sibling of c9c40684b7

Signed-off-by: rumstead <37445536+rumstead@users.noreply.github.com>

.github/workflows/ci-build.yaml

@@ -429,6 +429,13 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
     steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
+        with:
+          large-packages: false
+          docker-images: false
+          swap-storage: false
+          tool-cache: false
       - name: Checkout code
         uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
       - name: Setup Golang

.github/workflows/image-reuse.yaml

@@ -17,11 +17,9 @@ on:
       platforms:
         required: true
         type: string
-        default: linux/amd64
       push:
         required: true
         type: boolean
-        default: false
       target:
         required: false
         type: string

.github/workflows/release.yaml

@@ -195,7 +195,7 @@ jobs:
           echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
 
       - name: Upload SBOM
-        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
+        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.readthedocs.yaml

@@ -2,6 +2,7 @@ version: 2
 formats: all
 mkdocs:
   fail_on_warning: false
+  configuration: mkdocs.yml
 python:
   install:
     - requirements: docs/requirements.txt

Makefile

@@ -490,6 +490,7 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE=true \
 	ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS=http://127.0.0.1:8341,http://127.0.0.1:8342,http://127.0.0.1:8343,http://127.0.0.1:8344 \
 	ARGOCD_E2E_TEST=true \
+	ARGOCD_HYDRATOR_ENABLED=true \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 	ls -lrt /tmp/coverage
 

Procfile

@@ -1,5 +1,5 @@
-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'}"
-api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
+controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --commit-server localhost:${ARGOCD_E2E_COMMITSERVER_PORT:-8086} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
+api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
 redis: hack/start-redis-with-password.sh
 repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"

USERS.md

@@ -335,6 +335,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Swisscom](https://www.swisscom.ch)
 1. [Swissquote](https://github.com/swissquote)
 1. [Syncier](https://syncier.com/)
+1. [Synergy](https://synergy.net.au)
 1. [Syself](https://syself.com)
 1. [TableCheck](https://tablecheck.com/)
 1. [Tailor Brands](https://www.tailorbrands.com)

VERSION

@@ -1 +1 @@
-2.14.0
+2.14.1

applicationset/controllers/applicationset_controller.go

@@ -525,11 +525,9 @@ func (r *ApplicationSetReconciler) getMinRequeueAfter(applicationSetInfo *argov1
 }
 
 func ignoreNotAllowedNamespaces(namespaces []string) predicate.Predicate {
-	return predicate.Funcs{
-		CreateFunc: func(e event.CreateEvent) bool {
-			return utils.IsNamespaceAllowed(namespaces, e.Object.GetNamespace())
-		},
-	}
+	return predicate.NewPredicateFuncs(func(object client.Object) bool {
+		return utils.IsNamespaceAllowed(namespaces, object.GetNamespace())
+	})
 }
 
 func appControllerIndexer(rawObj client.Object) []string {

applicationset/controllers/applicationset_controller_test.go

@@ -6657,3 +6657,86 @@ func TestMigrateStatus(t *testing.T) {
 		})
 	}
 }
+
+func TestIgnoreNotAllowedNamespaces(t *testing.T) {
+	tests := []struct {
+		name       string
+		namespaces []string
+		objectNS   string
+		expected   bool
+	}{
+		{
+			name:       "Namespace allowed",
+			namespaces: []string{"allowed-namespace"},
+			objectNS:   "allowed-namespace",
+			expected:   true,
+		},
+		{
+			name:       "Namespace not allowed",
+			namespaces: []string{"allowed-namespace"},
+			objectNS:   "not-allowed-namespace",
+			expected:   false,
+		},
+		{
+			name:       "Empty allowed namespaces",
+			namespaces: []string{},
+			objectNS:   "any-namespace",
+			expected:   false,
+		},
+		{
+			name:       "Multiple allowed namespaces",
+			namespaces: []string{"allowed-namespace-1", "allowed-namespace-2"},
+			objectNS:   "allowed-namespace-2",
+			expected:   true,
+		},
+		{
+			name:       "Namespace not in multiple allowed namespaces",
+			namespaces: []string{"allowed-namespace-1", "allowed-namespace-2"},
+			objectNS:   "not-allowed-namespace",
+			expected:   false,
+		},
+		{
+			name:       "Namespace matched by glob pattern",
+			namespaces: []string{"allowed-namespace-*"},
+			objectNS:   "allowed-namespace-1",
+			expected:   true,
+		},
+		{
+			name:       "Namespace matched by regex pattern",
+			namespaces: []string{"/^allowed-namespace-[^-]+$/"},
+			objectNS:   "allowed-namespace-1",
+			expected:   true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			predicate := ignoreNotAllowedNamespaces(tt.namespaces)
+			object := &v1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: tt.objectNS,
+				},
+			}
+
+			t.Run(tt.name+":Create", func(t *testing.T) {
+				result := predicate.Create(event.CreateEvent{Object: object})
+				assert.Equal(t, tt.expected, result)
+			})
+
+			t.Run(tt.name+":Update", func(t *testing.T) {
+				result := predicate.Update(event.UpdateEvent{ObjectNew: object})
+				assert.Equal(t, tt.expected, result)
+			})
+
+			t.Run(tt.name+":Delete", func(t *testing.T) {
+				result := predicate.Delete(event.DeleteEvent{Object: object})
+				assert.Equal(t, tt.expected, result)
+			})
+
+			t.Run(tt.name+":Generic", func(t *testing.T) {
+				result := predicate.Generic(event.GenericEvent{Object: object})
+				assert.Equal(t, tt.expected, result)
+			})
+		})
+	}
+}

applicationset/services/scm_provider/gitlab.go

@@ -2,10 +2,10 @@ package scm_provider
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
-	pathpkg "path"
 
 	"github.com/hashicorp/go-retryablehttp"
 	"github.com/xanzy/go-gitlab"
@@ -129,40 +129,31 @@ func (g *GitlabProvider) ListRepos(ctx context.Context, cloneProtocol string) ([
 func (g *GitlabProvider) RepoHasPath(_ context.Context, repo *Repository, path string) (bool, error) {
 	p, _, err := g.client.Projects.GetProject(repo.Organization+"/"+repo.Repository, nil)
 	if err != nil {
-		return false, err
+		return false, fmt.Errorf("error getting Project Info: %w", err)
 	}
-	directories := []string{
-		path,
-		pathpkg.Dir(path),
-	}
-	for _, directory := range directories {
-		options := gitlab.ListTreeOptions{
-			Path: &directory,
-			Ref:  &repo.Branch,
-		}
-		for {
-			treeNode, resp, err := g.client.Repositories.ListTree(p.ID, &options)
+
+	// search if the path is a file and exists in the repo
+	fileOptions := gitlab.GetFileOptions{Ref: &repo.Branch}
+	_, _, err = g.client.RepositoryFiles.GetFile(p.ID, path, &fileOptions)
+	if err != nil {
+		if errors.Is(err, gitlab.ErrNotFound) {
+			// no file found, check for a directory
+			options := gitlab.ListTreeOptions{
+				Path: &path,
+				Ref:  &repo.Branch,
+			}
+			_, _, err := g.client.Repositories.ListTree(p.ID, &options)
 			if err != nil {
+				if errors.Is(err, gitlab.ErrNotFound) {
+					return false, nil // no file or directory found
+				}
 				return false, err
 			}
-			if path == directory {
-				if resp.TotalItems > 0 {
-					return true, nil
-				}
-			}
-			for i := range treeNode {
-				if treeNode[i].Path == path {
-					return true, nil
-				}
-			}
-			if resp.NextPage == 0 {
-				// no future pages
-				break
-			}
-			options.Page = resp.NextPage
+			return true, nil // directory found
 		}
+		return false, err
 	}
-	return false, nil
+	return true, nil // file found
 }
 
 func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gitlab.Branch, error) {

applicationset/services/scm_provider/gitlab_test.go

@@ -20,6 +20,7 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 	t.Helper()
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
+		fmt.Println(r.RequestURI)
 		switch r.RequestURI {
 		case "/api/v4":
 			fmt.Println("here1")
@@ -1040,6 +1041,32 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
+			// Recent versions of the Gitlab API (v17.7+) listTree return 404 not only when a file doesn't exist, but also
+			// when a path is to a file instead of a directory. Code was refactored to explicitly search for file then
+			// search for directory, catching 404 errors as "file not found".
+		case "/api/v4/projects/27084533/repository/files/argocd?ref=master":
+			w.WriteHeader(http.StatusNotFound)
+		case "/api/v4/projects/27084533/repository/files/argocd%2Finstall%2Eyaml?ref=master":
+			_, err := io.WriteString(w, `{"file_name":"install.yaml","file_path":"argocd/install.yaml","size":0,"encoding":"base64","content_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","ref":"main","blob_id":"e69de29bb2d1d6434b8b29ae775ad8c2e48c5391","commit_id":"6d4c0f9d34534ccc73aa3f3180b25e2aebe630eb","last_commit_id":"b50eb63f9c0e09bfdb070db26fd32c7210291f52","execute_filemode":false,"content":""}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/27084533/repository/files/notathing?ref=master":
+			w.WriteHeader(http.StatusNotFound)
+		case "/api/v4/projects/27084533/repository/tree?path=notathing&ref=master":
+			w.WriteHeader(http.StatusNotFound)
+		case "/api/v4/projects/27084533/repository/files/argocd%2Fnotathing%2Eyaml?ref=master":
+			w.WriteHeader(http.StatusNotFound)
+		case "/api/v4/projects/27084533/repository/tree?path=argocd%2Fnotathing.yaml&ref=master":
+			w.WriteHeader(http.StatusNotFound)
+		case "/api/v4/projects/27084533/repository/files/notathing%2Fnotathing%2Eyaml?ref=master":
+			w.WriteHeader(http.StatusNotFound)
+		case "/api/v4/projects/27084533/repository/tree?path=notathing%2Fnotathing.yaml&ref=master":
+			w.WriteHeader(http.StatusNotFound)
+		case "/api/v4/projects/27084533/repository/files/notathing%2Fnotathing%2Fnotathing%2Eyaml?ref=master":
+			w.WriteHeader(http.StatusNotFound)
+		case "/api/v4/projects/27084533/repository/tree?path=notathing%2Fnotathing%2Fnotathing.yaml&ref=master":
+			w.WriteHeader(http.StatusNotFound)
 		case "/api/v4/projects/27084533/repository/branches/foo":
 			w.WriteHeader(http.StatusNotFound)
 		default:
@@ -1194,6 +1221,16 @@ func TestGitlabHasPath(t *testing.T) {
 			path:   "argocd/notathing.yaml",
 			exists: false,
 		},
+		{
+			name:   "noexistent file in noexistent directory",
+			path:   "notathing/notathing.yaml",
+			exists: false,
+		},
+		{
+			name:   "noexistent file in nested noexistent directory",
+			path:   "notathing/notathing/notathing.yaml",
+			exists: false,
+		},
 	}
 
 	for _, c := range cases {

applicationset/utils/clusterUtils.go

@@ -2,22 +2,15 @@ package utils
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"strconv"
-	"strings"
 	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/argoproj/argo-cd/v2/common"
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/db"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/utils/ptr"
 )
 
 // The contents of this file are from
@@ -126,11 +119,15 @@ func ListClusters(ctx context.Context, clientset kubernetes.Interface, namespace
 	hasInClusterCredentials := false
 	for i, clusterSecret := range clusterSecrets {
 		// This line has changed from the original Argo CD code: now receives an error, and handles it
-		cluster, err := secretToCluster(&clusterSecret)
+		cluster, err := db.SecretToCluster(&clusterSecret)
 		if err != nil || cluster == nil {
 			return nil, fmt.Errorf("unable to convert cluster secret to cluster object '%s': %w", clusterSecret.Name, err)
 		}
 
+		// db.SecretToCluster populates these, but they're not meant to be available to the caller.
+		cluster.Labels = nil
+		cluster.Annotations = nil
+
 		clusterList.Items[i] = *cluster
 		if cluster.Server == appv1.KubernetesInternalAPIServerAddr {
 			hasInClusterCredentials = true
@@ -167,48 +164,3 @@ func getLocalCluster(clientset kubernetes.Interface) *appv1.Cluster {
 	cluster.ConnectionState.ModifiedAt = &now
 	return cluster
 }
-
-// secretToCluster converts a secret into a Cluster object
-func secretToCluster(s *corev1.Secret) (*appv1.Cluster, error) {
-	var config appv1.ClusterConfig
-	if len(s.Data["config"]) > 0 {
-		if err := json.Unmarshal(s.Data["config"], &config); err != nil {
-			// This line has changed from the original Argo CD: now returns an error rather than panicing.
-			return nil, err
-		}
-	}
-
-	var namespaces []string
-	for _, ns := range strings.Split(string(s.Data["namespaces"]), ",") {
-		if ns = strings.TrimSpace(ns); ns != "" {
-			namespaces = append(namespaces, ns)
-		}
-	}
-	var refreshRequestedAt *metav1.Time
-	if v, found := s.Annotations[appv1.AnnotationKeyRefresh]; found {
-		requestedAt, err := time.Parse(time.RFC3339, v)
-		if err != nil {
-			log.Warnf("Error while parsing date in cluster secret '%s': %v", s.Name, err)
-		} else {
-			refreshRequestedAt = &metav1.Time{Time: requestedAt}
-		}
-	}
-	var shard *int64
-	if shardStr := s.Data["shard"]; shardStr != nil {
-		if val, err := strconv.Atoi(string(shardStr)); err != nil {
-			log.Warnf("Error while parsing shard in cluster secret '%s': %v", s.Name, err)
-		} else {
-			shard = ptr.To(int64(val))
-		}
-	}
-	cluster := appv1.Cluster{
-		ID:                 string(s.UID),
-		Server:             strings.TrimRight(string(s.Data["server"]), "/"),
-		Name:               string(s.Data["name"]),
-		Namespaces:         namespaces,
-		Config:             config,
-		RefreshRequestedAt: refreshRequestedAt,
-		Shard:              shard,
-	}
-	return &cluster, nil
-}

applicationset/utils/clusterUtils_test.go

@@ -20,51 +20,6 @@ const (
 	fakeNamespace = "fake-ns"
 )
 
-// From Argo CD util/db/cluster_test.go
-func Test_secretToCluster(t *testing.T) {
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "mycluster",
-			Namespace: fakeNamespace,
-		},
-		Data: map[string][]byte{
-			"name":   []byte("test"),
-			"server": []byte("http://mycluster"),
-			"config": []byte("{\"username\":\"foo\", \"disableCompression\":true}"),
-		},
-	}
-	cluster, err := secretToCluster(secret)
-	require.NoError(t, err)
-	assert.Equal(t, argoappv1.Cluster{
-		Name:   "test",
-		Server: "http://mycluster",
-		Config: argoappv1.ClusterConfig{
-			Username:           "foo",
-			DisableCompression: true,
-		},
-	}, *cluster)
-}
-
-// From Argo CD util/db/cluster_test.go
-func Test_secretToCluster_NoConfig(t *testing.T) {
-	secret := &corev1.Secret{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "mycluster",
-			Namespace: fakeNamespace,
-		},
-		Data: map[string][]byte{
-			"name":   []byte("test"),
-			"server": []byte("http://mycluster"),
-		},
-	}
-	cluster, err := secretToCluster(secret)
-	require.NoError(t, err)
-	assert.Equal(t, argoappv1.Cluster{
-		Name:   "test",
-		Server: "http://mycluster",
-	}, *cluster)
-}
-
 func createClusterSecret(secretName string, clusterName string, clusterServer string) *corev1.Secret {
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{

assets/builtin-policy.csv

@@ -10,6 +10,7 @@ p, role:readonly, applications, get, */*, allow
 p, role:readonly, certificates, get, *, allow
 p, role:readonly, clusters, get, *, allow
 p, role:readonly, repositories, get, *, allow
+p, role:readonly, write-repositories, get, *, allow
 p, role:readonly, projects, get, *, allow
 p, role:readonly, accounts, get, *, allow
 p, role:readonly, gpgkeys, get, *, allow
@@ -17,7 +18,9 @@ p, role:readonly, logs, get, */*, allow
 
 p, role:admin, applications, create, */*, allow
 p, role:admin, applications, update, */*, allow
+p, role:admin, applications, update/*, */*, allow
 p, role:admin, applications, delete, */*, allow
+p, role:admin, applications, delete/*, */*, allow
 p, role:admin, applications, sync, */*, allow
 p, role:admin, applications, override, */*, allow
 p, role:admin, applications, action/*, */*, allow
@@ -34,6 +37,9 @@ p, role:admin, clusters, delete, *, allow
 p, role:admin, repositories, create, *, allow
 p, role:admin, repositories, update, *, allow
 p, role:admin, repositories, delete, *, allow
+p, role:admin, write-repositories, create, *, allow
+p, role:admin, write-repositories, update, *, allow
+p, role:admin, write-repositories, delete, *, allow
 p, role:admin, projects, create, *, allow
 p, role:admin, projects, update, *, allow
 p, role:admin, projects, delete, *, allow
@@ -43,4 +49,4 @@ p, role:admin, gpgkeys, delete, *, allow
 p, role:admin, exec, create, */*, allow
 
 g, role:admin, role:readonly
-g, admin, role:admin
+g, admin, role:admin

assets/swagger.json

@@ -1990,6 +1990,39 @@
         }
       }
     },
+    "/api/v1/applicationsets/generate": {
+      "post": {
+        "tags": [
+          "ApplicationSetService"
+        ],
+        "summary": "Generate generates",
+        "operationId": "ApplicationSetService_Generate",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/applicationsetApplicationSetGenerateRequest"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/applicationsetApplicationSetGenerateResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
     "/api/v1/applicationsets/{name}": {
       "get": {
         "tags": [
@@ -4084,6 +4117,504 @@
         }
       }
     },
+    "/api/v1/write-repocreds": {
+      "get": {
+        "tags": [
+          "RepoCredsService"
+        ],
+        "summary": "ListWriteRepositoryCredentials gets a list of all configured repository credential sets that have write access",
+        "operationId": "RepoCredsService_ListWriteRepositoryCredentials",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo URL for query.",
+            "name": "url",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCredsList"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      },
+      "post": {
+        "tags": [
+          "RepoCredsService"
+        ],
+        "summary": "CreateWriteRepositoryCredentials creates a new repository credential set with write access",
+        "operationId": "RepoCredsService_CreateWriteRepositoryCredentials",
+        "parameters": [
+          {
+            "description": "Repository definition",
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCreds"
+            }
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to create in upsert mode.",
+            "name": "upsert",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCreds"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repocreds/{creds.url}": {
+      "put": {
+        "tags": [
+          "RepoCredsService"
+        ],
+        "summary": "UpdateWriteRepositoryCredentials updates a repository credential set with write access",
+        "operationId": "RepoCredsService_UpdateWriteRepositoryCredentials",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "URL is the URL to which these credentials match",
+            "name": "creds.url",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCreds"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepoCreds"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repocreds/{url}": {
+      "delete": {
+        "tags": [
+          "RepoCredsService"
+        ],
+        "summary": "DeleteWriteRepositoryCredentials deletes a repository credential set with write access from the configuration",
+        "operationId": "RepoCredsService_DeleteWriteRepositoryCredentials",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "url",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/repocredsRepoCredsResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repositories": {
+      "get": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "ListWriteRepositories gets a list of all configured write repositories",
+        "operationId": "RepositoryService_ListWriteRepositories",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo URL for query.",
+            "name": "repo",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force a cache refresh on repo's connection state.",
+            "name": "forceRefresh",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepositoryList"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      },
+      "post": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "CreateWriteRepository creates a new write repository configuration",
+        "operationId": "RepositoryService_CreateWriteRepository",
+        "parameters": [
+          {
+            "description": "Repository definition",
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to create in upsert mode.",
+            "name": "upsert",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to operate on credential set instead of repository.",
+            "name": "credsOnly",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repositories/{repo.repo}": {
+      "put": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "UpdateWriteRepository updates a write repository configuration",
+        "operationId": "RepositoryService_UpdateWriteRepository",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo contains the URL to the remote repository",
+            "name": "repo.repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repositories/{repo}": {
+      "get": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "GetWrite returns a repository or its write credentials",
+        "operationId": "RepositoryService_GetWrite",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo URL for query",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force a cache refresh on repo's connection state.",
+            "name": "forceRefresh",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1Repository"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      },
+      "delete": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "DeleteWriteRepository deletes a write repository from the configuration",
+        "operationId": "RepositoryService_DeleteWriteRepository",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "Repo URL for query",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force a cache refresh on repo's connection state.",
+            "name": "forceRefresh",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "App project for query.",
+            "name": "appProject",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/repositoryRepoResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
+    "/api/v1/write-repositories/{repo}/validate": {
+      "post": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "ValidateWriteAccess validates write access to a repository with given parameters",
+        "operationId": "RepositoryService_ValidateWriteAccess",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "The URL to the repo",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "description": "The URL to the repo",
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "type": "string",
+            "description": "Username for accessing repo.",
+            "name": "username",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Password for accessing repo.",
+            "name": "password",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Private key data for accessing SSH repository.",
+            "name": "sshPrivateKey",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to skip certificate or host key validation.",
+            "name": "insecure",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "TLS client cert data for accessing HTTPS repository.",
+            "name": "tlsClientCertData",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "TLS client cert key for accessing HTTPS repository.",
+            "name": "tlsClientCertKey",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "The type of the repo.",
+            "name": "type",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "The name of the repo.",
+            "name": "name",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether helm-oci support should be enabled for this repo.",
+            "name": "enableOci",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Github App Private Key PEM data.",
+            "name": "githubAppPrivateKey",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "format": "int64",
+            "description": "Github App ID of the app used to access the repo.",
+            "name": "githubAppID",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "format": "int64",
+            "description": "Github App Installation ID of the installed GitHub App.",
+            "name": "githubAppInstallationID",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Github App Enterprise base url if empty will default to https://api.github.com.",
+            "name": "githubAppEnterpriseBaseUrl",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "HTTP/HTTPS proxy to access the repository.",
+            "name": "proxy",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Reference between project and repository that allow you automatically to be added as item inside SourceRepos project entity.",
+            "name": "project",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "Google Cloud Platform service account key.",
+            "name": "gcpServiceAccountKey",
+            "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force HTTP basic auth.",
+            "name": "forceHttpBasicAuth",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/repositoryRepoResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
     "/api/version": {
       "get": {
         "tags": [
@@ -4725,6 +5256,9 @@
         "help": {
           "$ref": "#/definitions/clusterHelp"
         },
+        "hydratorEnabled": {
+          "type": "boolean"
+        },
         "impersonationEnabled": {
           "type": "boolean"
         },

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -19,6 +19,7 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	commitclient "github.com/argoproj/argo-cd/v2/commitserver/apiclient"
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/controller"
 	"github.com/argoproj/argo-cd/v2/controller/sharding"
@@ -58,6 +59,7 @@ func NewCommand() *cobra.Command {
 		repoErrorGracePeriod             int64
 		repoServerAddress                string
 		repoServerTimeoutSeconds         int
+		commitServerAddress              string
 		selfHealTimeoutSeconds           int
 		selfHealBackoffTimeoutSeconds    int
 		selfHealBackoffFactor            int
@@ -87,7 +89,8 @@ func NewCommand() *cobra.Command {
 		ignoreNormalizerOpts             normalizers.IgnoreNormalizerOpts
 
 		// argocd k8s event logging flag
-		enableK8sEvent []string
+		enableK8sEvent  []string
+		hydratorEnabled bool
 	)
 	command := cobra.Command{
 		Use:               cliName,
@@ -157,6 +160,8 @@ func NewCommand() *cobra.Command {
 
 			repoClientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds, tlsConfig)
 
+			commitClientset := commitclient.NewCommitServerClientset(commitServerAddress)
+
 			cache, err := cacheSource()
 			errors.CheckError(err)
 			cache.Cache.SetClient(cacheutil.NewTwoLevelClient(cache.Cache.GetClient(), 10*time.Minute))
@@ -183,6 +188,7 @@ func NewCommand() *cobra.Command {
 				kubeClient,
 				appClient,
 				repoClientset,
+				commitClientset,
 				cache,
 				kubectl,
 				resyncDuration,
@@ -205,6 +211,7 @@ func NewCommand() *cobra.Command {
 				enableDynamicClusterDistribution,
 				ignoreNormalizerOpts,
 				enableK8sEvent,
+				hydratorEnabled,
 			)
 			errors.CheckError(err)
 			cacheutil.CollectMetrics(redisClient, appController.GetMetricsServer(), nil)
@@ -247,6 +254,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().Int64Var(&repoErrorGracePeriod, "repo-error-grace-period-seconds", int64(env.ParseDurationFromEnv("ARGOCD_REPO_ERROR_GRACE_PERIOD_SECONDS", defaultAppResyncPeriod*time.Second, 0, math.MaxInt64).Seconds()), "Grace period in seconds for ignoring consecutive errors while communicating with repo server.")
 	command.Flags().StringVar(&repoServerAddress, "repo-server", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER", common.DefaultRepoServerAddr), "Repo server address.")
 	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")
+	command.Flags().StringVar(&commitServerAddress, "commit-server", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_COMMIT_SERVER", common.DefaultCommitServerAddr), "Commit server address.")
 	command.Flags().IntVar(&statusProcessors, "status-processors", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS", 20, 0, math.MaxInt32), "Number of application status processors")
 	command.Flags().IntVar(&operationProcessors, "operation-processors", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS", 10, 0, math.MaxInt32), "Number of application operation processors")
 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
@@ -285,7 +293,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().DurationVar(&ignoreNormalizerOpts.JQExecutionTimeout, "ignore-normalizer-jq-execution-timeout-seconds", env.ParseDurationFromEnv("ARGOCD_IGNORE_NORMALIZER_JQ_TIMEOUT", 0*time.Second, 0, math.MaxInt64), "Set ignore normalizer JQ execution timeout")
 	// argocd k8s event logging flag
 	command.Flags().StringSliceVar(&enableK8sEvent, "enable-k8s-event", env.StringsFromEnv("ARGOCD_ENABLE_K8S_EVENT", argo.DefaultEnableEventList(), ","), "Enable ArgoCD to use k8s event. For disabling all events, set the value as `none`. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated)")
-
+	command.Flags().BoolVar(&hydratorEnabled, "hydrator-enabled", env.ParseBoolFromEnv("ARGOCD_HYDRATOR_ENABLED", false), "Feature flag to enable Hydrator. Default (\"false\")")
 	cacheSource = appstatecache.AddCacheFlagsToCmd(&command, cacheutil.Options{
 		OnClientCreated: func(client *redis.Client) {
 			redisClient = client

cmd/argocd-server/commands/argocd_server.go

@@ -87,6 +87,7 @@ func NewCommand() *cobra.Command {
 		applicationNamespaces    []string
 		enableProxyExtension     bool
 		webhookParallelism       int
+		hydratorEnabled          bool
 
 		// ApplicationSet
 		enableNewGitFileGlobbing bool
@@ -243,6 +244,7 @@ func NewCommand() *cobra.Command {
 				EnableProxyExtension:    enableProxyExtension,
 				WebhookParallelism:      webhookParallelism,
 				EnableK8sEvent:          enableK8sEvent,
+				HydratorEnabled:         hydratorEnabled,
 			}
 
 			appsetOpts := server.ApplicationSetOpts{
@@ -321,6 +323,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&enableProxyExtension, "enable-proxy-extension", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_PROXY_EXTENSION", false), "Enable Proxy Extension feature")
 	command.Flags().IntVar(&webhookParallelism, "webhook-parallelism-limit", env.ParseNumFromEnv("ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT", 50, 1, 1000), "Number of webhook requests processed concurrently")
 	command.Flags().StringSliceVar(&enableK8sEvent, "enable-k8s-event", env.StringsFromEnv("ARGOCD_ENABLE_K8S_EVENT", argo.DefaultEnableEventList(), ","), "Enable ArgoCD to use k8s event. For disabling all events, set the value as `none`. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated)")
+	command.Flags().BoolVar(&hydratorEnabled, "hydrator-enabled", env.ParseBoolFromEnv("ARGOCD_HYDRATOR_ENABLED", false), "Feature flag to enable Hydrator. Default (\"false\")")
 
 	// Flags related to the applicationSet component.
 	command.Flags().StringVar(&scmRootCAPath, "appset-scm-root-ca-path", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH", ""), "Provide Root CA Path for self-signed TLS Certificates")

cmd/argocd/commands/admin/app_test.go

@@ -91,7 +91,7 @@ func TestGetReconcileResults_Refresh(t *testing.T) {
 
 	appClientset := appfake.NewSimpleClientset(app, proj)
 	deployment := test.NewDeployment()
-	kubeClientset := kubefake.NewSimpleClientset(deployment, &cm)
+	kubeClientset := kubefake.NewClientset(deployment, &cm)
 	clusterCache := clustermocks.ClusterCache{}
 	clusterCache.On("IsNamespaced", mock.Anything).Return(true, nil)
 	clusterCache.On("GetGVKParser", mock.Anything).Return(nil)

cmd/argocd/commands/admin/cluster.go

@@ -617,7 +617,7 @@ func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command
 			clientConfig := clientcmd.NewDefaultClientConfig(*cfgAccess, &overrides)
 			conf, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
-			kubeClientset := fake.NewSimpleClientset()
+			kubeClientset := fake.NewClientset()
 
 			var awsAuthConf *v1alpha1.AWSAuthConfig
 			var execProviderConf *v1alpha1.ExecProviderConfig

cmd/argocd/commands/admin/repo.go

@@ -150,7 +150,7 @@ func NewGenRepoSpecCommand() *cobra.Command {
 					},
 				},
 			}
-			kubeClientset := fake.NewSimpleClientset(argoCDCM)
+			kubeClientset := fake.NewClientset(argoCDCM)
 			settingsMgr := settings.NewSettingsManager(ctx, kubeClientset, ArgoCDNamespace)
 			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
 

cmd/argocd/commands/admin/settings.go

@@ -119,7 +119,7 @@ func (opts *settingsOpts) createSettingsManager(ctx context.Context) (*settings.
 		}
 	}
 	setSettingsMeta(argocdSecret)
-	clientset := fake.NewSimpleClientset(argocdSecret, argocdCM)
+	clientset := fake.NewClientset(argocdSecret, argocdCM)
 
 	manager := settings.NewSettingsManager(ctx, clientset, "default")
 	errors.CheckError(manager.ResyncInformers())

cmd/argocd/commands/admin/settings_rbac_test.go

@@ -147,7 +147,7 @@ func Test_PolicyFromK8s(t *testing.T) {
 	ctx := context.Background()
 
 	require.NoError(t, err)
-	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
+	kubeclientset := fake.NewClientset(&v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "argocd-rbac-cm",
 			Namespace: "argocd",
@@ -280,7 +280,7 @@ p, role:user, logs, get, .*/.*, allow
 p, role:user, exec, create, .*/.*, allow
 `
 
-	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
+	kubeclientset := fake.NewClientset(&v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "argocd-rbac-cm",
 			Namespace: "argocd",

cmd/argocd/commands/admin/settings_test.go

@@ -45,7 +45,7 @@ func captureStdout(callback func()) (string, error) {
 func newSettingsManager(data map[string]string) *settings.SettingsManager {
 	ctx := context.Background()
 
-	clientset := fake.NewSimpleClientset(&v1.ConfigMap{
+	clientset := fake.NewClientset(&v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "default",
 			Name:      common.ArgoCDConfigMapName,

cmd/argocd/commands/app.go

@@ -112,6 +112,7 @@ type watchOpts struct {
 	suspended bool
 	degraded  bool
 	delete    bool
+	hydrated  bool
 }
 
 // NewApplicationCreateCommand returns a new instance of an `argocd app create` command
@@ -1883,6 +1884,7 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&watch.suspended, "suspended", false, "Wait for suspended")
 	command.Flags().BoolVar(&watch.degraded, "degraded", false, "Wait for degraded")
 	command.Flags().BoolVar(&watch.delete, "delete", false, "Wait for delete")
+	command.Flags().BoolVar(&watch.hydrated, "hydrated", false, "Wait for hydration operations")
 	command.Flags().StringVarP(&selector, "selector", "l", "", "Wait for apps by label. Supports '=', '==', '!=', in, notin, exists & not exists. Matching apps must satisfy all of the specified label constraints.")
 	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%[1]sKIND%[1]sNAME or %[2]sGROUP%[1]sKIND%[1]sNAME. Fields may be blank and '*' can be used. This option may be specified repeatedly", resourceFieldDelimiter, resourceExcludeIndicator))
 	command.Flags().BoolVar(&watch.operation, "operation", false, "Wait for pending operations")
@@ -2450,7 +2452,7 @@ func groupResourceStates(app *argoappv1.Application, selectedResources []*argoap
 }
 
 // check if resource health, sync and operation statuses matches watch options
-func checkResourceStatus(watch watchOpts, healthStatus string, syncStatus string, operationStatus *argoappv1.Operation) bool {
+func checkResourceStatus(watch watchOpts, healthStatus string, syncStatus string, operationStatus *argoappv1.Operation, hydrationFinished bool) bool {
 	if watch.delete {
 		return false
 	}
@@ -2480,7 +2482,8 @@ func checkResourceStatus(watch watchOpts, healthStatus string, syncStatus string
 
 	synced := !watch.sync || syncStatus == string(argoappv1.SyncStatusCodeSynced)
 	operational := !watch.operation || operationStatus == nil
-	return synced && healthCheckPassed && operational
+	hydrated := !watch.hydrated || hydrationFinished
+	return synced && healthCheckPassed && operational && hydrated
 }
 
 // resourceParentChild gets the latest state of the app and the latest state of the app's resource tree and then
@@ -2644,13 +2647,15 @@ func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client,
 			}
 		}
 
+		hydrationFinished := app.Status.SourceHydrator.CurrentOperation != nil && app.Status.SourceHydrator.CurrentOperation.Phase == argoappv1.HydrateOperationPhaseHydrated && app.Status.SourceHydrator.CurrentOperation.SourceHydrator.DeepEquals(app.Status.SourceHydrator.LastSuccessfulOperation.SourceHydrator) && app.Status.SourceHydrator.CurrentOperation.DrySHA == app.Status.SourceHydrator.LastSuccessfulOperation.DrySHA
+
 		var selectedResourcesAreReady bool
 
 		// If selected resources are included, wait only on those resources, otherwise wait on the application as a whole.
 		if len(selectedResources) > 0 {
 			selectedResourcesAreReady = true
 			for _, state := range getResourceStates(app, selectedResources) {
-				resourceIsReady := checkResourceStatus(watch, state.Health, state.Status, appEvent.Application.Operation)
+				resourceIsReady := checkResourceStatus(watch, state.Health, state.Status, appEvent.Application.Operation, hydrationFinished)
 				if !resourceIsReady {
 					selectedResourcesAreReady = false
 					break
@@ -2658,7 +2663,7 @@ func waitOnApplicationStatus(ctx context.Context, acdClient argocdclient.Client,
 			}
 		} else {
 			// Wait on the application as a whole
-			selectedResourcesAreReady = checkResourceStatus(watch, string(app.Status.Health.Status), string(app.Status.Sync.Status), appEvent.Application.Operation)
+			selectedResourcesAreReady = checkResourceStatus(watch, string(app.Status.Health.Status), string(app.Status.Sync.Status), appEvent.Application.Operation, hydrationFinished)
 		}
 
 		if selectedResourcesAreReady && (!operationInProgress || !watch.operation) {

cmd/argocd/commands/app_test.go

@@ -1705,7 +1705,7 @@ func TestCheckResourceStatus(t *testing.T) {
 			suspended: true,
 			health:    true,
 			degraded:  true,
-		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Degraded, Suspended and health status failed", func(t *testing.T) {
@@ -1713,57 +1713,57 @@ func TestCheckResourceStatus(t *testing.T) {
 			suspended: true,
 			health:    true,
 			degraded:  true,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 	t.Run("Suspended and health status passed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: true,
 			health:    true,
-		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Suspended and health status failed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: true,
 			health:    true,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 	t.Run("Suspended passed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: true,
 			health:    false,
-		}, string(health.HealthStatusSuspended), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusSuspended), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Suspended failed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: true,
 			health:    false,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 	t.Run("Health passed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: false,
 			health:    true,
-		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusHealthy), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Health failed", func(t *testing.T) {
 		res := checkResourceStatus(watchOpts{
 			suspended: false,
 			health:    true,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 	t.Run("Synced passed", func(t *testing.T) {
-		res := checkResourceStatus(watchOpts{}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		res := checkResourceStatus(watchOpts{}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Synced failed", func(t *testing.T) {
-		res := checkResourceStatus(watchOpts{}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeOutOfSync), &v1alpha1.Operation{})
+		res := checkResourceStatus(watchOpts{}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeOutOfSync), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Degraded passed", func(t *testing.T) {
@@ -1771,7 +1771,7 @@ func TestCheckResourceStatus(t *testing.T) {
 			suspended: false,
 			health:    false,
 			degraded:  true,
-		}, string(health.HealthStatusDegraded), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusDegraded), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.True(t, res)
 	})
 	t.Run("Degraded failed", func(t *testing.T) {
@@ -1779,7 +1779,7 @@ func TestCheckResourceStatus(t *testing.T) {
 			suspended: false,
 			health:    false,
 			degraded:  true,
-		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{})
+		}, string(health.HealthStatusProgressing), string(v1alpha1.SyncStatusCodeSynced), &v1alpha1.Operation{}, true)
 		assert.False(t, res)
 	})
 }

cmd/argocd/commands/headless/headless.go

@@ -14,7 +14,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	corev1 "k8s.io/api/core/v1"
+	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	runtimeUtil "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/dynamic"
@@ -128,7 +129,7 @@ func (c *forwardRepoClientset) NewRepoServerClient() (io.Closer, repoapiclient.R
 		}
 		repoServerName := c.repoServerName
 		repoServererviceLabelSelector := common.LabelKeyComponentRepoServer + "=" + common.LabelValueComponentRepoServer
-		repoServerServices, err := c.kubeClientset.CoreV1().Services(c.namespace).List(context.Background(), v1.ListOptions{LabelSelector: repoServererviceLabelSelector})
+		repoServerServices, err := c.kubeClientset.CoreV1().Services(c.namespace).List(context.Background(), metaV1.ListOptions{LabelSelector: repoServererviceLabelSelector})
 		if err != nil {
 			c.err = err
 			return
@@ -243,6 +244,10 @@ func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOpti
 	if err != nil {
 		return fmt.Errorf("error adding argo resources to scheme: %w", err)
 	}
+	err = corev1.AddToScheme(scheme)
+	if err != nil {
+		return fmt.Errorf("error adding corev1 resources to scheme: %w", err)
+	}
 	controllerClientset, err := client.New(restConfig, client.Options{
 		Scheme: scheme,
 	})

cmd/util/app.go

@@ -91,6 +91,12 @@ type AppOptions struct {
 	retryBackoffFactor              int64
 	ref                             string
 	SourceName                      string
+	drySourceRepo                   string
+	drySourceRevision               string
+	drySourcePath                   string
+	syncSourceBranch                string
+	syncSourcePath                  string
+	hydrateToBranch                 string
 }
 
 // SetAutoMaxProcs sets the GOMAXPROCS value based on the binary name.
@@ -112,6 +118,12 @@ func AddAppFlags(command *cobra.Command, opts *AppOptions) {
 	command.Flags().StringVar(&opts.chart, "helm-chart", "", "Helm Chart name")
 	command.Flags().StringVar(&opts.env, "env", "", "Application environment to monitor")
 	command.Flags().StringVar(&opts.revision, "revision", "", "The tracking source branch, tag, commit or Helm chart version the application will sync to")
+	command.Flags().StringVar(&opts.drySourceRepo, "dry-source-repo", "", "Repository URL of the app dry source")
+	command.Flags().StringVar(&opts.drySourceRevision, "dry-source-revision", "", "Revision of the app dry source")
+	command.Flags().StringVar(&opts.drySourcePath, "dry-source-path", "", "Path in repository to the app directory for the dry source")
+	command.Flags().StringVar(&opts.syncSourceBranch, "sync-source-branch", "", "The branch from which the app will sync")
+	command.Flags().StringVar(&opts.syncSourcePath, "sync-source-path", "", "The path in the repository from which the app will sync")
+	command.Flags().StringVar(&opts.hydrateToBranch, "hydrate-to-branch", "", "The branch to hydrate the app to")
 	command.Flags().IntVar(&opts.revisionHistoryLimit, "revision-history-limit", argoappv1.RevisionHistoryLimit, "How many items to keep in revision history")
 	command.Flags().StringVar(&opts.destServer, "dest-server", "", "K8s cluster URL (e.g. https://kubernetes.default.svc)")
 	command.Flags().StringVar(&opts.destName, "dest-name", "", "K8s cluster Name (e.g. minikube)")
@@ -175,21 +187,27 @@ func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, ap
 	if flags == nil {
 		return visited
 	}
-	source := spec.GetSourcePtrByPosition(sourcePosition)
-	if source == nil {
-		source = &argoappv1.ApplicationSource{}
-	}
-	source, visited = ConstructSource(source, *appOpts, flags)
-	if spec.HasMultipleSources() {
-		if sourcePosition == 0 {
-			spec.Sources[sourcePosition] = *source
-		} else if sourcePosition > 0 {
-			spec.Sources[sourcePosition-1] = *source
-		} else {
-			spec.Sources = append(spec.Sources, *source)
-		}
+	var h *argoappv1.SourceHydrator
+	h, hasHydratorFlag := constructSourceHydrator(spec.SourceHydrator, *appOpts, flags)
+	if hasHydratorFlag {
+		spec.SourceHydrator = h
 	} else {
-		spec.Source = source
+		source := spec.GetSourcePtrByPosition(sourcePosition)
+		if source == nil {
+			source = &argoappv1.ApplicationSource{}
+		}
+		source, visited = ConstructSource(source, *appOpts, flags)
+		if spec.HasMultipleSources() {
+			if sourcePosition == 0 {
+				spec.Sources[sourcePosition] = *source
+			} else if sourcePosition > 0 {
+				spec.Sources[sourcePosition-1] = *source
+			} else {
+				spec.Sources = append(spec.Sources, *source)
+			}
+		} else {
+			spec.Source = source
+		}
 	}
 	flags.Visit(func(f *pflag.Flag) {
 		visited++
@@ -592,9 +610,7 @@ func constructAppsBaseOnName(appName string, labels, annotations, args []string,
 			Name:      appName,
 			Namespace: appNs,
 		},
-		Spec: argoappv1.ApplicationSpec{
-			Source: &argoappv1.ApplicationSource{},
-		},
+		Spec: argoappv1.ApplicationSpec{},
 	}
 	SetAppSpecOptions(flags, &app.Spec, &appOpts, 0)
 	SetParameterOverrides(app, appOpts.Parameters, 0)
@@ -768,6 +784,47 @@ func ConstructSource(source *argoappv1.ApplicationSource, appOpts AppOptions, fl
 	return source, visited
 }
 
+// constructSourceHydrator constructs a source hydrator from the command line flags. It returns the modified source
+// hydrator and a boolean indicating if any hydrator flags were set. We return instead of just modifying the source
+// hydrator in place because the given hydrator `h` might be nil. In that case, we need to create a new source hydrator
+// and return it.
+func constructSourceHydrator(h *argoappv1.SourceHydrator, appOpts AppOptions, flags *pflag.FlagSet) (*argoappv1.SourceHydrator, bool) {
+	hasHydratorFlag := false
+	ensureNotNil := func(notEmpty bool) {
+		hasHydratorFlag = true
+		if notEmpty && h == nil {
+			h = &argoappv1.SourceHydrator{}
+		}
+	}
+	flags.Visit(func(f *pflag.Flag) {
+		switch f.Name {
+		case "dry-source-repo":
+			ensureNotNil(appOpts.drySourceRepo != "")
+			h.DrySource.RepoURL = appOpts.drySourceRepo
+		case "dry-source-path":
+			ensureNotNil(appOpts.drySourcePath != "")
+			h.DrySource.Path = appOpts.drySourcePath
+		case "dry-source-revision":
+			ensureNotNil(appOpts.drySourceRevision != "")
+			h.DrySource.TargetRevision = appOpts.drySourceRevision
+		case "sync-source-branch":
+			ensureNotNil(appOpts.syncSourceBranch != "")
+			h.SyncSource.TargetBranch = appOpts.syncSourceBranch
+		case "sync-source-path":
+			ensureNotNil(appOpts.syncSourcePath != "")
+			h.SyncSource.Path = appOpts.syncSourcePath
+		case "hydrate-to-branch":
+			ensureNotNil(appOpts.hydrateToBranch != "")
+			if appOpts.hydrateToBranch == "" {
+				h.HydrateTo = nil
+			} else {
+				h.HydrateTo = &argoappv1.HydrateTo{TargetBranch: appOpts.hydrateToBranch}
+			}
+		}
+	})
+	return h, hasHydratorFlag
+}
+
 func mergeLabels(app *argoappv1.Application, labels []string) {
 	mapLabels, err := label.Parse(labels)
 	errors.CheckError(err)

cmd/util/app_test.go

@@ -295,6 +295,28 @@ func Test_setAppSpecOptions(t *testing.T) {
 		require.NoError(t, f.SetFlag("helm-api-versions", "v2"))
 		assert.Equal(t, []string{"v1", "v2"}, f.spec.Source.Helm.APIVersions)
 	})
+	t.Run("source hydrator", func(t *testing.T) {
+		require.NoError(t, f.SetFlag("dry-source-repo", "https://github.com/argoproj/argocd-example-apps"))
+		assert.Equal(t, "https://github.com/argoproj/argocd-example-apps", f.spec.SourceHydrator.DrySource.RepoURL)
+
+		require.NoError(t, f.SetFlag("dry-source-path", "apps"))
+		assert.Equal(t, "apps", f.spec.SourceHydrator.DrySource.Path)
+
+		require.NoError(t, f.SetFlag("dry-source-revision", "HEAD"))
+		assert.Equal(t, "HEAD", f.spec.SourceHydrator.DrySource.TargetRevision)
+
+		require.NoError(t, f.SetFlag("sync-source-branch", "env/test"))
+		assert.Equal(t, "env/test", f.spec.SourceHydrator.SyncSource.TargetBranch)
+
+		require.NoError(t, f.SetFlag("sync-source-path", "apps"))
+		assert.Equal(t, "apps", f.spec.SourceHydrator.SyncSource.Path)
+
+		require.NoError(t, f.SetFlag("hydrate-to-branch", "env/test-next"))
+		assert.Equal(t, "env/test-next", f.spec.SourceHydrator.HydrateTo.TargetBranch)
+
+		require.NoError(t, f.SetFlag("hydrate-to-branch", ""))
+		assert.Nil(t, f.spec.SourceHydrator.HydrateTo)
+	})
 }
 
 func newMultiSourceAppOptionsFixture() *appOptionsFixture {

cmd/util/cluster_test.go

@@ -162,7 +162,7 @@ func TestGetKubePublicEndpoint(t *testing.T) {
 			if tc.clusterInfo != nil {
 				objects = append(objects, tc.clusterInfo)
 			}
-			clientset := fake.NewSimpleClientset(objects...)
+			clientset := fake.NewClientset(objects...)
 			endpoint, err := GetKubePublicEndpoint(clientset)
 			if tc.expectError {
 				require.Error(t, err)

common/common.go

@@ -26,6 +26,8 @@ const (
 const (
 	// DefaultRepoServerAddr is the gRPC address of the Argo CD repo server
 	DefaultRepoServerAddr = "argocd-repo-server:8081"
+	// DefaultCommitServerAddr is the gRPC address of the Argo CD commit server
+	DefaultCommitServerAddr = "argocd-commit-server:8086"
 	// DefaultDexServerAddr is the HTTP address of the Dex OIDC server, which we run a reverse proxy against
 	DefaultDexServerAddr = "argocd-dex-server:5556"
 	// DefaultRedisAddr is the default redis address
@@ -179,6 +181,8 @@ const (
 	LabelValueSecretTypeRepository = "repository"
 	// LabelValueSecretTypeRepoCreds indicates a secret type of repository credentials
 	LabelValueSecretTypeRepoCreds = "repo-creds"
+	// LabelValueSecretTypeRepositoryWrite indicates a secret type of repository credentials for writing
+	LabelValueSecretTypeRepositoryWrite = "repository-write"
 	// LabelValueSecretTypeSCMCreds indicates a secret type of SCM credentials
 	LabelValueSecretTypeSCMCreds = "scm-creds"
 

common/common_test.go

@@ -92,7 +92,7 @@ func TestSetOptionalRedisPasswordFromKubeConfig(t *testing.T) {
 			t.Parallel()
 			var (
 				ctx          = context.TODO()
-				kubeClient   = kubefake.NewSimpleClientset()
+				kubeClient   = kubefake.NewClientset()
 				redisOptions = &redis.Options{}
 			)
 			if tc.secret != nil {

controller/appcontroller.go

@@ -42,8 +42,10 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
 
+	commitclient "github.com/argoproj/argo-cd/v2/commitserver/apiclient"
 	"github.com/argoproj/argo-cd/v2/common"
 	statecache "github.com/argoproj/argo-cd/v2/controller/cache"
+	"github.com/argoproj/argo-cd/v2/controller/hydrator"
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
 	"github.com/argoproj/argo-cd/v2/controller/sharding"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
@@ -121,6 +123,8 @@ type ApplicationController struct {
 	appComparisonTypeRefreshQueue workqueue.TypedRateLimitingInterface[string]
 	appOperationQueue             workqueue.TypedRateLimitingInterface[string]
 	projectRefreshQueue           workqueue.TypedRateLimitingInterface[string]
+	appHydrateQueue               workqueue.TypedRateLimitingInterface[string]
+	hydrationQueue                workqueue.TypedRateLimitingInterface[hydrator.HydrationQueueKey]
 	appInformer                   cache.SharedIndexInformer
 	appLister                     applisters.ApplicationLister
 	projInformer                  cache.SharedIndexInformer
@@ -146,6 +150,8 @@ type ApplicationController struct {
 	// dynamicClusterDistributionEnabled if disabled deploymentInformer is never initialized
 	dynamicClusterDistributionEnabled bool
 	deploymentInformer                informerv1.DeploymentInformer
+
+	hydrator *hydrator.Hydrator
 }
 
 // NewApplicationController creates new instance of ApplicationController.
@@ -155,6 +161,7 @@ func NewApplicationController(
 	kubeClientset kubernetes.Interface,
 	applicationClientset appclientset.Interface,
 	repoClientset apiclient.Clientset,
+	commitClientset commitclient.Clientset,
 	argoCache *appstatecache.Cache,
 	kubectl kube.Kubectl,
 	appResyncPeriod time.Duration,
@@ -177,6 +184,7 @@ func NewApplicationController(
 	dynamicClusterDistributionEnabled bool,
 	ignoreNormalizerOpts normalizers.IgnoreNormalizerOpts,
 	enableK8sEvent []string,
+	hydratorEnabled bool,
 ) (*ApplicationController, error) {
 	log.Infof("appResyncPeriod=%v, appHardResyncPeriod=%v, appResyncJitter=%v", appResyncPeriod, appHardResyncPeriod, appResyncJitter)
 	db := db.NewDB(namespace, settingsMgr, kubeClientset)
@@ -190,10 +198,12 @@ func NewApplicationController(
 		kubeClientset:                     kubeClientset,
 		kubectl:                           kubectl,
 		applicationClientset:              applicationClientset,
-		appRefreshQueue:                   workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_reconciliation_queue"}),
-		appOperationQueue:                 workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_operation_processing_queue"}),
-		projectRefreshQueue:               workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "project_reconciliation_queue"}),
-		appComparisonTypeRefreshQueue:     workqueue.NewTypedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter(rateLimiterConfig)),
+		appRefreshQueue:                   workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_reconciliation_queue"}),
+		appOperationQueue:                 workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_operation_processing_queue"}),
+		projectRefreshQueue:               workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "project_reconciliation_queue"}),
+		appComparisonTypeRefreshQueue:     workqueue.NewTypedRateLimitingQueue(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig)),
+		appHydrateQueue:                   workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[string](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[string]{Name: "app_hydration_queue"}),
+		hydrationQueue:                    workqueue.NewTypedRateLimitingQueueWithConfig(ratelimiter.NewCustomAppControllerRateLimiter[hydrator.HydrationQueueKey](rateLimiterConfig), workqueue.TypedRateLimitingQueueConfig[hydrator.HydrationQueueKey]{Name: "manifest_hydration_queue"}),
 		db:                                db,
 		statusRefreshTimeout:              appResyncPeriod,
 		statusHardRefreshTimeout:          appHardResyncPeriod,
@@ -211,6 +221,9 @@ func NewApplicationController(
 		dynamicClusterDistributionEnabled: dynamicClusterDistributionEnabled,
 		ignoreNormalizerOpts:              ignoreNormalizerOpts,
 	}
+	if hydratorEnabled {
+		ctrl.hydrator = hydrator.NewHydrator(&ctrl, appResyncPeriod, commitClientset)
+	}
 	if kubectlParallelismLimit > 0 {
 		ctrl.kubectlSemaphore = semaphore.NewWeighted(kubectlParallelismLimit)
 	}
@@ -845,6 +858,8 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int
 	defer ctrl.appComparisonTypeRefreshQueue.ShutDown()
 	defer ctrl.appOperationQueue.ShutDown()
 	defer ctrl.projectRefreshQueue.ShutDown()
+	defer ctrl.appHydrateQueue.ShutDown()
+	defer ctrl.hydrationQueue.ShutDown()
 
 	ctrl.metricsServer.RegisterClustersInfoSource(ctx, ctrl.stateCache)
 	ctrl.RegisterClusterSecretUpdater(ctx)
@@ -903,6 +918,19 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int
 		for ctrl.processProjectQueueItem() {
 		}
 	}, time.Second, ctx.Done())
+
+	if ctrl.hydrator != nil {
+		go wait.Until(func() {
+			for ctrl.processAppHydrateQueueItem() {
+			}
+		}, time.Second, ctx.Done())
+
+		go wait.Until(func() {
+			for ctrl.processHydrationQueueItem() {
+			}
+		}, time.Second, ctx.Done())
+	}
+
 	<-ctx.Done()
 }
 
@@ -1774,6 +1802,68 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	return
 }
 
+func (ctrl *ApplicationController) processAppHydrateQueueItem() (processNext bool) {
+	appKey, shutdown := ctrl.appHydrateQueue.Get()
+	if shutdown {
+		processNext = false
+		return
+	}
+	processNext = true
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+		}
+		ctrl.appHydrateQueue.Done(appKey)
+	}()
+	obj, exists, err := ctrl.appInformer.GetIndexer().GetByKey(appKey)
+	if err != nil {
+		log.Errorf("Failed to get application '%s' from informer index: %+v", appKey, err)
+		return
+	}
+	if !exists {
+		// This happens after app was deleted, but the work queue still had an entry for it.
+		return
+	}
+	origApp, ok := obj.(*appv1.Application)
+	if !ok {
+		log.Warnf("Key '%s' in index is not an application", appKey)
+		return
+	}
+
+	ctrl.hydrator.ProcessAppHydrateQueueItem(origApp)
+
+	getAppLog(origApp).Debug("Successfully processed app hydrate queue item")
+	return
+}
+
+func (ctrl *ApplicationController) processHydrationQueueItem() (processNext bool) {
+	hydrationKey, shutdown := ctrl.hydrationQueue.Get()
+	if shutdown {
+		processNext = false
+		return
+	}
+	processNext = true
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+		}
+		ctrl.hydrationQueue.Done(hydrationKey)
+	}()
+
+	logCtx := log.WithFields(log.Fields{
+		"sourceRepoURL":        hydrationKey.SourceRepoURL,
+		"sourceTargetRevision": hydrationKey.SourceTargetRevision,
+		"destinationBranch":    hydrationKey.DestinationBranch,
+	})
+
+	logCtx.Debug("Processing hydration queue item")
+
+	ctrl.hydrator.ProcessHydrationQueueItem(hydrationKey)
+
+	logCtx.Debug("Successfully processed hydration queue item")
+	return
+}
+
 func resourceStatusKey(res appv1.ResourceStatus) string {
 	return strings.Join([]string{res.Group, res.Kind, res.Namespace, res.Name}, "/")
 }
@@ -1782,7 +1872,8 @@ func currentSourceEqualsSyncedSource(app *appv1.Application) bool {
 	if app.Spec.HasMultipleSources() {
 		return app.Spec.Sources.Equals(app.Status.Sync.ComparedTo.Sources)
 	}
-	return app.Spec.Source.Equals(&app.Status.Sync.ComparedTo.Source)
+	source := app.Spec.GetSource()
+	return source.Equals(&app.Status.Sync.ComparedTo.Source)
 }
 
 // needRefreshAppStatus answers if application status needs to be refreshed.
@@ -1918,6 +2009,7 @@ func (ctrl *ApplicationController) persistAppStatus(orig *appv1.Application, new
 			newAnnotations[k] = v
 		}
 		delete(newAnnotations, appv1.AnnotationKeyRefresh)
+		delete(newAnnotations, appv1.AnnotationKeyHydrate)
 	}
 	patch, modified, err := createMergePatch(
 		&appv1.Application{ObjectMeta: metav1.ObjectMeta{Annotations: orig.GetAnnotations()}, Status: orig.Status},
@@ -2325,6 +2417,9 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 				if !newOK || (delay != nil && *delay != time.Duration(0)) {
 					ctrl.appOperationQueue.AddRateLimited(key)
 				}
+				if ctrl.hydrator != nil {
+					ctrl.appHydrateQueue.AddRateLimited(newApp.QualifiedName())
+				}
 				ctrl.clusterSharding.UpdateApp(newApp)
 			},
 			DeleteFunc: func(obj interface{}) {

controller/appcontroller_test.go

@@ -42,6 +42,7 @@ import (
 
 	dbmocks "github.com/argoproj/argo-cd/v2/util/db/mocks"
 
+	mockcommitclient "github.com/argoproj/argo-cd/v2/commitserver/apiclient/mocks"
 	mockstatecache "github.com/argoproj/argo-cd/v2/controller/cache/mocks"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/fake"
@@ -126,6 +127,8 @@ func newFakeControllerWithResync(data *fakeData, appResyncPeriod time.Duration,
 
 	mockRepoClientset := mockrepoclient.Clientset{RepoServerServiceClient: &mockRepoClient}
 
+	mockCommitClientset := mockcommitclient.Clientset{}
+
 	secret := corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "argocd-secret",
@@ -148,7 +151,7 @@ func newFakeControllerWithResync(data *fakeData, appResyncPeriod time.Duration,
 	}
 	runtimeObjs := []runtime.Object{&clust, &secret, &cm}
 	runtimeObjs = append(runtimeObjs, data.additionalObjs...)
-	kubeClient := fake.NewSimpleClientset(runtimeObjs...)
+	kubeClient := fake.NewClientset(runtimeObjs...)
 	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, test.FakeArgoCDNamespace)
 	kubectl := &MockKubectl{Kubectl: &kubetest.MockKubectlCmd{}}
 	ctrl, err := NewApplicationController(
@@ -157,6 +160,7 @@ func newFakeControllerWithResync(data *fakeData, appResyncPeriod time.Duration,
 		kubeClient,
 		appclientset.NewSimpleClientset(data.apps...),
 		&mockRepoClientset,
+		&mockCommitClientset,
 		appstatecache.NewCache(
 			cacheutil.NewCache(cacheutil.NewInMemoryCache(1*time.Minute)),
 			1*time.Minute,
@@ -182,6 +186,7 @@ func newFakeControllerWithResync(data *fakeData, appResyncPeriod time.Duration,
 		false,
 		normalizers.IgnoreNormalizerOpts{},
 		testEnableEventList,
+		false,
 	)
 	db := &dbmocks.ArgoDB{}
 	db.On("GetApplicationControllerReplicas").Return(1)

controller/cache/cache.go

@@ -69,6 +69,12 @@ const (
 	// EnvClusterCacheRetryUseBackoff is the env variable to control whether to use a backoff strategy with the retry during cluster cache sync
 	EnvClusterCacheRetryUseBackoff = "ARGOCD_CLUSTER_CACHE_RETRY_USE_BACKOFF"
 
+	// EnvClusterCacheBatchEventsProcessing is the env variable to control whether to enable batch events processing
+	EnvClusterCacheBatchEventsProcessing = "ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING"
+
+	// EnvClusterCacheEventsProcessingInterval is the env variable to control the interval between processing events when BatchEventsProcessing is enabled
+	EnvClusterCacheEventsProcessingInterval = "ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL"
+
 	// AnnotationIgnoreResourceUpdates when set to true on an untracked resource,
 	// argo will apply `ignoreResourceUpdates` configuration on it.
 	AnnotationIgnoreResourceUpdates = "argocd.argoproj.io/ignore-resource-updates"
@@ -103,6 +109,12 @@ var (
 
 	// clusterCacheRetryUseBackoff specifies whether to use a backoff strategy on cluster cache sync, if retry is enabled
 	clusterCacheRetryUseBackoff bool = false
+
+	// clusterCacheBatchEventsProcessing specifies whether to enable batch events processing
+	clusterCacheBatchEventsProcessing bool = false
+
+	// clusterCacheEventsProcessingInterval specifies the interval between processing events when BatchEventsProcessing is enabled
+	clusterCacheEventsProcessingInterval = 100 * time.Millisecond
 )
 
 func init() {
@@ -114,6 +126,8 @@ func init() {
 	clusterCacheListSemaphoreSize = env.ParseInt64FromEnv(EnvClusterCacheListSemaphore, clusterCacheListSemaphoreSize, 0, math.MaxInt64)
 	clusterCacheAttemptLimit = int32(env.ParseNumFromEnv(EnvClusterCacheAttemptLimit, int(clusterCacheAttemptLimit), 1, math.MaxInt32))
 	clusterCacheRetryUseBackoff = env.ParseBoolFromEnv(EnvClusterCacheRetryUseBackoff, false)
+	clusterCacheBatchEventsProcessing = env.ParseBoolFromEnv(EnvClusterCacheBatchEventsProcessing, false)
+	clusterCacheEventsProcessingInterval = env.ParseDurationFromEnv(EnvClusterCacheEventsProcessingInterval, clusterCacheEventsProcessingInterval, 0, math.MaxInt64)
 }
 
 type LiveStateCache interface {
@@ -554,6 +568,8 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetLogr(logutils.NewLogrusLogger(log.WithField("server", cluster.Server))),
 		clustercache.SetRetryOptions(clusterCacheAttemptLimit, clusterCacheRetryUseBackoff, isRetryableError),
 		clustercache.SetRespectRBAC(respectRBAC),
+		clustercache.SetBatchEventsProcessing(clusterCacheBatchEventsProcessing),
+		clustercache.SetEventProcessingInterval(clusterCacheEventsProcessingInterval),
 	}
 
 	clusterCache = clustercache.NewClusterCache(clusterCacheConfig, clusterCacheOpts...)
@@ -608,6 +624,10 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		c.metricsServer.IncClusterEventsCount(cluster.Server, gvk.Group, gvk.Kind)
 	})
 
+	_ = clusterCache.OnProcessEventsHandler(func(duration time.Duration, processedEventsNumber int) {
+		c.metricsServer.ObserveResourceEventsProcessingDuration(cluster.Server, duration, processedEventsNumber)
+	})
+
 	c.clusters[server] = clusterCache
 
 	return clusterCache, nil

controller/cache/cache_test.go

@@ -140,7 +140,7 @@ func TestHandleDeleteEvent_CacheDeadlock(t *testing.T) {
 	}
 	db := &dbmocks.ArgoDB{}
 	db.On("GetApplicationControllerReplicas").Return(1)
-	fakeClient := fake.NewSimpleClientset()
+	fakeClient := fake.NewClientset()
 	settingsMgr := argosettings.NewSettingsManager(context.TODO(), fakeClient, "argocd")
 	liveStateCacheLock := sync.RWMutex{}
 	gitopsEngineClusterCache := &mocks.ClusterCache{}

controller/clusterinfoupdater_test.go

@@ -67,7 +67,7 @@ func TestClusterSecretUpdater(t *testing.T) {
 			"server.secretkey": nil,
 		},
 	}
-	kubeclientset := fake.NewSimpleClientset(emptyArgoCDConfigMap, argoCDSecret)
+	kubeclientset := fake.NewClientset(emptyArgoCDConfigMap, argoCDSecret)
 	appclientset := appsfake.NewSimpleClientset()
 	appInformer := appinformers.NewApplicationInformer(appclientset, "", time.Minute, cache.Indexers{})
 	settingsManager := settings.NewSettingsManager(context.Background(), kubeclientset, fakeNamespace)

controller/hook.go

@@ -51,7 +51,7 @@ func (ctrl *ApplicationController) executePostDeleteHooks(app *v1alpha1.Applicat
 		revisions = append(revisions, src.TargetRevision)
 	}
 
-	targets, _, _, err := ctrl.appStateManager.GetRepoObjs(app, app.Spec.GetSources(), appLabelKey, revisions, false, false, false, proj, false)
+	targets, _, _, err := ctrl.appStateManager.GetRepoObjs(app, app.Spec.GetSources(), appLabelKey, revisions, false, false, false, proj, false, true)
 	if err != nil {
 		return false, err
 	}

controller/hydrator/hydrator.go

@@ -0,0 +1,352 @@
+package hydrator
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	commitclient "github.com/argoproj/argo-cd/v2/commitserver/apiclient"
+	"github.com/argoproj/argo-cd/v2/controller/utils"
+	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	argoio "github.com/argoproj/argo-cd/v2/util/io"
+)
+
+// Dependencies is the interface for the dependencies of the Hydrator. It serves two purposes: 1) it prevents the
+// hydrator from having direct access to the app controller, and 2) it allows for easy mocking of dependencies in tests.
+// If you add something here, be sure that it is something the app controller needs to provide to the hydrator.
+type Dependencies interface {
+	// TODO: determine if we actually need to get the app, or if all the stuff we need the app for is done already on
+	//       the app controller side.
+	GetProcessableAppProj(app *appv1.Application) (*appv1.AppProject, error)
+	GetProcessableApps() (*appv1.ApplicationList, error)
+	GetRepoObjs(app *appv1.Application, source appv1.ApplicationSource, revision string, project *appv1.AppProject) ([]*unstructured.Unstructured, *apiclient.ManifestResponse, error)
+	GetWriteCredentials(ctx context.Context, repoURL string, project string) (*appv1.Repository, error)
+	RequestAppRefresh(appName string)
+	// TODO: only allow access to the hydrator status
+	PersistAppHydratorStatus(orig *appv1.Application, newStatus *appv1.SourceHydratorStatus)
+	AddHydrationQueueItem(key HydrationQueueKey)
+}
+
+type Hydrator struct {
+	dependencies         Dependencies
+	statusRefreshTimeout time.Duration
+	commitClientset      commitclient.Clientset
+}
+
+func NewHydrator(dependencies Dependencies, statusRefreshTimeout time.Duration, commitClientset commitclient.Clientset) *Hydrator {
+	return &Hydrator{
+		dependencies:         dependencies,
+		statusRefreshTimeout: statusRefreshTimeout,
+		commitClientset:      commitClientset,
+	}
+}
+
+func (h *Hydrator) ProcessAppHydrateQueueItem(origApp *appv1.Application) {
+	origApp = origApp.DeepCopy()
+	app := origApp.DeepCopy()
+
+	if app.Spec.SourceHydrator == nil {
+		return
+	}
+
+	logCtx := utils.GetAppLog(app)
+
+	logCtx.Debug("Processing app hydrate queue item")
+
+	// TODO: don't reuse statusRefreshTimeout. Create a new timeout for hydration.
+	needsHydration, reason := appNeedsHydration(origApp, h.statusRefreshTimeout)
+	if !needsHydration {
+		return
+	}
+
+	logCtx.WithField("reason", reason).Info("Hydrating app")
+
+	app.Status.SourceHydrator.CurrentOperation = &appv1.HydrateOperation{
+		StartedAt:      metav1.Now(),
+		FinishedAt:     nil,
+		Phase:          appv1.HydrateOperationPhaseHydrating,
+		SourceHydrator: *app.Spec.SourceHydrator,
+	}
+	h.dependencies.PersistAppHydratorStatus(origApp, &app.Status.SourceHydrator)
+	origApp.Status.SourceHydrator = app.Status.SourceHydrator
+	h.dependencies.AddHydrationQueueItem(getHydrationQueueKey(app))
+
+	logCtx.Debug("Successfully processed app hydrate queue item")
+}
+
+func getHydrationQueueKey(app *appv1.Application) HydrationQueueKey {
+	destinationBranch := app.Spec.SourceHydrator.SyncSource.TargetBranch
+	if app.Spec.SourceHydrator.HydrateTo != nil {
+		destinationBranch = app.Spec.SourceHydrator.HydrateTo.TargetBranch
+	}
+	key := HydrationQueueKey{
+		SourceRepoURL:        app.Spec.SourceHydrator.DrySource.RepoURL,
+		SourceTargetRevision: app.Spec.SourceHydrator.DrySource.TargetRevision,
+		DestinationBranch:    destinationBranch,
+	}
+	return key
+}
+
+type HydrationQueueKey struct {
+	SourceRepoURL        string
+	SourceTargetRevision string
+	DestinationBranch    string
+}
+
+// uniqueHydrationDestination is used to detect duplicate hydrate destinations.
+type uniqueHydrationDestination struct {
+	sourceRepoURL        string
+	sourceTargetRevision string
+	destinationBranch    string
+	destinationPath      string
+}
+
+func (h *Hydrator) ProcessHydrationQueueItem(hydrationKey HydrationQueueKey) (processNext bool) {
+	logCtx := log.WithFields(log.Fields{
+		"sourceRepoURL":        hydrationKey.SourceRepoURL,
+		"sourceTargetRevision": hydrationKey.SourceTargetRevision,
+		"destinationBranch":    hydrationKey.DestinationBranch,
+	})
+
+	relevantApps, drySHA, hydratedSHA, err := h.hydrateAppsLatestCommit(logCtx, hydrationKey)
+	if drySHA != "" {
+		logCtx = logCtx.WithField("drySHA", drySHA)
+	}
+	if err != nil {
+		logCtx.WithField("appCount", len(relevantApps)).WithError(err).Error("Failed to hydrate apps")
+		for _, app := range relevantApps {
+			origApp := app.DeepCopy()
+			app.Status.SourceHydrator.CurrentOperation.Phase = appv1.HydrateOperationPhaseFailed
+			failedAt := metav1.Now()
+			app.Status.SourceHydrator.CurrentOperation.FinishedAt = &failedAt
+			app.Status.SourceHydrator.CurrentOperation.Message = fmt.Sprintf("Failed to hydrate revision %q: %v", drySHA, err.Error())
+			// We may or may not have gotten far enough in the hydration process to get a non-empty SHA, but set it just
+			// in case we did.
+			app.Status.SourceHydrator.CurrentOperation.DrySHA = drySHA
+			h.dependencies.PersistAppHydratorStatus(origApp, &app.Status.SourceHydrator)
+			logCtx = logCtx.WithField("app", app.QualifiedName())
+			logCtx.Errorf("Failed to hydrate app: %v", err)
+		}
+		return
+	}
+	logCtx.WithField("appCount", len(relevantApps)).Debug("Successfully hydrated apps")
+	finishedAt := metav1.Now()
+	for _, app := range relevantApps {
+		origApp := app.DeepCopy()
+		operation := &appv1.HydrateOperation{
+			StartedAt:      app.Status.SourceHydrator.CurrentOperation.StartedAt,
+			FinishedAt:     &finishedAt,
+			Phase:          appv1.HydrateOperationPhaseHydrated,
+			Message:        "",
+			DrySHA:         drySHA,
+			HydratedSHA:    hydratedSHA,
+			SourceHydrator: app.Status.SourceHydrator.CurrentOperation.SourceHydrator,
+		}
+		app.Status.SourceHydrator.CurrentOperation = operation
+		app.Status.SourceHydrator.LastSuccessfulOperation = &appv1.SuccessfulHydrateOperation{
+			DrySHA:         drySHA,
+			HydratedSHA:    hydratedSHA,
+			SourceHydrator: app.Status.SourceHydrator.CurrentOperation.SourceHydrator,
+		}
+		h.dependencies.PersistAppHydratorStatus(origApp, &app.Status.SourceHydrator)
+		// Request a refresh since we pushed a new commit.
+		h.dependencies.RequestAppRefresh(app.QualifiedName())
+	}
+	return
+}
+
+func (h *Hydrator) hydrateAppsLatestCommit(logCtx *log.Entry, hydrationKey HydrationQueueKey) ([]*appv1.Application, string, string, error) {
+	relevantApps, err := h.getRelevantAppsForHydration(logCtx, hydrationKey)
+	if err != nil {
+		return nil, "", "", fmt.Errorf("failed to get relevant apps for hydration: %w", err)
+	}
+
+	dryRevision, hydratedRevision, err := h.hydrate(logCtx, relevantApps)
+	if err != nil {
+		return relevantApps, dryRevision, "", fmt.Errorf("failed to hydrate apps: %w", err)
+	}
+
+	return relevantApps, dryRevision, hydratedRevision, nil
+}
+
+func (h *Hydrator) getRelevantAppsForHydration(logCtx *log.Entry, hydrationKey HydrationQueueKey) ([]*appv1.Application, error) {
+	// Get all apps
+	apps, err := h.dependencies.GetProcessableApps()
+	if err != nil {
+		return nil, fmt.Errorf("failed to list apps: %w", err)
+	}
+
+	var relevantApps []*appv1.Application
+	uniqueDestinations := make(map[uniqueHydrationDestination]bool, len(apps.Items))
+	for _, app := range apps.Items {
+		if app.Spec.SourceHydrator == nil {
+			continue
+		}
+
+		if app.Spec.SourceHydrator.DrySource.RepoURL != hydrationKey.SourceRepoURL ||
+			app.Spec.SourceHydrator.DrySource.TargetRevision != hydrationKey.SourceTargetRevision {
+			continue
+		}
+		destinationBranch := app.Spec.SourceHydrator.SyncSource.TargetBranch
+		if app.Spec.SourceHydrator.HydrateTo != nil {
+			destinationBranch = app.Spec.SourceHydrator.HydrateTo.TargetBranch
+		}
+		if destinationBranch != hydrationKey.DestinationBranch {
+			continue
+		}
+
+		var proj *appv1.AppProject
+		proj, err = h.dependencies.GetProcessableAppProj(&app)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get project %q for app %q: %w", app.Spec.Project, app.QualifiedName(), err)
+		}
+		permitted := proj.IsSourcePermitted(app.Spec.GetSource())
+		if !permitted {
+			// Log and skip. We don't want to fail the entire operation because of one app.
+			logCtx.Warnf("App %q is not permitted to use source %q", app.QualifiedName(), app.Spec.Source.String())
+			continue
+		}
+
+		uniqueDestinationKey := uniqueHydrationDestination{
+			sourceRepoURL:        app.Spec.SourceHydrator.DrySource.RepoURL,
+			sourceTargetRevision: app.Spec.SourceHydrator.DrySource.TargetRevision,
+			destinationBranch:    destinationBranch,
+			destinationPath:      app.Spec.SourceHydrator.SyncSource.Path,
+		}
+		// TODO: test the dupe detection
+		if _, ok := uniqueDestinations[uniqueDestinationKey]; ok {
+			return nil, fmt.Errorf("multiple app hydrators use the same destination: %v", uniqueDestinationKey)
+		}
+		uniqueDestinations[uniqueDestinationKey] = true
+
+		relevantApps = append(relevantApps, &app)
+	}
+	return relevantApps, nil
+}
+
+func (h *Hydrator) hydrate(logCtx *log.Entry, apps []*appv1.Application) (string, string, error) {
+	if len(apps) == 0 {
+		return "", "", nil
+	}
+	repoURL := apps[0].Spec.SourceHydrator.DrySource.RepoURL
+	syncBranch := apps[0].Spec.SourceHydrator.SyncSource.TargetBranch
+	targetBranch := apps[0].Spec.GetHydrateToSource().TargetRevision
+	var paths []*commitclient.PathDetails
+	projects := make(map[string]bool, len(apps))
+	var targetRevision string
+	// TODO: parallelize this loop
+	for _, app := range apps {
+		project, err := h.dependencies.GetProcessableAppProj(app)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get project: %w", err)
+		}
+		projects[project.Name] = true
+		drySource := appv1.ApplicationSource{
+			RepoURL:        app.Spec.SourceHydrator.DrySource.RepoURL,
+			Path:           app.Spec.SourceHydrator.DrySource.Path,
+			TargetRevision: app.Spec.SourceHydrator.DrySource.TargetRevision,
+		}
+		if targetRevision == "" {
+			targetRevision = app.Spec.SourceHydrator.DrySource.TargetRevision
+		}
+
+		// TODO: enable signature verification
+		objs, resp, err := h.dependencies.GetRepoObjs(app, drySource, targetRevision, project)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to get repo objects: %w", err)
+		}
+
+		// This should be the DRY SHA. We set it here so that after processing the first app, all apps are hydrated
+		// using the same SHA.
+		targetRevision = resp.Revision
+
+		// Set up a ManifestsRequest
+		manifestDetails := make([]*commitclient.HydratedManifestDetails, len(objs))
+		for i, obj := range objs {
+			objJson, err := json.Marshal(obj)
+			if err != nil {
+				return "", "", fmt.Errorf("failed to marshal object: %w", err)
+			}
+			manifestDetails[i] = &commitclient.HydratedManifestDetails{ManifestJSON: string(objJson)}
+		}
+
+		paths = append(paths, &commitclient.PathDetails{
+			Path:      app.Spec.SourceHydrator.SyncSource.Path,
+			Manifests: manifestDetails,
+			Commands:  resp.Commands,
+		})
+	}
+
+	// If all the apps are under the same project, use that project. Otherwise, use an empty string to indicate that we
+	// need global creds.
+	project := ""
+	if len(projects) == 1 {
+		for p := range projects {
+			project = p
+		}
+	}
+
+	repo, err := h.dependencies.GetWriteCredentials(context.Background(), repoURL, project)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to get hydrator credentials: %w", err)
+	}
+	if repo == nil {
+		// Try without credentials.
+		repo = &appv1.Repository{
+			Repo: repoURL,
+		}
+		logCtx.Warn("no credentials found for repo, continuing without credentials")
+	}
+
+	manifestsRequest := commitclient.CommitHydratedManifestsRequest{
+		Repo:          repo,
+		SyncBranch:    syncBranch,
+		TargetBranch:  targetBranch,
+		DrySha:        targetRevision,
+		CommitMessage: fmt.Sprintf("[Argo CD Bot] hydrate %s", targetRevision),
+		Paths:         paths,
+	}
+
+	closer, commitService, err := h.commitClientset.NewCommitServerClient()
+	if err != nil {
+		return targetRevision, "", fmt.Errorf("failed to create commit service: %w", err)
+	}
+	defer argoio.Close(closer)
+	resp, err := commitService.CommitHydratedManifests(context.Background(), &manifestsRequest)
+	if err != nil {
+		return targetRevision, "", fmt.Errorf("failed to commit hydrated manifests: %w", err)
+	}
+	return targetRevision, resp.HydratedSha, nil
+}
+
+// appNeedsHydration answers if application needs manifests hydrated.
+func appNeedsHydration(app *appv1.Application, statusHydrateTimeout time.Duration) (needsHydration bool, reason string) {
+	if app.Spec.SourceHydrator == nil {
+		return false, "source hydrator not configured"
+	}
+
+	var hydratedAt *metav1.Time
+	if app.Status.SourceHydrator.CurrentOperation != nil {
+		hydratedAt = &app.Status.SourceHydrator.CurrentOperation.StartedAt
+	}
+
+	if app.IsHydrateRequested() {
+		return true, "hydrate requested"
+	} else if app.Status.SourceHydrator.CurrentOperation == nil {
+		return true, "no previous hydrate operation"
+	} else if !app.Spec.SourceHydrator.DeepEquals(app.Status.SourceHydrator.CurrentOperation.SourceHydrator) {
+		return true, "spec.sourceHydrator differs"
+	} else if app.Status.SourceHydrator.CurrentOperation.Phase == appv1.HydrateOperationPhaseFailed && metav1.Now().Sub(app.Status.SourceHydrator.CurrentOperation.FinishedAt.Time) > 2*time.Minute {
+		return true, "previous hydrate operation failed more than 2 minutes ago"
+	} else if hydratedAt == nil || hydratedAt.Add(statusHydrateTimeout).Before(time.Now().UTC()) {
+		return true, "hydration expired"
+	}
+
+	return false, ""
+}

controller/hydrator/hydrator_test.go

@@ -0,0 +1,103 @@
+package hydrator
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func Test_appNeedsHydration(t *testing.T) {
+	t.Parallel()
+
+	now := metav1.NewTime(time.Now())
+	oneHourAgo := metav1.NewTime(now.Add(-1 * time.Hour))
+
+	testCases := []struct {
+		name                   string
+		app                    *v1alpha1.Application
+		timeout                time.Duration
+		expectedNeedsHydration bool
+		expectedMessage        string
+	}{
+		{
+			name:                   "source hydrator not configured",
+			app:                    &v1alpha1.Application{},
+			expectedNeedsHydration: false,
+			expectedMessage:        "source hydrator not configured",
+		},
+		{
+			name: "hydrate requested",
+			app: &v1alpha1.Application{
+				ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{v1alpha1.AnnotationKeyHydrate: "normal"}},
+				Spec:       v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: true,
+			expectedMessage:        "hydrate requested",
+		},
+		{
+			name: "no previous hydrate operation",
+			app: &v1alpha1.Application{
+				Spec: v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: true,
+			expectedMessage:        "no previous hydrate operation",
+		},
+		{
+			name: "spec.sourceHydrator differs",
+			app: &v1alpha1.Application{
+				Spec: v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{
+					SourceHydrator: v1alpha1.SourceHydrator{DrySource: v1alpha1.DrySource{RepoURL: "something new"}},
+				}}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: true,
+			expectedMessage:        "spec.sourceHydrator differs",
+		},
+		{
+			name: "hydration failed more than two minutes ago",
+			app: &v1alpha1.Application{
+				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{DrySHA: "abc123", FinishedAt: &oneHourAgo, Phase: v1alpha1.HydrateOperationPhaseFailed}}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: true,
+			expectedMessage:        "previous hydrate operation failed more than 2 minutes ago",
+		},
+		{
+			name: "timeout reached",
+			app: &v1alpha1.Application{
+				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{StartedAt: oneHourAgo}}},
+			},
+			timeout:                1 * time.Minute,
+			expectedNeedsHydration: true,
+			expectedMessage:        "hydration expired",
+		},
+		{
+			name: "hydrate not needed",
+			app: &v1alpha1.Application{
+				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{DrySHA: "abc123", StartedAt: now, FinishedAt: &now, Phase: v1alpha1.HydrateOperationPhaseFailed}}},
+			},
+			timeout:                1 * time.Hour,
+			expectedNeedsHydration: false,
+			expectedMessage:        "",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			needsHydration, message := appNeedsHydration(tc.app, tc.timeout)
+			assert.Equal(t, tc.expectedNeedsHydration, needsHydration)
+			assert.Equal(t, tc.expectedMessage, message)
+		})
+	}
+}

controller/hydrator_dependencies.go

@@ -0,0 +1,71 @@
+package controller
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/argoproj/argo-cd/v2/controller/hydrator"
+	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+/**
+This file implements the hydrator.Dependencies interface for the ApplicationController.
+
+Hydration logic does not belong in this file. The methods here should be "bookkeeping" methods that keep hydration work
+in the hydrator and app controller work in the app controller. The only purpose of this file is to provide the hydrator
+safe, minimal access to certain app controller functionality to avoid duplicate code.
+*/
+
+func (ctrl *ApplicationController) GetProcessableAppProj(app *appv1.Application) (*appv1.AppProject, error) {
+	return ctrl.getAppProj(app)
+}
+
+// GetProcessableApps returns a list of applications that are processable by the controller.
+func (ctrl *ApplicationController) GetProcessableApps() (*appv1.ApplicationList, error) {
+	// getAppList already filters out applications that are not processable by the controller.
+	return ctrl.getAppList(metav1.ListOptions{})
+}
+
+func (ctrl *ApplicationController) GetRepoObjs(app *appv1.Application, source appv1.ApplicationSource, revision string, project *appv1.AppProject) ([]*unstructured.Unstructured, *apiclient.ManifestResponse, error) {
+	sources := []appv1.ApplicationSource{source}
+	revisions := []string{revision}
+
+	appLabelKey, err := ctrl.settingsMgr.GetAppInstanceLabelKey()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get app instance label key: %w", err)
+	}
+
+	// FIXME: use cache and revision cache
+	objs, resp, _, err := ctrl.appStateManager.GetRepoObjs(app, sources, appLabelKey, revisions, true, true, false, project, false, false)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get repo objects: %w", err)
+	}
+
+	if len(resp) != 1 {
+		return nil, nil, fmt.Errorf("expected one manifest response, got %d", len(resp))
+	}
+
+	return objs, resp[0], nil
+}
+
+func (ctrl *ApplicationController) GetWriteCredentials(ctx context.Context, repoURL string, project string) (*appv1.Repository, error) {
+	return ctrl.db.GetWriteRepository(ctx, repoURL, project)
+}
+
+func (ctrl *ApplicationController) RequestAppRefresh(appName string) {
+	ctrl.requestAppRefresh(appName, CompareWithLatest.Pointer(), nil)
+}
+
+func (ctrl *ApplicationController) PersistAppHydratorStatus(orig *appv1.Application, newStatus *appv1.SourceHydratorStatus) {
+	status := orig.Status.DeepCopy()
+	status.SourceHydrator = *newStatus
+	ctrl.persistAppStatus(orig, status)
+}
+
+func (ctrl *ApplicationController) AddHydrationQueueItem(key hydrator.HydrationQueueKey) {
+	ctrl.hydrationQueue.AddRateLimited(key)
+}

controller/metrics/metrics.go

@@ -30,18 +30,20 @@ import (
 
 type MetricsServer struct {
 	*http.Server
-	syncCounter             *prometheus.CounterVec
-	kubectlExecCounter      *prometheus.CounterVec
-	kubectlExecPendingGauge *prometheus.GaugeVec
-	orphanedResourcesGauge  *prometheus.GaugeVec
-	k8sRequestCounter       *prometheus.CounterVec
-	clusterEventsCounter    *prometheus.CounterVec
-	redisRequestCounter     *prometheus.CounterVec
-	reconcileHistogram      *prometheus.HistogramVec
-	redisRequestHistogram   *prometheus.HistogramVec
-	registry                *prometheus.Registry
-	hostname                string
-	cron                    *cron.Cron
+	syncCounter                       *prometheus.CounterVec
+	kubectlExecCounter                *prometheus.CounterVec
+	kubectlExecPendingGauge           *prometheus.GaugeVec
+	orphanedResourcesGauge            *prometheus.GaugeVec
+	k8sRequestCounter                 *prometheus.CounterVec
+	clusterEventsCounter              *prometheus.CounterVec
+	redisRequestCounter               *prometheus.CounterVec
+	reconcileHistogram                *prometheus.HistogramVec
+	redisRequestHistogram             *prometheus.HistogramVec
+	resourceEventsProcessingHistogram *prometheus.HistogramVec
+	resourceEventsNumberGauge         *prometheus.GaugeVec
+	registry                          *prometheus.Registry
+	hostname                          string
+	cron                              *cron.Cron
 }
 
 const (
@@ -153,6 +155,20 @@ var (
 		},
 		descAppDefaultLabels,
 	)
+
+	resourceEventsProcessingHistogram = prometheus.NewHistogramVec(
+		prometheus.HistogramOpts{
+			Name:    "argocd_resource_events_processing",
+			Help:    "Time to process resource events in seconds.",
+			Buckets: []float64{0.25, .5, 1, 2, 4, 8, 16},
+		},
+		[]string{"server"},
+	)
+
+	resourceEventsNumberGauge = prometheus.NewGaugeVec(prometheus.GaugeOpts{
+		Name: "argocd_resource_events_processed_in_batch",
+		Help: "Number of resource events processed in batch",
+	}, []string{"server"})
 )
 
 // NewMetricsServer returns a new prometheus server which collects application metrics
@@ -202,6 +218,8 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister, appFil
 	registry.MustRegister(clusterEventsCounter)
 	registry.MustRegister(redisRequestCounter)
 	registry.MustRegister(redisRequestHistogram)
+	registry.MustRegister(resourceEventsProcessingHistogram)
+	registry.MustRegister(resourceEventsNumberGauge)
 
 	return &MetricsServer{
 		registry: registry,
@@ -209,16 +227,18 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister, appFil
 			Addr:    addr,
 			Handler: mux,
 		},
-		syncCounter:             syncCounter,
-		k8sRequestCounter:       k8sRequestCounter,
-		kubectlExecCounter:      kubectlExecCounter,
-		kubectlExecPendingGauge: kubectlExecPendingGauge,
-		orphanedResourcesGauge:  orphanedResourcesGauge,
-		reconcileHistogram:      reconcileHistogram,
-		clusterEventsCounter:    clusterEventsCounter,
-		redisRequestCounter:     redisRequestCounter,
-		redisRequestHistogram:   redisRequestHistogram,
-		hostname:                hostname,
+		syncCounter:                       syncCounter,
+		k8sRequestCounter:                 k8sRequestCounter,
+		kubectlExecCounter:                kubectlExecCounter,
+		kubectlExecPendingGauge:           kubectlExecPendingGauge,
+		orphanedResourcesGauge:            orphanedResourcesGauge,
+		reconcileHistogram:                reconcileHistogram,
+		clusterEventsCounter:              clusterEventsCounter,
+		redisRequestCounter:               redisRequestCounter,
+		redisRequestHistogram:             redisRequestHistogram,
+		resourceEventsProcessingHistogram: resourceEventsProcessingHistogram,
+		resourceEventsNumberGauge:         resourceEventsNumberGauge,
+		hostname:                          hostname,
 		// This cron is used to expire the metrics cache.
 		// Currently clearing the metrics cache is logging and deleting from the map
 		// so there is no possibility of panic, but we will add a chain to keep robfig/cron v1 behavior.
@@ -284,6 +304,12 @@ func (m *MetricsServer) ObserveRedisRequestDuration(duration time.Duration) {
 	m.redisRequestHistogram.WithLabelValues(m.hostname, common.ApplicationController).Observe(duration.Seconds())
 }
 
+// ObserveResourceEventsProcessingDuration observes resource events processing duration
+func (m *MetricsServer) ObserveResourceEventsProcessingDuration(server string, duration time.Duration, processedEventsNumber int) {
+	m.resourceEventsProcessingHistogram.WithLabelValues(server).Observe(duration.Seconds())
+	m.resourceEventsNumberGauge.WithLabelValues(server).Set(float64(processedEventsNumber))
+}
+
 // IncReconcile increments the reconcile counter for an application
 func (m *MetricsServer) IncReconcile(app *argoappv1.Application, duration time.Duration) {
 	m.reconcileHistogram.WithLabelValues(app.Namespace, app.Spec.Destination.Server).Observe(duration.Seconds())
@@ -311,6 +337,8 @@ func (m *MetricsServer) SetExpiration(cacheExpiration time.Duration) error {
 		m.redisRequestCounter.Reset()
 		m.reconcileHistogram.Reset()
 		m.redisRequestHistogram.Reset()
+		m.resourceEventsProcessingHistogram.Reset()
+		m.resourceEventsNumberGauge.Reset()
 	})
 	if err != nil {
 		return err

controller/state.go

@@ -71,7 +71,7 @@ type managedResource struct {
 type AppStateManager interface {
 	CompareAppState(app *v1alpha1.Application, project *v1alpha1.AppProject, revisions []string, sources []v1alpha1.ApplicationSource, noCache bool, noRevisionCache bool, localObjects []string, hasMultipleSources bool, rollback bool) (*comparisonResult, error)
 	SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState)
-	GetRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject, rollback bool) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, bool, error)
+	GetRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject, rollback, sendRuntimeState bool) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, bool, error)
 }
 
 // comparisonResult holds the state of an application after the reconciliation
@@ -125,7 +125,7 @@ type appStateManager struct {
 // task to the repo-server. It returns the list of generated manifests as unstructured
 // objects. It also returns the full response from all calls to the repo server as the
 // second argument.
-func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject, rollback bool) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, bool, error) {
+func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject, rollback, sendRuntimeState bool) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, bool, error) {
 	ts := stats.NewTimingStats()
 	helmRepos, err := m.db.ListHelmRepositories(context.Background())
 	if err != nil {
@@ -219,6 +219,14 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 
 		revision := revisions[i]
 
+		appNamespace := app.Spec.Destination.Namespace
+		apiVersions := argo.APIResourcesToStrings(apiResources, true)
+		if !sendRuntimeState {
+			appNamespace = ""
+			apiVersions = nil
+			serverVersion = ""
+		}
+
 		if !source.IsHelm() && syncedRevision != "" && keyManifestGenerateAnnotationExists && keyManifestGenerateAnnotationVal != "" {
 			// Validate the manifest-generate-path annotation to avoid generating manifests if it has not changed.
 			updateRevisionResult, err := repoClient.UpdateRevisionForPaths(context.Background(), &apiclient.UpdateRevisionForPathsRequest{
@@ -229,10 +237,10 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 				Paths:              path.GetAppRefreshPaths(app),
 				AppLabelKey:        appLabelKey,
 				AppName:            app.InstanceName(m.namespace),
-				Namespace:          app.Spec.Destination.Namespace,
+				Namespace:          appNamespace,
 				ApplicationSource:  &source,
 				KubeVersion:        serverVersion,
-				ApiVersions:        argo.APIResourcesToStrings(apiResources, true),
+				ApiVersions:        apiVersions,
 				TrackingMethod:     string(argo.GetTrackingMethod(m.settingsMgr)),
 				RefSources:         refSources,
 				HasMultipleSources: app.Spec.HasMultipleSources(),
@@ -263,11 +271,11 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 			NoRevisionCache:                 noRevisionCache,
 			AppLabelKey:                     appLabelKey,
 			AppName:                         app.InstanceName(m.namespace),
-			Namespace:                       app.Spec.Destination.Namespace,
+			Namespace:                       appNamespace,
 			ApplicationSource:               &source,
 			KustomizeOptions:                kustomizeOptions,
 			KubeVersion:                     serverVersion,
-			ApiVersions:                     argo.APIResourcesToStrings(apiResources, true),
+			ApiVersions:                     apiVersions,
 			VerifySignature:                 verifySignature,
 			HelmRepoCreds:                   permittedHelmCredentials,
 			TrackingMethod:                  string(argo.GetTrackingMethod(m.settingsMgr)),
@@ -309,6 +317,39 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 	return targetObjs, manifestInfos, revisionUpdated, nil
 }
 
+// ResolveGitRevision will resolve the given revision to a full commit SHA. Only works for git.
+func (m *appStateManager) ResolveGitRevision(repoURL string, revision string) (string, error) {
+	conn, repoClient, err := m.repoClientset.NewRepoServerClient()
+	if err != nil {
+		return "", fmt.Errorf("failed to connect to repo server: %w", err)
+	}
+	defer io.Close(conn)
+
+	repo, err := m.db.GetRepository(context.Background(), repoURL, "")
+	if err != nil {
+		return "", fmt.Errorf("failed to get repo %q: %w", repoURL, err)
+	}
+
+	// Mock the app. The repo-server only needs to know whether the "chart" field is populated.
+	app := &v1alpha1.Application{
+		Spec: v1alpha1.ApplicationSpec{
+			Source: &v1alpha1.ApplicationSource{
+				RepoURL:        repoURL,
+				TargetRevision: revision,
+			},
+		},
+	}
+	resp, err := repoClient.ResolveRevision(context.Background(), &apiclient.ResolveRevisionRequest{
+		Repo:              repo,
+		App:               app,
+		AmbiguousRevision: revision,
+	})
+	if err != nil {
+		return "", fmt.Errorf("failed to determine whether the dry source has changed: %w", err)
+	}
+	return resp.Revision, nil
+}
+
 func unmarshalManifests(manifests []string) ([]*unstructured.Unstructured, error) {
 	targetObjs := make([]*unstructured.Unstructured, 0)
 	for _, manifest := range manifests {
@@ -441,7 +482,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 		if hasMultipleSources {
 			return &comparisonResult{
 				syncStatus: &v1alpha1.SyncStatus{
-					ComparedTo: v1alpha1.ComparedTo{Destination: app.Spec.Destination, Sources: sources, IgnoreDifferences: app.Spec.IgnoreDifferences},
+					ComparedTo: app.Spec.BuildComparedToStatus(),
 					Status:     v1alpha1.SyncStatusCodeUnknown,
 					Revisions:  revisions,
 				},
@@ -450,7 +491,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 		} else {
 			return &comparisonResult{
 				syncStatus: &v1alpha1.SyncStatus{
-					ComparedTo: v1alpha1.ComparedTo{Source: sources[0], Destination: app.Spec.Destination, IgnoreDifferences: app.Spec.IgnoreDifferences},
+					ComparedTo: app.Spec.BuildComparedToStatus(),
 					Status:     v1alpha1.SyncStatusCodeUnknown,
 					Revision:   revisions[0],
 				},
@@ -490,7 +531,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 			}
 		}
 
-		targetObjs, manifestInfos, revisionUpdated, err = m.GetRepoObjs(app, sources, appLabelKey, revisions, noCache, noRevisionCache, verifySignature, project, rollback)
+		targetObjs, manifestInfos, revisionUpdated, err = m.GetRepoObjs(app, sources, appLabelKey, revisions, noCache, noRevisionCache, verifySignature, project, rollback, true)
 		if err != nil {
 			targetObjs = make([]*unstructured.Unstructured, 0)
 			msg := fmt.Sprintf("Failed to load target state: %s", err.Error())

controller/sync_test.go

@@ -56,7 +56,7 @@ func TestPersistRevisionHistory(t *testing.T) {
 
 	updatedApp, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace).Get(context.Background(), app.Name, v1.GetOptions{})
 	require.NoError(t, err)
-	assert.Len(t, updatedApp.Status.History, 1)
+	require.Len(t, updatedApp.Status.History, 1)
 	assert.Equal(t, app.Spec.GetSource(), updatedApp.Status.History[0].Source)
 	assert.Equal(t, "abc123", updatedApp.Status.History[0].Revision)
 }

controller/utils/log.go

@@ -0,0 +1,17 @@
+package utils
+
+import (
+	"github.com/sirupsen/logrus"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+// GetAppLog returns a logrus entry with fields set for the given application.
+func GetAppLog(app *v1alpha1.Application) *logrus.Entry {
+	return logrus.WithFields(logrus.Fields{
+		"application":        app.Name,
+		"app-namespace":      app.Namespace,
+		"app-qualified-name": app.QualifiedName(),
+		"project":            app.Spec.Project,
+	})
+}

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -9,6 +9,9 @@ data:
   # Repo server address. (default "argocd-repo-server:8081")
   repo.server: "argocd-repo-server:8081"
 
+  # Commit server address. (default "argocd-commit-server:8086")
+  commit.server: "argocd-commit-server:8086"
+
   # Redis server hostname and port (e.g. argocd-redis:6379)
   redis.server: "argocd-redis:6379"
   # Enable compression for data sent to Redis with the required compression algorithm. (default 'gzip')
@@ -16,6 +19,9 @@ data:
   # Redis database
   redis.db:
 
+  # Enables the alpha "manifest hydrator" feature. (default "false")
+  hydrator.enabled: "false"
+
   # Open-Telemetry collector address: (e.g. "otel-collector:4317")
   otlp.address: ""
   # Open-Telemetry collector insecure: (e.g. "true")
@@ -79,6 +85,13 @@ data:
   controller.diff.server.side: "false"
   # Enables profile endpoint on the internal metrics port
   controller.profile.enabled: "false"
+  # Enables batch-processing mode in the controller's cluster cache. This can help improve performance for clusters that
+  # have high "churn," i.e. lots of resource modifications.
+  controller.cluster.cache.batch.events.processing: "false"
+  # This sets the interval at which the controller's cluster cache processes a batch of cluster events. A lower value
+  # will increase the speed at which Argo CD becomes aware of external cluster state. A higher value will reduce cluster
+  # cache lock contention and better handle high-churn clusters.
+  controller.cluster.cache.events.processing.interval: "100ms"
 
   ## Server properties
   # Listen on given address for incoming connections (default "0.0.0.0")
@@ -195,6 +208,15 @@ data:
   # Include hidden directories from Git
   reposerver.include.hidden.directories: "false"
 
+  ## Commit-server properties
+  # Listen on given address for incoming connections (default "0.0.0.0")
+  commitserver.listen.address: "0.0.0.0"
+  # Set the logging format. One of: text|json (default "text")
+  commitserver.log.format: "text"
+  # Set the logging level. One of: debug|info|warn|error (default "info")
+  commitserver.log.level: "info"
+  # Listen on given address for metrics (default "0.0.0.0")
+  commitserver.metrics.listen.address: "0.0.0.0"
 
   # Set the logging format. One of: text|json (default "text")
   dexserver.log.format: "text"

docs/operator-manual/high_availability.md

@@ -130,6 +130,15 @@ stringData:
   count (grouped by k8s api version, the granule of parallelism for list operations). In this case, all resources will
   be buffered in memory -- no api server request will be blocked by processing.
 
+* `ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING` - environment variable that enables the controller to collect events
+  for Kubernetes resources and process them in a batch. This is useful when the cluster contains a large number of resources,
+  and the controller is overwhelmed by the number of events. The default value is `false`, which means that the controller
+  processes events one by one.
+
+* `ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL` - environment variable controlling the interval for processing events in a batch.
+  The valid value is in the format of Go time duration string, e.g. `1ms`, `1s`, `1m`, `1h`. The default value is `100ms`.
+  The variable is used only when `ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING` is set to `true`.
+
 * `ARGOCD_APPLICATION_TREE_SHARD_SIZE` - environment variable controlling the max number of resources stored in one Redis
   key. Splitting application tree into multiple keys helps to reduce the amount of traffic between the controller and Redis.
   The default value is 0, which means that the application tree is stored in a single Redis key. The reasonable value is 100.

docs/operator-manual/metrics.md

@@ -24,6 +24,8 @@ Metrics about applications. Scraped at the `argocd-metrics:8082/metrics` endpoin
 | `argocd_kubectl_exec_total` | counter | Number of kubectl executions |
 | `argocd_redis_request_duration` | histogram | Redis requests duration. |
 | `argocd_redis_request_total` | counter | Number of redis requests executed during application reconciliation |
+| `argocd_resource_events_processing` | histogram | Time to process resource events in batch in seconds |
+| `argocd_resource_events_processed_in_batch` | gauge | Number of resource events processed in batch |
 
 If you use Argo CD with many application and project creation and deletion,
 the metrics page will keep in cache your application and project's history.

docs/operator-manual/notifications/templates.md

@@ -57,7 +57,7 @@ kind: Secret
 metadata:
   name: argocd-notifications-secret
 stringData:
-  sampleWebhookToken: secret-token 
+  sampleWebhookToken: secret-token
 type: Opaque
 ```
 
@@ -112,7 +112,7 @@ You can change the timezone to show in notifications as follows.
 
 ## Functions
 
-Templates have access to the set of built-in functions:
+Templates have access to the set of built-in functions such as the functions of the [Sprig](https://masterminds.github.io/sprig/) package
 
 ```yaml
 apiVersion: v1

docs/operator-manual/rbac.md

@@ -130,9 +130,9 @@ p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow
     Argo CD RBAC does not use `/` as a separator when evaluating glob patterns. So the pattern `delete/*/kind/*`
     will match `delete/<group>/kind/<namespace>/<name>` but also `delete/<group>/<kind>/kind/<name>`.
 
-    The fact that both of these match will generally not be a problem, because resource kinds generally contain capital 
-    letters, and namespaces cannot contain capital letters. However, it is possible for a resource kind to be lowercase. 
-    So it is better to just always include all the parts of the resource in the pattern (in other words, always use four 
+    The fact that both of these match will generally not be a problem, because resource kinds generally contain capital
+    letters, and namespaces cannot contain capital letters. However, it is possible for a resource kind to be lowercase.
+    So it is better to just always include all the parts of the resource in the pattern (in other words, always use four
     slashes).
 
 If we want to grant access to the user to update all resources of an application, but not the application itself:
@@ -148,9 +148,9 @@ p, example-user, applications, delete, default/prod-app, deny
 p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow
 ```
 
-!!! note
+!!! note "Disable Application permission Inheritance"
 
-    It is not possible to deny fine-grained permissions for a sub-resource if the action was **explicitly allowed on the application**.
+    By default, it is not possible to deny fine-grained permissions for a sub-resource if the action was **explicitly allowed on the application**.
     For instance, the following policies will **allow** a user to delete the Pod and any other resources in the application:
 
     ```csv
@@ -158,6 +158,20 @@ p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow
     p, example-user, applications, delete/*/Pod/*/*, default/prod-app, deny
     ```
 
+    To change this behavior, you can set the config value
+    `server.rbac.disableApplicationFineGrainedRBACInheritance` to `true` in
+    the Argo CD ConfigMap `argocd-cm`.
+
+    When inheritance is disabled, it is now possible to deny fine-grained permissions for a sub-resource
+    if the action was **explicitly allowed on the application**.
+
+    For instance, if we want to explicitly allow updates to the application, but deny updates to any sub-resources:
+
+    ```csv
+    p, example-user, applications, update, default/prod-app, allow
+    p, example-user, applications, update/*, default/prod-app, deny
+    ```
+
 #### The `action` action
 
 The `action` action corresponds to either built-in resource customizations defined

docs/operator-manual/server-commands/argocd-application-controller.md

@@ -27,6 +27,7 @@ argocd-application-controller [flags]
       --client-certificate string                                 Path to a client certificate file for TLS
       --client-key string                                         Path to a client key file for TLS
       --cluster string                                            The name of the kubeconfig cluster to use
+      --commit-server string                                      Commit server address. (default "argocd-commit-server:8086")
       --context string                                            The name of the kubeconfig context to use
       --default-cache-expiration duration                         Cache expiration default (default 24h0m0s)
       --disable-compression                                       If true, opt-out of response compression for all requests to the server
@@ -34,6 +35,7 @@ argocd-application-controller [flags]
       --enable-k8s-event none                                     Enable ArgoCD to use k8s event. For disabling all events, set the value as none. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated) (default [all])
       --gloglevel int                                             Set the glog logging level
   -h, --help                                                      help for argocd-application-controller
+      --hydrator-enabled                                          Feature flag to enable Hydrator. Default ("false")
       --ignore-normalizer-jq-execution-timeout-seconds duration   Set ignore normalizer JQ execution timeout
       --insecure-skip-tls-verify                                  If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
       --kubeconfig string                                         Path to a kube config. Only required if out-of-cluster

docs/operator-manual/server-commands/argocd-server.md

@@ -55,6 +55,7 @@ argocd-server [flags]
       --enable-proxy-extension                          Enable Proxy Extension feature
       --gloglevel int                                   Set the glog logging level
   -h, --help                                            help for argocd-server
+      --hydrator-enabled                                Feature flag to enable Hydrator. Default ("false")
       --insecure                                        Run server without TLS
       --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
       --kubeconfig string                               Path to a kube config. Only required if out-of-cluster

docs/operator-manual/tested-kubernetes-versions.md

@@ -1,2 +1,5 @@
-This page is populated for released Argo CD versions. Use the version selector to view this table for a specific 
-version. 
+| Argo CD version | Kubernetes versions |
+|-----------------|---------------------|
+| 2.14 | v1.31, v1.30, v1.29, v1.28 |
+| 2.13 | v1.30, v1.29, v1.28, v1.27 |
+| 2.12 | v1.29, v1.28, v1.27, v1.26 |

docs/operator-manual/upgrading/2.13-2.14.md

@@ -0,0 +1,6 @@
+# v2.13 to 2.14
+
+## Upgraded Helm Version
+
+Helm was upgraded to 3.16.2 and the skipSchemaValidation Flag was added to
+the [CLI and Application CR](https://argo-cd.readthedocs.io/en/latest/user-guide/helm/#helm-skip-schema-validation). 

docs/proposals/manifest-hydrator.md

@@ -0,0 +1,538 @@
+---
+title: Manifest Hydrator
+authors:
+  - "@crenshaw-dev"
+  - "@zachaller"
+sponsors:
+  - TBD        # List all interested parties here.
+reviewers:
+  - TBD
+approvers:
+  - TBD
+
+creation-date: 2024-03-26
+last-updated: 2024-03-26
+---
+
+# Manifest Hydrator
+
+This proposal describes a feature to make manifest hydration (i.e. the "rendered manifest pattern") a first-class feature of Argo CD.
+
+## Terms
+
+* dry manifests: DRY or Don't Repeat Yourself - things like Kustomize overlays and Helm charts that produce Kubernetes manifests but are not themselves Kubernetes Manifests
+* hydrated manifests: the output from dry manifest tools, i.e. plain Kubernetes manifests
+
+## Summary
+
+Manifest hydration tools like Helm and Kustomize are indispensable in GitOps. These tools transform "dry" (Don't Repeat Yourself) sources into plain Kubernetes manifests. The effects of a change to dry sources are not always obvious. So storing only dry sources in git leaves the user with an incomplete and confusing history of their application. This undercuts some of the main benefits of GitOps.
+
+The "rendered manifests" pattern has emerged as a way to mitigate the downsides of using hydration tools in GitOps. Today, developers use CI tools to automatically hydrate manifests and push to separate branches. They then configure Argo CD to deploy from the hydrated branches. (For more information, see the awesome [blog post](https://akuity.io/blog/the-rendered-manifests-pattern/) and [ArgoCon talk](https://www.youtube.com/watch?v=TonN-369Qfo) by Nicholas Morey.)
+
+This proposal describes manifest hydration and pushing to git as a first-class feature of Argo CD.
+
+It offers two modes of operation: push-to-deploy and push-to-stage. In push-to-deploy, hydrated manifests are pushed to the same branch from which Argo CD deploys. In push-to-stage, manifests are pushed to a different branch, and Argo CD relies on some external system to move changes to the deployment branch; this provides an integration point for automated environment promotion systems.
+
+### Opinions
+
+This proposal is opinionated. It is based on the belief that, in order to reap the full benefits of GitOps, every change to an application's desired state must originate from a commit to a single GitOps repository. In other words, the full history of the application's desired state must be visible as the commit history on a git repository.
+
+This requirement is incompatible with tooling which injects nondeterministic configuration into the desired state before it is deployed by the GitOps controller. Examples of nondeterministic external configuration are:
+
+1) Helm chart dependencies on unpinned chart versions
+2) Kustomize remote bases to unpinned git revisions
+3) Config tool parameter overrides in the Argo CD Application `spec.source` fields
+4) Multiple sources referenced in the same application (knowledge of combination of source versions is held externally to git)
+
+Injecting nondeterministic configuration makes it impossible to know the complete history of an application by looking at a git branch history. Even if the nondeterministic output is databased (for example, in a hydrated source branch in git), it is impossible for developers to confidently make changes to desired state, because they cannot know ahead of time what other configuration will be injected at deploy time.
+
+We believe that the problems of injecting external configuration are best solved by asking these two questions:
+
+1) Does the configuration belong in the developer's interface (i.e. the dry manifests)?
+2) Does the configuration need to be mutable at runtime, or only at deploy time?
+
+If the configuration belongs in the developer's interface, write a tool to push the information to git. Image tags are a good example of such configuration, and the Argo CD Image Updater is a good example of such tooling.
+
+If the configuration doesn't belong in the developer's interface, and it needs to be updated at runtime, write a controller. The developer shouldn't be expected to maintain configuration which is not an immediate part of their desired state. An example would be an auto-sizing controller which eliminates the need for the developer to manage their own autoscaler config.
+
+If the configuration doesn't belong in the developer's interface and doesn't need to be updated at runtime (only at deploy time), write a mutating webhook. This is a great option for injecting cluster-specific configuration that the developer doesn't need to directly control.
+
+With these three options available (git-pushers, controllers, and mutating webhooks), we believe that it is not generally necessary to inject nondeterministic configuration into the manifest hydration process. Instead, we can have a full history of the developer's minimal intent (dry branch) and the full expression of that intent (hydrated branch) completely recorded in a series of commits on a git branch.
+
+By respecting these limitations, we unlock the ability to manage change promotion/reversion entirely via git. Change lineage is fully represented as a series of dry commit hashes. This makes it possible to write reliable rules around how these hashes are promoted to different environments and how they are reverted (i.e. we can meaningfully say "`prod` may never be more than one dry hash ahead of `test`"). If information about the lineage of an application is scattered among multiple sources, it is difficult or even impossible to meaningfully define rules about how one environment's lineage must relate to that of another environment.
+
+Being opinionated unlocks the full benefits of GitOps as well as the ability to build a reasonable, reliable preview/promotion/reversion system. 
+
+These opinions will lock out use cases where configuration injection cannot be avoided by writing git-pushers, controllers, or mutating webhooks. We believe that the benefits of making an opinionated system outweigh the costs of compromising those opinions.
+
+## Motivation
+
+Many organizations have implemented their own manifest hydration system. By implementing it in Argo CD, we can lower the cost to our users of maintaining those systems, and we can encourage best practices related to the pattern.
+
+### Goals
+
+1) Make manifest hydration easy and intuitive for Argo CD users
+2) Make it possible to implement a promotion system which relies on the manifest hydration's push-to-stage mode
+3) Emphasize maintaining as much of the system's state as possible in git rather than in the Application CR (e.g. source hydrator config values, such as Helm values)
+4) Every deployed change must have a corresponding dry commit - i.e. git is always the source of any changes
+5) Developers should be able to easily reproduce the manifest hydration process locally, i.e. by running some commands
+
+#### Hydration Reproducibility
+
+One goal of this proposal is to make hydration reproducibility easy. Reproducibility brings a couple benefits: easy iteration/debugging and reliable previews.
+
+##### Easy Iteration/Debugging
+
+The hydration system should enable developers to easily reproduce the hydration process locally. The developer should be able to run a short series of commands and perform the exact same tasks that Argo CD would take to hydrate their manifests. This allows the developer to verify that Argo CD is behaving as expected and to quickly tweak inputs and see the results. This lets them iterate quickly and improves developer satisfaction and change velocity.
+
+To provide this experience, the hydrator needs to provide the developer with a few pieces of information:
+
+1) The input repo URL, path, and commit SHA
+2) The hydration tool CLI version(s) (for example, the version of the Helm CLI used for hydration)
+3) A series of commands and arguments which the developer can run locally
+
+Equipped with this information, the developer can perform the exact same steps as Argo CD and be confident that their dry manifest changes will produce the desired output.
+
+Ensuring that hydration is deterministic assures the developer that the output for a given dry state will be the same next week as it is today.
+
+###### Avoiding Esoteric Behavior
+
+We should avoid the developer needing to know Argo CD-specific behavior in order to reproduce hydration. Tools like Helm, Kustimize, etc. have excellent public-facing documentation which the developer should be able to take advantage of without needing to know quirks of Argo CD.
+
+##### Reliable Previews
+
+Deterministic hydration output allows Argo CD to produce a reliable change preview when a developer proposes a change to the dry manifests via a PR.
+
+If output is not deterministic, then a preview generated today might not be valid/correct a week, day, or even hour later. Non-determinism makes it so that developers can't trust that the change they review will be the change actually applied.
+
+### Non-Goals
+
+1) Implementing a change promotion system
+
+## Open Questions
+
+* The `sourceHydrator` field is mutually exclusive with the `source` and the `sources` field. Should we throw an error if they're both configured, or should we just pick one and ignore the others?
+* How will/should this feature relate to the image updater? Is there an opportunity to share code, since both tools involve pushing to git?
+* Should we enforce a naming convention for hydrated manifest branches, e.g. `argo/...`? This would make it easier to recommend branch protection rules, for example, only allow pushes to `argo/*` from the argo bot.
+* Should we enforce setting a `sourceHydrator.syncSource.path` to something besides `.`? Setting a path makes it easier to add/remove other apps later if desired.
+
+## Proposal
+
+Today, Argo CD watches one or more git repositories (configured in the `spec.source` or `spec.sources` field). When a new commit appears, Argo CD updates the desired state by rendering the manifests with the configured manifest hydration tool. If auto-sync is enabled, Argo CD applies the new manifests to the cluster.
+
+With the introduction of this change, Argo CD will watch two revisions in the same git repository: the first is the "dry source", i.e. the git repo/revision where the un-rendered manifests reside, and the second is the "hydrated source," where the rendered manifests are places and retrieved for syncing to the cluster.
+
+### New `spec.sourceHydrator` Application Field
+
+A `sourceHydrator` field will be added to the Argo CD Application spec:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: example
+spec:
+  # The sourceHydrator field is mutually-exclusive with `source` and with `sources`. If this field is configured, we 
+  # should either throw an error or ignore the other two.
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      targetRevision: main
+      # This assumes the Application's environments are modeled as directories.
+      path: environments/e2e
+    syncSource:
+      targetBranch: environments/e2e
+      path: .
+    # The hydrateTo field is optional. If specified, Argo CD will write hydrated manifests to this branch instead of the
+    # syncSource.targetBranch. This allows the user to "stage" a hydrated commit before actually deploying the changes
+    # by merging them into the syncSource branch. A complete change promotion system can be built around this feature. 
+    hydrateTo:
+      targetBranch: environments/e2e-next
+      # The path is assumed to be the same as that in syncSource.
+```
+
+When the Argo CD application controller detects a new commit on the `drySource`, it queue up the hydration process.
+
+When the application controller detects a new (hydrated) commit on the `syncSource.targetBranch`, it will sync the manifests.
+
+### Processing a New Dry Commit
+
+On noticing a new dry commit, Argo CD will first collect all Applications which have the same `drySource` repo and targetRevision.
+
+Argo CD will then group those sources by the configured `syncSource` targetBranch.
+
+```go
+package hydrator
+
+import "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+
+type DrySource struct {
+	repoURL        string
+	targetRevision string
+}
+
+type SyncSource struct {
+	targetBranch string
+}
+
+var appGroups map[DrySource]map[SyncSource][]v1alpha1.Application
+```
+
+Then Argo CD will loop over the apps in each group. For each group, it will run manifest hydration on the configured `drySource.path` and write the result to the configured `syncSource.path`. After looping over all apps in the group and writing all their manifests, it will commit the changes to the configured `syncSource` repoURL and targetBranch (or, if configured, the `hydratedTo` targetBranch). Finally, it will push those changes to git. Then it will repeat this process for the remaining groups.
+
+The actual push operation should be delegated to the [commit server](./manifest-hydrator/commit-server/README.md).
+
+To understand how this would work for a simple dev/test/prod setup with two regions, consider this example:
+
+```yaml
+### DEV APPS ###
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dev-west
+spec:
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      targetRevision: main
+      path: environments/dev/west
+    syncSource:
+      targetBranch: environments/dev
+      path: west
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dev-east
+spec:
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      targetRevision: main
+      path: environments/dev/east
+    syncSource:
+      targetBranch: environments/dev
+      path: east
+---
+### TEST APPS ###
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: test-west
+spec:
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      targetRevision: main
+      path: environments/test/west
+    syncSource:
+      targetBranch: environments/test
+      path: west
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: test-east
+spec:
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      targetRevision: main
+      path: environments/test/east
+    syncSource:
+      targetBranch: environments/prod
+      path: east
+---
+### PROD APPS ###
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-west
+spec:
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      targetRevision: main
+      path: environments/prod/west
+    syncSource:
+      targetBranch: environments/prod
+      path: west
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-east
+spec:
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      targetRevision: main
+      path: environments/prod/east
+    syncSource:
+      targetBranch: environments/prod
+      path: east
+---
+```
+
+Each commit to the dry branch will result in a commit to up to three branches. Each commit to an environment branch will contain changes for west, east, or both (depending on which is affected). Changes originating from a single dry commit are always grouped into a single hydrated commit.
+
+### Handling External Values Files
+
+Since only one source may be used in as the dry source, the multi-source approach to external Helm values files will not work here. Instead, we'll recommend that users use the umbrella chart approach. The main reasons for multi-source as an alternative were convenience (no need to maintain the parent chart) and resolving issues with authentication to dependency charts. We believe the simplification is worth the cost of convenience, and we can address the auth issues as standalone bugs.
+
+An earlier iteration of this proposal attempted to preserve the multi-source style of external value file inclusion by introducing a "magic" `.argocd-hydrator.yaml` file containing `additionalSources` to reference the Helm chart. In the end, it felt like we were re-implementing Helm's dependencies feature or git submodules. It's better to just rely on one of those existing tools.
+
+### `.argocd-source.yaml` Support
+
+The `spec.sourceHydrator.drySource` field contains only three fields: `repoURL`, `targetRevision`, and `path`.
+
+`spec.source` contains a number of fields for configuring manifest hydration tools (`helm`, `kustomize`, and `directory`). That functionality is still available for `spec.sourceHydrator`. But instead of being configured in the Application CR, those values are set in `.argocd-source.yaml`, an existing "override" mechanism for `spec.source`. By requiring that this configuration be set in `.argocd-source.yaml`, we respect the principle that all changes must be made in git instead of in the Application CR.
+
+### `spec.destination.namespace` Behavior
+
+The Application `spec.destination.namespace` field is used to set the `metadata.namespace` field of any namespace resources for which that field is not set in the manifests.
+
+The hydrator will not inject `metadata.namespace` into the hydrated manifests pushed to git. Instead, Argo CD's behavior of injecting that value immediately before applying to the cluster will continue to be used with the `spec.sourceHydrator.syncSource`.
+
+### Build Environment Support
+
+For sources specified in `spec.source` or `spec.sources`, Argo CD [sets certain environment variables](https://argo-cd.readthedocs.io/en/stable/user-guide/build-environment/) before running the manifest hydration tool.
+
+Some of these environment variables may change independently of the dry source and therefore break the reproducibility of manifest hydration (see the [Opinions](#opinions) section). Therefore, only some environment variables will be populated for the `spec.sourceHydrator` source.
+
+These environment variables will **not** be set:
+
+* `ARGOCD_APP_NAME`
+* `ARGOCD_APP_NAMESPACE`
+* `KUBE_VERSION`
+* `KUBE_API_VERSIONS`
+
+These environment variables will be set because they are commit SHAs and are directly and immutably tied to the dry manifest commit:
+
+* `ARGOCD_APP_REVISION`
+* `ARGOCD_APP_REVISION_SHORT`
+
+These environment variables will be set because they are inherently tied to the manifest hydrator configuration. If these fields set in `spec.sourceHydrator.drySource` change, we are breaking the connection to the original hydrator configuration anyway.
+
+* `ARGOCD_APP_SOURCE_PATH`
+* `ARGOCD_APP_SOURCE_REPO_URL`
+* `ARGOCD_APP_SOURCE_TARGET_REVISION`
+
+### Support for Helm-Specific Features
+
+#### App Name / Release Name
+
+By default, Argo CD's `source` and `sources` fields use the Application's name as the release name when hydrating Helm manifests.
+
+To centralize the source of truth when using `spec.sourceHydrator`, the default release name will be an empty string, and any different release name should be specified in the `helm.releaseName` field in `.argocd-source.yaml`.
+
+#### Kube API Versions
+
+`helm install` supports dynamically reading Kube API versions from the destination cluster to adjust manifest output. `helm template` accepts a list of Kube API versions to simulate the same behavior, and Argo CD's `spec.source` and `spec.sources` fields set those API versions when running `helm template`.
+
+To centralize the source of truth when using `spec.sourceHydrator`, the Kube API versions will not be populated by default.
+
+Instead, a new field will be added to the Application's `spec.source.helm` field:
+
+```yaml
+kind: Application
+spec:
+  source:
+    helm:
+      apiVersions:
+        - admissionregistration.k8s.io/v1/MutatingWebhookConfiguration
+        - admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration
+        - ... etc.
+```
+
+That field will also be available in `.argocd-source.yaml`:
+
+```yaml
+helm:
+  apiVersions:
+    - admissionregistration.k8s.io/v1/MutatingWebhookConfiguration
+    - admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration
+    - ... etc.
+```
+
+So the appropriate way to set Kube API versions for the source hydrator will be to populate the `.argocd-source.yaml` file.
+
+#### Hydrated Environment Branches
+
+Representing the dry manifests of environments as branches has well-documented downsides for developer experience. Specifically, it's toilsome for developers to manage moving changes from one branch to another and avoid drift.
+
+So environments-as-directories has emerged as the standard for good GitOps practices. Change management across directories in a single branch is much easier to perform and reason about.
+
+**This proposal does not suggest using branches to represent the dry manifests of environments.** As a matter of fact, this proposal codifies the current best practice of representing the dry manifests as directories in a single branch.
+
+This proposal recommends using different branches for the _hydrated_ representation of environments only. Using different branches has some benefits:
+
+1) Intuitive grouping of "changes to ship at once" - for example, if you have app-1-east and app-1-west, it makes sense to merge a single hydrated PR to deploy to both of those apps at once
+2) Easy-to-read history of a single environment via the commits history
+3) Easy comparison between environments using the SCMs' "compare" interfaces
+
+In other words, branches make a very nice _read_ interface for _hydrated_ manifests while preserving the best-practice of using _directories_ for the _write_ interface.
+
+### Commit Metadata
+
+Each output directory should contain two files: manifest.yaml and README.md. manifest.yaml should contain the plain hydrated manifests. The resources should be sorted by namespace, name, group, and kind (in that order).
+
+The README will be built using the following template:
+
+````gotemplate
+{{ if eq (len .applications) 1 }}
+{{ $appName := (index .applications 0).metadata.name }}
+# {{ $appName }} Manifests
+
+[manifest.yaml](./manifest.yaml) contains the hydrated manifests for the {{ $appName }} application.
+{{ end }}
+{{ if gt (len .applications) 1 }}
+{{ $appName := (index .applications 0).metadata.name }}
+# Manifests for {{ len .applications }} Applications
+
+[manifest.yaml](./manifest.yaml) contains the hydrated manifests for these applications:
+{{ range $i, $app := .applications }}
+- {{ $app.name }}
+{{ end }}
+{{ end }}
+
+These are the details of the most recent change;
+* Author: {{ .commitAuthor }}
+* Message: {{ .commitMessage }}
+* Time: {{ .commitTime }}
+
+To reproduce the manifest hydration, do the following:
+
+```
+git clone {{ .repoURL }}
+cd {{ .repoName }}
+git checkout {{ .dryShortSHA }}
+{{ range $i, $command := .commands }}
+{{ $command }}
+{{ end }}
+```
+````
+
+This template should be admin-configurable.
+
+Example output might look like this:
+
+````markdown
+# dev-west Manifests
+
+[manifest.yaml](./manifest.yaml) contains the hydrated manifests for the dev-west application.
+
+These are the details of the most recent change;
+* Author: Michael Crenshaw <michael@example.com>
+* Message: chore: bumped image tag to v0.0.2
+* Time: 2024-03-27 10:32:04 UTC
+
+To reproduce the manifest hydration, do the following:
+
+```
+git clone https://github.com/argoproj/argocd-example-apps
+cd argocd-example-apps
+git checkout ab2382f
+kustomize edit set image my-app:v0.0.2
+kustomize build environments/dev/west
+```
+````
+
+The hydrator will also write a `hydrator.metadata` file containing a JSON representation of all the values available for README templating. This metadata can be used by external systems (e.g. a PR-based promoter system) to generate contextual information about the hydrated manifest's provenance.
+
+```json
+{
+  "commands": ["kustomize edit set image my-app:v0.0.2", "kustomize build ."],
+  "drySHA": "ab2382f",
+  "commitAuthor": "Michael Crenshaw <michael@example.com>",
+  "commitMessage": "chore: bump Helm dependency chart to 32.1.12",
+  "repoURL": "https://github.com/argoproj/argocd-example-apps"
+}
+```
+
+To request a commit to the hydrated branch, the application controller will make a call to the CommitManifests service.
+
+A single call will bundle all the changes destined for a given targetBranch.
+
+It's the application controller's job to ensure that the user has write access to the repo before making the call.
+
+```protobuf
+// CommitManifests represents the caller's request for some Kubernetes manifests to be pushed to a git repository.
+message CommitManifests {
+  // repoURL is the URL of the repo we're pushing to. HTTPS or SSH URLs are acceptable.
+  required string repoURL = 1;
+  // targetBranch is the name of the branch we're pushing to.
+  required string targetBranch = 2;
+  // drySHA is the full SHA256 hash of the "dry commit" from which the manifests were hydrated.
+  required string drySHA = 3;
+  // commitAuthor is the name of the author of the dry commit.
+  required string commitAuthor = 4;
+  // commitMessage is the short commit message from the dry commit.
+  required string commitMessage = 5;
+  // commitTime is the dry commit timestamp.
+  required string commitTime = 6;
+  // details holds the information about the actual hydrated manifests.
+  repeated CommitPathDetails details = 7;
+}
+
+// CommitManifestDetails represents the details about a 
+message CommitPathDetails {
+  // path is the path to the directory to which these manifests should be written.
+  required string path = 1;
+  // manifests is a list of JSON documents representing the Kubernetes manifests.
+  repeated string manifests = 2;
+  // readme is a string which will be written to a README.md alongside the manifest.yaml. 
+  required string readme = 3;
+}
+
+message CommitManifestsResponse {
+}
+```
+
+### Push access
+
+The hydrator will need to push to the git repository. This will require a secret containing the git credentials.
+
+Write access will be configured via a Kubernetes secret with the following structure:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    argocd.argoproj.io/secret-type: repository-write
+stringData:
+  url: 'https://github.com/argoproj/argocd-example-apps'
+  githubAppID: '123456'
+  githubInstallationID: '123456'
+  githubAppPrivateKey: |
+    -----
+```
+
+### Use cases
+
+#### Use case 1:
+
+An organization with strong requirements around change auditing might enable manifest hydration in order to generate a full history of changes.
+
+#### Use case 2:
+
+### Implementation Details/Notes/Constraints
+
+### Detailed examples
+
+### Security Considerations
+
+This proposal would involve introducing a component capable of pushing to git.
+
+We'll need to consider what git permissions setup to recommend, what security features we should recommend enabling (e.g. branch protection), etc.
+
+We'll also need to consider how to store the git push secrets. It's probable that they'll need to be stored in a namespace separate from the other Argo CD components to provide a bit extra protection.
+
+### Risks and Mitigations
+
+### Upgrade / Downgrade Strategy
+
+## Drawbacks
+
+## Alternatives

docs/proposals/manifest-hydrator/README.md

@@ -0,0 +1,44 @@
+# Argo CD Manifest Hydrator
+
+Most Argo CD Applications don't directly use plain Kubernetes manifests. They reference a Helm chart or some Kustomize manifests, and then Argo CD transforms those sources into their final form (plain Kubernetes manifests).
+
+Having Argo CD quietly do this transformation behind the scenes is convenient. But it can make it harder for developers to understand the full state of their application, both current and past. Hydrating (also known as "rendering") the sources and pushing the hydrated manifests to git is a common technique to preserve a full history of an Application's state.
+
+Argo CD provides first-class tooling to hydrate manifests and push them to git. This document explains how to take advantage of that tooling.
+
+## Setting up git Push Access
+
+To use Argo CD's source hydration tooling, you have to grant Argo CD push access to all the repositories for apps using the source hydrator.
+
+### Security Considerations
+
+Argo CD stores git push secrets separately from the main Argo CD components and separately from git pull credentials to minimize the possibility of a malicious actor stealing the secrets or hijacking Argo CD components to push malicious changes.
+
+Pushing hydrated manifests to git can improve security by ensuring that all state changes are stored and auditable. If a malicious actor does manage to produce malicious changes in manifests, those changes will be discoverable in git instead of living only in the live cluster state.
+
+You should use your SCM's security mechanisms to ensure that Argo CD can only push to the allowed repositories and branches.
+
+### Adding the Access Credentials
+
+To set up push access, add a secret to the `argocd-push` namespace with the following format:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-example-apps
+  labels:
+    # Note that this is "repository-push" instead of "repository". The same secret should never be used for both push and pull access.
+    argocd.argoproj.io/secret-type: repository-push
+type: Opaque
+stringData:
+  url: https://github.com/argoproj/argocd-example-apps.git
+  username: '****'
+  password: '****'
+```
+
+Once the secret is available, any Application which has pull access to a given repo will be able to use the source hydration tooling to also push to that repo.
+
+## Using the `sourceHydrator` Field
+
+## Migrating from the `source` or `sources` Field

docs/proposals/manifest-hydrator/commit-server/README.md

@@ -0,0 +1,38 @@
+# Commit Server
+
+The Argo CD Commit Server provides push access to git repositories for hydrated manifests.
+
+The server exposes a gRPC service which accepts requests to push hydrated manifests to a git repository. This is the interface:
+
+```protobuf
+// CommitManifests represents the caller's request for some Kubernetes manifests to be pushed to a git repository.
+message CommitManifests {
+  // repoURL is the URL of the repo we're pushing to. HTTPS or SSH URLs are acceptable.
+  required string repoURL = 1;
+  // targetBranch is the name of the branch we're pushing to.
+  required string targetBranch = 2;
+  // drySHA is the full SHA256 hash of the "dry commit" from which the manifests were hydrated.
+  required string drySHA = 3;
+  // commitAuthor is the name of the author of the dry commit.
+  required string commitAuthor = 4;
+  // commitMessage is the short commit message from the dry commit.
+  required string commitMessage = 5;
+  // commitTime is the dry commit timestamp.
+  required string commitTime = 6;
+  // details holds the information about the actual hydrated manifests.
+  repeated CommitPathDetails details = 7;
+}
+
+// CommitManifestDetails represents the details about a 
+message CommitPathDetails {
+  // path is the path to the directory to which these manifests should be written.
+  required string path = 1;
+  // manifests is a list of JSON documents representing the Kubernetes manifests.
+  repeated string manifests = 2;
+  // readme is a string which will be written to a README.md alongside the manifest.yaml. 
+  required string readme = 3;
+}
+
+message CommitManifestsResponse {
+}
+```

docs/snyk/index.md

@@ -23,39 +23,39 @@ recent minor releases.
 | [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v2.13.1
+### v2.13.2
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.13.1/argocd-test.html) | 0 | 0 | 7 | 2 |
-| [ui/yarn.lock](v2.13.1/argocd-test.html) | 0 | 0 | 1 | 0 |
-| [dex:v2.41.1](v2.13.1/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 2 |
-| [haproxy:2.6.17-alpine](v2.13.1/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
-| [redis:7.0.15-alpine](v2.13.1/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
-| [argocd:v2.13.1](v2.13.1/quay.io_argoproj_argocd_v2.13.1.html) | 0 | 0 | 3 | 10 |
-| [redis:7.0.15-alpine](v2.13.1/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
-| [install.yaml](v2.13.1/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.13.1/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.13.2/argocd-test.html) | 1 | 0 | 7 | 2 |
+| [ui/yarn.lock](v2.13.2/argocd-test.html) | 0 | 0 | 1 | 0 |
+| [dex:v2.41.1](v2.13.2/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 2 |
+| [haproxy:2.6.17-alpine](v2.13.2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
+| [redis:7.0.15-alpine](v2.13.2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
+| [argocd:v2.13.2](v2.13.2/quay.io_argoproj_argocd_v2.13.2.html) | 0 | 0 | 3 | 10 |
+| [redis:7.0.15-alpine](v2.13.2/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
+| [install.yaml](v2.13.2/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.13.2/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v2.12.7
+### v2.12.8
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.12.7/argocd-test.html) | 0 | 0 | 8 | 2 |
-| [ui/yarn.lock](v2.12.7/argocd-test.html) | 0 | 0 | 1 | 0 |
-| [dex:v2.38.0](v2.12.7/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 7 |
-| [haproxy:2.6.17-alpine](v2.12.7/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
-| [redis:7.0.15-alpine](v2.12.7/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
-| [argocd:v2.12.7](v2.12.7/quay.io_argoproj_argocd_v2.12.7.html) | 0 | 0 | 3 | 11 |
-| [redis:7.0.15-alpine](v2.12.7/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
-| [install.yaml](v2.12.7/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.12.7/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.12.8/argocd-test.html) | 1 | 0 | 8 | 2 |
+| [ui/yarn.lock](v2.12.8/argocd-test.html) | 0 | 0 | 1 | 0 |
+| [dex:v2.38.0](v2.12.8/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 7 |
+| [haproxy:2.6.17-alpine](v2.12.8/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
+| [redis:7.0.15-alpine](v2.12.8/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
+| [argocd:v2.12.8](v2.12.8/quay.io_argoproj_argocd_v2.12.8.html) | 0 | 0 | 3 | 10 |
+| [redis:7.0.15-alpine](v2.12.8/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
+| [install.yaml](v2.12.8/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.12.8/argocd-iac-namespace-install.html) | - | - | - | - |
 
 ### v2.11.12
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.11.12/argocd-test.html) | 0 | 2 | 9 | 2 |
+| [go.mod](v2.11.12/argocd-test.html) | 1 | 2 | 9 | 2 |
 | [ui/yarn.lock](v2.11.12/argocd-test.html) | 0 | 0 | 1 | 0 |
 | [dex:v2.38.0](v2.11.12/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 7 |
 | [haproxy:2.6.14-alpine](v2.11.12/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 7 |

docs/snyk/master/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:23:04 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:23:55 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>
@@ -2861,7 +2861,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24840
+                              Line number: 24846
                           </li>
                       </ul>
               

docs/snyk/master/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:23:14 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:24:05 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>
@@ -2815,7 +2815,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 2163
+                              Line number: 2169
                           </li>
                       </ul>
               

docs/snyk/master/argocd-test.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:20:56 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:21:36 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -470,7 +470,7 @@
               <div class="meta-counts">
                 <div class="meta-count"><span>7</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>26 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2158</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>2160</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->

docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="22 known vulnerabilities found in 43 vulnerable dependency paths.">
+  <meta name="description" content="23 known vulnerabilities found in 44 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:21:06 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:21:47 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -469,8 +469,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>22</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>43 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>23</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>44 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>969</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -479,6 +479,80 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
+            <div class="card__section">
+        
+                <div class="label label--critical">
+                    <span class="label__text">critical severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/crypto/ssh
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@v0.24.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
+        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
+        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
+        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
+        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
+        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
+        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">Insertion of Sensitive Information into Log File</h2>
             <div class="card__section">

docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:21:11 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:21:52 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:21:15 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:22:00 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/master/quay.io_argoproj_argocd_latest.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:21:33 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:22:20 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -472,7 +472,7 @@
               <div class="meta-counts">
                 <div class="meta-count"><span>20</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>100 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2378</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>2380</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->

docs/snyk/master/redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:21:38 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:22:25 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.11.12/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:30:13 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:31:10 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.11.12/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:30:22 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:31:19 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.11.12/argocd-test.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="14 known vulnerabilities found in 1075 vulnerable dependency paths.">
+  <meta name="description" content="15 known vulnerabilities found in 1089 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:28:19 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:29:14 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -467,8 +467,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>14</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>1075 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>15</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>1089 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>2041</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -477,6 +477,277 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
+            <div class="card__section">
+        
+                <div class="label label--critical">
+                    <span class="label__text">critical severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/crypto/ssh
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v2@0.0.0 and golang.org/x/crypto/ssh@0.19.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/xanzy/ssh-agent@0.3.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/xanzy/ssh-agent@0.3.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/xanzy/ssh-agent@0.3.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
+        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
+        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
+        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
+        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
+        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
+        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Denial of Service (DoS)</h2>
             <div class="card__section">

docs/snyk/v2.11.12/ghcr.io_dexidp_dex_v2.38.0.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="41 known vulnerabilities found in 129 vulnerable dependency paths.">
+  <meta name="description" content="42 known vulnerabilities found in 130 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:28:28 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:29:22 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -469,8 +469,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>41</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>129 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>42</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>130 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>829</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -479,6 +479,80 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
+            <div class="card__section">
+        
+                <div class="label label--critical">
+                    <span class="label__text">critical severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.38.0/hairyhenderson/gomplate/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/crypto/ssh
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/crypto/ssh@v0.18.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@v0.18.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
+        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
+        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
+        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
+        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
+        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
+        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
             <div class="card__section">

docs/snyk/v2.11.12/haproxy_2.6.14-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:28:32 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:29:27 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v2.11.12/quay.io_argoproj_argocd_v2.11.12.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="37 known vulnerabilities found in 209 vulnerable dependency paths.">
+  <meta name="description" content="38 known vulnerabilities found in 210 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:28:51 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:29:45 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -470,8 +470,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>37</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>209 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>38</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>210 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>2280</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -480,6 +480,80 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
+            <div class="card__section">
+        
+                <div class="label label--critical">
+                    <span class="label__text">critical severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: quay.io/argoproj/argocd:v2.11.12/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/crypto/ssh
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.19.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@v0.19.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
+        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
+        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
+        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
+        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
+        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
+        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Denial of Service (DoS)</h2>
             <div class="card__section">
@@ -5191,6 +5265,7 @@
         <li><a href="https://curl.se/docs/CVE-2024-9681.json">https://curl.se/docs/CVE-2024-9681.json</a></li>
         <li><a href="https://hackerone.com/reports/2764830">https://hackerone.com/reports/2764830</a></li>
         <li><a href="http://www.openwall.com/lists/oss-security/2024/11/06/2">http://www.openwall.com/lists/oss-security/2024/11/06/2</a></li>
+        <li><a href="https://security.netapp.com/advisory/ntap-20241213-0006/">https://security.netapp.com/advisory/ntap-20241213-0006/</a></li>
         </ul>
         
               <hr/>

docs/snyk/v2.11.12/redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:28:55 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:29:49 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.12.8/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:27:55 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:28:50 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.12.8/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:28:04 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:28:59 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.12.8/argocd-test.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="10 known vulnerabilities found in 36 vulnerable dependency paths.">
+  <meta name="description" content="12 known vulnerabilities found in 54 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:23:27 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:26:45 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -467,9 +467,9 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>10</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>36 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2131</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>12</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>54 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>2061</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
@@ -477,6 +477,314 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
+            <div class="card__section">
+        
+                <div class="label label--critical">
+                    <span class="label__text">critical severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/crypto/ssh
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v2@0.0.0 and golang.org/x/crypto/ssh@0.23.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        code.gitea.io/sdk/gitea@0.18.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.23.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        code.gitea.io/sdk/gitea@0.18.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-fed/httpsig@1.1.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        code.gitea.io/sdk/gitea@0.18.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.23.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/xanzy/ssh-agent@0.3.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.23.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.23.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/xanzy/ssh-agent@0.3.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.23.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.23.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/xanzy/ssh-agent@0.3.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.23.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.23.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.23.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
+        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
+        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
+        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
+        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
+        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
+        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">LGPL-3.0 license</h2>
             <div class="card__section">
@@ -538,6 +846,118 @@
                 <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
             </div>
         
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/rs/cors
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/rs/cors@1.9.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">
+        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
+            resps := makeFakeResponses(b.N)
+            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
+            req.Header.Add(headerOrigin, dummyOrigin)
+            req.Header.Add(headerACRM, http.MethodGet)
+            req.Header[headerACRH] = adversarialACRH
+            handler := Default().Handler(testHandler)
+        
+            b.ReportAllocs()
+            b.ResetTimer()
+            for i := 0; i &lt; b.N; i++ {
+                handler.ServeHTTP(resps[i], req)
+            }
+        }
+        
+        var adversarialACRH []string
+        
+        func init() { // populates adversarialACRH
+            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
+            commas := strings.Repeat(&quot;,&quot;, n)
+            res := make([]string, n)
+            for i := range res {
+                res[i] = commas
+            }
+            adversarialACRH = res
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
+        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
+        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
+            </div>
+        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">MPL-2.0 license</h2>
@@ -625,7 +1045,7 @@
                     <li class="card__meta__item">Introduced through:
         
         
-                                    github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.19.0 and others
+                                    github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.18.0 and others
                     </li>
                 </ul>
         
@@ -639,7 +1059,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.19.0
+                                        code.gitea.io/sdk/gitea@0.18.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-version@1.6.0
                                         
@@ -721,7 +1141,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.109.0
+                                        github.com/xanzy/go-gitlab@0.91.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-retryablehttp@0.7.7
                                         
@@ -927,7 +1347,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.109.0
+                                        github.com/xanzy/go-gitlab@0.91.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-cleanhttp@0.5.2
                                         
@@ -938,7 +1358,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.109.0
+                                        github.com/xanzy/go-gitlab@0.91.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-retryablehttp@0.7.7
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1074,7 +1494,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.14.0
+                                github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.13.1
         
                     </li>
                 </ul>
@@ -1089,7 +1509,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/gosimple/slug@1.14.0
+                                        github.com/gosimple/slug@1.13.1
                                         
                                 </span>
         
@@ -1394,7 +1814,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1407,7 +1827,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1422,7 +1842,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1437,7 +1857,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1471,7 +1891,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1488,7 +1908,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         

docs/snyk/v2.12.8/ghcr.io_dexidp_dex_v2.38.0.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="41 known vulnerabilities found in 129 vulnerable dependency paths.">
+  <meta name="description" content="42 known vulnerabilities found in 130 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:26:04 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:26:55 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -469,8 +469,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>41</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>129 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>42</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>130 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>829</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -479,6 +479,80 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
+            <div class="card__section">
+        
+                <div class="label label--critical">
+                    <span class="label__text">critical severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.38.0/hairyhenderson/gomplate/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/crypto/ssh
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/crypto/ssh@v0.18.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@v0.18.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
+        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
+        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
+        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
+        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
+        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
+        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
             <div class="card__section">

docs/snyk/v2.12.8/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:23:37 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:26:58 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v2.12.8/public.ecr.aws_docker_library_redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:26:12 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:27:03 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.12.8/redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:26:35 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:27:27 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.13.2/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:25:26 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:26:19 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>
@@ -881,7 +881,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23359
+                              Line number: 23358
                           </li>
                       </ul>
               
@@ -933,7 +933,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23658
+                              Line number: 23657
                           </li>
                       </ul>
               
@@ -991,7 +991,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 22896
+                              Line number: 22895
                           </li>
                       </ul>
               
@@ -1049,7 +1049,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23165
+                              Line number: 23164
                           </li>
                       </ul>
               
@@ -1107,7 +1107,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23119
+                              Line number: 23118
                           </li>
                       </ul>
               
@@ -1165,7 +1165,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23225
+                              Line number: 23224
                           </li>
                       </ul>
               
@@ -1223,7 +1223,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23330
+                              Line number: 23329
                           </li>
                       </ul>
               
@@ -1281,7 +1281,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23354
+                              Line number: 23353
                           </li>
                       </ul>
               
@@ -1339,7 +1339,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23658
+                              Line number: 23657
                           </li>
                       </ul>
               
@@ -1397,7 +1397,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23411
+                              Line number: 23410
                           </li>
                       </ul>
               
@@ -1455,7 +1455,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23743
+                              Line number: 23742
                           </li>
                       </ul>
               
@@ -1513,7 +1513,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24133
+                              Line number: 24132
                           </li>
                       </ul>
               
@@ -1565,7 +1565,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23145
+                              Line number: 23144
                           </li>
                       </ul>
               
@@ -1617,7 +1617,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 22896
+                              Line number: 22895
                           </li>
                       </ul>
               
@@ -1669,7 +1669,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23119
+                              Line number: 23118
                           </li>
                       </ul>
               
@@ -1721,7 +1721,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23330
+                              Line number: 23329
                           </li>
                       </ul>
               
@@ -1779,7 +1779,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 22896
+                              Line number: 22895
                           </li>
                       </ul>
               
@@ -1837,7 +1837,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23119
+                              Line number: 23118
                           </li>
                       </ul>
               
@@ -1895,7 +1895,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23165
+                              Line number: 23164
                           </li>
                       </ul>
               
@@ -1953,7 +1953,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23225
+                              Line number: 23224
                           </li>
                       </ul>
               
@@ -2011,7 +2011,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23330
+                              Line number: 23329
                           </li>
                       </ul>
               
@@ -2069,7 +2069,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23354
+                              Line number: 23353
                           </li>
                       </ul>
               
@@ -2127,7 +2127,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23658
+                              Line number: 23657
                           </li>
                       </ul>
               
@@ -2185,7 +2185,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23411
+                              Line number: 23410
                           </li>
                       </ul>
               
@@ -2243,7 +2243,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23743
+                              Line number: 23742
                           </li>
                       </ul>
               
@@ -2301,7 +2301,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24133
+                              Line number: 24132
                           </li>
                       </ul>
               
@@ -2357,7 +2357,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23043
+                              Line number: 23042
                           </li>
                       </ul>
               
@@ -2413,7 +2413,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23173
+                              Line number: 23172
                           </li>
                       </ul>
               
@@ -2469,7 +2469,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23148
+                              Line number: 23147
                           </li>
                       </ul>
               
@@ -2525,7 +2525,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23264
+                              Line number: 23263
                           </li>
                       </ul>
               
@@ -2581,7 +2581,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23347
+                              Line number: 23346
                           </li>
                       </ul>
               
@@ -2637,7 +2637,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23361
+                              Line number: 23360
                           </li>
                       </ul>
               
@@ -2693,7 +2693,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23665
+                              Line number: 23664
                           </li>
                       </ul>
               
@@ -2749,7 +2749,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23631
+                              Line number: 23630
                           </li>
                       </ul>
               
@@ -2805,7 +2805,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24034
+                              Line number: 24033
                           </li>
                       </ul>
               
@@ -2861,7 +2861,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24352
+                              Line number: 24351
                           </li>
                       </ul>
               

docs/snyk/v2.13.2/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:25:35 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:26:29 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.13.2/argocd-test.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="11 known vulnerabilities found in 37 vulnerable dependency paths.">
+  <meta name="description" content="11 known vulnerabilities found in 53 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:25:56 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:24:18 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -468,8 +468,8 @@
     
               <div class="meta-counts">
                 <div class="meta-count"><span>11</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>37 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2061</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>53 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>2131</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
@@ -477,6 +477,314 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
+            <div class="card__section">
+        
+                <div class="label label--critical">
+                    <span class="label__text">critical severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/crypto/ssh
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/argoproj/argo-cd/v2@0.0.0 and golang.org/x/crypto/ssh@0.27.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        code.gitea.io/sdk/gitea@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.27.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        code.gitea.io/sdk/gitea@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-fed/httpsig@1.1.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        code.gitea.io/sdk/gitea@0.19.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.27.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/xanzy/ssh-agent@0.3.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.27.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.27.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/xanzy/ssh-agent@0.3.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.27.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.27.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/xanzy/ssh-agent@0.3.3
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/agent@0.27.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/skeema/knownhosts@1.2.2
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh/knownhosts@0.27.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@0.27.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
+        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
+        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
+        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
+        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
+        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
+        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">LGPL-3.0 license</h2>
             <div class="card__section">
@@ -538,118 +846,6 @@
                 <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
             </div>
         
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Denial of Service (DoS)</h2>
-            <div class="card__section">
-        
-                <div class="label label--medium">
-                    <span class="label__text">medium severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            github.com/rs/cors
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-        
-                                    github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/rs/cors@1.9.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
-        <h2 id="poc">PoC</h2>
-        <pre><code class="language-golang">
-        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
-            resps := makeFakeResponses(b.N)
-            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
-            req.Header.Add(headerOrigin, dummyOrigin)
-            req.Header.Add(headerACRM, http.MethodGet)
-            req.Header[headerACRH] = adversarialACRH
-            handler := Default().Handler(testHandler)
-        
-            b.ReportAllocs()
-            b.ResetTimer()
-            for i := 0; i &lt; b.N; i++ {
-                handler.ServeHTTP(resps[i], req)
-            }
-        }
-        
-        var adversarialACRH []string
-        
-        func init() { // populates adversarialACRH
-            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
-            commas := strings.Repeat(&quot;,&quot;, n)
-            res := make([]string, n)
-            for i := range res {
-                res[i] = commas
-            }
-            adversarialACRH = res
-        }
-        </code></pre>
-        <h2 id="details">Details</h2>
-        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
-        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
-        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
-        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
-        <p>Two common types of DoS vulnerabilities:</p>
-        <ul>
-        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
-        </li>
-        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
-        </li>
-        </ul>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
-        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
-        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
-            </div>
-        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">MPL-2.0 license</h2>
@@ -737,7 +933,7 @@
                     <li class="card__meta__item">Introduced through:
         
         
-                                    github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.18.0 and others
+                                    github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.19.0 and others
                     </li>
                 </ul>
         
@@ -751,7 +947,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.18.0
+                                        code.gitea.io/sdk/gitea@0.19.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-version@1.6.0
                                         
@@ -833,7 +1029,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.91.1
+                                        github.com/xanzy/go-gitlab@0.109.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-retryablehttp@0.7.7
                                         
@@ -1039,7 +1235,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.91.1
+                                        github.com/xanzy/go-gitlab@0.109.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-cleanhttp@0.5.2
                                         
@@ -1050,7 +1246,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.91.1
+                                        github.com/xanzy/go-gitlab@0.109.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-retryablehttp@0.7.7
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1186,7 +1382,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.13.1
+                                github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.14.0
         
                     </li>
                 </ul>
@@ -1201,7 +1397,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/gosimple/slug@1.13.1
+                                        github.com/gosimple/slug@1.14.0
                                         
                                 </span>
         
@@ -1506,7 +1702,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1519,7 +1715,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1534,7 +1730,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1549,7 +1745,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1583,7 +1779,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1600,7 +1796,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         

docs/snyk/v2.13.2/ghcr.io_dexidp_dex_v2.41.1.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="22 known vulnerabilities found in 43 vulnerable dependency paths.">
+  <meta name="description" content="23 known vulnerabilities found in 44 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:23:34 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:24:25 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -469,8 +469,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>22</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>43 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>23</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>44 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>969</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -479,6 +479,80 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
+            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
+            <div class="card__section">
+        
+                <div class="label label--critical">
+                    <span class="label__text">critical severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/crypto/ssh
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/crypto/ssh@v0.24.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
+        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
+        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
+        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
+        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
+        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
+        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">Insertion of Sensitive Information into Log File</h2>
             <div class="card__section">

docs/snyk/v2.13.2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:26:08 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:24:28 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v2.13.2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:23:41 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:24:32 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.13.2/redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 8th 2024, 12:24:03 am (UTC+00:00)</p>
+                <p class="timestamp">December 15th 2024, 12:24:54 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/user-guide/commands/argocd_account_can-i.md

@@ -22,7 +22,7 @@ argocd account can-i update projects 'default'
 argocd account can-i create clusters '*'
 
 Actions: [get create update delete sync override action invoke]
-Resources: [clusters projects applications applicationsets repositories certificates accounts gpgkeys logs exec extensions]
+Resources: [clusters projects applications applicationsets repositories write-repositories certificates accounts gpgkeys logs exec extensions]
 
 ```
 

docs/user-guide/commands/argocd_admin_app_generate-spec.md

@@ -45,6 +45,9 @@ argocd admin app generate-spec APPNAME [flags]
       --directory-exclude string                   Set glob expression used to exclude files from application source path
       --directory-include string                   Set glob expression used to include files from application source path
       --directory-recurse                          Recurse directory
+      --dry-source-path string                     Path in repository to the app directory for the dry source
+      --dry-source-repo string                     Repository URL of the app dry source
+      --dry-source-revision string                 Revision of the app dry source
       --env string                                 Application environment to monitor
   -f, --file string                                Filename or URL to Kubernetes manifests for the app
       --helm-api-versions stringArray              Helm api-versions (in format [group/]version/kind) to use when running helm template (Can be repeated to set several values: --helm-api-versions traefik.io/v1alpha1/TLSOption --helm-api-versions v1/Service). If not set, use the api-versions from the destination cluster
@@ -60,6 +63,7 @@ argocd admin app generate-spec APPNAME [flags]
       --helm-skip-tests                            Skip helm test manifests installation step
       --helm-version string                        Helm version
   -h, --help                                       help for generate-spec
+      --hydrate-to-branch string                   The branch to hydrate the app to
       --ignore-missing-value-files                 Ignore locally missing valueFiles when setting helm template --values
   -i, --inline                                     If set then generated resource is written back to the file specified in --file flag
       --jsonnet-ext-var-code stringArray           Jsonnet ext var
@@ -101,6 +105,8 @@ argocd admin app generate-spec APPNAME [flags]
       --sync-retry-backoff-factor int              Factor multiplies the base duration after each failed sync retry (default 2)
       --sync-retry-backoff-max-duration duration   Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
       --sync-retry-limit int                       Max number of allowed sync retries
+      --sync-source-branch string                  The branch from which the app will sync
+      --sync-source-path string                    The path in the repository from which the app will sync
       --validate                                   Validation of repo and cluster (default true)
       --values stringArray                         Helm values file(s) to use
       --values-literal-file string                 Filename or URL to import as a literal Helm values block

docs/user-guide/commands/argocd_app_add-source.md

@@ -28,6 +28,9 @@ argocd app add-source APPNAME [flags]
       --directory-exclude string                   Set glob expression used to exclude files from application source path
       --directory-include string                   Set glob expression used to include files from application source path
       --directory-recurse                          Recurse directory
+      --dry-source-path string                     Path in repository to the app directory for the dry source
+      --dry-source-repo string                     Repository URL of the app dry source
+      --dry-source-revision string                 Revision of the app dry source
       --env string                                 Application environment to monitor
       --helm-api-versions stringArray              Helm api-versions (in format [group/]version/kind) to use when running helm template (Can be repeated to set several values: --helm-api-versions traefik.io/v1alpha1/TLSOption --helm-api-versions v1/Service). If not set, use the api-versions from the destination cluster
       --helm-chart string                          Helm Chart name
@@ -42,6 +45,7 @@ argocd app add-source APPNAME [flags]
       --helm-skip-tests                            Skip helm test manifests installation step
       --helm-version string                        Helm version
   -h, --help                                       help for add-source
+      --hydrate-to-branch string                   The branch to hydrate the app to
       --ignore-missing-value-files                 Ignore locally missing valueFiles when setting helm template --values
       --jsonnet-ext-var-code stringArray           Jsonnet ext var
       --jsonnet-ext-var-str stringArray            Jsonnet string ext var
@@ -78,6 +82,8 @@ argocd app add-source APPNAME [flags]
       --sync-retry-backoff-factor int              Factor multiplies the base duration after each failed sync retry (default 2)
       --sync-retry-backoff-max-duration duration   Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
       --sync-retry-limit int                       Max number of allowed sync retries
+      --sync-source-branch string                  The branch from which the app will sync
+      --sync-source-path string                    The path in the repository from which the app will sync
       --validate                                   Validation of repo and cluster (default true)
       --values stringArray                         Helm values file(s) to use
       --values-literal-file string                 Filename or URL to import as a literal Helm values block

docs/user-guide/commands/argocd_app_create.md

@@ -47,6 +47,9 @@ argocd app create APPNAME [flags]
       --directory-exclude string                   Set glob expression used to exclude files from application source path
       --directory-include string                   Set glob expression used to include files from application source path
       --directory-recurse                          Recurse directory
+      --dry-source-path string                     Path in repository to the app directory for the dry source
+      --dry-source-repo string                     Repository URL of the app dry source
+      --dry-source-revision string                 Revision of the app dry source
       --env string                                 Application environment to monitor
   -f, --file string                                Filename or URL to Kubernetes manifests for the app
       --helm-api-versions stringArray              Helm api-versions (in format [group/]version/kind) to use when running helm template (Can be repeated to set several values: --helm-api-versions traefik.io/v1alpha1/TLSOption --helm-api-versions v1/Service). If not set, use the api-versions from the destination cluster
@@ -62,6 +65,7 @@ argocd app create APPNAME [flags]
       --helm-skip-tests                            Skip helm test manifests installation step
       --helm-version string                        Helm version
   -h, --help                                       help for create
+      --hydrate-to-branch string                   The branch to hydrate the app to
       --ignore-missing-value-files                 Ignore locally missing valueFiles when setting helm template --values
       --jsonnet-ext-var-code stringArray           Jsonnet ext var
       --jsonnet-ext-var-str stringArray            Jsonnet string ext var
@@ -101,6 +105,8 @@ argocd app create APPNAME [flags]
       --sync-retry-backoff-factor int              Factor multiplies the base duration after each failed sync retry (default 2)
       --sync-retry-backoff-max-duration duration   Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
       --sync-retry-limit int                       Max number of allowed sync retries
+      --sync-source-branch string                  The branch from which the app will sync
+      --sync-source-path string                    The path in the repository from which the app will sync
       --upsert                                     Allows to override application with the same name even if supplied application spec is different from existing spec
       --validate                                   Validation of repo and cluster (default true)
       --values stringArray                         Helm values file(s) to use

docs/user-guide/commands/argocd_app_set.md

@@ -40,6 +40,9 @@ argocd app set APPNAME [flags]
       --directory-exclude string                   Set glob expression used to exclude files from application source path
       --directory-include string                   Set glob expression used to include files from application source path
       --directory-recurse                          Recurse directory
+      --dry-source-path string                     Path in repository to the app directory for the dry source
+      --dry-source-repo string                     Repository URL of the app dry source
+      --dry-source-revision string                 Revision of the app dry source
       --env string                                 Application environment to monitor
       --helm-api-versions stringArray              Helm api-versions (in format [group/]version/kind) to use when running helm template (Can be repeated to set several values: --helm-api-versions traefik.io/v1alpha1/TLSOption --helm-api-versions v1/Service). If not set, use the api-versions from the destination cluster
       --helm-chart string                          Helm Chart name
@@ -54,6 +57,7 @@ argocd app set APPNAME [flags]
       --helm-skip-tests                            Skip helm test manifests installation step
       --helm-version string                        Helm version
   -h, --help                                       help for set
+      --hydrate-to-branch string                   The branch to hydrate the app to
       --ignore-missing-value-files                 Ignore locally missing valueFiles when setting helm template --values
       --jsonnet-ext-var-code stringArray           Jsonnet ext var
       --jsonnet-ext-var-str stringArray            Jsonnet string ext var
@@ -91,6 +95,8 @@ argocd app set APPNAME [flags]
       --sync-retry-backoff-factor int              Factor multiplies the base duration after each failed sync retry (default 2)
       --sync-retry-backoff-max-duration duration   Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
       --sync-retry-limit int                       Max number of allowed sync retries
+      --sync-source-branch string                  The branch from which the app will sync
+      --sync-source-path string                    The path in the repository from which the app will sync
       --validate                                   Validation of repo and cluster (default true)
       --values stringArray                         Helm values file(s) to use
       --values-literal-file string                 Filename or URL to import as a literal Helm values block

docs/user-guide/commands/argocd_app_wait.md

@@ -43,6 +43,7 @@ argocd app wait [APPNAME.. | -l selector] [flags]
       --delete                 Wait for delete
       --health                 Wait for health
   -h, --help                   help for wait
+      --hydrated               Wait for hydration operations
       --operation              Wait for pending operations
   -o, --output string          Output format. One of: json|yaml|wide|tree|tree=detailed (default "wide")
       --resource stringArray   Sync only specific resources as GROUP:KIND:NAME or !GROUP:KIND:NAME. Fields may be blank and '*' can be used. This option may be specified repeatedly

docs/user-guide/source-hydrator.md

@@ -0,0 +1,198 @@
+# Source Hydrator
+
+**Current feature state**: Alpha
+
+Tools like Helm and Kustomize allow users to express their Kubernetes manifests in a more concise and reusable way
+(keeping it DRY - Don't Repeat Yourself). However, these tools can obscure the actual Kubernetes manifests that are
+applied to the cluster.
+
+The "rendered manifest pattern" is a way to push the hydrated manifests to git before syncing them to the cluster. This
+allows users to see the actual Kubernetes manifests that are applied to the cluster.
+
+The source hydrator is a feature of Argo CD that allows users to push the hydrated manifests to git before syncing them
+to the cluster.
+
+## Enabling the Source Hydrator
+
+The source hydrator is disabled by default.
+
+To enable the source hydrator, you need to enable the "commit server" component and set the `hydrator.enabled` field in
+argocd-cmd-params-cm ConfigMap to `"true"`.
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cmd-params-cm
+  namespace: argocd
+data:
+  hydrator.enabled: "true"
+```
+
+!!! important
+    After updating the ConfigMap, you must restart the Argo CD controller and API server for the changes to take effect.
+
+If you are using one of the `*-install.yaml` manifests to install Argo CD, you can use the 
+`*-install-with-hydrator.yaml` version of that file instead.
+
+For example,
+
+```
+Without hydrator: https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
+With hydrator:    https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install-with-hydrator.yaml
+```
+
+!!! important
+    The `*-with-hydrator-install.yaml` manifests will eventually be removed when the source hydrator is either enabled
+    by default or removed. The upgrade guide will note if the `install-with-hydrator.yaml` manifests are no longer
+    available.
+
+## Using the Source Hydrator
+
+To use the source hydrator, you must first install a push secret. This example uses a GitHub App for authentication, but
+you can use [any authentication method that Argo CD supports for repository access](../operator-manual/declarative-setup.md#repositories).
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-push-secret
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository-write
+type: Opaque
+stringData:
+  url: "https://github.com"
+  type: "git"
+  githubAppID: "<your app ID here>"
+  githubAppInstallationID: "<your installation ID here>"
+  githubAppPrivateKey: |
+    <your private key here>
+```
+
+The label `argocd.argoproj.io/secret-type: repository-write` causes this Secret to be used for pushing manifests to git
+instead of pulling from git.
+
+Once your push secret is installed, set the `spec.sourceHydrator` field of the Application. For example:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: my-app
+spec:
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      path: helm-guestbook
+      targetRevision: HEAD
+    syncSource:
+      targetBranch: environments/dev
+      path: helm-guestbook
+```
+
+In this example, the hydrated manifests will be pushed to the `environments/dev` branch of the `argocd-example-apps`
+repository.
+
+!!! important "Project-Scoped Repositories"
+
+    Repository Secrets may contain a `project` field, making the secret only usable by Applications in that project.
+    The source hydrator only supports project-scoped repositories if all Applications writing to the same repository and
+    branch are in the same project. If Applications in different projects write to the same repository and branch, the
+    source hydrator will not be able to use a project-scoped repository secret and will require a global repository 
+    secret. This behavior may change in the future.
+
+If there are multiple repository-write Secrets available for a repo, the source hydrator will non-deterministically
+select one of the matching Secrets and log a warning saying "Found multiple credentials for repoURL".
+
+## Pushing to a "Staging" Branch
+
+The source hydrator can be used to push hydrated manifests to a "staging" branch instead of the `syncSource` branch.
+This provides a way to prevent the hydrated manifests from being applied to the cluster until some prerequisite
+conditions are met (in effect providing a way to handle environment promotion via Pull Requests).
+
+To use the source hydrator to push to a "staging" branch, set the `spec.sourceHydrator.hydrateTo` field of the
+Application. For example:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: my-app
+spec:
+  project: my-project
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  sourceHydrator:
+    drySource:
+      repoURL: https://github.com/argoproj/argocd-example-apps
+      path: helm-guestbook
+      targetRevision: HEAD
+    syncSource:
+      targetBranch: environments/dev
+      path: helm-guestbook
+    hydrateTo:
+      targetBranch: environments/dev-next
+```
+
+In this example, the hydrated manifests will be pushed to the `environments/dev-next` branch, and Argo CD will not sync
+the changes until something moves them to the `environments/dev` branch.
+
+You could use a CI action to move the hydrated manifests from the `hydrateTo` branch to the `syncSource` branch. To
+introduce a gating mechanism, you could require a Pull Request to be opened to merge the changes from the `hydrateTo`
+branch to the `syncSource` branch.
+
+Argo CD will only push changes to the `hydrateTo` branch, it will not create a PR or otherwise facilitate moving those 
+changes to the `syncSource` branch. You will need to use your own tooling to move the changes from the `hydrateTo` 
+branch to the `syncSource` branch.
+
+## Limitations
+
+### Signature Verification
+
+The source hydrator **does not currently support signature verification of the DRY sources it hydrates/commits**. It
+also does not sign the commits it pushes to git, so if signature verification is enabled, the commits will fail
+verification when Argo CD attempts to sync the hydrated manifests.
+
+### Project-Scoped Push Secrets
+
+If all the Applications for a given destination repo/branch are under the same project, then the hydrator will use any
+available project-scoped push secrets. If two Applications for a given repo/branch are in different projects, then the
+hydrator will not be able to use a project-scoped push secret and will require a global push secret.
+
+### Credential Templates
+
+Credential templates allow a single credential to be used for multiple repositories. The source hydrator does not 
+currently support credential templates. You will need a separate credential for each repository.
+
+## Prerequisites
+
+### Handle Secrets on the Destination Cluster
+
+Do not use the source hydrator with any tool that injects secrets into your manifests as part of the hydration process
+(for example, Helm with SOPS or the Argo CD Vault Plugin). These secrets would be committed to git. Instead, use a
+secrets operator that populates the secret values on the destination cluster.
+
+## Best Practices
+
+### Make Hydration Deterministic
+
+The source hydrator should be deterministic. For a given dry source commit, the hydrator should always produce the same
+hydrated manifests. This means that the hydrator should not rely on external state or configuration that is not stored
+in git.
+
+Examples of non-deterministic hydration:
+
+* A Helm chart using unpinned dependencies
+* A Helm chart is using a non-deterministic template function such as `randAlphaNum` or `lookup`
+* [Config Management Plugins](../operator-manual/config-management-plugins.md) which retrieve non-git state, such as secrets
+* Kustomize manifests referencing unpinned remote bases
+
+### Enable Branch Protection
+
+Argo CD should be the only thing pushing hydrated manifests to the hydrated branches. To prevent other tools or users
+from pushing to the hydrated branches, enable branch protection in your SCM.
+
+It is best practice to prefix the hydrated branches with a common prefix, such as `environment/`. This makes it easier
+to configure branch protection rules on the destination repository.

docs/user-guide/sync-waves.md

@@ -4,9 +4,9 @@
 
 <iframe width="560" height="315" src="https://www.youtube.com/embed/zIHe3EVp528" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
 
-Argo CD executes a sync operation in a number of steps. At a high-level, there are three phases *pre-sync*, *sync* and *post-sync*.  
+Argo CD executes a sync operation in a number of steps. At a high-level, there are three phases *pre-sync*, *sync* and *post-sync*.
 
-Within each phase you can have one or more waves, that allows you to ensure certain resources are healthy before subsequent resources are synced.   
+Within each phase you can have one or more waves, that allows you to ensure certain resources are healthy before subsequent resources are synced.
 
 ## How Do I Configure Phases?
 
@@ -32,6 +32,12 @@ metadata:
 
 Hooks and resources are assigned to wave zero by default. The wave can be negative, so you can create a wave that runs before all other resources.
 
+### Can Multiple Resources Share the Same Wave?
+
+Yes, multiple resources can share the same sync-wave value. Resources with the same sync-wave are processed together.
+
+Within a wave, resources are ordered by their kind (e.g. namespaces first) and then by their name.
+
 ## How Does It Work?
 
 When Argo CD starts a sync, it orders the resources in the following precedence:
@@ -39,10 +45,10 @@ When Argo CD starts a sync, it orders the resources in the following precedence:
 * The phase
 * The wave they are in (lower values first for creation & updation and higher values first for deletion)
 * By kind (e.g. [namespaces first and then other Kubernetes resources, followed by custom resources](https://github.com/argoproj/gitops-engine/blob/bc9ce5764fa306f58cf59199a94f6c968c775a2d/pkg/sync/sync_tasks.go#L27-L66))
-* By name 
+* By name
 
 It then determines the number of the next wave to apply. This is the first number where any resource is out-of-sync or unhealthy.
- 
+
 It applies resources in that wave. 
 
 It repeats this process until all phases and waves are in-sync and healthy.

go.mod

@@ -4,13 +4,13 @@ go 1.22.0
 
 require (
 	code.gitea.io/sdk/gitea v0.19.0
-	github.com/Azure/kubelogin v0.1.5
+	github.com/Azure/kubelogin v0.1.6
 	github.com/Masterminds/semver/v3 v3.3.1
 	github.com/Masterminds/sprig/v3 v3.3.0
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/miniredis/v2 v2.33.0
 	github.com/antonmedv/expr v1.15.1
-	github.com/argoproj/gitops-engine v0.7.1-0.20241211202847-8849c3f30c55
+	github.com/argoproj/gitops-engine v0.7.1-0.20250129155113-c19f8cfa4d27
 	github.com/argoproj/notifications-engine v0.4.1-0.20241007194503-2fef5c9049fd
 	github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1
 	github.com/aws/aws-sdk-go v1.55.5
@@ -82,13 +82,13 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0
 	go.opentelemetry.io/otel v1.33.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.32.0
-	go.opentelemetry.io/otel/sdk v1.32.0
-	golang.org/x/crypto v0.31.0
+	go.opentelemetry.io/otel/sdk v1.33.0
+	golang.org/x/crypto v0.32.0
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f
-	golang.org/x/net v0.32.0
+	golang.org/x/net v0.34.0
 	golang.org/x/oauth2 v0.24.0
 	golang.org/x/sync v0.10.0
-	golang.org/x/term v0.27.0
+	golang.org/x/term v0.28.0
 	golang.org/x/time v0.8.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28
 	google.golang.org/grpc v1.68.1
@@ -151,7 +151,7 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/tools v0.27.0 // indirect
 	google.golang.org/api v0.171.0 // indirect

go.sum

@@ -34,8 +34,8 @@ github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+Z
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
-github.com/Azure/kubelogin v0.1.5 h1:PozX8xltEH78z1Ru3D/hCK6XWA9JHd2L4g2OPh1H15A=
-github.com/Azure/kubelogin v0.1.5/go.mod h1:tZpc7Tjlo0O/WArnhrY40CGbmWe+2X1mlf2fkQbNuDc=
+github.com/Azure/kubelogin v0.1.6 h1:2TK38wwjODYVWlHuI7wijwGmsigpDkXWmy9eqXBmMnw=
+github.com/Azure/kubelogin v0.1.6/go.mod h1:NxlvRs9CambNudRXrk63zpPgG7PHzqZwsn0v82cuFRE=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
 github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
@@ -88,8 +88,8 @@ github.com/antonmedv/expr v1.15.1/go.mod h1:0E/6TxnOlRNp81GMzX9QfDPAmHo2Phg00y4J
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE=
-github.com/argoproj/gitops-engine v0.7.1-0.20241211202847-8849c3f30c55 h1:GEyH0LY7gB/BKnahEl6pgNHc6EdjX308b090tn6odKc=
-github.com/argoproj/gitops-engine v0.7.1-0.20241211202847-8849c3f30c55/go.mod h1:WsnykM8idYRUnneeT31cM/Fq/ZsjkefCbjiD8ioCJkU=
+github.com/argoproj/gitops-engine v0.7.1-0.20250129155113-c19f8cfa4d27 h1:OYlZjVY13/x3Rn1HyStXoBGPbFkmvBWyRTEiBlJXkUU=
+github.com/argoproj/gitops-engine v0.7.1-0.20250129155113-c19f8cfa4d27/go.mod h1:WsnykM8idYRUnneeT31cM/Fq/ZsjkefCbjiD8ioCJkU=
 github.com/argoproj/notifications-engine v0.4.1-0.20241007194503-2fef5c9049fd h1:lOVVoK89j9Nd4+JYJiKAaMNYC1402C0jICROOfUPWn0=
 github.com/argoproj/notifications-engine v0.4.1-0.20241007194503-2fef5c9049fd/go.mod h1:N0A4sEws2soZjEpY4hgZpQS8mRIEw6otzwfkgc3g9uQ=
 github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1 h1:qsHwwOJ21K2Ao0xPju1sNuqphyMnMYkyB3ZLoLtxWpo=
@@ -988,8 +988,8 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.32.0 h1:9kV11
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.32.0/go.mod h1:JyA0FHXe22E1NeNiHmVp7kFHglnexDQ7uRWDiiJ1hKQ=
 go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ=
 go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M=
-go.opentelemetry.io/otel/sdk v1.32.0 h1:RNxepc9vK59A8XsgZQouW8ue8Gkb4jpWtJm9ge5lEG4=
-go.opentelemetry.io/otel/sdk v1.32.0/go.mod h1:LqgegDBjKMmb2GC6/PrTnteJG39I8/vJCAP9LlJXEjU=
+go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM=
+go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM=
 go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s=
 go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck=
 go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
@@ -1049,8 +1049,8 @@ golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOM
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw=
@@ -1135,8 +1135,8 @@ golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1231,8 +1231,8 @@ golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240208230135-b75ee8823808/go.mod h1:KG1lNk5ZFNssSZLrpVb4sMXKMpGwGXOxSG3rnu2gZQQ=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1257,8 +1257,8 @@ golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.19.0/go.mod h1:2CuTdWZ7KHSQwUzKva0cbMg6q2DMI3Mmxp+gKJbskEk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=

hack/update-manifests.sh

@@ -49,3 +49,21 @@ $KUSTOMIZE build "${SRCROOT}/manifests/ha/namespace-install" >> "${SRCROOT}/mani
 
 echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/core-install.yaml"
 $KUSTOMIZE build "${SRCROOT}/manifests/core-install" >> "${SRCROOT}/manifests/core-install.yaml"
+
+# Copies enabling manifest hydrator. These can be removed once the manifest hydrator is either removed or enabled by 
+# default.
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/cluster-install-with-hydrator" >> "${SRCROOT}/manifests/install-with-hydrator.yaml"
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/namespace-install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/namespace-install-with-hydrator" >> "${SRCROOT}/manifests/namespace-install-with-hydrator.yaml"
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/ha/install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/ha/cluster-install-with-hydrator" >> "${SRCROOT}/manifests/ha/install-with-hydrator.yaml"
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/ha/namespace-install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/ha/namespace-install-with-hydrator" >> "${SRCROOT}/manifests/ha/namespace-install-with-hydrator.yaml"
+
+echo "${AUTOGENMSG}" > "${SRCROOT}/manifests/core-install-with-hydrator.yaml"
+$KUSTOMIZE build "${SRCROOT}/manifests/core-install-with-hydrator" >> "${SRCROOT}/manifests/core-install-with-hydrator.yaml"