Bump version to 2.0.0-rc1

* docs: add 2.0 change log and mention redis in upgrade instructions

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

* docs: apply reviewer notes

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

.github/workflows/ci-build.yaml

@@ -30,7 +30,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: '1.16.2'
       - name: Download all Go modules
         run: |
           go mod download
@@ -48,7 +48,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: '1.16.2'
       - name: Restore go build cache
         uses: actions/cache@v1
         with:
@@ -69,7 +69,7 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.29
+          version: v1.38.0
           args: --timeout 5m --exclude SA5011
 
   test-go:
@@ -87,7 +87,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: '1.16.2'
       - name: Install required packages
         run: |
           sudo apt-get install git -y
@@ -147,7 +147,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: '1.16.2'
       - name: Install required packages
         run: |
           sudo apt-get install git -y
@@ -196,7 +196,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: '1.16.2'
       - name: Create symlink in GOPATH
         run: |
           mkdir -p ~/go/src/github.com/argoproj
@@ -354,7 +354,10 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: '1.16.2'
+      - name: GH actions workaround - Kill XSP4 process
+        run: |
+          sudo pkill mono || true
       - name: Install K3S
         env:
           INSTALL_K3S_VERSION: ${{ matrix.k3s-version }}+k3s1
@@ -392,7 +395,7 @@ jobs:
         run: |
           docker pull quay.io/dexidp/dex:v2.25.0
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:5.0.10-alpine
+          docker pull redis:6.2.1-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist

.github/workflows/image.yaml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: '1.16.2'
       - uses: actions/checkout@master
         with:
           path: src/github.com/argoproj/argo-cd

.github/workflows/release.yaml

@@ -139,7 +139,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: '1.16.2'
 
       - name: Setup Git author information
         run: |

CHANGELOG.md

@@ -1,6 +1,111 @@
 # Changelog
 
-## v1.8.0 (Unreleased)
+## v2.0.0 (Unreleased)
+
+> [Upgrade instructions](./docs/operator-manual/upgrading/1.8-2.0.md)
+
+### Pods View
+
+Pods View is particularly useful for applications that have hundreds of pods. Instead of visualizing all Kubernetes
+resources for the application, it only shows Kubernetes pods and closely related resources. The Pods View supports
+grouping related resources by Parent Resource, Top Level Parent, or by Node. Each way of grouping solves a particular
+use case. For example grouping by Top Level Parent allows you to quickly find how many pods your application is running
+and which resources created them. Grouping by Node allows to see how Pods are spread across the nodes and how many
+resources they requested.
+
+
+### Logs Viewer
+
+Argo CD provides a way to see live logs of pods, which is very useful for debugging and troubleshooting. In the v2.0
+release, the log visualization has been rewritten to support pagination, filtering, the ability to disable/enable log
+streaming, and even a dark mode for terminal lovers. Do you want to see aggregated logs of multiple deployment pods?
+Not a problem! Just click on the parent resource such as Deployment, ReplicaSet, or StatefulSet and navigate
+to the Logs tab.
+
+### Banner Feature
+
+Want to notify your Argo CD users of upcoming changes? Just specify the notification message and optional URL using the
+`ui.bannercontent` and `ui.bannerurl` attributes in the `argocd-cm` ConfigMap. 
+
+### Core Features
+
+* The new sync option `PrunePropagationPolicy=background` allows using background deletion during syncing
+* New application finalizer `resources-finalizer.argocd.argoproj.io:background` allows using background deletion when the application is deleted
+* The new sync option `ApplyOutOfSyncOnly=true` allows skipping syncing resources that are already in the desired state.
+* The new sync option `PruneLast=true` allows deferring resource pruning until the last synchronization phase after all other resources are synced and healthy.
+
+### The argocd-util CLI
+
+Argo CD Util is a CLI tool that contains useful commands for operators who manage Argo CD. Starting from this release
+the Argo CD Utility is published with every Argo CD release as a Homebrew installation.
+
+## v1.8.7 (2021-02-26)
+
+### Important note
+This release fixed a regression regarding which cluster resources are permitted on the AppProject level.
+Previous to this fix, after #3960 has been merged, all cluster resources were allowed on project level when neither of
+the allow or deny lists was defined. However, the correct behavior is to block all resources in this case.
+
+If you have Projects with empty allow and deny lists, but want the associated applications be able to sync cluster
+resources, you will have to adapt your cluster resources allow lists to explicitly allow the resources.
+
+- fix: redact sensitive data in logs (#5662)
+- fix: Properly escape HTML for error message from CLI SSO (#5563)
+- fix: Empty resource whitelist allowed all resources (#5540) (#5551)
+
+## v1.8.6 (2021-02-26)
+
+- fix: Properly escape HTML for error message from CLI SSO (#5563)
+- fix: API server should not print resource body when resource update fails (#5617)
+- fix: fix memory leak in application controller (#5604)
+
+## v1.8.5 (2021-02-19)
+
+- fix: 'argocd app wait --suspended' stuck if operation is in progress (#5511)
+- fix: Presync hooks stop working after namespace resource is added in a Helm chart #5522
+- docs: add the missing rbac resources to the documentation (#5476)
+- refactor: optimize argocd-application-controller redis usage (#5345)
+
+## v1.8.4 (2021-02-05)
+
+- feat: set X-XSS-Protection while serving static content (#5412)
+- fix: version info should be avaialble if anonymous access is enabled (#5422)
+- fix: disable jwt claim audience validation #5381 (#5413)
+- fix: /api/version should not return tools version for unauthenticated requests (#5415)
+- fix: account tokens should be rejected if required capability is disabled (#5414)
+- fix: tokens keep working after account is deactivated (#5402)
+- fix: a request which was using a revoked project token, would still be allowed to perform requests allowed by default policy (#5378)
+
+## v1.8.3 (2021-01-21)
+
+- fix: make sure JWT token time fields contain only integer values (#5228)
+
+## v1.8.2 (2021-01-09)
+
+### Bug Fixes
+
+- fix: updating cluster drops secret (#5220)
+- fix: remove invalid assumption about OCI helm chart path (#5179)
+- fix: Possible nil pointer dereference in repository API (#5128)
+- fix: Possible nil pointer dereference in repocreds API (#5130)
+- fix: use json serialization to store cache instead of github.com/vmihailenco/msgpack (#4965)
+- fix: add liveness probe to restart repo server if it fails to server tls requests (#5110) (#5119)
+- fix: Allow correct SSO redirect URL for CLI static client (#5098)
+- fix: add grpc health check (#5060)
+- fix: setting 'revision history limit' errors in UI (#5035)
+- fix: add api-server liveness probe that catches bad data in informer (#5026)
+
+### Refactoring
+
+- chore: Update Dex to v2.27.0 (#5058)
+- chore: Upgrade gorilla/handlers and gorilla/websocket (#5186)
+- chore: Upgrade jwt-go to 4.0.0-preview1 (#5184)
+
+## v1.8.1 (2020-12-09)
+
+- fix: sync retry is broken for multi-phase syncs (#5017)
+
+## v1.8.0 (2020-12-09)
 
 ### Mono-Repository Improvements
 
@@ -1410,7 +1515,7 @@ running Dex (e.g. Okta, OneLogin, Auth0, Microsoft, etc...)
 The optional, [Dex IDP OIDC provider](https://github.com/dexidp/dex) is still bundled as part of the
 default installation, in order to provide a seamless out-of-box experience, enabling Argo CD to
 integrate with non-OIDC providers, and to benefit from Dex's full range of
-[connectors](https://github.com/dexidp/dex/tree/master/Documentation/connectors).
+[connectors](https://dexidp.io/docs/connectors/).
 
 #### OIDC group bindings to Project Roles
 OIDC group claims from an OAuth2 provider can now be bound to a Argo CD project roles. Previously,

Dockerfile

@@ -4,7 +4,7 @@ ARG BASE_IMAGE=ubuntu:20.10
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM golang:1.14.12 as builder
+FROM golang:1.16.2 as builder
 
 RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
@@ -102,7 +102,7 @@ RUN NODE_ENV='production' yarn build
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM golang:1.14.12 as argocd-build
+FROM golang:1.16.0 as argocd-build
 
 COPY --from=builder /usr/local/bin/packr /usr/local/bin/packr
 

Makefile

@@ -45,6 +45,7 @@ ARGOCD_E2E_REPOSERVER_PORT?=8081
 ARGOCD_E2E_REDIS_PORT?=6379
 ARGOCD_E2E_DEX_PORT?=5556
 ARGOCD_E2E_YARN_HOST?=localhost
+ARGOCD_E2E_DISABLE_AUTH?=
 
 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
@@ -73,6 +74,7 @@ define run-in-test-server
 		-e ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
 		-e ARGOCD_E2E_TEST=$(ARGOCD_E2E_TEST) \
 		-e ARGOCD_E2E_YARN_HOST=$(ARGOCD_E2E_YARN_HOST) \
+		-e ARGOCD_E2E_DISABLE_AUTH=$(ARGOCD_E2E_DISABLE_AUTH) \
 		-v ${DOCKER_SRC_MOUNT} \
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \

OWNERS

@@ -5,13 +5,12 @@ owners:
 approvers:
 - alexec
 - alexmt
-- dthomson25
 - jannfis
 - jessesuen
+- jgwest
 - mayzhang2000
-- rachelwang20
 
 reviewers:
-- jgwest
-- wtam2018
+- dthomson25
 - tetchel
+- wtam2018

Procfile

@@ -1,7 +1,7 @@
 controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller go run ./cmd/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
 api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server go run ./cmd/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --staticassets ui/dist/app"
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.27.0 serve /dex.yaml"
-redis: docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:5.0.10-alpine --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}
+redis: docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:6.2.1-alpine --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}
 repo-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server go run ./cmd/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh

README.md

@@ -28,8 +28,24 @@ Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
 To learn more about Argo CD [go to the complete documentation](https://argo-cd.readthedocs.io/).
 Check live demo at https://cd.apps.argoproj.io/.
 
-## Community Blogs and Presentations
+## Community
 
+### Contribution, Discussion and Support
+
+ You can reach the Argo CD community and developers via the following channels:
+
+* Q & A : [Github Discussions](https://github.com/argoproj/argo-cd/discussions)
+* Chat : [The #argo-cd Slack channel](https://argoproj.github.io/community/join-slack)
+* Contributors Office Hours: [Every Thursday](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1ttgw98MO45Dq7ZUHpIiOIEfbyeitKHNfMjbY5dLLMKQ)
+* User Community meeting: [Every other Wednesday](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8)
+
+
+Participation in the Argo CD project is governed by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)
+
+
+### Blogs and Presentations
+
+1. [Couchbase - How To Run a Database Cluster in Kubernetes Using Argo CD](https://youtu.be/nkPoPaVzExY)
 1. [Automation of Everything - How To Combine Argo Events, Workflows & Pipelines, CD, and Rollouts](https://youtu.be/XNXJtxkUKeY)
 1. [Environments Based On Pull Requests (PRs): Using Argo CD To Apply GitOps Principles On Previews](https://youtu.be/cpAaI8p4R60)
 1. [Argo CD: Applying GitOps Principles To Manage Production Environment In Kubernetes](https://youtu.be/vpWQeoaiRM4)
@@ -44,10 +60,10 @@ Check live demo at https://cd.apps.argoproj.io/.
 1. [Machine Learning as Code](https://www.youtube.com/watch?v=VXrGp5er1ZE&t=0s&index=135&list=PLj6h78yzYM2PZf9eA7bhWnIh_mK1vyOfU). Among other things, describes how Kubeflow uses Argo CD to implement GitOPs for ML
 1. [Argo CD - GitOps Continuous Delivery for Kubernetes](https://www.youtube.com/watch?v=aWDIQMbp1cc&feature=youtu.be&t=1m4s)
 1. [Introduction to Argo CD : Kubernetes DevOps CI/CD](https://www.youtube.com/watch?v=2WSJF7d8dUg&feature=youtu.be)
-1. [GitOps Deployment and Kubernetes - using ArgoCD](https://medium.com/riskified-technology/gitops-deployment-and-kubernetes-f1ab289efa4b)
+1. [GitOps Deployment and Kubernetes - using Argo CD](https://medium.com/riskified-technology/gitops-deployment-and-kubernetes-f1ab289efa4b)
 1. [Deploy Argo CD with Ingress and TLS in Three Steps: No YAML Yak Shaving Required](https://itnext.io/deploy-argo-cd-with-ingress-and-tls-in-three-steps-no-yaml-yak-shaving-required-bc536d401491)
 1. [GitOps Continuous Delivery with Argo and Codefresh](https://codefresh.io/events/cncf-member-webinar-gitops-continuous-delivery-argo-codefresh/)
-1. [Stay up to date with ArgoCD and Renovate](https://mjpitz.com/blog/2020/12/03/renovate-your-gitops/)
+1. [Stay up to date with Argo CD and Renovate](https://mjpitz.com/blog/2020/12/03/renovate-your-gitops/)
 1. [Setting up Argo CD with Helm](https://www.arthurkoziel.com/setting-up-argocd-with-helm/)
-1. [Applied GitOps with ArgoCD](https://thenewstack.io/applied-gitops-with-argocd/)
+1. [Applied GitOps with Argo CD](https://thenewstack.io/applied-gitops-with-argocd/)
 1. [Solving configuration drift using GitOps with Argo CD](https://www.cncf.io/blog/2020/12/17/solving-configuration-drift-using-gitops-with-argo-cd/)

USERS.md

@@ -8,6 +8,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [3Rein](https://www.3rein.com/)
 1. [7shifts](https://www.7shifts.com/)
 1. [Adevinta](https://www.adevinta.com/)
+1. [Ambassador Labs](https://www.getambassador.io/)
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [AppDirect](https://www.appdirect.com)
 1. [Arctiq Inc.](https://www.arctiq.ca)
@@ -38,6 +39,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Future PLC](https://www.futureplc.com/)
 1. [Garner](https://www.garnercorp.com)
 1. [GMETRI](https://gmetri.com/)
+1. [Gojek](https://www.gojek.io/)
 1. [Greenpass](https://www.greenpass.com.br/)
 1. [Healy](https://www.healyworld.net)
 1. [hipages](https://hipages.com.au/)
@@ -89,6 +91,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Robotinfra](https://www.robotinfra.com)
 1. [Saildrone](https://www.saildrone.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
+1. [Schwarz IT](https://jobs.schwarz/it-mission)
 1. [Speee](https://speee.jp/)
 1. [Spendesk](https://spendesk.com/)
 1. [Sumo Logic](https://sumologic.com/)
@@ -117,4 +120,5 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [WeMo Scooter](https://www.wemoscooter.com/)
 1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
 1. [Yieldlab](https://www.yieldlab.de/)
-1. [Sap Labs] (http://sap.com)
+1. [Sap Labs](http://sap.com)
+1. [Smilee.io](https://smilee.io)

VERSION

@@ -1 +1 @@
-1.9.0
+2.0.0-rc1

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -2,6 +2,7 @@ package commands
 
 import (
 	"context"
+	"fmt"
 	"math"
 	"time"
 
@@ -26,6 +27,7 @@ import (
 	"github.com/argoproj/argo-cd/util/errors"
 	kubeutil "github.com/argoproj/argo-cd/util/kube"
 	"github.com/argoproj/argo-cd/util/settings"
+	"github.com/argoproj/argo-cd/util/tls"
 )
 
 const (
@@ -50,6 +52,8 @@ func NewCommand() *cobra.Command {
 		kubectlParallelismLimit  int64
 		cacheSrc                 func() (*appstatecache.Cache, error)
 		redisClient              *redis.Client
+		repoServerPlaintext      bool
+		repoServerStrictTLS      bool
 	)
 	var command = cobra.Command{
 		Use:               cliName,
@@ -72,7 +76,26 @@ func NewCommand() *cobra.Command {
 			errors.CheckError(err)
 
 			resyncDuration := time.Duration(appResyncPeriod) * time.Second
-			repoClientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
+			tlsConfig := apiclient.TLSConfiguration{
+				DisableTLS:       repoServerPlaintext,
+				StrictValidation: repoServerStrictTLS,
+			}
+
+			// Load CA information to use for validating connections to the
+			// repository server, if strict TLS validation was requested.
+			if !repoServerPlaintext && repoServerStrictTLS {
+				pool, err := tls.LoadX509CertPool(
+					fmt.Sprintf("%s/controller/tls/tls.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+					fmt.Sprintf("%s/controller/tls/ca.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+				)
+				if err != nil {
+					log.Fatalf("%v", err)
+				}
+				tlsConfig.Certificates = pool
+			}
+
+			repoClientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds, tlsConfig)
+
 			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
@@ -126,6 +149,8 @@ func NewCommand() *cobra.Command {
 	command.Flags().DurationVar(&metricsCacheExpiration, "metrics-cache-expiration", 0*time.Second, "Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)")
 	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", 5, "Specifies timeout between application self heal attempts")
 	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", 20, "Number of allowed concurrent kubectl fork/execs. Any value less the 1 means no limit.")
+	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", false, "Disable TLS on connections to repo server")
+	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", false, "Whether to use strict validation of the TLS cert presented by the repo server")
 	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
 		redisClient = client
 	})

cmd/argocd-repo-server/commands/argocd_repo_server.go

@@ -67,8 +67,10 @@ func NewCommand() *cobra.Command {
 		listenPort             int
 		metricsPort            int
 		cacheSrc               func() (*reposervercache.Cache, error)
+		tlsConfigCustomizer    tls.ConfigCustomizer
 		tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error)
 		redisClient            *redis.Client
+		disableTLS             bool
 	)
 	var command = cobra.Command{
 		Use:               cliName,
@@ -79,8 +81,11 @@ func NewCommand() *cobra.Command {
 			cli.SetLogFormat(cmdutil.LogFormat)
 			cli.SetLogLevel(cmdutil.LogLevel)
 
-			tlsConfigCustomizer, err := tlsConfigCustomizerSrc()
-			errors.CheckError(err)
+			if !disableTLS {
+				var err error
+				tlsConfigCustomizer, err = tlsConfigCustomizerSrc()
+				errors.CheckError(err)
+			}
 
 			cache, err := cacheSrc()
 			errors.CheckError(err)
@@ -104,7 +109,7 @@ func NewCommand() *cobra.Command {
 					// connect to itself to make sure repo server is able to serve connection
 					// used by liveness probe to auto restart repo server
 					// see https://github.com/argoproj/argo-cd/issues/5110 for more information
-					conn, err := apiclient.NewConnection(fmt.Sprintf("localhost:%d", listenPort), 60)
+					conn, err := apiclient.NewConnection(fmt.Sprintf("localhost:%d", listenPort), 60, &apiclient.TLSConfiguration{DisableTLS: disableTLS})
 					if err != nil {
 						return err
 					}
@@ -152,6 +157,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().Int64Var(&parallelismLimit, "parallelismlimit", 0, "Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.")
 	command.Flags().IntVar(&listenPort, "port", common.DefaultPortRepoServer, "Listen on given port for incoming connections")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortRepoServerMetrics, "Start metrics server on given port")
+	command.Flags().BoolVar(&disableTLS, "disable-tls", false, "Disable TLS on the gRPC endpoint")
 
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
 	cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {

cmd/argocd-server/commands/argocd_server.go

@@ -2,6 +2,7 @@ package commands
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	"github.com/argoproj/pkg/stats"
@@ -60,6 +61,8 @@ func NewCommand() *cobra.Command {
 		tlsConfigCustomizerSrc   func() (tls.ConfigCustomizer, error)
 		cacheSrc                 func() (*servercache.Cache, error)
 		frameOptions             string
+		repoServerPlaintext      bool
+		repoServerStrictTLS      bool
 	)
 	var command = &cobra.Command{
 		Use:               cliName,
@@ -93,8 +96,25 @@ func NewCommand() *cobra.Command {
 				appclientsetConfig = kube.AddFailureRetryWrapper(appclientsetConfig, failureRetryCount, failureRetryPeriodMilliSeconds)
 			}
 			appclientset := appclientset.NewForConfigOrDie(appclientsetConfig)
-			repoclientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
+			tlsConfig := apiclient.TLSConfiguration{
+				DisableTLS:       repoServerPlaintext,
+				StrictValidation: repoServerStrictTLS,
+			}
 
+			// Load CA information to use for validating connections to the
+			// repository server, if strict TLS validation was requested.
+			if !repoServerPlaintext && repoServerStrictTLS {
+				pool, err := tls.LoadX509CertPool(
+					fmt.Sprintf("%s/server/tls/tls.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+					fmt.Sprintf("%s/server/tls/ca.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+				)
+				if err != nil {
+					log.Fatalf("%v", err)
+				}
+				tlsConfig.Certificates = pool
+			}
+
+			repoclientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds, tlsConfig)
 			if rootPath != "" {
 				if baseHRef != "" && baseHRef != rootPath {
 					log.Warnf("--basehref and --rootpath had conflict: basehref: %s rootpath: %s", baseHRef, rootPath)
@@ -153,6 +173,8 @@ func NewCommand() *cobra.Command {
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDAPIServerMetrics, "Start metrics on given port")
 	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
 	command.Flags().StringVar(&frameOptions, "x-frame-options", "sameorigin", "Set X-Frame-Options header in HTTP responses to `value`. To disable, set to \"\".")
+	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", false, "Use a plaintext client (non-TLS) to connect to repository server")
+	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", false, "Perform strict validation of TLS certificates when connecting to repo server")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(command)
 	cacheSrc = servercache.AddCacheFlagsToCmd(command, func(client *redis.Client) {
 		redisClient = client

cmd/argocd-util/commands/app.go

@@ -10,8 +10,6 @@ import (
 	"sort"
 	"time"
 
-	appstatecache "github.com/argoproj/argo-cd/util/cache/appstate"
-
 	"github.com/ghodss/yaml"
 	"github.com/spf13/cobra"
 	apiv1 "k8s.io/api/core/v1"
@@ -22,6 +20,7 @@ import (
 	kubecache "k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/clientcmd"
 
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/controller"
 	"github.com/argoproj/argo-cd/controller/cache"
@@ -31,6 +30,7 @@ import (
 	appinformers "github.com/argoproj/argo-cd/pkg/client/informers/externalversions"
 	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	cacheutil "github.com/argoproj/argo-cd/util/cache"
+	appstatecache "github.com/argoproj/argo-cd/util/cache/appstate"
 	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/config"
 	"github.com/argoproj/argo-cd/util/db"
@@ -39,20 +39,79 @@ import (
 	"github.com/argoproj/argo-cd/util/settings"
 )
 
-func NewAppsCommand() *cobra.Command {
+func NewAppCommand() *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "apps",
-		Short: "Utility commands operate on ArgoCD applications",
+		Use:   "app",
+		Short: "Manage applications configuration",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 		},
 	}
 
+	command.AddCommand(NewGenAppSpecCommand())
 	command.AddCommand(NewReconcileCommand())
 	command.AddCommand(NewDiffReconcileResults())
 	return command
 }
 
+// NewGenAppSpecCommand generates declarative configuration file for given application
+func NewGenAppSpecCommand() *cobra.Command {
+	var (
+		appOpts      cmdutil.AppOptions
+		fileURL      string
+		appName      string
+		labels       []string
+		outputFormat string
+	)
+	var command = &cobra.Command{
+		Use:   "generate-spec APPNAME",
+		Short: "Generate declarative config for an application",
+		Example: `
+	# Generate declarative config for a directory app
+	argocd-util app generate-spec guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --directory-recurse
+
+	# Generate declarative config for a Jsonnet app
+	argocd-util app generate-spec jsonnet-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path jsonnet-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --jsonnet-ext-str replicas=2
+
+	# Generate declarative config for a Helm app
+	argocd-util app generate-spec helm-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path helm-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --helm-set replicaCount=2
+
+	# Generate declarative config for a Helm app from a Helm repo
+	argocd-util app generate-spec nginx-ingress --repo https://kubernetes-charts.storage.googleapis.com --helm-chart nginx-ingress --revision 1.24.3 --dest-namespace default --dest-server https://kubernetes.default.svc
+
+	# Generate declarative config for a Kustomize app
+	argocd-util app generate-spec kustomize-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path kustomize-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --kustomize-image gcr.io/heptio-images/ks-guestbook-demo:0.1
+
+	# Generate declarative config for a app using a custom tool:
+	argocd-util app generate-spec ksane --repo https://github.com/argoproj/argocd-example-apps.git --path plugins/kasane --dest-namespace default --dest-server https://kubernetes.default.svc --config-management-plugin kasane
+`,
+		Run: func(c *cobra.Command, args []string) {
+			app, err := cmdutil.ConstructApp(fileURL, appName, labels, args, appOpts, c.Flags())
+			errors.CheckError(err)
+
+			if app.Name == "" {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			var printResources []interface{}
+			printResources = append(printResources, app)
+			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+		},
+	}
+	command.Flags().StringVar(&appName, "name", "", "A name for the app, ignored if a file is set (DEPRECATED)")
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the app")
+	command.Flags().StringArrayVarP(&labels, "label", "l", []string{}, "Labels to apply to the app")
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+
+	// Only complete files with appropriate extension.
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	errors.CheckError(err)
+
+	cmdutil.AddAppFlags(command, &appOpts)
+	return command
+}
+
 type appReconcileResult struct {
 	Name       string                          `json:"name"`
 	Health     *v1alpha1.HealthStatus          `json:"health"`
@@ -192,7 +251,7 @@ func NewReconcileCommand() *cobra.Command {
 					errors.CheckError(err)
 					repoServerAddress = fmt.Sprintf("localhost:%d", repoServerPort)
 				}
-				repoServerClient := apiclient.NewRepoServerClientset(repoServerAddress, 60)
+				repoServerClient := apiclient.NewRepoServerClientset(repoServerAddress, 60, apiclient.TLSConfiguration{DisableTLS: false, StrictValidation: false})
 
 				appClientset := appclientset.NewForConfigOrDie(cfg)
 				kubeClientset := kubernetes.NewForConfigOrDie(cfg)

cmd/argocd-util/commands/argocd_util.go

@@ -1,32 +1,21 @@
 package commands
 
 import (
-	"bufio"
-	"context"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
 	"reflect"
 
-	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/ghodss/yaml"
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	apiv1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 
 	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/db"
 	"github.com/argoproj/argo-cd/util/errors"
 	"github.com/argoproj/argo-cd/util/settings"
 )
@@ -62,162 +51,19 @@ func NewCommand() *cobra.Command {
 	}
 
 	command.AddCommand(cli.NewVersionCmd(cliName))
-	command.AddCommand(NewImportCommand())
-	command.AddCommand(NewExportCommand())
-	command.AddCommand(NewClusterConfig())
+	command.AddCommand(NewClusterCommand(pathOpts))
 	command.AddCommand(NewProjectsCommand())
 	command.AddCommand(NewSettingsCommand())
-	command.AddCommand(NewAppsCommand())
-	command.AddCommand(NewRBACCommand())
-	command.AddCommand(NewGenerateConfigCommand(pathOpts))
+	command.AddCommand(NewAppCommand())
+	command.AddCommand(NewRepoCommand())
+	command.AddCommand(NewImportCommand())
+	command.AddCommand(NewExportCommand())
 
 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
 	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	return command
 }
 
-// NewImportCommand defines a new command for exporting Kubernetes and Argo CD resources.
-func NewImportCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-		prune        bool
-		dryRun       bool
-	)
-	var command = cobra.Command{
-		Use:   "import SOURCE",
-		Short: "Import Argo CD data from stdin (specify `-') or a file",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 1 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			config, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			config.QPS = 100
-			config.Burst = 50
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			acdClients := newArgoCDClientsets(config, namespace)
-
-			var input []byte
-			if in := args[0]; in == "-" {
-				input, err = ioutil.ReadAll(os.Stdin)
-			} else {
-				input, err = ioutil.ReadFile(in)
-			}
-			errors.CheckError(err)
-			var dryRunMsg string
-			if dryRun {
-				dryRunMsg = " (dry run)"
-			}
-
-			// pruneObjects tracks live objects and it's current resource version. any remaining
-			// items in this map indicates the resource should be pruned since it no longer appears
-			// in the backup
-			pruneObjects := make(map[kube.ResourceKey]unstructured.Unstructured)
-			configMaps, err := acdClients.configMaps.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			// referencedSecrets holds any secrets referenced in the argocd-cm configmap. These
-			// secrets need to be imported too
-			var referencedSecrets map[string]bool
-			for _, cm := range configMaps.Items {
-				if isArgoCDConfigMap(cm.GetName()) {
-					pruneObjects[kube.ResourceKey{Group: "", Kind: "ConfigMap", Name: cm.GetName()}] = cm
-				}
-				if cm.GetName() == common.ArgoCDConfigMapName {
-					referencedSecrets = getReferencedSecrets(cm)
-				}
-			}
-
-			secrets, err := acdClients.secrets.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, secret := range secrets.Items {
-				if isArgoCDSecret(referencedSecrets, secret) {
-					pruneObjects[kube.ResourceKey{Group: "", Kind: "Secret", Name: secret.GetName()}] = secret
-				}
-			}
-			applications, err := acdClients.applications.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, app := range applications.Items {
-				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "Application", Name: app.GetName()}] = app
-			}
-			projects, err := acdClients.projects.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, proj := range projects.Items {
-				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "AppProject", Name: proj.GetName()}] = proj
-			}
-
-			// Create or replace existing object
-			backupObjects, err := kube.SplitYAML(input)
-			errors.CheckError(err)
-			for _, bakObj := range backupObjects {
-				gvk := bakObj.GroupVersionKind()
-				key := kube.ResourceKey{Group: gvk.Group, Kind: gvk.Kind, Name: bakObj.GetName()}
-				liveObj, exists := pruneObjects[key]
-				delete(pruneObjects, key)
-				var dynClient dynamic.ResourceInterface
-				switch bakObj.GetKind() {
-				case "Secret":
-					dynClient = acdClients.secrets
-				case "ConfigMap":
-					dynClient = acdClients.configMaps
-				case "AppProject":
-					dynClient = acdClients.projects
-				case "Application":
-					dynClient = acdClients.applications
-				}
-				if !exists {
-					if !dryRun {
-						_, err = dynClient.Create(context.Background(), bakObj, metav1.CreateOptions{})
-						errors.CheckError(err)
-					}
-					fmt.Printf("%s/%s %s created%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
-				} else if specsEqual(*bakObj, liveObj) {
-					fmt.Printf("%s/%s %s unchanged%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
-				} else {
-					if !dryRun {
-						newLive := updateLive(bakObj, &liveObj)
-						_, err = dynClient.Update(context.Background(), newLive, metav1.UpdateOptions{})
-						errors.CheckError(err)
-					}
-					fmt.Printf("%s/%s %s updated%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
-				}
-			}
-
-			// Delete objects not in backup
-			for key := range pruneObjects {
-				if prune {
-					var dynClient dynamic.ResourceInterface
-					switch key.Kind {
-					case "Secret":
-						dynClient = acdClients.secrets
-					case "AppProject":
-						dynClient = acdClients.projects
-					case "Application":
-						dynClient = acdClients.applications
-					default:
-						log.Fatalf("Unexpected kind '%s' in prune list", key.Kind)
-					}
-					if !dryRun {
-						err = dynClient.Delete(context.Background(), key.Name, metav1.DeleteOptions{})
-						errors.CheckError(err)
-					}
-					fmt.Printf("%s/%s %s pruned%s\n", key.Group, key.Kind, key.Name, dryRunMsg)
-				} else {
-					fmt.Printf("%s/%s %s needs pruning\n", key.Group, key.Kind, key.Name)
-				}
-			}
-		},
-	}
-
-	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	command.Flags().BoolVar(&dryRun, "dry-run", false, "Print what will be performed")
-	command.Flags().BoolVar(&prune, "prune", false, "Prune secrets, applications and projects which do not appear in the backup")
-
-	return &command
-}
-
 type argoCDClientsets struct {
 	configMaps   dynamic.ResourceInterface
 	secrets      dynamic.ResourceInterface
@@ -236,78 +82,6 @@ func newArgoCDClientsets(config *rest.Config, namespace string) *argoCDClientset
 	}
 }
 
-// NewExportCommand defines a new command for exporting Kubernetes and Argo CD resources.
-func NewExportCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-		out          string
-	)
-	var command = cobra.Command{
-		Use:   "export",
-		Short: "Export all Argo CD data to stdout (default) or a file",
-		Run: func(c *cobra.Command, args []string) {
-			config, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-
-			var writer io.Writer
-			if out == "-" {
-				writer = os.Stdout
-			} else {
-				f, err := os.Create(out)
-				errors.CheckError(err)
-				bw := bufio.NewWriter(f)
-				writer = bw
-				defer func() {
-					err = bw.Flush()
-					errors.CheckError(err)
-					err = f.Close()
-					errors.CheckError(err)
-				}()
-			}
-
-			acdClients := newArgoCDClientsets(config, namespace)
-			acdConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDConfigMapName, metav1.GetOptions{})
-			errors.CheckError(err)
-			export(writer, *acdConfigMap)
-			acdRBACConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDRBACConfigMapName, metav1.GetOptions{})
-			errors.CheckError(err)
-			export(writer, *acdRBACConfigMap)
-			acdKnownHostsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDKnownHostsConfigMapName, metav1.GetOptions{})
-			errors.CheckError(err)
-			export(writer, *acdKnownHostsConfigMap)
-			acdTLSCertsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDTLSCertsConfigMapName, metav1.GetOptions{})
-			errors.CheckError(err)
-			export(writer, *acdTLSCertsConfigMap)
-
-			referencedSecrets := getReferencedSecrets(*acdConfigMap)
-			secrets, err := acdClients.secrets.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, secret := range secrets.Items {
-				if isArgoCDSecret(referencedSecrets, secret) {
-					export(writer, secret)
-				}
-			}
-			projects, err := acdClients.projects.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, proj := range projects.Items {
-				export(writer, proj)
-			}
-			applications, err := acdClients.applications.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, app := range applications.Items {
-				export(writer, app)
-			}
-		},
-	}
-
-	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	command.Flags().StringVarP(&out, "out", "o", "-", "Output to the specified file instead of stdout")
-
-	return &command
-}
-
 // getReferencedSecrets examines the argocd-cm config for any referenced repo secrets and returns a
 // map of all referenced secrets.
 func getReferencedSecrets(un unstructured.Unstructured) map[string]bool {
@@ -437,83 +211,6 @@ func specsEqual(left, right unstructured.Unstructured) bool {
 	return false
 }
 
-// updateLive replaces the live object's finalizers, spec, annotations, labels, and data from the
-// backup object but leaves all other fields intact (status, other metadata, etc...)
-func updateLive(bak, live *unstructured.Unstructured) *unstructured.Unstructured {
-	newLive := live.DeepCopy()
-	newLive.SetAnnotations(bak.GetAnnotations())
-	newLive.SetLabels(bak.GetLabels())
-	newLive.SetFinalizers(bak.GetFinalizers())
-	switch live.GetKind() {
-	case "Secret", "ConfigMap":
-		newLive.Object["data"] = bak.Object["data"]
-	case "AppProject":
-		newLive.Object["spec"] = bak.Object["spec"]
-	case "Application":
-		newLive.Object["spec"] = bak.Object["spec"]
-		if _, ok := bak.Object["status"]; ok {
-			newLive.Object["status"] = bak.Object["status"]
-		}
-	}
-	return newLive
-}
-
-// export writes the unstructured object and removes extraneous cruft from output before writing
-func export(w io.Writer, un unstructured.Unstructured) {
-	name := un.GetName()
-	finalizers := un.GetFinalizers()
-	apiVersion := un.GetAPIVersion()
-	kind := un.GetKind()
-	labels := un.GetLabels()
-	annotations := un.GetAnnotations()
-	unstructured.RemoveNestedField(un.Object, "metadata")
-	un.SetName(name)
-	un.SetFinalizers(finalizers)
-	un.SetAPIVersion(apiVersion)
-	un.SetKind(kind)
-	un.SetLabels(labels)
-	un.SetAnnotations(annotations)
-	data, err := yaml.Marshal(un.Object)
-	errors.CheckError(err)
-	_, err = w.Write(data)
-	errors.CheckError(err)
-	_, err = w.Write([]byte(yamlSeparator))
-	errors.CheckError(err)
-}
-
-// NewClusterConfig returns a new instance of `argocd-util kubeconfig` command
-func NewClusterConfig() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-	)
-	var command = &cobra.Command{
-		Use:               "kubeconfig CLUSTER_URL OUTPUT_PATH",
-		Short:             "Generates kubeconfig for the specified cluster",
-		DisableAutoGenTag: true,
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			serverUrl := args[0]
-			output := args[1]
-			conf, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			kubeclientset, err := kubernetes.NewForConfig(conf)
-			errors.CheckError(err)
-
-			cluster, err := db.NewDB(namespace, settings.NewSettingsManager(context.Background(), kubeclientset, namespace), kubeclientset).GetCluster(context.Background(), serverUrl)
-			errors.CheckError(err)
-			err = kube.WriteKubeConfig(cluster.RawRestConfig(), namespace, output)
-			errors.CheckError(err)
-		},
-	}
-	clientConfig = cli.AddKubectlFlagsToCmd(command)
-	return command
-}
-
 func iterateStringFields(obj interface{}, callback func(name string, val string) string) {
 	if mapField, ok := obj.(map[string]interface{}); ok {
 		for field, val := range mapField {

cmd/argocd-util/commands/backup.go

@@ -0,0 +1,298 @@
+package commands
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/ghodss/yaml"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/errors"
+)
+
+// NewExportCommand defines a new command for exporting Kubernetes and Argo CD resources.
+func NewExportCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		out          string
+	)
+	var command = cobra.Command{
+		Use:   "export",
+		Short: "Export all Argo CD data to stdout (default) or a file",
+		Run: func(c *cobra.Command, args []string) {
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			var writer io.Writer
+			if out == "-" {
+				writer = os.Stdout
+			} else {
+				f, err := os.Create(out)
+				errors.CheckError(err)
+				bw := bufio.NewWriter(f)
+				writer = bw
+				defer func() {
+					err = bw.Flush()
+					errors.CheckError(err)
+					err = f.Close()
+					errors.CheckError(err)
+				}()
+			}
+
+			acdClients := newArgoCDClientsets(config, namespace)
+			acdConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdConfigMap)
+			acdRBACConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDRBACConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdRBACConfigMap)
+			acdKnownHostsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDKnownHostsConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdKnownHostsConfigMap)
+			acdTLSCertsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDTLSCertsConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdTLSCertsConfigMap)
+
+			referencedSecrets := getReferencedSecrets(*acdConfigMap)
+			secrets, err := acdClients.secrets.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, secret := range secrets.Items {
+				if isArgoCDSecret(referencedSecrets, secret) {
+					export(writer, secret)
+				}
+			}
+			projects, err := acdClients.projects.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, proj := range projects.Items {
+				export(writer, proj)
+			}
+			applications, err := acdClients.applications.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, app := range applications.Items {
+				export(writer, app)
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().StringVarP(&out, "out", "o", "-", "Output to the specified file instead of stdout")
+
+	return &command
+}
+
+// NewImportCommand defines a new command for exporting Kubernetes and Argo CD resources.
+func NewImportCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		prune        bool
+		dryRun       bool
+		verbose      bool
+	)
+	var command = cobra.Command{
+		Use:   "import SOURCE",
+		Short: "Import Argo CD data from stdin (specify `-') or a file",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			config.QPS = 100
+			config.Burst = 50
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			acdClients := newArgoCDClientsets(config, namespace)
+
+			var input []byte
+			if in := args[0]; in == "-" {
+				input, err = ioutil.ReadAll(os.Stdin)
+			} else {
+				input, err = ioutil.ReadFile(in)
+			}
+			errors.CheckError(err)
+			var dryRunMsg string
+			if dryRun {
+				dryRunMsg = " (dry run)"
+			}
+
+			// pruneObjects tracks live objects and it's current resource version. any remaining
+			// items in this map indicates the resource should be pruned since it no longer appears
+			// in the backup
+			pruneObjects := make(map[kube.ResourceKey]unstructured.Unstructured)
+			configMaps, err := acdClients.configMaps.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			// referencedSecrets holds any secrets referenced in the argocd-cm configmap. These
+			// secrets need to be imported too
+			var referencedSecrets map[string]bool
+			for _, cm := range configMaps.Items {
+				if isArgoCDConfigMap(cm.GetName()) {
+					pruneObjects[kube.ResourceKey{Group: "", Kind: "ConfigMap", Name: cm.GetName()}] = cm
+				}
+				if cm.GetName() == common.ArgoCDConfigMapName {
+					referencedSecrets = getReferencedSecrets(cm)
+				}
+			}
+
+			secrets, err := acdClients.secrets.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, secret := range secrets.Items {
+				if isArgoCDSecret(referencedSecrets, secret) {
+					pruneObjects[kube.ResourceKey{Group: "", Kind: "Secret", Name: secret.GetName()}] = secret
+				}
+			}
+			applications, err := acdClients.applications.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, app := range applications.Items {
+				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "Application", Name: app.GetName()}] = app
+			}
+			projects, err := acdClients.projects.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, proj := range projects.Items {
+				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "AppProject", Name: proj.GetName()}] = proj
+			}
+
+			// Create or replace existing object
+			backupObjects, err := kube.SplitYAML(input)
+			errors.CheckError(err)
+			for _, bakObj := range backupObjects {
+				gvk := bakObj.GroupVersionKind()
+				key := kube.ResourceKey{Group: gvk.Group, Kind: gvk.Kind, Name: bakObj.GetName()}
+				liveObj, exists := pruneObjects[key]
+				delete(pruneObjects, key)
+				var dynClient dynamic.ResourceInterface
+				switch bakObj.GetKind() {
+				case "Secret":
+					dynClient = acdClients.secrets
+				case "ConfigMap":
+					dynClient = acdClients.configMaps
+				case "AppProject":
+					dynClient = acdClients.projects
+				case "Application":
+					dynClient = acdClients.applications
+				}
+				if !exists {
+					if !dryRun {
+						_, err = dynClient.Create(context.Background(), bakObj, v1.CreateOptions{})
+						errors.CheckError(err)
+					}
+					fmt.Printf("%s/%s %s created%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
+				} else if specsEqual(*bakObj, liveObj) {
+					if verbose {
+						fmt.Printf("%s/%s %s unchanged%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
+					}
+				} else {
+					if !dryRun {
+						newLive := updateLive(bakObj, &liveObj)
+						_, err = dynClient.Update(context.Background(), newLive, v1.UpdateOptions{})
+						errors.CheckError(err)
+					}
+					fmt.Printf("%s/%s %s updated%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
+				}
+			}
+
+			// Delete objects not in backup
+			for key, liveObj := range pruneObjects {
+				if prune {
+					var dynClient dynamic.ResourceInterface
+					switch key.Kind {
+					case "Secret":
+						dynClient = acdClients.secrets
+					case "AppProject":
+						dynClient = acdClients.projects
+					case "Application":
+						dynClient = acdClients.applications
+						if !dryRun {
+							if finalizers := liveObj.GetFinalizers(); len(finalizers) > 0 {
+								newLive := liveObj.DeepCopy()
+								newLive.SetFinalizers(nil)
+								_, err = dynClient.Update(context.Background(), newLive, v1.UpdateOptions{})
+								if err != nil && !apierr.IsNotFound(err) {
+									errors.CheckError(err)
+								}
+							}
+						}
+					default:
+						logrus.Fatalf("Unexpected kind '%s' in prune list", key.Kind)
+					}
+					if !dryRun {
+						err = dynClient.Delete(context.Background(), key.Name, v1.DeleteOptions{})
+						if err != nil && !apierr.IsNotFound(err) {
+							errors.CheckError(err)
+						}
+					}
+					fmt.Printf("%s/%s %s pruned%s\n", key.Group, key.Kind, key.Name, dryRunMsg)
+				} else {
+					fmt.Printf("%s/%s %s needs pruning\n", key.Group, key.Kind, key.Name)
+				}
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().BoolVar(&dryRun, "dry-run", false, "Print what will be performed")
+	command.Flags().BoolVar(&prune, "prune", false, "Prune secrets, applications and projects which do not appear in the backup")
+	command.Flags().BoolVar(&verbose, "verbose", false, "Verbose output (versus only changed output)")
+
+	return &command
+}
+
+// export writes the unstructured object and removes extraneous cruft from output before writing
+func export(w io.Writer, un unstructured.Unstructured) {
+	name := un.GetName()
+	finalizers := un.GetFinalizers()
+	apiVersion := un.GetAPIVersion()
+	kind := un.GetKind()
+	labels := un.GetLabels()
+	annotations := un.GetAnnotations()
+	unstructured.RemoveNestedField(un.Object, "metadata")
+	un.SetName(name)
+	un.SetFinalizers(finalizers)
+	un.SetAPIVersion(apiVersion)
+	un.SetKind(kind)
+	un.SetLabels(labels)
+	un.SetAnnotations(annotations)
+	data, err := yaml.Marshal(un.Object)
+	errors.CheckError(err)
+	_, err = w.Write(data)
+	errors.CheckError(err)
+	_, err = w.Write([]byte(yamlSeparator))
+	errors.CheckError(err)
+}
+
+// updateLive replaces the live object's finalizers, spec, annotations, labels, and data from the
+// backup object but leaves all other fields intact (status, other metadata, etc...)
+func updateLive(bak, live *unstructured.Unstructured) *unstructured.Unstructured {
+	newLive := live.DeepCopy()
+	newLive.SetAnnotations(bak.GetAnnotations())
+	newLive.SetLabels(bak.GetLabels())
+	newLive.SetFinalizers(bak.GetFinalizers())
+	switch live.GetKind() {
+	case "Secret", "ConfigMap":
+		newLive.Object["data"] = bak.Object["data"]
+	case "AppProject":
+		newLive.Object["spec"] = bak.Object["spec"]
+	case "Application":
+		newLive.Object["spec"] = bak.Object["spec"]
+		if _, ok := bak.Object["status"]; ok {
+			newLive.Object["status"] = bak.Object["status"]
+		}
+	}
+	return newLive
+}

cmd/argocd-util/commands/cluster.go

@@ -0,0 +1,237 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"text/tabwriter"
+	"time"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/go-redis/redis/v8"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/clientcmd"
+
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/controller/sharding"
+	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	cacheutil "github.com/argoproj/argo-cd/util/cache"
+	appstatecache "github.com/argoproj/argo-cd/util/cache/appstate"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/db"
+	"github.com/argoproj/argo-cd/util/errors"
+	kubeutil "github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/settings"
+)
+
+func NewClusterCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "cluster",
+		Short: "Manage clusters configuration",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+
+	command.AddCommand(NewClusterConfig())
+	command.AddCommand(NewGenClusterConfigCommand(pathOpts))
+	command.AddCommand(NewClusterStatsCommand())
+
+	return command
+}
+
+func NewClusterStatsCommand() *cobra.Command {
+	var (
+		shard            int
+		replicas         int
+		clientConfig     clientcmd.ClientConfig
+		cacheSrc         func() (*appstatecache.Cache, error)
+		portForwardRedis bool
+	)
+	var command = cobra.Command{
+		Use:   "stats",
+		Short: "Prints information cluster statistics and inferred shard number",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			clientCfg, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
+			if replicas == 0 {
+				controllerPods, err := kubeClient.CoreV1().Pods(namespace).List(context.Background(), v1.ListOptions{
+					LabelSelector: "app.kubernetes.io/name=argocd-application-controller"})
+				errors.CheckError(err)
+				replicas = len(controllerPods.Items)
+			}
+
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, namespace)
+
+			argoDB := db.NewDB(namespace, settingsMgr, kubeClient)
+			clusters, err := argoDB.ListClusters(context.Background())
+			errors.CheckError(err)
+			var cache *appstatecache.Cache
+			if portForwardRedis {
+				port, err := kubeutil.PortForward("app.kubernetes.io/name=argocd-redis-ha-haproxy", 6379, namespace)
+				errors.CheckError(err)
+				client := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", port)})
+				cache = appstatecache.NewCache(cacheutil.NewCache(cacheutil.NewRedisCache(client, time.Hour)), time.Hour)
+			} else {
+				cache, err = cacheSrc()
+				errors.CheckError(err)
+			}
+
+			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+			_, _ = fmt.Fprintf(w, "SERVER\tSHARD\tCONNECTION\tAPPS COUNT\tRESOURCES COUNT\n")
+
+			for _, cluster := range clusters.Items {
+				clusterShard := 0
+				if replicas > 0 {
+					clusterShard = sharding.GetShardByID(cluster.ID, replicas)
+				}
+
+				if shard != -1 && clusterShard != shard {
+					continue
+				}
+
+				var info argoappv1.ClusterInfo
+				_ = cache.GetClusterInfo(cluster.Server, &info)
+				_, _ = fmt.Fprintf(w, "%s\t%d\t%s\t%d\t%d\n", cluster.Server, clusterShard, info.ConnectionState.Status, info.ApplicationsCount, info.CacheInfo.ResourcesCount)
+			}
+			_ = w.Flush()
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().IntVar(&shard, "shard", -1, "Cluster shard filter")
+	command.Flags().IntVar(&replicas, "replicas", 0, "Application controller replicas count. Inferred from number of running controller pods if not specified")
+	command.Flags().BoolVar(&portForwardRedis, "port-forward-redis", true, "Automatically port-forward ha proxy redis from current namespace?")
+	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command)
+	return &command
+}
+
+// NewClusterConfig returns a new instance of `argocd-util kubeconfig` command
+func NewClusterConfig() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = &cobra.Command{
+		Use:               "kubeconfig CLUSTER_URL OUTPUT_PATH",
+		Short:             "Generates kubeconfig for the specified cluster",
+		DisableAutoGenTag: true,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			serverUrl := args[0]
+			output := args[1]
+			conf, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeclientset, err := kubernetes.NewForConfig(conf)
+			errors.CheckError(err)
+
+			cluster, err := db.NewDB(namespace, settings.NewSettingsManager(context.Background(), kubeclientset, namespace), kubeclientset).GetCluster(context.Background(), serverUrl)
+			errors.CheckError(err)
+			err = kube.WriteKubeConfig(cluster.RawRestConfig(), namespace, output)
+			errors.CheckError(err)
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	return command
+}
+
+func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
+	var (
+		clusterOpts  cmdutil.ClusterOptions
+		bearerToken  string
+		outputFormat string
+	)
+	var command = &cobra.Command{
+		Use:   "generate-spec CONTEXT",
+		Short: "Generate declarative config for a cluster",
+		Run: func(c *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+			var configAccess clientcmd.ConfigAccess = pathOpts
+			if len(args) == 0 {
+				log.Error("Choose a context name from:")
+				cmdutil.PrintKubeContexts(configAccess)
+				os.Exit(1)
+			}
+			cfgAccess, err := configAccess.GetStartingConfig()
+			errors.CheckError(err)
+			contextName := args[0]
+			clstContext := cfgAccess.Contexts[contextName]
+			if clstContext == nil {
+				log.Fatalf("Context %s does not exist in kubeconfig", contextName)
+			}
+
+			overrides := clientcmd.ConfigOverrides{
+				Context: *clstContext,
+			}
+			clientConfig := clientcmd.NewDefaultClientConfig(*cfgAccess, &overrides)
+			conf, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			kubeClientset := fake.NewSimpleClientset()
+
+			var awsAuthConf *argoappv1.AWSAuthConfig
+			var execProviderConf *argoappv1.ExecProviderConfig
+			if clusterOpts.AwsClusterName != "" {
+				awsAuthConf = &argoappv1.AWSAuthConfig{
+					ClusterName: clusterOpts.AwsClusterName,
+					RoleARN:     clusterOpts.AwsRoleArn,
+				}
+			} else if clusterOpts.ExecProviderCommand != "" {
+				execProviderConf = &argoappv1.ExecProviderConfig{
+					Command:     clusterOpts.ExecProviderCommand,
+					Args:        clusterOpts.ExecProviderArgs,
+					Env:         clusterOpts.ExecProviderEnv,
+					APIVersion:  clusterOpts.ExecProviderAPIVersion,
+					InstallHint: clusterOpts.ExecProviderInstallHint,
+				}
+			} else if bearerToken == "" {
+				bearerToken = "bearer-token"
+			}
+			if clusterOpts.Name != "" {
+				contextName = clusterOpts.Name
+			}
+			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, conf, bearerToken, awsAuthConf, execProviderConf)
+			if clusterOpts.InCluster {
+				clst.Server = common.KubernetesInternalAPIServerAddr
+			}
+			if clusterOpts.Shard >= 0 {
+				clst.Shard = &clusterOpts.Shard
+			}
+
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
+			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
+
+			_, err = argoDB.CreateCluster(context.Background(), clst)
+			errors.CheckError(err)
+
+			secName, err := db.ServerToSecretName(clst.Server)
+			errors.CheckError(err)
+
+			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), secName, v1.GetOptions{})
+			errors.CheckError(err)
+
+			cmdutil.ConvertSecretData(secret)
+			var printResources []interface{}
+			printResources = append(printResources, secret)
+			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+		},
+	}
+	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
+	command.Flags().StringVar(&bearerToken, "bearer-token", "", "Authentication token that should be used to access K8S API server")
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	cmdutil.AddClusterFlags(command, &clusterOpts)
+	return command
+}

cmd/argocd-util/commands/config.go

@@ -1,359 +0,0 @@
-package commands
-
-import (
-	"context"
-	"fmt"
-	"io/ioutil"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	apiv1 "k8s.io/api/core/v1"
-	apierr "k8s.io/apimachinery/pkg/api/errors"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes/fake"
-	"k8s.io/client-go/tools/clientcmd"
-
-	cmdutil "github.com/argoproj/argo-cd/cmd/util"
-	"github.com/argoproj/argo-cd/common"
-	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/git"
-	"github.com/argoproj/argo-cd/util/settings"
-)
-
-const (
-	ArgoCDNamespace  = "argocd"
-	repoSecretPrefix = "repo"
-)
-
-func NewGenerateConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
-	var command = &cobra.Command{
-		Use:   "config",
-		Short: "Generate declarative configuration files",
-		Run: func(c *cobra.Command, args []string) {
-			c.HelpFunc()(c, args)
-		},
-	}
-	command.AddCommand(NewGenAppConfigCommand())
-	command.AddCommand(NewGenProjectConfigCommand())
-	command.AddCommand(NewGenClusterConfigCommand(pathOpts))
-	command.AddCommand(NewGenRepoConfigCommand())
-
-	return command
-}
-
-// NewGenAppConfigCommand generates declarative configuration file for given application
-func NewGenAppConfigCommand() *cobra.Command {
-	var (
-		appOpts      cmdutil.AppOptions
-		fileURL      string
-		appName      string
-		labels       []string
-		outputFormat string
-	)
-	var command = &cobra.Command{
-		Use:   "app APPNAME",
-		Short: "Generate declarative config for an application",
-		Example: `
-	# Generate declarative config for a directory app
-	argocd-util config app guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --directory-recurse
-
-	# Generate declarative config for a Jsonnet app
-	argocd-util config app jsonnet-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path jsonnet-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --jsonnet-ext-str replicas=2
-
-	# Generate declarative config for a Helm app
-	argocd-util config app helm-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path helm-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --helm-set replicaCount=2
-
-	# Generate declarative config for a Helm app from a Helm repo
-	argocd-util config app nginx-ingress --repo https://kubernetes-charts.storage.googleapis.com --helm-chart nginx-ingress --revision 1.24.3 --dest-namespace default --dest-server https://kubernetes.default.svc
-
-	# Generate declarative config for a Kustomize app
-	argocd-util config app kustomize-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path kustomize-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --kustomize-image gcr.io/heptio-images/ks-guestbook-demo:0.1
-
-	# Generate declarative config for a app using a custom tool:
-	argocd-util config app ksane --repo https://github.com/argoproj/argocd-example-apps.git --path plugins/kasane --dest-namespace default --dest-server https://kubernetes.default.svc --config-management-plugin kasane
-`,
-		Run: func(c *cobra.Command, args []string) {
-			app, err := cmdutil.ConstructApp(fileURL, appName, labels, args, appOpts, c.Flags())
-			errors.CheckError(err)
-
-			if app.Name == "" {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-
-			var printResources []interface{}
-			printResources = append(printResources, app)
-			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
-		},
-	}
-	command.Flags().StringVar(&appName, "name", "", "A name for the app, ignored if a file is set (DEPRECATED)")
-	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the app")
-	command.Flags().StringArrayVarP(&labels, "label", "l", []string{}, "Labels to apply to the app")
-	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
-
-	// Only complete files with appropriate extension.
-	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
-	errors.CheckError(err)
-
-	cmdutil.AddAppFlags(command, &appOpts)
-	return command
-}
-
-// NewGenProjectConfigCommand generates declarative configuration file for given project
-func NewGenProjectConfigCommand() *cobra.Command {
-	var (
-		opts         cmdutil.ProjectOpts
-		fileURL      string
-		outputFormat string
-	)
-	var command = &cobra.Command{
-		Use:   "proj PROJECT",
-		Short: "Generate declarative config for a project",
-		Run: func(c *cobra.Command, args []string) {
-			proj, err := cmdutil.ConstructAppProj(fileURL, args, opts, c)
-			errors.CheckError(err)
-
-			var printResources []interface{}
-			printResources = append(printResources, proj)
-			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
-		},
-	}
-	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the project")
-	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
-	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
-	if err != nil {
-		log.Fatal(err)
-	}
-	cmdutil.AddProjFlags(command, &opts)
-	return command
-}
-
-func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
-	var (
-		clusterOpts  cmdutil.ClusterOptions
-		bearerToken  string
-		outputFormat string
-	)
-	var command = &cobra.Command{
-		Use:   "cluster CONTEXT",
-		Short: "Generate declarative config for a cluster",
-		Run: func(c *cobra.Command, args []string) {
-			var configAccess clientcmd.ConfigAccess = pathOpts
-			if len(args) == 0 {
-				log.Error("Choose a context name from:")
-				cmdutil.PrintKubeContexts(configAccess)
-				os.Exit(1)
-			}
-			cfgAccess, err := configAccess.GetStartingConfig()
-			errors.CheckError(err)
-			contextName := args[0]
-			clstContext := cfgAccess.Contexts[contextName]
-			if clstContext == nil {
-				log.Fatalf("Context %s does not exist in kubeconfig", contextName)
-			}
-
-			overrides := clientcmd.ConfigOverrides{
-				Context: *clstContext,
-			}
-			clientConfig := clientcmd.NewDefaultClientConfig(*cfgAccess, &overrides)
-			conf, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			kubeClientset := fake.NewSimpleClientset()
-
-			var awsAuthConf *argoappv1.AWSAuthConfig
-			var execProviderConf *argoappv1.ExecProviderConfig
-			if clusterOpts.AwsClusterName != "" {
-				awsAuthConf = &argoappv1.AWSAuthConfig{
-					ClusterName: clusterOpts.AwsClusterName,
-					RoleARN:     clusterOpts.AwsRoleArn,
-				}
-			} else if clusterOpts.ExecProviderCommand != "" {
-				execProviderConf = &argoappv1.ExecProviderConfig{
-					Command:     clusterOpts.ExecProviderCommand,
-					Args:        clusterOpts.ExecProviderArgs,
-					Env:         clusterOpts.ExecProviderEnv,
-					APIVersion:  clusterOpts.ExecProviderAPIVersion,
-					InstallHint: clusterOpts.ExecProviderInstallHint,
-				}
-			} else if bearerToken == "" {
-				bearerToken = "bearer-token"
-			}
-			if clusterOpts.Name != "" {
-				contextName = clusterOpts.Name
-			}
-			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, conf, bearerToken, awsAuthConf, execProviderConf)
-			if clusterOpts.InCluster {
-				clst.Server = common.KubernetesInternalAPIServerAddr
-			}
-			if clusterOpts.Shard >= 0 {
-				clst.Shard = &clusterOpts.Shard
-			}
-
-			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
-			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
-
-			_, err = argoDB.CreateCluster(context.Background(), clst)
-			errors.CheckError(err)
-
-			secName, err := db.ServerToSecretName(clst.Server)
-			errors.CheckError(err)
-
-			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), secName, v1.GetOptions{})
-			errors.CheckError(err)
-
-			cmdutil.ConvertSecretData(secret)
-			var printResources []interface{}
-			printResources = append(printResources, secret)
-			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
-		},
-	}
-	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
-	command.Flags().StringVar(&bearerToken, "bearer-token", "", "Authentication token that should be used to access K8S API server")
-	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
-	cmdutil.AddClusterFlags(command, &clusterOpts)
-	return command
-}
-
-func NewGenRepoConfigCommand() *cobra.Command {
-	var (
-		repoOpts     cmdutil.RepoOptions
-		outputFormat string
-	)
-
-	// For better readability and easier formatting
-	var repoAddExamples = `  
-  # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
-  argocd-util config repo git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
-
-  # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
-  argocd-util config repo ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
-
-  # Add a private Git repository via HTTPS using username/password and TLS client certificates:
-  argocd-util config repo https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
-
-  # Add a private Git repository via HTTPS using username/password without verifying the server's TLS certificate
-  argocd-util config repo https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
-
-  # Add a public Helm repository named 'stable' via HTTPS
-  argocd-util config repo https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
-
-  # Add a private Helm repository named 'stable' via HTTPS
-  argocd-util config repo https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
-
-  # Add a private Helm OCI-based repository named 'stable' via HTTPS
-  argocd-util config repo helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
-`
-
-	var command = &cobra.Command{
-		Use:     "repo REPOURL",
-		Short:   "Generate declarative config for a repo",
-		Example: repoAddExamples,
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 1 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-
-			// Repository URL
-			repoOpts.Repo.Repo = args[0]
-
-			// Specifying ssh-private-key-path is only valid for SSH repositories
-			if repoOpts.SshPrivateKeyPath != "" {
-				if ok, _ := git.IsSSHURL(repoOpts.Repo.Repo); ok {
-					keyData, err := ioutil.ReadFile(repoOpts.SshPrivateKeyPath)
-					if err != nil {
-						log.Fatal(err)
-					}
-					repoOpts.Repo.SSHPrivateKey = string(keyData)
-				} else {
-					err := fmt.Errorf("--ssh-private-key-path is only supported for SSH repositories.")
-					errors.CheckError(err)
-				}
-			}
-
-			// tls-client-cert-path and tls-client-cert-key-key-path must always be
-			// specified together
-			if (repoOpts.TlsClientCertPath != "" && repoOpts.TlsClientCertKeyPath == "") || (repoOpts.TlsClientCertPath == "" && repoOpts.TlsClientCertKeyPath != "") {
-				err := fmt.Errorf("--tls-client-cert-path and --tls-client-cert-key-path must be specified together")
-				errors.CheckError(err)
-			}
-
-			// Specifying tls-client-cert-path is only valid for HTTPS repositories
-			if repoOpts.TlsClientCertPath != "" {
-				if git.IsHTTPSURL(repoOpts.Repo.Repo) {
-					tlsCertData, err := ioutil.ReadFile(repoOpts.TlsClientCertPath)
-					errors.CheckError(err)
-					tlsCertKey, err := ioutil.ReadFile(repoOpts.TlsClientCertKeyPath)
-					errors.CheckError(err)
-					repoOpts.Repo.TLSClientCertData = string(tlsCertData)
-					repoOpts.Repo.TLSClientCertKey = string(tlsCertKey)
-				} else {
-					err := fmt.Errorf("--tls-client-cert-path is only supported for HTTPS repositories")
-					errors.CheckError(err)
-				}
-			}
-
-			// Set repository connection properties only when creating repository, not
-			// when creating repository credentials.
-			// InsecureIgnoreHostKey is deprecated and only here for backwards compat
-			repoOpts.Repo.InsecureIgnoreHostKey = repoOpts.InsecureIgnoreHostKey
-			repoOpts.Repo.Insecure = repoOpts.InsecureSkipServerVerification
-			repoOpts.Repo.EnableLFS = repoOpts.EnableLfs
-			repoOpts.Repo.EnableOCI = repoOpts.EnableOci
-
-			if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
-				errors.CheckError(fmt.Errorf("must specify --name for repos of type 'helm'"))
-			}
-
-			// If the user set a username, but didn't supply password via --password,
-			// then we prompt for it
-			if repoOpts.Repo.Username != "" && repoOpts.Repo.Password == "" {
-				repoOpts.Repo.Password = cli.PromptPassword(repoOpts.Repo.Password)
-			}
-
-			argoCDCM := &apiv1.ConfigMap{
-				TypeMeta: v1.TypeMeta{
-					Kind:       "ConfigMap",
-					APIVersion: "v1",
-				},
-				ObjectMeta: v1.ObjectMeta{
-					Name:      common.ArgoCDConfigMapName,
-					Namespace: ArgoCDNamespace,
-					Labels: map[string]string{
-						"app.kubernetes.io/part-of": "argocd",
-					},
-				},
-			}
-			kubeClientset := fake.NewSimpleClientset(argoCDCM)
-			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
-			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
-
-			var printResources []interface{}
-			_, err := argoDB.CreateRepository(context.Background(), &repoOpts.Repo)
-			errors.CheckError(err)
-
-			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), db.RepoURLToSecretName(repoSecretPrefix, repoOpts.Repo.Repo), v1.GetOptions{})
-			if err != nil {
-				if !apierr.IsNotFound(err) {
-					errors.CheckError(err)
-				}
-			} else {
-				cmdutil.ConvertSecretData(secret)
-				printResources = append(printResources, secret)
-			}
-
-			cm, err := kubeClientset.CoreV1().ConfigMaps(ArgoCDNamespace).Get(context.Background(), common.ArgoCDConfigMapName, v1.GetOptions{})
-			errors.CheckError(err)
-
-			printResources = append(printResources, cm)
-			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
-		},
-	}
-	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
-	cmdutil.AddRepoFlags(command, &repoOpts)
-	return command
-}

cmd/argocd-util/commands/project.go

@@ -7,6 +7,7 @@ import (
 	"path/filepath"
 	"strings"
 
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
 	appclient "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/typed/application/v1alpha1"
@@ -21,18 +22,49 @@ import (
 
 func NewProjectsCommand() *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "projects",
-		Short: "Utility commands operate on ArgoCD Projects",
+		Use:   "proj",
+		Short: "Manage projects configuration",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 		},
 	}
 
+	command.AddCommand(NewGenProjectSpecCommand())
 	command.AddCommand(NewUpdatePolicyRuleCommand())
 	command.AddCommand(NewProjectAllowListGenCommand())
 	return command
 }
 
+// NewGenProjectConfigCommand generates declarative configuration file for given project
+func NewGenProjectSpecCommand() *cobra.Command {
+	var (
+		opts         cmdutil.ProjectOpts
+		fileURL      string
+		outputFormat string
+	)
+	var command = &cobra.Command{
+		Use:   "generate-spec PROJECT",
+		Short: "Generate declarative config for a project",
+		Run: func(c *cobra.Command, args []string) {
+			proj, err := cmdutil.ConstructAppProj(fileURL, args, opts, c)
+			errors.CheckError(err)
+
+			var printResources []interface{}
+			printResources = append(printResources, proj)
+			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+		},
+	}
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the project")
+
+	// Only complete files with appropriate extension.
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	errors.CheckError(err)
+
+	cmdutil.AddProjFlags(command, &opts)
+	return command
+}
+
 func globMatch(pattern string, val string) bool {
 	if pattern == "*" {
 		return true

cmd/argocd-util/commands/repo.go

@@ -0,0 +1,182 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	apiv1 "k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/db"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/git"
+	"github.com/argoproj/argo-cd/util/settings"
+)
+
+const (
+	ArgoCDNamespace  = "argocd"
+	repoSecretPrefix = "repo"
+)
+
+func NewRepoCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "repo",
+		Short: "Manage repositories configuration",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+	command.AddCommand(NewGenRepoSpecCommand())
+
+	return command
+}
+
+func NewGenRepoSpecCommand() *cobra.Command {
+	var (
+		repoOpts     cmdutil.RepoOptions
+		outputFormat string
+	)
+
+	// For better readability and easier formatting
+	var repoAddExamples = `  
+  # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
+  argocd-util repo generate-spec git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
+
+  # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
+  argocd-util repo generate-spec ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
+
+  # Add a private Git repository via HTTPS using username/password and TLS client certificates:
+  argocd-util repo generate-spec https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
+
+  # Add a private Git repository via HTTPS using username/password without verifying the server's TLS certificate
+  argocd-util repo generate-spec https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
+
+  # Add a public Helm repository named 'stable' via HTTPS
+  argocd-util repo generate-spec https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
+
+  # Add a private Helm repository named 'stable' via HTTPS
+  argocd-util repo generate-spec https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
+
+  # Add a private Helm OCI-based repository named 'stable' via HTTPS
+  argocd-util repo generate-spec helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
+`
+
+	var command = &cobra.Command{
+		Use:     "generate-spec REPOURL",
+		Short:   "Generate declarative config for a repo",
+		Example: repoAddExamples,
+		Run: func(c *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			// Repository URL
+			repoOpts.Repo.Repo = args[0]
+
+			// Specifying ssh-private-key-path is only valid for SSH repositories
+			if repoOpts.SshPrivateKeyPath != "" {
+				if ok, _ := git.IsSSHURL(repoOpts.Repo.Repo); ok {
+					keyData, err := ioutil.ReadFile(repoOpts.SshPrivateKeyPath)
+					if err != nil {
+						log.Fatal(err)
+					}
+					repoOpts.Repo.SSHPrivateKey = string(keyData)
+				} else {
+					err := fmt.Errorf("--ssh-private-key-path is only supported for SSH repositories.")
+					errors.CheckError(err)
+				}
+			}
+
+			// tls-client-cert-path and tls-client-cert-key-key-path must always be
+			// specified together
+			if (repoOpts.TlsClientCertPath != "" && repoOpts.TlsClientCertKeyPath == "") || (repoOpts.TlsClientCertPath == "" && repoOpts.TlsClientCertKeyPath != "") {
+				err := fmt.Errorf("--tls-client-cert-path and --tls-client-cert-key-path must be specified together")
+				errors.CheckError(err)
+			}
+
+			// Specifying tls-client-cert-path is only valid for HTTPS repositories
+			if repoOpts.TlsClientCertPath != "" {
+				if git.IsHTTPSURL(repoOpts.Repo.Repo) {
+					tlsCertData, err := ioutil.ReadFile(repoOpts.TlsClientCertPath)
+					errors.CheckError(err)
+					tlsCertKey, err := ioutil.ReadFile(repoOpts.TlsClientCertKeyPath)
+					errors.CheckError(err)
+					repoOpts.Repo.TLSClientCertData = string(tlsCertData)
+					repoOpts.Repo.TLSClientCertKey = string(tlsCertKey)
+				} else {
+					err := fmt.Errorf("--tls-client-cert-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
+			// Set repository connection properties only when creating repository, not
+			// when creating repository credentials.
+			// InsecureIgnoreHostKey is deprecated and only here for backwards compat
+			repoOpts.Repo.InsecureIgnoreHostKey = repoOpts.InsecureIgnoreHostKey
+			repoOpts.Repo.Insecure = repoOpts.InsecureSkipServerVerification
+			repoOpts.Repo.EnableLFS = repoOpts.EnableLfs
+			repoOpts.Repo.EnableOCI = repoOpts.EnableOci
+
+			if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
+				errors.CheckError(fmt.Errorf("must specify --name for repos of type 'helm'"))
+			}
+
+			// If the user set a username, but didn't supply password via --password,
+			// then we prompt for it
+			if repoOpts.Repo.Username != "" && repoOpts.Repo.Password == "" {
+				repoOpts.Repo.Password = cli.PromptPassword(repoOpts.Repo.Password)
+			}
+
+			argoCDCM := &apiv1.ConfigMap{
+				TypeMeta: v1.TypeMeta{
+					Kind:       "ConfigMap",
+					APIVersion: "v1",
+				},
+				ObjectMeta: v1.ObjectMeta{
+					Name:      common.ArgoCDConfigMapName,
+					Namespace: ArgoCDNamespace,
+					Labels: map[string]string{
+						"app.kubernetes.io/part-of": "argocd",
+					},
+				},
+			}
+			kubeClientset := fake.NewSimpleClientset(argoCDCM)
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
+			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
+
+			var printResources []interface{}
+			_, err := argoDB.CreateRepository(context.Background(), &repoOpts.Repo)
+			errors.CheckError(err)
+
+			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), db.RepoURLToSecretName(repoSecretPrefix, repoOpts.Repo.Repo), v1.GetOptions{})
+			if err != nil {
+				if !apierr.IsNotFound(err) {
+					errors.CheckError(err)
+				}
+			} else {
+				cmdutil.ConvertSecretData(secret)
+				printResources = append(printResources, secret)
+			}
+
+			cm, err := kubeClientset.CoreV1().ConfigMaps(ArgoCDNamespace).Get(context.Background(), common.ArgoCDConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+
+			printResources = append(printResources, cm)
+			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+		},
+	}
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	cmdutil.AddRepoFlags(command, &repoOpts)
+	return command
+}

cmd/argocd-util/commands/settings.go

@@ -162,6 +162,7 @@ func NewSettingsCommand() *cobra.Command {
 
 	command.AddCommand(NewValidateSettingsCommand(&opts))
 	command.AddCommand(NewResourceOverridesCommand(&opts))
+	command.AddCommand(NewRBACCommand())
 
 	opts.clientConfig = cli.AddKubectlFlagsToCmd(command)
 	command.PersistentFlags().StringVar(&opts.argocdCMPath, "argocd-cm-path", "", "Path to local argocd-cm.yaml file")

cmd/argocd/commands/app.go

@@ -556,6 +556,7 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 		namePrefix       bool
 		kustomizeVersion bool
 		kustomizeImages  []string
+		pluginEnvs       []string
 		appOpts          cmdutil.AppOptions
 	)
 	var command = &cobra.Command{
@@ -661,9 +662,22 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 						}
 					}
 				}
-				if !updated {
-					return
+			}
+
+			if app.Spec.Source.Plugin != nil {
+				if len(pluginEnvs) == 0 {
+					c.HelpFunc()(c, args)
+					os.Exit(1)
 				}
+				for _, env := range pluginEnvs {
+					err = app.Spec.Source.Plugin.RemoveEnvEntry(env)
+					errors.CheckError(err)
+				}
+				updated = true
+			}
+
+			if !updated {
+				return
 			}
 
 			cmdutil.SetAppSpecOptions(c.Flags(), &app.Spec, &appOpts)
@@ -682,6 +696,7 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 	command.Flags().BoolVar(&namePrefix, "nameprefix", false, "Kustomize nameprefix")
 	command.Flags().BoolVar(&kustomizeVersion, "kustomize-version", false, "Kustomize version")
 	command.Flags().StringArrayVar(&kustomizeImages, "kustomize-image", []string{}, "Kustomize images name (e.g. --kustomize-image node --kustomize-image mysql)")
+	command.Flags().StringArrayVar(&pluginEnvs, "plugin-env", []string{}, "Unset plugin env variables (e.g --plugin-env name)")
 	return command
 }
 
@@ -936,8 +951,9 @@ func groupObjsForDiff(resources *application.ManagedResourcesResponse, objs map[
 // NewApplicationDeleteCommand returns a new instance of an `argocd app delete` command
 func NewApplicationDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		cascade  bool
-		noPrompt bool
+		cascade           bool
+		noPrompt          bool
+		propagationPolicy string
 	)
 	var command = &cobra.Command{
 		Use:   "delete APPNAME",
@@ -963,6 +979,9 @@ func NewApplicationDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 				if c.Flag("cascade").Changed {
 					appDeleteReq.Cascade = &cascade
 				}
+				if c.Flag("propagation-policy").Changed {
+					appDeleteReq.PropagationPolicy = &propagationPolicy
+				}
 				if cascade && isTerminal && !noPrompt {
 					var confirmAnswer string = "n"
 					var lowercaseAnswer string
@@ -997,6 +1016,7 @@ func NewApplicationDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 		},
 	}
 	command.Flags().BoolVar(&cascade, "cascade", true, "Perform a cascaded deletion of all application resources")
+	command.Flags().StringVarP(&propagationPolicy, "propagation-policy", "p", "foreground", "Specify propagation policy for deletion of application's resources. One of: foreground|background")
 	command.Flags().BoolVarP(&noPrompt, "yes", "y", false, "Turn off prompting to confirm cascaded deletion of application resources")
 	return command
 }
@@ -1045,6 +1065,7 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 		output   string
 		selector string
 		projects []string
+		repo     string
 	)
 	var command = &cobra.Command{
 		Use:   "list",
@@ -1063,6 +1084,9 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			if len(projects) != 0 {
 				appList = argo.FilterByProjects(appList, projects)
 			}
+			if repo != "" {
+				appList = argo.FilterByRepo(appList, repo)
+			}
 			switch output {
 			case "yaml", "json":
 				err := PrintResourceList(appList, output, false)
@@ -1079,6 +1103,7 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|name|json|yaml")
 	command.Flags().StringVarP(&selector, "selector", "l", "", "List apps by label")
 	command.Flags().StringArrayVarP(&projects, "project", "p", []string{}, "Filter by project name")
+	command.Flags().StringVarP(&repo, "repo", "r", "", "List apps by source repo URL")
 	return command
 }
 

cmd/argocd/commands/project.go

@@ -14,7 +14,6 @@ import (
 	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
@@ -129,23 +128,7 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
-			visited := 0
-			c.Flags().Visit(func(f *pflag.Flag) {
-				visited++
-				switch f.Name {
-				case "description":
-					proj.Spec.Description = opts.Description
-				case "dest":
-					proj.Spec.Destinations = opts.GetDestinations()
-				case "src":
-					proj.Spec.SourceRepos = opts.Sources
-				case "signature-keys":
-					proj.Spec.SignatureKeys = opts.GetSignatureKeys()
-				case "orphaned-resources", "orphaned-resources-warn":
-					proj.Spec.OrphanedResources = cmdutil.GetOrphanedResourcesSettings(c, opts)
-				}
-			})
-			if visited == 0 {
+			if visited := cmdutil.SetProjSpecOptions(c.Flags(), &proj.Spec, &opts); visited == 0 {
 				log.Error("Please set at least one option to update")
 				c.HelpFunc()(c, args)
 				os.Exit(1)

cmd/util/app.go

@@ -7,11 +7,13 @@ import (
 	"net/url"
 	"os"
 	"strings"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 
 	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/pkg/apis/application"
@@ -62,6 +64,10 @@ type AppOptions struct {
 	Validate                   bool
 	directoryExclude           string
 	directoryInclude           string
+	retryLimit                 int64
+	retryBackoffDuration       time.Duration
+	retryBackoffMaxDuration    time.Duration
+	retryBackoffFactor         int64
 }
 
 func AddAppFlags(command *cobra.Command, opts *AppOptions) {
@@ -105,6 +111,10 @@ func AddAppFlags(command *cobra.Command, opts *AppOptions) {
 	command.Flags().StringArrayVar(&opts.kustomizeCommonAnnotations, "kustomize-common-annotation", []string{}, "Set common labels in Kustomize")
 	command.Flags().StringVar(&opts.directoryExclude, "directory-exclude", "", "Set glob expression used to exclude files from application source path")
 	command.Flags().StringVar(&opts.directoryInclude, "directory-include", "", "Set glob expression used to include files from application source path")
+	command.Flags().Int64Var(&opts.retryLimit, "retry-limit", 0, "Max number of allowed sync retries")
+	command.Flags().DurationVar(&opts.retryBackoffDuration, "retry-backoff-duration", common.DefaultSyncRetryDuration, "Retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h)")
+	command.Flags().DurationVar(&opts.retryBackoffMaxDuration, "retry-backoff-max-duration", common.DefaultSyncRetryMaxDuration, "Max retry backoff duration. Input needs to be a duration (e.g. 2m, 1h)")
+	command.Flags().Int64Var(&opts.retryBackoffFactor, "retry-backoff-factor", common.DefaultSyncRetryFactor, "Factor multiplies the base duration after each failed retry")
 }
 
 func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, appOpts *AppOptions) int {
@@ -238,6 +248,28 @@ func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, ap
 			if spec.SyncPolicy.IsZero() {
 				spec.SyncPolicy = nil
 			}
+		case "retry-limit":
+			if appOpts.retryLimit > 0 {
+				if spec.SyncPolicy == nil {
+					spec.SyncPolicy = &argoappv1.SyncPolicy{}
+				}
+				spec.SyncPolicy.Retry = &argoappv1.RetryStrategy{
+					Limit: appOpts.retryLimit,
+					Backoff: &argoappv1.Backoff{
+						Duration:    appOpts.retryBackoffDuration.String(),
+						MaxDuration: appOpts.retryBackoffMaxDuration.String(),
+						Factor:      pointer.Int64Ptr(appOpts.retryBackoffFactor),
+					},
+				}
+			} else if appOpts.retryLimit == 0 {
+				if spec.SyncPolicy.IsZero() {
+					spec.SyncPolicy = nil
+				} else {
+					spec.SyncPolicy.Retry = nil
+				}
+			} else {
+				log.Fatalf("Invalid retry-limit [%d]", appOpts.retryLimit)
+			}
 		}
 	})
 	if flags.Changed("auto-prune") {

cmd/util/app_test.go

@@ -164,4 +164,11 @@ func Test_setAppSpecOptions(t *testing.T) {
 		assert.NoError(t, f.SetFlag("sync-option", "!a=1"))
 		assert.Nil(t, f.spec.SyncPolicy)
 	})
+	t.Run("RetryLimit", func(t *testing.T) {
+		assert.NoError(t, f.SetFlag("retry-limit", "5"))
+		assert.True(t, f.spec.SyncPolicy.Retry.Limit == 5)
+
+		assert.NoError(t, f.SetFlag("retry-limit", "0"))
+		assert.Nil(t, f.spec.SyncPolicy)
+	})
 }

cmd/util/common.go

@@ -24,21 +24,26 @@ func PrintResources(resources []interface{}, output string) error {
 		}
 		resources[i] = filteredResource
 	}
+	var obj interface{} = resources
+	if len(resources) == 1 {
+		obj = resources[0]
+	}
 
 	switch output {
 	case "json":
-		jsonBytes, err := json.MarshalIndent(resources, "", "  ")
+		jsonBytes, err := json.MarshalIndent(obj, "", "  ")
 		if err != nil {
 			return err
 		}
 
 		fmt.Println(string(jsonBytes))
 	case "yaml":
-		yamlBytes, err := yaml.Marshal(resources)
+		yamlBytes, err := yaml.Marshal(obj)
 		if err != nil {
 			return err
 		}
-		fmt.Println(string(yamlBytes))
+		// marshaled YAML already ends with the new line character
+		fmt.Print(string(yamlBytes))
 	default:
 		return fmt.Errorf("unknown output format: %s", output)
 	}

cmd/util/project.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/pointer"
 
@@ -19,12 +20,17 @@ import (
 )
 
 type ProjectOpts struct {
-	Description              string
-	destinations             []string
-	Sources                  []string
-	SignatureKeys            []string
-	orphanedResourcesEnabled bool
-	orphanedResourcesWarn    bool
+	Description   string
+	destinations  []string
+	Sources       []string
+	SignatureKeys []string
+
+	orphanedResourcesEnabled   bool
+	orphanedResourcesWarn      bool
+	allowedClusterResources    []string
+	deniedClusterResources     []string
+	allowedNamespacedResources []string
+	deniedNamespacedResources  []string
 }
 
 func AddProjFlags(command *cobra.Command, opts *ProjectOpts) {
@@ -35,6 +41,39 @@ func AddProjFlags(command *cobra.Command, opts *ProjectOpts) {
 	command.Flags().StringSliceVar(&opts.SignatureKeys, "signature-keys", []string{}, "GnuPG public key IDs for commit signature verification")
 	command.Flags().BoolVar(&opts.orphanedResourcesEnabled, "orphaned-resources", false, "Enables orphaned resources monitoring")
 	command.Flags().BoolVar(&opts.orphanedResourcesWarn, "orphaned-resources-warn", false, "Specifies if applications should have a warning condition when orphaned resources detected")
+	command.Flags().StringArrayVar(&opts.allowedClusterResources, "allow-cluster-resource", []string{}, "List of allowed cluster level resources")
+	command.Flags().StringArrayVar(&opts.deniedClusterResources, "deny-cluster-resource", []string{}, "List of denied cluster level resources")
+	command.Flags().StringArrayVar(&opts.allowedNamespacedResources, "allow-namespaced-resource", []string{}, "List of allowed namespaced resources")
+	command.Flags().StringArrayVar(&opts.deniedNamespacedResources, "deny-namespaced-resource", []string{}, "List of denied namespaced resources")
+
+}
+
+func getGroupKindList(values []string) []v1.GroupKind {
+	var res []v1.GroupKind
+	for _, val := range values {
+		if parts := strings.Split(val, "/"); len(parts) == 2 {
+			res = append(res, v1.GroupKind{Group: parts[0], Kind: parts[1]})
+		} else if len(parts) == 1 {
+			res = append(res, v1.GroupKind{Kind: parts[0]})
+		}
+	}
+	return res
+}
+
+func (opts *ProjectOpts) GetAllowedClusterResources() []v1.GroupKind {
+	return getGroupKindList(opts.allowedClusterResources)
+}
+
+func (opts *ProjectOpts) GetDeniedClusterResources() []v1.GroupKind {
+	return getGroupKindList(opts.deniedClusterResources)
+}
+
+func (opts *ProjectOpts) GetAllowedNamespacedResources() []v1.GroupKind {
+	return getGroupKindList(opts.allowedNamespacedResources)
+}
+
+func (opts *ProjectOpts) GetDeniedNamespacedResources() []v1.GroupKind {
+	return getGroupKindList(opts.deniedNamespacedResources)
 }
 
 func (opts *ProjectOpts) GetDestinations() []v1alpha1.ApplicationDestination {
@@ -65,8 +104,8 @@ func (opts *ProjectOpts) GetSignatureKeys() []v1alpha1.SignatureKey {
 	return signatureKeys
 }
 
-func GetOrphanedResourcesSettings(c *cobra.Command, opts ProjectOpts) *v1alpha1.OrphanedResourcesMonitorSettings {
-	warnChanged := c.Flag("orphaned-resources-warn").Changed
+func GetOrphanedResourcesSettings(flagSet *pflag.FlagSet, opts ProjectOpts) *v1alpha1.OrphanedResourcesMonitorSettings {
+	warnChanged := flagSet.Changed("orphaned-resources-warn")
 	if opts.orphanedResourcesEnabled || warnChanged {
 		settings := v1alpha1.OrphanedResourcesMonitorSettings{}
 		if warnChanged {
@@ -96,8 +135,43 @@ func readProjFromURI(fileURL string, proj *v1alpha1.AppProject) error {
 	return err
 }
 
+func SetProjSpecOptions(flags *pflag.FlagSet, spec *v1alpha1.AppProjectSpec, projOpts *ProjectOpts) int {
+	visited := 0
+	flags.Visit(func(f *pflag.Flag) {
+		visited++
+		switch f.Name {
+		case "description":
+			spec.Description = projOpts.Description
+		case "dest":
+			spec.Destinations = projOpts.GetDestinations()
+		case "src":
+			spec.SourceRepos = projOpts.Sources
+		case "signature-keys":
+			spec.SignatureKeys = projOpts.GetSignatureKeys()
+		case "allow-cluster-resource":
+			spec.ClusterResourceWhitelist = projOpts.GetAllowedClusterResources()
+		case "deny-cluster-resource":
+			spec.ClusterResourceBlacklist = projOpts.GetDeniedClusterResources()
+		case "allow-namespaced-resource":
+			spec.NamespaceResourceWhitelist = projOpts.GetAllowedNamespacedResources()
+		case "deny-namespaced-resource":
+			spec.NamespaceResourceBlacklist = projOpts.GetDeniedNamespacedResources()
+		}
+	})
+	if flags.Changed("orphaned-resources") || flags.Changed("orphaned-resources-warn") {
+		spec.OrphanedResources = GetOrphanedResourcesSettings(flags, *projOpts)
+		visited++
+	}
+	return visited
+}
+
 func ConstructAppProj(fileURL string, args []string, opts ProjectOpts, c *cobra.Command) (*v1alpha1.AppProject, error) {
-	var proj v1alpha1.AppProject
+	var proj = v1alpha1.AppProject{
+		TypeMeta: v1.TypeMeta{
+			Kind:       application.AppProjectKind,
+			APIVersion: application.Group + "/v1alpha1",
+		},
+	}
 	if fileURL == "-" {
 		// read stdin
 		err := readProjFromStdin(&proj)
@@ -120,22 +194,9 @@ func ConstructAppProj(fileURL string, args []string, opts ProjectOpts, c *cobra.
 			c.HelpFunc()(c, args)
 			os.Exit(1)
 		}
-		projName := args[0]
-		proj = v1alpha1.AppProject{
-			TypeMeta: v1.TypeMeta{
-				Kind:       application.AppProjectKind,
-				APIVersion: application.Group + "/v1alpha1",
-			},
-			ObjectMeta: v1.ObjectMeta{Name: projName},
-			Spec: v1alpha1.AppProjectSpec{
-				Description:       opts.Description,
-				Destinations:      opts.GetDestinations(),
-				SourceRepos:       opts.Sources,
-				SignatureKeys:     opts.GetSignatureKeys(),
-				OrphanedResources: GetOrphanedResourcesSettings(c, opts),
-			},
-		}
+		proj.Name = args[0]
 	}
+	SetProjSpecOptions(c.Flags(), &proj.Spec, &opts)
 
 	return &proj, nil
 }

cmd/util/project_test.go

@@ -0,0 +1,24 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestProjectOpts_ResourceLists(t *testing.T) {
+	opts := ProjectOpts{
+		allowedNamespacedResources: []string{"ConfigMap"},
+		deniedNamespacedResources:  []string{"apps/DaemonSet"},
+		allowedClusterResources:    []string{"apiextensions.k8s.io/CustomResourceDefinition"},
+		deniedClusterResources:     []string{"rbac.authorization.k8s.io/ClusterRole"},
+	}
+
+	assert.ElementsMatch(t,
+		[]v1.GroupKind{{Kind: "ConfigMap"}}, opts.GetAllowedNamespacedResources(),
+		[]v1.GroupKind{{Group: "apps", Kind: "DaemonSet"}}, opts.GetDeniedNamespacedResources(),
+		[]v1.GroupKind{{Group: "apiextensions.k8s.io", Kind: "CustomResourceDefinition"}}, opts.GetAllowedClusterResources(),
+		[]v1.GroupKind{{Group: "rbac.authorization.k8s.io", Kind: "ClusterRole"}}, opts.GetDeniedClusterResources(),
+	)
+}

common/common.go

@@ -53,6 +53,8 @@ const (
 	DefaultSSHKnownHostsName = "ssh_known_hosts"
 	// Default path to GnuPG home directory
 	DefaultGnuPgHomePath = "/app/config/gpg/keys"
+	// Default path to repo server TLS endpoint config
+	DefaultAppConfigPath = "/app/config"
 )
 
 const (
@@ -125,9 +127,15 @@ const (
 	AnnotationKeyManagedBy = "managed-by"
 	// AnnotationValueManagedByArgoCD is a 'managed-by' annotation value for resources managed by Argo CD
 	AnnotationValueManagedByArgoCD = "argocd.argoproj.io"
-	// ResourcesFinalizerName the finalizer value which we inject to finalize deletion of an application
+	// ResourcesFinalizerName is the finalizer value which we inject to finalize deletion of an application
 	ResourcesFinalizerName = "resources-finalizer.argocd.argoproj.io"
 
+	// ForegroundPropagationPolicyFinalizer is the finalizer we inject to delete application with foreground propagation policy
+	ForegroundPropagationPolicyFinalizer = "resources-finalizer.argocd.argoproj.io/foreground"
+
+	// BackgroundPropagationPolicyFinalizer is the finalizer we inject to delete application with background propagation policy
+	BackgroundPropagationPolicyFinalizer = "resources-finalizer.argocd.argoproj.io/background"
+
 	// AnnotationKeyManifestGeneratePaths is an annotation that contains a list of semicolon-separated paths in the
 	// manifests repository that affects the manifest generation. Paths might be either relative or absolute. The
 	// absolute path means an absolute path within the repository and the relative path is relative to the application
@@ -188,6 +196,10 @@ const (
 	EnvEnableGRPCTimeHistogramEnv = "ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM"
 	// EnvGithubAppCredsExpirationDuration controls the caching of Github app credentials. This value is in minutes (default: 60)
 	EnvGithubAppCredsExpirationDuration = "ARGOCD_GITHUB_APP_CREDS_EXPIRATION_DURATION"
+	// EnvHelmIndexCacheDuration controls how the helm repository index file is cached for (default: 0)
+	EnvHelmIndexCacheDuration = "ARGOCD_HELM_INDEX_CACHE_DURATION"
+	// EnvRepoServerConfigPath allows to override the configuration path for repo server
+	EnvAppConfigPath = "ARGOCD_APP_CONF_PATH"
 )
 
 const (

controller/appcontroller.go

@@ -839,9 +839,16 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 	config := metrics.AddMetricsTransportWrapper(ctrl.metricsServer, app, cluster.RESTConfig())
 
 	filteredObjs := FilterObjectsForDeletion(objs)
+
+	propagationPolicy := metav1.DeletePropagationForeground
+	if app.GetPropagationPolicy() == common.BackgroundPropagationPolicyFinalizer {
+		propagationPolicy = metav1.DeletePropagationBackground
+	}
+	logCtx.Infof("Deleting application's resources with %s propagation policy", propagationPolicy)
+
 	err = kube.RunAllAsync(len(filteredObjs), func(i int) error {
 		obj := filteredObjs[i]
-		return ctrl.kubectl.DeleteResource(context.Background(), config, obj.GroupVersionKind(), obj.GetName(), obj.GetNamespace(), false)
+		return ctrl.kubectl.DeleteResource(context.Background(), config, obj.GroupVersionKind(), obj.GetName(), obj.GetNamespace(), metav1.DeleteOptions{PropagationPolicy: &propagationPolicy})
 	})
 	if err != nil {
 		return objs, err
@@ -869,14 +876,8 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 	if err != nil {
 		return objs, err
 	}
-	app.SetCascadedDeletion(false)
-	var patch []byte
-	patch, _ = json.Marshal(map[string]interface{}{
-		"metadata": map[string]interface{}{
-			"finalizers": app.Finalizers,
-		},
-	})
-	_, err = ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace).Patch(context.Background(), app.Name, types.MergePatchType, patch, metav1.PatchOptions{})
+
+	err = ctrl.removeCascadeFinalizer(app)
 	if err != nil {
 		return objs, err
 	}
@@ -886,6 +887,19 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 	return objs, nil
 }
 
+func (ctrl *ApplicationController) removeCascadeFinalizer(app *appv1.Application) error {
+	app.UnSetCascadedDeletion()
+	var patch []byte
+	patch, _ = json.Marshal(map[string]interface{}{
+		"metadata": map[string]interface{}{
+			"finalizers": app.Finalizers,
+		},
+	})
+
+	_, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace).Patch(context.Background(), app.Name, types.MergePatchType, patch, metav1.PatchOptions{})
+	return err
+}
+
 func (ctrl *ApplicationController) setAppCondition(app *appv1.Application, condition appv1.ApplicationCondition) {
 	// do nothing if app already has same condition
 	for _, c := range app.Status.Conditions {

controller/sharding/sharding.go

@@ -26,8 +26,8 @@ func InferShard() (int, error) {
 	return shard, nil
 }
 
-// getShardByID calculates cluster shard as `clusterSecret.UID % replicas count`
-func getShardByID(id string, replicas int) int {
+// GetShardByID calculates cluster shard as `clusterSecret.UID % replicas count`
+func GetShardByID(id string, replicas int) int {
 	if id == "" {
 		return 0
 	} else {
@@ -45,7 +45,7 @@ func GetClusterFilter(replicas int, shard int) func(c *v1alpha1.Cluster) bool {
 			if c.Shard != nil {
 				clusterShard = int(*c.Shard)
 			} else {
-				clusterShard = getShardByID(c.ID, replicas)
+				clusterShard = GetShardByID(c.ID, replicas)
 			}
 		}
 		return clusterShard == shard

controller/sharding/sharding_test.go

@@ -9,14 +9,14 @@ import (
 )
 
 func TestGetShardByID_NotEmptyID(t *testing.T) {
-	assert.Equal(t, 0, getShardByID("1", 2))
-	assert.Equal(t, 1, getShardByID("2", 2))
-	assert.Equal(t, 0, getShardByID("3", 2))
-	assert.Equal(t, 1, getShardByID("4", 2))
+	assert.Equal(t, 0, GetShardByID("1", 2))
+	assert.Equal(t, 1, GetShardByID("2", 2))
+	assert.Equal(t, 0, GetShardByID("3", 2))
+	assert.Equal(t, 1, GetShardByID("4", 2))
 }
 
 func TestGetShardByID_EmptyID(t *testing.T) {
-	shard := getShardByID("", 10)
+	shard := GetShardByID("", 10)
 	assert.Equal(t, 0, shard)
 }
 

controller/state.go

@@ -275,34 +275,29 @@ func verifyGnuPGSignature(revision string, project *appv1.AppProject, manifestIn
 	conditions := make([]appv1.ApplicationCondition, 0)
 	// We need to have some data in the verification result to parse, otherwise there was no signature
 	if manifestInfo.VerifyResult != "" {
-		verifyResult, err := gpg.ParseGitCommitVerification(manifestInfo.VerifyResult)
-		if err != nil {
-			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
-			log.Errorf("Error while verifying git commit for revision %s: %s", revision, err.Error())
-		} else {
-			switch verifyResult.Result {
-			case gpg.VerifyResultGood:
-				// This is the only case we allow to sync to, but we need to make sure signing key is allowed
-				validKey := false
-				for _, k := range project.Spec.SignatureKeys {
-					if gpg.KeyID(k.KeyID) == gpg.KeyID(verifyResult.KeyID) && gpg.KeyID(k.KeyID) != "" {
-						validKey = true
-						break
-					}
+		verifyResult := gpg.ParseGitCommitVerification(manifestInfo.VerifyResult)
+		switch verifyResult.Result {
+		case gpg.VerifyResultGood:
+			// This is the only case we allow to sync to, but we need to make sure signing key is allowed
+			validKey := false
+			for _, k := range project.Spec.SignatureKeys {
+				if gpg.KeyID(k.KeyID) == gpg.KeyID(verifyResult.KeyID) && gpg.KeyID(k.KeyID) != "" {
+					validKey = true
+					break
 				}
-				if !validKey {
-					msg := fmt.Sprintf("Found good signature made with %s key %s, but this key is not allowed in AppProject",
-						verifyResult.Cipher, verifyResult.KeyID)
-					conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now})
-				}
-			case gpg.VerifyResultInvalid:
-				msg := fmt.Sprintf("Found signature made with %s key %s, but verification result was invalid: '%s'",
-					verifyResult.Cipher, verifyResult.KeyID, verifyResult.Message)
-				conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now})
-			default:
-				msg := fmt.Sprintf("Could not verify commit signature on revision '%s', check logs for more information.", revision)
+			}
+			if !validKey {
+				msg := fmt.Sprintf("Found good signature made with %s key %s, but this key is not allowed in AppProject",
+					verifyResult.Cipher, verifyResult.KeyID)
 				conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now})
 			}
+		case gpg.VerifyResultInvalid:
+			msg := fmt.Sprintf("Found signature made with %s key %s, but verification result was invalid: '%s'",
+				verifyResult.Cipher, verifyResult.KeyID, verifyResult.Message)
+			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now})
+		default:
+			msg := fmt.Sprintf("Could not verify commit signature on revision '%s', check logs for more information.", revision)
+			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now})
 		}
 	} else {
 		msg := fmt.Sprintf("Target revision %s in Git is not signed, but a signature is required", revision)

controller/sync.go

@@ -136,6 +136,16 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		})
 	}
 
+	prunePropagationPolicy := v1.DeletePropagationForeground
+	switch {
+	case syncOp.SyncOptions.HasOption("PrunePropagationPolicy=background"):
+		prunePropagationPolicy = v1.DeletePropagationBackground
+	case syncOp.SyncOptions.HasOption("PrunePropagationPolicy=foreground"):
+		prunePropagationPolicy = v1.DeletePropagationForeground
+	case syncOp.SyncOptions.HasOption("PrunePropagationPolicy=orphan"):
+		prunePropagationPolicy = v1.DeletePropagationOrphan
+	}
+
 	syncCtx, err := sync.NewSyncContext(
 		compareResult.syncStatus.Revision,
 		compareResult.reconciliationResult,
@@ -159,7 +169,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		sync.WithResourcesFilter(func(key kube.ResourceKey, target *unstructured.Unstructured, live *unstructured.Unstructured) bool {
 			return len(syncOp.Resources) == 0 || argo.ContainsSyncResource(key.Name, key.Namespace, schema.GroupVersionKind{Kind: key.Kind, Group: key.Group}, syncOp.Resources)
 		}),
-		sync.WithManifestValidation(!syncOp.SyncOptions.HasOption("Validate=false")),
+		sync.WithManifestValidation(!syncOp.SyncOptions.HasOption(common.SyncOptionsDisableValidation)),
 		sync.WithNamespaceCreation(syncOp.SyncOptions.HasOption("CreateNamespace=true"), func(un *unstructured.Unstructured) bool {
 			if un != nil && kube.GetAppInstanceLabel(un, cdcommon.LabelKeyAppInstance) != "" {
 				kube.UnsetLabel(un, cdcommon.LabelKeyAppInstance)
@@ -168,8 +178,10 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 			return false
 		}),
 		sync.WithSyncWaveHook(delayBetweenSyncWaves),
-		sync.WithPruneLast(syncOp.SyncOptions.HasOption("PruneLast=true")),
+		sync.WithPruneLast(syncOp.SyncOptions.HasOption(common.SyncOptionPruneLast)),
 		sync.WithResourceModificationChecker(syncOp.SyncOptions.HasOption("ApplyOutOfSyncOnly=true"), compareResult.diffResultList),
+		sync.WithPrunePropagationPolicy(&prunePropagationPolicy),
+		sync.WithReplace(syncOp.SyncOptions.HasOption(common.SyncOptionReplace)),
 	)
 
 	if err != nil {

docs/assets/versions.css

@@ -1,4 +1,4 @@
-.md-header-nav__title {
+.md-header__title {
   display: flex;
 }
 

docs/assets/versions.js

@@ -3,7 +3,7 @@ setTimeout(function() {
   window[callbackName] = function (response) {
   const div = document.createElement('div');
   div.innerHTML = response.html;
-  document.querySelector(".md-header-nav > .md-header-nav__title").appendChild(div);
+  document.querySelector(".md-header__inner > .md-header__title").appendChild(div);
   const container = div.querySelector('.rst-versions');
   var caret = document.createElement('div');
   caret.innerHTML = "<i class='fa fa-caret-down dropdown-caret'></i>"

docs/developer-guide/contributing.md

@@ -239,6 +239,34 @@ If you touched UI code, you should also run the Yarn linter on it:
 * Run `make lint-ui`
 * Fix any of the errors reported by it
 
+## Contributing to Argo CD UI
+
+Argo CD, along with Argo Workflows, uses shared React components from [Argo UI](https://github.com/argoproj/argo-ui). Examples of some of these components include buttons, containers, form controls, 
+and others. Although you can make changes to these files and run them locally, in order to have these changes added to the Argo CD repo, you will need to follow these steps. 
+
+1. Fork and clone the [Argo UI repository](https://github.com/argoproj/argo-ui).
+
+2. `cd` into your `argo-ui` directory, and then run `yarn install`. 
+
+3. Make your file changes.
+
+4. Run `yarn start` to start a [storybook](https://storybook.js.org/) dev server and view the components in your browser. Make sure all your changes work as expected. 
+
+5. Use [yarn link](https://classic.yarnpkg.com/en/docs/cli/link/) to link Argo UI package to your Argo CD repository. (Commands below assume that `argo-ui` and `argo-cd` are both located within the same parent folder)
+
+    * `cd argo-ui`
+    * `yarn link`
+    * `cd ../argo-cd`
+    * `yarn link argo-ui`
+
+    Once `argo-ui` package has been successfully linked, test out changes in your local development environment. 
+
+6. Commit changes and open a PR to [Argo UI](https://github.com/argoproj/argo-ui). 
+
+7. Once your PR has been merged in Argo UI, `cd` into your `argo-cd` folder and run `yarn add https://github.com/argoproj/argo-ui.git`. This will update the commit SHA in the `ui/yarn.lock` file to use the lastest master commit for argo-ui. 
+
+8. Submit changes to `ui/yarn.lock`in a PR to Argo CD. 
+
 ## Setting up a local toolchain
 
 For development, you can either use the fully virtualized toolchain provided as Docker images, or you can set up the toolchain on your local development machine. Due to the dynamic nature of requirements, you might want to stay with the virtualized environment.

docs/developer-guide/dependencies.md

@@ -45,7 +45,7 @@ If you make changes to the Argo UI component, and your Argo CD changes depend on
 1. Make changes to Argo UI and submit the PR request.
 2. Also, prepare your Argo CD changes, but don't create the PR just yet.
 3. **After** the Argo UI PR has been merged to master, then as part of your Argo CD changes:
-	- Run `yarn add https://github.com/argoproj/argo-ui.git`, and then,
+	- Run `yarn add git+https://github.com/argoproj/argo-ui.git`, and then,
 	- Check in the regenerated yarn.lock file as part of your Argo CD commit
 4. Create the Argo CD PR	 when you are ready. The PR build and test checks should pass.
 

docs/developer-guide/test-e2e.md

@@ -25,10 +25,6 @@ The Makefile's `start-e2e` target starts instances of ArgoCD on your local machi
 
 If you have changed the port for `argocd-server`, be sure to also set `ARGOCD_SERVER` environment variable to point to that port, e.g. `export ARGOCD_SERVER=localhost:8888` before running `make test-e2e` so that the test will communicate to the correct server component.
 
-## CI Set-up
-
-The tests are executed by Argo Workflow defined at `.argo-ci/ci.yaml`. CI job The builds an Argo CD image, deploy argo cd components into throw-away kubernetes cluster provisioned
-using k3s and run e2e tests against it.
 
 ## Test Isolation
 

docs/faq.md

@@ -97,7 +97,7 @@ Use the following steps to reconstruct configured cluster config and connect to
 
 ```bash
 kubectl exec -it <argocd-pod-name> bash # ssh into any argocd server pod
-argocd-util kubeconfig https://<cluster-url> /tmp/config --namespace argocd # generate your cluster config
+argocd-util cluster kubeconfig https://<cluster-url> /tmp/config --namespace argocd # generate your cluster config
 KUBECONFIG=/tmp/config kubectl get pods # test connection manually
 ```
 
@@ -178,7 +178,7 @@ Most likely you forgot to set the `url` in `argocd-cm` to point to your ArgoCD a
 ## Why are resources of type `SealedSecret` stuck in the `Progressing` state?
 
 The controller of the `SealedSecret` resource may expose the status condition on resource it provisioned. Since
-version `v1.9.0` ArgoCD picks up that status condition to derive a health status for the `SealedSecret`.
+version `v2.0.0` ArgoCD picks up that status condition to derive a health status for the `SealedSecret`.
 
 Versions before `v0.15.0` of the `SealedSecret` controller are affected by an issue regarding this status
 conditions updates, which is why this feature is disabled by default in these versions. Status condition updates may be

docs/getting_started.md

@@ -92,7 +92,7 @@ argocd account update-password
 !!! note
     The initial password is set in a kubernetes secret, named `argocd-secret`, during ArgoCD's initial start up. This means if you edit
     the deployment in any way which causes a new pod to be deployed, such as disabling TLS on the Argo CD API server. Take note of the initial
-    pod name when you first install Argo CD, or reset the password by following [these instructions](../../faq/#i-forgot-the-admin-password-how-do-i-reset-it)
+    pod name when you first install Argo CD, or reset the password by following [these instructions](../faq/#i-forgot-the-admin-password-how-do-i-reset-it)
 
 > Argo CD v1.9 and later
 

docs/operator-manual/application.yaml

@@ -105,6 +105,8 @@ spec:
     syncOptions:     # Sync options which modifies sync behavior
     - Validate=false # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ).
     - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster.
+    - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan.
+    - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation
     # The retry feature is available since v1.7
     retry:
       limit: 5 # number of failed sync attempt retries; unlimited number of attempts if less than 0

docs/operator-manual/argocd-cm.yaml

@@ -30,7 +30,7 @@ data:
 
   # A dex connector configuration (optional). See SSO configuration documentation:
   # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/sso
-  # https://github.com/dexidp/dex/tree/master/Documentation/connectors
+  # https://dexidp.io/docs/connectors/
   dex.config: |
     connectors:
       # GitHub example

docs/operator-manual/high_availability.md

@@ -127,7 +127,7 @@ If the manifest generation has no side effects then requests are processed in pa
 ### Webhook and Manifest Paths Annotation
 
 Argo CD aggressively caches generated manifests and uses repository commit SHA as a cache key. A new commit to the Git repository invalidates cache for all applications configured in the repository
-that again negatively affect mono repositories with multiple applications. You might use [webhooks ⧉](https://github.com/argoproj/argo-cd/tree/master/docs/operator-manual/webhook) and `argocd.argoproj.io/manifest-generate-paths` Application
+that again negatively affect mono repositories with multiple applications. You might use [webhooks ⧉](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/webhook.md) and `argocd.argoproj.io/manifest-generate-paths` Application
 CRD annotation to solve this problem and improve performance.
 
 The `argocd.argoproj.io/manifest-generate-paths` contains a semicolon-separated list of paths within the Git repository that are used during manifest generation. The webhook compares paths specified in the annotation

docs/operator-manual/ingress.md

@@ -300,7 +300,7 @@ spec:
       containers:
       - name: argocd-server
         command:
-        - /argocd-server
+        - argocd-server
         - --staticassets
         - /shared/app
         - --repo-server

docs/operator-manual/rbac.md

@@ -84,27 +84,27 @@ The anonymous users get default role permissions specified by `policy.default` i
 ## Validating and testing your RBAC policies
 
 If you want to ensure that your RBAC policies are working as expected, you can
-use the `argocd-util rbac` command to validate them. This tool allows you to
+use the `argocd-util settings rbac` command to validate them. This tool allows you to
 test whether a certain role or subject can perform the requested action with a
 policy that's not live yet in the system, i.e. from a local file or config map.
 Additionally, it can be used against the live policy in the cluster your Argo
 CD is running in.
 
 To check whether your new policy is valid and understood by Argo CD's RBAC
-implementation, you can use the `argocd-util rbac validate` command.
+implementation, you can use the `argocd-util settings rbac validate` command.
 
 ### Validating a policy
 
 To validate a policy stored in a local text file:
 
 ```shell
-argocd-util rbac validate --policy-file somepolicy.csv
+argocd-util settings rbac validate --policy-file somepolicy.csv
 ```
 
 To validate a policy stored in a local K8s ConfigMap definition in a YAML file:
 
 ```shell
-argocd-util rbac validate --policy-file argocd-rbac-cm.yaml
+argocd-util settings rbac validate --policy-file argocd-rbac-cm.yaml
 ```
 
 To validate a policy stored in K8s, used by Argo CD in namespace `argocd`,
@@ -112,17 +112,17 @@ ensure that your current context in `~/.kube/config` is pointing to your
 Argo CD cluster and give appropriate namespace:
 
 ```shell
-argocd-util rbac validate --namespace argocd
+argocd-util settings rbac validate --namespace argocd
 ```
 
 ### Testing a policy
 
 To test whether a role or subject (group or local user) has sufficient
 permissions to execute certain actions on certain resources, you can
-use the `argocd-util rbac can` command. Its general syntax is
+use the `argocd-util settings rbac can` command. Its general syntax is
 
 ```shell
-argocd-util rbac can SOMEROLE ACTION RESOURCE SUBRESOURCE [flags]
+argocd-util settings rbac can SOMEROLE ACTION RESOURCE SUBRESOURCE [flags]
 ```
 
 Given the example from the above ConfigMap, which defines the role
@@ -130,13 +130,13 @@ Given the example from the above ConfigMap, which defines the role
 you can test whether that role can do something like follows:
 
 ```shell
-$ argocd-util rbac can role:org-admin get applications --policy-file argocd-rbac-cm.yaml
+$ argocd-util settings rbac can role:org-admin get applications --policy-file argocd-rbac-cm.yaml
 Yes
-$ argocd-util rbac can role:org-admin get clusters --policy-file argocd-rbac-cm.yaml
+$ argocd-util settings rbac can role:org-admin get clusters --policy-file argocd-rbac-cm.yaml
 Yes
-$ argocd-util rbac can role:org-admin create clusters 'somecluster' --policy-file argocd-rbac-cm.yaml
+$ argocd-util settings rbac can role:org-admin create clusters 'somecluster' --policy-file argocd-rbac-cm.yaml
 No
-$ argocd-util rbac can role:org-admin create applications 'someproj/someapp' --policy-file argocd-rbac-cm.yaml
+$ argocd-util settings rbac can role:org-admin create applications 'someproj/someapp' --policy-file argocd-rbac-cm.yaml
 Yes
 ```
 
@@ -148,19 +148,19 @@ You can test against the role:
 
 ```shell
 # Plain policy, without a default role defined
-$ argocd-util rbac can role:stagin-db-admins get applications --policy-file policy.csv
+$ argocd-util settings rbac can role:stagin-db-admins get applications --policy-file policy.csv
 No
-$ argocd-util rbac can role:staging-db-admins get applications 'staging-db-admins/*' --policy-file policy.csv
+$ argocd-util settings rbac can role:staging-db-admins get applications 'staging-db-admins/*' --policy-file policy.csv
 Yes
 # Argo CD augments a builtin policy with two roles defined, the default role
 # being 'role:readonly' - You can include a named default role to use:
-$ argocd-util rbac can role:stagin-db-admins get applications --policy-file policy.csv --default-role role:readonly
+$ argocd-util settings rbac can role:stagin-db-admins get applications --policy-file policy.csv --default-role role:readonly
 Yes
 ```
 
 Or against the group defined:
 
 ```shell
-$ argocd-util rbac can db-admins get applications 'staging-db-admins/*' --policy-file policy.csv
+$ argocd-util settings rbac can db-admins get applications 'staging-db-admins/*' --policy-file policy.csv
 Yes
 ```

docs/operator-manual/server-commands/argocd-application-controller.md

@@ -38,6 +38,8 @@ argocd-application-controller [flags]
       --redis string                          Redis server hostname and port (e.g. argocd-redis:6379). 
       --redisdb int                           Redis database.
       --repo-server string                    Repo server address. (default "argocd-repo-server:8081")
+      --repo-server-plaintext                 Disable TLS on connections to repo server
+      --repo-server-strict-tls                Whether to use strict validation of the TLS cert presented by the repo server
       --repo-server-timeout-seconds int       Repo server RPC call timeout seconds. (default 60)
       --request-timeout string                The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
       --self-heal-timeout-seconds int         Specifies timeout between application self heal attempts (default 5)

docs/operator-manual/server-commands/argocd-repo-server.md

@@ -14,6 +14,7 @@ argocd-repo-server [flags]
 
 ```
       --default-cache-expiration duration   Cache expiration default (default 24h0m0s)
+      --disable-tls                         Disable TLS on the gRPC endpoint
   -h, --help                                help for argocd-repo-server
       --logformat string                    Set the logging format. One of: text|json (default "text")
       --loglevel string                     Set the logging level. One of: debug|info|warn|error (default "info")

docs/operator-manual/server-commands/argocd-server.md

@@ -43,6 +43,8 @@ argocd-server [flags]
       --redis string                                  Redis server hostname and port (e.g. argocd-redis:6379). 
       --redisdb int                                   Redis database.
       --repo-server string                            Repo server address (default "argocd-repo-server:8081")
+      --repo-server-plaintext                         Use a plaintext client (non-TLS) to connect to repository server
+      --repo-server-strict-tls                        Perform strict validation of TLS certificates when connecting to repo server
       --repo-server-timeout-seconds int               Repo server RPC call timeout seconds. (default 60)
       --request-timeout string                        The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
       --rootpath string                               Used if Argo CD is running behind reverse proxy under subpath different from /

docs/operator-manual/server-commands/argocd-util.md

@@ -20,13 +20,12 @@ argocd-util [flags]
 
 ### SEE ALSO
 
-* [argocd-util apps](argocd-util_apps.md)	 - Utility commands operate on ArgoCD applications
-* [argocd-util config](argocd-util_config.md)	 - Generate declarative configuration files
+* [argocd-util app](argocd-util_app.md)	 - Manage applications configuration
+* [argocd-util cluster](argocd-util_cluster.md)	 - Manage clusters configuration
 * [argocd-util export](argocd-util_export.md)	 - Export all Argo CD data to stdout (default) or a file
 * [argocd-util import](argocd-util_import.md)	 - Import Argo CD data from stdin (specify `-') or a file
-* [argocd-util kubeconfig](argocd-util_kubeconfig.md)	 - Generates kubeconfig for the specified cluster
-* [argocd-util projects](argocd-util_projects.md)	 - Utility commands operate on ArgoCD Projects
-* [argocd-util rbac](argocd-util_rbac.md)	 - Validate and test RBAC configuration
+* [argocd-util proj](argocd-util_proj.md)	 - Manage projects configuration
+* [argocd-util repo](argocd-util_repo.md)	 - Manage repositories configuration
 * [argocd-util settings](argocd-util_settings.md)	 - Provides set of commands for settings validation and troubleshooting
 * [argocd-util version](argocd-util_version.md)	 - Print version information
 

docs/operator-manual/server-commands/argocd-util_app.md

@@ -0,0 +1,21 @@
+## argocd-util app
+
+Manage applications configuration
+
+```
+argocd-util app [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for app
+```
+
+### SEE ALSO
+
+* [argocd-util](argocd-util.md)	 - argocd-util tools used by Argo CD
+* [argocd-util app diff-reconcile-results](argocd-util_app_diff-reconcile-results.md)	 - Compare results of two reconciliations and print diff.
+* [argocd-util app generate-spec](argocd-util_app_generate-spec.md)	 - Generate declarative config for an application
+* [argocd-util app get-reconcile-results](argocd-util_app_get-reconcile-results.md)	 - Reconcile all applications and stores reconciliation summary in the specified file.
+

docs/operator-manual/server-commands/argocd-util_app_diff-reconcile-results.md

@@ -0,0 +1,18 @@
+## argocd-util app diff-reconcile-results
+
+Compare results of two reconciliations and print diff.
+
+```
+argocd-util app diff-reconcile-results PATH1 PATH2 [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for diff-reconcile-results
+```
+
+### SEE ALSO
+
+* [argocd-util app](argocd-util_app.md)	 - Manage applications configuration
+

docs/operator-manual/server-commands/argocd-util_app_generate-spec.md

@@ -0,0 +1,90 @@
+## argocd-util app generate-spec
+
+Generate declarative config for an application
+
+```
+argocd-util app generate-spec APPNAME [flags]
+```
+
+### Examples
+
+```
+
+	# Generate declarative config for a directory app
+	argocd-util app generate-spec guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --directory-recurse
+
+	# Generate declarative config for a Jsonnet app
+	argocd-util app generate-spec jsonnet-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path jsonnet-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --jsonnet-ext-str replicas=2
+
+	# Generate declarative config for a Helm app
+	argocd-util app generate-spec helm-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path helm-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --helm-set replicaCount=2
+
+	# Generate declarative config for a Helm app from a Helm repo
+	argocd-util app generate-spec nginx-ingress --repo https://kubernetes-charts.storage.googleapis.com --helm-chart nginx-ingress --revision 1.24.3 --dest-namespace default --dest-server https://kubernetes.default.svc
+
+	# Generate declarative config for a Kustomize app
+	argocd-util app generate-spec kustomize-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path kustomize-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --kustomize-image gcr.io/heptio-images/ks-guestbook-demo:0.1
+
+	# Generate declarative config for a app using a custom tool:
+	argocd-util app generate-spec ksane --repo https://github.com/argoproj/argocd-example-apps.git --path plugins/kasane --dest-namespace default --dest-server https://kubernetes.default.svc --config-management-plugin kasane
+
+```
+
+### Options
+
+```
+      --allow-empty                               Set allow zero live resources when sync is automated
+      --auto-prune                                Set automatic pruning when sync is automated
+      --config-management-plugin string           Config management plugin name
+      --dest-name string                          K8s cluster Name (e.g. minikube)
+      --dest-namespace string                     K8s target namespace (overrides the namespace specified in the ksonnet app.yaml)
+      --dest-server string                        K8s cluster URL (e.g. https://kubernetes.default.svc)
+      --directory-exclude string                  Set glob expression used to exclude files from application source path
+      --directory-include string                  Set glob expression used to include files from application source path
+      --directory-recurse                         Recurse directory
+      --env string                                Application environment to monitor
+  -f, --file string                               Filename or URL to Kubernetes manifests for the app
+      --helm-chart string                         Helm Chart name
+      --helm-set stringArray                      Helm set values on the command line (can be repeated to set several values: --helm-set key1=val1 --helm-set key2=val2)
+      --helm-set-file stringArray                 Helm set values from respective files specified via the command line (can be repeated to set several values: --helm-set-file key1=path1 --helm-set-file key2=path2)
+      --helm-set-string stringArray               Helm set STRING values on the command line (can be repeated to set several values: --helm-set-string key1=val1 --helm-set-string key2=val2)
+      --helm-version string                       Helm version
+  -h, --help                                      help for generate-spec
+      --jsonnet-ext-var-code stringArray          Jsonnet ext var
+      --jsonnet-ext-var-str stringArray           Jsonnet string ext var
+      --jsonnet-libs stringArray                  Additional jsonnet libs (prefixed by repoRoot)
+      --jsonnet-tla-code stringArray              Jsonnet top level code arguments
+      --jsonnet-tla-str stringArray               Jsonnet top level string arguments
+      --kustomize-common-annotation stringArray   Set common labels in Kustomize
+      --kustomize-common-label stringArray        Set common labels in Kustomize
+      --kustomize-image stringArray               Kustomize images (e.g. --kustomize-image node:8.15.0 --kustomize-image mysql=mariadb,alpine@sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d)
+      --kustomize-version string                  Kustomize version
+  -l, --label stringArray                         Labels to apply to the app
+      --name string                               A name for the app, ignored if a file is set (DEPRECATED)
+      --nameprefix string                         Kustomize nameprefix
+      --namesuffix string                         Kustomize namesuffix
+  -o, --output string                             Output format. One of: json|yaml (default "yaml")
+  -p, --parameter stringArray                     set a parameter override (e.g. -p guestbook=image=example/guestbook:latest)
+      --path string                               Path in repository to the app directory, ignored if a file is set
+      --plugin-env stringArray                    Additional plugin envs
+      --project string                            Application project name
+      --release-name string                       Helm release-name
+      --repo string                               Repository URL, ignored if a file is set
+      --retry-backoff-duration duration           Retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h) (default 5s)
+      --retry-backoff-factor int                  Factor multiplies the base duration after each failed retry (default 2)
+      --retry-backoff-max-duration duration       Max retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
+      --retry-limit int                           Max number of allowed sync retries
+      --revision string                           The tracking source branch, tag, commit or Helm chart version the application will sync to
+      --revision-history-limit int                How many items to keep in revision history (default 10)
+      --self-heal                                 Set self healing when sync is automated
+      --sync-option Prune=false                   Add or remove a sync option, e.g add Prune=false. Remove using `!` prefix, e.g. `!Prune=false`
+      --sync-policy string                        Set the sync policy (one of: none, automated (aliases of automated: auto, automatic))
+      --validate                                  Validation of repo and cluster (default true)
+      --values stringArray                        Helm values file(s) to use
+      --values-literal-file string                Filename or URL to import as a literal Helm values block
+```
+
+### SEE ALSO
+
+* [argocd-util app](argocd-util_app.md)	 - Manage applications configuration
+

docs/operator-manual/server-commands/argocd-util_app_get-reconcile-results.md

@@ -0,0 +1,39 @@
+## argocd-util app get-reconcile-results
+
+Reconcile all applications and stores reconciliation summary in the specified file.
+
+```
+argocd-util app get-reconcile-results PATH [flags]
+```
+
+### Options
+
+```
+      --as string                      Username to impersonate for the operation
+      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --client-certificate string      Path to a client certificate file for TLS
+      --client-key string              Path to a client key file for TLS
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+  -h, --help                           help for get-reconcile-results
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
+      --l string                       Label selector
+  -n, --namespace string               If present, the namespace scope for this CLI request
+      --o string                       Output format (yaml|json) (default "yaml")
+      --password string                Password for basic authentication to the API server
+      --refresh                        If set to true then recalculates apps reconciliation
+      --repo-server string             Repo server address.
+      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --server string                  The address and port of the Kubernetes API server
+      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                   Bearer token for authentication to the API server
+      --user string                    The name of the kubeconfig user to use
+      --username string                Username for basic authentication to the API server
+```
+
+### SEE ALSO
+
+* [argocd-util app](argocd-util_app.md)	 - Manage applications configuration
+

docs/operator-manual/server-commands/argocd-util_cluster.md

@@ -0,0 +1,21 @@
+## argocd-util cluster
+
+Manage clusters configuration
+
+```
+argocd-util cluster [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for cluster
+```
+
+### SEE ALSO
+
+* [argocd-util](argocd-util.md)	 - argocd-util tools used by Argo CD
+* [argocd-util cluster generate-spec](argocd-util_cluster_generate-spec.md)	 - Generate declarative config for a cluster
+* [argocd-util cluster kubeconfig](argocd-util_cluster_kubeconfig.md)	 - Generates kubeconfig for the specified cluster
+* [argocd-util cluster stats](argocd-util_cluster_stats.md)	 - Prints information cluster statistics and inferred shard number
+

docs/operator-manual/server-commands/argocd-util_cluster_generate-spec.md

@@ -0,0 +1,32 @@
+## argocd-util cluster generate-spec
+
+Generate declarative config for a cluster
+
+```
+argocd-util cluster generate-spec CONTEXT [flags]
+```
+
+### Options
+
+```
+      --aws-cluster-name string            AWS Cluster name if set then aws cli eks token command will be used to access cluster
+      --aws-role-arn string                Optional AWS role arn. If set then AWS IAM Authenticator assumes a role to perform cluster operations instead of the default AWS credential provider chain.
+      --bearer-token string                Authentication token that should be used to access K8S API server
+      --exec-command string                Command to run to provide client credentials to the cluster. You may need to build a custom ArgoCD image to ensure the command is available at runtime.
+      --exec-command-api-version string    Preferred input version of the ExecInfo for the --exec-command executable
+      --exec-command-args stringArray      Arguments to supply to the --exec-command executable
+      --exec-command-env stringToString    Environment vars to set when running the --exec-command executable (default [])
+      --exec-command-install-hint string   Text shown to the user when the --exec-command executable doesn't seem to be present
+  -h, --help                               help for generate-spec
+      --in-cluster                         Indicates Argo CD resides inside this cluster and should connect using the internal k8s hostname (kubernetes.default.svc)
+      --kubeconfig string                  use a particular kubeconfig file
+      --name string                        Overwrite the cluster name
+      --namespace stringArray              List of namespaces which are allowed to manage
+  -o, --output string                      Output format. One of: json|yaml (default "yaml")
+      --shard int                          Cluster shard number; inferred from hostname if not set (default -1)
+```
+
+### SEE ALSO
+
+* [argocd-util cluster](argocd-util_cluster.md)	 - Manage clusters configuration
+

docs/operator-manual/server-commands/argocd-util_cluster_kubeconfig.md

@@ -0,0 +1,35 @@
+## argocd-util cluster kubeconfig
+
+Generates kubeconfig for the specified cluster
+
+```
+argocd-util cluster kubeconfig CLUSTER_URL OUTPUT_PATH [flags]
+```
+
+### Options
+
+```
+      --as string                      Username to impersonate for the operation
+      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --client-certificate string      Path to a client certificate file for TLS
+      --client-key string              Path to a client key file for TLS
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+  -h, --help                           help for kubeconfig
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
+  -n, --namespace string               If present, the namespace scope for this CLI request
+      --password string                Password for basic authentication to the API server
+      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --server string                  The address and port of the Kubernetes API server
+      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                   Bearer token for authentication to the API server
+      --user string                    The name of the kubeconfig user to use
+      --username string                Username for basic authentication to the API server
+```
+
+### SEE ALSO
+
+* [argocd-util cluster](argocd-util_cluster.md)	 - Manage clusters configuration
+

docs/operator-manual/server-commands/argocd-util_cluster_stats.md

@@ -0,0 +1,44 @@
+## argocd-util cluster stats
+
+Prints information cluster statistics and inferred shard number
+
+```
+argocd-util cluster stats [flags]
+```
+
+### Options
+
+```
+      --app-state-cache-expiration duration   Cache expiration for app state (default 1h0m0s)
+      --as string                             Username to impersonate for the operation
+      --as-group stringArray                  Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --certificate-authority string          Path to a cert file for the certificate authority
+      --client-certificate string             Path to a client certificate file for TLS
+      --client-key string                     Path to a client key file for TLS
+      --cluster string                        The name of the kubeconfig cluster to use
+      --context string                        The name of the kubeconfig context to use
+      --default-cache-expiration duration     Cache expiration default (default 24h0m0s)
+  -h, --help                                  help for stats
+      --insecure-skip-tls-verify              If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string                     Path to a kube config. Only required if out-of-cluster
+  -n, --namespace string                      If present, the namespace scope for this CLI request
+      --password string                       Password for basic authentication to the API server
+      --port-forward-redis                    Automatically port-forward ha proxy redis from current namespace? (default true)
+      --redis string                          Redis server hostname and port (e.g. argocd-redis:6379). 
+      --redisdb int                           Redis database.
+      --replicas int                          Application controller replicas count. Inferred from number of running controller pods if not specified
+      --request-timeout string                The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --sentinel stringArray                  Redis sentinel hostname and port (e.g. argocd-redis-ha-announce-0:6379). 
+      --sentinelmaster string                 Redis sentinel master group name. (default "master")
+      --server string                         The address and port of the Kubernetes API server
+      --shard int                             Cluster shard filter (default -1)
+      --tls-server-name string                If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                          Bearer token for authentication to the API server
+      --user string                           The name of the kubeconfig user to use
+      --username string                       Username for basic authentication to the API server
+```
+
+### SEE ALSO
+
+* [argocd-util cluster](argocd-util_cluster.md)	 - Manage clusters configuration
+

docs/operator-manual/server-commands/argocd-util_config_app.md

@@ -43,7 +43,6 @@ argocd-util config app APPNAME [flags]
       --directory-include string                  Set glob expression used to include files from application source path
       --directory-recurse                         Recurse directory
       --env string                                Application environment to monitor
-  -f, --file string                               Filename or URL to Kubernetes manifests for the app
       --helm-chart string                         Helm Chart name
       --helm-set stringArray                      Helm set values on the command line (can be repeated to set several values: --helm-set key1=val1 --helm-set key2=val2)
       --helm-set-file stringArray                 Helm set values from respective files specified via the command line (can be repeated to set several values: --helm-set-file key1=path1 --helm-set-file key2=path2)
@@ -70,6 +69,10 @@ argocd-util config app APPNAME [flags]
       --project string                            Application project name
       --release-name string                       Helm release-name
       --repo string                               Repository URL, ignored if a file is set
+      --retry-backoff-duration duration           Retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h) (default 5s)
+      --retry-backoff-factor int                  Factor multiplies the base duration after each failed retry (default 2)
+      --retry-backoff-max-duration duration       Max retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
+      --retry-limit int                           Max number of allowed sync retries
       --revision string                           The tracking source branch, tag, commit or Helm chart version the application will sync to
       --revision-history-limit int                How many items to keep in revision history (default 10)
       --self-heal                                 Set self healing when sync is automated

docs/operator-manual/server-commands/argocd-util_config_proj.md

@@ -11,7 +11,6 @@ argocd-util config proj PROJECT [flags]
 ```
       --description string        Project description
   -d, --dest stringArray          Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)
-  -f, --file string               Filename or URL to Kubernetes manifests for the project
   -h, --help                      help for proj
       --orphaned-resources        Enables orphaned resources monitoring
       --orphaned-resources-warn   Specifies if applications should have a warning condition when orphaned resources detected

docs/operator-manual/server-commands/argocd-util_import.md

@@ -29,6 +29,7 @@ argocd-util import SOURCE [flags]
       --token string                   Bearer token for authentication to the API server
       --user string                    The name of the kubeconfig user to use
       --username string                Username for basic authentication to the API server
+      --verbose                        Verbose output (versus only changed output)
 ```
 
 ### SEE ALSO

docs/operator-manual/server-commands/argocd-util_proj.md

@@ -0,0 +1,21 @@
+## argocd-util proj
+
+Manage projects configuration
+
+```
+argocd-util proj [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for proj
+```
+
+### SEE ALSO
+
+* [argocd-util](argocd-util.md)	 - argocd-util tools used by Argo CD
+* [argocd-util proj generate-allow-list](argocd-util_proj_generate-allow-list.md)	 - Generates project allow list from the specified clusterRole file
+* [argocd-util proj generate-spec](argocd-util_proj_generate-spec.md)	 - Generate declarative config for a project
+* [argocd-util proj update-role-policy](argocd-util_proj_update-role-policy.md)	 - Implement bulk project role update. Useful to back-fill existing project policies or remove obsolete actions.
+

docs/operator-manual/server-commands/argocd-util_proj_generate-allow-list.md

@@ -0,0 +1,36 @@
+## argocd-util proj generate-allow-list
+
+Generates project allow list from the specified clusterRole file
+
+```
+argocd-util proj generate-allow-list CLUSTERROLE_PATH PROJ_NAME [flags]
+```
+
+### Options
+
+```
+      --as string                      Username to impersonate for the operation
+      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --client-certificate string      Path to a client certificate file for TLS
+      --client-key string              Path to a client key file for TLS
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+  -h, --help                           help for generate-allow-list
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
+  -n, --namespace string               If present, the namespace scope for this CLI request
+  -o, --out string                     Output to the specified file instead of stdout (default "-")
+      --password string                Password for basic authentication to the API server
+      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --server string                  The address and port of the Kubernetes API server
+      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                   Bearer token for authentication to the API server
+      --user string                    The name of the kubeconfig user to use
+      --username string                Username for basic authentication to the API server
+```
+
+### SEE ALSO
+
+* [argocd-util proj](argocd-util_proj.md)	 - Manage projects configuration
+

docs/operator-manual/server-commands/argocd-util_proj_generate-spec.md

@@ -0,0 +1,30 @@
+## argocd-util proj generate-spec
+
+Generate declarative config for a project
+
+```
+argocd-util proj generate-spec PROJECT [flags]
+```
+
+### Options
+
+```
+      --allow-cluster-resource stringArray      List of allowed cluster level resources
+      --allow-namespaced-resource stringArray   List of allowed namespaced resources
+      --deny-cluster-resource stringArray       List of denied cluster level resources
+      --deny-namespaced-resource stringArray    List of denied namespaced resources
+      --description string                      Project description
+  -d, --dest stringArray                        Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)
+  -f, --file string                             Filename or URL to Kubernetes manifests for the project
+  -h, --help                                    help for generate-spec
+      --orphaned-resources                      Enables orphaned resources monitoring
+      --orphaned-resources-warn                 Specifies if applications should have a warning condition when orphaned resources detected
+  -o, --output string                           Output format. One of: json|yaml (default "yaml")
+      --signature-keys strings                  GnuPG public key IDs for commit signature verification
+  -s, --src stringArray                         Permitted source repository URL
+```
+
+### SEE ALSO
+
+* [argocd-util proj](argocd-util_proj.md)	 - Manage projects configuration
+

docs/operator-manual/server-commands/argocd-util_proj_update-role-policy.md

@@ -0,0 +1,51 @@
+## argocd-util proj update-role-policy
+
+Implement bulk project role update. Useful to back-fill existing project policies or remove obsolete actions.
+
+```
+argocd-util proj update-role-policy PROJECT_GLOB MODIFICATION ACTION [flags]
+```
+
+### Examples
+
+```
+  # Add policy that allows executing any action (action/*) to roles which name matches to *deployer* in all projects  
+  argocd-util projects update-role-policy '*' set 'action/*' --role '*deployer*' --resource applications --scope '*' --permission allow
+
+  # Remove policy that which manages running (action/*) from all roles which name matches *deployer* in all projects
+  argocd-util projects update-role-policy '*' remove override --role '*deployer*'
+
+```
+
+### Options
+
+```
+      --as string                      Username to impersonate for the operation
+      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --client-certificate string      Path to a client certificate file for TLS
+      --client-key string              Path to a client key file for TLS
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+      --dry-run                        Dry run (default true)
+  -h, --help                           help for update-role-policy
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
+  -n, --namespace string               If present, the namespace scope for this CLI request
+      --password string                Password for basic authentication to the API server
+      --permission string              Action permission
+      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --resource string                Resource e.g. 'applications'
+      --role string                    Role name pattern e.g. '*deployer*' (default "*")
+      --scope string                   Resource scope e.g. '*'
+      --server string                  The address and port of the Kubernetes API server
+      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                   Bearer token for authentication to the API server
+      --user string                    The name of the kubeconfig user to use
+      --username string                Username for basic authentication to the API server
+```
+
+### SEE ALSO
+
+* [argocd-util proj](argocd-util_proj.md)	 - Manage projects configuration
+

docs/operator-manual/server-commands/argocd-util_repo.md

@@ -0,0 +1,19 @@
+## argocd-util repo
+
+Manage repositories configuration
+
+```
+argocd-util repo [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for repo
+```
+
+### SEE ALSO
+
+* [argocd-util](argocd-util.md)	 - argocd-util tools used by Argo CD
+* [argocd-util repo generate-spec](argocd-util_repo_generate-spec.md)	 - Generate declarative config for a repo
+

docs/operator-manual/server-commands/argocd-util_repo_generate-spec.md

@@ -0,0 +1,61 @@
+## argocd-util repo generate-spec
+
+Generate declarative config for a repo
+
+```
+argocd-util repo generate-spec REPOURL [flags]
+```
+
+### Examples
+
+```
+  
+  # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
+  argocd-util repo generate-spec git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
+
+  # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
+  argocd-util repo generate-spec ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
+
+  # Add a private Git repository via HTTPS using username/password and TLS client certificates:
+  argocd-util repo generate-spec https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
+
+  # Add a private Git repository via HTTPS using username/password without verifying the server's TLS certificate
+  argocd-util repo generate-spec https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
+
+  # Add a public Helm repository named 'stable' via HTTPS
+  argocd-util repo generate-spec https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
+
+  # Add a private Helm repository named 'stable' via HTTPS
+  argocd-util repo generate-spec https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
+
+  # Add a private Helm OCI-based repository named 'stable' via HTTPS
+  argocd-util repo generate-spec helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
+
+```
+
+### Options
+
+```
+      --enable-lfs                              enable git-lfs (Large File Support) on this repository
+      --enable-oci                              enable helm-oci (Helm OCI-Based Repository)
+      --github-app-enterprise-base-url string   base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3
+      --github-app-id int                       id of the GitHub Application
+      --github-app-installation-id int          installation id of the GitHub Application
+      --github-app-private-key-path string      private key of the GitHub Application
+  -h, --help                                    help for generate-spec
+      --insecure-ignore-host-key                disables SSH strict host key checking (deprecated, use --insecure-skip-server-verification instead)
+      --insecure-skip-server-verification       disables server certificate and host key checks
+      --name string                             name of the repository, mandatory for repositories of type helm
+  -o, --output string                           Output format. One of: json|yaml (default "yaml")
+      --password string                         password to the repository
+      --ssh-private-key-path string             path to the private ssh key (e.g. ~/.ssh/id_rsa)
+      --tls-client-cert-key-path string         path to the TLS client cert's key path (must be PEM format)
+      --tls-client-cert-path string             path to the TLS client cert (must be PEM format)
+      --type string                             type of the repository, "git" or "helm" (default "git")
+      --username string                         username to the repository
+```
+
+### SEE ALSO
+
+* [argocd-util repo](argocd-util_repo.md)	 - Manage repositories configuration
+

docs/operator-manual/server-commands/argocd-util_settings.md

@@ -35,6 +35,7 @@ argocd-util settings [flags]
 ### SEE ALSO
 
 * [argocd-util](argocd-util.md)	 - argocd-util tools used by Argo CD
+* [argocd-util settings rbac](argocd-util_settings_rbac.md)	 - Validate and test RBAC configuration
 * [argocd-util settings resource-overrides](argocd-util_settings_resource-overrides.md)	 - Troubleshoot resource overrides
 * [argocd-util settings validate](argocd-util_settings_validate.md)	 - Validate settings
 

docs/operator-manual/server-commands/argocd-util_settings_rbac.md

@@ -0,0 +1,45 @@
+## argocd-util settings rbac
+
+Validate and test RBAC configuration
+
+```
+argocd-util settings rbac [flags]
+```
+
+### Options
+
+```
+  -h, --help   help for rbac
+```
+
+### Options inherited from parent commands
+
+```
+      --argocd-cm-path string          Path to local argocd-cm.yaml file
+      --argocd-secret-path string      Path to local argocd-secret.yaml file
+      --as string                      Username to impersonate for the operation
+      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --client-certificate string      Path to a client certificate file for TLS
+      --client-key string              Path to a client key file for TLS
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
+      --load-cluster-settings          Indicates that config map and secret should be loaded from cluster unless local file path is provided
+  -n, --namespace string               If present, the namespace scope for this CLI request
+      --password string                Password for basic authentication to the API server
+      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --server string                  The address and port of the Kubernetes API server
+      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                   Bearer token for authentication to the API server
+      --user string                    The name of the kubeconfig user to use
+      --username string                Username for basic authentication to the API server
+```
+
+### SEE ALSO
+
+* [argocd-util settings](argocd-util_settings.md)	 - Provides set of commands for settings validation and troubleshooting
+* [argocd-util settings rbac can](argocd-util_settings_rbac_can.md)	 - Check RBAC permissions for a role or subject
+* [argocd-util settings rbac validate](argocd-util_settings_rbac_validate.md)	 - Validate RBAC policy
+

docs/operator-manual/server-commands/argocd-util_settings_rbac_can.md

@@ -0,0 +1,78 @@
+## argocd-util settings rbac can
+
+Check RBAC permissions for a role or subject
+
+### Synopsis
+
+
+Check whether a given role or subject has appropriate RBAC permissions to do
+something.
+
+
+```
+argocd-util settings rbac can ROLE/SUBJECT ACTION RESOURCE [SUB-RESOURCE] [flags]
+```
+
+### Examples
+
+```
+
+# Check whether role some:role has permissions to create an application in the
+# 'default' project, using a local policy.csv file
+argocd-util rbac can some:role create application 'default/app' --policy-file policy.csv
+
+# Policy file can also be K8s config map with data keys like argocd-rbac-cm,
+# i.e. 'policy.csv' and (optionally) 'policy.default'
+argocd-util rbac can some:role create application 'default/app' --policy-file argocd-rbac-cm.yaml
+
+# If --policy-file is not given, the ConfigMap 'argocd-rbac-cm' from K8s is
+# used. You need to specify the argocd namespace, and make sure that your
+# current Kubernetes context is pointing to the cluster Argo CD is running in
+argocd-util rbac can some:role create application 'default/app' --namespace argocd
+
+# You can override a possibly configured default role
+argocd-util rbac can someuser create application 'default/app' --default-role role:readonly
+
+
+```
+
+### Options
+
+```
+      --default-role string   name of the default role to use
+  -h, --help                  help for can
+      --policy-file string    path to the policy file to use
+  -q, --quiet                 quiet mode - do not print results to stdout
+      --strict                whether to perform strict check on action and resource names (default true)
+      --use-builtin-policy    whether to also use builtin-policy (default true)
+```
+
+### Options inherited from parent commands
+
+```
+      --argocd-cm-path string          Path to local argocd-cm.yaml file
+      --argocd-secret-path string      Path to local argocd-secret.yaml file
+      --as string                      Username to impersonate for the operation
+      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --client-certificate string      Path to a client certificate file for TLS
+      --client-key string              Path to a client key file for TLS
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
+      --load-cluster-settings          Indicates that config map and secret should be loaded from cluster unless local file path is provided
+  -n, --namespace string               If present, the namespace scope for this CLI request
+      --password string                Password for basic authentication to the API server
+      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --server string                  The address and port of the Kubernetes API server
+      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                   Bearer token for authentication to the API server
+      --user string                    The name of the kubeconfig user to use
+      --username string                Username for basic authentication to the API server
+```
+
+### SEE ALSO
+
+* [argocd-util settings rbac](argocd-util_settings_rbac.md)	 - Validate and test RBAC configuration
+

docs/operator-manual/server-commands/argocd-util_settings_rbac_validate.md

@@ -0,0 +1,51 @@
+## argocd-util settings rbac validate
+
+Validate RBAC policy
+
+### Synopsis
+
+
+Validates an RBAC policy for being syntactically correct. The policy must be
+a local file, and in either CSV or K8s ConfigMap format.
+
+
+```
+argocd-util settings rbac validate --policy-file=POLICYFILE [flags]
+```
+
+### Options
+
+```
+  -h, --help                 help for validate
+      --policy-file string   path to the policy file to use
+```
+
+### Options inherited from parent commands
+
+```
+      --argocd-cm-path string          Path to local argocd-cm.yaml file
+      --argocd-secret-path string      Path to local argocd-secret.yaml file
+      --as string                      Username to impersonate for the operation
+      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --client-certificate string      Path to a client certificate file for TLS
+      --client-key string              Path to a client key file for TLS
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
+      --load-cluster-settings          Indicates that config map and secret should be loaded from cluster unless local file path is provided
+  -n, --namespace string               If present, the namespace scope for this CLI request
+      --password string                Password for basic authentication to the API server
+      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --server string                  The address and port of the Kubernetes API server
+      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                   Bearer token for authentication to the API server
+      --user string                    The name of the kubeconfig user to use
+      --username string                Username for basic authentication to the API server
+```
+
+### SEE ALSO
+
+* [argocd-util settings rbac](argocd-util_settings_rbac.md)	 - Validate and test RBAC configuration
+

docs/operator-manual/troubleshooting.md

@@ -8,7 +8,7 @@ connectivity issues.
 Argo CD provides multiple ways to customize system behavior and has a lot of settings. It might be dangerous to modify
 settings on Argo CD used in production by multiple users. Before applying settings you can use `argocd-util` binary to
 make sure that settings are valid and Argo CD is working as expected. The `argocd-util` binary is available in `argocd`
-image and might be used using docker. 
+image and might be used using docker.
 You can download the latest `argocd-util` binary from [the latest release page of this repository](https://github.com/argoproj/argo-cd/releases/latest), which will include the `argocd-util` CLI.
 Example:
 
@@ -21,7 +21,7 @@ If you are using Linux you can extract `argocd-util` binary from docker image:
 
 ```bash
 docker run --rm -it -w /src -v $(pwd):/src argocd cp /usr/local/bin/argocd-util ./argocd-util
-``` 
+```
 
 The `argocd-util settings validate` command performs basic settings validation and print short summary
 of each settings group.
@@ -38,10 +38,11 @@ docker run --rm -it -w /src -v $(pwd):/src argoproj/argocd:<version> \
   argocd-util settings resource-overrides ignore-differences ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml
 ```
 
-* Health Assessment
+**Health Assessment**
 
-[Health assessment](../user-guide/diffing.md) allows excluding some resource fields from diffing process.
-The diffing customizations are configured in `resource.customizations` field of `argocd-cm` ConfigMap. 
+Argo CD provides built-in [health assessment](./health.md) for several kubernetes resources which can be further
+customized by writing your own health checks in [Lua](https://www.lua.org/).
+The health checks are configured in the `resource.customizations` field of `argocd-cm` ConfigMap.
 
 The following `argocd-util` command assess resource health using Lua script configured in the specified ConfigMap.
 
@@ -50,7 +51,7 @@ docker run --rm -it -w /src -v $(pwd):/src argoproj/argocd:<version> \
   argocd-util settings resource-overrides health ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml
 ```
 
-* Resource Actions
+**Resource Actions**
 
 Resource actions allows configuring named Lua script which performs resource modification.
 
@@ -59,19 +60,19 @@ applied modifications.
 
 ```bash
 docker run --rm -it -w /src -v $(pwd):/src argoproj/argocd:<version> \
-  argocd-util settings resource-overrides run-action /tmp/deploy.yaml restart --argocd-cm-path /private/tmp/argocd-cm.yaml 
+  argocd-util settings resource-overrides run-action /tmp/deploy.yaml restart --argocd-cm-path /private/tmp/argocd-cm.yaml
 ```
 
 The following `argocd-util` command lists actions available for a given resource using Lua script configured in the specified ConfigMap.
 
 ```bash
 docker run --rm -it -w /src -v $(pwd):/src argoproj/argocd:<version> \
-  argocd-util settings resource-overrides list-actions /tmp/deploy.yaml --argocd-cm-path /private/tmp/argocd-cm.yaml 
+  argocd-util settings resource-overrides list-actions /tmp/deploy.yaml --argocd-cm-path /private/tmp/argocd-cm.yaml
 ```
 
 ## Cluster credentials
 
-The `argocd-util kubeconfig` is useful if you manually created Secret with cluster credentials and trying need to
+The `argocd-util cluster kubeconfig` is useful if you manually created Secret with cluster credentials and trying need to
 troubleshoot connectivity issues. In this case, it is suggested to use the following steps:
 
 1 SSH into [argocd-application-controller] pod.
@@ -81,10 +82,10 @@ kubectl exec -n argocd -it \
   $(kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-application-controller -o jsonpath='{.items[0].metadata.name}') bash
 ```
 
-2 Use `argocd-util kubeconfig` command to export kubeconfig file from the configured Secret: 
+2 Use `argocd-util cluster kubeconfig` command to export kubeconfig file from the configured Secret:
 
 ```
-argocd-util kubeconfig https://<api-server-url> /tmp/kubeconfig --namespace argocd
+argocd-util cluster kubeconfig https://<api-server-url> /tmp/kubeconfig --namespace argocd
 ```
 
 3 Use `kubectl` to get more details about connection issues, fix them and apply changes back to secret:
@@ -92,4 +93,4 @@ argocd-util kubeconfig https://<api-server-url> /tmp/kubeconfig --namespace argo
 ```
 export KUBECONFIG=/tmp/kubeconfig
 kubectl get pods -v 9
-``` 
+```

docs/operator-manual/upgrading/1.8-1.9.md

@@ -1,74 +0,0 @@
-# v1.8 to 1.9
-
-## Environment variables expansion
-
-Argo CD supports using [environment variables](../../../user-guide/build-environment/) in
-config management tools parameters. The expansion logic has been improved and now expands missing environment variables
-into an empty string.
-
-## Docker image migrated to use Ubuntu as base
-
-The official Docker image has been migrated to use `ubuntu:20.10` instead of
-`debian:10-slim` as base image. While this should not affect user experience,
-you might be affected if you use custom-built images and/or include third party
-tools in custom-built images.
-
-Please make sure that your custom tools are still working with the update to
-v1.9 before deploying it onto production.
-
-## Container registry switched to quay.io and sundown of Docker Hub repository
-
-Due to Docker Hub's new rate-limiting and retention policies, the Argo project
-has decided to switch to the
-[quay.io](https://quay.io)
-registry as a new home for all images published by its sub-projects.
-
-As of Argo CD version 1.9, the installation manifests are configured to pull the
-container images from `quay.io` and we announce the **sundown** of the existing
-Docker Hub repositories. For the 1.9 release this means, we will still push to
-both registries, but we will stop pushing images to Docker Hub once Argo CD 1.10
-has been released.
-
-Please make sure that your clusters can pull from the `quay.io` registry.
-If you aren't able to do so timely, you can change the container image slugs in
-the installation manually to Docker Hub as a workaround to install Argo CD 1.9.
-This workaround will not be possible anymore with 1.10, however.
-
-## Dex tool migrated from argocd-util to argocd-dex
-
-The dex commands `rundex` and `gendexcfg` have been migrated from `argocd-util` to `argocd-dex`.
-It means that you need to update `argocd-dex-server` deployment's commands to install `argocd-dex` 
-binary instead of `argocd-util` in init container and run dex command from `argocd-dex` instead of `argocd-util`:
-
-```bash
-initContainers:
-- command:
-  - cp
-  - -n
-  - /usr/local/bin/argocd
-  - /shared/argocd-dex
-```
-
-```bash
-containers:
-- command:
-  - /shared/argocd-dex
-  - rundex
-```
-Note that starting from v1.9 argocd binary behaviour has changed. 
-It will have all argocd binaries such `argocd-dex`, `argocd-server`, `argocd-repo-server`, 
-`argocd-application-controller`, `argocd-util`, `argocd` baked inside. 
-The binary will change behaviour based on its name. 
-
-## Updated retry params type from String to Duration for app sync
-
-App Sync command exposes certain retry options, which allows the users to parameterize the sync retries. 
-Two of those params, `retry-backoff-duration` and `retry-backoff-max-duration` were declared as type `string` rather than `duration`. 
-This allowed users to provide the values to these flags without time unit (seconds, minutes, hours ...) or any random string as well, 
-but since we have migrated from `string` to `duration`, it is now mandatory for users to provide a unit (valid duration).
-
-```bash
-EXAMPLE: 
-argocd app sync <app-name> --retry-backoff-duration=10 -> invalid
-argocd app sync <app-name> --retry-backoff-duration=10s -> valid
-```

docs/operator-manual/upgrading/1.8-2.0.md

@@ -0,0 +1,138 @@
+# v1.8 to v2.0
+
+## Redis Upgraded to v6.2.1
+
+The bundled Redis version has been upgraded to v6.2.1.
+
+The Redis itself should be able to upgrade with no downtime, as well as Argo CD does not use it as a persistent store.
+However, if you are running Argo CD in production with multiple users it is recommended to upgrade during off-peak
+hours to avoid user-visible failures.
+
+## Environment variables expansion
+
+Argo CD supports using [environment variables](../../../user-guide/build-environment/) in
+config management tools parameters. The expansion logic has been improved and now expands missing environment variables
+into an empty string.
+
+## Docker image migrated to use Ubuntu as base
+
+The official Docker image has been migrated to use `ubuntu:20.10` instead of
+`debian:10-slim` as base image. While this should not affect user experience,
+you might be affected if you use custom-built images and/or include third party
+tools in custom-built images.
+
+Please make sure that your custom tools are still working with the update to
+v2.0 before deploying it onto production.
+
+## Container registry switched to quay.io and sundown of Docker Hub repository
+
+Due to Docker Hub's new rate-limiting and retention policies, the Argo project
+has decided to switch to the
+[quay.io](https://quay.io)
+registry as a new home for all images published by its sub-projects.
+
+As of Argo CD version 2.0, the installation manifests are configured to pull the
+container images from `quay.io` and we announce the **sundown** of the existing
+Docker Hub repositories. For the 2.0 release this means, we will still push to
+both registries, but we will stop pushing images to Docker Hub once Argo CD 2.1
+has been released.
+
+Please make sure that your clusters can pull from the `quay.io` registry.
+If you aren't able to do so timely, you can change the container image slugs in
+the installation manually to Docker Hub as a workaround to install Argo CD 2.0.
+This workaround will not be possible anymore with 2.1, however.
+
+## Dex tool migrated from argocd-util to argocd-dex
+
+The dex commands `rundex` and `gendexcfg` have been migrated from `argocd-util` to `argocd-dex`.
+It means that you need to update `argocd-dex-server` deployment's commands to install `argocd-dex` 
+binary instead of `argocd-util` in init container and run dex command from `argocd-dex` instead of `argocd-util`:
+
+```bash
+initContainers:
+- command:
+  - cp
+  - -n
+  - /usr/local/bin/argocd
+  - /shared/argocd-dex
+```
+
+```bash
+containers:
+- command:
+  - /shared/argocd-dex
+  - rundex
+```
+Note that starting from v2.0 argocd binary behaviour has changed. 
+It will have all argocd binaries such `argocd-dex`, `argocd-server`, `argocd-repo-server`, 
+`argocd-application-controller`, `argocd-util`, `argocd` baked inside. 
+The binary will change behaviour based on its name. 
+
+## Updated retry params type from String to Duration for app sync
+
+App Sync command exposes certain retry options, which allows the users to parameterize the sync retries. 
+Two of those params, `retry-backoff-duration` and `retry-backoff-max-duration` were declared as type `string` rather than `duration`. 
+This allowed users to provide the values to these flags without time unit (seconds, minutes, hours ...) or any random string as well, 
+but since we have migrated from `string` to `duration`, it is now mandatory for users to provide a unit (valid duration).
+
+```bash
+EXAMPLE: 
+argocd app sync <app-name> --retry-backoff-duration=10 -> invalid
+argocd app sync <app-name> --retry-backoff-duration=10s -> valid
+```
+
+## Switch to Golang 1.16
+
+The official Argo CD binaries are now being build using Go 1.16, making a jump
+from the previous 1.14.x. Users should note that Go 1.15 introduced deprecation
+of validating server names against the `CommonName` property of a certificate
+when performing TLS connections.
+
+If you have repository servers with an incompatible certificate, connections to
+those servers might break. You will have to issue correct certificates to 
+unbreak such a situation.
+
+## Migration of CRDs from apiextensions/v1beta1 to apiextensions/v1
+
+Our CRDs (`Application` and `AppProject`) have been moved from the
+deprecated `apiextensions/v1beta1` to the `apiextensions/v1` API group.
+
+This does **not** affect the version of the CRDs themselves.
+
+We do not expect that changes to existing CRs for `Application` and `AppProject`
+are required from users, or that this change requires otherwise actions and this
+note is just included for completeness.
+
+## Helm v3 is now the default when rendering Charts
+
+With this release, we made Helm v3 being the default version for rendering any
+Helm charts through Argo CD. We also disabled the Helm version auto-detection
+depending on the `apiVersion` field of the `Chart.yaml`, so the charts will
+be rendered using Helm v3 regardless of what's in the Chart's `apiVersion`
+field.
+
+This can result in minor out-of-sync conditions on your Applications that were
+previously rendered using Helm v2 (e.g. a change in one of the annotations that
+Helm adds). You can fix this by syncing the Application.
+
+If you have existing Charts that require to be rendered using Helm v2, you will
+need to explicitly configure your Application to use Helm v2 for rendering the
+chart, as described 
+[here](../../user-guide/helm.md#helm-version)
+
+Please also note that Helm v2 is now being considered deprecated in Argo CD, as
+it will not receive any updates from the upstream Helm project anymore. We will
+still ship the Helm v2 binary for the next two releases, but it will be subject
+to removal after that grace period.
+
+Users are encouraged to upgrade any Charts that still require Helm v2 to be
+compatible with Helm v3.
+
+## Kustomize version updated to v3.9.4
+
+Argo CD now ships with Kustomize v3.9.4 by default. Please make sure that your
+manifests will render correctly with this Kustomize version.
+
+If you need backwards compatibility to a previous version of Kustomize, please
+consider setting up a custom Kustomize version and configure your Applications
+to be rendered using that specific version.

docs/user-guide/application-set.md

@@ -0,0 +1,45 @@
+### Automating the generation of Argo CD Applications with the ApplicationSet Controller
+
+The [ApplicationSet controller](https://github.com/argoproj-labs/applicationset) is a sub-project of Argo CD which adds Application automation, and seeks to improve multi-cluster support and cluster multitenant support within Argo CD. Argo CD Applications may be templated from multiple different sources, including from Git or Argo CD's own defined cluster list. 
+
+The set of tools provided by the ApplicationSet controller may also be used to allow developers (without access to the Argo CD namespace) to independently create Applications without cluster-administrator intervention.
+
+The ApplicationSet controller is installed alongside Argo CD (within the same namespace), and the controller automatically generates Argo CD Applications based on the contents of a new `ApplicationSet` Custom Resource (CR).
+
+Here is an example of an `ApplicationSet` resource that can be used to target an Argo CD Application to multiple clusters:
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - list:
+      items:
+      - cluster: engineering-dev
+        url: https://1.2.3.4
+      - cluster: engineering-prod
+        url: https://2.4.6.8
+      - cluster: finance-preprod
+        url: https://9.8.7.6
+  template:
+    metadata:
+      name: '{{cluster}}-guestbook'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj-labs/applicationset.git
+        targetRevision: HEAD
+        path: examples/list-generator/guestbook/{{cluster}}
+      destination:
+        server: '{{url}}'
+        namespace: guestbook
+```
+
+The List generator passes the `url` and `cluster` fields into the template as `{{param}}`-style parameters, which are then rendered into three corresponding Argo CD Applications (one for each defined cluster). Targeting new clusters (or removing existing clusters) is simply a matter of altering the `ApplicationSet` resource, and the corresponding Argo CD Applications will be automatically created.
+
+Likewise, changes made to the ApplicationSet `template` fields will automatically be applied to every generated Application. Managing a set of multiple Argo CD Applications is thus as easy as managing a single `ApplicationSet` resource.
+
+Within ApplicationSet there exist other more powerful generators in addition to the List generator, including the Cluster generator (which automatically uses Argo CD-defined clusters to template Applications), and the Git generator (which uses the files/directories of a Git repository to template applications).
+
+To learn more about the ApplicationSet controller, check out [ApplicationSet documentation](https://argocd-applicationset.readthedocs.io/en/stable/) and [Getting Started](https://argocd-applicationset.readthedocs.io/en/stable/Geting-Started/) to install the ApplicationSet controller alongside Argo CD.

docs/user-guide/commands/argocd_app_create.md

@@ -69,6 +69,10 @@ argocd app create APPNAME [flags]
       --project string                            Application project name
       --release-name string                       Helm release-name
       --repo string                               Repository URL, ignored if a file is set
+      --retry-backoff-duration duration           Retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h) (default 5s)
+      --retry-backoff-factor int                  Factor multiplies the base duration after each failed retry (default 2)
+      --retry-backoff-max-duration duration       Max retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
+      --retry-limit int                           Max number of allowed sync retries
       --revision string                           The tracking source branch, tag, commit or Helm chart version the application will sync to
       --revision-history-limit int                How many items to keep in revision history (default 10)
       --self-heal                                 Set self healing when sync is automated

docs/user-guide/commands/argocd_app_delete.md

@@ -9,9 +9,10 @@ argocd app delete APPNAME [flags]
 ### Options
 
 ```
-      --cascade   Perform a cascaded deletion of all application resources (default true)
-  -h, --help      help for delete
-  -y, --yes       Turn off prompting to confirm cascaded deletion of application resources
+      --cascade                     Perform a cascaded deletion of all application resources (default true)
+  -h, --help                        help for delete
+  -p, --propagation-policy string   Specify propagation policy for deletion of application's resources. One of: foreground|background (default "foreground")
+  -y, --yes                         Turn off prompting to confirm cascaded deletion of application resources
 ```
 
 ### Options inherited from parent commands

docs/user-guide/commands/argocd_app_list.md

@@ -22,6 +22,7 @@ argocd app list [flags]
   -h, --help                  help for list
   -o, --output string         Output format. One of: wide|name|json|yaml (default "wide")
   -p, --project stringArray   Filter by project name
+  -r, --repo string           List apps by source repo URL
   -l, --selector string       List apps by label
 ```
 

docs/user-guide/commands/argocd_app_set.md

@@ -42,6 +42,10 @@ argocd app set APPNAME [flags]
       --project string                            Application project name
       --release-name string                       Helm release-name
       --repo string                               Repository URL, ignored if a file is set
+      --retry-backoff-duration duration           Retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h) (default 5s)
+      --retry-backoff-factor int                  Factor multiplies the base duration after each failed retry (default 2)
+      --retry-backoff-max-duration duration       Max retry backoff duration. Input needs to be a duration (e.g. 2m, 1h) (default 3m0s)
+      --retry-limit int                           Max number of allowed sync retries
       --revision string                           The tracking source branch, tag, commit or Helm chart version the application will sync to
       --revision-history-limit int                How many items to keep in revision history (default 10)
       --self-heal                                 Set self healing when sync is automated

docs/user-guide/commands/argocd_app_unset.md

@@ -28,6 +28,7 @@ argocd app unset APPNAME parameters [flags]
       --nameprefix                    Kustomize nameprefix
       --namesuffix                    Kustomize namesuffix
   -p, --parameter stringArray         Unset a parameter override (e.g. -p guestbook=image)
+      --plugin-env stringArray        Unset plugin env variables (e.g --plugin-env name)
       --values stringArray            Unset one or more Helm values files
       --values-literal                Unset literal Helm values block
 ```

docs/user-guide/commands/argocd_proj_create.md

@@ -9,15 +9,19 @@ argocd proj create PROJECT [flags]
 ### Options
 
 ```
-      --description string        Project description
-  -d, --dest stringArray          Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)
-  -f, --file string               Filename or URL to Kubernetes manifests for the project
-  -h, --help                      help for create
-      --orphaned-resources        Enables orphaned resources monitoring
-      --orphaned-resources-warn   Specifies if applications should have a warning condition when orphaned resources detected
-      --signature-keys strings    GnuPG public key IDs for commit signature verification
-  -s, --src stringArray           Permitted source repository URL
-      --upsert                    Allows to override a project with the same name even if supplied project spec is different from existing spec
+      --allow-cluster-resource stringArray      List of allowed cluster level resources
+      --allow-namespaced-resource stringArray   List of allowed namespaced resources
+      --deny-cluster-resource stringArray       List of denied cluster level resources
+      --deny-namespaced-resource stringArray    List of denied namespaced resources
+      --description string                      Project description
+  -d, --dest stringArray                        Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)
+  -f, --file string                             Filename or URL to Kubernetes manifests for the project
+  -h, --help                                    help for create
+      --orphaned-resources                      Enables orphaned resources monitoring
+      --orphaned-resources-warn                 Specifies if applications should have a warning condition when orphaned resources detected
+      --signature-keys strings                  GnuPG public key IDs for commit signature verification
+  -s, --src stringArray                         Permitted source repository URL
+      --upsert                                  Allows to override a project with the same name even if supplied project spec is different from existing spec
 ```
 
 ### Options inherited from parent commands

docs/user-guide/commands/argocd_proj_set.md

@@ -9,13 +9,17 @@ argocd proj set PROJECT [flags]
 ### Options
 
 ```
-      --description string        Project description
-  -d, --dest stringArray          Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)
-  -h, --help                      help for set
-      --orphaned-resources        Enables orphaned resources monitoring
-      --orphaned-resources-warn   Specifies if applications should have a warning condition when orphaned resources detected
-      --signature-keys strings    GnuPG public key IDs for commit signature verification
-  -s, --src stringArray           Permitted source repository URL
+      --allow-cluster-resource stringArray      List of allowed cluster level resources
+      --allow-namespaced-resource stringArray   List of allowed namespaced resources
+      --deny-cluster-resource stringArray       List of denied cluster level resources
+      --deny-namespaced-resource stringArray    List of denied namespaced resources
+      --description string                      Project description
+  -d, --dest stringArray                        Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)
+  -h, --help                                    help for set
+      --orphaned-resources                      Enables orphaned resources monitoring
+      --orphaned-resources-warn                 Specifies if applications should have a warning condition when orphaned resources detected
+      --signature-keys strings                  GnuPG public key IDs for commit signature verification
+  -s, --src stringArray                         Permitted source repository URL
 ```
 
 ### Options inherited from parent commands

docs/user-guide/helm.md

@@ -178,12 +178,12 @@ After that you have to use your custom image for ArgoCD installation.
 
 ## Helm Version
 
-ArgoCD normally detects which version of Helm to use by looking at the `apiVersion` in Chart.yaml.
+Argo CD will assume that the Helm chart is v3 (even if the apiVersion field in the chart is Helm v2), unless v2 is explicitly specified within the Argo CD Application (see below).
 
 If needed, it is possible to specifically set the Helm version to template with by setting the `helm-version` flag on the cli (either v2 or v3):
 
 ```bash
-argocd app set helm-guestbook --helm-version v2
+argocd app set helm-guestbook --helm-version v3
 ```
 
 Or using declarative syntax:
@@ -192,5 +192,5 @@ Or using declarative syntax:
 spec:
   source:
     helm:
-      version: v2
+      version: v3
 ```

docs/user-guide/sync-options.md

@@ -82,4 +82,46 @@ Example:
 
 ```bash
 $ argocd app set guestbook --sync-option ApplyOutOfSyncOnly=true
-```
+```
+
+## Resources Prune Deletion Propagation Policy
+
+By default, extraneous resources get pruned using foreground deletion policy. The propagation policy can be controlled
+using `PrunePropagationPolicy` sync option. Supported policies are background, foreground and orphan.
+
+```yaml
+syncOptions:
+- PrunePropagationPolicy=foreground
+```
+
+## Prune Last
+
+This feature is to allow the ability for resource pruning to happen as a final, implicit wave of a sync operation, 
+after the other resources have been deployed and become healthy, and after all other waves completed successfully. 
+
+```yaml
+syncOptions:
+- PruneLast=true
+```
+
+This can also be configured at individual resource level.
+```yaml
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: PruneLast=true
+```
+
+## Replace Resource Instead Of Applying Changes
+
+By default, Argo CD executes `kubectl apply` operation to apply the configuration stored in Git. In some cases
+`kubectl apply` is not suitable. For example, resource spec might be too big and won't fit into
+`kubectl.kubernetes.io/last-applied-configuration` annotation that is added by `kubectl apply`. In such cases you
+might use `Replace=true` sync option:
+
+
+```yaml
+syncOptions:
+- Replace=true
+```
+
+If the `Replace=true` sync option is set the Argo CD will use `kubectl replace` or `kubectl create` command to apply changes.

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/miniredis v2.5.0+incompatible
 	github.com/alicebob/miniredis/v2 v2.14.2
-	github.com/argoproj/gitops-engine v0.2.1-0.20210218233004-354817a103ee
+	github.com/argoproj/gitops-engine v0.3.0
 	github.com/argoproj/pkg v0.2.0
 	github.com/bombsimon/logrusr v1.0.0
 	github.com/bradleyfalzon/ghinstallation v1.1.1
@@ -72,15 +72,15 @@ require (
 	gopkg.in/go-playground/webhooks.v5 v5.11.0
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/api v0.20.1
-	k8s.io/apiextensions-apiserver v0.20.1
-	k8s.io/apimachinery v0.20.1
+	k8s.io/api v0.20.4
+	k8s.io/apiextensions-apiserver v0.20.4
+	k8s.io/apimachinery v0.20.4
 	k8s.io/client-go v11.0.1-0.20190816222228-6d55c1b1f1ca+incompatible
-	k8s.io/code-generator v0.20.1
-	k8s.io/component-base v0.20.1
-	k8s.io/klog v1.0.0
+	k8s.io/code-generator v0.20.4
+	k8s.io/component-base v0.20.4
+	k8s.io/klog/v2 v2.4.0
 	k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd
-	k8s.io/kubectl v0.20.1
+	k8s.io/kubectl v0.20.4
 	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 	layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427
 	sigs.k8s.io/yaml v1.2.0
@@ -94,28 +94,28 @@ replace (
 
 	google.golang.org/grpc => google.golang.org/grpc v1.15.0
 
-	k8s.io/api => k8s.io/api v0.20.1
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.20.1
-	k8s.io/apimachinery => k8s.io/apimachinery v0.20.1
-	k8s.io/apiserver => k8s.io/apiserver v0.20.1
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.20.1
-	k8s.io/client-go => k8s.io/client-go v0.20.1
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.20.1
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.20.1
-	k8s.io/code-generator => k8s.io/code-generator v0.20.1
-	k8s.io/component-base => k8s.io/component-base v0.20.1
-	k8s.io/component-helpers => k8s.io/component-helpers v0.20.1
-	k8s.io/controller-manager => k8s.io/controller-manager v0.20.1
-	k8s.io/cri-api => k8s.io/cri-api v0.20.1
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.20.1
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.20.1
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.20.1
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.20.1
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.20.1
-	k8s.io/kubectl => k8s.io/kubectl v0.20.1
-	k8s.io/kubelet => k8s.io/kubelet v0.20.1
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.20.1
-	k8s.io/metrics => k8s.io/metrics v0.20.1
-	k8s.io/mount-utils => k8s.io/mount-utils v0.20.1
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.20.1
+	k8s.io/api => k8s.io/api v0.20.4
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.20.4
+	k8s.io/apimachinery => k8s.io/apimachinery v0.20.4
+	k8s.io/apiserver => k8s.io/apiserver v0.20.4
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.20.4
+	k8s.io/client-go => k8s.io/client-go v0.20.4
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.20.4
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.20.4
+	k8s.io/code-generator => k8s.io/code-generator v0.20.4
+	k8s.io/component-base => k8s.io/component-base v0.20.4
+	k8s.io/component-helpers => k8s.io/component-helpers v0.20.4
+	k8s.io/controller-manager => k8s.io/controller-manager v0.20.4
+	k8s.io/cri-api => k8s.io/cri-api v0.20.4
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.20.4
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.20.4
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.20.4
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.20.4
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.20.4
+	k8s.io/kubectl => k8s.io/kubectl v0.20.4
+	k8s.io/kubelet => k8s.io/kubelet v0.20.4
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.20.4
+	k8s.io/metrics => k8s.io/metrics v0.20.4
+	k8s.io/mount-utils => k8s.io/mount-utils v0.20.4
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.20.4
 )

go.sum

@@ -1,14 +1,12 @@
 bitbucket.org/bertimus9/systemstat v0.0.0-20180207000608-0eeff89b0690/go.mod h1:Ulb78X89vxKYgdL24HMTiXYHlyHEvruOj1ZPlqeNEZM=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0 h1:ROfEUZz+Gh5pa62DJWXSaonyu3StP6EA6lPEXPI6mCo=
 cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
 cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
 cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
 cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
 cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
 cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.51.0 h1:PvKAVQWCtlGUSlZkGW3QLelKaWq7KYv/MW1EboG8bfM=
 cloud.google.com/go v0.51.0/go.mod h1:hWtGJ6gnXH+KgDv+V0zFGDvpi07n3z8ZNj3T1RW0Gcw=
 cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
 cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
@@ -88,8 +86,8 @@ github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
-github.com/argoproj/gitops-engine v0.2.1-0.20210218233004-354817a103ee h1:3i5XKBKlvrOv5sbh/2QsiIERWAVBQYeQwgdNbjvhwBU=
-github.com/argoproj/gitops-engine v0.2.1-0.20210218233004-354817a103ee/go.mod h1:dmGvluybnmaSzsJA7PnrgCoSYQ5stFUNqS46F3gma+M=
+github.com/argoproj/gitops-engine v0.3.0 h1:emDED8sHRX81mQOi8C24oW1wTJ3peXRHI6RJlvZWHkk=
+github.com/argoproj/gitops-engine v0.3.0/go.mod h1:IBHhAkqlC+3r/wBWUitWSidQhPzlLoSTWp2htq3dyQk=
 github.com/argoproj/pkg v0.2.0 h1:ETgC600kr8WcAi3MEVY5sA1H7H/u1/IysYOobwsZ8No=
 github.com/argoproj/pkg v0.2.0/go.mod h1:F4TZgInLUEjzsWFB/BTJBsewoEy0ucnKSq6vmQiD/yc=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -111,7 +109,6 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bifurcation/mint v0.0.0-20180715133206-93c51c6ce115/go.mod h1:zVt7zX3K/aDCk9Tj+VM7YymsX66ERvzCJzw8rFCX2JU=
 github.com/bketelsen/crypt v0.0.3-0.20200106085610-5cbc8cc4026c/go.mod h1:MKsuJmJgSg28kpZDP6UIiPt0e0Oz0kqKNGyRaWEPv84=
-github.com/blang/semver v3.5.0+incompatible h1:CGxCgetQ64DKk7rdZ++Vfnb1+ogGNnB17OJKJXD2Cfs=
 github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
@@ -324,7 +321,6 @@ github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfU
 github.com/golang/groupcache v0.0.0-20160516000752-02826c3e7903/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7 h1:5ZkaAPbicIKTF2I64qf5Fh8Aa83Q/dnOafMYV0OMwjA=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e h1:1r7pUrabqp18hOBcwBwiTsbnFeTZHV9eER/QT5JVZxY=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -346,7 +342,7 @@ github.com/gomodule/redigo v2.0.0+incompatible/go.mod h1:B4C85qUVwatsJoIUNIfCRsp
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0 h1:0udJVsspx3VBr5FwtLhQQtuAsVc79tTq0ocGIPAU6qo=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/cadvisor v0.38.6/go.mod h1:1OFB9sOOMkBdUBGCO/1SArawTnDscgMzTodacVDe8mA=
+github.com/google/cadvisor v0.38.7/go.mod h1:1OFB9sOOMkBdUBGCO/1SArawTnDscgMzTodacVDe8mA=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -373,7 +369,6 @@ github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm4
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.0.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -423,7 +418,6 @@ github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2p
 github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
 github.com/heketi/heketi v9.0.1-0.20190917153846-c2e2a4ab7ab9+incompatible/go.mod h1:bB9ly3RchcQqsQ9CpyaQwvva7RS5ytVoSoholZQON6o=
 github.com/heketi/tests v0.0.0-20151005000721-f3775cbcefd6/go.mod h1:xGMAM8JLi7UkZt1i4FQeQy0R2T8GLUwQhOP5M1gBhy4=
-github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
@@ -447,7 +441,6 @@ github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/u
 github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1 h1:6QPYqodiu3GuPL+7mfx+NwDdp2eTkp9IfEUpgAwUN0o=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
@@ -532,7 +525,6 @@ github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQz
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/moby/ipvs v1.0.1/go.mod h1:2pngiyseZbIKXNv7hsKj3O9UEz30c53MT9005gt2hxQ=
 github.com/moby/sys/mountinfo v0.1.3/go.mod h1:w2t2Avltqx8vE7gX5l+QiBKxODu2TX0+Syr3h52Tw4o=
-github.com/moby/term v0.0.0-20200312100748-672ec06f55cd h1:aY7OQNf2XqY/JQ6qREWamhI/81os/agb2BAGpcx5yWI=
 github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo=
 github.com/moby/term v0.0.0-20201110203204-bea5bbe245bf h1:Un6PNx5oMK6CCwO3QTUyPiK2mtZnPrpDl5UnZ64eCkw=
 github.com/moby/term v0.0.0-20201110203204-bea5bbe245bf/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=
@@ -561,14 +553,12 @@ github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:v
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw=
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.2 h1:8mVmC9kjFFmA8H4pKMUhcblgifdkOIXPvbhN1T36q1M=
 github.com/onsi/ginkgo v1.14.2/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@@ -621,7 +611,6 @@ github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R
 github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.0-20190522114515-bc1a522cf7b1/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
-github.com/prometheus/procfs v0.1.3 h1:F0+tqvhOksq22sc6iCHF5WGlWjdwj92p0udFh1VFBS8=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.2.0 h1:wH4vA7pcjKuZzjF7lM8awk4fnuJO6idemZXoKnULUx4=
 github.com/prometheus/procfs v0.2.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
@@ -666,7 +655,6 @@ github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8=
 github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
 github.com/spf13/cobra v1.1.1 h1:KfztREH0tPxJJ+geloSLaAkaPkr4ki2Er5quFV1TDo4=
 github.com/spf13/cobra v1.1.1/go.mod h1:WnodtKOvamDL/PwE2M4iKs8aMDBZ5Q5klgD3qfVJQMI=
@@ -761,7 +749,6 @@ golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190617133340-57b3e21c3d56/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190701094942-4def268fd1a4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0 h1:hb9wdF1z5waM+dSIICn1l0DkLVDT3hqhhQsDNUmHPRE=
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
@@ -838,7 +825,6 @@ golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201006153459-a7d1128ccaa0/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201022231255-08b38378de70/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201024042810-be3efd7ff127 h1:pZPp9+iYUqwYKLjht0SDBbRCRK/9gAXDy7pz5fRDpjo=
 golang.org/x/net v0.0.0-20201024042810-be3efd7ff127/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b h1:uwuIcX0g4Yl1NC5XAz37xsr2lTtcqevgzYNVt49waME=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
@@ -854,7 +840,6 @@ golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a h1:DcqTD9SDLc+1P/r1EmRBwnVsrOwW+kk2vWf9n+1sGhs=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -910,7 +895,6 @@ golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f h1:+Nyd8tzPX9R7BWHguqsrbFdRx3WQ/1ib8I44HXV5yTA=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201110211018-35f3e6cf4a65/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201112073958-5cba982894dd h1:5CtCZbICpIOFdgO940moixOPjc0178IU44m4EjOO5IY=
@@ -919,14 +903,12 @@ golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fq
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4 h1:0YWbFKbhXG/wIiuHDSKpS0Iy7FSA+u45VtBMfQcFTTc=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20191024005414-555d28b269f0 h1:/5xXl8Y5W96D+TtHSlonuFqGHIWVuyCkGJLwGh9JJFs=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e h1:EHBhcS0mlXEAVwNyO2dLfjToGsyY4j24pTs2ScHnX7s=
 golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1023,7 +1005,6 @@ google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfG
 google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a h1:pOwg4OoaRYScjmR4LlLgdtnyoHYTSAVhhqe5uPdpII8=
 google.golang.org/genproto v0.0.0-20201110150050-8816d57aaa9a/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
@@ -1031,7 +1012,6 @@ google.golang.org/grpc v1.15.0 h1:Az/KuahOM4NAidTEuJCv/RonAA7rYsTPkqXVjr+8OOw=
 google.golang.org/grpc v1.15.0/go.mod h1:0JHn/cJsOMiMfNA9+DeHDlAU7KAAB5GDlYFpa9MZMio=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.24.0 h1:UhZDfRO8JRQru4/+LlLE0BRKGF8L+PICnvYZmx/fEGA=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
@@ -1042,7 +1022,6 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogR
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gcfg.v1 v1.2.0/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
 gopkg.in/go-playground/webhooks.v5 v5.11.0 h1:V3vej+ZXrVvO2EmBTKlhClEbpTqXH44K5OyLUMOkHMg=
@@ -1087,29 +1066,29 @@ honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/api v0.20.1 h1:ud1c3W3YNzGd6ABJlbFfKXBKXO+1KdGfcgGGNgFR03E=
-k8s.io/api v0.20.1/go.mod h1:KqwcCVogGxQY3nBlRpwt+wpAMF/KjaCc7RpywacvqUo=
-k8s.io/apiextensions-apiserver v0.20.1 h1:ZrXQeslal+6zKM/HjDXLzThlz/vPSxrfK3OqL8txgVQ=
-k8s.io/apiextensions-apiserver v0.20.1/go.mod h1:ntnrZV+6a3dB504qwC5PN/Yg9PBiDNt1EVqbW2kORVk=
-k8s.io/apimachinery v0.20.1 h1:LAhz8pKbgR8tUwn7boK+b2HZdt7MiTu2mkYtFMUjTRQ=
-k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
-k8s.io/apiserver v0.20.1 h1:yEqdkxlnQbxi/3e74cp0X16h140fpvPrNnNRAJBDuBk=
-k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU=
-k8s.io/cli-runtime v0.20.1 h1:fJhRQ9EfTpJpCqSFOAqnYLuu5aAM7yyORWZ26qW1jJc=
-k8s.io/cli-runtime v0.20.1/go.mod h1:6wkMM16ZXTi7Ow3JLYPe10bS+XBnIkL6V9dmEz0mbuY=
-k8s.io/client-go v0.20.1 h1:Qquik0xNFbK9aUG92pxHYsyfea5/RPO9o9bSywNor+M=
-k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y=
-k8s.io/cloud-provider v0.20.1/go.mod h1:x2E8iyhfwoxQbk361wNBdTCFTQNKx8m/ZcxQPxpmFfE=
-k8s.io/cluster-bootstrap v0.20.1/go.mod h1:Xnom8jy4bkF9pz1w7XQAZYQWMYF4m3CSCTqYiehDdXI=
-k8s.io/code-generator v0.20.1 h1:kre3GNich5gbO3d1FyTT8fHI4ZJezZV217yFdWlQaRQ=
-k8s.io/code-generator v0.20.1/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
-k8s.io/component-base v0.20.1 h1:6OQaHr205NSl24t5wOF2IhdrlxZTWEZwuGlLvBgaeIg=
-k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk=
-k8s.io/component-helpers v0.20.1 h1:Sw6bB6AHPPaI+Q3s3WNPjP2iHbuME252in03HvXXTEM=
-k8s.io/component-helpers v0.20.1/go.mod h1:Q8trCj1zyLNdeur6pD2QvsF8d/nWVfK71YjN5+qVXy4=
-k8s.io/controller-manager v0.20.1/go.mod h1:Wfwz1Sn3ITXiMKO+Z2qhc9b34YgzOL7puRi9jb4wIUo=
-k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
-k8s.io/csi-translation-lib v0.20.1/go.mod h1:Jk3Ta91UveSd54W44P8qCXB57BQy7uqUrLaBqhT/4z4=
+k8s.io/api v0.20.4 h1:xZjKidCirayzX6tHONRQyTNDVIR55TYVqgATqo6ZULY=
+k8s.io/api v0.20.4/go.mod h1:++lNL1AJMkDymriNniQsWRkMDzRaX2Y/POTUi8yvqYQ=
+k8s.io/apiextensions-apiserver v0.20.4 h1:VO/Y5PwBdznMIctX/vvgSNhxffikEmcLC/V1bpbhHhU=
+k8s.io/apiextensions-apiserver v0.20.4/go.mod h1:Hzebis/9c6Io5yzHp24Vg4XOkTp1ViMwKP/6gmpsfA4=
+k8s.io/apimachinery v0.20.4 h1:vhxQ0PPUUU2Ns1b9r4/UFp13UPs8cw2iOoTjnY9faa0=
+k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU=
+k8s.io/apiserver v0.20.4 h1:zMMKIgIUDIFiwK3LyY7qOV4Z4wKsHVYExL6vXY9fPX4=
+k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM=
+k8s.io/cli-runtime v0.20.4 h1:jVU13lBeebHLtarHeHkoIi3uRONFzccmP7hHLzEoQ4w=
+k8s.io/cli-runtime v0.20.4/go.mod h1:dz38e1CM4uuIhy8PMFUZv7qsvIdoE3ByZYlmbHNCkt4=
+k8s.io/client-go v0.20.4 h1:85crgh1IotNkLpKYKZHVNI1JT86nr/iDCvq2iWKsql4=
+k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k=
+k8s.io/cloud-provider v0.20.4/go.mod h1:wbU+iVZIWA3+iDEK5q8Ki9de1cgIHixr2B7LzO2nAjg=
+k8s.io/cluster-bootstrap v0.20.4/go.mod h1:WemJ9DOVs8DOvG+XjpQv29otMJHRazmR8gDnJPs4qA4=
+k8s.io/code-generator v0.20.4 h1:FhilVnvwMFVs65SxIQjXSOznGmzJIZEk3CCk/SULBfk=
+k8s.io/code-generator v0.20.4/go.mod h1:UsqdF+VX4PU2g46NC2JRs4gc+IfrctnwHb76RNbWHJg=
+k8s.io/component-base v0.20.4 h1:gdvPs4G11e99meQnW4zN+oYOjH8qkLz1sURrAzvKWqc=
+k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGwgjI=
+k8s.io/component-helpers v0.20.4 h1:3XJi6w+AcLd5f3ZwSRfgWuHFnUCmMAaRsUt2+NGDyQ0=
+k8s.io/component-helpers v0.20.4/go.mod h1:S7jGg8zQp3kwvSzfuGtNaQAMVmvzomXDioTm5vABn9g=
+k8s.io/controller-manager v0.20.4/go.mod h1:WEvFUeeywQl0dIUvorC8Zx/vSqgB8sGKrzNncUEcjlE=
+k8s.io/cri-api v0.20.4/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI=
+k8s.io/csi-translation-lib v0.20.4/go.mod h1:WisLItCdoDKB4lr6nkhzQsfgBNBJDI/TD9m4Crw92JM=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20201113003025-83324d819ded h1:JApXBKYyB7l9xx+DK7/+mFjC7A9Bt5A93FPvFD0HIFE=
 k8s.io/gengo v0.0.0-20201113003025-83324d819ded/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
@@ -1120,22 +1099,22 @@ k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
 k8s.io/klog/v2 v2.4.0 h1:7+X0fUguPyrKEC4WjH8iGDg3laWgMo5tMnRTIGTTxGQ=
 k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/kube-aggregator v0.20.1 h1:IPiL4l4ODmpzfte6LSYXbXuDyuYmTDZ4vQIcLS9NIZ0=
-k8s.io/kube-aggregator v0.20.1/go.mod h1:1ZeyRfSg5HcRI8dihvWAc7VpXSMAw9UmZoWXBUOPyew=
-k8s.io/kube-controller-manager v0.20.1/go.mod h1:9iwMjyiO1pzgO9b2WvWmGoTilkal4ke7ceCcNWW6NAI=
+k8s.io/kube-aggregator v0.20.4 h1:j/SUwPy1eO+ud3XOUGmH18gISPyerqhXOoNRZDbv3fs=
+k8s.io/kube-aggregator v0.20.4/go.mod h1:0ixQ9De7KXyHteXizS6nVtrnKqGa4kiuxl9rEBsNccw=
+k8s.io/kube-controller-manager v0.20.4/go.mod h1:HCVTzFZhw/dtTgfeF2mEUSZZM++poC6qUhNmZ5yRELk=
 k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd h1:sOHNzJIkytDF6qadMNKhhDRpc6ODik8lVC6nOur7B2c=
 k8s.io/kube-openapi v0.0.0-20201113171705-d219536bb9fd/go.mod h1:WOJ3KddDSol4tAGcJo0Tvi+dK12EcqSLqcWsryKMpfM=
-k8s.io/kube-proxy v0.20.1/go.mod h1:/PlQONAFpILYSKgmAg4sNsmlrXqPgwMSce/pWBtbbzk=
-k8s.io/kube-scheduler v0.20.1/go.mod h1:3LrKGlT1iM1rsc4S8wSkTUaVrFsptQixESqBrtM0e6o=
-k8s.io/kubectl v0.20.1 h1:7h1vSrL/B3hLrhlCJhbTADElPKDbx+oVUt3+QDSXxBo=
-k8s.io/kubectl v0.20.1/go.mod h1:2bE0JLYTRDVKDiTREFsjLAx4R2GvUtL/mGYFXfFFMzY=
-k8s.io/kubelet v0.20.1/go.mod h1:5zyqbuxkRJYcxNrh33VwHxd6T7HdqpuzpFldjgX8JMg=
-k8s.io/kubernetes v1.20.1 h1:SHJ+Ua3v2nzKB6JEGJilKv/JIiVJFo+dCs707Z3H0nk=
-k8s.io/kubernetes v1.20.1/go.mod h1:v2E/T5A+ikBt81n9HZ8VVns5IXSsMHP1ITIFuHY3d5s=
-k8s.io/legacy-cloud-providers v0.20.1/go.mod h1:r2Qf8WVnfQndTp6dSPPfGRtjO1CoWVbW098M4SI7njY=
-k8s.io/metrics v0.20.1/go.mod h1:JhpBE/fad3yRGsgEpiZz5FQQM5wJ18OTLkD7Tv40c0s=
-k8s.io/mount-utils v0.20.1/go.mod h1:Jv9NRZ5L2LF87A17GaGlArD+r3JAJdZFvo4XD1cG4Kc=
-k8s.io/sample-apiserver v0.20.1/go.mod h1:Ti0ug/r3ascaPpc7z22LC3jg3+wv7oCpcNPs0YdREes=
+k8s.io/kube-proxy v0.20.4/go.mod h1:FU0h3UFlM/n/NorYVzchOCYZa/eGyo/VdWpvrhtkPsY=
+k8s.io/kube-scheduler v0.20.4/go.mod h1:w1/IOIJ6q9K1TQ/9sQBvNDSvi9ylZgJaedkwWU5l9bA=
+k8s.io/kubectl v0.20.4 h1:Y1gUiigiZM+ulcrnWeqSHlTd0/7xWcQIXjuMnjtHyoo=
+k8s.io/kubectl v0.20.4/go.mod h1:yCC5lUQyXRmmtwyxfaakryh9ezzp/bT0O14LeoFLbGo=
+k8s.io/kubelet v0.20.4/go.mod h1:Jtubfqr/TlXcOMaUYWoGVkuY/iM5xmZiEukcJSJs0ns=
+k8s.io/kubernetes v1.20.4 h1:gPeOspTx01shAQuFhae+O7ZfU0WKlD7RE5L0pooU0g8=
+k8s.io/kubernetes v1.20.4/go.mod h1:5oh+vhVyWep2o+IH61i3aU4e/Q77Yt96tcKwYOpVbvk=
+k8s.io/legacy-cloud-providers v0.20.4/go.mod h1:whukzxTjXr2SclI8TObPeCFqIyWJ0IfqTb9enRi8Bs8=
+k8s.io/metrics v0.20.4/go.mod h1:DDXS+Ls+2NAxRcVhXKghRPa3csljyJRjDRjPe6EOg/g=
+k8s.io/mount-utils v0.20.4/go.mod h1:Jv9NRZ5L2LF87A17GaGlArD+r3JAJdZFvo4XD1cG4Kc=
+k8s.io/sample-apiserver v0.20.4/go.mod h1:QoqZx37RKI+i+yQ7mUL5rEaY59OciDCmMRmoIAiKPKs=
 k8s.io/system-validators v1.2.0/go.mod h1:bPldcLgkIUK22ALflnsXk8pvkTEndYdNuaHH6gRrl0Q=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920 h1:CbnUZsM497iRC5QMVkHwyl8s2tB3g7yaSHkYPkpgelw=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=

hack/gen-crd-spec/main.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/ghodss/yaml"
-	extensionsobj "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	extensionsobj "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
@@ -28,6 +28,7 @@ func getCustomResourceDefinitions() map[string]*extensionsobj.CustomResourceDefi
 		"controller-gen",
 		"paths=./pkg/apis/application/...",
 		"crd:trivialVersions=true",
+		"crd:crdVersions=v1",
 		"output:crd:stdout",
 	).Output()
 	checkErr(err)
@@ -35,6 +36,8 @@ func getCustomResourceDefinitions() map[string]*extensionsobj.CustomResourceDefi
 	// clean up stuff left by controller-gen
 	deleteFile("config/webhook/manifests.yaml")
 	deleteFile("config/webhook")
+	deleteFile("config/argoproj.io_applications.yaml")
+	deleteFile("config/argoproj.io_appprojects.yaml")
 	deleteFile("config")
 
 	objs, err := kube.SplitYAML(crdYamlBytes)
@@ -58,7 +61,6 @@ func getCustomResourceDefinitions() map[string]*extensionsobj.CustomResourceDefi
 		}
 		delete(crd.Annotations, "controller-gen.kubebuilder.io/version")
 		crd.Spec.Scope = "Namespaced"
-		crd.Spec.PreserveUnknownFields = nil
 		crds[crd.Name] = crd
 	}
 	return crds
@@ -72,7 +74,7 @@ func deleteFile(path string) {
 }
 
 func removeValidation(un *unstructured.Unstructured, path string) {
-	schemaPath := []string{"spec", "validation", "openAPIV3Schema"}
+	schemaPath := []string{"spec", "versions[*]", "schema", "openAPIV3Schema"}
 	for _, part := range strings.Split(path, ".") {
 		schemaPath = append(schemaPath, "properties", part)
 	}

hack/installers/install-codegen-go-tools.sh

@@ -2,7 +2,7 @@
 set -eux -o pipefail
 
 GO111MODULE=on go get github.com/gogo/protobuf/gogoproto@v1.3.1
-GO111MODULE=on go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.3
+GO111MODULE=on go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.4.1
 GO111MODULE=on go get github.com/golang/protobuf/protoc-gen-go@v1.4.2
 GO111MODULE=on go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway@v1.12.2
 GO111MODULE=on go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger@v1.12.2

hack/installers/install-codegen-tools.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 set -eux -o pipefail
 
-KUSTOMIZE_VERSION=3.8.1 "$(dirname $0)/../install.sh" helm2-linux jq-linux kustomize-linux protoc-linux swagger-linux
+KUSTOMIZE_VERSION=3.9.4 "$(dirname $0)/../install.sh" helm2-linux jq-linux kustomize-linux protoc-linux swagger-linux

hack/tool-versions.sh

@@ -7,7 +7,7 @@ jq_version=1.6
 ksonnet_version=0.13.1
 kubectl_version=1.17.8
 kubectx_version=0.6.3
-kustomize3_version=3.8.1
+kustomize3_version=3.9.4
 packr_version=1.21.9
 protoc_version=3.7.1
 swagger_version=0.19.0

hack/versions.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 # Update required versions of dependencies here whenever you change them in 
 # go.mod
-kube_version=v0.20.1
+kube_version=v0.20.4
 grpc_version=v1.26.0
 protobuf_version=v1.3.2
 grpc_gateway_version=v1.16.0

manifests/base/application-controller/argocd-application-controller-statefulset.yaml

@@ -41,6 +41,14 @@ spec:
             port: 8082
           initialDelaySeconds: 5
           periodSeconds: 10
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - all
+        volumeMounts:
+        - name: argocd-repo-server-tls
+          mountPath: /app/config/controller/tls
       serviceAccountName: argocd-application-controller
       affinity:
         podAntiAffinity:
@@ -57,3 +65,15 @@ spec:
                 matchLabels:
                   app.kubernetes.io/part-of: argocd
               topologyKey: kubernetes.io/hostname
+      volumes:
+      - name: argocd-repo-server-tls
+        secret:
+          secretName: argocd-repo-server-tls
+          optional: true
+          items:
+          - key: tls.crt
+            path: tls.crt
+          - key: tls.key
+            path: tls.key
+          - key: ca.crt
+            path: ca.crt

manifests/base/kustomization.yaml

@@ -4,8 +4,8 @@ kind: Kustomization
 
 images:
 - name: quay.io/argoproj/argocd
-  newName: quay.io/argoproj/argocd
-  newTag: latest
+  newName: argoproj/argocd
+  newTag: v2.0.0-rc1
 resources:
 - ./application-controller
 - ./dex