Update manifests to v1.3.2

* Make directory enforcer more lenient and add flag

* Fixes

* Lint fixes

* Lint fixes

* Fixed test

* Minor

* Removed enforcer option

* Move directory traversal check higher up

* Go fmt

* Allow URLs

* Added test

.argo-ci/ci.yaml

@@ -1,107 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Workflow
-metadata:
-  generateName: argo-cd-ci-
-spec:
-  entrypoint: argo-cd-ci
-  arguments:
-    parameters:
-    - name: revision
-      value: master
-    - name: repo
-      value: https://github.com/argoproj/argo-cd.git
-
-  templates:
-  - name: argo-cd-ci
-    steps:
-    - - name: build
-        template: ci-dind
-        arguments:
-          parameters:
-          - name: cmd
-            value: "{{item}}"
-        withItems:
-        - make controller-image server-image repo-server-image
-      - name: test
-        template: ci-builder
-        arguments:
-          parameters:
-          - name: cmd
-            value: "{{item}}"
-        withItems:
-        - dep ensure && make cli lint
-      - name: test-coverage
-        template: ci-builder
-        arguments:
-          parameters:
-          - name: cmd
-            value: "dep ensure && go get github.com/mattn/goveralls && make test-coverage"
-      - name: test-e2e
-        template: ci-builder
-        arguments:
-          parameters:
-          - name: cmd
-            value: "dep ensure && make test-e2e"
-
-  - name: ci-builder
-    inputs:
-      parameters:
-      - name: cmd
-      artifacts:
-      - name: code
-        path: /go/src/github.com/argoproj/argo-cd
-        git:
-          repo: "{{workflow.parameters.repo}}"
-          revision: "{{workflow.parameters.revision}}"
-    container:
-      image: argoproj/argo-cd-ci-builder:latest
-      command: [sh, -c]
-      args: ["mkfifo pipe; tee /tmp/logs.txt < pipe & {{inputs.parameters.cmd}} > pipe"]
-      workingDir: /go/src/github.com/argoproj/argo-cd
-      env:
-        - name: COVERALLS_TOKEN
-          valueFrom:
-            secretKeyRef:
-              name: coverall-token
-              key: coverall-token
-      resources:
-        requests:
-          memory: 1024Mi
-          cpu: 200m
-    outputs:
-      artifacts:
-      - name: logs
-        path: /tmp/logs.txt
-
-  - name: ci-dind
-    inputs:
-      parameters:
-      - name: cmd
-      artifacts:
-      - name: code
-        path: /go/src/github.com/argoproj/argo-cd
-        git:
-          repo: "{{workflow.parameters.repo}}"
-          revision: "{{workflow.parameters.revision}}"
-    container:
-      image: argoproj/argo-cd-ci-builder:latest
-      command: [sh, -c]
-      args: ["mkfifo pipe; tee /tmp/logs.txt < pipe & until docker ps; do sleep 3; done && {{inputs.parameters.cmd}} > pipe"]
-      workingDir: /go/src/github.com/argoproj/argo-cd
-      env:
-      - name: DOCKER_HOST
-        value: 127.0.0.1
-      resources:
-        requests:
-          memory: 1024Mi
-          cpu: 200m
-    sidecars:
-    - name: dind
-      image: docker:17.10-dind
-      securityContext:
-        privileged: true
-      mirrorVolumeMounts: true
-    outputs:
-      artifacts:
-      - name: logs
-        path: /tmp/logs.txt

.circleci/config.yml

@@ -0,0 +1,214 @@
+version: 2.1
+commands:
+  configure_git:
+    steps:
+      - run:
+          name: Configure Git
+          command: |
+            set -x
+            # must be configured for tests to run
+            git config --global user.email you@example.com
+            git config --global user.name "Your Name"
+            echo "export PATH=/home/circleci/.go_workspace/src/github.com/argoproj/argo-cd/hack:\$PATH" | tee -a $BASH_ENV
+            echo "export GIT_ASKPASS=git-ask-pass.sh" | tee -a $BASH_ENV
+  dep_ensure:
+    steps:
+      - restore_cache:
+          keys:
+            - vendor-v4-{{ checksum "Gopkg.lock" }}
+      - run:
+          name: Run dep ensure
+          command: dep ensure -v
+      - save_cache:
+          key: vendor-v4-{{ checksum "Gopkg.lock" }}
+          paths:
+            - vendor
+  install_golang:
+    steps:
+      - run:
+          name: Install Golang v1.12.6
+          command: |
+            go get golang.org/dl/go1.12.6
+            [ -e /home/circleci/sdk/go1.12.6 ] || go1.12.6 download
+            echo "export GOPATH=/home/circleci/.go_workspace" | tee -a $BASH_ENV
+            echo "export PATH=/home/circleci/sdk/go1.12.6/bin:\$PATH" | tee -a $BASH_ENV
+  save_go_cache:
+    steps:
+      - save_cache:
+          key: go-v18-{{ .Branch }}
+          paths:
+            - /home/circleci/.go_workspace
+            - /home/circleci/.cache/go-build
+            - /home/circleci/sdk/go1.12.6
+  restore_go_cache:
+    steps:
+      - restore_cache:
+          keys:
+            - go-v18-{{ .Branch }}
+            - go-v18-master
+            - go-v17-{{ .Branch }}
+            - go-v17-master
+jobs:
+  codegen:
+    docker:
+      - image: circleci/golang:1.12
+    working_directory: /go/src/github.com/argoproj/argo-cd
+    steps:
+      - checkout
+      - restore_cache:
+          keys: [codegen-v2]
+      - run: ./hack/install.sh codegen-go-tools
+      - run: sudo ./hack/install.sh codegen-tools
+      - run: dep ensure
+      - save_cache:
+          key: codegen-v2
+          paths: [vendor, /tmp/dl, /go/pkg]
+      - run: helm init --client-only
+      - run: make codegen-local
+      - run:
+          name: Check nothing has changed
+          command: |
+            set -xo pipefail
+            # This makes sure you ran `make pre-commit` before you pushed.
+            # We exclude the Swagger resources; CircleCI doesn't generate them correctly.
+            # When this fails, it will, create a patch file you can apply locally to fix it.
+            # To troubleshoot builds: https://argoproj.github.io/argo-cd/developer-guide/ci/
+            git diff --exit-code -- . ':!Gopkg.lock'  ':!assets/swagger.json' | tee codegen.patch
+      - store_artifacts:
+          path: codegen.patch
+          destination: .
+  test:
+    working_directory: /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
+    machine:
+      image: circleci/classic:201808-01
+    steps:
+      - restore_go_cache
+      - install_golang
+      - checkout
+      - restore_cache:
+          key: test-dl-v1
+      - run: sudo ./hack/install.sh kubectl-linux kubectx-linux dep-linux ksonnet-linux helm-linux kustomize-linux
+      - save_cache:
+          key: test-dl-v1
+          paths: [/tmp/dl]
+      - configure_git
+      - run: go get github.com/jstemmer/go-junit-report
+      - dep_ensure
+      - save_go_cache
+      - run: make test
+      - run:
+          name: Uploading code coverage
+          command: bash <(curl -s https://codecov.io/bash) -f coverage.out
+      - store_test_results:
+          path: test-results
+      - store_artifacts:
+          path: test-results
+          destination: .
+  e2e:
+    working_directory: /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
+    machine:
+      image: circleci/classic:201808-01
+    environment:
+      ARGOCD_FAKE_IN_CLUSTER: "true"
+      ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
+      ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
+    steps:
+      - run:
+          name: Install and start K3S v0.5.0
+          command: |
+            curl -sfL https://get.k3s.io | sh -
+            sudo chmod -R a+rw /etc/rancher/k3s
+            kubectl version
+          background: true
+          environment:
+            INSTALL_K3S_EXEC: --docker
+            INSTALL_K3S_VERSION: v0.5.0
+      - restore_go_cache
+      - install_golang
+      - checkout
+      - restore_cache:
+          keys: [e2e-dl-v1]
+      - run: sudo ./hack/install.sh kubectx-linux dep-linux ksonnet-linux helm-linux kustomize-linux
+      - run: go get github.com/jstemmer/go-junit-report
+      - save_cache:
+          key: e2e-dl-v10
+          paths: [/tmp/dl]
+      - dep_ensure
+      - configure_git
+      - run: make cli
+      - run:
+          name: Create namespace
+          command: |
+            set -x
+            kubectl create ns argocd-e2e
+            kubens argocd-e2e
+            # install the certificates (not 100% sure we need this)
+            sudo cp /var/lib/rancher/k3s/server/tls/token-ca.crt /usr/local/share/ca-certificates/k3s.crt
+            sudo update-ca-certificates
+            # create the kubecfg, again - not sure we need this
+            cat /etc/rancher/k3s/k3s.yaml | sed "s/localhost/`hostname`/" | tee ~/.kube/config
+            echo "127.0.0.1 `hostname`" | sudo tee -a /etc/hosts
+      - run:
+          name: Apply manifests
+          command: kustomize build test/manifests/base | kubectl apply -f -
+      - run:
+          name: Start Redis
+          command: docker run --rm --name argocd-redis -i -p 6379:6379 redis:5.0.3-alpine --save "" --appendonly no
+          background: true
+      - run:
+          name: Start repo server
+          command: go run ./cmd/argocd-repo-server/main.go --loglevel debug --redis localhost:6379
+          background: true
+      - run:
+          name: Start API server
+          command: go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:6379 --insecure --dex-server http://localhost:5556 --repo-server localhost:8081 --staticassets ../argo-cd-ui/dist/app
+          background: true
+      - run:
+          name: Start Test Git
+          command: |
+            test/fixture/testrepos/start-git.sh
+          background: true
+      - run: until curl -v http://localhost:8080/healthz; do sleep 10; done
+      - run:
+          name: Start controller
+          command: go run ./cmd/argocd-application-controller/main.go --loglevel debug --redis localhost:6379 --repo-server localhost:8081 --kubeconfig ~/.kube/config
+          background: true
+      - run:
+          command: PATH=dist:$PATH make test-e2e
+          environment:
+            ARGOCD_OPTS: "--server localhost:8080 --plaintext"
+            ARGOCD_E2E_K3S: "true"
+      - store_test_results:
+          path: test-results
+      - store_artifacts:
+          path: test-results
+          destination: .
+  ui:
+    docker:
+      - image: node:11.15.0
+    working_directory: ~/argo-cd/ui
+    steps:
+      - checkout:
+          path: ~/argo-cd/
+      - restore_cache:
+          keys:
+            - yarn-packages-v4-{{ checksum "yarn.lock" }}
+      - run: yarn install --frozen-lockfile --ignore-optional --non-interactive
+      - save_cache:
+          key: yarn-packages-v4-{{ checksum "yarn.lock" }}
+          paths: [~/.cache/yarn, node_modules]
+      - run: yarn test
+      - run: yarn build
+      - run: yarn lint
+workflows:
+  version: 2
+  workflow:
+    jobs:
+      - test
+      - codegen:
+          requires:
+            - test
+      - ui:
+          requires:
+            - codegen
+      - e2e

.codecov.yml

@@ -0,0 +1,17 @@
+ignore:
+- "**/*.pb.go"
+- "**/*.pb.gw.go"
+- "**/*generated.go"
+- "**/*generated.deepcopy.go"
+- "**/*_test.go"
+- "pkg/apis/client/.*"
+- "pkg/client/.*"
+- "vendor/.*"
+coverage:
+  status:
+    # we've found this not to be useful
+    patch: off
+    project:
+      default:
+        # allow test coverage to drop by 1%, assume that it's typically due to CI problems
+        threshold: 1

.dockerignore

@@ -1,4 +1,13 @@
 # Prevent vendor directory from being copied to ensure we are not not pulling unexpected cruft from 
 # a user's workspace, and are only building off of what is locked by dep.
-vendor
-dist
+.vscode/
+.idea/
+.DS_Store
+vendor/
+dist/
+*.iml
+# delve debug binaries
+cmd/**/debug
+debug.test
+coverage.out
+ui/node_modules/

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,39 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: 'bug'
+assignees: ''
+---
+Checklist:
+
+* [ ] I've included steps to reproduce the bug.
+* [ ] I've pasted the output of `argocd version`.
+
+**Describe the bug**
+
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+
+A list of the steps required to reproduce the issue. Best of all, give us the URL to a repository that exhibits this issue.
+
+**Expected behavior**
+
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+
+If applicable, add screenshots to help explain your problem.
+
+**Version**
+
+```shell
+Paste the output from `argocd version` here.
+```
+
+**Logs**
+
+```
+Paste any relevant application logs here.
+```

.github/ISSUE_TEMPLATE/enhancement_proposal.md

@@ -0,0 +1,18 @@
+---
+name: Enhancement proposal
+about: Propose an enhancement for this project
+title: ''
+labels: 'enhancement'
+assignees: ''
+---
+# Summary
+
+What change you think needs making.
+
+# Motivation
+
+Please give examples of your use case, e.g. when would you use this.
+
+# Proposal
+
+How do you think this should be implemented?

.github/no-response.yml

@@ -0,0 +1 @@
+# See https://github.com/probot/no-response

.github/pull_request_template.md

@@ -0,0 +1,5 @@
+Checklist:
+
+* [ ] I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and I feel I've gotten a green light from the community. 
+* [ ] My build is green ([troubleshooting builds](https://argoproj.github.io/argo-cd/developer-guide/ci/)). 
+* [ ] Optional. My organisation is added to the README.

.github/stale.yml

@@ -0,0 +1,4 @@
+# See https://github.com/probot/stale
+# See https://github.com/probot/stale
+exemptLabels:
+  - backlog

.gitignore

@@ -3,8 +3,10 @@
 .DS_Store
 vendor/
 dist/
+site/
 *.iml
 # delve debug binaries
 cmd/**/debug
 debug.test
 coverage.out
+test-results

.golangci.yml

@@ -0,0 +1,22 @@
+run:
+  deadline: 2m
+  skip-files:
+    - ".*\\.pb\\.go"
+  skip-dirs:
+    - pkg/client/
+    - vendor/
+linters:
+  enable:
+    - vet
+    - deadcode
+    - goimports
+    - varcheck
+    - structcheck
+    - ineffassign
+    - unconvert
+    - unparam
+linters-settings:
+  goimports:
+    local-prefixes: github.com/argoproj/argo-cd
+service:
+  golangci-lint-version: 1.21.0

CHANGELOG.md

@@ -1,6 +1,692 @@
 # Changelog
 
-## v0.10.0 (TBD)
+## v1.2.3 (2019-10-1)
+* Make argo-cd docker images openshift friendly (#2362) (@duboisf)
+* Add dest-server and dest-namespace field to reconciliation logs (#2354)
+- Stop loggin /repository.RepositoryService/ValidateAccess parameters (#2386)
+
+## v1.2.2 (2019-09-26)
++ Resource action equivalent to `kubectl rollout restart` (#2177)
+- Badge response does not contain cache-control header (#2317) (@greenstatic)
+- Make sure the controller uses the latest git version if app reconciliation result expired (#2339)
+
+## v1.2.1 (2019-09-12)
++ Support limiting number of concurrent kubectl fork/execs (#2022)
++ Add --self-heal flag to argocd cli (#2296)
+- Fix degraded proxy support for http(s) git repository (#2243)
+- Fix nil pointer dereference in application controller (#2290)
+
+## v1.2.0 (2019-09-05)
+
+### New Features
+
+#### Server Certificate And Known Hosts Management
+
+The Server Certificate And Known Hosts Management feature makes it really easy to connect private Git repositories to Argo CD. Now Argo CD provides UI and CLI which
+enables managing certificates and known hosts which are used to access Git repositories. It is also possible to configure both hosts and certificates in a declarative manner using
+[argocd-ssh-known-hosts-cm](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-ssh-known-hosts-cm.yaml) and 
+[argocd-tls-certs-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-tls-certs-cm.yaml) config maps.
+
+#### Self-Healing
+
+The existing Automatic Sync feature allows to automatically apply any new changes in Git to the target Kubernetes cluster. However, Automatic Sync does not cover the case when the
+application is out of sync due to the unexpected change in the target cluster. The Self-Healing feature fills this gap. With Self-Healing enabled Argo CD automatically pushes the desired state from Git into the cluster every time when state deviation is detected.
+
+**Anonymous access** - enable read-only access without authentication to anyone in your organization.
+
+Support for Git LFS enabled repositories - now you can store Helm charts as tar files and enable Git LFS in your repository.
+
+**Compact diff view** - compact diff summary of the whole application in a single view.
+
+**Badge for application status** - add badge with the health and sync status of your application into README.md of your deployment repo.
+
+**Allow configuring google analytics tracking** - use Google Analytics to check how many users are visiting UI or your Argo CD instance.
+
+#### Backward Incompatible Changes
+- Kustomize v1 support is removed. All kustomize charts are built using the same Kustomize version
+- Kustomize v2.0.3 upgraded to v3.1.0 . We've noticed one backward incompatible change: https://github.com/kubernetes-sigs/kustomize/issues/42 . Starting v2.1.0 namespace prefix feature works with CRD ( which might cause renaming of generated resource definitions)
+- Argo CD config maps must be annotated with `app.kubernetes.io/part-of: argocd` label. Make sure to apply updated `install.yaml` manifest in addition to changing image version.
+
+
+#### Enhancements
++ Adds a floating action button with help and chat links to every page.… (#2124)
++ Enhances cookie warning with actual length to help users fix their co… (#2134)
++ Added 'SyncFail' to possible HookTypes in UI (#2147)
++ Support for Git LFS enabled repositories (#1853)
++ Server certificate and known hosts management (#1514)
++ Client HTTPS certifcates for private git repositories (#1945)
++ Badge for application status (#1435)
++ Make the health check for APIService a built in (#1841)
++ Bitbucket Server and Gogs webhook providers (#1269)
++ Jsonnet TLA arguments in ArgoCD CLI (#1626)
++ Self Healing (#1736)
++ Compact diff view (#1831)
++ Allow Helm parameters to force ambiguously-typed values to be strings (#1846)
++ Support anonymous argocd access (#1620)
++ Allow configuring google analytics tracking (#738)
++ Bash autocompletion for argocd (#1798)
++ Additional commit metadata (#1219)
++ Displays targetRevision in app dashboards. (#1239)
++ Local path syncing (#839)
++ System level `kustomize build` options (#1789)
++ Adds support for `argocd app set` for Kustomize. (#1843)
++ Allow users to create tokens for projects where they have any role. (#1977)
++ Add Refresh button to applications table and card view (#1606)
++ Adds CLI support for adding and removing groups from project roles. (#1851)
++ Support dry run and hook vs. apply strategy during sync (#798)
++ UI should remember most recent selected tab on resource info panel (#2007)
++ Adds link to the project from the app summary page. (#1911)
++ Different icon for resources which require pruning (#1159)
+
+#### Bug Fixes
+
+- Do not panic if the type is not api.Status (an error scenario) (#2105)
+- Make sure endpoint is shown as a child of service (#2060)
+- Word-wraps app info in the table and list views. (#2004)
+- Project source/destination removal should consider wildcards (#1780)
+- Repo whitelisting in UI does not support wildcards (#2000)
+- Wait for CRD creation during sync process (#1940)
+- Added a button to select out of sync items in the sync panel (#1902)
+- Proper handling of an excluded resource in an application (#1621)
+- Stop repeating logs on stoped container (#1614)
+- Fix git repo url parsing on application list view (#2174)
+- Fix nil pointer dereference error during app reconciliation (#2146)
+- Fix history api fallback implementation to support app names with dots (#2114)
+- Fixes some code issues related to Kustomize build options. (#2146)
+- Adds checks around valid paths for apps (#2133)
+- Enpoint incorrectly considered top level managed resource (#2060)
+- Allow adding certs for hostnames ending on a dot (#2116)
+
+#### Other
+* Upgrade kustomize to v3.1.0 (#2068)
+* Remove support for Kustomize 1. (#1573)
+
+#### Contributors
+
+* [alexec](https://github.com/alexec)
+* [alexmt](https://github.com/alexmt)
+* [dmizelle](https://github.com/dmizelle)
+* [lcostea](https://github.com/lcostea)
+* [jutley](https://github.com/jutley)
+* [masa213f](https://github.com/masa213f)
+* [Rayyis](https://github.com/Rayyis)
+* [simster7](https://github.com/simster7)
+* [dthomson25](https://github.com/dthomson25)
+* [jannfis](https://github.com/jannfis)
+* [naynasiddharth](https://github.com/naynasiddharth)
+* [stgarf](https://github.com/stgarf)
+
+
+## v1.1.2 (2019-07-30)
+- 'argocd app wait' should print correct sync status (#2049)
+- Check that TLS is enabled when registering DEX Handlers (#2047)
+- Do not ignore Argo hooks when there is a Helm hook. (#1952)
+
+## v1.1.1 (2019-07-25)
++ Support 'override' action in UI/API (#1984)
+- Fix argocd app wait message (#1982)
+
+## v1.1.0 (2019-07-24)
+
+### New Features
+
+#### Sync Waves
+
+Sync waves feature allows executing a sync operation in a number of steps or waves. Within each synchronization phase (pre-sync, sync, post-sync) you can have one or more waves,
+than allows you to ensure certain resources are healthy before subsequent resources are synced.
+
+#### Optimized Interaction With Git
+
+Argo CD needs to execute `git fetch` operation to access application manifests and `git ls-remote` to resolve ambiguous git revision. The `git ls-remote` is executed very frequently
+and although the operation is very lightweight it adds unnecessary load on Git server and might cause performance issues. In v1.1 release, the application reconciliation process was
+optimized which significantly reduced the number of Git requests. With v1.1 release, Argo CD should send 3x ~ 5x fewer Git requests.
+
+#### User Defined Application Metadata
+
+User-defined Application metadata enables the user to define a list of useful URLs for their specific application and expose those links on the UI
+(e.g. reference tp a CI pipeline or an application-specific management tool). These links should provide helpful shortcuts that make easier to integrate Argo CD into existing
+systems by making it easier to find other components inside and outside Argo CD.
+
+### Deprecation Notice
+
+* Kustomize v1.0 is deprecated and support will be removed in the Argo CD v1.2 release.
+
+#### Enhancements
+
+- Sync waves [#1544](https://github.com/argoproj/argo-cd/issues/1544)
+- Adds Prune=false and IgnoreExtraneous options [#1629](https://github.com/argoproj/argo-cd/issues/1629)
+- Forward Git credentials to config management plugins [#1628](https://github.com/argoproj/argo-cd/issues/1628)
+- Improve Kustomize 2 parameters UI [#1609](https://github.com/argoproj/argo-cd/issues/1609)
+- Adds `argocd logout` [#1210](https://github.com/argoproj/argo-cd/issues/1210)
+- Make it possible to set Helm release name different from Argo CD app name.  [#1066](https://github.com/argoproj/argo-cd/issues/1066)
+- Add ability to specify system namespace during cluster add operation [#1661](https://github.com/argoproj/argo-cd/pull/1661) 
+- Make listener and metrics ports configurable [#1647](https://github.com/argoproj/argo-cd/pull/1647) 
+- Using SSH keys to authenticate kustomize bases from git [#827](https://github.com/argoproj/argo-cd/issues/827)
+- Adds `argocd app sync APPNAME --async` [#1728](https://github.com/argoproj/argo-cd/issues/1728)
+- Allow users to define app specific urls to expose in the UI [#1677](https://github.com/argoproj/argo-cd/issues/1677)
+- Error view instead of blank page in UI [#1375](https://github.com/argoproj/argo-cd/issues/1375)
+- Project Editor: Whitelisted Cluster Resources doesn't strip whitespace [#1693](https://github.com/argoproj/argo-cd/issues/1693)
+- Eliminate unnecessary git interactions for top-level resource changes (#1919)
+- Ability to rotate the bearer token used to manage external clusters (#1084)
+
+#### Bug Fixes
+
+- Project Editor: Whitelisted Cluster Resources doesn't strip whitespace [#1693](https://github.com/argoproj/argo-cd/issues/1693)
+- \[ui small bug\] menu position outside block [#1711](https://github.com/argoproj/argo-cd/issues/1711)
+- UI will crash when create application without destination namespace [#1701](https://github.com/argoproj/argo-cd/issues/1701)
+- ArgoCD synchronization failed due to internal error [#1697](https://github.com/argoproj/argo-cd/issues/1697)
+- Replicasets ordering is not stable on app tree view [#1668](https://github.com/argoproj/argo-cd/issues/1668)
+- Stuck processor on App Controller after deleting application with incomplete operation [#1665](https://github.com/argoproj/argo-cd/issues/1665)
+- Role edit page fails with JS error [#1662](https://github.com/argoproj/argo-cd/issues/1662)
+- failed parsing on parameters with comma [#1660](https://github.com/argoproj/argo-cd/issues/1660)
+- Handle nil obj when processing custom actions [#1700](https://github.com/argoproj/argo-cd/pull/1700)
+- Account for missing fields in Rollout HealthStatus [#1699](https://github.com/argoproj/argo-cd/pull/1699) 
+- Sync operation unnecessary waits for a healthy state of all resources [#1715](https://github.com/argoproj/argo-cd/issues/1715)
+- failed parsing on parameters with comma [#1660](https://github.com/argoproj/argo-cd/issues/1660)
+- argocd app sync hangs when cluster is not configured (#1935)
+- Do not allow app-of-app child app's Missing status to affect parent (#1954)
+- Argo CD don't handle well k8s objects which size exceeds 1mb (#1685)
+- Secret data not redacted in last-applied-configuration (#897)
+- Running app actions requires only read privileges (#1827)
+- UI should allow editing repo URL (#1763)
+- Make status fields as optional fields (#1779)
+- Use correct healthcheck for Rollout with empty steps list (#1776)
+
+#### Other
+
+- Add Prometheus metrics for git repo interactions (#1912)
+- App controller should log additional information during app syncing (#1909)
+- Make sure api server to repo server grpc calls have timeout (#1820)
+- Forked tool processes should timeout (#1821)
+- Add health check to the controller deployment (#1785)
+
+#### Contributors
+
+* [Aditya Gupta](https://github.com/AdityaGupta1)
+* [Alex Collins](https://github.com/alexec)
+* [Alex Matyushentsev](https://github.com/alexmt)
+* [Danny Thomson](https://github.com/dthomson25)
+* [jannfis](https://github.com/jannfis)
+* [Jesse Suen](https://github.com/jessesuen)
+* [Liviu Costea](https://github.com/lcostea)
+* [narg95](https://github.com/narg95)
+* [Simon Behar](https://github.com/simster7)
+
+See also [milestone v1.1](https://github.com/argoproj/argo-cd/milestone/13)
+
+## v1.0.0 (2019-05-16)
+
+### New Features
+
+#### Network View
+
+A new way to visual application resources had been introduced to the Application Details page. The Network View visualizes connections between Ingresses, Services and Pods
+based on ingress reference service, service's label selectors and labels. The new view is useful to understand the application traffic flow and troubleshot connectivity issues.
+
+#### Custom Actions
+
+Argo CD introduces Custom Resource Actions to allow users to provide their own Lua scripts to modify existing Kubernetes resources in their applications. These actions are exposed in the UI to allow easy, safe, and reliable changes to their resources.  This functionality can be used to introduce functionality such as suspending and enabling a Kubernetes cronjob, continue a BlueGreen deployment with Argo Rollouts, or scaling a deployment. 
+
+#### UI Enhancements & Usability Enhancements
+
+* New color palette intended to highlight unhealthily and out-of-sync resources more clearly.
+* The health of more resources is displayed, so it easier to quickly zoom to unhealthy pods, replica-sets, etc.
+* Resources that do not have health no longer appear to be healthy. 
+* Support for configuring Git repo credentials at a domain/org level
+* Support for configuring requested OIDC provider scopes and enforced RBAC scopes
+* Support for configuring monitored resources whitelist in addition to excluded resources
+
+### Breaking Changes
+
+* Remove deprecated componentParameterOverrides field #1372
+
+### Changes since v0.12.2
+
+#### Enhancements
+
+* `argocd app wait` should have `--resource` flag like sync #1206
+* Adds support for `kustomize edit set image`. Closes #1275 (#1324)
+* Allow wait to return on health or suspended (#1392)
+* Application warning when a manifest is defined twice #1070
+* Create new documentation website #1390
+* Default view should resource view instead of diff view #1354
+* Display number of errors on resource tab #1477
+* Displays resources that are being deleted as "Progressing". Closes #1410 (#1426)
+* Generate random name for grpc proxy unix socket file instead of time stamp (#1455)
+* Issue #357 - Expose application nodes networking information (#1333)
+* Issue #1404 - App controller unnecessary set namespace to cluster level resources (#1405)
+* Nils health if the resource does not provide it. Closes #1383 (#1408)
+* Perform health assessments on all resource nodes in the tree. Closes #1382 (#1422)
+* Remove deprecated componentParameterOverrides field #1372
+* Shows the health of the application. Closes #1433 (#1434)
+* Surface Service/Ingress external IPs, hostname to application #908
+* Surface pod status to tree view #1358
+* Support for customizable resource actions as Lua scripts #86
+* UI / API Errors Truncated, Time Out #1386
+* UI Enhancement Proposals Quick Wins #1274
+* Update argocd-util import/export to support proper backup and restore (#1328)
+* Whitelisting repos/clusters in projects should consider repo/cluster permissions #1432
+* Adds support for configuring repo creds at a domain/org level. (#1332)
+* Implement whitelist option analogous to `resource.exclusions` (#1490)
+* Added ability to sync specific labels from the command line (#1241)
+* Improve rendering app image information (#1552)
+* Add liveness probe to repo server/api servers (#1546)
+* Support configuring requested OIDC provider scopes and enforced RBAC scopes (#1471)
+
+#### Bug Fixes
+
+- Don't compare secrets in the CLI, since argo-cd doesn't have access to their data (#1459)
+- Dropdown menu should not have sync item for unmanaged resources #1357
+- Fixes goroutine leak. Closes #1381 (#1457)
+- Improve input style #1217
+- Issue #908 - Surface Service/Ingress external IPs, hostname to application (#1347)
+- kustomization fields are all mandatory #1504
+- Resource node details is crashing if live resource is missing $1505
+- Rollback UI is not showing correct ksonnet parameters in preview #1326
+- See details of applications fails with "r.nodes is undefined" #1371
+- UI fails to load custom actions is resource is not deployed #1502
+- Unable to create app from private repo: x509: certificate signed by unknown authority (#1171)
+- Fix hardcoded 'git' user in `util/git.NewClient` (#1555)
+- Application controller becomes unresponsive (#1476)
+- Load target resource using K8S if conversion fails (#1414)
+- Can't ignore a non-existent pointer anymore (#1586)
+- Impossible to sync to HEAD from UI if auto-sync is enabled (#1579)
+- Application controller is unable to delete self-referenced app (#1570)
+- Prevent reconciliation loop for self-managed apps (#1533)
+- Controller incorrectly report health state of self managed application (#1557)
+- Fix kustomize manifest generation crash is manifest has image without version (#1540)
+- Supply resourceVersion to watch request to prevent reading of stale cache (#1605)
+
+## v0.12.2 (2019-04-22)
+
+### Changes since v0.12.1
+
+- Fix racing condition in controller cache (#1498)
+- "bind: address already in use" after switching to gRPC-Web (#1451)
+- Annoying warning while using --grpc-web flag (#1420)
+- Delete helm temp directories (#1446)
+- Fix null pointer exception in secret normalization function (#1389)
+- Argo CD should not delete CRDs(#1425)
+- UI is unable to load cluster level resource manifest (#1429)
+
+## v0.12.1 (2019-04-09)
+
+### Changes since v0.12.0
+
+- [UI] applications view blows up when user does not have  permissions (#1368)
+- Add k8s objects circular dependency protection to getApp method (#1374)
+- App controller unnecessary set namespace to cluster level resources (#1404)
+- Changing SSO login URL to be a relative link so it's affected by basehref (#101) (@arnarg)
+- CLI diff should take into account resource customizations (#1294)
+- Don't try deleting application resource if it already has `deletionTimestamp` (#1406)
+- Fix invalid group filtering in 'patch-resource' command (#1319)
+- Fix null pointer dereference error in 'argocd app wait' (#1366)
+- kubectl v1.13 fails to convert extensions/NetworkPolicy (#1012)
+- Patch APIs are not audited (#1397)
+
++ 'argocd app wait' should fail sooner if app transitioned to Degraded state (#733)
++ Add mapping to new canonical Ingress API group - kubernetes 1.14 support (#1348) (@twz123)
++ Adds support for `kustomize edit set image`. (#1275)
++ Allow using any name for secrets which store cluster credentials (#1218)
++ Update argocd-util import/export to support proper backup and restore (#1048)
+
+## v0.12.0 (2019-03-20)
+
+### New Features
+
+#### Improved UI
+
+Many improvements to the UI were made, including:
+
+* Table view when viewing applications
+* Filters on applications
+* Table view when viewing application resources
+* YAML editor in UI
+* Switch to text-based diff instead of json diff
+* Ability to edit application specs
+
+#### Custom Health Assessments (CRD Health)
+
+Argo CD has long been able to perform health assessments on resources, however this could only
+assess the health for a few native kubernetes types (deployments, statefulsets, daemonsets, etc...).
+Now, Argo CD can be extended to gain understanding of any CRD health, in the form of Lua scripts.
+For example, using this feature, Argo CD now understands the CertManager Certificate CRD and will
+report a Degraded status when there are issues with the cert.
+
+#### Configuration Management Plugins
+
+Argo CD introduces Config Management Plugins to support custom configuration management tools other
+than the set that Argo CD provides out-of-the-box (Helm, Kustomize, Ksonnet, Jsonnet). Using config
+management plugins, Argo CD can be configured to run specified commands to render manifests. This
+makes it possible for Argo CD to support other config management tools (kubecfg, kapitan, shell
+scripts, etc...).
+
+#### High Availability
+
+Argo CD is now fully HA. A set HA of manifests are provided for users who wish to run Argo CD in
+a highly available manner. NOTE: The HA installation will require at least three different nodes due
+to pod anti-affinity roles in the specs.
+
+#### Improved Application Source
+
+* Support for Kustomize 2
+* YAML/JSON/Jsonnet Directories can now be recursed
+* Support for Jsonnet external variables and top-level arguments
+
+#### Additional Prometheus Metrics
+
+Argo CD provides the following additional prometheus metrics:
+* Sync counter to track sync activity and results over time
+* Application reconciliation (refresh) performance to track Argo CD performance and controller activity
+* Argo CD API Server metrics for monitoring HTTP/gRPC requests
+
+#### Fuzzy Diff Logic
+
+Argo CD can now be configured to ignore known differences for resource types by specifying a json
+pointer to the field path to ignore. This helps prevent OutOfSync conditions when a user has no
+control over the manifests. Ignored differences can be configured either at an application level, 
+or a system level, based on a group/kind.
+
+#### Resource Exclusions
+
+Argo CD can now be configured to completely ignore entire classes of resources group/kinds.
+Excluding high-volume resources improves performance and memory usage, and reduces load and
+bandwidth to the Kubernetes API server. It also allows users to fine-tune the permissions that
+Argo CD needs to a cluster by preventing Argo CD from attempting to watch resources of that
+group/kind.
+
+#### gRPC-Web Support
+
+The argocd CLI can be now configured to communicate to the Argo CD API server using gRPC-Web
+(HTTP1.1) using a new CLI flag `--grpc-web`. This resolves some compatibility issues users were
+experiencing with ingresses and gRPC (HTTP2), and should enable argocd CLI to work with virtually
+any load balancer, ingress controller, or API gateway.
+
+#### CLI features
+
+Argo CD introduces some additional CLI commands:
+
+* `argocd app edit APPNAME` - to edit an application spec using preferred EDITOR
+* `argocd proj edit PROJNAME` - to edit an project spec using preferred EDITOR
+* `argocd app patch APPNAME` - to patch an application spec
+* `argocd app patch-resource APPNAME` - to patch a specific resource which is part of an application
+
+
+### Breaking Changes
+
+#### Label selector changes, dex-server rename
+
+The label selectors for deployments were been renamed to use kubernetes common labels
+(`app.kuberentes.io/name=NAME` instead of `app=NAME`). Since K8s deployment label selectors are
+immutable, during an upgrade from v0.11 to v0.12, the old deployments should be deleted using
+`--cascade=false` which allows the new deployments to be created without introducing downtime.
+Once the new deployments are ready, the older replicasets can be deleted. Use the following
+instructions to upgrade from v0.11 to v0.12 without introducing downtime:
+
+```
+# delete the deployments with cascade=false. this orphan the replicasets, but leaves the pods running
+kubectl delete deploy --cascade=false argocd-server argocd-repo-server argocd-application-controller
+
+# apply the new manifests and wait for them to finish rolling out
+kubectl apply <new install manifests>
+kubectl rollout status deploy/argocd-application-controller
+kubectl rollout status deploy/argocd-repo-server
+kubectl rollout status deploy/argocd-application-controller
+
+# delete old replicasets which are using the legacy label
+kubectl delete rs -l app=argocd-server
+kubectl delete rs -l app=argocd-repo-server
+kubectl delete rs -l app=argocd-application-controller
+
+# delete the legacy dex-server which was renamed
+kubectl delete deploy dex-server
+```
+
+#### Deprecation of spec.source.componentParameterOverrides
+
+For declarative application specs, the `spec.source.componentParameterOverrides` field is now
+deprecated in favor of application source specific config. They are replaced with new fields
+specific to their respective config management. For example, a Helm application spec using the
+legacy field:
+
+```yaml
+spec:
+  source:
+    componentParameterOverrides:
+    - name: image.tag
+      value: v1.2
+```
+
+should move to:
+
+```yaml
+spec:
+  source:
+    helm:
+      parameters:
+      - name: image.tag
+        value: v1.2
+```
+
+Argo CD will automatically duplicate the legacy field values to the new locations (and vice versa)
+as part of automatic migration. The legacy `spec.source.componentParameterOverrides` field will be
+kept around for the v0.12 release (for migration purposes) and will be removed in the next Argo CD
+release.
+
+#### Removal of spec.source.environment and spec.source.valuesFiles
+
+The `spec.source.environment` and `spec.source.valuesFiles` fields, which were deprecated in v0.11,
+are now completely removed from the Application spec.
+
+
+#### API/CLI compatibility
+
+Due to API spec changes related to the deprecation of componentParameterOverrides, Argo CD v0.12
+has a minimum client version of v0.12.0. Older CLI clients will be rejected.
+
+
+### Changes since v0.11:
++ Improved UI
++ Custom Health Assessments (CRD Health)
++ Configuration Management Plugins
++ High Availability
++ Fuzzy Diff Logic
++ Resource Exclusions
++ gRPC-Web Support
++ CLI features
++ Additional prometheus metrics
++ Sample Grafana dashboard (#1277) (@hartman17)
++ Support for Kustomize 2
++ YAML/JSON/Jsonnet Directories can now be recursed
++ Support for Jsonnet external variables and top-level arguments
++ Optimized reconciliation performance for applications with very active resources (#1267)
++ Support a separate OAuth2 CLI clientID different from server (#1307)
++ argocd diff: only print to stdout, if there is a diff + exit code (#1288) (@marcb1)
++ Detection and handling of duplicated resource definitions (#1284)
++ Support kustomize apps with remote bases in private repos in the same host (#1264)
++ Support patching resource using REST API (#1186)
+* Deprecate componentParameterOverrides in favor of source specific config (#1207)
+* Support talking to Dex using local cluster address instead of public address (#1211)
+* Use Recreate deployment strategy for controller (#1315)
+* Honor os environment variables for helm commands (#1306) (@1337andre)
+* Disable CGO_ENABLED for server/controller binaries (#1286)
+* Documentation fixes and improvements (@twz123, @yann-soubeyrand, @OmerKahani, @dulltz)
+- Fix CRD creation/deletion handling (#1249)
+- Git cloning via SSH was not verifying host public key (#1276)
+- Fixed multiple goroutine leaks in controller and api-server
+- Fix isssue where `argocd app set -p` required repo privileges. (#1280)
+- Fix local diff of non-namespaced resources. Also handle duplicates in local diff (#1289)
+- Deprecated resource kinds from 'extensions' groups are not reconciled correctly (#1232)
+- Fix issue where CLI would panic after timeout when cli did not have get permissions (#1209)
+- invalidate repo cache on delete (#1182) (@narg95)
+
+## v0.11.2 (2019-02-19)
++ Adds client retry. Fixes #959 (#1119)
+- Prevent deletion hotloop (#1115)
+- Fix EncodeX509KeyPair function so it takes in account chained certificates (#1137) (@amarruedo)
+- Exclude metrics.k8s.io from watch (#1128)
+- Fix issue where dex restart could cause login failures (#1114)
+- Relax ingress/service health check to accept non-empty ingress list (#1053)
+- [UI] Correctly handle empty response from repository/<repo>/apps API
+
+## v0.11.1 (2019-01-18)
++ Allow using redis as a cache in repo-server (#1020)
+- Fix controller deadlock when checking for stale cache (#1044)
+- Namespaces are not being sorted during apply (#1038)
+- Controller cache was susceptible to clock skew in managed cluster
+- Fix ability to unset ApplicationSource specific parameters
+- Fix force resource delete API (#1033)
+- Incorrect PermissionDenied error during app creation when using project roles + user-defined RBAC (#1019)
+- Fix `kubctl convert` issue preventing deployment of extensions/NetworkPolicy (#1012)
+- Do not allow metadata.creationTimestamp to affect sync status (#1021)
+- Graceful handling of clusters where API resource discovery is partially successful (#1018)
+- Handle k8s resources circular dependency (#1016)
+- Fix `app diff --local` command (#1008)
+
+## v0.11.0 (2019-01-10)
+This is Argo CD's biggest release ever and introduces a completely redesigned controller architecture.
+
+### New Features
+
+#### Performance & Scalability
+The application controller has a completely redesigned architecture which improved performance and
+scalability during application reconciliation.
+
+This was achieved by introducing an in-memory, live state cache of lightweight Kubernetes object 
+metadata. During reconciliation, the controller no longer performs expensive, in-line queries of app
+related resources in K8s API server, instead relying on the metadata available in the live state 
+cache. This dramatically improves performance and responsiveness, and is less burdensome to the K8s
+API server.
+
+#### Object relationship visualization for CRDs
+With the new controller design, Argo CD is now able to understand ownership relationship between
+*all* Kubernetes objects, not just the built-in types. This enables Argo CD to visualize
+parent/child relationships between all kubernetes objects, including CRDs.
+
+#### Multi-namespaced applications
+During sync, Argo CD will now honor any explicitly set namespace in a manifest. Manifests without a
+namespace will continue deploy to the "preferred" namespace, as specified in app's
+`spec.destination.namespace`. This enables support for a class of applications which install to
+multiple namespaces. For example, Argo CD can now install the
+[prometheus-operator](https://github.com/helm/charts/tree/master/stable/prometheus-operator)
+helm chart, which deploys some resources into `kube-system`, and others into the
+`prometheus-operator` namespace.
+
+#### Large application support
+Full resource objects are no longer stored in the Application CRD object status. Instead, only
+lightweight metadata is stored in the status, such as a resource's sync and health status.
+This change enabled Argo CD to support applications with a very large number of resources 
+(e.g. istio), and reduces the bandwidth requirements when listing applications in the UI.
+
+#### Resource lifecycle hook improvements
+Resource lifecycle hooks (e.g. PreSync, PostSync) are now visible/manageable from the UI.
+Additionally, bare Pods with a restart policy of Never can now be used as a resource hook, as an
+alternative to Jobs, Workflows.
+
+#### K8s recommended application labels
+The tracking label for resources has been changed to use `app.kubernetes.io/instance`, as
+recommended in [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/),
+(changed from `applications.argoproj.io/app-name`). This will enable applications managed by Argo CD
+to interoperate with other tooling which are also converging on this labeling, such as the
+Kubernetes dashboard. Additionally, Argo CD no longer injects any tracking labels at the
+`spec.template.metadata` level.
+
+#### External OIDC provider support
+Argo CD now supports auth delegation to an existing, external OIDC providers without the need for
+running Dex (e.g. Okta, OneLogin, Auth0, Microsoft, etc...)
+
+The optional, [Dex IDP OIDC provider](https://github.com/dexidp/dex) is still bundled as part of the
+default installation, in order to provide a seamless out-of-box experience, enabling Argo CD to
+integrate with non-OIDC providers, and to benefit from Dex's full range of
+[connectors](https://github.com/dexidp/dex/tree/master/Documentation/connectors).
+
+#### OIDC group bindings to Project Roles
+OIDC group claims from an OAuth2 provider can now be bound to a Argo CD project roles. Previously,
+group claims could only be managed in the centralized ConfigMap, `argocd-rbac-cm`. They can now be
+managed at a project level. This enables project admins to self service access to applications
+within a project.
+
+#### Declarative Argo CD configuration
+Argo CD settings can be now be configured either declaratively, or imperatively. The `argocd-cm`
+ConfigMap now has a `repositories` field, which can reference credentials in a normal Kubernetes
+secret which you can create declaratively, outside of Argo CD.
+
+#### Helm repository support
+Helm repositories can be configured at the system level, enabling the deployment of helm charts
+which have a dependency to external helm repositories.
+
+### Breaking changes:
+
+* Argo CD's resource names were renamed for consistency. For example, the application-controller
+  deployment was renamed to argocd-application-controller. When upgrading from v0.10 to v0.11,
+  the older resources should be pruned to avoid inconsistent state and controller in-fighting.
+
+* As a consequence to moving to recommended kubernetes labels, when upgrading from v0.10 to v0.11,
+  all applications will immediately be OutOfSync due to the change in tracking labels. This will
+  correct itself with another sync of the application. However, since Pods will be recreated, please
+  take this into consideration, especially if your applications are configured with auto-sync.
+
+* There was significant reworking of the `app.status` fields to reduce the payload size, simplify
+  the datastructure and remove fields which were no longer used by the controller. No breaking
+  changes were made in `app.spec`.
+
+* An older Argo CD CLI (v0.10 and below) will not be compatible with Argo CD v0.11. To keep
+  CI pipelines in sync with the API server, it is recommended to have pipelines download the CLI
+  directly from the API server https://${ARGOCD_SERVER}/download/argocd-linux-amd64 during the CI
+  pipeline.
+
+### Changes since v0.10:
+* Improve Application state reconciliation performance (#806)
+* Refactor, consolidate and rename resource type data structures
++ Declarative setup and configuration of ArgoCD (#536)
++ Declaratively add helm repositories (#747)
++ Switch to k8s recommended app.kubernetes.io/instance label (#857)
++ Ability for a single application to deploy into multiple namespaces (#696)
++ Self service group access to project applications (#742)
++ Support for Pods as a sync hook (#801)
++ Support 'crd-install' helm hook (#355)
++ Use external 'diff' utility to render actual vs target state difference
++ Show sync policy in app list view
+* Remove resources state from application CRD (#758)
+* API server & UI should serve argocd binaries instead of linking to GitHub (#716)
+* Update versions for kubectl (v1.13.1), helm (v2.12.1), ksonnet (v0.13.1)
+* Update version of aws-iam-authenticator (0.4.0-alpha.1)
+* Ability to force refresh of application manifests from git
+* Improve diff assessment for Secrets, ClusterRoles, Roles
+- Failed to deploy helm chart with local dependencies and no internet access (#786)
+- Out of sync reported if Secrets with stringData are used (#763)
+- Unable to delete application in K8s v1.12 (#718)
+
+## v0.10.6 (2018-11-14)
+- Fix issue preventing in-cluster app sync due to go-client changes (issue #774)
+
+## v0.10.5 (2018-11-13)
++ Increase concurrency of application controller
+* Update dependencies to k8s v1.12 and client-go v9.0 (#729)
+- add argo cluster permission to view logs (#766) (@conorfennell)
+- Fix issue where applications could not be deleted on k8s v1.12
+- Allow 'syncApplication' action to reference target revision rather then hard-coding to 'HEAD' (#69) (@chrisgarland)
+- Issue #768 - Fix application wizard crash
+
+## v0.10.4 (2018-11-07)
+* Upgrade to Helm v0.11.0 (@amarrella)
+- Health check is not discerning apiVersion when assessing CRDs (issue #753)
+- Fix nil pointer dereference in util/health (@mduarte)
+
+## v0.10.3 (2018-10-28)
+* Fix applying TLS version settings
+* Update to kustomize 1.0.10 (@twz123)
+
+## v0.10.2 (2018-10-25)
+* Update to kustomize 1.0.9 (@twz123)
+- Fix app refresh err when k8s patch is too slow
+
+## v0.10.1 (2018-10-24)
+
+- Handle case where OIDC settings become invalid after dex server restart (issue #710)
+- git clean also needs to clean files under gitignore (issue #711)
+
+## v0.10.0 (2018-10-19)
 
 ### Changes since v0.9:
 
@@ -69,7 +755,7 @@ The above command allows the `default` project to deploy any cluster-scoped reso
 the behavior of v0.8.
 
 * The secret keys in the argocd-secret containing the TLS certificate and key, has been renamed from
-  `server.crt` and `server.key` to the standard `tls.crt` and `tls.key` keys. This enables ArgoCD
+  `server.crt` and `server.key` to the standard `tls.crt` and `tls.key` keys. This enables Argo CD
   to integrate better with Ingress and cert-manager. When upgrading to v0.9, the `server.crt` and
   `server.key` keys in argocd-secret should be renamed to the new keys.
 
@@ -80,8 +766,8 @@ the behavior of v0.8.
 + Redact K8s secrets from API server payloads (issue #470)
 + Support --in-cluster authentication without providing a kubeconfig (issue #527)
 + Special handling of CustomResourceDefinitions (issue #613)
-+ ArgoCD should download helm chart dependencies (issue #582)
-+ Export ArgoCD stats as prometheus style metrics (issue #513)
++ Argo CD should download helm chart dependencies (issue #582)
++ Export Argo CD stats as prometheus style metrics (issue #513)
 + Support restricting TLS version (issue #609)
 + Use 'kubectl auth reconcile' before 'kubectl apply' (issue #523)
 + Projects need controls on cluster-scoped resources (issue #330)
@@ -102,7 +788,7 @@ the behavior of v0.8.
 - Fix issue where changes were not pulled when tracking a branch (issue #567)
 - Lazy enforcement of unknown cluster/namespace restricted resources (issue #599)
 - Fix controller hot loop when app source contains bad manifests (issue #568)
-- Fix issue where ArgoCD fails to deploy when resources are in a K8s list format (issue #584)
+- Fix issue where Argo CD fails to deploy when resources are in a K8s list format (issue #584)
 - Fix comparison failure when app contains unregistered custom resource (issue #583)
 - Fix issue where helm hooks were being deployed as part of sync (issue #605)
 - Fix race conditions in kube.GetResourcesWithLabel and DeleteResourceWithLabel (issue #587)
@@ -111,7 +797,7 @@ the behavior of v0.8.
 - Helm hooks are being deployed as resources (issue #605)
 - Disagreement in three way diff calculation (issue #597)
 - SIGSEGV in kube.GetResourcesWithLabel (issue #587)
-- ArgoCD fails to deploy resources list (issue #584)
+- Argo CD fails to deploy resources list (issue #584)
 - Branch tracking not working properly (issue #567)
 - Controller hot loop when application source has bad manifests (issue #568)
 
@@ -233,7 +919,7 @@ RBAC policy rules, need to be rewritten to include one extra column with the eff
 ## v0.5.0 (2018-06-12)
 + RBAC access control
 + Repository/Cluster state monitoring
-+ ArgoCD settings import/export
++ Argo CD settings import/export
 + Application creation UI wizard
 + argocd app manifests for printing the application manifests
 + argocd app unset command to unset parameter overrides

CONTRIBUTING.md

@@ -1,77 +0,0 @@
-## Requirements
-Make sure you have following tools installed
-* [docker](https://docs.docker.com/install/#supported-platforms)
-* [golang](https://golang.org/)
-* [dep](https://github.com/golang/dep)
-* [protobuf](https://developers.google.com/protocol-buffers/)
-* [ksonnet](https://github.com/ksonnet/ksonnet#install)
-* [helm](https://github.com/helm/helm/releases)
-* [kustomize](https://github.com/kubernetes-sigs/kustomize/releases)
-* [go-swagger](https://github.com/go-swagger/go-swagger/blob/master/docs/install.md)
-* [jq](https://stedolan.github.io/jq/)
-* [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
-
-```
-$ brew tap go-swagger/go-swagger
-$ brew install go dep protobuf kubectl ksonnet/tap/ks kubernetes-helm jq go-swagger
-$ go get -u github.com/golang/protobuf/protoc-gen-go
-$ go get -u github.com/go-swagger/go-swagger/cmd/swagger
-$ go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
-$ go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger
-```
-
-Nice to have [gometalinter](https://github.com/alecthomas/gometalinter) and [goreman](https://github.com/mattn/goreman):
-
-```
-$ go get -u gopkg.in/alecthomas/gometalinter.v2 github.com/mattn/goreman && gometalinter.v2 --install
-```
-
-## Building
-
-```
-$ go get -u github.com/argoproj/argo-cd
-$ dep ensure
-$ make
-```
-NOTE: The make command can take a while, and we recommend building the specific component you are working on
-* `make cli` - Make the argocd CLI tool
-* `make server` - Make the API/repo/controller server
-* `make codegen` - Builds protobuf and swagger files
-* `make argocd-util` - Make the administrator's utility, used for certain tasks such as import/export
-
-## Generating ArgoCD manifests for a specific image repository/tag
-
-During development, the `update-manifests.sh` script, can be used to conveniently regenerate the
-ArgoCD installation manifests with a customized image namespace and tag. This enables developers
-to easily apply manifests which are using the images that they pushed into their personal container
-repository.
-
-```
-$ IMAGE_NAMESPACE=jessesuen IMAGE_TAG=latest ./hack/update-manifests.sh
-$ kubectl apply -n argocd -f ./manifests/install.yaml
-```
-
-## Running locally
-
-You need to have access to kubernetes cluster (including [minikube](https://kubernetes.io/docs/tasks/tools/install-minikube/) or [docker edge](https://docs.docker.com/docker-for-mac/install/) ) in order to run Argo CD on your laptop:
-
-* install kubectl: `brew install kubectl`
-* make sure `kubectl` is connected to your cluster (e.g. `kubectl get pods` should work).
-* install application CRD using following command:
-
-```
-$ kubectl create -f install/manifests/01_application-crd.yaml
-```
-
-* start Argo CD services using [goreman](https://github.com/mattn/goreman):
-
-```
-$ goreman start
-```
-
-## Troubleshooting
-* Ensure argocd is installed: ./dist/argocd install
-* Ensure you're logged in: ./dist/argocd login --username admin --password <whatever password you set at install> localhost:8080
-* Ensure that roles are configured: kubectl create -f install/manifests/02c_argocd-rbac-cm.yaml
-* Ensure minikube is running: minikube stop && minikube start
-* Ensure Argo CD is aware of minikube: ./dist/argocd cluster add minikube

Dockerfile

@@ -1,12 +1,19 @@
+ARG BASE_IMAGE=debian:10-slim
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM golang:1.10.3 as builder
+FROM golang:1.12.6 as builder
+
+RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
 RUN apt-get update && apt-get install -y \
+    openssh-server \
+    nginx \
+    fcgiwrap \
     git \
+    git-lfs \
     make \
     wget \
     gcc \
@@ -16,64 +23,80 @@ RUN apt-get update && apt-get install -y \
 
 WORKDIR /tmp
 
-# Install docker
-ENV DOCKER_VERSION=18.06.0
-RUN curl -O https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}-ce.tgz && \
-  tar -xzf docker-${DOCKER_VERSION}-ce.tgz && \
-  mv docker/docker /usr/local/bin/docker && \
-  rm -rf ./docker
-
-# Install dep
-ENV DEP_VERSION=0.5.0
-RUN wget https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 -O /usr/local/bin/dep && \
-    chmod +x /usr/local/bin/dep
-
-# Install gometalinter
-RUN curl -sLo- https://github.com/alecthomas/gometalinter/releases/download/v2.0.5/gometalinter-2.0.5-linux-amd64.tar.gz | \
-    tar -xzC "$GOPATH/bin" --exclude COPYING --exclude README.md --strip-components 1 -f- && \
-    ln -s $GOPATH/bin/gometalinter $GOPATH/bin/gometalinter.v2
-
-# Install packr
-ENV PACKR_VERSION=1.13.2
-RUN wget https://github.com/gobuffalo/packr/releases/download/v${PACKR_VERSION}/packr_${PACKR_VERSION}_linux_amd64.tar.gz && \
-    tar -vxf packr*.tar.gz -C /tmp/ && \
-    mv /tmp/packr /usr/local/bin/packr
-
-# Install kubectl
-RUN curl -L -o /usr/local/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl && \
-    chmod +x /usr/local/bin/kubectl
-
-# Install ksonnet
-# NOTE: we frequently switch between tip of master ksonnet vs. official builds. Comment/uncomment
-# the corresponding section to switch between the two options:
-# Option 1: build ksonnet ourselves
-#RUN go get -v -u github.com/ksonnet/ksonnet && mv ${GOPATH}/bin/ksonnet /usr/local/bin/ks
-# Option 2: use official tagged ksonnet release
-ENV KSONNET_VERSION=0.13.0
-RUN wget https://github.com/ksonnet/ksonnet/releases/download/v${KSONNET_VERSION}/ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
-    tar -C /tmp/ -xf ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
-    mv /tmp/ks_${KSONNET_VERSION}_linux_amd64/ks /usr/local/bin/ks
-
-# Install helm
-ENV HELM_VERSION=2.9.1
-RUN wget https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
-    tar -C /tmp/ -xf helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
-    mv /tmp/linux-amd64/helm /usr/local/bin/helm
-
-# Install kustomize
-ENV KUSTOMIZE_VERSION=1.0.8
-RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/kustomize
-
-ENV AWS_IAM_AUTHENTICATOR_VERSION=0.3.0
-RUN curl -L -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.3.0/heptio-authenticator-aws_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/aws-iam-authenticator
+ADD hack/install.sh .
+ADD hack/installers installers
 
+RUN ./install.sh dep-linux
+RUN ./install.sh packr-linux
+RUN ./install.sh kubectl-linux
+RUN ./install.sh ksonnet-linux
+RUN ./install.sh helm-linux
+RUN ./install.sh kustomize-linux
+RUN ./install.sh aws-iam-authenticator-linux
 
 ####################################################################################################
-# ArgoCD Build stage which performs the actual build of ArgoCD binaries
+# Argo CD Base - used as the base for both the release and dev argocd images
 ####################################################################################################
-FROM golang:1.10.3 as argocd-build
+FROM $BASE_IMAGE as argocd-base
+
+USER root
+
+RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
+
+RUN groupadd -g 999 argocd && \
+    useradd -r -u 999 -g argocd argocd && \
+    mkdir -p /home/argocd && \
+    chown argocd:0 /home/argocd && \
+    chmod g=u /home/argocd && \
+    chmod g=u /etc/passwd && \
+    apt-get update && \
+    apt-get install -y git git-lfs && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY hack/git-ask-pass.sh /usr/local/bin/git-ask-pass.sh
+COPY --from=builder /usr/local/bin/ks /usr/local/bin/ks
+COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
+COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/kubectl
+COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
+COPY --from=builder /usr/local/bin/aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
+# script to add current (possibly arbitrary) user to /etc/passwd at runtime
+# (if it's not already there, to be openshift friendly)
+COPY uid_entrypoint.sh /usr/local/bin/uid_entrypoint.sh
+
+# support for mounting configuration from a configmap
+RUN mkdir -p /app/config/ssh && \
+    touch /app/config/ssh/ssh_known_hosts && \
+    ln -s /app/config/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts 
+
+RUN mkdir -p /app/config/tls
+
+# workaround ksonnet issue https://github.com/ksonnet/ksonnet/issues/298
+ENV USER=argocd
+
+USER argocd
+WORKDIR /home/argocd
+
+####################################################################################################
+# Argo CD UI stage
+####################################################################################################
+FROM node:11.15.0 as argocd-ui
+
+WORKDIR /src
+ADD ["ui/package.json", "ui/yarn.lock", "./"]
+
+RUN yarn install
+
+ADD ["ui/", "."]
+
+ARG ARGO_VERSION=latest
+ENV ARGO_VERSION=$ARGO_VERSION
+RUN NODE_ENV='production' yarn build
+
+####################################################################################################
+# Argo CD Build stage which performs the actual build of Argo CD binaries
+####################################################################################################
+FROM golang:1.12.6 as argocd-build
 
 COPY --from=builder /usr/local/bin/dep /usr/local/bin/dep
 COPY --from=builder /usr/local/bin/packr /usr/local/bin/packr
@@ -91,46 +114,14 @@ RUN cd ${GOPATH}/src/dummy && \
 # Perform the build
 WORKDIR /go/src/github.com/argoproj/argo-cd
 COPY . .
-ARG MAKE_TARGET="cli server controller repo-server argocd-util"
-RUN make ${MAKE_TARGET}
+RUN make cli server controller repo-server argocd-util && \
+    make CLI_NAME=argocd-darwin-amd64 GOOS=darwin cli
 
 
 ####################################################################################################
 # Final image
 ####################################################################################################
-FROM debian:9.5-slim
+FROM argocd-base
+COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/local/bin/
+COPY --from=argocd-ui ./src/dist/app /shared/app
 
-RUN groupadd -g 999 argocd && \
-    useradd -r -u 999 -g argocd argocd && \
-    mkdir -p /home/argocd && \
-    chown argocd:argocd /home/argocd && \
-    apt-get update && \
-    apt-get install -y git && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-COPY --from=builder /usr/local/bin/ks /usr/local/bin/ks
-COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
-COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/kubectl
-COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
-COPY --from=builder /usr/local/bin/aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
-
-# workaround ksonnet issue https://github.com/ksonnet/ksonnet/issues/298
-ENV USER=argocd
-
-COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/* /usr/local/bin/
-
-# Symlink argocd binaries under root for backwards compatibility that expect it under /
-RUN ln -s /usr/local/bin/argocd /argocd && \
-    ln -s /usr/local/bin/argocd-server /argocd-server && \
-    ln -s /usr/local/bin/argocd-util /argocd-util && \
-    ln -s /usr/local/bin/argocd-application-controller /argocd-application-controller && \
-    ln -s /usr/local/bin/argocd-repo-server /argocd-repo-server
-
-USER argocd
-
-RUN helm init --client-only
-
-WORKDIR /home/argocd
-ARG BINARY
-CMD ${BINARY}

Dockerfile.dev

@@ -0,0 +1,6 @@
+####################################################################################################
+# argocd-dev
+####################################################################################################
+FROM argocd-base
+COPY argocd* /usr/local/bin/
+COPY --from=argocd-ui ./src/dist/app /shared/app

Gopkg.toml

@@ -7,6 +7,7 @@ required = [
   "github.com/gogo/protobuf/protoc-gen-gofast",
   "github.com/gogo/protobuf/protoc-gen-gogofast",
   "k8s.io/code-generator/cmd/go-to-protobuf",
+  "k8s.io/kube-openapi/cmd/openapi-gen",
   "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway",
   "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger",
   "golang.org/x/sync/errgroup",
@@ -34,20 +35,24 @@ required = [
   name = "github.com/prometheus/client_golang"
   revision = "7858729281ec582767b20e0d696b6041d995d5e0"
 
-[[constraint]]
-  branch = "release-1.10"
+[[override]]
+  branch = "release-1.14"
   name = "k8s.io/api"
 
-[[constraint]]
-  name = "k8s.io/apiextensions-apiserver"
-  branch = "release-1.10"
+[[override]]
+  branch = "release-1.14"
+  name = "k8s.io/kubernetes"
 
-[[constraint]]
-  branch = "release-1.10"
+[[override]]
+  branch = "release-1.14"
   name = "k8s.io/code-generator"
 
-[[constraint]]
-  branch = "release-7.0"
+[[override]]
+  branch = "release-1.14"
+  name = "k8s.io/apimachinery"
+
+[[override]]
+  branch = "release-11.0"
   name = "k8s.io/client-go"
 
 [[constraint]]
@@ -61,3 +66,17 @@ required = [
 [[constraint]]
   branch = "master"
   name = "github.com/argoproj/pkg"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/yudai/gojsondiff"
+
+[[constraint]]
+  name = "github.com/spf13/cobra"
+  revision = "fe5e611709b0c57fa4a89136deaa8e1d4004d053"
+
+# TODO: move off of k8s.io/kube-openapi and use controller-tools for CRD spec generation
+# (override argoproj/argo contraint on master)
+[[override]]
+  revision = "411b2483e5034420675ebcdd4a55fc76fe5e55cf"
+  name = "k8s.io/kube-openapi"

Makefile

@@ -1,4 +1,4 @@
-PACKAGE=github.com/argoproj/argo-cd
+PACKAGE=github.com/argoproj/argo-cd/common
 CURRENT_DIR=$(shell pwd)
 DIST_DIR=${CURRENT_DIR}/dist
 CLI_NAME=argocd
@@ -9,6 +9,21 @@ GIT_COMMIT=$(shell git rev-parse HEAD)
 GIT_TAG=$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)
 GIT_TREE_STATE=$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
 PACKR_CMD=$(shell if [ "`which packr`" ]; then echo "packr"; else echo "go run vendor/github.com/gobuffalo/packr/packr/main.go"; fi)
+VOLUME_MOUNT=$(shell [[ $(go env GOOS)=="darwin" ]] && echo ":delegated" || echo "")
+
+define run-in-dev-tool
+    docker run --rm -it -u $(shell id -u) -e HOME=/home/user -v ${CURRENT_DIR}:/go/src/github.com/argoproj/argo-cd${VOLUME_MOUNT} -w /go/src/github.com/argoproj/argo-cd argocd-dev-tools bash -c "GOPATH=/go $(1)"
+endef
+
+PATH:=$(PATH):$(PWD)/hack
+
+# docker image publishing options
+DOCKER_PUSH?=false
+IMAGE_NAMESPACE?=
+# perform static compilation
+STATIC_BUILD?=true
+# build development images
+DEV_IMAGE?=false
 
 override LDFLAGS += \
   -X ${PACKAGE}.version=${VERSION} \
@@ -16,19 +31,14 @@ override LDFLAGS += \
   -X ${PACKAGE}.gitCommit=${GIT_COMMIT} \
   -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}
 
-# docker image publishing options
-DOCKER_PUSH=false
-IMAGE_TAG=latest
+ifeq (${STATIC_BUILD}, true)
+override LDFLAGS += -extldflags "-static"
+endif
+
 ifneq (${GIT_TAG},)
 IMAGE_TAG=${GIT_TAG}
 LDFLAGS += -X ${PACKAGE}.gitTag=${GIT_TAG}
 endif
-ifneq (${IMAGE_NAMESPACE},)
-override LDFLAGS += -X ${PACKAGE}/install.imageNamespace=${IMAGE_NAMESPACE}
-endif
-ifneq (${IMAGE_TAG},)
-override LDFLAGS += -X ${PACKAGE}/install.imageTag=${IMAGE_TAG}
-endif
 
 ifeq (${DOCKER_PUSH},true)
 ifndef IMAGE_NAMESPACE
@@ -41,99 +51,145 @@ IMAGE_PREFIX=${IMAGE_NAMESPACE}/
 endif
 
 .PHONY: all
-all: cli server-image controller-image repo-server-image argocd-util
+all: cli image argocd-util
 
 .PHONY: protogen
 protogen:
 	./hack/generate-proto.sh
 
+.PHONY: openapigen
+openapigen:
+	./hack/update-openapi.sh
+
 .PHONY: clientgen
 clientgen:
 	./hack/update-codegen.sh
 
-.PHONY: codegen
-codegen: protogen clientgen
+.PHONY: codegen-local
+codegen-local: protogen clientgen openapigen manifests-local
+
+.PHONY: codegen
+codegen: dev-tools-image
+	$(call run-in-dev-tool,make codegen-local)
 
-# NOTE: we use packr to do the build instead of go, since we embed .yaml files into the go binary.
-# This enables ease of maintenance of the yaml files.
 .PHONY: cli
 cli: clean-debug
-	${PACKR_CMD} build -v -i -ldflags '${LDFLAGS} -extldflags "-static"' -o ${DIST_DIR}/${CLI_NAME} ./cmd/argocd
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd/argocd
 
-.PHONY: cli-linux
-cli-linux: clean-debug
-	docker build --iidfile /tmp/argocd-linux-id --target argocd-build --build-arg MAKE_TARGET="cli IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-linux-amd64" .
-	docker create --name tmp-argocd-linux `cat /tmp/argocd-linux-id`
-	docker cp tmp-argocd-linux:/go/src/github.com/argoproj/argo-cd/dist/argocd-linux-amd64 dist/
+.PHONY: release-cli
+release-cli: clean-debug image
+	docker create --name tmp-argocd-linux $(IMAGE_PREFIX)argocd:$(IMAGE_TAG)
+	docker cp tmp-argocd-linux:/usr/local/bin/argocd ${DIST_DIR}/argocd-linux-amd64
+	docker cp tmp-argocd-linux:/usr/local/bin/argocd-darwin-amd64 ${DIST_DIR}/argocd-darwin-amd64
 	docker rm tmp-argocd-linux
 
-.PHONY: cli-darwin
-cli-darwin: clean-debug
-	docker build --iidfile /tmp/argocd-darwin-id --target argocd-build --build-arg MAKE_TARGET="cli GOOS=darwin IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-darwin-amd64" .
-	docker create --name tmp-argocd-darwin `cat /tmp/argocd-darwin-id`
-	docker cp tmp-argocd-darwin:/go/src/github.com/argoproj/argo-cd/dist/argocd-darwin-amd64 dist/
-	docker rm tmp-argocd-darwin
-
 .PHONY: argocd-util
 argocd-util: clean-debug
-	CGO_ENABLED=0 go build -v -i -ldflags '${LDFLAGS} -extldflags "-static"' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
+	# Build argocd-util as a statically linked binary, so it could run within the alpine-based dex container (argoproj/argo-cd#844)
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
+
+.PHONY: dev-tools-image
+dev-tools-image:
+	cd hack && docker build -t argocd-dev-tools . -f Dockerfile.dev-tools
+
+.PHONY: manifests-local
+manifests-local:
+	./hack/update-manifests.sh
 
 .PHONY: manifests
 manifests:
-	./hack/update-manifests.sh
+	$(call run-in-dev-tool,make manifests-local IMAGE_TAG='${IMAGE_TAG}')
 
+
+# NOTE: we use packr to do the build instead of go, since we embed swagger files and policy.csv
+# files into the go binary
 .PHONY: server
 server: clean-debug
 	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd/argocd-server
-	
-.PHONY: server-image
-server-image:
-	docker build --build-arg BINARY=argocd-server -t $(IMAGE_PREFIX)argocd-server:$(IMAGE_TAG) .
-	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argocd-server:$(IMAGE_TAG) ; fi
 
 .PHONY: repo-server
 repo-server:
-	CGO_ENABLED=0 go build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
-
-.PHONY: repo-server-image
-repo-server-image:
-	docker build --build-arg BINARY=argocd-repo-server -t $(IMAGE_PREFIX)argocd-repo-server:$(IMAGE_TAG) .
-	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argocd-repo-server:$(IMAGE_TAG) ; fi
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
 
 .PHONY: controller
 controller:
-	CGO_ENABLED=0 go build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd/argocd-application-controller
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd/argocd-application-controller
 
-.PHONY: controller-image
-controller-image:
-	docker build --build-arg BINARY=argocd-application-controller -t $(IMAGE_PREFIX)argocd-application-controller:$(IMAGE_TAG)  .
-	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argocd-application-controller:$(IMAGE_TAG) ; fi
+.PHONY: packr
+packr:
+	go build -o ${DIST_DIR}/packr ./vendor/github.com/gobuffalo/packr/packr/
 
-.PHONY: cli-image
-cli-image:
-	docker build --build-arg BINARY=argocd -t $(IMAGE_PREFIX)argocd-cli:$(IMAGE_TAG) .
-	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argocd-cli:$(IMAGE_TAG) ; fi
+.PHONY: image
+ifeq ($(DEV_IMAGE), true)
+# The "dev" image builds the binaries from the users desktop environment (instead of in Docker)
+# which speeds up builds. Dockerfile.dev needs to be copied into dist to perform the build, since
+# the dist directory is under .dockerignore.
+IMAGE_TAG="dev-$(shell git describe --always --dirty)"
+image: packr
+	docker build -t argocd-base --target argocd-base .
+	docker build -t argocd-ui --target argocd-ui .
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd/argocd-server
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd/argocd-application-controller
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd/argocd
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-darwin-amd64 ./cmd/argocd
+	cp Dockerfile.dev dist
+	docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
+else
+image:
+	docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) .
+endif
+	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) ; fi
 
 .PHONY: builder-image
 builder-image:
 	docker build  -t $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) --target builder .
+	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) ; fi
+
+.PHONY: dep
+dep:
+	dep ensure -v
+
+.PHONY: dep-ensure
+dep-ensure:
+	dep ensure -no-vendor
+
+.PHONY: install-lint-tools
+install-lint-tools:
+	./hack/install.sh lint-tools
 
 .PHONY: lint
 lint:
-	gometalinter.v2 --config gometalinter.json ./...
+	golangci-lint --version
+	golangci-lint run --fix --verbose
+
+.PHONY: build
+build:
+	go build -v `go list ./... | grep -v 'resource_customizations\|test/e2e'`
 
 .PHONY: test
 test:
-	go test -v `go list ./... | grep -v "github.com/argoproj/argo-cd/test/e2e"`
-
-.PHONY: test-coverage
-test-coverage:
-	go test -v -covermode=count -coverprofile=coverage.out `go list ./... | grep -v "github.com/argoproj/argo-cd/test/e2e"`
-	@if [ "$(COVERALLS_TOKEN)" != "" ] ; then goveralls -ignore `find . -name '*.pb*.go' | grep -v vendor/ | sed 's!^./!!' | paste -d, -s -` -coverprofile=coverage.out -service=argo-ci -repotoken "$(COVERALLS_TOKEN)"; else echo 'No COVERALLS_TOKEN env var specified. Skipping submission to Coveralls.io'; fi
+	 ./hack/test.sh -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`
 
 .PHONY: test-e2e
 test-e2e:
-	go test -v -failfast -timeout 20m ./test/e2e
+	./hack/test.sh -timeout 15m ./test/e2e
+
+.PHONY: start-e2e
+start-e2e: cli
+	killall goreman || true
+	# check we can connect to Docker to start Redis
+	docker version
+	kubectl create ns argocd-e2e || true
+	kubectl config set-context --current --namespace=argocd-e2e
+	kustomize build test/manifests/base | kubectl apply -f -
+	# set paths for locally managed ssh known hosts and tls certs data
+	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
+	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
+	ARGOCD_E2E_DISABLE_AUTH=false \
+	ARGOCD_ZJWT_FEATURE_FLAG=always \
+		goreman start
 
 # Cleans VSCode debug.test files from sub-dirs to prevent them from being included in packr boxes
 .PHONY: clean-debug
@@ -144,8 +200,18 @@ clean-debug:
 clean: clean-debug
 	-rm -rf ${CURRENT_DIR}/dist
 
-.PHONY: precheckin
-precheckin: test lint
+.PHONY: start
+start:
+	killall goreman || true
+	# check we can connect to Docker to start Redis
+	docker version
+	kubectl create ns argocd || true
+	kubens argocd
+	ARGOCD_ZJWT_FEATURE_FLAG=always \
+		goreman start
+
+.PHONY: pre-commit
+pre-commit: dep-ensure codegen build lint test
 
 .PHONY: release-precheck
 release-precheck: manifests
@@ -154,4 +220,4 @@ release-precheck: manifests
 	@if [ "$(GIT_TAG)" != "v`cat VERSION`" ]; then echo 'VERSION does not match git tag'; exit 1; fi
 
 .PHONY: release
-release: release-precheck precheckin cli-darwin cli-linux server-image controller-image repo-server-image cli-image
+release: pre-commit release-precheck image release-cli

OWNERS

@@ -1,8 +1,12 @@
 owners:
+- alexec
 - alexmt
 - jessesuen
 
+reviewers:
+- jannfis
+
 approvers:
+- alexec
 - alexmt
 - jessesuen
-- merenbach

Procfile

@@ -1,4 +1,7 @@
-controller: go run ./cmd/argocd-application-controller/main.go
-api-server: go run ./cmd/argocd-server/main.go --insecure --disable-auth
-repo-server: go run ./cmd/argocd-repo-server/main.go --loglevel debug
-dex: sh -c "go run ./cmd/argocd-util/main.go gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p 5556:5556 -p 5557:5557 -v `pwd`/dist/dex.yaml:/dex.yaml quay.io/coreos/dex:v2.10.0 serve /dex.yaml"
+controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-application-controller/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --staticassets ui/dist/app"
+dex: sh -c "go run ./cmd/argocd-util/main.go gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml quay.io/dexidp/dex:v2.14.0 serve /dex.yaml"
+redis: docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:5.0.3-alpine --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}
+repo-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-repo-server/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
+ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
+git-server: test/fixture/testrepos/start-git.sh

README.md

@@ -1,4 +1,6 @@
-[![Coverage Status](https://coveralls.io/repos/github/argoproj/argo-cd/badge.svg?branch=master)](https://coveralls.io/github/argoproj/argo-cd?branch=master)
+[![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
+[![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
+[![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest)
 
 # Argo CD - Declarative Continuous Delivery for Kubernetes
 
@@ -6,71 +8,54 @@
 
 Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
 
-![Argo CD UI](docs/argocd-ui.gif)
+![Argo CD UI](docs/assets/argocd-ui.gif)
 
 ## Why Argo CD?
 
 Application definitions, configurations, and environments should be declarative and version controlled.
+
 Application deployment and lifecycle management should be automated, auditable, and easy to understand.
 
-## Getting Started
 
-Follow our [getting started guide](docs/getting_started.md). Further [documentation](docs/)
-is provided for additional features.
+## Who uses Argo CD?
 
-## How it works
+Organizations below are **officially** using Argo CD. Please send a PR with your organization name if you are using Argo CD.
 
-Argo CD follows the **GitOps** pattern of using git repositories as the source of truth for defining
-the desired application state. Kubernetes manifests can be specified in several ways:
-* [ksonnet](https://ksonnet.io) applications
-* [kustomize](https://kustomize.io) applications
-* [helm](https://helm.sh) charts
-* Plain directory of YAML/json manifests
+1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
+1. [Codility](https://www.codility.com/)
+1. [Commonbond](https://commonbond.co/)
+1. [CyberAgent](https://www.cyberagent.co.jp/en/)
+1. [END.](https://www.endclothing.com/)
+1. [Future PLC](https://www.futureplc.com/)
+1. [GMETRI](https://gmetri.com/)
+1. [Intuit](https://www.intuit.com/)
+1. [KintoHub](https://www.kintohub.com/)
+1. [KompiTech GmbH](https://www.kompitech.com/)
+1. [Lytt](https://www.lytt.co/)
+1. [Mambu](https://www.mambu.com/) 
+1. [Mirantis](https://mirantis.com/)
+1. [OpenSaaS Studio](https://opensaas.studio)
+1. [Optoro](https://www.optoro.com/)
+1. [Riskified](https://www.riskified.com/)
+1. [Saildrone](https://www.saildrone.com/)
+1. [Tesla](https://tesla.com/)
+1. [tZERO](https://www.tzero.com/)
+1. [Ticketmaster](https://ticketmaster.com)
+1. [Yieldlab](https://www.yieldlab.de/)
+1. [UBIO](https://ub.io/)
+1. [Volvo Cars](https://www.volvocars.com/)
 
-Argo CD automates the deployment of the desired application states in the specified target environments.
-Application deployments can track updates to branches, tags, or pinned to a specific version of 
-manifests at a git commit. See [tracking strategies](docs/tracking_strategies.md) for additional
-details about the different tracking strategies available.
+## Documentation
 
-For a quick 10 minute overview of ArgoCD, check out the demo presented to the Sig Apps community
-meeting:
-[![Alt text](https://img.youtube.com/vi/aWDIQMbp1cc/0.jpg)](https://youtu.be/aWDIQMbp1cc?t=1m4s)
+To learn more about Argo CD [go to the complete documentation](https://argoproj.github.io/argo-cd/).
 
+## Community Blogs and Presentations
 
-
-## Architecture
-
-![Argo CD Architecture](docs/argocd_architecture.png)
-
-Argo CD is implemented as a kubernetes controller which continuously monitors running applications
-and compares the current, live state against the desired target state (as specified in the git repo).
-A deployed application whose live state deviates from the target state is considered `OutOfSync`.
-Argo CD reports & visualizes the differences, while providing facilities to automatically or
-manually sync the live state back to the desired target state. Any modifications made to the desired
-target state in the git repo can be automatically applied and reflected in the specified target
-environments.
-
-For additional details, see [architecture overview](docs/architecture.md).
-
-## Features
-
-* Automated deployment of applications to specified target environments
-* Flexibility in support for multiple config management tools (Ksonnet, Kustomize, Helm, plain-YAML)
-* Continuous monitoring of deployed applications
-* Automated or manual syncing of applications to its desired state
-* Web and CLI based visualization of applications and differences between live vs. desired state
-* Rollback/Roll-anywhere to any application state committed in the git repository
-* Health assessment statuses on all components of the application
-* SSO Integration (OIDC, OAuth2, LDAP, SAML 2.0, GitLab, Microsoft, LinkedIn)
-* Webhook Integration (GitHub, BitBucket, GitLab)
-* PreSync, Sync, PostSync hooks to support complex application rollouts (e.g.blue/green & canary upgrades)
-* Audit trails for application events and API calls
-* Parameter overrides for overriding ksonnet/helm parameters in git
-* Service account/access key management for CI pipelines
-
-## Development Status
-* Argo CD is being used in production to deploy SaaS services at Intuit
-
-## Roadmap
-* Revamped UI, and feature parity with CLI
-* Customizable application actions
+1. [Comparison of Argo CD, Spinnaker, Jenkins X, and Tekton](https://www.inovex.de/blog/spinnaker-vs-argo-cd-vs-tekton-vs-jenkins-x/)
+1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager 3.1.2](https://medium.com/ibm-cloud/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2-4395af317359)
+1. [GitOps for Kubeflow using Argo CD](https://www.kubeflow.org/docs/use-cases/gitops-for-kubeflow/)
+1. [GitOps Toolsets on Kubernetes with CircleCI and Argo CD](https://www.digitalocean.com/community/tutorials/webinar-series-gitops-tool-sets-on-kubernetes-with-circleci-and-argo-cd)
+1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager](https://www.ibm.com/blogs/bluemix/2019/02/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2/)
+1. [CI/CD in Light Speed with K8s and Argo CD](https://www.youtube.com/watch?v=OdzH82VpMwI&feature=youtu.be)
+1. [Machine Learning as Code](https://www.youtube.com/watch?v=VXrGp5er1ZE&t=0s&index=135&list=PLj6h78yzYM2PZf9eA7bhWnIh_mK1vyOfU). Among other things, describes how Kubeflow uses Argo CD to implement GitOPs for ML
+1. [Argo CD - GitOps Continuous Delivery for Kubernetes](https://www.youtube.com/watch?v=aWDIQMbp1cc&feature=youtu.be&t=1m4s)

VERSION

@@ -1 +1 @@
-0.10.0
+1.3.2

assets/badge.svg

@@ -0,0 +1,22 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="131" height="20">
+    <linearGradient id="b" x2="0" y2="100%">
+        <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+        <stop offset="1" stop-opacity=".1"/>
+    </linearGradient>
+    <clipPath id="a">
+        <rect width="131" height="20" rx="3" fill="#fff"/>
+    </clipPath>
+    <g clip-path="url(#a)">
+        <path id="leftPath" fill="#555" d="M0 0h74v20H0z"/>
+        <path id="rightPath" fill="#4c1" d="M74 0h57v20H74z"/>
+        <path fill="url(#b)" d="M0 0h131v20H0z"/>
+    </g>
+    <g fill="#fff" text-anchor="middle" font-family="DejaVu Sans,Verdana,Geneva,sans-serif" font-size="90">
+        <image x="5" y="3" width="14" height="14" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB8AAAAeCAYAAADU8sWcAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAACXBIWXMAAABPAAAATwFjiv3XAAACC2lUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyI+CiAgICAgICAgIDx0aWZmOlJlc29sdXRpb25Vbml0PjI8L3RpZmY6UmVzb2x1dGlvblVuaXQ+CiAgICAgICAgIDx0aWZmOkNvbXByZXNzaW9uPjE8L3RpZmY6Q29tcHJlc3Npb24+CiAgICAgICAgIDx0aWZmOk9yaWVudGF0aW9uPjE8L3RpZmY6T3JpZW50YXRpb24+CiAgICAgICAgIDx0aWZmOlBob3RvbWV0cmljSW50ZXJwcmV0YXRpb24+MjwvdGlmZjpQaG90b21ldHJpY0ludGVycHJldGF0aW9uPgogICAgICA8L3JkZjpEZXNjcmlwdGlvbj4KICAgPC9yZGY6UkRGPgo8L3g6eG1wbWV0YT4KD0UqkwAACpZJREFUSA11VnmQFcUZ//qY4527by92WWTXwHKqEJDDg0MQUioKSWopK4oaS9RAlMofUSPGbFlBSaViKomgQSNmIdECkUS8ophdozEJArKoKCsgIFlY2Pu9N29mero7X78FxCR2Vb8309PTv+/4fb9vCHz1II2Nm+jmzYul2bJsdlMyO7LyPGlZtYqQck1ZHCgwLZWiROeJgB7bDzpYb/7o0y/emzXv4Pts8+ZGBUC0uf/vQf57wdw3NTVRnOYFfXvj6pJcadkUmbDGRoxVSEItSYAQQrUmRBP81VoRpkFTJUMuZA/3g/28q3dn89b7u885D4348vgf8NPAxY033LJmSlDizlSOU94f6UhoHaZdC/3QCHWON2gDYBhAYyRAWgyD4QSi1815f29++vv/+CoD2Lm2nAFGl8mndzyxMMgk5/iW6xzPi/xVk+oyE8+vLNt14FR/0uYW14ox0IwUJ4ZAaUpAaaBEYByiyLbikWWNnnThvPIxu+L717auVeb81tbWsyk4C34u8I3LnlhcSCameMzykg7TwzOJGIYWQj+M+voLYcSo/hxY1E65FECUq4G4RFP0nSjMCMVAIIKUnOHkw90L6qq/vXvbh02trV8yoBh2E0NMY9GiG+58fIGXTF6epyw7JOnamZQbz/tCnDrVVzgqqdwTT0ZTdWDN0wPpMh3ZPZqHLSw98C7Y4RwtnAodsTwGAg0ppkcxrlkYJFID+Z0bn/zelsFImzQRXfScNJFiOG689dcT/FT6GzlqedVJTHRpPH6yz/PyfTlx2IrLCpvSdWrv5OXkX9fOJB/Mnaz3XzItap+yMDoyZgEE7F1SceIghryeRNwnTBkEqhRIxiLF6bCpDXNybW2v/ruxcTzbt2+zZmfCvWT+zxNhbek3cxaPlyYsXVWSSHT25rxC3o+OWK6aDn7sZ3r79ZNY28w45Esxuhw5RjmVvEQPlIwgR8bOiE7VdrPaA2+TeGEEhFbhtAEmG5pzk5WqqbWTPv7jC8sLpgxNSRWZrUeWTAgor7EY9ytTiURvzg8GskGU5xxKkc33yDcX1yc7x3ijLxF+zZgoEljgCrSiXOWIG/WGrjifHxl1V9iyeKwW1lHNo5SKmDmcYinivwhjVpkor55sQj9+/D4MO9bpLW8RN6zJzMvbPDUkHaecE368N1+IUUJfIm5hPf1w2kTedlm/LgntmqEWEQGT3ScJYUh2NIxiiWupSUFasor1VgzXvPATfv6BC3Roq0E9MLqAXKQcAe1rqi/dv+q3DwQUw6djY6tiAaG1jLEw7nAn64WhcStPqZqpA6chap8aage077GwbQcJDx8Awq3T3DHlbeijUHWwytHFuuizCTergdQ+YocxLRHVPNcESRAJxqo60nbSvExvvvWx23MCVvucDyRt5hitwDRHHG09pZiaT7MlSUdUhtQGZttYRdwA4WnFQjFnDA4LX7UdIlgMYpaouBgGMnuBKVN/ZhgBRCMVynNAHOfRm777q4UcrW3EZxcEnD/kclYlpVaFKFIZrIRtluvdls/G9InnLZ9fpLXoJjwZAzZkDJ5mjkIj8HTCKETH9oD0eoikMSDQ5cTrLrUg4QoaFlxUH5MdYy6yAFAaYBHed6ODkMPOkMcFZggZKa0SkaL/jMeDpq5D1Vez9693V/wNUg1jQRY8yLX8BcSba8AaOgyBOdqtQBz7DNj8lZCeNY9SN6aiD3bTOc89s2iliDVvKa3uGxf6doQAxYE2oBbm0HQPG5IxqKhOg9ZpSSQj+pDU+jv5t7913spV5c70GcqLJwgMGw6ZJUuBLbgHPW0D4rgQdewDvnAllN58B0D918AvzVBn3jWi/p4Hq2/s+et1URgBRlVRMGVvBtITfwyuyYPAoIRmWSIrEqjZW1Ml/qN7dtRWzptfBzXDoaeri6TicWhes8Zsg9iMOaAyU0D3fw4qdSEkrryquP77xx+HZCwG3T09HEZfCBUXTxh125H9VZ9SHp1OfZF4aEWI9MM1AhmiVCmaIwV6a2F5ge2q8s7OBB8ytPiOZduw6pFHYOS4cUUQGsNWXj4MVLYdaGU9UAQ0o2H8eHh49WpAITReKqdmGC0PsvF2JB4Gu+i5RqKg5JSi82mOnu9GYGEhwbFjSOXadJII7Pa6Ed3hwU8igAU8lU7D/ffdZ1pFEUT19YI+sR9oZgLIjo8h6usDu2oIzJpxOc4ZphKQtoqFxw6LzxIV/RMxkabSUPAJRz3A5oc50x9T7Lf3xkR0R0xGSS+IRIFQOUUUkqvGXdR5tGXnLmjbYXI0OLCJykIBvFe2ABVHgCQqgMpjkH9xE9IY7cSgGd0w+8mOVjiy68DOh+sauusiwSM8F11nlhCm39/SvP7ux4qNZVfba/0TJ183Is9opWtxEXe5E/cC+Y5bf+CilmczqaC/JigEOjjYTrwtzwB8tAn4kJFGMIEmy0B98gb4B7tAYimHncd19ObLrP25rW0/rb76pQqsoKTEkKJgoT64biCObVx35xvGGz67qYW3Nl0RWYH/ftxmo7pyfpSoKFFjEiLxhE73jXaueHXlGw+PZ68rS8pQ01QlodUjTqcAfcQo8qGjQB36EwQfbFAuF8wjZbmNtStefZ4nC0uibKIHez92AeZEUln5wocGuLGxyUbg2cVEFp5a9pFz11MH/ZCP6M0V8gmbxWZL35K2paFmUmjDgCXAMQkjqv8wgFMGBFVSCw8g1wWsrB5IBrTDAvB0eaAkhVHCeGzSQDUm3bE9/1hs/d7dBhy5aSqAaNNWN6Mvdn9+e0KGfl8hZCd6vBwqABmISKSkCgkqr/a6QMWrwLpsKaYWhfrwi1ikfWBNvQmUhXItAlznICMlcopFFNXcEA25wBw/EIms2L4O1onZs5u46abFUsILDWhAc/OKo7H+/OtuEFqaUcsmIE8CR47zEMsSuJvRQcceODVmOqR/uAHKftAC6R+9AKcmzgVxci9qexwLTIDZ34+MR6FVErXECXw7kc+3/G7j8gPG0dbWJmQnum1+zDj3U2rJ0rWzvFRynu/YskMTb5vetmwI7xyeg7R0g072ynEGwa0PwZTRDbDn0GGI1j0Ii2pCKPCyqJTl+eei9tOl5Kr1eU2seuG5ZMBv2fjUIMkQymAWC6jouQE3jdlYZa43PLnsLbcn++eYVwi6FCQktTCEmO3QAx2rhOllAl6bOwsahg2FDTMvhRklWVSUMkxcWEyHJFbUqyCW9AtRSV//K18AF4XmbOWeBTegCF78ujTXf3hm+XvTeo49G8/67Sg+A0a0OGc6CDzIlFbDL3+8GPYuuxLWP7AYysprIQx9YNjdzAglyVkD3qGvd3dsWvv0infM2qBj53zr49rZsJsNZwa2WeTTFxtP3L1oe1VCzh3AWqOM2FJJsFBwbMuCUAgQyAqGrVVJ7Zdwyz2RZS/X/GbrguJ5eNYgyhfnncH5v+DmYcft18Y1T5S7fl9jPMN+4aM6IpeQPmgxThNA5AnuJFhIeI2tHafiNqEUW1XQL+8NrfRznENP1drNuTOA5/5/KezmAZ4zaJBSdVaUvQk5PsNTeqfrMsKQOui5LGKibBAjmKgSRk/RIMlc8BiWCLbI95Dx05jybrMkfsh+xfgPf+hH0AC4OlsAAAAASUVORK5CYII="/>
+
+        <text id="leftText1" x="435" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="470"></text>
+        <text id="leftText2" x="435" y="140" transform="scale(.1)" textLength="470"></text>
+
+        <text id="rightText1" x="995" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="470"></text>
+        <text id="rightText1" x="995" y="140" transform="scale(.1)" textLength="470"></text></g>
+</svg>

assets/builtin-policy.csv

@@ -7,6 +7,7 @@
 # p, <user/group>, <resource>, <action>, <object>
 
 p, role:readonly, applications, get, */*, allow
+p, role:readonly, certificates, get, *, allow
 p, role:readonly, clusters, get, *, allow
 p, role:readonly, repositories, get, *, allow
 p, role:readonly, projects, get, *, allow
@@ -15,6 +16,11 @@ p, role:admin, applications, create, */*, allow
 p, role:admin, applications, update, */*, allow
 p, role:admin, applications, delete, */*, allow
 p, role:admin, applications, sync, */*, allow
+p, role:admin, applications, override, */*, allow
+p, role:admin, applications, action/*, */*, allow
+p, role:admin, certificates, create, *, allow
+p, role:admin, certificates, update, *, allow
+p, role:admin, certificates, delete, *, allow
 p, role:admin, clusters, create, *, allow
 p, role:admin, clusters, update, *, allow
 p, role:admin, clusters, delete, *, allow

cmd/argocd-application-controller/main.go

@@ -2,10 +2,8 @@ package main
 
 import (
 	"context"
-	"flag"
 	"fmt"
 	"os"
-	"strconv"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -18,12 +16,15 @@ import (
 	// load the oidc plugin (required to authenticate with OpenID Connect).
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
 
-	"github.com/argoproj/argo-cd"
+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/controller"
 	"github.com/argoproj/argo-cd/errors"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/settings"
 	"github.com/argoproj/argo-cd/util/stats"
 )
 
@@ -36,29 +37,30 @@ const (
 
 func newCommand() *cobra.Command {
 	var (
-		clientConfig        clientcmd.ClientConfig
-		appResyncPeriod     int64
-		repoServerAddress   string
-		statusProcessors    int
-		operationProcessors int
-		logLevel            string
-		glogLevel           int
+		clientConfig             clientcmd.ClientConfig
+		appResyncPeriod          int64
+		repoServerAddress        string
+		repoServerTimeoutSeconds int
+		selfHealTimeoutSeconds   int
+		statusProcessors         int
+		operationProcessors      int
+		logLevel                 string
+		glogLevel                int
+		metricsPort              int
+		kubectlParallelismLimit  int64
+		cacheSrc                 func() (*cache.Cache, error)
 	)
 	var command = cobra.Command{
 		Use:   cliName,
 		Short: "application-controller is a controller to operate on applications CRD",
 		RunE: func(c *cobra.Command, args []string) error {
-			level, err := log.ParseLevel(logLevel)
-			errors.CheckError(err)
-			log.SetLevel(level)
-
-			// Set the glog level for the k8s go-client
-			_ = flag.CommandLine.Parse([]string{})
-			_ = flag.Lookup("logtostderr").Value.Set("true")
-			_ = flag.Lookup("v").Value.Set(strconv.Itoa(glogLevel))
+			cli.SetLogLevel(logLevel)
+			cli.SetGLogLevel(glogLevel)
 
 			config, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
+			config.QPS = common.K8sClientConfigQPS
+			config.Burst = common.K8sClientConfigBurst
 
 			kubeClient := kubernetes.NewForConfigOrDie(config)
 			appClient := appclientset.NewForConfigOrDie(config)
@@ -67,25 +69,36 @@ func newCommand() *cobra.Command {
 			errors.CheckError(err)
 
 			resyncDuration := time.Duration(appResyncPeriod) * time.Second
-			repoClientset := reposerver.NewRepositoryServerClientset(repoServerAddress)
-			appController := controller.NewApplicationController(
-				namespace,
-				kubeClient,
-				appClient,
-				repoClientset,
-				resyncDuration)
-			secretController := controller.NewSecretController(kubeClient, repoClientset, resyncDuration, namespace)
-
+			repoClientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
 			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
-			log.Infof("Application Controller (version: %s) starting (namespace: %s)", argocd.GetVersion(), namespace)
+			cache, err := cacheSrc()
+			errors.CheckError(err)
+
+			settingsMgr := settings.NewSettingsManager(ctx, kubeClient, namespace)
+			kubectl := &kube.KubectlCmd{}
+			appController, err := controller.NewApplicationController(
+				namespace,
+				settingsMgr,
+				kubeClient,
+				appClient,
+				repoClientset,
+				cache,
+				kubectl,
+				resyncDuration,
+				time.Duration(selfHealTimeoutSeconds)*time.Second,
+				metricsPort,
+				kubectlParallelismLimit)
+			errors.CheckError(err)
+
+			log.Infof("Application Controller (version: %s) starting (namespace: %s)", common.GetVersion(), namespace)
 			stats.RegisterStackDumper()
 			stats.StartStatsTicker(10 * time.Minute)
 			stats.RegisterHeapDumper("memprofile")
 
-			go secretController.Run(ctx)
 			go appController.Run(ctx, statusProcessors, operationProcessors)
+
 			// Wait forever
 			select {}
 		},
@@ -93,11 +106,17 @@ func newCommand() *cobra.Command {
 
 	clientConfig = cli.AddKubectlFlagsToCmd(&command)
 	command.Flags().Int64Var(&appResyncPeriod, "app-resync", defaultAppResyncPeriod, "Time period in seconds for application resync.")
-	command.Flags().StringVar(&repoServerAddress, "repo-server", "localhost:8081", "Repo server address.")
+	command.Flags().StringVar(&repoServerAddress, "repo-server", common.DefaultRepoServerAddr, "Repo server address.")
+	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
 	command.Flags().IntVar(&statusProcessors, "status-processors", 1, "Number of application status processors")
 	command.Flags().IntVar(&operationProcessors, "operation-processors", 1, "Number of application operation processors")
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
+	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDMetrics, "Start metrics server on given port")
+	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", 5, "Specifies timeout between application self heal attempts")
+	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", 20, "Number of allowed concurrent kubectl fork/execs. Any value less the 1 means no limit.")
+
+	cacheSrc = cache.AddCacheFlagsToCmd(&command)
 	return &command
 }
 

cmd/argocd-repo-server/main.go

@@ -3,19 +3,19 @@ package main
 import (
 	"fmt"
 	"net"
+	"net/http"
 	"os"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd"
+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/errors"
 	"github.com/argoproj/argo-cd/reposerver"
-	"github.com/argoproj/argo-cd/reposerver/repository"
+	"github.com/argoproj/argo-cd/reposerver/metrics"
 	"github.com/argoproj/argo-cd/util/cache"
-	"github.com/argoproj/argo-cd/util/git"
-	"github.com/argoproj/argo-cd/util/ksonnet"
+	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/stats"
 	"github.com/argoproj/argo-cd/util/tls"
 )
@@ -23,36 +23,41 @@ import (
 const (
 	// CLIName is the name of the CLI
 	cliName = "argocd-repo-server"
-	port    = 8081
 )
 
 func newCommand() *cobra.Command {
 	var (
 		logLevel               string
+		parallelismLimit       int64
+		listenPort             int
+		metricsPort            int
+		cacheSrc               func() (*cache.Cache, error)
 		tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error)
 	)
 	var command = cobra.Command{
 		Use:   cliName,
 		Short: "Run argocd-repo-server",
 		RunE: func(c *cobra.Command, args []string) error {
-			level, err := log.ParseLevel(logLevel)
-			errors.CheckError(err)
-			log.SetLevel(level)
+			cli.SetLogLevel(logLevel)
 
 			tlsConfigCustomizer, err := tlsConfigCustomizerSrc()
 			errors.CheckError(err)
 
-			server, err := reposerver.NewServer(git.NewFactory(), newCache(), tlsConfigCustomizer)
+			cache, err := cacheSrc()
 			errors.CheckError(err)
+
+			metricsServer := metrics.NewMetricsServer()
+			server, err := reposerver.NewServer(metricsServer, cache, tlsConfigCustomizer, parallelismLimit)
+			errors.CheckError(err)
+
 			grpc := server.CreateGRPC()
-			listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+			listener, err := net.Listen("tcp", fmt.Sprintf(":%d", listenPort))
 			errors.CheckError(err)
 
-			ksVers, err := ksonnet.KsonnetVersion()
-			errors.CheckError(err)
+			http.Handle("/metrics", metricsServer.GetHandler())
+			go func() { errors.CheckError(http.ListenAndServe(fmt.Sprintf(":%d", metricsPort), nil)) }()
 
-			log.Infof("argocd-repo-server %s serving on %s", argocd.GetVersion(), listener.Addr())
-			log.Infof("ksonnet version: %s", ksVers)
+			log.Infof("argocd-repo-server %s serving on %s", common.GetVersion(), listener.Addr())
 			stats.RegisterStackDumper()
 			stats.StartStatsTicker(10 * time.Minute)
 			stats.RegisterHeapDumper("memprofile")
@@ -63,20 +68,14 @@ func newCommand() *cobra.Command {
 	}
 
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().Int64Var(&parallelismLimit, "parallelismlimit", 0, "Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.")
+	command.Flags().IntVar(&listenPort, "port", common.DefaultPortRepoServer, "Listen on given port for incoming connections")
+	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortRepoServerMetrics, "Start metrics server on given port")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
+	cacheSrc = cache.AddCacheFlagsToCmd(&command)
 	return &command
 }
 
-func newCache() cache.Cache {
-	return cache.NewInMemoryCache(repository.DefaultRepoCacheExpiration)
-	// client := redis.NewClient(&redis.Options{
-	// 	Addr:     "localhost:6379",
-	// 	Password: "",
-	// 	DB:       0,
-	// })
-	// return cache.NewRedisCache(client, repository.DefaultRepoCacheExpiration)
-}
-
 func main() {
 	if err := newCommand().Execute(); err != nil {
 		fmt.Println(err)

cmd/argocd-server/commands/root.go

@@ -2,19 +2,18 @@ package commands
 
 import (
 	"context"
-	"flag"
-	"strconv"
 	"time"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/errors"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/server"
+	"github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/stats"
 	"github.com/argoproj/argo-cd/util/tls"
@@ -23,51 +22,60 @@ import (
 // NewCommand returns a new instance of an argocd command
 func NewCommand() *cobra.Command {
 	var (
-		insecure               bool
-		logLevel               string
-		glogLevel              int
-		clientConfig           clientcmd.ClientConfig
-		staticAssetsDir        string
-		repoServerAddress      string
-		disableAuth            bool
-		tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error)
+		insecure                 bool
+		listenPort               int
+		metricsPort              int
+		logLevel                 string
+		glogLevel                int
+		clientConfig             clientcmd.ClientConfig
+		repoServerTimeoutSeconds int
+		staticAssetsDir          string
+		baseHRef                 string
+		repoServerAddress        string
+		dexServerAddress         string
+		disableAuth              bool
+		tlsConfigCustomizerSrc   func() (tls.ConfigCustomizer, error)
+		cacheSrc                 func() (*cache.Cache, error)
 	)
 	var command = &cobra.Command{
 		Use:   cliName,
 		Short: "Run the argocd API server",
 		Long:  "Run the argocd API server",
 		Run: func(c *cobra.Command, args []string) {
-			level, err := log.ParseLevel(logLevel)
-			errors.CheckError(err)
-			log.SetLevel(level)
-
-			// Set the glog level for the k8s go-client
-			_ = flag.CommandLine.Parse([]string{})
-			_ = flag.Lookup("logtostderr").Value.Set("true")
-			_ = flag.Lookup("v").Value.Set(strconv.Itoa(glogLevel))
+			cli.SetLogLevel(logLevel)
+			cli.SetGLogLevel(glogLevel)
 
 			config, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
+			config.QPS = common.K8sClientConfigQPS
+			config.Burst = common.K8sClientConfigBurst
 
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
 
 			tlsConfigCustomizer, err := tlsConfigCustomizerSrc()
 			errors.CheckError(err)
+			cache, err := cacheSrc()
+			errors.CheckError(err)
 
 			kubeclientset := kubernetes.NewForConfigOrDie(config)
 			appclientset := appclientset.NewForConfigOrDie(config)
-			repoclientset := reposerver.NewRepositoryServerClientset(repoServerAddress)
+			repoclientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
 
 			argoCDOpts := server.ArgoCDServerOpts{
 				Insecure:            insecure,
+				ListenPort:          listenPort,
+				MetricsPort:         metricsPort,
 				Namespace:           namespace,
 				StaticAssetsDir:     staticAssetsDir,
+				BaseHRef:            baseHRef,
 				KubeClientset:       kubeclientset,
 				AppClientset:        appclientset,
 				RepoClientset:       repoclientset,
+				DexServerAddr:       dexServerAddress,
 				DisableAuth:         disableAuth,
 				TLSConfigCustomizer: tlsConfigCustomizer,
+				Cache:               cache,
 			}
 
 			stats.RegisterStackDumper()
@@ -75,10 +83,10 @@ func NewCommand() *cobra.Command {
 			stats.RegisterHeapDumper("memprofile")
 
 			for {
-				argocd := server.NewServer(argoCDOpts)
 				ctx := context.Background()
 				ctx, cancel := context.WithCancel(ctx)
-				argocd.Run(ctx, 8080)
+				argocd := server.NewServer(ctx, argoCDOpts)
+				argocd.Run(ctx, listenPort, metricsPort)
 				cancel()
 			}
 		},
@@ -87,11 +95,17 @@ func NewCommand() *cobra.Command {
 	clientConfig = cli.AddKubectlFlagsToCmd(command)
 	command.Flags().BoolVar(&insecure, "insecure", false, "Run server without TLS")
 	command.Flags().StringVar(&staticAssetsDir, "staticassets", "", "Static assets directory path")
+	command.Flags().StringVar(&baseHRef, "basehref", "/", "Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from /")
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
-	command.Flags().StringVar(&repoServerAddress, "repo-server", "localhost:8081", "Repo server address.")
+	command.Flags().StringVar(&repoServerAddress, "repo-server", common.DefaultRepoServerAddr, "Repo server address")
+	command.Flags().StringVar(&dexServerAddress, "dex-server", common.DefaultDexServerAddr, "Dex server address")
 	command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Disable client authentication")
 	command.AddCommand(cli.NewVersionCmd(cliName))
+	command.Flags().IntVar(&listenPort, "port", common.DefaultPortAPIServer, "Listen on given port")
+	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDAPIServerMetrics, "Start metrics on given port")
+	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(command)
+	cacheSrc = cache.AddCacheFlagsToCmd(command)
 	return command
 }

cmd/argocd-util/main.go

@@ -1,31 +1,39 @@
 package main
 
 import (
+	"bufio"
 	"context"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"os"
 	"os/exec"
-	"strings"
+	"regexp"
 	"syscall"
 
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/errors"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/dex"
-	"github.com/argoproj/argo-cd/util/kube"
-	"github.com/argoproj/argo-cd/util/settings"
 	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	apiv1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/util"
+
+	"github.com/argoproj/argo-cd/errors"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/db"
+	"github.com/argoproj/argo-cd/util/dex"
+	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/settings"
+
 	// load the gcp plugin (required to authenticate against GKE clusters).
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	// load the oidc plugin (required to authenticate with OpenID Connect).
@@ -35,9 +43,15 @@ import (
 const (
 	// CLIName is the name of the CLI
 	cliName = "argocd-util"
-
 	// YamlSeparator separates sections of a YAML file
-	yamlSeparator = "\n---\n"
+	yamlSeparator = "---\n"
+)
+
+var (
+	configMapResource    = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
+	secretResource       = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"}
+	applicationsResource = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applications"}
+	appprojectsResource  = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "appprojects"}
 )
 
 // NewCommand returns a new instance of an argocd command
@@ -48,7 +62,7 @@ func NewCommand() *cobra.Command {
 
 	var command = &cobra.Command{
 		Use:   cliName,
-		Short: "argocd-util has internal tools used by ArgoCD",
+		Short: "argocd-util has internal tools used by Argo CD",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 		},
@@ -59,7 +73,6 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(NewGenDexConfigCommand())
 	command.AddCommand(NewImportCommand())
 	command.AddCommand(NewExportCommand())
-	command.AddCommand(NewSettingsCommand())
 	command.AddCommand(NewClusterConfig())
 
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
@@ -72,7 +85,7 @@ func NewRunDexCommand() *cobra.Command {
 	)
 	var command = cobra.Command{
 		Use:   "rundex",
-		Short: "Runs dex generating a config using settings from the ArgoCD configmap and secret",
+		Short: "Runs dex generating a config using settings from the Argo CD configmap and secret",
 		RunE: func(c *cobra.Command, args []string) error {
 			_, err := exec.LookPath("dex")
 			errors.CheckError(err)
@@ -81,24 +94,22 @@ func NewRunDexCommand() *cobra.Command {
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
 			kubeClientset := kubernetes.NewForConfigOrDie(config)
-			settingsMgr := settings.NewSettingsManager(kubeClientset, namespace)
-			settings, err := settingsMgr.GetSettings()
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
+			prevSettings, err := settingsMgr.GetSettings()
 			errors.CheckError(err)
-			ctx := context.Background()
-			settingsMgr.StartNotifier(ctx, settings)
-			updateCh := make(chan struct{}, 1)
+			updateCh := make(chan *settings.ArgoCDSettings, 1)
 			settingsMgr.Subscribe(updateCh)
 
 			for {
 				var cmd *exec.Cmd
-				dexCfgBytes, err := dex.GenerateDexConfigYAML(settings)
+				dexCfgBytes, err := dex.GenerateDexConfigYAML(prevSettings)
 				errors.CheckError(err)
 				if len(dexCfgBytes) == 0 {
 					log.Infof("dex is not configured")
 				} else {
 					err = ioutil.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0644)
 					errors.CheckError(err)
-					log.Info(string(dexCfgBytes))
+					log.Info(redactor(string(dexCfgBytes)))
 					cmd = exec.Command("dex", "serve", "/tmp/dex.yaml")
 					cmd.Stdout = os.Stdout
 					cmd.Stderr = os.Stderr
@@ -108,10 +119,11 @@ func NewRunDexCommand() *cobra.Command {
 
 				// loop until the dex config changes
 				for {
-					<-updateCh
-					newDexCfgBytes, err := dex.GenerateDexConfigYAML(settings)
+					newSettings := <-updateCh
+					newDexCfgBytes, err := dex.GenerateDexConfigYAML(newSettings)
 					errors.CheckError(err)
 					if string(newDexCfgBytes) != string(dexCfgBytes) {
+						prevSettings = newSettings
 						log.Infof("dex config modified. restarting dex")
 						if cmd != nil && cmd.Process != nil {
 							err = cmd.Process.Signal(syscall.SIGTERM)
@@ -139,14 +151,14 @@ func NewGenDexConfigCommand() *cobra.Command {
 	)
 	var command = cobra.Command{
 		Use:   "gendexcfg",
-		Short: "Generates a dex config from ArgoCD settings",
+		Short: "Generates a dex config from Argo CD settings",
 		RunE: func(c *cobra.Command, args []string) error {
 			config, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
 			kubeClientset := kubernetes.NewForConfigOrDie(config)
-			settingsMgr := settings.NewSettingsManager(kubeClientset, namespace)
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
 			settings, err := settingsMgr.GetSettings()
 			errors.CheckError(err)
 			dexCfgBytes, err := dex.GenerateDexConfigYAML(settings)
@@ -156,7 +168,29 @@ func NewGenDexConfigCommand() *cobra.Command {
 				return nil
 			}
 			if out == "" {
-				fmt.Printf(string(dexCfgBytes))
+				dexCfg := make(map[string]interface{})
+				err := yaml.Unmarshal(dexCfgBytes, &dexCfg)
+				errors.CheckError(err)
+				if staticClientsInterface, ok := dexCfg["staticClients"]; ok {
+					if staticClients, ok := staticClientsInterface.([]interface{}); ok {
+						for i := range staticClients {
+							staticClient := staticClients[i]
+							if mappings, ok := staticClient.(map[string]interface{}); ok {
+								for key := range mappings {
+									if key == "secret" {
+										mappings[key] = "******"
+									}
+								}
+								staticClients[i] = mappings
+							}
+						}
+						dexCfg["staticClients"] = staticClients
+					}
+				}
+				errors.CheckError(err)
+				maskedDexCfgBytes, err := yaml.Marshal(dexCfg)
+				errors.CheckError(err)
+				fmt.Print(string(maskedDexCfgBytes))
 			} else {
 				err = ioutil.WriteFile(out, dexCfgBytes, 0644)
 				errors.CheckError(err)
@@ -174,94 +208,153 @@ func NewGenDexConfigCommand() *cobra.Command {
 func NewImportCommand() *cobra.Command {
 	var (
 		clientConfig clientcmd.ClientConfig
+		prune        bool
+		dryRun       bool
 	)
 	var command = cobra.Command{
 		Use:   "import SOURCE",
 		Short: "Import Argo CD data from stdin (specify `-') or a file",
-		RunE: func(c *cobra.Command, args []string) error {
+		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 1 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
-
-			var (
-				input       []byte
-				err         error
-				newSettings *settings.ArgoCDSettings
-				newRepos    []*v1alpha1.Repository
-				newClusters []*v1alpha1.Cluster
-				newApps     []*v1alpha1.Application
-				newRBACCM   *apiv1.ConfigMap
-			)
-
-			if in := args[0]; in == "-" {
-				input, err = ioutil.ReadAll(os.Stdin)
-				errors.CheckError(err)
-			} else {
-				input, err = ioutil.ReadFile(in)
-				errors.CheckError(err)
-			}
-			inputStrings := strings.Split(string(input), yamlSeparator)
-
-			err = yaml.Unmarshal([]byte(inputStrings[0]), &newSettings)
-			errors.CheckError(err)
-
-			err = yaml.Unmarshal([]byte(inputStrings[1]), &newRepos)
-			errors.CheckError(err)
-
-			err = yaml.Unmarshal([]byte(inputStrings[2]), &newClusters)
-			errors.CheckError(err)
-
-			err = yaml.Unmarshal([]byte(inputStrings[3]), &newApps)
-			errors.CheckError(err)
-
-			err = yaml.Unmarshal([]byte(inputStrings[4]), &newRBACCM)
-			errors.CheckError(err)
-
 			config, err := clientConfig.ClientConfig()
+			config.QPS = 100
+			config.Burst = 50
 			errors.CheckError(err)
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
-			kubeClientset := kubernetes.NewForConfigOrDie(config)
+			acdClients := newArgoCDClientsets(config, namespace)
 
-			settingsMgr := settings.NewSettingsManager(kubeClientset, namespace)
-			err = settingsMgr.SaveSettings(newSettings)
+			var input []byte
+			if in := args[0]; in == "-" {
+				input, err = ioutil.ReadAll(os.Stdin)
+			} else {
+				input, err = ioutil.ReadFile(in)
+			}
 			errors.CheckError(err)
-			db := db.NewDB(namespace, kubeClientset)
+			var dryRunMsg string
+			if dryRun {
+				dryRunMsg = " (dry run)"
+			}
 
-			_, err = kubeClientset.CoreV1().ConfigMaps(namespace).Create(newRBACCM)
+			// pruneObjects tracks live objects and it's current resource version. any remaining
+			// items in this map indicates the resource should be pruned since it no longer appears
+			// in the backup
+			pruneObjects := make(map[kube.ResourceKey]string)
+			configMaps, err := acdClients.configMaps.List(metav1.ListOptions{})
 			errors.CheckError(err)
+			for _, cm := range configMaps.Items {
+				cmName := cm.GetName()
+				if cmName == common.ArgoCDConfigMapName || cmName == common.ArgoCDRBACConfigMapName {
+					pruneObjects[kube.ResourceKey{Group: "", Kind: "ConfigMap", Name: cm.GetName()}] = cm.GetResourceVersion()
+				}
+			}
+			secrets, err := acdClients.secrets.List(metav1.ListOptions{})
+			errors.CheckError(err)
+			for _, secret := range secrets.Items {
+				if isArgoCDSecret(nil, secret) {
+					pruneObjects[kube.ResourceKey{Group: "", Kind: "Secret", Name: secret.GetName()}] = secret.GetResourceVersion()
+				}
+			}
+			applications, err := acdClients.applications.List(metav1.ListOptions{})
+			errors.CheckError(err)
+			for _, app := range applications.Items {
+				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "Application", Name: app.GetName()}] = app.GetResourceVersion()
+			}
+			projects, err := acdClients.projects.List(metav1.ListOptions{})
+			errors.CheckError(err)
+			for _, proj := range projects.Items {
+				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "AppProject", Name: proj.GetName()}] = proj.GetResourceVersion()
+			}
 
-			for _, repo := range newRepos {
-				_, err := db.CreateRepository(context.Background(), repo)
-				if err != nil {
-					log.Warn(err)
+			// Create or replace existing object
+			objs, err := kube.SplitYAML(string(input))
+			errors.CheckError(err)
+			for _, obj := range objs {
+				gvk := obj.GroupVersionKind()
+				key := kube.ResourceKey{Group: gvk.Group, Kind: gvk.Kind, Name: obj.GetName()}
+				resourceVersion, exists := pruneObjects[key]
+				delete(pruneObjects, key)
+				var dynClient dynamic.ResourceInterface
+				switch obj.GetKind() {
+				case "Secret":
+					dynClient = acdClients.secrets
+				case "ConfigMap":
+					dynClient = acdClients.configMaps
+				case "AppProject":
+					dynClient = acdClients.projects
+				case "Application":
+					dynClient = acdClients.applications
+				}
+				if !exists {
+					if !dryRun {
+						_, err = dynClient.Create(obj, metav1.CreateOptions{})
+						errors.CheckError(err)
+					}
+					fmt.Printf("%s/%s %s created%s\n", gvk.Group, gvk.Kind, obj.GetName(), dryRunMsg)
+				} else {
+					if !dryRun {
+						obj.SetResourceVersion(resourceVersion)
+						_, err = dynClient.Update(obj, metav1.UpdateOptions{})
+						errors.CheckError(err)
+					}
+					fmt.Printf("%s/%s %s replaced%s\n", gvk.Group, gvk.Kind, obj.GetName(), dryRunMsg)
 				}
 			}
 
-			for _, cluster := range newClusters {
-				_, err := db.CreateCluster(context.Background(), cluster)
-				if err != nil {
-					log.Warn(err)
+			// Delete objects not in backup
+			for key := range pruneObjects {
+				if prune {
+					var dynClient dynamic.ResourceInterface
+					switch key.Kind {
+					case "Secret":
+						dynClient = acdClients.secrets
+					case "AppProject":
+						dynClient = acdClients.projects
+					case "Application":
+						dynClient = acdClients.applications
+					default:
+						log.Fatalf("Unexpected kind '%s' in prune list", key.Kind)
+					}
+					if !dryRun {
+						err = dynClient.Delete(key.Name, &metav1.DeleteOptions{})
+						errors.CheckError(err)
+					}
+					fmt.Printf("%s/%s %s pruned%s\n", key.Group, key.Kind, key.Name, dryRunMsg)
+				} else {
+					fmt.Printf("%s/%s %s needs pruning\n", key.Group, key.Kind, key.Name)
 				}
 			}
-
-			appClientset := appclientset.NewForConfigOrDie(config)
-			for _, app := range newApps {
-				out, err := appClientset.ArgoprojV1alpha1().Applications(namespace).Create(app)
-				errors.CheckError(err)
-				log.Println(out)
-			}
-
-			return nil
 		},
 	}
 
 	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().BoolVar(&dryRun, "dry-run", false, "Print what will be performed")
+	command.Flags().BoolVar(&prune, "prune", false, "Prune secrets, applications and projects which do not appear in the backup")
 
 	return &command
 }
 
+type argoCDClientsets struct {
+	configMaps   dynamic.ResourceInterface
+	secrets      dynamic.ResourceInterface
+	applications dynamic.ResourceInterface
+	projects     dynamic.ResourceInterface
+}
+
+func newArgoCDClientsets(config *rest.Config, namespace string) *argoCDClientsets {
+	dynamicIf, err := dynamic.NewForConfig(config)
+	errors.CheckError(err)
+	return &argoCDClientsets{
+		configMaps:   dynamicIf.Resource(configMapResource).Namespace(namespace),
+		secrets:      dynamicIf.Resource(secretResource).Namespace(namespace),
+		applications: dynamicIf.Resource(applicationsResource).Namespace(namespace),
+		projects:     dynamicIf.Resource(appprojectsResource).Namespace(namespace),
+	}
+}
+
 // NewExportCommand defines a new command for exporting Kubernetes and Argo CD resources.
 func NewExportCommand() *cobra.Command {
 	var (
@@ -271,69 +364,54 @@ func NewExportCommand() *cobra.Command {
 	var command = cobra.Command{
 		Use:   "export",
 		Short: "Export all Argo CD data to stdout (default) or a file",
-		RunE: func(c *cobra.Command, args []string) error {
+		Run: func(c *cobra.Command, args []string) {
 			config, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
-			kubeClientset := kubernetes.NewForConfigOrDie(config)
-
-			settingsMgr := settings.NewSettingsManager(kubeClientset, namespace)
-			settings, err := settingsMgr.GetSettings()
-			errors.CheckError(err)
-			// certificate data is included in secrets that are exported alongside
-			settings.Certificate = nil
-
-			db := db.NewDB(namespace, kubeClientset)
-			clusters, err := db.ListClusters(context.Background())
-			errors.CheckError(err)
-
-			repos, err := db.ListRepositories(context.Background())
-			errors.CheckError(err)
-
-			appClientset := appclientset.NewForConfigOrDie(config)
-			apps, err := appClientset.ArgoprojV1alpha1().Applications(namespace).List(metav1.ListOptions{})
-			errors.CheckError(err)
-
-			rbacCM, err := kubeClientset.CoreV1().ConfigMaps(namespace).Get(common.ArgoCDRBACConfigMapName, metav1.GetOptions{})
-			errors.CheckError(err)
-
-			// remove extraneous cruft from output
-			rbacCM.ObjectMeta = metav1.ObjectMeta{
-				Name: rbacCM.ObjectMeta.Name,
-			}
-
-			// remove extraneous cruft from output
-			for idx, app := range apps.Items {
-				apps.Items[idx].ObjectMeta = metav1.ObjectMeta{
-					Name:       app.ObjectMeta.Name,
-					Finalizers: app.ObjectMeta.Finalizers,
-				}
-				apps.Items[idx].Status = v1alpha1.ApplicationStatus{
-					History: app.Status.History,
-				}
-				apps.Items[idx].Operation = nil
-			}
-
-			// take a list of exportable objects, marshal them to YAML,
-			// and return a string joined by a delimiter
-			output := func(delimiter string, oo ...interface{}) string {
-				out := make([]string, 0)
-				for _, o := range oo {
-					data, err := yaml.Marshal(o)
-					errors.CheckError(err)
-					out = append(out, string(data))
-				}
-				return strings.Join(out, delimiter)
-			}(yamlSeparator, settings, repos.Items, clusters.Items, apps.Items, rbacCM)
 
+			var writer io.Writer
 			if out == "-" {
-				fmt.Println(output)
+				writer = os.Stdout
 			} else {
-				err = ioutil.WriteFile(out, []byte(output), 0644)
+				f, err := os.Create(out)
 				errors.CheckError(err)
+				defer util.Close(f)
+				writer = bufio.NewWriter(f)
+			}
+
+			acdClients := newArgoCDClientsets(config, namespace)
+			acdConfigMap, err := acdClients.configMaps.Get(common.ArgoCDConfigMapName, metav1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdConfigMap)
+			acdRBACConfigMap, err := acdClients.configMaps.Get(common.ArgoCDRBACConfigMapName, metav1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdRBACConfigMap)
+			acdKnownHostsConfigMap, err := acdClients.configMaps.Get(common.ArgoCDKnownHostsConfigMapName, metav1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdKnownHostsConfigMap)
+			acdTLSCertsConfigMap, err := acdClients.configMaps.Get(common.ArgoCDTLSCertsConfigMapName, metav1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdTLSCertsConfigMap)
+
+			referencedSecrets := getReferencedSecrets(*acdConfigMap)
+			secrets, err := acdClients.secrets.List(metav1.ListOptions{})
+			errors.CheckError(err)
+			for _, secret := range secrets.Items {
+				if isArgoCDSecret(referencedSecrets, secret) {
+					export(writer, secret)
+				}
+			}
+			projects, err := acdClients.projects.List(metav1.ListOptions{})
+			errors.CheckError(err)
+			for _, proj := range projects.Items {
+				export(writer, proj)
+			}
+			applications, err := acdClients.applications.List(metav1.ListOptions{})
+			errors.CheckError(err)
+			for _, app := range applications.Items {
+				export(writer, app)
 			}
-			return nil
 		},
 	}
 
@@ -343,49 +421,93 @@ func NewExportCommand() *cobra.Command {
 	return &command
 }
 
-// NewSettingsCommand returns a new instance of `argocd-util settings` command
-func NewSettingsCommand() *cobra.Command {
-	var (
-		clientConfig      clientcmd.ClientConfig
-		updateSuperuser   bool
-		superuserPassword string
-		updateSignature   bool
-	)
-	var command = &cobra.Command{
-		Use:   "settings",
-		Short: "Creates or updates ArgoCD settings",
-		Long:  "Creates or updates ArgoCD settings",
-		Run: func(c *cobra.Command, args []string) {
-			conf, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, wasSpecified, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			if !(wasSpecified) {
-				namespace = "argocd"
+// getReferencedSecrets examines the argocd-cm config for any referenced repo secrets and returns a
+// map of all referenced secrets.
+func getReferencedSecrets(un unstructured.Unstructured) map[string]bool {
+	var cm apiv1.ConfigMap
+	err := runtime.DefaultUnstructuredConverter.FromUnstructured(un.Object, &cm)
+	errors.CheckError(err)
+	referencedSecrets := make(map[string]bool)
+	if reposRAW, ok := cm.Data["repositories"]; ok {
+		repoCreds := make([]settings.RepoCredentials, 0)
+		err := yaml.Unmarshal([]byte(reposRAW), &repoCreds)
+		errors.CheckError(err)
+		for _, cred := range repoCreds {
+			if cred.PasswordSecret != nil {
+				referencedSecrets[cred.PasswordSecret.Name] = true
 			}
-
-			kubeclientset, err := kubernetes.NewForConfig(conf)
-			errors.CheckError(err)
-			settingsMgr := settings.NewSettingsManager(kubeclientset, namespace)
-
-			_, err = settings.UpdateSettings(superuserPassword, settingsMgr, updateSignature, updateSuperuser, namespace)
-			errors.CheckError(err)
-		},
+			if cred.SSHPrivateKeySecret != nil {
+				referencedSecrets[cred.SSHPrivateKeySecret.Name] = true
+			}
+			if cred.UsernameSecret != nil {
+				referencedSecrets[cred.UsernameSecret.Name] = true
+			}
+			if cred.TLSClientCertDataSecret != nil {
+				referencedSecrets[cred.TLSClientCertDataSecret.Name] = true
+			}
+			if cred.TLSClientCertKeySecret != nil {
+				referencedSecrets[cred.TLSClientCertKeySecret.Name] = true
+			}
+		}
 	}
-	command.Flags().BoolVar(&updateSuperuser, "update-superuser", false, "force updating the  superuser password")
-	command.Flags().StringVar(&superuserPassword, "superuser-password", "", "password for super user")
-	command.Flags().BoolVar(&updateSignature, "update-signature", false, "force updating the server-side token signing signature")
-	clientConfig = cli.AddKubectlFlagsToCmd(command)
-	return command
+	return referencedSecrets
 }
 
-// NewClusterConfig returns a new instance of `argocd-util cluster-kubeconfig` command
+// isArgoCDSecret returns whether or not the given secret is a part of Argo CD configuration
+// (e.g. argocd-secret, repo credentials, or cluster credentials)
+func isArgoCDSecret(repoSecretRefs map[string]bool, un unstructured.Unstructured) bool {
+	secretName := un.GetName()
+	if secretName == common.ArgoCDSecretName {
+		return true
+	}
+	if repoSecretRefs != nil {
+		if _, ok := repoSecretRefs[secretName]; ok {
+			return true
+		}
+	}
+	if labels := un.GetLabels(); labels != nil {
+		if _, ok := labels[common.LabelKeySecretType]; ok {
+			return true
+		}
+	}
+	if annotations := un.GetAnnotations(); annotations != nil {
+		if annotations[common.AnnotationKeyManagedBy] == common.AnnotationValueManagedByArgoCD {
+			return true
+		}
+	}
+	return false
+}
+
+// export writes the unstructured object and removes extraneous cruft from output before writing
+func export(w io.Writer, un unstructured.Unstructured) {
+	name := un.GetName()
+	finalizers := un.GetFinalizers()
+	apiVersion := un.GetAPIVersion()
+	kind := un.GetKind()
+	labels := un.GetLabels()
+	annotations := un.GetAnnotations()
+	unstructured.RemoveNestedField(un.Object, "metadata")
+	un.SetName(name)
+	un.SetFinalizers(finalizers)
+	un.SetAPIVersion(apiVersion)
+	un.SetKind(kind)
+	un.SetLabels(labels)
+	un.SetAnnotations(annotations)
+	data, err := yaml.Marshal(un.Object)
+	errors.CheckError(err)
+	_, err = w.Write(data)
+	errors.CheckError(err)
+	_, err = w.Write([]byte(yamlSeparator))
+	errors.CheckError(err)
+}
+
+// NewClusterConfig returns a new instance of `argocd-util kubeconfig` command
 func NewClusterConfig() *cobra.Command {
 	var (
 		clientConfig clientcmd.ClientConfig
 	)
 	var command = &cobra.Command{
-		Use:   "cluster-kubeconfig CLUSTER_URL OUTPUT_PATH",
+		Use:   "kubeconfig CLUSTER_URL OUTPUT_PATH",
 		Short: "Generates kubeconfig for the specified cluster",
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 2 {
@@ -396,16 +518,12 @@ func NewClusterConfig() *cobra.Command {
 			output := args[1]
 			conf, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
-			namespace, wasSpecified, err := clientConfig.Namespace()
+			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
-			if !(wasSpecified) {
-				namespace = "argocd"
-			}
-
 			kubeclientset, err := kubernetes.NewForConfig(conf)
 			errors.CheckError(err)
 
-			cluster, err := db.NewDB(namespace, kubeclientset).GetCluster(context.Background(), serverUrl)
+			cluster, err := db.NewDB(namespace, settings.NewSettingsManager(context.Background(), kubeclientset, namespace), kubeclientset).GetCluster(context.Background(), serverUrl)
 			errors.CheckError(err)
 			err = kube.WriteKubeConfig(cluster.RESTConfig(), namespace, output)
 			errors.CheckError(err)
@@ -415,6 +533,11 @@ func NewClusterConfig() *cobra.Command {
 	return command
 }
 
+func redactor(dirtyString string) string {
+	dirtyString = regexp.MustCompile("(clientSecret: )[^ \n]*").ReplaceAllString(dirtyString, "$1********")
+	return regexp.MustCompile("(secret: )[^ \n]*").ReplaceAllString(dirtyString, "$1********")
+}
+
 func main() {
 	if err := NewCommand().Execute(); err != nil {
 		fmt.Println(err)

cmd/argocd-util/main_test.go

@@ -0,0 +1,73 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var textToRedact = `
+- config:
+    clientID: aabbccddeeff00112233
+    clientSecret: $dex.github.clientSecret
+    orgs:
+    - name: your-github-org
+    redirectURI: https://argocd.example.com/api/dex/callback
+  id: github
+  name: GitHub
+  type: github
+grpc:
+  addr: 0.0.0.0:5557
+issuer: https://argocd.example.com/api/dex
+oauth2:
+  skipApprovalScreen: true
+staticClients:
+- id: argo-cd
+  name: Argo CD
+  redirectURIs:
+  - https://argocd.example.com/auth/callback
+  secret: Dis9M-GA11oTwZVQQWdDklPQw-sWXZkWJFyyEhMs
+- id: argo-cd-cli
+  name: Argo CD CLI
+  public: true
+  redirectURIs:
+  - http://localhost
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556`
+
+var expectedRedaction = `
+- config:
+    clientID: aabbccddeeff00112233
+    clientSecret: ********
+    orgs:
+    - name: your-github-org
+    redirectURI: https://argocd.example.com/api/dex/callback
+  id: github
+  name: GitHub
+  type: github
+grpc:
+  addr: 0.0.0.0:5557
+issuer: https://argocd.example.com/api/dex
+oauth2:
+  skipApprovalScreen: true
+staticClients:
+- id: argo-cd
+  name: Argo CD
+  redirectURIs:
+  - https://argocd.example.com/auth/callback
+  secret: ********
+- id: argo-cd-cli
+  name: Argo CD CLI
+  public: true
+  redirectURIs:
+  - http://localhost
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556`
+
+func TestSecretsRedactor(t *testing.T) {
+	assert.Equal(t, expectedRedaction, redactor(textToRedact))
+}

cmd/argocd/commands/account.go

@@ -2,17 +2,24 @@ package commands
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
 	"syscall"
 
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"golang.org/x/crypto/ssh/terminal"
+
 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	"github.com/argoproj/argo-cd/server/account"
+	accountpkg "github.com/argoproj/argo-cd/pkg/apiclient/account"
+	"github.com/argoproj/argo-cd/pkg/apiclient/session"
 	"github.com/argoproj/argo-cd/util"
-	"github.com/argoproj/argo-cd/util/settings"
-	"github.com/spf13/cobra"
-	"golang.org/x/crypto/ssh/terminal"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/localconfig"
 )
 
 func NewAccountCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
@@ -25,6 +32,7 @@ func NewAccountCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 		},
 	}
 	command.AddCommand(NewAccountUpdatePasswordCommand(clientOpts))
+	command.AddCommand(NewAccountGetUserInfoCommand(clientOpts))
 	return command
 }
 
@@ -51,20 +59,39 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 			}
 			if newPassword == "" {
 				var err error
-				newPassword, err = settings.ReadAndConfirmPassword()
+				newPassword, err = cli.ReadAndConfirmPassword()
 				errors.CheckError(err)
 			}
 
-			updatePasswordRequest := account.UpdatePasswordRequest{
+			updatePasswordRequest := accountpkg.UpdatePasswordRequest{
 				NewPassword:     newPassword,
 				CurrentPassword: currentPassword,
 			}
 
-			conn, usrIf := argocdclient.NewClientOrDie(clientOpts).NewAccountClientOrDie()
+			acdClient := argocdclient.NewClientOrDie(clientOpts)
+			conn, usrIf := acdClient.NewAccountClientOrDie()
 			defer util.Close(conn)
-			_, err := usrIf.UpdatePassword(context.Background(), &updatePasswordRequest)
+
+			ctx := context.Background()
+			_, err := usrIf.UpdatePassword(ctx, &updatePasswordRequest)
 			errors.CheckError(err)
 			fmt.Printf("Password updated\n")
+
+			// Get a new JWT token after updating the password
+			localCfg, err := localconfig.ReadLocalConfig(clientOpts.ConfigPath)
+			errors.CheckError(err)
+			configCtx, err := localCfg.ResolveContext(clientOpts.Context)
+			errors.CheckError(err)
+			claims, err := configCtx.User.Claims()
+			errors.CheckError(err)
+			tokenString := passwordLogin(acdClient, claims.Subject, newPassword)
+			localCfg.UpsertUser(localconfig.User{
+				Name:      localCfg.CurrentContext,
+				AuthToken: tokenString,
+			})
+			err = localconfig.WriteLocalConfig(*localCfg, clientOpts.ConfigPath)
+			errors.CheckError(err)
+			fmt.Printf("Context '%s' updated\n", localCfg.CurrentContext)
 		},
 	}
 
@@ -72,3 +99,48 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 	command.Flags().StringVar(&newPassword, "new-password", "", "new password you want to update to")
 	return command
 }
+
+func NewAccountGetUserInfoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
+	var command = &cobra.Command{
+		Use:   "get-user-info",
+		Short: "Get user info",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 0 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			conn, client := argocdclient.NewClientOrDie(clientOpts).NewSessionClientOrDie()
+			defer util.Close(conn)
+
+			ctx := context.Background()
+			response, err := client.GetUserInfo(ctx, &session.GetUserInfoRequest{})
+			errors.CheckError(err)
+
+			switch output {
+			case "yaml":
+				yamlBytes, err := yaml.Marshal(response)
+				errors.CheckError(err)
+				fmt.Println(string(yamlBytes))
+			case "json":
+				jsonBytes, err := json.MarshalIndent(response, "", "  ")
+				errors.CheckError(err)
+				fmt.Println(string(jsonBytes))
+			case "":
+				fmt.Printf("Logged In: %v\n", response.LoggedIn)
+				if response.LoggedIn {
+					fmt.Printf("Username: %s\n", response.Username)
+					fmt.Printf("Issuer: %s\n", response.Iss)
+					fmt.Printf("Groups: %v\n", strings.Join(response.Groups, ","))
+				}
+			default:
+				log.Fatalf("Unknown output format: %s", output)
+			}
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "", "Output format. One of: yaml, json")
+	return command
+}

cmd/argocd/commands/app_actions.go

@@ -0,0 +1,175 @@
+package commands
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"os"
+	"strconv"
+	"text/tabwriter"
+
+	"github.com/ghodss/yaml"
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	applicationpkg "github.com/argoproj/argo-cd/pkg/apiclient/application"
+	"github.com/argoproj/argo-cd/util"
+)
+
+type DisplayedAction struct {
+	Group    string
+	Kind     string
+	Name     string
+	Action   string
+	Disabled bool
+}
+
+// NewApplicationResourceActionsCommand returns a new instance of an `argocd app actions` command
+func NewApplicationResourceActionsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "actions",
+		Short: "Manage Resource actions",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+	command.AddCommand(NewApplicationResourceActionsListCommand(clientOpts))
+	command.AddCommand(NewApplicationResourceActionsRunCommand(clientOpts))
+	return command
+}
+
+// NewApplicationResourceActionsListCommand returns a new instance of an `argocd app actions list` command
+func NewApplicationResourceActionsListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var namespace string
+	var kind string
+	var group string
+	var resourceName string
+	var output string
+	var command = &cobra.Command{
+		Use:   "list APPNAME",
+		Short: "Lists available actions on a resource",
+	}
+	command.Run = func(c *cobra.Command, args []string) {
+		if len(args) != 1 {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		}
+		appName := args[0]
+		conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
+		defer util.Close(conn)
+		ctx := context.Background()
+		resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{ApplicationName: &appName})
+		errors.CheckError(err)
+		filteredObjects := filterResources(command, resources.Items, group, kind, namespace, resourceName, true)
+		var availableActions []DisplayedAction
+		for i := range filteredObjects {
+			obj := filteredObjects[i]
+			gvk := obj.GroupVersionKind()
+			availActionsForResource, err := appIf.ListResourceActions(ctx, &applicationpkg.ApplicationResourceRequest{
+				Name:         &appName,
+				Namespace:    obj.GetNamespace(),
+				ResourceName: obj.GetName(),
+				Group:        gvk.Group,
+				Kind:         gvk.Kind,
+			})
+			errors.CheckError(err)
+			for _, action := range availActionsForResource.Actions {
+				displayAction := DisplayedAction{
+					Group:    gvk.Group,
+					Kind:     gvk.Kind,
+					Name:     obj.GetName(),
+					Action:   action.Name,
+					Disabled: action.Disabled,
+				}
+				availableActions = append(availableActions, displayAction)
+			}
+		}
+
+		switch output {
+		case "yaml":
+			yamlBytes, err := yaml.Marshal(availableActions)
+			errors.CheckError(err)
+			fmt.Println(string(yamlBytes))
+		case "json":
+			jsonBytes, err := json.MarshalIndent(availableActions, "", "  ")
+			errors.CheckError(err)
+			fmt.Println(string(jsonBytes))
+		case "":
+			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+			fmt.Fprintf(w, "GROUP\tKIND\tNAME\tACTION\tDISABLED\n")
+			fmt.Println()
+			for _, action := range availableActions {
+				fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", action.Group, action.Kind, action.Name, action.Action, strconv.FormatBool(action.Disabled))
+			}
+			_ = w.Flush()
+		}
+	}
+	command.Flags().StringVar(&resourceName, "resource-name", "", "Name of resource")
+	command.Flags().StringVar(&kind, "kind", "", "Kind")
+	command.Flags().StringVar(&group, "group", "", "Group")
+	command.Flags().StringVar(&namespace, "namespace", "", "Namespace")
+	command.Flags().StringVarP(&output, "out", "o", "", "Output format. One of: yaml, json")
+
+	return command
+}
+
+// NewApplicationResourceActionsRunCommand returns a new instance of an `argocd app actions run` command
+func NewApplicationResourceActionsRunCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var namespace string
+	var resourceName string
+	var kind string
+	var group string
+	var all bool
+	var command = &cobra.Command{
+		Use:   "run APPNAME ACTION",
+		Short: "Runs an available action on resource(s)",
+	}
+
+	command.Flags().StringVar(&resourceName, "resource-name", "", "Name of resource")
+	command.Flags().StringVar(&namespace, "namespace", "", "Namespace")
+	command.Flags().StringVar(&kind, "kind", "", "Kind")
+	command.Flags().StringVar(&group, "group", "", "Group")
+	errors.CheckError(command.MarkFlagRequired("kind"))
+	command.Flags().BoolVar(&all, "all", false, "Indicates whether to run the action on multiple matching resources")
+
+	command.Run = func(c *cobra.Command, args []string) {
+		if len(args) != 2 {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		}
+		appName := args[0]
+		actionName := args[1]
+
+		conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
+		defer util.Close(conn)
+		ctx := context.Background()
+		resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{ApplicationName: &appName})
+		errors.CheckError(err)
+		filteredObjects := filterResources(command, resources.Items, group, kind, namespace, resourceName, all)
+		var resGroup = filteredObjects[0].GroupVersionKind().Group
+		for i := range filteredObjects[1:] {
+			if filteredObjects[i].GroupVersionKind().Group != resGroup {
+				log.Fatal("Ambiguous resource group. Use flag --group to specify resource group explicitly.")
+			}
+		}
+
+		for i := range filteredObjects {
+			obj := filteredObjects[i]
+			gvk := obj.GroupVersionKind()
+			objResourceName := obj.GetName()
+			_, err := appIf.RunResourceAction(context.Background(), &applicationpkg.ResourceActionRunRequest{
+				Name:         &appName,
+				Namespace:    obj.GetNamespace(),
+				ResourceName: objResourceName,
+				Group:        gvk.Group,
+				Kind:         gvk.Kind,
+				Action:       actionName,
+			})
+			errors.CheckError(err)
+		}
+	}
+	return command
+}

cmd/argocd/commands/app_test.go

@@ -0,0 +1,55 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+func TestParseLabels(t *testing.T) {
+	validLabels := []string{"key=value", "foo=bar", "intuit=inc"}
+
+	result, err := parseLabels(validLabels)
+	assert.NoError(t, err)
+	assert.Len(t, result, 3)
+
+	invalidLabels := []string{"key=value", "too=many=equals"}
+	_, err = parseLabels(invalidLabels)
+	assert.Error(t, err)
+
+	emptyLabels := []string{}
+	result, err = parseLabels(emptyLabels)
+	assert.NoError(t, err)
+	assert.Len(t, result, 0)
+
+}
+
+func Test_setHelmOpt(t *testing.T) {
+	t.Run("Zero", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{})
+		assert.Nil(t, src.Helm)
+	})
+	t.Run("ValueFiles", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{valueFiles: []string{"foo"}})
+		assert.Equal(t, []string{"foo"}, src.Helm.ValueFiles)
+	})
+	t.Run("ReleaseName", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{releaseName: "foo"})
+		assert.Equal(t, "foo", src.Helm.ReleaseName)
+	})
+	t.Run("HelmSets", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSets: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar"}}, src.Helm.Parameters)
+	})
+	t.Run("HelmSetStrings", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSetStrings: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar", ForceString: true}}, src.Helm.Parameters)
+	})
+}

cmd/argocd/commands/cert.go

@@ -0,0 +1,290 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	certificatepkg "github.com/argoproj/argo-cd/pkg/apiclient/certificate"
+	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util"
+	certutil "github.com/argoproj/argo-cd/util/cert"
+
+	"crypto/x509"
+)
+
+// NewCertCommand returns a new instance of an `argocd repo` command
+func NewCertCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "cert",
+		Short: "Manage repository certificates and SSH known hosts entries",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+
+	command.AddCommand(NewCertAddSSHCommand(clientOpts))
+	command.AddCommand(NewCertAddTLSCommand(clientOpts))
+	command.AddCommand(NewCertListCommand(clientOpts))
+	command.AddCommand(NewCertRemoveCommand(clientOpts))
+	return command
+}
+
+func NewCertAddTLSCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		fromFile string
+		upsert   bool
+	)
+	var command = &cobra.Command{
+		Use:   "add-tls SERVERNAME",
+		Short: "Add TLS certificate data for connecting to repository server SERVERNAME",
+		Run: func(c *cobra.Command, args []string) {
+			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
+			defer util.Close(conn)
+
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			var certificateArray []string
+			var err error
+
+			if fromFile != "" {
+				fmt.Printf("Reading TLS certificate data in PEM format from '%s'\n", fromFile)
+				certificateArray, err = certutil.ParseTLSCertificatesFromPath(fromFile)
+			} else {
+				fmt.Println("Enter TLS certificate data in PEM format. Press CTRL-D when finished.")
+				certificateArray, err = certutil.ParseTLSCertificatesFromStream(os.Stdin)
+			}
+
+			errors.CheckError(err)
+
+			certificateList := make([]appsv1.RepositoryCertificate, 0)
+
+			subjectMap := make(map[string]*x509.Certificate)
+
+			for _, entry := range certificateArray {
+				// We want to make sure to only send valid certificate data to the
+				// server, so we decode the certificate into X509 structure before
+				// further processing it.
+				x509cert, err := certutil.DecodePEMCertificateToX509(entry)
+				errors.CheckError(err)
+
+				// TODO: We need a better way to detect duplicates sent in the stream,
+				// maybe by using fingerprints? For now, no two certs with the same
+				// subject may be sent.
+				if subjectMap[x509cert.Subject.String()] != nil {
+					fmt.Printf("ERROR: Cert with subject '%s' already seen in the input stream.\n", x509cert.Subject.String())
+					continue
+				} else {
+					subjectMap[x509cert.Subject.String()] = x509cert
+				}
+			}
+
+			serverName := args[0]
+
+			if len(certificateArray) > 0 {
+				certificateList = append(certificateList, appsv1.RepositoryCertificate{
+					ServerName: serverName,
+					CertType:   "https",
+					CertData:   []byte(strings.Join(certificateArray, "\n")),
+				})
+				certificates, err := certIf.CreateCertificate(context.Background(), &certificatepkg.RepositoryCertificateCreateRequest{
+					Certificates: &appsv1.RepositoryCertificateList{
+						Items: certificateList,
+					},
+					Upsert: upsert,
+				})
+				errors.CheckError(err)
+				fmt.Printf("Created entry with %d PEM certificates for repository server %s\n", len(certificates.Items), serverName)
+			} else {
+				fmt.Printf("No valid certificates have been detected in the stream.\n")
+			}
+		},
+	}
+	command.Flags().StringVar(&fromFile, "from", "", "read TLS certificate data from file (default is to read from stdin)")
+	command.Flags().BoolVar(&upsert, "upsert", false, "Replace existing TLS certificate if certificate is different in input")
+	return command
+}
+
+// NewCertAddCommand returns a new instance of an `argocd cert add` command
+func NewCertAddSSHCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		fromFile     string
+		batchProcess bool
+		upsert       bool
+		certificates []appsv1.RepositoryCertificate
+	)
+
+	var command = &cobra.Command{
+		Use:   "add-ssh --batch",
+		Short: "Add SSH known host entries for repository servers",
+		Run: func(c *cobra.Command, args []string) {
+
+			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
+			defer util.Close(conn)
+
+			var sshKnownHostsLists []string
+			var err error
+
+			// --batch is a flag, but it is mandatory for now.
+			if batchProcess {
+				if fromFile != "" {
+					fmt.Printf("Reading SSH known hosts entries from file '%s'\n", fromFile)
+					sshKnownHostsLists, err = certutil.ParseSSHKnownHostsFromPath(fromFile)
+				} else {
+					fmt.Println("Enter SSH known hosts entries, one per line. Press CTRL-D when finished.")
+					sshKnownHostsLists, err = certutil.ParseSSHKnownHostsFromStream(os.Stdin)
+				}
+			} else {
+				err = fmt.Errorf("You need to specify --batch or specify --help for usage instructions")
+			}
+
+			errors.CheckError(err)
+
+			if len(sshKnownHostsLists) == 0 {
+				errors.CheckError(fmt.Errorf("No valid SSH known hosts data found."))
+			}
+
+			for _, knownHostsEntry := range sshKnownHostsLists {
+				hostname, certSubType, certData, err := certutil.TokenizeSSHKnownHostsEntry(knownHostsEntry)
+				errors.CheckError(err)
+				_, _, err = certutil.KnownHostsLineToPublicKey(knownHostsEntry)
+				errors.CheckError(err)
+				certificate := appsv1.RepositoryCertificate{
+					ServerName:  hostname,
+					CertType:    "ssh",
+					CertSubType: certSubType,
+					CertData:    certData,
+				}
+
+				certificates = append(certificates, certificate)
+			}
+
+			certList := &appsv1.RepositoryCertificateList{Items: certificates}
+			response, err := certIf.CreateCertificate(context.Background(), &certificatepkg.RepositoryCertificateCreateRequest{
+				Certificates: certList,
+				Upsert:       upsert,
+			})
+			errors.CheckError(err)
+			fmt.Printf("Successfully created %d SSH known host entries\n", len(response.Items))
+		},
+	}
+	command.Flags().StringVar(&fromFile, "from", "", "Read SSH known hosts data from file (default is to read from stdin)")
+	command.Flags().BoolVar(&batchProcess, "batch", false, "Perform batch processing by reading in SSH known hosts data (mandatory flag)")
+	command.Flags().BoolVar(&upsert, "upsert", false, "Replace existing SSH server public host keys if key is different in input")
+	return command
+}
+
+// NewCertRemoveCommand returns a new instance of an `argocd cert rm` command
+func NewCertRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		certType    string
+		certSubType string
+		certQuery   certificatepkg.RepositoryCertificateQuery
+	)
+	var command = &cobra.Command{
+		Use:   "rm REPOSERVER",
+		Short: "Remove certificate of TYPE for REPOSERVER",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) < 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
+			defer util.Close(conn)
+			hostNamePattern := args[0]
+
+			// Prevent the user from specifying a wildcard as hostname as precaution
+			// measure -- the user could still use "?*" or any other pattern to
+			// remove all certificates, but it's less likely that it happens by
+			// accident.
+			if hostNamePattern == "*" {
+				err := fmt.Errorf("A single wildcard is not allowed as REPOSERVER name.")
+				errors.CheckError(err)
+			}
+			certQuery = certificatepkg.RepositoryCertificateQuery{
+				HostNamePattern: hostNamePattern,
+				CertType:        certType,
+				CertSubType:     certSubType,
+			}
+			removed, err := certIf.DeleteCertificate(context.Background(), &certQuery)
+			errors.CheckError(err)
+			if len(removed.Items) > 0 {
+				for _, cert := range removed.Items {
+					fmt.Printf("Removed cert for '%s' of type '%s' (subtype '%s')\n", cert.ServerName, cert.CertType, cert.CertSubType)
+				}
+			} else {
+				fmt.Println("No certificates were removed (none matched the given patterns)")
+			}
+		},
+	}
+	command.Flags().StringVar(&certType, "cert-type", "", "Only remove certs of given type (ssh, https)")
+	command.Flags().StringVar(&certSubType, "cert-sub-type", "", "Only remove certs of given sub-type (only for ssh)")
+	return command
+}
+
+// NewCertListCommand returns a new instance of an `argocd cert rm` command
+func NewCertListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		certType        string
+		hostNamePattern string
+		sortOrder       string
+	)
+	var command = &cobra.Command{
+		Use:   "list",
+		Short: "List configured certificates",
+		Run: func(c *cobra.Command, args []string) {
+			if certType != "" {
+				switch certType {
+				case "ssh":
+				case "https":
+				default:
+					fmt.Println("cert-type must be either ssh or https")
+					os.Exit(1)
+				}
+			}
+
+			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
+			defer util.Close(conn)
+			certificates, err := certIf.ListCertificates(context.Background(), &certificatepkg.RepositoryCertificateQuery{HostNamePattern: hostNamePattern, CertType: certType})
+			errors.CheckError(err)
+			printCertTable(certificates.Items, sortOrder)
+		},
+	}
+
+	command.Flags().StringVar(&sortOrder, "sort", "", "set display sort order, valid: 'hostname', 'type'")
+	command.Flags().StringVar(&certType, "cert-type", "", "only list certificates of given type, valid: 'ssh','https'")
+	command.Flags().StringVar(&hostNamePattern, "hostname-pattern", "", "only list certificates for hosts matching given glob-pattern")
+	return command
+}
+
+// Print table of certificate info
+func printCertTable(certs []appsv1.RepositoryCertificate, sortOrder string) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "HOSTNAME\tTYPE\tSUBTYPE\tINFO\n")
+
+	if sortOrder == "hostname" || sortOrder == "" {
+		sort.Slice(certs, func(i, j int) bool {
+			return certs[i].ServerName < certs[j].ServerName
+		})
+	} else if sortOrder == "type" {
+		sort.Slice(certs, func(i, j int) bool {
+			return certs[i].CertType < certs[j].CertType
+		})
+	}
+
+	for _, c := range certs {
+		fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", c.ServerName, c.CertType, c.CertSubType, c.CertInfo)
+	}
+	_ = w.Flush()
+}

cmd/argocd/commands/cluster.go

@@ -9,18 +9,20 @@ import (
 	"strings"
 	"text/tabwriter"
 
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/errors"
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/server/cluster"
-	"github.com/argoproj/argo-cd/util"
 	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	clusterpkg "github.com/argoproj/argo-cd/pkg/apiclient/cluster"
+	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/clusterauth"
 )
 
 // NewClusterCommand returns a new instance of an `argocd cluster` command
@@ -38,16 +40,18 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 	command.AddCommand(NewClusterGetCommand(clientOpts))
 	command.AddCommand(NewClusterListCommand(clientOpts))
 	command.AddCommand(NewClusterRemoveCommand(clientOpts))
+	command.AddCommand(NewClusterRotateAuthCommand(clientOpts))
 	return command
 }
 
 // NewClusterAddCommand returns a new instance of an `argocd cluster add` command
 func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientcmd.PathOptions) *cobra.Command {
 	var (
-		inCluster      bool
-		upsert         bool
-		awsRoleArn     string
-		awsClusterName string
+		inCluster       bool
+		upsert          bool
+		awsRoleArn      string
+		awsClusterName  string
+		systemNamespace string
 	)
 	var command = &cobra.Command{
 		Use:   "add",
@@ -84,7 +88,7 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 				// Install RBAC resources for managing the cluster
 				clientset, err := kubernetes.NewForConfig(conf)
 				errors.CheckError(err)
-				managerBearerToken, err = common.InstallClusterManagerRBAC(clientset)
+				managerBearerToken, err = clusterauth.InstallClusterManagerRBAC(clientset, systemNamespace)
 				errors.CheckError(err)
 			}
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
@@ -93,7 +97,7 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 			if inCluster {
 				clst.Server = common.KubernetesInternalAPIServerAddr
 			}
-			clstCreateReq := cluster.ClusterCreateRequest{
+			clstCreateReq := clusterpkg.ClusterCreateRequest{
 				Cluster: clst,
 				Upsert:  upsert,
 			}
@@ -103,10 +107,11 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 		},
 	}
 	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
-	command.Flags().BoolVar(&inCluster, "in-cluster", false, "Indicates ArgoCD resides inside this cluster and should connect using the internal k8s hostname (kubernetes.default.svc)")
+	command.Flags().BoolVar(&inCluster, "in-cluster", false, "Indicates Argo CD resides inside this cluster and should connect using the internal k8s hostname (kubernetes.default.svc)")
 	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing cluster with the same name even if the spec differs")
 	command.Flags().StringVar(&awsClusterName, "aws-cluster-name", "", "AWS Cluster name if set then aws-iam-authenticator will be used to access cluster")
 	command.Flags().StringVar(&awsRoleArn, "aws-role-arn", "", "Optional AWS role arn. If set then AWS IAM Authenticator assume a role to perform cluster operations instead of the default AWS credential provider chain.")
+	command.Flags().StringVar(&systemNamespace, "system-namespace", common.DefaultSystemNamespace, "Use different system namespace")
 	return command
 }
 
@@ -153,20 +158,8 @@ func NewCluster(name string, conf *rest.Config, managerBearerToken string, awsAu
 	tlsClientConfig := argoappv1.TLSClientConfig{
 		Insecure:   conf.TLSClientConfig.Insecure,
 		ServerName: conf.TLSClientConfig.ServerName,
-		CertData:   conf.TLSClientConfig.CertData,
-		KeyData:    conf.TLSClientConfig.KeyData,
 		CAData:     conf.TLSClientConfig.CAData,
 	}
-	if len(conf.TLSClientConfig.CertData) == 0 && conf.TLSClientConfig.CertFile != "" {
-		data, err := ioutil.ReadFile(conf.TLSClientConfig.CertFile)
-		errors.CheckError(err)
-		tlsClientConfig.CertData = data
-	}
-	if len(conf.TLSClientConfig.KeyData) == 0 && conf.TLSClientConfig.KeyFile != "" {
-		data, err := ioutil.ReadFile(conf.TLSClientConfig.KeyFile)
-		errors.CheckError(err)
-		tlsClientConfig.KeyData = data
-	}
 	if len(conf.TLSClientConfig.CAData) == 0 && conf.TLSClientConfig.CAFile != "" {
 		data, err := ioutil.ReadFile(conf.TLSClientConfig.CAFile)
 		errors.CheckError(err)
@@ -187,7 +180,7 @@ func NewCluster(name string, conf *rest.Config, managerBearerToken string, awsAu
 // NewClusterGetCommand returns a new instance of an `argocd cluster get` command
 func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "get",
+		Use:   "get CLUSTER",
 		Short: "Get cluster information",
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
@@ -197,7 +190,7 @@ func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
 			defer util.Close(conn)
 			for _, clusterName := range args {
-				clst, err := clusterIf.Get(context.Background(), &cluster.ClusterQuery{Server: clusterName})
+				clst, err := clusterIf.Get(context.Background(), &clusterpkg.ClusterQuery{Server: clusterName})
 				errors.CheckError(err)
 				yamlBytes, err := yaml.Marshal(clst)
 				errors.CheckError(err)
@@ -211,7 +204,7 @@ func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 // NewClusterRemoveCommand returns a new instance of an `argocd cluster list` command
 func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "rm",
+		Use:   "rm CLUSTER",
 		Short: "Remove cluster credentials",
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
@@ -226,9 +219,9 @@ func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 
 			for _, clusterName := range args {
 				// TODO(jessesuen): find the right context and remove manager RBAC artifacts
-				// err := common.UninstallClusterManagerRBAC(clientset)
+				// err := clusterauth.UninstallClusterManagerRBAC(clientset)
 				// errors.CheckError(err)
-				_, err := clusterIf.Delete(context.Background(), &cluster.ClusterQuery{Server: clusterName})
+				_, err := clusterIf.Delete(context.Background(), &clusterpkg.ClusterQuery{Server: clusterName})
 				errors.CheckError(err)
 			}
 		},
@@ -236,22 +229,65 @@ func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 	return command
 }
 
+// Print table of cluster information
+func printClusterTable(clusters []argoappv1.Cluster) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	_, _ = fmt.Fprintf(w, "SERVER\tNAME\tVERSION\tSTATUS\tMESSAGE\n")
+	for _, c := range clusters {
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", c.Server, c.Name, c.ServerVersion, c.ConnectionState.Status, c.ConnectionState.Message)
+	}
+	_ = w.Flush()
+}
+
+// Print list of cluster servers
+func printClusterServers(clusters []argoappv1.Cluster) {
+	for _, c := range clusters {
+		fmt.Println(c.Server)
+	}
+}
+
 // NewClusterListCommand returns a new instance of an `argocd cluster rm` command
 func NewClusterListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
 	var command = &cobra.Command{
 		Use:   "list",
 		Short: "List configured clusters",
 		Run: func(c *cobra.Command, args []string) {
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
 			defer util.Close(conn)
-			clusters, err := clusterIf.List(context.Background(), &cluster.ClusterQuery{})
+			clusters, err := clusterIf.List(context.Background(), &clusterpkg.ClusterQuery{})
 			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "SERVER\tNAME\tSTATUS\tMESSAGE\n")
-			for _, c := range clusters.Items {
-				fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", c.Server, c.Name, c.ConnectionState.Status, c.ConnectionState.Message)
+			if output == "server" {
+				printClusterServers(clusters.Items)
+			} else {
+				printClusterTable(clusters.Items)
 			}
-			_ = w.Flush()
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|server")
+	return command
+}
+
+// NewClusterRotateAuthCommand returns a new instance of an `argocd cluster rotate-auth` command
+func NewClusterRotateAuthCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "rotate-auth CLUSTER",
+		Short: fmt.Sprintf("%s cluster rotate-auth CLUSTER", cliName),
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
+			defer util.Close(conn)
+			clusterQuery := clusterpkg.ClusterQuery{
+				Server: args[0],
+			}
+			_, err := clusterIf.RotateAuth(context.Background(), &clusterQuery)
+			errors.CheckError(err)
+			fmt.Printf("Cluster '%s' rotated auth\n", clusterQuery.Server)
 		},
 	}
 	return command

cmd/argocd/commands/cluster_test.go

@@ -0,0 +1,31 @@
+package commands
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+func Test_printClusterTable(t *testing.T) {
+	printClusterTable([]v1alpha1.Cluster{
+		{
+			Server: "my-server",
+			Name:   "my-name",
+			Config: v1alpha1.ClusterConfig{
+				Username:        "my-username",
+				Password:        "my-password",
+				BearerToken:     "my-bearer-token",
+				TLSClientConfig: v1alpha1.TLSClientConfig{},
+				AWSAuthConfig:   nil,
+			},
+			ConnectionState: v1alpha1.ConnectionState{
+				Status:     "my-status",
+				Message:    "my-message",
+				ModifiedAt: &metav1.Time{},
+			},
+			ServerVersion: "my-version",
+		},
+	})
+}

cmd/argocd/commands/common.go

@@ -2,4 +2,8 @@ package commands
 
 const (
 	cliName = "argocd"
+
+	// DefaultSSOLocalPort is the localhost port to listen on for the temporary web server performing
+	// the OAuth2 login flow.
+	DefaultSSOLocalPort = 8085
 )

cmd/argocd/commands/completion.go

@@ -0,0 +1,233 @@
+package commands
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+const (
+	bashCompletionFunc = `
+__argocd_list_apps() {
+	local -a argocd_out
+	if argocd_out=($(argocd app list --output name 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_list_app_history() {
+	local app=$1
+	local -a argocd_out
+	if argocd_out=($(argocd app history $app --output id 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_app_rollback() {
+	local -a command
+	for comp_word in "${COMP_WORDS[@]}"; do
+		if [[ $comp_word =~ ^-.*$ ]]; then
+			continue
+		fi
+		command+=($comp_word)
+	done
+
+	# fourth arg is app (if present): e.g.- argocd app rollback guestbook
+	local app=${command[3]}
+	local id=${command[4]}
+	if [[ -z $app || $app == $cur ]]; then
+		__argocd_list_apps
+	elif [[ -z $id || $id == $cur ]]; then
+		__argocd_list_app_history $app
+	fi
+}
+
+__argocd_list_servers() {
+	local -a argocd_out
+	if argocd_out=($(argocd cluster list --output server 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_list_repos() {
+	local -a argocd_out
+	if argocd_out=($(argocd repo list --output url 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_list_projects() {
+	local -a argocd_out
+	if argocd_out=($(argocd proj list --output name 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_list_namespaces() {
+	local -a argocd_out
+	if argocd_out=($(kubectl get namespaces --no-headers 2>/dev/null | cut -f1 -d' ' 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_proj_server_namespace() {
+	local -a command
+	for comp_word in "${COMP_WORDS[@]}"; do
+		if [[ $comp_word =~ ^-.*$ ]]; then
+			continue
+		fi
+		command+=($comp_word)
+	done
+
+	# expect something like this: argocd proj add-destination PROJECT SERVER NAMESPACE
+	local project=${command[3]}
+	local server=${command[4]}
+	local namespace=${command[5]}
+	if [[ -z $project || $project == $cur ]]; then
+		__argocd_list_projects
+	elif [[ -z $server || $server == $cur ]]; then
+		__argocd_list_servers
+	elif [[ -z $namespace || $namespace == $cur ]]; then
+		__argocd_list_namespaces
+	fi
+}
+
+__argocd_list_project_role() {
+	local project="$1"
+	local -a argocd_out
+	if argocd_out=($(argocd proj role list "$project" --output=name 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_proj_role(){
+	local -a command
+	for comp_word in "${COMP_WORDS[@]}"; do
+		if [[ $comp_word =~ ^-.*$ ]]; then
+			continue
+		fi
+		command+=($comp_word)
+	done
+
+	# expect something like this: argocd proj role add-policy PROJECT ROLE-NAME
+	local project=${command[4]}
+	local role=${command[5]}
+	if [[ -z $project || $project == $cur ]]; then
+		__argocd_list_projects
+	elif [[ -z $role || $role == $cur ]]; then
+		__argocd_list_project_role $project
+	fi
+}
+
+__argocd_custom_func() {
+	case ${last_command} in
+		argocd_app_delete | \
+		argocd_app_diff | \
+		argocd_app_edit | \
+		argocd_app_get | \
+		argocd_app_history | \
+		argocd_app_manifests | \
+		argocd_app_patch-resource | \
+		argocd_app_set | \
+		argocd_app_sync | \
+		argocd_app_terminate-op | \
+		argocd_app_unset | \
+		argocd_app_wait | \
+		argocd_app_create)
+			__argocd_list_apps
+			return
+			;;
+		argocd_app_rollback)
+			__argocd_app_rollback
+			return
+			;;
+		argocd_cluster_get | \
+		argocd_cluster_rm | \
+		argocd_login | \
+		argocd_cluster_add)
+			__argocd_list_servers
+			return
+			;;
+		argocd_repo_rm | \
+		argocd_repo_add)
+			__argocd_list_repos
+			return
+			;;
+		argocd_proj_add-destination | \
+		argocd_proj_remove-destination)
+			__argocd_proj_server_namespace
+			return
+			;;
+		argocd_proj_add-source | \
+		argocd_proj_remove-source | \
+		argocd_proj_allow-cluster-resource | \
+		argocd_proj_allow-namespace-resource | \
+		argocd_proj_deny-cluster-resource | \
+		argocd_proj_deny-namespace-resource | \
+		argocd_proj_delete | \
+		argocd_proj_edit | \
+		argocd_proj_get | \
+		argocd_proj_set | \
+		argocd_proj_role_list)
+			__argocd_list_projects
+			return
+			;;
+		argocd_proj_role_remove-policy | \
+		argocd_proj_role_add-policy | \
+		argocd_proj_role_create | \
+		argocd_proj_role_delete | \
+		argocd_proj_role_get | \
+		argocd_proj_role_create-token | \
+		argocd_proj_role_delete-token)
+			__argocd_proj_role
+			return
+			;;
+		*)
+			;;
+	esac
+}
+	`
+)
+
+func NewCompletionCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "completion SHELL",
+		Short: "output shell completion code for the specified shell (bash or zsh)",
+		Long: `Write bash or zsh shell completion code to standard output.
+
+For bash, ensure you have bash completions installed and enabled.
+To access completions in your current shell, run
+$ source <(argocd completion bash)
+Alternatively, write it to a file and source in .bash_profile
+
+For zsh, output to a file in a directory referenced by the $fpath shell
+variable.
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			if len(args) != 1 {
+				cmd.HelpFunc()(cmd, args)
+				os.Exit(1)
+			}
+			shell := args[0]
+			rootCommand := NewCommand()
+			rootCommand.BashCompletionFunction = bashCompletionFunc
+			availableCompletions := map[string]func(io.Writer) error{
+				"bash": rootCommand.GenBashCompletion,
+				"zsh":  rootCommand.GenZshCompletion,
+			}
+			completion, ok := availableCompletions[shell]
+			if !ok {
+				fmt.Printf("Invalid shell '%s'. The supported shells are bash and zsh.\n", shell)
+				os.Exit(1)
+			}
+			if err := completion(os.Stdout); err != nil {
+				log.Fatal(err)
+			}
+		},
+	}
+
+	return command
+}

cmd/argocd/commands/context.go

@@ -8,25 +8,48 @@ import (
 	"strings"
 	"text/tabwriter"
 
+	"github.com/spf13/pflag"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	"github.com/argoproj/argo-cd/util/localconfig"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
 )
 
 // NewContextCommand returns a new instance of an `argocd ctx` command
 func NewContextCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var delete bool
 	var command = &cobra.Command{
 		Use:     "context",
 		Aliases: []string{"ctx"},
 		Short:   "Switch between contexts",
 		Run: func(c *cobra.Command, args []string) {
+
+			localCfg, err := localconfig.ReadLocalConfig(clientOpts.ConfigPath)
+			errors.CheckError(err)
+
+			deletePresentContext := false
+			c.Flags().Visit(func(f *pflag.Flag) {
+				if f.Name == "delete" {
+					deletePresentContext = true
+				}
+			})
+
 			if len(args) == 0 {
-				printArgoCDContexts(clientOpts.ConfigPath)
-				return
+				if deletePresentContext {
+					err := deleteContext(localCfg.CurrentContext, clientOpts.ConfigPath)
+					errors.CheckError(err)
+					return
+				} else {
+					printArgoCDContexts(clientOpts.ConfigPath)
+					return
+				}
 			}
+
 			ctxName := args[0]
+
 			argoCDDir, err := localconfig.DefaultConfigDir()
 			errors.CheckError(err)
 			prevCtxFile := path.Join(argoCDDir, ".prev-ctx")
@@ -36,8 +59,6 @@ func NewContextCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				errors.CheckError(err)
 				ctxName = string(prevCtxBytes)
 			}
-			localCfg, err := localconfig.ReadLocalConfig(clientOpts.ConfigPath)
-			errors.CheckError(err)
 			if localCfg.CurrentContext == ctxName {
 				fmt.Printf("Already at context '%s'\n", localCfg.CurrentContext)
 				return
@@ -47,6 +68,7 @@ func NewContextCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			}
 			prevCtx := localCfg.CurrentContext
 			localCfg.CurrentContext = ctxName
+
 			err = localconfig.WriteLocalConfig(*localCfg, clientOpts.ConfigPath)
 			errors.CheckError(err)
 			err = ioutil.WriteFile(prevCtxFile, []byte(prevCtx), 0644)
@@ -54,9 +76,43 @@ func NewContextCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			fmt.Printf("Switched to context '%s'\n", localCfg.CurrentContext)
 		},
 	}
+	command.Flags().BoolVar(&delete, "delete", false, "Delete the context instead of switching to it")
 	return command
 }
 
+func deleteContext(context, configPath string) error {
+
+	localCfg, err := localconfig.ReadLocalConfig(configPath)
+	errors.CheckError(err)
+	if localCfg == nil {
+		return fmt.Errorf("Nothing to logout from")
+	}
+
+	serverName, ok := localCfg.RemoveContext(context)
+	if !ok {
+		return fmt.Errorf("Context %s does not exist", context)
+	}
+	_ = localCfg.RemoveUser(context)
+	_ = localCfg.RemoveServer(serverName)
+
+	if localCfg.IsEmpty() {
+		err = localconfig.DeleteLocalConfig(configPath)
+		errors.CheckError(err)
+	} else {
+		if localCfg.CurrentContext == context {
+			localCfg.CurrentContext = localCfg.Contexts[0].Name
+		}
+		err = localconfig.ValidateLocalConfig(*localCfg)
+		if err != nil {
+			return fmt.Errorf("Error in logging out")
+		}
+		err = localconfig.WriteLocalConfig(*localCfg, configPath)
+		errors.CheckError(err)
+	}
+	fmt.Printf("Context '%s' deleted\n", context)
+	return nil
+}
+
 func printArgoCDContexts(configPath string) {
 	localCfg, err := localconfig.ReadLocalConfig(configPath)
 	errors.CheckError(err)

cmd/argocd/commands/context_test.go

@@ -0,0 +1,60 @@
+package commands
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/argoproj/argo-cd/util/localconfig"
+)
+
+const testConfig = `contexts:
+- name: argocd.example.com:443
+  server: argocd.example.com:443
+  user: argocd.example.com:443
+- name: localhost:8080
+  server: localhost:8080
+  user: localhost:8080
+current-context: localhost:8080
+servers:
+- server: argocd.example.com:443
+- plain-text: true
+  server: localhost:8080
+users:
+- auth-token: vErrYS3c3tReFRe$hToken
+  name: argocd.example.com:443
+  refresh-token: vErrYS3c3tReFRe$hToken
+- auth-token: vErrYS3c3tReFRe$hToken
+  name: localhost:8080`
+
+const testConfigFilePath = "./testdata/config"
+
+func TestContextDelete(t *testing.T) {
+
+	// Write the test config file
+	err := ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)
+	assert.NoError(t, err)
+
+	localConfig, err := localconfig.ReadLocalConfig(testConfigFilePath)
+	assert.NoError(t, err)
+	assert.Equal(t, localConfig.CurrentContext, "localhost:8080")
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "localhost:8080", Server: "localhost:8080", User: "localhost:8080"})
+
+	err = deleteContext("localhost:8080", testConfigFilePath)
+	assert.NoError(t, err)
+
+	localConfig, err = localconfig.ReadLocalConfig(testConfigFilePath)
+	assert.NoError(t, err)
+	assert.Equal(t, localConfig.CurrentContext, "argocd.example.com:443")
+	assert.NotContains(t, localConfig.Contexts, localconfig.ContextRef{Name: "localhost:8080", Server: "localhost:8080", User: "localhost:8080"})
+	assert.NotContains(t, localConfig.Servers, localconfig.Server{PlainText: true, Server: "localhost:8080"})
+	assert.NotContains(t, localConfig.Users, localconfig.User{AuthToken: "vErrYS3c3tReFRe$hToken", Name: "localhost:8080"})
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd.example.com:443", Server: "argocd.example.com:443", User: "argocd.example.com:443"})
+
+	// Write the file again so that no conflicts are made in git
+	err = ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)
+	assert.NoError(t, err)
+
+}

cmd/argocd/commands/login.go

@@ -2,28 +2,29 @@ package commands
 
 import (
 	"context"
-	"crypto/tls"
 	"fmt"
-	"net"
 	"net/http"
 	"os"
 	"strconv"
 	"time"
 
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/errors"
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	"github.com/argoproj/argo-cd/server/session"
-	"github.com/argoproj/argo-cd/server/settings"
-	"github.com/argoproj/argo-cd/util"
-	"github.com/argoproj/argo-cd/util/cli"
-	grpc_util "github.com/argoproj/argo-cd/util/grpc"
-	"github.com/argoproj/argo-cd/util/localconfig"
-	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/coreos/go-oidc"
+	"github.com/dgrijalva/jwt-go"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	sessionpkg "github.com/argoproj/argo-cd/pkg/apiclient/session"
+	settingspkg "github.com/argoproj/argo-cd/pkg/apiclient/settings"
+	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/cli"
+	grpc_util "github.com/argoproj/argo-cd/util/grpc"
+	"github.com/argoproj/argo-cd/util/localconfig"
+	oidcutil "github.com/argoproj/argo-cd/util/oidc"
+	"github.com/argoproj/argo-cd/util/rand"
 )
 
 // NewLoginCommand returns a new instance of `argocd login` command
@@ -33,6 +34,7 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 		username string
 		password string
 		sso      bool
+		ssoPort  int
 	)
 	var command = &cobra.Command{
 		Use:   "login SERVER",
@@ -66,6 +68,7 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 				ServerAddr: server,
 				Insecure:   globalClientOpts.Insecure,
 				PlainText:  globalClientOpts.PlainText,
+				GRPCWeb:    globalClientOpts.GRPCWeb,
 			}
 			acdClient := argocdclient.NewClientOrDie(&clientOpts)
 			setConn, setIf := acdClient.NewSettingsClientOrDie()
@@ -81,12 +84,15 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 			if !sso {
 				tokenString = passwordLogin(acdClient, username, password)
 			} else {
-				acdSet, err := setIf.Get(context.Background(), &settings.SettingsQuery{})
+				ctx := context.Background()
+				httpClient, err := acdClient.HTTPClient()
 				errors.CheckError(err)
-				if !ssoConfigured(acdSet) {
-					log.Fatalf("ArgoCD instance is not configured with SSO")
-				}
-				tokenString, refreshToken = oauth2Login(server, clientOpts.PlainText)
+				ctx = oidc.ClientContext(ctx, httpClient)
+				acdSet, err := setIf.Get(ctx, &settingspkg.SettingsQuery{})
+				errors.CheckError(err)
+				oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
+				errors.CheckError(err)
+				tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
 			}
 
 			parser := &jwt.Parser{
@@ -107,6 +113,7 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 				Server:    server,
 				PlainText: globalClientOpts.PlainText,
 				Insecure:  globalClientOpts.Insecure,
+				GRPCWeb:   globalClientOpts.GRPCWeb,
 			})
 			localCfg.UpsertUser(localconfig.User{
 				Name:         ctxName,
@@ -130,7 +137,8 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 	command.Flags().StringVar(&ctxName, "name", "", "name to use for the context")
 	command.Flags().StringVar(&username, "username", "", "the username of an account to authenticate")
 	command.Flags().StringVar(&password, "password", "", "the password of an account to authenticate")
-	command.Flags().BoolVar(&sso, "sso", false, "Perform SSO login")
+	command.Flags().BoolVar(&sso, "sso", false, "perform SSO login")
+	command.Flags().IntVar(&ssoPort, "sso-port", DefaultSSOLocalPort, "port to run local OAuth2 login application")
 	return command
 }
 
@@ -144,97 +152,112 @@ func userDisplayName(claims jwt.MapClaims) string {
 	return claims["sub"].(string)
 }
 
-func ssoConfigured(set *settings.Settings) bool {
-	return set.DexConfig != nil && len(set.DexConfig.Connectors) > 0
-}
-
-// getFreePort asks the kernel for a free open port that is ready to use.
-func getFreePort() (int, error) {
-	ln, err := net.Listen("tcp", "[::]:0")
-	if err != nil {
-		return 0, err
-	}
-	return ln.Addr().(*net.TCPAddr).Port, ln.Close()
-}
-
 // oauth2Login opens a browser, runs a temporary HTTP server to delegate OAuth2 login flow and
 // returns the JWT token and a refresh token (if supported)
-func oauth2Login(host string, plaintext bool) (string, string) {
-	ctx := context.Background()
-	port, err := getFreePort()
+func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCConfig, oauth2conf *oauth2.Config, provider *oidc.Provider) (string, string) {
+	oauth2conf.RedirectURL = fmt.Sprintf("http://localhost:%d/auth/callback", port)
+	oidcConf, err := oidcutil.ParseConfig(provider)
 	errors.CheckError(err)
-	var scheme = "https"
-	if plaintext {
-		scheme = "http"
-	}
-	conf := &oauth2.Config{
-		ClientID: common.ArgoCDCLIClientAppID,
-		Scopes:   []string{"openid", "profile", "email", "groups", "offline_access"},
-		Endpoint: oauth2.Endpoint{
-			AuthURL:  fmt.Sprintf("%s://%s%s/auth", scheme, host, common.DexAPIEndpoint),
-			TokenURL: fmt.Sprintf("%s://%s%s/token", scheme, host, common.DexAPIEndpoint),
-		},
-		RedirectURL: fmt.Sprintf("http://localhost:%d/auth/callback", port),
-	}
-	srv := &http.Server{Addr: ":" + strconv.Itoa(port)}
+	log.Debug("OIDC Configuration:")
+	log.Debugf("  supported_scopes: %v", oidcConf.ScopesSupported)
+	log.Debugf("  response_types_supported: %v", oidcConf.ResponseTypesSupported)
+
+	// handledRequests ensures we do not handle more requests than necessary
+	handledRequests := 0
+	// completionChan is to signal flow completed. Non-empty string indicates error
+	completionChan := make(chan string)
+	// stateNonce is an OAuth2 state nonce
+	stateNonce := rand.RandString(10)
 	var tokenString string
 	var refreshToken string
-	loginCompleted := make(chan struct{})
 
+	handleErr := func(w http.ResponseWriter, errMsg string) {
+		http.Error(w, errMsg, http.StatusBadRequest)
+		completionChan <- errMsg
+	}
+
+	// Authorization redirect callback from OAuth2 auth flow.
+	// Handles both implicit and authorization code flow
 	callbackHandler := func(w http.ResponseWriter, r *http.Request) {
-		defer func() {
-			loginCompleted <- struct{}{}
-		}()
+		log.Debugf("Callback: %s", r.URL)
 
-		// Authorization redirect callback from OAuth2 auth flow.
-		if errMsg := r.FormValue("error"); errMsg != "" {
-			http.Error(w, errMsg+": "+r.FormValue("error_description"), http.StatusBadRequest)
-			log.Fatal(errMsg)
+		if formErr := r.FormValue("error"); formErr != "" {
+			handleErr(w, formErr+": "+r.FormValue("error_description"))
 			return
 		}
-		code := r.FormValue("code")
-		if code == "" {
-			errMsg := fmt.Sprintf("no code in request: %q", r.Form)
-			http.Error(w, errMsg, http.StatusBadRequest)
-			log.Fatal(errMsg)
-			return
-		}
-		tok, err := conf.Exchange(ctx, code)
-		errors.CheckError(err)
-		log.Info("Authentication successful")
 
-		var ok bool
-		tokenString, ok = tok.Extra("id_token").(string)
-		if !ok {
-			errMsg := "no id_token in token response"
-			http.Error(w, errMsg, http.StatusInternalServerError)
-			log.Fatal(errMsg)
+		handledRequests++
+		if handledRequests > 2 {
+			// Since implicit flow will redirect back to ourselves, this counter ensures we do not
+			// fallinto a redirect loop (e.g. user visits the page by hand)
+			handleErr(w, "Unable to complete login flow: too many redirects")
 			return
 		}
-		refreshToken, _ = tok.Extra("refresh_token").(string)
-		log.Debugf("Token: %s", tokenString)
-		log.Debugf("Refresh Token: %s", tokenString)
+
+		if len(r.Form) == 0 {
+			// If we get here, no form data was set. We presume to be performing an implicit login
+			// flow where the id_token is contained in a URL fragment, making it inaccessible to be
+			// read from the request. This javascript will redirect the browser to send the
+			// fragments as query parameters so our callback handler can read and return token.
+			fmt.Fprintf(w, `<script>window.location.search = window.location.hash.substring(1)</script>`)
+			return
+		}
+
+		if state := r.FormValue("state"); state != stateNonce {
+			handleErr(w, "Unknown state nonce")
+			return
+		}
+
+		tokenString = r.FormValue("id_token")
+		if tokenString == "" {
+			code := r.FormValue("code")
+			if code == "" {
+				handleErr(w, fmt.Sprintf("no code in request: %q", r.Form))
+				return
+			}
+			tok, err := oauth2conf.Exchange(ctx, code)
+			if err != nil {
+				handleErr(w, err.Error())
+				return
+			}
+			var ok bool
+			tokenString, ok = tok.Extra("id_token").(string)
+			if !ok {
+				handleErr(w, "no id_token in token response")
+				return
+			}
+			refreshToken, _ = tok.Extra("refresh_token").(string)
+		}
 		successPage := `
 		<div style="height:100px; width:100%!; display:flex; flex-direction: column; justify-content: center; align-items:center; background-color:#2ecc71; color:white; font-size:22"><div>Authentication successful!</div></div>
 		<p style="margin-top:20px; font-size:18; text-align:center">Authentication was successful, you can now return to CLI. This page will close automatically</p>
 		<script>window.onload=function(){setTimeout(this.close, 4000)}</script>
 		`
-		fmt.Fprintf(w, successPage)
+		fmt.Fprint(w, successPage)
+		completionChan <- ""
 	}
+	srv := &http.Server{Addr: "localhost:" + strconv.Itoa(port)}
 	http.HandleFunc("/auth/callback", callbackHandler)
 
-	// add transport for self-signed certificate to context
-	sslcli := &http.Client{
-		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-		},
-	}
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, sslcli)
-
 	// Redirect user to login & consent page to ask for permission for the scopes specified above.
-	log.Info("Opening browser for authentication")
-	url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline)
-	log.Infof("Authentication URL: %s", url)
+	fmt.Printf("Opening browser for authentication\n")
+
+	var url string
+	grantType := oidcutil.InferGrantType(oidcConf)
+	opts := []oauth2.AuthCodeOption{oauth2.AccessTypeOffline}
+	if claimsRequested := oidcSettings.GetIDTokenClaims(); claimsRequested != nil {
+		opts = oidcutil.AppendClaimsAuthenticationRequestParameter(opts, claimsRequested)
+	}
+
+	switch grantType {
+	case oidcutil.GrantTypeAuthorizationCode:
+		url = oauth2conf.AuthCodeURL(stateNonce, opts...)
+	case oidcutil.GrantTypeImplicit:
+		url = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...)
+	default:
+		log.Fatalf("Unsupported grant type: %v", grantType)
+	}
+	fmt.Printf("Performing %s flow login: %s\n", grantType, url)
 	time.Sleep(1 * time.Second)
 	err = open.Run(url)
 	errors.CheckError(err)
@@ -243,8 +266,16 @@ func oauth2Login(host string, plaintext bool) (string, string) {
 			log.Fatalf("listen: %s\n", err)
 		}
 	}()
-	<-loginCompleted
+	errMsg := <-completionChan
+	if errMsg != "" {
+		log.Fatal(errMsg)
+	}
+	fmt.Printf("Authentication successful\n")
+	ctx, cancel := context.WithTimeout(ctx, 1*time.Second)
+	defer cancel()
 	_ = srv.Shutdown(ctx)
+	log.Debugf("Token: %s", tokenString)
+	log.Debugf("Refresh Token: %s", refreshToken)
 	return tokenString, refreshToken
 }
 
@@ -252,7 +283,7 @@ func passwordLogin(acdClient argocdclient.Client, username, password string) str
 	username, password = cli.PromptCredentials(username, password)
 	sessConn, sessionIf := acdClient.NewSessionClientOrDie()
 	defer util.Close(sessConn)
-	sessionRequest := session.SessionCreateRequest{
+	sessionRequest := sessionpkg.SessionCreateRequest{
 		Username: username,
 		Password: password,
 	}

cmd/argocd/commands/logout.go

@@ -0,0 +1,50 @@
+package commands
+
+import (
+	"fmt"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	"github.com/argoproj/argo-cd/util/localconfig"
+)
+
+// NewLogoutCommand returns a new instance of `argocd logout` command
+func NewLogoutCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "logout CONTEXT",
+		Short: "Log out from Argo CD",
+		Long:  "Log out from Argo CD",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) == 0 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			context := args[0]
+
+			localCfg, err := localconfig.ReadLocalConfig(globalClientOpts.ConfigPath)
+			errors.CheckError(err)
+			if localCfg == nil {
+				log.Fatalf("Nothing to logout from")
+			}
+
+			ok := localCfg.RemoveToken(context)
+			if !ok {
+				log.Fatalf("Context %s does not exist", context)
+			}
+
+			err = localconfig.ValidateLocalConfig(*localCfg)
+			if err != nil {
+				log.Fatalf("Error in logging out: %s", err)
+			}
+			err = localconfig.WriteLocalConfig(*localCfg, globalClientOpts.ConfigPath)
+			errors.CheckError(err)
+
+			fmt.Printf("Logged out from '%s'\n", context)
+		},
+	}
+	return command
+}

cmd/argocd/commands/logout_test.go

@@ -0,0 +1,39 @@
+package commands
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/argoproj/argo-cd/pkg/apiclient"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/argoproj/argo-cd/util/localconfig"
+)
+
+func TestLogout(t *testing.T) {
+
+	// Write the test config file
+	err := ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)
+	assert.NoError(t, err)
+
+	localConfig, err := localconfig.ReadLocalConfig(testConfigFilePath)
+	assert.NoError(t, err)
+	assert.Equal(t, localConfig.CurrentContext, "localhost:8080")
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "localhost:8080", Server: "localhost:8080", User: "localhost:8080"})
+
+	command := NewLogoutCommand(&apiclient.ClientOptions{ConfigPath: testConfigFilePath})
+	command.Run(nil, []string{"localhost:8080"})
+
+	localConfig, err = localconfig.ReadLocalConfig(testConfigFilePath)
+	assert.NoError(t, err)
+	assert.Equal(t, localConfig.CurrentContext, "localhost:8080")
+	assert.NotContains(t, localConfig.Users, localconfig.User{AuthToken: "vErrYS3c3tReFRe$hToken", Name: "localhost:8080"})
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd.example.com:443", Server: "argocd.example.com:443", User: "argocd.example.com:443"})
+
+	// Write the file again so that no conflicts are made in git
+	err = ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)
+	assert.NoError(t, err)
+
+}

cmd/argocd/commands/project.go

@@ -1,38 +1,41 @@
 package commands
 
 import (
+	"bufio"
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
+	"net/url"
 	"os"
-	"strconv"
 	"strings"
 	"text/tabwriter"
 	"time"
 
-	timeutil "github.com/argoproj/pkg/time"
 	"github.com/dustin/go-humanize"
+	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
 
 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/server/project"
 	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/config"
 	"github.com/argoproj/argo-cd/util/git"
-	projectutil "github.com/argoproj/argo-cd/util/project"
-)
-
-const (
-	policyTemplate = "p, proj:%s:%s, applications, %s, %s/%s, %s"
 )
 
 type projectOpts struct {
-	description  string
-	destinations []string
-	sources      []string
+	description              string
+	destinations             []string
+	sources                  []string
+	orphanedResourcesEnabled bool
+	orphanedResourcesWarn    bool
 }
 
 type policyOpts struct {
@@ -69,9 +72,11 @@ func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	}
 	command.AddCommand(NewProjectRoleCommand(clientOpts))
 	command.AddCommand(NewProjectCreateCommand(clientOpts))
+	command.AddCommand(NewProjectGetCommand(clientOpts))
 	command.AddCommand(NewProjectDeleteCommand(clientOpts))
 	command.AddCommand(NewProjectListCommand(clientOpts))
 	command.AddCommand(NewProjectSetCommand(clientOpts))
+	command.AddCommand(NewProjectEditCommand(clientOpts))
 	command.AddCommand(NewProjectAddDestinationCommand(clientOpts))
 	command.AddCommand(NewProjectRemoveDestinationCommand(clientOpts))
 	command.AddCommand(NewProjectAddSourceCommand(clientOpts))
@@ -80,6 +85,7 @@ func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command.AddCommand(NewProjectDenyClusterResourceCommand(clientOpts))
 	command.AddCommand(NewProjectAllowNamespaceResourceCommand(clientOpts))
 	command.AddCommand(NewProjectDenyNamespaceResourceCommand(clientOpts))
+	command.AddCommand(NewProjectWindowsCommand(clientOpts))
 	return command
 }
 
@@ -87,7 +93,21 @@ func addProjFlags(command *cobra.Command, opts *projectOpts) {
 	command.Flags().StringVarP(&opts.description, "description", "", "", "Project description")
 	command.Flags().StringArrayVarP(&opts.destinations, "dest", "d", []string{},
 		"Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)")
-	command.Flags().StringArrayVarP(&opts.sources, "src", "s", []string{}, "Permitted git source repository URL")
+	command.Flags().StringArrayVarP(&opts.sources, "src", "s", []string{}, "Permitted source repository URL")
+	command.Flags().BoolVar(&opts.orphanedResourcesEnabled, "orphaned-resources", false, "Enables orphaned resources monitoring")
+	command.Flags().BoolVar(&opts.orphanedResourcesWarn, "orphaned-resources-warn", false, "Specifies if applications should be a warning condition when orphaned resources detected")
+}
+
+func getOrphanedResourcesSettings(c *cobra.Command, opts projectOpts) *v1alpha1.OrphanedResourcesMonitorSettings {
+	warnChanged := c.Flag("orphaned-resources-warn").Changed
+	if opts.orphanedResourcesEnabled || warnChanged {
+		settings := v1alpha1.OrphanedResourcesMonitorSettings{}
+		if warnChanged {
+			settings.Warn = pointer.BoolPtr(opts.orphanedResourcesWarn)
+		}
+		return &settings
+	}
+	return nil
 }
 
 func addPolicyFlags(command *cobra.Command, opts *policyOpts) {
@@ -96,326 +116,6 @@ func addPolicyFlags(command *cobra.Command, opts *policyOpts) {
 	command.Flags().StringVarP(&opts.object, "object", "o", "", "Object within the project to grant/deny access.  Use '*' for a wildcard. Will want access to '<project>/<object>'")
 }
 
-// NewProjectRoleCommand returns a new instance of the `argocd proj role` command
-func NewProjectRoleCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	roleCommand := &cobra.Command{
-		Use:   "role",
-		Short: "Manage a project's roles",
-		Run: func(c *cobra.Command, args []string) {
-			c.HelpFunc()(c, args)
-			os.Exit(1)
-		},
-	}
-	roleCommand.AddCommand(NewProjectRoleListCommand(clientOpts))
-	roleCommand.AddCommand(NewProjectRoleGetCommand(clientOpts))
-	roleCommand.AddCommand(NewProjectRoleCreateCommand(clientOpts))
-	roleCommand.AddCommand(NewProjectRoleDeleteCommand(clientOpts))
-	roleCommand.AddCommand(NewProjectRoleCreateTokenCommand(clientOpts))
-	roleCommand.AddCommand(NewProjectRoleDeleteTokenCommand(clientOpts))
-	roleCommand.AddCommand(NewProjectRoleAddPolicyCommand(clientOpts))
-	roleCommand.AddCommand(NewProjectRoleRemovePolicyCommand(clientOpts))
-	return roleCommand
-}
-
-// NewProjectRoleAddPolicyCommand returns a new instance of an `argocd proj role add-policy` command
-func NewProjectRoleAddPolicyCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var (
-		opts policyOpts
-	)
-	var command = &cobra.Command{
-		Use:   "add-policy PROJECT ROLE-NAME",
-		Short: "Add a policy to a project role",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			if len(opts.action) <= 0 {
-				log.Fatal("Action needs to longer than 0 characters")
-			}
-			if len(opts.object) <= 0 {
-				log.Fatal("Objects needs to longer than 0 characters")
-
-			}
-
-			projName := args[0]
-			roleName := args[1]
-			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
-
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
-			errors.CheckError(err)
-
-			roleIndex, err := projectutil.GetRoleIndexByName(proj, roleName)
-			if err != nil {
-				log.Fatal(err)
-			}
-			role := proj.Spec.Roles[roleIndex]
-
-			policy := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.action, proj.Name, opts.object, opts.permission)
-			proj.Spec.Roles[roleIndex].Policies = append(role.Policies, policy)
-
-			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
-			errors.CheckError(err)
-		},
-	}
-	addPolicyFlags(command, &opts)
-	return command
-}
-
-// NewProjectRoleRemovePolicyCommand returns a new instance of an `argocd proj role remove-policy` command
-func NewProjectRoleRemovePolicyCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var (
-		opts policyOpts
-	)
-	var command = &cobra.Command{
-		Use:   "remove-policy PROJECT ROLE-NAME",
-		Short: "Remove a policy from a role within a project",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			if opts.permission != "allow" && opts.permission != "deny" {
-				log.Fatal("Permission flag can only have the values 'allow' or 'deny'")
-			}
-
-			if len(opts.action) <= 0 {
-				log.Fatal("Action needs to longer than 0 characters")
-			}
-			if len(opts.object) <= 0 {
-				log.Fatal("Objects needs to longer than 0 characters")
-
-			}
-
-			projName := args[0]
-			roleName := args[1]
-			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
-
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
-			errors.CheckError(err)
-
-			roleIndex, err := projectutil.GetRoleIndexByName(proj, roleName)
-			if err != nil {
-				log.Fatal(err)
-			}
-			role := proj.Spec.Roles[roleIndex]
-
-			policyToRemove := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.action, proj.Name, opts.object, opts.permission)
-			duplicateIndex := -1
-			for i, policy := range role.Policies {
-				if policy == policyToRemove {
-					duplicateIndex = i
-					break
-				}
-			}
-			if duplicateIndex < 0 {
-				return
-			}
-			role.Policies[duplicateIndex] = role.Policies[len(role.Policies)-1]
-			proj.Spec.Roles[roleIndex].Policies = role.Policies[:len(role.Policies)-1]
-			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
-			errors.CheckError(err)
-		},
-	}
-	addPolicyFlags(command, &opts)
-	return command
-}
-
-// NewProjectRoleCreateCommand returns a new instance of an `argocd proj role create` command
-func NewProjectRoleCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var (
-		description string
-	)
-	var command = &cobra.Command{
-		Use:   "create PROJECT ROLE-NAME",
-		Short: "Create a project role",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			projName := args[0]
-			roleName := args[1]
-			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
-
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
-			errors.CheckError(err)
-
-			_, err = projectutil.GetRoleIndexByName(proj, roleName)
-			if err == nil {
-				return
-			}
-			proj.Spec.Roles = append(proj.Spec.Roles, v1alpha1.ProjectRole{Name: roleName, Description: description})
-
-			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
-			errors.CheckError(err)
-		},
-	}
-	command.Flags().StringVarP(&description, "description", "", "", "Project description")
-	return command
-}
-
-// NewProjectRoleDeleteCommand returns a new instance of an `argocd proj role delete` command
-func NewProjectRoleDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var command = &cobra.Command{
-		Use:   "delete PROJECT ROLE-NAME",
-		Short: "Delete a project role",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			projName := args[0]
-			roleName := args[1]
-			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
-
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
-			errors.CheckError(err)
-
-			index, err := projectutil.GetRoleIndexByName(proj, roleName)
-			if err != nil {
-				return
-			}
-			proj.Spec.Roles[index] = proj.Spec.Roles[len(proj.Spec.Roles)-1]
-			proj.Spec.Roles = proj.Spec.Roles[:len(proj.Spec.Roles)-1]
-
-			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
-			errors.CheckError(err)
-		},
-	}
-	return command
-}
-
-// NewProjectRoleCreateTokenCommand returns a new instance of an `argocd proj role create-token` command
-func NewProjectRoleCreateTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var (
-		expiresIn string
-	)
-	var command = &cobra.Command{
-		Use:   "create-token PROJECT ROLE-NAME",
-		Short: "Create a project token",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			projName := args[0]
-			roleName := args[1]
-			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
-			duration, err := timeutil.ParseDuration(expiresIn)
-			errors.CheckError(err)
-			token, err := projIf.CreateToken(context.Background(), &project.ProjectTokenCreateRequest{Project: projName, Role: roleName, ExpiresIn: int64(duration.Seconds())})
-			errors.CheckError(err)
-			fmt.Println(token.Token)
-		},
-	}
-	command.Flags().StringVarP(&expiresIn, "expires-in", "e", "0s", "Duration before the token will expire. (Default: No expiration)")
-
-	return command
-}
-
-// NewProjectRoleDeleteTokenCommand returns a new instance of an `argocd proj role delete-token` command
-func NewProjectRoleDeleteTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var command = &cobra.Command{
-		Use:   "delete-token PROJECT ROLE-NAME ISSUED-AT",
-		Short: "Delete a project token",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 3 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			projName := args[0]
-			roleName := args[1]
-			issuedAt, err := strconv.ParseInt(args[2], 10, 64)
-			if err != nil {
-				log.Fatal(err)
-			}
-
-			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
-
-			_, err = projIf.DeleteToken(context.Background(), &project.ProjectTokenDeleteRequest{Project: projName, Role: roleName, Iat: issuedAt})
-			errors.CheckError(err)
-		},
-	}
-	return command
-}
-
-// NewProjectRoleListCommand returns a new instance of an `argocd proj roles list` command
-func NewProjectRoleListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var command = &cobra.Command{
-		Use:   "list PROJECT",
-		Short: "List all the roles in a project",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 1 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			projName := args[0]
-			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
-
-			project, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
-			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "ROLE-NAME\tDESCRIPTION\n")
-			for _, role := range project.Spec.Roles {
-				fmt.Fprintf(w, "%s\t%s\n", role.Name, role.Description)
-			}
-			_ = w.Flush()
-		},
-	}
-	return command
-}
-
-// NewProjectRoleGetCommand returns a new instance of an `argocd proj roles get` command
-func NewProjectRoleGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var command = &cobra.Command{
-		Use:   "get PROJECT ROLE-NAME",
-		Short: "Get the details of a specific role",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			projName := args[0]
-			roleName := args[1]
-			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
-
-			project, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
-			errors.CheckError(err)
-
-			index, err := projectutil.GetRoleIndexByName(project, roleName)
-			errors.CheckError(err)
-			role := project.Spec.Roles[index]
-
-			printRoleFmtStr := "%-15s%s\n"
-			fmt.Printf(printRoleFmtStr, "Role Name:", roleName)
-			fmt.Printf(printRoleFmtStr, "Description:", role.Description)
-			fmt.Printf("Policies:\n")
-			fmt.Printf("%s\n", project.ProjectPoliciesString())
-			fmt.Printf("JWT Tokens:\n")
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "ID\tISSUED-AT\tEXPIRES-AT\n")
-			for _, token := range role.JWTTokens {
-				expiresAt := "<none>"
-				if token.ExpiresAt > 0 {
-					expiresAt = humanizeTimestamp(token.ExpiresAt)
-				}
-				fmt.Fprintf(w, "%d\t%s\t%s\n", token.IssuedAt, humanizeTimestamp(token.IssuedAt), expiresAt)
-			}
-			_ = w.Flush()
-		},
-	}
-	return command
-}
-
 func humanizeTimestamp(epoch int64) string {
 	ts := time.Unix(epoch, 0)
 	return fmt.Sprintf("%s (%s)", ts.Format(time.RFC3339), humanize.Time(ts))
@@ -424,32 +124,63 @@ func humanizeTimestamp(epoch int64) string {
 // NewProjectCreateCommand returns a new instance of an `argocd proj create` command
 func NewProjectCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		opts projectOpts
+		opts    projectOpts
+		fileURL string
+		upsert  bool
 	)
 	var command = &cobra.Command{
 		Use:   "create PROJECT",
 		Short: "Create a project",
 		Run: func(c *cobra.Command, args []string) {
-			if len(args) == 0 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			projName := args[0]
-			proj := v1alpha1.AppProject{
-				ObjectMeta: v1.ObjectMeta{Name: projName},
-				Spec: v1alpha1.AppProjectSpec{
-					Description:  opts.description,
-					Destinations: opts.GetDestinations(),
-					SourceRepos:  opts.sources,
-				},
+			var proj v1alpha1.AppProject
+			if fileURL == "-" {
+				// read stdin
+				reader := bufio.NewReader(os.Stdin)
+				err := config.UnmarshalReader(reader, &proj)
+				if err != nil {
+					log.Fatalf("unable to read manifest from stdin: %v", err)
+				}
+			} else if fileURL != "" {
+				// read uri
+				parsedURL, err := url.ParseRequestURI(fileURL)
+				if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
+					err = config.UnmarshalLocalFile(fileURL, &proj)
+				} else {
+					err = config.UnmarshalRemoteFile(fileURL, &proj)
+				}
+				errors.CheckError(err)
+				if len(args) == 1 && args[0] != proj.Name {
+					log.Fatalf("project name '%s' does not match project spec metadata.name '%s'", args[0], proj.Name)
+				}
+			} else {
+				// read arguments
+				if len(args) == 0 {
+					c.HelpFunc()(c, args)
+					os.Exit(1)
+				}
+				projName := args[0]
+				proj = v1alpha1.AppProject{
+					ObjectMeta: v1.ObjectMeta{Name: projName},
+					Spec: v1alpha1.AppProjectSpec{
+						Description:       opts.description,
+						Destinations:      opts.GetDestinations(),
+						SourceRepos:       opts.sources,
+						OrphanedResources: getOrphanedResourcesSettings(c, opts),
+					},
+				}
 			}
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
-
-			_, err := projIf.Create(context.Background(), &project.ProjectCreateRequest{Project: &proj})
+			_, err := projIf.Create(context.Background(), &projectpkg.ProjectCreateRequest{Project: &proj, Upsert: upsert})
 			errors.CheckError(err)
 		},
 	}
+	command.Flags().BoolVar(&upsert, "upsert", false, "Allows to override a project with the same name even if supplied project spec is different from existing spec")
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the project")
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	if err != nil {
+		log.Fatal(err)
+	}
 	addProjFlags(command, &opts)
 	return command
 }
@@ -471,7 +202,7 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
 
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
 			visited := 0
@@ -484,6 +215,8 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 					proj.Spec.Destinations = opts.GetDestinations()
 				case "src":
 					proj.Spec.SourceRepos = opts.sources
+				case "orphaned-resources", "orphaned-resources-warn":
+					proj.Spec.OrphanedResources = getOrphanedResourcesSettings(c, opts)
 				}
 			})
 			if visited == 0 {
@@ -492,7 +225,7 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 				os.Exit(1)
 			}
 
-			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
 			errors.CheckError(err)
 		},
 	}
@@ -516,7 +249,7 @@ func NewProjectAddDestinationCommand(clientOpts *argocdclient.ClientOptions) *co
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
 
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
 			for _, dest := range proj.Spec.Destinations {
@@ -525,7 +258,7 @@ func NewProjectAddDestinationCommand(clientOpts *argocdclient.ClientOptions) *co
 				}
 			}
 			proj.Spec.Destinations = append(proj.Spec.Destinations, v1alpha1.ApplicationDestination{Server: server, Namespace: namespace})
-			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
 			errors.CheckError(err)
 		},
 	}
@@ -548,7 +281,7 @@ func NewProjectRemoveDestinationCommand(clientOpts *argocdclient.ClientOptions)
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
 
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
 			index := -1
@@ -562,7 +295,7 @@ func NewProjectRemoveDestinationCommand(clientOpts *argocdclient.ClientOptions)
 				log.Fatal("Specified destination does not exist in project")
 			} else {
 				proj.Spec.Destinations = append(proj.Spec.Destinations[:index], proj.Spec.Destinations[index+1:]...)
-				_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+				_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
 				errors.CheckError(err)
 			}
 		},
@@ -586,21 +319,21 @@ func NewProjectAddSourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
 
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
 			for _, item := range proj.Spec.SourceRepos {
 				if item == "*" && item == url {
-					log.Info("Wildcard source repository is already defined in project")
+					fmt.Printf("Source repository '*' already allowed in project\n")
 					return
 				}
-				if item == git.NormalizeGitURL(url) {
-					log.Info("Specified source repository is already defined in project")
+				if git.SameURL(item, url) {
+					fmt.Printf("Source repository '%s' already allowed in project\n", item)
 					return
 				}
 			}
 			proj.Spec.SourceRepos = append(proj.Spec.SourceRepos, url)
-			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
 			errors.CheckError(err)
 		},
 	}
@@ -620,11 +353,11 @@ func modifyProjectResourceCmd(cmdUse, cmdDesc string, clientOpts *argocdclient.C
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
 
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
 			if action(proj, group, kind) {
-				_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+				_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
 				errors.CheckError(err)
 			}
 		},
@@ -644,7 +377,7 @@ func NewProjectAllowNamespaceResourceCommand(clientOpts *argocdclient.ClientOpti
 			}
 		}
 		if index == -1 {
-			log.Info("Specified cluster resource is not blacklisted")
+			fmt.Printf("Group '%s' and kind '%s' not in blacklisted namespaced resources\n", group, kind)
 			return false
 		}
 		proj.Spec.NamespaceResourceBlacklist = append(proj.Spec.NamespaceResourceBlacklist[:index], proj.Spec.NamespaceResourceBlacklist[index+1:]...)
@@ -659,7 +392,7 @@ func NewProjectDenyNamespaceResourceCommand(clientOpts *argocdclient.ClientOptio
 	return modifyProjectResourceCmd(use, desc, clientOpts, func(proj *v1alpha1.AppProject, group string, kind string) bool {
 		for _, item := range proj.Spec.NamespaceResourceBlacklist {
 			if item.Group == group && item.Kind == kind {
-				log.Infof("Group '%s' and kind '%s' are already blacklisted in project", item.Group, item.Kind)
+				fmt.Printf("Group '%s' and kind '%s' already present in blacklisted namespaced resources\n", group, kind)
 				return false
 			}
 		}
@@ -681,7 +414,7 @@ func NewProjectDenyClusterResourceCommand(clientOpts *argocdclient.ClientOptions
 			}
 		}
 		if index == -1 {
-			log.Info("Specified cluster resource already denied in project")
+			fmt.Printf("Group '%s' and kind '%s' not in whitelisted cluster resources\n", group, kind)
 			return false
 		}
 		proj.Spec.ClusterResourceWhitelist = append(proj.Spec.ClusterResourceWhitelist[:index], proj.Spec.ClusterResourceWhitelist[index+1:]...)
@@ -696,7 +429,7 @@ func NewProjectAllowClusterResourceCommand(clientOpts *argocdclient.ClientOption
 	return modifyProjectResourceCmd(use, desc, clientOpts, func(proj *v1alpha1.AppProject, group string, kind string) bool {
 		for _, item := range proj.Spec.ClusterResourceWhitelist {
 			if item.Group == group && item.Kind == kind {
-				log.Infof("Group '%s' and kind '%s' are already whitelisted in project", item.Group, item.Kind)
+				fmt.Printf("Group '%s' and kind '%s' already present in whitelisted cluster resources\n", group, kind)
 				return false
 			}
 		}
@@ -720,25 +453,21 @@ func NewProjectRemoveSourceCommand(clientOpts *argocdclient.ClientOptions) *cobr
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
 
-			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
 			index := -1
 			for i, item := range proj.Spec.SourceRepos {
-				if item == "*" && item == url {
-					index = i
-					break
-				}
-				if item == git.NormalizeGitURL(url) {
+				if item == url {
 					index = i
 					break
 				}
 			}
 			if index == -1 {
-				log.Info("Specified source repository does not exist in project")
+				fmt.Printf("Source repository '%s' does not exist in project\n", url)
 			} else {
 				proj.Spec.SourceRepos = append(proj.Spec.SourceRepos[:index], proj.Spec.SourceRepos[index+1:]...)
-				_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+				_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
 				errors.CheckError(err)
 			}
 		},
@@ -760,7 +489,7 @@ func NewProjectDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
 			for _, name := range args {
-				_, err := projIf.Delete(context.Background(), &project.ProjectQuery{Name: name})
+				_, err := projIf.Delete(context.Background(), &projectpkg.ProjectQuery{Name: name})
 				errors.CheckError(err)
 			}
 		},
@@ -768,22 +497,193 @@ func NewProjectDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 	return command
 }
 
+// Print list of project names
+func printProjectNames(projects []v1alpha1.AppProject) {
+	for _, p := range projects {
+		fmt.Println(p.Name)
+	}
+}
+
+// Print table of project info
+func printProjectTable(projects []v1alpha1.AppProject) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "NAME\tDESCRIPTION\tDESTINATIONS\tSOURCES\tCLUSTER-RESOURCE-WHITELIST\tNAMESPACE-RESOURCE-BLACKLIST\tORPHANED-RESOURCES\n")
+	for _, p := range projects {
+		printProjectLine(w, &p)
+	}
+	_ = w.Flush()
+}
+
 // NewProjectListCommand returns a new instance of an `argocd proj list` command
 func NewProjectListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
 	var command = &cobra.Command{
 		Use:   "list",
 		Short: "List projects",
 		Run: func(c *cobra.Command, args []string) {
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
-			projects, err := projIf.List(context.Background(), &project.ProjectQuery{})
+			projects, err := projIf.List(context.Background(), &projectpkg.ProjectQuery{})
 			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "NAME\tDESCRIPTION\tDESTINATIONS\tSOURCES\tCLUSTER-RESOURCE-WHITELIST\tNAMESPACE-RESOURCE-BLACKLIST\n")
-			for _, p := range projects.Items {
-				fmt.Fprintf(w, "%s\t%s\t%v\t%v\t%v\t%v\n", p.Name, p.Spec.Description, p.Spec.Destinations, p.Spec.SourceRepos, p.Spec.ClusterResourceWhitelist, p.Spec.NamespaceResourceBlacklist)
+			if output == "name" {
+				printProjectNames(projects.Items)
+			} else {
+				printProjectTable(projects.Items)
 			}
-			_ = w.Flush()
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|name")
+	return command
+}
+
+func formatOrphanedResources(p *v1alpha1.AppProject) string {
+	if p.Spec.OrphanedResources == nil {
+		return "disabled"
+	}
+	return fmt.Sprintf("enabled (warn=%v)", p.Spec.OrphanedResources.IsWarn())
+}
+
+func printProjectLine(w io.Writer, p *v1alpha1.AppProject) {
+	var destinations, sourceRepos, clusterWhitelist, namespaceBlacklist string
+	switch len(p.Spec.Destinations) {
+	case 0:
+		destinations = "<none>"
+	case 1:
+		destinations = fmt.Sprintf("%s,%s", p.Spec.Destinations[0].Server, p.Spec.Destinations[0].Namespace)
+	default:
+		destinations = fmt.Sprintf("%d destinations", len(p.Spec.Destinations))
+	}
+	switch len(p.Spec.SourceRepos) {
+	case 0:
+		sourceRepos = "<none>"
+	case 1:
+		sourceRepos = p.Spec.SourceRepos[0]
+	default:
+		sourceRepos = fmt.Sprintf("%d repos", len(p.Spec.SourceRepos))
+	}
+	switch len(p.Spec.ClusterResourceWhitelist) {
+	case 0:
+		clusterWhitelist = "<none>"
+	case 1:
+		clusterWhitelist = fmt.Sprintf("%s/%s", p.Spec.ClusterResourceWhitelist[0].Group, p.Spec.ClusterResourceWhitelist[0].Kind)
+	default:
+		clusterWhitelist = fmt.Sprintf("%d resources", len(p.Spec.ClusterResourceWhitelist))
+	}
+	switch len(p.Spec.NamespaceResourceBlacklist) {
+	case 0:
+		namespaceBlacklist = "<none>"
+	default:
+		namespaceBlacklist = fmt.Sprintf("%d resources", len(p.Spec.NamespaceResourceBlacklist))
+	}
+	fmt.Fprintf(w, "%s\t%s\t%v\t%v\t%v\t%v\t%v\n", p.Name, p.Spec.Description, destinations, sourceRepos, clusterWhitelist, namespaceBlacklist, formatOrphanedResources(p))
+}
+
+// NewProjectGetCommand returns a new instance of an `argocd proj get` command
+func NewProjectGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	const printProjFmtStr = "%-34s%s\n"
+	var command = &cobra.Command{
+		Use:   "get PROJECT",
+		Short: "Get project details",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+			p, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+			fmt.Printf(printProjFmtStr, "Name:", p.Name)
+			fmt.Printf(printProjFmtStr, "Description:", p.Spec.Description)
+
+			// Print destinations
+			dest0 := "<none>"
+			if len(p.Spec.Destinations) > 0 {
+				dest0 = fmt.Sprintf("%s,%s", p.Spec.Destinations[0].Server, p.Spec.Destinations[0].Namespace)
+			}
+			fmt.Printf(printProjFmtStr, "Destinations:", dest0)
+			for i := 1; i < len(p.Spec.Destinations); i++ {
+				fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s,%s", p.Spec.Destinations[i].Server, p.Spec.Destinations[i].Namespace))
+			}
+
+			// Print sources
+			src0 := "<none>"
+			if len(p.Spec.SourceRepos) > 0 {
+				src0 = p.Spec.SourceRepos[0]
+			}
+			fmt.Printf(printProjFmtStr, "Repositories:", src0)
+			for i := 1; i < len(p.Spec.SourceRepos); i++ {
+				fmt.Printf(printProjFmtStr, "", p.Spec.SourceRepos[i])
+			}
+
+			// Print whitelisted cluster resources
+			cwl0 := "<none>"
+			if len(p.Spec.ClusterResourceWhitelist) > 0 {
+				cwl0 = fmt.Sprintf("%s/%s", p.Spec.ClusterResourceWhitelist[0].Group, p.Spec.ClusterResourceWhitelist[0].Kind)
+			}
+			fmt.Printf(printProjFmtStr, "Whitelisted Cluster Resources:", cwl0)
+			for i := 1; i < len(p.Spec.ClusterResourceWhitelist); i++ {
+				fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s/%s", p.Spec.ClusterResourceWhitelist[i].Group, p.Spec.ClusterResourceWhitelist[i].Kind))
+			}
+
+			// Print blacklisted namespaced resources
+			rbl0 := "<none>"
+			if len(p.Spec.NamespaceResourceBlacklist) > 0 {
+				rbl0 = fmt.Sprintf("%s/%s", p.Spec.NamespaceResourceBlacklist[0].Group, p.Spec.NamespaceResourceBlacklist[0].Kind)
+			}
+			fmt.Printf(printProjFmtStr, "Blacklisted Namespaced Resources:", rbl0)
+			for i := 1; i < len(p.Spec.NamespaceResourceBlacklist); i++ {
+				fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s/%s", p.Spec.NamespaceResourceBlacklist[i].Group, p.Spec.NamespaceResourceBlacklist[i].Kind))
+			}
+			fmt.Printf(printProjFmtStr, "Orphaned Resources:", formatOrphanedResources(p))
+		},
+	}
+	return command
+}
+
+func NewProjectEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "edit PROJECT",
+		Short: "Edit project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+			projData, err := json.Marshal(proj.Spec)
+			errors.CheckError(err)
+			projData, err = yaml.JSONToYAML(projData)
+			errors.CheckError(err)
+
+			cli.InteractiveEdit(fmt.Sprintf("%s-*-edit.yaml", projName), projData, func(input []byte) error {
+				input, err = yaml.YAMLToJSON(input)
+				if err != nil {
+					return err
+				}
+				updatedSpec := v1alpha1.AppProjectSpec{}
+				err = json.Unmarshal(input, &updatedSpec)
+				if err != nil {
+					return err
+				}
+				proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+				if err != nil {
+					return err
+				}
+				proj.Spec = updatedSpec
+				_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+				if err != nil {
+					return fmt.Errorf("Failed to update project:\n%v", err)
+				}
+				return err
+			})
 		},
 	}
 	return command

cmd/argocd/commands/project_role.go

@@ -0,0 +1,398 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strconv"
+	"text/tabwriter"
+
+	timeutil "github.com/argoproj/pkg/time"
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util"
+)
+
+const (
+	policyTemplate = "p, proj:%s:%s, applications, %s, %s/%s, %s"
+)
+
+// NewProjectRoleCommand returns a new instance of the `argocd proj role` command
+func NewProjectRoleCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	roleCommand := &cobra.Command{
+		Use:   "role",
+		Short: "Manage a project's roles",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+	roleCommand.AddCommand(NewProjectRoleListCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleGetCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleCreateCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleDeleteCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleCreateTokenCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleDeleteTokenCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleAddPolicyCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleRemovePolicyCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleAddGroupCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleRemoveGroupCommand(clientOpts))
+	return roleCommand
+}
+
+// NewProjectRoleAddPolicyCommand returns a new instance of an `argocd proj role add-policy` command
+func NewProjectRoleAddPolicyCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		opts policyOpts
+	)
+	var command = &cobra.Command{
+		Use:   "add-policy PROJECT ROLE-NAME",
+		Short: "Add a policy to a project role",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			roleName := args[1]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			role, roleIndex, err := proj.GetRoleByName(roleName)
+			errors.CheckError(err)
+
+			policy := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.action, proj.Name, opts.object, opts.permission)
+			proj.Spec.Roles[roleIndex].Policies = append(role.Policies, policy)
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	addPolicyFlags(command, &opts)
+	return command
+}
+
+// NewProjectRoleRemovePolicyCommand returns a new instance of an `argocd proj role remove-policy` command
+func NewProjectRoleRemovePolicyCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		opts policyOpts
+	)
+	var command = &cobra.Command{
+		Use:   "remove-policy PROJECT ROLE-NAME",
+		Short: "Remove a policy from a role within a project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			roleName := args[1]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			role, roleIndex, err := proj.GetRoleByName(roleName)
+			errors.CheckError(err)
+
+			policyToRemove := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.action, proj.Name, opts.object, opts.permission)
+			duplicateIndex := -1
+			for i, policy := range role.Policies {
+				if policy == policyToRemove {
+					duplicateIndex = i
+					break
+				}
+			}
+			if duplicateIndex < 0 {
+				return
+			}
+			role.Policies[duplicateIndex] = role.Policies[len(role.Policies)-1]
+			proj.Spec.Roles[roleIndex].Policies = role.Policies[:len(role.Policies)-1]
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	addPolicyFlags(command, &opts)
+	return command
+}
+
+// NewProjectRoleCreateCommand returns a new instance of an `argocd proj role create` command
+func NewProjectRoleCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		description string
+	)
+	var command = &cobra.Command{
+		Use:   "create PROJECT ROLE-NAME",
+		Short: "Create a project role",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			roleName := args[1]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			_, _, err = proj.GetRoleByName(roleName)
+			if err == nil {
+				fmt.Printf("Role '%s' already exists\n", roleName)
+				return
+			}
+			proj.Spec.Roles = append(proj.Spec.Roles, v1alpha1.ProjectRole{Name: roleName, Description: description})
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+			fmt.Printf("Role '%s' created\n", roleName)
+		},
+	}
+	command.Flags().StringVarP(&description, "description", "", "", "Project description")
+	return command
+}
+
+// NewProjectRoleDeleteCommand returns a new instance of an `argocd proj role delete` command
+func NewProjectRoleDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "delete PROJECT ROLE-NAME",
+		Short: "Delete a project role",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			roleName := args[1]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			_, index, err := proj.GetRoleByName(roleName)
+			if err != nil {
+				fmt.Printf("Role '%s' does not exist in project\n", roleName)
+				return
+			}
+			proj.Spec.Roles[index] = proj.Spec.Roles[len(proj.Spec.Roles)-1]
+			proj.Spec.Roles = proj.Spec.Roles[:len(proj.Spec.Roles)-1]
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+			fmt.Printf("Role '%s' deleted\n", roleName)
+		},
+	}
+	return command
+}
+
+// NewProjectRoleCreateTokenCommand returns a new instance of an `argocd proj role create-token` command
+func NewProjectRoleCreateTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		expiresIn string
+	)
+	var command = &cobra.Command{
+		Use:   "create-token PROJECT ROLE-NAME",
+		Short: "Create a project token",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			roleName := args[1]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+			duration, err := timeutil.ParseDuration(expiresIn)
+			errors.CheckError(err)
+			token, err := projIf.CreateToken(context.Background(), &projectpkg.ProjectTokenCreateRequest{Project: projName, Role: roleName, ExpiresIn: int64(duration.Seconds())})
+			errors.CheckError(err)
+			fmt.Println(token.Token)
+		},
+	}
+	command.Flags().StringVarP(&expiresIn, "expires-in", "e", "0s", "Duration before the token will expire. (Default: No expiration)")
+
+	return command
+}
+
+// NewProjectRoleDeleteTokenCommand returns a new instance of an `argocd proj role delete-token` command
+func NewProjectRoleDeleteTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "delete-token PROJECT ROLE-NAME ISSUED-AT",
+		Short: "Delete a project token",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			roleName := args[1]
+			issuedAt, err := strconv.ParseInt(args[2], 10, 64)
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			_, err = projIf.DeleteToken(context.Background(), &projectpkg.ProjectTokenDeleteRequest{Project: projName, Role: roleName, Iat: issuedAt})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// Print list of project role names
+func printProjectRoleListName(roles []v1alpha1.ProjectRole) {
+	for _, role := range roles {
+		fmt.Println(role.Name)
+	}
+}
+
+// Print table of project roles
+func printProjectRoleListTable(roles []v1alpha1.ProjectRole) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "ROLE-NAME\tDESCRIPTION\n")
+	for _, role := range roles {
+		fmt.Fprintf(w, "%s\t%s\n", role.Name, role.Description)
+	}
+	_ = w.Flush()
+}
+
+// NewProjectRoleListCommand returns a new instance of an `argocd proj roles list` command
+func NewProjectRoleListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
+	var command = &cobra.Command{
+		Use:   "list PROJECT",
+		Short: "List all the roles in a project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			project, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+			if output == "name" {
+				printProjectRoleListName(project.Spec.Roles)
+			} else {
+				printProjectRoleListTable(project.Spec.Roles)
+			}
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|name")
+	return command
+}
+
+// NewProjectRoleGetCommand returns a new instance of an `argocd proj roles get` command
+func NewProjectRoleGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "get PROJECT ROLE-NAME",
+		Short: "Get the details of a specific role",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			roleName := args[1]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			role, _, err := proj.GetRoleByName(roleName)
+			errors.CheckError(err)
+
+			printRoleFmtStr := "%-15s%s\n"
+			fmt.Printf(printRoleFmtStr, "Role Name:", roleName)
+			fmt.Printf(printRoleFmtStr, "Description:", role.Description)
+			fmt.Printf("Policies:\n")
+			fmt.Printf("%s\n", proj.ProjectPoliciesString())
+			fmt.Printf("JWT Tokens:\n")
+			// TODO(jessesuen): print groups
+			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+			fmt.Fprintf(w, "ID\tISSUED-AT\tEXPIRES-AT\n")
+			for _, token := range role.JWTTokens {
+				expiresAt := "<none>"
+				if token.ExpiresAt > 0 {
+					expiresAt = humanizeTimestamp(token.ExpiresAt)
+				}
+				fmt.Fprintf(w, "%d\t%s\t%s\n", token.IssuedAt, humanizeTimestamp(token.IssuedAt), expiresAt)
+			}
+			_ = w.Flush()
+		},
+	}
+	return command
+}
+
+// NewProjectRoleAddGroupCommand returns a new instance of an `argocd proj role add-group` command
+func NewProjectRoleAddGroupCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "add-group PROJECT ROLE-NAME GROUP-CLAIM",
+		Short: "Add a group claim to a project role",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName, roleName, groupName := args[0], args[1], args[2]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+			updated, err := proj.AddGroupToRole(roleName, groupName)
+			errors.CheckError(err)
+			if !updated {
+				fmt.Printf("Group '%s' already present in role '%s'\n", groupName, roleName)
+				return
+			}
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+			fmt.Printf("Group '%s' added to role '%s'\n", groupName, roleName)
+		},
+	}
+	return command
+}
+
+// NewProjectRoleRemoveGroupCommand returns a new instance of an `argocd proj role remove-group` command
+func NewProjectRoleRemoveGroupCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "remove-group PROJECT ROLE-NAME GROUP-CLAIM",
+		Short: "Remove a group claim from a role within a project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName, roleName, groupName := args[0], args[1], args[2]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+			updated, err := proj.RemoveGroupFromRole(roleName, groupName)
+			errors.CheckError(err)
+			if !updated {
+				fmt.Printf("Group '%s' not present in role '%s'\n", groupName, roleName)
+				return
+			}
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+			fmt.Printf("Group '%s' removed from role '%s'\n", groupName, roleName)
+		},
+	}
+	return command
+}

cmd/argocd/commands/projectwindows.go

@@ -0,0 +1,311 @@
+package commands
+
+import (
+	"context"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"fmt"
+	"strings"
+	"text/tabwriter"
+
+	"strconv"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util"
+)
+
+// NewProjectWindowsCommand returns a new instance of the `argocd proj windows` command
+func NewProjectWindowsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	roleCommand := &cobra.Command{
+		Use:   "windows",
+		Short: "Manage a project's sync windows",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+	roleCommand.AddCommand(NewProjectWindowsDisableManualSyncCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsEnableManualSyncCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsAddWindowCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsDeleteCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsListCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsUpdateCommand(clientOpts))
+	return roleCommand
+}
+
+// NewProjectSyncWindowsDisableManualSyncCommand returns a new instance of an `argocd proj windows disable-manual-sync` command
+func NewProjectWindowsDisableManualSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "disable-manual-sync PROJECT ID",
+		Short: "Disable manual sync for a sync window",
+		Long:  "Disable manual sync for a sync window. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for i, window := range proj.Spec.SyncWindows {
+				if id == i {
+					window.ManualSync = false
+				}
+			}
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectWindowsEnableManualSyncCommand returns a new instance of an `argocd proj windows enable-manual-sync` command
+func NewProjectWindowsEnableManualSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "enable-manual-sync PROJECT ID",
+		Short: "Enable manual sync for a sync window",
+		Long:  "Enable manual sync for a sync window. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for i, window := range proj.Spec.SyncWindows {
+				if id == i {
+					window.ManualSync = true
+				}
+			}
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectWindowsAddWindowCommand returns a new instance of an `argocd proj windows add` command
+func NewProjectWindowsAddWindowCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		kind         string
+		schedule     string
+		duration     string
+		applications []string
+		namespaces   []string
+		clusters     []string
+		manualSync   bool
+	)
+	var command = &cobra.Command{
+		Use:   "add PROJECT",
+		Short: "Add a sync window to a project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			err = proj.Spec.AddWindow(kind, schedule, duration, applications, namespaces, clusters, manualSync)
+			errors.CheckError(err)
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().StringVarP(&kind, "kind", "k", "", "Sync window kind, either allow or deny")
+	command.Flags().StringVar(&schedule, "schedule", "", "Sync window schedule in cron format. (e.g. --schedule \"0 22 * * *\")")
+	command.Flags().StringVar(&duration, "duration", "", "Sync window duration. (e.g. --duration 1h)")
+	command.Flags().StringSliceVar(&applications, "applications", []string{}, "Applications that the schedule will be applied to. Comma separated, wildcards supported (e.g. --applications prod-\\*,website)")
+	command.Flags().StringSliceVar(&namespaces, "namespaces", []string{}, "Namespaces that the schedule will be applied to. Comma separated, wildcards supported (e.g. --namespaces default,\\*-prod)")
+	command.Flags().StringSliceVar(&clusters, "clusters", []string{}, "Clusters that the schedule will be applied to. Comma separated, wildcards supported (e.g. --clusters prod,staging)")
+	command.Flags().BoolVar(&manualSync, "manual-sync", false, "Allow manual syncs for both deny and allow windows")
+
+	return command
+}
+
+// NewProjectWindowsAddWindowCommand returns a new instance of an `argocd proj windows delete` command
+func NewProjectWindowsDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "delete PROJECT ID",
+		Short: "Delete a sync window from a project. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			err = proj.Spec.DeleteWindow(id)
+			errors.CheckError(err)
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectWindowsUpdateCommand returns a new instance of an `argocd proj windows update` command
+func NewProjectWindowsUpdateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		schedule     string
+		duration     string
+		applications []string
+		namespaces   []string
+		clusters     []string
+	)
+	var command = &cobra.Command{
+		Use:   "update PROJECT ID",
+		Short: "Update a project sync window",
+		Long:  "Update a project sync window. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for i, window := range proj.Spec.SyncWindows {
+				if id == i {
+					err := window.Update(schedule, duration, applications, namespaces, clusters)
+					if err != nil {
+						errors.CheckError(err)
+					}
+				}
+			}
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().StringVar(&schedule, "schedule", "", "Sync window schedule in cron format. (e.g. --schedule \"0 22 * * *\")")
+	command.Flags().StringVar(&duration, "duration", "", "Sync window duration. (e.g. --duration 1h)")
+	command.Flags().StringSliceVar(&applications, "applications", []string{}, "Applications that the schedule will be applied to. Comma separated, wildcards supported (e.g. --applications prod-\\*,website)")
+	command.Flags().StringSliceVar(&namespaces, "namespaces", []string{}, "Namespaces that the schedule will be applied to. Comma separated, wildcards supported (e.g. --namespaces default,\\*-prod)")
+	command.Flags().StringSliceVar(&clusters, "clusters", []string{}, "Clusters that the schedule will be applied to. Comma separated, wildcards supported (e.g. --clusters prod,staging)")
+	return command
+}
+
+// NewProjectWindowsListCommand returns a new instance of an `argocd proj windows list` command
+func NewProjectWindowsListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "list PROJECT",
+		Short: "List project sync windows",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			printSyncWindows(proj)
+		},
+	}
+	return command
+}
+
+// Print table of sync window data
+func printSyncWindows(proj *v1alpha1.AppProject) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	var fmtStr string
+	headers := []interface{}{"ID", "STATUS", "KIND", "SCHEDULE", "DURATION", "APPLICATIONS", "NAMESPACES", "CLUSTERS", "MANUALSYNC"}
+	fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
+	fmt.Fprintf(w, fmtStr, headers...)
+	if proj.Spec.SyncWindows.HasWindows() {
+		for i, window := range proj.Spec.SyncWindows {
+			vals := []interface{}{
+				strconv.Itoa(i),
+				formatBoolOutput(window.Active()),
+				window.Kind,
+				window.Schedule,
+				window.Duration,
+				formatListOutput(window.Applications),
+				formatListOutput(window.Namespaces),
+				formatListOutput(window.Clusters),
+				formatManualOutput(window.ManualSync),
+			}
+			fmt.Fprintf(w, fmtStr, vals...)
+		}
+	}
+	_ = w.Flush()
+}
+
+func formatListOutput(list []string) string {
+	var o string
+	if len(list) == 0 {
+		o = "-"
+	} else {
+		o = strings.Join(list, ",")
+	}
+	return o
+}
+func formatBoolOutput(active bool) string {
+	var o string
+	if active {
+		o = "Active"
+	} else {
+		o = "Inactive"
+	}
+	return o
+}
+func formatManualOutput(active bool) string {
+	var o string
+	if active {
+		o = "Enabled"
+	} else {
+		o = "Disabled"
+	}
+	return o
+}

cmd/argocd/commands/relogin.go

@@ -1,15 +1,18 @@
 package commands
 
 import (
+	"context"
 	"fmt"
 	"os"
 
-	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/coreos/go-oidc"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	settingspkg "github.com/argoproj/argo-cd/pkg/apiclient/settings"
+	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/localconfig"
 	"github.com/argoproj/argo-cd/util/session"
 )
@@ -18,6 +21,7 @@ import (
 func NewReloginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
 		password string
+		ssoPort  int
 	)
 	var command = &cobra.Command{
 		Use:   "relogin",
@@ -36,28 +40,34 @@ func NewReloginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comm
 			configCtx, err := localCfg.ResolveContext(localCfg.CurrentContext)
 			errors.CheckError(err)
 
-			parser := &jwt.Parser{
-				SkipClaimsValidation: true,
-			}
-			claims := jwt.StandardClaims{}
-			_, _, err = parser.ParseUnverified(configCtx.User.AuthToken, &claims)
-			errors.CheckError(err)
-
 			var tokenString string
 			var refreshToken string
+			clientOpts := argocdclient.ClientOptions{
+				ConfigPath: "",
+				ServerAddr: configCtx.Server.Server,
+				Insecure:   configCtx.Server.Insecure,
+				GRPCWeb:    globalClientOpts.GRPCWeb,
+				PlainText:  configCtx.Server.PlainText,
+			}
+			acdClient := argocdclient.NewClientOrDie(&clientOpts)
+			claims, err := configCtx.User.Claims()
+			errors.CheckError(err)
 			if claims.Issuer == session.SessionManagerClaimsIssuer {
-				clientOpts := argocdclient.ClientOptions{
-					ConfigPath: "",
-					ServerAddr: configCtx.Server.Server,
-					Insecure:   configCtx.Server.Insecure,
-					PlainText:  configCtx.Server.PlainText,
-				}
-				acdClient := argocdclient.NewClientOrDie(&clientOpts)
 				fmt.Printf("Relogging in as '%s'\n", claims.Subject)
 				tokenString = passwordLogin(acdClient, claims.Subject, password)
 			} else {
 				fmt.Println("Reinitiating SSO login")
-				tokenString, refreshToken = oauth2Login(configCtx.Server.Server, configCtx.Server.PlainText)
+				setConn, setIf := acdClient.NewSettingsClientOrDie()
+				defer util.Close(setConn)
+				ctx := context.Background()
+				httpClient, err := acdClient.HTTPClient()
+				errors.CheckError(err)
+				ctx = oidc.ClientContext(ctx, httpClient)
+				acdSet, err := setIf.Get(ctx, &settingspkg.SettingsQuery{})
+				errors.CheckError(err)
+				oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
+				errors.CheckError(err)
+				tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
 			}
 
 			localCfg.UpsertUser(localconfig.User{
@@ -71,5 +81,6 @@ func NewReloginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comm
 		},
 	}
 	command.Flags().StringVar(&password, "password", "", "the password of an account to authenticate")
+	command.Flags().IntVar(&ssoPort, "sso-port", DefaultSSOLocalPort, "port to run local OAuth2 login application")
 	return command
 }

cmd/argocd/commands/repo.go

@@ -10,10 +10,11 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	repositorypkg "github.com/argoproj/argo-cd/pkg/apiclient/repository"
 	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/server/repository"
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/git"
@@ -23,7 +24,7 @@ import (
 func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "repo",
-		Short: "Manage git repository credentials",
+		Short: "Manage repository connection parameters",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 			os.Exit(1)
@@ -39,44 +40,118 @@ func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 // NewRepoAddCommand returns a new instance of an `argocd repo add` command
 func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		repo              appsv1.Repository
-		upsert            bool
-		sshPrivateKeyPath string
+		repo                           appsv1.Repository
+		upsert                         bool
+		sshPrivateKeyPath              string
+		insecureIgnoreHostKey          bool
+		insecureSkipServerVerification bool
+		tlsClientCertPath              string
+		tlsClientCertKeyPath           string
+		enableLfs                      bool
 	)
+
+	// For better readability and easier formatting
+	var repoAddExamples = `  # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
+  argocd repo add git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
+
+  # Add a private Git repository via HTTPS using username/password and TLS client certificates:
+  argocd repo add https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
+
+  # Add a private Git repository via HTTPS using username/password without verifying the server's TLS certificate
+  argocd repo add https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
+
+  # Add a public Helm repository named 'stable' via HTTPS
+  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
+
+  # Add a private Helm repository named 'stable' via HTTPS
+  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
+`
+
 	var command = &cobra.Command{
-		Use:   "add REPO",
-		Short: "Add git repository credentials",
+		Use:     "add REPOURL",
+		Short:   "Add git repository connection parameters",
+		Example: repoAddExamples,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 1 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
+
+			// Repository URL
 			repo.Repo = args[0]
+
+			// Specifying ssh-private-key-path is only valid for SSH repositories
 			if sshPrivateKeyPath != "" {
-				keyData, err := ioutil.ReadFile(sshPrivateKeyPath)
-				if err != nil {
-					log.Fatal(err)
+				if ok, _ := git.IsSSHURL(repo.Repo); ok {
+					keyData, err := ioutil.ReadFile(sshPrivateKeyPath)
+					if err != nil {
+						log.Fatal(err)
+					}
+					repo.SSHPrivateKey = string(keyData)
+				} else {
+					err := fmt.Errorf("--ssh-private-key-path is only supported for SSH repositories.")
+					errors.CheckError(err)
 				}
-				repo.SSHPrivateKey = string(keyData)
 			}
-			// First test the repo *without* username/password. This gives us a hint on whether this
-			// is a private repo.
-			// NOTE: it is important not to run git commands to test git credentials on the user's
-			// system since it may mess with their git credential store (e.g. osx keychain).
-			// See issue #315
-			err := git.TestRepo(repo.Repo, "", "", repo.SSHPrivateKey)
-			if err != nil {
-				if git.IsSSHURL(repo.Repo) {
-					// If we failed using git SSH credentials, then the repo is automatically bad
-					log.Fatal(err)
+
+			// tls-client-cert-path and tls-client-cert-key-key-path must always be
+			// specified together
+			if (tlsClientCertPath != "" && tlsClientCertKeyPath == "") || (tlsClientCertPath == "" && tlsClientCertKeyPath != "") {
+				err := fmt.Errorf("--tls-client-cert-path and --tls-client-cert-key-path must be specified together")
+				errors.CheckError(err)
+			}
+
+			// Specifying tls-client-cert-path is only valid for HTTPS repositories
+			if tlsClientCertPath != "" {
+				if git.IsHTTPSURL(repo.Repo) {
+					tlsCertData, err := ioutil.ReadFile(tlsClientCertPath)
+					errors.CheckError(err)
+					tlsCertKey, err := ioutil.ReadFile(tlsClientCertKeyPath)
+					errors.CheckError(err)
+					repo.TLSClientCertData = string(tlsCertData)
+					repo.TLSClientCertKey = string(tlsCertKey)
+				} else {
+					err := fmt.Errorf("--tls-client-cert-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
 				}
-				// If we can't test the repo, it's probably private. Prompt for credentials and
-				// let the server test it.
-				repo.Username, repo.Password = cli.PromptCredentials(repo.Username, repo.Password)
 			}
+
+			// InsecureIgnoreHostKey is deprecated and only here for backwards compat
+			repo.InsecureIgnoreHostKey = insecureIgnoreHostKey
+			repo.Insecure = insecureSkipServerVerification
+			repo.EnableLFS = enableLfs
+
+			if repo.Type == "helm" && repo.Name == "" {
+				errors.CheckError(fmt.Errorf("Must specify --name for repos of type 'helm'"))
+			}
+
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
 			defer util.Close(conn)
-			repoCreateReq := repository.RepoCreateRequest{
+
+			// If the user set a username, but didn't supply password via --password,
+			// then we prompt for it
+			if repo.Username != "" && repo.Password == "" {
+				repo.Password = cli.PromptPassword(repo.Password)
+			}
+
+			// We let the server check access to the repository before adding it. If
+			// it is a private repo, but we cannot access with with the credentials
+			// that were supplied, we bail out.
+			repoAccessReq := repositorypkg.RepoAccessQuery{
+				Repo:              repo.Repo,
+				Type:              repo.Type,
+				Name:              repo.Name,
+				Username:          repo.Username,
+				Password:          repo.Password,
+				SshPrivateKey:     repo.SSHPrivateKey,
+				TlsClientCertData: repo.TLSClientCertData,
+				TlsClientCertKey:  repo.TLSClientCertKey,
+				Insecure:          repo.IsInsecure(),
+			}
+			_, err := repoIf.ValidateAccess(context.Background(), &repoAccessReq)
+			errors.CheckError(err)
+
+			repoCreateReq := repositorypkg.RepoCreateRequest{
 				Repo:   &repo,
 				Upsert: upsert,
 			}
@@ -85,9 +160,16 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			fmt.Printf("repository '%s' added\n", createdRepo.Repo)
 		},
 	}
+	command.Flags().StringVar(&repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
+	command.Flags().StringVar(&repo.Name, "name", "", "name of the repository, mandatory for repositories of type helm")
 	command.Flags().StringVar(&repo.Username, "username", "", "username to the repository")
 	command.Flags().StringVar(&repo.Password, "password", "", "password to the repository")
 	command.Flags().StringVar(&sshPrivateKeyPath, "ssh-private-key-path", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
+	command.Flags().StringVar(&tlsClientCertPath, "tls-client-cert-path", "", "path to the TLS client cert (must be PEM format)")
+	command.Flags().StringVar(&tlsClientCertKeyPath, "tls-client-cert-key-path", "", "path to the TLS client cert's key path (must be PEM format)")
+	command.Flags().BoolVar(&insecureIgnoreHostKey, "insecure-ignore-host-key", false, "disables SSH strict host key checking (deprecated, use --insecure-skip-server-validation instead)")
+	command.Flags().BoolVar(&insecureSkipServerVerification, "insecure-skip-server-verification", false, "disables server certificate and host key checks")
+	command.Flags().BoolVar(&enableLfs, "enable-lfs", false, "enable git-lfs (Large File Support) on this repository")
 	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
 	return command
 }
@@ -96,7 +178,7 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "rm REPO",
-		Short: "Remove git repository credentials",
+		Short: "Remove repository credentials",
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
 				c.HelpFunc()(c, args)
@@ -105,7 +187,7 @@ func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
 			defer util.Close(conn)
 			for _, repoURL := range args {
-				_, err := repoIf.Delete(context.Background(), &repository.RepoQuery{Repo: repoURL})
+				_, err := repoIf.Delete(context.Background(), &repositorypkg.RepoQuery{Repo: repoURL})
 				errors.CheckError(err)
 			}
 		},
@@ -113,23 +195,49 @@ func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 	return command
 }
 
+// Print table of repo info
+func printRepoTable(repos appsv1.Repositories) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	_, _ = fmt.Fprintf(w, "TYPE\tNAME\tREPO\tINSECURE\tLFS\tUSER\tSTATUS\tMESSAGE\n")
+	for _, r := range repos {
+		var username string
+		if r.Username == "" {
+			username = "-"
+		} else {
+			username = r.Username
+		}
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%v\t%v\t%s\t%s\t%s\n", r.Type, r.Name, r.Repo, r.IsInsecure(), r.EnableLFS, username, r.ConnectionState.Status, r.ConnectionState.Message)
+	}
+	_ = w.Flush()
+}
+
+// Print list of repo urls
+func printRepoUrls(repos appsv1.Repositories) {
+	for _, r := range repos {
+		fmt.Println(r.Repo)
+	}
+}
+
 // NewRepoListCommand returns a new instance of an `argocd repo rm` command
 func NewRepoListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
 	var command = &cobra.Command{
 		Use:   "list",
 		Short: "List configured repositories",
 		Run: func(c *cobra.Command, args []string) {
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
 			defer util.Close(conn)
-			repos, err := repoIf.List(context.Background(), &repository.RepoQuery{})
+			repos, err := repoIf.List(context.Background(), &repositorypkg.RepoQuery{})
 			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "REPO\tUSER\tSTATUS\tMESSAGE\n")
-			for _, r := range repos.Items {
-				fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", r.Repo, r.Username, r.ConnectionState.Status, r.ConnectionState.Message)
+			if output == "url" {
+				printRepoUrls(repos.Items)
+			} else {
+				printRepoTable(repos.Items)
 			}
-			_ = w.Flush()
 		},
 	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|url")
 	return command
 }

cmd/argocd/commands/root.go

@@ -1,13 +1,26 @@
 package commands
 
 import (
-	"github.com/argoproj/argo-cd/errors"
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	"github.com/argoproj/argo-cd/util/localconfig"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/config"
+	"github.com/argoproj/argo-cd/util/localconfig"
 )
 
+func init() {
+	cobra.OnInitialize(initConfig)
+}
+
+var logLevel string
+
+func initConfig() {
+	cli.SetLogLevel(logLevel)
+}
+
 // NewCommand returns a new instance of an argocd command
 func NewCommand() *cobra.Command {
 	var (
@@ -17,12 +30,13 @@ func NewCommand() *cobra.Command {
 
 	var command = &cobra.Command{
 		Use:   cliName,
-		Short: "argocd controls a ArgoCD server",
+		Short: "argocd controls a Argo CD server",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 		},
 	}
 
+	command.AddCommand(NewCompletionCommand())
 	command.AddCommand(NewVersionCmd(&clientOpts))
 	command.AddCommand(NewClusterCommand(&clientOpts, pathOpts))
 	command.AddCommand(NewApplicationCommand(&clientOpts))
@@ -32,15 +46,19 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(NewContextCommand(&clientOpts))
 	command.AddCommand(NewProjectCommand(&clientOpts))
 	command.AddCommand(NewAccountCommand(&clientOpts))
+	command.AddCommand(NewLogoutCommand(&clientOpts))
+	command.AddCommand(NewCertCommand(&clientOpts))
 
 	defaultLocalConfigPath, err := localconfig.DefaultLocalConfigPath()
 	errors.CheckError(err)
-	command.PersistentFlags().StringVar(&clientOpts.ConfigPath, "config", defaultLocalConfigPath, "Path to ArgoCD config")
-	command.PersistentFlags().StringVar(&clientOpts.ServerAddr, "server", "", "ArgoCD server address")
-	command.PersistentFlags().BoolVar(&clientOpts.PlainText, "plaintext", false, "Disable TLS")
-	command.PersistentFlags().BoolVar(&clientOpts.Insecure, "insecure", false, "Skip server certificate and domain verification")
-	command.PersistentFlags().StringVar(&clientOpts.CertFile, "server-crt", "", "Server certificate file")
-	command.PersistentFlags().StringVar(&clientOpts.AuthToken, "auth-token", "", "Authentication token")
-
+	command.PersistentFlags().StringVar(&clientOpts.ConfigPath, "config", config.GetFlag("config", defaultLocalConfigPath), "Path to Argo CD config")
+	command.PersistentFlags().StringVar(&clientOpts.ServerAddr, "server", config.GetFlag("server", ""), "Argo CD server address")
+	command.PersistentFlags().BoolVar(&clientOpts.PlainText, "plaintext", config.GetBoolFlag("plaintext"), "Disable TLS")
+	command.PersistentFlags().BoolVar(&clientOpts.Insecure, "insecure", config.GetBoolFlag("insecure"), "Skip server certificate and domain verification")
+	command.PersistentFlags().StringVar(&clientOpts.CertFile, "server-crt", config.GetFlag("server-crt", ""), "Server certificate file")
+	command.PersistentFlags().StringVar(&clientOpts.AuthToken, "auth-token", config.GetFlag("auth-token", ""), "Authentication token")
+	command.PersistentFlags().BoolVar(&clientOpts.GRPCWeb, "grpc-web", config.GetBoolFlag("grpc-web"), "Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2.")
+	command.PersistentFlags().StringVar(&logLevel, "loglevel", config.GetFlag("loglevel", "info"), "Set the logging level. One of: debug|info|warn|error")
+	command.PersistentFlags().StringSliceVarP(&clientOpts.Headers, "header", "H", []string{}, "Sets additional header to all requests made by Argo CD CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers)")
 	return command
 }

cmd/argocd/commands/testdata/config

@@ -0,0 +1,18 @@
+contexts:
+- name: argocd.example.com:443
+  server: argocd.example.com:443
+  user: argocd.example.com:443
+- name: localhost:8080
+  server: localhost:8080
+  user: localhost:8080
+current-context: localhost:8080
+servers:
+- server: argocd.example.com:443
+- plain-text: true
+  server: localhost:8080
+users:
+- auth-token: vErrYS3c3tReFRe$hToken
+  name: argocd.example.com:443
+  refresh-token: vErrYS3c3tReFRe$hToken
+- auth-token: vErrYS3c3tReFRe$hToken
+  name: localhost:8080

cmd/argocd/commands/version.go

@@ -4,12 +4,13 @@ import (
 	"context"
 	"fmt"
 
-	argocd "github.com/argoproj/argo-cd"
+	"github.com/golang/protobuf/ptypes/empty"
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	"github.com/argoproj/argo-cd/util"
-	"github.com/golang/protobuf/ptypes/empty"
-	"github.com/spf13/cobra"
 )
 
 // NewVersionCmd returns a new `version` command to be used as a sub-command to root
@@ -21,7 +22,7 @@ func NewVersionCmd(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 		Use:   "version",
 		Short: fmt.Sprintf("Print version information"),
 		Run: func(cmd *cobra.Command, args []string) {
-			version := argocd.GetVersion()
+			version := common.GetVersion()
 			fmt.Printf("%s: %s\n", cliName, version)
 			if !short {
 				fmt.Printf("  BuildDate: %s\n", version.BuildDate)
@@ -55,6 +56,9 @@ func NewVersionCmd(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				fmt.Printf("  Compiler: %s\n", serverVers.Compiler)
 				fmt.Printf("  Platform: %s\n", serverVers.Platform)
 				fmt.Printf("  Ksonnet Version: %s\n", serverVers.KsonnetVersion)
+				fmt.Printf("  Kustomize Version: %s\n", serverVers.KustomizeVersion)
+				fmt.Printf("  Helm Version: %s\n", serverVers.HelmVersion)
+				fmt.Printf("  Kubectl Version: %s\n", serverVers.KubectlVersion)
 			}
 
 		},

common/common.go

@@ -1,109 +1,149 @@
 package common
 
-import (
-	rbacv1 "k8s.io/api/rbac/v1"
-
-	"github.com/argoproj/argo-cd/pkg/apis/application"
+// Default service addresses and URLS of Argo CD internal services
+const (
+	// DefaultRepoServerAddr is the gRPC address of the Argo CD repo server
+	DefaultRepoServerAddr = "argocd-repo-server:8081"
+	// DefaultDexServerAddr is the HTTP address of the Dex OIDC server, which we run a reverse proxy against
+	DefaultDexServerAddr = "http://argocd-dex-server:5556"
+	// DefaultRedisAddr is the default redis address
+	DefaultRedisAddr = "argocd-redis:6379"
 )
 
+// Kubernetes ConfigMap and Secret resource names which hold Argo CD settings
 const (
-	// MetadataPrefix is the prefix used for our labels and annotations
-	MetadataPrefix = "argocd.argoproj.io"
+	ArgoCDConfigMapName     = "argocd-cm"
+	ArgoCDSecretName        = "argocd-secret"
+	ArgoCDRBACConfigMapName = "argocd-rbac-cm"
+	// Contains SSH known hosts data for connecting repositories. Will get mounted as volume to pods
+	ArgoCDKnownHostsConfigMapName = "argocd-ssh-known-hosts-cm"
+	// Contains TLS certificate data for connecting repositories. Will get mounted as volume to pods
+	ArgoCDTLSCertsConfigMapName = "argocd-tls-certs-cm"
+)
 
-	// SecretTypeRepository indicates a secret type of repository
-	SecretTypeRepository = "repository"
+// Some default configurables
+const (
+	DefaultSystemNamespace = "kube-system"
+	DefaultRepoType        = "git"
+)
 
-	// SecretTypeCluster indicates a secret type of cluster
-	SecretTypeCluster = "cluster"
+// Default listener ports for ArgoCD components
+const (
+	DefaultPortAPIServer              = 8080
+	DefaultPortRepoServer             = 8081
+	DefaultPortArgoCDMetrics          = 8082
+	DefaultPortArgoCDAPIServerMetrics = 8083
+	DefaultPortRepoServerMetrics      = 8084
+)
 
-	// AuthCookieName is the HTTP cookie name where we store our auth token
-	AuthCookieName = "argocd.token"
-	// ResourcesFinalizerName is a number of application CRD finalizer
-	ResourcesFinalizerName = "resources-finalizer." + MetadataPrefix
+// Default paths on the pod's file system
+const (
+	// The default base path where application config is located
+	DefaultPathAppConfig = "/app/config"
+	// The default path where TLS certificates for repositories are located
+	DefaultPathTLSConfig = "/app/config/tls"
+	// The default path where SSH known hosts are stored
+	DefaultPathSSHConfig = "/app/config/ssh"
+	// Default name for the SSH known hosts file
+	DefaultSSHKnownHostsName = "ssh_known_hosts"
+)
 
+// Argo CD application related constants
+const (
 	// KubernetesInternalAPIServerAddr is address of the k8s API server when accessing internal to the cluster
 	KubernetesInternalAPIServerAddr = "https://kubernetes.default.svc"
+	// DefaultAppProjectName contains name of 'default' app project, which is available in every Argo CD installation
+	DefaultAppProjectName = "default"
+	// ArgoCDAdminUsername is the username of the 'admin' user
+	ArgoCDAdminUsername = "admin"
+	// ArgoCDUserAgentName is the default user-agent name used by the gRPC API client library and grpc-gateway
+	ArgoCDUserAgentName = "argocd-client"
+	// AuthCookieName is the HTTP cookie name where we store our auth token
+	AuthCookieName = "argocd.token"
+	// RevisionHistoryLimit is the max number of successful sync to keep in history
+	RevisionHistoryLimit = 10
+	// K8sClientConfigQPS controls the QPS to be used in K8s REST client configs
+	K8sClientConfigQPS = 25
+	// K8sClientConfigBurst controls the burst to be used in K8s REST client configs
+	K8sClientConfigBurst = 50
 )
 
-const (
-	ArgoCDAdminUsername     = "admin"
-	ArgoCDSecretName        = "argocd-secret"
-	ArgoCDConfigMapName     = "argocd-cm"
-	ArgoCDRBACConfigMapName = "argocd-rbac-cm"
-)
-
+// Dex related constants
 const (
 	// DexAPIEndpoint is the endpoint where we serve the Dex API server
 	DexAPIEndpoint = "/api/dex"
-	// LoginEndpoint is ArgoCD's shorthand login endpoint which redirects to dex's OAuth 2.0 provider's consent page
+	// LoginEndpoint is Argo CD's shorthand login endpoint which redirects to dex's OAuth 2.0 provider's consent page
 	LoginEndpoint = "/auth/login"
-	// CallbackEndpoint is ArgoCD's final callback endpoint we reach after OAuth 2.0 login flow has been completed
+	// CallbackEndpoint is Argo CD's final callback endpoint we reach after OAuth 2.0 login flow has been completed
 	CallbackEndpoint = "/auth/callback"
+	// DexCallbackEndpoint is Argo CD's final callback endpoint when Dex is configured
+	DexCallbackEndpoint = "/api/dex/callback"
 	// ArgoCDClientAppName is name of the Oauth client app used when registering our web app to dex
-	ArgoCDClientAppName = "ArgoCD"
+	ArgoCDClientAppName = "Argo CD"
 	// ArgoCDClientAppID is the Oauth client ID we will use when registering our app to dex
 	ArgoCDClientAppID = "argo-cd"
 	// ArgoCDCLIClientAppName is name of the Oauth client app used when registering our CLI to dex
-	ArgoCDCLIClientAppName = "ArgoCD CLI"
+	ArgoCDCLIClientAppName = "Argo CD CLI"
 	// ArgoCDCLIClientAppID is the Oauth client ID we will use when registering our CLI to dex
 	ArgoCDCLIClientAppID = "argo-cd-cli"
+)
+
+// Resource metadata labels and annotations (keys and values) used by Argo CD components
+const (
+	// LabelKeyAppInstance is the label key to use to uniquely identify the instance of an application
+	// The Argo CD application name is used as the instance name
+	LabelKeyAppInstance = "app.kubernetes.io/instance"
+	// LegacyLabelApplicationName is the legacy label (v0.10 and below) and is superceded by 'app.kubernetes.io/instance'
+	LabelKeyLegacyApplicationName = "applications.argoproj.io/app-name"
+	// LabelKeySecretType contains the type of argocd secret (currently: 'cluster')
+	LabelKeySecretType = "argocd.argoproj.io/secret-type"
+	// LabelValueSecretTypeCluster indicates a secret type of cluster
+	LabelValueSecretTypeCluster = "cluster"
+
+	// AnnotationCompareOptions is a comma-separated list of options for comparison
+	AnnotationCompareOptions = "argocd.argoproj.io/compare-options"
+	// AnnotationSyncOptions is a comma-separated list of options for syncing
+	AnnotationSyncOptions = "argocd.argoproj.io/sync-options"
+	// AnnotationSyncWave indicates which wave of the sync the resource or hook should be in
+	AnnotationSyncWave = "argocd.argoproj.io/sync-wave"
+	// AnnotationKeyHook contains the hook type of a resource
+	AnnotationKeyHook = "argocd.argoproj.io/hook"
+	// AnnotationKeyHookDeletePolicy is the policy of deleting a hook
+	AnnotationKeyHookDeletePolicy = "argocd.argoproj.io/hook-delete-policy"
+	// AnnotationKeyRefresh is the annotation key which indicates that app needs to be refreshed. Removed by application controller after app is refreshed.
+	// Might take values 'normal'/'hard'. Value 'hard' means manifest cache and target cluster state cache should be invalidated before refresh.
+	AnnotationKeyRefresh = "argocd.argoproj.io/refresh"
+	// AnnotationKeyManagedBy is annotation name which indicates that k8s resource is managed by an application.
+	AnnotationKeyManagedBy = "managed-by"
+	// AnnotationValueManagedByArgoCD is a 'managed-by' annotation value for resources managed by Argo CD
+	AnnotationValueManagedByArgoCD = "argocd.argoproj.io"
+	// ResourcesFinalizerName the finalizer value which we inject to finalize deletion of an application
+	ResourcesFinalizerName = "resources-finalizer.argocd.argoproj.io"
+)
+
+// Environment variables for tuning and debugging Argo CD
+const (
 	// EnvVarSSODebug is an environment variable to enable additional OAuth debugging in the API server
 	EnvVarSSODebug = "ARGOCD_SSO_DEBUG"
 	// EnvVarRBACDebug is an environment variable to enable additional RBAC debugging in the API server
 	EnvVarRBACDebug = "ARGOCD_RBAC_DEBUG"
-	// DefaultAppProjectName contains name of default app project. The default app project allows deploying application to any cluster.
-	DefaultAppProjectName = "default"
+	// EnvVarFakeInClusterConfig is an environment variable to fake an in-cluster RESTConfig using
+	// the current kubectl context (for development purposes)
+	EnvVarFakeInClusterConfig = "ARGOCD_FAKE_IN_CLUSTER"
+	// Overrides the location where SSH known hosts for repo access data is stored
+	EnvVarSSHDataPath = "ARGOCD_SSH_DATA_PATH"
+	// Overrides the location where TLS certificate for repo access data is stored
+	EnvVarTLSDataPath = "ARGOCD_TLS_DATA_PATH"
+	// Specifies number of git remote operations attempts count
+	EnvGitAttemptsCount = "ARGOCD_GIT_ATTEMPTS_COUNT"
 )
 
-var (
-	// LabelKeyAppInstance refers to the application instance resource name
-	LabelKeyAppInstance = MetadataPrefix + "/app-instance"
-
-	// LabelKeySecretType contains the type of argocd secret (either 'cluster' or 'repo')
-	LabelKeySecretType = MetadataPrefix + "/secret-type"
-
-	// AnnotationConnectionStatus contains connection state status
-	AnnotationConnectionStatus = MetadataPrefix + "/connection-status"
-	// AnnotationConnectionMessage contains additional information about connection status
-	AnnotationConnectionMessage = MetadataPrefix + "/connection-message"
-	// AnnotationConnectionModifiedAt contains timestamp when connection state had been modified
-	AnnotationConnectionModifiedAt = MetadataPrefix + "/connection-modified-at"
-
-	// AnnotationHook contains the hook type of a resource
-	AnnotationHook = MetadataPrefix + "/hook"
-	// AnnotationHookDeletePolicy is the policy of deleting a hook
-	AnnotationHookDeletePolicy = MetadataPrefix + "/hook-delete-policy"
-	// AnnotationHelmHook is the helm hook annotation
-	AnnotationHelmHook = "helm.sh/hook"
-
-	// LabelKeyApplicationControllerInstanceID is the label which allows to separate application among multiple running application controllers.
-	LabelKeyApplicationControllerInstanceID = application.ApplicationFullName + "/controller-instanceid"
-
-	// LabelApplicationName is the label which indicates that resource belongs to application with the specified name
-	LabelApplicationName = application.ApplicationFullName + "/app-name"
-
-	// AnnotationKeyRefresh is the annotation key in the application which is updated with an
-	// arbitrary value (i.e. timestamp) on a git event, to  force the controller to wake up and
-	// re-evaluate the application
-	AnnotationKeyRefresh = application.ApplicationFullName + "/refresh"
-)
-
-// ArgoCDManagerServiceAccount is the name of the service account for managing a cluster
 const (
-	ArgoCDManagerServiceAccount     = "argocd-manager"
-	ArgoCDManagerClusterRole        = "argocd-manager-role"
-	ArgoCDManagerClusterRoleBinding = "argocd-manager-role-binding"
+	// MinClientVersion is the minimum client version that can interface with this API server.
+	// When introducing breaking changes to the API or datastructures, this number should be bumped.
+	// The value here may be lower than the current value in VERSION
+	MinClientVersion = "1.3.0"
+	// CacheVersion is a objects version cached using util/cache/cache.go.
+	// Number should be bumped in case of backward incompatible change to make sure cache is invalidated after upgrade.
+	CacheVersion = "1.0.0"
 )
-
-// ArgoCDManagerPolicyRules are the policies to give argocd-manager
-var ArgoCDManagerPolicyRules = []rbacv1.PolicyRule{
-	{
-		APIGroups: []string{"*"},
-		Resources: []string{"*"},
-		Verbs:     []string{"*"},
-	},
-	{
-		NonResourceURLs: []string{"*"},
-		Verbs:           []string{"*"},
-	},
-}

common/version.go

@@ -1,4 +1,4 @@
-package argocd
+package common
 
 import (
 	"fmt"
@@ -6,9 +6,9 @@ import (
 )
 
 // Version information set by link flags during build. We fall back to these sane
-// default values when we build outside the Makefile context (e.g. go build or go test).
+// default values when we build outside the Makefile context (e.g. go run, go build, or go test).
 var (
-	version      = "0.0.0"                // value from VERSION file
+	version      = "99.99.99"             // value from VERSION file
 	buildDate    = "1970-01-01T00:00:00Z" // output from `date -u +'%Y-%m-%dT%H:%M:%SZ'`
 	gitCommit    = ""                     // output from `git rev-parse HEAD`
 	gitTag       = ""                     // output from `git describe --exact-match --tags HEAD` (if clean tree state)

controller/appcontroller_test.go

@@ -1,42 +1,161 @@
 package controller
 
 import (
+	"context"
+	"encoding/json"
 	"testing"
 	"time"
 
 	"github.com/ghodss/yaml"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	corev1 "k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes/fake"
+	kubetesting "k8s.io/client-go/testing"
+	"k8s.io/client-go/tools/cache"
 
+	"github.com/argoproj/argo-cd/common"
+	mockstatecache "github.com/argoproj/argo-cd/controller/cache/mocks"
 	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/fake"
-	reposerver "github.com/argoproj/argo-cd/reposerver/mocks"
-	"github.com/stretchr/testify/assert"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
+	mockrepoclient "github.com/argoproj/argo-cd/reposerver/apiclient/mocks"
+	mockreposerver "github.com/argoproj/argo-cd/reposerver/mocks"
+	"github.com/argoproj/argo-cd/test"
+	utilcache "github.com/argoproj/argo-cd/util/cache"
+	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/kube/kubetest"
+	"github.com/argoproj/argo-cd/util/settings"
 )
 
-func newFakeController(apps ...runtime.Object) *ApplicationController {
-	kubeClientset := fake.NewSimpleClientset()
-	appClientset := appclientset.NewSimpleClientset(apps...)
-	repoClientset := reposerver.Clientset{}
-	return NewApplicationController(
-		"argocd",
-		kubeClientset,
-		appClientset,
-		&repoClientset,
-		time.Minute,
-	)
+type namespacedResource struct {
+	argoappv1.ResourceNode
+	AppName string
 }
 
+type fakeData struct {
+	apps                []runtime.Object
+	manifestResponse    *apiclient.ManifestResponse
+	managedLiveObjs     map[kube.ResourceKey]*unstructured.Unstructured
+	namespacedResources map[kube.ResourceKey]namespacedResource
+	configMapData       map[string]string
+}
+
+func newFakeController(data *fakeData) *ApplicationController {
+	var clust corev1.Secret
+	err := yaml.Unmarshal([]byte(fakeCluster), &clust)
+	if err != nil {
+		panic(err)
+	}
+
+	// Mock out call to GenerateManifest
+	mockRepoClient := mockrepoclient.RepoServerServiceClient{}
+	mockRepoClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(data.manifestResponse, nil)
+	mockRepoClientset := mockreposerver.Clientset{}
+	mockRepoClientset.On("NewRepoServerClient").Return(&fakeCloser{}, &mockRepoClient, nil)
+
+	secret := corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "argocd-secret",
+			Namespace: test.FakeArgoCDNamespace,
+		},
+		Data: map[string][]byte{
+			"admin.password":   []byte("test"),
+			"server.secretkey": []byte("test"),
+		},
+	}
+	cm := corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "argocd-cm",
+			Namespace: test.FakeArgoCDNamespace,
+			Labels: map[string]string{
+				"app.kubernetes.io/part-of": "argocd",
+			},
+		},
+		Data: data.configMapData,
+	}
+	kubeClient := fake.NewSimpleClientset(&clust, &cm, &secret)
+	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, test.FakeArgoCDNamespace)
+	kubectl := &kubetest.MockKubectlCmd{}
+	ctrl, err := NewApplicationController(
+		test.FakeArgoCDNamespace,
+		settingsMgr,
+		kubeClient,
+		appclientset.NewSimpleClientset(data.apps...),
+		&mockRepoClientset,
+		utilcache.NewCache(utilcache.NewInMemoryCache(1*time.Hour)),
+		kubectl,
+		time.Minute,
+		time.Minute,
+		common.DefaultPortArgoCDMetrics,
+		0,
+	)
+	if err != nil {
+		panic(err)
+	}
+	cancelProj := test.StartInformer(ctrl.projInformer)
+	defer cancelProj()
+	cancelApp := test.StartInformer(ctrl.appInformer)
+	defer cancelApp()
+	mockStateCache := mockstatecache.LiveStateCache{}
+	ctrl.appStateManager.(*appStateManager).liveStateCache = &mockStateCache
+	ctrl.stateCache = &mockStateCache
+	mockStateCache.On("IsNamespaced", mock.Anything, mock.Anything).Return(true, nil)
+	mockStateCache.On("GetManagedLiveObjs", mock.Anything, mock.Anything).Return(data.managedLiveObjs, nil)
+	response := make(map[kube.ResourceKey]argoappv1.ResourceNode)
+	for k, v := range data.namespacedResources {
+		response[k] = v.ResourceNode
+	}
+	mockStateCache.On("GetNamespaceTopLevelResources", mock.Anything, mock.Anything).Return(response, nil)
+	mockStateCache.On("IterateHierarchy", mock.Anything, mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
+		key := args[1].(kube.ResourceKey)
+		action := args[2].(func(child argoappv1.ResourceNode, appName string))
+		appName := ""
+		if res, ok := data.namespacedResources[key]; ok {
+			appName = res.AppName
+		}
+		action(argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Group: key.Group, Namespace: key.Namespace, Name: key.Name}}, appName)
+	}).Return(nil)
+	return ctrl
+}
+
+type fakeCloser struct{}
+
+func (f *fakeCloser) Close() error { return nil }
+
+var fakeCluster = `
+apiVersion: v1
+data:
+  # {"bearerToken":"fake","tlsClientConfig":{"insecure":true},"awsAuthConfig":null}
+  config: eyJiZWFyZXJUb2tlbiI6ImZha2UiLCJ0bHNDbGllbnRDb25maWciOnsiaW5zZWN1cmUiOnRydWV9LCJhd3NBdXRoQ29uZmlnIjpudWxsfQ==
+  # minikube
+  name: aHR0cHM6Ly9sb2NhbGhvc3Q6NjQ0Mw==
+  # https://localhost:6443
+  server: aHR0cHM6Ly9sb2NhbGhvc3Q6NjQ0Mw==
+kind: Secret
+metadata:
+  labels:
+    argocd.argoproj.io/secret-type: cluster
+  name: some-secret
+  namespace: ` + test.FakeArgoCDNamespace + `
+type: Opaque
+`
+
 var fakeApp = `
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
+  uid: "123"
   name: my-app
-  namespace: argocd
+  namespace: ` + test.FakeArgoCDNamespace + `
 spec:
   destination:
-    namespace: dummy-namespace
+    namespace: ` + test.FakeDestNamespace + `
     server: https://localhost:6443
   project: default
   source:
@@ -63,6 +182,9 @@ status:
         namespace: default
         status: Synced
       revision: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+      source:
+        path: some/path
+        repoURL: https://github.com/argoproj/argocd-example-apps.git
 `
 
 func newFakeApp() *argoappv1.Application {
@@ -76,14 +198,14 @@ func newFakeApp() *argoappv1.Application {
 
 func TestAutoSync(t *testing.T) {
 	app := newFakeApp()
-	ctrl := newFakeController(app)
-	compRes := argoappv1.ComparisonResult{
-		Status:   argoappv1.ComparisonStatusOutOfSync,
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+	syncStatus := argoappv1.SyncStatus{
+		Status:   argoappv1.SyncStatusCodeOutOfSync,
 		Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
 	}
-	cond := ctrl.autoSync(app, &compRes)
+	cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 	assert.Nil(t, cond)
-	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications("argocd").Get("my-app", metav1.GetOptions{})
+	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 	assert.NoError(t, err)
 	assert.NotNil(t, app.Operation)
 	assert.NotNil(t, app.Operation.Sync)
@@ -93,102 +215,126 @@ func TestAutoSync(t *testing.T) {
 func TestSkipAutoSync(t *testing.T) {
 	// Verify we skip when we previously synced to it in our most recent history
 	// Set current to 'aaaaa', desired to 'aaaa' and mark system OutOfSync
-	app := newFakeApp()
-	ctrl := newFakeController(app)
-	compRes := argoappv1.ComparisonResult{
-		Status:   argoappv1.ComparisonStatusOutOfSync,
-		Revision: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+	{
+		app := newFakeApp()
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+		syncStatus := argoappv1.SyncStatus{
+			Status:   argoappv1.SyncStatusCodeOutOfSync,
+			Revision: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+		}
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
+		assert.Nil(t, cond)
+		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
+		assert.NoError(t, err)
+		assert.Nil(t, app.Operation)
 	}
-	cond := ctrl.autoSync(app, &compRes)
-	assert.Nil(t, cond)
-	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications("argocd").Get("my-app", metav1.GetOptions{})
-	assert.NoError(t, err)
-	assert.Nil(t, app.Operation)
 
 	// Verify we skip when we are already Synced (even if revision is different)
-	app = newFakeApp()
-	ctrl = newFakeController(app)
-	compRes = argoappv1.ComparisonResult{
-		Status:   argoappv1.ComparisonStatusSynced,
-		Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+	{
+		app := newFakeApp()
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+		syncStatus := argoappv1.SyncStatus{
+			Status:   argoappv1.SyncStatusCodeSynced,
+			Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+		}
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
+		assert.Nil(t, cond)
+		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
+		assert.NoError(t, err)
+		assert.Nil(t, app.Operation)
 	}
-	cond = ctrl.autoSync(app, &compRes)
-	assert.Nil(t, cond)
-	app, err = ctrl.applicationClientset.ArgoprojV1alpha1().Applications("argocd").Get("my-app", metav1.GetOptions{})
-	assert.NoError(t, err)
-	assert.Nil(t, app.Operation)
 
 	// Verify we skip when auto-sync is disabled
-	app = newFakeApp()
-	app.Spec.SyncPolicy = nil
-	ctrl = newFakeController(app)
-	compRes = argoappv1.ComparisonResult{
-		Status:   argoappv1.ComparisonStatusOutOfSync,
-		Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+	{
+		app := newFakeApp()
+		app.Spec.SyncPolicy = nil
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+		syncStatus := argoappv1.SyncStatus{
+			Status:   argoappv1.SyncStatusCodeOutOfSync,
+			Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+		}
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
+		assert.Nil(t, cond)
+		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
+		assert.NoError(t, err)
+		assert.Nil(t, app.Operation)
+	}
+
+	// Verify we skip when application is marked for deletion
+	{
+		app := newFakeApp()
+		now := metav1.Now()
+		app.DeletionTimestamp = &now
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+		syncStatus := argoappv1.SyncStatus{
+			Status:   argoappv1.SyncStatusCodeOutOfSync,
+			Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+		}
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
+		assert.Nil(t, cond)
+		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
+		assert.NoError(t, err)
+		assert.Nil(t, app.Operation)
 	}
-	cond = ctrl.autoSync(app, &compRes)
-	assert.Nil(t, cond)
-	app, err = ctrl.applicationClientset.ArgoprojV1alpha1().Applications("argocd").Get("my-app", metav1.GetOptions{})
-	assert.NoError(t, err)
-	assert.Nil(t, app.Operation)
 
 	// Verify we skip when previous sync attempt failed and return error condition
 	// Set current to 'aaaaa', desired to 'bbbbb' and add 'bbbbb' to failure history
-	app = newFakeApp()
-	app.Status.OperationState = &argoappv1.OperationState{
-		Operation: argoappv1.Operation{
-			Sync: &argoappv1.SyncOperation{},
-		},
-		Phase: argoappv1.OperationFailed,
-		SyncResult: &argoappv1.SyncOperationResult{
+	{
+		app := newFakeApp()
+		app.Status.OperationState = &argoappv1.OperationState{
+			Operation: argoappv1.Operation{
+				Sync: &argoappv1.SyncOperation{},
+			},
+			Phase: argoappv1.OperationFailed,
+			SyncResult: &argoappv1.SyncOperationResult{
+				Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+				Source:   *app.Spec.Source.DeepCopy(),
+			},
+		}
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+		syncStatus := argoappv1.SyncStatus{
+			Status:   argoappv1.SyncStatusCodeOutOfSync,
 			Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
-		},
+		}
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
+		assert.NotNil(t, cond)
+		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
+		assert.NoError(t, err)
+		assert.Nil(t, app.Operation)
 	}
-	ctrl = newFakeController(app)
-	compRes = argoappv1.ComparisonResult{
-		Status:   argoappv1.ComparisonStatusOutOfSync,
-		Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
-	}
-	cond = ctrl.autoSync(app, &compRes)
-	assert.NotNil(t, cond)
-	app, err = ctrl.applicationClientset.ArgoprojV1alpha1().Applications("argocd").Get("my-app", metav1.GetOptions{})
-	assert.NoError(t, err)
-	assert.Nil(t, app.Operation)
 }
 
 // TestAutoSyncIndicateError verifies we skip auto-sync and return error condition if previous sync failed
 func TestAutoSyncIndicateError(t *testing.T) {
 	app := newFakeApp()
-	app.Spec.Source.ComponentParameterOverrides = []argoappv1.ComponentParameter{
-		{
-			Name:  "a",
-			Value: "1",
+	app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{
+		Parameters: []argoappv1.HelmParameter{
+			{
+				Name:  "a",
+				Value: "1",
+			},
 		},
 	}
-	ctrl := newFakeController(app)
-	compRes := argoappv1.ComparisonResult{
-		Status:   argoappv1.ComparisonStatusOutOfSync,
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+	syncStatus := argoappv1.SyncStatus{
+		Status:   argoappv1.SyncStatusCodeOutOfSync,
 		Revision: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 	}
 	app.Status.OperationState = &argoappv1.OperationState{
 		Operation: argoappv1.Operation{
 			Sync: &argoappv1.SyncOperation{
-				ParameterOverrides: argoappv1.ParameterOverrides{
-					{
-						Name:  "a",
-						Value: "1",
-					},
-				},
+				Source: app.Spec.Source.DeepCopy(),
 			},
 		},
 		Phase: argoappv1.OperationFailed,
 		SyncResult: &argoappv1.SyncOperationResult{
 			Revision: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+			Source:   *app.Spec.Source.DeepCopy(),
 		},
 	}
-	cond := ctrl.autoSync(app, &compRes)
+	cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 	assert.NotNil(t, cond)
-	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications("argocd").Get("my-app", metav1.GetOptions{})
+	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 	assert.NoError(t, err)
 	assert.Nil(t, app.Operation)
 }
@@ -196,24 +342,30 @@ func TestAutoSyncIndicateError(t *testing.T) {
 // TestAutoSyncParameterOverrides verifies we auto-sync if revision is same but parameter overrides are different
 func TestAutoSyncParameterOverrides(t *testing.T) {
 	app := newFakeApp()
-	app.Spec.Source.ComponentParameterOverrides = []argoappv1.ComponentParameter{
-		{
-			Name:  "a",
-			Value: "1",
+	app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{
+		Parameters: []argoappv1.HelmParameter{
+			{
+				Name:  "a",
+				Value: "1",
+			},
 		},
 	}
-	ctrl := newFakeController(app)
-	compRes := argoappv1.ComparisonResult{
-		Status:   argoappv1.ComparisonStatusOutOfSync,
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+	syncStatus := argoappv1.SyncStatus{
+		Status:   argoappv1.SyncStatusCodeOutOfSync,
 		Revision: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 	}
 	app.Status.OperationState = &argoappv1.OperationState{
 		Operation: argoappv1.Operation{
 			Sync: &argoappv1.SyncOperation{
-				ParameterOverrides: argoappv1.ParameterOverrides{
-					{
-						Name:  "a",
-						Value: "2", // this value changed
+				Source: &argoappv1.ApplicationSource{
+					Helm: &argoappv1.ApplicationSourceHelm{
+						Parameters: []argoappv1.HelmParameter{
+							{
+								Name:  "a",
+								Value: "2", // this value changed
+							},
+						},
 					},
 				},
 			},
@@ -223,9 +375,358 @@ func TestAutoSyncParameterOverrides(t *testing.T) {
 			Revision: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 		},
 	}
-	cond := ctrl.autoSync(app, &compRes)
+	cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 	assert.Nil(t, cond)
-	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications("argocd").Get("my-app", metav1.GetOptions{})
+	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 	assert.NoError(t, err)
 	assert.NotNil(t, app.Operation)
 }
+
+// TestFinalizeAppDeletion verifies application deletion
+func TestFinalizeAppDeletion(t *testing.T) {
+	app := newFakeApp()
+	app.Spec.Destination.Namespace = test.FakeArgoCDNamespace
+	appObj := kube.MustToUnstructured(&app)
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}, managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
+		kube.GetResourceKey(appObj): appObj,
+	}})
+
+	patched := false
+	fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset)
+	defaultReactor := fakeAppCs.ReactionChain[0]
+	fakeAppCs.ReactionChain = nil
+	fakeAppCs.AddReactor("get", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
+		return defaultReactor.React(action)
+	})
+	fakeAppCs.AddReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
+		patched = true
+		return true, nil, nil
+	})
+	err := ctrl.finalizeApplicationDeletion(app)
+	assert.NoError(t, err)
+	assert.True(t, patched)
+}
+
+// TestNormalizeApplication verifies we normalize an application during reconciliation
+func TestNormalizeApplication(t *testing.T) {
+	defaultProj := argoappv1.AppProject{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "default",
+			Namespace: test.FakeArgoCDNamespace,
+		},
+		Spec: argoappv1.AppProjectSpec{
+			SourceRepos: []string{"*"},
+			Destinations: []argoappv1.ApplicationDestination{
+				{
+					Server:    "*",
+					Namespace: "*",
+				},
+			},
+		},
+	}
+	app := newFakeApp()
+	app.Spec.Project = ""
+	app.Spec.Source.Kustomize = &argoappv1.ApplicationSourceKustomize{NamePrefix: "foo-"}
+	data := fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	}
+
+	{
+		// Verify we normalize the app because project is missing
+		ctrl := newFakeController(&data)
+		key, _ := cache.MetaNamespaceKeyFunc(app)
+		ctrl.appRefreshQueue.Add(key)
+		fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset)
+		fakeAppCs.ReactionChain = nil
+		normalized := false
+		fakeAppCs.AddReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
+			if patchAction, ok := action.(kubetesting.PatchAction); ok {
+				if string(patchAction.GetPatch()) == `{"spec":{"project":"default"}}` {
+					normalized = true
+				}
+			}
+			return true, nil, nil
+		})
+		ctrl.processAppRefreshQueueItem()
+		assert.True(t, normalized)
+	}
+
+	{
+		// Verify we don't unnecessarily normalize app when project is set
+		app.Spec.Project = "default"
+		data.apps[0] = app
+		ctrl := newFakeController(&data)
+		key, _ := cache.MetaNamespaceKeyFunc(app)
+		ctrl.appRefreshQueue.Add(key)
+		fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset)
+		fakeAppCs.ReactionChain = nil
+		normalized := false
+		fakeAppCs.AddReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
+			if patchAction, ok := action.(kubetesting.PatchAction); ok {
+				if string(patchAction.GetPatch()) == `{"spec":{"project":"default"}}` {
+					normalized = true
+				}
+			}
+			return true, nil, nil
+		})
+		ctrl.processAppRefreshQueueItem()
+		assert.False(t, normalized)
+	}
+}
+
+func TestHandleAppUpdated(t *testing.T) {
+	app := newFakeApp()
+	app.Spec.Destination.Namespace = test.FakeArgoCDNamespace
+	app.Spec.Destination.Server = common.KubernetesInternalAPIServerAddr
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+
+	ctrl.handleObjectUpdated(map[string]bool{app.Name: true}, kube.GetObjectRef(kube.MustToUnstructured(app)))
+	isRequested, level := ctrl.isRefreshRequested(app.Name)
+	assert.False(t, isRequested)
+	assert.Equal(t, ComparisonWithNothing, level)
+
+	ctrl.handleObjectUpdated(map[string]bool{app.Name: true}, corev1.ObjectReference{UID: "test", Kind: kube.DeploymentKind, Name: "test", Namespace: "default"})
+	isRequested, level = ctrl.isRefreshRequested(app.Name)
+	assert.True(t, isRequested)
+	assert.Equal(t, CompareWithRecent, level)
+}
+
+func TestHandleOrphanedResourceUpdated(t *testing.T) {
+	app1 := newFakeApp()
+	app1.Name = "app1"
+	app1.Spec.Destination.Namespace = test.FakeArgoCDNamespace
+	app1.Spec.Destination.Server = common.KubernetesInternalAPIServerAddr
+
+	app2 := newFakeApp()
+	app2.Name = "app2"
+	app2.Spec.Destination.Namespace = test.FakeArgoCDNamespace
+	app2.Spec.Destination.Server = common.KubernetesInternalAPIServerAddr
+
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app1, app2, proj}})
+
+	ctrl.handleObjectUpdated(map[string]bool{}, corev1.ObjectReference{UID: "test", Kind: kube.DeploymentKind, Name: "test", Namespace: test.FakeArgoCDNamespace})
+
+	isRequested, level := ctrl.isRefreshRequested(app1.Name)
+	assert.True(t, isRequested)
+	assert.Equal(t, ComparisonWithNothing, level)
+
+	isRequested, level = ctrl.isRefreshRequested(app2.Name)
+	assert.True(t, isRequested)
+	assert.Equal(t, ComparisonWithNothing, level)
+}
+
+func TestSetOperationStateOnDeletedApp(t *testing.T) {
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{}})
+	fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset)
+	fakeAppCs.ReactionChain = nil
+	patched := false
+	fakeAppCs.AddReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
+		patched = true
+		return true, nil, apierr.NewNotFound(schema.GroupResource{}, "my-app")
+	})
+	ctrl.setOperationState(newFakeApp(), &argoappv1.OperationState{Phase: argoappv1.OperationSucceeded})
+	assert.True(t, patched)
+}
+
+func TestNeedRefreshAppStatus(t *testing.T) {
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{}})
+
+	app := newFakeApp()
+	now := metav1.Now()
+	app.Status.ReconciledAt = &now
+	app.Status.Sync = argoappv1.SyncStatus{
+		Status: argoappv1.SyncStatusCodeSynced,
+		ComparedTo: argoappv1.ComparedTo{
+			Source:      app.Spec.Source,
+			Destination: app.Spec.Destination,
+		},
+	}
+
+	// no need to refresh just reconciled application
+	needRefresh, _, _ := ctrl.needRefreshAppStatus(app, 1*time.Hour)
+	assert.False(t, needRefresh)
+
+	// refresh app using the 'deepest' requested comparison level
+	ctrl.requestAppRefresh(app.Name, CompareWithRecent)
+	ctrl.requestAppRefresh(app.Name, ComparisonWithNothing)
+
+	needRefresh, refreshType, compareWith := ctrl.needRefreshAppStatus(app, 1*time.Hour)
+	assert.True(t, needRefresh)
+	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+	assert.Equal(t, CompareWithRecent, compareWith)
+
+	// refresh application which status is not reconciled using latest commit
+	app.Status.Sync = argoappv1.SyncStatus{Status: argoappv1.SyncStatusCodeUnknown}
+
+	needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
+	assert.True(t, needRefresh)
+	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+	assert.Equal(t, CompareWithLatest, compareWith)
+
+	{
+		// refresh app using the 'latest' level if comparison expired
+		app := app.DeepCopy()
+		ctrl.requestAppRefresh(app.Name, CompareWithRecent)
+		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+		app.Status.ReconciledAt = &reconciledAt
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Minute)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+		assert.Equal(t, CompareWithLatest, compareWith)
+	}
+
+	{
+		app := app.DeepCopy()
+		// execute hard refresh if app has refresh annotation
+		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+		app.Status.ReconciledAt = &reconciledAt
+		app.Annotations = map[string]string{
+			common.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
+		}
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
+		assert.Equal(t, CompareWithLatest, compareWith)
+	}
+
+	{
+		app := app.DeepCopy()
+		// ensure that CompareWithLatest level is used if application source has changed
+		ctrl.requestAppRefresh(app.Name, ComparisonWithNothing)
+		// sample app source change
+		app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{
+			Parameters: []argoappv1.HelmParameter{{
+				Name:  "foo",
+				Value: "bar",
+			}},
+		}
+
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+		assert.Equal(t, CompareWithLatest, compareWith)
+	}
+}
+
+func TestRefreshAppConditions(t *testing.T) {
+	defaultProj := argoappv1.AppProject{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "default",
+			Namespace: test.FakeArgoCDNamespace,
+		},
+		Spec: argoappv1.AppProjectSpec{
+			SourceRepos: []string{"*"},
+			Destinations: []argoappv1.ApplicationDestination{
+				{
+					Server:    "*",
+					Namespace: "*",
+				},
+			},
+		},
+	}
+
+	t.Run("NoErrorConditions", func(t *testing.T) {
+		app := newFakeApp()
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app, &defaultProj}})
+
+		hasErrors := ctrl.refreshAppConditions(app)
+		assert.False(t, hasErrors)
+		assert.Len(t, app.Status.Conditions, 0)
+	})
+
+	t.Run("PreserveExistingWarningCondition", func(t *testing.T) {
+		app := newFakeApp()
+		app.Status.SetConditions([]argoappv1.ApplicationCondition{{Type: argoappv1.ApplicationConditionExcludedResourceWarning}}, nil)
+
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app, &defaultProj}})
+
+		hasErrors := ctrl.refreshAppConditions(app)
+		assert.False(t, hasErrors)
+		assert.Len(t, app.Status.Conditions, 1)
+		assert.Equal(t, argoappv1.ApplicationConditionExcludedResourceWarning, app.Status.Conditions[0].Type)
+	})
+
+	t.Run("ReplacesSpecErrorCondition", func(t *testing.T) {
+		app := newFakeApp()
+		app.Spec.Project = "wrong project"
+		app.Status.SetConditions([]argoappv1.ApplicationCondition{{Type: argoappv1.ApplicationConditionInvalidSpecError, Message: "old message"}}, nil)
+
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app, &defaultProj}})
+
+		hasErrors := ctrl.refreshAppConditions(app)
+		assert.True(t, hasErrors)
+		assert.Len(t, app.Status.Conditions, 1)
+		assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, app.Status.Conditions[0].Type)
+		assert.Equal(t, "Application referencing project wrong project which does not exist", app.Status.Conditions[0].Message)
+	})
+}
+
+func TestUpdateReconciledAt(t *testing.T) {
+	app := newFakeApp()
+	reconciledAt := metav1.NewTime(time.Now().Add(-1 * time.Second))
+	app.Status = argoappv1.ApplicationStatus{ReconciledAt: &reconciledAt}
+	app.Status.Sync = argoappv1.SyncStatus{ComparedTo: argoappv1.ComparedTo{Source: app.Spec.Source, Destination: app.Spec.Destination}}
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	})
+	key, _ := cache.MetaNamespaceKeyFunc(app)
+	fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset)
+	fakeAppCs.ReactionChain = nil
+	receivedPatch := map[string]interface{}{}
+	fakeAppCs.AddReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
+		if patchAction, ok := action.(kubetesting.PatchAction); ok {
+			assert.NoError(t, json.Unmarshal(patchAction.GetPatch(), &receivedPatch))
+		}
+		return true, nil, nil
+	})
+
+	t.Run("UpdatedOnFullReconciliation", func(t *testing.T) {
+		receivedPatch = map[string]interface{}{}
+		ctrl.requestAppRefresh(app.Name, CompareWithLatest)
+		ctrl.appRefreshQueue.Add(key)
+
+		ctrl.processAppRefreshQueueItem()
+
+		_, updated, err := unstructured.NestedString(receivedPatch, "status", "reconciledAt")
+		assert.NoError(t, err)
+		assert.True(t, updated)
+
+		_, updated, err = unstructured.NestedString(receivedPatch, "status", "observedAt")
+		assert.NoError(t, err)
+		assert.True(t, updated)
+	})
+
+	t.Run("NotUpdatedOnPartialReconciliation", func(t *testing.T) {
+		receivedPatch = map[string]interface{}{}
+		ctrl.appRefreshQueue.Add(key)
+		ctrl.requestAppRefresh(app.Name, CompareWithRecent)
+
+		ctrl.processAppRefreshQueueItem()
+
+		_, updated, err := unstructured.NestedString(receivedPatch, "status", "reconciledAt")
+		assert.NoError(t, err)
+		assert.False(t, updated)
+
+		_, updated, err = unstructured.NestedString(receivedPatch, "status", "observedAt")
+		assert.NoError(t, err)
+		assert.True(t, updated)
+	})
+
+}

controller/cache/cache.go

@@ -0,0 +1,275 @@
+package cache
+
+import (
+	"context"
+	"reflect"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/tools/cache"
+
+	"github.com/argoproj/argo-cd/controller/metrics"
+	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/db"
+	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/settings"
+)
+
+type cacheSettings struct {
+	ResourceOverrides   map[string]appv1.ResourceOverride
+	AppInstanceLabelKey string
+	ResourcesFilter     *settings.ResourcesFilter
+}
+
+type LiveStateCache interface {
+	IsNamespaced(server string, gk schema.GroupKind) (bool, error)
+	// Executes give callback against resource specified by the key and all its children
+	IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) error
+	// Returns state of live nodes which correspond for target nodes of specified application.
+	GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error)
+	// Returns all top level resources (resources without owner references) of a specified namespace
+	GetNamespaceTopLevelResources(server string, namespace string) (map[kube.ResourceKey]appv1.ResourceNode, error)
+	// Starts watching resources of each controlled cluster.
+	Run(ctx context.Context) error
+	// Invalidate invalidates the entire cluster state cache
+	Invalidate()
+}
+
+type ObjectUpdatedHandler = func(managedByApp map[string]bool, ref v1.ObjectReference)
+
+func GetTargetObjKey(a *appv1.Application, un *unstructured.Unstructured, isNamespaced bool) kube.ResourceKey {
+	key := kube.GetResourceKey(un)
+	if !isNamespaced {
+		key.Namespace = ""
+	} else if isNamespaced && key.Namespace == "" {
+		key.Namespace = a.Spec.Destination.Namespace
+	}
+
+	return key
+}
+
+func NewLiveStateCache(
+	db db.ArgoDB,
+	appInformer cache.SharedIndexInformer,
+	settingsMgr *settings.SettingsManager,
+	kubectl kube.Kubectl,
+	metricsServer *metrics.MetricsServer,
+	onObjectUpdated ObjectUpdatedHandler) LiveStateCache {
+
+	return &liveStateCache{
+		appInformer:       appInformer,
+		db:                db,
+		clusters:          make(map[string]*clusterInfo),
+		lock:              &sync.Mutex{},
+		onObjectUpdated:   onObjectUpdated,
+		kubectl:           kubectl,
+		settingsMgr:       settingsMgr,
+		metricsServer:     metricsServer,
+		cacheSettingsLock: &sync.Mutex{},
+	}
+}
+
+type liveStateCache struct {
+	db                db.ArgoDB
+	clusters          map[string]*clusterInfo
+	lock              *sync.Mutex
+	appInformer       cache.SharedIndexInformer
+	onObjectUpdated   ObjectUpdatedHandler
+	kubectl           kube.Kubectl
+	settingsMgr       *settings.SettingsManager
+	metricsServer     *metrics.MetricsServer
+	cacheSettingsLock *sync.Mutex
+	cacheSettings     *cacheSettings
+}
+
+func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
+	appInstanceLabelKey, err := c.settingsMgr.GetAppInstanceLabelKey()
+	if err != nil {
+		return nil, err
+	}
+	resourcesFilter, err := c.settingsMgr.GetResourcesFilter()
+	if err != nil {
+		return nil, err
+	}
+	resourceOverrides, err := c.settingsMgr.GetResourceOverrides()
+	if err != nil {
+		return nil, err
+	}
+	return &cacheSettings{AppInstanceLabelKey: appInstanceLabelKey, ResourceOverrides: resourceOverrides, ResourcesFilter: resourcesFilter}, nil
+}
+
+func (c *liveStateCache) getCluster(server string) (*clusterInfo, error) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	info, ok := c.clusters[server]
+	if !ok {
+		cluster, err := c.db.GetCluster(context.Background(), server)
+		if err != nil {
+			return nil, err
+		}
+		info = &clusterInfo{
+			apisMeta:         make(map[schema.GroupKind]*apiMeta),
+			lock:             &sync.Mutex{},
+			nodes:            make(map[kube.ResourceKey]*node),
+			nsIndex:          make(map[string]map[kube.ResourceKey]*node),
+			onObjectUpdated:  c.onObjectUpdated,
+			kubectl:          c.kubectl,
+			cluster:          cluster,
+			syncTime:         nil,
+			syncLock:         &sync.Mutex{},
+			log:              log.WithField("server", cluster.Server),
+			cacheSettingsSrc: c.getCacheSettings,
+		}
+
+		c.clusters[cluster.Server] = info
+	}
+	return info, nil
+}
+
+func (c *liveStateCache) getSyncedCluster(server string) (*clusterInfo, error) {
+	info, err := c.getCluster(server)
+	if err != nil {
+		return nil, err
+	}
+	err = info.ensureSynced()
+	if err != nil {
+		return nil, err
+	}
+	return info, nil
+}
+
+func (c *liveStateCache) Invalidate() {
+	log.Info("invalidating live state cache")
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	for _, clust := range c.clusters {
+		clust.lock.Lock()
+		clust.invalidate()
+		clust.lock.Unlock()
+	}
+	log.Info("live state cache invalidated")
+}
+
+func (c *liveStateCache) IsNamespaced(server string, gk schema.GroupKind) (bool, error) {
+	clusterInfo, err := c.getSyncedCluster(server)
+	if err != nil {
+		return false, err
+	}
+	return clusterInfo.isNamespaced(gk), nil
+}
+
+func (c *liveStateCache) IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) error {
+	clusterInfo, err := c.getSyncedCluster(server)
+	if err != nil {
+		return err
+	}
+	clusterInfo.iterateHierarchy(key, action)
+	return nil
+}
+
+func (c *liveStateCache) GetNamespaceTopLevelResources(server string, namespace string) (map[kube.ResourceKey]appv1.ResourceNode, error) {
+	clusterInfo, err := c.getSyncedCluster(server)
+	if err != nil {
+		return nil, err
+	}
+	return clusterInfo.getNamespaceTopLevelResources(namespace), nil
+}
+
+func (c *liveStateCache) GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error) {
+	clusterInfo, err := c.getSyncedCluster(a.Spec.Destination.Server)
+	if err != nil {
+		return nil, err
+	}
+	return clusterInfo.getManagedLiveObjs(a, targetObjs, c.metricsServer)
+}
+
+func isClusterHasApps(apps []interface{}, cluster *appv1.Cluster) bool {
+	for _, obj := range apps {
+		if app, ok := obj.(*appv1.Application); ok && app.Spec.Destination.Server == cluster.Server {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *liveStateCache) getCacheSettings() *cacheSettings {
+	c.cacheSettingsLock.Lock()
+	defer c.cacheSettingsLock.Unlock()
+	return c.cacheSettings
+}
+
+func (c *liveStateCache) watchSettings(ctx context.Context) {
+	updateCh := make(chan *settings.ArgoCDSettings, 1)
+	c.settingsMgr.Subscribe(updateCh)
+
+	done := false
+	for !done {
+		select {
+		case <-updateCh:
+			nextCacheSettings, err := c.loadCacheSettings()
+			if err != nil {
+				log.Warnf("Failed to read updated settings: %v", err)
+				continue
+			}
+
+			c.cacheSettingsLock.Lock()
+			needInvalidate := false
+			if !reflect.DeepEqual(c.cacheSettings, nextCacheSettings) {
+				c.cacheSettings = nextCacheSettings
+				needInvalidate = true
+			}
+			c.cacheSettingsLock.Unlock()
+			if needInvalidate {
+				c.Invalidate()
+			}
+		case <-ctx.Done():
+			done = true
+		}
+	}
+	log.Info("shutting down settings watch")
+	c.settingsMgr.Unsubscribe(updateCh)
+	close(updateCh)
+}
+
+// Run watches for resource changes annotated with application label on all registered clusters and schedule corresponding app refresh.
+func (c *liveStateCache) Run(ctx context.Context) error {
+	cacheSettings, err := c.loadCacheSettings()
+	if err != nil {
+		return err
+	}
+	c.cacheSettings = cacheSettings
+
+	go c.watchSettings(ctx)
+
+	util.RetryUntilSucceed(func() error {
+		clusterEventCallback := func(event *db.ClusterEvent) {
+			c.lock.Lock()
+			defer c.lock.Unlock()
+			if cluster, ok := c.clusters[event.Cluster.Server]; ok {
+				if event.Type == watch.Deleted {
+					cluster.invalidate()
+					delete(c.clusters, event.Cluster.Server)
+				} else if event.Type == watch.Modified {
+					cluster.cluster = event.Cluster
+					cluster.invalidate()
+				}
+			} else if event.Type == watch.Added && isClusterHasApps(c.appInformer.GetStore().List(), event.Cluster) {
+				go func() {
+					// warm up cache for cluster with apps
+					_, _ = c.getSyncedCluster(event.Cluster.Server)
+				}()
+			}
+		}
+
+		return c.db.WatchClusters(ctx, clusterEventCallback)
+
+	}, "watch clusters", ctx, clusterRetryTimeout)
+
+	<-ctx.Done()
+	return nil
+}

controller/cache/cluster.go

@@ -0,0 +1,545 @@
+package cache
+
+import (
+	"context"
+	"fmt"
+	"runtime/debug"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+
+	"k8s.io/apimachinery/pkg/types"
+
+	"github.com/argoproj/argo-cd/controller/metrics"
+
+	log "github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/watch"
+
+	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/health"
+	"github.com/argoproj/argo-cd/util/kube"
+)
+
+const (
+	clusterSyncTimeout         = 24 * time.Hour
+	clusterRetryTimeout        = 10 * time.Second
+	watchResourcesRetryTimeout = 1 * time.Second
+)
+
+type apiMeta struct {
+	namespaced      bool
+	resourceVersion string
+	watchCancel     context.CancelFunc
+}
+
+type clusterInfo struct {
+	syncLock  *sync.Mutex
+	syncTime  *time.Time
+	syncError error
+	apisMeta  map[schema.GroupKind]*apiMeta
+
+	lock    *sync.Mutex
+	nodes   map[kube.ResourceKey]*node
+	nsIndex map[string]map[kube.ResourceKey]*node
+
+	onObjectUpdated  ObjectUpdatedHandler
+	kubectl          kube.Kubectl
+	cluster          *appv1.Cluster
+	log              *log.Entry
+	cacheSettingsSrc func() *cacheSettings
+}
+
+func (c *clusterInfo) replaceResourceCache(gk schema.GroupKind, resourceVersion string, objs []unstructured.Unstructured) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	info, ok := c.apisMeta[gk]
+	if ok {
+		objByKind := make(map[kube.ResourceKey]*unstructured.Unstructured)
+		for i := range objs {
+			objByKind[kube.GetResourceKey(&objs[i])] = &objs[i]
+		}
+
+		for i := range objs {
+			obj := &objs[i]
+			key := kube.GetResourceKey(&objs[i])
+			existingNode, exists := c.nodes[key]
+			c.onNodeUpdated(exists, existingNode, obj, key)
+		}
+
+		for key, existingNode := range c.nodes {
+			if key.Kind != gk.Kind || key.Group != gk.Group {
+				continue
+			}
+
+			if _, ok := objByKind[key]; !ok {
+				c.onNodeRemoved(key, existingNode)
+			}
+		}
+		info.resourceVersion = resourceVersion
+	}
+}
+
+func isServiceAccountTokenSecret(un *unstructured.Unstructured) (bool, metav1.OwnerReference) {
+	ref := metav1.OwnerReference{
+		APIVersion: "v1",
+		Kind:       kube.ServiceAccountKind,
+	}
+	if un.GetKind() != kube.SecretKind || un.GroupVersionKind().Group != "" {
+		return false, ref
+	}
+
+	if typeVal, ok, err := unstructured.NestedString(un.Object, "type"); !ok || err != nil || typeVal != "kubernetes.io/service-account-token" {
+		return false, ref
+	}
+
+	annotations := un.GetAnnotations()
+	if annotations == nil {
+		return false, ref
+	}
+
+	id, okId := annotations["kubernetes.io/service-account.uid"]
+	name, okName := annotations["kubernetes.io/service-account.name"]
+	if okId && okName {
+		ref.Name = name
+		ref.UID = types.UID(id)
+	}
+	return ref.Name != "" && ref.UID != "", ref
+}
+
+func (c *clusterInfo) createObjInfo(un *unstructured.Unstructured, appInstanceLabel string) *node {
+	ownerRefs := un.GetOwnerReferences()
+	// Special case for endpoint. Remove after https://github.com/kubernetes/kubernetes/issues/28483 is fixed
+	if un.GroupVersionKind().Group == "" && un.GetKind() == kube.EndpointsKind && len(un.GetOwnerReferences()) == 0 {
+		ownerRefs = append(ownerRefs, metav1.OwnerReference{
+			Name:       un.GetName(),
+			Kind:       kube.ServiceKind,
+			APIVersion: "v1",
+		})
+	}
+
+	// edge case. Consider auto-created service account tokens as a child of service account objects
+	if yes, ref := isServiceAccountTokenSecret(un); yes {
+		ownerRefs = append(ownerRefs, ref)
+	}
+
+	nodeInfo := &node{
+		resourceVersion: un.GetResourceVersion(),
+		ref:             kube.GetObjectRef(un),
+		ownerRefs:       ownerRefs,
+	}
+
+	populateNodeInfo(un, nodeInfo)
+	appName := kube.GetAppInstanceLabel(un, appInstanceLabel)
+	if len(ownerRefs) == 0 && appName != "" {
+		nodeInfo.appName = appName
+		nodeInfo.resource = un
+	}
+	nodeInfo.health, _ = health.GetResourceHealth(un, c.cacheSettingsSrc().ResourceOverrides)
+	return nodeInfo
+}
+
+func (c *clusterInfo) setNode(n *node) {
+	key := n.resourceKey()
+	c.nodes[key] = n
+	ns, ok := c.nsIndex[key.Namespace]
+	if !ok {
+		ns = make(map[kube.ResourceKey]*node)
+		c.nsIndex[key.Namespace] = ns
+	}
+	ns[key] = n
+}
+
+func (c *clusterInfo) removeNode(key kube.ResourceKey) {
+	delete(c.nodes, key)
+	if ns, ok := c.nsIndex[key.Namespace]; ok {
+		delete(ns, key)
+		if len(ns) == 0 {
+			delete(c.nsIndex, key.Namespace)
+		}
+	}
+}
+
+func (c *clusterInfo) invalidate() {
+	c.syncLock.Lock()
+	defer c.syncLock.Unlock()
+	c.syncTime = nil
+	for i := range c.apisMeta {
+		c.apisMeta[i].watchCancel()
+	}
+	c.apisMeta = nil
+}
+
+func (c *clusterInfo) synced() bool {
+	if c.syncTime == nil {
+		return false
+	}
+	if c.syncError != nil {
+		return time.Now().Before(c.syncTime.Add(clusterRetryTimeout))
+	}
+	return time.Now().Before(c.syncTime.Add(clusterSyncTimeout))
+}
+
+func (c *clusterInfo) stopWatching(gk schema.GroupKind) {
+	c.syncLock.Lock()
+	defer c.syncLock.Unlock()
+	if info, ok := c.apisMeta[gk]; ok {
+		info.watchCancel()
+		delete(c.apisMeta, gk)
+		c.replaceResourceCache(gk, "", []unstructured.Unstructured{})
+		log.Warnf("Stop watching %s not found on %s.", gk, c.cluster.Server)
+	}
+}
+
+// startMissingWatches lists supported cluster resources and start watching for changes unless watch is already running
+func (c *clusterInfo) startMissingWatches() error {
+
+	apis, err := c.kubectl.GetAPIResources(c.cluster.RESTConfig(), c.cacheSettingsSrc().ResourcesFilter)
+	if err != nil {
+		return err
+	}
+
+	for i := range apis {
+		api := apis[i]
+		if _, ok := c.apisMeta[api.GroupKind]; !ok {
+			ctx, cancel := context.WithCancel(context.Background())
+			info := &apiMeta{namespaced: api.Meta.Namespaced, watchCancel: cancel}
+			c.apisMeta[api.GroupKind] = info
+			go c.watchEvents(ctx, api, info)
+		}
+	}
+	return nil
+}
+
+func runSynced(lock *sync.Mutex, action func() error) error {
+	lock.Lock()
+	defer lock.Unlock()
+	return action()
+}
+
+func (c *clusterInfo) watchEvents(ctx context.Context, api kube.APIResourceInfo, info *apiMeta) {
+	util.RetryUntilSucceed(func() (err error) {
+		defer func() {
+			if r := recover(); r != nil {
+				err = fmt.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+			}
+		}()
+
+		err = runSynced(c.syncLock, func() error {
+			if info.resourceVersion == "" {
+				list, err := api.Interface.List(metav1.ListOptions{})
+				if err != nil {
+					return err
+				}
+				c.replaceResourceCache(api.GroupKind, list.GetResourceVersion(), list.Items)
+			}
+			return nil
+		})
+
+		if err != nil {
+			return err
+		}
+
+		w, err := api.Interface.Watch(metav1.ListOptions{ResourceVersion: info.resourceVersion})
+		if errors.IsNotFound(err) {
+			c.stopWatching(api.GroupKind)
+			return nil
+		}
+
+		err = runSynced(c.syncLock, func() error {
+			if errors.IsGone(err) {
+				info.resourceVersion = ""
+				log.Warnf("Resource version of %s on %s is too old.", api.GroupKind, c.cluster.Server)
+			}
+			return err
+		})
+
+		if err != nil {
+			return err
+		}
+		defer w.Stop()
+		for {
+			select {
+			case <-ctx.Done():
+				return nil
+			case event, ok := <-w.ResultChan():
+				if ok {
+					obj := event.Object.(*unstructured.Unstructured)
+					info.resourceVersion = obj.GetResourceVersion()
+					c.processEvent(event.Type, obj)
+					if kube.IsCRD(obj) {
+						if event.Type == watch.Deleted {
+							group, groupOk, groupErr := unstructured.NestedString(obj.Object, "spec", "group")
+							kind, kindOk, kindErr := unstructured.NestedString(obj.Object, "spec", "names", "kind")
+
+							if groupOk && groupErr == nil && kindOk && kindErr == nil {
+								gk := schema.GroupKind{Group: group, Kind: kind}
+								c.stopWatching(gk)
+							}
+						} else {
+							err = runSynced(c.syncLock, func() error {
+								return c.startMissingWatches()
+							})
+
+						}
+					}
+					if err != nil {
+						log.Warnf("Failed to start missing watch: %v", err)
+					}
+				} else {
+					return fmt.Errorf("Watch %s on %s has closed", api.GroupKind, c.cluster.Server)
+				}
+			}
+		}
+
+	}, fmt.Sprintf("watch %s on %s", api.GroupKind, c.cluster.Server), ctx, watchResourcesRetryTimeout)
+}
+
+func (c *clusterInfo) sync() (err error) {
+
+	c.log.Info("Start syncing cluster")
+
+	for i := range c.apisMeta {
+		c.apisMeta[i].watchCancel()
+	}
+	c.apisMeta = make(map[schema.GroupKind]*apiMeta)
+	c.nodes = make(map[kube.ResourceKey]*node)
+
+	apis, err := c.kubectl.GetAPIResources(c.cluster.RESTConfig(), c.cacheSettingsSrc().ResourcesFilter)
+	if err != nil {
+		return err
+	}
+	lock := sync.Mutex{}
+	err = util.RunAllAsync(len(apis), func(i int) error {
+		api := apis[i]
+		list, err := api.Interface.List(metav1.ListOptions{})
+		if err != nil {
+			return err
+		}
+
+		lock.Lock()
+		for i := range list.Items {
+			c.setNode(c.createObjInfo(&list.Items[i], c.cacheSettingsSrc().AppInstanceLabelKey))
+		}
+		lock.Unlock()
+		return nil
+	})
+
+	if err == nil {
+		err = c.startMissingWatches()
+	}
+
+	if err != nil {
+		log.Errorf("Failed to sync cluster %s: %v", c.cluster.Server, err)
+		return err
+	}
+
+	c.log.Info("Cluster successfully synced")
+	return nil
+}
+
+func (c *clusterInfo) ensureSynced() error {
+	c.syncLock.Lock()
+	defer c.syncLock.Unlock()
+	if c.synced() {
+		return c.syncError
+	}
+
+	err := c.sync()
+	syncTime := time.Now()
+	c.syncTime = &syncTime
+	c.syncError = err
+	return c.syncError
+}
+
+func (c *clusterInfo) getNamespaceTopLevelResources(namespace string) map[kube.ResourceKey]appv1.ResourceNode {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	nodes := make(map[kube.ResourceKey]appv1.ResourceNode)
+	for _, node := range c.nsIndex[namespace] {
+		if len(node.ownerRefs) == 0 {
+			nodes[node.resourceKey()] = node.asResourceNode()
+		}
+	}
+	return nodes
+}
+
+func (c *clusterInfo) iterateHierarchy(key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	if objInfo, ok := c.nodes[key]; ok {
+		nsNodes := c.nsIndex[key.Namespace]
+		action(objInfo.asResourceNode(), objInfo.getApp(nsNodes))
+		childrenByUID := make(map[types.UID][]*node)
+		for _, child := range nsNodes {
+			if objInfo.isParentOf(child) {
+				childrenByUID[child.ref.UID] = append(childrenByUID[child.ref.UID], child)
+			}
+		}
+		// make sure children has no duplicates
+		for _, children := range childrenByUID {
+			if len(children) > 0 {
+				// The object might have multiple children with the same UID (e.g. replicaset from apps and extensions group). It is ok to pick any object but we need to make sure
+				// we pick the same child after every refresh.
+				sort.Slice(children, func(i, j int) bool {
+					key1 := children[i].resourceKey()
+					key2 := children[j].resourceKey()
+					return strings.Compare(key1.String(), key2.String()) < 0
+				})
+				child := children[0]
+				action(child.asResourceNode(), child.getApp(nsNodes))
+				child.iterateChildren(nsNodes, map[kube.ResourceKey]bool{objInfo.resourceKey(): true}, action)
+			}
+		}
+	}
+}
+
+func (c *clusterInfo) isNamespaced(gk schema.GroupKind) bool {
+	if api, ok := c.apisMeta[gk]; ok && !api.namespaced {
+		return false
+	}
+	return true
+}
+
+func (c *clusterInfo) getManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured, metricsServer *metrics.MetricsServer) (map[kube.ResourceKey]*unstructured.Unstructured, error) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+
+	managedObjs := make(map[kube.ResourceKey]*unstructured.Unstructured)
+	// iterate all objects in live state cache to find ones associated with app
+	for key, o := range c.nodes {
+		if o.appName == a.Name && o.resource != nil && len(o.ownerRefs) == 0 {
+			managedObjs[key] = o.resource
+		}
+	}
+	config := metrics.AddMetricsTransportWrapper(metricsServer, a, c.cluster.RESTConfig())
+	// iterate target objects and identify ones that already exist in the cluster,\
+	// but are simply missing our label
+	lock := &sync.Mutex{}
+	err := util.RunAllAsync(len(targetObjs), func(i int) error {
+		targetObj := targetObjs[i]
+		key := GetTargetObjKey(a, targetObj, c.isNamespaced(targetObj.GroupVersionKind().GroupKind()))
+		lock.Lock()
+		managedObj := managedObjs[key]
+		lock.Unlock()
+
+		if managedObj == nil {
+			if existingObj, exists := c.nodes[key]; exists {
+				if existingObj.resource != nil {
+					managedObj = existingObj.resource
+				} else {
+					var err error
+					managedObj, err = c.kubectl.GetResource(config, targetObj.GroupVersionKind(), existingObj.ref.Name, existingObj.ref.Namespace)
+					if err != nil {
+						if errors.IsNotFound(err) {
+							return nil
+						}
+						return err
+					}
+				}
+			} else if _, watched := c.apisMeta[key.GroupKind()]; !watched {
+				var err error
+				managedObj, err = c.kubectl.GetResource(config, targetObj.GroupVersionKind(), targetObj.GetName(), targetObj.GetNamespace())
+				if err != nil {
+					if errors.IsNotFound(err) {
+						return nil
+					}
+					return err
+				}
+			}
+		}
+
+		if managedObj != nil {
+			converted, err := c.kubectl.ConvertToVersion(managedObj, targetObj.GroupVersionKind().Group, targetObj.GroupVersionKind().Version)
+			if err != nil {
+				// fallback to loading resource from kubernetes if conversion fails
+				log.Warnf("Failed to convert resource: %v", err)
+				managedObj, err = c.kubectl.GetResource(config, targetObj.GroupVersionKind(), managedObj.GetName(), managedObj.GetNamespace())
+				if err != nil {
+					if errors.IsNotFound(err) {
+						return nil
+					}
+					return err
+				}
+			} else {
+				managedObj = converted
+			}
+			lock.Lock()
+			managedObjs[key] = managedObj
+			lock.Unlock()
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return managedObjs, nil
+}
+
+func (c *clusterInfo) processEvent(event watch.EventType, un *unstructured.Unstructured) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	key := kube.GetResourceKey(un)
+	existingNode, exists := c.nodes[key]
+	if event == watch.Deleted {
+		if exists {
+			c.onNodeRemoved(key, existingNode)
+		}
+	} else if event != watch.Deleted {
+		c.onNodeUpdated(exists, existingNode, un, key)
+	}
+}
+
+func (c *clusterInfo) onNodeUpdated(exists bool, existingNode *node, un *unstructured.Unstructured, key kube.ResourceKey) {
+	nodes := make([]*node, 0)
+	if exists {
+		nodes = append(nodes, existingNode)
+	}
+	newObj := c.createObjInfo(un, c.cacheSettingsSrc().AppInstanceLabelKey)
+	c.setNode(newObj)
+	nodes = append(nodes, newObj)
+	toNotify := make(map[string]bool)
+	for i := range nodes {
+		n := nodes[i]
+		if ns, ok := c.nsIndex[n.ref.Namespace]; ok {
+			app := n.getApp(ns)
+			if app == "" || skipAppRequeing(key) {
+				continue
+			}
+			toNotify[app] = n.isRootAppNode() || toNotify[app]
+		}
+	}
+	c.onObjectUpdated(toNotify, newObj.ref)
+}
+
+func (c *clusterInfo) onNodeRemoved(key kube.ResourceKey, n *node) {
+	appName := n.appName
+	if ns, ok := c.nsIndex[key.Namespace]; ok {
+		appName = n.getApp(ns)
+	}
+
+	c.removeNode(key)
+	managedByApp := make(map[string]bool)
+	if appName != "" {
+		managedByApp[appName] = n.isRootAppNode()
+	}
+	c.onObjectUpdated(managedByApp, n.ref)
+}
+
+var (
+	ignoredRefreshResources = map[string]bool{
+		"/" + kube.EndpointsKind: true,
+	}
+)
+
+// skipAppRequeing checks if the object is an API type which we want to skip requeuing against.
+// We ignore API types which have a high churn rate, and/or whose updates are irrelevant to the app
+func skipAppRequeing(key kube.ResourceKey) bool {
+	return ignoredRefreshResources[key.Group+"/"+key.Kind]
+}

controller/cache/cluster_test.go

@@ -0,0 +1,488 @@
+package cache
+
+import (
+	"fmt"
+	"sort"
+	"strings"
+	"sync"
+	"testing"
+
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/dynamic/fake"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/errors"
+	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/kube/kubetest"
+)
+
+func strToUnstructured(jsonStr string) *unstructured.Unstructured {
+	obj := make(map[string]interface{})
+	err := yaml.Unmarshal([]byte(jsonStr), &obj)
+	errors.CheckError(err)
+	return &unstructured.Unstructured{Object: obj}
+}
+
+func mustToUnstructured(obj interface{}) *unstructured.Unstructured {
+	un, err := kube.ToUnstructured(obj)
+	errors.CheckError(err)
+	return un
+}
+
+var (
+	testPod = strToUnstructured(`
+  apiVersion: v1
+  kind: Pod
+  metadata:
+    uid: "1"
+    name: helm-guestbook-pod
+    namespace: default
+    ownerReferences:
+    - apiVersion: apps/v1
+      kind: ReplicaSet
+      name: helm-guestbook-rs
+      uid: "2"
+    resourceVersion: "123"`)
+
+	testRS = strToUnstructured(`
+  apiVersion: apps/v1
+  kind: ReplicaSet
+  metadata:
+    uid: "2"
+    name: helm-guestbook-rs
+    namespace: default
+    annotations:
+      deployment.kubernetes.io/revision: "2"
+    ownerReferences:
+    - apiVersion: apps/v1beta1
+      kind: Deployment
+      name: helm-guestbook
+      uid: "3"
+    resourceVersion: "123"`)
+
+	testDeploy = strToUnstructured(`
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata:
+    labels:
+      app.kubernetes.io/instance: helm-guestbook
+    uid: "3"
+    name: helm-guestbook
+    namespace: default
+    resourceVersion: "123"`)
+
+	testService = strToUnstructured(`
+  apiVersion: v1
+  kind: Service
+  metadata:
+    name: helm-guestbook
+    namespace: default
+    resourceVersion: "123"
+    uid: "4"
+  spec:
+    selector:
+      app: guestbook
+    type: LoadBalancer
+  status:
+    loadBalancer:
+      ingress:
+      - hostname: localhost`)
+
+	testIngress = strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+    uid: "4"
+  spec:
+    backend:
+      serviceName: not-found-service
+      servicePort: 443
+    rules:
+    - host: helm-guestbook.com
+      http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: https
+          path: /
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+)
+
+func newCluster(objs ...*unstructured.Unstructured) *clusterInfo {
+	runtimeObjs := make([]runtime.Object, len(objs))
+	for i := range objs {
+		runtimeObjs[i] = objs[i]
+	}
+	scheme := runtime.NewScheme()
+	client := fake.NewSimpleDynamicClient(scheme, runtimeObjs...)
+
+	apiResources := []kube.APIResourceInfo{{
+		GroupKind: schema.GroupKind{Group: "", Kind: "Pod"},
+		Interface: client.Resource(schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}),
+		Meta:      metav1.APIResource{Namespaced: true},
+	}, {
+		GroupKind: schema.GroupKind{Group: "apps", Kind: "ReplicaSet"},
+		Interface: client.Resource(schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "replicasets"}),
+		Meta:      metav1.APIResource{Namespaced: true},
+	}, {
+		GroupKind: schema.GroupKind{Group: "apps", Kind: "Deployment"},
+		Interface: client.Resource(schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"}),
+		Meta:      metav1.APIResource{Namespaced: true},
+	}}
+
+	return newClusterExt(&kubetest.MockKubectlCmd{APIResources: apiResources})
+}
+
+func newClusterExt(kubectl kube.Kubectl) *clusterInfo {
+	return &clusterInfo{
+		lock:            &sync.Mutex{},
+		nodes:           make(map[kube.ResourceKey]*node),
+		onObjectUpdated: func(managedByApp map[string]bool, reference corev1.ObjectReference) {},
+		kubectl:         kubectl,
+		nsIndex:         make(map[string]map[kube.ResourceKey]*node),
+		cluster:         &appv1.Cluster{},
+		syncTime:        nil,
+		syncLock:        &sync.Mutex{},
+		apisMeta:        make(map[schema.GroupKind]*apiMeta),
+		log:             log.WithField("cluster", "test"),
+		cacheSettingsSrc: func() *cacheSettings {
+			return &cacheSettings{AppInstanceLabelKey: common.LabelKeyAppInstance}
+		},
+	}
+}
+
+func getChildren(cluster *clusterInfo, un *unstructured.Unstructured) []appv1.ResourceNode {
+	hierarchy := make([]appv1.ResourceNode, 0)
+	cluster.iterateHierarchy(kube.GetResourceKey(un), func(child appv1.ResourceNode, app string) {
+		hierarchy = append(hierarchy, child)
+	})
+	return hierarchy[1:]
+}
+
+func TestGetNamespaceResources(t *testing.T) {
+	defaultNamespaceTopLevel1 := strToUnstructured(`
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata: {"name": "helm-guestbook1", "namespace": "default"}
+`)
+	defaultNamespaceTopLevel2 := strToUnstructured(`
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata: {"name": "helm-guestbook2", "namespace": "default"}
+`)
+	kubesystemNamespaceTopLevel2 := strToUnstructured(`
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata: {"name": "helm-guestbook3", "namespace": "kube-system"}
+`)
+
+	cluster := newCluster(defaultNamespaceTopLevel1, defaultNamespaceTopLevel2, kubesystemNamespaceTopLevel2)
+	err := cluster.ensureSynced()
+	assert.Nil(t, err)
+
+	resources := cluster.getNamespaceTopLevelResources("default")
+	assert.Len(t, resources, 2)
+	assert.Equal(t, resources[kube.GetResourceKey(defaultNamespaceTopLevel1)].Name, "helm-guestbook1")
+	assert.Equal(t, resources[kube.GetResourceKey(defaultNamespaceTopLevel2)].Name, "helm-guestbook2")
+
+	resources = cluster.getNamespaceTopLevelResources("kube-system")
+	assert.Len(t, resources, 1)
+	assert.Equal(t, resources[kube.GetResourceKey(kubesystemNamespaceTopLevel2)].Name, "helm-guestbook3")
+}
+
+func TestGetChildren(t *testing.T) {
+	cluster := newCluster(testPod, testRS, testDeploy)
+	err := cluster.ensureSynced()
+	assert.Nil(t, err)
+
+	rsChildren := getChildren(cluster, testRS)
+	assert.Equal(t, []appv1.ResourceNode{{
+		ResourceRef: appv1.ResourceRef{
+			Kind:      "Pod",
+			Namespace: "default",
+			Name:      "helm-guestbook-pod",
+			Group:     "",
+			Version:   "v1",
+			UID:       "1",
+		},
+		ParentRefs: []appv1.ResourceRef{{
+			Group:     "apps",
+			Version:   "",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "helm-guestbook-rs",
+			UID:       "2",
+		}},
+		Health:          &appv1.HealthStatus{Status: appv1.HealthStatusUnknown},
+		NetworkingInfo:  &appv1.ResourceNetworkingInfo{Labels: testPod.GetLabels()},
+		ResourceVersion: "123",
+		Info:            []appv1.InfoItem{{Name: "Containers", Value: "0/0"}},
+	}}, rsChildren)
+	deployChildren := getChildren(cluster, testDeploy)
+
+	assert.Equal(t, append([]appv1.ResourceNode{{
+		ResourceRef: appv1.ResourceRef{
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "helm-guestbook-rs",
+			Group:     "apps",
+			Version:   "v1",
+			UID:       "2",
+		},
+		ResourceVersion: "123",
+		Health:          &appv1.HealthStatus{Status: appv1.HealthStatusHealthy},
+		Info:            []appv1.InfoItem{{Name: "Revision", Value: "Rev:2"}},
+		ParentRefs:      []appv1.ResourceRef{{Group: "apps", Version: "", Kind: "Deployment", Namespace: "default", Name: "helm-guestbook", UID: "3"}},
+	}}, rsChildren...), deployChildren)
+}
+
+func TestGetManagedLiveObjs(t *testing.T) {
+	cluster := newCluster(testPod, testRS, testDeploy)
+	err := cluster.ensureSynced()
+	assert.Nil(t, err)
+
+	targetDeploy := strToUnstructured(`
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: helm-guestbook
+  labels:
+    app: helm-guestbook`)
+
+	managedObjs, err := cluster.getManagedLiveObjs(&appv1.Application{
+		ObjectMeta: metav1.ObjectMeta{Name: "helm-guestbook"},
+		Spec: appv1.ApplicationSpec{
+			Destination: appv1.ApplicationDestination{
+				Namespace: "default",
+			},
+		},
+	}, []*unstructured.Unstructured{targetDeploy}, nil)
+	assert.Nil(t, err)
+	assert.Equal(t, managedObjs, map[kube.ResourceKey]*unstructured.Unstructured{
+		kube.NewResourceKey("apps", "Deployment", "default", "helm-guestbook"): testDeploy,
+	})
+}
+
+func TestChildDeletedEvent(t *testing.T) {
+	cluster := newCluster(testPod, testRS, testDeploy)
+	err := cluster.ensureSynced()
+	assert.Nil(t, err)
+
+	cluster.processEvent(watch.Deleted, testPod)
+
+	rsChildren := getChildren(cluster, testRS)
+	assert.Equal(t, []appv1.ResourceNode{}, rsChildren)
+}
+
+func TestProcessNewChildEvent(t *testing.T) {
+	cluster := newCluster(testPod, testRS, testDeploy)
+	err := cluster.ensureSynced()
+	assert.Nil(t, err)
+
+	newPod := strToUnstructured(`
+  apiVersion: v1
+  kind: Pod
+  metadata:
+    uid: "4"
+    name: helm-guestbook-pod2
+    namespace: default
+    ownerReferences:
+    - apiVersion: apps/v1
+      kind: ReplicaSet
+      name: helm-guestbook-rs
+      uid: "2"
+    resourceVersion: "123"`)
+
+	cluster.processEvent(watch.Added, newPod)
+
+	rsChildren := getChildren(cluster, testRS)
+	sort.Slice(rsChildren, func(i, j int) bool {
+		return strings.Compare(rsChildren[i].Name, rsChildren[j].Name) < 0
+	})
+	assert.Equal(t, []appv1.ResourceNode{{
+		ResourceRef: appv1.ResourceRef{
+			Kind:      "Pod",
+			Namespace: "default",
+			Name:      "helm-guestbook-pod",
+			Group:     "",
+			Version:   "v1",
+			UID:       "1",
+		},
+		Info:           []appv1.InfoItem{{Name: "Containers", Value: "0/0"}},
+		Health:         &appv1.HealthStatus{Status: appv1.HealthStatusUnknown},
+		NetworkingInfo: &appv1.ResourceNetworkingInfo{Labels: testPod.GetLabels()},
+		ParentRefs: []appv1.ResourceRef{{
+			Group:     "apps",
+			Version:   "",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "helm-guestbook-rs",
+			UID:       "2",
+		}},
+		ResourceVersion: "123",
+	}, {
+		ResourceRef: appv1.ResourceRef{
+			Kind:      "Pod",
+			Namespace: "default",
+			Name:      "helm-guestbook-pod2",
+			Group:     "",
+			Version:   "v1",
+			UID:       "4",
+		},
+		NetworkingInfo: &appv1.ResourceNetworkingInfo{Labels: testPod.GetLabels()},
+		Info:           []appv1.InfoItem{{Name: "Containers", Value: "0/0"}},
+		Health:         &appv1.HealthStatus{Status: appv1.HealthStatusUnknown},
+		ParentRefs: []appv1.ResourceRef{{
+			Group:     "apps",
+			Version:   "",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "helm-guestbook-rs",
+			UID:       "2",
+		}},
+		ResourceVersion: "123",
+	}}, rsChildren)
+}
+
+func TestUpdateResourceTags(t *testing.T) {
+	pod := &corev1.Pod{
+		TypeMeta:   metav1.TypeMeta{Kind: "Pod", APIVersion: "v1"},
+		ObjectMeta: metav1.ObjectMeta{Name: "testPod", Namespace: "default"},
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{{
+				Name:  "test",
+				Image: "test",
+			}},
+		},
+	}
+	cluster := newCluster(mustToUnstructured(pod))
+
+	err := cluster.ensureSynced()
+	assert.Nil(t, err)
+
+	podNode := cluster.nodes[kube.GetResourceKey(mustToUnstructured(pod))]
+
+	assert.NotNil(t, podNode)
+	assert.Equal(t, []appv1.InfoItem{{Name: "Containers", Value: "0/1"}}, podNode.info)
+
+	pod.Status = corev1.PodStatus{
+		ContainerStatuses: []corev1.ContainerStatus{{
+			State: corev1.ContainerState{
+				Terminated: &corev1.ContainerStateTerminated{
+					ExitCode: -1,
+				},
+			},
+		}},
+	}
+	cluster.processEvent(watch.Modified, mustToUnstructured(pod))
+
+	podNode = cluster.nodes[kube.GetResourceKey(mustToUnstructured(pod))]
+
+	assert.NotNil(t, podNode)
+	assert.Equal(t, []appv1.InfoItem{{Name: "Status Reason", Value: "ExitCode:-1"}, {Name: "Containers", Value: "0/1"}}, podNode.info)
+}
+
+func TestUpdateAppResource(t *testing.T) {
+	updatesReceived := make([]string, 0)
+	cluster := newCluster(testPod, testRS, testDeploy)
+	cluster.onObjectUpdated = func(managedByApp map[string]bool, _ corev1.ObjectReference) {
+		for appName, fullRefresh := range managedByApp {
+			updatesReceived = append(updatesReceived, fmt.Sprintf("%s: %v", appName, fullRefresh))
+		}
+	}
+
+	err := cluster.ensureSynced()
+	assert.Nil(t, err)
+
+	cluster.processEvent(watch.Modified, mustToUnstructured(testPod))
+
+	assert.Contains(t, updatesReceived, "helm-guestbook: false")
+}
+
+func TestCircularReference(t *testing.T) {
+	dep := testDeploy.DeepCopy()
+	dep.SetOwnerReferences([]metav1.OwnerReference{{
+		Name:       testPod.GetName(),
+		Kind:       testPod.GetKind(),
+		APIVersion: testPod.GetAPIVersion(),
+	}})
+	cluster := newCluster(testPod, testRS, dep)
+	err := cluster.ensureSynced()
+
+	assert.Nil(t, err)
+
+	children := getChildren(cluster, dep)
+	assert.Len(t, children, 2)
+
+	node := cluster.nodes[kube.GetResourceKey(dep)]
+	assert.NotNil(t, node)
+	app := node.getApp(cluster.nodes)
+	assert.Equal(t, "", app)
+}
+
+func TestWatchCacheUpdated(t *testing.T) {
+	removed := testPod.DeepCopy()
+	removed.SetName(testPod.GetName() + "-removed-pod")
+
+	updated := testPod.DeepCopy()
+	updated.SetName(testPod.GetName() + "-updated-pod")
+	updated.SetResourceVersion("updated-pod-version")
+
+	cluster := newCluster(removed, updated)
+	err := cluster.ensureSynced()
+
+	assert.Nil(t, err)
+
+	added := testPod.DeepCopy()
+	added.SetName(testPod.GetName() + "-new-pod")
+
+	podGroupKind := testPod.GroupVersionKind().GroupKind()
+
+	cluster.replaceResourceCache(podGroupKind, "updated-list-version", []unstructured.Unstructured{*updated, *added})
+
+	_, ok := cluster.nodes[kube.GetResourceKey(removed)]
+	assert.False(t, ok)
+
+	updatedNode, ok := cluster.nodes[kube.GetResourceKey(updated)]
+	assert.True(t, ok)
+	assert.Equal(t, updatedNode.resourceVersion, "updated-pod-version")
+
+	_, ok = cluster.nodes[kube.GetResourceKey(added)]
+	assert.True(t, ok)
+}
+
+func TestGetDuplicatedChildren(t *testing.T) {
+	extensionsRS := testRS.DeepCopy()
+	extensionsRS.SetGroupVersionKind(schema.GroupVersionKind{Group: "extensions", Kind: kube.ReplicaSetKind, Version: "v1beta1"})
+	cluster := newCluster(testDeploy, testRS, extensionsRS)
+	err := cluster.ensureSynced()
+
+	assert.Nil(t, err)
+
+	// Get children multiple times to make sure the right child is picked up every time.
+	for i := 0; i < 5; i++ {
+		children := getChildren(cluster, testDeploy)
+		assert.Len(t, children, 1)
+		assert.Equal(t, "apps", children[0].Group)
+		assert.Equal(t, kube.ReplicaSetKind, children[0].Kind)
+		assert.Equal(t, testRS.GetName(), children[0].Name)
+	}
+}

controller/cache/info.go

@@ -0,0 +1,257 @@
+package cache
+
+import (
+	"fmt"
+
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	k8snode "k8s.io/kubernetes/pkg/util/node"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/resource"
+)
+
+func populateNodeInfo(un *unstructured.Unstructured, node *node) {
+
+	gvk := un.GroupVersionKind()
+	revision := resource.GetRevision(un)
+	if revision > 0 {
+		node.info = append(node.info, v1alpha1.InfoItem{Name: "Revision", Value: fmt.Sprintf("Rev:%v", revision)})
+	}
+	switch gvk.Group {
+	case "":
+		switch gvk.Kind {
+		case kube.PodKind:
+			populatePodInfo(un, node)
+			return
+		case kube.ServiceKind:
+			populateServiceInfo(un, node)
+			return
+		}
+	case "extensions", "networking.k8s.io":
+		switch gvk.Kind {
+		case kube.IngressKind:
+			populateIngressInfo(un, node)
+			return
+		}
+	}
+}
+
+func getIngress(un *unstructured.Unstructured) []v1.LoadBalancerIngress {
+	ingress, ok, err := unstructured.NestedSlice(un.Object, "status", "loadBalancer", "ingress")
+	if !ok || err != nil {
+		return nil
+	}
+	res := make([]v1.LoadBalancerIngress, 0)
+	for _, item := range ingress {
+		if lbIngress, ok := item.(map[string]interface{}); ok {
+			if hostname := lbIngress["hostname"]; hostname != nil {
+				res = append(res, v1.LoadBalancerIngress{Hostname: fmt.Sprintf("%s", hostname)})
+			} else if ip := lbIngress["ip"]; ip != nil {
+				res = append(res, v1.LoadBalancerIngress{IP: fmt.Sprintf("%s", ip)})
+			}
+		}
+	}
+	return res
+}
+
+func populateServiceInfo(un *unstructured.Unstructured, node *node) {
+	targetLabels, _, _ := unstructured.NestedStringMap(un.Object, "spec", "selector")
+	ingress := make([]v1.LoadBalancerIngress, 0)
+	if serviceType, ok, err := unstructured.NestedString(un.Object, "spec", "type"); ok && err == nil && serviceType == string(v1.ServiceTypeLoadBalancer) {
+		ingress = getIngress(un)
+	}
+	node.networkingInfo = &v1alpha1.ResourceNetworkingInfo{TargetLabels: targetLabels, Ingress: ingress}
+}
+
+func populateIngressInfo(un *unstructured.Unstructured, node *node) {
+	ingress := getIngress(un)
+	targetsMap := make(map[v1alpha1.ResourceRef]bool)
+	if backend, ok, err := unstructured.NestedMap(un.Object, "spec", "backend"); ok && err == nil {
+		targetsMap[v1alpha1.ResourceRef{
+			Group:     "",
+			Kind:      kube.ServiceKind,
+			Namespace: un.GetNamespace(),
+			Name:      fmt.Sprintf("%s", backend["serviceName"]),
+		}] = true
+	}
+	urlsSet := make(map[string]bool)
+	if rules, ok, err := unstructured.NestedSlice(un.Object, "spec", "rules"); ok && err == nil {
+		for i := range rules {
+			rule, ok := rules[i].(map[string]interface{})
+			if !ok {
+				continue
+			}
+			host := rule["host"]
+			if host == nil || host == "" {
+				for i := range ingress {
+					host = util.FirstNonEmpty(ingress[i].Hostname, ingress[i].IP)
+					if host != "" {
+						break
+					}
+				}
+			}
+			paths, ok, err := unstructured.NestedSlice(rule, "http", "paths")
+			if !ok || err != nil {
+				continue
+			}
+			for i := range paths {
+				path, ok := paths[i].(map[string]interface{})
+				if !ok {
+					continue
+				}
+
+				if serviceName, ok, err := unstructured.NestedString(path, "backend", "serviceName"); ok && err == nil {
+					targetsMap[v1alpha1.ResourceRef{
+						Group:     "",
+						Kind:      kube.ServiceKind,
+						Namespace: un.GetNamespace(),
+						Name:      serviceName,
+					}] = true
+				}
+
+				if port, ok, err := unstructured.NestedFieldNoCopy(path, "backend", "servicePort"); ok && err == nil && host != "" && host != nil {
+					stringPort := ""
+					switch typedPod := port.(type) {
+					case int64:
+						stringPort = fmt.Sprintf("%d", typedPod)
+					case float64:
+						stringPort = fmt.Sprintf("%d", int64(typedPod))
+					case string:
+						stringPort = typedPod
+					default:
+						stringPort = fmt.Sprintf("%v", port)
+					}
+
+					var externalURL string
+					switch stringPort {
+					case "80", "http":
+						externalURL = fmt.Sprintf("http://%s", host)
+					case "443", "https":
+						externalURL = fmt.Sprintf("https://%s", host)
+					default:
+						externalURL = fmt.Sprintf("http://%s:%s", host, stringPort)
+					}
+
+					subPath := ""
+					if nestedPath, ok, err := unstructured.NestedString(path, "path"); ok && err == nil {
+						subPath = nestedPath
+					}
+
+					externalURL += subPath
+					urlsSet[externalURL] = true
+				}
+			}
+		}
+	}
+	targets := make([]v1alpha1.ResourceRef, 0)
+	for target := range targetsMap {
+		targets = append(targets, target)
+	}
+	urls := make([]string, 0)
+	for url := range urlsSet {
+		urls = append(urls, url)
+	}
+	node.networkingInfo = &v1alpha1.ResourceNetworkingInfo{TargetRefs: targets, Ingress: ingress, ExternalURLs: urls}
+}
+
+func populatePodInfo(un *unstructured.Unstructured, node *node) {
+	pod := v1.Pod{}
+	err := runtime.DefaultUnstructuredConverter.FromUnstructured(un.Object, &pod)
+	if err != nil {
+		return
+	}
+	restarts := 0
+	totalContainers := len(pod.Spec.Containers)
+	readyContainers := 0
+
+	reason := string(pod.Status.Phase)
+	if pod.Status.Reason != "" {
+		reason = pod.Status.Reason
+	}
+
+	imagesSet := make(map[string]bool)
+	for _, container := range pod.Spec.InitContainers {
+		imagesSet[container.Image] = true
+	}
+	for _, container := range pod.Spec.Containers {
+		imagesSet[container.Image] = true
+	}
+
+	node.images = nil
+	for image := range imagesSet {
+		node.images = append(node.images, image)
+	}
+
+	initializing := false
+	for i := range pod.Status.InitContainerStatuses {
+		container := pod.Status.InitContainerStatuses[i]
+		restarts += int(container.RestartCount)
+		switch {
+		case container.State.Terminated != nil && container.State.Terminated.ExitCode == 0:
+			continue
+		case container.State.Terminated != nil:
+			// initialization is failed
+			if len(container.State.Terminated.Reason) == 0 {
+				if container.State.Terminated.Signal != 0 {
+					reason = fmt.Sprintf("Init:Signal:%d", container.State.Terminated.Signal)
+				} else {
+					reason = fmt.Sprintf("Init:ExitCode:%d", container.State.Terminated.ExitCode)
+				}
+			} else {
+				reason = "Init:" + container.State.Terminated.Reason
+			}
+			initializing = true
+		case container.State.Waiting != nil && len(container.State.Waiting.Reason) > 0 && container.State.Waiting.Reason != "PodInitializing":
+			reason = "Init:" + container.State.Waiting.Reason
+			initializing = true
+		default:
+			reason = fmt.Sprintf("Init:%d/%d", i, len(pod.Spec.InitContainers))
+			initializing = true
+		}
+		break
+	}
+	if !initializing {
+		restarts = 0
+		hasRunning := false
+		for i := len(pod.Status.ContainerStatuses) - 1; i >= 0; i-- {
+			container := pod.Status.ContainerStatuses[i]
+
+			restarts += int(container.RestartCount)
+			if container.State.Waiting != nil && container.State.Waiting.Reason != "" {
+				reason = container.State.Waiting.Reason
+			} else if container.State.Terminated != nil && container.State.Terminated.Reason != "" {
+				reason = container.State.Terminated.Reason
+			} else if container.State.Terminated != nil && container.State.Terminated.Reason == "" {
+				if container.State.Terminated.Signal != 0 {
+					reason = fmt.Sprintf("Signal:%d", container.State.Terminated.Signal)
+				} else {
+					reason = fmt.Sprintf("ExitCode:%d", container.State.Terminated.ExitCode)
+				}
+			} else if container.Ready && container.State.Running != nil {
+				hasRunning = true
+				readyContainers++
+			}
+		}
+
+		// change pod status back to "Running" if there is at least one container still reporting as "Running" status
+		if reason == "Completed" && hasRunning {
+			reason = "Running"
+		}
+	}
+
+	if pod.DeletionTimestamp != nil && pod.Status.Reason == k8snode.NodeUnreachablePodReason {
+		reason = "Unknown"
+	} else if pod.DeletionTimestamp != nil {
+		reason = "Terminating"
+	}
+
+	if reason != "" {
+		node.info = append(node.info, v1alpha1.InfoItem{Name: "Status Reason", Value: reason})
+	}
+	node.info = append(node.info, v1alpha1.InfoItem{Name: "Containers", Value: fmt.Sprintf("%d/%d", readyContainers, totalContainers)})
+	node.networkingInfo = &v1alpha1.ResourceNetworkingInfo{Labels: un.GetLabels()}
+}

controller/cache/info_test.go

@@ -0,0 +1,222 @@
+package cache
+
+import (
+	"sort"
+	"strings"
+	"testing"
+
+	v1 "k8s.io/api/core/v1"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/kube"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetPodInfo(t *testing.T) {
+	pod := strToUnstructured(`
+  apiVersion: v1
+  kind: Pod
+  metadata:
+    name: helm-guestbook-pod
+    namespace: default
+    ownerReferences:
+    - apiVersion: extensions/v1beta1
+      kind: ReplicaSet
+      name: helm-guestbook-rs
+    resourceVersion: "123"
+    labels:
+      app: guestbook
+  spec:
+    containers:
+    - image: bar`)
+
+	node := &node{}
+	populateNodeInfo(pod, node)
+	assert.Equal(t, []v1alpha1.InfoItem{{Name: "Containers", Value: "0/1"}}, node.info)
+	assert.Equal(t, []string{"bar"}, node.images)
+	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{Labels: map[string]string{"app": "guestbook"}}, node.networkingInfo)
+}
+
+func TestGetServiceInfo(t *testing.T) {
+	node := &node{}
+	populateNodeInfo(testService, node)
+	assert.Equal(t, 0, len(node.info))
+	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{
+		TargetLabels: map[string]string{"app": "guestbook"},
+		Ingress:      []v1.LoadBalancerIngress{{Hostname: "localhost"}},
+	}, node.networkingInfo)
+}
+
+func TestGetIngressInfo(t *testing.T) {
+	node := &node{}
+	populateNodeInfo(testIngress, node)
+	assert.Equal(t, 0, len(node.info))
+	sort.Slice(node.networkingInfo.TargetRefs, func(i, j int) bool {
+		return strings.Compare(node.networkingInfo.TargetRefs[j].Name, node.networkingInfo.TargetRefs[i].Name) < 0
+	})
+	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{
+		Ingress: []v1.LoadBalancerIngress{{IP: "107.178.210.11"}},
+		TargetRefs: []v1alpha1.ResourceRef{{
+			Namespace: "default",
+			Group:     "",
+			Kind:      kube.ServiceKind,
+			Name:      "not-found-service",
+		}, {
+			Namespace: "default",
+			Group:     "",
+			Kind:      kube.ServiceKind,
+			Name:      "helm-guestbook",
+		}},
+		ExternalURLs: []string{"https://helm-guestbook.com/"},
+	}, node.networkingInfo)
+}
+
+func TestGetIngressInfoNoHost(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	node := &node{}
+	populateNodeInfo(ingress, node)
+
+	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{
+		Ingress: []v1.LoadBalancerIngress{{IP: "107.178.210.11"}},
+		TargetRefs: []v1alpha1.ResourceRef{{
+			Namespace: "default",
+			Group:     "",
+			Kind:      kube.ServiceKind,
+			Name:      "helm-guestbook",
+		}},
+		ExternalURLs: []string{"https://107.178.210.11/"},
+	}, node.networkingInfo)
+}
+func TestExternalUrlWithSubPath(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /my/sub/path/
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	node := &node{}
+	populateNodeInfo(ingress, node)
+
+	expectedExternalUrls := []string{"https://107.178.210.11/my/sub/path/"}
+	assert.Equal(t, expectedExternalUrls, node.networkingInfo.ExternalURLs)
+}
+func TestExternalUrlWithMultipleSubPaths(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - host: helm-guestbook.com
+      http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /my/sub/path/
+        - backend:
+            serviceName: helm-guestbook-2
+            servicePort: 443
+          path: /my/sub/path/2
+        - backend:
+            serviceName: helm-guestbook-3
+            servicePort: 443
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	node := &node{}
+	populateNodeInfo(ingress, node)
+
+	expectedExternalUrls := []string{"https://helm-guestbook.com/my/sub/path/", "https://helm-guestbook.com/my/sub/path/2", "https://helm-guestbook.com"}
+	actualURLs := node.networkingInfo.ExternalURLs
+	sort.Strings(expectedExternalUrls)
+	sort.Strings(actualURLs)
+	assert.Equal(t, expectedExternalUrls, actualURLs)
+}
+func TestExternalUrlWithNoSubPath(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	node := &node{}
+	populateNodeInfo(ingress, node)
+
+	expectedExternalUrls := []string{"https://107.178.210.11"}
+	assert.Equal(t, expectedExternalUrls, node.networkingInfo.ExternalURLs)
+}
+
+func TestExternalUrlWithNetworkingApi(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: networking.k8s.io/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	node := &node{}
+	populateNodeInfo(ingress, node)
+
+	expectedExternalUrls := []string{"https://107.178.210.11"}
+	assert.Equal(t, expectedExternalUrls, node.networkingInfo.ExternalURLs)
+}

controller/cache/mocks/LiveStateCache.go

@@ -0,0 +1,122 @@
+// Code generated by mockery v1.0.0. DO NOT EDIT.
+
+package mocks
+
+import (
+	context "context"
+
+	mock "github.com/stretchr/testify/mock"
+
+	kube "github.com/argoproj/argo-cd/util/kube"
+
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+
+	unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	v1alpha1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+// LiveStateCache is an autogenerated mock type for the LiveStateCache type
+type LiveStateCache struct {
+	mock.Mock
+}
+
+// GetManagedLiveObjs provides a mock function with given fields: a, targetObjs
+func (_m *LiveStateCache) GetManagedLiveObjs(a *v1alpha1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error) {
+	ret := _m.Called(a, targetObjs)
+
+	var r0 map[kube.ResourceKey]*unstructured.Unstructured
+	if rf, ok := ret.Get(0).(func(*v1alpha1.Application, []*unstructured.Unstructured) map[kube.ResourceKey]*unstructured.Unstructured); ok {
+		r0 = rf(a, targetObjs)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[kube.ResourceKey]*unstructured.Unstructured)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(*v1alpha1.Application, []*unstructured.Unstructured) error); ok {
+		r1 = rf(a, targetObjs)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GetNamespaceTopLevelResources provides a mock function with given fields: server, namespace
+func (_m *LiveStateCache) GetNamespaceTopLevelResources(server string, namespace string) (map[kube.ResourceKey]v1alpha1.ResourceNode, error) {
+	ret := _m.Called(server, namespace)
+
+	var r0 map[kube.ResourceKey]v1alpha1.ResourceNode
+	if rf, ok := ret.Get(0).(func(string, string) map[kube.ResourceKey]v1alpha1.ResourceNode); ok {
+		r0 = rf(server, namespace)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[kube.ResourceKey]v1alpha1.ResourceNode)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string, string) error); ok {
+		r1 = rf(server, namespace)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// Invalidate provides a mock function with given fields:
+func (_m *LiveStateCache) Invalidate() {
+	_m.Called()
+}
+
+// IsNamespaced provides a mock function with given fields: server, gk
+func (_m *LiveStateCache) IsNamespaced(server string, gk schema.GroupKind) (bool, error) {
+	ret := _m.Called(server, gk)
+
+	var r0 bool
+	if rf, ok := ret.Get(0).(func(string, schema.GroupKind) bool); ok {
+		r0 = rf(server, gk)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string, schema.GroupKind) error); ok {
+		r1 = rf(server, gk)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// IterateHierarchy provides a mock function with given fields: server, key, action
+func (_m *LiveStateCache) IterateHierarchy(server string, key kube.ResourceKey, action func(v1alpha1.ResourceNode, string)) error {
+	ret := _m.Called(server, key, action)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(string, kube.ResourceKey, func(v1alpha1.ResourceNode, string)) error); ok {
+		r0 = rf(server, key, action)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// Run provides a mock function with given fields: ctx
+func (_m *LiveStateCache) Run(ctx context.Context) error {
+	ret := _m.Called(ctx)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context) error); ok {
+		r0 = rf(ctx)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}

controller/cache/node.go

@@ -0,0 +1,142 @@
+package cache
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/kube"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+type node struct {
+	resourceVersion string
+	ref             v1.ObjectReference
+	ownerRefs       []metav1.OwnerReference
+	info            []appv1.InfoItem
+	appName         string
+	// available only for root application nodes
+	resource *unstructured.Unstructured
+	// networkingInfo are available only for known types involved into networking: Ingress, Service, Pod
+	networkingInfo *appv1.ResourceNetworkingInfo
+	images         []string
+	health         *appv1.HealthStatus
+}
+
+func (n *node) isRootAppNode() bool {
+	return n.appName != "" && len(n.ownerRefs) == 0
+}
+
+func (n *node) resourceKey() kube.ResourceKey {
+	return kube.NewResourceKey(n.ref.GroupVersionKind().Group, n.ref.Kind, n.ref.Namespace, n.ref.Name)
+}
+
+func (n *node) isParentOf(child *node) bool {
+	for i, ownerRef := range child.ownerRefs {
+
+		// backfill UID of inferred owner child references
+		if ownerRef.UID == "" && n.ref.Kind == ownerRef.Kind && n.ref.APIVersion == ownerRef.APIVersion && n.ref.Name == ownerRef.Name {
+			ownerRef.UID = n.ref.UID
+			child.ownerRefs[i] = ownerRef
+			return true
+		}
+
+		if n.ref.UID == ownerRef.UID {
+			return true
+		}
+	}
+
+	return false
+}
+
+func ownerRefGV(ownerRef metav1.OwnerReference) schema.GroupVersion {
+	gv, err := schema.ParseGroupVersion(ownerRef.APIVersion)
+	if err != nil {
+		gv = schema.GroupVersion{}
+	}
+	return gv
+}
+
+func (n *node) getApp(ns map[kube.ResourceKey]*node) string {
+	return n.getAppRecursive(ns, map[kube.ResourceKey]bool{})
+}
+
+func (n *node) getAppRecursive(ns map[kube.ResourceKey]*node, visited map[kube.ResourceKey]bool) string {
+	if !visited[n.resourceKey()] {
+		visited[n.resourceKey()] = true
+	} else {
+		log.Warnf("Circular dependency detected: %v.", visited)
+		return n.appName
+	}
+
+	if n.appName != "" {
+		return n.appName
+	}
+	for _, ownerRef := range n.ownerRefs {
+		gv := ownerRefGV(ownerRef)
+		if parent, ok := ns[kube.NewResourceKey(gv.Group, ownerRef.Kind, n.ref.Namespace, ownerRef.Name)]; ok {
+			app := parent.getAppRecursive(ns, visited)
+			if app != "" {
+				return app
+			}
+		}
+	}
+	return ""
+}
+
+func newResourceKeySet(set map[kube.ResourceKey]bool, keys ...kube.ResourceKey) map[kube.ResourceKey]bool {
+	newSet := make(map[kube.ResourceKey]bool)
+	for k, v := range set {
+		newSet[k] = v
+	}
+	for i := range keys {
+		newSet[keys[i]] = true
+	}
+	return newSet
+}
+
+func (n *node) asResourceNode() appv1.ResourceNode {
+	gv, err := schema.ParseGroupVersion(n.ref.APIVersion)
+	if err != nil {
+		gv = schema.GroupVersion{}
+	}
+	parentRefs := make([]appv1.ResourceRef, len(n.ownerRefs))
+	for _, ownerRef := range n.ownerRefs {
+		ownerGvk := schema.FromAPIVersionAndKind(ownerRef.APIVersion, ownerRef.Kind)
+		ownerKey := kube.NewResourceKey(ownerGvk.Group, ownerRef.Kind, n.ref.Namespace, ownerRef.Name)
+		parentRefs[0] = appv1.ResourceRef{Name: ownerRef.Name, Kind: ownerKey.Kind, Namespace: n.ref.Namespace, Group: ownerKey.Group, UID: string(ownerRef.UID)}
+	}
+	return appv1.ResourceNode{
+		ResourceRef: appv1.ResourceRef{
+			UID:       string(n.ref.UID),
+			Name:      n.ref.Name,
+			Group:     gv.Group,
+			Version:   gv.Version,
+			Kind:      n.ref.Kind,
+			Namespace: n.ref.Namespace,
+		},
+		ParentRefs:      parentRefs,
+		Info:            n.info,
+		ResourceVersion: n.resourceVersion,
+		NetworkingInfo:  n.networkingInfo,
+		Images:          n.images,
+		Health:          n.health,
+	}
+}
+
+func (n *node) iterateChildren(ns map[kube.ResourceKey]*node, parents map[kube.ResourceKey]bool, action func(child appv1.ResourceNode, appName string)) {
+	for childKey, child := range ns {
+		if n.isParentOf(ns[childKey]) {
+			if parents[childKey] {
+				key := n.resourceKey()
+				log.Warnf("Circular dependency detected. %s is child and parent of %s", childKey.String(), key.String())
+			} else {
+				action(child.asResourceNode(), child.getApp(ns))
+				child.iterateChildren(ns, newResourceKeySet(parents, n.resourceKey()), action)
+			}
+		}
+	}
+}

controller/cache/node_test.go

@@ -0,0 +1,83 @@
+package cache
+
+import (
+	"testing"
+
+	"github.com/argoproj/argo-cd/common"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var c = &clusterInfo{cacheSettingsSrc: func() *cacheSettings {
+	return &cacheSettings{AppInstanceLabelKey: common.LabelKeyAppInstance}
+}}
+
+func TestIsParentOf(t *testing.T) {
+	child := c.createObjInfo(testPod, "")
+	parent := c.createObjInfo(testRS, "")
+	grandParent := c.createObjInfo(testDeploy, "")
+
+	assert.True(t, parent.isParentOf(child))
+	assert.False(t, grandParent.isParentOf(child))
+}
+
+func TestIsParentOfSameKindDifferentGroupAndUID(t *testing.T) {
+	rs := testRS.DeepCopy()
+	rs.SetAPIVersion("somecrd.io/v1")
+	rs.SetUID("123")
+	child := c.createObjInfo(testPod, "")
+	invalidParent := c.createObjInfo(rs, "")
+
+	assert.False(t, invalidParent.isParentOf(child))
+}
+
+func TestIsServiceParentOfEndPointWithTheSameName(t *testing.T) {
+	nonMatchingNameEndPoint := c.createObjInfo(strToUnstructured(`
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: not-matching-name
+  namespace: default
+`), "")
+
+	matchingNameEndPoint := c.createObjInfo(strToUnstructured(`
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: helm-guestbook
+  namespace: default
+`), "")
+
+	parent := c.createObjInfo(testService, "")
+
+	assert.True(t, parent.isParentOf(matchingNameEndPoint))
+	assert.Equal(t, parent.ref.UID, matchingNameEndPoint.ownerRefs[0].UID)
+	assert.False(t, parent.isParentOf(nonMatchingNameEndPoint))
+}
+
+func TestIsServiceAccoountParentOfSecret(t *testing.T) {
+	serviceAccount := c.createObjInfo(strToUnstructured(`
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default
+  namespace: default
+  uid: '123'
+secrets:
+- name: default-token-123
+`), "")
+	tokenSecret := c.createObjInfo(strToUnstructured(`
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: default
+    kubernetes.io/service-account.uid: '123'
+  name: default-token-123
+  namespace: default
+  uid: '345'
+type: kubernetes.io/service-account-token
+`), "")
+
+	assert.True(t, serviceAccount.isParentOf(tokenSecret))
+}

controller/metrics/metrics.go

@@ -0,0 +1,226 @@
+package metrics
+
+import (
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	log "github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/labels"
+
+	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	applister "github.com/argoproj/argo-cd/pkg/client/listers/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/git"
+	"github.com/argoproj/argo-cd/util/healthz"
+)
+
+type MetricsServer struct {
+	*http.Server
+	syncCounter             *prometheus.CounterVec
+	k8sRequestCounter       *prometheus.CounterVec
+	kubectlExecCounter      *prometheus.CounterVec
+	kubectlExecPendingGauge *prometheus.GaugeVec
+	reconcileHistogram      *prometheus.HistogramVec
+}
+
+const (
+	// MetricsPath is the endpoint to collect application metrics
+	MetricsPath = "/metrics"
+)
+
+// Follow Prometheus naming practices
+// https://prometheus.io/docs/practices/naming/
+var (
+	descAppDefaultLabels = []string{"namespace", "name", "project"}
+
+	descAppInfo = prometheus.NewDesc(
+		"argocd_app_info",
+		"Information about application.",
+		append(descAppDefaultLabels, "repo", "dest_server", "dest_namespace"),
+		nil,
+	)
+	descAppCreated = prometheus.NewDesc(
+		"argocd_app_created_time",
+		"Creation time in unix timestamp for an application.",
+		descAppDefaultLabels,
+		nil,
+	)
+	descAppSyncStatusCode = prometheus.NewDesc(
+		"argocd_app_sync_status",
+		"The application current sync status.",
+		append(descAppDefaultLabels, "sync_status"),
+		nil,
+	)
+	descAppHealthStatus = prometheus.NewDesc(
+		"argocd_app_health_status",
+		"The application current health status.",
+		append(descAppDefaultLabels, "health_status"),
+		nil,
+	)
+)
+
+// NewMetricsServer returns a new prometheus server which collects application metrics
+func NewMetricsServer(addr string, appLister applister.ApplicationLister, healthCheck func() error) *MetricsServer {
+	mux := http.NewServeMux()
+	appRegistry := NewAppRegistry(appLister)
+	appRegistry.MustRegister(prometheus.NewProcessCollector(prometheus.ProcessCollectorOpts{}))
+	appRegistry.MustRegister(prometheus.NewGoCollector())
+	mux.Handle(MetricsPath, promhttp.HandlerFor(appRegistry, promhttp.HandlerOpts{}))
+	healthz.ServeHealthCheck(mux, healthCheck)
+
+	syncCounter := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "argocd_app_sync_total",
+			Help: "Number of application syncs.",
+		},
+		append(descAppDefaultLabels, "phase"),
+	)
+	appRegistry.MustRegister(syncCounter)
+	kubectlExecCounter := prometheus.NewCounterVec(prometheus.CounterOpts{
+		Name: "argocd_kubectl_exec_total",
+		Help: "Number of kubectl executions",
+	}, []string{"command"})
+	appRegistry.MustRegister(kubectlExecCounter)
+	kubectlExecPendingGauge := prometheus.NewGaugeVec(prometheus.GaugeOpts{
+		Name: "argocd_kubectl_exec_pending",
+		Help: "Number of pending kubectl executions",
+	}, []string{"command"})
+	appRegistry.MustRegister(kubectlExecPendingGauge)
+	k8sRequestCounter := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "argocd_app_k8s_request_total",
+			Help: "Number of kubernetes requests executed during application reconciliation.",
+		},
+		append(descAppDefaultLabels, "response_code"),
+	)
+	appRegistry.MustRegister(k8sRequestCounter)
+
+	reconcileHistogram := prometheus.NewHistogramVec(
+		prometheus.HistogramOpts{
+			Name: "argocd_app_reconcile",
+			Help: "Application reconciliation performance.",
+			// Buckets chosen after observing a ~2100ms mean reconcile time
+			Buckets: []float64{0.25, .5, 1, 2, 4, 8, 16},
+		},
+		descAppDefaultLabels,
+	)
+
+	appRegistry.MustRegister(reconcileHistogram)
+
+	return &MetricsServer{
+		Server: &http.Server{
+			Addr:    addr,
+			Handler: mux,
+		},
+		syncCounter:             syncCounter,
+		k8sRequestCounter:       k8sRequestCounter,
+		reconcileHistogram:      reconcileHistogram,
+		kubectlExecCounter:      kubectlExecCounter,
+		kubectlExecPendingGauge: kubectlExecPendingGauge,
+	}
+}
+
+// IncSync increments the sync counter for an application
+func (m *MetricsServer) IncSync(app *argoappv1.Application, state *argoappv1.OperationState) {
+	if !state.Phase.Completed() {
+		return
+	}
+	m.syncCounter.WithLabelValues(app.Namespace, app.Name, app.Spec.GetProject(), string(state.Phase)).Inc()
+}
+
+// IncKubernetesRequest increments the kubernetes requests counter for an application
+func (m *MetricsServer) IncKubernetesRequest(app *argoappv1.Application, statusCode int) {
+	m.k8sRequestCounter.WithLabelValues(app.Namespace, app.Name, app.Spec.GetProject(), strconv.Itoa(statusCode)).Inc()
+}
+
+// IncReconcile increments the reconcile counter for an application
+func (m *MetricsServer) IncReconcile(app *argoappv1.Application, duration time.Duration) {
+	m.reconcileHistogram.WithLabelValues(app.Namespace, app.Name, app.Spec.GetProject()).Observe(duration.Seconds())
+}
+
+func (m *MetricsServer) IncKubectlExec(command string) {
+	m.kubectlExecCounter.WithLabelValues(command).Inc()
+}
+
+func (m *MetricsServer) IncKubectlExecPending(command string) {
+	m.kubectlExecPendingGauge.WithLabelValues(command).Inc()
+}
+
+func (m *MetricsServer) DecKubectlExecPending(command string) {
+	m.kubectlExecPendingGauge.WithLabelValues(command).Dec()
+}
+
+type appCollector struct {
+	store applister.ApplicationLister
+}
+
+// NewAppCollector returns a prometheus collector for application metrics
+func NewAppCollector(appLister applister.ApplicationLister) prometheus.Collector {
+	return &appCollector{
+		store: appLister,
+	}
+}
+
+// NewAppRegistry creates a new prometheus registry that collects applications
+func NewAppRegistry(appLister applister.ApplicationLister) *prometheus.Registry {
+	registry := prometheus.NewRegistry()
+	registry.MustRegister(NewAppCollector(appLister))
+	return registry
+}
+
+// Describe implements the prometheus.Collector interface
+func (c *appCollector) Describe(ch chan<- *prometheus.Desc) {
+	ch <- descAppInfo
+	ch <- descAppCreated
+	ch <- descAppSyncStatusCode
+	ch <- descAppHealthStatus
+}
+
+// Collect implements the prometheus.Collector interface
+func (c *appCollector) Collect(ch chan<- prometheus.Metric) {
+	apps, err := c.store.List(labels.NewSelector())
+	if err != nil {
+		log.Warnf("Failed to collect applications: %v", err)
+		return
+	}
+	for _, app := range apps {
+		collectApps(ch, app)
+	}
+}
+
+func boolFloat64(b bool) float64 {
+	if b {
+		return 1
+	}
+	return 0
+}
+
+func collectApps(ch chan<- prometheus.Metric, app *argoappv1.Application) {
+	addConstMetric := func(desc *prometheus.Desc, t prometheus.ValueType, v float64, lv ...string) {
+		project := app.Spec.GetProject()
+		lv = append([]string{app.Namespace, app.Name, project}, lv...)
+		ch <- prometheus.MustNewConstMetric(desc, t, v, lv...)
+	}
+	addGauge := func(desc *prometheus.Desc, v float64, lv ...string) {
+		addConstMetric(desc, prometheus.GaugeValue, v, lv...)
+	}
+
+	addGauge(descAppInfo, 1, git.NormalizeGitURL(app.Spec.Source.RepoURL), app.Spec.Destination.Server, app.Spec.Destination.Namespace)
+
+	addGauge(descAppCreated, float64(app.CreationTimestamp.Unix()))
+
+	syncStatus := app.Status.Sync.Status
+	addGauge(descAppSyncStatusCode, boolFloat64(syncStatus == argoappv1.SyncStatusCodeSynced), string(argoappv1.SyncStatusCodeSynced))
+	addGauge(descAppSyncStatusCode, boolFloat64(syncStatus == argoappv1.SyncStatusCodeOutOfSync), string(argoappv1.SyncStatusCodeOutOfSync))
+	addGauge(descAppSyncStatusCode, boolFloat64(syncStatus == argoappv1.SyncStatusCodeUnknown || syncStatus == ""), string(argoappv1.SyncStatusCodeUnknown))
+
+	healthStatus := app.Status.Health.Status
+	addGauge(descAppHealthStatus, boolFloat64(healthStatus == argoappv1.HealthStatusUnknown || healthStatus == ""), argoappv1.HealthStatusUnknown)
+	addGauge(descAppHealthStatus, boolFloat64(healthStatus == argoappv1.HealthStatusProgressing), argoappv1.HealthStatusProgressing)
+	addGauge(descAppHealthStatus, boolFloat64(healthStatus == argoappv1.HealthStatusSuspended), argoappv1.HealthStatusSuspended)
+	addGauge(descAppHealthStatus, boolFloat64(healthStatus == argoappv1.HealthStatusHealthy), argoappv1.HealthStatusHealthy)
+	addGauge(descAppHealthStatus, boolFloat64(healthStatus == argoappv1.HealthStatusDegraded), argoappv1.HealthStatusDegraded)
+	addGauge(descAppHealthStatus, boolFloat64(healthStatus == argoappv1.HealthStatusMissing), argoappv1.HealthStatusMissing)
+}

controller/metrics/metrics_test.go

@@ -0,0 +1,237 @@
+package metrics
+
+import (
+	"context"
+	"log"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/ghodss/yaml"
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/cache"
+
+	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/fake"
+	appinformer "github.com/argoproj/argo-cd/pkg/client/informers/externalversions"
+	applister "github.com/argoproj/argo-cd/pkg/client/listers/application/v1alpha1"
+)
+
+const fakeApp = `
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: my-app
+  namespace: argocd
+spec:
+  destination:
+    namespace: dummy-namespace
+    server: https://localhost:6443
+  project: important-project
+  source:
+    path: some/path
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+status:
+  sync:
+    status: Synced
+  health:
+    status: Healthy
+`
+
+const expectedResponse = `# HELP argocd_app_created_time Creation time in unix timestamp for an application.
+# TYPE argocd_app_created_time gauge
+argocd_app_created_time{name="my-app",namespace="argocd",project="important-project"} -6.21355968e+10
+# HELP argocd_app_health_status The application current health status.
+# TYPE argocd_app_health_status gauge
+argocd_app_health_status{health_status="Degraded",name="my-app",namespace="argocd",project="important-project"} 0
+argocd_app_health_status{health_status="Healthy",name="my-app",namespace="argocd",project="important-project"} 1
+argocd_app_health_status{health_status="Missing",name="my-app",namespace="argocd",project="important-project"} 0
+argocd_app_health_status{health_status="Progressing",name="my-app",namespace="argocd",project="important-project"} 0
+argocd_app_health_status{health_status="Suspended",name="my-app",namespace="argocd",project="important-project"} 0
+argocd_app_health_status{health_status="Unknown",name="my-app",namespace="argocd",project="important-project"} 0
+# HELP argocd_app_info Information about application.
+# TYPE argocd_app_info gauge
+argocd_app_info{dest_namespace="dummy-namespace",dest_server="https://localhost:6443",name="my-app",namespace="argocd",project="important-project",repo="https://github.com/argoproj/argocd-example-apps"} 1
+# HELP argocd_app_sync_status The application current sync status.
+# TYPE argocd_app_sync_status gauge
+argocd_app_sync_status{name="my-app",namespace="argocd",project="important-project",sync_status="OutOfSync"} 0
+argocd_app_sync_status{name="my-app",namespace="argocd",project="important-project",sync_status="Synced"} 1
+argocd_app_sync_status{name="my-app",namespace="argocd",project="important-project",sync_status="Unknown"} 0
+`
+
+const fakeDefaultApp = `
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: my-app
+  namespace: argocd
+spec:
+  destination:
+    namespace: dummy-namespace
+    server: https://localhost:6443
+  source:
+    path: some/path
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+status:
+  sync:
+    status: Synced
+  health:
+    status: Healthy
+`
+
+const expectedDefaultResponse = `# HELP argocd_app_created_time Creation time in unix timestamp for an application.
+# TYPE argocd_app_created_time gauge
+argocd_app_created_time{name="my-app",namespace="argocd",project="default"} -6.21355968e+10
+# HELP argocd_app_health_status The application current health status.
+# TYPE argocd_app_health_status gauge
+argocd_app_health_status{health_status="Degraded",name="my-app",namespace="argocd",project="default"} 0
+argocd_app_health_status{health_status="Healthy",name="my-app",namespace="argocd",project="default"} 1
+argocd_app_health_status{health_status="Missing",name="my-app",namespace="argocd",project="default"} 0
+argocd_app_health_status{health_status="Progressing",name="my-app",namespace="argocd",project="default"} 0
+argocd_app_health_status{health_status="Suspended",name="my-app",namespace="argocd",project="default"} 0
+argocd_app_health_status{health_status="Unknown",name="my-app",namespace="argocd",project="default"} 0
+# HELP argocd_app_info Information about application.
+# TYPE argocd_app_info gauge
+argocd_app_info{dest_namespace="dummy-namespace",dest_server="https://localhost:6443",name="my-app",namespace="argocd",project="default",repo="https://github.com/argoproj/argocd-example-apps"} 1
+# HELP argocd_app_sync_status The application current sync status.
+# TYPE argocd_app_sync_status gauge
+argocd_app_sync_status{name="my-app",namespace="argocd",project="default",sync_status="OutOfSync"} 0
+argocd_app_sync_status{name="my-app",namespace="argocd",project="default",sync_status="Synced"} 1
+argocd_app_sync_status{name="my-app",namespace="argocd",project="default",sync_status="Unknown"} 0
+`
+
+var noOpHealthCheck = func() error {
+	return nil
+}
+
+func newFakeApp(fakeApp string) *argoappv1.Application {
+	var app argoappv1.Application
+	err := yaml.Unmarshal([]byte(fakeApp), &app)
+	if err != nil {
+		panic(err)
+	}
+	return &app
+}
+
+func newFakeLister(fakeApp ...string) (context.CancelFunc, applister.ApplicationLister) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	var fakeApps []runtime.Object
+	for _, name := range fakeApp {
+		fakeApps = append(fakeApps, newFakeApp(name))
+	}
+	appClientset := appclientset.NewSimpleClientset(fakeApps...)
+	factory := appinformer.NewFilteredSharedInformerFactory(appClientset, 0, "argocd", func(options *metav1.ListOptions) {})
+	appInformer := factory.Argoproj().V1alpha1().Applications().Informer()
+	go appInformer.Run(ctx.Done())
+	if !cache.WaitForCacheSync(ctx.Done(), appInformer.HasSynced) {
+		log.Fatal("Timed out waiting for caches to sync")
+	}
+	return cancel, factory.Argoproj().V1alpha1().Applications().Lister()
+}
+
+func testApp(t *testing.T, fakeApp string, expectedResponse string) {
+	cancel, appLister := newFakeLister(fakeApp)
+	defer cancel()
+	metricsServ := NewMetricsServer("localhost:8082", appLister, noOpHealthCheck)
+	req, err := http.NewRequest("GET", "/metrics", nil)
+	assert.NoError(t, err)
+	rr := httptest.NewRecorder()
+	metricsServ.Handler.ServeHTTP(rr, req)
+	assert.Equal(t, rr.Code, http.StatusOK)
+	body := rr.Body.String()
+	log.Println(body)
+	assertMetricsPrinted(t, expectedResponse, body)
+}
+
+type testCombination struct {
+	application      string
+	expectedResponse string
+}
+
+func TestMetrics(t *testing.T) {
+	combinations := []testCombination{
+		{
+			application:      fakeApp,
+			expectedResponse: expectedResponse,
+		},
+		{
+			application:      fakeDefaultApp,
+			expectedResponse: expectedDefaultResponse,
+		},
+	}
+
+	for _, combination := range combinations {
+		testApp(t, combination.application, combination.expectedResponse)
+	}
+}
+
+const appSyncTotal = `# HELP argocd_app_sync_total Number of application syncs.
+# TYPE argocd_app_sync_total counter
+argocd_app_sync_total{name="my-app",namespace="argocd",phase="Error",project="important-project"} 1
+argocd_app_sync_total{name="my-app",namespace="argocd",phase="Failed",project="important-project"} 1
+argocd_app_sync_total{name="my-app",namespace="argocd",phase="Succeeded",project="important-project"} 2
+`
+
+func TestMetricsSyncCounter(t *testing.T) {
+	cancel, appLister := newFakeLister()
+	defer cancel()
+	metricsServ := NewMetricsServer("localhost:8082", appLister, noOpHealthCheck)
+
+	fakeApp := newFakeApp(fakeApp)
+	metricsServ.IncSync(fakeApp, &argoappv1.OperationState{Phase: argoappv1.OperationRunning})
+	metricsServ.IncSync(fakeApp, &argoappv1.OperationState{Phase: argoappv1.OperationFailed})
+	metricsServ.IncSync(fakeApp, &argoappv1.OperationState{Phase: argoappv1.OperationError})
+	metricsServ.IncSync(fakeApp, &argoappv1.OperationState{Phase: argoappv1.OperationSucceeded})
+	metricsServ.IncSync(fakeApp, &argoappv1.OperationState{Phase: argoappv1.OperationSucceeded})
+
+	req, err := http.NewRequest("GET", "/metrics", nil)
+	assert.NoError(t, err)
+	rr := httptest.NewRecorder()
+	metricsServ.Handler.ServeHTTP(rr, req)
+	assert.Equal(t, rr.Code, http.StatusOK)
+	body := rr.Body.String()
+	log.Println(body)
+	assertMetricsPrinted(t, appSyncTotal, body)
+}
+
+// assertMetricsPrinted asserts every line in the expected lines appears in the body
+func assertMetricsPrinted(t *testing.T, expectedLines, body string) {
+	for _, line := range strings.Split(expectedLines, "\n") {
+		assert.Contains(t, body, line)
+	}
+}
+
+const appReconcileMetrics = `argocd_app_reconcile_bucket{name="my-app",namespace="argocd",project="important-project",le="0.25"} 0
+argocd_app_reconcile_bucket{name="my-app",namespace="argocd",project="important-project",le="0.5"} 0
+argocd_app_reconcile_bucket{name="my-app",namespace="argocd",project="important-project",le="1"} 0
+argocd_app_reconcile_bucket{name="my-app",namespace="argocd",project="important-project",le="2"} 0
+argocd_app_reconcile_bucket{name="my-app",namespace="argocd",project="important-project",le="4"} 0
+argocd_app_reconcile_bucket{name="my-app",namespace="argocd",project="important-project",le="8"} 1
+argocd_app_reconcile_bucket{name="my-app",namespace="argocd",project="important-project",le="16"} 1
+argocd_app_reconcile_bucket{name="my-app",namespace="argocd",project="important-project",le="+Inf"} 1
+argocd_app_reconcile_sum{name="my-app",namespace="argocd",project="important-project"} 5
+argocd_app_reconcile_count{name="my-app",namespace="argocd",project="important-project"} 1
+`
+
+func TestReconcileMetrics(t *testing.T) {
+	cancel, appLister := newFakeLister()
+	defer cancel()
+	metricsServ := NewMetricsServer("localhost:8082", appLister, noOpHealthCheck)
+
+	fakeApp := newFakeApp(fakeApp)
+	metricsServ.IncReconcile(fakeApp, 5*time.Second)
+
+	req, err := http.NewRequest("GET", "/metrics", nil)
+	assert.NoError(t, err)
+	rr := httptest.NewRecorder()
+	metricsServ.Handler.ServeHTTP(rr, req)
+	assert.Equal(t, rr.Code, http.StatusOK)
+	body := rr.Body.String()
+	log.Println(body)
+	assertMetricsPrinted(t, appReconcileMetrics, body)
+}

controller/metrics/transportwrapper.go

@@ -0,0 +1,37 @@
+package metrics
+
+import (
+	"net/http"
+
+	"k8s.io/client-go/rest"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+type metricsRoundTripper struct {
+	roundTripper  http.RoundTripper
+	app           *v1alpha1.Application
+	metricsServer *MetricsServer
+}
+
+func (mrt *metricsRoundTripper) RoundTrip(r *http.Request) (*http.Response, error) {
+	resp, err := mrt.roundTripper.RoundTrip(r)
+	statusCode := 0
+	if resp != nil {
+		statusCode = resp.StatusCode
+	}
+	mrt.metricsServer.IncKubernetesRequest(mrt.app, statusCode)
+	return resp, err
+}
+
+// AddMetricsTransportWrapper adds a transport wrapper which increments 'argocd_app_k8s_request_total' counter on each kubernetes request
+func AddMetricsTransportWrapper(server *MetricsServer, app *v1alpha1.Application, config *rest.Config) *rest.Config {
+	wrap := config.WrapTransport
+	config.WrapTransport = func(rt http.RoundTripper) http.RoundTripper {
+		if wrap != nil {
+			rt = wrap(rt)
+		}
+		return &metricsRoundTripper{roundTripper: rt, metricsServer: server, app: app}
+	}
+	return config
+}

controller/secretcontroller.go

@@ -1,195 +0,0 @@
-package controller
-
-import (
-	"context"
-	"encoding/json"
-	"runtime/debug"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/fields"
-	"k8s.io/apimachinery/pkg/labels"
-	"k8s.io/apimachinery/pkg/selection"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/apimachinery/pkg/util/wait"
-	"k8s.io/client-go/informers"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/cache"
-	"k8s.io/client-go/util/workqueue"
-
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/reposerver"
-	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/git"
-)
-
-type SecretController struct {
-	kubeClient     kubernetes.Interface
-	secretQueue    workqueue.RateLimitingInterface
-	secretInformer cache.SharedIndexInformer
-	repoClientset  reposerver.Clientset
-	namespace      string
-}
-
-func (ctrl *SecretController) Run(ctx context.Context) {
-	go ctrl.secretInformer.Run(ctx.Done())
-	if !cache.WaitForCacheSync(ctx.Done(), ctrl.secretInformer.HasSynced) {
-		log.Error("Timed out waiting for caches to sync")
-		return
-	}
-	go wait.Until(func() {
-		for ctrl.processSecret() {
-		}
-	}, time.Second, ctx.Done())
-}
-
-func (ctrl *SecretController) processSecret() (processNext bool) {
-	secretKey, shutdown := ctrl.secretQueue.Get()
-	if shutdown {
-		processNext = false
-		return
-	} else {
-		processNext = true
-	}
-
-	defer func() {
-		if r := recover(); r != nil {
-			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
-		}
-		ctrl.secretQueue.Done(secretKey)
-	}()
-	obj, exists, err := ctrl.secretInformer.GetIndexer().GetByKey(secretKey.(string))
-	if err != nil {
-		log.Errorf("Failed to get secret '%s' from informer index: %+v", secretKey, err)
-		return
-	}
-	if !exists {
-		// This happens after secret was deleted, but the work queue still had an entry for it.
-		return
-	}
-	secret, ok := obj.(*corev1.Secret)
-	if !ok {
-		log.Warnf("Key '%s' in index is not an secret", secretKey)
-		return
-	}
-
-	if secret.Labels[common.LabelKeySecretType] == common.SecretTypeCluster {
-		cluster := db.SecretToCluster(secret)
-		ctrl.updateState(secret, ctrl.getClusterState(cluster))
-	} else if secret.Labels[common.LabelKeySecretType] == common.SecretTypeRepository {
-		repo := db.SecretToRepo(secret)
-		ctrl.updateState(secret, ctrl.getRepoConnectionState(repo))
-	}
-
-	return
-}
-
-func (ctrl *SecretController) getRepoConnectionState(repo *v1alpha1.Repository) v1alpha1.ConnectionState {
-	state := v1alpha1.ConnectionState{
-		ModifiedAt: repo.ConnectionState.ModifiedAt,
-		Status:     v1alpha1.ConnectionStatusUnknown,
-	}
-	err := git.TestRepo(repo.Repo, repo.Username, repo.Password, repo.SSHPrivateKey)
-	if err == nil {
-		state.Status = v1alpha1.ConnectionStatusSuccessful
-	} else {
-		state.Status = v1alpha1.ConnectionStatusFailed
-		state.Message = err.Error()
-	}
-	return state
-}
-
-func (ctrl *SecretController) getClusterState(cluster *v1alpha1.Cluster) v1alpha1.ConnectionState {
-	state := v1alpha1.ConnectionState{
-		ModifiedAt: cluster.ConnectionState.ModifiedAt,
-		Status:     v1alpha1.ConnectionStatusUnknown,
-	}
-	kubeClientset, err := kubernetes.NewForConfig(cluster.RESTConfig())
-	if err == nil {
-		_, err = kubeClientset.Discovery().ServerVersion()
-	}
-	if err == nil {
-		state.Status = v1alpha1.ConnectionStatusSuccessful
-	} else {
-		state.Status = v1alpha1.ConnectionStatusFailed
-		state.Message = err.Error()
-	}
-
-	return state
-}
-
-func (ctrl *SecretController) updateState(secret *corev1.Secret, state v1alpha1.ConnectionState) {
-	annotationsPatch := make(map[string]string)
-	for key, value := range db.AnnotationsFromConnectionState(&state) {
-		if secret.Annotations[key] != value {
-			annotationsPatch[key] = value
-		}
-	}
-	if len(annotationsPatch) > 0 {
-		annotationsPatch[common.AnnotationConnectionModifiedAt] = metav1.Now().Format(time.RFC3339)
-		patchData, err := json.Marshal(map[string]interface{}{
-			"metadata": map[string]interface{}{
-				"annotations": annotationsPatch,
-			},
-		})
-		if err != nil {
-			log.Warnf("Unable to prepare secret state annotation patch: %v", err)
-		} else {
-			_, err := ctrl.kubeClient.CoreV1().Secrets(secret.Namespace).Patch(secret.Name, types.MergePatchType, patchData)
-			if err != nil {
-				log.Warnf("Unable to patch secret state annotation: %v", err)
-			}
-		}
-	}
-}
-
-func newSecretInformer(client kubernetes.Interface, resyncPeriod time.Duration, namespace string, secretQueue workqueue.RateLimitingInterface) cache.SharedIndexInformer {
-	informerFactory := informers.NewFilteredSharedInformerFactory(
-		client,
-		resyncPeriod,
-		namespace,
-		func(options *metav1.ListOptions) {
-			var req *labels.Requirement
-			req, err := labels.NewRequirement(common.LabelKeySecretType, selection.In, []string{common.SecretTypeCluster, common.SecretTypeRepository})
-			if err != nil {
-				panic(err)
-			}
-
-			options.FieldSelector = fields.Everything().String()
-			labelSelector := labels.NewSelector().Add(*req)
-			options.LabelSelector = labelSelector.String()
-		},
-	)
-	informer := informerFactory.Core().V1().Secrets().Informer()
-	informer.AddEventHandler(
-		cache.ResourceEventHandlerFuncs{
-			AddFunc: func(obj interface{}) {
-				key, err := cache.MetaNamespaceKeyFunc(obj)
-				if err == nil {
-					secretQueue.Add(key)
-				}
-			},
-			UpdateFunc: func(old, new interface{}) {
-				key, err := cache.MetaNamespaceKeyFunc(new)
-				if err == nil {
-					secretQueue.Add(key)
-				}
-			},
-		},
-	)
-	return informer
-}
-
-func NewSecretController(kubeClient kubernetes.Interface, repoClientset reposerver.Clientset, resyncPeriod time.Duration, namespace string) *SecretController {
-	secretQueue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
-	return &SecretController{
-		kubeClient:     kubeClient,
-		secretQueue:    secretQueue,
-		secretInformer: newSecretInformer(kubeClient, resyncPeriod, namespace, secretQueue),
-		namespace:      namespace,
-		repoClientset:  repoClientset,
-	}
-}

controller/state.go

@@ -7,402 +7,508 @@ import (
 	"time"
 
 	log "github.com/sirupsen/logrus"
-	apierr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/discovery"
-	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/tools/cache"
 
 	"github.com/argoproj/argo-cd/common"
+	statecache "github.com/argoproj/argo-cd/controller/cache"
+	"github.com/argoproj/argo-cd/controller/metrics"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/reposerver"
-	"github.com/argoproj/argo-cd/reposerver/repository"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/argo"
 	"github.com/argoproj/argo-cd/util/db"
 	"github.com/argoproj/argo-cd/util/diff"
+	"github.com/argoproj/argo-cd/util/health"
+	hookutil "github.com/argoproj/argo-cd/util/hook"
 	kubeutil "github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/resource"
+	"github.com/argoproj/argo-cd/util/resource/ignore"
+	"github.com/argoproj/argo-cd/util/settings"
 )
 
-const (
-	maxHistoryCnt = 5
-)
+type managedResource struct {
+	Target    *unstructured.Unstructured
+	Live      *unstructured.Unstructured
+	Diff      diff.DiffResult
+	Group     string
+	Version   string
+	Kind      string
+	Namespace string
+	Name      string
+	Hook      bool
+}
+
+func GetLiveObjs(res []managedResource) []*unstructured.Unstructured {
+	objs := make([]*unstructured.Unstructured, len(res))
+	for i := range res {
+		objs[i] = res[i].Live
+	}
+	return objs
+}
+
+type ResourceInfoProvider interface {
+	IsNamespaced(server string, gk schema.GroupKind) (bool, error)
+}
 
 // AppStateManager defines methods which allow to compare application spec and actual application state.
 type AppStateManager interface {
-	CompareAppState(app *v1alpha1.Application, revision string, overrides []v1alpha1.ComponentParameter) (
-		*v1alpha1.ComparisonResult, *repository.ManifestResponse, []v1alpha1.ApplicationCondition, error)
+	CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool, localObjects []string) *comparisonResult
 	SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState)
 }
 
-// appStateManager allows to compare application using KSonnet CLI
+type comparisonResult struct {
+	syncStatus       *v1alpha1.SyncStatus
+	healthStatus     *v1alpha1.HealthStatus
+	resources        []v1alpha1.ResourceStatus
+	managedResources []managedResource
+	hooks            []*unstructured.Unstructured
+	diffNormalizer   diff.Normalizer
+	appSourceType    v1alpha1.ApplicationSourceType
+}
+
+func (cr *comparisonResult) targetObjs() []*unstructured.Unstructured {
+	objs := cr.hooks
+	for _, r := range cr.managedResources {
+		if r.Target != nil {
+			objs = append(objs, r.Target)
+		}
+	}
+	return objs
+}
+
+// appStateManager allows to compare applications to git
 type appStateManager struct {
-	db            db.ArgoDB
-	appclientset  appclientset.Interface
-	kubectl       kubeutil.Kubectl
-	repoClientset reposerver.Clientset
-	namespace     string
+	metricsServer  *metrics.MetricsServer
+	db             db.ArgoDB
+	settingsMgr    *settings.SettingsManager
+	appclientset   appclientset.Interface
+	projInformer   cache.SharedIndexInformer
+	kubectl        kubeutil.Kubectl
+	repoClientset  apiclient.Clientset
+	liveStateCache statecache.LiveStateCache
+	namespace      string
 }
 
-// groupLiveObjects deduplicate list of kubernetes resources and choose correct version of resource: if resource has corresponding expected application resource then method pick
-// kubernetes resource with matching version, otherwise chooses single kubernetes resource with any version
-func groupLiveObjects(liveObjs []*unstructured.Unstructured, targetObjs []*unstructured.Unstructured) map[string]*unstructured.Unstructured {
-	targetByFullName := make(map[string]*unstructured.Unstructured)
-	for _, obj := range targetObjs {
-		targetByFullName[getResourceFullName(obj)] = obj
-	}
-
-	liveListByFullName := make(map[string][]*unstructured.Unstructured)
-	for _, obj := range liveObjs {
-		list := liveListByFullName[getResourceFullName(obj)]
-		if list == nil {
-			list = make([]*unstructured.Unstructured, 0)
-		}
-		list = append(list, obj)
-		liveListByFullName[getResourceFullName(obj)] = list
-	}
-
-	liveByFullName := make(map[string]*unstructured.Unstructured)
-
-	for fullName, list := range liveListByFullName {
-		targetObj := targetByFullName[fullName]
-		var liveObj *unstructured.Unstructured
-		if targetObj != nil {
-			for i := range list {
-				if list[i].GetAPIVersion() == targetObj.GetAPIVersion() {
-					liveObj = list[i]
-					break
-				}
-			}
-		} else {
-			liveObj = list[0]
-		}
-		if liveObj != nil {
-			liveByFullName[getResourceFullName(liveObj)] = liveObj
-		}
-	}
-	return liveByFullName
-}
-
-func (s *appStateManager) getTargetObjs(app *v1alpha1.Application, revision string, overrides []v1alpha1.ComponentParameter) ([]*unstructured.Unstructured, *repository.ManifestResponse, error) {
-	repo := s.getRepo(app.Spec.Source.RepoURL)
-	conn, repoClient, err := s.repoClientset.NewRepositoryClient()
+func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1.ApplicationSource, appLabelKey, revision string, noCache bool) ([]*unstructured.Unstructured, []*unstructured.Unstructured, *apiclient.ManifestResponse, error) {
+	helmRepos, err := m.db.ListHelmRepositories(context.Background())
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
+	}
+	repo, err := m.db.GetRepository(context.Background(), source.RepoURL)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	conn, repoClient, err := m.repoClientset.NewRepoServerClient()
+	if err != nil {
+		return nil, nil, nil, err
 	}
 	defer util.Close(conn)
 
 	if revision == "" {
-		revision = app.Spec.Source.TargetRevision
+		revision = source.TargetRevision
 	}
 
-	// Decide what overrides to compare with.
-	var mfReqOverrides []*v1alpha1.ComponentParameter
-	if overrides != nil {
-		// If overrides is supplied, use that
-		mfReqOverrides = make([]*v1alpha1.ComponentParameter, len(overrides))
-		for i := range overrides {
-			item := overrides[i]
-			mfReqOverrides[i] = &item
-		}
-	} else {
-		// Otherwise, use the overrides in the app spec
-		mfReqOverrides = make([]*v1alpha1.ComponentParameter, len(app.Spec.Source.ComponentParameterOverrides))
-		for i := range app.Spec.Source.ComponentParameterOverrides {
-			item := app.Spec.Source.ComponentParameterOverrides[i]
-			mfReqOverrides[i] = &item
-		}
+	plugins, err := m.settingsMgr.GetConfigManagementPlugins()
+	if err != nil {
+		return nil, nil, nil, err
 	}
 
-	manifestInfo, err := repoClient.GenerateManifest(context.Background(), &repository.ManifestRequest{
-		Repo:                        repo,
-		Environment:                 app.Spec.Source.Environment,
-		Path:                        app.Spec.Source.Path,
-		Revision:                    revision,
-		ComponentParameterOverrides: mfReqOverrides,
-		AppLabel:                    app.Name,
-		ValueFiles:                  app.Spec.Source.ValuesFiles,
-		Namespace:                   app.Spec.Destination.Namespace,
+	tools := make([]*appv1.ConfigManagementPlugin, len(plugins))
+	for i := range plugins {
+		tools[i] = &plugins[i]
+	}
+
+	buildOptions, err := m.settingsMgr.GetKustomizeBuildOptions()
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	cluster, err := m.db.GetCluster(context.Background(), app.Spec.Destination.Server)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	cluster.ServerVersion, err = m.kubectl.GetServerVersion(cluster.RESTConfig())
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	manifestInfo, err := repoClient.GenerateManifest(context.Background(), &apiclient.ManifestRequest{
+		Repo:              repo,
+		Repos:             helmRepos,
+		Revision:          revision,
+		NoCache:           noCache,
+		AppLabelKey:       appLabelKey,
+		AppLabelValue:     app.Name,
+		Namespace:         app.Spec.Destination.Namespace,
+		ApplicationSource: &source,
+		Plugins:           tools,
+		KustomizeOptions: &appv1.KustomizeOptions{
+			BuildOptions: buildOptions,
+		},
+		KubeVersion: cluster.ServerVersion,
 	})
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
+	targetObjs, hooks, err := unmarshalManifests(manifestInfo.Manifests)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return targetObjs, hooks, manifestInfo, nil
+}
 
+func unmarshalManifests(manifests []string) ([]*unstructured.Unstructured, []*unstructured.Unstructured, error) {
 	targetObjs := make([]*unstructured.Unstructured, 0)
-	for _, manifest := range manifestInfo.Manifests {
+	hooks := make([]*unstructured.Unstructured, 0)
+	for _, manifest := range manifests {
 		obj, err := v1alpha1.UnmarshalToUnstructured(manifest)
 		if err != nil {
 			return nil, nil, err
 		}
-		if isHook(obj) {
+		if ignore.Ignore(obj) {
 			continue
 		}
-		targetObjs = append(targetObjs, obj)
+		if hookutil.IsHook(obj) {
+			hooks = append(hooks, obj)
+		} else {
+			targetObjs = append(targetObjs, obj)
+		}
 	}
-	return targetObjs, manifestInfo, nil
+	return targetObjs, hooks, nil
 }
 
-func (s *appStateManager) getLiveObjs(app *v1alpha1.Application, targetObjs []*unstructured.Unstructured) (
-	[]*unstructured.Unstructured, map[string]*unstructured.Unstructured, error) {
+func DeduplicateTargetObjects(
+	server string,
+	namespace string,
+	objs []*unstructured.Unstructured,
+	infoProvider ResourceInfoProvider,
+) ([]*unstructured.Unstructured, []v1alpha1.ApplicationCondition, error) {
 
-	// Get the REST config for the cluster corresponding to the environment
-	clst, err := s.db.GetCluster(context.Background(), app.Spec.Destination.Server)
-	if err != nil {
-		return nil, nil, err
-	}
-	restConfig := clst.RESTConfig()
-
-	// Retrieve the live versions of the objects. exclude any hook objects
-	labeledObjs, err := kubeutil.GetResourcesWithLabel(restConfig, app.Spec.Destination.Namespace, common.LabelApplicationName, app.Name)
-	if err != nil {
-		return nil, nil, err
-	}
-	liveObjs := make([]*unstructured.Unstructured, 0)
-	for _, obj := range labeledObjs {
-		if isHook(obj) {
-			continue
+	targetByKey := make(map[kubeutil.ResourceKey][]*unstructured.Unstructured)
+	for i := range objs {
+		obj := objs[i]
+		isNamespaced, err := infoProvider.IsNamespaced(server, obj.GroupVersionKind().GroupKind())
+		if err != nil {
+			return objs, nil, err
 		}
-		liveObjs = append(liveObjs, obj)
+		if !isNamespaced {
+			obj.SetNamespace("")
+		} else if obj.GetNamespace() == "" {
+			obj.SetNamespace(namespace)
+		}
+		key := kubeutil.GetResourceKey(obj)
+		targetByKey[key] = append(targetByKey[key], obj)
+	}
+	conditions := make([]v1alpha1.ApplicationCondition, 0)
+	result := make([]*unstructured.Unstructured, 0)
+	for key, targets := range targetByKey {
+		if len(targets) > 1 {
+			conditions = append(conditions, appv1.ApplicationCondition{
+				Type:    appv1.ApplicationConditionRepeatedResourceWarning,
+				Message: fmt.Sprintf("Resource %s appeared %d times among application resources.", key.String(), len(targets)),
+			})
+		}
+		result = append(result, targets[len(targets)-1])
 	}
 
-	liveObjByFullName := groupLiveObjects(liveObjs, targetObjs)
+	return result, conditions, nil
+}
 
-	controlledLiveObj := make([]*unstructured.Unstructured, len(targetObjs))
-
-	// Move live resources which have corresponding target object to controlledLiveObj
-	dynClientPool := dynamic.NewDynamicClientPool(restConfig)
-	disco, err := discovery.NewDiscoveryClientForConfig(restConfig)
-	if err != nil {
-		return nil, nil, err
+// dedupLiveResources handles removes live resource duplicates with the same UID. Duplicates are created in a separate resource groups.
+// E.g. apps/Deployment produces duplicate in extensions/Deployment, authorization.openshift.io/ClusterRole produces duplicate in rbac.authorization.k8s.io/ClusterRole etc.
+// The method removes such duplicates unless it was defined in git ( exists in target resources list ). At least one duplicate stays.
+// If non of duplicates are in git at random one stays
+func dedupLiveResources(targetObjs []*unstructured.Unstructured, liveObjsByKey map[kubeutil.ResourceKey]*unstructured.Unstructured) {
+	targetObjByKey := make(map[kubeutil.ResourceKey]*unstructured.Unstructured)
+	for i := range targetObjs {
+		targetObjByKey[kubeutil.GetResourceKey(targetObjs[i])] = targetObjs[i]
 	}
-	for i, targetObj := range targetObjs {
-		fullName := getResourceFullName(targetObj)
-		liveObj := liveObjByFullName[fullName]
-		if liveObj == nil && targetObj.GetName() != "" {
-			// If we get here, it indicates we did not find the live resource when querying using
-			// our app label. However, it is possible that the resource was created/modified outside
-			// of ArgoCD. In order to determine that it is truly missing, we fall back to perform a
-			// direct lookup of the resource by name. See issue #141
-			gvk := targetObj.GroupVersionKind()
-			dclient, err := dynClientPool.ClientForGroupVersionKind(gvk)
-			if err != nil {
-				return nil, nil, err
-			}
-			apiResource, err := kubeutil.ServerResourceForGroupVersionKind(disco, gvk)
-			if err != nil {
-				if !apierr.IsNotFound(err) {
-					return nil, nil, err
-				}
-				// If we get here, the app is comprised of a custom resource which has yet to be registered
-			} else {
-				liveObj, err = kubeutil.GetLiveResource(dclient, targetObj, apiResource, app.Spec.Destination.Namespace)
-				if err != nil {
-					return nil, nil, err
+	liveObjsById := make(map[types.UID][]*unstructured.Unstructured)
+	for k := range liveObjsByKey {
+		obj := liveObjsByKey[k]
+		if obj != nil {
+			liveObjsById[obj.GetUID()] = append(liveObjsById[obj.GetUID()], obj)
+		}
+	}
+	for id := range liveObjsById {
+		objs := liveObjsById[id]
+
+		if len(objs) > 1 {
+			duplicatesLeft := len(objs)
+			for i := range objs {
+				obj := objs[i]
+				resourceKey := kubeutil.GetResourceKey(obj)
+				if _, ok := targetObjByKey[resourceKey]; !ok {
+					delete(liveObjsByKey, resourceKey)
+					duplicatesLeft--
+					if duplicatesLeft == 1 {
+						break
+					}
 				}
 			}
 		}
-		controlledLiveObj[i] = liveObj
-		delete(liveObjByFullName, fullName)
 	}
-	return controlledLiveObj, liveObjByFullName, nil
+}
+
+func (m *appStateManager) getComparisonSettings(app *appv1.Application) (string, map[string]v1alpha1.ResourceOverride, diff.Normalizer, error) {
+	resourceOverrides, err := m.settingsMgr.GetResourceOverrides()
+	if err != nil {
+		return "", nil, nil, err
+	}
+	appLabelKey, err := m.settingsMgr.GetAppInstanceLabelKey()
+	if err != nil {
+		return "", nil, nil, err
+	}
+	diffNormalizer, err := argo.NewDiffNormalizer(app.Spec.IgnoreDifferences, resourceOverrides)
+	if err != nil {
+		return "", nil, nil, err
+	}
+	return appLabelKey, resourceOverrides, diffNormalizer, nil
 }
 
 // CompareAppState compares application git state to the live app state, using the specified
-// revision and supplied overrides. If revision or overrides are empty, then compares against
+// revision and supplied source. If revision or overrides are empty, then compares against
 // revision and overrides in the app spec.
-func (s *appStateManager) CompareAppState(app *v1alpha1.Application, revision string, overrides []v1alpha1.ComponentParameter) (
-	*v1alpha1.ComparisonResult, *repository.ManifestResponse, []v1alpha1.ApplicationCondition, error) {
+func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool, localManifests []string) *comparisonResult {
+	appLabelKey, resourceOverrides, diffNormalizer, err := m.getComparisonSettings(app)
 
+	// return unknown comparison result if basic comparison settings cannot be loaded
+	if err != nil {
+		return &comparisonResult{
+			syncStatus: &v1alpha1.SyncStatus{
+				ComparedTo: appv1.ComparedTo{Source: source, Destination: app.Spec.Destination},
+				Status:     appv1.SyncStatusCodeUnknown,
+			},
+			healthStatus: &appv1.HealthStatus{Status: appv1.HealthStatusUnknown},
+		}
+	}
+
+	// do best effort loading live and target state to present as much information about app state as possible
 	failedToLoadObjs := false
 	conditions := make([]v1alpha1.ApplicationCondition, 0)
-	targetObjs, manifestInfo, err := s.getTargetObjs(app, revision, overrides)
-	if err != nil {
-		targetObjs = make([]*unstructured.Unstructured, 0)
-		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
-		failedToLoadObjs = true
+
+	logCtx := log.WithField("application", app.Name)
+	logCtx.Infof("Comparing app state (cluster: %s, namespace: %s)", app.Spec.Destination.Server, app.Spec.Destination.Namespace)
+
+	var targetObjs []*unstructured.Unstructured
+	var hooks []*unstructured.Unstructured
+	var manifestInfo *apiclient.ManifestResponse
+
+	if len(localManifests) == 0 {
+		targetObjs, hooks, manifestInfo, err = m.getRepoObjs(app, source, appLabelKey, revision, noCache)
+		if err != nil {
+			targetObjs = make([]*unstructured.Unstructured, 0)
+			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
+			failedToLoadObjs = true
+		}
+	} else {
+		targetObjs, hooks, err = unmarshalManifests(localManifests)
+		if err != nil {
+			targetObjs = make([]*unstructured.Unstructured, 0)
+			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
+			failedToLoadObjs = true
+		}
+		manifestInfo = nil
 	}
 
-	controlledLiveObj, liveObjByFullName, err := s.getLiveObjs(app, targetObjs)
+	targetObjs, dedupConditions, err := DeduplicateTargetObjects(app.Spec.Destination.Server, app.Spec.Destination.Namespace, targetObjs, m.liveStateCache)
 	if err != nil {
-		controlledLiveObj = make([]*unstructured.Unstructured, len(targetObjs))
-		liveObjByFullName = make(map[string]*unstructured.Unstructured)
 		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
-		failedToLoadObjs = true
 	}
+	conditions = append(conditions, dedupConditions...)
 
-	for _, liveObj := range controlledLiveObj {
-		if liveObj != nil && liveObj.GetLabels() != nil {
-			if appLabelVal, ok := liveObj.GetLabels()[common.LabelApplicationName]; ok && appLabelVal != "" && appLabelVal != app.Name {
+	resFilter, err := m.settingsMgr.GetResourcesFilter()
+	if err != nil {
+		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
+	} else {
+		for i := len(targetObjs) - 1; i >= 0; i-- {
+			targetObj := targetObjs[i]
+			gvk := targetObj.GroupVersionKind()
+			if resFilter.IsExcludedResource(gvk.Group, gvk.Kind, app.Spec.Destination.Server) {
+				targetObjs = append(targetObjs[:i], targetObjs[i+1:]...)
 				conditions = append(conditions, v1alpha1.ApplicationCondition{
-					Type:    v1alpha1.ApplicationConditionSharedResourceWarning,
-					Message: fmt.Sprintf("Resource %s/%s is controller by applications '%s' and '%s'", liveObj.GetKind(), liveObj.GetName(), app.Name, appLabelVal),
+					Type:    v1alpha1.ApplicationConditionExcludedResourceWarning,
+					Message: fmt.Sprintf("Resource %s/%s %s is excluded in the settings", gvk.Group, gvk.Kind, targetObj.GetName()),
 				})
 			}
 		}
 	}
 
-	// Move root level live resources to controlledLiveObj and add nil to targetObjs to indicate that target object is missing
-	for fullName := range liveObjByFullName {
-		liveObj := liveObjByFullName[fullName]
-		if !hasParent(liveObj) {
-			targetObjs = append(targetObjs, nil)
-			controlledLiveObj = append(controlledLiveObj, liveObj)
+	logCtx.Debugf("Generated config manifests")
+	liveObjByKey, err := m.liveStateCache.GetManagedLiveObjs(app, targetObjs)
+	dedupLiveResources(targetObjs, liveObjByKey)
+	if err != nil {
+		liveObjByKey = make(map[kubeutil.ResourceKey]*unstructured.Unstructured)
+		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
+		failedToLoadObjs = true
+	}
+	logCtx.Debugf("Retrieved lived manifests")
+	for _, liveObj := range liveObjByKey {
+		if liveObj != nil {
+			appInstanceName := kubeutil.GetAppInstanceLabel(liveObj, appLabelKey)
+			if appInstanceName != "" && appInstanceName != app.Name {
+				conditions = append(conditions, v1alpha1.ApplicationCondition{
+					Type:    v1alpha1.ApplicationConditionSharedResourceWarning,
+					Message: fmt.Sprintf("%s/%s is part of a different application: %s", liveObj.GetKind(), liveObj.GetName(), appInstanceName),
+				})
+			}
 		}
 	}
 
-	log.Infof("Comparing app %s state in cluster %s (namespace: %s)", app.ObjectMeta.Name, app.Spec.Destination.Server, app.Spec.Destination.Namespace)
+	managedLiveObj := make([]*unstructured.Unstructured, len(targetObjs))
+	for i, obj := range targetObjs {
+		gvk := obj.GroupVersionKind()
+		ns := util.FirstNonEmpty(obj.GetNamespace(), app.Spec.Destination.Namespace)
+		if namespaced, err := m.liveStateCache.IsNamespaced(app.Spec.Destination.Server, obj.GroupVersionKind().GroupKind()); err == nil && !namespaced {
+			ns = ""
+		}
+		key := kubeutil.NewResourceKey(gvk.Group, gvk.Kind, ns, obj.GetName())
+		if liveObj, ok := liveObjByKey[key]; ok {
+			managedLiveObj[i] = liveObj
+			delete(liveObjByKey, key)
+		} else {
+			managedLiveObj[i] = nil
+		}
+	}
+	logCtx.Debugf("built managed objects list")
+	// Everything remaining in liveObjByKey are "extra" resources that aren't tracked in git.
+	// The following adds all the extras to the managedLiveObj list and backfills the targetObj
+	// list with nils, so that the lists are of equal lengths for comparison purposes.
+	for _, obj := range liveObjByKey {
+		targetObjs = append(targetObjs, nil)
+		managedLiveObj = append(managedLiveObj, obj)
+	}
 
 	// Do the actual comparison
-	diffResults, err := diff.DiffArray(targetObjs, controlledLiveObj)
+	diffResults, err := diff.DiffArray(targetObjs, managedLiveObj, diffNormalizer)
 	if err != nil {
-		return nil, nil, nil, err
+		diffResults = &diff.DiffResultList{}
+		failedToLoadObjs = true
+		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
 	}
 
-	comparisonStatus := v1alpha1.ComparisonStatusSynced
-
-	resources := make([]v1alpha1.ResourceState, len(targetObjs))
-	for i := 0; i < len(targetObjs); i++ {
-		resState := v1alpha1.ResourceState{
-			ChildLiveResources: make([]v1alpha1.ResourceNode, 0),
+	syncCode := v1alpha1.SyncStatusCodeSynced
+	managedResources := make([]managedResource, len(targetObjs))
+	resourceSummaries := make([]v1alpha1.ResourceStatus, len(targetObjs))
+	for i, targetObj := range targetObjs {
+		liveObj := managedLiveObj[i]
+		obj := liveObj
+		if obj == nil {
+			obj = targetObj
 		}
+		if obj == nil {
+			continue
+		}
+		gvk := obj.GroupVersionKind()
+
+		resState := v1alpha1.ResourceStatus{
+			Namespace:       obj.GetNamespace(),
+			Name:            obj.GetName(),
+			Kind:            gvk.Kind,
+			Version:         gvk.Version,
+			Group:           gvk.Group,
+			Hook:            hookutil.IsHook(obj),
+			RequiresPruning: targetObj == nil && liveObj != nil,
+		}
+
 		diffResult := diffResults.Diffs[i]
-		if diffResult.Modified {
-			// Set resource state to 'OutOfSync' since target and corresponding live resource are different
-			resState.Status = v1alpha1.ComparisonStatusOutOfSync
-			comparisonStatus = v1alpha1.ComparisonStatusOutOfSync
-		} else {
-			resState.Status = v1alpha1.ComparisonStatusSynced
-		}
-
-		if targetObjs[i] == nil {
-			resState.TargetState = "null"
-			// Set resource state to 'OutOfSync' since target resource is missing and live resource is unexpected
-			resState.Status = v1alpha1.ComparisonStatusOutOfSync
-			comparisonStatus = v1alpha1.ComparisonStatusOutOfSync
-		} else {
-			targetObjBytes, err := json.Marshal(targetObjs[i].Object)
-			if err != nil {
-				return nil, nil, nil, err
+		if resState.Hook || ignore.Ignore(obj) {
+			// For resource hooks, don't store sync status, and do not affect overall sync status
+		} else if diffResult.Modified || targetObj == nil || liveObj == nil {
+			// Set resource state to OutOfSync since one of the following is true:
+			// * target and live resource are different
+			// * target resource not defined and live resource is extra
+			// * target resource present but live resource is missing
+			resState.Status = v1alpha1.SyncStatusCodeOutOfSync
+			// we ignore the status if the obj needs pruning AND we have the annotation
+			needsPruning := targetObj == nil && liveObj != nil
+			if !(needsPruning && resource.HasAnnotationOption(obj, common.AnnotationCompareOptions, "IgnoreExtraneous")) {
+				syncCode = v1alpha1.SyncStatusCodeOutOfSync
 			}
-			resState.TargetState = string(targetObjBytes)
-		}
-
-		if controlledLiveObj[i] == nil {
-			resState.LiveState = "null"
-			// Set resource state to 'OutOfSync' since target resource present but corresponding live resource is missing
-			resState.Status = v1alpha1.ComparisonStatusOutOfSync
-			comparisonStatus = v1alpha1.ComparisonStatusOutOfSync
 		} else {
-			liveObjBytes, err := json.Marshal(controlledLiveObj[i].Object)
-			if err != nil {
-				return nil, nil, nil, err
-			}
-			resState.LiveState = string(liveObjBytes)
+			resState.Status = v1alpha1.SyncStatusCodeSynced
 		}
-
-		resources[i] = resState
+		// we can't say anything about the status if we were unable to get the target objects
+		if failedToLoadObjs {
+			resState.Status = v1alpha1.SyncStatusCodeUnknown
+		}
+		managedResources[i] = managedResource{
+			Name:      resState.Name,
+			Namespace: resState.Namespace,
+			Group:     resState.Group,
+			Kind:      resState.Kind,
+			Version:   resState.Version,
+			Live:      liveObj,
+			Target:    targetObj,
+			Diff:      diffResult,
+			Hook:      resState.Hook,
+		}
+		resourceSummaries[i] = resState
 	}
 
-	for i, resource := range resources {
-		liveResource := controlledLiveObj[i]
-		if liveResource != nil {
-			childResources, err := getChildren(liveResource, liveObjByFullName)
-			if err != nil {
-				return nil, nil, nil, err
-			}
-			resource.ChildLiveResources = childResources
-			resources[i] = resource
-		}
-	}
 	if failedToLoadObjs {
-		comparisonStatus = v1alpha1.ComparisonStatusUnknown
+		syncCode = v1alpha1.SyncStatusCodeUnknown
 	}
-	compResult := v1alpha1.ComparisonResult{
-		ComparedTo: app.Spec.Source,
-		ComparedAt: metav1.Time{Time: time.Now().UTC()},
-		Resources:  resources,
-		Status:     comparisonStatus,
+	syncStatus := v1alpha1.SyncStatus{
+		ComparedTo: appv1.ComparedTo{
+			Source:      source,
+			Destination: app.Spec.Destination,
+		},
+		Status: syncCode,
 	}
-
 	if manifestInfo != nil {
-		compResult.Revision = manifestInfo.Revision
+		syncStatus.Revision = manifestInfo.Revision
 	}
-	return &compResult, manifestInfo, conditions, nil
-}
 
-func hasParent(obj *unstructured.Unstructured) bool {
-	// TODO: remove special case after Service and Endpoint get explicit relationship ( https://github.com/kubernetes/kubernetes/issues/28483 )
-	return obj.GetKind() == kubeutil.EndpointsKind || metav1.GetControllerOf(obj) != nil
-}
+	healthStatus, err := health.SetApplicationHealth(resourceSummaries, GetLiveObjs(managedResources), resourceOverrides, func(obj *unstructured.Unstructured) bool {
+		return !isSelfReferencedApp(app, kubeutil.GetObjectRef(obj))
+	})
 
-func isControlledBy(obj *unstructured.Unstructured, parent *unstructured.Unstructured) bool {
-	// TODO: remove special case after Service and Endpoint get explicit relationship ( https://github.com/kubernetes/kubernetes/issues/28483 )
-	if obj.GetKind() == kubeutil.EndpointsKind && parent.GetKind() == kubeutil.ServiceKind {
-		return obj.GetName() == parent.GetName()
-	}
-	return metav1.IsControlledBy(obj, parent)
-}
-
-func getChildren(parent *unstructured.Unstructured, liveObjByFullName map[string]*unstructured.Unstructured) ([]v1alpha1.ResourceNode, error) {
-	children := make([]v1alpha1.ResourceNode, 0)
-	for fullName, obj := range liveObjByFullName {
-		if isControlledBy(obj, parent) {
-			delete(liveObjByFullName, fullName)
-			childResource := v1alpha1.ResourceNode{}
-			json, err := json.Marshal(obj)
-			if err != nil {
-				return nil, err
-			}
-			childResource.State = string(json)
-			childResourceChildren, err := getChildren(obj, liveObjByFullName)
-			if err != nil {
-				return nil, err
-			}
-			childResource.Children = childResourceChildren
-			children = append(children, childResource)
-		}
-	}
-	return children, nil
-}
-
-func getResourceFullName(obj *unstructured.Unstructured) string {
-	return fmt.Sprintf("%s:%s", obj.GetKind(), obj.GetName())
-}
-
-func (s *appStateManager) getRepo(repoURL string) *v1alpha1.Repository {
-	repo, err := s.db.GetRepository(context.Background(), repoURL)
 	if err != nil {
-		// If we couldn't retrieve from the repo service, assume public repositories
-		repo = &v1alpha1.Repository{Repo: repoURL}
+		conditions = append(conditions, appv1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
 	}
-	return repo
+
+	compRes := comparisonResult{
+		syncStatus:       &syncStatus,
+		healthStatus:     healthStatus,
+		resources:        resourceSummaries,
+		managedResources: managedResources,
+		hooks:            hooks,
+		diffNormalizer:   diffNormalizer,
+	}
+	if manifestInfo != nil {
+		compRes.appSourceType = v1alpha1.ApplicationSourceType(manifestInfo.SourceType)
+	}
+	app.Status.SetConditions(conditions, map[appv1.ApplicationConditionType]bool{
+		appv1.ApplicationConditionComparisonError:         true,
+		appv1.ApplicationConditionSharedResourceWarning:   true,
+		appv1.ApplicationConditionRepeatedResourceWarning: true,
+		appv1.ApplicationConditionExcludedResourceWarning: true,
+	})
+	return &compRes
 }
 
-func (s *appStateManager) persistDeploymentInfo(
-	app *v1alpha1.Application, revision string, envParams []*v1alpha1.ComponentParameter, overrides *[]v1alpha1.ComponentParameter) error {
-
-	params := make([]v1alpha1.ComponentParameter, len(envParams))
-	for i := range envParams {
-		param := *envParams[i]
-		params[i] = param
-	}
-	var nextID int64 = 0
+func (m *appStateManager) persistRevisionHistory(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource) error {
+	var nextID int64
 	if len(app.Status.History) > 0 {
 		nextID = app.Status.History[len(app.Status.History)-1].ID + 1
 	}
-	history := append(app.Status.History, v1alpha1.DeploymentInfo{
-		ComponentParameterOverrides: app.Spec.Source.ComponentParameterOverrides,
-		Revision:                    revision,
-		DeployedAt:                  metav1.NewTime(time.Now().UTC()),
-		ID:                          nextID,
+	history := append(app.Status.History, v1alpha1.RevisionHistory{
+		Revision:   revision,
+		DeployedAt: metav1.NewTime(time.Now().UTC()),
+		ID:         nextID,
+		Source:     source,
 	})
 
-	if len(history) > maxHistoryCnt {
-		history = history[1 : maxHistoryCnt+1]
+	if len(history) > common.RevisionHistoryLimit {
+		history = history[1 : common.RevisionHistoryLimit+1]
 	}
 
-	patch, err := json.Marshal(map[string]map[string][]v1alpha1.DeploymentInfo{
+	patch, err := json.Marshal(map[string]map[string][]v1alpha1.RevisionHistory{
 		"status": {
 			"history": history,
 		},
@@ -410,7 +516,7 @@ func (s *appStateManager) persistDeploymentInfo(
 	if err != nil {
 		return err
 	}
-	_, err = s.appclientset.ArgoprojV1alpha1().Applications(s.namespace).Patch(app.Name, types.MergePatchType, patch)
+	_, err = m.appclientset.ArgoprojV1alpha1().Applications(m.namespace).Patch(app.Name, types.MergePatchType, patch)
 	return err
 }
 
@@ -418,15 +524,23 @@ func (s *appStateManager) persistDeploymentInfo(
 func NewAppStateManager(
 	db db.ArgoDB,
 	appclientset appclientset.Interface,
-	repoClientset reposerver.Clientset,
+	repoClientset apiclient.Clientset,
 	namespace string,
 	kubectl kubeutil.Kubectl,
+	settingsMgr *settings.SettingsManager,
+	liveStateCache statecache.LiveStateCache,
+	projInformer cache.SharedIndexInformer,
+	metricsServer *metrics.MetricsServer,
 ) AppStateManager {
 	return &appStateManager{
-		db:            db,
-		appclientset:  appclientset,
-		kubectl:       kubectl,
-		repoClientset: repoClientset,
-		namespace:     namespace,
+		liveStateCache: liveStateCache,
+		db:             db,
+		appclientset:   appclientset,
+		kubectl:        kubectl,
+		repoClientset:  repoClientset,
+		namespace:      namespace,
+		settingsMgr:    settingsMgr,
+		projInformer:   projInformer,
+		metricsServer:  metricsServer,
 	}
 }

controller/state_test.go

@@ -1,52 +1,393 @@
 package controller
 
 import (
+	"encoding/json"
 	"testing"
 
-	"github.com/ghodss/yaml"
 	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/apps/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	"github.com/argoproj/argo-cd/common"
+	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/test"
+	"github.com/argoproj/argo-cd/util/kube"
 )
 
-var podManifest = []byte(`
-apiVersion: v1
-kind: Pod
-metadata:
-  name: my-pod
-spec:
-  containers:
-  - image: nginx:1.7.9
-    name: nginx
-    resources:
-      requests:
-        cpu: 0.2
-`)
-
-func newPod() *unstructured.Unstructured {
-	var un unstructured.Unstructured
-	err := yaml.Unmarshal(podManifest, &un)
-	if err != nil {
-		panic(err)
+// TestCompareAppStateEmpty tests comparison when both git and live have no objects
+func TestCompareAppStateEmpty(t *testing.T) {
+	app := newFakeApp()
+	data := fakeData{
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
-	return &un
+	ctrl := newFakeController(&data)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+	assert.NotNil(t, compRes)
+	assert.NotNil(t, compRes.syncStatus)
+	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
+	assert.Len(t, compRes.resources, 0)
+	assert.Len(t, compRes.managedResources, 0)
+	assert.Len(t, app.Status.Conditions, 0)
 }
 
-func TestIsHook(t *testing.T) {
-	pod := newPod()
-	assert.False(t, isHook(pod))
-
-	pod.SetAnnotations(map[string]string{"helm.sh/hook": "post-install"})
-	assert.True(t, isHook(pod))
-
-	pod = newPod()
-	pod.SetAnnotations(map[string]string{"argocd.argoproj.io/hook": "PreSync"})
-	assert.True(t, isHook(pod))
-
-	pod = newPod()
-	pod.SetAnnotations(map[string]string{"argocd.argoproj.io/hook": "Skip"})
-	assert.False(t, isHook(pod))
-
-	pod = newPod()
-	pod.SetAnnotations(map[string]string{"argocd.argoproj.io/hook": "Unknown"})
-	assert.False(t, isHook(pod))
+// TestCompareAppStateMissing tests when there is a manifest defined in the repo which doesn't exist in live
+func TestCompareAppStateMissing(t *testing.T) {
+	app := newFakeApp()
+	data := fakeData{
+		apps: []runtime.Object{app},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{string(test.PodManifest)},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	}
+	ctrl := newFakeController(&data)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+	assert.NotNil(t, compRes)
+	assert.NotNil(t, compRes.syncStatus)
+	assert.Equal(t, argoappv1.SyncStatusCodeOutOfSync, compRes.syncStatus.Status)
+	assert.Len(t, compRes.resources, 1)
+	assert.Len(t, compRes.managedResources, 1)
+	assert.Len(t, app.Status.Conditions, 0)
+}
+
+// TestCompareAppStateExtra tests when there is an extra object in live but not defined in git
+func TestCompareAppStateExtra(t *testing.T) {
+	pod := test.NewPod()
+	pod.SetNamespace(test.FakeDestNamespace)
+	app := newFakeApp()
+	key := kube.ResourceKey{Group: "", Kind: "Pod", Namespace: test.FakeDestNamespace, Name: app.Name}
+	data := fakeData{
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
+			key: pod,
+		},
+	}
+	ctrl := newFakeController(&data)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+	assert.NotNil(t, compRes)
+	assert.Equal(t, argoappv1.SyncStatusCodeOutOfSync, compRes.syncStatus.Status)
+	assert.Equal(t, 1, len(compRes.resources))
+	assert.Equal(t, 1, len(compRes.managedResources))
+	assert.Equal(t, 0, len(app.Status.Conditions))
+}
+
+// TestCompareAppStateHook checks that hooks are detected during manifest generation, and not
+// considered as part of resources when assessing Synced status
+func TestCompareAppStateHook(t *testing.T) {
+	pod := test.NewPod()
+	pod.SetAnnotations(map[string]string{common.AnnotationKeyHook: "PreSync"})
+	podBytes, _ := json.Marshal(pod)
+	app := newFakeApp()
+	data := fakeData{
+		apps: []runtime.Object{app},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{string(podBytes)},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	}
+	ctrl := newFakeController(&data)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+	assert.NotNil(t, compRes)
+	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
+	assert.Equal(t, 0, len(compRes.resources))
+	assert.Equal(t, 0, len(compRes.managedResources))
+	assert.Equal(t, 1, len(compRes.hooks))
+	assert.Equal(t, 0, len(app.Status.Conditions))
+}
+
+// checks that ignore resources are detected, but excluded from status
+func TestCompareAppStateCompareOptionIgnoreExtraneous(t *testing.T) {
+	pod := test.NewPod()
+	pod.SetAnnotations(map[string]string{common.AnnotationCompareOptions: "IgnoreExtraneous"})
+	app := newFakeApp()
+	data := fakeData{
+		apps: []runtime.Object{app},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	}
+	ctrl := newFakeController(&data)
+
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
+	assert.NotNil(t, compRes)
+	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
+	assert.Len(t, compRes.resources, 0)
+	assert.Len(t, compRes.managedResources, 0)
+	assert.Len(t, app.Status.Conditions, 0)
+}
+
+// TestCompareAppStateExtraHook tests when there is an extra _hook_ object in live but not defined in git
+func TestCompareAppStateExtraHook(t *testing.T) {
+	pod := test.NewPod()
+	pod.SetAnnotations(map[string]string{common.AnnotationKeyHook: "PreSync"})
+	pod.SetNamespace(test.FakeDestNamespace)
+	app := newFakeApp()
+	key := kube.ResourceKey{Group: "", Kind: "Pod", Namespace: test.FakeDestNamespace, Name: app.Name}
+	data := fakeData{
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
+			key: pod,
+		},
+	}
+	ctrl := newFakeController(&data)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
+	assert.NotNil(t, compRes)
+	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
+	assert.Equal(t, 1, len(compRes.resources))
+	assert.Equal(t, 1, len(compRes.managedResources))
+	assert.Equal(t, 0, len(compRes.hooks))
+	assert.Equal(t, 0, len(app.Status.Conditions))
+}
+
+func toJSON(t *testing.T, obj *unstructured.Unstructured) string {
+	data, err := json.Marshal(obj)
+	assert.NoError(t, err)
+	return string(data)
+}
+
+func TestCompareAppStateDuplicatedNamespacedResources(t *testing.T) {
+	obj1 := test.NewPod()
+	obj1.SetNamespace(test.FakeDestNamespace)
+	obj2 := test.NewPod()
+	obj3 := test.NewPod()
+	obj3.SetNamespace("kube-system")
+
+	app := newFakeApp()
+	data := fakeData{
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{toJSON(t, obj1), toJSON(t, obj2), toJSON(t, obj3)},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
+			kube.GetResourceKey(obj1): obj1,
+			kube.GetResourceKey(obj3): obj3,
+		},
+	}
+	ctrl := newFakeController(&data)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
+	assert.NotNil(t, compRes)
+	assert.Contains(t, app.Status.Conditions, argoappv1.ApplicationCondition{
+		Message: "Resource /Pod/fake-dest-ns/my-pod appeared 2 times among application resources.",
+		Type:    argoappv1.ApplicationConditionRepeatedResourceWarning,
+	})
+	assert.Equal(t, 2, len(compRes.resources))
+}
+
+var defaultProj = argoappv1.AppProject{
+	ObjectMeta: metav1.ObjectMeta{
+		Name:      "default",
+		Namespace: test.FakeArgoCDNamespace,
+	},
+	Spec: argoappv1.AppProjectSpec{
+		SourceRepos: []string{"*"},
+		Destinations: []argoappv1.ApplicationDestination{
+			{
+				Server:    "*",
+				Namespace: "*",
+			},
+		},
+	},
+}
+
+func TestSetHealth(t *testing.T) {
+	app := newFakeApp()
+	deployment := kube.MustToUnstructured(&v1.Deployment{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "apps/v1beta1",
+			Kind:       "Deployment",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "demo",
+			Namespace: "default",
+		},
+	})
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
+			kube.GetResourceKey(deployment): deployment,
+		},
+	})
+
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
+	assert.Equal(t, compRes.healthStatus.Status, argoappv1.HealthStatusHealthy)
+}
+
+func TestSetHealthSelfReferencedApp(t *testing.T) {
+	app := newFakeApp()
+	unstructuredApp := kube.MustToUnstructured(app)
+	deployment := kube.MustToUnstructured(&v1.Deployment{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "apps/v1beta1",
+			Kind:       "Deployment",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "demo",
+			Namespace: "default",
+		},
+	})
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
+			kube.GetResourceKey(deployment):      deployment,
+			kube.GetResourceKey(unstructuredApp): unstructuredApp,
+		},
+	})
+
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
+	assert.Equal(t, compRes.healthStatus.Status, argoappv1.HealthStatusHealthy)
+}
+
+func TestSetManagedResourcesWithOrphanedResources(t *testing.T) {
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	app := newFakeApp()
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, proj},
+		namespacedResources: map[kube.ResourceKey]namespacedResource{
+			kube.NewResourceKey("apps", kube.DeploymentKind, app.Namespace, "guestbook"): {
+				ResourceNode: argoappv1.ResourceNode{
+					ResourceRef: argoappv1.ResourceRef{Kind: kube.DeploymentKind, Name: "guestbook", Namespace: app.Namespace},
+				},
+				AppName: "",
+			},
+		},
+	})
+
+	tree, err := ctrl.setAppManagedResources(app, &comparisonResult{managedResources: make([]managedResource, 0)})
+
+	assert.NoError(t, err)
+	assert.Equal(t, len(tree.OrphanedNodes), 1)
+	assert.Equal(t, "guestbook", tree.OrphanedNodes[0].Name)
+	assert.Equal(t, app.Namespace, tree.OrphanedNodes[0].Namespace)
+}
+
+func TestSetManagedResourcesWithResourcesOfAnotherApp(t *testing.T) {
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	app1 := newFakeApp()
+	app1.Name = "app1"
+	app2 := newFakeApp()
+	app2.Name = "app2"
+
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app1, app2, proj},
+		namespacedResources: map[kube.ResourceKey]namespacedResource{
+			kube.NewResourceKey("apps", kube.DeploymentKind, app2.Namespace, "guestbook"): {
+				ResourceNode: argoappv1.ResourceNode{
+					ResourceRef: argoappv1.ResourceRef{Kind: kube.DeploymentKind, Name: "guestbook", Namespace: app2.Namespace},
+				},
+				AppName: "app2",
+			},
+		},
+	})
+
+	tree, err := ctrl.setAppManagedResources(app1, &comparisonResult{managedResources: make([]managedResource, 0)})
+
+	assert.NoError(t, err)
+	assert.Equal(t, len(tree.OrphanedNodes), 0)
+}
+
+func TestReturnUnknownComparisonStateOnSettingLoadError(t *testing.T) {
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	app := newFakeApp()
+
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, proj},
+		configMapData: map[string]string{
+			"resource.customizations": "invalid setting",
+		},
+	})
+
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
+	assert.Equal(t, argoappv1.HealthStatusUnknown, compRes.healthStatus.Status)
+	assert.Equal(t, argoappv1.SyncStatusCodeUnknown, compRes.syncStatus.Status)
+}
+
+func TestSetManagedResourcesKnownOrphanedResourceExceptions(t *testing.T) {
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	app := newFakeApp()
+	app.Namespace = "default"
+
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, proj},
+		namespacedResources: map[kube.ResourceKey]namespacedResource{
+			kube.NewResourceKey("apps", kube.DeploymentKind, app.Namespace, "guestbook"): {
+				ResourceNode: argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Group: "apps", Kind: kube.DeploymentKind, Name: "guestbook", Namespace: app.Namespace}},
+			},
+			kube.NewResourceKey("", kube.ServiceAccountKind, app.Namespace, "default"): {
+				ResourceNode: argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Kind: kube.ServiceAccountKind, Name: "default", Namespace: app.Namespace}},
+			},
+			kube.NewResourceKey("", kube.ServiceKind, app.Namespace, "kubernetes"): {
+				ResourceNode: argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Kind: kube.ServiceAccountKind, Name: "kubernetes", Namespace: app.Namespace}},
+			},
+		},
+	})
+
+	tree, err := ctrl.setAppManagedResources(app, &comparisonResult{managedResources: make([]managedResource, 0)})
+
+	assert.NoError(t, err)
+	assert.Len(t, tree.OrphanedNodes, 1)
+	assert.Equal(t, "guestbook", tree.OrphanedNodes[0].Name)
+}
+
+func Test_comparisonResult_obs(t *testing.T) {
+	assert.Len(t, (&comparisonResult{}).targetObjs(), 0)
+	assert.Len(t, (&comparisonResult{managedResources: []managedResource{{}}}).targetObjs(), 0)
+	assert.Len(t, (&comparisonResult{managedResources: []managedResource{{Target: test.NewPod()}}}).targetObjs(), 1)
+	assert.Len(t, (&comparisonResult{hooks: []*unstructured.Unstructured{{}}}).targetObjs(), 1)
 }

controller/sync_hooks.go

@@ -0,0 +1,120 @@
+package controller
+
+import (
+	"fmt"
+
+	"github.com/argoproj/argo-cd/util/health"
+
+	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kubernetes/pkg/apis/batch"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+// getOperationPhase returns a hook status from an _live_ unstructured object
+func getOperationPhase(hook *unstructured.Unstructured) (operation v1alpha1.OperationPhase, message string) {
+	gvk := hook.GroupVersionKind()
+	if isBatchJob(gvk) {
+		return getStatusFromBatchJob(hook)
+	} else if isArgoWorkflow(gvk) {
+		return health.GetStatusFromArgoWorkflow(hook)
+	} else if isPod(gvk) {
+		return getStatusFromPod(hook)
+	} else {
+		return v1alpha1.OperationSucceeded, fmt.Sprintf("%s created", hook.GetName())
+	}
+}
+
+// isRunnable returns if the resource object is a runnable type which needs to be terminated
+func isRunnable(gvk schema.GroupVersionKind) bool {
+	return isBatchJob(gvk) || isArgoWorkflow(gvk) || isPod(gvk)
+}
+
+func isBatchJob(gvk schema.GroupVersionKind) bool {
+	return gvk.Group == "batch" && gvk.Kind == "Job"
+}
+
+// TODO this is a copy-and-paste of health.getJobHealth(), refactor out?
+func getStatusFromBatchJob(hook *unstructured.Unstructured) (operation v1alpha1.OperationPhase, message string) {
+	var job batch.Job
+	err := runtime.DefaultUnstructuredConverter.FromUnstructured(hook.Object, &job)
+	if err != nil {
+		return v1alpha1.OperationError, err.Error()
+	}
+	failed := false
+	var failMsg string
+	complete := false
+	for _, condition := range job.Status.Conditions {
+		switch condition.Type {
+		case batch.JobFailed:
+			failed = true
+			complete = true
+			failMsg = condition.Message
+		case batch.JobComplete:
+			complete = true
+			message = condition.Message
+		}
+	}
+	if !complete {
+		return v1alpha1.OperationRunning, message
+	} else if failed {
+		return v1alpha1.OperationFailed, failMsg
+	} else {
+		return v1alpha1.OperationSucceeded, message
+	}
+}
+
+func isArgoWorkflow(gvk schema.GroupVersionKind) bool {
+	return gvk.Group == "argoproj.io" && gvk.Kind == "Workflow"
+}
+
+func isPod(gvk schema.GroupVersionKind) bool {
+	return gvk.Group == "" && gvk.Kind == "Pod"
+}
+
+// TODO - this is very similar to health.getPodHealth() should we use that instead?
+func getStatusFromPod(hook *unstructured.Unstructured) (v1alpha1.OperationPhase, string) {
+	var pod apiv1.Pod
+	err := runtime.DefaultUnstructuredConverter.FromUnstructured(hook.Object, &pod)
+	if err != nil {
+		return v1alpha1.OperationError, err.Error()
+	}
+	getFailMessage := func(ctr *apiv1.ContainerStatus) string {
+		if ctr.State.Terminated != nil {
+			if ctr.State.Terminated.Message != "" {
+				return ctr.State.Terminated.Message
+			}
+			if ctr.State.Terminated.Reason == "OOMKilled" {
+				return ctr.State.Terminated.Reason
+			}
+			if ctr.State.Terminated.ExitCode != 0 {
+				return fmt.Sprintf("container %q failed with exit code %d", ctr.Name, ctr.State.Terminated.ExitCode)
+			}
+		}
+		return ""
+	}
+
+	switch pod.Status.Phase {
+	case apiv1.PodPending, apiv1.PodRunning:
+		return v1alpha1.OperationRunning, ""
+	case apiv1.PodSucceeded:
+		return v1alpha1.OperationSucceeded, ""
+	case apiv1.PodFailed:
+		if pod.Status.Message != "" {
+			// Pod has a nice error message. Use that.
+			return v1alpha1.OperationFailed, pod.Status.Message
+		}
+		for _, ctr := range append(pod.Status.InitContainerStatuses, pod.Status.ContainerStatuses...) {
+			if msg := getFailMessage(&ctr); msg != "" {
+				return v1alpha1.OperationFailed, msg
+			}
+		}
+		return v1alpha1.OperationFailed, ""
+	case apiv1.PodUnknown:
+		return v1alpha1.OperationError, ""
+	}
+	return v1alpha1.OperationRunning, ""
+}

controller/sync_phase.go

@@ -0,0 +1,29 @@
+package controller
+
+import (
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/hook"
+)
+
+func syncPhases(obj *unstructured.Unstructured) []v1alpha1.SyncPhase {
+	if hook.Skip(obj) {
+		return nil
+	} else if hook.IsHook(obj) {
+		phasesMap := make(map[v1alpha1.SyncPhase]bool)
+		for _, hookType := range hook.Types(obj) {
+			switch hookType {
+			case v1alpha1.HookTypePreSync, v1alpha1.HookTypeSync, v1alpha1.HookTypePostSync, v1alpha1.HookTypeSyncFail:
+				phasesMap[v1alpha1.SyncPhase(hookType)] = true
+			}
+		}
+		var phases []v1alpha1.SyncPhase
+		for phase := range phasesMap {
+			phases = append(phases, phase)
+		}
+		return phases
+	} else {
+		return []v1alpha1.SyncPhase{v1alpha1.SyncPhaseSync}
+	}
+}

controller/sync_phase_test.go

@@ -0,0 +1,57 @@
+package controller
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	. "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/test"
+)
+
+func TestSyncPhaseNone(t *testing.T) {
+	assert.Equal(t, []SyncPhase{SyncPhaseSync}, syncPhases(&unstructured.Unstructured{}))
+}
+
+func TestSyncPhasePreSync(t *testing.T) {
+	assert.Equal(t, []SyncPhase{SyncPhasePreSync}, syncPhases(pod("PreSync")))
+}
+
+func TestSyncPhaseSync(t *testing.T) {
+	assert.Equal(t, []SyncPhase{SyncPhaseSync}, syncPhases(pod("Sync")))
+}
+
+func TestSyncPhaseSkip(t *testing.T) {
+	assert.Nil(t, syncPhases(pod("Skip")))
+}
+
+// garbage hooks are still hooks, but have no phases, because some user spelled something wrong
+func TestSyncPhaseGarbage(t *testing.T) {
+	assert.Nil(t, syncPhases(pod("Garbage")))
+}
+
+func TestSyncPhasePost(t *testing.T) {
+	assert.Equal(t, []SyncPhase{SyncPhasePostSync}, syncPhases(pod("PostSync")))
+}
+
+func TestSyncPhaseFail(t *testing.T) {
+	assert.Equal(t, []SyncPhase{SyncPhaseSyncFail}, syncPhases(pod("SyncFail")))
+}
+
+func TestSyncPhaseTwoPhases(t *testing.T) {
+	assert.ElementsMatch(t, []SyncPhase{SyncPhasePreSync, SyncPhasePostSync}, syncPhases(pod("PreSync,PostSync")))
+}
+
+func TestSyncDuplicatedPhases(t *testing.T) {
+	assert.ElementsMatch(t, []SyncPhase{SyncPhasePreSync}, syncPhases(pod("PreSync,PreSync")))
+	assert.ElementsMatch(t, []SyncPhase{SyncPhasePreSync}, syncPhases(podWithHelmHook("pre-install,pre-upgrade")))
+}
+
+func pod(hookType string) *unstructured.Unstructured {
+	return test.Annotate(test.NewPod(), "argocd.argoproj.io/hook", hookType)
+}
+
+func podWithHelmHook(hookType string) *unstructured.Unstructured {
+	return test.Annotate(test.NewPod(), "helm.sh/hook", hookType)
+}

controller/sync_task.go

@@ -0,0 +1,130 @@
+package controller
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/hook"
+	"github.com/argoproj/argo-cd/util/resource/syncwaves"
+)
+
+// syncTask holds the live and target object. At least one should be non-nil. A targetObj of nil
+// indicates the live object needs to be pruned. A liveObj of nil indicates the object has yet to
+// be deployed
+type syncTask struct {
+	phase          v1alpha1.SyncPhase
+	liveObj        *unstructured.Unstructured
+	targetObj      *unstructured.Unstructured
+	skipDryRun     bool
+	syncStatus     v1alpha1.ResultCode
+	operationState v1alpha1.OperationPhase
+	message        string
+}
+
+func ternary(val bool, a, b string) string {
+	if val {
+		return a
+	} else {
+		return b
+	}
+}
+
+func (t *syncTask) String() string {
+	return fmt.Sprintf("%s/%d %s %s/%s:%s/%s %s->%s (%s,%s,%s)",
+		t.phase, t.wave(),
+		ternary(t.isHook(), "hook", "resource"), t.group(), t.kind(), t.namespace(), t.name(),
+		ternary(t.liveObj != nil, "obj", "nil"), ternary(t.targetObj != nil, "obj", "nil"),
+		t.syncStatus, t.operationState, t.message,
+	)
+}
+
+func (t *syncTask) isPrune() bool {
+	return t.targetObj == nil
+}
+
+// return the target object (if this exists) otherwise the live object
+// some caution - often you explicitly want the live object not the target object
+func (t *syncTask) obj() *unstructured.Unstructured {
+	return obj(t.targetObj, t.liveObj)
+}
+
+func (t *syncTask) wave() int {
+	return syncwaves.Wave(t.obj())
+}
+
+func (t *syncTask) isHook() bool {
+	return hook.IsHook(t.obj())
+}
+
+func (t *syncTask) group() string {
+	return t.groupVersionKind().Group
+}
+func (t *syncTask) kind() string {
+	return t.groupVersionKind().Kind
+}
+
+func (t *syncTask) version() string {
+	return t.groupVersionKind().Version
+}
+
+func (t *syncTask) groupVersionKind() schema.GroupVersionKind {
+	return t.obj().GroupVersionKind()
+}
+
+func (t *syncTask) name() string {
+	return t.obj().GetName()
+}
+
+func (t *syncTask) namespace() string {
+	return t.obj().GetNamespace()
+}
+
+func (t *syncTask) pending() bool {
+	return t.operationState == ""
+}
+
+func (t *syncTask) running() bool {
+	return t.operationState.Running()
+}
+
+func (t *syncTask) completed() bool {
+	return t.operationState.Completed()
+}
+
+func (t *syncTask) successful() bool {
+	return t.operationState.Successful()
+}
+
+func (t *syncTask) failed() bool {
+	return t.operationState.Failed()
+}
+
+func (t *syncTask) hookType() v1alpha1.HookType {
+	if t.isHook() {
+		return v1alpha1.HookType(t.phase)
+	} else {
+		return ""
+	}
+}
+
+func (t *syncTask) hasHookDeletePolicy(policy v1alpha1.HookDeletePolicy) bool {
+	// cannot have a policy if it is not a hook, it is meaningless
+	if !t.isHook() {
+		return false
+	}
+	for _, p := range hook.DeletePolicies(t.obj()) {
+		if p == policy {
+			return true
+		}
+	}
+	return false
+}
+
+func (t *syncTask) needsDeleting() bool {
+	return t.liveObj != nil && (t.pending() && t.hasHookDeletePolicy(v1alpha1.HookDeletePolicyBeforeHookCreation) ||
+		t.successful() && t.hasHookDeletePolicy(v1alpha1.HookDeletePolicyHookSucceeded) ||
+		t.failed() && t.hasHookDeletePolicy(v1alpha1.HookDeletePolicyHookFailed))
+}

controller/sync_task_test.go

@@ -0,0 +1,66 @@
+package controller
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	. "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	. "github.com/argoproj/argo-cd/test"
+)
+
+func Test_syncTask_hookType(t *testing.T) {
+	type fields struct {
+		phase   SyncPhase
+		liveObj *unstructured.Unstructured
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   HookType
+	}{
+		{"Empty", fields{SyncPhaseSync, NewPod()}, ""},
+		{"PreSyncHook", fields{SyncPhasePreSync, NewHook(HookTypePreSync)}, HookTypePreSync},
+		{"SyncHook", fields{SyncPhaseSync, NewHook(HookTypeSync)}, HookTypeSync},
+		{"PostSyncHook", fields{SyncPhasePostSync, NewHook(HookTypePostSync)}, HookTypePostSync},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			task := &syncTask{
+				phase:   tt.fields.phase,
+				liveObj: tt.fields.liveObj,
+			}
+			hookType := task.hookType()
+			assert.EqualValues(t, tt.want, hookType)
+		})
+	}
+}
+
+func Test_syncTask_hasHookDeletePolicy(t *testing.T) {
+	assert.False(t, (&syncTask{targetObj: NewPod()}).hasHookDeletePolicy(HookDeletePolicyBeforeHookCreation))
+	assert.False(t, (&syncTask{targetObj: NewPod()}).hasHookDeletePolicy(HookDeletePolicyHookSucceeded))
+	assert.False(t, (&syncTask{targetObj: NewPod()}).hasHookDeletePolicy(HookDeletePolicyHookFailed))
+	// must be hook
+	assert.False(t, (&syncTask{targetObj: Annotate(NewPod(), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).hasHookDeletePolicy(HookDeletePolicyBeforeHookCreation))
+	assert.True(t, (&syncTask{targetObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).hasHookDeletePolicy(HookDeletePolicyBeforeHookCreation))
+	assert.True(t, (&syncTask{targetObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "HookSucceeded")}).hasHookDeletePolicy(HookDeletePolicyHookSucceeded))
+	assert.True(t, (&syncTask{targetObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "HookFailed")}).hasHookDeletePolicy(HookDeletePolicyHookFailed))
+}
+
+func Test_syncTask_needsDeleting(t *testing.T) {
+	assert.False(t, (&syncTask{liveObj: NewPod()}).needsDeleting())
+	// must be hook
+	assert.False(t, (&syncTask{liveObj: Annotate(NewPod(), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).needsDeleting())
+	// no need to delete if no live obj
+	assert.False(t, (&syncTask{targetObj: Annotate(Annotate(NewPod(), "argoocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).needsDeleting())
+	assert.True(t, (&syncTask{liveObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).needsDeleting())
+	assert.True(t, (&syncTask{liveObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).needsDeleting())
+	assert.True(t, (&syncTask{operationState: OperationSucceeded, liveObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "HookSucceeded")}).needsDeleting())
+	assert.True(t, (&syncTask{operationState: OperationFailed, liveObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "HookFailed")}).needsDeleting())
+}
+
+func Test_syncTask_wave(t *testing.T) {
+	assert.Equal(t, 0, (&syncTask{targetObj: NewPod()}).wave())
+	assert.Equal(t, 1, (&syncTask{targetObj: Annotate(NewPod(), "argocd.argoproj.io/sync-wave", "1")}).wave())
+}

controller/sync_tasks.go

@@ -0,0 +1,185 @@
+package controller
+
+import (
+	"strings"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+// kindOrder represents the correct order of Kubernetes resources within a manifest
+var syncPhaseOrder = map[v1alpha1.SyncPhase]int{
+	v1alpha1.SyncPhasePreSync:  -1,
+	v1alpha1.SyncPhaseSync:     0,
+	v1alpha1.SyncPhasePostSync: 1,
+	v1alpha1.SyncPhaseSyncFail: 2,
+}
+
+// kindOrder represents the correct order of Kubernetes resources within a manifest
+// https://github.com/helm/helm/blob/master/pkg/tiller/kind_sorter.go
+var kindOrder = map[string]int{}
+
+func init() {
+	kinds := []string{
+		"Namespace",
+		"ResourceQuota",
+		"LimitRange",
+		"PodSecurityPolicy",
+		"PodDisruptionBudget",
+		"Secret",
+		"ConfigMap",
+		"StorageClass",
+		"PersistentVolume",
+		"PersistentVolumeClaim",
+		"ServiceAccount",
+		"CustomResourceDefinition",
+		"ClusterRole",
+		"ClusterRoleBinding",
+		"Role",
+		"RoleBinding",
+		"Service",
+		"DaemonSet",
+		"Pod",
+		"ReplicationController",
+		"ReplicaSet",
+		"Deployment",
+		"StatefulSet",
+		"Job",
+		"CronJob",
+		"Ingress",
+		"APIService",
+	}
+	for i, kind := range kinds {
+		// make sure none of the above entries are zero, we need that for custom resources
+		kindOrder[kind] = i - len(kinds)
+	}
+}
+
+type syncTasks []*syncTask
+
+func (s syncTasks) Len() int {
+	return len(s)
+}
+
+func (s syncTasks) Swap(i, j int) {
+	s[i], s[j] = s[j], s[i]
+}
+
+// order is
+// 1. phase
+// 2. wave
+// 3. kind
+// 4. name
+func (s syncTasks) Less(i, j int) bool {
+
+	tA := s[i]
+	tB := s[j]
+
+	d := syncPhaseOrder[tA.phase] - syncPhaseOrder[tB.phase]
+	if d != 0 {
+		return d < 0
+	}
+
+	d = tA.wave() - tB.wave()
+	if d != 0 {
+		return d < 0
+	}
+
+	a := tA.obj()
+	b := tB.obj()
+
+	// we take advantage of the fact that if the kind is not in the kindOrder map,
+	// then it will return the default int value of zero, which is the highest value
+	d = kindOrder[a.GetKind()] - kindOrder[b.GetKind()]
+	if d != 0 {
+		return d < 0
+	}
+
+	return a.GetName() < b.GetName()
+}
+
+func (s syncTasks) Filter(predicate func(task *syncTask) bool) (tasks syncTasks) {
+	for _, task := range s {
+		if predicate(task) {
+			tasks = append(tasks, task)
+		}
+	}
+	return tasks
+}
+
+func (s syncTasks) Split(predicate func(task *syncTask) bool) (trueTasks, falseTasks syncTasks) {
+	for _, task := range s {
+		if predicate(task) {
+			trueTasks = append(trueTasks, task)
+		} else {
+			falseTasks = append(falseTasks, task)
+		}
+	}
+	return trueTasks, falseTasks
+}
+
+func (s syncTasks) All(predicate func(task *syncTask) bool) bool {
+	for _, task := range s {
+		if !predicate(task) {
+			return false
+		}
+	}
+	return true
+}
+
+func (s syncTasks) Any(predicate func(task *syncTask) bool) bool {
+	for _, task := range s {
+		if predicate(task) {
+			return true
+		}
+	}
+	return false
+}
+
+func (s syncTasks) Find(predicate func(task *syncTask) bool) *syncTask {
+	for _, task := range s {
+		if predicate(task) {
+			return task
+		}
+	}
+	return nil
+}
+
+func (s syncTasks) String() string {
+	var values []string
+	for _, task := range s {
+		values = append(values, task.String())
+	}
+	return "[" + strings.Join(values, ", ") + "]"
+}
+
+func (s syncTasks) phase() v1alpha1.SyncPhase {
+	if len(s) > 0 {
+		return s[0].phase
+	}
+	return ""
+}
+
+func (s syncTasks) wave() int {
+	if len(s) > 0 {
+		return s[0].wave()
+	}
+	return 0
+}
+
+func (s syncTasks) lastPhase() v1alpha1.SyncPhase {
+	if len(s) > 0 {
+		return s[len(s)-1].phase
+	}
+	return ""
+}
+
+func (s syncTasks) lastWave() int {
+	if len(s) > 0 {
+		return s[len(s)-1].wave()
+	}
+	return 0
+}
+
+func (s syncTasks) multiStep() bool {
+	return s.wave() != s.lastWave() || s.phase() != s.lastPhase()
+}

controller/sync_tasks_test.go

@@ -0,0 +1,392 @@
+package controller
+
+import (
+	"sort"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	"github.com/argoproj/argo-cd/common"
+	. "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	. "github.com/argoproj/argo-cd/test"
+)
+
+func Test_syncTasks_kindOrder(t *testing.T) {
+	assert.Equal(t, -27, kindOrder["Namespace"])
+	assert.Equal(t, -1, kindOrder["APIService"])
+	assert.Equal(t, 0, kindOrder["MyCRD"])
+}
+
+func TestSortSyncTask(t *testing.T) {
+	sort.Sort(unsortedTasks)
+	assert.Equal(t, sortedTasks, unsortedTasks)
+}
+
+func TestAnySyncTasks(t *testing.T) {
+	res := unsortedTasks.Any(func(task *syncTask) bool {
+		return task.name() == "a"
+	})
+	assert.True(t, res)
+
+	res = unsortedTasks.Any(func(task *syncTask) bool {
+		return task.name() == "does-not-exist"
+	})
+	assert.False(t, res)
+
+}
+
+func TestAllSyncTasks(t *testing.T) {
+	res := unsortedTasks.All(func(task *syncTask) bool {
+		return task.name() != ""
+	})
+	assert.False(t, res)
+
+	res = unsortedTasks.All(func(task *syncTask) bool {
+		return task.name() == "a"
+	})
+	assert.False(t, res)
+}
+
+func TestSplitSyncTasks(t *testing.T) {
+	named, unnamed := sortedTasks.Split(func(task *syncTask) bool {
+		return task.name() != ""
+	})
+	assert.Equal(t, named, namedObjTasks)
+	assert.Equal(t, unnamed, unnamedTasks)
+}
+
+var unsortedTasks = syncTasks{
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "Pod",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "Service",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "PersistentVolume",
+			},
+		},
+	},
+	{
+		phase: SyncPhaseSyncFail, targetObj: &unstructured.Unstructured{},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"annotations": map[string]interface{}{
+						"argocd.argoproj.io/sync-wave": "1",
+					},
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"name": "b",
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"name": "a",
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"annotations": map[string]interface{}{
+						"argocd.argoproj.io/sync-wave": "-1",
+					},
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+			},
+		},
+	},
+	{
+		phase:     SyncPhasePreSync,
+		targetObj: &unstructured.Unstructured{},
+	},
+	{
+		phase: SyncPhasePostSync, targetObj: &unstructured.Unstructured{},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "ConfigMap",
+			},
+		},
+	},
+}
+
+var sortedTasks = syncTasks{
+	{
+		phase:     SyncPhasePreSync,
+		targetObj: &unstructured.Unstructured{},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"annotations": map[string]interface{}{
+						"argocd.argoproj.io/sync-wave": "-1",
+					},
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "ConfigMap",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "PersistentVolume",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "Service",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "Pod",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"name": "a",
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"name": "b",
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"annotations": map[string]interface{}{
+						"argocd.argoproj.io/sync-wave": "1",
+					},
+				},
+			},
+		},
+	},
+	{
+		phase:     SyncPhasePostSync,
+		targetObj: &unstructured.Unstructured{},
+	},
+	{
+		phase:     SyncPhaseSyncFail,
+		targetObj: &unstructured.Unstructured{},
+	},
+}
+
+var namedObjTasks = syncTasks{
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"name": "a",
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"name": "b",
+				},
+			},
+		},
+	},
+}
+
+var unnamedTasks = syncTasks{
+	{
+		phase:     SyncPhasePreSync,
+		targetObj: &unstructured.Unstructured{},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"annotations": map[string]interface{}{
+						"argocd.argoproj.io/sync-wave": "-1",
+					},
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "ConfigMap",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "PersistentVolume",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "Service",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "Pod",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"annotations": map[string]interface{}{
+						"argocd.argoproj.io/sync-wave": "1",
+					},
+				},
+			},
+		},
+	},
+	{
+		phase:     SyncPhasePostSync,
+		targetObj: &unstructured.Unstructured{},
+	},
+	{
+		phase:     SyncPhaseSyncFail,
+		targetObj: &unstructured.Unstructured{},
+	},
+}
+
+func Test_syncTasks_Filter(t *testing.T) {
+	tasks := syncTasks{{phase: SyncPhaseSync}, {phase: SyncPhasePostSync}}
+
+	assert.Equal(t, syncTasks{{phase: SyncPhaseSync}}, tasks.Filter(func(t *syncTask) bool {
+		return t.phase == SyncPhaseSync
+	}))
+}
+
+func TestSyncNamespaceAgainstCRD(t *testing.T) {
+	crd := &syncTask{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"kind": "Workflow",
+			},
+		}}
+	namespace := &syncTask{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"kind": "Namespace",
+			},
+		},
+	}
+
+	unsorted := syncTasks{crd, namespace}
+	sort.Sort(unsorted)
+
+	assert.Equal(t, syncTasks{namespace, crd}, unsorted)
+}
+
+func Test_syncTasks_multiStep(t *testing.T) {
+	t.Run("Single", func(t *testing.T) {
+		tasks := syncTasks{{liveObj: Annotate(NewPod(), common.AnnotationSyncWave, "-1"), phase: SyncPhaseSync}}
+		assert.Equal(t, SyncPhaseSync, tasks.phase())
+		assert.Equal(t, -1, tasks.wave())
+		assert.Equal(t, SyncPhaseSync, tasks.lastPhase())
+		assert.Equal(t, -1, tasks.lastWave())
+		assert.False(t, tasks.multiStep())
+	})
+	t.Run("Double", func(t *testing.T) {
+		tasks := syncTasks{
+			{liveObj: Annotate(NewPod(), common.AnnotationSyncWave, "-1"), phase: SyncPhasePreSync},
+			{liveObj: Annotate(NewPod(), common.AnnotationSyncWave, "1"), phase: SyncPhasePostSync},
+		}
+		assert.Equal(t, SyncPhasePreSync, tasks.phase())
+		assert.Equal(t, -1, tasks.wave())
+		assert.Equal(t, SyncPhasePostSync, tasks.lastPhase())
+		assert.Equal(t, 1, tasks.lastWave())
+		assert.True(t, tasks.multiStep())
+	})
+}

controller/sync_test.go

@@ -1,79 +1,54 @@
 package controller
 
 import (
-	"context"
 	"fmt"
-	"sort"
+	"reflect"
 	"testing"
 
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/watch"
-
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/kube"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
-
-	apiv1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
 	fakedisco "k8s.io/client-go/discovery/fake"
+	"k8s.io/client-go/dynamic/fake"
 	"k8s.io/client-go/rest"
 	testcore "k8s.io/client-go/testing"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	. "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/test"
+	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/kube/kubetest"
 )
 
-type kubectlOutput struct {
-	output string
-	err    error
-}
-
-type mockKubectlCmd struct {
-	commands map[string]kubectlOutput
-	events   chan watch.Event
-}
-
-func (k mockKubectlCmd) WatchResources(
-	ctx context.Context, config *rest.Config, namespace string, selector func(kind schema.GroupVersionKind) v1.ListOptions) (chan watch.Event, error) {
-
-	return k.events, nil
-}
-
-func (k mockKubectlCmd) DeleteResource(config *rest.Config, obj *unstructured.Unstructured, namespace string) error {
-	command, ok := k.commands[obj.GetName()]
-	if !ok {
-		return nil
-	}
-	return command.err
-}
-
-func (k mockKubectlCmd) ApplyResource(config *rest.Config, obj *unstructured.Unstructured, namespace string, dryRun, force bool) (string, error) {
-	command, ok := k.commands[obj.GetName()]
-	if !ok {
-		return "", nil
-	}
-	return command.output, command.err
-}
-
-// ConvertToVersion converts an unstructured object into the specified group/version
-func (k mockKubectlCmd) ConvertToVersion(obj *unstructured.Unstructured, group, version string) (*unstructured.Unstructured, error) {
-	return obj, nil
-}
-
 func newTestSyncCtx(resources ...*v1.APIResourceList) *syncContext {
 	fakeDisco := &fakedisco.FakeDiscovery{Fake: &testcore.Fake{}}
-	fakeDisco.Resources = append(resources, &v1.APIResourceList{
-		APIResources: []v1.APIResource{
-			{Kind: "pod", Namespaced: true},
-			{Kind: "deployment", Namespaced: true},
-			{Kind: "service", Namespaced: true},
+	fakeDisco.Resources = append(resources,
+		&v1.APIResourceList{
+			GroupVersion: "v1",
+			APIResources: []v1.APIResource{
+				{Kind: "Pod", Group: "", Version: "v1", Namespaced: true},
+				{Kind: "Service", Group: "", Version: "v1", Namespaced: true},
+			},
+		},
+		&v1.APIResourceList{
+			GroupVersion: "apps/v1",
+			APIResources: []v1.APIResource{
+				{Kind: "Deployment", Group: "apps", Version: "v1", Namespaced: true},
+			},
+		})
+	sc := syncContext{
+		config:    &rest.Config{},
+		namespace: test.FakeArgoCDNamespace,
+		server:    test.FakeClusterURL,
+		syncRes: &v1alpha1.SyncOperationResult{
+			Revision: "FooBarBaz",
 		},
-	})
-	kube.FlushServerResourcesCache()
-	return &syncContext{
-		comparison: &v1alpha1.ComparisonResult{},
-		config:     &rest.Config{},
-		namespace:  "test-namespace",
-		syncRes:    &v1alpha1.SyncOperationResult{},
 		syncOp: &v1alpha1.SyncOperation{
 			Prune: true,
 			SyncStrategy: &v1alpha1.SyncStrategy{
@@ -81,10 +56,14 @@ func newTestSyncCtx(resources ...*v1.APIResourceList) *syncContext {
 			},
 		},
 		proj: &v1alpha1.AppProject{
-			ObjectMeta: v1.ObjectMeta{
+			ObjectMeta: metav1.ObjectMeta{
 				Name: "test",
 			},
 			Spec: v1alpha1.AppProjectSpec{
+				Destinations: []v1alpha1.ApplicationDestination{{
+					Server:    test.FakeClusterURL,
+					Namespace: test.FakeArgoCDNamespace,
+				}},
 				ClusterResourceWhitelist: []v1.GroupKind{
 					{Group: "*", Kind: "*"},
 				},
@@ -94,34 +73,64 @@ func newTestSyncCtx(resources ...*v1.APIResourceList) *syncContext {
 		disco:   fakeDisco,
 		log:     log.WithFields(log.Fields{"application": "fake-app"}),
 	}
+	sc.kubectl = &kubetest.MockKubectlCmd{}
+	return &sc
+}
+
+func newManagedResource(live *unstructured.Unstructured) managedResource {
+	return managedResource{
+		Live:      live,
+		Group:     live.GroupVersionKind().Group,
+		Version:   live.GroupVersionKind().Version,
+		Kind:      live.GroupVersionKind().Kind,
+		Namespace: live.GetNamespace(),
+		Name:      live.GetName(),
+	}
+}
+
+func TestSyncNotPermittedNamespace(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	targetPod := test.NewPod()
+	targetPod.SetNamespace("kube-system")
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{
+			Live:   nil,
+			Target: targetPod,
+		}, {
+			Live:   nil,
+			Target: test.NewService(),
+		}},
+	}
+	syncCtx.sync()
+	assert.Equal(t, v1alpha1.OperationFailed, syncCtx.opState.Phase)
+	assert.Contains(t, syncCtx.syncRes.Resources[0].Message, "not permitted in project")
 }
 
 func TestSyncCreateInSortedOrder(t *testing.T) {
 	syncCtx := newTestSyncCtx()
-	syncCtx.kubectl = mockKubectlCmd{}
-	syncCtx.comparison = &v1alpha1.ComparisonResult{
-		Resources: []v1alpha1.ResourceState{{
-			LiveState:   "",
-			TargetState: "{\"kind\":\"pod\"}",
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{
+			Live:   nil,
+			Target: test.NewPod(),
 		}, {
-			LiveState:   "",
-			TargetState: "{\"kind\":\"service\"}",
-		},
-		},
+			Live:   nil,
+			Target: test.NewService(),
+		}},
 	}
 	syncCtx.sync()
+	assert.Equal(t, v1alpha1.OperationSucceeded, syncCtx.opState.Phase)
 	assert.Len(t, syncCtx.syncRes.Resources, 2)
 	for i := range syncCtx.syncRes.Resources {
-		if syncCtx.syncRes.Resources[i].Kind == "pod" {
-			assert.Equal(t, v1alpha1.ResourceDetailsSynced, syncCtx.syncRes.Resources[i].Status)
-		} else if syncCtx.syncRes.Resources[i].Kind == "service" {
-			assert.Equal(t, v1alpha1.ResourceDetailsSynced, syncCtx.syncRes.Resources[i].Status)
+		result := syncCtx.syncRes.Resources[i]
+		if result.Kind == "Pod" {
+			assert.Equal(t, v1alpha1.ResultCodeSynced, result.Status)
+			assert.Equal(t, "", result.Message)
+		} else if result.Kind == "Service" {
+			assert.Equal(t, "", result.Message)
 		} else {
 			t.Error("Resource isn't a pod or a service")
 		}
 	}
-	syncCtx.sync()
-	assert.Equal(t, syncCtx.opState.Phase, v1alpha1.OperationSucceeded)
 }
 
 func TestSyncCreateNotWhitelistedClusterResources(t *testing.T) {
@@ -142,261 +151,549 @@ func TestSyncCreateNotWhitelistedClusterResources(t *testing.T) {
 		{Group: "argoproj.io", Kind: "*"},
 	}
 
-	syncCtx.kubectl = mockKubectlCmd{}
-	syncCtx.comparison = &v1alpha1.ComparisonResult{
-		Resources: []v1alpha1.ResourceState{{
-			LiveState:   "",
-			TargetState: `{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole", "metadata": {"name": "argo-ui-cluster-role" }}`,
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{}
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{
+			Live: nil,
+			Target: kube.MustToUnstructured(&rbacv1.ClusterRole{
+				TypeMeta:   metav1.TypeMeta{Kind: "ClusterRole", APIVersion: "rbac.authorization.k8s.io/v1"},
+				ObjectMeta: metav1.ObjectMeta{Name: "argo-ui-cluster-role"}}),
 		}},
 	}
 	syncCtx.sync()
 	assert.Len(t, syncCtx.syncRes.Resources, 1)
-	assert.Equal(t, v1alpha1.ResourceDetailsSyncFailed, syncCtx.syncRes.Resources[0].Status)
-	assert.Contains(t, syncCtx.syncRes.Resources[0].Message, "not permitted in project")
+	result := syncCtx.syncRes.Resources[0]
+	assert.Equal(t, v1alpha1.ResultCodeSyncFailed, result.Status)
+	assert.Contains(t, result.Message, "not permitted in project")
 }
 
 func TestSyncBlacklistedNamespacedResources(t *testing.T) {
 	syncCtx := newTestSyncCtx()
 
 	syncCtx.proj.Spec.NamespaceResourceBlacklist = []v1.GroupKind{
-		{Group: "*", Kind: "deployment"},
+		{Group: "*", Kind: "Deployment"},
 	}
 
-	syncCtx.kubectl = mockKubectlCmd{}
-	syncCtx.comparison = &v1alpha1.ComparisonResult{
-		Resources: []v1alpha1.ResourceState{{
-			LiveState:   "",
-			TargetState: "{\"kind\":\"deployment\"}",
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{
+			Live:   nil,
+			Target: test.NewDeployment(),
 		}},
 	}
 	syncCtx.sync()
 	assert.Len(t, syncCtx.syncRes.Resources, 1)
-	assert.Equal(t, v1alpha1.ResourceDetailsSyncFailed, syncCtx.syncRes.Resources[0].Status)
-	assert.Contains(t, syncCtx.syncRes.Resources[0].Message, "not permitted in project")
+	result := syncCtx.syncRes.Resources[0]
+	assert.Equal(t, v1alpha1.ResultCodeSyncFailed, result.Status)
+	assert.Contains(t, result.Message, "not permitted in project")
 }
 
 func TestSyncSuccessfully(t *testing.T) {
 	syncCtx := newTestSyncCtx()
-	syncCtx.kubectl = mockKubectlCmd{}
-	syncCtx.comparison = &v1alpha1.ComparisonResult{
-		Resources: []v1alpha1.ResourceState{{
-			LiveState:   "",
-			TargetState: "{\"kind\":\"service\"}",
+	pod := test.NewPod()
+	pod.SetNamespace(test.FakeArgoCDNamespace)
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{
+			Live:   nil,
+			Target: test.NewService(),
 		}, {
-			LiveState:   "{\"kind\":\"pod\"}",
-			TargetState: "",
-		},
-		},
+			Live:   pod,
+			Target: nil,
+		}},
 	}
 	syncCtx.sync()
+	assert.Equal(t, v1alpha1.OperationSucceeded, syncCtx.opState.Phase)
 	assert.Len(t, syncCtx.syncRes.Resources, 2)
 	for i := range syncCtx.syncRes.Resources {
-		if syncCtx.syncRes.Resources[i].Kind == "pod" {
-			assert.Equal(t, v1alpha1.ResourceDetailsSyncedAndPruned, syncCtx.syncRes.Resources[i].Status)
-		} else if syncCtx.syncRes.Resources[i].Kind == "service" {
-			assert.Equal(t, v1alpha1.ResourceDetailsSynced, syncCtx.syncRes.Resources[i].Status)
+		result := syncCtx.syncRes.Resources[i]
+		if result.Kind == "Pod" {
+			assert.Equal(t, v1alpha1.ResultCodePruned, result.Status)
+			assert.Equal(t, "pruned", result.Message)
+		} else if result.Kind == "Service" {
+			assert.Equal(t, v1alpha1.ResultCodeSynced, result.Status)
+			assert.Equal(t, "", result.Message)
 		} else {
 			t.Error("Resource isn't a pod or a service")
 		}
 	}
-	syncCtx.sync()
-	assert.Equal(t, syncCtx.opState.Phase, v1alpha1.OperationSucceeded)
 }
 
 func TestSyncDeleteSuccessfully(t *testing.T) {
 	syncCtx := newTestSyncCtx()
-	syncCtx.kubectl = mockKubectlCmd{}
-	syncCtx.comparison = &v1alpha1.ComparisonResult{
-		Resources: []v1alpha1.ResourceState{{
-			LiveState:   "{\"kind\":\"service\"}",
-			TargetState: "",
+	svc := test.NewService()
+	svc.SetNamespace(test.FakeArgoCDNamespace)
+	pod := test.NewPod()
+	pod.SetNamespace(test.FakeArgoCDNamespace)
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{
+			Live:   svc,
+			Target: nil,
 		}, {
-			LiveState:   "{\"kind\":\"pod\"}",
-			TargetState: "",
-		},
-		},
+			Live:   pod,
+			Target: nil,
+		}},
 	}
 	syncCtx.sync()
+	assert.Equal(t, v1alpha1.OperationSucceeded, syncCtx.opState.Phase)
 	for i := range syncCtx.syncRes.Resources {
-		if syncCtx.syncRes.Resources[i].Kind == "pod" {
-			assert.Equal(t, v1alpha1.ResourceDetailsSyncedAndPruned, syncCtx.syncRes.Resources[i].Status)
-		} else if syncCtx.syncRes.Resources[i].Kind == "service" {
-			assert.Equal(t, v1alpha1.ResourceDetailsSyncedAndPruned, syncCtx.syncRes.Resources[i].Status)
+		result := syncCtx.syncRes.Resources[i]
+		if result.Kind == "Pod" {
+			assert.Equal(t, v1alpha1.ResultCodePruned, result.Status)
+			assert.Equal(t, "pruned", result.Message)
+		} else if result.Kind == "Service" {
+			assert.Equal(t, v1alpha1.ResultCodePruned, result.Status)
+			assert.Equal(t, "pruned", result.Message)
 		} else {
 			t.Error("Resource isn't a pod or a service")
 		}
 	}
-	syncCtx.sync()
-	assert.Equal(t, syncCtx.opState.Phase, v1alpha1.OperationSucceeded)
 }
 
 func TestSyncCreateFailure(t *testing.T) {
 	syncCtx := newTestSyncCtx()
-	syncCtx.kubectl = mockKubectlCmd{
-		commands: map[string]kubectlOutput{
-			"test-service": {
-				output: "",
-				err:    fmt.Errorf("error: error validating \"test.yaml\": error validating data: apiVersion not set; if you choose to ignore these errors, turn validation off with --validate=false"),
+	testSvc := test.NewService()
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{
+		Commands: map[string]kubetest.KubectlOutput{
+			testSvc.GetName(): {
+				Output: "",
+				Err:    fmt.Errorf("foo"),
 			},
 		},
 	}
-	syncCtx.comparison = &v1alpha1.ComparisonResult{
-		Resources: []v1alpha1.ResourceState{{
-			LiveState:   "",
-			TargetState: "{\"kind\":\"service\", \"metadata\":{\"name\":\"test-service\"}}",
-		},
-		},
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{
+			Live:   nil,
+			Target: testSvc,
+		}},
 	}
 	syncCtx.sync()
 	assert.Len(t, syncCtx.syncRes.Resources, 1)
-	assert.Equal(t, v1alpha1.ResourceDetailsSyncFailed, syncCtx.syncRes.Resources[0].Status)
+	result := syncCtx.syncRes.Resources[0]
+	assert.Equal(t, v1alpha1.ResultCodeSyncFailed, result.Status)
+	assert.Equal(t, "foo", result.Message)
 }
 
 func TestSyncPruneFailure(t *testing.T) {
 	syncCtx := newTestSyncCtx()
-	syncCtx.kubectl = mockKubectlCmd{
-		commands: map[string]kubectlOutput{
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{
+		Commands: map[string]kubetest.KubectlOutput{
 			"test-service": {
-				output: "",
-				err:    fmt.Errorf(" error: timed out waiting for \"test-service\" to be synced"),
+				Output: "",
+				Err:    fmt.Errorf("foo"),
 			},
 		},
 	}
-	syncCtx.comparison = &v1alpha1.ComparisonResult{
-		Resources: []v1alpha1.ResourceState{{
-			LiveState:   "{\"kind\":\"service\", \"metadata\":{\"name\":\"test-service\"}}",
-			TargetState: "",
-		},
-		},
+	testSvc := test.NewService()
+	testSvc.SetName("test-service")
+	testSvc.SetNamespace(test.FakeArgoCDNamespace)
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{
+			Live:   testSvc,
+			Target: nil,
+		}},
 	}
 	syncCtx.sync()
+	assert.Equal(t, v1alpha1.OperationFailed, syncCtx.opState.Phase)
 	assert.Len(t, syncCtx.syncRes.Resources, 1)
-	assert.Equal(t, v1alpha1.ResourceDetailsSyncFailed, syncCtx.syncRes.Resources[0].Status)
+	result := syncCtx.syncRes.Resources[0]
+	assert.Equal(t, v1alpha1.ResultCodeSyncFailed, result.Status)
+	assert.Equal(t, "foo", result.Message)
 }
 
-func TestRunWorkflows(t *testing.T) {
-	// syncCtx := newTestSyncCtx()
-	// syncCtx.doWorkflowSync(nil, nil)
+func TestDontSyncOrPruneHooks(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	targetPod := test.NewPod()
+	targetPod.SetName("dont-create-me")
+	targetPod.SetAnnotations(map[string]string{common.AnnotationKeyHook: "PreSync"})
+	liveSvc := test.NewService()
+	liveSvc.SetName("dont-prune-me")
+	liveSvc.SetNamespace(test.FakeArgoCDNamespace)
+	liveSvc.SetAnnotations(map[string]string{common.AnnotationKeyHook: "PreSync"})
 
+	syncCtx.compareResult = &comparisonResult{
+		hooks: []*unstructured.Unstructured{targetPod, liveSvc},
+	}
+	syncCtx.sync()
+	assert.Len(t, syncCtx.syncRes.Resources, 0)
+	syncCtx.sync()
+	assert.Equal(t, v1alpha1.OperationSucceeded, syncCtx.opState.Phase)
 }
 
-func unsortedManifest() []syncTask {
-	return []syncTask{
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-					"kind":         "Pod",
-				},
-			},
+// make sure that we do not prune resources with Prune=false
+func TestDontPrunePruneFalse(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	pod := test.NewPod()
+	pod.SetAnnotations(map[string]string{common.AnnotationSyncOptions: "Prune=false"})
+	pod.SetNamespace(test.FakeArgoCDNamespace)
+	syncCtx.compareResult = &comparisonResult{managedResources: []managedResource{{Live: pod}}}
+
+	syncCtx.sync()
+
+	assert.Equal(t, v1alpha1.OperationSucceeded, syncCtx.opState.Phase)
+	assert.Len(t, syncCtx.syncRes.Resources, 1)
+	assert.Equal(t, v1alpha1.ResultCodePruneSkipped, syncCtx.syncRes.Resources[0].Status)
+	assert.Equal(t, "ignored (no prune)", syncCtx.syncRes.Resources[0].Message)
+
+	syncCtx.sync()
+
+	assert.Equal(t, v1alpha1.OperationSucceeded, syncCtx.opState.Phase)
+}
+
+// make sure Validate=false means we don't validate
+func TestSyncOptionValidate(t *testing.T) {
+	tests := []struct {
+		name          string
+		annotationVal string
+		want          bool
+	}{
+		{"Empty", "", true},
+		{"True", "Validate=true", true},
+		{"False", "Validate=false", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			syncCtx := newTestSyncCtx()
+			pod := test.NewPod()
+			pod.SetAnnotations(map[string]string{common.AnnotationSyncOptions: tt.annotationVal})
+			pod.SetNamespace(test.FakeArgoCDNamespace)
+			syncCtx.compareResult = &comparisonResult{managedResources: []managedResource{{Target: pod, Live: pod}}}
+
+			syncCtx.sync()
+
+			kubectl, _ := syncCtx.kubectl.(*kubetest.MockKubectlCmd)
+			assert.Equal(t, tt.want, kubectl.LastValidate)
+		})
+	}
+}
+
+func TestSelectiveSyncOnly(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	pod1 := test.NewPod()
+	pod1.SetName("pod-1")
+	pod2 := test.NewPod()
+	pod2.SetName("pod-2")
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{Target: pod1}},
+	}
+	syncCtx.syncResources = []v1alpha1.SyncOperationResource{{Kind: "Pod", Name: "pod-1"}}
+
+	tasks, successful := syncCtx.getSyncTasks()
+
+	assert.True(t, successful)
+	assert.Len(t, tasks, 1)
+	assert.Equal(t, "pod-1", tasks[0].name())
+}
+
+func TestUnnamedHooksGetUniqueNames(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	pod := test.NewPod()
+	pod.SetName("")
+	pod.SetAnnotations(map[string]string{common.AnnotationKeyHook: "PreSync,PostSync"})
+	syncCtx.compareResult = &comparisonResult{hooks: []*unstructured.Unstructured{pod}}
+
+	tasks, successful := syncCtx.getSyncTasks()
+
+	assert.True(t, successful)
+	assert.Len(t, tasks, 2)
+	assert.Contains(t, tasks[0].name(), "foobarb-presync-")
+	assert.Contains(t, tasks[1].name(), "foobarb-postsync-")
+	assert.Equal(t, "", pod.GetName())
+}
+
+func TestManagedResourceAreNotNamed(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	pod := test.NewPod()
+	pod.SetName("")
+	syncCtx.compareResult = &comparisonResult{managedResources: []managedResource{{Target: pod}}}
+
+	tasks, successful := syncCtx.getSyncTasks()
+
+	assert.True(t, successful)
+	assert.Len(t, tasks, 1)
+	assert.Equal(t, "", tasks[0].name())
+	assert.Equal(t, "", pod.GetName())
+}
+
+func TestDeDupingTasks(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	pod := test.NewPod()
+	pod.SetAnnotations(map[string]string{common.AnnotationKeyHook: "Sync"})
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{Target: pod}},
+		hooks:            []*unstructured.Unstructured{pod},
+	}
+
+	tasks, successful := syncCtx.getSyncTasks()
+
+	assert.True(t, successful)
+	assert.Len(t, tasks, 1)
+}
+
+func TestObjectsGetANamespace(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	pod := test.NewPod()
+	syncCtx.compareResult = &comparisonResult{managedResources: []managedResource{{Target: pod}}}
+
+	tasks, successful := syncCtx.getSyncTasks()
+
+	assert.True(t, successful)
+	assert.Len(t, tasks, 1)
+	assert.Equal(t, test.FakeArgoCDNamespace, tasks[0].namespace())
+	assert.Equal(t, "", pod.GetNamespace())
+}
+
+func TestPersistRevisionHistory(t *testing.T) {
+	app := newFakeApp()
+	app.Status.OperationState = nil
+	app.Status.History = nil
+
+	defaultProject := &v1alpha1.AppProject{
+		ObjectMeta: v1.ObjectMeta{
+			Namespace: test.FakeArgoCDNamespace,
+			Name:      "default",
 		},
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-					"kind":         "Service",
-				},
-			},
+	}
+	data := fakeData{
+		apps: []runtime.Object{app, defaultProject},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
 		},
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-					"kind":         "PersistentVolume",
-				},
-			},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	}
+	ctrl := newFakeController(&data)
+
+	// Sync with source unspecified
+	opState := &v1alpha1.OperationState{Operation: v1alpha1.Operation{
+		Sync: &v1alpha1.SyncOperation{},
+	}}
+	ctrl.appStateManager.SyncAppState(app, opState)
+	// Ensure we record spec.source into sync result
+	assert.Equal(t, app.Spec.Source, opState.SyncResult.Source)
+
+	updatedApp, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace).Get(app.Name, v1.GetOptions{})
+	assert.Nil(t, err)
+	assert.Equal(t, 1, len(updatedApp.Status.History))
+	assert.Equal(t, app.Spec.Source, updatedApp.Status.History[0].Source)
+	assert.Equal(t, "abc123", updatedApp.Status.History[0].Revision)
+}
+
+func TestPersistRevisionHistoryRollback(t *testing.T) {
+	app := newFakeApp()
+	app.Status.OperationState = nil
+	app.Status.History = nil
+	defaultProject := &v1alpha1.AppProject{
+		ObjectMeta: v1.ObjectMeta{
+			Namespace: test.FakeArgoCDNamespace,
+			Name:      "default",
 		},
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-				},
-			},
+	}
+	data := fakeData{
+		apps: []runtime.Object{app, defaultProject},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
 		},
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-					"kind":         "ConfigMap",
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	}
+	ctrl := newFakeController(&data)
+
+	// Sync with source specified
+	source := v1alpha1.ApplicationSource{
+		Helm: &v1alpha1.ApplicationSourceHelm{
+			Parameters: []v1alpha1.HelmParameter{
+				{
+					Name:  "test",
+					Value: "123",
 				},
 			},
 		},
 	}
+	opState := &v1alpha1.OperationState{Operation: v1alpha1.Operation{
+		Sync: &v1alpha1.SyncOperation{
+			Source: &source,
+		},
+	}}
+	ctrl.appStateManager.SyncAppState(app, opState)
+	// Ensure we record opState's source into sync result
+	assert.Equal(t, source, opState.SyncResult.Source)
+
+	updatedApp, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace).Get(app.Name, v1.GetOptions{})
+	assert.Nil(t, err)
+	assert.Equal(t, 1, len(updatedApp.Status.History))
+	assert.Equal(t, source, updatedApp.Status.History[0].Source)
+	assert.Equal(t, "abc123", updatedApp.Status.History[0].Revision)
 }
 
-func sortedManifest() []syncTask {
-	return []syncTask{
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-					"kind":         "ConfigMap",
-				},
-			},
-		},
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-					"kind":         "PersistentVolume",
-				},
-			},
-		},
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-					"kind":         "Service",
-				},
-			},
-		},
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-					"kind":         "Pod",
-				},
-			},
-		},
-		{
-			targetObj: &unstructured.Unstructured{
-				Object: map[string]interface{}{
-					"GroupVersion": apiv1.SchemeGroupVersion.String(),
-				},
-			},
-		},
+func TestSyncFailureHookWithSuccessfulSync(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{Target: test.NewPod()}},
+		hooks:            []*unstructured.Unstructured{test.NewHook(HookTypeSyncFail)},
+	}
+
+	syncCtx.sync()
+
+	assert.Equal(t, OperationSucceeded, syncCtx.opState.Phase)
+	// only one result, we did not run the failure failureHook
+	assert.Len(t, syncCtx.syncRes.Resources, 1)
+}
+
+func TestSyncFailureHookWithFailedSync(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	pod := test.NewPod()
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{Target: pod}},
+		hooks:            []*unstructured.Unstructured{test.NewHook(HookTypeSyncFail)},
+	}
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{
+		Commands: map[string]kubetest.KubectlOutput{pod.GetName(): {Err: fmt.Errorf("")}},
+	}
+
+	syncCtx.sync()
+	syncCtx.sync()
+
+	assert.Equal(t, OperationFailed, syncCtx.opState.Phase)
+	assert.Len(t, syncCtx.syncRes.Resources, 2)
+}
+
+func TestBeforeHookCreation(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	hook := test.Annotate(test.Annotate(test.NewPod(), common.AnnotationKeyHook, "Sync"), common.AnnotationKeyHookDeletePolicy, "BeforeHookCreation")
+	hook.SetNamespace(test.FakeArgoCDNamespace)
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{newManagedResource(hook)},
+		hooks:            []*unstructured.Unstructured{hook},
+	}
+	syncCtx.dynamicIf = fake.NewSimpleDynamicClient(runtime.NewScheme())
+
+	syncCtx.sync()
+	assert.Len(t, syncCtx.syncRes.Resources, 1)
+	assert.Empty(t, syncCtx.syncRes.Resources[0].Message)
+}
+
+func TestRunSyncFailHooksFailed(t *testing.T) {
+	// Tests that other SyncFail Hooks run even if one of them fail.
+
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	pod := test.NewPod()
+	successfulSyncFailHook := test.NewHook(HookTypeSyncFail)
+	successfulSyncFailHook.SetName("successful-sync-fail-hook")
+	failedSyncFailHook := test.NewHook(HookTypeSyncFail)
+	failedSyncFailHook.SetName("failed-sync-fail-hook")
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{Target: pod}},
+		hooks:            []*unstructured.Unstructured{successfulSyncFailHook, failedSyncFailHook},
+	}
+
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{
+		Commands: map[string]kubetest.KubectlOutput{
+			// Fail operation
+			pod.GetName(): {Err: fmt.Errorf("")},
+			// Fail a single SyncFail hook
+			failedSyncFailHook.GetName(): {Err: fmt.Errorf("")}},
+	}
+
+	syncCtx.sync()
+	syncCtx.sync()
+
+	fmt.Println(syncCtx.syncRes.Resources)
+	fmt.Println(syncCtx.opState.Phase)
+	// Operation as a whole should fail
+	assert.Equal(t, OperationFailed, syncCtx.opState.Phase)
+	// failedSyncFailHook should fail
+	assert.Equal(t, OperationFailed, syncCtx.syncRes.Resources[1].HookPhase)
+	assert.Equal(t, ResultCodeSyncFailed, syncCtx.syncRes.Resources[1].Status)
+	// successfulSyncFailHook should be synced running (it is an nginx pod)
+	assert.Equal(t, OperationRunning, syncCtx.syncRes.Resources[2].HookPhase)
+	assert.Equal(t, ResultCodeSynced, syncCtx.syncRes.Resources[2].Status)
+}
+
+func Test_syncContext_isSelectiveSync(t *testing.T) {
+	type fields struct {
+		compareResult *comparisonResult
+		syncResources []SyncOperationResource
+	}
+	oneSyncResource := []SyncOperationResource{{}}
+	oneResource := func(group, kind, name string, hook bool) *comparisonResult {
+		return &comparisonResult{resources: []v1alpha1.ResourceStatus{{Group: group, Kind: kind, Name: name, Hook: hook}}}
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   bool
+	}{
+		{"Empty", fields{}, false},
+		{"OneCompareResult", fields{oneResource("", "", "", false), []SyncOperationResource{}}, true},
+		{"OneSyncResource", fields{&comparisonResult{}, oneSyncResource}, true},
+		{"Equal", fields{oneResource("", "", "", false), oneSyncResource}, false},
+		{"EqualOutOfOrder", fields{&comparisonResult{resources: []v1alpha1.ResourceStatus{{Group: "a"}, {Group: "b"}}}, []SyncOperationResource{{Group: "b"}, {Group: "a"}}}, false},
+		{"KindDifferent", fields{oneResource("foo", "", "", false), oneSyncResource}, true},
+		{"GroupDifferent", fields{oneResource("", "foo", "", false), oneSyncResource}, true},
+		{"NameDifferent", fields{oneResource("", "", "foo", false), oneSyncResource}, true},
+		{"HookIgnored", fields{oneResource("", "", "", true), []SyncOperationResource{}}, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sc := &syncContext{
+				compareResult: tt.fields.compareResult,
+				syncResources: tt.fields.syncResources,
+			}
+			if got := sc.isSelectiveSync(); got != tt.want {
+				t.Errorf("syncContext.isSelectiveSync() = %v, want %v", got, tt.want)
+			}
+		})
 	}
 }
 
-func TestSortKubernetesResourcesSuccessfully(t *testing.T) {
-	unsorted := unsortedManifest()
-	ks := newKindSorter(unsorted, resourceOrder)
-	sort.Sort(ks)
-
-	expectedOrder := sortedManifest()
-	assert.Equal(t, len(unsorted), len(expectedOrder))
-	for i, sorted := range unsorted {
-		assert.Equal(t, expectedOrder[i], sorted)
+func Test_syncContext_liveObj(t *testing.T) {
+	type fields struct {
+		compareResult *comparisonResult
 	}
+	type args struct {
+		obj *unstructured.Unstructured
+	}
+	obj := test.NewPod()
+	obj.SetNamespace("my-ns")
 
+	found := test.NewPod()
+
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   *unstructured.Unstructured
+	}{
+		{"None", fields{compareResult: &comparisonResult{managedResources: []managedResource{}}}, args{obj: &unstructured.Unstructured{}}, nil},
+		{"Found", fields{compareResult: &comparisonResult{managedResources: []managedResource{{Group: obj.GroupVersionKind().Group, Kind: obj.GetKind(), Namespace: obj.GetNamespace(), Name: obj.GetName(), Live: found}}}}, args{obj: obj}, found},
+		{"EmptyNamespace", fields{compareResult: &comparisonResult{managedResources: []managedResource{{Group: obj.GroupVersionKind().Group, Kind: obj.GetKind(), Name: obj.GetName(), Live: found}}}}, args{obj: obj}, found},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sc := &syncContext{
+				compareResult: tt.fields.compareResult,
+			}
+			if got := sc.liveObj(tt.args.obj); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("syncContext.liveObj() = %v, want %v", got, tt.want)
+			}
+		})
+	}
 }
 
-func TestSortManifestHandleNil(t *testing.T) {
-	task := syncTask{
-		targetObj: &unstructured.Unstructured{
-			Object: map[string]interface{}{
-				"GroupVersion": apiv1.SchemeGroupVersion.String(),
-				"kind":         "Service",
-			},
-		},
-	}
-	manifest := []syncTask{
-		{},
-		task,
-	}
-	ks := newKindSorter(manifest, resourceOrder)
-	sort.Sort(ks)
-	assert.Equal(t, task, manifest[0])
-	assert.Nil(t, manifest[1].targetObj)
-
+func Test_syncContext_hasCRDOfGroupKind(t *testing.T) {
+	// target
+	assert.False(t, (&syncContext{compareResult: &comparisonResult{managedResources: []managedResource{{Target: test.NewCRD()}}}}).hasCRDOfGroupKind("", ""))
+	assert.True(t, (&syncContext{compareResult: &comparisonResult{managedResources: []managedResource{{Target: test.NewCRD()}}}}).hasCRDOfGroupKind("argoproj.io", "TestCrd"))
+	// hook
+	assert.False(t, (&syncContext{compareResult: &comparisonResult{hooks: []*unstructured.Unstructured{test.NewCRD()}}}).hasCRDOfGroupKind("", ""))
+	assert.True(t, (&syncContext{compareResult: &comparisonResult{hooks: []*unstructured.Unstructured{test.NewCRD()}}}).hasCRDOfGroupKind("argoproj.io", "TestCrd"))
 }

docs/CONTRIBUTING.md

@@ -0,0 +1,166 @@
+# Contributing
+## Before You Start
+
+You must install and run the ArgoCD using a local Kubernetes (e.g. Docker for Desktop or Minikube) first. This will help you understand the application, but also get your local environment set-up.
+
+Then, to get a good grounding in Go, try out [the tutorial](https://tour.golang.org/).
+
+## Pre-requisites
+
+Install:
+
+* [docker](https://docs.docker.com/install/#supported-platforms)
+* [git](https://git-scm.com/) and [git-lfs](https://git-lfs.github.com/)
+* [golang](https://golang.org/)
+* [dep](https://github.com/golang/dep)
+* [ksonnet](https://github.com/ksonnet/ksonnet#install)
+* [helm](https://github.com/helm/helm/releases)
+* [kustomize](https://github.com/kubernetes-sigs/kustomize/releases)
+* [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+* [kubectx](https://kubectx.dev)
+* [minikube](https://kubernetes.io/docs/setup/minikube/) or Docker for Desktop
+
+Brew users can quickly install the lot:
+    
+```bash
+brew install go git-lfs kubectl kubectx dep ksonnet/tap/ks kubernetes-helm kustomize kustomize
+```
+
+Check the versions:
+
+```
+go version ;# must be v1.12.x
+helm version ;# must be v2.13.x
+kustomize version ;# must be v3.10.x
+```
+
+Set up environment variables (e.g. is `~/.bashrc`):
+
+```bash
+export GOPATH=~/go
+export PATH=$PATH:$GOPATH/bin
+```
+
+Checkout the code:
+
+```bash
+go get -u github.com/argoproj/argo-cd
+cd ~/go/src/github.com/argoproj/argo-cd
+```
+
+## Building
+
+Ensure dependencies are up to date first:
+
+```shell
+dep ensure
+make dev-builder-image
+make install-lint-tools
+go get github.com/mattn/goreman
+go get github.com/jstemmer/go-junit-report
+```
+
+Common make targets:
+
+* `make codegen` - Run code generation
+* `make lint` - Lint code
+* `make test` - Run unit tests
+* `make cli` - Make the `argocd` CLI tool
+
+Check out the following [documentation](https://github.com/argoproj/argo-cd/blob/master/docs/developer-guide/test-e2e.md) for instructions on running the e2e tests.
+
+## Running Locally
+
+It is much easier to run and debug if you run ArgoCD on your local machine than in the Kubernetes cluster.
+
+You should scale the deployments to zero:
+
+```bash
+kubectl -n argocd scale deployment/argocd-application-controller --replicas 0
+kubectl -n argocd scale deployment/argocd-dex-server --replicas 0
+kubectl -n argocd scale deployment/argocd-repo-server --replicas 0
+kubectl -n argocd scale deployment/argocd-server --replicas 0
+kubectl -n argocd scale deployment/argocd-redis --replicas 0
+```
+
+Download Yarn dependencies and Compile:
+
+```bash
+~/go/src/github.com/argoproj/argo-cd/ui 
+yarn install
+yarn build
+```
+
+Then start the services:
+
+```bash
+cd ~/go/src/github.com/argoproj/argo-cd
+make start
+```
+
+You can now execute `argocd` command against your locally running ArgoCD by appending `--server localhost:8080 --plaintext --insecure`, e.g.:
+
+```bash
+argocd app create guestbook --path guestbook --repo https://github.com/argoproj/argocd-example-apps.git --dest-server https://kubernetes.default.svc  --dest-namespace default --server localhost:8080 --plaintext --insecure
+```
+
+You can open the UI: http://localhost:4000
+
+As an alternative to using the above command line parameters each time you call `argocd` CLI, you can set the following environment variables:
+
+```bash
+export ARGOCD_SERVER=127.0.0.1:8080
+export ARGOCD_OPTS="--plaintext --insecure"
+```
+
+## Running Local Containers
+
+You may need to run containers locally, so here's how:
+
+Create login to Docker Hub, then login.
+
+```bash
+docker login
+```
+
+Add your username as the environment variable, e.g. to your `~/.bash_profile`:
+
+```bash
+export IMAGE_NAMESPACE=alexcollinsintuit
+```
+
+If you don't want to use `latest` as the image's tag (the default), you can set it from the environment too:
+
+```bash
+export IMAGE_TAG=yourtag
+```
+
+Build the image:
+
+```bash
+DOCKER_PUSH=true make image
+```
+
+Update the manifests (be sure to do that from a shell that has above environment variables set)
+
+```bash
+make manifests
+```
+
+Install the manifests:
+
+```bash
+kubectl -n argocd apply --force -f manifests/install.yaml
+```
+
+Scale your deployments up:
+
+```bash
+kubectl -n argocd scale deployment/argocd-application-controller --replicas 1
+kubectl -n argocd scale deployment/argocd-dex-server --replicas 1
+kubectl -n argocd scale deployment/argocd-repo-server --replicas 1
+kubectl -n argocd scale deployment/argocd-server --replicas 1
+kubectl -n argocd scale deployment/argocd-redis --replicas 1
+```
+
+Now you can set-up the port-forwarding and open the UI or CLI.

docs/README.md

@@ -1,22 +0,0 @@
-# ArgoCD Documentation
-
-## [Getting Started](getting_started.md)
-
-## Concepts
-* [Architecture](architecture.md)
-* [Tracking Strategies](tracking_strategies.md)
-
-## Features
-* [Application Sources](application_sources.md)
-* [Application Parameters](parameters.md)
-* [Projects](projects.md)
-* [Automated Sync](auto_sync.md)
-* [Resource Health](health.md)
-* [Resource Hooks](resource_hooks.md)
-* [Single Sign On](sso.md)
-* [Webhooks](webhook.md)
-* [RBAC](rbac.md)
-
-## Other
-* [Configuring Ingress](ingress.md)
-* [F.A.Q.](faq.md)

docs/SUPPORT.md

@@ -0,0 +1,6 @@
+# Support
+
+1. Make sure you've read [understanding the basics](understand_the_basics.md) the [getting started guide](getting_started.md).
+2. Looked for an answer [the frequently asked questions](faq.md).
+3. Ask a question in [the Argo CD Slack channel ⧉](https://argoproj.github.io/community/join-slack).
+4. [Read issues, report a bug, or request a feature ⧉](https://github.com/argoproj/argo-cd/issues)

docs/application_sources.md

@@ -1,103 +0,0 @@
-# Application Source Types
-
-ArgoCD supports several different ways in which kubernetes manifests can be defined:
-
-* [ksonnet](https://ksonnet.io) applications
-* [kustomize](https://kustomize.io) applications
-* [helm](https://helm.sh) charts
-* Directory of YAML/json/jsonnet manifests
-
-Some additional considerations should be made when deploying apps of a particular type:
-
-## Ksonnet
-
-### Environments
-Ksonnet has a first class concept of an "environment." To create an application from a ksonnet
-app directory, an environment must be specified. For example, the following command creates the
-"guestbook-default" app, which points to the `default` environment:
-
-```
-argocd app create guestbook-default --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --env default
-```
-
-### Parameters
-Ksonnet parameters all belong to a component. For example, the following are the parameters
-available in the guestbook app, all of which belong to the `guestbook-ui` component:
-
-```
-$ ks param list
-COMPONENT    PARAM         VALUE
-=========    =====         =====
-guestbook-ui containerPort 80
-guestbook-ui image         "gcr.io/heptio-images/ks-guestbook-demo:0.1"
-guestbook-ui name          "guestbook-ui"
-guestbook-ui replicas      1
-guestbook-ui servicePort   80
-guestbook-ui type          "LoadBalancer"
-```
-
-When overriding ksonnet parameters in ArgoCD, the component name should also be specified in the
-`argocd app set` command, in the form of `-p COMPONENT=PARAM=VALUE`. For example:
-```
-argocd app set guestbook-default -p guestbook-ui=image=gcr.io/heptio-images/ks-guestbook-demo:0.1
-```
-
-## Helm
-
-### Values Files
-
-Helm has the ability to use a different, or even multiple "values.yaml" files to derive its
-parameters from. Alternate or multiple values file(s), can be specified using the `--values`
-flag. The flag can be repeated to support multiple values files:
-
-```
-argocd app set helm-guestbook --values values-production.yaml
-```
-
-### Helm Parameters
-
-Helm has the ability to set parameter values, which override any values in
-a `values.yaml`. For example, `service.type` is a common parameter which is exposed in a Helm chart:
-```
-helm template . --set service.type=LoadBalancer
-```
-Similarly ArgoCD can override values in the `values.yaml` parameters using `argo app set` command,
-in the form of `-p PARAM=VALUE`. For example:
-```
-argocd app set helm-guestbook -p service.type=LoadBalancer
-```
-
-### Helm Hooks
-
-Helm hooks are equivalent in concept to [ArgoCD resource hooks](resource_hooks.md). In helm, a hook
-is any normal kubernetes resource annotated with the `helm.sh/hook` annotation. When ArgoCD deploys
-helm application which contains helm hooks, all helm hook resources are currently ignored during
-the `kubectl apply` of the manifests. There is an 
-[open issue](https://github.com/argoproj/argo-cd/issues/355) to map Helm hooks to ArgoCD's concept
-of Pre/Post/Sync hooks.
- 
-### Random Data
-
-Helm templating has the ability to generate random data during chart rendering via the 
-`randAlphaNum` function. Many helm charts from the [charts repository](https://github.com/helm/charts)
-make use of this feature. For example, the following is the secret for the
-[redis helm chart](https://github.com/helm/charts/blob/master/stable/redis/templates/secrets.yaml):
-
-```
-data:
-  {{- if .Values.password }}
-  redis-password: {{ .Values.password | b64enc | quote }}
-  {{- else }}
-  redis-password: {{ randAlphaNum 10 | b64enc | quote }}
-  {{- end }}
-```
-
-The ArgoCD application controller periodically compares git state against the live state, running
-the `helm template <CHART>` command to generate the helm manifests. Because the random value is
-regenerated every time the comparison is made, any application which makes use of the `randAlphaNum`
-function will always be in an `OutOfSync` state. This can be mitigated by explicitly setting a
-value, in the values.yaml such that the value is stable between each comparison. For example:
-
-```
-argocd app set redis -p password=abc123
-```

docs/architecture.md

@@ -1,78 +0,0 @@
-
-# Argo CD - Architectural Overview
-
-![Argo CD Architecture](argocd_architecture.png)
-
-## Components
-
-### API Server
-The API server is a gRPC/REST server which exposes the API consumed by the Web UI, CLI, and CI/CD 
-systems. It has the following responsibilities:
-* application management and status reporting
-* invoking of application operations (e.g. sync, rollback, user-defined actions)
-* repository and cluster credential management (stored as K8s secrets)
-* authentication and auth delegation to external identity providers
-* RBAC enforcement
-* listener/forwarder for git webhook events
-
-### Repository Server
-The repository server is an internal service which maintains a local cache of the git repository
-holding the application manifests. It is responsible for generating and returning the Kubernetes
-manifests when provided the following inputs:
-* repository URL
-* git revision (commit, tag, branch)
-* application path
-* template specific settings: parameters, ksonnet environments, helm values.yaml
-
-### Application Controller
-The application controller is a Kubernetes controller which continuously monitors running
-applications and compares the current, live state against the desired target state (as specified in
-the git repo). It detects `OutOfSync` application state and optionally takes corrective action. It
-is responsible for invoking any user-defined hooks for lifcecycle events (PreSync, Sync, PostSync)
-
-### Application CRD (Custom Resource Definition)
-The Application CRD is the Kubernetes resource object representing a deployed application instance
-in an environment. It is defined by two key pieces of information:
-* `source` reference to the desired state in git (repository, revision, path, environment)
-* `destination` reference to the target cluster and namespace.
-
-An example spec is as follows:
-
-```
-spec:
-  project: default
-  source:
-    repoURL: https://github.com/argoproj/argocd-example-apps.git
-    targetRevision: HEAD
-    path: guestbook
-    environment: default
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: default
-```
-
-### AppProject CRD (Custom Resource Definition)
-The AppProject CRD is the Kubernetes resource object representing a grouping of applications. It is defined by three key pieces of information:
-* `sourceRepos` reference to the reposities that applications within the project can pull manifests from.
-* `destinations` reference to clusters and namespaces that applications within the project can deploy into.
-* `roles` list of entities with defintions of their access to resources within the project.
-
-An example spec is as follows:
-
-```
-spec:
-  description: Description of the project
-  destinations:
-  - namespace: default
-    server: https://kubernetes.default.svc
-  roles:
-  - description: Description of the role
-    jwtTokens:
-    - iat: 1535390316
-    name: role-name
-    policies:
-    - p, proj:proj-name:role-name, applications, get, proj-name/*, allow
-    - p, proj:proj-name:role-name, applications, sync, proj-name/*, deny
-  sourceRepos:
-  - https://github.com/argoproj/argocd-example-apps.git
-```