ui
 
 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]

Makefile

@@ -175,21 +175,29 @@ endif
 .PHONY: all
 all: cli image
 
+# We have some legacy requirements for being checked out within $GOPATH.
+# The ensure-gopath target can be used as dependency to ensure we are running
+# within these boundaries.
+.PHONY: ensure-gopath
+ensure-gopath:
+ifneq ("$(PWD)","$(LEGACY_PATH)")
+	@echo "Due to legacy requirements for codegen, repository needs to be checked out within \$$GOPATH"
+	@echo "Location of this repo should be '$(LEGACY_PATH)' but is '$(PWD)'"
+	@exit 1
+endif
+
 .PHONY: gogen
-gogen:
+gogen: ensure-gopath
 	export GO111MODULE=off
 	go generate ./util/argo/...
 
 .PHONY: protogen
-protogen: mod-vendor-local protogen-fast
-
-.PHONY: protogen-fast
-protogen-fast:
+protogen: ensure-gopath mod-vendor-local
 	export GO111MODULE=off
 	./hack/generate-proto.sh
 
 .PHONY: openapigen
-openapigen:
+openapigen: ensure-gopath
 	export GO111MODULE=off
 	./hack/update-openapi.sh
 
@@ -204,22 +212,19 @@ notification-docs:
 
 
 .PHONY: clientgen
-clientgen:
+clientgen: ensure-gopath
 	export GO111MODULE=off
 	./hack/update-codegen.sh
 
 .PHONY: clidocsgen
-clidocsgen:
+clidocsgen: ensure-gopath
 	go run tools/cmd-docs/main.go
 
 
 .PHONY: codegen-local
-codegen-local: mod-vendor-local gogen protogen clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
+codegen-local: ensure-gopath mod-vendor-local gogen protogen clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
 	rm -rf vendor/
 
-.PHONY: codegen-local-fast
-codegen-local-fast: gogen protogen-fast clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
-
 .PHONY: codegen
 codegen: test-tools-image
 	$(call run-in-test-client,make codegen-local)

README.md

@@ -13,7 +13,6 @@
 **Social:**
 [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
 [![Slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
-[![LinkedIn](https://img.shields.io/badge/LinkedIn-argoproj-blue.svg?logo=linkedin)](https://www.linkedin.com/company/argoproj/)
 
 # Argo CD - Declarative Continuous Delivery for Kubernetes
 
@@ -86,5 +85,4 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 1. [Getting Started with ArgoCD for GitOps Deployments](https://youtu.be/AvLuplh1skA)
 1. [Using Argo CD & Datree for Stable Kubernetes CI/CD Deployments](https://youtu.be/17894DTru2Y)
 1. [How to create Argo CD Applications Automatically using ApplicationSet? "Automation of GitOps"](https://amralaayassen.medium.com/how-to-create-argocd-applications-automatically-using-applicationset-automation-of-the-gitops-59455eaf4f72)
-1. [Progressive Delivery with Service Mesh – Argo Rollouts with Istio](https://www.cncf.io/blog/2022/12/16/progressive-delivery-with-service-mesh-argo-rollouts-with-istio/)
 

USERS.md

@@ -94,7 +94,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Fave](https://myfave.com)
 1. [Flexport](https://www.flexport.com/)
 1. [Flip](https://flip.id)
-1. [Fly Security](https://www.flysecurity.com.br/)
 1. [Fonoa](https://www.fonoa.com/)
 1. [Fortra](https://www.fortra.com)
 1. [freee](https://corp.freee.co.jp/en/company/)
@@ -130,7 +129,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [IBM](https://www.ibm.com/)
 1. [Ibotta](https://home.ibotta.com)
 1. [IITS-Consulting](https://iits-consulting.de)
-1. [IllumiDesk](https://www.illumidesk.com)
 1. [imaware](https://imaware.health)
 1. [Indeed](https://indeed.com)
 1. [Index Exchange](https://www.indexexchange.com/)
@@ -221,7 +219,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Pigment](https://www.gopigment.com/)
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
-1. [PITS Globale Datenrettungsdienste](https://www.pitsdatenrettung.de/)
 1. [Platform9 Systems](https://platform9.com/)
 1. [Polarpoint.io](https://polarpoint.io)
 1. [PostFinance](https://github.com/postfinance)
@@ -284,7 +281,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Tamkeen Technologies](https://tamkeentech.sa/)
 1. [Techcombank](https://www.techcombank.com.vn/trang-chu)
 1. [Technacy](https://www.technacy.it/)
-1. [Telavita](https://www.telavita.com.br/)
 1. [Tesla](https://tesla.com/)
 1. [The Scale Factory](https://www.scalefactory.com/)
 1. [ThousandEyes](https://www.thousandeyes.com/)

VERSION

@@ -1 +1 @@
-2.9.0
+2.10.0

assets/swagger.json

@@ -5664,10 +5664,6 @@
           "type": "string",
           "title": "ClusterName contains AWS cluster name"
         },
-        "profile": {
-          "description": "Profile contains optional role ARN. If set then AWS IAM Authenticator uses the profile to perform cluster operations instead of the default AWS credential provider chain.",
-          "type": "string"
-        },
         "roleARN": {
           "description": "RoleARN contains optional role ARN. If set then AWS IAM Authenticator assume a role to perform cluster operations instead of the default AWS credential provider chain.",
           "type": "string"
@@ -8503,9 +8499,6 @@
           "format": "int64",
           "title": "ID is an auto incrementing identifier of the RevisionHistory"
         },
-        "initiatedBy": {
-          "$ref": "#/definitions/v1alpha1OperationInitiator"
-        },
         "revision": {
           "type": "string",
           "title": "Revision holds the revision the sync was performed against"

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -6,12 +6,11 @@ import (
 	"math"
 	"time"
 
+	"github.com/argoproj/argo-cd/v2/pkg/ratelimiter"
 	"github.com/argoproj/pkg/stats"
 	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	kubeerrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
@@ -21,7 +20,6 @@ import (
 	"github.com/argoproj/argo-cd/v2/controller/sharding"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/v2/pkg/ratelimiter"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
 	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
 	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
@@ -33,6 +31,8 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/settings"
 	"github.com/argoproj/argo-cd/v2/util/tls"
 	"github.com/argoproj/argo-cd/v2/util/trace"
+	kubeerrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 const (
@@ -147,8 +147,7 @@ func NewCommand() *cobra.Command {
 				appController.InvalidateProjectsCache()
 			}))
 			kubectl := kubeutil.NewKubectl()
-			clusterSharding, err := getClusterSharding(kubeClient, settingsMgr, shardingAlgorithm, enableDynamicClusterDistribution)
-			errors.CheckError(err)
+			clusterSharding := getClusterSharding(kubeClient, settingsMgr, shardingAlgorithm, enableDynamicClusterDistribution)
 			appController, err = controller.NewApplicationController(
 				namespace,
 				settingsMgr,
@@ -171,7 +170,6 @@ func NewCommand() *cobra.Command {
 				applicationNamespaces,
 				&workqueueRateLimit,
 				serverSideDiff,
-				enableDynamicClusterDistribution,
 			)
 			errors.CheckError(err)
 			cacheutil.CollectMetrics(redisClient, appController.GetMetricsServer())
@@ -232,37 +230,27 @@ func NewCommand() *cobra.Command {
 	command.Flags().Float64Var(&workqueueRateLimit.BackoffFactor, "wq-backoff-factor", env.ParseFloat64FromEnv("WORKQUEUE_BACKOFF_FACTOR", 1.5, 0, math.MaxFloat64), "Set Workqueue Per Item Rate Limiter Backoff Factor, default is 1.5")
 	command.Flags().BoolVar(&enableDynamicClusterDistribution, "dynamic-cluster-distribution-enabled", env.ParseBoolFromEnv(common.EnvEnableDynamicClusterDistribution, false), "Enables dynamic cluster distribution.")
 	command.Flags().BoolVar(&serverSideDiff, "server-side-diff-enabled", env.ParseBoolFromEnv(common.EnvServerSideDiff, false), "Feature flag to enable ServerSide diff. Default (\"false\")")
-	cacheSource = appstatecache.AddCacheFlagsToCmd(&command, cacheutil.Options{
-		OnClientCreated: func(client *redis.Client) {
-			redisClient = client
-		},
+	cacheSource = appstatecache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
+		redisClient = client
 	})
 	return &command
 }
 
-func getClusterSharding(kubeClient *kubernetes.Clientset, settingsMgr *settings.SettingsManager, shardingAlgorithm string, enableDynamicClusterDistribution bool) (sharding.ClusterShardingCache, error) {
-	var (
-		replicasCount int
-	)
+func getClusterSharding(kubeClient *kubernetes.Clientset, settingsMgr *settings.SettingsManager, shardingAlgorithm string, enableDynamicClusterDistribution bool) sharding.ClusterShardingCache {
+	var replicasCount int
 	// StatefulSet mode and Deployment mode uses different default values for shard number.
 	defaultShardNumberValue := 0
+	applicationControllerName := env.StringFromEnv(common.EnvAppControllerName, common.DefaultApplicationControllerName)
+	appControllerDeployment, err := kubeClient.AppsV1().Deployments(settingsMgr.GetNamespace()).Get(context.Background(), applicationControllerName, metav1.GetOptions{})
 
-	if enableDynamicClusterDistribution {
-		applicationControllerName := env.StringFromEnv(common.EnvAppControllerName, common.DefaultApplicationControllerName)
-		appControllerDeployment, err := kubeClient.AppsV1().Deployments(settingsMgr.GetNamespace()).Get(context.Background(), applicationControllerName, metav1.GetOptions{})
-
-		// if app controller deployment is not found when dynamic cluster distribution is enabled error out
-		if err != nil {
-			return nil, fmt.Errorf("(dymanic cluster distribution) failed to get app controller deployment: %v", err)
-		}
-
-		if appControllerDeployment != nil && appControllerDeployment.Spec.Replicas != nil {
-			replicasCount = int(*appControllerDeployment.Spec.Replicas)
-			defaultShardNumberValue = -1
-		} else {
-			return nil, fmt.Errorf("(dymanic cluster distribution) failed to get app controller deployment replica count")
-		}
+	// if the application controller deployment was not found, the Get() call returns an empty Deployment object. So, set the variable to nil explicitly
+	if err != nil && kubeerrors.IsNotFound(err) {
+		appControllerDeployment = nil
+	}
 
+	if enableDynamicClusterDistribution && appControllerDeployment != nil && appControllerDeployment.Spec.Replicas != nil {
+		replicasCount = int(*appControllerDeployment.Spec.Replicas)
+		defaultShardNumberValue = -1
 	} else {
 		replicasCount = env.ParseNumFromEnv(common.EnvControllerReplicas, 0, 0, math.MaxInt32)
 	}
@@ -270,7 +258,7 @@ func getClusterSharding(kubeClient *kubernetes.Clientset, settingsMgr *settings.
 	if replicasCount > 1 {
 		// check for shard mapping using configmap if application-controller is a deployment
 		// else use existing logic to infer shard from pod name if application-controller is a statefulset
-		if enableDynamicClusterDistribution {
+		if enableDynamicClusterDistribution && appControllerDeployment != nil {
 			var err error
 			// retry 3 times if we find a conflict while updating shard mapping configMap.
 			// If we still see conflicts after the retries, wait for next iteration of heartbeat process.
@@ -298,5 +286,5 @@ func getClusterSharding(kubeClient *kubernetes.Clientset, settingsMgr *settings.
 		log.Info("Processing all cluster shards")
 	}
 	db := db.NewDB(settingsMgr.GetNamespace(), settingsMgr, kubeClient)
-	return sharding.NewClusterSharding(db, shardNumber, replicasCount, shardingAlgorithm), nil
+	return sharding.NewClusterSharding(db, shardNumber, replicasCount, shardingAlgorithm)
 }

cmd/argocd-k8s-auth/commands/aws.go

@@ -37,14 +37,13 @@ func newAWSCommand() *cobra.Command {
 	var (
 		clusterName string
 		roleARN     string
-		profile     string
 	)
 	var command = &cobra.Command{
 		Use: "aws",
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
-			presignedURLString, err := getSignedRequestWithRetry(ctx, time.Minute, 5*time.Second, clusterName, roleARN, profile, getSignedRequest)
+			presignedURLString, err := getSignedRequestWithRetry(ctx, time.Minute, 5*time.Second, clusterName, roleARN, getSignedRequest)
 			errors.CheckError(err)
 			token := v1Prefix + base64.RawURLEncoding.EncodeToString([]byte(presignedURLString))
 			// Set token expiration to 1 minute before the presigned URL expires for some cushion
@@ -54,17 +53,16 @@ func newAWSCommand() *cobra.Command {
 	}
 	command.Flags().StringVar(&clusterName, "cluster-name", "", "AWS Cluster name")
 	command.Flags().StringVar(&roleARN, "role-arn", "", "AWS Role ARN")
-	command.Flags().StringVar(&profile, "profile", "", "AWS Profile")
 	return command
 }
 
-type getSignedRequestFunc func(clusterName, roleARN string, profile string) (string, error)
+type getSignedRequestFunc func(clusterName, roleARN string) (string, error)
 
-func getSignedRequestWithRetry(ctx context.Context, timeout, interval time.Duration, clusterName, roleARN string, profile string, fn getSignedRequestFunc) (string, error) {
+func getSignedRequestWithRetry(ctx context.Context, timeout, interval time.Duration, clusterName, roleARN string, fn getSignedRequestFunc) (string, error) {
 	ctx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 	for {
-		signed, err := fn(clusterName, roleARN, profile)
+		signed, err := fn(clusterName, roleARN)
 		if err == nil {
 			return signed, nil
 		}
@@ -76,10 +74,8 @@ func getSignedRequestWithRetry(ctx context.Context, timeout, interval time.Durat
 	}
 }
 
-func getSignedRequest(clusterName, roleARN string, profile string) (string, error) {
-	sess, err := session.NewSessionWithOptions(session.Options{
-		Profile: profile,
-	})
+func getSignedRequest(clusterName, roleARN string) (string, error) {
+	sess, err := session.NewSession()
 	if err != nil {
 		return "", fmt.Errorf("error creating new AWS session: %s", err)
 	}

cmd/argocd-k8s-auth/commands/aws_test.go

@@ -22,7 +22,7 @@ func TestGetSignedRequestWithRetry(t *testing.T) {
 		}
 
 		// when
-		signed, err := getSignedRequestWithRetry(ctx, time.Second, time.Millisecond, "cluster-name", "", "", mock.getSignedRequestMock)
+		signed, err := getSignedRequestWithRetry(ctx, time.Second, time.Millisecond, "cluster-name", "", mock.getSignedRequestMock)
 
 		// then
 		assert.NoError(t, err)
@@ -41,7 +41,7 @@ func TestGetSignedRequestWithRetry(t *testing.T) {
 		}
 
 		// when
-		signed, err := getSignedRequestWithRetry(ctx, time.Second, time.Millisecond, "cluster-name", "", "", mock.getSignedRequestMock)
+		signed, err := getSignedRequestWithRetry(ctx, time.Second, time.Millisecond, "cluster-name", "", mock.getSignedRequestMock)
 
 		// then
 		assert.NoError(t, err)
@@ -57,7 +57,7 @@ func TestGetSignedRequestWithRetry(t *testing.T) {
 		}
 
 		// when
-		signed, err := getSignedRequestWithRetry(ctx, time.Second, time.Millisecond, "cluster-name", "", "", mock.getSignedRequestMock)
+		signed, err := getSignedRequestWithRetry(ctx, time.Second, time.Millisecond, "cluster-name", "", mock.getSignedRequestMock)
 
 		// then
 		assert.Error(t, err)
@@ -70,7 +70,7 @@ type signedRequestMock struct {
 	returnFunc            func(m *signedRequestMock) (string, error)
 }
 
-func (m *signedRequestMock) getSignedRequestMock(clusterName, roleARN string, profile string) (string, error) {
+func (m *signedRequestMock) getSignedRequestMock(clusterName, roleARN string) (string, error) {
 	m.getSignedRequestCalls++
 	return m.returnFunc(m)
 }

cmd/argocd-repo-server/commands/argocd_repo_server.go

@@ -210,10 +210,8 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&helmManifestMaxExtractedSize, "helm-manifest-max-extracted-size", env.StringFromEnv("ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE", "1G"), "Maximum size of helm manifest archives when extracted")
 	command.Flags().BoolVar(&disableManifestMaxExtractedSize, "disable-helm-manifest-max-extracted-size", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE", false), "Disable maximum size of helm manifest archives when extracted")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
-	cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, cacheutil.Options{
-		OnClientCreated: func(client *redis.Client) {
-			redisClient = client
-		},
+	cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
+		redisClient = client
 	})
 	return &command
 }

cmd/argocd-server/commands/argocd_server.go

@@ -19,10 +19,8 @@ import (
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
-	reposervercache "github.com/argoproj/argo-cd/v2/reposerver/cache"
 	"github.com/argoproj/argo-cd/v2/server"
 	servercache "github.com/argoproj/argo-cd/v2/server/cache"
-	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
 	"github.com/argoproj/argo-cd/v2/util/cli"
 	"github.com/argoproj/argo-cd/v2/util/dex"
 	"github.com/argoproj/argo-cd/v2/util/env"
@@ -68,7 +66,6 @@ func NewCommand() *cobra.Command {
 		enableGZip               bool
 		tlsConfigCustomizerSrc   func() (tls.ConfigCustomizer, error)
 		cacheSrc                 func() (*servercache.Cache, error)
-		repoServerCacheSrc       func() (*reposervercache.Cache, error)
 		frameOptions             string
 		contentSecurityPolicy    string
 		repoServerPlaintext      bool
@@ -110,8 +107,6 @@ func NewCommand() *cobra.Command {
 			errors.CheckError(err)
 			cache, err := cacheSrc()
 			errors.CheckError(err)
-			repoServerCache, err := repoServerCacheSrc()
-			errors.CheckError(err)
 
 			kubeclientset := kubernetes.NewForConfigOrDie(config)
 
@@ -196,7 +191,6 @@ func NewCommand() *cobra.Command {
 				EnableGZip:            enableGZip,
 				TLSConfigCustomizer:   tlsConfigCustomizer,
 				Cache:                 cache,
-				RepoServerCache:       repoServerCache,
 				XFrameOptions:         frameOptions,
 				ContentSecurityPolicy: contentSecurityPolicy,
 				RedisClient:           redisClient,
@@ -269,11 +263,8 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringSliceVar(&applicationNamespaces, "application-namespaces", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES", []string{}, ","), "List of additional namespaces where application resources can be managed in")
 	command.Flags().BoolVar(&enableProxyExtension, "enable-proxy-extension", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_PROXY_EXTENSION", false), "Enable Proxy Extension feature")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(command)
-	cacheSrc = servercache.AddCacheFlagsToCmd(command, cacheutil.Options{
-		OnClientCreated: func(client *redis.Client) {
-			redisClient = client
-		},
+	cacheSrc = servercache.AddCacheFlagsToCmd(command, func(client *redis.Client) {
+		redisClient = client
 	})
-	repoServerCacheSrc = reposervercache.AddCacheFlagsToCmd(command, cacheutil.Options{FlagPrefix: "repo-server-"})
 	return command
 }

cmd/argocd/commands/admin/cluster.go

@@ -26,6 +26,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/controller/sharding"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/v2/util/argo"
 	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
@@ -71,7 +72,7 @@ argocd admin cluster namespaces my-cluster `,
 }
 
 type ClusterWithInfo struct {
-	v1alpha1.Cluster
+	argoappv1.Cluster
 	// Shard holds controller shard number that handles the cluster
 	Shard int
 	// Namespaces holds list of namespaces managed by Argo CD in the cluster
@@ -625,16 +626,15 @@ func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command
 			errors.CheckError(err)
 			kubeClientset := fake.NewSimpleClientset()
 
-			var awsAuthConf *v1alpha1.AWSAuthConfig
-			var execProviderConf *v1alpha1.ExecProviderConfig
+			var awsAuthConf *argoappv1.AWSAuthConfig
+			var execProviderConf *argoappv1.ExecProviderConfig
 			if clusterOpts.AwsClusterName != "" {
-				awsAuthConf = &v1alpha1.AWSAuthConfig{
+				awsAuthConf = &argoappv1.AWSAuthConfig{
 					ClusterName: clusterOpts.AwsClusterName,
 					RoleARN:     clusterOpts.AwsRoleArn,
-					Profile:     clusterOpts.AwsProfile,
 				}
 			} else if clusterOpts.ExecProviderCommand != "" {
-				execProviderConf = &v1alpha1.ExecProviderConfig{
+				execProviderConf = &argoappv1.ExecProviderConfig{
 					Command:     clusterOpts.ExecProviderCommand,
 					Args:        clusterOpts.ExecProviderArgs,
 					Env:         clusterOpts.ExecProviderEnv,
@@ -658,7 +658,7 @@ func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command
 
 			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, clusterOpts.ClusterResources, conf, bearerToken, awsAuthConf, execProviderConf, labelsMap, annotationsMap)
 			if clusterOpts.InClusterEndpoint() {
-				clst.Server = v1alpha1.KubernetesInternalAPIServerAddr
+				clst.Server = argoappv1.KubernetesInternalAPIServerAddr
 			}
 			if clusterOpts.ClusterEndpoint == string(cmdutil.KubePublicEndpoint) {
 				// Ignore `kube-public` cluster endpoints, since this command is intended to run without invoking any network connections.

cmd/argocd/commands/app.go

@@ -1625,7 +1625,7 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 				list, err := appIf.List(ctx, &application.ApplicationQuery{Selector: pointer.String(selector)})
 				errors.CheckError(err)
 				for _, i := range list.Items {
-					appNames = append(appNames, i.QualifiedName())
+					appNames = append(appNames, i.Name)
 				}
 			}
 			for _, appName := range appNames {
@@ -1996,7 +1996,7 @@ func getAppNamesBySelector(ctx context.Context, appIf application.ApplicationSer
 			return []string{}, fmt.Errorf("no apps match selector %v", selector)
 		}
 		for _, i := range list.Items {
-			appNames = append(appNames, i.QualifiedName())
+			appNames = append(appNames, i.Name)
 		}
 	}
 	return appNames, nil

cmd/argocd/commands/cluster.go

@@ -111,7 +111,6 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 				awsAuthConf = &argoappv1.AWSAuthConfig{
 					ClusterName: clusterOpts.AwsClusterName,
 					RoleARN:     clusterOpts.AwsRoleArn,
-					Profile:     clusterOpts.AwsProfile,
 				}
 			} else if clusterOpts.ExecProviderCommand != "" {
 				execProviderConf = &argoappv1.ExecProviderConfig{

cmd/argocd/commands/headless/headless.go

@@ -78,12 +78,6 @@ func (c *forwardCacheClient) Set(item *cache.Item) error {
 	})
 }
 
-func (c *forwardCacheClient) Rename(oldKey string, newKey string, expiration time.Duration) error {
-	return c.doLazy(func(client cache.CacheClient) error {
-		return client.Rename(oldKey, newKey, expiration)
-	})
-}
-
 func (c *forwardCacheClient) Get(key string, obj interface{}) error {
 	return c.doLazy(func(client cache.CacheClient) error {
 		return client.Get(key, obj)

cmd/argocd/commands/repo.go

@@ -64,12 +64,6 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
   # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
   argocd repo add ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
 
-  # Add a Git repository via SSH using socks5 proxy with no proxy credentials
-  argocd repo add ssh://git@github.com/argoproj/argocd-example-apps --ssh-private-key-path ~/id_rsa --proxy socks5://your.proxy.server.ip:1080
-
-  # Add a Git repository via SSH using socks5 proxy with proxy credentials
-  argocd repo add ssh://git@github.com/argoproj/argocd-example-apps --ssh-private-key-path ~/id_rsa --proxy socks5://username:password@your.proxy.server.ip:1080
-
   # Add a private Git repository via HTTPS using username/password and TLS client certificates:
   argocd repo add https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
 

cmd/util/cluster.go

@@ -144,7 +144,6 @@ type ClusterOptions struct {
 	Upsert                  bool
 	ServiceAccount          string
 	AwsRoleArn              string
-	AwsProfile              string
 	AwsClusterName          string
 	SystemNamespace         string
 	Namespaces              []string
@@ -170,7 +169,6 @@ func AddClusterFlags(command *cobra.Command, opts *ClusterOptions) {
 	command.Flags().BoolVar(&opts.InCluster, "in-cluster", false, "Indicates Argo CD resides inside this cluster and should connect using the internal k8s hostname (kubernetes.default.svc)")
 	command.Flags().StringVar(&opts.AwsClusterName, "aws-cluster-name", "", "AWS Cluster name if set then aws cli eks token command will be used to access cluster")
 	command.Flags().StringVar(&opts.AwsRoleArn, "aws-role-arn", "", "Optional AWS role arn. If set then AWS IAM Authenticator assumes a role to perform cluster operations instead of the default AWS credential provider chain.")
-	command.Flags().StringVar(&opts.AwsProfile, "aws-profile", "", "Optional AWS profile. If set then AWS IAM Authenticator uses this profile to perform cluster operations instead of the default AWS credential provider chain.")
 	command.Flags().StringArrayVar(&opts.Namespaces, "namespace", nil, "List of namespaces which are allowed to manage")
 	command.Flags().BoolVar(&opts.ClusterResources, "cluster-resources", false, "Indicates if cluster level resources should be managed. The setting is used only if list of managed namespaces is not empty.")
 	command.Flags().StringVar(&opts.Name, "name", "", "Overwrite the cluster name")

controller/appcontroller.go

@@ -48,6 +48,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/controller/sharding"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argov1alpha "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/v2/pkg/client/informers/externalversions/application/v1alpha1"
 	applisters "github.com/argoproj/argo-cd/v2/pkg/client/listers/application/v1alpha1"
@@ -113,6 +114,7 @@ type ApplicationController struct {
 	appInformer                   cache.SharedIndexInformer
 	appLister                     applisters.ApplicationLister
 	projInformer                  cache.SharedIndexInformer
+	deploymentInformer            informerv1.DeploymentInformer
 	appStateManager               AppStateManager
 	stateCache                    statecache.LiveStateCache
 	statusRefreshTimeout          time.Duration
@@ -129,10 +131,6 @@ type ApplicationController struct {
 	clusterSharding               sharding.ClusterShardingCache
 	projByNameCache               sync.Map
 	applicationNamespaces         []string
-
-	// dynamicClusterDistributionEnabled if disabled deploymentInformer is never initialized
-	dynamicClusterDistributionEnabled bool
-	deploymentInformer                informerv1.DeploymentInformer
 }
 
 // NewApplicationController creates new instance of ApplicationController.
@@ -158,7 +156,6 @@ func NewApplicationController(
 	applicationNamespaces []string,
 	rateLimiterConfig *ratelimiter.AppControllerRateLimiterConfig,
 	serverSideDiff bool,
-	dynamicClusterDistributionEnabled bool,
 ) (*ApplicationController, error) {
 	log.Infof("appResyncPeriod=%v, appHardResyncPeriod=%v, appResyncJitter=%v", appResyncPeriod, appHardResyncPeriod, appResyncJitter)
 	db := db.NewDB(namespace, settingsMgr, kubeClientset)
@@ -167,29 +164,28 @@ func NewApplicationController(
 		log.Info("Using default workqueue rate limiter config")
 	}
 	ctrl := ApplicationController{
-		cache:                             argoCache,
-		namespace:                         namespace,
-		kubeClientset:                     kubeClientset,
-		kubectl:                           kubectl,
-		applicationClientset:              applicationClientset,
-		repoClientset:                     repoClientset,
-		appRefreshQueue:                   workqueue.NewNamedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), "app_reconciliation_queue"),
-		appOperationQueue:                 workqueue.NewNamedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), "app_operation_processing_queue"),
-		projectRefreshQueue:               workqueue.NewNamedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), "project_reconciliation_queue"),
-		appComparisonTypeRefreshQueue:     workqueue.NewRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig)),
-		db:                                db,
-		statusRefreshTimeout:              appResyncPeriod,
-		statusHardRefreshTimeout:          appHardResyncPeriod,
-		statusRefreshJitter:               appResyncJitter,
-		refreshRequestedApps:              make(map[string]CompareWith),
-		refreshRequestedAppsMutex:         &sync.Mutex{},
-		auditLogger:                       argo.NewAuditLogger(namespace, kubeClientset, common.ApplicationController),
-		settingsMgr:                       settingsMgr,
-		selfHealTimeout:                   selfHealTimeout,
-		clusterSharding:                   clusterSharding,
-		projByNameCache:                   sync.Map{},
-		applicationNamespaces:             applicationNamespaces,
-		dynamicClusterDistributionEnabled: dynamicClusterDistributionEnabled,
+		cache:                         argoCache,
+		namespace:                     namespace,
+		kubeClientset:                 kubeClientset,
+		kubectl:                       kubectl,
+		applicationClientset:          applicationClientset,
+		repoClientset:                 repoClientset,
+		appRefreshQueue:               workqueue.NewNamedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), "app_reconciliation_queue"),
+		appOperationQueue:             workqueue.NewNamedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), "app_operation_processing_queue"),
+		projectRefreshQueue:           workqueue.NewNamedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), "project_reconciliation_queue"),
+		appComparisonTypeRefreshQueue: workqueue.NewRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig)),
+		db:                            db,
+		statusRefreshTimeout:          appResyncPeriod,
+		statusHardRefreshTimeout:      appHardResyncPeriod,
+		statusRefreshJitter:           appResyncJitter,
+		refreshRequestedApps:          make(map[string]CompareWith),
+		refreshRequestedAppsMutex:     &sync.Mutex{},
+		auditLogger:                   argo.NewAuditLogger(namespace, kubeClientset, common.ApplicationController),
+		settingsMgr:                   settingsMgr,
+		selfHealTimeout:               selfHealTimeout,
+		clusterSharding:               clusterSharding,
+		projByNameCache:               sync.Map{},
+		applicationNamespaces:         applicationNamespaces,
 	}
 	if kubectlParallelismLimit > 0 {
 		ctrl.kubectlSemaphore = semaphore.NewWeighted(kubectlParallelismLimit)
@@ -232,33 +228,25 @@ func NewApplicationController(
 	}
 
 	factory := informers.NewSharedInformerFactoryWithOptions(ctrl.kubeClientset, defaultDeploymentInformerResyncDuration, informers.WithNamespace(settingsMgr.GetNamespace()))
-
-	var deploymentInformer informerv1.DeploymentInformer
-
-	// only initialize deployment informer if dynamic distribution is enabled
-	if dynamicClusterDistributionEnabled {
-		deploymentInformer = factory.Apps().V1().Deployments()
-	}
+	deploymentInformer := factory.Apps().V1().Deployments()
 
 	readinessHealthCheck := func(r *http.Request) error {
-		if dynamicClusterDistributionEnabled {
-			applicationControllerName := env.StringFromEnv(common.EnvAppControllerName, common.DefaultApplicationControllerName)
-			appControllerDeployment, err := deploymentInformer.Lister().Deployments(settingsMgr.GetNamespace()).Get(applicationControllerName)
-			if err != nil {
-				if kubeerrors.IsNotFound(err) {
-					appControllerDeployment = nil
-				} else {
-					return fmt.Errorf("error retrieving Application Controller Deployment: %s", err)
-				}
+		applicationControllerName := env.StringFromEnv(common.EnvAppControllerName, common.DefaultApplicationControllerName)
+		appControllerDeployment, err := deploymentInformer.Lister().Deployments(settingsMgr.GetNamespace()).Get(applicationControllerName)
+		if err != nil {
+			if kubeerrors.IsNotFound(err) {
+				appControllerDeployment = nil
+			} else {
+				return fmt.Errorf("error retrieving Application Controller Deployment: %s", err)
 			}
-			if appControllerDeployment != nil {
-				if appControllerDeployment.Spec.Replicas != nil && int(*appControllerDeployment.Spec.Replicas) <= 0 {
-					return fmt.Errorf("application controller deployment replicas is not set or is less than 0, replicas: %d", appControllerDeployment.Spec.Replicas)
-				}
-				shard := env.ParseNumFromEnv(common.EnvControllerShard, -1, -math.MaxInt32, math.MaxInt32)
-				if _, err := sharding.GetOrUpdateShardFromConfigMap(kubeClientset.(*kubernetes.Clientset), settingsMgr, int(*appControllerDeployment.Spec.Replicas), shard); err != nil {
-					return fmt.Errorf("error while updating the heartbeat for to the Shard Mapping ConfigMap: %s", err)
-				}
+		}
+		if appControllerDeployment != nil {
+			if appControllerDeployment.Spec.Replicas != nil && int(*appControllerDeployment.Spec.Replicas) <= 0 {
+				return fmt.Errorf("application controller deployment replicas is not set or is less than 0, replicas: %d", appControllerDeployment.Spec.Replicas)
+			}
+			shard := env.ParseNumFromEnv(common.EnvControllerShard, -1, -math.MaxInt32, math.MaxInt32)
+			if _, err := sharding.GetOrUpdateShardFromConfigMap(kubeClientset.(*kubernetes.Clientset), settingsMgr, int(*appControllerDeployment.Spec.Replicas), shard); err != nil {
+				return fmt.Errorf("error while updating the heartbeat for to the Shard Mapping ConfigMap: %s", err)
 			}
 		}
 		return nil
@@ -786,11 +774,7 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int
 
 	go ctrl.appInformer.Run(ctx.Done())
 	go ctrl.projInformer.Run(ctx.Done())
-
-	if ctrl.dynamicClusterDistributionEnabled {
-		// only start deployment informer if dynamic distribution is enabled
-		go ctrl.deploymentInformer.Informer().Run(ctx.Done())
-	}
+	go ctrl.deploymentInformer.Informer().Run(ctx.Done())
 
 	clusters, err := ctrl.db.ListClusters(ctx)
 	if err != nil {
@@ -1050,7 +1034,7 @@ func (ctrl *ApplicationController) getPermittedAppLiveObjects(app *appv1.Applica
 	return objsMap, nil
 }
 
-func (ctrl *ApplicationController) isValidDestination(app *appv1.Application) (bool, *appv1.Cluster) {
+func (ctrl *ApplicationController) isValidDestination(app *appv1.Application) (bool, *argov1alpha.Cluster) {
 	// Validate the cluster using the Application destination's `name` field, if applicable,
 	// and set the Server field, if needed.
 	if err := argo.ValidateDestination(context.Background(), &app.Spec.Destination, ctrl.db); err != nil {
@@ -2223,4 +2207,4 @@ func (ctrl *ApplicationController) toAppQualifiedName(appName, appNamespace stri
 	return fmt.Sprintf("%s/%s", appNamespace, appName)
 }
 
-type ClusterFilterFunction func(c *appv1.Cluster, distributionFunction sharding.DistributionFunction) bool
+type ClusterFilterFunction func(c *argov1alpha.Cluster, distributionFunction sharding.DistributionFunction) bool

controller/appcontroller_test.go

@@ -157,7 +157,6 @@ func newFakeController(data *fakeData, repoErr error) *ApplicationController {
 		nil,
 
 		false,
-		false,
 	)
 	db := &dbmocks.ArgoDB{}
 	db.On("GetApplicationControllerReplicas").Return(1)

controller/state.go

@@ -880,16 +880,7 @@ func useDiffCache(noCache bool, manifestInfos []*apiclient.ManifestResponse, sou
 	return true
 }
 
-func (m *appStateManager) persistRevisionHistory(
-	app *v1alpha1.Application,
-	revision string,
-	source v1alpha1.ApplicationSource,
-	revisions []string,
-	sources []v1alpha1.ApplicationSource,
-	hasMultipleSources bool,
-	startedAt metav1.Time,
-	initiatedBy v1alpha1.OperationInitiator,
-) error {
+func (m *appStateManager) persistRevisionHistory(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, revisions []string, sources []v1alpha1.ApplicationSource, hasMultipleSources bool, startedAt metav1.Time) error {
 	var nextID int64
 	if len(app.Status.History) > 0 {
 		nextID = app.Status.History.LastRevisionHistory().ID + 1
@@ -902,7 +893,6 @@ func (m *appStateManager) persistRevisionHistory(
 			ID:              nextID,
 			Sources:         sources,
 			Revisions:       revisions,
-			InitiatedBy:     initiatedBy,
 		})
 	} else {
 		app.Status.History = append(app.Status.History, v1alpha1.RevisionHistory{
@@ -911,7 +901,6 @@ func (m *appStateManager) persistRevisionHistory(
 			DeployStartedAt: &startedAt,
 			ID:              nextID,
 			Source:          source,
-			InitiatedBy:     initiatedBy,
 		})
 	}
 

controller/state_test.go

@@ -23,7 +23,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 
 	"github.com/argoproj/argo-cd/v2/common"
-	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/v2/test"
@@ -839,7 +838,7 @@ func Test_appStateManager_persistRevisionHistory(t *testing.T) {
 		app.Spec.RevisionHistoryLimit = &i
 	}
 	addHistory := func() {
-		err := manager.persistRevisionHistory(app, "my-revision", argoappv1.ApplicationSource{}, []string{}, []argoappv1.ApplicationSource{}, false, metav1.Time{}, v1alpha1.OperationInitiator{})
+		err := manager.persistRevisionHistory(app, "my-revision", argoappv1.ApplicationSource{}, []string{}, []argoappv1.ApplicationSource{}, false, metav1.Time{})
 		assert.NoError(t, err)
 	}
 	addHistory()
@@ -875,7 +874,7 @@ func Test_appStateManager_persistRevisionHistory(t *testing.T) {
 	assert.Len(t, app.Status.History, 9)
 
 	metav1NowTime := metav1.NewTime(time.Now())
-	err := manager.persistRevisionHistory(app, "my-revision", argoappv1.ApplicationSource{}, []string{}, []argoappv1.ApplicationSource{}, false, metav1NowTime, v1alpha1.OperationInitiator{})
+	err := manager.persistRevisionHistory(app, "my-revision", argoappv1.ApplicationSource{}, []string{}, []argoappv1.ApplicationSource{}, false, metav1NowTime)
 	assert.NoError(t, err)
 	assert.Equal(t, app.Status.History.LastRevisionHistory().DeployStartedAt, &metav1NowTime)
 }

controller/sync.go

@@ -103,7 +103,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 	if syncOp.SyncOptions.HasOption("FailOnSharedResource=true") &&
 		hasSharedResource {
 		state.Phase = common.OperationFailed
-		state.Message = fmt.Sprintf("Shared resource found: %s", sharedResourceMessage)
+		state.Message = fmt.Sprintf("Shared resouce found: %s", sharedResourceMessage)
 		return
 	}
 
@@ -391,7 +391,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 	logEntry.WithField("duration", time.Since(start)).Info("sync/terminate complete")
 
 	if !syncOp.DryRun && len(syncOp.Resources) == 0 && state.Phase.Successful() {
-		err := m.persistRevisionHistory(app, compareResult.syncStatus.Revision, source, compareResult.syncStatus.Revisions, compareResult.syncStatus.ComparedTo.Sources, app.Spec.HasMultipleSources(), state.StartedAt, state.Operation.InitiatedBy)
+		err := m.persistRevisionHistory(app, compareResult.syncStatus.Revision, source, compareResult.syncStatus.Revisions, compareResult.syncStatus.ComparedTo.Sources, app.Spec.HasMultipleSources(), state.StartedAt)
 		if err != nil {
 			state.Phase = common.OperationError
 			state.Message = fmt.Sprintf("failed to record sync to history: %v", err)

docs/cli_installation.md

@@ -37,17 +37,6 @@ sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
 rm argocd-linux-amd64
 ```
 
-#### Download latest stable version
-
-You can download the latest stable release by executing below steps:
-
-```bash
-VERSION=$(curl -L -s https://raw.githubusercontent.com/argoproj/argo-cd/stable/VERSION)
-curl -sSL -o argocd-linux-amd64 https://github.com/argoproj/argo-cd/releases/download/v$VERSION/argocd-linux-amd64
-sudo install -m 555 argocd-linux-amd64 /usr/local/bin/argocd
-rm argocd-linux-amd64
-```
-
 You should now be able to run `argocd` commands.
 
 

docs/developer-guide/architecture/components.md

@@ -71,7 +71,7 @@ and the CLI functionalities.
 ### Application Controller
 
 The Application Controller is responsible for reconciling the
-Application resource in Kubernetes synchronizing the desired
+Application resource in Kubernetes syncronizing the desired
 application state (provided in Git) with the live state (in
 Kubernetes). The Application Controller is also responsible for
 reconciling the Project resource.

docs/developer-guide/contributors-quickstart.md

@@ -9,8 +9,6 @@ and the [toolchain guide](toolchain-guide.md).
 
 ### Install Go
 
-<https://go.dev/doc/install/>
-
 Install version 1.18 or newer (Verify version by running `go version`)
 
 ### Clone the Argo CD repo
@@ -25,29 +23,16 @@ git clone https://github.com/argoproj/argo-cd.git
 
 <https://docs.docker.com/engine/install/>
 
-### Install or Upgrade a Tool for Running Local Clusters (e.g. kind or minikube)
-
-#### Installation guide for kind:
+### Install or Upgrade `kind` (Optional - Should work with any local cluster)
 
 <https://kind.sigs.k8s.io/docs/user/quick-start/>
 
-#### Installation guide for minikube:
-
-<https://minikube.sigs.k8s.io/docs/start/>
-
 ### Start Your Local Cluster
 
-For example, if you are using kind:
 ```shell
 kind create cluster
 ```
 
-Or, if you are using minikube:
-
-```shell
-minikube start
-```
-
 ### Install Argo CD
 
 ```shell

docs/developer-guide/site.md

@@ -7,14 +7,20 @@ The website is built using `mkdocs` and `mkdocs-material`.
 To test:
 
 ```bash
-make build-docs
 make serve-docs
 ```
+
 Once running, you can view your locally built documentation at [http://0.0.0.0:8000/](http://0.0.0.0:8000/). 
 
+## Deploying
+
+```bash
+make publish-docs
+```
+
 ## Analytics
 
 !!! tip
     Don't forget to disable your ad-blocker when testing.
 
-We collect [Google Analytics](https://analytics.google.com/analytics/web/#/report-home/a105170809w198079555p192782995).
+We collect [Google Analytics](https://analytics.google.com/analytics/web/#/report-home/a105170809w198079555p192782995).

docs/developer-guide/toolchain-guide.md

@@ -304,7 +304,7 @@ For installing the tools required to build and test Argo CD on your local system
 You can change the target location by setting the `BIN` environment before running the installer scripts. For example, you can install the binaries into `~/go/bin` (which should then be the first component in your `PATH` environment, i.e. `export PATH=~/go/bin:$PATH`):
 
 ```shell
-BIN=~/go/bin make install-tools-local
+make BIN=~/go/bin install-tools-local
 ```
 
 Additionally, you have to install at least the following tools via your OS's package manager (this list might not be always up-to-date):

docs/getting_started.md

@@ -22,8 +22,12 @@ This will create a new namespace, `argocd`, where Argo CD services and applicati
     The installation manifests include `ClusterRoleBinding` resources that reference `argocd` namespace. If you are installing Argo CD into a different
     namespace then make sure to update the namespace reference.
 
-!!! tip
-    If you are not interested in UI, SSO, and multi-cluster features, then you can install only the [core](operator-manual/core/#installing) Argo CD components.
+If you are not interested in UI, SSO, multi-cluster features then you can install [core](operator-manual/installation.md#core) Argo CD components only:
+
+```bash
+kubectl create namespace argocd
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/core-install.yaml
+```
 
 This default installation will have a self-signed certificate and cannot be accessed without a bit of extra work.
 Do one of:

docs/operator-manual/application.yaml

@@ -119,7 +119,7 @@ spec:
         extVars:
         - name: foo
           value: bar
-          # You can use "code" to determine if the value is either string (false, the default) or Jsonnet code (if code is true).
+          # You can use "code to determine if the value is either string (false, the default) or Jsonnet code (if code is true).
         - code: true
           name: baz
           value: "true"

docs/operator-manual/applicationset/GoTemplate.md

@@ -12,7 +12,7 @@ An additional `normalize` function makes any string parameter usable as a valid
 with hyphens and truncating at 253 characters. This is useful when making parameters safe for things like Application
 names.
 
-Another `slugify` function has been added which, by default, sanitizes and smart truncates (it doesn't cut a word into 2). This function accepts a couple of arguments:
+Another function has `slugify` function has been added which, by default, sanitizes and smart truncate (means doesn't cut a word into 2). This function accepts a couple of arguments:
 - The first argument (if provided) is an integer specifying the maximum length of the slug.
 - The second argument (if provided) is a boolean indicating whether smart truncation is enabled.
 - The last argument (if provided) is the input name that needs to be slugified.
@@ -206,8 +206,6 @@ ApplicationSet controller provides:
   1. contains no more than 253 characters
   2. contains only lowercase alphanumeric characters, '-' or '.'
   3. starts and ends with an alphanumeric character
-
-- `slugify`: sanitizes like `normalize` and smart truncates (it doesn't cut a word into 2) like described in the [introduction](#introduction) section.
 - `toYaml` / `fromYaml` / `fromYamlArray` helm like functions
 
 

docs/operator-manual/applicationset/Template.md

@@ -85,7 +85,7 @@ spec:
         spec:
           project: "default"
           source:
-            targetRevision: HEAD
+            revision: HEAD
             repoURL: https://github.com/argoproj/argo-cd.git
             # New path value is generated here:
             path: 'applicationset/examples/template-override/{{cluster}}-override'

docs/operator-manual/argocd-cm.yaml

@@ -308,10 +308,8 @@ data:
   # have either a permanent banner or a regular closeable banner, and NOT both. eg. A user can't dismiss a
   # notification message (closeable) banner, to then immediately see a permanent banner.
   # ui.bannerpermanent: "true"
-  # An option to specify the position of the banner, either the top or bottom of the page, or both. The valid values 
-  # are: "top", "bottom" and "both".  The default (if the option is not provided), is "top". If "both" is specified, then 
-  # the content appears both at the top and the bottom of the page. Uncomment the following line to make the banner appear 
-  # at the bottom of the page. Change the value as needed.
+  # An option to specify the position of the banner, either the top or bottom of the page. The default is at the top.
+  # Uncomment to make the banner appear at the bottom of the page. Any value other than "bottom" will make the banner appear at the top.
   # ui.bannerposition: "bottom"
 
   # Application reconciliation timeout is the max amount of time required to discover if a new manifests version got

docs/operator-manual/declarative-setup.md

@@ -549,7 +549,6 @@ bearerToken: string
 awsAuthConfig:
     clusterName: string
     roleARN: string
-    profile: string
 # Configure external command to supply client credentials
 # See https://godoc.org/k8s.io/client-go/tools/clientcmd/api#ExecConfig
 execProviderConfig:

docs/operator-manual/ingress.md

@@ -166,43 +166,6 @@ The argocd-server Service needs to be annotated with `projectcontour.io/upstream
 The API server should then be run with TLS disabled. Edit the `argocd-server` deployment to add the
 `--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).
 
-Contour httpproxy CRD:
-
-Using a contour httpproxy CRD allows you to use the same hostname for the GRPC and REST api.
-
-```yaml
-apiVersion: projectcontour.io/v1
-kind: HTTPProxy
-metadata:
-  name: argocd-server
-  namespace: argocd
-spec:
-  ingressClassName: contour
-  virtualhost:
-    fqdn: path.to.argocd.io
-    tls:
-      secretName: wildcard-tls
-  routes:
-    - conditions:
-        - prefix: /
-        - header:
-            name: Content-Type
-            contains: application/grpc
-      services:
-        - name: argocd-server
-          port: 80
-          protocol: h2c # allows for unencrypted http2 connections
-      timeoutPolicy:
-        response: 1h
-        idle: 600s
-        idleConnection: 600s
-    - conditions:
-        - prefix: /
-      services:
-        - name: argocd-server
-          port: 80
-```
-
 ## [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx)
 
 ### Option 1: SSL-Passthrough

docs/operator-manual/metrics.md

@@ -70,8 +70,6 @@ Scraped at the `argocd-server-metrics:8083/metrics` endpoint.
 | `argocd_redis_request_total` | counter | Number of Kubernetes requests executed during application reconciliation. |
 | `grpc_server_handled_total` | counter | Total number of RPCs completed on the server, regardless of success or failure. |
 | `grpc_server_msg_sent_total` | counter | Total number of gRPC stream messages sent by the server. |
-| `argocd_proxy_extension_request_total` | counter | Number of requests sent to the configured proxy extensions. |
-| `argocd_proxy_extension_request_duration_seconds` | histogram | Request duration in seconds between the Argo CD API server and the proxy extension backend. |
 
 ## Repo Server Metrics
 Metrics about the Repo Server.

docs/operator-manual/notifications/functions.md

@@ -48,16 +48,6 @@ Transforms given GIT URL into HTTPs format.
 
 Returns repository URL full name `(<owner>/<repoName>)`. Currently supports only Github, GitLab and Bitbucket.
 
-<hr>
-**`repo.QueryEscape(s string) string`**
-
-QueryEscape escapes the string, so it can be safely placed inside a URL
-
-Example:
-```
-/projects/{{ call .repo.QueryEscape (call .repo.FullNameByRepoURL .app.status.RepoURL) }}/merge_requests
-```
-
 <hr>
 **`repo.GetCommitMetadata(sha string) CommitMetadata`**
 

docs/operator-manual/notifications/services/alertmanager.md

@@ -43,7 +43,7 @@ You should turn off "send_resolved" or you will receive unnecessary recovery not
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.alertmanager: |
     targets:
@@ -58,7 +58,7 @@ If your alertmanager has changed the default api, you can customize "apiPath".
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.alertmanager: |
     targets:
@@ -89,7 +89,7 @@ stringData:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.alertmanager: |
     targets:
@@ -110,7 +110,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.alertmanager: |
     targets:

docs/operator-manual/notifications/services/awssqs.md

@@ -1,8 +1,8 @@
-# AWS SQS
+# AWS SQS 
 
 ## Parameters
 
-This notification service is capable of sending simple messages to AWS SQS queue.
+This notification service is capable of sending simple messages to AWS SQS queue. 
 
 * `queue` - name of the queue you are intending to send messages to. Can be overridden with target destination annotation.
 * `region` - region of the sqs queue can be provided via env variable AWS_DEFAULT_REGION
@@ -30,7 +30,7 @@ metadata:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.awssqs: |
     region: "us-east-2"
@@ -63,7 +63,7 @@ stringData:
 
 ### Minimal configuration using AWS Env variables
 
-Ensure the following list of environment variables are injected via OIDC, or another method. And assuming SQS is local to the account.
+Ensure following list of environment variables are injected via OIDC, or other method. And assuming SQS is local to the account.
 You may skip usage of secret for sensitive data and omit other parameters. (Setting parameters via ConfigMap takes precedent.)
 
 Variables:
@@ -89,7 +89,7 @@ metadata:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.awssqs: |
     queue: "myqueue"
@@ -104,16 +104,3 @@ data:
     - oncePer: obj.metadata.annotations["generation"]
 
 ```
-
-## FIFO SQS Queues
-
-FIFO queues require a [MessageGroupId](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html#SQS-SendMessage-request-MessageGroupId) to be sent along with every message, every message with a matching MessageGroupId will be processed one by one in order.
-
-To send to a FIFO SQS Queue you must include a `messageGroupId` in the template such as in the example below:
-
-```yaml
-template.deployment-ready: |
-  message: |
-    Deployment {{.obj.metadata.name}} is ready!
-  messageGroupId: {{.obj.metadata.name}}-deployment
-```

docs/operator-manual/notifications/services/email.md

@@ -20,7 +20,7 @@ The following snippet contains sample Gmail service configuration:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.email.gmail: |
     username: $email-username
@@ -36,7 +36,7 @@ Without authentication:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.email.example: |
     host: smtp.example.com
@@ -52,7 +52,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   template.app-sync-succeeded: |
     email:

docs/operator-manual/notifications/services/github.md

@@ -24,7 +24,7 @@ in `argocd-notifications-cm` ConfigMap
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.github: |
     appID: <app-id>
@@ -76,7 +76,6 @@ template.app-deployed: |
       logURL: "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
       requiredContexts: []
       autoMerge: true
-      transientEnvironment: false
     pullRequestComment:
       content: |
         Application {{.app.metadata.name}} is now running new version of deployments manifests.

docs/operator-manual/notifications/services/googlechat.md

@@ -19,7 +19,7 @@ The Google Chat notification service send message notifications to a google chat
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.googlechat: |
     webhooks:

docs/operator-manual/notifications/services/grafana.md

@@ -21,7 +21,7 @@ Available parameters :
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.grafana: |
     apiUrl: https://grafana.example.com/api

docs/operator-manual/notifications/services/mattermost.md

@@ -19,7 +19,7 @@ in `argocd-notifications-cm` ConfigMap
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.mattermost: |
     apiURL: <api-url>

docs/operator-manual/notifications/services/newrelic.md

@@ -14,7 +14,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.newrelic: |
     apiURL: <api-url>

docs/operator-manual/notifications/services/opsgenie.md

@@ -12,15 +12,14 @@ To be able to send notifications with argocd-notifications you have to create an
 8. Give your integration a name, copy the "API key" and safe it somewhere for later
 9. Make sure the checkboxes for "Create and Update Access" and "enable" are selected, disable the other checkboxes to remove unnecessary permissions
 10. Click "Safe Integration" at the bottom
-11. Check your browser for the correct server apiURL. If it is "app.opsgenie.com" then use the US/international api url `api.opsgenie.com` in the next step, otherwise use `api.eu.opsgenie.com` (European API). 
-12. You are finished with configuring Opsgenie. Now you need to configure argocd-notifications. Use the apiUrl, the team name and the apiKey to configure the Opsgenie integration in the `argocd-notifications-secret` secret.
-
+11. Check your browser for the correct server apiURL. If it is "app.opsgenie.com" then use the us/international api url `api.opsgenie.com` in the next step, otherwise use `api.eu.opsgenie.com` (european api). 
+12. You are finished with configuring opsgenie. Now you need to configure argocd-notifications. Use the apiUrl, the team name and the apiKey to configure the opsgenie integration in the `argocd-notifications-secret` secret. 
 
 ```yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.opsgenie: |
     apiUrl: <api-url>

docs/operator-manual/notifications/services/pagerduty.md

@@ -1,17 +1,17 @@
-# PagerDuty
+# Pagerduty
 
 ## Parameters
 
-The PagerDuty notification service is used to create PagerDuty incidents and requires specifying the following settings:
+The Pagerduty notification service is used to create pagerduty incidents and requires specifying the following settings:
 
-* `pagerdutyToken` - the PagerDuty auth token
+* `pagerdutyToken` - the pagerduty auth token
 * `from` - email address of a valid user associated with the account making the request.
 * `serviceID` - The ID of the resource.
 
 
 ## Example
 
-The following snippet contains sample PagerDuty service configuration:
+The following snippet contains sample Pagerduty service configuration:
 
 ```yaml
 apiVersion: v1
@@ -26,7 +26,7 @@ stringData:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.pagerduty: |
     token: $pagerdutyToken
@@ -35,13 +35,13 @@ data:
 
 ## Template
 
-[Notification templates](../templates.md) support specifying subject for PagerDuty notifications:
+[Notification templates](../templates.md) support specifying subject for pagerduty notifications:
 
 ```yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   template.rollout-aborted: |
     message: Rollout {{.rollout.metadata.name}} is aborted.
@@ -62,5 +62,5 @@ apiVersion: argoproj.io/v1alpha1
 kind: Rollout
 metadata:
   annotations:
-    notifications.argoproj.io/subscribe.on-rollout-aborted.pagerduty: "<serviceID for PagerDuty>"
+    notifications.argoproj.io/subscribe.on-rollout-aborted.pagerduty: "<serviceID for Pagerduty>"
 ```

docs/operator-manual/notifications/services/pagerduty_v2.md

@@ -28,7 +28,7 @@ stringData:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.pagerdutyv2: |
     serviceKeys:
@@ -43,7 +43,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   template.rollout-aborted: |
     message: Rollout {{.rollout.metadata.name}} is aborted.
@@ -74,5 +74,5 @@ apiVersion: argoproj.io/v1alpha1
 kind: Rollout
 metadata:
   annotations:
-    notifications.argoproj.io/subscribe.on-rollout-aborted.pagerdutyv2: "<serviceID for PagerDuty>"
+    notifications.argoproj.io/subscribe.on-rollout-aborted.pagerdutyv2: "<serviceID for Pagerduty>"
 ```

docs/operator-manual/notifications/services/pushover.md

@@ -1,13 +1,13 @@
 # Pushover
 
 1. Create an app at [pushover.net](https://pushover.net/apps/build).
-2. Store the API key in `<secret-name>` Secret and define the secret name in `argocd-notifications-cm` ConfigMap:
+2. Store the API key in `<secret-name>` Secret and define the secret name in `<config-map-name>` ConfigMap:
 
 ```yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.pushover: |
     token: $pushover-token

docs/operator-manual/notifications/services/rocketchat.md

@@ -43,7 +43,7 @@ stringData:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.rocketchat: |
     email: $rocketchat-email

docs/operator-manual/notifications/services/slack.md

@@ -15,7 +15,6 @@ The Slack notification service configuration includes following settings:
 | `signingSecret`       | False        | `string`       |                 | `8f742231b10e8888abcd99yyyzzz85a5` |
 | `token`              | **True**     | `string`       | The app's OAuth access token. | `xoxb-1234567890-1234567890123-5n38u5ed63fgzqlvuyxvxcx6` |
 | `username`           | False        | `string`       | The app username. | `argocd` |
-| `disableUnfurl`      | False        | `bool`         | Disable slack unfurling links in messages | `true` |
 
 ## Configuration
 
@@ -49,7 +48,7 @@ The Slack notification service configuration includes following settings:
       apiVersion: v1
       kind: ConfigMap
       metadata:
-        name: argocd-notifications-cm
+        name: <config-map-name>
       data:
         service.slack: |
           token: $slack-token

docs/operator-manual/notifications/services/teams.md

@@ -18,7 +18,7 @@ The Teams notification service send message notifications using Teams bot and re
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.teams: |
     recipientUrls:

docs/operator-manual/notifications/services/telegram.md

@@ -2,13 +2,13 @@
 
 1. Get an API token using [@Botfather](https://t.me/Botfather).
 2. Store token in `<secret-name>` Secret and configure telegram integration
-in `argocd-notifications-cm` ConfigMap:
+in `<config-map-name>` ConfigMap:
 
 ```yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.telegram: |
     token: $telegram-token

docs/operator-manual/notifications/services/webex.md

@@ -24,7 +24,7 @@ The Webex Teams notification service configuration includes following settings:
     apiVersion: v1
     kind: ConfigMap
     metadata:
-    name: argocd-notifications-cm
+    name: <config-map-name>
     data:
     service.webex: |
         token: $webex-token

docs/operator-manual/notifications/services/webhook.md

@@ -31,7 +31,7 @@ Use the following steps to configure webhook:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.webhook.<webhook-name>: |
     url: https://<hostname>/<optional-path>
@@ -50,7 +50,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   template.github-commit-status: |
     webhook:
@@ -82,7 +82,7 @@ metadata:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.webhook.github: |
     url: https://api.github.com
@@ -97,7 +97,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.webhook.github: |
     url: https://api.github.com
@@ -128,7 +128,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.webhook.jenkins: |
     url: http://<jenkins-host>/job/<job-name>/build?token=<job-secret>
@@ -145,7 +145,7 @@ type: Opaque
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.webhook.form: |
     url: https://form.example.com
@@ -166,7 +166,7 @@ data:
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: argocd-notifications-cm
+  name: <config-map-name>
 data:
   service.webhook.slack_webhook: |
     url: https://hooks.slack.com/services/xxxxx

docs/operator-manual/notifications/triggers.md

@@ -1,7 +1,7 @@
 The trigger defines the condition when the notification should be sent. The definition includes name, condition
 and notification templates reference. The condition is a predicate expression that returns true if the notification
 should be sent. The trigger condition evaluation is powered by [antonmedv/expr](https://github.com/antonmedv/expr).
-The condition language syntax is described at [language-definition.md](https://github.com/antonmedv/expr/blob/master/docs/language-definition.md).
+The condition language syntax is described at [Language-Definition.md](https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md).
 
 The trigger is configured in the `argocd-notifications-cm` ConfigMap. For example the following trigger sends a notification
 when application sync status changes to `Unknown` using the `app-sync-status` template:
@@ -71,7 +71,7 @@ When one repo is used to sync multiple applications, the `oncePer: app.status.sy
 
 ### oncePer
 
-The `oncePer` field is supported like as follows.
+The `oncePer` filed is supported like as follows.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1

docs/operator-manual/server-commands/argocd-server.md

@@ -25,87 +25,74 @@ argocd-server [flags]
 ### Options
 
 ```
-      --address string                                  Listen on given address (default "0.0.0.0")
-      --api-content-types string                        Semicolon separated list of allowed content types for non GET api requests. Any content type is allowed if empty. (default "application/json")
-      --app-state-cache-expiration duration             Cache expiration for app state (default 1h0m0s)
-      --application-namespaces strings                  List of additional namespaces where application resources can be managed in
-      --as string                                       Username to impersonate for the operation
-      --as-group stringArray                            Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
-      --as-uid string                                   UID to impersonate for the operation
-      --basehref string                                 Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from / (default "/")
-      --certificate-authority string                    Path to a cert file for the certificate authority
-      --client-certificate string                       Path to a client certificate file for TLS
-      --client-key string                               Path to a client key file for TLS
-      --cluster string                                  The name of the kubeconfig cluster to use
-      --connection-status-cache-expiration duration     Cache expiration for cluster/repo connection status (default 1h0m0s)
-      --content-security-policy value                   Set Content-Security-Policy header in HTTP responses to value. To disable, set to "". (default "frame-ancestors 'self';")
-      --context string                                  The name of the kubeconfig context to use
-      --default-cache-expiration duration               Cache expiration default (default 24h0m0s)
-      --dex-server string                               Dex server address (default "argocd-dex-server:5556")
-      --dex-server-plaintext                            Use a plaintext client (non-TLS) to connect to dex server
-      --dex-server-strict-tls                           Perform strict validation of TLS certificates when connecting to dex server
-      --disable-auth                                    Disable client authentication
-      --disable-compression                             If true, opt-out of response compression for all requests to the server
-      --enable-gzip                                     Enable GZIP compression (default true)
-      --enable-proxy-extension                          Enable Proxy Extension feature
-      --gloglevel int                                   Set the glog logging level
-  -h, --help                                            help for argocd-server
-      --insecure                                        Run server without TLS
-      --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
-      --kubeconfig string                               Path to a kube config. Only required if out-of-cluster
-      --logformat string                                Set the logging format. One of: text|json (default "text")
-      --login-attempts-expiration duration              Cache expiration for failed login attempts (default 24h0m0s)
-      --loglevel string                                 Set the logging level. One of: debug|info|warn|error (default "info")
-      --metrics-address string                          Listen for metrics on given address (default "0.0.0.0")
-      --metrics-port int                                Start metrics on given port (default 8083)
-  -n, --namespace string                                If present, the namespace scope for this CLI request
-      --oidc-cache-expiration duration                  Cache expiration for OIDC state (default 3m0s)
-      --otlp-address string                             OpenTelemetry collector address to send traces to
-      --otlp-attrs strings                              List of OpenTelemetry collector extra attrs when send traces, each attribute is separated by a colon(e.g. key:value)
-      --otlp-headers stringToString                     List of OpenTelemetry collector extra headers sent with traces, headers are comma-separated key-value pairs(e.g. key1=value1,key2=value2) (default [])
-      --otlp-insecure                                   OpenTelemetry collector insecure mode (default true)
-      --password string                                 Password for basic authentication to the API server
-      --port int                                        Listen on given port (default 8080)
-      --proxy-url string                                If provided, this URL will be used to connect via proxy
-      --redis string                                    Redis server hostname and port (e.g. argocd-redis:6379). 
-      --redis-ca-certificate string                     Path to Redis server CA certificate (e.g. /etc/certs/redis/ca.crt). If not specified, system trusted CAs will be used for server certificate validation.
-      --redis-client-certificate string                 Path to Redis client certificate (e.g. /etc/certs/redis/client.crt).
-      --redis-client-key string                         Path to Redis client key (e.g. /etc/certs/redis/client.crt).
-      --redis-compress string                           Enable compression for data sent to Redis with the required compression algorithm. (possible values: gzip, none) (default "gzip")
-      --redis-insecure-skip-tls-verify                  Skip Redis server certificate validation.
-      --redis-use-tls                                   Use TLS when connecting to Redis. 
-      --redisdb int                                     Redis database.
-      --repo-cache-expiration duration                  Cache expiration for repo state, incl. app lists, app details, manifest generation, revision meta-data (default 24h0m0s)
-      --repo-server string                              Repo server address (default "argocd-repo-server:8081")
-      --repo-server-default-cache-expiration duration   Cache expiration default (default 24h0m0s)
-      --repo-server-plaintext                           Use a plaintext client (non-TLS) to connect to repository server
-      --repo-server-redis string                        Redis server hostname and port (e.g. argocd-redis:6379). 
-      --repo-server-redis-ca-certificate string         Path to Redis server CA certificate (e.g. /etc/certs/redis/ca.crt). If not specified, system trusted CAs will be used for server certificate validation.
-      --repo-server-redis-client-certificate string     Path to Redis client certificate (e.g. /etc/certs/redis/client.crt).
-      --repo-server-redis-client-key string             Path to Redis client key (e.g. /etc/certs/redis/client.crt).
-      --repo-server-redis-compress string               Enable compression for data sent to Redis with the required compression algorithm. (possible values: gzip, none) (default "gzip")
-      --repo-server-redis-insecure-skip-tls-verify      Skip Redis server certificate validation.
-      --repo-server-redis-use-tls                       Use TLS when connecting to Redis. 
-      --repo-server-redisdb int                         Redis database.
-      --repo-server-sentinel stringArray                Redis sentinel hostname and port (e.g. argocd-redis-ha-announce-0:6379). 
-      --repo-server-sentinelmaster string               Redis sentinel master group name. (default "master")
-      --repo-server-strict-tls                          Perform strict validation of TLS certificates when connecting to repo server
-      --repo-server-timeout-seconds int                 Repo server RPC call timeout seconds. (default 60)
-      --request-timeout string                          The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
-      --revision-cache-expiration duration              Cache expiration for cached revision (default 3m0s)
-      --rootpath string                                 Used if Argo CD is running behind reverse proxy under subpath different from /
-      --sentinel stringArray                            Redis sentinel hostname and port (e.g. argocd-redis-ha-announce-0:6379). 
-      --sentinelmaster string                           Redis sentinel master group name. (default "master")
-      --server string                                   The address and port of the Kubernetes API server
-      --staticassets string                             Directory path that contains additional static assets (default "/shared/app")
-      --tls-server-name string                          If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
-      --tlsciphers string                               The list of acceptable ciphers to be used when establishing TLS connections. Use 'list' to list available ciphers. (default "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_GCM_SHA384")
-      --tlsmaxversion string                            The maximum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.3")
-      --tlsminversion string                            The minimum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.2")
-      --token string                                    Bearer token for authentication to the API server
-      --user string                                     The name of the kubeconfig user to use
-      --username string                                 Username for basic authentication to the API server
-      --x-frame-options value                           Set X-Frame-Options header in HTTP responses to value. To disable, set to "". (default "sameorigin")
+      --address string                                Listen on given address (default "0.0.0.0")
+      --api-content-types string                      Semicolon separated list of allowed content types for non GET api requests. Any content type is allowed if empty. (default "application/json")
+      --app-state-cache-expiration duration           Cache expiration for app state (default 1h0m0s)
+      --application-namespaces strings                List of additional namespaces where application resources can be managed in
+      --as string                                     Username to impersonate for the operation
+      --as-group stringArray                          Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --as-uid string                                 UID to impersonate for the operation
+      --basehref string                               Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from / (default "/")
+      --certificate-authority string                  Path to a cert file for the certificate authority
+      --client-certificate string                     Path to a client certificate file for TLS
+      --client-key string                             Path to a client key file for TLS
+      --cluster string                                The name of the kubeconfig cluster to use
+      --connection-status-cache-expiration duration   Cache expiration for cluster/repo connection status (default 1h0m0s)
+      --content-security-policy value                 Set Content-Security-Policy header in HTTP responses to value. To disable, set to "". (default "frame-ancestors 'self';")
+      --context string                                The name of the kubeconfig context to use
+      --default-cache-expiration duration             Cache expiration default (default 24h0m0s)
+      --dex-server string                             Dex server address (default "argocd-dex-server:5556")
+      --dex-server-plaintext                          Use a plaintext client (non-TLS) to connect to dex server
+      --dex-server-strict-tls                         Perform strict validation of TLS certificates when connecting to dex server
+      --disable-auth                                  Disable client authentication
+      --disable-compression                           If true, opt-out of response compression for all requests to the server
+      --enable-gzip                                   Enable GZIP compression (default true)
+      --enable-proxy-extension                        Enable Proxy Extension feature
+      --gloglevel int                                 Set the glog logging level
+  -h, --help                                          help for argocd-server
+      --insecure                                      Run server without TLS
+      --insecure-skip-tls-verify                      If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string                             Path to a kube config. Only required if out-of-cluster
+      --logformat string                              Set the logging format. One of: text|json (default "text")
+      --login-attempts-expiration duration            Cache expiration for failed login attempts (default 24h0m0s)
+      --loglevel string                               Set the logging level. One of: debug|info|warn|error (default "info")
+      --metrics-address string                        Listen for metrics on given address (default "0.0.0.0")
+      --metrics-port int                              Start metrics on given port (default 8083)
+  -n, --namespace string                              If present, the namespace scope for this CLI request
+      --oidc-cache-expiration duration                Cache expiration for OIDC state (default 3m0s)
+      --otlp-address string                           OpenTelemetry collector address to send traces to
+      --otlp-attrs strings                            List of OpenTelemetry collector extra attrs when send traces, each attribute is separated by a colon(e.g. key:value)
+      --otlp-headers stringToString                   List of OpenTelemetry collector extra headers sent with traces, headers are comma-separated key-value pairs(e.g. key1=value1,key2=value2) (default [])
+      --otlp-insecure                                 OpenTelemetry collector insecure mode (default true)
+      --password string                               Password for basic authentication to the API server
+      --port int                                      Listen on given port (default 8080)
+      --proxy-url string                              If provided, this URL will be used to connect via proxy
+      --redis string                                  Redis server hostname and port (e.g. argocd-redis:6379). 
+      --redis-ca-certificate string                   Path to Redis server CA certificate (e.g. /etc/certs/redis/ca.crt). If not specified, system trusted CAs will be used for server certificate validation.
+      --redis-client-certificate string               Path to Redis client certificate (e.g. /etc/certs/redis/client.crt).
+      --redis-client-key string                       Path to Redis client key (e.g. /etc/certs/redis/client.crt).
+      --redis-compress string                         Enable compression for data sent to Redis with the required compression algorithm. (possible values: gzip, none) (default "gzip")
+      --redis-insecure-skip-tls-verify                Skip Redis server certificate validation.
+      --redis-use-tls                                 Use TLS when connecting to Redis. 
+      --redisdb int                                   Redis database.
+      --repo-server string                            Repo server address (default "argocd-repo-server:8081")
+      --repo-server-plaintext                         Use a plaintext client (non-TLS) to connect to repository server
+      --repo-server-strict-tls                        Perform strict validation of TLS certificates when connecting to repo server
+      --repo-server-timeout-seconds int               Repo server RPC call timeout seconds. (default 60)
+      --request-timeout string                        The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --rootpath string                               Used if Argo CD is running behind reverse proxy under subpath different from /
+      --sentinel stringArray                          Redis sentinel hostname and port (e.g. argocd-redis-ha-announce-0:6379). 
+      --sentinelmaster string                         Redis sentinel master group name. (default "master")
+      --server string                                 The address and port of the Kubernetes API server
+      --staticassets string                           Directory path that contains additional static assets (default "/shared/app")
+      --tls-server-name string                        If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --tlsciphers string                             The list of acceptable ciphers to be used when establishing TLS connections. Use 'list' to list available ciphers. (default "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_GCM_SHA384")
+      --tlsmaxversion string                          The maximum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.3")
+      --tlsminversion string                          The minimum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.2")
+      --token string                                  Bearer token for authentication to the API server
+      --user string                                   The name of the kubeconfig user to use
+      --username string                               Username for basic authentication to the API server
+      --x-frame-options value                         Set X-Frame-Options header in HTTP responses to value. To disable, set to "". (default "sameorigin")
 ```
 
 ### SEE ALSO

docs/operator-manual/signed-release-assets.md

@@ -92,7 +92,7 @@ The attestation payload contains a non-forgeable provenance which is base64 enco
 ```bash
 slsa-verifier verify-image "$IMAGE" \
     --source-uri github.com/argoproj/argo-cd \
-    --source-tag v2.7.0 \
+    --source-tag v2.7.0
     --print-provenance | jq
 ```
 

docs/operator-manual/tested-kubernetes-versions.md

@@ -1,6 +1,5 @@
 | Argo CD version | Kubernetes versions |
 |-----------------|---------------------|
-| 2.7 | v1.26, v1.25, v1.24, v1.23 |
-| 2.6 | v1.24, v1.23, v1.22 |
-| 2.5 | v1.24, v1.23, v1.22 |
-
+| 2.10 | v1.28, v1.27, v1.26, v1.25 |
+| 2.9 | v1.28, v1.27, v1.26, v1.25 |
+| 2.8 | v1.27, v1.26, v1.25, v1.24 |

docs/operator-manual/upgrading/2.10-2.11.md

@@ -1,5 +0,0 @@
-# v2.10 to 2.11
-
-## initiatedBy added in Application CRD
-
-In order to address [argoproj/argo-cd#16612](https://github.com/argoproj/argo-cd/issues/16612), initiatedBy has been added in the Application CRD.

docs/operator-manual/user-management/microsoft.md

@@ -1,16 +1,13 @@
 # Microsoft
 
-!!! note ""
-    Entra ID was formerly known as Azure AD.
+* [Azure AD SAML Enterprise App Auth using Dex](#azure-ad-saml-enterprise-app-auth-using-dex)
+* [Azure AD App Registration Auth using OIDC](#azure-ad-app-registration-auth-using-oidc)
+* [Azure AD App Registration Auth using Dex](#azure-ad-app-registration-auth-using-dex)
 
-* [Entra ID SAML Enterprise App Auth using Dex](#entra-id-saml-enterprise-app-auth-using-dex)
-* [Entra ID App Registration Auth using OIDC](#entra-id-app-registration-auth-using-oidc)
-* [Entra ID App Registration Auth using Dex](#entra-id-app-registration-auth-using-dex)
+## Azure AD SAML Enterprise App Auth using Dex
+### Configure a new Azure AD Enterprise App
 
-## Entra ID SAML Enterprise App Auth using Dex
-### Configure a new Entra ID Enterprise App
-
-1. From the `Microsoft Entra ID` > `Enterprise applications` menu, choose `+ New application`
+1. From the `Azure Active Directory` > `Enterprise applications` menu, choose `+ New application`
 2. Select `Non-gallery application`
 3. Enter a `Name` for the application (e.g. `Argo CD`), then choose `Add`
 4. Once the application is created, open it from the `Enterprise applications` menu.
@@ -34,9 +31,9 @@
       - *Keep a copy of the encoded output to be used in the next section.*
 9. From the `Single sign-on` menu, copy the `Login URL` parameter, to be used in the next section.
 
-### Configure Argo to use the new Entra ID Enterprise App
+### Configure Argo to use the new Azure AD Enterprise App
 
-1. Edit `argocd-cm` and add the following `dex.config` to the data section, replacing the `caData`, `my-argo-cd-url` and `my-login-url` your values from the Entra ID App:
+1. Edit `argocd-cm` and add the following `dex.config` to the data section, replacing the `caData`, `my-argo-cd-url` and `my-login-url` your values from the Azure AD App:
 
             data:
               url: https://my-argo-cd-url
@@ -59,7 +56,7 @@
                     groupsAttr: Group
 
 2. Edit `argocd-rbac-cm` to configure permissions, similar to example below.
-      - Use Entra ID `Group IDs` for assigning roles.
+      - Use Azure AD `Group IDs` for assigning roles.
       - See [RBAC Configurations](../rbac.md) for more detailed scenarios.
 
             # example policy
@@ -73,11 +70,11 @@
                p, role:org-admin, repositories, delete, *, allow
                g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin # (azure group assigned to role)
 
-## Entra ID App Registration Auth using OIDC
-### Configure a new Entra ID App registration
-#### Add a new Entra ID App registration
+## Azure AD App Registration Auth using OIDC
+### Configure a new Azure AD App registration
+#### Add a new Azure AD App registration
 
-1. From the `Microsoft Entra ID` > `App registrations` menu, choose `+ New registration`
+1. From the `Azure Active Directory` > `App registrations` menu, choose `+ New registration`
 2. Enter a `Name` for the application (e.g. `Argo CD`).
 3. Specify who can use the application (e.g. `Accounts in this organizational directory only`).
 4. Enter Redirect URI (optional) as follows (replacing `my-argo-cd-url` with your Argo URL), then choose `Add`.
@@ -95,29 +92,29 @@
       - **Redirect URI:** `http://localhost:8085/auth/callback`
       ![Azure App registration's Authentication](../../assets/azure-app-registration-authentication.png "Azure App registration's Authentication")
 
-#### Add credentials a new Entra ID App registration
+#### Add credentials a new Azure AD App registration
 
 1. From the `Certificates & secrets` menu, choose `+ New client secret`
 2. Enter a `Name` for the secret (e.g. `ArgoCD-SSO`).
       - Make sure to copy and save generated value. This is a value for the `client_secret`.
       ![Azure App registration's Secret](../../assets/azure-app-registration-secret.png "Azure App registration's Secret")
 
-#### Setup permissions for Entra ID Application
+#### Setup permissions for Azure AD Application
 
 1. From the `API permissions` menu, choose `+ Add a permission`
 2. Find `User.Read` permission (under `Microsoft Graph`) and grant it to the created application:
-   ![Entra ID API permissions](../../assets/azure-api-permissions.png "Entra ID API permissions")
+   ![Azure AD API permissions](../../assets/azure-api-permissions.png "Azure AD API permissions")
 3. From the `Token Configuration` menu, choose `+ Add groups claim`
-   ![Entra ID token configuration](../../assets/azure-token-configuration.png "Entra ID token configuration")
+   ![Azure AD token configuration](../../assets/azure-token-configuration.png "Azure AD token configuration")
 
-### Associate an Entra ID group to your Entra ID App registration
+### Associate an Azure AD group to your Azure AD App registration
 
-1. From the `Microsoft Entra ID` > `Enterprise applications` menu, search the App that you created (e.g. `Argo CD`).
-      - An Enterprise application with the same name of the Entra ID App registration is created when you add a new Entra ID App registration.
+1. From the `Azure Active Directory` > `Enterprise applications` menu, search the App that you created (e.g. `Argo CD`).
+      - An Enterprise application with the same name of the Azure AD App registration is created when you add a new Azure AD App registration.
 2. From the `Users and groups` menu of the app, add any users or groups requiring access to the service.
    ![Azure Enterprise SAML Users](../../assets/azure-enterprise-users.png "Azure Enterprise SAML Users")
 
-### Configure Argo to use the new Entra ID App registration
+### Configure Argo to use the new Azure AD App registration
 
 1. Edit `argocd-cm` and configure the `data.oidc.config` and `data.url` section:
 
@@ -176,7 +173,7 @@
 
    Refer to [operator-manual/argocd-rbac-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml) for all of the available variables.
 
-## Entra ID App Registration Auth using Dex
+## Azure AD App Registration Auth using Dex
 
 Configure a new AD App Registration, as above.
 Then, add the `dex.config` to `argocd-cm`:
@@ -203,9 +200,9 @@ data:
 
 1. Open a new browser tab and enter your ArgoCD URI: https://`<my-argo-cd-url>`
    ![Azure SSO Web Log In](../../assets/azure-sso-web-log-in-via-azure.png "Azure SSO Web Log In")
-3. Click `LOGIN VIA AZURE` button to log in with your Microsoft Entra ID account. You’ll see the ArgoCD applications screen.
+3. Click `LOGIN VIA AZURE` button to log in with your Azure Active Directory account. You’ll see the ArgoCD applications screen.
    ![Azure SSO Web Application](../../assets/azure-sso-web-application.png "Azure SSO Web Application")
-4. Navigate to User Info and verify Group ID. Groups will have your group’s Object ID that you added in the `Setup permissions for Entra ID Application` step.
+4. Navigate to User Info and verify Group ID. Groups will have your group’s Object ID that you added in the `Setup permissions for Azure AD Application` step.
    ![Azure SSO Web User Info](../../assets/azure-sso-web-user-info.png "Azure SSO Web User Info")
 
 ### Log in to ArgoCD using CLI

docs/operator-manual/user-management/okta.md

@@ -118,81 +118,34 @@ data:
 
 ## OIDC (without Dex)
 
-!!! warning "Okta groups for RBAC"
-    If you want `groups` scope returned from Okta, you will need to enable [API Access Management with Okta](https://developer.okta.com/docs/concepts/api-access-management/). This addon is free, and automatically enabled, on Okta developer edition. However, it's an optional add-on for production environments, with an additional associated cost.
+!!! warning "Do you want groups for RBAC later?"
+    If you want `groups` scope returned from Okta you need to unfortunately contact support to enable [API Access Management with Okta](https://developer.okta.com/docs/concepts/api-access-management/) or [_just use SAML above!_](#saml-with-dex)
 
-    You may alternately add a "groups" scope and claim to the default authorization server, and then filter the claim in the Okta application configuration. It's not clear if this requires the Authorization Server add-on.
-
-    If this is not an option for you, use the [SAML (with Dex)](#saml-with-dex) option above instead.
-
-!!! note
-    These instructions and screenshots are of Okta version 2023.05.2 E. You can find the current version in the Okta website footer.
-
-First, create the OIDC integration:
-
-1. On the `Okta Admin` page, navigate to the Okta Applications at `Applications > Applications.`
-1. Choose `Create App Integration`, and choose `OIDC`, and then `Web Application` in the resulting dialogues.
-    ![Okta OIDC app dialogue](../../assets/okta-create-oidc-app.png)
-1. Update the following:
-    1. `App Integration name` and `Logo` - set these to suit your needs; they'll be displayed in the Okta catalogue.
-    1. `Sign-in redirect URLs`: Add `https://argocd.example.com/auth/callback`; replacing `argocd.example.com` with your ArgoCD web interface URL. Also add `http://localhost:8085/auth/callback` if you would like to be able to login with the CLI.
-    1. `Sign-out redirect URIs`: Add `https://argocd.example.com`; substituting the correct domain name as above. 
-    1. Either assign groups, or choose to skip this step for now.
-    1. Leave the rest of the options as-is, and save the integration.
-    ![Okta app settings](../../assets/okta-app.png)
-1. Copy the `Client ID` and the `Client Secret` from the newly created app; you will need these later.
-
-Next, create a custom Authorization server:
+    Next you may need the API Access Management feature, which the support team can enable for your OktaPreview domain for testing, to enable "custom scopes" and a separate endpoint to use instead of the "public" `/oauth2/v1/authorize` API Access Management endpoint. This might be a paid feature if you want OIDC unfortunately. The free alternative I found was SAML.
 
 1. On the `Okta Admin` page, navigate to the Okta API Management at `Security > API`.
-1. Click `Add Authorization Server`, and assign it a name and a description. The `Audience` should match your ArgoCD URL - `https://argocd.example.com`
-1. Click `Scopes > Add Scope`:
-    1. Add a scope called `groups`. Leave the rest of the options as default.
-    ![Groups Scope](../../assets/okta-groups-scope.png)
-1. Click `Claims > Add Claim`:
-    1. Add a claim called `groups`.
-    1. Adjust the `Include in token type` to `ID Token`, `Always`.
-    1. Adjust the `Value type` to `Groups`.
-    1. Add a filter that will match the Okta groups you want passed on to ArgoCD; for example `Regex: argocd-.*`.
-    1. Set `Include in` to `groups` (the scope you created above).
-    ![Groups Claim](../../assets/okta-groups-claim.png)
-1. Click on `Access Policies` > `Add Policy.` This policy will restrict how this authorization server is used.
-    1. Add a name and description.
-    1. Assign the policy to the client (application integration) you created above. The field should auto-complete as you type.
-    1. Create the policy.
-    ![Auth Policy](../../assets/okta-auth-policy.png)
-1. Add a rule to the policy:
-    1. Add a name; `default` is a reasonable name for this rule.
-    1. Fine-tune the settings to suit your organization's security posture. Some ideas:
-        1. uncheck all the grant types except the Authorization Code.
-        1. Adjust the token lifetime to govern how long a session can last.
-        1. Restrict refresh token lifetime, or completely disable it.
-    ![Default rule](../../assets/okta-auth-rule.png)
-1. Finally, click `Back to Authorization Servers`, and copy the `Issuer URI`. You will need this later.
-
-If you haven't yet created Okta groups, and assigned them to the application integration, you should do that now:
-
-1. Go to `Directory > Groups`
-1. For each group you wish to add:
-    1. Click `Add Group`, and choose a meaningful name. It should match the regex or pattern you added to your custom `group` claim.
-    1. Click on the group (refresh the page if the new group didn't show up in the list).
-    1. Assign Okta users to the group.
-    1. Click on `Applications` and assign the OIDC application integration you created to this group.
-    1. Repeat as needed.
-
-Finally, configure ArgoCD itself. Edit the `argocd-cm` configmap:
+    ![Okta API Management](../../assets/api-management.png)
+1. Choose your `default` authorization server.
+1. Click `Scopes > Add Scope`
+    1. Add a scope called `groups`.
+    ![Groups Scope](../../assets/groups-scope.png)
+1. Click `Claims > Add Claim.`
+    1. Add a claim called `groups`
+    1. Choose the matching options you need, one example is:
+        * e.g. to match groups starting with `argocd-` you'd return an `ID Token` using your scope name from step 3 (e.g. `groups`) where the groups name `matches` the `regex` `argocd-.*`
+    ![Groups Claim](../../assets/groups-claim.png)
+1. Edit the `argocd-cm` and configure the `data.oidc.config` section:
 
 <!-- markdownlint-disable MD046 -->
 ```yaml
-url: https://argocd.example.com
 oidc.config: |
   name: Okta
-  # this is the authorization server URI
-  issuer: https://example.okta.com/oauth2/aus9abcdefgABCDEFGd7
-  clientID: 0oa9abcdefgh123AB5d7
-  clientSecret: ABCDEFG1234567890abcdefg
+  issuer: https://yourorganization.oktapreview.com
+  clientID: 0oaltaqg3oAIf2NOa0h3
+  clientSecret: ZXF_CfUc-rtwNfzFecGquzdeJ_MxM4sGc8pDT2Tg6t
   requestedScopes: ["openid", "profile", "email", "groups"]
   requestedIDTokenClaims: {"groups": {"essential": true}}
 ```
+<!-- markdownlint-enable MD046 -->
+
 
-You may want to store the `clientSecret` in a Kubernetes secret; see [how to deal with SSO secrets](./index.md/#sensitive-data-and-sso-client-secrets ) for more details.

docs/proposals/decouple-application-sync-user-using-impersonation.md

@@ -1,592 +0,0 @@
----
-title: Decouple Control plane and Application Sync privileges
-authors:
-  - "@anandf"
-sponsors:
-  - Red Hat
-reviewers:
-  - "@blakepettersson"
-  - "@crenshaw-dev"
-  - "@jannfis"
-approvers:
-  - "@alexmt"
-  - "@crenshaw-dev"
-  - "@jannfis"
-
-creation-date: 2023-06-23
-last-updated: 2024-02-06
----
-
-# Decouple Application Sync using Impersonation
-
-Application syncs in Argo CD have the same privileges as the Argo CD control plane. As a consequence, in a multi-tenant setup, the Argo CD control plane privileges needs to match the tenant that needs the highest privileges. As an example, if an Argo CD instance has 10 Applications and only one of them requires admin privileges, then the Argo CD control plane must have admin privileges in order to be able to sync that one Application. Argo CD provides a multi-tenancy model to restrict what each Application can do using `AppProjects`, even though the control plane has higher privileges, however that creates a large attack surface since if Argo CD is compromised, attackers would have cluster-admin access to the cluster.
-
-The goal of this proposal is to perform the Application sync as a different user using impersonation and use the service account provided in the cluster config purely for control plane operations.
-
-### What is Impersonation
-
-Impersonation is a feature in Kubernetes and enabled in the `kubectl` CLI client, using which, a user can act as another user through impersonation headers. For example, an admin could use this feature to debug an authorization policy by temporarily impersonating another user and seeing if a request was denied.
-
-Impersonation requests first authenticate as the requesting user, then switch to the impersonated user info.
-
-```
-kubectl --as <user-to-impersonate> ...
-kubectl --as <user-to-impersonate> --as-group <group-to-impersonate> ...
-```
-
-## Open Questions [optional]
-
-- Should the restrictions imposed as part of the `AppProjects` be honored if the impersonation feature is enabled ?
->Yes, other restrictions implemented by `AppProject` related to whitelisting/blacklisting resources must continue to be honoured.
-- Can an Application refer to a service account with elevated privileges like say  `cluster-admin`, `admin`, and service accounts used for running the ArgoCD controllers itself ?
->Yes, this is possible as long as the ArgoCD admin user explicitly allows it through the `AppProject` configuration.
-- Among the destinations configured in the `AppProject`, if there are multiple matches for a given destination, which destination option should be used ?
->If there are more than one matching destination, either with a glob pattern match or an exact match, then we use the first valid match to determine the service account to be used for the sync operation.
-- Can the kubernetes audit trail events capture the impersonation.
->Yes, kubernetes audit trail events capture both the actual user and the impersonating user details and hence its possible to track who executed the commands and as which user permissions using the audit trails.
-- Would the Sync hooks be using the impersonation service account.
->Yes, if the impersonation feature is enabled and customers use Sync hooks, then impersonation service account would be used for executing the hook jobs as well.
-- If application resources have hardcoded namespaces in the git repository, would different service accounts be used for each resource during the sync operation ?
->The service account to be used for impersonation is determined on a per Application level rather than on per resource level. The value specified in `Application.spec.destination.namespace` would be used to determine the service account to be used for the sync operation of all resources present in the `Application`.
-
-## Summary
-
-In a multi team/multi tenant environment, an application team is typically granted access to a namespace to self-manage their Applications in a declarative way. Current implementation of ArgoCD requires the ArgoCD Administrator to create an `AppProject` with access settings configured to replicate the RBAC resources that are configured for each team. This approach requires duplication of effort and also requires syncing the access between both to maintain the security posture. It would be desirable for users to use the existing RBAC rules without having to revert to Argo CD API to create and manage these Applications. One namespace per team, or even one namespace per application is what we are looking to address as part of this proposal.
-
-## Motivation
-
-This proposal would allow ArgoCD administrators to manage the cluster permissions using kubernetes native RBAC implementation rather than using complex configurations in `AppProjects` to restrict access to individual applications. By decoupling the privileges required for application sync from the privileges required for ArgoCD control plane operations, the security requirement of providing least privileges can be achieved there by improving the security posture of ArgoCD. For implementing multi team/tenant use cases, this decoupling would be greatly beneficial.
-
-### Assumptions
-
-- Namespaces are pre-populated with one or more `ServiceAccounts` that define the permissions for each `AppProject`.
-- Many users prefer to control access to kubernetes resources through kubernetes RBAC constructs instead of Argo specific constructs.
-- Each tenant is generally given access to a specific namespace along with a service account, role or cluster role and role binding to control access to that namespace. 
-- `Applications` created by a tenant manage namespaced resources.
-- An `AppProject` can either be mapped to a single tenant or multiple related tenants and the respective destinations that needs to be managed via the `AppProject`, needs to be configured.
-
-
-### Goals
-- Applications may only impersonate ServiceAccounts that live in the same namespace as the destination namespace configured in the application.If the service account is created in a different namespace, then the user can provide the service account name in the format `<namespace>:<service_account_name>` . ServiceAccount to be used for syncing each application is determined by the target destination configured in the `AppProject` associated with the `Application`.
-- If impersonation feature is enabled, and no service account name is provided in the associated `AppProject`, then the default service account of the destination namespace of the `Application` should be used.
-- Access restrictions implemented through properties in AppProject (if done) must have the existing behavior. From a security standpoint, any restrictions that were available before switching to a service account based approach should continue to exist even when the impersonation feature is enabled.
-
-### Non-Goals
-
-None
-
-## Proposal
-
-As part of this proposal, it would be possible for an ArgoCD Admin to specify a service account name in `AppProjects` CR for a single or a group of destinations. A destination is uniquely identified by a target cluster and a namespace combined.
-
-When applications gets synced, based on its destination (target cluster and namespace combination), the `defaultServiceAccount` configured in the `AppProject` will be selected and used for impersonation when executing the kubectl commands for the sync operation.
-
-We would be introducing a new element `destinationServiceAccounts` in `AppProject.spec`. This element is used for the sole purpose of specifying the impersonation configuration. The `defaultServiceAccount` configured for the `AppProject` would be used for the sync operation for a particular destination cluster and namespace. If impersonation feature is enabled and no specific service account is provided in the `AppProject` CR, then the `default` service account in the destination namespace would be used for impersonation.
-
-```
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: my-project
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  description: Example Project
-  # Allow manifests to deploy from any Git repos
-  sourceRepos:
-    - '*'
-  destinations:
-    - *
-  destinationServiceAccounts:
-    - server: https://kubernetes.default.svc
-      namespace: guestbook
-      defaultServiceAccount: guestbook-deployer
-    - server: https://kubernetes.default.svc
-      namespace: guestbook-dev
-      defaultServiceAccount: guestbook-dev-deployer
-    - server: https://kubernetes.default.svc
-      namespace: guestbook-stage
-      defaultServiceAccount: guestbook-stage-deployer
-```
-
-### Structure of DestinationServiceAccount:
-|Parameter| Type | Required/Optional| Description|
-| ------ | ------ | ------- | -------- |
-| server | string | Required | Server specifies the URL of the target cluster's Kubernetes control plane API. Glob patterns are supported. |
-| namespace | string | Required | Namespace specifies the target namespace for the application's resources. Glob patterns are supported. |
-| defaultServiceAccount | string | Required| DefaultServiceAccount specifies the service account to be impersonated when performing the `Application` sync operation.|
-
-**Note:** Only server URL for the target cluster is supported and target cluster name is not supported.
-
-### Future enhancements
-
-In a future release, we plan to support overriding of service accounts at the application level. In that case, we would be adding an element called `allowedServiceAccounts` to `AppProject.spec.destinationServiceAccounts[*]`
-
-### Use cases
-
-#### Use case 1:
-
-As a user, I would like to use kubernetes security constructs to restrict user access for application sync
-So that, I can provide granular permissions based on the principle of least privilege required for syncing an application.
-
-#### Use case 2:
-
-As a user, I would like to configure a common service account for all applications associated to an AppProject
-So that, I can use a generic convention of naming service accounts and avoid associating the service account per application.
-
-### Design considerations
-
-- Extending the `destinations` field under `AppProjects` was an option that was considered. But since the intent of it was to restrict the destinations that an associated `Application` can use, it was not used. Also the destination fields allowed negation operator (`!`) which would complicate the service account matching logic. The decision to create a new struct under `AppProject.Spec` for specifying the service account for each destination was considered a better alternative.
-
-- The field name `defaultServiceAccount` was chosen instead of `serviceAccount` as we wanted to support overriding of the service account at an `Application` at a later point in time and wanted to reserve the name `serviceAccount` for future extension.
-
-- Not supporting all impersonation options at the moment to keep the initial design to a minimum. Based on the need and feedback, support to impersonate users or groups can be added in future.
-
-### Implementation Details/Notes/Constraints
-
-#### Component : GitOps Engine
-
-- Fix GitOps Engine code to honor Impersonate configuration set in the Application sync context for all kubectl commands that are being executed.
-
-#### Component: ArgoCD API
-
-- Create a new struct type `DestinationServiceAccount` having fields `namespace`, `server` and `defaultServiceAccount`
-- Create a new field `DestinationServiceAccounts` under a `AppProject.Spec` that takes in a list of `DestinationServiceAccount` objects.
-- Add Documentation for newly introduced struct and its fields for `DestinationServiceAccount` and `DestinationServiceAccounts` under `AppProject.Spec`
-
-#### Component: ArgoCD Application Controller
-
-- Provide a configuration in `argocd-cm`  which can be modified to enable the Impersonation feature. Set `applicationcontroller.enable.impersonation: true` in the Argo CD ConfigMap. Default value of `applicationcontroller.enable.impersonation` would be `false` and user has to explicitly override it to use this feature.
-- Provide an option to override the Impersonation feature using environment variables.
-Set `ARGOCD_APPLICATION_CONTROLLER_ENABLE_IMPERSONATION=true` in the Application controller environment variables. Default value of the environment variable must be `false` and user has to explicitly set it to `true` to use this feature.
-- Provide an option to enable this feature using a command line flag `--enable-impersonation`. This new argument option needs to be added to the Application controller args.
-- Fix Application Controller `sync.go` to set the Impersonate configuration from the AppProject CR to the `SyncContext` Object (rawConfig and restConfig field, need to understand which config is used for the actual sync and if both configs need to be impersonated.)
-
-#### Component: ArgoCD UI
-
-- Provide option to create `DestinationServiceAccount` with fields `namespace`, `server` and `defaultServiceAccount`.
-- Provide option to add multiple `DestinationServiceAccounts` to an `AppProject` created/updated via the web console.
-- Update the User Guide documentation on how to use these newly added fields from the web console.
-
-#### Component: ArgoCD CLI
-
-- Provide option to create `DestinationServiceAccount` with fields `namespace`, `server` and `defaultServiceAccount`.
-- Provide option to add multiple `DestinationServiceAccounts` to an `AppProject` created/updated via the web console.
-- Update the User Guide and other documentation where the CLI option usages are explained.
-
-#### Component: Documentation
-
-- Add note that this is a Beta feature in the documentation.
-- Add a separate section for this feature under user-guide section.
-- Update the ArgoCD  CLI command reference documentation.
-- Update the ArgoCD  UI command reference documentation.
-
-### Detailed examples
-
-#### Example 1: Service account for application sync specified at the AppProject level for all namespaces
-
-In this specific scenario, service account name `generic-deployer` will get used for the application sync as the namespace `guestbook` matches the glob pattern `*`.
-
-- Install ArgoCD in the `argocd` namespace.
-```
-kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml -n argocd
-```
-
-- Enable the impersonation feature in ArgoCD.
-```
-kubectl set env statefulset/argocd-application-controller ARGOCD_APPLICATION_CONTROLLER_ENABLE_IMPERSONATION=true
-```
-
-- Create a namespace called `guestbook` and a service account called `guestbook-deployer`.
-```
-kubectl create namespace guestbook
-kubectl create serviceaccount guestbook-deployer
-```
-
-- Create Role and RoleBindings and configure RBAC access for creating `Service` and `Deployment` objects in namespace `guestbook` for service account `guestbook-deployer`.
-```
-kubectl create role guestbook-deployer-role --verb get,list,update,delete --resource pods,deployment,service
-kubectl create rolebinding guestbook-deployer-rb --serviceaccount guestbook-deployer --role guestbook-deployer-role
-```
-
-- Create the `Application` in the `argocd` namespace and the required `AppProject` as below 
-```
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: guestbook
-  namespace: argocd
-spec:
-  project: my-project
-  source:
-    repoURL: https://github.com/argoproj/argocd-example-apps.git
-    targetRevision: HEAD
-    path: guestbook
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: guestbook
----
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: my-project
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  description: Example Project
-  # Allow manifests to deploy from any Git repos
-  sourceRepos:
-    - '*'
-  destinations:
-    - namespace: *
-      server: https://kubernetes.default.svc
-  destinationServiceAccounts:
-    - namespace: *
-      server: https://kubernetes.default.svc 
-      defaultServiceAccount: generic-deployer
-```
-
-#### Example 2: Service account for application sync specified at the AppProject level for specific namespaces
-
-In this specific scenario, service account name `guestbook-deployer` will get used for the application sync as the namespace `guestbook` matches the target namespace `guestbook`.
-
-- Install ArgoCD in the `argocd` namespace.
-```
-kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml -n argocd
-```
-
-- Enable the impersonation feature in ArgoCD.
-```
-kubectl set env statefulset/argocd-application-controller ARGOCD_APPLICATION_CONTROLLER_ENABLE_IMPERSONATION=true
-```
-
-- Create a namespace called `guestbook` and a service account called `guestbook-deployer`.
-```
-kubectl create namespace guestbook
-kubectl create serviceaccount guestbook-deployer
-```
-- Create Role and RoleBindings and configure RBAC access for creating `Service` and `Deployment` objects in namespace `guestbook` for service account `guestbook-deployer`.
-```
-kubectl create role guestbook-deployer-role --verb get,list,update,delete --resource pods,deployment,service
-kubectl create rolebinding guestbook-deployer-rb --serviceaccount guestbook-deployer --role guestbook-deployer-role
-```
-
-In this specific scenario, service account name `guestbook-deployer` will get used as it matches to the specific namespace `guestbook`.
-```
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: guestbook
-  namespace: argocd
-spec:
-  project: my-project
-  source:
-    repoURL: https://github.com/argoproj/argocd-example-apps.git
-    targetRevision: HEAD
-    path: guestbook
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: guestbook
----
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: my-project
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  description: Example Project
-  # Allow manifests to deploy from any Git repos
-  sourceRepos:
-    - '*'
-  destinations:
-    - namespace: guestbook
-      server: https://kubernetes.default.svc
-    - namespace: guestbook-ui
-      server: https://kubernetes.default.svc
-  destinationServiceAccounts:
-    - namespace: guestbook
-      server: https://kubernetes.default.svc
-      defaultServiceAccount: guestbook-deployer
-    - namespace: guestbook-ui
-      server: https://kubernetes.default.svc
-      defaultServiceAccount: guestbook-ui-deployer
-```
-
-#### Example 3: Remote destination with cluster-admin access and using different service account for the sync operation
-
-**Note**: In this example, we are relying on the default service account `argocd-manager` with `cluster-admin` privileges which gets created when adding a remote cluster destination using the ArgoCD CLI.
-
-- Install ArgoCD in the `argocd` namespace.
-```
-kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml -n argocd
-```
-
-- Enable the impersonation feature in ArgoCD.
-```
-kubectl set env statefulset/argocd-application-controller ARGOCD_APPLICATION_CONTROLLER_ENABLE_IMPERSONATION=true
-```
-
-- Add the remote cluster as a destination to argocd
-```
-argocd cluster add remote-cluster --name remote-cluster
-```
-**Note:** The above command would create a service account named `argocd-manager` in `kube-system` namespace and `ClusterRole` named `argocd-manager-role` with full cluster admin access and a `ClusterRoleBinding` named `argocd-manager-role-binding` mapping the `argocd-manager-role` to the service account `remote-cluster`
-
-- In the remote cluster, create a namespace called `guestbook` and a service account called `guestbook-deployer`.
-```
-kubectl ctx remote-cluster
-kubectl create namespace guestbook
-kubectl create serviceaccount guestbook-deployer
-```
-
-- In the remote cluster, create `Role` and `RoleBindings` and configure RBAC access for creating `Service` and `Deployment` objects in namespace `guestbook` for service account `guestbook-deployer`.
-
-```
-kubectl ctx remote-cluster
-kubectl create role guestbook-deployer-role --verb get,list,update,delete --resource pods,deployment,service
-kubectl create rolebinding guestbook-deployer-rb --serviceaccount guestbook-deployer --role guestbook-deployer-role
-```
-
-- Create the `Application` and `AppProject` for the `guestbook` application.
-```
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: guestbook
-  namespace: argocd
-spec:
-  project: my-project
-  source:
-    repoURL: https://github.com/argoproj/argocd-example-apps.git
-    targetRevision: HEAD
-    path: guestbook
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: guestbook
----
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: my-project
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  description: Example Project
-  # Allow manifests to deploy from any Git repos
-  sourceRepos:
-    - '*'
-  destinations:
-    - namespace: guestbook
-      server: https://kubernetes.default.svc
-      serviceAccountName: guestbook-deployer
-  destinationServiceAccounts:
-    - namespace: guestbook
-      server: https://kubernetes.default.svc
-      defaultServiceAccount: guestbook-deployer
-```
-
-#### Example 4: Remote destination with a custom service account for the sync operation
-
-**Note**: In this example, we are relying on a non default service account `guestbook` created in the target cluster and namespace for the sync operation. This use case is for handling scenarios where the remote cluster is managed by a different administrator and providing a service account with `cluster-admin` level access is not feasible.
-
-- Install ArgoCD in the `argocd` namespace.
-```
-kubectl apply -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml -n argocd
-```
-
-- Enable the impersonation feature in ArgoCD.
-```
-kubectl set env statefulset/argocd-application-controller ARGOCD_APPLICATION_CONTROLLER_ENABLE_IMPERSONATION=true
-```
-
-- In the remote cluster, create a service account called `argocd-admin`
-```
-kubectl ctx remote-cluster
-kubectl create serviceaccount argocd-admin
-kubectl create clusterrole argocd-admin-role --verb=impersonate --resource="users,groups,serviceaccounts"
-kubectl create clusterrole argocd-admin-role-access-review --verb=create --resource="selfsubjectaccessreviews"
-kubectl create clusterrolebinding argocd-admin-role-binding --serviceaccount argocd-admin --clusterrole  argocd-admin-role
-kubectl create clusterrolebinding argocd-admin-access-review-role-binding --serviceaccount argocd-admin --clusterrole  argocd-admin-role
-```
-
-- In the remote cluster, create a namespace called `guestbook` and a service account called `guestbook-deployer`.
-```
-kubectl ctx remote-cluster
-kubectl create namespace guestbook
-kubectl create serviceaccount guestbook-deployer
-```
-
-- In the remote cluster, create `Role` and `RoleBindings` and configure RBAC access for creating `Service` and `Deployment` objects in namespace `guestbook` for service account `guestbook-deployer`.
-```
-kubectl create role guestbook-deployer-role --verb get,list,update,delete --resource pods,deployment,service
-kubectl create rolebinding guestbook-deployer-rb --serviceaccount guestbook-deployer --role guestbook-deployer-role
-```
-
-In this specific scenario, service account name `guestbook-deployer` will get used as it matches to the specific namespace `guestbook`.
-```
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: guestbook
-  namespace: argocd
-spec:
-  project: my-project
-  source:
-    repoURL: https://github.com/argoproj/argocd-example-apps.git
-    targetRevision: HEAD
-    path: guestbook
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: guestbook
----
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: my-project
-  namespace: argocd
-  finalizers:
-    - resources-finalizer.argocd.argoproj.io
-spec:
-  description: Example Project
-  # Allow manifests to deploy from any Git repos
-  sourceRepos:
-    - '*'
-  destinations:
-    - namespace: guestbook
-      server: https://kubernetes.default.svc
-    - namespace: guestbook-ui
-      server: https://kubernetes.default.svc
-  destinationServiceAccounts:
-    - namespace: guestbook
-      server: https://kubernetes.default.svc
-      defaultServiceAccount: guestbook-deployer
-    - namespace: guestbook-ui
-      server: https://kubernetes.default.svc
-      defaultServiceAccount: guestbook-ui-deployer
-```
-
-### Special cases
-
-#### Specifying service account in a different namespace
-
-By default, the service account would be looked up in the Application's destination namespace configured through `Application.Spec.Destination.Namespace` field. If the service account is in a different namespace, then users can provide the namespace of the service account explicitly in the format <namespace>:<service_account_name>
-eg:
-```
-  ...
-  destinationServiceAccounts:
-    - server: https://kubernetes.default.svc
-      namespace: *
-      defaultServiceAccount: mynamespace:guestbook-deployer
-  ...
-```
-
-#### Multiple matches of destinations
-
-If there are multiple matches for a given destination, the first valid match in the list of `destinationServiceAccounts` would be used.
-
-eg:
-Lets assume that the `AppProject` has the below `destinationServiceAccounts` configured.
-```
-  ...
-  destinationServiceAccounts:
-    - server: https://kubernetes.default.svc
-      namespace: guestbook-prod
-      defaultServiceAccount: guestbook-prod-deployer
-    - server: https://kubernetes.default.svc
-      namespace: guestbook-*
-      defaultServiceAccount: guestbook-generic-deployer
-    - server: https://kubernetes.default.svc
-      namespace: *
-      defaultServiceAccount: generic-deployer
-  ...
-```
-- If the application destination namespace is `myns`, then the service account `generic-deployer` would be used as the first valid match is the glob pattern `*` and there are no other valid matches in the list.
-- If the application destination namespace is `guestbook-dev` or `guestbook-stage`, then both glob patterns `*` and `guestbook-*` are valid matches, however `guestbook-*` pattern appears first and hence, the service account `guestbook-generic-deployer` would be used for the impersonation.
-- If the application destination namespace is `guestbook-prod`, then there are three candidates, however the first valid match in the list is the one with service account `guestbook-prod-deployer` and that would be used for the impersonation.
-
-#### Application resources referring to multiple namespaces
-If application resources have hardcoded namespaces in the git repository, would different service accounts be used for each resource during the sync operation ?
-
-The service account to be used for impersonation is determined on a per Application level rather than on per resource level. The value specified in `Application.spec.destination.namespace` would be used to determine the service account to be used for the sync operation of all resources present in the `Application`.
-
-### Security Considerations
-
-* How does this proposal impact the security aspects of Argo CD workloads ?
-* Are there any unresolved follow-ups that need to be done to make the enhancement more robust ?
-
-### Risks and Mitigations
-
-#### Privilege Escalation
-
-There could be an issue of privilege escalation, if we allow users to impersonate without restrictions. This is mitigated by only allowing admin users to configure service account used for the sync operation at the `AppProject` level.
-
-Instead of allowing users to impersonate all possible users, administrators can restrict the users a particular service account can impersonate using the `resourceNames` field in the RBAC spec.
-
-
-### Upgrade / Downgrade Strategy
-
-If applicable, how will the component be upgraded and downgraded? Make sure this is in the test
-plan.
-
-Consider the following in developing an upgrade/downgrade strategy for this enhancement:
-
-- What changes (in invocations, configurations, API use, etc.) is an existing cluster required to
-  make on upgrade in order to keep previous behavior?
-- What changes (in invocations, configurations, API use, etc.) is an existing cluster required to
-  make on upgrade in order to make use of the enhancement?
-
-- This feature would be implemented on an `opt-in` based on a feature flag and disabled by default.
-- The new struct being added to `AppProject.Spec` would be introduced as an optional field and would be enabled only if the feature is enabled explicitly by a feature flag. If new property is used in the CR, but the feature flag is not enabled, then a warning message would be displayed during reconciliation of such CRs.
-
-
-## Drawbacks
-
-- When using this feature, there is an overhead in creating namespaces, service accounts and the required RBAC policies and mapping the service accounts with the corresponding `AppProject` configuration.
-
-## Alternatives
-
-### Option 1
-Allow all options available in the `ImpersonationConfig` available to the user through the `AppProject` CRs.
-
-```
-apiVersion: argoproj.io/v1alpha1
-kind: AppProject
-metadata:
-  name: my-project
-  namespace: argocd
-spec:
-  description: Example Project
-  # Allow manifests to deploy from any Git repos
-  sourceRepos:
-  - '*'
-  destinations:
-  - namespace: *
-    server: https://kubernetes.default.svc
-    namespace: guestbook
-    impersonate:
-      user: system:serviceaccount:dev_ns:admin
-      uid: 1234
-      groups:
-        - admin
-        - view
-        - edit
-```
-
-### Related issue
-
-https://github.com/argoproj/argo-cd/issues/7689
-
-
-### Related links
-
-https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
-
-### Prior art
-
-https://github.com/argoproj/argo-cd/pull/3377
-https://github.com/argoproj/argo-cd/pull/7651

docs/proposals/native-oci-support.md

@@ -126,10 +126,10 @@ Consider the following in developing an upgrade/downgrade strategy for this enha
 
 ## Drawbacks
 
-* Sourcing content from an OCI registry may be perceived to be against GitOps principles as content is not sourced from a Git repository. This concern could be mitigated by attaching additional details related to the content (such as original Git source [URL, revision]). Though it should be noted that the GitOps principles only require a source of truth to be visioned and immutable which OCI registries support.
+* Sourcing content from an OCI registry may be perceived to be against GitOps principles as content is not sourced from a Git repository. This concern could be mitigated by attaching additional details related to the content (such as original Git source [URL, revision]). Though it should be noted that the GitOps principles only require a source of truth to be visioned and immutable which OCI registires support.
 
 ## Alternatives
 
 ### Config Management Plugin
 
-Content stored within OCI artifacts could be sourced using a Config Management Plugin which would not require changes to the core capabilities provided by Argo CD. However, this would be hacky and not represent itself within the Argo CD UI.
+Content stored within OCI artifacts could be sourced using a Config Management Plugin which would not require changes to the core capabilities provided by Argo CD. However, this would be hacky and not represent itself within the Argo CD UI.

docs/user-guide/commands/argocd_admin_cluster_generate-spec.md

@@ -13,7 +13,6 @@ argocd admin cluster generate-spec CONTEXT [flags]
 ```
       --annotation stringArray             Set metadata annotations (e.g. --annotation key=value)
       --aws-cluster-name string            AWS Cluster name if set then aws cli eks token command will be used to access cluster
-      --aws-profile string                 Optional AWS profile. If set then AWS IAM Authenticator uses this profile to perform cluster operations instead of the default AWS credential provider chain.
       --aws-role-arn string                Optional AWS role arn. If set then AWS IAM Authenticator assumes a role to perform cluster operations instead of the default AWS credential provider chain.
       --bearer-token string                Authentication token that should be used to access K8S API server
       --cluster-endpoint string            Cluster endpoint to use. Can be one of the following: 'kubeconfig', 'kube-public', or 'internal'.

docs/user-guide/commands/argocd_cluster_add.md

@@ -13,7 +13,6 @@ argocd cluster add CONTEXT [flags]
 ```
       --annotation stringArray             Set metadata annotations (e.g. --annotation key=value)
       --aws-cluster-name string            AWS Cluster name if set then aws cli eks token command will be used to access cluster
-      --aws-profile string                 Optional AWS profile. If set then AWS IAM Authenticator uses this profile to perform cluster operations instead of the default AWS credential provider chain.
       --aws-role-arn string                Optional AWS role arn. If set then AWS IAM Authenticator assumes a role to perform cluster operations instead of the default AWS credential provider chain.
       --cluster-endpoint string            Cluster endpoint to use. Can be one of the following: 'kubeconfig', 'kube-public', or 'internal'.
       --cluster-resources                  Indicates if cluster level resources should be managed. The setting is used only if list of managed namespaces is not empty.

docs/user-guide/commands/argocd_repo_add.md

@@ -17,12 +17,6 @@ argocd repo add REPOURL [flags]
   # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
   argocd repo add ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
 
-  # Add a Git repository via SSH using socks5 proxy with no proxy credentials
-  argocd repo add ssh://git@github.com/argoproj/argocd-example-apps --ssh-private-key-path ~/id_rsa --proxy socks5://your.proxy.server.ip:1080
-
-  # Add a Git repository via SSH using socks5 proxy with proxy credentials
-  argocd repo add ssh://git@github.com/argoproj/argocd-example-apps --ssh-private-key-path ~/id_rsa --proxy socks5://username:password@your.proxy.server.ip:1080
-
   # Add a private Git repository via HTTPS using username/password and TLS client certificates:
   argocd repo add https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
 

docs/user-guide/helm.md

@@ -25,28 +25,9 @@ spec:
     namespace: kubeseal
 ```
 
-Another example using a public OCI helm chart:
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: nginx
-spec:
-  project: default
-  source:
-    chart: nginx
-    repoURL: registry-1.docker.io/bitnamicharts  # note: the oci:// syntax is not included.
-    targetRevision: 15.9.0
-  destination:
-    name: "in-cluster"
-    namespace: nginx
-```
-
 !!! note "When using multiple ways to provide values"
     Order of precedence is `parameters > valuesObject > values > valueFiles > helm repository values.yaml` (see [Here](./helm.md#helm-value-precedence) for a more detailed example)
 
-See [here](../operator-manual/declarative-setup.md#helm-chart-repositories) for more info about how to configure private Helm repositories.
-
 ## Values Files
 
 Helm has the ability to use a different, or even multiple "values.yaml" files to derive its

docs/user-guide/kustomize.md

@@ -162,9 +162,6 @@ data:
     kustomize.buildOptions: --load-restrictor LoadRestrictionsNone
     kustomize.buildOptions.v4.4.0: --output /tmp
 ```
-
-After modifying `kustomize.buildOptions`, you may need to restart ArgoCD for the changes to take effect.
-
 ## Custom Kustomize versions
 
 Argo CD supports using multiple Kustomize versions simultaneously and specifies required version per application.

docs/user-guide/resource_hooks.md

@@ -63,7 +63,6 @@ metadata:
     argocd.argoproj.io/hook: PostSync
     argocd.argoproj.io/hook-delete-policy: HookSucceeded
 ```
-Multiple hook delete policies can be specified as a comma separated list.
 
 The following policies define when the hook will be deleted.
 

docs/user-guide/sync-options.md

@@ -270,7 +270,7 @@ spec:
     - RespectIgnoreDifferences=true
 ```
 
-The example above shows how an Argo CD Application can be configured so it will ignore the `spec.replicas` field from the desired state (git) during the sync stage. This is achieved by calculating and pre-patching the desired state before applying it in the cluster. Note that the `RespectIgnoreDifferences` sync option is only effective when the resource is already created in the cluster. If the Application is being created and no live state exists, the desired state is applied as-is.
+The example above shows how an Argo CD Application can be configured so it will ignore the `spec.replicas` field from the desired state (git) during the sync stage. This is achieve by calculating and pre-patching the desired state before applying it in the cluster. Note that the `RespectIgnoreDifferences` sync option is only effective when the resource is already created in the cluster. If the Application is being created and no live state exists, the desired state is applied as-is.
 
 ## Create Namespace
 

docs/user-guide/sync-waves.md

@@ -37,7 +37,7 @@ Hooks and resources are assigned to wave zero by default. The wave can be negati
 When Argo CD starts a sync, it orders the resources in the following precedence:
 
 * The phase
-* The wave they are in (lower values first for creation & updation and higher values first for deletion)
+* The wave they are in (lower values first)
 * By kind (e.g. [namespaces first and then other Kubernetes resources, followed by custom resources](https://github.com/argoproj/gitops-engine/blob/bc9ce5764fa306f58cf59199a94f6c968c775a2d/pkg/sync/sync_tasks.go#L27-L66))
 * By name 
 
@@ -49,8 +49,6 @@ It repeats this process until all phases and waves are in-sync and healthy.
 
 Because an application can have resources that are unhealthy in the first wave, it may be that the app can never get to healthy.
 
-During pruning of resources, resources from higher waves are processed first before moving to lower waves. If, for any reason, a resource isn't removed/pruned in a wave, the resources in next waves won't be processed. This is to ensure proper resource cleanup between waves.
-
 Note that there's currently a delay between each sync wave in order give other controllers a chance to react to the spec change
 that we just applied. This also prevent Argo CD from assessing resource health too quickly (against the stale object), causing
 hooks to fire prematurely. The current delay between each sync wave is 2 seconds and can be configured via environment

go.mod

@@ -13,10 +13,10 @@ require (
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/miniredis/v2 v2.30.4
 	github.com/antonmedv/expr v1.15.2
-	github.com/argoproj/gitops-engine v0.7.1-0.20240124052710-5fd9f449e757
-	github.com/argoproj/notifications-engine v0.4.1-0.20240206192038-2daee6022f41
+	github.com/argoproj/gitops-engine v0.7.1-0.20240122213038-792124280fcc
+	github.com/argoproj/notifications-engine v0.4.1-0.20231027194313-a8d185ecc0a9
 	github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1
-	github.com/aws/aws-sdk-go v1.50.8
+	github.com/aws/aws-sdk-go v1.44.317
 	github.com/bmatcuk/doublestar/v4 v4.6.0
 	github.com/bombsimon/logrusr/v2 v2.0.1
 	github.com/bradleyfalzon/ghinstallation/v2 v2.6.0
@@ -25,8 +25,7 @@ require (
 	github.com/coreos/go-oidc/v3 v3.6.0
 	github.com/cyphar/filepath-securejoin v0.2.4
 	github.com/dustin/go-humanize v1.0.1
-	github.com/evanphx/json-patch v5.9.0+incompatible
-	github.com/felixge/httpsnoop v1.0.3
+	github.com/evanphx/json-patch v5.6.0+incompatible
 	github.com/fsnotify/fsnotify v1.6.0
 	github.com/gfleury/go-bitbucket-v1 v0.0.0-20220301131131-8e7ed04b843e
 	github.com/go-git/go-git/v5 v5.11.0
@@ -82,7 +81,7 @@ require (
 	go.opentelemetry.io/otel v1.21.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0
 	go.opentelemetry.io/otel/sdk v1.21.0
-	golang.org/x/crypto v0.17.0
+	golang.org/x/crypto v0.16.0
 	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
 	golang.org/x/oauth2 v0.11.0
 	golang.org/x/sync v0.3.0
@@ -115,20 +114,19 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.5.2 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.25.12 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sqs v1.29.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
-	github.com/aws/smithy-go v1.19.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.17.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.18.8 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.8 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.28 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sqs v1.20.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.18.0 // indirect
+	github.com/aws/smithy-go v1.13.5 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/google/s2a-go v0.1.4 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
@@ -180,6 +178,7 @@ require (
 	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d // indirect
 	github.com/fatih/camelcase v1.0.0 // indirect
+	github.com/felixge/httpsnoop v1.0.3 // indirect
 	github.com/fvbommel/sortorder v1.0.1 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect

go.sum

@@ -694,10 +694,10 @@ github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
 github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE=
-github.com/argoproj/gitops-engine v0.7.1-0.20240124052710-5fd9f449e757 h1:5fKAhTQcTBom0vin56cz/UTPx2GMuvdb+lJRAUOPbHA=
-github.com/argoproj/gitops-engine v0.7.1-0.20240124052710-5fd9f449e757/go.mod h1:gWE8uROi7hIkWGNAVM+8FWkMfo0vZ03SLx/aFw/DBzg=
-github.com/argoproj/notifications-engine v0.4.1-0.20240206192038-2daee6022f41 h1:PQE8LbcbRHdtnQzeEWwVU2QHXACKOA30yS3No5HSoTQ=
-github.com/argoproj/notifications-engine v0.4.1-0.20240206192038-2daee6022f41/go.mod h1:TsyusmXQWIL0ST7YMRG/ered7WlWDmbmnPpXnS2LJmM=
+github.com/argoproj/gitops-engine v0.7.1-0.20240122213038-792124280fcc h1:Fv94Mi2WvtvPkEH5WoWC3iy/VoQRLeSsE0hyg0n2UkY=
+github.com/argoproj/gitops-engine v0.7.1-0.20240122213038-792124280fcc/go.mod h1:gWE8uROi7hIkWGNAVM+8FWkMfo0vZ03SLx/aFw/DBzg=
+github.com/argoproj/notifications-engine v0.4.1-0.20231027194313-a8d185ecc0a9 h1:1lt0VXzmLK7Vv0kaeal3S6/JIfzPyBORkUWXhiqF3l0=
+github.com/argoproj/notifications-engine v0.4.1-0.20231027194313-a8d185ecc0a9/go.mod h1:E/vv4+by868m0mmflaRfGBmKBtAupoF+mmyfekP8QCk=
 github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1 h1:qsHwwOJ21K2Ao0xPju1sNuqphyMnMYkyB3ZLoLtxWpo=
 github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1/go.mod h1:CZHlkyAD1/+FbEn6cB2DQTj48IoLGvEYsWEvtzP3238=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -713,37 +713,35 @@ github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:W
 github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQwij/eHl5CU=
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.44.289/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
-github.com/aws/aws-sdk-go v1.50.8 h1:gY0WoOW+/Wz6XmYSgDH9ge3wnAevYDSQWPxxJvqAkP4=
-github.com/aws/aws-sdk-go v1.50.8/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go v1.44.317 h1:+8XWrLmGMwPPXSRSLPzhgcGnzJ2mYkgkrcB9C/GnSOU=
+github.com/aws/aws-sdk-go v1.44.317/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
-github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
-github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
-github.com/aws/aws-sdk-go-v2/config v1.25.12 h1:mF4cMuNh/2G+d19nWnm1vJ/ak0qK6SbqF0KtSX9pxu0=
-github.com/aws/aws-sdk-go-v2/config v1.25.12/go.mod h1:lOvvqtZP9p29GIjOTuA/76HiVk0c/s8qRcFRq2+E2uc=
-github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
-github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1 h1:uR9lXYjdPX0xY+NhvaJ4dD8rpSRz5VY81ccIIoNG+lw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.7.1/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
-github.com/aws/aws-sdk-go-v2/service/sqs v1.29.7 h1:tRNrFDGRm81e6nTX5Q4CFblea99eAfm0dxXazGpLceU=
-github.com/aws/aws-sdk-go-v2/service/sqs v1.29.7/go.mod h1:8GWUDux5Z2h6z2efAtr54RdHXtLm8sq7Rg85ZNY/CZM=
-github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
-github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
-github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
+github.com/aws/aws-sdk-go-v2 v1.17.3 h1:shN7NlnVzvDUgPQ+1rLMSxY8OWRNDRYtiqe0p/PgrhY=
+github.com/aws/aws-sdk-go-v2 v1.17.3/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
+github.com/aws/aws-sdk-go-v2/config v1.18.8 h1:lDpy0WM8AHsywOnVrOHaSMfpaiV2igOw8D7svkFkXVA=
+github.com/aws/aws-sdk-go-v2/config v1.18.8/go.mod h1:5XCmmyutmzzgkpk/6NYTjeWb6lgo9N170m1j6pQkIBs=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.8 h1:vTrwTvv5qAwjWIGhZDSBH/oQHuIQjGmD232k01FUh6A=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.8/go.mod h1:lVa4OHbvgjVot4gmh1uouF1ubgexSCN92P6CJQpT0t8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.21 h1:j9wi1kQ8b+e0FBVHxCqCGo4kxDU175hoDHcWAi0sauU=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.21/go.mod h1:ugwW57Z5Z48bpvUyZuaPy4Kv+vEfJWnIrky7RmkBvJg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27 h1:I3cakv2Uy1vNmmhRQmFptYDxOvBnwCdNwyw63N0RaRU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.27/go.mod h1:a1/UpzeyBBerajpnP5nGZa9mGzsBn5cOKxm6NWQsvoI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21 h1:5NbbMrIzmUn/TXFqAle6mgrH5m9cOvMLRGL7pnG8tRE=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.21/go.mod h1:+Gxn8jYn5k9ebfHEqlhrMirFjSW0v0C9fI+KN5vk2kE=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.28 h1:KeTxcGdNnQudb46oOl4d90f2I33DF/c6q3RnZAmvQdQ=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.28/go.mod h1:yRZVr/iT0AqyHeep00SZ4YfBAKojXz08w3XMBscdi0c=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21 h1:5C6XgTViSb0bunmU57b3CT+MhxULqHH2721FVA+/kDM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.21/go.mod h1:lRToEJsn+DRA9lW4O9L9+/3hjTkUzlzyzHqn8MTds5k=
+github.com/aws/aws-sdk-go-v2/service/sqs v1.20.0 h1:tQoMg8i4nFAB70cJ4wiAYEiZRYo2P6uDmU2D6ys/igo=
+github.com/aws/aws-sdk-go-v2/service/sqs v1.20.0/go.mod h1:jQhN5f4p3PALMNlUtfb/0wGIFlV7vGtJlPDVfxfNfPY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.12.0 h1:/2gzjhQowRLarkkBOGPXSRnb8sQ2RVsjdG1C/UliK/c=
+github.com/aws/aws-sdk-go-v2/service/sso v1.12.0/go.mod h1:wo/B7uUm/7zw/dWhBJ4FXuw1sySU5lyIhVg1Bu2yL9A=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.0 h1:Jfly6mRxk2ZOSlbCvZfKNS7TukSx1mIzhSsqZ/IGSZI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.0/go.mod h1:TZSH7xLO7+phDtViY/KUp9WGCJMQkLJ/VpgkTFd5gh8=
+github.com/aws/aws-sdk-go-v2/service/sts v1.18.0 h1:kOO++CYo50RcTFISESluhWEi5Prhg+gaSs4whWabiZU=
+github.com/aws/aws-sdk-go-v2/service/sts v1.18.0/go.mod h1:+lGbb3+1ugwKrNTWcf2RT05Xmp543B06zDFTwiTLp7I=
+github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
+github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -877,8 +875,8 @@ github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBF
 github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
-github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
+github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
 github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4=
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM=
@@ -1815,8 +1813,8 @@ golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.16.0 h1:mMMrFzRSCF0GvB7Ne27XVtVAaXLrPmgPC7/v0tkwHaY=
+golang.org/x/crypto v0.16.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=

hack/generate-proto.sh

@@ -10,13 +10,9 @@ set -o nounset
 set -o pipefail
 
 # shellcheck disable=SC2128
-PROJECT_ROOT=$(
-    cd "$(dirname "${BASH_SOURCE}")"/..
-    pwd
-)
+PROJECT_ROOT=$(cd "$(dirname "${BASH_SOURCE}")"/..; pwd)
 PATH="${PROJECT_ROOT}/dist:${PATH}"
 GOPATH=$(go env GOPATH)
-GOPATH_PROJECT_ROOT="${GOPATH}/src/github.com/argoproj/argo-cd"
 
 # output tool versions
 go version
@@ -45,7 +41,6 @@ APIMACHINERY_PKGS=(
 
 export GO111MODULE=on
 [ -e ./v2 ] || ln -s . v2
-[ -e "${GOPATH_PROJECT_ROOT}" ] || (mkdir -p "$(dirname "${GOPATH_PROJECT_ROOT}")" && ln -s "${PROJECT_ROOT}" "${GOPATH_PROJECT_ROOT}")
 
 # protoc_include is the include directory containing the .proto files distributed with protoc binary
 if [ -d /dist/protoc-include ]; then
@@ -58,17 +53,10 @@ fi
 
 go-to-protobuf \
     --go-header-file="${PROJECT_ROOT}"/hack/custom-boilerplate.go.txt \
-    --packages="$(
-        IFS=,
-        echo "${PACKAGES[*]}"
-    )" \
-    --apimachinery-packages="$(
-        IFS=,
-        echo "${APIMACHINERY_PKGS[*]}"
-    )" \
-    --proto-import="${PROJECT_ROOT}"/vendor \
-    --proto-import="${protoc_include}" \
-    --output-base="${GOPATH}/src/"
+    --packages="$(IFS=, ; echo "${PACKAGES[*]}")" \
+    --apimachinery-packages="$(IFS=, ; echo "${APIMACHINERY_PKGS[*]}")" \
+    --proto-import=./vendor \
+    --proto-import="${protoc_include}"
 
 # Either protoc-gen-go, protoc-gen-gofast, or protoc-gen-gogofast can be used to build
 # server/*/<service>.pb.go from .proto files. golang/protobuf and gogo/protobuf can be used
@@ -98,11 +86,9 @@ for i in ${PROTO_FILES}; do
         --${GOPROTOBINARY}_out=plugins=grpc:"$GOPATH"/src \
         --grpc-gateway_out=logtostderr=true:"$GOPATH"/src \
         --swagger_out=logtostderr=true:. \
-        "$i"
+        $i
 done
-
-[ -L "${GOPATH_PROJECT_ROOT}" ] && rm -rf "${GOPATH_PROJECT_ROOT}"
-[ -L ./v2 ] && rm -rf v2
+[ -e ./v2 ] && rm -rf v2
 
 # collect_swagger gathers swagger files into a subdirectory
 collect_swagger() {
@@ -111,7 +97,7 @@ collect_swagger() {
     PRIMARY_SWAGGER=$(mktemp)
     COMBINED_SWAGGER=$(mktemp)
 
-    cat <<EOF >"${PRIMARY_SWAGGER}"
+    cat <<EOF > "${PRIMARY_SWAGGER}"
 {
   "swagger": "2.0",
   "info": {
@@ -125,7 +111,7 @@ EOF
 
     rm -f "${SWAGGER_OUT}"
 
-    find "${SWAGGER_ROOT}" -name '*.swagger.json' -exec swagger mixin --ignore-conflicts "${PRIMARY_SWAGGER}" '{}' \+ >"${COMBINED_SWAGGER}"
+    find "${SWAGGER_ROOT}" -name '*.swagger.json' -exec swagger mixin --ignore-conflicts "${PRIMARY_SWAGGER}" '{}' \+ > "${COMBINED_SWAGGER}"
     jq -r 'del(.definitions[].properties[]? | select(."$ref"!=null and .description!=null).description) | del(.definitions[].properties[]? | select(."$ref"!=null and .title!=null).title) |
       # The "array" and "map" fields have custom unmarshaling. Modify the swagger to reflect this.
       .definitions.v1alpha1ApplicationSourcePluginParameter.properties.array = {"description":"Array is the value of an array type parameter.","type":"array","items":{"type":"string"}} |
@@ -134,10 +120,10 @@ EOF
       del(.definitions.v1alpha1OptionalMap) |
       # Output for int64 is incorrect, because it is based on proto definitions, where int64 is a string. In our JSON API, we expect int64 to be an integer. https://github.com/grpc-ecosystem/grpc-gateway/issues/219
       (.definitions[]?.properties[]? | select(.type == "string" and .format == "int64")) |= (.type = "integer")
-    ' "${COMBINED_SWAGGER}" |
-        jq '.definitions.v1Time.type = "string" | .definitions.v1Time.format = "date-time" | del(.definitions.v1Time.properties)' |
-        jq '.definitions.v1alpha1ResourceNode.allOf = [{"$ref": "#/definitions/v1alpha1ResourceRef"}] | del(.definitions.v1alpha1ResourceNode.properties.resourceRef) ' \
-            >"${SWAGGER_OUT}"
+    ' "${COMBINED_SWAGGER}" | \
+    jq '.definitions.v1Time.type = "string" | .definitions.v1Time.format = "date-time" | del(.definitions.v1Time.properties)' | \
+    jq '.definitions.v1alpha1ResourceNode.allOf = [{"$ref": "#/definitions/v1alpha1ResourceRef"}] | del(.definitions.v1alpha1ResourceNode.properties.resourceRef) ' \
+    > "${SWAGGER_OUT}"
 
     /bin/rm "${PRIMARY_SWAGGER}" "${COMBINED_SWAGGER}"
 }
@@ -153,3 +139,4 @@ clean_swagger server
 clean_swagger reposerver
 clean_swagger controller
 clean_swagger cmpserver
+

hack/update-codegen.sh

@@ -19,31 +19,21 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-PROJECT_ROOT=$(
-  cd $(dirname ${BASH_SOURCE})/..
-  pwd
-)
+PROJECT_ROOT=$(cd $(dirname ${BASH_SOURCE})/..; pwd)
 PATH="${PROJECT_ROOT}/dist:${PATH}"
-GOPATH=$(go env GOPATH)
-GOPATH_PROJECT_ROOT="${GOPATH}/src/github.com/argoproj/argo-cd"
 
 TARGET_SCRIPT=/tmp/generate-groups.sh
 
 # codegen utilities are installed outside of generate-groups.sh so remove the `go install` step in the script.
-sed -e '/go install/d' ${PROJECT_ROOT}/vendor/k8s.io/code-generator/generate-groups.sh >${TARGET_SCRIPT}
+sed -e '/go install/d' ${PROJECT_ROOT}/vendor/k8s.io/code-generator/generate-groups.sh > ${TARGET_SCRIPT}
 
 # generate-groups.sh assumes codegen utilities are installed to GOBIN, but we just ensure the CLIs
 # are in the path and invoke them without assumption of their location
 sed -i.bak -e 's#${gobin}/##g' ${TARGET_SCRIPT}
 
 [ -e ./v2 ] || ln -s . v2
-[ -e "${GOPATH_PROJECT_ROOT}" ] || (mkdir -p "$(dirname "${GOPATH_PROJECT_ROOT}")" && ln -s "${PROJECT_ROOT}" "${GOPATH_PROJECT_ROOT}")
-
 bash -x ${TARGET_SCRIPT} "deepcopy,client,informer,lister" \
   github.com/argoproj/argo-cd/v2/pkg/client github.com/argoproj/argo-cd/v2/pkg/apis \
   "application:v1alpha1" \
-  --go-header-file "${PROJECT_ROOT}/hack/custom-boilerplate.go.txt" \
-  --output-base "${GOPATH}/src"
-
-[ -L "${GOPATH_PROJECT_ROOT}" ] && rm -rf "${GOPATH_PROJECT_ROOT}"
-[ -L ./v2 ] && rm -rf v2
+  --go-header-file ${PROJECT_ROOT}/hack/custom-boilerplate.go.txt
+[ -e ./v2 ] && rm -rf v2

hack/update-openapi.sh

@@ -5,30 +5,20 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
-PROJECT_ROOT=$(
-  cd $(dirname "$0")/..
-  pwd
-)
+PROJECT_ROOT=$(cd $(dirname "$0")/.. ; pwd)
 PATH="${PROJECT_ROOT}/dist:${PATH}"
-GOPATH=$(go env GOPATH)
-GOPATH_PROJECT_ROOT="${GOPATH}/src/github.com/argoproj/argo-cd"
-
 VERSION="v1alpha1"
-
+ 
 [ -e ./v2 ] || ln -s . v2
-[ -e "${GOPATH_PROJECT_ROOT}" ] || (mkdir -p "$(dirname "${GOPATH_PROJECT_ROOT}")" && ln -s "${PROJECT_ROOT}" "${GOPATH_PROJECT_ROOT}")
-
 openapi-gen \
   --go-header-file ${PROJECT_ROOT}/hack/custom-boilerplate.go.txt \
   --input-dirs github.com/argoproj/argo-cd/v2/pkg/apis/application/${VERSION} \
   --output-package github.com/argoproj/argo-cd/v2/pkg/apis/application/${VERSION} \
   --report-filename pkg/apis/api-rules/violation_exceptions.list \
-  --output-base "${GOPATH}/src" \
   $@
-
-[ -L "${GOPATH_PROJECT_ROOT}" ] && rm -rf "${GOPATH_PROJECT_ROOT}"
-[ -L ./v2 ] && rm -rf v2
+[ -e ./v2 ] && rm -rf v2
 
 export GO111MODULE=on
-go build -o ./dist/gen-crd-spec "${PROJECT_ROOT}/hack/gen-crd-spec"
+go build -o ./dist/gen-crd-spec ${PROJECT_ROOT}/hack/gen-crd-spec
 ./dist/gen-crd-spec
+

manifests/base/application-controller-deployment/argocd-application-controller-statefulset.yaml

@@ -1,15 +0,0 @@
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: argocd-application-controller
-spec:
-  replicas: 0
-  template:
-    spec:
-      containers:
-      - name: argocd-application-controller
-        args:
-        - /usr/local/bin/argocd-application-controller
-        env:
-        - name: ARGOCD_CONTROLLER_REPLICAS
-          value: "0"

manifests/base/application-controller-deployment/kustomization.yaml

@@ -2,8 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ../application-controller-roles
 - argocd-application-controller-service.yaml
-- argocd-application-controller-statefulset.yaml
 - argocd-application-controller-deployment.yaml
-

manifests/base/application-controller-roles/kustomization.yaml

@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-resources:
-- argocd-application-controller-sa.yaml
-- argocd-application-controller-role.yaml
-- argocd-application-controller-rolebinding.yaml

manifests/base/application-controller/kustomization.yaml

@@ -2,7 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-- ../application-controller-roles
+- argocd-application-controller-sa.yaml
+- argocd-application-controller-role.yaml
+- argocd-application-controller-rolebinding.yaml
 - argocd-application-controller-statefulset.yaml
 - argocd-metrics.yaml
 - argocd-application-controller-network-policy.yaml

manifests/base/dex/argocd-dex-server-deployment.yaml

@@ -37,7 +37,7 @@ spec:
             type: RuntimeDefault
       containers:
       - name: dex
-        image: ghcr.io/dexidp/dex:v2.38.0
+        image: ghcr.io/dexidp/dex:v2.37.0
         imagePullPolicy: Always
         command: [/shared/argocd-dex, rundex]
         env:

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v2.10.0
 resources:
 - ./application-controller
 - ./dex

manifests/core-install.yaml

@@ -1726,19 +1726,6 @@ spec:
                       description: ID is an auto incrementing identifier of the RevisionHistory
                       format: int64
                       type: integer
-                    initiatedBy:
-                      description: InitiatedBy contains information about who initiated
-                        the operations
-                      properties:
-                        automated:
-                          description: Automated is set to true if operation was initiated
-                            automatically by the application controller.
-                          type: boolean
-                        username:
-                          description: Username contains the name of a user who started
-                            operation
-                          type: string
-                      type: object
                     revision:
                       description: Revision holds the revision the sync was performed
                         against
@@ -21039,7 +21026,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.10.0
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -21363,7 +21350,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.10.0
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -21415,7 +21402,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.10.0
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -21676,7 +21663,7 @@ spec:
               key: controller.diff.server.side
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.10.0
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v2.10.0

manifests/crds/application-crd.yaml

@@ -1725,19 +1725,6 @@ spec:
                       description: ID is an auto incrementing identifier of the RevisionHistory
                       format: int64
                       type: integer
-                    initiatedBy:
-                      description: InitiatedBy contains information about who initiated
-                        the operations
-                      properties:
-                        automated:
-                          description: Automated is set to true if operation was initiated
-                            automatically by the application controller.
-                          type: boolean
-                        username:
-                          description: Username contains the name of a user who started
-                            operation
-                          type: string
-                      type: object
                     revision:
                       description: Revision holds the revision the sync was performed
                         against

manifests/ha/base/controller-deployment/kustomization.yaml

@@ -1,17 +1,20 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
+
 patches:
-- path: argocd-application-controller-statefulset.yaml
 - path: argocd-repo-server-deployment.yaml
 - path: argocd-server-deployment.yaml
+- path: argocd-application-controller-statefulset.yaml
 - path: argocd-cmd-params-cm.yaml
 
+
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
   newTag: latest
 resources:
+- ../../../base/application-controller
 - ../../../base/application-controller-deployment
 - ../../../base/applicationset-controller
 - ../../../base/dex