chore: disable codeql workflow on cherry-pick branches (#12893)

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

.github/workflows/ci-build.yaml

@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - 'master'
+      - 'release-*'
 
 env:
   # Golang version to use across CI steps
@@ -18,15 +19,18 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   check-go:
     name: Ensure Go modules synchronicity
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -42,13 +46,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -59,17 +63,20 @@ jobs:
         run: make build-local
 
   lint-go:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Go code
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376 # v3.3.1
         with:
           version: v1.45.2
           args: --timeout 10m --exclude SA5011 --verbose
@@ -86,11 +93,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -110,13 +117,17 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
       - name: Install all tools required for building & testing
         run: |
           make install-test-tools-local
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
       - name: Setup git username and email
         run: |
           git config --global user.name "John Doe"
@@ -127,12 +138,12 @@ jobs:
       - name: Run all unit tests
         run: make test-local
       - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: code-coverage
           path: coverage.out
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: test-results
           path: test-results/
@@ -149,11 +160,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -173,13 +184,17 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
       - name: Install all tools required for building & testing
         run: |
           make install-test-tools-local
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
       - name: Setup git username and email
         run: |
           git config --global user.name "John Doe"
@@ -190,7 +205,7 @@ jobs:
       - name: Run all unit tests
         run: make test-race-local
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: race-results
           path: test-results/
@@ -200,9 +215,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -226,6 +241,10 @@ jobs:
           make install-codegen-tools-local
           make install-go-tools-local
         working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
       - name: Run codegen
         run: |
           set -x
@@ -244,14 +263,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup NodeJS
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: '12.18.4'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -281,12 +300,12 @@ jobs:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -297,16 +316,16 @@ jobs:
         run: |
           mkdir -p test-results
       - name: Get code coverage artifiact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: code-coverage
       - name: Get test result artifact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: test-results
           path: test-results
       - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
         with:
           file: coverage.out
       - name: Perform static code analysis using SonarCloud
@@ -359,14 +378,22 @@ jobs:
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
         run: |
           sudo pkill mono || true
+      # ubuntu-22.04 comes with kubectl, but the version is not pinned. The version as of 2022-12-05 is 1.26.0 which
+      # breaks the `TestNamespacedResourceDiffing` e2e test. So we'll pin to 1.25 and then fix the underlying issue.
+      - name: Install kubectl
+        run: |
+          rm /usr/local/bin/kubectl
+          curl -LO https://dl.k8s.io/release/v1.25.4/bin/linux/amd64/kubectl
+          mv kubectl /usr/local/bin/kubectl
+          chmod +x /usr/local/bin/kubectl
       - name: Install K3S
         env:
           INSTALL_K3S_VERSION: ${{ matrix.k3s-version }}+k3s1
@@ -379,7 +406,7 @@ jobs:
           sudo chown runner $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -405,9 +432,9 @@ jobs:
           git config --global user.email "john.doe@example.com"
       - name: Pull Docker image required for tests
         run: |
-          docker pull quay.io/dexidp/dex:v2.25.0
+          docker pull ghcr.io/dexidp/dex:v2.36.0
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.0-alpine
+          docker pull redis:7.0.8-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist
@@ -435,7 +462,7 @@ jobs:
           set -x
           make test-e2e-local
       - name: Upload e2e-server logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: e2e-server-k8s${{ matrix.k3s-version }}.log
           path: /tmp/e2e-server.log

.github/workflows/codeql.yml

@@ -5,6 +5,7 @@ on:
     # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
     branches-ignore:
       - 'dependabot/**'
+      - 'cherry-pick-*'
   pull_request:
   schedule:
     - cron: '0 19 * * 0'
@@ -13,8 +14,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
     if: github.repository == 'argoproj/argo-cd'
 
     # CodeQL runs on ubuntu-latest and windows-latest
@@ -22,11 +30,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
@@ -34,7 +42,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -48,4 +56,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33

.github/workflows/image.yaml

@@ -16,29 +16,34 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   publish:
+    permissions:
+      contents: write  # for git to push upgrade commit if not already deployed
     if: github.repository == 'argoproj/argo-cd'
     runs-on: ubuntu-latest
     env:
       GOPATH: /home/runner/work/argo-cd/argo-cd
     steps:
-      - uses: actions/setup-go@v1
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@master
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           path: src/github.com/argoproj/argo-cd
 
       # get image tag
-      - run: echo ::set-output name=tag::$(cat ./VERSION)-${GITHUB_SHA::8}
+      - run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
         working-directory: ./src/github.com/argoproj/argo-cd
         id: image
 
       # login
       - run: |
-          docker login ghcr.io --username $USERNAME --password $PASSWORD
-          docker login quay.io --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker login ghcr.io --username $USERNAME --password-stdin <<< "$PASSWORD"
+          docker login quay.io --username "$DOCKER_USERNAME" --password-stdin <<< "$DOCKER_TOKEN"
         if: github.event_name == 'push'
         env:
           USERNAME: ${{ secrets.USERNAME }}
@@ -47,11 +52,11 @@ jobs:
           DOCKER_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
 
       # build
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
+      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
 
       - name: Setup cache for argocd-ui docker layer
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-single-buildx-${{ github.sha }}
@@ -87,7 +92,7 @@ jobs:
             IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
           fi
           echo "Building image for platforms: $IMAGE_PLATFORMS"
-          docker buildx build --platform $IMAGE_PLATFORMS --push="${{ github.event_name == 'push' }}" \
+          docker buildx build --platform $IMAGE_PLATFORMS --sbom=false --provenance=false --push="${{ github.event_name == 'push' }}" \
             --cache-from "type=local,src=/tmp/.buildx-cache" \
             -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} \
             -t quay.io/argoproj/argocd:latest .
@@ -110,6 +115,29 @@ jobs:
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
         if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test-arm-image')
 
+      # sign container images
+      - name: Install cosign
+        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+        with:
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
+
+      - name: Get digest of image
+        run: |
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:latest)" >> $GITHUB_ENV
+
+      - name: Sign Argo CD latest image
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd@${{ env.IMAGE_DIGEST }}
+          # Displays the public key to share.
+          cosign public-key --key env://COSIGN_PRIVATE_KEY
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ github.event_name == 'push' }}
+
       # deploy
       - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
         if: github.event_name == 'push'

.github/workflows/release.yaml

@@ -12,10 +12,15 @@ on:
       - "!release-v0*"
 
 env:
-    GOLANG_VERSION: '1.18'
+  GOLANG_VERSION: '1.18'
+
+permissions:
+  contents: read
 
 jobs:
   prepare-release:
+    permissions:
+      contents: write # To push changes to release branch
     name: Perform automatic release on trigger ${{ github.ref }}
     if: github.repository == 'argoproj/argo-cd'
     runs-on: ubuntu-latest
@@ -38,7 +43,7 @@ jobs:
       GIT_EMAIL: argoproj@gmail.com
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -142,7 +147,7 @@ jobs:
           echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
 
       - name: Setup Golang
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
@@ -172,6 +177,10 @@ jobs:
         run: |
           set -ue
           make install-codegen-tools-local
+          
+          # We install kustomize in the dist directory
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
+          
           make manifests-local VERSION=${TARGET_VERSION}
           git diff
           git commit manifests/ -m "Bump version to ${TARGET_VERSION}"
@@ -190,28 +199,51 @@ jobs:
           QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
         run: |
           set -ue
-          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
+          docker login quay.io --username "${QUAY_USERNAME}" --password-stdin <<< "${QUAY_TOKEN}"
           # Remove the following when Docker Hub is gone
-          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker login --username "${DOCKER_USERNAME}" --password-stdin <<< "${DOCKER_TOKEN}"
         if: ${{ env.DRY_RUN != 'true' }}
 
-      - uses: docker/setup-qemu-action@v1
-      - uses: docker/setup-buildx-action@v1
+      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
       - name: Build and push Docker image for release
         run: |
           set -ue
           git clean -fd
           mkdir -p dist/
-          docker buildx build --platform linux/amd64,linux/arm64 --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
+          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --sbom=false --provenance=false --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
           make release-cli
           make checksums
           chmod +x ./dist/argocd-linux-amd64
           ./dist/argocd-linux-amd64 version --client
         if: ${{ env.DRY_RUN != 'true' }}
 
+      - name: Install cosign
+        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+        with:
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
+
+      - name: Get digest of image
+        run: |
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:v${TARGET_VERSION})" >> $GITHUB_ENV
+
+      - name: Sign Argo CD container images and assets
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd@${{ env.IMAGE_DIGEST }}
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
+          # Retrieves the public key to release as an asset
+          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ env.DRY_RUN != 'true' }}
+
       - name: Read release notes file
         id: release-notes
-        uses: juliangruber/read-file-action@v1
+        uses: juliangruber/read-file-action@02bbba9876a8f870efd4ad64e3b9088d3fb94d4b # v1.1.6
         with:
           path: ${{ env.RELEASE_NOTES }}
 
@@ -222,7 +254,7 @@ jobs:
           git push origin ${RELEASE_TAG}
 
       - name: Dry run GitHub release
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         id: create_release
@@ -243,7 +275,7 @@ jobs:
           SIGS_BOM_VERSION: v0.2.1
           # comma delimited list of project relative folders to inspect for package
           # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: ".,./ui" 
+          PROJECT_FOLDERS: ".,./ui"
           # full qualified name of the docker image to be inspected
           DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
         run: |
@@ -265,8 +297,16 @@ jobs:
           cd /tmp && tar -zcf sbom.tar.gz *.spdx
         if: ${{ env.DRY_RUN != 'true' }}
 
+      - name: Sign sbom
+        run: |
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ env.DRY_RUN != 'true' }}
+
       - name: Create GitHub release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -274,16 +314,17 @@ jobs:
           tag_name: ${{ env.RELEASE_TAG }}
           draft: ${{ env.DRAFT_RELEASE }}
           prerelease: ${{ env.PRE_RELEASE }}
-          body: ${{ steps.release-notes.outputs.content }}
+          body: ${{ steps.release-notes.outputs.content }}  # Pre-pended to the generated notes
           files: |
             dist/argocd-*
             /tmp/sbom.tar.gz
+            /tmp/sbom.tar.gz.sig
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Update homebrew formula
         env:
           HOMEBREW_TOKEN: ${{ secrets.RELEASE_HOMEBREW_TOKEN }}
-        uses: dawidd6/action-homebrew-bump-formula@v3
+        uses: dawidd6/action-homebrew-bump-formula@02e79d9da43d79efa846d73695b6052cbbdbf48a # v3.8.3
         with:
           token: ${{env.HOMEBREW_TOKEN}}
           formula: argocd

CHANGELOG.md

@@ -2,28 +2,36 @@
 
 ## v2.4.0 (Unreleased)
 
-### Web Terminal In Argo CD UI
+### Web Terminal In Argo CD UI
 
 Feature enables engineers to start a shell in the running application container without leaving the web interface. Just find the required Kubernetes
 Pod using the Application Details page, click on it and select the Terminal tab. The shell starts automatically and enables you to execute the required
 commands, and helps to troubleshoot the application state.
 
-### Access Control For Pod Logs & Web Terminal
+### Access Control For Pod Logs & Web Terminal
 
 Argo CD is used to manage the critical infrastructure of multiple organizations, which makes security the top priority of the project. We've listened to
 your feedback and introduced additional access control settings that control access to Kubernetes Pod logs and the new Web Terminal feature.
 
+#### Pod Logs UI
+
+Since 2.4.9, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy.
+
+#### Known pod logs UI issue prior to 2.4.9
+
+Upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
+
 ### OpenTelemetry Tracing Integration
 
 The new feature allows emitting richer telemetry data that might make identifying performance bottlenecks easier. The new feature is available for argocd-server
 and argocd-repo-server components and can be enabled using the --otlp-address flag.
 
-### Power PC and IBM Z Support
+### Power PC and IBM Z Support
 
 The list of supported architectures has been expanded, and now includes IBM Z (s390x) and PowerPC (ppc64le). Starting with the v2.4 release the official quay.io
 repository is going to have images for amd64, arm64, ppc64le, and s390x architectures.
 
-### Other Notable Changes
+### Other Notable Changes
 
 Overall v2.4 release includes more than 300 hundred commits from nearly 90 contributors. Here is a short sample of the contributions:
 

Dockerfile

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:21.10
+ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
@@ -63,7 +63,7 @@ RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh
 # support for mounting configuration from a configmap
 WORKDIR /app/config/ssh
 RUN touch ssh_known_hosts && \
-    ln -s ssh_known_hosts /etc/ssh/ssh_known_hosts 
+    ln -s /app/config/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts
 
 WORKDIR /app/config
 RUN mkdir -p tls && \
@@ -92,12 +92,13 @@ COPY ["ui/", "."]
 
 ARG ARGO_VERSION=latest
 ENV ARGO_VERSION=$ARGO_VERSION
-RUN HOST_ARCH='amd64' NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build
+ARG TARGETARCH
+RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build
 
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM  docker.io/library/golang:1.18 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.18 AS argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 
@@ -127,4 +128,4 @@ RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-applicationset-controller && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth
 
-USER 999
+USER 999

Makefile

@@ -25,7 +25,7 @@ DOCKER_WORKDIR?=/go/src/github.com/argoproj/argo-cd
 
 ARGOCD_PROCFILE?=Procfile
 
-# Strict mode has been disabled in latest versions of mkdocs-material. 
+# Strict mode has been disabled in latest versions of mkdocs-material.
 # Thus pointing to the older image of mkdocs-material matching the version used by argo-cd.
 MKDOCS_DOCKER_IMAGE?=squidfunk/mkdocs-material:4.1.1
 MKDOCS_RUN_ARGS?=
@@ -114,7 +114,7 @@ define run-in-test-client
 		bash -c "$(1)"
 endef
 
-# 
+#
 define exec-in-test-server
 	docker exec -it -u $(shell id -u):$(shell id -g) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
 endef
@@ -205,7 +205,7 @@ clientgen: ensure-gopath
 
 .PHONY: clidocsgen
 clidocsgen: ensure-gopath
-	go run tools/cmd-docs/main.go	
+	go run tools/cmd-docs/main.go
 
 
 .PHONY: codegen-local
@@ -234,6 +234,8 @@ release-cli: clean-debug build-ui
 	make BIN_NAME=argocd-darwin-arm64 GOOS=darwin GOARCH=arm64 argocd-all
 	make BIN_NAME=argocd-linux-amd64 GOOS=linux argocd-all
 	make BIN_NAME=argocd-linux-arm64 GOOS=linux GOARCH=arm64 argocd-all
+	make BIN_NAME=argocd-linux-ppc64le GOOS=linux GOARCH=ppc64le argocd-all
+	make BIN_NAME=argocd-linux-s390x GOOS=linux GOARCH=s390x argocd-all
 	make BIN_NAME=argocd-windows-amd64.exe GOOS=windows argocd-all
 
 .PHONY: test-tools-image
@@ -566,4 +568,4 @@ applicationset-controller:
 
 .PHONY: checksums
 checksums:
-	for f in ./dist/$(BIN_NAME)-*; do openssl dgst -sha256 "$$f" | awk ' { print $$2 }' > "$$f".sha256 ; done
+	sha256sum ./dist/$(BIN_NAME)-* | awk -F './dist/' '{print $$1 $$2}' > ./dist/$(BIN_NAME)-$(TARGET_VERSION)-checksums.txt

Procfile

@@ -1,12 +1,12 @@
-controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-api-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} "
+controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+api-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.30.2 dex serve /dex.yaml"
 redis: bash -c "if [ \"$ARGOCD_REDIS_LOCAL\" == 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:7.0.0-alpine --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
-repo-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
-cmp-server: [ "$ARGOCD_E2E_TEST" == 'true' ] && exit 0 || [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug"
+repo-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+cmp-server: [ "$ARGOCD_E2E_TEST" == 'true' ] && exit 0 || [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
 applicationset-controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_ASK_PASS_SOCK=/tmp/applicationset-ask-pass.sock ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-notification: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug"
+notification: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug"

USERS.md

@@ -37,6 +37,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Chargetrip](https://chargetrip.com)
 1. [Chime](https://www.chime.com)
 1. [Cisco ET&I](https://eti.cisco.com/)
+1. [Cobalt](https://www.cobalt.io/)
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
 1. [Commonbond](https://commonbond.co/)
@@ -81,6 +82,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [IITS-Consulting](https://iits-consulting.de)
 1. [imaware](https://imaware.health)
 1. [Index Exchange](https://www.indexexchange.com/)
+1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Intuit](https://www.intuit.com/)
 1. [Joblift](https://joblift.com/)

VERSION

@@ -1 +1 @@
-2.4.0
+2.4.28

applicationset/controllers/applicationset_controller.go

@@ -20,11 +20,16 @@ import (
 	"time"
 
 	"github.com/go-logr/logr"
+	log "github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/source"
@@ -33,18 +38,10 @@ import (
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/argoproj/argo-cd/v2/common"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/v2/util/db"
-
-	log "github.com/sirupsen/logrus"
-	"k8s.io/apimachinery/pkg/runtime"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	argoutil "github.com/argoproj/argo-cd/v2/util/argo"
-
-	apierr "k8s.io/apimachinery/pkg/api/errors"
+	"github.com/argoproj/argo-cd/v2/util/db"
 )
 
 const (
@@ -55,6 +52,13 @@ const (
 	ReconcileRequeueOnValidationError = time.Minute * 3
 )
 
+var (
+	preservedAnnotations = []string{
+		NotifiedAnnotationKey,
+		argov1alpha1.AnnotationKeyRefresh,
+	}
+)
+
 // ApplicationSetReconciler reconciles a ApplicationSet object
 type ApplicationSetReconciler struct {
 	client.Client
@@ -527,12 +531,16 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 			// Copy only the Application/ObjectMeta fields that are significant, from the generatedApp
 			found.Spec = generatedApp.Spec
 
-			// Preserve argo cd notifications state (https://github.com/argoproj/applicationset/issues/180)
-			if state, exists := found.ObjectMeta.Annotations[NotifiedAnnotationKey]; exists {
-				if generatedApp.Annotations == nil {
-					generatedApp.Annotations = map[string]string{}
+			// Preserve specially treated argo cd annotations:
+			// * https://github.com/argoproj/applicationset/issues/180
+			// * https://github.com/argoproj/argo-cd/issues/10500
+			for _, key := range preservedAnnotations {
+				if state, exists := found.ObjectMeta.Annotations[key]; exists {
+					if generatedApp.Annotations == nil {
+						generatedApp.Annotations = map[string]string{}
+					}
+					generatedApp.Annotations[key] = state
 				}
-				generatedApp.Annotations[NotifiedAnnotationKey] = state
 			}
 			found.ObjectMeta.Annotations = generatedApp.Annotations
 

applicationset/controllers/applicationset_controller_test.go

@@ -13,9 +13,11 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	kubefake "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	crtclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -25,10 +27,6 @@ import (
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	kubefake "k8s.io/client-go/kubernetes/fake"
-
 	"github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/fake"
@@ -755,7 +753,7 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 			},
 		},
 		{
-			name: "Ensure that argocd notifications state annotation is preserved from an existing app",
+			name: "Ensure that argocd notifications state and refresh annotation is preserved from an existing app",
 			appSet: argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "name",
@@ -781,8 +779,9 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 						ResourceVersion: "2",
 						Labels:          map[string]string{"label-key": "label-value"},
 						Annotations: map[string]string{
-							"annot-key":           "annot-value",
-							NotifiedAnnotationKey: `{"b620d4600c771a6f4cxxxxxxx:on-deployed:[0].y7b5sbwa2Q329JYHxxxxxx-fBs:slack:slack-test":1617144614}`,
+							"annot-key":                       "annot-value",
+							NotifiedAnnotationKey:             `{"b620d4600c771a6f4cxxxxxxx:on-deployed:[0].y7b5sbwa2Q329JYHxxxxxx-fBs:slack:slack-test":1617144614}`,
+							argov1alpha1.AnnotationKeyRefresh: string(argov1alpha1.RefreshTypeNormal),
 						},
 					},
 					Spec: argov1alpha1.ApplicationSpec{
@@ -811,7 +810,8 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 						Namespace:       "namespace",
 						ResourceVersion: "3",
 						Annotations: map[string]string{
-							NotifiedAnnotationKey: `{"b620d4600c771a6f4cxxxxxxx:on-deployed:[0].y7b5sbwa2Q329JYHxxxxxx-fBs:slack:slack-test":1617144614}`,
+							NotifiedAnnotationKey:             `{"b620d4600c771a6f4cxxxxxxx:on-deployed:[0].y7b5sbwa2Q329JYHxxxxxx-fBs:slack:slack-test":1617144614}`,
+							argov1alpha1.AnnotationKeyRefresh: string(argov1alpha1.RefreshTypeNormal),
 						},
 					},
 					Spec: argov1alpha1.ApplicationSpec{

applicationset/controllers/requeue_after_test.go

@@ -0,0 +1,180 @@
+package controllers
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	dynfake "k8s.io/client-go/dynamic/fake"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/generators"
+	argoappsetv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
+)
+
+func TestRequeueAfter(t *testing.T) {
+	mockServer := argoCDServiceMock{}
+	ctx := context.Background()
+	scheme := runtime.NewScheme()
+	err := argoappsetv1alpha1.AddToScheme(scheme)
+	assert.Nil(t, err)
+	gvrToListKind := map[schema.GroupVersionResource]string{{
+		Group:    "mallard.io",
+		Version:  "v1",
+		Resource: "ducks",
+	}: "DuckList"}
+	appClientset := kubefake.NewSimpleClientset()
+	k8sClient := fake.NewClientBuilder().Build()
+	duckType := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": "v2quack",
+			"kind":       "Duck",
+			"metadata": map[string]interface{}{
+				"name":      "mightyduck",
+				"namespace": "namespace",
+				"labels":    map[string]interface{}{"duck": "all-species"},
+			},
+			"status": map[string]interface{}{
+				"decisions": []interface{}{
+					map[string]interface{}{
+						"clusterName": "staging-01",
+					},
+					map[string]interface{}{
+						"clusterName": "production-01",
+					},
+				},
+			},
+		},
+	}
+	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
+
+	terminalGenerators := map[string]generators.Generator{
+		"List":                    generators.NewListGenerator(),
+		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
+		"Git":                     generators.NewGitGenerator(mockServer),
+		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build()),
+		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
+		"PullRequest":             generators.NewPullRequestGenerator(k8sClient),
+	}
+
+	nestedGenerators := map[string]generators.Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Matrix":                  generators.NewMatrixGenerator(terminalGenerators),
+		"Merge":                   generators.NewMergeGenerator(terminalGenerators),
+	}
+
+	topLevelGenerators := map[string]generators.Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Matrix":                  generators.NewMatrixGenerator(nestedGenerators),
+		"Merge":                   generators.NewMergeGenerator(nestedGenerators),
+	}
+
+	client := fake.NewClientBuilder().WithScheme(scheme).Build()
+	r := ApplicationSetReconciler{
+		Client:     client,
+		Scheme:     scheme,
+		Recorder:   record.NewFakeRecorder(0),
+		Generators: topLevelGenerators,
+	}
+
+	type args struct {
+		appset *argoappsetv1alpha1.ApplicationSet
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    time.Duration
+		wantErr assert.ErrorAssertionFunc
+	}{
+		{name: "Cluster", args: args{appset: &argoappsetv1alpha1.ApplicationSet{
+			Spec: argoappsetv1alpha1.ApplicationSetSpec{
+				Generators: []argoappsetv1alpha1.ApplicationSetGenerator{{Clusters: &argoappsetv1alpha1.ClusterGenerator{}}},
+			},
+		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+		{name: "ClusterMergeNested", args: args{&argoappsetv1alpha1.ApplicationSet{
+			Spec: argoappsetv1alpha1.ApplicationSetSpec{
+				Generators: []argoappsetv1alpha1.ApplicationSetGenerator{
+					{Clusters: &argoappsetv1alpha1.ClusterGenerator{}},
+					{Merge: &argoappsetv1alpha1.MergeGenerator{
+						Generators: []argoappsetv1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argoappsetv1alpha1.ClusterGenerator{},
+								Git:      &argoappsetv1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		{name: "ClusterMatrixNested", args: args{&argoappsetv1alpha1.ApplicationSet{
+			Spec: argoappsetv1alpha1.ApplicationSetSpec{
+				Generators: []argoappsetv1alpha1.ApplicationSetGenerator{
+					{Clusters: &argoappsetv1alpha1.ClusterGenerator{}},
+					{Matrix: &argoappsetv1alpha1.MatrixGenerator{
+						Generators: []argoappsetv1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argoappsetv1alpha1.ClusterGenerator{},
+								Git:      &argoappsetv1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		{name: "ListGenerator", args: args{appset: &argoappsetv1alpha1.ApplicationSet{
+			Spec: argoappsetv1alpha1.ApplicationSetSpec{
+				Generators: []argoappsetv1alpha1.ApplicationSetGenerator{{List: &argoappsetv1alpha1.ListGenerator{}}},
+			},
+		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, r.getMinRequeueAfter(tt.args.appset), "getMinRequeueAfter(%v)", tt.args.appset)
+		})
+	}
+}
+
+type argoCDServiceMock struct {
+	mock *mock.Mock
+}
+
+func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+
+	return args.Get(0).([]string), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, pattern)
+
+	return args.Get(0).(map[string][]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, path)
+
+	return args.Get(0).([]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+	return args.Get(0).([]string), args.Error(1)
+}

applicationset/examples/git-generator-directory/cluster-addons/argo-workflows/kustomization.yaml

@@ -1,6 +1,6 @@
 #namePrefix: kustomize-
 
 resources:
-- namespace-install.yaml
+- https://github.com/argoproj/argo-workflows/releases/download/v3.4.0/namespace-install.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

applicationset/examples/git-generator-directory/cluster-addons/argo-workflows/namespace-install.yaml

@@ -1,417 +0,0 @@
-# This is an auto-generated file. DO NOT EDIT
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterworkflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: ClusterWorkflowTemplate
-    listKind: ClusterWorkflowTemplateList
-    plural: clusterworkflowtemplates
-    shortNames:
-    - clusterwftmpl
-    - cwft
-    singular: clusterworkflowtemplate
-  scope: Cluster
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: cronworkflows.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: CronWorkflow
-    listKind: CronWorkflowList
-    plural: cronworkflows
-    shortNames:
-    - cwf
-    - cronwf
-    singular: cronworkflow
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workfloweventbindings.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: WorkflowEventBinding
-    listKind: WorkflowEventBindingList
-    plural: workfloweventbindings
-    shortNames:
-    - wfeb
-    singular: workfloweventbinding
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflows.argoproj.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.phase
-    description: Status of the workflow
-    name: Status
-    type: string
-  - JSONPath: .status.startedAt
-    description: When the workflow was started
-    format: date-time
-    name: Age
-    type: date
-  group: argoproj.io
-  names:
-    kind: Workflow
-    listKind: WorkflowList
-    plural: workflows
-    shortNames:
-    - wf
-    singular: workflow
-  scope: Namespaced
-  subresources: {}
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: WorkflowTemplate
-    listKind: WorkflowTemplateList
-    plural: workflowtemplates
-    shortNames:
-    - wftmpl
-    singular: workflowtemplate
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo-server
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumeclaims
-  verbs:
-  - create
-  - delete
-  - get
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-  - create
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-- apiGroups:
-  - argoproj.io
-  resources:
-  - cronworkflows
-  - cronworkflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
-  - get
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-server-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  - pods/log
-  verbs:
-  - get
-  - list
-  - watch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - watch
-  - create
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workfloweventbindings
-  - workflowtemplates
-  - cronworkflows
-  - cronworkflows/finalizers
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argo-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argo-role
-subjects:
-- kind: ServiceAccount
-  name: argo
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argo-server-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argo-server-role
-subjects:
-- kind: ServiceAccount
-  name: argo-server
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: workflow-controller-configmap
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: argo-server
-spec:
-  ports:
-  - name: web
-    port: 2746
-    targetPort: 2746
-  selector:
-    app: argo-server
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: workflow-controller-metrics
-spec:
-  ports:
-  - name: metrics
-    port: 9090
-    protocol: TCP
-    targetPort: 9090
-  selector:
-    app: workflow-controller
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: argo-server
-spec:
-  selector:
-    matchLabels:
-      app: argo-server
-  template:
-    metadata:
-      labels:
-        app: argo-server
-    spec:
-      containers:
-      - args:
-        - server
-        - --namespaced
-        image: argoproj/argocli:v2.12.5
-        name: argo-server
-        ports:
-        - containerPort: 2746
-          name: web
-        readinessProbe:
-          httpGet:
-            path: /
-            port: 2746
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 20
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-      serviceAccountName: argo-server
-      volumes:
-      - emptyDir: {}
-        name: tmp
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: workflow-controller
-spec:
-  selector:
-    matchLabels:
-      app: workflow-controller
-  template:
-    metadata:
-      labels:
-        app: workflow-controller
-    spec:
-      containers:
-      - args:
-        - --configmap
-        - workflow-controller-configmap
-        - --executor-image
-        - argoproj/argoexec:v2.12.5
-        - --namespaced
-        command:
-        - workflow-controller
-        image: argoproj/workflow-controller:v2.12.5
-        livenessProbe:
-          httpGet:
-            path: /metrics
-            port: metrics
-          initialDelaySeconds: 30
-          periodSeconds: 30
-        name: workflow-controller
-        ports:
-        - containerPort: 9090
-          name: metrics
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-      serviceAccountName: argo

applicationset/examples/git-generator-directory/cluster-addons/prometheus-operator/Chart.yaml

@@ -11,4 +11,4 @@ version: 0.1.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
-appVersion: "1.0"
+appVersion: "1.0"

applicationset/examples/git-generator-directory/cluster-addons/prometheus-operator/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
 - name: kube-prometheus-stack
-  version: 9.4.10
+  version: 40.5.0
   repository: https://prometheus-community.github.io/helm-charts

applicationset/examples/git-generator-directory/excludes/cluster-addons/argo-workflows/kustomization.yaml

@@ -1,6 +1,6 @@
 #namePrefix: kustomize-
 
 resources:
-- namespace-install.yaml
+- https://github.com/argoproj/argo-workflows/releases/download/v3.4.0/namespace-install.yaml
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

applicationset/examples/git-generator-directory/excludes/cluster-addons/argo-workflows/namespace-install.yaml

@@ -1,417 +0,0 @@
-# This is an auto-generated file. DO NOT EDIT
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterworkflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: ClusterWorkflowTemplate
-    listKind: ClusterWorkflowTemplateList
-    plural: clusterworkflowtemplates
-    shortNames:
-    - clusterwftmpl
-    - cwft
-    singular: clusterworkflowtemplate
-  scope: Cluster
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: cronworkflows.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: CronWorkflow
-    listKind: CronWorkflowList
-    plural: cronworkflows
-    shortNames:
-    - cwf
-    - cronwf
-    singular: cronworkflow
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workfloweventbindings.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: WorkflowEventBinding
-    listKind: WorkflowEventBindingList
-    plural: workfloweventbindings
-    shortNames:
-    - wfeb
-    singular: workfloweventbinding
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflows.argoproj.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.phase
-    description: Status of the workflow
-    name: Status
-    type: string
-  - JSONPath: .status.startedAt
-    description: When the workflow was started
-    format: date-time
-    name: Age
-    type: date
-  group: argoproj.io
-  names:
-    kind: Workflow
-    listKind: WorkflowList
-    plural: workflows
-    shortNames:
-    - wf
-    singular: workflow
-  scope: Namespaced
-  subresources: {}
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: WorkflowTemplate
-    listKind: WorkflowTemplateList
-    plural: workflowtemplates
-    shortNames:
-    - wftmpl
-    singular: workflowtemplate
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo-server
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumeclaims
-  verbs:
-  - create
-  - delete
-  - get
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-  - create
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-- apiGroups:
-  - argoproj.io
-  resources:
-  - cronworkflows
-  - cronworkflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
-  - get
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-server-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - create
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  - pods/log
-  verbs:
-  - get
-  - list
-  - watch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - watch
-  - create
-  - patch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workfloweventbindings
-  - workflowtemplates
-  - cronworkflows
-  - cronworkflows/finalizers
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argo-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argo-role
-subjects:
-- kind: ServiceAccount
-  name: argo
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argo-server-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argo-server-role
-subjects:
-- kind: ServiceAccount
-  name: argo-server
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: workflow-controller-configmap
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: argo-server
-spec:
-  ports:
-  - name: web
-    port: 2746
-    targetPort: 2746
-  selector:
-    app: argo-server
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: workflow-controller-metrics
-spec:
-  ports:
-  - name: metrics
-    port: 9090
-    protocol: TCP
-    targetPort: 9090
-  selector:
-    app: workflow-controller
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: argo-server
-spec:
-  selector:
-    matchLabels:
-      app: argo-server
-  template:
-    metadata:
-      labels:
-        app: argo-server
-    spec:
-      containers:
-      - args:
-        - server
-        - --namespaced
-        image: argoproj/argocli:v2.12.5
-        name: argo-server
-        ports:
-        - containerPort: 2746
-          name: web
-        readinessProbe:
-          httpGet:
-            path: /
-            port: 2746
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 20
-        volumeMounts:
-        - mountPath: /tmp
-          name: tmp
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-      serviceAccountName: argo-server
-      volumes:
-      - emptyDir: {}
-        name: tmp
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: workflow-controller
-spec:
-  selector:
-    matchLabels:
-      app: workflow-controller
-  template:
-    metadata:
-      labels:
-        app: workflow-controller
-    spec:
-      containers:
-      - args:
-        - --configmap
-        - workflow-controller-configmap
-        - --executor-image
-        - argoproj/argoexec:v2.12.5
-        - --namespaced
-        command:
-        - workflow-controller
-        image: argoproj/workflow-controller:v2.12.5
-        livenessProbe:
-          httpGet:
-            path: /metrics
-            port: metrics
-          initialDelaySeconds: 30
-          periodSeconds: 30
-        name: workflow-controller
-        ports:
-        - containerPort: 9090
-          name: metrics
-      nodeSelector:
-        kubernetes.io/os: linux
-      securityContext:
-        runAsNonRoot: true
-      serviceAccountName: argo

applicationset/examples/git-generator-directory/excludes/cluster-addons/prometheus-operator/Chart.yaml

@@ -1 +1,14 @@
+apiVersion: v2
 name: helm-prometheus-operator
+
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"

applicationset/examples/git-generator-directory/excludes/cluster-addons/prometheus-operator/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
 - name: kube-prometheus-stack
-  version: 9.4.10
+  version: 40.5.0
   repository: https://prometheus-community.github.io/helm-charts

applicationset/examples/git-generator-directory/excludes/git-directories-exclude-example.yaml

@@ -2,6 +2,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
   name: cluster-addons
+  namespace: argocd
 spec:
   generators:
   - git:
@@ -15,7 +16,7 @@ spec:
     metadata:
       name: '{{path.basename}}'
     spec:
-      project: default
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
@@ -23,3 +24,6 @@ spec:
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true

applicationset/examples/git-generator-directory/git-directories-example.yaml

@@ -2,6 +2,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
   name: cluster-addons
+  namespace: argocd
 spec:
   generators:
   - git:
@@ -13,7 +14,7 @@ spec:
     metadata:
       name: '{{path.basename}}'
     spec:
-      project: default
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
@@ -21,3 +22,6 @@ spec:
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true

applicationset/generators/cluster.go

@@ -51,6 +51,8 @@ func NewClusterGenerator(c client.Client, ctx context.Context, clientset kuberne
 	return g
 }
 
+// GetRequeueAfter never requeue the cluster generator because the `clusterSecretEventHandler` will requeue the appsets
+// when the cluster secrets change
 func (g *ClusterGenerator) GetRequeueAfter(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) time.Duration {
 	return NoRequeueAfter
 }
@@ -166,7 +168,7 @@ func (g *ClusterGenerator) getSecretsByClusterName(appSetGenerator *argoappsetv1
 
 }
 
-// santize the name in accordance with the below rules
+// sanitize the name in accordance with the below rules
 // 1. contain no more than 253 characters
 // 2. contain only lowercase alphanumeric characters, '-' or '.'
 // 3. start and end with an alphanumeric character

applicationset/generators/git.go

@@ -162,8 +162,10 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 		}
 		params["path"] = path.Dir(filePath)
 		params["path.basename"] = path.Base(params["path"])
+		params["path.filename"] = path.Base(filePath)
 		params["path.basenameNormalized"] = sanitizeName(path.Base(params["path"]))
-		for k, v := range strings.Split(strings.TrimSuffix(params["path"], params["path.basename"]), "/") {
+		params["path.filenameNormalized"] = sanitizeName(path.Base(params["path.filename"]))
+		for k, v := range strings.Split(params["path"], "/") {
 			if len(v) > 0 {
 				params["path["+strconv.Itoa(k)+"]"] = v
 			}
@@ -213,7 +215,7 @@ func (g *GitGenerator) generateParamsFromApps(requestedApps []string, _ *argopro
 		params["path"] = a
 		params["path.basename"] = path.Base(a)
 		params["path.basenameNormalized"] = sanitizeName(path.Base(a))
-		for k, v := range strings.Split(strings.TrimSuffix(params["path"], params["path.basename"]), "/") {
+		for k, v := range strings.Split(params["path"], "/") {
 			if len(v) > 0 {
 				params["path["+strconv.Itoa(k)+"]"] = v
 			}

applicationset/generators/git_test.go

@@ -47,6 +47,28 @@ func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, r
 	return args.Get(0).([]string), args.Error(1)
 }
 
+func Test_generateParamsFromGitFile(t *testing.T) {
+	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
+foo:
+  bar: baz
+`))
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Equal(t, []map[string]string{
+		{
+			"foo.bar":                 "baz",
+			"path":                    "path/dir",
+			"path.basename":           "dir",
+			"path.filename":           "file_name.yaml",
+			"path.basenameNormalized": "dir",
+			"path.filenameNormalized": "file-name.yaml",
+			"path[0]":                 "path",
+			"path[1]":                 "dir",
+		},
+	}, params)
+}
+
 func TestGitGenerateParamsFromDirectories(t *testing.T) {
 
 	cases := []struct {
@@ -68,9 +90,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 			},
 			repoError: nil,
 			expected: []map[string]string{
-				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1"},
-				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2"},
-				{"path": "app_3", "path.basename": "app_3", "path.basenameNormalized": "app-3"},
+				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1"},
+				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2", "path[0]": "app2"},
+				{"path": "app_3", "path.basename": "app_3", "path.basenameNormalized": "app-3", "path[0]": "app_3"},
 			},
 			expectedError: nil,
 		},
@@ -85,8 +107,8 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 			},
 			repoError: nil,
 			expected: []map[string]string{
-				{"path": "p1/app2", "path.basename": "app2", "path[0]": "p1", "path.basenameNormalized": "app2"},
-				{"path": "p1/p2/app3", "path.basename": "app3", "path[0]": "p1", "path[1]": "p2", "path.basenameNormalized": "app3"},
+				{"path": "p1/app2", "path.basename": "app2", "path[0]": "p1", "path[1]": "app2", "path.basenameNormalized": "app2"},
+				{"path": "p1/p2/app3", "path.basename": "app3", "path[0]": "p1", "path[1]": "p2", "path[2]": "app3", "path.basenameNormalized": "app3"},
 			},
 			expectedError: nil,
 		},
@@ -102,9 +124,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 			},
 			repoError: nil,
 			expected: []map[string]string{
-				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1"},
-				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2"},
-				{"path": "p2/app3", "path.basename": "app3", "path[0]": "p2", "path.basenameNormalized": "app3"},
+				{"path": "app1", "path.basename": "app1", "path[0]": "app1", "path.basenameNormalized": "app1"},
+				{"path": "app2", "path.basename": "app2", "path[0]": "app2", "path.basenameNormalized": "app2"},
+				{"path": "p2/app3", "path.basename": "app3", "path[0]": "p2", "path[1]": "app3", "path.basenameNormalized": "app3"},
 			},
 			expectedError: nil,
 		},
@@ -120,9 +142,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 			},
 			repoError: nil,
 			expected: []map[string]string{
-				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1"},
-				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2"},
-				{"path": "p2/app3", "path.basename": "app3", "path[0]": "p2", "path.basenameNormalized": "app3"},
+				{"path": "app1", "path.basename": "app1", "path[0]": "app1", "path.basenameNormalized": "app1"},
+				{"path": "app2", "path.basename": "app2", "path[0]": "app2", "path.basenameNormalized": "app2"},
+				{"path": "p2/app3", "path.basename": "app3", "path[0]": "p2", "path[1]": "app3", "path.basenameNormalized": "app3"},
 			},
 			expectedError: nil,
 		},
@@ -238,7 +260,10 @@ func TestGitGenerateParamsFromFiles(t *testing.T) {
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.json",
+					"path.filenameNormalized": "config.json",
 				},
 				{
 					"cluster.owner":           "foo.bar@example.com",
@@ -247,7 +272,10 @@ func TestGitGenerateParamsFromFiles(t *testing.T) {
 					"path":                    "cluster-config/staging",
 					"path.basename":           "staging",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "staging",
 					"path.basenameNormalized": "staging",
+					"path.filename":           "config.json",
+					"path.filenameNormalized": "config.json",
 				},
 			},
 			expectedError: nil,
@@ -305,7 +333,10 @@ func TestGitGenerateParamsFromFiles(t *testing.T) {
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.json",
+					"path.filenameNormalized": "config.json",
 				},
 				{
 					"cluster.owner":           "john.doe@example.com",
@@ -314,7 +345,10 @@ func TestGitGenerateParamsFromFiles(t *testing.T) {
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.json",
+					"path.filenameNormalized": "config.json",
 				},
 			},
 			expectedError: nil,
@@ -353,7 +387,10 @@ cluster:
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.yaml",
+					"path.filenameNormalized": "config.yaml",
 				},
 				{
 					"cluster.owner":           "foo.bar@example.com",
@@ -362,7 +399,10 @@ cluster:
 					"path":                    "cluster-config/staging",
 					"path.basename":           "staging",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "staging",
 					"path.basenameNormalized": "staging",
+					"path.filename":           "config.yaml",
+					"path.filenameNormalized": "config.yaml",
 				},
 			},
 			expectedError: nil,
@@ -393,7 +433,10 @@ cluster:
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.yaml",
+					"path.filenameNormalized": "config.yaml",
 				},
 				{
 					"cluster.owner":           "john.doe@example.com",
@@ -402,7 +445,10 @@ cluster:
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.yaml",
+					"path.filenameNormalized": "config.yaml",
 				},
 			},
 			expectedError: nil,

applicationset/generators/matrix.go

@@ -67,28 +67,13 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 }
 
 func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]string, error) {
-	var matrix *argoprojiov1alpha1.MatrixGenerator
-	if appSetBaseGenerator.Matrix != nil {
-		// Since nested matrix generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
-		if err != nil {
-			return nil, fmt.Errorf("unable to unmarshall nested matrix generator: %v", err)
-		}
-		if nestedMatrix != nil {
-			matrix = nestedMatrix.ToMatrixGenerator()
-		}
+	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
-
-	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
-	if appSetBaseGenerator.Merge != nil {
-		// Since nested merge generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
-		if err != nil {
-			return nil, fmt.Errorf("unable to unmarshall nested merge generator: %v", err)
-		}
-		if nestedMerge != nil {
-			mergeGenerator = nestedMerge.ToMergeGenerator()
-		}
+	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
 
 	t, err := Transform(
@@ -99,8 +84,8 @@ func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Appli
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrix,
-			Merge:                   mergeGenerator,
+			Matrix:                  matrixGen,
+			Merge:                   mergeGen,
 		},
 		m.supportedGenerators,
 		argoprojiov1alpha1.ApplicationSetTemplate{},
@@ -128,10 +113,15 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 	var found bool
 
 	for _, r := range appSetGenerator.Matrix.Generators {
+		matrixGen, _ := getMatrixGenerator(r)
+		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:     r.List,
-			Clusters: r.Clusters,
-			Git:      r.Git,
+			List:        r.List,
+			Clusters:    r.Clusters,
+			Git:         r.Git,
+			PullRequest: r.PullRequest,
+			Matrix:      matrixGen,
+			Merge:       mergeGen,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)
 
@@ -152,6 +142,17 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 
 }
 
+func getMatrixGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MatrixGenerator, error) {
+	if r.Matrix == nil {
+		return nil, nil
+	}
+	matrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(r.Matrix)
+	if err != nil {
+		return nil, err
+	}
+	return matrix.ToMatrixGenerator(), nil
+}
+
 func (m *MatrixGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Matrix.Template
 }

applicationset/generators/matrix_test.go

@@ -191,6 +191,8 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 		Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "Cluster","url": "Url"}`)}},
 	}
 
+	pullRequestGenerator := &argoprojiov1alpha1.PullRequestGenerator{}
+
 	testCases := []struct {
 		name               string
 		baseGenerators     []argoprojiov1alpha1.ApplicationSetNestedGenerator
@@ -223,6 +225,31 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 			gitGetRequeueAfter: time.Duration(1),
 			expected:           time.Duration(1),
 		},
+		{
+			name: "returns the minimal time for pull request",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			gitGetRequeueAfter: time.Duration(15 * time.Second),
+			expected:           time.Duration(15 * time.Second),
+		},
+		{
+			name: "returns the default time if no requeueAfterSeconds is provided",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			expected: time.Duration(30 * time.Minute),
+		},
 	}
 
 	for _, testCase := range testCases {
@@ -233,16 +260,18 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 
 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
-					Git:  g.Git,
-					List: g.List,
+					Git:         g.Git,
+					List:        g.List,
+					PullRequest: g.PullRequest,
 				}
 				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
 			}
 
 			var matrixGenerator = NewMatrixGenerator(
 				map[string]Generator{
-					"Git":  mock,
-					"List": &ListGenerator{},
+					"Git":         mock,
+					"List":        &ListGenerator{},
+					"PullRequest": &PullRequestGenerator{},
 				},
 			)
 

applicationset/generators/merge.go

@@ -127,27 +127,13 @@ func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]string) (
 
 // getParams get the parameters generated by this generator.
 func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]string, error) {
-
-	var matrix *argoprojiov1alpha1.MatrixGenerator
-	if appSetBaseGenerator.Matrix != nil {
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
-		if err != nil {
-			return nil, err
-		}
-		if nestedMatrix != nil {
-			matrix = nestedMatrix.ToMatrixGenerator()
-		}
+	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
-
-	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
-	if appSetBaseGenerator.Merge != nil {
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
-		if err != nil {
-			return nil, err
-		}
-		if nestedMerge != nil {
-			mergeGenerator = nestedMerge.ToMergeGenerator()
-		}
+	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
 
 	t, err := Transform(
@@ -158,8 +144,8 @@ func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Applic
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrix,
-			Merge:                   mergeGenerator,
+			Matrix:                  matrixGen,
+			Merge:                   mergeGen,
 		},
 		m.supportedGenerators,
 		argoprojiov1alpha1.ApplicationSetTemplate{},
@@ -185,10 +171,15 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 	var found bool
 
 	for _, r := range appSetGenerator.Merge.Generators {
+		matrixGen, _ := getMatrixGenerator(r)
+		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:     r.List,
-			Clusters: r.Clusters,
-			Git:      r.Git,
+			List:        r.List,
+			Clusters:    r.Clusters,
+			Git:         r.Git,
+			PullRequest: r.PullRequest,
+			Matrix:      matrixGen,
+			Merge:       mergeGen,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)
 
@@ -209,6 +200,17 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 
 }
 
+func getMergeGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MergeGenerator, error) {
+	if r.Merge == nil {
+		return nil, nil
+	}
+	merge, err := argoprojiov1alpha1.ToNestedMergeGenerator(r.Merge)
+	if err != nil {
+		return nil, err
+	}
+	return merge.ToMergeGenerator(), nil
+}
+
 // GetTemplate gets the Template field for the MergeGenerator.
 func (m *MergeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Merge.Template

applicationset/generators/scm_provider.go

@@ -101,6 +101,15 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if scmError != nil {
 			return nil, fmt.Errorf("error initializing Bitbucket Server service: %v", scmError)
 		}
+	} else if providerConfig.Bitbucket != nil {
+		appPassword, err := g.getSecretRef(ctx, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %v", err)
+		}
+		provider, err = scm_provider.NewBitBucketCloudProvider(ctx, providerConfig.Bitbucket.Owner, providerConfig.Bitbucket.User, appPassword, providerConfig.Bitbucket.AllBranches)
+		if err != nil {
+			return nil, fmt.Errorf("error initializing Bitbucket cloud service: %v", err)
+		}
 	} else {
 		return nil, fmt.Errorf("no SCM provider implementation configured")
 	}

applicationset/services/pull_request/gitea_test.go

@@ -2,13 +2,253 @@ package pull_request
 
 import (
 	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 )
 
+func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Println(r.RequestURI)
+		switch r.RequestURI {
+		case "/api/v1/version":
+			_, err := io.WriteString(w, `{"version":"1.17.0+dev-452-g1f0541780"}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/pr-test/pulls?limit=0&page=1&state=open":
+			_, err := io.WriteString(w, `[{
+				"id": 50721,
+				"url": "https://gitea.com/test-argocd/pr-test/pulls/1",
+				"number": 1,
+				"user": {
+					"id": 4476,
+					"login": "graytshirt",
+					"full_name": "Dan",
+					"email": "graytshirt@noreply.gitea.io",
+					"avatar_url": "https://secure.gravatar.com/avatar/2446c67bcd59d71f6ae3cf376ec2ae37?d=identicon",
+					"language": "",
+					"is_admin": false,
+					"last_login": "0001-01-01T00:00:00Z",
+					"created": "2020-04-07T01:14:36+08:00",
+					"restricted": false,
+					"active": false,
+					"prohibit_login": false,
+					"location": "",
+					"website": "",
+					"description": "",
+					"visibility": "public",
+					"followers_count": 0,
+					"following_count": 4,
+					"starred_repos_count": 1,
+					"username": "graytshirt"
+				},
+				"title": "add an empty file",
+				"body": "",
+				"labels": [],
+				"milestone": null,
+				"assignee": null,
+				"assignees": null,
+				"state": "open",
+				"is_locked": false,
+				"comments": 0,
+				"html_url": "https://gitea.com/test-argocd/pr-test/pulls/1",
+				"diff_url": "https://gitea.com/test-argocd/pr-test/pulls/1.diff",
+				"patch_url": "https://gitea.com/test-argocd/pr-test/pulls/1.patch",
+				"mergeable": true,
+				"merged": false,
+				"merged_at": null,
+				"merge_commit_sha": null,
+				"merged_by": null,
+				"base": {
+					"label": "main",
+					"ref": "main",
+					"sha": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"repo_id": 21618,
+					"repo": {
+						"id": 21618,
+						"owner": {
+							"id": 31480,
+							"login": "test-argocd",
+							"full_name": "",
+							"email": "",
+							"avatar_url": "https://gitea.com/avatars/22d1b1d3f61abf95951c4a958731d848",
+							"language": "",
+							"is_admin": false,
+							"last_login": "0001-01-01T00:00:00Z",
+							"created": "2022-04-06T02:28:06+08:00",
+							"restricted": false,
+							"active": false,
+							"prohibit_login": false,
+							"location": "",
+							"website": "",
+							"description": "",
+							"visibility": "public",
+							"followers_count": 0,
+							"following_count": 0,
+							"starred_repos_count": 0,
+							"username": "test-argocd"
+						},
+						"name": "pr-test",
+						"full_name": "test-argocd/pr-test",
+						"description": "",
+						"empty": false,
+						"private": false,
+						"fork": false,
+						"template": false,
+						"parent": null,
+						"mirror": false,
+						"size": 28,
+						"language": "",
+						"languages_url": "https://gitea.com/api/v1/repos/test-argocd/pr-test/languages",
+						"html_url": "https://gitea.com/test-argocd/pr-test",
+						"ssh_url": "git@gitea.com:test-argocd/pr-test.git",
+						"clone_url": "https://gitea.com/test-argocd/pr-test.git",
+						"original_url": "",
+						"website": "",
+						"stars_count": 0,
+						"forks_count": 0,
+						"watchers_count": 1,
+						"open_issues_count": 0,
+						"open_pr_counter": 1,
+						"release_counter": 0,
+						"default_branch": "main",
+						"archived": false,
+						"created_at": "2022-04-06T02:32:09+08:00",
+						"updated_at": "2022-04-06T02:33:12+08:00",
+						"permissions": {
+							"admin": false,
+							"push": false,
+							"pull": true
+						},
+						"has_issues": true,
+						"internal_tracker": {
+							"enable_time_tracker": true,
+							"allow_only_contributors_to_track_time": true,
+							"enable_issue_dependencies": true
+						},
+						"has_wiki": true,
+						"has_pull_requests": true,
+						"has_projects": true,
+						"ignore_whitespace_conflicts": false,
+						"allow_merge_commits": true,
+						"allow_rebase": true,
+						"allow_rebase_explicit": true,
+						"allow_squash_merge": true,
+						"default_merge_style": "merge",
+						"avatar_url": "",
+						"internal": false,
+						"mirror_interval": "",
+						"mirror_updated": "0001-01-01T00:00:00Z",
+						"repo_transfer": null
+					}
+				},
+				"head": {
+					"label": "test",
+					"ref": "test",
+					"sha": "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"repo_id": 21618,
+					"repo": {
+						"id": 21618,
+						"owner": {
+							"id": 31480,
+							"login": "test-argocd",
+							"full_name": "",
+							"email": "",
+							"avatar_url": "https://gitea.com/avatars/22d1b1d3f61abf95951c4a958731d848",
+							"language": "",
+							"is_admin": false,
+							"last_login": "0001-01-01T00:00:00Z",
+							"created": "2022-04-06T02:28:06+08:00",
+							"restricted": false,
+							"active": false,
+							"prohibit_login": false,
+							"location": "",
+							"website": "",
+							"description": "",
+							"visibility": "public",
+							"followers_count": 0,
+							"following_count": 0,
+							"starred_repos_count": 0,
+							"username": "test-argocd"
+						},
+						"name": "pr-test",
+						"full_name": "test-argocd/pr-test",
+						"description": "",
+						"empty": false,
+						"private": false,
+						"fork": false,
+						"template": false,
+						"parent": null,
+						"mirror": false,
+						"size": 28,
+						"language": "",
+						"languages_url": "https://gitea.com/api/v1/repos/test-argocd/pr-test/languages",
+						"html_url": "https://gitea.com/test-argocd/pr-test",
+						"ssh_url": "git@gitea.com:test-argocd/pr-test.git",
+						"clone_url": "https://gitea.com/test-argocd/pr-test.git",
+						"original_url": "",
+						"website": "",
+						"stars_count": 0,
+						"forks_count": 0,
+						"watchers_count": 1,
+						"open_issues_count": 0,
+						"open_pr_counter": 1,
+						"release_counter": 0,
+						"default_branch": "main",
+						"archived": false,
+						"created_at": "2022-04-06T02:32:09+08:00",
+						"updated_at": "2022-04-06T02:33:12+08:00",
+						"permissions": {
+							"admin": false,
+							"push": false,
+							"pull": true
+						},
+						"has_issues": true,
+						"internal_tracker": {
+							"enable_time_tracker": true,
+							"allow_only_contributors_to_track_time": true,
+							"enable_issue_dependencies": true
+						},
+						"has_wiki": true,
+						"has_pull_requests": true,
+						"has_projects": true,
+						"ignore_whitespace_conflicts": false,
+						"allow_merge_commits": true,
+						"allow_rebase": true,
+						"allow_rebase_explicit": true,
+						"allow_squash_merge": true,
+						"default_merge_style": "merge",
+						"avatar_url": "",
+						"internal": false,
+						"mirror_interval": "",
+						"mirror_updated": "0001-01-01T00:00:00Z",
+						"repo_transfer": null
+					}
+				},
+				"merge_base": "72687815ccba81ef014a96201cc2e846a68789d8",
+				"due_date": null,
+				"created_at": "2022-04-06T02:34:24+08:00",
+				"updated_at": "2022-04-06T02:34:24+08:00",
+				"closed_at": null
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
+		}
+	}
+}
+
 func TestGiteaList(t *testing.T) {
-	host, err := NewGiteaService(context.Background(), "", "https://gitea.com", "test-argocd", "pr-test", false)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		giteaMockHandler(t)(w, r)
+	}))
+	host, err := NewGiteaService(context.Background(), "", ts.URL, "test-argocd", "pr-test", false)
 	assert.Nil(t, err)
 	prs, err := host.List(context.Background())
 	assert.Nil(t, err)

applicationset/services/repo_service.go

@@ -19,8 +19,9 @@ type RepositoryDB interface {
 }
 
 type argoCDService struct {
-	repositoriesDB RepositoryDB
-	storecreds     git.CredsStore
+	repositoriesDB   RepositoryDB
+	storecreds       git.CredsStore
+	submoduleEnabled bool
 }
 
 type Repos interface {
@@ -32,11 +33,12 @@ type Repos interface {
 	GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error)
 }
 
-func NewArgoCDService(db db.ArgoDB, gitCredStore git.CredsStore, repoServerAddress string) Repos {
+func NewArgoCDService(db db.ArgoDB, gitCredStore git.CredsStore, submoduleEnabled bool) Repos {
 
 	return &argoCDService{
-		repositoriesDB: db.(RepositoryDB),
-		storecreds:     gitCredStore,
+		repositoriesDB:   db.(RepositoryDB),
+		storecreds:       gitCredStore,
+		submoduleEnabled: submoduleEnabled,
 	}
 }
 
@@ -52,7 +54,7 @@ func (a *argoCDService) GetFiles(ctx context.Context, repoURL string, revision s
 		return nil, err
 	}
 
-	err = checkoutRepo(gitRepoClient, revision)
+	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
 	if err != nil {
 		return nil, err
 	}
@@ -86,7 +88,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 		return nil, err
 	}
 
-	err = checkoutRepo(gitRepoClient, revision)
+	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
 	if err != nil {
 		return nil, err
 	}
@@ -128,7 +130,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 
 }
 
-func checkoutRepo(gitRepoClient git.Client, revision string) error {
+func checkoutRepo(gitRepoClient git.Client, revision string, submoduleEnabled bool) error {
 	err := gitRepoClient.Init()
 	if err != nil {
 		return fmt.Errorf("Error during initializing repo: %w", err)
@@ -143,7 +145,7 @@ func checkoutRepo(gitRepoClient git.Client, revision string) error {
 	if err != nil {
 		return fmt.Errorf("Error during fetching commitSHA: %w", err)
 	}
-	err = gitRepoClient.Checkout(commitSHA, true)
+	err = gitRepoClient.Checkout(commitSHA, submoduleEnabled)
 	if err != nil {
 		return fmt.Errorf("Error during repo checkout: %w", err)
 	}

applicationset/services/scm_provider/gitea_test.go

@@ -2,13 +2,262 @@ package scm_provider
 
 import (
 	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
+	"github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider/testdata"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 )
 
+func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.RequestURI {
+		case "/api/v1/version":
+			_, err := io.WriteString(w, `{"version":"1.17.0+dev-452-g1f0541780"}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/orgs/test-argocd/repos?limit=0&page=1":
+			_, err := io.WriteString(w, `[{
+					"id": 21618,
+					"owner": {
+						"id": 31480,
+						"login": "test-argocd",
+						"full_name": "",
+						"email": "",
+						"avatar_url": "https://gitea.com/avatars/22d1b1d3f61abf95951c4a958731d848",
+						"language": "",
+						"is_admin": false,
+						"last_login": "0001-01-01T00:00:00Z",
+						"created": "2022-04-06T02:28:06+08:00",
+						"restricted": false,
+						"active": false,
+						"prohibit_login": false,
+						"location": "",
+						"website": "",
+						"description": "",
+						"visibility": "public",
+						"followers_count": 0,
+						"following_count": 0,
+						"starred_repos_count": 0,
+						"username": "test-argocd"
+					},
+					"name": "pr-test",
+					"full_name": "test-argocd/pr-test",
+					"description": "",
+					"empty": false,
+					"private": false,
+					"fork": false,
+					"template": false,
+					"parent": null,
+					"mirror": false,
+					"size": 28,
+					"language": "",
+					"languages_url": "https://gitea.com/api/v1/repos/test-argocd/pr-test/languages",
+					"html_url": "https://gitea.com/test-argocd/pr-test",
+					"ssh_url": "git@gitea.com:test-argocd/pr-test.git",
+					"clone_url": "https://gitea.com/test-argocd/pr-test.git",
+					"original_url": "",
+					"website": "",
+					"stars_count": 0,
+					"forks_count": 0,
+					"watchers_count": 1,
+					"open_issues_count": 0,
+					"open_pr_counter": 1,
+					"release_counter": 0,
+					"default_branch": "main",
+					"archived": false,
+					"created_at": "2022-04-06T02:32:09+08:00",
+					"updated_at": "2022-04-06T02:33:12+08:00",
+					"permissions": {
+						"admin": false,
+						"push": false,
+						"pull": true
+					},
+					"has_issues": true,
+					"internal_tracker": {
+						"enable_time_tracker": true,
+						"allow_only_contributors_to_track_time": true,
+						"enable_issue_dependencies": true
+					},
+					"has_wiki": true,
+					"has_pull_requests": true,
+					"has_projects": true,
+					"ignore_whitespace_conflicts": false,
+					"allow_merge_commits": true,
+					"allow_rebase": true,
+					"allow_rebase_explicit": true,
+					"allow_squash_merge": true,
+					"default_merge_style": "merge",
+					"avatar_url": "",
+					"internal": false,
+					"mirror_interval": "",
+					"mirror_updated": "0001-01-01T00:00:00Z",
+					"repo_transfer": null
+				}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/pr-test/branches/main":
+			_, err := io.WriteString(w, `{
+				"name": "main",
+				"commit": {
+					"id": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/72687815ccba81ef014a96201cc2e846a68789d8",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/pr-test/branches?limit=0&page=1":
+			_, err := io.WriteString(w, `[{
+				"name": "main",
+				"commit": {
+					"id": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/72687815ccba81ef014a96201cc2e846a68789d8",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}, {
+				"name": "test",
+				"commit": {
+					"id": "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"message": "add an empty file\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiugACgkQlgCr7m50\nzBN+7wgAkCHD3KfX3Ffkqv2qPwqgHNYM1bA6Hmffzhv0YeD9jWCI3tp0JulP4iFZ\ncQ7jqx9xP9tCQMSFCaijLRHaE6Js1xrVtf0OKRkbpdlvkyrIM3sQhqyQgAsISrDG\nLzSqeoQQjglzeWESYh2Tjn1CgqQNKjI6LLepSwvF1pIeV4pJpJobaEbIfTgStdzM\nWEk8o0I+EZaYqK0C0vU9N0LK/LR/jnlaHsb4OUjvk+S7lRjZwBkrsg7P/QsqtCVd\nw5nkxDiCx1J58zKMnQ7ZinJEK9A5WYdnMYc6aBn7ARgZrblXPPBkkKUhEv3ZSPeW\nKv9i4GQy838xkVSTFkHNj1+a5o6zEA==\n=JiFw\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree cdddf3e1d6a8a7e6899a044d0e1bc73bf798e2f5\nparent 72687815ccba81ef014a96201cc2e846a68789d8\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183458 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183458 -0400\n\nadd an empty file\n"
+					},
+					"timestamp": "2022-04-05T14:30:58-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/gitea/go-sdk/contents/README.md?ref=master":
+			_, err := io.WriteString(w, `{
+  "name": "README.md",
+  "path": "README.md",
+  "sha": "3605625ef3f80dc092167b54e3f55eb0663d729f",
+  "last_commit_sha": "6b6fdd91ce769bb4641084e15f76554fb841bf27",
+  "type": "file",
+  "size": 1673,
+  "encoding": "base64",
+  "content": "IyBHaXRlYSBTREsgZm9yIEdvCgpbIVtMaWNlbnNlOiBNSVRdKGh0dHBzOi8vaW1nLnNoaWVsZHMuaW8vYmFkZ2UvTGljZW5zZS1NSVQtYmx1ZS5zdmcpXShodHRwczovL29wZW5zb3VyY2Uub3JnL2xpY2Vuc2VzL01JVCkgWyFbUmVsZWFzZV0oaHR0cHM6Ly9yYXN0ZXIuc2hpZWxkcy5pby9iYWRnZS9keW5hbWljL2pzb24uc3ZnP2xhYmVsPXJlbGVhc2UmdXJsPWh0dHBzOi8vZ2l0ZWEuY29tL2FwaS92MS9yZXBvcy9naXRlYS9nby1zZGsvcmVsZWFzZXMmcXVlcnk9JFswXS50YWdfbmFtZSldKGh0dHBzOi8vZ2l0ZWEuY29tL2dpdGVhL2dvLXNkay9yZWxlYXNlcykgWyFbQnVpbGQgU3RhdHVzXShodHRwczovL2Ryb25lLmdpdGVhLmNvbS9hcGkvYmFkZ2VzL2dpdGVhL2dvLXNkay9zdGF0dXMuc3ZnKV0oaHR0cHM6Ly9kcm9uZS5naXRlYS5jb20vZ2l0ZWEvZ28tc2RrKSBbIVtKb2luIHRoZSBjaGF0IGF0IGh0dHBzOi8vaW1nLnNoaWVsZHMuaW8vZGlzY29yZC8zMjI1Mzg5NTQxMTkxODQzODQuc3ZnXShodHRwczovL2ltZy5zaGllbGRzLmlvL2Rpc2NvcmQvMzIyNTM4OTU0MTE5MTg0Mzg0LnN2ZyldKGh0dHBzOi8vZGlzY29yZC5nZy9HaXRlYSkgWyFbXShodHRwczovL2ltYWdlcy5taWNyb2JhZGdlci5jb20vYmFkZ2VzL2ltYWdlL2dpdGVhL2dpdGVhLnN2ZyldKGh0dHA6Ly9taWNyb2JhZGdlci5jb20vaW1hZ2VzL2dpdGVhL2dpdGVhICJHZXQgeW91ciBvd24gaW1hZ2UgYmFkZ2Ugb24gbWljcm9iYWRnZXIuY29tIikgWyFbR28gUmVwb3J0IENhcmRdKGh0dHBzOi8vZ29yZXBvcnRjYXJkLmNvbS9iYWRnZS9jb2RlLmdpdGVhLmlvL3NkayldKGh0dHBzOi8vZ29yZXBvcnRjYXJkLmNvbS9yZXBvcnQvY29kZS5naXRlYS5pby9zZGspIFshW0dvRG9jXShodHRwczovL2dvZG9jLm9yZy9jb2RlLmdpdGVhLmlvL3Nkay9naXRlYT9zdGF0dXMuc3ZnKV0oaHR0cHM6Ly9nb2RvYy5vcmcvY29kZS5naXRlYS5pby9zZGsvZ2l0ZWEpCgpUaGlzIHByb2plY3QgYWN0cyBhcyBhIGNsaWVudCBTREsgaW1wbGVtZW50YXRpb24gd3JpdHRlbiBpbiBHbyB0byBpbnRlcmFjdCB3aXRoIHRoZSBHaXRlYSBBUEkgaW1wbGVtZW50YXRpb24uIEZvciBmdXJ0aGVyIGluZm9ybWF0aW9ucyB0YWtlIGEgbG9vayBhdCB0aGUgY3VycmVudCBbZG9jdW1lbnRhdGlvbl0oaHR0cHM6Ly9nb2RvYy5vcmcvY29kZS5naXRlYS5pby9zZGsvZ2l0ZWEpLgoKTm90ZTogZnVuY3Rpb24gYXJndW1lbnRzIGFyZSBlc2NhcGVkIGJ5IHRoZSBTREsuCgojIyBVc2UgaXQKCmBgYGdvCmltcG9ydCAiY29kZS5naXRlYS5pby9zZGsvZ2l0ZWEiCmBgYAoKIyMgVmVyc2lvbiBSZXF1aXJlbWVudHMKICogZ28gPj0gMS4xMwogKiBnaXRlYSA+PSAxLjExCgojIyBDb250cmlidXRpbmcKCkZvcmsgLT4gUGF0Y2ggLT4gUHVzaCAtPiBQdWxsIFJlcXVlc3QKCiMjIEF1dGhvcnMKCiogW01haW50YWluZXJzXShodHRwczovL2dpdGh1Yi5jb20vb3Jncy9nby1naXRlYS9wZW9wbGUpCiogW0NvbnRyaWJ1dG9yc10oaHR0cHM6Ly9naXRodWIuY29tL2dvLWdpdGVhL2dvLXNkay9ncmFwaHMvY29udHJpYnV0b3JzKQoKIyMgTGljZW5zZQoKVGhpcyBwcm9qZWN0IGlzIHVuZGVyIHRoZSBNSVQgTGljZW5zZS4gU2VlIHRoZSBbTElDRU5TRV0oTElDRU5TRSkgZmlsZSBmb3IgdGhlIGZ1bGwgbGljZW5zZSB0ZXh0Lgo=",
+  "target": null,
+  "url": "https://gitea.com/api/v1/repos/gitea/go-sdk/contents/README.md?ref=master",
+  "html_url": "https://gitea.com/gitea/go-sdk/src/branch/master/README.md",
+  "git_url": "https://gitea.com/api/v1/repos/gitea/go-sdk/git/blobs/3605625ef3f80dc092167b54e3f55eb0663d729f",
+  "download_url": "https://gitea.com/gitea/go-sdk/raw/branch/master/README.md",
+  "submodule_git_url": null,
+  "_links": {
+    "self": "https://gitea.com/api/v1/repos/gitea/go-sdk/contents/README.md?ref=master",
+    "git": "https://gitea.com/api/v1/repos/gitea/go-sdk/git/blobs/3605625ef3f80dc092167b54e3f55eb0663d729f",
+    "html": "https://gitea.com/gitea/go-sdk/src/branch/master/README.md"
+  }
+}
+`)
+			require.NoError(t, err)
+		case "/api/v1/repos/gitea/go-sdk/contents/gitea?ref=master":
+			_, err := io.WriteString(w, testdata.ReposGiteaGoSdkContentsGiteaResponse)
+			require.NoError(t, err)
+		case "/api/v1/repos/gitea/go-sdk/contents/notathing?ref=master":
+			w.WriteHeader(404)
+			_, err := io.WriteString(w, `{"errors":["object does not exist [id: , rel_path: notathing]"],"message":"GetContentsOrList","url":"https://gitea.com/api/swagger"}`)
+			require.NoError(t, err)
+		default:
+			_, err := io.WriteString(w, `[]`)
+			if err != nil {
+				t.Fail()
+			}
+		}
+	}
+}
 func TestGiteaListRepos(t *testing.T) {
 	cases := []struct {
 		name, proto, url                        string
@@ -17,28 +266,28 @@ func TestGiteaListRepos(t *testing.T) {
 		filters                                 []v1alpha1.SCMProviderGeneratorFilter
 	}{
 		{
-			name:     "blank protocol",
+			name:        "blank protocol",
 			allBranches: false,
-			url:      "git@gitea.com:test-argocd/pr-test.git",
-			branches: []string{"main"},
+			url:         "git@gitea.com:test-argocd/pr-test.git",
+			branches:    []string{"main"},
 		},
 		{
-			name:  "ssh protocol",
+			name:        "ssh protocol",
 			allBranches: false,
-			proto: "ssh",
-			url:   "git@gitea.com:test-argocd/pr-test.git",
+			proto:       "ssh",
+			url:         "git@gitea.com:test-argocd/pr-test.git",
 		},
 		{
-			name:  "https protocol",
+			name:        "https protocol",
 			allBranches: false,
-			proto: "https",
-			url:   "https://gitea.com/test-argocd/pr-test",
+			proto:       "https",
+			url:         "https://gitea.com/test-argocd/pr-test",
 		},
 		{
-			name:     "other protocol",
+			name:        "other protocol",
 			allBranches: false,
-			proto:    "other",
-			hasError: true,
+			proto:       "other",
+			hasError:    true,
 		},
 		{
 			name:        "all branches",
@@ -47,15 +296,17 @@ func TestGiteaListRepos(t *testing.T) {
 			branches:    []string{"main"},
 		},
 	}
-
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		giteaMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGiteaProvider(context.Background(), "test-argocd", "", "https://gitea.com/", c.allBranches, false)
+			provider, _ := NewGiteaProvider(context.Background(), "test-argocd", "", ts.URL, c.allBranches, false)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
 				assert.NotNil(t, err)
 			} else {
-				checkRateLimit(t, err)
 				assert.Nil(t, err)
 				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
@@ -77,22 +328,32 @@ func TestGiteaListRepos(t *testing.T) {
 }
 
 func TestGiteaHasPath(t *testing.T) {
-	host, _ := NewGiteaProvider(context.Background(), "gitea", "", "https://gitea.com/", false, false)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		giteaMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
+	host, _ := NewGiteaProvider(context.Background(), "gitea", "", ts.URL, false, false)
 	repo := &Repository{
 		Organization: "gitea",
 		Repository:   "go-sdk",
 		Branch:       "master",
 	}
-	ok, err := host.RepoHasPath(context.Background(), repo, "README.md")
-	assert.Nil(t, err)
-	assert.True(t, ok)
 
-	// directory
-	ok, err = host.RepoHasPath(context.Background(), repo, "gitea")
-	assert.Nil(t, err)
-	assert.True(t, ok)
+	t.Run("file exists", func(t *testing.T) {
+		ok, err := host.RepoHasPath(context.Background(), repo, "README.md")
+		assert.Nil(t, err)
+		assert.True(t, ok)
+	})
 
-	ok, err = host.RepoHasPath(context.Background(), repo, "notathing")
-	assert.Nil(t, err)
-	assert.False(t, ok)
+	t.Run("directory exists", func(t *testing.T) {
+		ok, err := host.RepoHasPath(context.Background(), repo, "gitea")
+		assert.Nil(t, err)
+		assert.True(t, ok)
+	})
+
+	t.Run("does not exists", func(t *testing.T) {
+		ok, err := host.RepoHasPath(context.Background(), repo, "notathing")
+		assert.Nil(t, err)
+		assert.False(t, ok)
+	})
 }

applicationset/services/scm_provider/github_test.go

@@ -2,8 +2,9 @@ package scm_provider
 
 import (
 	"context"
-	"os"
-	"strings"
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -11,27 +12,192 @@ import (
 	"github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 )
 
-func checkRateLimit(t *testing.T, err error) {
-	// Check if we've hit a rate limit, don't fail the test if so.
-	if err != nil && (strings.Contains(err.Error(), "rate limit exceeded") ||
-		(strings.Contains(err.Error(), "API rate limit") && strings.Contains(err.Error(), "still exceeded"))) {
-
-		// GitHub Actions add this environment variable to indicate branch ref you are running on
-		githubRef := os.Getenv("GITHUB_REF")
-
-		// Only report rate limit errors as errors, when:
-		// - We are running in a GitHub action
-		// - AND, we are running that action on the 'master' or 'release-*' branch
-		// (unfortunately, for PRs, we don't have access to GitHub secrets that would allow us to embed a token)
-		failOnRateLimitErrors := os.Getenv("CI") != "" && (strings.Contains(githubRef, "/master") || strings.Contains(githubRef, "/release-"))
-
-		t.Logf("Got a rate limit error, consider setting $GITHUB_TOKEN to increase your GitHub API rate limit: %v\n", err)
-		if failOnRateLimitErrors {
-			t.FailNow()
-		} else {
-			t.SkipNow()
+func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.RequestURI {
+		case "/api/v3/orgs/argoproj/repos?per_page=100":
+			_, err := io.WriteString(w, `[
+				{
+				  "id": 1296269,
+				  "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
+				  "name": "argo-cd",
+				  "full_name": "argoproj/argo-cd",
+				  "owner": {
+					"login": "argoproj",
+					"id": 1,
+					"node_id": "MDQ6VXNlcjE=",
+					"avatar_url": "https://github.com/images/error/argoproj_happy.gif",
+					"gravatar_id": "",
+					"url": "https://api.github.com/users/argoproj",
+					"html_url": "https://github.com/argoproj",
+					"followers_url": "https://api.github.com/users/argoproj/followers",
+					"following_url": "https://api.github.com/users/argoproj/following{/other_user}",
+					"gists_url": "https://api.github.com/users/argoproj/gists{/gist_id}",
+					"starred_url": "https://api.github.com/users/argoproj/starred{/owner}{/repo}",
+					"subscriptions_url": "https://api.github.com/users/argoproj/subscriptions",
+					"organizations_url": "https://api.github.com/users/argoproj/orgs",
+					"repos_url": "https://api.github.com/users/argoproj/repos",
+					"events_url": "https://api.github.com/users/argoproj/events{/privacy}",
+					"received_events_url": "https://api.github.com/users/argoproj/received_events",
+					"type": "User",
+					"site_admin": false
+				  },
+				  "private": false,
+				  "html_url": "https://github.com/argoproj/argo-cd",
+				  "description": "This your first repo!",
+				  "fork": false,
+				  "url": "https://api.github.com/repos/argoproj/argo-cd",
+				  "archive_url": "https://api.github.com/repos/argoproj/argo-cd/{archive_format}{/ref}",
+				  "assignees_url": "https://api.github.com/repos/argoproj/argo-cd/assignees{/user}",
+				  "blobs_url": "https://api.github.com/repos/argoproj/argo-cd/git/blobs{/sha}",
+				  "branches_url": "https://api.github.com/repos/argoproj/argo-cd/branches{/branch}",
+				  "collaborators_url": "https://api.github.com/repos/argoproj/argo-cd/collaborators{/collaborator}",
+				  "comments_url": "https://api.github.com/repos/argoproj/argo-cd/comments{/number}",
+				  "commits_url": "https://api.github.com/repos/argoproj/argo-cd/commits{/sha}",
+				  "compare_url": "https://api.github.com/repos/argoproj/argo-cd/compare/{base}...{head}",
+				  "contents_url": "https://api.github.com/repos/argoproj/argo-cd/contents/{path}",
+				  "contributors_url": "https://api.github.com/repos/argoproj/argo-cd/contributors",
+				  "deployments_url": "https://api.github.com/repos/argoproj/argo-cd/deployments",
+				  "downloads_url": "https://api.github.com/repos/argoproj/argo-cd/downloads",
+				  "events_url": "https://api.github.com/repos/argoproj/argo-cd/events",
+				  "forks_url": "https://api.github.com/repos/argoproj/argo-cd/forks",
+				  "git_commits_url": "https://api.github.com/repos/argoproj/argo-cd/git/commits{/sha}",
+				  "git_refs_url": "https://api.github.com/repos/argoproj/argo-cd/git/refs{/sha}",
+				  "git_tags_url": "https://api.github.com/repos/argoproj/argo-cd/git/tags{/sha}",
+				  "git_url": "git:github.com/argoproj/argo-cd.git",
+				  "issue_comment_url": "https://api.github.com/repos/argoproj/argo-cd/issues/comments{/number}",
+				  "issue_events_url": "https://api.github.com/repos/argoproj/argo-cd/issues/events{/number}",
+				  "issues_url": "https://api.github.com/repos/argoproj/argo-cd/issues{/number}",
+				  "keys_url": "https://api.github.com/repos/argoproj/argo-cd/keys{/key_id}",
+				  "labels_url": "https://api.github.com/repos/argoproj/argo-cd/labels{/name}",
+				  "languages_url": "https://api.github.com/repos/argoproj/argo-cd/languages",
+				  "merges_url": "https://api.github.com/repos/argoproj/argo-cd/merges",
+				  "milestones_url": "https://api.github.com/repos/argoproj/argo-cd/milestones{/number}",
+				  "notifications_url": "https://api.github.com/repos/argoproj/argo-cd/notifications{?since,all,participating}",
+				  "pulls_url": "https://api.github.com/repos/argoproj/argo-cd/pulls{/number}",
+				  "releases_url": "https://api.github.com/repos/argoproj/argo-cd/releases{/id}",
+				  "ssh_url": "git@github.com:argoproj/argo-cd.git",
+				  "stargazers_url": "https://api.github.com/repos/argoproj/argo-cd/stargazers",
+				  "statuses_url": "https://api.github.com/repos/argoproj/argo-cd/statuses/{sha}",
+				  "subscribers_url": "https://api.github.com/repos/argoproj/argo-cd/subscribers",
+				  "subscription_url": "https://api.github.com/repos/argoproj/argo-cd/subscription",
+				  "tags_url": "https://api.github.com/repos/argoproj/argo-cd/tags",
+				  "teams_url": "https://api.github.com/repos/argoproj/argo-cd/teams",
+				  "trees_url": "https://api.github.com/repos/argoproj/argo-cd/git/trees{/sha}",
+				  "clone_url": "https://github.com/argoproj/argo-cd.git",
+				  "mirror_url": "git:git.example.com/argoproj/argo-cd",
+				  "hooks_url": "https://api.github.com/repos/argoproj/argo-cd/hooks",
+				  "svn_url": "https://svn.github.com/argoproj/argo-cd",
+				  "homepage": "https://github.com",
+				  "language": null,
+				  "forks_count": 9,
+				  "stargazers_count": 80,
+				  "watchers_count": 80,
+				  "size": 108,
+				  "default_branch": "master",
+				  "open_issues_count": 0,
+				  "is_template": false,
+				  "topics": [
+					"argoproj",
+					"atom",
+					"electron",
+					"api"
+				  ],
+				  "has_issues": true,
+				  "has_projects": true,
+				  "has_wiki": true,
+				  "has_pages": false,
+				  "has_downloads": true,
+				  "archived": false,
+				  "disabled": false,
+				  "visibility": "public",
+				  "pushed_at": "2011-01-26T19:06:43Z",
+				  "created_at": "2011-01-26T19:01:12Z",
+				  "updated_at": "2011-01-26T19:14:43Z",
+				  "permissions": {
+					"admin": false,
+					"push": false,
+					"pull": true
+				  },
+				  "template_repository": null
+				}
+			  ]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/argo-cd/branches?per_page=100":
+			_, err := io.WriteString(w, `[
+				{
+				  "name": "master",
+				  "commit": {
+					"sha": "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					"url": "https://api.github.com/repos/argoproj/argo-cd/commits/c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc"
+				  },
+				  "protected": true,
+				  "protection": {
+					"required_status_checks": {
+					  "enforcement_level": "non_admins",
+					  "contexts": [
+						"ci-test",
+						"linter"
+					  ]
+					}
+				  },
+				  "protection_url": "https://api.github.com/repos/argoproj/hello-world/branches/master/protection"
+				}
+			  ]
+			`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/argo-cd/contents/pkg?ref=master":
+			_, err := io.WriteString(w, `{
+				"type": "file",
+				"encoding": "base64",
+				"size": 5362,
+				"name": "pkg/",
+				"path": "pkg/",
+				"content": "encoded content ...",
+				"sha": "3d21ec53a331a6f037a91c368710b99387d012c1",
+				"url": "https://api.github.com/repos/octokit/octokit.rb/contents/README.md",
+				"git_url": "https://api.github.com/repos/octokit/octokit.rb/git/blobs/3d21ec53a331a6f037a91c368710b99387d012c1",
+				"html_url": "https://github.com/octokit/octokit.rb/blob/master/README.md",
+				"download_url": "https://raw.githubusercontent.com/octokit/octokit.rb/master/README.md",
+				"_links": {
+				  "git": "https://api.github.com/repos/octokit/octokit.rb/git/blobs/3d21ec53a331a6f037a91c368710b99387d012c1",
+				  "self": "https://api.github.com/repos/octokit/octokit.rb/contents/README.md",
+				  "html": "https://github.com/octokit/octokit.rb/blob/master/README.md"
+				}
+			  }`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/argo-cd/branches/master":
+			_, err := io.WriteString(w, `{
+				"name": "master",
+				"commit": {
+				  "sha": "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+				  "url": "https://api.github.com/repos/octocat/Hello-World/commits/c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc"
+				},
+				"protected": true,
+				"protection": {
+				  "required_status_checks": {
+					"enforcement_level": "non_admins",
+					"contexts": [
+					  "ci-test",
+					  "linter"
+					]
+				  }
+				},
+				"protection_url": "https://api.github.com/repos/octocat/hello-world/branches/master/protection"
+			  }`)
+			if err != nil {
+				t.Fail()
+			}
+		default:
+			w.WriteHeader(404)
 		}
-
 	}
 }
 
@@ -66,18 +232,20 @@ func TestGithubListRepos(t *testing.T) {
 			name:        "all branches",
 			allBranches: true,
 			url:         "git@github.com:argoproj/argo-cd.git",
-			branches:    []string{"master", "release-0.11"},
+			branches:    []string{"master"},
 		},
 	}
-
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGithubProvider(context.Background(), "argoproj", "", "", c.allBranches)
+			provider, _ := NewGithubProvider(context.Background(), "argoproj", "", ts.URL, c.allBranches)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
 				assert.Error(t, err)
 			} else {
-				checkRateLimit(t, err)
 				assert.NoError(t, err)
 				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
@@ -99,25 +267,31 @@ func TestGithubListRepos(t *testing.T) {
 }
 
 func TestGithubHasPath(t *testing.T) {
-	host, _ := NewGithubProvider(context.Background(), "argoproj", "", "", false)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
+	host, _ := NewGithubProvider(context.Background(), "argoproj", "", ts.URL, false)
 	repo := &Repository{
 		Organization: "argoproj",
 		Repository:   "argo-cd",
 		Branch:       "master",
 	}
 	ok, err := host.RepoHasPath(context.Background(), repo, "pkg/")
-	checkRateLimit(t, err)
 	assert.Nil(t, err)
 	assert.True(t, ok)
 
 	ok, err = host.RepoHasPath(context.Background(), repo, "notathing/")
-	checkRateLimit(t, err)
 	assert.Nil(t, err)
 	assert.False(t, ok)
 }
 
 func TestGithubGetBranches(t *testing.T) {
-	host, _ := NewGithubProvider(context.Background(), "argoproj", "", "", false)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
+	host, _ := NewGithubProvider(context.Background(), "argoproj", "", ts.URL, false)
 	repo := &Repository{
 		Organization: "argoproj",
 		Repository:   "argo-cd",
@@ -125,19 +299,26 @@ func TestGithubGetBranches(t *testing.T) {
 	}
 	repos, err := host.GetBranches(context.Background(), repo)
 	if err != nil {
-		checkRateLimit(t, err)
 		assert.NoError(t, err)
 	} else {
 		assert.Equal(t, repos[0].Branch, "master")
 	}
-  // Get all branches
+	//Branch Doesn't exists instead of error will return no error
+	repo2 := &Repository{
+		Organization: "argoproj",
+		Repository:   "applicationset",
+		Branch:       "main",
+	}
+	_, err = host.GetBranches(context.Background(), repo2)
+	assert.NoError(t, err)
+
+	// Get all branches
 	host.allBranches = true
 	repos, err = host.GetBranches(context.Background(), repo)
 	if err != nil {
-		checkRateLimit(t, err)
 		assert.NoError(t, err)
 	} else {
-		// considering master and one release branch to always exist.
-		assert.Greater(t, len(repos), 1)
+		// considering master  branch to  exist.
+		assert.Equal(t, len(repos), 1)
 	}
 }

applicationset/services/scm_provider/gitlab_test.go

@@ -2,6 +2,10 @@ package scm_provider
 
 import (
 	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -9,6 +13,275 @@ import (
 	"github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 )
 
+func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.RequestURI {
+		case "/api/v4":
+			fmt.Println("here1")
+		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100":
+			fmt.Println("here")
+			_, err := io.WriteString(w, `[{
+				"id": 27084533,
+				"description": "",
+				"name": "argocd",
+				"name_with_namespace": "test argocd proton / argocd",
+				"path": "argocd",
+				"path_with_namespace": "test-argocd-proton/argocd",
+				"created_at": "2021-06-01T17:30:44.724Z",
+				"default_branch": "master",
+				"tag_list": [],
+				"topics": [],
+				"ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/argocd.git",
+				"http_url_to_repo": "https://gitlab.com/test-argocd-proton/argocd.git",
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd",
+				"readme_url": null,
+				"avatar_url": null,
+				"forks_count": 0,
+				"star_count": 0,
+				"last_activity_at": "2021-06-04T08:19:51.656Z",
+				"namespace": {
+					"id": 12258515,
+					"name": "test argocd proton",
+					"path": "test-argocd-proton",
+					"kind": "gro* Connection #0 to host gitlab.com left intact up ",
+					"full_path ": "test - argocd - proton ",
+					"parent_id ": null,
+					"avatar_url ": null,
+					"web_url ": "https: //gitlab.com/groups/test-argocd-proton"
+				},
+				"container_registry_image_prefix": "registry.gitlab.com/test-argocd-proton/argocd",
+				"_links": {
+					"self": "https://gitlab.com/api/v4/projects/27084533",
+					"issues": "https://gitlab.com/api/v4/projects/27084533/issues",
+					"merge_requests": "https://gitlab.com/api/v4/projects/27084533/merge_requests",
+					"repo_branches": "https://gitlab.com/api/v4/projects/27084533/repository/branches",
+					"labels": "https://gitlab.com/api/v4/projects/27084533/labels",
+					"events": "https://gitlab.com/api/v4/projects/27084533/events",
+					"members": "https://gitlab.com/api/v4/projects/27084533/members",
+					"cluster_agents": "https://gitlab.com/api/v4/projects/27084533/cluster_agents"
+				},
+				"packages_enabled": true,
+				"empty_repo": false,
+				"archived": false,
+				"visibility": "public",
+				"resolve_outdated_diff_discussions": false,
+				"container_expiration_policy": {
+					"cadence": "1d",
+					"enabled": false,
+					"keep_n": 10,
+					"older_than": "90d",
+					"name_regex": ".*",
+					"name_regex_keep": null,
+					"next_run_at": "2021-06-02T17:30:44.740Z"
+				},
+				"issues_enabled": true,
+				"merge_requests_enabled": true,
+				"wiki_enabled": true,
+				"jobs_enabled": true,
+				"snippets_enabled": true,
+				"container_registry_enabled": true,
+				"service_desk_enabled": true,
+				"can_create_merge_request_in": false,
+				"issues_access_level": "enabled",
+				"repository_access_level": "enabled",
+				"merge_requests_access_level": "enabled",
+				"forking_access_level": "enabled",
+				"wiki_access_level": "enabled",
+				"builds_access_level": "enabled",
+				"snippets_access_level": "enabled",
+				"pages_access_level": "enabled",
+				"operations_access_level": "enabled",
+				"analytics_access_level": "enabled",
+				"container_registry_access_level": "enabled",
+				"security_and_compliance_access_level": "private",
+				"emails_disabled": null,
+				"shared_runners_enabled": true,
+				"lfs_enabled": true,
+				"creator_id": 2378866,
+				"import_status": "none",
+				"open_issues_count": 0,
+				"ci_default_git_depth": 50,
+				"ci_forward_deployment_enabled": true,
+				"ci_job_token_scope_enabled": false,
+				"public_jobs": true,
+				"build_timeout": 3600,
+				"auto_cancel_pending_pipelines": "enabled",
+				"ci_config_path": "",
+				"shared_with_groups": [],
+				"only_allow_merge_if_pipeline_succeeds": false,
+				"allow_merge_on_skipped_pipeline": null,
+				"restrict_user_defined_variables": false,
+				"request_access_enabled": true,
+				"only_allow_merge_if_all_discussions_are_resolved": false,
+				"remove_source_branch_after_merge": true,
+				"printing_merge_request_link_enabled": true,
+				"merge_method": "merge",
+				"squash_option": "default_off",
+				"suggestion_commit_message": null,
+				"merge_commit_template": null,
+				"squash_commit_template": null,
+				"auto_devops_enabled": false,
+				"auto_devops_deploy_strategy": "continuous",
+				"autoclose_referenced_issues": true,
+				"keep_latest_artifact": true,
+				"runner_token_expiration_interval": null,
+				"approvals_before_merge": 0,
+				"mirror": false,
+				"external_authorization_classification_label": "",
+				"marked_for_deletion_at": null,
+				"marked_for_deletion_on": null,
+				"requirements_enabled": true,
+				"requirements_access_level": "enabled",
+				"security_and_compliance_enabled": false,
+				"compliance_frameworks": [],
+				"issues_template": null,
+				"merge_requests_template": null,
+				"merge_pipelines_enabled": false,
+				"merge_trains_enabled": false
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/27084533/repository/branches/master":
+			fmt.Println("returning")
+			_, err := io.WriteString(w, `{
+				"name": "master",
+				"commit": {
+					"id": "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					"short_id": "8898d799",
+					"created_at": "2021-06-04T08:24:44.000+00:00",
+					"parent_ids": ["3c9d50be1ef949ad28674e238c7e12a17b1e9706", "56482e001731640b4123cf177e51c696f08a3005"],
+					"title": "Merge branch 'pipeline-1317911429' into 'master'",
+					"message": "Merge branch 'pipeline-1317911429' into 'master'\n\n[testapp-ci] manifests/demo/test-app.yaml: release v1.1.0\n\nSee merge request test-argocd-proton/argocd!3",
+					"author_name": "Martin Vozník",
+					"author_email": "martin@voznik.cz",
+					"authored_date": "2021-06-04T08:24:44.000+00:00",
+					"committer_name": "Martin Vozník",
+					"committer_email": "martin@voznik.cz",
+					"committed_date": "2021-06-04T08:24:44.000+00:00",
+					"trailers": {},
+					"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/commit/8898d7999fc99dd0fd578650b58b244fc63f6b53"
+				},
+				"merged": false,
+				"protected": true,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": true,
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/tree/master"
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/27084533/repository/branches?per_page=100":
+			_, err := io.WriteString(w, `[{
+				"name": "master",
+				"commit": {
+					"id": "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					"short_id": "8898d799",
+					"created_at": "2021-06-04T08:24:44.000+00:00",
+					"parent_ids": null,
+					"title": "Merge branch 'pipeline-1317911429' into 'master'",
+					"message": "Merge branch 'pipeline-1317911429' into 'master'",
+					"author_name": "Martin Vozník",
+					"author_email": "martin@voznik.cz",
+					"authored_date": "2021-06-04T08:24:44.000+00:00",
+					"committer_name": "Martin Vozník",
+					"committer_email": "martin@voznik.cz",
+					"committed_date": "2021-06-04T08:24:44.000+00:00",
+					"trailers": null,
+					"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/commit/8898d7999fc99dd0fd578650b58b244fc63f6b53"
+				},
+				"merged": false,
+				"protected": true,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": true,
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/tree/master"
+			}, {
+				"name": "pipeline-1310077506",
+				"commit": {
+					"id": "0f92540e5f396ba960adea4ed0aa905baf3f73d1",
+					"short_id": "0f92540e",
+					"created_at": "2021-06-01T18:39:59.000+00:00",
+					"parent_ids": null,
+					"title": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1",
+					"message": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1",
+					"author_name": "ci-test-app",
+					"author_email": "mvoznik+cicd@protonmail.com",
+					"authored_date": "2021-06-01T18:39:59.000+00:00",
+					"committer_name": "ci-test-app",
+					"committer_email": "mvoznik+cicd@protonmail.com",
+					"committed_date": "2021-06-01T18:39:59.000+00:00",
+					"trailers": null,
+					"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/commit/0f92540e5f396ba960adea4ed0aa905baf3f73d1"
+				},
+				"merged": false,
+				"protected": false,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": false,
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/tree/pipeline-1310077506"
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/test-argocd-proton%2Fargocd":
+			fmt.Println("auct")
+			_, err := io.WriteString(w, `{
+				"id": 27084533,
+				"description": "",
+				"name": "argocd",
+				"name_with_namespace": "test argocd proton / argocd",
+				"path": "argocd",
+				"path_with_namespace": "test-argocd-proton/argocd",
+				"created_at": "2021-06-01T17:30:44.724Z",
+				"default_branch": "master",
+				"tag_list": [],
+				"topics": [],
+				"ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/argocd.git",
+				"http_url_to_repo": "https://gitlab.com/test-argocd-proton/argocd.git",
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd",
+				"readme_url": null,
+				"avatar_url": null,
+				"forks_count": 0,
+				"star_count": 0,
+				"last_activity_at": "2021-06-04T08:19:51.656Z",
+				"namespace": {
+					"id": 12258515,
+					"name": "test argocd proton",
+					"path": "test-argocd-proton",
+					"kind": "group",
+					"full_path": "test-argocd-proton",
+					"parent_id": null,
+					"avatar_url": null,
+					"web_url": "https://gitlab.com/groups/test-argocd-proton"
+				}
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/27084533/repository/tree?path=argocd&ref=master":
+			_, err := io.WriteString(w, `[{"id":"ca14f2a3718159c74572a5325fb4bfb0662a2d3e","name":"ingress.yaml","type":"blob","path":"argocd/ingress.yaml","mode":"100644"},{"id":"de2a53a73b1550b3e0f4d37ea0a6d878bf9c5096","name":"install.yaml","type":"blob","path":"argocd/install.yaml","mode":"100644"}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/27084533/repository/tree?path=.&ref=master":
+			_, err := io.WriteString(w, `[{"id":"f2bf99fa8f7a27df9c43d2dffc8c8cd747f3181a","name":"argocd","type":"tree","path":"argocd","mode":"040000"},{"id":"68a3125232e01c1583a6a6299534ce10c5e7dd83","name":"manifests","type":"tree","path":"manifests","mode":"040000"}]`)
+			if err != nil {
+				t.Fail()
+			}
+		default:
+			_, err := io.WriteString(w, `[]`)
+			if err != nil {
+				t.Fail()
+			}
+		}
+	}
+}
 func TestGitlabListRepos(t *testing.T) {
 	cases := []struct {
 		name, proto, url                        string
@@ -40,18 +313,19 @@ func TestGitlabListRepos(t *testing.T) {
 			name:        "all branches",
 			allBranches: true,
 			url:         "git@gitlab.com:test-argocd-proton/argocd.git",
-			branches:    []string{"master", "pipeline-1310077506"},
+			branches:    []string{"master"},
 		},
 	}
-
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gitlabMockHandler(t)(w, r)
+	}))
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", "", c.allBranches, c.includeSubgroups)
+			provider, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
 				assert.NotNil(t, err)
 			} else {
-				checkRateLimit(t, err)
 				assert.Nil(t, err)
 				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
@@ -73,7 +347,10 @@ func TestGitlabListRepos(t *testing.T) {
 }
 
 func TestGitlabHasPath(t *testing.T) {
-	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", "", false, true)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gitlabMockHandler(t)(w, r)
+	}))
+	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true)
 	repo := &Repository{
 		Organization: "test-argocd-proton",
 		Repository:   "argocd",

applicationset/services/scm_provider/testdata/data.go

@@ -0,0 +1,6 @@
+package testdata
+
+import _ "embed"
+
+//go:embed repos_gitea_go-sdk_contents_gitea.json
+var ReposGiteaGoSdkContentsGiteaResponse string

assets/builtin-policy.csv

@@ -1,7 +1,7 @@
 # Built-in policy which defines two roles: role:readonly and role:admin,
 # and additionally assigns the admin user to the role:admin role.
 # There are two policy formats:
-# 1. Applications (which belong to a project):
+# 1. Applications, logs, and exec (which belong to a project):
 # p, <user/group>, <resource>, <action>, <project>/<object>
 # 2. All other resources:
 # p, <user/group>, <resource>, <action>, <object>

assets/swagger.json

@@ -265,6 +265,16 @@
             "description": "the repoURL to restrict returned list applications.",
             "name": "repo",
             "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
           }
         ],
         "responses": {
@@ -529,6 +539,16 @@
             "description": "the repoURL to restrict returned list applications.",
             "name": "repo",
             "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
           }
         ],
         "responses": {
@@ -3167,6 +3187,16 @@
             "description": "the repoURL to restrict returned list applications.",
             "name": "repo",
             "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
           }
         ],
         "responses": {

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -28,6 +28,7 @@ import (
 	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
 	"github.com/argoproj/argo-cd/v2/util/settings"
 	"github.com/argoproj/argo-cd/v2/util/tls"
+	"github.com/argoproj/argo-cd/v2/util/trace"
 )
 
 const (
@@ -58,6 +59,7 @@ func NewCommand() *cobra.Command {
 		redisClient              *redis.Client
 		repoServerPlaintext      bool
 		repoServerStrictTLS      bool
+		otlpAddress              string
 	)
 	var command = cobra.Command{
 		Use:               cliName,
@@ -149,6 +151,14 @@ func NewCommand() *cobra.Command {
 			stats.StartStatsTicker(10 * time.Minute)
 			stats.RegisterHeapDumper("memprofile")
 
+			if otlpAddress != "" {
+				closeTracer, err := trace.InitTracer(ctx, "argocd-controller", otlpAddress)
+				if err != nil {
+					log.Fatalf("failed to initialize tracing: %v", err)
+				}
+				defer closeTracer()
+			}
+
 			go appController.Run(ctx, statusProcessors, operationProcessors)
 
 			// Wait forever
@@ -173,6 +183,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT", false), "Disable TLS on connections to repo server")
 	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS", false), "Whether to use strict validation of the TLS cert presented by the repo server")
 	command.Flags().StringSliceVar(&metricsAplicationLabels, "metrics-application-labels", []string{}, "List of Application labels that will be added to the argocd_application_labels metric")
+	command.Flags().StringVar(&otlpAddress, "otlp-address", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_OTLP_ADDRESS", ""), "OpenTelemetry collector address to send traces to")
 	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
 		redisClient = client
 	})

cmd/argocd-applicationset-controller/commands/applicationset_controller.go

@@ -18,6 +18,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/reposerver/askpass"
+	"github.com/argoproj/argo-cd/v2/util/env"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -37,6 +38,11 @@ import (
 	argosettings "github.com/argoproj/argo-cd/v2/util/settings"
 )
 
+// TODO: load this using Cobra. https://github.com/argoproj/argo-cd/issues/10157
+func getSubmoduleEnabled() bool {
+	return env.ParseBoolFromEnv(common.EnvGitSubmoduleEnabled, true)
+}
+
 func NewCommand() *cobra.Command {
 	var (
 		clientConfig         clientcmd.ClientConfig
@@ -136,7 +142,7 @@ func NewCommand() *cobra.Command {
 			terminalGenerators := map[string]generators.Generator{
 				"List":                    generators.NewListGenerator(),
 				"Clusters":                generators.NewClusterGenerator(mgr.GetClient(), context.Background(), k8sClient, namespace),
-				"Git":                     generators.NewGitGenerator(services.NewArgoCDService(argoCDDB, askPassServer, argocdRepoServer)),
+				"Git":                     generators.NewGitGenerator(services.NewArgoCDService(argoCDDB, askPassServer, getSubmoduleEnabled())),
 				"SCMProvider":             generators.NewSCMProviderGenerator(mgr.GetClient()),
 				"ClusterDecisionResource": generators.NewDuckTypeGenerator(context.Background(), dynamicClient, k8sClient, namespace),
 				"PullRequest":             generators.NewPullRequestGenerator(mgr.GetClient()),

cmd/argocd-k8s-auth/commands/aws.go

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -40,16 +41,7 @@ func newAWSCommand() *cobra.Command {
 	var command = &cobra.Command{
 		Use: "aws",
 		Run: func(c *cobra.Command, args []string) {
-			sess, err := session.NewSession()
-			errors.CheckError(err)
-			stsAPI := sts.New(sess)
-			if roleARN != "" {
-				creds := stscreds.NewCredentials(sess, roleARN)
-				stsAPI = sts.New(sess, &aws.Config{Credentials: creds})
-			}
-			request, _ := stsAPI.GetCallerIdentityRequest(&sts.GetCallerIdentityInput{})
-			request.HTTPRequest.Header.Add(clusterIDHeader, clusterName)
-			presignedURLString, err := request.Presign(requestPresignParam)
+			presignedURLString, err := getSignedRequestWithRetry(time.Minute, 5*time.Second, clusterName, roleARN, getSignedRequest)
 			errors.CheckError(err)
 			token := v1Prefix + base64.RawURLEncoding.EncodeToString([]byte(presignedURLString))
 			// Set token expiration to 1 minute before the presigned URL expires for some cushion
@@ -62,6 +54,43 @@ func newAWSCommand() *cobra.Command {
 	return command
 }
 
+type getSignedRequestFunc func(clusterName, roleARN string) (string, error)
+
+func getSignedRequestWithRetry(timeout, interval time.Duration, clusterName, roleARN string, fn getSignedRequestFunc) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	for {
+		signed, err := fn(clusterName, roleARN)
+		if err == nil {
+			return signed, nil
+		}
+		select {
+		case <-ctx.Done():
+			return "", fmt.Errorf("timeout while trying to get signed aws request: last error: %s", err)
+		case <-time.After(interval):
+		}
+	}
+}
+
+func getSignedRequest(clusterName, roleARN string) (string, error) {
+	sess, err := session.NewSession()
+	if err != nil {
+		return "", fmt.Errorf("error creating new AWS session: %s", err)
+	}
+	stsAPI := sts.New(sess)
+	if roleARN != "" {
+		creds := stscreds.NewCredentials(sess, roleARN)
+		stsAPI = sts.New(sess, &aws.Config{Credentials: creds})
+	}
+	request, _ := stsAPI.GetCallerIdentityRequest(&sts.GetCallerIdentityInput{})
+	request.HTTPRequest.Header.Add(clusterIDHeader, clusterName)
+	signed, err := request.Presign(requestPresignParam)
+	if err != nil {
+		return "", fmt.Errorf("error presigning AWS request: %s", err)
+	}
+	return signed, nil
+}
+
 func formatJSON(token string, expiration time.Time) string {
 	expirationTimestamp := metav1.NewTime(expiration)
 	execInput := &clientauthv1beta1.ExecCredential{

cmd/argocd-k8s-auth/commands/aws_test.go

@@ -0,0 +1,73 @@
+package commands
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetSignedRequestWithRetry(t *testing.T) {
+	t.Run("will return signed request on first attempt", func(t *testing.T) {
+		// given
+		t.Parallel()
+		mock := &signedRequestMock{
+			returnFunc: func(m *signedRequestMock) (string, error) {
+				return "token", nil
+			},
+		}
+
+		// when
+		signed, err := getSignedRequestWithRetry(time.Second, time.Millisecond, "cluster-name", "", mock.getSignedRequestMock)
+
+		// then
+		assert.NoError(t, err)
+		assert.Equal(t, "token", signed)
+	})
+	t.Run("will return signed request on third attempt", func(t *testing.T) {
+		// given
+		t.Parallel()
+		mock := &signedRequestMock{
+			returnFunc: func(m *signedRequestMock) (string, error) {
+				if m.getSignedRequestCalls < 3 {
+					return "", fmt.Errorf("some error")
+				}
+				return "token", nil
+			},
+		}
+
+		// when
+		signed, err := getSignedRequestWithRetry(time.Second, time.Millisecond, "cluster-name", "", mock.getSignedRequestMock)
+
+		// then
+		assert.NoError(t, err)
+		assert.Equal(t, "token", signed)
+	})
+	t.Run("will return error on timeout", func(t *testing.T) {
+		// given
+		t.Parallel()
+		mock := &signedRequestMock{
+			returnFunc: func(m *signedRequestMock) (string, error) {
+				return "", fmt.Errorf("some error")
+			},
+		}
+
+		// when
+		signed, err := getSignedRequestWithRetry(time.Second, time.Millisecond, "cluster-name", "", mock.getSignedRequestMock)
+
+		// then
+		assert.Error(t, err)
+		assert.Equal(t, "", signed)
+	})
+}
+
+type signedRequestMock struct {
+	getSignedRequestCalls int
+	returnFunc            func(m *signedRequestMock) (string, error)
+}
+
+func (m *signedRequestMock) getSignedRequestMock(clusterName, roleARN string) (string, error) {
+	m.getSignedRequestCalls++
+	return m.returnFunc(m)
+}

cmd/argocd-repo-server/commands/argocd_repo_server.go

@@ -14,6 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/health/grpc_health_v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
 	"github.com/argoproj/argo-cd/v2/common"
@@ -70,15 +71,17 @@ func getSubmoduleEnabled() bool {
 
 func NewCommand() *cobra.Command {
 	var (
-		parallelismLimit       int64
-		listenPort             int
-		metricsPort            int
-		otlpAddress            string
-		cacheSrc               func() (*reposervercache.Cache, error)
-		tlsConfigCustomizer    tls.ConfigCustomizer
-		tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error)
-		redisClient            *redis.Client
-		disableTLS             bool
+		parallelismLimit                  int64
+		listenPort                        int
+		metricsPort                       int
+		otlpAddress                       string
+		cacheSrc                          func() (*reposervercache.Cache, error)
+		tlsConfigCustomizer               tls.ConfigCustomizer
+		tlsConfigCustomizerSrc            func() (tls.ConfigCustomizer, error)
+		redisClient                       *redis.Client
+		disableTLS                        bool
+		maxCombinedDirectoryManifestsSize string
+		cmpTarExcludedGlobs               []string
 	)
 	var command = cobra.Command{
 		Use:               cliName,
@@ -98,15 +101,20 @@ func NewCommand() *cobra.Command {
 			cache, err := cacheSrc()
 			errors.CheckError(err)
 
+			maxCombinedDirectoryManifestsQuantity, err := resource.ParseQuantity(maxCombinedDirectoryManifestsSize)
+			errors.CheckError(err)
+
 			askPassServer := askpass.NewServer()
 			metricsServer := metrics.NewMetricsServer()
 			cacheutil.CollectMetrics(redisClient, metricsServer)
 			server, err := reposerver.NewServer(metricsServer, cache, tlsConfigCustomizer, repository.RepoServerInitConstants{
-				ParallelismLimit: parallelismLimit,
+				ParallelismLimit:                             parallelismLimit,
 				PauseGenerationAfterFailedGenerationAttempts: getPauseGenerationAfterFailedGenerationAttempts(),
 				PauseGenerationOnFailureForMinutes:           getPauseGenerationOnFailureForMinutes(),
 				PauseGenerationOnFailureForRequests:          getPauseGenerationOnFailureForRequests(),
 				SubmoduleEnabled:                             getSubmoduleEnabled(),
+				MaxCombinedDirectoryManifestsSize:            maxCombinedDirectoryManifestsQuantity,
+				CMPTarExcludedGlobs:                          cmpTarExcludedGlobs,
 			}, askPassServer)
 			errors.CheckError(err)
 
@@ -182,6 +190,8 @@ func NewCommand() *cobra.Command {
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortRepoServerMetrics, "Start metrics server on given port")
 	command.Flags().StringVar(&otlpAddress, "otlp-address", env.StringFromEnv("ARGOCD_REPO_SERVER_OTLP_ADDRESS", ""), "OpenTelemetry collector address to send traces to")
 	command.Flags().BoolVar(&disableTLS, "disable-tls", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_DISABLE_TLS", false), "Disable TLS on the gRPC endpoint")
+	command.Flags().StringVar(&maxCombinedDirectoryManifestsSize, "max-combined-directory-manifests-size", env.StringFromEnv("ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE", "10M"), "Max combined size of manifest files in a directory-type Application")
+	command.Flags().StringArrayVar(&cmpTarExcludedGlobs, "plugin-tar-exclude", env.StringsFromEnv("ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS", []string{}, ";"), "Globs to filter when sending tarballs to plugins.")
 
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
 	cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {

cmd/argocd-server/commands/argocd_server.go

@@ -152,7 +152,10 @@ func NewCommand() *cobra.Command {
 			stats.RegisterStackDumper()
 			stats.StartStatsTicker(10 * time.Minute)
 			stats.RegisterHeapDumper("memprofile")
-
+			argocd := server.NewServer(context.Background(), argoCDOpts)
+			argocd.Init(context.Background())
+			lns, err := argocd.Listen()
+			errors.CheckError(err)
 			for {
 				var closer func()
 				ctx := context.Background()
@@ -163,8 +166,7 @@ func NewCommand() *cobra.Command {
 						log.Fatalf("failed to initialize tracing: %v", err)
 					}
 				}
-				argocd := server.NewServer(ctx, argoCDOpts)
-				argocd.Run(ctx, listenPort, metricsPort)
+				argocd.Run(ctx, lns)
 				cancel()
 				if closer != nil {
 					closer()

cmd/argocd/commands/admin/app_test.go

@@ -88,6 +88,7 @@ func TestGetReconcileResults_Refresh(t *testing.T) {
 	kubeClientset := kubefake.NewSimpleClientset(deployment, &cm)
 	clusterCache := clustermocks.ClusterCache{}
 	clusterCache.On("IsNamespaced", mock.Anything).Return(true, nil)
+	clusterCache.On("GetGVKParser", mock.Anything).Return(nil)
 	repoServerClient := mocks.RepoServerServiceClient{}
 	repoServerClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(&argocdclient.ManifestResponse{
 		Manifests: []string{test.DeploymentManifest},

cmd/argocd/commands/admin/cluster.go

@@ -609,7 +609,7 @@ func GenerateToken(clusterOpts cmdutil.ClusterOptions, conf *rest.Config) (strin
 	clientset, err := kubernetes.NewForConfig(conf)
 	errors.CheckError(err)
 
-	bearerToken, err := clusterauth.GetServiceAccountBearerToken(clientset, clusterOpts.SystemNamespace, clusterOpts.ServiceAccount)
+	bearerToken, err := clusterauth.GetServiceAccountBearerToken(clientset, clusterOpts.SystemNamespace, clusterOpts.ServiceAccount, common.BearerTokenTimeout)
 	if err != nil {
 		return "", err
 	}

cmd/argocd/commands/admin/settings.go

@@ -207,7 +207,7 @@ var validatorsByGroup = map[string]settingValidator{
 			}
 			ssoProvider = "Dex"
 		} else if general.OIDCConfigRAW != "" {
-			if _, err := settings.UnmarshalOIDCConfig(general.OIDCConfigRAW); err != nil {
+			if err := settings.ValidateOIDCConfig(general.OIDCConfigRAW); err != nil {
 				return "", fmt.Errorf("invalid oidc.config: %v", err)
 			}
 			ssoProvider = "OIDC"

cmd/argocd/commands/app.go

@@ -25,6 +25,7 @@ import (
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
@@ -778,7 +779,7 @@ func getLocalObjectsString(app *argoappv1.Application, local, localRepoRoot, app
 		ApiVersions:       apiVersions,
 		Plugins:           configManagementPlugins,
 		TrackingMethod:    trackingMethod,
-	}, true, &git.NoopCredsStore{})
+	}, true, &git.NoopCredsStore{}, resource.MustParse("0"))
 	errors.CheckError(err)
 
 	return res.Manifests

cmd/argocd/commands/cluster.go

@@ -101,7 +101,7 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 				clientset, err := kubernetes.NewForConfig(conf)
 				errors.CheckError(err)
 				if clusterOpts.ServiceAccount != "" {
-					managerBearerToken, err = clusterauth.GetServiceAccountBearerToken(clientset, clusterOpts.SystemNamespace, clusterOpts.ServiceAccount)
+					managerBearerToken, err = clusterauth.GetServiceAccountBearerToken(clientset, clusterOpts.SystemNamespace, clusterOpts.ServiceAccount, common.BearerTokenTimeout)
 				} else {
 					isTerminal := isatty.IsTerminal(os.Stdout.Fd()) || isatty.IsCygwinTerminal(os.Stdout.Fd())
 
@@ -115,7 +115,7 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 							os.Exit(1)
 						}
 					}
-					managerBearerToken, err = clusterauth.InstallClusterManagerRBAC(clientset, clusterOpts.SystemNamespace, clusterOpts.Namespaces)
+					managerBearerToken, err = clusterauth.InstallClusterManagerRBAC(clientset, clusterOpts.SystemNamespace, clusterOpts.Namespaces, common.BearerTokenTimeout)
 				}
 				errors.CheckError(err)
 			}

cmd/argocd/commands/context_test.go

@@ -36,13 +36,13 @@ users:
 - auth-token: vErrYS3c3tReFRe$hToken
   name: localhost:8080`
 
-const testConfigFilePath = "./testdata/config"
+const testConfigFilePath = "./testdata/local.config"
 
 func TestContextDelete(t *testing.T) {
-
 	// Write the test config file
 	err := ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)
 	assert.NoError(t, err)
+	defer os.Remove(testConfigFilePath)
 
 	err = os.Chmod(testConfigFilePath, 0600)
 	require.NoError(t, err, "Could not change the file permission to 0600 %v", err)
@@ -75,9 +75,4 @@ func TestContextDelete(t *testing.T) {
 	assert.NotContains(t, localConfig.Servers, localconfig.Server{PlainText: true, Server: "localhost:8080"})
 	assert.NotContains(t, localConfig.Users, localconfig.User{AuthToken: "vErrYS3c3tReFRe$hToken", Name: "localhost:8080"})
 	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd2.example.com:443", Server: "argocd2.example.com:443", User: "argocd2.example.com:443"})
-
-	// Write the file again so that no conflicts are made in git
-	err = ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)
-	assert.NoError(t, err)
-
 }

cmd/argocd/commands/headless/headless.go

@@ -215,8 +215,13 @@ func StartLocalServer(clientOpts *apiclient.ClientOptions, ctxStr string, port *
 		ListenHost:    *address,
 		RepoClientset: &forwardRepoClientset{namespace: namespace, context: ctxStr},
 	})
+	srv.Init(ctx)
 
-	go srv.Run(ctx, *port, 0)
+	lns, err := srv.Listen()
+	if err != nil {
+		return err
+	}
+	go srv.Run(ctx, lns)
 	clientOpts.ServerAddr = fmt.Sprintf("%s:%d", *address, *port)
 	clientOpts.PlainText = true
 	if !cache2.WaitForCacheSync(ctx.Done(), srv.Initialized) {

cmd/argocd/commands/login.go

@@ -36,11 +36,12 @@ import (
 // NewLoginCommand returns a new instance of `argocd login` command
 func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		ctxName  string
-		username string
-		password string
-		sso      bool
-		ssoPort  int
+		ctxName     string
+		username    string
+		password    string
+		sso         bool
+		ssoPort     int
+		skipTestTLS bool
 	)
 	var command = &cobra.Command{
 		Use:   "login SERVER",
@@ -68,21 +69,25 @@ argocd login cd.argoproj.io --core`,
 				server = "kubernetes"
 			} else {
 				server = args[0]
-				tlsTestResult, err := grpc_util.TestTLS(server)
-				errors.CheckError(err)
-				if !tlsTestResult.TLS {
-					if !globalClientOpts.PlainText {
-						if !cli.AskToProceed("WARNING: server is not configured with TLS. Proceed (y/n)? ") {
-							os.Exit(1)
+
+				if !skipTestTLS {
+					dialTime := 30 * time.Second
+					tlsTestResult, err := grpc_util.TestTLS(server, dialTime)
+					errors.CheckError(err)
+					if !tlsTestResult.TLS {
+						if !globalClientOpts.PlainText {
+							if !cli.AskToProceed("WARNING: server is not configured with TLS. Proceed (y/n)? ") {
+								os.Exit(1)
+							}
+							globalClientOpts.PlainText = true
 						}
-						globalClientOpts.PlainText = true
-					}
-				} else if tlsTestResult.InsecureErr != nil {
-					if !globalClientOpts.Insecure {
-						if !cli.AskToProceed(fmt.Sprintf("WARNING: server certificate had error: %s. Proceed insecurely (y/n)? ", tlsTestResult.InsecureErr)) {
-							os.Exit(1)
+					} else if tlsTestResult.InsecureErr != nil {
+						if !globalClientOpts.Insecure {
+							if !cli.AskToProceed(fmt.Sprintf("WARNING: server certificate had error: %s. Proceed insecurely (y/n)? ", tlsTestResult.InsecureErr)) {
+								os.Exit(1)
+							}
+							globalClientOpts.Insecure = true
 						}
-						globalClientOpts.Insecure = true
 					}
 				}
 			}
@@ -174,6 +179,8 @@ argocd login cd.argoproj.io --core`,
 	command.Flags().StringVar(&password, "password", "", "the password of an account to authenticate")
 	command.Flags().BoolVar(&sso, "sso", false, "perform SSO login")
 	command.Flags().IntVar(&ssoPort, "sso-port", DefaultSSOLocalPort, "port to run local OAuth2 login application")
+	command.Flags().
+		BoolVar(&skipTestTLS, "skip-test-tls", false, "Skip testing whether the server is configured with TLS (this can help when the command hangs for no apparent reason)")
 	return command
 }
 
@@ -189,7 +196,13 @@ func userDisplayName(claims jwt.MapClaims) string {
 
 // oauth2Login opens a browser, runs a temporary HTTP server to delegate OAuth2 login flow and
 // returns the JWT token and a refresh token (if supported)
-func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCConfig, oauth2conf *oauth2.Config, provider *oidc.Provider) (string, string) {
+func oauth2Login(
+	ctx context.Context,
+	port int,
+	oidcSettings *settingspkg.OIDCConfig,
+	oauth2conf *oauth2.Config,
+	provider *oidc.Provider,
+) (string, string) {
 	oauth2conf.RedirectURL = fmt.Sprintf("http://localhost:%d/auth/callback", port)
 	oidcConf, err := oidcutil.ParseConfig(provider)
 	errors.CheckError(err)
@@ -202,7 +215,10 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 	// completionChan is to signal flow completed. Non-empty string indicates error
 	completionChan := make(chan string)
 	// stateNonce is an OAuth2 state nonce
-	stateNonce := rand.RandString(10)
+	// According to the spec (https://www.rfc-editor.org/rfc/rfc6749#section-10.10), this must be guessable with
+	// probability <= 2^(-128). The following call generates one of 52^24 random strings, ~= 2^136 possibilities.
+	stateNonce, err := rand.String(24)
+	errors.CheckError(err)
 	var tokenString string
 	var refreshToken string
 
@@ -212,7 +228,11 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 	}
 
 	// PKCE implementation of https://tools.ietf.org/html/rfc7636
-	codeVerifier := rand.RandStringCharset(43, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
+	codeVerifier, err := rand.StringFromCharset(
+		43,
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~",
+	)
+	errors.CheckError(err)
 	codeChallengeHash := sha256.Sum256([]byte(codeVerifier))
 	codeChallenge := base64.RawURLEncoding.EncodeToString(codeChallengeHash[:])
 
@@ -296,7 +316,8 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 		opts = append(opts, oauth2.SetAuthURLParam("code_challenge_method", "S256"))
 		url = oauth2conf.AuthCodeURL(stateNonce, opts...)
 	case oidcutil.GrantTypeImplicit:
-		url = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...)
+		url, err = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...)
+		errors.CheckError(err)
 	default:
 		log.Fatalf("Unsupported grant type: %v", grantType)
 	}

cmd/argocd/commands/logout_test.go

@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	"github.com/argoproj/argo-cd/v2/util/localconfig"
@@ -16,6 +17,10 @@ func TestLogout(t *testing.T) {
 	// Write the test config file
 	err := ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)
 	assert.NoError(t, err)
+	defer os.Remove(testConfigFilePath)
+
+	err = os.Chmod(testConfigFilePath, 0600)
+	require.NoError(t, err)
 
 	localConfig, err := localconfig.ReadLocalConfig(testConfigFilePath)
 	assert.NoError(t, err)
@@ -32,9 +37,4 @@ func TestLogout(t *testing.T) {
 	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd1.example.com:443", Server: "argocd1.example.com:443", User: "argocd1.example.com:443"})
 	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd2.example.com:443", Server: "argocd2.example.com:443", User: "argocd2.example.com:443"})
 	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "localhost:8080", Server: "localhost:8080", User: "localhost:8080"})
-
-	// Write the file again so that no conflicts are made in git
-	err = ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)
-	assert.NoError(t, err)
-
 }

cmd/argocd/commands/testdata/config

@@ -28,4 +28,4 @@ current-context: localhost:8080
 users:
 - name:  argocd1.example.com:443
 - name:  argocd2.example.com:443
-- name:  localhost:8080
+- name:  localhost:8080

cmpserver/apiclient/clientset.go

@@ -7,6 +7,7 @@ import (
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry"
 	log "github.com/sirupsen/logrus"
+	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 
@@ -46,6 +47,8 @@ func NewConnection(address string) (*grpc.ClientConn, error) {
 		grpc.WithStreamInterceptor(grpc_retry.StreamClientInterceptor(retryOpts...)),
 		grpc.WithUnaryInterceptor(grpc_middleware.ChainUnaryClient(unaryInterceptors...)),
 		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(MaxGRPCMessageSize), grpc.MaxCallSendMsgSize(MaxGRPCMessageSize)),
+		grpc.WithUnaryInterceptor(otelgrpc.UnaryClientInterceptor()),
+		grpc.WithStreamInterceptor(otelgrpc.StreamClientInterceptor()),
 	}
 
 	dialOpts = append(dialOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))

cmpserver/plugin/config.go

@@ -25,8 +25,6 @@ type PluginConfigSpec struct {
 	Init             Command  `json:"init,omitempty"`
 	Generate         Command  `json:"generate"`
 	Discover         Discover `json:"discover"`
-	AllowConcurrency bool     `json:"allowConcurrency"`
-	LockRepo         bool     `json:"lockRepo"`
 }
 
 //Discover holds find and fileName

cmpserver/plugin/plugin.go

@@ -8,8 +8,10 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
+	"unicode"
 
 	"github.com/argoproj/pkg/rand"
 
@@ -73,9 +75,8 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	}
 	logCtx := log.WithFields(log.Fields{"execID": execId})
 
-	// log in a way we can copy-and-paste into a terminal
-	args := strings.Join(cmd.Args, " ")
-	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(args)
+	argsToLog := getCommandArgsToLog(cmd)
+	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(argsToLog)
 
 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
@@ -106,7 +107,7 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	logCtx.WithFields(log.Fields{"duration": duration}).Debug(output)
 
 	if err != nil {
-		err := newCmdError(args, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
+		err := newCmdError(argsToLog, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
 		logCtx.Error(err.Error())
 		return strings.TrimSuffix(output, "\n"), err
 	}
@@ -114,6 +115,28 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	return strings.TrimSuffix(output, "\n"), nil
 }
 
+// getCommandArgsToLog represents the given command in a way that we can copy-and-paste into a terminal
+func getCommandArgsToLog(cmd *exec.Cmd) string {
+	var argsToLog []string
+	for _, arg := range cmd.Args {
+		containsSpace := false
+		for _, r := range arg {
+			if unicode.IsSpace(r) {
+				containsSpace = true
+				break
+			}
+		}
+		if containsSpace {
+			// add quotes and escape any internal quotes
+			argsToLog = append(argsToLog, strconv.Quote(arg))
+		} else {
+			argsToLog = append(argsToLog, arg)
+		}
+	}
+	args := strings.Join(argsToLog, " ")
+	return args
+}
+
 type CmdError struct {
 	Args   string
 	Stderr string
@@ -233,12 +256,12 @@ func (s *Service) MatchRepository(stream apiclient.ConfigManagementPluginService
 		}
 	}()
 
-	_, err = cmp.ReceiveRepoStream(bufferedCtx, stream, workDir)
+	metadata, err := cmp.ReceiveRepoStream(bufferedCtx, stream, workDir)
 	if err != nil {
 		return fmt.Errorf("match repository error receiving stream: %s", err)
 	}
 
-	isSupported, err := s.matchRepository(bufferedCtx, workDir)
+	isSupported, err := s.matchRepository(bufferedCtx, workDir, metadata.GetEnv())
 	if err != nil {
 		return fmt.Errorf("match repository error: %s", err)
 	}
@@ -251,7 +274,7 @@ func (s *Service) MatchRepository(stream apiclient.ConfigManagementPluginService
 	return nil
 }
 
-func (s *Service) matchRepository(ctx context.Context, workdir string) (bool, error) {
+func (s *Service) matchRepository(ctx context.Context, workdir string, envEntries []*apiclient.EnvEntry) (bool, error) {
 	config := s.initConstants.PluginConfig
 	if config.Spec.Discover.FileName != "" {
 		log.Debugf("config.Spec.Discover.FileName is provided")
@@ -284,7 +307,9 @@ func (s *Service) matchRepository(ctx context.Context, workdir string) (bool, er
 	}
 
 	log.Debugf("Going to try runCommand.")
-	find, err := runCommand(ctx, config.Spec.Discover.Find.Command, workdir, os.Environ())
+	env := append(os.Environ(), environ(envEntries)...)
+
+	find, err := runCommand(ctx, config.Spec.Discover.Find.Command, workdir, env)
 	if err != nil {
 		return false, fmt.Errorf("error running find command: %s", err)
 	}

cmpserver/plugin/plugin_test.go

@@ -2,6 +2,7 @@ package plugin
 
 import (
 	"context"
+	"os/exec"
 	"path/filepath"
 	"testing"
 	"time"
@@ -10,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/argoproj/argo-cd/v2/cmpserver/apiclient"
 	"github.com/argoproj/argo-cd/v2/test"
 )
 
@@ -62,6 +64,7 @@ func TestMatchRepository(t *testing.T) {
 	type fixture struct {
 		service *Service
 		path    string
+		env     []*apiclient.EnvEntry
 	}
 	setup := func(t *testing.T, opts ...pluginOpt) *fixture {
 		t.Helper()
@@ -71,6 +74,7 @@ func TestMatchRepository(t *testing.T) {
 		return &fixture{
 			service: s,
 			path:    path,
+			env:     []*apiclient.EnvEntry{{Name: "ENV_VAR", Value: "1"}},
 		}
 	}
 	t.Run("will match plugin by filename", func(t *testing.T) {
@@ -81,7 +85,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path)
+		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
@@ -95,7 +99,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path)
+		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
@@ -111,7 +115,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path)
+		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
@@ -127,7 +131,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path)
+		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
@@ -145,7 +149,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path)
+		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
@@ -163,7 +167,44 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path)
+		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+
+		// then
+		assert.NoError(t, err)
+		assert.False(t, match)
+	})
+	t.Run("will match plugin because env var defined", func(t *testing.T) {
+		// given
+		d := Discover{
+			Find: Find{
+				Command: Command{
+					Command: []string{"sh", "-c", "echo -n $ENV_VAR"},
+				},
+			},
+		}
+		f := setup(t, withDiscover(d))
+
+		// when
+		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+
+		// then
+		assert.NoError(t, err)
+		assert.True(t, match)
+	})
+	t.Run("will not match plugin because no env var defined", func(t *testing.T) {
+		// given
+		d := Discover{
+			Find: Find{
+				Command: Command{
+					// Use printf instead of echo since OSX prints the "-n" when there's no additional arg.
+					Command: []string{"sh", "-c", `printf "%s" "$ENV_NO_VAR"`},
+				},
+			},
+		}
+		f := setup(t, withDiscover(d))
+
+		// when
+		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
@@ -181,7 +222,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path)
+		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.Error(t, err)
@@ -226,3 +267,30 @@ func TestRunCommandContextTimeout(t *testing.T) {
 	assert.Error(t, err) // The command should time out, causing an error.
 	assert.Less(t, after.Sub(before), 1*time.Second)
 }
+
+func Test_getCommandArgsToLog(t *testing.T) {
+	testCases := []struct {
+		name     string
+		args     []string
+		expected string
+	}{
+		{
+			name:     "no spaces",
+			args:     []string{"sh", "-c", "cat"},
+			expected: "sh -c cat",
+		},
+		{
+			name:     "spaces",
+			args:     []string{"sh", "-c", `echo "hello world"`},
+			expected: `sh -c "echo \"hello world\""`,
+		},
+	}
+
+	for _, tc := range testCases {
+		tcc := tc
+		t.Run(tcc.name, func(t *testing.T) {
+			t.Parallel()
+			assert.Equal(t, tcc.expected, getCommandArgsToLog(exec.Command(tcc.args[0], tcc.args[1:]...)))
+		})
+	}
+}

cmpserver/plugin/testdata/ksonnet/config/plugin.yaml

@@ -11,5 +11,3 @@ spec:
   discover:
     find:
       glob: "**/*/main.jsonnet"
-  allowConcurrency: false
-  lockRepo: false

cmpserver/plugin/testdata/kustomize-neg/config/plugin-bad.yaml

@@ -12,5 +12,3 @@ spec:
     find:
       command: [sh, -c, find . -name kustomization.yaml]
       glob: "**/*/kustomization.yaml"
-  allowConcurrency: true
-  lockRepo: false

cmpserver/plugin/testdata/kustomize/config/plugin.yaml

@@ -12,5 +12,3 @@ spec:
     find:
       command: [sh, -c, find . -name kustomization.yaml]
       glob: "**/*/kustomization.yaml"
-  allowConcurrency: true
-  lockRepo: false

cmpserver/server.go

@@ -2,12 +2,13 @@ package cmpserver
 
 import (
 	"fmt"
-	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"net"
 	"os"
 	"os/signal"
 	"syscall"
 
+	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
+
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpc_logrus "github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus"
 	grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
@@ -24,6 +25,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/server/version"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 	grpc_util "github.com/argoproj/argo-cd/v2/util/grpc"
+	"google.golang.org/grpc/keepalive"
 )
 
 // ArgoCDCMPServer is the config management plugin server implementation
@@ -61,6 +63,11 @@ func NewServer(initConstants plugin.CMPServerInitConstants) (*ArgoCDCMPServer, e
 		grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(streamInterceptors...)),
 		grpc.MaxRecvMsgSize(apiclient.MaxGRPCMessageSize),
 		grpc.MaxSendMsgSize(apiclient.MaxGRPCMessageSize),
+		grpc.KeepaliveEnforcementPolicy(
+			keepalive.EnforcementPolicy{
+				MinTime: common.GRPCKeepAliveEnforcementMinimum,
+			},
+		),
 	}
 
 	return &ArgoCDCMPServer{

common/common.go

@@ -1,12 +1,15 @@
 package common
 
 import (
+	"errors"
 	"os"
 	"path/filepath"
 	"strconv"
 	"time"
 
 	"github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )
 
 // Default service addresses and URLS of Argo CD internal services
@@ -229,6 +232,12 @@ const (
 	CacheVersion = "1.8.3"
 )
 
+// Constants used by util/clusterauth package
+const (
+	ClusterAuthRequestTimeout = 10 * time.Second
+	BearerTokenTimeout        = 30 * time.Second
+)
+
 const (
 	DefaultGitRetryMaxDuration time.Duration = time.Second * 5        // 5s
 	DefaultGitRetryDuration    time.Duration = time.Millisecond * 250 // 0.25s
@@ -280,3 +289,17 @@ const (
 	// AnnotationApplicationRefresh is an annotation that is added when an ApplicationSet is requested to be refreshed by a webhook. The ApplicationSet controller will remove this annotation at the end of reconcilation.
 	AnnotationApplicationSetRefresh = "argocd.argoproj.io/application-set-refresh"
 )
+
+// gRPC settings
+const (
+	GRPCKeepAliveEnforcementMinimum = 10 * time.Second
+	// Keep alive is 2x enforcement minimum to ensure network jitter does not introduce ENHANCE_YOUR_CALM errors
+	GRPCKeepAliveTime = 2 * GRPCKeepAliveEnforcementMinimum
+)
+
+// Common error messages
+const TokenVerificationError = "failed to verify the token"
+
+var TokenVerificationErr = errors.New(TokenVerificationError)
+
+var PermissionDeniedAPIError = status.Error(codes.PermissionDenied, "permission denied")

controller/appcontroller.go

@@ -605,11 +605,16 @@ func (ctrl *ApplicationController) hideSecretData(app *appv1.Application, compar
 				return nil, fmt.Errorf("error getting tracking method: %s", err)
 			}
 
+			clusterCache, err := ctrl.stateCache.GetClusterCache(app.Spec.Destination.Server)
+			if err != nil {
+				return nil, fmt.Errorf("error getting cluster cache: %s", err)
+			}
 			diffConfig, err := argodiff.NewDiffConfigBuilder().
 				WithDiffSettings(app.Spec.IgnoreDifferences, resourceOverrides, compareOptions.IgnoreAggregatedRoles).
 				WithTracking(appLabelKey, trackingMethod).
 				WithNoCache().
 				WithLogger(logutils.NewLogrusLogger(logutils.NewWithCurrentConfig())).
+				WithGVKParser(clusterCache.GetGVKParser()).
 				Build()
 			if err != nil {
 				return nil, fmt.Errorf("appcontroller error building diff config: %s", err)

controller/appcontroller_test.go

@@ -121,6 +121,7 @@ func newFakeController(data *fakeData) *ApplicationController {
 	clusterCacheMock := mocks.ClusterCache{}
 	clusterCacheMock.On("IsNamespaced", mock.Anything).Return(true, nil)
 	clusterCacheMock.On("GetOpenAPISchema").Return(nil, nil)
+	clusterCacheMock.On("GetGVKParser").Return(nil)
 
 	mockStateCache := mockstatecache.LiveStateCache{}
 	ctrl.appStateManager.(*appStateManager).liveStateCache = &mockStateCache

controller/cache/cache.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
@@ -176,6 +177,7 @@ func NewLiveStateCache(
 type cacheSettings struct {
 	clusterSettings     clustercache.Settings
 	appInstanceLabelKey string
+	trackingMethod      appv1.TrackingMethod
 }
 
 type liveStateCache struct {
@@ -210,7 +212,7 @@ func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
 		ResourceHealthOverride: lua.ResourceHealthOverrides(resourceOverrides),
 		ResourcesFilter:        resourcesFilter,
 	}
-	return &cacheSettings{clusterSettings, appInstanceLabelKey}, nil
+	return &cacheSettings{clusterSettings, appInstanceLabelKey, argo.GetTrackingMethod(c.settingsMgr)}, nil
 }
 
 func asResourceNode(r *clustercache.Resource) appv1.ResourceNode {
@@ -354,7 +356,8 @@ func isTransientNetworkErr(err error) bool {
 	}
 	if strings.Contains(errorString, "net/http: TLS handshake timeout") ||
 		strings.Contains(errorString, "i/o timeout") ||
-		strings.Contains(errorString, "connection timed out") {
+		strings.Contains(errorString, "connection timed out") ||
+		strings.Contains(errorString, "connection reset by peer") {
 		return true
 	}
 	return false
@@ -387,7 +390,20 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		return nil, fmt.Errorf("controller is configured to ignore cluster %s", cluster.Server)
 	}
 
-	trackingMethod := argo.GetTrackingMethod(c.settingsMgr)
+	clusterCacheConfig := cluster.RESTConfig()
+	// Controller dynamically fetches all resource types available on the cluster
+	// using a discovery API that may contain deprecated APIs.
+	// This causes log flooding when managing a large number of clusters.
+	// https://github.com/argoproj/argo-cd/issues/11973
+	// However, we can safely suppress deprecation warnings
+	// because we do not rely on resources with a particular API group or version.
+	// https://kubernetes.io/blog/2020/09/03/warnings/#customize-client-handling
+	//
+	// Completely suppress warning logs only for log levels that are less than Debug.
+	if log.GetLevel() < log.DebugLevel {
+		clusterCacheConfig.WarningHandler = rest.NoWarnings{}
+	}
+
 	clusterCacheOpts := []clustercache.UpdateSettingsFunc{
 		clustercache.SetListSemaphore(semaphore.NewWeighted(clusterCacheListSemaphoreSize)),
 		clustercache.SetListPageSize(clusterCacheListPageSize),
@@ -400,9 +416,12 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetPopulateResourceInfoHandler(func(un *unstructured.Unstructured, isRoot bool) (interface{}, bool) {
 			res := &ResourceInfo{}
 			populateNodeInfo(un, res)
+			c.lock.RLock()
+			cacheSettings := c.cacheSettings
+			c.lock.RUnlock()
 			res.Health, _ = health.GetResourceHealth(un, cacheSettings.clusterSettings.ResourceHealthOverride)
 
-			appName := c.resourceTracking.GetAppName(un, cacheSettings.appInstanceLabelKey, trackingMethod)
+			appName := c.resourceTracking.GetAppName(un, cacheSettings.appInstanceLabelKey, cacheSettings.trackingMethod)
 			if isRoot && appName != "" {
 				res.AppName = appName
 			}
@@ -416,7 +435,7 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetRetryOptions(clusterCacheAttemptLimit, clusterCacheRetryUseBackoff, isRetryableError),
 	}
 
-	clusterCache = clustercache.NewClusterCache(cluster.RESTConfig(), clusterCacheOpts...)
+	clusterCache = clustercache.NewClusterCache(clusterCacheConfig, clusterCacheOpts...)
 
 	_ = clusterCache.OnResourceUpdated(func(newRes *clustercache.Resource, oldRes *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) {
 		toNotify := make(map[string]bool)

controller/cache/cache_test.go

@@ -111,6 +111,7 @@ func TestIsRetryableError(t *testing.T) {
 		tlsHandshakeTimeoutErr net.Error = netError("net/http: TLS handshake timeout")
 		ioTimeoutErr           net.Error = netError("i/o timeout")
 		connectionTimedout     net.Error = netError("connection timed out")
+		connectionReset        net.Error = netError("connection reset by peer")
 	)
 	t.Run("Nil", func(t *testing.T) {
 		assert.False(t, isRetryableError(nil))
@@ -148,4 +149,7 @@ func TestIsRetryableError(t *testing.T) {
 	t.Run("ConnectionTimeout", func(t *testing.T) {
 		assert.True(t, isRetryableError(connectionTimedout))
 	})
+	t.Run("ConnectionReset", func(t *testing.T) {
+		assert.True(t, isRetryableError(connectionReset))
+	})
 }

controller/state.go

@@ -461,7 +461,14 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 	} else {
 		diffConfigBuilder.WithCache(m.cache, app.GetName())
 	}
-	// it necessary to ignore the error at this point to avoid creating duplicated
+
+	gvkParser, err := m.getGVKParser(app.Spec.Destination.Server)
+	if err != nil {
+		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionUnknownError, Message: err.Error(), LastTransitionTime: &now})
+	}
+	diffConfigBuilder.WithGVKParser(gvkParser)
+
+	// it is necessary to ignore the error at this point to avoid creating duplicated
 	// application conditions as argo.StateDiffs will validate this diffConfig again.
 	diffConfig, _ := diffConfigBuilder.Build()
 
@@ -487,6 +494,8 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		}
 		gvk := obj.GroupVersionKind()
 
+		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, targetObj, app.GetName(), appLabelKey, trackingMethod)
+
 		resState := v1alpha1.ResourceStatus{
 			Namespace:       obj.GetNamespace(),
 			Name:            obj.GetName(),
@@ -494,7 +503,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 			Version:         gvk.Version,
 			Group:           gvk.Group,
 			Hook:            hookutil.IsHook(obj),
-			RequiresPruning: targetObj == nil && liveObj != nil,
+			RequiresPruning: targetObj == nil && liveObj != nil && isSelfReferencedObj,
 		}
 
 		var diffResult diff.DiffResult
@@ -503,8 +512,11 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		} else {
 			diffResult = diff.DiffResult{Modified: false, NormalizedLive: []byte("{}"), PredictedLive: []byte("{}")}
 		}
-		if resState.Hook || ignore.Ignore(obj) || (targetObj != nil && hookutil.Skip(targetObj)) {
-			// For resource hooks or skipped resources, don't store sync status, and do not affect overall sync status
+		if resState.Hook || ignore.Ignore(obj) || (targetObj != nil && hookutil.Skip(targetObj)) || !isSelfReferencedObj {
+			// For resource hooks, skipped resources or objects that may have
+			// been created by another controller with annotations copied from
+			// the source object, don't store sync status, and do not affect
+			// overall sync status
 		} else if diffResult.Modified || targetObj == nil || liveObj == nil {
 			// Set resource state to OutOfSync since one of the following is true:
 			// * target and live resource are different
@@ -660,3 +672,60 @@ func NewAppStateManager(
 		resourceTracking:     resourceTracking,
 	}
 }
+
+// isSelfReferencedObj returns whether the given obj is managed by the application
+// according to the values of the tracking id (aka app instance value) annotation.
+// It returns true when all of the properties of the tracking id (app name, namespace,
+// group and kind) match the properties of the live object, or if the tracking method
+// used does not provide the required properties for matching.
+// Reference: https://github.com/argoproj/argo-cd/issues/8683
+func (m *appStateManager) isSelfReferencedObj(live, config *unstructured.Unstructured, appName, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
+	if live == nil {
+		return true
+	}
+
+	// If tracking method doesn't contain required metadata for this check,
+	// we are not able to determine and just assume the object to be managed.
+	if trackingMethod == argo.TrackingMethodLabel {
+		return true
+	}
+
+	// config != nil is the best-case scenario for constructing an accurate
+	// Tracking ID. `config` is the "desired state" (from git/helm/etc.).
+	// Using the desired state is important when there is an ApiGroup upgrade.
+	// When upgrading, the comparison must be made with the new tracking ID.
+	// Example:
+	//     live resource annotation will be:
+	//        ingress-app:extensions/Ingress:default/some-ingress
+	//     when it should be:
+	//        ingress-app:networking.k8s.io/Ingress:default/some-ingress
+	// More details in: https://github.com/argoproj/argo-cd/pull/11012
+	var aiv argo.AppInstanceValue
+	if config != nil {
+		aiv = argo.UnstructuredToAppInstanceValue(config, appName, "")
+		return isSelfReferencedObj(live, aiv)
+	}
+
+	// If config is nil then compare the live resource with the value
+	// of the annotation. In this case, in order to validate if obj is
+	// managed by this application, the values from the annotation have
+	// to match the properties from the live object. Cluster scoped objects
+	// carry the app's destination namespace in the tracking annotation,
+	// but are unique in GVK + name combination.
+	appInstance := m.resourceTracking.GetAppInstance(live, appLabelKey, trackingMethod)
+	if appInstance != nil {
+		return isSelfReferencedObj(live, *appInstance)
+	}
+	return true
+}
+
+// isSelfReferencedObj returns true if the given Tracking ID (`aiv`) matches
+// the given object. It returns false when the ID doesn't match. This sometimes
+// happens when a tracking label or annotation gets accidentally copied to a
+// different resource.
+func isSelfReferencedObj(obj *unstructured.Unstructured, aiv argo.AppInstanceValue) bool {
+	return (obj.GetNamespace() == aiv.Namespace || obj.GetNamespace() == "") &&
+		obj.GetName() == aiv.Name &&
+		obj.GetObjectKind().GroupVersionKind().Group == aiv.Group &&
+		obj.GetObjectKind().GroupVersionKind().Kind == aiv.Kind
+}

controller/state_test.go

@@ -13,6 +13,8 @@ import (
 	. "github.com/argoproj/gitops-engine/pkg/utils/testing"
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -21,6 +23,7 @@ import (
 	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/v2/test"
+	"github.com/argoproj/argo-cd/v2/util/argo"
 )
 
 // TestCompareAppStateEmpty tests comparison when both git and live have no objects
@@ -770,3 +773,180 @@ func TestComparisonResult_GetSyncStatus(t *testing.T) {
 
 	assert.Equal(t, status, res.GetSyncStatus())
 }
+
+func TestIsLiveResourceManaged(t *testing.T) {
+	managedObj := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap1",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:/ConfigMap:default/configmap1",
+			},
+		},
+	})
+	managedObjWithLabel := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap1",
+			Namespace: "default",
+			Labels: map[string]string{
+				common.LabelKeyAppInstance: "guestbook",
+			},
+		},
+	})
+	unmanagedObjWrongName := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap2",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:/ConfigMap:default/configmap1",
+			},
+		},
+	})
+	unmanagedObjWrongKind := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap2",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:/Service:default/configmap2",
+			},
+		},
+	})
+	unmanagedObjWrongGroup := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap2",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:apps/ConfigMap:default/configmap2",
+			},
+		},
+	})
+	unmanagedObjWrongNamespace := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap2",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:/ConfigMap:fakens/configmap2",
+			},
+		},
+	})
+	managedWrongAPIGroup := kube.MustToUnstructured(&networkingv1.Ingress{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "networking.k8s.io/v1",
+			Kind:       "Ingress",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "some-ingress",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:extensions/Ingress:default/some-ingress",
+			},
+		},
+	})
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
+			kube.GetResourceKey(managedObj):                 managedObj,
+			kube.GetResourceKey(unmanagedObjWrongName):      unmanagedObjWrongName,
+			kube.GetResourceKey(unmanagedObjWrongKind):      unmanagedObjWrongKind,
+			kube.GetResourceKey(unmanagedObjWrongGroup):     unmanagedObjWrongGroup,
+			kube.GetResourceKey(unmanagedObjWrongNamespace): unmanagedObjWrongNamespace,
+		},
+	})
+
+	manager := ctrl.appStateManager.(*appStateManager)
+	appName := "guestbook"
+
+	t.Run("will return true if trackingid matches the resource", func(t *testing.T) {
+		// given
+		t.Parallel()
+		configObj := managedObj.DeepCopy()
+
+		// then
+		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will return true if tracked with label", func(t *testing.T) {
+		// given
+		t.Parallel()
+		configObj := managedObjWithLabel.DeepCopy()
+
+		// then
+		assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	})
+	t.Run("will handle if trackingId has wrong resource name and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()
+
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will handle if trackingId has wrong resource group and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()
+
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will handle if trackingId has wrong kind and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()
+
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+	t.Run("will handle if trackingId has wrong namespace and config is nil", func(t *testing.T) {
+		// given
+		t.Parallel()
+
+		// then
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel))
+	})
+	t.Run("will return true if live is nil", func(t *testing.T) {
+		t.Parallel()
+		assert.True(t, manager.isSelfReferencedObj(nil, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+
+	t.Run("will handle upgrade in desired state APIGroup", func(t *testing.T) {
+		// given
+		t.Parallel()
+		config := managedWrongAPIGroup.DeepCopy()
+		delete(config.GetAnnotations(), common.AnnotationKeyAppInstance)
+
+		// then
+		assert.True(t, manager.isSelfReferencedObj(managedWrongAPIGroup, config, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+	})
+}

controller/sync.go

@@ -17,6 +17,7 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/managedfields"
 	"k8s.io/kubectl/pkg/util/openapi"
 
 	cdcommon "github.com/argoproj/argo-cd/v2/common"
@@ -46,6 +47,14 @@ func (m *appStateManager) getOpenAPISchema(server string) (openapi.Resources, er
 	return cluster.GetOpenAPISchema(), nil
 }
 
+func (m *appStateManager) getGVKParser(server string) (*managedfields.GvkParser, error) {
+	cluster, err := m.liveStateCache.GetClusterCache(server)
+	if err != nil {
+		return nil, err
+	}
+	return cluster.GetGVKParser(), nil
+}
+
 func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState) {
 	// Sync requests might be requested with ambiguous revisions (e.g. master, HEAD, v1.2.3).
 	// This can change meaning when resuming operations (e.g a hook sync). After calculating a
@@ -140,7 +149,13 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 	}
 
 	atomic.AddUint64(&syncIdPrefix, 1)
-	syncId := fmt.Sprintf("%05d-%s", syncIdPrefix, rand.RandString(5))
+	randSuffix, err := rand.String(5)
+	if err != nil {
+		state.Phase = common.OperationError
+		state.Message = fmt.Sprintf("Failed generate random sync ID: %v", err)
+		return
+	}
+	syncId := fmt.Sprintf("%05d-%s", syncIdPrefix, randSuffix)
 
 	logEntry := log.WithFields(log.Fields{"application": app.Name, "syncId": syncId})
 	initialResourcesRes := make([]common.ResourceSyncResult, 0)
@@ -190,6 +205,13 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		reconciliationResult.Target = patchedTargets
 	}
 
+	appLabelKey, err := m.settingsMgr.GetAppInstanceLabelKey()
+	if err != nil {
+		log.Errorf("Could not get appInstanceLabelKey: %v", err)
+		return
+	}
+	trackingMethod := argo.GetTrackingMethod(m.settingsMgr)
+
 	syncCtx, cleanup, err := sync.NewSyncContext(
 		compareResult.syncStatus.Revision,
 		reconciliationResult,
@@ -202,7 +224,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		sync.WithHealthOverride(lua.ResourceHealthOverrides(resourceOverrides)),
 		sync.WithPermissionValidator(func(un *unstructured.Unstructured, res *v1.APIResource) error {
 			if !proj.IsGroupKindPermitted(un.GroupVersionKind().GroupKind(), res.Namespaced) {
-				return fmt.Errorf("Resource %s:%s is not permitted in project %s.", un.GroupVersionKind().Group, un.GroupVersionKind().Kind, proj.Name)
+				return fmt.Errorf("resource %s:%s is not permitted in project %s", un.GroupVersionKind().Group, un.GroupVersionKind().Kind, proj.Name)
 			}
 			if res.Namespaced && !proj.IsDestinationPermitted(v1alpha1.ApplicationDestination{Namespace: un.GetNamespace(), Server: app.Spec.Destination.Server, Name: app.Spec.Destination.Name}) {
 				return fmt.Errorf("namespace %v is not permitted in project '%s'", un.GetNamespace(), proj.Name)
@@ -212,7 +234,9 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		sync.WithOperationSettings(syncOp.DryRun, syncOp.Prune, syncOp.SyncStrategy.Force(), syncOp.IsApplyStrategy() || len(syncOp.Resources) > 0),
 		sync.WithInitialState(state.Phase, state.Message, initialResourcesRes, state.StartedAt),
 		sync.WithResourcesFilter(func(key kube.ResourceKey, target *unstructured.Unstructured, live *unstructured.Unstructured) bool {
-			return len(syncOp.Resources) == 0 || argo.ContainsSyncResource(key.Name, key.Namespace, schema.GroupVersionKind{Kind: key.Kind, Group: key.Group}, syncOp.Resources)
+			return (len(syncOp.Resources) == 0 ||
+				argo.ContainsSyncResource(key.Name, key.Namespace, schema.GroupVersionKind{Kind: key.Kind, Group: key.Group}, syncOp.Resources)) &&
+				m.isSelfReferencedObj(live, target, app.GetName(), appLabelKey, trackingMethod)
 		}),
 		sync.WithManifestValidation(!syncOp.SyncOptions.HasOption(common.SyncOptionsDisableValidation)),
 		sync.WithNamespaceCreation(syncOp.SyncOptions.HasOption("CreateNamespace=true"), func(un *unstructured.Unstructured) bool {

docs/assets/versions.js

@@ -9,16 +9,6 @@ setTimeout(function() {
   caret.innerHTML = "<i class='fa fa-caret-down dropdown-caret'></i>"
   caret.classList.add('dropdown-caret')
   div.querySelector('.rst-current-version').appendChild(caret);
-  div.querySelector('.rst-current-version').addEventListener('click', function() {
-      const classes = container.className.split(' ');
-      const index = classes.indexOf('shift-up');
-      if (index === -1) {
-          classes.push('shift-up');
-      } else {
-          classes.splice(index, 1);
-      }
-      container.className = classes.join(' ');
-  });
   }
 
   var CSSLink = document.createElement('link');

docs/cli_installation.md

@@ -4,10 +4,10 @@ You can download the latest Argo CD version from [the latest release page of thi
 
 ## Linux and WSL
 
-### ArchLinux User Repository ([AUR](https://aur.archlinux.org/packages/))
+### ArchLinux
 
 ```bash
-yay -Sy argocd-bin
+pacman -S argocd
 ```
 
 ### Homebrew

docs/developer-guide/running-locally.md

@@ -27,6 +27,8 @@ kubectl -n argocd scale deployment/argocd-dex-server --replicas 0
 kubectl -n argocd scale deployment/argocd-repo-server --replicas 0
 kubectl -n argocd scale deployment/argocd-server --replicas 0
 kubectl -n argocd scale deployment/argocd-redis --replicas 0
+kubectl -n argocd scale deployment/argocd-applicationset-controller --replicas 0
+kubectl -n argocd scale deployment/argocd-notifications-controller --replicas 0
 ```
 
 ### Start local services

docs/developer-guide/toolchain-guide.md

@@ -24,8 +24,7 @@ You will need at least the following things in your toolchain in order to develo
 
 * A Kubernetes cluster. You won't need a fully blown multi-master, multi-node cluster, but you will need something like K3S, Minikube or microk8s. You will also need a working Kubernetes client (`kubectl`) configuration in your development environment. The configuration must reside in `~/.kube/config` and the API server URL must point to the IP address of your local machine (or VM), and **not** to `localhost` or `127.0.0.1` if you are using the virtualized development toolchain (see below)
 
-* You will also need a working Docker runtime environment, to be able to build and run images.
-The Docker version must be fairly recent, and support multi-stage builds. You should not work as root. Make your local user a member of the `docker` group to be able to control the Docker service on your machine.
+* You will also need a working Docker runtime environment, to be able to build and run images. The Docker version must be 17.05.0 or higher, to support multi-stage builds. 
 
 * Obviously, you will need a `git` client for pulling source code and pushing back your changes.
 

docs/developer-guide/ui-extensions.md

@@ -0,0 +1,64 @@
+# UI Extensions
+
+Argo CD web user interface can be extended with additional UI elements. Extensions should be delivered as a javascript file
+in the `argocd-server` Pods that are placed in the `/tmp/extensions` directory and starts with `extension` prefix ( matches to `^extension(.*)\.js$` regex ).
+
+```
+/tmp/extensions
+├── example1
+│   └── extension-1.js
+└── example2
+    └── extension-2.js
+```
+
+Extensions are loaded during initial page rendering and should register themselves using API exposed in the `extensionsAPI` global variable. (See
+corresponding extension type details for additional information).
+
+The extension should provide a React component that is responsible for rendering the UI element. Extension should not bundle the React library.
+Instead extension should use the `react` global variable. You can leverage `externals` setting if you are using webpack:
+
+```js
+  externals: {
+    react: 'React'
+  }
+```
+
+## Resource Tab Extensions
+
+Resource Tab extensions is an extension that provides an additional tab for the resource sliding panel at the Argo CD Application details page.
+
+The resource tab extension should be registered using the `extensionsAPI.registerResourceExtension` method:
+
+```typescript
+registerResourceExtension(component: ExtensionComponent, group: string, kind: string, tabTitle: string)
+```
+
+* `component: ExtensionComponent` is a React component that receives the following properties:
+
+    * application: Application - Argo CD Application resource;
+    * resource: State - the kubernetes resource object;
+    * tree: ApplicationTree - includes list of all resources that comprise the application;
+
+    See properties interfaces in [models.ts](https://github.com/argoproj/argo-cd/blob/master/ui/src/app/shared/models.ts)
+
+* `group: string` - the glob expression that matches the group of the resource; note: use globstar (`**`) to match all groups including empty string;
+* `kind: string` - the glob expression that matches the kind of the resource;
+* `tabTitle: string` - the extension tab title.
+* `opts: Object` - additional options:
+  * `icon: string` - the class name the represents the icon from the [https://fontawesome.com/](https://fontawesome.com/) library (e.g. 'fa-calendar-alt');
+
+Below is an example of a resource tab extension:
+
+```javascript
+((window) => {
+    const component = () => {
+        return React.createElement( 'div', {}, 'Hello World' );
+    };
+    window.extensionsAPI.registerResourceExtension(component, '*', '*', 'Nice extension');
+})(window)
+```
+
+## Application Tab Extensions
+
+Since the Argo CD Application is a Kubernetes resource, application tabs can be the same as any other resource tab.
+Make sure to use 'argoproj.io'/'Application' as group/kind and an extension will be used to render the application-level tab.

docs/faq.md

@@ -63,7 +63,7 @@ or a randomly generated password stored in a secret (Argo CD 1.9 and later).
 ## How to disable admin user?
 
 Add `admin.enabled: "false"` to the `argocd-cm` ConfigMap (
-see [user management](operator-manual/user-management/index.md)).
+see [user management](./operator-manual/user-management/index.md)).
 
 ## Argo CD cannot deploy Helm Chart based applications without internet access, how can I solve it?
 
@@ -122,9 +122,9 @@ To terminate the sync, click on the "synchronisation" then "terminate":
 
 ![Synchronization](assets/synchronization-button.png) ![Terminate](assets/terminate-button.png)
 
-## Why Is My App Out Of Sync Even After Syncing?
+## Why Is My App `Out Of Sync` Even After Syncing?
 
-Is some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
+In some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
 Kustomize common labels feature.
 
 Argo CD automatically sets the `app.kubernetes.io/instance` label and uses it to determine which resources form the app.
@@ -151,7 +151,7 @@ E.g.
 To fix this use diffing
 customizations [settings](./user-guide/diffing.md#known-kubernetes-types-in-crds-resource-limits-volume-mounts-etc).
 
-## How Do I Fix "invalid cookie, longer than max length 4093"?
+## How Do I Fix `invalid cookie, longer than max length 4093`?
 
 Argo CD uses a JWT as the auth token. You likely are part of many groups and have gone over the 4KB limit which is set
 for cookies. You can get the list of groups by opening "developer tools -> network"
@@ -174,7 +174,9 @@ argocd ... --grpc-web
 
 ## Why Am I Getting `x509: certificate signed by unknown authority` When Using The CLI?
 
-Your not running your server with correct certs.
+The certificate created by default by Argo CD is not automatically recognised by the Argo CD CLI, in order
+to create a secure system you must follow the instructions to [install a certificate](/operator-manual/tls/)
+and configure your client OS to trust that certificate.
 
 If you're not running in a production system (e.g. you're testing Argo CD out), try the `--insecure` flag:
 
@@ -187,7 +189,7 @@ argocd ... --insecure
 ## I have configured Dex via `dex.config` in `argocd-cm`, it still says Dex is unconfigured. Why?
 
 Most likely you forgot to set the `url` in `argocd-cm` to point to your ArgoCD as well. See also
-[the docs](/operator-manual/user-management/#2-configure-argo-cd-for-sso).
+[the docs](./operator-manual/user-management/index.md#2-configure-argo-cd-for-sso).
 
 ## Why are `SealedSecret` resources reporting a `Status`?
 
@@ -216,4 +218,38 @@ resource.customizations.health.bitnami.com_SealedSecret: |
   hs.status = "Healthy"
   hs.message = "Controller doesn't report resource status"
   return hs
-```
+```
+
+## How do I fix `The order in patch list … doesn't match $setElementOrder list: …`?
+
+An application may trigger a sync error labeled a `ComparisonError` with a message like:
+
+> The order in patch list: [map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]] doesn't match $setElementOrder list: [map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]]
+
+
+There are two parts to the message:
+
+1. `The order in patch list: [`
+
+    This identifies values for items, especially items that appear multiple times:
+
+    > map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]
+
+    You'll want to identify the keys that are duplicated -- you can focus on the first part, as each duplicated key will appear, once for each of its value with its value in the first list. The second list is really just 
+
+   `]`
+
+2. `doesn't match $setElementOrder list: [`
+
+    This includes all of the keys. It's included for debugging purposes -- you don't need to pay much attention to it. It will give you a hint about the precise location in the list for the duplicated keys:
+
+    > map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]
+   
+   `]`
+
+In this case, the duplicated keys have been **emphasized** to help you identify the problematic keys. Many editors have the ability to highlight all instances of a string, using such an editor can help with such problems.
+
+The most common instance of this error is with `env:` fields for `containers`.
+
+!!! note "Dynamic applications"
+    It's possible that your application is being generated by a tool in which case the duplication might not be evident within the scope of a single file. If you have trouble debugging this problem, consider filing a ticket to the owner of the generator tool asking them to improve its validation and error reporting.

docs/getting_started.md

@@ -29,6 +29,13 @@ kubectl create namespace argocd
 kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/core-install.yaml
 ```
 
+This default installation will have a self-signed certificate and cannot be accessed without a bit of extra work.
+Do one of:
+
+* Follow the [instructions to configure a certificate](operator-manual/tls.md) (and ensure that the client OS trusts it).
+* Configure the client OS to trust the self signed certificate.
+* Use the --insecure flag on all Argo CD CLI operations in this guide.
+
 Use `argocd login --core` to [configure](./user-guide/commands/argocd_login.md) CLI access and skip steps 3-5.
 
 ## 2. Download Argo CD CLI

docs/operator-manual/application.yaml

@@ -45,6 +45,9 @@ spec:
       valueFiles:
       - values-prod.yaml
 
+      # Ignore locally missing valueFiles when installing Helm chart. Defaults to false
+      ignoreMissingValueFiles: false
+
       # Values file as block file
       values: |
         ingress:
@@ -61,6 +64,9 @@ spec:
               hosts:
                 - mydomain.example.com
 
+      # Skip custom resource definition installation if chart contains custom resource definitions. Defaults to false
+      skipCrds: false
+
       # Optional Helm version to template with. If omitted it will fall back to look at the 'apiVersion' in Chart.yaml
       # and decide which Helm binary to use automatically. This field can be either 'v2' or 'v3'.
       version: v2
@@ -69,11 +75,16 @@ spec:
     kustomize:
       # Optional kustomize version. Note: version must be configured in argocd-cm ConfigMap
       version: v3.5.4
-      # Optional image name prefix
+      # Supported kustomize transformers. https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
       namePrefix: prod-
-      # Optional images passed to "kustomize edit set image".
+      nameSuffix: -some-suffix
+      commonLabels:
+        foo: bar
+      commonAnnotations:
+        beep: boop
       images:
       - gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - my-app=gcr.io/my-repo/my-app:0.1
 
     # directory
     directory:
@@ -92,6 +103,14 @@ spec:
         - code: false
           name: foo
           value: bar
+      # Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during
+      # manifest generation. This takes precedence over the `include` field.
+      # To match multiple patterns, wrap the patterns in {} and separate them with commas. For example: '{config.yaml,env-use2/*}'
+      exclude: 'config.yaml'
+      # Include contains a glob pattern to match paths against that should be explicitly included during manifest
+      # generation. If this field is set, only matching manifests will be included.
+      # To match multiple patterns, wrap the patterns in {} and separate them with commas. For example: '{*.yml,*.yaml}'
+      include: '*.yaml'
 
     # plugin specific config
     plugin:
@@ -106,7 +125,10 @@ spec:
 
   # Destination cluster and namespace to deploy the application
   destination:
+    # cluster API URL
     server: https://kubernetes.default.svc
+    # or cluster name
+    # name: in-cluster
     # The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
     namespace: guestbook
 

docs/operator-manual/applicationset/Generators-Cluster.md

@@ -45,7 +45,7 @@ spec:
     metadata:
       name: '{{name}}-guestbook' # 'name' field of the Secret
     spec:
-      project: "default"
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argocd-example-apps/
         targetRevision: HEAD
@@ -144,7 +144,7 @@ spec:
     metadata:
       name: '{{name}}-guestbook'
     spec:
-      project: "default"
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argocd-example-apps/
         # The cluster values field for each generator will be substituted here:

docs/operator-manual/applicationset/Generators-Git.md

@@ -2,6 +2,12 @@
 
 The Git generator contains two subtypes: the Git directory generator, and Git file generator.
 
+!!! warning
+    Git generators are often used to make it easier for (non-admin) developers to create Applications.
+    If the `project` field in your ApplicationSet is templated, developers may be able to create Applications under Projects with excessive permissions.
+    For ApplicationSets with a templated `project` field, [the source of truth _must_ be controlled by admins](./Security.md#templated-project-field)
+    - in the case of git generators, PRs must require admin approval.
+
 ## Git Generator: Directories
 
 The Git directory generator, one of two subtypes of the Git generator, generates parameters using the directory structure of a specified Git repository.
@@ -39,9 +45,9 @@ spec:
       - path: applicationset/examples/git-generator-directory/cluster-addons/*
   template:
     metadata:
-      name: '{{path[0]}}'
+      name: '{{path.basename}}'
     spec:
-      project: default
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
@@ -49,6 +55,9 @@ spec:
       destination:
         server: https://kubernetes.default.svc
         namespace: '{{path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true
 ```
 (*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-directory).*)
 
@@ -59,13 +68,15 @@ The generator parameters are:
 - `{{path.basename}}`: For any directory path within the Git repository that matches the `path` wildcard, the right-most path name is extracted (e.g. `/directory/directory2` would produce `directory2`).
 - `{{path.basenameNormalized}}`: This field is the same as `path.basename` with unsupported characters replaced with `-` (e.g. a `path` of `/directory/directory_2`, and `path.basename` of `directory_2` would produce `directory-2` here).
 
-Whenever a new Helm chart/Kustomize YAML/Application/plain subfolder is added to the Git repository, the ApplicationSet controller will detect this change and automatically deploy the resulting manifests within new `Application` resources.
+**Note**: The right-most path name always becomes `{{path.basename}}`. For example, for `- path: /one/two/three/four`, `{{path.basename}}` is `four`.
+
+Whenever a new Helm chart/Kustomize YAML/Application/plain subdirectory is added to the Git repository, the ApplicationSet controller will detect this change and automatically deploy the resulting manifests within new `Application` resources.
 
 As with other generators, clusters *must* already be defined within Argo CD, in order to generate Applications for them.
 
 ### Exclude directories
 
-The Git directory generator will automatically exclude folders that begin with `.` (such as `.git`).
+The Git directory generator will automatically exclude directories that begin with `.` (such as `.git`).
 
 The Git directory generator also supports an `exclude` option in order to exclude directories in the repository from being scanned by the ApplicationSet controller:
 
@@ -88,7 +99,7 @@ spec:
     metadata:
       name: '{{path.basename}}'
     spec:
-      project: default
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
@@ -99,7 +110,7 @@ spec:
 ```
 (*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/examples/applicationset/git-generator-directory/excludes).*)
 
-This example excludes the `exclude-helm-guestbook` directory from the list of directories scanned for this `ApplictionSet` resource.
+This example excludes the `exclude-helm-guestbook` directory from the list of directories scanned for this `ApplicationSet` resource.
 
 !!! note "Exclude rules have higher priority than include rules"
 
@@ -144,6 +155,41 @@ Or, a shorter way (using [path.Match](https://golang.org/pkg/path/#Match) syntax
   exclude: true
 ```
 
+### Root Of Git Repo
+
+The Git directory generator can be configured to deploy from the root of the git repository by providing `'*'` as the `path`.
+
+To exclude directories, you only need to put the name/[path.Match](https://golang.org/pkg/path/#Match) of the directory you do not want to deploy.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: cluster-addons
+  namespace: argocd
+spec:
+  generators:
+  - git:
+      repoURL: https://github.com/example/example-repo.git
+      revision: HEAD
+      directories:
+      - path: '*'
+      - path: donotdeploy
+        exclude: true
+  template:
+    metadata:
+      name: '{{path.basename}}'
+    spec:
+      project: "my-project"
+      source:
+        repoURL: https://github.com/example/example-repo.git
+        targetRevision: HEAD
+        path: '{{path}}'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{path.basename}}'
+```
+
 ## Git Generator: Files
 
 The Git file generator is the second subtype of the Git generator. The Git file generator generates parameters using the contents of JSON/YAML files found within a specified repository.
@@ -164,7 +210,7 @@ Suppose you have a Git repository with the following directory structure:
 └── git-generator-files.yaml
 ```
 
-The folders are:
+The directories are:
 
 - `guestbook` contains the Kubernetes resources for a simple guestbook application
 - `cluster-config` contains JSON/YAML files describing the individual engineering clusters: one for `dev` and one for `prod`.
@@ -228,10 +274,16 @@ As with other generators, clusters *must* already be defined within Argo CD, in
 
 In addition to the flattened key/value pairs from the configuration file, the following generator parameters are provided:
 
-- `{{path}}`: The path to the folder containing matching configuration file within the Git repository. Example: `/clusters/clusterA`, if the config file was `/clusters/clusterA/config.json`
+- `{{path}}`: The path to the directory containing matching configuration file within the Git repository. Example: `/clusters/clusterA`, if the config file was `/clusters/clusterA/config.json`
 - `{{path[n]}}`: The path to the matching configuration file within the Git repository, split into array elements (`n` - array index). Example: `path[0]: clusters`, `path[1]: clusterA`
-- `{{path.basename}}`: Basename of the path to the folder containing the configuration file (e.g. `clusterA`, with the above example.)
+- `{{path.basename}}`: Basename of the path to the directory containing the configuration file (e.g. `clusterA`, with the above example.)
 - `{{path.basenameNormalized}}`: This field is the same as `path.basename` with unsupported characters replaced with `-` (e.g. a `path` of `/directory/directory_2`, and `path.basename` of `directory_2` would produce `directory-2` here).
+- `{{path.filename}}`: The matched filename. e.g., `config.json` in the above example.
+- `{{path.filenameNormalized}}`: The matched filename with unsupported characters replaced with `-`.
+
+**Note**: The right-most *directory* name always becomes `{{path.basename}}`. For example, from `- path: /one/two/three/four/config.json`, `{{path.basename}}` will be `four`. 
+The filename can always be accessed using `{{path.filename}}`. 
+
 
 ## Webhook Configuration
 

docs/operator-manual/applicationset/Generators-List.md

@@ -20,7 +20,7 @@ spec:
     metadata:
       name: '{{cluster}}-guestbook'
     spec:
-      project: default
+      project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD

docs/operator-manual/applicationset/Generators-Matrix.md

@@ -107,32 +107,33 @@ Finally, the Matrix generator will combine both sets of outputs, and produce:
 ## Restrictions
 
 1. The Matrix generator currently only supports combining the outputs of only two child generators (eg does not support generating combinations for 3 or more).
+
 1. You should specify only a single generator per array entry, eg this is not valid:
-```yaml
-- matrix:
-    generators:
-     - list: # (...)
-       git: # (...)
-```
+
+        - matrix:
+            generators:
+            - list: # (...)
+              git: # (...)
+
     - While this *will* be accepted by Kubernetes API validation, the controller will report an error on generation. Each generator should be specified in a separate array element, as in the examples above.
+
 1. The Matrix generator does not currently support [`template` overrides](Template.md#generator-templates) specified on child generators, eg this `template` will not be processed:
-```yaml
-- matrix:
-    generators:
-      - list:
-          elements:
-            - # (...)
-          template: { } # Not processed
-```
+
+        - matrix:
+            generators:
+              - list:
+                  elements:
+                    - # (...)
+                  template: { } # Not processed
+
 1. Combination-type generators (matrix or merge) can only be nested once. For example, this will not work:
-```yaml
-- matrix:
-    generators:
-      - matrix:
-          generators:
-            - matrix:  # This third level is invalid.
-                generators:
-                  - list:
-                      elements:
-                        - # (...)
-```
+
+        - matrix:
+            generators:
+              - matrix:
+                  generators:
+                    - matrix:  # This third level is invalid.
+                        generators:
+                          - list:
+                              elements:
+                                - # (...)

docs/operator-manual/applicationset/Generators-Merge.md

@@ -114,31 +114,31 @@ When merged with the updated base parameters, the `values.redis` value for the p
 ## Restrictions
 
 1. You should specify only a single generator per array entry. This is not valid:
-```yaml
-- merge:
-    generators:
-     - list: # (...)
-       git: # (...)
-```
+
+        - merge:
+            generators:
+            - list: # (...)
+              git: # (...)
+
     - While this *will* be accepted by Kubernetes API validation, the controller will report an error on generation. Each generator should be specified in a separate array element, as in the examples above.
+
 1. The Merge generator does not support [`template` overrides](Template.md#generator-templates) specified on child generators. This `template` will not be processed:
-```yaml
-- merge:
-    generators:
-      - list:
-          elements:
-            - # (...)
-          template: { } # Not processed
-```
+
+        - merge:
+            generators:
+              - list:
+                  elements:
+                    - # (...)
+                  template: { } # Not processed
+
 1. Combination-type generators (Matrix or Merge) can only be nested once. For example, this will not work:
-```yaml
-- merge:
-    generators:
-      - merge:
-          generators:
-            - merge:  # This third level is invalid.
-                generators:
-                  - list:
-                      elements:
-                        - # (...)
-```
+
+        - merge:
+            generators:
+              - merge:
+                  generators:
+                    - merge:  # This third level is invalid.
+                        generators:
+                          - list:
+                              elements:
+                                - # (...)

docs/operator-manual/applicationset/Generators-Pull-Request.md

@@ -1,7 +1,6 @@
 # Pull Request Generator
 
-The Pull Request generator uses the API of an SCMaaS provider (eg GitHub/GitLab) to automatically discover open pull requests within an repository. This fits well with the style of building a test environment when you create a pull request.
-
+The Pull Request generator uses the API of an SCMaaS provider (GitHub, Gitea, or Bitbucket Server) to automatically discover open pull requests within a repository. This fits well with the style of building a test environment when you create a pull request.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -11,14 +10,22 @@ metadata:
 spec:
   generators:
   - pullRequest:
+      # When using a Pull Request generator, the ApplicationSet controller polls every `requeueAfterSeconds` interval (defaulting to every 30 minutes) to detect changes.
+      requeueAfterSeconds: 1800
       # See below for provider specific options.
       github:
         # ...
 ```
 
+!!! note
+    Know the security implications of PR generators in ApplicationSets. 
+    [Only admins may create ApplicationSets](./Security.md#only-admins-may-createupdatedelete-applicationsets) to avoid
+    leaking Secrets, and [only admins may create PRs](./Security.md#templated-project-field) if the `project` field of 
+    an ApplicationSet with a PR generator is templated, to avoid granting management of out-of-bounds resources.
+
 ## GitHub
 
-Specify the repository from which to fetch the Github Pull requests.
+Specify the repository from which to fetch the GitHub Pull requests.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -42,16 +49,16 @@ spec:
         # Labels is used to filter the PRs that you want to target. (optional)
         labels:
         - preview
-  requeueAfterSeconds: 1800
+      requeueAfterSeconds: 1800
   template:
   # ...
 ```
 
 * `owner`: Required name of the GitHub organization or user.
-* `repo`: Required name of the Github repository.
+* `repo`: Required name of the GitHub repository.
 * `api`: If using GitHub Enterprise, the URL to access it. (Optional)
 * `tokenRef`: A `Secret` name and key containing the GitHub access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional)
-* `labels`: Labels is used to filter the PRs that you want to target. (Optional)
+* `labels`: Filter the PRs to those containing **all** of the labels listed. (Optional)
 
 ## Gitea
 
@@ -78,7 +85,7 @@ spec:
           key: token
         # many gitea deployments use TLS, but many are self-hosted and self-signed certificates
         insecure: true
-  requeueAfterSeconds: 1800
+      requeueAfterSeconds: 1800
   template:
   # ...
 ```
@@ -134,7 +141,7 @@ If you want to access a private repository, you must also provide the credential
 ## Filters
 
 Filters allow selecting which pull requests to generate for. Each filter can declare one or more conditions, all of which must pass. If multiple filters are present, any can match for a repository to be included. If no filters are specified, all pull requests will be processed.
-Currently, only a subset of filters is available when comparing with SCM provider filters.
+Currently, only a subset of filters is available when comparing with [SCM provider](Generators-SCM-Provider.md) filters.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -143,7 +150,7 @@ metadata:
   name: myapps
 spec:
   generators:
-  - scmProvider:
+  - pullRequest:
       # ...
       # Include any pull request ending with "argocd". (optional)
       filters:
@@ -154,6 +161,7 @@ spec:
 
 * `branchMatch`: A regexp matched against source branch names.
 
+[GitHub](#github) and [GitLab](#gitlab) also support a `labels` filter.
 
 ## Template
 
@@ -182,7 +190,7 @@ spec:
           parameters:
           - name: "image.tag"
             value: "pull-{{head_sha}}"
-      project: default
+      project: "my-project"
       destination:
         server: https://kubernetes.default.svc
         namespace: default
@@ -213,7 +221,7 @@ spec:
             app.kubernetes.io/instance: {{branch}}-{{number}}
           images:
           - ghcr.io/myorg/myrepo:{{head_sha}}
-      project: default
+      project: "my-project"
       destination:
         server: https://kubernetes.default.svc
         namespace: default
@@ -230,6 +238,7 @@ When using a Pull Request generator, the ApplicationSet controller polls every `
 The configuration is almost the same as the one described [in the Git generator](Generators-Git.md), but there is one difference: if you want to use the Pull Request Generator as well, additionally configure the following settings.
 
 In section 1, _"Create the webhook in the Git provider"_, add an event so that a webhook request will be sent when a pull request is created, closed, or label changed.
+
 Select `Let me select individual events` and enable the checkbox for `Pull requests`.
 
 ![Add Webhook](../../assets/applicationset/webhook-config-pull-request.png "Add Webhook Pull Request")

docs/operator-manual/applicationset/Generators-SCM-Provider.md

@@ -19,9 +19,15 @@ spec:
 
 * `cloneProtocol`: Which protocol to use for the SCM URL. Default is provider-specific but ssh if possible. Not all providers necessarily support all protocols, see provider documentation below for available options.
 
+!!! note
+    Know the security implications of using SCM generators. [Only admins may create ApplicationSets](./Security.md#only-admins-may-createupdatedelete-applicationsets) 
+    to avoid leaking Secrets, and [only admins may create repos/branches](./Security.md#templated-project-field) if the 
+    `project` field of an ApplicationSet with an SCM generator is templated, to avoid granting management of 
+    out-of-bounds resources.
+
 ## GitHub
 
-The GitHub mode uses the GitHub API to scan and organization in either github.com or GitHub Enterprise.
+The GitHub mode uses the GitHub API to scan an organization in either github.com or GitHub Enterprise.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -70,7 +76,7 @@ spec:
       gitlab:
         # The base GitLab group to scan.  You can either use the group id or the full namespaced path.
         group: "8675309"
-        # For GitLab Enterprise:
+        # For self-hosted GitLab:
         api: https://gitlab.example.com/
         # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false.
         allBranches: true
@@ -85,7 +91,7 @@ spec:
 ```
 
 * `group`: Required name of the base GitLab group to scan. If you have multiple base groups, use multiple generators.
-* `api`: If using GitHub Enterprise, the URL to access it.
+* `api`: If using self-hosted GitLab, the URL to access it.
 * `allBranches`: By default (false) the template will only be evaluated for the default branch of each repo. If this is true, every branch of every repository will be passed to the filters. If using this flag, you likely want to use a `branchMatch` filter.
 * `includeSubgroups`: By default (false) the controller will only search for repos directly in the base group. If this is true, it will recurse through all the subgroups searching for repos to scan.
 * `tokenRef`: A `Secret` name and key containing the GitLab access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories.
@@ -172,6 +178,42 @@ If you want to access a private repository, you must also provide the credential
 
 Available clone protocols are `ssh` and `https`.
 
+## Bitbucket Cloud
+
+The Bitbucket mode uses the Bitbucket API V2 to scan a workspace in bitbucket.org.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: myapps
+spec:
+  generators:
+  - scmProvider:
+      bitbucket:
+        # The workspace id (slug).  
+        owner: "example-owner"
+        # The user to use for basic authentication with an app password.
+        user: "example-user"
+        # If true, scan every branch of every repository. If false, scan only the main branch. Defaults to false.
+        allBranches: true
+        # Reference to a Secret containing an app password.
+        appPasswordRef:
+          secretName: appPassword
+          key: password
+  template:
+  # ...
+```
+
+* `owner`: The workspace ID (slug) to use when looking up repositories.
+* `user`: The user to use for authentication to the Bitbucket API V2 at bitbucket.org.
+* `allBranches`: By default (false) the template will only be evaluated for the main branch of each repo. If this is true, every branch of every repository will be passed to the filters. If using this flag, you likely want to use a `branchMatch` filter.
+* `appPasswordRef`: A `Secret` name and key containing the bitbucket app password to use for requests.
+
+This SCM provider does not yet support label filtering
+
+Available clone protocols are `ssh` and `https`.
+
 ## Filters
 
 Filters allow selecting which repositories to generate for. Each filter can declare one or more conditions, all of which must pass. If multiple filters are present, any can match for a repository to be included. If no filters are specified, all repositories will be processed.

docs/operator-manual/applicationset/Generators.md

@@ -4,7 +4,7 @@ Generators are responsible for generating *parameters*, which are then rendered
 
 Generators are primarily based on the data source that they use to generate the template parameters. For example: the List generator provides a set of parameters from a *literal list*, the Cluster generator uses the *Argo CD cluster list* as a source, the Git generator uses files/directories from a *Git repository*, and so.
 
-As of this writing there are seven generators:
+As of this writing there are eight generators:
 
 - [List generator](Generators-List.md): The List generator allows you to target Argo CD Applications to clusters based on a fixed list of cluster name/URL values.
 - [Cluster generator](Generators-Cluster.md): The Cluster generator allows you to target Argo CD Applications to clusters, based on the list of clusters defined within (and managed by) Argo CD (which includes automatically responding to cluster addition/removal events from Argo CD).

docs/operator-manual/applicationset/Getting-Started.md

@@ -22,9 +22,9 @@ Follow the [Argo CD Getting Started](../../getting_started.md) instructions for
 
 ### B) Install ApplicationSet into an existing Argo CD install (pre-Argo CD v2.3)
 
-**Note**: These instruction only apply to versions of Argo CD before v2.3.0.
+**Note**: These instructions only apply to versions of Argo CD before v2.3.0.
 
-The ApplicationSet controller *must* be installed into the same namespace as the Argo CD it is targetting.
+The ApplicationSet controller *must* be installed into the same namespace as the Argo CD it is targeting.
 
 Presuming that Argo CD is installed into the `argocd` namespace, run the following command:
 

docs/operator-manual/applicationset/Security.md

@@ -0,0 +1,38 @@
+# ApplicationSet Security
+
+ApplicationSet is a powerful tool, and it is crucial to understand its security implications before using it.
+
+## Only admins may create/update/delete ApplicationSets
+
+ApplicationSets can create Applications under arbitrary [Projects](../../user-guide/projects.md). Argo CD setups often
+include Projects (such as the `default`) with high levels of permissions, often including the ability to manage the 
+resources of Argo CD itself (like the RBAC ConfigMap).
+
+ApplicationSets can also quickly create an arbitrary number of Applications and just as quickly delete them.
+
+Finally, ApplicationSets can reveal privileged information. For example, the [git generator](./Generators-Git.md) can
+read Secrets in the Argo CD namespace and send them to arbitrary URLs (e.g. URL provided for the `api` field) as auth headers.
+(This functionality is intended for authorizing requests to SCM providers like GitHub, but it could be abused by a malicious user.)
+
+For these reasons, **only admins** may be given permission (via Kubernetes RBAC or any other mechanism) to create, 
+update, or delete ApplicationSets.
+
+## Admins must apply appropriate controls for ApplicationSets' sources of truth
+
+Even if non-admins can't create ApplicationSet resources, they may be able to affect the behavior of ApplicationSets.
+
+For example, if an ApplicationSet uses a [git generator](./Generators-Git.md), a malicious user with push access to the
+source git repository could generate an excessively high number of Applications, putting strain on the ApplicationSet
+and Application controllers. They could also cause the SCM provider's rate limiting to kick in, degrading ApplicationSet
+service.
+
+### Templated `project` field
+
+It's important to pay special attention to ApplicationSets where the `project` field is templated. A malicious user with
+write access to the generator's source of truth (for example, someone with push access to the git repo for a git
+generator) could create Applications under Projects with insufficient restrictions. A malicious user with the ability to
+create an Application under an unrestricted Project (like the `default` Project) could take control of Argo CD itself
+by, for example, modifying its RBAC ConfigMap.
+
+If the `project` field is not hard-coded in an ApplicationSet's template, then admins _must_ control all sources of 
+truth for the ApplicationSet's generators.

docs/operator-manual/applicationset/index.md

@@ -15,6 +15,9 @@ The ApplicationSet controller, supplements Argo CD by adding additional features
 - Improved support for monorepos: in the context of Argo CD, a monorepo is multiple Argo CD Application resources defined within a single Git repository
 - Within multitenant clusters, improves the ability of individual cluster tenants to deploy applications using Argo CD (without needing to involve privileged cluster administrators in enabling the destination clusters/namespaces)
 
+!!! note
+    Be aware of the [security implications](./Security.md) of ApplicationSets before using them.
+
 ## The ApplicationSet resource
 
 This example defines a new `guestbook` resource of kind `ApplicationSet`:
@@ -37,6 +40,7 @@ spec:
     metadata:
       name: '{{cluster}}-guestbook'
     spec:
+      project: my-project
       source:
         repoURL: https://github.com/infra-team/cluster-deployments.git
         targetRevision: HEAD

docs/operator-manual/argocd-cm.yaml

@@ -36,15 +36,18 @@ data:
   help.chatUrl: "https://mycorp.slack.com/argo-cd"
   # the text for getting chat help, defaults to "Chat now!"
   help.chatText: "Chat now!"
-  # The URLs to download additional ArgoCD binaries (besides the Linux amd64 binary included by default)
+  # The URLs to download additional ArgoCD binaries (besides the Linux with current platform binary included by default)
   # for different OS architectures. If provided, additional download buttons will be displayed on the help page.
+  help.download.linux-amd64: "path-or-url-to-download"
   help.download.linux-arm64: "path-or-url-to-download"
+  help.download.linux-ppc64le: "path-or-url-to-download"
+  help.download.linux-s390x: "path-or-url-to-download"
   help.download.darwin-amd64: "path-or-url-to-download"
   help.download.darwin-arm64: "path-or-url-to-download"
   help.download.windows-amd64: "path-or-url-to-download"
 
   # A dex connector configuration (optional). See SSO configuration documentation:
-  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/sso
+  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
   # https://dexidp.io/docs/connectors/
   dex.config: |
     connectors:
@@ -231,6 +234,14 @@ data:
   # If omitted, Argo CD injects the app name into the label: 'app.kubernetes.io/instance'
   application.instanceLabelKey: mycompany.com/appname
 
+  # You can change the resource tracking method Argo CD uses by changing the
+  # setting application.resourceTrackingMethod to the desired method.
+  # The following methods are available:
+  # - label            : Uses the application.instanceLabelKey label for tracking
+  # - annotation       : Uses an annotation with additional metadata for tracking instead of the label
+  # - annotation+label : Also uses an annotation for tracking, but additionally labels the resource with the application name
+  application.resourceTrackingMethod: annotation
+
   # disables admin user. Admin is enabled by default
   admin.enabled: "false"
   # add an additional local user with apiKey and login capabilities
@@ -288,3 +299,12 @@ data:
 
   # exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default.
   exec.enabled: "false"
+
+  # exec.shells restricts which shells are allowed for `exec`, and in which order they are attempted
+  exec.shells: "bash,sh,powershell,cmd"
+
+  # oidc.tls.insecure.skip.verify determines whether certificate verification is skipped when verifying tokens with the
+  # configured OIDC provider (either external or the bundled Dex instance). Setting this to "true" will cause JWT
+  # token verification to pass despite the OIDC provider having an invalid certificate. Only set to "true" if you
+  # understand the risks.
+  oidc.tls.insecure.skip.verify: "false"

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -17,6 +17,9 @@ data:
   # Redis database
   redis.db:
 
+  # Open-Telemetry collector address: (e.g. "otel-collector:4317")
+  otlp.address:
+
   ## Controller Properties
   # Repo server RPC call timeout seconds.
   controller.repo.server.timeout.seconds: "60"
@@ -103,4 +106,10 @@ data:
   reposerver.repo.cache.expiration: "24h0m0s"
   # Cache expiration default (default 24h0m0s)
   reposerver.default.cache.expiration: "24h0m0s"
-  
+  # Max combined manifest file size for a single directory-type Application. In-memory manifest representation may be as
+  # much as 300x the manifest file size. Limit this to stay within the memory limits of the repo-server while allowing
+  # for 300x memory expansion and N Applications running at the same time.
+  # (example 10M max * 300 expansion * 10 Apps = 30G max theoretical memory usage).
+  reposerver.max.combined.directory.manifests.size: '10M'
+  # Paths to be excluded from the tarball streamed to plugins. Separate with ;
+  reposerver.plugin.tar.exclusions: ""

docs/operator-manual/custom_tools.md

@@ -51,7 +51,7 @@ following example builds an entirely customized repo-server from a Dockerfile, i
 dependencies that may be needed for generating manifests.
 
 ```Dockerfile
-FROM argoproj/argocd:latest
+FROM argoproj/argocd:v2.5.4 # Replace tag with the appropriate argo version
 
 # Switch to root for the ability to perform install
 USER root

docs/operator-manual/declarative-setup.md

@@ -77,7 +77,7 @@ spec:
 ```
 
 !!! warning
-    By default, deleting an application will not perform a cascade delete, which would delete its resources. You must add the finalizer if you want this behaviour - which you may well not want.
+    Without the `resources-finalizer.argocd.argoproj.io` finalizer, deleting an application will not delete the resources it manages. To perform a cascading delete, you must add the finalizer. See [App Deletion](../user-guide/app_deletion.md#about-the-deletion-finalizer).
 
 ```yaml
 metadata:
@@ -489,6 +489,7 @@ The secret data must include following fields:
 * `name` - cluster name
 * `server` - cluster api server url
 * `namespaces` - optional comma-separated list of namespaces which are accessible in that cluster. Cluster level resources would be ignored if namespace list is not empty.
+* `clusterResources` - optional boolean string (`"true"` or `"false"`) determining whether Argo CD can manage cluster-level resources on this cluster. This setting is used only if the list of managed namespaces is not empty.
 * `config` - JSON representation of following data structure:
 
 ```yaml

docs/operator-manual/health.md

@@ -5,7 +5,7 @@ Argo CD provides built-in health assessment for several standard Kubernetes type
 surfaced to the overall Application health status as a whole. The following checks are made for
 specific types of kubernetes resources:
 
-### Deployment, ReplicaSet, StatefulSet DaemonSet
+### Deployment, ReplicaSet, StatefulSet, DaemonSet
 * Observed generation is equal to desired generation.
 * Number of **updated** replicas equals the number of desired replicas.
 

docs/operator-manual/high_availability.md

@@ -1,10 +1,8 @@
 # High Availability
 
-Argo CD is largely stateless, all data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
+Argo CD is largely stateless. All data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
 
-A set of HA manifests are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
-
-[Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests) 
+A set of [HA manifests](https://github.com/argoproj/argo-cd/tree/master/manifests/ha) are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
 
 !!! note
     The HA installation will require at least three different nodes due to pod anti-affinity roles in the specs.
@@ -17,11 +15,11 @@ A set of HA manifests are provided for users who wish to run Argo CD in a highly
 
 The `argocd-repo-server` is responsible for cloning Git repository, keeping it up to date and generating manifests using the appropriate tool.
 
-* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory and limit on the number of OS threads.
-The `--parallelismlimit` flag controls how many manifests generations are running concurrently and allows avoiding OOM kills.
+* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory or limit on the number of OS threads.
+The `--parallelismlimit` flag controls how many manifests generations are running concurrently and helps avoid OOM kills.
 
 * the `argocd-repo-server` ensures that repository is in the clean state during the manifest generation using config management tools such as Kustomize, Helm
-or custom plugin. As a result Git repositories with multiple applications might be affect repository server performance.
+or custom plugin. As a result Git repositories with multiple applications might affect repository server performance.
 Read [Monorepo Scaling Considerations](#monorepo-scaling-considerations) for more information.
 
 * `argocd-repo-server` clones repository into `/tmp` ( of path specified in `TMPDIR` env variable ). Pod might run out of disk space if have too many repository
@@ -30,7 +28,7 @@ or repositories has a lot of files. To avoid this problem mount persistent volum
 * `argocd-repo-server` `git ls-remote` to resolve ambiguous revision such as `HEAD`, branch or tag name. This operation is happening pretty frequently
 and might fail. To avoid failed syncs use `ARGOCD_GIT_ATTEMPTS_COUNT` environment variable to retry failed requests.
 
-* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind this will negate the benefit of caching if set too low. 
+* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches the generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind that this will negate the benefits of caching if set too low. 
 
 * `argocd-repo-server` fork exec config management tools such as `helm` or `kustomize` and enforces 90 seconds timeout. The timeout can be increased using `ARGOCD_EXEC_TIMEOUT` env variable. The value should be in Go time duration string format, for example, `2m30s`.
 
@@ -61,7 +59,7 @@ number of allowed concurrent kubectl fork/execs.
 * The controller uses Kubernetes watch APIs to maintain lightweight Kubernetes cluster cache. This allows to avoid querying Kubernetes during app reconciliation and significantly improve
 performance. For performance reasons controller monitors and caches only preferred the version of a resource. During reconciliation, the controller might have to convert cached resource from
 preferred version into a version of the resource stored in Git. If `kubectl convert` fails because conversion is not supported then controller falls back to Kubernetes API query which slows down
-reconciliation. In this case advice user-preferred resource version in Git.
+reconciliation. In this case, we advise you to use the preferred resource version in Git.
 
 * The controller polls Git every 3m by default. You can increase this duration using `timeout.reconciliation` setting in the `argocd-cm` ConfigMap. The value of `timeout.reconciliation` is a duration string e.g `60s`, `1m`, `1h` or `1d`.
 
@@ -119,27 +117,24 @@ If the manifest generation has no side effects then requests are processed in pa
   * **Multiple Helm based applications pointing to the same directory in one Git repository:** ensure that your Helm chart don't have conditional
 [dependencies](https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags) and create `.argocd-allow-concurrency` file in chart directory.
 
-  * **Multiple Custom plugin based applications:** avoid creating temporal files during manifest generation and create `.argocd-allow-concurrency` file in app directory.
+  * **Multiple Custom plugin based applications:** avoid creating temporal files during manifest generation and create `.argocd-allow-concurrency` file in app directory, or use the sidecar plugin option, which processes each application using a temporary copy of the repository.
 
   * **Multiple Kustomize applications in same repository with [parameter overrides](../user-guide/parameters.md):** sorry, no workaround for now.
 
 
 ### Webhook and Manifest Paths Annotation
 
-Argo CD aggressively caches generated manifests and uses repository commit SHA as a cache key. A new commit to the Git repository invalidates cache for all applications configured in the repository
-that again negatively affect mono repositories with multiple applications. You might use [webhooks ⧉](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/webhook.md) and `argocd.argoproj.io/manifest-generate-paths` Application
-CRD annotation to solve this problem and improve performance.
+Argo CD aggressively caches generated manifests and uses the repository commit SHA as a cache key. A new commit to the Git repository invalidates the cache for all applications configured in the repository.
+This can negatively affect repositories with multiple applications. You can use [webhooks](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/webhook.md) and the `argocd.argoproj.io/manifest-generate-paths` Application CRD annotation to solve this problem and improve performance.
 
-The `argocd.argoproj.io/manifest-generate-paths` contains a semicolon-separated list of paths within the Git repository that are used during manifest generation. The webhook compares paths specified in the annotation
-with the changed files specified in the webhook payload. If non of the changed files are located in the paths then webhook don't trigger application reconciliation and re-uses previously generated manifests cache for a new commit.
+The `argocd.argoproj.io/manifest-generate-paths` annotation contains a semicolon-separated list of paths within the Git repository that are used during manifest generation. The webhook compares paths specified in the annotation with the changed files specified in the webhook payload. If no modified files match the paths specified in `argocd.argoproj.io/manifest-generate-paths`, then the webhook will not trigger application reconciliation and the existing cache will be considered valid for the new commit.
 
-Installations that use a different repo for each app are **not** subject to this behavior and will likely get no benefit from using these annotations.
+Installations that use a different repository for each application are **not** subject to this behavior and will likely get no benefit from using these annotations.
 
 !!! note
-    Application manifest paths annotation support depends on the git provider used for the Application. It is currently only supported for GitHub, GitLab, and Gogs based repos
-I'm using `.Second()` modifier to avoid distracting users who already rely on `--app-resync` flag.
+    Application manifest paths annotation support depends on the git provider used for the Application. It is currently only supported for GitHub, GitLab, and Gogs based repos.
 
-* **Relative path** The annotation might contains relative path. In this case the path is considered relative to the path specified in the application source:
+* **Relative path** The annotation might contain a relative path. In this case the path is considered relative to the path specified in the application source:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -157,7 +152,8 @@ spec:
     path: guestbook
 # ...
 ```
-* **Absolute path** The annotation value might be an absolute path started from '/'. In this case path is considered as an absolute path within the Git repository:
+
+* **Absolute path** The annotation value might be an absolute path starting with '/'. In this case path is considered as an absolute path within the Git repository:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1

docs/operator-manual/ingress.md

@@ -12,7 +12,7 @@ There are several ways how Ingress can be configured.
 
 The Ambassador Edge Stack can be used as a Kubernetes ingress controller with [automatic TLS termination](https://www.getambassador.io/docs/latest/topics/running/tls/#host) and routing capabilities for both the CLI and the UI.
 
-The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command. Given the `argocd` CLI includes the port number in the request `host` header, 2 Mappings are required.
+The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md). Given the `argocd` CLI includes the port number in the request `host` header, 2 Mappings are required.
 
 ### Option 1: Mapping CRD for Host-based Routing
 ```yaml
@@ -72,7 +72,7 @@ argocd login <host>:<port> --grpc-web-root-path /argo-cd
 ## [Contour](https://projectcontour.io/)
 The Contour ingress controller can terminate TLS ingress traffic at the edge.
 
-The Argo CD API server should be run with TLS disabled. Edit the `argocd-server` Deployment to add the `--insecure` flag to the argocd-server container command.
+The Argo CD API server should be run with TLS disabled. Edit the `argocd-server` Deployment to add the `--insecure` flag to the argocd-server container command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).
 
 It is also possible to provide an internal-only ingress path and an external-only ingress path by deploying two instances of Contour: one behind a private-subnet LoadBalancer service and one behind a public-subnet LoadBalancer service. The private Contour deployment will pick up Ingresses annotated with `kubernetes.io/ingress.class: contour-internal` and the public Contour deployment will pick up Ingresses annotated with `kubernetes.io/ingress.class: contour-external`.
 
@@ -164,20 +164,7 @@ spec:
 The argocd-server Service needs to be annotated with `projectcontour.io/upstream-protocol.h2c: "https,443"` to wire up the gRPC protocol proxying.
 
 The API server should then be run with TLS disabled. Edit the `argocd-server` deployment to add the
-`--insecure` flag to the argocd-server command:
-
-```yaml
-spec:
-  template:
-    spec:
-      containers:
-      - name: argocd-server
-        command:
-        - /argocd-server
-        - --repo-server
-        - argocd-repo-server:8081
-        - --insecure
-```
+`--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).
 
 ## [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx)
 
@@ -319,20 +306,7 @@ spec:
 ```
 
 The API server should then be run with TLS disabled. Edit the `argocd-server` deployment to add the
-`--insecure` flag to the argocd-server command:
-
-```yaml
-spec:
-  template:
-    spec:
-      containers:
-      - name: argocd-server
-        command:
-        - argocd-server
-        - --repo-server
-        - argocd-repo-server:8081
-        - --insecure
-```
+`--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).
 
 The obvious disadvantage to this approach is that this technique requires two separate hostnames for
 the API server -- one for gRPC and the other for HTTP/HTTPS. However it allows TLS termination to
@@ -345,7 +319,7 @@ Traefik can be used as an edge router and provide [TLS](https://docs.traefik.io/
 
 It currently has an advantage over NGINX in that it can terminate both TCP and HTTP connections _on the same port_ meaning you do not require multiple hosts or paths.
 
-The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command.
+The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command or set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).
 
 ### IngressRoute CRD
 ```yaml
@@ -455,26 +429,9 @@ If you need detail for all the options available for these Google integrations,
 
 ### Disable internal TLS
 
-First, to avoid internal redirection loops from HTTP to HTTPS, the API server should be run with TLS disabled. Edit the argocd-server deployment to add the --insecure flag to the argocd-server command. For this you can edit your resource live with `kubectl -n argocd edit deployments.apps argocd-server` or use a kustomize patch before installing Argo CD.
+First, to avoid internal redirection loops from HTTP to HTTPS, the API server should be run with TLS disabled.
 
-The container command should change from:
-```yaml
-      containers:
-      - command:
-        - argocd-server
-        - --staticassets
-        - /shared/app
-```
-
-To:
-```yaml
-      containers:
-      - command:
-        - argocd-server
-        - --insecure
-        - --staticassets
-        - /shared/app
-```
+Edit the `--insecure` flag in the `argocd-server` command of the argocd-server deployment, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).
 
 ### Creating a service
 

docs/operator-manual/installation.md

@@ -32,7 +32,7 @@ Not recommended for production use. This type of installation is typically used
   > Note: Argo CD CRDs are not included into [namespace-install.yaml](https://github.com/argoproj/argo-cd/blob/master/manifests/namespace-install.yaml).
   > and have to be installed separately. The CRD manifests are located in the [manifests/crds](https://github.com/argoproj/argo-cd/blob/master/manifests/crds) directory.
   > Use the following command to install them:
-  > ```bash
+  > ```
   > kubectl apply -k https://github.com/argoproj/argo-cd/manifests/crds\?ref\=stable
   > ```
 
@@ -74,10 +74,27 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-- https://raw.githubusercontent.com/argoproj/argo-cd/v2.0.4/manifests/ha/install.yaml
+- github.com/argoproj/argo-cd/manifests/ha?ref=v2.6.2
 ```
 
 ## Helm
 
 The Argo CD can be installed using [Helm](https://helm.sh/). The Helm chart is currently community maintained and available at
 [argo-helm/charts/argo-cd](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd).
+
+## Supported versions
+
+Similar to the Kubernetes project, the supported versions of Argo CD at any given point in time are the latest patch releases for the N 
+and N - 1 minor versions.
+These Argo CD versions are supported on the same versions of Kubernetes that are supported by Kubernetes itself (normally the last 3 released versions).
+
+Essentially the Argo CD project follows the same support scheme as Kubernetes but for N, N-1 while Kubernetes supports N, N-1, N-2 versions.
+
+For example if the latest minor version of ArgoCD are 2.4.3 and 2.3.5  while supported Kubernetes versions are 1.24, 1.23 and 1.22 then the following combinations are supported:
+
+* Argo CD 2.4.3 on Kubernetes 1.24
+* Argo CD 2.4.3 on Kubernetes 1.23
+* Argo CD 2.4.3 on Kubernetes 1.22
+* Argo CD 2.3.5 on Kubernetes 1.24
+* Argo CD 2.3.5 on Kubernetes 1.23
+* Argo CD 2.3.5 on Kubernetes 1.22

docs/operator-manual/metrics.md

@@ -9,7 +9,7 @@ Metrics about applications. Scraped at the `argocd-metrics:8082/metrics` endpoin
 |--------|:----:|-------------|
 | `argocd_app_info` | gauge | Information about Applications. It contains labels such as `sync_status` and `health_status` that reflect the application state in ArgoCD. |
 | `argocd_app_k8s_request_total` | counter | Number of kubernetes requests executed during application reconciliation |
-| `argocd_app_labels` | gauge | Argo Application labels converted to Prometheus labels. Disabled by default. See section bellow about how to enable it. |
+| `argocd_app_labels` | gauge | Argo Application labels converted to Prometheus labels. Disabled by default. See section below about how to enable it. |
 | `argocd_app_reconcile` | histogram | Application reconciliation performance. |
 | `argocd_app_sync_total` | counter | Counter for application sync history |
 | `argocd_cluster_api_resource_objects` | gauge | Number of k8s resource objects in the cache. |
@@ -41,7 +41,7 @@ Some examples are:
 As the Application labels are specific to each company, this feature is disabled by default. To enable it, add the
 `--metrics-application-labels` flag to the ArgoCD application controller.
 
-The example bellow will expose the ArgoCD Application labels `team-name` and `business-unit` to Prometheus:
+The example below will expose the ArgoCD Application labels `team-name` and `business-unit` to Prometheus:
 
     containers:
     - command:
@@ -67,8 +67,10 @@ Scraped at the `argocd-server-metrics:8083/metrics` endpoint.
 | Metric | Type | Description |
 |--------|:----:|-------------|
 | `argocd_redis_request_duration` | histogram | Redis requests duration. |
-| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application reconciliation. |
-
+| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application
+reconciliation. |
+| `grpc_server_handled_total` | counter | Total number of RPCs completed on the server, regardless of success or failure. |
+| `grpc_server_msg_sent_total` | counter | Total number of gRPC stream messages sent by the server. |
 ## Repo Server Metrics
 Metrics about the Repo Server.
 Scraped at the `argocd-repo-server:8084/metrics` endpoint.