fix test

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

.github/workflows/ci-build.yaml

@@ -429,6 +429,13 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
     steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
+        with:
+          large-packages: false
+          docker-images: false
+          swap-storage: false
+          tool-cache: false
       - name: Checkout code
         uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
       - name: Setup Golang

Makefile

@@ -490,6 +490,7 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE=true \
 	ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS=http://127.0.0.1:8341,http://127.0.0.1:8342,http://127.0.0.1:8343,http://127.0.0.1:8344 \
 	ARGOCD_E2E_TEST=true \
+	ARGOCD_HYDRATOR_ENABLED=true \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 	ls -lrt /tmp/coverage
 

Procfile

@@ -1,5 +1,5 @@
-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'}"
-api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
+controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --commit-server localhost:${ARGOCD_E2E_COMMITSERVER_PORT:-8086} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
+api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
 redis: hack/start-redis-with-password.sh
 repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"

assets/builtin-policy.csv

@@ -10,6 +10,7 @@ p, role:readonly, applications, get, */*, allow
 p, role:readonly, certificates, get, *, allow
 p, role:readonly, clusters, get, *, allow
 p, role:readonly, repositories, get, *, allow
+p, role:readonly, write-repositories, get, *, allow
 p, role:readonly, projects, get, *, allow
 p, role:readonly, accounts, get, *, allow
 p, role:readonly, gpgkeys, get, *, allow
@@ -34,6 +35,9 @@ p, role:admin, clusters, delete, *, allow
 p, role:admin, repositories, create, *, allow
 p, role:admin, repositories, update, *, allow
 p, role:admin, repositories, delete, *, allow
+p, role:admin, write-repositories, create, *, allow
+p, role:admin, write-repositories, update, *, allow
+p, role:admin, write-repositories, delete, *, allow
 p, role:admin, projects, create, *, allow
 p, role:admin, projects, update, *, allow
 p, role:admin, projects, delete, *, allow

assets/swagger.json

@@ -4084,6 +4084,504 @@
         }
       }
     },
+    "/api/v1/write-repocreds": {
+      "get": {
+        "tags": [
+          "RepoCredsService"
+        ],
+        "summary": "ListWriteRepositoryCredentials gets a list of all configured repository credential sets that have write access",
+        "operationId": "RepoCredsService_ListWriteRepositoryCredentials",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo URL for query.",
+            "name": "url",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCredsList"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      },
+      "post": {
+        "tags": [
+          "RepoCredsService"
+        ],
+        "summary": "CreateWriteRepositoryCredentials creates a new repository credential set with write access",
+        "operationId": "RepoCredsService_CreateWriteRepositoryCredentials",
+        "parameters": [
+          {
+            "description": "Repository definition",
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCreds"
+            }
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to create in upsert mode.",
+            "name": "upsert",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCreds"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repocreds/{creds.url}": {
+      "put": {
+        "tags": [
+          "RepoCredsService"
+        ],
+        "summary": "UpdateWriteRepositoryCredentials updates a repository credential set with write access",
+        "operationId": "RepoCredsService_UpdateWriteRepositoryCredentials",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "URL is the URL to which these credentials match",
+            "name": "creds.url",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCreds"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCreds"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repocreds/{url}": {
+      "delete": {
+        "tags": [
+          "RepoCredsService"
+        ],
+        "summary": "DeleteWriteRepositoryCredentials deletes a repository credential set with write access from the configuration",
+        "operationId": "RepoCredsService_DeleteWriteRepositoryCredentials",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "url",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/repocredsRepoCredsResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repositories": {
+      "get": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "ListWriteRepositories gets a list of all configured write repositories",
+        "operationId": "RepositoryService_ListWriteRepositories",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo URL for query.",
+            "name": "repo",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force a cache refresh on repo's connection state.",
+            "name": "forceRefresh",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepositoryList"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      },
+      "post": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "CreateWriteRepository creates a new write repository configuration",
+        "operationId": "RepositoryService_CreateWriteRepository",
+        "parameters": [
+          {
+            "description": "Repository definition",
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to create in upsert mode.",
+            "name": "upsert",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to operate on credential set instead of repository.",
+            "name": "credsOnly",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repositories/{repo.repo}": {
+      "put": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "UpdateWriteRepository updates a write repository configuration",
+        "operationId": "RepositoryService_UpdateWriteRepository",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo contains the URL to the remote repository",
+            "name": "repo.repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repositories/{repo}": {
+      "get": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "GetWrite returns a repository or its write credentials",
+        "operationId": "RepositoryService_GetWrite",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo URL for query",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force a cache refresh on repo's connection state.",
+            "name": "forceRefresh",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      },
+      "delete": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "DeleteWriteRepository deletes a write repository from the configuration",
+        "operationId": "RepositoryService_DeleteWriteRepository",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo URL for query",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force a cache refresh on repo's connection state.",
+            "name": "forceRefresh",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/repositoryRepoResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repositories/{repo}/validate": {
+      "post": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "ValidateWriteAccess validates write access to a repository with given parameters",
+        "operationId": "RepositoryService_ValidateWriteAccess",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "The URL to the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "description": "The URL to the repo",
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "type": "string",
+            "description": "Username for accessing repo.",
+            "name": "username",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Password for accessing repo.",
+            "name": "password",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Private key data for accessing SSH repository.",
+            "name": "sshPrivateKey",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to skip certificate or host key validation.",
+            "name": "insecure",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "TLS client cert data for accessing HTTPS repository.",
+            "name": "tlsClientCertData",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "TLS client cert key for accessing HTTPS repository.",
+            "name": "tlsClientCertKey",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "The type of the repo.",
+            "name": "type",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "The name of the repo.",
+            "name": "name",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether helm-oci support should be enabled for this repo.",
+            "name": "enableOci",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Github App Private Key PEM data.",
+            "name": "githubAppPrivateKey",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "format": "int64",
+            "description": "Github App ID of the app used to access the repo.",
+            "name": "githubAppID",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "format": "int64",
+            "description": "Github App Installation ID of the installed GitHub App.",
+            "name": "githubAppInstallationID",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Github App Enterprise base url if empty will default to https://api.github.com.",
+            "name": "githubAppEnterpriseBaseUrl",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "HTTP/HTTPS proxy to access the repository.",
+            "name": "proxy",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Reference between project and repository that allow you automatically to be added as item inside SourceRepos project entity.",
+            "name": "project",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Google Cloud Platform service account key.",
+            "name": "gcpServiceAccountKey",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force HTTP basic auth.",
+            "name": "forceHttpBasicAuth",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/repositoryRepoResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
     "/api/version": {
       "get": {
         "tags": [
@@ -4725,6 +5223,9 @@
         "help": {
           "$ref": "#/definitions/clusterHelp"
         },
+        "hydratorEnabled": {
+          "type": "boolean"
+        },
         "impersonationEnabled": {
           "type": "boolean"
         },

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -19,6 +19,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	commitclient "github.com/argoproj/argo-cd/v2/commitserver/apiclient"
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/controller"
 	"github.com/argoproj/argo-cd/v2/controller/sharding"
@@ -58,6 +59,7 @@ func NewCommand() *cobra.Command {
 		repoErrorGracePeriod             int64
 		repoServerAddress                string
 		repoServerTimeoutSeconds         int
+		commitServerAddress              string
 		selfHealTimeoutSeconds           int
 		selfHealBackoffTimeoutSeconds    int
 		selfHealBackoffFactor            int
@@ -87,7 +89,8 @@ func NewCommand() *cobra.Command {
 		ignoreNormalizerOpts             normalizers.IgnoreNormalizerOpts
 
 		// argocd k8s event logging flag
-		enableK8sEvent []string
+		enableK8sEvent  []string
+		hydratorEnabled bool
 	)
 	command := cobra.Command{
 		Use:               cliName,
@@ -157,6 +160,8 @@ func NewCommand() *cobra.Command {
 
 			repoClientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds, tlsConfig)
 
+			commitClientset := commitclient.NewCommitServerClientset(commitServerAddress)
+
 			cache, err := cacheSource()
 			errors.CheckError(err)
 			cache.Cache.SetClient(cacheutil.NewTwoLevelClient(cache.Cache.GetClient(), 10*time.Minute))
@@ -183,6 +188,7 @@ func NewCommand() *cobra.Command {
 				kubeClient,
 				appClient,
 				repoClientset,
+				commitClientset,
 				cache,
 				kubectl,
 				resyncDuration,
@@ -205,6 +211,7 @@ func NewCommand() *cobra.Command {
 				enableDynamicClusterDistribution,
 				ignoreNormalizerOpts,
 				enableK8sEvent,
+				hydratorEnabled,
 			)
 			errors.CheckError(err)
 			cacheutil.CollectMetrics(redisClient, appController.GetMetricsServer(), nil)
@@ -247,6 +254,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().Int64Var(&repoErrorGracePeriod, "repo-error-grace-period-seconds", int64(env.ParseDurationFromEnv("ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS", defaultAppResyncPeriod*time.Second, 0, math.MaxInt64).Seconds()), "Grace period in seconds for ignoring consecutive errors while communicating with repo server.")
 	command.Flags().StringVar(&repoServerAddress, "repo-server", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER", common.DefaultRepoServerAddr), "Repo server address.")
 	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")
+	command.Flags().StringVar(&commitServerAddress, "commit-server", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_COMMIT_SERVER", common.DefaultCommitServerAddr), "Commit server address.")
 	command.Flags().IntVar(&statusProcessors, "status-processors", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS", 20, 0, math.MaxInt32), "Number of application status processors")
 	command.Flags().IntVar(&operationProcessors, "operation-processors", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS", 10, 0, math.MaxInt32), "Number of application operation processors")
 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
@@ -285,7 +293,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().DurationVar(&ignoreNormalizerOpts.JQExecutionTimeout, "ignore-normalizer-jq-execution-timeout-seconds", env.ParseDurationFromEnv("ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT", 0*time.Second, 0, math.MaxInt64), "Set ignore normalizer JQ execution timeout")
 	// argocd k8s event logging flag
 	command.Flags().StringSliceVar(&enableK8sEvent, "enable-k8s-event", env.StringsFromEnv("ARGOCD_ENABLE_K8S_EVENT", argo.DefaultEnableEventList(), ","), "Enable ArgoCD to use k8s event. For disabling all events, set the value as `none`. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated)")
-
+	command.Flags().BoolVar(&hydratorEnabled, "hydrator-enabled", env.ParseBoolFromEnv("ARGOCD_HYDRATOR_ENABLED", false), "Feature flag to enable Hydrator. Default (\"false\")")
 	cacheSource = appstatecache.AddCacheFlagsToCmd(&command, cacheutil.Options{
 		OnClientCreated: func(client *redis.Client) {
 			redisClient = client

cmd/argocd-server/commands/argocd_server.go

@@ -87,6 +87,7 @@ func NewCommand() *cobra.Command {
 		applicationNamespaces    []string
 		enableProxyExtension     bool
 		webhookParallelism       int
+		hydratorEnabled          bool
 
 		// ApplicationSet
 		enableNewGitFileGlobbing bool
@@ -243,6 +244,7 @@ func NewCommand() *cobra.Command {
 				EnableProxyExtension:    enableProxyExtension,
 				WebhookParallelism:      webhookParallelism,
 				EnableK8sEvent:          enableK8sEvent,
+				HydratorEnabled:         hydratorEnabled,
 			}
 
 			appsetOpts := server.ApplicationSetOpts{
@@ -321,6 +323,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&enableProxyExtension, "enable-proxy-extension", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_PROXY_EXTENSION", false), "Enable Proxy Extension feature")
 	command.Flags().IntVar(&webhookParallelism, "webhook-parallelism-limit", env.ParseNumFromEnv("ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT", 50, 1, 1000), "Number of webhook requests processed concurrently")
 	command.Flags().StringSliceVar(&enableK8sEvent, "enable-k8s-event", env.StringsFromEnv("ARGOCD_ENABLE_K8S_EVENT", argo.DefaultEnableEventList(), ","), "Enable ArgoCD to use k8s event. For disabling all events, set the value as `none`. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated)")
+	command.Flags().BoolVar(&hydratorEnabled, "hydrator-enabled", env.ParseBoolFromEnv("ARGOCD_HYDRATOR_ENABLED", false), "Feature flag to enable Hydrator. Default (\"false\")")
 
 	// Flags related to the applicationSet component.
 	command.Flags().StringVar(&scmRootCAPath, "appset-scm-root-ca-path", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH", ""), "Provide Root CA Path for self-signed TLS Certificates")

cmd/argocd/commands/app.go

@@ -112,6 +112,7 @@ type watchOpts struct {
 	suspended bool
 	degraded  bool
 	delete    bool
+	hydrated  bool
 }
 
 // NewApplicationCreateCommand returns a new instance of an `argocd app create` command
@@ -1883,6 +1884,7 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&watch.suspended, "suspended", false, "Wait for suspended")
 	command.Flags().BoolVar(&watch.degraded, "degraded", false, "Wait for degraded")
 	command.Flags().BoolVar(&watch.delete, "delete", false, "Wait for delete")
+	command.Flags().BoolVar(&watch.hydrated, "hydrated", false, "Wait for hydration operations")
 	command.Flags().StringVarP(&selector, "selector", "l", "", "Wait for apps by label. Supports '=', '==', '!=', in, notin, exists & not exists. Matching apps must satisfy all of the specified label constraints.")
 	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%[1]sKIND%[1]sNAME or %[2]sGROUP%[1]sKIND%[1]sNAME. Fields may be blank and '*' can be used. This option may be specified repeatedly", resourceFieldDelimiter, resourceExcludeIndicator))
 	command.Flags().BoolVar(&watch.operation, "operation", false, "Wait for pending operations")
@@ -2450,7 +2452,7 @@ func groupResourceStates(app *argoappv1.Application, selectedResources []*argoap
 }
 
 // check if resource health, sync and operation statuses matches watch options
-func checkResourceStatus(watch watchOpts, healthStatus string, syncStatus string, operationStatus *argoappv1.Operation) bool {
+func checkResourceStatus(watch watchOpts, healthStatus string, syncStatus string, operationStatus *argoappv1.Operation, hydrationFinished bool) bool {
 	if watch.delete {
 		return false
 	}
@@ -2480,7 +2482,8 @@ func checkResourceStatus(watch watchOpts, healthStatus string, syncStatus string
 
 	synced := !watch.sync || syncStatus == string(argoappv1.SyncStatusCodeSynced)
 	operational := !watch.operation || operationStatus == nil
-	return synced && healthCheckPassed && operational
+	hydrated := !watch.hydrated || hydrationFinished
+	return synced && healthCheckPassed && operational && hydrated
 }
 
 // resourceParentChild gets the latest state of the app and the latest state of the app's resource tree and then
@@ -2644,13 +2647,15 @@ func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client,
 			}
 		}
 
+		hydrationFinished := app.Status.SourceHydrator.CurrentOperation != nil && app.Status.SourceHydrator.CurrentOperation.Phase == argoappv1.HydrateOperationPhaseHydrated && app.Status.SourceHydrator.CurrentOperation.SourceHydrator.DeepEquals(app.Status.SourceHydrator.LastSuccessfulOperation.SourceHydrator) && app.Status.SourceHydrator.CurrentOperation.DrySHA == app.Status.SourceHydrator.LastSuccessfulOperation.DrySHA
+
 		var selectedResourcesAreReady bool
 
 		// If selected resources are included, wait only on those resources, otherwise wait on the application as a whole.
 		if len(selectedResources) > 0 {
 			selectedResourcesAreReady = true
 			for _, state := range getResourceStates(app, selectedResources) {
-				resourceIsReady := checkResourceStatus(watch, state.Health, state.Status, appEvent.Application.Operation)
+				resourceIsReady := checkResourceStatus(watch, state.Health, state.Status, appEvent.Application.Operation, hydrationFinished)
 				if !resourceIsReady {
 					selectedResourcesAreReady = false
 					break
@@ -2658,7 +2663,7 @@ func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client,
 			}
 		} else {
 			// Wait on the application as a whole
-			selectedResourcesAreReady = checkResourceStatus(watch, string(app.Status.Health.Status), string(app.Status.Sync.Status), appEvent.Application.Operation)
+			selectedResourcesAreReady = checkResourceStatus(watch, string(app.Status.Health.Status), string(app.Status.Sync.Status), appEvent.Application.Operation, hydrationFinished)
 		}
 
 		if selectedResourcesAreReady && (!operationInProgress || !watch.operation) {

cmd/argocd/commands/app_test.go

@@ -1705,7 +1705,7 @@ func TestCheckResourceStatus(t *testing.T) {
 			suspended: true,
 			health:    true,
 			degraded:  true,
-		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Degraded, Suspended and health status failed", func(t *testing.T) {
@@ -1713,57 +1713,57 @@ func TestCheckResourceStatus(t *testing.T) {
 			suspended: true,
 			health:    true,
 			degraded:  true,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 	t.Run("Suspended and health status passed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: true,
 			health:    true,
-		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Suspended and health status failed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: true,
 			health:    true,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 	t.Run("Suspended passed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: true,
 			health:    false,
-		}, string(health.HealthStatusSuspended), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusSuspended), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Suspended failed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: true,
 			health:    false,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 	t.Run("Health passed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: false,
 			health:    true,
-		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Health failed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: false,
 			health:    true,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 	t.Run("Synced passed", func(t *testing.T) {
-		res := checkResourceStatus(watchOpts{}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		res := checkResourceStatus(watchOpts{}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Synced failed", func(t *testing.T) {
-		res := checkResourceStatus(watchOpts{}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeOutOfSync), &v1alpha1.Operation{})
+		res := checkResourceStatus(watchOpts{}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeOutOfSync), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Degraded passed", func(t *testing.T) {
@@ -1771,7 +1771,7 @@ func TestCheckResourceStatus(t *testing.T) {
 			suspended: false,
 			health:    false,
 			degraded:  true,
-		}, string(health.HealthStatusDegraded), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusDegraded), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Degraded failed", func(t *testing.T) {
@@ -1779,7 +1779,7 @@ func TestCheckResourceStatus(t *testing.T) {
 			suspended: false,
 			health:    false,
 			degraded:  true,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 }

cmd/util/app.go

@@ -91,6 +91,12 @@ type AppOptions struct {
 	retryBackoffFactor              int64
 	ref                             string
 	SourceName                      string
+	drySourceRepo                   string
+	drySourceRevision               string
+	drySourcePath                   string
+	syncSourceBranch                string
+	syncSourcePath                  string
+	hydrateToBranch                 string
 }
 
 // SetAutoMaxProcs sets the GOMAXPROCS value based on the binary name.
@@ -112,6 +118,12 @@ func AddAppFlags(command *cobra.Command, opts *AppOptions) {
 	command.Flags().StringVar(&opts.chart, "helm-chart", "", "Helm Chart name")
 	command.Flags().StringVar(&opts.env, "env", "", "Application environment to monitor")
 	command.Flags().StringVar(&opts.revision, "revision", "", "The tracking source branch, tag, commit or Helm chart version the application will sync to")
+	command.Flags().StringVar(&opts.drySourceRepo, "dry-source-repo", "", "Repository URL of the app dry source")
+	command.Flags().StringVar(&opts.drySourceRevision, "dry-source-revision", "", "Revision of the app dry source")
+	command.Flags().StringVar(&opts.drySourcePath, "dry-source-path", "", "Path in repository to the app directory for the dry source")
+	command.Flags().StringVar(&opts.syncSourceBranch, "sync-source-branch", "", "The branch from which the app will sync")
+	command.Flags().StringVar(&opts.syncSourcePath, "sync-source-path", "", "The path in the repository from which the app will sync")
+	command.Flags().StringVar(&opts.hydrateToBranch, "hydrate-to-branch", "", "The branch to hydrate the app to")
 	command.Flags().IntVar(&opts.revisionHistoryLimit, "revision-history-limit", argoappv1.RevisionHistoryLimit, "How many items to keep in revision history")
 	command.Flags().StringVar(&opts.destServer, "dest-server", "", "K8s cluster URL (e.g. https://kubernetes.default.svc)")
 	command.Flags().StringVar(&opts.destName, "dest-name", "", "K8s cluster Name (e.g. minikube)")
@@ -175,21 +187,27 @@ func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, ap
 	if flags == nil {
 		return visited
 	}
-	source := spec.GetSourcePtrByPosition(sourcePosition)
-	if source == nil {
-		source = &argoappv1.ApplicationSource{}
-	}
-	source, visited = ConstructSource(source, *appOpts, flags)
-	if spec.HasMultipleSources() {
-		if sourcePosition == 0 {
-			spec.Sources[sourcePosition] = *source
-		} else if sourcePosition > 0 {
-			spec.Sources[sourcePosition-1] = *source
-		} else {
-			spec.Sources = append(spec.Sources, *source)
-		}
+	var h *argoappv1.SourceHydrator
+	h, hasHydratorFlag := constructSourceHydrator(spec.SourceHydrator, *appOpts, flags)
+	if hasHydratorFlag {
+		spec.SourceHydrator = h
 	} else {
-		spec.Source = source
+		source := spec.GetSourcePtrByPosition(sourcePosition)
+		if source == nil {
+			source = &argoappv1.ApplicationSource{}
+		}
+		source, visited = ConstructSource(source, *appOpts, flags)
+		if spec.HasMultipleSources() {
+			if sourcePosition == 0 {
+				spec.Sources[sourcePosition] = *source
+			} else if sourcePosition > 0 {
+				spec.Sources[sourcePosition-1] = *source
+			} else {
+				spec.Sources = append(spec.Sources, *source)
+			}
+		} else {
+			spec.Source = source
+		}
 	}
 	flags.Visit(func(f *pflag.Flag) {
 		visited++
@@ -592,9 +610,7 @@ func constructAppsBaseOnName(appName string, labels, annotations, args []string,
 			Name:      appName,
 			Namespace: appNs,
 		},
-		Spec: argoappv1.ApplicationSpec{
-			Source: &argoappv1.ApplicationSource{},
-		},
+		Spec: argoappv1.ApplicationSpec{},
 	}
 	SetAppSpecOptions(flags, &app.Spec, &appOpts, 0)
 	SetParameterOverrides(app, appOpts.Parameters, 0)
@@ -768,6 +784,47 @@ func ConstructSource(source *argoappv1.ApplicationSource, appOpts AppOptions, fl
 	return source, visited
 }
 
+// constructSourceHydrator constructs a source hydrator from the command line flags. It returns the modified source
+// hydrator and a boolean indicating if any hydrator flags were set. We return instead of just modifying the source
+// hydrator in place because the given hydrator `h` might be nil. In that case, we need to create a new source hydrator
+// and return it.
+func constructSourceHydrator(h *argoappv1.SourceHydrator, appOpts AppOptions, flags *pflag.FlagSet) (*argoappv1.SourceHydrator, bool) {
+	hasHydratorFlag := false
+	ensureNotNil := func(notEmpty bool) {
+		hasHydratorFlag = true
+		if notEmpty && h == nil {
+			h = &argoappv1.SourceHydrator{}
+		}
+	}
+	flags.Visit(func(f *pflag.Flag) {
+		switch f.Name {
+		case "dry-source-repo":
+			ensureNotNil(appOpts.drySourceRepo != "")
+			h.DrySource.RepoURL = appOpts.drySourceRepo
+		case "dry-source-path":
+			ensureNotNil(appOpts.drySourcePath != "")
+			h.DrySource.Path = appOpts.drySourcePath
+		case "dry-source-revision":
+			ensureNotNil(appOpts.drySourceRevision != "")
+			h.DrySource.TargetRevision = appOpts.drySourceRevision
+		case "sync-source-branch":
+			ensureNotNil(appOpts.syncSourceBranch != "")
+			h.SyncSource.TargetBranch = appOpts.syncSourceBranch
+		case "sync-source-path":
+			ensureNotNil(appOpts.syncSourcePath != "")
+			h.SyncSource.Path = appOpts.syncSourcePath
+		case "hydrate-to-branch":
+			ensureNotNil(appOpts.hydrateToBranch != "")
+			if appOpts.hydrateToBranch == "" {
+				h.HydrateTo = nil
+			} else {
+				h.HydrateTo = &argoappv1.HydrateTo{TargetBranch: appOpts.hydrateToBranch}
+			}
+		}
+	})
+	return h, hasHydratorFlag
+}
+
 func mergeLabels(app *argoappv1.Application, labels []string) {
 	mapLabels, err := label.Parse(labels)
 	errors.CheckError(err)

cmd/util/app_test.go

@@ -295,6 +295,28 @@ func Test_setAppSpecOptions(t *testing.T) {
 		require.NoError(t, f.SetFlag("helm-api-versions", "v2"))
 		assert.Equal(t, []string{"v1", "v2"}, f.spec.Source.Helm.APIVersions)
 	})
+	t.Run("source hydrator", func(t *testing.T) {
+		require.NoError(t, f.SetFlag("dry-source-repo", "https://github.com/argoproj/argocd-example-apps"))
+		assert.Equal(t, "https://github.com/argoproj/argocd-example-apps", f.spec.SourceHydrator.DrySource.RepoURL)
+
+		require.NoError(t, f.SetFlag("dry-source-path", "apps"))
+		assert.Equal(t, "apps", f.spec.SourceHydrator.DrySource.Path)
+
+		require.NoError(t, f.SetFlag("dry-source-revision", "HEAD"))
+		assert.Equal(t, "HEAD", f.spec.SourceHydrator.DrySource.TargetRevision)
+
+		require.NoError(t, f.SetFlag("sync-source-branch", "env/test"))
+		assert.Equal(t, "env/test", f.spec.SourceHydrator.SyncSource.TargetBranch)
+
+		require.NoError(t, f.SetFlag("sync-source-path", "apps"))
+		assert.Equal(t, "apps", f.spec.SourceHydrator.SyncSource.Path)
+
+		require.NoError(t, f.SetFlag("hydrate-to-branch", "env/test-next"))
+		assert.Equal(t, "env/test-next", f.spec.SourceHydrator.HydrateTo.TargetBranch)
+
+		require.NoError(t, f.SetFlag("hydrate-to-branch", ""))
+		assert.Nil(t, f.spec.SourceHydrator.HydrateTo)
+	})
 }
 
 func newMultiSourceAppOptionsFixture() *appOptionsFixture {

common/common.go

@@ -26,6 +26,8 @@ const (
 const (
 	// DefaultRepoServerAddr is the gRPC address of the Argo CD repo server
 	DefaultRepoServerAddr = "argocd-repo-server:8081"
+	// DefaultCommitServerAddr is the gRPC address of the Argo CD commit server
+	DefaultCommitServerAddr = "argocd-commit-server:8086"
 	// DefaultDexServerAddr is the HTTP address of the Dex OIDC server, which we run a reverse proxy against
 	DefaultDexServerAddr = "argocd-dex-server:5556"
 	// DefaultRedisAddr is the default redis address
@@ -179,6 +181,8 @@ const (
 	LabelValueSecretTypeRepository = "repository"
 	// LabelValueSecretTypeRepoCreds indicates a secret type of repository credentials
 	LabelValueSecretTypeRepoCreds = "repo-creds"
+	// LabelValueSecretTypeRepositoryWrite indicates a secret type of repository credentials for writing
+	LabelValueSecretTypeRepositoryWrite = "repository-write"
 	// LabelValueSecretTypeSCMCreds indicates a secret type of SCM credentials
 	LabelValueSecretTypeSCMCreds = "scm-creds"
 

controller/appcontroller.go

@@ -42,8 +42,10 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 
+	commitclient "github.com/argoproj/argo-cd/v2/commitserver/apiclient"
 	"github.com/argoproj/argo-cd/v2/common"
 	statecache "github.com/argoproj/argo-cd/v2/controller/cache"
+	"github.com/argoproj/argo-cd/v2/controller/hydrator"
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
 	"github.com/argoproj/argo-cd/v2/controller/sharding"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
@@ -121,6 +123,8 @@ type ApplicationController struct {
 	appComparisonTypeRefreshQueue workqueue.TypedRateLimitingInterface[string]
 	appOperationQueue             workqueue.TypedRateLimitingInterface[string]
 	projectRefreshQueue           workqueue.TypedRateLimitingInterface[string]
+	appHydrateQueue               workqueue.TypedRateLimitingInterface[string]
+	hydrationQueue                workqueue.TypedRateLimitingInterface[hydrator.HydrationQueueKey]
 	appInformer                   cache.SharedIndexInformer
 	appLister                     applisters.ApplicationLister
 	projInformer                  cache.SharedIndexInformer
@@ -146,6 +150,8 @@ type ApplicationController struct {
 	// dynamicClusterDistributionEnabled if disabled deploymentInformer is never initialized
 	dynamicClusterDistributionEnabled bool
 	deploymentInformer                informerv1.DeploymentInformer
+
+	hydrator *hydrator.Hydrator
 }
 
 // NewApplicationController creates new instance of ApplicationController.
@@ -155,6 +161,7 @@ func NewApplicationController(
 	kubeClientset kubernetes.Interface,
 	applicationClientset appclientset.Interface,
 	repoClientset apiclient.Clientset,
+	commitClientset commitclient.Clientset,
 	argoCache *appstatecache.Cache,
 	kubectl kube.Kubectl,
 	appResyncPeriod time.Duration,
@@ -177,6 +184,7 @@ func NewApplicationController(
 	dynamicClusterDistributionEnabled bool,
 	ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts,
 	enableK8sEvent []string,
+	hydratorEnabled bool,
 ) (*ApplicationController, error) {
 	log.Infof("appResyncPeriod=%v, appHardResyncPeriod=%v, appResyncJitter=%v", appResyncPeriod, appHardResyncPeriod, appResyncJitter)
 	db := db.NewDB(namespace, settingsMgr, kubeClientset)
@@ -190,10 +198,12 @@ func NewApplicationController(
 		kubeClientset:                     kubeClientset,
 		kubectl:                           kubectl,
 		applicationClientset:              applicationClientset,
-		appRefreshQueue:                   workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_reconciliation_queue"}),
-		appOperationQueue:                 workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_operation_processing_queue"}),
-		projectRefreshQueue:               workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "project_reconciliation_queue"}),
-		appComparisonTypeRefreshQueue:     workqueue.NewTypedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig)),
+		appRefreshQueue:                   workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_reconciliation_queue"}),
+		appOperationQueue:                 workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_operation_processing_queue"}),
+		projectRefreshQueue:               workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "project_reconciliation_queue"}),
+		appComparisonTypeRefreshQueue:     workqueue.NewTypedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig)),
+		appHydrateQueue:                   workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_hydration_queue"}),
+		hydrationQueue:                    workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[hydrator.HydrationQueueKey](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[hydrator.HydrationQueueKey]{Name: "manifest_hydration_queue"}),
 		db:                                db,
 		statusRefreshTimeout:              appResyncPeriod,
 		statusHardRefreshTimeout:          appHardResyncPeriod,
@@ -211,6 +221,9 @@ func NewApplicationController(
 		dynamicClusterDistributionEnabled: dynamicClusterDistributionEnabled,
 		ignoreNormalizerOpts:              ignoreNormalizerOpts,
 	}
+	if hydratorEnabled {
+		ctrl.hydrator = hydrator.NewHydrator(&ctrl, appResyncPeriod, commitClientset)
+	}
 	if kubectlParallelismLimit > 0 {
 		ctrl.kubectlSemaphore = semaphore.NewWeighted(kubectlParallelismLimit)
 	}
@@ -845,6 +858,8 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int
 	defer ctrl.appComparisonTypeRefreshQueue.ShutDown()
 	defer ctrl.appOperationQueue.ShutDown()
 	defer ctrl.projectRefreshQueue.ShutDown()
+	defer ctrl.appHydrateQueue.ShutDown()
+	defer ctrl.hydrationQueue.ShutDown()
 
 	ctrl.metricsServer.RegisterClustersInfoSource(ctx, ctrl.stateCache)
 	ctrl.RegisterClusterSecretUpdater(ctx)
@@ -903,6 +918,19 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int
 		for ctrl.processProjectQueueItem() {
 		}
 	}, time.Second, ctx.Done())
+
+	if ctrl.hydrator != nil {
+		go wait.Until(func() {
+			for ctrl.processAppHydrateQueueItem() {
+			}
+		}, time.Second, ctx.Done())
+
+		go wait.Until(func() {
+			for ctrl.processHydrationQueueItem() {
+			}
+		}, time.Second, ctx.Done())
+	}
+
 	<-ctx.Done()
 }
 
@@ -1774,6 +1802,68 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	return
 }
 
+func (ctrl *ApplicationController) processAppHydrateQueueItem() (processNext bool) {
+	appKey, shutdown := ctrl.appHydrateQueue.Get()
+	if shutdown {
+		processNext = false
+		return
+	}
+	processNext = true
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+		}
+		ctrl.appHydrateQueue.Done(appKey)
+	}()
+	obj, exists, err := ctrl.appInformer.GetIndexer().GetByKey(appKey)
+	if err != nil {
+		log.Errorf("Failed to get application '%s' from informer index: %+v", appKey, err)
+		return
+	}
+	if !exists {
+		// This happens after app was deleted, but the work queue still had an entry for it.
+		return
+	}
+	origApp, ok := obj.(*appv1.Application)
+	if !ok {
+		log.Warnf("Key '%s' in index is not an application", appKey)
+		return
+	}
+
+	ctrl.hydrator.ProcessAppHydrateQueueItem(origApp)
+
+	getAppLog(origApp).Debug("Successfully processed app hydrate queue item")
+	return
+}
+
+func (ctrl *ApplicationController) processHydrationQueueItem() (processNext bool) {
+	hydrationKey, shutdown := ctrl.hydrationQueue.Get()
+	if shutdown {
+		processNext = false
+		return
+	}
+	processNext = true
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+		}
+		ctrl.hydrationQueue.Done(hydrationKey)
+	}()
+
+	logCtx := log.WithFields(log.Fields{
+		"sourceRepoURL":        hydrationKey.SourceRepoURL,
+		"sourceTargetRevision": hydrationKey.SourceTargetRevision,
+		"destinationBranch":    hydrationKey.DestinationBranch,
+	})
+
+	logCtx.Debug("Processing hydration queue item")
+
+	ctrl.hydrator.ProcessHydrationQueueItem(hydrationKey)
+
+	logCtx.Debug("Successfully processed hydration queue item")
+	return
+}
+
 func resourceStatusKey(res appv1.ResourceStatus) string {
 	return strings.Join([]string{res.Group, res.Kind, res.Namespace, res.Name}, "/")
 }
@@ -1782,7 +1872,8 @@ func currentSourceEqualsSyncedSource(app *appv1.Application) bool {
 	if app.Spec.HasMultipleSources() {
 		return app.Spec.Sources.Equals(app.Status.Sync.ComparedTo.Sources)
 	}
-	return app.Spec.Source.Equals(&app.Status.Sync.ComparedTo.Source)
+	source := app.Spec.GetSource()
+	return source.Equals(&app.Status.Sync.ComparedTo.Source)
 }
 
 // needRefreshAppStatus answers if application status needs to be refreshed.
@@ -1918,6 +2009,7 @@ func (ctrl *ApplicationController) persistAppStatus(orig *appv1.Application, new
 			newAnnotations[k] = v
 		}
 		delete(newAnnotations, appv1.AnnotationKeyRefresh)
+		delete(newAnnotations, appv1.AnnotationKeyHydrate)
 	}
 	patch, modified, err := createMergePatch(
 		&appv1.Application{ObjectMeta: metav1.ObjectMeta{Annotations: orig.GetAnnotations()}, Status: orig.Status},
@@ -2325,6 +2417,9 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 				if !newOK || (delay != nil && *delay != time.Duration(0)) {
 					ctrl.appOperationQueue.AddRateLimited(key)
 				}
+				if ctrl.hydrator != nil {
+					ctrl.appHydrateQueue.AddRateLimited(newApp.QualifiedName())
+				}
 				ctrl.clusterSharding.UpdateApp(newApp)
 			},
 			DeleteFunc: func(obj interface{}) {

controller/appcontroller_test.go

@@ -42,6 +42,7 @@ import (
 
 	dbmocks "github.com/argoproj/argo-cd/v2/util/db/mocks"
 
+	mockcommitclient "github.com/argoproj/argo-cd/v2/commitserver/apiclient/mocks"
 	mockstatecache "github.com/argoproj/argo-cd/v2/controller/cache/mocks"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/fake"
@@ -126,6 +127,8 @@ func newFakeControllerWithResync(data *fakeData, appResyncPeriod time.Duration,
 
 	mockRepoClientset := mockrepoclient.Clientset{RepoServerServiceClient: &mockRepoClient}
 
+	mockCommitClientset := mockcommitclient.Clientset{}
+
 	secret := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "argocd-secret",
@@ -157,6 +160,7 @@ func newFakeControllerWithResync(data *fakeData, appResyncPeriod time.Duration,
 		kubeClient,
 		appclientset.NewSimpleClientset(data.apps...),
 		&mockRepoClientset,
+		&mockCommitClientset,
 		appstatecache.NewCache(
 			cacheutil.NewCache(cacheutil.NewInMemoryCache(1*time.Minute)),
 			1*time.Minute,
@@ -182,6 +186,7 @@ func newFakeControllerWithResync(data *fakeData, appResyncPeriod time.Duration,
 		false,
 		normalizers.IgnoreNormalizerOpts{},
 		testEnableEventList,
+		false,
 	)
 	db := &dbmocks.ArgoDB{}
 	db.On("GetApplicationControllerReplicas").Return(1)

controller/hook.go

@@ -51,7 +51,7 @@ func (ctrl *ApplicationController) executePostDeleteHooks(app *v1alpha1.Applicat
 		revisions = append(revisions, src.TargetRevision)
 	}
 
-	targets, _, _, err := ctrl.appStateManager.GetRepoObjs(app, app.Spec.GetSources(), appLabelKey, revisions, false, false, false, proj, false)
+	targets, _, _, err := ctrl.appStateManager.GetRepoObjs(app, app.Spec.GetSources(), appLabelKey, revisions, false, false, false, proj, false, true)
 	if err != nil {
 		return false, err
 	}

controller/hydrator/hydrator.go

@@ -0,0 +1,347 @@
+package hydrator
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	commitclient "github.com/argoproj/argo-cd/v2/commitserver/apiclient"
+	"github.com/argoproj/argo-cd/v2/controller/utils"
+	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	argoio "github.com/argoproj/argo-cd/v2/util/io"
+)
+
+// Dependencies is the interface for the dependencies of the Hydrator. It serves two purposes: 1) it prevents the
+// hydrator from having direct access to the app controller, and 2) it allows for easy mocking of dependencies in tests.
+// If you add something here, be sure that it is something the app controller needs to provide to the hydrator.
+type Dependencies interface {
+	// TODO: determine if we actually need to get the app, or if all the stuff we need the app for is done already on
+	//       the app controller side.
+	GetProcessableAppProj(app *appv1.Application) (*appv1.AppProject, error)
+	GetProcessableApps() (*appv1.ApplicationList, error)
+	GetRepoObjs(app *appv1.Application, source appv1.ApplicationSource, revision string, project *appv1.AppProject) ([]*unstructured.Unstructured, *apiclient.ManifestResponse, error)
+	GetWriteCredentials(ctx context.Context, repoURL string, project string) (*appv1.Repository, error)
+	RequestAppRefresh(appName string)
+	// TODO: only allow access to the hydrator status
+	PersistAppHydratorStatus(orig *appv1.Application, newStatus *appv1.SourceHydratorStatus)
+	AddHydrationQueueItem(key HydrationQueueKey)
+}
+
+type Hydrator struct {
+	dependencies         Dependencies
+	statusRefreshTimeout time.Duration
+	commitClientset      commitclient.Clientset
+}
+
+func NewHydrator(dependencies Dependencies, statusRefreshTimeout time.Duration, commitClientset commitclient.Clientset) *Hydrator {
+	return &Hydrator{
+		dependencies:         dependencies,
+		statusRefreshTimeout: statusRefreshTimeout,
+		commitClientset:      commitClientset,
+	}
+}
+
+func (h *Hydrator) ProcessAppHydrateQueueItem(origApp *appv1.Application) {
+	origApp = origApp.DeepCopy()
+	app := origApp.DeepCopy()
+
+	if app.Spec.SourceHydrator == nil {
+		return
+	}
+
+	logCtx := utils.GetAppLog(app)
+
+	logCtx.Debug("Processing app hydrate queue item")
+
+	// TODO: don't reuse statusRefreshTimeout. Create a new timeout for hydration.
+	needsHydration, reason := appNeedsHydration(origApp, h.statusRefreshTimeout)
+	if !needsHydration {
+		return
+	}
+
+	logCtx.WithField("reason", reason).Info("Hydrating app")
+
+	app.Status.SourceHydrator.CurrentOperation = &appv1.HydrateOperation{
+		StartedAt:      metav1.Now(),
+		FinishedAt:     nil,
+		Phase:          appv1.HydrateOperationPhaseHydrating,
+		SourceHydrator: *app.Spec.SourceHydrator,
+	}
+	h.dependencies.PersistAppHydratorStatus(origApp, &app.Status.SourceHydrator)
+	origApp.Status.SourceHydrator = app.Status.SourceHydrator
+	h.dependencies.AddHydrationQueueItem(getHydrationQueueKey(app))
+
+	logCtx.Debug("Successfully processed app hydrate queue item")
+}
+
+func getHydrationQueueKey(app *appv1.Application) HydrationQueueKey {
+	destinationBranch := app.Spec.SourceHydrator.SyncSource.TargetBranch
+	if app.Spec.SourceHydrator.HydrateTo != nil {
+		destinationBranch = app.Spec.SourceHydrator.HydrateTo.TargetBranch
+	}
+	key := HydrationQueueKey{
+		SourceRepoURL:        app.Spec.SourceHydrator.DrySource.RepoURL,
+		SourceTargetRevision: app.Spec.SourceHydrator.DrySource.TargetRevision,
+		DestinationBranch:    destinationBranch,
+	}
+	return key
+}
+
+type HydrationQueueKey struct {
+	SourceRepoURL        string
+	SourceTargetRevision string
+	DestinationBranch    string
+}
+
+// uniqueHydrationDestination is used to detect duplicate hydrate destinations.
+type uniqueHydrationDestination struct {
+	sourceRepoURL        string
+	sourceTargetRevision string
+	destinationBranch    string
+	destinationPath      string
+}
+
+func (h *Hydrator) ProcessHydrationQueueItem(hydrationKey HydrationQueueKey) (processNext bool) {
+	logCtx := log.WithFields(log.Fields{
+		"sourceRepoURL":        hydrationKey.SourceRepoURL,
+		"sourceTargetRevision": hydrationKey.SourceTargetRevision,
+		"destinationBranch":    hydrationKey.DestinationBranch,
+	})
+
+	relevantApps, drySHA, hydratedSHA, err := h.hydrateAppsLatestCommit(logCtx, hydrationKey)
+	if drySHA != "" {
+		logCtx = logCtx.WithField("drySHA", drySHA)
+	}
+	if err != nil {
+		logCtx.WithField("appCount", len(relevantApps)).WithError(err).Error("Failed to hydrate apps")
+		for _, app := range relevantApps {
+			origApp := app.DeepCopy()
+			app.Status.SourceHydrator.CurrentOperation.Phase = appv1.HydrateOperationPhaseFailed
+			failedAt := metav1.Now()
+			app.Status.SourceHydrator.CurrentOperation.FinishedAt = &failedAt
+			app.Status.SourceHydrator.CurrentOperation.Message = fmt.Sprintf("Failed to hydrated revision %s: %v", drySHA, err.Error())
+			h.dependencies.PersistAppHydratorStatus(origApp, &app.Status.SourceHydrator)
+			logCtx = logCtx.WithField("app", app.QualifiedName())
+			logCtx.Errorf("Failed to hydrate app: %v", err)
+		}
+		return
+	}
+	logCtx.WithField("appCount", len(relevantApps)).Debug("Successfully hydrated apps")
+	finishedAt := metav1.Now()
+	for _, app := range relevantApps {
+		origApp := app.DeepCopy()
+		operation := &appv1.HydrateOperation{
+			StartedAt:      app.Status.SourceHydrator.CurrentOperation.StartedAt,
+			FinishedAt:     &finishedAt,
+			Phase:          appv1.HydrateOperationPhaseHydrated,
+			Message:        "",
+			DrySHA:         drySHA,
+			HydratedSHA:    hydratedSHA,
+			SourceHydrator: app.Status.SourceHydrator.CurrentOperation.SourceHydrator,
+		}
+		app.Status.SourceHydrator.CurrentOperation = operation
+		app.Status.SourceHydrator.LastSuccessfulOperation = &appv1.SuccessfulHydrateOperation{
+			DrySHA:         drySHA,
+			HydratedSHA:    hydratedSHA,
+			SourceHydrator: app.Status.SourceHydrator.CurrentOperation.SourceHydrator,
+		}
+		h.dependencies.PersistAppHydratorStatus(origApp, &app.Status.SourceHydrator)
+		// Request a refresh since we pushed a new commit.
+		h.dependencies.RequestAppRefresh(app.QualifiedName())
+	}
+	return
+}
+
+func (h *Hydrator) hydrateAppsLatestCommit(logCtx *log.Entry, hydrationKey HydrationQueueKey) ([]*appv1.Application, string, string, error) {
+	relevantApps, err := h.getRelevantAppsForHydration(logCtx, hydrationKey)
+	if err != nil {
+		return nil, "", "", fmt.Errorf("failed to get relevant apps for hydration: %w", err)
+	}
+
+	hydratedRevision, dryRevision, err := h.hydrate(logCtx, relevantApps)
+	if err != nil {
+		return relevantApps, dryRevision, "", fmt.Errorf("failed to hydrate apps: %w", err)
+	}
+
+	return relevantApps, dryRevision, hydratedRevision, nil
+}
+
+func (h *Hydrator) getRelevantAppsForHydration(logCtx *log.Entry, hydrationKey HydrationQueueKey) ([]*appv1.Application, error) {
+	// Get all apps
+	apps, err := h.dependencies.GetProcessableApps()
+	if err != nil {
+		return nil, fmt.Errorf("failed to list apps: %w", err)
+	}
+
+	var relevantApps []*appv1.Application
+	uniqueDestinations := make(map[uniqueHydrationDestination]bool, len(apps.Items))
+	for _, app := range apps.Items {
+		if app.Spec.SourceHydrator == nil {
+			continue
+		}
+
+		if app.Spec.SourceHydrator.DrySource.RepoURL != hydrationKey.SourceRepoURL ||
+			app.Spec.SourceHydrator.DrySource.TargetRevision != hydrationKey.SourceTargetRevision {
+			continue
+		}
+		destinationBranch := app.Spec.SourceHydrator.SyncSource.TargetBranch
+		if app.Spec.SourceHydrator.HydrateTo != nil {
+			destinationBranch = app.Spec.SourceHydrator.HydrateTo.TargetBranch
+		}
+		if destinationBranch != hydrationKey.DestinationBranch {
+			continue
+		}
+
+		var proj *appv1.AppProject
+		proj, err = h.dependencies.GetProcessableAppProj(&app)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get project %q for app %q: %w", app.Spec.Project, app.QualifiedName(), err)
+		}
+		permitted := proj.IsSourcePermitted(app.Spec.GetSource())
+		if !permitted {
+			// Log and skip. We don't want to fail the entire operation because of one app.
+			logCtx.Warnf("App %q is not permitted to use source %q", app.QualifiedName(), app.Spec.Source.String())
+			continue
+		}
+
+		uniqueDestinationKey := uniqueHydrationDestination{
+			sourceRepoURL:        app.Spec.SourceHydrator.DrySource.RepoURL,
+			sourceTargetRevision: app.Spec.SourceHydrator.DrySource.TargetRevision,
+			destinationBranch:    destinationBranch,
+			destinationPath:      app.Spec.SourceHydrator.SyncSource.Path,
+		}
+		// TODO: test the dupe detection
+		if _, ok := uniqueDestinations[uniqueDestinationKey]; ok {
+			return nil, fmt.Errorf("multiple app hydrators use the same destination: %v", uniqueDestinationKey)
+		}
+		uniqueDestinations[uniqueDestinationKey] = true
+
+		relevantApps = append(relevantApps, &app)
+	}
+	return relevantApps, nil
+}
+
+func (h *Hydrator) hydrate(logCtx *log.Entry, apps []*appv1.Application) (string, string, error) {
+	if len(apps) == 0 {
+		return "", "", nil
+	}
+	repoURL := apps[0].Spec.SourceHydrator.DrySource.RepoURL
+	syncBranch := apps[0].Spec.SourceHydrator.SyncSource.TargetBranch
+	targetBranch := apps[0].Spec.GetHydrateToSource().TargetRevision
+	var paths []*commitclient.PathDetails
+	projects := make(map[string]bool, len(apps))
+	var targetRevision string
+	// TODO: parallelize this loop
+	for _, app := range apps {
+		project, err := h.dependencies.GetProcessableAppProj(app)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get project: %w", err)
+		}
+		projects[project.Name] = true
+		drySource := appv1.ApplicationSource{
+			RepoURL:        app.Spec.SourceHydrator.DrySource.RepoURL,
+			Path:           app.Spec.SourceHydrator.DrySource.Path,
+			TargetRevision: app.Spec.SourceHydrator.DrySource.TargetRevision,
+		}
+		if targetRevision == "" {
+			targetRevision = app.Spec.SourceHydrator.DrySource.TargetRevision
+		}
+
+		// TODO: enable signature verification
+		objs, resp, err := h.dependencies.GetRepoObjs(app, drySource, targetRevision, project)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get repo objects: %w", err)
+		}
+
+		targetRevision = resp.Revision
+
+		// Set up a ManifestsRequest
+		manifestDetails := make([]*commitclient.HydratedManifestDetails, len(objs))
+		for i, obj := range objs {
+			objJson, err := json.Marshal(obj)
+			if err != nil {
+				return "", "", fmt.Errorf("failed to marshal object: %w", err)
+			}
+			manifestDetails[i] = &commitclient.HydratedManifestDetails{ManifestJSON: string(objJson)}
+		}
+
+		paths = append(paths, &commitclient.PathDetails{
+			Path:      app.Spec.SourceHydrator.SyncSource.Path,
+			Manifests: manifestDetails,
+			Commands:  resp.Commands,
+		})
+	}
+
+	// If all the apps are under the same project, use that project. Otherwise, use an empty string to indicate that we
+	// need global creds.
+	project := ""
+	if len(projects) == 1 {
+		for p := range projects {
+			project = p
+		}
+	}
+
+	repo, err := h.dependencies.GetWriteCredentials(context.Background(), repoURL, project)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to get hydrator credentials: %w", err)
+	}
+	if repo == nil {
+		// Try without credentials.
+		repo = &appv1.Repository{
+			Repo: repoURL,
+		}
+		logCtx.Warn("no credentials found for repo, continuing without credentials")
+	}
+
+	manifestsRequest := commitclient.CommitHydratedManifestsRequest{
+		Repo:          repo,
+		SyncBranch:    syncBranch,
+		TargetBranch:  targetBranch,
+		DrySha:        targetRevision,
+		CommitMessage: fmt.Sprintf("[Argo CD Bot] hydrate %s", targetRevision),
+		Paths:         paths,
+	}
+
+	closer, commitService, err := h.commitClientset.NewCommitServerClient()
+	if err != nil {
+		return "", "", fmt.Errorf("failed to create commit service: %w", err)
+	}
+	defer argoio.Close(closer)
+	resp, err := commitService.CommitHydratedManifests(context.Background(), &manifestsRequest)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to commit hydrated manifests: %w", err)
+	}
+	return targetRevision, resp.HydratedSha, nil
+}
+
+// appNeedsHydration answers if application needs manifests hydrated.
+func appNeedsHydration(app *appv1.Application, statusHydrateTimeout time.Duration) (needsHydration bool, reason string) {
+	if app.Spec.SourceHydrator == nil {
+		return false, "source hydrator not configured"
+	}
+
+	var hydratedAt *metav1.Time
+	if app.Status.SourceHydrator.CurrentOperation != nil {
+		hydratedAt = &app.Status.SourceHydrator.CurrentOperation.StartedAt
+	}
+
+	if app.IsHydrateRequested() {
+		return true, "hydrate requested"
+	} else if app.Status.SourceHydrator.CurrentOperation == nil {
+		return true, "no previous hydrate operation"
+	} else if !app.Spec.SourceHydrator.DeepEquals(app.Status.SourceHydrator.CurrentOperation.SourceHydrator) {
+		return true, "spec.sourceHydrator differs"
+	} else if app.Status.SourceHydrator.CurrentOperation.Phase == appv1.HydrateOperationPhaseFailed && metav1.Now().Sub(app.Status.SourceHydrator.CurrentOperation.FinishedAt.Time) > 2*time.Minute {
+		return true, "previous hydrate operation failed more than 2 minutes ago"
+	} else if hydratedAt == nil || hydratedAt.Add(statusHydrateTimeout).Before(time.Now().UTC()) {
+		return true, "hydration expired"
+	}
+
+	return false, ""
+}

controller/hydrator/hydrator_test.go

@@ -0,0 +1,103 @@
+package hydrator
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func Test_appNeedsHydration(t *testing.T) {
+	t.Parallel()
+
+	now := metav1.NewTime(time.Now())
+	oneHourAgo := metav1.NewTime(now.Add(-1 * time.Hour))
+
+	testCases := []struct {
+		name                   string
+		app                    *v1alpha1.Application
+		timeout                time.Duration
+		expectedNeedsHydration bool
+		expectedMessage        string
+	}{
+		{
+			name:                   "source hydrator not configured",
+			app:                    &v1alpha1.Application{},
+			expectedNeedsHydration: false,
+			expectedMessage:        "source hydrator not configured",
+		},
+		{
+			name: "hydrate requested",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{v1alpha1.AnnotationKeyHydrate: "normal"}},
+				Spec:       v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: true,
+			expectedMessage:        "hydrate requested",
+		},
+		{
+			name: "no previous hydrate operation",
+			app: &v1alpha1.Application{
+				Spec: v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: true,
+			expectedMessage:        "no previous hydrate operation",
+		},
+		{
+			name: "spec.sourceHydrator differs",
+			app: &v1alpha1.Application{
+				Spec: v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{
+					SourceHydrator: v1alpha1.SourceHydrator{DrySource: v1alpha1.DrySource{RepoURL: "something new"}},
+				}}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: true,
+			expectedMessage:        "spec.sourceHydrator differs",
+		},
+		{
+			name: "hydration failed more than two minutes ago",
+			app: &v1alpha1.Application{
+				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{DrySHA: "abc123", FinishedAt: &oneHourAgo, Phase: v1alpha1.HydrateOperationPhaseFailed}}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: true,
+			expectedMessage:        "previous hydrate operation failed more than 2 minutes ago",
+		},
+		{
+			name: "timeout reached",
+			app: &v1alpha1.Application{
+				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{StartedAt: oneHourAgo}}},
+			},
+			timeout:                1 * time.Minute,
+			expectedNeedsHydration: true,
+			expectedMessage:        "hydration expired",
+		},
+		{
+			name: "hydrate not needed",
+			app: &v1alpha1.Application{
+				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{DrySHA: "abc123", StartedAt: now, FinishedAt: &now, Phase: v1alpha1.HydrateOperationPhaseFailed}}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: false,
+			expectedMessage:        "",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			needsHydration, message := appNeedsHydration(tc.app, tc.timeout)
+			assert.Equal(t, tc.expectedNeedsHydration, needsHydration)
+			assert.Equal(t, tc.expectedMessage, message)
+		})
+	}
+}

controller/hydrator_dependencies.go

@@ -0,0 +1,71 @@
+package controller
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/argoproj/argo-cd/v2/controller/hydrator"
+	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+/**
+This file implements the hydrator.Dependencies interface for the ApplicationController.
+
+Hydration logic does not belong in this file. The methods here should be "bookkeeping" methods that keep hydration work
+in the hydrator and app controller work in the app controller. The only purpose of this file is to provide the hydrator
+safe, minimal access to certain app controller functionality to avoid duplicate code.
+*/
+
+func (ctrl *ApplicationController) GetProcessableAppProj(app *appv1.Application) (*appv1.AppProject, error) {
+	return ctrl.getAppProj(app)
+}
+
+// GetProcessableApps returns a list of applications that are processable by the controller.
+func (ctrl *ApplicationController) GetProcessableApps() (*appv1.ApplicationList, error) {
+	// getAppList already filters out applications that are not processable by the controller.
+	return ctrl.getAppList(metav1.ListOptions{})
+}
+
+func (ctrl *ApplicationController) GetRepoObjs(app *appv1.Application, source appv1.ApplicationSource, revision string, project *appv1.AppProject) ([]*unstructured.Unstructured, *apiclient.ManifestResponse, error) {
+	sources := []appv1.ApplicationSource{source}
+	revisions := []string{revision}
+
+	appLabelKey, err := ctrl.settingsMgr.GetAppInstanceLabelKey()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get app instance label key: %w", err)
+	}
+
+	// FIXME: use cache and revision cache
+	objs, resp, _, err := ctrl.appStateManager.GetRepoObjs(app, sources, appLabelKey, revisions, true, true, false, project, false, false)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get repo objects: %w", err)
+	}
+
+	if len(resp) != 1 {
+		return nil, nil, fmt.Errorf("expected one manifest response, got %d", len(resp))
+	}
+
+	return objs, resp[0], nil
+}
+
+func (ctrl *ApplicationController) GetWriteCredentials(ctx context.Context, repoURL string, project string) (*appv1.Repository, error) {
+	return ctrl.db.GetWriteRepository(ctx, repoURL, project)
+}
+
+func (ctrl *ApplicationController) RequestAppRefresh(appName string) {
+	ctrl.requestAppRefresh(appName, CompareWithLatest.Pointer(), nil)
+}
+
+func (ctrl *ApplicationController) PersistAppHydratorStatus(orig *appv1.Application, newStatus *appv1.SourceHydratorStatus) {
+	status := orig.Status.DeepCopy()
+	status.SourceHydrator = *newStatus
+	ctrl.persistAppStatus(orig, status)
+}
+
+func (ctrl *ApplicationController) AddHydrationQueueItem(key hydrator.HydrationQueueKey) {
+	ctrl.hydrationQueue.AddRateLimited(key)
+}

controller/state.go

@@ -71,7 +71,7 @@ type managedResource struct {
 type AppStateManager interface {
 	CompareAppState(app *v1alpha1.Application, project *v1alpha1.AppProject, revisions []string, sources []v1alpha1.ApplicationSource, noCache bool, noRevisionCache bool, localObjects []string, hasMultipleSources bool, rollback bool) (*comparisonResult, error)
 	SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState)
-	GetRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject, rollback bool) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, bool, error)
+	GetRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject, rollback, sendRuntimeState bool) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, bool, error)
 }
 
 // comparisonResult holds the state of an application after the reconciliation
@@ -125,7 +125,7 @@ type appStateManager struct {
 // task to the repo-server. It returns the list of generated manifests as unstructured
 // objects. It also returns the full response from all calls to the repo server as the
 // second argument.
-func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject, rollback bool) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, bool, error) {
+func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject, rollback, sendRuntimeState bool) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, bool, error) {
 	ts := stats.NewTimingStats()
 	helmRepos, err := m.db.ListHelmRepositories(context.Background())
 	if err != nil {
@@ -219,6 +219,14 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 
 		revision := revisions[i]
 
+		appNamespace := app.Spec.Destination.Namespace
+		apiVersions := argo.APIResourcesToStrings(apiResources, true)
+		if !sendRuntimeState {
+			appNamespace = ""
+			apiVersions = nil
+			serverVersion = ""
+		}
+
 		if !source.IsHelm() && syncedRevision != "" && keyManifestGenerateAnnotationExists && keyManifestGenerateAnnotationVal != "" {
 			// Validate the manifest-generate-path annotation to avoid generating manifests if it has not changed.
 			updateRevisionResult, err := repoClient.UpdateRevisionForPaths(context.Background(), &apiclient.UpdateRevisionForPathsRequest{
@@ -229,10 +237,10 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 				Paths:              path.GetAppRefreshPaths(app),
 				AppLabelKey:        appLabelKey,
 				AppName:            app.InstanceName(m.namespace),
-				Namespace:          app.Spec.Destination.Namespace,
+				Namespace:          appNamespace,
 				ApplicationSource:  &source,
 				KubeVersion:        serverVersion,
-				ApiVersions:        argo.APIResourcesToStrings(apiResources, true),
+				ApiVersions:        apiVersions,
 				TrackingMethod:     string(argo.GetTrackingMethod(m.settingsMgr)),
 				RefSources:         refSources,
 				HasMultipleSources: app.Spec.HasMultipleSources(),
@@ -263,11 +271,11 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 			NoRevisionCache:                 noRevisionCache,
 			AppLabelKey:                     appLabelKey,
 			AppName:                         app.InstanceName(m.namespace),
-			Namespace:                       app.Spec.Destination.Namespace,
+			Namespace:                       appNamespace,
 			ApplicationSource:               &source,
 			KustomizeOptions:                kustomizeOptions,
 			KubeVersion:                     serverVersion,
-			ApiVersions:                     argo.APIResourcesToStrings(apiResources, true),
+			ApiVersions:                     apiVersions,
 			VerifySignature:                 verifySignature,
 			HelmRepoCreds:                   permittedHelmCredentials,
 			TrackingMethod:                  string(argo.GetTrackingMethod(m.settingsMgr)),
@@ -309,6 +317,39 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 	return targetObjs, manifestInfos, revisionUpdated, nil
 }
 
+// ResolveGitRevision will resolve the given revision to a full commit SHA. Only works for git.
+func (m *appStateManager) ResolveGitRevision(repoURL string, revision string) (string, error) {
+	conn, repoClient, err := m.repoClientset.NewRepoServerClient()
+	if err != nil {
+		return "", fmt.Errorf("failed to connect to repo server: %w", err)
+	}
+	defer io.Close(conn)
+
+	repo, err := m.db.GetRepository(context.Background(), repoURL, "")
+	if err != nil {
+		return "", fmt.Errorf("failed to get repo %q: %w", repoURL, err)
+	}
+
+	// Mock the app. The repo-server only needs to know whether the "chart" field is populated.
+	app := &v1alpha1.Application{
+		Spec: v1alpha1.ApplicationSpec{
+			Source: &v1alpha1.ApplicationSource{
+				RepoURL:        repoURL,
+				TargetRevision: revision,
+			},
+		},
+	}
+	resp, err := repoClient.ResolveRevision(context.Background(), &apiclient.ResolveRevisionRequest{
+		Repo:              repo,
+		App:               app,
+		AmbiguousRevision: revision,
+	})
+	if err != nil {
+		return "", fmt.Errorf("failed to determine whether the dry source has changed: %w", err)
+	}
+	return resp.Revision, nil
+}
+
 func unmarshalManifests(manifests []string) ([]*unstructured.Unstructured, error) {
 	targetObjs := make([]*unstructured.Unstructured, 0)
 	for _, manifest := range manifests {
@@ -441,7 +482,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 		if hasMultipleSources {
 			return &comparisonResult{
 				syncStatus: &v1alpha1.SyncStatus{
-					ComparedTo: v1alpha1.ComparedTo{Destination: app.Spec.Destination, Sources: sources, IgnoreDifferences: app.Spec.IgnoreDifferences},
+					ComparedTo: app.Spec.BuildComparedToStatus(),
 					Status:     v1alpha1.SyncStatusCodeUnknown,
 					Revisions:  revisions,
 				},
@@ -450,7 +491,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 		} else {
 			return &comparisonResult{
 				syncStatus: &v1alpha1.SyncStatus{
-					ComparedTo: v1alpha1.ComparedTo{Source: sources[0], Destination: app.Spec.Destination, IgnoreDifferences: app.Spec.IgnoreDifferences},
+					ComparedTo: app.Spec.BuildComparedToStatus(),
 					Status:     v1alpha1.SyncStatusCodeUnknown,
 					Revision:   revisions[0],
 				},
@@ -490,7 +531,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 			}
 		}
 
-		targetObjs, manifestInfos, revisionUpdated, err = m.GetRepoObjs(app, sources, appLabelKey, revisions, noCache, noRevisionCache, verifySignature, project, rollback)
+		targetObjs, manifestInfos, revisionUpdated, err = m.GetRepoObjs(app, sources, appLabelKey, revisions, noCache, noRevisionCache, verifySignature, project, rollback, true)
 		if err != nil {
 			targetObjs = make([]*unstructured.Unstructured, 0)
 			msg := fmt.Sprintf("Failed to load target state: %s", err.Error())

controller/sync_test.go

@@ -56,7 +56,7 @@ func TestPersistRevisionHistory(t *testing.T) {
 
 	updatedApp, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace).Get(context.Background(), app.Name, v1.GetOptions{})
 	require.NoError(t, err)
-	assert.Len(t, updatedApp.Status.History, 1)
+	require.Len(t, updatedApp.Status.History, 1)
 	assert.Equal(t, app.Spec.GetSource(), updatedApp.Status.History[0].Source)
 	assert.Equal(t, "abc123", updatedApp.Status.History[0].Revision)
 }

controller/utils/log.go

@@ -0,0 +1,17 @@
+package utils
+
+import (
+	"github.com/sirupsen/logrus"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+// GetAppLog returns a logrus entry with fields set for the given application.
+func GetAppLog(app *v1alpha1.Application) *logrus.Entry {
+	return logrus.WithFields(logrus.Fields{
+		"application":        app.Name,
+		"app-namespace":      app.Namespace,
+		"app-qualified-name": app.QualifiedName(),
+		"project":            app.Spec.Project,
+	})
+}

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -9,6 +9,9 @@ data:
   # Repo server address. (default "argocd-repo-server:8081")
   repo.server: "argocd-repo-server:8081"
 
+  # Commit server address. (default "argocd-commit-server:8086")
+  commit.server: "argocd-commit-server:8086"
+
   # Redis server hostname and port (e.g. argocd-redis:6379)
   redis.server: "argocd-redis:6379"
   # Enable compression for data sent to Redis with the required compression algorithm. (default 'gzip')
@@ -16,6 +19,9 @@ data:
   # Redis database
   redis.db:
 
+  # Enables the alpha "manifest hydrator" feature. (default "false")
+  hydrator.enabled: "false"
+
   # Open-Telemetry collector address: (e.g. "otel-collector:4317")
   otlp.address: ""
   # Open-Telemetry collector insecure: (e.g. "true")
@@ -195,6 +201,15 @@ data:
   # Include hidden directories from Git
   reposerver.include.hidden.directories: "false"
 
+  ## Commit-server properties
+  # Listen on given address for incoming connections (default "0.0.0.0")
+  commitserver.listen.address: "0.0.0.0"
+  # Set the logging format. One of: text|json (default "text")
+  commitserver.log.format: "text"
+  # Set the logging level. One of: debug|info|warn|error (default "info")
+  commitserver.log.level: "info"
+  # Listen on given address for metrics (default "0.0.0.0")
+  commitserver.metrics.listen.address: "0.0.0.0"
 
   # Set the logging format. One of: text|json (default "text")
   dexserver.log.format: "text"

docs/operator-manual/server-commands/argocd-application-controller.md

@@ -27,6 +27,7 @@ argocd-application-controller [flags]
       --client-certificate string                                 Path to a client certificate file for TLS
       --client-key string                                         Path to a client key file for TLS
       --cluster string                                            The name of the kubeconfig cluster to use
+      --commit-server string                                      Commit server address. (default "argocd-commit-server:8086")
       --context string                                            The name of the kubeconfig context to use
       --default-cache-expiration duration                         Cache expiration default (default 24h0m0s)
       --disable-compression                                       If true, opt-out of response compression for all requests to the server
@@ -34,6 +35,7 @@ argocd-application-controller [flags]
       --enable-k8s-event none                                     Enable ArgoCD to use k8s event. For disabling all events, set the value as none. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated) (default [all])
       --gloglevel int                                             Set the glog logging level
   -h, --help                                                      help for argocd-application-controller
+      --hydrator-enabled                                          Feature flag to enable Hydrator. Default ("false")
       --ignore-normalizer-jq-execution-timeout-seconds duration   Set ignore normalizer JQ execution timeout
       --insecure-skip-tls-verify                                  If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
       --kubeconfig string                                         Path to a kube config. Only required if out-of-cluster

docs/operator-manual/server-commands/argocd-server.md

@@ -55,6 +55,7 @@ argocd-server [flags]
       --enable-proxy-extension                          Enable Proxy Extension feature
       --gloglevel int                                   Set the glog logging level
   -h, --help                                            help for argocd-server
+      --hydrator-enabled                                Feature flag to enable Hydrator. Default ("false")
       --insecure                                        Run server without TLS
       --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
       --kubeconfig string                               Path to a kube config. Only required if out-of-cluster

docs/user-guide/commands/argocd_account_can-i.md

@@ -22,7 +22,7 @@ argocd account can-i update projects 'default'
 argocd account can-i create clusters '*'
 
 Actions: [get create update delete sync override action invoke]
-Resources: [clusters projects applications applicationsets repositories certificates accounts gpgkeys logs exec extensions]
+Resources: [clusters projects applications applicationsets repositories write-repositories certificates accounts gpgkeys logs exec extensions]
 
 ```
 

docs/user-guide/commands/argocd_admin_app_generate-spec.md

@@ -45,6 +45,9 @@ argocd admin app generate-spec APPNAME [flags]
       --directory-exclude string                   Set glob expression used to exclude files from application source path
       --directory-include string                   Set glob expression used to include files from application source path
       --directory-recurse                          Recurse directory
+      --dry-source-path string                     Path in repository to the app directory for the dry source
+      --dry-source-repo string                     Repository URL of the app dry source
+      --dry-source-revision string                 Revision of the app dry source
       --env string                                 Application environment to monitor
   -f, --file string                                Filename or URL to Kubernetes manifests for the app
       --helm-api-versions stringArray              Helm api-versions (in format [group/]version/kind) to use when running helm template (Can be repeated to set several values: --helm-api-versions traefik.io/v1alpha1/TLSOption --helm-api-versions v1/Service). If not set, use the api-versions from the destination cluster
@@ -60,6 +63,7 @@ argocd admin app generate-spec APPNAME [flags]
       --helm-skip-tests                            Skip helm test manifests installation step
       --helm-version string                        Helm version
   -h, --help                                       help for generate-spec
+      --hydrate-to-branch string                   The branch to hydrate the app to
       --ignore-missing-value-files                 Ignore locally missing valueFiles when setting helm template --values
   -i, --inline                                     If set then generated resource is written back to the file specified in --file flag
       --jsonnet-ext-var-code stringArray           Jsonnet ext var
@@ -101,6 +105,8 @@ argocd admin app generate-spec APPNAME [flags]
       --sync-retry-backoff-factor int              Factor multiplies the base duration after each failed sync retry (default 2)
       --sync-retry-backoff-max-duration duration   Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
       --sync-retry-limit int                       Max number of allowed sync retries
+      --sync-source-branch string                  The branch from which the app will sync
+      --sync-source-path string                    The path in the repository from which the app will sync
       --validate                                   Validation of repo and cluster (default true)
       --values stringArray                         Helm values file(s) to use
       --values-literal-file string                 Filename or URL to import as a literal Helm values block

docs/user-guide/commands/argocd_app_add-source.md

@@ -28,6 +28,9 @@ argocd app add-source APPNAME [flags]
       --directory-exclude string                   Set glob expression used to exclude files from application source path
       --directory-include string                   Set glob expression used to include files from application source path
       --directory-recurse                          Recurse directory
+      --dry-source-path string                     Path in repository to the app directory for the dry source
+      --dry-source-repo string                     Repository URL of the app dry source
+      --dry-source-revision string                 Revision of the app dry source
       --env string                                 Application environment to monitor
       --helm-api-versions stringArray              Helm api-versions (in format [group/]version/kind) to use when running helm template (Can be repeated to set several values: --helm-api-versions traefik.io/v1alpha1/TLSOption --helm-api-versions v1/Service). If not set, use the api-versions from the destination cluster
       --helm-chart string                          Helm Chart name
@@ -42,6 +45,7 @@ argocd app add-source APPNAME [flags]
       --helm-skip-tests                            Skip helm test manifests installation step
       --helm-version string                        Helm version
   -h, --help                                       help for add-source
+      --hydrate-to-branch string                   The branch to hydrate the app to
       --ignore-missing-value-files                 Ignore locally missing valueFiles when setting helm template --values
       --jsonnet-ext-var-code stringArray           Jsonnet ext var
       --jsonnet-ext-var-str stringArray            Jsonnet string ext var
@@ -78,6 +82,8 @@ argocd app add-source APPNAME [flags]
       --sync-retry-backoff-factor int              Factor multiplies the base duration after each failed sync retry (default 2)
       --sync-retry-backoff-max-duration duration   Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
       --sync-retry-limit int                       Max number of allowed sync retries
+      --sync-source-branch string                  The branch from which the app will sync
+      --sync-source-path string                    The path in the repository from which the app will sync
       --validate                                   Validation of repo and cluster (default true)
       --values stringArray                         Helm values file(s) to use
       --values-literal-file string                 Filename or URL to import as a literal Helm values block

docs/user-guide/commands/argocd_app_create.md

@@ -47,6 +47,9 @@ argocd app create APPNAME [flags]
       --directory-exclude string                   Set glob expression used to exclude files from application source path
       --directory-include string                   Set glob expression used to include files from application source path
       --directory-recurse                          Recurse directory
+      --dry-source-path string                     Path in repository to the app directory for the dry source
+      --dry-source-repo string                     Repository URL of the app dry source
+      --dry-source-revision string                 Revision of the app dry source
       --env string                                 Application environment to monitor
   -f, --file string                                Filename or URL to Kubernetes manifests for the app
       --helm-api-versions stringArray              Helm api-versions (in format [group/]version/kind) to use when running helm template (Can be repeated to set several values: --helm-api-versions traefik.io/v1alpha1/TLSOption --helm-api-versions v1/Service). If not set, use the api-versions from the destination cluster
@@ -62,6 +65,7 @@ argocd app create APPNAME [flags]
       --helm-skip-tests                            Skip helm test manifests installation step
       --helm-version string                        Helm version
   -h, --help                                       help for create
+      --hydrate-to-branch string                   The branch to hydrate the app to
       --ignore-missing-value-files                 Ignore locally missing valueFiles when setting helm template --values
       --jsonnet-ext-var-code stringArray           Jsonnet ext var
       --jsonnet-ext-var-str stringArray            Jsonnet string ext var
@@ -101,6 +105,8 @@ argocd app create APPNAME [flags]
       --sync-retry-backoff-factor int              Factor multiplies the base duration after each failed sync retry (default 2)
       --sync-retry-backoff-max-duration duration   Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
       --sync-retry-limit int                       Max number of allowed sync retries
+      --sync-source-branch string                  The branch from which the app will sync
+      --sync-source-path string                    The path in the repository from which the app will sync
       --upsert                                     Allows to override application with the same name even if supplied application spec is different from existing spec
       --validate                                   Validation of repo and cluster (default true)
       --values stringArray                         Helm values file(s) to use

docs/user-guide/commands/argocd_app_set.md

@@ -40,6 +40,9 @@ argocd app set APPNAME [flags]
       --directory-exclude string                   Set glob expression used to exclude files from application source path
       --directory-include string                   Set glob expression used to include files from application source path
       --directory-recurse                          Recurse directory
+      --dry-source-path string                     Path in repository to the app directory for the dry source
+      --dry-source-repo string                     Repository URL of the app dry source
+      --dry-source-revision string                 Revision of the app dry source
       --env string                                 Application environment to monitor
       --helm-api-versions stringArray              Helm api-versions (in format [group/]version/kind) to use when running helm template (Can be repeated to set several values: --helm-api-versions traefik.io/v1alpha1/TLSOption --helm-api-versions v1/Service). If not set, use the api-versions from the destination cluster
       --helm-chart string                          Helm Chart name
@@ -54,6 +57,7 @@ argocd app set APPNAME [flags]
       --helm-skip-tests                            Skip helm test manifests installation step
       --helm-version string                        Helm version
   -h, --help                                       help for set
+      --hydrate-to-branch string                   The branch to hydrate the app to
       --ignore-missing-value-files                 Ignore locally missing valueFiles when setting helm template --values
       --jsonnet-ext-var-code stringArray           Jsonnet ext var
       --jsonnet-ext-var-str stringArray            Jsonnet string ext var
@@ -91,6 +95,8 @@ argocd app set APPNAME [flags]
       --sync-retry-backoff-factor int              Factor multiplies the base duration after each failed sync retry (default 2)
       --sync-retry-backoff-max-duration duration   Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
       --sync-retry-limit int                       Max number of allowed sync retries
+      --sync-source-branch string                  The branch from which the app will sync
+      --sync-source-path string                    The path in the repository from which the app will sync
       --validate                                   Validation of repo and cluster (default true)
       --values stringArray                         Helm values file(s) to use
       --values-literal-file string                 Filename or URL to import as a literal Helm values block

docs/user-guide/commands/argocd_app_wait.md

@@ -43,6 +43,7 @@ argocd app wait [APPNAME.. | -l selector] [flags]
       --delete                 Wait for delete
       --health                 Wait for health
   -h, --help                   help for wait
+      --hydrated               Wait for hydration operations
       --operation              Wait for pending operations
   -o, --output string          Output format. One of: json|yaml|wide|tree|tree=detailed (default "wide")
       --resource stringArray   Sync only specific resources as GROUP:KIND:NAME or !GROUP:KIND:NAME. Fields may be blank and '*' can be used. This option may be specified repeatedly

docs/user-guide/source-hydrator.md

@@ -0,0 +1,192 @@
+# Source Hydrator
+
+**Current feature state**: Alpha
+
+Tools like Helm and Kustomize allow users to express their Kubernetes manifests in a more concise and reusable way
+(keeping it DRY - Don't Repeat Yourself). However, these tools can obscure the actual Kubernetes manifests that are
+applied to the cluster.
+
+The "rendered manifest pattern" is a way to push the hydrated manifests to git before syncing them to the cluster. This
+allows users to see the actual Kubernetes manifests that are applied to the cluster.
+
+The source hydrator is a feature of Argo CD that allows users to push the hydrated manifests to git before syncing them
+to the cluster.
+
+## Enabling the Source Hydrator
+
+The source hydrator is disabled by default.
+
+To enable the source hydrator, you need to enable the "commit server" component and set the `hydrator.enabled` field in
+argocd-cmd-params-cm ConfigMap to `"true"`.
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cmd-params-cm
+  namespace: argocd
+data:
+  hydrator.enabled: "true"
+```
+
+!!! important
+    After updating the ConfigMap, you must restart the Argo CD controller and API server for the changes to take effect.
+
+If you are using one of the `*-install.yaml` manifests to install Argo CD, you can use the 
+`*-install-with-hydrator.yaml` version of that file instead.
+
+For example,
+
+```
+Without hydrator: https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+With hydrator:    https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install-with-hydrator.yaml
+```
+
+!!! important
+    The `*-with-hydrator-install.yaml` manifests will eventually be removed when the source hydrator is either enabled
+    by default or removed. The upgrade guide will note if the `install-with-hydrator.yaml` manifests are no longer
+    available.
+
+## Using the Source Hydrator
+
+To use the source hydrator, you must first install a push secret. This example uses a GitHub App for authentication, but
+you can use [any authentication method that Argo CD supports for repository access](../operator-manual/declarative-setup.md#repositories).
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-push-secret
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository-write
+type: Opaque
+stringData:
+  url: "https://github.com"
+  type: "git"
+  githubAppID: "<your app ID here>"
+  githubAppInstallationID: "<your installation ID here>"
+  githubAppPrivateKey: |
+    <your private key here>
+```
+
+The label `argocd.argoproj.io/secret-type: repository-write` causes this Secret to be used for pushing manifests to git
+instead of pulling from git.
+
+Once your push secret is installed, set the `spec.sourceHydrator` field of the Application. For example:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: my-app
+spec:
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      path: helm-guestbook
+      targetRevision: HEAD
+    syncSource:
+      targetBranch: environments/dev
+      path: helm-guestbook
+```
+
+In this example, the hydrated manifests will be pushed to the `environments/dev` branch of the `argocd-example-apps`
+repository.
+
+!!! important "Project-Scoped Repositories"
+
+    Repository Secrets may contain a `project` field, making the secret only usable by Applications in that project.
+    The source hydrator only supports project-scoped repositories if all Applications writing to the same repository and
+    branch are in the same project. If Applications in different projects write to the same repository and branch, the
+    source hydrator will not be able to use a project-scoped repository secret and will require a global repository 
+    secret. This behavior may change in the future.
+
+If there are multiple repository-write Secrets available for a repo, the source hydrator will non-deterministically
+select one of the matching Secrets and log a warning saying "Found multiple credentials for repoURL".
+
+## Pushing to a "Staging" Branch
+
+The source hydrator can be used to push hydrated manifests to a "staging" branch instead of the `syncSource` branch.
+This provides a way to prevent the hydrated manifests from being applied to the cluster until some prerequisite
+conditions are met (in effect providing a way to handle environment promotion via Pull Requests).
+
+To use the source hydrator to push to a "staging" branch, set the `spec.sourceHydrator.hydrateTo` field of the
+Application. For example:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: my-app
+spec:
+  project: my-project
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      path: helm-guestbook
+      targetRevision: HEAD
+    syncSource:
+      targetBranch: environments/dev
+      path: helm-guestbook
+    hydrateTo:
+      targetBranch: environments/dev-next
+```
+
+In this example, the hydrated manifests will be pushed to the `environments/dev-next` branch, and Argo CD will not sync
+the changes until something moves them to the `environments/dev` branch.
+
+You could use a CI action to move the hydrated manifests from the `hydrateTo` branch to the `syncSource` branch. To
+introduce a gating mechanism, you could require a Pull Request to be opened to merge the changes from the `hydrateTo`
+branch to the `syncSource` branch.
+
+Argo CD will only push changes to the `hydrateTo` branch, it will not create a PR or otherwise facilitate moving those 
+changes to the `syncSource` branch. You will need to use your own tooling to move the changes from the `hydrateTo` 
+branch to the `syncSource` branch.
+
+## Limitations
+
+### Project-Scoped Push Secrets
+
+If all the Applications for a given destination repo/branch are under the same project, then the hydrator will use any
+available project-scoped push secrets. If two Applications for a given repo/branch are in different projects, then the
+hydrator will not be able to use a project-scoped push secret and will require a global push secret.
+
+### Credential Templates
+
+Credential templates allow a single credential to be used for multiple repositories. The source hydrator does not 
+currently support credential templates. You will need a separate credential for each repository.
+
+## Prerequisites
+
+### Handle Secrets on the Destination Cluster
+
+Do not use the source hydrator with any tool that injects secrets into your manifests as part of the hydration process
+(for example, Helm with SOPS or the Argo CD Vault Plugin). These secrets would be committed to git. Instead, use a
+secrets operator that populates the secret values on the destination cluster.
+
+## Best Practices
+
+### Make Hydration Deterministic
+
+The source hydrator should be deterministic. For a given dry source commit, the hydrator should always produce the same
+hydrated manifests. This means that the hydrator should not rely on external state or configuration that is not stored
+in git.
+
+Examples of non-deterministic hydration:
+
+* A Helm chart using unpinned dependencies
+* A Helm chart is using a non-deterministic template function such as `randAlphaNum` or `lookup`
+* [Config Management Plugins](../operator-manual/config-management-plugins.md) which retrieve non-git state, such as secrets
+* Kustomize manifests referencing unpinned remote bases
+
+### Enable Branch Protection
+
+Argo CD should be the only thing pushing hydrated manifests to the hydrated branches. To prevent other tools or users
+from pushing to the hydrated branches, enable branch protection in your SCM.
+
+It is best practice to prefix the hydrated branches with a common prefix, such as `environment/`. This makes it easier
+to configure branch protection rules on the destination repository.

hack/update-manifests.sh

@@ -49,3 +49,21 @@ $KUSTOMIZE build "${SRCROOT}/manifests/ha/namespace-install" >> "${SRCROOT}/mani
 
 echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/core-install.yaml"
 $KUSTOMIZE build "${SRCROOT}/manifests/core-install" >> "${SRCROOT}/manifests/core-install.yaml"
+
+# Copies enabling manifest hydrator. These can be removed once the manifest hydrator is either removed or enabled by 
+# default.
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/cluster-install-with-hydrator" >> "${SRCROOT}/manifests/install-with-hydrator.yaml"
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/namespace-install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/namespace-install-with-hydrator" >> "${SRCROOT}/manifests/namespace-install-with-hydrator.yaml"
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/ha/install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/ha/cluster-install-with-hydrator" >> "${SRCROOT}/manifests/ha/install-with-hydrator.yaml"
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/ha/namespace-install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/ha/namespace-install-with-hydrator" >> "${SRCROOT}/manifests/ha/namespace-install-with-hydrator.yaml"
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/core-install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/core-install-with-hydrator" >> "${SRCROOT}/manifests/core-install-with-hydrator.yaml"

manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml

@@ -223,6 +223,12 @@ spec:
               name: argocd-cmd-params-cm
               key: controller.diff.server.side
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              name: argocd-cmd-params-cm
+              key: hydrator.enabled
+              optional: true
         image: quay.io/argoproj/argocd:latest
         imagePullPolicy: Always
         name: argocd-application-controller

manifests/base/application-controller/argocd-application-controller-statefulset.yaml

@@ -232,6 +232,12 @@ spec:
               name: argocd-cmd-params-cm
               key: controller.ignore.normalizer.jq.timeout
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              name: argocd-cmd-params-cm
+              key: hydrator.enabled
+              optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
         image: quay.io/argoproj/argocd:latest

manifests/base/commit-server/argocd-commit-server-deployment.yaml

@@ -83,6 +83,9 @@ spec:
           mountPath: /app/config/gpg/source
         - name: gpg-keyring
           mountPath: /app/config/gpg/keys
+        # We need a writeable temp directory for the askpass socket file.
+        - name: tmp
+          mountPath: /tmp
       initContainers:
       - command:
         - /bin/cp
@@ -117,8 +120,6 @@ spec:
           emptyDir: {}
         - name: tmp
           emptyDir: {}
-        - name: helm-working-dir
-          emptyDir: {}
         - name: argocd-commit-server-tls
           secret:
             secretName: argocd-commit-server-tls
@@ -132,8 +133,6 @@ spec:
               path: ca.crt
         - emptyDir: {}
           name: var-files
-        - emptyDir: {}
-          name: plugins
       affinity:
         podAntiAffinity:
           preferredDuringSchedulingIgnoredDuringExecution:

manifests/base/server/argocd-server-deployment.yaml

@@ -292,6 +292,12 @@ spec:
                   name: argocd-cmd-params-cm
                   key: applicationsetcontroller.enable.scm.providers
                   optional: true
+            - name: ARGOCD_HYDRATOR_ENABLED
+              valueFrom:
+                configMapKeyRef:
+                  name: argocd-cmd-params-cm
+                  key: hydrator.enabled
+                  optional: true
           volumeMounts:
             - name: ssh-known-hosts
               mountPath: /app/config/ssh

manifests/cluster-install-with-hydrator/kustomization.yaml

@@ -0,0 +1,12 @@
+resources:
+  - ../cluster-install
+  - ../base/commit-server
+
+patches:
+  - target:
+      kind: ConfigMap
+      name: argocd-cmd-params-cm
+    patch: |-
+      - op: add
+        path: /data
+        value: {"hydrator.enabled": "true"}

manifests/core-install-with-hydrator/kustomization.yaml

@@ -0,0 +1,12 @@
+resources:
+  - ../core-install
+  - ../base/commit-server
+
+patches:
+  - target:
+      kind: ConfigMap
+      name: argocd-cmd-params-cm
+    patch: |-
+      - op: add
+        path: /data
+        value: {"hydrator.enabled": "true"}

manifests/core-install.yaml

@@ -24864,6 +24864,12 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: hydrator.enabled
+              name: argocd-cmd-params-cm
+              optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
         image: quay.io/argoproj/argocd:latest

manifests/ha/cluster-install-with-hydrator/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+  - ../cluster-install
+  - ../../base/commit-server

manifests/ha/install-with-hydrator/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+  - ../base
+  - ../../base/commit-server

manifests/ha/install.yaml

@@ -26519,6 +26519,12 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: hydrator.enabled
+              name: argocd-cmd-params-cm
+              optional: true
         image: quay.io/argoproj/argocd:latest
         imagePullPolicy: Always
         livenessProbe:
@@ -26853,6 +26859,12 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: hydrator.enabled
+              name: argocd-cmd-params-cm
+              optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
         image: quay.io/argoproj/argocd:latest

manifests/ha/namespace-install-with-hydrator/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+  - ../namespace-install
+  - ../../base/commit-server

manifests/ha/namespace-install.yaml

@@ -2749,6 +2749,12 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: hydrator.enabled
+              name: argocd-cmd-params-cm
+              optional: true
         image: quay.io/argoproj/argocd:latest
         imagePullPolicy: Always
         livenessProbe:
@@ -3083,6 +3089,12 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: hydrator.enabled
+              name: argocd-cmd-params-cm
+              optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
         image: quay.io/argoproj/argocd:latest

manifests/install.yaml

@@ -25589,6 +25589,12 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: hydrator.enabled
+              name: argocd-cmd-params-cm
+              optional: true
         image: quay.io/argoproj/argocd:latest
         imagePullPolicy: Always
         livenessProbe:
@@ -25923,6 +25929,12 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: hydrator.enabled
+              name: argocd-cmd-params-cm
+              optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
         image: quay.io/argoproj/argocd:latest

manifests/namespace-install-with-hydrator/kustomization.yaml

@@ -0,0 +1,12 @@
+resources:
+  - ../namespace-install
+  - ../base/commit-server
+
+patches:
+  - target:
+      kind: ConfigMap
+      name: argocd-cmd-params-cm
+    patch: |-
+      - op: add
+        path: /data
+        value: {"hydrator.enabled": "true"}

manifests/namespace-install.yaml

@@ -1819,6 +1819,12 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: hydrator.enabled
+              name: argocd-cmd-params-cm
+              optional: true
         image: quay.io/argoproj/argocd:latest
         imagePullPolicy: Always
         livenessProbe:
@@ -2153,6 +2159,12 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_HYDRATOR_ENABLED
+          valueFrom:
+            configMapKeyRef:
+              key: hydrator.enabled
+              name: argocd-cmd-params-cm
+              optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
         image: quay.io/argoproj/argocd:latest

pkg/apiclient/repocreds/repocreds.pb.go

@@ -285,38 +285,43 @@ func init() {
 func init() { proto.RegisterFile("server/repocreds/repocreds.proto", fileDescriptor_b0b5fce4710a8821) }
 
 var fileDescriptor_b0b5fce4710a8821 = []byte{
-	// 481 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x94, 0xc1, 0x6a, 0x14, 0x31,
-	0x18, 0xc7, 0x49, 0xa5, 0xc5, 0x46, 0x90, 0x76, 0x0a, 0xb5, 0x3b, 0x5b, 0xd7, 0x35, 0x07, 0x29,
-	0x45, 0x13, 0x76, 0x05, 0x0f, 0x1e, 0x6d, 0xc1, 0x83, 0xbd, 0x38, 0xe2, 0x45, 0x10, 0x49, 0x67,
-	0x3e, 0xa6, 0xb1, 0x71, 0x12, 0x93, 0xcc, 0x48, 0x11, 0x11, 0x7c, 0x01, 0x0f, 0x5e, 0xc5, 0x17,
-	0xf0, 0x01, 0x7c, 0x05, 0x8f, 0x82, 0x2f, 0x20, 0x8b, 0x0f, 0x22, 0xc9, 0xee, 0xcc, 0xec, 0xd2,
-	0x39, 0xec, 0x61, 0xf1, 0xf6, 0x4d, 0xf2, 0xe5, 0x9f, 0xdf, 0x7f, 0xbe, 0xef, 0x0b, 0x1e, 0x5a,
-	0x30, 0x15, 0x18, 0x66, 0x40, 0xab, 0xd4, 0x40, 0x66, 0xdb, 0x88, 0x6a, 0xa3, 0x9c, 0x8a, 0x36,
-	0x9b, 0x85, 0x78, 0x3f, 0x57, 0x2a, 0x97, 0xc0, 0xb8, 0x16, 0x8c, 0x17, 0x85, 0x72, 0xdc, 0x09,
-	0x55, 0xcc, 0x12, 0xe3, 0x93, 0x5c, 0xb8, 0xb3, 0xf2, 0x94, 0xa6, 0xea, 0x0d, 0xe3, 0x26, 0x57,
-	0xda, 0xa8, 0xd7, 0x21, 0xb8, 0x97, 0x66, 0xac, 0x1a, 0x33, 0x7d, 0x9e, 0xfb, 0x93, 0x96, 0x71,
-	0xad, 0xa5, 0x48, 0xc3, 0x59, 0x56, 0x8d, 0xb8, 0xd4, 0x67, 0x7c, 0xc4, 0x72, 0x28, 0xc0, 0x70,
-	0x07, 0xd9, 0x54, 0x8d, 0x10, 0x7c, 0x3d, 0x01, 0xad, 0x8e, 0xfc, 0xc5, 0x4f, 0x4b, 0x30, 0x17,
-	0xd1, 0x16, 0xbe, 0x52, 0x1a, 0xb9, 0x87, 0x86, 0xe8, 0x60, 0x33, 0xf1, 0x21, 0x39, 0xc4, 0xbb,
-	0x4d, 0xce, 0x31, 0x48, 0x70, 0x90, 0xc0, 0xdb, 0x12, 0xac, 0xeb, 0xc8, 0xdd, 0xc1, 0xdb, 0x4d,
-	0x6e, 0x02, 0x56, 0xab, 0xc2, 0x02, 0xf9, 0x8c, 0xe6, 0x14, 0x8e, 0x0c, 0xf0, 0x56, 0xe1, 0x25,
-	0x5e, 0x0f, 0xa6, 0x83, 0xc6, 0xb5, 0xf1, 0x63, 0xda, 0xba, 0xa3, 0xb5, 0xbb, 0x10, 0xbc, 0x4a,
-	0x33, 0x5a, 0x8d, 0xa9, 0x3e, 0xcf, 0xa9, 0x77, 0x47, 0xe7, 0xdc, 0xd1, 0xda, 0x1d, 0x6d, 0xaf,
-	0x9e, 0xaa, 0x46, 0xbb, 0x78, 0xa3, 0xd4, 0x16, 0x8c, 0xdb, 0x5b, 0x1b, 0xa2, 0x83, 0xab, 0xc9,
-	0xec, 0x8b, 0xbc, 0x9b, 0x03, 0x7a, 0xae, 0xb3, 0xff, 0x06, 0x34, 0xfe, 0xba, 0x8e, 0xb7, 0x9a,
-	0xc5, 0x67, 0x60, 0x2a, 0x91, 0x42, 0xf4, 0x0d, 0xe1, 0xde, 0x89, 0xb0, 0xce, 0x6f, 0x58, 0xe1,
-	0x94, 0xb9, 0xf0, 0xdb, 0x50, 0x38, 0xc1, 0xa5, 0x8d, 0x7a, 0xb4, 0xed, 0x95, 0xc5, 0x5a, 0xc5,
-	0x4f, 0x56, 0x44, 0xe7, 0x2f, 0x27, 0xbd, 0x4f, 0xbf, 0xff, 0x7e, 0x59, 0xdb, 0x89, 0xb6, 0x43,
-	0xe3, 0x55, 0xa3, 0xb6, 0x45, 0xa3, 0xef, 0x08, 0xf7, 0xeb, 0xba, 0x75, 0x21, 0xde, 0xee, 0x42,
-	0x5c, 0x28, 0x74, 0xbc, 0xaa, 0x1f, 0x49, 0x86, 0x01, 0x33, 0x26, 0x97, 0x31, 0x1f, 0xce, 0x8a,
-	0xfe, 0x03, 0xe1, 0x7e, 0x5d, 0xd4, 0xa5, 0x69, 0x17, 0xba, 0x60, 0x75, 0xb4, 0x77, 0x03, 0xed,
-	0x9d, 0xf8, 0xe6, 0x25, 0x5a, 0xf6, 0x7e, 0x4a, 0x50, 0x1a, 0xf9, 0xa1, 0x26, 0xff, 0x88, 0xfb,
-	0xf5, 0x80, 0x2d, 0x0d, 0xbe, 0x30, 0x91, 0xf1, 0x7e, 0x57, 0x4a, 0x33, 0x88, 0xb7, 0x02, 0x4d,
-	0xef, 0xf0, 0x46, 0x07, 0x8d, 0xe7, 0x78, 0x74, 0xfc, 0x73, 0x32, 0x40, 0xbf, 0x26, 0x03, 0xf4,
-	0x67, 0x32, 0x40, 0x2f, 0x1e, 0x2c, 0xf7, 0xd4, 0xa4, 0x52, 0x40, 0xe1, 0x5a, 0xad, 0xd3, 0x8d,
-	0xf0, 0xb6, 0xdc, 0xff, 0x17, 0x00, 0x00, 0xff, 0xff, 0x10, 0xaa, 0x0b, 0x07, 0xf6, 0x04, 0x00,
-	0x00,
+	// 570 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xc4, 0x95, 0x41, 0x6b, 0xd4, 0x40,
+	0x14, 0xc7, 0x99, 0x8a, 0xc5, 0x8e, 0x20, 0x6d, 0x0a, 0x6d, 0x37, 0xdb, 0x6e, 0x63, 0xc4, 0x52,
+	0x96, 0x76, 0xc2, 0xae, 0xe0, 0xc1, 0xa3, 0x2d, 0x78, 0xb0, 0x17, 0x57, 0x44, 0x10, 0x44, 0xa6,
+	0xd9, 0x47, 0x3a, 0x36, 0x66, 0xc6, 0x99, 0x49, 0x4a, 0x11, 0x11, 0x3c, 0x7a, 0xf1, 0xe0, 0xdd,
+	0xbb, 0x78, 0xd7, 0xbb, 0x27, 0x8f, 0x42, 0xbf, 0x80, 0x2c, 0x7e, 0x10, 0x99, 0xc9, 0x66, 0xb3,
+	0x4b, 0xb3, 0xb2, 0x0b, 0x6b, 0x7b, 0x7b, 0x49, 0x5e, 0xde, 0xfb, 0xfd, 0xff, 0xf3, 0x66, 0x06,
+	0x7b, 0x0a, 0x64, 0x06, 0x32, 0x90, 0x20, 0x78, 0x28, 0xa1, 0xab, 0xca, 0x88, 0x08, 0xc9, 0x35,
+	0x77, 0x16, 0x06, 0x2f, 0xdc, 0xf5, 0x88, 0xf3, 0x28, 0x86, 0x80, 0x0a, 0x16, 0xd0, 0x24, 0xe1,
+	0x9a, 0x6a, 0xc6, 0x93, 0x7e, 0xa2, 0x7b, 0x10, 0x31, 0x7d, 0x94, 0x1e, 0x92, 0x90, 0xbf, 0x0a,
+	0xa8, 0x8c, 0xb8, 0x90, 0xfc, 0xa5, 0x0d, 0x76, 0xc3, 0x6e, 0x90, 0xb5, 0x03, 0x71, 0x1c, 0x99,
+	0x3f, 0x55, 0x40, 0x85, 0x88, 0x59, 0x68, 0xff, 0x0d, 0xb2, 0x16, 0x8d, 0xc5, 0x11, 0x6d, 0x05,
+	0x11, 0x24, 0x20, 0xa9, 0x86, 0x6e, 0x5e, 0xcd, 0xf7, 0xf1, 0x8d, 0x0e, 0x08, 0xbe, 0x67, 0x1a,
+	0x3f, 0x4a, 0x41, 0x9e, 0x3a, 0x8b, 0xf8, 0x4a, 0x2a, 0xe3, 0x35, 0xe4, 0xa1, 0xed, 0x85, 0x8e,
+	0x09, 0xfd, 0x26, 0x5e, 0x19, 0xe4, 0xec, 0x43, 0x0c, 0x1a, 0x3a, 0xf0, 0x3a, 0x05, 0xa5, 0x2b,
+	0x72, 0x97, 0xf1, 0xd2, 0x20, 0xb7, 0x03, 0x4a, 0xf0, 0x44, 0x81, 0xff, 0x11, 0x0d, 0x55, 0xd8,
+	0x93, 0x40, 0xcb, 0x0a, 0xcf, 0xf1, 0x55, 0x2b, 0xda, 0xd6, 0xb8, 0xde, 0x7e, 0x40, 0x4a, 0x75,
+	0xa4, 0x50, 0x67, 0x83, 0x17, 0x61, 0x97, 0x64, 0x6d, 0x22, 0x8e, 0x23, 0x62, 0xd4, 0x91, 0x21,
+	0x75, 0xa4, 0x50, 0x47, 0xca, 0xd6, 0x79, 0x55, 0x67, 0x05, 0xcf, 0xa7, 0x42, 0x81, 0xd4, 0x6b,
+	0x73, 0x1e, 0xda, 0xbe, 0xd6, 0xe9, 0x3f, 0xf9, 0x27, 0x43, 0x40, 0x4f, 0x44, 0xf7, 0xc2, 0x80,
+	0xda, 0x67, 0x18, 0x2f, 0x0e, 0x5e, 0x3e, 0x06, 0x99, 0xb1, 0x10, 0x9c, 0xcf, 0x08, 0xd7, 0x0e,
+	0x98, 0xd2, 0xe6, 0x83, 0x62, 0x9a, 0xcb, 0x53, 0xf3, 0x19, 0x12, 0xcd, 0x68, 0xac, 0x9c, 0x1a,
+	0x29, 0x67, 0x65, 0x74, 0xad, 0xdc, 0x87, 0x33, 0xa2, 0x33, 0xcd, 0xfd, 0xda, 0xfb, 0xb3, 0x3f,
+	0x9f, 0xe6, 0x96, 0x9d, 0x25, 0x3b, 0x78, 0x59, 0xab, 0x1c, 0x51, 0xe7, 0x0b, 0xc2, 0x0d, 0x93,
+	0xf3, 0x54, 0x32, 0xe3, 0xd4, 0x65, 0x52, 0x6e, 0x5a, 0xca, 0x9a, 0xb3, 0x5a, 0x50, 0x9e, 0x18,
+	0xa6, 0xdd, 0x92, 0xf5, 0x2b, 0xc2, 0xf5, 0x62, 0xc6, 0xaa, 0x40, 0x6f, 0x56, 0x81, 0x8e, 0x0c,
+	0xa5, 0x3b, 0xab, 0x45, 0xf7, 0x3d, 0x0b, 0xeb, 0xfa, 0xe7, 0x2d, 0xbd, 0xd7, 0x1f, 0xd0, 0x6f,
+	0x08, 0x7b, 0x79, 0xf3, 0x7f, 0x78, 0x7b, 0x91, 0xc8, 0x5b, 0x16, 0xd9, 0xf3, 0xc7, 0xf9, 0x5b,
+	0x80, 0x7f, 0x47, 0xb8, 0x5e, 0xec, 0x9c, 0x89, 0x99, 0x47, 0xb6, 0xda, 0xec, 0x98, 0x77, 0x2c,
+	0xf3, 0x96, 0xbb, 0x71, 0xce, 0xe6, 0xe0, 0x4d, 0x4e, 0x90, 0xca, 0xf8, 0x6d, 0x41, 0xfe, 0x03,
+	0x61, 0x2f, 0x07, 0x99, 0xd6, 0xf2, 0xff, 0x84, 0xdf, 0xb6, 0xf8, 0x3b, 0xee, 0xad, 0x31, 0x96,
+	0x57, 0x89, 0x78, 0x87, 0xeb, 0xc5, 0x51, 0x3c, 0x31, 0xfe, 0xc8, 0xd9, 0xed, 0xae, 0x57, 0xa5,
+	0x0c, 0x8e, 0xec, 0xfe, 0x36, 0x6b, 0xae, 0x56, 0x58, 0x6a, 0x38, 0x9c, 0x0f, 0x08, 0x7b, 0x79,
+	0xc1, 0x69, 0x5d, 0x9c, 0x06, 0xe3, 0xb6, 0xc5, 0xd8, 0x6c, 0x6e, 0x8c, 0xb5, 0xc6, 0xc0, 0xdc,
+	0xdf, 0xff, 0xd9, 0x6b, 0xa0, 0x5f, 0xbd, 0x06, 0xfa, 0xdd, 0x6b, 0xa0, 0x67, 0x77, 0x27, 0xbb,
+	0x21, 0xc3, 0x98, 0x41, 0xa2, 0x4b, 0x61, 0x87, 0xf3, 0xf6, 0x4a, 0xbc, 0xf3, 0x37, 0x00, 0x00,
+	0xff, 0xff, 0xe4, 0x00, 0xe9, 0x59, 0xad, 0x07, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -333,12 +338,20 @@ const _ = grpc.SupportPackageIsVersion4
 type RepoCredsServiceClient interface {
 	// ListRepositoryCredentials gets a list of all configured repository credential sets
 	ListRepositoryCredentials(ctx context.Context, in *RepoCredsQuery, opts ...grpc.CallOption) (*v1alpha1.RepoCredsList, error)
+	//ListWriteRepositoryCredentials gets a list of all configured repository credential sets that have write access
+	ListWriteRepositoryCredentials(ctx context.Context, in *RepoCredsQuery, opts ...grpc.CallOption) (*v1alpha1.RepoCredsList, error)
 	// CreateRepositoryCredentials creates a new repository credential set
 	CreateRepositoryCredentials(ctx context.Context, in *RepoCredsCreateRequest, opts ...grpc.CallOption) (*v1alpha1.RepoCreds, error)
+	// CreateWriteRepositoryCredentials creates a new repository credential set with write access
+	CreateWriteRepositoryCredentials(ctx context.Context, in *RepoCredsCreateRequest, opts ...grpc.CallOption) (*v1alpha1.RepoCreds, error)
 	// UpdateRepositoryCredentials updates a repository credential set
 	UpdateRepositoryCredentials(ctx context.Context, in *RepoCredsUpdateRequest, opts ...grpc.CallOption) (*v1alpha1.RepoCreds, error)
+	// UpdateWriteRepositoryCredentials updates a repository credential set with write access
+	UpdateWriteRepositoryCredentials(ctx context.Context, in *RepoCredsUpdateRequest, opts ...grpc.CallOption) (*v1alpha1.RepoCreds, error)
 	// DeleteRepositoryCredentials deletes a repository credential set from the configuration
 	DeleteRepositoryCredentials(ctx context.Context, in *RepoCredsDeleteRequest, opts ...grpc.CallOption) (*RepoCredsResponse, error)
+	// DeleteWriteRepositoryCredentials deletes a repository credential set with write access from the configuration
+	DeleteWriteRepositoryCredentials(ctx context.Context, in *RepoCredsDeleteRequest, opts ...grpc.CallOption) (*RepoCredsResponse, error)
 }
 
 type repoCredsServiceClient struct {
@@ -358,6 +371,15 @@ func (c *repoCredsServiceClient) ListRepositoryCredentials(ctx context.Context,
 	return out, nil
 }
 
+func (c *repoCredsServiceClient) ListWriteRepositoryCredentials(ctx context.Context, in *RepoCredsQuery, opts ...grpc.CallOption) (*v1alpha1.RepoCredsList, error) {
+	out := new(v1alpha1.RepoCredsList)
+	err := c.cc.Invoke(ctx, "/repocreds.RepoCredsService/ListWriteRepositoryCredentials", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *repoCredsServiceClient) CreateRepositoryCredentials(ctx context.Context, in *RepoCredsCreateRequest, opts ...grpc.CallOption) (*v1alpha1.RepoCreds, error) {
 	out := new(v1alpha1.RepoCreds)
 	err := c.cc.Invoke(ctx, "/repocreds.RepoCredsService/CreateRepositoryCredentials", in, out, opts...)
@@ -367,6 +389,15 @@ func (c *repoCredsServiceClient) CreateRepositoryCredentials(ctx context.Context
 	return out, nil
 }
 
+func (c *repoCredsServiceClient) CreateWriteRepositoryCredentials(ctx context.Context, in *RepoCredsCreateRequest, opts ...grpc.CallOption) (*v1alpha1.RepoCreds, error) {
+	out := new(v1alpha1.RepoCreds)
+	err := c.cc.Invoke(ctx, "/repocreds.RepoCredsService/CreateWriteRepositoryCredentials", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *repoCredsServiceClient) UpdateRepositoryCredentials(ctx context.Context, in *RepoCredsUpdateRequest, opts ...grpc.CallOption) (*v1alpha1.RepoCreds, error) {
 	out := new(v1alpha1.RepoCreds)
 	err := c.cc.Invoke(ctx, "/repocreds.RepoCredsService/UpdateRepositoryCredentials", in, out, opts...)
@@ -376,6 +407,15 @@ func (c *repoCredsServiceClient) UpdateRepositoryCredentials(ctx context.Context
 	return out, nil
 }
 
+func (c *repoCredsServiceClient) UpdateWriteRepositoryCredentials(ctx context.Context, in *RepoCredsUpdateRequest, opts ...grpc.CallOption) (*v1alpha1.RepoCreds, error) {
+	out := new(v1alpha1.RepoCreds)
+	err := c.cc.Invoke(ctx, "/repocreds.RepoCredsService/UpdateWriteRepositoryCredentials", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *repoCredsServiceClient) DeleteRepositoryCredentials(ctx context.Context, in *RepoCredsDeleteRequest, opts ...grpc.CallOption) (*RepoCredsResponse, error) {
 	out := new(RepoCredsResponse)
 	err := c.cc.Invoke(ctx, "/repocreds.RepoCredsService/DeleteRepositoryCredentials", in, out, opts...)
@@ -385,16 +425,33 @@ func (c *repoCredsServiceClient) DeleteRepositoryCredentials(ctx context.Context
 	return out, nil
 }
 
+func (c *repoCredsServiceClient) DeleteWriteRepositoryCredentials(ctx context.Context, in *RepoCredsDeleteRequest, opts ...grpc.CallOption) (*RepoCredsResponse, error) {
+	out := new(RepoCredsResponse)
+	err := c.cc.Invoke(ctx, "/repocreds.RepoCredsService/DeleteWriteRepositoryCredentials", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // RepoCredsServiceServer is the server API for RepoCredsService service.
 type RepoCredsServiceServer interface {
 	// ListRepositoryCredentials gets a list of all configured repository credential sets
 	ListRepositoryCredentials(context.Context, *RepoCredsQuery) (*v1alpha1.RepoCredsList, error)
+	//ListWriteRepositoryCredentials gets a list of all configured repository credential sets that have write access
+	ListWriteRepositoryCredentials(context.Context, *RepoCredsQuery) (*v1alpha1.RepoCredsList, error)
 	// CreateRepositoryCredentials creates a new repository credential set
 	CreateRepositoryCredentials(context.Context, *RepoCredsCreateRequest) (*v1alpha1.RepoCreds, error)
+	// CreateWriteRepositoryCredentials creates a new repository credential set with write access
+	CreateWriteRepositoryCredentials(context.Context, *RepoCredsCreateRequest) (*v1alpha1.RepoCreds, error)
 	// UpdateRepositoryCredentials updates a repository credential set
 	UpdateRepositoryCredentials(context.Context, *RepoCredsUpdateRequest) (*v1alpha1.RepoCreds, error)
+	// UpdateWriteRepositoryCredentials updates a repository credential set with write access
+	UpdateWriteRepositoryCredentials(context.Context, *RepoCredsUpdateRequest) (*v1alpha1.RepoCreds, error)
 	// DeleteRepositoryCredentials deletes a repository credential set from the configuration
 	DeleteRepositoryCredentials(context.Context, *RepoCredsDeleteRequest) (*RepoCredsResponse, error)
+	// DeleteWriteRepositoryCredentials deletes a repository credential set with write access from the configuration
+	DeleteWriteRepositoryCredentials(context.Context, *RepoCredsDeleteRequest) (*RepoCredsResponse, error)
 }
 
 // UnimplementedRepoCredsServiceServer can be embedded to have forward compatible implementations.
@@ -404,15 +461,27 @@ type UnimplementedRepoCredsServiceServer struct {
 func (*UnimplementedRepoCredsServiceServer) ListRepositoryCredentials(ctx context.Context, req *RepoCredsQuery) (*v1alpha1.RepoCredsList, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListRepositoryCredentials not implemented")
 }
+func (*UnimplementedRepoCredsServiceServer) ListWriteRepositoryCredentials(ctx context.Context, req *RepoCredsQuery) (*v1alpha1.RepoCredsList, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListWriteRepositoryCredentials not implemented")
+}
 func (*UnimplementedRepoCredsServiceServer) CreateRepositoryCredentials(ctx context.Context, req *RepoCredsCreateRequest) (*v1alpha1.RepoCreds, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method CreateRepositoryCredentials not implemented")
 }
+func (*UnimplementedRepoCredsServiceServer) CreateWriteRepositoryCredentials(ctx context.Context, req *RepoCredsCreateRequest) (*v1alpha1.RepoCreds, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateWriteRepositoryCredentials not implemented")
+}
 func (*UnimplementedRepoCredsServiceServer) UpdateRepositoryCredentials(ctx context.Context, req *RepoCredsUpdateRequest) (*v1alpha1.RepoCreds, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method UpdateRepositoryCredentials not implemented")
 }
+func (*UnimplementedRepoCredsServiceServer) UpdateWriteRepositoryCredentials(ctx context.Context, req *RepoCredsUpdateRequest) (*v1alpha1.RepoCreds, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateWriteRepositoryCredentials not implemented")
+}
 func (*UnimplementedRepoCredsServiceServer) DeleteRepositoryCredentials(ctx context.Context, req *RepoCredsDeleteRequest) (*RepoCredsResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DeleteRepositoryCredentials not implemented")
 }
+func (*UnimplementedRepoCredsServiceServer) DeleteWriteRepositoryCredentials(ctx context.Context, req *RepoCredsDeleteRequest) (*RepoCredsResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteWriteRepositoryCredentials not implemented")
+}
 
 func RegisterRepoCredsServiceServer(s *grpc.Server, srv RepoCredsServiceServer) {
 	s.RegisterService(&_RepoCredsService_serviceDesc, srv)
@@ -436,6 +505,24 @@ func _RepoCredsService_ListRepositoryCredentials_Handler(srv interface{}, ctx co
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepoCredsService_ListWriteRepositoryCredentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoCredsQuery)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepoCredsServiceServer).ListWriteRepositoryCredentials(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repocreds.RepoCredsService/ListWriteRepositoryCredentials",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepoCredsServiceServer).ListWriteRepositoryCredentials(ctx, req.(*RepoCredsQuery))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _RepoCredsService_CreateRepositoryCredentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RepoCredsCreateRequest)
 	if err := dec(in); err != nil {
@@ -454,6 +541,24 @@ func _RepoCredsService_CreateRepositoryCredentials_Handler(srv interface{}, ctx
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepoCredsService_CreateWriteRepositoryCredentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoCredsCreateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepoCredsServiceServer).CreateWriteRepositoryCredentials(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repocreds.RepoCredsService/CreateWriteRepositoryCredentials",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepoCredsServiceServer).CreateWriteRepositoryCredentials(ctx, req.(*RepoCredsCreateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _RepoCredsService_UpdateRepositoryCredentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RepoCredsUpdateRequest)
 	if err := dec(in); err != nil {
@@ -472,6 +577,24 @@ func _RepoCredsService_UpdateRepositoryCredentials_Handler(srv interface{}, ctx
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepoCredsService_UpdateWriteRepositoryCredentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoCredsUpdateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepoCredsServiceServer).UpdateWriteRepositoryCredentials(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repocreds.RepoCredsService/UpdateWriteRepositoryCredentials",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepoCredsServiceServer).UpdateWriteRepositoryCredentials(ctx, req.(*RepoCredsUpdateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _RepoCredsService_DeleteRepositoryCredentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RepoCredsDeleteRequest)
 	if err := dec(in); err != nil {
@@ -490,6 +613,24 @@ func _RepoCredsService_DeleteRepositoryCredentials_Handler(srv interface{}, ctx
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepoCredsService_DeleteWriteRepositoryCredentials_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoCredsDeleteRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepoCredsServiceServer).DeleteWriteRepositoryCredentials(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repocreds.RepoCredsService/DeleteWriteRepositoryCredentials",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepoCredsServiceServer).DeleteWriteRepositoryCredentials(ctx, req.(*RepoCredsDeleteRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 var _RepoCredsService_serviceDesc = grpc.ServiceDesc{
 	ServiceName: "repocreds.RepoCredsService",
 	HandlerType: (*RepoCredsServiceServer)(nil),
@@ -498,18 +639,34 @@ var _RepoCredsService_serviceDesc = grpc.ServiceDesc{
 			MethodName: "ListRepositoryCredentials",
 			Handler:    _RepoCredsService_ListRepositoryCredentials_Handler,
 		},
+		{
+			MethodName: "ListWriteRepositoryCredentials",
+			Handler:    _RepoCredsService_ListWriteRepositoryCredentials_Handler,
+		},
 		{
 			MethodName: "CreateRepositoryCredentials",
 			Handler:    _RepoCredsService_CreateRepositoryCredentials_Handler,
 		},
+		{
+			MethodName: "CreateWriteRepositoryCredentials",
+			Handler:    _RepoCredsService_CreateWriteRepositoryCredentials_Handler,
+		},
 		{
 			MethodName: "UpdateRepositoryCredentials",
 			Handler:    _RepoCredsService_UpdateRepositoryCredentials_Handler,
 		},
+		{
+			MethodName: "UpdateWriteRepositoryCredentials",
+			Handler:    _RepoCredsService_UpdateWriteRepositoryCredentials_Handler,
+		},
 		{
 			MethodName: "DeleteRepositoryCredentials",
 			Handler:    _RepoCredsService_DeleteRepositoryCredentials_Handler,
 		},
+		{
+			MethodName: "DeleteWriteRepositoryCredentials",
+			Handler:    _RepoCredsService_DeleteWriteRepositoryCredentials_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "server/repocreds/repocreds.proto",

pkg/apiclient/repocreds/repocreds.pb.gw.go

@@ -69,6 +69,42 @@ func local_request_RepoCredsService_ListRepositoryCredentials_0(ctx context.Cont
 
 }
 
+var (
+	filter_RepoCredsService_ListWriteRepositoryCredentials_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
+
+func request_RepoCredsService_ListWriteRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, client RepoCredsServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCredsQuery
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepoCredsService_ListWriteRepositoryCredentials_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.ListWriteRepositoryCredentials(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepoCredsService_ListWriteRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, server RepoCredsServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCredsQuery
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepoCredsService_ListWriteRepositoryCredentials_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.ListWriteRepositoryCredentials(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 var (
 	filter_RepoCredsService_CreateRepositoryCredentials_0 = &utilities.DoubleArray{Encoding: map[string]int{"creds": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
 )
@@ -121,6 +157,58 @@ func local_request_RepoCredsService_CreateRepositoryCredentials_0(ctx context.Co
 
 }
 
+var (
+	filter_RepoCredsService_CreateWriteRepositoryCredentials_0 = &utilities.DoubleArray{Encoding: map[string]int{"creds": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
+)
+
+func request_RepoCredsService_CreateWriteRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, client RepoCredsServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCredsCreateRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Creds); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepoCredsService_CreateWriteRepositoryCredentials_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.CreateWriteRepositoryCredentials(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepoCredsService_CreateWriteRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, server RepoCredsServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCredsCreateRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Creds); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepoCredsService_CreateWriteRepositoryCredentials_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.CreateWriteRepositoryCredentials(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 func request_RepoCredsService_UpdateRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, client RepoCredsServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq RepoCredsUpdateRequest
 	var metadata runtime.ServerMetadata
@@ -191,6 +279,76 @@ func local_request_RepoCredsService_UpdateRepositoryCredentials_0(ctx context.Co
 
 }
 
+func request_RepoCredsService_UpdateWriteRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, client RepoCredsServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCredsUpdateRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Creds); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["creds.url"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "creds.url")
+	}
+
+	err = runtime.PopulateFieldFromPath(&protoReq, "creds.url", val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "creds.url", err)
+	}
+
+	msg, err := client.UpdateWriteRepositoryCredentials(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepoCredsService_UpdateWriteRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, server RepoCredsServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCredsUpdateRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Creds); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["creds.url"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "creds.url")
+	}
+
+	err = runtime.PopulateFieldFromPath(&protoReq, "creds.url", val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "creds.url", err)
+	}
+
+	msg, err := server.UpdateWriteRepositoryCredentials(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 func request_RepoCredsService_DeleteRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, client RepoCredsServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq RepoCredsDeleteRequest
 	var metadata runtime.ServerMetadata
@@ -245,6 +403,60 @@ func local_request_RepoCredsService_DeleteRepositoryCredentials_0(ctx context.Co
 
 }
 
+func request_RepoCredsService_DeleteWriteRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, client RepoCredsServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCredsDeleteRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["url"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "url")
+	}
+
+	protoReq.Url, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "url", err)
+	}
+
+	msg, err := client.DeleteWriteRepositoryCredentials(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepoCredsService_DeleteWriteRepositoryCredentials_0(ctx context.Context, marshaler runtime.Marshaler, server RepoCredsServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCredsDeleteRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["url"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "url")
+	}
+
+	protoReq.Url, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "url", err)
+	}
+
+	msg, err := server.DeleteWriteRepositoryCredentials(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 // RegisterRepoCredsServiceHandlerServer registers the http handlers for service RepoCredsService to "mux".
 // UnaryRPC     :call RepoCredsServiceServer directly.
 // StreamingRPC :currently unsupported pending https://github.com/grpc/grpc-go/issues/906.
@@ -274,6 +486,29 @@ func RegisterRepoCredsServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 
 	})
 
+	mux.Handle("GET", pattern_RepoCredsService_ListWriteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepoCredsService_ListWriteRepositoryCredentials_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepoCredsService_ListWriteRepositoryCredentials_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("POST", pattern_RepoCredsService_CreateRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -297,6 +532,29 @@ func RegisterRepoCredsServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 
 	})
 
+	mux.Handle("POST", pattern_RepoCredsService_CreateWriteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepoCredsService_CreateWriteRepositoryCredentials_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepoCredsService_CreateWriteRepositoryCredentials_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("PUT", pattern_RepoCredsService_UpdateRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -320,6 +578,29 @@ func RegisterRepoCredsServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 
 	})
 
+	mux.Handle("PUT", pattern_RepoCredsService_UpdateWriteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepoCredsService_UpdateWriteRepositoryCredentials_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepoCredsService_UpdateWriteRepositoryCredentials_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("DELETE", pattern_RepoCredsService_DeleteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -343,6 +624,29 @@ func RegisterRepoCredsServiceHandlerServer(ctx context.Context, mux *runtime.Ser
 
 	})
 
+	mux.Handle("DELETE", pattern_RepoCredsService_DeleteWriteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepoCredsService_DeleteWriteRepositoryCredentials_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepoCredsService_DeleteWriteRepositoryCredentials_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	return nil
 }
 
@@ -404,6 +708,26 @@ func RegisterRepoCredsServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 
 	})
 
+	mux.Handle("GET", pattern_RepoCredsService_ListWriteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepoCredsService_ListWriteRepositoryCredentials_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepoCredsService_ListWriteRepositoryCredentials_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("POST", pattern_RepoCredsService_CreateRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -424,6 +748,26 @@ func RegisterRepoCredsServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 
 	})
 
+	mux.Handle("POST", pattern_RepoCredsService_CreateWriteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepoCredsService_CreateWriteRepositoryCredentials_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepoCredsService_CreateWriteRepositoryCredentials_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("PUT", pattern_RepoCredsService_UpdateRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -444,6 +788,26 @@ func RegisterRepoCredsServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 
 	})
 
+	mux.Handle("PUT", pattern_RepoCredsService_UpdateWriteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepoCredsService_UpdateWriteRepositoryCredentials_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepoCredsService_UpdateWriteRepositoryCredentials_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("DELETE", pattern_RepoCredsService_DeleteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -464,25 +828,61 @@ func RegisterRepoCredsServiceHandlerClient(ctx context.Context, mux *runtime.Ser
 
 	})
 
+	mux.Handle("DELETE", pattern_RepoCredsService_DeleteWriteRepositoryCredentials_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepoCredsService_DeleteWriteRepositoryCredentials_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepoCredsService_DeleteWriteRepositoryCredentials_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	return nil
 }
 
 var (
 	pattern_RepoCredsService_ListRepositoryCredentials_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "repocreds"}, "", runtime.AssumeColonVerbOpt(true)))
 
+	pattern_RepoCredsService_ListWriteRepositoryCredentials_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "write-repocreds"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_RepoCredsService_CreateRepositoryCredentials_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "repocreds"}, "", runtime.AssumeColonVerbOpt(true)))
 
+	pattern_RepoCredsService_CreateWriteRepositoryCredentials_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "write-repocreds"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_RepoCredsService_UpdateRepositoryCredentials_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "repocreds", "creds.url"}, "", runtime.AssumeColonVerbOpt(true)))
 
+	pattern_RepoCredsService_UpdateWriteRepositoryCredentials_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "write-repocreds", "creds.url"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_RepoCredsService_DeleteRepositoryCredentials_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "repocreds", "url"}, "", runtime.AssumeColonVerbOpt(true)))
+
+	pattern_RepoCredsService_DeleteWriteRepositoryCredentials_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "write-repocreds", "url"}, "", runtime.AssumeColonVerbOpt(true)))
 )
 
 var (
 	forward_RepoCredsService_ListRepositoryCredentials_0 = runtime.ForwardResponseMessage
 
+	forward_RepoCredsService_ListWriteRepositoryCredentials_0 = runtime.ForwardResponseMessage
+
 	forward_RepoCredsService_CreateRepositoryCredentials_0 = runtime.ForwardResponseMessage
 
+	forward_RepoCredsService_CreateWriteRepositoryCredentials_0 = runtime.ForwardResponseMessage
+
 	forward_RepoCredsService_UpdateRepositoryCredentials_0 = runtime.ForwardResponseMessage
 
+	forward_RepoCredsService_UpdateWriteRepositoryCredentials_0 = runtime.ForwardResponseMessage
+
 	forward_RepoCredsService_DeleteRepositoryCredentials_0 = runtime.ForwardResponseMessage
+
+	forward_RepoCredsService_DeleteWriteRepositoryCredentials_0 = runtime.ForwardResponseMessage
 )

pkg/apiclient/repository/repository.pb.go

@@ -730,81 +730,89 @@ func init() {
 }
 
 var fileDescriptor_8d38260443475705 = []byte{
-	// 1178 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x57, 0x5d, 0x6f, 0x1b, 0x45,
-	0x17, 0xd6, 0x26, 0x8d, 0x93, 0x9c, 0x7c, 0xd4, 0x99, 0xe4, 0xed, 0xbb, 0xb8, 0x6e, 0x1a, 0x6d,
-	0x4b, 0x15, 0xa2, 0xb2, 0x6e, 0x8c, 0x10, 0xa8, 0x08, 0x24, 0xe7, 0x43, 0x4d, 0x44, 0x44, 0xca,
-	0x56, 0xe1, 0x02, 0x81, 0xd0, 0x64, 0x7d, 0x62, 0x6f, 0xbb, 0xde, 0x9d, 0xce, 0x8c, 0x4d, 0xad,
-	0xaa, 0x37, 0x5c, 0x21, 0xc1, 0x0d, 0x42, 0x48, 0xdc, 0x21, 0x24, 0x24, 0x2e, 0xf8, 0x23, 0x5c,
-	0x22, 0xf1, 0x07, 0x50, 0xc4, 0x8f, 0xe0, 0x0a, 0xa1, 0x99, 0x59, 0xef, 0xae, 0x13, 0xdb, 0x49,
-	0x45, 0xc8, 0xdd, 0xcc, 0x73, 0xce, 0x9e, 0xf3, 0xcc, 0xb3, 0xe7, 0x9c, 0x9d, 0x05, 0x47, 0x20,
-	0xef, 0x20, 0xaf, 0x70, 0x64, 0xb1, 0x08, 0x64, 0xcc, 0xbb, 0xb9, 0xa5, 0xcb, 0x78, 0x2c, 0x63,
-	0x02, 0x19, 0x52, 0x2a, 0x37, 0xe2, 0xb8, 0x11, 0x62, 0x85, 0xb2, 0xa0, 0x42, 0xa3, 0x28, 0x96,
-	0x54, 0x06, 0x71, 0x24, 0x8c, 0x67, 0x69, 0xaf, 0x11, 0xc8, 0x66, 0xfb, 0xd0, 0xf5, 0xe3, 0x56,
-	0x85, 0xf2, 0x46, 0xcc, 0x78, 0xfc, 0x58, 0x2f, 0x5e, 0xf7, 0xeb, 0x95, 0x4e, 0xb5, 0xc2, 0x9e,
-	0x34, 0xd4, 0x93, 0xa2, 0x42, 0x19, 0x0b, 0x03, 0x5f, 0x3f, 0x5b, 0xe9, 0xac, 0xd3, 0x90, 0x35,
-	0xe9, 0x7a, 0xa5, 0x81, 0x11, 0x72, 0x2a, 0xb1, 0x9e, 0x44, 0xdb, 0x3e, 0x23, 0x9a, 0xa6, 0x75,
-	0x26, 0x7d, 0xa7, 0x0b, 0x73, 0x1e, 0xb2, 0xb8, 0xc6, 0x98, 0xf8, 0xb0, 0x8d, 0xbc, 0x4b, 0x08,
-	0x5c, 0x51, 0x4e, 0xb6, 0xb5, 0x62, 0xad, 0x4e, 0x7b, 0x7a, 0x4d, 0x4a, 0x30, 0xc5, 0xb1, 0x13,
-	0x88, 0x20, 0x8e, 0xec, 0x31, 0x8d, 0xa7, 0x7b, 0x62, 0xc3, 0x24, 0x65, 0xec, 0x03, 0xda, 0x42,
-	0x7b, 0x5c, 0x9b, 0x7a, 0x5b, 0xb2, 0x0c, 0x40, 0x19, 0x7b, 0xc8, 0xe3, 0xc7, 0xe8, 0x4b, 0xfb,
-	0x8a, 0x36, 0xe6, 0x10, 0x67, 0x1d, 0x26, 0x6b, 0x8c, 0xed, 0x46, 0x47, 0xb1, 0x4a, 0x2a, 0xbb,
-	0x0c, 0x7b, 0x49, 0xd5, 0x5a, 0x61, 0x8c, 0xca, 0x66, 0x92, 0x50, 0xaf, 0x9d, 0xbf, 0x2c, 0x58,
-	0x4c, 0xe8, 0x6e, 0xa1, 0xa4, 0x41, 0x98, 0x90, 0x6e, 0x40, 0x41, 0xc4, 0x6d, 0xee, 0x9b, 0x08,
-	0x33, 0xd5, 0x7d, 0x37, 0x53, 0xc7, 0xed, 0xa9, 0xa3, 0x17, 0x9f, 0xf9, 0x75, 0xb7, 0x53, 0x75,
-	0xd9, 0x93, 0x86, 0xab, 0xb4, 0x76, 0x73, 0x5a, 0xbb, 0x3d, 0xad, 0xdd, 0x5a, 0x06, 0x3e, 0xd2,
-	0x61, 0xbd, 0x24, 0x7c, 0xfe, 0xb4, 0x63, 0xa3, 0x4e, 0x3b, 0x7e, 0xf2, 0xb4, 0x64, 0x05, 0x66,
-	0x4c, 0x8c, 0xdd, 0xa8, 0x8e, 0xcf, 0xb4, 0x1c, 0x13, 0x5e, 0x1e, 0x22, 0x65, 0x98, 0xee, 0x20,
-	0x57, 0xa2, 0xee, 0xd6, 0xed, 0x09, 0x6d, 0xcf, 0x00, 0xe7, 0x5d, 0x28, 0xf6, 0x5e, 0x94, 0x87,
-	0x82, 0xc5, 0x91, 0x40, 0xf2, 0x1a, 0x4c, 0x04, 0x12, 0x5b, 0xc2, 0xb6, 0x56, 0xc6, 0x57, 0x67,
-	0xaa, 0x8b, 0x6e, 0xee, 0xf5, 0x26, 0xd2, 0x7a, 0xc6, 0xc3, 0xf1, 0x61, 0x5a, 0x3d, 0x3e, 0xfc,
-	0x1d, 0x3b, 0x30, 0x7b, 0x14, 0xab, 0xa3, 0xe2, 0x11, 0x47, 0x61, 0x64, 0x9f, 0xf2, 0xfa, 0xb0,
-	0xb3, 0xce, 0xe8, 0xfc, 0x38, 0x01, 0x57, 0x35, 0x49, 0xdf, 0x47, 0x31, 0xba, 0x9e, 0xda, 0x02,
-	0x79, 0x94, 0xc9, 0x98, 0xee, 0x95, 0x8d, 0x51, 0x21, 0x3e, 0x8f, 0x79, 0x3d, 0xc9, 0x90, 0xee,
-	0xc9, 0x6d, 0x98, 0x13, 0xa2, 0xf9, 0x90, 0x07, 0x1d, 0x2a, 0xf1, 0x7d, 0xec, 0x26, 0x45, 0xd5,
-	0x0f, 0xaa, 0x08, 0x41, 0x24, 0xd0, 0x6f, 0x73, 0xd4, 0x32, 0x4e, 0x79, 0xe9, 0x9e, 0xdc, 0x85,
-	0x05, 0x19, 0x8a, 0xcd, 0x30, 0xc0, 0x48, 0x6e, 0x22, 0x97, 0x5b, 0x54, 0x52, 0xbb, 0xa0, 0xa3,
-	0x9c, 0x36, 0x90, 0x35, 0x28, 0xf6, 0x81, 0x2a, 0xe5, 0xa4, 0x76, 0x3e, 0x85, 0xa7, 0x25, 0x3c,
-	0xdd, 0x5f, 0xc2, 0xfa, 0x8c, 0x60, 0x30, 0x7d, 0xbe, 0x32, 0x4c, 0x63, 0x44, 0x0f, 0x43, 0xdc,
-	0xf7, 0x03, 0x7b, 0x46, 0xd3, 0xcb, 0x00, 0x72, 0x0f, 0x16, 0x4d, 0xe5, 0xd6, 0x94, 0xaa, 0xe9,
-	0x39, 0x67, 0x75, 0x80, 0x41, 0x26, 0x55, 0x57, 0x29, 0xbc, 0xbb, 0x65, 0xcf, 0xad, 0x58, 0xab,
-	0xe3, 0x5e, 0x1e, 0x22, 0x6f, 0xc3, 0xff, 0xb3, 0x6d, 0x24, 0x24, 0x0d, 0x43, 0x5d, 0xda, 0xbb,
-	0x5b, 0xf6, 0xbc, 0xf6, 0x1e, 0x66, 0x26, 0xef, 0x41, 0x29, 0x35, 0x6d, 0x47, 0x12, 0x39, 0xe3,
-	0x81, 0xc0, 0x0d, 0x2a, 0xf0, 0x80, 0x87, 0xf6, 0x55, 0x4d, 0x6a, 0x84, 0x07, 0x59, 0x82, 0x09,
-	0xc6, 0xe3, 0x67, 0x5d, 0xbb, 0xa8, 0x5d, 0xcd, 0x46, 0xf5, 0x10, 0x4b, 0x4a, 0x68, 0xc1, 0xf4,
-	0x50, 0xb2, 0x25, 0x55, 0x58, 0x6a, 0xf8, 0xec, 0x11, 0xf2, 0x4e, 0xe0, 0x63, 0xcd, 0xf7, 0xe3,
-	0x76, 0xa4, 0x35, 0x27, 0xda, 0x6d, 0xa0, 0x8d, 0xb8, 0x40, 0x74, 0x8d, 0xee, 0x48, 0xc9, 0x36,
-	0xa8, 0x08, 0xfc, 0x5a, 0x5b, 0x36, 0xed, 0x45, 0x2d, 0xec, 0x00, 0x8b, 0x33, 0x0f, 0xb3, 0xaa,
-	0x44, 0x7b, 0x3d, 0xe4, 0xfc, 0x6c, 0xc1, 0x82, 0x02, 0x36, 0x39, 0x52, 0x89, 0x1e, 0x3e, 0x6d,
-	0xa3, 0x90, 0xe4, 0x93, 0x5c, 0xd5, 0xce, 0x54, 0x77, 0xfe, 0xdd, 0x38, 0xf1, 0xd2, 0xae, 0x4c,
-	0xea, 0xff, 0x1a, 0x14, 0xda, 0x4c, 0x20, 0x97, 0x49, 0x97, 0x25, 0x3b, 0x55, 0x1b, 0x3e, 0xc7,
-	0xba, 0xd8, 0x8f, 0xc2, 0xae, 0x2e, 0xfe, 0x29, 0x2f, 0x03, 0x9c, 0xa7, 0x86, 0xe8, 0x01, 0xab,
-	0x5f, 0x16, 0xd1, 0xea, 0xdf, 0xf3, 0x26, 0xa7, 0x01, 0x13, 0xf1, 0xc9, 0xd7, 0x16, 0x5c, 0xd9,
-	0x0b, 0x84, 0x24, 0xff, 0xcb, 0x0f, 0x9c, 0x74, 0xbc, 0x94, 0xf6, 0x2e, 0x8a, 0x85, 0x4a, 0xe2,
-	0xdc, 0xfc, 0xe2, 0xf7, 0x3f, 0xbf, 0x1d, 0xbb, 0x46, 0x96, 0xf4, 0x67, 0xb5, 0xb3, 0x9e, 0x7d,
-	0xc3, 0x02, 0x14, 0x5f, 0x8e, 0x59, 0xe4, 0x2b, 0x0b, 0xc6, 0x1f, 0xe0, 0x50, 0x36, 0x17, 0xa6,
-	0x89, 0x73, 0x4b, 0x33, 0xb9, 0x41, 0xae, 0x0f, 0x62, 0x52, 0x79, 0xae, 0x76, 0x2f, 0xc8, 0x77,
-	0x16, 0x14, 0x15, 0x6f, 0x2f, 0x67, 0xbb, 0x1c, 0xa1, 0xca, 0xa3, 0x84, 0x22, 0x9f, 0xc2, 0x94,
-	0xa1, 0x75, 0x34, 0x94, 0x4e, 0xb1, 0x1f, 0x3e, 0x12, 0xce, 0xaa, 0x0e, 0xe9, 0x90, 0x95, 0x11,
-	0x27, 0xae, 0x70, 0x15, 0xb2, 0x65, 0xc2, 0xab, 0xcf, 0x13, 0x79, 0xe5, 0x64, 0xf8, 0xf4, 0x76,
-	0x51, 0x2a, 0x0f, 0x32, 0xa5, 0xbd, 0x78, 0xae, 0x74, 0x54, 0xa5, 0xf8, 0xc6, 0x82, 0xb9, 0x07,
-	0x28, 0xb3, 0x7b, 0x00, 0xb9, 0x39, 0x20, 0x72, 0xfe, 0x8e, 0x50, 0x72, 0x86, 0x3b, 0xa4, 0x04,
-	0xde, 0xd1, 0x04, 0xde, 0x74, 0xee, 0x0d, 0x26, 0x60, 0xbe, 0xd6, 0x3a, 0xce, 0x81, 0xb7, 0xa7,
-	0xa9, 0xd4, 0x4d, 0x84, 0xfb, 0xd6, 0x1a, 0xe9, 0x68, 0x4a, 0x3b, 0x18, 0xb6, 0x36, 0x9b, 0x94,
-	0xcb, 0xa1, 0x32, 0x2f, 0xe7, 0xe1, 0xcc, 0x3d, 0x25, 0xe1, 0x6a, 0x12, 0xab, 0xe4, 0xce, 0x28,
-	0x15, 0x9a, 0x18, 0xb6, 0x7c, 0x93, 0xe6, 0x7b, 0x0b, 0x0a, 0x66, 0x7a, 0x91, 0x1b, 0x27, 0x33,
-	0xf6, 0x4d, 0xb5, 0x0b, 0x6c, 0x85, 0x57, 0x35, 0xc7, 0xb2, 0x33, 0xb0, 0xd6, 0xee, 0xeb, 0xe1,
-	0xa1, 0x5a, 0xf3, 0x07, 0x0b, 0x8a, 0x3d, 0x0a, 0xbd, 0x67, 0x2f, 0x8f, 0xa4, 0x73, 0x36, 0x49,
-	0xf2, 0x93, 0x05, 0x05, 0x33, 0x51, 0x4f, 0xf3, 0xea, 0x9b, 0xb4, 0x17, 0xc8, 0x6b, 0xdd, 0xbc,
-	0xe0, 0xd2, 0x88, 0x32, 0xd7, 0x54, 0x5e, 0x64, 0x42, 0xfe, 0x62, 0x41, 0xb1, 0x47, 0x67, 0xb8,
-	0x90, 0xff, 0x15, 0x61, 0xf7, 0xe5, 0x08, 0x13, 0x0a, 0x85, 0x2d, 0x0c, 0x51, 0xe2, 0xb0, 0x16,
-	0xb0, 0x4f, 0xc2, 0x69, 0xf1, 0xdf, 0x31, 0x33, 0x76, 0x6d, 0xd4, 0x8c, 0x55, 0x82, 0x34, 0xa1,
-	0x68, 0x52, 0xe4, 0xf4, 0x78, 0xe9, 0x64, 0xb7, 0xce, 0x91, 0x8c, 0x3c, 0x87, 0xf9, 0x8f, 0x68,
-	0x18, 0x28, 0x65, 0xcd, 0xbd, 0x96, 0x5c, 0x3f, 0x35, 0x49, 0xb2, 0xfb, 0xee, 0x88, 0x6c, 0x55,
-	0x9d, 0xed, 0xae, 0x73, 0x7b, 0x54, 0x5f, 0x77, 0x92, 0x54, 0x46, 0xc9, 0x8d, 0xed, 0x5f, 0x8f,
-	0x97, 0xad, 0xdf, 0x8e, 0x97, 0xad, 0x3f, 0x8e, 0x97, 0xad, 0x8f, 0xdf, 0x3a, 0xdf, 0x1f, 0xa4,
-	0xaf, 0x2f, 0xa6, 0xb9, 0x7f, 0xbd, 0xc3, 0x82, 0xfe, 0xd9, 0x7b, 0xe3, 0x9f, 0x00, 0x00, 0x00,
-	0xff, 0xff, 0x56, 0xc6, 0x8e, 0x59, 0xd1, 0x0e, 0x00, 0x00,
+	// 1304 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x98, 0xdd, 0x6e, 0x1b, 0x45,
+	0x14, 0xc7, 0xb5, 0x49, 0xe3, 0x26, 0x27, 0x4d, 0xeb, 0x4e, 0x9a, 0xb2, 0xb8, 0x69, 0x1a, 0xb6,
+	0xa5, 0x4a, 0xa3, 0x76, 0xdd, 0x18, 0x10, 0x55, 0x11, 0x48, 0x6e, 0x52, 0xb5, 0x11, 0x11, 0x2d,
+	0x5b, 0x15, 0x24, 0x04, 0x42, 0xd3, 0xf5, 0x89, 0xbd, 0xed, 0x7a, 0x77, 0x3a, 0x33, 0x76, 0x6b,
+	0x55, 0xbd, 0xe1, 0x02, 0x21, 0xc1, 0x0d, 0x42, 0x20, 0xae, 0xf8, 0x90, 0x90, 0x90, 0xe0, 0x9e,
+	0x67, 0xe0, 0x12, 0x89, 0x17, 0x40, 0x15, 0x0f, 0xc1, 0x25, 0x9a, 0x99, 0xf5, 0xee, 0xda, 0xf1,
+	0x47, 0xaa, 0x26, 0xb9, 0x9b, 0x39, 0x67, 0xf6, 0x9c, 0xdf, 0xfc, 0xe7, 0xcc, 0x87, 0x0d, 0x8e,
+	0x40, 0xde, 0x46, 0x5e, 0xe6, 0xc8, 0x62, 0x11, 0xc8, 0x98, 0x77, 0x72, 0x4d, 0x97, 0xf1, 0x58,
+	0xc6, 0x04, 0x32, 0x4b, 0x69, 0xb1, 0x1e, 0xc7, 0xf5, 0x10, 0xcb, 0x94, 0x05, 0x65, 0x1a, 0x45,
+	0xb1, 0xa4, 0x32, 0x88, 0x23, 0x61, 0x46, 0x96, 0xb6, 0xea, 0x81, 0x6c, 0xb4, 0xee, 0xb9, 0x7e,
+	0xdc, 0x2c, 0x53, 0x5e, 0x8f, 0x19, 0x8f, 0xef, 0xeb, 0xc6, 0x25, 0xbf, 0x56, 0x6e, 0x57, 0xca,
+	0xec, 0x41, 0x5d, 0x7d, 0x29, 0xca, 0x94, 0xb1, 0x30, 0xf0, 0xf5, 0xb7, 0xe5, 0xf6, 0x1a, 0x0d,
+	0x59, 0x83, 0xae, 0x95, 0xeb, 0x18, 0x21, 0xa7, 0x12, 0x6b, 0x49, 0xb4, 0xeb, 0x63, 0xa2, 0x69,
+	0xac, 0xb1, 0xf8, 0x4e, 0x07, 0xe6, 0x3c, 0x64, 0x71, 0x95, 0x31, 0xf1, 0x7e, 0x0b, 0x79, 0x87,
+	0x10, 0x38, 0xa4, 0x06, 0xd9, 0xd6, 0xb2, 0xb5, 0x32, 0xe3, 0xe9, 0x36, 0x29, 0xc1, 0x34, 0xc7,
+	0x76, 0x20, 0x82, 0x38, 0xb2, 0x27, 0xb4, 0x3d, 0xed, 0x13, 0x1b, 0x0e, 0x53, 0xc6, 0xde, 0xa3,
+	0x4d, 0xb4, 0x27, 0xb5, 0xab, 0xdb, 0x25, 0x4b, 0x00, 0x94, 0xb1, 0xdb, 0x3c, 0xbe, 0x8f, 0xbe,
+	0xb4, 0x0f, 0x69, 0x67, 0xce, 0xe2, 0xac, 0xc1, 0xe1, 0x2a, 0x63, 0x9b, 0xd1, 0x76, 0xac, 0x92,
+	0xca, 0x0e, 0xc3, 0x6e, 0x52, 0xd5, 0x56, 0x36, 0x46, 0x65, 0x23, 0x49, 0xa8, 0xdb, 0xce, 0x7f,
+	0x16, 0xcc, 0x27, 0xb8, 0x1b, 0x28, 0x69, 0x10, 0x26, 0xd0, 0x75, 0x28, 0x88, 0xb8, 0xc5, 0x7d,
+	0x13, 0x61, 0xb6, 0x72, 0xcb, 0xcd, 0xd4, 0x71, 0xbb, 0xea, 0xe8, 0xc6, 0xa7, 0x7e, 0xcd, 0x6d,
+	0x57, 0x5c, 0xf6, 0xa0, 0xee, 0x2a, 0xad, 0xdd, 0x9c, 0xd6, 0x6e, 0x57, 0x6b, 0xb7, 0x9a, 0x19,
+	0xef, 0xe8, 0xb0, 0x5e, 0x12, 0x3e, 0x3f, 0xdb, 0x89, 0x51, 0xb3, 0x9d, 0xec, 0x9f, 0x2d, 0x59,
+	0x86, 0x59, 0x13, 0x63, 0x33, 0xaa, 0xe1, 0x63, 0x2d, 0xc7, 0x94, 0x97, 0x37, 0x91, 0x45, 0x98,
+	0x69, 0x23, 0x57, 0xa2, 0x6e, 0xd6, 0xec, 0x29, 0xed, 0xcf, 0x0c, 0xce, 0xdb, 0x50, 0xec, 0x2e,
+	0x94, 0x87, 0x82, 0xc5, 0x91, 0x40, 0x72, 0x01, 0xa6, 0x02, 0x89, 0x4d, 0x61, 0x5b, 0xcb, 0x93,
+	0x2b, 0xb3, 0x95, 0x79, 0x37, 0xb7, 0xbc, 0x89, 0xb4, 0x9e, 0x19, 0xe1, 0xf8, 0x30, 0xa3, 0x3e,
+	0x1f, 0xbe, 0xc6, 0x0e, 0x1c, 0xd9, 0x8e, 0xd5, 0x54, 0x71, 0x9b, 0xa3, 0x30, 0xb2, 0x4f, 0x7b,
+	0x3d, 0xb6, 0x71, 0x73, 0x74, 0x7e, 0x9e, 0x82, 0x63, 0x1a, 0xd2, 0xf7, 0x51, 0x8c, 0xae, 0xa7,
+	0x96, 0x40, 0x1e, 0x65, 0x32, 0xa6, 0x7d, 0xe5, 0x63, 0x54, 0x88, 0x47, 0x31, 0xaf, 0x25, 0x19,
+	0xd2, 0x3e, 0x39, 0x07, 0x73, 0x42, 0x34, 0x6e, 0xf3, 0xa0, 0x4d, 0x25, 0xbe, 0x8b, 0x9d, 0xa4,
+	0xa8, 0x7a, 0x8d, 0x2a, 0x42, 0x10, 0x09, 0xf4, 0x5b, 0x1c, 0xb5, 0x8c, 0xd3, 0x5e, 0xda, 0x27,
+	0x17, 0xe1, 0xb8, 0x0c, 0xc5, 0x7a, 0x18, 0x60, 0x24, 0xd7, 0x91, 0xcb, 0x0d, 0x2a, 0xa9, 0x5d,
+	0xd0, 0x51, 0x76, 0x3a, 0xc8, 0x2a, 0x14, 0x7b, 0x8c, 0x2a, 0xe5, 0x61, 0x3d, 0x78, 0x87, 0x3d,
+	0x2d, 0xe1, 0x99, 0xde, 0x12, 0xd6, 0x73, 0x04, 0x63, 0xd3, 0xf3, 0x5b, 0x84, 0x19, 0x8c, 0xe8,
+	0xbd, 0x10, 0x6f, 0xf9, 0x81, 0x3d, 0xab, 0xf1, 0x32, 0x03, 0xb9, 0x0c, 0xf3, 0xa6, 0x72, 0xab,
+	0x4a, 0xd5, 0x74, 0x9e, 0x47, 0x74, 0x80, 0x41, 0x2e, 0x55, 0x57, 0xa9, 0x79, 0x73, 0xc3, 0x9e,
+	0x5b, 0xb6, 0x56, 0x26, 0xbd, 0xbc, 0x89, 0x5c, 0x81, 0x97, 0xb2, 0x6e, 0x24, 0x24, 0x0d, 0x43,
+	0x5d, 0xda, 0x9b, 0x1b, 0xf6, 0x51, 0x3d, 0x7a, 0x98, 0x9b, 0xbc, 0x03, 0xa5, 0xd4, 0x75, 0x3d,
+	0x92, 0xc8, 0x19, 0x0f, 0x04, 0x5e, 0xa3, 0x02, 0xef, 0xf2, 0xd0, 0x3e, 0xa6, 0xa1, 0x46, 0x8c,
+	0x20, 0x27, 0x60, 0x8a, 0xf1, 0xf8, 0x71, 0xc7, 0x2e, 0xea, 0xa1, 0xa6, 0xa3, 0xf6, 0x10, 0x4b,
+	0x4a, 0xe8, 0xb8, 0xd9, 0x43, 0x49, 0x97, 0x54, 0xe0, 0x44, 0xdd, 0x67, 0x77, 0x90, 0xb7, 0x03,
+	0x1f, 0xab, 0xbe, 0x1f, 0xb7, 0x22, 0xad, 0x39, 0xd1, 0xc3, 0x06, 0xfa, 0x88, 0x0b, 0x44, 0xd7,
+	0xe8, 0x4d, 0x29, 0xd9, 0x35, 0x2a, 0x02, 0xbf, 0xda, 0x92, 0x0d, 0x7b, 0x5e, 0x0b, 0x3b, 0xc0,
+	0xe3, 0x1c, 0x85, 0x23, 0xaa, 0x44, 0xbb, 0x7b, 0xc8, 0xf9, 0xd5, 0x82, 0xe3, 0xca, 0xb0, 0xce,
+	0x91, 0x4a, 0xf4, 0xf0, 0x61, 0x0b, 0x85, 0x24, 0x1f, 0xe7, 0xaa, 0x76, 0xb6, 0x72, 0xf3, 0xc5,
+	0x8e, 0x13, 0x2f, 0xdd, 0x95, 0x49, 0xfd, 0x9f, 0x84, 0x42, 0x8b, 0x09, 0xe4, 0x32, 0xd9, 0x65,
+	0x49, 0x4f, 0xd5, 0x86, 0xcf, 0xb1, 0x26, 0x6e, 0x45, 0x61, 0x47, 0x17, 0xff, 0xb4, 0x97, 0x19,
+	0x9c, 0x87, 0x06, 0xf4, 0x2e, 0xab, 0x1d, 0x14, 0x68, 0xe5, 0x87, 0x93, 0x26, 0xa7, 0x31, 0x26,
+	0xe2, 0x93, 0xaf, 0x2c, 0x38, 0xb4, 0x15, 0x08, 0x49, 0x16, 0xf2, 0x07, 0x4e, 0x7a, 0xbc, 0x94,
+	0xb6, 0xf6, 0x8a, 0x42, 0x25, 0x71, 0xce, 0x7c, 0xf6, 0xf7, 0xbf, 0xdf, 0x4c, 0x9c, 0x24, 0x27,
+	0xf4, 0xb5, 0xda, 0x5e, 0xcb, 0xee, 0xb0, 0x00, 0xc5, 0x17, 0x13, 0x16, 0xf9, 0xd2, 0x82, 0xc9,
+	0x1b, 0x38, 0x94, 0x66, 0xcf, 0x34, 0x71, 0xce, 0x6a, 0x92, 0xd3, 0xe4, 0xd4, 0x20, 0x92, 0xf2,
+	0x13, 0xd5, 0x7b, 0x4a, 0xbe, 0xb3, 0x60, 0xfa, 0x06, 0xca, 0x0f, 0x79, 0x20, 0x71, 0xff, 0x91,
+	0x2e, 0x68, 0xa4, 0xb3, 0xe4, 0x95, 0x2e, 0xd2, 0x23, 0x95, 0xf7, 0xd2, 0x20, 0xb0, 0x6f, 0x2d,
+	0x28, 0x2a, 0x41, 0xbd, 0x9c, 0xef, 0x60, 0x56, 0x70, 0x71, 0xd4, 0x0a, 0x92, 0x9f, 0x2c, 0x58,
+	0x50, 0xc3, 0xb4, 0x62, 0x07, 0x0f, 0xe7, 0x68, 0xb8, 0x45, 0x52, 0x1a, 0xae, 0x20, 0xf9, 0x04,
+	0xa6, 0x8d, 0x72, 0xdb, 0x43, 0xa1, 0x8a, 0xbd, 0xe6, 0x6d, 0xe1, 0xac, 0xe8, 0xc0, 0x0e, 0x59,
+	0x1e, 0x51, 0x2d, 0x65, 0xae, 0x42, 0x36, 0x4d, 0x78, 0x75, 0xb5, 0x93, 0x97, 0xfb, 0xc3, 0xa7,
+	0x2f, 0xb3, 0xd2, 0xe2, 0x20, 0x57, 0x7a, 0x8e, 0xed, 0x2a, 0x1d, 0x55, 0x29, 0xbe, 0xb6, 0x60,
+	0xee, 0x06, 0xca, 0xec, 0x0d, 0x45, 0xce, 0x0c, 0x88, 0x9c, 0x7f, 0x5f, 0x95, 0x9c, 0xe1, 0x03,
+	0x52, 0x80, 0xb7, 0x34, 0xc0, 0x1b, 0xce, 0xe5, 0xc1, 0x00, 0xe6, 0xa5, 0xa3, 0xe3, 0xdc, 0xf5,
+	0xb6, 0x34, 0x4a, 0xcd, 0x44, 0xb8, 0x6a, 0xad, 0x92, 0xb6, 0x46, 0xba, 0x89, 0x61, 0x73, 0xbd,
+	0x41, 0xb9, 0x1c, 0x2a, 0xf3, 0x52, 0xde, 0x9c, 0x0d, 0x4f, 0x21, 0x5c, 0x0d, 0xb1, 0x42, 0xce,
+	0x8f, 0x52, 0xa1, 0x81, 0x61, 0xd3, 0x37, 0x69, 0xbe, 0xb7, 0xa0, 0x60, 0x4e, 0x7e, 0x72, 0xba,
+	0x3f, 0x63, 0xcf, 0x8d, 0xb0, 0x87, 0x7b, 0xf6, 0x55, 0x53, 0x71, 0xce, 0xc0, 0xed, 0x70, 0x55,
+	0x1f, 0xbc, 0xea, 0x58, 0xfb, 0xd1, 0x82, 0x62, 0x17, 0xa1, 0xfb, 0xed, 0xc1, 0x41, 0x3a, 0xe3,
+	0x21, 0xc9, 0x6f, 0x16, 0x2c, 0x98, 0xfc, 0xbd, 0x7b, 0xf7, 0x00, 0x31, 0x93, 0xaa, 0x77, 0x46,
+	0xec, 0xde, 0x04, 0xf6, 0x17, 0x0b, 0x0a, 0xe6, 0xea, 0xdc, 0x49, 0xd7, 0x73, 0xa5, 0xee, 0x21,
+	0xdd, 0x9a, 0xa9, 0xc6, 0xd2, 0x88, 0x3d, 0xa9, 0x51, 0x9e, 0x66, 0xab, 0xfe, 0xbb, 0x05, 0xc5,
+	0x2e, 0xce, 0x70, 0x39, 0xf7, 0x0b, 0xd8, 0x7d, 0x3e, 0x60, 0xf2, 0x87, 0x05, 0x0b, 0x86, 0x65,
+	0x6c, 0x05, 0xec, 0x17, 0xf2, 0xeb, 0x1a, 0xd9, 0x2d, 0x9d, 0x1f, 0x77, 0x03, 0xf6, 0x80, 0x53,
+	0x28, 0x6c, 0x60, 0x88, 0xc3, 0xaf, 0x68, 0xbb, 0xdf, 0x9c, 0x1e, 0x31, 0xe7, 0xcd, 0x2b, 0x60,
+	0x75, 0xd4, 0x2b, 0x40, 0xad, 0x64, 0x03, 0x8a, 0x26, 0x45, 0x4e, 0x95, 0xe7, 0x4e, 0x76, 0x76,
+	0x17, 0xc9, 0x88, 0x80, 0x05, 0x93, 0xa9, 0x7f, 0x11, 0x9e, 0x3b, 0x5d, 0xf2, 0x9c, 0x58, 0xdd,
+	0xc5, 0x73, 0xe2, 0x09, 0x1c, 0xfd, 0x80, 0x86, 0x81, 0x5a, 0x54, 0xf3, 0x73, 0x8f, 0x9c, 0xda,
+	0x71, 0x49, 0x64, 0x3f, 0x03, 0x47, 0xe4, 0xac, 0xe8, 0x9c, 0x17, 0x9d, 0x73, 0xa3, 0x8e, 0xec,
+	0x76, 0x92, 0x2a, 0x59, 0xbe, 0xcf, 0x2d, 0x98, 0xef, 0x66, 0xd7, 0x93, 0x7e, 0x31, 0x84, 0x2b,
+	0x1a, 0xa1, 0xe2, 0xac, 0x8e, 0x9d, 0x76, 0x1f, 0xc8, 0xb5, 0xeb, 0x7f, 0x3e, 0x5b, 0xb2, 0xfe,
+	0x7a, 0xb6, 0x64, 0xfd, 0xf3, 0x6c, 0xc9, 0xfa, 0xe8, 0xcd, 0xdd, 0xfd, 0xc3, 0xe3, 0xeb, 0x1f,
+	0x8e, 0xb9, 0xff, 0x62, 0xee, 0x15, 0xf4, 0x9f, 0x31, 0xaf, 0xfd, 0x1f, 0x00, 0x00, 0xff, 0xff,
+	0x85, 0x4e, 0xc2, 0x40, 0x71, 0x12, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -823,8 +831,12 @@ type RepositoryServiceClient interface {
 	List(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*v1alpha1.RepositoryList, error)
 	// Get returns a repository or its credentials
 	Get(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*v1alpha1.Repository, error)
+	// GetWrite returns a repository or its write credentials
+	GetWrite(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*v1alpha1.Repository, error)
 	// ListRepositories gets a list of all configured repositories
 	ListRepositories(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*v1alpha1.RepositoryList, error)
+	// ListWriteRepositories gets a list of all configured write repositories
+	ListWriteRepositories(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*v1alpha1.RepositoryList, error)
 	ListRefs(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*apiclient.Refs, error)
 	// ListApps returns list of apps in the repo
 	ListApps(ctx context.Context, in *RepoAppsQuery, opts ...grpc.CallOption) (*RepoAppsResponse, error)
@@ -836,16 +848,24 @@ type RepositoryServiceClient interface {
 	Create(ctx context.Context, in *RepoCreateRequest, opts ...grpc.CallOption) (*v1alpha1.Repository, error)
 	// CreateRepository creates a new repository configuration
 	CreateRepository(ctx context.Context, in *RepoCreateRequest, opts ...grpc.CallOption) (*v1alpha1.Repository, error)
+	// CreateWriteRepository creates a new write repository configuration
+	CreateWriteRepository(ctx context.Context, in *RepoCreateRequest, opts ...grpc.CallOption) (*v1alpha1.Repository, error)
 	// Update updates a repo or repo credential set
 	Update(ctx context.Context, in *RepoUpdateRequest, opts ...grpc.CallOption) (*v1alpha1.Repository, error)
 	// UpdateRepository updates a repository configuration
 	UpdateRepository(ctx context.Context, in *RepoUpdateRequest, opts ...grpc.CallOption) (*v1alpha1.Repository, error)
+	// UpdateWriteRepository updates a write repository configuration
+	UpdateWriteRepository(ctx context.Context, in *RepoUpdateRequest, opts ...grpc.CallOption) (*v1alpha1.Repository, error)
 	// Delete deletes a repository from the configuration
 	Delete(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*RepoResponse, error)
 	// DeleteRepository deletes a repository from the configuration
 	DeleteRepository(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*RepoResponse, error)
+	// DeleteWriteRepository deletes a write repository from the configuration
+	DeleteWriteRepository(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*RepoResponse, error)
 	// ValidateAccess validates access to a repository with given parameters
 	ValidateAccess(ctx context.Context, in *RepoAccessQuery, opts ...grpc.CallOption) (*RepoResponse, error)
+	// ValidateWriteAccess validates write access to a repository with given parameters
+	ValidateWriteAccess(ctx context.Context, in *RepoAccessQuery, opts ...grpc.CallOption) (*RepoResponse, error)
 }
 
 type repositoryServiceClient struct {
@@ -875,6 +895,15 @@ func (c *repositoryServiceClient) Get(ctx context.Context, in *RepoQuery, opts .
 	return out, nil
 }
 
+func (c *repositoryServiceClient) GetWrite(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*v1alpha1.Repository, error) {
+	out := new(v1alpha1.Repository)
+	err := c.cc.Invoke(ctx, "/repository.RepositoryService/GetWrite", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *repositoryServiceClient) ListRepositories(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*v1alpha1.RepositoryList, error) {
 	out := new(v1alpha1.RepositoryList)
 	err := c.cc.Invoke(ctx, "/repository.RepositoryService/ListRepositories", in, out, opts...)
@@ -884,6 +913,15 @@ func (c *repositoryServiceClient) ListRepositories(ctx context.Context, in *Repo
 	return out, nil
 }
 
+func (c *repositoryServiceClient) ListWriteRepositories(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*v1alpha1.RepositoryList, error) {
+	out := new(v1alpha1.RepositoryList)
+	err := c.cc.Invoke(ctx, "/repository.RepositoryService/ListWriteRepositories", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *repositoryServiceClient) ListRefs(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*apiclient.Refs, error) {
 	out := new(apiclient.Refs)
 	err := c.cc.Invoke(ctx, "/repository.RepositoryService/ListRefs", in, out, opts...)
@@ -939,6 +977,15 @@ func (c *repositoryServiceClient) CreateRepository(ctx context.Context, in *Repo
 	return out, nil
 }
 
+func (c *repositoryServiceClient) CreateWriteRepository(ctx context.Context, in *RepoCreateRequest, opts ...grpc.CallOption) (*v1alpha1.Repository, error) {
+	out := new(v1alpha1.Repository)
+	err := c.cc.Invoke(ctx, "/repository.RepositoryService/CreateWriteRepository", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // Deprecated: Do not use.
 func (c *repositoryServiceClient) Update(ctx context.Context, in *RepoUpdateRequest, opts ...grpc.CallOption) (*v1alpha1.Repository, error) {
 	out := new(v1alpha1.Repository)
@@ -958,6 +1005,15 @@ func (c *repositoryServiceClient) UpdateRepository(ctx context.Context, in *Repo
 	return out, nil
 }
 
+func (c *repositoryServiceClient) UpdateWriteRepository(ctx context.Context, in *RepoUpdateRequest, opts ...grpc.CallOption) (*v1alpha1.Repository, error) {
+	out := new(v1alpha1.Repository)
+	err := c.cc.Invoke(ctx, "/repository.RepositoryService/UpdateWriteRepository", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // Deprecated: Do not use.
 func (c *repositoryServiceClient) Delete(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*RepoResponse, error) {
 	out := new(RepoResponse)
@@ -977,6 +1033,15 @@ func (c *repositoryServiceClient) DeleteRepository(ctx context.Context, in *Repo
 	return out, nil
 }
 
+func (c *repositoryServiceClient) DeleteWriteRepository(ctx context.Context, in *RepoQuery, opts ...grpc.CallOption) (*RepoResponse, error) {
+	out := new(RepoResponse)
+	err := c.cc.Invoke(ctx, "/repository.RepositoryService/DeleteWriteRepository", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *repositoryServiceClient) ValidateAccess(ctx context.Context, in *RepoAccessQuery, opts ...grpc.CallOption) (*RepoResponse, error) {
 	out := new(RepoResponse)
 	err := c.cc.Invoke(ctx, "/repository.RepositoryService/ValidateAccess", in, out, opts...)
@@ -986,14 +1051,27 @@ func (c *repositoryServiceClient) ValidateAccess(ctx context.Context, in *RepoAc
 	return out, nil
 }
 
+func (c *repositoryServiceClient) ValidateWriteAccess(ctx context.Context, in *RepoAccessQuery, opts ...grpc.CallOption) (*RepoResponse, error) {
+	out := new(RepoResponse)
+	err := c.cc.Invoke(ctx, "/repository.RepositoryService/ValidateWriteAccess", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // RepositoryServiceServer is the server API for RepositoryService service.
 type RepositoryServiceServer interface {
 	// List returns list of repos or repository credentials
 	List(context.Context, *RepoQuery) (*v1alpha1.RepositoryList, error)
 	// Get returns a repository or its credentials
 	Get(context.Context, *RepoQuery) (*v1alpha1.Repository, error)
+	// GetWrite returns a repository or its write credentials
+	GetWrite(context.Context, *RepoQuery) (*v1alpha1.Repository, error)
 	// ListRepositories gets a list of all configured repositories
 	ListRepositories(context.Context, *RepoQuery) (*v1alpha1.RepositoryList, error)
+	// ListWriteRepositories gets a list of all configured write repositories
+	ListWriteRepositories(context.Context, *RepoQuery) (*v1alpha1.RepositoryList, error)
 	ListRefs(context.Context, *RepoQuery) (*apiclient.Refs, error)
 	// ListApps returns list of apps in the repo
 	ListApps(context.Context, *RepoAppsQuery) (*RepoAppsResponse, error)
@@ -1005,16 +1083,24 @@ type RepositoryServiceServer interface {
 	Create(context.Context, *RepoCreateRequest) (*v1alpha1.Repository, error)
 	// CreateRepository creates a new repository configuration
 	CreateRepository(context.Context, *RepoCreateRequest) (*v1alpha1.Repository, error)
+	// CreateWriteRepository creates a new write repository configuration
+	CreateWriteRepository(context.Context, *RepoCreateRequest) (*v1alpha1.Repository, error)
 	// Update updates a repo or repo credential set
 	Update(context.Context, *RepoUpdateRequest) (*v1alpha1.Repository, error)
 	// UpdateRepository updates a repository configuration
 	UpdateRepository(context.Context, *RepoUpdateRequest) (*v1alpha1.Repository, error)
+	// UpdateWriteRepository updates a write repository configuration
+	UpdateWriteRepository(context.Context, *RepoUpdateRequest) (*v1alpha1.Repository, error)
 	// Delete deletes a repository from the configuration
 	Delete(context.Context, *RepoQuery) (*RepoResponse, error)
 	// DeleteRepository deletes a repository from the configuration
 	DeleteRepository(context.Context, *RepoQuery) (*RepoResponse, error)
+	// DeleteWriteRepository deletes a write repository from the configuration
+	DeleteWriteRepository(context.Context, *RepoQuery) (*RepoResponse, error)
 	// ValidateAccess validates access to a repository with given parameters
 	ValidateAccess(context.Context, *RepoAccessQuery) (*RepoResponse, error)
+	// ValidateWriteAccess validates write access to a repository with given parameters
+	ValidateWriteAccess(context.Context, *RepoAccessQuery) (*RepoResponse, error)
 }
 
 // UnimplementedRepositoryServiceServer can be embedded to have forward compatible implementations.
@@ -1027,9 +1113,15 @@ func (*UnimplementedRepositoryServiceServer) List(ctx context.Context, req *Repo
 func (*UnimplementedRepositoryServiceServer) Get(ctx context.Context, req *RepoQuery) (*v1alpha1.Repository, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Get not implemented")
 }
+func (*UnimplementedRepositoryServiceServer) GetWrite(ctx context.Context, req *RepoQuery) (*v1alpha1.Repository, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetWrite not implemented")
+}
 func (*UnimplementedRepositoryServiceServer) ListRepositories(ctx context.Context, req *RepoQuery) (*v1alpha1.RepositoryList, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListRepositories not implemented")
 }
+func (*UnimplementedRepositoryServiceServer) ListWriteRepositories(ctx context.Context, req *RepoQuery) (*v1alpha1.RepositoryList, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ListWriteRepositories not implemented")
+}
 func (*UnimplementedRepositoryServiceServer) ListRefs(ctx context.Context, req *RepoQuery) (*apiclient.Refs, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListRefs not implemented")
 }
@@ -1048,21 +1140,33 @@ func (*UnimplementedRepositoryServiceServer) Create(ctx context.Context, req *Re
 func (*UnimplementedRepositoryServiceServer) CreateRepository(ctx context.Context, req *RepoCreateRequest) (*v1alpha1.Repository, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method CreateRepository not implemented")
 }
+func (*UnimplementedRepositoryServiceServer) CreateWriteRepository(ctx context.Context, req *RepoCreateRequest) (*v1alpha1.Repository, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method CreateWriteRepository not implemented")
+}
 func (*UnimplementedRepositoryServiceServer) Update(ctx context.Context, req *RepoUpdateRequest) (*v1alpha1.Repository, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Update not implemented")
 }
 func (*UnimplementedRepositoryServiceServer) UpdateRepository(ctx context.Context, req *RepoUpdateRequest) (*v1alpha1.Repository, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method UpdateRepository not implemented")
 }
+func (*UnimplementedRepositoryServiceServer) UpdateWriteRepository(ctx context.Context, req *RepoUpdateRequest) (*v1alpha1.Repository, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateWriteRepository not implemented")
+}
 func (*UnimplementedRepositoryServiceServer) Delete(ctx context.Context, req *RepoQuery) (*RepoResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Delete not implemented")
 }
 func (*UnimplementedRepositoryServiceServer) DeleteRepository(ctx context.Context, req *RepoQuery) (*RepoResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method DeleteRepository not implemented")
 }
+func (*UnimplementedRepositoryServiceServer) DeleteWriteRepository(ctx context.Context, req *RepoQuery) (*RepoResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DeleteWriteRepository not implemented")
+}
 func (*UnimplementedRepositoryServiceServer) ValidateAccess(ctx context.Context, req *RepoAccessQuery) (*RepoResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ValidateAccess not implemented")
 }
+func (*UnimplementedRepositoryServiceServer) ValidateWriteAccess(ctx context.Context, req *RepoAccessQuery) (*RepoResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ValidateWriteAccess not implemented")
+}
 
 func RegisterRepositoryServiceServer(s *grpc.Server, srv RepositoryServiceServer) {
 	s.RegisterService(&_RepositoryService_serviceDesc, srv)
@@ -1104,6 +1208,24 @@ func _RepositoryService_Get_Handler(srv interface{}, ctx context.Context, dec fu
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepositoryService_GetWrite_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoQuery)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepositoryServiceServer).GetWrite(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repository.RepositoryService/GetWrite",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepositoryServiceServer).GetWrite(ctx, req.(*RepoQuery))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _RepositoryService_ListRepositories_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RepoQuery)
 	if err := dec(in); err != nil {
@@ -1122,6 +1244,24 @@ func _RepositoryService_ListRepositories_Handler(srv interface{}, ctx context.Co
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepositoryService_ListWriteRepositories_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoQuery)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepositoryServiceServer).ListWriteRepositories(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repository.RepositoryService/ListWriteRepositories",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepositoryServiceServer).ListWriteRepositories(ctx, req.(*RepoQuery))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _RepositoryService_ListRefs_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RepoQuery)
 	if err := dec(in); err != nil {
@@ -1230,6 +1370,24 @@ func _RepositoryService_CreateRepository_Handler(srv interface{}, ctx context.Co
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepositoryService_CreateWriteRepository_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoCreateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepositoryServiceServer).CreateWriteRepository(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repository.RepositoryService/CreateWriteRepository",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepositoryServiceServer).CreateWriteRepository(ctx, req.(*RepoCreateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _RepositoryService_Update_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RepoUpdateRequest)
 	if err := dec(in); err != nil {
@@ -1266,6 +1424,24 @@ func _RepositoryService_UpdateRepository_Handler(srv interface{}, ctx context.Co
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepositoryService_UpdateWriteRepository_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoUpdateRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepositoryServiceServer).UpdateWriteRepository(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repository.RepositoryService/UpdateWriteRepository",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepositoryServiceServer).UpdateWriteRepository(ctx, req.(*RepoUpdateRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _RepositoryService_Delete_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RepoQuery)
 	if err := dec(in); err != nil {
@@ -1302,6 +1478,24 @@ func _RepositoryService_DeleteRepository_Handler(srv interface{}, ctx context.Co
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepositoryService_DeleteWriteRepository_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoQuery)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepositoryServiceServer).DeleteWriteRepository(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repository.RepositoryService/DeleteWriteRepository",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepositoryServiceServer).DeleteWriteRepository(ctx, req.(*RepoQuery))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _RepositoryService_ValidateAccess_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RepoAccessQuery)
 	if err := dec(in); err != nil {
@@ -1320,6 +1514,24 @@ func _RepositoryService_ValidateAccess_Handler(srv interface{}, ctx context.Cont
 	return interceptor(ctx, in, info, handler)
 }
 
+func _RepositoryService_ValidateWriteAccess_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RepoAccessQuery)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(RepositoryServiceServer).ValidateWriteAccess(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/repository.RepositoryService/ValidateWriteAccess",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(RepositoryServiceServer).ValidateWriteAccess(ctx, req.(*RepoAccessQuery))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 var _RepositoryService_serviceDesc = grpc.ServiceDesc{
 	ServiceName: "repository.RepositoryService",
 	HandlerType: (*RepositoryServiceServer)(nil),
@@ -1332,10 +1544,18 @@ var _RepositoryService_serviceDesc = grpc.ServiceDesc{
 			MethodName: "Get",
 			Handler:    _RepositoryService_Get_Handler,
 		},
+		{
+			MethodName: "GetWrite",
+			Handler:    _RepositoryService_GetWrite_Handler,
+		},
 		{
 			MethodName: "ListRepositories",
 			Handler:    _RepositoryService_ListRepositories_Handler,
 		},
+		{
+			MethodName: "ListWriteRepositories",
+			Handler:    _RepositoryService_ListWriteRepositories_Handler,
+		},
 		{
 			MethodName: "ListRefs",
 			Handler:    _RepositoryService_ListRefs_Handler,
@@ -1360,6 +1580,10 @@ var _RepositoryService_serviceDesc = grpc.ServiceDesc{
 			MethodName: "CreateRepository",
 			Handler:    _RepositoryService_CreateRepository_Handler,
 		},
+		{
+			MethodName: "CreateWriteRepository",
+			Handler:    _RepositoryService_CreateWriteRepository_Handler,
+		},
 		{
 			MethodName: "Update",
 			Handler:    _RepositoryService_Update_Handler,
@@ -1368,6 +1592,10 @@ var _RepositoryService_serviceDesc = grpc.ServiceDesc{
 			MethodName: "UpdateRepository",
 			Handler:    _RepositoryService_UpdateRepository_Handler,
 		},
+		{
+			MethodName: "UpdateWriteRepository",
+			Handler:    _RepositoryService_UpdateWriteRepository_Handler,
+		},
 		{
 			MethodName: "Delete",
 			Handler:    _RepositoryService_Delete_Handler,
@@ -1376,10 +1604,18 @@ var _RepositoryService_serviceDesc = grpc.ServiceDesc{
 			MethodName: "DeleteRepository",
 			Handler:    _RepositoryService_DeleteRepository_Handler,
 		},
+		{
+			MethodName: "DeleteWriteRepository",
+			Handler:    _RepositoryService_DeleteWriteRepository_Handler,
+		},
 		{
 			MethodName: "ValidateAccess",
 			Handler:    _RepositoryService_ValidateAccess_Handler,
 		},
+		{
+			MethodName: "ValidateWriteAccess",
+			Handler:    _RepositoryService_ValidateWriteAccess_Handler,
+		},
 	},
 	Streams:  []grpc.StreamDesc{},
 	Metadata: "server/repository/repository.proto",

pkg/apiclient/repository/repository.pb.gw.go

@@ -141,6 +141,78 @@ func local_request_RepositoryService_Get_0(ctx context.Context, marshaler runtim
 
 }
 
+var (
+	filter_RepositoryService_GetWrite_0 = &utilities.DoubleArray{Encoding: map[string]int{"repo": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
+)
+
+func request_RepositoryService_GetWrite_0(ctx context.Context, marshaler runtime.Marshaler, client RepositoryServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoQuery
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["repo"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "repo")
+	}
+
+	protoReq.Repo, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "repo", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_GetWrite_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.GetWrite(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepositoryService_GetWrite_0(ctx context.Context, marshaler runtime.Marshaler, server RepositoryServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoQuery
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["repo"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "repo")
+	}
+
+	protoReq.Repo, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "repo", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_GetWrite_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.GetWrite(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 var (
 	filter_RepositoryService_ListRepositories_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
 )
@@ -177,6 +249,42 @@ func local_request_RepositoryService_ListRepositories_0(ctx context.Context, mar
 
 }
 
+var (
+	filter_RepositoryService_ListWriteRepositories_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
+)
+
+func request_RepositoryService_ListWriteRepositories_0(ctx context.Context, marshaler runtime.Marshaler, client RepositoryServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoQuery
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_ListWriteRepositories_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.ListWriteRepositories(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepositoryService_ListWriteRepositories_0(ctx context.Context, marshaler runtime.Marshaler, server RepositoryServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoQuery
+	var metadata runtime.ServerMetadata
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_ListWriteRepositories_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.ListWriteRepositories(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 var (
 	filter_RepositoryService_ListRefs_0 = &utilities.DoubleArray{Encoding: map[string]int{"repo": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
 )
@@ -567,6 +675,58 @@ func local_request_RepositoryService_CreateRepository_0(ctx context.Context, mar
 
 }
 
+var (
+	filter_RepositoryService_CreateWriteRepository_0 = &utilities.DoubleArray{Encoding: map[string]int{"repo": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
+)
+
+func request_RepositoryService_CreateWriteRepository_0(ctx context.Context, marshaler runtime.Marshaler, client RepositoryServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCreateRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Repo); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_CreateWriteRepository_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.CreateWriteRepository(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepositoryService_CreateWriteRepository_0(ctx context.Context, marshaler runtime.Marshaler, server RepositoryServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoCreateRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Repo); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_CreateWriteRepository_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.CreateWriteRepository(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 func request_RepositoryService_Update_0(ctx context.Context, marshaler runtime.Marshaler, client RepositoryServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq RepoUpdateRequest
 	var metadata runtime.ServerMetadata
@@ -707,6 +867,76 @@ func local_request_RepositoryService_UpdateRepository_0(ctx context.Context, mar
 
 }
 
+func request_RepositoryService_UpdateWriteRepository_0(ctx context.Context, marshaler runtime.Marshaler, client RepositoryServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoUpdateRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Repo); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["repo.repo"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "repo.repo")
+	}
+
+	err = runtime.PopulateFieldFromPath(&protoReq, "repo.repo", val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "repo.repo", err)
+	}
+
+	msg, err := client.UpdateWriteRepository(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepositoryService_UpdateWriteRepository_0(ctx context.Context, marshaler runtime.Marshaler, server RepositoryServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoUpdateRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Repo); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["repo.repo"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "repo.repo")
+	}
+
+	err = runtime.PopulateFieldFromPath(&protoReq, "repo.repo", val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "repo.repo", err)
+	}
+
+	msg, err := server.UpdateWriteRepository(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 var (
 	filter_RepositoryService_Delete_0 = &utilities.DoubleArray{Encoding: map[string]int{"repo": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
 )
@@ -851,6 +1081,78 @@ func local_request_RepositoryService_DeleteRepository_0(ctx context.Context, mar
 
 }
 
+var (
+	filter_RepositoryService_DeleteWriteRepository_0 = &utilities.DoubleArray{Encoding: map[string]int{"repo": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
+)
+
+func request_RepositoryService_DeleteWriteRepository_0(ctx context.Context, marshaler runtime.Marshaler, client RepositoryServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoQuery
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["repo"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "repo")
+	}
+
+	protoReq.Repo, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "repo", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_DeleteWriteRepository_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.DeleteWriteRepository(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepositoryService_DeleteWriteRepository_0(ctx context.Context, marshaler runtime.Marshaler, server RepositoryServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoQuery
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["repo"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "repo")
+	}
+
+	protoReq.Repo, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "repo", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_DeleteWriteRepository_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.DeleteWriteRepository(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 var (
 	filter_RepositoryService_ValidateAccess_0 = &utilities.DoubleArray{Encoding: map[string]int{"repo": 0}, Base: []int{1, 2, 0, 0}, Check: []int{0, 1, 2, 2}}
 )
@@ -939,6 +1241,94 @@ func local_request_RepositoryService_ValidateAccess_0(ctx context.Context, marsh
 
 }
 
+var (
+	filter_RepositoryService_ValidateWriteAccess_0 = &utilities.DoubleArray{Encoding: map[string]int{"repo": 0}, Base: []int{1, 2, 0, 0}, Check: []int{0, 1, 2, 2}}
+)
+
+func request_RepositoryService_ValidateWriteAccess_0(ctx context.Context, marshaler runtime.Marshaler, client RepositoryServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoAccessQuery
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Repo); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["repo"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "repo")
+	}
+
+	protoReq.Repo, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "repo", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_ValidateWriteAccess_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.ValidateWriteAccess(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_RepositoryService_ValidateWriteAccess_0(ctx context.Context, marshaler runtime.Marshaler, server RepositoryServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RepoAccessQuery
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq.Repo); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["repo"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "repo")
+	}
+
+	protoReq.Repo, err = runtime.String(val)
+
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "repo", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_RepositoryService_ValidateWriteAccess_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.ValidateWriteAccess(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 // RegisterRepositoryServiceHandlerServer registers the http handlers for service RepositoryService to "mux".
 // UnaryRPC     :call RepositoryServiceServer directly.
 // StreamingRPC :currently unsupported pending https://github.com/grpc/grpc-go/issues/906.
@@ -991,6 +1381,29 @@ func RegisterRepositoryServiceHandlerServer(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("GET", pattern_RepositoryService_GetWrite_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepositoryService_GetWrite_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_GetWrite_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_RepositoryService_ListRepositories_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1014,6 +1427,29 @@ func RegisterRepositoryServiceHandlerServer(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("GET", pattern_RepositoryService_ListWriteRepositories_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepositoryService_ListWriteRepositories_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_ListWriteRepositories_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_RepositoryService_ListRefs_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1152,6 +1588,29 @@ func RegisterRepositoryServiceHandlerServer(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("POST", pattern_RepositoryService_CreateWriteRepository_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepositoryService_CreateWriteRepository_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_CreateWriteRepository_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("PUT", pattern_RepositoryService_Update_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1198,6 +1657,29 @@ func RegisterRepositoryServiceHandlerServer(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("PUT", pattern_RepositoryService_UpdateWriteRepository_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepositoryService_UpdateWriteRepository_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_UpdateWriteRepository_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("DELETE", pattern_RepositoryService_Delete_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1244,6 +1726,29 @@ func RegisterRepositoryServiceHandlerServer(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("DELETE", pattern_RepositoryService_DeleteWriteRepository_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepositoryService_DeleteWriteRepository_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_DeleteWriteRepository_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("POST", pattern_RepositoryService_ValidateAccess_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1267,6 +1772,29 @@ func RegisterRepositoryServiceHandlerServer(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("POST", pattern_RepositoryService_ValidateWriteAccess_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_RepositoryService_ValidateWriteAccess_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_ValidateWriteAccess_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	return nil
 }
 
@@ -1348,6 +1876,26 @@ func RegisterRepositoryServiceHandlerClient(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("GET", pattern_RepositoryService_GetWrite_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepositoryService_GetWrite_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_GetWrite_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_RepositoryService_ListRepositories_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1368,6 +1916,26 @@ func RegisterRepositoryServiceHandlerClient(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("GET", pattern_RepositoryService_ListWriteRepositories_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepositoryService_ListWriteRepositories_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_ListWriteRepositories_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_RepositoryService_ListRefs_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1488,6 +2056,26 @@ func RegisterRepositoryServiceHandlerClient(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("POST", pattern_RepositoryService_CreateWriteRepository_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepositoryService_CreateWriteRepository_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_CreateWriteRepository_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("PUT", pattern_RepositoryService_Update_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1528,6 +2116,26 @@ func RegisterRepositoryServiceHandlerClient(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("PUT", pattern_RepositoryService_UpdateWriteRepository_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepositoryService_UpdateWriteRepository_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_UpdateWriteRepository_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("DELETE", pattern_RepositoryService_Delete_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1568,6 +2176,26 @@ func RegisterRepositoryServiceHandlerClient(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("DELETE", pattern_RepositoryService_DeleteWriteRepository_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepositoryService_DeleteWriteRepository_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_DeleteWriteRepository_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("POST", pattern_RepositoryService_ValidateAccess_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1588,6 +2216,26 @@ func RegisterRepositoryServiceHandlerClient(ctx context.Context, mux *runtime.Se
 
 	})
 
+	mux.Handle("POST", pattern_RepositoryService_ValidateWriteAccess_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_RepositoryService_ValidateWriteAccess_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_RepositoryService_ValidateWriteAccess_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	return nil
 }
 
@@ -1596,8 +2244,12 @@ var (
 
 	pattern_RepositoryService_Get_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "repositories", "repo"}, "", runtime.AssumeColonVerbOpt(true)))
 
+	pattern_RepositoryService_GetWrite_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "write-repositories", "repo"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_RepositoryService_ListRepositories_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "repositories"}, "", runtime.AssumeColonVerbOpt(true)))
 
+	pattern_RepositoryService_ListWriteRepositories_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "write-repositories"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_RepositoryService_ListRefs_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "repositories", "repo", "refs"}, "", runtime.AssumeColonVerbOpt(true)))
 
 	pattern_RepositoryService_ListApps_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "repositories", "repo", "apps"}, "", runtime.AssumeColonVerbOpt(true)))
@@ -1610,15 +2262,23 @@ var (
 
 	pattern_RepositoryService_CreateRepository_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "repositories"}, "", runtime.AssumeColonVerbOpt(true)))
 
+	pattern_RepositoryService_CreateWriteRepository_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "write-repositories"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_RepositoryService_Update_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "repositories", "repo.repo"}, "", runtime.AssumeColonVerbOpt(true)))
 
 	pattern_RepositoryService_UpdateRepository_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "repositories", "repo.repo"}, "", runtime.AssumeColonVerbOpt(true)))
 
+	pattern_RepositoryService_UpdateWriteRepository_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "write-repositories", "repo.repo"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_RepositoryService_Delete_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "repositories", "repo"}, "", runtime.AssumeColonVerbOpt(true)))
 
 	pattern_RepositoryService_DeleteRepository_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "repositories", "repo"}, "", runtime.AssumeColonVerbOpt(true)))
 
+	pattern_RepositoryService_DeleteWriteRepository_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "write-repositories", "repo"}, "", runtime.AssumeColonVerbOpt(true)))
+
 	pattern_RepositoryService_ValidateAccess_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "repositories", "repo", "validate"}, "", runtime.AssumeColonVerbOpt(true)))
+
+	pattern_RepositoryService_ValidateWriteAccess_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "write-repositories", "repo", "validate"}, "", runtime.AssumeColonVerbOpt(true)))
 )
 
 var (
@@ -1626,8 +2286,12 @@ var (
 
 	forward_RepositoryService_Get_0 = runtime.ForwardResponseMessage
 
+	forward_RepositoryService_GetWrite_0 = runtime.ForwardResponseMessage
+
 	forward_RepositoryService_ListRepositories_0 = runtime.ForwardResponseMessage
 
+	forward_RepositoryService_ListWriteRepositories_0 = runtime.ForwardResponseMessage
+
 	forward_RepositoryService_ListRefs_0 = runtime.ForwardResponseMessage
 
 	forward_RepositoryService_ListApps_0 = runtime.ForwardResponseMessage
@@ -1640,13 +2304,21 @@ var (
 
 	forward_RepositoryService_CreateRepository_0 = runtime.ForwardResponseMessage
 
+	forward_RepositoryService_CreateWriteRepository_0 = runtime.ForwardResponseMessage
+
 	forward_RepositoryService_Update_0 = runtime.ForwardResponseMessage
 
 	forward_RepositoryService_UpdateRepository_0 = runtime.ForwardResponseMessage
 
+	forward_RepositoryService_UpdateWriteRepository_0 = runtime.ForwardResponseMessage
+
 	forward_RepositoryService_Delete_0 = runtime.ForwardResponseMessage
 
 	forward_RepositoryService_DeleteRepository_0 = runtime.ForwardResponseMessage
 
+	forward_RepositoryService_DeleteWriteRepository_0 = runtime.ForwardResponseMessage
+
 	forward_RepositoryService_ValidateAccess_0 = runtime.ForwardResponseMessage
+
+	forward_RepositoryService_ValidateWriteAccess_0 = runtime.ForwardResponseMessage
 )

pkg/apiclient/settings/settings.pb.go

@@ -104,6 +104,7 @@ type Settings struct {
 	ImpersonationEnabled      bool                               `protobuf:"varint,25,opt,name=impersonationEnabled,proto3" json:"impersonationEnabled,omitempty"`
 	InstallationID            string                             `protobuf:"bytes,26,opt,name=installationID,proto3" json:"installationID,omitempty"`
 	AdditionalURLs            []string                           `protobuf:"bytes,27,rep,name=additionalUrls,proto3" json:"additionalUrls,omitempty"`
+	HydratorEnabled           bool                               `protobuf:"varint,28,opt,name=hydratorEnabled,proto3" json:"hydratorEnabled,omitempty"`
 	XXX_NoUnkeyedLiteral      struct{}                           `json:"-"`
 	XXX_unrecognized          []byte                             `json:"-"`
 	XXX_sizecache             int32                              `json:"-"`
@@ -331,6 +332,13 @@ func (m *Settings) GetAdditionalURLs() []string {
 	return nil
 }
 
+func (m *Settings) GetHydratorEnabled() bool {
+	if m != nil {
+		return m.HydratorEnabled
+	}
+	return false
+}
+
 type GoogleAnalyticsConfig struct {
 	TrackingID           string   `protobuf:"bytes,1,opt,name=trackingID,proto3" json:"trackingID,omitempty"`
 	AnonymizeUsers       bool     `protobuf:"varint,2,opt,name=anonymizeUsers,proto3" json:"anonymizeUsers,omitempty"`
@@ -764,87 +772,88 @@ func init() {
 func init() { proto.RegisterFile("server/settings/settings.proto", fileDescriptor_a480d494da040caa) }
 
 var fileDescriptor_a480d494da040caa = []byte{
-	// 1278 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0x4f, 0x6f, 0xdb, 0xc6,
-	0x12, 0x87, 0x22, 0xc7, 0x96, 0xc6, 0xb1, 0x65, 0x6f, 0x1c, 0x87, 0xd1, 0xcb, 0xb3, 0xf5, 0x74,
-	0x08, 0xf4, 0x1e, 0x5e, 0xa9, 0xd8, 0x41, 0xd1, 0x22, 0x68, 0xd0, 0x5a, 0x52, 0x90, 0xa8, 0x71,
-	0x12, 0x77, 0x13, 0xe7, 0xd0, 0x4b, 0xb0, 0x26, 0xa7, 0x14, 0x6b, 0x6a, 0x97, 0xd8, 0x5d, 0xaa,
-	0x51, 0x8e, 0xfd, 0x00, 0xbd, 0xb4, 0x9f, 0xa6, 0xf7, 0xa2, 0x3d, 0x15, 0x05, 0x7a, 0x37, 0x0a,
-	0xa1, 0x1f, 0xa4, 0xe0, 0xf2, 0x8f, 0x69, 0x4a, 0x4e, 0x0b, 0xe4, 0xb6, 0xfb, 0xfb, 0xcd, 0xbf,
-	0x1d, 0xce, 0x0c, 0x07, 0x76, 0x14, 0xca, 0x09, 0xca, 0xae, 0x42, 0xad, 0x7d, 0xee, 0xa9, 0xfc,
-	0x60, 0x87, 0x52, 0x68, 0x41, 0x56, 0x9c, 0x20, 0x52, 0x1a, 0x65, 0x73, 0xcb, 0x13, 0x9e, 0x30,
-	0x58, 0x37, 0x3e, 0x25, 0x74, 0xf3, 0xb6, 0x27, 0x84, 0x17, 0x60, 0x97, 0x85, 0x7e, 0x97, 0x71,
-	0x2e, 0x34, 0xd3, 0xbe, 0xe0, 0xa9, 0x72, 0xf3, 0xd0, 0xf3, 0xf5, 0x28, 0x3a, 0xb1, 0x1d, 0x31,
-	0xee, 0x32, 0x69, 0xd4, 0xbf, 0x36, 0x87, 0x0f, 0x1c, 0xb7, 0x3b, 0xd9, 0xef, 0x86, 0xa7, 0x5e,
-	0xac, 0xa9, 0xba, 0x2c, 0x0c, 0x03, 0xdf, 0x31, 0xba, 0xdd, 0xc9, 0x1e, 0x0b, 0xc2, 0x11, 0xdb,
-	0xeb, 0x7a, 0xc8, 0x51, 0x32, 0x8d, 0x6e, 0x6a, 0xed, 0xb3, 0xbf, 0xb1, 0x56, 0x7e, 0x89, 0xf0,
-	0x5d, 0xa7, 0xeb, 0x04, 0xcc, 0x1f, 0xa7, 0xf1, 0xb4, 0x1b, 0xb0, 0xf6, 0x22, 0x65, 0xbf, 0x88,
-	0x50, 0x4e, 0xdb, 0xbf, 0x5e, 0x83, 0x5a, 0x86, 0x90, 0x5b, 0x50, 0x8d, 0x64, 0x60, 0x55, 0x5a,
-	0x95, 0x4e, 0xbd, 0xb7, 0x32, 0x3b, 0xdb, 0xad, 0x1e, 0xd3, 0x43, 0x1a, 0x63, 0xe4, 0x2e, 0xd4,
-	0x5d, 0x7c, 0xd3, 0x17, 0xfc, 0x2b, 0xdf, 0xb3, 0xae, 0xb4, 0x2a, 0x9d, 0xd5, 0x7d, 0x62, 0xa7,
-	0x99, 0xb1, 0x07, 0x19, 0x43, 0xcf, 0x85, 0x48, 0x1f, 0x20, 0xf6, 0x9f, 0xaa, 0x54, 0x8d, 0xca,
-	0xf5, 0x5c, 0xe5, 0xf9, 0x70, 0xd0, 0x4f, 0xa8, 0xde, 0xfa, 0xec, 0x6c, 0x17, 0xce, 0xef, 0xb4,
-	0xa0, 0x46, 0x5a, 0xb0, 0xca, 0xc2, 0xf0, 0x90, 0x9d, 0x60, 0xf0, 0x04, 0xa7, 0xd6, 0x52, 0x1c,
-	0x19, 0x2d, 0x42, 0xe4, 0x15, 0x6c, 0x4a, 0x54, 0x22, 0x92, 0x0e, 0x3e, 0x9f, 0xa0, 0x94, 0xbe,
-	0x8b, 0xca, 0xba, 0xda, 0xaa, 0x76, 0x56, 0xf7, 0x3b, 0xb9, 0xb7, 0xec, 0x85, 0x36, 0x2d, 0x8b,
-	0x3e, 0xe4, 0x5a, 0x4e, 0xe9, 0xbc, 0x09, 0x62, 0x03, 0x51, 0x9a, 0xe9, 0x48, 0xf5, 0x98, 0xeb,
-	0xe1, 0x43, 0xce, 0x4e, 0x02, 0x74, 0xad, 0xe5, 0x56, 0xa5, 0x53, 0xa3, 0x0b, 0x18, 0xf2, 0x18,
-	0x1a, 0x49, 0x25, 0x1c, 0x70, 0x16, 0x4c, 0xb5, 0xef, 0x28, 0x6b, 0xc5, 0xbc, 0x79, 0x27, 0x8f,
-	0xe2, 0xd1, 0x45, 0x3e, 0x7d, 0x6e, 0x59, 0x8d, 0xbc, 0x85, 0x8d, 0xd3, 0x48, 0x69, 0x31, 0xf6,
-	0xdf, 0xe2, 0xf3, 0xd0, 0x54, 0x93, 0x55, 0x33, 0xa6, 0x9e, 0xd9, 0xe7, 0x05, 0x60, 0x67, 0x05,
-	0x60, 0x0e, 0xaf, 0x1d, 0xd7, 0x9e, 0xec, 0xdb, 0xe1, 0xa9, 0x67, 0xc7, 0xe5, 0x64, 0x17, 0xca,
-	0xc9, 0xce, 0xca, 0xc9, 0x7e, 0x52, 0xb2, 0x4a, 0xe7, 0xfc, 0x90, 0xff, 0xc0, 0xd2, 0x08, 0x83,
-	0xd0, 0xaa, 0x1b, 0x7f, 0x6b, 0x79, 0xe8, 0x8f, 0x31, 0x08, 0xa9, 0xa1, 0xc8, 0x7f, 0x61, 0x25,
-	0x0c, 0x22, 0xcf, 0xe7, 0xca, 0x02, 0x93, 0xe6, 0x46, 0x2e, 0x75, 0x64, 0x70, 0x9a, 0xf1, 0x71,
-	0x0e, 0x23, 0x85, 0xf2, 0x50, 0xc4, 0xb7, 0x81, 0xaf, 0x92, 0x1c, 0xae, 0x26, 0x39, 0x9c, 0x67,
-	0xc8, 0x77, 0x15, 0xb8, 0xe9, 0x98, 0xac, 0x3c, 0x65, 0x9c, 0x79, 0x38, 0x46, 0xae, 0x8f, 0x52,
-	0x5f, 0xd7, 0x8c, 0xaf, 0x97, 0xef, 0x97, 0x81, 0xfe, 0x42, 0xe3, 0xf4, 0x32, 0xa7, 0xe4, 0xff,
-	0xb0, 0x99, 0xa7, 0xe8, 0x15, 0x4a, 0x65, 0xbe, 0xc5, 0x5a, 0xab, 0xda, 0xa9, 0xd3, 0x79, 0x82,
-	0x34, 0xa1, 0x16, 0xf9, 0x7d, 0xa5, 0x8e, 0xe9, 0xa1, 0xb5, 0x6e, 0x2a, 0x35, 0xbf, 0x93, 0x0e,
-	0x34, 0x22, 0xbf, 0xc7, 0x38, 0x47, 0xd9, 0x17, 0x5c, 0x23, 0xd7, 0x56, 0xc3, 0x88, 0x94, 0xe1,
-	0xb8, 0xe4, 0x33, 0x28, 0x36, 0xb4, 0x91, 0x94, 0x7c, 0x01, 0x8a, 0x6d, 0x85, 0x4c, 0xa9, 0x6f,
-	0x84, 0x74, 0x8f, 0x98, 0xd6, 0x28, 0xb9, 0xb5, 0x99, 0xd8, 0x2a, 0xc1, 0xe4, 0x0e, 0xac, 0x6b,
-	0xc9, 0x9c, 0x53, 0x9f, 0x7b, 0x4f, 0x51, 0x8f, 0x84, 0x6b, 0x11, 0x23, 0x58, 0x42, 0xe3, 0x77,
-	0x66, 0x0e, 0x8e, 0x50, 0x8e, 0x19, 0x8f, 0xe3, 0xbb, 0x6e, 0xbe, 0xd3, 0x3c, 0x41, 0xfe, 0x07,
-	0x1b, 0x39, 0x28, 0x94, 0x1f, 0xa7, 0xd8, 0xda, 0x32, 0x76, 0xe7, 0xf0, 0x52, 0x1b, 0x51, 0x21,
-	0xf4, 0xb1, 0x0c, 0xac, 0x1b, 0x46, 0x7a, 0x01, 0x13, 0xbf, 0x1e, 0xdf, 0xa0, 0x93, 0xf5, 0xdb,
-	0xb6, 0x89, 0xa1, 0x08, 0x91, 0xbb, 0x70, 0xdd, 0x11, 0x5c, 0x4b, 0x11, 0x04, 0x28, 0x9f, 0xb1,
-	0x31, 0xaa, 0x90, 0x39, 0x68, 0xdd, 0x34, 0x26, 0x17, 0x51, 0xe4, 0x13, 0xb8, 0xc5, 0xc2, 0x50,
-	0x0d, 0xf9, 0x01, 0x9f, 0xe6, 0x68, 0xe6, 0xc1, 0x32, 0x1e, 0x2e, 0x17, 0x20, 0xfb, 0xb0, 0xe5,
-	0x8f, 0x43, 0x94, 0x4a, 0x70, 0x53, 0x4d, 0x99, 0xe2, 0x2d, 0xa3, 0xb8, 0x90, 0x8b, 0xf3, 0xee,
-	0x73, 0xa5, 0x59, 0x10, 0x18, 0x78, 0x38, 0xb0, 0x9a, 0x49, 0xde, 0x2f, 0xa2, 0xe4, 0x3e, 0xac,
-	0x33, 0xd7, 0x35, 0x99, 0x62, 0xc1, 0xb1, 0x0c, 0x94, 0xf5, 0xaf, 0xb8, 0xb8, 0x7a, 0x64, 0x76,
-	0xb6, 0xbb, 0x7e, 0x70, 0xce, 0xd0, 0x43, 0x45, 0x4b, 0x92, 0xcd, 0x1f, 0x2a, 0xb0, 0xbd, 0x78,
-	0x9c, 0x91, 0x0d, 0xa8, 0x9e, 0xe2, 0x34, 0x99, 0xe3, 0x34, 0x3e, 0x12, 0x17, 0xae, 0x4e, 0x58,
-	0x10, 0x61, 0x3a, 0xba, 0xdf, 0x73, 0x90, 0x94, 0xdd, 0xd2, 0xc4, 0xf8, 0xfd, 0x2b, 0x1f, 0x57,
-	0xda, 0xaf, 0xe1, 0xc6, 0xc2, 0x39, 0x47, 0x76, 0x00, 0xb2, 0xaa, 0x1b, 0x0e, 0xd2, 0xd8, 0x0a,
-	0x48, 0x9c, 0x33, 0xc6, 0x05, 0x9f, 0xc6, 0x2d, 0x75, 0xac, 0x50, 0x2a, 0x13, 0x6b, 0x8d, 0x96,
-	0xd0, 0xf6, 0x00, 0x6e, 0x66, 0xe3, 0x3c, 0x6d, 0x53, 0x8a, 0x2a, 0x14, 0x5c, 0x61, 0x71, 0x34,
-	0x55, 0xde, 0x3d, 0x9a, 0xda, 0x3f, 0x56, 0x60, 0x29, 0x1e, 0x6a, 0xc4, 0x82, 0x15, 0x67, 0xc4,
-	0x4c, 0x55, 0x26, 0x31, 0x65, 0xd7, 0xb8, 0x9d, 0xe3, 0xe3, 0x4b, 0x7c, 0xa3, 0x4d, 0x28, 0x75,
-	0x9a, 0xdf, 0xc9, 0x03, 0x80, 0x13, 0x9f, 0x33, 0x39, 0x35, 0x1f, 0xad, 0x6a, 0x9c, 0xfd, 0xfb,
-	0xc2, 0xb4, 0xb4, 0x7b, 0x39, 0x9f, 0xfc, 0x63, 0x0a, 0x0a, 0xcd, 0x07, 0xd0, 0x28, 0xd1, 0x0b,
-	0xbe, 0xd9, 0x56, 0xf1, 0x9b, 0xd5, 0x8b, 0x39, 0xbe, 0x0d, 0xcb, 0xc9, 0x7b, 0x08, 0x81, 0x25,
-	0xce, 0xc6, 0x98, 0xaa, 0x99, 0x73, 0xfb, 0x53, 0xa8, 0xe7, 0x3f, 0x64, 0xb2, 0x0f, 0xe0, 0x08,
-	0xce, 0xd1, 0xd1, 0x42, 0x66, 0x59, 0x39, 0xff, 0x71, 0xf7, 0x33, 0x8a, 0x16, 0xa4, 0xda, 0xf7,
-	0xa0, 0x9e, 0x13, 0x8b, 0x3c, 0xc4, 0x98, 0x9e, 0x86, 0x59, 0x60, 0xe6, 0xdc, 0xfe, 0xa9, 0x0a,
-	0x85, 0x9f, 0xf8, 0x42, 0xb5, 0x6d, 0x58, 0xf6, 0x95, 0x8a, 0x50, 0xa6, 0x8a, 0xe9, 0x8d, 0x74,
-	0xa0, 0xe6, 0x04, 0x3e, 0x72, 0x3d, 0x1c, 0x98, 0x3d, 0xa1, 0xde, 0xbb, 0x36, 0x3b, 0xdb, 0xad,
-	0xf5, 0x53, 0x8c, 0xe6, 0x2c, 0xd9, 0x83, 0x55, 0x27, 0xf0, 0x33, 0x22, 0x59, 0x07, 0x7a, 0x8d,
-	0xd9, 0xd9, 0xee, 0x6a, 0xff, 0x70, 0x98, 0xcb, 0x17, 0x65, 0x62, 0xa7, 0xca, 0x11, 0x61, 0xba,
-	0x14, 0xd4, 0x69, 0x7a, 0x23, 0xaf, 0x61, 0xcd, 0x77, 0x5f, 0x8a, 0x53, 0xe4, 0x7d, 0xb3, 0x20,
-	0x59, 0xcb, 0x26, 0x37, 0x77, 0x16, 0x6c, 0x28, 0xf6, 0xb0, 0x28, 0x68, 0x3e, 0x57, 0x6f, 0x73,
-	0x76, 0xb6, 0xbb, 0x36, 0x1c, 0x14, 0x70, 0x7a, 0xd1, 0x1e, 0xb9, 0x0f, 0x16, 0x9a, 0x71, 0x70,
-	0xf4, 0xa4, 0xff, 0xf0, 0x20, 0xd2, 0x23, 0xe4, 0x3a, 0xed, 0x24, 0xb3, 0x19, 0xd4, 0xe8, 0xa5,
-	0x7c, 0x73, 0x0a, 0x64, 0xde, 0xe7, 0x82, 0x12, 0x79, 0x7a, 0xb1, 0xad, 0x3f, 0x7a, 0x67, 0x5b,
-	0x27, 0xdb, 0xa1, 0x9d, 0xaf, 0xb7, 0xf1, 0x9a, 0x65, 0x1b, 0xfb, 0x85, 0xda, 0xda, 0xff, 0xb9,
-	0x02, 0x8d, 0xac, 0xbf, 0x5e, 0xa0, 0x9c, 0xf8, 0x0e, 0x92, 0xcf, 0xa1, 0xfa, 0x08, 0x35, 0xd9,
-	0x9e, 0xdb, 0xa7, 0xcc, 0x0e, 0xd9, 0xdc, 0x9c, 0xc3, 0xdb, 0xd6, 0xb7, 0xbf, 0xff, 0xf9, 0xfd,
-	0x15, 0x42, 0x36, 0xcc, 0x5e, 0x3c, 0xd9, 0xcb, 0x77, 0x52, 0x32, 0x02, 0x78, 0x84, 0xf9, 0x0f,
-	0xf6, 0x32, 0x93, 0xad, 0x39, 0xbc, 0xd4, 0xeb, 0xed, 0x96, 0xf1, 0xd0, 0x24, 0x56, 0xd9, 0x43,
-	0x37, 0x6d, 0xf1, 0x5e, 0xff, 0x97, 0xd9, 0x4e, 0xe5, 0xb7, 0xd9, 0x4e, 0xe5, 0x8f, 0xd9, 0x4e,
-	0xe5, 0xcb, 0x0f, 0xff, 0xd9, 0x26, 0x9e, 0x94, 0x5a, 0x6e, 0xec, 0x64, 0xd9, 0xec, 0xcd, 0xf7,
-	0xfe, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x36, 0x87, 0xd7, 0x56, 0x26, 0x0c, 0x00, 0x00,
+	// 1293 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0xcd, 0x6e, 0x1b, 0xb7,
+	0x16, 0xc6, 0x44, 0x8e, 0x2d, 0x1d, 0xc7, 0x96, 0xcd, 0x38, 0xce, 0x44, 0x37, 0xd7, 0xd6, 0xd5,
+	0x22, 0xd0, 0xbd, 0xb8, 0x1d, 0xc5, 0x0a, 0x8a, 0x16, 0x41, 0x83, 0xd6, 0x92, 0x82, 0x44, 0x8d,
+	0x92, 0xb8, 0x4c, 0x9c, 0x45, 0x37, 0x01, 0x3d, 0xc3, 0x8e, 0xa6, 0x1e, 0x91, 0x03, 0x92, 0xa3,
+	0x46, 0x59, 0xf6, 0x01, 0xba, 0x69, 0x9f, 0xa6, 0xfb, 0xa2, 0x5d, 0x16, 0xe8, 0xde, 0x28, 0x84,
+	0x3e, 0x44, 0x97, 0x05, 0x39, 0x3f, 0x1e, 0x8f, 0xe4, 0xb4, 0x40, 0x76, 0xe4, 0xf7, 0x9d, 0x3f,
+	0x1e, 0x9e, 0x43, 0x1e, 0xd8, 0x93, 0x54, 0x4c, 0xa9, 0xe8, 0x48, 0xaa, 0x54, 0xc0, 0x7c, 0x99,
+	0x2f, 0x9c, 0x48, 0x70, 0xc5, 0xd1, 0x9a, 0x1b, 0xc6, 0x52, 0x51, 0xd1, 0xd8, 0xf1, 0xb9, 0xcf,
+	0x0d, 0xd6, 0xd1, 0xab, 0x84, 0x6e, 0xdc, 0xf6, 0x39, 0xf7, 0x43, 0xda, 0x21, 0x51, 0xd0, 0x21,
+	0x8c, 0x71, 0x45, 0x54, 0xc0, 0x59, 0xaa, 0xdc, 0x18, 0xf9, 0x81, 0x1a, 0xc7, 0x27, 0x8e, 0xcb,
+	0x27, 0x1d, 0x22, 0x8c, 0xfa, 0xd7, 0x66, 0xf1, 0x81, 0xeb, 0x75, 0xa6, 0xdd, 0x4e, 0x74, 0xea,
+	0x6b, 0x4d, 0xd9, 0x21, 0x51, 0x14, 0x06, 0xae, 0xd1, 0xed, 0x4c, 0x0f, 0x48, 0x18, 0x8d, 0xc9,
+	0x41, 0xc7, 0xa7, 0x8c, 0x0a, 0xa2, 0xa8, 0x97, 0x5a, 0xfb, 0xec, 0x6f, 0xac, 0x95, 0x4f, 0xc2,
+	0x03, 0xcf, 0xed, 0xb8, 0x21, 0x09, 0x26, 0x69, 0x3c, 0xad, 0x3a, 0x6c, 0xbc, 0x48, 0xd9, 0x2f,
+	0x62, 0x2a, 0x66, 0xad, 0x3f, 0xaf, 0x41, 0x35, 0x43, 0xd0, 0x2d, 0xa8, 0xc4, 0x22, 0xb4, 0xad,
+	0xa6, 0xd5, 0xae, 0xf5, 0xd6, 0xe6, 0x67, 0xfb, 0x95, 0x63, 0x3c, 0xc2, 0x1a, 0x43, 0x77, 0xa1,
+	0xe6, 0xd1, 0x37, 0x7d, 0xce, 0xbe, 0x0a, 0x7c, 0xfb, 0x4a, 0xd3, 0x6a, 0xaf, 0x77, 0x91, 0x93,
+	0x66, 0xc6, 0x19, 0x64, 0x0c, 0x3e, 0x17, 0x42, 0x7d, 0x00, 0xed, 0x3f, 0x55, 0xa9, 0x18, 0x95,
+	0xeb, 0xb9, 0xca, 0xf3, 0xe1, 0xa0, 0x9f, 0x50, 0xbd, 0xcd, 0xf9, 0xd9, 0x3e, 0x9c, 0xef, 0x71,
+	0x41, 0x0d, 0x35, 0x61, 0x9d, 0x44, 0xd1, 0x88, 0x9c, 0xd0, 0xf0, 0x09, 0x9d, 0xd9, 0x2b, 0x3a,
+	0x32, 0x5c, 0x84, 0xd0, 0x2b, 0xd8, 0x16, 0x54, 0xf2, 0x58, 0xb8, 0xf4, 0xf9, 0x94, 0x0a, 0x11,
+	0x78, 0x54, 0xda, 0x57, 0x9b, 0x95, 0xf6, 0x7a, 0xb7, 0x9d, 0x7b, 0xcb, 0x4e, 0xe8, 0xe0, 0xb2,
+	0xe8, 0x43, 0xa6, 0xc4, 0x0c, 0x2f, 0x9a, 0x40, 0x0e, 0x20, 0xa9, 0x88, 0x8a, 0x65, 0x8f, 0x78,
+	0x3e, 0x7d, 0xc8, 0xc8, 0x49, 0x48, 0x3d, 0x7b, 0xb5, 0x69, 0xb5, 0xab, 0x78, 0x09, 0x83, 0x1e,
+	0x43, 0x3d, 0xa9, 0x84, 0x43, 0x46, 0xc2, 0x99, 0x0a, 0x5c, 0x69, 0xaf, 0x99, 0x33, 0xef, 0xe5,
+	0x51, 0x3c, 0xba, 0xc8, 0xa7, 0xc7, 0x2d, 0xab, 0xa1, 0xb7, 0xb0, 0x75, 0x1a, 0x4b, 0xc5, 0x27,
+	0xc1, 0x5b, 0xfa, 0x3c, 0x32, 0xd5, 0x64, 0x57, 0x8d, 0xa9, 0x67, 0xce, 0x79, 0x01, 0x38, 0x59,
+	0x01, 0x98, 0xc5, 0x6b, 0xd7, 0x73, 0xa6, 0x5d, 0x27, 0x3a, 0xf5, 0x1d, 0x5d, 0x4e, 0x4e, 0xa1,
+	0x9c, 0x9c, 0xac, 0x9c, 0x9c, 0x27, 0x25, 0xab, 0x78, 0xc1, 0x0f, 0xfa, 0x0f, 0xac, 0x8c, 0x69,
+	0x18, 0xd9, 0x35, 0xe3, 0x6f, 0x23, 0x0f, 0xfd, 0x31, 0x0d, 0x23, 0x6c, 0x28, 0xf4, 0x5f, 0x58,
+	0x8b, 0xc2, 0xd8, 0x0f, 0x98, 0xb4, 0xc1, 0xa4, 0xb9, 0x9e, 0x4b, 0x1d, 0x19, 0x1c, 0x67, 0xbc,
+	0xce, 0x61, 0x2c, 0xa9, 0x18, 0x71, 0xbd, 0x1b, 0x04, 0x32, 0xc9, 0xe1, 0x7a, 0x92, 0xc3, 0x45,
+	0x06, 0x7d, 0x67, 0xc1, 0x4d, 0xd7, 0x64, 0xe5, 0x29, 0x61, 0xc4, 0xa7, 0x13, 0xca, 0xd4, 0x51,
+	0xea, 0xeb, 0x9a, 0xf1, 0xf5, 0xf2, 0xfd, 0x32, 0xd0, 0x5f, 0x6a, 0x1c, 0x5f, 0xe6, 0x14, 0xfd,
+	0x1f, 0xb6, 0xf3, 0x14, 0xbd, 0xa2, 0x42, 0x9a, 0xbb, 0xd8, 0x68, 0x56, 0xda, 0x35, 0xbc, 0x48,
+	0xa0, 0x06, 0x54, 0xe3, 0xa0, 0x2f, 0xe5, 0x31, 0x1e, 0xd9, 0x9b, 0xa6, 0x52, 0xf3, 0x3d, 0x6a,
+	0x43, 0x3d, 0x0e, 0x7a, 0x84, 0x31, 0x2a, 0xfa, 0x9c, 0x29, 0xca, 0x94, 0x5d, 0x37, 0x22, 0x65,
+	0x58, 0x97, 0x7c, 0x06, 0x69, 0x43, 0x5b, 0x49, 0xc9, 0x17, 0x20, 0x6d, 0x2b, 0x22, 0x52, 0x7e,
+	0xc3, 0x85, 0x77, 0x44, 0x94, 0xa2, 0x82, 0xd9, 0xdb, 0x89, 0xad, 0x12, 0x8c, 0xee, 0xc0, 0xa6,
+	0x12, 0xc4, 0x3d, 0x0d, 0x98, 0xff, 0x94, 0xaa, 0x31, 0xf7, 0x6c, 0x64, 0x04, 0x4b, 0xa8, 0x3e,
+	0x67, 0xe6, 0xe0, 0x88, 0x8a, 0x09, 0x61, 0x3a, 0xbe, 0xeb, 0xe6, 0x9e, 0x16, 0x09, 0xf4, 0x3f,
+	0xd8, 0xca, 0x41, 0x2e, 0x03, 0x9d, 0x62, 0x7b, 0xc7, 0xd8, 0x5d, 0xc0, 0x4b, 0x6d, 0x84, 0x39,
+	0x57, 0xc7, 0x22, 0xb4, 0x6f, 0x18, 0xe9, 0x25, 0x8c, 0x3e, 0x3d, 0x7d, 0x43, 0xdd, 0xac, 0xdf,
+	0x76, 0x4d, 0x0c, 0x45, 0x08, 0xdd, 0x85, 0xeb, 0x2e, 0x67, 0x4a, 0xf0, 0x30, 0xa4, 0xe2, 0x19,
+	0x99, 0x50, 0x19, 0x11, 0x97, 0xda, 0x37, 0x8d, 0xc9, 0x65, 0x14, 0xfa, 0x04, 0x6e, 0x91, 0x28,
+	0x92, 0x43, 0x76, 0xc8, 0x66, 0x39, 0x9a, 0x79, 0xb0, 0x8d, 0x87, 0xcb, 0x05, 0x50, 0x17, 0x76,
+	0x82, 0x49, 0x44, 0x85, 0xe4, 0xcc, 0x54, 0x53, 0xa6, 0x78, 0xcb, 0x28, 0x2e, 0xe5, 0x74, 0xde,
+	0x03, 0x26, 0x15, 0x09, 0x43, 0x03, 0x0f, 0x07, 0x76, 0x23, 0xc9, 0xfb, 0x45, 0x14, 0xdd, 0x87,
+	0x4d, 0xe2, 0x79, 0x26, 0x53, 0x24, 0x3c, 0x16, 0xa1, 0xb4, 0xff, 0xa5, 0x8b, 0xab, 0x87, 0xe6,
+	0x67, 0xfb, 0x9b, 0x87, 0xe7, 0x0c, 0x1e, 0x49, 0x5c, 0x92, 0xd4, 0x55, 0x30, 0x9e, 0x79, 0x82,
+	0x28, 0x2e, 0xb2, 0x90, 0x6e, 0x9b, 0x90, 0xca, 0x70, 0xe3, 0x07, 0x0b, 0x76, 0x97, 0x3f, 0x7c,
+	0x68, 0x0b, 0x2a, 0xa7, 0x74, 0x96, 0xbc, 0xf8, 0x58, 0x2f, 0x91, 0x07, 0x57, 0xa7, 0x24, 0x8c,
+	0x69, 0xfa, 0xc8, 0xbf, 0xe7, 0x93, 0x53, 0x76, 0x8b, 0x13, 0xe3, 0xf7, 0xaf, 0x7c, 0x6c, 0xb5,
+	0x5e, 0xc3, 0x8d, 0xa5, 0x2f, 0x22, 0xda, 0x03, 0xc8, 0xea, 0x73, 0x38, 0x48, 0x63, 0x2b, 0x20,
+	0x3a, 0xbb, 0x84, 0x71, 0x36, 0xd3, 0xcd, 0x77, 0x2c, 0xa9, 0x90, 0x26, 0xd6, 0x2a, 0x2e, 0xa1,
+	0xad, 0x01, 0xdc, 0xcc, 0x1e, 0xfe, 0xb4, 0xa1, 0x31, 0x95, 0x11, 0x67, 0x92, 0x16, 0x1f, 0x31,
+	0xeb, 0xdd, 0x8f, 0x58, 0xeb, 0x47, 0x0b, 0x56, 0xf4, 0xf3, 0x87, 0x6c, 0x58, 0x73, 0xc7, 0xc4,
+	0xd4, 0x6f, 0x12, 0x53, 0xb6, 0xd5, 0x8d, 0xaf, 0x97, 0x2f, 0xe9, 0x1b, 0x65, 0x42, 0xa9, 0xe1,
+	0x7c, 0x8f, 0x1e, 0x00, 0x9c, 0x04, 0x8c, 0x88, 0x99, 0xb9, 0xde, 0x8a, 0x71, 0xf6, 0xef, 0x0b,
+	0xef, 0xaa, 0xd3, 0xcb, 0xf9, 0xe4, 0x37, 0x2a, 0x28, 0x34, 0x1e, 0x40, 0xbd, 0x44, 0x2f, 0xb9,
+	0xb3, 0x9d, 0xe2, 0x9d, 0xd5, 0x8a, 0x39, 0xbe, 0x0d, 0xab, 0xc9, 0x79, 0x10, 0x82, 0x15, 0x46,
+	0x26, 0x34, 0x55, 0x33, 0xeb, 0xd6, 0xa7, 0x50, 0xcb, 0xbf, 0x6e, 0xd4, 0x05, 0x70, 0x39, 0x63,
+	0xd4, 0x55, 0x5c, 0x64, 0x59, 0x39, 0xff, 0xe2, 0xfb, 0x19, 0x85, 0x0b, 0x52, 0xad, 0x7b, 0x50,
+	0xcb, 0x89, 0x65, 0x1e, 0x34, 0xa6, 0x66, 0x51, 0x16, 0x98, 0x59, 0xb7, 0x7e, 0xaa, 0x40, 0xe1,
+	0xbb, 0x5f, 0xaa, 0xb6, 0x0b, 0xab, 0x81, 0x94, 0x31, 0x15, 0xa9, 0x62, 0xba, 0x43, 0x6d, 0xa8,
+	0xba, 0x61, 0x40, 0x99, 0x1a, 0x0e, 0xcc, 0x44, 0x51, 0xeb, 0x5d, 0x9b, 0x9f, 0xed, 0x57, 0xfb,
+	0x29, 0x86, 0x73, 0x16, 0x1d, 0xc0, 0xba, 0x1b, 0x06, 0x19, 0x91, 0x0c, 0x0e, 0xbd, 0xfa, 0xfc,
+	0x6c, 0x7f, 0xbd, 0x3f, 0x1a, 0xe6, 0xf2, 0x45, 0x19, 0xed, 0x54, 0xba, 0x3c, 0x4a, 0xc7, 0x87,
+	0x1a, 0x4e, 0x77, 0xe8, 0x35, 0x6c, 0x04, 0xde, 0x4b, 0x7e, 0x4a, 0x59, 0xdf, 0x8c, 0x52, 0xf6,
+	0xaa, 0xc9, 0xcd, 0x9d, 0x25, 0xb3, 0x8c, 0x33, 0x2c, 0x0a, 0x9a, 0xeb, 0xea, 0x6d, 0xcf, 0xcf,
+	0xf6, 0x37, 0x86, 0x83, 0x02, 0x8e, 0x2f, 0xda, 0x43, 0xf7, 0xc1, 0xa6, 0xa6, 0x55, 0x8f, 0x9e,
+	0xf4, 0x1f, 0x1e, 0xc6, 0x6a, 0x4c, 0x99, 0x4a, 0x3b, 0xc9, 0xcc, 0x10, 0x55, 0x7c, 0x29, 0xdf,
+	0x98, 0x01, 0x5a, 0xf4, 0xb9, 0xa4, 0x44, 0x9e, 0x5e, 0x6c, 0xeb, 0x8f, 0xde, 0xd9, 0xd6, 0xc9,
+	0x1c, 0xe9, 0xe4, 0x83, 0xb0, 0x1e, 0xc8, 0x1c, 0x63, 0xbf, 0x50, 0x5b, 0xdd, 0x9f, 0x2d, 0xa8,
+	0x67, 0xfd, 0xf5, 0x82, 0x8a, 0x69, 0xe0, 0x52, 0xf4, 0x39, 0x54, 0x1e, 0x51, 0x85, 0x76, 0x17,
+	0x26, 0x2f, 0x33, 0x6d, 0x36, 0xb6, 0x17, 0xf0, 0x96, 0xfd, 0xed, 0x6f, 0x7f, 0x7c, 0x7f, 0x05,
+	0xa1, 0x2d, 0x33, 0x41, 0x4f, 0x0f, 0xf2, 0xe9, 0x15, 0x8d, 0x01, 0x1e, 0xd1, 0xfc, 0x2b, 0xbe,
+	0xcc, 0x64, 0x73, 0x01, 0x2f, 0xf5, 0x7a, 0xab, 0x69, 0x3c, 0x34, 0x90, 0x5d, 0xf6, 0xd0, 0x49,
+	0x5b, 0xbc, 0xd7, 0xff, 0x65, 0xbe, 0x67, 0xfd, 0x3a, 0xdf, 0xb3, 0x7e, 0x9f, 0xef, 0x59, 0x5f,
+	0x7e, 0xf8, 0xcf, 0x66, 0xf6, 0xa4, 0xd4, 0x72, 0x63, 0x27, 0xab, 0x66, 0xc2, 0xbe, 0xf7, 0x57,
+	0x00, 0x00, 0x00, 0xff, 0xff, 0x57, 0xdb, 0xcf, 0xcf, 0x50, 0x0c, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -1018,6 +1027,18 @@ func (m *Settings) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if m.HydratorEnabled {
+		i--
+		if m.HydratorEnabled {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0xe0
+	}
 	if len(m.AdditionalURLs) > 0 {
 		for iNdEx := len(m.AdditionalURLs) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.AdditionalURLs[iNdEx])
@@ -1823,6 +1844,9 @@ func (m *Settings) Size() (n int) {
 			n += 2 + l + sovSettings(uint64(l))
 		}
 	}
+	if m.HydratorEnabled {
+		n += 3
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -2997,6 +3021,26 @@ func (m *Settings) Unmarshal(dAtA []byte) error {
 			}
 			m.AdditionalURLs = append(m.AdditionalURLs, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 28:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field HydratorEnabled", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSettings
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.HydratorEnabled = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipSettings(dAtA[iNdEx:])

pkg/apis/application/v1alpha1/application_annotations.go

@@ -4,6 +4,8 @@ const (
 	// AnnotationKeyRefresh is the annotation key which indicates that app needs to be refreshed. Removed by application controller after app is refreshed.
 	// Might take values 'normal'/'hard'. Value 'hard' means manifest cache and target cluster state cache should be invalidated before refresh.
 	AnnotationKeyRefresh string = "argocd.argoproj.io/refresh"
+	// AnnotationKeyHydrate is the annotation key which indicates that app needs to be hydrated. Removed by application controller after app is hydrated.
+	AnnotationKeyHydrate string = "argocd.argoproj.io/hydrate"
 
 	// AnnotationKeyManifestGeneratePaths is an annotation that contains a list of semicolon-separated paths in the
 	// manifests repository that affects the manifest generation. Paths might be either relative or absolute. The

pkg/apis/application/v1alpha1/repository_types.go

@@ -5,6 +5,7 @@ import (
 	"net/url"
 	"strings"
 
+	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/util/cert"
 	"github.com/argoproj/argo-cd/v2/util/git"
 	"github.com/argoproj/argo-cd/v2/util/helm"
@@ -283,6 +284,34 @@ func (m *Repository) StringForLogging() string {
 	return fmt.Sprintf("&Repository{Repo: %q, Type: %q, Name: %q, Project: %q}", m.Repo, m.Type, m.Name, m.Project)
 }
 
+// Sanitized returns a copy of the Repository with sensitive information removed.
+func (m *Repository) Sanitized() *Repository {
+	return &Repository{
+		Repo:                       m.Repo,
+		Type:                       m.Type,
+		Name:                       m.Name,
+		Username:                   m.Username,
+		Insecure:                   m.IsInsecure(),
+		EnableLFS:                  m.EnableLFS,
+		EnableOCI:                  m.EnableOCI,
+		Proxy:                      m.Proxy,
+		NoProxy:                    m.NoProxy,
+		Project:                    m.Project,
+		ForceHttpBasicAuth:         m.ForceHttpBasicAuth,
+		InheritedCreds:             m.InheritedCreds,
+		GithubAppId:                m.GithubAppId,
+		GithubAppInstallationId:    m.GithubAppInstallationId,
+		GitHubAppEnterpriseBaseURL: m.GitHubAppEnterpriseBaseURL,
+	}
+}
+
+func (m *Repository) Normalize() *Repository {
+	if m.Type == "" {
+		m.Type = common.DefaultRepoType
+	}
+	return m
+}
+
 // Repositories defines a list of Repository configurations
 type Repositories []*Repository
 

pkg/apis/application/v1alpha1/types.go

@@ -219,6 +219,9 @@ func (a ApplicationSources) IsZero() bool {
 }
 
 func (a *ApplicationSpec) GetSource() ApplicationSource {
+	if a.SourceHydrator != nil {
+		return a.SourceHydrator.GetSyncSource()
+	}
 	// if Application has multiple sources, return the first source in sources
 	if a.HasMultipleSources() {
 		return a.Sources[0]
@@ -229,7 +232,26 @@ func (a *ApplicationSpec) GetSource() ApplicationSource {
 	return ApplicationSource{}
 }
 
+// GetHydrateToSource returns the hydrateTo source if it exists, otherwise returns the sync source.
+func (a *ApplicationSpec) GetHydrateToSource() ApplicationSource {
+	if a.SourceHydrator != nil {
+		targetRevision := a.SourceHydrator.SyncSource.TargetBranch
+		if a.SourceHydrator.HydrateTo != nil {
+			targetRevision = a.SourceHydrator.HydrateTo.TargetBranch
+		}
+		return ApplicationSource{
+			RepoURL:        a.SourceHydrator.DrySource.RepoURL,
+			Path:           a.SourceHydrator.SyncSource.Path,
+			TargetRevision: targetRevision,
+		}
+	}
+	return ApplicationSource{}
+}
+
 func (a *ApplicationSpec) GetSources() ApplicationSources {
+	if a.SourceHydrator != nil {
+		return ApplicationSources{a.SourceHydrator.GetSyncSource()}
+	}
 	if a.HasMultipleSources() {
 		return a.Sources
 	}
@@ -240,7 +262,7 @@ func (a *ApplicationSpec) GetSources() ApplicationSources {
 }
 
 func (a *ApplicationSpec) HasMultipleSources() bool {
-	return len(a.Sources) > 0
+	return a.SourceHydrator == nil && len(a.Sources) > 0
 }
 
 func (a *ApplicationSpec) GetSourcePtrByPosition(sourcePosition int) *ApplicationSource {
@@ -249,6 +271,10 @@ func (a *ApplicationSpec) GetSourcePtrByPosition(sourcePosition int) *Applicatio
 }
 
 func (a *ApplicationSpec) GetSourcePtrByIndex(sourceIndex int) *ApplicationSource {
+	if a.SourceHydrator != nil {
+		source := a.SourceHydrator.GetSyncSource()
+		return &source
+	}
 	// if Application has multiple sources, return the first source in sources
 	if a.HasMultipleSources() {
 		if sourceIndex > 0 {
@@ -366,6 +392,30 @@ type SourceHydrator struct {
 	HydrateTo *HydrateTo `json:"hydrateTo,omitempty" protobuf:"bytes,3,opt,name=hydrateTo"`
 }
 
+// GetSyncSource gets the source from which we should sync when a source hydrator is configured.
+func (s SourceHydrator) GetSyncSource() ApplicationSource {
+	return ApplicationSource{
+		// Pull the RepoURL from the dry source. The SyncSource's RepoURL is assumed to be the same.
+		RepoURL:        s.DrySource.RepoURL,
+		Path:           s.SyncSource.Path,
+		TargetRevision: s.SyncSource.TargetBranch,
+	}
+}
+
+// GetDrySource gets the dry source when a source hydrator is configured.
+func (s SourceHydrator) GetDrySource() ApplicationSource {
+	return ApplicationSource{
+		RepoURL:        s.DrySource.RepoURL,
+		Path:           s.DrySource.Path,
+		TargetRevision: s.DrySource.TargetRevision,
+	}
+}
+
+// DeepEquals returns true if the SourceHydrator is deeply equal to the given SourceHydrator.
+func (s SourceHydrator) DeepEquals(hydrator SourceHydrator) bool {
+	return s.DrySource == hydrator.DrySource && s.SyncSource == hydrator.SyncSource && s.HydrateTo.DeepEquals(hydrator.HydrateTo)
+}
+
 // DrySource specifies a location for dry "don't repeat yourself" manifest source information.
 type DrySource struct {
 	// RepoURL is the URL to the git repository that contains the application manifests
@@ -393,6 +443,19 @@ type HydrateTo struct {
 	TargetBranch string `json:"targetBranch" protobuf:"bytes,1,name=targetBranch"`
 }
 
+// DeepEquals returns true if the HydrateTo is deeply equal to the given HydrateTo.
+func (in *HydrateTo) DeepEquals(to *HydrateTo) bool {
+	if in == nil {
+		return to == nil
+	}
+	if to == nil {
+		// We already know in is not nil.
+		return false
+	}
+	// Compare de-referenced structs.
+	return *in == *to
+}
+
 // RefreshType specifies how to refresh the sources of a given application
 type RefreshType string
 
@@ -1105,6 +1168,16 @@ type SourceHydratorStatus struct {
 	CurrentOperation *HydrateOperation `json:"currentOperation,omitempty" protobuf:"bytes,2,opt,name=currentOperation"`
 }
 
+func (a *ApplicationStatus) FindResource(key kube.ResourceKey) (*ResourceStatus, bool) {
+	for i := range a.Resources {
+		res := a.Resources[i]
+		if kube.NewResourceKey(res.Group, res.Kind, res.Namespace, res.Name) == key {
+			return &res, true
+		}
+	}
+	return nil, false
+}
+
 // HydrateOperation contains information about the most recent hydrate operation
 type HydrateOperation struct {
 	// StartedAt indicates when the hydrate operation started
@@ -1143,16 +1216,6 @@ const (
 	HydrateOperationPhaseHydrated  HydrateOperationPhase = "Hydrated"
 )
 
-func (a *ApplicationStatus) FindResource(key kube.ResourceKey) (*ResourceStatus, bool) {
-	for i := range a.Resources {
-		res := a.Resources[i]
-		if kube.NewResourceKey(res.Group, res.Kind, res.Namespace, res.Name) == key {
-			return &res, true
-		}
-	}
-	return nil, false
-}
-
 // GetRevisions will return the current revision associated with the Application.
 // If app has multisources, it will return all corresponding revisions preserving
 // order from the app.spec.sources. If app has only one source, it will return a
@@ -2953,6 +3016,22 @@ func (app *Application) IsRefreshRequested() (RefreshType, bool) {
 	return refreshType, true
 }
 
+// IsHydrateRequested returns whether hydration has been requested for an application
+func (app *Application) IsHydrateRequested() bool {
+	annotations := app.GetAnnotations()
+	if annotations == nil {
+		return false
+	}
+	typeStr, ok := annotations[AnnotationKeyHydrate]
+	if !ok {
+		return false
+	}
+	if typeStr == "normal" {
+		return true
+	}
+	return false
+}
+
 func (app *Application) HasPostDeleteFinalizer(stage ...string) bool {
 	return getFinalizerIndex(app.ObjectMeta, strings.Join(append([]string{PostDeleteFinalizerName}, stage...), "/")) > -1
 }

pkg/ratelimiter/ratelimiter.go

@@ -35,10 +35,10 @@ func GetDefaultAppRateLimiterConfig() *AppControllerRateLimiterConfig {
 
 // NewCustomAppControllerRateLimiter is a constructor for the rate limiter for a workqueue used by app controller.  It has
 // both overall and per-item rate limiting.  The overall is a token bucket and the per-item is exponential(with auto resets)
-func NewCustomAppControllerRateLimiter(cfg *AppControllerRateLimiterConfig) workqueue.TypedRateLimiter[string] {
-	return workqueue.NewTypedMaxOfRateLimiter[string](
-		NewItemExponentialRateLimiterWithAutoReset(cfg.BaseDelay, cfg.MaxDelay, cfg.FailureCoolDown, cfg.BackoffFactor),
-		&workqueue.TypedBucketRateLimiter[string]{Limiter: rate.NewLimiter(rate.Limit(cfg.BucketQPS), int(cfg.BucketSize))},
+func NewCustomAppControllerRateLimiter[T comparable](cfg *AppControllerRateLimiterConfig) workqueue.TypedRateLimiter[T] {
+	return workqueue.NewTypedMaxOfRateLimiter[T](
+		NewItemExponentialRateLimiterWithAutoReset[T](cfg.BaseDelay, cfg.MaxDelay, cfg.FailureCoolDown, cfg.BackoffFactor),
+		&workqueue.TypedBucketRateLimiter[T]{Limiter: rate.NewLimiter(rate.Limit(cfg.BucketQPS), int(cfg.BucketSize))},
 	)
 }
 
@@ -49,7 +49,7 @@ type failureData struct {
 
 // ItemExponentialRateLimiterWithAutoReset does a simple baseDelay*2^<num-failures> limit
 // dealing with max failures and expiration/resets are up dependent on the cooldown period
-type ItemExponentialRateLimiterWithAutoReset struct {
+type ItemExponentialRateLimiterWithAutoReset[T comparable] struct {
 	failuresLock sync.Mutex
 	failures     map[interface{}]failureData
 
@@ -59,10 +59,10 @@ type ItemExponentialRateLimiterWithAutoReset struct {
 	backoffFactor float64
 }
 
-var _ workqueue.TypedRateLimiter[string] = &ItemExponentialRateLimiterWithAutoReset{}
+var _ workqueue.TypedRateLimiter[string] = &ItemExponentialRateLimiterWithAutoReset[string]{}
 
-func NewItemExponentialRateLimiterWithAutoReset(baseDelay, maxDelay, failureCoolDown time.Duration, backoffFactor float64) workqueue.TypedRateLimiter[string] {
-	return &ItemExponentialRateLimiterWithAutoReset{
+func NewItemExponentialRateLimiterWithAutoReset[T comparable](baseDelay, maxDelay, failureCoolDown time.Duration, backoffFactor float64) workqueue.TypedRateLimiter[T] {
+	return &ItemExponentialRateLimiterWithAutoReset[T]{
 		failures:      map[interface{}]failureData{},
 		baseDelay:     baseDelay,
 		maxDelay:      maxDelay,
@@ -71,7 +71,7 @@ func NewItemExponentialRateLimiterWithAutoReset(baseDelay, maxDelay, failureCool
 	}
 }
 
-func (r *ItemExponentialRateLimiterWithAutoReset) When(item string) time.Duration {
+func (r *ItemExponentialRateLimiterWithAutoReset[T]) When(item T) time.Duration {
 	r.failuresLock.Lock()
 	defer r.failuresLock.Unlock()
 
@@ -109,14 +109,14 @@ func (r *ItemExponentialRateLimiterWithAutoReset) When(item string) time.Duratio
 	return calculated
 }
 
-func (r *ItemExponentialRateLimiterWithAutoReset) NumRequeues(item string) int {
+func (r *ItemExponentialRateLimiterWithAutoReset[T]) NumRequeues(item T) int {
 	r.failuresLock.Lock()
 	defer r.failuresLock.Unlock()
 
 	return r.failures[item].failures
 }
 
-func (r *ItemExponentialRateLimiterWithAutoReset) Forget(item string) {
+func (r *ItemExponentialRateLimiterWithAutoReset[T]) Forget(item T) {
 	r.failuresLock.Lock()
 	defer r.failuresLock.Unlock()
 

reposerver/repository/repository.go

@@ -1138,6 +1138,9 @@ func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclie
 		if appHelm.ReleaseName != "" {
 			templateOpts.Name = appHelm.ReleaseName
 		}
+		if appHelm.Namespace != "" {
+			templateOpts.Namespace = appHelm.Namespace
+		}
 
 		resolvedValueFiles, err := getResolvedValueFiles(appPath, repoRoot, env, q.GetValuesFileSchemes(), appHelm.ValueFiles, q.RefSources, gitRepoPaths, appHelm.IgnoreMissingValueFiles)
 		if err != nil {

server/application/application_test.go

@@ -109,7 +109,7 @@ func fakeResolveRevisionResponseHelm() *apiclient.ResolveRevisionResponse {
 
 func fakeRepoServerClient(isHelm bool) *mocks.RepoServerServiceClient {
 	mockRepoServiceClient := mocks.RepoServerServiceClient{}
-	mockRepoServiceClient.On("ListApps", mock.Anything, mock.Anything).Return(fakeAppList(), nil)
+	mockRepoServiceClient.On("GetProcessableApps", mock.Anything, mock.Anything).Return(fakeAppList(), nil)
 	mockRepoServiceClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(&apiclient.ManifestResponse{}, nil)
 	mockRepoServiceClient.On("GetAppDetails", mock.Anything, mock.Anything).Return(&apiclient.RepoAppDetailsResponse{}, nil)
 	mockRepoServiceClient.On("TestRepository", mock.Anything, mock.Anything).Return(&apiclient.TestRepositoryResponse{}, nil)

server/rbacpolicy/rbacpolicy.go

@@ -14,17 +14,18 @@ import (
 
 const (
 	// please add new items to Resources
-	ResourceClusters        = "clusters"
-	ResourceProjects        = "projects"
-	ResourceApplications    = "applications"
-	ResourceApplicationSets = "applicationsets"
-	ResourceRepositories    = "repositories"
-	ResourceCertificates    = "certificates"
-	ResourceAccounts        = "accounts"
-	ResourceGPGKeys         = "gpgkeys"
-	ResourceLogs            = "logs"
-	ResourceExec            = "exec"
-	ResourceExtensions      = "extensions"
+	ResourceClusters          = "clusters"
+	ResourceProjects          = "projects"
+	ResourceApplications      = "applications"
+	ResourceApplicationSets   = "applicationsets"
+	ResourceRepositories      = "repositories"
+	ResourceWriteRepositories = "write-repositories"
+	ResourceCertificates      = "certificates"
+	ResourceAccounts          = "accounts"
+	ResourceGPGKeys           = "gpgkeys"
+	ResourceLogs              = "logs"
+	ResourceExec              = "exec"
+	ResourceExtensions        = "extensions"
 
 	// please add new items to Actions
 	ActionGet      = "get"
@@ -45,6 +46,7 @@ var (
 		ResourceApplications,
 		ResourceApplicationSets,
 		ResourceRepositories,
+		ResourceWriteRepositories,
 		ResourceCertificates,
 		ResourceAccounts,
 		ResourceGPGKeys,

server/repocreds/repocreds.go

@@ -65,6 +65,30 @@ func (s *Server) ListRepositoryCredentials(ctx context.Context, q *repocredspkg.
 	return &appsv1.RepoCredsList{Items: items}, nil
 }
 
+// ListWriteRepositoryCredentials returns a list of all configured repository credential sets
+func (s *Server) ListWriteRepositoryCredentials(ctx context.Context, q *repocredspkg.RepoCredsQuery) (*appsv1.RepoCredsList, error) {
+	urls, err := s.db.ListRepositoryCredentials(ctx)
+	if err != nil {
+		return nil, err
+	}
+	items := make([]appsv1.RepoCreds, 0)
+	for _, url := range urls {
+		if s.enf.Enforce(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionGet, url) {
+			repo, err := s.db.GetWriteRepositoryCredentials(ctx, url)
+			if err != nil {
+				return nil, err
+			}
+			if repo != nil && repo.Password != "" {
+				items = append(items, appsv1.RepoCreds{
+					URL:      url,
+					Username: repo.Username,
+				})
+			}
+		}
+	}
+	return &appsv1.RepoCredsList{Items: items}, nil
+}
+
 // CreateRepositoryCredentials creates a new credential set in the configuration
 func (s *Server) CreateRepositoryCredentials(ctx context.Context, q *repocredspkg.RepoCredsCreateRequest) (*appsv1.RepoCreds, error) {
 	if q.Creds == nil {
@@ -99,6 +123,40 @@ func (s *Server) CreateRepositoryCredentials(ctx context.Context, q *repocredspk
 	return &appsv1.RepoCreds{URL: r.URL}, err
 }
 
+// CreateWriteRepositoryCredentials creates a new credential set in the configuration
+func (s *Server) CreateWriteRepositoryCredentials(ctx context.Context, q *repocredspkg.RepoCredsCreateRequest) (*appsv1.RepoCreds, error) {
+	if q.Creds == nil {
+		return nil, status.Errorf(codes.InvalidArgument, "missing payload in request")
+	}
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionCreate, q.Creds.URL); err != nil {
+		return nil, err
+	}
+
+	r := q.Creds
+
+	if r.URL == "" {
+		return nil, status.Errorf(codes.InvalidArgument, "must specify URL")
+	}
+
+	_, err := s.db.CreateWriteRepositoryCredentials(ctx, r)
+	if status.Convert(err).Code() == codes.AlreadyExists {
+		// act idempotent if existing spec matches new spec
+		existing, getErr := s.db.GetWriteRepositoryCredentials(ctx, r.URL)
+		if getErr != nil {
+			return nil, status.Errorf(codes.Internal, "unable to check existing repository credentials details: %v", getErr)
+		}
+
+		if reflect.DeepEqual(existing, r) {
+			err = nil
+		} else if q.Upsert {
+			return s.UpdateWriteRepositoryCredentials(ctx, &repocredspkg.RepoCredsUpdateRequest{Creds: r})
+		} else {
+			return nil, status.Error(codes.InvalidArgument, argo.GenerateSpecIsDifferentErrorMessage("repository credentials", existing, r))
+		}
+	}
+	return &appsv1.RepoCreds{URL: r.URL}, err
+}
+
 // UpdateRepositoryCredentials updates a repository credential set
 func (s *Server) UpdateRepositoryCredentials(ctx context.Context, q *repocredspkg.RepoCredsUpdateRequest) (*appsv1.RepoCreds, error) {
 	if q.Creds == nil {
@@ -111,6 +169,18 @@ func (s *Server) UpdateRepositoryCredentials(ctx context.Context, q *repocredspk
 	return &appsv1.RepoCreds{URL: q.Creds.URL}, err
 }
 
+// UpdateWriteRepositoryCredentials updates a repository credential set
+func (s *Server) UpdateWriteRepositoryCredentials(ctx context.Context, q *repocredspkg.RepoCredsUpdateRequest) (*appsv1.RepoCreds, error) {
+	if q.Creds == nil {
+		return nil, status.Errorf(codes.InvalidArgument, "missing payload in request")
+	}
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionUpdate, q.Creds.URL); err != nil {
+		return nil, err
+	}
+	_, err := s.db.UpdateWriteRepositoryCredentials(ctx, q.Creds)
+	return &appsv1.RepoCreds{URL: q.Creds.URL}, err
+}
+
 // DeleteRepositoryCredentials removes a credential set from the configuration
 func (s *Server) DeleteRepositoryCredentials(ctx context.Context, q *repocredspkg.RepoCredsDeleteRequest) (*repocredspkg.RepoCredsResponse, error) {
 	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceRepositories, rbacpolicy.ActionDelete, q.Url); err != nil {
@@ -120,3 +190,13 @@ func (s *Server) DeleteRepositoryCredentials(ctx context.Context, q *repocredspk
 	err := s.db.DeleteRepositoryCredentials(ctx, q.Url)
 	return &repocredspkg.RepoCredsResponse{}, err
 }
+
+// DeleteWriteRepositoryCredentials removes a credential set from the configuration
+func (s *Server) DeleteWriteRepositoryCredentials(ctx context.Context, q *repocredspkg.RepoCredsDeleteRequest) (*repocredspkg.RepoCredsResponse, error) {
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionDelete, q.Url); err != nil {
+		return nil, err
+	}
+
+	err := s.db.DeleteWriteRepositoryCredentials(ctx, q.Url)
+	return &repocredspkg.RepoCredsResponse{}, err
+}

server/repocreds/repocreds.proto

@@ -43,6 +43,11 @@ service RepoCredsService {
 		option (google.api.http).get = "/api/v1/repocreds";
 	}
 
+	//ListWriteRepositoryCredentials gets a list of all configured repository credential sets that have write access
+	rpc ListWriteRepositoryCredentials(RepoCredsQuery) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.RepoCredsList) {
+		option (google.api.http).get = "/api/v1/write-repocreds";
+	}
+
 	// CreateRepositoryCredentials creates a new repository credential set
 	rpc CreateRepositoryCredentials(RepoCredsCreateRequest) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.RepoCreds) {
 		option (google.api.http) = {
@@ -51,6 +56,14 @@ service RepoCredsService {
 		};
 	}
 
+	// CreateWriteRepositoryCredentials creates a new repository credential set with write access
+	rpc CreateWriteRepositoryCredentials(RepoCredsCreateRequest) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.RepoCreds) {
+		option (google.api.http) = {
+			post: "/api/v1/write-repocreds"
+			body: "creds"
+		};
+	}
+
 	// UpdateRepositoryCredentials updates a repository credential set
 	rpc UpdateRepositoryCredentials(RepoCredsUpdateRequest) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.RepoCreds) {
 		option (google.api.http) = {
@@ -59,9 +72,21 @@ service RepoCredsService {
 		};
 	}
 
+	// UpdateWriteRepositoryCredentials updates a repository credential set with write access
+	rpc UpdateWriteRepositoryCredentials(RepoCredsUpdateRequest) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.RepoCreds) {
+		option (google.api.http) = {
+			put: "/api/v1/write-repocreds/{creds.url}"
+			body: "creds"
+		};
+	}
+
 	// DeleteRepositoryCredentials deletes a repository credential set from the configuration
 	rpc DeleteRepositoryCredentials(RepoCredsDeleteRequest) returns (RepoCredsResponse) {
 		option (google.api.http).delete = "/api/v1/repocreds/{url}";
 	}
 
+	// DeleteWriteRepositoryCredentials deletes a repository credential set with write access from the configuration
+	rpc DeleteWriteRepositoryCredentials(RepoCredsDeleteRequest) returns (RepoCredsResponse) {
+		option (google.api.http).delete = "/api/v1/write-repocreds/{url}";
+	}
 }

server/repository/repository.go

@@ -16,7 +16,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/tools/cache"
 
-	"github.com/argoproj/argo-cd/v2/common"
 	repositorypkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/repository"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -35,14 +34,15 @@ import (
 
 // Server provides a Repository service
 type Server struct {
-	db            db.ArgoDB
-	repoClientset apiclient.Clientset
-	enf           *rbac.Enforcer
-	cache         *servercache.Cache
-	appLister     applisters.ApplicationLister
-	projLister    cache.SharedIndexInformer
-	settings      *settings.SettingsManager
-	namespace     string
+	db              db.ArgoDB
+	repoClientset   apiclient.Clientset
+	enf             *rbac.Enforcer
+	cache           *servercache.Cache
+	appLister       applisters.ApplicationLister
+	projLister      cache.SharedIndexInformer
+	settings        *settings.SettingsManager
+	namespace       string
+	hydratorEnabled bool
 }
 
 // NewServer returns a new instance of the Repository service
@@ -55,16 +55,18 @@ func NewServer(
 	projLister cache.SharedIndexInformer,
 	namespace string,
 	settings *settings.SettingsManager,
+	hydratorEnabled bool,
 ) *Server {
 	return &Server{
-		db:            db,
-		repoClientset: repoClientset,
-		enf:           enf,
-		cache:         cache,
-		appLister:     appLister,
-		projLister:    projLister,
-		namespace:     namespace,
-		settings:      settings,
+		db:              db,
+		repoClientset:   repoClientset,
+		enf:             enf,
+		cache:           cache,
+		appLister:       appLister,
+		projLister:      projLister,
+		namespace:       namespace,
+		settings:        settings,
+		hydratorEnabled: hydratorEnabled,
 	}
 }
 
@@ -78,6 +80,14 @@ func (s *Server) getRepo(ctx context.Context, url, project string) (*appsv1.Repo
 	return repo, nil
 }
 
+func (s *Server) getWriteRepo(ctx context.Context, url, project string) (*appsv1.Repository, error) {
+	repo, err := s.db.GetWriteRepository(ctx, url, project)
+	if err != nil {
+		return nil, errPermissionDenied
+	}
+	return repo, nil
+}
+
 func createRBACObject(project string, repo string) string {
 	if project != "" {
 		return project + "/" + repo
@@ -138,7 +148,6 @@ func (s *Server) Get(ctx context.Context, q *repositorypkg.RepoQuery) (*appsv1.R
 		return nil, err
 	}
 
-	// getRepo does not return an error for unconfigured repositories, so we are checking here
 	exists, err := s.db.RepositoryExists(ctx, q.Repo, repo.Project)
 	if err != nil {
 		return nil, err
@@ -150,42 +159,75 @@ func (s *Server) Get(ctx context.Context, q *repositorypkg.RepoQuery) (*appsv1.R
 	return repo, nil
 }
 
+func (s *Server) GetWrite(ctx context.Context, q *repositorypkg.RepoQuery) (*appsv1.Repository, error) {
+	if !s.hydratorEnabled {
+		return nil, status.Error(codes.Unimplemented, "hydrator is disabled")
+	}
+
+	repo, err := getRepository(ctx, s.ListWriteRepositories, q)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionGet, createRBACObject(repo.Project, repo.Repo)); err != nil {
+		return nil, err
+	}
+
+	exists, err := s.db.WriteRepositoryExists(ctx, q.Repo, repo.Project)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, status.Errorf(codes.NotFound, "write repo '%s' not found", q.Repo)
+	}
+
+	return repo, nil
+}
+
 // ListRepositories returns a list of all configured repositories and the state of their connections
 func (s *Server) ListRepositories(ctx context.Context, q *repositorypkg.RepoQuery) (*appsv1.RepositoryList, error) {
 	repos, err := s.db.ListRepositories(ctx)
 	if err != nil {
 		return nil, err
 	}
+	items, err := s.prepareRepoList(ctx, rbacpolicy.ResourceRepositories, repos, q.ForceRefresh)
+	if err != nil {
+		return nil, err
+	}
+	return &appsv1.RepositoryList{Items: items}, nil
+}
+
+// ListWriteRepositories returns a list of all configured repositories where the user has write access and the state of
+// their connections
+func (s *Server) ListWriteRepositories(ctx context.Context, q *repositorypkg.RepoQuery) (*appsv1.RepositoryList, error) {
+	if !s.hydratorEnabled {
+		return nil, status.Error(codes.Unimplemented, "hydrator is disabled")
+	}
+
+	repos, err := s.db.ListWriteRepositories(ctx)
+	if err != nil {
+		return nil, err
+	}
+	items, err := s.prepareRepoList(ctx, rbacpolicy.ResourceWriteRepositories, repos, q.ForceRefresh)
+	if err != nil {
+		return nil, err
+	}
+	return &appsv1.RepositoryList{Items: items}, nil
+}
+
+// ListRepositoriesByAppProject returns a list of all configured repositories and the state of their connections. It
+// normalizes, sanitizes, and filters out repositories that the user does not have access to in the specified project.
+// It also sorts the repositories by project and repo name.
+func (s *Server) prepareRepoList(ctx context.Context, resourceType string, repos []*appsv1.Repository, forceRefresh bool) (appsv1.Repositories, error) {
 	items := appsv1.Repositories{}
 	for _, repo := range repos {
-		if s.enf.Enforce(ctx.Value("claims"), rbacpolicy.ResourceRepositories, rbacpolicy.ActionGet, createRBACObject(repo.Project, repo.Repo)) {
-			// For backwards compatibility, if we have no repo type set assume a default
-			rType := repo.Type
-			if rType == "" {
-				rType = common.DefaultRepoType
-			}
-			// remove secrets
-			items = append(items, &appsv1.Repository{
-				Repo:                       repo.Repo,
-				Type:                       rType,
-				Name:                       repo.Name,
-				Username:                   repo.Username,
-				Insecure:                   repo.IsInsecure(),
-				EnableLFS:                  repo.EnableLFS,
-				EnableOCI:                  repo.EnableOCI,
-				Proxy:                      repo.Proxy,
-				NoProxy:                    repo.NoProxy,
-				Project:                    repo.Project,
-				ForceHttpBasicAuth:         repo.ForceHttpBasicAuth,
-				InheritedCreds:             repo.InheritedCreds,
-				GithubAppId:                repo.GithubAppId,
-				GithubAppInstallationId:    repo.GithubAppInstallationId,
-				GitHubAppEnterpriseBaseURL: repo.GitHubAppEnterpriseBaseURL,
-			})
-		}
+		items = append(items, repo.Normalize().Sanitized())
 	}
-	err = kube.RunAllAsync(len(items), func(i int) error {
-		items[i].ConnectionState = s.getConnectionState(ctx, items[i].Repo, items[i].Project, q.ForceRefresh)
+	items = items.Filter(func(r *appsv1.Repository) bool {
+		return s.enf.Enforce(ctx.Value("claims"), resourceType, rbacpolicy.ActionGet, createRBACObject(r.Project, r.Repo))
+	})
+	err := kube.RunAllAsync(len(items), func(i int) error {
+		items[i].ConnectionState = s.getConnectionState(ctx, items[i].Repo, items[i].Project, forceRefresh)
 		return nil
 	})
 	if err != nil {
@@ -196,7 +238,7 @@ func (s *Server) ListRepositories(ctx context.Context, q *repositorypkg.RepoQuer
 		second := items[j]
 		return strings.Compare(fmt.Sprintf("%s/%s", first.Project, first.Repo), fmt.Sprintf("%s/%s", second.Project, second.Repo)) < 0
 	})
-	return &appsv1.RepositoryList{Items: items}, nil
+	return items, nil
 }
 
 func (s *Server) ListRefs(ctx context.Context, q *repositorypkg.RepoQuery) (*apiclient.Refs, error) {
@@ -422,7 +464,7 @@ func (s *Server) CreateRepository(ctx context.Context, q *repositorypkg.RepoCrea
 			repo, err = existing, nil
 		} else if q.Upsert {
 			r.Project = q.Repo.Project
-			return s.UpdateRepository(ctx, &repositorypkg.RepoUpdateRequest{Repo: r})
+			return s.db.UpdateRepository(ctx, r)
 		} else {
 			return nil, status.Error(codes.InvalidArgument, argo.GenerateSpecIsDifferentErrorMessage("repository", existing, r))
 		}
@@ -433,6 +475,50 @@ func (s *Server) CreateRepository(ctx context.Context, q *repositorypkg.RepoCrea
 	return &appsv1.Repository{Repo: repo.Repo, Type: repo.Type, Name: repo.Name}, nil
 }
 
+// CreateWriteRepository creates a repository configuration with write credentials
+func (s *Server) CreateWriteRepository(ctx context.Context, q *repositorypkg.RepoCreateRequest) (*appsv1.Repository, error) {
+	if !s.hydratorEnabled {
+		return nil, status.Error(codes.Unimplemented, "hydrator is disabled")
+	}
+
+	if q.Repo == nil {
+		return nil, status.Errorf(codes.InvalidArgument, "missing payload in request")
+	}
+
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionCreate, createRBACObject(q.Repo.Project, q.Repo.Repo)); err != nil {
+		return nil, err
+	}
+
+	if !q.Repo.HasCredentials() {
+		return nil, status.Errorf(codes.InvalidArgument, "missing credentials in request")
+	}
+
+	err := s.testRepo(ctx, q.Repo)
+	if err != nil {
+		return nil, err
+	}
+
+	repo, err := s.db.CreateWriteRepository(ctx, q.Repo)
+	if status.Convert(err).Code() == codes.AlreadyExists {
+		// act idempotent if existing spec matches new spec
+		existing, getErr := s.db.GetWriteRepository(ctx, q.Repo.Repo, q.Repo.Project)
+		if getErr != nil {
+			return nil, status.Errorf(codes.Internal, "unable to check existing repository details: %v", getErr)
+		}
+		if reflect.DeepEqual(existing, q.Repo) {
+			repo, err = existing, nil
+		} else if q.Upsert {
+			return s.db.UpdateWriteRepository(ctx, q.Repo)
+		} else {
+			return nil, status.Error(codes.InvalidArgument, argo.GenerateSpecIsDifferentErrorMessage("write repository", existing, q.Repo))
+		}
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &appsv1.Repository{Repo: repo.Repo, Type: repo.Type, Name: repo.Name}, nil
+}
+
 // Update updates a repository or credential set
 // Deprecated: Use UpdateRepository() instead
 func (s *Server) Update(ctx context.Context, q *repositorypkg.RepoUpdateRequest) (*appsv1.Repository, error) {
@@ -462,6 +548,33 @@ func (s *Server) UpdateRepository(ctx context.Context, q *repositorypkg.RepoUpda
 	return &appsv1.Repository{Repo: q.Repo.Repo, Type: q.Repo.Type, Name: q.Repo.Name}, err
 }
 
+// UpdateWriteRepository updates a repository configuration with write credentials
+func (s *Server) UpdateWriteRepository(ctx context.Context, q *repositorypkg.RepoUpdateRequest) (*appsv1.Repository, error) {
+	if !s.hydratorEnabled {
+		return nil, status.Error(codes.Unimplemented, "hydrator is disabled")
+	}
+
+	if q.Repo == nil {
+		return nil, status.Errorf(codes.InvalidArgument, "missing payload in request")
+	}
+
+	repo, err := s.getWriteRepo(ctx, q.Repo.Repo, q.Repo.Project)
+	if err != nil {
+		return nil, err
+	}
+
+	// verify that user can do update inside project where repository is located
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionUpdate, createRBACObject(repo.Project, repo.Repo)); err != nil {
+		return nil, err
+	}
+	// verify that user can do update inside project where repository will be located
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionUpdate, createRBACObject(q.Repo.Project, q.Repo.Repo)); err != nil {
+		return nil, err
+	}
+	_, err = s.db.UpdateWriteRepository(ctx, q.Repo)
+	return &appsv1.Repository{Repo: q.Repo.Repo, Type: q.Repo.Type, Name: q.Repo.Name}, err
+}
+
 // Delete removes a repository from the configuration
 // Deprecated: Use DeleteRepository() instead
 func (s *Server) Delete(ctx context.Context, q *repositorypkg.RepoQuery) (*repositorypkg.RepoResponse, error) {
@@ -488,6 +601,25 @@ func (s *Server) DeleteRepository(ctx context.Context, q *repositorypkg.RepoQuer
 	return &repositorypkg.RepoResponse{}, err
 }
 
+// DeleteWriteRepository removes a repository from the configuration
+func (s *Server) DeleteWriteRepository(ctx context.Context, q *repositorypkg.RepoQuery) (*repositorypkg.RepoResponse, error) {
+	if !s.hydratorEnabled {
+		return nil, status.Error(codes.Unimplemented, "hydrator is disabled")
+	}
+
+	repo, err := getRepository(ctx, s.ListWriteRepositories, q)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionDelete, createRBACObject(repo.Project, repo.Repo)); err != nil {
+		return nil, err
+	}
+
+	err = s.db.DeleteWriteRepository(ctx, repo.Repo, repo.Project)
+	return &repositorypkg.RepoResponse{}, err
+}
+
 // getRepository fetches a single repository which the user has access to. If only one repository can be found which
 // matches the same URL, that will be returned (this is for backward compatibility reasons). If multiple repositories
 // are matched, a repository is only returned if it matches the app project of the incoming request.
@@ -571,10 +703,47 @@ func (s *Server) ValidateAccess(ctx context.Context, q *repositorypkg.RepoAccess
 	return &repositorypkg.RepoResponse{}, nil
 }
 
+// ValidateWriteAccess checks whether write access to a repository is possible with the
+// given URL and credentials.
+func (s *Server) ValidateWriteAccess(ctx context.Context, q *repositorypkg.RepoAccessQuery) (*repositorypkg.RepoResponse, error) {
+	if !s.hydratorEnabled {
+		return nil, status.Error(codes.Unimplemented, "hydrator is disabled")
+	}
+
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceWriteRepositories, rbacpolicy.ActionCreate, createRBACObject(q.Project, q.Repo)); err != nil {
+		return nil, err
+	}
+
+	repo := &appsv1.Repository{
+		Repo:                       q.Repo,
+		Type:                       q.Type,
+		Name:                       q.Name,
+		Username:                   q.Username,
+		Password:                   q.Password,
+		SSHPrivateKey:              q.SshPrivateKey,
+		Insecure:                   q.Insecure,
+		TLSClientCertData:          q.TlsClientCertData,
+		TLSClientCertKey:           q.TlsClientCertKey,
+		EnableOCI:                  q.EnableOci,
+		GithubAppPrivateKey:        q.GithubAppPrivateKey,
+		GithubAppId:                q.GithubAppID,
+		GithubAppInstallationId:    q.GithubAppInstallationID,
+		GitHubAppEnterpriseBaseURL: q.GithubAppEnterpriseBaseUrl,
+		Proxy:                      q.Proxy,
+		GCPServiceAccountKey:       q.GcpServiceAccountKey,
+	}
+
+	err := s.testRepo(ctx, repo)
+	if err != nil {
+		return nil, err
+	}
+	return &repositorypkg.RepoResponse{}, nil
+}
+
 func (s *Server) testRepo(ctx context.Context, repo *appsv1.Repository) error {
 	conn, repoClient, err := s.repoClientset.NewRepoServerClient()
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to connect to repo-server: %w", err)
 	}
 	defer io.Close(conn)
 

server/repository/repository.proto

@@ -116,16 +116,26 @@ service RepositoryService {
 		option deprecated = true;
 	}
 
-		// Get returns a repository or its credentials
+	// Get returns a repository or its credentials
 	rpc Get(RepoQuery) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.Repository) {
 		option (google.api.http).get = "/api/v1/repositories/{repo}";
 	}
 
+	// GetWrite returns a repository or its write credentials
+	rpc GetWrite(RepoQuery) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.Repository) {
+		option (google.api.http).get = "/api/v1/write-repositories/{repo}";
+	}
+
 	// ListRepositories gets a list of all configured repositories
 	rpc ListRepositories(RepoQuery) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.RepositoryList) {
 		option (google.api.http).get = "/api/v1/repositories";
 	}
 
+	// ListWriteRepositories gets a list of all configured write repositories
+	rpc ListWriteRepositories(RepoQuery) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.RepositoryList) {
+		option (google.api.http).get = "/api/v1/write-repositories";
+	}
+
 	rpc ListRefs(RepoQuery) returns (Refs) {
 		option (google.api.http).get = "/api/v1/repositories/{repo}/refs";
 	}
@@ -165,6 +175,14 @@ service RepositoryService {
 		};
 	}
 
+	// CreateWriteRepository creates a new write repository configuration
+	rpc CreateWriteRepository(RepoCreateRequest) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.Repository) {
+		option (google.api.http) = {
+			post: "/api/v1/write-repositories"
+			body: "repo"
+		};
+	}
+
 	// Update updates a repo or repo credential set
 	rpc Update(RepoUpdateRequest) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.Repository) {
 		option (google.api.http) = {
@@ -182,6 +200,14 @@ service RepositoryService {
 		};
 	}
 
+	// UpdateWriteRepository updates a write repository configuration
+	rpc UpdateWriteRepository(RepoUpdateRequest) returns (github.com.argoproj.argo_cd.v2.pkg.apis.application.v1alpha1.Repository) {
+		option (google.api.http) = {
+			put: "/api/v1/write-repositories/{repo.repo}"
+			body: "repo"
+		};
+	}
+
 	// Delete deletes a repository from the configuration
 	rpc Delete(RepoQuery) returns (RepoResponse) {
 		option (google.api.http).delete = "/api/v1/repositories/{repo}";
@@ -193,6 +219,11 @@ service RepositoryService {
 		option (google.api.http).delete = "/api/v1/repositories/{repo}";
 	}
 
+	// DeleteWriteRepository deletes a write repository from the configuration
+	rpc DeleteWriteRepository(RepoQuery) returns (RepoResponse) {
+		option (google.api.http).delete = "/api/v1/write-repositories/{repo}";
+	}
+
 	// ValidateAccess validates access to a repository with given parameters
 	rpc ValidateAccess(RepoAccessQuery) returns (RepoResponse) {
 		option (google.api.http) = {
@@ -200,4 +231,12 @@ service RepositoryService {
 			body: "repo"
 		};
 	}
+
+	// ValidateWriteAccess validates write access to a repository with given parameters
+	rpc ValidateWriteAccess(RepoAccessQuery) returns (RepoResponse) {
+		option (google.api.http) = {
+			post: "/api/v1/write-repositories/{repo}/validate"
+			body: "repo"
+		};
+	}
 }

server/repository/repository_test.go

@@ -267,7 +267,7 @@ func TestRepositoryServer(t *testing.T) {
 		repoServerClient := mocks.RepoServerServiceClient{}
 		repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
 
-		s := NewServer(&repoServerClientset, argoDB, enforcer, nil, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, argoDB, enforcer, nil, appLister, projInformer, testNamespace, settingsMgr, false)
 		url := "https://test"
 		repo, _ := s.getRepo(context.TODO(), url, "")
 		assert.Equal(t, repo.Repo, url)
@@ -278,7 +278,7 @@ func TestRepositoryServer(t *testing.T) {
 		repoServerClient.On("TestRepository", mock.Anything, mock.Anything).Return(&apiclient.TestRepositoryResponse{}, nil)
 		repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
 
-		s := NewServer(&repoServerClientset, argoDB, enforcer, nil, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, argoDB, enforcer, nil, appLister, projInformer, testNamespace, settingsMgr, false)
 		url := "https://test"
 		_, err := s.ValidateAccess(context.TODO(), &repository.RepoAccessQuery{
 			Repo: url,
@@ -297,7 +297,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "").Return(&appsv1.Repository{Repo: url}, nil)
 		db.On("RepositoryExists", context.TODO(), url, "").Return(true, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -322,7 +322,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "").Return(testRepo, nil)
 		db.On("RepositoryExists", context.TODO(), url, "").Return(true, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -343,7 +343,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "").Return(nil, errors.New("some error"))
 		db.On("RepositoryExists", context.TODO(), url, "").Return(true, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -362,7 +362,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "").Return(&appsv1.Repository{Repo: url}, nil)
 		db.On("RepositoryExists", context.TODO(), url, "").Return(false, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -381,7 +381,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "").Return(&appsv1.Repository{Repo: url, Username: "test", Password: "it's a secret"}, nil)
 		db.On("RepositoryExists", context.TODO(), url, "").Return(true, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -404,7 +404,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "").Return(&appsv1.Repository{Repo: url, Username: "test"}, nil)
 		db.On("RepositoryExists", context.TODO(), url, "").Return(true, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -426,7 +426,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "").Return(&appsv1.Repository{Repo: url}, nil)
 		db.On("RepositoryExists", context.TODO(), url, "").Return(true, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -447,7 +447,7 @@ func TestRepositoryServer(t *testing.T) {
 			Project: "proj",
 		}, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		repo, err := s.CreateRepository(context.TODO(), &repository.RepoCreateRequest{
 			Repo: &appsv1.Repository{
 				Repo:     "test",
@@ -463,24 +463,27 @@ func TestRepositoryServer(t *testing.T) {
 		repoServerClient.On("TestRepository", mock.Anything, mock.Anything).Return(&apiclient.TestRepositoryResponse{}, nil)
 		repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
 
+		r := &appsv1.Repository{
+			Repo:     "test",
+			Username: "test",
+		}
+
 		db := &dbmocks.ArgoDB{}
 		db.On("GetRepository", context.TODO(), "test", "").Return(&appsv1.Repository{
 			Repo:     "test",
 			Username: "test",
 		}, nil)
 		db.On("CreateRepository", context.TODO(), mock.Anything).Return(nil, status.Errorf(codes.AlreadyExists, "repository already exists"))
-		db.On("UpdateRepository", context.TODO(), mock.Anything).Return(nil, nil)
+		db.On("UpdateRepository", context.TODO(), mock.Anything).Return(r, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		repo, err := s.CreateRepository(context.TODO(), &repository.RepoCreateRequest{
-			Repo: &appsv1.Repository{
-				Repo:     "test",
-				Username: "test",
-			},
+			Repo:   r,
 			Upsert: true,
 		})
 
 		require.NoError(t, err)
+		require.NotNil(t, repo)
 		assert.Equal(t, "test", repo.Repo)
 	})
 
@@ -496,7 +499,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("ListHelmRepositories", context.TODO(), mock.Anything).Return(nil, nil)
 		db.On("ListRepositories", context.TODO()).Return([]*appsv1.Repository{&fakeRepo, &fakeRepo}, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr, false)
 		resp, err := s.ListRepositories(context.TODO(), &repository.RepoQuery{})
 		require.NoError(t, err)
 		assert.Len(t, resp.Items, 2)
@@ -518,7 +521,7 @@ func TestRepositoryServerListApps(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "default").Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.ListApps(context.TODO(), &repository.RepoAppsQuery{
 			Repo:       "https://test",
 			Revision:   "HEAD",
@@ -547,7 +550,7 @@ func TestRepositoryServerListApps(t *testing.T) {
 			},
 		}, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.ListApps(context.TODO(), &repository.RepoAppsQuery{
 			Repo:       "https://test",
 			Revision:   "HEAD",
@@ -555,7 +558,7 @@ func TestRepositoryServerListApps(t *testing.T) {
 			AppProject: "default",
 		})
 		require.NoError(t, err)
-		assert.Len(t, resp.Items, 1)
+		require.Len(t, resp.Items, 1)
 		assert.Equal(t, "path/to/dir", resp.Items[0].Path)
 		assert.Equal(t, "Kustomize", resp.Items[0].Type)
 	})
@@ -578,7 +581,7 @@ func TestRepositoryServerListApps(t *testing.T) {
 			},
 		}, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.ListApps(context.TODO(), &repository.RepoAppsQuery{
 			Repo:       "https://test",
 			Revision:   "HEAD",
@@ -605,7 +608,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "default").Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -628,7 +631,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "default").Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -650,7 +653,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "default").Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -676,7 +679,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		repoServerClient.On("GetAppDetails", context.TODO(), mock.Anything).Return(&expectedResp, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -701,7 +704,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		repoServerClient.On("GetAppDetails", context.TODO(), mock.Anything).Return(&expectedResp, nil)
 		appLister, projLister := newAppAndProjLister(defaultProjNoSources)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -727,7 +730,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		repoServerClient.On("GetAppDetails", context.TODO(), mock.Anything).Return(&expectedResp, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj, guestbookApp)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:     guestbookApp.Spec.GetSourcePtrByIndex(0),
 			AppName:    "guestbook",
@@ -752,7 +755,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		repoServerClient.On("GetAppDetails", context.TODO(), mock.Anything).Return(&expectedResp, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj, multiSourceApp001)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		sources := multiSourceApp001.Spec.GetSources()
 		assert.Len(t, sources, 2)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
@@ -793,7 +796,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		repoServerClient.On("GetAppDetails", context.TODO(), mock.MatchedBy(func(req *apiclient.RepoServerAppDetailsQuery) bool { return req.Source.RepoURL == url1 })).Return(&expectedResp1, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj, multiSourceApp002)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		sources := multiSourceApp002.Spec.GetSources()
 		assert.Len(t, sources, 2)
 
@@ -825,7 +828,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url, "mismatch").Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj, guestbookApp)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:     guestbookApp.Spec.GetSourcePtrByIndex(0),
 			AppName:    "guestbook",
@@ -846,7 +849,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		differentSource := guestbookApp.Spec.Source.DeepCopy()
 		differentSource.Helm.ValueFiles = []string{"/etc/passwd"}
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:     differentSource,
 			AppName:    "guestbook",
@@ -872,7 +875,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		previousSource := guestbookApp.Status.History[0].Source.DeepCopy()
 		previousSource.TargetRevision = guestbookApp.Status.History[0].Revision
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:     previousSource,
 			AppName:    "guestbook",
@@ -901,7 +904,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		differentSource := multiSourceApp001.Spec.Sources[0].DeepCopy()
 		differentSource.Helm.ValueFiles = []string{"/etc/passwd"}
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:      differentSource,
 			AppName:     multiSourceApp001AppName,
@@ -929,7 +932,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		previousSource := multiSourceApp001.Status.History[0].Sources[0].DeepCopy()
 		previousSource.TargetRevision = multiSourceApp001.Status.History[0].Revisions[0]
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:      previousSource,
 			AppName:     multiSourceApp001AppName,
@@ -1148,7 +1151,7 @@ func TestDeleteRepository(t *testing.T) {
 			db.On("GetRepository", context.TODO(), repo, "default").Return(&appsv1.Repository{Repo: repo, Project: "default"}, nil)
 			appLister, projLister := newAppAndProjLister(defaultProj)
 
-			s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
+			s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr, false)
 			resp, err := s.DeleteRepository(context.TODO(), &repository.RepoQuery{Repo: repo, AppProject: "default"})
 			require.NoError(t, err)
 			assert.Equal(t, repositorypkg.RepoResponse{}, *resp)

server/server.go

@@ -237,6 +237,7 @@ type ArgoCDServerOpts struct {
 	EnableProxyExtension    bool
 	WebhookParallelism      int
 	EnableK8sEvent          []string
+	HydratorEnabled         bool
 }
 
 type ApplicationSetOpts struct {
@@ -892,19 +893,24 @@ func (a *ArgoCDServer) newGRPCServer() (*grpc.Server, application.AppResourceTre
 		),
 	}
 	sensitiveMethods := map[string]bool{
-		"/cluster.ClusterService/Create":                          true,
-		"/cluster.ClusterService/Update":                          true,
-		"/session.SessionService/Create":                          true,
-		"/account.AccountService/UpdatePassword":                  true,
-		"/gpgkey.GPGKeyService/CreateGnuPGPublicKey":              true,
-		"/repository.RepositoryService/Create":                    true,
-		"/repository.RepositoryService/Update":                    true,
-		"/repository.RepositoryService/CreateRepository":          true,
-		"/repository.RepositoryService/UpdateRepository":          true,
-		"/repository.RepositoryService/ValidateAccess":            true,
-		"/repocreds.RepoCredsService/CreateRepositoryCredentials": true,
-		"/repocreds.RepoCredsService/UpdateRepositoryCredentials": true,
-		"/application.ApplicationService/PatchResource":           true,
+		"/cluster.ClusterService/Create":                               true,
+		"/cluster.ClusterService/Update":                               true,
+		"/session.SessionService/Create":                               true,
+		"/account.AccountService/UpdatePassword":                       true,
+		"/gpgkey.GPGKeyService/CreateGnuPGPublicKey":                   true,
+		"/repository.RepositoryService/Create":                         true,
+		"/repository.RepositoryService/Update":                         true,
+		"/repository.RepositoryService/CreateRepository":               true,
+		"/repository.RepositoryService/UpdateRepository":               true,
+		"/repository.RepositoryService/ValidateAccess":                 true,
+		"/repocreds.RepoCredsService/CreateRepositoryCredentials":      true,
+		"/repocreds.RepoCredsService/UpdateRepositoryCredentials":      true,
+		"/repository.RepositoryService/CreateWriteRepository":          true,
+		"/repository.RepositoryService/UpdateWriteRepository":          true,
+		"/repository.RepositoryService/ValidateWriteAccess":            true,
+		"/repocreds.RepoCredsService/CreateWriteRepositoryCredentials": true,
+		"/repocreds.RepoCredsService/UpdateWriteRepositoryCredentials": true,
+		"/application.ApplicationService/PatchResource":                true,
 		// Remove from logs both because the contents are sensitive and because they may be very large.
 		"/application.ApplicationService/GetManifestsWithFiles": true,
 	}
@@ -979,7 +985,7 @@ type ArgoCDServiceSet struct {
 func newArgoCDServiceSet(a *ArgoCDServer) *ArgoCDServiceSet {
 	kubectl := kubeutil.NewKubectl()
 	clusterService := cluster.NewServer(a.db, a.enf, a.Cache, kubectl)
-	repoService := repository.NewServer(a.RepoClientset, a.db, a.enf, a.Cache, a.appLister, a.projInformer, a.Namespace, a.settingsMgr)
+	repoService := repository.NewServer(a.RepoClientset, a.db, a.enf, a.Cache, a.appLister, a.projInformer, a.Namespace, a.settingsMgr, a.HydratorEnabled)
 	repoCredsService := repocreds.NewServer(a.RepoClientset, a.db, a.enf, a.settingsMgr)
 	var loginRateLimiter func() (io.Closer, error)
 	if maxConcurrentLoginRequestsCount > 0 {
@@ -1031,7 +1037,7 @@ func newArgoCDServiceSet(a *ArgoCDServer) *ArgoCDServiceSet {
 
 	projectService := project.NewServer(a.Namespace, a.KubeClientset, a.AppClientset, a.enf, projectLock, a.sessionMgr, a.policyEnforcer, a.projInformer, a.settingsMgr, a.db, a.EnableK8sEvent)
 	appsInAnyNamespaceEnabled := len(a.ArgoCDServerOpts.ApplicationNamespaces) > 0
-	settingsService := settings.NewServer(a.settingsMgr, a.RepoClientset, a, a.DisableAuth, appsInAnyNamespaceEnabled)
+	settingsService := settings.NewServer(a.settingsMgr, a.RepoClientset, a, a.DisableAuth, appsInAnyNamespaceEnabled, a.HydratorEnabled)
 	accountService := account.NewServer(a.sessionMgr, a.settingsMgr, a.enf)
 
 	notificationService := notification.NewServer(a.apiFactory)

server/settings/settings.go

@@ -24,6 +24,7 @@ type Server struct {
 	authenticator             Authenticator
 	disableAuth               bool
 	appsInAnyNamespaceEnabled bool
+	hydratorEnabled           bool
 }
 
 type Authenticator interface {
@@ -31,8 +32,8 @@ type Authenticator interface {
 }
 
 // NewServer returns a new instance of the Settings service
-func NewServer(mgr *settings.SettingsManager, repoClient apiclient.Clientset, authenticator Authenticator, disableAuth, appsInAnyNamespaceEnabled bool) *Server {
-	return &Server{mgr: mgr, repoClient: repoClient, authenticator: authenticator, disableAuth: disableAuth, appsInAnyNamespaceEnabled: appsInAnyNamespaceEnabled}
+func NewServer(mgr *settings.SettingsManager, repoClient apiclient.Clientset, authenticator Authenticator, disableAuth, appsInAnyNamespaceEnabled bool, hydratorEnabled bool) *Server {
+	return &Server{mgr: mgr, repoClient: repoClient, authenticator: authenticator, disableAuth: disableAuth, appsInAnyNamespaceEnabled: appsInAnyNamespaceEnabled, hydratorEnabled: hydratorEnabled}
 }
 
 // Get returns Argo CD settings
@@ -114,6 +115,7 @@ func (s *Server) Get(ctx context.Context, q *settingspkg.SettingsQuery) (*settin
 		ExecEnabled:               argoCDSettings.ExecEnabled,
 		AppsInAnyNamespaceEnabled: s.appsInAnyNamespaceEnabled,
 		ImpersonationEnabled:      argoCDSettings.ImpersonationEnabled,
+		HydratorEnabled:           s.hydratorEnabled,
 	}
 
 	if sessionmgr.LoggedIn(ctx) || s.disableAuth {

server/settings/settings.proto

@@ -45,6 +45,7 @@ message Settings {
     bool impersonationEnabled = 25;
     string installationID = 26;
     repeated string additionalUrls = 27 [(gogoproto.customname) = "AdditionalURLs"];
+    bool hydratorEnabled = 28;
 }
 
 message GoogleAnalyticsConfig {

test/e2e/fixture/app/actions.go

@@ -224,9 +224,14 @@ func (a *Actions) prepareCreateAppArgs(args []string) []string {
 	a.context.t.Helper()
 	args = append([]string{
 		"app", "create", a.context.AppQualifiedName(),
-		"--repo", fixture.RepoURL(a.context.repoURLType),
 	}, args...)
 
+	if a.context.drySourceRevision != "" || a.context.drySourcePath != "" || a.context.syncSourcePath != "" || a.context.syncSourceBranch != "" || a.context.hydrateToBranch != "" {
+		args = append(args, "--dry-source-repo", fixture.RepoURL(a.context.repoURLType))
+	} else {
+		args = append(args, "--repo", fixture.RepoURL(a.context.repoURLType))
+	}
+
 	if a.context.destName != "" && a.context.isDestServerInferred && !slices.Contains(args, "--dest-server") {
 		args = append(args, "--dest-name", a.context.destName)
 	} else {
@@ -236,6 +241,26 @@ func (a *Actions) prepareCreateAppArgs(args []string) []string {
 		args = append(args, "--path", a.context.path)
 	}
 
+	if a.context.drySourceRevision != "" {
+		args = append(args, "--dry-source-revision", a.context.drySourceRevision)
+	}
+
+	if a.context.drySourcePath != "" {
+		args = append(args, "--dry-source-path", a.context.drySourcePath)
+	}
+
+	if a.context.syncSourceBranch != "" {
+		args = append(args, "--sync-source-branch", a.context.syncSourceBranch)
+	}
+
+	if a.context.syncSourcePath != "" {
+		args = append(args, "--sync-source-path", a.context.syncSourcePath)
+	}
+
+	if a.context.hydrateToBranch != "" {
+		args = append(args, "--hydrate-to-branch", a.context.hydrateToBranch)
+	}
+
 	if a.context.chart != "" {
 		args = append(args, "--helm-chart", a.context.chart)
 	}

test/e2e/fixture/app/context.go

@@ -49,6 +49,11 @@ type Context struct {
 	helmSkipTests            bool
 	trackingMethod           v1alpha1.TrackingMethod
 	sources                  []v1alpha1.ApplicationSource
+	drySourceRevision        string
+	drySourcePath            string
+	syncSourceBranch         string
+	syncSourcePath           string
+	hydrateToBranch          string
 }
 
 type ContextArgs struct {
@@ -243,6 +248,31 @@ func (c *Context) Path(path string) *Context {
 	return c
 }
 
+func (c *Context) DrySourceRevision(revision string) *Context {
+	c.drySourceRevision = revision
+	return c
+}
+
+func (c *Context) DrySourcePath(path string) *Context {
+	c.drySourcePath = path
+	return c
+}
+
+func (c *Context) SyncSourceBranch(branch string) *Context {
+	c.syncSourceBranch = branch
+	return c
+}
+
+func (c *Context) SyncSourcePath(path string) *Context {
+	c.syncSourcePath = path
+	return c
+}
+
+func (c *Context) HydrateToBranch(branch string) *Context {
+	c.hydrateToBranch = branch
+	return c
+}
+
 func (c *Context) Recurse() *Context {
 	c.directoryRecurse = true
 	return c

test/e2e/hydrator_test.go

@@ -0,0 +1,102 @@
+package e2e
+
+import (
+	"testing"
+
+	. "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	. "github.com/argoproj/argo-cd/v2/test/e2e/fixture/app"
+
+	. "github.com/argoproj/gitops-engine/pkg/sync/common"
+)
+
+func TestSimpleHydrator(t *testing.T) {
+	Given(t).
+		DrySourcePath("guestbook").
+		DrySourceRevision("HEAD").
+		SyncSourcePath("guestbook").
+		SyncSourceBranch("env/test").
+		When().
+		CreateApp().
+		Refresh(RefreshTypeNormal).
+		Wait("--hydrated").
+		Sync().
+		Then().
+		Expect(OperationPhaseIs(OperationSucceeded)).
+		Expect(SyncStatusIs(SyncStatusCodeSynced))
+}
+
+func TestHydrateTo(t *testing.T) {
+	Given(t).
+		DrySourcePath("guestbook").
+		DrySourceRevision("HEAD").
+		SyncSourcePath("guestbook").
+		SyncSourceBranch("env/test").
+		HydrateToBranch("env/test-next").
+		When().
+		CreateApp().
+		Refresh(RefreshTypeNormal).
+		Wait("--hydrated").
+		Then().
+		Given().
+		// Async so we don't fail immediately on the error
+		Async(true).
+		When().
+		Sync().
+		Wait("--operation").
+		Then().
+		// Fails because we hydrated to env/test-next but not to env/test.
+		Expect(OperationPhaseIs(OperationError)).
+		When().
+		// Will now hydrate to the sync source branch.
+		AppSet("--hydrate-to-branch", "").
+		Refresh(RefreshTypeNormal).
+		Wait("--hydrated").
+		Sync().
+		Wait("--operation").
+		Then().
+		Expect(OperationPhaseIs(OperationSucceeded)).
+		Expect(SyncStatusIs(SyncStatusCodeSynced))
+}
+
+func TestAddingApp(t *testing.T) {
+	// Make sure that if we add another app targeting the same sync branch, it hydrates correctly.
+	Given(t).
+		Name("test-adding-app-1").
+		DrySourcePath("guestbook").
+		DrySourceRevision("HEAD").
+		SyncSourcePath("guestbook-1").
+		SyncSourceBranch("env/test").
+		When().
+		CreateApp().
+		Refresh(RefreshTypeNormal).
+		Wait("--hydrated").
+		Sync().
+		Then().
+		Expect(OperationPhaseIs(OperationSucceeded)).
+		Expect(SyncStatusIs(SyncStatusCodeSynced)).
+		Given().
+		Name("test-adding-app-2").
+		DrySourcePath("guestbook").
+		DrySourceRevision("HEAD").
+		SyncSourcePath("guestbook-2").
+		SyncSourceBranch("env/test").
+		When().
+		CreateApp().
+		Refresh(RefreshTypeNormal).
+		Wait("--hydrated").
+		Sync().
+		Then().
+		Expect(OperationPhaseIs(OperationSucceeded)).
+		Expect(SyncStatusIs(SyncStatusCodeSynced)).
+		// Clean up the apps manually since we used custom names.
+		When().
+		Delete(true).
+		Then().
+		Expect(DoesNotExist()).
+		Given().
+		Name("test-adding-app-1").
+		When().
+		Delete(true).
+		Then().
+		Expect(DoesNotExist())
+}

ui/src/app/applications/components/application-details/application-details.tsx

@@ -31,6 +31,7 @@ import {useSidebarTarget} from '../../../sidebar/sidebar';
 
 import './application-details.scss';
 import {TopBarActionMenuExt, AppViewExtension, StatusPanelExtension} from '../../../shared/services/extensions-service';
+import {ApplicationHydrateOperationState} from '../application-hydrate-operation-state/application-hydrate-operation-state';
 
 interface ApplicationDetailsState {
     page: number;
@@ -140,6 +141,10 @@ export class ApplicationDetails extends React.Component<RouteComponentProps<{app
         return {extensions, extensionsMap, statusExtensions, statusExtensionsMap, topBarActionMenuExts, topBarActionMenuExtsMap};
     };
 
+    private get showHydrateOperationState() {
+        return new URLSearchParams(this.props.history.location.search).get('hydrateOperation') === 'true';
+    }
+
     private get showOperationState() {
         return new URLSearchParams(this.props.history.location.search).get('operation') === 'true';
     }
@@ -479,6 +484,7 @@ export class ApplicationDetails extends React.Component<RouteComponentProps<{app
                             const isAppSelected = selectedItem === application;
                             const selectedNode = !isAppSelected && (selectedItem as appModels.ResourceNode);
                             const operationState = application.status.operationState;
+                            const hydrateOperationState = application.status.sourceHydrator.currentOperation;
                             const conditions = application.status.conditions || [];
                             const syncResourceKey = new URLSearchParams(this.props.history.location.search).get('deploy');
                             const tab = new URLSearchParams(this.props.history.location.search).get('tab');
@@ -673,6 +679,7 @@ export class ApplicationDetails extends React.Component<RouteComponentProps<{app
                                                     application={application}
                                                     showDiff={() => this.selectNode(appFullName, 0, 'diff')}
                                                     showOperation={() => this.setOperationStatusVisible(true)}
+                                                    showHydrateOperation={() => this.setHydrateOperationStatusVisible(true)}
                                                     showConditions={() => this.setConditionsStatusVisible(true)}
                                                     showExtension={id => this.setExtensionPanelVisible(id)}
                                                     showMetadataInfo={revision => this.setState({...this.state, revision})}
@@ -881,6 +888,11 @@ export class ApplicationDetails extends React.Component<RouteComponentProps<{app
                                         <SlidingPanel isShown={this.showOperationState && !!operationState} onClose={() => this.setOperationStatusVisible(false)}>
                                             {operationState && <ApplicationOperationState application={application} operationState={operationState} />}
                                         </SlidingPanel>
+                                        <SlidingPanel
+                                            isShown={this.showHydrateOperationState && !!hydrateOperationState}
+                                            onClose={() => this.setHydrateOperationStatusVisible(false)}>
+                                            {hydrateOperationState && <ApplicationHydrateOperationState hydrateOperationState={hydrateOperationState} />}
+                                        </SlidingPanel>
                                         <SlidingPanel isShown={this.showConditions && !!conditions} onClose={() => this.setConditionsStatusVisible(false)}>
                                             {conditions && <ApplicationConditions conditions={conditions} />}
                                         </SlidingPanel>
@@ -938,19 +950,21 @@ export class ApplicationDetails extends React.Component<RouteComponentProps<{app
                 iconClassName: 'fa fa-info-circle',
                 title: <ActionMenuItem actionLabel='Details' />,
                 action: () => this.selectNode(fullName),
-                disabled: !app.spec.source && (!app.spec.sources || app.spec.sources.length === 0)
+                disabled: !app.spec.source && (!app.spec.sources || app.spec.sources.length === 0) && !app.spec.sourceHydrator
             },
             {
                 iconClassName: 'fa fa-file-medical',
                 title: <ActionMenuItem actionLabel='Diff' />,
                 action: () => this.selectNode(fullName, 0, 'diff'),
-                disabled: app.status.sync.status === appModels.SyncStatuses.Synced || (!app.spec.source && (!app.spec.sources || app.spec.sources.length === 0))
+                disabled:
+                    app.status.sync.status === appModels.SyncStatuses.Synced ||
+                    (!app.spec.source && (!app.spec.sources || app.spec.sources.length === 0) && !app.spec.sourceHydrator)
             },
             {
                 iconClassName: 'fa fa-sync',
                 title: <ActionMenuItem actionLabel='Sync' />,
                 action: () => AppUtils.showDeploy('all', null, this.appContext.apis),
-                disabled: !app.spec.source && (!app.spec.sources || app.spec.sources.length === 0)
+                disabled: !app.spec.source && (!app.spec.sources || app.spec.sources.length === 0) && !app.spec.sourceHydrator
             },
             ...(app.status?.operationState?.phase === 'Running' && app.status.resources.find(r => r.requiresDeletionConfirmation)
                 ? [
@@ -1157,6 +1171,10 @@ export class ApplicationDetails extends React.Component<RouteComponentProps<{app
         this.appContext.apis.navigation.goto('.', {operation: isVisible}, {replace: true});
     }
 
+    private setHydrateOperationStatusVisible(isVisible: boolean) {
+        this.appContext.apis.navigation.goto('.', {hydrateOperation: isVisible}, {replace: true});
+    }
+
     private setConditionsStatusVisible(isVisible: boolean) {
         this.appContext.apis.navigation.goto('.', {conditions: isVisible}, {replace: true});
     }

ui/src/app/applications/components/application-hydrate-operation-state/application-hydrate-operation-state.scss

@@ -0,0 +1,18 @@
+.application-operation-state {
+  &__icons_container {
+    position: absolute;
+    left: 0;
+  }
+
+  &__icons_container_padding {
+    left: 15px;
+    position: relative;
+  }
+
+  &__message {
+    white-space: normal;
+    line-height: 16px;
+    display: inline-block;
+    vertical-align: middle;
+  }
+}

ui/src/app/applications/components/application-hydrate-operation-state/application-hydrate-operation-state.tsx

@@ -0,0 +1,76 @@
+import {Duration, Ticker} from 'argo-ui';
+import * as moment from 'moment';
+import * as PropTypes from 'prop-types';
+import * as React from 'react';
+
+import {Revision, Timestamp} from '../../../shared/components';
+import * as models from '../../../shared/models';
+
+import './application-hydrate-operation-state.scss';
+
+interface Props {
+    hydrateOperationState: models.HydrateOperation;
+}
+
+export const ApplicationHydrateOperationState: React.FunctionComponent<Props> = ({hydrateOperationState}) => {
+    const operationAttributes = [
+        {title: 'PHASE', value: hydrateOperationState.phase},
+        ...(hydrateOperationState.message ? [{title: 'MESSAGE', value: hydrateOperationState.message}] : []),
+        {title: 'STARTED AT', value: <Timestamp date={hydrateOperationState.startedAt} />},
+        {
+            title: 'DURATION',
+            value: (
+                <Ticker>
+                    {time => (
+                        <Duration
+                            durationS={
+                                ((hydrateOperationState.finishedAt && moment(hydrateOperationState.finishedAt)) || moment(time)).diff(moment(hydrateOperationState.startedAt)) /
+                                1000
+                            }
+                        />
+                    )}
+                </Ticker>
+            )
+        }
+    ];
+
+    if (hydrateOperationState.finishedAt && hydrateOperationState.phase !== 'Hydrating') {
+        operationAttributes.push({title: 'FINISHED AT', value: <Timestamp date={hydrateOperationState.finishedAt} />});
+    }
+    operationAttributes.push({
+        title: 'DRY REVISION',
+        value: (
+            <div>
+                <Revision repoUrl={hydrateOperationState.sourceHydrator.drySource.repoURL} revision={hydrateOperationState.drySHA} />
+            </div>
+        )
+    });
+    if (hydrateOperationState.finishedAt) {
+        operationAttributes.push({
+            title: 'HYDRATED REVISION',
+            value: (
+                <div>
+                    <Revision repoUrl={hydrateOperationState.sourceHydrator.drySource.repoURL} revision={hydrateOperationState.hydratedSHA} />
+                </div>
+            )
+        });
+    }
+    return (
+        <div>
+            <div className='white-box'>
+                <div className='white-box__details'>
+                    {operationAttributes.map(attr => (
+                        <div className='row white-box__details-row' key={attr.title}>
+                            <div className='columns small-3'>{attr.title}</div>
+                            <div className='columns small-9'>{attr.value}</div>
+                        </div>
+                    ))}
+                </div>
+            </div>
+        </div>
+    );
+};
+
+ApplicationHydrateOperationState.contextTypes = {
+    apis: PropTypes.object
+};

ui/src/app/applications/components/application-status-panel/application-status-panel.scss

@@ -181,6 +181,10 @@
         }
     }
 
+    &__hydrator-link {
+        width: 134px;
+    }
+
     &__item-name {
         margin: auto 0;
         max-width: $row-width;

ui/src/app/applications/components/application-status-panel/application-status-panel.tsx

@@ -5,7 +5,15 @@ import {Revision} from '../../../shared/components/revision';
 import {Timestamp} from '../../../shared/components/timestamp';
 import * as models from '../../../shared/models';
 import {services} from '../../../shared/services';
-import {ApplicationSyncWindowStatusIcon, ComparisonStatusIcon, getAppDefaultSource, getAppDefaultSyncRevisionExtra, getAppOperationState} from '../utils';
+import {
+    ApplicationSyncWindowStatusIcon,
+    ComparisonStatusIcon,
+    getAppDefaultSource,
+    getAppDefaultSyncRevisionExtra,
+    getAppOperationState,
+    HydrateOperationPhaseIcon,
+    hydrationStatusMessage
+} from '../utils';
 import {getConditionCategory, HealthStatusIcon, OperationState, syncStatusMessage, getAppDefaultSyncRevision, getAppDefaultOperationSyncRevision} from '../utils';
 import {RevisionMetadataPanel} from './revision-metadata-panel';
 import * as utils from '../utils';
@@ -16,6 +24,7 @@ interface Props {
     application: models.Application;
     showDiff?: () => any;
     showOperation?: () => any;
+    showHydrateOperation?: () => any;
     showConditions?: () => any;
     showExtension?: (id: string) => any;
     showMetadataInfo?: (revision: string) => any;
@@ -46,7 +55,7 @@ const sectionHeader = (info: SectionInfo, onClick?: () => any) => {
     );
 };
 
-export const ApplicationStatusPanel = ({application, showDiff, showOperation, showConditions, showExtension, showMetadataInfo}: Props) => {
+export const ApplicationStatusPanel = ({application, showDiff, showOperation, showHydrateOperation, showConditions, showExtension, showMetadataInfo}: Props) => {
     const today = new Date();
 
     let daysSinceLastSynchronized = 0;
@@ -84,6 +93,40 @@ export const ApplicationStatusPanel = ({application, showDiff, showOperation, sh
                 </div>
                 {application.status.health.message && <div className='application-status-panel__item-name'>{application.status.health.message}</div>}
             </div>
+            {application.spec.sourceHydrator && application.status?.sourceHydrator?.currentOperation && (
+                <div className='application-status-panel__item'>
+                    <div style={{lineHeight: '19.5px', marginBottom: '0.3em'}}>
+                        {sectionLabel({
+                            title: 'SOURCE HYDRATOR',
+                            helpContent: 'The source hydrator reads manifests from git, hydrates (renders) them, and pushes them to a different location in git.'
+                        })}
+                    </div>
+                    <div className='application-status-panel__item-value'>
+                        <a className='application-status-panel__item-value__hydrator-link' onClick={() => showHydrateOperation && showHydrateOperation()}>
+                            <HydrateOperationPhaseIcon operationState={application.status.sourceHydrator.currentOperation} />
+                            &nbsp;
+                            {application.status.sourceHydrator.currentOperation.phase}
+                        </a>
+                        <div className='application-status-panel__item-value__revision show-for-large'>{hydrationStatusMessage(application)}</div>
+                    </div>
+                    <div className='application-status-panel__item-name' style={{marginBottom: '0.5em'}}>
+                        {application.status.sourceHydrator.currentOperation.phase}{' '}
+                        <Timestamp date={application.status.sourceHydrator.currentOperation.finishedAt || application.status.sourceHydrator.currentOperation.startedAt} />
+                    </div>
+                    {application.status.sourceHydrator.currentOperation.message && (
+                        <div className='application-status-panel__item-name'>{application.status.sourceHydrator.currentOperation.message}</div>
+                    )}
+                    <div className='application-status-panel__item-name'>
+                        <RevisionMetadataPanel
+                            appName={application.metadata.name}
+                            appNamespace={application.metadata.namespace}
+                            type={''}
+                            revision={application.status.sourceHydrator.currentOperation.drySHA}
+                            versionId={utils.getAppCurrentVersion(application)}
+                        />
+                    </div>
+                </div>
+            )}
             <div className='application-status-panel__item'>
                 <React.Fragment>
                     {sectionHeader(
@@ -117,7 +160,7 @@ export const ApplicationStatusPanel = ({application, showDiff, showOperation, sh
                                 <RevisionMetadataPanel
                                     appName={application.metadata.name}
                                     appNamespace={application.metadata.namespace}
-                                    type={source.chart && 'helm'}
+                                    type={source?.chart && 'helm'}
                                     revision={revision}
                                     versionId={utils.getAppCurrentVersion(application)}
                                 />

ui/src/app/applications/components/application-status-panel/revision-metadata-panel.tsx

@@ -8,7 +8,10 @@ export const RevisionMetadataPanel = (props: {appName: string; appNamespace: str
         return <React.Fragment />;
     }
     return (
-        <DataLoader load={() => services.applications.revisionMetadata(props.appName, props.appNamespace, props.revision, 0, props.versionId)} errorRenderer={() => <div />}>
+        <DataLoader
+            key={props.revision}
+            load={() => services.applications.revisionMetadata(props.appName, props.appNamespace, props.revision, 0, props.versionId)}
+            errorRenderer={() => <div />}>
             {m => (
                 <Tooltip
                     popperOptions={{

ui/src/app/applications/components/utils.tsx

@@ -13,6 +13,7 @@ import {ResourceTreeNode} from './application-resource-tree/application-resource
 import {CheckboxField, COLORS, ErrorNotification, Revision} from '../../shared/components';
 import * as appModels from '../../shared/models';
 import {services} from '../../shared/services';
+import {ApplicationSource} from '../../shared/models';
 
 require('./utils.scss');
 
@@ -223,6 +224,29 @@ export const OperationPhaseIcon = ({app}: {app: appModels.Application}) => {
     return <i title={getOperationStateTitle(app)} qe-id='utils-operations-status-title' className={className} style={{color}} />;
 };
 
+export const HydrateOperationPhaseIcon = ({operationState}: {operationState?: appModels.HydrateOperation}) => {
+    if (operationState === undefined) {
+        return <React.Fragment />;
+    }
+    let className = '';
+    let color = '';
+    switch (operationState.phase) {
+        case appModels.HydrateOperationPhases.Hydrated:
+            className = 'fa fa-check-circle';
+            color = COLORS.operation.success;
+            break;
+        case appModels.HydrateOperationPhases.Failed:
+            className = 'fa fa-times-circle';
+            color = COLORS.operation.failed;
+            break;
+        default:
+            className = 'fa fa-circle-notch fa-spin';
+            color = COLORS.operation.running;
+            break;
+    }
+    return <i title={operationState.phase} qe-id='utils-operations-status-title' className={className} style={{color}} />;
+};
+
 export const ComparisonStatusIcon = ({
     status,
     resource,
@@ -777,6 +801,65 @@ export function syncStatusMessage(app: appModels.Application) {
     }
 }
 
+export function hydrationStatusMessage(app: appModels.Application) {
+    const drySource = app.status.sourceHydrator.currentOperation.sourceHydrator.drySource;
+    const dryCommit = app.status.sourceHydrator.currentOperation.drySHA;
+    const syncSource: ApplicationSource = {
+        repoURL: drySource.repoURL,
+        targetRevision:
+            app.status.sourceHydrator.currentOperation.sourceHydrator.hydrateTo?.targetBranch || app.status.sourceHydrator.currentOperation.sourceHydrator.syncSource.targetBranch,
+        path: app.status.sourceHydrator.currentOperation.sourceHydrator.syncSource.path
+    };
+    const hydratedCommit = app.status.sourceHydrator.currentOperation.hydratedSHA || '';
+
+    switch (app.status.sourceHydrator.currentOperation.phase) {
+        case appModels.HydrateOperationPhases.Hydrated:
+            return (
+                <span>
+                    from{' '}
+                    <Revision repoUrl={drySource.repoURL} revision={dryCommit}>
+                        {drySource.targetRevision + ' (' + dryCommit.substr(0, 7) + ')'}
+                    </Revision>
+                    <br />
+                    to{' '}
+                    <Revision repoUrl={syncSource.repoURL} revision={hydratedCommit}>
+                        {syncSource.targetRevision + ' (' + hydratedCommit.substr(0, 7) + ')'}
+                    </Revision>
+                </span>
+            );
+        case appModels.HydrateOperationPhases.Hydrating:
+            return (
+                <span>
+                    from{' '}
+                    <Revision repoUrl={drySource.repoURL} revision={dryCommit}>
+                        {drySource.targetRevision + ' (' + dryCommit.substr(0, 7) + ')'}
+                    </Revision>
+                    <br />
+                    to{' '}
+                    <Revision repoUrl={syncSource.repoURL} revision={syncSource.targetRevision}>
+                        {syncSource.targetRevision}
+                    </Revision>
+                </span>
+            );
+        case appModels.HydrateOperationPhases.Failed:
+            return (
+                <span>
+                    from{' '}
+                    <Revision repoUrl={drySource.repoURL} revision={dryCommit}>
+                        {drySource.targetRevision + ' (' + dryCommit.substr(0, 7) + ')'}
+                    </Revision>
+                    <br />
+                    to{' '}
+                    <Revision repoUrl={syncSource.repoURL} revision={syncSource.targetRevision}>
+                        {syncSource.targetRevision}
+                    </Revision>
+                </span>
+            );
+        default:
+            return <span>{}</span>;
+    }
+}
+
 export const HealthStatusIcon = ({state, noSpin}: {state: appModels.HealthStatus; noSpin?: boolean}) => {
     let color = COLORS.health.unknown;
     let icon = 'fa-question-circle';
@@ -1182,7 +1265,7 @@ export function getAppDefaultSource(app?: appModels.Application) {
     if (!app) {
         return null;
     }
-    return app.spec.sources && app.spec.sources.length > 0 ? app.spec.sources[0] : app.spec.source;
+    return getAppSpecDefaultSource(app.spec);
 }
 
 // getAppDefaultSyncRevision gets the first app revisions from `status.sync.revisions` or, if that list is missing or empty, the `revision`
@@ -1241,6 +1324,13 @@ export function getAppDefaultOperationSyncRevisionExtra(app?: appModels.Applicat
 }
 
 export function getAppSpecDefaultSource(spec: appModels.ApplicationSpec) {
+    if (spec.sourceHydrator) {
+        return {
+            repoURL: spec.sourceHydrator.drySource.repoURL,
+            targetRevision: spec.sourceHydrator.syncSource.targetBranch,
+            path: spec.sourceHydrator.syncSource.path
+        };
+    }
     return spec.sources && spec.sources.length > 0 ? spec.sources[0] : spec.source;
 }
 

ui/src/app/settings/components/repo-details/repo-details.tsx

@@ -4,9 +4,12 @@ import {FormApi, Text} from 'react-form';
 import {EditablePanel, EditablePanelItem} from '../../../shared/components';
 import * as models from '../../../shared/models';
 import {NewHTTPSRepoParams} from '../repos-list/repos-list';
+import {AuthSettingsCtx} from '../../../shared/context';
 
 export const RepoDetails = (props: {repo: models.Repository; save?: (params: NewHTTPSRepoParams) => Promise<void>}) => {
+    const useAuthSettingsCtx = React.useContext(AuthSettingsCtx);
     const {repo, save} = props;
+    const write = false;
     const FormItems = (repository: models.Repository): EditablePanelItem[] => {
         const items: EditablePanelItem[] = [
             {
@@ -34,6 +37,16 @@ export const RepoDetails = (props: {repo: models.Repository; save?: (params: New
             }
         ];
 
+        if (useAuthSettingsCtx?.hydratorEnabled) {
+            // Insert this item at index 1.
+            const item = {
+                title: 'Write',
+                view: write,
+                edit: (formApi: FormApi) => <FormField formApi={formApi} field='write' component={Text} componentProps={{type: 'checkbox'}} />
+            };
+            items.splice(1, 0, item);
+        }
+
         if (repository.project) {
             items.splice(repository.name ? 2 : 1, 0, {
                 title: 'Project',
@@ -83,7 +96,7 @@ export const RepoDetails = (props: {repo: models.Repository; save?: (params: New
                 password: !input.password && input.username && 'Password is required if username is given.'
             })}
             save={async input => {
-                const params: NewHTTPSRepoParams = {...newRepo};
+                const params: NewHTTPSRepoParams = {...newRepo, write};
                 params.name = input.name || '';
                 params.username = input.username || '';
                 params.password = input.password || '';

ui/src/app/settings/components/repos-list/repos-list.tsx

@@ -23,6 +23,8 @@ interface NewSSHRepoParams {
     proxy: string;
     noProxy: string;
     project?: string;
+    // write should be true if saving as a write credential.
+    write: boolean;
 }
 
 export interface NewHTTPSRepoParams {
@@ -40,6 +42,8 @@ export interface NewHTTPSRepoParams {
     project?: string;
     forceHttpBasicAuth?: boolean;
     enableOCI: boolean;
+    // write should be true if saving as a write credential.
+    write: boolean;
 }
 
 interface NewGitHubAppRepoParams {
@@ -57,6 +61,8 @@ interface NewGitHubAppRepoParams {
     proxy: string;
     noProxy: string;
     project?: string;
+    // write should be true if saving as a write credential.
+    write: boolean;
 }
 
 interface NewGoogleCloudSourceRepoParams {
@@ -67,11 +73,15 @@ interface NewGoogleCloudSourceRepoParams {
     proxy: string;
     noProxy: string;
     project?: string;
+    // write should be true if saving as a write credential.
+    write: boolean;
 }
 
 interface NewSSHRepoCredsParams {
     url: string;
     sshPrivateKey: string;
+    // write should be true if saving as a write credential.
+    write: boolean;
 }
 
 interface NewHTTPSRepoCredsParams {
@@ -84,6 +94,8 @@ interface NewHTTPSRepoCredsParams {
     noProxy: string;
     forceHttpBasicAuth: boolean;
     enableOCI: boolean;
+    // write should be true if saving as a write credential.
+    write: boolean;
 }
 
 interface NewGitHubAppRepoCredsParams {
@@ -96,11 +108,15 @@ interface NewGitHubAppRepoCredsParams {
     tlsClientCertKey: string;
     proxy: string;
     noProxy: string;
+    // write should be true if saving as a write credential.
+    write: boolean;
 }
 
 interface NewGoogleCloudSourceRepoCredsParams {
     url: string;
     gcpServiceAccountKey: string;
+    // write should be true if saving as a write credential.
+    write: boolean;
 }
 
 export enum ConnectionMethod {
@@ -117,6 +133,7 @@ export class ReposList extends React.Component<
         method: string;
         currentRepo: models.Repository;
         displayEditPanel: boolean;
+        authSettings: models.AuthSettings;
     }
 > {
     public static contextTypes = {
@@ -136,10 +153,17 @@ export class ReposList extends React.Component<
             connecting: false,
             method: ConnectionMethod.SSH,
             currentRepo: null,
-            displayEditPanel: false
+            displayEditPanel: false,
+            authSettings: null
         };
     }
 
+    public async componentDidMount() {
+        this.setState({
+            authSettings: await services.authService.settings()
+        });
+    }
+
     private ConnectRepoFormButton(method: string, onSelection: (method: string) => void) {
         return (
             <div className='white-box'>
@@ -169,7 +193,7 @@ export class ReposList extends React.Component<
     }
 
     private onChooseDefaultValues = (): FormValues => {
-        return {type: 'git', ghType: 'GitHub'};
+        return {type: 'git', ghType: 'GitHub', write: false};
     };
 
     private onValidateErrors(params: FormValues): FormErrors {
@@ -346,7 +370,7 @@ export class ReposList extends React.Component<
                                                                 },
                                                                 {
                                                                     title: 'Disconnect',
-                                                                    action: () => this.disconnectRepo(repo.repo, repo.project)
+                                                                    action: () => this.disconnectRepo(repo.repo, repo.project, false)
                                                                 }
                                                             ]}
                                                         />
@@ -389,7 +413,12 @@ export class ReposList extends React.Component<
                                                                     <i className='fa fa-ellipsis-v' />
                                                                 </button>
                                                             )}
-                                                            items={[{title: 'Remove', action: () => this.removeRepoCreds(repo.url)}]}
+                                                            items={[
+                                                                {
+                                                                    title: 'Remove',
+                                                                    action: () => this.removeRepoCreds(repo.url, false)
+                                                                }
+                                                            ]}
                                                         />
                                                     </div>
                                                 </div>
@@ -400,6 +429,129 @@ export class ReposList extends React.Component<
                             }
                         </DataLoader>
                     </div>
+                    {this.state.authSettings?.hydratorEnabled && (
+                        <div className='argo-container'>
+                            <DataLoader load={() => services.repos.listWrite()} ref={loader => (this.repoLoader = loader)}>
+                                {(repos: models.Repository[]) =>
+                                    (repos.length > 0 && (
+                                        <div className='argo-table-list'>
+                                            <div className='argo-table-list__head'>
+                                                <div className='row'>
+                                                    <div className='columns small-1' />
+                                                    <div className='columns small-1'>TYPE</div>
+                                                    <div className='columns small-2'>NAME</div>
+                                                    <div className='columns small-2'>PROJECT</div>
+                                                    <div className='columns small-4'>REPOSITORY</div>
+                                                    <div className='columns small-2'>CONNECTION STATUS</div>
+                                                </div>
+                                            </div>
+                                            {repos.map(repo => (
+                                                <div
+                                                    className={`argo-table-list__row ${this.isRepoUpdatable(repo) ? 'item-clickable' : ''}`}
+                                                    key={repo.repo}
+                                                    onClick={() => (this.isRepoUpdatable(repo) ? this.displayEditSliding(repo) : null)}>
+                                                    <div className='row'>
+                                                        <div className='columns small-1'>
+                                                            <i className='icon argo-icon-git' />
+                                                        </div>
+                                                        <div className='columns small-1'>write</div>
+                                                        <div className='columns small-2'>
+                                                            <Tooltip content={repo.name}>
+                                                                <span>{repo.name}</span>
+                                                            </Tooltip>
+                                                        </div>
+                                                        <div className='columns small-2'>
+                                                            <Tooltip content={repo.project}>
+                                                                <span>{repo.project}</span>
+                                                            </Tooltip>
+                                                        </div>
+                                                        <div className='columns small-4'>
+                                                            <Tooltip content={repo.repo}>
+                                                                <span>
+                                                                    <Repo url={repo.repo} />
+                                                                </span>
+                                                            </Tooltip>
+                                                        </div>
+                                                        <div className='columns small-2'>
+                                                            <ConnectionStateIcon state={repo.connectionState} /> {repo.connectionState.status}
+                                                            <DropDownMenu
+                                                                anchor={() => (
+                                                                    <button className='argo-button argo-button--light argo-button--lg argo-button--short'>
+                                                                        <i className='fa fa-ellipsis-v' />
+                                                                    </button>
+                                                                )}
+                                                                items={[
+                                                                    {
+                                                                        title: 'Create application',
+                                                                        action: () =>
+                                                                            this.appContext.apis.navigation.goto('/applications', {
+                                                                                new: JSON.stringify({spec: {sourceHydrator: {drySource: {repoURL: repo.repo}}}})
+                                                                            })
+                                                                    },
+                                                                    {
+                                                                        title: 'Disconnect',
+                                                                        action: () => this.disconnectRepo(repo.repo, repo.project, true)
+                                                                    }
+                                                                ]}
+                                                            />
+                                                        </div>
+                                                    </div>
+                                                </div>
+                                            ))}
+                                        </div>
+                                    )) || (
+                                        <EmptyState icon='argo-icon-git'>
+                                            <h4>No repositories connected</h4>
+                                            <h5>Connect your repo to deploy apps.</h5>
+                                        </EmptyState>
+                                    )
+                                }
+                            </DataLoader>
+                        </div>
+                    )}
+                    {this.state.authSettings?.hydratorEnabled && (
+                        <div className='argo-container'>
+                            <DataLoader load={() => services.repocreds.listWrite()} ref={loader => (this.credsLoader = loader)}>
+                                {(creds: models.RepoCreds[]) =>
+                                    creds.length > 0 && (
+                                        <div className='argo-table-list'>
+                                            <div className='argo-table-list__head'>
+                                                <div className='row'>
+                                                    <div className='columns small-9'>CREDENTIALS TEMPLATE URL</div>
+                                                    <div className='columns small-3'>CREDS</div>
+                                                </div>
+                                            </div>
+                                            {creds.map(repo => (
+                                                <div className='argo-table-list__row' key={repo.url}>
+                                                    <div className='row'>
+                                                        <div className='columns small-9'>
+                                                            <i className='icon argo-icon-git' /> <Repo url={repo.url} />
+                                                        </div>
+                                                        <div className='columns small-3'>
+                                                            -
+                                                            <DropDownMenu
+                                                                anchor={() => (
+                                                                    <button className='argo-button argo-button--light argo-button--lg argo-button--short'>
+                                                                        <i className='fa fa-ellipsis-v' />
+                                                                    </button>
+                                                                )}
+                                                                items={[
+                                                                    {
+                                                                        title: 'Remove',
+                                                                        action: () => this.removeRepoCreds(repo.url, true)
+                                                                    }
+                                                                ]}
+                                                            />
+                                                        </div>
+                                                    </div>
+                                                </div>
+                                            ))}
+                                        </div>
+                                    )
+                                }
+                            </DataLoader>
+                        </div>
+                    )}
                 </div>
                 <SlidingPanel
                     isShown={this.showConnectRepo || this.state.displayEditPanel}
@@ -427,21 +579,40 @@ export class ReposList extends React.Component<
                                     validateError={(values: FormValues) => this.onValidateErrors(values)}>
                                     {formApi => (
                                         <form onSubmit={formApi.submitForm} role='form' className='repos-list width-control'>
+                                            {this.state.authSettings?.hydratorEnabled && (
+                                                <div className='white-box'>
+                                                    <p>SAVE AS WRITE CREDENTIAL (ALPHA)</p>
+                                                    <p>
+                                                        The Source Hydrator is an Alpha feature which enables Applications to push hydrated manifests to git before syncing. To use
+                                                        the Source Hydrator for a repository, you must save two credentials: a read credential for pulling manifests and a write
+                                                        credential for pushing hydrated manifests. If you add a write credential for a repository, then{' '}
+                                                        <strong>any Application that can sync from the repo can also push hydrated manifests to that repo.</strong> Do not use this
+                                                        feature until you've read its documentation and understand the security implications.
+                                                    </p>
+                                                    <div className='argo-form-row'>
+                                                        <FormField formApi={formApi} label='Save as write credential' field='write' component={CheckboxField} />
+                                                    </div>
+                                                </div>
+                                            )}
                                             {this.state.method === ConnectionMethod.SSH && (
                                                 <div className='white-box'>
                                                     <p>CONNECT REPO USING SSH</p>
-                                                    <div className='argo-form-row'>
-                                                        <FormField formApi={formApi} label='Name (mandatory for Helm)' field='name' component={Text} />
-                                                    </div>
-                                                    <div className='argo-form-row'>
-                                                        <FormField
-                                                            formApi={formApi}
-                                                            label='Project'
-                                                            field='project'
-                                                            component={AutocompleteField}
-                                                            componentProps={{items: projects}}
-                                                        />
-                                                    </div>
+                                                    {formApi.getFormState().values.write === false && (
+                                                        <div className='argo-form-row'>
+                                                            <FormField formApi={formApi} label='Name (mandatory for Helm)' field='name' component={Text} />
+                                                        </div>
+                                                    )}
+                                                    {formApi.getFormState().values.write === false && (
+                                                        <div className='argo-form-row'>
+                                                            <FormField
+                                                                formApi={formApi}
+                                                                label='Project'
+                                                                field='project'
+                                                                component={AutocompleteField}
+                                                                componentProps={{items: projects}}
+                                                            />
+                                                        </div>
+                                                    )}
                                                     <div className='argo-form-row'>
                                                         <FormField formApi={formApi} label='Repository URL' field='url' component={Text} />
                                                     </div>
@@ -452,10 +623,12 @@ export class ReposList extends React.Component<
                                                         <FormField formApi={formApi} label='Skip server verification' field='insecure' component={CheckboxField} />
                                                         <HelpIcon title='This setting is ignored when creating as credential template.' />
                                                     </div>
-                                                    <div className='argo-form-row'>
-                                                        <FormField formApi={formApi} label='Enable LFS support (Git only)' field='enableLfs' component={CheckboxField} />
-                                                        <HelpIcon title='This setting is ignored when creating as credential template.' />
-                                                    </div>
+                                                    {formApi.getFormState().values.write === false && (
+                                                        <div className='argo-form-row'>
+                                                            <FormField formApi={formApi} label='Enable LFS support (Git only)' field='enableLfs' component={CheckboxField} />
+                                                            <HelpIcon title='This setting is ignored when creating as credential template.' />
+                                                        </div>
+                                                    )}
                                                     <div className='argo-form-row'>
                                                         <FormField formApi={formApi} label='Proxy (optional)' field='proxy' component={Text} />
                                                     </div>
@@ -480,15 +653,17 @@ export class ReposList extends React.Component<
                                                             />
                                                         </div>
                                                     )}
-                                                    <div className='argo-form-row'>
-                                                        <FormField
-                                                            formApi={formApi}
-                                                            label='Project'
-                                                            field='project'
-                                                            component={AutocompleteField}
-                                                            componentProps={{items: projects}}
-                                                        />
-                                                    </div>
+                                                    {formApi.getFormState().values.write === false && (
+                                                        <div className='argo-form-row'>
+                                                            <FormField
+                                                                formApi={formApi}
+                                                                label='Project'
+                                                                field='project'
+                                                                component={AutocompleteField}
+                                                                componentProps={{items: projects}}
+                                                            />
+                                                        </div>
+                                                    )}
                                                     <div className='argo-form-row'>
                                                         <FormField formApi={formApi} label='Repository URL' field='url' component={Text} />
                                                     </div>
@@ -706,11 +881,15 @@ export class ReposList extends React.Component<
     // Connect a new repository or create a repository credentials for SSH repositories
     private async connectSSHRepo(params: NewSSHRepoParams) {
         if (this.credsTemplate) {
-            this.createSSHCreds({url: params.url, sshPrivateKey: params.sshPrivateKey});
+            this.createSSHCreds({url: params.url, sshPrivateKey: params.sshPrivateKey, write: params.write});
         } else {
             this.setState({connecting: true});
             try {
-                await services.repos.createSSH(params);
+                if (params.write) {
+                    await services.repos.createSSHWrite(params);
+                } else {
+                    await services.repos.createSSH(params);
+                }
                 this.repoLoader.reload();
                 this.showConnectRepo = false;
             } catch (e) {
@@ -736,12 +915,17 @@ export class ReposList extends React.Component<
                 proxy: params.proxy,
                 noProxy: params.noProxy,
                 forceHttpBasicAuth: params.forceHttpBasicAuth,
-                enableOCI: params.enableOCI
+                enableOCI: params.enableOCI,
+                write: params.write
             });
         } else {
             this.setState({connecting: true});
             try {
-                await services.repos.createHTTPS(params);
+                if (params.write) {
+                    await services.repos.createHTTPSWrite(params);
+                } else {
+                    await services.repos.createHTTPS(params);
+                }
                 this.repoLoader.reload();
                 this.showConnectRepo = false;
             } catch (e) {
@@ -758,7 +942,11 @@ export class ReposList extends React.Component<
     // Update an existing repository for HTTPS repositories
     private async updateHTTPSRepo(params: NewHTTPSRepoParams) {
         try {
-            await services.repos.updateHTTPS(params);
+            if (params.write) {
+                await services.repos.updateHTTPSWrite(params);
+            } else {
+                await services.repos.updateHTTPS(params);
+            }
             this.repoLoader.reload();
             this.setState({displayEditPanel: false});
             this.refreshRepoList(params.url);
@@ -784,12 +972,17 @@ export class ReposList extends React.Component<
                 tlsClientCertData: params.tlsClientCertData,
                 tlsClientCertKey: params.tlsClientCertKey,
                 proxy: params.proxy,
-                noProxy: params.noProxy
+                noProxy: params.noProxy,
+                write: params.write
             });
         } else {
             this.setState({connecting: true});
             try {
-                await services.repos.createGitHubApp(params);
+                if (params.write) {
+                    await services.repos.createGitHubAppWrite(params);
+                } else {
+                    await services.repos.createGitHubApp(params);
+                }
                 this.repoLoader.reload();
                 this.showConnectRepo = false;
             } catch (e) {
@@ -808,12 +1001,17 @@ export class ReposList extends React.Component<
         if (this.credsTemplate) {
             this.createGoogleCloudSourceCreds({
                 url: params.url,
-                gcpServiceAccountKey: params.gcpServiceAccountKey
+                gcpServiceAccountKey: params.gcpServiceAccountKey,
+                write: params.write
             });
         } else {
             this.setState({connecting: true});
             try {
-                await services.repos.createGoogleCloudSource(params);
+                if (params.write) {
+                    await services.repos.createGoogleCloudSourceWrite(params);
+                } else {
+                    await services.repos.createGoogleCloudSource(params);
+                }
                 this.repoLoader.reload();
                 this.showConnectRepo = false;
             } catch (e) {
@@ -829,7 +1027,11 @@ export class ReposList extends React.Component<
 
     private async createHTTPSCreds(params: NewHTTPSRepoCredsParams) {
         try {
-            await services.repocreds.createHTTPS(params);
+            if (params.write) {
+                await services.repocreds.createHTTPSWrite(params);
+            } else {
+                await services.repocreds.createHTTPS(params);
+            }
             this.credsLoader.reload();
             this.showConnectRepo = false;
         } catch (e) {
@@ -842,7 +1044,11 @@ export class ReposList extends React.Component<
 
     private async createSSHCreds(params: NewSSHRepoCredsParams) {
         try {
-            await services.repocreds.createSSH(params);
+            if (params.write) {
+                await services.repocreds.createSSHWrite(params);
+            } else {
+                await services.repocreds.createSSH(params);
+            }
             this.credsLoader.reload();
             this.showConnectRepo = false;
         } catch (e) {
@@ -855,7 +1061,11 @@ export class ReposList extends React.Component<
 
     private async createGitHubAppCreds(params: NewGitHubAppRepoCredsParams) {
         try {
-            await services.repocreds.createGitHubApp(params);
+            if (params.write) {
+                await services.repocreds.createGitHubAppWrite(params);
+            } else {
+                await services.repocreds.createGitHubApp(params);
+            }
             this.credsLoader.reload();
             this.showConnectRepo = false;
         } catch (e) {
@@ -868,7 +1078,11 @@ export class ReposList extends React.Component<
 
     private async createGoogleCloudSourceCreds(params: NewGoogleCloudSourceRepoCredsParams) {
         try {
-            await services.repocreds.createGoogleCloudSource(params);
+            if (params.write) {
+                await services.repocreds.createGoogleCloudSourceWrite(params);
+            } else {
+                await services.repocreds.createGoogleCloudSource(params);
+            }
             this.credsLoader.reload();
             this.showConnectRepo = false;
         } catch (e) {
@@ -880,11 +1094,15 @@ export class ReposList extends React.Component<
     }
 
     // Remove a repository from the configuration
-    private async disconnectRepo(repo: string, project: string) {
+    private async disconnectRepo(repo: string, project: string, write: boolean) {
         const confirmed = await this.appContext.apis.popup.confirm('Disconnect repository', `Are you sure you want to disconnect '${repo}'?`);
         if (confirmed) {
             try {
-                await services.repos.delete(repo, project || '');
+                if (write) {
+                    await services.repos.deleteWrite(repo, project || '');
+                } else {
+                    await services.repos.delete(repo, project || '');
+                }
                 this.repoLoader.reload();
             } catch (e) {
                 this.appContext.apis.notifications.show({
@@ -896,11 +1114,15 @@ export class ReposList extends React.Component<
     }
 
     // Remove repository credentials from the configuration
-    private async removeRepoCreds(url: string) {
+    private async removeRepoCreds(url: string, write: boolean) {
         const confirmed = await this.appContext.apis.popup.confirm('Remove repository credentials', `Are you sure you want to remove credentials for URL prefix '${url}'?`);
         if (confirmed) {
             try {
-                await services.repocreds.delete(url);
+                if (write) {
+                    await services.repocreds.deleteWrite(url);
+                } else {
+                    await services.repocreds.delete(url);
+                }
                 this.credsLoader.reload();
             } catch (e) {
                 this.appContext.apis.notifications.show({

ui/src/app/shared/models.ts

@@ -214,6 +214,27 @@ export interface ApplicationSource {
     name?: string;
 }
 
+export interface SourceHydrator {
+    drySource: DrySource;
+    syncSource: SyncSource;
+    hydrateTo?: HydrateTo;
+}
+
+export interface DrySource {
+    repoURL: string;
+    targetRevision: string;
+    path: string;
+}
+
+export interface SyncSource {
+    targetBranch: string;
+    path: string;
+}
+
+export interface HydrateTo {
+    targetBranch: string;
+}
+
 export interface ApplicationSourceHelm {
     valueFiles: string[];
     values?: string;
@@ -285,6 +306,7 @@ export interface ApplicationSpec {
     project: string;
     source: ApplicationSource;
     sources: ApplicationSource[];
+    sourceHydrator?: SourceHydrator;
     destination: ApplicationDestination;
     syncPolicy?: SyncPolicy;
     ignoreDifferences?: ResourceIgnoreDifferences[];
@@ -445,8 +467,38 @@ export interface ApplicationStatus {
     health: HealthStatus;
     operationState?: OperationState;
     summary?: ApplicationSummary;
+    sourceHydrator?: SourceHydratorStatus;
 }
 
+export interface SourceHydratorStatus {
+    lastSuccessfulOperation?: SuccessfulHydrateOperation;
+    currentOperation?: HydrateOperation;
+}
+
+export interface HydrateOperation {
+    startedAt: models.Time;
+    finishedAt?: models.Time;
+    phase: HydrateOperationPhase;
+    message: string;
+    drySHA: string;
+    hydratedSHA: string;
+    sourceHydrator: SourceHydrator;
+}
+
+export interface SuccessfulHydrateOperation {
+    drySHA: string;
+    hydratedSHA: string;
+    sourceHydrator: SourceHydrator;
+}
+
+export type HydrateOperationPhase = 'Hydrating' | 'Failed' | 'Hydrated';
+
+export const HydrateOperationPhases = {
+    Hydrating: 'Hydrating' as OperationPhase,
+    Failed: 'Failed' as OperationPhase,
+    Hydrated: 'Hydrated' as OperationPhase
+};
+
 export interface JwtTokens {
     items: JwtToken[];
 }
@@ -504,6 +556,7 @@ export interface AuthSettings {
     uiBannerPosition: string;
     execEnabled: boolean;
     appsInAnyNamespaceEnabled: boolean;
+    hydratorEnabled: boolean;
 }
 
 export interface UserInfo {

ui/src/app/shared/services/repo-service.ts

@@ -1,6 +1,62 @@
 import * as models from '../models';
 import requests from './requests';
 
+export interface HTTPSQuery {
+    type: string;
+    name: string;
+    url: string;
+    username: string;
+    password: string;
+    tlsClientCertData: string;
+    tlsClientCertKey: string;
+    insecure: boolean;
+    enableLfs: boolean;
+    proxy: string;
+    noProxy: string;
+    project?: string;
+    forceHttpBasicAuth?: boolean;
+    enableOCI: boolean;
+}
+
+export interface SSHQuery {
+    type: string;
+    name: string;
+    url: string;
+    sshPrivateKey: string;
+    insecure: boolean;
+    enableLfs: boolean;
+    proxy: string;
+    noProxy: string;
+    project?: string;
+}
+
+export interface GitHubAppQuery {
+    type: string;
+    name: string;
+    url: string;
+    githubAppPrivateKey: string;
+    githubAppId: bigint;
+    githubAppInstallationId: bigint;
+    githubAppEnterpriseBaseURL: string;
+    tlsClientCertData: string;
+    tlsClientCertKey: string;
+    insecure: boolean;
+    enableLfs: boolean;
+    proxy: string;
+    noProxy: string;
+    project?: string;
+}
+
+export interface GoogleCloudSourceQuery {
+    type: string;
+    name: string;
+    url: string;
+    gcpServiceAccountKey: string;
+    proxy: string;
+    noProxy: string;
+    project?: string;
+}
+
 export class RepositoriesService {
     public list(): Promise<models.Repository[]> {
         return requests
@@ -9,6 +65,13 @@ export class RepositoriesService {
             .then(list => list.items || []);
     }
 
+    public listWrite(): Promise<models.Repository[]> {
+        return requests
+            .get(`/write-repositories`)
+            .then(res => res.body as models.RepositoryList)
+            .then(list => list.items || []);
+    }
+
     public listNoCache(): Promise<models.Repository[]> {
         return requests
             .get(`/repositories?forceRefresh=true`)
@@ -16,186 +79,205 @@ export class RepositoriesService {
             .then(list => list.items || []);
     }
 
-    public createHTTPS({
-        type,
-        name,
-        url,
-        username,
-        password,
-        tlsClientCertData,
-        tlsClientCertKey,
-        insecure,
-        enableLfs,
-        proxy,
-        noProxy,
-        project,
-        forceHttpBasicAuth,
-        enableOCI
-    }: {
-        type: string;
-        name: string;
-        url: string;
-        username: string;
-        password: string;
-        tlsClientCertData: string;
-        tlsClientCertKey: string;
-        insecure: boolean;
-        enableLfs: boolean;
-        proxy: string;
-        noProxy: string;
-        project?: string;
-        forceHttpBasicAuth?: boolean;
-        enableOCI: boolean;
-    }): Promise<models.Repository> {
+    public listWriteNoCache(): Promise<models.Repository[]> {
         return requests
-            .post('/repositories')
-            .send({type, name, repo: url, username, password, tlsClientCertData, tlsClientCertKey, insecure, enableLfs, proxy, noProxy, project, forceHttpBasicAuth, enableOCI})
-            .then(res => res.body as models.Repository);
+            .get(`/write-repositories?forceRefresh=true`)
+            .then(res => res.body as models.RepositoryList)
+            .then(list => list.items || []);
     }
 
-    public updateHTTPS({
-        type,
-        name,
-        url,
-        username,
-        password,
-        tlsClientCertData,
-        tlsClientCertKey,
-        insecure,
-        enableLfs,
-        proxy,
-        noProxy,
-        project,
-        forceHttpBasicAuth,
-        enableOCI
-    }: {
-        type: string;
-        name: string;
-        url: string;
-        username: string;
-        password: string;
-        tlsClientCertData: string;
-        tlsClientCertKey: string;
-        insecure: boolean;
-        enableLfs: boolean;
-        proxy: string;
-        noProxy: string;
-        project?: string;
-        forceHttpBasicAuth?: boolean;
-        enableOCI: boolean;
-    }): Promise<models.Repository> {
-        return requests
-            .put(`/repositories/${encodeURIComponent(url)}`)
-            .send({type, name, repo: url, username, password, tlsClientCertData, tlsClientCertKey, insecure, enableLfs, proxy, noProxy, project, forceHttpBasicAuth, enableOCI})
-            .then(res => res.body as models.Repository);
-    }
-
-    public createSSH({
-        type,
-        name,
-        url,
-        sshPrivateKey,
-        insecure,
-        enableLfs,
-        proxy,
-        noProxy,
-        project
-    }: {
-        type: string;
-        name: string;
-        url: string;
-        sshPrivateKey: string;
-        insecure: boolean;
-        enableLfs: boolean;
-        proxy: string;
-        noProxy: string;
-        project?: string;
-    }): Promise<models.Repository> {
-        return requests
-            .post('/repositories')
-            .send({type, name, repo: url, sshPrivateKey, insecure, enableLfs, proxy, noProxy, project})
-            .then(res => res.body as models.Repository);
-    }
-
-    public createGitHubApp({
-        type,
-        name,
-        url,
-        githubAppPrivateKey,
-        githubAppId,
-        githubAppInstallationId,
-        githubAppEnterpriseBaseURL,
-        tlsClientCertData,
-        tlsClientCertKey,
-        insecure,
-        enableLfs,
-        proxy,
-        noProxy,
-        project
-    }: {
-        type: string;
-        name: string;
-        url: string;
-        githubAppPrivateKey: string;
-        githubAppId: bigint;
-        githubAppInstallationId: bigint;
-        githubAppEnterpriseBaseURL: string;
-        tlsClientCertData: string;
-        tlsClientCertKey: string;
-        insecure: boolean;
-        enableLfs: boolean;
-        proxy: string;
-        noProxy: string;
-        project?: string;
-    }): Promise<models.Repository> {
+    public createHTTPS(q: HTTPSQuery): Promise<models.Repository> {
         return requests
             .post('/repositories')
             .send({
-                type,
-                name,
-                repo: url,
-                githubAppPrivateKey,
-                githubAppId,
-                githubAppInstallationId,
-                githubAppEnterpriseBaseURL,
-                tlsClientCertData,
-                tlsClientCertKey,
-                insecure,
-                enableLfs,
-                proxy,
-                noProxy,
-                project
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                username: q.username,
+                password: q.password,
+                tlsClientCertData: q.tlsClientCertData,
+                tlsClientCertKey: q.tlsClientCertKey,
+                insecure: q.insecure,
+                enableLfs: q.enableLfs,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project,
+                forceHttpBasicAuth: q.forceHttpBasicAuth,
+                enableOCI: q.enableOCI
             })
             .then(res => res.body as models.Repository);
     }
 
-    public createGoogleCloudSource({
-        type,
-        name,
-        url,
-        gcpServiceAccountKey,
-        proxy,
-        noProxy,
-        project
-    }: {
-        type: string;
-        name: string;
-        url: string;
-        gcpServiceAccountKey: string;
-        proxy: string;
-        noProxy: string;
-        project?: string;
-    }): Promise<models.Repository> {
+    public createHTTPSWrite(q: HTTPSQuery): Promise<models.Repository> {
+        return requests
+            .post('/write-repositories')
+            .send({
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                username: q.username,
+                password: q.password,
+                tlsClientCertData: q.tlsClientCertData,
+                tlsClientCertKey: q.tlsClientCertKey,
+                insecure: q.insecure,
+                enableLfs: q.enableLfs,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project,
+                forceHttpBasicAuth: q.forceHttpBasicAuth,
+                enableOCI: q.enableOCI
+            })
+            .then(res => res.body as models.Repository);
+    }
+
+    public updateHTTPS(q: HTTPSQuery): Promise<models.Repository> {
+        return requests
+            .put(`/repositories/${encodeURIComponent(q.url)}`)
+            .send({
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                username: q.username,
+                password: q.password,
+                tlsClientCertData: q.tlsClientCertData,
+                tlsClientCertKey: q.tlsClientCertKey,
+                insecure: q.insecure,
+                enableLfs: q.enableLfs,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project,
+                forceHttpBasicAuth: q.forceHttpBasicAuth,
+                enableOCI: q.enableOCI
+            })
+            .then(res => res.body as models.Repository);
+    }
+
+    public updateHTTPSWrite(q: HTTPSQuery): Promise<models.Repository> {
+        return requests
+            .put(`/write-repositories/${encodeURIComponent(q.url)}`)
+            .send({
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                username: q.username,
+                password: q.password,
+                tlsClientCertData: q.tlsClientCertData,
+                tlsClientCertKey: q.tlsClientCertKey,
+                insecure: q.insecure,
+                enableLfs: q.enableLfs,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project,
+                forceHttpBasicAuth: q.forceHttpBasicAuth,
+                enableOCI: q.enableOCI
+            })
+            .then(res => res.body as models.Repository);
+    }
+
+    public createSSH(q: SSHQuery): Promise<models.Repository> {
         return requests
             .post('/repositories')
             .send({
-                type,
-                name,
-                repo: url,
-                gcpServiceAccountKey,
-                proxy,
-                noProxy,
-                project
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                sshPrivateKey: q.sshPrivateKey,
+                insecure: q.insecure,
+                enableLfs: q.enableLfs,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project
+            })
+            .then(res => res.body as models.Repository);
+    }
+
+    public createSSHWrite(q: SSHQuery): Promise<models.Repository> {
+        return requests
+            .post('/write-repositories')
+            .send({
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                sshPrivateKey: q.sshPrivateKey,
+                insecure: q.insecure,
+                enableLfs: q.enableLfs,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project
+            })
+            .then(res => res.body as models.Repository);
+    }
+
+    public createGitHubApp(q: GitHubAppQuery): Promise<models.Repository> {
+        return requests
+            .post('/repositories')
+            .send({
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                githubAppPrivateKey: q.githubAppPrivateKey,
+                githubAppId: q.githubAppId,
+                githubAppInstallationId: q.githubAppInstallationId,
+                githubAppEnterpriseBaseURL: q.githubAppEnterpriseBaseURL,
+                tlsClientCertData: q.tlsClientCertData,
+                tlsClientCertKey: q.tlsClientCertKey,
+                insecure: q.insecure,
+                enableLfs: q.enableLfs,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project
+            })
+            .then(res => res.body as models.Repository);
+    }
+
+    public createGitHubAppWrite(q: GitHubAppQuery): Promise<models.Repository> {
+        return requests
+            .post('/write-repositories')
+            .send({
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                githubAppPrivateKey: q.githubAppPrivateKey,
+                githubAppId: q.githubAppId,
+                githubAppInstallationId: q.githubAppInstallationId,
+                githubAppEnterpriseBaseURL: q.githubAppEnterpriseBaseURL,
+                tlsClientCertData: q.tlsClientCertData,
+                tlsClientCertKey: q.tlsClientCertKey,
+                insecure: q.insecure,
+                enableLfs: q.enableLfs,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project
+            })
+            .then(res => res.body as models.Repository);
+    }
+
+    public createGoogleCloudSource(q: GoogleCloudSourceQuery): Promise<models.Repository> {
+        return requests
+            .post('/repositories')
+            .send({
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                gcpServiceAccountKey: q.gcpServiceAccountKey,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project
+            })
+            .then(res => res.body as models.Repository);
+    }
+
+    public createGoogleCloudSourceWrite(q: GoogleCloudSourceQuery): Promise<models.Repository> {
+        return requests
+            .post('/write-repositories')
+            .send({
+                type: q.type,
+                name: q.name,
+                repo: q.url,
+                gcpServiceAccountKey: q.gcpServiceAccountKey,
+                proxy: q.proxy,
+                noProxy: q.noProxy,
+                project: q.project
             })
             .then(res => res.body as models.Repository);
     }
@@ -207,6 +289,13 @@ export class RepositoriesService {
             .then(res => res.body as models.Repository);
     }
 
+    public deleteWrite(url: string, project: string): Promise<models.Repository> {
+        return requests
+            .delete(`/write-repositories/${encodeURIComponent(url)}?appProject=${project}`)
+            .send()
+            .then(res => res.body as models.Repository);
+    }
+
     public async revisions(repo: string): Promise<models.RefsInfo> {
         return requests.get(`/repositories/${encodeURIComponent(repo)}/refs`).then(res => res.body as models.RefsInfo);
     }

ui/src/app/shared/services/repocreds-service.ts

@@ -1,6 +1,38 @@
 import * as models from '../models';
 import requests from './requests';
 
+export interface HTTPSCreds {
+    url: string;
+    username: string;
+    password: string;
+    tlsClientCertData: string;
+    tlsClientCertKey: string;
+    proxy: string;
+    noProxy: string;
+}
+
+export interface SSHCreds {
+    url: string;
+    sshPrivateKey: string;
+}
+
+export interface GitHubAppCreds {
+    url: string;
+    githubAppPrivateKey: string;
+    githubAppId: bigint;
+    githubAppInstallationId: bigint;
+    githubAppEnterpriseBaseURL: string;
+    tlsClientCertData: string;
+    tlsClientCertKey: string;
+    proxy: string;
+    noProxy: string;
+}
+
+export interface GoogleCloudSourceCreds {
+    url: string;
+    gcpServiceAccountKey: string;
+}
+
 export class RepoCredsService {
     public list(): Promise<models.RepoCreds[]> {
         return requests
@@ -9,67 +41,66 @@ export class RepoCredsService {
             .then(list => list.items || []);
     }
 
-    public createHTTPS({
-        url,
-        username,
-        password,
-        tlsClientCertData,
-        tlsClientCertKey,
-        proxy,
-        noProxy
-    }: {
-        url: string;
-        username: string;
-        password: string;
-        tlsClientCertData: string;
-        tlsClientCertKey: string;
-        proxy: string;
-        noProxy: string;
-    }): Promise<models.RepoCreds> {
+    public listWrite(): Promise<models.RepoCreds[]> {
+        return requests
+            .get('/write-repocreds')
+            .then(res => res.body as models.RepoCredsList)
+            .then(list => list.items || []);
+    }
+
+    public createHTTPS(creds: HTTPSCreds): Promise<models.RepoCreds> {
         return requests
             .post('/repocreds')
-            .send({url, username, password, tlsClientCertData, tlsClientCertKey, proxy, noProxy})
+            .send(creds)
             .then(res => res.body as models.RepoCreds);
     }
 
-    public createSSH({url, sshPrivateKey}: {url: string; sshPrivateKey: string}): Promise<models.RepoCreds> {
+    public createHTTPSWrite(creds: HTTPSCreds): Promise<models.RepoCreds> {
         return requests
-            .post('/repocreds')
-            .send({url, sshPrivateKey})
+            .post('/write-repocreds')
+            .send(creds)
             .then(res => res.body as models.RepoCreds);
     }
 
-    public createGitHubApp({
-        url,
-        githubAppPrivateKey,
-        githubAppId,
-        githubAppInstallationId,
-        githubAppEnterpriseBaseURL,
-        tlsClientCertData,
-        tlsClientCertKey,
-        proxy,
-        noProxy
-    }: {
-        url: string;
-        githubAppPrivateKey: string;
-        githubAppId: bigint;
-        githubAppInstallationId: bigint;
-        githubAppEnterpriseBaseURL: string;
-        tlsClientCertData: string;
-        tlsClientCertKey: string;
-        proxy: string;
-        noProxy: string;
-    }): Promise<models.RepoCreds> {
+    public createSSH(creds: SSHCreds): Promise<models.RepoCreds> {
         return requests
             .post('/repocreds')
-            .send({url, githubAppPrivateKey, githubAppId, githubAppInstallationId, githubAppEnterpriseBaseURL, tlsClientCertData, tlsClientCertKey, proxy, noProxy})
+            .send(creds)
             .then(res => res.body as models.RepoCreds);
     }
 
-    public createGoogleCloudSource({url, gcpServiceAccountKey}: {url: string; gcpServiceAccountKey: string}): Promise<models.RepoCreds> {
+    public createSSHWrite(creds: SSHCreds): Promise<models.RepoCreds> {
+        return requests
+            .post('/write-repocreds')
+            .send(creds)
+            .then(res => res.body as models.RepoCreds);
+    }
+
+    public createGitHubApp(creds: GitHubAppCreds): Promise<models.RepoCreds> {
         return requests
             .post('/repocreds')
-            .send({url, gcpServiceAccountKey})
+            .send(creds)
+            .then(res => res.body as models.RepoCreds);
+    }
+
+    public createGitHubAppWrite(creds: GitHubAppCreds): Promise<models.RepoCreds> {
+        return requests
+            .post('/write-repocreds')
+            .send(creds)
+            .then(res => res.body as models.RepoCreds);
+    }
+
+    public createGoogleCloudSource(creds: GoogleCloudSourceCreds): Promise<models.RepoCreds> {
+        return requests
+            .post('/repocreds')
+            .send(creds)
+            .then(res => res.body as models.RepoCreds);
+    }
+
+    public createGoogleCloudSourceWrite(creds: GoogleCloudSourceCreds): Promise<models.RepoCreds> {
+        return requests
+            .post('/write-repocreds')
+            .send(creds)
             .then(res => res.body as models.RepoCreds);
     }
 
@@ -79,4 +110,11 @@ export class RepoCredsService {
             .send()
             .then(res => res.body as models.RepoCreds);
     }
+
+    public deleteWrite(url: string): Promise<models.RepoCreds> {
+        return requests
+            .delete(`/write-repocreds/${encodeURIComponent(url)}`)
+            .send()
+            .then(res => res.body as models.RepoCreds);
+    }
 }

util/argo/argo.go

@@ -231,6 +231,7 @@ func RefreshApp(appIf v1alpha1.ApplicationInterface, name string, refreshType ar
 		"metadata": map[string]interface{}{
 			"annotations": map[string]string{
 				argoappv1.AnnotationKeyRefresh: string(refreshType),
+				argoappv1.AnnotationKeyHydrate: "normal",
 			},
 		},
 	}
@@ -417,6 +418,12 @@ func validateRepo(ctx context.Context,
 		}
 	}
 
+	// If using the source hydrator, check the dry source instead of the sync source, since the sync source branch may
+	// not exist yet.
+	if app.Spec.SourceHydrator != nil {
+		sources = []argoappv1.ApplicationSource{app.Spec.SourceHydrator.GetDrySource()}
+	}
+
 	refSources, err := GetRefSources(ctx, sources, app.Spec.Project, db.GetRepository, []string{}, false)
 	if err != nil {
 		return nil, fmt.Errorf("error getting ref sources: %w", err)
@@ -555,11 +562,46 @@ func validateSourcePermissions(source argoappv1.ApplicationSource, hasMultipleSo
 	return conditions
 }
 
+func validateSourceHydrator(hydrator *argoappv1.SourceHydrator) []argoappv1.ApplicationCondition {
+	var conditions []argoappv1.ApplicationCondition
+	if hydrator.DrySource.RepoURL == "" {
+		conditions = append(conditions, argoappv1.ApplicationCondition{
+			Type:    argoappv1.ApplicationConditionInvalidSpecError,
+			Message: "spec.sourceHydrator.drySource.repoURL is required",
+		})
+	}
+	if hydrator.SyncSource.TargetBranch == "" {
+		conditions = append(conditions, argoappv1.ApplicationCondition{
+			Type:    argoappv1.ApplicationConditionInvalidSpecError,
+			Message: "spec.sourceHydrator.syncSource.targetBranch is required",
+		})
+	}
+	if hydrator.HydrateTo != nil && hydrator.HydrateTo.TargetBranch == "" {
+		conditions = append(conditions, argoappv1.ApplicationCondition{
+			Type:    argoappv1.ApplicationConditionInvalidSpecError,
+			Message: "when spec.sourceHydrator.hydrateTo is set, spec.sourceHydrator.hydrateTo.path is required",
+		})
+	}
+	return conditions
+}
+
 // ValidatePermissions ensures that the referenced cluster has been added to Argo CD and the app source repo and destination namespace/cluster are permitted in app project
 func ValidatePermissions(ctx context.Context, spec *argoappv1.ApplicationSpec, proj *argoappv1.AppProject, db db.ArgoDB) ([]argoappv1.ApplicationCondition, error) {
 	conditions := make([]argoappv1.ApplicationCondition, 0)
 
-	if spec.HasMultipleSources() {
+	if spec.SourceHydrator != nil {
+		condition := validateSourceHydrator(spec.SourceHydrator)
+		if len(condition) > 0 {
+			conditions = append(conditions, condition...)
+			return conditions, nil
+		}
+		if !proj.IsSourcePermitted(spec.SourceHydrator.GetDrySource()) {
+			conditions = append(conditions, argoappv1.ApplicationCondition{
+				Type:    argoappv1.ApplicationConditionInvalidSpecError,
+				Message: fmt.Sprintf("application repo %s is not permitted in project '%s'", spec.GetSource().RepoURL, spec.Project),
+			})
+		}
+	} else if spec.HasMultipleSources() {
 		for _, source := range spec.Sources {
 			condition := validateSourcePermissions(source, spec.HasMultipleSources())
 			if len(condition) > 0 {

util/db/db.go

@@ -47,6 +47,8 @@ type ArgoDB interface {
 
 	// ListRepositories lists repositories
 	ListRepositories(ctx context.Context) ([]*appv1.Repository, error)
+	// ListWriteRepositories lists repositories from write credentials
+	ListWriteRepositories(ctx context.Context) ([]*appv1.Repository, error)
 
 	// CreateRepository creates a repository
 	CreateRepository(ctx context.Context, r *appv1.Repository) (*appv1.Repository, error)
@@ -61,6 +63,19 @@ type ArgoDB interface {
 	// DeleteRepository deletes a repository from config
 	DeleteRepository(ctx context.Context, name, project string) error
 
+	// CreateWriteRepository creates a repository with write credentials
+	CreateWriteRepository(ctx context.Context, r *appv1.Repository) (*appv1.Repository, error)
+	// GetWriteRepository returns a repository by URL with write credentials
+	GetWriteRepository(ctx context.Context, url, project string) (*appv1.Repository, error)
+	// GetProjectWriteRepositories returns project scoped repositories from write credentials by given project name
+	GetProjectWriteRepositories(ctx context.Context, project string) ([]*appv1.Repository, error)
+	// WriteRepositoryExists returns whether a repository is configured for the given URL with write credentials
+	WriteRepositoryExists(ctx context.Context, repoURL, project string) (bool, error)
+	// UpdateWriteRepository updates a repository with write credentials
+	UpdateWriteRepository(ctx context.Context, r *appv1.Repository) (*appv1.Repository, error)
+	// DeleteWriteRepository deletes a repository from config with write credentials
+	DeleteWriteRepository(ctx context.Context, name, project string) error
+
 	// ListRepositoryCredentials list all repo credential sets URL patterns
 	ListRepositoryCredentials(ctx context.Context) ([]string, error)
 	// GetRepositoryCredentials gets repo credentials for given URL
@@ -72,6 +87,17 @@ type ArgoDB interface {
 	// DeleteRepositoryCredentials deletes a repository credential set from config
 	DeleteRepositoryCredentials(ctx context.Context, name string) error
 
+	// ListWriteRepositoryCredentials list all repo write credential sets URL patterns
+	ListWriteRepositoryCredentials(ctx context.Context) ([]string, error)
+	// GetWriteRepositoryCredentials gets repo write credentials for given URL
+	GetWriteRepositoryCredentials(ctx context.Context, name string) (*appv1.RepoCreds, error)
+	// CreateWriteRepositoryCredentials creates a repository write credential set
+	CreateWriteRepositoryCredentials(ctx context.Context, r *appv1.RepoCreds) (*appv1.RepoCreds, error)
+	// UpdateWriteRepositoryCredentials updates a repository write credential set
+	UpdateWriteRepositoryCredentials(ctx context.Context, r *appv1.RepoCreds) (*appv1.RepoCreds, error)
+	// DeleteWriteRepositoryCredentials deletes a repository write credential set from config
+	DeleteWriteRepositoryCredentials(ctx context.Context, name string) error
+
 	// ListRepoCertificates lists all configured certificates
 	ListRepoCertificates(ctx context.Context, selector *CertificateListSelector) (*appv1.RepositoryCertificateList, error)
 	// CreateRepoCertificate creates a new certificate entry
@@ -81,6 +107,9 @@ type ArgoDB interface {
 	// GetAllHelmRepositoryCredentials gets all repo credentials
 	GetAllHelmRepositoryCredentials(ctx context.Context) ([]*appv1.RepoCreds, error)
 
+	// GetWriteCredentials gets repo credentials specific to the hydrator for given URL
+	GetWriteCredentials(ctx context.Context, repoURL string) (*appv1.Repository, error)
+
 	// ListHelmRepositories lists repositories
 	ListHelmRepositories(ctx context.Context) ([]*appv1.Repository, error)
 

util/db/helmrepository.go

@@ -59,7 +59,7 @@ func (db *db) ListHelmRepositories(ctx context.Context) ([]*v1alpha1.Repository,
 		}
 		result[i] = repo
 	}
-	repos, err := db.listRepositories(ctx, ptr.To("helm"))
+	repos, err := db.listRepositories(ctx, ptr.To("helm"), false)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list Helm repositories: %w", err)
 	}

util/db/mocks/ArgoDB.go

@@ -175,6 +175,66 @@ func (_m *ArgoDB) CreateRepositoryCredentials(ctx context.Context, r *v1alpha1.R
 	return r0, r1
 }
 
+// CreateWriteRepository provides a mock function with given fields: ctx, r
+func (_m *ArgoDB) CreateWriteRepository(ctx context.Context, r *v1alpha1.Repository) (*v1alpha1.Repository, error) {
+	ret := _m.Called(ctx, r)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CreateWriteRepository")
+	}
+
+	var r0 *v1alpha1.Repository
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *v1alpha1.Repository) (*v1alpha1.Repository, error)); ok {
+		return rf(ctx, r)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *v1alpha1.Repository) *v1alpha1.Repository); ok {
+		r0 = rf(ctx, r)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.Repository)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *v1alpha1.Repository) error); ok {
+		r1 = rf(ctx, r)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// CreateWriteRepositoryCredentials provides a mock function with given fields: ctx, r
+func (_m *ArgoDB) CreateWriteRepositoryCredentials(ctx context.Context, r *v1alpha1.RepoCreds) (*v1alpha1.RepoCreds, error) {
+	ret := _m.Called(ctx, r)
+
+	if len(ret) == 0 {
+		panic("no return value specified for CreateWriteRepositoryCredentials")
+	}
+
+	var r0 *v1alpha1.RepoCreds
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *v1alpha1.RepoCreds) (*v1alpha1.RepoCreds, error)); ok {
+		return rf(ctx, r)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *v1alpha1.RepoCreds) *v1alpha1.RepoCreds); ok {
+		r0 = rf(ctx, r)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.RepoCreds)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *v1alpha1.RepoCreds) error); ok {
+		r1 = rf(ctx, r)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // DeleteCluster provides a mock function with given fields: ctx, server
 func (_m *ArgoDB) DeleteCluster(ctx context.Context, server string) error {
 	ret := _m.Called(ctx, server)
@@ -247,6 +307,42 @@ func (_m *ArgoDB) DeleteRepositoryCredentials(ctx context.Context, name string)
 	return r0
 }
 
+// DeleteWriteRepository provides a mock function with given fields: ctx, name, project
+func (_m *ArgoDB) DeleteWriteRepository(ctx context.Context, name string, project string) error {
+	ret := _m.Called(ctx, name, project)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteWriteRepository")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) error); ok {
+		r0 = rf(ctx, name, project)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// DeleteWriteRepositoryCredentials provides a mock function with given fields: ctx, name
+func (_m *ArgoDB) DeleteWriteRepositoryCredentials(ctx context.Context, name string) error {
+	ret := _m.Called(ctx, name)
+
+	if len(ret) == 0 {
+		panic("no return value specified for DeleteWriteRepositoryCredentials")
+	}
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) error); ok {
+		r0 = rf(ctx, name)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
 // GetAllHelmRepositoryCredentials provides a mock function with given fields: ctx
 func (_m *ArgoDB) GetAllHelmRepositoryCredentials(ctx context.Context) ([]*v1alpha1.RepoCreds, error) {
 	ret := _m.Called(ctx)
@@ -415,6 +511,36 @@ func (_m *ArgoDB) GetProjectRepositories(ctx context.Context, project string) ([
 	return r0, r1
 }
 
+// GetProjectWriteRepositories provides a mock function with given fields: ctx, project
+func (_m *ArgoDB) GetProjectWriteRepositories(ctx context.Context, project string) ([]*v1alpha1.Repository, error) {
+	ret := _m.Called(ctx, project)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetProjectWriteRepositories")
+	}
+
+	var r0 []*v1alpha1.Repository
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) ([]*v1alpha1.Repository, error)); ok {
+		return rf(ctx, project)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string) []*v1alpha1.Repository); ok {
+		r0 = rf(ctx, project)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1alpha1.Repository)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, project)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // GetRepository provides a mock function with given fields: ctx, url, project
 func (_m *ArgoDB) GetRepository(ctx context.Context, url string, project string) (*v1alpha1.Repository, error) {
 	ret := _m.Called(ctx, url, project)
@@ -475,6 +601,96 @@ func (_m *ArgoDB) GetRepositoryCredentials(ctx context.Context, name string) (*v
 	return r0, r1
 }
 
+// GetWriteCredentials provides a mock function with given fields: ctx, repoURL
+func (_m *ArgoDB) GetWriteCredentials(ctx context.Context, repoURL string) (*v1alpha1.Repository, error) {
+	ret := _m.Called(ctx, repoURL)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetWriteCredentials")
+	}
+
+	var r0 *v1alpha1.Repository
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) (*v1alpha1.Repository, error)); ok {
+		return rf(ctx, repoURL)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string) *v1alpha1.Repository); ok {
+		r0 = rf(ctx, repoURL)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.Repository)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, repoURL)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GetWriteRepository provides a mock function with given fields: ctx, url, project
+func (_m *ArgoDB) GetWriteRepository(ctx context.Context, url string, project string) (*v1alpha1.Repository, error) {
+	ret := _m.Called(ctx, url, project)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetWriteRepository")
+	}
+
+	var r0 *v1alpha1.Repository
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) (*v1alpha1.Repository, error)); ok {
+		return rf(ctx, url, project)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) *v1alpha1.Repository); ok {
+		r0 = rf(ctx, url, project)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.Repository)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = rf(ctx, url, project)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GetWriteRepositoryCredentials provides a mock function with given fields: ctx, name
+func (_m *ArgoDB) GetWriteRepositoryCredentials(ctx context.Context, name string) (*v1alpha1.RepoCreds, error) {
+	ret := _m.Called(ctx, name)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetWriteRepositoryCredentials")
+	}
+
+	var r0 *v1alpha1.RepoCreds
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string) (*v1alpha1.RepoCreds, error)); ok {
+		return rf(ctx, name)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string) *v1alpha1.RepoCreds); ok {
+		r0 = rf(ctx, name)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.RepoCreds)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string) error); ok {
+		r1 = rf(ctx, name)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // ListClusters provides a mock function with given fields: ctx
 func (_m *ArgoDB) ListClusters(ctx context.Context) (*v1alpha1.ClusterList, error) {
 	ret := _m.Called(ctx)
@@ -655,6 +871,66 @@ func (_m *ArgoDB) ListRepositoryCredentials(ctx context.Context) ([]string, erro
 	return r0, r1
 }
 
+// ListWriteRepositories provides a mock function with given fields: ctx
+func (_m *ArgoDB) ListWriteRepositories(ctx context.Context) ([]*v1alpha1.Repository, error) {
+	ret := _m.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListWriteRepositories")
+	}
+
+	var r0 []*v1alpha1.Repository
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context) ([]*v1alpha1.Repository, error)); ok {
+		return rf(ctx)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context) []*v1alpha1.Repository); ok {
+		r0 = rf(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*v1alpha1.Repository)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = rf(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// ListWriteRepositoryCredentials provides a mock function with given fields: ctx
+func (_m *ArgoDB) ListWriteRepositoryCredentials(ctx context.Context) ([]string, error) {
+	ret := _m.Called(ctx)
+
+	if len(ret) == 0 {
+		panic("no return value specified for ListWriteRepositoryCredentials")
+	}
+
+	var r0 []string
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context) ([]string, error)); ok {
+		return rf(ctx)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context) []string); ok {
+		r0 = rf(ctx)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]string)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context) error); ok {
+		r1 = rf(ctx)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // RemoveRepoCertificates provides a mock function with given fields: ctx, selector
 func (_m *ArgoDB) RemoveRepoCertificates(ctx context.Context, selector *db.CertificateListSelector) (*v1alpha1.RepositoryCertificateList, error) {
 	ret := _m.Called(ctx, selector)
@@ -803,6 +1079,66 @@ func (_m *ArgoDB) UpdateRepositoryCredentials(ctx context.Context, r *v1alpha1.R
 	return r0, r1
 }
 
+// UpdateWriteRepository provides a mock function with given fields: ctx, r
+func (_m *ArgoDB) UpdateWriteRepository(ctx context.Context, r *v1alpha1.Repository) (*v1alpha1.Repository, error) {
+	ret := _m.Called(ctx, r)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateWriteRepository")
+	}
+
+	var r0 *v1alpha1.Repository
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *v1alpha1.Repository) (*v1alpha1.Repository, error)); ok {
+		return rf(ctx, r)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *v1alpha1.Repository) *v1alpha1.Repository); ok {
+		r0 = rf(ctx, r)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.Repository)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *v1alpha1.Repository) error); ok {
+		r1 = rf(ctx, r)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// UpdateWriteRepositoryCredentials provides a mock function with given fields: ctx, r
+func (_m *ArgoDB) UpdateWriteRepositoryCredentials(ctx context.Context, r *v1alpha1.RepoCreds) (*v1alpha1.RepoCreds, error) {
+	ret := _m.Called(ctx, r)
+
+	if len(ret) == 0 {
+		panic("no return value specified for UpdateWriteRepositoryCredentials")
+	}
+
+	var r0 *v1alpha1.RepoCreds
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *v1alpha1.RepoCreds) (*v1alpha1.RepoCreds, error)); ok {
+		return rf(ctx, r)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *v1alpha1.RepoCreds) *v1alpha1.RepoCreds); ok {
+		r0 = rf(ctx, r)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.RepoCreds)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *v1alpha1.RepoCreds) error); ok {
+		r1 = rf(ctx, r)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // WatchClusters provides a mock function with given fields: ctx, handleAddEvent, handleModEvent, handleDeleteEvent
 func (_m *ArgoDB) WatchClusters(ctx context.Context, handleAddEvent func(*v1alpha1.Cluster), handleModEvent func(*v1alpha1.Cluster, *v1alpha1.Cluster), handleDeleteEvent func(string)) error {
 	ret := _m.Called(ctx, handleAddEvent, handleModEvent, handleDeleteEvent)
@@ -821,6 +1157,34 @@ func (_m *ArgoDB) WatchClusters(ctx context.Context, handleAddEvent func(*v1alph
 	return r0
 }
 
+// WriteRepositoryExists provides a mock function with given fields: ctx, repoURL, project
+func (_m *ArgoDB) WriteRepositoryExists(ctx context.Context, repoURL string, project string) (bool, error) {
+	ret := _m.Called(ctx, repoURL, project)
+
+	if len(ret) == 0 {
+		panic("no return value specified for WriteRepositoryExists")
+	}
+
+	var r0 bool
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) (bool, error)); ok {
+		return rf(ctx, repoURL, project)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, string, string) bool); ok {
+		r0 = rf(ctx, repoURL, project)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, string, string) error); ok {
+		r1 = rf(ctx, repoURL, project)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // NewArgoDB creates a new instance of ArgoDB. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
 // The first argument is typically a *testing.T value.
 func NewArgoDB(t interface {

util/db/repository.go

@@ -5,10 +5,11 @@ import (
 	"fmt"
 	"hash/fnv"
 
+	apiv1 "k8s.io/api/core/v1"
+
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-	apiv1 "k8s.io/api/core/v1"
 
 	appsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -77,6 +78,20 @@ func (db *db) CreateRepository(ctx context.Context, r *appsv1.Repository) (*apps
 	return secretBackend.CreateRepository(ctx, r)
 }
 
+func (db *db) CreateWriteRepository(ctx context.Context, r *appsv1.Repository) (*appsv1.Repository, error) {
+	secretBackend := db.repoWriteBackend()
+	secretExists, err := secretBackend.RepositoryExists(ctx, r.Repo, r.Project, false)
+	if err != nil {
+		return nil, err
+	}
+
+	if secretExists {
+		return nil, status.Errorf(codes.AlreadyExists, "repository %q already exists", r.Repo)
+	}
+
+	return secretBackend.CreateRepository(ctx, r)
+}
+
 func (db *db) GetRepository(ctx context.Context, repoURL, project string) (*appsv1.Repository, error) {
 	repository, err := db.getRepository(ctx, repoURL, project)
 	if err != nil {
@@ -90,12 +105,34 @@ func (db *db) GetRepository(ctx context.Context, repoURL, project string) (*apps
 	return repository, err
 }
 
+func (db *db) GetWriteRepository(ctx context.Context, repoURL, project string) (*appsv1.Repository, error) {
+	repository, err := db.repoWriteBackend().GetRepository(ctx, repoURL, project)
+	if err != nil {
+		return repository, fmt.Errorf("unable to get write repository %q: %w", repoURL, err)
+	}
+
+	// TODO: enrich with write credentials.
+	//if err := db.enrichCredsToRepo(ctx, repository); err != nil {
+	//	return repository, fmt.Errorf("unable to enrich write repository %q info with credentials: %w", repoURL, err)
+	//}
+
+	return repository, err
+}
+
 func (db *db) GetProjectRepositories(ctx context.Context, project string) ([]*appsv1.Repository, error) {
+	return db.getRepositories(settings.ByProjectRepoIndexer, project)
+}
+
+func (db *db) GetProjectWriteRepositories(ctx context.Context, project string) ([]*appsv1.Repository, error) {
+	return db.getRepositories(settings.ByProjectRepoWriteIndexer, project)
+}
+
+func (db *db) getRepositories(indexer, project string) ([]*appv1.Repository, error) {
 	informer, err := db.settingsMgr.GetSecretsInformer()
 	if err != nil {
 		return nil, err
 	}
-	secrets, err := informer.GetIndexer().ByIndex(settings.ByProjectRepoIndexer, project)
+	secrets, err := informer.GetIndexer().ByIndex(indexer, project)
 	if err != nil {
 		return nil, err
 	}
@@ -121,6 +158,11 @@ func (db *db) RepositoryExists(ctx context.Context, repoURL, project string) (bo
 	return legacyBackend.RepositoryExists(ctx, repoURL, project, true)
 }
 
+func (db *db) WriteRepositoryExists(ctx context.Context, repoURL, project string) (bool, error) {
+	secretsBackend := db.repoWriteBackend()
+	return secretsBackend.RepositoryExists(ctx, repoURL, project, true)
+}
+
 func (db *db) getRepository(ctx context.Context, repoURL, project string) (*appsv1.Repository, error) {
 	secretsBackend := db.repoBackend()
 	exists, err := secretsBackend.RepositoryExists(ctx, repoURL, project, true)
@@ -150,24 +192,37 @@ func (db *db) getRepository(ctx context.Context, repoURL, project string) (*apps
 }
 
 func (db *db) ListRepositories(ctx context.Context) ([]*appsv1.Repository, error) {
-	return db.listRepositories(ctx, nil)
+	return db.listRepositories(ctx, nil, false)
 }
 
-func (db *db) listRepositories(ctx context.Context, repoType *string) ([]*appsv1.Repository, error) {
+func (db *db) ListWriteRepositories(ctx context.Context) ([]*appsv1.Repository, error) {
+	return db.listRepositories(ctx, nil, true)
+}
+
+func (db *db) listRepositories(ctx context.Context, repoType *string, writeCreds bool) ([]*appsv1.Repository, error) {
 	// TODO It would be nice to check for duplicates between secret and legacy repositories and make it so that
 	// 	repositories from secrets overlay repositories from legacys.
 
-	secretRepositories, err := db.repoBackend().ListRepositories(ctx, repoType)
-	if err != nil {
-		return nil, err
-	}
+	var repositories []*appv1.Repository
+	if writeCreds {
+		var err error
+		repositories, err = db.repoWriteBackend().ListRepositories(ctx, repoType)
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		secretRepositories, err := db.repoBackend().ListRepositories(ctx, repoType)
+		if err != nil {
+			return nil, err
+		}
 
-	legacyRepositories, err := db.legacyRepoBackend().ListRepositories(ctx, repoType)
-	if err != nil {
-		return nil, err
-	}
+		legacyRepositories, err := db.legacyRepoBackend().ListRepositories(ctx, repoType)
+		if err != nil {
+			return nil, err
+		}
 
-	repositories := append(secretRepositories, legacyRepositories...)
+		repositories = append(secretRepositories, legacyRepositories...)
+	}
 	if err := db.enrichCredsToRepos(ctx, repositories); err != nil {
 		return nil, err
 	}
@@ -196,6 +251,20 @@ func (db *db) UpdateRepository(ctx context.Context, r *appsv1.Repository) (*apps
 	return nil, status.Errorf(codes.NotFound, "repo '%s' not found", r.Repo)
 }
 
+func (db *db) UpdateWriteRepository(ctx context.Context, r *appsv1.Repository) (*appsv1.Repository, error) {
+	secretBackend := db.repoWriteBackend()
+	exists, err := secretBackend.RepositoryExists(ctx, r.Repo, r.Project, false)
+	if err != nil {
+		return nil, err
+	}
+
+	if !exists {
+		return nil, status.Errorf(codes.NotFound, "repo '%s' not found", r.Repo)
+	}
+
+	return secretBackend.UpdateRepository(ctx, r)
+}
+
 func (db *db) DeleteRepository(ctx context.Context, repoURL, project string) error {
 	secretsBackend := db.repoBackend()
 	exists, err := secretsBackend.RepositoryExists(ctx, repoURL, project, false)
@@ -216,6 +285,20 @@ func (db *db) DeleteRepository(ctx context.Context, repoURL, project string) err
 	return status.Errorf(codes.NotFound, "repo '%s' not found", repoURL)
 }
 
+func (db *db) DeleteWriteRepository(ctx context.Context, repoURL, project string) error {
+	secretsBackend := db.repoWriteBackend()
+	exists, err := secretsBackend.RepositoryExists(ctx, repoURL, project, false)
+	if err != nil {
+		return err
+	}
+
+	if !exists {
+		return status.Errorf(codes.NotFound, "repo '%s' not found", repoURL)
+	}
+
+	return secretsBackend.DeleteRepository(ctx, repoURL, project)
+}
+
 // ListRepositoryCredentials returns a list of URLs that contain repo credential sets
 func (db *db) ListRepositoryCredentials(ctx context.Context) ([]string, error) {
 	// TODO It would be nice to check for duplicates between secret and legacy repositories and make it so that
@@ -234,6 +317,15 @@ func (db *db) ListRepositoryCredentials(ctx context.Context) ([]string, error) {
 	return append(secretRepoCreds, legacyRepoCreds...), nil
 }
 
+// ListWriteRepositoryCredentials returns a list of URLs that contain repo write credential sets
+func (db *db) ListWriteRepositoryCredentials(ctx context.Context) ([]string, error) {
+	secretRepoCreds, err := db.repoWriteBackend().ListRepoCreds(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return secretRepoCreds, nil
+}
+
 // GetRepositoryCredentials retrieves a repository credential set
 func (db *db) GetRepositoryCredentials(ctx context.Context, repoURL string) (*appsv1.RepoCreds, error) {
 	secretsBackend := db.repoBackend()
@@ -263,6 +355,31 @@ func (db *db) GetRepositoryCredentials(ctx context.Context, repoURL string) (*ap
 	return nil, nil
 }
 
+// GetWriteRepositoryCredentials retrieves a repository write credential set
+func (db *db) GetWriteRepositoryCredentials(ctx context.Context, repoURL string) (*appsv1.RepoCreds, error) {
+	secretBackend := db.repoWriteBackend()
+	exists, err := secretBackend.RepoCredsExists(ctx, repoURL)
+	if err != nil {
+		return nil, fmt.Errorf("unable to check if repository write credentials for %q exists from secrets backend: %w", repoURL, err)
+	}
+
+	if !exists {
+		return nil, nil
+	}
+
+	// TODO: enrich with write credentials.
+	//if err := db.enrichCredsToRepo(ctx, repository); err != nil {
+	//	return repository, fmt.Errorf("unable to enrich write repository %q info with credentials: %w", repoURL, err)
+	//}
+
+	creds, err := secretBackend.GetRepoCreds(ctx, repoURL)
+	if err != nil {
+		return nil, fmt.Errorf("unable to get repository write credentials for %q from secrets backend: %w", repoURL, err)
+	}
+
+	return creds, nil
+}
+
 // GetAllHelmRepositoryCredentials retrieves all repository credentials
 func (db *db) GetAllHelmRepositoryCredentials(ctx context.Context) ([]*appsv1.RepoCreds, error) {
 	// TODO It would be nice to check for duplicates between secret and legacy repositories and make it so that
@@ -302,6 +419,21 @@ func (db *db) CreateRepositoryCredentials(ctx context.Context, r *appsv1.RepoCre
 	return secretBackend.CreateRepoCreds(ctx, r)
 }
 
+// CreateWriteRepositoryCredentials creates a repository write credential set
+func (db *db) CreateWriteRepositoryCredentials(ctx context.Context, r *appsv1.RepoCreds) (*appsv1.RepoCreds, error) {
+	secretBackend := db.repoWriteBackend()
+	secretExists, err := secretBackend.RepoCredsExists(ctx, r.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	if secretExists {
+		return nil, status.Errorf(codes.AlreadyExists, "write repository credentials %q already exists", r.URL)
+	}
+
+	return secretBackend.CreateRepoCreds(ctx, r)
+}
+
 // UpdateRepositoryCredentials updates a repository credential set
 func (db *db) UpdateRepositoryCredentials(ctx context.Context, r *appsv1.RepoCreds) (*appsv1.RepoCreds, error) {
 	secretsBackend := db.repoBackend()
@@ -323,6 +455,21 @@ func (db *db) UpdateRepositoryCredentials(ctx context.Context, r *appsv1.RepoCre
 	return nil, status.Errorf(codes.NotFound, "repository credentials '%s' not found", r.URL)
 }
 
+// UpdateWriteRepositoryCredentials updates a repository write credential set
+func (db *db) UpdateWriteRepositoryCredentials(ctx context.Context, r *appsv1.RepoCreds) (*appsv1.RepoCreds, error) {
+	secretBackend := db.repoWriteBackend()
+	exists, err := secretBackend.RepoCredsExists(ctx, r.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	if !exists {
+		return nil, status.Errorf(codes.NotFound, "write repository credentials '%s' not found", r.URL)
+	}
+
+	return secretBackend.UpdateRepoCreds(ctx, r)
+}
+
 // DeleteRepositoryCredentials deletes a repository credential set from config, and
 // also all the secrets which actually contained the credentials.
 func (db *db) DeleteRepositoryCredentials(ctx context.Context, name string) error {
@@ -345,6 +492,19 @@ func (db *db) DeleteRepositoryCredentials(ctx context.Context, name string) erro
 	return status.Errorf(codes.NotFound, "repository credentials '%s' not found", name)
 }
 
+// DeleteWriteRepositoryCredentials deletes a repository write credential set from config, and
+// also all the secrets which actually contained the credentials.
+func (db *db) DeleteWriteRepositoryCredentials(ctx context.Context, name string) error {
+	secretBackend := db.repoWriteBackend()
+	exists, err := secretBackend.RepoCredsExists(ctx, name)
+	if err != nil {
+		return err
+	} else if exists {
+		return secretBackend.DeleteRepoCreds(ctx, name)
+	}
+	return status.Errorf(codes.NotFound, "write repository credentials '%s' not found", name)
+}
+
 func (db *db) enrichCredsToRepos(ctx context.Context, repositories []*appsv1.Repository) error {
 	for _, repository := range repositories {
 		if err := db.enrichCredsToRepo(ctx, repository); err != nil {
@@ -358,6 +518,10 @@ func (db *db) repoBackend() repositoryBackend {
 	return &secretsRepositoryBackend{db: db}
 }
 
+func (db *db) repoWriteBackend() repositoryBackend {
+	return &secretsRepositoryBackend{db: db, writeCreds: true}
+}
+
 func (db *db) legacyRepoBackend() repositoryBackend {
 	return &legacyRepositoryBackend{db: db}
 }

util/db/repository_secrets.go

@@ -21,6 +21,8 @@ var _ repositoryBackend = &secretsRepositoryBackend{}
 
 type secretsRepositoryBackend struct {
 	db *db
+	// If true, the backend will manage write only credentials. If false, it will manage only read credentials.
+	writeCreds bool
 }
 
 func (s *secretsRepositoryBackend) CreateRepository(ctx context.Context, repository *appsv1.Repository) (*appsv1.Repository, error) {
@@ -32,7 +34,7 @@ func (s *secretsRepositoryBackend) CreateRepository(ctx context.Context, reposit
 		},
 	}
 
-	repositoryToSecret(repository, repositorySecret)
+	s.repositoryToSecret(repository, repositorySecret)
 
 	_, err := s.db.createSecret(ctx, repositorySecret)
 	if err != nil {
@@ -102,7 +104,7 @@ func (s *secretsRepositoryBackend) GetRepository(ctx context.Context, repoURL, p
 func (s *secretsRepositoryBackend) ListRepositories(ctx context.Context, repoType *string) ([]*appsv1.Repository, error) {
 	var repos []*appsv1.Repository
 
-	secrets, err := s.db.listSecretsByType(common.LabelValueSecretTypeRepository)
+	secrets, err := s.db.listSecretsByType(s.getSecretType())
 	if err != nil {
 		return nil, err
 	}
@@ -141,7 +143,7 @@ func (s *secretsRepositoryBackend) UpdateRepository(ctx context.Context, reposit
 		return nil, err
 	}
 
-	repositoryToSecret(repository, repositorySecret)
+	s.repositoryToSecret(repository, repositorySecret)
 
 	_, err = s.db.kubeclientset.CoreV1().Secrets(s.db.ns).Update(ctx, repositorySecret, metav1.UpdateOptions{})
 	if err != nil {
@@ -362,7 +364,7 @@ func secretToRepository(secret *corev1.Secret) (*appsv1.Repository, error) {
 	return repository, nil
 }
 
-func repositoryToSecret(repository *appsv1.Repository, secret *corev1.Secret) {
+func (s *secretsRepositoryBackend) repositoryToSecret(repository *appsv1.Repository, secret *corev1.Secret) {
 	if secret.Data == nil {
 		secret.Data = make(map[string][]byte)
 	}
@@ -388,7 +390,7 @@ func repositoryToSecret(repository *appsv1.Repository, secret *corev1.Secret) {
 	updateSecretString(secret, "noProxy", repository.NoProxy)
 	updateSecretString(secret, "gcpServiceAccountKey", repository.GCPServiceAccountKey)
 	updateSecretBool(secret, "forceHttpBasicAuth", repository.ForceHttpBasicAuth)
-	addSecretMetadata(secret, common.LabelValueSecretTypeRepository)
+	addSecretMetadata(secret, s.getSecretType())
 }
 
 func (s *secretsRepositoryBackend) secretToRepoCred(secret *corev1.Secret) (*appsv1.RepoCreds, error) {
@@ -459,7 +461,7 @@ func repoCredsToSecret(repoCreds *appsv1.RepoCreds, secret *corev1.Secret) {
 }
 
 func (s *secretsRepositoryBackend) getRepositorySecret(repoURL, project string, allowFallback bool) (*corev1.Secret, error) {
-	secrets, err := s.db.listSecretsByType(common.LabelValueSecretTypeRepository)
+	secrets, err := s.db.listSecretsByType(s.getSecretType())
 	if err != nil {
 		return nil, fmt.Errorf("failed to list repository secrets: %w", err)
 	}
@@ -524,3 +526,10 @@ func (s *secretsRepositoryBackend) getRepositoryCredentialIndex(repoCredentials
 	}
 	return idx
 }
+
+func (s *secretsRepositoryBackend) getSecretType() string {
+	if s.writeCreds {
+		return common.LabelValueSecretTypeRepositoryWrite
+	}
+	return common.LabelValueSecretTypeRepository
+}

util/db/repository_secrets_test.go

@@ -83,7 +83,8 @@ func TestSecretsRepositoryBackend_CreateRepository(t *testing.T) {
 		// given
 		t.Parallel()
 		secret := &corev1.Secret{}
-		repositoryToSecret(repo, secret)
+		s := secretsRepositoryBackend{}
+		s.repositoryToSecret(repo, secret)
 		delete(secret.Labels, common.LabelKeySecretType)
 		f := setupWithK8sObjects(secret)
 		f.clientSet.ReactionChain = nil
@@ -119,7 +120,8 @@ func TestSecretsRepositoryBackend_CreateRepository(t *testing.T) {
 				Namespace: "default",
 			},
 		}
-		repositoryToSecret(repo, secret)
+		s := secretsRepositoryBackend{}
+		s.repositoryToSecret(repo, secret)
 		f := setupWithK8sObjects(secret)
 		f.clientSet.ReactionChain = nil
 		f.clientSet.WatchReactionChain = nil
@@ -682,7 +684,7 @@ func TestSecretsRepositoryBackend_GetRepoCreds(t *testing.T) {
 
 	repoCred, err := testee.GetRepoCreds(context.TODO(), "git@github.com:argoproj")
 	require.NoError(t, err)
-	assert.NotNil(t, repoCred)
+	require.NotNil(t, repoCred)
 	assert.Equal(t, "git@github.com:argoproj", repoCred.URL)
 	assert.Equal(t, "someUsername", repoCred.Username)
 	assert.Equal(t, "somePassword", repoCred.Password)

util/db/write_repository.go

@@ -0,0 +1,43 @@
+package db
+
+import (
+	"context"
+	"fmt"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/argoproj/argo-cd/v2/common"
+	appsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func (db *db) GetWriteCredentials(ctx context.Context, repoURL string) (*appsv1.Repository, error) {
+	secret, err := db.getRepoCredsSecret(repoURL)
+	if err != nil {
+		if status.Code(err) == codes.NotFound {
+			return nil, nil
+		}
+
+		return nil, fmt.Errorf("failed to get repository-write credentials Secret: %w", err)
+	}
+
+	return secretToRepository(secret)
+}
+
+func (db *db) getRepoCredsSecret(repoURL string) (*corev1.Secret, error) {
+	// Should reuse stuff from repo secrets backend...
+	secretBackend := &secretsRepositoryBackend{db: db}
+
+	secrets, err := db.listSecretsByType(common.LabelValueSecretTypeRepositoryWrite)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list repository-write credentials Secrets: %w", err)
+	}
+
+	index := secretBackend.getRepositoryCredentialIndex(secrets, repoURL)
+	if index < 0 {
+		return nil, status.Errorf(codes.NotFound, "repository-write credentials %q not found", repoURL)
+	}
+
+	return secrets[index], nil
+}

util/git/client.go

@@ -636,7 +636,7 @@ func (m *nativeGitClient) lsRemote(revision string) (string, error) {
 
 	refs, err := m.getRefs()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("failed to list refs: %w", err)
 	}
 
 	if revision == "" {

util/git/git.go

@@ -1,6 +1,7 @@
 package git
 
 import (
+	"fmt"
 	"net/url"
 	"regexp"
 	"strings"
@@ -94,10 +95,13 @@ func IsHTTPURL(url string) bool {
 
 // TestRepo tests if a repo exists and is accessible with the given credentials
 func TestRepo(repo string, creds Creds, insecure bool, enableLfs bool, proxy string, noProxy string) error {
-	clnt, err := NewClient(repo, creds, insecure, enableLfs, proxy, noProxy)
+	client, err := NewClient(repo, creds, insecure, enableLfs, proxy, noProxy)
 	if err != nil {
-		return err
+		return fmt.Errorf("unable to initialize git client: %w", err)
 	}
-	_, err = clnt.LsRemote("HEAD")
-	return err
+	_, err = client.LsRemote("HEAD")
+	if err != nil {
+		return fmt.Errorf("unable to ls-remote HEAD on repository: %w", err)
+	}
+	return nil
 }

util/settings/settings.go

@@ -261,9 +261,10 @@ var (
 		}
 		return nil, nil
 	}
-	ByProjectClusterIndexer = "byProjectCluster"
-	ByProjectRepoIndexer    = "byProjectRepo"
-	byProjectIndexerFunc    = func(secretType string) func(obj interface{}) ([]string, error) {
+	ByProjectClusterIndexer   = "byProjectCluster"
+	ByProjectRepoIndexer      = "byProjectRepo"
+	ByProjectRepoWriteIndexer = "byProjectRepoWrite"
+	byProjectIndexerFunc      = func(secretType string) func(obj interface{}) ([]string, error) {
 		return func(obj interface{}) ([]string, error) {
 			s, ok := obj.(*apiv1.Secret)
 			if !ok {
@@ -1384,11 +1385,12 @@ func (mgr *SettingsManager) initialize(ctx context.Context) error {
 		},
 	}
 	indexers := cache.Indexers{
-		cache.NamespaceIndex:    cache.MetaNamespaceIndexFunc,
-		ByClusterURLIndexer:     byClusterURLIndexerFunc,
-		ByClusterNameIndexer:    byClusterNameIndexerFunc,
-		ByProjectClusterIndexer: byProjectIndexerFunc(common.LabelValueSecretTypeCluster),
-		ByProjectRepoIndexer:    byProjectIndexerFunc(common.LabelValueSecretTypeRepository),
+		cache.NamespaceIndex:      cache.MetaNamespaceIndexFunc,
+		ByClusterURLIndexer:       byClusterURLIndexerFunc,
+		ByClusterNameIndexer:      byClusterNameIndexerFunc,
+		ByProjectClusterIndexer:   byProjectIndexerFunc(common.LabelValueSecretTypeCluster),
+		ByProjectRepoIndexer:      byProjectIndexerFunc(common.LabelValueSecretTypeRepository),
+		ByProjectRepoWriteIndexer: byProjectIndexerFunc(common.LabelValueSecretTypeRepositoryWrite),
 	}
 	cmInformer := v1.NewFilteredConfigMapInformer(mgr.clientset, mgr.namespace, 3*time.Minute, indexers, tweakConfigMap)
 	secretsInformer := v1.NewSecretInformer(mgr.clientset, mgr.namespace, 3*time.Minute, indexers)