Update manifests to v1.2.2

Since we serve the badge as an image using HTTP GET, cache systems
(incl. GitHub's CDN - Fastly) like to cache the image thus the
badge becomes stale rendering it useless. Adding the appropriate
Cache-Control HTTP header we direct cache systems and web browsers
not to cache the contents of the response.

.argo-ci/ci.yaml

@@ -1,163 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Workflow
-metadata:
-  generateName: argo-cd-ci-
-spec:
-  entrypoint: argo-cd-ci
-  arguments:
-    parameters:
-    - name: revision
-      value: master
-    - name: repo
-      value: https://github.com/argoproj/argo-cd.git
-  volumes:
-    - name: k3setc
-      emptyDir: {}
-    - name: k3svar
-      emptyDir: {}
-    - name: tmp
-      emptyDir: {}
-
-  templates:
-  - name: argo-cd-ci
-    steps:
-    - - name: build-e2e
-        template: build-e2e
-
-      - name: test
-        template: ci-builder
-        arguments:
-          parameters:
-          - name: cmd
-            value: "dep ensure && make lint test && bash <(curl -s https://codecov.io/bash) -f coverage.out"
-
-  # The step builds argo cd image, deploy argo cd components into throw-away kubernetes cluster provisioned using k3s and run e2e tests against it.
-  - name: build-e2e
-    inputs:
-      artifacts:
-        - name: code
-          path: /go/src/github.com/argoproj/argo-cd
-          git:
-            repo: "{{workflow.parameters.repo}}"
-            revision: "{{workflow.parameters.revision}}"
-    container:
-      image: argoproj/argo-cd-ci-builder:v0.13.1
-      imagePullPolicy: Always
-      command: [sh, -c]
-      # Main contains build argocd image. The image is saved it into k3s agent images directory so it could be preloaded by the k3s cluster.
-      args: ["
-          dep ensure && until docker ps; do sleep 3; done && \
-          make image DEV_IMAGE=true && mkdir -p /var/lib/rancher/k3s/agent/images && \
-          docker save argocd:latest > /var/lib/rancher/k3s/agent/images/argocd.tar && \
-          touch /var/lib/rancher/k3s/ready && until ls /etc/rancher/k3s/k3s.yaml; do sleep 3; done && \
-          kubectl create ns argocd-e2e && kustomize build ./test/manifests/ci | kubectl apply -n argocd-e2e -f - && \
-          kubectl rollout status deployment -n argocd-e2e argocd-application-controller && kubectl rollout status deployment -n argocd-e2e argocd-server && \
-          git config --global user.email \"test@example.com\" && \
-          export ARGOCD_SERVER=$(kubectl get service argocd-server -o=jsonpath={.spec.clusterIP} -n argocd-e2e):443 && make test-e2e"
-      ]
-      workingDir: /go/src/github.com/argoproj/argo-cd
-      env:
-        - name: USER
-          value: argocd
-        - name: DOCKER_HOST
-          value: 127.0.0.1
-        - name: DOCKER_BUILDKIT
-          value: "1"
-        - name: KUBECONFIG
-          value: /etc/rancher/k3s/k3s.yaml
-      volumeMounts:
-        - name: tmp
-          mountPath: /tmp
-        - name: k3setc
-          mountPath: /etc/rancher/k3s
-        - name: k3svar
-          mountPath: /var/lib/rancher/k3s
-    sidecars:
-      - name: dind
-        image: docker:18.09-dind
-        securityContext:
-          privileged: true
-        resources:
-          requests:
-            memory: 2048Mi
-            cpu: 500m
-        mirrorVolumeMounts: true
-
-      # Steps waits for file /var/lib/rancher/k3s/ready which indicates that all required images are ready, then starts the cluster.
-      - name: k3s
-        image: rancher/k3s:v0.3.0-rc1
-        imagePullPolicy: Always
-        command: [sh, -c]
-        args: ["until ls /var/lib/rancher/k3s/ready; do sleep 3; done && k3s server || true"]
-        securityContext:
-          privileged: true
-        volumeMounts:
-          - name: tmp
-            mountPath: /tmp
-          - name: k3setc
-            mountPath: /etc/rancher/k3s
-          - name: k3svar
-            mountPath: /var/lib/rancher/k3s
-
-  - name: ci-builder
-    inputs:
-      parameters:
-      - name: cmd
-      artifacts:
-      - name: code
-        path: /go/src/github.com/argoproj/argo-cd
-        git:
-          repo: "{{workflow.parameters.repo}}"
-          revision: "{{workflow.parameters.revision}}"
-    container:
-      image: argoproj/argo-cd-ci-builder:v0.13.1
-      imagePullPolicy: Always
-      command: [bash, -c]
-      args: ["{{inputs.parameters.cmd}}"]
-      workingDir: /go/src/github.com/argoproj/argo-cd
-      env:
-      - name: CODECOV_TOKEN
-        valueFrom:
-          secretKeyRef:
-            name: codecov-token
-            key: codecov-token
-      resources:
-        requests:
-          memory: 1024Mi
-          cpu: 200m
-    archiveLocation:
-      archiveLogs: true
-
-  - name: ci-dind
-    inputs:
-      parameters:
-      - name: cmd
-      artifacts:
-      - name: code
-        path: /go/src/github.com/argoproj/argo-cd
-        git:
-          repo: "{{workflow.parameters.repo}}"
-          revision: "{{workflow.parameters.revision}}"
-    container:
-      image: argoproj/argo-cd-ci-builder:v0.13.1
-      imagePullPolicy: Always
-      command: [sh, -c]
-      args: ["until docker ps; do sleep 3; done && {{inputs.parameters.cmd}}"]
-      workingDir: /go/src/github.com/argoproj/argo-cd
-      env:
-      - name: DOCKER_HOST
-        value: 127.0.0.1
-      - name: DOCKER_BUILDKIT
-        value: "1"
-      resources:
-        requests:
-          memory: 1024Mi
-          cpu: 200m
-    sidecars:
-    - name: dind
-      image: docker:18.09-dind
-      securityContext:
-        privileged: true
-      mirrorVolumeMounts: true
-    archiveLocation:
-      archiveLogs: true

.circleci/config.yml

@@ -20,36 +20,12 @@ commands:
             git config --global user.name "Your Name"
             echo "export PATH=/home/circleci/.go_workspace/src/github.com/argoproj/argo-cd/hack:\$PATH" | tee -a $BASH_ENV
             echo "export GIT_ASKPASS=git-ask-pass.sh" | tee -a $BASH_ENV
-      - run:
-          name: Make sure we can clone out the test private repo
-          command: |
-            set -x
-              export GIT_USERNAME=blah
-              export GIT_PASSWORD=B5sBDeoqAVUouoHkrovy
-              git-ask-pass.sh Username
-              git-ask-pass.sh Password
-              git clone https://gitlab.com/argo-cd-test/test-apps.git /tmp/test-apps
   clean_checkout:
     steps:
       - run:
           name: Remove checked out code
           command: rm -Rf /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
       - checkout
-  install_go_deps:
-    steps:
-      - run:
-          name: Install Go deps
-          command: |
-            set -x
-            go get github.com/gobuffalo/packr/packr
-            go get github.com/gogo/protobuf/gogoproto
-            go get github.com/golang/protobuf/protoc-gen-go
-            go get github.com/golangci/golangci-lint/cmd/golangci-lint
-            go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
-            go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger
-            go get github.com/jstemmer/go-junit-report
-            go get github.com/mattn/goreman
-            go get golang.org/x/tools/cmd/goimports
   dep_ensure:
     steps:
       - restore_cache:
@@ -65,12 +41,12 @@ commands:
   install_golang:
     steps:
       - run:
-          name: Install Golang v1.11.4
+          name: Install Golang v1.12.6
           command: |
-            go get golang.org/dl/go1.11.4
-            [ -e /home/circleci/sdk/go1.11.4 ] || go1.11.4 download
+            go get golang.org/dl/go1.12.6
+            [ -e /home/circleci/sdk/go1.12.6 ] || go1.12.6 download
             echo "export GOPATH=/home/circleci/.go_workspace" | tee -a $BASH_ENV
-            echo "export PATH=/home/circleci/sdk/go1.11.4/bin:\$PATH" | tee -a $BASH_ENV
+            echo "export PATH=/home/circleci/sdk/go1.12.6/bin:\$PATH" | tee -a $BASH_ENV
       - run:
           name: Golang diagnostics
           command: |
@@ -78,6 +54,14 @@ commands:
             which go
             go version
             go env
+  install_go_deps:
+    steps:
+      - run:
+          name: Install Go deps
+          command: |
+            set -x
+            go get github.com/jstemmer/go-junit-report
+            go get github.com/mattn/goreman
   install_tools:
     steps:
       - run:
@@ -85,16 +69,14 @@ commands:
           command: mkdir -p /tmp/dl
       - restore_cache:
           keys:
-            - dl-v4
-            - dl-v3
+            - dl-v7
       - run:
-          name: Install JQ v1.6
+          name: Install Kubectl v1.14.0
           command: |
             set -x
-            [ -e /tmp/dl/jq ] || curl -sLf -C - -o /tmp/dl/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
-            sudo cp /tmp/dl/jq /usr/local/bin/jq
-            sudo chmod +x /usr/local/bin/jq
-            jq --version
+            [ -e /tmp/dl/kubectl ] || curl -sLf -C - -o /tmp/dl/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.14.0/bin/linux/amd64/kubectl
+            sudo cp /tmp/dl/kubectl /usr/local/bin/kubectl
+            sudo chmod +x /usr/local/bin/kubectl
       - run:
           name: Install Kubectx v0.6.3
           command: |
@@ -114,14 +96,6 @@ commands:
             sudo cp /tmp/dl/dep /usr/local/go/bin/dep
             sudo chmod +x /usr/local/go/bin/dep
             dep version
-      - run:
-          name: Install Go Swagger v0.19.0
-          command: |
-            set -x
-            [ -e /tmp/dl/swagger ] || curl -sLf -C - -o /tmp/dl/swagger https://github.com/go-swagger/go-swagger/releases/download/v0.19.0/swagger_linux_amd64
-            sudo cp /tmp/dl/swagger /usr/local/bin/swagger
-            sudo chmod +x /usr/local/bin/swagger
-            swagger version
       - run:
           name: Install Ksonnet v0.13.1
           command: |
@@ -141,48 +115,34 @@ commands:
             helm version --client
             helm init --client-only
       - run:
-          name: Install Kustomize v1.0.11
+          name: Install Kustomize v3.1.0
           command: |
             set -x
-            [ -e /tmp/dl/kustomize1 ] || curl -sLf -C - -o /tmp/dl/kustomize1 https://github.com/kubernetes-sigs/kustomize/releases/download/v1.0.11/kustomize_1.0.11_linux_amd64
-            sudo cp /tmp/dl/kustomize1 /usr/local/go/bin/
-            sudo chmod +x /usr/local/go/bin/kustomize1
-            kustomize1 version
-      - run:
-          name: Install Kustomize v2.0.3
-          command: |
-            set -x
-            [ -e /tmp/dl/kustomize ] || curl -sLf -C - -o /tmp/dl/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v2.0.3/kustomize_2.0.3_linux_amd64
-            sudo cp /tmp/dl/kustomize /usr/local/go/bin/
+            export VER=3.1.0
+            [ -e /tmp/dl/kustomize_${VER} ] || curl -sLf -C - -o /tmp/dl/kustomize_${VER} https://github.com/kubernetes-sigs/kustomize/releases/download/v${VER}/kustomize_${VER}_linux_amd64
+            sudo cp /tmp/dl/kustomize_${VER} /usr/local/go/bin/kustomize
             sudo chmod +x /usr/local/go/bin/kustomize
             kustomize version
-      - run:
-          name: Install Protobuf compiler v3.7.1
-          command: |
-            set -x
-            [ -e /tmp/dl/protoc.zip ] || curl -sLf -C - -o /tmp/dl/protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v3.7.1/protoc-3.7.1-linux-x86_64.zip
-            sudo unzip /tmp/dl/protoc.zip bin/protoc -d /usr/local/
-            sudo chmod +x /usr/local/bin/protoc
-            sudo unzip /tmp/dl/protoc.zip include/* -d /usr/local/
-            protoc --version
       - save_cache:
-          key: dl-v4
+          key: dl-v7
           paths:
             - /tmp/dl
   save_go_cache:
     steps:
       - save_cache:
-          key: go-v15-{{ .Branch }}
+          key: go-v17-{{ .Branch }}
           paths:
             - /home/circleci/.go_workspace
             - /home/circleci/.cache/go-build
-            - /home/circleci/sdk/go1.11.4
+            - /home/circleci/sdk/go1.12.6
   restore_go_cache:
     steps:
       - restore_cache:
           keys:
-            - go-v15-{{ .Branch }}
-            - go-v15-master
+            - go-v17-{{ .Branch }}
+            - go-v17-master
+            - go-v16-{{ .Branch }}
+            - go-v16-master
 jobs:
   build:
     working_directory: /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
@@ -212,7 +172,7 @@ jobs:
           name: Lint code
           # use GOGC to limit memory usage in exchange for CPU usage, https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
           # we have 8GB RAM, 2CPUs https://circleci.com/docs/2.0/executor-types/#using-machine
-          command: LINT_GOGC=50 LINT_CONCURRENCY=2 make lint
+          command: LINT_GOGC=20 LINT_CONCURRENCY=1 LINT_DEADLINE=3m0s make lint
       - run:
           name: Check nothing has changed
           command: |
@@ -221,7 +181,7 @@ jobs:
             # We exclude the Swagger resources; CircleCI doesn't generate them correctly.
             # When this fails, it will, create a patch file you can apply locally to fix it.
             # To troubleshoot builds: https://argoproj.github.io/argo-cd/developer-guide/ci/
-            git diff --exit-code -- . ':!Gopkg.lock' ':!assets/swagger.json' ':!pkg/apis/api-rules/violation_exceptions.list' ':!pkg/apis/application/v1alpha1/openapi_generated.go' | tee codegen.patch
+            git diff --exit-code -- . ':!Gopkg.lock'  ':!assets/swagger.json' | tee codegen.patch
       - store_artifacts:
           path: codegen.patch
           when: always
@@ -253,14 +213,13 @@ jobs:
           name: Create namespace
           command: |
             set -x
+            cat /etc/rancher/k3s/k3s.yaml | sed "s/localhost/`hostname`/" | tee ~/.kube/config
+            echo "127.0.0.1 `hostname`" | sudo tee -a /etc/hosts
             kubectl create ns argocd-e2e
             kubens argocd-e2e
             # install the certificates (not 100% sure we need this)
             sudo cp /var/lib/rancher/k3s/server/tls/token-ca.crt /usr/local/share/ca-certificates/k3s.crt
             sudo update-ca-certificates
-            # create the kubecfg, again - not sure we need this
-            cat /etc/rancher/k3s/k3s.yaml | sed "s/localhost/`hostname`/" | tee ~/.kube/config
-            echo "127.0.0.1 `hostname`" | sudo tee -a /etc/hosts
       - run:
           name: Apply manifests
           command: kustomize build test/manifests/base | kubectl apply -f -
@@ -275,12 +234,21 @@ jobs:
           environment:
             # pft. if you do not quote "true", CircleCI turns it into "1", stoopid
             ARGOCD_FAKE_IN_CLUSTER: "true"
+            ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
+            ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
       - run:
           name: Start API server
           command: go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:6379 --insecure --dex-server http://localhost:5556 --repo-server localhost:8081 --staticassets ../argo-cd-ui/dist/app
           background: true
           environment:
             ARGOCD_FAKE_IN_CLUSTER: "true"
+            ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
+            ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
+      - run:
+          name: Start Test Git
+          command: |
+            test/fixture/testrepos/start-git.sh
+          background: true
       - run:
           name: Wait for API server
           command: |
@@ -309,6 +277,8 @@ jobs:
             make test-e2e | tee /tmp/test-results/go-e2e.out
           environment:
             ARGOCD_OPTS: "--server localhost:8080 --plaintext"
+            ARGOCD_E2E_EXPECT_TIMEOUT: "30"
+            ARGOCD_E2E_K3S: "true"
       - store_test_results:
           path: /tmp/test-results
   ui:
@@ -339,6 +309,9 @@ jobs:
       # This does not appear to work, and I don't want to spend time on it.
       - store_test_results:
           path: junit.xml
+      - run:
+          name: Build
+          command: yarn build
       - run:
           name: Lint
           command: yarn lint

.codecov.yml

@@ -7,10 +7,11 @@ ignore:
 - "test/.*"
 coverage:
   status:
-    # allow test coverage to drop by 0.1%, assume that it's typically due to CI problems
+    # allow test coverage to drop by 1%, assume that it's typically due to CI problems
     patch:
       default:
-        threshold: 0.1
+        enabled: no
+        if_not_found: success
     project:
       default:
-        threshold: 0.1
+        threshold: 1

.github/stale.yml

@@ -1 +1,4 @@
 # See https://github.com/probot/stale
+# See https://github.com/probot/stale
+exemptLabels:
+  - backlog

.golangci.yml

@@ -19,3 +19,4 @@ linters:
     - ineffassign
     - unconvert
     - misspell
+    - unparam

CHANGELOG.md

@@ -1,5 +1,102 @@
 # Changelog
 
+## v1.1.2 (2019-07-30)
+- 'argocd app wait' should print correct sync status (#2049)
+- Check that TLS is enabled when registering DEX Handlers (#2047)
+- Do not ignore Argo hooks when there is a Helm hook. (#1952)
+
+## v1.1.1 (2019-07-25)
++ Support 'override' action in UI/API (#1984)
+- Fix argocd app wait message (#1982)
+
+## v1.1.0 (2019-07-24)
+
+### New Features
+
+#### Sync Waves
+
+Sync waves feature allows executing a sync operation in a number of steps or waves. Within each synchronization phase (pre-sync, sync, post-sync) you can have one or more waves,
+than allows you to ensure certain resources are healthy before subsequent resources are synced.
+
+#### Optimized Interaction With Git
+
+Argo CD needs to execute `git fetch` operation to access application manifests and `git ls-remote` to resolve ambiguous git revision. The `git ls-remote` is executed very frequently
+and although the operation is very lightweight it adds unnecessary load on Git server and might cause performance issues. In v1.1 release, the application reconciliation process was
+optimized which significantly reduced the number of Git requests. With v1.1 release, Argo CD should send 3x ~ 5x fewer Git requests.
+
+#### User Defined Application Metadata
+
+User-defined Application metadata enables the user to define a list of useful URLs for their specific application and expose those links on the UI
+(e.g. reference tp a CI pipeline or an application-specific management tool). These links should provide helpful shortcuts that make easier to integrate Argo CD into existing
+systems by making it easier to find other components inside and outside Argo CD.
+
+### Deprecation Notice
+
+* Kustomize v1.0 is deprecated and support will be removed in the Argo CD v1.2 release.
+
+#### Enhancements
+
+- Sync waves [#1544](https://github.com/argoproj/argo-cd/issues/1544)
+- Adds Prune=false and IgnoreExtraneous options [#1629](https://github.com/argoproj/argo-cd/issues/1629)
+- Forward Git credentials to config management plugins [#1628](https://github.com/argoproj/argo-cd/issues/1628)
+- Improve Kustomize 2 parameters UI [#1609](https://github.com/argoproj/argo-cd/issues/1609)
+- Adds `argocd logout` [#1210](https://github.com/argoproj/argo-cd/issues/1210)
+- Make it possible to set Helm release name different from Argo CD app name.  [#1066](https://github.com/argoproj/argo-cd/issues/1066)
+- Add ability to specify system namespace during cluster add operation [#1661](https://github.com/argoproj/argo-cd/pull/1661) 
+- Make listener and metrics ports configurable [#1647](https://github.com/argoproj/argo-cd/pull/1647) 
+- Using SSH keys to authenticate kustomize bases from git [#827](https://github.com/argoproj/argo-cd/issues/827)
+- Adds `argocd app sync APPNAME --async` [#1728](https://github.com/argoproj/argo-cd/issues/1728)
+- Allow users to define app specific urls to expose in the UI [#1677](https://github.com/argoproj/argo-cd/issues/1677)
+- Error view instead of blank page in UI [#1375](https://github.com/argoproj/argo-cd/issues/1375)
+- Project Editor: Whitelisted Cluster Resources doesn't strip whitespace [#1693](https://github.com/argoproj/argo-cd/issues/1693)
+- Eliminate unnecessary git interactions for top-level resource changes (#1919)
+- Ability to rotate the bearer token used to manage external clusters (#1084)
+
+#### Bug Fixes
+
+- Project Editor: Whitelisted Cluster Resources doesn't strip whitespace [#1693](https://github.com/argoproj/argo-cd/issues/1693)
+- \[ui small bug\] menu position outside block [#1711](https://github.com/argoproj/argo-cd/issues/1711)
+- UI will crash when create application without destination namespace [#1701](https://github.com/argoproj/argo-cd/issues/1701)
+- ArgoCD synchronization failed due to internal error [#1697](https://github.com/argoproj/argo-cd/issues/1697)
+- Replicasets ordering is not stable on app tree view [#1668](https://github.com/argoproj/argo-cd/issues/1668)
+- Stuck processor on App Controller after deleting application with incomplete operation [#1665](https://github.com/argoproj/argo-cd/issues/1665)
+- Role edit page fails with JS error [#1662](https://github.com/argoproj/argo-cd/issues/1662)
+- failed parsing on parameters with comma [#1660](https://github.com/argoproj/argo-cd/issues/1660)
+- Handle nil obj when processing custom actions [#1700](https://github.com/argoproj/argo-cd/pull/1700)
+- Account for missing fields in Rollout HealthStatus [#1699](https://github.com/argoproj/argo-cd/pull/1699) 
+- Sync operation unnecessary waits for a healthy state of all resources [#1715](https://github.com/argoproj/argo-cd/issues/1715)
+- failed parsing on parameters with comma [#1660](https://github.com/argoproj/argo-cd/issues/1660)
+- argocd app sync hangs when cluster is not configured (#1935)
+- Do not allow app-of-app child app's Missing status to affect parent (#1954)
+- Argo CD don't handle well k8s objects which size exceeds 1mb (#1685)
+- Secret data not redacted in last-applied-configuration (#897)
+- Running app actions requires only read privileges (#1827)
+- UI should allow editing repo URL (#1763)
+- Make status fields as optional fields (#1779)
+- Use correct healthcheck for Rollout with empty steps list (#1776)
+
+#### Other
+
+- Add Prometheus metrics for git repo interactions (#1912)
+- App controller should log additional information during app syncing (#1909)
+- Make sure api server to repo server grpc calls have timeout (#1820)
+- Forked tool processes should timeout (#1821)
+- Add health check to the controller deployment (#1785)
+
+#### Contributors
+
+* [Aditya Gupta](https://github.com/AdityaGupta1)
+* [Alex Collins](https://github.com/alexec)
+* [Alex Matyushentsev](https://github.com/alexmt)
+* [Danny Thomson](https://github.com/dthomson25)
+* [jannfis](https://github.com/jannfis)
+* [Jesse Suen](https://github.com/jessesuen)
+* [Liviu Costea](https://github.com/lcostea)
+* [narg95](https://github.com/narg95)
+* [Simon Behar](https://github.com/simster7)
+
+See also [milestone v1.1](https://github.com/argoproj/argo-cd/milestone/13)
+
 ## v1.0.0 (2019-05-16)
 
 ### New Features

Dockerfile

@@ -4,10 +4,16 @@ ARG BASE_IMAGE=debian:9.5-slim
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM golang:1.11.4 as builder
+FROM golang:1.12.6 as builder
+
+RUN echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list
 
 RUN apt-get update && apt-get install -y \
+    openssh-server \
+    nginx \
+    fcgiwrap \
     git \
+    git-lfs \
     make \
     wget \
     gcc \
@@ -17,24 +23,11 @@ RUN apt-get update && apt-get install -y \
 
 WORKDIR /tmp
 
-# Install docker
-ENV DOCKER_CHANNEL stable
-ENV DOCKER_VERSION 18.09.1
-RUN wget -O docker.tgz "https://download.docker.com/linux/static/${DOCKER_CHANNEL}/x86_64/docker-${DOCKER_VERSION}.tgz" && \
-    tar --extract --file docker.tgz --strip-components 1 --directory /usr/local/bin/ && \
-    rm docker.tgz
-
 # Install dep
 ENV DEP_VERSION=0.5.0
 RUN wget https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 -O /usr/local/bin/dep && \
     chmod +x /usr/local/bin/dep
 
-# Install gometalinter
-ENV GOMETALINTER_VERSION=2.0.12
-RUN curl -sLo- https://github.com/alecthomas/gometalinter/releases/download/v${GOMETALINTER_VERSION}/gometalinter-${GOMETALINTER_VERSION}-linux-amd64.tar.gz | \
-    tar -xzC "$GOPATH/bin" --exclude COPYING --exclude README.md --strip-components 1 -f- && \
-    ln -s $GOPATH/bin/gometalinter $GOPATH/bin/gometalinter.v2
-
 # Install packr
 ENV PACKR_VERSION=1.21.9
 RUN wget https://github.com/gobuffalo/packr/releases/download/v${PACKR_VERSION}/packr_${PACKR_VERSION}_linux_amd64.tar.gz && \
@@ -62,14 +55,7 @@ RUN wget https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-li
     mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
     helm version --client
 
-# Install kustomize
-ENV KUSTOMIZE1_VERSION=1.0.11
-RUN curl -L -o /usr/local/bin/kustomize1 https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE1_VERSION}/kustomize_${KUSTOMIZE1_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/kustomize1 && \
-    kustomize1 version
-
-
-ENV KUSTOMIZE_VERSION=2.0.3
+ENV KUSTOMIZE_VERSION=3.1.0
 RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
     chmod +x /usr/local/bin/kustomize && \
     kustomize version
@@ -79,52 +65,64 @@ ENV AWS_IAM_AUTHENTICATOR_VERSION=0.4.0-alpha.1
 RUN curl -L -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/${AWS_IAM_AUTHENTICATOR_VERSION}/aws-iam-authenticator_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64 && \
     chmod +x /usr/local/bin/aws-iam-authenticator
 
-# Install golangci-lint
-RUN wget https://install.goreleaser.com/github.com/golangci/golangci-lint.sh  && \
-    chmod +x ./golangci-lint.sh && \
-    ./golangci-lint.sh -b $GOPATH/bin && \
-    golangci-lint linters
-
-COPY .golangci.yml ${GOPATH}/src/dummy/.golangci.yml
-
-RUN cd ${GOPATH}/src/dummy && \
-    touch dummy.go \
-    golangci-lint run
-
 ####################################################################################################
 # Argo CD Base - used as the base for both the release and dev argocd images
 ####################################################################################################
 FROM $BASE_IMAGE as argocd-base
 
+USER root
+
+RUN echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list
+
 RUN groupadd -g 999 argocd && \
     useradd -r -u 999 -g argocd argocd && \
     mkdir -p /home/argocd && \
     chown argocd:argocd /home/argocd && \
     apt-get update && \
-    apt-get install -y git && \
+    apt-get install -y git git-lfs && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-COPY hack/ssh_known_hosts /etc/ssh/ssh_known_hosts
 COPY hack/git-ask-pass.sh /usr/local/bin/git-ask-pass.sh
 COPY --from=builder /usr/local/bin/ks /usr/local/bin/ks
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/kubectl
-COPY --from=builder /usr/local/bin/kustomize1 /usr/local/bin/kustomize1
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
 COPY --from=builder /usr/local/bin/aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
 
+# support for mounting configuration from a configmap
+RUN mkdir -p /app/config/ssh && \
+    touch /app/config/ssh/ssh_known_hosts && \
+    ln -s /app/config/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts 
+
+RUN mkdir -p /app/config/tls
+
 # workaround ksonnet issue https://github.com/ksonnet/ksonnet/issues/298
 ENV USER=argocd
 
 USER argocd
 WORKDIR /home/argocd
 
+####################################################################################################
+# Argo CD UI stage
+####################################################################################################
+FROM node:11.15.0 as argocd-ui
+
+WORKDIR /src
+ADD ["ui/package.json", "ui/yarn.lock", "./"]
+
+RUN yarn install
+
+ADD ["ui/", "."]
+
+ARG ARGO_VERSION=latest
+ENV ARGO_VERSION=$ARGO_VERSION
+RUN NODE_ENV='production' yarn build
 
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM golang:1.11.4 as argocd-build
+FROM golang:1.12.6 as argocd-build
 
 COPY --from=builder /usr/local/bin/dep /usr/local/bin/dep
 COPY --from=builder /usr/local/bin/packr /usr/local/bin/packr
@@ -151,3 +149,5 @@ RUN make cli server controller repo-server argocd-util && \
 ####################################################################################################
 FROM argocd-base
 COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/local/bin/
+COPY --from=argocd-ui ./src/dist/app /shared/app
+

Gopkg.lock

@@ -48,14 +48,6 @@
   pruneopts = ""
   revision = "09c41003ee1d5015b75f331e52215512e7145b8d"
 
-[[projects]]
-  branch = "master"
-  digest = "1:0cac9c70f3308d54ed601878aa66423eb95c374616fdd7d2ea4e2d18b045ae62"
-  name = "github.com/ant31/crd-validation"
-  packages = ["pkg"]
-  pruneopts = ""
-  revision = "38f6a293f140402953f884b015014e0cd519bbb3"
-
 [[projects]]
   branch = "master"
   digest = "1:0caf9208419fa5db5a0ca7112affaa9550c54291dda8e2abac0c0e76181c959e"
@@ -70,14 +62,16 @@
 
 [[projects]]
   branch = "master"
-  digest = "1:e8ec0abbf32fdcc9f7eb14c0656c1d0fc2fc7ec8f60dff4b7ac080c50afd8e49"
+  digest = "1:4f6afcf4ebe041b3d4aa7926d09344b48d2f588e1f957526bbbe54f9cbb366a1"
   name = "github.com/argoproj/pkg"
   packages = [
+    "errors",
     "exec",
+    "rand",
     "time",
   ]
   pruneopts = ""
-  revision = "88ab0e836a8e8c70bc297c5764669bd7da27afd1"
+  revision = "38dba6e98495680ff1f8225642b63db10a96bb06"
 
 [[projects]]
   digest = "1:d8a2bb36a048d1571bcc1aee208b61f39dc16c6c53823feffd37449dde162507"
@@ -95,6 +89,14 @@
   pruneopts = ""
   revision = "3a771d992973f24aa725d07868b467d1ddfceafb"
 
+[[projects]]
+  digest = "1:a6ee710e45210bafe11f2f28963571be2ac8809f9a7b675a6d2c02302a1ce1a9"
+  name = "github.com/bouk/monkey"
+  packages = ["."]
+  pruneopts = ""
+  revision = "5df1f207ff77e025801505ae4d903133a0b4353f"
+  version = "v1.0.0"
+
 [[projects]]
   digest = "1:e04162bd6a6d4950541bae744c968108e14913b1cebccf29f7650b573f44adb3"
   name = "github.com/casbin/casbin"
@@ -349,6 +351,14 @@
   revision = "5ccd90ef52e1e632236f7326478d4faa74f99438"
   version = "v0.2.3"
 
+[[projects]]
+  branch = "master"
+  digest = "1:9a06e7365c6039daf4db9bbf79650e2933a2880982cbab8106cb74a36617f40d"
+  name = "github.com/gogits/go-gogs-client"
+  packages = ["."]
+  pruneopts = ""
+  revision = "5a05380e4bc2440e0ec12f54f6f45648dbdd5e55"
+
 [[projects]]
   digest = "1:6e73003ecd35f4487a5e88270d3ca0a81bc80dc88053ac7e4dcfec5fba30d918"
   name = "github.com/gogo/protobuf"
@@ -417,14 +427,6 @@
   revision = "aa810b61a9c79d51363740d207bb46cf8e620ed5"
   version = "v1.2.0"
 
-[[projects]]
-  branch = "master"
-  digest = "1:1e5b1e14524ed08301977b7b8e10c719ed853cbf3f24ecb66fae783a46f207a6"
-  name = "github.com/google/btree"
-  packages = ["."]
-  pruneopts = ""
-  revision = "4030bb1f1f0c35b30ca7009e9ebd06849dd45306"
-
 [[projects]]
   digest = "1:14d826ee25139b4674e9768ac287a135f4e7c14e1134a5b15e4e152edfd49f41"
   name = "github.com/google/go-jsonnet"
@@ -472,17 +474,6 @@
   revision = "66b9c49e59c6c48f0ffce28c2d8b8a5678502c6d"
   version = "v1.4.0"
 
-[[projects]]
-  branch = "master"
-  digest = "1:009a1928b8c096338b68b5822d838a72b4d8520715c1463614476359f3282ec8"
-  name = "github.com/gregjones/httpcache"
-  packages = [
-    ".",
-    "diskcache",
-  ]
-  pruneopts = ""
-  revision = "9cad4c3443a7200dd6400aef47183728de563a38"
-
 [[projects]]
   branch = "master"
   digest = "1:9dca8c981b8aed7448d94e78bc68a76784867a38b3036d5aabc0b32d92ffd1f4"
@@ -680,22 +671,6 @@
   revision = "c37440a7cf42ac63b919c752ca73a85067e05992"
   version = "v0.2.0"
 
-[[projects]]
-  branch = "master"
-  digest = "1:c24598ffeadd2762552269271b3b1510df2d83ee6696c1e543a0ff653af494bc"
-  name = "github.com/petar/GoLLRB"
-  packages = ["llrb"]
-  pruneopts = ""
-  revision = "53be0d36a84c2a886ca057d34b6aa4468df9ccb4"
-
-[[projects]]
-  digest = "1:b46305723171710475f2dd37547edd57b67b9de9f2a6267cafdd98331fd6897f"
-  name = "github.com/peterbourgon/diskv"
-  packages = ["."]
-  pruneopts = ""
-  revision = "5f041e8faa004a95c88a202771f4cc3e991971e6"
-  version = "v2.0.1"
-
 [[projects]]
   digest = "1:7365acd48986e205ccb8652cc746f09c8b7876030d53710ea6ef7d0bd0dcd7ca"
   name = "github.com/pkg/errors"
@@ -786,7 +761,10 @@
 [[projects]]
   digest = "1:01d968ff6535945510c944983eee024e81f1c949043e9bbfe5ab206ebc3588a4"
   name = "github.com/sirupsen/logrus"
-  packages = ["."]
+  packages = [
+    ".",
+    "hooks/test",
+  ]
   pruneopts = ""
   revision = "a67f783a3814b8729bd2dac5780b5f78f8dbd64d"
   version = "v1.1.0"
@@ -808,19 +786,19 @@
   version = "v0.1.4"
 
 [[projects]]
-  digest = "1:2208a80fc3259291e43b30f42f844d18f4218036dff510f42c653ec9890d460a"
+  digest = "1:9ba49264cef4386aded205f9cb5b1f2d30f983d7dc37a21c780d9db3edfac9a7"
   name = "github.com/spf13/cobra"
   packages = ["."]
   pruneopts = ""
-  revision = "7b2c5ac9fc04fc5efafb60700713d4fa609b777b"
-  version = "v0.0.1"
+  revision = "fe5e611709b0c57fa4a89136deaa8e1d4004d053"
 
 [[projects]]
-  digest = "1:261bc565833ef4f02121450d74eb88d5ae4bd74bfe5d0e862cddb8550ec35000"
+  digest = "1:8e243c568f36b09031ec18dff5f7d2769dcf5ca4d624ea511c8e3197dc3d352d"
   name = "github.com/spf13/pflag"
   packages = ["."]
   pruneopts = ""
-  revision = "e57e3eeb33f795204c1ca35f56c44f83227c6e66"
+  revision = "583c0c0531f06d5278b7d917446061adc344b5cd"
+  version = "v1.0.1"
 
 [[projects]]
   digest = "1:b1861b9a1aa0801b0b62945ed7477c1ab61a4bd03b55dfbc27f6d4f378110c8c"
@@ -1033,6 +1011,39 @@
   pruneopts = ""
   revision = "5e776fee60db37e560cee3fb46db699d2f095386"
 
+[[projects]]
+  branch = "master"
+  digest = "1:e9e4b928898842a138bc345d42aae33741baa6d64f3ca69b0931f9c7a4fd0437"
+  name = "gonum.org/v1/gonum"
+  packages = [
+    "blas",
+    "blas/blas64",
+    "blas/cblas128",
+    "blas/gonum",
+    "floats",
+    "graph",
+    "graph/internal/linear",
+    "graph/internal/ordered",
+    "graph/internal/set",
+    "graph/internal/uid",
+    "graph/iterator",
+    "graph/simple",
+    "graph/topo",
+    "graph/traverse",
+    "internal/asm/c128",
+    "internal/asm/c64",
+    "internal/asm/f32",
+    "internal/asm/f64",
+    "internal/cmplx64",
+    "internal/math32",
+    "lapack",
+    "lapack/gonum",
+    "lapack/lapack64",
+    "mat",
+  ]
+  pruneopts = ""
+  revision = "90b7154515874cee6c33cf56b29e257403a09a69"
+
 [[projects]]
   digest = "1:934fb8966f303ede63aa405e2c8d7f0a427a05ea8df335dfdc1833dd4d40756f"
   name = "google.golang.org/appengine"
@@ -1102,17 +1113,18 @@
   version = "v1.15.0"
 
 [[projects]]
-  digest = "1:bf7444e1e6a36e633f4f1624a67b9e4734cfb879c27ac0a2082ac16aff8462ac"
-  name = "gopkg.in/go-playground/webhooks.v3"
+  digest = "1:adf5b0ae3467c3182757ecb86fbfe819939473bb870a42789dc1a3e7729397cd"
+  name = "gopkg.in/go-playground/webhooks.v5"
   packages = [
-    ".",
     "bitbucket",
+    "bitbucket-server",
     "github",
     "gitlab",
+    "gogs",
   ]
   pruneopts = ""
-  revision = "5580947e3ec83427ef5f6f2392eddca8dde5d99a"
-  version = "v3.11.0"
+  revision = "175186584584a83966dc9a7b8ec6c3d3a4ce6110"
+  version = "v5.11.0"
 
 [[projects]]
   digest = "1:e5d1fb981765b6f7513f793a3fcaac7158408cca77f75f7311ac82cc88e9c445"
@@ -1225,16 +1237,16 @@
   version = "v2.2.2"
 
 [[projects]]
-  branch = "release-1.12"
-  digest = "1:3e3e9df293bd6f9fd64effc9fa1f0edcd97e6c74145cd9ab05d35719004dc41f"
+  branch = "release-1.14"
+  digest = "1:d8a6f1ec98713e685346a2e4b46c6ec4a1792a5535f8b0dffe3b1c08c9d69b12"
   name = "k8s.io/api"
   packages = [
     "admission/v1beta1",
-    "admissionregistration/v1alpha1",
     "admissionregistration/v1beta1",
     "apps/v1",
     "apps/v1beta1",
     "apps/v1beta2",
+    "auditregistration/v1alpha1",
     "authentication/v1",
     "authentication/v1beta1",
     "authorization/v1",
@@ -1246,16 +1258,21 @@
     "batch/v1beta1",
     "batch/v2alpha1",
     "certificates/v1beta1",
+    "coordination/v1",
     "coordination/v1beta1",
     "core/v1",
     "events/v1beta1",
     "extensions/v1beta1",
     "imagepolicy/v1alpha1",
     "networking/v1",
+    "networking/v1beta1",
+    "node/v1alpha1",
+    "node/v1beta1",
     "policy/v1beta1",
     "rbac/v1",
     "rbac/v1alpha1",
     "rbac/v1beta1",
+    "scheduling/v1",
     "scheduling/v1alpha1",
     "scheduling/v1beta1",
     "settings/v1alpha1",
@@ -1264,7 +1281,7 @@
     "storage/v1beta1",
   ]
   pruneopts = ""
-  revision = "6db15a15d2d3874a6c3ddb2140ac9f3bc7058428"
+  revision = "40a48860b5abbba9aa891b02b32da429b08d96a0"
 
 [[projects]]
   branch = "master"
@@ -1273,14 +1290,16 @@
   packages = [
     "pkg/apis/apiextensions",
     "pkg/apis/apiextensions/v1beta1",
-    "pkg/features",
+    "pkg/client/clientset/clientset",
+    "pkg/client/clientset/clientset/scheme",
+    "pkg/client/clientset/clientset/typed/apiextensions/v1beta1",
   ]
   pruneopts = ""
   revision = "7f7d2b94eca3a7a1c49840e119a8bc03c3afb1e3"
 
 [[projects]]
-  branch = "release-1.12"
-  digest = "1:5899da40e41bcc8c1df101b72954096bba9d85b763bc17efc846062ccc111c7b"
+  branch = "release-1.14"
+  digest = "1:a802c91b189a31200cfb66744441fe62dac961ec7c5c58c47716570de7da195c"
   name = "k8s.io/apimachinery"
   packages = [
     "pkg/api/equality",
@@ -1332,22 +1351,11 @@
     "third_party/forked/golang/reflect",
   ]
   pruneopts = ""
-  revision = "f71dbbc36e126f5a371b85f6cca96bc8c57db2b6"
+  revision = "6a84e37a896db9780c75367af8d2ed2bb944022e"
 
 [[projects]]
-  branch = "release-1.12"
-  digest = "1:b2c55ff9df6d053e40094b943f949c257c3f7dcdbb035c11487c93c96df9eade"
-  name = "k8s.io/apiserver"
-  packages = [
-    "pkg/features",
-    "pkg/util/feature",
-  ]
-  pruneopts = ""
-  revision = "5e1c1f41ee34b3bb153f928f8c91c2a6dd9482a9"
-
-[[projects]]
-  branch = "release-9.0"
-  digest = "1:77bf3d9f18ec82e08ac6c4c7e2d9d1a2ef8d16b25d3ff72fcefcf9256d751573"
+  branch = "release-11.0"
+  digest = "1:794140b3ac07405646ea3d4a57e1f6155186e672aed8aa0c996779381cd92fe6"
   name = "k8s.io/client-go"
   packages = [
     "discovery",
@@ -1359,8 +1367,6 @@
     "kubernetes",
     "kubernetes/fake",
     "kubernetes/scheme",
-    "kubernetes/typed/admissionregistration/v1alpha1",
-    "kubernetes/typed/admissionregistration/v1alpha1/fake",
     "kubernetes/typed/admissionregistration/v1beta1",
     "kubernetes/typed/admissionregistration/v1beta1/fake",
     "kubernetes/typed/apps/v1",
@@ -1369,6 +1375,8 @@
     "kubernetes/typed/apps/v1beta1/fake",
     "kubernetes/typed/apps/v1beta2",
     "kubernetes/typed/apps/v1beta2/fake",
+    "kubernetes/typed/auditregistration/v1alpha1",
+    "kubernetes/typed/auditregistration/v1alpha1/fake",
     "kubernetes/typed/authentication/v1",
     "kubernetes/typed/authentication/v1/fake",
     "kubernetes/typed/authentication/v1beta1",
@@ -1391,6 +1399,8 @@
     "kubernetes/typed/batch/v2alpha1/fake",
     "kubernetes/typed/certificates/v1beta1",
     "kubernetes/typed/certificates/v1beta1/fake",
+    "kubernetes/typed/coordination/v1",
+    "kubernetes/typed/coordination/v1/fake",
     "kubernetes/typed/coordination/v1beta1",
     "kubernetes/typed/coordination/v1beta1/fake",
     "kubernetes/typed/core/v1",
@@ -1401,6 +1411,12 @@
     "kubernetes/typed/extensions/v1beta1/fake",
     "kubernetes/typed/networking/v1",
     "kubernetes/typed/networking/v1/fake",
+    "kubernetes/typed/networking/v1beta1",
+    "kubernetes/typed/networking/v1beta1/fake",
+    "kubernetes/typed/node/v1alpha1",
+    "kubernetes/typed/node/v1alpha1/fake",
+    "kubernetes/typed/node/v1beta1",
+    "kubernetes/typed/node/v1beta1/fake",
     "kubernetes/typed/policy/v1beta1",
     "kubernetes/typed/policy/v1beta1/fake",
     "kubernetes/typed/rbac/v1",
@@ -1409,6 +1425,8 @@
     "kubernetes/typed/rbac/v1alpha1/fake",
     "kubernetes/typed/rbac/v1beta1",
     "kubernetes/typed/rbac/v1beta1/fake",
+    "kubernetes/typed/scheduling/v1",
+    "kubernetes/typed/scheduling/v1/fake",
     "kubernetes/typed/scheduling/v1alpha1",
     "kubernetes/typed/scheduling/v1alpha1/fake",
     "kubernetes/typed/scheduling/v1beta1",
@@ -1445,23 +1463,22 @@
     "tools/remotecommand",
     "transport",
     "transport/spdy",
-    "util/buffer",
     "util/cert",
     "util/connrotation",
     "util/exec",
     "util/flowcontrol",
     "util/homedir",
-    "util/integer",
     "util/jsonpath",
+    "util/keyutil",
     "util/retry",
     "util/workqueue",
   ]
   pruneopts = ""
-  revision = "13596e875accbd333e0b5bd5fd9462185acd9958"
+  revision = "11646d1007e006f6f24995cb905c68bc62901c81"
 
 [[projects]]
-  branch = "release-1.12"
-  digest = "1:8108815d1aef9159daabdb3f0fcef04a88765536daf0c0cd29a31fdba135ee54"
+  branch = "release-1.14"
+  digest = "1:742ce70d2c6de0f02b5331a25d4d549f55de6b214af22044455fd6e6b451cad9"
   name = "k8s.io/code-generator"
   packages = [
     "cmd/go-to-protobuf",
@@ -1470,7 +1487,7 @@
     "third_party/forked/golang/reflect",
   ]
   pruneopts = ""
-  revision = "b1289fc74931d4b6b04bd1a259acfc88a2cb0a66"
+  revision = "50b561225d70b3eb79a1faafd3dfe7b1a62cbe73"
 
 [[projects]]
   branch = "master"
@@ -1488,15 +1505,27 @@
   revision = "e17681d19d3ac4837a019ece36c2a0ec31ffe985"
 
 [[projects]]
-  digest = "1:4f5eb833037cc0ba0bf8fe9cae6be9df62c19dd1c869415275c708daa8ccfda5"
+  digest = "1:9eaf86f4f6fb4a8f177220d488ef1e3255d06a691cca95f14ef085d4cd1cef3c"
   name = "k8s.io/klog"
   packages = ["."]
   pruneopts = ""
-  revision = "a5bc97fbc634d635061f3146511332c7e313a55a"
-  version = "v0.1.0"
+  revision = "d98d8acdac006fb39831f1b25640813fef9c314f"
+  version = "v0.3.3"
 
 [[projects]]
-  digest = "1:aae856b28533bfdb39112514290f7722d00a55a99d2d0b897c6ee82e6feb87b3"
+  branch = "master"
+  digest = "1:0d737d598e9db0a38d6ef6cba514c358b9fe7e1bc6b1128d02b2622700c75f2a"
+  name = "k8s.io/kube-aggregator"
+  packages = [
+    "pkg/apis/apiregistration",
+    "pkg/apis/apiregistration/v1",
+    "pkg/apis/apiregistration/v1beta1",
+  ]
+  pruneopts = ""
+  revision = "e80910364765199a4baebd4dec54c885fe52b680"
+
+[[projects]]
+  digest = "1:42ea993b351fdd39b9aad3c9ebe71f2fdb5d1f8d12eed24e71c3dff1a31b2a43"
   name = "k8s.io/kube-openapi"
   packages = [
     "cmd/openapi-gen",
@@ -1508,10 +1537,11 @@
     "pkg/util/sets",
   ]
   pruneopts = ""
-  revision = "master"
+  revision = "411b2483e5034420675ebcdd4a55fc76fe5e55cf"
 
 [[projects]]
-  digest = "1:6061aa42761235df375f20fa4a1aa6d1845cba3687575f3adb2ef3f3bc540af5"
+  branch = "release-1.14"
+  digest = "1:78aa6079e011ece0d28513c7fe1bd64284fa9eb5d671760803a839ffdf0e9e38"
   name = "k8s.io/kubernetes"
   packages = [
     "pkg/api/v1/pod",
@@ -1519,19 +1549,26 @@
     "pkg/apis/autoscaling",
     "pkg/apis/batch",
     "pkg/apis/core",
-    "pkg/apis/extensions",
-    "pkg/apis/networking",
-    "pkg/apis/policy",
-    "pkg/features",
     "pkg/kubectl/scheme",
     "pkg/kubectl/util/term",
-    "pkg/kubelet/apis",
     "pkg/util/interrupt",
     "pkg/util/node",
   ]
   pruneopts = ""
-  revision = "17c77c7898218073f14c8d573582e8d2313dc740"
-  version = "v1.12.2"
+  revision = "2d20b5759406ded89f8b25cf085ff4733b144ba5"
+
+[[projects]]
+  branch = "master"
+  digest = "1:4c5d39f7ca1c940d7e74dbc62d2221e2c59b3d35c54f1fa9c77f3fd3113bbcb1"
+  name = "k8s.io/utils"
+  packages = [
+    "buffer",
+    "integer",
+    "pointer",
+    "trace",
+  ]
+  pruneopts = ""
+  revision = "c55fbcfc754a5b2ec2fbae8fb9dcac36bdba6a12"
 
 [[projects]]
   branch = "master"
@@ -1541,17 +1578,26 @@
   pruneopts = ""
   revision = "97fed8db84274c421dbfffbb28ec859901556b97"
 
+[[projects]]
+  digest = "1:321081b4a44256715f2b68411d8eda9a17f17ebfe6f0cc61d2cc52d11c08acfa"
+  name = "sigs.k8s.io/yaml"
+  packages = ["."]
+  pruneopts = ""
+  revision = "fd68e9863619f6ec2fdd8625fe1f02e7c877e480"
+  version = "v1.1.0"
+
 [solve-meta]
   analyzer-name = "dep"
   analyzer-version = 1
   input-imports = [
     "github.com/Masterminds/semver",
     "github.com/TomOnTime/utfutil",
-    "github.com/ant31/crd-validation/pkg",
     "github.com/argoproj/argo/pkg/apis/workflow/v1alpha1",
     "github.com/argoproj/argo/util",
+    "github.com/argoproj/pkg/errors",
     "github.com/argoproj/pkg/exec",
     "github.com/argoproj/pkg/time",
+    "github.com/bouk/monkey",
     "github.com/casbin/casbin",
     "github.com/casbin/casbin/model",
     "github.com/casbin/casbin/persist",
@@ -1567,6 +1613,7 @@
     "github.com/go-redis/redis",
     "github.com/gobuffalo/packr",
     "github.com/gobwas/glob",
+    "github.com/gogits/go-gogs-client",
     "github.com/gogo/protobuf/gogoproto",
     "github.com/gogo/protobuf/proto",
     "github.com/gogo/protobuf/protoc-gen-gofast",
@@ -1595,6 +1642,7 @@
     "github.com/prometheus/client_golang/prometheus",
     "github.com/prometheus/client_golang/prometheus/promhttp",
     "github.com/sirupsen/logrus",
+    "github.com/sirupsen/logrus/hooks/test",
     "github.com/skratchdot/open-golang/open",
     "github.com/soheilhy/cmux",
     "github.com/spf13/cobra",
@@ -1607,6 +1655,7 @@
     "github.com/yuin/gopher-lua",
     "golang.org/x/crypto/bcrypt",
     "golang.org/x/crypto/ssh",
+    "golang.org/x/crypto/ssh/knownhosts",
     "golang.org/x/crypto/ssh/terminal",
     "golang.org/x/net/context",
     "golang.org/x/oauth2",
@@ -1620,17 +1669,20 @@
     "google.golang.org/grpc/metadata",
     "google.golang.org/grpc/reflection",
     "google.golang.org/grpc/status",
-    "gopkg.in/go-playground/webhooks.v3",
-    "gopkg.in/go-playground/webhooks.v3/bitbucket",
-    "gopkg.in/go-playground/webhooks.v3/github",
-    "gopkg.in/go-playground/webhooks.v3/gitlab",
+    "gopkg.in/go-playground/webhooks.v5/bitbucket",
+    "gopkg.in/go-playground/webhooks.v5/bitbucket-server",
+    "gopkg.in/go-playground/webhooks.v5/github",
+    "gopkg.in/go-playground/webhooks.v5/gitlab",
+    "gopkg.in/go-playground/webhooks.v5/gogs",
     "gopkg.in/src-d/go-git.v4",
     "gopkg.in/src-d/go-git.v4/config",
     "gopkg.in/src-d/go-git.v4/plumbing",
     "gopkg.in/src-d/go-git.v4/plumbing/transport",
+    "gopkg.in/src-d/go-git.v4/plumbing/transport/client",
     "gopkg.in/src-d/go-git.v4/plumbing/transport/http",
     "gopkg.in/src-d/go-git.v4/plumbing/transport/ssh",
     "gopkg.in/src-d/go-git.v4/storage/memory",
+    "gopkg.in/src-d/go-git.v4/utils/ioutil",
     "gopkg.in/yaml.v2",
     "k8s.io/api/apps/v1",
     "k8s.io/api/batch/v1",
@@ -1638,6 +1690,7 @@
     "k8s.io/api/extensions/v1beta1",
     "k8s.io/api/rbac/v1",
     "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1",
+    "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset",
     "k8s.io/apimachinery/pkg/api/equality",
     "k8s.io/apimachinery/pkg/api/errors",
     "k8s.io/apimachinery/pkg/apis/meta/v1",
@@ -1671,6 +1724,9 @@
     "k8s.io/client-go/util/flowcontrol",
     "k8s.io/client-go/util/workqueue",
     "k8s.io/code-generator/cmd/go-to-protobuf",
+    "k8s.io/klog",
+    "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1",
+    "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1",
     "k8s.io/kube-openapi/cmd/openapi-gen",
     "k8s.io/kube-openapi/pkg/common",
     "k8s.io/kubernetes/pkg/api/v1/pod",

Gopkg.toml

@@ -35,16 +35,24 @@ required = [
   name = "github.com/prometheus/client_golang"
   revision = "7858729281ec582767b20e0d696b6041d995d5e0"
 
-[[constraint]]
-  branch = "release-1.12"
+[[override]]
+  branch = "release-1.14"
   name = "k8s.io/api"
 
-[[constraint]]
-  branch = "release-1.12"
+[[override]]
+  branch = "release-1.14"
+  name = "k8s.io/kubernetes"
+
+[[override]]
+  branch = "release-1.14"
   name = "k8s.io/code-generator"
 
-[[constraint]]
-  branch = "release-9.0"
+[[override]]
+  branch = "release-1.14"
+  name = "k8s.io/apimachinery"
+
+[[override]]
+  branch = "release-11.0"
   name = "k8s.io/client-go"
 
 [[constraint]]
@@ -63,6 +71,12 @@ required = [
   branch = "master"
   name = "github.com/yudai/gojsondiff"
 
+[[constraint]]
+  name = "github.com/spf13/cobra"
+  revision = "fe5e611709b0c57fa4a89136deaa8e1d4004d053"
+
+# TODO: move off of k8s.io/kube-openapi and use controller-tools for CRD spec generation
+# (override argoproj/argo contraint on master)
 [[override]]
-  revision = "master"
+  revision = "411b2483e5034420675ebcdd4a55fc76fe5e55cf"
   name = "k8s.io/kube-openapi"

Makefile

@@ -10,11 +10,15 @@ GIT_TAG=$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-
 GIT_TREE_STATE=$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
 PACKR_CMD=$(shell if [ "`which packr`" ]; then echo "packr"; else echo "go run vendor/github.com/gobuffalo/packr/packr/main.go"; fi)
 
+define run-in-dev-tool
+    docker run --rm -it -u $(shell id -u) -e HOME=/home/user -v ${CURRENT_DIR}:/go/src/github.com/argoproj/argo-cd -w /go/src/github.com/argoproj/argo-cd argocd-dev-tools bash -c "GOPATH=/go $(1)"
+endef
+
 PATH:=$(PATH):$(PWD)/hack
 
 # docker image publishing options
 DOCKER_PUSH?=false
-IMAGE_TAG?=latest
+IMAGE_TAG?=
 # perform static compilation
 STATIC_BUILD?=true
 # build development images
@@ -22,6 +26,8 @@ DEV_IMAGE?=false
 # lint is memory and CPU intensive, so we can limit on CI to mitigate OOM
 LINT_GOGC?=off
 LINT_CONCURRENCY?=8
+# Set timeout for linter
+LINT_DEADLINE?=1m0s
 
 override LDFLAGS += \
   -X ${PACKAGE}.version=${VERSION} \
@@ -63,8 +69,12 @@ openapigen:
 clientgen:
 	./hack/update-codegen.sh
 
+.PHONY: codegen-local
+codegen-local: protogen clientgen openapigen manifests-local
+
 .PHONY: codegen
-codegen: protogen clientgen openapigen manifests
+codegen: dev-tools-image
+	$(call run-in-dev-tool,make codegen-local)
 
 .PHONY: cli
 cli: clean-debug
@@ -80,11 +90,20 @@ release-cli: clean-debug image
 .PHONY: argocd-util
 argocd-util: clean-debug
 	# Build argocd-util as a statically linked binary, so it could run within the alpine-based dex container (argoproj/argo-cd#844)
-	CGO_ENABLED=0 go build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
+
+.PHONY: dev-tools-image
+dev-tools-image:
+	docker build -t argocd-dev-tools ./hack -f ./hack/Dockerfile.dev-tools
+
+.PHONY: manifests-local
+manifests-local:
+	./hack/update-manifests.sh
 
 .PHONY: manifests
-manifests:
-	./hack/update-manifests.sh
+manifests: dev-tools-image
+	$(call run-in-dev-tool,make manifests-local IMAGE_TAG='${IMAGE_TAG}')
+
 
 # NOTE: we use packr to do the build instead of go, since we embed swagger files and policy.csv
 # files into the go binary
@@ -94,7 +113,7 @@ server: clean-debug
 
 .PHONY: repo-server
 repo-server:
-	CGO_ENABLED=0 go build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
 
 .PHONY: controller
 controller:
@@ -128,17 +147,21 @@ endif
 .PHONY: builder-image
 builder-image:
 	docker build  -t $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) --target builder .
-	docker push $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG)
+	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) ; fi
 
 .PHONY: dep-ensure
 dep-ensure:
 	dep ensure -no-vendor
 
-.PHONY: lint
-lint:
+.PHONY: lint-local
+lint-local: build
 	# golangci-lint does not do a good job of formatting imports
-	goimports -local github.com/argoproj/argo-cd -w `find . ! -path './vendor/*' ! -path './pkg/client/*' -type f -name '*.go'`
-	GOGC=$(LINT_GOGC) golangci-lint run --fix --verbose --concurrency $(LINT_CONCURRENCY)
+	goimports -local github.com/argoproj/argo-cd -w `find . ! -path './vendor/*' ! -path './pkg/client/*' ! -path '*.pb.go' ! -path '*.gw.go' -type f -name '*.go'`
+	GOGC=$(LINT_GOGC) golangci-lint run --fix --verbose --concurrency $(LINT_CONCURRENCY) --deadline $(LINT_DEADLINE)
+
+.PHONY: lint
+lint: dev-tools-image
+	$(call run-in-dev-tool,make lint-local LINT_CONCURRENCY=$(LINT_CONCURRENCY) LINT_DEADLINE=$(LINT_DEADLINE) LINT_GOGC=$(LINT_GOGC))
 
 .PHONY: build
 build:
@@ -159,10 +182,15 @@ test-e2e: cli
 .PHONY: start-e2e
 start-e2e: cli
 	killall goreman || true
+	# check we can connect to Docker to start Redis
+	docker version
 	kubectl create ns argocd-e2e || true
-	kubens argocd-e2e
+	kubectl config set-context --current --namespace=argocd-e2e
 	kustomize build test/manifests/base | kubectl apply -f -
-	goreman start
+	# set paths for locally managed ssh known hosts and tls certs data
+	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
+	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
+		goreman start
 
 # Cleans VSCode debug.test files from sub-dirs to prevent them from being included in packr boxes
 .PHONY: clean-debug
@@ -176,6 +204,8 @@ clean: clean-debug
 .PHONY: start
 start:
 	killall goreman || true
+	# check we can connect to Docker to start Redis
+	docker version
 	kubens argocd
 	goreman start
 
@@ -189,4 +219,4 @@ release-precheck: manifests
 	@if [ "$(GIT_TAG)" != "v`cat VERSION`" ]; then echo 'VERSION does not match git tag'; exit 1; fi
 
 .PHONY: release
-release: release-precheck pre-commit image release-cli
+release: pre-commit release-precheck image release-cli

OWNERS

@@ -3,6 +3,6 @@ owners:
 - jessesuen
 
 approvers:
+- alexc
 - alexmt
 - jessesuen
-- merenbach

Procfile

@@ -1,6 +1,7 @@
-controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-application-controller/main.go --loglevel debug --redis localhost:6379 --repo-server localhost:8081"
-api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:6379 --disable-auth --insecure --dex-server http://localhost:5556 --repo-server localhost:8081 --staticassets ui/dist/app"
-dex: sh -c "go run ./cmd/argocd-util/main.go gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p 5556:5556 -v `pwd`/dist/dex.yaml:/dex.yaml quay.io/dexidp/dex:v2.14.0 serve /dex.yaml"
-redis: docker run --rm --name argocd-redis -i -p 6379:6379 redis:5.0.3-alpine --save "" --appendonly no
-repo-server: sh -c "FORCE_LOG_COLORS=1 go run ./cmd/argocd-repo-server/main.go --loglevel debug --redis localhost:6379"
-ui: sh -c 'cd ui && yarn start'
+controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-application-controller/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --staticassets ui/dist/app"
+dex: sh -c "go run ./cmd/argocd-util/main.go gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml quay.io/dexidp/dex:v2.14.0 serve /dex.yaml"
+redis: docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:5.0.3-alpine --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}
+repo-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-repo-server/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
+ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
+git-server: test/fixture/testrepos/start-git.sh

README.md

@@ -19,6 +19,7 @@ Application deployment and lifecycle management should be automated, auditable,
 
 Organizations below are **officially** using Argo CD. Please send a PR with your organization name if you are using Argo CD.
 
+1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [Codility](https://www.codility.com/)
 1. [Commonbond](https://commonbond.co/)
 1. [CyberAgent](https://www.cyberagent.co.jp/en/)
@@ -27,10 +28,12 @@ Organizations below are **officially** using Argo CD. Please send a PR with your
 1. [Intuit](https://www.intuit.com/)
 1. [KintoHub](https://www.kintohub.com/)
 1. [KompiTech GmbH](https://www.kompitech.com/)
+1. [Mambu](https://www.mambu.com/) 
 1. [Mirantis](https://mirantis.com/)
 1. [OpenSaaS Studio](https://opensaas.studio)
 1. [Optoro](https://www.optoro.com/)
 1. [Riskified](https://www.riskified.com/)
+1. [Saildrone](https://www.saildrone.com/)
 1. [Tesla](https://tesla.com/)
 1. [tZERO](https://www.tzero.com/)
 1. [Ticketmaster](https://ticketmaster.com)
@@ -40,3 +43,14 @@ Organizations below are **officially** using Argo CD. Please send a PR with your
 ## Documentation
 
 To learn more about Argo CD [go to the complete documentation](https://argoproj.github.io/argo-cd/).
+
+## Community Blogs and Presentations
+
+1. [Comparison of Argo CD, Spinnaker, Jenkins X, and Tekton](https://www.inovex.de/blog/spinnaker-vs-argo-cd-vs-tekton-vs-jenkins-x/)
+1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager 3.1.2](https://medium.com/ibm-cloud/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2-4395af317359)
+1. [GitOps for Kubeflow using Argo CD](https://www.kubeflow.org/docs/use-cases/gitops-for-kubeflow/)
+1. [GitOps Toolsets on Kubernetes with CircleCI and Argo CD](https://www.digitalocean.com/community/tutorials/webinar-series-gitops-tool-sets-on-kubernetes-with-circleci-and-argo-cd)
+1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager](https://www.ibm.com/blogs/bluemix/2019/02/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2/)
+1. [CI/CD in Light Speed with K8s and Argo CD](https://www.youtube.com/watch?v=OdzH82VpMwI&feature=youtu.be)
+1. [Machine Learning as Code](https://www.youtube.com/watch?v=VXrGp5er1ZE&t=0s&index=135&list=PLj6h78yzYM2PZf9eA7bhWnIh_mK1vyOfU). Among other things, describes how Kubeflow uses Argo CD to implement GitOPs for ML
+1. [Argo CD - GitOps Continuous Delivery for Kubernetes](https://www.youtube.com/watch?v=aWDIQMbp1cc&feature=youtu.be&t=1m4s)

VERSION

@@ -1 +1 @@
-1.0.0
+1.2.2

assets/badge.svg

@@ -0,0 +1,22 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="131" height="20">
+    <linearGradient id="b" x2="0" y2="100%">
+        <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+        <stop offset="1" stop-opacity=".1"/>
+    </linearGradient>
+    <clipPath id="a">
+        <rect width="131" height="20" rx="3" fill="#fff"/>
+    </clipPath>
+    <g clip-path="url(#a)">
+        <path id="leftPath" fill="#555" d="M0 0h74v20H0z"/>
+        <path id="rightPath" fill="#4c1" d="M74 0h57v20H74z"/>
+        <path fill="url(#b)" d="M0 0h131v20H0z"/>
+    </g>
+    <g fill="#fff" text-anchor="middle" font-family="DejaVu Sans,Verdana,Geneva,sans-serif" font-size="90">
+        <image x="5" y="3" width="14" height="14" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB8AAAAeCAYAAADU8sWcAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAACXBIWXMAAABPAAAATwFjiv3XAAACC2lUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyI+CiAgICAgICAgIDx0aWZmOlJlc29sdXRpb25Vbml0PjI8L3RpZmY6UmVzb2x1dGlvblVuaXQ+CiAgICAgICAgIDx0aWZmOkNvbXByZXNzaW9uPjE8L3RpZmY6Q29tcHJlc3Npb24+CiAgICAgICAgIDx0aWZmOk9yaWVudGF0aW9uPjE8L3RpZmY6T3JpZW50YXRpb24+CiAgICAgICAgIDx0aWZmOlBob3RvbWV0cmljSW50ZXJwcmV0YXRpb24+MjwvdGlmZjpQaG90b21ldHJpY0ludGVycHJldGF0aW9uPgogICAgICA8L3JkZjpEZXNjcmlwdGlvbj4KICAgPC9yZGY6UkRGPgo8L3g6eG1wbWV0YT4KD0UqkwAACpZJREFUSA11VnmQFcUZ//qY4527by92WWTXwHKqEJDDg0MQUioKSWopK4oaS9RAlMofUSPGbFlBSaViKomgQSNmIdECkUS8ophdozEJArKoKCsgIFlY2Pu9N29mero7X78FxCR2Vb8309PTv+/4fb9vCHz1II2Nm+jmzYul2bJsdlMyO7LyPGlZtYqQck1ZHCgwLZWiROeJgB7bDzpYb/7o0y/emzXv4Pts8+ZGBUC0uf/vQf57wdw3NTVRnOYFfXvj6pJcadkUmbDGRoxVSEItSYAQQrUmRBP81VoRpkFTJUMuZA/3g/28q3dn89b7u885D4348vgf8NPAxY033LJmSlDizlSOU94f6UhoHaZdC/3QCHWON2gDYBhAYyRAWgyD4QSi1815f29++vv/+CoD2Lm2nAFGl8mndzyxMMgk5/iW6xzPi/xVk+oyE8+vLNt14FR/0uYW14ox0IwUJ4ZAaUpAaaBEYByiyLbikWWNnnThvPIxu+L717auVeb81tbWsyk4C34u8I3LnlhcSCameMzykg7TwzOJGIYWQj+M+voLYcSo/hxY1E65FECUq4G4RFP0nSjMCMVAIIKUnOHkw90L6qq/vXvbh02trV8yoBh2E0NMY9GiG+58fIGXTF6epyw7JOnamZQbz/tCnDrVVzgqqdwTT0ZTdWDN0wPpMh3ZPZqHLSw98C7Y4RwtnAodsTwGAg0ppkcxrlkYJFID+Z0bn/zelsFImzQRXfScNJFiOG689dcT/FT6GzlqedVJTHRpPH6yz/PyfTlx2IrLCpvSdWrv5OXkX9fOJB/Mnaz3XzItap+yMDoyZgEE7F1SceIghryeRNwnTBkEqhRIxiLF6bCpDXNybW2v/ruxcTzbt2+zZmfCvWT+zxNhbek3cxaPlyYsXVWSSHT25rxC3o+OWK6aDn7sZ3r79ZNY28w45Esxuhw5RjmVvEQPlIwgR8bOiE7VdrPaA2+TeGEEhFbhtAEmG5pzk5WqqbWTPv7jC8sLpgxNSRWZrUeWTAgor7EY9ytTiURvzg8GskGU5xxKkc33yDcX1yc7x3ijLxF+zZgoEljgCrSiXOWIG/WGrjifHxl1V9iyeKwW1lHNo5SKmDmcYinivwhjVpkor55sQj9+/D4MO9bpLW8RN6zJzMvbPDUkHaecE368N1+IUUJfIm5hPf1w2kTedlm/LgntmqEWEQGT3ScJYUh2NIxiiWupSUFasor1VgzXvPATfv6BC3Roq0E9MLqAXKQcAe1rqi/dv+q3DwQUw6djY6tiAaG1jLEw7nAn64WhcStPqZqpA6chap8aage077GwbQcJDx8Awq3T3DHlbeijUHWwytHFuuizCTergdQ+YocxLRHVPNcESRAJxqo60nbSvExvvvWx23MCVvucDyRt5hitwDRHHG09pZiaT7MlSUdUhtQGZttYRdwA4WnFQjFnDA4LX7UdIlgMYpaouBgGMnuBKVN/ZhgBRCMVynNAHOfRm777q4UcrW3EZxcEnD/kclYlpVaFKFIZrIRtluvdls/G9InnLZ9fpLXoJjwZAzZkDJ5mjkIj8HTCKETH9oD0eoikMSDQ5cTrLrUg4QoaFlxUH5MdYy6yAFAaYBHed6ODkMPOkMcFZggZKa0SkaL/jMeDpq5D1Vez9693V/wNUg1jQRY8yLX8BcSba8AaOgyBOdqtQBz7DNj8lZCeNY9SN6aiD3bTOc89s2iliDVvKa3uGxf6doQAxYE2oBbm0HQPG5IxqKhOg9ZpSSQj+pDU+jv5t7913spV5c70GcqLJwgMGw6ZJUuBLbgHPW0D4rgQdewDvnAllN58B0D918AvzVBn3jWi/p4Hq2/s+et1URgBRlVRMGVvBtITfwyuyYPAoIRmWSIrEqjZW1Ml/qN7dtRWzptfBzXDoaeri6TicWhes8Zsg9iMOaAyU0D3fw4qdSEkrryquP77xx+HZCwG3T09HEZfCBUXTxh125H9VZ9SHp1OfZF4aEWI9MM1AhmiVCmaIwV6a2F5ge2q8s7OBB8ytPiOZduw6pFHYOS4cUUQGsNWXj4MVLYdaGU9UAQ0o2H8eHh49WpAITReKqdmGC0PsvF2JB4Gu+i5RqKg5JSi82mOnu9GYGEhwbFjSOXadJII7Pa6Ed3hwU8igAU8lU7D/ffdZ1pFEUT19YI+sR9oZgLIjo8h6usDu2oIzJpxOc4ZphKQtoqFxw6LzxIV/RMxkabSUPAJRz3A5oc50x9T7Lf3xkR0R0xGSS+IRIFQOUUUkqvGXdR5tGXnLmjbYXI0OLCJykIBvFe2ABVHgCQqgMpjkH9xE9IY7cSgGd0w+8mOVjiy68DOh+sauusiwSM8F11nlhCm39/SvP7ux4qNZVfba/0TJ183Is9opWtxEXe5E/cC+Y5bf+CilmczqaC/JigEOjjYTrwtzwB8tAn4kJFGMIEmy0B98gb4B7tAYimHncd19ObLrP25rW0/rb76pQqsoKTEkKJgoT64biCObVx35xvGGz67qYW3Nl0RWYH/ftxmo7pyfpSoKFFjEiLxhE73jXaueHXlGw+PZ68rS8pQ01QlodUjTqcAfcQo8qGjQB36EwQfbFAuF8wjZbmNtStefZ4nC0uibKIHez92AeZEUln5wocGuLGxyUbg2cVEFp5a9pFz11MH/ZCP6M0V8gmbxWZL35K2paFmUmjDgCXAMQkjqv8wgFMGBFVSCw8g1wWsrB5IBrTDAvB0eaAkhVHCeGzSQDUm3bE9/1hs/d7dBhy5aSqAaNNWN6Mvdn9+e0KGfl8hZCd6vBwqABmISKSkCgkqr/a6QMWrwLpsKaYWhfrwi1ikfWBNvQmUhXItAlznICMlcopFFNXcEA25wBw/EIms2L4O1onZs5u46abFUsILDWhAc/OKo7H+/OtuEFqaUcsmIE8CR47zEMsSuJvRQcceODVmOqR/uAHKftAC6R+9AKcmzgVxci9qexwLTIDZ34+MR6FVErXECXw7kc+3/G7j8gPG0dbWJmQnum1+zDj3U2rJ0rWzvFRynu/YskMTb5vetmwI7xyeg7R0g072ynEGwa0PwZTRDbDn0GGI1j0Ii2pCKPCyqJTl+eei9tOl5Kr1eU2seuG5ZMBv2fjUIMkQymAWC6jouQE3jdlYZa43PLnsLbcn++eYVwi6FCQktTCEmO3QAx2rhOllAl6bOwsahg2FDTMvhRklWVSUMkxcWEyHJFbUqyCW9AtRSV//K18AF4XmbOWeBTegCF78ujTXf3hm+XvTeo49G8/67Sg+A0a0OGc6CDzIlFbDL3+8GPYuuxLWP7AYysprIQx9YNjdzAglyVkD3qGvd3dsWvv0infM2qBj53zr49rZsJsNZwa2WeTTFxtP3L1oe1VCzh3AWqOM2FJJsFBwbMuCUAgQyAqGrVVJ7Zdwyz2RZS/X/GbrguJ5eNYgyhfnncH5v+DmYcft18Y1T5S7fl9jPMN+4aM6IpeQPmgxThNA5AnuJFhIeI2tHafiNqEUW1XQL+8NrfRznENP1drNuTOA5/5/KezmAZ4zaJBSdVaUvQk5PsNTeqfrMsKQOui5LGKibBAjmKgSRk/RIMlc8BiWCLbI95Dx05jybrMkfsh+xfgPf+hH0AC4OlsAAAAASUVORK5CYII="/>
+
+        <text id="leftText1" x="435" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="470"></text>
+        <text id="leftText2" x="435" y="140" transform="scale(.1)" textLength="470"></text>
+
+        <text id="rightText1" x="995" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="470"></text>
+        <text id="rightText1" x="995" y="140" transform="scale(.1)" textLength="470"></text></g>
+</svg>

assets/builtin-policy.csv

@@ -7,6 +7,7 @@
 # p, <user/group>, <resource>, <action>, <object>
 
 p, role:readonly, applications, get, */*, allow
+p, role:readonly, certificates, get, *, allow
 p, role:readonly, clusters, get, *, allow
 p, role:readonly, repositories, get, *, allow
 p, role:readonly, projects, get, *, allow
@@ -15,6 +16,10 @@ p, role:admin, applications, create, */*, allow
 p, role:admin, applications, update, */*, allow
 p, role:admin, applications, delete, */*, allow
 p, role:admin, applications, sync, */*, allow
+p, role:admin, applications, override, */*, allow
+p, role:admin, certificates, create, *, allow
+p, role:admin, certificates, update, *, allow
+p, role:admin, certificates, delete, *, allow
 p, role:admin, clusters, create, *, allow
 p, role:admin, clusters, update, *, allow
 p, role:admin, clusters, delete, *, allow

assets/swagger.json

@@ -49,7 +49,7 @@
           "ApplicationService"
         ],
         "summary": "List returns list of applications",
-        "operationId": "ListMixin5",
+        "operationId": "ListMixin6",
         "parameters": [
           {
             "type": "string",
@@ -89,7 +89,7 @@
           "ApplicationService"
         ],
         "summary": "Create creates an application",
-        "operationId": "CreateMixin5",
+        "operationId": "CreateMixin6",
         "parameters": [
           {
             "name": "body",
@@ -116,7 +116,7 @@
           "ApplicationService"
         ],
         "summary": "Update updates an application",
-        "operationId": "UpdateMixin5",
+        "operationId": "UpdateMixin6",
         "parameters": [
           {
             "type": "string",
@@ -197,7 +197,7 @@
           "ApplicationService"
         ],
         "summary": "Get returns an application by name",
-        "operationId": "GetMixin5",
+        "operationId": "GetMixin6",
         "parameters": [
           {
             "type": "string",
@@ -238,7 +238,7 @@
           "ApplicationService"
         ],
         "summary": "Delete deletes an application",
-        "operationId": "DeleteMixin5",
+        "operationId": "DeleteMixin6",
         "parameters": [
           {
             "type": "string",
@@ -639,6 +639,37 @@
         }
       }
     },
+    "/api/v1/applications/{name}/revisions/{revision}/metadata": {
+      "get": {
+        "tags": [
+          "ApplicationService"
+        ],
+        "summary": "Get the meta-data (author, date, tags, message) for a specific revision of the application",
+        "operationId": "RevisionMetadata",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "path",
+            "required": true
+          },
+          {
+            "type": "string",
+            "name": "revision",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RevisionMetadata"
+            }
+          }
+        }
+      }
+    },
     "/api/v1/applications/{name}/rollback": {
       "post": {
         "tags": [
@@ -738,6 +769,83 @@
         }
       }
     },
+    "/api/v1/certificates": {
+      "get": {
+        "tags": [
+          "CertificateService"
+        ],
+        "summary": "List all available repository certificates",
+        "operationId": "ListCertificates",
+        "parameters": [
+          {
+            "type": "string",
+            "description": "A file-glob pattern (not regular expression) the host name has to match.",
+            "name": "hostNamePattern",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "The type of the certificate to match (ssh or https).",
+            "name": "certType",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "The sub type of the certificate to match (protocol dependent, usually only used for ssh certs).",
+            "name": "certSubType",
+            "in": "query"
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepositoryCertificateList"
+            }
+          }
+        }
+      },
+      "post": {
+        "tags": [
+          "CertificateService"
+        ],
+        "summary": "Creates repository certificates on the server",
+        "operationId": "CreateCertificate",
+        "parameters": [
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepositoryCertificateList"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepositoryCertificateList"
+            }
+          }
+        }
+      },
+      "delete": {
+        "tags": [
+          "CertificateService"
+        ],
+        "summary": "Delete the certificates that match the RepositoryCertificateQuery",
+        "operationId": "DeleteCertificate",
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/v1alpha1RepositoryCertificateList"
+            }
+          }
+        }
+      }
+    },
     "/api/v1/clusters": {
       "get": {
         "tags": [
@@ -868,13 +976,38 @@
         }
       }
     },
+    "/api/v1/clusters/{server}/rotate-auth": {
+      "post": {
+        "tags": [
+          "ClusterService"
+        ],
+        "summary": "RotateAuth returns a cluster by server address",
+        "operationId": "RotateAuth",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "server",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/clusterClusterResponse"
+            }
+          }
+        }
+      }
+    },
     "/api/v1/projects": {
       "get": {
         "tags": [
           "ProjectService"
         ],
         "summary": "List returns list of projects",
-        "operationId": "ListMixin3",
+        "operationId": "ListMixin4",
         "parameters": [
           {
             "type": "string",
@@ -896,7 +1029,7 @@
           "ProjectService"
         ],
         "summary": "Create a new project.",
-        "operationId": "CreateMixin3",
+        "operationId": "CreateMixin4",
         "parameters": [
           {
             "name": "body",
@@ -923,7 +1056,7 @@
           "ProjectService"
         ],
         "summary": "Get returns a project by name",
-        "operationId": "GetMixin3",
+        "operationId": "GetMixin4",
         "parameters": [
           {
             "type": "string",
@@ -946,7 +1079,7 @@
           "ProjectService"
         ],
         "summary": "Delete deletes a project",
-        "operationId": "DeleteMixin3",
+        "operationId": "DeleteMixin4",
         "parameters": [
           {
             "type": "string",
@@ -996,7 +1129,7 @@
           "ProjectService"
         ],
         "summary": "Update updates a project",
-        "operationId": "UpdateMixin3",
+        "operationId": "UpdateMixin4",
         "parameters": [
           {
             "type": "string",
@@ -1286,13 +1419,46 @@
         }
       }
     },
+    "/api/v1/repositories/{repo}/validate": {
+      "post": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "ValidateAccess validates access to a repository with given parameters",
+        "operationId": "ValidateAccess",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "repo",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/repositoryRepoResponse"
+            }
+          }
+        }
+      }
+    },
     "/api/v1/session": {
       "post": {
         "tags": [
           "SessionService"
         ],
         "summary": "Create a new JWT for authentication and set a cookie if using HTTP.",
-        "operationId": "CreateMixin7",
+        "operationId": "CreateMixin8",
         "parameters": [
           {
             "name": "body",
@@ -1317,7 +1483,7 @@
           "SessionService"
         ],
         "summary": "Delete an existing JWT cookie if using HTTP.",
-        "operationId": "DeleteMixin7",
+        "operationId": "DeleteMixin8",
         "responses": {
           "200": {
             "description": "(empty)",
@@ -1429,6 +1595,9 @@
         },
         "patch": {
           "type": "string"
+        },
+        "patchType": {
+          "type": "string"
         }
       }
     },
@@ -1471,6 +1640,12 @@
           "type": "boolean",
           "format": "boolean"
         },
+        "manifests": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "name": {
           "type": "string"
         },
@@ -1553,6 +1728,32 @@
         }
       }
     },
+    "clusterGoogleAnalyticsConfig": {
+      "type": "object",
+      "properties": {
+        "anonymizeUsers": {
+          "type": "boolean",
+          "format": "boolean"
+        },
+        "trackingID": {
+          "type": "string"
+        }
+      }
+    },
+    "clusterHelp": {
+      "type": "object",
+      "title": "Help settings",
+      "properties": {
+        "chatText": {
+          "type": "string",
+          "title": "the text for getting chat help, defaults to \"Chat now!\""
+        },
+        "chatUrl": {
+          "type": "string",
+          "title": "the URL for getting chat help, this will typically be your Slack channel for support"
+        }
+      }
+    },
     "clusterOIDCConfig": {
       "type": "object",
       "properties": {
@@ -1585,6 +1786,15 @@
         "dexConfig": {
           "$ref": "#/definitions/clusterDexConfig"
         },
+        "googleAnalytics": {
+          "$ref": "#/definitions/clusterGoogleAnalyticsConfig"
+        },
+        "help": {
+          "$ref": "#/definitions/clusterHelp"
+        },
+        "kustomizeOptions": {
+          "$ref": "#/definitions/v1alpha1KustomizeOptions"
+        },
         "oidcConfig": {
           "$ref": "#/definitions/clusterOIDCConfig"
         },
@@ -1594,6 +1804,10 @@
             "$ref": "#/definitions/v1alpha1ResourceOverride"
           }
         },
+        "statusBadgeEnabled": {
+          "type": "boolean",
+          "format": "boolean"
+        },
         "url": {
           "type": "string"
         }
@@ -1768,15 +1982,8 @@
       "type": "object",
       "title": "KustomizeAppSpec contains kustomize app name and path in source repo",
       "properties": {
-        "imageTags": {
-          "description": "imageTags is a list of available image tags. This is only populated for Kustomize 1.",
-          "type": "array",
-          "items": {
-            "$ref": "#/definitions/v1alpha1KustomizeImageTag"
-          }
-        },
         "images": {
-          "description": "images is a list of available images. This is only populated for Kustomize 2.",
+          "description": "images is a list of available images.",
           "type": "array",
           "items": {
             "type": "string"
@@ -1977,6 +2184,19 @@
         }
       }
     },
+    "v1Fields": {
+      "type": "object",
+      "title": "Fields stores a set of fields in a data structure like a Trie.\nTo understand how this is used, see: https://github.com/kubernetes-sigs/structured-merge-diff",
+      "properties": {
+        "map": {
+          "description": "Map stores a set of fields in a data structure like a Trie.\n\nEach key is either a '.' representing the field itself, and will always map to an empty set,\nor a string representing a sub-field or item. The string will follow one of these four formats:\n'f:<name>', where <name> is the name of a field in a struct, or key in a map\n'v:<value>', where <value> is the exact json formatted value of a list item\n'i:<index>', where <index> is position of a item in a list\n'k:<keys>', where <keys> is a map of  a list item's key fields to their unique values\nIf a key maps to an empty Fields value, the field that key represents is part of the set.\n\nThe exact format is defined in k8s.io/apiserver/pkg/endpoints/handlers/fieldmanager/internal",
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/v1Fields"
+          }
+        }
+      }
+    },
     "v1GroupKind": {
       "description": "+protobuf.options.(gogoproto.goproto_stringer)=false",
       "type": "object",
@@ -2048,6 +2268,30 @@
         }
       }
     },
+    "v1ManagedFieldsEntry": {
+      "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource\nthat the fieldset applies to.",
+      "type": "object",
+      "properties": {
+        "apiVersion": {
+          "description": "APIVersion defines the version of this resource that this field set\napplies to. The format is \"group/version\" just like the top-level\nAPIVersion field. It is necessary to track the version of a field\nset because it cannot be automatically converted.",
+          "type": "string"
+        },
+        "fields": {
+          "$ref": "#/definitions/v1Fields"
+        },
+        "manager": {
+          "description": "Manager is an identifier of the workflow managing these fields.",
+          "type": "string"
+        },
+        "operation": {
+          "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created.\nThe only valid values for this field are 'Apply' and 'Update'.",
+          "type": "string"
+        },
+        "time": {
+          "$ref": "#/definitions/v1Time"
+        }
+      }
+    },
     "v1MicroTime": {
       "description": "MicroTime is version of Time with microsecond level precision.\n\n+protobuf.options.marshal=false\n+protobuf.as=Timestamp\n+protobuf.options.(gogoproto.goproto_stringer)=false",
       "type": "object",
@@ -2116,6 +2360,13 @@
             "type": "string"
           }
         },
+        "managedFields": {
+          "description": "ManagedFields maps workflow-id and version to the set of fields\nthat are managed by that workflow. This is mostly for internal\nhousekeeping, and users typically shouldn't need to set or\nunderstand this field. A workflow can be the user's name, a\ncontroller's name, or the name of a specific apply path like\n\"ci-cd\". The set of fields is always in the version that the\nworkflow used when modifying the object.\n\nThis field is alpha and can be changed or removed without notice.\n\n+optional",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1ManagedFieldsEntry"
+          }
+        },
         "name": {
           "type": "string",
           "title": "Name must be unique within a namespace. Is required when creating resources, although\nsome resources may allow a client to request the generation of an appropriate name\nautomatically. Name is primarily intended for creation idempotence and configuration\ndefinition.\nCannot be updated.\nMore info: http://kubernetes.io/docs/user-guide/identifiers#names\n+optional"
@@ -2180,7 +2431,7 @@
       }
     },
     "v1OwnerReference": {
-      "description": "OwnerReference contains enough information to let you identify an owning\nobject. Currently, an owning object must be in the same namespace, so there\nis no namespace field.",
+      "description": "OwnerReference contains enough information to let you identify an owning\nobject. An owning object must be in the same namespace as the dependent, or\nbe cluster-scoped, so there is no namespace field.",
       "type": "object",
       "properties": {
         "apiVersion": {
@@ -2324,7 +2575,7 @@
     },
     "v1alpha1AppProject": {
       "type": "object",
-      "title": "AppProject provides a logical grouping of applications, providing controls for:\n* where the apps may deploy to (cluster whitelist)\n* what may be deployed (repository whitelist, resource whitelist/blacklist)\n* who can access these applications (roles, OIDC group claims bindings)\n* and what they can do (RBAC policies)\n* automation access to these roles (JWT tokens)\n+genclient\n+genclient:noStatus\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object",
+      "title": "AppProject provides a logical grouping of applications, providing controls for:\n* where the apps may deploy to (cluster whitelist)\n* what may be deployed (repository whitelist, resource whitelist/blacklist)\n* who can access these applications (roles, OIDC group claims bindings)\n* and what they can do (RBAC policies)\n* automation access to these roles (JWT tokens)\n+genclient\n+genclient:noStatus\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\n+kubebuilder:resource:path=appprojects,shortName=appproj;appprojs",
       "properties": {
         "metadata": {
           "$ref": "#/definitions/v1ObjectMeta"
@@ -2396,7 +2647,7 @@
     },
     "v1alpha1Application": {
       "type": "object",
-      "title": "Application is a definition of Application resource.\n+genclient\n+genclient:noStatus\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object",
+      "title": "Application is a definition of Application resource.\n+genclient\n+genclient:noStatus\n+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object\n+kubebuilder:resource:path=applications,shortName=app;apps",
       "properties": {
         "metadata": {
           "$ref": "#/definitions/v1ObjectMeta"
@@ -2484,7 +2735,7 @@
         },
         "targetRevision": {
           "type": "string",
-          "title": "Environment is a ksonnet application environment name\nTargetRevision defines the commit, tag, or branch in which to sync the application to.\nIf omitted, will sync to HEAD"
+          "title": "TargetRevision defines the commit, tag, or branch in which to sync the application to.\nIf omitted, will sync to HEAD"
         }
       }
     },
@@ -2572,16 +2823,9 @@
             "type": "string"
           }
         },
-        "imageTags": {
-          "type": "array",
-          "title": "ImageTags are kustomize 1.0 image tag overrides",
-          "items": {
-            "$ref": "#/definitions/v1alpha1KustomizeImageTag"
-          }
-        },
         "images": {
           "type": "array",
-          "title": "Images are kustomize 2.0 image overrides",
+          "title": "Images are kustomize image overrides",
           "items": {
             "type": "string"
           }
@@ -2596,6 +2840,12 @@
       "type": "object",
       "title": "ApplicationSourcePlugin holds config management plugin specific options",
       "properties": {
+        "env": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1EnvEntry"
+          }
+        },
         "name": {
           "type": "string"
         }
@@ -2807,6 +3057,19 @@
         }
       }
     },
+    "v1alpha1EnvEntry": {
+      "type": "object",
+      "properties": {
+        "name": {
+          "type": "string",
+          "title": "the name, usually uppercase"
+        },
+        "value": {
+          "type": "string",
+          "title": "the value"
+        }
+      }
+    },
     "v1alpha1HealthStatus": {
       "type": "object",
       "properties": {
@@ -2822,6 +3085,11 @@
       "type": "object",
       "title": "HelmParameter is a parameter to a helm template",
       "properties": {
+        "forceString": {
+          "type": "boolean",
+          "format": "boolean",
+          "title": "ForceString determines whether to tell Helm to interpret booleans and numbers as strings"
+        },
         "name": {
           "type": "string",
           "title": "Name is the name of the helm parameter"
@@ -2902,17 +3170,13 @@
         }
       }
     },
-    "v1alpha1KustomizeImageTag": {
+    "v1alpha1KustomizeOptions": {
       "type": "object",
-      "title": "KustomizeImageTag is a kustomize image tag",
+      "title": "KustomizeOptions are options for kustomize to use when building manifests",
       "properties": {
-        "name": {
+        "buildOptions": {
           "type": "string",
-          "title": "Name is the name of the image (e.g. nginx)"
-        },
-        "value": {
-          "type": "string",
-          "title": "Value is the value for the new tag (e.g. 1.8.0)"
+          "title": "BuildOptions is a string of build parameters to use when calling `kustomize build`"
         }
       }
     },
@@ -2993,21 +3257,87 @@
         "connectionState": {
           "$ref": "#/definitions/v1alpha1ConnectionState"
         },
+        "enableLfs": {
+          "type": "boolean",
+          "format": "boolean",
+          "title": "Whether git-lfs support should be enabled for this repo"
+        },
+        "insecure": {
+          "type": "boolean",
+          "format": "boolean",
+          "title": "Whether the repo is insecure"
+        },
         "insecureIgnoreHostKey": {
           "type": "boolean",
-          "format": "boolean"
+          "format": "boolean",
+          "title": "InsecureIgnoreHostKey should not be used anymore, Insecure is favoured"
         },
         "password": {
-          "type": "string"
+          "type": "string",
+          "title": "Password for authenticating at the repo server"
         },
         "repo": {
-          "type": "string"
+          "type": "string",
+          "title": "URL of the repo"
         },
         "sshPrivateKey": {
-          "type": "string"
+          "type": "string",
+          "title": "SSH private key data for authenticating at the repo server"
+        },
+        "tlsClientCertData": {
+          "type": "string",
+          "title": "TLS client cert data for authenticating at the repo server"
+        },
+        "tlsClientCertKey": {
+          "type": "string",
+          "title": "TLS client cert key for authenticating at the repo server"
         },
         "username": {
-          "type": "string"
+          "type": "string",
+          "title": "Username for authenticating at the repo server"
+        }
+      }
+    },
+    "v1alpha1RepositoryCertificate": {
+      "type": "object",
+      "title": "A RepositoryCertificate is either SSH known hosts entry or TLS certificate",
+      "properties": {
+        "certData": {
+          "type": "string",
+          "format": "byte",
+          "title": "Actual certificate data, protocol dependent"
+        },
+        "certInfo": {
+          "type": "string",
+          "title": "Additional certificate info (e.g. SSH fingerprint, X509 CommonName)"
+        },
+        "certSubType": {
+          "type": "string",
+          "title": "The sub type of the cert, i.e. \"ssh-rsa\""
+        },
+        "certType": {
+          "type": "string",
+          "title": "Type of certificate - currently \"https\" or \"ssh\""
+        },
+        "serverName": {
+          "type": "string",
+          "title": "Name of the server the certificate is intended for"
+        }
+      }
+    },
+    "v1alpha1RepositoryCertificateList": {
+      "type": "object",
+      "title": "RepositoryCertificateList is a collection of RepositoryCertificates",
+      "properties": {
+        "items": {
+          "type": "array",
+          "title": "List of certificates to be processed",
+          "items": {
+            "$ref": "#/definitions/v1alpha1RepositoryCertificate"
+          }
+        },
+        "metadata": {
+          "$ref": "#/definitions/v1ListMeta"
         }
       }
     },
@@ -3067,6 +3397,10 @@
         "group": {
           "type": "string"
         },
+        "hook": {
+          "type": "boolean",
+          "format": "boolean"
+        },
         "kind": {
           "type": "string"
         },
@@ -3284,6 +3618,10 @@
         "namespace": {
           "type": "string"
         },
+        "requiresPruning": {
+          "type": "boolean",
+          "format": "boolean"
+        },
         "status": {
           "type": "string"
         },
@@ -3311,6 +3649,30 @@
         }
       }
     },
+    "v1alpha1RevisionMetadata": {
+      "type": "object",
+      "title": "data about a specific revision within a repo",
+      "properties": {
+        "author": {
+          "type": "string",
+          "title": "who authored this revision,\ntypically their name and email, e.g. \"John Doe <john_doe@my-company.com>\",\nbut might not match this example"
+        },
+        "date": {
+          "$ref": "#/definitions/v1Time"
+        },
+        "message": {
+          "type": "string",
+          "title": "the message associated with the revision,\nprobably the commit message,\nthis is truncated to the first newline or 64 characters (which ever comes first)"
+        },
+        "tags": {
+          "type": "array",
+          "title": "tags on the revision,\nnote - tags can move from one revision to another",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
     "v1alpha1SyncOperation": {
       "description": "SyncOperation contains sync operation details.",
       "type": "object",
@@ -3320,6 +3682,13 @@
           "format": "boolean",
           "title": "DryRun will perform a `kubectl apply --dry-run` without actually performing the sync"
         },
+        "manifests": {
+          "type": "array",
+          "title": "Manifests is an optional field that overrides sync source with a local directory for development",
+          "items": {
+            "type": "string"
+          }
+        },
         "prune": {
           "type": "boolean",
           "format": "boolean",
@@ -3396,6 +3765,11 @@
           "type": "boolean",
           "format": "boolean",
           "title": "Prune will prune resources automatically as part of automated sync (default: false)"
+        },
+        "selfHeal": {
+          "type": "boolean",
+          "format": "boolean",
+          "title": "SelfHeal enables auto-syncing if  (default: false)"
         }
       }
     },

cmd/argocd-application-controller/main.go

@@ -20,7 +20,7 @@ import (
 	"github.com/argoproj/argo-cd/controller"
 	"github.com/argoproj/argo-cd/errors"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/settings"
@@ -40,11 +40,13 @@ func newCommand() *cobra.Command {
 		appResyncPeriod          int64
 		repoServerAddress        string
 		repoServerTimeoutSeconds int
+		selfHealTimeoutSeconds   int
 		statusProcessors         int
 		operationProcessors      int
 		logLevel                 string
 		glogLevel                int
 		metricsPort              int
+		kubectlParallelismLimit  int64
 		cacheSrc                 func() (*cache.Cache, error)
 	)
 	var command = cobra.Command{
@@ -66,7 +68,7 @@ func newCommand() *cobra.Command {
 			errors.CheckError(err)
 
 			resyncDuration := time.Duration(appResyncPeriod) * time.Second
-			repoClientset := reposerver.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
+			repoClientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
 			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
@@ -82,7 +84,9 @@ func newCommand() *cobra.Command {
 				repoClientset,
 				cache,
 				resyncDuration,
-				metricsPort)
+				time.Duration(selfHealTimeoutSeconds)*time.Second,
+				metricsPort,
+				kubectlParallelismLimit)
 			errors.CheckError(err)
 
 			log.Infof("Application Controller (version: %s) starting (namespace: %s)", common.GetVersion(), namespace)
@@ -106,6 +110,9 @@ func newCommand() *cobra.Command {
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDMetrics, "Start metrics server on given port")
+	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", 5, "Specifies timeout between application self heal attempts")
+	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", 0, "Number of allowed concurrent kubectl fork/execs.")
+
 	cacheSrc = cache.AddCacheFlagsToCmd(&command)
 	return &command
 }

cmd/argocd-repo-server/main.go

@@ -7,7 +7,8 @@ import (
 	"os"
 	"time"
 
-	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/argoproj/argo-cd/reposerver/metrics"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
@@ -47,13 +48,15 @@ func newCommand() *cobra.Command {
 			cache, err := cacheSrc()
 			errors.CheckError(err)
 
-			server, err := reposerver.NewServer(git.NewFactory(), cache, tlsConfigCustomizer, parallelismLimit)
+			metricsServer := metrics.NewMetricsServer(git.NewFactory())
+			server, err := reposerver.NewServer(metricsServer, cache, tlsConfigCustomizer, parallelismLimit)
 			errors.CheckError(err)
+
 			grpc := server.CreateGRPC()
 			listener, err := net.Listen("tcp", fmt.Sprintf(":%d", listenPort))
 			errors.CheckError(err)
 
-			http.Handle("/metrics", promhttp.Handler())
+			http.Handle("/metrics", metricsServer.GetHandler())
 			go func() { errors.CheckError(http.ListenAndServe(fmt.Sprintf(":%d", metricsPort), nil)) }()
 
 			log.Infof("argocd-repo-server %s serving on %s", common.GetVersion(), listener.Addr())

cmd/argocd-server/commands/root.go

@@ -11,7 +11,7 @@ import (
 	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/errors"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/server"
 	"github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/cli"
@@ -22,19 +22,20 @@ import (
 // NewCommand returns a new instance of an argocd command
 func NewCommand() *cobra.Command {
 	var (
-		insecure               bool
-		listenPort             int
-		metricsPort            int
-		logLevel               string
-		glogLevel              int
-		clientConfig           clientcmd.ClientConfig
-		staticAssetsDir        string
-		baseHRef               string
-		repoServerAddress      string
-		dexServerAddress       string
-		disableAuth            bool
-		tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error)
-		cacheSrc               func() (*cache.Cache, error)
+		insecure                 bool
+		listenPort               int
+		metricsPort              int
+		logLevel                 string
+		glogLevel                int
+		clientConfig             clientcmd.ClientConfig
+		repoServerTimeoutSeconds int
+		staticAssetsDir          string
+		baseHRef                 string
+		repoServerAddress        string
+		dexServerAddress         string
+		disableAuth              bool
+		tlsConfigCustomizerSrc   func() (tls.ConfigCustomizer, error)
+		cacheSrc                 func() (*cache.Cache, error)
 	)
 	var command = &cobra.Command{
 		Use:   cliName,
@@ -59,7 +60,7 @@ func NewCommand() *cobra.Command {
 
 			kubeclientset := kubernetes.NewForConfigOrDie(config)
 			appclientset := appclientset.NewForConfigOrDie(config)
-			repoclientset := reposerver.NewRepoServerClientset(repoServerAddress, 0)
+			repoclientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
 
 			argoCDOpts := server.ArgoCDServerOpts{
 				Insecure:            insecure,
@@ -103,6 +104,7 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(cli.NewVersionCmd(cliName))
 	command.Flags().IntVar(&listenPort, "port", common.DefaultPortAPIServer, "Listen on given port")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDAPIServerMetrics, "Start metrics on given port")
+	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(command)
 	cacheSrc = cache.AddCacheFlagsToCmd(command)
 	return command

cmd/argocd-util/main.go

@@ -386,6 +386,12 @@ func NewExportCommand() *cobra.Command {
 			acdRBACConfigMap, err := acdClients.configMaps.Get(common.ArgoCDRBACConfigMapName, metav1.GetOptions{})
 			errors.CheckError(err)
 			export(writer, *acdRBACConfigMap)
+			acdKnownHostsConfigMap, err := acdClients.configMaps.Get(common.ArgoCDKnownHostsConfigMapName, metav1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdKnownHostsConfigMap)
+			acdTLSCertsConfigMap, err := acdClients.configMaps.Get(common.ArgoCDTLSCertsConfigMapName, metav1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdTLSCertsConfigMap)
 
 			referencedSecrets := getReferencedSecrets(*acdConfigMap)
 			secrets, err := acdClients.secrets.List(metav1.ListOptions{})
@@ -435,6 +441,12 @@ func getReferencedSecrets(un unstructured.Unstructured) map[string]bool {
 			if cred.UsernameSecret != nil {
 				referencedSecrets[cred.UsernameSecret.Name] = true
 			}
+			if cred.TLSClientCertDataSecret != nil {
+				referencedSecrets[cred.TLSClientCertDataSecret.Name] = true
+			}
+			if cred.TLSClientCertKeySecret != nil {
+				referencedSecrets[cred.TLSClientCertKeySecret.Name] = true
+			}
 		}
 	}
 	if helmReposRAW, ok := cm.Data["helm.repositories"]; ok {

cmd/argocd/commands/app.go

@@ -5,20 +5,18 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/url"
 	"os"
-	"os/exec"
-	"path"
+	"path/filepath"
 	"reflect"
 	"regexp"
+	"sort"
 	"strconv"
 	"strings"
 	"text/tabwriter"
 	"time"
 
 	"github.com/ghodss/yaml"
-	"github.com/google/shlex"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -35,6 +33,7 @@ import (
 	applicationpkg "github.com/argoproj/argo-cd/pkg/apiclient/application"
 	settingspkg "github.com/argoproj/argo-cd/pkg/apiclient/settings"
 	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	repoapiclient "github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/reposerver/repository"
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/argo"
@@ -149,9 +148,14 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 			fmt.Printf("application '%s' created\n", created.ObjectMeta.Name)
 		},
 	}
-	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the app")
 	command.Flags().StringVar(&appName, "name", "", "A name for the app, ignored if a file is set (DEPRECATED)")
 	command.Flags().BoolVar(&upsert, "upsert", false, "Allows to override application with the same name even if supplied application spec is different from existing spec")
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the app")
+	// Only complete files with appropriate extension.
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	if err != nil {
+		log.Fatal(err)
+	}
 	addAppFlags(command, &appOpts)
 	return command
 }
@@ -218,7 +222,7 @@ func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 					printOperationResult(app.Status.OperationState)
 				}
 				if showParams {
-					printParams(app, appIf)
+					printParams(app)
 				}
 				if len(app.Status.Resources) > 0 {
 					fmt.Println()
@@ -324,7 +328,7 @@ func truncateString(str string, num int) string {
 }
 
 // printParams prints parameters and overrides
-func printParams(app *argoappv1.Application, appIf applicationpkg.ApplicationServiceClient) {
+func printParams(app *argoappv1.Application) {
 	paramLenLimit := 80
 	fmt.Println()
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
@@ -411,6 +415,12 @@ func setAppOptions(flags *pflag.FlagSet, app *argoappv1.Application, appOpts *ap
 			app.Spec.Project = appOpts.project
 		case "nameprefix":
 			setKustomizeOpt(&app.Spec.Source, &appOpts.namePrefix)
+		case "kustomize-image":
+			setKustomizeImages(&app.Spec.Source, appOpts.kustomizeImages)
+		case "jsonnet-tla-str":
+			setJsonnetOpt(&app.Spec.Source, appOpts.jsonnetTlaStr, false)
+		case "jsonnet-tla-code":
+			setJsonnetOpt(&app.Spec.Source, appOpts.jsonnetTlaCode, true)
 		case "sync-policy":
 			switch appOpts.syncPolicy {
 			case "automated":
@@ -430,6 +440,12 @@ func setAppOptions(flags *pflag.FlagSet, app *argoappv1.Application, appOpts *ap
 		}
 		app.Spec.SyncPolicy.Automated.Prune = appOpts.autoPrune
 	}
+	if flags.Changed("self-heal") {
+		if app.Spec.SyncPolicy == nil || app.Spec.SyncPolicy.Automated == nil {
+			log.Fatal("Cannot set --self-helf: application not configured with automatic sync")
+		}
+		app.Spec.SyncPolicy.Automated.SelfHeal = appOpts.selfHeal
+	}
 
 	return visited
 }
@@ -457,6 +473,17 @@ func setKustomizeOpt(src *argoappv1.ApplicationSource, namePrefix *string) {
 		src.Kustomize = nil
 	}
 }
+func setKustomizeImages(src *argoappv1.ApplicationSource, images []string) {
+	if src.Kustomize == nil {
+		src.Kustomize = &argoappv1.ApplicationSourceKustomize{}
+	}
+	for _, image := range images {
+		src.Kustomize.MergeImage(argoappv1.KustomizeImage(image))
+	}
+	if src.Kustomize.IsZero() {
+		src.Kustomize = nil
+	}
+}
 
 func setHelmOpt(src *argoappv1.ApplicationSource, valueFiles []string, releaseName *string) {
 	if src.Helm == nil {
@@ -473,6 +500,39 @@ func setHelmOpt(src *argoappv1.ApplicationSource, valueFiles []string, releaseNa
 	}
 }
 
+func setJsonnetOpt(src *argoappv1.ApplicationSource, tlaParameters []string, code bool) {
+	if src.Directory == nil {
+		src.Directory = &argoappv1.ApplicationSourceDirectory{}
+	}
+
+	if len(tlaParameters) != 0 {
+		tlas := make([]argoappv1.JsonnetVar, len(tlaParameters))
+		for index, paramStr := range tlaParameters {
+			parts := strings.SplitN(paramStr, "=", 2)
+			if len(parts) != 2 {
+				log.Fatalf("Expected parameter of the form: param=value. Received: %s", paramStr)
+				break
+			}
+			tlas[index] = argoappv1.JsonnetVar{
+				Name:  parts[0],
+				Value: parts[1],
+				Code:  code}
+		}
+		existingTLAs := []argoappv1.JsonnetVar{}
+		for i := range src.Directory.Jsonnet.TLAs {
+			if src.Directory.Jsonnet.TLAs[i].Code != code {
+				existingTLAs = append(existingTLAs, src.Directory.Jsonnet.TLAs[i])
+			}
+		}
+		src.Directory.Jsonnet.TLAs = append(existingTLAs, tlas...)
+	}
+
+	if src.Directory.IsZero() {
+		src.Directory = nil
+	}
+
+}
+
 type appOptions struct {
 	repoURL                string
 	appPath                string
@@ -486,9 +546,13 @@ type appOptions struct {
 	project                string
 	syncPolicy             string
 	autoPrune              bool
+	selfHeal               bool
 	namePrefix             string
 	directoryRecurse       bool
 	configManagementPlugin string
+	jsonnetTlaStr          []string
+	jsonnetTlaCode         []string
+	kustomizeImages        []string
 }
 
 func addAppFlags(command *cobra.Command, opts *appOptions) {
@@ -504,9 +568,13 @@ func addAppFlags(command *cobra.Command, opts *appOptions) {
 	command.Flags().StringVar(&opts.project, "project", "", "Application project name")
 	command.Flags().StringVar(&opts.syncPolicy, "sync-policy", "", "Set the sync policy (one of: automated, none)")
 	command.Flags().BoolVar(&opts.autoPrune, "auto-prune", false, "Set automatic pruning when sync is automated")
+	command.Flags().BoolVar(&opts.selfHeal, "self-heal", false, "Set self healing when sync is automated")
 	command.Flags().StringVar(&opts.namePrefix, "nameprefix", "", "Kustomize nameprefix")
 	command.Flags().BoolVar(&opts.directoryRecurse, "directory-recurse", false, "Recurse directory")
 	command.Flags().StringVar(&opts.configManagementPlugin, "config-management-plugin", "", "Config management plugin name")
+	command.Flags().StringArrayVar(&opts.jsonnetTlaStr, "jsonnet-tla-str", []string{}, "Jsonnet top level string arguments")
+	command.Flags().StringArrayVar(&opts.jsonnetTlaCode, "jsonnet-tla-code", []string{}, "Jsonnet top level code arguments")
+	command.Flags().StringArrayVar(&opts.kustomizeImages, "kustomize-image", []string{}, "Kustomize images (e.g. --kustomize-image node:8.15.0 --kustomize-image mysql=mariadb,alpine@sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d)")
 }
 
 // NewApplicationUnsetCommand returns a new instance of an `argocd app unset` command
@@ -612,23 +680,30 @@ func liveObjects(resources []*argoappv1.ResourceDiff) ([]*unstructured.Unstructu
 }
 
 func getLocalObjects(app *argoappv1.Application, local string, appLabelKey string) []*unstructured.Unstructured {
-	res, err := repository.GenerateManifests(local, &repository.ManifestRequest{
-		ApplicationSource: &app.Spec.Source,
-		AppLabelKey:       appLabelKey,
-		AppLabelValue:     app.Name,
-		Namespace:         app.Spec.Destination.Namespace,
-	})
-	errors.CheckError(err)
-	objs := make([]*unstructured.Unstructured, len(res.Manifests))
-	for i := range res.Manifests {
+	manifestStrings := getLocalObjectsString(app, local, appLabelKey, nil)
+	objs := make([]*unstructured.Unstructured, len(manifestStrings))
+	for i := range manifestStrings {
 		obj := unstructured.Unstructured{}
-		err = json.Unmarshal([]byte(res.Manifests[i]), &obj)
+		err := json.Unmarshal([]byte(manifestStrings[i]), &obj)
 		errors.CheckError(err)
 		objs[i] = &obj
 	}
 	return objs
 }
 
+func getLocalObjectsString(app *argoappv1.Application, local string, appLabelKey string, kustomizeOptions *argoappv1.KustomizeOptions) []string {
+	res, err := repository.GenerateManifests(filepath.Dir(local), filepath.Base(local), &repoapiclient.ManifestRequest{
+		ApplicationSource: &app.Spec.Source,
+		AppLabelKey:       appLabelKey,
+		AppLabelValue:     app.Name,
+		Namespace:         app.Spec.Destination.Namespace,
+		KustomizeOptions:  kustomizeOptions,
+	})
+	errors.CheckError(err)
+
+	return res.Manifests
+}
+
 type resourceInfoProvider struct {
 	namespacedByGk map[schema.GroupKind]bool
 }
@@ -673,7 +748,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 		Short: shortDesc,
 		Long:  shortDesc + "\nUses 'diff' to render the difference. KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff tool.\nReturns the following exit codes: 2 on general errors, 1 when a diff is found, and 0 when no diff is found",
 		Run: func(c *cobra.Command, args []string) {
-			if len(args) == 0 {
+			if len(args) != 1 {
 				c.HelpFunc()(c, args)
 				os.Exit(2)
 			}
@@ -773,8 +848,10 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			}
 
 			foundDiffs := false
-			for i := range items {
-				item := items[i]
+			for _, item := range items {
+				if item.target != nil && hook.IsHook(item.target) || item.live != nil && hook.IsHook(item.live) {
+					continue
+				}
 				overrides := make(map[string]argoappv1.ResourceOverride)
 				for k := range argoSettings.ResourceOverrides {
 					val := argoSettings.ResourceOverrides[k]
@@ -798,7 +875,8 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					}
 
 					foundDiffs = true
-					printDiff(item.key.Name, target, live)
+					err = diff.PrintDiff(item.key.Name, target, live)
+					errors.CheckError(err)
 				}
 			}
 			if foundDiffs {
@@ -813,43 +891,6 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	return command
 }
 
-func printDiff(name string, live *unstructured.Unstructured, target *unstructured.Unstructured) {
-	tempDir, err := ioutil.TempDir("", "argocd-diff")
-	errors.CheckError(err)
-
-	targetFile := path.Join(tempDir, name)
-	targetData := []byte("")
-	if target != nil {
-		targetData, err = yaml.Marshal(target)
-		errors.CheckError(err)
-	}
-	err = ioutil.WriteFile(targetFile, targetData, 0644)
-	errors.CheckError(err)
-
-	liveFile := path.Join(tempDir, fmt.Sprintf("%s-live.yaml", name))
-	liveData := []byte("")
-	if live != nil {
-		liveData, err = yaml.Marshal(live)
-		errors.CheckError(err)
-	}
-	err = ioutil.WriteFile(liveFile, liveData, 0644)
-	errors.CheckError(err)
-
-	cmdBinary := "diff"
-	var args []string
-	if envDiff := os.Getenv("KUBECTL_EXTERNAL_DIFF"); envDiff != "" {
-		parts, err := shlex.Split(envDiff)
-		errors.CheckError(err)
-		cmdBinary = parts[0]
-		args = parts[1:]
-	}
-
-	cmd := exec.Command(cmdBinary, append(args, liveFile, targetFile)...)
-	cmd.Stderr = os.Stderr
-	cmd.Stdout = os.Stdout
-	_ = cmd.Run()
-}
-
 // NewApplicationDeleteCommand returns a new instance of an `argocd app delete` command
 func NewApplicationDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
@@ -881,6 +922,44 @@ func NewApplicationDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 	return command
 }
 
+// Print simple list of application names
+func printApplicationNames(apps []argoappv1.Application) {
+	for _, app := range apps {
+		fmt.Println(app.Name)
+	}
+}
+
+// Print table of application data
+func printApplicationTable(apps []argoappv1.Application, output *string) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	var fmtStr string
+	headers := []interface{}{"NAME", "CLUSTER", "NAMESPACE", "PROJECT", "STATUS", "HEALTH", "SYNCPOLICY", "CONDITIONS"}
+	if *output == "wide" {
+		fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
+		headers = append(headers, "REPO", "PATH", "TARGET")
+	} else {
+		fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
+	}
+	fmt.Fprintf(w, fmtStr, headers...)
+	for _, app := range apps {
+		vals := []interface{}{
+			app.Name,
+			app.Spec.Destination.Server,
+			app.Spec.Destination.Namespace,
+			app.Spec.GetProject(),
+			app.Status.Sync.Status,
+			app.Status.Health.Status,
+			formatSyncPolicy(app),
+			formatConditionsSummary(app),
+		}
+		if *output == "wide" {
+			vals = append(vals, app.Spec.Source.RepoURL, app.Spec.Source.Path, app.Spec.Source.TargetRevision)
+		}
+		fmt.Fprintf(w, fmtStr, vals...)
+	}
+	_ = w.Flush()
+}
+
 // NewApplicationListCommand returns a new instance of an `argocd app list` command
 func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
@@ -894,36 +973,14 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			defer util.Close(conn)
 			apps, err := appIf.List(context.Background(), &applicationpkg.ApplicationQuery{})
 			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			var fmtStr string
-			headers := []interface{}{"NAME", "CLUSTER", "NAMESPACE", "PROJECT", "STATUS", "HEALTH", "SYNCPOLICY", "CONDITIONS"}
-			if output == "wide" {
-				fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
-				headers = append(headers, "REPO", "PATH", "TARGET")
+			if output == "name" {
+				printApplicationNames(apps.Items)
 			} else {
-				fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
+				printApplicationTable(apps.Items, &output)
 			}
-			fmt.Fprintf(w, fmtStr, headers...)
-			for _, app := range apps.Items {
-				vals := []interface{}{
-					app.Name,
-					app.Spec.Destination.Server,
-					app.Spec.Destination.Namespace,
-					app.Spec.GetProject(),
-					app.Status.Sync.Status,
-					app.Status.Health.Status,
-					formatSyncPolicy(app),
-					formatConditionsSummary(app),
-				}
-				if output == "wide" {
-					vals = append(vals, app.Spec.Source.RepoURL, app.Spec.Source.Path, app.Spec.Source.TargetRevision)
-				}
-				fmt.Fprintf(w, fmtStr, vals...)
-			}
-			_ = w.Flush()
 		},
 	}
-	command.Flags().StringVarP(&output, "output", "o", "", "Output format. One of: wide")
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|name")
 	return command
 }
 
@@ -1047,29 +1104,8 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 // printAppResources prints the resources of an application in a tabwriter table
 func printAppResources(w io.Writer, app *argoappv1.Application) {
 	_, _ = fmt.Fprintf(w, "GROUP\tKIND\tNAMESPACE\tNAME\tSTATUS\tHEALTH\tHOOK\tMESSAGE\n")
-	for _, res := range app.Status.Resources {
-		status := ""
-		if res.Health != nil {
-			status = res.Health.Status
-		}
-
-		// if an operation has occurred, we search for the result and print that out
-		operationState := app.Status.OperationState
-		if operationState != nil && operationState.SyncResult != nil {
-			// in most cases you'll only get one instance (if it is a non-hook resource, or a hook for a single phase),
-			// but in edge-cases you may get more than one
-			for _, result := range operationState.SyncResult.Resources.Filter(func(r *argoappv1.ResourceResult) bool {
-				return r.Group == res.Group && r.Kind == res.Kind && r.Namespace == res.Namespace && r.Name == res.Name
-			}) {
-				// for hooks, we print the result of the operation, not the sync status
-				if res.Hook {
-					status = string(result.HookPhase)
-				}
-				_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", res.Group, res.Kind, res.Namespace, res.Name, res.Status, status, result.HookType, result.Message)
-			}
-		} else {
-			_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", res.Group, res.Kind, res.Namespace, res.Name, res.Status, status, "", "")
-		}
+	for _, res := range getResourceStates(app, nil) {
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", res.Group, res.Kind, res.Namespace, res.Name, res.Status, res.Health, res.Hook, res.Message)
 	}
 }
 
@@ -1085,6 +1121,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 		strategy  string
 		force     bool
 		async     bool
+		local     string
 	)
 	var command = &cobra.Command{
 		Use:   "sync APPNAME",
@@ -1143,12 +1180,31 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 
 			selectedResources := parseSelectedResources(resources)
 
+			var localObjsStrings []string
+			if local != "" {
+				app, err := appIf.Get(context.Background(), &applicationpkg.ApplicationQuery{Name: &appName})
+				errors.CheckError(err)
+				if app.Spec.SyncPolicy != nil && app.Spec.SyncPolicy.Automated != nil {
+					log.Fatal("Cannot use local sync when Automatic Sync Policy is enabled")
+				}
+
+				errors.CheckError(err)
+				conn, settingsIf := acdClient.NewSettingsClientOrDie()
+				argoSettings, err := settingsIf.Get(context.Background(), &settingspkg.SettingsQuery{})
+				errors.CheckError(err)
+				util.Close(conn)
+
+				localObjsStrings = getLocalObjectsString(app, local, argoSettings.AppLabelKey, argoSettings.KustomizeOptions)
+
+			}
+
 			syncReq := applicationpkg.ApplicationSyncRequest{
 				Name:      &appName,
 				DryRun:    dryRun,
 				Revision:  revision,
 				Resources: selectedResources,
 				Prune:     prune,
+				Manifests: localObjsStrings,
 			}
 			switch strategy {
 			case "apply":
@@ -1191,6 +1247,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().StringVar(&strategy, "strategy", "", "Sync strategy (one of: apply|hook)")
 	command.Flags().BoolVar(&force, "force", false, "Use a force apply")
 	command.Flags().BoolVar(&async, "async", false, "Do not wait for application to sync before continuing")
+	command.Flags().StringVar(&local, "local", "", "Path to a local directory. When this flag is present no git queries will be made")
 	return command
 }
 
@@ -1206,33 +1263,6 @@ type resourceState struct {
 	Message   string
 }
 
-func newResourceStateFromStatus(res *argoappv1.ResourceStatus) *resourceState {
-	healthStatus := ""
-	if res.Health != nil {
-		healthStatus = res.Health.Status
-	}
-	return &resourceState{
-		Group:     res.Group,
-		Kind:      res.Kind,
-		Namespace: res.Namespace,
-		Name:      res.Name,
-		Status:    string(res.Status),
-		Health:    healthStatus,
-	}
-}
-
-func newResourceStateFromResult(res *argoappv1.ResourceResult) *resourceState {
-	return &resourceState{
-		Group:     res.Group,
-		Kind:      res.Kind,
-		Namespace: res.Namespace,
-		Name:      res.Name,
-		Status:    string(res.HookPhase),
-		Hook:      string(res.HookType),
-		Message:   res.Message,
-	}
-}
-
 // Key returns a unique-ish key for the resource.
 func (rs *resourceState) Key() string {
 	return fmt.Sprintf("%s/%s/%s/%s", rs.Group, rs.Kind, rs.Namespace, rs.Name)
@@ -1261,44 +1291,69 @@ func (rs *resourceState) Merge(newState *resourceState) bool {
 	return updated
 }
 
-func calculateResourceStates(app *argoappv1.Application, selectedResources []argoappv1.SyncOperationResource) map[string]*resourceState {
-	resStates := getResourceStates(app, selectedResources)
+func getResourceStates(app *argoappv1.Application, selectedResources []argoappv1.SyncOperationResource) []*resourceState {
+	var states []*resourceState
+	resourceByKey := make(map[kube.ResourceKey]argoappv1.ResourceStatus)
+	for i := range app.Status.Resources {
+		res := app.Status.Resources[i]
+		resourceByKey[kube.NewResourceKey(res.Group, res.Kind, res.Namespace, res.Name)] = res
+	}
 
-	var opResult *argoappv1.SyncOperationResult
-	if app.Status.OperationState != nil {
-		if app.Status.OperationState.SyncResult != nil {
-			opResult = app.Status.OperationState.SyncResult
+	// print most resources info along with most recent operation results
+	if app.Status.OperationState != nil && app.Status.OperationState.SyncResult != nil {
+		for _, res := range app.Status.OperationState.SyncResult.Resources {
+			sync := string(res.HookPhase)
+			health := string(res.Status)
+			key := kube.NewResourceKey(res.Group, res.Kind, res.Namespace, res.Name)
+			if resource, ok := resourceByKey[key]; ok && res.HookType == "" {
+				health = argoappv1.HealthStatusUnknown
+				if resource.Health != nil {
+					health = resource.Health.Status
+				}
+				sync = string(resource.Status)
+			}
+			states = append(states, &resourceState{
+				Group: res.Group, Kind: res.Kind, Namespace: res.Namespace, Name: res.Name, Status: sync, Health: health, Hook: string(res.HookType), Message: res.Message})
+			delete(resourceByKey, kube.NewResourceKey(res.Group, res.Kind, res.Namespace, res.Name))
 		}
 	}
-	if opResult == nil {
-		return resStates
+	resKeys := make([]kube.ResourceKey, 0)
+	for k := range resourceByKey {
+		resKeys = append(resKeys, k)
 	}
-
-	for _, result := range opResult.Resources {
-		newState := newResourceStateFromResult(result)
-		key := newState.Key()
-		if prev, ok := resStates[key]; ok {
-			prev.Merge(newState)
-		} else {
-			resStates[key] = newState
+	sort.Slice(resKeys, func(i, j int) bool {
+		return resKeys[i].String() < resKeys[j].String()
+	})
+	// print rest of resources which were not part of most recent operation
+	for _, resKey := range resKeys {
+		res := resourceByKey[resKey]
+		health := argoappv1.HealthStatusUnknown
+		if res.Health != nil {
+			health = res.Health.Status
+		}
+		states = append(states, &resourceState{
+			Group: res.Group, Kind: res.Kind, Namespace: res.Namespace, Name: res.Name, Status: string(res.Status), Health: health, Hook: "", Message: ""})
+	}
+	// filter out not selected resources
+	if len(selectedResources) > 0 {
+		for i := len(states) - 1; i >= 0; i-- {
+			res := states[i]
+			if !argo.ContainsSyncResource(res.Name, schema.GroupVersionKind{Group: res.Group, Kind: res.Kind}, selectedResources) {
+				states = append(states[:i], states[i+1:]...)
+			}
 		}
 	}
-
-	return resStates
+	return states
 }
 
-func getResourceStates(app *argoappv1.Application, selectedResources []argoappv1.SyncOperationResource) map[string]*resourceState {
+func groupResourceStates(app *argoappv1.Application, selectedResources []argoappv1.SyncOperationResource) map[string]*resourceState {
 	resStates := make(map[string]*resourceState)
-	for _, res := range app.Status.Resources {
-		if len(selectedResources) > 0 && !argo.ContainsSyncResource(res.Name, res.GroupVersionKind(), selectedResources) {
-			continue
-		}
-		newState := newResourceStateFromStatus(&res)
-		key := newState.Key()
+	for _, result := range getResourceStates(app, selectedResources) {
+		key := result.Key()
 		if prev, ok := resStates[key]; ok {
-			prev.Merge(newState)
+			prev.Merge(result)
 		} else {
-			resStates[key] = newState
+			resStates[key] = result
 		}
 	}
 	return resStates
@@ -1395,12 +1450,12 @@ func waitOnApplicationStatus(acdClient apiclient.Client, appName string, timeout
 			selectedResourcesAreReady = checkResourceStatus(watchSync, watchHealth, watchOperation, watchSuspended, app.Status.Health.Status, string(app.Status.Sync.Status), appEvent.Application.Operation)
 		}
 
-		if len(app.Status.GetErrorConditions()) == 0 && selectedResourcesAreReady {
+		if selectedResourcesAreReady {
 			printFinalStatus(app)
 			return app, nil
 		}
 
-		newStates := calculateResourceStates(app, selectedResources)
+		newStates := groupResourceStates(app, selectedResources)
 		for _, newState := range newStates {
 			var doPrint bool
 			stateKey := newState.Key()
@@ -1508,6 +1563,27 @@ func setParameterOverrides(app *argoappv1.Application, parameters []string) {
 	}
 }
 
+// Print list of history ID's for an application.
+func printApplicationHistoryIds(revHistory []argoappv1.RevisionHistory) {
+	for _, depInfo := range revHistory {
+		fmt.Println(depInfo.ID)
+	}
+}
+
+// Print a history table for an application.
+func printApplicationHistoryTable(revHistory []argoappv1.RevisionHistory) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "ID\tDATE\tREVISION\n")
+	for _, depInfo := range revHistory {
+		rev := depInfo.Source.TargetRevision
+		if len(depInfo.Revision) >= 7 {
+			rev = fmt.Sprintf("%s (%s)", rev, depInfo.Revision[0:7])
+		}
+		fmt.Fprintf(w, "%d\t%s\t%s\n", depInfo.ID, depInfo.DeployedAt, rev)
+	}
+	_ = w.Flush()
+}
+
 // NewApplicationHistoryCommand returns a new instance of an `argocd app history` command
 func NewApplicationHistoryCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
@@ -1526,19 +1602,14 @@ func NewApplicationHistoryCommand(clientOpts *argocdclient.ClientOptions) *cobra
 			appName := args[0]
 			app, err := appIf.Get(context.Background(), &applicationpkg.ApplicationQuery{Name: &appName})
 			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "ID\tDATE\tREVISION\n")
-			for _, depInfo := range app.Status.History {
-				rev := depInfo.Source.TargetRevision
-				if len(depInfo.Revision) >= 7 {
-					rev = fmt.Sprintf("%s (%s)", rev, depInfo.Revision[0:7])
-				}
-				fmt.Fprintf(w, "%d\t%s\t%s\n", depInfo.ID, depInfo.DeployedAt, rev)
+			if output == "id" {
+				printApplicationHistoryIds(app.Status.History)
+			} else {
+				printApplicationHistoryTable(app.Status.History)
 			}
-			_ = w.Flush()
 		},
 	}
-	command.Flags().StringVarP(&output, "output", "o", "", "Output format. One of: wide")
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|id")
 	return command
 }
 
@@ -1744,10 +1815,17 @@ func NewApplicationEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 
 func NewApplicationPatchCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var patch string
+	var patchType string
 
 	command := cobra.Command{
 		Use:   "patch APPNAME",
 		Short: "Patch application",
+		Long: `Examples:
+	# Update an application's source path using json patch
+	argocd app patch myapplication --patch='[{"op": "replace", "path": "/spec/source/path", "value": "newPath"}]' --type json
+
+	# Update an application's repository target revision using merge patch
+	argocd app patch myapplication --patch '{"spec": { "source": { "targetRevision": "master" } }}' --type merge`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 1 {
 				c.HelpFunc()(c, args)
@@ -1758,8 +1836,9 @@ func NewApplicationPatchCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 			defer util.Close(conn)
 
 			patchedApp, err := appIf.Patch(context.Background(), &applicationpkg.ApplicationPatchRequest{
-				Name:  &appName,
-				Patch: patch,
+				Name:      &appName,
+				Patch:     patch,
+				PatchType: patchType,
 			})
 			errors.CheckError(err)
 
@@ -1770,7 +1849,8 @@ func NewApplicationPatchCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 		},
 	}
 
-	command.Flags().StringVar(&patch, "patch", "", "Patch")
+	command.Flags().StringVar(&patch, "patch", "", "Patch body")
+	command.Flags().StringVar(&patchType, "type", "json", "The type of patch being provided; one of [json merge]")
 	return &command
 }
 

cmd/argocd/commands/cert.go

@@ -0,0 +1,290 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"sort"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	certificatepkg "github.com/argoproj/argo-cd/pkg/apiclient/certificate"
+	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util"
+	certutil "github.com/argoproj/argo-cd/util/cert"
+
+	"crypto/x509"
+)
+
+// NewCertCommand returns a new instance of an `argocd repo` command
+func NewCertCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "cert",
+		Short: "Manage repository certificates and SSH known hosts entries",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+
+	command.AddCommand(NewCertAddSSHCommand(clientOpts))
+	command.AddCommand(NewCertAddTLSCommand(clientOpts))
+	command.AddCommand(NewCertListCommand(clientOpts))
+	command.AddCommand(NewCertRemoveCommand(clientOpts))
+	return command
+}
+
+func NewCertAddTLSCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		fromFile string
+		upsert   bool
+	)
+	var command = &cobra.Command{
+		Use:   "add-tls SERVERNAME",
+		Short: "Add TLS certificate data for connecting to repository server SERVERNAME",
+		Run: func(c *cobra.Command, args []string) {
+			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
+			defer util.Close(conn)
+
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			var certificateArray []string
+			var err error
+
+			if fromFile != "" {
+				fmt.Printf("Reading TLS certificate data in PEM format from '%s'\n", fromFile)
+				certificateArray, err = certutil.ParseTLSCertificatesFromPath(fromFile)
+			} else {
+				fmt.Println("Enter TLS certificate data in PEM format. Press CTRL-D when finished.")
+				certificateArray, err = certutil.ParseTLSCertificatesFromStream(os.Stdin)
+			}
+
+			errors.CheckError(err)
+
+			certificateList := make([]appsv1.RepositoryCertificate, 0)
+
+			subjectMap := make(map[string]*x509.Certificate)
+
+			for _, entry := range certificateArray {
+				// We want to make sure to only send valid certificate data to the
+				// server, so we decode the certificate into X509 structure before
+				// further processing it.
+				x509cert, err := certutil.DecodePEMCertificateToX509(entry)
+				errors.CheckError(err)
+
+				// TODO: We need a better way to detect duplicates sent in the stream,
+				// maybe by using fingerprints? For now, no two certs with the same
+				// subject may be sent.
+				if subjectMap[x509cert.Subject.String()] != nil {
+					fmt.Printf("ERROR: Cert with subject '%s' already seen in the input stream.\n", x509cert.Subject.String())
+					continue
+				} else {
+					subjectMap[x509cert.Subject.String()] = x509cert
+				}
+			}
+
+			serverName := args[0]
+
+			if len(certificateArray) > 0 {
+				certificateList = append(certificateList, appsv1.RepositoryCertificate{
+					ServerName: serverName,
+					CertType:   "https",
+					CertData:   []byte(strings.Join(certificateArray, "\n")),
+				})
+				certificates, err := certIf.CreateCertificate(context.Background(), &certificatepkg.RepositoryCertificateCreateRequest{
+					Certificates: &appsv1.RepositoryCertificateList{
+						Items: certificateList,
+					},
+					Upsert: upsert,
+				})
+				errors.CheckError(err)
+				fmt.Printf("Created entry with %d PEM certificates for repository server %s\n", len(certificates.Items), serverName)
+			} else {
+				fmt.Printf("No valid certificates have been detected in the stream.\n")
+			}
+		},
+	}
+	command.Flags().StringVar(&fromFile, "from", "", "read TLS certificate data from file (default is to read from stdin)")
+	command.Flags().BoolVar(&upsert, "upsert", false, "Replace existing TLS certificate if certificate is different in input")
+	return command
+}
+
+// NewCertAddCommand returns a new instance of an `argocd cert add` command
+func NewCertAddSSHCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		fromFile     string
+		batchProcess bool
+		upsert       bool
+		certificates []appsv1.RepositoryCertificate
+	)
+
+	var command = &cobra.Command{
+		Use:   "add-ssh --batch",
+		Short: "Add SSH known host entries for repository servers",
+		Run: func(c *cobra.Command, args []string) {
+
+			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
+			defer util.Close(conn)
+
+			var sshKnownHostsLists []string
+			var err error
+
+			// --batch is a flag, but it is mandatory for now.
+			if batchProcess {
+				if fromFile != "" {
+					fmt.Printf("Reading SSH known hosts entries from file '%s'\n", fromFile)
+					sshKnownHostsLists, err = certutil.ParseSSHKnownHostsFromPath(fromFile)
+				} else {
+					fmt.Println("Enter SSH known hosts entries, one per line. Press CTRL-D when finished.")
+					sshKnownHostsLists, err = certutil.ParseSSHKnownHostsFromStream(os.Stdin)
+				}
+			} else {
+				err = fmt.Errorf("You need to specify --batch or specify --help for usage instructions")
+			}
+
+			errors.CheckError(err)
+
+			if len(sshKnownHostsLists) == 0 {
+				errors.CheckError(fmt.Errorf("No valid SSH known hosts data found."))
+			}
+
+			for _, knownHostsEntry := range sshKnownHostsLists {
+				hostname, certSubType, certData, err := certutil.TokenizeSSHKnownHostsEntry(knownHostsEntry)
+				errors.CheckError(err)
+				_, _, err = certutil.KnownHostsLineToPublicKey(knownHostsEntry)
+				errors.CheckError(err)
+				certificate := appsv1.RepositoryCertificate{
+					ServerName:  hostname,
+					CertType:    "ssh",
+					CertSubType: certSubType,
+					CertData:    certData,
+				}
+
+				certificates = append(certificates, certificate)
+			}
+
+			certList := &appsv1.RepositoryCertificateList{Items: certificates}
+			response, err := certIf.CreateCertificate(context.Background(), &certificatepkg.RepositoryCertificateCreateRequest{
+				Certificates: certList,
+				Upsert:       upsert,
+			})
+			errors.CheckError(err)
+			fmt.Printf("Successfully created %d SSH known host entries\n", len(response.Items))
+		},
+	}
+	command.Flags().StringVar(&fromFile, "from", "", "Read SSH known hosts data from file (default is to read from stdin)")
+	command.Flags().BoolVar(&batchProcess, "batch", false, "Perform batch processing by reading in SSH known hosts data (mandatory flag)")
+	command.Flags().BoolVar(&upsert, "upsert", false, "Replace existing SSH server public host keys if key is different in input")
+	return command
+}
+
+// NewCertRemoveCommand returns a new instance of an `argocd cert rm` command
+func NewCertRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		certType    string
+		certSubType string
+		certQuery   certificatepkg.RepositoryCertificateQuery
+	)
+	var command = &cobra.Command{
+		Use:   "rm REPOSERVER",
+		Short: "Remove certificate of TYPE for REPOSERVER",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) < 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
+			defer util.Close(conn)
+			hostNamePattern := args[0]
+
+			// Prevent the user from specifying a wildcard as hostname as precaution
+			// measure -- the user could still use "?*" or any other pattern to
+			// remove all certificates, but it's less likely that it happens by
+			// accident.
+			if hostNamePattern == "*" {
+				err := fmt.Errorf("A single wildcard is not allowed as REPOSERVER name.")
+				errors.CheckError(err)
+			}
+			certQuery = certificatepkg.RepositoryCertificateQuery{
+				HostNamePattern: hostNamePattern,
+				CertType:        certType,
+				CertSubType:     certSubType,
+			}
+			removed, err := certIf.DeleteCertificate(context.Background(), &certQuery)
+			errors.CheckError(err)
+			if len(removed.Items) > 0 {
+				for _, cert := range removed.Items {
+					fmt.Printf("Removed cert for '%s' of type '%s' (subtype '%s')\n", cert.ServerName, cert.CertType, cert.CertSubType)
+				}
+			} else {
+				fmt.Println("No certificates were removed (none matched the given patterns)")
+			}
+		},
+	}
+	command.Flags().StringVar(&certType, "cert-type", "", "Only remove certs of given type (ssh, https)")
+	command.Flags().StringVar(&certSubType, "cert-sub-type", "", "Only remove certs of given sub-type (only for ssh)")
+	return command
+}
+
+// NewCertListCommand returns a new instance of an `argocd cert rm` command
+func NewCertListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		certType        string
+		hostNamePattern string
+		sortOrder       string
+	)
+	var command = &cobra.Command{
+		Use:   "list",
+		Short: "List configured certificates",
+		Run: func(c *cobra.Command, args []string) {
+			if certType != "" {
+				switch certType {
+				case "ssh":
+				case "https":
+				default:
+					fmt.Println("cert-type must be either ssh or https")
+					os.Exit(1)
+				}
+			}
+
+			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
+			defer util.Close(conn)
+			certificates, err := certIf.ListCertificates(context.Background(), &certificatepkg.RepositoryCertificateQuery{HostNamePattern: hostNamePattern, CertType: certType})
+			errors.CheckError(err)
+			printCertTable(certificates.Items, sortOrder)
+		},
+	}
+
+	command.Flags().StringVar(&sortOrder, "sort", "", "set display sort order, valid: 'hostname', 'type'")
+	command.Flags().StringVar(&certType, "cert-type", "", "only list certificates of given type, valid: 'ssh','https'")
+	command.Flags().StringVar(&hostNamePattern, "hostname-pattern", "", "only list certificates for hosts matching given glob-pattern")
+	return command
+}
+
+// Print table of certificate info
+func printCertTable(certs []appsv1.RepositoryCertificate, sortOrder string) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "HOSTNAME\tTYPE\tSUBTYPE\tINFO\n")
+
+	if sortOrder == "hostname" || sortOrder == "" {
+		sort.Slice(certs, func(i, j int) bool {
+			return certs[i].ServerName < certs[j].ServerName
+		})
+	} else if sortOrder == "type" {
+		sort.Slice(certs, func(i, j int) bool {
+			return certs[i].CertType < certs[j].CertType
+		})
+	}
+
+	for _, c := range certs {
+		fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", c.ServerName, c.CertType, c.CertSubType, c.CertInfo)
+	}
+	_ = w.Flush()
+}

cmd/argocd/commands/cluster.go

@@ -22,6 +22,7 @@ import (
 	clusterpkg "github.com/argoproj/argo-cd/pkg/apiclient/cluster"
 	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/clusterauth"
 )
 
 // NewClusterCommand returns a new instance of an `argocd cluster` command
@@ -39,6 +40,7 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 	command.AddCommand(NewClusterGetCommand(clientOpts))
 	command.AddCommand(NewClusterListCommand(clientOpts))
 	command.AddCommand(NewClusterRemoveCommand(clientOpts))
+	command.AddCommand(NewClusterRotateAuthCommand(clientOpts))
 	return command
 }
 
@@ -86,7 +88,7 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 				// Install RBAC resources for managing the cluster
 				clientset, err := kubernetes.NewForConfig(conf)
 				errors.CheckError(err)
-				managerBearerToken, err = common.InstallClusterManagerRBAC(clientset, systemNamespace)
+				managerBearerToken, err = clusterauth.InstallClusterManagerRBAC(clientset, systemNamespace)
 				errors.CheckError(err)
 			}
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
@@ -178,7 +180,7 @@ func NewCluster(name string, conf *rest.Config, managerBearerToken string, awsAu
 // NewClusterGetCommand returns a new instance of an `argocd cluster get` command
 func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "get",
+		Use:   "get CLUSTER",
 		Short: "Get cluster information",
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
@@ -202,7 +204,7 @@ func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 // NewClusterRemoveCommand returns a new instance of an `argocd cluster list` command
 func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "rm",
+		Use:   "rm CLUSTER",
 		Short: "Remove cluster credentials",
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
@@ -217,7 +219,7 @@ func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 
 			for _, clusterName := range args {
 				// TODO(jessesuen): find the right context and remove manager RBAC artifacts
-				// err := common.UninstallClusterManagerRBAC(clientset)
+				// err := clusterauth.UninstallClusterManagerRBAC(clientset)
 				// errors.CheckError(err)
 				_, err := clusterIf.Delete(context.Background(), &clusterpkg.ClusterQuery{Server: clusterName})
 				errors.CheckError(err)
@@ -227,8 +229,28 @@ func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 	return command
 }
 
+// Print table of cluster information
+func printClusterTable(clusters []argoappv1.Cluster) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "SERVER\tNAME\tSTATUS\tMESSAGE\n")
+	for _, c := range clusters {
+		fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", c.Server, c.Name, c.ConnectionState.Status, c.ConnectionState.Message)
+	}
+	_ = w.Flush()
+}
+
+// Print list of cluster servers
+func printClusterServers(clusters []argoappv1.Cluster) {
+	for _, c := range clusters {
+		fmt.Println(c.Server)
+	}
+}
+
 // NewClusterListCommand returns a new instance of an `argocd cluster rm` command
 func NewClusterListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
 	var command = &cobra.Command{
 		Use:   "list",
 		Short: "List configured clusters",
@@ -237,12 +259,35 @@ func NewClusterListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 			defer util.Close(conn)
 			clusters, err := clusterIf.List(context.Background(), &clusterpkg.ClusterQuery{})
 			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "SERVER\tNAME\tSTATUS\tMESSAGE\n")
-			for _, c := range clusters.Items {
-				fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", c.Server, c.Name, c.ConnectionState.Status, c.ConnectionState.Message)
+			if output == "server" {
+				printClusterServers(clusters.Items)
+			} else {
+				printClusterTable(clusters.Items)
 			}
-			_ = w.Flush()
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|server")
+	return command
+}
+
+// NewClusterRotateAuthCommand returns a new instance of an `argocd cluster rotate-auth` command
+func NewClusterRotateAuthCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "rotate-auth CLUSTER",
+		Short: fmt.Sprintf("%s cluster rotate-auth CLUSTER", cliName),
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
+			defer util.Close(conn)
+			clusterQuery := clusterpkg.ClusterQuery{
+				Server: args[0],
+			}
+			_, err := clusterIf.RotateAuth(context.Background(), &clusterQuery)
+			errors.CheckError(err)
+			fmt.Printf("Cluster '%s' rotated auth\n", clusterQuery.Server)
 		},
 	}
 	return command

cmd/argocd/commands/completion.go

@@ -0,0 +1,233 @@
+package commands
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"os"
+
+	"github.com/spf13/cobra"
+)
+
+const (
+	bashCompletionFunc = `
+__argocd_list_apps() {
+	local -a argocd_out
+	if argocd_out=($(argocd app list --output name 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_list_app_history() {
+	local app=$1
+	local -a argocd_out
+	if argocd_out=($(argocd app history $app --output id 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_app_rollback() {
+	local -a command
+	for comp_word in "${COMP_WORDS[@]}"; do
+		if [[ $comp_word =~ ^-.*$ ]]; then
+			continue
+		fi
+		command+=($comp_word)
+	done
+
+	# fourth arg is app (if present): e.g.- argocd app rollback guestbook
+	local app=${command[3]}
+	local id=${command[4]}
+	if [[ -z $app || $app == $cur ]]; then
+		__argocd_list_apps
+	elif [[ -z $id || $id == $cur ]]; then
+		__argocd_list_app_history $app
+	fi
+}
+
+__argocd_list_servers() {
+	local -a argocd_out
+	if argocd_out=($(argocd cluster list --output server 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_list_repos() {
+	local -a argocd_out
+	if argocd_out=($(argocd repo list --output url 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_list_projects() {
+	local -a argocd_out
+	if argocd_out=($(argocd proj list --output name 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_list_namespaces() {
+	local -a argocd_out
+	if argocd_out=($(kubectl get namespaces --no-headers 2>/dev/null | cut -f1 -d' ' 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_proj_server_namespace() {
+	local -a command
+	for comp_word in "${COMP_WORDS[@]}"; do
+		if [[ $comp_word =~ ^-.*$ ]]; then
+			continue
+		fi
+		command+=($comp_word)
+	done
+
+	# expect something like this: argocd proj add-destination PROJECT SERVER NAMESPACE
+	local project=${command[3]}
+	local server=${command[4]}
+	local namespace=${command[5]}
+	if [[ -z $project || $project == $cur ]]; then
+		__argocd_list_projects
+	elif [[ -z $server || $server == $cur ]]; then
+		__argocd_list_servers
+	elif [[ -z $namespace || $namespace == $cur ]]; then
+		__argocd_list_namespaces
+	fi
+}
+
+__argocd_list_project_role() {
+	local project="$1"
+	local -a argocd_out
+	if argocd_out=($(argocd proj role list "$project" --output=name 2>/dev/null)); then
+		COMPREPLY+=( $( compgen -W "${argocd_out[*]}" -- "$cur" ) )
+	fi
+}
+
+__argocd_proj_role(){
+	local -a command
+	for comp_word in "${COMP_WORDS[@]}"; do
+		if [[ $comp_word =~ ^-.*$ ]]; then
+			continue
+		fi
+		command+=($comp_word)
+	done
+
+	# expect something like this: argocd proj role add-policy PROJECT ROLE-NAME
+	local project=${command[4]}
+	local role=${command[5]}
+	if [[ -z $project || $project == $cur ]]; then
+		__argocd_list_projects
+	elif [[ -z $role || $role == $cur ]]; then
+		__argocd_list_project_role $project
+	fi
+}
+
+__argocd_custom_func() {
+	case ${last_command} in
+		argocd_app_delete | \
+		argocd_app_diff | \
+		argocd_app_edit | \
+		argocd_app_get | \
+		argocd_app_history | \
+		argocd_app_manifests | \
+		argocd_app_patch-resource | \
+		argocd_app_set | \
+		argocd_app_sync | \
+		argocd_app_terminate-op | \
+		argocd_app_unset | \
+		argocd_app_wait | \
+		argocd_app_create)
+			__argocd_list_apps
+			return
+			;;
+		argocd_app_rollback)
+			__argocd_app_rollback
+			return
+			;;
+		argocd_cluster_get | \
+		argocd_cluster_rm | \
+		argocd_login | \
+		argocd_cluster_add)
+			__argocd_list_servers
+			return
+			;;
+		argocd_repo_rm | \
+		argocd_repo_add)
+			__argocd_list_repos
+			return
+			;;
+		argocd_proj_add-destination | \
+		argocd_proj_remove-destination)
+			__argocd_proj_server_namespace
+			return
+			;;
+		argocd_proj_add-source | \
+		argocd_proj_remove-source | \
+		argocd_proj_allow-cluster-resource | \
+		argocd_proj_allow-namespace-resource | \
+		argocd_proj_deny-cluster-resource | \
+		argocd_proj_deny-namespace-resource | \
+		argocd_proj_delete | \
+		argocd_proj_edit | \
+		argocd_proj_get | \
+		argocd_proj_set | \
+		argocd_proj_role_list)
+			__argocd_list_projects
+			return
+			;;
+		argocd_proj_role_remove-policy | \
+		argocd_proj_role_add-policy | \
+		argocd_proj_role_create | \
+		argocd_proj_role_delete | \
+		argocd_proj_role_get | \
+		argocd_proj_role_create-token | \
+		argocd_proj_role_delete-token)
+			__argocd_proj_role
+			return
+			;;
+		*)
+			;;
+	esac
+}
+	`
+)
+
+func NewCompletionCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "completion SHELL",
+		Short: "output shell completion code for the specified shell (bash or zsh)",
+		Long: `Write bash or zsh shell completion code to standard output.
+
+For bash, ensure you have bash completions installed and enabled.
+To access completions in your current shell, run
+$ source <(argocd completion bash)
+Alternatively, write it to a file and source in .bash_profile
+
+For zsh, output to a file in a directory referenced by the $fpath shell
+variable.
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			if len(args) != 1 {
+				cmd.HelpFunc()(cmd, args)
+				os.Exit(1)
+			}
+			shell := args[0]
+			rootCommand := NewCommand()
+			rootCommand.BashCompletionFunction = bashCompletionFunc
+			availableCompletions := map[string]func(io.Writer) error{
+				"bash": rootCommand.GenBashCompletion,
+				"zsh":  rootCommand.GenZshCompletion,
+			}
+			completion, ok := availableCompletions[shell]
+			if !ok {
+				fmt.Printf("Invalid shell '%s'. The supported shells are bash and zsh.\n", shell)
+				os.Exit(1)
+			}
+			if err := completion(os.Stdout); err != nil {
+				log.Fatal(err)
+			}
+		},
+	}
+
+	return command
+}

cmd/argocd/commands/project.go

@@ -443,8 +443,28 @@ func NewProjectDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 	return command
 }
 
+// Print list of project names
+func printProjectNames(projects []v1alpha1.AppProject) {
+	for _, p := range projects {
+		fmt.Println(p.Name)
+	}
+}
+
+// Print table of project info
+func printProjectTable(projects []v1alpha1.AppProject) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "NAME\tDESCRIPTION\tDESTINATIONS\tSOURCES\tCLUSTER-RESOURCE-WHITELIST\tNAMESPACE-RESOURCE-BLACKLIST\n")
+	for _, p := range projects {
+		printProjectLine(w, &p)
+	}
+	_ = w.Flush()
+}
+
 // NewProjectListCommand returns a new instance of an `argocd proj list` command
 func NewProjectListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
 	var command = &cobra.Command{
 		Use:   "list",
 		Short: "List projects",
@@ -453,14 +473,14 @@ func NewProjectListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 			defer util.Close(conn)
 			projects, err := projIf.List(context.Background(), &projectpkg.ProjectQuery{})
 			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "NAME\tDESCRIPTION\tDESTINATIONS\tSOURCES\tCLUSTER-RESOURCE-WHITELIST\tNAMESPACE-RESOURCE-BLACKLIST\n")
-			for _, p := range projects.Items {
-				printProjectLine(w, &p)
+			if output == "name" {
+				printProjectNames(projects.Items)
+			} else {
+				printProjectTable(projects.Items)
 			}
-			_ = w.Flush()
 		},
 	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|name")
 	return command
 }
 

cmd/argocd/commands/project_role.go

@@ -15,7 +15,6 @@ import (
 	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/util"
-	projectutil "github.com/argoproj/argo-cd/util/project"
 )
 
 const (
@@ -40,6 +39,8 @@ func NewProjectRoleCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 	roleCommand.AddCommand(NewProjectRoleDeleteTokenCommand(clientOpts))
 	roleCommand.AddCommand(NewProjectRoleAddPolicyCommand(clientOpts))
 	roleCommand.AddCommand(NewProjectRoleRemovePolicyCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleAddGroupCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleRemoveGroupCommand(clientOpts))
 	return roleCommand
 }
 
@@ -64,7 +65,7 @@ func NewProjectRoleAddPolicyCommand(clientOpts *argocdclient.ClientOptions) *cob
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
-			role, roleIndex, err := projectutil.GetRoleByName(proj, roleName)
+			role, roleIndex, err := proj.GetRoleByName(roleName)
 			errors.CheckError(err)
 
 			policy := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.action, proj.Name, opts.object, opts.permission)
@@ -99,7 +100,7 @@ func NewProjectRoleRemovePolicyCommand(clientOpts *argocdclient.ClientOptions) *
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
-			role, roleIndex, err := projectutil.GetRoleByName(proj, roleName)
+			role, roleIndex, err := proj.GetRoleByName(roleName)
 			errors.CheckError(err)
 
 			policyToRemove := fmt.Sprintf(policyTemplate, proj.Name, role.Name, opts.action, proj.Name, opts.object, opts.permission)
@@ -144,7 +145,7 @@ func NewProjectRoleCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
-			_, _, err = projectutil.GetRoleByName(proj, roleName)
+			_, _, err = proj.GetRoleByName(roleName)
 			if err == nil {
 				fmt.Printf("Role '%s' already exists\n", roleName)
 				return
@@ -178,7 +179,7 @@ func NewProjectRoleDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
-			_, index, err := projectutil.GetRoleByName(proj, roleName)
+			_, index, err := proj.GetRoleByName(roleName)
 			if err != nil {
 				fmt.Printf("Role '%s' does not exist in project\n", roleName)
 				return
@@ -248,8 +249,28 @@ func NewProjectRoleDeleteTokenCommand(clientOpts *argocdclient.ClientOptions) *c
 	return command
 }
 
+// Print list of project role names
+func printProjectRoleListName(roles []v1alpha1.ProjectRole) {
+	for _, role := range roles {
+		fmt.Println(role.Name)
+	}
+}
+
+// Print table of project roles
+func printProjectRoleListTable(roles []v1alpha1.ProjectRole) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "ROLE-NAME\tDESCRIPTION\n")
+	for _, role := range roles {
+		fmt.Fprintf(w, "%s\t%s\n", role.Name, role.Description)
+	}
+	_ = w.Flush()
+}
+
 // NewProjectRoleListCommand returns a new instance of an `argocd proj roles list` command
 func NewProjectRoleListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
 	var command = &cobra.Command{
 		Use:   "list PROJECT",
 		Short: "List all the roles in a project",
@@ -264,14 +285,14 @@ func NewProjectRoleListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 
 			project, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "ROLE-NAME\tDESCRIPTION\n")
-			for _, role := range project.Spec.Roles {
-				fmt.Fprintf(w, "%s\t%s\n", role.Name, role.Description)
+			if output == "name" {
+				printProjectRoleListName(project.Spec.Roles)
+			} else {
+				printProjectRoleListTable(project.Spec.Roles)
 			}
-			_ = w.Flush()
 		},
 	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|name")
 	return command
 }
 
@@ -293,7 +314,7 @@ func NewProjectRoleGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
-			role, _, err := projectutil.GetRoleByName(proj, roleName)
+			role, _, err := proj.GetRoleByName(roleName)
 			errors.CheckError(err)
 
 			printRoleFmtStr := "%-15s%s\n"
@@ -322,9 +343,9 @@ func NewProjectRoleGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 func NewProjectRoleAddGroupCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "add-group PROJECT ROLE-NAME GROUP-CLAIM",
-		Short: "Add a policy to a project role",
+		Short: "Add a group claim to a project role",
 		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
+			if len(args) != 3 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
@@ -333,9 +354,9 @@ func NewProjectRoleAddGroupCommand(clientOpts *argocdclient.ClientOptions) *cobr
 			defer util.Close(conn)
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
-			updated, err := projectutil.AddGroupToRole(proj, roleName, groupName)
+			updated, err := proj.AddGroupToRole(roleName, groupName)
 			errors.CheckError(err)
-			if updated {
+			if !updated {
 				fmt.Printf("Group '%s' already present in role '%s'\n", groupName, roleName)
 				return
 			}
@@ -362,7 +383,7 @@ func NewProjectRoleRemoveGroupCommand(clientOpts *argocdclient.ClientOptions) *c
 			defer util.Close(conn)
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
-			updated, err := projectutil.RemoveGroupFromRole(proj, roleName, groupName)
+			updated, err := proj.RemoveGroupFromRole(roleName, groupName)
 			errors.CheckError(err)
 			if !updated {
 				fmt.Printf("Group '%s' not present in role '%s'\n", groupName, roleName)

cmd/argocd/commands/repo.go

@@ -23,7 +23,7 @@ import (
 func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "repo",
-		Short: "Manage git repository credentials",
+		Short: "Manage git repository connection parameters",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 			os.Exit(1)
@@ -39,45 +39,104 @@ func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 // NewRepoAddCommand returns a new instance of an `argocd repo add` command
 func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		repo                  appsv1.Repository
-		upsert                bool
-		sshPrivateKeyPath     string
-		insecureIgnoreHostKey bool
+		repo                           appsv1.Repository
+		upsert                         bool
+		sshPrivateKeyPath              string
+		insecureIgnoreHostKey          bool
+		insecureSkipServerVerification bool
+		tlsClientCertPath              string
+		tlsClientCertKeyPath           string
+		enableLfs                      bool
 	)
+
+	// For better readability and easier formatting
+	var repoAddExamples = `
+Add a SSH repository using a private key for authentication, ignoring the server's host key:",
+  $ argocd repo add git@git.example.com --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa",
+Add a HTTPS repository using username/password and TLS client certificates:",
+  $ argocd repo add https://git.example.com --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key",
+Add a HTTPS repository using username/password without verifying the server's TLS certificate:",
+  $ argocd repo add https://git.example.com --username git --password secret --insecure-skip-server-verification",
+`
+
 	var command = &cobra.Command{
-		Use:   "add REPO",
-		Short: "Add git repository credentials",
+		Use:     "add REPOURL",
+		Short:   "Add git repository connection parameters",
+		Example: repoAddExamples,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 1 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
+
+			// Repository URL
 			repo.Repo = args[0]
+
+			// Specifying ssh-private-key-path is only valid for SSH repositories
 			if sshPrivateKeyPath != "" {
-				keyData, err := ioutil.ReadFile(sshPrivateKeyPath)
-				if err != nil {
-					log.Fatal(err)
+				if ok, _ := git.IsSSHURL(repo.Repo); ok {
+					keyData, err := ioutil.ReadFile(sshPrivateKeyPath)
+					if err != nil {
+						log.Fatal(err)
+					}
+					repo.SSHPrivateKey = string(keyData)
+				} else {
+					err := fmt.Errorf("--ssh-private-key-path is only supported for SSH repositories.")
+					errors.CheckError(err)
 				}
-				repo.SSHPrivateKey = string(keyData)
 			}
+
+			// tls-client-cert-path and tls-client-cert-key-key-path must always be
+			// specified together
+			if (tlsClientCertPath != "" && tlsClientCertKeyPath == "") || (tlsClientCertPath == "" && tlsClientCertKeyPath != "") {
+				err := fmt.Errorf("--tls-client-cert-path and --tls-client-cert-key-path must be specified together")
+				errors.CheckError(err)
+			}
+
+			// Specifying tls-client-cert-path is only valid for HTTPS repositories
+			if tlsClientCertPath != "" {
+				if git.IsHTTPSURL(repo.Repo) {
+					tlsCertData, err := ioutil.ReadFile(tlsClientCertPath)
+					errors.CheckError(err)
+					tlsCertKey, err := ioutil.ReadFile(tlsClientCertKeyPath)
+					errors.CheckError(err)
+					repo.TLSClientCertData = string(tlsCertData)
+					repo.TLSClientCertKey = string(tlsCertKey)
+				} else {
+					err := fmt.Errorf("--tls-client-cert-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
+			// InsecureIgnoreHostKey is deprecated and only here for backwards compat
 			repo.InsecureIgnoreHostKey = insecureIgnoreHostKey
-			// First test the repo *without* username/password. This gives us a hint on whether this
-			// is a private repo.
-			// NOTE: it is important not to run git commands to test git credentials on the user's
-			// system since it may mess with their git credential store (e.g. osx keychain).
-			// See issue #315
-			err := git.TestRepo(repo.Repo, "", "", repo.SSHPrivateKey, repo.InsecureIgnoreHostKey)
-			if err != nil {
-				if yes, _ := git.IsSSHURL(repo.Repo); yes {
-					// If we failed using git SSH credentials, then the repo is automatically bad
-					log.Fatal(err)
-				}
-				// If we can't test the repo, it's probably private. Prompt for credentials and
-				// let the server test it.
-				repo.Username, repo.Password = cli.PromptCredentials(repo.Username, repo.Password)
-			}
+			repo.Insecure = insecureSkipServerVerification
+			repo.EnableLFS = enableLfs
+
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
 			defer util.Close(conn)
+
+			// If the user set a username, but didn't supply password via --password,
+			// then we prompt for it
+			if repo.Username != "" && repo.Password == "" {
+				repo.Password = cli.PromptPassword(repo.Password)
+			}
+
+			// We let the server check access to the repository before adding it. If
+			// it is a private repo, but we cannot access with with the credentials
+			// that were supplied, we bail out.
+			repoAccessReq := repositorypkg.RepoAccessQuery{
+				Repo:              repo.Repo,
+				Username:          repo.Username,
+				Password:          repo.Password,
+				SshPrivateKey:     repo.SSHPrivateKey,
+				TlsClientCertData: repo.TLSClientCertData,
+				TlsClientCertKey:  repo.TLSClientCertKey,
+				Insecure:          repo.IsInsecure(),
+			}
+			_, err := repoIf.ValidateAccess(context.Background(), &repoAccessReq)
+			errors.CheckError(err)
+
 			repoCreateReq := repositorypkg.RepoCreateRequest{
 				Repo:   &repo,
 				Upsert: upsert,
@@ -90,7 +149,11 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command.Flags().StringVar(&repo.Username, "username", "", "username to the repository")
 	command.Flags().StringVar(&repo.Password, "password", "", "password to the repository")
 	command.Flags().StringVar(&sshPrivateKeyPath, "ssh-private-key-path", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
-	command.Flags().BoolVar(&insecureIgnoreHostKey, "insecure-ignore-host-key", false, "disables SSH strict host key checking")
+	command.Flags().StringVar(&tlsClientCertPath, "tls-client-cert-path", "", "path to the TLS client cert (must be PEM format)")
+	command.Flags().StringVar(&tlsClientCertKeyPath, "tls-client-cert-key-path", "", "path to the TLS client cert's key path (must be PEM format)")
+	command.Flags().BoolVar(&insecureIgnoreHostKey, "insecure-ignore-host-key", false, "disables SSH strict host key checking (deprecated, use --insecure-skip-server-validation instead)")
+	command.Flags().BoolVar(&insecureSkipServerVerification, "insecure-skip-server-verification", false, "disables server certificate and host key checks")
+	command.Flags().BoolVar(&enableLfs, "enable-lfs", false, "enable git-lfs (Large File Support) on this repository")
 	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
 	return command
 }
@@ -116,8 +179,34 @@ func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 	return command
 }
 
+// Print table of repo info
+func printRepoTable(repos []appsv1.Repository) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "REPO\tINSECURE\tLFS\tUSER\tSTATUS\tMESSAGE\n")
+	for _, r := range repos {
+		var username string
+		if r.Username == "" {
+			username = "-"
+		} else {
+			username = r.Username
+		}
+		fmt.Fprintf(w, "%s\t%v\t%v\t%s\t%s\t%s\n", r.Repo, r.IsInsecure(), r.EnableLFS, username, r.ConnectionState.Status, r.ConnectionState.Message)
+	}
+	_ = w.Flush()
+}
+
+// Print list of repo urls
+func printRepoUrls(repos []appsv1.Repository) {
+	for _, r := range repos {
+		fmt.Println(r.Repo)
+	}
+}
+
 // NewRepoListCommand returns a new instance of an `argocd repo rm` command
 func NewRepoListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
 	var command = &cobra.Command{
 		Use:   "list",
 		Short: "List configured repositories",
@@ -126,13 +215,13 @@ func NewRepoListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			defer util.Close(conn)
 			repos, err := repoIf.List(context.Background(), &repositorypkg.RepoQuery{})
 			errors.CheckError(err)
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			fmt.Fprintf(w, "REPO\tUSER\tSTATUS\tMESSAGE\n")
-			for _, r := range repos.Items {
-				fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", r.Repo, r.Username, r.ConnectionState.Status, r.ConnectionState.Message)
+			if output == "url" {
+				printRepoUrls(repos.Items)
+			} else {
+				printRepoTable(repos.Items)
 			}
-			_ = w.Flush()
 		},
 	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|url")
 	return command
 }

cmd/argocd/commands/root.go

@@ -36,6 +36,7 @@ func NewCommand() *cobra.Command {
 		},
 	}
 
+	command.AddCommand(NewCompletionCommand())
 	command.AddCommand(NewVersionCmd(&clientOpts))
 	command.AddCommand(NewClusterCommand(&clientOpts, pathOpts))
 	command.AddCommand(NewApplicationCommand(&clientOpts))
@@ -46,6 +47,7 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(NewProjectCommand(&clientOpts))
 	command.AddCommand(NewAccountCommand(&clientOpts))
 	command.AddCommand(NewLogoutCommand(&clientOpts))
+	command.AddCommand(NewCertCommand(&clientOpts))
 
 	defaultLocalConfigPath, err := localconfig.DefaultLocalConfigPath()
 	errors.CheckError(err)

common/common.go

@@ -15,6 +15,10 @@ const (
 	ArgoCDConfigMapName     = "argocd-cm"
 	ArgoCDSecretName        = "argocd-secret"
 	ArgoCDRBACConfigMapName = "argocd-rbac-cm"
+	// Contains SSH known hosts data for connecting repositories. Will get mounted as volume to pods
+	ArgoCDKnownHostsConfigMapName = "argocd-ssh-known-hosts-cm"
+	// Contains TLS certificate data for connecting repositories. Will get mounted as volume to pods
+	ArgoCDTLSCertsConfigMapName = "argocd-tls-certs-cm"
 )
 
 // Default system namespace
@@ -31,6 +35,18 @@ const (
 	DefaultPortRepoServerMetrics      = 8084
 )
 
+// Default paths on the pod's file system
+const (
+	// The default base path where application config is located
+	DefaultPathAppConfig = "/app/config"
+	// The default path where TLS certificates for repositories are located
+	DefaultPathTLSConfig = "/app/config/tls"
+	// The default path where SSH known hosts are stored
+	DefaultPathSSHConfig = "/app/config/ssh"
+	// Default name for the SSH known hosts file
+	DefaultSSHKnownHostsName = "ssh_known_hosts"
+)
+
 // Argo CD application related constants
 const (
 	// KubernetesInternalAPIServerAddr is address of the k8s API server when accessing internal to the cluster
@@ -115,6 +131,10 @@ const (
 	// EnvVarFakeInClusterConfig is an environment variable to fake an in-cluster RESTConfig using
 	// the current kubectl context (for development purposes)
 	EnvVarFakeInClusterConfig = "ARGOCD_FAKE_IN_CLUSTER"
+	// Overrides the location where SSH known hosts for repo access data is stored
+	EnvVarSSHDataPath = "ARGOCD_SSH_DATA_PATH"
+	// Overrides the location where TLS certificate for repo access data is stored
+	EnvVarTLSDataPath = "ARGOCD_TLS_DATA_PATH"
 )
 
 const (

controller/appcontroller.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"math"
 	"reflect"
 	"runtime/debug"
 	"strings"
@@ -11,6 +12,7 @@ import (
 	"time"
 
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sync/semaphore"
 	v1 "k8s.io/api/core/v1"
 	apierr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -32,7 +34,7 @@ import (
 	appinformers "github.com/argoproj/argo-cd/pkg/client/informers/externalversions"
 	"github.com/argoproj/argo-cd/pkg/client/informers/externalversions/application/v1alpha1"
 	applisters "github.com/argoproj/argo-cd/pkg/client/listers/application/v1alpha1"
-	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/argo"
 	argocache "github.com/argoproj/argo-cd/util/cache"
@@ -46,6 +48,21 @@ const (
 	updateOperationStateTimeout = 1 * time.Second
 )
 
+type CompareWith int
+
+const (
+	// Compare live application state against state defined in latest git revision.
+	CompareWithLatest CompareWith = 2
+	// Compare live application state against state defined using revision of most recent comparison.
+	CompareWithRecent CompareWith = 1
+	// Skip comparison and only refresh application resources tree
+	ComparisonWithNothing CompareWith = 0
+)
+
+func (a CompareWith) Max(b CompareWith) CompareWith {
+	return CompareWith(math.Max(float64(a), float64(b)))
+}
+
 // ApplicationController is the controller for application resources.
 type ApplicationController struct {
 	cache                     *argocache.Cache
@@ -62,13 +79,14 @@ type ApplicationController struct {
 	appStateManager           AppStateManager
 	stateCache                statecache.LiveStateCache
 	statusRefreshTimeout      time.Duration
-	repoClientset             reposerver.Clientset
+	selfHealTimeout           time.Duration
+	repoClientset             apiclient.Clientset
 	db                        db.ArgoDB
-	settings                  *settings_util.ArgoCDSettings
 	settingsMgr               *settings_util.SettingsManager
-	refreshRequestedApps      map[string]bool
+	refreshRequestedApps      map[string]CompareWith
 	refreshRequestedAppsMutex *sync.Mutex
 	metricsServer             *metrics.MetricsServer
+	kubectlSemaphore          *semaphore.Weighted
 }
 
 type ApplicationControllerConfig struct {
@@ -82,16 +100,14 @@ func NewApplicationController(
 	settingsMgr *settings_util.SettingsManager,
 	kubeClientset kubernetes.Interface,
 	applicationClientset appclientset.Interface,
-	repoClientset reposerver.Clientset,
+	repoClientset apiclient.Clientset,
 	argoCache *argocache.Cache,
 	appResyncPeriod time.Duration,
+	selfHealTimeout time.Duration,
 	metricsPort int,
+	kubectlParallelismLimit int64,
 ) (*ApplicationController, error) {
 	db := db.NewDB(namespace, settingsMgr, kubeClientset)
-	settings, err := settingsMgr.GetSettings()
-	if err != nil {
-		return nil, err
-	}
 	kubectlCmd := kube.KubectlCmd{}
 	ctrl := ApplicationController{
 		cache:                     argoCache,
@@ -104,18 +120,26 @@ func NewApplicationController(
 		appOperationQueue:         workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
 		db:                        db,
 		statusRefreshTimeout:      appResyncPeriod,
-		refreshRequestedApps:      make(map[string]bool),
+		refreshRequestedApps:      make(map[string]CompareWith),
 		refreshRequestedAppsMutex: &sync.Mutex{},
 		auditLogger:               argo.NewAuditLogger(namespace, kubeClientset, "argocd-application-controller"),
 		settingsMgr:               settingsMgr,
-		settings:                  settings,
+		selfHealTimeout:           selfHealTimeout,
 	}
+	if kubectlParallelismLimit > 0 {
+		ctrl.kubectlSemaphore = semaphore.NewWeighted(kubectlParallelismLimit)
+	}
+	kubectlCmd.OnKubectlRun = ctrl.onKubectlRun
 	appInformer, appLister := ctrl.newApplicationInformerAndLister()
+
 	projInformer := v1alpha1.NewAppProjectInformer(applicationClientset, namespace, appResyncPeriod, cache.Indexers{})
 	metricsAddr := fmt.Sprintf("0.0.0.0:%d", metricsPort)
-	ctrl.metricsServer = metrics.NewMetricsServer(metricsAddr, appLister)
-	stateCache := statecache.NewLiveStateCache(db, appInformer, ctrl.settings, kubectlCmd, ctrl.metricsServer, ctrl.handleAppUpdated)
-	appStateManager := NewAppStateManager(db, applicationClientset, repoClientset, namespace, kubectlCmd, ctrl.settings, stateCache, projInformer, ctrl.metricsServer)
+	ctrl.metricsServer = metrics.NewMetricsServer(metricsAddr, appLister, func() error {
+		_, err := kubeClientset.Discovery().ServerVersion()
+		return err
+	})
+	stateCache := statecache.NewLiveStateCache(db, appInformer, ctrl.settingsMgr, kubectlCmd, ctrl.metricsServer, ctrl.handleAppUpdated)
+	appStateManager := NewAppStateManager(db, applicationClientset, repoClientset, namespace, kubectlCmd, ctrl.settingsMgr, stateCache, projInformer, ctrl.metricsServer)
 	ctrl.appInformer = appInformer
 	ctrl.appLister = appLister
 	ctrl.projInformer = projInformer
@@ -125,6 +149,23 @@ func NewApplicationController(
 	return &ctrl, nil
 }
 
+func (ctrl *ApplicationController) onKubectlRun(command string) (util.Closer, error) {
+	ctrl.metricsServer.IncKubectlExec(command)
+	if ctrl.kubectlSemaphore != nil {
+		if err := ctrl.kubectlSemaphore.Acquire(context.Background(), 1); err != nil {
+			return nil, err
+		}
+		ctrl.metricsServer.IncKubectlExecPending(command)
+	}
+	return util.NewCloser(func() error {
+		if ctrl.kubectlSemaphore != nil {
+			ctrl.kubectlSemaphore.Release(1)
+			ctrl.metricsServer.DecKubectlExecPending(command)
+		}
+		return nil
+	}), nil
+}
+
 func isSelfReferencedApp(app *appv1.Application, ref v1.ObjectReference) bool {
 	gvk := ref.GroupVersionKind()
 	return ref.UID == app.UID &&
@@ -134,7 +175,7 @@ func isSelfReferencedApp(app *appv1.Application, ref v1.ObjectReference) bool {
 		gvk.Kind == application.ApplicationKind
 }
 
-func (ctrl *ApplicationController) handleAppUpdated(appName string, fullRefresh bool, ref v1.ObjectReference) {
+func (ctrl *ApplicationController) handleAppUpdated(appName string, isManagedResource bool, ref v1.ObjectReference) {
 	skipForceRefresh := false
 
 	obj, exists, err := ctrl.appInformer.GetIndexer().GetByKey(ctrl.namespace + "/" + appName)
@@ -144,13 +185,17 @@ func (ctrl *ApplicationController) handleAppUpdated(appName string, fullRefresh
 	}
 
 	if !skipForceRefresh {
-		ctrl.requestAppRefresh(appName, fullRefresh)
+		level := ComparisonWithNothing
+		if isManagedResource {
+			level = CompareWithRecent
+		}
+		ctrl.requestAppRefresh(appName, level)
 	}
 	ctrl.appRefreshQueue.Add(fmt.Sprintf("%s/%s", ctrl.namespace, appName))
 }
 
 func (ctrl *ApplicationController) setAppManagedResources(a *appv1.Application, comparisonResult *comparisonResult) (*appv1.ApplicationTree, error) {
-	managedResources, err := ctrl.managedResources(a, comparisonResult)
+	managedResources, err := ctrl.managedResources(comparisonResult)
 	if err != nil {
 		return nil, err
 	}
@@ -204,7 +249,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 	return &appv1.ApplicationTree{Nodes: nodes}, nil
 }
 
-func (ctrl *ApplicationController) managedResources(a *appv1.Application, comparisonResult *comparisonResult) ([]*appv1.ResourceDiff, error) {
+func (ctrl *ApplicationController) managedResources(comparisonResult *comparisonResult) ([]*appv1.ResourceDiff, error) {
 	items := make([]*appv1.ResourceDiff, len(comparisonResult.managedResources))
 	for i := range comparisonResult.managedResources {
 		res := comparisonResult.managedResources[i]
@@ -213,6 +258,7 @@ func (ctrl *ApplicationController) managedResources(a *appv1.Application, compar
 			Name:      res.Name,
 			Group:     res.Group,
 			Kind:      res.Kind,
+			Hook:      res.Hook,
 		}
 
 		target := res.Target
@@ -264,14 +310,13 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int
 
 	go ctrl.appInformer.Run(ctx.Done())
 	go ctrl.projInformer.Run(ctx.Done())
-	go ctrl.watchSettings(ctx)
 
 	if !cache.WaitForCacheSync(ctx.Done(), ctrl.appInformer.HasSynced, ctrl.projInformer.HasSynced) {
 		log.Error("Timed out waiting for caches to sync")
 		return
 	}
 
-	go ctrl.stateCache.Run(ctx)
+	go func() { errors.CheckError(ctrl.stateCache.Run(ctx)) }()
 	go func() { errors.CheckError(ctrl.metricsServer.ListenAndServe()) }()
 
 	for i := 0; i < statusProcessors; i++ {
@@ -291,20 +336,20 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int
 	<-ctx.Done()
 }
 
-func (ctrl *ApplicationController) requestAppRefresh(appName string, fullRefresh bool) {
+func (ctrl *ApplicationController) requestAppRefresh(appName string, compareWith CompareWith) {
 	ctrl.refreshRequestedAppsMutex.Lock()
 	defer ctrl.refreshRequestedAppsMutex.Unlock()
-	ctrl.refreshRequestedApps[appName] = fullRefresh || ctrl.refreshRequestedApps[appName]
+	ctrl.refreshRequestedApps[appName] = compareWith.Max(ctrl.refreshRequestedApps[appName])
 }
 
-func (ctrl *ApplicationController) isRefreshRequested(appName string) (bool, bool) {
+func (ctrl *ApplicationController) isRefreshRequested(appName string) (bool, CompareWith) {
 	ctrl.refreshRequestedAppsMutex.Lock()
 	defer ctrl.refreshRequestedAppsMutex.Unlock()
-	fullRefresh, ok := ctrl.refreshRequestedApps[appName]
+	level, ok := ctrl.refreshRequestedApps[appName]
 	if ok {
 		delete(ctrl.refreshRequestedApps, appName)
 	}
-	return ok, fullRefresh
+	return ok, level
 }
 
 func (ctrl *ApplicationController) processAppOperationQueueItem() (processNext bool) {
@@ -494,6 +539,7 @@ func (ctrl *ApplicationController) processRequestedAppOperation(app *appv1.Appli
 		ctrl.setOperationState(app, state)
 		logCtx.Infof("Initialized new operation: %v", *app.Operation)
 	}
+
 	ctrl.appStateManager.SyncAppState(app, state)
 
 	if state.Phase == appv1.OperationRunning {
@@ -515,7 +561,13 @@ func (ctrl *ApplicationController) processRequestedAppOperation(app *appv1.Appli
 	if state.Phase.Completed() {
 		// if we just completed an operation, force a refresh so that UI will report up-to-date
 		// sync/health information
-		ctrl.requestAppRefresh(app.ObjectMeta.Name, true)
+		if key, err := cache.MetaNamespaceKeyFunc(app); err == nil {
+			// force app refresh with using CompareWithLatest comparison type and trigger app reconciliation loop
+			ctrl.requestAppRefresh(app.Name, CompareWithLatest)
+			ctrl.appRefreshQueue.Add(key)
+		} else {
+			logCtx.Warnf("Fails to requeue application: %v", err)
+		}
 	}
 }
 
@@ -610,7 +662,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		log.Warnf("Key '%s' in index is not an application", appKey)
 		return
 	}
-	needRefresh, refreshType, fullRefresh := ctrl.needRefreshAppStatus(origApp, ctrl.statusRefreshTimeout)
+	needRefresh, refreshType, comparisonLevel := ctrl.needRefreshAppStatus(origApp, ctrl.statusRefreshTimeout)
 
 	if !needRefresh {
 		return
@@ -620,13 +672,13 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	defer func() {
 		reconcileDuration := time.Since(startTime)
 		ctrl.metricsServer.IncReconcile(origApp, reconcileDuration)
-		logCtx := log.WithFields(log.Fields{"application": origApp.Name, "time_ms": reconcileDuration.Seconds() * 1e3, "full": fullRefresh})
+		logCtx := log.WithFields(log.Fields{"application": origApp.Name, "time_ms": reconcileDuration.Seconds() * 1e3, "level": comparisonLevel})
 		logCtx.Info("Reconciliation completed")
 	}()
 
 	app := origApp.DeepCopy()
 	logCtx := log.WithFields(log.Fields{"application": app.Name})
-	if !fullRefresh {
+	if comparisonLevel == ComparisonWithNothing {
 		if managedResources, err := ctrl.cache.GetAppManagedResources(app.Name); err != nil {
 			logCtx.Warnf("Failed to get cached managed resources for tree reconciliation, fallback to full reconciliation")
 		} else {
@@ -639,7 +691,8 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 					return
 				}
 			}
-			app.Status.ObservedAt = metav1.Now()
+			now := metav1.Now()
+			app.Status.ObservedAt = &now
 			ctrl.persistAppStatus(origApp, &app.Status)
 			return
 		}
@@ -654,13 +707,22 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		return
 	}
 
-	compareResult, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, refreshType == appv1.RefreshTypeHard)
-	if err != nil {
-		conditions = append(conditions, appv1.ApplicationCondition{Type: appv1.ApplicationConditionComparisonError, Message: err.Error()})
-	} else {
-		ctrl.normalizeApplication(origApp, app, compareResult.appSourceType)
-		conditions = append(conditions, compareResult.conditions...)
+	var localManifests []string
+	if opState := app.Status.OperationState; opState != nil && opState.Operation.Sync != nil {
+		localManifests = opState.Operation.Sync.Manifests
 	}
+
+	revision := app.Spec.Source.TargetRevision
+	if comparisonLevel == CompareWithRecent {
+		revision = app.Status.Sync.Revision
+	}
+
+	compareResult := ctrl.appStateManager.CompareAppState(app, revision, app.Spec.Source, refreshType == appv1.RefreshTypeHard, localManifests)
+
+	ctrl.normalizeApplication(origApp, app, compareResult.appSourceType)
+
+	conditions = append(conditions, compareResult.conditions...)
+
 	tree, err := ctrl.setAppManagedResources(app, compareResult)
 	if err != nil {
 		logCtx.Errorf("Failed to cache app resources: %v", err)
@@ -668,13 +730,13 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		app.Status.Summary = tree.GetSummary()
 	}
 
-	syncErrCond := ctrl.autoSync(app, compareResult.syncStatus)
+	syncErrCond := ctrl.autoSync(app, compareResult.syncStatus, compareResult.resources)
 	if syncErrCond != nil {
 		conditions = append(conditions, *syncErrCond)
 	}
 
-	app.Status.ObservedAt = compareResult.reconciledAt
-	app.Status.ReconciledAt = compareResult.reconciledAt
+	app.Status.ObservedAt = &compareResult.reconciledAt
+	app.Status.ReconciledAt = &compareResult.reconciledAt
 	app.Status.Sync = *compareResult.syncStatus
 	app.Status.Health = *compareResult.healthStatus
 	app.Status.Resources = compareResult.resources
@@ -688,17 +750,21 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 // Returns true if application never been compared, has changed or comparison result has expired.
 // Additionally returns whether full refresh was requested or not.
 // If full refresh is requested then target and live state should be reconciled, else only live state tree should be updated.
-func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application, statusRefreshTimeout time.Duration) (bool, appv1.RefreshType, bool) {
+func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application, statusRefreshTimeout time.Duration) (bool, appv1.RefreshType, CompareWith) {
 	logCtx := log.WithFields(log.Fields{"application": app.Name})
 	var reason string
-	fullRefresh := true
+	compareWith := CompareWithLatest
 	refreshType := appv1.RefreshTypeNormal
-	expired := app.Status.ReconciledAt.Add(statusRefreshTimeout).Before(time.Now().UTC())
-	if requestedType, ok := app.IsRefreshRequested(); ok {
-		refreshType = requestedType
-		reason = fmt.Sprintf("%s refresh requested", refreshType)
-	} else if requested, full := ctrl.isRefreshRequested(app.Name); requested {
-		fullRefresh = full
+	expired := app.Status.ReconciledAt == nil || app.Status.ReconciledAt.Add(statusRefreshTimeout).Before(time.Now().UTC())
+	if requestedType, ok := app.IsRefreshRequested(); ok || expired {
+		if ok {
+			refreshType = requestedType
+			reason = fmt.Sprintf("%s refresh requested", refreshType)
+		} else if expired {
+			reason = fmt.Sprintf("comparison expired. reconciledAt: %v, expiry: %v", app.Status.ReconciledAt, statusRefreshTimeout)
+		}
+	} else if requested, level := ctrl.isRefreshRequested(app.Name); requested {
+		compareWith = level
 		reason = fmt.Sprintf("controller refresh requested")
 	} else if app.Status.Sync.Status == appv1.SyncStatusCodeUnknown && expired {
 		reason = "comparison status unknown"
@@ -706,14 +772,12 @@ func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application,
 		reason = "spec.source differs"
 	} else if !app.Spec.Destination.Equals(app.Status.Sync.ComparedTo.Destination) {
 		reason = "spec.destination differs"
-	} else if expired {
-		reason = fmt.Sprintf("comparison expired. reconciledAt: %v, expiry: %v", app.Status.ReconciledAt, statusRefreshTimeout)
 	}
 	if reason != "" {
-		logCtx.Infof("Refreshing app status (%s)", reason)
-		return true, refreshType, fullRefresh
+		logCtx.Infof("Refreshing app status (%s), level (%d)", reason, compareWith)
+		return true, refreshType, compareWith
 	}
-	return false, refreshType, fullRefresh
+	return false, refreshType, compareWith
 }
 
 func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application) ([]appv1.ApplicationCondition, bool) {
@@ -751,6 +815,7 @@ func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application)
 		appv1.ApplicationConditionSharedResourceWarning:   true,
 		appv1.ApplicationConditionSyncError:               true,
 		appv1.ApplicationConditionRepeatedResourceWarning: true,
+		appv1.ApplicationConditionExcludedResourceWarning: true,
 	}
 	appConditions := make([]appv1.ApplicationCondition, 0)
 	for i := 0; i < len(app.Status.Conditions); i++ {
@@ -830,7 +895,7 @@ func (ctrl *ApplicationController) persistAppStatus(orig *appv1.Application, new
 }
 
 // autoSync will initiate a sync operation for an application configured with automated sync
-func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *appv1.SyncStatus) *appv1.ApplicationCondition {
+func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *appv1.SyncStatus, resources []appv1.ResourceStatus) *appv1.ApplicationCondition {
 	if app.Spec.SyncPolicy == nil || app.Spec.SyncPolicy.Automated == nil {
 		return nil
 	}
@@ -849,28 +914,52 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 		logCtx.Infof("Skipping auto-sync: application status is %s", syncStatus.Status)
 		return nil
 	}
+
 	desiredCommitSHA := syncStatus.Revision
-
-	// It is possible for manifests to remain OutOfSync even after a sync/kubectl apply (e.g.
-	// auto-sync with pruning disabled). We need to ensure that we do not keep Syncing an
-	// application in an infinite loop. To detect this, we only attempt the Sync if the revision
-	// and parameter overrides are different from our most recent sync operation.
-	if alreadyAttemptedSync(app, desiredCommitSHA) {
-		if app.Status.OperationState.Phase != appv1.OperationSucceeded {
-			logCtx.Warnf("Skipping auto-sync: failed previous sync attempt to %s", desiredCommitSHA)
-			message := fmt.Sprintf("Failed sync attempt to %s: %s", desiredCommitSHA, app.Status.OperationState.Message)
-			return &appv1.ApplicationCondition{Type: appv1.ApplicationConditionSyncError, Message: message}
-		}
-		logCtx.Infof("Skipping auto-sync: most recent sync already to %s", desiredCommitSHA)
-		return nil
-	}
-
+	alreadyAttempted, attemptPhase := alreadyAttemptedSync(app, desiredCommitSHA)
+	selfHeal := app.Spec.SyncPolicy.Automated.SelfHeal
 	op := appv1.Operation{
 		Sync: &appv1.SyncOperation{
 			Revision: desiredCommitSHA,
 			Prune:    app.Spec.SyncPolicy.Automated.Prune,
 		},
 	}
+	// It is possible for manifests to remain OutOfSync even after a sync/kubectl apply (e.g.
+	// auto-sync with pruning disabled). We need to ensure that we do not keep Syncing an
+	// application in an infinite loop. To detect this, we only attempt the Sync if the revision
+	// and parameter overrides are different from our most recent sync operation.
+	if alreadyAttempted && (!selfHeal || !attemptPhase.Successful()) {
+		if !attemptPhase.Successful() {
+			logCtx.Warnf("Skipping auto-sync: failed previous sync attempt to %s", desiredCommitSHA)
+			message := fmt.Sprintf("Failed sync attempt to %s: %s", desiredCommitSHA, app.Status.OperationState.Message)
+			return &appv1.ApplicationCondition{Type: appv1.ApplicationConditionSyncError, Message: message}
+		}
+		logCtx.Infof("Skipping auto-sync: most recent sync already to %s", desiredCommitSHA)
+		return nil
+	} else if alreadyAttempted && selfHeal {
+		if shouldSelfHeal, retryAfter := ctrl.shouldSelfHeal(app); shouldSelfHeal {
+			for _, resource := range resources {
+				if resource.Status != appv1.SyncStatusCodeSynced {
+					op.Sync.Resources = append(op.Sync.Resources, appv1.SyncOperationResource{
+						Kind:  resource.Kind,
+						Group: resource.Group,
+						Name:  resource.Name,
+					})
+				}
+			}
+		} else {
+			logCtx.Infof("Skipping auto-sync: already attempted sync to %s with timeout %v (retrying in %v)", desiredCommitSHA, ctrl.selfHealTimeout, retryAfter)
+			if key, err := cache.MetaNamespaceKeyFunc(app); err == nil {
+				ctrl.requestAppRefresh(app.Name, CompareWithLatest)
+				ctrl.appRefreshQueue.AddAfter(key, retryAfter)
+			} else {
+				logCtx.Warnf("Fails to requeue application: %v", err)
+			}
+			return nil
+		}
+
+	}
+
 	appIf := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(app.Namespace)
 	_, err := argo.SetAppOperation(appIf, app.Name, &op)
 	if err != nil {
@@ -885,12 +974,12 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 
 // alreadyAttemptedSync returns whether or not the most recent sync was performed against the
 // commitSHA and with the same app source config which are currently set in the app
-func alreadyAttemptedSync(app *appv1.Application, commitSHA string) bool {
+func alreadyAttemptedSync(app *appv1.Application, commitSHA string) (bool, appv1.OperationPhase) {
 	if app.Status.OperationState == nil || app.Status.OperationState.Operation.Sync == nil || app.Status.OperationState.SyncResult == nil {
-		return false
+		return false, ""
 	}
 	if app.Status.OperationState.SyncResult.Revision != commitSHA {
-		return false
+		return false, ""
 	}
 	// Ignore differences in target revision, since we already just verified commitSHAs are equal,
 	// and we do not want to trigger auto-sync due to things like HEAD != master
@@ -898,7 +987,21 @@ func alreadyAttemptedSync(app *appv1.Application, commitSHA string) bool {
 	specSource.TargetRevision = ""
 	syncResSource := app.Status.OperationState.SyncResult.Source.DeepCopy()
 	syncResSource.TargetRevision = ""
-	return reflect.DeepEqual(app.Spec.Source, app.Status.OperationState.SyncResult.Source)
+	return reflect.DeepEqual(app.Spec.Source, app.Status.OperationState.SyncResult.Source), app.Status.OperationState.Phase
+}
+
+func (ctrl *ApplicationController) shouldSelfHeal(app *appv1.Application) (bool, time.Duration) {
+	if app.Status.OperationState == nil {
+		return true, time.Duration(0)
+	}
+
+	var retryAfter time.Duration
+	if app.Status.OperationState.FinishedAt == nil {
+		retryAfter = ctrl.selfHealTimeout
+	} else {
+		retryAfter = ctrl.selfHealTimeout - time.Since(app.Status.OperationState.FinishedAt.Time)
+	}
+	return retryAfter <= 0, retryAfter
 }
 
 func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.SharedIndexInformer, applisters.ApplicationLister) {
@@ -929,7 +1032,7 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 				if oldOK && newOK {
 					if toggledAutomatedSync(oldApp, newApp) {
 						log.WithField("application", newApp.Name).Info("Enabled automated sync")
-						ctrl.requestAppRefresh(newApp.Name, true)
+						ctrl.requestAppRefresh(newApp.Name, CompareWithLatest)
 					}
 				}
 				ctrl.appRefreshQueue.Add(key)
@@ -965,45 +1068,3 @@ func toggledAutomatedSync(old *appv1.Application, new *appv1.Application) bool {
 	// nothing changed
 	return false
 }
-
-func (ctrl *ApplicationController) watchSettings(ctx context.Context) {
-	updateCh := make(chan *settings_util.ArgoCDSettings, 1)
-	ctrl.settingsMgr.Subscribe(updateCh)
-	prevAppLabelKey := ctrl.settings.GetAppInstanceLabelKey()
-	prevResourceExclusions := ctrl.settings.ResourceExclusions
-	prevResourceInclusions := ctrl.settings.ResourceInclusions
-	prevConfigManagementPlugins := ctrl.settings.ConfigManagementPlugins
-	done := false
-	for !done {
-		select {
-		case newSettings := <-updateCh:
-			newAppLabelKey := newSettings.GetAppInstanceLabelKey()
-			*ctrl.settings = *newSettings
-			if prevAppLabelKey != newAppLabelKey {
-				log.Infof("label key changed: %s -> %s", prevAppLabelKey, newAppLabelKey)
-				ctrl.stateCache.Invalidate()
-				prevAppLabelKey = newAppLabelKey
-			}
-			if !reflect.DeepEqual(prevResourceExclusions, newSettings.ResourceExclusions) {
-				log.WithFields(log.Fields{"prevResourceExclusions": prevResourceExclusions, "newResourceExclusions": newSettings.ResourceExclusions}).Info("resource exclusions modified")
-				ctrl.stateCache.Invalidate()
-				prevResourceExclusions = newSettings.ResourceExclusions
-			}
-			if !reflect.DeepEqual(prevResourceInclusions, newSettings.ResourceInclusions) {
-				log.WithFields(log.Fields{"prevResourceInclusions": prevResourceInclusions, "newResourceInclusions": newSettings.ResourceInclusions}).Info("resource inclusions modified")
-				ctrl.stateCache.Invalidate()
-				prevResourceInclusions = newSettings.ResourceInclusions
-			}
-			if !reflect.DeepEqual(prevConfigManagementPlugins, newSettings.ConfigManagementPlugins) {
-				log.WithFields(log.Fields{"prevConfigManagementPlugins": prevConfigManagementPlugins, "newConfigManagementPlugins": newSettings.ConfigManagementPlugins}).Info("config management plugins modified")
-				ctrl.stateCache.Invalidate()
-				prevConfigManagementPlugins = newSettings.ConfigManagementPlugins
-			}
-		case <-ctx.Done():
-			done = true
-		}
-	}
-	log.Info("shutting down settings watch")
-	ctrl.settingsMgr.Unsubscribe(updateCh)
-	close(updateCh)
-}

controller/appcontroller_test.go

@@ -22,9 +22,9 @@ import (
 	mockstatecache "github.com/argoproj/argo-cd/controller/cache/mocks"
 	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/fake"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
+	mockrepoclient "github.com/argoproj/argo-cd/reposerver/apiclient/mocks"
 	mockreposerver "github.com/argoproj/argo-cd/reposerver/mocks"
-	"github.com/argoproj/argo-cd/reposerver/repository"
-	mockrepoclient "github.com/argoproj/argo-cd/reposerver/repository/mocks"
 	"github.com/argoproj/argo-cd/test"
 	utilcache "github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/kube"
@@ -33,8 +33,9 @@ import (
 
 type fakeData struct {
 	apps             []runtime.Object
-	manifestResponse *repository.ManifestResponse
+	manifestResponse *apiclient.ManifestResponse
 	managedLiveObjs  map[kube.ResourceKey]*unstructured.Unstructured
+	configMapData    map[string]string
 }
 
 func newFakeController(data *fakeData) *ApplicationController {
@@ -64,8 +65,11 @@ func newFakeController(data *fakeData) *ApplicationController {
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "argocd-cm",
 			Namespace: test.FakeArgoCDNamespace,
+			Labels: map[string]string{
+				"app.kubernetes.io/part-of": "argocd",
+			},
 		},
-		Data: nil,
+		Data: data.configMapData,
 	}
 	kubeClient := fake.NewSimpleClientset(&clust, &cm, &secret)
 	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, test.FakeArgoCDNamespace)
@@ -77,7 +81,9 @@ func newFakeController(data *fakeData) *ApplicationController {
 		&mockRepoClientset,
 		utilcache.NewCache(utilcache.NewInMemoryCache(1*time.Hour)),
 		time.Minute,
+		time.Minute,
 		common.DefaultPortArgoCDMetrics,
+		0,
 	)
 	if err != nil {
 		panic(err)
@@ -176,7 +182,7 @@ func TestAutoSync(t *testing.T) {
 		Status:   argoappv1.SyncStatusCodeOutOfSync,
 		Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
 	}
-	cond := ctrl.autoSync(app, &syncStatus)
+	cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 	assert.Nil(t, cond)
 	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 	assert.NoError(t, err)
@@ -195,7 +201,7 @@ func TestSkipAutoSync(t *testing.T) {
 			Status:   argoappv1.SyncStatusCodeOutOfSync,
 			Revision: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 		}
-		cond := ctrl.autoSync(app, &syncStatus)
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 		assert.Nil(t, cond)
 		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 		assert.NoError(t, err)
@@ -210,7 +216,7 @@ func TestSkipAutoSync(t *testing.T) {
 			Status:   argoappv1.SyncStatusCodeSynced,
 			Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
 		}
-		cond := ctrl.autoSync(app, &syncStatus)
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 		assert.Nil(t, cond)
 		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 		assert.NoError(t, err)
@@ -226,7 +232,7 @@ func TestSkipAutoSync(t *testing.T) {
 			Status:   argoappv1.SyncStatusCodeOutOfSync,
 			Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
 		}
-		cond := ctrl.autoSync(app, &syncStatus)
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 		assert.Nil(t, cond)
 		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 		assert.NoError(t, err)
@@ -243,7 +249,7 @@ func TestSkipAutoSync(t *testing.T) {
 			Status:   argoappv1.SyncStatusCodeOutOfSync,
 			Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
 		}
-		cond := ctrl.autoSync(app, &syncStatus)
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 		assert.Nil(t, cond)
 		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 		assert.NoError(t, err)
@@ -269,7 +275,7 @@ func TestSkipAutoSync(t *testing.T) {
 			Status:   argoappv1.SyncStatusCodeOutOfSync,
 			Revision: "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
 		}
-		cond := ctrl.autoSync(app, &syncStatus)
+		cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 		assert.NotNil(t, cond)
 		app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 		assert.NoError(t, err)
@@ -305,7 +311,7 @@ func TestAutoSyncIndicateError(t *testing.T) {
 			Source:   *app.Spec.Source.DeepCopy(),
 		},
 	}
-	cond := ctrl.autoSync(app, &syncStatus)
+	cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 	assert.NotNil(t, cond)
 	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 	assert.NoError(t, err)
@@ -348,7 +354,7 @@ func TestAutoSyncParameterOverrides(t *testing.T) {
 			Revision: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 		},
 	}
-	cond := ctrl.autoSync(app, &syncStatus)
+	cond := ctrl.autoSync(app, &syncStatus, []argoappv1.ResourceStatus{})
 	assert.Nil(t, cond)
 	app, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(test.FakeArgoCDNamespace).Get("my-app", metav1.GetOptions{})
 	assert.NoError(t, err)
@@ -402,7 +408,7 @@ func TestNormalizeApplication(t *testing.T) {
 	app.Spec.Source.Kustomize = &argoappv1.ApplicationSourceKustomize{NamePrefix: "foo-"}
 	data := fakeData{
 		apps: []runtime.Object{app, &defaultProj},
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -461,12 +467,14 @@ func TestHandleAppUpdated(t *testing.T) {
 	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
 
 	ctrl.handleAppUpdated(app.Name, true, kube.GetObjectRef(kube.MustToUnstructured(app)))
-	isRequested, _ := ctrl.isRefreshRequested(app.Name)
+	isRequested, level := ctrl.isRefreshRequested(app.Name)
 	assert.False(t, isRequested)
+	assert.Equal(t, ComparisonWithNothing, level)
 
 	ctrl.handleAppUpdated(app.Name, true, corev1.ObjectReference{UID: "test", Kind: kube.DeploymentKind, Name: "test", Namespace: "default"})
-	isRequested, _ = ctrl.isRefreshRequested(app.Name)
+	isRequested, level = ctrl.isRefreshRequested(app.Name)
 	assert.True(t, isRequested)
+	assert.Equal(t, CompareWithRecent, level)
 }
 
 func TestSetOperationStateOnDeletedApp(t *testing.T) {
@@ -481,3 +489,65 @@ func TestSetOperationStateOnDeletedApp(t *testing.T) {
 	ctrl.setOperationState(newFakeApp(), &argoappv1.OperationState{Phase: argoappv1.OperationSucceeded})
 	assert.True(t, patched)
 }
+
+func TestNeedRefreshAppStatus(t *testing.T) {
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{}})
+
+	app := newFakeApp()
+	now := metav1.Now()
+	app.Status.ReconciledAt = &now
+	app.Status.Sync = argoappv1.SyncStatus{
+		Status: argoappv1.SyncStatusCodeSynced,
+		ComparedTo: argoappv1.ComparedTo{
+			Source:      app.Spec.Source,
+			Destination: app.Spec.Destination,
+		},
+	}
+
+	// no need to refresh just reconciled application
+	needRefresh, _, _ := ctrl.needRefreshAppStatus(app, 1*time.Hour)
+	assert.False(t, needRefresh)
+
+	// refresh app using the 'deepest' requested comparison level
+	ctrl.requestAppRefresh(app.Name, CompareWithRecent)
+	ctrl.requestAppRefresh(app.Name, ComparisonWithNothing)
+
+	needRefresh, refreshType, compareWith := ctrl.needRefreshAppStatus(app, 1*time.Hour)
+	assert.True(t, needRefresh)
+	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+	assert.Equal(t, CompareWithRecent, compareWith)
+
+	// refresh application which status is not reconciled using latest commit
+	app.Status.Sync = argoappv1.SyncStatus{Status: argoappv1.SyncStatusCodeUnknown}
+
+	needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
+	assert.True(t, needRefresh)
+	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+	assert.Equal(t, CompareWithLatest, compareWith)
+
+	{
+		// refresh app using the 'latest' level if comparison expired
+		app := app.DeepCopy()
+		ctrl.requestAppRefresh(app.Name, CompareWithRecent)
+		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+		app.Status.ReconciledAt = &reconciledAt
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Minute)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+		assert.Equal(t, CompareWithLatest, compareWith)
+	}
+
+	{
+		app := app.DeepCopy()
+		// execute hard refresh if app has refresh annotation
+		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+		app.Status.ReconciledAt = &reconciledAt
+		app.Annotations = map[string]string{
+			common.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
+		}
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
+		assert.Equal(t, CompareWithLatest, compareWith)
+	}
+}

controller/cache/cache.go

@@ -2,6 +2,7 @@ package cache
 
 import (
 	"context"
+	"reflect"
 	"sync"
 
 	log "github.com/sirupsen/logrus"
@@ -19,6 +20,12 @@ import (
 	"github.com/argoproj/argo-cd/util/settings"
 )
 
+type cacheSettings struct {
+	ResourceOverrides   map[string]appv1.ResourceOverride
+	AppInstanceLabelKey string
+	ResourcesFilter     *settings.ResourcesFilter
+}
+
 type LiveStateCache interface {
 	IsNamespaced(server string, obj *unstructured.Unstructured) (bool, error)
 	// Executes give callback against resource specified by the key and all its children
@@ -26,12 +33,12 @@ type LiveStateCache interface {
 	// Returns state of live nodes which correspond for target nodes of specified application.
 	GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error)
 	// Starts watching resources of each controlled cluster.
-	Run(ctx context.Context)
+	Run(ctx context.Context) error
 	// Invalidate invalidates the entire cluster state cache
 	Invalidate()
 }
 
-type AppUpdatedHandler = func(appName string, fullRefresh bool, ref v1.ObjectReference)
+type AppUpdatedHandler = func(appName string, isManagedResource bool, ref v1.ObjectReference)
 
 func GetTargetObjKey(a *appv1.Application, un *unstructured.Unstructured, isNamespaced bool) kube.ResourceKey {
 	key := kube.GetResourceKey(un)
@@ -47,32 +54,51 @@ func GetTargetObjKey(a *appv1.Application, un *unstructured.Unstructured, isName
 func NewLiveStateCache(
 	db db.ArgoDB,
 	appInformer cache.SharedIndexInformer,
-	settings *settings.ArgoCDSettings,
+	settingsMgr *settings.SettingsManager,
 	kubectl kube.Kubectl,
 	metricsServer *metrics.MetricsServer,
 	onAppUpdated AppUpdatedHandler) LiveStateCache {
 
 	return &liveStateCache{
-		appInformer:   appInformer,
-		db:            db,
-		clusters:      make(map[string]*clusterInfo),
-		lock:          &sync.Mutex{},
-		onAppUpdated:  onAppUpdated,
-		kubectl:       kubectl,
-		settings:      settings,
-		metricsServer: metricsServer,
+		appInformer:       appInformer,
+		db:                db,
+		clusters:          make(map[string]*clusterInfo),
+		lock:              &sync.Mutex{},
+		onAppUpdated:      onAppUpdated,
+		kubectl:           kubectl,
+		settingsMgr:       settingsMgr,
+		metricsServer:     metricsServer,
+		cacheSettingsLock: &sync.Mutex{},
 	}
 }
 
 type liveStateCache struct {
-	db            db.ArgoDB
-	clusters      map[string]*clusterInfo
-	lock          *sync.Mutex
-	appInformer   cache.SharedIndexInformer
-	onAppUpdated  AppUpdatedHandler
-	kubectl       kube.Kubectl
-	settings      *settings.ArgoCDSettings
-	metricsServer *metrics.MetricsServer
+	db                db.ArgoDB
+	clusters          map[string]*clusterInfo
+	lock              *sync.Mutex
+	appInformer       cache.SharedIndexInformer
+	onAppUpdated      AppUpdatedHandler
+	kubectl           kube.Kubectl
+	settingsMgr       *settings.SettingsManager
+	metricsServer     *metrics.MetricsServer
+	cacheSettingsLock *sync.Mutex
+	cacheSettings     *cacheSettings
+}
+
+func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
+	appInstanceLabelKey, err := c.settingsMgr.GetAppInstanceLabelKey()
+	if err != nil {
+		return nil, err
+	}
+	resourcesFilter, err := c.settingsMgr.GetResourcesFilter()
+	if err != nil {
+		return nil, err
+	}
+	resourceOverrides, err := c.settingsMgr.GetResourceOverrides()
+	if err != nil {
+		return nil, err
+	}
+	return &cacheSettings{AppInstanceLabelKey: appInstanceLabelKey, ResourceOverrides: resourceOverrides, ResourcesFilter: resourcesFilter}, nil
 }
 
 func (c *liveStateCache) getCluster(server string) (*clusterInfo, error) {
@@ -85,17 +111,17 @@ func (c *liveStateCache) getCluster(server string) (*clusterInfo, error) {
 			return nil, err
 		}
 		info = &clusterInfo{
-			apisMeta:     make(map[schema.GroupKind]*apiMeta),
-			lock:         &sync.Mutex{},
-			nodes:        make(map[kube.ResourceKey]*node),
-			nsIndex:      make(map[string]map[kube.ResourceKey]*node),
-			onAppUpdated: c.onAppUpdated,
-			kubectl:      c.kubectl,
-			cluster:      cluster,
-			syncTime:     nil,
-			syncLock:     &sync.Mutex{},
-			log:          log.WithField("server", cluster.Server),
-			settings:     c.settings,
+			apisMeta:         make(map[schema.GroupKind]*apiMeta),
+			lock:             &sync.Mutex{},
+			nodes:            make(map[kube.ResourceKey]*node),
+			nsIndex:          make(map[string]map[kube.ResourceKey]*node),
+			onAppUpdated:     c.onAppUpdated,
+			kubectl:          c.kubectl,
+			cluster:          cluster,
+			syncTime:         nil,
+			syncLock:         &sync.Mutex{},
+			log:              log.WithField("server", cluster.Server),
+			cacheSettingsSrc: c.getCacheSettings,
 		}
 
 		c.clusters[cluster.Server] = info
@@ -161,8 +187,55 @@ func isClusterHasApps(apps []interface{}, cluster *appv1.Cluster) bool {
 	return false
 }
 
+func (c *liveStateCache) getCacheSettings() *cacheSettings {
+	c.cacheSettingsLock.Lock()
+	defer c.cacheSettingsLock.Unlock()
+	return c.cacheSettings
+}
+
+func (c *liveStateCache) watchSettings(ctx context.Context) {
+	updateCh := make(chan *settings.ArgoCDSettings, 1)
+	c.settingsMgr.Subscribe(updateCh)
+
+	done := false
+	for !done {
+		select {
+		case <-updateCh:
+			nextCacheSettings, err := c.loadCacheSettings()
+			if err != nil {
+				log.Warnf("Failed to read updated settings: %v", err)
+				continue
+			}
+
+			c.cacheSettingsLock.Lock()
+			needInvalidate := false
+			if !reflect.DeepEqual(c.cacheSettings, nextCacheSettings) {
+				c.cacheSettings = nextCacheSettings
+				needInvalidate = true
+			}
+			c.cacheSettingsLock.Unlock()
+			if needInvalidate {
+				c.Invalidate()
+			}
+		case <-ctx.Done():
+			done = true
+		}
+	}
+	log.Info("shutting down settings watch")
+	c.settingsMgr.Unsubscribe(updateCh)
+	close(updateCh)
+}
+
 // Run watches for resource changes annotated with application label on all registered clusters and schedule corresponding app refresh.
-func (c *liveStateCache) Run(ctx context.Context) {
+func (c *liveStateCache) Run(ctx context.Context) error {
+	cacheSettings, err := c.loadCacheSettings()
+	if err != nil {
+		return err
+	}
+	c.cacheSettings = cacheSettings
+
+	go c.watchSettings(ctx)
+
 	util.RetryUntilSucceed(func() error {
 		clusterEventCallback := func(event *db.ClusterEvent) {
 			c.lock.Lock()
@@ -188,4 +261,5 @@ func (c *liveStateCache) Run(ctx context.Context) {
 	}, "watch clusters", ctx, clusterRetryTimeout)
 
 	<-ctx.Done()
+	return nil
 }

controller/cache/cluster.go

@@ -24,7 +24,6 @@ import (
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/health"
 	"github.com/argoproj/argo-cd/util/kube"
-	"github.com/argoproj/argo-cd/util/settings"
 )
 
 const (
@@ -49,11 +48,11 @@ type clusterInfo struct {
 	nodes   map[kube.ResourceKey]*node
 	nsIndex map[string]map[kube.ResourceKey]*node
 
-	onAppUpdated AppUpdatedHandler
-	kubectl      kube.Kubectl
-	cluster      *appv1.Cluster
-	log          *log.Entry
-	settings     *settings.ArgoCDSettings
+	onAppUpdated     AppUpdatedHandler
+	kubectl          kube.Kubectl
+	cluster          *appv1.Cluster
+	log              *log.Entry
+	cacheSettingsSrc func() *cacheSettings
 }
 
 func (c *clusterInfo) replaceResourceCache(gk schema.GroupKind, resourceVersion string, objs []unstructured.Unstructured) {
@@ -93,7 +92,7 @@ func (c *clusterInfo) createObjInfo(un *unstructured.Unstructured, appInstanceLa
 		ownerRefs = append(ownerRefs, metav1.OwnerReference{
 			Name:       un.GetName(),
 			Kind:       kube.ServiceKind,
-			APIVersion: "",
+			APIVersion: "v1",
 		})
 	}
 	nodeInfo := &node{
@@ -107,7 +106,7 @@ func (c *clusterInfo) createObjInfo(un *unstructured.Unstructured, appInstanceLa
 		nodeInfo.appName = appName
 		nodeInfo.resource = un
 	}
-	nodeInfo.health, _ = health.GetResourceHealth(un, c.settings.ResourceOverrides)
+	nodeInfo.health, _ = health.GetResourceHealth(un, c.cacheSettingsSrc().ResourceOverrides)
 	return nodeInfo
 }
 
@@ -166,7 +165,7 @@ func (c *clusterInfo) stopWatching(gk schema.GroupKind) {
 // startMissingWatches lists supported cluster resources and start watching for changes unless watch is already running
 func (c *clusterInfo) startMissingWatches() error {
 
-	apis, err := c.kubectl.GetAPIResources(c.cluster.RESTConfig(), c.settings)
+	apis, err := c.kubectl.GetAPIResources(c.cluster.RESTConfig(), c.cacheSettingsSrc().ResourcesFilter)
 	if err != nil {
 		return err
 	}
@@ -238,12 +237,7 @@ func (c *clusterInfo) watchEvents(ctx context.Context, api kube.APIResourceInfo,
 				if ok {
 					obj := event.Object.(*unstructured.Unstructured)
 					info.resourceVersion = obj.GetResourceVersion()
-					err = c.processEvent(event.Type, obj)
-					if err != nil {
-						log.Warnf("Failed to process event %s %s/%s/%s: %v", event.Type, obj.GroupVersionKind(), obj.GetNamespace(), obj.GetName(), err)
-						continue
-					}
-
+					c.processEvent(event.Type, obj)
 					if kube.IsCRD(obj) {
 						if event.Type == watch.Deleted {
 							group, groupOk, groupErr := unstructured.NestedString(obj.Object, "spec", "group")
@@ -282,7 +276,7 @@ func (c *clusterInfo) sync() (err error) {
 	c.apisMeta = make(map[schema.GroupKind]*apiMeta)
 	c.nodes = make(map[kube.ResourceKey]*node)
 
-	apis, err := c.kubectl.GetAPIResources(c.cluster.RESTConfig(), c.settings)
+	apis, err := c.kubectl.GetAPIResources(c.cluster.RESTConfig(), c.cacheSettingsSrc().ResourcesFilter)
 	if err != nil {
 		return err
 	}
@@ -296,7 +290,7 @@ func (c *clusterInfo) sync() (err error) {
 
 		lock.Lock()
 		for i := range list.Items {
-			c.setNode(c.createObjInfo(&list.Items[i], c.settings.GetAppInstanceLabelKey()))
+			c.setNode(c.createObjInfo(&list.Items[i], c.cacheSettingsSrc().AppInstanceLabelKey))
 		}
 		lock.Unlock()
 		return nil
@@ -358,7 +352,7 @@ func (c *clusterInfo) iterateHierarchy(obj *unstructured.Unstructured, action fu
 			}
 		}
 	} else {
-		action(c.createObjInfo(obj, c.settings.GetAppInstanceLabelKey()).asResourceNode())
+		action(c.createObjInfo(obj, c.cacheSettingsSrc().AppInstanceLabelKey).asResourceNode())
 	}
 }
 
@@ -445,7 +439,7 @@ func (c *clusterInfo) getManagedLiveObjs(a *appv1.Application, targetObjs []*uns
 	return managedObjs, nil
 }
 
-func (c *clusterInfo) processEvent(event watch.EventType, un *unstructured.Unstructured) error {
+func (c *clusterInfo) processEvent(event watch.EventType, un *unstructured.Unstructured) {
 	c.lock.Lock()
 	defer c.lock.Unlock()
 	key := kube.GetResourceKey(un)
@@ -457,8 +451,6 @@ func (c *clusterInfo) processEvent(event watch.EventType, un *unstructured.Unstr
 	} else if event != watch.Deleted {
 		c.onNodeUpdated(exists, existingNode, un, key)
 	}
-
-	return nil
 }
 
 func (c *clusterInfo) onNodeUpdated(exists bool, existingNode *node, un *unstructured.Unstructured, key kube.ResourceKey) {
@@ -466,7 +458,7 @@ func (c *clusterInfo) onNodeUpdated(exists bool, existingNode *node, un *unstruc
 	if exists {
 		nodes = append(nodes, existingNode)
 	}
-	newObj := c.createObjInfo(un, c.settings.GetAppInstanceLabelKey())
+	newObj := c.createObjInfo(un, c.cacheSettingsSrc().AppInstanceLabelKey)
 	c.setNode(newObj)
 	nodes = append(nodes, newObj)
 	toNotify := make(map[string]bool)
@@ -480,8 +472,8 @@ func (c *clusterInfo) onNodeUpdated(exists bool, existingNode *node, un *unstruc
 			toNotify[app] = n.isRootAppNode() || toNotify[app]
 		}
 	}
-	for name, full := range toNotify {
-		c.onAppUpdated(name, full, newObj.ref)
+	for name, isRootAppNode := range toNotify {
+		c.onAppUpdated(name, isRootAppNode, newObj.ref)
 	}
 }
 

controller/cache/cluster_test.go

@@ -18,11 +18,11 @@ import (
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/dynamic/fake"
 
+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/errors"
 	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/util/kube"
 	"github.com/argoproj/argo-cd/util/kube/kubetest"
-	"github.com/argoproj/argo-cd/util/settings"
 )
 
 func strToUnstructured(jsonStr string) *unstructured.Unstructured {
@@ -60,6 +60,8 @@ var (
     uid: "2"
     name: helm-guestbook-rs
     namespace: default
+    annotations:
+      deployment.kubernetes.io/revision: "2"
     ownerReferences:
     - apiVersion: apps/v1beta1
       kind: Deployment
@@ -85,6 +87,7 @@ var (
     name: helm-guestbook
     namespace: default
     resourceVersion: "123"
+    uid: "4"
   spec:
     selector:
       app: guestbook
@@ -100,6 +103,7 @@ var (
   metadata:
     name: helm-guestbook
     namespace: default
+    uid: "4"
   spec:
     backend:
       serviceName: not-found-service
@@ -144,7 +148,7 @@ func newCluster(objs ...*unstructured.Unstructured) *clusterInfo {
 		Meta:      metav1.APIResource{Namespaced: true},
 	}}
 
-	return newClusterExt(kubetest.MockKubectlCmd{APIResources: apiResources})
+	return newClusterExt(&kubetest.MockKubectlCmd{APIResources: apiResources})
 }
 
 func newClusterExt(kubectl kube.Kubectl) *clusterInfo {
@@ -159,7 +163,9 @@ func newClusterExt(kubectl kube.Kubectl) *clusterInfo {
 		syncLock:     &sync.Mutex{},
 		apisMeta:     make(map[schema.GroupKind]*apiMeta),
 		log:          log.WithField("cluster", "test"),
-		settings:     &settings.ArgoCDSettings{},
+		cacheSettingsSrc: func() *cacheSettings {
+			return &cacheSettings{AppInstanceLabelKey: common.LabelKeyAppInstance}
+		},
 	}
 }
 
@@ -212,7 +218,7 @@ func TestGetChildren(t *testing.T) {
 		},
 		ResourceVersion: "123",
 		Health:          &appv1.HealthStatus{Status: appv1.HealthStatusHealthy},
-		Info:            []appv1.InfoItem{},
+		Info:            []appv1.InfoItem{{Name: "Revision", Value: "Rev:2"}},
 		ParentRefs:      []appv1.ResourceRef{{Group: "apps", Version: "", Kind: "Deployment", Namespace: "default", Name: "helm-guestbook", UID: "3"}},
 	}}, rsChildren...), deployChildren)
 }
@@ -249,8 +255,7 @@ func TestChildDeletedEvent(t *testing.T) {
 	err := cluster.ensureSynced()
 	assert.Nil(t, err)
 
-	err = cluster.processEvent(watch.Deleted, testPod)
-	assert.Nil(t, err)
+	cluster.processEvent(watch.Deleted, testPod)
 
 	rsChildren := getChildren(cluster, testRS)
 	assert.Equal(t, []appv1.ResourceNode{}, rsChildren)
@@ -275,8 +280,7 @@ func TestProcessNewChildEvent(t *testing.T) {
       uid: "2"
     resourceVersion: "123"`)
 
-	err = cluster.processEvent(watch.Added, newPod)
-	assert.Nil(t, err)
+	cluster.processEvent(watch.Added, newPod)
 
 	rsChildren := getChildren(cluster, testRS)
 	sort.Slice(rsChildren, func(i, j int) bool {
@@ -357,8 +361,7 @@ func TestUpdateResourceTags(t *testing.T) {
 			},
 		}},
 	}
-	err = cluster.processEvent(watch.Modified, mustToUnstructured(pod))
-	assert.Nil(t, err)
+	cluster.processEvent(watch.Modified, mustToUnstructured(pod))
 
 	podNode = cluster.nodes[kube.GetResourceKey(mustToUnstructured(pod))]
 
@@ -376,8 +379,7 @@ func TestUpdateAppResource(t *testing.T) {
 	err := cluster.ensureSynced()
 	assert.Nil(t, err)
 
-	err = cluster.processEvent(watch.Modified, mustToUnstructured(testPod))
-	assert.Nil(t, err)
+	cluster.processEvent(watch.Modified, mustToUnstructured(testPod))
 
 	assert.Contains(t, updatesReceived, "helm-guestbook: false")
 }

controller/cache/info.go

@@ -11,11 +11,16 @@ import (
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/resource"
 )
 
 func populateNodeInfo(un *unstructured.Unstructured, node *node) {
 
 	gvk := un.GroupVersionKind()
+	revision := resource.GetRevision(un)
+	if revision > 0 {
+		node.info = append(node.info, v1alpha1.InfoItem{Name: "Revision", Value: fmt.Sprintf("Rev:%v", revision)})
+	}
 	switch gvk.Group {
 	case "":
 		switch gvk.Kind {
@@ -33,7 +38,6 @@ func populateNodeInfo(un *unstructured.Unstructured, node *node) {
 			return
 		}
 	}
-	node.info = []v1alpha1.InfoItem{}
 }
 
 func getIngress(un *unstructured.Unstructured) []v1.LoadBalancerIngress {
@@ -149,7 +153,6 @@ func populatePodInfo(un *unstructured.Unstructured, node *node) {
 	pod := v1.Pod{}
 	err := runtime.DefaultUnstructuredConverter.FromUnstructured(un.Object, &pod)
 	if err != nil {
-		node.info = []v1alpha1.InfoItem{}
 		return
 	}
 	restarts := 0
@@ -237,7 +240,6 @@ func populatePodInfo(un *unstructured.Unstructured, node *node) {
 		reason = "Terminating"
 	}
 
-	node.info = make([]v1alpha1.InfoItem, 0)
 	if reason != "" {
 		node.info = append(node.info, v1alpha1.InfoItem{Name: "Status Reason", Value: reason})
 	}

controller/cache/mocks/LiveStateCache.go

@@ -77,6 +77,15 @@ func (_m *LiveStateCache) IterateHierarchy(server string, obj *unstructured.Unst
 }
 
 // Run provides a mock function with given fields: ctx
-func (_m *LiveStateCache) Run(ctx context.Context) {
-	_m.Called(ctx)
+func (_m *LiveStateCache) Run(ctx context.Context) error {
+	ret := _m.Called(ctx)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(context.Context) error); ok {
+		r0 = rf(ctx)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
 }

controller/cache/node.go

@@ -35,7 +35,15 @@ func (n *node) resourceKey() kube.ResourceKey {
 }
 
 func (n *node) isParentOf(child *node) bool {
-	for _, ownerRef := range child.ownerRefs {
+	for i, ownerRef := range child.ownerRefs {
+
+		// backfill UID of inferred owner child references
+		if ownerRef.UID == "" && n.ref.Kind == ownerRef.Kind && n.ref.APIVersion == ownerRef.APIVersion && n.ref.Name == ownerRef.Name {
+			ownerRef.UID = n.ref.UID
+			child.ownerRefs[i] = ownerRef
+			return true
+		}
+
 		if n.ref.UID == ownerRef.UID {
 			return true
 		}

controller/cache/node_test.go

@@ -3,12 +3,14 @@ package cache
 import (
 	"testing"
 
-	"github.com/stretchr/testify/assert"
+	"github.com/argoproj/argo-cd/common"
 
-	"github.com/argoproj/argo-cd/util/settings"
+	"github.com/stretchr/testify/assert"
 )
 
-var c = &clusterInfo{settings: &settings.ArgoCDSettings{}}
+var c = &clusterInfo{cacheSettingsSrc: func() *cacheSettings {
+	return &cacheSettings{AppInstanceLabelKey: common.LabelKeyAppInstance}
+}}
 
 func TestIsParentOf(t *testing.T) {
 	child := c.createObjInfo(testPod, "")
@@ -28,3 +30,27 @@ func TestIsParentOfSameKindDifferentGroupAndUID(t *testing.T) {
 
 	assert.False(t, invalidParent.isParentOf(child))
 }
+
+func TestIsServiceParentOfEndPointWithTheSameName(t *testing.T) {
+	nonMatchingNameEndPoint := c.createObjInfo(strToUnstructured(`
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: not-matching-name
+  namespace: default
+`), "")
+
+	matchingNameEndPoint := c.createObjInfo(strToUnstructured(`
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: helm-guestbook
+  namespace: default
+`), "")
+
+	parent := c.createObjInfo(testService, "")
+
+	assert.True(t, parent.isParentOf(matchingNameEndPoint))
+	assert.Equal(t, parent.ref.UID, matchingNameEndPoint.ownerRefs[0].UID)
+	assert.False(t, parent.isParentOf(nonMatchingNameEndPoint))
+}

controller/metrics/metrics.go

@@ -13,13 +13,16 @@ import (
 	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	applister "github.com/argoproj/argo-cd/pkg/client/listers/application/v1alpha1"
 	"github.com/argoproj/argo-cd/util/git"
+	"github.com/argoproj/argo-cd/util/healthz"
 )
 
 type MetricsServer struct {
 	*http.Server
-	syncCounter        *prometheus.CounterVec
-	k8sRequestCounter  *prometheus.CounterVec
-	reconcileHistogram *prometheus.HistogramVec
+	syncCounter             *prometheus.CounterVec
+	k8sRequestCounter       *prometheus.CounterVec
+	kubectlExecCounter      *prometheus.CounterVec
+	kubectlExecPendingGauge *prometheus.GaugeVec
+	reconcileHistogram      *prometheus.HistogramVec
 }
 
 const (
@@ -59,12 +62,13 @@ var (
 )
 
 // NewMetricsServer returns a new prometheus server which collects application metrics
-func NewMetricsServer(addr string, appLister applister.ApplicationLister) *MetricsServer {
+func NewMetricsServer(addr string, appLister applister.ApplicationLister, healthCheck func() error) *MetricsServer {
 	mux := http.NewServeMux()
 	appRegistry := NewAppRegistry(appLister)
 	appRegistry.MustRegister(prometheus.NewProcessCollector(prometheus.ProcessCollectorOpts{}))
 	appRegistry.MustRegister(prometheus.NewGoCollector())
 	mux.Handle(MetricsPath, promhttp.HandlerFor(appRegistry, promhttp.HandlerOpts{}))
+	healthz.ServeHealthCheck(mux, healthCheck)
 
 	syncCounter := prometheus.NewCounterVec(
 		prometheus.CounterOpts{
@@ -74,6 +78,16 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister) *Metri
 		append(descAppDefaultLabels, "phase"),
 	)
 	appRegistry.MustRegister(syncCounter)
+	kubectlExecCounter := prometheus.NewCounterVec(prometheus.CounterOpts{
+		Name: "argocd_kubectl_exec_total",
+		Help: "Number of kubectl executions",
+	}, []string{"command"})
+	appRegistry.MustRegister(kubectlExecCounter)
+	kubectlExecPendingGauge := prometheus.NewGaugeVec(prometheus.GaugeOpts{
+		Name: "argocd_kubectl_exec_pending",
+		Help: "Number of pending kubectl executions",
+	}, []string{"command"})
+	appRegistry.MustRegister(kubectlExecPendingGauge)
 	k8sRequestCounter := prometheus.NewCounterVec(
 		prometheus.CounterOpts{
 			Name: "argocd_app_k8s_request_total",
@@ -100,9 +114,11 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister) *Metri
 			Addr:    addr,
 			Handler: mux,
 		},
-		syncCounter:        syncCounter,
-		k8sRequestCounter:  k8sRequestCounter,
-		reconcileHistogram: reconcileHistogram,
+		syncCounter:             syncCounter,
+		k8sRequestCounter:       k8sRequestCounter,
+		reconcileHistogram:      reconcileHistogram,
+		kubectlExecCounter:      kubectlExecCounter,
+		kubectlExecPendingGauge: kubectlExecPendingGauge,
 	}
 }
 
@@ -124,6 +140,18 @@ func (m *MetricsServer) IncReconcile(app *argoappv1.Application, duration time.D
 	m.reconcileHistogram.WithLabelValues(app.Namespace, app.Name, app.Spec.GetProject()).Observe(duration.Seconds())
 }
 
+func (m *MetricsServer) IncKubectlExec(command string) {
+	m.kubectlExecCounter.WithLabelValues(command).Inc()
+}
+
+func (m *MetricsServer) IncKubectlExecPending(command string) {
+	m.kubectlExecPendingGauge.WithLabelValues(command).Inc()
+}
+
+func (m *MetricsServer) DecKubectlExecPending(command string) {
+	m.kubectlExecPendingGauge.WithLabelValues(command).Dec()
+}
+
 type appCollector struct {
 	store applister.ApplicationLister
 }

controller/metrics/metrics_test.go

@@ -104,6 +104,10 @@ argocd_app_sync_status{name="my-app",namespace="argocd",project="default",sync_s
 argocd_app_sync_status{name="my-app",namespace="argocd",project="default",sync_status="Unknown"} 0
 `
 
+var noOpHealthCheck = func() error {
+	return nil
+}
+
 func newFakeApp(fakeApp string) *argoappv1.Application {
 	var app argoappv1.Application
 	err := yaml.Unmarshal([]byte(fakeApp), &app)
@@ -133,7 +137,7 @@ func newFakeLister(fakeApp ...string) (context.CancelFunc, applister.Application
 func testApp(t *testing.T, fakeApp string, expectedResponse string) {
 	cancel, appLister := newFakeLister(fakeApp)
 	defer cancel()
-	metricsServ := NewMetricsServer("localhost:8082", appLister)
+	metricsServ := NewMetricsServer("localhost:8082", appLister, noOpHealthCheck)
 	req, err := http.NewRequest("GET", "/metrics", nil)
 	assert.NoError(t, err)
 	rr := httptest.NewRecorder()
@@ -176,7 +180,7 @@ argocd_app_sync_total{name="my-app",namespace="argocd",phase="Succeeded",project
 func TestMetricsSyncCounter(t *testing.T) {
 	cancel, appLister := newFakeLister()
 	defer cancel()
-	metricsServ := NewMetricsServer("localhost:8082", appLister)
+	metricsServ := NewMetricsServer("localhost:8082", appLister, noOpHealthCheck)
 
 	fakeApp := newFakeApp(fakeApp)
 	metricsServ.IncSync(fakeApp, &argoappv1.OperationState{Phase: argoappv1.OperationRunning})
@@ -217,7 +221,7 @@ argocd_app_reconcile_count{name="my-app",namespace="argocd",project="important-p
 func TestReconcileMetrics(t *testing.T) {
 	cancel, appLister := newFakeLister()
 	defer cancel()
-	metricsServ := NewMetricsServer("localhost:8082", appLister)
+	metricsServ := NewMetricsServer("localhost:8082", appLister, noOpHealthCheck)
 
 	fakeApp := newFakeApp(fakeApp)
 	metricsServ.IncReconcile(fakeApp, 5*time.Second)

controller/state.go

@@ -18,8 +18,7 @@ import (
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/reposerver"
-	"github.com/argoproj/argo-cd/reposerver/repository"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/argo"
 	"github.com/argoproj/argo-cd/util/db"
@@ -57,7 +56,7 @@ type ResourceInfoProvider interface {
 
 // AppStateManager defines methods which allow to compare application spec and actual application state.
 type AppStateManager interface {
-	CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool) (*comparisonResult, error)
+	CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool, localObjects []string) *comparisonResult
 	SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState)
 }
 
@@ -77,16 +76,16 @@ type comparisonResult struct {
 type appStateManager struct {
 	metricsServer  *metrics.MetricsServer
 	db             db.ArgoDB
-	settings       *settings.ArgoCDSettings
+	settingsMgr    *settings.SettingsManager
 	appclientset   appclientset.Interface
 	projInformer   cache.SharedIndexInformer
 	kubectl        kubeutil.Kubectl
-	repoClientset  reposerver.Clientset
+	repoClientset  apiclient.Clientset
 	liveStateCache statecache.LiveStateCache
 	namespace      string
 }
 
-func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1.ApplicationSource, appLabelKey, revision string, noCache bool) ([]*unstructured.Unstructured, []*unstructured.Unstructured, *repository.ManifestResponse, error) {
+func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1.ApplicationSource, appLabelKey, revision string, noCache bool) ([]*unstructured.Unstructured, []*unstructured.Unstructured, *apiclient.ManifestResponse, error) {
 	helmRepos, err := m.db.ListHelmRepos(context.Background())
 	if err != nil {
 		return nil, nil, nil, err
@@ -105,12 +104,21 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1
 		revision = source.TargetRevision
 	}
 
-	tools := make([]*appv1.ConfigManagementPlugin, len(m.settings.ConfigManagementPlugins))
-	for i := range m.settings.ConfigManagementPlugins {
-		tools[i] = &m.settings.ConfigManagementPlugins[i]
+	plugins, err := m.settingsMgr.GetConfigManagementPlugins()
+	if err != nil {
+		return nil, nil, nil, err
 	}
 
-	manifestInfo, err := repoClient.GenerateManifest(context.Background(), &repository.ManifestRequest{
+	tools := make([]*appv1.ConfigManagementPlugin, len(plugins))
+	for i := range plugins {
+		tools[i] = &plugins[i]
+	}
+
+	buildOptions, err := m.settingsMgr.GetKustomizeBuildOptions()
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	manifestInfo, err := repoClient.GenerateManifest(context.Background(), &apiclient.ManifestRequest{
 		Repo:              repo,
 		HelmRepos:         helmRepos,
 		Revision:          revision,
@@ -120,17 +128,27 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1
 		Namespace:         app.Spec.Destination.Namespace,
 		ApplicationSource: &source,
 		Plugins:           tools,
+		KustomizeOptions: &appv1.KustomizeOptions{
+			BuildOptions: buildOptions,
+		},
 	})
 	if err != nil {
 		return nil, nil, nil, err
 	}
+	targetObjs, hooks, err := unmarshalManifests(manifestInfo.Manifests)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+	return targetObjs, hooks, manifestInfo, nil
+}
 
+func unmarshalManifests(manifests []string) ([]*unstructured.Unstructured, []*unstructured.Unstructured, error) {
 	targetObjs := make([]*unstructured.Unstructured, 0)
 	hooks := make([]*unstructured.Unstructured, 0)
-	for _, manifest := range manifestInfo.Manifests {
+	for _, manifest := range manifests {
 		obj, err := v1alpha1.UnmarshalToUnstructured(manifest)
 		if err != nil {
-			return nil, nil, nil, err
+			return nil, nil, err
 		}
 		if resource.Ignore(obj) {
 			continue
@@ -141,7 +159,7 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1
 			targetObjs = append(targetObjs, obj)
 		}
 	}
-	return targetObjs, hooks, manifestInfo, nil
+	return targetObjs, hooks, nil
 }
 
 func DeduplicateTargetObjects(
@@ -217,32 +235,92 @@ func dedupLiveResources(targetObjs []*unstructured.Unstructured, liveObjsByKey m
 	}
 }
 
+func (m *appStateManager) getComparisonSettings(app *appv1.Application) (string, map[string]v1alpha1.ResourceOverride, diff.Normalizer, error) {
+	resourceOverrides, err := m.settingsMgr.GetResourceOverrides()
+	if err != nil {
+		return "", nil, nil, err
+	}
+	appLabelKey, err := m.settingsMgr.GetAppInstanceLabelKey()
+	if err != nil {
+		return "", nil, nil, err
+	}
+	diffNormalizer, err := argo.NewDiffNormalizer(app.Spec.IgnoreDifferences, resourceOverrides)
+	if err != nil {
+		return "", nil, nil, err
+	}
+	return appLabelKey, resourceOverrides, diffNormalizer, nil
+}
+
 // CompareAppState compares application git state to the live app state, using the specified
 // revision and supplied source. If revision or overrides are empty, then compares against
 // revision and overrides in the app spec.
-func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool) (*comparisonResult, error) {
-	diffNormalizer, err := argo.NewDiffNormalizer(app.Spec.IgnoreDifferences, m.settings.ResourceOverrides)
+func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool, localManifests []string) *comparisonResult {
+	reconciledAt := metav1.Now()
+	appLabelKey, resourceOverrides, diffNormalizer, err := m.getComparisonSettings(app)
+
+	// return unknown comparison result if basic comparison settings cannot be loaded
 	if err != nil {
-		return nil, err
+		return &comparisonResult{
+			reconciledAt: reconciledAt,
+			syncStatus: &v1alpha1.SyncStatus{
+				ComparedTo: appv1.ComparedTo{Source: source, Destination: app.Spec.Destination},
+				Status:     appv1.SyncStatusCodeUnknown,
+			},
+			healthStatus: &appv1.HealthStatus{Status: appv1.HealthStatusUnknown},
+		}
 	}
-	logCtx := log.WithField("application", app.Name)
-	logCtx.Infof("Comparing app state (cluster: %s, namespace: %s)", app.Spec.Destination.Server, app.Spec.Destination.Namespace)
-	observedAt := metav1.Now()
+
+	// do best effort loading live and target state to present as much information about app state as possible
 	failedToLoadObjs := false
 	conditions := make([]v1alpha1.ApplicationCondition, 0)
-	appLabelKey := m.settings.GetAppInstanceLabelKey()
-	targetObjs, hooks, manifestInfo, err := m.getRepoObjs(app, source, appLabelKey, revision, noCache)
-	if err != nil {
-		targetObjs = make([]*unstructured.Unstructured, 0)
-		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
-		failedToLoadObjs = true
+
+	logCtx := log.WithField("application", app.Name)
+	logCtx.Infof("Comparing app state (cluster: %s, namespace: %s)", app.Spec.Destination.Server, app.Spec.Destination.Namespace)
+
+	var targetObjs []*unstructured.Unstructured
+	var hooks []*unstructured.Unstructured
+	var manifestInfo *apiclient.ManifestResponse
+
+	if len(localManifests) == 0 {
+		targetObjs, hooks, manifestInfo, err = m.getRepoObjs(app, source, appLabelKey, revision, noCache)
+		if err != nil {
+			targetObjs = make([]*unstructured.Unstructured, 0)
+			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
+			failedToLoadObjs = true
+		}
+	} else {
+		targetObjs, hooks, err = unmarshalManifests(localManifests)
+		if err != nil {
+			targetObjs = make([]*unstructured.Unstructured, 0)
+			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
+			failedToLoadObjs = true
+		}
+		manifestInfo = nil
 	}
+
 	targetObjs, dedupConditions, err := DeduplicateTargetObjects(app.Spec.Destination.Server, app.Spec.Destination.Namespace, targetObjs, m.liveStateCache)
 	if err != nil {
 		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
 	}
 	conditions = append(conditions, dedupConditions...)
 
+	resFilter, err := m.settingsMgr.GetResourcesFilter()
+	if err != nil {
+		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
+	} else {
+		for i := len(targetObjs) - 1; i >= 0; i-- {
+			targetObj := targetObjs[i]
+			gvk := targetObj.GroupVersionKind()
+			if resFilter.IsExcludedResource(gvk.Group, gvk.Kind, app.Spec.Destination.Server) {
+				targetObjs = append(targetObjs[:i], targetObjs[i+1:]...)
+				conditions = append(conditions, v1alpha1.ApplicationCondition{
+					Type:    v1alpha1.ApplicationConditionExcludedResourceWarning,
+					Message: fmt.Sprintf("Resource %s/%s %s is excluded in the settings", gvk.Group, gvk.Kind, targetObj.GetName()),
+				})
+			}
+		}
+	}
+
 	logCtx.Debugf("Generated config manifests")
 	liveObjByKey, err := m.liveStateCache.GetManagedLiveObjs(app, targetObjs)
 	dedupLiveResources(targetObjs, liveObjByKey)
@@ -291,7 +369,9 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 	// Do the actual comparison
 	diffResults, err := diff.DiffArray(targetObjs, managedLiveObj, diffNormalizer)
 	if err != nil {
-		return nil, err
+		diffResults = &diff.DiffResultList{}
+		failedToLoadObjs = true
+		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
 	}
 
 	syncCode := v1alpha1.SyncStatusCodeSynced
@@ -309,12 +389,13 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 		gvk := obj.GroupVersionKind()
 
 		resState := v1alpha1.ResourceStatus{
-			Namespace: obj.GetNamespace(),
-			Name:      obj.GetName(),
-			Kind:      gvk.Kind,
-			Version:   gvk.Version,
-			Group:     gvk.Group,
-			Hook:      hookutil.IsHook(obj),
+			Namespace:       obj.GetNamespace(),
+			Name:            obj.GetName(),
+			Kind:            gvk.Kind,
+			Version:         gvk.Version,
+			Group:           gvk.Group,
+			Hook:            hookutil.IsHook(obj),
+			RequiresPruning: targetObj == nil && liveObj != nil,
 		}
 
 		diffResult := diffResults.Diffs[i]
@@ -362,7 +443,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 		syncStatus.Revision = manifestInfo.Revision
 	}
 
-	healthStatus, err := health.SetApplicationHealth(resourceSummaries, GetLiveObjs(managedResources), m.settings.ResourceOverrides, func(obj *unstructured.Unstructured) bool {
+	healthStatus, err := health.SetApplicationHealth(resourceSummaries, GetLiveObjs(managedResources), resourceOverrides, func(obj *unstructured.Unstructured) bool {
 		return !isSelfReferencedApp(app, kubeutil.GetObjectRef(obj))
 	})
 
@@ -371,7 +452,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 	}
 
 	compRes := comparisonResult{
-		reconciledAt:     observedAt,
+		reconciledAt:     reconciledAt,
 		syncStatus:       &syncStatus,
 		healthStatus:     healthStatus,
 		resources:        resourceSummaries,
@@ -383,7 +464,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 	if manifestInfo != nil {
 		compRes.appSourceType = v1alpha1.ApplicationSourceType(manifestInfo.SourceType)
 	}
-	return &compRes, nil
+	return &compRes
 }
 
 func (m *appStateManager) persistRevisionHistory(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource) error {
@@ -418,10 +499,10 @@ func (m *appStateManager) persistRevisionHistory(app *v1alpha1.Application, revi
 func NewAppStateManager(
 	db db.ArgoDB,
 	appclientset appclientset.Interface,
-	repoClientset reposerver.Clientset,
+	repoClientset apiclient.Clientset,
 	namespace string,
 	kubectl kubeutil.Kubectl,
-	settings *settings.ArgoCDSettings,
+	settingsMgr *settings.SettingsManager,
 	liveStateCache statecache.LiveStateCache,
 	projInformer cache.SharedIndexInformer,
 	metricsServer *metrics.MetricsServer,
@@ -433,7 +514,7 @@ func NewAppStateManager(
 		kubectl:        kubectl,
 		repoClientset:  repoClientset,
 		namespace:      namespace,
-		settings:       settings,
+		settingsMgr:    settingsMgr,
 		projInformer:   projInformer,
 		metricsServer:  metricsServer,
 	}

controller/state_test.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/argoproj/argo-cd/common"
 	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/reposerver/repository"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/test"
 	"github.com/argoproj/argo-cd/util/kube"
 )
@@ -21,7 +21,7 @@ import (
 func TestCompareAppStateEmpty(t *testing.T) {
 	app := newFakeApp()
 	data := fakeData{
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -30,8 +30,7 @@ func TestCompareAppStateEmpty(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
 	assert.Equal(t, 0, len(compRes.resources))
@@ -44,7 +43,7 @@ func TestCompareAppStateMissing(t *testing.T) {
 	app := newFakeApp()
 	data := fakeData{
 		apps: []runtime.Object{app},
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{string(test.PodManifest)},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -53,8 +52,7 @@ func TestCompareAppStateMissing(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeOutOfSync, compRes.syncStatus.Status)
 	assert.Equal(t, 1, len(compRes.resources))
@@ -69,7 +67,7 @@ func TestCompareAppStateExtra(t *testing.T) {
 	app := newFakeApp()
 	key := kube.ResourceKey{Group: "", Kind: "Pod", Namespace: test.FakeDestNamespace, Name: app.Name}
 	data := fakeData{
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -80,8 +78,7 @@ func TestCompareAppStateExtra(t *testing.T) {
 		},
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeOutOfSync, compRes.syncStatus.Status)
 	assert.Equal(t, 1, len(compRes.resources))
@@ -98,7 +95,7 @@ func TestCompareAppStateHook(t *testing.T) {
 	app := newFakeApp()
 	data := fakeData{
 		apps: []runtime.Object{app},
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{string(podBytes)},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -107,8 +104,7 @@ func TestCompareAppStateHook(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
 	assert.Equal(t, 0, len(compRes.resources))
@@ -124,7 +120,7 @@ func TestCompareAppStateCompareOptionIgnoreExtraneous(t *testing.T) {
 	app := newFakeApp()
 	data := fakeData{
 		apps: []runtime.Object{app},
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -134,9 +130,8 @@ func TestCompareAppStateCompareOptionIgnoreExtraneous(t *testing.T) {
 	}
 	ctrl := newFakeController(&data)
 
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 
-	assert.NoError(t, err)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
 	assert.Len(t, compRes.resources, 0)
@@ -152,7 +147,7 @@ func TestCompareAppStateExtraHook(t *testing.T) {
 	app := newFakeApp()
 	key := kube.ResourceKey{Group: "", Kind: "Pod", Namespace: test.FakeDestNamespace, Name: app.Name}
 	data := fakeData{
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -163,8 +158,8 @@ func TestCompareAppStateExtraHook(t *testing.T) {
 		},
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
 	assert.Equal(t, 1, len(compRes.resources))
@@ -188,7 +183,7 @@ func TestCompareAppStateDuplicatedNamespacedResources(t *testing.T) {
 
 	app := newFakeApp()
 	data := fakeData{
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{toJSON(t, obj1), toJSON(t, obj2), toJSON(t, obj3)},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -200,8 +195,8 @@ func TestCompareAppStateDuplicatedNamespacedResources(t *testing.T) {
 		},
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
 	assert.NotNil(t, compRes)
 	assert.Contains(t, compRes.conditions, argoappv1.ApplicationCondition{
 		Message: "Resource /Pod/fake-dest-ns/my-pod appeared 2 times among application resources.",
@@ -240,7 +235,7 @@ func TestSetHealth(t *testing.T) {
 	})
 	ctrl := newFakeController(&fakeData{
 		apps: []runtime.Object{app, &defaultProj},
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -251,8 +246,7 @@ func TestSetHealth(t *testing.T) {
 		},
 	})
 
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 
 	assert.Equal(t, compRes.healthStatus.Status, argoappv1.HealthStatusHealthy)
 }
@@ -272,7 +266,7 @@ func TestSetHealthSelfReferencedApp(t *testing.T) {
 	})
 	ctrl := newFakeController(&fakeData{
 		apps: []runtime.Object{app, &defaultProj},
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -284,8 +278,7 @@ func TestSetHealthSelfReferencedApp(t *testing.T) {
 		},
 	})
 
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 
 	assert.Equal(t, compRes.healthStatus.Status, argoappv1.HealthStatusHealthy)
 }

controller/sync.go

@@ -7,11 +7,15 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"time"
 
 	log "github.com/sirupsen/logrus"
+	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	apierr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/discovery"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/rest"
@@ -27,22 +31,27 @@ import (
 	"github.com/argoproj/argo-cd/util/resource"
 )
 
+const (
+	crdReadinessTimeout = time.Duration(3) * time.Second
+)
+
 type syncContext struct {
-	resourceOverrides map[string]v1alpha1.ResourceOverride
-	appName           string
-	proj              *v1alpha1.AppProject
-	compareResult     *comparisonResult
-	config            *rest.Config
-	dynamicIf         dynamic.Interface
-	disco             discovery.DiscoveryInterface
-	kubectl           kube.Kubectl
-	namespace         string
-	server            string
-	syncOp            *v1alpha1.SyncOperation
-	syncRes           *v1alpha1.SyncOperationResult
-	syncResources     []v1alpha1.SyncOperationResource
-	opState           *v1alpha1.OperationState
-	log               *log.Entry
+	resourceOverrides   map[string]v1alpha1.ResourceOverride
+	appName             string
+	proj                *v1alpha1.AppProject
+	compareResult       *comparisonResult
+	config              *rest.Config
+	dynamicIf           dynamic.Interface
+	disco               discovery.DiscoveryInterface
+	extensionsclientset *clientset.Clientset
+	kubectl             kube.Kubectl
+	namespace           string
+	server              string
+	syncOp              *v1alpha1.SyncOperation
+	syncRes             *v1alpha1.SyncOperationResult
+	syncResources       []v1alpha1.SyncOperationResource
+	opState             *v1alpha1.OperationState
+	log                 *log.Entry
 	// lock to protect concurrent updates of the result list
 	lock sync.Mutex
 }
@@ -92,12 +101,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		revision = syncOp.Revision
 	}
 
-	compareResult, err := m.CompareAppState(app, revision, source, false)
-	if err != nil {
-		state.Phase = v1alpha1.OperationError
-		state.Message = err.Error()
-		return
-	}
+	compareResult := m.CompareAppState(app, revision, source, false, syncOp.Manifests)
 
 	// If there are any error conditions, do not perform the operation
 	errConditions := make([]v1alpha1.ApplicationCondition, 0)
@@ -137,6 +141,13 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		return
 	}
 
+	extensionsclientset, err := clientset.NewForConfig(restConfig)
+	if err != nil {
+		state.Phase = v1alpha1.OperationError
+		state.Message = fmt.Sprintf("Failed to initialize extensions client: %v", err)
+		return
+	}
+
 	proj, err := argo.GetAppProject(&app.Spec, listersv1alpha1.NewAppProjectLister(m.projInformer.GetIndexer()), m.namespace)
 	if err != nil {
 		state.Phase = v1alpha1.OperationError
@@ -144,22 +155,30 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		return
 	}
 
+	resourceOverrides, err := m.settingsMgr.GetResourceOverrides()
+	if err != nil {
+		state.Phase = v1alpha1.OperationError
+		state.Message = fmt.Sprintf("Failed to load resource overrides: %v", err)
+		return
+	}
+
 	syncCtx := syncContext{
-		resourceOverrides: m.settings.ResourceOverrides,
-		appName:           app.Name,
-		proj:              proj,
-		compareResult:     compareResult,
-		config:            restConfig,
-		dynamicIf:         dynamicIf,
-		disco:             disco,
-		kubectl:           m.kubectl,
-		namespace:         app.Spec.Destination.Namespace,
-		server:            app.Spec.Destination.Server,
-		syncOp:            &syncOp,
-		syncRes:           syncRes,
-		syncResources:     syncResources,
-		opState:           state,
-		log:               log.WithFields(log.Fields{"application": app.Name}),
+		resourceOverrides:   resourceOverrides,
+		appName:             app.Name,
+		proj:                proj,
+		compareResult:       compareResult,
+		config:              restConfig,
+		dynamicIf:           dynamicIf,
+		disco:               disco,
+		extensionsclientset: extensionsclientset,
+		kubectl:             m.kubectl,
+		namespace:           app.Spec.Destination.Namespace,
+		server:              app.Spec.Destination.Server,
+		syncOp:              &syncOp,
+		syncRes:             syncRes,
+		syncResources:       syncResources,
+		opState:             state,
+		log:                 log.WithFields(log.Fields{"application": app.Name}),
 	}
 
 	if state.Phase == v1alpha1.OperationTerminating {
@@ -240,21 +259,27 @@ func (sc *syncContext) sync() {
 		}
 	}
 
-	// any running tasks, lets wait...
-	if tasks.Find(func(t *syncTask) bool { return t.running() }) != nil {
+	// if (a) we are multi-step and we have any running tasks,
+	// or (b) there are any running hooks,
+	// then wait...
+	multiStep := tasks.multiStep()
+	if tasks.Any(func(t *syncTask) bool { return (multiStep || t.isHook()) && t.running() }) {
 		sc.setOperationPhase(v1alpha1.OperationRunning, "one or more tasks are running")
 		return
 	}
 
+	// syncFailTasks only run during failure, so separate them from regular tasks
+	syncFailTasks, tasks := tasks.Split(func(t *syncTask) bool { return t.phase == v1alpha1.SyncPhaseSyncFail })
+
 	// if there are any completed but unsuccessful tasks, sync is a failure.
-	if tasks.Find(func(t *syncTask) bool { return t.completed() && !t.successful() }) != nil {
-		sc.setOperationPhase(v1alpha1.OperationFailed, "one or more synchronization tasks completed unsuccessfully")
+	if tasks.Any(func(t *syncTask) bool { return t.completed() && !t.successful() }) {
+		sc.setOperationFailed(syncFailTasks, "one or more synchronization tasks completed unsuccessfully")
 		return
 	}
 
-	sc.log.WithFields(log.Fields{"tasks": tasks}).Debug("filtering out completed tasks")
+	sc.log.WithFields(log.Fields{"tasks": tasks}).Debug("filtering out non-pending tasks")
 	// remove tasks that are completed, we can assume that there are no running tasks
-	tasks = tasks.Filter(func(t *syncTask) bool { return !t.completed() })
+	tasks = tasks.Filter(func(t *syncTask) bool { return t.pending() })
 
 	// If no sync tasks were generated (e.g., in case all application manifests have been removed),
 	// the sync operation is successful.
@@ -270,16 +295,16 @@ func (sc *syncContext) sync() {
 	// if it is the last phase/wave and the only remaining tasks are non-hooks, the we are successful
 	// EVEN if those objects subsequently degraded
 	// This handles the common case where neither hooks or waves are used and a sync equates to simply an (asynchronous) kubectl apply of manifests, which succeeds immediately.
-	complete := tasks.Find(func(t *syncTask) bool { return t.phase != phase || wave != t.wave() || t.isHook() }) == nil
+	complete := !tasks.Any(func(t *syncTask) bool { return t.phase != phase || wave != t.wave() || t.isHook() })
 
-	sc.log.WithFields(log.Fields{"phase": phase, "wave": wave, "tasks": tasks}).Debug("filtering tasks in correct phase and wave")
+	sc.log.WithFields(log.Fields{"phase": phase, "wave": wave, "tasks": tasks, "syncFailTasks": syncFailTasks}).Debug("filtering tasks in correct phase and wave")
 	tasks = tasks.Filter(func(t *syncTask) bool { return t.phase == phase && t.wave() == wave })
 
 	sc.setOperationPhase(v1alpha1.OperationRunning, "one or more tasks are running")
 
 	sc.log.WithFields(log.Fields{"tasks": tasks}).Debug("wet-run")
 	if !sc.runTasks(tasks, false) {
-		sc.setOperationPhase(v1alpha1.OperationFailed, "one or more objects failed to apply")
+		sc.setOperationFailed(syncFailTasks, "one or more objects failed to apply")
 	} else {
 		if complete {
 			sc.setOperationPhase(v1alpha1.OperationSucceeded, "successfully synced (all tasks run)")
@@ -287,6 +312,24 @@ func (sc *syncContext) sync() {
 	}
 }
 
+func (sc *syncContext) setOperationFailed(syncFailTasks syncTasks, message string) {
+	if len(syncFailTasks) > 0 {
+		// if all the failure hooks are completed, don't run them again, and mark the sync as failed
+		if syncFailTasks.All(func(task *syncTask) bool { return task.completed() }) {
+			sc.setOperationPhase(v1alpha1.OperationFailed, message)
+			return
+		}
+		// otherwise, we need to start the failure hooks, and then return without setting
+		// the phase, so we make sure we have at least one more sync
+		sc.log.WithFields(log.Fields{"syncFailTasks": syncFailTasks}).Debug("running sync fail tasks")
+		if !sc.runTasks(syncFailTasks, false) {
+			sc.setOperationPhase(v1alpha1.OperationFailed, message)
+		}
+	} else {
+		sc.setOperationPhase(v1alpha1.OperationFailed, message)
+	}
+}
+
 func (sc *syncContext) started() bool {
 	return len(sc.syncRes.Resources) > 0
 }
@@ -457,7 +500,8 @@ func (sc *syncContext) liveObj(obj *unstructured.Unstructured) *unstructured.Uns
 	for _, resource := range sc.compareResult.managedResources {
 		if resource.Group == obj.GroupVersionKind().Group &&
 			resource.Kind == obj.GetKind() &&
-			resource.Namespace == obj.GetNamespace() &&
+			// cluster scoped objects will not have a namespace, even if the user has defined it
+			(resource.Namespace == "" || resource.Namespace == obj.GetNamespace()) &&
 			resource.Name == obj.GetName() {
 			return resource.Live
 		}
@@ -473,12 +517,32 @@ func (sc *syncContext) setOperationPhase(phase v1alpha1.OperationPhase, message
 	sc.opState.Message = message
 }
 
+// ensureCRDReady waits until specified CRD is ready (established condition is true). Method is best effort - it does not fail even if CRD is not ready without timeout.
+func (sc *syncContext) ensureCRDReady(name string) {
+	_ = wait.PollImmediate(time.Duration(100)*time.Millisecond, crdReadinessTimeout, func() (bool, error) {
+		crd, err := sc.extensionsclientset.ApiextensionsV1beta1().CustomResourceDefinitions().Get(name, metav1.GetOptions{})
+		if err != nil {
+			return false, err
+		}
+		for _, condition := range crd.Status.Conditions {
+			if condition.Type == v1beta1.Established {
+				return condition.Status == v1beta1.ConditionTrue, nil
+			}
+		}
+		return false, nil
+	})
+}
+
 // applyObject performs a `kubectl apply` of a single resource
 func (sc *syncContext) applyObject(targetObj *unstructured.Unstructured, dryRun bool, force bool) (v1alpha1.ResultCode, string) {
-	message, err := sc.kubectl.ApplyResource(sc.config, targetObj, targetObj.GetNamespace(), dryRun, force)
+	validate := !resource.HasAnnotationOption(targetObj, common.AnnotationSyncOptions, "Validate=false")
+	message, err := sc.kubectl.ApplyResource(sc.config, targetObj, targetObj.GetNamespace(), dryRun, force, validate)
 	if err != nil {
 		return v1alpha1.ResultCodeSyncFailed, err.Error()
 	}
+	if kube.IsCRD(targetObj) && !dryRun {
+		sc.ensureCRDReady(targetObj.GetName())
+	}
 	return v1alpha1.ResultCodeSynced, message
 }
 

controller/sync_phase.go

@@ -14,7 +14,7 @@ func syncPhases(obj *unstructured.Unstructured) []v1alpha1.SyncPhase {
 		var phases []v1alpha1.SyncPhase
 		for _, hookType := range hook.Types(obj) {
 			switch hookType {
-			case v1alpha1.HookTypePreSync, v1alpha1.HookTypeSync, v1alpha1.HookTypePostSync:
+			case v1alpha1.HookTypePreSync, v1alpha1.HookTypeSync, v1alpha1.HookTypePostSync, v1alpha1.HookTypeSyncFail:
 				phases = append(phases, v1alpha1.SyncPhase(hookType))
 			}
 		}

controller/sync_phase_test.go

@@ -35,6 +35,10 @@ func TestSyncPhasePost(t *testing.T) {
 	assert.Equal(t, []SyncPhase{SyncPhasePostSync}, syncPhases(pod("PostSync")))
 }
 
+func TestSyncPhaseFail(t *testing.T) {
+	assert.Equal(t, []SyncPhase{SyncPhaseSyncFail}, syncPhases(pod("SyncFail")))
+}
+
 func TestSyncPhaseTwoPhases(t *testing.T) {
 	assert.Equal(t, []SyncPhase{SyncPhasePreSync, SyncPhasePostSync}, syncPhases(pod("PreSync,PostSync")))
 }

controller/sync_task.go

@@ -94,6 +94,10 @@ func (t *syncTask) namespace() string {
 	return t.obj().GetNamespace()
 }
 
+func (t *syncTask) pending() bool {
+	return t.operationState == ""
+}
+
 func (t *syncTask) running() bool {
 	return t.operationState == v1alpha1.OperationRunning
 }

controller/sync_tasks.go

@@ -11,6 +11,7 @@ var syncPhaseOrder = map[v1alpha1.SyncPhase]int{
 	v1alpha1.SyncPhasePreSync:  -1,
 	v1alpha1.SyncPhaseSync:     0,
 	v1alpha1.SyncPhasePostSync: 1,
+	v1alpha1.SyncPhaseSyncFail: 2,
 }
 
 // kindOrder represents the correct order of Kubernetes resources within a manifest
@@ -105,6 +106,35 @@ func (s syncTasks) Filter(predicate func(task *syncTask) bool) (tasks syncTasks)
 	return tasks
 }
 
+func (s syncTasks) Split(predicate func(task *syncTask) bool) (trueTasks, falseTasks syncTasks) {
+	for _, task := range s {
+		if predicate(task) {
+			trueTasks = append(trueTasks, task)
+		} else {
+			falseTasks = append(falseTasks, task)
+		}
+	}
+	return trueTasks, falseTasks
+}
+
+func (s syncTasks) All(predicate func(task *syncTask) bool) bool {
+	for _, task := range s {
+		if !predicate(task) {
+			return false
+		}
+	}
+	return true
+}
+
+func (s syncTasks) Any(predicate func(task *syncTask) bool) bool {
+	for _, task := range s {
+		if predicate(task) {
+			return true
+		}
+	}
+	return false
+}
+
 func (s syncTasks) Find(predicate func(task *syncTask) bool) *syncTask {
 	for _, task := range s {
 		if predicate(task) {
@@ -135,3 +165,21 @@ func (s syncTasks) wave() int {
 	}
 	return 0
 }
+
+func (s syncTasks) lastPhase() v1alpha1.SyncPhase {
+	if len(s) > 0 {
+		return s[len(s)-1].phase
+	}
+	return ""
+}
+
+func (s syncTasks) lastWave() int {
+	if len(s) > 0 {
+		return s[len(s)-1].wave()
+	}
+	return 0
+}
+
+func (s syncTasks) multiStep() bool {
+	return s.wave() != s.lastWave() || s.phase() != s.lastPhase()
+}

controller/sync_tasks_test.go

@@ -8,7 +8,9 @@ import (
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
+	"github.com/argoproj/argo-cd/common"
 	. "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	. "github.com/argoproj/argo-cd/test"
 )
 
 func Test_syncTasks_kindOrder(t *testing.T) {
@@ -22,6 +24,39 @@ func TestSortSyncTask(t *testing.T) {
 	assert.Equal(t, sortedTasks, unsortedTasks)
 }
 
+func TestAnySyncTasks(t *testing.T) {
+	res := unsortedTasks.Any(func(task *syncTask) bool {
+		return task.name() == "a"
+	})
+	assert.True(t, res)
+
+	res = unsortedTasks.Any(func(task *syncTask) bool {
+		return task.name() == "does-not-exist"
+	})
+	assert.False(t, res)
+
+}
+
+func TestAllSyncTasks(t *testing.T) {
+	res := unsortedTasks.All(func(task *syncTask) bool {
+		return task.name() != ""
+	})
+	assert.False(t, res)
+
+	res = unsortedTasks.All(func(task *syncTask) bool {
+		return task.name() == "a"
+	})
+	assert.False(t, res)
+}
+
+func TestSplitSyncTasks(t *testing.T) {
+	named, unnamed := sortedTasks.Split(func(task *syncTask) bool {
+		return task.name() != ""
+	})
+	assert.Equal(t, named, namedObjTasks)
+	assert.Equal(t, unnamed, unnamedTasks)
+}
+
 var unsortedTasks = syncTasks{
 	{
 		targetObj: &unstructured.Unstructured{
@@ -47,6 +82,9 @@ var unsortedTasks = syncTasks{
 			},
 		},
 	},
+	{
+		phase: SyncPhaseSyncFail, targetObj: &unstructured.Unstructured{},
+	},
 	{
 		targetObj: &unstructured.Unstructured{
 			Object: map[string]interface{}{
@@ -199,6 +237,107 @@ var sortedTasks = syncTasks{
 		phase:     SyncPhasePostSync,
 		targetObj: &unstructured.Unstructured{},
 	},
+	{
+		phase:     SyncPhaseSyncFail,
+		targetObj: &unstructured.Unstructured{},
+	},
+}
+
+var namedObjTasks = syncTasks{
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"name": "a",
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"name": "b",
+				},
+			},
+		},
+	},
+}
+
+var unnamedTasks = syncTasks{
+	{
+		phase:     SyncPhasePreSync,
+		targetObj: &unstructured.Unstructured{},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"annotations": map[string]interface{}{
+						"argocd.argoproj.io/sync-wave": "-1",
+					},
+				},
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "ConfigMap",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "PersistentVolume",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "Service",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+				"kind":         "Pod",
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"GroupVersion": apiv1.SchemeGroupVersion.String(),
+			},
+		},
+	},
+	{
+		targetObj: &unstructured.Unstructured{
+			Object: map[string]interface{}{
+				"metadata": map[string]interface{}{
+					"annotations": map[string]interface{}{
+						"argocd.argoproj.io/sync-wave": "1",
+					},
+				},
+			},
+		},
+	},
+	{
+		phase:     SyncPhasePostSync,
+		targetObj: &unstructured.Unstructured{},
+	},
+	{
+		phase:     SyncPhaseSyncFail,
+		targetObj: &unstructured.Unstructured{},
+	},
 }
 
 func Test_syncTasks_Filter(t *testing.T) {
@@ -229,3 +368,25 @@ func TestSyncNamespaceAgainstCRD(t *testing.T) {
 
 	assert.Equal(t, syncTasks{namespace, crd}, unsorted)
 }
+
+func Test_syncTasks_multiStep(t *testing.T) {
+	t.Run("Single", func(t *testing.T) {
+		tasks := syncTasks{{liveObj: Annotate(NewPod(), common.AnnotationSyncWave, "-1"), phase: SyncPhaseSync}}
+		assert.Equal(t, SyncPhaseSync, tasks.phase())
+		assert.Equal(t, -1, tasks.wave())
+		assert.Equal(t, SyncPhaseSync, tasks.lastPhase())
+		assert.Equal(t, -1, tasks.lastWave())
+		assert.False(t, tasks.multiStep())
+	})
+	t.Run("Double", func(t *testing.T) {
+		tasks := syncTasks{
+			{liveObj: Annotate(NewPod(), common.AnnotationSyncWave, "-1"), phase: SyncPhasePreSync},
+			{liveObj: Annotate(NewPod(), common.AnnotationSyncWave, "1"), phase: SyncPhasePostSync},
+		}
+		assert.Equal(t, SyncPhasePreSync, tasks.phase())
+		assert.Equal(t, -1, tasks.wave())
+		assert.Equal(t, SyncPhasePostSync, tasks.lastPhase())
+		assert.Equal(t, 1, tasks.lastWave())
+		assert.True(t, tasks.multiStep())
+	})
+}

controller/sync_test.go

@@ -2,6 +2,7 @@ package controller
 
 import (
 	"fmt"
+	"reflect"
 	"testing"
 
 	log "github.com/sirupsen/logrus"
@@ -18,7 +19,7 @@ import (
 	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	. "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/reposerver/repository"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/test"
 	"github.com/argoproj/argo-cd/util/kube"
 	"github.com/argoproj/argo-cd/util/kube/kubetest"
@@ -71,7 +72,7 @@ func newTestSyncCtx(resources ...*v1.APIResourceList) *syncContext {
 		disco:   fakeDisco,
 		log:     log.WithFields(log.Fields{"application": "fake-app"}),
 	}
-	sc.kubectl = kubetest.MockKubectlCmd{}
+	sc.kubectl = &kubetest.MockKubectlCmd{}
 	return &sc
 }
 
@@ -138,7 +139,7 @@ func TestSyncCreateNotWhitelistedClusterResources(t *testing.T) {
 		{Group: "argoproj.io", Kind: "*"},
 	}
 
-	syncCtx.kubectl = kubetest.MockKubectlCmd{}
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{}
 	syncCtx.compareResult = &comparisonResult{
 		managedResources: []managedResource{{
 			Live: nil,
@@ -238,7 +239,7 @@ func TestSyncDeleteSuccessfully(t *testing.T) {
 func TestSyncCreateFailure(t *testing.T) {
 	syncCtx := newTestSyncCtx()
 	testSvc := test.NewService()
-	syncCtx.kubectl = kubetest.MockKubectlCmd{
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{
 		Commands: map[string]kubetest.KubectlOutput{
 			testSvc.GetName(): {
 				Output: "",
@@ -261,7 +262,7 @@ func TestSyncCreateFailure(t *testing.T) {
 
 func TestSyncPruneFailure(t *testing.T) {
 	syncCtx := newTestSyncCtx()
-	syncCtx.kubectl = kubetest.MockKubectlCmd{
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{
 		Commands: map[string]kubetest.KubectlOutput{
 			"test-service": {
 				Output: "",
@@ -325,6 +326,33 @@ func TestDontPrunePruneFalse(t *testing.T) {
 	assert.Equal(t, v1alpha1.OperationSucceeded, syncCtx.opState.Phase)
 }
 
+// make sure Validate=false means we don't validate
+func TestSyncOptionValidate(t *testing.T) {
+	tests := []struct {
+		name          string
+		annotationVal string
+		want          bool
+	}{
+		{"Empty", "", true},
+		{"True", "Validate=true", true},
+		{"False", "Validate=false", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			syncCtx := newTestSyncCtx()
+			pod := test.NewPod()
+			pod.SetAnnotations(map[string]string{common.AnnotationSyncOptions: tt.annotationVal})
+			pod.SetNamespace(test.FakeArgoCDNamespace)
+			syncCtx.compareResult = &comparisonResult{managedResources: []managedResource{{Target: pod, Live: pod}}}
+
+			syncCtx.sync()
+
+			kubectl, _ := syncCtx.kubectl.(*kubetest.MockKubectlCmd)
+			assert.Equal(t, tt.want, kubectl.LastValidate)
+		})
+	}
+}
+
 func TestSelectiveSyncOnly(t *testing.T) {
 	syncCtx := newTestSyncCtx()
 	pod1 := test.NewPod()
@@ -416,7 +444,7 @@ func TestPersistRevisionHistory(t *testing.T) {
 	}
 	data := fakeData{
 		apps: []runtime.Object{app, defaultProject},
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -453,7 +481,7 @@ func TestPersistRevisionHistoryRollback(t *testing.T) {
 	}
 	data := fakeData{
 		apps: []runtime.Object{app, defaultProject},
-		manifestResponse: &repository.ManifestResponse{
+		manifestResponse: &apiclient.ManifestResponse{
 			Manifests: []string{},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
@@ -490,6 +518,78 @@ func TestPersistRevisionHistoryRollback(t *testing.T) {
 	assert.Equal(t, "abc123", updatedApp.Status.History[0].Revision)
 }
 
+func TestSyncFailureHookWithSuccessfulSync(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{Target: test.NewPod()}},
+		hooks:            []*unstructured.Unstructured{test.NewHook(HookTypeSyncFail)},
+	}
+
+	syncCtx.sync()
+
+	assert.Equal(t, OperationSucceeded, syncCtx.opState.Phase)
+	// only one result, we did not run the failure failureHook
+	assert.Len(t, syncCtx.syncRes.Resources, 1)
+}
+
+func TestSyncFailureHookWithFailedSync(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	pod := test.NewPod()
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{Target: pod}},
+		hooks:            []*unstructured.Unstructured{test.NewHook(HookTypeSyncFail)},
+	}
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{
+		Commands: map[string]kubetest.KubectlOutput{pod.GetName(): {Err: fmt.Errorf("")}},
+	}
+
+	syncCtx.sync()
+	syncCtx.sync()
+
+	assert.Equal(t, OperationFailed, syncCtx.opState.Phase)
+	assert.Len(t, syncCtx.syncRes.Resources, 2)
+}
+
+func TestRunSyncFailHooksFailed(t *testing.T) {
+	// Tests that other SyncFail Hooks run even if one of them fail.
+
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	pod := test.NewPod()
+	successfulSyncFailHook := test.NewHook(HookTypeSyncFail)
+	successfulSyncFailHook.SetName("successful-sync-fail-hook")
+	failedSyncFailHook := test.NewHook(HookTypeSyncFail)
+	failedSyncFailHook.SetName("failed-sync-fail-hook")
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{{Target: pod}},
+		hooks:            []*unstructured.Unstructured{successfulSyncFailHook, failedSyncFailHook},
+	}
+
+	syncCtx.kubectl = &kubetest.MockKubectlCmd{
+		Commands: map[string]kubetest.KubectlOutput{
+			// Fail operation
+			pod.GetName(): {Err: fmt.Errorf("")},
+			// Fail a single SyncFail hook
+			failedSyncFailHook.GetName(): {Err: fmt.Errorf("")}},
+	}
+
+	syncCtx.sync()
+	syncCtx.sync()
+
+	fmt.Println(syncCtx.syncRes.Resources)
+	fmt.Println(syncCtx.opState.Phase)
+	// Operation as a whole should fail
+	assert.Equal(t, OperationFailed, syncCtx.opState.Phase)
+	// failedSyncFailHook should fail
+	assert.Equal(t, OperationFailed, syncCtx.syncRes.Resources[1].HookPhase)
+	assert.Equal(t, ResultCodeSyncFailed, syncCtx.syncRes.Resources[1].Status)
+	// successfulSyncFailHook should be synced running (it is an nginx pod)
+	assert.Equal(t, OperationRunning, syncCtx.syncRes.Resources[2].HookPhase)
+	assert.Equal(t, ResultCodeSynced, syncCtx.syncRes.Resources[2].Status)
+}
+
 func Test_syncContext_isSelectiveSync(t *testing.T) {
 	type fields struct {
 		compareResult *comparisonResult
@@ -526,3 +626,37 @@ func Test_syncContext_isSelectiveSync(t *testing.T) {
 		})
 	}
 }
+
+func Test_syncContext_liveObj(t *testing.T) {
+	type fields struct {
+		compareResult *comparisonResult
+	}
+	type args struct {
+		obj *unstructured.Unstructured
+	}
+	obj := test.NewPod()
+	obj.SetNamespace("my-ns")
+
+	found := test.NewPod()
+
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		want   *unstructured.Unstructured
+	}{
+		{"None", fields{compareResult: &comparisonResult{managedResources: []managedResource{}}}, args{obj: &unstructured.Unstructured{}}, nil},
+		{"Found", fields{compareResult: &comparisonResult{managedResources: []managedResource{{Group: obj.GroupVersionKind().Group, Kind: obj.GetKind(), Namespace: obj.GetNamespace(), Name: obj.GetName(), Live: found}}}}, args{obj: obj}, found},
+		{"EmptyNamespace", fields{compareResult: &comparisonResult{managedResources: []managedResource{{Group: obj.GroupVersionKind().Group, Kind: obj.GetKind(), Name: obj.GetName(), Live: found}}}}, args{obj: obj}, found},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sc := &syncContext{
+				compareResult: tt.fields.compareResult,
+			}
+			if got := sc.liveObj(tt.args.obj); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("syncContext.liveObj() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

docs/CONTRIBUTING.md

@@ -10,39 +10,22 @@ Then, to get a good grounding in Go, try out [the tutorial](https://tour.golang.
 Install:
 
 * [docker](https://docs.docker.com/install/#supported-platforms)
+* [git](https://git-scm.com/) and [git-lfs](https://git-lfs.github.com/)
 * [golang](https://golang.org/)
 * [dep](https://github.com/golang/dep)
-* [protobuf](https://developers.google.com/protocol-buffers/)
 * [ksonnet](https://github.com/ksonnet/ksonnet#install)
 * [helm](https://github.com/helm/helm/releases)
 * [kustomize](https://github.com/kubernetes-sigs/kustomize/releases)
-* [go-swagger](https://github.com/go-swagger/go-swagger/blob/master/docs/install.md)
-* [jq](https://stedolan.github.io/jq/)
 * [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
 * [kubectx](https://kubectx.dev)
 * [minikube](https://kubernetes.io/docs/setup/minikube/) or Docker for Desktop
 
-!!! warning "Versions"
-    You will find problems generating code if you do not have the correct versions of `protoc` and `swagger`
-    
-```bash
-$ protoc --version
-libprotoc 3.7.1
-~/go/src/github.com/argoproj/argo-cd (ui)
-$ swagger version
-version: v0.19.0
-```
-
 Brew users can quickly install the lot:
     
 ```bash
-brew tap go-swagger/go-swagger
-brew install go dep protobuf kubectl kubectx ksonnet/tap/ks kubernetes-helm jq go-swagger kustomize 
+brew install git-lfs go dep kubectl kubectx ksonnet/tap/ks kubernetes-helm kustomize 
 ```
 
-!!! note "Kustomize"
-    Since Argo CD supports Kustomize v1.0 and v2.0, you will need to install both versions in order for the unit tests to run. The Kustomize 1 unit test expects to find a `kustomize1` binary in the path.  You can use this [link](https://github.com/argoproj/argo-cd/blob/master/Dockerfile#L66-L69) to find the Kustomize 1 currently used by Argo CD and modify the curl command to download the correct OS.
-
 Set up environment variables (e.g. is `~/.bashrc`):
 
 ```bash
@@ -57,21 +40,15 @@ go get -u github.com/argoproj/argo-cd
 cd ~/go/src/github.com/argoproj/argo-cd
 ```
 
-Install go dependencies:
+## Building
 
-```bash
-go get github.com/gobuffalo/packr/packr
-go get github.com/gogo/protobuf/gogoproto
-go get github.com/golang/protobuf/protoc-gen-go
-go get github.com/golangci/golangci-lint/cmd/golangci-lint
-go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway
-go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger
-go get github.com/jstemmer/go-junit-report
-go get github.com/mattn/goreman
-go get golang.org/x/tools/cmd/goimports
+Ensure dependencies are up to date first:
+
+```shell
+make dep
 ```
 
-## Building
+Build `cli`, `image`, and `argocd-util` as default targets by running make:
 
 ```bash
 make
@@ -79,7 +56,11 @@ make
 
 The make command can take a while, and we recommend building the specific component you are working on
 
-* `make codegen` - Builds protobuf and swagger files
+* `make codegen` - Builds protobuf and swagger files.
+
+Note: `make codegen` is slow because it uses docker + volume mounts. To improve performance you might install binaries from `./hack/Dockerfile.dev-tools`
+and use `make codegen-local`. It is still recommended to run `make codegen` once before sending PR to make sure correct version of codegen tools is used.   
+
 * `make cli` - Make the argocd CLI tool
 * `make server` - Make the API/repo/controller server
 * `make argocd-util` - Make the administrator's utility, used for certain tasks such as import/export

docs/developer-guide/releasing.md

@@ -19,35 +19,13 @@ Set the `VERSION` environment variable:
 # release candidate
 VERSION=v1.0.0-rc1
 # GA release
-VERSION=v1.0.0
-```
-
-If not already created, create UI release branch:
-
-```bash
-cd argo-cd-ui
-git checkout -b $BRANCH
-```
-
-Tag UI:
-
-```bash
-git tag $VERSION
-git push $REPO $BRANCH --tags
-IMAGE_NAMESPACE=argoproj IMAGE_TAG=$VERSION DOCKER_PUSH=true yarn docker
-```
-
-If not already created, create release branch:
-
-```bash
-cd argo-cd
-git checkout -b $BRANCH
-git push $REPO $BRANCH
+VERSION=v1.0.2
 ```
 
 Update `VERSION` and manifests with new version:
 
 ```bash
+git checkout $BRANCH
 echo ${VERSION:1} > VERSION
 make manifests IMAGE_TAG=$VERSION
 git commit -am "Update manifests to $VERSION"
@@ -58,6 +36,7 @@ Tag, build, and push release to Docker Hub
 
 ```bash
 git tag $VERSION
+git clean -fd
 make release IMAGE_NAMESPACE=argoproj IMAGE_TAG=$VERSION DOCKER_PUSH=true
 git push $REPO $VERSION
 ```
@@ -66,7 +45,7 @@ Update [Github releases](https://github.com/argoproj/argo-cd/releases) with:
 
 * Getting started (copy from previous release)
 * Changelog
-* Binaries (e.g. dist/argocd-darwin-amd64).
+* Binaries (e.g. `dist/argocd-darwin-amd64`).
 
 
 If GA, update `stable` tag:
@@ -80,8 +59,10 @@ If GA, update Brew formula:
 ```bash
 git clone https://github.com/argoproj/homebrew-tap
 cd homebrew-tap
+git checkout master
+git pull
 ./update.sh ~/go/src/github.com/argoproj/argo-cd/dist/argocd-darwin-amd64
-git commit -a -m "Update argocd to $VERSION"
+git commit -am "Update argocd to $VERSION"
 git push
 ```
 

docs/developer-guide/test-e2e.md

@@ -13,6 +13,18 @@ Git repository via file url: `file:///tmp/argocd-e2e***`.
 
 You can observe the tests by using the UI [http://localhost:8080/applications](http://localhost:8080/applications).
 
+## Configuration of E2E Tests execution
+
+The Makefile's `start-e2e` target starts instances of ArgoCD on your local machine, of which the most will require a network listener. If for whatever reason you already have network services on your machine listening on the same ports, the e2e tests will not be able to run. You can derive from the defaults by setting the following environment variables before you run `make start-e2e`:
+
+* `ARGOCD_E2E_APISERVER_PORT`: Listener port for `argocd-server` (default: `8080`)
+* `ARGOCD_E2E_REPOSERVER_PORT`: Listener port for `argocd-reposerver` (default: `8081`)
+* `ARGOCD_E2E_DEX_PORT`: Listener port for `dex` (default: `5556`)
+* `ARGOCD_E2E_REDIS_PORT`: Listener port for `redis` (default: `6379`)
+* `ARGOCD_E2E_YARN_CMD`: Command to use for starting the UI via Yarn (default: `yarn`)
+
+If you have changed the port for `argocd-server`, be sure to also set `ARGOCD_SERVER` environment variable to point to that port, e.g. `export ARGOCD_SERVER=localhost:8888` before running `make test-e2e` so that the test will communicate to the correct server component.
+
 ## CI Set-up
 
 The tests are executed by Argo Workflow defined at `.argo-ci/ci.yaml`. CI job The builds an Argo CD image, deploy argo cd components into throw-away kubernetes cluster provisioned
@@ -21,7 +33,7 @@ using k3s and run e2e tests against it.
 ## Test Isolation
 
 Some effort has been made to balance test isolation with speed. Tests are isolated as follows as each test gets:
- 
+
 * A random 5 character ID.
 * A unique Git repository containing the `testdata` in `/tmp/argocd-e2e/${id}`.
 * A namespace `argocd-e2e-ns-${id}`.
@@ -34,7 +46,7 @@ Some effort has been made to balance test isolation with speed. Tests are isolat
 This maybe due to the metrics server, run this:
 
 ```bash
-kubectl api-resources 
+kubectl api-resources
 ```
 
 If it exits with status code 1, run:
@@ -47,4 +59,4 @@ Remove `/spec/finalizers` from the namespace
 
 ```bash
 kubectl edit ns argocd-e2e-ns-*
-```
+```

docs/faq.md

@@ -1,5 +1,12 @@
 # FAQ
 
+## I've deleted/corrupted my repo and can't delete my app.
+
+Argo CD can't delete an app if it cannot generate manifests. You need to either: 
+
+1. Reinstate/fix your repo.
+1. Delete the app using `--cascade=false` and then manually deleting the resources.
+
 ## Why is my application still `OutOfSync` immediately after a successful Sync?
 
 See [Diffing](user-guide/diffing.md) documentation for reasons resources can be OutOfSync, and ways to configure
@@ -15,7 +22,7 @@ to return `Progressing` state instead of `Healthy`.
  ([contour](https://github.com/heptio/contour/issues/403), [traefik](https://github.com/argoproj/argo-cd/issues/968#issuecomment-451082913)) don't update
  `status.loadBalancer.ingress` field which causes `Ingress` to stuck in `Progressing` state forever.
 
-* `StatufulSet` is considered healthy if value of `status.updatedReplicas` field matches to `spec.replicas` field. Due to Kubernetes bug
+* `StatefulSet` is considered healthy if value of `status.updatedReplicas` field matches to `spec.replicas` field. Due to Kubernetes bug
 [kubernetes/kubernetes#68573](https://github.com/kubernetes/kubernetes/issues/68573) the `status.updatedReplicas` is not populated. So unless you run Kubernetes version which
 include the fix [kubernetes/kubernetes#67570](https://github.com/kubernetes/kubernetes/pull/67570) `StatefulSet` might stay in `Progressing` state.
 
@@ -23,9 +30,22 @@ As workaround Argo CD allows providing [health check](operator-manual/health.md)
 
 ## I forgot the admin password, how do I reset it?
 
-Edit the `argocd-secret` secret and update the `admin.password` field with a new bcrypt hash. You
-can use a site like https://www.browserling.com/tools/bcrypt to generate a new hash. Another option
-is to delete both the `admin.password` and `admin.passwordMtime` keys and restart argocd-server.
+By default the password is set to the name of the server pod, as per [the getting started guide](getting_started.md).
+
+To change the password, edit the `argocd-secret` secret and update the `admin.password` field with a new bcrypt hash. You
+can use a site like https://www.browserling.com/tools/bcrypt to generate a new hash. For example:
+
+```bash
+# bcrypt(Password1!)=$2a$10$hDj12Tw9xVmvybSahN1Y0.f9DZixxN8oybyA32Uy/eqWklFU4Mo8O
+kubectl -n argocd patch secret argocd-secret \
+  -p "{\"data\": \
+    {\
+      \"admin.password\": \"$(echo -n '$2a$10$hDj12Tw9xVmvybSahN1Y0.f9DZixxN8oybyA32Uy/eqWklFU4Mo8O' | base64)\", \
+      \"admin.passwordMtime\": \"$(date +%FT%T%Z | base64)\" \
+  }}"
+```
+
+Another option is to delete both the `admin.password` and `admin.passwordMtime` keys and restart argocd-server. This will set the password back to the pod name as per [the getting started guide](getting_started.md).
 
 ## Argo CD cannot deploy Helm Chart based applications without internet access, how can I solve it?
 
@@ -61,4 +81,47 @@ Now you can manually verify that cluster is accessible from the Argo CD pod.
 
 To terminate the sync, click on the "synchronisation" then "terminate":
 
-![Synchronization](assets/synchronization-button.png) ![Terminate](assets/terminate-button.png)
+![Synchronization](assets/synchronization-button.png) ![Terminate](assets/terminate-button.png)
+
+## Why Is My App Out Of Sync Even After Syncing?
+
+Is some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using Kustomize common labels feature.
+
+Argo CD automatically sets the `app.kubernetes.io/instance` label and uses it to determine which resources form the app. If the tool does this too, this causes confusion. You can change this label by setting the `application.instanceLabelKey` value in the `argocd-cm`.  We recommend that you use `argocd.argoproj.io/instance`. 
+
+!!! note    When you make this change your applications will become out of sync and will need re-syncing.
+
+See [#1482](https://github.com/argoproj/argo-cd/issues/1482).
+
+
+# How Do I Fix "invalid cookie, longer than max length 4093"?
+
+Argo CD uses a JWT as the auth token. You likely are part of many groups and have gone over the 4KB limit which is set for cookies.
+You can get the list of groups by opening "developer tools -> network"
+
+* Click log in
+* Find the call to `<argocd_instance>/auth/callback?code=<random_string>`
+
+Decode the token at https://jwt.io/. That will provide the list of teams that you can remove yourself from.
+
+See [#2165](https://github.com/argoproj/argo-cd/issues/2165).
+
+## Why Am I Getting `rpc error: code = Unavailable desc = transport is closing` When Using The CLI?
+
+Maybe you're behind a proxy that does not support HTTP 2? Try the `--grcp-web` flag.:
+
+```bash
+argocd ... --grcp-web
+```
+
+## Why Am I Getting `x509: certificate signed by unknown authority` When Using The CLI?
+
+Your not running your server with correct certs.
+
+If you're not running in a production system (e.g. you're testing Argo CD out), try the `--insecure` flag:
+
+```bash
+argocd ... --insecure
+```
+
+!!! warning "Do not use `--insecure` in production"

docs/index.md

@@ -79,14 +79,6 @@ For additional details, see [architecture overview](operator-manual/architecture
 * Prometheus metrics
 * Parameter overrides for overriding ksonnet/helm parameters in Git
 
-## Community Blogs And Presentations
-
-* GitOps with Argo CD: [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager](https://www.ibm.com/blogs/bluemix/2019/02/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2/)
-* KubeCon talk: [CI/CD in Light Speed with K8s and Argo CD](https://www.youtube.com/watch?v=OdzH82VpMwI&feature=youtu.be)
-* KubeCon talk: [Machine Learning as Code](https://www.youtube.com/watch?v=VXrGp5er1ZE&t=0s&index=135&list=PLj6h78yzYM2PZf9eA7bhWnIh_mK1vyOfU)
-  * Among other things, describes how Kubeflow uses Argo CD to implement GitOPs for ML
-* SIG Apps demo: [Argo CD - GitOps Continuous Delivery for Kubernetes](https://www.youtube.com/watch?v=aWDIQMbp1cc&feature=youtu.be&t=1m4s)
-
 ## Development Status
 
 Argo CD is actively developed and is being used in production to deploy SaaS services at Intuit

docs/operator-manual/application.yaml

@@ -19,6 +19,14 @@ spec:
 
     # helm specific config
     helm:
+      # Extra parameters to set (same as setting through values.yaml, but these take precedence)
+      parameters:
+      - name: "nginx-ingress.controller.service.annotations.external-dns\\.alpha\\.kubernetes\\.io/hostname"
+        value: mydomain.example.com
+
+      # Release name override (defaults to application name)
+      releaseName: guestbook
+
       valueFiles:
       - values-prod.yaml
 
@@ -26,36 +34,35 @@ spec:
     kustomize:
       # Optional image name prefix
       namePrefix: prod-
-      # Optional image tags passed to "kustomize edit set imagetag" is Kustomize 1 only.
-      imageTags:
-      - name: gcr.io/heptio-images/ks-guestbook-demo
-        value: "0.2"
-      # Optional images passed to "kustomize edit set image" is Kustomize 2 only.
+      # Optional images passed to "kustomize edit set image".
       images:
       - gcr.io/heptio-images/ks-guestbook-demo:0.2
 
     # directory
     directory:
       recurse: true
-
-    jsonnet:
-      # A list of Jsonnet External Variables
-      extVars:
-      - name: foo
-        value: bar
-        # You can use "code to determine if the value is either string (false, the default) or Jsonnet code (if code is true).
-      - code: true
-        name: baz
-        value: "true"
-      # A list of Jsonnet Top-level Arguments
-      tlas:
-      - code: false
-        name: foo
-        value: bar
+      jsonnet:
+        # A list of Jsonnet External Variables
+        extVars:
+        - name: foo
+          value: bar
+          # You can use "code to determine if the value is either string (false, the default) or Jsonnet code (if code is true).
+        - code: true
+          name: baz
+          value: "true"
+        # A list of Jsonnet Top-level Arguments
+        tlas:
+        - code: false
+          name: foo
+          value: bar
 
     # plugin specific config
     plugin:
-    - name: mypluginname
+      name: mypluginname
+      # environment variables passed to the plugin
+      env:
+        - name: FOO
+          value: bar
 
   # Destination cluster and namespace to deploy the application
   destination:
@@ -65,7 +72,8 @@ spec:
   # Sync policy
   syncPolicy:
     automated:
-      prune: true
+      prune: true # Specifies if resources should be pruned during auto-syncing ( false by default ).
+      selfHeal: true # Specifies if partial app sync should be executed when resources are changed only in target Kubernetes cluster and no git change detected ( false by default ).
 
   # Ignore differences at the specified json pointers
   ignoreDifferences:

docs/operator-manual/argocd-cm.yaml

@@ -2,10 +2,27 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
+  namespace: argocd
 data:
   # Argo CD's externally facing base URL (optional). Required when configuring SSO
   url: https://argo-cd-demo.argoproj.io
 
+  # Enables application status badge feature
+  statusbadge.enabled: 'true'
+
+  # Enables anonymous user access. The anonymous users get default role permissions specified argocd-rbac-cm.yaml.
+  users.anonymous.enabled: "true"
+
+  # Enables google analytics tracking is specified
+  ga.trackingid: 'UA-12345-1'
+  # Unless set to 'false' then user ids are hashed before sending to google analytics
+  ga.anonymizeusers: 'false'
+
+  # the URL for getting chat help, this will typically be your Slack channel for support
+  help.chatUrl: 'https://mycorp.slack.com/argo-cd'
+  # the text for getting chat help, defaults to "Chat now!"
+  help.chatText: 'Chat now!'
+
   # A dex connector configuration (optional). See SSO configuration documentation:
   # https://github.com/argoproj/argo-cd/blob/master/docs/sso.md
   # https://github.com/dexidp/dex/tree/master/Documentation/connectors
@@ -112,6 +129,9 @@ data:
       generate:
         command: [kasane, show]
 
+  # Build options/parameters to use with `kustomize build` (optional)
+  kustomize.buildOptions: --load_restrictor none
+
   # The metadata.label key name where Argo CD injects the app name as a tracking label (optional).
   # Tracking labels are used to determine which resources need to be deleted when pruning.
   # If omitted, Argo CD injects the app name into the label: 'app.kubernetes.io/instance'

docs/operator-manual/argocd-rbac-cm.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-rbac-cm
+  namespace: argocd
 data:
   # policy.csv is an file containing user-defined RBAC policies and role definitions (optional).
   # Policy rules are in the form:
@@ -21,6 +22,6 @@ data:
   policy.default: role:readonly
 
   # scopes controls which OIDC scopes to examine during rbac enforcement (in addition to `sub` scope).
-  # If omitted, defaults to: `[groups]`. The scope value can be a string, or a list of strings.
-  scopes: [cognito:groups, email]
+  # If omitted, defaults to: '[groups]'. The scope value can be a string, or a list of strings.
+  scopes: '[cognito:groups, email]'
 

docs/operator-manual/argocd-secret.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: argocd-secret
+  namespace: argocd
 type: Opaque
 data:
   # TLS certificate and private key for API server (required).

docs/operator-manual/declarative-setup.md

@@ -8,6 +8,8 @@ Argo CD applications, projects and settings can be defined declaratively using K
 | [`argocd-cm.yaml`](argocd-cm.yaml) | ConfigMap | General Argo CD configuration |
 | [`argocd-secret.yaml`](argocd-secret.yaml) | Secret | Password, Certificates, Signing Key |
 | [`argocd-rbac-cm.yaml`](argocd-rbac-cm.yaml) | ConfigMap | RBAC Configuration |
+| [`argocd-tls-certs-cm.yaml`](argocd-rbac-cm.yaml) | ConfigMap | Custom TLS certificates for connecting Git repositories via HTTPS (v1.2 and later) |
+| [`argocd-ssh-known-hosts-cm.yaml`](argocd-rbac-cm.yaml) | ConfigMap | SSH known hosts data for connecting Git repositories via SSH (v1.2 and later) |
 | [`application.yaml`](application.yaml) | Application | Example application spec |
 | [`project.yaml`](project.yaml) | AppProject | Example project spec |
 
@@ -26,6 +28,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
   name: guestbook
+  namespace: argocd
 spec:
   project: default
   source:
@@ -39,6 +42,9 @@ spec:
 
 See [application.yaml](application.yaml) for additional fields
 
+!!! note
+    The namespace must match the namespace of your Argo cd, typically this is `argocd`.
+
 !!! warning
     By default, deleting an application will not perform a cascade delete, thereby deleting its resources. You must add the finalizer if you want this behaviour - which you may well not want.
     
@@ -70,6 +76,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
   name: my-project
+  namespace: argocd
 spec:
   description: Example Project
   # Allow manifests to deploy from any Git repos
@@ -126,6 +133,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
+  namespace: argocd
 data:
   repositories: |
     - url: https://github.com/argoproj/my-private-repository
@@ -144,6 +152,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
+  namespace: argocd
 data:
   repositories: |
     - url: git@github.com:argoproj/my-private-repository
@@ -156,7 +165,9 @@ data:
     The Kubernetes documentation has [instructions for creating a secret containing a private key](https://kubernetes.io/docs/concepts/configuration/secret/#use-case-pod-with-ssh-keys). 
 
 
-### Repository Credentials (v1.1+)
+### Repository Credentials
+ 
+>v1.1
 
 If you want to use the same credentials for multiple repositories, you can use `repository.credentials`:
 
@@ -165,6 +176,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
+  namespace: argocd
 data:
   repositories: |
     - url: https://github.com/argoproj/private-repo
@@ -193,6 +205,10 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
 data:
   repositories: |
     # this has it's own credentials
@@ -233,6 +249,96 @@ data:
         key: sshPrivateKey
 ```
 
+### Repositories using self-signed TLS certificates (or are signed by custom CA)
+
+> v1.2 or later
+
+You can manage the TLS certificates used to verify the authenticity of your repository servers in a ConfigMap object named `argocd-tls-certs-cm`. The data section should contain a map, with the repository server's hostname part (not the complete URL) as key, and the certificate(s) in PEM format as data. So, if you connect to a repository with the URL `https://server.example.com/repos/my-repo`, you should use `server.example.com` as key. The certificate data should be either the server's certificate (in case of self-signed certificate) or the certificate of the CA that was used to sign the server's certificate. You can configure multiple certificates for each server, e.g. if you are having a certificate roll-over planned.
+
+If there are no dedicated certificates configured for a repository server, the system's default trust store is used for validating the server's repository. This should be good enough for most (if not all) public Git repository services such as GitLab, GitHub and Bitbucket as well as most privately hosted sites which use certificates from well-known CAs, including Let's Encrypt certificates.
+
+An example ConfigMap object:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-tls-certs-cm
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  server.example.com: |
+    -----BEGIN CERTIFICATE-----
+    MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL
+    BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE
+    BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0
+    c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda
+    Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT
+    YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES
+    MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi
+    MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5
+    NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc
+    CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u
+    P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G
+    ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+
+    YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E
+    Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko
+    Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J
+    kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u
+    kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO
+    gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7
+    bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86
+    r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/
+    BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn
+    Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx
+    CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2
+    XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT
+    +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr
+    d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO
+    OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so
+    6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr
+    jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8
+    9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W
+    +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK
+    XWyb96wrUlv+E8I=
+    -----END CERTIFICATE-----
+
+```
+
+!!! note
+    The `argocd-tls-certs-cm` ConfigMap will be mounted as a volume at the mount path `/app/config/tls` in the pods of `argocd-server` and `argocd-repo-server`. It will create files for each data key in the mount path directory, so above example would leave the file `/app/config/tls/server.example.com`, which contains the certificate data. It might take a while for changes in the ConfigMap to be reflected in your pods, depending on your Kubernetes configuration. 
+
+### SSH known host public keys
+
+If you are connecting repositories via SSH, ArgoCD will need to know the SSH known hosts public key of the repository servers. You can manage the SSH known hosts data in the ConfigMap named `argocd-ssh-known-hosts-cm`. This ConfigMap contains a single key/value pair, with `ssh_known_hosts` as the key and the actual public keys of the SSH servers as data. As opposed to TLS configuration, the public key(s) of each single repository server ArgoCD will connect via SSH must be configured, otherwise the connections to the repository will fail. There is no fallback. The data can be copied from any existing `ssh_known_hosts` file, or from the output of the `ssh-keyscan` utility. The basic format is `<servername> <keydata>`, one entry per line.
+
+An example ConfigMap object:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-ssh-known-hosts-cm
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  ssh_known_hosts: |
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+    github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
+    gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
+    gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
+    ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
+    vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
+```
+
+!!! note
+    The `argocd-ssh-known-hosts-cm` ConfigMap will be mounted as a volume at the mount path `/app/config/ssh` in the pods of `argocd-server` and `argocd-repo-server`. It will create a file `ssh_known_hosts` in that directory, which contains the SSH known hosts data used by ArgoCD for connecting to Git repositories via SSH. It might take a while for changes in the ConfigMap to be reflected in your pods, depending on your Kubernetes configuration. 
+
 
 ## Clusters
 
@@ -309,6 +415,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-cm
+  namespace: argocd
 data:
   helm.repositories: |
     - url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts

docs/operator-manual/ingress.md

@@ -126,6 +126,10 @@ Neither ALBs and Classic ELB in HTTP mode, do not have full support for HTTP2/gR
 protocol used by the `argocd` CLI. Thus, when using an AWS load balancer, either Classic ELB in
 passthrough mode is needed, or NLBs.
 
+```shell
+$ argocd login <host>:<port> --grpc-web
+```
+
 
 ## UI Base Path
 

docs/operator-manual/metrics.md

@@ -43,7 +43,7 @@ metadata:
 spec:
   selector:
     matchLabels:
-      app.kubernetes.io/name: argocd-server-metrics
+      app.kubernetes.io/name: argocd-server
   endpoints:
   - port: metrics
 ```

docs/operator-manual/project.yaml

@@ -2,6 +2,7 @@ apiVersion: argoproj.io/v1alpha1
 kind: AppProject
 metadata:
   name: my-project
+  namespace: argocd
 spec:
   # Project description
   description: Example Project

docs/operator-manual/rbac.md

@@ -28,6 +28,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-rbac-cm
+  namespace: argocd
 data:
   policy.default: role:readonly
   policy.csv: |
@@ -40,3 +41,8 @@ data:
 
     g, your-github-org:your-team, role:org-admin
 ```
+
+## Anonymous Access
+
+THe anonymous access to Argo CD can be enabled using `users.anonymous.enabled` field in `argocd-cm` (see [./argocd-cm.yaml](argocd-cm.yaml)).
+The anonymous users get default role permissions specified argocd-rbac-cm.yaml.

docs/operator-manual/webhook.md

@@ -4,7 +4,7 @@
 
 Argo CD polls Git repositories every three minutes to detect changes to the manifests. To eliminate
 this delay from polling, the API server can be configured to receive webhook events. Argo CD supports
-Git webhook notifications from GitHub, GitLab, and BitBucket. The following explains how to configure
+Git webhook notifications from GitHub, GitLab, Bitbucket, Bitbucket Server and Gogs. The following explains how to configure
 a Git webhook for GitHub, but the same process should be applicable to other providers.
 
 ### 1. Create The WebHook In The Git Provider
@@ -27,11 +27,13 @@ accessible, then configuring a webhook secret is recommended to prevent a DDoS a
 In the `argocd-secret` kubernetes secret, configure one of the following keys with the Git
 provider's webhook secret configured in step 1.
 
-| Provider  | K8s Secret Key           |
-|---------- | ------------------------ |
-| GitHub    | `github.webhook.secret`  |
-| GitLab    | `gitlab.webhook.secret`  |
-| BitBucket | `bitbucket.webhook.uuid` |
+| Provider        | K8s Secret Key                   |
+|-----------------| ---------------------------------|
+| GitHub          | `webhook.github.secret`          |
+| GitLab          | `webhook.gitlab.secret`          |
+| BitBucket       | `webhook.bitbucket.uuid`         |
+| BitBucketServer | `webhook.bitbucketserver.secret` |
+| Gogs            | `webhook.gogs.secret`            |
 
 Edit the Argo CD kubernetes secret:
 
@@ -56,13 +58,19 @@ data:
 
 stringData:
   # github webhook secret
-  github.webhook.secret: shhhh! it's a github secret
+  webhook.github.secret: shhhh! it's a github secret
 
   # gitlab webhook secret
-  gitlab.webhook.secret: shhhh! it's a gitlab secret
+  webhook.gitlab.secret: shhhh! it's a gitlab secret
 
   # bitbucket webhook secret
-  bitbucket.webhook.uuid: your-bitbucket-uuid
+  webhook.bitbucket.uuid: your-bitbucket-uuid
+
+  # bitbucket server webhook secret
+  webhook.bitbucketserver.secret: shhhh! it's a bitbucket server secret
+
+  # gogs server webhook secret
+  webhook.gogs.secret: shhhh! it's a gogs server secret
 ```
 
 After saving, the changes should take affect automatically.

docs/user-guide/application_sources.md

@@ -1,9 +1,21 @@
 # Tools
 
+## Production
+
 Argo CD supports several different ways in which Kubernetes manifests can be defined:
 
 * [Kustomize](kustomize.md) applications
 * [Helm](helm.md) charts
 * [Ksonnet](ksonnet.md) applications
-* A directory of YAML/JSO/Jsonnet manifests
+* A directory of YAML/JSON/Jsonnet manifests
 * Any [custom config management tool](config-management-plugins.md) configured as a config management plugin
+
+## Development
+Argo CD also supports uploading local manifests directly. Since this is an anti-pattern of the
+GitOps paradigm, this should only be done for development purposes. A user with an `override` permission is required
+to upload manifests locally (typically an admin). All of the different Kubernetes deployment tools above are supported.
+To upload a local application:
+
+```bash
+$ argocd app sync APPNAME --local /path/to/dir/
+```

docs/user-guide/auto_sync.md

@@ -37,6 +37,7 @@ spec:
   syncPolicy:
     automated:
       prune: true
+      selfHeal: true
 ```
 
 ## Automated Sync Semantics
@@ -45,7 +46,10 @@ spec:
   Synced or error state will not attempt automated sync.
 * Automated sync will only attempt one synchronization per unique combination of commit SHA1 and
   application parameters. If the most recent successful sync in the history was already performed
-  against the same commit-SHA and parameters, a second sync will not be attempted.
+  against the same commit-SHA and parameters, a second sync will not be attempted, unless `selfHeal` flag is set to true.
+* If `selfHeal` flag is set to true then sync will be attempted again after self heal timeout (5 seconds by default)
+which is controller by `--self-heal-timeout-seconds` flag of `argocd-application-controller` deployment.
 * Automatic sync will not reattempt a sync if the previous sync attempt against the same commit-SHA
   and parameters had failed.
+
 * Rollback cannot be performed against an application with automated sync enabled.

docs/user-guide/compare-options.md

@@ -2,6 +2,8 @@
 
 ## Ignoring Resources That Are Extraneous
 
+>v1.1
+
 You may wish to exclude resources from the app's overall sync status under certain circumstances. E.g. if they are generated by a tool. This can be done by adding this annotation:
 
 ```yaml

docs/user-guide/config-management-plugins.md

@@ -18,9 +18,6 @@ data:
 ```
 
 The `generate` command must print a valid YAML stream to stdout. Both `init` and `generate` commands are executed inside the application source directory.
-Commands have access to system environment variables and following additional variables:
-
-`ARGOCD_APP_NAME` - name of application; `ARGOCD_APP_NAMESPACE` - destination application namespace
 
  * Create an application and specify required config management plugin name.
 
@@ -29,3 +26,26 @@ argocd app create <appName> --config-management-plugin <pluginName>
 ```
 
 More config management plugin examples are available in [argocd-example-apps](https://github.com/argoproj/argocd-example-apps/tree/master/plugins).
+
+## Environment
+
+Commands have access to
+
+(1) The system environment variables
+(2) Argo CD  environment variables:
+
+* `ARGOCD_APP_NAME` - name of application
+* `ARGOCD_APP_NAMESPACE` - destination application namespace.
+
+(3) Variables in the application spec:
+
+> v1.2
+
+```yaml
+spec:
+  source:
+    plugin:
+      env:
+        - name: FOO
+          value: bar
+```

docs/user-guide/helm.md

@@ -43,15 +43,8 @@ source:
       releaseName: myRelease
 ```
 
-```diff
-- Important notice on overriding the release name
-```
-Please not that overriding the Helm release name might cause problems when the chart you are deploying is using the `app.kubernetes.io/instance` label. 
-ArgoCD injects this label with the value of the Application name for tracking purposes. So when overriding the release name, the Application name will 
-stop being equal to the release name. Because ArgoCD will overwrite the label with the Application name it might cause some selectors on the resources 
-to stop working. In order to avoid this we can configure ArgoCD to use another label for tracking in the [ArgoCD configmap argocd-cm.yaml](./../operator-manual/argocd-cm.yaml) - 
-check the lines describing `application.instanceLabelKey`
-
+!!! warning "Important notice on overriding the release name"
+    Please note that overriding the Helm release name might cause problems when the chart you are deploying is using the `app.kubernetes.io/instance` label. ArgoCD injects this label with the value of the Application name for tracking purposes. So when overriding the release name, the Application name will stop being equal to the release name. Because ArgoCD will overwrite the label with the Application name it might cause some selectors on the resources to stop working. In order to avoid this we can configure ArgoCD to use another label for tracking in the [ArgoCD configmap argocd-cm.yaml](./../operator-manual/argocd-cm.yaml) - check the lines describing `application.instanceLabelKey`.
 
 ## Helm Hooks
 

docs/user-guide/kustomize.md

@@ -1,14 +1,9 @@
 # Kustomize
 
-!!! warning Kustomize 1 vs 2
-    Argo CD supports both versions, and auto-detects then by looking for `apiVersion/kind` is `kustomize.yaml`. 
-    You're probably using version 2 now, so make sure you you have those fields.
-    
 You have three configuration options for Kustomize:
 
 * `namePrefix` is a prefix appended to resources for Kustomize apps
-* `imageTags` is a list of Kustomize 1.0 image tag overrides
-* `images` is a list of Kustomize 2.0 image overrides
+* `images` is a list of Kustomize image overrides
     
 To use Kustomize with an overlay, point your path to the overlay.
 
@@ -22,3 +17,17 @@ If you have remote bases that are either (a) HTTPS and need username/password (b
 This will work if the remote bases uses the same credentials/private key. It will not work if they use different ones. For security reasons your app only ever knows about it's own repo (not other team's or users repos), and so you won't be able to access other private repo, even if Argo CD knows about them.
 
 Read more about [private repos](private-repositories.md).
+
+## `kustomize build` Options/Parameters
+
+To provide build options to `kustomize build` add a property to the ArgoCD CM under data:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+  namespace: argocd
+data:
+    kustomize.buildOptions: --load_restrictor none
+```

docs/user-guide/private-repositories.md

@@ -6,7 +6,7 @@ If application manifests are located in private repository then repository crede
 
 ### HTTPS Username And Password Credential
 
-Private repositories that require a username and password typically have a URL that start with "https://" rather than "git@" or "ssh://". 
+Private repositories that require a username and password typically have a URL that start with `https://` rather than `git@` or `ssh://`. 
 
 Credentials can be configured using Argo CD CLI:
 
@@ -16,6 +16,22 @@ argocd repo add https://github.com/argoproj/argocd-example-apps --username <user
 
 or UI:
 
+> v1.2 or later
+
+1. Navigate to `Settings/Repositories`
+
+    ![connect repo overview](../assets/repo-add-overview.png)
+
+1. Click `Connect Repo using HTTPS` button and enter credentials 
+
+    ![connect repo](../assets/repo-add-https.png)
+
+    *Note: username in screenshot is for illustration purposes only , we have no relationship to this GitHub account should it exists*
+
+1. Click `Connect` to test the connection and have the repository added 
+
+> earlier than v1.2
+
 1. Navigate to `Settings/Repositories`
 1. Click `Connect Repo` button and enter HTTP credentials
 
@@ -29,11 +45,61 @@ Instead of using username and password you might use access token. Following ins
 * [Gitlab](https://docs.gitlab.com/ee/user/project/deploy_tokens/)
 * [Bitbucket](https://confluence.atlassian.com/bitbucketserver/personal-access-tokens-939515499.html)
 
-Then, connect the repository using an empty string as a username and access token value as a password.
+Then, connect the repository using any non-empty string as username and the access token value as a password. 
+
+!!!note
+    For some services, you might have to specify your account name as the username instead of any string.
+
+### TLS Client Certificates for HTTPS repositories
+
+> v1.2 and later
+
+If your repository server requires you to use TLS client certificates for authentication, you can configure ArgoCD repositories to make use of them. For this purpose, `--tls-client-cert-path` and `--tls-client-cert-key-path` switches to the `argocd repo add` command can be used to specify the files on your local system containing client certificate and the corresponding key, respectively:
+
+```
+argocd repo add https://repo.example.com/repo.git --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
+```
+
+Of course, you can also use this in combination with the `--username` and `--password` switches, if your repository server should require this. The options `--tls-client-cert-path` and `--tls-client-cert-key-path` must always be specified together.
+
+Your TLS client certificate and corresponding key can also be configured using the UI, see instructions for adding Git repos using HTTPS.
+
+!!! note
+    Your client certificate and key data must be in PEM format, other formats (such as PKCS12) are not understood. Also make sure that your certificate's key is not password protected, otherwise it cannot be used by ArgoCD.
+
+!!! note
+    When pasting TLS client certificate and key in the text areas in the web UI, make sure they contain no unintended line breaks or additional characters.
 
 ### SSH Private Key Credential
 
-Private repositories that require an SSH private key have a URL that typically start with "git@" or "ssh://" rather than "https://".  
+Private repositories that require an SSH private key have a URL that typically start with `git@` or `ssh://` rather than `https://`.  
+
+> v1.2 or later
+
+You can configure your Git repository using HTTPS either using the CLI or the UI.
+
+Using the CLI:
+
+```
+argocd repo add git@github.com:argoproj/argocd-example-apps.git --ssh-private-key-path ~/.ssh/id_rsa
+```
+
+Using the UI:
+
+1. Navigate to `Settings/Repositories`
+
+    ![connect repo overview](../assets/repo-add-overview.png)
+
+1. Click `Connect Repo using SSH` button, enter the URL and paste the SSH private key 
+
+    ![connect repo](../assets/repo-add-ssh.png)
+
+1. Click `Connect` to test the connection and have the repository added 
+
+!!!note
+    When pasting SSH private key in the UI, make sure there are no unintended line breaks or additional characters in the text area
+
+> earlier than v1.2
 
 The Argo CD UI don't support configuring SSH credentials. The SSH credentials can only be configured using the Argo CD CLI:
 
@@ -43,6 +109,88 @@ argocd repo add git@github.com:argoproj/argocd-example-apps.git --ssh-private-ke
 
 ## Self-signed & Untrusted TLS Certificates
 
+> v1.2 or later
+
+If you are connecting a repository on a HTTPS server using a self-signed certificate, or a certificate signed by a custom Certificate Authority (CA) which are not known to ArgoCD, the repository will not be added due to security reasons. This is indicated by an error message such as `x509: certificate signed by unknown authority`.
+
+1. You can let ArgoCD connect the repository in an insecure way, without verifying the server's certificate at all. This can be accomplished by using the `--insecure-skip-server-verification` flag when adding the repository with the `argocd` CLI utility. However, this should be done only for non-production setups, as it imposes a serious security issue through possible man-in-the-middle attacks.
+
+2. You can configure ArgoCD to use a custom certificate for the verification of the server's certificate using the `cert add-tls` command of the `argocd` CLI utility. This is the recommended method and suitable for production use. In order to do so, you will need the server's certificate, or the certificate of the CA used to sign the server's certificate, in PEM format.
+
+!!! note
+    For invalid server certificates, such as those without matching server name, or those that are expired, adding a CA certificate will not help. In this case, your only option will be to use the `--insecure-skip-server-verification` flag to connect the repository. You are strongly urged to use a valid certificate on the repository server, or to urge the server's administrator to replace the faulty certificate with a valid one.
+
+!!! note
+    TLS certificates are configured on a per-server, not on a per-repository basis. If you connect multiple repositories from the same server, you only have to configure the certificates once for this server.
+
+!!! note
+    It can take up to a couple of minutes until the changes performed by the `argocd cert` command are propagated across your cluster, depending on your Kubernetes setup.
+
+### Managing TLS certificates using the CLI
+
+You can list all configured TLS certificates by using the `argocd cert list` command using the `--cert-type https` modifier:
+
+```bash
+$ argocd cert list --cert-type https
+HOSTNAME      TYPE   SUBTYPE  FINGERPRINT/SUBJECT
+docker-build  https  rsa      CN=ArgoCD Test CA
+localhost     https  rsa      CN=localhost
+```
+
+Example for adding  a HTTPS repository to ArgoCD without verifying the server's certificate (**Caution:** This is **not** recommended for production use):
+
+```bash
+argocd repo add --insecure-skip-server-verification https://git.example.com/test-repo
+
+```
+
+Example for adding a CA certificate contained in file `~/myca-cert.pem` to properly verify the repository server:
+
+```bash
+argocd cert add-tls git.example.com --from ~/myca-cert.pem
+argocd repo add https://git.example.com/test-repo
+```
+
+You can also add more than one PEM for a server by concatenating them into the input stream. This might be useful if the repository server is about to replace the server certificate, possibly with one signed by a different CA. This way, you can have the old (current) as well as the new (future) certificate co-existing. If you already have the old certificate configured, use the `--upsert` flag and add the old and the new one in a single run:
+
+```bash
+cat cert1.pem cert2.pem | argocd cert add-tls git.example.com --upsert
+```
+
+!!! note
+    To replace an existing certificate for a server, use the `--upsert` flag to the `cert add-tls` CLI command. 
+
+Finally, TLS certificates can be removed using the `argocd cert rm` command with the `--cert-type https` modifier:
+
+```bash
+argocd cert rm --cert-type https localhost
+```
+
+### Managing TLS certificates using the ArgoCD web UI
+
+It is possible to add and remove TLS certificates using the ArgoCD web UI:
+
+1. In the navigation pane to the left, click on "Settings" and choose "Certificates" from the settings menu
+
+1. The following page lists all currently configured certificates and provides you with the option to add either a new TLS certificate or SSH known entries: 
+
+    ![manage certificates](../assets/cert-management-overview.png)
+
+1. Click on "Add TLS certificate", fill in relevant data and click on "Create". Take care to specify only the FQDN of your repository server (not the URL) and that you C&P the complete PEM of your TLS certificate into the text area field, including the `----BEGIN CERTIFICATE----` and `----END CERTIFICATE----` lines:
+
+    ![add tls certificate](../assets/cert-management-add-tls.png)
+
+1. To remove a certificate, click on the small three-dotted button next to the certificate entry, select "Remove" from the pop-up menu and confirm the removal in the following dialogue.
+
+    ![remove certificate](../assets/cert-management-remove.png)
+
+### Managing TLS certificates using declarative configuration
+
+You can also manage TLS certificates in a declarative, self-managed ArgoCD setup. All TLS certificates are stored in the ConfigMap object `argocd-tls-cert-cm`.
+Please refer to the [Operator Manual](../../operator-manual/declarative-setup/#repositories-using-self-signed-tls-certificates-or-are-signed-by-custom-ca) for more information.
+
+> Before v1.2
+
 We do not currently have first-class support for this. See [#1513](https://github.com/argoproj/argo-cd/issues/1513).
 
 As a work-around, you can customize your Argo CD image. See [#1344](https://github.com/argoproj/argo-cd/issues/1344#issuecomment-479811810)
@@ -50,6 +198,86 @@ As a work-around, you can customize your Argo CD image. See [#1344](https://gith
 ## Unknown SSH Hosts
 
 If you are using a privately hosted Git service over SSH, then you have the following  options:
+
+> v1.2 or later
+
+1. You can let ArgoCD connect the repository in an insecure way, without verifying the server's SSH host key at all. This can be accomplished by using the `--insecure-skip-server-verification` flag when adding the repository with the `argocd` CLI utility. However, this should be done only for non-production setups, as it imposes a serious security issue through possible man-in-the-middle attacks.
+
+2. You can make the server's SSH public key known to ArgoCD by using the `cert add-ssh` command of the `argocd` CLI utility. This is the recommended method and suitable for production use. In order to do so, you will need the server's SSH public host key, in the `known_hosts` format understood by `ssh`. You can get the server's public SSH host key e.g. by using the `ssh-keyscan` utility.
+
+!!! note
+    It can take up to a couple of minutes until the changes performed by the `argocd cert` command are propagated across your cluster, depending on your Kubernetes setup.
+  
+!!! note
+    When importing SSH known hosts key from a `known_hosts` file, the hostnames or IP addresses in the input data must **not** be hashed. If your `known_hosts` file contains hashed entries, it cannot be used as input source for adding SSH known hosts - neither in the CLI nor in the UI. If you absolutely wish to use hashed known hosts data, the only option will be using declarative setup (see below). Be aware that this will break CLI and UI certificate management, so it is generally not recommended.
+
+### Managing SSH Known Hosts using the CLI
+
+You can list all configured SSH known host entries using the `argocd cert list` command with the `--cert-type ssh` modifier:
+
+```bash
+$ argocd cert list --cert-type ssh
+HOSTNAME                 TYPE  SUBTYPE              FINGERPRINT/SUBJECT
+bitbucket.org            ssh   ssh-rsa              SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A
+github.com               ssh   ssh-rsa              SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
+gitlab.com               ssh   ecdsa-sha2-nistp256  SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
+gitlab.com               ssh   ssh-ed25519          SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8
+gitlab.com               ssh   ssh-rsa              SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ
+ssh.dev.azure.com        ssh   ssh-rsa              SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og
+vs-ssh.visualstudio.com  ssh   ssh-rsa              SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og
+```
+
+For adding SSH known host entries, the `argocd cert add-ssh` command can be used. You can either add from a file (using the `--from <file>` modifier), or by reading `stdin` when the `--batch` modifier was specified. In both cases, input must be in `known_hosts` format as understood by the OpenSSH client.
+
+Example for adding all available SSH public host keys for a server to ArgoCD, as collected by `ssh-keyscan`:
+
+```bash
+ssh-keyscan server.example.com | argocd cert add-ssh --batch 
+
+```
+
+Example for importing an existing `known_hosts` file to ArgoCD:
+
+```bash
+argocd cert add-ssh --batch --from /etc/ssh/ssh_known_hosts
+```
+
+Finally, SSH known host entries can be removed using the `argocd cert rm` command with the `--cert-type ssh` modifier:
+
+```bash
+argocd cert rm bitbucket.org --cert-type ssh
+```
+
+If you have multiple SSH known host entries for a given host with different key sub-types (e.g. as for gitlab.com in the example above, there are keys of sub-types `ssh-rsa`, `ssh-ed25519` and `ecdsa-sha2-nistp256`) and you want to only remove one of them, you can further narrow down the selection using the `--cert-sub-type` modifier:
+
+```bash
+argocd cert rm gitlab.com --cert-type ssh --cert-sub-type ssh-ed25519
+```
+
+### Managing SSH known hosts data using the ArgoCD web UI
+
+It is possible to add and remove SSH known hosts entries using the ArgoCD web UI:
+
+1. In the navigation pane to the left, click on "Settings" and choose "Certificates" from the settings menu
+
+1. The following page lists all currently configured certificates and provides you with the option to add either a new TLS certificate or SSH known entries: 
+
+    ![manage certificates](../assets/cert-management-overview.png)
+
+1. Click on "Add SSH known hosts" and paste your SSH known hosts data in the following mask. **Important**: Make sure there are no line breaks in the entries (key data) when you paste the data. Afterwards, click on "Create".
+
+    ![manage ssh known hosts](../assets/cert-management-add-ssh.png)
+
+1. To remove a certificate, click on the small three-dotted button next to the certificate entry, select "Remove" from the pop-up menu and confirm the removal in the following dialogue.
+
+    ![remove certificate](../assets/cert-management-remove.png)
+
+### Managing SSH known hosts data using declarative setup
+
+You can also manage SSH known hosts entries in a declarative, self-managed ArgoCD setup. All SSH public host keys are stored in the ConfigMap object `argocd-ssh-known-hosts-cm`. For more details, please refer to the [Operator Manual](../../operator-manual/declarative-setup/#ssh-known-host-public-keys)
+
+> Before v1.2
+
  
 (1) You can customize the Argo CD Docker image by adding the host's SSH public key to `/etc/ssh/ssh_known_hosts`. Additional entries to this file can be generated using the `ssh-keyscan` utility (e.g. `ssh-keyscan your-private-git-server.com`. For more information see [example](https://github.com/argoproj/argo-cd/tree/master/examples/known-hosts) which demonstrates how `/etc/ssh/ssh_known_hosts` can be customized.
 
@@ -71,5 +299,5 @@ argocd repo add git@github.com:argoproj/argocd-example-apps.git --ssh-private-ke
 
 ## Declarative Configuration
 
-See [declarative setup](../operator-manual/declarative-setup#Repositories)
+See [declarative setup](../../operator-manual/declarative-setup#Repositories)
 

docs/user-guide/projects.md

@@ -89,6 +89,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: argocd-rbac-cm
+  namespace: argocd
 data:
   policy.default: ""
   policy.csv: |

docs/user-guide/resource_hooks.md

@@ -12,6 +12,7 @@ and after a Sync operation. Some use cases for hooks are:
 * Using a `Sync` hook to orchestrate a complex deployment requiring more sophistication than the
 kubernetes rolling update strategy (e.g. a blue/green deployment).
 * Using a `PostSync` hook to run integration and health checks after a deployment.
+* Using a `SyncFail` hook to run clean-up or finalizer logic if a Sync operation fails.
 
 ## Usage
 Hooks are simply kubernetes manifests annotated with the `argocd.argoproj.io/hook` annotation. To
@@ -41,6 +42,7 @@ The following hooks are defined:
 | `Sync`  | Executes after all `PreSync` hooks completed and were successful. Occurs in conjuction with the apply of the manifests. |
 | `Skip` | Indicates to Argo CD to skip the apply of the manifest. This is typically used in conjunction with a `Sync` hook which is presumably handling the deployment in an alternate way (e.g. blue-green deployment) |
 | `PostSync` | Executes after all `Sync` hooks completed and were successful, a succcessful apply, and all resources in a `Healthy` state. |
+| `SyncFail` | Executes if and only if any part of the Sync operation fails. |
 
 
 ## Selective Sync

docs/user-guide/status-badge.md

@@ -0,0 +1,17 @@
+# Status Badge
+
+> v1.2
+
+Argo CD can display a badge with health and sync status for any application. The feature is disabled by default because badge image is available to any user without authentication.
+The feature can be enabled using `statusbadge.enabled` key of `argocd-cm` ConfigMap (see [argocd-cm.yaml](../operator-manual/argocd-cm.yaml)).
+
+![healthy and synced](../assets/status-badge-healthy-synced.png)
+
+To show this badge, use the following URL format `${argoCdBaseUrl}/api/badge?name=${appName}`, e.g. http://localhost:8080/api/badge?name=guestbook.
+The URLs for status image are available on application details page:
+
+1. Navigate to application details page and click on 'Details' button.
+1. Scroll down to 'Status Badge' section.
+1. Select required template such as URL, Markdown etc.
+for the status image URL in markdown, html, etc are available .
+1. Copy the text and paste it into your README or website.

docs/user-guide/sync-options.md

@@ -2,6 +2,8 @@
 
 ## No Prune Resources
 
+>v1.1
+
 You may wish to prevent an object from being pruned:
 
 ```yaml
@@ -19,6 +21,20 @@ The sync-status panel shows that pruning was skipped, and why:
 
 ![sync option no prune](../assets/sync-option-no-prune-sync-status.png)
 
-!!! note
-    The app will be out of sync if Argo CD expects a resource to be pruned. You may wish to use this along with [compare options](compare-options.md).
+The app will be out of sync if Argo CD expects a resource to be pruned. You may wish to use this along with [compare options](compare-options.md).
 
+## Disable Kubectl Validation
+
+>v1.2
+
+For a certain class of objects, it is necessary to `kubectl apply` them using the `--validate=false` flag. Examples of this are kubernetes types which uses `RawExtension`, such as [ServiceCatalog](https://github.com/kubernetes-incubator/service-catalog/blob/master/pkg/apis/servicecatalog/v1beta1/types.go#L497). You can do using this annotations:
+
+
+```yaml
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: Validate=false
+```
+
+If you want to exclude a whole class of objects globally, consider setting `resource.customizations` in [system level configuation](../user-guide/diffing.md#system-level-configuration). 
+    

docs/user-guide/sync-waves.md

@@ -1,5 +1,7 @@
 # Sync Phases and Waves
 
+>v1.1
+
 <iframe width="560" height="315" src="https://www.youtube.com/embed/zIHe3EVp528" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
 
 Argo CD executes a sync operation in a number of steps. At a high-level, there are three phases *pre-sync*, *sync* and *post-sync*.  

errors/errors.go

@@ -11,6 +11,10 @@ func CheckError(err error) {
 	}
 }
 
-func FailOnErr(_ interface{}, err error) {
+// panics if there is an error.
+// This returns the first value so you can use it if you cast it:
+// text := FailOrErr(Foo)).(string)
+func FailOnErr(v interface{}, err error) interface{} {
 	CheckError(err)
+	return v
 }

hack/.dockerignore

@@ -0,0 +1 @@
+Dockerfile.dev-tools

hack/Dockerfile.dev-tools

@@ -0,0 +1,60 @@
+FROM golang:1.12.6 as builder
+
+ENV KUSTOMIZE_VERSION=2.0.3
+RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
+    chmod +x /usr/local/bin/kustomize && \
+    kustomize version
+
+ADD . /src
+
+WORKDIR /src
+
+RUN GO111MODULE=on go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.0-alpha.2 && \
+    GO111MODULE=on go get github.com/gobuffalo/packr/packr@v1.30.1 && \
+    GO111MODULE=on go get github.com/gogo/protobuf/gogoproto@v1.2.1 && \
+    GO111MODULE=on go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.0-beta.2 && \
+    GO111MODULE=on go get github.com/golang/protobuf/protoc-gen-go@v1.3.1 && \
+    GO111MODULE=on go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.17.1 && \
+    GO111MODULE=on go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway@v1.9.2 && \
+    GO111MODULE=on go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger@v1.9.2 && \
+    GO111MODULE=on go get github.com/jstemmer/go-junit-report@v0.0.0-20190106144839-af01ea7f8024 && \
+    GO111MODULE=on go get github.com/mattn/goreman@v0.2.1 && \
+    GO111MODULE=on go get golang.org/x/tools/cmd/goimports@v0.0.0-20190627203933-19ff4fff8850
+
+ENV KUSTOMIZE_VERSION=2.0.3
+RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
+    chmod +x /usr/local/bin/kustomize && \
+    kustomize version
+
+# Install helm
+ENV HELM_VERSION=2.12.1
+RUN wget https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
+    tar -C /tmp/ -xf helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
+    mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
+    helm version --client
+
+RUN mkdir -p /home/user && chmod 777 /home/user
+RUN HELM_HOME=/home/user/.helm helm init --client-only
+
+RUN apt-get update && apt-get install -y \
+    zip && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+RUN curl -sLf -C - -o /tmp/swagger https://github.com/go-swagger/go-swagger/releases/download/v0.19.0/swagger_linux_amd64 && \
+    cp /tmp/swagger /usr/local/bin/swagger && \
+    chmod +x /usr/local/bin/swagger && \
+    swagger version
+
+RUN curl -sLf -C - -o /tmp/protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v3.7.1/protoc-3.7.1-linux-x86_64.zip && \
+    unzip /tmp/protoc.zip bin/protoc -d /usr/local/ && \
+    chmod +x /usr/local/bin/protoc && \
+    unzip /tmp/protoc.zip include/* -d /usr/local/ && \
+    protoc --version
+
+RUN curl -sLf -C - -o /tmp/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
+    cp /tmp/jq /usr/local/bin/jq && \
+    chmod +x /usr/local/bin/jq && \
+    jq --version
+
+RUN mkdir -p /go/pkg && chmod 777 /go/pkg

hack/gen-crd-spec/main.go

@@ -0,0 +1,120 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"strings"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application"
+	"github.com/argoproj/argo-cd/util/kube"
+
+	"github.com/ghodss/yaml"
+	extensionsobj "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+var (
+	kindToCRDPath = map[string]string{
+		application.ApplicationFullName: "manifests/crds/application-crd.yaml",
+		application.AppProjectFullName:  "manifests/crds/appproject-crd.yaml",
+	}
+)
+
+func getCustomResourceDefinitions() map[string]*extensionsobj.CustomResourceDefinition {
+	crdYamlBytes, err := exec.Command(
+		"controller-gen",
+		"paths=./pkg/apis/application/...",
+		"crd:trivialVersions=true",
+		"output:crd:stdout",
+	).Output()
+	checkErr(err)
+
+	// clean up stuff left by controller-gen
+	deleteFile("config/webhook/manifests.yaml")
+	deleteFile("config/webhook")
+	deleteFile("config")
+
+	objs, err := kube.SplitYAML(string(crdYamlBytes))
+	checkErr(err)
+	crds := make(map[string]*extensionsobj.CustomResourceDefinition)
+	for i := range objs {
+		un := objs[i]
+
+		// We need to completely remove validation of problematic fields such as creationTimestamp,
+		// which get marshalled to `null`, but are typed as as a `string` during Open API validation
+		removeValidataion(un, "metadata.creationTimestamp")
+
+		crd := toCRD(un)
+		crd.Labels = map[string]string{
+			"app.kubernetes.io/name":    crd.Name,
+			"app.kubernetes.io/part-of": "argocd",
+		}
+		crd.Spec.Scope = "Namespaced"
+		crds[crd.Name] = crd
+	}
+	return crds
+}
+
+func deleteFile(path string) {
+	if _, err := os.Stat(path); os.IsNotExist(err) {
+		return
+	}
+	checkErr(os.Remove(path))
+}
+
+func removeValidataion(un *unstructured.Unstructured, path string) {
+	schemaPath := []string{"spec", "validation", "openAPIV3Schema"}
+	for _, part := range strings.Split(path, ".") {
+		schemaPath = append(schemaPath, "properties", part)
+	}
+	unstructured.RemoveNestedField(un.Object, schemaPath...)
+}
+
+func toCRD(un *unstructured.Unstructured) *extensionsobj.CustomResourceDefinition {
+	unBytes, err := json.Marshal(un)
+	checkErr(err)
+
+	var crd extensionsobj.CustomResourceDefinition
+	err = json.Unmarshal(unBytes, &crd)
+	checkErr(err)
+
+	return &crd
+}
+
+func checkErr(err error) {
+	if err != nil {
+		panic(err)
+	}
+}
+
+func main() {
+	crds := getCustomResourceDefinitions()
+	for kind, path := range kindToCRDPath {
+		crd := crds[kind]
+		if crd == nil {
+			panic(fmt.Sprintf("CRD of kind %s was not generated", kind))
+		}
+
+		jsonBytes, err := json.Marshal(crd)
+		checkErr(err)
+
+		var r unstructured.Unstructured
+		err = json.Unmarshal(jsonBytes, &r.Object)
+		checkErr(err)
+
+		// clean up crd yaml before marshalling
+		unstructured.RemoveNestedField(r.Object, "status")
+		unstructured.RemoveNestedField(r.Object, "metadata", "creationTimestamp")
+		jsonBytes, err = json.MarshalIndent(r.Object, "", "    ")
+		checkErr(err)
+
+		yamlBytes, err := yaml.JSONToYAML(jsonBytes)
+		checkErr(err)
+
+		err = ioutil.WriteFile(path, yamlBytes, 0644)
+		checkErr(err)
+	}
+}

hack/generate-proto.sh

@@ -65,15 +65,8 @@ go build -i -o dist/protoc-gen-swagger ./vendor/github.com/grpc-ecosystem/grpc-g
 # Generate server/<service>/(<service>.pb.go|<service>.pb.gw.go)
 PROTO_FILES=$(find $PROJECT_ROOT \( -name "*.proto" -and -path '*/server/*' -or -path '*/reposerver/*' -and -name "*.proto" \) | sort)
 for i in ${PROTO_FILES}; do
-    # Path to the google API gateway annotations.proto will be different depending if we are
-    # building natively (e.g. from workspace) vs. part of a docker build.
-    if [ -f /.dockerenv ]; then
-        GOOGLE_PROTO_API_PATH=$GOPATH/src/github.com/grpc-ecosystem/grpc-gateway/third_party/googleapis
-        GOGO_PROTOBUF_PATH=$GOPATH/src/github.com/gogo/protobuf
-    else
-        GOOGLE_PROTO_API_PATH=${PROJECT_ROOT}/vendor/github.com/grpc-ecosystem/grpc-gateway/third_party/googleapis
-        GOGO_PROTOBUF_PATH=${PROJECT_ROOT}/vendor/github.com/gogo/protobuf
-    fi
+    GOOGLE_PROTO_API_PATH=${PROJECT_ROOT}/vendor/github.com/grpc-ecosystem/grpc-gateway/third_party/googleapis
+    GOGO_PROTOBUF_PATH=${PROJECT_ROOT}/vendor/github.com/gogo/protobuf
     protoc \
         -I${PROJECT_ROOT} \
         -I/usr/local/include \
@@ -121,7 +114,7 @@ clean_swagger() {
     /usr/bin/find "${SWAGGER_ROOT}" -name '*.swagger.json' -delete
 }
 
-collect_swagger server 24
+collect_swagger server 26
 clean_swagger server
 clean_swagger reposerver
 clean_swagger controller

hack/go.mod

@@ -0,0 +1,14 @@
+module _/tmp
+
+go 1.11
+
+require (
+	github.com/gobuffalo/packr v1.30.1 // indirect
+	github.com/golang/protobuf v1.3.1 // indirect
+	github.com/golangci/golangci-lint v1.17.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway v1.9.2 // indirect
+	github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 // indirect
+	github.com/mattn/goreman v0.2.1 // indirect
+	golang.org/x/tools v0.0.0-20190627203933-19ff4fff8850 // indirect
+	sigs.k8s.io/controller-tools v0.2.0-beta.2 // indirect
+)

hack/go.sum

@@ -0,0 +1,331 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/OpenPeeDeeP/depguard v0.0.0-20180806142446-a69c782687b2 h1:HTOmFEEYrWi4MW5ZKUx6xfeyM10Sx3kQF65xiQJMPYA=
+github.com/OpenPeeDeeP/depguard v0.0.0-20180806142446-a69c782687b2/go.mod h1:7/4sitnI9YlQgTLLk734QlzXT8DuHVnAyztLplQjk+o=
+github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
+github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
+github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fatih/color v1.6.0 h1:66qjqZk8kalYAvDRtM1AdAJQI0tj4Wrue3Eq3B3pmFU=
+github.com/fatih/color v1.6.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-critic/go-critic v0.0.0-20181204210945-1df300866540 h1:7CU1IXBpPvxpQ/NqJrpuMXMHAw+FB2vfqtRF8tgW9fw=
+github.com/go-critic/go-critic v0.0.0-20181204210945-1df300866540/go.mod h1:+sE8vrLDS2M0pZkBk0wy6+nLdKexVDrl/jBqQOTDThA=
+github.com/go-lintpack/lintpack v0.5.2 h1:DI5mA3+eKdWeJ40nU4d6Wc26qmdG8RCi/btYq0TuRN0=
+github.com/go-lintpack/lintpack v0.5.2/go.mod h1:NwZuYi2nUHho8XEIZ6SIxihrnPoqBTDqfpXvXAN0sXM=
+github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
+github.com/go-toolsmith/astcast v1.0.0 h1:JojxlmI6STnFVG9yOImLeGREv8W2ocNUM+iOhR6jE7g=
+github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4=
+github.com/go-toolsmith/astcopy v1.0.0 h1:OMgl1b1MEpjFQ1m5ztEO06rz5CUd3oBv9RF7+DyvdG8=
+github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ=
+github.com/go-toolsmith/astequal v0.0.0-20180903214952-dcb477bfacd6/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY=
+github.com/go-toolsmith/astequal v1.0.0 h1:4zxD8j3JRFNyLN46lodQuqz3xdKSrur7U/sr0SDS/gQ=
+github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY=
+github.com/go-toolsmith/astfmt v0.0.0-20180903215011-8f8ee99c3086/go.mod h1:mP93XdblcopXwlyN4X4uodxXQhldPGZbcEJIimQHrkg=
+github.com/go-toolsmith/astfmt v1.0.0 h1:A0vDDXt+vsvLEdbMFJAUBI/uTbRw1ffOPnxsILnFL6k=
+github.com/go-toolsmith/astfmt v1.0.0/go.mod h1:cnWmsOAuq4jJY6Ct5YWlVLmcmLMn1JUPuQIHCY7CJDw=
+github.com/go-toolsmith/astinfo v0.0.0-20180906194353-9809ff7efb21/go.mod h1:dDStQCHtmZpYOmjRP/8gHHnCCch3Zz3oEgCdZVdtweU=
+github.com/go-toolsmith/astp v0.0.0-20180903215135-0af7e3c24f30/go.mod h1:SV2ur98SGypH1UjcPpCatrV5hPazG6+IfNHbkDXBRrk=
+github.com/go-toolsmith/astp v1.0.0 h1:alXE75TXgcmupDsMK1fRAy0YUzLzqPVvBKoyWV+KPXg=
+github.com/go-toolsmith/astp v1.0.0/go.mod h1:RSyrtpVlfTFGDYRbrjyWP1pYu//tSFcvdYrA8meBmLI=
+github.com/go-toolsmith/pkgload v0.0.0-20181119091011-e9e65178eee8/go.mod h1:WoMrjiy4zvdS+Bg6z9jZH82QXwkcgCBX6nOfnmdaHks=
+github.com/go-toolsmith/pkgload v1.0.0/go.mod h1:5eFArkbO80v7Z0kdngIxsRXRMTaX4Ilcwuh3clNrQJc=
+github.com/go-toolsmith/strparse v1.0.0 h1:Vcw78DnpCAKlM20kSbAyO4mPfJn/lyYA4BJUDxe2Jb4=
+github.com/go-toolsmith/strparse v1.0.0/go.mod h1:YI2nUKP9YGZnL/L1/DLFBfixrcjslWct4wyljWhSRy8=
+github.com/go-toolsmith/typep v1.0.0 h1:zKymWyA1TRYvqYrYDrfEMZULyrhcnGY3x7LDKU2XQaA=
+github.com/go-toolsmith/typep v1.0.0/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU=
+github.com/gobuffalo/envy v1.6.5/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ=
+github.com/gobuffalo/envy v1.6.15 h1:OsV5vOpHYUpP7ZLS6sem1y40/lNX1BZj+ynMiRi21lQ=
+github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
+github.com/gobuffalo/envy v1.7.0 h1:GlXgaiBkmrYMHco6t4j7SacKO4XUjvh5pwXh0f4uxXU=
+github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
+github.com/gobuffalo/logger v1.0.0 h1:xw9Ko9EcC5iAFprrjJ6oZco9UpzS5MQ4jAwghsLHdy4=
+github.com/gobuffalo/logger v1.0.0/go.mod h1:2zbswyIUa45I+c+FLXuWl9zSWEiVuthsk8ze5s8JvPs=
+github.com/gobuffalo/packd v0.3.0 h1:eMwymTkA1uXsqxS0Tpoop3Lc0u3kTfiMBE6nKtQU4g4=
+github.com/gobuffalo/packd v0.3.0/go.mod h1:zC7QkmNkYVGKPw4tHpBQ+ml7W/3tIebgeo1b36chA3Q=
+github.com/gobuffalo/packr v1.30.1 h1:hu1fuVR3fXEZR7rXNW3h8rqSML8EVAf6KNm0NKO/wKg=
+github.com/gobuffalo/packr v1.30.1/go.mod h1:ljMyFO2EcrnzsHsN99cvbq055Y9OhRrIaviy289eRuk=
+github.com/gobuffalo/packr/v2 v2.5.1 h1:TFOeY2VoGamPjQLiNDT3mn//ytzk236VMO2j7iHxJR4=
+github.com/gobuffalo/packr/v2 v2.5.1/go.mod h1:8f9c96ITobJlPzI44jj+4tHnEKNt0xXWSVlXRN9X1Iw=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.0.0 h1:HzcpUG60pfl43n9d2qbdi/3l1uKpAmxlfWEPWtV/QxM=
+github.com/golang/mock v1.0.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.1.1 h1:G5FRp8JnTd7RQH5kemVNlMeyXQAztQ3mOWV95KxsXH8=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 h1:23T5iq8rbUYlhpt5DB4XJkc6BU31uODLD1o1gKvZmD0=
+github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4=
+github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9uMCefW1WDie15eSP/4MssdenaM=
+github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk=
+github.com/golangci/errcheck v0.0.0-20181003203344-ef45e06d44b6 h1:i2jIkQFb8RG45DuQs+ElyROY848cSJIoIkBM+7XXypA=
+github.com/golangci/errcheck v0.0.0-20181003203344-ef45e06d44b6/go.mod h1:DbHgvLiFKX1Sh2T1w8Q/h4NAI8MHIpzCdnBUDTXU3I0=
+github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613 h1:9kfjN3AdxcbsZBf8NjltjWihK2QfBBBZuv91cMFfDHw=
+github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613/go.mod h1:SyvUF2NxV+sN8upjjeVYr5W7tyxaT1JVtvhKhOn2ii8=
+github.com/golangci/go-tools v0.0.0-20180109140146-af6baa5dc196 h1:9rtVlONXLF1rJZzvLt4tfOXtnAFUEhxCJ64Ibzj6ECo=
+github.com/golangci/go-tools v0.0.0-20180109140146-af6baa5dc196/go.mod h1:unzUULGw35sjyOYjUt0jMTXqHlZPpPc6e+xfO4cd6mM=
+github.com/golangci/goconst v0.0.0-20180610141641-041c5f2b40f3 h1:pe9JHs3cHHDQgOFXJJdYkK6fLz2PWyYtP4hthoCMvs8=
+github.com/golangci/goconst v0.0.0-20180610141641-041c5f2b40f3/go.mod h1:JXrF4TWy4tXYn62/9x8Wm/K/dm06p8tCKwFRDPZG/1o=
+github.com/golangci/gocyclo v0.0.0-20180528134321-2becd97e67ee h1:J2XAy40+7yz70uaOiMbNnluTg7gyQhtGqLQncQh+4J8=
+github.com/golangci/gocyclo v0.0.0-20180528134321-2becd97e67ee/go.mod h1:ozx7R9SIwqmqf5pRP90DhR2Oay2UIjGuKheCBCNwAYU=
+github.com/golangci/gofmt v0.0.0-20181105071733-0b8337e80d98 h1:ir6/L2ZOJfFrJlOTsuf/hlzdPuUwXV/VzkSlgS6f1vs=
+github.com/golangci/gofmt v0.0.0-20181105071733-0b8337e80d98/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU=
+github.com/golangci/golangci-lint v1.17.1 h1:lc8Hf9GPCjIr0hg3S/xhvFT1+Hydass8F1xchr8jkME=
+github.com/golangci/golangci-lint v1.17.1/go.mod h1:+5sJSl2h3aly+fpmL2meSP8CaSKua2E4Twi9LPy7b1g=
+github.com/golangci/gosec v0.0.0-20180901114220-66fb7fc33547 h1:qMomh8bv+kDazm1dSLZ9S3zZ2PJZMHL4ilfBjxFOlmI=
+github.com/golangci/gosec v0.0.0-20180901114220-66fb7fc33547/go.mod h1:0qUabqiIQgfmlAmulqxyiGkkyF6/tOGSnY2cnPVwrzU=
+github.com/golangci/ineffassign v0.0.0-20180808204949-42439a7714cc h1:XRFao922N8F3EcIXBSNX8Iywk+GI0dxD/8FicMX2D/c=
+github.com/golangci/ineffassign v0.0.0-20180808204949-42439a7714cc/go.mod h1:e5tpTHCfVze+7EpLEozzMB3eafxo2KT5veNg1k6byQU=
+github.com/golangci/lint-1 v0.0.0-20180610141402-ee948d087217 h1:r7vyX+SN24x6+5AnpnrRn/bdwBb7U+McZqCHOVtXDuk=
+github.com/golangci/lint-1 v0.0.0-20180610141402-ee948d087217/go.mod h1:66R6K6P6VWk9I95jvqGxkqJxVWGFy9XlDwLwVz1RCFg=
+github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca h1:kNY3/svz5T29MYHubXix4aDDuE3RWHkPvopM/EDv/MA=
+github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca/go.mod h1:tvlJhZqDe4LMs4ZHD0oMUlt9G2LWuDGoisJTBzLMV9o=
+github.com/golangci/misspell v0.0.0-20180809174111-950f5d19e770 h1:EL/O5HGrF7Jaq0yNhBLucz9hTuRzj2LdwGBOaENgxIk=
+github.com/golangci/misspell v0.0.0-20180809174111-950f5d19e770/go.mod h1:dEbvlSfYbMQDtrpRMQU675gSDLDNa8sCPPChZ7PhiVA=
+github.com/golangci/prealloc v0.0.0-20180630174525-215b22d4de21 h1:leSNB7iYzLYSSx3J/s5sVf4Drkc68W2wm4Ixh/mr0us=
+github.com/golangci/prealloc v0.0.0-20180630174525-215b22d4de21/go.mod h1:tf5+bzsHdTM0bsB7+8mt0GUMvjCgwLpTapNZHU8AajI=
+github.com/golangci/revgrep v0.0.0-20180526074752-d9c87f5ffaf0 h1:HVfrLniijszjS1aiNg8JbBMO2+E1WIQ+j/gL4SQqGPg=
+github.com/golangci/revgrep v0.0.0-20180526074752-d9c87f5ffaf0/go.mod h1:qOQCunEYvmd/TLamH+7LlVccLvUH5kZNhbCgTHoBbp4=
+github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4 h1:zwtduBRr5SSWhqsYNgcuWO2kFlpdOZbP0+yRjmvPGys=
+github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4/go.mod h1:Izgrg8RkN3rCIMLGE9CyYmU9pY2Jer6DgANEnZ/L/cQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck=
+github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
+github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3 h1:JVnpOZS+qxli+rgVl98ILOXVNbW+kb5wcxeGx8ShUIw=
+github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE=
+github.com/grpc-ecosystem/grpc-gateway v1.9.2 h1:S+ef0492XaIknb8LMjcwgW2i3cNTzDYMmDrOThOJNWc=
+github.com/grpc-ecosystem/grpc-gateway v1.9.2/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/hashicorp/hcl v0.0.0-20180404174102-ef8a98b0bbce/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w=
+github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
+github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
+github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 h1:rBMNdlhTLzJjJSDIjNEXX1Pz3Hmwmz91v+zycvx9PJc=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/karrick/godirwalk v1.10.12 h1:BqUm+LuJcXjGv1d2mj3gBiQyrQ57a0rYoAmhvJQ7RDU=
+github.com/karrick/godirwalk v1.10.12/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/gotool v0.0.0-20161130080628-0de1eaf82fa3/go.mod h1:jxZFDH7ILpTPQTk+E2s+z4CUas9lVNjIuKR4c5/zKgM=
+github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
+github.com/klauspost/cpuid v0.0.0-20180405133222-e7e905edc00e/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
+github.com/magiconair/properties v1.7.6/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY=
+github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/markbates/inflect v1.0.4 h1:5fh1gzTFhfae06u3hzHYO9xe3l3v3nW5Pwt3naLTP5g=
+github.com/markbates/inflect v1.0.4/go.mod h1:1fR9+pO2KHEO9ZRtto13gDwwZaAKstQzferVeWqbgNs=
+github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
+github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
+github.com/mattn/go-isatty v0.0.3 h1:ns/ykhmWi7G9O+8a448SecJU3nSMBXJfqQkl0upE1jI=
+github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=
+github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
+github.com/mattn/goreman v0.2.1 h1:6Kdjka0uWKsVM5t4d9UqzzIm2jcPJIP7QWu0ByKvlDE=
+github.com/mattn/goreman v0.2.1/go.mod h1:8HCyYaC38XwX0AOu0+fuY02Y5Z7CkITW0oVJavbna4Q=
+github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw=
+github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/go-ps v0.0.0-20170309133038-4fdf99ab2936/go.mod h1:r1VsdOzOPt1ZSrGZWFoNhsAedKnEd6r9Np1+5blZCWk=
+github.com/mitchellh/mapstructure v0.0.0-20180220230111-00c29f56e238/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mozilla/tls-observatory v0.0.0-20180409132520-8791a200eb40/go.mod h1:SrKMQvPiws7F7iqYp8/TX+IhxCYhzr6N/1yb8cwHsGk=
+github.com/nbutton23/zxcvbn-go v0.0.0-20160627004424-a22cb81b2ecd/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU=
+github.com/nbutton23/zxcvbn-go v0.0.0-20171102151520-eafdab6b0663 h1:Ri1EhipkbhWsffPJ3IPlrb4SkTOPa2PfRXp3jchBczw=
+github.com/nbutton23/zxcvbn-go v0.0.0-20171102151520-eafdab6b0663/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU=
+github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/pelletier/go-toml v1.1.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.2.2 h1:J7U/N7eRtzjhs26d6GqMh2HBuXP8/Z64Densiiieafo=
+github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/rogpeppe/go-internal v1.3.0 h1:RR9dF3JtopPvtkroDZuVD7qquD0bnHlKSqaQhgwt8yk=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
+github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
+github.com/shirou/gopsutil v0.0.0-20180427012116-c95755e4bcd7/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
+github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4/go.mod h1:qsXQc7+bwAM3Q1u/4XEfrquwF8Lw7D7y5cD8CuHnfIc=
+github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
+github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
+github.com/sirupsen/logrus v1.0.5/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/sourcegraph/go-diff v0.5.1 h1:gO6i5zugwzo1RVTvgvfwCOSVegNuvnNi6bAD1QCmkHs=
+github.com/sourcegraph/go-diff v0.5.1/go.mod h1:j2dHj3m8aZgQO8lMTcTnBcXkRRRqi34cd2MNlA9u1mE=
+github.com/spf13/afero v1.1.0/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI=
+github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/cast v1.2.0/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
+github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v0.0.2/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8=
+github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s=
+github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
+github.com/spf13/jwalterweatherman v0.0.0-20180109140146-7c0cea34c8ec/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/viper v1.0.2/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=
+github.com/spf13/viper v1.3.2 h1:VUFqw5KcqRf7i70GOzW7N+Q7+gxVBkSSqiXB12+JQ4M=
+github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/timakin/bodyclose v0.0.0-20190407043127-4a873e97b2bb h1:lI9ufgFfvuqRctP9Ny8lDDLbSWCMxBPletcSqrnyFYM=
+github.com/timakin/bodyclose v0.0.0-20190407043127-4a873e97b2bb/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
+github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
+github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
+github.com/valyala/fasthttp v1.2.0/go.mod h1:4vX61m6KN+xDduDNwXrhIAVZaZaZiQ1luJk8LWSxF3s=
+github.com/valyala/quicktemplate v1.1.1/go.mod h1:EH+4AkTd43SvgIbQHYu59/cJyxDoOVRUAfrukLPuGJ4=
+github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4 h1:ydJNl0ENAG67pFbB+9tfhiL2pYqLhfoaZFw/cjLhY4A=
+golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/net v0.0.0-20170915142106-8351a756f30f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180911220305-26e67e76b6c3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190313220215-9f648a60d977/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09 h1:KaQtG+aDELoNmXYas3TVkGNYRuq8JQ1aa7LJt8EXVyo=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20171026204733-164713f0dfce/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180925112736-b09afc3d579e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190429190828-d89cdac9e872/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190515120540-06a5c4944438 h1:khxRGsvPk4n2y8I/mLLjp7e5dMTJmH75wvqS6nMwUtY=
+golang.org/x/sys v0.0.0-20190515120540-06a5c4944438/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.0.0-20170915090833-1cbadb444a80/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/tools v0.0.0-20170915040203-e531a2a1c15f/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181117154741-2ddaf7f79a09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190121143147-24cd39ecf745/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190311215038-5c2858a9cfe5/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190501045030-23463209683d h1:D7DVZUZEUgsSIDTivnUtVeGfN5AvhDIKtdIZAqx0ieE=
+golang.org/x/tools v0.0.0-20190501045030-23463209683d/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190521203540-521d6ed310dd/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190624180213-70d37148ca0c h1:KfpJVdWhuRqNk4XVXzjXf2KAV4TBEP77SYdFGjeGuIE=
+golang.org/x/tools v0.0.0-20190624180213-70d37148ca0c/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190627203933-19ff4fff8850 h1:fA72gpMxsjJw+HAMdKku/cilEAHBQ9yEhmYkRO3wzyM=
+golang.org/x/tools v0.0.0-20190627203933-19ff4fff8850/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190627220010-94c5763a7c84 h1:1uDU8V+48dIbLhClJHiB9XfbmbbJ8h7DFqeIdQTFC68=
+golang.org/x/tools v0.0.0-20190627220010-94c5763a7c84/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8 h1:Nw54tB0rB7hY/N0NQvRW8DG4Yk3Q6T9cu9RcFQDu1tc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
+gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+k8s.io/api v0.0.0-20190222213804-5cb15d344471/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
+k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b h1:aBGgKJUM9Hk/3AE8WaZIApnTxG35kbuQba2w+SXqezo=
+k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
+k8s.io/apiextensions-apiserver v0.0.0-20190228180357-d002e88f6236/go.mod h1:IxkesAMoaCRoLrPJdZNZUQp9NfZnzqaVzLhb2VEQzXE=
+k8s.io/apiextensions-apiserver v0.0.0-20190409022649-727a075fdec8 h1:q1Qvjzs/iEdXF6A1a8H3AKVFDzJNcJn3nXMs6R6qFtA=
+k8s.io/apiextensions-apiserver v0.0.0-20190409022649-727a075fdec8/go.mod h1:IxkesAMoaCRoLrPJdZNZUQp9NfZnzqaVzLhb2VEQzXE=
+k8s.io/apimachinery v0.0.0-20190221213512-86fb29eff628/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
+k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d h1:Jmdtdt1ZnoGfWWIIik61Z7nKYgO3J+swQJtPYsP9wHA=
+k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
+k8s.io/klog v0.2.0 h1:0ElL0OHzF3N+OhoJTL0uca20SxtYt4X4+bzHeqrB83c=
+k8s.io/klog v0.2.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
+mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed h1:WX1yoOaKQfddO/mLzdV4wptyWgoH/6hwLs7QHTixo0I=
+mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
+mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b h1:DxJ5nJdkhDlLok9K6qO+5290kphDJbHOQO1DFFFTeBo=
+mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
+mvdan.cc/unparam v0.0.0-20190124213536-fbb59629db34 h1:B1LAOfRqg2QUyCdzfjf46quTSYUTAK5OCwbh6pljHbM=
+mvdan.cc/unparam v0.0.0-20190124213536-fbb59629db34/go.mod h1:H6SUd1XjIs+qQCyskXg5OFSrilMRUkD8ePJpHKDPaeY=
+sigs.k8s.io/controller-tools v0.2.0-alpha.1 h1:WAFYSisW4Nmp/WPCs40FfkmGMglf+QauHB8mWPpYqxM=
+sigs.k8s.io/controller-tools v0.2.0-alpha.1/go.mod h1:iog+z/LWZwDaOb2rfxUBZsTTPbloVgyVdXMye0kg8H8=
+sigs.k8s.io/controller-tools v0.2.0-alpha.2 h1:zrVHUPo3BCiC82uWbY7upoH88y7GScDyO+iQKXc1wCE=
+sigs.k8s.io/controller-tools v0.2.0-alpha.2/go.mod h1:gC5UAnK1jbxWnDaqTi0yxKIsRsRwshzeRtTUGbM9vos=
+sigs.k8s.io/controller-tools v0.2.0-beta.2 h1:ucniFzEuW7PFfFDuUxacdY4Fy4q065wPguVl+BE2/t0=
+sigs.k8s.io/controller-tools v0.2.0-beta.2/go.mod h1:gC5UAnK1jbxWnDaqTi0yxKIsRsRwshzeRtTUGbM9vos=
+sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
+sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
+sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4 h1:JPJh2pk3+X4lXAkZIk2RuE/7/FoK9maXw+TNPJhVS/c=
+sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=

hack/update-manifests.sh

@@ -10,7 +10,20 @@ AUTOGENMSG="# This is an auto-generated file. DO NOT EDIT"
 cd ${SRCROOT}/manifests/ha/base/redis-ha && ./generate.sh
 
 IMAGE_NAMESPACE="${IMAGE_NAMESPACE:-argoproj}"
-IMAGE_TAG="${IMAGE_TAG:-latest}"
+IMAGE_TAG="${IMAGE_TAG:-}"
+
+# if the tag has not been declared, and we are on a release branch, use the VERSION file.
+if [ "$IMAGE_TAG" = "" ]; then
+  branch=$(git rev-parse --abbrev-ref HEAD)
+  if [[ $branch = release-* ]]; then
+    pwd
+    IMAGE_TAG=v$(cat $SRCROOT/VERSION)
+  fi
+fi
+# otherwise, use latest
+if [ "$IMAGE_TAG" = "" ]; then
+  IMAGE_TAG=latest
+fi
 
 cd ${SRCROOT}/manifests/base && kustomize edit set image argoproj/argocd=${IMAGE_NAMESPACE}/argocd:${IMAGE_TAG} argoproj/argocd-ui=${IMAGE_NAMESPACE}/argocd-ui:${IMAGE_TAG}
 cd ${SRCROOT}/manifests/ha/base && kustomize edit set image argoproj/argocd=${IMAGE_NAMESPACE}/argocd:${IMAGE_TAG} argoproj/argocd-ui=${IMAGE_NAMESPACE}/argocd-ui:${IMAGE_TAG}

hack/update-openapi-validation/main.go

@@ -1,63 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"io/ioutil"
-	"log"
-	"os"
-
-	crdutil "github.com/ant31/crd-validation/pkg"
-	"github.com/ghodss/yaml"
-	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-)
-
-// Generate OpenAPI spec definitions for Rollout Resource
-func main() {
-	if len(os.Args) != 3 {
-		log.Fatalf("Usage: %s CRDSPEC TYPE", os.Args[0])
-	}
-	crdPath := os.Args[1]
-	typePath := os.Args[2]
-
-	data, err := ioutil.ReadFile(crdPath)
-	if err != nil {
-		log.Fatal(err)
-	}
-	var crd apiextensions.CustomResourceDefinition
-	err = yaml.Unmarshal(data, &crd)
-	if err != nil {
-		log.Fatal(err)
-	}
-	crd.Spec.Validation = crdutil.GetCustomResourceValidation(typePath, v1alpha1.GetOpenAPIDefinitions)
-
-	jsonBytes, err := json.Marshal(crd)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	var r unstructured.Unstructured
-	if err := json.Unmarshal(jsonBytes, &r.Object); err != nil {
-		log.Fatal(err)
-	}
-
-	unstructured.RemoveNestedField(r.Object, "status")
-	unstructured.RemoveNestedField(r.Object, "metadata", "creationTimestamp")
-	jsonBytes, err = json.MarshalIndent(r.Object, "", "    ")
-	if err != nil {
-		log.Fatal(err)
-	}
-	yamlBytes, err := yaml.JSONToYAML(jsonBytes)
-	if err != nil {
-		log.Fatal(err)
-	}
-
-	err = ioutil.WriteFile(crdPath, yamlBytes, 0644)
-	if err != nil {
-		panic(err)
-	}
-	os.Exit(0)
-
-}

hack/update-openapi.sh

@@ -15,11 +15,4 @@ go run ${CODEGEN_PKG}/cmd/openapi-gen/openapi-gen.go \
   --report-filename pkg/apis/api-rules/violation_exceptions.list \
   $@
 
-go run ./hack/update-openapi-validation/main.go \
-  ./manifests/crds/application-crd.yaml \
-  github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1.Application
-
-go run ./hack/update-openapi-validation/main.go \
-  ./manifests/crds/appproject-crd.yaml \
-  github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1.AppProject
-
+go run ./hack/gen-crd-spec/main.go

manifests/base/application-controller/argocd-application-controller-deployment.yaml

@@ -30,7 +30,14 @@ spec:
         ports:
         - containerPort: 8082
         readinessProbe:
-          tcpSocket:
+          httpGet:
+            path: /healthz
+            port: 8082
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        livenessProbe:
+          httpGet:
+            path: /healthz
             port: 8082
           initialDelaySeconds: 5
           periodSeconds: 10

manifests/base/config/argocd-ssh-known-hosts-cm.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-ssh-known-hosts-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-ssh-known-hosts-cm
+data:
+  ssh_known_hosts: |
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+    github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
+    gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
+    gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
+    ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
+    vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H

manifests/base/config/argocd-tls-certs-cm.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-tls-certs-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-tls-certs-cm
+data:

manifests/base/config/kustomization.yaml

@@ -4,4 +4,6 @@ kind: Kustomization
 resources:
 - argocd-cm.yaml
 - argocd-secret.yaml
-- argocd-rbac-cm.yaml
+- argocd-rbac-cm.yaml
+- argocd-ssh-known-hosts-cm.yaml
+- argocd-tls-certs-cm.yaml