Update version to v0.10.3

See also kubernetes-sigs/kustomize#514

Dockerfile

@@ -61,7 +61,7 @@ RUN wget https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-li
     mv /tmp/linux-amd64/helm /usr/local/bin/helm
 
 # Install kustomize
-ENV KUSTOMIZE_VERSION=1.0.8
+ENV KUSTOMIZE_VERSION=1.0.10
 RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
     chmod +x /usr/local/bin/kustomize
 

VERSION

@@ -1 +1 @@
-0.10.0
+0.10.3

manifests/base/kustomization.yaml

@@ -24,10 +24,10 @@ resources:
 
 imageTags:
 - name: argoproj/argocd-server
-  newTag: latest
+  newTag: v0.10.3
 - name: argoproj/argocd-ui
-  newTag: latest
+  newTag: v0.10.3
 - name: argoproj/argocd-repo-server
-  newTag: latest
+  newTag: v0.10.3
 - name: argoproj/argocd-application-controller
-  newTag: latest
+  newTag: v0.10.3

manifests/install.yaml

@@ -321,7 +321,7 @@ spec:
         - /argocd-application-controller
         - --repo-server
         - argocd-repo-server:8081
-        image: argoproj/argocd-application-controller:latest
+        image: argoproj/argocd-application-controller:v0.10.3
         name: application-controller
       serviceAccountName: application-controller
 ---
@@ -342,7 +342,7 @@ spec:
       containers:
       - command:
         - /argocd-repo-server
-        image: argoproj/argocd-repo-server:latest
+        image: argoproj/argocd-repo-server:v0.10.3
         name: argocd-repo-server
         ports:
         - containerPort: 8081
@@ -372,7 +372,7 @@ spec:
         - /shared/app
         - --repo-server
         - argocd-repo-server:8081
-        image: argoproj/argocd-server:latest
+        image: argoproj/argocd-server:v0.10.3
         name: argocd-server
         readinessProbe:
           httpGet:
@@ -389,7 +389,7 @@ spec:
         - -r
         - /app
         - /shared
-        image: argoproj/argocd-ui:latest
+        image: argoproj/argocd-ui:v0.10.3
         name: ui
         volumeMounts:
         - mountPath: /shared
@@ -429,7 +429,7 @@ spec:
         - cp
         - /argocd-util
         - /shared
-        image: argoproj/argocd-server:latest
+        image: argoproj/argocd-server:v0.10.3
         name: copyutil
         volumeMounts:
         - mountPath: /shared

manifests/namespace-install.yaml

@@ -261,7 +261,7 @@ spec:
         - /argocd-application-controller
         - --repo-server
         - argocd-repo-server:8081
-        image: argoproj/argocd-application-controller:latest
+        image: argoproj/argocd-application-controller:v0.10.3
         name: application-controller
       serviceAccountName: application-controller
 ---
@@ -282,7 +282,7 @@ spec:
       containers:
       - command:
         - /argocd-repo-server
-        image: argoproj/argocd-repo-server:latest
+        image: argoproj/argocd-repo-server:v0.10.3
         name: argocd-repo-server
         ports:
         - containerPort: 8081
@@ -312,7 +312,7 @@ spec:
         - /shared/app
         - --repo-server
         - argocd-repo-server:8081
-        image: argoproj/argocd-server:latest
+        image: argoproj/argocd-server:v0.10.3
         name: argocd-server
         readinessProbe:
           httpGet:
@@ -329,7 +329,7 @@ spec:
         - -r
         - /app
         - /shared
-        image: argoproj/argocd-ui:latest
+        image: argoproj/argocd-ui:v0.10.3
         name: ui
         volumeMounts:
         - mountPath: /shared
@@ -369,7 +369,7 @@ spec:
         - cp
         - /argocd-util
         - /shared
-        image: argoproj/argocd-server:latest
+        image: argoproj/argocd-server:v0.10.3
         name: copyutil
         volumeMounts:
         - mountPath: /shared

server/server.go

@@ -243,6 +243,7 @@ func (a *ArgoCDServer) Run(ctx context.Context, port int) {
 		tlsConfig := tls.Config{
 			Certificates: []tls.Certificate{*a.settings.Certificate},
 		}
+		a.TLSConfigCustomizer(&tlsConfig)
 		tlsl = tls.NewListener(tlsl, &tlsConfig)
 
 		// Now, we build another mux recursively to match HTTPS and gRPC.

util/argo/argo.go

@@ -122,6 +122,7 @@ func RefreshApp(appIf v1alpha1.ApplicationInterface, name string) (*argoappv1.Ap
 }
 
 // WaitForRefresh watches an application until its comparison timestamp is after the refresh timestamp
+// If refresh timestamp is not present, will use current timestamp at time of call
 func WaitForRefresh(appIf v1alpha1.ApplicationInterface, name string, timeout *time.Duration) (*argoappv1.Application, error) {
 	ctx := context.Background()
 	var cancel context.CancelFunc
@@ -136,6 +137,7 @@ func WaitForRefresh(appIf v1alpha1.ApplicationInterface, name string, timeout *t
 		return nil, err
 	}
 	defer watchIf.Stop()
+	now := time.Now().UTC()
 
 	for {
 		select {
@@ -161,6 +163,9 @@ func WaitForRefresh(appIf v1alpha1.ApplicationInterface, name string, timeout *t
 				return nil, fmt.Errorf("Application event object failed conversion: %v", next)
 			}
 			refreshTimestampStr := app.ObjectMeta.Annotations[common.AnnotationKeyRefresh]
+			if refreshTimestampStr == "" {
+				refreshTimestampStr = now.String()
+			}
 			refreshTimestamp, err := time.Parse(time.RFC3339, refreshTimestampStr)
 			if err != nil {
 				return nil, fmt.Errorf("Unable to parse '%s': %v", common.AnnotationKeyRefresh, err)

util/dex/dex.go

@@ -20,7 +20,6 @@ import (
 
 	"github.com/coreos/dex/api"
 	oidc "github.com/coreos/go-oidc"
-	jwt "github.com/dgrijalva/jwt-go"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 	"google.golang.org/grpc"
@@ -325,15 +324,9 @@ func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	idToken, err := a.verify(rawIDToken)
+	claims, err := a.sessionMgr.VerifyToken(rawIDToken)
 	if err != nil {
-		http.Error(w, fmt.Sprintf("Failed to verify ID token: %v", err), http.StatusInternalServerError)
-		return
-	}
-	var claims jwt.MapClaims
-	err = idToken.Claims(&claims)
-	if err != nil {
-		http.Error(w, fmt.Sprintf("Failed to unmarshal claims: %v", err), http.StatusInternalServerError)
+		http.Error(w, fmt.Sprintf("invalid session token: %v", err), http.StatusInternalServerError)
 		return
 	}
 	flags := []string{"path=/"}

util/git/client.go

@@ -149,7 +149,7 @@ func (m *nativeGitClient) Checkout(revision string) error {
 	if _, err := m.runCmd("git", "checkout", "--force", revision); err != nil {
 		return err
 	}
-	if _, err := m.runCmd("git", "clean", "-fd"); err != nil {
+	if _, err := m.runCmd("git", "clean", "-fdx"); err != nil {
 		return err
 	}
 	return nil

util/session/sessionmanager.go

@@ -160,7 +160,29 @@ func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, error) {
 		verifier := provider.Verifier(&oidc.Config{ClientID: claims.Audience})
 		idToken, err := verifier.Verify(context.Background(), tokenString)
 		if err != nil {
-			return nil, err
+			// HACK: if we failed token verification, it's possible the reason was because dex
+			// restarted and has new JWKS signing keys (we do not back dex with persistent storage
+			// so keys might be regenerated). Detect this by:
+			// 1. looking for the specific error message
+			// 2. re-initializing the OIDC provider
+			// 3. re-attempting token verification
+			// NOTE: the error message is sensitive to implementation of verifier.Verify()
+			if !strings.Contains(err.Error(), "failed to verify signature") {
+				return nil, err
+			}
+			provider, retryErr := mgr.initializeOIDCProvider()
+			if retryErr != nil {
+				// return original error if we fail to re-initialize OIDC
+				return nil, err
+			}
+			verifier = provider.Verifier(&oidc.Config{ClientID: claims.Audience})
+			idToken, err = verifier.Verify(context.Background(), tokenString)
+			if err != nil {
+				return nil, err
+			}
+			// If we get here, we successfully re-initialized OIDC and after re-initialization,
+			// the token is now valid.
+			log.Info("New OIDC settings detected")
 		}
 		var claims jwt.MapClaims
 		err = idToken.Claims(&claims)
@@ -168,6 +190,7 @@ func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, error) {
 	}
 }
 
+// Username is a helper to extract a human readable username from a context
 func Username(ctx context.Context) string {
 	claims, ok := ctx.Value("claims").(jwt.Claims)
 	if !ok {
@@ -194,8 +217,7 @@ func MakeCookieMetadata(key, value string, flags ...string) string {
 	return strings.Join(components, "; ")
 }
 
-// OIDCProvider lazily initializes and returns the OIDC provider, querying the well known oidc
-// configuration path (http://example-argocd.com/api/dex/.well-known/openid-configuration).
+// OIDCProvider lazily initializes, memoizes, and returns the OIDC provider.
 // We have to initialize the provider lazily since ArgoCD is an OIDC client to itself, which
 // presents a chicken-and-egg problem of (1) serving dex over HTTP, and (2) querying the OIDC
 // provider (ourselves) to initialize the app.
@@ -203,6 +225,12 @@ func (mgr *SessionManager) OIDCProvider() (*oidc.Provider, error) {
 	if mgr.provider != nil {
 		return mgr.provider, nil
 	}
+	return mgr.initializeOIDCProvider()
+}
+
+// initializeOIDCProvider re-initializes the OIDC provider, querying the well known oidc
+// configuration path (http://example-argocd.com/api/dex/.well-known/openid-configuration)
+func (mgr *SessionManager) initializeOIDCProvider() (*oidc.Provider, error) {
 	if !mgr.settings.IsSSOConfigured() {
 		return nil, fmt.Errorf("SSO is not configured")
 	}
@@ -213,7 +241,6 @@ func (mgr *SessionManager) OIDCProvider() (*oidc.Provider, error) {
 	if err != nil {
 		return nil, fmt.Errorf("Failed to query provider %q: %v", issuerURL, err)
 	}
-
 	// Returns the scopes the provider supports
 	// See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
 	var s struct {
@@ -223,24 +250,27 @@ func (mgr *SessionManager) OIDCProvider() (*oidc.Provider, error) {
 		return nil, fmt.Errorf("Failed to parse provider scopes_supported: %v", err)
 	}
 	log.Infof("OpenID supported scopes: %v", s.ScopesSupported)
+	offlineAsScope := false
 	if len(s.ScopesSupported) == 0 {
 		// scopes_supported is a "RECOMMENDED" discovery claim, not a required
 		// one. If missing, assume that the provider follows the spec and has
 		// an "offline_access" scope.
-		mgr.offlineAsScope = true
+		offlineAsScope = true
 	} else {
 		// See if scopes_supported has the "offline_access" scope.
 		for _, scope := range s.ScopesSupported {
 			if scope == oidc.ScopeOfflineAccess {
-				mgr.offlineAsScope = true
+				offlineAsScope = true
 				break
 			}
 		}
 	}
 	mgr.provider = provider
+	mgr.offlineAsScope = offlineAsScope
 	return mgr.provider, nil
 }
 
+// OfflineAsScope returns whether or not the OIDC provider supports offline as a scope
 func (mgr *SessionManager) OfflineAsScope() bool {
 	_, _ = mgr.OIDCProvider() // forces offlineAsScope to be determined
 	return mgr.offlineAsScope