Update install manifests to v0.6.2

Bump verison to v0.6.1

CONTRIBUTING.md

@@ -1,10 +1,14 @@
 ## Requirements
-Make sure you have following tools installed [golang](https://golang.org/), [dep](https://github.com/golang/dep), [protobuf](https://developers.google.com/protocol-buffers/),
+Make sure you have following tools installed [docker](https://docs.docker.com/install/#supported-platforms), [golang](https://golang.org/), [dep](https://github.com/golang/dep), [protobuf](https://developers.google.com/protocol-buffers/), [ksonnet](https://github.com/ksonnet/ksonnet#install), [go-swagger](https://github.com/go-swagger/go-swagger/blob/master/docs/install.md), and [jq](https://stedolan.github.io/jq/)
 [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/).
 
 ```
-$ brew install go dep protobuf kubectl
+$ brew tap go-swagger/go-swagger
+$ brew install go dep protobuf kubectl ksonnet/tap/ks jq go-swagger
 $ go get -u github.com/golang/protobuf/protoc-gen-go
+$ go get -u github.com/go-swagger/go-swagger/cmd/swagger
+$ go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
+$ go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger
 ```
 
 Nice to have [gometalinter](https://github.com/alecthomas/gometalinter) and [goreman](https://github.com/mattn/goreman):
@@ -20,6 +24,11 @@ $ go get -u github.com/argoproj/argo-cd
 $ dep ensure
 $ make
 ```
+NOTE: The make command can take a while, and we recommend building the specific component you are working on
+* `make cli` - Make the argocd CLI tool
+* `make server` - Make the API/repo/controller server
+* `make codegen` - Builds protobuf and swagger files
+* `make argocd-util` - Make the administrator's utility, used for certain tasks such as import/export
 
 ## Running locally
 
@@ -38,3 +47,10 @@ $ kubectl create -f install/manifests/01_application-crd.yaml
 ```
 $ goreman start
 ```
+
+## Troubleshooting
+* Ensure argocd is installed: ./dist/argocd install
+* Ensure you're logged in: ./dist/argocd login --username admin --password <whatever password you set at install> localhost:8080
+* Ensure that roles are configured: kubectl create -f install/manifests/02c_argocd-rbac-cm.yaml
+* Ensure minikube is running: minikube stop && minikube start
+* Ensure Argo CD is aware of minikube: ./dist/argocd cluster add minikube

COPYRIGHT

@@ -1,13 +0,0 @@
-Copyright 2017-2018 The Argo Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License..

Dockerfile-argocd

@@ -1,4 +1,4 @@
-FROM debian:9.3 as builder
+FROM debian:9.4 as builder
 
 RUN apt-get update && apt-get install -y \
     git \
@@ -10,7 +10,7 @@ RUN apt-get update && apt-get install -y \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Install go
-ENV GO_VERSION 1.9.3
+ENV GO_VERSION 1.10.3
 ENV GO_ARCH amd64
 ENV GOPATH /root/go
 ENV PATH ${GOPATH}/bin:/usr/local/go/bin:${PATH}
@@ -25,7 +25,7 @@ RUN cd /usr/local && \
     unzip protoc-*.zip && \
     wget https://github.com/golang/dep/releases/download/v0.4.1/dep-linux-amd64 -O /usr/local/bin/dep && \
     chmod +x /usr/local/bin/dep && \
-    wget https://github.com/gobuffalo/packr/releases/download/v1.10.4/packr_1.10.4_linux_amd64.tar.gz && \
+    wget https://github.com/gobuffalo/packr/releases/download/v1.11.0/packr_1.11.0_linux_amd64.tar.gz && \
     tar -vxf packr*.tar.gz -C /tmp/ && \
     mv /tmp/packr /usr/local/bin/packr 
 
@@ -58,7 +58,7 @@ FROM golang:1.10 as cli-tooling
 #RUN go get -v -u github.com/ksonnet/ksonnet && mv ${GOPATH}/bin/ksonnet /ks
 
 # Option 2: use official tagged ksonnet release
-env KSONNET_VERSION=0.10.2
+env KSONNET_VERSION=0.11.0
 RUN wget https://github.com/ksonnet/ksonnet/releases/download/v${KSONNET_VERSION}/ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
     tar -C /tmp/ -xf ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
     mv /tmp/ks_${KSONNET_VERSION}_linux_amd64/ks /ks

Dockerfile-ci-builder

@@ -1,4 +1,4 @@
-FROM golang:1.9.2
+FROM golang:1.10.3
 
 WORKDIR /tmp
 
@@ -15,7 +15,7 @@ RUN curl -o /kubectl -LO https://storage.googleapis.com/kubernetes-release/relea
     chmod +x /kubectl && mv /kubectl /usr/local/bin/kubectl
 
 # Install ksonnet
-env KSONNET_VERSION=0.10.2
+env KSONNET_VERSION=0.11.0
 RUN wget https://github.com/ksonnet/ksonnet/releases/download/v${KSONNET_VERSION}/ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
     tar -C /tmp/ -xf ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
     mv /tmp/ks_${KSONNET_VERSION}_linux_amd64/ks /usr/local/bin/ks && \

Gopkg.lock

@@ -15,6 +15,12 @@
   ]
   revision = "c02ca9a983da5807ddf7d796784928f5be4afd09"
 
+[[projects]]
+  name = "github.com/Knetic/govaluate"
+  packages = ["."]
+  revision = "d216395917cc49052c7c7094cf57f09657ca08a8"
+  version = "v3.0.0"
+
 [[projects]]
   name = "github.com/PuerkitoBio/purell"
   packages = ["."]
@@ -26,12 +32,43 @@
   packages = ["."]
   revision = "de5bf2ad457846296e2031421a34e2568e304e35"
 
+[[projects]]
+  name = "github.com/argoproj/argo"
+  packages = [
+    "pkg/apis/workflow",
+    "pkg/apis/workflow/v1alpha1"
+  ]
+  revision = "ac241c95c13f08e868cd6f5ee32c9ce273e239ff"
+  version = "v2.1.1"
+
+[[projects]]
+  name = "github.com/asaskevich/govalidator"
+  packages = ["."]
+  revision = "ccb8e960c48f04d6935e72476ae4a51028f9e22f"
+  version = "v9"
+
 [[projects]]
   name = "github.com/blang/semver"
   packages = ["."]
   revision = "2ee87856327ba09384cabd113bc6b5d174e9ec0f"
   version = "v3.5.1"
 
+[[projects]]
+  name = "github.com/casbin/casbin"
+  packages = [
+    ".",
+    "config",
+    "effect",
+    "model",
+    "persist",
+    "persist/file-adapter",
+    "rbac",
+    "rbac/default-role-manager",
+    "util"
+  ]
+  revision = "d71629e497929858300c38cd442098c178121c30"
+  version = "v1.5.0"
+
 [[projects]]
   name = "github.com/coreos/dex"
   packages = ["api"]
@@ -68,14 +105,25 @@
     ".",
     "log"
   ]
-  revision = "26b41036311f2da8242db402557a0dbd09dc83da"
-  version = "v2.6.0"
+  revision = "3658237ded108b4134956c1b3050349d93e7b895"
+  version = "v2.7.1"
 
 [[projects]]
   name = "github.com/ghodss/yaml"
   packages = ["."]
   revision = "0ca9ea5df5451ffdf184b4428c902747c2c11cd7"
-  version = "v1.0.0"
+
+[[projects]]
+  branch = "master"
+  name = "github.com/go-openapi/analysis"
+  packages = ["."]
+  revision = "5957818e100395077187fb7ef3b8a28227af06c6"
+
+[[projects]]
+  branch = "master"
+  name = "github.com/go-openapi/errors"
+  packages = ["."]
+  revision = "b2b2befaf267d082d779bcef52d682a47c779517"
 
 [[projects]]
   branch = "master"
@@ -89,18 +137,50 @@
   packages = ["."]
   revision = "36d33bfe519efae5632669801b180bf1a245da3b"
 
+[[projects]]
+  branch = "master"
+  name = "github.com/go-openapi/loads"
+  packages = ["."]
+  revision = "2a2b323bab96e6b1fdee110e57d959322446e9c9"
+
+[[projects]]
+  branch = "master"
+  name = "github.com/go-openapi/runtime"
+  packages = [
+    ".",
+    "logger",
+    "middleware",
+    "middleware/denco",
+    "middleware/header",
+    "middleware/untyped",
+    "security"
+  ]
+  revision = "cd9d8ed52e4b4665463cbc655500e4faa09c3c16"
+
 [[projects]]
   branch = "master"
   name = "github.com/go-openapi/spec"
   packages = ["."]
   revision = "1de3e0542de65ad8d75452a595886fdd0befb363"
 
+[[projects]]
+  branch = "master"
+  name = "github.com/go-openapi/strfmt"
+  packages = ["."]
+  revision = "481808443b00a14745fada967cb5eeff0f9b1df2"
+
 [[projects]]
   branch = "master"
   name = "github.com/go-openapi/swag"
   packages = ["."]
   revision = "84f4bee7c0a6db40e3166044c7983c1c32125429"
 
+[[projects]]
+  branch = "master"
+  name = "github.com/go-openapi/validate"
+  packages = ["."]
+  revision = "b0a3ed684d0fdd3e1eda00433382188ce8aa7169"
+
 [[projects]]
   name = "github.com/go-redis/cache"
   packages = [
@@ -129,8 +209,8 @@
 [[projects]]
   name = "github.com/gobuffalo/packr"
   packages = ["."]
-  revision = "6434a292ac52e6964adebfdce3f9ce6d9f16be01"
-  version = "v1.10.4"
+  revision = "7f4074995d431987caaa35088199f13c44b24440"
+  version = "v1.11.0"
 
 [[projects]]
   name = "github.com/gogo/protobuf"
@@ -178,7 +258,11 @@
   packages = [
     "jsonpb",
     "proto",
+    "protoc-gen-go",
     "protoc-gen-go/descriptor",
+    "protoc-gen-go/generator",
+    "protoc-gen-go/grpc",
+    "protoc-gen-go/plugin",
     "ptypes",
     "ptypes/any",
     "ptypes/duration",
@@ -188,12 +272,6 @@
   ]
   revision = "e09c5db296004fbe3f74490e84dcd62c3c5ddb1b"
 
-[[projects]]
-  branch = "master"
-  name = "github.com/google/btree"
-  packages = ["."]
-  revision = "e89373fe6b4a7413d7acd6da1725b83ef713e6e4"
-
 [[projects]]
   name = "github.com/google/go-jsonnet"
   packages = [
@@ -219,15 +297,6 @@
   revision = "ee43cbb60db7bd22502942cccbc39059117352ab"
   version = "v0.1.0"
 
-[[projects]]
-  branch = "master"
-  name = "github.com/gregjones/httpcache"
-  packages = [
-    ".",
-    "diskcache"
-  ]
-  revision = "2bcd89a1743fd4b373f7370ce8ddc14dfbd18229"
-
 [[projects]]
   branch = "master"
   name = "github.com/grpc-ecosystem/go-grpc-middleware"
@@ -246,6 +315,14 @@
 [[projects]]
   name = "github.com/grpc-ecosystem/grpc-gateway"
   packages = [
+    "protoc-gen-grpc-gateway",
+    "protoc-gen-grpc-gateway/descriptor",
+    "protoc-gen-grpc-gateway/generator",
+    "protoc-gen-grpc-gateway/gengateway",
+    "protoc-gen-grpc-gateway/httprule",
+    "protoc-gen-swagger",
+    "protoc-gen-swagger/genswagger",
+    "protoc-gen-swagger/options",
     "runtime",
     "runtime/internal",
     "utilities"
@@ -286,12 +363,6 @@
   revision = "e7c7f3b33712573affdcc7a107218e7926b9a05b"
   version = "1.0.6"
 
-[[projects]]
-  name = "github.com/juju/ratelimit"
-  packages = ["."]
-  revision = "59fac5042749a5afb9af70e813da1dd5474f0167"
-  version = "1.0.1"
-
 [[projects]]
   branch = "master"
   name = "github.com/kardianos/osext"
@@ -306,6 +377,7 @@
     "pkg/component",
     "pkg/docparser",
     "pkg/lib",
+    "pkg/log",
     "pkg/node",
     "pkg/params",
     "pkg/prototype",
@@ -314,8 +386,8 @@
     "pkg/util/kslib",
     "pkg/util/strings"
   ]
-  revision = "8c44a5b1545d3d03135f610170ef0167129294bc"
-  version = "v0.10.1"
+  revision = "e943ae55d4fe256c8330a047ce8426ad9dac110c"
+  version = "v0.11.0"
 
 [[projects]]
   name = "github.com/ksonnet/ksonnet-lib"
@@ -328,8 +400,8 @@
     "ksonnet-gen/nodemaker",
     "ksonnet-gen/printer"
   ]
-  revision = "d15220fdcdd07fd377894abff6276d86cb2d776d"
-  version = "v0.1.3"
+  revision = "dfcaa3d01d0c4948cb596403c35e966c774f2678"
+  version = "v0.1.8"
 
 [[projects]]
   branch = "master"
@@ -341,24 +413,18 @@
   ]
   revision = "32fa128f234d041f196a9f3e0fea5ac9772c08e1"
 
+[[projects]]
+  branch = "master"
+  name = "github.com/mitchellh/mapstructure"
+  packages = ["."]
+  revision = "bb74f1db0675b241733089d5a1faa5dd8b0ef57b"
+
 [[projects]]
   name = "github.com/patrickmn/go-cache"
   packages = ["."]
   revision = "a3647f8e31d79543b2d0f0ae2fe5c379d72cedc0"
   version = "v2.1.0"
 
-[[projects]]
-  branch = "master"
-  name = "github.com/petar/GoLLRB"
-  packages = ["llrb"]
-  revision = "53be0d36a84c2a886ca057d34b6aa4468df9ccb4"
-
-[[projects]]
-  name = "github.com/peterbourgon/diskv"
-  packages = ["."]
-  revision = "5f041e8faa004a95c88a202771f4cc3e991971e6"
-  version = "v2.0.1"
-
 [[projects]]
   name = "github.com/pkg/errors"
   packages = ["."]
@@ -380,6 +446,12 @@
   ]
   revision = "525d0eb5f91d30e3b1548de401b7ef9ea6898520"
 
+[[projects]]
+  branch = "master"
+  name = "github.com/qiangmzsx/string-adapter"
+  packages = ["."]
+  revision = "38f25303bb0cd40e674a6fac01e0171ab905f5a1"
+
 [[projects]]
   name = "github.com/sergi/go-diff"
   packages = ["diffmatchpatch"]
@@ -389,8 +461,7 @@
 [[projects]]
   name = "github.com/sirupsen/logrus"
   packages = ["."]
-  revision = "c155da19408a8799da419ed3eeb0cb5db0ad5dbc"
-  version = "v1.0.5"
+  revision = "ea8897e79973357ba785ac2533559a6297e83c44"
 
 [[projects]]
   branch = "master"
@@ -538,6 +609,12 @@
   ]
   revision = "4e4a3210bb54bb31f6ab2cdca2edcc0b50c420c1"
 
+[[projects]]
+  branch = "master"
+  name = "golang.org/x/time"
+  packages = ["rate"]
+  revision = "fbb02b2291d28baffd63558aa44b4b56f178d650"
+
 [[projects]]
   branch = "master"
   name = "golang.org/x/tools"
@@ -623,6 +700,15 @@
   revision = "3887ee99ecf07df5b447e9b00d9c0b2adaa9f3e4"
   version = "v0.9.0"
 
+[[projects]]
+  branch = "v2"
+  name = "gopkg.in/mgo.v2"
+  packages = [
+    "bson",
+    "internal/json"
+  ]
+  revision = "3f83fa5005286a7fe593b055f0d7771a7dce4655"
+
 [[projects]]
   name = "gopkg.in/square/go-jose.v2"
   packages = [
@@ -639,7 +725,7 @@
   revision = "eb3733d160e74a9c7e442f435eb3bea458e1d19f"
 
 [[projects]]
-  branch = "release-1.9"
+  branch = "release-1.10"
   name = "k8s.io/api"
   packages = [
     "admission/v1beta1",
@@ -673,10 +759,10 @@
     "storage/v1alpha1",
     "storage/v1beta1"
   ]
-  revision = "acf347b865f29325eb61f4cd2df11e86e073a5ee"
+  revision = "8b7507fac302640dd5f1efbf9643199952cc58db"
 
 [[projects]]
-  branch = "release-1.9"
+  branch = "release-1.10"
   name = "k8s.io/apiextensions-apiserver"
   packages = [
     "pkg/apis/apiextensions",
@@ -685,10 +771,10 @@
     "pkg/client/clientset/clientset/scheme",
     "pkg/client/clientset/clientset/typed/apiextensions/v1beta1"
   ]
-  revision = "b89f5ce12ce6e022fc3e9d7586d61346e694d56e"
+  revision = "b13a681559816a9c14f93086bbeeed1c7baf2bcb"
 
 [[projects]]
-  branch = "release-1.9"
+  branch = "release-1.10"
   name = "k8s.io/apimachinery"
   packages = [
     "pkg/api/equality",
@@ -701,7 +787,7 @@
     "pkg/apis/meta/internalversion",
     "pkg/apis/meta/v1",
     "pkg/apis/meta/v1/unstructured",
-    "pkg/apis/meta/v1alpha1",
+    "pkg/apis/meta/v1beta1",
     "pkg/conversion",
     "pkg/conversion/queryparams",
     "pkg/fields",
@@ -737,16 +823,56 @@
     "third_party/forked/golang/json",
     "third_party/forked/golang/reflect"
   ]
-  revision = "19e3f5aa3adca672c153d324e6b7d82ff8935f03"
+  revision = "f6313580a4d36c7c74a3d845dda6e116642c4f90"
 
 [[projects]]
-  branch = "release-6.0"
+  branch = "release-7.0"
   name = "k8s.io/client-go"
   packages = [
     "discovery",
     "discovery/fake",
     "dynamic",
     "dynamic/fake",
+    "informers",
+    "informers/admissionregistration",
+    "informers/admissionregistration/v1alpha1",
+    "informers/admissionregistration/v1beta1",
+    "informers/apps",
+    "informers/apps/v1",
+    "informers/apps/v1beta1",
+    "informers/apps/v1beta2",
+    "informers/autoscaling",
+    "informers/autoscaling/v1",
+    "informers/autoscaling/v2beta1",
+    "informers/batch",
+    "informers/batch/v1",
+    "informers/batch/v1beta1",
+    "informers/batch/v2alpha1",
+    "informers/certificates",
+    "informers/certificates/v1beta1",
+    "informers/core",
+    "informers/core/v1",
+    "informers/events",
+    "informers/events/v1beta1",
+    "informers/extensions",
+    "informers/extensions/v1beta1",
+    "informers/internalinterfaces",
+    "informers/networking",
+    "informers/networking/v1",
+    "informers/policy",
+    "informers/policy/v1beta1",
+    "informers/rbac",
+    "informers/rbac/v1",
+    "informers/rbac/v1alpha1",
+    "informers/rbac/v1beta1",
+    "informers/scheduling",
+    "informers/scheduling/v1alpha1",
+    "informers/settings",
+    "informers/settings/v1alpha1",
+    "informers/storage",
+    "informers/storage/v1",
+    "informers/storage/v1alpha1",
+    "informers/storage/v1beta1",
     "kubernetes",
     "kubernetes/fake",
     "kubernetes/scheme",
@@ -806,7 +932,34 @@
     "kubernetes/typed/storage/v1alpha1/fake",
     "kubernetes/typed/storage/v1beta1",
     "kubernetes/typed/storage/v1beta1/fake",
+    "listers/admissionregistration/v1alpha1",
+    "listers/admissionregistration/v1beta1",
+    "listers/apps/v1",
+    "listers/apps/v1beta1",
+    "listers/apps/v1beta2",
+    "listers/autoscaling/v1",
+    "listers/autoscaling/v2beta1",
+    "listers/batch/v1",
+    "listers/batch/v1beta1",
+    "listers/batch/v2alpha1",
+    "listers/certificates/v1beta1",
+    "listers/core/v1",
+    "listers/events/v1beta1",
+    "listers/extensions/v1beta1",
+    "listers/networking/v1",
+    "listers/policy/v1beta1",
+    "listers/rbac/v1",
+    "listers/rbac/v1alpha1",
+    "listers/rbac/v1beta1",
+    "listers/scheduling/v1alpha1",
+    "listers/settings/v1alpha1",
+    "listers/storage/v1",
+    "listers/storage/v1alpha1",
+    "listers/storage/v1beta1",
+    "pkg/apis/clientauthentication",
+    "pkg/apis/clientauthentication/v1alpha1",
     "pkg/version",
+    "plugin/pkg/client/auth/exec",
     "plugin/pkg/client/auth/gcp",
     "plugin/pkg/client/auth/oidc",
     "rest",
@@ -829,19 +982,21 @@
     "util/homedir",
     "util/integer",
     "util/jsonpath",
+    "util/retry",
     "util/workqueue"
   ]
-  revision = "9389c055a838d4f208b699b3c7c51b70f2368861"
+  revision = "26a26f55b28aa1b338fbaf6fbbe0bcd76aed05e0"
 
 [[projects]]
-  branch = "release-1.9"
+  branch = "release-1.10"
   name = "k8s.io/code-generator"
   packages = [
     "cmd/go-to-protobuf",
     "cmd/go-to-protobuf/protobuf",
+    "pkg/util",
     "third_party/forked/golang/reflect"
   ]
-  revision = "91d3f6a57905178524105a085085901bb73bd3dc"
+  revision = "9de8e796a74d16d2a285165727d04c185ebca6dc"
 
 [[projects]]
   branch = "master"
@@ -867,7 +1022,12 @@
 [[projects]]
   name = "k8s.io/kubernetes"
   packages = [
+    "pkg/apis/apps",
+    "pkg/apis/autoscaling",
+    "pkg/apis/batch",
     "pkg/apis/core",
+    "pkg/apis/extensions",
+    "pkg/apis/networking",
     "pkg/kubectl/scheme"
   ]
   revision = "81753b10df112992bf51bbc2c2f85208aad78335"
@@ -876,6 +1036,6 @@
 [solve-meta]
   analyzer-name = "dep"
   analyzer-version = 1
-  inputs-digest = "736e8116bcf49bf0889c2caf8e832a78a43fd5af65c5d10c86a443993de63d3c"
+  inputs-digest = "2eaad7537e4d4bc23be336a9e96c3e589cefccf6913125a37bf9b069bf02b5e9"
   solver-name = "gps-cdcl"
   solver-version = 1

Gopkg.toml

@@ -3,6 +3,9 @@ required = [
   "github.com/gogo/protobuf/protoc-gen-gogofast",
   "golang.org/x/sync/errgroup",
   "k8s.io/code-generator/cmd/go-to-protobuf",
+  "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway",
+  "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger",
+  "github.com/golang/protobuf/protoc-gen-go",
 ]
 
 [[constraint]]
@@ -13,25 +16,25 @@ required = [
   name = "github.com/grpc-ecosystem/grpc-gateway"
   version = "v1.3.1"
 
-# override ksonnet's release-1.8 dependency
+# override argo outdated dependency
 [[override]]
-  branch = "release-1.9"
+  branch = "release-1.10"
+  name = "k8s.io/api"
+
+[[override]]
+  branch = "release-1.10"
   name = "k8s.io/apimachinery"
 
-[[constraint]]
-  branch = "release-1.9"
-  name = "k8s.io/api"
-
 [[constraint]]
   name = "k8s.io/apiextensions-apiserver"
-  branch = "release-1.9"
+  branch = "release-1.10"
 
 [[constraint]]
-  branch = "release-1.9"
+  branch = "release-1.10"
   name = "k8s.io/code-generator"
 
-[[constraint]]
-  branch = "release-6.0"
+[[override]]
+  branch = "release-7.0"
   name = "k8s.io/client-go"
 
 [[constraint]]
@@ -40,9 +43,13 @@ required = [
 
 [[constraint]]
   name = "github.com/ksonnet/ksonnet"
-  version = "v0.10.1"
+  version = "v0.11.0"
+
+[[constraint]]
+  name = "github.com/gobuffalo/packr"
+  version = "v1.11.0"
 
 # override ksonnet's logrus dependency
 [[override]]
   name = "github.com/sirupsen/logrus"
-  version = "v1.0.3"
+  revision = "ea8897e79973357ba785ac2533559a6297e83c44"

LICENSE

@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2017-2018 The Argo Authors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

Makefile

@@ -57,31 +57,37 @@ codegen: protogen clientgen
 # NOTE: we use packr to do the build instead of go, since we embed .yaml files into the go binary.
 # This enables ease of maintenance of the yaml files.
 .PHONY: cli
-cli:
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS} -extldflags "-static"' -o ${DIST_DIR}/${CLI_NAME} ./cmd/argocd
+cli: clean-debug
+	${PACKR_CMD} build -v -i -ldflags '${LDFLAGS} -extldflags "-static"' -o ${DIST_DIR}/${CLI_NAME} ./cmd/argocd
 
 .PHONY: cli-linux
-cli-linux:
+cli-linux: clean-debug
 	docker build --iidfile /tmp/argocd-linux-id --target builder --build-arg MAKE_TARGET="cli IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-linux-amd64" -f Dockerfile-argocd .
 	docker create --name tmp-argocd-linux `cat /tmp/argocd-linux-id`
 	docker cp tmp-argocd-linux:/root/go/src/github.com/argoproj/argo-cd/dist/argocd-linux-amd64 dist/
 	docker rm tmp-argocd-linux
 
 .PHONY: cli-darwin
-cli-darwin:
+cli-darwin: clean-debug
 	docker build --iidfile /tmp/argocd-darwin-id --target builder --build-arg MAKE_TARGET="cli GOOS=darwin IMAGE_TAG=$(IMAGE_TAG) IMAGE_NAMESPACE=$(IMAGE_NAMESPACE) CLI_NAME=argocd-darwin-amd64" -f Dockerfile-argocd .
 	docker create --name tmp-argocd-darwin `cat /tmp/argocd-darwin-id`
 	docker cp tmp-argocd-darwin:/root/go/src/github.com/argoproj/argo-cd/dist/argocd-darwin-amd64 dist/
 	docker rm tmp-argocd-darwin
 
 .PHONY: argocd-util
-argocd-util:
+argocd-util: clean-debug
 	CGO_ENABLED=0 go build -v -i -ldflags '${LDFLAGS} -extldflags "-static"' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
 
-.PHONY: server
-server:
-	CGO_ENABLED=0 go build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd/argocd-server
+.PHONY: install-manifest
+install-manifest:
+	if [ "${IMAGE_NAMESPACE}" = "" ] ; then echo "IMAGE_NAMESPACE must be set to build install manifest" ; exit 1 ; fi
+	echo "# This is an auto-generated file. DO NOT EDIT" > manifests/install.yaml
+	cat manifests/components/*.yaml | sed 's@\( image: argoproj/\(.*\):latest\)@ image: '"${IMAGE_NAMESPACE}"'/\2:'"${IMAGE_TAG}"'@g' >> manifests/install.yaml
 
+.PHONY: server
+server: clean-debug
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd/argocd-server
+	
 .PHONY: server-image
 server-image:
 	docker build --build-arg BINARY=argocd-server -t $(IMAGE_PREFIX)argocd-server:$(IMAGE_TAG) -f Dockerfile-argocd .
@@ -126,15 +132,20 @@ test:
 test-e2e:
 	go test ./test/e2e
 
+# Cleans VSCode debug.test files from sub-dirs to prevent them from being included in packr boxes
+.PHONY: clean-debug
+clean-debug:
+	-find ${CURRENT_DIR} -name debug.test | xargs rm -f
+
 .PHONY: clean
-clean:
+clean: clean-debug
 	-rm -rf ${CURRENT_DIR}/dist
 
 .PHONY: precheckin
 precheckin: test lint
 
 .PHONY: release-precheck
-release-precheck:
+release-precheck: install-manifest
 	@if [ "$(GIT_TREE_STATE)" != "clean" ]; then echo 'git tree state is $(GIT_TREE_STATE)' ; exit 1; fi
 	@if [ -z "$(GIT_TAG)" ]; then echo 'commit must be tagged to perform release' ; exit 1; fi
 

Procfile

@@ -1,5 +1,4 @@
-controller: go run ./cmd/argocd-application-controller/main.go --app-resync 10
+controller: go run ./cmd/argocd-application-controller/main.go
 api-server: go run ./cmd/argocd-server/main.go --insecure --disable-auth
 repo-server: go run ./cmd/argocd-repo-server/main.go --loglevel debug
 dex: sh -c "go run ./cmd/argocd-util/main.go gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p 5556:5556 -p 5557:5557 -v `pwd`/dist/dex.yaml:/dex.yaml quay.io/coreos/dex:v2.10.0 serve /dex.yaml"
-redis: docker run --rm -p 6379:6379 redis:3.2.11

README.md

@@ -1,9 +1,11 @@
 
-# Argo CD - GitOps Continuous Delivery for Kubernetes
+# Argo CD - Declarative Continuous Delivery for Kubernetes
 
 ## What is Argo CD?
 
-Argo CD is a declarative, continuous delivery service based on ksonnet for Kubernetes.
+Argo CD is a declarative, continuous delivery service based on **ksonnet** for Kubernetes.
+
+![Argo CD UI](docs/argocd-ui.gif)
 
 ## Why Argo CD?
 
@@ -12,13 +14,14 @@ Application deployment and lifecycle management should be automated, auditable,
 
 ## Getting Started
 
-Follow our [getting started guide](docs/getting_started.md).
+Follow our [getting started guide](docs/getting_started.md). Further [documentation](docs/)
+is provided for additional features.
 
 ## How it works
 
-Argo CD uses git repositories as the source of truth for defining the desired application state as
-well as the target deployment environments. Kubernetes manifests are specified as
-[ksonnet](https://ksonnet.io) applications. Argo CD automates the deployment of the desired
+Argo CD follows the **GitOps** pattern of using git repositories as the source of truth for defining the
+desired application state. Kubernetes manifests are specified as [ksonnet](https://ksonnet.io)
+applications. Argo CD automates the deployment of the desired
 application states in the specified target environments.
 
 ![Argo CD Architecture](docs/argocd_architecture.png)
@@ -41,11 +44,13 @@ For additional details, see [architecture overview](docs/architecture.md).
 
 * Automated deployment of applications to specified target environments
 * Continuous monitoring of deployed applications
-* Automated or manual syncing of applications to its target state
-* Web and CLI based visualization of applications and differences between live vs. target state
+* Automated or manual syncing of applications to its desired state
+* Web and CLI based visualization of applications and differences between live vs. desired state
 * Rollback/Roll-anywhere to any application state committed in the git repository
-* SSO Integration (OIDC, LDAP, SAML 2.0, GitLab, Microsoft, LinkedIn)
+* Health assessment statuses on all components of the application
+* SSO Integration (OIDC, OAuth2, LDAP, SAML 2.0, GitLab, Microsoft, LinkedIn)
 * Webhook Integration (GitHub, BitBucket, GitLab)
+* PreSync, Sync, PostSync hooks to support complex application rollouts (e.g.blue/green & canary upgrades)
 
 ## What is ksonnet?
 
@@ -69,10 +74,10 @@ Imagine we have a single guestbook application deployed in following environment
 | Environment   | K8s Version | Application Image      | DB Connection String  | Environment Vars | Sidecars      |
 |---------------|-------------|------------------------|-----------------------|------------------|---------------|
 | minikube      | 1.10.0      | jesse/guestbook:latest | sql://locahost/db     | DEBUG=true       |               |
-| dev           | 1.9.0       | app/guestbook:latest   | sql://dev-test/db     | DEBUG=true       |               |
-| staging       | 1.8.0       | app/guestbook:e3c0263  | sql://staging/db      |                  | istio,dnsmasq |
-| us-west-1     | 1.8.0       | app/guestbook:abc1234  | sql://prod/db         | FOO_FEATURE=true | istio,dnsmasq |
-| us-west-2     | 1.8.0       | app/guestbook:abc1234  | sql://prod/db         |                  | istio,dnsmasq |
+| dev           | 1.11.0      | app/guestbook:latest   | sql://dev-test/db     | DEBUG=true       |               |
+| staging       | 1.10.0      | app/guestbook:e3c0263  | sql://staging/db      |                  | istio,dnsmasq |
+| us-west-1     | 1.9.0       | app/guestbook:abc1234  | sql://prod/db         | FOO_FEATURE=true | istio,dnsmasq |
+| us-west-2     | 1.10.0      | app/guestbook:abc1234  | sql://prod/db         |                  | istio,dnsmasq |
 | us-east-1     | 1.9.0       | app/guestbook:abc1234  | sql://prod/db         | BAR_FEATURE=true | istio,dnsmasq |
 
 Ksonnet:
@@ -83,9 +88,10 @@ Ksonnet:
 concise definition of kubernetes manifests
 
 ## Development Status
-* Argo CD is in early development
+* Argo CD is being used in production to deploy SaaS services at Intuit
 
 ## Roadmap
-* PreSync, PostSync, OutOfSync hooks
-* Customized application actions as Argo workflows
-* Blue/Green & canary upgrades
+* Audit trails for application events and API calls
+* Service account/access key management for CI pipelines
+* Revamped UI
+* Customizable application actions

VERSION

@@ -1 +1 @@
-0.4.5
+0.6.2

cmd/argocd-application-controller/main.go

@@ -8,22 +8,23 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/argoproj/argo-cd"
-	"github.com/argoproj/argo-cd/controller"
-	"github.com/argoproj/argo-cd/errors"
-	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/db"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
-
 	// load the gcp plugin (required to authenticate against GKE clusters).
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	// load the oidc plugin (required to authenticate with OpenID Connect).
-	"github.com/argoproj/argo-cd/reposerver"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+
+	"github.com/argoproj/argo-cd"
+	"github.com/argoproj/argo-cd/controller"
+	"github.com/argoproj/argo-cd/errors"
+	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
+	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/db"
+	"github.com/argoproj/argo-cd/util/stats"
 )
 
 const (
@@ -72,23 +73,29 @@ func newCommand() *cobra.Command {
 			}
 			db := db.NewDB(namespace, kubeClient)
 			resyncDuration := time.Duration(appResyncPeriod) * time.Second
-			appStateManager := controller.NewAppStateManager(db, appClient, reposerver.NewRepositoryServerClientset(repoServerAddress), namespace)
-			appHealthManager := controller.NewAppHealthManager(db, namespace)
+			repoClientset := reposerver.NewRepositoryServerClientset(repoServerAddress)
+			appStateManager := controller.NewAppStateManager(db, appClient, repoClientset, namespace)
 
 			appController := controller.NewApplicationController(
 				namespace,
 				kubeClient,
 				appClient,
+				repoClientset,
 				db,
 				appStateManager,
-				appHealthManager,
 				resyncDuration,
 				&controllerConfig)
+			secretController := controller.NewSecretController(kubeClient, repoClientset, resyncDuration, namespace)
 
 			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
 			log.Infof("Application Controller (version: %s) starting (namespace: %s)", argocd.GetVersion(), namespace)
+			stats.RegisterStackDumper()
+			stats.StartStatsTicker(10 * time.Minute)
+			stats.RegisterHeapDumper("memprofile")
+
+			go secretController.Run(ctx)
 			go appController.Run(ctx, statusProcessors, operationProcessors)
 			// Wait forever
 			select {}

cmd/argocd-repo-server/main.go

@@ -4,6 +4,10 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
 
 	"github.com/argoproj/argo-cd"
 	"github.com/argoproj/argo-cd/errors"
@@ -12,9 +16,7 @@ import (
 	"github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/git"
 	"github.com/argoproj/argo-cd/util/ksonnet"
-	"github.com/go-redis/redis"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
+	"github.com/argoproj/argo-cd/util/stats"
 )
 
 const (
@@ -45,6 +47,9 @@ func newCommand() *cobra.Command {
 
 			log.Infof("argocd-repo-server %s serving on %s", argocd.GetVersion(), listener.Addr())
 			log.Infof("ksonnet version: %s", ksVers)
+			stats.RegisterStackDumper()
+			stats.StartStatsTicker(10 * time.Minute)
+			stats.RegisterHeapDumper("memprofile")
 			err = grpc.Serve(listener)
 			errors.CheckError(err)
 			return nil
@@ -56,13 +61,13 @@ func newCommand() *cobra.Command {
 }
 
 func newCache() cache.Cache {
-	//return cache.NewInMemoryCache(repository.DefaultRepoCacheExpiration)
-	client := redis.NewClient(&redis.Options{
-		Addr:     "localhost:6379",
-		Password: "",
-		DB:       0,
-	})
-	return cache.NewRedisCache(client, repository.DefaultRepoCacheExpiration)
+	return cache.NewInMemoryCache(repository.DefaultRepoCacheExpiration)
+	// client := redis.NewClient(&redis.Options{
+	// 	Addr:     "localhost:6379",
+	// 	Password: "",
+	// 	DB:       0,
+	// })
+	// return cache.NewRedisCache(client, repository.DefaultRepoCacheExpiration)
 }
 
 func main() {

cmd/argocd-server/commands/root.go

@@ -2,16 +2,21 @@ package commands
 
 import (
 	"context"
+	"flag"
+	"strconv"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
 
 	"github.com/argoproj/argo-cd/errors"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/reposerver"
 	"github.com/argoproj/argo-cd/server"
 	"github.com/argoproj/argo-cd/util/cli"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/tools/clientcmd"
+	"github.com/argoproj/argo-cd/util/stats"
 )
 
 // NewCommand returns a new instance of an argocd command
@@ -19,6 +24,7 @@ func NewCommand() *cobra.Command {
 	var (
 		insecure          bool
 		logLevel          string
+		glogLevel         int
 		clientConfig      clientcmd.ClientConfig
 		staticAssetsDir   string
 		repoServerAddress string
@@ -33,6 +39,11 @@ func NewCommand() *cobra.Command {
 			errors.CheckError(err)
 			log.SetLevel(level)
 
+			// Set the glog level for the k8s go-client
+			_ = flag.CommandLine.Parse([]string{})
+			_ = flag.Lookup("logtostderr").Value.Set("true")
+			_ = flag.Lookup("v").Value.Set(strconv.Itoa(glogLevel))
+
 			config, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
 
@@ -52,9 +63,13 @@ func NewCommand() *cobra.Command {
 				RepoClientset:   repoclientset,
 				DisableAuth:     disableAuth,
 			}
-			argocd := server.NewServer(argoCDOpts)
+
+			stats.RegisterStackDumper()
+			stats.StartStatsTicker(10 * time.Minute)
+			stats.RegisterHeapDumper("memprofile")
 
 			for {
+				argocd := server.NewServer(argoCDOpts)
 				ctx := context.Background()
 				ctx, cancel := context.WithCancel(ctx)
 				argocd.Run(ctx, 8080)
@@ -67,6 +82,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&insecure, "insecure", false, "Run server without TLS")
 	command.Flags().StringVar(&staticAssetsDir, "staticassets", "", "Static assets directory path")
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
 	command.Flags().StringVar(&repoServerAddress, "repo-server", "localhost:8081", "Repo server address.")
 	command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Disable client authentication")
 	command.AddCommand(cli.NewVersionCmd(cliName))

cmd/argocd-util/main.go

@@ -6,14 +6,22 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"strings"
 	"syscall"
 
+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/errors"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/db"
 	"github.com/argoproj/argo-cd/util/dex"
 	"github.com/argoproj/argo-cd/util/settings"
+	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	apiv1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
@@ -26,6 +34,9 @@ import (
 const (
 	// CLIName is the name of the CLI
 	cliName = "argocd-util"
+
+	// YamlSeparator separates sections of a YAML file
+	yamlSeparator = "\n---\n"
 )
 
 // NewCommand returns a new instance of an argocd command
@@ -45,6 +56,9 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(cli.NewVersionCmd(cliName))
 	command.AddCommand(NewRunDexCommand())
 	command.AddCommand(NewGenDexConfigCommand())
+	command.AddCommand(NewImportCommand())
+	command.AddCommand(NewExportCommand())
+	command.AddCommand(NewSettingsCommand())
 
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	return command
@@ -154,6 +168,214 @@ func NewGenDexConfigCommand() *cobra.Command {
 	return &command
 }
 
+// NewImportCommand defines a new command for exporting Kubernetes and Argo CD resources.
+func NewImportCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = cobra.Command{
+		Use:   "import SOURCE",
+		Short: "Import Argo CD data from stdin (specify `-') or a file",
+		RunE: func(c *cobra.Command, args []string) error {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			var (
+				input       []byte
+				err         error
+				newSettings *settings.ArgoCDSettings
+				newRepos    []*v1alpha1.Repository
+				newClusters []*v1alpha1.Cluster
+				newApps     []*v1alpha1.Application
+				newRBACCM   *apiv1.ConfigMap
+			)
+
+			if in := args[0]; in == "-" {
+				input, err = ioutil.ReadAll(os.Stdin)
+				errors.CheckError(err)
+			} else {
+				input, err = ioutil.ReadFile(in)
+				errors.CheckError(err)
+			}
+			inputStrings := strings.Split(string(input), yamlSeparator)
+
+			err = yaml.Unmarshal([]byte(inputStrings[0]), &newSettings)
+			errors.CheckError(err)
+
+			err = yaml.Unmarshal([]byte(inputStrings[1]), &newRepos)
+			errors.CheckError(err)
+
+			err = yaml.Unmarshal([]byte(inputStrings[2]), &newClusters)
+			errors.CheckError(err)
+
+			err = yaml.Unmarshal([]byte(inputStrings[3]), &newApps)
+			errors.CheckError(err)
+
+			err = yaml.Unmarshal([]byte(inputStrings[4]), &newRBACCM)
+			errors.CheckError(err)
+
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeClientset := kubernetes.NewForConfigOrDie(config)
+
+			settingsMgr := settings.NewSettingsManager(kubeClientset, namespace)
+			err = settingsMgr.SaveSettings(newSettings)
+			errors.CheckError(err)
+			db := db.NewDB(namespace, kubeClientset)
+
+			_, err = kubeClientset.CoreV1().ConfigMaps(namespace).Create(newRBACCM)
+			errors.CheckError(err)
+
+			for _, repo := range newRepos {
+				_, err := db.CreateRepository(context.Background(), repo)
+				if err != nil {
+					log.Warn(err)
+				}
+			}
+
+			for _, cluster := range newClusters {
+				_, err := db.CreateCluster(context.Background(), cluster)
+				if err != nil {
+					log.Warn(err)
+				}
+			}
+
+			appClientset := appclientset.NewForConfigOrDie(config)
+			for _, app := range newApps {
+				out, err := appClientset.ArgoprojV1alpha1().Applications(namespace).Create(app)
+				errors.CheckError(err)
+				log.Println(out)
+			}
+
+			return nil
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+
+	return &command
+}
+
+// NewExportCommand defines a new command for exporting Kubernetes and Argo CD resources.
+func NewExportCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		out          string
+	)
+	var command = cobra.Command{
+		Use:   "export",
+		Short: "Export all Argo CD data to stdout (default) or a file",
+		RunE: func(c *cobra.Command, args []string) error {
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeClientset := kubernetes.NewForConfigOrDie(config)
+
+			settingsMgr := settings.NewSettingsManager(kubeClientset, namespace)
+			settings, err := settingsMgr.GetSettings()
+			errors.CheckError(err)
+			// certificate data is included in secrets that are exported alongside
+			settings.Certificate = nil
+
+			db := db.NewDB(namespace, kubeClientset)
+			clusters, err := db.ListClusters(context.Background())
+			errors.CheckError(err)
+
+			repos, err := db.ListRepositories(context.Background())
+			errors.CheckError(err)
+
+			appClientset := appclientset.NewForConfigOrDie(config)
+			apps, err := appClientset.ArgoprojV1alpha1().Applications(namespace).List(metav1.ListOptions{})
+			errors.CheckError(err)
+
+			rbacCM, err := kubeClientset.CoreV1().ConfigMaps(namespace).Get(common.ArgoCDRBACConfigMapName, metav1.GetOptions{})
+			errors.CheckError(err)
+
+			// remove extraneous cruft from output
+			rbacCM.ObjectMeta = metav1.ObjectMeta{
+				Name: rbacCM.ObjectMeta.Name,
+			}
+
+			// remove extraneous cruft from output
+			for idx, app := range apps.Items {
+				apps.Items[idx].ObjectMeta = metav1.ObjectMeta{
+					Name:       app.ObjectMeta.Name,
+					Finalizers: app.ObjectMeta.Finalizers,
+				}
+				apps.Items[idx].Status = v1alpha1.ApplicationStatus{
+					History: app.Status.History,
+				}
+				apps.Items[idx].Operation = nil
+			}
+
+			// take a list of exportable objects, marshal them to YAML,
+			// and return a string joined by a delimiter
+			output := func(delimiter string, oo ...interface{}) string {
+				out := make([]string, 0)
+				for _, o := range oo {
+					data, err := yaml.Marshal(o)
+					errors.CheckError(err)
+					out = append(out, string(data))
+				}
+				return strings.Join(out, delimiter)
+			}(yamlSeparator, settings, repos.Items, clusters.Items, apps.Items, rbacCM)
+
+			if out == "-" {
+				fmt.Println(output)
+			} else {
+				err = ioutil.WriteFile(out, []byte(output), 0644)
+				errors.CheckError(err)
+			}
+			return nil
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().StringVarP(&out, "out", "o", "-", "Output to the specified file instead of stdout")
+
+	return &command
+}
+
+// NewSettingsCommand returns a new instance of `argocd-util settings` command
+func NewSettingsCommand() *cobra.Command {
+	var (
+		clientConfig      clientcmd.ClientConfig
+		updateSuperuser   bool
+		superuserPassword string
+		updateSignature   bool
+	)
+	var command = &cobra.Command{
+		Use:   "settings",
+		Short: "Creates or updates ArgoCD settings",
+		Long:  "Creates or updates ArgoCD settings",
+		Run: func(c *cobra.Command, args []string) {
+			conf, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, wasSpecified, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			if !(wasSpecified) {
+				namespace = "argocd"
+			}
+
+			kubeclientset, err := kubernetes.NewForConfig(conf)
+			errors.CheckError(err)
+			settingsMgr := settings.NewSettingsManager(kubeclientset, namespace)
+
+			_ = settings.UpdateSettings(superuserPassword, settingsMgr, updateSignature, updateSuperuser, namespace)
+		},
+	}
+	command.Flags().BoolVar(&updateSuperuser, "update-superuser", false, "force updating the  superuser password")
+	command.Flags().StringVar(&superuserPassword, "superuser-password", "", "password for super user")
+	command.Flags().BoolVar(&updateSignature, "update-signature", false, "force updating the server-side token signing signature")
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	return command
+}
+
 func main() {
 	if err := NewCommand().Execute(); err != nil {
 		fmt.Println(err)

cmd/argocd/commands/account.go

@@ -0,0 +1,72 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"syscall"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	"github.com/argoproj/argo-cd/server/account"
+	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/settings"
+	"github.com/spf13/cobra"
+	"golang.org/x/crypto/ssh/terminal"
+)
+
+func NewAccountCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "account",
+		Short: "Manage account settings",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+	command.AddCommand(NewAccountUpdatePasswordCommand(clientOpts))
+	return command
+}
+
+func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		currentPassword string
+		newPassword     string
+	)
+	var command = &cobra.Command{
+		Use:   "update-password",
+		Short: "Update password",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 0 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			if currentPassword == "" {
+				fmt.Print("*** Enter current password: ")
+				password, err := terminal.ReadPassword(syscall.Stdin)
+				errors.CheckError(err)
+				currentPassword = string(password)
+				fmt.Print("\n")
+			}
+			if newPassword == "" {
+				newPassword = settings.ReadAndConfirmPassword()
+			}
+
+			updatePasswordRequest := account.UpdatePasswordRequest{
+				NewPassword:     newPassword,
+				CurrentPassword: currentPassword,
+			}
+
+			conn, usrIf := argocdclient.NewClientOrDie(clientOpts).NewAccountClientOrDie()
+			defer util.Close(conn)
+			_, err := usrIf.UpdatePassword(context.Background(), &updatePasswordRequest)
+			errors.CheckError(err)
+			fmt.Printf("Password updated\n")
+		},
+	}
+
+	command.Flags().StringVar(&currentPassword, "current-password", "", "current password you wish to change")
+	command.Flags().StringVar(&newPassword, "new-password", "", "new password you want to update to")
+	return command
+}

cmd/argocd/commands/app.go

@@ -2,27 +2,38 @@ package commands
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
 	"net/url"
 	"os"
 	"strconv"
 	"strings"
 	"text/tabwriter"
+	"time"
 
-	"github.com/argoproj/argo-cd/errors"
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/server/application"
-	"github.com/argoproj/argo-cd/util"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/diff"
+	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/yudai/gojsondiff/formatter"
 	"golang.org/x/crypto/ssh/terminal"
-	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/server/application"
+	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/argo"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/diff"
+	"github.com/argoproj/argo-cd/util/ksonnet"
+	kubeutil "github.com/argoproj/argo-cd/util/kube"
 )
 
 // NewApplicationCommand returns a new instance of an `argocd app` command
@@ -46,6 +57,8 @@ func NewApplicationCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 	command.AddCommand(NewApplicationListCommand(clientOpts))
 	command.AddCommand(NewApplicationDeleteCommand(clientOpts))
 	command.AddCommand(NewApplicationWaitCommand(clientOpts))
+	command.AddCommand(NewApplicationManifestsCommand(clientOpts))
+	command.AddCommand(NewApplicationTerminateOpCommand(clientOpts))
 	return command
 }
 
@@ -87,6 +100,7 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 						Name: appName,
 					},
 					Spec: argoappv1.ApplicationSpec{
+						Project: appOpts.project,
 						Source: argoappv1.ApplicationSource{
 							RepoURL:        appOpts.repoURL,
 							Path:           appOpts.appPath,
@@ -105,8 +119,11 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 			setParameterOverrides(&app, appOpts.parameters)
 			conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
 			defer util.Close(conn)
-			ctx := metadata.AppendToOutgoingContext(context.Background(), "upsert", strconv.FormatBool(upsert))
-			created, err := appIf.Create(ctx, &app)
+			appCreateRequest := application.ApplicationCreateRequest{
+				Application: app,
+				Upsert:      &upsert,
+			}
+			created, err := appIf.Create(context.Background(), &appCreateRequest)
 			errors.CheckError(err)
 			fmt.Printf("application '%s' created\n", created.ObjectMeta.Name)
 		},
@@ -121,7 +138,10 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 // NewApplicationGetCommand returns a new instance of an `argocd app get` command
 func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		showParams bool
+		output        string
+		showParams    bool
+		showOperation bool
+		refresh       bool
 	)
 	var command = &cobra.Command{
 		Use:   "get APPNAME",
@@ -135,44 +155,66 @@ func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 			conn, appIf := acdClient.NewApplicationClientOrDie()
 			defer util.Close(conn)
 			appName := args[0]
-			app, err := appIf.Get(context.Background(), &application.ApplicationQuery{Name: &appName})
+			app, err := appIf.Get(context.Background(), &application.ApplicationQuery{Name: &appName, Refresh: refresh})
 			errors.CheckError(err)
-			format := "%-15s%s\n"
-			fmt.Printf(format, "Name:", app.Name)
-			fmt.Printf(format, "Server:", app.Spec.Destination.Server)
-			fmt.Printf(format, "Namespace:", app.Spec.Destination.Namespace)
-			fmt.Printf(format, "URL:", appURL(acdClient, app))
-			fmt.Printf(format, "Environment:", app.Spec.Source.Environment)
-			fmt.Printf(format, "Repo:", app.Spec.Source.RepoURL)
-			fmt.Printf(format, "Path:", app.Spec.Source.Path)
-			fmt.Printf(format, "Target:", app.Spec.Source.TargetRevision)
-			if app.Status.ComparisonResult.Error != "" {
-				fmt.Printf(format, "Error:", app.Status.ComparisonResult.Error)
-			}
-			if showParams {
-				printParams(app)
-			}
-			if len(app.Status.ComparisonResult.Resources) > 0 {
-				fmt.Println()
-				w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-				fmt.Fprintf(w, "KIND\tNAME\tSTATUS\tHEALTH\n")
-				for _, res := range app.Status.ComparisonResult.Resources {
-					obj, err := argoappv1.UnmarshalToUnstructured(res.TargetState)
-					errors.CheckError(err)
-					if obj == nil {
-						obj, err = argoappv1.UnmarshalToUnstructured(res.LiveState)
-						errors.CheckError(err)
-					}
-					fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", obj.GetKind(), obj.GetName(), res.Status, res.Health.Status)
+			switch output {
+			case "yaml":
+				yamlBytes, err := yaml.Marshal(app)
+				errors.CheckError(err)
+				fmt.Println(string(yamlBytes))
+			case "json":
+				jsonBytes, err := json.MarshalIndent(app, "", "  ")
+				errors.CheckError(err)
+				fmt.Println(string(jsonBytes))
+			case "":
+				fmt.Printf(printOpFmtStr, "Name:", app.Name)
+				fmt.Printf(printOpFmtStr, "Server:", app.Spec.Destination.Server)
+				fmt.Printf(printOpFmtStr, "Namespace:", app.Spec.Destination.Namespace)
+				fmt.Printf(printOpFmtStr, "URL:", appURL(acdClient, app))
+				fmt.Printf(printOpFmtStr, "Environment:", app.Spec.Source.Environment)
+				fmt.Printf(printOpFmtStr, "Repo:", app.Spec.Source.RepoURL)
+				fmt.Printf(printOpFmtStr, "Path:", app.Spec.Source.Path)
+				fmt.Printf(printOpFmtStr, "Target:", app.Spec.Source.TargetRevision)
+
+				if len(app.Status.Conditions) > 0 {
+					fmt.Println()
+					w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+					printAppConditions(w, app)
+					_ = w.Flush()
+					fmt.Println()
 				}
-				_ = w.Flush()
+				if showOperation && app.Status.OperationState != nil {
+					fmt.Println()
+					printOperationResult(app.Status.OperationState)
+				}
+				if showParams {
+					printParams(app)
+				}
+				if len(app.Status.ComparisonResult.Resources) > 0 {
+					fmt.Println()
+					w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+					printAppResources(w, app, showOperation)
+					_ = w.Flush()
+				}
+			default:
+				log.Fatalf("Unknown output format: %s", output)
 			}
 		},
 	}
+	command.Flags().StringVarP(&output, "output", "o", "", "Output format. One of: yaml, json")
+	command.Flags().BoolVar(&showOperation, "show-operation", false, "Show application operation")
 	command.Flags().BoolVar(&showParams, "show-params", false, "Show application parameters and overrides")
+	command.Flags().BoolVar(&refresh, "refresh", false, "Refresh application data when retrieving")
 	return command
 }
 
+func printAppConditions(w io.Writer, app *argoappv1.Application) {
+	fmt.Fprintf(w, "CONDITION\tMESSAGE\n")
+	for _, item := range app.Status.Conditions {
+		fmt.Fprintf(w, "%s\t%s", item.Type, item.Message)
+	}
+}
+
 // appURL returns the URL of an application
 func appURL(acdClient argocdclient.Client, app *argoappv1.Application) string {
 	var scheme string
@@ -186,7 +228,7 @@ func appURL(acdClient argocdclient.Client, app *argoappv1.Application) string {
 			server = server[0 : len(server)-4]
 		}
 	}
-	return fmt.Sprintf("%s://%s/applications/%s/%s", scheme, server, app.Namespace, app.Name)
+	return fmt.Sprintf("%s://%s/applications/%s", scheme, server, app.Name)
 }
 
 func truncateString(str string, num int) string {
@@ -251,6 +293,8 @@ func NewApplicationSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 					app.Spec.Destination.Server = appOpts.destServer
 				case "dest-namespace":
 					app.Spec.Destination.Namespace = appOpts.destNamespace
+				case "project":
+					app.Spec.Project = appOpts.project
 				}
 			})
 			if visited == 0 {
@@ -259,17 +303,33 @@ func NewApplicationSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 				os.Exit(1)
 			}
 			setParameterOverrides(app, appOpts.parameters)
-			_, err = appIf.UpdateSpec(context.Background(), &application.ApplicationSpecRequest{
-				AppName: &app.Name,
-				Spec:    app.Spec,
+			oldOverrides := app.Spec.Source.ComponentParameterOverrides
+			updatedSpec, err := appIf.UpdateSpec(context.Background(), &application.ApplicationUpdateSpecRequest{
+				Name: &app.Name,
+				Spec: app.Spec,
 			})
 			errors.CheckError(err)
+
+			newOverrides := updatedSpec.Source.ComponentParameterOverrides
+			checkDroppedParams(newOverrides, oldOverrides)
 		},
 	}
 	addAppFlags(command, &appOpts)
 	return command
 }
 
+func checkDroppedParams(newOverrides []argoappv1.ComponentParameter, oldOverrides []argoappv1.ComponentParameter) {
+	newOverrideMap := argo.ParamToMap(newOverrides)
+
+	if len(oldOverrides) > len(newOverrides) {
+		for _, oldOverride := range oldOverrides {
+			if !argo.CheckValidParam(newOverrideMap, oldOverride) {
+				log.Warnf("Parameter %s in %s does not exist in ksonnet, parameter override dropped", oldOverride.Name, oldOverride.Component)
+			}
+		}
+	}
+}
+
 type appOptions struct {
 	repoURL       string
 	appPath       string
@@ -278,6 +338,7 @@ type appOptions struct {
 	destServer    string
 	destNamespace string
 	parameters    []string
+	project       string
 }
 
 func addAppFlags(command *cobra.Command, opts *appOptions) {
@@ -288,6 +349,7 @@ func addAppFlags(command *cobra.Command, opts *appOptions) {
 	command.Flags().StringVar(&opts.destServer, "dest-server", "", "K8s cluster URL (overrides the server URL specified in the ksonnet app.yaml)")
 	command.Flags().StringVar(&opts.destNamespace, "dest-namespace", "", "K8s target namespace (overrides the namespace specified in the ksonnet app.yaml)")
 	command.Flags().StringArrayVarP(&opts.parameters, "parameter", "p", []string{}, "set a parameter override (e.g. -p guestbook=image=example/guestbook:latest)")
+	command.Flags().StringVar(&opts.project, "project", "", "Application project name")
 }
 
 // NewApplicationUnsetCommand returns a new instance of an `argocd app unset` command
@@ -327,9 +389,9 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 			if !updated {
 				return
 			}
-			_, err = appIf.UpdateSpec(context.Background(), &application.ApplicationSpecRequest{
-				AppName: &app.Name,
-				Spec:    app.Spec,
+			_, err = appIf.UpdateSpec(context.Background(), &application.ApplicationUpdateSpecRequest{
+				Name: &app.Name,
+				Spec: app.Spec,
 			})
 			errors.CheckError(err)
 		},
@@ -340,6 +402,11 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 
 // NewApplicationDiffCommand returns a new instance of an `argocd app diff` command
 func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		refresh bool
+		local   string
+		env     string
+	)
 	var command = &cobra.Command{
 		Use:   "diff APPNAME",
 		Short: "Perform a diff against the target and live state",
@@ -351,32 +418,76 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
 			defer util.Close(conn)
 			appName := args[0]
-			app, err := appIf.Get(context.Background(), &application.ApplicationQuery{Name: &appName})
-			errors.CheckError(err)
-			targetObjs, err := app.Status.ComparisonResult.TargetObjects()
+			app, err := appIf.Get(context.Background(), &application.ApplicationQuery{Name: &appName, Refresh: refresh})
 			errors.CheckError(err)
 			liveObjs, err := app.Status.ComparisonResult.LiveObjects()
 			errors.CheckError(err)
-			diffResults, err := diff.DiffArray(targetObjs, liveObjs)
+
+			var compareObjs []*unstructured.Unstructured
+			if local != "" {
+				if env == "" {
+					log.Fatal("--env required when performing local diff")
+				}
+				ksApp, err := ksonnet.NewKsonnetApp(local)
+				errors.CheckError(err)
+				compareObjs, err = ksApp.Show(env)
+				errors.CheckError(err)
+				if len(app.Spec.Source.ComponentParameterOverrides) > 0 {
+					log.Warnf("Unable to display parameter overrides")
+				}
+				compareObjs, liveObjs = diff.MatchObjectLists(compareObjs, liveObjs)
+			} else {
+				if env != "" {
+					log.Fatal("--env option invalid when performing git diff")
+				}
+				compareObjs, err = app.Status.ComparisonResult.TargetObjects()
+				errors.CheckError(err)
+			}
+
+			// In order for the diff to be clean, need to set our app labels
+			setAppLabels(appName, compareObjs)
+			diffResults, err := diff.DiffArray(compareObjs, liveObjs)
 			errors.CheckError(err)
-			for i := 0; i < len(targetObjs); i++ {
-				targetObj := targetObjs[i]
+			for i := 0; i < len(compareObjs); i++ {
+				kind, name := getObjKindName(compareObjs[i], liveObjs[i])
 				diffRes := diffResults.Diffs[i]
-				fmt.Printf("===== %s %s ======\n", targetObj.GetKind(), targetObj.GetName())
+				fmt.Printf("===== %s %s ======\n", kind, name)
 				if diffRes.Modified {
 					formatOpts := formatter.AsciiFormatterConfig{
 						Coloring: terminal.IsTerminal(int(os.Stdout.Fd())),
 					}
-					out, err := diffResults.Diffs[i].ASCIIFormat(targetObj, formatOpts)
+					out, err := diffResults.Diffs[i].ASCIIFormat(compareObjs[i], formatOpts)
 					errors.CheckError(err)
 					fmt.Println(out)
 				}
 			}
+			if local != "" && len(app.Spec.Source.ComponentParameterOverrides) > 0 {
+				log.Warnf("Unable to display parameter overrides")
+			}
 		},
 	}
+	command.Flags().BoolVar(&refresh, "refresh", false, "Refresh application data when retrieving")
+	command.Flags().StringVar(&local, "local", "", "Compare live app to a local ksonnet app")
+	command.Flags().StringVar(&env, "env", "", "Compare live app to a specific environment")
 	return command
 }
 
+func getObjKindName(compare, live *unstructured.Unstructured) (string, string) {
+	if compare == nil {
+		return live.GetKind(), live.GetName()
+	}
+	return compare.GetKind(), compare.GetName()
+}
+
+func setAppLabels(appName string, compareObjs []*unstructured.Unstructured) {
+	for _, obj := range compareObjs {
+		if obj == nil {
+			continue
+		}
+		_ = kubeutil.SetLabel(obj, common.LabelApplicationName, appName)
+	}
+}
+
 // NewApplicationDeleteCommand returns a new instance of an `argocd app delete` command
 func NewApplicationDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
@@ -393,7 +504,7 @@ func NewApplicationDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 			conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
 			defer util.Close(conn)
 			for _, appName := range args {
-				appDeleteReq := application.DeleteApplicationRequest{
+				appDeleteReq := application.ApplicationDeleteRequest{
 					Name: &appName,
 				}
 				if c.Flag("cascade").Changed {
@@ -423,12 +534,12 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			errors.CheckError(err)
 			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
 			var fmtStr string
-			headers := []interface{}{"NAME", "CLUSTER", "NAMESPACE", "STATUS", "HEALTH"}
+			headers := []interface{}{"NAME", "CLUSTER", "NAMESPACE", "PROJECT", "STATUS", "HEALTH", "CONDITIONS"}
 			if output == "wide" {
-				fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
-				headers = append(headers, "ENV", "REPO", "TARGET")
+				fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
+				headers = append(headers, "ENV", "REPO", "PATH", "TARGET")
 			} else {
-				fmtStr = "%s\t%s\t%s\t%s\t%s\n"
+				fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
 			}
 			fmt.Fprintf(w, fmtStr, headers...)
 			for _, app := range apps.Items {
@@ -436,11 +547,13 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					app.Name,
 					app.Spec.Destination.Server,
 					app.Spec.Destination.Namespace,
+					app.Spec.GetProject(),
 					app.Status.ComparisonResult.Status,
 					app.Status.Health.Status,
+					formatConditionsSummary(app),
 				}
 				if output == "wide" {
-					vals = append(vals, app.Spec.Source.Environment, app.Spec.Source.RepoURL, app.Spec.Source.TargetRevision)
+					vals = append(vals, app.Spec.Source.Environment, app.Spec.Source.RepoURL, app.Spec.Source.Path, app.Spec.Source.TargetRevision)
 				}
 				fmt.Fprintf(w, fmtStr, vals...)
 			}
@@ -451,6 +564,31 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	return command
 }
 
+func formatConditionsSummary(app argoappv1.Application) string {
+	typeToCnt := make(map[string]int)
+	for i := range app.Status.Conditions {
+		condition := app.Status.Conditions[i]
+		if cnt, ok := typeToCnt[condition.Type]; ok {
+			typeToCnt[condition.Type] = cnt + 1
+		} else {
+			typeToCnt[condition.Type] = 1
+		}
+	}
+	items := make([]string, 0)
+	for cndType, cnt := range typeToCnt {
+		if cnt > 1 {
+			items = append(items, fmt.Sprintf("%s(%d)", cndType, cnt))
+		} else {
+			items = append(items, cndType)
+		}
+	}
+	summary := "<none>"
+	if len(items) > 0 {
+		summary = strings.Join(items, ",")
+	}
+	return summary
+}
+
 // NewApplicationWaitCommand returns a new instance of an `argocd app wait` command
 func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
@@ -458,7 +596,6 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 		healthOnly bool
 		timeout    uint
 	)
-	const defaultCheckTimeoutSeconds = 0
 	var command = &cobra.Command{
 		Use:   "wait APPNAME",
 		Short: "Wait for an application to reach a synced and healthy state",
@@ -470,51 +607,42 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			if syncOnly && healthOnly {
 				log.Fatalln("Please specify at most one of --sync-only or --health-only.")
 			}
+			appName := args[0]
 			conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
 			defer util.Close(conn)
+			ctx := context.Background()
+			ctx, cancel := context.WithCancel(ctx)
+			defer cancel()
 
-			appName := args[0]
-			wc, err := appIf.Watch(context.Background(), &application.ApplicationQuery{
-				Name: &appName,
-			})
-			errors.CheckError(err)
-
-			success := util.Wait(timeout, func(done chan<- bool) {
-				for {
-					appEvent, err := wc.Recv()
-					errors.CheckError(err)
-
-					app := appEvent.Application
-					healthStatus := app.Status.Health.Status
-					syncStatus := app.Status.ComparisonResult.Status
-
-					log.Printf("App %q has sync status %q and health status %q", appName, syncStatus, healthStatus)
-					synced := (syncStatus == argoappv1.ComparisonStatusSynced)
-					healthy := (healthStatus == argoappv1.HealthStatusHealthy)
-
-					if (synced && healthy) || (synced && syncOnly) || (healthy && healthOnly) {
-						done <- true
-					}
-				}
-			})
-
-			if success {
-				log.Printf("App %q matches desired state", appName)
-			} else {
-				app, err := appIf.Get(context.Background(), &application.ApplicationQuery{Name: &appName})
-				errors.CheckError(err)
-
-				if len(app.Status.ComparisonResult.Resources) > 0 {
-					for _, res := range app.Status.ComparisonResult.Resources {
-						targetObj, err := argoappv1.UnmarshalToUnstructured(res.TargetState)
-						errors.CheckError(err)
-						if res.Status != argoappv1.ComparisonStatusSynced || res.Health.Status != argoappv1.HealthStatusHealthy {
-							log.Warnf("%s %q has sync status %q and health status %q: %s", targetObj.GetKind(), targetObj.GetName(), res.Status, res.Health.Status, res.Health.StatusDetails)
-						}
-					}
-				}
-				log.Fatalf("Timed out before seeing app %q match desired state", appName)
+			if timeout != 0 {
+				time.AfterFunc(time.Duration(timeout)*time.Second, func() {
+					cancel()
+				})
 			}
+
+			// print the initial components to format the tabwriter columns
+			app, err := appIf.Get(ctx, &application.ApplicationQuery{Name: &appName})
+			errors.CheckError(err)
+			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+			printAppResources(w, app, false)
+			_ = w.Flush()
+			prevCompRes := &app.Status.ComparisonResult
+
+			appEventCh := watchApp(ctx, appIf, appName)
+			for appEvent := range appEventCh {
+				app := appEvent.Application
+				printAppStateChange(w, prevCompRes, &app)
+				_ = w.Flush()
+				prevCompRes = &app.Status.ComparisonResult
+
+				synced := app.Status.ComparisonResult.Status == argoappv1.ComparisonStatusSynced
+				healthy := app.Status.Health.Status == argoappv1.HealthStatusHealthy
+				if len(app.Status.GetErrorConditions()) == 0 && ((synced && healthy) || (synced && syncOnly) || (healthy && healthOnly)) {
+					log.Printf("App %q matches desired state", appName)
+					return
+				}
+			}
+			log.Fatalf("Timed out (%ds) waiting for app %q match desired state", timeout, appName)
 		},
 	}
 	command.Flags().BoolVar(&syncOnly, "sync-only", false, "Wait only for sync")
@@ -523,12 +651,154 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	return command
 }
 
+func isCanceledContextErr(err error) bool {
+	if err == context.Canceled {
+		return true
+	}
+	if stat, ok := status.FromError(err); ok {
+		if stat.Code() == codes.Canceled {
+			return true
+		}
+	}
+	return false
+}
+
+// watchApp returns a channel of watch events for an app, retrying the watch upon errors. Closes
+// the returned channel when the context is discovered to be canceled.
+func watchApp(ctx context.Context, appIf application.ApplicationServiceClient, appName string) chan *argoappv1.ApplicationWatchEvent {
+	appEventsCh := make(chan *argoappv1.ApplicationWatchEvent)
+	go func() {
+		defer close(appEventsCh)
+		for {
+			wc, err := appIf.Watch(ctx, &application.ApplicationQuery{
+				Name: &appName,
+			})
+			if err != nil {
+				if isCanceledContextErr(err) {
+					return
+				}
+				if err != io.EOF {
+					log.Warnf("watch err: %v", err)
+				}
+				time.Sleep(1 * time.Second)
+				continue
+			}
+			for {
+				appEvent, err := wc.Recv()
+				if err != nil {
+					if isCanceledContextErr(err) {
+						return
+					}
+					if err != io.EOF {
+						log.Warnf("recv err: %v", err)
+					}
+					time.Sleep(1 * time.Second)
+					break
+				} else {
+					appEventsCh <- appEvent
+				}
+			}
+		}
+
+	}()
+	return appEventsCh
+}
+
+// printAppResources prints the resources of an application in a tabwriter table
+// Optionally prints the message from the operation state
+func printAppResources(w io.Writer, app *argoappv1.Application, showOperation bool) {
+	messages := make(map[string]string)
+	opState := app.Status.OperationState
+	var syncRes *argoappv1.SyncOperationResult
+
+	if showOperation {
+		fmt.Fprintf(w, "KIND\tNAME\tSTATUS\tHEALTH\tHOOK\tOPERATIONMSG\n")
+		if opState != nil {
+			if opState.SyncResult != nil {
+				syncRes = opState.SyncResult
+			} else if opState.RollbackResult != nil {
+				syncRes = opState.RollbackResult
+			}
+		}
+		if syncRes != nil {
+			for _, resDetails := range syncRes.Resources {
+				messages[fmt.Sprintf("%s/%s", resDetails.Kind, resDetails.Name)] = resDetails.Message
+			}
+			for _, hook := range syncRes.Hooks {
+				if hook.Type == argoappv1.HookTypePreSync {
+					fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n", hook.Kind, hook.Name, hook.Status, "", hook.Type, hook.Message)
+				}
+			}
+		}
+	} else {
+		fmt.Fprintf(w, "KIND\tNAME\tSTATUS\tHEALTH\n")
+	}
+	for _, res := range app.Status.ComparisonResult.Resources {
+		obj, err := argoappv1.UnmarshalToUnstructured(res.TargetState)
+		errors.CheckError(err)
+		if obj == nil {
+			obj, err = argoappv1.UnmarshalToUnstructured(res.LiveState)
+			errors.CheckError(err)
+		}
+		if showOperation {
+			message := messages[fmt.Sprintf("%s/%s", obj.GetKind(), obj.GetName())]
+			fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s", obj.GetKind(), obj.GetName(), res.Status, res.Health.Status, "", message)
+		} else {
+			fmt.Fprintf(w, "%s\t%s\t%s\t%s", obj.GetKind(), obj.GetName(), res.Status, res.Health.Status)
+		}
+		fmt.Fprint(w, "\n")
+	}
+	if showOperation && syncRes != nil {
+		for _, hook := range syncRes.Hooks {
+			if hook.Type == argoappv1.HookTypeSync || hook.Type == argoappv1.HookTypePostSync {
+				fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n", hook.Kind, hook.Name, hook.Status, "", hook.Type, hook.Message)
+			}
+		}
+
+	}
+}
+
+// printAppStateChange prints a component state change if it was different from the last time we saw it
+func printAppStateChange(w io.Writer, prevComp *argoappv1.ComparisonResult, app *argoappv1.Application) {
+	getPrevResState := func(kind, name string) (argoappv1.ComparisonStatus, argoappv1.HealthStatusCode) {
+		for _, res := range prevComp.Resources {
+			obj, err := argoappv1.UnmarshalToUnstructured(res.TargetState)
+			errors.CheckError(err)
+			if obj == nil {
+				obj, err = argoappv1.UnmarshalToUnstructured(res.LiveState)
+				errors.CheckError(err)
+			}
+			if obj.GetKind() == kind && obj.GetName() == name {
+				return res.Status, res.Health.Status
+			}
+		}
+		return "", ""
+	}
+	if len(app.Status.ComparisonResult.Resources) > 0 {
+		for _, res := range app.Status.ComparisonResult.Resources {
+			obj, err := argoappv1.UnmarshalToUnstructured(res.TargetState)
+			errors.CheckError(err)
+			if obj == nil {
+				obj, err = argoappv1.UnmarshalToUnstructured(res.LiveState)
+				errors.CheckError(err)
+			}
+			prevSync, prevHealth := getPrevResState(obj.GetKind(), obj.GetName())
+			if prevSync != res.Status || prevHealth != res.Health.Status {
+				fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", obj.GetKind(), obj.GetName(), res.Status, res.Health.Status)
+			}
+		}
+	}
+}
+
 // NewApplicationSyncCommand returns a new instance of an `argocd app sync` command
 func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
 		revision string
 		prune    bool
 		dryRun   bool
+		timeout  uint
+		strategy string
+		force    bool
 	)
 	var command = &cobra.Command{
 		Use:   "sync APPNAME",
@@ -547,12 +817,47 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 				Revision: revision,
 				Prune:    prune,
 			}
-			_, err := appIf.Sync(context.Background(), &syncReq)
+			switch strategy {
+			case "apply":
+				syncReq.Strategy = &argoappv1.SyncStrategy{Apply: &argoappv1.SyncStrategyApply{}}
+				syncReq.Strategy.Apply.Force = force
+			case "", "hook":
+				syncReq.Strategy = &argoappv1.SyncStrategy{Hook: &argoappv1.SyncStrategyHook{}}
+				syncReq.Strategy.Hook.Force = force
+			default:
+				log.Fatalf("Unknown sync strategy: '%s'", strategy)
+			}
+			ctx := context.Background()
+			_, err := appIf.Sync(ctx, &syncReq)
 			errors.CheckError(err)
-			status, err := waitUntilOperationCompleted(appIf, appName)
+			app, err := waitUntilOperationCompleted(appIf, appName, timeout)
 			errors.CheckError(err)
-			printOperationResult(appName, status)
-			if !status.Phase.Successful() {
+
+			// get refreshed app before printing to show accurate sync/health status
+			app, err = appIf.Get(ctx, &application.ApplicationQuery{Name: &appName, Refresh: true})
+			errors.CheckError(err)
+
+			fmt.Printf(printOpFmtStr, "Application:", appName)
+			printOperationResult(app.Status.OperationState)
+
+			if len(app.Status.ComparisonResult.Resources) > 0 {
+				fmt.Println()
+				w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+				printAppResources(w, app, true)
+				_ = w.Flush()
+			}
+
+			pruningRequired := 0
+			for _, resDetails := range app.Status.OperationState.SyncResult.Resources {
+				if resDetails.Status == argoappv1.ResourceDetailsPruningRequired {
+					pruningRequired++
+				}
+			}
+			if pruningRequired > 0 {
+				log.Fatalf("%d resources require pruning", pruningRequired)
+			}
+
+			if !app.Status.OperationState.Phase.Successful() && !dryRun {
 				os.Exit(1)
 			}
 		},
@@ -560,29 +865,29 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&dryRun, "dry-run", false, "Preview apply without affecting cluster")
 	command.Flags().BoolVar(&prune, "prune", false, "Allow deleting unexpected resources")
 	command.Flags().StringVar(&revision, "revision", "", "Sync to a specific revision. Preserves parameter overrides")
+	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
+	command.Flags().StringVar(&strategy, "strategy", "", "Sync strategy (one of: apply|hook)")
+	command.Flags().BoolVar(&force, "force", false, "Use a force apply")
 	return command
 }
 
-func waitUntilOperationCompleted(appClient application.ApplicationServiceClient, appName string) (*argoappv1.OperationState, error) {
-	wc, err := appClient.Watch(context.Background(), &application.ApplicationQuery{
-		Name: &appName,
-	})
-	if err != nil {
-		return nil, err
+func waitUntilOperationCompleted(appClient application.ApplicationServiceClient, appName string, timeout uint) (*argoappv1.Application, error) {
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	if timeout != 0 {
+		time.AfterFunc(time.Duration(timeout)*time.Second, func() {
+			cancel()
+		})
 	}
-	appEvent, err := wc.Recv()
-	if err != nil {
-		return nil, err
-	}
-	for {
+
+	appEventCh := watchApp(ctx, appClient, appName)
+	for appEvent := range appEventCh {
 		if appEvent.Application.Status.OperationState != nil && appEvent.Application.Status.OperationState.Phase.Completed() {
-			return appEvent.Application.Status.OperationState, nil
-		}
-		appEvent, err = wc.Recv()
-		if err != nil {
-			return nil, err
+			return &appEvent.Application, nil
 		}
 	}
+	return nil, fmt.Errorf("Timed out (%ds) waiting for app %q match desired state", timeout, appName)
 }
 
 // setParameterOverrides updates an existing or appends a new parameter override in the application
@@ -624,6 +929,9 @@ func setParameterOverrides(app *argoappv1.Application, parameters []string) {
 
 // NewApplicationHistoryCommand returns a new instance of an `argocd app history` command
 func NewApplicationHistoryCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
 	var command = &cobra.Command{
 		Use:   "history APPNAME",
 		Short: "Show application deployment history",
@@ -638,14 +946,25 @@ func NewApplicationHistoryCommand(clientOpts *argocdclient.ClientOptions) *cobra
 			app, err := appIf.Get(context.Background(), &application.ApplicationQuery{Name: &appName})
 			errors.CheckError(err)
 			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "ID\tDATE\tCOMMIT\tPARAMETERS\n")
+			switch output {
+			case "wide":
+				fmt.Fprintf(w, "ID\tDATE\tCOMMIT\tPARAMETERS\n")
+			default:
+				fmt.Fprintf(w, "ID\tDATE\tCOMMIT\n")
+			}
 			for _, depInfo := range app.Status.History {
-				paramStr := paramString(depInfo.Params)
-				fmt.Fprintf(w, "%d\t%s\t%s\t%s\n", depInfo.ID, depInfo.DeployedAt, depInfo.Revision, paramStr)
+				switch output {
+				case "wide":
+					paramStr := paramString(depInfo.Params)
+					fmt.Fprintf(w, "%d\t%s\t%s\t%s\n", depInfo.ID, depInfo.DeployedAt, depInfo.Revision, paramStr)
+				default:
+					fmt.Fprintf(w, "%d\t%s\t%s\n", depInfo.ID, depInfo.DeployedAt, depInfo.Revision)
+				}
 			}
 			_ = w.Flush()
 		},
 	}
+	command.Flags().StringVarP(&output, "output", "o", "", "Output format. One of: wide")
 	return command
 }
 
@@ -663,7 +982,8 @@ func paramString(params []argoappv1.ComponentParameter) string {
 // NewApplicationRollbackCommand returns a new instance of an `argocd app rollback` command
 func NewApplicationRollbackCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		prune bool
+		prune   bool
+		timeout uint
 	)
 	var command = &cobra.Command{
 		Use:   "rollback APPNAME",
@@ -699,41 +1019,129 @@ func NewApplicationRollbackCommand(clientOpts *argocdclient.ClientOptions) *cobr
 			})
 			errors.CheckError(err)
 
-			status, err := waitUntilOperationCompleted(appIf, appName)
+			app, err = waitUntilOperationCompleted(appIf, appName, timeout)
 			errors.CheckError(err)
-			printOperationResult(appName, status)
-			if !status.Phase.Successful() {
+
+			// get refreshed app before printing to show accurate sync/health status
+			app, err = appIf.Get(ctx, &application.ApplicationQuery{Name: &appName, Refresh: true})
+			errors.CheckError(err)
+
+			fmt.Printf(printOpFmtStr, "Application:", appName)
+			printOperationResult(app.Status.OperationState)
+			if !app.Status.OperationState.Phase.Successful() {
 				os.Exit(1)
 			}
 		},
 	}
 	command.Flags().BoolVar(&prune, "prune", false, "Allow deleting unexpected resources")
+	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
 	return command
 }
 
 const printOpFmtStr = "%-20s%s\n"
+const defaultCheckTimeoutSeconds = 0
 
-func printOperationResult(appName string, opState *argoappv1.OperationState) {
-	fmt.Printf(printOpFmtStr, "Application:", appName)
-	var syncRes *argoappv1.SyncOperationResult
+func printOperationResult(opState *argoappv1.OperationState) {
 	if opState.SyncResult != nil {
-		syncRes = opState.SyncResult
 		fmt.Printf(printOpFmtStr, "Operation:", "Sync")
 	} else if opState.RollbackResult != nil {
 		fmt.Printf(printOpFmtStr, "Operation:", "Rollback")
-		syncRes = opState.RollbackResult
 	}
 	fmt.Printf(printOpFmtStr, "Phase:", opState.Phase)
+	fmt.Printf(printOpFmtStr, "Start:", opState.StartedAt)
+	fmt.Printf(printOpFmtStr, "Finished:", opState.FinishedAt)
+	var duration time.Duration
+	if !opState.FinishedAt.IsZero() {
+		duration = time.Second * time.Duration(opState.FinishedAt.Unix()-opState.StartedAt.Unix())
+	} else {
+		duration = time.Second * time.Duration(time.Now().UTC().Unix()-opState.StartedAt.Unix())
+	}
+	fmt.Printf(printOpFmtStr, "Duration:", duration)
 	if opState.Message != "" {
 		fmt.Printf(printOpFmtStr, "Message:", opState.Message)
 	}
-	if syncRes != nil {
-		w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-		fmt.Printf("\n")
-		fmt.Fprintf(w, "KIND\tNAME\tMESSAGE\n")
-		for _, resDetails := range syncRes.Resources {
-			fmt.Fprintf(w, "%s\t%s\t%s\n", resDetails.Kind, resDetails.Name, resDetails.Message)
-		}
-		_ = w.Flush()
-	}
+}
+
+// NewApplicationManifestsCommand returns a new instance of an `argocd app manifests` command
+func NewApplicationManifestsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		source   string
+		revision string
+	)
+	var command = &cobra.Command{
+		Use:   "manifests APPNAME",
+		Short: "Print manifests of an application",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			appName := args[0]
+			conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
+			defer util.Close(conn)
+			ctx := context.Background()
+			app, err := appIf.Get(ctx, &application.ApplicationQuery{Name: &appName})
+			errors.CheckError(err)
+
+			var unstructureds []*unstructured.Unstructured
+			switch source {
+			case "git":
+				if revision != "" {
+					q := application.ApplicationManifestQuery{
+						Name:     &appName,
+						Revision: revision,
+					}
+					res, err := appIf.GetManifests(ctx, &q)
+					errors.CheckError(err)
+					for _, mfst := range res.Manifests {
+						obj, err := argoappv1.UnmarshalToUnstructured(mfst)
+						errors.CheckError(err)
+						unstructureds = append(unstructureds, obj)
+					}
+				} else {
+					targetObjs, err := app.Status.ComparisonResult.TargetObjects()
+					errors.CheckError(err)
+					unstructureds = targetObjs
+				}
+			case "live":
+				liveObjs, err := app.Status.ComparisonResult.LiveObjects()
+				errors.CheckError(err)
+				unstructureds = liveObjs
+			default:
+				log.Fatalf("Unknown source type '%s'", source)
+			}
+
+			for _, obj := range unstructureds {
+				fmt.Println("---")
+				yamlBytes, err := yaml.Marshal(obj)
+				errors.CheckError(err)
+				fmt.Printf("%s\n", yamlBytes)
+			}
+		},
+	}
+	command.Flags().StringVar(&source, "source", "git", "Source of manifests. One of: live|git")
+	command.Flags().StringVar(&revision, "revision", "", "Show manifests at a specific revision")
+	return command
+}
+
+// NewApplicationTerminateOpCommand returns a new instance of an `argocd app terminate-op` command
+func NewApplicationTerminateOpCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "terminate-op APPNAME",
+		Short: "Terminate running operation of an application",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			appName := args[0]
+			conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
+			defer util.Close(conn)
+			ctx := context.Background()
+			_, err := appIf.TerminateOperation(ctx, &application.OperationTerminateRequest{Name: &appName})
+			errors.CheckError(err)
+			fmt.Printf("Application '%s' operation terminating\n", appName)
+		},
+	}
+	return command
 }

cmd/argocd/commands/cluster.go

@@ -42,6 +42,10 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 
 // NewClusterAddCommand returns a new instance of an `argocd cluster add` command
 func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientcmd.PathOptions) *cobra.Command {
+	var (
+		inCluster bool
+		upsert    bool
+	)
 	var command = &cobra.Command{
 		Use:   "add",
 		Short: fmt.Sprintf("%s cluster add CONTEXT", cliName),
@@ -71,12 +75,21 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
 			defer util.Close(conn)
 			clst := NewCluster(args[0], conf, managerBearerToken)
-			clst, err = clusterIf.Create(context.Background(), clst)
+			if inCluster {
+				clst.Server = common.KubernetesInternalAPIServerAddr
+			}
+			clstCreateReq := cluster.ClusterCreateRequest{
+				Cluster: clst,
+				Upsert:  upsert,
+			}
+			clst, err = clusterIf.Create(context.Background(), &clstCreateReq)
 			errors.CheckError(err)
 			fmt.Printf("Cluster '%s' added\n", clst.Name)
 		},
 	}
 	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
+	command.Flags().BoolVar(&inCluster, "in-cluster", false, "Indicates ArgoCD resides inside this cluster and should connect using the internal k8s hostname (kubernetes.default.svc)")
+	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing cluster with the same name even if the spec differs")
 	return command
 }
 
@@ -96,9 +109,20 @@ func printKubeContexts(ca clientcmd.ConfigAccess) {
 	}
 	sort.Strings(contextNames)
 
+	if config.Clusters == nil {
+		return
+	}
+
 	for _, name := range contextNames {
+		// ignore malformed kube config entries
 		context := config.Contexts[name]
+		if context == nil {
+			continue
+		}
 		cluster := config.Clusters[context.Cluster]
+		if cluster == nil {
+			continue
+		}
 		prefix := " "
 		if config.CurrentContext == name {
 			prefix = "*"
@@ -200,9 +224,9 @@ func NewClusterListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 			clusters, err := clusterIf.List(context.Background(), &cluster.ClusterQuery{})
 			errors.CheckError(err)
 			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "SERVER\tNAME\tMESSAGE\n")
+			fmt.Fprintf(w, "SERVER\tNAME\tSTATUS\tMESSAGE\n")
 			for _, c := range clusters.Items {
-				fmt.Fprintf(w, "%s\t%s\t%s\n", c.Server, c.Name, c.Message)
+				fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", c.Server, c.Name, c.ConnectionState.Status, c.ConnectionState.Message)
 			}
 			_ = w.Flush()
 		},

cmd/argocd/commands/install.go

@@ -1,75 +0,0 @@
-package commands
-
-import (
-	"github.com/argoproj/argo-cd/errors"
-	"github.com/argoproj/argo-cd/install"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/spf13/cobra"
-	"k8s.io/client-go/tools/clientcmd"
-)
-
-// NewInstallCommand returns a new instance of `argocd install` command
-func NewInstallCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-		installOpts  install.InstallOptions
-	)
-	var command = &cobra.Command{
-		Use:   "install",
-		Short: "Install Argo CD",
-		Long:  "Install Argo CD",
-		Run: func(c *cobra.Command, args []string) {
-			conf, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, wasSpecified, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			if wasSpecified {
-				installOpts.Namespace = namespace
-			}
-			installer, err := install.NewInstaller(conf, installOpts)
-			errors.CheckError(err)
-			installer.Install()
-		},
-	}
-	command.Flags().BoolVar(&installOpts.Upgrade, "upgrade", false, "upgrade controller/ui deployments and configmap if already installed")
-	command.Flags().BoolVar(&installOpts.DryRun, "dry-run", false, "print the kubernetes manifests to stdout instead of installing")
-	command.Flags().StringVar(&installOpts.SuperuserPassword, "superuser-password", "", "password for super user")
-	command.Flags().StringVar(&installOpts.ControllerImage, "controller-image", install.DefaultControllerImage, "use a specified controller image")
-	command.Flags().StringVar(&installOpts.ServerImage, "server-image", install.DefaultServerImage, "use a specified api server image")
-	command.Flags().StringVar(&installOpts.UIImage, "ui-image", install.DefaultUIImage, "use a specified ui image")
-	command.Flags().StringVar(&installOpts.RepoServerImage, "repo-server-image", install.DefaultRepoServerImage, "use a specified repo server image")
-	command.Flags().StringVar(&installOpts.ImagePullPolicy, "image-pull-policy", "", "set the image pull policy of the pod specs")
-	clientConfig = cli.AddKubectlFlagsToCmd(command)
-	command.AddCommand(newSettingsCommand())
-	return command
-}
-
-// newSettingsCommand returns a new instance of `argocd install settings` command
-func newSettingsCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-		installOpts  install.InstallOptions
-	)
-	var command = &cobra.Command{
-		Use:   "settings",
-		Short: "Creates or updates ArgoCD settings",
-		Long:  "Creates or updates ArgoCD settings",
-		Run: func(c *cobra.Command, args []string) {
-			conf, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, wasSpecified, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			if wasSpecified {
-				installOpts.Namespace = namespace
-			}
-			installer, err := install.NewInstaller(conf, installOpts)
-			errors.CheckError(err)
-			installer.InstallSettings()
-		},
-	}
-	command.Flags().BoolVar(&installOpts.UpdateSuperuser, "update-superuser", false, "force updating the  superuser password")
-	command.Flags().StringVar(&installOpts.SuperuserPassword, "superuser-password", "", "password for super user")
-	command.Flags().BoolVar(&installOpts.UpdateSignature, "update-signature", false, "force updating the server-side token signing signature")
-	clientConfig = cli.AddKubectlFlagsToCmd(command)
-	return command
-}

cmd/argocd/commands/project.go

@@ -0,0 +1,335 @@
+package commands
+
+import (
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"strings"
+
+	"context"
+
+	"fmt"
+	"text/tabwriter"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/server/project"
+	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/git"
+	"github.com/spf13/pflag"
+	"k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+type projectOpts struct {
+	description  string
+	destinations []string
+	sources      []string
+}
+
+func (opts *projectOpts) GetDestinations() []v1alpha1.ApplicationDestination {
+	destinations := make([]v1alpha1.ApplicationDestination, 0)
+	for _, destStr := range opts.destinations {
+		parts := strings.Split(destStr, ",")
+		if len(parts) != 2 {
+			log.Fatalf("Expected destination of the form: server,namespace. Received: %s", destStr)
+		} else {
+			destinations = append(destinations, v1alpha1.ApplicationDestination{
+				Server:    parts[0],
+				Namespace: parts[1],
+			})
+		}
+	}
+	return destinations
+}
+
+// NewProjectCommand returns a new instance of an `argocd proj` command
+func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "proj",
+		Short: "Manage projects",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+	command.AddCommand(NewProjectCreateCommand(clientOpts))
+	command.AddCommand(NewProjectDeleteCommand(clientOpts))
+	command.AddCommand(NewProjectListCommand(clientOpts))
+	command.AddCommand(NewProjectSetCommand(clientOpts))
+	command.AddCommand(NewProjectAddDestinationCommand(clientOpts))
+	command.AddCommand(NewProjectRemoveDestinationCommand(clientOpts))
+	command.AddCommand(NewProjectAddSourceCommand(clientOpts))
+	command.AddCommand(NewProjectRemoveSourceCommand(clientOpts))
+	return command
+}
+
+func addProjFlags(command *cobra.Command, opts *projectOpts) {
+	command.Flags().StringVarP(&opts.description, "description", "", "desc", "Project description")
+	command.Flags().StringArrayVarP(&opts.destinations, "dest", "d", []string{},
+		"Allowed deployment destination. Includes comma separated server url and namespace (e.g. https://192.168.99.100:8443,default")
+	command.Flags().StringArrayVarP(&opts.sources, "src", "s", []string{}, "Allowed deployment source repository URL.")
+}
+
+// NewProjectCreateCommand returns a new instance of an `argocd proj create` command
+func NewProjectCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		opts projectOpts
+	)
+	var command = &cobra.Command{
+		Use:   "create PROJECT",
+		Short: "Create a project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) == 0 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			proj := v1alpha1.AppProject{
+				ObjectMeta: v1.ObjectMeta{Name: projName},
+				Spec: v1alpha1.AppProjectSpec{
+					Description:  opts.description,
+					Destinations: opts.GetDestinations(),
+					SourceRepos:  opts.sources,
+				},
+			}
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			_, err := projIf.Create(context.Background(), &project.ProjectCreateRequest{Project: &proj})
+			errors.CheckError(err)
+		},
+	}
+	addProjFlags(command, &opts)
+	return command
+}
+
+// NewProjectSetCommand returns a new instance of an `argocd proj set` command
+func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		opts projectOpts
+	)
+	var command = &cobra.Command{
+		Use:   "set PROJECT",
+		Short: "Set project parameters",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) == 0 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			visited := 0
+			c.Flags().Visit(func(f *pflag.Flag) {
+				visited++
+				switch f.Name {
+				case "description":
+					proj.Spec.Description = opts.description
+				case "dest":
+					proj.Spec.Destinations = opts.GetDestinations()
+				case "src":
+					proj.Spec.SourceRepos = opts.sources
+				}
+			})
+			if visited == 0 {
+				log.Error("Please set at least one option to update")
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	addProjFlags(command, &opts)
+	return command
+}
+
+// NewProjectAddDestinationCommand returns a new instance of an `argocd proj add-destination` command
+func NewProjectAddDestinationCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "add-destination PROJECT SERVER NAMESPACE",
+		Short: "Add project destination",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			server := args[1]
+			namespace := args[2]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for _, dest := range proj.Spec.Destinations {
+				if dest.Namespace == namespace && dest.Server == server {
+					log.Fatal("Specified destination is already defined in project")
+				}
+			}
+			proj.Spec.Destinations = append(proj.Spec.Destinations, v1alpha1.ApplicationDestination{Server: server, Namespace: namespace})
+			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectRemoveDestinationCommand returns a new instance of an `argocd proj remove-destination` command
+func NewProjectRemoveDestinationCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "remove-destination PROJECT SERVER NAMESPACE",
+		Short: "Remove project destination",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			server := args[1]
+			namespace := args[2]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			index := -1
+			for i, dest := range proj.Spec.Destinations {
+				if dest.Namespace == namespace && dest.Server == server {
+					index = i
+					break
+				}
+			}
+			if index == -1 {
+				log.Fatal("Specified destination does not exist in project")
+			} else {
+				proj.Spec.Destinations = append(proj.Spec.Destinations[:index], proj.Spec.Destinations[index+1:]...)
+				_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+				errors.CheckError(err)
+			}
+		},
+	}
+
+	return command
+}
+
+// NewProjectAddSourceCommand returns a new instance of an `argocd proj add-src` command
+func NewProjectAddSourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "add-source PROJECT URL",
+		Short: "Add project source repository",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			url := args[1]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for _, item := range proj.Spec.SourceRepos {
+				if item == git.NormalizeGitURL(url) {
+					log.Fatal("Specified source repository is already defined in project")
+				}
+			}
+			proj.Spec.SourceRepos = append(proj.Spec.SourceRepos, url)
+			_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectRemoveSourceCommand returns a new instance of an `argocd proj remove-src` command
+func NewProjectRemoveSourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "remove-source PROJECT URL",
+		Short: "Remove project source repository",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			url := args[1]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &project.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			index := -1
+			for i, item := range proj.Spec.SourceRepos {
+				if item == git.NormalizeGitURL(url) {
+					index = i
+					break
+				}
+			}
+			if index == -1 {
+				log.Fatal("Specified source repository does not exist in project")
+			} else {
+				proj.Spec.SourceRepos = append(proj.Spec.SourceRepos[:index], proj.Spec.SourceRepos[index+1:]...)
+				_, err = projIf.Update(context.Background(), &project.ProjectUpdateRequest{Project: proj})
+				errors.CheckError(err)
+			}
+		},
+	}
+
+	return command
+}
+
+// NewProjectDeleteCommand returns a new instance of an `argocd proj delete` command
+func NewProjectDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "delete PROJECT",
+		Short: "Delete project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) == 0 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+			for _, name := range args {
+				_, err := projIf.Delete(context.Background(), &project.ProjectQuery{Name: name})
+				errors.CheckError(err)
+			}
+		},
+	}
+	return command
+}
+
+// NewProjectListCommand returns a new instance of an `argocd proj list` command
+func NewProjectListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "list",
+		Short: "List projects",
+		Run: func(c *cobra.Command, args []string) {
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+			projects, err := projIf.List(context.Background(), &project.ProjectQuery{})
+			errors.CheckError(err)
+			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+			fmt.Fprintf(w, "NAME\tDESCRIPTION\tDESTINATIONS\n")
+			for _, p := range projects.Items {
+				fmt.Fprintf(w, "%s\t%s\t%v\n", p.Name, p.Spec.Description, p.Spec.Destinations)
+			}
+			_ = w.Flush()
+		},
+	}
+	return command
+}

cmd/argocd/commands/repo.go

@@ -7,6 +7,9 @@ import (
 	"os"
 	"text/tabwriter"
 
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
@@ -14,8 +17,6 @@ import (
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/git"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
 )
 
 // NewRepoCommand returns a new instance of an `argocd repo` command
@@ -39,6 +40,7 @@ func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
 		repo              appsv1.Repository
+		upsert            bool
 		sshPrivateKeyPath string
 	)
 	var command = &cobra.Command{
@@ -57,20 +59,28 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				}
 				repo.SSHPrivateKey = string(keyData)
 			}
-			err := git.TestRepo(repo.Repo, repo.Username, repo.Password, repo.SSHPrivateKey)
+			// First test the repo *without* username/password. This gives us a hint on whether this
+			// is a private repo.
+			// NOTE: it is important not to run git commands to test git credentials on the user's
+			// system since it may mess with their git credential store (e.g. osx keychain).
+			// See issue #315
+			err := git.TestRepo(repo.Repo, "", "", repo.SSHPrivateKey)
 			if err != nil {
-				if repo.Username != "" && repo.Password != "" || git.IsSSHURL(repo.Repo) {
-					// if everything was supplied or repo URL is SSH url, one of the inputs was definitely bad
+				if git.IsSSHURL(repo.Repo) {
+					// If we failed using git SSH credentials, then the repo is automatically bad
 					log.Fatal(err)
 				}
-				// If we can't test the repo, it's probably private. Prompt for credentials and try again.
+				// If we can't test the repo, it's probably private. Prompt for credentials and
+				// let the server test it.
 				repo.Username, repo.Password = cli.PromptCredentials(repo.Username, repo.Password)
-				err = git.TestRepo(repo.Repo, repo.Username, repo.Password, repo.SSHPrivateKey)
 			}
-			errors.CheckError(err)
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
 			defer util.Close(conn)
-			createdRepo, err := repoIf.Create(context.Background(), &repo)
+			repoCreateReq := repository.RepoCreateRequest{
+				Repo:   &repo,
+				Upsert: upsert,
+			}
+			createdRepo, err := repoIf.Create(context.Background(), &repoCreateReq)
 			errors.CheckError(err)
 			fmt.Printf("repository '%s' added\n", createdRepo.Repo)
 		},
@@ -78,6 +88,7 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command.Flags().StringVar(&repo.Username, "username", "", "username to the repository")
 	command.Flags().StringVar(&repo.Password, "password", "", "password to the repository")
 	command.Flags().StringVar(&sshPrivateKeyPath, "sshPrivateKeyPath", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
+	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
 	return command
 }
 
@@ -113,9 +124,9 @@ func NewRepoListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			repos, err := repoIf.List(context.Background(), &repository.RepoQuery{})
 			errors.CheckError(err)
 			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "REPO\tUSER\tMESSAGE\n")
+			fmt.Fprintf(w, "REPO\tUSER\tSTATUS\tMESSAGE\n")
 			for _, r := range repos.Items {
-				fmt.Fprintf(w, "%s\t%s\t%s\n", r.Repo, r.Username, r.Message)
+				fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", r.Repo, r.Username, r.ConnectionState.Status, r.ConnectionState.Message)
 			}
 			_ = w.Flush()
 		},

cmd/argocd/commands/root.go

@@ -28,9 +28,9 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(NewApplicationCommand(&clientOpts))
 	command.AddCommand(NewLoginCommand(&clientOpts))
 	command.AddCommand(NewRepoCommand(&clientOpts))
-	command.AddCommand(NewInstallCommand())
-	command.AddCommand(NewUninstallCommand())
 	command.AddCommand(NewContextCommand(&clientOpts))
+	command.AddCommand(NewProjectCommand(&clientOpts))
+	command.AddCommand(NewAccountCommand(&clientOpts))
 
 	defaultLocalConfigPath, err := localconfig.DefaultLocalConfigPath()
 	errors.CheckError(err)

cmd/argocd/commands/uninstall.go

@@ -1,40 +0,0 @@
-package commands
-
-import (
-	"github.com/argoproj/argo-cd/errors"
-	"github.com/argoproj/argo-cd/install"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/spf13/cobra"
-	"k8s.io/client-go/tools/clientcmd"
-)
-
-// NewUninstallCommand returns a new instance of `argocd install` command
-func NewUninstallCommand() *cobra.Command {
-	var (
-		clientConfig    clientcmd.ClientConfig
-		installOpts     install.InstallOptions
-		deleteNamespace bool
-		deleteCRD       bool
-	)
-	var command = &cobra.Command{
-		Use:   "uninstall",
-		Short: "Uninstall Argo CD",
-		Long:  "Uninstall Argo CD",
-		Run: func(c *cobra.Command, args []string) {
-			conf, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, wasSpecified, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			if wasSpecified {
-				installOpts.Namespace = namespace
-			}
-			installer, err := install.NewInstaller(conf, installOpts)
-			errors.CheckError(err)
-			installer.Uninstall(deleteNamespace, deleteCRD)
-		},
-	}
-	clientConfig = cli.AddKubectlFlagsToCmd(command)
-	command.Flags().BoolVar(&deleteNamespace, "delete-namespace", false, "Also delete the namespace during uninstall")
-	command.Flags().BoolVar(&deleteCRD, "delete-crd", false, "Also delete the Application CRD during uninstall")
-	return command
-}

common/common.go

@@ -1,8 +1,9 @@
 package common
 
 import (
-	"github.com/argoproj/argo-cd/pkg/apis/application"
 	rbacv1 "k8s.io/api/rbac/v1"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application"
 )
 
 const (
@@ -19,12 +20,16 @@ const (
 	AuthCookieName = "argocd.token"
 	// ResourcesFinalizerName is a number of application CRD finalizer
 	ResourcesFinalizerName = "resources-finalizer." + MetadataPrefix
+
+	// KubernetesInternalAPIServerAddr is address of the k8s API server when accessing internal to the cluster
+	KubernetesInternalAPIServerAddr = "https://kubernetes.default.svc"
 )
 
 const (
-	ArgoCDAdminUsername = "admin"
-	ArgoCDSecretName    = "argocd-secret"
-	ArgoCDConfigMapName = "argocd-cm"
+	ArgoCDAdminUsername     = "admin"
+	ArgoCDSecretName        = "argocd-secret"
+	ArgoCDConfigMapName     = "argocd-cm"
+	ArgoCDRBACConfigMapName = "argocd-rbac-cm"
 )
 
 const (
@@ -44,6 +49,10 @@ const (
 	ArgoCDCLIClientAppID = "argo-cd-cli"
 	// EnvVarSSODebug is an environment variable to enable additional OAuth debugging in the API server
 	EnvVarSSODebug = "ARGOCD_SSO_DEBUG"
+	// EnvVarRBACDebug is an environment variable to enable additional RBAC debugging in the API server
+	EnvVarRBACDebug = "ARGOCD_RBAC_DEBUG"
+	// DefaultAppProjectName contains name of default app project. The default app project allows deploying application to any cluster.
+	DefaultAppProjectName = "default"
 )
 
 var (
@@ -53,6 +62,18 @@ var (
 	// LabelKeySecretType contains the type of argocd secret (either 'cluster' or 'repo')
 	LabelKeySecretType = MetadataPrefix + "/secret-type"
 
+	// AnnotationConnectionStatus contains connection state status
+	AnnotationConnectionStatus = MetadataPrefix + "/connection-status"
+	// AnnotationConnectionMessage contains additional information about connection status
+	AnnotationConnectionMessage = MetadataPrefix + "/connection-message"
+	// AnnotationConnectionModifiedAt contains timestamp when connection state had been modified
+	AnnotationConnectionModifiedAt = MetadataPrefix + "/connection-modified-at"
+
+	// AnnotationHook contains the hook type of a resource
+	AnnotationHook = MetadataPrefix + "/hook"
+	// AnnotationHookDeletePolicy is the policy of deleting a hook
+	AnnotationHookDeletePolicy = MetadataPrefix + "/hook-delete-policy"
+
 	// LabelKeyApplicationControllerInstanceID is the label which allows to separate application among multiple running application controllers.
 	LabelKeyApplicationControllerInstanceID = application.ApplicationFullName + "/controller-instanceid"
 

controller/appcontroller.go

@@ -4,16 +4,11 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"reflect"
 	"runtime/debug"
 	"sync"
 	"time"
 
-	"github.com/argoproj/argo-cd/common"
-	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	appinformers "github.com/argoproj/argo-cd/pkg/client/informers/externalversions"
-	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/kube"
 	log "github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -23,11 +18,22 @@ import (
 	"k8s.io/apimachinery/pkg/selection"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/apimachinery/pkg/util/strategicpatch"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/util/workqueue"
+
+	"github.com/argoproj/argo-cd/common"
+	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
+	appinformers "github.com/argoproj/argo-cd/pkg/client/informers/externalversions"
+	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/util/argo"
+	"github.com/argoproj/argo-cd/util/db"
+	"github.com/argoproj/argo-cd/util/health"
+	"github.com/argoproj/argo-cd/util/kube"
 )
 
 const (
@@ -44,8 +50,8 @@ type ApplicationController struct {
 	appOperationQueue     workqueue.RateLimitingInterface
 	appInformer           cache.SharedIndexInformer
 	appStateManager       AppStateManager
-	appHealthManager      AppHealthManager
 	statusRefreshTimeout  time.Duration
+	repoClientset         reposerver.Clientset
 	db                    db.ArgoDB
 	forceRefreshApps      map[string]bool
 	forceRefreshAppsMutex *sync.Mutex
@@ -61,9 +67,9 @@ func NewApplicationController(
 	namespace string,
 	kubeClientset kubernetes.Interface,
 	applicationClientset appclientset.Interface,
+	repoClientset reposerver.Clientset,
 	db db.ArgoDB,
 	appStateManager AppStateManager,
-	appHealthManager AppHealthManager,
 	appResyncPeriod time.Duration,
 	config *ApplicationControllerConfig,
 ) *ApplicationController {
@@ -73,10 +79,10 @@ func NewApplicationController(
 		namespace:             namespace,
 		kubeClientset:         kubeClientset,
 		applicationClientset:  applicationClientset,
+		repoClientset:         repoClientset,
 		appRefreshQueue:       appRefreshQueue,
 		appOperationQueue:     appOperationQueue,
 		appStateManager:       appStateManager,
-		appHealthManager:      appHealthManager,
 		appInformer:           newApplicationInformer(applicationClientset, appRefreshQueue, appOperationQueue, appResyncPeriod, config),
 		db:                    db,
 		statusRefreshTimeout:  appResyncPeriod,
@@ -155,7 +161,7 @@ func (ctrl *ApplicationController) watchClusterResources(ctx context.Context, it
 
 }
 
-// watchAppsResources watches for resource changes annotated with application label on all registered clusters and schedule corresponding app refresh.
+// WatchAppsResources watches for resource changes annotated with application label on all registered clusters and schedule corresponding app refresh.
 func (ctrl *ApplicationController) watchAppsResources() {
 	watchingClusters := make(map[string]context.CancelFunc)
 
@@ -310,102 +316,101 @@ func (ctrl *ApplicationController) setAppCondition(app *appv1.Application, condi
 }
 
 func (ctrl *ApplicationController) processRequestedAppOperation(app *appv1.Application) {
-	state := appv1.OperationState{Phase: appv1.OperationRunning, Operation: *app.Operation, StartedAt: metav1.Now()}
+	var state *appv1.OperationState
 	// Recover from any unexpected panics and automatically set the status to be failed
 	defer func() {
 		if r := recover(); r != nil {
 			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
-			// TODO: consider adding Error OperationStatus in addition to Failed
 			state.Phase = appv1.OperationError
 			if rerr, ok := r.(error); ok {
 				state.Message = rerr.Error()
 			} else {
 				state.Message = fmt.Sprintf("%v", r)
 			}
-			ctrl.setOperationState(app.Name, state, app.Operation)
+			ctrl.setOperationState(app, state)
 		}
 	}()
-	if app.Status.OperationState != nil && !app.Status.OperationState.Phase.Completed() {
-		// If we get here, we are about process an operation but we notice it is already Running.
-		// We need to detect if the controller crashed before completing the operation, or if the
-		// the app object we pulled off the informer is simply stale and doesn't reflect the fact
-		// that the operation is completed. We don't want to perform the operation again. To detect
-		// this, always retrieve the latest version to ensure it is not stale.
+	if isOperationInProgress(app) {
+		// If we get here, we are about process an operation but we notice it is already in progress.
+		// We need to detect if the app object we pulled off the informer is stale and doesn't
+		// reflect the fact that the operation is completed. We don't want to perform the operation
+		// again. To detect this, always retrieve the latest version to ensure it is not stale.
 		freshApp, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(ctrl.namespace).Get(app.ObjectMeta.Name, metav1.GetOptions{})
 		if err != nil {
 			log.Errorf("Failed to retrieve latest application state: %v", err)
 			return
 		}
-		if freshApp.Status.OperationState == nil || freshApp.Status.OperationState.Phase.Completed() {
+		if !isOperationInProgress(freshApp) {
 			log.Infof("Skipping operation on stale application state (%s)", app.ObjectMeta.Name)
 			return
 		}
-		log.Warnf("Found interrupted application operation %s %v", app.ObjectMeta.Name, app.Status.OperationState)
+		app = freshApp
+		state = app.Status.OperationState.DeepCopy()
+		log.Infof("Resuming in-progress operation. app: %s, phase: %s, message: %s", app.ObjectMeta.Name, state.Phase, state.Message)
 	} else {
-		ctrl.setOperationState(app.Name, state, app.Operation)
+		state = &appv1.OperationState{Phase: appv1.OperationRunning, Operation: *app.Operation, StartedAt: metav1.Now()}
+		ctrl.setOperationState(app, state)
+		log.Infof("Initialized new operation. app: %s, operation: %v", app.ObjectMeta.Name, *app.Operation)
 	}
+	ctrl.appStateManager.SyncAppState(app, state)
 
-	if app.Operation.Sync != nil {
-		opRes := ctrl.appStateManager.SyncAppState(app, app.Operation.Sync.Revision, nil, app.Operation.Sync.DryRun, app.Operation.Sync.Prune)
-		state.Phase = opRes.Phase
-		state.Message = opRes.Message
-		state.SyncResult = opRes.SyncResult
-	} else if app.Operation.Rollback != nil {
-		var deploymentInfo *appv1.DeploymentInfo
-		for _, info := range app.Status.History {
-			if info.ID == app.Operation.Rollback.ID {
-				deploymentInfo = &info
-				break
+	if state.Phase == appv1.OperationRunning {
+		// It's possible for an app to be terminated while we were operating on it. We do not want
+		// to clobber the Terminated state with Running. Get the latest app state to check for this.
+		freshApp, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(ctrl.namespace).Get(app.ObjectMeta.Name, metav1.GetOptions{})
+		if err == nil {
+			if freshApp.Status.OperationState != nil && freshApp.Status.OperationState.Phase == appv1.OperationTerminating {
+				state.Phase = appv1.OperationTerminating
+				state.Message = "operation is terminating"
+				// after this, we will get requeued to the workqueue, but next time the
+				// SyncAppState will operate in a Terminating phase, allowing the worker to perform
+				// cleanup (e.g. delete jobs, workflows, etc...)
 			}
 		}
-		if deploymentInfo == nil {
-			state.Phase = appv1.OperationFailed
-			state.Message = fmt.Sprintf("application %s does not have deployment with id %v", app.Name, app.Operation.Rollback.ID)
-		} else {
-			opRes := ctrl.appStateManager.SyncAppState(app, deploymentInfo.Revision, &deploymentInfo.ComponentParameterOverrides, app.Operation.Rollback.DryRun, app.Operation.Rollback.Prune)
-			state.Phase = opRes.Phase
-			state.Message = opRes.Message
-			state.RollbackResult = opRes.SyncResult
-		}
-	} else {
-		state.Phase = appv1.OperationFailed
-		state.Message = "Invalid operation request"
 	}
-	ctrl.setOperationState(app.Name, state, app.Operation)
+
+	ctrl.setOperationState(app, state)
+	if state.Phase.Completed() {
+		// if we just completed an operation, force a refresh so that UI will report up-to-date
+		// sync/health information
+		ctrl.forceAppRefresh(app.ObjectMeta.Name)
+	}
 }
 
-func (ctrl *ApplicationController) setOperationState(appName string, state appv1.OperationState, operation *appv1.Operation) {
+func (ctrl *ApplicationController) setOperationState(app *appv1.Application, state *appv1.OperationState) {
 	retryUntilSucceed(func() error {
-		var inProgressOpValue *appv1.Operation
 		if state.Phase == "" {
 			// expose any bugs where we neglect to set phase
 			panic("no phase was set")
 		}
-		if !state.Phase.Completed() {
-			// If operation is still running, we populate the app.operation field, which prevents
-			// any other operation from running at the same time. Otherwise, it is cleared by setting
-			// it to nil which indicates no operation is in progress.
-			inProgressOpValue = operation
-		} else {
-			nowTime := metav1.Now()
-			state.FinishedAt = &nowTime
+		if state.Phase.Completed() {
+			now := metav1.Now()
+			state.FinishedAt = &now
 		}
-
-		patch, err := json.Marshal(map[string]interface{}{
+		patch := map[string]interface{}{
 			"status": map[string]interface{}{
 				"operationState": state,
 			},
-			"operation": inProgressOpValue,
-		})
+		}
+		if state.Phase.Completed() {
+			// If operation is completed, clear the operation field to indicate no operation is
+			// in progress.
+			patch["operation"] = nil
+		}
+		if reflect.DeepEqual(app.Status.OperationState, state) {
+			log.Infof("No operation updates necessary to '%s'. Skipping patch", app.Name)
+			return nil
+		}
+		patchJSON, err := json.Marshal(patch)
 		if err != nil {
 			return err
 		}
 		appClient := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(ctrl.namespace)
-		_, err = appClient.Patch(appName, types.MergePatchType, patch)
+		_, err = appClient.Patch(app.Name, types.MergePatchType, patchJSON)
 		if err != nil {
 			return err
 		}
-		log.Infof("updated '%s' operation (phase: %s)", appName, state.Phase)
+		log.Infof("updated '%s' operation (phase: %s)", app.Name, state.Phase)
 		return nil
 	}, "Update application operation state", context.Background(), updateOperationStateTimeout)
 }
@@ -415,10 +420,8 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	if shutdown {
 		processNext = false
 		return
-	} else {
-		processNext = true
 	}
-
+	processNext = true
 	defer func() {
 		if r := recover(); r != nil {
 			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
@@ -440,64 +443,193 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		log.Warnf("Key '%s' in index is not an application", appKey)
 		return
 	}
-
-	isForceRefreshed := ctrl.isRefreshForced(app.Name)
-	if isForceRefreshed || app.NeedRefreshAppStatus(ctrl.statusRefreshTimeout) {
-		log.Infof("Refreshing application '%s' status (force refreshed: %v)", app.Name, isForceRefreshed)
-
-		comparisonResult, parameters, healthState, err := ctrl.tryRefreshAppStatus(app.DeepCopy())
-		if err != nil {
-			comparisonResult = &appv1.ComparisonResult{
-				Status:     appv1.ComparisonStatusError,
-				Error:      fmt.Sprintf("Failed to get application status for application '%s': %v", app.Name, err),
-				ComparedTo: app.Spec.Source,
-				ComparedAt: metav1.Time{Time: time.Now().UTC()},
-			}
-			parameters = nil
-			healthState = &appv1.HealthStatus{Status: appv1.HealthStatusUnknown}
-		}
-		ctrl.updateAppStatus(app.Name, app.Namespace, comparisonResult, parameters, *healthState)
+	if !ctrl.needRefreshAppStatus(app, ctrl.statusRefreshTimeout) {
+		return
 	}
 
+	app = app.DeepCopy()
+	conditions, hasErrors := ctrl.refreshAppConditions(app)
+	if hasErrors {
+		comparisonResult := app.Status.ComparisonResult.DeepCopy()
+		comparisonResult.Status = appv1.ComparisonStatusUnknown
+		health := app.Status.Health.DeepCopy()
+		health.Status = appv1.HealthStatusUnknown
+		ctrl.updateAppStatus(app, comparisonResult, health, nil, conditions)
+		return
+	}
+
+	comparisonResult, manifestInfo, compConditions, err := ctrl.appStateManager.CompareAppState(app, "", nil)
+	if err != nil {
+		conditions = append(conditions, appv1.ApplicationCondition{Type: appv1.ApplicationConditionComparisonError, Message: err.Error()})
+	} else {
+		conditions = append(conditions, compConditions...)
+	}
+
+	var parameters []*appv1.ComponentParameter
+	if manifestInfo != nil {
+		parameters = manifestInfo.Params
+	}
+
+	healthState, err := setApplicationHealth(comparisonResult)
+	if err != nil {
+		conditions = append(conditions, appv1.ApplicationCondition{Type: appv1.ApplicationConditionComparisonError, Message: err.Error()})
+	}
+	ctrl.updateAppStatus(app, comparisonResult, healthState, parameters, conditions)
 	return
 }
 
-func (ctrl *ApplicationController) tryRefreshAppStatus(app *appv1.Application) (*appv1.ComparisonResult, *[]appv1.ComponentParameter, *appv1.HealthStatus, error) {
-	comparisonResult, manifestInfo, err := ctrl.appStateManager.CompareAppState(app)
-	if err != nil {
-		return nil, nil, nil, err
+// needRefreshAppStatus answers if application status needs to be refreshed.
+// Returns true if application never been compared, has changed or comparison result has expired.
+func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application, statusRefreshTimeout time.Duration) bool {
+	var reason string
+	if ctrl.isRefreshForced(app.Name) {
+		reason = "force refresh"
+	} else if app.Status.ComparisonResult.Status == appv1.ComparisonStatusUnknown {
+		reason = "comparison status unknown"
+	} else if !app.Spec.Source.Equals(app.Status.ComparisonResult.ComparedTo) {
+		reason = "spec.source differs"
+	} else if app.Status.ComparisonResult.ComparedAt.Add(statusRefreshTimeout).Before(time.Now().UTC()) {
+		reason = fmt.Sprintf("comparison expired. comparedAt: %v, expiry: %v", app.Status.ComparisonResult.ComparedAt, statusRefreshTimeout)
 	}
-	log.Infof("App %s comparison result: prev: %s. current: %s", app.Name, app.Status.ComparisonResult.Status, comparisonResult.Status)
-
-	parameters := make([]appv1.ComponentParameter, len(manifestInfo.Params))
-	for i := range manifestInfo.Params {
-		parameters[i] = *manifestInfo.Params[i]
+	if reason != "" {
+		log.Infof("Refreshing application '%s' status (%s)", app.Name, reason)
+		return true
 	}
-	healthState, err := ctrl.appHealthManager.GetAppHealth(app.Spec.Destination.Server, app.Spec.Destination.Namespace, comparisonResult)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-	return comparisonResult, &parameters, healthState, nil
+	return false
 }
 
-func (ctrl *ApplicationController) updateAppStatus(
-	appName string, namespace string, comparisonResult *appv1.ComparisonResult, parameters *[]appv1.ComponentParameter, healthState appv1.HealthStatus) {
-	statusPatch := make(map[string]interface{})
-	statusPatch["comparisonResult"] = comparisonResult
-	statusPatch["parameters"] = parameters
-	statusPatch["health"] = healthState
-	patch, err := json.Marshal(map[string]interface{}{
-		"status": statusPatch,
-	})
-
-	if err == nil {
-		appClient := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(namespace)
-		_, err = appClient.Patch(appName, types.MergePatchType, patch)
-	}
+func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application) ([]appv1.ApplicationCondition, bool) {
+	conditions := make([]appv1.ApplicationCondition, 0)
+	proj, err := argo.GetAppProject(&app.Spec, ctrl.applicationClientset, ctrl.namespace)
 	if err != nil {
-		log.Warnf("Error updating application: %v", err)
+		if errors.IsNotFound(err) {
+			conditions = append(conditions, appv1.ApplicationCondition{
+				Type:    appv1.ApplicationConditionInvalidSpecError,
+				Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
+			})
+		} else {
+			conditions = append(conditions, appv1.ApplicationCondition{
+				Type:    appv1.ApplicationConditionUnknownError,
+				Message: err.Error(),
+			})
+		}
 	} else {
-		log.Info("Application update successful")
+		specConditions, err := argo.GetSpecErrors(context.Background(), &app.Spec, proj, ctrl.repoClientset, ctrl.db)
+		if err != nil {
+			conditions = append(conditions, appv1.ApplicationCondition{
+				Type:    appv1.ApplicationConditionUnknownError,
+				Message: err.Error(),
+			})
+		} else {
+			conditions = append(conditions, specConditions...)
+		}
+	}
+
+	// List of condition types which have to be reevaluated by controller; all remaining conditions should stay as is.
+	reevaluateTypes := map[appv1.ApplicationConditionType]bool{
+		appv1.ApplicationConditionInvalidSpecError:      true,
+		appv1.ApplicationConditionUnknownError:          true,
+		appv1.ApplicationConditionComparisonError:       true,
+		appv1.ApplicationConditionSharedResourceWarning: true,
+	}
+	appConditions := make([]appv1.ApplicationCondition, 0)
+	for i := 0; i < len(app.Status.Conditions); i++ {
+		condition := app.Status.Conditions[i]
+		if _, ok := reevaluateTypes[condition.Type]; !ok {
+			appConditions = append(appConditions, condition)
+		}
+	}
+	hasErrors := false
+	for i := range conditions {
+		condition := conditions[i]
+		appConditions = append(appConditions, condition)
+		if condition.IsError() {
+			hasErrors = true
+		}
+
+	}
+	return appConditions, hasErrors
+}
+
+// setApplicationHealth updates the health statuses of all resources performed in the comparison
+func setApplicationHealth(comparisonResult *appv1.ComparisonResult) (*appv1.HealthStatus, error) {
+	appHealth := appv1.HealthStatus{Status: appv1.HealthStatusHealthy}
+	if comparisonResult.Status == appv1.ComparisonStatusUnknown {
+		appHealth.Status = appv1.HealthStatusUnknown
+	}
+	for i, resource := range comparisonResult.Resources {
+		if resource.LiveState == "null" {
+			resource.Health = appv1.HealthStatus{Status: appv1.HealthStatusMissing}
+		} else {
+			var obj unstructured.Unstructured
+			err := json.Unmarshal([]byte(resource.LiveState), &obj)
+			if err != nil {
+				return nil, err
+			}
+			healthState, err := health.GetAppHealth(&obj)
+			if err != nil {
+				return nil, err
+			}
+			resource.Health = *healthState
+		}
+		comparisonResult.Resources[i] = resource
+		if health.IsWorse(appHealth.Status, resource.Health.Status) {
+			appHealth.Status = resource.Health.Status
+		}
+	}
+	return &appHealth, nil
+}
+
+// updateAppStatus persists updates to application status. Detects if there patch
+func (ctrl *ApplicationController) updateAppStatus(
+	app *appv1.Application,
+	comparisonResult *appv1.ComparisonResult,
+	healthState *appv1.HealthStatus,
+	parameters []*appv1.ComponentParameter,
+	conditions []appv1.ApplicationCondition,
+) {
+	modifiedApp := app.DeepCopy()
+	if comparisonResult != nil {
+		modifiedApp.Status.ComparisonResult = *comparisonResult
+		log.Infof("App %s comparison result: prev: %s. current: %s", app.Name, app.Status.ComparisonResult.Status, comparisonResult.Status)
+	}
+	if healthState != nil {
+		modifiedApp.Status.Health = *healthState
+	}
+	if parameters != nil {
+		modifiedApp.Status.Parameters = make([]appv1.ComponentParameter, len(parameters))
+		for i := range parameters {
+			modifiedApp.Status.Parameters[i] = *parameters[i]
+		}
+	}
+	if conditions != nil {
+		modifiedApp.Status.Conditions = conditions
+	}
+	origBytes, err := json.Marshal(app)
+	if err != nil {
+		log.Errorf("Error updating application %s (marshal orig app): %v", app.Name, err)
+		return
+	}
+	modifiedBytes, err := json.Marshal(modifiedApp)
+	if err != nil {
+		log.Errorf("Error updating application %s (marshal modified app): %v", app.Name, err)
+		return
+	}
+	patch, err := strategicpatch.CreateTwoWayMergePatch(origBytes, modifiedBytes, appv1.Application{})
+	if err != nil {
+		log.Errorf("Error calculating patch for app %s update: %v", app.Name, err)
+		return
+	}
+	if string(patch) == "{}" {
+		log.Infof("No status changes to %s. Skipping patch", app.Name)
+		return
+	}
+	appClient := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace)
+	_, err = appClient.Patch(app.Name, types.MergePatchType, patch)
+	if err != nil {
+		log.Warnf("Error updating application %s: %v", app.Name, err)
+	} else {
+		log.Infof("Application %s update successful", app.Name)
 	}
 }
 
@@ -558,3 +690,7 @@ func newApplicationInformer(
 	)
 	return informer
 }
+
+func isOperationInProgress(app *appv1.Application) bool {
+	return app.Status.OperationState != nil && !app.Status.OperationState.Phase.Completed()
+}

controller/health.go

@@ -1,137 +0,0 @@
-package controller
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-
-	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/kube"
-	"k8s.io/api/apps/v1"
-	coreV1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
-)
-
-const (
-	maxHistoryCnt = 5
-)
-
-type AppHealthManager interface {
-	GetAppHealth(server string, namespace string, comparisonResult *appv1.ComparisonResult) (*appv1.HealthStatus, error)
-}
-
-type kubeAppHealthManager struct {
-	db        db.ArgoDB
-	namespace string
-}
-
-func NewAppHealthManager(db db.ArgoDB, namespace string) AppHealthManager {
-	return &kubeAppHealthManager{db: db, namespace: namespace}
-}
-
-func (ctrl *kubeAppHealthManager) getServiceHealth(config *rest.Config, namespace string, name string) (*appv1.HealthStatus, error) {
-	clientSet, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		return nil, err
-	}
-	service, err := clientSet.CoreV1().Services(namespace).Get(name, metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-	health := appv1.HealthStatus{Status: appv1.HealthStatusHealthy}
-	if service.Spec.Type == coreV1.ServiceTypeLoadBalancer {
-		health.Status = appv1.HealthStatusProgressing
-		for _, ingress := range service.Status.LoadBalancer.Ingress {
-			if ingress.Hostname != "" || ingress.IP != "" {
-				health.Status = appv1.HealthStatusHealthy
-				break
-			}
-		}
-	}
-	return &health, nil
-}
-
-func (ctrl *kubeAppHealthManager) getDeploymentHealth(config *rest.Config, namespace string, name string) (*appv1.HealthStatus, error) {
-	clientSet, err := kubernetes.NewForConfig(config)
-	if err != nil {
-		return nil, err
-	}
-	deploy, err := clientSet.AppsV1().Deployments(namespace).Get(name, metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-	health := appv1.HealthStatus{
-		Status: appv1.HealthStatusUnknown,
-	}
-	for _, condition := range deploy.Status.Conditions {
-		// deployment is healthy is it successfully progressed
-		if condition.Type == v1.DeploymentProgressing && condition.Status == "True" {
-			health.Status = appv1.HealthStatusHealthy
-		} else if condition.Type == v1.DeploymentReplicaFailure && condition.Status == "True" {
-			health.Status = appv1.HealthStatusDegraded
-		} else if condition.Type == v1.DeploymentProgressing && condition.Status == "False" {
-			health.Status = appv1.HealthStatusDegraded
-		} else if condition.Type == v1.DeploymentAvailable && condition.Status == "False" {
-			health.Status = appv1.HealthStatusDegraded
-		}
-		if health.Status != appv1.HealthStatusUnknown {
-			health.StatusDetails = fmt.Sprintf("%s:%s", condition.Reason, condition.Message)
-			break
-		}
-	}
-	return &health, nil
-}
-
-func (ctrl *kubeAppHealthManager) GetAppHealth(server string, namespace string, comparisonResult *appv1.ComparisonResult) (*appv1.HealthStatus, error) {
-	clst, err := ctrl.db.GetCluster(context.Background(), server)
-	if err != nil {
-		return nil, err
-	}
-	restConfig := clst.RESTConfig()
-
-	appHealth := appv1.HealthStatus{Status: appv1.HealthStatusHealthy}
-	for i := range comparisonResult.Resources {
-		resource := comparisonResult.Resources[i]
-		if resource.LiveState == "null" {
-			resource.Health = appv1.HealthStatus{Status: appv1.HealthStatusUnknown}
-		} else {
-			var obj unstructured.Unstructured
-			err := json.Unmarshal([]byte(resource.LiveState), &obj)
-			if err != nil {
-				return nil, err
-			}
-			switch obj.GetKind() {
-			case kube.DeploymentKind:
-				state, err := ctrl.getDeploymentHealth(restConfig, namespace, obj.GetName())
-				if err != nil {
-					return nil, err
-				}
-				resource.Health = *state
-			case kube.ServiceKind:
-				state, err := ctrl.getServiceHealth(restConfig, namespace, obj.GetName())
-				if err != nil {
-					return nil, err
-				}
-				resource.Health = *state
-			default:
-				resource.Health = appv1.HealthStatus{Status: appv1.HealthStatusHealthy}
-			}
-
-			if resource.Health.Status == appv1.HealthStatusProgressing {
-				if appHealth.Status == appv1.HealthStatusHealthy {
-					appHealth.Status = appv1.HealthStatusProgressing
-				}
-			} else if resource.Health.Status == appv1.HealthStatusDegraded {
-				if appHealth.Status == appv1.HealthStatusHealthy || appHealth.Status == appv1.HealthStatusProgressing {
-					appHealth.Status = appv1.HealthStatusDegraded
-				}
-			}
-		}
-		comparisonResult.Resources[i] = resource
-	}
-	return &appHealth, nil
-}

controller/secretcontroller.go

@@ -0,0 +1,205 @@
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"time"
+
+	"runtime/debug"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/reposerver/repository"
+	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/db"
+	log "github.com/sirupsen/logrus"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/selection"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/workqueue"
+)
+
+type SecretController struct {
+	kubeClient     kubernetes.Interface
+	secretQueue    workqueue.RateLimitingInterface
+	secretInformer cache.SharedIndexInformer
+	repoClientset  reposerver.Clientset
+	namespace      string
+}
+
+func (ctrl *SecretController) Run(ctx context.Context) {
+	go ctrl.secretInformer.Run(ctx.Done())
+	if !cache.WaitForCacheSync(ctx.Done(), ctrl.secretInformer.HasSynced) {
+		log.Error("Timed out waiting for caches to sync")
+		return
+	}
+	go wait.Until(func() {
+		for ctrl.processSecret() {
+		}
+	}, time.Second, ctx.Done())
+}
+
+func (ctrl *SecretController) processSecret() (processNext bool) {
+	secretKey, shutdown := ctrl.secretQueue.Get()
+	if shutdown {
+		processNext = false
+		return
+	} else {
+		processNext = true
+	}
+
+	defer func() {
+		if r := recover(); r != nil {
+			log.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
+		}
+		ctrl.secretQueue.Done(secretKey)
+	}()
+	obj, exists, err := ctrl.secretInformer.GetIndexer().GetByKey(secretKey.(string))
+	if err != nil {
+		log.Errorf("Failed to get secret '%s' from informer index: %+v", secretKey, err)
+		return
+	}
+	if !exists {
+		// This happens after secret was deleted, but the work queue still had an entry for it.
+		return
+	}
+	secret, ok := obj.(*corev1.Secret)
+	if !ok {
+		log.Warnf("Key '%s' in index is not an secret", secretKey)
+		return
+	}
+
+	if secret.Labels[common.LabelKeySecretType] == common.SecretTypeCluster {
+		cluster := db.SecretToCluster(secret)
+		ctrl.updateState(secret, ctrl.getClusterState(cluster))
+	} else if secret.Labels[common.LabelKeySecretType] == common.SecretTypeRepository {
+		repo := db.SecretToRepo(secret)
+		ctrl.updateState(secret, ctrl.getRepoConnectionState(repo))
+	}
+
+	return
+}
+
+func (ctrl *SecretController) getRepoConnectionState(repo *v1alpha1.Repository) v1alpha1.ConnectionState {
+	state := v1alpha1.ConnectionState{
+		ModifiedAt: repo.ConnectionState.ModifiedAt,
+		Status:     v1alpha1.ConnectionStatusUnknown,
+	}
+	closer, client, err := ctrl.repoClientset.NewRepositoryClient()
+	if err != nil {
+		log.Errorf("Unable to create repository client: %v", err)
+		return state
+	}
+
+	defer util.Close(closer)
+
+	_, err = client.ListDir(context.Background(), &repository.ListDirRequest{Repo: repo, Path: ".gitignore"})
+	if err == nil {
+		state.Status = v1alpha1.ConnectionStatusSuccessful
+	} else {
+		state.Status = v1alpha1.ConnectionStatusFailed
+		state.Message = err.Error()
+	}
+
+	return state
+}
+
+func (ctrl *SecretController) getClusterState(cluster *v1alpha1.Cluster) v1alpha1.ConnectionState {
+	state := v1alpha1.ConnectionState{
+		ModifiedAt: cluster.ConnectionState.ModifiedAt,
+		Status:     v1alpha1.ConnectionStatusUnknown,
+	}
+	kubeClientset, err := kubernetes.NewForConfig(cluster.RESTConfig())
+	if err == nil {
+		_, err = kubeClientset.Discovery().ServerVersion()
+	}
+	if err == nil {
+		state.Status = v1alpha1.ConnectionStatusSuccessful
+	} else {
+		state.Status = v1alpha1.ConnectionStatusFailed
+		state.Message = err.Error()
+	}
+
+	return state
+}
+
+func (ctrl *SecretController) updateState(secret *corev1.Secret, state v1alpha1.ConnectionState) {
+	annotationsPatch := make(map[string]string)
+	for key, value := range db.AnnotationsFromConnectionState(&state) {
+		if secret.Annotations[key] != value {
+			annotationsPatch[key] = value
+		}
+	}
+	if len(annotationsPatch) > 0 {
+		annotationsPatch[common.AnnotationConnectionModifiedAt] = metav1.Now().Format(time.RFC3339)
+		patchData, err := json.Marshal(map[string]interface{}{
+			"metadata": map[string]interface{}{
+				"annotations": annotationsPatch,
+			},
+		})
+		if err != nil {
+			log.Warnf("Unable to prepare secret state annotation patch: %v", err)
+		} else {
+			_, err := ctrl.kubeClient.CoreV1().Secrets(secret.Namespace).Patch(secret.Name, types.MergePatchType, patchData)
+			if err != nil {
+				log.Warnf("Unable to patch secret state annotation: %v", err)
+			}
+		}
+	}
+}
+
+func newSecretInformer(client kubernetes.Interface, resyncPeriod time.Duration, namespace string, secretQueue workqueue.RateLimitingInterface) cache.SharedIndexInformer {
+	informerFactory := informers.NewFilteredSharedInformerFactory(
+		client,
+		resyncPeriod,
+		namespace,
+		func(options *metav1.ListOptions) {
+			var req *labels.Requirement
+			req, err := labels.NewRequirement(common.LabelKeySecretType, selection.In, []string{common.SecretTypeCluster, common.SecretTypeRepository})
+			if err != nil {
+				panic(err)
+			}
+
+			options.FieldSelector = fields.Everything().String()
+			labelSelector := labels.NewSelector().Add(*req)
+			options.LabelSelector = labelSelector.String()
+		},
+	)
+	informer := informerFactory.Core().V1().Secrets().Informer()
+	informer.AddEventHandler(
+		cache.ResourceEventHandlerFuncs{
+			AddFunc: func(obj interface{}) {
+				key, err := cache.MetaNamespaceKeyFunc(obj)
+				if err == nil {
+					secretQueue.Add(key)
+				}
+			},
+			UpdateFunc: func(old, new interface{}) {
+				key, err := cache.MetaNamespaceKeyFunc(new)
+				if err == nil {
+					secretQueue.Add(key)
+				}
+			},
+		},
+	)
+	return informer
+}
+
+func NewSecretController(kubeClient kubernetes.Interface, repoClientset reposerver.Clientset, resyncPeriod time.Duration, namespace string) *SecretController {
+	secretQueue := workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter())
+	return &SecretController{
+		kubeClient:     kubeClient,
+		secretQueue:    secretQueue,
+		secretInformer: newSecretInformer(kubeClient, resyncPeriod, namespace, secretQueue),
+		namespace:      namespace,
+		repoClientset:  repoClientset,
+	}
+}

controller/state.go

@@ -6,6 +6,13 @@ import (
 	"fmt"
 	"time"
 
+	log "github.com/sirupsen/logrus"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/dynamic"
+
 	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
@@ -14,25 +21,22 @@ import (
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/db"
 	"github.com/argoproj/argo-cd/util/diff"
-	"github.com/argoproj/argo-cd/util/kube"
 	kubeutil "github.com/argoproj/argo-cd/util/kube"
-	log "github.com/sirupsen/logrus"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/types"
-	"k8s.io/client-go/discovery"
-	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/rest"
+)
+
+const (
+	maxHistoryCnt = 5
 )
 
 // AppStateManager defines methods which allow to compare application spec and actual application state.
 type AppStateManager interface {
-	CompareAppState(app *v1alpha1.Application) (*v1alpha1.ComparisonResult, *repository.ManifestResponse, error)
-	SyncAppState(app *v1alpha1.Application, revision string, overrides *[]v1alpha1.ComponentParameter, dryRun bool, prune bool) *v1alpha1.OperationState
+	CompareAppState(app *v1alpha1.Application, revision string, overrides []v1alpha1.ComponentParameter) (
+		*v1alpha1.ComparisonResult, *repository.ManifestResponse, []v1alpha1.ApplicationCondition, error)
+	SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState)
 }
 
-// KsonnetAppStateManager allows to compare application using KSonnet CLI
-type KsonnetAppStateManager struct {
+// ksonnetAppStateManager allows to compare application using KSonnet CLI
+type ksonnetAppStateManager struct {
 	db            db.ArgoDB
 	appclientset  appclientset.Interface
 	repoClientset reposerver.Clientset
@@ -41,7 +45,7 @@ type KsonnetAppStateManager struct {
 
 // groupLiveObjects deduplicate list of kubernetes resources and choose correct version of resource: if resource has corresponding expected application resource then method pick
 // kubernetes resource with matching version, otherwise chooses single kubernetes resource with any version
-func (ks *KsonnetAppStateManager) groupLiveObjects(liveObjs []*unstructured.Unstructured, targetObjs []*unstructured.Unstructured) map[string]*unstructured.Unstructured {
+func groupLiveObjects(liveObjs []*unstructured.Unstructured, targetObjs []*unstructured.Unstructured) map[string]*unstructured.Unstructured {
 	targetByFullName := make(map[string]*unstructured.Unstructured)
 	for _, obj := range targetObjs {
 		targetByFullName[getResourceFullName(obj)] = obj
@@ -79,19 +83,33 @@ func (ks *KsonnetAppStateManager) groupLiveObjects(liveObjs []*unstructured.Unst
 	return liveByFullName
 }
 
-// CompareAppState compares application spec and real app state using KSonnet
-func (ks *KsonnetAppStateManager) CompareAppState(app *v1alpha1.Application) (*v1alpha1.ComparisonResult, *repository.ManifestResponse, error) {
-	repo := ks.getRepo(app.Spec.Source.RepoURL)
-	conn, repoClient, err := ks.repoClientset.NewRepositoryClient()
+func (s *ksonnetAppStateManager) getTargetObjs(app *v1alpha1.Application, revision string, overrides []v1alpha1.ComponentParameter) ([]*unstructured.Unstructured, *repository.ManifestResponse, error) {
+	repo := s.getRepo(app.Spec.Source.RepoURL)
+	conn, repoClient, err := s.repoClientset.NewRepositoryClient()
 	if err != nil {
 		return nil, nil, err
 	}
 	defer util.Close(conn)
-	overrides := make([]*v1alpha1.ComponentParameter, len(app.Spec.Source.ComponentParameterOverrides))
-	if app.Spec.Source.ComponentParameterOverrides != nil {
+
+	if revision == "" {
+		revision = app.Spec.Source.TargetRevision
+	}
+
+	// Decide what overrides to compare with.
+	var mfReqOverrides []*v1alpha1.ComponentParameter
+	if overrides != nil {
+		// If overrides is supplied, use that
+		mfReqOverrides = make([]*v1alpha1.ComponentParameter, len(overrides))
+		for i := range overrides {
+			item := overrides[i]
+			mfReqOverrides[i] = &item
+		}
+	} else {
+		// Otherwise, use the overrides in the app spec
+		mfReqOverrides = make([]*v1alpha1.ComponentParameter, len(app.Spec.Source.ComponentParameterOverrides))
 		for i := range app.Spec.Source.ComponentParameterOverrides {
 			item := app.Spec.Source.ComponentParameterOverrides[i]
-			overrides[i] = &item
+			mfReqOverrides[i] = &item
 		}
 	}
 
@@ -99,40 +117,52 @@ func (ks *KsonnetAppStateManager) CompareAppState(app *v1alpha1.Application) (*v
 		Repo:                        repo,
 		Environment:                 app.Spec.Source.Environment,
 		Path:                        app.Spec.Source.Path,
-		Revision:                    app.Spec.Source.TargetRevision,
-		ComponentParameterOverrides: overrides,
+		Revision:                    revision,
+		ComponentParameterOverrides: mfReqOverrides,
 		AppLabel:                    app.Name,
 	})
 	if err != nil {
 		return nil, nil, err
 	}
 
-	targetObjs := make([]*unstructured.Unstructured, len(manifestInfo.Manifests))
-	for i, manifest := range manifestInfo.Manifests {
+	targetObjs := make([]*unstructured.Unstructured, 0)
+	for _, manifest := range manifestInfo.Manifests {
 		obj, err := v1alpha1.UnmarshalToUnstructured(manifest)
 		if err != nil {
 			return nil, nil, err
 		}
-		targetObjs[i] = obj
+		if isHook(obj) {
+			continue
+		}
+		targetObjs = append(targetObjs, obj)
 	}
+	return targetObjs, manifestInfo, nil
+}
 
-	server, namespace := app.Spec.Destination.Server, app.Spec.Destination.Namespace
+func (s *ksonnetAppStateManager) getLiveObjs(app *v1alpha1.Application, targetObjs []*unstructured.Unstructured) (
+	[]*unstructured.Unstructured, map[string]*unstructured.Unstructured, error) {
 
-	log.Infof("Comparing app %s state in cluster %s (namespace: %s)", app.ObjectMeta.Name, server, namespace)
 	// Get the REST config for the cluster corresponding to the environment
-	clst, err := ks.db.GetCluster(context.Background(), server)
+	clst, err := s.db.GetCluster(context.Background(), app.Spec.Destination.Server)
 	if err != nil {
 		return nil, nil, err
 	}
 	restConfig := clst.RESTConfig()
 
-	// Retrieve the live versions of the objects
-	liveObjs, err := kubeutil.GetResourcesWithLabel(restConfig, namespace, common.LabelApplicationName, app.Name)
+	// Retrieve the live versions of the objects. exclude any hook objects
+	labeledObjs, err := kubeutil.GetResourcesWithLabel(restConfig, app.Spec.Destination.Namespace, common.LabelApplicationName, app.Name)
 	if err != nil {
 		return nil, nil, err
 	}
+	liveObjs := make([]*unstructured.Unstructured, 0)
+	for _, obj := range labeledObjs {
+		if isHook(obj) {
+			continue
+		}
+		liveObjs = append(liveObjs, obj)
+	}
 
-	liveObjByFullName := ks.groupLiveObjects(liveObjs, targetObjs)
+	liveObjByFullName := groupLiveObjects(liveObjs, targetObjs)
 
 	controlledLiveObj := make([]*unstructured.Unstructured, len(targetObjs))
 
@@ -145,7 +175,7 @@ func (ks *KsonnetAppStateManager) CompareAppState(app *v1alpha1.Application) (*v
 	for i, targetObj := range targetObjs {
 		fullName := getResourceFullName(targetObj)
 		liveObj := liveObjByFullName[fullName]
-		if liveObj == nil {
+		if liveObj == nil && targetObj.GetName() != "" {
 			// If we get here, it indicates we did not find the live resource when querying using
 			// our app label. However, it is possible that the resource was created/modified outside
 			// of ArgoCD. In order to determine that it is truly missing, we fall back to perform a
@@ -159,7 +189,7 @@ func (ks *KsonnetAppStateManager) CompareAppState(app *v1alpha1.Application) (*v
 			if err != nil {
 				return nil, nil, err
 			}
-			liveObj, err = kubeutil.GetLiveResource(dclient, targetObj, apiResource, namespace)
+			liveObj, err = kubeutil.GetLiveResource(dclient, targetObj, apiResource, app.Spec.Destination.Namespace)
 			if err != nil {
 				return nil, nil, err
 			}
@@ -168,6 +198,43 @@ func (ks *KsonnetAppStateManager) CompareAppState(app *v1alpha1.Application) (*v
 		delete(liveObjByFullName, fullName)
 	}
 
+	return controlledLiveObj, liveObjByFullName, nil
+}
+
+// CompareAppState compares application git state to the live app state, using the specified
+// revision and supplied overrides. If revision or overrides are empty, then compares against
+// revision and overrides in the app spec.
+func (s *ksonnetAppStateManager) CompareAppState(app *v1alpha1.Application, revision string, overrides []v1alpha1.ComponentParameter) (
+	*v1alpha1.ComparisonResult, *repository.ManifestResponse, []v1alpha1.ApplicationCondition, error) {
+
+	failedToLoadObjs := false
+	conditions := make([]v1alpha1.ApplicationCondition, 0)
+	targetObjs, manifestInfo, err := s.getTargetObjs(app, revision, overrides)
+	if err != nil {
+		targetObjs = make([]*unstructured.Unstructured, 0)
+		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
+		failedToLoadObjs = true
+	}
+
+	controlledLiveObj, liveObjByFullName, err := s.getLiveObjs(app, targetObjs)
+	if err != nil {
+		controlledLiveObj = make([]*unstructured.Unstructured, len(targetObjs))
+		liveObjByFullName = make(map[string]*unstructured.Unstructured)
+		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
+		failedToLoadObjs = true
+	}
+
+	for _, liveObj := range controlledLiveObj {
+		if liveObj != nil && liveObj.GetLabels() != nil {
+			if appLabelVal, ok := liveObj.GetLabels()[common.LabelApplicationName]; ok && appLabelVal != "" && appLabelVal != app.Name {
+				conditions = append(conditions, v1alpha1.ApplicationCondition{
+					Type:    v1alpha1.ApplicationConditionSharedResourceWarning,
+					Message: fmt.Sprintf("Resource %s/%s is controller by applications '%s' and '%s'", liveObj.GetKind(), liveObj.GetName(), app.Name, appLabelVal),
+				})
+			}
+		}
+	}
+
 	// Move root level live resources to controlledLiveObj and add nil to targetObjs to indicate that target object is missing
 	for fullName := range liveObjByFullName {
 		liveObj := liveObjByFullName[fullName]
@@ -177,11 +244,14 @@ func (ks *KsonnetAppStateManager) CompareAppState(app *v1alpha1.Application) (*v
 		}
 	}
 
+	log.Infof("Comparing app %s state in cluster %s (namespace: %s)", app.ObjectMeta.Name, app.Spec.Destination.Server, app.Spec.Destination.Namespace)
+
 	// Do the actual comparison
 	diffResults, err := diff.DiffArray(targetObjs, controlledLiveObj)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, nil, err
 	}
+
 	comparisonStatus := v1alpha1.ComparisonStatusSynced
 
 	resources := make([]v1alpha1.ResourceState, len(targetObjs))
@@ -206,7 +276,7 @@ func (ks *KsonnetAppStateManager) CompareAppState(app *v1alpha1.Application) (*v
 		} else {
 			targetObjBytes, err := json.Marshal(targetObjs[i].Object)
 			if err != nil {
-				return nil, nil, err
+				return nil, nil, nil, err
 			}
 			resState.TargetState = string(targetObjBytes)
 		}
@@ -219,7 +289,7 @@ func (ks *KsonnetAppStateManager) CompareAppState(app *v1alpha1.Application) (*v
 		} else {
 			liveObjBytes, err := json.Marshal(controlledLiveObj[i].Object)
 			if err != nil {
-				return nil, nil, err
+				return nil, nil, nil, err
 			}
 			resState.LiveState = string(liveObjBytes)
 		}
@@ -232,19 +302,22 @@ func (ks *KsonnetAppStateManager) CompareAppState(app *v1alpha1.Application) (*v
 		if liveResource != nil {
 			childResources, err := getChildren(liveResource, liveObjByFullName)
 			if err != nil {
-				return nil, nil, err
+				return nil, nil, nil, err
 			}
 			resource.ChildLiveResources = childResources
 			resources[i] = resource
 		}
 	}
+	if failedToLoadObjs {
+		comparisonStatus = v1alpha1.ComparisonStatusUnknown
+	}
 	compResult := v1alpha1.ComparisonResult{
 		ComparedTo: app.Spec.Source,
 		ComparedAt: metav1.Time{Time: time.Now().UTC()},
 		Resources:  resources,
 		Status:     comparisonStatus,
 	}
-	return &compResult, manifestInfo, nil
+	return &compResult, manifestInfo, conditions, nil
 }
 
 func hasParent(obj *unstructured.Unstructured) bool {
@@ -286,29 +359,7 @@ func getResourceFullName(obj *unstructured.Unstructured) string {
 	return fmt.Sprintf("%s:%s", obj.GetKind(), obj.GetName())
 }
 
-func (s *KsonnetAppStateManager) SyncAppState(
-	app *v1alpha1.Application, revision string, overrides *[]v1alpha1.ComponentParameter, dryRun bool, prune bool) *v1alpha1.OperationState {
-
-	if revision != "" {
-		app.Spec.Source.TargetRevision = revision
-	}
-
-	if overrides != nil {
-		app.Spec.Source.ComponentParameterOverrides = *overrides
-	}
-
-	opRes, manifest := s.syncAppResources(app, dryRun, prune)
-	if !dryRun && opRes.Phase.Successful() {
-		err := s.persistDeploymentInfo(app, manifest.Revision, manifest.Params, nil)
-		if err != nil {
-			opRes.Phase = v1alpha1.OperationError
-			opRes.Message = fmt.Sprintf("failed to record sync to history: %v", err)
-		}
-	}
-	return opRes
-}
-
-func (s *KsonnetAppStateManager) getRepo(repoURL string) *v1alpha1.Repository {
+func (s *ksonnetAppStateManager) getRepo(repoURL string) *v1alpha1.Repository {
 	repo, err := s.db.GetRepository(context.Background(), repoURL)
 	if err != nil {
 		// If we couldn't retrieve from the repo service, assume public repositories
@@ -317,7 +368,7 @@ func (s *KsonnetAppStateManager) getRepo(repoURL string) *v1alpha1.Repository {
 	return repo
 }
 
-func (s *KsonnetAppStateManager) persistDeploymentInfo(
+func (s *ksonnetAppStateManager) persistDeploymentInfo(
 	app *v1alpha1.Application, revision string, envParams []*v1alpha1.ComponentParameter, overrides *[]v1alpha1.ComponentParameter) error {
 
 	params := make([]v1alpha1.ComponentParameter, len(envParams))
@@ -325,16 +376,16 @@ func (s *KsonnetAppStateManager) persistDeploymentInfo(
 		param := *envParams[i]
 		params[i] = param
 	}
-	var nextId int64 = 0
+	var nextID int64 = 0
 	if len(app.Status.History) > 0 {
-		nextId = app.Status.History[len(app.Status.History)-1].ID + 1
+		nextID = app.Status.History[len(app.Status.History)-1].ID + 1
 	}
 	history := append(app.Status.History, v1alpha1.DeploymentInfo{
 		ComponentParameterOverrides: app.Spec.Source.ComponentParameterOverrides,
 		Revision:                    revision,
 		Params:                      params,
-		DeployedAt:                  metav1.NewTime(time.Now()),
-		ID:                          nextId,
+		DeployedAt:                  metav1.NewTime(time.Now().UTC()),
+		ID:                          nextID,
 	})
 
 	if len(history) > maxHistoryCnt {
@@ -353,131 +404,6 @@ func (s *KsonnetAppStateManager) persistDeploymentInfo(
 	return err
 }
 
-func (s *KsonnetAppStateManager) syncAppResources(
-	app *v1alpha1.Application,
-	dryRun bool,
-	prune bool) (*v1alpha1.OperationState, *repository.ManifestResponse) {
-
-	opRes := v1alpha1.OperationState{
-		SyncResult: &v1alpha1.SyncOperationResult{},
-	}
-
-	comparison, manifestInfo, err := s.CompareAppState(app)
-	if err != nil {
-		opRes.Phase = v1alpha1.OperationError
-		opRes.Message = err.Error()
-		return &opRes, manifestInfo
-	}
-
-	clst, err := s.db.GetCluster(context.Background(), app.Spec.Destination.Server)
-	if err != nil {
-		opRes.Phase = v1alpha1.OperationError
-		opRes.Message = err.Error()
-		return &opRes, manifestInfo
-	}
-	config := clst.RESTConfig()
-
-	opRes.SyncResult.Resources = make([]*v1alpha1.ResourceDetails, len(comparison.Resources))
-	liveObjs := make([]*unstructured.Unstructured, len(comparison.Resources))
-	targetObjs := make([]*unstructured.Unstructured, len(comparison.Resources))
-
-	// First perform a `kubectl apply --dry-run` against all the manifests. This will detect most
-	// (but not all) validation issues with the users' manifests (e.g. will detect syntax issues,
-	// but will not not detect if they are mutating immutable fields). If anything fails, we will
-	// refuse to perform the sync.
-	dryRunSuccessful := true
-	for i, resourceState := range comparison.Resources {
-		liveObj, err := resourceState.LiveObject()
-		if err != nil {
-			opRes.Phase = v1alpha1.OperationError
-			opRes.Message = fmt.Sprintf("Failed to unmarshal live object: %v", err)
-			return &opRes, manifestInfo
-		}
-		targetObj, err := resourceState.TargetObject()
-		if err != nil {
-			opRes.Phase = v1alpha1.OperationError
-			opRes.Message = fmt.Sprintf("Failed to unmarshal target object: %v", err)
-			return &opRes, manifestInfo
-		}
-		liveObjs[i] = liveObj
-		targetObjs[i] = targetObj
-		resDetails, successful := syncObject(config, app.Spec.Destination.Namespace, targetObj, liveObj, prune, true)
-		if !successful {
-			dryRunSuccessful = false
-		}
-		opRes.SyncResult.Resources[i] = &resDetails
-	}
-	if !dryRunSuccessful {
-		opRes.Phase = v1alpha1.OperationFailed
-		opRes.Message = "one or more objects failed to apply (dry run)"
-		return &opRes, manifestInfo
-	}
-	if dryRun {
-		opRes.Phase = v1alpha1.OperationSucceeded
-		opRes.Message = "successfully synced (dry run)"
-		return &opRes, manifestInfo
-	}
-	// If we get here, all objects passed their dry-run, so we are now ready to actually perform the
-	// `kubectl apply`. Loop through the resources again, this time without dry-run.
-	syncSuccessful := true
-	for i := range comparison.Resources {
-		resDetails, successful := syncObject(config, app.Spec.Destination.Namespace, targetObjs[i], liveObjs[i], prune, false)
-		if !successful {
-			syncSuccessful = false
-		}
-		opRes.SyncResult.Resources[i] = &resDetails
-	}
-	if !syncSuccessful {
-		opRes.Message = "one or more objects failed to apply"
-		opRes.Phase = v1alpha1.OperationFailed
-	} else {
-		opRes.Message = "successfully synced"
-		opRes.Phase = v1alpha1.OperationSucceeded
-	}
-	return &opRes, manifestInfo
-}
-
-// syncObject performs a sync of a single resource
-func syncObject(config *rest.Config, namespace string, targetObj, liveObj *unstructured.Unstructured, prune, dryRun bool) (v1alpha1.ResourceDetails, bool) {
-	obj := targetObj
-	if obj == nil {
-		obj = liveObj
-	}
-	resDetails := v1alpha1.ResourceDetails{
-		Name:      obj.GetName(),
-		Kind:      obj.GetKind(),
-		Namespace: namespace,
-	}
-	needsDelete := targetObj == nil
-	successful := true
-	if needsDelete {
-		if prune {
-			if dryRun {
-				resDetails.Message = "pruned (dry run)"
-			} else {
-				err := kubeutil.DeleteResource(config, liveObj, namespace)
-				if err != nil {
-					resDetails.Message = err.Error()
-					successful = false
-				} else {
-					resDetails.Message = "pruned"
-				}
-			}
-		} else {
-			resDetails.Message = "ignored (requires pruning)"
-		}
-	} else {
-		message, err := kube.ApplyResource(config, targetObj, namespace, dryRun)
-		if err != nil {
-			resDetails.Message = err.Error()
-			successful = false
-		} else {
-			resDetails.Message = message
-		}
-	}
-	return resDetails, successful
-}
-
 // NewAppStateManager creates new instance of Ksonnet app comparator
 func NewAppStateManager(
 	db db.ArgoDB,
@@ -485,7 +411,7 @@ func NewAppStateManager(
 	repoClientset reposerver.Clientset,
 	namespace string,
 ) AppStateManager {
-	return &KsonnetAppStateManager{
+	return &ksonnetAppStateManager{
 		db:            db,
 		appclientset:  appclientset,
 		repoClientset: repoClientset,

controller/sync.go

@@ -0,0 +1,841 @@
+package controller
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"reflect"
+	"strings"
+	"sync"
+
+	wfv1 "github.com/argoproj/argo/pkg/apis/workflow/v1alpha1"
+	log "github.com/sirupsen/logrus"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/rest"
+	"k8s.io/kubernetes/pkg/apis/batch"
+
+	"github.com/argoproj/argo-cd/common"
+	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/reposerver/repository"
+	"github.com/argoproj/argo-cd/util/argo"
+	"github.com/argoproj/argo-cd/util/kube"
+)
+
+type syncContext struct {
+	appName       string
+	comparison    *appv1.ComparisonResult
+	config        *rest.Config
+	dynClientPool dynamic.ClientPool
+	disco         *discovery.DiscoveryClient
+	namespace     string
+	syncOp        *appv1.SyncOperation
+	syncRes       *appv1.SyncOperationResult
+	opState       *appv1.OperationState
+	manifestInfo  *repository.ManifestResponse
+	log           *log.Entry
+	// lock to protect concurrent updates of the result list
+	lock sync.Mutex
+}
+
+func (s *ksonnetAppStateManager) SyncAppState(app *appv1.Application, state *appv1.OperationState) {
+	// Sync requests are usually requested with ambiguous revisions (e.g. master, HEAD, v1.2.3).
+	// This can change meaning when resuming operations (e.g a hook sync). After calculating a
+	// concrete git commit SHA, the SHA is remembered in the status.operationState.syncResult and
+	// rollbackResult fields. This ensures that when resuming an operation, we sync to the same
+	// revision that we initially started with.
+	var revision string
+	var syncOp appv1.SyncOperation
+	var syncRes *appv1.SyncOperationResult
+	var overrides []appv1.ComponentParameter
+
+	if state.Operation.Sync != nil {
+		syncOp = *state.Operation.Sync
+		if state.SyncResult != nil {
+			syncRes = state.SyncResult
+			revision = state.SyncResult.Revision
+		} else {
+			syncRes = &appv1.SyncOperationResult{}
+			state.SyncResult = syncRes
+		}
+	} else if state.Operation.Rollback != nil {
+		var deploymentInfo *appv1.DeploymentInfo
+		for _, info := range app.Status.History {
+			if info.ID == app.Operation.Rollback.ID {
+				deploymentInfo = &info
+				break
+			}
+		}
+		if deploymentInfo == nil {
+			state.Phase = appv1.OperationFailed
+			state.Message = fmt.Sprintf("application %s does not have deployment with id %v", app.Name, app.Operation.Rollback.ID)
+			return
+		}
+		// Rollback is just a convenience around Sync
+		syncOp = appv1.SyncOperation{
+			Revision:     deploymentInfo.Revision,
+			DryRun:       state.Operation.Rollback.DryRun,
+			Prune:        state.Operation.Rollback.Prune,
+			SyncStrategy: &appv1.SyncStrategy{Apply: &appv1.SyncStrategyApply{}},
+		}
+		overrides = deploymentInfo.ComponentParameterOverrides
+		if state.RollbackResult != nil {
+			syncRes = state.RollbackResult
+			revision = state.RollbackResult.Revision
+		} else {
+			syncRes = &appv1.SyncOperationResult{}
+			state.RollbackResult = syncRes
+		}
+	} else {
+		state.Phase = appv1.OperationFailed
+		state.Message = "Invalid operation request: no operation specified"
+		return
+	}
+
+	if revision == "" {
+		// if we get here, it means we did not remember a commit SHA which we should be syncing to.
+		// This typically indicates we are just about to begin a brand new sync/rollback operation.
+		// Take the value in the requested operation. We will resolve this to a SHA later.
+		revision = syncOp.Revision
+	}
+	comparison, manifestInfo, conditions, err := s.CompareAppState(app, revision, overrides)
+	if err != nil {
+		state.Phase = appv1.OperationError
+		state.Message = err.Error()
+		return
+	}
+	errConditions := make([]appv1.ApplicationCondition, 0)
+	for i := range conditions {
+		if conditions[i].IsError() {
+			errConditions = append(errConditions, conditions[i])
+		}
+	}
+	if len(errConditions) > 0 {
+		state.Phase = appv1.OperationError
+		state.Message = argo.FormatAppConditions(errConditions)
+		return
+	}
+	// We now have a concrete commit SHA. Set this in the sync result revision so that we remember
+	// what we should be syncing to when resuming operations.
+	syncRes.Revision = manifestInfo.Revision
+
+	clst, err := s.db.GetCluster(context.Background(), app.Spec.Destination.Server)
+	if err != nil {
+		state.Phase = appv1.OperationError
+		state.Message = err.Error()
+		return
+	}
+
+	restConfig := clst.RESTConfig()
+	dynClientPool := dynamic.NewDynamicClientPool(restConfig)
+	disco, err := discovery.NewDiscoveryClientForConfig(restConfig)
+	if err != nil {
+		state.Phase = appv1.OperationError
+		state.Message = fmt.Sprintf("Failed to initialize dynamic client: %v", err)
+		return
+	}
+
+	syncCtx := syncContext{
+		appName:       app.Name,
+		comparison:    comparison,
+		config:        restConfig,
+		dynClientPool: dynClientPool,
+		disco:         disco,
+		namespace:     app.Spec.Destination.Namespace,
+		syncOp:        &syncOp,
+		syncRes:       syncRes,
+		opState:       state,
+		manifestInfo:  manifestInfo,
+		log:           log.WithFields(log.Fields{"application": app.Name}),
+	}
+
+	if state.Phase == appv1.OperationTerminating {
+		syncCtx.terminate()
+	} else {
+		syncCtx.sync()
+	}
+
+	if !syncOp.DryRun && syncCtx.opState.Phase.Successful() {
+		err := s.persistDeploymentInfo(app, manifestInfo.Revision, manifestInfo.Params, nil)
+		if err != nil {
+			state.Phase = appv1.OperationError
+			state.Message = fmt.Sprintf("failed to record sync to history: %v", err)
+		}
+	}
+}
+
+// syncTask holds the live and target object. At least one should be non-nil. A targetObj of nil
+// indicates the live object needs to be pruned. A liveObj of nil indicates the object has yet to
+// be deployed
+type syncTask struct {
+	liveObj   *unstructured.Unstructured
+	targetObj *unstructured.Unstructured
+}
+
+// sync has performs the actual apply or hook based sync
+func (sc *syncContext) sync() {
+	syncTasks, successful := sc.generateSyncTasks()
+	if !successful {
+		return
+	}
+	// Perform a `kubectl apply --dry-run` against all the manifests. This will detect most (but
+	// not all) validation issues with the user's manifests (e.g. will detect syntax issues, but
+	// will not not detect if they are mutating immutable fields). If anything fails, we will refuse
+	// to perform the sync.
+	if !sc.startedPreSyncPhase() {
+		// Optimization: we only wish to do this once per operation, performing additional dry-runs
+		// is harmless, but redundant. The indicator we use to detect if we have already performed
+		// the dry-run for this operation, is if the resource or hook list is empty.
+		if !sc.doApplySync(syncTasks, true, false, sc.syncOp.DryRun) {
+			sc.setOperationPhase(appv1.OperationFailed, "one or more objects failed to apply (dry run)")
+			return
+		}
+		if sc.syncOp.DryRun {
+			sc.setOperationPhase(appv1.OperationSucceeded, "successfully synced (dry run)")
+			return
+		}
+	}
+
+	// All objects passed a `kubectl apply --dry-run`, so we are now ready to actually perform the sync.
+	if sc.syncOp.SyncStrategy == nil {
+		// default sync strategy to hook if no strategy
+		sc.syncOp.SyncStrategy = &appv1.SyncStrategy{Hook: &appv1.SyncStrategyHook{}}
+	}
+	if sc.syncOp.SyncStrategy.Apply != nil {
+		if !sc.startedSyncPhase() {
+			if !sc.doApplySync(syncTasks, false, sc.syncOp.SyncStrategy.Apply.Force, true) {
+				sc.setOperationPhase(appv1.OperationFailed, "one or more objects failed to apply")
+				return
+			}
+			// If apply was successful, return here and force an app refresh. This is so the app
+			// will become requeued into the workqueue, to force a new sync/health assessment before
+			// marking the operation as completed
+			return
+		}
+		sc.setOperationPhase(appv1.OperationSucceeded, "successfully synced")
+	} else if sc.syncOp.SyncStrategy.Hook != nil {
+		hooks, err := sc.getHooks()
+		if err != nil {
+			sc.setOperationPhase(appv1.OperationError, fmt.Sprintf("failed to generate hooks resources: %v", err))
+			return
+		}
+		sc.doHookSync(syncTasks, hooks)
+	} else {
+		sc.setOperationPhase(appv1.OperationFailed, "Unknown sync strategy")
+		return
+	}
+}
+
+func (sc *syncContext) forceAppRefresh() {
+	sc.comparison.ComparedAt = metav1.Time{}
+}
+
+// generateSyncTasks() generates the list of sync tasks we will be performing during this sync.
+func (sc *syncContext) generateSyncTasks() ([]syncTask, bool) {
+	syncTasks := make([]syncTask, 0)
+	for _, resourceState := range sc.comparison.Resources {
+		liveObj, err := resourceState.LiveObject()
+		if err != nil {
+			sc.setOperationPhase(appv1.OperationError, fmt.Sprintf("Failed to unmarshal live object: %v", err))
+			return nil, false
+		}
+		targetObj, err := resourceState.TargetObject()
+		if err != nil {
+			sc.setOperationPhase(appv1.OperationError, fmt.Sprintf("Failed to unmarshal target object: %v", err))
+			return nil, false
+		}
+		syncTask := syncTask{
+			liveObj:   liveObj,
+			targetObj: targetObj,
+		}
+		syncTasks = append(syncTasks, syncTask)
+	}
+	return syncTasks, true
+}
+
+// startedPreSyncPhase detects if we already started the PreSync stage of a sync operation.
+// This is equal to if we have anything in our resource or hook list
+func (sc *syncContext) startedPreSyncPhase() bool {
+	if len(sc.syncRes.Resources) > 0 {
+		return true
+	}
+	if len(sc.syncRes.Hooks) > 0 {
+		return true
+	}
+	return false
+}
+
+// startedSyncPhase detects if we have already started the Sync stage of a sync operation.
+// This is equal to if the resource list is non-empty, or we we see Sync/PostSync hooks
+func (sc *syncContext) startedSyncPhase() bool {
+	if len(sc.syncRes.Resources) > 0 {
+		return true
+	}
+	for _, hookStatus := range sc.syncRes.Hooks {
+		if hookStatus.Type == appv1.HookTypeSync || hookStatus.Type == appv1.HookTypePostSync {
+			return true
+		}
+	}
+	return false
+}
+
+// startedPostSyncPhase detects if we have already started the PostSync stage. This is equal to if
+// we see any PostSync hooks
+func (sc *syncContext) startedPostSyncPhase() bool {
+	for _, hookStatus := range sc.syncRes.Hooks {
+		if hookStatus.Type == appv1.HookTypePostSync {
+			return true
+		}
+	}
+	return false
+}
+
+func (sc *syncContext) setOperationPhase(phase appv1.OperationPhase, message string) {
+	if sc.opState.Phase != phase || sc.opState.Message != message {
+		sc.log.Infof("Updating operation state. phase: %s -> %s, message: '%s' -> '%s'", sc.opState.Phase, phase, sc.opState.Message, message)
+	}
+	sc.opState.Phase = phase
+	sc.opState.Message = message
+}
+
+// applyObject performs a `kubectl apply` of a single resource
+func (sc *syncContext) applyObject(targetObj *unstructured.Unstructured, dryRun bool, force bool) appv1.ResourceDetails {
+	resDetails := appv1.ResourceDetails{
+		Name:      targetObj.GetName(),
+		Kind:      targetObj.GetKind(),
+		Namespace: sc.namespace,
+	}
+	message, err := kube.ApplyResource(sc.config, targetObj, sc.namespace, dryRun, force)
+	if err != nil {
+		resDetails.Message = err.Error()
+		resDetails.Status = appv1.ResourceDetailsSyncFailed
+		return resDetails
+	}
+	resDetails.Message = message
+	resDetails.Status = appv1.ResourceDetailsSynced
+	return resDetails
+}
+
+// pruneObject deletes the object if both prune is true and dryRun is false. Otherwise appropriate message
+func (sc *syncContext) pruneObject(liveObj *unstructured.Unstructured, prune, dryRun bool) appv1.ResourceDetails {
+	resDetails := appv1.ResourceDetails{
+		Name:      liveObj.GetName(),
+		Kind:      liveObj.GetKind(),
+		Namespace: liveObj.GetNamespace(),
+	}
+	if prune {
+		if dryRun {
+			resDetails.Message = "pruned (dry run)"
+			resDetails.Status = appv1.ResourceDetailsSyncedAndPruned
+		} else {
+			err := kube.DeleteResource(sc.config, liveObj, sc.namespace)
+			if err != nil {
+				resDetails.Message = err.Error()
+				resDetails.Status = appv1.ResourceDetailsSyncFailed
+			} else {
+				resDetails.Message = "pruned"
+				resDetails.Status = appv1.ResourceDetailsSyncedAndPruned
+			}
+		}
+	} else {
+		resDetails.Message = "ignored (requires pruning)"
+		resDetails.Status = appv1.ResourceDetailsPruningRequired
+	}
+	return resDetails
+}
+
+// performs a apply based sync of the given sync tasks (possibly pruning the objects).
+// If update is true, will updates the resource details with the result.
+// Or if the prune/apply failed, will also update the result.
+func (sc *syncContext) doApplySync(syncTasks []syncTask, dryRun, force, update bool) bool {
+	syncSuccessful := true
+	// apply all resources in parallel
+	var wg sync.WaitGroup
+	for _, task := range syncTasks {
+		wg.Add(1)
+		go func(t syncTask) {
+			defer wg.Done()
+			var resDetails appv1.ResourceDetails
+			if t.targetObj == nil {
+				resDetails = sc.pruneObject(t.liveObj, sc.syncOp.Prune, dryRun)
+			} else {
+				if isHook(t.targetObj) {
+					return
+				}
+				resDetails = sc.applyObject(t.targetObj, dryRun, force)
+			}
+			if !resDetails.Status.Successful() {
+				syncSuccessful = false
+			}
+			if update || !resDetails.Status.Successful() {
+				sc.setResourceDetails(&resDetails)
+			}
+		}(task)
+	}
+	wg.Wait()
+	return syncSuccessful
+}
+
+// doHookSync initiates (or continues) a hook-based sync. This method will be invoked when there may
+// already be in-flight (potentially incomplete) jobs/workflows, and should be idempotent.
+func (sc *syncContext) doHookSync(syncTasks []syncTask, hooks []*unstructured.Unstructured) {
+	// 1. Run PreSync hooks
+	if !sc.runHooks(hooks, appv1.HookTypePreSync) {
+		return
+	}
+
+	// 2. Run Sync hooks (e.g. blue-green sync workflow)
+	// Before performing Sync hooks, apply any normal manifests which aren't annotated with a hook.
+	// We only want to do this once per operation.
+	shouldContinue := true
+	if !sc.startedSyncPhase() {
+		if !sc.syncNonHookTasks(syncTasks) {
+			sc.setOperationPhase(appv1.OperationFailed, "one or more objects failed to apply")
+			return
+		}
+		shouldContinue = false
+	}
+	if !sc.runHooks(hooks, appv1.HookTypeSync) {
+		shouldContinue = false
+	}
+	if !shouldContinue {
+		return
+	}
+
+	// 3. Run PostSync hooks
+	// Before running PostSync hooks, we want to make rollout is complete (app is healthy). If we
+	// already started the post-sync phase, then we do not need to perform the health check.
+	postSyncHooks, _ := sc.getHooks(appv1.HookTypePostSync)
+	if len(postSyncHooks) > 0 && !sc.startedPostSyncPhase() {
+		healthState, err := setApplicationHealth(sc.comparison)
+		sc.log.Infof("PostSync application health check: %s", healthState.Status)
+		if err != nil {
+			sc.setOperationPhase(appv1.OperationError, fmt.Sprintf("failed to check application health: %v", err))
+			return
+		}
+		if healthState.Status != appv1.HealthStatusHealthy {
+			sc.setOperationPhase(appv1.OperationRunning, fmt.Sprintf("waiting for %s state to run %s hooks (current health: %s)", appv1.HealthStatusHealthy, appv1.HookTypePostSync, healthState.Status))
+			return
+		}
+	}
+	if !sc.runHooks(hooks, appv1.HookTypePostSync) {
+		return
+	}
+
+	// if we get here, all hooks successfully completed
+	sc.setOperationPhase(appv1.OperationSucceeded, "successfully synced")
+}
+
+// getHooks returns all hooks, or ones of the specific type(s)
+func (sc *syncContext) getHooks(hookTypes ...appv1.HookType) ([]*unstructured.Unstructured, error) {
+	var hooks []*unstructured.Unstructured
+	for _, manifest := range sc.manifestInfo.Manifests {
+		var hook unstructured.Unstructured
+		err := json.Unmarshal([]byte(manifest), &hook)
+		if err != nil {
+			return nil, err
+		}
+		if !isHook(&hook) {
+			continue
+		}
+		if len(hookTypes) > 0 {
+			match := false
+			for _, desiredType := range hookTypes {
+				if isHookType(&hook, desiredType) {
+					match = true
+					break
+				}
+			}
+			if !match {
+				continue
+			}
+		}
+		hooks = append(hooks, &hook)
+	}
+	return hooks, nil
+}
+
+// runHooks iterates & filters the target manifests for resources of the specified hook type, then
+// creates the resource. Updates the sc.opRes.hooks with the current status. Returns whether or not
+// we should continue to the next hook phase.
+func (sc *syncContext) runHooks(hooks []*unstructured.Unstructured, hookType appv1.HookType) bool {
+	shouldContinue := true
+	for _, hook := range hooks {
+		if hookType == appv1.HookTypeSync && isHookType(hook, appv1.HookTypeSkip) {
+			// If we get here, we are invoking all sync hooks and reached a resource that is
+			// annotated with the Skip hook. This will update the resource details to indicate it
+			// was skipped due to annotation
+			sc.setResourceDetails(&appv1.ResourceDetails{
+				Name:      hook.GetName(),
+				Kind:      hook.GetKind(),
+				Namespace: sc.namespace,
+				Message:   "Skipped",
+			})
+			continue
+		}
+		if !isHookType(hook, hookType) {
+			continue
+		}
+		updated, err := sc.runHook(hook, hookType)
+		if err != nil {
+			sc.setOperationPhase(appv1.OperationError, fmt.Sprintf("%s hook error: %v", hookType, err))
+			return false
+		}
+		if updated {
+			// If the result of running a hook, caused us to modify hook resource state, we should
+			// not proceed to the next hook phase. This is because before proceeding to the next
+			// phase, we want a full health assessment to happen. By returning early, we allow
+			// the application to get requeued into the controller workqueue, and on the next
+			// process iteration, a new CompareAppState() will be performed to get the most
+			// up-to-date live state. This enables us to accurately wait for an application to
+			// become Healthy before proceeding to run PostSync tasks.
+			shouldContinue = false
+		}
+	}
+	if !shouldContinue {
+		sc.log.Infof("Stopping after %s phase due to modifications to hook resource state", hookType)
+		return false
+	}
+	completed, successful := areHooksCompletedSuccessful(hookType, sc.syncRes.Hooks)
+	if !completed {
+		return false
+	}
+	if !successful {
+		sc.setOperationPhase(appv1.OperationFailed, fmt.Sprintf("%s hook failed", hookType))
+		return false
+	}
+	return true
+}
+
+// runHook runs the supplied hook and updates the hook status. Returns true if the result of
+// invoking this method resulted in changes to any hook status
+func (sc *syncContext) runHook(hook *unstructured.Unstructured, hookType appv1.HookType) (bool, error) {
+	// Hook resources names are deterministic, whether they are defined by the user (metadata.name),
+	// or formulated at the time of the operation (metadata.generateName). If user specifies
+	// metadata.generateName, then we will generate a formulated metadata.name before submission.
+	if hook.GetName() == "" {
+		postfix := strings.ToLower(fmt.Sprintf("%s-%s-%d", sc.syncRes.Revision[0:7], hookType, sc.opState.StartedAt.UTC().Unix()))
+		generatedName := hook.GetGenerateName()
+		hook = hook.DeepCopy()
+		hook.SetName(fmt.Sprintf("%s%s", generatedName, postfix))
+	}
+	// Check our hook statuses to see if we already completed this hook.
+	// If so, this method is a noop
+	prevStatus := sc.getHookStatus(hook, hookType)
+	if prevStatus != nil && prevStatus.Status.Completed() {
+		return false, nil
+	}
+
+	gvk := hook.GroupVersionKind()
+	dclient, err := sc.dynClientPool.ClientForGroupVersionKind(gvk)
+	if err != nil {
+		return false, err
+	}
+	apiResource, err := kube.ServerResourceForGroupVersionKind(sc.disco, gvk)
+	if err != nil {
+		return false, err
+	}
+	resIf := dclient.Resource(apiResource, sc.namespace)
+
+	var liveObj *unstructured.Unstructured
+	existing, err := resIf.Get(hook.GetName(), metav1.GetOptions{})
+	if err != nil {
+		if !apierr.IsNotFound(err) {
+			return false, fmt.Errorf("Failed to get status of %s hook %s '%s': %v", hookType, gvk, hook.GetName(), err)
+		}
+		hook = hook.DeepCopy()
+		err = kube.SetLabel(hook, common.LabelApplicationName, sc.appName)
+		if err != nil {
+			sc.log.Warnf("Failed to set application label on hook %v: %v", hook, err)
+		}
+		_, err := kube.ApplyResource(sc.config, hook, sc.namespace, false, false)
+		if err != nil {
+			return false, fmt.Errorf("Failed to create %s hook %s '%s': %v", hookType, gvk, hook.GetName(), err)
+		}
+		created, err := resIf.Get(hook.GetName(), metav1.GetOptions{})
+		if err != nil {
+			return true, fmt.Errorf("Failed to get status of %s hook %s '%s': %v", hookType, gvk, hook.GetName(), err)
+		}
+		sc.log.Infof("%s hook %s '%s' created", hookType, gvk, created.GetName())
+		sc.setOperationPhase(appv1.OperationRunning, fmt.Sprintf("running %s hooks", hookType))
+		liveObj = created
+	} else {
+		liveObj = existing
+	}
+	hookStatus := newHookStatus(liveObj, hookType)
+	if hookStatus.Status.Completed() {
+		if enforceDeletePolicy(hook, hookStatus.Status) {
+			err = sc.deleteHook(hook.GetName(), hook.GetKind(), hook.GetAPIVersion())
+			if err != nil {
+				hookStatus.Status = appv1.OperationFailed
+				hookStatus.Message = fmt.Sprintf("failed to delete %s hook: %v", hookStatus.Status, err)
+			}
+		}
+	}
+	return sc.updateHookStatus(hookStatus), nil
+}
+
+// enforceDeletePolicy examines the hook deletion policy of a object and deletes it based on the status
+func enforceDeletePolicy(hook *unstructured.Unstructured, phase appv1.OperationPhase) bool {
+	annotations := hook.GetAnnotations()
+	if annotations == nil {
+		return false
+	}
+	deletePolicies := strings.Split(annotations[common.AnnotationHookDeletePolicy], ",")
+	for _, dp := range deletePolicies {
+		policy := appv1.HookDeletePolicy(strings.TrimSpace(dp))
+		if policy == appv1.HookDeletePolicyHookSucceeded && phase == appv1.OperationSucceeded {
+			return true
+		}
+		if policy == appv1.HookDeletePolicyHookFailed && phase == appv1.OperationFailed {
+			return true
+		}
+	}
+	return false
+}
+
+// isHookType tells whether or not the supplied object is a hook of the specified type
+func isHookType(hook *unstructured.Unstructured, hookType appv1.HookType) bool {
+	annotations := hook.GetAnnotations()
+	if annotations == nil {
+		return false
+	}
+	resHookTypes := strings.Split(annotations[common.AnnotationHook], ",")
+	for _, ht := range resHookTypes {
+		if string(hookType) == strings.TrimSpace(ht) {
+			return true
+		}
+	}
+	return false
+}
+
+// isHook tells whether or not the supplied object is a application lifecycle hook, or a normal,
+// synced application resource
+func isHook(obj *unstructured.Unstructured) bool {
+	annotations := obj.GetAnnotations()
+	if annotations == nil {
+		return false
+	}
+	resHookTypes := strings.Split(annotations[common.AnnotationHook], ",")
+	for _, hookType := range resHookTypes {
+		hookType = strings.TrimSpace(hookType)
+		switch appv1.HookType(hookType) {
+		case appv1.HookTypePreSync, appv1.HookTypeSync, appv1.HookTypePostSync:
+			return true
+		}
+	}
+	return false
+}
+
+// syncNonHookTasks syncs or prunes the objects that are not handled by hooks using an apply sync.
+// returns true if the sync was successful
+func (sc *syncContext) syncNonHookTasks(syncTasks []syncTask) bool {
+	var nonHookTasks []syncTask
+	for _, task := range syncTasks {
+		if task.targetObj == nil {
+			nonHookTasks = append(nonHookTasks, task)
+		} else {
+			annotations := task.targetObj.GetAnnotations()
+			if annotations != nil && annotations[common.AnnotationHook] != "" {
+				// we are doing a hook sync and this resource is annotated with a hook annotation
+				continue
+			}
+			// if we get here, this resource does not have any hook annotation so we
+			// should perform an `kubectl apply`
+			nonHookTasks = append(nonHookTasks, task)
+		}
+	}
+	return sc.doApplySync(nonHookTasks, false, sc.syncOp.SyncStrategy.Hook.Force, true)
+}
+
+// setResourceDetails sets a resource details in the SyncResult.Resources list
+func (sc *syncContext) setResourceDetails(details *appv1.ResourceDetails) {
+	sc.lock.Lock()
+	defer sc.lock.Unlock()
+	for i, res := range sc.syncRes.Resources {
+		if res.Kind == details.Kind && res.Name == details.Name {
+			// update existing value
+			if res.Status != details.Status {
+				sc.log.Infof("updated resource %s/%s status: %s -> %s", res.Kind, res.Name, res.Status, details.Status)
+			}
+			if res.Message != details.Message {
+				sc.log.Infof("updated resource %s/%s message: %s -> %s", res.Kind, res.Name, res.Message, details.Message)
+			}
+			sc.syncRes.Resources[i] = details
+			return
+		}
+	}
+	sc.log.Infof("added resource %s/%s status: %s, message: %s", details.Kind, details.Name, details.Status, details.Message)
+	sc.syncRes.Resources = append(sc.syncRes.Resources, details)
+}
+
+func (sc *syncContext) getHookStatus(hookObj *unstructured.Unstructured, hookType appv1.HookType) *appv1.HookStatus {
+	for _, hr := range sc.syncRes.Hooks {
+		if hr.Name == hookObj.GetName() && hr.Kind == hookObj.GetKind() && hr.Type == hookType {
+			return hr
+		}
+	}
+	return nil
+}
+
+func newHookStatus(hook *unstructured.Unstructured, hookType appv1.HookType) appv1.HookStatus {
+	hookStatus := appv1.HookStatus{
+		Name:       hook.GetName(),
+		Kind:       hook.GetKind(),
+		APIVersion: hook.GetAPIVersion(),
+		Type:       hookType,
+	}
+	switch hookStatus.Kind {
+	case "Job":
+		var job batch.Job
+		err := runtime.DefaultUnstructuredConverter.FromUnstructured(hook.Object, &job)
+		if err != nil {
+			hookStatus.Status = appv1.OperationError
+			hookStatus.Message = err.Error()
+		} else {
+			failed := false
+			var failMsg string
+			complete := false
+			var message string
+			for _, condition := range job.Status.Conditions {
+				switch condition.Type {
+				case batch.JobFailed:
+					failed = true
+					complete = true
+					failMsg = condition.Message
+				case batch.JobComplete:
+					complete = true
+					message = condition.Message
+				}
+			}
+			if !complete {
+				hookStatus.Status = appv1.OperationRunning
+				hookStatus.Message = message
+			} else if failed {
+				hookStatus.Status = appv1.OperationFailed
+				hookStatus.Message = failMsg
+			} else {
+				hookStatus.Status = appv1.OperationSucceeded
+				hookStatus.Message = message
+			}
+		}
+	case "Workflow":
+		var wf wfv1.Workflow
+		err := runtime.DefaultUnstructuredConverter.FromUnstructured(hook.Object, &wf)
+		if err != nil {
+			hookStatus.Status = appv1.OperationError
+			hookStatus.Message = err.Error()
+		} else {
+			switch wf.Status.Phase {
+			case wfv1.NodeRunning:
+				hookStatus.Status = appv1.OperationRunning
+			case wfv1.NodeSucceeded:
+				hookStatus.Status = appv1.OperationSucceeded
+			case wfv1.NodeFailed:
+				hookStatus.Status = appv1.OperationFailed
+			case wfv1.NodeError:
+				hookStatus.Status = appv1.OperationError
+			}
+			hookStatus.Message = wf.Status.Message
+		}
+	default:
+		hookStatus.Status = appv1.OperationSucceeded
+		hookStatus.Message = fmt.Sprintf("%s created", hook.GetName())
+	}
+	return hookStatus
+}
+
+// updateHookStatus updates the status of a hook. Returns true if the hook was modified
+func (sc *syncContext) updateHookStatus(hookStatus appv1.HookStatus) bool {
+	sc.lock.Lock()
+	defer sc.lock.Unlock()
+	for i, prev := range sc.syncRes.Hooks {
+		if prev.Name == hookStatus.Name && prev.Kind == hookStatus.Kind && prev.Type == hookStatus.Type {
+			if reflect.DeepEqual(prev, hookStatus) {
+				return false
+			}
+			if prev.Status != hookStatus.Status {
+				sc.log.Infof("Hook %s %s/%s status: %s -> %s", hookStatus.Type, prev.Kind, prev.Name, prev.Status, hookStatus.Status)
+			}
+			if prev.Message != hookStatus.Message {
+				sc.log.Infof("Hook %s %s/%s message: '%s' -> '%s'", hookStatus.Type, prev.Kind, prev.Name, prev.Message, hookStatus.Message)
+			}
+			sc.syncRes.Hooks[i] = &hookStatus
+			return true
+		}
+	}
+	sc.syncRes.Hooks = append(sc.syncRes.Hooks, &hookStatus)
+	sc.log.Infof("Set new hook %s %s/%s. status: %s, message: %s", hookStatus.Type, hookStatus.Kind, hookStatus.Name, hookStatus.Status, hookStatus.Message)
+	return true
+}
+
+// areHooksCompletedSuccessful checks if all the hooks of the specified type are completed and successful
+func areHooksCompletedSuccessful(hookType appv1.HookType, hookStatuses []*appv1.HookStatus) (bool, bool) {
+	isSuccessful := true
+	for _, hookStatus := range hookStatuses {
+		if hookStatus.Type != hookType {
+			continue
+		}
+		if !hookStatus.Status.Completed() {
+			return false, false
+		}
+		if !hookStatus.Status.Successful() {
+			isSuccessful = false
+		}
+	}
+	return true, isSuccessful
+}
+
+// terminate looks for any running jobs/workflow hooks and deletes the resource
+func (sc *syncContext) terminate() {
+	terminateSuccessful := true
+	for _, hookStatus := range sc.syncRes.Hooks {
+		if hookStatus.Status.Completed() {
+			continue
+		}
+		switch hookStatus.Kind {
+		case "Job", "Workflow":
+			hookStatus.Status = appv1.OperationFailed
+			err := sc.deleteHook(hookStatus.Name, hookStatus.Kind, hookStatus.APIVersion)
+			if err != nil {
+				hookStatus.Message = fmt.Sprintf("Failed to delete %s hook %s/%s: %v", hookStatus.Type, hookStatus.Kind, hookStatus.Name, err)
+				terminateSuccessful = false
+			} else {
+				hookStatus.Message = fmt.Sprintf("Deleted %s hook %s/%s", hookStatus.Type, hookStatus.Kind, hookStatus.Name)
+			}
+			sc.updateHookStatus(*hookStatus)
+		}
+	}
+	if terminateSuccessful {
+		sc.setOperationPhase(appv1.OperationFailed, "Operation terminated")
+	} else {
+		sc.setOperationPhase(appv1.OperationError, "Operation termination had errors")
+	}
+}
+
+func (sc *syncContext) deleteHook(name, kind, apiVersion string) error {
+	groupVersion := strings.Split(apiVersion, "/")
+	if len(groupVersion) != 2 {
+		return fmt.Errorf("Failed to terminate app. Unrecognized group/version: %s", apiVersion)
+	}
+	gvk := schema.GroupVersionKind{
+		Group:   groupVersion[0],
+		Version: groupVersion[1],
+		Kind:    kind,
+	}
+	dclient, err := sc.dynClientPool.ClientForGroupVersionKind(gvk)
+	if err != nil {
+		return err
+	}
+	apiResource, err := kube.ServerResourceForGroupVersionKind(sc.disco, gvk)
+	if err != nil {
+		return err
+	}
+	resIf := dclient.Resource(apiResource, sc.namespace)
+	return resIf.Delete(name, &metav1.DeleteOptions{})
+}

controller/sync_test.go

@@ -0,0 +1,26 @@
+package controller
+
+import (
+	"testing"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	log "github.com/sirupsen/logrus"
+	"k8s.io/client-go/rest"
+)
+
+func newTestSyncCtx() *syncContext {
+	return &syncContext{
+		comparison: &v1alpha1.ComparisonResult{},
+		config:     &rest.Config{},
+		namespace:  "test-namespace",
+		syncOp:     &v1alpha1.SyncOperation{},
+		opState:    &v1alpha1.OperationState{},
+		log:        log.WithFields(log.Fields{"application": "fake-app"}),
+	}
+}
+
+func TestRunWorkflows(t *testing.T) {
+	// syncCtx := newTestSyncCtx()
+	// syncCtx.doWorkflowSync(nil, nil)
+
+}

docs/README.md

@@ -0,0 +1,14 @@
+# ArgoCD Documentation
+
+## [Getting Started](getting_started.md)
+
+## Concepts
+* [Architecture](architecture.md)
+* [Tracking Strategies](tracking_strategies.md)
+
+## Features
+* [Resource Health](health.md)
+* [Resource Hooks](resource_hooks.md)
+* [Single Sign On](sso.md)
+* [Webhooks](webhook.md)
+* [RBAC](rbac.md)

docs/getting_started.md

@@ -1,31 +1,37 @@
-# Argo CD Getting Started
+# ArgoCD Getting Started
 
-An example Ksonnet guestbook application is provided to demonstrates how Argo CD works.
+An example Ksonnet guestbook application is provided to demonstrates how ArgoCD works.
 
 ## Requirements
 * Installed [minikube](https://github.com/kubernetes/minikube#installation)
-* Installed the [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) command-line tool
+* Installed [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) command-line tool
 * Have a [kubeconfig](https://kubernetes.io/docs/tasks/access-application-cluster/configure-access-multiple-clusters/) file (default location is `~/.kube/config`).
 
-## 1. Download Argo CD
-
-Download the latest Argo CD version
+## 1. Install ArgoCD
 ```
-curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v0.4.3/argocd-darwin-amd64
+kubectl create namespace argocd
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml
+```
+This will create a new namespace, `argocd`, where ArgoCD services and application resources will live.
+
+NOTE:
+* On GKE with RBAC enabled, you may need to grant your account the ability to create new cluster roles
+```
+$ kubectl create clusterrolebinding YOURNAME-cluster-admin-binding --clusterrole=cluster-admin --user=YOUREMAIL@gmail.com
+```
+
+## 2. Download ArgoCD CLI
+
+Download the latest ArgoCD version:
+```
+curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/v0.6.0/argocd-darwin-amd64
 chmod +x /usr/local/bin/argocd
 ```
 
+## 3. Open access to ArgoCD API server
 
-## 2. Install Argo CD
-```
-argocd install
-```
-This will create a new namespace, `argocd`, where Argo CD services and application resources will live.
-
-## 3. Open access to Argo CD API server
-
-By default, the Argo CD API server is not exposed with an external IP. To expose the API server,
-change service type to `LoadBalancer`:
+By default, the ArgoCD API server is not exposed with an external IP. To expose the API server,
+change the service type to `LoadBalancer`:
 
 ```
 kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}'
@@ -33,49 +39,135 @@ kubectl patch svc argocd-server -n argocd -p '{"spec": {"type": "LoadBalancer"}}
 
 ## 4. Login to the server from the CLI
 
+Login with using the `admin` user. The initial password is autogenerated to be the pod name of the
+ArgoCD API server. This can be retrieved with the command:
 ```
-argocd login $(minikube service argocd-server -n argocd --url | cut -d'/' -f 3)
+kubectl get pods -n argocd -l app=argocd-server -o name | cut -d'/' -f 2
 ```
 
-Now, the Argo CD cli is configured to talk to API server and you can deploy your first application.
-
-## 5. Connect and deploy the Guestbook application
-
-1. Register the minikube cluster to Argo CD:
+Using the above password, login to ArgoCD's external IP:
 
+On Minikube:
 ```
-argocd cluster add minikube
+argocd login $(minikube service argocd-server -n argocd --url | cut -d'/' -f 3) --name minikube
 ```
-The `argocd cluster add CONTEXT` command installs an `argocd-manager` ServiceAccount and ClusterRole into
-the cluster associated with the supplied kubectl context. Argo CD then uses the associated service account
-token to perform its required management tasks (i.e. deploy/monitoring).
-
-2. Add the guestbook application and github repository containing the Guestbook application
-
+Other clusters:
 ```
-argocd app create --name guestbook --repo https://github.com/argoproj/argo-cd.git --path examples/guestbook --env minikube --dest-server https://$(minikube ip):8443
+kubectl get svc argocd-server
+argocd login <EXTERNAL-IP>
 ```
 
-Once the application is added, you can now see its status:
+After logging in, change the password using the command:
+```
+argocd account update-password
+```
+
+
+## 5. Register a cluster to deploy apps to
+
+We will now register a cluster to deploy applications to. First list all clusters contexts in your
+kubconfig:
+```
+argocd cluster add
+```
+
+Choose a context name from the list and supply it to `argocd cluster add CONTEXTNAME`. For example,
+for minikube context, run:
+```
+argocd cluster add minikube --in-cluster
+```
+
+The above command installs an `argocd-manager` ServiceAccount and ClusterRole into the cluster
+associated with the supplied kubectl context. ArgoCD uses the service account token to perform its
+management tasks (i.e. deploy/monitoring).
+
+The `--in-cluster` option indicates that the cluster we are registering, is the same cluster that
+ArgoCD is running in. This allows ArgoCD to connect to the cluster using the internal kubernetes
+hostname (kubernetes.default.svc). When registering a cluster external to ArgoCD, the `--in-cluster`
+flag should be omitted.
+
+## 6. Create the application from a git repository
+
+### Creating apps via UI
+
+Open a browser to the ArgoCD external UI, and login using the credentials set in step 4.
+
+On Minikube:
+```
+minikube service argocd-server -n argocd
+```
+
+Connect a git repository containing your apps. An example repository containing a sample 
+guestbook application is available at https://github.com/argoproj/argocd-example-apps.git.
+
+![connect repo](assets/connect_repo.png)
+
+After connecting a git repository, select the guestbook application for creation:
+
+![select repo](assets/select_repo.png)
+![select app](assets/select_app.png)
+![select env](assets/select_env.png)
+![create app](assets/create_app.png)
+
+
+### Creating apps via CLI
+
+Applications can be also be created using the ArgoCD CLI:
 
 ```
-argocd app list
-argocd app get guestbook
+argocd app create --name guestbook-default --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --env default
+```
+
+## 7. Sync (deploy) the application
+
+Once the guestbook application is created, you can now view its status:
+
+From UI:
+![create app](assets/guestbook-app.png)
+
+From CLI:
+```
+$ argocd app get guestbook-default
+Name:          guestbook-default
+Server:        https://kubernetes.default.svc
+Namespace:     default
+URL:           https://192.168.64.36:31880/applications/argocd/guestbook-default
+Environment:   default
+Repo:          https://github.com/argoproj/argocd-example-apps.git
+Path:          guestbook
+Target:        HEAD
+
+KIND        NAME          STATUS     HEALTH
+Service     guestbook-ui  OutOfSync
+Deployment  guestbook-ui  OutOfSync
 ```
 
 The application status is initially in an `OutOfSync` state, since the application has yet to be
 deployed, and no Kubernetes resources have been created. To sync (deploy) the application, run:
 
 ```
-argocd app sync guestbook
+$ argocd app sync guestbook-default
+Application:        guestbook-default
+Operation:          Sync
+Phase:              Succeeded
+Message:            successfully synced
+
+KIND        NAME          MESSAGE
+Service     guestbook-ui  service "guestbook-ui" created
+Deployment  guestbook-ui  deployment.apps "guestbook-ui" created
 ```
 
-[![asciicast](https://asciinema.org/a/uYnbFMy5WI2rc9S49oEAyGLb0.png)](https://asciinema.org/a/uYnbFMy5WI2rc9S49oEAyGLb0)
+This command retrieves the manifests from the ksonnet app in the git repository and performs a 
+`kubectl apply` of the manifests. The guestbook app is now running and you can now view its resource
+components, logs, events, and assessed health:
 
-Argo CD also allows to view and manager applications using web UI. Get the web UI URL by running:
+![view app](assets/guestbook-tree.png)
 
-```
-minikube service argocd-server -n argocd --url
-```
 
-![argo cd ui](argocd-ui.png)
+## 8. Next Steps
+
+ArgoCD supports additional features such as SSO, WebHooks, RBAC. See the following guides on setting
+these up:
+* [Configuring SSO](sso.md)
+* [Configuring RBAC](rbac.md)
+* [Configuring WebHooks](webhook.md)

docs/health.md

@@ -0,0 +1,18 @@
+# Resource Health
+
+## Overview
+ArgoCD provides built-in health assessment for several standard Kubernetes types, which is then
+surfaced to the overall Application health status as a whole. The following checks are made for
+specific types of kuberentes resources:
+
+### Deployment, ReplicaSet, StatefulSet DaemonSet
+
+* Observed generation is equal to desired generation.
+* Number of **updated** replicas equals the number of desired replicas.
+
+### Service
+* If service type is of type `LoadBalancer`, the `status.loadBalancer.ingress` list is non-empty,
+with at least one value for `hostname` or `IP`.
+
+### Ingress
+* The `status.loadBalancer.ingress` list is non-empty, with at least one value for `hostname` or `IP`.

docs/rbac.md

@@ -0,0 +1,99 @@
+# RBAC
+
+## Overview
+
+The feature RBAC allows restricting access to ArgoCD resources. ArgoCD does not have own user management system and has only one built-in user `admin`. The `admin` user is a
+superuser and it has full access. RBAC requires configuring [SSO](./sso.md) integration. Once [SSO](./sso.md) is connected you can define RBAC roles and map roles to groups.
+
+## Configure RBAC
+
+RBAC configuration allows defining roles and groups. ArgoCD has two pre-defined roles: role `role:readonly` which provides read-only access to all resources and role `role:admin`
+which provides full access. Role definitions are available in [builtin-policy.csv](../util/rbac/builtin-policy.csv) file.
+
+Additional roles and groups can be configured in `argocd-rbac-cm` ConfigMap. The example below custom role `org-admin`. The role is assigned to any user which belongs to
+`your-github-org:your-team` group. All other users get `role:readonly` and cannot modify ArgoCD settings.
+
+*ConfigMap `argocd-rbac-cm` example:*
+
+```yaml
+apiVersion: v1
+data:
+  policy.default: role:readonly
+  policy.csv: |
+    p, role:org-admin, applications, *, */*
+    p, role:org-admin, applications/*, *, */*
+
+    p, role:org-admin, clusters, get, *
+    p, role:org-admin, repositories, get, *
+    p, role:org-admin, repositories/apps, get, *
+
+    p, role:org-admin, repositories, create, *
+    p, role:org-admin, repositories, update, *
+    p, role:org-admin, repositories, delete, *
+
+    g, your-github-org:your-team, role:org-admin
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+```
+
+## Configure Projects
+
+Argo projects allow grouping applications which is useful if ArgoCD is used by multiple teams. Additionally, projects restrict source repositories and destination
+Kubernetes clusters which can be used by applications belonging to the project.
+
+### 1. Create new project
+
+Following command creates project `myproject` which can deploy applications to namespace `default` of cluster `https://kubernetes.default.svc`. The source ksonnet application
+should be defined in `https://github.com/argoproj/argocd-example-apps.git` repository.
+
+```
+argocd proj create myproject -d https://kubernetes.default.svc,default -s https://github.com/argoproj/argocd-example-apps.git
+```
+
+Project sources and destinations can be managed using commands `argocd project add-destination`, `argocd project remove-destination`, `argocd project add-source`
+and `argocd project remove-source`.
+
+### 2. Assign application to a project
+
+Each application belongs to a project. By default, all application belongs to the default project which provides access to any source repo/cluster. The application project can be
+changes using `app set` command:
+
+```
+argocd app set guestbook-default --project myproject
+```
+
+### 3. Update RBAC rules
+
+Following example configure admin access for two teams. Each team has access only two application of one project (`team1` can access `default` project and `team2` can access
+`myproject` project).
+
+*ConfigMap `argocd-rbac-cm` example:*
+
+```yaml
+apiVersion: v1
+data:
+  policy.default: ""
+  policy.csv: |
+    p, role:team1-admin, applications, *, default/*
+    p, role:team1-admin, applications/*, *, default/*
+
+    p, role:team1-admin, applications, *, myproject/*
+    p, role:team1-admin, applications/*, *, myproject/*
+
+    p, role:org-admin, clusters, get, *
+    p, role:org-admin, repositories, get, *
+    p, role:org-admin, repositories/apps, get, *
+
+    p, role:org-admin, repositories, create, *
+    p, role:org-admin, repositories, update, *
+    p, role:org-admin, repositories, delete, *
+
+    g, role:team1-admin, org-admin
+    g, role:team2-admin, org-admin
+    g, your-github-org:your-team1, role:team1-admin
+    g, your-github-org:your-team2, role:team2-admin
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+```

docs/resource_hooks.md

@@ -0,0 +1,61 @@
+# Resource Hooks
+
+## Overview
+
+Hooks are ways to interject custom logic before, during, and after a Sync operation. Some use cases
+for hooks are:
+* Using a `PreSync` hook to perform a database schema migration before deploying a new version of the app.
+* Using a `Sync` hook to orchestrate a complex deployment requiring more sophistication than the
+kubernetes rolling update strategy (e.g. a blue/green deployment).
+* Using a `PostSync` hook to run integration and health checks after a deployment.
+
+## Usage
+Hooks are simply kubernetes manifests annotated with the `argocd.argoproj.io/hook` annotation. To
+make use of hooks, simply add the annotation to any resource:
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  generateName: schema-migrate-
+  annotations:
+    argocd.argoproj.io/hook: PreSync
+```
+
+During a Sync operation, ArgoCD will create the resource during the appropriate stage of the
+deployment. Hooks can be any type of Kuberentes resource kind, but tend to be most useful as
+[Kubernetes Jobs](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/)
+or [Argo Workflows](https://github.com/argoproj/argo). Multiple hooks can be specified as a comma
+separated list.
+
+## Available Hooks
+The following hooks are defined:
+
+| Hook | Description |
+|------|-------------|
+| `PreSync` | Executes prior to the apply of the manifests. |
+| `Sync`  | Executes after all `PreSync` hooks completed and were successful. Occurs in conjuction with the apply of the manifests. |
+| `Skip` | Indicates to ArgoCD to skip the apply of the manifest. This is typically used in conjunction with a `Sync` hook which is presumably handling the deployment in an alternate way (e.g. blue-green deployment) |
+| `PostSync` | Executes after all `Sync` hooks completed and were successful, a succcessful apply, and all resources in a `Healthy` state. |
+
+
+## Hook Deletion Policies
+
+Hooks can be deleted in an automatic fashion using the annotation: `argocd.argoproj.io/hook-delete-policy`.
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  generateName: integration-test-
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: OnSuccess
+```
+
+The following policies define when the hook will be deleted.
+
+| Policy | Description |
+|--------|-------------|
+| `OnSuccess` | The hook resource is deleted after the hook succeeded (e.g. Job/Workflow completed successfully). |
+| `OnFailure` | The hook resource is deleted after the hook failed. |

docs/sso.md

@@ -3,9 +3,9 @@
 ## Overview
 
 ArgoCD embeds and bundles [Dex](https://github.com/coreos/dex) as part of its installation, for the
-purposes of delegating authentication to an external identity provider. Multiple types of identity
+purpose of delegating authentication to an external identity provider. Multiple types of identity
 providers are supported (OIDC, SAML, LDAP, GitHub, etc...). SSO configuration of ArgoCD requires
-editing the `argocd-cm` ConfigMap with a 
+editing the `argocd-cm` ConfigMap with 
 [Dex connector](https://github.com/coreos/dex/tree/master/Documentation/connectors) settings. 
 
 This document describes how to configure ArgoCD SSO using GitHub (OAuth2) as an example, but the
@@ -45,16 +45,39 @@ data:
 
   dex.config: |
     connectors:
-    - type: github
-      id: github
-      name: GitHub
-      config:
-        clientID: 5aae0fcec2c11634be8c
-        clientSecret: c6fcb18177869174bd09be2c51259fb049c9d4e5
-        orgs:
-        - name: your-github-org
+      # GitHub example
+      - type: github
+        id: github
+        name: GitHub
+        config:
+          clientID: aabbccddeeff00112233
+          clientSecret: $dex.github.clientSecret
+          orgs:
+          - name: your-github-org
+
+      # GitHub enterprise example
+      - type: github
+        id: acme-github
+        name: Acme GitHub
+        config:
+          hostName: github.acme.com
+          clientID: abcdefghijklmnopqrst
+          clientSecret: $dex.acme.clientSecret
+          orgs:
+          - name: your-github-org
+
+      # OIDC example (e.g. Okta)
+      - type: oidc
+        id: okta
+        name: Okta
+        config:
+          issuer: https://dev-123456.oktapreview.com
+          clientID: aaaabbbbccccddddeee
+          clientSecret: $dex.okta.clientSecret
 ```
 
+After saving, the changes should take affect automatically.
+
 NOTES:
 * Any values which start with '$' will look to a key in argocd-secret of the same name (minus the $),
   to obtain the actual value. This allows you to store the `clientSecret` as a kubernetes secret.
@@ -62,11 +85,3 @@ NOTES:
   ArgoCD will automatically use the correct `redirectURI` for any OAuth2 connectors, to match the
   correct external callback URL (e.g. https://argocd.example.com/api/dex/callback)
 
-### 3. Restart ArgoCD for changes to take effect
-Any changes to the `argocd-cm` ConfigMap or `argocd-secret` Secret, currently require a restart of
-the ArgoCD API server for the settings to take effect. Delete the `argocd-server` pod to force a
-restart. [Issue #174](https://github.com/argoproj/argo-cd/issues/174) will address this limitation.
-
-```
-kubectl delete pod -l app=argocd-server
-```

docs/webhook.md

@@ -60,11 +60,4 @@ stringData:
 
 ```
 
-### 3. Restart ArgoCD for changes to take effect
-Any changes to the `argocd-cm` ConfigMap or `argocd-secret` Secret, currently require a restart of
-the ArgoCD API server for the settings to take effect. Delete the `argocd-server` pod to force a
-restart. [Issue #174](https://github.com/argoproj/argo-cd/issues/174) will address this limitation.
-
-```
-kubectl delete pod -l app=argocd-server
-```
+After saving, the changes should take affect automatically.

examples/guestbook/components/guestbook-ui.jsonnet

@@ -23,7 +23,7 @@ local appDeployment = deployment
     params.replicas,
     container
       .new(params.name, params.image)
-      .withPorts(containerPort.new(targetPort)),
-    labels);
+      .withPorts(containerPort.new(targetPort)) + if params.command != null then { command: [ params.command ] } else {},
+    labels).withProgressDeadlineSeconds(5);
 
 k.core.v1.list.new([appService, appDeployment])

examples/guestbook/components/params.libsonnet

@@ -12,7 +12,8 @@
       name: "guestbook-ui",
       replicas: 1,
       servicePort: 80,
-      type: "LoadBalancer",
+      type: "ClusterIP",
+      command: null,
     },
   },
 }

hack/generate-proto.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#! /usr/bin/env bash
 
 # This script auto-generates protobuf related files. It is intended to be run manually when either
 # API types are added/modified, or server gRPC calls are added. The generated files should then
@@ -55,6 +55,8 @@ GOPROTOBINARY=gogofast
 
 # protoc-gen-grpc-gateway is used to build <service>.pb.gw.go files from from .proto files
 go build -i -o dist/protoc-gen-grpc-gateway ./vendor/github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
+# protoc-gen-swagger is used to build swagger.json
+go build -i -o dist/protoc-gen-swagger ./vendor/github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger
 
 # Generate server/<service>/(<service>.pb.go|<service>.pb.gw.go)
 PROTO_FILES=$(find $PROJECT_ROOT \( -name "*.proto" -and -path '*/server/*' -or -path '*/reposerver/*' -and -name "*.proto" \))
@@ -77,5 +79,44 @@ for i in ${PROTO_FILES}; do
         -I${GOGO_PROTOBUF_PATH} \
         --${GOPROTOBINARY}_out=plugins=grpc:$GOPATH/src \
         --grpc-gateway_out=logtostderr=true:$GOPATH/src \
+        --swagger_out=logtostderr=true:. \
         $i
 done
+
+# collect_swagger gathers swagger files into a subdirectory
+collect_swagger() {
+    SWAGGER_ROOT="$1"
+    EXPECTED_COLLISIONS="$2"
+    SWAGGER_OUT="${SWAGGER_ROOT}/swagger.json"
+    PRIMARY_SWAGGER=`mktemp`
+    COMBINED_SWAGGER=`mktemp`
+
+    cat <<EOF > "${PRIMARY_SWAGGER}"
+{
+  "swagger": "2.0",
+  "info": {
+    "title": "Consolidate Services",
+    "description": "Description of all APIs",
+    "version": "version not set"
+  },
+  "paths": {}
+}
+EOF
+
+    /bin/rm -f "${SWAGGER_OUT}"
+
+    /usr/bin/find "${SWAGGER_ROOT}" -name '*.swagger.json' -exec /usr/local/bin/swagger mixin -c "${EXPECTED_COLLISIONS}" "${PRIMARY_SWAGGER}" '{}' \+ > "${COMBINED_SWAGGER}"
+    /usr/local/bin/jq -r 'del(.definitions[].properties[]? | select(."$ref"!=null and .description!=null).description) | del(.definitions[].properties[]? | select(."$ref"!=null and .title!=null).title)' "${COMBINED_SWAGGER}" > "${SWAGGER_OUT}"
+
+    /bin/rm "${PRIMARY_SWAGGER}" "${COMBINED_SWAGGER}"
+}
+
+# clean up generated swagger files (should come after collect_swagger)
+clean_swagger() {
+    SWAGGER_ROOT="$1"
+    /usr/bin/find "${SWAGGER_ROOT}" -name '*.swagger.json' -delete
+}
+
+collect_swagger server 15
+clean_swagger server
+clean_swagger reposerver

install/install.go

@@ -1,379 +0,0 @@
-package install
-
-import (
-	"fmt"
-	"strings"
-	"syscall"
-
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/errors"
-	"github.com/argoproj/argo-cd/util/diff"
-	"github.com/argoproj/argo-cd/util/kube"
-	"github.com/argoproj/argo-cd/util/password"
-	"github.com/argoproj/argo-cd/util/session"
-	"github.com/argoproj/argo-cd/util/settings"
-	tlsutil "github.com/argoproj/argo-cd/util/tls"
-	"github.com/ghodss/yaml"
-	"github.com/gobuffalo/packr"
-	log "github.com/sirupsen/logrus"
-	"github.com/yudai/gojsondiff/formatter"
-	"golang.org/x/crypto/ssh/terminal"
-	appsv1beta2 "k8s.io/api/apps/v1beta2"
-	apiv1 "k8s.io/api/core/v1"
-	rbacv1 "k8s.io/api/rbac/v1"
-	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
-	apierr "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/client-go/discovery"
-	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
-)
-
-var (
-	// These values will be overridden by the link flags during build
-	// (e.g. imageTag will use the official release tag on tagged builds)
-	imageNamespace = "argoproj"
-	imageTag       = "latest"
-
-	// Default namespace and image names which `argocd install` uses during install
-	DefaultInstallNamespace = "argocd"
-	DefaultControllerImage  = imageNamespace + "/argocd-application-controller:" + imageTag
-	DefaultUIImage          = imageNamespace + "/argocd-ui:" + imageTag
-	DefaultServerImage      = imageNamespace + "/argocd-server:" + imageTag
-	DefaultRepoServerImage  = imageNamespace + "/argocd-repo-server:" + imageTag
-)
-
-// InstallOptions stores a collection of installation settings.
-type InstallOptions struct {
-	DryRun            bool
-	Upgrade           bool
-	UpdateSuperuser   bool
-	UpdateSignature   bool
-	SuperuserPassword string
-	Namespace         string
-	ControllerImage   string
-	UIImage           string
-	ServerImage       string
-	RepoServerImage   string
-	ImagePullPolicy   string
-}
-
-type Installer struct {
-	InstallOptions
-	box           packr.Box
-	config        *rest.Config
-	dynClientPool dynamic.ClientPool
-	disco         discovery.DiscoveryInterface
-}
-
-func NewInstaller(config *rest.Config, opts InstallOptions) (*Installer, error) {
-	shallowCopy := *config
-	inst := Installer{
-		InstallOptions: opts,
-		box:            packr.NewBox("./manifests"),
-		config:         &shallowCopy,
-	}
-	if opts.Namespace == "" {
-		inst.Namespace = DefaultInstallNamespace
-	}
-	var err error
-	inst.dynClientPool = dynamic.NewDynamicClientPool(inst.config)
-	inst.disco, err = discovery.NewDiscoveryClientForConfig(inst.config)
-	if err != nil {
-		return nil, err
-	}
-	return &inst, nil
-}
-
-func (i *Installer) Install() {
-	i.InstallNamespace()
-	i.InstallApplicationCRD()
-	i.InstallSettings()
-	i.InstallApplicationController()
-	i.InstallArgoCDServer()
-	i.InstallArgoCDRepoServer()
-}
-
-func (i *Installer) Uninstall(deleteNamespace, deleteCRD bool) {
-	manifests := i.box.List()
-	for _, manifestPath := range manifests {
-		if strings.HasSuffix(manifestPath, ".yaml") || strings.HasSuffix(manifestPath, ".yml") {
-			var obj unstructured.Unstructured
-			i.unmarshalManifest(manifestPath, &obj)
-			switch strings.ToLower(obj.GetKind()) {
-			case "namespace":
-				if !deleteNamespace {
-					log.Infof("Skipped deletion of Namespace: '%s'", obj.GetName())
-					continue
-				}
-			case "customresourcedefinition":
-				if !deleteCRD {
-					log.Infof("Skipped deletion of CustomResourceDefinition: '%s'", obj.GetName())
-					continue
-				}
-			}
-			i.MustUninstallResource(&obj)
-		}
-	}
-}
-
-func (i *Installer) InstallNamespace() {
-	if i.Namespace != DefaultInstallNamespace {
-		// don't create namespace if a different one was supplied
-		return
-	}
-	var namespace apiv1.Namespace
-	i.unmarshalManifest("00_namespace.yaml", &namespace)
-	namespace.ObjectMeta.Name = i.Namespace
-	i.MustInstallResource(kube.MustToUnstructured(&namespace))
-}
-
-func (i *Installer) InstallApplicationCRD() {
-	var applicationCRD apiextensionsv1beta1.CustomResourceDefinition
-	i.unmarshalManifest("01_application-crd.yaml", &applicationCRD)
-	i.MustInstallResource(kube.MustToUnstructured(&applicationCRD))
-}
-
-func (i *Installer) InstallSettings() {
-	kubeclientset, err := kubernetes.NewForConfig(i.config)
-	errors.CheckError(err)
-	settingsMgr := settings.NewSettingsManager(kubeclientset, i.Namespace)
-	cdSettings, err := settingsMgr.GetSettings()
-	if err != nil {
-		if apierr.IsNotFound(err) {
-			cdSettings = &settings.ArgoCDSettings{}
-		} else {
-			log.Fatal(err)
-		}
-	}
-
-	if cdSettings.ServerSignature == nil || i.UpdateSignature {
-		// set JWT signature
-		signature, err := session.MakeSignature(32)
-		errors.CheckError(err)
-		cdSettings.ServerSignature = signature
-	}
-
-	if cdSettings.LocalUsers == nil {
-		cdSettings.LocalUsers = make(map[string]string)
-	}
-	if _, ok := cdSettings.LocalUsers[common.ArgoCDAdminUsername]; !ok || i.UpdateSuperuser {
-		passwordRaw := i.SuperuserPassword
-		if passwordRaw == "" {
-			passwordRaw = readAndConfirmPassword()
-		}
-		hashedPassword, err := password.HashPassword(passwordRaw)
-		errors.CheckError(err)
-		cdSettings.LocalUsers = map[string]string{
-			common.ArgoCDAdminUsername: hashedPassword,
-		}
-	}
-
-	if cdSettings.Certificate == nil {
-		// generate TLS cert
-		hosts := []string{
-			"localhost",
-			"argocd-server",
-			fmt.Sprintf("argocd-server.%s", i.Namespace),
-			fmt.Sprintf("argocd-server.%s.svc", i.Namespace),
-			fmt.Sprintf("argocd-server.%s.svc.cluster.local", i.Namespace),
-		}
-		certOpts := tlsutil.CertOptions{
-			Hosts:        hosts,
-			Organization: "Argo CD",
-			IsCA:         true,
-		}
-		cert, err := tlsutil.GenerateX509KeyPair(certOpts)
-		errors.CheckError(err)
-		cdSettings.Certificate = cert
-	}
-
-	err = settingsMgr.SaveSettings(cdSettings)
-	errors.CheckError(err)
-}
-
-func readAndConfirmPassword() string {
-	for {
-		fmt.Print("*** Enter an admin password: ")
-		password, err := terminal.ReadPassword(syscall.Stdin)
-		errors.CheckError(err)
-		fmt.Print("\n")
-		fmt.Print("*** Confirm the admin password: ")
-		confirmPassword, err := terminal.ReadPassword(syscall.Stdin)
-		errors.CheckError(err)
-		fmt.Print("\n")
-		if string(password) == string(confirmPassword) {
-			return string(password)
-		}
-		log.Error("Passwords do not match")
-	}
-}
-
-func (i *Installer) InstallApplicationController() {
-	var applicationControllerServiceAccount apiv1.ServiceAccount
-	var applicationControllerRole rbacv1.Role
-	var applicationControllerRoleBinding rbacv1.RoleBinding
-	var applicationControllerDeployment appsv1beta2.Deployment
-	i.unmarshalManifest("03a_application-controller-sa.yaml", &applicationControllerServiceAccount)
-	i.unmarshalManifest("03b_application-controller-role.yaml", &applicationControllerRole)
-	i.unmarshalManifest("03c_application-controller-rolebinding.yaml", &applicationControllerRoleBinding)
-	i.unmarshalManifest("03d_application-controller-deployment.yaml", &applicationControllerDeployment)
-	applicationControllerDeployment.Spec.Template.Spec.Containers[0].Image = i.ControllerImage
-	applicationControllerDeployment.Spec.Template.Spec.Containers[0].ImagePullPolicy = apiv1.PullPolicy(i.ImagePullPolicy)
-	i.MustInstallResource(kube.MustToUnstructured(&applicationControllerServiceAccount))
-	i.MustInstallResource(kube.MustToUnstructured(&applicationControllerRole))
-	i.MustInstallResource(kube.MustToUnstructured(&applicationControllerRoleBinding))
-	i.MustInstallResource(kube.MustToUnstructured(&applicationControllerDeployment))
-}
-
-func (i *Installer) InstallArgoCDServer() {
-	var argoCDServerServiceAccount apiv1.ServiceAccount
-	var argoCDServerControllerRole rbacv1.Role
-	var argoCDServerControllerRoleBinding rbacv1.RoleBinding
-	var argoCDServerControllerDeployment appsv1beta2.Deployment
-	var argoCDServerService apiv1.Service
-	i.unmarshalManifest("04a_argocd-server-sa.yaml", &argoCDServerServiceAccount)
-	i.unmarshalManifest("04b_argocd-server-role.yaml", &argoCDServerControllerRole)
-	i.unmarshalManifest("04c_argocd-server-rolebinding.yaml", &argoCDServerControllerRoleBinding)
-	i.unmarshalManifest("04d_argocd-server-deployment.yaml", &argoCDServerControllerDeployment)
-	i.unmarshalManifest("04e_argocd-server-service.yaml", &argoCDServerService)
-	argoCDServerControllerDeployment.Spec.Template.Spec.InitContainers[0].Image = i.ServerImage
-	argoCDServerControllerDeployment.Spec.Template.Spec.InitContainers[0].ImagePullPolicy = apiv1.PullPolicy(i.ImagePullPolicy)
-	argoCDServerControllerDeployment.Spec.Template.Spec.InitContainers[1].Image = i.UIImage
-	argoCDServerControllerDeployment.Spec.Template.Spec.InitContainers[1].ImagePullPolicy = apiv1.PullPolicy(i.ImagePullPolicy)
-	argoCDServerControllerDeployment.Spec.Template.Spec.Containers[0].Image = i.ServerImage
-	argoCDServerControllerDeployment.Spec.Template.Spec.Containers[0].ImagePullPolicy = apiv1.PullPolicy(i.ImagePullPolicy)
-	i.MustInstallResource(kube.MustToUnstructured(&argoCDServerServiceAccount))
-	i.MustInstallResource(kube.MustToUnstructured(&argoCDServerControllerRole))
-	i.MustInstallResource(kube.MustToUnstructured(&argoCDServerControllerRoleBinding))
-	i.MustInstallResource(kube.MustToUnstructured(&argoCDServerControllerDeployment))
-	i.MustInstallResource(kube.MustToUnstructured(&argoCDServerService))
-
-}
-
-func (i *Installer) InstallArgoCDRepoServer() {
-	var argoCDRepoServerControllerDeployment appsv1beta2.Deployment
-	var argoCDRepoServerService apiv1.Service
-	i.unmarshalManifest("05a_argocd-repo-server-deployment.yaml", &argoCDRepoServerControllerDeployment)
-	i.unmarshalManifest("05b_argocd-repo-server-service.yaml", &argoCDRepoServerService)
-	argoCDRepoServerControllerDeployment.Spec.Template.Spec.Containers[0].Image = i.RepoServerImage
-	argoCDRepoServerControllerDeployment.Spec.Template.Spec.Containers[0].ImagePullPolicy = apiv1.PullPolicy(i.ImagePullPolicy)
-	i.MustInstallResource(kube.MustToUnstructured(&argoCDRepoServerControllerDeployment))
-	i.MustInstallResource(kube.MustToUnstructured(&argoCDRepoServerService))
-}
-
-func (i *Installer) unmarshalManifest(fileName string, obj interface{}) {
-	yamlBytes, err := i.box.MustBytes(fileName)
-	errors.CheckError(err)
-	err = yaml.Unmarshal(yamlBytes, obj)
-	errors.CheckError(err)
-}
-
-func (i *Installer) MustInstallResource(obj *unstructured.Unstructured) *unstructured.Unstructured {
-	obj, err := i.InstallResource(obj)
-	errors.CheckError(err)
-	return obj
-}
-
-func isNamespaced(obj *unstructured.Unstructured) bool {
-	switch obj.GetKind() {
-	case "Namespace", "ClusterRole", "ClusterRoleBinding", "CustomResourceDefinition":
-		return false
-	}
-	return true
-}
-
-// InstallResource creates or updates a resource. If installed resource is up-to-date, does nothing
-func (i *Installer) InstallResource(obj *unstructured.Unstructured) (*unstructured.Unstructured, error) {
-	if isNamespaced(obj) {
-		obj.SetNamespace(i.Namespace)
-	}
-	// remove 'creationTimestamp' and 'status' fields from object so that the diff will not be modified
-	obj.SetCreationTimestamp(metav1.Time{})
-	delete(obj.Object, "status")
-	if i.DryRun {
-		printYAML(obj)
-		return nil, nil
-	}
-	gvk := obj.GroupVersionKind()
-	dclient, err := i.dynClientPool.ClientForGroupVersionKind(gvk)
-	if err != nil {
-		return nil, err
-	}
-	apiResource, err := kube.ServerResourceForGroupVersionKind(i.disco, gvk)
-	if err != nil {
-		return nil, err
-	}
-	reIf := dclient.Resource(apiResource, i.Namespace)
-	liveObj, err := reIf.Create(obj)
-	if err == nil {
-		fmt.Printf("%s '%s' created\n", liveObj.GetKind(), liveObj.GetName())
-		return liveObj, nil
-	}
-	if !apierr.IsAlreadyExists(err) {
-		return nil, err
-	}
-	liveObj, err = reIf.Get(obj.GetName(), metav1.GetOptions{})
-	if err != nil {
-		return nil, err
-	}
-	diffRes := diff.Diff(obj, liveObj)
-	if !diffRes.Modified {
-		fmt.Printf("%s '%s' up-to-date\n", liveObj.GetKind(), liveObj.GetName())
-		return liveObj, nil
-	}
-	if !i.Upgrade {
-		log.Println(diffRes.ASCIIFormat(obj, formatter.AsciiFormatterConfig{}))
-		return nil, fmt.Errorf("%s '%s' already exists. Rerun with --upgrade to update", obj.GetKind(), obj.GetName())
-
-	}
-	liveObj, err = reIf.Update(obj)
-	if err != nil {
-		return nil, err
-	}
-	fmt.Printf("%s '%s' updated\n", liveObj.GetKind(), liveObj.GetName())
-	return liveObj, nil
-}
-
-func (i *Installer) MustUninstallResource(obj *unstructured.Unstructured) {
-	err := i.UninstallResource(obj)
-	errors.CheckError(err)
-}
-
-// UninstallResource deletes a resource from the cluster
-func (i *Installer) UninstallResource(obj *unstructured.Unstructured) error {
-	if isNamespaced(obj) {
-		obj.SetNamespace(i.Namespace)
-	}
-	gvk := obj.GroupVersionKind()
-	dclient, err := i.dynClientPool.ClientForGroupVersionKind(gvk)
-	if err != nil {
-		return err
-	}
-	apiResource, err := kube.ServerResourceForGroupVersionKind(i.disco, gvk)
-	if err != nil {
-		return err
-	}
-	reIf := dclient.Resource(apiResource, i.Namespace)
-	deletePolicy := metav1.DeletePropagationForeground
-	err = reIf.Delete(obj.GetName(), &metav1.DeleteOptions{PropagationPolicy: &deletePolicy})
-	if err != nil {
-		if apierr.IsNotFound(err) {
-			fmt.Printf("%s '%s' not found\n", obj.GetKind(), obj.GetName())
-			return nil
-		}
-		return err
-	}
-	fmt.Printf("%s '%s' deleted\n", obj.GetKind(), obj.GetName())
-	return nil
-}
-
-func printYAML(obj interface{}) {
-	objBytes, err := yaml.Marshal(obj)
-	if err != nil {
-		log.Fatalf("Failed to marshal %v", obj)
-	}
-	fmt.Printf("---\n%s\n", string(objBytes))
-}

install/manifests/00_namespace.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: argocd

install/manifests/02a_argocd-cm.yaml

@@ -1,57 +0,0 @@
-# NOTE: the values here are just a example and are not the values used during an install.
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: argocd-cm
-  namespace: argocd
-data:
-  # url is the externally facing base URL of ArgoCD.
-  # This field is required when configuring SSO, which ArgoCD uses as part the redirectURI for the
-  # dex connectors. When configuring the application in the SSO provider (e.g. github, okta), the
-  # authorization callback URL will be url + /api/dex/callback. For example, if ArgoCD's url is
-  # https://example.com, then the auth callback to set in the SSO provider should be:
-  # https://example.com/api/dex/callback
-  url: http://localhost:8080
-
-  # dex.config holds the contents of the configuration yaml for the dex OIDC/Oauth2 provider sidecar.
-  # Only a subset of a full dex config is required, namely the connectors list. ArgoCD will generate
-  # the complete dex config based on the configured URL, and the known callback endpoint which the
-  # ArgoCD API server exposes (i.e. /api/dex/callback).
-  dex.config: |
-    # connectors is a list of dex connector configurations. For details on available connectors and
-    # how to configure them, see: https://github.com/coreos/dex/tree/master/Documentation/connectors
-    # NOTE:
-    # * Any values which start with '$' will look to a key in argocd-secret of the same name, to
-    #   obtain the actual value.
-    # * ArgoCD will automatically set the 'redirectURI' field in any OAuth2 connectors, to match the
-    #   external callback URL (e.g. https://example.com/api/dex/callback)
-    connectors:
-    # GitHub example
-    - type: github
-      id: github
-      name: GitHub
-      config:
-        clientID: aabbccddeeff00112233
-        clientSecret: $dex.github.clientSecret
-        orgs:
-        - name: your-github-org
-
-    # GitHub enterprise example
-    - type: github
-      id: acme-github
-      name: Acme GitHub
-      config:
-        hostName: github.acme.com
-        clientID: abcdefghijklmnopqrst
-        clientSecret: $dex.acme.clientSecret
-        orgs:
-        - name: your-github-org
-
-    # OIDC example (e.g. Okta)
-    - type: oidc
-      id: okta
-      name: Okta
-      config:
-        issuer: https://dev-123456.oktapreview.com
-        clientID: aaaabbbbccccddddeee
-        clientSecret: $dex.okta.clientSecret

install/manifests/02b_argocd-secret.yaml

@@ -1,27 +0,0 @@
-# NOTE: the values in this secret are provided as working manifest example and are not the values
-# used during an install. New values will be generated as part of `argocd install`
-apiVersion: v1
-kind: Secret
-metadata:
-  name: argocd-secret
-  namespace: argocd
-type: Opaque
-stringData:
-  # bcrypt hash of the string "password"
-  admin.password: $2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W
-  # random server signature key for session validation
-  server.secretkey: aEDvv73vv70F77+9CRBSNu+/vTYQ77+9EUFh77+9LzFyJ++/vXfLsO+/vWRbeu+/ve+/vQ==
-
-  # The following keys hold the shared secret for authenticating GitHub/GitLab/BitBucket webhook
-  # events. To enable webhooks, configure one or more of the following keys with the shared git
-  # provider webhook secret. The payload URL configured in the git provider should use the 
-  # /api/webhook endpoint of your ArgoCD instance (e.g. https://argocd.example.com/api/webhook)
-  github.webhook.secret: shhhh! it's a github secret
-  gitlab.webhook.secret: shhhh! it's a gitlab secret
-  bitbucket.webhook.uuid: your-bitbucket-uuid
-
-  # the following of user defined keys which are referenced in the example argocd-cm configmap
-  # as pat of SSO configuration.
-  dex.github.clientSecret: nv1vx8w4gw5byrflujfkxww6ykh85yq818aorvwy
-  dex.acme.clientSecret: 5pp7dyre3d5nyk0ree1tr0gd68k18xn94x8lfae9
-  dex.okta.clientSecret: x41ztv6ufyf07oyoopc6f62p222c00mox2ciquvt

manifests/components/01a_application-crd.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:

manifests/components/01b_appproject-crd.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: appprojects.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: AppProject
+    plural: appprojects
+    shortNames:
+    - appproj
+    - appprojs
+  scope: Namespaced
+  version: v1alpha1

manifests/components/02a_argocd-cm.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  # See https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso 
+  # for more details about how to setup data config needed for sso
+
+  # URL is the external URL of ArgoCD
+  #url: 
+
+  # A dex connector configuration
+  #dex.config:

manifests/components/02b_argocd-secret.yaml

@@ -0,0 +1,24 @@
+---
+# NOTE: the values in this secret will be populated by the initial startup of the API
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-secret
+type: Opaque
+  # bcrypt hash of the admin password
+  #admin.password: 
+
+  # random server signature key for session validation
+  #server.secretkey:
+
+  # TLS certificate and private key for API server
+  #server.crt: 
+  #server.key:
+
+  # The following keys hold the shared secret for authenticating GitHub/GitLab/BitBucket webhook
+  # events. To enable webhooks, configure one or more of the following keys with the shared git
+  # provider webhook secret. The payload URL configured in the git provider should use the 
+  # /api/webhook endpoint of your ArgoCD instance (e.g. https://argocd.example.com/api/webhook)
+  #github.webhook.secret: 
+  #gitlab.webhook.secret:
+  #bitbucket.webhook.uuid: 

manifests/components/02c_argocd-rbac-cm.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+data:
+  # policy.csv holds the CSV file policy file which contains additional policy and role definitions.
+  # ArgoCD defines two built-in roles:
+  # * role:readonly - readonly access to all objects
+  # * role:admin - admin access to all objects
+  # The built-in policy can be seen under util/rbac/builtin-policy.csv
+  #policy.csv: ""
+
+  # There are two policy formats:
+  # 1. Applications (which belong to a project):
+  # p, <user/group>, <resource>, <action>, <project>/<object>
+  # 2. All other resources:
+  # p, <user/group>, <resource>, <action>, <object>
+
+  # For example, the following rule gives all members of 'my-org:team1' the ability to sync
+  # applications in the project named: my-project
+  # p, my-org:team1, applications, sync, my-project/*
+
+  # policy.default holds the default policy which will ArgoCD will fall back to, when authorizing
+  # a user for API requests
+  policy.default: role:readonly

manifests/components/03a_application-controller-sa.yaml

@@ -1,5 +1,5 @@
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: application-controller
-  namespace: argocd

manifests/components/03b_application-controller-role.yaml

@@ -1,8 +1,8 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: application-controller-role
-  namespace: argocd
 rules:
 - apiGroups:
   - ""
@@ -11,10 +11,14 @@ rules:
   verbs:
   - get
   - watch
+  - list
+  - patch
+  - update
 - apiGroups:
   - argoproj.io
   resources:
   - applications
+  - appprojects
   verbs:
   - create
   - get

manifests/components/03c_application-controller-rolebinding.yaml

@@ -1,8 +1,8 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: application-controller-role-binding
-  namespace: argocd
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

manifests/components/03d_application-controller-deployment.yaml

@@ -1,8 +1,8 @@
-apiVersion: apps/v1beta2
+---
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: application-controller
-  namespace: argocd
 spec:
   selector:
     matchLabels:

manifests/components/04a_argocd-server-sa.yaml

@@ -1,5 +1,5 @@
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: argocd-server
-  namespace: argocd

manifests/components/04b_argocd-server-role.yaml

@@ -1,34 +1,13 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: argocd-server-role
-  namespace: argocd
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  - pods/log
-  verbs:
-  - get
-  - list
-  - watch
 - apiGroups:
   - ""
   resources:
   - secrets
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
   - configmaps
   verbs:
   - create
@@ -42,6 +21,7 @@ rules:
   - argoproj.io
   resources:
   - applications
+  - appprojects
   verbs:
   - create
   - get

manifests/components/04c_argocd-server-rolebinding.yaml

@@ -1,8 +1,8 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: argocd-server-role-binding
-  namespace: argocd
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

manifests/components/04d_argocd-server-deployment.yaml

@@ -1,8 +1,8 @@
-apiVersion: apps/v1beta2
+---
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: argocd-server
-  namespace: argocd
 spec:
   selector:
     matchLabels:

manifests/components/04e_argocd-server-service.yaml

@@ -1,8 +1,8 @@
+---
 apiVersion: v1
 kind: Service
 metadata:
   name: argocd-server
-  namespace: argocd
 spec:
   ports:
   - name: http

manifests/components/05a_argocd-repo-server-deployment.yaml

@@ -1,8 +1,8 @@
-apiVersion: apps/v1beta2
+---
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: argocd-repo-server
-  namespace: argocd
 spec:
   selector:
     matchLabels:
@@ -18,7 +18,3 @@ spec:
         command: [/argocd-repo-server]
         ports:
           - containerPort: 8081
-      - name: redis
-        image: redis:3.2.11
-        ports:
-          - containerPort: 6379

manifests/components/05b_argocd-repo-server-service.yaml

@@ -1,8 +1,8 @@
+---
 apiVersion: v1
 kind: Service
 metadata:
   name: argocd-repo-server
-  namespace: argocd
 spec:
   ports:
   - port: 8081

manifests/install.yaml

@@ -0,0 +1,300 @@
+# This is an auto-generated file. DO NOT EDIT
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: applications.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: Application
+    plural: applications
+    shortNames:
+    - app
+  scope: Namespaced
+  version: v1alpha1
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: appprojects.argoproj.io
+spec:
+  group: argoproj.io
+  names:
+    kind: AppProject
+    plural: appprojects
+    shortNames:
+    - appproj
+    - appprojs
+  scope: Namespaced
+  version: v1alpha1
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  # See https://github.com/argoproj/argo-cd/blob/master/docs/sso.md#2-configure-argocd-for-sso 
+  # for more details about how to setup data config needed for sso
+
+  # URL is the external URL of ArgoCD
+  #url: 
+
+  # A dex connector configuration
+  #dex.config:
+---
+# NOTE: the values in this secret will be populated by the initial startup of the API
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argocd-secret
+type: Opaque
+  # bcrypt hash of the admin password
+  #admin.password: 
+
+  # random server signature key for session validation
+  #server.secretkey:
+
+  # TLS certificate and private key for API server
+  #server.crt: 
+  #server.key:
+
+  # The following keys hold the shared secret for authenticating GitHub/GitLab/BitBucket webhook
+  # events. To enable webhooks, configure one or more of the following keys with the shared git
+  # provider webhook secret. The payload URL configured in the git provider should use the 
+  # /api/webhook endpoint of your ArgoCD instance (e.g. https://argocd.example.com/api/webhook)
+  #github.webhook.secret: 
+  #gitlab.webhook.secret:
+  #bitbucket.webhook.uuid: 
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-rbac-cm
+data:
+  # policy.csv holds the CSV file policy file which contains additional policy and role definitions.
+  # ArgoCD defines two built-in roles:
+  # * role:readonly - readonly access to all objects
+  # * role:admin - admin access to all objects
+  # The built-in policy can be seen under util/rbac/builtin-policy.csv
+  #policy.csv: ""
+
+  # There are two policy formats:
+  # 1. Applications (which belong to a project):
+  # p, <user/group>, <resource>, <action>, <project>/<object>
+  # 2. All other resources:
+  # p, <user/group>, <resource>, <action>, <object>
+
+  # For example, the following rule gives all members of 'my-org:team1' the ability to sync
+  # applications in the project named: my-project
+  # p, my-org:team1, applications, sync, my-project/*
+
+  # policy.default holds the default policy which will ArgoCD will fall back to, when authorizing
+  # a user for API requests
+  policy.default: role:readonly
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: application-controller
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: application-controller-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - watch
+  - list
+  - patch
+  - update
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: application-controller-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: application-controller-role
+subjects:
+- kind: ServiceAccount
+  name: application-controller
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: application-controller
+spec:
+  selector:
+    matchLabels:
+      app: application-controller
+  template:
+    metadata:
+      labels:
+        app: application-controller
+    spec:
+      containers:
+      - command: [/argocd-application-controller, --repo-server, 'argocd-repo-server:8081']
+        image: argoproj/argocd-application-controller:v0.6.2
+        name: application-controller
+      serviceAccountName: application-controller
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: argocd-server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: argocd-server-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - configmaps
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - argoproj.io
+  resources:
+  - applications
+  - appprojects
+  verbs:
+  - create
+  - get
+  - list
+  - watch
+  - update
+  - delete
+  - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: argocd-server-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-server-role
+subjects:
+- kind: ServiceAccount
+  name: argocd-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-server
+spec:
+  selector:
+    matchLabels:
+      app: argocd-server
+  template:
+    metadata:
+      labels:
+        app: argocd-server
+    spec:
+      serviceAccountName: argocd-server
+      initContainers:
+      - name: copyutil
+        image: argoproj/argocd-server:v0.6.2
+        command: [cp, /argocd-util, /shared]
+        volumeMounts:
+        - mountPath: /shared
+          name: static-files
+      - name: ui
+        image: argoproj/argocd-ui:v0.6.2
+        command: [cp, -r, /app, /shared]
+        volumeMounts:
+        - mountPath: /shared
+          name: static-files
+      containers:
+      - name: argocd-server
+        image: argoproj/argocd-server:v0.6.2
+        command: [/argocd-server, --staticassets, /shared/app, --repo-server, 'argocd-repo-server:8081']
+        volumeMounts:
+        - mountPath: /shared
+          name: static-files
+      - name: dex
+        image: quay.io/coreos/dex:v2.10.0
+        command: [/shared/argocd-util, rundex]
+        volumeMounts:
+        - mountPath: /shared
+          name: static-files
+      volumes:
+      - emptyDir: {}
+        name: static-files
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: argocd-server
+spec:
+  ports:
+  - name: http
+    protocol: TCP
+    port: 80
+    targetPort: 8080
+  - name: https
+    protocol: TCP
+    port: 443
+    targetPort: 8080
+  selector:
+    app: argocd-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: argocd-repo-server
+spec:
+  selector:
+    matchLabels:
+      app: argocd-repo-server
+  template:
+    metadata:
+      labels:
+        app: argocd-repo-server
+    spec:
+      containers:
+      - name: argocd-repo-server
+        image: argoproj/argocd-repo-server:v0.6.2
+        command: [/argocd-repo-server]
+        ports:
+          - containerPort: 8081
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: argocd-repo-server
+spec:
+  ports:
+  - port: 8081
+    targetPort: 8081
+  selector:
+    app: argocd-repo-server

pkg/apiclient/apiclient.go

@@ -11,8 +11,10 @@ import (
 	"os"
 	"strings"
 
+	"github.com/argoproj/argo-cd/server/account"
 	"github.com/argoproj/argo-cd/server/application"
 	"github.com/argoproj/argo-cd/server/cluster"
+	"github.com/argoproj/argo-cd/server/project"
 	"github.com/argoproj/argo-cd/server/repository"
 	"github.com/argoproj/argo-cd/server/session"
 	"github.com/argoproj/argo-cd/server/settings"
@@ -48,6 +50,10 @@ type Client interface {
 	NewSettingsClientOrDie() (*grpc.ClientConn, settings.SettingsServiceClient)
 	NewVersionClient() (*grpc.ClientConn, version.VersionServiceClient, error)
 	NewVersionClientOrDie() (*grpc.ClientConn, version.VersionServiceClient)
+	NewProjectClient() (*grpc.ClientConn, project.ProjectServiceClient, error)
+	NewProjectClientOrDie() (*grpc.ClientConn, project.ProjectServiceClient)
+	NewAccountClient() (*grpc.ClientConn, account.AccountServiceClient, error)
+	NewAccountClientOrDie() (*grpc.ClientConn, account.AccountServiceClient)
 }
 
 // ClientOptions hold address, security, and other settings for the API client.
@@ -292,3 +298,37 @@ func (c *client) NewVersionClientOrDie() (*grpc.ClientConn, version.VersionServi
 	}
 	return conn, versionIf
 }
+
+func (c *client) NewProjectClient() (*grpc.ClientConn, project.ProjectServiceClient, error) {
+	conn, err := c.NewConn()
+	if err != nil {
+		return nil, nil, err
+	}
+	projIf := project.NewProjectServiceClient(conn)
+	return conn, projIf, nil
+}
+
+func (c *client) NewProjectClientOrDie() (*grpc.ClientConn, project.ProjectServiceClient) {
+	conn, projIf, err := c.NewProjectClient()
+	if err != nil {
+		log.Fatalf("Failed to establish connection to %s: %v", c.ServerAddr, err)
+	}
+	return conn, projIf
+}
+
+func (c *client) NewAccountClient() (*grpc.ClientConn, account.AccountServiceClient, error) {
+	conn, err := c.NewConn()
+	if err != nil {
+		return nil, nil, err
+	}
+	usrIf := account.NewAccountServiceClient(conn)
+	return conn, usrIf, nil
+}
+
+func (c *client) NewAccountClientOrDie() (*grpc.ClientConn, account.AccountServiceClient) {
+	conn, usrIf, err := c.NewAccountClient()
+	if err != nil {
+		log.Fatalf("Failed to establish connection to %s: %v", c.ServerAddr, err)
+	}
+	return conn, usrIf
+}

pkg/apis/application/register.go

@@ -11,10 +11,10 @@ const (
 	ApplicationShortName string = "app"
 	ApplicationFullName  string = ApplicationPlural + "." + Group
 
-	// Cluster constants
-	ClusterKind      string = "Cluster"
-	ClusterSingular  string = "cluster"
-	ClusterPlural    string = "clusters"
-	ClusterShortName string = "cluster"
-	ClusterFullName  string = ClusterPlural + "." + Group
+	// AppProject constants
+	AppProjectKind      string = "AppProject"
+	AppProjectSingular  string = "appproject"
+	AppProjectPlural    string = "appprojects"
+	AppProjectShortName string = "appproject"
+	AppProjectFullName  string = AppProjectPlural + "." + Group
 )

pkg/apis/application/v1alpha1/generated.proto

@@ -13,6 +13,36 @@ import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
 // Package-wide variables from generator "generated".
 option go_package = "v1alpha1";
 
+// AppProject is a definition of AppProject resource.
+// +genclient
+// +genclient:noStatus
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+message AppProject {
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+  optional AppProjectSpec spec = 2;
+}
+
+// AppProjectList is list of AppProject resources
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+message AppProjectList {
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+  repeated AppProject items = 2;
+}
+
+// AppProjectSpec represents
+message AppProjectSpec {
+  // SourceRepos contains list of git repository URLs which can be used for deployment
+  repeated string sources = 1;
+
+  // Destinations contains list of destinations available for deployment
+  repeated ApplicationDestination destinations = 2;
+
+  // Description contains optional project description
+  optional string description = 3;
+}
+
 // Application is a definition of Application resource.
 // +genclient
 // +genclient:noStatus
@@ -79,6 +109,9 @@ message ApplicationSpec {
 
   // Destination overrides the kubernetes server and namespace defined in the environment ksonnet app.yaml
   optional ApplicationDestination destination = 2;
+
+  // Project is a application project name. Empty name means that application belongs to 'default' project.
+  optional string project = 3;
 }
 
 // ApplicationStatus contains information about application status in target environment.
@@ -119,8 +152,8 @@ message Cluster {
   // Config holds cluster information for connecting to a cluster
   optional ClusterConfig config = 3;
 
-  // Message can hold a status message or error.
-  optional string message = 4;
+  // ConnectionState contains information about cluster connection state
+  optional ConnectionState connectionState = 4;
 }
 
 // ClusterConfig is the configuration attributes. This structure is subset of the go-client
@@ -156,8 +189,6 @@ message ComparisonResult {
   optional string status = 5;
 
   repeated ResourceState resources = 6;
-
-  optional string error = 7;
 }
 
 // ComponentParameter contains information about component parameter value
@@ -169,6 +200,15 @@ message ComponentParameter {
   optional string value = 3;
 }
 
+// ConnectionState contains information about remote resource connection state
+message ConnectionState {
+  optional string status = 1;
+
+  optional string message = 2;
+
+  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time attemptedAt = 3;
+}
+
 // DeploymentInfo contains information relevant to an application deployment
 message DeploymentInfo {
   repeated ComponentParameter params = 1;
@@ -188,6 +228,27 @@ message HealthStatus {
   optional string statusDetails = 2;
 }
 
+// HookStatus contains status about a hook invocation
+message HookStatus {
+  // Name is the resource name
+  optional string name = 1;
+
+  // Kind is the resource kind
+  optional string kind = 2;
+
+  // APIVersion is the resource API version
+  optional string apiVersion = 3;
+
+  // Type is the type of hook (e.g. PreSync, Sync, PostSync, Skip)
+  optional string type = 4;
+
+  // Status a simple, high-level summary of where the resource is in its lifecycle
+  optional string status = 5;
+
+  // A human readable message indicating details about why the resource is in this condition.
+  optional string message = 6;
+}
+
 // Operation contains requested operation parameters.
 message Operation {
   optional SyncOperation sync = 1;
@@ -229,7 +290,7 @@ message Repository {
 
   optional string sshPrivateKey = 4;
 
-  optional string message = 5;
+  optional ConnectionState connectionState = 5;
 }
 
 // RepositoryList is a collection of Repositories.
@@ -247,6 +308,8 @@ message ResourceDetails {
   optional string namespace = 3;
 
   optional string message = 4;
+
+  optional string status = 5;
 }
 
 // ResourceNode contains information about live resource and its children
@@ -279,16 +342,53 @@ message RollbackOperation {
 
 // SyncOperation contains sync operation details.
 message SyncOperation {
+  // Revision is the git revision in which to sync the application to
   optional string revision = 1;
 
+  // Prune deletes resources that are no longer tracked in git
   optional bool prune = 2;
 
+  // DryRun will perform a `kubectl apply --dry-run` without actually performing the sync
   optional bool dryRun = 3;
+
+  // SyncStrategy describes how to perform the sync
+  optional SyncStrategy syncStrategy = 4;
 }
 
 // SyncOperationResult represent result of sync operation
 message SyncOperationResult {
+  // Resources holds the sync result of each individual resource
   repeated ResourceDetails resources = 1;
+
+  // Revision holds the git commit SHA of the sync
+  optional string revision = 2;
+
+  // Hooks contains list of hook resource statuses associated with this operation
+  repeated HookStatus hooks = 3;
+}
+
+// SyncStrategy indicates the
+message SyncStrategy {
+  // Apply wil perform a `kubectl apply` to perform the sync. This is the default strategy
+  optional SyncStrategyApply apply = 1;
+
+  // Hook will submit any referenced resources to perform the sync
+  optional SyncStrategyHook hook = 2;
+}
+
+// SyncStrategyApply uses `kubectl apply` to perform the apply
+message SyncStrategyApply {
+  // Force indicates whether or not to supply the --force flag to `kubectl apply`.
+  // The --force flag deletes and re-create the resource, when PATCH encounters conflict and has
+  // retried for 5 times.
+  optional bool force = 1;
+}
+
+// SyncStrategyHook will perform a sync using hooks annotations.
+// If no hook annotation is specified falls back to `kubectl apply`.
+message SyncStrategyHook {
+  // Embed SyncStrategyApply type to inherit any `apply` options
+  optional SyncStrategyApply syncStrategyApply = 1;
 }
 
 // TLSClientConfig contains settings to enable transport layer security

pkg/apis/application/v1alpha1/hack.go

@@ -11,7 +11,9 @@ type objectMeta struct {
 }
 
 func (a *Application) GetMetadata() *objectMeta {
-	return &objectMeta{
-		Name: &a.Name,
+	var om objectMeta
+	if a != nil {
+		om.Name = &a.Name
 	}
+	return &om
 }

pkg/apis/application/v1alpha1/register.go

@@ -12,6 +12,7 @@ var (
 	// SchemeGroupVersion is group version used to register these objects
 	SchemeGroupVersion                = schema.GroupVersion{Group: application.Group, Version: "v1alpha1"}
 	ApplicationSchemaGroupVersionKind = schema.GroupVersionKind{Group: application.Group, Version: "v1alpha1", Kind: application.ApplicationKind}
+	AppProjectSchemaGroupVersionKind  = schema.GroupVersionKind{Group: application.Group, Version: "v1alpha1", Kind: application.AppProjectKind}
 )
 
 // Resource takes an unqualified resource and returns a Group-qualified GroupResource.
@@ -29,6 +30,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 	scheme.AddKnownTypes(SchemeGroupVersion,
 		&Application{},
 		&ApplicationList{},
+		&AppProject{},
+		&AppProjectList{},
 	)
 	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
 	return nil

pkg/apis/application/v1alpha1/types.go

@@ -2,20 +2,27 @@ package v1alpha1
 
 import (
 	"encoding/json"
-	"time"
+	"strings"
 
-	"github.com/argoproj/argo-cd/common"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/rest"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/util/git"
 )
 
 // SyncOperation contains sync operation details.
 type SyncOperation struct {
+	// Revision is the git revision in which to sync the application to
 	Revision string `json:"revision,omitempty" protobuf:"bytes,1,opt,name=revision"`
-	Prune    bool   `json:"prune,omitempty" protobuf:"bytes,2,opt,name=prune"`
-	DryRun   bool   `json:"dryRun,omitempty" protobuf:"bytes,3,opt,name=dryRun"`
+	// Prune deletes resources that are no longer tracked in git
+	Prune bool `json:"prune,omitempty" protobuf:"bytes,2,opt,name=prune"`
+	// DryRun will perform a `kubectl apply --dry-run` without actually performing the sync
+	DryRun bool `json:"dryRun,omitempty" protobuf:"bytes,3,opt,name=dryRun"`
+	// SyncStrategy describes how to perform the sync
+	SyncStrategy *SyncStrategy `json:"syncStrategy,omitempty" protobuf:"bytes,4,opt,name=syncStrategy"`
 }
 
 type RollbackOperation struct {
@@ -33,10 +40,11 @@ type Operation struct {
 type OperationPhase string
 
 const (
-	OperationRunning   OperationPhase = "Running"
-	OperationFailed    OperationPhase = "Failed"
-	OperationError     OperationPhase = "Error"
-	OperationSucceeded OperationPhase = "Succeeded"
+	OperationRunning     OperationPhase = "Running"
+	OperationTerminating OperationPhase = "Terminating"
+	OperationFailed      OperationPhase = "Failed"
+	OperationError       OperationPhase = "Error"
+	OperationSucceeded   OperationPhase = "Succeeded"
 )
 
 func (os OperationPhase) Completed() bool {
@@ -69,16 +77,95 @@ type OperationState struct {
 	FinishedAt *metav1.Time `json:"finishedAt" protobuf:"bytes,7,opt,name=finishedAt"`
 }
 
+// SyncStrategy indicates the
+type SyncStrategy struct {
+	// Apply wil perform a `kubectl apply` to perform the sync. This is the default strategy
+	Apply *SyncStrategyApply `json:"apply,omitempty" protobuf:"bytes,1,opt,name=apply"`
+	// Hook will submit any referenced resources to perform the sync
+	Hook *SyncStrategyHook `json:"hook,omitempty" protobuf:"bytes,2,opt,name=hook"`
+}
+
+// SyncStrategyApply uses `kubectl apply` to perform the apply
+type SyncStrategyApply struct {
+	// Force indicates whether or not to supply the --force flag to `kubectl apply`.
+	// The --force flag deletes and re-create the resource, when PATCH encounters conflict and has
+	// retried for 5 times.
+	Force bool `json:"force,omitempty" protobuf:"bytes,1,opt,name=force"`
+}
+
+// SyncStrategyHook will perform a sync using hooks annotations.
+// If no hook annotation is specified falls back to `kubectl apply`.
+type SyncStrategyHook struct {
+	// Embed SyncStrategyApply type to inherit any `apply` options
+	SyncStrategyApply `protobuf:"bytes,1,opt,name=syncStrategyApply"`
+}
+
+type HookType string
+
+const (
+	HookTypePreSync  HookType = "PreSync"
+	HookTypeSync     HookType = "Sync"
+	HookTypePostSync HookType = "PostSync"
+	HookTypeSkip     HookType = "Skip"
+
+	// NOTE: we may consider adding SyncFail hook. With a SyncFail hook, finalizer-like logic could
+	// be implemented by specifying both PostSync,SyncFail in the hook annotation:
+	// (e.g.: argocd.argoproj.io/hook: PostSync,SyncFail)
+	//HookTypeSyncFail     HookType = "SyncFail"
+)
+
+type HookDeletePolicy string
+
+const (
+	HookDeletePolicyHookSucceeded HookDeletePolicy = "HookSucceeded"
+	HookDeletePolicyHookFailed    HookDeletePolicy = "HookFailed"
+)
+
+// HookStatus contains status about a hook invocation
+type HookStatus struct {
+	// Name is the resource name
+	Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
+	// Kind is the resource kind
+	Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+	// APIVersion is the resource API version
+	APIVersion string `json:"apiVersion" protobuf:"bytes,3,opt,name=apiVersion"`
+	// Type is the type of hook (e.g. PreSync, Sync, PostSync, Skip)
+	Type HookType `json:"type" protobuf:"bytes,4,opt,name=type"`
+	// Status a simple, high-level summary of where the resource is in its lifecycle
+	Status OperationPhase `json:"status" protobuf:"bytes,5,opt,name=status"`
+	// A human readable message indicating details about why the resource is in this condition.
+	Message string `json:"message,omitempty" protobuf:"bytes,6,opt,name=message"`
+}
+
 // SyncOperationResult represent result of sync operation
 type SyncOperationResult struct {
-	Resources []*ResourceDetails `json:"resources" protobuf:"bytes,1,opt,name=resources"`
+	// Resources holds the sync result of each individual resource
+	Resources []*ResourceDetails `json:"resources,omitempty" protobuf:"bytes,1,opt,name=resources"`
+	// Revision holds the git commit SHA of the sync
+	Revision string `json:"revision" protobuf:"bytes,2,opt,name=revision"`
+	// Hooks contains list of hook resource statuses associated with this operation
+	Hooks []*HookStatus `json:"hooks,omitempty" protobuf:"bytes,3,opt,name=hooks"`
+}
+
+type ResourceSyncStatus string
+
+const (
+	ResourceDetailsSynced          ResourceSyncStatus = "Synced"
+	ResourceDetailsSyncFailed      ResourceSyncStatus = "SyncFailed"
+	ResourceDetailsSyncedAndPruned ResourceSyncStatus = "SyncedAndPruned"
+	ResourceDetailsPruningRequired ResourceSyncStatus = "PruningRequired"
+)
+
+func (s ResourceSyncStatus) Successful() bool {
+	return s != ResourceDetailsSyncFailed
 }
 
 type ResourceDetails struct {
-	Name      string `json:"name" protobuf:"bytes,1,opt,name=name"`
-	Kind      string `json:"kind" protobuf:"bytes,2,opt,name=kind"`
-	Namespace string `json:"namespace" protobuf:"bytes,3,opt,name=namespace"`
-	Message   string `json:"message,omitempty" protobuf:"bytes,4,opt,name=message"`
+	Name      string             `json:"name" protobuf:"bytes,1,opt,name=name"`
+	Kind      string             `json:"kind" protobuf:"bytes,2,opt,name=kind"`
+	Namespace string             `json:"namespace" protobuf:"bytes,3,opt,name=namespace"`
+	Message   string             `json:"message,omitempty" protobuf:"bytes,4,opt,name=message"`
+	Status    ResourceSyncStatus `json:"status,omitempty" protobuf:"bytes,5,opt,name=status"`
 }
 
 // DeploymentInfo contains information relevant to an application deployment
@@ -128,6 +215,8 @@ type ApplicationSpec struct {
 	Source ApplicationSource `json:"source" protobuf:"bytes,1,opt,name=source"`
 	// Destination overrides the kubernetes server and namespace defined in the environment ksonnet app.yaml
 	Destination ApplicationDestination `json:"destination" protobuf:"bytes,2,name=destination"`
+	// Project is a application project name. Empty name means that application belongs to 'default' project.
+	Project string `json:"project" protobuf:"bytes,3,name=project"`
 }
 
 // ComponentParameter contains information about component parameter value
@@ -165,8 +254,7 @@ type ComparisonStatus string
 
 // Possible comparison results
 const (
-	ComparisonStatusUnknown   ComparisonStatus = ""
-	ComparisonStatusError     ComparisonStatus = "Error"
+	ComparisonStatusUnknown   ComparisonStatus = "Unknown"
 	ComparisonStatusSynced    ComparisonStatus = "Synced"
 	ComparisonStatusOutOfSync ComparisonStatus = "OutOfSync"
 )
@@ -181,11 +269,23 @@ type ApplicationStatus struct {
 	Conditions       []ApplicationCondition `json:"conditions,omitempty" protobuf:"bytes,6,opt,name=conditions"`
 }
 
+// ApplicationConditionType represents type of application condition. Type name has following convention:
+// prefix "Error" means error condition
+// prefix "Warning" means warning condition
+// prefix "Info" means informational condition
 type ApplicationConditionType = string
 
 const (
 	// ApplicationConditionDeletionError indicates that controller failed to delete application
 	ApplicationConditionDeletionError = "DeletionError"
+	// ApplicationConditionInvalidSpecError indicates that application source is invalid
+	ApplicationConditionInvalidSpecError = "InvalidSpecError"
+	// ApplicationComparisonError indicates controller failed to compare application state
+	ApplicationConditionComparisonError = "ComparisonError"
+	// ApplicationConditionUnknownError indicates an unknown controller error
+	ApplicationConditionUnknownError = "UnknownError"
+	// ApplicationConditionSharedResourceWarning indicates that controller detected resources which belongs to more than one application
+	ApplicationConditionSharedResourceWarning = "SharedResourceWarning"
 )
 
 // ApplicationCondition contains details about current application condition
@@ -202,7 +302,6 @@ type ComparisonResult struct {
 	ComparedTo ApplicationSource `json:"comparedTo" protobuf:"bytes,2,opt,name=comparedTo"`
 	Status     ComparisonStatus  `json:"status" protobuf:"bytes,5,opt,name=status,casttype=ComparisonStatus"`
 	Resources  []ResourceState   `json:"resources" protobuf:"bytes,6,opt,name=resources"`
-	Error      string            `json:"error" protobuf:"bytes,7,opt,name=error"`
 }
 
 type HealthStatus struct {
@@ -213,10 +312,11 @@ type HealthStatus struct {
 type HealthStatusCode = string
 
 const (
-	HealthStatusUnknown     = ""
+	HealthStatusUnknown     = "Unknown"
 	HealthStatusProgressing = "Progressing"
 	HealthStatusHealthy     = "Healthy"
 	HealthStatusDegraded    = "Degraded"
+	HealthStatusMissing     = "Missing"
 )
 
 // ResourceNode contains information about live resource and its children
@@ -234,6 +334,22 @@ type ResourceState struct {
 	Health             HealthStatus     `json:"health,omitempty" protobuf:"bytes,5,opt,name=health"`
 }
 
+// ConnectionStatus represents connection status
+type ConnectionStatus = string
+
+const (
+	ConnectionStatusUnknown    = "Unknown"
+	ConnectionStatusSuccessful = "Successful"
+	ConnectionStatusFailed     = "Failed"
+)
+
+// ConnectionState contains information about remote resource connection state
+type ConnectionState struct {
+	Status     ConnectionStatus `json:"status" protobuf:"bytes,1,opt,name=status"`
+	Message    string           `json:"message" protobuf:"bytes,2,opt,name=message"`
+	ModifiedAt *metav1.Time     `json:"attemptedAt" protobuf:"bytes,3,opt,name=attemptedAt"`
+}
+
 // Cluster is the definition of a cluster resource
 type Cluster struct {
 	// Server is the API server URL of the Kubernetes cluster
@@ -245,8 +361,8 @@ type Cluster struct {
 	// Config holds cluster information for connecting to a cluster
 	Config ClusterConfig `json:"config" protobuf:"bytes,3,opt,name=config"`
 
-	// Message can hold a status message or error.
-	Message string `json:"message,omitempty" protobuf:"bytes,4,opt,name=message"`
+	// ConnectionState contains information about cluster connection state
+	ConnectionState ConnectionState `json:"connectionState,omitempty" protobuf:"bytes,4,opt,name=connectionState"`
 }
 
 // ClusterList is a collection of Clusters.
@@ -293,11 +409,11 @@ type TLSClientConfig struct {
 
 // Repository is a Git repository holding application configurations
 type Repository struct {
-	Repo          string `json:"repo" protobuf:"bytes,1,opt,name=repo"`
-	Username      string `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
-	Password      string `json:"password,omitempty" protobuf:"bytes,3,opt,name=password"`
-	SSHPrivateKey string `json:"sshPrivateKey,omitempty" protobuf:"bytes,4,opt,name=sshPrivateKey"`
-	Message       string `json:"message,omitempty" protobuf:"bytes,5,opt,name=message"`
+	Repo            string          `json:"repo" protobuf:"bytes,1,opt,name=repo"`
+	Username        string          `json:"username,omitempty" protobuf:"bytes,2,opt,name=username"`
+	Password        string          `json:"password,omitempty" protobuf:"bytes,3,opt,name=password"`
+	SSHPrivateKey   string          `json:"sshPrivateKey,omitempty" protobuf:"bytes,4,opt,name=sshPrivateKey"`
+	ConnectionState ConnectionState `json:"connectionState,omitempty" protobuf:"bytes,5,opt,name=connectionState"`
 }
 
 // RepositoryList is a collection of Repositories.
@@ -306,6 +422,45 @@ type RepositoryList struct {
 	Items           []Repository `json:"items" protobuf:"bytes,2,rep,name=items"`
 }
 
+// AppProjectList is list of AppProject resources
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type AppProjectList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata" protobuf:"bytes,1,opt,name=metadata"`
+	Items           []AppProject `json:"items" protobuf:"bytes,2,rep,name=items"`
+}
+
+// AppProject is a definition of AppProject resource.
+// +genclient
+// +genclient:noStatus
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+type AppProject struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata" protobuf:"bytes,1,opt,name=metadata"`
+	Spec              AppProjectSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
+}
+
+// AppProjectSpec represents
+type AppProjectSpec struct {
+	// SourceRepos contains list of git repository URLs which can be used for deployment
+	SourceRepos []string `json:"sources" protobuf:"bytes,1,name=destination"`
+
+	// Destinations contains list of destinations available for deployment
+	Destinations []ApplicationDestination `json:"destinations" protobuf:"bytes,2,name=destination"`
+
+	// Description contains optional project description
+	Description string `json:"description,omitempty" protobuf:"bytes,3,opt,name=description"`
+}
+
+func GetDefaultProject(namespace string) AppProject {
+	return AppProject{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      common.DefaultAppProjectName,
+			Namespace: namespace,
+		},
+	}
+}
+
 func (app *Application) getFinalizerIndex(name string) int {
 	for i, finalizer := range app.Finalizers {
 		if finalizer == name {
@@ -333,11 +488,21 @@ func (app *Application) SetCascadedDeletion(prune bool) {
 	}
 }
 
-// NeedRefreshAppStatus answers if application status needs to be refreshed. Returns true if application never been compared, has changed or comparison result has expired.
-func (app *Application) NeedRefreshAppStatus(statusRefreshTimeout time.Duration) bool {
-	return app.Status.ComparisonResult.Status == ComparisonStatusUnknown ||
-		!app.Spec.Source.Equals(app.Status.ComparisonResult.ComparedTo) ||
-		app.Status.ComparisonResult.ComparedAt.Add(statusRefreshTimeout).Before(time.Now())
+// GetErrorConditions returns list of application error conditions
+func (status *ApplicationStatus) GetErrorConditions() []ApplicationCondition {
+	result := make([]ApplicationCondition, 0)
+	for i := range status.Conditions {
+		condition := status.Conditions[i]
+		if condition.IsError() {
+			result = append(result, condition)
+		}
+	}
+	return result
+}
+
+// IsError returns true if condition is error condition
+func (condition *ApplicationCondition) IsError() bool {
+	return strings.HasSuffix(condition.Type, "Error")
 }
 
 // Equals compares two instances of ApplicationSource and return true if instances are equal.
@@ -348,6 +513,46 @@ func (source ApplicationSource) Equals(other ApplicationSource) bool {
 		source.Environment == other.Environment
 }
 
+func (spec ApplicationSpec) BelongsToDefaultProject() bool {
+	return spec.GetProject() == common.DefaultAppProjectName
+}
+
+func (spec ApplicationSpec) GetProject() string {
+	if spec.Project == "" {
+		return common.DefaultAppProjectName
+	}
+	return spec.Project
+}
+
+func (proj AppProject) IsDefault() bool {
+	return proj.Name == "" || proj.Name == common.DefaultAppProjectName
+}
+
+func (proj AppProject) IsSourcePermitted(src ApplicationSource) bool {
+	if proj.IsDefault() {
+		return true
+	}
+	normalizedURL := git.NormalizeGitURL(src.RepoURL)
+	for _, repoURL := range proj.Spec.SourceRepos {
+		if git.NormalizeGitURL(repoURL) == normalizedURL {
+			return true
+		}
+	}
+	return false
+}
+
+func (proj AppProject) IsDestinationPermitted(dst ApplicationDestination) bool {
+	if proj.IsDefault() {
+		return true
+	}
+	for _, item := range proj.Spec.Destinations {
+		if item.Server == dst.Server && item.Namespace == dst.Namespace {
+			return true
+		}
+	}
+	return false
+}
+
 // RESTConfig returns a go-client REST config from cluster
 func (c *Cluster) RESTConfig() *rest.Config {
 	return &rest.Config{

pkg/apis/application/v1alpha1/zz_generated.deepcopy.go

@@ -9,6 +9,92 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AppProject) DeepCopyInto(out *AppProject) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppProject.
+func (in *AppProject) DeepCopy() *AppProject {
+	if in == nil {
+		return nil
+	}
+	out := new(AppProject)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *AppProject) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AppProjectList) DeepCopyInto(out *AppProjectList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	out.ListMeta = in.ListMeta
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]AppProject, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppProjectList.
+func (in *AppProjectList) DeepCopy() *AppProjectList {
+	if in == nil {
+		return nil
+	}
+	out := new(AppProjectList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *AppProjectList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AppProjectSpec) DeepCopyInto(out *AppProjectSpec) {
+	*out = *in
+	if in.SourceRepos != nil {
+		in, out := &in.SourceRepos, &out.SourceRepos
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
+	if in.Destinations != nil {
+		in, out := &in.Destinations, &out.Destinations
+		*out = make([]ApplicationDestination, len(*in))
+		copy(*out, *in)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppProjectSpec.
+func (in *AppProjectSpec) DeepCopy() *AppProjectSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AppProjectSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Application) DeepCopyInto(out *Application) {
 	*out = *in
@@ -215,6 +301,7 @@ func (in *ApplicationWatchEvent) DeepCopy() *ApplicationWatchEvent {
 func (in *Cluster) DeepCopyInto(out *Cluster) {
 	*out = *in
 	in.Config.DeepCopyInto(&out.Config)
+	in.ConnectionState.DeepCopyInto(&out.ConnectionState)
 	return
 }
 
@@ -310,6 +397,31 @@ func (in *ComponentParameter) DeepCopy() *ComponentParameter {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConnectionState) DeepCopyInto(out *ConnectionState) {
+	*out = *in
+	if in.ModifiedAt != nil {
+		in, out := &in.ModifiedAt, &out.ModifiedAt
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(v1.Time)
+			(*in).DeepCopyInto(*out)
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionState.
+func (in *ConnectionState) DeepCopy() *ConnectionState {
+	if in == nil {
+		return nil
+	}
+	out := new(ConnectionState)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeploymentInfo) DeepCopyInto(out *DeploymentInfo) {
 	*out = *in
@@ -353,6 +465,22 @@ func (in *HealthStatus) DeepCopy() *HealthStatus {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HookStatus) DeepCopyInto(out *HookStatus) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HookStatus.
+func (in *HookStatus) DeepCopy() *HookStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(HookStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Operation) DeepCopyInto(out *Operation) {
 	*out = *in
@@ -362,7 +490,7 @@ func (in *Operation) DeepCopyInto(out *Operation) {
 			*out = nil
 		} else {
 			*out = new(SyncOperation)
-			**out = **in
+			(*in).DeepCopyInto(*out)
 		}
 	}
 	if in.Rollback != nil {
@@ -435,6 +563,7 @@ func (in *OperationState) DeepCopy() *OperationState {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Repository) DeepCopyInto(out *Repository) {
 	*out = *in
+	in.ConnectionState.DeepCopyInto(&out.ConnectionState)
 	return
 }
 
@@ -455,7 +584,9 @@ func (in *RepositoryList) DeepCopyInto(out *RepositoryList) {
 	if in.Items != nil {
 		in, out := &in.Items, &out.Items
 		*out = make([]Repository, len(*in))
-		copy(*out, *in)
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 	return
 }
@@ -552,6 +683,15 @@ func (in *RollbackOperation) DeepCopy() *RollbackOperation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SyncOperation) DeepCopyInto(out *SyncOperation) {
 	*out = *in
+	if in.SyncStrategy != nil {
+		in, out := &in.SyncStrategy, &out.SyncStrategy
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SyncStrategy)
+			(*in).DeepCopyInto(*out)
+		}
+	}
 	return
 }
 
@@ -580,6 +720,18 @@ func (in *SyncOperationResult) DeepCopyInto(out *SyncOperationResult) {
 			}
 		}
 	}
+	if in.Hooks != nil {
+		in, out := &in.Hooks, &out.Hooks
+		*out = make([]*HookStatus, len(*in))
+		for i := range *in {
+			if (*in)[i] == nil {
+				(*out)[i] = nil
+			} else {
+				(*out)[i] = new(HookStatus)
+				(*in)[i].DeepCopyInto((*out)[i])
+			}
+		}
+	}
 	return
 }
 
@@ -593,6 +745,73 @@ func (in *SyncOperationResult) DeepCopy() *SyncOperationResult {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SyncStrategy) DeepCopyInto(out *SyncStrategy) {
+	*out = *in
+	if in.Apply != nil {
+		in, out := &in.Apply, &out.Apply
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SyncStrategyApply)
+			**out = **in
+		}
+	}
+	if in.Hook != nil {
+		in, out := &in.Hook, &out.Hook
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(SyncStrategyHook)
+			**out = **in
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SyncStrategy.
+func (in *SyncStrategy) DeepCopy() *SyncStrategy {
+	if in == nil {
+		return nil
+	}
+	out := new(SyncStrategy)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SyncStrategyApply) DeepCopyInto(out *SyncStrategyApply) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SyncStrategyApply.
+func (in *SyncStrategyApply) DeepCopy() *SyncStrategyApply {
+	if in == nil {
+		return nil
+	}
+	out := new(SyncStrategyApply)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SyncStrategyHook) DeepCopyInto(out *SyncStrategyHook) {
+	*out = *in
+	out.SyncStrategyApply = in.SyncStrategyApply
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SyncStrategyHook.
+func (in *SyncStrategyHook) DeepCopy() *SyncStrategyHook {
+	if in == nil {
+		return nil
+	}
+	out := new(SyncStrategyHook)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSClientConfig) DeepCopyInto(out *TLSClientConfig) {
 	*out = *in

pkg/client/clientset/versioned/fake/clientset_generated.go

@@ -25,7 +25,15 @@ func NewSimpleClientset(objects ...runtime.Object) *Clientset {
 
 	fakePtr := testing.Fake{}
 	fakePtr.AddReactor("*", "*", testing.ObjectReaction(o))
-	fakePtr.AddWatchReactor("*", testing.DefaultWatchReactor(watch.NewFake(), nil))
+	fakePtr.AddWatchReactor("*", func(action testing.Action) (handled bool, ret watch.Interface, err error) {
+		gvr := action.GetResource()
+		ns := action.GetNamespace()
+		watch, err := o.Watch(gvr, ns)
+		if err != nil {
+			return false, nil, err
+		}
+		return true, watch, nil
+	})
 
 	return &Clientset{fakePtr, &fakediscovery.FakeDiscovery{Fake: &fakePtr}}
 }

pkg/client/clientset/versioned/fake/register.go

@@ -22,7 +22,7 @@ func init() {
 //
 //   import (
 //     "k8s.io/client-go/kubernetes"
-//     clientsetscheme "k8s.io/client-go/kuberentes/scheme"
+//     clientsetscheme "k8s.io/client-go/kubernetes/scheme"
 //     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
 //   )
 //
@@ -33,5 +33,4 @@ func init() {
 // correctly.
 func AddToScheme(scheme *runtime.Scheme) {
 	argoprojv1alpha1.AddToScheme(scheme)
-
 }

pkg/client/clientset/versioned/scheme/register.go

@@ -22,7 +22,7 @@ func init() {
 //
 //   import (
 //     "k8s.io/client-go/kubernetes"
-//     clientsetscheme "k8s.io/client-go/kuberentes/scheme"
+//     clientsetscheme "k8s.io/client-go/kubernetes/scheme"
 //     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
 //   )
 //
@@ -33,5 +33,4 @@ func init() {
 // correctly.
 func AddToScheme(scheme *runtime.Scheme) {
 	argoprojv1alpha1.AddToScheme(scheme)
-
 }

pkg/client/clientset/versioned/typed/application/v1alpha1/application_client.go

@@ -9,6 +9,7 @@ import (
 
 type ArgoprojV1alpha1Interface interface {
 	RESTClient() rest.Interface
+	AppProjectsGetter
 	ApplicationsGetter
 }
 
@@ -17,6 +18,10 @@ type ArgoprojV1alpha1Client struct {
 	restClient rest.Interface
 }
 
+func (c *ArgoprojV1alpha1Client) AppProjects(namespace string) AppProjectInterface {
+	return newAppProjects(c, namespace)
+}
+
 func (c *ArgoprojV1alpha1Client) Applications(namespace string) ApplicationInterface {
 	return newApplications(c, namespace)
 }

pkg/client/clientset/versioned/typed/application/v1alpha1/appproject.go

@@ -0,0 +1,139 @@
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	scheme "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/scheme"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// AppProjectsGetter has a method to return a AppProjectInterface.
+// A group's client should implement this interface.
+type AppProjectsGetter interface {
+	AppProjects(namespace string) AppProjectInterface
+}
+
+// AppProjectInterface has methods to work with AppProject resources.
+type AppProjectInterface interface {
+	Create(*v1alpha1.AppProject) (*v1alpha1.AppProject, error)
+	Update(*v1alpha1.AppProject) (*v1alpha1.AppProject, error)
+	Delete(name string, options *v1.DeleteOptions) error
+	DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error
+	Get(name string, options v1.GetOptions) (*v1alpha1.AppProject, error)
+	List(opts v1.ListOptions) (*v1alpha1.AppProjectList, error)
+	Watch(opts v1.ListOptions) (watch.Interface, error)
+	Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.AppProject, err error)
+	AppProjectExpansion
+}
+
+// appProjects implements AppProjectInterface
+type appProjects struct {
+	client rest.Interface
+	ns     string
+}
+
+// newAppProjects returns a AppProjects
+func newAppProjects(c *ArgoprojV1alpha1Client, namespace string) *appProjects {
+	return &appProjects{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the appProject, and returns the corresponding appProject object, and an error if there is any.
+func (c *appProjects) Get(name string, options v1.GetOptions) (result *v1alpha1.AppProject, err error) {
+	result = &v1alpha1.AppProject{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("appprojects").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of AppProjects that match those selectors.
+func (c *appProjects) List(opts v1.ListOptions) (result *v1alpha1.AppProjectList, err error) {
+	result = &v1alpha1.AppProjectList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("appprojects").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Do().
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested appProjects.
+func (c *appProjects) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("appprojects").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Watch()
+}
+
+// Create takes the representation of a appProject and creates it.  Returns the server's representation of the appProject, and an error, if there is any.
+func (c *appProjects) Create(appProject *v1alpha1.AppProject) (result *v1alpha1.AppProject, err error) {
+	result = &v1alpha1.AppProject{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("appprojects").
+		Body(appProject).
+		Do().
+		Into(result)
+	return
+}
+
+// Update takes the representation of a appProject and updates it. Returns the server's representation of the appProject, and an error, if there is any.
+func (c *appProjects) Update(appProject *v1alpha1.AppProject) (result *v1alpha1.AppProject, err error) {
+	result = &v1alpha1.AppProject{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("appprojects").
+		Name(appProject.Name).
+		Body(appProject).
+		Do().
+		Into(result)
+	return
+}
+
+// Delete takes name of the appProject and deletes it. Returns an error if one occurs.
+func (c *appProjects) Delete(name string, options *v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("appprojects").
+		Name(name).
+		Body(options).
+		Do().
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *appProjects) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("appprojects").
+		VersionedParams(&listOptions, scheme.ParameterCodec).
+		Body(options).
+		Do().
+		Error()
+}
+
+// Patch applies the patch and returns the patched appProject.
+func (c *appProjects) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.AppProject, err error) {
+	result = &v1alpha1.AppProject{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("appprojects").
+		SubResource(subresources...).
+		Name(name).
+		Body(data).
+		Do().
+		Into(result)
+	return
+}

pkg/client/clientset/versioned/typed/application/v1alpha1/fake/fake_application_client.go

@@ -10,6 +10,10 @@ type FakeArgoprojV1alpha1 struct {
 	*testing.Fake
 }
 
+func (c *FakeArgoprojV1alpha1) AppProjects(namespace string) v1alpha1.AppProjectInterface {
+	return &FakeAppProjects{c, namespace}
+}
+
 func (c *FakeArgoprojV1alpha1) Applications(namespace string) v1alpha1.ApplicationInterface {
 	return &FakeApplications{c, namespace}
 }

pkg/client/clientset/versioned/typed/application/v1alpha1/fake/fake_appproject.go

@@ -0,0 +1,110 @@
+package fake
+
+import (
+	v1alpha1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeAppProjects implements AppProjectInterface
+type FakeAppProjects struct {
+	Fake *FakeArgoprojV1alpha1
+	ns   string
+}
+
+var appprojectsResource = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "appprojects"}
+
+var appprojectsKind = schema.GroupVersionKind{Group: "argoproj.io", Version: "v1alpha1", Kind: "AppProject"}
+
+// Get takes name of the appProject, and returns the corresponding appProject object, and an error if there is any.
+func (c *FakeAppProjects) Get(name string, options v1.GetOptions) (result *v1alpha1.AppProject, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(appprojectsResource, c.ns, name), &v1alpha1.AppProject{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.AppProject), err
+}
+
+// List takes label and field selectors, and returns the list of AppProjects that match those selectors.
+func (c *FakeAppProjects) List(opts v1.ListOptions) (result *v1alpha1.AppProjectList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(appprojectsResource, appprojectsKind, c.ns, opts), &v1alpha1.AppProjectList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.AppProjectList{}
+	for _, item := range obj.(*v1alpha1.AppProjectList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested appProjects.
+func (c *FakeAppProjects) Watch(opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(appprojectsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a appProject and creates it.  Returns the server's representation of the appProject, and an error, if there is any.
+func (c *FakeAppProjects) Create(appProject *v1alpha1.AppProject) (result *v1alpha1.AppProject, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(appprojectsResource, c.ns, appProject), &v1alpha1.AppProject{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.AppProject), err
+}
+
+// Update takes the representation of a appProject and updates it. Returns the server's representation of the appProject, and an error, if there is any.
+func (c *FakeAppProjects) Update(appProject *v1alpha1.AppProject) (result *v1alpha1.AppProject, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(appprojectsResource, c.ns, appProject), &v1alpha1.AppProject{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.AppProject), err
+}
+
+// Delete takes name of the appProject and deletes it. Returns an error if one occurs.
+func (c *FakeAppProjects) Delete(name string, options *v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(appprojectsResource, c.ns, name), &v1alpha1.AppProject{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeAppProjects) DeleteCollection(options *v1.DeleteOptions, listOptions v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(appprojectsResource, c.ns, listOptions)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.AppProjectList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched appProject.
+func (c *FakeAppProjects) Patch(name string, pt types.PatchType, data []byte, subresources ...string) (result *v1alpha1.AppProject, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(appprojectsResource, c.ns, name, data, subresources...), &v1alpha1.AppProject{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.AppProject), err
+}

pkg/client/clientset/versioned/typed/application/v1alpha1/generated_expansion.go

@@ -1,3 +1,5 @@
 package v1alpha1
 
+type AppProjectExpansion interface{}
+
 type ApplicationExpansion interface{}

pkg/client/informers/externalversions/application/interface.go

@@ -1,5 +1,3 @@
-// This file was automatically generated by informer-gen
-
 package argoproj
 
 import (

pkg/client/informers/externalversions/application/v1alpha1/application.go

@@ -1,5 +1,3 @@
-// This file was automatically generated by informer-gen
-
 package v1alpha1
 
 import (

pkg/client/informers/externalversions/application/v1alpha1/appproject.go

@@ -0,0 +1,71 @@
+package v1alpha1
+
+import (
+	time "time"
+
+	application_v1alpha1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	versioned "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
+	internalinterfaces "github.com/argoproj/argo-cd/pkg/client/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/argoproj/argo-cd/pkg/client/listers/application/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// AppProjectInformer provides access to a shared informer and lister for
+// AppProjects.
+type AppProjectInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.AppProjectLister
+}
+
+type appProjectInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewAppProjectInformer constructs a new informer for AppProject type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewAppProjectInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredAppProjectInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredAppProjectInformer constructs a new informer for AppProject type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredAppProjectInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ArgoprojV1alpha1().AppProjects(namespace).List(options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.ArgoprojV1alpha1().AppProjects(namespace).Watch(options)
+			},
+		},
+		&application_v1alpha1.AppProject{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *appProjectInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredAppProjectInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *appProjectInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&application_v1alpha1.AppProject{}, f.defaultInformer)
+}
+
+func (f *appProjectInformer) Lister() v1alpha1.AppProjectLister {
+	return v1alpha1.NewAppProjectLister(f.Informer().GetIndexer())
+}

pkg/client/informers/externalversions/application/v1alpha1/interface.go

@@ -1,5 +1,3 @@
-// This file was automatically generated by informer-gen
-
 package v1alpha1
 
 import (
@@ -8,6 +6,8 @@ import (
 
 // Interface provides access to all the informers in this group version.
 type Interface interface {
+	// AppProjects returns a AppProjectInformer.
+	AppProjects() AppProjectInformer
 	// Applications returns a ApplicationInformer.
 	Applications() ApplicationInformer
 }
@@ -23,6 +23,11 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList
 	return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions}
 }
 
+// AppProjects returns a AppProjectInformer.
+func (v *version) AppProjects() AppProjectInformer {
+	return &appProjectInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // Applications returns a ApplicationInformer.
 func (v *version) Applications() ApplicationInformer {
 	return &applicationInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}

pkg/client/informers/externalversions/factory.go

@@ -1,5 +1,3 @@
-// This file was automatically generated by informer-gen
-
 package externalversions
 
 import (

pkg/client/informers/externalversions/generic.go

@@ -1,5 +1,3 @@
-// This file was automatically generated by informer-gen
-
 package externalversions
 
 import (
@@ -37,6 +35,8 @@ func (f *genericInformer) Lister() cache.GenericLister {
 func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) {
 	switch resource {
 	// Group=argoproj.io, Version=v1alpha1
+	case v1alpha1.SchemeGroupVersion.WithResource("appprojects"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Argoproj().V1alpha1().AppProjects().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("applications"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Argoproj().V1alpha1().Applications().Informer()}, nil
 

pkg/client/informers/externalversions/internalinterfaces/factory_interfaces.go

@@ -1,5 +1,3 @@
-// This file was automatically generated by informer-gen
-
 package internalinterfaces
 
 import (

pkg/client/listers/application/v1alpha1/application.go

@@ -1,5 +1,3 @@
-// This file was automatically generated by lister-gen
-
 package v1alpha1
 
 import (

pkg/client/listers/application/v1alpha1/appproject.go

@@ -0,0 +1,76 @@
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// AppProjectLister helps list AppProjects.
+type AppProjectLister interface {
+	// List lists all AppProjects in the indexer.
+	List(selector labels.Selector) (ret []*v1alpha1.AppProject, err error)
+	// AppProjects returns an object that can list and get AppProjects.
+	AppProjects(namespace string) AppProjectNamespaceLister
+	AppProjectListerExpansion
+}
+
+// appProjectLister implements the AppProjectLister interface.
+type appProjectLister struct {
+	indexer cache.Indexer
+}
+
+// NewAppProjectLister returns a new AppProjectLister.
+func NewAppProjectLister(indexer cache.Indexer) AppProjectLister {
+	return &appProjectLister{indexer: indexer}
+}
+
+// List lists all AppProjects in the indexer.
+func (s *appProjectLister) List(selector labels.Selector) (ret []*v1alpha1.AppProject, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.AppProject))
+	})
+	return ret, err
+}
+
+// AppProjects returns an object that can list and get AppProjects.
+func (s *appProjectLister) AppProjects(namespace string) AppProjectNamespaceLister {
+	return appProjectNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// AppProjectNamespaceLister helps list and get AppProjects.
+type AppProjectNamespaceLister interface {
+	// List lists all AppProjects in the indexer for a given namespace.
+	List(selector labels.Selector) (ret []*v1alpha1.AppProject, err error)
+	// Get retrieves the AppProject from the indexer for a given namespace and name.
+	Get(name string) (*v1alpha1.AppProject, error)
+	AppProjectNamespaceListerExpansion
+}
+
+// appProjectNamespaceLister implements the AppProjectNamespaceLister
+// interface.
+type appProjectNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all AppProjects in the indexer for a given namespace.
+func (s appProjectNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.AppProject, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.AppProject))
+	})
+	return ret, err
+}
+
+// Get retrieves the AppProject from the indexer for a given namespace and name.
+func (s appProjectNamespaceLister) Get(name string) (*v1alpha1.AppProject, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("appproject"), name)
+	}
+	return obj.(*v1alpha1.AppProject), nil
+}

pkg/client/listers/application/v1alpha1/expansion_generated.go

@@ -1,7 +1,13 @@
-// This file was automatically generated by lister-gen
-
 package v1alpha1
 
+// AppProjectListerExpansion allows custom methods to be added to
+// AppProjectLister.
+type AppProjectListerExpansion interface{}
+
+// AppProjectNamespaceListerExpansion allows custom methods to be added to
+// AppProjectNamespaceLister.
+type AppProjectNamespaceListerExpansion interface{}
+
 // ApplicationListerExpansion allows custom methods to be added to
 // ApplicationLister.
 type ApplicationListerExpansion interface{}

reposerver/mocks/Clientset.go

@@ -0,0 +1,44 @@
+// Code generated by mockery v1.0.0
+package mocks
+
+import mock "github.com/stretchr/testify/mock"
+
+import repository "github.com/argoproj/argo-cd/reposerver/repository"
+import util "github.com/argoproj/argo-cd/util"
+
+// Clientset is an autogenerated mock type for the Clientset type
+type Clientset struct {
+	mock.Mock
+}
+
+// NewRepositoryClient provides a mock function with given fields:
+func (_m *Clientset) NewRepositoryClient() (util.Closer, repository.RepositoryServiceClient, error) {
+	ret := _m.Called()
+
+	var r0 util.Closer
+	if rf, ok := ret.Get(0).(func() util.Closer); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(util.Closer)
+		}
+	}
+
+	var r1 repository.RepositoryServiceClient
+	if rf, ok := ret.Get(1).(func() repository.RepositoryServiceClient); ok {
+		r1 = rf()
+	} else {
+		if ret.Get(1) != nil {
+			r1 = ret.Get(1).(repository.RepositoryServiceClient)
+		}
+	}
+
+	var r2 error
+	if rf, ok := ret.Get(2).(func() error); ok {
+		r2 = rf()
+	} else {
+		r2 = ret.Error(2)
+	}
+
+	return r0, r1, r2
+}

reposerver/repository/mocks/RepositoryServiceClient.go

@@ -0,0 +1,102 @@
+// Code generated by mockery v1.0.0
+package mocks
+
+import context "context"
+import grpc "google.golang.org/grpc"
+import mock "github.com/stretchr/testify/mock"
+import repository "github.com/argoproj/argo-cd/reposerver/repository"
+
+// RepositoryServiceClient is an autogenerated mock type for the RepositoryServiceClient type
+type RepositoryServiceClient struct {
+	mock.Mock
+}
+
+// GenerateManifest provides a mock function with given fields: ctx, in, opts
+func (_m *RepositoryServiceClient) GenerateManifest(ctx context.Context, in *repository.ManifestRequest, opts ...grpc.CallOption) (*repository.ManifestResponse, error) {
+	_va := make([]interface{}, len(opts))
+	for _i := range opts {
+		_va[_i] = opts[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, ctx, in)
+	_ca = append(_ca, _va...)
+	ret := _m.Called(_ca...)
+
+	var r0 *repository.ManifestResponse
+	if rf, ok := ret.Get(0).(func(context.Context, *repository.ManifestRequest, ...grpc.CallOption) *repository.ManifestResponse); ok {
+		r0 = rf(ctx, in, opts...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*repository.ManifestResponse)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *repository.ManifestRequest, ...grpc.CallOption) error); ok {
+		r1 = rf(ctx, in, opts...)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GetFile provides a mock function with given fields: ctx, in, opts
+func (_m *RepositoryServiceClient) GetFile(ctx context.Context, in *repository.GetFileRequest, opts ...grpc.CallOption) (*repository.GetFileResponse, error) {
+	_va := make([]interface{}, len(opts))
+	for _i := range opts {
+		_va[_i] = opts[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, ctx, in)
+	_ca = append(_ca, _va...)
+	ret := _m.Called(_ca...)
+
+	var r0 *repository.GetFileResponse
+	if rf, ok := ret.Get(0).(func(context.Context, *repository.GetFileRequest, ...grpc.CallOption) *repository.GetFileResponse); ok {
+		r0 = rf(ctx, in, opts...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*repository.GetFileResponse)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *repository.GetFileRequest, ...grpc.CallOption) error); ok {
+		r1 = rf(ctx, in, opts...)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// ListDir provides a mock function with given fields: ctx, in, opts
+func (_m *RepositoryServiceClient) ListDir(ctx context.Context, in *repository.ListDirRequest, opts ...grpc.CallOption) (*repository.FileList, error) {
+	_va := make([]interface{}, len(opts))
+	for _i := range opts {
+		_va[_i] = opts[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, ctx, in)
+	_ca = append(_ca, _va...)
+	ret := _m.Called(_ca...)
+
+	var r0 *repository.FileList
+	if rf, ok := ret.Get(0).(func(context.Context, *repository.ListDirRequest, ...grpc.CallOption) *repository.FileList); ok {
+		r0 = rf(ctx, in, opts...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*repository.FileList)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(context.Context, *repository.ListDirRequest, ...grpc.CallOption) error); ok {
+		r1 = rf(ctx, in, opts...)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}

reposerver/repository/repository.go

@@ -1,6 +1,7 @@
 package repository
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -9,15 +10,14 @@ import (
 	"strings"
 	"time"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/git"
 	ksutil "github.com/argoproj/argo-cd/util/ksonnet"
 	"github.com/argoproj/argo-cd/util/kube"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/net/context"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 const (
@@ -61,7 +61,7 @@ func (s *Service) ListDir(ctx context.Context, q *ListDirRequest) (*FileList, er
 	var res FileList
 	err = s.cache.Get(cacheKey, &res)
 	if err == nil {
-		log.Infof("manifest cache hit: %s", cacheKey)
+		log.Infof("listdir cache hit: %s", cacheKey)
 		return &res, nil
 	}
 
@@ -84,7 +84,7 @@ func (s *Service) ListDir(ctx context.Context, q *ListDirRequest) (*FileList, er
 		Expiration: DefaultRepoCacheExpiration,
 	})
 	if err != nil {
-		return nil, err
+		log.Warnf("listdir cache set error %s: %v", cacheKey, err)
 	}
 	return &res, nil
 }
@@ -114,6 +114,15 @@ func (s *Service) GetFile(ctx context.Context, q *GetFileRequest) (*GetFileRespo
 }
 
 func (s *Service) GenerateManifest(c context.Context, q *ManifestRequest) (*ManifestResponse, error) {
+	var res ManifestResponse
+	if git.IsCommitSHA(q.Revision) {
+		cacheKey := manifestCacheKey(q.Revision, q)
+		err := s.cache.Get(cacheKey, &res)
+		if err == nil {
+			log.Infof("manifest cache hit: %s", cacheKey)
+			return &res, nil
+		}
+	}
 	appRepoPath := tempRepoPath(q.Repo.Repo)
 	s.repoLock.Lock(appRepoPath)
 	defer s.repoLock.Unlock(appRepoPath)
@@ -128,7 +137,6 @@ func (s *Service) GenerateManifest(c context.Context, q *ManifestRequest) (*Mani
 		return nil, err
 	}
 	cacheKey := manifestCacheKey(commitSHA, q)
-	var res ManifestResponse
 	err = s.cache.Get(cacheKey, &res)
 	if err == nil {
 		log.Infof("manifest cache hit: %s", cacheKey)
@@ -152,7 +160,7 @@ func (s *Service) GenerateManifest(c context.Context, q *ManifestRequest) (*Mani
 
 	params, err := ksApp.ListEnvParams(q.Environment)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("Failed to list ksonnet app params: %v", err)
 	}
 
 	if q.ComponentParameterOverrides != nil {
@@ -177,7 +185,7 @@ func (s *Service) GenerateManifest(c context.Context, q *ManifestRequest) (*Mani
 	manifests := make([]string, len(targetObjs))
 	for i, target := range targetObjs {
 		if q.AppLabel != "" {
-			err = setAppLabels(target, q.AppLabel)
+			err = kube.SetLabel(target, common.LabelApplicationName, q.AppLabel)
 			if err != nil {
 				return nil, err
 			}
@@ -188,6 +196,7 @@ func (s *Service) GenerateManifest(c context.Context, q *ManifestRequest) (*Mani
 		}
 		manifests[i] = string(manifestStr)
 	}
+
 	res = ManifestResponse{
 		Revision:  commitSHA,
 		Manifests: manifests,
@@ -206,28 +215,6 @@ func (s *Service) GenerateManifest(c context.Context, q *ManifestRequest) (*Mani
 	return &res, nil
 }
 
-// setAppLabels sets our app labels against an unstructured object
-func setAppLabels(target *unstructured.Unstructured, appName string) error {
-	labels := target.GetLabels()
-	if labels == nil {
-		labels = make(map[string]string)
-	}
-	labels[common.LabelApplicationName] = appName
-	target.SetLabels(labels)
-	// special case for deployment: make sure that derived replicaset and pod has application label
-	if target.GetKind() == kube.DeploymentKind {
-		labels, ok := unstructured.NestedMap(target.UnstructuredContent(), "spec", "template", "metadata", "labels")
-		if ok {
-			if labels == nil {
-				labels = make(map[string]interface{})
-			}
-			labels[common.LabelApplicationName] = appName
-		}
-		unstructured.SetNestedMap(target.UnstructuredContent(), labels, "spec", "template", "metadata", "labels")
-	}
-	return nil
-}
-
 // tempRepoPath returns a formulated temporary directory location to clone a repository
 func tempRepoPath(repo string) string {
 	return path.Join(os.TempDir(), strings.Replace(repo, "/", "_", -1))

server/account/account.go

@@ -0,0 +1,77 @@
+package account
+
+import (
+	jwt "github.com/dgrijalva/jwt-go"
+	"golang.org/x/net/context"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	jwtutil "github.com/argoproj/argo-cd/util/jwt"
+	"github.com/argoproj/argo-cd/util/password"
+	"github.com/argoproj/argo-cd/util/session"
+	"github.com/argoproj/argo-cd/util/settings"
+)
+
+// Server provides a Session service
+type Server struct {
+	sessionMgr  *session.SessionManager
+	settingsMgr *settings.SettingsManager
+}
+
+// NewServer returns a new instance of the Session service
+func NewServer(sessionMgr *session.SessionManager, settingsMgr *settings.SettingsManager) *Server {
+	return &Server{
+		sessionMgr:  sessionMgr,
+		settingsMgr: settingsMgr,
+	}
+
+}
+
+//UpdatePassword is used to Update a User's Passwords
+func (s *Server) UpdatePassword(ctx context.Context, q *UpdatePasswordRequest) (*UpdatePasswordResponse, error) {
+	username := getAuthenticatedUser(ctx)
+	cdSettings, err := s.settingsMgr.GetSettings()
+	if err != nil {
+		return nil, err
+	}
+	if _, ok := cdSettings.LocalUsers[username]; !ok {
+		return nil, status.Errorf(codes.InvalidArgument, "password can only be changed for local users")
+	}
+
+	err = s.sessionMgr.VerifyUsernamePassword(username, q.CurrentPassword)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "current password does not match")
+	}
+
+	hashedPassword, err := password.HashPassword(q.NewPassword)
+	if err != nil {
+		return nil, err
+	}
+
+	cdSettings.LocalUsers[username] = hashedPassword
+
+	err = s.settingsMgr.SaveSettings(cdSettings)
+	if err != nil {
+		return nil, err
+	}
+
+	return &UpdatePasswordResponse{}, nil
+
+}
+
+// getAuthenticatedUser returns the currently authenticated user (via JWT 'sub' field)
+func getAuthenticatedUser(ctx context.Context) string {
+	claimsIf := ctx.Value("claims")
+	if claimsIf == nil {
+		return ""
+	}
+	claims, ok := claimsIf.(jwt.Claims)
+	if !ok {
+		return ""
+	}
+	mapClaims, err := jwtutil.MapClaims(claims)
+	if err != nil {
+		return ""
+	}
+	return jwtutil.GetField(mapClaims, "sub")
+}