Bump version to 2.5.3

* fix: hide app namespace when irrelevant (#11111)

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* wire up setting

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* fix: hide app namespace

Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com>

* fix: hide app namespace

Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com>

* add null check

Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com>

* Update ui/src/app/applications/components/utils.tsx

Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com>
Signed-off-by: asingh <11219262+ashutosh16@users.noreply.github.com>

* lint

Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com>

* fix name generation

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: ashutosh16 <11219262+ashutosh16@users.noreply.github.com>
Signed-off-by: asingh <11219262+ashutosh16@users.noreply.github.com>
Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Blake Pettersson <blake.pettersson@gmail.com>

.github/workflows/ci-build.yaml

@@ -18,15 +18,18 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check-go:
     name: Ensure Go modules synchronicity
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -42,13 +45,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -59,13 +62,16 @@ jobs:
         run: make build-local
 
   lint-go:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Go code
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Run golangci-lint
@@ -86,11 +92,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -110,7 +116,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -127,12 +133,12 @@ jobs:
       - name: Run all unit tests
         run: make test-local
       - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: code-coverage
           path: coverage.out
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: test-results
           path: test-results/
@@ -149,11 +155,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -173,7 +179,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -190,7 +196,7 @@ jobs:
       - name: Run all unit tests
         run: make test-race-local
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: race-results
           path: test-results/
@@ -200,9 +206,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -244,14 +250,14 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup NodeJS
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v3
         with:
           node-version: '12.18.4'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -281,12 +287,12 @@ jobs:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -297,16 +303,16 @@ jobs:
         run: |
           mkdir -p test-results
       - name: Get code coverage artifiact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: code-coverage
       - name: Get test result artifact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v3
         with:
           name: test-results
           path: test-results
       - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v3
         with:
           file: coverage.out
       - name: Perform static code analysis using SonarCloud
@@ -360,9 +366,9 @@ jobs:
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
@@ -380,7 +386,7 @@ jobs:
           sudo chown runner $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -406,7 +412,7 @@ jobs:
           git config --global user.email "john.doe@example.com"
       - name: Pull Docker image required for tests
         run: |
-          docker pull ghcr.io/dexidp/dex:v2.35.1-distroless
+          docker pull ghcr.io/dexidp/dex:v2.35.3
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
           docker pull redis:7.0.5-alpine
       - name: Create target directory for binaries in the build-process
@@ -436,7 +442,7 @@ jobs:
           set -x
           make test-e2e-local
       - name: Upload e2e-server logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: e2e-server-k8s${{ matrix.k3s-version }}.log
           path: /tmp/e2e-server.log

.github/workflows/codeql.yml

@@ -13,8 +13,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
     if: github.repository == 'argoproj/argo-cd'
 
     # CodeQL runs on ubuntu-latest and windows-latest
@@ -22,7 +29,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/image.yaml

@@ -16,14 +16,19 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   publish:
+    permissions:
+      contents: write  # for git to push upgrade commit if not already deployed
     if: github.repository == 'argoproj/argo-cd'
     runs-on: ubuntu-22.04
     env:
       GOPATH: /home/runner/work/argo-cd/argo-cd
     steps:
-      - uses: actions/setup-go@v1
+      - uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - uses: actions/checkout@master
@@ -37,8 +42,8 @@ jobs:
 
       # login
       - run: |
-          docker login ghcr.io --username $USERNAME --password $PASSWORD
-          docker login quay.io --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker login ghcr.io --username $USERNAME --password-stdin <<< "$PASSWORD"
+          docker login quay.io --username "$DOCKER_USERNAME" --password-stdin <<< "$DOCKER_TOKEN"
         if: github.event_name == 'push'
         env:
           USERNAME: ${{ secrets.USERNAME }}
@@ -47,8 +52,8 @@ jobs:
           DOCKER_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
 
       # build
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
       - run: |
           IMAGE_PLATFORMS=linux/amd64
           if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
@@ -61,6 +66,22 @@ jobs:
             -t quay.io/argoproj/argocd:latest .
         working-directory: ./src/github.com/argoproj/argo-cd
 
+      # sign container images
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.0'
+
+      - name: Sign Argo CD latest image
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd:latest
+          # Displays the public key to share.
+          cosign public-key --key env://COSIGN_PRIVATE_KEY
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ github.event_name == 'push' }}
+
       # deploy
       - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
         if: github.event_name == 'push'

.github/workflows/release.yaml

@@ -14,8 +14,13 @@ on:
 env:
     GOLANG_VERSION: '1.18'
 
+permissions:
+  contents: read
+
 jobs:
   prepare-release:
+    permissions:
+      contents: write # To push changes to release branch
     name: Perform automatic release on trigger ${{ github.ref }}
     if: github.repository == 'argoproj/argo-cd'
     runs-on: ubuntu-22.04
@@ -38,7 +43,7 @@ jobs:
       GIT_EMAIL: argoproj@gmail.com
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -142,7 +147,7 @@ jobs:
           echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
 
       - name: Setup Golang
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
@@ -190,13 +195,13 @@ jobs:
           QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
         run: |
           set -ue
-          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
+          docker login quay.io --username "${QUAY_USERNAME}" --password-stdin <<< "${QUAY_TOKEN}"
           # Remove the following when Docker Hub is gone
-          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker login --username "${DOCKER_USERNAME}" --password-stdin <<< "${DOCKER_TOKEN}"
         if: ${{ env.DRY_RUN != 'true' }}
 
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
       - name: Build and push Docker image for release
         run: |
           set -ue
@@ -209,6 +214,22 @@ jobs:
           ./dist/argocd-linux-amd64 version --client
         if: ${{ env.DRY_RUN != 'true' }}
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.0'
+
+      - name: Sign Argo CD container images and assets
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
+          # Retrieves the public key to release as an asset
+          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ env.DRY_RUN != 'true' }}
+
       - name: Read release notes file
         id: release-notes
         uses: juliangruber/read-file-action@v1
@@ -265,6 +286,14 @@ jobs:
           cd /tmp && tar -zcf sbom.tar.gz *.spdx
         if: ${{ env.DRY_RUN != 'true' }}
 
+      - name: Sign sbom
+        run: |
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ env.DRY_RUN != 'true' }}
+
       - name: Create GitHub release
         uses: softprops/action-gh-release@v1
         env:
@@ -274,10 +303,11 @@ jobs:
           tag_name: ${{ env.RELEASE_TAG }}
           draft: ${{ env.DRAFT_RELEASE }}
           prerelease: ${{ env.PRE_RELEASE }}
-          body: ${{ steps.release-notes.outputs.content }}
+          body: ${{ steps.release-notes.outputs.content }}  # Pre-pended to the generated notes
           files: |
             dist/argocd-*
             /tmp/sbom.tar.gz
+            /tmp/sbom.tar.gz.sig
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Update homebrew formula

.github/workflows/update-snyk.yaml

@@ -2,14 +2,20 @@ name: Snyk report update
 on:
   schedule:
     - cron: '0 0 * * 0' # midnight every Sunday
+
+permissions:
+  contents: read
+
 jobs:
   snyk-report:
+    permissions:
+      contents: write  # To push snyk reports
     if: github.repository == 'argoproj/argo-cd'
     name: Update Snyk report in the docs directory
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Build reports

Makefile

@@ -512,7 +512,7 @@ build-docs-local:
 
 .PHONY: build-docs
 build-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} build
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs build'
 
 .PHONY: serve-docs-local
 serve-docs-local:
@@ -520,7 +520,7 @@ serve-docs-local:
 
 .PHONY: serve-docs
 serve-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} serve -a 0.0.0.0:8000
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}/site:/site -w /site --entrypoint "" ${MKDOCS_DOCKER_IMAGE} python3 -m http.server --bind 0.0.0.0 8000
 
 
 # Verify that kubectl can connect to your K8s cluster from Docker
@@ -576,7 +576,7 @@ applicationset-controller:
 
 .PHONY: checksums
 checksums:
-	for f in ./dist/$(BIN_NAME)-*; do openssl dgst -sha256 "$$f" | awk ' { print $$2 }' > "$$f".sha256 ; done
+	sha256sum ./dist/$(BIN_NAME)-* | awk -F './dist/' '{print $$1 $$2}' > ./dist/$(BIN_NAME)-$(TARGET_VERSION)-checksums.txt
 
 .PHONY: snyk-container-tests
 snyk-container-tests:

USERS.md

@@ -160,6 +160,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
 1. [Polarpoint.io](https://polarpoint.io)
+1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)

VERSION

@@ -1 +1 @@
-2.5.0
+2.5.3

applicationset/controllers/applicationset_controller.go

@@ -19,7 +19,6 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/go-logr/logr"
 	log "github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
 	apierr "k8s.io/apimachinery/pkg/api/errors"
@@ -62,7 +61,6 @@ var (
 // ApplicationSetReconciler reconciles a ApplicationSet object
 type ApplicationSetReconciler struct {
 	client.Client
-	Log              logr.Logger
 	Scheme           *runtime.Scheme
 	Recorder         record.EventRecorder
 	Generators       map[string]generators.Generator
@@ -77,15 +75,14 @@ type ApplicationSetReconciler struct {
 // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets/status,verbs=get;update;patch
 
 func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
-	_ = r.Log.WithValues("applicationset", req.NamespacedName)
-	_ = log.WithField("applicationset", req.NamespacedName)
+	logCtx := log.WithField("applicationset", req.NamespacedName)
 
 	var applicationSetInfo argov1alpha1.ApplicationSet
 	parametersGenerated := false
 
 	if err := r.Get(ctx, req.NamespacedName, &applicationSetInfo); err != nil {
 		if client.IgnoreNotFound(err) != nil {
-			log.WithError(err).Infof("unable to get ApplicationSet: '%v' ", err)
+			logCtx.WithError(err).Infof("unable to get ApplicationSet: '%v' ", err)
 		}
 		return ctrl.Result{}, client.IgnoreNotFound(err)
 	}
@@ -123,7 +120,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		//
 		// Changes to watched resources will cause this to be reconciled sooner than
 		// the RequeueAfter time.
-		log.Errorf("error occurred during application validation: %s", err.Error())
+		logCtx.Errorf("error occurred during application validation: %s", err.Error())
 
 		_ = r.setApplicationSetStatusCondition(ctx,
 			&applicationSetInfo,
@@ -148,7 +145,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		var message string
 		for _, v := range validateErrors {
 			message = v.Error()
-			log.Errorf("validation error found during application validation: %s", message)
+			logCtx.Errorf("validation error found during application validation: %s", message)
 		}
 		if len(validateErrors) > 1 {
 			// Only the last message gets added to the appset status, to keep the size reasonable.
@@ -215,7 +212,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		delete(applicationSetInfo.Annotations, common.AnnotationApplicationSetRefresh)
 		err := r.Client.Update(ctx, &applicationSetInfo)
 		if err != nil {
-			log.Warnf("error occurred while updating ApplicationSet: %v", err)
+			logCtx.Warnf("error occurred while updating ApplicationSet: %v", err)
 			_ = r.setApplicationSetStatusCondition(ctx,
 				&applicationSetInfo,
 				argov1alpha1.ApplicationSetCondition{
@@ -230,7 +227,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	}
 
 	requeueAfter := r.getMinRequeueAfter(&applicationSetInfo)
-	log.WithField("requeueAfter", requeueAfter).Info("end reconcile")
+	logCtx.WithField("requeueAfter", requeueAfter).Info("end reconcile")
 
 	if len(validateErrors) == 0 {
 		if err := r.setApplicationSetStatusCondition(ctx,

applicationset/controllers/applicationset_controller_test.go

@@ -1832,7 +1832,6 @@ func TestReconcilerValidationErrorBehaviour(t *testing.T) {
 	}}, nil)
 
 	r := ApplicationSetReconciler{
-		Log:      ctrl.Log.WithName("controllers").WithName("ApplicationSet"),
 		Client:   client,
 		Scheme:   scheme,
 		Renderer: &utils.Render{},
@@ -1908,7 +1907,6 @@ func TestSetApplicationSetStatusCondition(t *testing.T) {
 	client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet).Build()
 
 	r := ApplicationSetReconciler{
-		Log:      ctrl.Log.WithName("controllers").WithName("ApplicationSet"),
 		Client:   client,
 		Scheme:   scheme,
 		Renderer: &utils.Render{},

applicationset/examples/git-generator-directory/cluster-addons/argo-workflows/kustomization.yaml

@@ -1,6 +1,6 @@
 #namePrefix: kustomize-
 
 resources:
-- namespace-install.yaml
+- https://github.com/argoproj/argo-workflows/releases/download/v3.4.0/namespace-install.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

applicationset/examples/git-generator-directory/cluster-addons/argo-workflows/namespace-install.yaml

@@ -1,417 +0,0 @@
-# This is an auto-generated file. DO NOT EDIT
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterworkflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: ClusterWorkflowTemplate
-    listKind: ClusterWorkflowTemplateList
-    plural: clusterworkflowtemplates
-    shortNames:
-    - clusterwftmpl
-    - cwft
-    singular: clusterworkflowtemplate
-  scope: Cluster
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: cronworkflows.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: CronWorkflow
-    listKind: CronWorkflowList
-    plural: cronworkflows
-    shortNames:
-    - cwf
-    - cronwf
-    singular: cronworkflow
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workfloweventbindings.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: WorkflowEventBinding
-    listKind: WorkflowEventBindingList
-    plural: workfloweventbindings
-    shortNames:
-    - wfeb
-    singular: workfloweventbinding
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflows.argoproj.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.phase
-    description: Status of the workflow
-    name: Status
-    type: string
-  - JSONPath: .status.startedAt
-    description: When the workflow was started
-    format: date-time
-    name: Age
-    type: date
-  group: argoproj.io
-  names:
-    kind: Workflow
-    listKind: WorkflowList
-    plural: workflows
-    shortNames:
-    - wf
-    singular: workflow
-  scope: Namespaced
-  subresources: {}
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: WorkflowTemplate
-    listKind: WorkflowTemplateList
-    plural: workflowtemplates
-    shortNames:
-    - wftmpl
-    singular: workflowtemplate
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo-server
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumeclaims
-  verbs:
-  - create
-  - delete
-  - get
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-  - create
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-- apiGroups:
-  - argoproj.io
-  resources:
-  - cronworkflows
-  - cronworkflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
-  - get
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-server-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  - pods/log
-  verbs:
-  - get
-  - list
-  - watch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - watch
-  - create
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workfloweventbindings
-  - workflowtemplates
-  - cronworkflows
-  - cronworkflows/finalizers
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argo-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argo-role
-subjects:
-- kind: ServiceAccount
-  name: argo
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argo-server-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argo-server-role
-subjects:
-- kind: ServiceAccount
-  name: argo-server
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: workflow-controller-configmap
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: argo-server
-spec:
-  ports:
-  - name: web
-    port: 2746
-    targetPort: 2746
-  selector:
-    app: argo-server
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: workflow-controller-metrics
-spec:
-  ports:
-  - name: metrics
-    port: 9090
-    protocol: TCP
-    targetPort: 9090
-  selector:
-    app: workflow-controller
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: argo-server
-spec:
-  selector:
-    matchLabels:
-      app: argo-server
-  template:
-    metadata:
-      labels:
-        app: argo-server
-    spec:
-      containers:
-      - args:
-        - server
-        - --namespaced
-        image: argoproj/argocli:v2.12.5
-        name: argo-server
-        ports:
-        - containerPort: 2746
-          name: web
-        readinessProbe:
-          httpGet:
-            path: /
-            port: 2746
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 20
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-      serviceAccountName: argo-server
-      volumes:
-      - emptyDir: {}
-        name: tmp
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: workflow-controller
-spec:
-  selector:
-    matchLabels:
-      app: workflow-controller
-  template:
-    metadata:
-      labels:
-        app: workflow-controller
-    spec:
-      containers:
-      - args:
-        - --configmap
-        - workflow-controller-configmap
-        - --executor-image
-        - argoproj/argoexec:v2.12.5
-        - --namespaced
-        command:
-        - workflow-controller
-        image: argoproj/workflow-controller:v2.12.5
-        livenessProbe:
-          httpGet:
-            path: /metrics
-            port: metrics
-          initialDelaySeconds: 30
-          periodSeconds: 30
-        name: workflow-controller
-        ports:
-        - containerPort: 9090
-          name: metrics
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-      serviceAccountName: argo

applicationset/examples/git-generator-directory/cluster-addons/prometheus-operator/Chart.yaml

@@ -11,4 +11,4 @@ version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: "1.0"
+appVersion: "1.0"

applicationset/examples/git-generator-directory/cluster-addons/prometheus-operator/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
 - name: kube-prometheus-stack
-  version: 9.4.10
+  version: 40.5.0
   repository: https://prometheus-community.github.io/helm-charts

applicationset/examples/git-generator-directory/excludes/cluster-addons/argo-workflows/kustomization.yaml

@@ -1,6 +1,6 @@
 #namePrefix: kustomize-
 
 resources:
-- namespace-install.yaml
+- https://github.com/argoproj/argo-workflows/releases/download/v3.4.0/namespace-install.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

applicationset/examples/git-generator-directory/excludes/cluster-addons/argo-workflows/namespace-install.yaml

@@ -1,417 +0,0 @@
-# This is an auto-generated file. DO NOT EDIT
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterworkflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: ClusterWorkflowTemplate
-    listKind: ClusterWorkflowTemplateList
-    plural: clusterworkflowtemplates
-    shortNames:
-    - clusterwftmpl
-    - cwft
-    singular: clusterworkflowtemplate
-  scope: Cluster
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: cronworkflows.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: CronWorkflow
-    listKind: CronWorkflowList
-    plural: cronworkflows
-    shortNames:
-    - cwf
-    - cronwf
-    singular: cronworkflow
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workfloweventbindings.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: WorkflowEventBinding
-    listKind: WorkflowEventBindingList
-    plural: workfloweventbindings
-    shortNames:
-    - wfeb
-    singular: workfloweventbinding
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflows.argoproj.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.phase
-    description: Status of the workflow
-    name: Status
-    type: string
-  - JSONPath: .status.startedAt
-    description: When the workflow was started
-    format: date-time
-    name: Age
-    type: date
-  group: argoproj.io
-  names:
-    kind: Workflow
-    listKind: WorkflowList
-    plural: workflows
-    shortNames:
-    - wf
-    singular: workflow
-  scope: Namespaced
-  subresources: {}
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: WorkflowTemplate
-    listKind: WorkflowTemplateList
-    plural: workflowtemplates
-    shortNames:
-    - wftmpl
-    singular: workflowtemplate
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo-server
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumeclaims
-  verbs:
-  - create
-  - delete
-  - get
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-  - create
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-- apiGroups:
-  - argoproj.io
-  resources:
-  - cronworkflows
-  - cronworkflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
-  - get
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-server-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  - pods/log
-  verbs:
-  - get
-  - list
-  - watch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - watch
-  - create
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workfloweventbindings
-  - workflowtemplates
-  - cronworkflows
-  - cronworkflows/finalizers
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argo-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argo-role
-subjects:
-- kind: ServiceAccount
-  name: argo
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argo-server-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argo-server-role
-subjects:
-- kind: ServiceAccount
-  name: argo-server
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: workflow-controller-configmap
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: argo-server
-spec:
-  ports:
-  - name: web
-    port: 2746
-    targetPort: 2746
-  selector:
-    app: argo-server
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: workflow-controller-metrics
-spec:
-  ports:
-  - name: metrics
-    port: 9090
-    protocol: TCP
-    targetPort: 9090
-  selector:
-    app: workflow-controller
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: argo-server
-spec:
-  selector:
-    matchLabels:
-      app: argo-server
-  template:
-    metadata:
-      labels:
-        app: argo-server
-    spec:
-      containers:
-      - args:
-        - server
-        - --namespaced
-        image: argoproj/argocli:v2.12.5
-        name: argo-server
-        ports:
-        - containerPort: 2746
-          name: web
-        readinessProbe:
-          httpGet:
-            path: /
-            port: 2746
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 20
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-      serviceAccountName: argo-server
-      volumes:
-      - emptyDir: {}
-        name: tmp
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: workflow-controller
-spec:
-  selector:
-    matchLabels:
-      app: workflow-controller
-  template:
-    metadata:
-      labels:
-        app: workflow-controller
-    spec:
-      containers:
-      - args:
-        - --configmap
-        - workflow-controller-configmap
-        - --executor-image
-        - argoproj/argoexec:v2.12.5
-        - --namespaced
-        command:
-        - workflow-controller
-        image: argoproj/workflow-controller:v2.12.5
-        livenessProbe:
-          httpGet:
-            path: /metrics
-            port: metrics
-          initialDelaySeconds: 30
-          periodSeconds: 30
-        name: workflow-controller
-        ports:
-        - containerPort: 9090
-          name: metrics
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-      serviceAccountName: argo

applicationset/examples/git-generator-directory/excludes/cluster-addons/prometheus-operator/Chart.yaml

@@ -1 +1,14 @@
+apiVersion: v2
 name: helm-prometheus-operator
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"

applicationset/examples/git-generator-directory/excludes/cluster-addons/prometheus-operator/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
 - name: kube-prometheus-stack
-  version: 9.4.10
+  version: 40.5.0
   repository: https://prometheus-community.github.io/helm-charts

applicationset/examples/git-generator-directory/excludes/git-directories-exclude-example-fasttemplate.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: cluster-addons
+  namespace: argocd
+spec:
+  generators:
+  - git:
+      repoURL: https://github.com/argoproj/argo-cd.git
+      revision: HEAD
+      directories:
+      - path: applicationset/examples/git-generator-directory/excludes/cluster-addons/*
+      - exclude: true
+        path: applicationset/examples/git-generator-directory/excludes/cluster-addons/exclude-helm-guestbook
+  template:
+    metadata:
+      name: '{{path.basename}}'
+    spec:
+      project: "my-project"
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: '{{path}}'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true

applicationset/examples/git-generator-directory/excludes/git-directories-exclude-example.yaml

@@ -2,7 +2,9 @@ apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
   name: cluster-addons
+  namespace: argocd
 spec:
+  goTemplate: true
   generators:
   - git:
       repoURL: https://github.com/argoproj/argo-cd.git
@@ -15,7 +17,7 @@ spec:
     metadata:
       name: '{{.path.basename}}'
     spec:
-      project: default
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
@@ -23,3 +25,6 @@ spec:
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{.path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true

applicationset/examples/git-generator-directory/git-directories-example-fasttemplate.yaml

@@ -2,6 +2,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
   name: cluster-addons
+  namespace: argocd
 spec:
   generators:
   - git:
@@ -13,7 +14,7 @@ spec:
     metadata:
       name: '{{path.basename}}'
     spec:
-      project: default
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
@@ -21,3 +22,6 @@ spec:
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true

applicationset/examples/git-generator-directory/git-directories-example.yaml

@@ -2,6 +2,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
   name: cluster-addons
+  namespace: argocd
 spec:
   goTemplate: true
   generators:
@@ -14,7 +15,7 @@ spec:
     metadata:
       name: '{{.path.basename}}'
     spec:
-      project: default
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
@@ -22,3 +23,6 @@ spec:
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{.path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true

applicationset/utils/utils.go

@@ -133,6 +133,16 @@ func (r *Render) deeplyReplace(copy, original reflect.Value, replaceMap map[stri
 			if err := r.deeplyReplace(copyValue, originalValue, replaceMap, useGoTemplate); err != nil {
 				return err
 			}
+
+			// Keys can be templated as well as values (e.g. to template something into an annotation).
+			if key.Kind() == reflect.String {
+				templatedKey, err := r.Replace(key.String(), replaceMap, useGoTemplate)
+				if err != nil {
+					return err
+				}
+				key = reflect.ValueOf(templatedKey)
+			}
+
 			copy.SetMapIndex(key, copyValue)
 		}
 

applicationset/utils/utils_test.go

@@ -7,6 +7,7 @@ import (
 	"github.com/sirupsen/logrus"
 	logtest "github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -461,7 +462,49 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			}
 		})
 	}
+}
 
+func TestRenderTemplateKeys(t *testing.T) {
+	t.Run("fasttemplate", func(t *testing.T) {
+		application := &argoappsv1.Application{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"annotation-{{key}}": "annotation-{{value}}",
+				},
+			},
+		}
+
+		params := map[string]interface{}{
+			"key":   "some-key",
+			"value": "some-value",
+		}
+
+		render := Render{}
+		newApplication, err := render.RenderTemplateParams(application, nil, params, false)
+		require.NoError(t, err)
+		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
+		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
+	})
+	t.Run("gotemplate", func(t *testing.T) {
+		application := &argoappsv1.Application{
+			ObjectMeta: metav1.ObjectMeta{
+				Annotations: map[string]string{
+					"annotation-{{ .key }}": "annotation-{{ .value }}",
+				},
+			},
+		}
+
+		params := map[string]interface{}{
+			"key":   "some-key",
+			"value": "some-value",
+		}
+
+		render := Render{}
+		newApplication, err := render.RenderTemplateParams(application, nil, params, true)
+		require.NoError(t, err)
+		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
+		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
+	})
 }
 
 func TestRenderTemplateParamsFinalizers(t *testing.T) {

argocd-cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
+JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
+-----END PUBLIC KEY-----

assets/builtin-policy.csv

@@ -21,6 +21,10 @@ p, role:admin, applications, delete, */*, allow
 p, role:admin, applications, sync, */*, allow
 p, role:admin, applications, override, */*, allow
 p, role:admin, applications, action/*, */*, allow
+p, role:admin, applicationsets, get, */*, allow
+p, role:admin, applicationsets, create, */*, allow
+p, role:admin, applicationsets, update, */*, allow
+p, role:admin, applicationsets, delete, */*, allow
 p, role:admin, certificates, create, *, allow
 p, role:admin, certificates, update, *, allow
 p, role:admin, certificates, delete, *, allow
@@ -39,4 +43,4 @@ p, role:admin, gpgkeys, delete, *, allow
 p, role:admin, exec, create, */*, allow
 
 g, role:admin, role:readonly
-g, admin, role:admin
+g, admin, role:admin

assets/swagger.json

@@ -4097,6 +4097,9 @@
         "appLabelKey": {
           "type": "string"
         },
+        "appsInAnyNamespaceEnabled": {
+          "type": "boolean"
+        },
         "configManagementPlugins": {
           "type": "array",
           "items": {
@@ -7423,6 +7426,10 @@
         "status": {
           "type": "string"
         },
+        "syncWave": {
+          "type": "string",
+          "format": "int64"
+        },
         "version": {
           "type": "string"
         }

cmd/argocd-applicationset-controller/commands/applicationset_controller.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"net/http"
 	"os"
-	"strings"
 	"time"
 
 	"github.com/argoproj/pkg/stats"
@@ -16,6 +15,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/argoproj/argo-cd/v2/applicationset/webhook"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/reposerver/askpass"
 	"github.com/argoproj/argo-cd/v2/util/env"
@@ -56,8 +56,6 @@ func NewCommand() *cobra.Command {
 		policy               string
 		debugLog             bool
 		dryRun               bool
-		logFormat            string
-		logLevel             string
 	)
 	scheme := runtime.NewScheme()
 	_ = clientgoscheme.AddToScheme(scheme)
@@ -79,6 +77,9 @@ func NewCommand() *cobra.Command {
 				},
 			)
 
+			cli.SetLogFormat(cmdutil.LogFormat)
+			cli.SetLogLevel(cmdutil.LogLevel)
+
 			restConfig, err := clientConfig.ClientConfig()
 			if err != nil {
 				return err
@@ -86,21 +87,6 @@ func NewCommand() *cobra.Command {
 
 			restConfig.UserAgent = fmt.Sprintf("argocd-applicationset-controller/%s (%s)", vers.Version, vers.Platform)
 
-			level, err := log.ParseLevel(logLevel)
-			if err != nil {
-				return err
-			}
-			log.SetLevel(level)
-			switch strings.ToLower(logFormat) {
-			case "json":
-				log.SetFormatter(&log.JSONFormatter{})
-			case "text":
-				if os.Getenv("FORCE_LOG_COLORS") == "1" {
-					log.SetFormatter(&log.TextFormatter{ForceColors: true})
-				}
-			default:
-				return fmt.Errorf("Unknown log format '%s'", logFormat)
-			}
 			policyObj, exists := utils.Policies[policy]
 			if !exists {
 				log.Info("Policy value can be: sync, create-only, create-update")
@@ -184,7 +170,6 @@ func NewCommand() *cobra.Command {
 			if err = (&controllers.ApplicationSetReconciler{
 				Generators:       topLevelGenerators,
 				Client:           mgr.GetClient(),
-				Log:              ctrl.Log.WithName("controllers").WithName("ApplicationSet"),
 				Scheme:           mgr.GetScheme(),
 				Recorder:         mgr.GetEventRecorderFor("applicationset-controller"),
 				Renderer:         &utils.Render{},
@@ -217,9 +202,9 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", "argocd-repo-server:8081", "Argo CD repo server address")
 	command.Flags().StringVar(&policy, "policy", "sync", "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion)")
 	command.Flags().BoolVar(&debugLog, "debug", false, "Print debug logs. Takes precedence over loglevel")
-	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().BoolVar(&dryRun, "dry-run", false, "Enable dry run mode")
-	command.Flags().StringVar(&logFormat, "logformat", "text", "Set the logging format. One of: text|json")
 	return &command
 }
 

cmd/argocd/commands/admin/notifications.go

@@ -33,7 +33,7 @@ func NewNotificationsCommand() *cobra.Command {
 	var argocdService service.Service
 	toolsCommand := cmd.NewToolsCommand(
 		"notifications",
-		"notifications",
+		"argocd admin notifications",
 		applications,
 		settings.GetFactorySettings(argocdService, "argocd-notifications-secret", "argocd-notifications-cm"), func(clientConfig clientcmd.ClientConfig) {
 			k8sCfg, err := clientConfig.ClientConfig()

cmpserver/plugin/config.go

@@ -25,8 +25,6 @@ type PluginConfigSpec struct {
 	Init             Command  `json:"init,omitempty"`
 	Generate         Command  `json:"generate"`
 	Discover         Discover `json:"discover"`
-	AllowConcurrency bool     `json:"allowConcurrency"`
-	LockRepo         bool     `json:"lockRepo"`
 }
 
 //Discover holds find and fileName

cmpserver/plugin/testdata/ksonnet/config/plugin.yaml

@@ -11,5 +11,3 @@ spec:
   discover:
     find:
       glob: "**/*/main.jsonnet"
-  allowConcurrency: false
-  lockRepo: false

cmpserver/plugin/testdata/kustomize-neg/config/plugin-bad.yaml

@@ -12,5 +12,3 @@ spec:
     find:
       command: [sh, -c, find . -name kustomization.yaml]
       glob: "**/*/kustomization.yaml"
-  allowConcurrency: true
-  lockRepo: false

cmpserver/plugin/testdata/kustomize/config/plugin.yaml

@@ -12,5 +12,3 @@ spec:
     find:
       command: [sh, -c, find . -name kustomization.yaml]
       glob: "**/*/kustomization.yaml"
-  allowConcurrency: true
-  lockRepo: false

controller/appcontroller.go

@@ -1497,17 +1497,7 @@ func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application)
 	errorConditions := make([]appv1.ApplicationCondition, 0)
 	proj, err := ctrl.getAppProj(app)
 	if err != nil {
-		if apierr.IsNotFound(err) {
-			errorConditions = append(errorConditions, appv1.ApplicationCondition{
-				Type:    appv1.ApplicationConditionInvalidSpecError,
-				Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
-			})
-		} else {
-			errorConditions = append(errorConditions, appv1.ApplicationCondition{
-				Type:    appv1.ApplicationConditionUnknownError,
-				Message: err.Error(),
-			})
-		}
+		errorConditions = append(errorConditions, ctrl.projectErrorToCondition(err, app))
 	} else {
 		specConditions, err := argo.ValidatePermissions(context.Background(), &app.Spec, proj, ctrl.db)
 		if err != nil {
@@ -1798,7 +1788,7 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 					// If the application is not allowed to use the project,
 					// log an error.
 					if _, err := ctrl.getAppProj(app); err != nil {
-						ctrl.setAppCondition(app, appv1.ApplicationCondition{Type: appv1.ApplicationConditionUnknownError, Message: err.Error()})
+						ctrl.setAppCondition(app, ctrl.projectErrorToCondition(err, app))
 					}
 				}
 
@@ -1869,6 +1859,19 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 	return informer, lister
 }
 
+func (ctrl *ApplicationController) projectErrorToCondition(err error, app *appv1.Application) appv1.ApplicationCondition {
+	var condition appv1.ApplicationCondition
+	if apierr.IsNotFound(err) {
+		condition = appv1.ApplicationCondition{
+			Type:    appv1.ApplicationConditionInvalidSpecError,
+			Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
+		}
+	} else {
+		condition = appv1.ApplicationCondition{Type: appv1.ApplicationConditionUnknownError, Message: err.Error()}
+	}
+	return condition
+}
+
 func (ctrl *ApplicationController) RegisterClusterSecretUpdater(ctx context.Context) {
 	updater := NewClusterInfoUpdater(ctrl.stateCache, ctrl.db, ctrl.appLister.Applications(""), ctrl.cache, ctrl.clusterFilter, ctrl.getAppProj, ctrl.namespace)
 	go updater.Run(ctx)

controller/appcontroller_test.go

@@ -1068,6 +1068,34 @@ func TestUpdateReconciledAt(t *testing.T) {
 
 }
 
+func TestProjectErrorToCondition(t *testing.T) {
+	app := newFakeApp()
+	app.Spec.Project = "wrong project"
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	})
+	key, _ := cache.MetaNamespaceKeyFunc(app)
+	ctrl.appRefreshQueue.Add(key)
+	ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
+
+	ctrl.processAppRefreshQueueItem()
+
+	obj, ok, err := ctrl.appInformer.GetIndexer().GetByKey(key)
+	assert.True(t, ok)
+	assert.NoError(t, err)
+	updatedApp := obj.(*argoappv1.Application)
+	assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, updatedApp.Status.Conditions[0].Type)
+	assert.Equal(t, "Application referencing project wrong project which does not exist", updatedApp.Status.Conditions[0].Message)
+	assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, updatedApp.Status.Conditions[0].Type)
+}
+
 func TestFinalizeProjectDeletion_HasApplications(t *testing.T) {
 	app := newFakeApp()
 	proj := &argoappv1.AppProject{ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: test.FakeArgoCDNamespace}}

controller/state.go

@@ -14,6 +14,7 @@ import (
 	hookutil "github.com/argoproj/gitops-engine/pkg/sync/hook"
 	"github.com/argoproj/gitops-engine/pkg/sync/ignore"
 	resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource"
+	"github.com/argoproj/gitops-engine/pkg/sync/syncwaves"
 	kubeutil "github.com/argoproj/gitops-engine/pkg/utils/kube"
 	log "github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -513,7 +514,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		}
 		gvk := obj.GroupVersionKind()
 
-		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, appLabelKey, trackingMethod)
+		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, targetObj, app.GetName(), appLabelKey, trackingMethod)
 
 		resState := v1alpha1.ResourceStatus{
 			Namespace:       obj.GetNamespace(),
@@ -524,6 +525,9 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 			Hook:            hookutil.IsHook(obj),
 			RequiresPruning: targetObj == nil && liveObj != nil && isSelfReferencedObj,
 		}
+		if targetObj != nil {
+			resState.SyncWave = int64(syncwaves.Wave(targetObj))
+		}
 
 		var diffResult diff.DiffResult
 		if i < len(diffResults.Diffs) {
@@ -695,12 +699,13 @@ func NewAppStateManager(
 }
 
 // isSelfReferencedObj returns whether the given obj is managed by the application
-// according to the values in the tracking annotation. It returns true when all
-// of the properties in the annotation (name, namespace, group and kind) match
-// the properties of the inspected object, or if the tracking method used does
-// not provide the required properties for matching.
-func (m *appStateManager) isSelfReferencedObj(obj *unstructured.Unstructured, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
-	if obj == nil {
+// according to the values of the tracking id (aka app instance value) annotation.
+// It returns true when all of the properties of the tracking id (app name, namespace,
+// group and kind) match the properties of the live object, or if the tracking method
+// used does not provide the required properties for matching.
+// Reference: https://github.com/argoproj/argo-cd/issues/8683
+func (m *appStateManager) isSelfReferencedObj(live, config *unstructured.Unstructured, appName, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
+	if live == nil {
 		return true
 	}
 
@@ -710,17 +715,42 @@ func (m *appStateManager) isSelfReferencedObj(obj *unstructured.Unstructured, ap
 		return true
 	}
 
-	// In order for us to assume obj to be managed by this application, the
-	// values from the annotation have to match the properties from the live
-	// object. Cluster scoped objects carry the app's destination namespace
-	// in the tracking annotation, but are unique in GVK + name combination.
-	appInstance := m.resourceTracking.GetAppInstance(obj, appLabelKey, trackingMethod)
-	if appInstance != nil {
-		return (obj.GetNamespace() == appInstance.Namespace || obj.GetNamespace() == "") &&
-			obj.GetName() == appInstance.Name &&
-			obj.GetObjectKind().GroupVersionKind().Group == appInstance.Group &&
-			obj.GetObjectKind().GroupVersionKind().Kind == appInstance.Kind
+	// config != nil is the best-case scenario for constructing an accurate
+	// Tracking ID. `config` is the "desired state" (from git/helm/etc.).
+	// Using the desired state is important when there is an ApiGroup upgrade.
+	// When upgrading, the comparison must be made with the new tracking ID.
+	// Example:
+	//     live resource annotation will be:
+	//        ingress-app:extensions/Ingress:default/some-ingress
+	//     when it should be:
+	//        ingress-app:networking.k8s.io/Ingress:default/some-ingress
+	// More details in: https://github.com/argoproj/argo-cd/pull/11012
+	var aiv argo.AppInstanceValue
+	if config != nil {
+		aiv = argo.UnstructuredToAppInstanceValue(config, appName, "")
+		return isSelfReferencedObj(live, aiv)
 	}
 
+	// If config is nil then compare the live resource with the value
+	// of the annotation. In this case, in order to validate if obj is
+	// managed by this application, the values from the annotation have
+	// to match the properties from the live object. Cluster scoped objects
+	// carry the app's destination namespace in the tracking annotation,
+	// but are unique in GVK + name combination.
+	appInstance := m.resourceTracking.GetAppInstance(live, appLabelKey, trackingMethod)
+	if appInstance != nil {
+		return isSelfReferencedObj(live, *appInstance)
+	}
 	return true
 }
+
+// isSelfReferencedObj returns true if the given Tracking ID (`aiv`) matches
+// the given object. It returns false when the ID doesn't match. This sometimes
+// happens when a tracking label or annotation gets accidentally copied to a
+// different resource.
+func isSelfReferencedObj(obj *unstructured.Unstructured, aiv argo.AppInstanceValue) bool {
+	return (obj.GetNamespace() == aiv.Namespace || obj.GetNamespace() == "") &&
+		obj.GetName() == aiv.Name &&
+		obj.GetObjectKind().GroupVersionKind().Group == aiv.Group &&
+		obj.GetObjectKind().GroupVersionKind().Kind == aiv.Kind
+}

controller/state_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -852,6 +853,19 @@ func TestIsLiveResourceManaged(t *testing.T) {
 			},
 		},
 	})
+	managedWrongAPIGroup := kube.MustToUnstructured(&networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "networking.k8s.io/v1",
+			Kind:       "Ingress",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "some-ingress",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:extensions/Ingress:default/some-ingress",
+			},
+		},
+	})
 	ctrl := newFakeController(&fakeData{
 		apps: []runtime.Object{app, &defaultProj},
 		manifestResponse: &apiclient.ManifestResponse{
@@ -870,30 +884,69 @@ func TestIsLiveResourceManaged(t *testing.T) {
 	})
 
 	manager := ctrl.appStateManager.(*appStateManager)
+	appName := "guestbook"
 
-	// Managed resource w/ annotations
-	assert.True(t, manager.isSelfReferencedObj(managedObj, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.True(t, manager.isSelfReferencedObj(managedObj, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	t.Run("will return true if trackingid matches the resource", func(t *testing.T) {
+		// given
+		t.Parallel()
+		configObj := managedObj.DeepCopy()
 
-	// Managed resource w/ label
-	assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will return true if tracked with label", func(t *testing.T) {
+		// given
+		t.Parallel()
+		configObj := managedObjWithLabel.DeepCopy()
 
-	// Wrong resource name
-	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	})
+	t.Run("will handle if trackingId has wrong resource name and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()
 
-	// Wrong resource group
-	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will handle if trackingId has wrong resource group and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()
 
-	// Wrong resource kind
-	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will handle if trackingId has wrong kind and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()
 
-	// Wrong resource namespace
-	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will handle if trackingId has wrong namespace and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()
 
-	// Nil resource
-	assert.True(t, manager.isSelfReferencedObj(nil, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel))
+	})
+	t.Run("will return true if live is nil", func(t *testing.T) {
+		t.Parallel()
+		assert.True(t, manager.isSelfReferencedObj(nil, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+
+	t.Run("will handle upgrade in desired state APIGroup", func(t *testing.T) {
+		// given
+		t.Parallel()
+		config := managedWrongAPIGroup.DeepCopy()
+		delete(config.GetAnnotations(), common.AnnotationKeyAppInstance)
+
+		// then
+		assert.True(t, manager.isSelfReferencedObj(managedWrongAPIGroup, config, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
 }

controller/sync.go

@@ -246,7 +246,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		sync.WithResourcesFilter(func(key kube.ResourceKey, target *unstructured.Unstructured, live *unstructured.Unstructured) bool {
 			return (len(syncOp.Resources) == 0 ||
 				argo.ContainsSyncResource(key.Name, key.Namespace, schema.GroupVersionKind{Kind: key.Kind, Group: key.Group}, syncOp.Resources)) &&
-				m.isSelfReferencedObj(live, appLabelKey, trackingMethod)
+				m.isSelfReferencedObj(live, target, app.GetName(), appLabelKey, trackingMethod)
 		}),
 		sync.WithManifestValidation(!syncOp.SyncOptions.HasOption(common.SyncOptionsDisableValidation)),
 		sync.WithNamespaceCreation(syncOp.SyncOptions.HasOption("CreateNamespace=true"), func(un *unstructured.Unstructured) bool {

docs/developer-guide/api-docs.md

@@ -11,15 +11,6 @@ $ curl $ARGOCD_SERVER/api/v1/session -d $'{"username":"admin","password":"passwo
 {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1Njc4MTIzODcsImlzcyI6ImFyZ29jZCIsIm5iZiI6MTU2NzgxMjM4Nywic3ViIjoiYWRtaW4ifQ.ejyTgFxLhuY9mOBtKhcnvobg3QZXJ4_RusN_KIdVwao"} 
 ```
 
-> <=v1.2
-
-Then pass using the HTTP `SetCookie` header, prefixing with `argocd.token`:
-
-```bash
-$ curl $ARGOCD_SERVER/api/v1/applications --cookie "argocd.token=$ARGOCD_TOKEN" 
-{"metadata":{"selfLink":"/apis/argoproj.io/v1alpha1/namespaces/argocd/applications","resourceVersion":"37755"},"items":...}
-```
-
 Then pass using the HTTP `Authorization` header, prefixing with `Bearer `:
 
 ```bash

docs/developer-guide/contributors-quickstart.md

@@ -0,0 +1,112 @@
+# Contributors Quick-Start 
+
+This guide is a starting point for first-time contributors running Argo CD locally for the first time.
+
+It skips advanced topics such as codegen, which are covered in the [running locally guide](running-locally.md)
+and the [toolchain guide](toolchain-guide.md).
+
+## Getting Started
+
+### Install Go
+
+- Install version 1.18 or newer (Verify version by running `go version`)
+
+- Get current value of `GOPATH` env:
+   ```shell
+   go env | grep path
+   ```
+- Change directory into that path
+   ```shell
+   cd <path>
+   ```
+
+### Clone the Argo CD repo
+
+```shell
+mkdir -p src/github.com/argoproj/ &&
+cd src/github.com/argoproj &&
+git clone https://github.com/argoproj/argo-cd.git
+```
+
+### Install Docker
+
+<https://docs.docker.com/engine/install/>
+
+### Install or Upgrade `kind` (Optional - Should work with any local cluster)
+
+<https://kind.sigs.k8s.io/docs/user/quick-start/>
+
+### Start Your Local Cluster
+
+```shell
+kind create cluster
+```
+
+### Install Argo CD
+
+```shell
+kubectl create namespace argocd &&
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml
+```
+
+Set kubectl config to avoid specifying the namespace in every kubectl command.  
+All following commands in this guide assume the namespace is already set.
+
+```shell
+kubectl config set-context --current --namespace=argocd
+```
+
+### Install `yarn`
+
+<https://classic.yarnpkg.com/lang/en/docs/install/>
+
+### Install `goreman`
+
+<https://github.com/mattn/goreman#getting-started>
+
+### Run Argo CD
+
+```shell
+cd argo-cd
+make start-local ARGOCD_GPG_ENABLED=false
+```
+
+- Navigate to <localhost:4000> to the ArgoCD UI on browser
+- It may take a few minutes for the UI to be responsive
+
+!!! note
+    If the UI is not working, check the logs from `make start-local`. The logs are `DEBUG` level by default. If the logs are
+    too noisy to find the problem, try editing log levels for the commands in the `Procfile` in the root of the Argo CD repo.
+
+## Making Changes
+
+### UI Changes
+
+Modifying the User-Interface (by editing .tsx or .scss files) auto-reloads the changes on port 4000.
+
+### Backend Changes
+
+Modifying the API server, repo server, or a controller requires restarting the current `make start-local` session to reflect the changes.
+
+### CLI Changes
+
+Modifying the CLI requires restarting the current `make start-local` session to reflect the changes.
+
+To test most CLI commands, you will need to log in.
+
+First, get the auto-generated secret:
+
+```shell
+kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
+```
+
+Then log in using that password and username `admin`:
+
+```shell
+dist/argocd login localhost:8080
+```
+
+---
+Congrats on making it to the end of this runbook! 🚀
+
+For more on Argo CD, find us in Slack - <https://slack.cncf.io/> [#argo-contributors](https://cloud-native.slack.com/archives/C020XM04CUW)

docs/faq.md

@@ -81,11 +81,6 @@ might decide to refresh `stable` repo. As workaround override
 
 ```yaml
 data:
-  # v1.2 or earlier use `helm.repositories`
-  helm.repositories: |
-    - url: http://<internal-helm-repo-host>:8080
-      name: stable
-  # v1.3 or later use `repositories` with `type: helm`
   repositories: |
     - type: helm
       url: http://<internal-helm-repo-host>:8080

docs/operator-manual/application.yaml

@@ -99,10 +99,12 @@ spec:
           value: bar
       # Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during
       # manifest generation. This takes precedence over the `include` field.
-      exclude: string
+      # To match multiple patterns, wrap the patterns in {} and separate them with commas. For example: '{config.yaml,env-use2/*}'
+      exclude: 'config.yaml'
       # Include contains a glob pattern to match paths against that should be explicitly included during manifest
       # generation. If this field is set, only matching manifests will be included.
-      include: string
+      # To match multiple patterns, wrap the patterns in {} and separate them with commas. For example: '{*.yml,*.yaml}'
+      include: '*.yaml'
 
     # plugin specific config
     plugin:

docs/operator-manual/applicationset/Generators-Git.md

@@ -45,7 +45,7 @@ spec:
       - path: applicationset/examples/git-generator-directory/cluster-addons/*
   template:
     metadata:
-      name: '{{path[0]}}'
+      name: '{{path.basename}}'
     spec:
       project: "my-project"
       source:
@@ -55,6 +55,9 @@ spec:
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true
 ```
 (*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-directory).*)
 

docs/operator-manual/applicationset/Generators-Pull-Request.md

@@ -10,6 +10,8 @@ metadata:
 spec:
   generators:
   - pullRequest:
+      # When using a Pull Request generator, the ApplicationSet controller polls every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to detect changes.
+      requeueAfterSeconds: 1800
       # See below for provider specific options.
       github:
         # ...
@@ -181,7 +183,7 @@ If you want to access a private repository, you must also provide the credential
 ## Filters
 
 Filters allow selecting which pull requests to generate for. Each filter can declare one or more conditions, all of which must pass. If multiple filters are present, any can match for a repository to be included. If no filters are specified, all pull requests will be processed.
-Currently, only a subset of filters is available when comparing with SCM provider filters.
+Currently, only a subset of filters is available when comparing with [SCM provider](Generators-SCM-Provider.md) filters.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -190,7 +192,7 @@ metadata:
   name: myapps
 spec:
   generators:
-  - scmProvider:
+  - pullRequest:
       # ...
       # Include any pull request ending with "argocd". (optional)
       filters:
@@ -201,6 +203,7 @@ spec:
 
 * `branchMatch`: A regexp matched against source branch names.
 
+[GitHub](#github) and [GitLab](#gitlab) also support a `labels` filter.
 
 ## Template
 

docs/operator-manual/applicationset/GoTemplate.md

@@ -74,6 +74,13 @@ All your templates must replace parameters with GoTemplate Syntax:
 
 Example: `{{ some.value }}` becomes `{{ .some.value }}`
 
+### Cluster Generators
+
+By activating Go Templating, `{{ .metadata }}` becomes an object.
+
+- `{{ metadata.labels.my-label }}` becomes `{{ index .metadata.labels "my-label" }}`
+- `{{ metadata.annotations.my/annotation }}` becomes `{{ index .metadata.annotations "my/annotation" }}`
+
 ### Git Generators
 
 By activating Go Templating, `{{ .path }}` becomes an object. Therefore, some changes must be made to the Git 

docs/operator-manual/high_availability.md

@@ -61,7 +61,7 @@ number of allowed concurrent kubectl fork/execs.
 * The controller uses Kubernetes watch APIs to maintain lightweight Kubernetes cluster cache. This allows to avoid querying Kubernetes during app reconciliation and significantly improve
 performance. For performance reasons controller monitors and caches only preferred the version of a resource. During reconciliation, the controller might have to convert cached resource from
 preferred version into a version of the resource stored in Git. If `kubectl convert` fails because conversion is not supported then controller falls back to Kubernetes API query which slows down
-reconciliation. In this case advice user-preferred resource version in Git.
+reconciliation. In this case, we advise you to use the preferred resource version in Git.
 
 * The controller polls Git every 3m by default. You can increase this duration using `timeout.reconciliation` setting in the `argocd-cm` ConfigMap. The value of `timeout.reconciliation` is a duration string e.g `60s`, `1m`, `1h` or `1d`.
 
@@ -126,20 +126,17 @@ If the manifest generation has no side effects then requests are processed in pa
 
 ### Webhook and Manifest Paths Annotation
 
-Argo CD aggressively caches generated manifests and uses repository commit SHA as a cache key. A new commit to the Git repository invalidates cache for all applications configured in the repository
-that again negatively affect mono repositories with multiple applications. You might use [webhooks ⧉](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/webhook.md) and `argocd.argoproj.io/manifest-generate-paths` Application
-CRD annotation to solve this problem and improve performance.
+Argo CD aggressively caches generated manifests and uses the repository commit SHA as a cache key. A new commit to the Git repository invalidates the cache for all applications configured in the repository.
+This can negatively affect repositories with multiple applications. You can use [webhooks](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/webhook.md) and the `argocd.argoproj.io/manifest-generate-paths` Application CRD annotation to solve this problem and improve performance.
 
-The `argocd.argoproj.io/manifest-generate-paths` contains a semicolon-separated list of paths within the Git repository that are used during manifest generation. The webhook compares paths specified in the annotation
-with the changed files specified in the webhook payload. If non of the changed files are located in the paths then webhook don't trigger application reconciliation and re-uses previously generated manifests cache for a new commit.
+The `argocd.argoproj.io/manifest-generate-paths` annotation contains a semicolon-separated list of paths within the Git repository that are used during manifest generation. The webhook compares paths specified in the annotation with the changed files specified in the webhook payload. If no modified files match the paths specified in `argocd.argoproj.io/manifest-generate-paths`, then the webhook will not trigger application reconciliation and the existing cache will be considered valid for the new commit.
 
-Installations that use a different repo for each app are **not** subject to this behavior and will likely get no benefit from using these annotations.
+Installations that use a different repository for each application are **not** subject to this behavior and will likely get no benefit from using these annotations.
 
 !!! note
-    Application manifest paths annotation support depends on the git provider used for the Application. It is currently only supported for GitHub, GitLab, and Gogs based repos
-I'm using `.Second()` modifier to avoid distracting users who already rely on `--app-resync` flag.
+    Application manifest paths annotation support depends on the git provider used for the Application. It is currently only supported for GitHub, GitLab, and Gogs based repos.
 
-* **Relative path** The annotation might contains relative path. In this case the path is considered relative to the path specified in the application source:
+* **Relative path** The annotation might contain a relative path. In this case the path is considered relative to the path specified in the application source:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -157,7 +154,8 @@ spec:
     path: guestbook
 # ...
 ```
-* **Absolute path** The annotation value might be an absolute path started from '/'. In this case path is considered as an absolute path within the Git repository:
+
+* **Absolute path** The annotation value might be an absolute path starting with '/'. In this case path is considered as an absolute path within the Git repository:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1

docs/operator-manual/metrics.md

@@ -9,7 +9,7 @@ Metrics about applications. Scraped at the `argocd-metrics:8082/metrics` endpoin
 |--------|:----:|-------------|
 | `argocd_app_info` | gauge | Information about Applications. It contains labels such as `sync_status` and `health_status` that reflect the application state in ArgoCD. |
 | `argocd_app_k8s_request_total` | counter | Number of kubernetes requests executed during application reconciliation |
-| `argocd_app_labels` | gauge | Argo Application labels converted to Prometheus labels. Disabled by default. See section bellow about how to enable it. |
+| `argocd_app_labels` | gauge | Argo Application labels converted to Prometheus labels. Disabled by default. See section below about how to enable it. |
 | `argocd_app_reconcile` | histogram | Application reconciliation performance. |
 | `argocd_app_sync_total` | counter | Counter for application sync history |
 | `argocd_cluster_api_resource_objects` | gauge | Number of k8s resource objects in the cache. |
@@ -41,7 +41,7 @@ Some examples are:
 As the Application labels are specific to each company, this feature is disabled by default. To enable it, add the
 `--metrics-application-labels` flag to the ArgoCD application controller.
 
-The example bellow will expose the ArgoCD Application labels `team-name` and `business-unit` to Prometheus:
+The example below will expose the ArgoCD Application labels `team-name` and `business-unit` to Prometheus:
 
     containers:
     - command:

docs/operator-manual/notifications/troubleshooting-commands.md

@@ -1,9 +1,9 @@
-## notifications template get
+## argocd admin notifications template get
 
 Prints information about configured templates
 
 ```
-notifications template get [flags]
+argocd admin notifications template get [flags]
 ```
 
 ### Examples
@@ -11,9 +11,9 @@ notifications template get [flags]
 ```
 
 # prints all templates
-notifications template get
+argocd admin notifications template get
 # print YAML formatted app-sync-succeeded template definition
-notifications template get app-sync-succeeded -o=yaml
+argocd admin notifications template get app-sync-succeeded -o=yaml
 
 ```
 
@@ -53,12 +53,12 @@ notifications template get app-sync-succeeded -o=yaml
       --username string                 Username for basic authentication to the API server
 ```
 
-## notifications template notify
+## argocd admin notifications template notify
 
 Generates notification using the specified template and send it to specified recipients
 
 ```
-notifications template notify NAME RESOURCE_NAME [flags]
+argocd admin notifications template notify NAME RESOURCE_NAME [flags]
 ```
 
 ### Examples
@@ -66,10 +66,10 @@ notifications template notify NAME RESOURCE_NAME [flags]
 ```
 
 # Trigger notification using in-cluster config map and secret
-notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
+argocd admin notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
 
 # Render notification render generated notification in console
-notifications template notify app-sync-succeeded guestbook
+argocd admin notifications template notify app-sync-succeeded guestbook
 
 ```
 
@@ -109,12 +109,12 @@ notifications template notify app-sync-succeeded guestbook
       --username string                 Username for basic authentication to the API server
 ```
 
-## notifications trigger get
+## argocd admin notifications trigger get
 
 Prints information about configured triggers
 
 ```
-notifications trigger get [flags]
+argocd admin notifications trigger get [flags]
 ```
 
 ### Examples
@@ -122,9 +122,9 @@ notifications trigger get [flags]
 ```
 
 # prints all triggers
-notifications trigger get
+argocd admin notifications trigger get
 # print YAML formatted on-sync-failed trigger definition
-notifications trigger get on-sync-failed -o=yaml
+argocd admin notifications trigger get on-sync-failed -o=yaml
 
 ```
 
@@ -164,12 +164,12 @@ notifications trigger get on-sync-failed -o=yaml
       --username string                 Username for basic authentication to the API server
 ```
 
-## notifications trigger run
+## argocd admin notifications trigger run
 
 Evaluates specified trigger condition and prints the result
 
 ```
-notifications trigger run NAME RESOURCE_NAME [flags]
+argocd admin notifications trigger run NAME RESOURCE_NAME [flags]
 ```
 
 ### Examples
@@ -177,10 +177,10 @@ notifications trigger run NAME RESOURCE_NAME [flags]
 ```
 
 # Execute trigger configured in 'argocd-notification-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml
 
 # Execute trigger using my-config-map.yaml instead of 'argocd-notifications-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml \
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml \
     --config-map ./my-config-map.yaml
 ```
 

docs/operator-manual/notifications/troubleshooting.md

@@ -1,6 +1,6 @@
 ## Troubleshooting
 
-The `argocd-notifications` binary includes a set of CLI commands that helps to configure the controller
+The `argocd admin notifications` is a CLI command group that helps to configure the controller
 settings and troubleshoot issues.
 
 ## Global flags
@@ -17,15 +17,15 @@ Additionally, you can specify `:empty` value to use empty secret with no notific
 * Get list of triggers configured in the local config map:
 
 ```bash
-argocd-notifications trigger get \
-  --config-map ./argocd-notifications-cm.yaml --secret :empty
+argocd admin notifications trigger get \
+  --config-map ./argocd admin notifications-cm.yaml --secret :empty
 ```
 
 * Trigger notification using in-cluster config map and secret:
 
 ```bash
-argocd-notifications template notify \
-  app-sync-succeeded guestbook --recipient slack:argocd-notifications
+argocd admin notifications template notify \
+  app-sync-succeeded guestbook --recipient slack:argocd admin notifications
 ```
 
 ## Kustomize
@@ -44,18 +44,18 @@ kustomize build ./argocd-notifications | \
 
 ### On your laptop
 
-You can download `argocd-notifications` from the github [release](https://github.com/argoproj-labs/argocd-notifications/releases)
+You can download the `argocd` CLI from the github [release](https://github.com/argoproj/argo-cd/releases)
 attachments.
 
-The binary is available in `argoprojlabs/argocd-notifications` image. Use the `docker run` and volume mount
+The binary is available in `argoproj/argo-cd` image. Use the `docker run` and volume mount
 to execute binary on any platform. 
 
 **Example:**
 
 ```bash
 docker run --rm -it -w /src -v $(pwd):/src \
-  argoprojlabs/argocd-notifications:<version> \
-  /app/argocd-notifications trigger get \
+  argoproj/argo-cd:<version> \
+  /app/argocd admin notifications trigger get \
   --config-map ./argocd-notifications-cm.yaml --secret :empty
 ```
 
@@ -67,7 +67,7 @@ configuration.
 **Example**
 ```bash
 kubectl exec -it argocd-notifications-controller-<pod-hash> \
-  /app/argocd-notifications trigger get
+  /app/argocd admin notifications trigger get
 ```
 
 ## Commands

docs/operator-manual/rbac.md

@@ -46,7 +46,7 @@ subresources of an application.
 #### The `action` action
 
 The `action` action corresponds to either built-in resource customizations defined
-[in the Argo CD repository](https://github.com/argoproj/argo-cd/search?q=filename%3Aaction.lua+path%3Aresource_customizations),
+[in the Argo CD repository](https://github.com/argoproj/argo-cd/tree/master/resource_customizations),
 or to [custom resource actions](resource_actions.md#custom-resource-actions) defined by you.
 The `action` path is of the form `action/<api-group>/<Kind>/<action-name>`. For
 example, a resource customization path
@@ -86,6 +86,10 @@ configures a custom role, named `org-admin`. The role is assigned to any user wh
 `your-github-org:your-team` group. All other users get the default policy of `role:readonly`,
 which cannot modify Argo CD settings.
 
+!!! warning
+    All authenticated users get _at least_ the permissions granted by the default policy. This access cannot be blocked 
+    by a `deny` rule. Instead, restrict the default policy and then grant permissions to individual roles as needed.
+
 *ArgoCD ConfigMap `argocd-rbac-cm` Example:*
 
 ```yaml

docs/operator-manual/signed-release-assets.md

@@ -0,0 +1,32 @@
+# Verification of Argo CD signatures
+
+All Argo CD container images are signed by cosign. Checksums are created for the CLI binaries and then signed to ensure integrity.
+
+## Prerequisites
+- Cosign [installation instructions](https://docs.sigstore.dev/cosign/installation)
+- Obtain or have a copy of the [public key](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) ```argocd-cosign.pub```
+
+Once you have installed cosign, you can use [argocd-cosign.pub](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) to verify the signed assets or container images.
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
+JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
+-----END PUBLIC KEY-----
+```
+## Verification of container images
+
+```bash
+cosign verify --key argocd-cosign.pub  quay.io/argoproj/argocd:latest
+
+Verification for quay.io/argoproj/argocd:latest --
+The following checks were performed on each of these signatures:
+  * The cosign claims were validated
+  * The signatures were verified against the specified public key
+...
+```
+## Verification of signed assets
+
+```bash
+cosign verify-blob --key cosign.pub --signature $(cat argocd-$VERSION-checksums.sig) argocd-$VERSION-checksums.txt
+Verified OK
+```

docs/operator-manual/upgrading/2.4-2.5.md

@@ -112,7 +112,7 @@ The bundled Kustomize version has been upgraded from 4.4.1 to 4.5.7.
 
 ## Upgraded Helm Version
 
-Note that bundled Helm version has been upgraded from 3.9.0 to 3.10.0.
+Note that bundled Helm version has been upgraded from 3.9.0 to 3.10.1.
 
 ## Upgraded HAProxy version
 

docs/operator-manual/upgrading/overview.md

@@ -37,6 +37,7 @@ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/<v
 
 <hr/>
 
+* [v2.4 to v2.5](./2.4-2.5.md)
 * [v2.3 to v2.4](./2.3-2.4.md)
 * [v2.2 to v2.3](./2.2-2.3.md)
 * [v2.1 to v2.2](./2.1-2.2.md)

docs/proposals/config-management-plugin-v2.md

@@ -168,7 +168,6 @@ spec:
     check:
     - command: [-f ./main.ts]
       glob: "main.ts"
-  allowConcurrency: true # enables generating multiple manifests in parallel. 
 ```
 
 #### Config Management Plugin API Server (cmp-server)
@@ -320,6 +319,5 @@ spec:
     check:
     - command: [-f ./main.ts]
       glob: "main.ts"
-  allowConcurrency: true # enables generating multiple manifests in parallel. 
 ```
 2. Something magically patches the relevant manifest to add the sidecar.

docs/requirements.txt

@@ -1,5 +1,5 @@
 mkdocs==1.2.3
-mkdocs-material==7.1.7
+mkdocs-material==7.1.8
 markdown_include==0.6.0
 pygments==2.7.4
 jinja2==3.0.3

docs/user-guide/build-environment.md

@@ -2,14 +2,16 @@
 
 [Custom tools](config-management-plugins.md), [Helm](helm.md), [Jsonnet](jsonnet.md), and [Kustomize](kustomize.md) support the following build env vars:
 
-* `ARGOCD_APP_NAME` - name of application
-* `ARGOCD_APP_NAMESPACE` - destination application namespace.
-* `ARGOCD_APP_REVISION` - the resolved revision, e.g. `f913b6cbf58aa5ae5ca1f8a2b149477aebcbd9d8`
-* `ARGOCD_APP_SOURCE_PATH` - the path of the app within the repo
-* `ARGOCD_APP_SOURCE_REPO_URL` the repo's URL
-* `ARGOCD_APP_SOURCE_TARGET_REVISION` - the target revision from the spec, e.g. `master`.
-* `KUBE_VERSION` - the version of kubernetes
-* `KUBE_API_VERSIONS` = the version of kubernetes API
+| Variable                            | Description                                                             |
+| ----------------------------------- | ----------------------------------------------------------------------- |
+| `ARGOCD_APP_NAME`                   | The name of the application.                                            |
+| `ARGOCD_APP_NAMESPACE`              | The destination namespace of the application.                           |
+| `ARGOCD_APP_REVISION`               | The resolved revision, e.g. `f913b6cbf58aa5ae5ca1f8a2b149477aebcbd9d8`. |
+| `ARGOCD_APP_SOURCE_PATH`            | The path of the app within the source repo.                             |
+| `ARGOCD_APP_SOURCE_REPO_URL`        | The source repo URL.                                                    |
+| `ARGOCD_APP_SOURCE_TARGET_REVISION` | The target revision from the spec, e.g. `master`.                       |
+| `KUBE_VERSION`                      | The version of Kubernetes.                                              |
+| `KUBE_API_VERSIONS`                 | The version of the Kubernetes API.                                      |
 
 In case you don't want a variable to be interpolated, `$` can be escaped via `$$`.
 

docs/user-guide/commands/argocd_admin_notifications_template_get.md

@@ -11,9 +11,9 @@ argocd admin notifications template get [flags]
 ```
 
 # prints all templates
-notifications template get
+argocd admin notifications template get
 # print YAML formatted app-sync-succeeded template definition
-notifications template get app-sync-succeeded -o=yaml
+argocd admin notifications template get app-sync-succeeded -o=yaml
 
 ```
 

docs/user-guide/commands/argocd_admin_notifications_template_notify.md

@@ -11,10 +11,10 @@ argocd admin notifications template notify NAME RESOURCE_NAME [flags]
 ```
 
 # Trigger notification using in-cluster config map and secret
-notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
+argocd admin notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
 
 # Render notification render generated notification in console
-notifications template notify app-sync-succeeded guestbook
+argocd admin notifications template notify app-sync-succeeded guestbook
 
 ```
 

docs/user-guide/commands/argocd_admin_notifications_trigger_get.md

@@ -11,9 +11,9 @@ argocd admin notifications trigger get [flags]
 ```
 
 # prints all triggers
-notifications trigger get
+argocd admin notifications trigger get
 # print YAML formatted on-sync-failed trigger definition
-notifications trigger get on-sync-failed -o=yaml
+argocd admin notifications trigger get on-sync-failed -o=yaml
 
 ```
 

docs/user-guide/commands/argocd_admin_notifications_trigger_run.md

@@ -11,10 +11,10 @@ argocd admin notifications trigger run NAME RESOURCE_NAME [flags]
 ```
 
 # Execute trigger configured in 'argocd-notification-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml
 
 # Execute trigger using my-config-map.yaml instead of 'argocd-notifications-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml \
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml \
     --config-map ./my-config-map.yaml
 ```
 

docs/user-guide/config-management-plugins.md

@@ -63,6 +63,10 @@ metadata:
   name: cmp-plugin
 spec:
   version: v1.0
+  init:
+    # Init always happens immediately before generate, but its output is not treated as manifests.
+    # This is a good place to, for example, download chart dependencies.
+    command: [sh, -c, 'echo "Initializing..."']
   generate:
     command: [sh, -c, 'echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"Foo\": \"$FOO\", \"KubeVersion\": \"$KUBE_VERSION\", \"KubeApiVersion\": \"$KUBE_API_VERSIONS\",\"Bar\": \"baz\"}}}"']
   discover:
@@ -94,6 +98,11 @@ Argo CD expects the plugin configuration file to be located at `/home/argocd/cmp
 
 If you use a custom image for the sidecar, you can add the file directly to that image.
 
+```dockerfile
+WORKDIR /home/argocd/cmp-server/config/
+COPY plugin.yaml ./
+```
+
 If you use a stock image for the sidecar or would rather maintain the plugin configuration in a ConfigMap, just nest the
 plugin config file in a ConfigMap under the `plugin.yaml` key.
 
@@ -110,6 +119,8 @@ data:
       name: cmp-plugin
     spec:
       version: v1.0
+      init:
+        command: [sh, -c, 'echo "Initializing..."']
       generate:
         command: [sh, -c, 'echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"Foo\": \"$FOO\", \"KubeVersion\": \"$KUBE_VERSION\", \"KubeApiVersion\": \"$KUBE_API_VERSIONS\",\"Bar\": \"baz\"}}}"']
       discover:
@@ -230,12 +241,29 @@ If you don't need to set any environment variables, you can set an empty plugin
     Each CMP command will also independently timeout on the `ARGOCD_EXEC_TIMEOUT` set for the CMP sidecar. The default
     is 90s. So if you increase the repo server timeout greater than 90s, be sure to set `ARGOCD_EXEC_TIMEOUT` on the
     sidecar.
+    
+!!! note
+    Each Application can only have one config management plugin configured at a time. If you're converting an existing
+    plugin configured through the `argocd-cm` ConfigMap to a sidecar, make sure the discovery mechanism only returns
+    true for Applications that have had their `name` field in the `plugin` section of their spec removed.
+
+## Debugging a CMP
+
+If you are actively developing a sidecar-installed CMP, keep a few things in mind:
+
+1) If you are mounting plugin.yaml from a ConfigMap, you will have to restart the repo-server Pod so the plugin will
+   pick up the changes.
+2) If you have baked plugin.yaml into your image, you will have to build, push, and force a re-pull of that image on the
+   repo-server Pod so the plugin will pick up the changes. If you are using `:latest`, the Pod will always pull the new
+   image. If you're using a different, static tag, set `imagePullPolicy: Always` on the CMP's sidecar container.
+3) CMP errors are cached by the repo-server in Redis. Restarting the repo-server Pod will not clear the cache. Always
+   do a "Hard Refresh" when actively developing a CMP so you have the latest output.
 
 ## Plugin tar stream exclusions
 
 In order to increase the speed of manifest generation, certain files and folders can be excluded from being sent to your
-plugin. We recommend excluding your `.git` folder if it isn't necessary. Use Go's 
-[filepatch.Match](https://pkg.go.dev/path/filepath#Match) syntax.
+plugin. We recommend excluding your `.git` folder if it isn't necessary. Use Go's
+[filepatch.Match](https://pkg.go.dev/path/filepath#Match) syntax. For example, `.git/*` to exclude `.git` folder.
 
 You can set it one of three ways:
 

docs/user-guide/diffing.md

@@ -81,7 +81,7 @@ data:
     - '.webhooks[]?.clientConfig.caBundle'
 ```
 
-Resource customization can also be configured to ignore all differences made by a managedField.manager at the system level. The example bellow shows how to configure Argo CD to ignore changes made by `kube-controller-manager` in `Deployment` resources.
+Resource customization can also be configured to ignore all differences made by a managedField.manager at the system level. The example below shows how to configure Argo CD to ignore changes made by `kube-controller-manager` in `Deployment` resources.
 
 ```yaml
 data:
@@ -90,7 +90,7 @@ data:
     - kube-controller-manager
 ```
 
-It is possible to configure ignoreDifferences to be applied to all resources in every Application managed by an Argo CD instance. In order to do so, resource customizations can be configured like in the example bellow:
+It is possible to configure ignoreDifferences to be applied to all resources in every Application managed by an Argo CD instance. In order to do so, resource customizations can be configured like in the example below:
 
 ```yaml
 data:

docs/user-guide/directory.md

@@ -0,0 +1,129 @@
+# Directory
+
+A directory-type application loads plain manifest files from `.yml`, `.yaml`, and `.json` files. A directory-type
+application may be created from the UI, CLI, or declaratively. This is the declarative syntax:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: guestbook
+spec:
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: guestbook
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+```
+
+It's unnecessary to explicitly add the `spec.source.directory` field except to add additional configuration options.
+Argo CD will automatically detect that the source repository/path contains plain manifest files.
+
+## Enabling Recursive Resource Detection
+
+By default, directory applications will only include the files from the root of the configured repository/path.
+
+To enable recursive resource detection, set the `recurse` option.
+
+```bash
+argocd app set guestbook --directory-recurse
+```
+
+To do the same thing declaratively, use this syntax:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  source:
+    directory:
+      recurse: true
+```
+
+## Including/Excluding Files
+
+### Including Only Certain Files
+
+To include only certain files/directories in a directory application, set the `include` option. The value is a glob
+pattern.
+
+For example, if you want to include only `.yaml` files, you can use this pattern:
+
+```shell
+argocd app set guestbook --directory-include "*.yaml"
+```
+
+!!! note
+    It is important to quote `*.yaml` so that the shell does not expand the pattern before sending it to Argo CD.
+
+It is also possible to include multiple patterns. Wrap the patterns with `{}` and separate them with commas. To include
+`.yml` and `.yaml` files, use this pattern:
+
+```shell
+argocd app set guestbook --directory-include "{*.yml,*.yaml}"
+```
+
+To include only a certain directory, use a pattern like this:
+
+```shell
+argocd app set guestbook --directory-include "some-directory/*"
+```
+
+To accomplish the same thing declaratively, use this syntax:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  source:
+    directory:
+      include: 'some-directory/*'
+```
+
+### Excluding Certain Files
+
+It is possible to exclude files matching a pattern from directory applications. For example, in a repository containing
+some manifests and also a non-manifest YAML file, you could exclude the config file like this:
+
+```shell
+argocd app set guestbook --directory-exclude "config.yaml"
+```
+
+It is possible to exclude more than one pattern. For example, a config file and an irrelevant directory:
+
+```shell
+argocd app set guestbook --directory-exclude "{config.yaml,env-use2/*}"
+```
+
+If both `include` and `exclude` are specified, then the Application will include all files which match the `include`
+pattern and do not match the `exclude` pattern. For example, consider this source repository:
+
+```
+config.json
+deployment.yaml
+env-use2/
+  configmap.yaml
+env-usw2/
+  configmap.yaml
+```
+
+To exclude `config.json` and the `env-usw2` directory, you could use this combination of patterns:
+
+```shell
+argocd app set guestbook --directory-include "*.yaml" --directory-exclude "{config.json,env-usw2/*}"
+```
+
+This would be the declarative syntax:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  source:
+    directory:
+      exclude: '{config.json,env-usw2/*}'
+      include: '*.yaml'
+```

docs/user-guide/import.md

@@ -0,0 +1,55 @@
+# Importing Argo CD go packages 
+
+## Issue 
+
+When importing Argo CD packages in your own projects, you may face some errors when downloading the dependencies, such as "unknown revision v0.0.0". This is because Argo CD directly depends on some Kubernetes packages which have these unknown v0.0.0 versions in their go.mod.
+
+## Solution
+
+Add a replace section in your own go.mod as same as the replace section of the corresponding Argo CD version's go.mod. In order to find the go.mod for a specific version, navigate to the [Argo CD repository](https://github.com/argoproj/argo-cd/) and click on the switch branches/tags dropdown to select the version you are looking for. Now you can view the go.mod file for a specific version along with all other files.
+
+## Example
+
+If you are using Argo CD v2.4.15, your go.mod should contain the following:
+
+```
+replace (
+    // https://github.com/golang/go/issues/33546#issuecomment-519656923
+    github.com/go-check/check => github.com/go-check/check v0.0.0-20180628173108-788fd7840127
+
+    github.com/golang/protobuf => github.com/golang/protobuf v1.4.2
+    github.com/gorilla/websocket => github.com/gorilla/websocket v1.4.2
+    github.com/grpc-ecosystem/grpc-gateway => github.com/grpc-ecosystem/grpc-gateway v1.16.0
+    github.com/improbable-eng/grpc-web => github.com/improbable-eng/grpc-web v0.0.0-20181111100011-16092bd1d58a
+
+    // Avoid CVE-2022-28948
+    gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
+
+    // https://github.com/kubernetes/kubernetes/issues/79384#issuecomment-505627280
+    k8s.io/api => k8s.io/api v0.23.1
+    k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.23.1
+    k8s.io/apimachinery => k8s.io/apimachinery v0.23.1
+    k8s.io/apiserver => k8s.io/apiserver v0.23.1
+    k8s.io/cli-runtime => k8s.io/cli-runtime v0.23.1
+    k8s.io/client-go => k8s.io/client-go v0.23.1
+    k8s.io/cloud-provider => k8s.io/cloud-provider v0.23.1
+    k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.23.1
+    k8s.io/code-generator => k8s.io/code-generator v0.23.1
+    k8s.io/component-base => k8s.io/component-base v0.23.1
+    k8s.io/component-helpers => k8s.io/component-helpers v0.23.1
+    k8s.io/controller-manager => k8s.io/controller-manager v0.23.1
+    k8s.io/cri-api => k8s.io/cri-api v0.23.1
+    k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.23.1
+    k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.23.1
+    k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.23.1
+    k8s.io/kube-proxy => k8s.io/kube-proxy v0.23.1
+    k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.23.1
+    k8s.io/kubectl => k8s.io/kubectl v0.23.1
+    k8s.io/kubelet => k8s.io/kubelet v0.23.1
+    k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.23.1
+    k8s.io/metrics => k8s.io/metrics v0.23.1
+    k8s.io/mount-utils => k8s.io/mount-utils v0.23.1
+    k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.23.1
+    k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.23.1
+)
+```

docs/user-guide/private-repositories.md

@@ -34,11 +34,6 @@ or UI:
 
 1. Click `Connect` to test the connection and have the repository added 
 
-> earlier than v1.2
-
-1. Navigate to `Settings/Repositories`
-1. Click `Connect Repo` button and enter HTTPS credentials
-
 ![connect repo](../assets/connect-repo.png)
 
 #### Access Token
@@ -109,14 +104,6 @@ Using the UI:
 !!!note 
     When your SSH repository is served from a non-standard port, you have to use `ssh://`-style URLs to specify your repository. The scp-style `git@yourgit.com:yourrepo` URLs do **not** support port specification, and will treat any port number as part of the repository's path.
 
-> earlier than v1.2
-
-The Argo CD UI don't support configuring SSH credentials. The SSH credentials can only be configured using the Argo CD CLI:
-
-```
-argocd repo add git@github.com:argoproj/argocd-example-apps.git --ssh-private-key-path ~/.ssh/id_rsa
-```
-
 ### GitHub App Credential
 
 Private repositories that are hosted on GitHub.com or GitHub Enterprise can be accessed using credentials from a GitHub Application. Consult the [GitHub documentation](https://docs.github.com/en/developers/apps/about-apps#about-github-apps) on how to create an application.
@@ -268,12 +255,6 @@ It is possible to add and remove TLS certificates using the ArgoCD web UI:
 You can also manage TLS certificates in a declarative, self-managed ArgoCD setup. All TLS certificates are stored in the ConfigMap object `argocd-tls-cert-cm`.
 Please refer to the [Operator Manual](../../operator-manual/declarative-setup/#repositories-using-self-signed-tls-certificates-or-are-signed-by-custom-ca) for more information.
 
-> Before v1.2
-
-We do not currently have first-class support for this. See [#1513](https://github.com/argoproj/argo-cd/issues/1513).
-
-As a work-around, you can customize your Argo CD image. See [#1344](https://github.com/argoproj/argo-cd/issues/1344#issuecomment-479811810)
-
 ## Unknown SSH Hosts
 
 If you are using a privately hosted Git service over SSH, then you have the following  options:
@@ -351,28 +332,7 @@ It is possible to add and remove SSH known hosts entries using the ArgoCD web UI
 
 ### Managing SSH known hosts data using declarative setup
 
-You can also manage SSH known hosts entries in a declarative, self-managed ArgoCD setup. All SSH public host keys are stored in the ConfigMap object `argocd-ssh-known-hosts-cm`. For more details, please refer to the [Operator Manual](../../operator-manual/declarative-setup/#ssh-known-host-public-keys)
-
-> Before v1.2
-
- 
-(1) You can customize the Argo CD Docker image by adding the host's SSH public key to `/etc/ssh/ssh_known_hosts`. Additional entries to this file can be generated using the `ssh-keyscan` utility (e.g. `ssh-keyscan your-private-git-server.com`. For more information see [example](https://github.com/argoproj/argo-cd/tree/master/examples/known-hosts) which demonstrates how `/etc/ssh/ssh_known_hosts` can be customized.
-
-!!! note
-    The `/etc/ssh/ssh_known_hosts` should include Git host on each Argo CD deployment as well as on a computer where `argocd repo add` is executed. After resolving issue
-    [#1514](https://github.com/argoproj/argo-cd/issues/1514) only `argocd-repo-server` deployment has to be customized.
-
-(1) Add repository using Argo CD CLI and `--insecure-ignore-host-key` flag:
-
-```bash
-argocd repo add git@github.com:argoproj/argocd-example-apps.git --ssh-private-key-path ~/.ssh/id_rsa --insecure-ignore-host-key 
-```
-
-!!! warning "Don't use in production"
-    The `--insecure-ignore-host-key` should not be used in production as this is subject to man-in-the-middle attacks. 
-
-!!! warning "This does not work for Kustomize remote bases or custom plugins"
-    For Kustomize support, see [#827](https://github.com/argoproj/argo-cd/issues/827).
+You can also manage SSH known hosts entries in a declarative, self-managed ArgoCD setup. All SSH public host keys are stored in the ConfigMap object `argocd-ssh-known-hosts-cm`. For more details, please refer to the [Operator Manual](../operator-manual/declarative-setup.md#ssh-known-host-public-keys).
 
 ## Git Submodules
 
@@ -380,5 +340,5 @@ Submodules are supported and will be picked up automatically. If the submodule r
 
 ## Declarative Configuration
 
-See [declarative setup](../../operator-manual/declarative-setup#repositories)
+See [declarative setup](../operator-manual/declarative-setup.md#repositories)
 

docs/user-guide/sync-options.md

@@ -25,12 +25,10 @@ The sync-status panel shows that pruning was skipped, and why:
 
 ![sync option no prune](../assets/sync-option-no-prune-sync-status.png)
 
-The app will be out of sync if ArgoCD expects a resource to be pruned. You may wish to use this along with [compare options](compare-options.md).
+The app will be out of sync if Argo CD expects a resource to be pruned. You may wish to use this along with [compare options](compare-options.md).
 
 ## Disable Kubectl Validation
 
->v1.2
-
 For a certain class of objects, it is necessary to `kubectl apply` them using the `--validate=false` flag. Examples of this are kubernetes types which uses `RawExtension`, such as [ServiceCatalog](https://github.com/kubernetes-incubator/service-catalog/blob/master/pkg/apis/servicecatalog/v1beta1/types.go#L497). You can do using this annotations:
 
 
@@ -44,13 +42,11 @@ If you want to exclude a whole class of objects globally, consider setting `reso
     
 ## Skip Dry Run for new custom resources types
 
->v1.6
-
 When syncing a custom resource which is not yet known to the cluster, there are generally two options:
 
-1) The CRD manifest is part of the same sync. Then ArgoCD will automatically skip the dry run, the CRD will be applied and the resource can be created.
+1) The CRD manifest is part of the same sync. Then Argo CD will automatically skip the dry run, the CRD will be applied and the resource can be created.
 2) In some cases the CRD is not part of the sync, but it could be created in another way, e.g. by a controller in the cluster. An example is [gatekeeper](https://github.com/open-policy-agent/gatekeeper),
-which creates CRDs in response to user defined `ConstraintTemplates`. ArgoCD cannot find the CRD in the sync and will fail with the error `the server could not find the requested resource`.
+which creates CRDs in response to user defined `ConstraintTemplates`. Argo CD cannot find the CRD in the sync and will fail with the error `the server could not find the requested resource`.
 
 To skip the dry run for missing resource types, use the following annotation:
 
@@ -64,7 +60,7 @@ The dry run will still be executed if the CRD is already present in the cluster.
 
 ## Selective Sync
 
-Currently when syncing using auto sync ArgoCD applies every object in the application. 
+Currently when syncing using auto sync Argo CD applies every object in the application. 
 For applications containing thousands of objects this takes quite a long time and puts undue pressure on the api server.
 Turning on selective sync option which will sync only out-of-sync resources. 
 
@@ -129,7 +125,7 @@ metadata:
 
 ## Replace Resource Instead Of Applying Changes
 
-By default, ArgoCD executes `kubectl apply` operation to apply the configuration stored in Git. In some cases
+By default, Argo CD executes `kubectl apply` operation to apply the configuration stored in Git. In some cases
 `kubectl apply` is not suitable. For example, resource spec might be too big and won't fit into
 `kubectl.kubernetes.io/last-applied-configuration` annotation that is added by `kubectl apply`. In such cases you
 might use `Replace=true` sync option:
@@ -144,7 +140,7 @@ spec:
     - Replace=true
 ```
 
-If the `Replace=true` sync option is set the ArgoCD will use `kubectl replace` or `kubectl create` command to apply changes.
+If the `Replace=true` sync option is set the Argo CD will use `kubectl replace` or `kubectl create` command to apply changes.
 
 This can also be configured at individual resource level.
 ```yaml
@@ -155,10 +151,25 @@ metadata:
 
 ## Server-Side Apply
 
-By default, ArgoCD executes `kubectl apply` operation to apply the configuration stored in Git. This is a client
-side operation that relies on `kubectl.kubernetes.io/last-applied-configuration` annotation to store the previous
-resource state. In some cases the resource is too big to fit in 262144 bytes allowed annotation size. In this case
-server-side apply can be used to avoid this issue as the annotation is not used in this case.
+This option enables Kubernetes
+[Server-Side Apply](https://kubernetes.io/docs/reference/using-api/server-side-apply/).
+
+By default, Argo CD executes `kubectl apply` operation to apply the configuration stored in Git.
+This is a client side operation that relies on `kubectl.kubernetes.io/last-applied-configuration`
+annotation to store the previous resource state.
+
+However, there are some cases where you want to use `kubectl apply --server-side` over `kubectl apply`:
+
+- Resource is too big to fit in 262144 bytes allowed annotation size. In this case
+  server-side apply can be used to avoid this issue as the annotation is not used in this case.
+- Patching of existing resources on the cluster that are not fully managed by Argo CD.
+- Use a more declarative approach, which tracks a user's field management, rather than a user's last
+  applied state.
+
+If `ServerSideApply=true` sync option is set, Argo CD will use `kubectl apply --server-side`
+command to apply changes.
+
+It can be enabled at the application level like in the example below:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -169,20 +180,50 @@ spec:
     - ServerSideApply=true
 ```
 
-If the `ServerSideApply=true` sync option is set the ArgoCD will use `kubectl apply --server-side` command to apply changes.
+To enable ServerSideApply just for an individual resource, the sync-option annotation
+can be used:
 
-This can also be configured at individual resource level.
 ```yaml
 metadata:
   annotations:
     argocd.argoproj.io/sync-options: ServerSideApply=true
 ```
 
+ServerSideApply can also be used to patch existing resources by providing a partial
+yaml. For example, if there is a requirement to update just the number of replicas
+in a given Deployment, the following yaml can be provided to Argo CD:
+
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-deployment
+spec:
+  replicas: 3
+```
+
+Note that by the Deployment schema specification, this isn't a valid manifest. In this
+case an additional sync option *must* be provided to skip schema validation. The example
+below shows how to configure the application to enable the two necessary sync options:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  syncPolicy:
+    syncOptions:
+    - ServerSideApply=true
+    - Validate=false
+```
+
+In this case, Argo CD will use `kubectl apply --server-side --validate=false` command
+to apply changes.
+
 Note: [`Replace=true`](#replace-resource-instead-of-applying-changes) takes precedence over `ServerSideApply=true`.
 
 ## Fail the sync if a shared resource is found
 
-By default, ArgoCD will apply all manifests found in the git path configured in the Application regardless if the resources defined in the yamls are already applied by another Application. If the `FailOnSharedResource` sync option is set, ArgoCD will fail the sync whenever it finds a resource in the current Application that is already applied in the cluster by another Application.
+By default, Argo CD will apply all manifests found in the git path configured in the Application regardless if the resources defined in the yamls are already applied by another Application. If the `FailOnSharedResource` sync option is set, Argo CD will fail the sync whenever it finds a resource in the current Application that is already applied in the cluster by another Application.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -195,7 +236,7 @@ spec:
 
 ## Respect ignore difference configs
 
-This sync option is used to enable ArgoCD to consider the configurations made in the `spec.ignoreDifferences` attribute also during the sync stage. By default, ArgoCD uses the `ignoreDifferences` config just for computing the diff between the live and desired state which defines if the application is synced or not. However during the sync stage, the desired state is applied as-is. The patch is calculated using a 3-way-merge between the live state the desired state and the `last-applied-configuration` annotation. This sometimes leads to an undesired results. This behavior can be changed by setting the `RespectIgnoreDifferences=true` sync option like in the example bellow:
+This sync option is used to enable Argo CD to consider the configurations made in the `spec.ignoreDifferences` attribute also during the sync stage. By default, Argo CD uses the `ignoreDifferences` config just for computing the diff between the live and desired state which defines if the application is synced or not. However during the sync stage, the desired state is applied as-is. The patch is calculated using a 3-way-merge between the live state the desired state and the `last-applied-configuration` annotation. This sometimes leads to an undesired results. This behavior can be changed by setting the `RespectIgnoreDifferences=true` sync option like in the example below:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -213,7 +254,7 @@ spec:
     - RespectIgnoreDifferences=true
 ```
 
-The example above shows how an ArgoCD Application can be configured so it will ignore the `spec.replicas` field from the desired state (git) during the sync stage. This is achieve by calculating and pre-patching the desired state before applying it in the cluster. Note that the `RespectIgnoreDifferences` sync option is only effective when the resource is already created in the cluster. If the Application is being created and no live state exists, the desired state is applied as-is.
+The example above shows how an Argo CD Application can be configured so it will ignore the `spec.replicas` field from the desired state (git) during the sync stage. This is achieve by calculating and pre-patching the desired state before applying it in the cluster. Note that the `RespectIgnoreDifferences` sync option is only effective when the resource is already created in the cluster. If the Application is being created and no live state exists, the desired state is applied as-is.
 
 ## Create Namespace
 

docs/user-guide/tracking_strategies.md

@@ -20,6 +20,8 @@ For Helm, all versions are [Semantic Versions](https://semver.org/). As a result
 | Track minor releases (e.g. in QA) | Use a range | `1.*` or `>=1.0.0 <2.0.0` |
 | Use the latest (e.g. in local development) | Use star range |  `*` or `>=0.0.0` |
 
+**Note for OCI Helm repositories**: the only available strategy is "Pin to a version".
+
 [Read about version ranges](https://www.telerik.com/blogs/the-mystical-magical-semver-ranges-used-by-npm-bower)
 
 ## Git

hack/gen-catalog/main.go

@@ -150,18 +150,27 @@ func generateBuiltInTriggersDocs(out io.Writer, triggers map[string][]triggers.C
 }
 
 func generateCommandsDocs(out io.Writer) error {
-	toolsCmd := admin.NewNotificationsCommand()
-	for _, subCommand := range toolsCmd.Commands() {
-		for _, c := range subCommand.Commands() {
-			var cmdDesc bytes.Buffer
-			if err := doc.GenMarkdown(c, &cmdDesc); err != nil {
-				return err
-			}
-			for _, line := range strings.Split(cmdDesc.String(), "\n") {
-				if strings.HasPrefix(line, "### SEE ALSO") {
-					break
+    // create parents so that CommandPath() is correctly resolved
+	mainCmd := &cobra.Command{Use: "argocd"}
+	adminCmd := &cobra.Command{Use: "admin"}
+	toolCmd := admin.NewNotificationsCommand()
+	adminCmd.AddCommand(toolCmd)
+	mainCmd.AddCommand(adminCmd)
+	for _, mainSubCommand := range mainCmd.Commands() {
+		for _, adminSubCommand := range mainSubCommand.Commands() {
+			for _, toolSubCommand := range adminSubCommand.Commands() {
+				for _, c := range toolSubCommand.Commands() {
+					var cmdDesc bytes.Buffer
+					if err := doc.GenMarkdown(c, &cmdDesc); err != nil {
+						return err
+					}
+					for _, line := range strings.Split(cmdDesc.String(), "\n") {
+						if strings.HasPrefix(line, "### SEE ALSO") {
+							break
+						}
+						_, _ = fmt.Fprintf(out, "%s\n", line)
+					}
 				}
-				_, _ = fmt.Fprintf(out, "%s\n", line)
 			}
 		}
 	}

hack/gen-crd-spec/main.go

@@ -17,8 +17,9 @@ import (
 
 var (
 	kindToCRDPath = map[string]string{
-		application.ApplicationFullName: "manifests/crds/application-crd.yaml",
-		application.AppProjectFullName:  "manifests/crds/appproject-crd.yaml",
+		application.ApplicationFullName:    "manifests/crds/application-crd.yaml",
+		application.AppProjectFullName:     "manifests/crds/appproject-crd.yaml",
+		application.ApplicationSetFullName: "manifests/crds/applicationset-crd.yaml",
 	}
 )
 
@@ -54,7 +55,7 @@ func getCustomResourceDefinitions() map[string]*extensionsobj.CustomResourceDefi
 			removeValidation(un, "status")
 		}
 
-		crd := toCRD(un)
+		crd := toCRD(un, un.GetName() == "applicationsets.argoproj.io")
 		crd.Labels = map[string]string{
 			"app.kubernetes.io/name":    crd.Name,
 			"app.kubernetes.io/part-of": "argocd",
@@ -81,7 +82,10 @@ func removeValidation(un *unstructured.Unstructured, path string) {
 	unstructured.RemoveNestedField(un.Object, schemaPath...)
 }
 
-func toCRD(un *unstructured.Unstructured) *extensionsobj.CustomResourceDefinition {
+func toCRD(un *unstructured.Unstructured, removeDesc bool) *extensionsobj.CustomResourceDefinition {
+	if removeDesc {
+		removeDescription(un.Object)
+	}
 	unBytes, err := json.Marshal(un)
 	checkErr(err)
 
@@ -92,6 +96,25 @@ func toCRD(un *unstructured.Unstructured) *extensionsobj.CustomResourceDefinitio
 	return &crd
 }
 
+func removeDescription(v interface{}) {
+	switch v := v.(type) {
+	case []interface{}:
+		for _, v := range v {
+			removeDescription(v)
+		}
+	case map[string]interface{}:
+		if _, ok := v["description"]; ok {
+			_, ok := v["description"].(string)
+			if ok {
+				delete(v, "description")
+			}
+		}
+		for _, v := range v {
+			removeDescription(v)
+		}
+	}
+}
+
 func checkErr(err error) {
 	if err != nil {
 		panic(err)

hack/generate-release-notes.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+
+if [ "$1" == "" ] || [ "$2" == "" ] || [ "$3" == "" ]; then
+cat <<-EOM
+USAGE:
+
+  generate-release-notes.sh NEW_REF OLD_REF NEW_VERSION
+
+EXAMPLES:
+
+  # For releasing a new minor version:
+  generate-release-notes.sh release-2.5 release-2.4 v2.5.0-rc1 > /tmp/release.md
+
+  # For a patch release:
+  generate-release-notes.sh release-2.4 v2.4.13 v2.4.14 > /tmp/release.md
+EOM
+exit 1
+fi
+
+function to_list_items() {
+  sed 's/^/- /'
+}
+
+function strip_last_word() {
+  sed 's/ [^ ]*$//'
+}
+
+function nonempty_line_count() {
+  sed '/^\s*$/d' | wc -l | tr -d ' \n'
+}
+
+function only_last_word() {
+  awk 'NF>1{print $NF}'
+}
+
+new_ref=$1
+old_ref=$2
+version=$3
+
+cat <<-EOM
+## Quick Start
+
+### Non-HA:
+
+\`\`\`shell
+kubectl create namespace argocd
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/$version/manifests/install.yaml
+\`\`\`
+
+### HA:
+
+\`\`\`shell
+kubectl create namespace argocd
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/$version/manifests/ha/install.yaml
+\`\`\`
+
+## Release signatures
+
+All Argo CD container images and CLI binaries are signed by cosign. See the [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets.md/) on how to verify the signatures.
+\`\`\`shell
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
+JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
+-----END PUBLIC KEY-----
+\`\`\`
+
+## Upgrading
+
+If upgrading from a different minor version, be sure to read the [upgrading](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) documentation.
+
+EOM
+
+# Adapted from https://stackoverflow.com/a/67029088/684776
+less_log=$(git log --pretty="format:%s %ae" --cherry-pick --left-only --no-merges "$new_ref...$old_ref")
+more_log=$(git log --pretty="format:%s %ae" "$new_ref..$old_ref")
+
+new_commits=$(diff --new-line-format="" --unchanged-line-format="" <(echo "$less_log") <(echo "$more_log") | grep -v "Merge pull request from GHSA")
+new_commits_no_email=$(echo "$new_commits" | strip_last_word)
+
+contributors_num=$(echo "$new_commits" | only_last_word | sort -u | nonempty_line_count)
+
+new_commits_num=$(echo "$new_commits" | nonempty_line_count)
+features_num=$(echo "$new_commits_no_email" | grep '^feat' | nonempty_line_count)
+fixes_num=$(echo "$new_commits_no_email" | grep '^fix' | nonempty_line_count)
+
+previous_contributors=$(git log --pretty="format:%an %ae" "$old_ref" | sort -uf)
+all_contributors=$(git log --pretty="format:%an %ae" "$new_ref" | sort -uf)
+new_contributors=$(diff --new-line-format="" --unchanged-line-format="" <(echo "$all_contributors") <(echo "$previous_contributors"))
+new_contributors_num=$(echo "$new_contributors" | only_last_word | nonempty_line_count)  # Count contributors by email
+new_contributors_names=$(echo "$new_contributors" | strip_last_word | to_list_items)
+
+new_contributors_message=""
+if [ "$new_contributors_num" -gt 0 ]; then
+  new_contributors_message=" ($new_contributors_num of them new)"
+fi
+
+echo "## Changes"
+echo
+echo "This release includes $new_commits_num contributions from $contributors_num contributors$new_contributors_message with $features_num features and $fixes_num bug fixes."
+echo
+if [ "$new_contributors_num" -lt 20 ] && [ "$new_contributors_num" -gt 0 ]; then
+  echo "A special thanks goes to the $new_contributors_num new contributors:"
+  echo "$new_contributors_names"
+  echo
+fi

hack/installers/checksums/helm-v3.10.1-linux-amd64.tar.gz.sha256

@@ -0,0 +1 @@
+c12d2cd638f2d066fec123d0bd7f010f32c643afdf288d39a4610b1f9cb32af3  helm-v3.10.1-linux-amd64.tar.gz

hack/installers/checksums/helm-v3.10.1-linux-arm64.tar.gz.sha256

@@ -0,0 +1 @@
+d04b38d439ab8655abb4cb9ccc1efa8a3fe95f3f68af46d9137c6b7985491833  helm-v3.10.1-linux-arm64.tar.gz

hack/installers/checksums/helm-v3.10.1-linux-ppc64le.tar.gz.sha256

@@ -0,0 +1 @@
+855ab37613b393c68d50b4355273df2322f27db08b1deca8807bac80343a8a64  helm-v3.10.1-linux-ppc64le.tar.gz

hack/installers/checksums/helm-v3.10.1-linux-s390x.tar.gz.sha256

@@ -0,0 +1 @@
+e51220b4582a3cad4b45330c96e1b0408d33e25f90a9e66b06649903acf1bed1  helm-v3.10.1-linux-s390x.tar.gz

hack/tool-versions.sh

@@ -11,7 +11,7 @@
 # Use ./hack/installers/checksums/add-helm-checksums.sh and
 # add-kustomize-checksums.sh to help download checksums.
 ###############################################################################
-helm3_version=3.10.0
+helm3_version=3.10.1
 kubectl_version=1.17.8
 kubectx_version=0.6.3
 kustomize4_version=4.5.7

hack/trigger-release.sh

@@ -30,6 +30,7 @@ cleanup() {
 
 if test "${NEW_TAG}" = "" -o "${GIT_REMOTE}" = ""; then
 	echo "!! Usage: $0 <release tag> <remote> [path to release notes file]" >&2
+	echo "You can use generate-release-notes.sh to generate the release notes file." >&2
 	exit 1
 fi
 

manifests/base/dex/argocd-dex-server-deployment.yaml

@@ -37,7 +37,7 @@ spec:
             type: RuntimeDefault
       containers:
       - name: dex
-        image: ghcr.io/dexidp/dex:v2.35.1-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         command: [/shared/argocd-dex, rundex]
         env:

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v2.5.3
 resources:
 - ./application-controller
 - ./dex

manifests/base/redis/argocd-redis-network-policy.yaml

@@ -10,26 +10,22 @@ spec:
   - Ingress
   - Egress
   ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-repo-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-application-controller
-      ports:
-        - protocol: TCP
-          port: 6379
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - protocol: TCP
+      port: 6379
   egress:
-    - to:
-      - namespaceSelector: {}
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP 
-    
-      
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP

manifests/core-install.yaml

@@ -336,8 +336,8 @@ spec:
                           and is only valid for applications sourced from Git.
                         type: string
                       plugin:
-                        description: ConfigManagementPlugin holds config management
-                          plugin specific options
+                        description: Plugin holds config management plugin specific
+                          options
                         properties:
                           env:
                             description: Env is a list of environment variable entries
@@ -682,8 +682,7 @@ spec:
                       and is only valid for applications sourced from Git.
                     type: string
                   plugin:
-                    description: ConfigManagementPlugin holds config management plugin
-                      specific options
+                    description: Plugin holds config management plugin specific options
                     properties:
                       env:
                         description: Env is a list of environment variable entries
@@ -1038,8 +1037,8 @@ spec:
                             and is only valid for applications sourced from Git.
                           type: string
                         plugin:
-                          description: ConfigManagementPlugin holds config management
-                            plugin specific options
+                          description: Plugin holds config management plugin specific
+                            options
                           properties:
                             env:
                               description: Env is a list of environment variable entries
@@ -1410,8 +1409,8 @@ spec:
                                   from Git.
                                 type: string
                               plugin:
-                                description: ConfigManagementPlugin holds config management
-                                  plugin specific options
+                                description: Plugin holds config management plugin
+                                  specific options
                                 properties:
                                   env:
                                     description: Env is a list of environment variable
@@ -1754,8 +1753,8 @@ spec:
                               and is only valid for applications sourced from Git.
                             type: string
                           plugin:
-                            description: ConfigManagementPlugin holds config management
-                              plugin specific options
+                            description: Plugin holds config management plugin specific
+                              options
                             properties:
                               env:
                                 description: Env is a list of environment variable
@@ -1846,6 +1845,9 @@ spec:
                       description: SyncStatusCode is a type which represents possible
                         comparison results
                       type: string
+                    syncWave:
+                      format: int64
+                      type: integer
                     version:
                       type: string
                   type: object
@@ -2092,8 +2094,8 @@ spec:
                               and is only valid for applications sourced from Git.
                             type: string
                           plugin:
-                            description: ConfigManagementPlugin holds config management
-                              plugin specific options
+                            description: Plugin holds config management plugin specific
+                              options
                             properties:
                               env:
                                 description: Env is a list of environment variable
@@ -2159,6 +2161,7 @@ kind: CustomResourceDefinition
 metadata:
   labels:
     app.kubernetes.io/name: applicationsets.argoproj.io
+    app.kubernetes.io/part-of: argocd
   name: applicationsets.argoproj.io
 spec:
   group: argoproj.io
@@ -9632,7 +9635,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -9890,7 +9893,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -9941,7 +9944,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -10148,7 +10151,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -10236,8 +10239,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - namespaceSelector: {}
   ingress:
   - from:
     - podSelector:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v2.5.3

manifests/crds/application-crd.yaml

@@ -335,8 +335,8 @@ spec:
                           and is only valid for applications sourced from Git.
                         type: string
                       plugin:
-                        description: ConfigManagementPlugin holds config management
-                          plugin specific options
+                        description: Plugin holds config management plugin specific
+                          options
                         properties:
                           env:
                             description: Env is a list of environment variable entries
@@ -681,8 +681,7 @@ spec:
                       and is only valid for applications sourced from Git.
                     type: string
                   plugin:
-                    description: ConfigManagementPlugin holds config management plugin
-                      specific options
+                    description: Plugin holds config management plugin specific options
                     properties:
                       env:
                         description: Env is a list of environment variable entries
@@ -1037,8 +1036,8 @@ spec:
                             and is only valid for applications sourced from Git.
                           type: string
                         plugin:
-                          description: ConfigManagementPlugin holds config management
-                            plugin specific options
+                          description: Plugin holds config management plugin specific
+                            options
                           properties:
                             env:
                               description: Env is a list of environment variable entries
@@ -1409,8 +1408,8 @@ spec:
                                   from Git.
                                 type: string
                               plugin:
-                                description: ConfigManagementPlugin holds config management
-                                  plugin specific options
+                                description: Plugin holds config management plugin
+                                  specific options
                                 properties:
                                   env:
                                     description: Env is a list of environment variable
@@ -1753,8 +1752,8 @@ spec:
                               and is only valid for applications sourced from Git.
                             type: string
                           plugin:
-                            description: ConfigManagementPlugin holds config management
-                              plugin specific options
+                            description: Plugin holds config management plugin specific
+                              options
                             properties:
                               env:
                                 description: Env is a list of environment variable
@@ -1845,6 +1844,9 @@ spec:
                       description: SyncStatusCode is a type which represents possible
                         comparison results
                       type: string
+                    syncWave:
+                      format: int64
+                      type: integer
                     version:
                       type: string
                   type: object
@@ -2091,8 +2093,8 @@ spec:
                               and is only valid for applications sourced from Git.
                             type: string
                           plugin:
-                            description: ConfigManagementPlugin holds config management
-                              plugin specific options
+                            description: Plugin holds config management plugin specific
+                              options
                             properties:
                               env:
                                 description: Env is a list of environment variable

manifests/crds/applicationset-crd.yaml

@@ -3,6 +3,7 @@ kind: CustomResourceDefinition
 metadata:
   labels:
     app.kubernetes.io/name: applicationsets.argoproj.io
+    app.kubernetes.io/part-of: argocd
   name: applicationsets.argoproj.io
 spec:
   group: argoproj.io

manifests/ha/base/kustomization.yaml

@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: latest
+  newTag: v2.5.3
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml

@@ -10,35 +10,33 @@ spec:
   - Ingress
   - Egress
   ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-repo-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-application-controller
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
   egress:
-    - to:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
-    - to:
-      - namespaceSelector: {}
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
+  - to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP

manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml

@@ -10,32 +10,30 @@ spec:
   - Ingress
   - Egress
   ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha-haproxy
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha-haproxy
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
   egress:
-    - to:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
-    - to:
-      - namespaceSelector: {}
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
+  - to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP

manifests/ha/base/redis-ha/chart/requirements.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: redis-ha
   repository: https://dandydeveloper.github.io/charts
-  version: 4.17.8
-digest: sha256:24b66a7cd8e6ec23502173bd643bfaa66cf0d062df0361370226754e0cedda12
-generated: "2022-08-12T00:12:34.042365707-07:00"
+  version: 4.22.3
+digest: sha256:ae773caf65b172bdd2216072c03ba76ef3c0383dbd1e2478934a67b9455f6a2e
+generated: "2022-11-02T16:57:25.047025473-07:00"

manifests/ha/base/redis-ha/chart/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
 - name: redis-ha
-  version: 4.17.8
+  version: 4.22.3
   repository: https://dandydeveloper.github.io/charts

manifests/ha/base/redis-ha/chart/upstream.yaml

@@ -9,7 +9,7 @@ metadata:
   labels:
     heritage: Helm
     release: argocd
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
     app: argocd-redis-ha
 ---
 # Source: redis-ha/charts/redis-ha/templates/redis-haproxy-serviceaccount.yaml
@@ -21,7 +21,7 @@ metadata:
   labels:
     heritage: Helm
     release: argocd
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
     app: argocd-redis-ha
 ---
 # Source: redis-ha/charts/redis-ha/templates/redis-ha-configmap.yaml
@@ -33,7 +33,7 @@ metadata:
   labels:
     heritage: Helm
     release: argocd
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
     app: argocd-redis-ha
 data:
   redis.conf: |
@@ -41,7 +41,6 @@ data:
     port 6379
     rename-command FLUSHDB ""
     rename-command FLUSHALL ""
-    bind 0.0.0.0
     maxmemory 0
     maxmemory-policy volatile-lru
     min-replicas-max-lag 5
@@ -54,7 +53,6 @@ data:
   sentinel.conf: |
     dir "/data"
     port 26379
-    bind 0.0.0.0
         sentinel down-after-milliseconds argocd 10000
         sentinel failover-timeout argocd 180000
         maxclients 10000
@@ -176,11 +174,11 @@ data:
             echo "Getting redis master ip.."
             echo "  blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
             DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
-            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             if [ -z "${DEFAULT_MASTER}" ]; then
                 echo "Error: Unable to resolve redis master (getent hosts)."
                 exit 1
             fi
+            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             echo "Setting default slave config for redis and sentinel.."
             echo "  using master ip (${DEFAULT_MASTER})"
             redis_update "${DEFAULT_MASTER}"
@@ -277,11 +275,7 @@ data:
     getent_hosts() {
         index=${1:-${INDEX}}
         service="${SERVICE}-announce-${index}"
-        pod="${SERVICE}-server-${index}"
         host=$(getent hosts "${service}")
-        if [ -z "${host}" ]; then
-            host=$(getent hosts "${pod}")
-        fi
         echo "${host}"
     }
 
@@ -443,11 +437,11 @@ data:
             echo "Getting redis master ip.."
             echo "  blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
             DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
-            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             if [ -z "${DEFAULT_MASTER}" ]; then
                 echo "Error: Unable to resolve redis master (getent hosts)."
                 exit 1
             fi
+            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             echo "Setting default slave config for redis and sentinel.."
             echo "  using master ip (${DEFAULT_MASTER})"
             redis_update "${DEFAULT_MASTER}"
@@ -544,11 +538,7 @@ data:
     getent_hosts() {
         index=${1:-${INDEX}}
         service="${SERVICE}-announce-${index}"
-        pod="${SERVICE}-server-${index}"
         host=$(getent hosts "${service}")
-        if [ -z "${host}" ]; then
-            host=$(getent hosts "${pod}")
-        fi
         echo "${host}"
     }
 
@@ -593,18 +583,24 @@ data:
 
     identify_announce_ip
 
+    while [ -z "${ANNOUNCE_IP}" ]; do
+        echo "Error: Could not resolve the announce ip for this pod."
+        sleep 30
+        identify_announce_ip
+    done
+
     while true; do
         sleep 60
 
         # where is redis master
         identify_master
 
-        if [ "$MASTER" == "$ANNOUNCE_IP" ]; then
+        if [ "$MASTER" = "$ANNOUNCE_IP" ]; then
             redis_role
             if [ "$ROLE" != "master" ]; then
                 reinit
             fi
-        else
+        elif [ "${MASTER}" ]; then
             identify_redis_master
             if [ "$REDIS_MASTER" != "$MASTER" ]; then
                 reinit
@@ -622,7 +618,7 @@ data:
       timeout check 2s
 
     listen health_check_http_url
-      bind [::]:8888 v4v6
+      bind [::]:8888  v4v6
       mode http
       monitor-uri /healthz
       option      dontlognull
@@ -636,7 +632,6 @@ data:
       tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
       tcp-check expect string REPLACE_ANNOUNCE0
       tcp-check send QUIT\r\n
-      tcp-check expect string +OK
       server R0 argocd-redis-ha-announce-0:26379 check inter 3s
       server R1 argocd-redis-ha-announce-1:26379 check inter 3s
       server R2 argocd-redis-ha-announce-2:26379 check inter 3s
@@ -650,7 +645,6 @@ data:
       tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
       tcp-check expect string REPLACE_ANNOUNCE1
       tcp-check send QUIT\r\n
-      tcp-check expect string +OK
       server R0 argocd-redis-ha-announce-0:26379 check inter 3s
       server R1 argocd-redis-ha-announce-1:26379 check inter 3s
       server R2 argocd-redis-ha-announce-2:26379 check inter 3s
@@ -664,7 +658,6 @@ data:
       tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
       tcp-check expect string REPLACE_ANNOUNCE2
       tcp-check send QUIT\r\n
-      tcp-check expect string +OK
       server R0 argocd-redis-ha-announce-0:26379 check inter 3s
       server R1 argocd-redis-ha-announce-1:26379 check inter 3s
       server R2 argocd-redis-ha-announce-2:26379 check inter 3s
@@ -764,7 +757,7 @@ metadata:
   labels:
     heritage: Helm
     release: argocd
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
     app: argocd-redis-ha
 data:
   redis_liveness.sh: |
@@ -814,7 +807,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
 rules:
 - apiGroups:
     - ""
@@ -833,7 +826,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
     component: argocd-redis-ha-haproxy
 rules:
 - apiGroups:
@@ -853,7 +846,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
 subjects:
 - kind: ServiceAccount
   name: argocd-redis-ha
@@ -872,7 +865,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
     component: argocd-redis-ha-haproxy
 subjects:
 - kind: ServiceAccount
@@ -892,7 +885,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
   annotations:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
@@ -922,7 +915,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
   annotations:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
@@ -952,7 +945,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
   annotations:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
@@ -982,7 +975,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
   annotations:
 spec:
   type: ClusterIP
@@ -1010,7 +1003,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
     component: argocd-redis-ha-haproxy
   annotations:
 spec:
@@ -1034,7 +1027,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
 spec:
   strategy:
     type: RollingUpdate
@@ -1052,11 +1045,15 @@ spec:
         release: argocd
         revision: "1"
       annotations:
-        checksum/config: 33967cee643b636d6e9a66e82b7f85814ceb8c55fba7a1d8af439ef056934e5c
+        checksum/config: 1f7a9ffcacb3871ceb9b0741c0714e3f7fa656d426a398c1f727fffb01073f35
     spec:
       # Needed when using unmodified rbac-setup.yml
       
       serviceAccountName: argocd-redis-ha-haproxy
+      securityContext: 
+        fsGroup: 99
+        runAsNonRoot: true
+        runAsUser: 99
       nodeSelector:
         {}
       tolerations:
@@ -1080,20 +1077,20 @@ spec:
         - sh
         args:
         - /readonly/haproxy_init.sh
+        securityContext: 
+          null
         volumeMounts:
         - name: config-volume
           mountPath: /readonly
           readOnly: true
         - name: data
           mountPath: /data
-      securityContext:
-        fsGroup: 1000
-        runAsNonRoot: true
-        runAsUser: 1000
       containers:
       - name: haproxy
         image: haproxy:2.6.2-alpine
         imagePullPolicy: IfNotPresent
+        securityContext: 
+          null
         livenessProbe:
           httpGet:
             path: /healthz
@@ -1140,7 +1137,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.17.8
+    chart: redis-ha-4.22.3
   annotations:
     {}
 spec:
@@ -1156,7 +1153,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: 226aec192d2f29b5355769c9f1fbf093bf36c3a1e15b574b71fb8fe73fd37c05
+        checksum/init-config: 84ccf6a9b8a7fa3ae5b62a8f17d6c65a5197e9605da9b2761179bf942828eefe
       labels:
         release: argocd
         app: redis-ha
@@ -1172,7 +1169,7 @@ spec:
                   release: argocd
                   argocd-redis-ha: replica
               topologyKey: kubernetes.io/hostname
-      securityContext:
+      securityContext: 
         fsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
@@ -1188,6 +1185,8 @@ spec:
         - sh
         args:
         - /readonly-config/init.sh
+        securityContext: 
+          null        
         env:
         - name: SENTINEL_ID_0
           value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
@@ -1211,6 +1210,8 @@ spec:
         - redis-server
         args:
         - /data/conf/redis.conf
+        securityContext: 
+          null
         livenessProbe:
           initialDelaySeconds: 30
           periodSeconds: 15
@@ -1259,6 +1260,8 @@ spec:
           - redis-sentinel
         args:
           - /data/conf/sentinel.conf
+        securityContext: 
+          null
         livenessProbe:
           initialDelaySeconds: 30
           periodSeconds: 15
@@ -1301,6 +1304,8 @@ spec:
           - sh
         args:
           - /readonly-config/fix-split-brain.sh
+        securityContext: 
+          null        
         env:
         - name: SENTINEL_ID_0
           value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6

manifests/ha/base/redis-ha/chart/values.yaml

@@ -5,16 +5,15 @@ redis-ha:
     masterGroupName: argocd
     config:
       save: "\"\""
-      bind: "0.0.0.0"
   haproxy:
     enabled: true
     image:
       tag: 2.6.2-alpine
+    containerSecurityContext: null
     timeout:
       server: 6m
       client: 6m
     checkInterval: 3s
   image:
     tag: 7.0.5-alpine
-  sentinel:
-    bind: "0.0.0.0"
+  containerSecurityContext: null

manifests/ha/base/redis-ha/overlays/statefulset-containers-securityContext.yaml

@@ -25,3 +25,12 @@
       - ALL
     seccompProfile:
       type: RuntimeDefault
+- op: add
+  path: /spec/template/spec/containers/2/securityContext
+  value:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    seccompProfile:
+      type: RuntimeDefault

manifests/ha/install.yaml

@@ -336,8 +336,8 @@ spec:
                           and is only valid for applications sourced from Git.
                         type: string
                       plugin:
-                        description: ConfigManagementPlugin holds config management
-                          plugin specific options
+                        description: Plugin holds config management plugin specific
+                          options
                         properties:
                           env:
                             description: Env is a list of environment variable entries
@@ -682,8 +682,7 @@ spec:
                       and is only valid for applications sourced from Git.
                     type: string
                   plugin:
-                    description: ConfigManagementPlugin holds config management plugin
-                      specific options
+                    description: Plugin holds config management plugin specific options
                     properties:
                       env:
                         description: Env is a list of environment variable entries
@@ -1038,8 +1037,8 @@ spec:
                             and is only valid for applications sourced from Git.
                           type: string
                         plugin:
-                          description: ConfigManagementPlugin holds config management
-                            plugin specific options
+                          description: Plugin holds config management plugin specific
+                            options
                           properties:
                             env:
                               description: Env is a list of environment variable entries
@@ -1410,8 +1409,8 @@ spec:
                                   from Git.
                                 type: string
                               plugin:
-                                description: ConfigManagementPlugin holds config management
-                                  plugin specific options
+                                description: Plugin holds config management plugin
+                                  specific options
                                 properties:
                                   env:
                                     description: Env is a list of environment variable
@@ -1754,8 +1753,8 @@ spec:
                               and is only valid for applications sourced from Git.
                             type: string
                           plugin:
-                            description: ConfigManagementPlugin holds config management
-                              plugin specific options
+                            description: Plugin holds config management plugin specific
+                              options
                             properties:
                               env:
                                 description: Env is a list of environment variable
@@ -1846,6 +1845,9 @@ spec:
                       description: SyncStatusCode is a type which represents possible
                         comparison results
                       type: string
+                    syncWave:
+                      format: int64
+                      type: integer
                     version:
                       type: string
                   type: object
@@ -2092,8 +2094,8 @@ spec:
                               and is only valid for applications sourced from Git.
                             type: string
                           plugin:
-                            description: ConfigManagementPlugin holds config management
-                              plugin specific options
+                            description: Plugin holds config management plugin specific
+                              options
                             properties:
                               env:
                                 description: Env is a list of environment variable
@@ -2159,6 +2161,7 @@ kind: CustomResourceDefinition
 metadata:
   labels:
     app.kubernetes.io/name: applicationsets.argoproj.io
+    app.kubernetes.io/part-of: argocd
   name: applicationsets.argoproj.io
 spec:
   group: argoproj.io
@@ -9908,11 +9911,11 @@ data:
             echo "Getting redis master ip.."
             echo "  blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
             DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
-            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             if [ -z "${DEFAULT_MASTER}" ]; then
                 echo "Error: Unable to resolve redis master (getent hosts)."
                 exit 1
             fi
+            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             echo "Setting default slave config for redis and sentinel.."
             echo "  using master ip (${DEFAULT_MASTER})"
             redis_update "${DEFAULT_MASTER}"
@@ -10009,11 +10012,7 @@ data:
     getent_hosts() {
         index=${1:-${INDEX}}
         service="${SERVICE}-announce-${index}"
-        pod="${SERVICE}-server-${index}"
         host=$(getent hosts "${service}")
-        if [ -z "${host}" ]; then
-            host=$(getent hosts "${pod}")
-        fi
         echo "${host}"
     }
 
@@ -10058,18 +10057,24 @@ data:
 
     identify_announce_ip
 
+    while [ -z "${ANNOUNCE_IP}" ]; do
+        echo "Error: Could not resolve the announce ip for this pod."
+        sleep 30
+        identify_announce_ip
+    done
+
     while true; do
         sleep 60
 
         # where is redis master
         identify_master
 
-        if [ "$MASTER" == "$ANNOUNCE_IP" ]; then
+        if [ "$MASTER" = "$ANNOUNCE_IP" ]; then
             redis_role
             if [ "$ROLE" != "master" ]; then
                 reinit
             fi
-        else
+        elif [ "${MASTER}" ]; then
             identify_redis_master
             if [ "$REDIS_MASTER" != "$MASTER" ]; then
                 reinit
@@ -10085,7 +10090,7 @@ data:
       timeout check 2s
 
     listen health_check_http_url
-      bind [::]:8888 v4v6
+      bind [::]:8888  v4v6
       mode http
       monitor-uri /healthz
       option      dontlognull
@@ -10099,7 +10104,6 @@ data:
       tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
       tcp-check expect string REPLACE_ANNOUNCE0
       tcp-check send QUIT\r\n
-      tcp-check expect string +OK
       server R0 argocd-redis-ha-announce-0:26379 check inter 3s
       server R1 argocd-redis-ha-announce-1:26379 check inter 3s
       server R2 argocd-redis-ha-announce-2:26379 check inter 3s
@@ -10113,7 +10117,6 @@ data:
       tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
       tcp-check expect string REPLACE_ANNOUNCE1
       tcp-check send QUIT\r\n
-      tcp-check expect string +OK
       server R0 argocd-redis-ha-announce-0:26379 check inter 3s
       server R1 argocd-redis-ha-announce-1:26379 check inter 3s
       server R2 argocd-redis-ha-announce-2:26379 check inter 3s
@@ -10127,7 +10130,6 @@ data:
       tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
       tcp-check expect string REPLACE_ANNOUNCE2
       tcp-check send QUIT\r\n
-      tcp-check expect string +OK
       server R0 argocd-redis-ha-announce-0:26379 check inter 3s
       server R1 argocd-redis-ha-announce-1:26379 check inter 3s
       server R2 argocd-redis-ha-announce-2:26379 check inter 3s
@@ -10303,11 +10305,11 @@ data:
             echo "Getting redis master ip.."
             echo "  blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
             DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
-            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             if [ -z "${DEFAULT_MASTER}" ]; then
                 echo "Error: Unable to resolve redis master (getent hosts)."
                 exit 1
             fi
+            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             echo "Setting default slave config for redis and sentinel.."
             echo "  using master ip (${DEFAULT_MASTER})"
             redis_update "${DEFAULT_MASTER}"
@@ -10404,11 +10406,7 @@ data:
     getent_hosts() {
         index=${1:-${INDEX}}
         service="${SERVICE}-announce-${index}"
-        pod="${SERVICE}-server-${index}"
         host=$(getent hosts "${service}")
-        if [ -z "${host}" ]; then
-            host=$(getent hosts "${pod}")
-        fi
         echo "${host}"
     }
 
@@ -10456,7 +10454,6 @@ data:
     port 6379
     rename-command FLUSHDB ""
     rename-command FLUSHALL ""
-    bind 0.0.0.0
     maxmemory 0
     maxmemory-policy volatile-lru
     min-replicas-max-lag 5
@@ -10468,7 +10465,6 @@ data:
   sentinel.conf: |
     dir "/data"
     port 26379
-    bind 0.0.0.0
         sentinel down-after-milliseconds argocd 10000
         sentinel failover-timeout argocd 180000
         maxclients 10000
@@ -10881,7 +10877,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -10962,7 +10958,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.1-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         name: dex
         ports:
@@ -10991,7 +10987,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -11044,7 +11040,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -11102,7 +11098,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 33967cee643b636d6e9a66e82b7f85814ceb8c55fba7a1d8af439ef056934e5c
+        checksum/config: 1f7a9ffcacb3871ceb9b0741c0714e3f7fa656d426a398c1f727fffb01073f35
       labels:
         app.kubernetes.io/name: argocd-redis-ha-haproxy
       name: argocd-redis-ha-haproxy
@@ -11168,9 +11164,9 @@ spec:
         - mountPath: /data
           name: data
       securityContext:
-        fsGroup: 1000
+        fsGroup: 99
         runAsNonRoot: true
-        runAsUser: 1000
+        runAsUser: 99
       serviceAccountName: argocd-redis-ha-haproxy
       volumes:
       - configMap:
@@ -11341,7 +11337,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -11392,7 +11388,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -11665,7 +11661,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -11900,7 +11896,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -11960,7 +11956,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: 226aec192d2f29b5355769c9f1fbf093bf36c3a1e15b574b71fb8fe73fd37c05
+        checksum/init-config: 84ccf6a9b8a7fa3ae5b62a8f17d6c65a5197e9605da9b2761179bf942828eefe
       labels:
         app.kubernetes.io/name: argocd-redis-ha
     spec:
@@ -12086,6 +12082,13 @@ spec:
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - mountPath: /readonly-config
           name: config
@@ -12237,8 +12240,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - namespaceSelector: {}
   ingress:
   - from:
     - podSelector:
@@ -12282,8 +12283,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - namespaceSelector: {}
   ingress:
   - from:
     - podSelector:

manifests/ha/namespace-install.yaml

@@ -577,11 +577,11 @@ data:
             echo "Getting redis master ip.."
             echo "  blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
             DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
-            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             if [ -z "${DEFAULT_MASTER}" ]; then
                 echo "Error: Unable to resolve redis master (getent hosts)."
                 exit 1
             fi
+            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             echo "Setting default slave config for redis and sentinel.."
             echo "  using master ip (${DEFAULT_MASTER})"
             redis_update "${DEFAULT_MASTER}"
@@ -678,11 +678,7 @@ data:
     getent_hosts() {
         index=${1:-${INDEX}}
         service="${SERVICE}-announce-${index}"
-        pod="${SERVICE}-server-${index}"
         host=$(getent hosts "${service}")
-        if [ -z "${host}" ]; then
-            host=$(getent hosts "${pod}")
-        fi
         echo "${host}"
     }
 
@@ -727,18 +723,24 @@ data:
 
     identify_announce_ip
 
+    while [ -z "${ANNOUNCE_IP}" ]; do
+        echo "Error: Could not resolve the announce ip for this pod."
+        sleep 30
+        identify_announce_ip
+    done
+
     while true; do
         sleep 60
 
         # where is redis master
         identify_master
 
-        if [ "$MASTER" == "$ANNOUNCE_IP" ]; then
+        if [ "$MASTER" = "$ANNOUNCE_IP" ]; then
             redis_role
             if [ "$ROLE" != "master" ]; then
                 reinit
             fi
-        else
+        elif [ "${MASTER}" ]; then
             identify_redis_master
             if [ "$REDIS_MASTER" != "$MASTER" ]; then
                 reinit
@@ -754,7 +756,7 @@ data:
       timeout check 2s
 
     listen health_check_http_url
-      bind [::]:8888 v4v6
+      bind [::]:8888  v4v6
       mode http
       monitor-uri /healthz
       option      dontlognull
@@ -768,7 +770,6 @@ data:
       tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
       tcp-check expect string REPLACE_ANNOUNCE0
       tcp-check send QUIT\r\n
-      tcp-check expect string +OK
       server R0 argocd-redis-ha-announce-0:26379 check inter 3s
       server R1 argocd-redis-ha-announce-1:26379 check inter 3s
       server R2 argocd-redis-ha-announce-2:26379 check inter 3s
@@ -782,7 +783,6 @@ data:
       tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
       tcp-check expect string REPLACE_ANNOUNCE1
       tcp-check send QUIT\r\n
-      tcp-check expect string +OK
       server R0 argocd-redis-ha-announce-0:26379 check inter 3s
       server R1 argocd-redis-ha-announce-1:26379 check inter 3s
       server R2 argocd-redis-ha-announce-2:26379 check inter 3s
@@ -796,7 +796,6 @@ data:
       tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
       tcp-check expect string REPLACE_ANNOUNCE2
       tcp-check send QUIT\r\n
-      tcp-check expect string +OK
       server R0 argocd-redis-ha-announce-0:26379 check inter 3s
       server R1 argocd-redis-ha-announce-1:26379 check inter 3s
       server R2 argocd-redis-ha-announce-2:26379 check inter 3s
@@ -972,11 +971,11 @@ data:
             echo "Getting redis master ip.."
             echo "  blindly assuming (${SERVICE}-announce-0) or (${SERVICE}-server-0) are master"
             DEFAULT_MASTER="$(getent_hosts 0 | awk '{ print $1 }')"
-            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             if [ -z "${DEFAULT_MASTER}" ]; then
                 echo "Error: Unable to resolve redis master (getent hosts)."
                 exit 1
             fi
+            echo "  identified redis (may be redis master) ip (${DEFAULT_MASTER})"
             echo "Setting default slave config for redis and sentinel.."
             echo "  using master ip (${DEFAULT_MASTER})"
             redis_update "${DEFAULT_MASTER}"
@@ -1073,11 +1072,7 @@ data:
     getent_hosts() {
         index=${1:-${INDEX}}
         service="${SERVICE}-announce-${index}"
-        pod="${SERVICE}-server-${index}"
         host=$(getent hosts "${service}")
-        if [ -z "${host}" ]; then
-            host=$(getent hosts "${pod}")
-        fi
         echo "${host}"
     }
 
@@ -1125,7 +1120,6 @@ data:
     port 6379
     rename-command FLUSHDB ""
     rename-command FLUSHALL ""
-    bind 0.0.0.0
     maxmemory 0
     maxmemory-policy volatile-lru
     min-replicas-max-lag 5
@@ -1137,7 +1131,6 @@ data:
   sentinel.conf: |
     dir "/data"
     port 26379
-    bind 0.0.0.0
         sentinel down-after-milliseconds argocd 10000
         sentinel failover-timeout argocd 180000
         maxclients 10000
@@ -1550,7 +1543,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1631,7 +1624,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.1-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         name: dex
         ports:
@@ -1660,7 +1653,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1713,7 +1706,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1771,7 +1764,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 33967cee643b636d6e9a66e82b7f85814ceb8c55fba7a1d8af439ef056934e5c
+        checksum/config: 1f7a9ffcacb3871ceb9b0741c0714e3f7fa656d426a398c1f727fffb01073f35
       labels:
         app.kubernetes.io/name: argocd-redis-ha-haproxy
       name: argocd-redis-ha-haproxy
@@ -1837,9 +1830,9 @@ spec:
         - mountPath: /data
           name: data
       securityContext:
-        fsGroup: 1000
+        fsGroup: 99
         runAsNonRoot: true
-        runAsUser: 1000
+        runAsUser: 99
       serviceAccountName: argocd-redis-ha-haproxy
       volumes:
       - configMap:
@@ -2010,7 +2003,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2061,7 +2054,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2334,7 +2327,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2569,7 +2562,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -2629,7 +2622,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: 226aec192d2f29b5355769c9f1fbf093bf36c3a1e15b574b71fb8fe73fd37c05
+        checksum/init-config: 84ccf6a9b8a7fa3ae5b62a8f17d6c65a5197e9605da9b2761179bf942828eefe
       labels:
         app.kubernetes.io/name: argocd-redis-ha
     spec:
@@ -2755,6 +2748,13 @@ spec:
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
         volumeMounts:
         - mountPath: /readonly-config
           name: config
@@ -2906,8 +2906,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - namespaceSelector: {}
   ingress:
   - from:
     - podSelector:
@@ -2951,8 +2949,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - namespaceSelector: {}
   ingress:
   - from:
     - podSelector:

manifests/install.yaml

@@ -336,8 +336,8 @@ spec:
                           and is only valid for applications sourced from Git.
                         type: string
                       plugin:
-                        description: ConfigManagementPlugin holds config management
-                          plugin specific options
+                        description: Plugin holds config management plugin specific
+                          options
                         properties:
                           env:
                             description: Env is a list of environment variable entries
@@ -682,8 +682,7 @@ spec:
                       and is only valid for applications sourced from Git.
                     type: string
                   plugin:
-                    description: ConfigManagementPlugin holds config management plugin
-                      specific options
+                    description: Plugin holds config management plugin specific options
                     properties:
                       env:
                         description: Env is a list of environment variable entries
@@ -1038,8 +1037,8 @@ spec:
                             and is only valid for applications sourced from Git.
                           type: string
                         plugin:
-                          description: ConfigManagementPlugin holds config management
-                            plugin specific options
+                          description: Plugin holds config management plugin specific
+                            options
                           properties:
                             env:
                               description: Env is a list of environment variable entries
@@ -1410,8 +1409,8 @@ spec:
                                   from Git.
                                 type: string
                               plugin:
-                                description: ConfigManagementPlugin holds config management
-                                  plugin specific options
+                                description: Plugin holds config management plugin
+                                  specific options
                                 properties:
                                   env:
                                     description: Env is a list of environment variable
@@ -1754,8 +1753,8 @@ spec:
                               and is only valid for applications sourced from Git.
                             type: string
                           plugin:
-                            description: ConfigManagementPlugin holds config management
-                              plugin specific options
+                            description: Plugin holds config management plugin specific
+                              options
                             properties:
                               env:
                                 description: Env is a list of environment variable
@@ -1846,6 +1845,9 @@ spec:
                       description: SyncStatusCode is a type which represents possible
                         comparison results
                       type: string
+                    syncWave:
+                      format: int64
+                      type: integer
                     version:
                       type: string
                   type: object
@@ -2092,8 +2094,8 @@ spec:
                               and is only valid for applications sourced from Git.
                             type: string
                           plugin:
-                            description: ConfigManagementPlugin holds config management
-                              plugin specific options
+                            description: Plugin holds config management plugin specific
+                              options
                             properties:
                               env:
                                 description: Env is a list of environment variable
@@ -2159,6 +2161,7 @@ kind: CustomResourceDefinition
 metadata:
   labels:
     app.kubernetes.io/name: applicationsets.argoproj.io
+    app.kubernetes.io/part-of: argocd
   name: applicationsets.argoproj.io
 spec:
   group: argoproj.io
@@ -9952,7 +9955,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -10033,7 +10036,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.1-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         name: dex
         ports:
@@ -10062,7 +10065,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -10115,7 +10118,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -10368,7 +10371,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -10419,7 +10422,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -10688,7 +10691,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -10921,7 +10924,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -11052,8 +11055,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - namespaceSelector: {}
   ingress:
   - from:
     - podSelector:

manifests/namespace-install.yaml

@@ -621,7 +621,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -702,7 +702,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.1-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         name: dex
         ports:
@@ -731,7 +731,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -784,7 +784,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1037,7 +1037,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1088,7 +1088,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1357,7 +1357,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1590,7 +1590,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:latest
+        image: quay.io/argoproj/argocd:v2.5.3
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -1721,8 +1721,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - namespaceSelector: {}
   ingress:
   - from:
     - podSelector:

mkdocs.yml

@@ -1,10 +1,11 @@
+extra:
+  analytics:
+    property: G-5Z1VTPDL73
+    provider: google
 extra_css:
 - assets/versions.css
 extra_javascript:
 - assets/versions.js
-google_analytics:
-- UA-105170809-2
-- auto
 markdown_extensions:
 - markdown_include.include
 - codehilite
@@ -35,6 +36,7 @@ nav:
   - Security:
     - Overview: operator-manual/security.md
     - snyk/index.md
+    - operator-manual/signed-release-assets.md
   - operator-manual/tls.md
   - operator-manual/cluster-bootstrapping.md
   - operator-manual/secret-management.md
@@ -55,9 +57,9 @@ nav:
     - operator-manual/notifications/catalog.md
     - operator-manual/notifications/monitoring.md
     - operator-manual/notifications/subscriptions.md
+    - operator-manual/notifications/troubleshooting.md
     - operator-manual/notifications/troubleshooting-commands.md
     - operator-manual/notifications/troubleshooting-errors.md
-    - operator-manual/notifications/troubleshooting.md
     - Notification Services:
       - operator-manual/notifications/services/alertmanager.md
       - operator-manual/notifications/services/email.md
@@ -123,7 +125,9 @@ nav:
   - user-guide/application_sources.md
   - user-guide/kustomize.md
   - user-guide/helm.md
+  - user-guide/import.md
   - user-guide/jsonnet.md
+  - user-guide/directory.md
   - user-guide/config-management-plugins.md
   - user-guide/tool_detection.md
   - user-guide/projects.md
@@ -155,6 +159,7 @@ nav:
   - developer-guide/index.md
   - Code Contribution Guide: developer-guide/code-contributions.md
   - Toolchain Guide: developer-guide/toolchain-guide.md
+  - developer-guide/contributors-quickstart.md
   - developer-guide/release-process-and-cadence.md
   - developer-guide/running-locally.md
   - developer-guide/debugging-remote-environment.md

pkg/apiclient/settings/settings.pb.go

@@ -84,24 +84,25 @@ type Settings struct {
 	GoogleAnalytics    *GoogleAnalyticsConfig                `protobuf:"bytes,7,opt,name=googleAnalytics,proto3" json:"googleAnalytics,omitempty"`
 	KustomizeOptions   *v1alpha1.KustomizeOptions            `protobuf:"bytes,8,opt,name=kustomizeOptions,proto3" json:"kustomizeOptions,omitempty"`
 	// Help settings
-	Help                    *Help                              `protobuf:"bytes,9,opt,name=help,proto3" json:"help,omitempty"`
-	Plugins                 []*Plugin                          `protobuf:"bytes,10,rep,name=plugins,proto3" json:"plugins,omitempty"`
-	UserLoginsDisabled      bool                               `protobuf:"varint,11,opt,name=userLoginsDisabled,proto3" json:"userLoginsDisabled,omitempty"`
-	ConfigManagementPlugins []*v1alpha1.ConfigManagementPlugin `protobuf:"bytes,12,rep,name=configManagementPlugins,proto3" json:"configManagementPlugins,omitempty"`
-	KustomizeVersions       []string                           `protobuf:"bytes,13,rep,name=kustomizeVersions,proto3" json:"kustomizeVersions,omitempty"`
-	UiCssURL                string                             `protobuf:"bytes,14,opt,name=uiCssURL,proto3" json:"uiCssURL,omitempty"`
-	UiBannerContent         string                             `protobuf:"bytes,15,opt,name=uiBannerContent,proto3" json:"uiBannerContent,omitempty"`
-	UiBannerURL             string                             `protobuf:"bytes,16,opt,name=uiBannerURL,proto3" json:"uiBannerURL,omitempty"`
-	PasswordPattern         string                             `protobuf:"bytes,17,opt,name=passwordPattern,proto3" json:"passwordPattern,omitempty"`
-	TrackingMethod          string                             `protobuf:"bytes,18,opt,name=trackingMethod,proto3" json:"trackingMethod,omitempty"`
-	UiBannerPermanent       bool                               `protobuf:"varint,19,opt,name=uiBannerPermanent,proto3" json:"uiBannerPermanent,omitempty"`
-	UiBannerPosition        string                             `protobuf:"bytes,20,opt,name=uiBannerPosition,proto3" json:"uiBannerPosition,omitempty"`
-	StatusBadgeRootUrl      string                             `protobuf:"bytes,21,opt,name=statusBadgeRootUrl,proto3" json:"statusBadgeRootUrl,omitempty"`
-	ExecEnabled             bool                               `protobuf:"varint,22,opt,name=execEnabled,proto3" json:"execEnabled,omitempty"`
-	ControllerNamespace     string                             `protobuf:"bytes,23,opt,name=controllerNamespace,proto3" json:"controllerNamespace,omitempty"`
-	XXX_NoUnkeyedLiteral    struct{}                           `json:"-"`
-	XXX_unrecognized        []byte                             `json:"-"`
-	XXX_sizecache           int32                              `json:"-"`
+	Help                      *Help                              `protobuf:"bytes,9,opt,name=help,proto3" json:"help,omitempty"`
+	Plugins                   []*Plugin                          `protobuf:"bytes,10,rep,name=plugins,proto3" json:"plugins,omitempty"`
+	UserLoginsDisabled        bool                               `protobuf:"varint,11,opt,name=userLoginsDisabled,proto3" json:"userLoginsDisabled,omitempty"`
+	ConfigManagementPlugins   []*v1alpha1.ConfigManagementPlugin `protobuf:"bytes,12,rep,name=configManagementPlugins,proto3" json:"configManagementPlugins,omitempty"`
+	KustomizeVersions         []string                           `protobuf:"bytes,13,rep,name=kustomizeVersions,proto3" json:"kustomizeVersions,omitempty"`
+	UiCssURL                  string                             `protobuf:"bytes,14,opt,name=uiCssURL,proto3" json:"uiCssURL,omitempty"`
+	UiBannerContent           string                             `protobuf:"bytes,15,opt,name=uiBannerContent,proto3" json:"uiBannerContent,omitempty"`
+	UiBannerURL               string                             `protobuf:"bytes,16,opt,name=uiBannerURL,proto3" json:"uiBannerURL,omitempty"`
+	PasswordPattern           string                             `protobuf:"bytes,17,opt,name=passwordPattern,proto3" json:"passwordPattern,omitempty"`
+	TrackingMethod            string                             `protobuf:"bytes,18,opt,name=trackingMethod,proto3" json:"trackingMethod,omitempty"`
+	UiBannerPermanent         bool                               `protobuf:"varint,19,opt,name=uiBannerPermanent,proto3" json:"uiBannerPermanent,omitempty"`
+	UiBannerPosition          string                             `protobuf:"bytes,20,opt,name=uiBannerPosition,proto3" json:"uiBannerPosition,omitempty"`
+	StatusBadgeRootUrl        string                             `protobuf:"bytes,21,opt,name=statusBadgeRootUrl,proto3" json:"statusBadgeRootUrl,omitempty"`
+	ExecEnabled               bool                               `protobuf:"varint,22,opt,name=execEnabled,proto3" json:"execEnabled,omitempty"`
+	ControllerNamespace       string                             `protobuf:"bytes,23,opt,name=controllerNamespace,proto3" json:"controllerNamespace,omitempty"`
+	AppsInAnyNamespaceEnabled bool                               `protobuf:"varint,24,opt,name=appsInAnyNamespaceEnabled,proto3" json:"appsInAnyNamespaceEnabled,omitempty"`
+	XXX_NoUnkeyedLiteral      struct{}                           `json:"-"`
+	XXX_unrecognized          []byte                             `json:"-"`
+	XXX_sizecache             int32                              `json:"-"`
 }
 
 func (m *Settings) Reset()         { *m = Settings{} }
@@ -298,6 +299,13 @@ func (m *Settings) GetControllerNamespace() string {
 	return ""
 }
 
+func (m *Settings) GetAppsInAnyNamespaceEnabled() bool {
+	if m != nil {
+		return m.AppsInAnyNamespaceEnabled
+	}
+	return false
+}
+
 type GoogleAnalyticsConfig struct {
 	TrackingID           string   `protobuf:"bytes,1,opt,name=trackingID,proto3" json:"trackingID,omitempty"`
 	AnonymizeUsers       bool     `protobuf:"varint,2,opt,name=anonymizeUsers,proto3" json:"anonymizeUsers,omitempty"`
@@ -675,78 +683,79 @@ func init() {
 func init() { proto.RegisterFile("server/settings/settings.proto", fileDescriptor_a480d494da040caa) }
 
 var fileDescriptor_a480d494da040caa = []byte{
-	// 1129 bytes of a gzipped FileDescriptorProto
+	// 1148 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
-	0x14, 0xd7, 0xd6, 0x69, 0x62, 0xbf, 0x34, 0x75, 0x32, 0x6d, 0xd3, 0xc5, 0x2a, 0x8e, 0xf1, 0xa1,
-	0x32, 0x08, 0xd6, 0x8d, 0x2b, 0x04, 0x42, 0xaa, 0x00, 0xdb, 0x55, 0x6b, 0xea, 0xb6, 0x61, 0xdb,
-	0xf4, 0x80, 0x84, 0xaa, 0xc9, 0xee, 0x63, 0xb3, 0x78, 0x3d, 0xb3, 0x9a, 0x99, 0x35, 0x75, 0x8f,
-	0xdc, 0xb8, 0x70, 0x81, 0x4f, 0xc3, 0x27, 0xe0, 0x88, 0xc4, 0x3d, 0x42, 0x16, 0x1f, 0x82, 0x23,
-	0x9a, 0xd9, 0x3f, 0xd9, 0xd8, 0xe6, 0x8f, 0xd4, 0xdb, 0xcc, 0xef, 0xf7, 0xfe, 0xcd, 0x9b, 0x37,
-	0xf3, 0x1e, 0x34, 0x25, 0x8a, 0x19, 0x8a, 0xae, 0x44, 0xa5, 0x42, 0x16, 0xc8, 0x62, 0xe1, 0xc4,
-	0x82, 0x2b, 0x4e, 0xb6, 0xbc, 0x28, 0x91, 0x0a, 0x45, 0xe3, 0x7a, 0xc0, 0x03, 0x6e, 0xb0, 0xae,
-	0x5e, 0xa5, 0x74, 0xe3, 0x56, 0xc0, 0x79, 0x10, 0x61, 0x97, 0xc6, 0x61, 0x97, 0x32, 0xc6, 0x15,
-	0x55, 0x21, 0x67, 0x99, 0x72, 0x63, 0x1c, 0x84, 0xea, 0x34, 0x39, 0x71, 0x3c, 0x3e, 0xed, 0x52,
-	0x61, 0xd4, 0xbf, 0x35, 0x8b, 0x0f, 0x3c, 0xbf, 0x3b, 0xeb, 0x75, 0xe3, 0x49, 0xa0, 0x35, 0x65,
-	0x97, 0xc6, 0x71, 0x14, 0x7a, 0x46, 0xb7, 0x3b, 0x3b, 0xa4, 0x51, 0x7c, 0x4a, 0x0f, 0xbb, 0x01,
-	0x32, 0x14, 0x54, 0xa1, 0x9f, 0x59, 0xfb, 0xec, 0x3f, 0xac, 0x2d, 0x9f, 0x84, 0x87, 0xbe, 0xd7,
-	0xf5, 0x22, 0x1a, 0x4e, 0xb3, 0x78, 0xda, 0x75, 0xd8, 0x79, 0x96, 0xb1, 0x5f, 0x26, 0x28, 0xe6,
-	0xed, 0xbf, 0x00, 0xaa, 0x39, 0x42, 0xde, 0x82, 0x4a, 0x22, 0x22, 0xdb, 0x6a, 0x59, 0x9d, 0x5a,
-	0x7f, 0x6b, 0x71, 0x76, 0x50, 0x39, 0x76, 0xc7, 0xae, 0xc6, 0xc8, 0x1d, 0xa8, 0xf9, 0xf8, 0x6a,
-	0xc0, 0xd9, 0x37, 0x61, 0x60, 0x5f, 0x6a, 0x59, 0x9d, 0xed, 0x1e, 0x71, 0xb2, 0xcc, 0x38, 0xc3,
-	0x9c, 0x71, 0xcf, 0x85, 0xc8, 0x00, 0x40, 0xfb, 0xcf, 0x54, 0x2a, 0x46, 0xe5, 0x5a, 0xa1, 0xf2,
-	0x74, 0x34, 0x1c, 0xa4, 0x54, 0xff, 0xea, 0xe2, 0xec, 0x00, 0xce, 0xf7, 0x6e, 0x49, 0x8d, 0xb4,
-	0x60, 0x9b, 0xc6, 0xf1, 0x98, 0x9e, 0x60, 0xf4, 0x08, 0xe7, 0xf6, 0x86, 0x8e, 0xcc, 0x2d, 0x43,
-	0xe4, 0x05, 0xec, 0x09, 0x94, 0x3c, 0x11, 0x1e, 0x3e, 0x9d, 0xa1, 0x10, 0xa1, 0x8f, 0xd2, 0xbe,
-	0xdc, 0xaa, 0x74, 0xb6, 0x7b, 0x9d, 0xc2, 0x5b, 0x7e, 0x42, 0xc7, 0x5d, 0x16, 0xbd, 0xcf, 0x94,
-	0x98, 0xbb, 0xab, 0x26, 0x88, 0x03, 0x44, 0x2a, 0xaa, 0x12, 0xd9, 0xa7, 0x7e, 0x80, 0xf7, 0x19,
-	0x3d, 0x89, 0xd0, 0xb7, 0x37, 0x5b, 0x56, 0xa7, 0xea, 0xae, 0x61, 0xc8, 0x43, 0xa8, 0xa7, 0x95,
-	0xf0, 0x39, 0xa3, 0xd1, 0x5c, 0x85, 0x9e, 0xb4, 0xb7, 0xcc, 0x99, 0x9b, 0x45, 0x14, 0x0f, 0x2e,
-	0xf2, 0xd9, 0x71, 0x97, 0xd5, 0xc8, 0x6b, 0xd8, 0x9d, 0x24, 0x52, 0xf1, 0x69, 0xf8, 0x1a, 0x9f,
-	0xc6, 0xa6, 0x9a, 0xec, 0xaa, 0x31, 0xf5, 0xc4, 0x39, 0x2f, 0x00, 0x27, 0x2f, 0x00, 0xb3, 0x78,
-	0xe9, 0xf9, 0xce, 0xac, 0xe7, 0xc4, 0x93, 0xc0, 0xd1, 0xe5, 0xe4, 0x94, 0xca, 0xc9, 0xc9, 0xcb,
-	0xc9, 0x79, 0xb4, 0x64, 0xd5, 0x5d, 0xf1, 0x43, 0xde, 0x81, 0x8d, 0x53, 0x8c, 0x62, 0xbb, 0x66,
-	0xfc, 0xed, 0x14, 0xa1, 0x3f, 0xc4, 0x28, 0x76, 0x0d, 0x45, 0xde, 0x85, 0xad, 0x38, 0x4a, 0x82,
-	0x90, 0x49, 0x1b, 0x4c, 0x9a, 0xeb, 0x85, 0xd4, 0x91, 0xc1, 0xdd, 0x9c, 0xd7, 0x39, 0x4c, 0x24,
-	0x8a, 0x31, 0xd7, 0xbb, 0x61, 0x28, 0xd3, 0x1c, 0x6e, 0xa7, 0x39, 0x5c, 0x65, 0xc8, 0x8f, 0x16,
-	0xdc, 0xf4, 0x4c, 0x56, 0x1e, 0x53, 0x46, 0x03, 0x9c, 0x22, 0x53, 0x47, 0x99, 0xaf, 0x2b, 0xc6,
-	0xd7, 0xf3, 0x37, 0xcb, 0xc0, 0x60, 0xad, 0x71, 0xf7, 0x9f, 0x9c, 0x92, 0xf7, 0x61, 0xaf, 0x48,
-	0xd1, 0x0b, 0x14, 0xd2, 0xdc, 0xc5, 0x4e, 0xab, 0xd2, 0xa9, 0xb9, 0xab, 0x04, 0x69, 0x40, 0x35,
-	0x09, 0x07, 0x52, 0x1e, 0xbb, 0x63, 0xfb, 0xaa, 0xa9, 0xd4, 0x62, 0x4f, 0x3a, 0x50, 0x4f, 0xc2,
-	0x3e, 0x65, 0x0c, 0xc5, 0x80, 0x33, 0x85, 0x4c, 0xd9, 0x75, 0x23, 0xb2, 0x0c, 0xeb, 0x92, 0xcf,
-	0x21, 0x6d, 0x68, 0x37, 0x2d, 0xf9, 0x12, 0xa4, 0x6d, 0xc5, 0x54, 0xca, 0xef, 0xb8, 0xf0, 0x8f,
-	0xa8, 0x52, 0x28, 0x98, 0xbd, 0x97, 0xda, 0x5a, 0x82, 0xc9, 0x6d, 0xb8, 0xaa, 0x04, 0xf5, 0x26,
-	0x21, 0x0b, 0x1e, 0xa3, 0x3a, 0xe5, 0xbe, 0x4d, 0x8c, 0xe0, 0x12, 0xaa, 0xcf, 0x99, 0x3b, 0x38,
-	0x42, 0x31, 0xa5, 0x4c, 0xc7, 0x77, 0xcd, 0xdc, 0xd3, 0x2a, 0x41, 0xde, 0x83, 0xdd, 0x02, 0xe4,
-	0x32, 0xd4, 0x29, 0xb6, 0xaf, 0x1b, 0xbb, 0x2b, 0xf8, 0xd2, 0x33, 0x72, 0x39, 0x57, 0xc7, 0x22,
-	0xb2, 0x6f, 0x18, 0xe9, 0x35, 0x8c, 0x3e, 0x3d, 0xbe, 0x42, 0x2f, 0x7f, 0x6f, 0xfb, 0x26, 0x86,
-	0x32, 0x44, 0xee, 0xc0, 0x35, 0x8f, 0x33, 0x25, 0x78, 0x14, 0xa1, 0x78, 0x42, 0xa7, 0x28, 0x63,
-	0xea, 0xa1, 0x7d, 0xd3, 0x98, 0x5c, 0x47, 0x35, 0x7e, 0xb6, 0x60, 0x7f, 0xfd, 0xc3, 0x27, 0xbb,
-	0x50, 0x99, 0xe0, 0x3c, 0xfd, 0xf1, 0x5c, 0xbd, 0x24, 0x3e, 0x5c, 0x9e, 0xd1, 0x28, 0xc1, 0xec,
-	0x93, 0x7b, 0xc3, 0x27, 0xb7, 0xec, 0xd6, 0x4d, 0x8d, 0x7f, 0x72, 0xe9, 0x63, 0xab, 0xfd, 0x12,
-	0x6e, 0xac, 0xfd, 0x11, 0x48, 0x13, 0x20, 0xbf, 0x9f, 0xd1, 0x30, 0x8b, 0xad, 0x84, 0xe8, 0x5b,
-	0xa5, 0x8c, 0xb3, 0xb9, 0x2e, 0xbe, 0x63, 0x89, 0x42, 0x9a, 0x58, 0xab, 0xee, 0x12, 0xda, 0xfe,
-	0xc5, 0x82, 0x0d, 0xfd, 0x70, 0x89, 0x0d, 0x5b, 0xde, 0x29, 0x35, 0x99, 0x4f, 0xad, 0xe5, 0x5b,
-	0x5d, 0xb2, 0x7a, 0xf9, 0x1c, 0x5f, 0x29, 0x63, 0xa4, 0xe6, 0x16, 0x7b, 0x72, 0x0f, 0xe0, 0x24,
-	0x64, 0x54, 0xcc, 0x8f, 0x45, 0x24, 0xed, 0x8a, 0x79, 0x7f, 0x6f, 0x5f, 0xf8, 0x11, 0x9c, 0x7e,
-	0xc1, 0xa7, 0xff, 0x68, 0x49, 0xa1, 0x71, 0x0f, 0xea, 0x4b, 0xf4, 0x9a, 0x6c, 0x5f, 0x2f, 0x67,
-	0xbb, 0x56, 0xce, 0xce, 0x2d, 0xd8, 0x4c, 0x5f, 0x21, 0x21, 0xb0, 0xc1, 0xe8, 0x14, 0x33, 0x35,
-	0xb3, 0x6e, 0x7f, 0x0a, 0xb5, 0xa2, 0xe9, 0x90, 0x1e, 0x80, 0xc7, 0x19, 0x43, 0x4f, 0x71, 0x21,
-	0x6d, 0xcb, 0x04, 0x7a, 0xde, 0x9c, 0x06, 0x39, 0xe5, 0x96, 0xa4, 0xda, 0x77, 0xa1, 0x56, 0x10,
-	0xeb, 0x3c, 0x68, 0x4c, 0xcd, 0xe3, 0x3c, 0x30, 0xb3, 0x6e, 0xff, 0x50, 0x81, 0x52, 0xa3, 0x5a,
-	0xab, 0xb6, 0x0f, 0x9b, 0xa1, 0x94, 0x09, 0x8a, 0x4c, 0x31, 0xdb, 0x91, 0x0e, 0x54, 0xbd, 0x28,
-	0x44, 0xa6, 0x46, 0x43, 0xd3, 0x0b, 0x6b, 0xfd, 0x2b, 0x8b, 0xb3, 0x83, 0xea, 0x20, 0xc3, 0xdc,
-	0x82, 0x25, 0x87, 0xb0, 0xed, 0x45, 0x61, 0x4e, 0xa4, 0x2d, 0xaf, 0x5f, 0x5f, 0x9c, 0x1d, 0x6c,
-	0x0f, 0xc6, 0xa3, 0x42, 0xbe, 0x2c, 0xa3, 0x9d, 0x4a, 0x8f, 0xc7, 0x59, 0xe3, 0xab, 0xb9, 0xd9,
-	0x8e, 0xbc, 0x84, 0x9d, 0xd0, 0x7f, 0xce, 0x27, 0xc8, 0x06, 0x66, 0x08, 0xb0, 0x37, 0x4d, 0x6e,
-	0x6e, 0xaf, 0xe9, 0xc2, 0xce, 0xa8, 0x2c, 0x68, 0xae, 0xab, 0xbf, 0xb7, 0x38, 0x3b, 0xd8, 0x19,
-	0x0d, 0x4b, 0xb8, 0x7b, 0xd1, 0x5e, 0x63, 0x0e, 0x64, 0x55, 0x6f, 0xcd, 0x35, 0x3f, 0xbe, 0xf8,
-	0xa8, 0x3e, 0xfa, 0xd7, 0x47, 0x95, 0x4e, 0x31, 0x4e, 0x31, 0x86, 0xe9, 0x71, 0xc0, 0x31, 0xf6,
-	0x4b, 0xf5, 0xd1, 0xfb, 0x1a, 0xea, 0x79, 0x57, 0x7f, 0x86, 0x62, 0x16, 0x7a, 0x48, 0xbe, 0x80,
-	0xca, 0x03, 0x54, 0x64, 0x7f, 0xa5, 0xed, 0x9b, 0x51, 0xa7, 0xb1, 0xb7, 0x82, 0xb7, 0xed, 0xef,
-	0x7f, 0xff, 0xf3, 0xa7, 0x4b, 0x84, 0xec, 0x9a, 0xf1, 0x6d, 0x76, 0x58, 0x8c, 0x4e, 0xfd, 0xc1,
-	0xaf, 0x8b, 0xa6, 0xf5, 0xdb, 0xa2, 0x69, 0xfd, 0xb1, 0x68, 0x5a, 0x5f, 0x7d, 0xf8, 0xff, 0xc6,
-	0xb8, 0xf4, 0x0e, 0x0b, 0x23, 0x27, 0x9b, 0x66, 0xe8, 0xba, 0xfb, 0x77, 0x00, 0x00, 0x00, 0xff,
-	0xff, 0x2a, 0xfc, 0x97, 0xee, 0x63, 0x0a, 0x00, 0x00,
+	0x14, 0xd7, 0xd6, 0x69, 0x62, 0x3f, 0x37, 0x75, 0x32, 0x6d, 0xd3, 0xad, 0x55, 0x92, 0xe0, 0x43,
+	0x65, 0x10, 0xac, 0x1b, 0x57, 0x08, 0x84, 0xa8, 0xa0, 0xb6, 0xab, 0xd6, 0xd4, 0x6d, 0xc3, 0xb6,
+	0xe9, 0x01, 0x09, 0x55, 0x93, 0xdd, 0xc7, 0x66, 0xf1, 0x7a, 0x66, 0x35, 0x33, 0x6b, 0xea, 0x1e,
+	0xb9, 0x71, 0xe1, 0x02, 0x9f, 0x85, 0x03, 0x9f, 0x80, 0x23, 0x12, 0xf7, 0x08, 0x59, 0x7c, 0x10,
+	0x34, 0xb3, 0x7f, 0xb2, 0xb1, 0x5d, 0x40, 0xea, 0x6d, 0xe6, 0xf7, 0x7b, 0xff, 0xe6, 0xcd, 0x7b,
+	0x33, 0x0f, 0x76, 0x25, 0x8a, 0x29, 0x8a, 0x8e, 0x44, 0xa5, 0x42, 0x16, 0xc8, 0x62, 0xe1, 0xc4,
+	0x82, 0x2b, 0x4e, 0x36, 0xbc, 0x28, 0x91, 0x0a, 0x45, 0xf3, 0x6a, 0xc0, 0x03, 0x6e, 0xb0, 0x8e,
+	0x5e, 0xa5, 0x74, 0xf3, 0x66, 0xc0, 0x79, 0x10, 0x61, 0x87, 0xc6, 0x61, 0x87, 0x32, 0xc6, 0x15,
+	0x55, 0x21, 0x67, 0x99, 0x72, 0x73, 0x14, 0x84, 0xea, 0x24, 0x39, 0x76, 0x3c, 0x3e, 0xe9, 0x50,
+	0x61, 0xd4, 0xbf, 0x33, 0x8b, 0x0f, 0x3d, 0xbf, 0x33, 0xed, 0x76, 0xe2, 0x71, 0xa0, 0x35, 0x65,
+	0x87, 0xc6, 0x71, 0x14, 0x7a, 0x46, 0xb7, 0x33, 0x3d, 0xa0, 0x51, 0x7c, 0x42, 0x0f, 0x3a, 0x01,
+	0x32, 0x14, 0x54, 0xa1, 0x9f, 0x59, 0xfb, 0xe2, 0x3f, 0xac, 0x2d, 0x9e, 0x84, 0x87, 0xbe, 0xd7,
+	0xf1, 0x22, 0x1a, 0x4e, 0xb2, 0x78, 0x5a, 0x0d, 0xd8, 0x7c, 0x96, 0xb1, 0x5f, 0x25, 0x28, 0x66,
+	0xad, 0x5f, 0xeb, 0x50, 0xcd, 0x11, 0x72, 0x03, 0x2a, 0x89, 0x88, 0x6c, 0x6b, 0xdf, 0x6a, 0xd7,
+	0x7a, 0x1b, 0xf3, 0xd3, 0xbd, 0xca, 0x91, 0x3b, 0x72, 0x35, 0x46, 0x6e, 0x43, 0xcd, 0xc7, 0x57,
+	0x7d, 0xce, 0xbe, 0x0d, 0x03, 0xfb, 0xc2, 0xbe, 0xd5, 0xae, 0x77, 0x89, 0x93, 0x65, 0xc6, 0x19,
+	0xe4, 0x8c, 0x7b, 0x26, 0x44, 0xfa, 0x00, 0xda, 0x7f, 0xa6, 0x52, 0x31, 0x2a, 0x57, 0x0a, 0x95,
+	0xa7, 0xc3, 0x41, 0x3f, 0xa5, 0x7a, 0x97, 0xe7, 0xa7, 0x7b, 0x70, 0xb6, 0x77, 0x4b, 0x6a, 0x64,
+	0x1f, 0xea, 0x34, 0x8e, 0x47, 0xf4, 0x18, 0xa3, 0x47, 0x38, 0xb3, 0xd7, 0x74, 0x64, 0x6e, 0x19,
+	0x22, 0x2f, 0x60, 0x5b, 0xa0, 0xe4, 0x89, 0xf0, 0xf0, 0xe9, 0x14, 0x85, 0x08, 0x7d, 0x94, 0xf6,
+	0xc5, 0xfd, 0x4a, 0xbb, 0xde, 0x6d, 0x17, 0xde, 0xf2, 0x13, 0x3a, 0xee, 0xa2, 0xe8, 0x7d, 0xa6,
+	0xc4, 0xcc, 0x5d, 0x36, 0x41, 0x1c, 0x20, 0x52, 0x51, 0x95, 0xc8, 0x1e, 0xf5, 0x03, 0xbc, 0xcf,
+	0xe8, 0x71, 0x84, 0xbe, 0xbd, 0xbe, 0x6f, 0xb5, 0xab, 0xee, 0x0a, 0x86, 0x3c, 0x84, 0x46, 0x5a,
+	0x09, 0xf7, 0x18, 0x8d, 0x66, 0x2a, 0xf4, 0xa4, 0xbd, 0x61, 0xce, 0xbc, 0x5b, 0x44, 0xf1, 0xe0,
+	0x3c, 0x9f, 0x1d, 0x77, 0x51, 0x8d, 0xbc, 0x86, 0xad, 0x71, 0x22, 0x15, 0x9f, 0x84, 0xaf, 0xf1,
+	0x69, 0x6c, 0xaa, 0xc9, 0xae, 0x1a, 0x53, 0x4f, 0x9c, 0xb3, 0x02, 0x70, 0xf2, 0x02, 0x30, 0x8b,
+	0x97, 0x9e, 0xef, 0x4c, 0xbb, 0x4e, 0x3c, 0x0e, 0x1c, 0x5d, 0x4e, 0x4e, 0xa9, 0x9c, 0x9c, 0xbc,
+	0x9c, 0x9c, 0x47, 0x0b, 0x56, 0xdd, 0x25, 0x3f, 0xe4, 0x5d, 0x58, 0x3b, 0xc1, 0x28, 0xb6, 0x6b,
+	0xc6, 0xdf, 0x66, 0x11, 0xfa, 0x43, 0x8c, 0x62, 0xd7, 0x50, 0xe4, 0x3d, 0xd8, 0x88, 0xa3, 0x24,
+	0x08, 0x99, 0xb4, 0xc1, 0xa4, 0xb9, 0x51, 0x48, 0x1d, 0x1a, 0xdc, 0xcd, 0x79, 0x9d, 0xc3, 0x44,
+	0xa2, 0x18, 0x71, 0xbd, 0x1b, 0x84, 0x32, 0xcd, 0x61, 0x3d, 0xcd, 0xe1, 0x32, 0x43, 0x7e, 0xb2,
+	0xe0, 0xba, 0x67, 0xb2, 0xf2, 0x98, 0x32, 0x1a, 0xe0, 0x04, 0x99, 0x3a, 0xcc, 0x7c, 0x5d, 0x32,
+	0xbe, 0x9e, 0xbf, 0x5d, 0x06, 0xfa, 0x2b, 0x8d, 0xbb, 0x6f, 0x72, 0x4a, 0x3e, 0x80, 0xed, 0x22,
+	0x45, 0x2f, 0x50, 0x48, 0x73, 0x17, 0x9b, 0xfb, 0x95, 0x76, 0xcd, 0x5d, 0x26, 0x48, 0x13, 0xaa,
+	0x49, 0xd8, 0x97, 0xf2, 0xc8, 0x1d, 0xd9, 0x97, 0x4d, 0xa5, 0x16, 0x7b, 0xd2, 0x86, 0x46, 0x12,
+	0xf6, 0x28, 0x63, 0x28, 0xfa, 0x9c, 0x29, 0x64, 0xca, 0x6e, 0x18, 0x91, 0x45, 0x58, 0x97, 0x7c,
+	0x0e, 0x69, 0x43, 0x5b, 0x69, 0xc9, 0x97, 0x20, 0x6d, 0x2b, 0xa6, 0x52, 0x7e, 0xcf, 0x85, 0x7f,
+	0x48, 0x95, 0x42, 0xc1, 0xec, 0xed, 0xd4, 0xd6, 0x02, 0x4c, 0x6e, 0xc1, 0x65, 0x25, 0xa8, 0x37,
+	0x0e, 0x59, 0xf0, 0x18, 0xd5, 0x09, 0xf7, 0x6d, 0x62, 0x04, 0x17, 0x50, 0x7d, 0xce, 0xdc, 0xc1,
+	0x21, 0x8a, 0x09, 0x65, 0x3a, 0xbe, 0x2b, 0xe6, 0x9e, 0x96, 0x09, 0xf2, 0x3e, 0x6c, 0x15, 0x20,
+	0x97, 0xa1, 0x4e, 0xb1, 0x7d, 0xd5, 0xd8, 0x5d, 0xc2, 0x17, 0xda, 0xc8, 0xe5, 0x5c, 0x1d, 0x89,
+	0xc8, 0xbe, 0x66, 0xa4, 0x57, 0x30, 0xfa, 0xf4, 0xf8, 0x0a, 0xbd, 0xbc, 0xdf, 0x76, 0x4c, 0x0c,
+	0x65, 0x88, 0xdc, 0x86, 0x2b, 0x1e, 0x67, 0x4a, 0xf0, 0x28, 0x42, 0xf1, 0x84, 0x4e, 0x50, 0xc6,
+	0xd4, 0x43, 0xfb, 0xba, 0x31, 0xb9, 0x8a, 0x22, 0x9f, 0xc1, 0x0d, 0x1a, 0xc7, 0x72, 0xc8, 0xee,
+	0xb1, 0x59, 0x81, 0xe6, 0x1e, 0x6c, 0xe3, 0xe1, 0xcd, 0x02, 0xcd, 0x5f, 0x2c, 0xd8, 0x59, 0xfd,
+	0x6c, 0x90, 0x2d, 0xa8, 0x8c, 0x71, 0x96, 0xbe, 0x97, 0xae, 0x5e, 0x12, 0x1f, 0x2e, 0x4e, 0x69,
+	0x94, 0x60, 0xf6, 0x44, 0xbe, 0x65, 0xc3, 0x2e, 0xba, 0x75, 0x53, 0xe3, 0x9f, 0x5e, 0xf8, 0xc4,
+	0x6a, 0xbd, 0x84, 0x6b, 0x2b, 0xdf, 0x13, 0xb2, 0x0b, 0x90, 0xdf, 0xee, 0x70, 0x90, 0xc5, 0x56,
+	0x42, 0x74, 0x4d, 0x50, 0xc6, 0xd9, 0x4c, 0x97, 0xee, 0x91, 0x44, 0x21, 0x4d, 0xac, 0x55, 0x77,
+	0x01, 0x6d, 0xfd, 0x66, 0xc1, 0x9a, 0x6e, 0x7b, 0x62, 0xc3, 0x86, 0x77, 0x42, 0xcd, 0xbd, 0xa5,
+	0xd6, 0xf2, 0xad, 0x2e, 0x78, 0xbd, 0x7c, 0x8e, 0xaf, 0x94, 0x31, 0x52, 0x73, 0x8b, 0x3d, 0xb9,
+	0x0b, 0x70, 0x1c, 0x32, 0x2a, 0x66, 0x47, 0x22, 0x92, 0x76, 0xc5, 0x74, 0xef, 0x3b, 0xe7, 0xde,
+	0x13, 0xa7, 0x57, 0xf0, 0xe9, 0x2b, 0x5c, 0x52, 0x68, 0xde, 0x85, 0xc6, 0x02, 0xbd, 0x22, 0xdb,
+	0x57, 0xcb, 0xd9, 0xae, 0x95, 0xb3, 0x73, 0x13, 0xd6, 0xd3, 0x1e, 0x26, 0x04, 0xd6, 0x18, 0x9d,
+	0x60, 0xa6, 0x66, 0xd6, 0xad, 0xcf, 0xa1, 0x56, 0x7c, 0x59, 0xa4, 0x0b, 0xe0, 0x71, 0xc6, 0xd0,
+	0x53, 0x5c, 0x48, 0xdb, 0x32, 0x81, 0x9e, 0x7d, 0x6d, 0xfd, 0x9c, 0x72, 0x4b, 0x52, 0xad, 0x3b,
+	0x50, 0x2b, 0x88, 0x55, 0x1e, 0x34, 0xa6, 0x66, 0x71, 0x1e, 0x98, 0x59, 0xb7, 0x7e, 0xac, 0x40,
+	0xe9, 0x9b, 0x5b, 0xa9, 0xb6, 0x03, 0xeb, 0xa1, 0x94, 0x09, 0x8a, 0x4c, 0x31, 0xdb, 0x91, 0x36,
+	0x54, 0xbd, 0x28, 0x44, 0xa6, 0x86, 0x03, 0xf3, 0x93, 0xd6, 0x7a, 0x97, 0xe6, 0xa7, 0x7b, 0xd5,
+	0x7e, 0x86, 0xb9, 0x05, 0x4b, 0x0e, 0xa0, 0xee, 0x45, 0x61, 0x4e, 0xa4, 0x1f, 0x66, 0xaf, 0x31,
+	0x3f, 0xdd, 0xab, 0xf7, 0x47, 0xc3, 0x42, 0xbe, 0x2c, 0xa3, 0x9d, 0x4a, 0x8f, 0xc7, 0xd9, 0xb7,
+	0x59, 0x73, 0xb3, 0x1d, 0x79, 0x09, 0x9b, 0xa1, 0xff, 0x9c, 0x8f, 0x91, 0xf5, 0xcd, 0x08, 0x61,
+	0xaf, 0x9b, 0xdc, 0xdc, 0x5a, 0xf1, 0x87, 0x3b, 0xc3, 0xb2, 0xa0, 0xb9, 0xae, 0xde, 0xf6, 0xfc,
+	0x74, 0x6f, 0x73, 0x38, 0x28, 0xe1, 0xee, 0x79, 0x7b, 0xcd, 0x19, 0x90, 0x65, 0xbd, 0x15, 0xd7,
+	0xfc, 0xf8, 0x7c, 0x53, 0x7d, 0xfc, 0xaf, 0x4d, 0x95, 0xce, 0x40, 0x4e, 0x31, 0xc4, 0xe9, 0x61,
+	0xc2, 0x31, 0xf6, 0x4b, 0xf5, 0xd1, 0xfd, 0x06, 0x1a, 0xf9, 0x4c, 0xf0, 0x0c, 0xc5, 0x34, 0xf4,
+	0x90, 0x7c, 0x09, 0x95, 0x07, 0xa8, 0xc8, 0xce, 0xd2, 0xd0, 0x60, 0x06, 0xa5, 0xe6, 0xf6, 0x12,
+	0xde, 0xb2, 0x7f, 0xf8, 0xf3, 0xef, 0x9f, 0x2f, 0x10, 0xb2, 0x65, 0x86, 0xbf, 0xe9, 0x41, 0x31,
+	0x78, 0xf5, 0xfa, 0xbf, 0xcf, 0x77, 0xad, 0x3f, 0xe6, 0xbb, 0xd6, 0x5f, 0xf3, 0x5d, 0xeb, 0xeb,
+	0x8f, 0xfe, 0xdf, 0x10, 0x98, 0xde, 0x61, 0x61, 0xe4, 0x78, 0xdd, 0x8c, 0x6c, 0x77, 0xfe, 0x09,
+	0x00, 0x00, 0xff, 0xff, 0xf0, 0x33, 0x47, 0xc2, 0xa1, 0x0a, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -882,6 +891,18 @@ func (m *Settings) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if m.AppsInAnyNamespaceEnabled {
+		i--
+		if m.AppsInAnyNamespaceEnabled {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0xc0
+	}
 	if len(m.ControllerNamespace) > 0 {
 		i -= len(m.ControllerNamespace)
 		copy(dAtA[i:], m.ControllerNamespace)
@@ -1576,6 +1597,9 @@ func (m *Settings) Size() (n int) {
 	if l > 0 {
 		n += 2 + l + sovSettings(uint64(l))
 	}
+	if m.AppsInAnyNamespaceEnabled {
+		n += 3
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -2625,6 +2649,26 @@ func (m *Settings) Unmarshal(dAtA []byte) error {
 			}
 			m.ControllerNamespace = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 24:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AppsInAnyNamespaceEnabled", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSettings
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.AppsInAnyNamespaceEnabled = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipSettings(dAtA[iNdEx:])

pkg/apis/application/v1alpha1/app_project_types.go

@@ -1,10 +1,10 @@
 package v1alpha1
 
 import (
-	fmt "fmt"
+	"fmt"
 	"sort"
 	"strconv"
-	strings "strings"
+	"strings"
 
 	"github.com/argoproj/argo-cd/v2/util/git"
 	"github.com/argoproj/argo-cd/v2/util/glob"
@@ -167,6 +167,10 @@ func (p *AppProject) ValidateProject() error {
 		}
 
 		key := fmt.Sprintf("%s/%s", dest.Server, dest.Namespace)
+		if dest.Server == "" && dest.Name != "" {
+			// destination cluster set using name instead of server endpoint
+			key = fmt.Sprintf("%s/%s", dest.Name, dest.Namespace)
+		}
 		if _, ok := destKeys[key]; ok {
 			return status.Errorf(codes.InvalidArgument, "destination '%s' already added", key)
 		}
@@ -176,9 +180,9 @@ func (p *AppProject) ValidateProject() error {
 	srcNamespaces := make(map[string]bool)
 	for _, ns := range p.Spec.SourceNamespaces {
 		if _, ok := srcNamespaces[ns]; ok {
-			return status.Errorf(codes.InvalidArgument, "source namespaces '%s' already added", ns)
+			return status.Errorf(codes.InvalidArgument, "source namespace '%s' already added", ns)
 		}
-		destKeys[ns] = true
+		srcNamespaces[ns] = true
 	}
 
 	srcRepos := make(map[string]bool)

pkg/apis/application/v1alpha1/generated.proto

@@ -322,7 +322,7 @@ message ApplicationSource {
   // Directory holds path/directory specific options
   optional ApplicationSourceDirectory directory = 10;
 
-  // ConfigManagementPlugin holds config management plugin specific options
+  // Plugin holds config management plugin specific options
   optional ApplicationSourcePlugin plugin = 11;
 
   // Chart is a Helm chart name, and must be specified for applications sourced from a Helm repo.
@@ -1525,6 +1525,8 @@ message ResourceStatus {
   optional bool hook = 8;
 
   optional bool requiresPruning = 9;
+
+  optional int64 syncWave = 10;
 }
 
 // RetryStrategy contains information about the strategy to apply when a sync failed