Bump version to 2.2.4

Signed-off-by: jannfis <jann@mistrust.net>

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,12 @@
+blank_issues_enabled: false
+
+contact_links:
+  - name: Have you read the docs?
+    url: https://argo-cd.readthedocs.io/
+    about: Much help can be found in the docs
+  - name: Ask a question
+    url: https://github.com/argoproj/argo-cd/discussions/new
+    about: Ask a question or start a discussion about Argo CD
+  - name: Chat on Slack
+    url: https://argoproj.github.io/community/join-slack
+    about: Maybe chatting with the community can help

.github/pull_request_template.md

@@ -1,9 +1,17 @@
+Note on DCO:
+
+If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the *Details* link next to the DCO action for instructions on how to resolve this.
+
 Checklist:
 
 * [ ] Either (a) I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
 * [ ] The title of the PR states what changed and the related issues number (used for the release note).
+* [ ] I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
 * [ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
 * [ ] Does this PR require documentation updates?
 * [ ] I've updated documentation as required by this PR.
 * [ ] Optional. My organization is added to USERS.md.
-* [ ] I've signed the CLA and my build is green ([troubleshooting builds](https://argoproj.github.io/argo-cd/developer-guide/ci/)). 
+* [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/tree/master/community#contributing-to-argo)
+* [ ] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
+* [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/latest/developer-guide/ci/)). 
+

.github/workflows/ci-build.yaml

@@ -10,6 +10,10 @@ on:
     branches:
       - 'master'
 
+env:
+  # Golang version to use across CI steps
+  GOLANG_VERSION: '1.16.11'
+
 jobs:
   build-docker:
     name: Build Docker image
@@ -30,7 +34,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
         run: |
           go mod download
@@ -48,7 +52,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
         uses: actions/cache@v1
         with:
@@ -69,8 +73,8 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.29
-          args: --timeout 5m --exclude SA5011
+          version: v1.38.0
+          args: --timeout 10m --exclude SA5011
 
   test-go:
     name: Run unit tests for Go packages
@@ -87,7 +91,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
         run: |
           sudo apt-get install git -y
@@ -147,7 +151,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
         run: |
           sudo apt-get install git -y
@@ -196,7 +200,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
         run: |
           mkdir -p ~/go/src/github.com/argoproj
@@ -259,6 +263,7 @@ jobs:
           yarn build
         env:
           NODE_ENV: production
+          NODE_ONLINE_ENV: online
         working-directory: ui/
       - name: Run ESLint
         run: yarn lint
@@ -335,7 +340,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        k3s-version: [v1.19.2, v1.18.9, v1.17.11, v1.16.15]
+        k3s-version: [v1.21.2, v1.20.2, v1.19.2, v1.18.9, v1.17.11]
     needs: 
       - build-go
     env:
@@ -354,7 +359,10 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: ${{ env.GOLANG_VERSION }}
+      - name: GH actions workaround - Kill XSP4 process
+        run: |
+          sudo pkill mono || true
       - name: Install K3S
         env:
           INSTALL_K3S_VERSION: ${{ matrix.k3s-version }}+k3s1
@@ -392,7 +400,7 @@ jobs:
         run: |
           docker pull quay.io/dexidp/dex:v2.25.0
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:5.0.10-alpine
+          docker pull redis:6.2.6-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist

.github/workflows/gh-pages.yaml

@@ -16,16 +16,8 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@v1
         with:
-          python-version: 3.x
+          python-version: 3.9.8
       - name: build
         run: |
-          pip install mkdocs==1.0.4 mkdocs_material==4.1.1
-          mkdocs build
-          mkdir ./site/.circleci && echo '{version: 2, jobs: {build: {branches: {ignore: gh-pages}}}}' > ./site/.circleci/config.yml
-      - name: deploy
-        if: ${{ github.event_name == 'push' }}
-        uses: peaceiris/actions-gh-pages@v2.5.0
-        env:
-          PERSONAL_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
-          PUBLISH_BRANCH: gh-pages
-          PUBLISH_DIR: ./site
+          pip install -r docs/requirements.txt
+          mkdocs build

.github/workflows/image.yaml

@@ -5,6 +5,9 @@ on:
     branches:
       - master
 
+env:
+  GOLANG_VERSION: '1.16.11'
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -13,7 +16,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: ${{ env.GOLANG_VERSION }}
       - uses: actions/checkout@master
         with:
           path: src/github.com/argoproj/argo-cd
@@ -26,25 +29,31 @@ jobs:
       # build
       - run: |
           docker images -a --format "{{.ID}}" | xargs -I {} docker rmi {}
-          make image DEV_IMAGE=true DOCKER_PUSH=false IMAGE_NAMESPACE=docker.pkg.github.com/argoproj/argo-cd IMAGE_TAG=${{ steps.image.outputs.tag }}
+          make image DEV_IMAGE=true DOCKER_PUSH=false IMAGE_NAMESPACE=ghcr.io/argoproj IMAGE_TAG=${{ steps.image.outputs.tag }}
         working-directory: ./src/github.com/argoproj/argo-cd
 
       # publish
       - run: |
-          docker login docker.pkg.github.com --username $USERNAME --password $PASSWORD
-          docker push docker.pkg.github.com/argoproj/argo-cd/argocd:${{ steps.image.outputs.tag }}
+          docker login ghcr.io --username $USERNAME --password $PASSWORD
+          docker push ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }}
+
+          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker tag ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} argoproj/argocd:latest
+          docker push argoproj/argocd:latest
         env:
           USERNAME: ${{ secrets.USERNAME }}
           PASSWORD: ${{ secrets.TOKEN }}
+          DOCKER_USERNAME: ${{ secrets.RELEASE_DOCKERHUB_USERNAME }}
+          DOCKER_TOKEN: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
 
       # deploy
       - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
         env:
           TOKEN: ${{ secrets.TOKEN }}
       - run: |
-          docker run -v $(pwd):/src -w /src --rm -t lyft/kustomizer:v3.3.0 kustomize edit set image argoproj/argocd=docker.pkg.github.com/argoproj/argo-cd/argocd:${{ steps.image.outputs.tag }}
+          docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }}
           git config --global user.email 'ci@argoproj.com'
           git config --global user.name 'CI'
           git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ steps.image.outputs.tag }}' && git push)
         working-directory: argoproj-deployments/argocd
-      # TODO: clean up old images once github supports it: https://github.community/t5/How-to-use-Git-and-GitHub/Deleting-images-from-Github-Package-Registry/m-p/41202/thread-id/9811
+      # TODO: clean up old images once github supports it: https://github.community/t5/How-to-use-Git-and-GitHub/Deleting-images-from-GitHub-Package-Registry/m-p/41202/thread-id/9811

.github/workflows/release.yaml

@@ -10,6 +10,10 @@ on:
       - '!release-v1.1*'
       - '!release-v1.0*'
       - '!release-v0*'
+
+env:
+    GOLANG_VERSION: '1.16.11'
+
 jobs:
   prepare-release:
     name: Perform automatic release on trigger ${{ github.ref }}
@@ -18,7 +22,7 @@ jobs:
       # The name of the tag as supplied by the GitHub event
       SOURCE_TAG: ${{ github.ref }}
       # The image namespace where Docker image will be published to
-      IMAGE_NAMESPACE: argoproj
+      IMAGE_NAMESPACE: quay.io/argoproj
       # Whether to create & push image and release assets
       DRY_RUN: false
       # Whether a draft release should be created, instead of public one
@@ -44,7 +48,7 @@ jobs:
           # Target version must match major.minor.patch and optional -rcX suffix
           # where X must be a number.
           TARGET_VERSION=${SOURCE_TAG#*release-v}
-          if ! echo ${TARGET_VERSION} | egrep '^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)*$'; then
+          if ! echo "${TARGET_VERSION}" | egrep '^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)*$'; then
             echo "::error::Target version '${TARGET_VERSION}' is malformed, refusing to continue." >&2
             exit 1
           fi
@@ -101,16 +105,16 @@ jobs:
             # Whatever is in commit history for the tag, we only want that
             # annotation from our tag. We discard everything else.
             if test "$begin" = "false"; then
-              if echo $line | grep -q "tag ${SOURCE_TAG#refs/tags/}"; then begin="true"; fi
+              if echo "$line" | grep -q "tag ${SOURCE_TAG#refs/tags/}"; then begin="true"; fi
               continue
             fi
             if test "$prefix" = "true"; then
                   if test -z "$line"; then prefix=false; fi
             else
-                  if echo $line | egrep -q '^commit [0-9a-f]+'; then
+                  if echo "$line" | egrep -q '^commit [0-9a-f]+'; then
                           break
                   fi
-                  echo $line >> ${RELEASE_NOTES}
+                  echo "$line" >> ${RELEASE_NOTES}
             fi
           done
 
@@ -139,7 +143,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.14.12'
+          go-version: ${{ env.GOLANG_VERSION }}
 
       - name: Setup Git author information
         run: |
@@ -193,10 +197,16 @@ jobs:
         env:
           DOCKER_USERNAME: ${{ secrets.RELEASE_DOCKERHUB_USERNAME }}
           DOCKER_TOKEN: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
+          QUAY_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
+          QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
         run: |
           set -ue
-          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
           docker push ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+          # Remove the following when Docker Hub is gone
+          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker tag ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} argoproj/argocd:v${TARGET_VERSION}
+          docker push argoproj/argocd:v${TARGET_VERSION}
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Read release notes file

.gitignore

@@ -2,7 +2,9 @@
 .idea/
 .DS_Store
 vendor/
-dist/
+dist/*
+ui/dist/app/*
+!ui/dist/app/gitkeep
 site/
 *.iml
 # delve debug binaries
@@ -13,10 +15,10 @@ test-results
 .scannerwork
 .scratch
 node_modules/
+.kube/
 
 # ignore built binaries
 cmd/argocd/argocd
 cmd/argocd-application-controller/argocd-application-controller
 cmd/argocd-repo-server/argocd-repo-server
-cmd/argocd-server/argocd-server
-cmd/argocd-util/argocd-util
+cmd/argocd-server/argocd-server

.gitpod.Dockerfile

@@ -0,0 +1,17 @@
+FROM gitpod/workspace-full
+
+USER root
+
+RUN curl -o /usr/local/bin/kubectl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
+    chmod +x /usr/local/bin/kubectl
+
+RUN curl -L https://go.kubebuilder.io/dl/2.3.1/$(go env GOOS)/$(go env GOARCH) | \
+    tar -xz -C /tmp/ && mv /tmp/kubebuilder_2.3.1_$(go env GOOS)_$(go env GOARCH) /usr/local/kubebuilder
+
+RUN apt-get install redis-server -y
+RUN go get github.com/mattn/goreman
+
+USER gitpod
+
+ENV ARGOCD_REDIS_LOCAL=true
+ENV KUBECONFIG=/tmp/kubeconfig

.gitpod.yml

@@ -0,0 +1,6 @@
+image:
+  file: .gitpod.Dockerfile
+
+tasks:
+  - init: make mod-download-local dep-ui-local && GO111MODULE=off go get github.com/mattn/goreman
+    command: make start-test-k8s

.readthedocs.yml

@@ -0,0 +1,7 @@
+version: 2
+formats: all
+mkdocs:
+  fail_on_warning: false
+python:
+  install:
+    - requirements: docs/requirements.txt

CHANGELOG.md

@@ -1,5 +1,271 @@
 # Changelog
 
+## v2.1.1 (2021-08-25)
+
+### Bug Fixes
+
+- fix: password reset requirements (#7071)
+- fix: Custom Styles feature is broken (#7067)
+- fix(ui): Add State to props passed to Extensions (#7045)
+- fix: keep uid_entrypoint.sh for backward compatibility (#7047)
+
+## v2.1.0 (2021-08-20)
+
+> [Upgrade instructions](./docs/operator-manual/upgrading/2.0-2.1.md)
+
+### Argo CD Core
+
+Argo CD Core - lightweight Argo CD distribution that packages only core GitOps features and relies
+on Kubernetes API/RBAC to power UI and CLI.
+
+### Core Features
+
+* The synchronization process became much much faster and requires significantly less memory.
+* An additional caching that ensures that each repository's target revisions are queried only once per
+  reconciliation cycle. This dramatically reduces the number of Git requests.
+* Improved Diffing Customizations: use JQ path expressions to exclude required fields from the diffing.
+* Health assessment support for new CRDs: introduced health assessment of CRDs from trident.netapp.io,
+  elasticsearch.k8s.elastic.co, cluster.x-k8s.io, and minio.min.io API groups.
+
+### Improved Settings
+
+A set of changes had been implemented to simplify configuring Argo CD.
+
+* Simplified Repository Registration: you no longer need to modify the argocd-cm ConfigMap to register a
+  new Git or Helm repository.
+* Enhanced Resource Customizations: the resource.customizations key has been deprecated in favor of
+  a separate ConfigMap key per resource.
+* Reference secret values from any Kubernetes secret: starting v2.1 you can use sensitive data stored in 
+  any Kubernetes secret to configure Argo CD.
+* Simplify parametrization of Argo CD server processes: an additional optional ConfigMap argocd-cmd-params-cm
+  has been introduced.
+
+### Refreshed User Interface
+
+* Enhanced and more consistent filters on Applications List and Applications Details pages.
+* Status bar on the Application List page.
+* The redesigned search box on the Application List page and more.
+
+### The argocd-util CLI deprecation
+
+The argocd CLI and now available under argocd admin subcommand.
+
+## v2.0.5 (2021-07-22)
+
+* fix: allow argocd-notification ingress to repo-server (#6746)
+* fix: argocd-server crashes due to nil pointer dereference (#6757)
+* fix: WebUI failure when loading pod view 't.parentRefs is undefined' (#6490) (#6535)
+* fix: prevent 'cannot read property "filter" of undefined' during nodes filtering (#6453)
+* fix: download Pod Logs button not honouring argocd-server rootpath (#6548) (#6627)
+* fix: Version warning banner in docs (#6682)
+* fix: upgrade gitops engine to fix workflow health check
+
+## v2.0.4 (2021-06-22)
+
+* fix: typo in networkPolicy definition in manifests (#6532)
+* fix: Update redis to 6.2.4 (#6475)
+* fix: allows access to dex metrics from any pod (#6420)
+* fix: add client side retry to prevent 'transport is closing' errors (#6402)
+* fix: Update documentation Argocd app CRD health with app of apps (#6281)
+* fix(ui): Crash on application pod view (#6384)
+* chore: pin mkdocs version to fix docs build (#6421)
+* chore: regenerate manifests using codegen (#6422)
+* refactor: use RLock and RUnlock for project to improve performance (#6225)
+* chore: Update Golang to v1.16.4 (#6358)
+
+## v2.0.3 (2021-05-27)
+
+### Bug Fixes
+
+* fix: add missing --container flag to 'argocd app logs' command (#6320)
+* fix: grpc web proxy must ensure to read full header (#6319)
+* fix: controller should refresh app before running sync operation (#6294)
+
+## v2.0.2 (2021-05-20)
+
+### Bug Fixes
+
+* fix: enable access to metrics port in embedded network policies (#6277)
+* fix: display log streaming error in logs viewer (#6100) (#6273)
+* fix: Don't count errored or completed neighbor pods toward resource consumption (#6259)
+* fix: Enable kex algo diffie-hellman-group-exchange-sha256 for go-git ssh (#6256)
+* fix: copy github app key from repocreds (#6140, #6197)
+* fix(ui): UI crashes after reinstalling ArgoCD (#6218)
+* fix: add network policies to restrict traffic flow between argocd components (#6156)
+* fix: Revert "feat: Add health checks for kubernetes-external-secrets (#5435)"
+* chore: Allow ingress traffic to argocd-server by default (#6179)
+
+## v2.0.1 (2021-04-15)
+
+### Bug Fixes
+
+* fix: spark application check fails on missing section (#6036)
+* fix: Adding explicit bind to redis and sentinel for IPv4 clusters #5957 (#6005)
+* fix: fix: use correct field for evaluating whether or not GitHub Enterprise is selected (#5987)
+
+## v2.0.0 (2021-04-07)
+
+> [Upgrade instructions](./docs/operator-manual/upgrading/1.8-2.0.md)
+
+### Pods View
+
+Pods View is particularly useful for applications that have hundreds of pods. Instead of visualizing all Kubernetes
+resources for the application, it only shows Kubernetes pods and closely related resources. The Pods View supports
+grouping related resources by Parent Resource, Top Level Parent, or by Node. Each way of grouping solves a particular
+use case. For example grouping by Top Level Parent allows you to quickly find how many pods your application is running
+and which resources created them. Grouping by Node allows to see how Pods are spread across the nodes and how many
+resources they requested.
+
+
+### Logs Viewer
+
+Argo CD provides a way to see live logs of pods, which is very useful for debugging and troubleshooting. In the v2.0
+release, the log visualization has been rewritten to support pagination, filtering, the ability to disable/enable log
+streaming, and even a dark mode for terminal lovers. Do you want to see aggregated logs of multiple deployment pods?
+Not a problem! Just click on the parent resource such as Deployment, ReplicaSet, or StatefulSet and navigate
+to the Logs tab.
+
+### Banner Feature
+
+Want to notify your Argo CD users of upcoming changes? Just specify the notification message and optional URL using the
+`ui.bannercontent` and `ui.bannerurl` attributes in the `argocd-cm` ConfigMap. 
+
+### Core Features
+
+* The new sync option `PrunePropagationPolicy=background` allows using background deletion during syncing
+* New application finalizer `resources-finalizer.argocd.argoproj.io:background` allows using background deletion when the application is deleted
+* The new sync option `ApplyOutOfSyncOnly=true` allows skipping syncing resources that are already in the desired state.
+* The new sync option `PruneLast=true` allows deferring resource pruning until the last synchronization phase after all other resources are synced and healthy.
+
+### The argocd-util CLI
+
+Argo CD Util is a CLI tool that contains useful commands for operators who manage Argo CD. Starting from this release
+the Argo CD Utility is published with every Argo CD release as a Homebrew installation.
+
+## v1.8.7 (2021-02-26)
+
+### Important note
+This release fixed a regression regarding which cluster resources are permitted on the AppProject level.
+Previous to this fix, after #3960 has been merged, all cluster resources were allowed on project level when neither of
+the allow or deny lists was defined. However, the correct behavior is to block all resources in this case.
+
+If you have Projects with empty allow and deny lists, but want the associated applications be able to sync cluster
+resources, you will have to adapt your cluster resources allow lists to explicitly allow the resources.
+
+- fix: redact sensitive data in logs (#5662)
+- fix: Properly escape HTML for error message from CLI SSO (#5563)
+- fix: Empty resource whitelist allowed all resources (#5540) (#5551)
+
+## v1.8.6 (2021-02-26)
+
+- fix: Properly escape HTML for error message from CLI SSO (#5563)
+- fix: API server should not print resource body when resource update fails (#5617)
+- fix: fix memory leak in application controller (#5604)
+
+## v1.8.5 (2021-02-19)
+
+- fix: 'argocd app wait --suspended' stuck if operation is in progress (#5511)
+- fix: Presync hooks stop working after namespace resource is added in a Helm chart #5522
+- docs: add the missing rbac resources to the documentation (#5476)
+- refactor: optimize argocd-application-controller redis usage (#5345)
+
+## v1.8.4 (2021-02-05)
+
+- feat: set X-XSS-Protection while serving static content (#5412)
+- fix: version info should be avaialble if anonymous access is enabled (#5422)
+- fix: disable jwt claim audience validation #5381 (#5413)
+- fix: /api/version should not return tools version for unauthenticated requests (#5415)
+- fix: account tokens should be rejected if required capability is disabled (#5414)
+- fix: tokens keep working after account is deactivated (#5402)
+- fix: a request which was using a revoked project token, would still be allowed to perform requests allowed by default policy (#5378)
+
+## v1.8.3 (2021-01-21)
+
+- fix: make sure JWT token time fields contain only integer values (#5228)
+
+## v1.8.2 (2021-01-09)
+
+### Bug Fixes
+
+- fix: updating cluster drops secret (#5220)
+- fix: remove invalid assumption about OCI helm chart path (#5179)
+- fix: Possible nil pointer dereference in repository API (#5128)
+- fix: Possible nil pointer dereference in repocreds API (#5130)
+- fix: use json serialization to store cache instead of github.com/vmihailenco/msgpack (#4965)
+- fix: add liveness probe to restart repo server if it fails to server tls requests (#5110) (#5119)
+- fix: Allow correct SSO redirect URL for CLI static client (#5098)
+- fix: add grpc health check (#5060)
+- fix: setting 'revision history limit' errors in UI (#5035)
+- fix: add api-server liveness probe that catches bad data in informer (#5026)
+
+### Refactoring
+
+- chore: Update Dex to v2.27.0 (#5058)
+- chore: Upgrade gorilla/handlers and gorilla/websocket (#5186)
+- chore: Upgrade jwt-go to 4.0.0-preview1 (#5184)
+
+## v1.8.1 (2020-12-09)
+
+- fix: sync retry is broken for multi-phase syncs (#5017)
+
+## v1.8.0 (2020-12-09)
+
+### Mono-Repository Improvements
+
+Enhanced performance during manifest generation from mono-repository - the repository that represents the
+desired state of the whole cluster and contains hundreds of applications. The improved argocd-repo-server
+now able to concurrently generate manifests from the same repository and for the same commit SHA. This
+might provide 10x performance improvement of manifests generation.
+
+### Annotation Based Path Detection
+
+The feature that allows specifying which source repository directories influence the application manifest generation
+using the `argocd.argoproj.io/manifest-generate-paths` annotation. The annotation improves the Git webhook handler
+behavior. The webhook avoids related applications reconciliation if no related files have been changed by the Git commit
+and even allows to skip manifests generation for new commit by re-using generation manifests for the previous commit.
+
+### Horizontal Controller Scaling
+
+This release allows scaling the `argocd-application-controller` horizontally. This allows you to manage as many Kubernetes clusters
+as needed using a single Argo CD instance.
+
+## New Core Functionality Features
+
+Besides performance improvements, Argo CD got a lot of usability enhancements and new features:
+
+* Namespace and CRD creation [#4354](https://github.com/argoproj/argo-cd/issues/4354)
+* Unknown fields of built-in K8S types [#1787](https://github.com/argoproj/argo-cd/issues/1787)
+* Endpoints Diffing [#1816](https://github.com/argoproj/argo-cd/issues/1816)
+* Better compatibility with Helm Hooks [#1816](https://github.com/argoproj/argo-cd/issues/1816)
+* App-of-Apps Health Assessment [#3781](https://github.com/argoproj/argo-cd/issues/3781)
+
+## Global Projects
+
+This release makes it easy to manage an Argo CD that has hundreds of Projects. Instead of duplicating the same organization-wide rules in all projects
+you can put such rules into one project and make this project “global” for all other projects. Rules defined in the global project are inherited by all
+other projects and therefore don’t have to be duplicated. The sample below demonstrates how you can create a global project and specify which project should
+inherit global project rules using Kubernetes labels. 
+
+## User Interface Improvements
+
+The Argo CD user interface is an important part of a project and we keep working hard on improving the user experience. Here is an incomplete list of implemented improvements:
+
+* Improved Applications Filters [#4622](https://github.com/argoproj/argo-cd/issues/4622)
+* Git tags and branches autocompletion [#4713](https://github.com/argoproj/argo-cd/issues/4713)
+* Project Details Page [#4400](https://github.com/argoproj/argo-cd/issues/4400)
+* New version information panel [#4376](https://github.com/argoproj/argo-cd/issues/4376)
+* Progress Indicators [#4411](https://github.com/argoproj/argo-cd/issues/4411)
+* External links annotations [#4380](https://github.com/argoproj/argo-cd/issues/4380) and more!
+
+## Config Management Tools Enhancements
+
+* OCI Based Repositories [#4018](https://github.com/argoproj/argo-cd/issues/4018)
+* Configurable Helm Versions [#4111](https://github.com/argoproj/argo-cd/issues/4111)
+
+## Bug fixes and under the hood changes
+
+In addition to new features and enhancements, we’ve fixed more than 50 bugs and upgraded third-party components and libraries that Argo CD relies on.
+
 ## v1.7.9 (2020-11-17)
 
 - fix: improve commit verification tolerance (#4825)
@@ -35,7 +301,7 @@
 ## v1.7.5 (2020-09-15)
 
 - fix: app create with -f should not ignore other options (#4322)
-- fix: limit concurrent list requests accross all clusters (#4328)
+- fix: limit concurrent list requests across all clusters (#4328)
 - fix: fix possible deadlock in /v1/api/stream/applications and /v1/api/application APIs (#4315)
 - fix: WatchResourceTree does not enforce RBAC (#4311)
 - fix: app refresh API should use app resource version (#4303)
@@ -169,7 +435,7 @@ use cases, such as bootstrapping a Kubernetes cluster, or decentralized manageme
 
 #### Other
 
-- refactoring: Gitops engine (#3066)
+- refactoring: GitOps engine (#3066)
 
 ## v1.5.8 (2020-06-16)
 
@@ -232,7 +498,7 @@ customizations, custom resource health checks, and more.
 ### Other
 
 * New Project and Application CRD settings ([#2900](https://github.com/argoproj/argo-cd/issues/2900), [#2873](https://github.com/argoproj/argo-cd/issues/2873)) that allows customizing Argo CD behavior.
-* Upgraded Dex (v2.22.0) enables seamless [SSO integration](https://www.openshift.com/blog/openshift-authentication-integration-with-argocd) with Openshift.
+* Upgraded Dex (v2.22.0) enables seamless [SSO integration](https://www.openshift.com/blog/openshift-authentication-integration-with-argocd) with OpenShift.
 
 
 #### Enhancements
@@ -264,7 +530,7 @@ customizations, custom resource health checks, and more.
 * fix for helm repo add with flag --insecure-skip-server-verification (#3420)
 * fix: app diff --local support for helm repo. #3151 (#3407)
 * fix: Syncing apps incorrectly states "app synced", but this is not true (#3286)
-* fix: for jsonnet when it is localed in nested subdirectory and uses import (#3372)
+* fix: for jsonnet when it is located in nested subdirectory and uses import (#3372)
 * fix: Update 4.5.3 redis-ha helm manifest (#3370)
 * fix: return 401 error code if username does not exist (#3369)
 * fix: Do not panic while running hooks with short revision (#3368)
@@ -380,7 +646,7 @@ Last-minute bugs that will be addressed in 1.5.1 shortly:
 - fix: argocd-util backup produced truncated backups. import app status (#3096)
 - fix: upgrade redis-ha chart and enable haproxy (#3147)
 - fix: make dex server deployment init container resilient to restarts (#3136)
-- fix: reduct secret values of manifests stored in git (#3088)
+- fix: redact secret values of manifests stored in git (#3088)
 - fix: labels not being deleted via UI (#3081)
 - fix: HTTP|HTTPS|NO_PROXY env variable reading #3055 (#3063)
 - fix: Correct usage text for repo add command regarding insecure repos (#3068)
@@ -490,7 +756,7 @@ an in-flight state for all Kubernetes resources including `Deployment`, `PVC`, `
 [Sync Waves](https://argoproj.github.io/argo-cd/user-guide/sync-waves/) instead.
 
 #### Enhancements
-* feat: Add custom healthchecks for cert-manager v0.11.0 (#2689) 
+* feat: Add custom health checks for cert-manager v0.11.0 (#2689) 
 * feat: add git submodule support (#2495)
 * feat: Add repository credential management API and CLI (addresses #2136) (#2207)
 * feat: add support for --additional-headers cli flag (#2467)
@@ -675,7 +941,7 @@ There may be instances when you want to control the times during which an Argo C
 #### Bug Fixes
 
 - failed parsing on parameters with comma (#1660)
-- Statefulset with OnDelete Update Strategy stuck progressing (#1881)
+- StatefulSet with OnDelete Update Strategy stuck progressing (#1881)
 - Warning during secret diffing (#1923)
 - Error message "Unable to load data: key is missing" is confusing (#1944)
 - OIDC group bindings are truncated (#2006)
@@ -757,7 +1023,7 @@ There may be instances when you want to control the times during which an Argo C
 ## v1.2.3 (2019-10-1)
 * Make argo-cd docker images openshift friendly (#2362) (@duboisf)
 * Add dest-server and dest-namespace field to reconciliation logs (#2354)
-- Stop loggin /repository.RepositoryService/ValidateAccess parameters (#2386)
+- Stop logging /repository.RepositoryService/ValidateAccess parameters (#2386)
 
 ## v1.2.2 (2019-09-26)
 + Resource action equivalent to `kubectl rollout restart` (#2177)
@@ -842,7 +1108,7 @@ Support for Git LFS enabled repositories - now you can store Helm charts as tar
 - Wait for CRD creation during sync process (#1940)
 - Added a button to select out of sync items in the sync panel (#1902)
 - Proper handling of an excluded resource in an application (#1621)
-- Stop repeating logs on stoped container (#1614)
+- Stop repeating logs on stopped container (#1614)
 - Fix git repo url parsing on application list view (#2174)
 - Fix nil pointer dereference error during app reconciliation (#2146)
 - Fix history api fallback implementation to support app names with dots (#2114)
@@ -898,7 +1164,7 @@ optimized which significantly reduced the number of Git requests. With v1.1 rele
 #### User Defined Application Metadata
 
 User-defined Application metadata enables the user to define a list of useful URLs for their specific application and expose those links on the UI
-(e.g. reference tp a CI pipeline or an application-specific management tool). These links should provide helpful shortcuts that make easier to integrate Argo CD into existing
+(e.g. reference to a CI pipeline or an application-specific management tool). These links should provide helpful shortcuts that make easier to integrate Argo CD into existing
 systems by making it easier to find other components inside and outside Argo CD.
 
 ### Deprecation Notice
@@ -1262,7 +1528,7 @@ has a minimum client version of v0.12.0. Older CLI clients will be rejected.
 * Deprecate componentParameterOverrides in favor of source specific config (#1207)
 * Support talking to Dex using local cluster address instead of public address (#1211)
 * Use Recreate deployment strategy for controller (#1315)
-* Honor os environment variables for helm commands (#1306) (@1337andre)
+* Honor OS environment variables for helm commands (#1306) (@1337andre)
 * Disable CGO_ENABLED for server/controller binaries (#1286)
 * Documentation fixes and improvements (@twz123, @yann-soubeyrand, @OmerKahani, @dulltz)
 - Fix CRD creation/deletion handling (#1249)
@@ -1352,7 +1618,7 @@ running Dex (e.g. Okta, OneLogin, Auth0, Microsoft, etc...)
 The optional, [Dex IDP OIDC provider](https://github.com/dexidp/dex) is still bundled as part of the
 default installation, in order to provide a seamless out-of-box experience, enabling Argo CD to
 integrate with non-OIDC providers, and to benefit from Dex's full range of
-[connectors](https://github.com/dexidp/dex/tree/master/Documentation/connectors).
+[connectors](https://dexidp.io/docs/connectors/).
 
 #### OIDC group bindings to Project Roles
 OIDC group claims from an OAuth2 provider can now be bound to a Argo CD project roles. Previously,
@@ -1754,8 +2020,8 @@ RBAC policy rules, need to be rewritten to include one extra column with the eff
 + Override parameters
 
 ## v0.1.0 (2018-03-12)
-+ Define app in Github with dev and preprod environment using KSonnet
++ Define app in GitHub with dev and preprod environment using KSonnet
 + Add cluster Diff App with a cluster Deploy app in a cluster
 + Deploy a new version of the app in the cluster
-+ App sync based on Github app config change - polling only
++ App sync based on GitHub app config change - polling only
 + Basic UI: App diff between Git and k8s cluster for all environments Basic GUI

Dockerfile

@@ -1,10 +1,10 @@
-ARG BASE_IMAGE=debian:10-slim
+ARG BASE_IMAGE=docker.io/library/ubuntu:21.04
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM golang:1.14.12 as builder
+FROM docker.io/library/golang:1.16.11 as builder
 
 RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
@@ -17,6 +17,7 @@ RUN apt-get update && apt-get install -y \
     make \
     wget \
     gcc \
+    sudo \
     zip && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -27,8 +28,6 @@ ADD hack/install.sh .
 ADD hack/installers installers
 ADD hack/tool-versions.sh .
 
-RUN ./install.sh packr-linux
-RUN ./install.sh kubectl-linux
 RUN ./install.sh ksonnet-linux
 RUN ./install.sh helm2-linux
 RUN ./install.sh helm-linux
@@ -41,16 +40,16 @@ FROM $BASE_IMAGE as argocd-base
 
 USER root
 
-RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
+ENV DEBIAN_FRONTEND=noninteractive
 
 RUN groupadd -g 999 argocd && \
     useradd -r -u 999 -g argocd argocd && \
     mkdir -p /home/argocd && \
     chown argocd:0 /home/argocd && \
     chmod g=u /home/argocd && \
-    chmod g=u /etc/passwd && \
     apt-get update && \
-    apt-get install -y git git-lfs python3-pip tini gpg && \
+    apt-get dist-upgrade -y && \
+    apt-get install -y git git-lfs python3-pip tini gpg tzdata && \
     apt-get clean && \
     pip3 install awscli==1.18.80 && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -61,11 +60,10 @@ COPY hack/git-verify-wrapper.sh /usr/local/bin/git-verify-wrapper.sh
 COPY --from=builder /usr/local/bin/ks /usr/local/bin/ks
 COPY --from=builder /usr/local/bin/helm2 /usr/local/bin/helm2
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
-COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
-# script to add current (possibly arbitrary) user to /etc/passwd at runtime
-# (if it's not already there, to be openshift friendly)
-COPY uid_entrypoint.sh /usr/local/bin/uid_entrypoint.sh
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+# keep uid_entrypoint.sh for backward compatibility
+RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh
 
 # support for mounting configuration from a configmap
 RUN mkdir -p /app/config/ssh && \
@@ -87,7 +85,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM node:12.18.4 as argocd-ui
+FROM docker.io/library/node:12.18.4 as argocd-ui
 
 WORKDIR /src
 ADD ["ui/package.json", "ui/yarn.lock", "./"]
@@ -98,14 +96,12 @@ ADD ["ui/", "."]
 
 ARG ARGO_VERSION=latest
 ENV ARGO_VERSION=$ARGO_VERSION
-RUN NODE_ENV='production' yarn build
+RUN NODE_ENV='production' NODE_ONLINE_ENV='online' yarn build
 
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM golang:1.14.12 as argocd-build
-
-COPY --from=builder /usr/local/bin/packr /usr/local/bin/packr
+FROM docker.io/library/golang:1.16.11 as argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 
@@ -116,12 +112,13 @@ RUN go mod download
 
 # Perform the build
 COPY . .
-RUN make cli-local server controller repo-server argocd-util
+COPY --from=argocd-ui /src/dist/app /go/src/github.com/argoproj/argo-cd/ui/dist/app
+RUN make argocd-all
 
 ARG BUILD_ALL_CLIS=true
 RUN if [ "$BUILD_ALL_CLIS" = "true" ] ; then \
-    make CLI_NAME=argocd-darwin-amd64 GOOS=darwin cli-local && \
-    make CLI_NAME=argocd-windows-amd64.exe GOOS=windows cli-local \
+    make BIN_NAME=argocd-darwin-amd64 GOOS=darwin argocd-all && \
+    make BIN_NAME=argocd-windows-amd64.exe GOOS=windows argocd-all \
     ; fi
 
 ####################################################################################################
@@ -129,4 +126,12 @@ RUN if [ "$BUILD_ALL_CLIS" = "true" ] ; then \
 ####################################################################################################
 FROM argocd-base
 COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/local/bin/
-COPY --from=argocd-ui ./src/dist/app /shared/app
+
+USER root
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-cmp-server
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex
+
+USER 999

Dockerfile.dev

@@ -2,5 +2,13 @@
 # argocd-dev
 ####################################################################################################
 FROM argocd-base
-COPY argocd* /usr/local/bin/
-COPY --from=argocd-ui ./src/dist/app /shared/app
+COPY argocd /usr/local/bin/
+COPY argocd-darwin-amd64 /usr/local/bin/
+COPY argocd-windows-amd64.exe /usr/local/bin/
+
+USER root
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex
+USER 999

Makefile

@@ -1,7 +1,8 @@
-PACKAGE=github.com/argoproj/argo-cd/common
+PACKAGE=github.com/argoproj/argo-cd/v2/common
 CURRENT_DIR=$(shell pwd)
 DIST_DIR=${CURRENT_DIR}/dist
 CLI_NAME=argocd
+BIN_NAME=argocd
 
 HOST_OS:=$(shell go env GOOS)
 HOST_ARCH:=$(shell go env GOARCH)
@@ -11,8 +12,8 @@ BUILD_DATE=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
 GIT_COMMIT=$(shell git rev-parse HEAD)
 GIT_TAG=$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)
 GIT_TREE_STATE=$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
-PACKR_CMD=$(shell if [ "`which packr`" ]; then echo "packr"; else echo "go run github.com/gobuffalo/packr/packr"; fi)
 VOLUME_MOUNT=$(shell if test "$(go env GOOS)" = "darwin"; then echo ":delegated"; elif test selinuxenabled; then echo ":delegated"; else echo ""; fi)
+KUBECTL_VERSION=$(shell go list -m all | grep k8s.io/client-go | cut -d ' ' -f5)
 
 GOPATH?=$(shell if test -x `which go`; then go env GOPATH; else echo "$(HOME)/go"; fi)
 GOCACHE?=$(HOME)/.cache/go-build
@@ -22,6 +23,11 @@ DOCKER_WORKDIR?=/go/src/github.com/argoproj/argo-cd
 
 ARGOCD_PROCFILE?=Procfile
 
+# Strict mode has been disabled in latest versions of mkdocs-material. 
+# Thus pointing to the older image of mkdocs-material matching the version used by argo-cd.
+MKDOCS_DOCKER_IMAGE?=squidfunk/mkdocs-material:4.1.1
+MKDOCS_RUN_ARGS?=
+
 # Configuration for building argocd-test-tools image
 TEST_TOOLS_NAMESPACE?=
 TEST_TOOLS_IMAGE=argocd-test-tools
@@ -37,6 +43,9 @@ ARGOCD_E2E_REPOSERVER_PORT?=8081
 ARGOCD_E2E_REDIS_PORT?=6379
 ARGOCD_E2E_DEX_PORT?=5556
 ARGOCD_E2E_YARN_HOST?=localhost
+ARGOCD_E2E_DISABLE_AUTH?=
+
+ARGOCD_E2E_TEST_TIMEOUT?=20m
 
 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
@@ -65,6 +74,10 @@ define run-in-test-server
 		-e ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
 		-e ARGOCD_E2E_TEST=$(ARGOCD_E2E_TEST) \
 		-e ARGOCD_E2E_YARN_HOST=$(ARGOCD_E2E_YARN_HOST) \
+		-e ARGOCD_E2E_DISABLE_AUTH=$(ARGOCD_E2E_DISABLE_AUTH) \
+		-e ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} \
+		-e ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} \
+		-e ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} \
 		-v ${DOCKER_SRC_MOUNT} \
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
@@ -73,6 +86,7 @@ define run-in-test-server
 		-w ${DOCKER_WORKDIR} \
 		-p ${ARGOCD_E2E_APISERVER_PORT}:8080 \
 		-p 4000:4000 \
+		-p 5000:5000 \
 		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
 		bash -c "$(1)"
 endef
@@ -118,7 +132,9 @@ override LDFLAGS += \
   -X ${PACKAGE}.version=${VERSION} \
   -X ${PACKAGE}.buildDate=${BUILD_DATE} \
   -X ${PACKAGE}.gitCommit=${GIT_COMMIT} \
-  -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}
+  -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}\
+  -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}\
+  -X ${PACKAGE}.kubectlVersion=${KUBECTL_VERSION}
 
 ifeq (${STATIC_BUILD}, true)
 override LDFLAGS += -extldflags "-static"
@@ -142,7 +158,7 @@ IMAGE_PREFIX=${IMAGE_NAMESPACE}/
 endif
 
 .PHONY: all
-all: cli image argocd-util
+all: cli image
 
 # We have some legacy requirements for being checked out within $GOPATH.
 # The ensure-gopath target can be used as dependency to ensure we are running
@@ -193,11 +209,7 @@ cli: test-tools-image
 
 .PHONY: cli-local
 cli-local: clean-debug
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd/argocd
-
-.PHONY: cli-argocd
-cli-argocd:
-	go build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd/argocd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
 
 .PHONY: release-cli
 release-cli: clean-debug image
@@ -207,16 +219,6 @@ release-cli: clean-debug image
 	docker cp tmp-argocd-linux:/usr/local/bin/argocd-windows-amd64.exe ${DIST_DIR}/argocd-windows-amd64.exe
 	docker rm tmp-argocd-linux
 
-.PHONY: argocd-util
-argocd-util: clean-debug
-	# Build argocd-util as a statically linked binary, so it could run within the alpine-based dex container (argoproj/argo-cd#844)
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
-
-# .PHONY: dev-tools-image
-# dev-tools-image:
-# 	docker build -t $(DEV_TOOLS_PREFIX)$(DEV_TOOLS_IMAGE) . -f hack/Dockerfile.dev-tools
-# 	docker tag $(DEV_TOOLS_PREFIX)$(DEV_TOOLS_IMAGE) $(DEV_TOOLS_PREFIX)$(DEV_TOOLS_IMAGE):$(DEV_TOOLS_VERSION)
-
 .PHONY: test-tools-image
 test-tools-image:
 	docker build --build-arg UID=$(shell id -u) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
@@ -230,24 +232,22 @@ manifests-local:
 manifests: test-tools-image
 	$(call run-in-test-client,make manifests-local IMAGE_NAMESPACE='${IMAGE_NAMESPACE}' IMAGE_TAG='${IMAGE_TAG}')
 
+# consolidated binary for cli, util, server, repo-server, controller
+.PHONY: argocd-all
+argocd-all: clean-debug
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
 
-# NOTE: we use packr to do the build instead of go, since we embed swagger files and policy.csv
-# files into the go binary
 .PHONY: server
 server: clean-debug
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd/argocd-server
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd
 
 .PHONY: repo-server
 repo-server:
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd
 
 .PHONY: controller
 controller:
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd/argocd-application-controller
-
-.PHONY: packr
-packr:
-	go build -o ${DIST_DIR}/packr github.com/gobuffalo/packr/packr/
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd
 
 .PHONY: image
 ifeq ($(DEV_IMAGE), true)
@@ -255,16 +255,19 @@ ifeq ($(DEV_IMAGE), true)
 # which speeds up builds. Dockerfile.dev needs to be copied into dist to perform the build, since
 # the dist directory is under .dockerignore.
 IMAGE_TAG="dev-$(shell git describe --always --dirty)"
-image: packr
+image:
 	docker build -t argocd-base --target argocd-base .
 	docker build -t argocd-ui --target argocd-ui .
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd/argocd-server
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd/argocd-application-controller
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd/argocd
-	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-darwin-amd64 ./cmd/argocd
-	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-windows-amd64.exe ./cmd/argocd
+	find ./ui/dist -type f -not -name gitkeep -delete
+	docker run -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-darwin-amd64 ./cmd
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-windows-amd64.exe ./cmd
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-server
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-application-controller
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-repo-server
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-cmp-server
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-dex
 	cp Dockerfile.dev dist
 	docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
 else
@@ -290,7 +293,7 @@ mod-download: test-tools-image
 
 .PHONY: mod-download-local
 mod-download-local:
-	go mod download
+	go mod download && go mod tidy # go mod download changes go.sum https://github.com/golang/go/issues/42970
 
 .PHONY: mod-vendor
 mod-vendor: test-tools-image
@@ -380,7 +383,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout 20m -v ./test/e2e
+	ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v ./test/e2e
 
 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@@ -407,19 +410,21 @@ start-e2e-local:
 	if test -d /tmp/argo-e2e/app/config/gpg; then rm -rf /tmp/argo-e2e/app/config/gpg/*; fi
 	mkdir -p /tmp/argo-e2e/app/config/gpg/keys && chmod 0700 /tmp/argo-e2e/app/config/gpg/keys
 	mkdir -p /tmp/argo-e2e/app/config/gpg/source && chmod 0700 /tmp/argo-e2e/app/config/gpg/source
+	mkdir -p /tmp/argo-e2e/app/config/plugin && chmod 0700 /tmp/argo-e2e/app/config/plugin
 	# set paths for locally managed ssh known hosts and tls certs data
 	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
 	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
 	ARGOCD_GPG_DATA_PATH=/tmp/argo-e2e/app/config/gpg/source \
 	ARGOCD_GNUPGHOME=/tmp/argo-e2e/app/config/gpg/keys \
-	ARGOCD_GPG_ENABLED=true \
+	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
+	ARGOCD_PLUGINCONFIGFILEPATH=/tmp/argo-e2e/app/config/plugin \
 	ARGOCD_E2E_DISABLE_AUTH=false \
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
 	ARGOCD_E2E_TEST=true \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 
-# Cleans VSCode debug.test files from sub-dirs to prevent them from being included in packr boxes
+# Cleans VSCode debug.test files from sub-dirs to prevent them from being included in by golang embed
 .PHONY: clean-debug
 clean-debug:
 	-find ${CURRENT_DIR} -name debug.test | xargs rm -f
@@ -435,7 +440,7 @@ start: test-tools-image
 
 # Starts a local instance of ArgoCD
 .PHONY: start-local
-start-local: mod-vendor-local
+start-local: mod-vendor-local dep-ui-local
 	# check we can connect to Docker to start Redis
 	killall goreman || true
 	kubectl create ns argocd || true
@@ -445,10 +450,16 @@ start-local: mod-vendor-local
 	mkdir -p /tmp/argocd-local/gpg/source
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=false \
-	ARGOCD_GPG_ENABLED=true \
+	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
 	ARGOCD_E2E_TEST=false \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 
+# Run goreman start with exclude option , provide exclude env variable with list of services
+.PHONY: run
+run:
+	bash ./hack/goreman-start.sh
+
+
 # Runs pre-commit validation with the virtualized toolchain
 .PHONY: pre-commit
 pre-commit: codegen build lint test
@@ -466,23 +477,27 @@ release-precheck: manifests
 .PHONY: release
 release: pre-commit release-precheck image release-cli
 
+.PHONY: build-docs-local
+build-docs-local:
+	mkdocs build
+
 .PHONY: build-docs
 build-docs:
-	mkdocs build
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} build
+
+.PHONY: serve-docs-local
+serve-docs-local:
+	mkdocs serve
 
 .PHONY: serve-docs
 serve-docs:
-	mkdocs serve
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} serve -a 0.0.0.0:8000
 
 .PHONY: lint-docs
 lint-docs:
 	#  https://github.com/dkhamsing/awesome_bot
 	find docs -name '*.md' -exec grep -l http {} + | xargs docker run --rm -v $(PWD):/mnt:ro dkhamsing/awesome_bot -t 3 --allow-dupe --allow-redirect --white-list `cat white-list | grep -v "#" | tr "\n" ','` --skip-save-results --
 
-.PHONY: publish-docs
-publish-docs: lint-docs
-	mkdocs gh-deploy
-
 # Verify that kubectl can connect to your K8s cluster from Docker
 .PHONY: verify-kube-connect
 verify-kube-connect: test-tools-image
@@ -503,17 +518,15 @@ install-tools-local: install-test-tools-local install-codegen-tools-local instal
 # Installs all tools required for running unit & end-to-end tests (Linux packages)
 .PHONY: install-test-tools-local
 install-test-tools-local:
-	sudo ./hack/install.sh packr-linux
-	sudo ./hack/install.sh kubectl-linux
-	sudo ./hack/install.sh kustomize-linux
-	sudo ./hack/install.sh ksonnet-linux
-	sudo ./hack/install.sh helm2-linux
-	sudo ./hack/install.sh helm-linux
+	./hack/install.sh kustomize-linux
+	./hack/install.sh ksonnet-linux
+	./hack/install.sh helm2-linux
+	./hack/install.sh helm-linux
 
 # Installs all tools required for running codegen (Linux packages)
 .PHONY: install-codegen-tools-local
 install-codegen-tools-local:
-	sudo ./hack/install.sh codegen-tools
+	./hack/install.sh codegen-tools
 
 # Installs all tools required for running codegen (Go packages)
 .PHONY: install-go-tools-local
@@ -526,3 +539,6 @@ dep-ui: test-tools-image
 
 dep-ui-local:
 	cd ui && yarn install
+
+start-test-k8s:
+	go run ./hack/k8s

OWNERS

@@ -5,13 +5,19 @@ owners:
 approvers:
 - alexec
 - alexmt
-- dthomson25
 - jannfis
 - jessesuen
+- jgwest
 - mayzhang2000
-- rachelwang20
+- rbreeze
 
 reviewers:
-- jgwest
-- wtam2018
+- dthomson25
 - tetchel
+- wtam2018
+- ishitasequeira
+- reginapizza
+- hblixt
+- chetan-rns
+- wanghong230
+- pasha-codefresh

Procfile

@@ -1,8 +1,9 @@
-controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} go run ./cmd/argocd-application-controller/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --staticassets ui/dist/app"
-dex: sh -c "go run github.com/argoproj/argo-cd/cmd/argocd-util gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml quay.io/dexidp/dex:v2.25.0 serve /dex.yaml"
-redis: docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:5.0.10-alpine --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}
-repo-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} go run ./cmd/argocd-repo-server/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
+controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller go run ./cmd/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server go run ./cmd/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} "
+dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.30.2 dex serve /dex.yaml"
+redis: bash -c "if [ \"$ARGOCD_REDIS_LOCAL\" == 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:6.2.6-alpine --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
+repo-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-/tmp/argo-e2e/app/config/plugin}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} go run ./cmd/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
+helm-registry: test/fixture/testrepos/start-helm-registry.sh
 dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}

README.md

@@ -2,6 +2,7 @@
 [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
 [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
 [![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486)
 
 # Argo CD - Declarative Continuous Delivery for Kubernetes
 
@@ -11,6 +12,8 @@ Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
 
 ![Argo CD UI](docs/assets/argocd-ui.gif)
 
+[![Argo CD Demo](https://img.youtube.com/vi/0WAm0y2vLIo/0.jpg)](https://youtu.be/0WAm0y2vLIo)
+
 ## Why Argo CD?
 
 1. Application definitions, configurations, and environments should be declarative and version controlled.
@@ -22,23 +25,50 @@ Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
 
 ## Documentation
 
-To learn more about Argo CD [go to the complete documentation](https://argoproj.github.io/argo-cd/).
+To learn more about Argo CD [go to the complete documentation](https://argo-cd.readthedocs.io/).
 Check live demo at https://cd.apps.argoproj.io/.
 
-## Community Blogs and Presentations
+## Community
 
+### Contribution, Discussion and Support
+
+ You can reach the Argo CD community and developers via the following channels:
+
+* Q & A : [Github Discussions](https://github.com/argoproj/argo-cd/discussions)
+* Chat : [The #argo-cd Slack channel](https://argoproj.github.io/community/join-slack)
+* Contributors Office Hours: [Every Thursday](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1ttgw98MO45Dq7ZUHpIiOIEfbyeitKHNfMjbY5dLLMKQ)
+* User Community meeting: [Every other Wednesday](https://calendar.google.com/calendar/u/0/embed?src=argoproj@gmail.com) | [Agenda](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8)
+
+
+Participation in the Argo CD project is governed by the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md)
+
+
+### Blogs and Presentations
+
+1. [Awesome-Argo: A Curated List of Awesome Projects and Resources Related to Argo](https://github.com/terrytangyuan/awesome-argo)
+1. [GitOps Without Pipelines With ArgoCD Image Updater](https://youtu.be/avPUQin9kzU)
+1. [Combining Argo CD (GitOps), Crossplane (Control Plane), And KubeVela (OAM)](https://youtu.be/eEcgn_gU3SM)
+1. [How to Apply GitOps to Everything - Combining Argo CD and Crossplane](https://youtu.be/yrj4lmScKHQ)
+1. [Couchbase - How To Run a Database Cluster in Kubernetes Using Argo CD](https://youtu.be/nkPoPaVzExY)
+1. [Automation of Everything - How To Combine Argo Events, Workflows & Pipelines, CD, and Rollouts](https://youtu.be/XNXJtxkUKeY)
 1. [Environments Based On Pull Requests (PRs): Using Argo CD To Apply GitOps Principles On Previews](https://youtu.be/cpAaI8p4R60)
 1. [Argo CD: Applying GitOps Principles To Manage Production Environment In Kubernetes](https://youtu.be/vpWQeoaiRM4)
+1. [Creating Temporary Preview Environments Based On Pull Requests With Argo CD And Codefresh](https://codefresh.io/continuous-deployment/creating-temporary-preview-environments-based-pull-requests-argo-cd-codefresh/)
 1. [Tutorial: Everything You Need To Become A GitOps Ninja](https://www.youtube.com/watch?v=r50tRQjisxw) 90m tutorial on GitOps and Argo CD.
 1. [Comparison of Argo CD, Spinnaker, Jenkins X, and Tekton](https://www.inovex.de/blog/spinnaker-vs-argo-cd-vs-tekton-vs-jenkins-x/)
-1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager 3.1.2](https://medium.com/ibm-cloud/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2-4395af317359)
+1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager 3.1.2](https://www.ibm.com/cloud/blog/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2)
 1. [GitOps for Kubeflow using Argo CD](https://v0-6.kubeflow.org/docs/use-cases/gitops-for-kubeflow/)
 1. [GitOps Toolsets on Kubernetes with CircleCI and Argo CD](https://www.digitalocean.com/community/tutorials/webinar-series-gitops-tool-sets-on-kubernetes-with-circleci-and-argo-cd)
-1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager](https://www.ibm.com/blogs/bluemix/2019/02/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2/)
 1. [CI/CD in Light Speed with K8s and Argo CD](https://www.youtube.com/watch?v=OdzH82VpMwI&feature=youtu.be)
 1. [Machine Learning as Code](https://www.youtube.com/watch?v=VXrGp5er1ZE&t=0s&index=135&list=PLj6h78yzYM2PZf9eA7bhWnIh_mK1vyOfU). Among other things, describes how Kubeflow uses Argo CD to implement GitOPs for ML
 1. [Argo CD - GitOps Continuous Delivery for Kubernetes](https://www.youtube.com/watch?v=aWDIQMbp1cc&feature=youtu.be&t=1m4s)
 1. [Introduction to Argo CD : Kubernetes DevOps CI/CD](https://www.youtube.com/watch?v=2WSJF7d8dUg&feature=youtu.be)
-1. [GitOps Deployment and Kubernetes - using ArgoCD](https://medium.com/riskified-technology/gitops-deployment-and-kubernetes-f1ab289efa4b)
+1. [GitOps Deployment and Kubernetes - using Argo CD](https://medium.com/riskified-technology/gitops-deployment-and-kubernetes-f1ab289efa4b)
 1. [Deploy Argo CD with Ingress and TLS in Three Steps: No YAML Yak Shaving Required](https://itnext.io/deploy-argo-cd-with-ingress-and-tls-in-three-steps-no-yaml-yak-shaving-required-bc536d401491)
 1. [GitOps Continuous Delivery with Argo and Codefresh](https://codefresh.io/events/cncf-member-webinar-gitops-continuous-delivery-argo-codefresh/)
+1. [Stay up to date with Argo CD and Renovate](https://mjpitz.com/blog/2020/12/03/renovate-your-gitops/)
+1. [Setting up Argo CD with Helm](https://www.arthurkoziel.com/setting-up-argocd-with-helm/)
+1. [Applied GitOps with Argo CD](https://thenewstack.io/applied-gitops-with-argocd/)
+1. [Solving configuration drift using GitOps with Argo CD](https://www.cncf.io/blog/2020/12/17/solving-configuration-drift-using-gitops-with-argo-cd/)
+1. [Decentralized GitOps over environments](https://blogs.sap.com/2021/05/06/decentralized-gitops-over-environments/)
+1. [How GitOps and Operators mark the rise of Infrastructure-As-Software](https://paytmlabs.com/blog/2021/10/how-to-improve-operational-work-with-operators-and-gitops/)

SECURITY.md

@@ -0,0 +1,66 @@
+# Security Policy for Argo CD
+
+Version: **v1.2 (2020-08-07)**
+
+## Preface
+
+As a deployment tool, Argo CD needs to have production access which makes
+security a very important topic. The Argoproj team takes security very
+seriously and is continuously working on improving it. 
+
+## A word about security scanners
+
+Many organisations these days employ security scanners to validate their
+container images before letting them on their clusters, and that is a good
+thing. However, the quality and results of these scanners vary greatly,
+many of them produce false positives and require people to look at the
+issues reported and validate them for correctness. A great example of that
+is, that some scanners report kernel vulnerabilities for container images
+just because they are derived from some distribution.
+
+We kindly ask you to not raise issues or contact us regarding any issues
+that are found by your security scanner. Many of those produce a lot of false
+positives, and many of these issues don't affect Argo CD. We do have scanners
+in place for our code, dependencies and container images that we publish. We
+are well aware of the issues that may affect Argo CD and are constantly
+working on the remediation of those that affect Argo CD and our users.
+
+If you believe that we might have missed an issue that we should take a look
+at (that can happen), then please discuss it with us. But please, do validate
+that assumption before at least roughly.
+
+## Supported Versions
+
+We currently support the most recent release (`N`, e.g. `1.8`) and the release
+previous to the most recent one (`N-1`, e.g. `1.7`). With the release of
+`N+1`, `N-1` drops out of support and `N` becomes `N-1`.
+
+We regularly perform patch releases (e.g. `1.8.5` and `1.7.12`) for the
+supported versions, which will contain fixes for security vulnerabilities and
+important bugs. Prior releases might receive critical security fixes on a best
+effort basis, however, it cannot be guaranteed that security fixes get
+back-ported to these unsupported versions.
+
+In rare cases, where a security fix needs complex re-design of a feature or is
+otherwise very intrusive, and there's a workaround available, we may decide to
+provide a forward-fix only, e.g. to be released the next minor release, instead
+of releasing it within a patch branch for the currently supported releases.
+
+## Reporting a Vulnerability
+
+If you find a security related bug in ArgoCD, we kindly ask you for responsible
+disclosure and for giving us appropriate time to react, analyze and develop a
+fix to mitigate the found security vulnerability.
+
+We will do our best to react quickly on your inquiry, and to coordinate a fix
+and disclosure with you. Sometimes, it might take a little longer for us to
+react (e.g. out of office conditions), so please bear with us in these cases.
+
+We will publish security advisiories using the
+[Git Hub Security Advisories](https://github.com/argoproj/argo-cd/security/advisories)
+feature to keep our community well informed, and will credit you for your
+findings (unless you prefer to stay anonymous, of course).
+
+Please report vulnerabilities by e-mail to the following address: 
+
+* cncf-argo-security@lists.cncf.io

SECURITY_CONTACTS

@@ -1,7 +1,7 @@
 # Defined below are the security contacts for this repo.
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
-# INSTRUCTIONS AT https://argoproj.github.io/argo-cd/security_considerations/#reporting-vulnerabilities
+# INSTRUCTIONS AT https://argo-cd.readthedocs.io/en/latest/security_considerations/#reporting-vulnerabilities
 
 alexmt
 edlee2121

USERS.md

@@ -6,101 +6,175 @@ Currently, the following organizations are **officially** using Argo CD:
 
 1. [127Labs](https://127labs.com/)
 1. [3Rein](https://www.3rein.com/)
+1. [7shifts](https://www.7shifts.com/)
 1. [Adevinta](https://www.adevinta.com/)
-1. [AppDirect](https://www.appdirect.com)
+1. [Adventure](https://jp.adventurekk.com/)
+1. [Akuity](https://akuity.io/)
+1. [Alibaba Group](https://www.alibabagroup.com/)
+1. [Ambassador Labs](https://www.getambassador.io/)
+1. [Ant Group](https://www.antgroup.com/)
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
-1. [ARZ Allgemeines Rechenzentrum GmbH ](https://www.arz.at/)
+1. [AppDirect](https://www.appdirect.com)
 1. [Arctiq Inc.](https://www.arctiq.ca)
+1. [ARZ Allgemeines Rechenzentrum GmbH ](https://www.arz.at/)
+1. [Axual B.V.](https://axual.com)
 1. [Baloise](https://www.baloise.com)
 1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
 1. [Beat](https://thebeat.co/en/)
 1. [Beez Innovation Labs](https://www.beezlabs.com/)
 1. [BioBox Analytics](https://biobox.io)
+1. [BigPanda](https://bigpanda.io)
+1. [BMW Group](https://www.bmwgroup.com/)
 1. [Camptocamp](https://camptocamp.com)
+1. [Capital One](https://www.capitalone.com)
 1. [CARFAX](https://www.carfax.com)
 1. [Celonis](https://www.celonis.com/)
+1. [Chime](https://www.chime.com)
+1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
 1. [Commonbond](https://commonbond.co/)
+1. [Crédit Agricole CIB](https://www.ca-cib.com)
+1. [CROZ d.o.o.](https://croz.net/)
 1. [CyberAgent](https://www.cyberagent.co.jp/en/)
 1. [Cybozu](https://cybozu-global.com)
+1. [Chargetrip](https://chargetrip.com)
 1. [D2iQ](https://www.d2iq.com)
+1. [Devtron Labs](https://github.com/devtron-labs/devtron)
 1. [EDF Renewables](https://www.edf-re.com/)
 1. [edX](https://edx.org)
 1. [Electronic Arts Inc. ](https://www.ea.com)
 1. [Elium](https://www.elium.com)
 1. [END.](https://www.endclothing.com/)
+1. [Energisme](https://energisme.com/)
 1. [Fave](https://myfave.com)
 1. [Future PLC](https://www.futureplc.com/)
 1. [Garner](https://www.garnercorp.com)
+1. [G DATA CyberDefense AG](https://www.gdata-software.com/)
+1. [Generali Deutschland AG](https://www.generali.de/)
+1. [Gitpod](https://www.gitpod.io)
+1. [Glovo](https://www.glovoapp.com)
 1. [GMETRI](https://gmetri.com/)
+1. [Gojek](https://www.gojek.io/)
 1. [Greenpass](https://www.greenpass.com.br/)
+1. [Handelsbanken](https://www.handelsbanken.se)
 1. [Healy](https://www.healyworld.net)
 1. [hipages](https://hipages.com.au/)
+1. [Hiya](https://hiya.com)
 1. [Honestbank](https://honestbank.com)
+1. [IBM](https://www.ibm.com/)
+1. [IITS-Consulting](https://iits-consulting.de)
+1. [Index Exchange](https://www.indexexchange.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Intuit](https://www.intuit.com/)
+1. [Joblift](https://joblift.com/)
+1. [JovianX](https://www.jovianx.com/)
+1. [Karrot](https://www.daangn.com/)
+1. [KarrotPay](https://www.daangnpay.com/)
 1. [Kasa](https://kasa.co.kr/)
+1. [Keptn](https://keptn.sh)
+1. [Kinguin](https://www.kinguin.net/)
 1. [KintoHub](https://www.kintohub.com/)
 1. [KompiTech GmbH](https://www.kompitech.com/)
+1. [LexisNexis](https://www.lexisnexis.com/)
 1. [LINE](https://linecorp.com/en/)
 1. [Lytt](https://www.lytt.co/)
 1. [Major League Baseball](https://mlb.com)
 1. [Mambu](https://www.mambu.com/)
+1. [Mattermost](https://www.mattermost.com)
 1. [Max Kelsen](https://www.maxkelsen.com/)
+1. [MindSpore](https://mindspore.cn)
 1. [Mirantis](https://mirantis.com/)
+1. [mixi Group](https://mixi.co.jp/)
+1. [Moengage](https://www.moengage.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
 1. [MOO Print](https://www.moo.com/)
+1. [MTN Group](https://www.mtn.com/)
+1. [Natura &Co](https://naturaeco.com/)
+1. [New Relic](https://newrelic.com/)
+1. [Nextdoor](https://nextdoor.com/)
 1. [Nikkei](https://www.nikkei.co.jp/nikkeiinfo/en/)
+1. [Octadesk](https://octadesk.com)
+1. [openEuler](https://openeuler.org)
+1. [openGauss](https://opengauss.org/)
+1. [openLooKeng](https://openlookeng.io)
 1. [OpenSaaS Studio](https://opensaas.studio)
 1. [Opensurvey](https://www.opensurvey.co.kr/)
 1. [Optoro](https://www.optoro.com/)
+1. [Orbital Insight](https://orbitalinsight.com/)
+1. [Packlink](https://www.packlink.com/)
+1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
 1. [Pipefy](https://www.pipefy.com/)
+1. [Polarpoint.io](https://polarpoint.io)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Prudential](https://prudential.com.sg)
 1. [PUBG](https://www.pubg.com)
+1. [Qonto](https://qonto.com)
 1. [QuintoAndar](https://quintoandar.com.br)
 1. [Quipper](https://www.quipper.com/)
+1. [Recreation.gov](https://www.recreation.gov/)
 1. [Red Hat](https://www.redhat.com/)
-1. [Robotinfra](https://www.robotinfra.com)
 1. [Riskified](https://www.riskified.com/)
+1. [Robotinfra](https://www.robotinfra.com)
 1. [Saildrone](https://www.saildrone.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
+1. [Schwarz IT](https://jobs.schwarz/it-mission)
+1. [Snyk](https://snyk.io/)
+1. [Speee](https://speee.jp/)
+1. [Spendesk](https://spendesk.com/)
+1. [Sumo Logic](https://sumologic.com/)
+1. [Sutpc](http://www.sutpc.com/)
 1. [Swisscom](https://www.swisscom.ch)
 1. [Swissquote](https://github.com/swissquote)
 1. [Syncier](https://syncier.com/)
 1. [TableCheck](https://tablecheck.com/)
+1. [Tailor Brands](https://www.tailorbrands.com)
 1. [Tesla](https://tesla.com/)
 1. [ThousandEyes](https://www.thousandeyes.com/)
 1. [Ticketmaster](https://ticketmaster.com)
 1. [Tiger Analytics](https://www.tigeranalytics.com/)
+1. [Tigera](https://www.tigera.io/)
 1. [Toss](https://toss.im/en)
 1. [tru.ID](https://tru.id)
 1. [Twilio SendGrid](https://sendgrid.com)
 1. [tZERO](https://www.tzero.com/)
+1. [ungleich.ch](https://ungleich.ch/)
 1. [UBIO](https://ub.io/)
 1. [UFirstGroup](https://www.ufirstgroup.com/en/)
 1. [Universidad Mesoamericana](https://www.umes.edu.gt/)
 1. [Viaduct](https://www.viaduct.ai/)
+1. [Virtuo](https://www.govirtuo.com/)
+1. [VISITS Technologies](https://visits.world/en)
 1. [Volvo Cars](https://www.volvocars.com/)
 1. [VSHN - The DevOps Company](https://vshn.ch/)
 1. [Walkbase](https://www.walkbase.com/)
-1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
-1. [Yieldlab](https://www.yieldlab.de/)
-1. [MTN Group](https://www.mtn.com/)
-1. [Moengage](https://www.moengage.com/)
-1. [LexisNexis](https://www.lexisnexis.com/)
-1. [PayPay](https://paypay.ne.jp/)
-1. [New Relic](https://newrelic.com/)
-1. [Sumo Logic](https://sumologic.com/)
-1. [Kinguin](https://www.kinguin.net/)
-1. [Speee](https://speee.jp/)
-1. [VISITS Technologies](https://visits.world/en)
-1. [Qonto](https://qonto.com)
-1. [openEuler](https://openeuler.org)
-1. [MindSpore](https://mindspore.cn)
-1. [openLooKeng](https://openlookeng.io)
-1. [openGauss](https://opengauss.org/)
-1. [Virtuo](https://www.govirtuo.com/)
+1. [Wehkamp](https://www.wehkamp.nl/)
 1. [WeMo Scooter](https://www.wemoscooter.com/)
-1. [Codefresh](https://www.codefresh.io/)
+1. [Webstores](https://www.webstores.nl)
+1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
+1. [Witick](https://witick.io/)
+1. [WooliesX](https://wooliesx.com.au/)
+1. [Woolworths Group](https://www.woolworthsgroup.com.au/)
+1. [WSpot](https://www.wspot.com.br/)
+1. [Yieldlab](https://www.yieldlab.de/)
+1. [Zimpler](https://www.zimpler.com/)
+1. [Sap Labs](http://sap.com)
+1. [Smilee.io](https://smilee.io)
+1. [Metanet](http://www.metanet.co.kr/en/)
+1. [Unifonic Inc](https://www.unifonic.com/)
+1. [Tamkeen Technologies](https://tamkeentech.sa/)
+1. [Kaltura](https://corp.kaltura.com/)
+1. [Boticario](https://www.boticario.com.br/)
+1. [Beleza Na Web](https://www.belezanaweb.com.br/)
+1. [MariaDB](https://mariadb.com)
+1. [Lightricks](https://www.lightricks.com/)
+1. [RightRev](https://rightrev.com/)
+1. [MeDirect](https://medirect.com.mt/)
+1. [Snapp](https://snapp.ir/)
+1. [Technacy](https://www.technacy.it/)
+1. [freee](https://corp.freee.co.jp/en/company/)
+1. [Youverify](https://youverify.co/)
+1. [Keeeb](https://www.keeeb.com/)
+1. [p3r](https://www.p3r.one/)
+1. [Faro](https://www.faro.com/)
+1. [Rise](https://www.risecard.eu/)

VERSION

@@ -1 +1 @@
-1.8.0
+2.2.4

assets/embed.go

@@ -0,0 +1,7 @@
+package assets
+
+import "embed"
+
+// Embedded contains embedded assets
+//go:embed *
+var Embedded embed.FS

assets/model.conf

@@ -11,4 +11,4 @@ g = _, _
 e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
 
 [matchers]
-m = g(r.sub, p.sub) && globMatch(r.res, p.res) && globMatch(r.act, p.act) && globMatch(r.obj, p.obj)
+m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -2,6 +2,7 @@ package commands
 
 import (
 	"context"
+	"fmt"
 	"math"
 	"time"
 
@@ -12,19 +13,21 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/controller"
-	"github.com/argoproj/argo-cd/controller/sharding"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/reposerver/apiclient"
-	cacheutil "github.com/argoproj/argo-cd/util/cache"
-	appstatecache "github.com/argoproj/argo-cd/util/cache/appstate"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/env"
-	"github.com/argoproj/argo-cd/util/errors"
-	kubeutil "github.com/argoproj/argo-cd/util/kube"
-	"github.com/argoproj/argo-cd/util/settings"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/controller"
+	"github.com/argoproj/argo-cd/v2/controller/sharding"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
+	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/env"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
+	"github.com/argoproj/argo-cd/v2/util/settings"
+	"github.com/argoproj/argo-cd/v2/util/tls"
 )
 
 const (
@@ -43,13 +46,15 @@ func NewCommand() *cobra.Command {
 		selfHealTimeoutSeconds   int
 		statusProcessors         int
 		operationProcessors      int
-		logFormat                string
-		logLevel                 string
 		glogLevel                int
 		metricsPort              int
+		metricsCacheExpiration   time.Duration
+		metricsAplicationLabels  []string
 		kubectlParallelismLimit  int64
 		cacheSrc                 func() (*appstatecache.Cache, error)
 		redisClient              *redis.Client
+		repoServerPlaintext      bool
+		repoServerStrictTLS      bool
 	)
 	var command = cobra.Command{
 		Use:               cliName,
@@ -57,8 +62,8 @@ func NewCommand() *cobra.Command {
 		Long:              "ArgoCD application controller is a Kubernetes controller that continuously monitors running applications and compares the current, live state against the desired target state (as specified in the repo). This command runs Application Controller in the foreground.  It can be configured by following options.",
 		DisableAutoGenTag: true,
 		RunE: func(c *cobra.Command, args []string) error {
-			cli.SetLogFormat(logFormat)
-			cli.SetLogLevel(logLevel)
+			cli.SetLogFormat(cmdutil.LogFormat)
+			cli.SetLogLevel(cmdutil.LogLevel)
 			cli.SetGLogLevel(glogLevel)
 
 			config, err := clientConfig.ClientConfig()
@@ -71,18 +76,49 @@ func NewCommand() *cobra.Command {
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
 
-			resyncDuration := time.Duration(appResyncPeriod) * time.Second
-			repoClientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
+			var resyncDuration time.Duration
+			if appResyncPeriod == 0 {
+				// Re-sync should be disabled if period is 0. Set duration to a very long duration
+				resyncDuration = time.Hour * 24 * 365 * 100
+			} else {
+				resyncDuration = time.Duration(appResyncPeriod) * time.Second
+			}
+
+			tlsConfig := apiclient.TLSConfiguration{
+				DisableTLS:       repoServerPlaintext,
+				StrictValidation: repoServerStrictTLS,
+			}
+
+			// Load CA information to use for validating connections to the
+			// repository server, if strict TLS validation was requested.
+			if !repoServerPlaintext && repoServerStrictTLS {
+				pool, err := tls.LoadX509CertPool(
+					fmt.Sprintf("%s/controller/tls/tls.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+					fmt.Sprintf("%s/controller/tls/ca.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+				)
+				if err != nil {
+					log.Fatalf("%v", err)
+				}
+				tlsConfig.Certificates = pool
+			}
+
+			repoClientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds, tlsConfig)
+
 			ctx, cancel := context.WithCancel(context.Background())
 			defer cancel()
 
 			cache, err := cacheSrc()
 			errors.CheckError(err)
+			cache.Cache.SetClient(cacheutil.NewTwoLevelClient(cache.Cache.GetClient(), 10*time.Minute))
 
-			settingsMgr := settings.NewSettingsManager(ctx, kubeClient, namespace)
+			var appController *controller.ApplicationController
+
+			settingsMgr := settings.NewSettingsManager(ctx, kubeClient, namespace, settings.WithRepoOrClusterChangedHandler(func() {
+				appController.InvalidateProjectsCache()
+			}))
 			kubectl := kubeutil.NewKubectl()
 			clusterFilter := getClusterFilter()
-			appController, err := controller.NewApplicationController(
+			appController, err = controller.NewApplicationController(
 				namespace,
 				settingsMgr,
 				kubeClient,
@@ -93,6 +129,8 @@ func NewCommand() *cobra.Command {
 				resyncDuration,
 				time.Duration(selfHealTimeoutSeconds)*time.Second,
 				metricsPort,
+				metricsCacheExpiration,
+				metricsAplicationLabels,
 				kubectlParallelismLimit,
 				clusterFilter)
 			errors.CheckError(err)
@@ -112,17 +150,21 @@ func NewCommand() *cobra.Command {
 	}
 
 	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	command.Flags().Int64Var(&appResyncPeriod, "app-resync", defaultAppResyncPeriod, "Time period in seconds for application resync.")
-	command.Flags().StringVar(&repoServerAddress, "repo-server", common.DefaultRepoServerAddr, "Repo server address.")
-	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
-	command.Flags().IntVar(&statusProcessors, "status-processors", 1, "Number of application status processors")
-	command.Flags().IntVar(&operationProcessors, "operation-processors", 1, "Number of application operation processors")
-	command.Flags().StringVar(&logFormat, "logformat", "text", "Set the logging format. One of: text|json")
-	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().Int64Var(&appResyncPeriod, "app-resync", int64(env.ParseDurationFromEnv("ARGOCD_RECONCILIATION_TIMEOUT", defaultAppResyncPeriod*time.Second, 0, math.MaxInt64).Seconds()), "Time period in seconds for application resync.")
+	command.Flags().StringVar(&repoServerAddress, "repo-server", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER", common.DefaultRepoServerAddr), "Repo server address.")
+	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")
+	command.Flags().IntVar(&statusProcessors, "status-processors", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS", 20, 0, math.MaxInt32), "Number of application status processors")
+	command.Flags().IntVar(&operationProcessors, "operation-processors", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS", 10, 0, math.MaxInt32), "Number of application operation processors")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDMetrics, "Start metrics server on given port")
-	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", 5, "Specifies timeout between application self heal attempts")
+	command.Flags().DurationVar(&metricsCacheExpiration, "metrics-cache-expiration", env.ParseDurationFromEnv("ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION", 0*time.Second, 0, math.MaxInt64), "Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)")
+	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS", 5, 0, math.MaxInt32), "Specifies timeout between application self heal attempts")
 	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", 20, "Number of allowed concurrent kubectl fork/execs. Any value less the 1 means no limit.")
+	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT", false), "Disable TLS on connections to repo server")
+	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS", false), "Whether to use strict validation of the TLS cert presented by the repo server")
+	command.Flags().StringSliceVar(&metricsAplicationLabels, "metrics-application-labels", []string{}, "List of Application labels that will be added to the argocd_application_labels metric")
 	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
 		redisClient = client
 	})

cmd/argocd-application-controller/main.go

@@ -1,22 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"os"
-
-	// load the gcp plugin (required to authenticate against GKE clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// load the oidc plugin (required to authenticate with OpenID Connect).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-	// load the azure plugin (required to authenticate with AKS clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
-
-	"github.com/argoproj/argo-cd/cmd/argocd-application-controller/commands"
-)
-
-func main() {
-	if err := commands.NewCommand().Execute(); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
-	}
-}

cmd/argocd-cmp-server/commands/argocd_cmp_server.go

@@ -0,0 +1,58 @@
+package commands
+
+import (
+	"time"
+
+	"github.com/argoproj/pkg/stats"
+	"github.com/spf13/cobra"
+
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/cmpserver"
+	"github.com/argoproj/argo-cd/v2/cmpserver/plugin"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+)
+
+const (
+	// CLIName is the name of the CLI
+	cliName = "argocd-cmp-server"
+)
+
+func NewCommand() *cobra.Command {
+	var (
+		configFilePath string
+	)
+	var command = cobra.Command{
+		Use:               cliName,
+		Short:             "Run ArgoCD ConfigManagementPlugin Server",
+		Long:              "ArgoCD ConfigManagementPlugin Server is an internal service which runs as sidecar container in reposerver deployment. It can be configured by following options.",
+		DisableAutoGenTag: true,
+		RunE: func(c *cobra.Command, args []string) error {
+			cli.SetLogFormat(cmdutil.LogFormat)
+			cli.SetLogLevel(cmdutil.LogLevel)
+
+			config, err := plugin.ReadPluginConfig(configFilePath)
+			errors.CheckError(err)
+
+			server, err := cmpserver.NewServer(plugin.CMPServerInitConstants{
+				PluginConfig: *config,
+			})
+			errors.CheckError(err)
+
+			// register dumper
+			stats.RegisterStackDumper()
+			stats.StartStatsTicker(10 * time.Minute)
+			stats.RegisterHeapDumper("memprofile")
+
+			// run argocd-cmp-server server
+			server.Run()
+			return nil
+		},
+	}
+
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().StringVar(&configFilePath, "config-dir-path", common.DefaultPluginConfigFilePath, "Config management plugin configuration file location, Default is '/home/argocd/cmp-server/config/'")
+	return &command
+}

cmd/argocd-dex/commands/argocd_dex.go

@@ -0,0 +1,202 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"syscall"
+
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/dex"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/settings"
+)
+
+const (
+	cliName = "argocd-dex"
+)
+
+func NewCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:               cliName,
+		Short:             "argocd-dex tools used by Argo CD",
+		Long:              "argocd-dex has internal utility tools used by Argo CD",
+		DisableAutoGenTag: true,
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+
+	command.AddCommand(NewRunDexCommand())
+	command.AddCommand(NewGenDexConfigCommand())
+
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	return command
+}
+
+func NewRunDexCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = cobra.Command{
+		Use:   "rundex",
+		Short: "Runs dex generating a config using settings from the Argo CD configmap and secret",
+		RunE: func(c *cobra.Command, args []string) error {
+			_, err := exec.LookPath("dex")
+			errors.CheckError(err)
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeClientset := kubernetes.NewForConfigOrDie(config)
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
+			prevSettings, err := settingsMgr.GetSettings()
+			errors.CheckError(err)
+			updateCh := make(chan *settings.ArgoCDSettings, 1)
+			settingsMgr.Subscribe(updateCh)
+
+			for {
+				var cmd *exec.Cmd
+				dexCfgBytes, err := dex.GenerateDexConfigYAML(prevSettings)
+				errors.CheckError(err)
+				if len(dexCfgBytes) == 0 {
+					log.Infof("dex is not configured")
+				} else {
+					err = ioutil.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0644)
+					errors.CheckError(err)
+					log.Debug(redactor(string(dexCfgBytes)))
+					cmd = exec.Command("dex", "serve", "/tmp/dex.yaml")
+					cmd.Stdout = os.Stdout
+					cmd.Stderr = os.Stderr
+					err = cmd.Start()
+					errors.CheckError(err)
+				}
+
+				// loop until the dex config changes
+				for {
+					newSettings := <-updateCh
+					newDexCfgBytes, err := dex.GenerateDexConfigYAML(newSettings)
+					errors.CheckError(err)
+					if string(newDexCfgBytes) != string(dexCfgBytes) {
+						prevSettings = newSettings
+						log.Infof("dex config modified. restarting dex")
+						if cmd != nil && cmd.Process != nil {
+							err = cmd.Process.Signal(syscall.SIGTERM)
+							errors.CheckError(err)
+							_, err = cmd.Process.Wait()
+							errors.CheckError(err)
+						}
+						break
+					} else {
+						log.Infof("dex config unmodified")
+					}
+				}
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	return &command
+}
+
+func NewGenDexConfigCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		out          string
+	)
+	var command = cobra.Command{
+		Use:   "gendexcfg",
+		Short: "Generates a dex config from Argo CD settings",
+		RunE: func(c *cobra.Command, args []string) error {
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeClientset := kubernetes.NewForConfigOrDie(config)
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
+			settings, err := settingsMgr.GetSettings()
+			errors.CheckError(err)
+			dexCfgBytes, err := dex.GenerateDexConfigYAML(settings)
+			errors.CheckError(err)
+			if len(dexCfgBytes) == 0 {
+				log.Infof("dex is not configured")
+				return nil
+			}
+			if out == "" {
+				dexCfg := make(map[string]interface{})
+				err := yaml.Unmarshal(dexCfgBytes, &dexCfg)
+				errors.CheckError(err)
+				if staticClientsInterface, ok := dexCfg["staticClients"]; ok {
+					if staticClients, ok := staticClientsInterface.([]interface{}); ok {
+						for i := range staticClients {
+							staticClient := staticClients[i]
+							if mappings, ok := staticClient.(map[string]interface{}); ok {
+								for key := range mappings {
+									if key == "secret" {
+										mappings[key] = "******"
+									}
+								}
+								staticClients[i] = mappings
+							}
+						}
+						dexCfg["staticClients"] = staticClients
+					}
+				}
+				errors.CheckError(err)
+				maskedDexCfgBytes, err := yaml.Marshal(dexCfg)
+				errors.CheckError(err)
+				fmt.Print(string(maskedDexCfgBytes))
+			} else {
+				err = ioutil.WriteFile(out, dexCfgBytes, 0644)
+				errors.CheckError(err)
+			}
+			return nil
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().StringVarP(&out, "out", "o", "", "Output to the specified file instead of stdout")
+	return &command
+}
+
+func iterateStringFields(obj interface{}, callback func(name string, val string) string) {
+	if mapField, ok := obj.(map[string]interface{}); ok {
+		for field, val := range mapField {
+			if strVal, ok := val.(string); ok {
+				mapField[field] = callback(field, strVal)
+			} else {
+				iterateStringFields(val, callback)
+			}
+		}
+	} else if arrayField, ok := obj.([]interface{}); ok {
+		for i := range arrayField {
+			iterateStringFields(arrayField[i], callback)
+		}
+	}
+}
+
+func redactor(dirtyString string) string {
+	config := make(map[string]interface{})
+	err := yaml.Unmarshal([]byte(dirtyString), &config)
+	errors.CheckError(err)
+	iterateStringFields(config, func(name string, val string) string {
+		if name == "clientSecret" || name == "secret" || name == "bindPW" {
+			return "********"
+		} else {
+			return val
+		}
+	})
+	data, err := yaml.Marshal(config)
+	errors.CheckError(err)
+	return string(data)
+}

cmd/argocd-repo-server/commands/argocd_repo_server.go

@@ -12,18 +12,23 @@ import (
 	"github.com/go-redis/redis/v8"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc/health/grpc_health_v1"
 
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/reposerver"
-	reposervercache "github.com/argoproj/argo-cd/reposerver/cache"
-	"github.com/argoproj/argo-cd/reposerver/metrics"
-	"github.com/argoproj/argo-cd/reposerver/repository"
-	cacheutil "github.com/argoproj/argo-cd/util/cache"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/env"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/gpg"
-	"github.com/argoproj/argo-cd/util/tls"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/reposerver"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	reposervercache "github.com/argoproj/argo-cd/v2/reposerver/cache"
+	"github.com/argoproj/argo-cd/v2/reposerver/metrics"
+	"github.com/argoproj/argo-cd/v2/reposerver/repository"
+	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/env"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/gpg"
+	"github.com/argoproj/argo-cd/v2/util/healthz"
+	ioutil "github.com/argoproj/argo-cd/v2/util/io"
+	"github.com/argoproj/argo-cd/v2/util/tls"
 )
 
 const (
@@ -32,8 +37,8 @@ const (
 	gnuPGSourcePath = "/app/config/gpg/source"
 
 	defaultPauseGenerationAfterFailedGenerationAttempts = 3
-	defaultPauseGenerationOnFailureForMinutes           = 0
-	defaultPauseGenerationOnFailureForRequests          = 12
+	defaultPauseGenerationOnFailureForMinutes           = 60
+	defaultPauseGenerationOnFailureForRequests          = 0
 )
 
 func getGnuPGSourcePath() string {
@@ -58,14 +63,14 @@ func getPauseGenerationOnFailureForRequests() int {
 
 func NewCommand() *cobra.Command {
 	var (
-		logFormat              string
-		logLevel               string
 		parallelismLimit       int64
 		listenPort             int
 		metricsPort            int
 		cacheSrc               func() (*reposervercache.Cache, error)
+		tlsConfigCustomizer    tls.ConfigCustomizer
 		tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error)
 		redisClient            *redis.Client
+		disableTLS             bool
 	)
 	var command = cobra.Command{
 		Use:               cliName,
@@ -73,11 +78,14 @@ func NewCommand() *cobra.Command {
 		Long:              "ArgoCD Repository Server is an internal service which maintains a local cache of the Git repository holding the application manifests, and is responsible for generating and returning the Kubernetes manifests.  This command runs Repository Server in the foreground.  It can be configured by following options.",
 		DisableAutoGenTag: true,
 		RunE: func(c *cobra.Command, args []string) error {
-			cli.SetLogFormat(logFormat)
-			cli.SetLogLevel(logLevel)
+			cli.SetLogFormat(cmdutil.LogFormat)
+			cli.SetLogLevel(cmdutil.LogLevel)
 
-			tlsConfigCustomizer, err := tlsConfigCustomizerSrc()
-			errors.CheckError(err)
+			if !disableTLS {
+				var err error
+				tlsConfigCustomizer, err = tlsConfigCustomizerSrc()
+				errors.CheckError(err)
+			}
 
 			cache, err := cacheSrc()
 			errors.CheckError(err)
@@ -96,6 +104,28 @@ func NewCommand() *cobra.Command {
 			listener, err := net.Listen("tcp", fmt.Sprintf(":%d", listenPort))
 			errors.CheckError(err)
 
+			healthz.ServeHealthCheck(http.DefaultServeMux, func(r *http.Request) error {
+				if val, ok := r.URL.Query()["full"]; ok && len(val) > 0 && val[0] == "true" {
+					// connect to itself to make sure repo server is able to serve connection
+					// used by liveness probe to auto restart repo server
+					// see https://github.com/argoproj/argo-cd/issues/5110 for more information
+					conn, err := apiclient.NewConnection(fmt.Sprintf("localhost:%d", listenPort), 60, &apiclient.TLSConfiguration{DisableTLS: disableTLS})
+					if err != nil {
+						return err
+					}
+					defer ioutil.Close(conn)
+					client := grpc_health_v1.NewHealthClient(conn)
+					res, err := client.Check(r.Context(), &grpc_health_v1.HealthCheckRequest{})
+					if err != nil {
+						return err
+					}
+					if res.Status != grpc_health_v1.HealthCheckResponse_SERVING {
+						return fmt.Errorf("grpc health check status is '%v'", res.Status)
+					}
+					return nil
+				}
+				return nil
+			})
 			http.Handle("/metrics", metricsServer.GetHandler())
 			go func() { errors.CheckError(http.ListenAndServe(fmt.Sprintf(":%d", metricsPort), nil)) }()
 
@@ -121,12 +151,15 @@ func NewCommand() *cobra.Command {
 			return nil
 		},
 	}
-
-	command.Flags().StringVar(&logFormat, "logformat", "text", "Set the logging format. One of: text|json")
-	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
-	command.Flags().Int64Var(&parallelismLimit, "parallelismlimit", 0, "Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.")
+	if cmdutil.LogFormat == "" {
+		cmdutil.LogFormat = os.Getenv("ARGOCD_REPO_SERVER_LOGLEVEL")
+	}
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_REPO_SERVER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_REPO_SERVER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().Int64Var(&parallelismLimit, "parallelismlimit", int64(env.ParseNumFromEnv("ARGOCD_REPO_SERVER_PARALLELISM_LIMIT", 0, 0, math.MaxInt32)), "Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.")
 	command.Flags().IntVar(&listenPort, "port", common.DefaultPortRepoServer, "Listen on given port for incoming connections")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortRepoServerMetrics, "Start metrics server on given port")
+	command.Flags().BoolVar(&disableTLS, "disable-tls", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_DISABLE_TLS", false), "Disable TLS on the gRPC endpoint")
 
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
 	cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {

cmd/argocd-repo-server/main.go

@@ -1,15 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/argoproj/argo-cd/cmd/argocd-repo-server/commands"
-)
-
-func main() {
-	if err := commands.NewCommand().Execute(); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
-	}
-}

cmd/argocd-server/commands/argocd_server.go

@@ -2,6 +2,8 @@ package commands
 
 import (
 	"context"
+	"fmt"
+	"math"
 	"time"
 
 	"github.com/argoproj/pkg/stats"
@@ -11,17 +13,18 @@ import (
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	"github.com/argoproj/argo-cd/reposerver/apiclient"
-	"github.com/argoproj/argo-cd/server"
-	servercache "github.com/argoproj/argo-cd/server/cache"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/env"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/kube"
-	"github.com/argoproj/argo-cd/util/tls"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/v2/server"
+	servercache "github.com/argoproj/argo-cd/v2/server/cache"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/env"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/kube"
+	"github.com/argoproj/argo-cd/v2/util/tls"
 )
 
 const (
@@ -46,12 +49,9 @@ func NewCommand() *cobra.Command {
 		insecure                 bool
 		listenPort               int
 		metricsPort              int
-		logFormat                string
-		logLevel                 string
 		glogLevel                int
 		clientConfig             clientcmd.ClientConfig
 		repoServerTimeoutSeconds int
-		staticAssetsDir          string
 		baseHRef                 string
 		rootPath                 string
 		repoServerAddress        string
@@ -61,6 +61,9 @@ func NewCommand() *cobra.Command {
 		tlsConfigCustomizerSrc   func() (tls.ConfigCustomizer, error)
 		cacheSrc                 func() (*servercache.Cache, error)
 		frameOptions             string
+		repoServerPlaintext      bool
+		repoServerStrictTLS      bool
+		staticAssetsDir          string
 	)
 	var command = &cobra.Command{
 		Use:               cliName,
@@ -68,8 +71,8 @@ func NewCommand() *cobra.Command {
 		Long:              "The API server is a gRPC/REST server which exposes the API consumed by the Web UI, CLI, and CI/CD systems.  This command runs API server in the foreground.  It can be configured by following options.",
 		DisableAutoGenTag: true,
 		Run: func(c *cobra.Command, args []string) {
-			cli.SetLogFormat(logFormat)
-			cli.SetLogLevel(logLevel)
+			cli.SetLogFormat(cmdutil.LogFormat)
+			cli.SetLogLevel(cmdutil.LogLevel)
 			cli.SetGLogLevel(glogLevel)
 
 			config, err := clientConfig.ClientConfig()
@@ -94,8 +97,25 @@ func NewCommand() *cobra.Command {
 				appclientsetConfig = kube.AddFailureRetryWrapper(appclientsetConfig, failureRetryCount, failureRetryPeriodMilliSeconds)
 			}
 			appclientset := appclientset.NewForConfigOrDie(appclientsetConfig)
-			repoclientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
+			tlsConfig := apiclient.TLSConfiguration{
+				DisableTLS:       repoServerPlaintext,
+				StrictValidation: repoServerStrictTLS,
+			}
 
+			// Load CA information to use for validating connections to the
+			// repository server, if strict TLS validation was requested.
+			if !repoServerPlaintext && repoServerStrictTLS {
+				pool, err := tls.LoadX509CertPool(
+					fmt.Sprintf("%s/server/tls/tls.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+					fmt.Sprintf("%s/server/tls/ca.crt", env.StringFromEnv(common.EnvAppConfigPath, common.DefaultAppConfigPath)),
+				)
+				if err != nil {
+					log.Fatalf("%v", err)
+				}
+				tlsConfig.Certificates = pool
+			}
+
+			repoclientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds, tlsConfig)
 			if rootPath != "" {
 				if baseHRef != "" && baseHRef != rootPath {
 					log.Warnf("--basehref and --rootpath had conflict: basehref: %s rootpath: %s", baseHRef, rootPath)
@@ -108,7 +128,6 @@ func NewCommand() *cobra.Command {
 				ListenPort:          listenPort,
 				MetricsPort:         metricsPort,
 				Namespace:           namespace,
-				StaticAssetsDir:     staticAssetsDir,
 				BaseHRef:            baseHRef,
 				RootPath:            rootPath,
 				KubeClientset:       kubeclientset,
@@ -121,6 +140,7 @@ func NewCommand() *cobra.Command {
 				Cache:               cache,
 				XFrameOptions:       frameOptions,
 				RedisClient:         redisClient,
+				StaticAssetsDir:     staticAssetsDir,
 			}
 
 			stats.RegisterStackDumper()
@@ -138,22 +158,24 @@ func NewCommand() *cobra.Command {
 	}
 
 	clientConfig = cli.AddKubectlFlagsToCmd(command)
-	command.Flags().BoolVar(&insecure, "insecure", false, "Run server without TLS")
-	command.Flags().StringVar(&staticAssetsDir, "staticassets", "", "Static assets directory path")
-	command.Flags().StringVar(&baseHRef, "basehref", "/", "Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from /")
-	command.Flags().StringVar(&rootPath, "rootpath", "", "Used if Argo CD is running behind reverse proxy under subpath different from /")
-	command.Flags().StringVar(&logFormat, "logformat", "text", "Set the logging format. One of: text|json")
-	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().BoolVar(&insecure, "insecure", env.ParseBoolFromEnv("ARGOCD_SERVER_INSECURE", false), "Run server without TLS")
+	command.Flags().StringVar(&staticAssetsDir, "staticassets", env.StringFromEnv("ARGOCD_SERVER_STATIC_ASSETS", "/shared/app"), "Directory path that contains additional static assets")
+	command.Flags().StringVar(&baseHRef, "basehref", env.StringFromEnv("ARGOCD_SERVER_BASEHREF", "/"), "Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from /")
+	command.Flags().StringVar(&rootPath, "rootpath", env.StringFromEnv("ARGOCD_SERVER_ROOTPATH", ""), "Used if Argo CD is running behind reverse proxy under subpath different from /")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_SERVER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_REPO_SERVER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
-	command.Flags().StringVar(&repoServerAddress, "repo-server", common.DefaultRepoServerAddr, "Repo server address")
-	command.Flags().StringVar(&dexServerAddress, "dex-server", common.DefaultDexServerAddr, "Dex server address")
-	command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Disable client authentication")
-	command.Flags().BoolVar(&enableGZip, "enable-gzip", false, "Enable GZIP compression")
+	command.Flags().StringVar(&repoServerAddress, "repo-server", env.StringFromEnv("ARGOCD_SERVER_REPO_SERVER", common.DefaultRepoServerAddr), "Repo server address")
+	command.Flags().StringVar(&dexServerAddress, "dex-server", env.StringFromEnv("ARGOCD_SERVER_DEX_SERVER", common.DefaultDexServerAddr), "Dex server address")
+	command.Flags().BoolVar(&disableAuth, "disable-auth", env.ParseBoolFromEnv("ARGOCD_SERVER_DISABLE_AUTH", false), "Disable client authentication")
+	command.Flags().BoolVar(&enableGZip, "enable-gzip", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_GZIP", false), "Enable GZIP compression")
 	command.AddCommand(cli.NewVersionCmd(cliName))
 	command.Flags().IntVar(&listenPort, "port", common.DefaultPortAPIServer, "Listen on given port")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDAPIServerMetrics, "Start metrics on given port")
-	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
-	command.Flags().StringVar(&frameOptions, "x-frame-options", "sameorigin", "Set X-Frame-Options header in HTTP responses to `value`. To disable, set to \"\".")
+	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")
+	command.Flags().StringVar(&frameOptions, "x-frame-options", env.StringFromEnv("ARGOCD_SERVER_X_FRAME_OPTIONS", "sameorigin"), "Set X-Frame-Options header in HTTP responses to `value`. To disable, set to \"\".")
+	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_SERVER_REPO_SERVER_PLAINTEXT", false), "Use a plaintext client (non-TLS) to connect to repository server")
+	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_SERVER_REPO_SERVER_STRICT_TLS", false), "Perform strict validation of TLS certificates when connecting to repo server")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(command)
 	cacheSrc = servercache.AddCacheFlagsToCmd(command, func(client *redis.Client) {
 		redisClient = client

cmd/argocd-server/main.go

@@ -1,18 +0,0 @@
-package main
-
-import (
-	commands "github.com/argoproj/argo-cd/cmd/argocd-server/commands"
-	"github.com/argoproj/argo-cd/util/errors"
-
-	// load the gcp plugin (required to authenticate against GKE clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// load the oidc plugin (required to authenticate with OpenID Connect).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-	// load the azure plugin (required to authenticate with AKS clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
-)
-
-func main() {
-	err := commands.NewCommand().Execute()
-	errors.CheckError(err)
-}

cmd/argocd-util/commands/argocd_util.go

@@ -1,675 +0,0 @@
-package commands
-
-import (
-	"bufio"
-	"context"
-	"fmt"
-	"io"
-	"io/ioutil"
-	"os"
-	"os/exec"
-	"reflect"
-	"syscall"
-
-	"github.com/argoproj/gitops-engine/pkg/utils/kube"
-	"github.com/ghodss/yaml"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	apiv1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/client-go/dynamic"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/clientcmd"
-
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/dex"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/settings"
-)
-
-const (
-	// CLIName is the name of the CLI
-	cliName = "argocd-util"
-	// YamlSeparator separates sections of a YAML file
-	yamlSeparator = "---\n"
-)
-
-var (
-	configMapResource    = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
-	secretResource       = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"}
-	applicationsResource = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applications"}
-	appprojectsResource  = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "appprojects"}
-)
-
-// NewCommand returns a new instance of an argocd command
-func NewCommand() *cobra.Command {
-	var (
-		logFormat string
-		logLevel  string
-	)
-
-	var command = &cobra.Command{
-		Use:               cliName,
-		Short:             "argocd-util tools used by Argo CD",
-		Long:              "argocd-util has internal utility tools used by Argo CD",
-		DisableAutoGenTag: true,
-		Run: func(c *cobra.Command, args []string) {
-			c.HelpFunc()(c, args)
-		},
-	}
-
-	command.AddCommand(cli.NewVersionCmd(cliName))
-	command.AddCommand(NewRunDexCommand())
-	command.AddCommand(NewGenDexConfigCommand())
-	command.AddCommand(NewImportCommand())
-	command.AddCommand(NewExportCommand())
-	command.AddCommand(NewClusterConfig())
-	command.AddCommand(NewProjectsCommand())
-	command.AddCommand(NewSettingsCommand())
-	command.AddCommand(NewAppsCommand())
-
-	command.Flags().StringVar(&logFormat, "logformat", "text", "Set the logging format. One of: text|json")
-	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
-	return command
-}
-
-func NewRunDexCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-	)
-	var command = cobra.Command{
-		Use:   "rundex",
-		Short: "Runs dex generating a config using settings from the Argo CD configmap and secret",
-		RunE: func(c *cobra.Command, args []string) error {
-			_, err := exec.LookPath("dex")
-			errors.CheckError(err)
-			config, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			kubeClientset := kubernetes.NewForConfigOrDie(config)
-			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
-			prevSettings, err := settingsMgr.GetSettings()
-			errors.CheckError(err)
-			updateCh := make(chan *settings.ArgoCDSettings, 1)
-			settingsMgr.Subscribe(updateCh)
-
-			for {
-				var cmd *exec.Cmd
-				dexCfgBytes, err := dex.GenerateDexConfigYAML(prevSettings)
-				errors.CheckError(err)
-				if len(dexCfgBytes) == 0 {
-					log.Infof("dex is not configured")
-				} else {
-					err = ioutil.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0644)
-					errors.CheckError(err)
-					log.Debug(redactor(string(dexCfgBytes)))
-					cmd = exec.Command("dex", "serve", "/tmp/dex.yaml")
-					cmd.Stdout = os.Stdout
-					cmd.Stderr = os.Stderr
-					err = cmd.Start()
-					errors.CheckError(err)
-				}
-
-				// loop until the dex config changes
-				for {
-					newSettings := <-updateCh
-					newDexCfgBytes, err := dex.GenerateDexConfigYAML(newSettings)
-					errors.CheckError(err)
-					if string(newDexCfgBytes) != string(dexCfgBytes) {
-						prevSettings = newSettings
-						log.Infof("dex config modified. restarting dex")
-						if cmd != nil && cmd.Process != nil {
-							err = cmd.Process.Signal(syscall.SIGTERM)
-							errors.CheckError(err)
-							_, err = cmd.Process.Wait()
-							errors.CheckError(err)
-						}
-						break
-					} else {
-						log.Infof("dex config unmodified")
-					}
-				}
-			}
-		},
-	}
-
-	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	return &command
-}
-
-func NewGenDexConfigCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-		out          string
-	)
-	var command = cobra.Command{
-		Use:   "gendexcfg",
-		Short: "Generates a dex config from Argo CD settings",
-		RunE: func(c *cobra.Command, args []string) error {
-			config, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			kubeClientset := kubernetes.NewForConfigOrDie(config)
-			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
-			settings, err := settingsMgr.GetSettings()
-			errors.CheckError(err)
-			dexCfgBytes, err := dex.GenerateDexConfigYAML(settings)
-			errors.CheckError(err)
-			if len(dexCfgBytes) == 0 {
-				log.Infof("dex is not configured")
-				return nil
-			}
-			if out == "" {
-				dexCfg := make(map[string]interface{})
-				err := yaml.Unmarshal(dexCfgBytes, &dexCfg)
-				errors.CheckError(err)
-				if staticClientsInterface, ok := dexCfg["staticClients"]; ok {
-					if staticClients, ok := staticClientsInterface.([]interface{}); ok {
-						for i := range staticClients {
-							staticClient := staticClients[i]
-							if mappings, ok := staticClient.(map[string]interface{}); ok {
-								for key := range mappings {
-									if key == "secret" {
-										mappings[key] = "******"
-									}
-								}
-								staticClients[i] = mappings
-							}
-						}
-						dexCfg["staticClients"] = staticClients
-					}
-				}
-				errors.CheckError(err)
-				maskedDexCfgBytes, err := yaml.Marshal(dexCfg)
-				errors.CheckError(err)
-				fmt.Print(string(maskedDexCfgBytes))
-			} else {
-				err = ioutil.WriteFile(out, dexCfgBytes, 0644)
-				errors.CheckError(err)
-			}
-			return nil
-		},
-	}
-
-	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	command.Flags().StringVarP(&out, "out", "o", "", "Output to the specified file instead of stdout")
-	return &command
-}
-
-// NewImportCommand defines a new command for exporting Kubernetes and Argo CD resources.
-func NewImportCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-		prune        bool
-		dryRun       bool
-	)
-	var command = cobra.Command{
-		Use:   "import SOURCE",
-		Short: "Import Argo CD data from stdin (specify `-') or a file",
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 1 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			config, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			config.QPS = 100
-			config.Burst = 50
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			acdClients := newArgoCDClientsets(config, namespace)
-
-			var input []byte
-			if in := args[0]; in == "-" {
-				input, err = ioutil.ReadAll(os.Stdin)
-			} else {
-				input, err = ioutil.ReadFile(in)
-			}
-			errors.CheckError(err)
-			var dryRunMsg string
-			if dryRun {
-				dryRunMsg = " (dry run)"
-			}
-
-			// pruneObjects tracks live objects and it's current resource version. any remaining
-			// items in this map indicates the resource should be pruned since it no longer appears
-			// in the backup
-			pruneObjects := make(map[kube.ResourceKey]unstructured.Unstructured)
-			configMaps, err := acdClients.configMaps.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			// referencedSecrets holds any secrets referenced in the argocd-cm configmap. These
-			// secrets need to be imported too
-			var referencedSecrets map[string]bool
-			for _, cm := range configMaps.Items {
-				if isArgoCDConfigMap(cm.GetName()) {
-					pruneObjects[kube.ResourceKey{Group: "", Kind: "ConfigMap", Name: cm.GetName()}] = cm
-				}
-				if cm.GetName() == common.ArgoCDConfigMapName {
-					referencedSecrets = getReferencedSecrets(cm)
-				}
-			}
-
-			secrets, err := acdClients.secrets.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, secret := range secrets.Items {
-				if isArgoCDSecret(referencedSecrets, secret) {
-					pruneObjects[kube.ResourceKey{Group: "", Kind: "Secret", Name: secret.GetName()}] = secret
-				}
-			}
-			applications, err := acdClients.applications.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, app := range applications.Items {
-				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "Application", Name: app.GetName()}] = app
-			}
-			projects, err := acdClients.projects.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, proj := range projects.Items {
-				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "AppProject", Name: proj.GetName()}] = proj
-			}
-
-			// Create or replace existing object
-			backupObjects, err := kube.SplitYAML(input)
-			errors.CheckError(err)
-			for _, bakObj := range backupObjects {
-				gvk := bakObj.GroupVersionKind()
-				key := kube.ResourceKey{Group: gvk.Group, Kind: gvk.Kind, Name: bakObj.GetName()}
-				liveObj, exists := pruneObjects[key]
-				delete(pruneObjects, key)
-				var dynClient dynamic.ResourceInterface
-				switch bakObj.GetKind() {
-				case "Secret":
-					dynClient = acdClients.secrets
-				case "ConfigMap":
-					dynClient = acdClients.configMaps
-				case "AppProject":
-					dynClient = acdClients.projects
-				case "Application":
-					dynClient = acdClients.applications
-				}
-				if !exists {
-					if !dryRun {
-						_, err = dynClient.Create(context.Background(), bakObj, metav1.CreateOptions{})
-						errors.CheckError(err)
-					}
-					fmt.Printf("%s/%s %s created%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
-				} else if specsEqual(*bakObj, liveObj) {
-					fmt.Printf("%s/%s %s unchanged%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
-				} else {
-					if !dryRun {
-						newLive := updateLive(bakObj, &liveObj)
-						_, err = dynClient.Update(context.Background(), newLive, metav1.UpdateOptions{})
-						errors.CheckError(err)
-					}
-					fmt.Printf("%s/%s %s updated%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
-				}
-			}
-
-			// Delete objects not in backup
-			for key := range pruneObjects {
-				if prune {
-					var dynClient dynamic.ResourceInterface
-					switch key.Kind {
-					case "Secret":
-						dynClient = acdClients.secrets
-					case "AppProject":
-						dynClient = acdClients.projects
-					case "Application":
-						dynClient = acdClients.applications
-					default:
-						log.Fatalf("Unexpected kind '%s' in prune list", key.Kind)
-					}
-					if !dryRun {
-						err = dynClient.Delete(context.Background(), key.Name, metav1.DeleteOptions{})
-						errors.CheckError(err)
-					}
-					fmt.Printf("%s/%s %s pruned%s\n", key.Group, key.Kind, key.Name, dryRunMsg)
-				} else {
-					fmt.Printf("%s/%s %s needs pruning\n", key.Group, key.Kind, key.Name)
-				}
-			}
-		},
-	}
-
-	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	command.Flags().BoolVar(&dryRun, "dry-run", false, "Print what will be performed")
-	command.Flags().BoolVar(&prune, "prune", false, "Prune secrets, applications and projects which do not appear in the backup")
-
-	return &command
-}
-
-type argoCDClientsets struct {
-	configMaps   dynamic.ResourceInterface
-	secrets      dynamic.ResourceInterface
-	applications dynamic.ResourceInterface
-	projects     dynamic.ResourceInterface
-}
-
-func newArgoCDClientsets(config *rest.Config, namespace string) *argoCDClientsets {
-	dynamicIf, err := dynamic.NewForConfig(config)
-	errors.CheckError(err)
-	return &argoCDClientsets{
-		configMaps:   dynamicIf.Resource(configMapResource).Namespace(namespace),
-		secrets:      dynamicIf.Resource(secretResource).Namespace(namespace),
-		applications: dynamicIf.Resource(applicationsResource).Namespace(namespace),
-		projects:     dynamicIf.Resource(appprojectsResource).Namespace(namespace),
-	}
-}
-
-// NewExportCommand defines a new command for exporting Kubernetes and Argo CD resources.
-func NewExportCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-		out          string
-	)
-	var command = cobra.Command{
-		Use:   "export",
-		Short: "Export all Argo CD data to stdout (default) or a file",
-		Run: func(c *cobra.Command, args []string) {
-			config, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-
-			var writer io.Writer
-			if out == "-" {
-				writer = os.Stdout
-			} else {
-				f, err := os.Create(out)
-				errors.CheckError(err)
-				bw := bufio.NewWriter(f)
-				writer = bw
-				defer func() {
-					err = bw.Flush()
-					errors.CheckError(err)
-					err = f.Close()
-					errors.CheckError(err)
-				}()
-			}
-
-			acdClients := newArgoCDClientsets(config, namespace)
-			acdConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDConfigMapName, metav1.GetOptions{})
-			errors.CheckError(err)
-			export(writer, *acdConfigMap)
-			acdRBACConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDRBACConfigMapName, metav1.GetOptions{})
-			errors.CheckError(err)
-			export(writer, *acdRBACConfigMap)
-			acdKnownHostsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDKnownHostsConfigMapName, metav1.GetOptions{})
-			errors.CheckError(err)
-			export(writer, *acdKnownHostsConfigMap)
-			acdTLSCertsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDTLSCertsConfigMapName, metav1.GetOptions{})
-			errors.CheckError(err)
-			export(writer, *acdTLSCertsConfigMap)
-
-			referencedSecrets := getReferencedSecrets(*acdConfigMap)
-			secrets, err := acdClients.secrets.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, secret := range secrets.Items {
-				if isArgoCDSecret(referencedSecrets, secret) {
-					export(writer, secret)
-				}
-			}
-			projects, err := acdClients.projects.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, proj := range projects.Items {
-				export(writer, proj)
-			}
-			applications, err := acdClients.applications.List(context.Background(), metav1.ListOptions{})
-			errors.CheckError(err)
-			for _, app := range applications.Items {
-				export(writer, app)
-			}
-		},
-	}
-
-	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	command.Flags().StringVarP(&out, "out", "o", "-", "Output to the specified file instead of stdout")
-
-	return &command
-}
-
-// getReferencedSecrets examines the argocd-cm config for any referenced repo secrets and returns a
-// map of all referenced secrets.
-func getReferencedSecrets(un unstructured.Unstructured) map[string]bool {
-	var cm apiv1.ConfigMap
-	err := runtime.DefaultUnstructuredConverter.FromUnstructured(un.Object, &cm)
-	errors.CheckError(err)
-	referencedSecrets := make(map[string]bool)
-
-	// Referenced repository secrets
-	if reposRAW, ok := cm.Data["repositories"]; ok {
-		repos := make([]settings.Repository, 0)
-		err := yaml.Unmarshal([]byte(reposRAW), &repos)
-		errors.CheckError(err)
-		for _, cred := range repos {
-			if cred.PasswordSecret != nil {
-				referencedSecrets[cred.PasswordSecret.Name] = true
-			}
-			if cred.SSHPrivateKeySecret != nil {
-				referencedSecrets[cred.SSHPrivateKeySecret.Name] = true
-			}
-			if cred.UsernameSecret != nil {
-				referencedSecrets[cred.UsernameSecret.Name] = true
-			}
-			if cred.TLSClientCertDataSecret != nil {
-				referencedSecrets[cred.TLSClientCertDataSecret.Name] = true
-			}
-			if cred.TLSClientCertKeySecret != nil {
-				referencedSecrets[cred.TLSClientCertKeySecret.Name] = true
-			}
-		}
-	}
-
-	// Referenced repository credentials secrets
-	if reposRAW, ok := cm.Data["repository.credentials"]; ok {
-		creds := make([]settings.RepositoryCredentials, 0)
-		err := yaml.Unmarshal([]byte(reposRAW), &creds)
-		errors.CheckError(err)
-		for _, cred := range creds {
-			if cred.PasswordSecret != nil {
-				referencedSecrets[cred.PasswordSecret.Name] = true
-			}
-			if cred.SSHPrivateKeySecret != nil {
-				referencedSecrets[cred.SSHPrivateKeySecret.Name] = true
-			}
-			if cred.UsernameSecret != nil {
-				referencedSecrets[cred.UsernameSecret.Name] = true
-			}
-			if cred.TLSClientCertDataSecret != nil {
-				referencedSecrets[cred.TLSClientCertDataSecret.Name] = true
-			}
-			if cred.TLSClientCertKeySecret != nil {
-				referencedSecrets[cred.TLSClientCertKeySecret.Name] = true
-			}
-		}
-	}
-	return referencedSecrets
-}
-
-// isArgoCDSecret returns whether or not the given secret is a part of Argo CD configuration
-// (e.g. argocd-secret, repo credentials, or cluster credentials)
-func isArgoCDSecret(repoSecretRefs map[string]bool, un unstructured.Unstructured) bool {
-	secretName := un.GetName()
-	if secretName == common.ArgoCDSecretName {
-		return true
-	}
-	if repoSecretRefs != nil {
-		if _, ok := repoSecretRefs[secretName]; ok {
-			return true
-		}
-	}
-	if labels := un.GetLabels(); labels != nil {
-		if _, ok := labels[common.LabelKeySecretType]; ok {
-			return true
-		}
-	}
-	if annotations := un.GetAnnotations(); annotations != nil {
-		if annotations[common.AnnotationKeyManagedBy] == common.AnnotationValueManagedByArgoCD {
-			return true
-		}
-	}
-	return false
-}
-
-// isArgoCDConfigMap returns true if the configmap name is one of argo cd's well known configmaps
-func isArgoCDConfigMap(name string) bool {
-	switch name {
-	case common.ArgoCDConfigMapName, common.ArgoCDRBACConfigMapName, common.ArgoCDKnownHostsConfigMapName, common.ArgoCDTLSCertsConfigMapName:
-		return true
-	}
-	return false
-
-}
-
-// specsEqual returns if the spec, data, labels, annotations, and finalizers of the two
-// supplied objects are equal, indicating that no update is necessary during importing
-func specsEqual(left, right unstructured.Unstructured) bool {
-	if !reflect.DeepEqual(left.GetAnnotations(), right.GetAnnotations()) {
-		return false
-	}
-	if !reflect.DeepEqual(left.GetLabels(), right.GetLabels()) {
-		return false
-	}
-	if !reflect.DeepEqual(left.GetFinalizers(), right.GetFinalizers()) {
-		return false
-	}
-	switch left.GetKind() {
-	case "Secret", "ConfigMap":
-		leftData, _, _ := unstructured.NestedMap(left.Object, "data")
-		rightData, _, _ := unstructured.NestedMap(right.Object, "data")
-		return reflect.DeepEqual(leftData, rightData)
-	case "AppProject":
-		leftSpec, _, _ := unstructured.NestedMap(left.Object, "spec")
-		rightSpec, _, _ := unstructured.NestedMap(right.Object, "spec")
-		return reflect.DeepEqual(leftSpec, rightSpec)
-	case "Application":
-		leftSpec, _, _ := unstructured.NestedMap(left.Object, "spec")
-		rightSpec, _, _ := unstructured.NestedMap(right.Object, "spec")
-		leftStatus, _, _ := unstructured.NestedMap(left.Object, "status")
-		rightStatus, _, _ := unstructured.NestedMap(right.Object, "status")
-		// reconciledAt and observedAt are constantly changing and we ignore any diff there
-		delete(leftStatus, "reconciledAt")
-		delete(rightStatus, "reconciledAt")
-		delete(leftStatus, "observedAt")
-		delete(rightStatus, "observedAt")
-		return reflect.DeepEqual(leftSpec, rightSpec) && reflect.DeepEqual(leftStatus, rightStatus)
-	}
-	return false
-}
-
-// updateLive replaces the live object's finalizers, spec, annotations, labels, and data from the
-// backup object but leaves all other fields intact (status, other metadata, etc...)
-func updateLive(bak, live *unstructured.Unstructured) *unstructured.Unstructured {
-	newLive := live.DeepCopy()
-	newLive.SetAnnotations(bak.GetAnnotations())
-	newLive.SetLabels(bak.GetLabels())
-	newLive.SetFinalizers(bak.GetFinalizers())
-	switch live.GetKind() {
-	case "Secret", "ConfigMap":
-		newLive.Object["data"] = bak.Object["data"]
-	case "AppProject":
-		newLive.Object["spec"] = bak.Object["spec"]
-	case "Application":
-		newLive.Object["spec"] = bak.Object["spec"]
-		if _, ok := bak.Object["status"]; ok {
-			newLive.Object["status"] = bak.Object["status"]
-		}
-	}
-	return newLive
-}
-
-// export writes the unstructured object and removes extraneous cruft from output before writing
-func export(w io.Writer, un unstructured.Unstructured) {
-	name := un.GetName()
-	finalizers := un.GetFinalizers()
-	apiVersion := un.GetAPIVersion()
-	kind := un.GetKind()
-	labels := un.GetLabels()
-	annotations := un.GetAnnotations()
-	unstructured.RemoveNestedField(un.Object, "metadata")
-	un.SetName(name)
-	un.SetFinalizers(finalizers)
-	un.SetAPIVersion(apiVersion)
-	un.SetKind(kind)
-	un.SetLabels(labels)
-	un.SetAnnotations(annotations)
-	data, err := yaml.Marshal(un.Object)
-	errors.CheckError(err)
-	_, err = w.Write(data)
-	errors.CheckError(err)
-	_, err = w.Write([]byte(yamlSeparator))
-	errors.CheckError(err)
-}
-
-// NewClusterConfig returns a new instance of `argocd-util kubeconfig` command
-func NewClusterConfig() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-	)
-	var command = &cobra.Command{
-		Use:               "kubeconfig CLUSTER_URL OUTPUT_PATH",
-		Short:             "Generates kubeconfig for the specified cluster",
-		DisableAutoGenTag: true,
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			serverUrl := args[0]
-			output := args[1]
-			conf, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			kubeclientset, err := kubernetes.NewForConfig(conf)
-			errors.CheckError(err)
-
-			cluster, err := db.NewDB(namespace, settings.NewSettingsManager(context.Background(), kubeclientset, namespace), kubeclientset).GetCluster(context.Background(), serverUrl)
-			errors.CheckError(err)
-			err = kube.WriteKubeConfig(cluster.RawRestConfig(), namespace, output)
-			errors.CheckError(err)
-		},
-	}
-	clientConfig = cli.AddKubectlFlagsToCmd(command)
-	return command
-}
-
-func iterateStringFields(obj interface{}, callback func(name string, val string) string) {
-	if mapField, ok := obj.(map[string]interface{}); ok {
-		for field, val := range mapField {
-			if strVal, ok := val.(string); ok {
-				mapField[field] = callback(field, strVal)
-			} else {
-				iterateStringFields(val, callback)
-			}
-		}
-	} else if arrayField, ok := obj.([]interface{}); ok {
-		for i := range arrayField {
-			iterateStringFields(arrayField[i], callback)
-		}
-	}
-}
-
-func redactor(dirtyString string) string {
-	config := make(map[string]interface{})
-	err := yaml.Unmarshal([]byte(dirtyString), &config)
-	errors.CheckError(err)
-	iterateStringFields(config, func(name string, val string) string {
-		if name == "clientSecret" || name == "secret" || name == "bindPW" {
-			return "********"
-		} else {
-			return val
-		}
-	})
-	data, err := yaml.Marshal(config)
-	errors.CheckError(err)
-	return string(data)
-}

cmd/argocd-util/main.go

@@ -1,22 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/argoproj/argo-cd/cmd/argocd-util/commands"
-
-	// load the gcp plugin (required to authenticate against GKE clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// load the oidc plugin (required to authenticate with OpenID Connect).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-	// load the azure plugin (required to authenticate with AKS clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
-)
-
-func main() {
-	if err := commands.NewCommand().Execute(); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
-	}
-}

cmd/argocd/commands/account.go

@@ -14,17 +14,17 @@ import (
 	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/term"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	accountpkg "github.com/argoproj/argo-cd/pkg/apiclient/account"
-	"github.com/argoproj/argo-cd/pkg/apiclient/session"
-	"github.com/argoproj/argo-cd/server/rbacpolicy"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/io"
-	"github.com/argoproj/argo-cd/util/localconfig"
-	sessionutil "github.com/argoproj/argo-cd/util/session"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	accountpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/account"
+	"github.com/argoproj/argo-cd/v2/pkg/apiclient/session"
+	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
+	sessionutil "github.com/argoproj/argo-cd/v2/util/session"
 )
 
 func NewAccountCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
@@ -54,7 +54,19 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 	)
 	var command = &cobra.Command{
 		Use:   "update-password",
-		Short: "Update password",
+		Short: "Update an account's password",
+		Long: `
+This command can be used to update the password of the currently logged on
+user, or an arbitrary local user account when the currently logged on user
+has appropriate RBAC permissions to change other accounts.
+`,
+		Example: `
+	# Update the current user's password
+	argocd account update-password
+
+	# Update the password for user foobar
+	argocd account update-password --account foobar
+`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 0 {
 				c.HelpFunc()(c, args)
@@ -67,16 +79,20 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 			userInfo := getCurrentAccount(acdClient)
 
 			if userInfo.Iss == sessionutil.SessionManagerClaimsIssuer && currentPassword == "" {
-				fmt.Print("*** Enter current password: ")
-				password, err := terminal.ReadPassword(int(os.Stdin.Fd()))
+				fmt.Printf("*** Enter password of currently logged in user (%s): ", userInfo.Username)
+				password, err := term.ReadPassword(int(os.Stdin.Fd()))
 				errors.CheckError(err)
 				currentPassword = string(password)
 				fmt.Print("\n")
 			}
 
+			if account == "" {
+				account = userInfo.Username
+			}
+
 			if newPassword == "" {
 				var err error
-				newPassword, err = cli.ReadAndConfirmPassword()
+				newPassword, err = cli.ReadAndConfirmPassword(account)
 				errors.CheckError(err)
 			}
 
@@ -99,7 +115,7 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 				errors.CheckError(err)
 				claims, err := configCtx.User.Claims()
 				errors.CheckError(err)
-				tokenString := passwordLogin(acdClient, claims.Subject, newPassword)
+				tokenString := passwordLogin(acdClient, localconfig.GetUsername(claims.Subject), newPassword)
 				localCfg.UpsertUser(localconfig.User{
 					Name:      localCfg.CurrentContext,
 					AuthToken: tokenString,
@@ -111,7 +127,7 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 		},
 	}
 
-	command.Flags().StringVar(&currentPassword, "current-password", "", "current password you wish to change")
+	command.Flags().StringVar(&currentPassword, "current-password", "", "password of the currently logged on user")
 	command.Flags().StringVar(&newPassword, "new-password", "", "new password you want to update to")
 	command.Flags().StringVar(&account, "account", "", "an account name that should be updated. Defaults to current user account")
 	return command
@@ -362,7 +378,7 @@ argocd account generate-token --account <account-name>`,
 	}
 	cmd.Flags().StringVarP(&account, "account", "a", "", "Account name. Defaults to the current account.")
 	cmd.Flags().StringVarP(&expiresIn, "expires-in", "e", "0s", "Duration before the token will expire. (Default: No expiration)")
-	cmd.Flags().StringVar(&id, "id", "", "Optional token id. Fallback to uuid if not value specified.")
+	cmd.Flags().StringVar(&id, "id", "", "Optional token id. Fall back to uuid if not value specified.")
 	return cmd
 }
 
@@ -377,7 +393,7 @@ func NewAccountDeleteTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra
 argocd account delete-token ID
 
 # Delete token of the account with the specified name
-argocd account generate-token --account <account-name>`,
+argocd account delete-token --account <account-name> ID`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 1 {
 				c.HelpFunc()(c, args)

cmd/argocd/commands/admin/admin.go

@@ -0,0 +1,243 @@
+package admin
+
+import (
+	"reflect"
+
+	"github.com/ghodss/yaml"
+	"github.com/spf13/cobra"
+	apiv1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/settings"
+)
+
+const (
+	// YamlSeparator separates sections of a YAML file
+	yamlSeparator = "---\n"
+)
+
+var (
+	configMapResource       = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
+	secretResource          = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"}
+	applicationsResource    = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applications"}
+	appprojectsResource     = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "appprojects"}
+	appplicationSetResource = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applicationsets"}
+)
+
+// NewAdminCommand returns a new instance of an argocd command
+func NewAdminCommand() *cobra.Command {
+	var (
+		pathOpts = clientcmd.NewDefaultPathOptions()
+	)
+
+	var command = &cobra.Command{
+		Use:               "admin",
+		Short:             "Contains a set of commands useful for Argo CD administrators and requires direct Kubernetes access",
+		DisableAutoGenTag: true,
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+
+	command.AddCommand(NewClusterCommand(pathOpts))
+	command.AddCommand(NewProjectsCommand())
+	command.AddCommand(NewSettingsCommand())
+	command.AddCommand(NewAppCommand())
+	command.AddCommand(NewRepoCommand())
+	command.AddCommand(NewImportCommand())
+	command.AddCommand(NewExportCommand())
+	command.AddCommand(NewDashboardCommand())
+
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	return command
+}
+
+type argoCDClientsets struct {
+	configMaps      dynamic.ResourceInterface
+	secrets         dynamic.ResourceInterface
+	applications    dynamic.ResourceInterface
+	projects        dynamic.ResourceInterface
+	applicationSets dynamic.ResourceInterface
+}
+
+func newArgoCDClientsets(config *rest.Config, namespace string) *argoCDClientsets {
+	dynamicIf, err := dynamic.NewForConfig(config)
+	errors.CheckError(err)
+	return &argoCDClientsets{
+		configMaps:      dynamicIf.Resource(configMapResource).Namespace(namespace),
+		secrets:         dynamicIf.Resource(secretResource).Namespace(namespace),
+		applications:    dynamicIf.Resource(applicationsResource).Namespace(namespace),
+		projects:        dynamicIf.Resource(appprojectsResource).Namespace(namespace),
+		applicationSets: dynamicIf.Resource(appplicationSetResource).Namespace(namespace),
+	}
+}
+
+// getReferencedSecrets examines the argocd-cm config for any referenced repo secrets and returns a
+// map of all referenced secrets.
+func getReferencedSecrets(un unstructured.Unstructured) map[string]bool {
+	var cm apiv1.ConfigMap
+	err := runtime.DefaultUnstructuredConverter.FromUnstructured(un.Object, &cm)
+	errors.CheckError(err)
+	referencedSecrets := make(map[string]bool)
+
+	// Referenced repository secrets
+	if reposRAW, ok := cm.Data["repositories"]; ok {
+		repos := make([]settings.Repository, 0)
+		err := yaml.Unmarshal([]byte(reposRAW), &repos)
+		errors.CheckError(err)
+		for _, cred := range repos {
+			if cred.PasswordSecret != nil {
+				referencedSecrets[cred.PasswordSecret.Name] = true
+			}
+			if cred.SSHPrivateKeySecret != nil {
+				referencedSecrets[cred.SSHPrivateKeySecret.Name] = true
+			}
+			if cred.UsernameSecret != nil {
+				referencedSecrets[cred.UsernameSecret.Name] = true
+			}
+			if cred.TLSClientCertDataSecret != nil {
+				referencedSecrets[cred.TLSClientCertDataSecret.Name] = true
+			}
+			if cred.TLSClientCertKeySecret != nil {
+				referencedSecrets[cred.TLSClientCertKeySecret.Name] = true
+			}
+		}
+	}
+
+	// Referenced repository credentials secrets
+	if reposRAW, ok := cm.Data["repository.credentials"]; ok {
+		creds := make([]settings.RepositoryCredentials, 0)
+		err := yaml.Unmarshal([]byte(reposRAW), &creds)
+		errors.CheckError(err)
+		for _, cred := range creds {
+			if cred.PasswordSecret != nil {
+				referencedSecrets[cred.PasswordSecret.Name] = true
+			}
+			if cred.SSHPrivateKeySecret != nil {
+				referencedSecrets[cred.SSHPrivateKeySecret.Name] = true
+			}
+			if cred.UsernameSecret != nil {
+				referencedSecrets[cred.UsernameSecret.Name] = true
+			}
+			if cred.TLSClientCertDataSecret != nil {
+				referencedSecrets[cred.TLSClientCertDataSecret.Name] = true
+			}
+			if cred.TLSClientCertKeySecret != nil {
+				referencedSecrets[cred.TLSClientCertKeySecret.Name] = true
+			}
+		}
+	}
+	return referencedSecrets
+}
+
+// isArgoCDSecret returns whether or not the given secret is a part of Argo CD configuration
+// (e.g. argocd-secret, repo credentials, or cluster credentials)
+func isArgoCDSecret(repoSecretRefs map[string]bool, un unstructured.Unstructured) bool {
+	secretName := un.GetName()
+	if secretName == common.ArgoCDSecretName {
+		return true
+	}
+	if repoSecretRefs != nil {
+		if _, ok := repoSecretRefs[secretName]; ok {
+			return true
+		}
+	}
+	if labels := un.GetLabels(); labels != nil {
+		if _, ok := labels[common.LabelKeySecretType]; ok {
+			return true
+		}
+	}
+	if annotations := un.GetAnnotations(); annotations != nil {
+		if annotations[common.AnnotationKeyManagedBy] == common.AnnotationValueManagedByArgoCD {
+			return true
+		}
+	}
+	return false
+}
+
+// isArgoCDConfigMap returns true if the configmap name is one of argo cd's well known configmaps
+func isArgoCDConfigMap(name string) bool {
+	switch name {
+	case common.ArgoCDConfigMapName, common.ArgoCDRBACConfigMapName, common.ArgoCDKnownHostsConfigMapName, common.ArgoCDTLSCertsConfigMapName:
+		return true
+	}
+	return false
+
+}
+
+// specsEqual returns if the spec, data, labels, annotations, and finalizers of the two
+// supplied objects are equal, indicating that no update is necessary during importing
+func specsEqual(left, right unstructured.Unstructured) bool {
+	if !reflect.DeepEqual(left.GetAnnotations(), right.GetAnnotations()) {
+		return false
+	}
+	if !reflect.DeepEqual(left.GetLabels(), right.GetLabels()) {
+		return false
+	}
+	if !reflect.DeepEqual(left.GetFinalizers(), right.GetFinalizers()) {
+		return false
+	}
+	switch left.GetKind() {
+	case "Secret", "ConfigMap":
+		leftData, _, _ := unstructured.NestedMap(left.Object, "data")
+		rightData, _, _ := unstructured.NestedMap(right.Object, "data")
+		return reflect.DeepEqual(leftData, rightData)
+	case "AppProject":
+		leftSpec, _, _ := unstructured.NestedMap(left.Object, "spec")
+		rightSpec, _, _ := unstructured.NestedMap(right.Object, "spec")
+		return reflect.DeepEqual(leftSpec, rightSpec)
+	case "Application":
+		leftSpec, _, _ := unstructured.NestedMap(left.Object, "spec")
+		rightSpec, _, _ := unstructured.NestedMap(right.Object, "spec")
+		leftStatus, _, _ := unstructured.NestedMap(left.Object, "status")
+		rightStatus, _, _ := unstructured.NestedMap(right.Object, "status")
+		// reconciledAt and observedAt are constantly changing and we ignore any diff there
+		delete(leftStatus, "reconciledAt")
+		delete(rightStatus, "reconciledAt")
+		delete(leftStatus, "observedAt")
+		delete(rightStatus, "observedAt")
+		return reflect.DeepEqual(leftSpec, rightSpec) && reflect.DeepEqual(leftStatus, rightStatus)
+	}
+	return false
+}
+
+func iterateStringFields(obj interface{}, callback func(name string, val string) string) {
+	if mapField, ok := obj.(map[string]interface{}); ok {
+		for field, val := range mapField {
+			if strVal, ok := val.(string); ok {
+				mapField[field] = callback(field, strVal)
+			} else {
+				iterateStringFields(val, callback)
+			}
+		}
+	} else if arrayField, ok := obj.([]interface{}); ok {
+		for i := range arrayField {
+			iterateStringFields(arrayField[i], callback)
+		}
+	}
+}
+
+func redactor(dirtyString string) string {
+	config := make(map[string]interface{})
+	err := yaml.Unmarshal([]byte(dirtyString), &config)
+	errors.CheckError(err)
+	iterateStringFields(config, func(name string, val string) string {
+		if name == "clientSecret" || name == "secret" || name == "bindPW" {
+			return "********"
+		} else {
+			return val
+		}
+	})
+	data, err := yaml.Marshal(config)
+	errors.CheckError(err)
+	return string(data)
+}

cmd/argocd/commands/admin/app.go

@@ -1,14 +1,17 @@
-package commands
+package admin
 
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
+	"net/http"
 	"os"
 	"sort"
 	"time"
 
+	"github.com/argoproj/argo-cd/v2/util/argo"
+
 	"github.com/ghodss/yaml"
 	"github.com/spf13/cobra"
 	apiv1 "k8s.io/api/core/v1"
@@ -19,36 +22,107 @@ import (
 	kubecache "k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/clientcmd"
 
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/controller"
-	"github.com/argoproj/argo-cd/controller/cache"
-	"github.com/argoproj/argo-cd/controller/metrics"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	appinformers "github.com/argoproj/argo-cd/pkg/client/informers/externalversions"
-	"github.com/argoproj/argo-cd/reposerver/apiclient"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/config"
-	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/errors"
-	kubeutil "github.com/argoproj/argo-cd/util/kube"
-	"github.com/argoproj/argo-cd/util/settings"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/controller"
+	"github.com/argoproj/argo-cd/v2/controller/cache"
+	"github.com/argoproj/argo-cd/v2/controller/metrics"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
+	appinformers "github.com/argoproj/argo-cd/v2/pkg/client/informers/externalversions"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
+	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/config"
+	"github.com/argoproj/argo-cd/v2/util/db"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
+	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
+	"github.com/argoproj/argo-cd/v2/util/settings"
 )
 
-func NewAppsCommand() *cobra.Command {
+func NewAppCommand() *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "apps",
-		Short: "Utility commands operate on ArgoCD applications",
+		Use:   "app",
+		Short: "Manage applications configuration",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 		},
 	}
 
+	command.AddCommand(NewGenAppSpecCommand())
 	command.AddCommand(NewReconcileCommand())
 	command.AddCommand(NewDiffReconcileResults())
 	return command
 }
 
+// NewGenAppSpecCommand generates declarative configuration file for given application
+func NewGenAppSpecCommand() *cobra.Command {
+	var (
+		appOpts      cmdutil.AppOptions
+		fileURL      string
+		appName      string
+		labels       []string
+		outputFormat string
+		annotations  []string
+		inline       bool
+	)
+	var command = &cobra.Command{
+		Use:   "generate-spec APPNAME",
+		Short: "Generate declarative config for an application",
+		Example: `
+	# Generate declarative config for a directory app
+	argocd admin app generate-spec guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --directory-recurse
+
+	# Generate declarative config for a Jsonnet app
+	argocd admin app generate-spec jsonnet-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path jsonnet-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --jsonnet-ext-str replicas=2
+
+	# Generate declarative config for a Helm app
+	argocd admin app generate-spec helm-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path helm-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --helm-set replicaCount=2
+
+	# Generate declarative config for a Helm app from a Helm repo
+	argocd admin app generate-spec nginx-ingress --repo https://charts.helm.sh/stable --helm-chart nginx-ingress --revision 1.24.3 --dest-namespace default --dest-server https://kubernetes.default.svc
+
+	# Generate declarative config for a Kustomize app
+	argocd admin app generate-spec kustomize-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path kustomize-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --kustomize-image gcr.io/heptio-images/ks-guestbook-demo:0.1
+
+	# Generate declarative config for a app using a custom tool:
+	argocd admin app generate-spec ksane --repo https://github.com/argoproj/argocd-example-apps.git --path plugins/kasane --dest-namespace default --dest-server https://kubernetes.default.svc --config-management-plugin kasane
+`,
+		Run: func(c *cobra.Command, args []string) {
+			apps, err := cmdutil.ConstructApps(fileURL, appName, labels, annotations, args, appOpts, c.Flags())
+			errors.CheckError(err)
+			if len(apps) > 1 {
+				errors.CheckError(fmt.Errorf("failed to generate spec, more than one application is not supported"))
+			}
+			app := apps[0]
+			if app.Name == "" {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			out, closer, err := getOutWriter(inline, fileURL)
+			errors.CheckError(err)
+			defer io.Close(closer)
+
+			errors.CheckError(PrintResources(outputFormat, out, app))
+		},
+	}
+	command.Flags().StringVar(&appName, "name", "", "A name for the app, ignored if a file is set (DEPRECATED)")
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the app")
+	command.Flags().StringArrayVarP(&labels, "label", "l", []string{}, "Labels to apply to the app")
+	command.Flags().StringArrayVarP(&annotations, "annotations", "", []string{}, "Set metadata annotations (e.g. example=value)")
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	command.Flags().BoolVarP(&inline, "inline", "i", false, "If set then generated resource is written back to the file specified in --file flag")
+
+	// Only complete files with appropriate extension.
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	errors.CheckError(err)
+
+	cmdutil.AddAppFlags(command, &appOpts)
+	return command
+}
+
 type appReconcileResult struct {
 	Name       string                          `json:"name"`
 	Health     *v1alpha1.HealthStatus          `json:"health"`
@@ -174,7 +248,7 @@ func NewReconcileCommand() *cobra.Command {
 			}
 			outputPath := args[0]
 
-			errors.CheckError(os.Setenv(common.EnvVarFakeInClusterConfig, "true"))
+			errors.CheckError(os.Setenv(v1alpha1.EnvVarFakeInClusterConfig, "true"))
 			cfg, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
 			namespace, _, err := clientConfig.Namespace()
@@ -184,11 +258,12 @@ func NewReconcileCommand() *cobra.Command {
 			if refresh {
 				if repoServerAddress == "" {
 					printLine("Repo server is not provided, trying to port-forward to argocd-repo-server pod.")
-					repoServerPort, err := kubeutil.PortForward("app.kubernetes.io/name=argocd-repo-server", 8081, namespace)
+					overrides := clientcmd.ConfigOverrides{}
+					repoServerPort, err := kubeutil.PortForward(8081, namespace, &overrides, "app.kubernetes.io/name=argocd-repo-server")
 					errors.CheckError(err)
 					repoServerAddress = fmt.Sprintf("localhost:%d", repoServerPort)
 				}
-				repoServerClient := apiclient.NewRepoServerClientset(repoServerAddress, 60)
+				repoServerClient := apiclient.NewRepoServerClientset(repoServerAddress, 60, apiclient.TLSConfiguration{DisableTLS: false, StrictValidation: false})
 
 				appClientset := appclientset.NewForConfigOrDie(cfg)
 				kubeClientset := kubernetes.NewForConfigOrDie(cfg)
@@ -259,11 +334,11 @@ func reconcileApplications(
 
 	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
 	argoDB := db.NewDB(namespace, settingsMgr, kubeClientset)
-	appInformerFactory := appinformers.NewFilteredSharedInformerFactory(
+	appInformerFactory := appinformers.NewSharedInformerFactoryWithOptions(
 		appClientset,
 		1*time.Hour,
-		namespace,
-		func(options *v1.ListOptions) {},
+		appinformers.WithNamespace(namespace),
+		appinformers.WithTweakListOptions(func(options *v1.ListOptions) {}),
 	)
 
 	appInformer := appInformerFactory.Argoproj().V1alpha1().Applications().Informer()
@@ -278,9 +353,9 @@ func reconcileApplications(
 	projLister := appInformerFactory.Argoproj().V1alpha1().AppProjects().Lister()
 	server, err := metrics.NewMetricsServer("", appLister, func(obj interface{}) bool {
 		return true
-	}, func() error {
+	}, func(r *http.Request) error {
 		return nil
-	})
+	}, []string{})
 
 	if err != nil {
 		return nil, err
@@ -290,8 +365,13 @@ func reconcileApplications(
 		return nil, err
 	}
 
+	cache := appstatecache.NewCache(
+		cacheutil.NewCache(cacheutil.NewInMemoryCache(1*time.Minute)),
+		1*time.Minute,
+	)
+
 	appStateManager := controller.NewAppStateManager(
-		argoDB, appClientset, repoServerClient, namespace, kubeutil.NewKubectl(), settingsMgr, stateCache, projInformer, server)
+		argoDB, appClientset, repoServerClient, namespace, kubeutil.NewKubectl(), settingsMgr, stateCache, projInformer, server, cache, time.Second, argo.NewResourceTracking())
 
 	appsList, err := appClientset.ArgoprojV1alpha1().Applications(namespace).List(context.Background(), v1.ListOptions{LabelSelector: selector})
 	if err != nil {
@@ -321,7 +401,7 @@ func reconcileApplications(
 			return nil, err
 		}
 
-		res := appStateManager.CompareAppState(&app, proj, app.Spec.Source.TargetRevision, app.Spec.Source, false, nil)
+		res := appStateManager.CompareAppState(&app, proj, app.Spec.Source.TargetRevision, app.Spec.Source, false, false, nil)
 		items = append(items, appReconcileResult{
 			Name:       app.Name,
 			Conditions: app.Status.Conditions,
@@ -333,5 +413,5 @@ func reconcileApplications(
 }
 
 func newLiveStateCache(argoDB db.ArgoDB, appInformer kubecache.SharedIndexInformer, settingsMgr *settings.SettingsManager, server *metrics.MetricsServer) cache.LiveStateCache {
-	return cache.NewLiveStateCache(argoDB, appInformer, settingsMgr, kubeutil.NewKubectl(), server, func(managedByApp map[string]bool, ref apiv1.ObjectReference) {}, nil)
+	return cache.NewLiveStateCache(argoDB, appInformer, settingsMgr, kubeutil.NewKubectl(), server, func(managedByApp map[string]bool, ref apiv1.ObjectReference) {}, nil, argo.NewResourceTracking())
 }

cmd/argocd/commands/admin/app_test.go

@@ -1,9 +1,9 @@
-package commands
+package admin
 
 import (
 	"testing"
 
-	"github.com/argoproj/argo-cd/test"
+	"github.com/argoproj/argo-cd/v2/test"
 
 	clustermocks "github.com/argoproj/gitops-engine/pkg/cache/mocks"
 	"github.com/argoproj/gitops-engine/pkg/health"
@@ -16,16 +16,15 @@ import (
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/tools/cache"
 
-	"github.com/argoproj/argo-cd/common"
-	statecache "github.com/argoproj/argo-cd/controller/cache"
-	cachemocks "github.com/argoproj/argo-cd/controller/cache/mocks"
-	"github.com/argoproj/argo-cd/controller/metrics"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	appfake "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/fake"
-	"github.com/argoproj/argo-cd/reposerver/apiclient"
-	"github.com/argoproj/argo-cd/reposerver/apiclient/mocks"
-	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/settings"
+	statecache "github.com/argoproj/argo-cd/v2/controller/cache"
+	cachemocks "github.com/argoproj/argo-cd/v2/controller/cache/mocks"
+	"github.com/argoproj/argo-cd/v2/controller/metrics"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	appfake "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/fake"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient/mocks"
+	"github.com/argoproj/argo-cd/v2/util/db"
+	"github.com/argoproj/argo-cd/v2/util/settings"
 )
 
 func TestGetReconcileResults(t *testing.T) {
@@ -79,7 +78,7 @@ func TestGetReconcileResults_Refresh(t *testing.T) {
 		Spec: v1alpha1.ApplicationSpec{
 			Project: "default",
 			Destination: v1alpha1.ApplicationDestination{
-				Server:    common.KubernetesInternalAPIServerAddr,
+				Server:    v1alpha1.KubernetesInternalAPIServerAddr,
 				Namespace: "default",
 			},
 		},

cmd/argocd/commands/admin/backup.go

@@ -0,0 +1,351 @@
+package admin
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+)
+
+// NewExportCommand defines a new command for exporting Kubernetes and Argo CD resources.
+func NewExportCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		out          string
+	)
+	var command = cobra.Command{
+		Use:   "export",
+		Short: "Export all Argo CD data to stdout (default) or a file",
+		Run: func(c *cobra.Command, args []string) {
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			var writer io.Writer
+			if out == "-" {
+				writer = os.Stdout
+			} else {
+				f, err := os.Create(out)
+				errors.CheckError(err)
+				bw := bufio.NewWriter(f)
+				writer = bw
+				defer func() {
+					err = bw.Flush()
+					errors.CheckError(err)
+					err = f.Close()
+					errors.CheckError(err)
+				}()
+			}
+
+			acdClients := newArgoCDClientsets(config, namespace)
+			acdConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdConfigMap)
+			acdRBACConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDRBACConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdRBACConfigMap)
+			acdKnownHostsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDKnownHostsConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdKnownHostsConfigMap)
+			acdTLSCertsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDTLSCertsConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+			export(writer, *acdTLSCertsConfigMap)
+
+			referencedSecrets := getReferencedSecrets(*acdConfigMap)
+			secrets, err := acdClients.secrets.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, secret := range secrets.Items {
+				if isArgoCDSecret(referencedSecrets, secret) {
+					export(writer, secret)
+				}
+			}
+			projects, err := acdClients.projects.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, proj := range projects.Items {
+				export(writer, proj)
+			}
+			applications, err := acdClients.applications.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, app := range applications.Items {
+				export(writer, app)
+			}
+			applicationSets, err := acdClients.applicationSets.List(context.Background(), v1.ListOptions{})
+			if err != nil && !apierr.IsNotFound(err) {
+				if apierr.IsForbidden(err) {
+					log.Warn(err)
+				} else {
+					errors.CheckError(err)
+				}
+			}
+			if applicationSets != nil {
+				for _, appSet := range applicationSets.Items {
+					export(writer, appSet)
+				}
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().StringVarP(&out, "out", "o", "-", "Output to the specified file instead of stdout")
+
+	return &command
+}
+
+// NewImportCommand defines a new command for exporting Kubernetes and Argo CD resources.
+func NewImportCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		prune        bool
+		dryRun       bool
+		verbose      bool
+	)
+	var command = cobra.Command{
+		Use:   "import SOURCE",
+		Short: "Import Argo CD data from stdin (specify `-') or a file",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			config.QPS = 100
+			config.Burst = 50
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			acdClients := newArgoCDClientsets(config, namespace)
+
+			var input []byte
+			if in := args[0]; in == "-" {
+				input, err = ioutil.ReadAll(os.Stdin)
+			} else {
+				input, err = ioutil.ReadFile(in)
+			}
+			errors.CheckError(err)
+			var dryRunMsg string
+			if dryRun {
+				dryRunMsg = " (dry run)"
+			}
+
+			// pruneObjects tracks live objects and it's current resource version. any remaining
+			// items in this map indicates the resource should be pruned since it no longer appears
+			// in the backup
+			pruneObjects := make(map[kube.ResourceKey]unstructured.Unstructured)
+			configMaps, err := acdClients.configMaps.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			// referencedSecrets holds any secrets referenced in the argocd-cm configmap. These
+			// secrets need to be imported too
+			var referencedSecrets map[string]bool
+			for _, cm := range configMaps.Items {
+				if isArgoCDConfigMap(cm.GetName()) {
+					pruneObjects[kube.ResourceKey{Group: "", Kind: "ConfigMap", Name: cm.GetName()}] = cm
+				}
+				if cm.GetName() == common.ArgoCDConfigMapName {
+					referencedSecrets = getReferencedSecrets(cm)
+				}
+			}
+
+			secrets, err := acdClients.secrets.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, secret := range secrets.Items {
+				if isArgoCDSecret(referencedSecrets, secret) {
+					pruneObjects[kube.ResourceKey{Group: "", Kind: "Secret", Name: secret.GetName()}] = secret
+				}
+			}
+			applications, err := acdClients.applications.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, app := range applications.Items {
+				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "Application", Name: app.GetName()}] = app
+			}
+			projects, err := acdClients.projects.List(context.Background(), v1.ListOptions{})
+			errors.CheckError(err)
+			for _, proj := range projects.Items {
+				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "AppProject", Name: proj.GetName()}] = proj
+			}
+			applicationSets, err := acdClients.applicationSets.List(context.Background(), v1.ListOptions{})
+			if apierr.IsForbidden(err) || apierr.IsNotFound(err) {
+				log.Warnf("argoproj.io/ApplicationSet: %v\n", err)
+			} else {
+				errors.CheckError(err)
+			}
+			if applicationSets != nil {
+				for _, appSet := range applicationSets.Items {
+					pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "ApplicationSet", Name: appSet.GetName()}] = appSet
+				}
+			}
+
+			// Create or replace existing object
+			backupObjects, err := kube.SplitYAML(input)
+			errors.CheckError(err)
+			for _, bakObj := range backupObjects {
+				gvk := bakObj.GroupVersionKind()
+				key := kube.ResourceKey{Group: gvk.Group, Kind: gvk.Kind, Name: bakObj.GetName()}
+				liveObj, exists := pruneObjects[key]
+				delete(pruneObjects, key)
+				var dynClient dynamic.ResourceInterface
+				switch bakObj.GetKind() {
+				case "Secret":
+					dynClient = acdClients.secrets
+				case "ConfigMap":
+					dynClient = acdClients.configMaps
+				case "AppProject":
+					dynClient = acdClients.projects
+				case "Application":
+					dynClient = acdClients.applications
+				case "ApplicationSet":
+					dynClient = acdClients.applicationSets
+				}
+				if !exists {
+					isForbidden := false
+					if !dryRun {
+						_, err = dynClient.Create(context.Background(), bakObj, v1.CreateOptions{})
+						if apierr.IsForbidden(err) || apierr.IsNotFound(err) {
+							isForbidden = true
+							log.Warnf("%s/%s %s: %v", gvk.Group, gvk.Kind, bakObj.GetName(), err)
+						} else {
+							errors.CheckError(err)
+						}
+					}
+					if !isForbidden {
+						fmt.Printf("%s/%s %s created%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
+					}
+
+				} else if specsEqual(*bakObj, liveObj) {
+					if verbose {
+						fmt.Printf("%s/%s %s unchanged%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
+					}
+				} else {
+					isForbidden := false
+					if !dryRun {
+						newLive := updateLive(bakObj, &liveObj)
+						_, err = dynClient.Update(context.Background(), newLive, v1.UpdateOptions{})
+						if apierr.IsForbidden(err) || apierr.IsNotFound(err) {
+							isForbidden = true
+							log.Warnf("%s/%s %s: %v", gvk.Group, gvk.Kind, bakObj.GetName(), err)
+						} else {
+							errors.CheckError(err)
+						}
+					}
+					if !isForbidden {
+						fmt.Printf("%s/%s %s updated%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
+					}
+				}
+			}
+
+			// Delete objects not in backup
+			for key, liveObj := range pruneObjects {
+				if prune {
+					var dynClient dynamic.ResourceInterface
+					switch key.Kind {
+					case "Secret":
+						dynClient = acdClients.secrets
+					case "AppProject":
+						dynClient = acdClients.projects
+					case "Application":
+						dynClient = acdClients.applications
+						if !dryRun {
+							if finalizers := liveObj.GetFinalizers(); len(finalizers) > 0 {
+								newLive := liveObj.DeepCopy()
+								newLive.SetFinalizers(nil)
+								_, err = dynClient.Update(context.Background(), newLive, v1.UpdateOptions{})
+								if err != nil && !apierr.IsNotFound(err) {
+									errors.CheckError(err)
+								}
+							}
+						}
+					case "ApplicationSet":
+						dynClient = acdClients.applicationSets
+					default:
+						log.Fatalf("Unexpected kind '%s' in prune list", key.Kind)
+					}
+					isForbidden := false
+					if !dryRun {
+						err = dynClient.Delete(context.Background(), key.Name, v1.DeleteOptions{})
+						if apierr.IsForbidden(err) || apierr.IsNotFound(err) {
+							isForbidden = true
+							log.Warnf("%s/%s %s: %v\n", key.Group, key.Kind, key.Name, err)
+						} else {
+							errors.CheckError(err)
+						}
+					}
+					if !isForbidden {
+						fmt.Printf("%s/%s %s pruned%s\n", key.Group, key.Kind, key.Name, dryRunMsg)
+					}
+				} else {
+					fmt.Printf("%s/%s %s needs pruning\n", key.Group, key.Kind, key.Name)
+				}
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().BoolVar(&dryRun, "dry-run", false, "Print what will be performed")
+	command.Flags().BoolVar(&prune, "prune", false, "Prune secrets, applications and projects which do not appear in the backup")
+	command.Flags().BoolVar(&verbose, "verbose", false, "Verbose output (versus only changed output)")
+
+	return &command
+}
+
+// export writes the unstructured object and removes extraneous cruft from output before writing
+func export(w io.Writer, un unstructured.Unstructured) {
+	name := un.GetName()
+	finalizers := un.GetFinalizers()
+	apiVersion := un.GetAPIVersion()
+	kind := un.GetKind()
+	labels := un.GetLabels()
+	annotations := un.GetAnnotations()
+	unstructured.RemoveNestedField(un.Object, "metadata")
+	un.SetName(name)
+	un.SetFinalizers(finalizers)
+	un.SetAPIVersion(apiVersion)
+	un.SetKind(kind)
+	un.SetLabels(labels)
+	un.SetAnnotations(annotations)
+	data, err := yaml.Marshal(un.Object)
+	errors.CheckError(err)
+	_, err = w.Write(data)
+	errors.CheckError(err)
+	_, err = w.Write([]byte(yamlSeparator))
+	errors.CheckError(err)
+}
+
+// updateLive replaces the live object's finalizers, spec, annotations, labels, and data from the
+// backup object but leaves all other fields intact (status, other metadata, etc...)
+func updateLive(bak, live *unstructured.Unstructured) *unstructured.Unstructured {
+	newLive := live.DeepCopy()
+	newLive.SetAnnotations(bak.GetAnnotations())
+	newLive.SetLabels(bak.GetLabels())
+	newLive.SetFinalizers(bak.GetFinalizers())
+	switch live.GetKind() {
+	case "Secret", "ConfigMap":
+		newLive.Object["data"] = bak.Object["data"]
+	case "AppProject":
+		newLive.Object["spec"] = bak.Object["spec"]
+	case "Application":
+		newLive.Object["spec"] = bak.Object["spec"]
+		if _, ok := bak.Object["status"]; ok {
+			newLive.Object["status"] = bak.Object["status"]
+		}
+	case "ApplicationSet":
+		newLive.Object["spec"] = bak.Object["spec"]
+	}
+	return newLive
+}

cmd/argocd/commands/admin/cluster.go

@@ -0,0 +1,617 @@
+package admin
+
+import (
+	"context"
+	"fmt"
+	"math"
+	"os"
+	"sort"
+	"strings"
+	"text/tabwriter"
+	"time"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/go-redis/redis/v8"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/controller/sharding"
+	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
+	"github.com/argoproj/argo-cd/v2/util/argo"
+	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
+	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/clusterauth"
+	"github.com/argoproj/argo-cd/v2/util/db"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/glob"
+	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
+	"github.com/argoproj/argo-cd/v2/util/settings"
+	"github.com/argoproj/argo-cd/v2/util/text/label"
+)
+
+func NewClusterCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "cluster",
+		Short: "Manage clusters configuration",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+
+	command.AddCommand(NewClusterConfig())
+	command.AddCommand(NewGenClusterConfigCommand(pathOpts))
+	command.AddCommand(NewClusterStatsCommand())
+	command.AddCommand(NewClusterShardsCommand())
+	namespacesCommand := NewClusterNamespacesCommand()
+	namespacesCommand.AddCommand(NewClusterEnableNamespacedMode())
+	namespacesCommand.AddCommand(NewClusterDisableNamespacedMode())
+	command.AddCommand(namespacesCommand)
+
+	return command
+}
+
+type ClusterWithInfo struct {
+	argoappv1.Cluster
+	// Shard holds controller shard number that handles the cluster
+	Shard int
+	// Namespaces holds list of namespaces managed by Argo CD in the cluster
+	Namespaces []string
+}
+
+func loadClusters(kubeClient *kubernetes.Clientset, appClient *versioned.Clientset, replicas int, namespace string, portForwardRedis bool, cacheSrc func() (*appstatecache.Cache, error), shard int) ([]ClusterWithInfo, error) {
+	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, namespace)
+
+	argoDB := db.NewDB(namespace, settingsMgr, kubeClient)
+	clustersList, err := argoDB.ListClusters(context.Background())
+	if err != nil {
+		return nil, err
+	}
+	var cache *appstatecache.Cache
+	if portForwardRedis {
+		overrides := clientcmd.ConfigOverrides{}
+		port, err := kubeutil.PortForward(6379, namespace, &overrides,
+			"app.kubernetes.io/name=argocd-redis-ha-haproxy", "app.kubernetes.io/name=argocd-redis")
+		if err != nil {
+			return nil, err
+		}
+		client := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", port)})
+		cache = appstatecache.NewCache(cacheutil.NewCache(cacheutil.NewRedisCache(client, time.Hour)), time.Hour)
+	} else {
+		cache, err = cacheSrc()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	appItems, err := appClient.ArgoprojV1alpha1().Applications(namespace).List(context.Background(), v1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	apps := appItems.Items
+	for i, app := range apps {
+		err := argo.ValidateDestination(context.Background(), &app.Spec.Destination, argoDB)
+		if err != nil {
+			return nil, err
+		}
+		apps[i] = app
+	}
+	clusters := make([]ClusterWithInfo, len(clustersList.Items))
+	batchSize := 10
+	batchesCount := int(math.Ceil(float64(len(clusters)) / float64(batchSize)))
+	for batchNum := 0; batchNum < batchesCount; batchNum++ {
+		batchStart := batchSize * batchNum
+		batchEnd := batchSize * (batchNum + 1)
+		if batchEnd > len(clustersList.Items) {
+			batchEnd = len(clustersList.Items)
+		}
+		batch := clustersList.Items[batchStart:batchEnd]
+		_ = kube.RunAllAsync(len(batch), func(i int) error {
+			cluster := batch[i]
+			clusterShard := 0
+			if replicas > 0 {
+				clusterShard = sharding.GetShardByID(cluster.ID, replicas)
+			}
+
+			if shard != -1 && clusterShard != shard {
+				return nil
+			}
+			nsSet := map[string]bool{}
+			for _, app := range apps {
+				if app.Spec.Destination.Server == cluster.Server {
+					nsSet[app.Spec.Destination.Namespace] = true
+				}
+			}
+			var namespaces []string
+			for ns := range nsSet {
+				namespaces = append(namespaces, ns)
+			}
+			_ = cache.GetClusterInfo(cluster.Server, &cluster.Info)
+			clusters[batchStart+i] = ClusterWithInfo{cluster, clusterShard, namespaces}
+			return nil
+		})
+	}
+	return clusters, nil
+}
+
+func getControllerReplicas(kubeClient *kubernetes.Clientset, namespace string) (int, error) {
+	controllerPods, err := kubeClient.CoreV1().Pods(namespace).List(context.Background(), v1.ListOptions{
+		LabelSelector: "app.kubernetes.io/name=argocd-application-controller"})
+	if err != nil {
+		return 0, err
+	}
+	return len(controllerPods.Items), nil
+}
+
+func NewClusterShardsCommand() *cobra.Command {
+	var (
+		shard            int
+		replicas         int
+		clientConfig     clientcmd.ClientConfig
+		cacheSrc         func() (*appstatecache.Cache, error)
+		portForwardRedis bool
+	)
+	var command = cobra.Command{
+		Use:   "shards",
+		Short: "Print information about each controller shard and portion of Kubernetes resources it is responsible for.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			clientCfg, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
+			appClient := versioned.NewForConfigOrDie(clientCfg)
+
+			if replicas == 0 {
+				replicas, err = getControllerReplicas(kubeClient, namespace)
+				errors.CheckError(err)
+			}
+			if replicas == 0 {
+				return
+			}
+
+			clusters, err := loadClusters(kubeClient, appClient, replicas, namespace, portForwardRedis, cacheSrc, shard)
+			errors.CheckError(err)
+			if len(clusters) == 0 {
+				return
+			}
+
+			printStatsSummary(clusters)
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().IntVar(&shard, "shard", -1, "Cluster shard filter")
+	command.Flags().IntVar(&replicas, "replicas", 0, "Application controller replicas count. Inferred from number of running controller pods if not specified")
+	command.Flags().BoolVar(&portForwardRedis, "port-forward-redis", true, "Automatically port-forward ha proxy redis from current namespace?")
+	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command)
+	return &command
+}
+
+func printStatsSummary(clusters []ClusterWithInfo) {
+	totalResourcesCount := int64(0)
+	resourcesCountByShard := map[int]int64{}
+	for _, c := range clusters {
+		totalResourcesCount += c.Info.CacheInfo.ResourcesCount
+		resourcesCountByShard[c.Shard] += c.Info.CacheInfo.ResourcesCount
+	}
+
+	avgResourcesByShard := totalResourcesCount / int64(len(resourcesCountByShard))
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	_, _ = fmt.Fprintf(w, "SHARD\tRESOURCES COUNT\n")
+	for shard := 0; shard < len(resourcesCountByShard); shard++ {
+		cnt := resourcesCountByShard[shard]
+		percent := (float64(cnt) / float64(avgResourcesByShard)) * 100.0
+		_, _ = fmt.Fprintf(w, "%d\t%s\n", shard, fmt.Sprintf("%d (%.0f%%)", cnt, percent))
+	}
+	_ = w.Flush()
+}
+
+func runClusterNamespacesCommand(clientConfig clientcmd.ClientConfig, action func(appClient *versioned.Clientset, argoDB db.ArgoDB, clusters map[string][]string) error) error {
+	clientCfg, err := clientConfig.ClientConfig()
+	if err != nil {
+		return err
+	}
+	namespace, _, err := clientConfig.Namespace()
+	if err != nil {
+		return err
+	}
+
+	kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
+	appClient := versioned.NewForConfigOrDie(clientCfg)
+
+	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, namespace)
+	argoDB := db.NewDB(namespace, settingsMgr, kubeClient)
+	clustersList, err := argoDB.ListClusters(context.Background())
+	if err != nil {
+		return err
+	}
+	appItems, err := appClient.ArgoprojV1alpha1().Applications(namespace).List(context.Background(), v1.ListOptions{})
+	if err != nil {
+		return err
+	}
+	apps := appItems.Items
+	for i, app := range apps {
+		err := argo.ValidateDestination(context.Background(), &app.Spec.Destination, argoDB)
+		if err != nil {
+			return err
+		}
+		apps[i] = app
+	}
+
+	clusters := map[string][]string{}
+	for _, cluster := range clustersList.Items {
+		nsSet := map[string]bool{}
+		for _, app := range apps {
+			if app.Spec.Destination.Server != cluster.Server {
+				continue
+			}
+			// Use namespaces of actually deployed resources, since some application use dummy target namespace
+			// If resources list is empty then use target namespace
+			if len(app.Status.Resources) != 0 {
+				for _, res := range app.Status.Resources {
+					if res.Namespace != "" {
+						nsSet[res.Namespace] = true
+					}
+				}
+			} else {
+				if app.Spec.Destination.Server == cluster.Server {
+					nsSet[app.Spec.Destination.Namespace] = true
+				}
+			}
+		}
+		var namespaces []string
+		for ns := range nsSet {
+			namespaces = append(namespaces, ns)
+		}
+		clusters[cluster.Server] = namespaces
+	}
+	return action(appClient, argoDB, clusters)
+}
+
+func NewClusterNamespacesCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = cobra.Command{
+		Use:   "namespaces",
+		Short: "Print information namespaces which Argo CD manages in each cluster.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			err := runClusterNamespacesCommand(clientConfig, func(appClient *versioned.Clientset, _ db.ArgoDB, clusters map[string][]string) error {
+				w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+				_, _ = fmt.Fprintf(w, "CLUSTER\tNAMESPACES\n")
+
+				for cluster, namespaces := range clusters {
+					// print shortest namespace names first
+					sort.Slice(namespaces, func(i, j int) bool {
+						return len(namespaces[j]) > len(namespaces[i])
+					})
+					namespacesStr := ""
+					if len(namespaces) > 4 {
+						namespacesStr = fmt.Sprintf("%s (total %d)", strings.Join(namespaces[:4], ","), len(namespaces))
+					} else {
+						namespacesStr = strings.Join(namespaces, ",")
+					}
+
+					_, _ = fmt.Fprintf(w, "%s\t%s\n", cluster, namespacesStr)
+				}
+				_ = w.Flush()
+				return nil
+			})
+			errors.CheckError(err)
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	return &command
+}
+
+func NewClusterEnableNamespacedMode() *cobra.Command {
+	var (
+		clientConfig     clientcmd.ClientConfig
+		dryRun           bool
+		clusterResources bool
+		namespacesCount  int
+	)
+	var command = cobra.Command{
+		Use:   "enable-namespaced-mode PATTERN",
+		Short: "Enable namespaced mode for clusters which name matches to the specified pattern.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			if len(args) == 0 {
+				cmd.HelpFunc()(cmd, args)
+				os.Exit(1)
+			}
+			pattern := args[0]
+
+			errors.CheckError(runClusterNamespacesCommand(clientConfig, func(_ *versioned.Clientset, argoDB db.ArgoDB, clusters map[string][]string) error {
+				for server, namespaces := range clusters {
+					if len(namespaces) == 0 || len(namespaces) > namespacesCount || !glob.Match(pattern, server) {
+						continue
+					}
+
+					cluster, err := argoDB.GetCluster(context.Background(), server)
+					if err != nil {
+						return err
+					}
+					cluster.Namespaces = namespaces
+					cluster.ClusterResources = clusterResources
+					fmt.Printf("Setting cluster %s namespaces to %v...", server, namespaces)
+					if !dryRun {
+						_, err = argoDB.UpdateCluster(context.Background(), cluster)
+						if err != nil {
+							return err
+						}
+						fmt.Println("done")
+					} else {
+						fmt.Println("done (dry run)")
+					}
+
+				}
+				return nil
+			}))
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().BoolVar(&dryRun, "dry-run", true, "Print what will be performed")
+	command.Flags().BoolVar(&clusterResources, "cluster-resources", false, "Indicates if cluster level resources should be managed.")
+	command.Flags().IntVar(&namespacesCount, "max-namespace-count", 0, "Max number of namespaces that cluster should managed managed namespaces is less or equal to specified count")
+
+	return &command
+}
+
+func NewClusterDisableNamespacedMode() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		dryRun       bool
+	)
+	var command = cobra.Command{
+		Use:   "disable-namespaced-mode PATTERN",
+		Short: "Disable namespaced mode for clusters which name matches to the specified pattern.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			if len(args) == 0 {
+				cmd.HelpFunc()(cmd, args)
+				os.Exit(1)
+			}
+
+			pattern := args[0]
+
+			errors.CheckError(runClusterNamespacesCommand(clientConfig, func(_ *versioned.Clientset, argoDB db.ArgoDB, clusters map[string][]string) error {
+				for server := range clusters {
+					if !glob.Match(pattern, server) {
+						continue
+					}
+
+					cluster, err := argoDB.GetCluster(context.Background(), server)
+					if err != nil {
+						return err
+					}
+
+					if len(cluster.Namespaces) == 0 {
+						continue
+					}
+
+					cluster.Namespaces = nil
+					fmt.Printf("Disabling namespaced mode for cluster %s...", server)
+					if !dryRun {
+						_, err = argoDB.UpdateCluster(context.Background(), cluster)
+						if err != nil {
+							return err
+						}
+						fmt.Println("done")
+					} else {
+						fmt.Println("done (dry run)")
+					}
+
+				}
+				return nil
+			}))
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().BoolVar(&dryRun, "dry-run", true, "Print what will be performed")
+	return &command
+}
+
+func NewClusterStatsCommand() *cobra.Command {
+	var (
+		shard            int
+		replicas         int
+		clientConfig     clientcmd.ClientConfig
+		cacheSrc         func() (*appstatecache.Cache, error)
+		portForwardRedis bool
+	)
+	var command = cobra.Command{
+		Use:   "stats",
+		Short: "Prints information cluster statistics and inferred shard number",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			clientCfg, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
+			appClient := versioned.NewForConfigOrDie(clientCfg)
+			if replicas == 0 {
+				replicas, err = getControllerReplicas(kubeClient, namespace)
+				errors.CheckError(err)
+			}
+			clusters, err := loadClusters(kubeClient, appClient, replicas, namespace, portForwardRedis, cacheSrc, shard)
+			errors.CheckError(err)
+
+			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+			_, _ = fmt.Fprintf(w, "SERVER\tSHARD\tCONNECTION\tNAMESPACES COUNT\tAPPS COUNT\tRESOURCES COUNT\n")
+			for _, cluster := range clusters {
+				_, _ = fmt.Fprintf(w, "%s\t%d\t%s\t%d\t%d\t%d\n", cluster.Server, cluster.Shard, cluster.Info.ConnectionState.Status, len(cluster.Namespaces), cluster.Info.ApplicationsCount, cluster.Info.CacheInfo.ResourcesCount)
+			}
+			_ = w.Flush()
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().IntVar(&shard, "shard", -1, "Cluster shard filter")
+	command.Flags().IntVar(&replicas, "replicas", 0, "Application controller replicas count. Inferred from number of running controller pods if not specified")
+	command.Flags().BoolVar(&portForwardRedis, "port-forward-redis", true, "Automatically port-forward ha proxy redis from current namespace?")
+	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command)
+	return &command
+}
+
+// NewClusterConfig returns a new instance of `argocd admin kubeconfig` command
+func NewClusterConfig() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = &cobra.Command{
+		Use:               "kubeconfig CLUSTER_URL OUTPUT_PATH",
+		Short:             "Generates kubeconfig for the specified cluster",
+		DisableAutoGenTag: true,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			serverUrl := args[0]
+			output := args[1]
+			conf, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeclientset, err := kubernetes.NewForConfig(conf)
+			errors.CheckError(err)
+
+			cluster, err := db.NewDB(namespace, settings.NewSettingsManager(context.Background(), kubeclientset, namespace), kubeclientset).GetCluster(context.Background(), serverUrl)
+			errors.CheckError(err)
+			err = kube.WriteKubeConfig(cluster.RawRestConfig(), namespace, output)
+			errors.CheckError(err)
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	return command
+}
+
+func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
+	var (
+		clusterOpts   cmdutil.ClusterOptions
+		bearerToken   string
+		generateToken bool
+		outputFormat  string
+		labels        []string
+		annotations   []string
+	)
+	var command = &cobra.Command{
+		Use:   "generate-spec CONTEXT",
+		Short: "Generate declarative config for a cluster",
+		Run: func(c *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+			var configAccess clientcmd.ConfigAccess = pathOpts
+			if len(args) == 0 {
+				log.Error("Choose a context name from:")
+				cmdutil.PrintKubeContexts(configAccess)
+				os.Exit(1)
+			}
+			cfgAccess, err := configAccess.GetStartingConfig()
+			errors.CheckError(err)
+			contextName := args[0]
+			clstContext := cfgAccess.Contexts[contextName]
+			if clstContext == nil {
+				log.Fatalf("Context %s does not exist in kubeconfig", contextName)
+				return
+			}
+
+			overrides := clientcmd.ConfigOverrides{
+				Context: *clstContext,
+			}
+			clientConfig := clientcmd.NewDefaultClientConfig(*cfgAccess, &overrides)
+			conf, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			kubeClientset := fake.NewSimpleClientset()
+
+			var awsAuthConf *argoappv1.AWSAuthConfig
+			var execProviderConf *argoappv1.ExecProviderConfig
+			if clusterOpts.AwsClusterName != "" {
+				awsAuthConf = &argoappv1.AWSAuthConfig{
+					ClusterName: clusterOpts.AwsClusterName,
+					RoleARN:     clusterOpts.AwsRoleArn,
+				}
+			} else if clusterOpts.ExecProviderCommand != "" {
+				execProviderConf = &argoappv1.ExecProviderConfig{
+					Command:     clusterOpts.ExecProviderCommand,
+					Args:        clusterOpts.ExecProviderArgs,
+					Env:         clusterOpts.ExecProviderEnv,
+					APIVersion:  clusterOpts.ExecProviderAPIVersion,
+					InstallHint: clusterOpts.ExecProviderInstallHint,
+				}
+			} else if generateToken {
+				bearerToken, err = GenerateToken(clusterOpts, conf)
+				errors.CheckError(err)
+			} else if bearerToken == "" {
+				bearerToken = "bearer-token"
+			}
+			if clusterOpts.Name != "" {
+				contextName = clusterOpts.Name
+			}
+
+			labelsMap, err := label.Parse(labels)
+			errors.CheckError(err)
+			annotationsMap, err := label.Parse(annotations)
+			errors.CheckError(err)
+
+			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, clusterOpts.ClusterResources, conf, bearerToken, awsAuthConf, execProviderConf, labelsMap, annotationsMap)
+			if clusterOpts.InCluster {
+				clst.Server = argoappv1.KubernetesInternalAPIServerAddr
+			}
+			if clusterOpts.Shard >= 0 {
+				clst.Shard = &clusterOpts.Shard
+			}
+
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
+			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
+
+			_, err = argoDB.CreateCluster(context.Background(), clst)
+			errors.CheckError(err)
+
+			secName, err := db.URIToSecretName("cluster", clst.Server)
+			errors.CheckError(err)
+
+			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), secName, v1.GetOptions{})
+			errors.CheckError(err)
+
+			errors.CheckError(PrintResources(outputFormat, os.Stdout, secret))
+		},
+	}
+	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
+	command.Flags().StringVar(&bearerToken, "bearer-token", "", "Authentication token that should be used to access K8S API server")
+	command.Flags().BoolVar(&generateToken, "generate-bearer-token", false, "Generate authentication token that should be used to access K8S API server")
+	command.Flags().StringVar(&clusterOpts.ServiceAccount, "service-account", "argocd-manager", fmt.Sprintf("System namespace service account to use for kubernetes resource management. If not set then default \"%s\" SA will be used", clusterauth.ArgoCDManagerServiceAccount))
+	command.Flags().StringVar(&clusterOpts.SystemNamespace, "system-namespace", common.DefaultSystemNamespace, "Use different system namespace")
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	command.Flags().StringArrayVar(&labels, "label", nil, "Set metadata labels (e.g. --label key=value)")
+	command.Flags().StringArrayVar(&annotations, "annotation", nil, "Set metadata annotations (e.g. --annotation key=value)")
+	cmdutil.AddClusterFlags(command, &clusterOpts)
+	return command
+}
+
+func GenerateToken(clusterOpts cmdutil.ClusterOptions, conf *rest.Config) (string, error) {
+	clientset, err := kubernetes.NewForConfig(conf)
+	errors.CheckError(err)
+
+	bearerToken, err := clusterauth.GetServiceAccountBearerToken(clientset, clusterOpts.SystemNamespace, clusterOpts.ServiceAccount)
+	if err != nil {
+		return "", err
+	}
+	return bearerToken, nil
+}

cmd/argocd/commands/admin/dashboard.go

@@ -0,0 +1,30 @@
+package admin
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/pkg/apiclient"
+)
+
+func NewDashboardCommand() *cobra.Command {
+	var (
+		port int
+	)
+	cmd := &cobra.Command{
+		Use:   "dashboard",
+		Short: "Starts Argo CD Web UI locally",
+		Run: func(cmd *cobra.Command, args []string) {
+			println(fmt.Sprintf("Argo CD UI is available at http://localhost:%d", port))
+			<-context.Background().Done()
+		},
+	}
+	clientOpts := &apiclient.ClientOptions{Core: true}
+	headless.InitCommand(cmd, clientOpts, &port)
+	cmd.Flags().IntVar(&port, "port", common.DefaultPortAPIServer, "Listen on given port")
+	return cmd
+}

cmd/argocd/commands/admin/generatespec_utils.go

@@ -0,0 +1,108 @@
+package admin
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/ghodss/yaml"
+	v1 "k8s.io/api/core/v1"
+
+	ioutil "github.com/argoproj/argo-cd/v2/util/io"
+)
+
+func getOutWriter(inline bool, filePath string) (io.Writer, io.Closer, error) {
+	if !inline {
+		return os.Stdout, ioutil.NopCloser, nil
+	}
+
+	if filePath == "" {
+		return nil, nil, errors.New("The file path must be specified using flag '--file'")
+	}
+
+	err := os.Rename(filePath, fmt.Sprintf("%s.back", filePath))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	fileOut, err := os.Create(filePath)
+	if err != nil {
+		return nil, nil, err
+	}
+	return fileOut, fileOut, nil
+}
+
+// PrintResources prints a single resource in YAML or JSON format to stdout according to the output format
+func PrintResources(output string, out io.Writer, resources ...interface{}) error {
+	for i, resource := range resources {
+		if secret, ok := resource.(*v1.Secret); ok {
+			convertSecretData(secret)
+		}
+		filteredResource, err := omitFields(resource)
+		if err != nil {
+			return err
+		}
+		resources[i] = filteredResource
+	}
+	var obj interface{} = resources
+	if len(resources) == 1 {
+		obj = resources[0]
+	}
+
+	switch output {
+	case "json":
+		jsonBytes, err := json.MarshalIndent(obj, "", "  ")
+		if err != nil {
+			return err
+		}
+
+		_, _ = fmt.Fprintln(out, string(jsonBytes))
+	case "yaml":
+		yamlBytes, err := yaml.Marshal(obj)
+		if err != nil {
+			return err
+		}
+		// marshaled YAML already ends with the new line character
+		_, _ = fmt.Fprint(out, string(yamlBytes))
+	default:
+		return fmt.Errorf("unknown output format: %s", output)
+	}
+	return nil
+}
+
+// omit fields such as status, creationTimestamp and metadata.namespace in k8s objects
+func omitFields(resource interface{}) (interface{}, error) {
+	jsonBytes, err := json.Marshal(resource)
+	if err != nil {
+		return nil, err
+	}
+
+	toMap := make(map[string]interface{})
+	err = json.Unmarshal(jsonBytes, &toMap)
+	if err != nil {
+		return nil, err
+	}
+
+	delete(toMap, "status")
+	if v, ok := toMap["metadata"]; ok {
+		if metadata, ok := v.(map[string]interface{}); ok {
+			delete(metadata, "creationTimestamp")
+			delete(metadata, "namespace")
+		}
+	}
+	return toMap, nil
+}
+
+// convertSecretData converts kubernetes secret's data to stringData
+func convertSecretData(secret *v1.Secret) {
+	secret.Kind = kube.SecretKind
+	secret.APIVersion = "v1"
+	secret.StringData = map[string]string{}
+	for k, v := range secret.Data {
+		secret.StringData[k] = string(v)
+	}
+	secret.Data = map[string][]byte{}
+}

cmd/argocd/commands/admin/generatespec_utils_test.go

@@ -0,0 +1,58 @@
+package admin
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/argoproj/argo-cd/v2/util/io"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestGetOutWriter_InlineOff(t *testing.T) {
+	out, closer, err := getOutWriter(false, "")
+	require.NoError(t, err)
+	defer io.Close(closer)
+
+	assert.Equal(t, os.Stdout, out)
+}
+
+func TestGetOutWriter_InlineOn(t *testing.T) {
+	tmpFile, err := ioutil.TempFile("", "")
+	require.NoError(t, err)
+	defer func() {
+		_ = os.Remove(tmpFile.Name())
+		_ = os.Remove(fmt.Sprintf("%s.back", tmpFile.Name()))
+	}()
+
+	out, closer, err := getOutWriter(true, tmpFile.Name())
+	require.NoError(t, err)
+	defer io.Close(closer)
+
+	assert.Equal(t, tmpFile.Name(), out.(*os.File).Name())
+	_, err = os.Stat(fmt.Sprintf("%s.back", tmpFile.Name()))
+	assert.NoError(t, err, "Back file must be created")
+}
+
+func TestPrintResources_Secret_YAML(t *testing.T) {
+	out := bytes.Buffer{}
+	err := PrintResources("yaml", &out, &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "my-secret"},
+		Data:       map[string][]byte{"my-secret-key": []byte("my-secret-data")},
+	})
+	assert.NoError(t, err)
+
+	assert.Equal(t, `apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secret
+stringData:
+  my-secret-key: my-secret-data
+`, out.String())
+}

cmd/argocd/commands/admin/project.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"context"
@@ -7,11 +7,13 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
-	appclient "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/typed/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/errors"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
+	appclient "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/typed/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
 
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/spf13/cobra"
@@ -21,18 +23,53 @@ import (
 
 func NewProjectsCommand() *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "projects",
-		Short: "Utility commands operate on ArgoCD Projects",
+		Use:   "proj",
+		Short: "Manage projects configuration",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 		},
 	}
 
+	command.AddCommand(NewGenProjectSpecCommand())
 	command.AddCommand(NewUpdatePolicyRuleCommand())
 	command.AddCommand(NewProjectAllowListGenCommand())
 	return command
 }
 
+// NewGenProjectSpecCommand generates declarative configuration file for given project
+func NewGenProjectSpecCommand() *cobra.Command {
+	var (
+		opts         cmdutil.ProjectOpts
+		fileURL      string
+		outputFormat string
+		inline       bool
+	)
+	var command = &cobra.Command{
+		Use:   "generate-spec PROJECT",
+		Short: "Generate declarative config for a project",
+		Run: func(c *cobra.Command, args []string) {
+			proj, err := cmdutil.ConstructAppProj(fileURL, args, opts, c)
+			errors.CheckError(err)
+
+			out, closer, err := getOutWriter(inline, fileURL)
+			errors.CheckError(err)
+			defer io.Close(closer)
+
+			errors.CheckError(PrintResources(outputFormat, out, proj))
+		},
+	}
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the project")
+	command.Flags().BoolVarP(&inline, "inline", "i", false, "If set then generated resource is written back to the file specified in --file flag")
+
+	// Only complete files with appropriate extension.
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	errors.CheckError(err)
+
+	cmdutil.AddProjFlags(command, &opts)
+	return command
+}
+
 func globMatch(pattern string, val string) bool {
 	if pattern == "*" {
 		return true
@@ -106,10 +143,10 @@ func NewUpdatePolicyRuleCommand() *cobra.Command {
 		Use:   "update-role-policy PROJECT_GLOB MODIFICATION ACTION",
 		Short: "Implement bulk project role update. Useful to back-fill existing project policies or remove obsolete actions.",
 		Example: `  # Add policy that allows executing any action (action/*) to roles which name matches to *deployer* in all projects  
-  argocd-util projects update-role-policy '*' set 'action/*' --role '*deployer*' --resource applications --scope '*' --permission allow
+  argocd admin projects update-role-policy '*' set 'action/*' --role '*deployer*' --resource applications --scope '*' --permission allow
 
   # Remove policy that which manages running (action/*) from all roles which name matches *deployer* in all projects
-  argocd-util projects update-role-policy '*' remove override --role '*deployer*'
+  argocd admin projects update-role-policy '*' remove override --role '*deployer*'
 `,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 3 {

cmd/argocd/commands/admin/project_allowlist.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"bufio"
@@ -17,10 +17,10 @@ import (
 	"k8s.io/client-go/kubernetes/scheme"
 	"k8s.io/client-go/tools/clientcmd"
 
-	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/errors"
 
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/cli"
 
 	// load the gcp plugin (required to authenticate against GKE clusters).
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"

cmd/argocd/commands/admin/project_allowlist_test.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"reflect"
@@ -30,9 +30,9 @@ func TestProjectAllowListGen(t *testing.T) {
 		})
 		assert.NoError(t, err)
 
-		var patchSeverPreferedResources *mpatch.Patch
+		var patchSeverPreferredResources *mpatch.Patch
 		discoClient := &discovery.DiscoveryClient{}
-		patchSeverPreferedResources, err = mpatch.PatchInstanceMethodByName(reflect.TypeOf(discoClient), "ServerPreferredResources", func(*discovery.DiscoveryClient) ([]*metav1.APIResourceList, error) {
+		patchSeverPreferredResources, err = mpatch.PatchInstanceMethodByName(reflect.TypeOf(discoClient), "ServerPreferredResources", func(*discovery.DiscoveryClient) ([]*metav1.APIResourceList, error) {
 			res := metav1.APIResource{
 				Name: "services",
 				Kind: "Service",
@@ -47,7 +47,7 @@ func TestProjectAllowListGen(t *testing.T) {
 			assert.NoError(t, err)
 			err = patch.Unpatch()
 			assert.NoError(t, err)
-			err = patchSeverPreferedResources.Unpatch()
+			err = patchSeverPreferredResources.Unpatch()
 			err = patch.Unpatch()
 		}()
 	}

cmd/argocd/commands/admin/project_test.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"context"
@@ -7,8 +7,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/pkg/client/clientset/versioned/fake"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/fake"
 )
 
 const (

cmd/argocd/commands/admin/repo.go

@@ -0,0 +1,169 @@
+package admin
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	apiv1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/db"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/git"
+	"github.com/argoproj/argo-cd/v2/util/settings"
+)
+
+const (
+	ArgoCDNamespace  = "argocd"
+	repoSecretPrefix = "repo"
+)
+
+func NewRepoCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "repo",
+		Short: "Manage repositories configuration",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+	command.AddCommand(NewGenRepoSpecCommand())
+
+	return command
+}
+
+func NewGenRepoSpecCommand() *cobra.Command {
+	var (
+		repoOpts     cmdutil.RepoOptions
+		outputFormat string
+	)
+
+	// For better readability and easier formatting
+	var repoAddExamples = `  
+  # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
+  argocd admin repo generate-spec git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
+
+  # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
+  argocd admin repo generate-spec ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
+
+  # Add a private Git repository via HTTPS using username/password and TLS client certificates:
+  argocd admin repo generate-spec https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
+
+  # Add a private Git repository via HTTPS using username/password without verifying the server's TLS certificate
+  argocd admin repo generate-spec https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
+
+  # Add a public Helm repository named 'stable' via HTTPS
+  argocd admin repo generate-spec https://charts.helm.sh/stable --type helm --name stable  
+
+  # Add a private Helm repository named 'stable' via HTTPS
+  argocd admin repo generate-spec https://charts.helm.sh/stable --type helm --name stable --username test --password test
+
+  # Add a private Helm OCI-based repository named 'stable' via HTTPS
+  argocd admin repo generate-spec helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
+`
+
+	var command = &cobra.Command{
+		Use:     "generate-spec REPOURL",
+		Short:   "Generate declarative config for a repo",
+		Example: repoAddExamples,
+		Run: func(c *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			// Repository URL
+			repoOpts.Repo.Repo = args[0]
+
+			// Specifying ssh-private-key-path is only valid for SSH repositories
+			if repoOpts.SshPrivateKeyPath != "" {
+				if ok, _ := git.IsSSHURL(repoOpts.Repo.Repo); ok {
+					keyData, err := ioutil.ReadFile(repoOpts.SshPrivateKeyPath)
+					if err != nil {
+						log.Fatal(err)
+					}
+					repoOpts.Repo.SSHPrivateKey = string(keyData)
+				} else {
+					err := fmt.Errorf("--ssh-private-key-path is only supported for SSH repositories.")
+					errors.CheckError(err)
+				}
+			}
+
+			// tls-client-cert-path and tls-client-cert-key-key-path must always be
+			// specified together
+			if (repoOpts.TlsClientCertPath != "" && repoOpts.TlsClientCertKeyPath == "") || (repoOpts.TlsClientCertPath == "" && repoOpts.TlsClientCertKeyPath != "") {
+				err := fmt.Errorf("--tls-client-cert-path and --tls-client-cert-key-path must be specified together")
+				errors.CheckError(err)
+			}
+
+			// Specifying tls-client-cert-path is only valid for HTTPS repositories
+			if repoOpts.TlsClientCertPath != "" {
+				if git.IsHTTPSURL(repoOpts.Repo.Repo) {
+					tlsCertData, err := ioutil.ReadFile(repoOpts.TlsClientCertPath)
+					errors.CheckError(err)
+					tlsCertKey, err := ioutil.ReadFile(repoOpts.TlsClientCertKeyPath)
+					errors.CheckError(err)
+					repoOpts.Repo.TLSClientCertData = string(tlsCertData)
+					repoOpts.Repo.TLSClientCertKey = string(tlsCertKey)
+				} else {
+					err := fmt.Errorf("--tls-client-cert-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
+			// Set repository connection properties only when creating repository, not
+			// when creating repository credentials.
+			// InsecureIgnoreHostKey is deprecated and only here for backwards compat
+			repoOpts.Repo.InsecureIgnoreHostKey = repoOpts.InsecureIgnoreHostKey
+			repoOpts.Repo.Insecure = repoOpts.InsecureSkipServerVerification
+			repoOpts.Repo.EnableLFS = repoOpts.EnableLfs
+			repoOpts.Repo.EnableOCI = repoOpts.EnableOci
+
+			if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
+				errors.CheckError(fmt.Errorf("must specify --name for repos of type 'helm'"))
+			}
+
+			// If the user set a username, but didn't supply password via --password,
+			// then we prompt for it
+			if repoOpts.Repo.Username != "" && repoOpts.Repo.Password == "" {
+				repoOpts.Repo.Password = cli.PromptPassword(repoOpts.Repo.Password)
+			}
+
+			argoCDCM := &apiv1.ConfigMap{
+				TypeMeta: v1.TypeMeta{
+					Kind:       "ConfigMap",
+					APIVersion: "v1",
+				},
+				ObjectMeta: v1.ObjectMeta{
+					Name:      common.ArgoCDConfigMapName,
+					Namespace: ArgoCDNamespace,
+					Labels: map[string]string{
+						"app.kubernetes.io/part-of": "argocd",
+					},
+				},
+			}
+			kubeClientset := fake.NewSimpleClientset(argoCDCM)
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
+			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
+
+			_, err := argoDB.CreateRepository(context.Background(), &repoOpts.Repo)
+			errors.CheckError(err)
+
+			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), db.RepoURLToSecretName(repoSecretPrefix, repoOpts.Repo.Repo), v1.GetOptions{})
+			errors.CheckError(err)
+
+			errors.CheckError(PrintResources(outputFormat, os.Stdout, secret))
+		},
+	}
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	cmdutil.AddRepoFlags(command, &repoOpts)
+	return command
+}

cmd/argocd/commands/admin/secrets_redactor_test.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"testing"

cmd/argocd/commands/admin/settings.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"bytes"
@@ -23,13 +23,13 @@ import (
 	"k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/tools/clientcmd"
 
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/argo/normalizers"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/lua"
-	"github.com/argoproj/argo-cd/util/settings"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/argo/normalizers"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/lua"
+	"github.com/argoproj/argo-cd/v2/util/settings"
 )
 
 type settingsOpts struct {
@@ -162,6 +162,7 @@ func NewSettingsCommand() *cobra.Command {
 
 	command.AddCommand(NewValidateSettingsCommand(&opts))
 	command.AddCommand(NewResourceOverridesCommand(&opts))
+	command.AddCommand(NewRBACCommand())
 
 	opts.clientConfig = cli.AddKubectlFlagsToCmd(command)
 	command.PersistentFlags().StringVar(&opts.argocdCMPath, "argocd-cm-path", "", "Path to local argocd-cm.yaml file")
@@ -302,10 +303,10 @@ func NewValidateSettingsCommand(cmdCtx commandContext) *cobra.Command {
 		Long:  "Validates settings specified in 'argocd-cm' ConfigMap and 'argocd-secret' Secret",
 		Example: `
 #Validates all settings in the specified YAML file
-argocd-util settings validate --argocd-cm-path ./argocd-cm.yaml
+argocd admin settings validate --argocd-cm-path ./argocd-cm.yaml
 
 #Validates accounts and plugins settings in Kubernetes cluster of current kubeconfig context
-argocd-util settings validate --group accounts --group plugins --load-cluster-settings`,
+argocd admin settings validate --group accounts --group plugins --load-cluster-settings`,
 		Run: func(c *cobra.Command, args []string) {
 			settingsManager, err := cmdCtx.createSettingsManager()
 			errors.CheckError(err)
@@ -391,7 +392,7 @@ func NewResourceIgnoreDifferencesCommand(cmdCtx commandContext) *cobra.Command {
 		Short: "Renders fields excluded from diffing",
 		Long:  "Renders ignored fields using the 'ignoreDifferences' setting specified in the 'resource.customizations' field of 'argocd-cm' ConfigMap",
 		Example: `
-argocd-util settings resource-overrides ignore-differences ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
+argocd admin settings resource-overrides ignore-differences ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) < 1 {
 				c.HelpFunc()(c, args)
@@ -400,7 +401,7 @@ argocd-util settings resource-overrides ignore-differences ./deploy.yaml --argoc
 
 			executeResourceOverrideCommand(cmdCtx, args, func(res unstructured.Unstructured, override v1alpha1.ResourceOverride, overrides map[string]v1alpha1.ResourceOverride) {
 				gvk := res.GroupVersionKind()
-				if len(override.IgnoreDifferences.JSONPointers) == 0 {
+				if len(override.IgnoreDifferences.JSONPointers) == 0 && len(override.IgnoreDifferences.JQPathExpressions) == 0 {
 					_, _ = fmt.Printf("Ignore differences are not configured for '%s/%s'\n", gvk.Group, gvk.Kind)
 					return
 				}
@@ -435,7 +436,7 @@ func NewResourceHealthCommand(cmdCtx commandContext) *cobra.Command {
 		Short: "Assess resource health",
 		Long:  "Assess resource health using the lua script configured in the 'resource.customizations' field of 'argocd-cm' ConfigMap",
 		Example: `
-argocd-util settings resource-overrides health ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
+argocd admin settings resource-overrides health ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) < 1 {
 				c.HelpFunc()(c, args)
@@ -466,7 +467,7 @@ func NewResourceActionListCommand(cmdCtx commandContext) *cobra.Command {
 		Short: "List available resource actions",
 		Long:  "List actions available for given resource action using the lua scripts configured in the 'resource.customizations' field of 'argocd-cm' ConfigMap and outputs updated fields",
 		Example: `
-argocd-util settings resource-overrides action list /tmp/deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
+argocd admin settings resource-overrides action list /tmp/deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) < 1 {
 				c.HelpFunc()(c, args)
@@ -509,7 +510,7 @@ func NewResourceActionRunCommand(cmdCtx commandContext) *cobra.Command {
 		Short:   "Executes resource action",
 		Long:    "Executes resource action using the lua script configured in the 'resource.customizations' field of 'argocd-cm' ConfigMap and outputs updated fields",
 		Example: `
-argocd-util settings resource-overrides action run /tmp/deploy.yaml restart --argocd-cm-path ./argocd-cm.yaml`,
+argocd admin settings resource-overrides action run /tmp/deploy.yaml restart --argocd-cm-path ./argocd-cm.yaml`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) < 2 {
 				c.HelpFunc()(c, args)

cmd/argocd/commands/admin/settings_rbac.go

@@ -0,0 +1,374 @@
+package admin
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
+	"github.com/argoproj/argo-cd/v2/util/assets"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/rbac"
+)
+
+// Provide a mapping of short-hand resource names to their RBAC counterparts
+var resourceMap map[string]string = map[string]string{
+	"account":     rbacpolicy.ResourceAccounts,
+	"app":         rbacpolicy.ResourceApplications,
+	"apps":        rbacpolicy.ResourceApplications,
+	"application": rbacpolicy.ResourceApplications,
+	"cert":        rbacpolicy.ResourceCertificates,
+	"certs":       rbacpolicy.ResourceCertificates,
+	"certificate": rbacpolicy.ResourceCertificates,
+	"cluster":     rbacpolicy.ResourceClusters,
+	"gpgkey":      rbacpolicy.ResourceGPGKeys,
+	"key":         rbacpolicy.ResourceGPGKeys,
+	"proj":        rbacpolicy.ResourceProjects,
+	"projs":       rbacpolicy.ResourceProjects,
+	"project":     rbacpolicy.ResourceProjects,
+	"repo":        rbacpolicy.ResourceRepositories,
+	"repos":       rbacpolicy.ResourceRepositories,
+	"repository":  rbacpolicy.ResourceRepositories,
+}
+
+// List of allowed RBAC resources
+var validRBACResources map[string]bool = map[string]bool{
+	rbacpolicy.ResourceAccounts:     true,
+	rbacpolicy.ResourceApplications: true,
+	rbacpolicy.ResourceCertificates: true,
+	rbacpolicy.ResourceClusters:     true,
+	rbacpolicy.ResourceGPGKeys:      true,
+	rbacpolicy.ResourceProjects:     true,
+	rbacpolicy.ResourceRepositories: true,
+}
+
+// List of allowed RBAC actions
+var validRBACActions map[string]bool = map[string]bool{
+	rbacpolicy.ActionAction:   true,
+	rbacpolicy.ActionCreate:   true,
+	rbacpolicy.ActionDelete:   true,
+	rbacpolicy.ActionGet:      true,
+	rbacpolicy.ActionOverride: true,
+	rbacpolicy.ActionSync:     true,
+	rbacpolicy.ActionUpdate:   true,
+}
+
+// NewRBACCommand is the command for 'rbac'
+func NewRBACCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "rbac",
+		Short: "Validate and test RBAC configuration",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+	command.AddCommand(NewRBACCanCommand())
+	command.AddCommand(NewRBACValidateCommand())
+	return command
+}
+
+// NewRBACCanRoleCommand is the command for 'rbac can-role'
+func NewRBACCanCommand() *cobra.Command {
+	var (
+		policyFile   string
+		defaultRole  string
+		useBuiltin   bool
+		strict       bool
+		quiet        bool
+		subject      string
+		action       string
+		resource     string
+		subResource  string
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = &cobra.Command{
+		Use:   "can ROLE/SUBJECT ACTION RESOURCE [SUB-RESOURCE]",
+		Short: "Check RBAC permissions for a role or subject",
+		Long: `
+Check whether a given role or subject has appropriate RBAC permissions to do
+something.
+`,
+		Example: `
+# Check whether role some:role has permissions to create an application in the
+# 'default' project, using a local policy.csv file
+argocd admin settings rbac can some:role create application 'default/app' --policy-file policy.csv
+
+# Policy file can also be K8s config map with data keys like argocd-rbac-cm,
+# i.e. 'policy.csv' and (optionally) 'policy.default'
+argocd admin settings rbac can some:role create application 'default/app' --policy-file argocd-rbac-cm.yaml
+
+# If --policy-file is not given, the ConfigMap 'argocd-rbac-cm' from K8s is
+# used. You need to specify the argocd namespace, and make sure that your
+# current Kubernetes context is pointing to the cluster Argo CD is running in
+argocd admin settings rbac can some:role create application 'default/app' --namespace argocd
+
+# You can override a possibly configured default role
+argocd admin settings rbac can someuser create application 'default/app' --default-role role:readonly
+
+`,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) < 3 || len(args) > 4 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			subject = args[0]
+			action = args[1]
+			resource = args[2]
+			if len(args) > 3 {
+				subResource = args[3]
+			}
+
+			userPolicy := ""
+			builtinPolicy := ""
+
+			var newDefaultRole string
+
+			namespace, nsOverride, err := clientConfig.Namespace()
+			if err != nil {
+				log.Fatalf("could not create k8s client: %v", err)
+			}
+
+			// Exactly one of --namespace or --policy-file must be given.
+			if (!nsOverride && policyFile == "") || (nsOverride && policyFile != "") {
+				c.HelpFunc()(c, args)
+				log.Fatalf("please provide exactly one of --policy-file or --namespace")
+			}
+
+			restConfig, err := clientConfig.ClientConfig()
+			if err != nil {
+				log.Fatalf("could not create k8s client: %v", err)
+			}
+			realClientset, err := kubernetes.NewForConfig(restConfig)
+			if err != nil {
+				log.Fatalf("could not create k8s client: %v", err)
+			}
+
+			userPolicy, newDefaultRole = getPolicy(policyFile, realClientset, namespace)
+
+			// Use built-in policy as augmentation if requested
+			if useBuiltin {
+				builtinPolicy = assets.BuiltinPolicyCSV
+			}
+
+			// If no explicit default role was given, but we have one defined from
+			// a policy, use this to check for enforce.
+			if newDefaultRole != "" && defaultRole == "" {
+				defaultRole = newDefaultRole
+			}
+
+			res := checkPolicy(subject, action, resource, subResource, builtinPolicy, userPolicy, defaultRole, strict)
+			if res {
+				if !quiet {
+					fmt.Println("Yes")
+				}
+				os.Exit(0)
+			} else {
+				if !quiet {
+					fmt.Println("No")
+				}
+				os.Exit(1)
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	command.Flags().StringVar(&policyFile, "policy-file", "", "path to the policy file to use")
+	command.Flags().StringVar(&defaultRole, "default-role", "", "name of the default role to use")
+	command.Flags().BoolVar(&useBuiltin, "use-builtin-policy", true, "whether to also use builtin-policy")
+	command.Flags().BoolVar(&strict, "strict", true, "whether to perform strict check on action and resource names")
+	command.Flags().BoolVarP(&quiet, "quiet", "q", false, "quiet mode - do not print results to stdout")
+	return command
+}
+
+// NewRBACValidateCommand returns a new rbac validate command
+func NewRBACValidateCommand() *cobra.Command {
+	var (
+		policyFile string
+	)
+
+	var command = &cobra.Command{
+		Use:   "validate --policy-file=POLICYFILE",
+		Short: "Validate RBAC policy",
+		Long: `
+Validates an RBAC policy for being syntactically correct. The policy must be
+a local file, and in either CSV or K8s ConfigMap format.
+`,
+		Run: func(c *cobra.Command, args []string) {
+			if policyFile == "" {
+				c.HelpFunc()(c, args)
+				log.Fatalf("Please specify policy to validate using --policy-file")
+			}
+			userPolicy, _ := getPolicy(policyFile, nil, "")
+			if userPolicy != "" {
+				if err := rbac.ValidatePolicy(userPolicy); err == nil {
+					fmt.Printf("Policy is valid.\n")
+					os.Exit(0)
+				} else {
+					fmt.Printf("Policy is invalid: %v\n", err)
+					os.Exit(1)
+				}
+			}
+		},
+	}
+
+	command.Flags().StringVar(&policyFile, "policy-file", "", "path to the policy file to use")
+	return command
+}
+
+// Load user policy file if requested or use Kubernetes client to get the
+// appropriate ConfigMap from the current context
+func getPolicy(policyFile string, kubeClient kubernetes.Interface, namespace string) (userPolicy string, defaultRole string) {
+	var err error
+	if policyFile != "" {
+		// load from file
+		userPolicy, defaultRole, err = getPolicyFromFile(policyFile)
+		if err != nil {
+			log.Fatalf("could not read policy file: %v", err)
+		}
+	} else {
+		cm, err := getPolicyConfigMap(kubeClient, namespace)
+		if err != nil {
+			log.Fatalf("could not get configmap: %v", err)
+		}
+		userPolicy, defaultRole = getPolicyFromConfigMap(cm)
+	}
+
+	return userPolicy, defaultRole
+}
+
+// getPolicyFromFile loads a RBAC policy from given path
+func getPolicyFromFile(policyFile string) (string, string, error) {
+	var (
+		userPolicy  string
+		defaultRole string
+	)
+
+	upol, err := ioutil.ReadFile(policyFile)
+	if err != nil {
+		log.Fatalf("error opening policy file: %v", err)
+		return "", "", err
+	}
+
+	// Try to unmarshal the input file as ConfigMap first. If it succeeds, we
+	// assume config map input. Otherwise, we treat it as
+	var upolCM *corev1.ConfigMap
+	err = yaml.Unmarshal(upol, &upolCM)
+	if err != nil {
+		userPolicy = string(upol)
+	} else {
+		userPolicy, defaultRole = getPolicyFromConfigMap(upolCM)
+	}
+
+	return userPolicy, defaultRole, nil
+}
+
+// Retrieve policy information from a ConfigMap
+func getPolicyFromConfigMap(cm *corev1.ConfigMap) (string, string) {
+	var (
+		userPolicy  string
+		defaultRole string
+		ok          bool
+	)
+	userPolicy, ok = cm.Data[rbac.ConfigMapPolicyCSVKey]
+	if !ok {
+		userPolicy = ""
+	}
+	if defaultRole == "" {
+		defaultRole, ok = cm.Data[rbac.ConfigMapPolicyDefaultKey]
+		if !ok {
+			defaultRole = ""
+		}
+	}
+
+	return userPolicy, defaultRole
+}
+
+// getPolicyConfigMap fetches the RBAC config map from K8s cluster
+func getPolicyConfigMap(client kubernetes.Interface, namespace string) (*corev1.ConfigMap, error) {
+	cm, err := client.CoreV1().ConfigMaps(namespace).Get(context.Background(), common.ArgoCDRBACConfigMapName, v1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return cm, nil
+}
+
+// checkPolicy checks whether given subject is allowed to execute specified
+// action against specified resource
+func checkPolicy(subject, action, resource, subResource, builtinPolicy, userPolicy, defaultRole string, strict bool) bool {
+	enf := rbac.NewEnforcer(nil, "argocd", "argocd-rbac-cm", nil)
+	enf.SetDefaultRole(defaultRole)
+	if builtinPolicy != "" {
+		if err := enf.SetBuiltinPolicy(builtinPolicy); err != nil {
+			log.Fatalf("could not set built-in policy: %v", err)
+			return false
+		}
+	}
+	if userPolicy != "" {
+		if err := rbac.ValidatePolicy(userPolicy); err != nil {
+			log.Fatalf("invalid user policy: %v", err)
+			return false
+		}
+		if err := enf.SetUserPolicy(userPolicy); err != nil {
+			log.Fatalf("could not set user policy: %v", err)
+			return false
+		}
+	}
+
+	// User could have used a mutation of the resource name (i.e. 'cert' for
+	// 'certificate') - let's resolve it to the valid resource.
+	realResource := resolveRBACResourceName(resource)
+
+	// If in strict mode, validate that given RBAC resource and action are
+	// actually valid tokens.
+	if strict {
+		if !isValidRBACResource(realResource) {
+			log.Fatalf("error in RBAC request: '%s' is not a valid resource name", realResource)
+		}
+		if !isValidRBACAction(action) {
+			log.Fatalf("error in RBAC request: '%s' is not a valid action name", action)
+		}
+	}
+
+	// Application resources have a special notation - for simplicity's sake,
+	// if user gives no sub-resource (or specifies simple '*'), we construct
+	// the required notation by setting subresource to '*/*'.
+	if realResource == rbacpolicy.ResourceApplications {
+		if subResource == "*" || subResource == "" {
+			subResource = "*/*"
+		}
+	}
+
+	return enf.Enforce(subject, realResource, action, subResource)
+}
+
+// resolveRBACResourceName resolves a user supplied value to a valid RBAC
+// resource name. If no mapping is found, returns the value verbatim.
+func resolveRBACResourceName(name string) string {
+	if res, ok := resourceMap[name]; ok {
+		return res
+	} else {
+		return name
+	}
+}
+
+// isValidRBACAction checks whether a given action is a valid RBAC action
+func isValidRBACAction(action string) bool {
+	_, ok := validRBACActions[action]
+	return ok
+}
+
+// isValidRBACResource checks whether a given resource is a valid RBAC resource
+func isValidRBACResource(resource string) bool {
+	_, ok := validRBACResources[resource]
+	return ok
+}

cmd/argocd/commands/admin/settings_rbac_test.go

@@ -0,0 +1,91 @@
+package admin
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+
+	"github.com/argoproj/argo-cd/v2/util/assets"
+)
+
+func Test_isValidRBACAction(t *testing.T) {
+	for k := range validRBACActions {
+		t.Run(k, func(t *testing.T) {
+			ok := isValidRBACAction(k)
+			assert.True(t, ok)
+		})
+	}
+	t.Run("invalid", func(t *testing.T) {
+		ok := isValidRBACAction("invalid")
+		assert.False(t, ok)
+	})
+}
+
+func Test_isValidRBACResource(t *testing.T) {
+	for k := range validRBACResources {
+		t.Run(k, func(t *testing.T) {
+			ok := isValidRBACResource(k)
+			assert.True(t, ok)
+		})
+	}
+	t.Run("invalid", func(t *testing.T) {
+		ok := isValidRBACResource("invalid")
+		assert.False(t, ok)
+	})
+}
+
+func Test_PolicyFromCSV(t *testing.T) {
+	uPol, dRole := getPolicy("testdata/rbac/policy.csv", nil, "")
+	require.NotEmpty(t, uPol)
+	require.Empty(t, dRole)
+}
+
+func Test_PolicyFromYAML(t *testing.T) {
+	uPol, dRole := getPolicy("testdata/rbac/argocd-rbac-cm.yaml", nil, "")
+	require.NotEmpty(t, uPol)
+	require.Equal(t, "role:unknown", dRole)
+}
+
+func Test_PolicyFromK8s(t *testing.T) {
+	data, err := ioutil.ReadFile("testdata/rbac/policy.csv")
+	require.NoError(t, err)
+	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "argocd-rbac-cm",
+			Namespace: "argocd",
+		},
+		Data: map[string]string{
+			"policy.csv":     string(data),
+			"policy.default": "role:unknown",
+		},
+	})
+	uPol, dRole := getPolicy("", kubeclientset, "argocd")
+	require.NotEmpty(t, uPol)
+	require.Equal(t, "role:unknown", dRole)
+
+	t.Run("get applications", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "applications", "*/*", assets.BuiltinPolicyCSV, uPol, dRole, true)
+		require.True(t, ok)
+	})
+	t.Run("get clusters", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "clusters", "*", assets.BuiltinPolicyCSV, uPol, dRole, true)
+		require.True(t, ok)
+	})
+	t.Run("get certificates", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "certificates", "*", assets.BuiltinPolicyCSV, uPol, dRole, true)
+		require.False(t, ok)
+	})
+	t.Run("get certificates by default role", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "certificates", "*", assets.BuiltinPolicyCSV, uPol, "role:readonly", true)
+		require.True(t, ok)
+	})
+	t.Run("get certificates by default role without builtin policy", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "certificates", "*", "", uPol, "role:readonly", true)
+		require.False(t, ok)
+	})
+}

cmd/argocd/commands/admin/settings_test.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"bytes"
@@ -9,9 +9,9 @@ import (
 	"os"
 	"testing"
 
-	"github.com/argoproj/argo-cd/common"
-	utils "github.com/argoproj/argo-cd/util/io"
-	"github.com/argoproj/argo-cd/util/settings"
+	"github.com/argoproj/argo-cd/v2/common"
+	utils "github.com/argoproj/argo-cd/v2/util/io"
+	"github.com/argoproj/argo-cd/v2/util/settings"
 
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"
@@ -240,6 +240,7 @@ func tempFile(content string) (string, io.Closer, error) {
 		_ = os.Remove(f.Name())
 		return "", nil, err
 	}
+	defer f.Close()
 	return f.Name(), utils.NewCloser(func() error {
 		return os.Remove(f.Name())
 	}), nil

cmd/argocd/commands/admin/testdata/rbac/argocd-rbac-cm.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+data:
+  policy.csv: |
+    p, role:user, clusters, get, *, allow
+    p, role:user, clusters, get, https://kubernetes*, deny
+    p, role:user, projects, get, *, allow
+    p, role:user, applications, get, *, allow
+    p, role:user, applications, create, */*, allow
+    p, role:user, applications, delete, *, allow
+    p, role:user, applications, delete, */guestbook, deny
+    g, test, role:user
+  policy.default: role:unknown
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-rbac-cm
+  namespace: argocd

cmd/argocd/commands/admin/testdata/rbac/policy.csv

@@ -0,0 +1,9 @@
+p, role:user, clusters, get, *, allow
+p, role:user, clusters, get, https://kubernetes*, deny
+p, role:user, projects, get, *, allow
+p, role:user, applications, get, *, allow
+p, role:user, applications, create, */*, allow
+p, role:user, applications, delete, *, allow
+p, role:user, applications, delete, */guestbook, deny
+p, role:test, certificates, get, *, allow
+g, test, role:user

cmd/argocd/commands/app_actions.go

@@ -12,10 +12,10 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	applicationpkg "github.com/argoproj/argo-cd/pkg/apiclient/application"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/io"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	applicationpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/application"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
 )
 
 type DisplayedAction struct {

cmd/argocd/commands/app_test.go

@@ -3,153 +3,161 @@ package commands
 import (
 	"testing"
 
-	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/assert"
-
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
-func Test_setHelmOpt(t *testing.T) {
-	t.Run("Zero", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setHelmOpt(&src, helmOpts{})
-		assert.Nil(t, src.Helm)
-	})
-	t.Run("ValueFiles", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setHelmOpt(&src, helmOpts{valueFiles: []string{"foo"}})
-		assert.Equal(t, []string{"foo"}, src.Helm.ValueFiles)
-	})
-	t.Run("ReleaseName", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setHelmOpt(&src, helmOpts{releaseName: "foo"})
-		assert.Equal(t, "foo", src.Helm.ReleaseName)
-	})
-	t.Run("HelmSets", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setHelmOpt(&src, helmOpts{helmSets: []string{"foo=bar"}})
-		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar"}}, src.Helm.Parameters)
-	})
-	t.Run("HelmSetStrings", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setHelmOpt(&src, helmOpts{helmSetStrings: []string{"foo=bar"}})
-		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar", ForceString: true}}, src.Helm.Parameters)
-	})
-	t.Run("HelmSetFiles", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setHelmOpt(&src, helmOpts{helmSetFiles: []string{"foo=bar"}})
-		assert.Equal(t, []v1alpha1.HelmFileParameter{{Name: "foo", Path: "bar"}}, src.Helm.FileParameters)
-	})
-	t.Run("Version", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setHelmOpt(&src, helmOpts{version: "v3"})
-		assert.Equal(t, "v3", src.Helm.Version)
-	})
-}
+func TestFindRevisionHistoryWithoutPassedId(t *testing.T) {
 
-func Test_setKustomizeOpt(t *testing.T) {
-	t.Run("No kustomize", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setKustomizeOpt(&src, kustomizeOpts{})
-		assert.Nil(t, src.Kustomize)
-	})
-	t.Run("Name prefix", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setKustomizeOpt(&src, kustomizeOpts{namePrefix: "test-"})
-		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{NamePrefix: "test-"}, src.Kustomize)
-	})
-	t.Run("Name suffix", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setKustomizeOpt(&src, kustomizeOpts{nameSuffix: "-test"})
-		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{NameSuffix: "-test"}, src.Kustomize)
-	})
-	t.Run("Images", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setKustomizeOpt(&src, kustomizeOpts{images: []string{"org/image:v1", "org/image:v2"}})
-		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{Images: v1alpha1.KustomizeImages{v1alpha1.KustomizeImage("org/image:v2")}}, src.Kustomize)
-	})
-	t.Run("Version", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setKustomizeOpt(&src, kustomizeOpts{version: "v0.1"})
-		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{Version: "v0.1"}, src.Kustomize)
-	})
-	t.Run("Common labels", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setKustomizeOpt(&src, kustomizeOpts{commonLabels: map[string]string{"foo1": "bar1", "foo2": "bar2"}})
-		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{CommonLabels: map[string]string{"foo1": "bar1", "foo2": "bar2"}}, src.Kustomize)
-	})
-	t.Run("Common annotations", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setKustomizeOpt(&src, kustomizeOpts{commonAnnotations: map[string]string{"foo1": "bar1", "foo2": "bar2"}})
-		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{CommonAnnotations: map[string]string{"foo1": "bar1", "foo2": "bar2"}}, src.Kustomize)
-	})
-}
+	histories := v1alpha1.RevisionHistories{}
 
-func Test_setJsonnetOpt(t *testing.T) {
-	t.Run("TlaSets", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setJsonnetOpt(&src, []string{"foo=bar"}, false)
-		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}}, src.Directory.Jsonnet.TLAs)
-		setJsonnetOpt(&src, []string{"bar=baz"}, false)
-		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}, {Name: "bar", Value: "baz"}}, src.Directory.Jsonnet.TLAs)
-	})
-	t.Run("ExtSets", func(t *testing.T) {
-		src := v1alpha1.ApplicationSource{}
-		setJsonnetOptExtVar(&src, []string{"foo=bar"}, false)
-		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}}, src.Directory.Jsonnet.ExtVars)
-		setJsonnetOptExtVar(&src, []string{"bar=baz"}, false)
-		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}, {Name: "bar", Value: "baz"}}, src.Directory.Jsonnet.ExtVars)
-	})
-}
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 1})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 2})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 3})
 
-type appOptionsFixture struct {
-	spec    *v1alpha1.ApplicationSpec
-	command *cobra.Command
-	options *appOptions
-}
+	status := v1alpha1.ApplicationStatus{
+		Resources:      nil,
+		Sync:           v1alpha1.SyncStatus{},
+		Health:         v1alpha1.HealthStatus{},
+		History:        histories,
+		Conditions:     nil,
+		ReconciledAt:   nil,
+		OperationState: nil,
+		ObservedAt:     nil,
+		SourceType:     "",
+		Summary:        v1alpha1.ApplicationSummary{},
+	}
+
+	application := v1alpha1.Application{
+		Status: status,
+	}
+
+	history, err := findRevisionHistory(&application, -1)
 
-func (f *appOptionsFixture) SetFlag(key, value string) error {
-	err := f.command.Flags().Set(key, value)
 	if err != nil {
-		return err
+		t.Fatal("Find revision history should fail without errors")
 	}
-	_ = setAppSpecOptions(f.command.Flags(), f.spec, f.options)
-	return err
-}
 
-func newAppOptionsFixture() *appOptionsFixture {
-	fixture := &appOptionsFixture{
-		spec:    &v1alpha1.ApplicationSpec{},
-		command: &cobra.Command{},
-		options: &appOptions{},
+	if history == nil {
+		t.Fatal("History should be found")
 	}
-	addAppFlags(fixture.command, fixture.options)
-	return fixture
+
 }
 
-func Test_setAppSpecOptions(t *testing.T) {
-	f := newAppOptionsFixture()
-	t.Run("SyncPolicy", func(t *testing.T) {
-		assert.NoError(t, f.SetFlag("sync-policy", "automated"))
-		assert.NotNil(t, f.spec.SyncPolicy.Automated)
+func TestFindRevisionHistoryWithoutPassedIdAndEmptyHistoryList(t *testing.T) {
 
-		f.spec.SyncPolicy = nil
-		assert.NoError(t, f.SetFlag("sync-policy", "automatic"))
-		assert.NotNil(t, f.spec.SyncPolicy.Automated)
+	histories := v1alpha1.RevisionHistories{}
 
-		f.spec.SyncPolicy = nil
-		assert.NoError(t, f.SetFlag("sync-policy", "auto"))
-		assert.NotNil(t, f.spec.SyncPolicy.Automated)
+	status := v1alpha1.ApplicationStatus{
+		Resources:      nil,
+		Sync:           v1alpha1.SyncStatus{},
+		Health:         v1alpha1.HealthStatus{},
+		History:        histories,
+		Conditions:     nil,
+		ReconciledAt:   nil,
+		OperationState: nil,
+		ObservedAt:     nil,
+		SourceType:     "",
+		Summary:        v1alpha1.ApplicationSummary{},
+	}
 
-		assert.NoError(t, f.SetFlag("sync-policy", "none"))
-		assert.Nil(t, f.spec.SyncPolicy)
-	})
-	t.Run("SyncOptions", func(t *testing.T) {
-		assert.NoError(t, f.SetFlag("sync-option", "a=1"))
-		assert.True(t, f.spec.SyncPolicy.SyncOptions.HasOption("a=1"))
+	application := v1alpha1.Application{
+		Status: status,
+	}
+
+	history, err := findRevisionHistory(&application, -1)
+
+	if err == nil {
+		t.Fatal("Find revision history should fail with errors")
+	}
+
+	if history != nil {
+		t.Fatal("History should be empty")
+	}
+
+	if err.Error() != "Application '' should have at least two successful deployments" {
+		t.Fatal("Find revision history should fail with correct error message")
+	}
+
+}
+
+func TestFindRevisionHistoryWithPassedId(t *testing.T) {
+
+	histories := v1alpha1.RevisionHistories{}
+
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 1})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 2})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 3, Revision: "123"})
+
+	status := v1alpha1.ApplicationStatus{
+		Resources:      nil,
+		Sync:           v1alpha1.SyncStatus{},
+		Health:         v1alpha1.HealthStatus{},
+		History:        histories,
+		Conditions:     nil,
+		ReconciledAt:   nil,
+		OperationState: nil,
+		ObservedAt:     nil,
+		SourceType:     "",
+		Summary:        v1alpha1.ApplicationSummary{},
+	}
+
+	application := v1alpha1.Application{
+		Status: status,
+	}
+
+	history, err := findRevisionHistory(&application, 3)
+
+	if err != nil {
+		t.Fatal("Find revision history should fail without errors")
+	}
+
+	if history == nil {
+		t.Fatal("History should be found")
+	}
+
+	if history.Revision != "123" {
+		t.Fatal("Failed to find correct history with correct revision")
+	}
+
+}
+
+func TestFindRevisionHistoryWithPassedIdThatNotExist(t *testing.T) {
+
+	histories := v1alpha1.RevisionHistories{}
+
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 1})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 2})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 3, Revision: "123"})
+
+	status := v1alpha1.ApplicationStatus{
+		Resources:      nil,
+		Sync:           v1alpha1.SyncStatus{},
+		Health:         v1alpha1.HealthStatus{},
+		History:        histories,
+		Conditions:     nil,
+		ReconciledAt:   nil,
+		OperationState: nil,
+		ObservedAt:     nil,
+		SourceType:     "",
+		Summary:        v1alpha1.ApplicationSummary{},
+	}
+
+	application := v1alpha1.Application{
+		Status: status,
+	}
+
+	history, err := findRevisionHistory(&application, 4)
+
+	if err == nil {
+		t.Fatal("Find revision history should fail with errors")
+	}
+
+	if history != nil {
+		t.Fatal("History should be not found")
+	}
+
+	if err.Error() != "Application '' does not have deployment id '4' in history\n" {
+		t.Fatal("Find revision history should fail with correct error message")
+	}
 
-		// remove the options using !
-		assert.NoError(t, f.SetFlag("sync-option", "!a=1"))
-		assert.Nil(t, f.spec.SyncPolicy)
-	})
 }

cmd/argocd/commands/cert.go

@@ -11,12 +11,12 @@ import (
 
 	"github.com/spf13/cobra"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	certificatepkg "github.com/argoproj/argo-cd/pkg/apiclient/certificate"
-	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	certutil "github.com/argoproj/argo-cd/util/cert"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/io"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	certificatepkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/certificate"
+	appsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	certutil "github.com/argoproj/argo-cd/v2/util/cert"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
 )
 
 // NewCertCommand returns a new instance of an `argocd repo` command

cmd/argocd/commands/cluster.go

@@ -3,25 +3,29 @@ package commands
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
-	"sort"
+	"regexp"
 	"strings"
 	"text/tabwriter"
 
+	"github.com/mattn/go-isatty"
+	"k8s.io/client-go/kubernetes"
+
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/text/label"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 
-	"github.com/argoproj/argo-cd/common"
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	clusterpkg "github.com/argoproj/argo-cd/pkg/apiclient/cluster"
-	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/clusterauth"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/io"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/common"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	clusterpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/cluster"
+	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/clusterauth"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
 )
 
 // NewClusterCommand returns a new instance of an `argocd cluster` command
@@ -58,20 +62,10 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 // NewClusterAddCommand returns a new instance of an `argocd cluster add` command
 func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientcmd.PathOptions) *cobra.Command {
 	var (
-		inCluster               bool
-		upsert                  bool
-		serviceAccount          string
-		awsRoleArn              string
-		awsClusterName          string
-		systemNamespace         string
-		namespaces              []string
-		name                    string
-		shard                   int64
-		execProviderCommand     string
-		execProviderArgs        []string
-		execProviderEnv         map[string]string
-		execProviderAPIVersion  string
-		execProviderInstallHint string
+		clusterOpts      cmdutil.ClusterOptions
+		skipConfirmation bool
+		labels           []string
+		annotations      []string
 	)
 	var command = &cobra.Command{
 		Use:   "add CONTEXT",
@@ -80,7 +74,7 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 			var configAccess clientcmd.ConfigAccess = pathOpts
 			if len(args) == 0 {
 				log.Error("Choose a context name from:")
-				printKubeContexts(configAccess)
+				cmdutil.PrintKubeContexts(configAccess)
 				os.Exit(1)
 			}
 			config, err := configAccess.GetStartingConfig()
@@ -91,6 +85,15 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 				log.Fatalf("Context %s does not exist in kubeconfig", contextName)
 			}
 
+			isTerminal := isatty.IsTerminal(os.Stdout.Fd()) || isatty.IsCygwinTerminal(os.Stdout.Fd())
+
+			if isTerminal && !skipConfirmation {
+				message := fmt.Sprintf("WARNING: This will create a service account `argocd-manager` on the cluster referenced by context `%s` with full cluster level admin privileges. Do you want to continue [y/N]? ", contextName)
+				if !cli.AskToProceed(message) {
+					os.Exit(1)
+				}
+			}
+
 			overrides := clientcmd.ConfigOverrides{
 				Context: *clstContext,
 			}
@@ -101,45 +104,54 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 			managerBearerToken := ""
 			var awsAuthConf *argoappv1.AWSAuthConfig
 			var execProviderConf *argoappv1.ExecProviderConfig
-			if awsClusterName != "" {
+			if clusterOpts.AwsClusterName != "" {
 				awsAuthConf = &argoappv1.AWSAuthConfig{
-					ClusterName: awsClusterName,
-					RoleARN:     awsRoleArn,
+					ClusterName: clusterOpts.AwsClusterName,
+					RoleARN:     clusterOpts.AwsRoleArn,
 				}
-			} else if execProviderCommand != "" {
+			} else if clusterOpts.ExecProviderCommand != "" {
 				execProviderConf = &argoappv1.ExecProviderConfig{
-					Command:     execProviderCommand,
-					Args:        execProviderArgs,
-					Env:         execProviderEnv,
-					APIVersion:  execProviderAPIVersion,
-					InstallHint: execProviderInstallHint,
+					Command:     clusterOpts.ExecProviderCommand,
+					Args:        clusterOpts.ExecProviderArgs,
+					Env:         clusterOpts.ExecProviderEnv,
+					APIVersion:  clusterOpts.ExecProviderAPIVersion,
+					InstallHint: clusterOpts.ExecProviderInstallHint,
 				}
 			} else {
 				// Install RBAC resources for managing the cluster
 				clientset, err := kubernetes.NewForConfig(conf)
 				errors.CheckError(err)
-				if serviceAccount != "" {
-					managerBearerToken, err = clusterauth.GetServiceAccountBearerToken(clientset, systemNamespace, serviceAccount)
+				if clusterOpts.ServiceAccount != "" {
+					managerBearerToken, err = clusterauth.GetServiceAccountBearerToken(clientset, clusterOpts.SystemNamespace, clusterOpts.ServiceAccount)
 				} else {
-					managerBearerToken, err = clusterauth.InstallClusterManagerRBAC(clientset, systemNamespace, namespaces)
+					managerBearerToken, err = clusterauth.InstallClusterManagerRBAC(clientset, clusterOpts.SystemNamespace, clusterOpts.Namespaces)
 				}
 				errors.CheckError(err)
 			}
+
+			labelsMap, err := label.Parse(labels)
+			errors.CheckError(err)
+			annotationsMap, err := label.Parse(annotations)
+			errors.CheckError(err)
+
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
 			defer io.Close(conn)
-			if name != "" {
-				contextName = name
+			if clusterOpts.Name != "" {
+				contextName = clusterOpts.Name
 			}
-			clst := newCluster(contextName, namespaces, conf, managerBearerToken, awsAuthConf, execProviderConf)
-			if inCluster {
-				clst.Server = common.KubernetesInternalAPIServerAddr
+			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, clusterOpts.ClusterResources, conf, managerBearerToken, awsAuthConf, execProviderConf, labelsMap, annotationsMap)
+			if clusterOpts.InCluster {
+				clst.Server = argoappv1.KubernetesInternalAPIServerAddr
 			}
-			if shard >= 0 {
-				clst.Shard = &shard
+			if clusterOpts.Shard >= 0 {
+				clst.Shard = &clusterOpts.Shard
+			}
+			if clusterOpts.Project != "" {
+				clst.Project = clusterOpts.Project
 			}
 			clstCreateReq := clusterpkg.ClusterCreateRequest{
 				Cluster: clst,
-				Upsert:  upsert,
+				Upsert:  clusterOpts.Upsert,
 			}
 			_, err = clusterIf.Create(context.Background(), &clstCreateReq)
 			errors.CheckError(err)
@@ -147,116 +159,26 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 		},
 	}
 	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
-	command.Flags().BoolVar(&inCluster, "in-cluster", false, "Indicates Argo CD resides inside this cluster and should connect using the internal k8s hostname (kubernetes.default.svc)")
-	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing cluster with the same name even if the spec differs")
-	command.Flags().StringVar(&serviceAccount, "service-account", "", fmt.Sprintf("System namespace service account to use for kubernetes resource management. If not set then default \"%s\" SA will be created", clusterauth.ArgoCDManagerServiceAccount))
-	command.Flags().StringVar(&awsClusterName, "aws-cluster-name", "", "AWS Cluster name if set then aws cli eks token command will be used to access cluster")
-	command.Flags().StringVar(&awsRoleArn, "aws-role-arn", "", "Optional AWS role arn. If set then AWS IAM Authenticator assume a role to perform cluster operations instead of the default AWS credential provider chain.")
-	command.Flags().StringVar(&systemNamespace, "system-namespace", common.DefaultSystemNamespace, "Use different system namespace")
-	command.Flags().StringArrayVar(&namespaces, "namespace", nil, "List of namespaces which are allowed to manage")
-	command.Flags().StringVar(&name, "name", "", "Overwrite the cluster name")
-	command.Flags().Int64Var(&shard, "shard", -1, "Cluster shard number; inferred from hostname if not set")
-	command.Flags().StringVar(&execProviderCommand, "exec-command", "", "Command to run to provide client credentials to the cluster. You may need to build a custom ArgoCD image to ensure the command is available at runtime.")
-	command.Flags().StringArrayVar(&execProviderArgs, "exec-command-args", nil, "Arguments to supply to the --exec-command command")
-	command.Flags().StringToStringVar(&execProviderEnv, "exec-command-env", nil, "Environment vars to set when running the --exec-command command")
-	command.Flags().StringVar(&execProviderAPIVersion, "exec-command-api-version", "", "Preferred input version of the ExecInfo for the --exec-command")
-	command.Flags().StringVar(&execProviderInstallHint, "exec-command-install-hint", "", "Text shown to the user when the --exec-command executable doesn't seem to be present")
+	command.Flags().BoolVar(&clusterOpts.Upsert, "upsert", false, "Override an existing cluster with the same name even if the spec differs")
+	command.Flags().StringVar(&clusterOpts.ServiceAccount, "service-account", "", fmt.Sprintf("System namespace service account to use for kubernetes resource management. If not set then default \"%s\" SA will be created", clusterauth.ArgoCDManagerServiceAccount))
+	command.Flags().StringVar(&clusterOpts.SystemNamespace, "system-namespace", common.DefaultSystemNamespace, "Use different system namespace")
+	command.Flags().BoolVarP(&skipConfirmation, "yes", "y", false, "Skip explicit confirmation")
+	command.Flags().StringArrayVar(&labels, "label", nil, "Set metadata labels (e.g. --label key=value)")
+	command.Flags().StringArrayVar(&annotations, "annotation", nil, "Set metadata annotations (e.g. --annotation key=value)")
+	cmdutil.AddClusterFlags(command, &clusterOpts)
 	return command
 }
 
-func printKubeContexts(ca clientcmd.ConfigAccess) {
-	config, err := ca.GetStartingConfig()
-	errors.CheckError(err)
-	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	defer func() { _ = w.Flush() }()
-	columnNames := []string{"CURRENT", "NAME", "CLUSTER", "SERVER"}
-	_, err = fmt.Fprintf(w, "%s\n", strings.Join(columnNames, "\t"))
-	errors.CheckError(err)
-
-	// sort names so output is deterministic
-	contextNames := make([]string, 0)
-	for name := range config.Contexts {
-		contextNames = append(contextNames, name)
-	}
-	sort.Strings(contextNames)
-
-	if config.Clusters == nil {
-		return
-	}
-
-	for _, name := range contextNames {
-		// ignore malformed kube config entries
-		context := config.Contexts[name]
-		if context == nil {
-			continue
-		}
-		cluster := config.Clusters[context.Cluster]
-		if cluster == nil {
-			continue
-		}
-		prefix := " "
-		if config.CurrentContext == name {
-			prefix = "*"
-		}
-		_, err := fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", prefix, name, context.Cluster, cluster.Server)
-		errors.CheckError(err)
-	}
-}
-
-func newCluster(name string, namespaces []string, conf *rest.Config, managerBearerToken string, awsAuthConf *argoappv1.AWSAuthConfig, execProviderConf *argoappv1.ExecProviderConfig) *argoappv1.Cluster {
-	tlsClientConfig := argoappv1.TLSClientConfig{
-		Insecure:   conf.TLSClientConfig.Insecure,
-		ServerName: conf.TLSClientConfig.ServerName,
-		CAData:     conf.TLSClientConfig.CAData,
-		CertData:   conf.TLSClientConfig.CertData,
-		KeyData:    conf.TLSClientConfig.KeyData,
-	}
-	if len(conf.TLSClientConfig.CAData) == 0 && conf.TLSClientConfig.CAFile != "" {
-		data, err := ioutil.ReadFile(conf.TLSClientConfig.CAFile)
-		errors.CheckError(err)
-		tlsClientConfig.CAData = data
-	}
-	if len(conf.TLSClientConfig.CertData) == 0 && conf.TLSClientConfig.CertFile != "" {
-		data, err := ioutil.ReadFile(conf.TLSClientConfig.CertFile)
-		errors.CheckError(err)
-		tlsClientConfig.CertData = data
-	}
-	if len(conf.TLSClientConfig.KeyData) == 0 && conf.TLSClientConfig.KeyFile != "" {
-		data, err := ioutil.ReadFile(conf.TLSClientConfig.KeyFile)
-		errors.CheckError(err)
-		tlsClientConfig.KeyData = data
-	}
-
-	clst := argoappv1.Cluster{
-		Server:     conf.Host,
-		Name:       name,
-		Namespaces: namespaces,
-		Config: argoappv1.ClusterConfig{
-			TLSClientConfig:    tlsClientConfig,
-			AWSAuthConfig:      awsAuthConf,
-			ExecProviderConfig: execProviderConf,
-		},
-	}
-
-	// Bearer token will preferentially be used for auth if present,
-	// Even in presence of key/cert credentials
-	// So set bearer token only if the key/cert data is absent
-	if len(tlsClientConfig.CertData) == 0 || len(tlsClientConfig.KeyData) == 0 {
-		clst.Config.BearerToken = managerBearerToken
-	}
-
-	return &clst
-}
-
 // NewClusterGetCommand returns a new instance of an `argocd cluster get` command
 func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
 		output string
 	)
 	var command = &cobra.Command{
-		Use:     "get SERVER",
-		Short:   "Get cluster information",
-		Example: `argocd cluster get https://12.34.567.89`,
+		Use:   "get SERVER/NAME",
+		Short: "Get cluster information",
+		Example: `argocd cluster get https://12.34.567.89
+argocd cluster get in-cluster`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
 				c.HelpFunc()(c, args)
@@ -265,8 +187,8 @@ func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
 			defer io.Close(conn)
 			clusters := make([]argoappv1.Cluster, 0)
-			for _, clusterName := range args {
-				clst, err := clusterIf.Get(context.Background(), &clusterpkg.ClusterQuery{Server: clusterName})
+			for _, clusterSelector := range args {
+				clst, err := clusterIf.Get(context.Background(), getQueryBySelector(clusterSelector))
 				errors.CheckError(err)
 				clusters = append(clusters, *clst)
 			}
@@ -343,6 +265,7 @@ func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 				// errors.CheckError(err)
 				_, err := clusterIf.Delete(context.Background(), &clusterpkg.ClusterQuery{Server: clusterName})
 				errors.CheckError(err)
+				fmt.Printf("Cluster '%s' removed\n", clusterName)
 			}
 		},
 	}
@@ -352,17 +275,29 @@ func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 // Print table of cluster information
 func printClusterTable(clusters []argoappv1.Cluster) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	_, _ = fmt.Fprintf(w, "SERVER\tNAME\tVERSION\tSTATUS\tMESSAGE\n")
+	_, _ = fmt.Fprintf(w, "SERVER\tNAME\tVERSION\tSTATUS\tMESSAGE\tPROJECT\n")
 	for _, c := range clusters {
 		server := c.Server
 		if len(c.Namespaces) > 0 {
 			server = fmt.Sprintf("%s (%d namespaces)", c.Server, len(c.Namespaces))
 		}
-		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", server, c.Name, c.ServerVersion, c.ConnectionState.Status, c.ConnectionState.Message)
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\n", server, c.Name, c.ServerVersion, c.ConnectionState.Status, c.ConnectionState.Message, c.Project)
 	}
 	_ = w.Flush()
 }
 
+// Returns cluster query for getting cluster depending on the cluster selector
+func getQueryBySelector(clusterSelector string) *clusterpkg.ClusterQuery {
+	var query clusterpkg.ClusterQuery
+	isServer, err := regexp.MatchString(`^https?://`, clusterSelector)
+	if isServer || err != nil {
+		query.Server = clusterSelector
+	} else {
+		query.Name = clusterSelector
+	}
+	return &query
+}
+
 // Print list of cluster servers
 func printClusterServers(clusters []argoappv1.Cluster) {
 	for _, c := range clusters {

cmd/argocd/commands/cluster_test.go

@@ -1,16 +1,29 @@
 package commands
 
 import (
-	"strings"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/rest"
 
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+
+	"github.com/stretchr/testify/assert"
 )
 
+func Test_getQueryBySelector(t *testing.T) {
+	query := getQueryBySelector("my-cluster")
+	assert.Equal(t, query.Name, "my-cluster")
+	assert.Equal(t, query.Server, "")
+
+	query = getQueryBySelector("http://my-server")
+	assert.Equal(t, query.Name, "")
+	assert.Equal(t, query.Server, "http://my-server")
+
+	query = getQueryBySelector("https://my-server")
+	assert.Equal(t, query.Name, "")
+	assert.Equal(t, query.Server, "https://my-server")
+}
+
 func Test_printClusterTable(t *testing.T) {
 	printClusterTable([]v1alpha1.Cluster{
 		{
@@ -32,55 +45,3 @@ func Test_printClusterTable(t *testing.T) {
 		},
 	})
 }
-
-func Test_newCluster(t *testing.T) {
-	clusterWithData := newCluster("test-cluster", []string{"test-namespace"}, &rest.Config{
-		TLSClientConfig: rest.TLSClientConfig{
-			Insecure:   false,
-			ServerName: "test-endpoint.example.com",
-			CAData:     []byte("test-ca-data"),
-			CertData:   []byte("test-cert-data"),
-			KeyData:    []byte("test-key-data"),
-		},
-		Host: "test-endpoint.example.com",
-	},
-		"test-bearer-token",
-		&v1alpha1.AWSAuthConfig{},
-		&v1alpha1.ExecProviderConfig{})
-
-	assert.Equal(t, "test-cert-data", string(clusterWithData.Config.CertData))
-	assert.Equal(t, "test-key-data", string(clusterWithData.Config.KeyData))
-	assert.Equal(t, "", clusterWithData.Config.BearerToken)
-
-	clusterWithFiles := newCluster("test-cluster", []string{"test-namespace"}, &rest.Config{
-		TLSClientConfig: rest.TLSClientConfig{
-			Insecure:   false,
-			ServerName: "test-endpoint.example.com",
-			CAData:     []byte("test-ca-data"),
-			CertFile:   "./testdata/test.cert.pem",
-			KeyFile:    "./testdata/test.key.pem",
-		},
-		Host: "test-endpoint.example.com",
-	},
-		"test-bearer-token",
-		&v1alpha1.AWSAuthConfig{},
-		&v1alpha1.ExecProviderConfig{})
-
-	assert.True(t, strings.Contains(string(clusterWithFiles.Config.CertData), "test-cert-data"))
-	assert.True(t, strings.Contains(string(clusterWithFiles.Config.KeyData), "test-key-data"))
-	assert.Equal(t, "", clusterWithFiles.Config.BearerToken)
-
-	clusterWithBearerToken := newCluster("test-cluster", []string{"test-namespace"}, &rest.Config{
-		TLSClientConfig: rest.TLSClientConfig{
-			Insecure:   false,
-			ServerName: "test-endpoint.example.com",
-			CAData:     []byte("test-ca-data"),
-		},
-		Host: "test-endpoint.example.com",
-	},
-		"test-bearer-token",
-		&v1alpha1.AWSAuthConfig{},
-		&v1alpha1.ExecProviderConfig{})
-
-	assert.Equal(t, "test-bearer-token", clusterWithBearerToken.Config.BearerToken)
-}

cmd/argocd/commands/context.go

@@ -11,9 +11,9 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/localconfig"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
 )
 
 // NewContextCommand returns a new instance of an `argocd ctx` command

cmd/argocd/commands/context_test.go

@@ -7,7 +7,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	"github.com/argoproj/argo-cd/util/localconfig"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
 )
 
 const testConfig = `contexts:

cmd/argocd/commands/gpg.go

@@ -10,11 +10,11 @@ import (
 
 	"github.com/spf13/cobra"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	gpgkeypkg "github.com/argoproj/argo-cd/pkg/apiclient/gpgkey"
-	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/errors"
-	argoio "github.com/argoproj/argo-cd/util/io"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	gpgkeypkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/gpgkey"
+	appsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	argoio "github.com/argoproj/argo-cd/v2/util/io"
 )
 
 // NewGPGCommand returns a new instance of an `argocd repo` command

cmd/argocd/commands/headless/forward.go

@@ -0,0 +1,103 @@
+package headless
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/go-redis/redis/v8"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	repoapiclient "github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/cache"
+	"github.com/argoproj/argo-cd/v2/util/io"
+	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
+)
+
+type forwardCacheClient struct {
+	namespace string
+	context   string
+	init      sync.Once
+	client    cache.CacheClient
+	err       error
+}
+
+func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error) error {
+	c.init.Do(func() {
+		overrides := clientcmd.ConfigOverrides{
+			CurrentContext: c.context,
+		}
+		redisPort, err := kubeutil.PortForward(6379, c.namespace, &overrides,
+			"app.kubernetes.io/name=argocd-redis-ha-haproxy", "app.kubernetes.io/name=argocd-redis")
+		if err != nil {
+			c.err = err
+			return
+		}
+
+		redisClient := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", redisPort)})
+		c.client = cache.NewRedisCache(redisClient, time.Hour)
+	})
+	if c.err != nil {
+		return c.err
+	}
+	return action(c.client)
+}
+
+func (c *forwardCacheClient) Set(item *cache.Item) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.Set(item)
+	})
+}
+
+func (c *forwardCacheClient) Get(key string, obj interface{}) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.Get(key, obj)
+	})
+}
+
+func (c *forwardCacheClient) Delete(key string) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.Delete(key)
+	})
+}
+
+func (c *forwardCacheClient) OnUpdated(ctx context.Context, key string, callback func() error) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.OnUpdated(ctx, key, callback)
+	})
+}
+
+func (c *forwardCacheClient) NotifyUpdated(key string) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.NotifyUpdated(key)
+	})
+}
+
+type forwardRepoClientset struct {
+	namespace     string
+	context       string
+	init          sync.Once
+	repoClientset repoapiclient.Clientset
+	err           error
+}
+
+func (c *forwardRepoClientset) NewRepoServerClient() (io.Closer, repoapiclient.RepoServerServiceClient, error) {
+	c.init.Do(func() {
+		overrides := clientcmd.ConfigOverrides{
+			CurrentContext: c.context,
+		}
+		repoServerPort, err := kubeutil.PortForward(8081, c.namespace, &overrides, "app.kubernetes.io/name=argocd-repo-server")
+		if err != nil {
+			c.err = err
+			return
+		}
+		c.repoClientset = apiclient.NewRepoServerClientset(fmt.Sprintf("localhost:%d", repoServerPort), 60, apiclient.TLSConfiguration{
+			DisableTLS: false, StrictValidation: false})
+	})
+	if c.err != nil {
+		return nil, nil, c.err
+	}
+	return c.repoClientset.NewRepoServerClient()
+}

cmd/argocd/commands/headless/headless.go

@@ -0,0 +1,162 @@
+package headless
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"time"
+
+	"github.com/alicebob/miniredis/v2"
+	"github.com/go-redis/redis/v8"
+	"github.com/golang/protobuf/ptypes/empty"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
+
+	argoapi "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
+	"github.com/argoproj/argo-cd/v2/server"
+	servercache "github.com/argoproj/argo-cd/v2/server/cache"
+	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
+	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/io"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
+
+	flag "github.com/spf13/pflag"
+)
+
+func testAPI(clientOpts *argoapi.ClientOptions) error {
+	apiClient, err := argoapi.NewClient(clientOpts)
+	if err != nil {
+		return err
+	}
+	closer, versionClient, err := apiClient.NewVersionClient()
+	if err != nil {
+		return err
+	}
+	defer io.Close(closer)
+	_, err = versionClient.Version(context.Background(), &empty.Empty{})
+	return err
+}
+
+func retrieveContextIfChanged(contextFlag *flag.Flag) string {
+	if contextFlag != nil && contextFlag.Changed {
+		return contextFlag.Value.String()
+	}
+	return ""
+}
+
+// InitCommand allows executing command in a headless mode: on the fly starts Argo CD API server and
+// changes provided client options to use started API server port
+func InitCommand(cmd *cobra.Command, clientOpts *argoapi.ClientOptions, port *int) *cobra.Command {
+	ctx, cancel := context.WithCancel(context.Background())
+	flags := pflag.NewFlagSet("tmp", pflag.ContinueOnError)
+	clientConfig := cli.AddKubectlFlagsToSet(flags)
+	// copy k8s persistent flags into argocd command flags
+	flags.VisitAll(func(flag *pflag.Flag) {
+		// skip Kubernetes server flags since argocd has it's own server flag
+		if flag.Name == "server" {
+			return
+		}
+		cmd.Flags().AddFlag(flag)
+	})
+	cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+		startInProcessAPI := clientOpts.Core
+		if !startInProcessAPI {
+			localCfg, err := localconfig.ReadLocalConfig(clientOpts.ConfigPath)
+			if err != nil {
+				return err
+			}
+			if localCfg != nil {
+				configCtx, err := localCfg.ResolveContext(clientOpts.Context)
+				if err != nil {
+					return err
+				}
+				startInProcessAPI = configCtx.Server.Core
+			}
+		}
+		if !startInProcessAPI {
+			return nil
+		}
+
+		// get rid of logging error handler
+		runtime.ErrorHandlers = runtime.ErrorHandlers[1:]
+		cli.SetLogLevel(log.ErrorLevel.String())
+		log.SetLevel(log.ErrorLevel)
+		os.Setenv(v1alpha1.EnvVarFakeInClusterConfig, "true")
+		if port == nil || *port == 0 {
+			ln, err := net.Listen("tcp", "localhost:0")
+			if err != nil {
+				return err
+			}
+			port = &ln.Addr().(*net.TCPAddr).Port
+			io.Close(ln)
+		}
+
+		restConfig, err := clientConfig.ClientConfig()
+		if err != nil {
+			return err
+		}
+		appClientset, err := appclientset.NewForConfig(restConfig)
+		if err != nil {
+			return err
+		}
+		kubeClientset, err := kubernetes.NewForConfig(restConfig)
+		if err != nil {
+			return err
+		}
+
+		namespace, _, err := clientConfig.Namespace()
+		if err != nil {
+			return err
+		}
+
+		context := retrieveContextIfChanged(cmd.Flag("context"))
+
+		mr, err := miniredis.Run()
+		if err != nil {
+			return err
+		}
+
+		appstateCache := appstatecache.NewCache(cacheutil.NewCache(&forwardCacheClient{namespace: namespace, context: context}), time.Hour)
+		srv := server.NewServer(ctx, server.ArgoCDServerOpts{
+			EnableGZip:    false,
+			Namespace:     namespace,
+			ListenPort:    *port,
+			AppClientset:  appClientset,
+			DisableAuth:   true,
+			RedisClient:   redis.NewClient(&redis.Options{Addr: mr.Addr()}),
+			Cache:         servercache.NewCache(appstateCache, 0, 0, 0),
+			KubeClientset: kubeClientset,
+			Insecure:      true,
+			ListenHost:    "localhost",
+			RepoClientset: &forwardRepoClientset{namespace: namespace, context: context},
+		})
+
+		go srv.Run(ctx, *port, 0)
+		clientOpts.ServerAddr = fmt.Sprintf("localhost:%d", *port)
+		clientOpts.PlainText = true
+		if !cache.WaitForCacheSync(ctx.Done(), srv.Initialized) {
+			log.Fatal("Timed out waiting for project cache to sync")
+		}
+		tries := 5
+		for i := 0; i < tries; i++ {
+			err = testAPI(clientOpts)
+			if err == nil {
+				break
+			}
+			time.Sleep(time.Second)
+		}
+		return err
+	}
+	cmd.PostRun = func(cmd *cobra.Command, args []string) {
+		cancel()
+	}
+	return cmd
+}

cmd/argocd/commands/headless/headless_test.go

@@ -0,0 +1,80 @@
+package headless
+
+import (
+	"testing"
+
+	flag "github.com/spf13/pflag"
+	"github.com/stretchr/testify/assert"
+)
+
+type StringFlag struct {
+	// The exact value provided on the flag
+	value string
+}
+
+func (f StringFlag) String() string {
+	return f.value
+}
+
+func (f *StringFlag) Set(value string) error {
+	f.value = value
+	return nil
+}
+
+func (f *StringFlag) Type() string {
+	return "string"
+}
+
+func Test_FlagContextNotChanged(t *testing.T) {
+	res := retrieveContextIfChanged(&flag.Flag{
+		Name:                "",
+		Shorthand:           "",
+		Usage:               "",
+		Value:               &StringFlag{value: "test"},
+		DefValue:            "",
+		Changed:             false,
+		NoOptDefVal:         "",
+		Deprecated:          "",
+		Hidden:              false,
+		ShorthandDeprecated: "",
+		Annotations:         nil,
+	})
+
+	assert.Equal(t, "", res)
+}
+
+func Test_FlagContextChanged(t *testing.T) {
+	res := retrieveContextIfChanged(&flag.Flag{
+		Name:                "",
+		Shorthand:           "",
+		Usage:               "",
+		Value:               &StringFlag{value: "test"},
+		DefValue:            "",
+		Changed:             true,
+		NoOptDefVal:         "",
+		Deprecated:          "",
+		Hidden:              false,
+		ShorthandDeprecated: "",
+		Annotations:         nil,
+	})
+
+	assert.Equal(t, "test", res)
+}
+
+func Test_FlagContextNil(t *testing.T) {
+	res := retrieveContextIfChanged(&flag.Flag{
+		Name:                "",
+		Shorthand:           "",
+		Usage:               "",
+		Value:               nil,
+		DefValue:            "",
+		Changed:             false,
+		NoOptDefVal:         "",
+		Deprecated:          "",
+		Hidden:              false,
+		ShorthandDeprecated: "",
+		Annotations:         nil,
+	})
+
+	assert.Equal(t, "", res)
+}

cmd/argocd/commands/login.go

@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"html"
 	"net/http"
 	"os"
 	"strconv"
@@ -12,22 +13,23 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc"
-	"github.com/dgrijalva/jwt-go"
+	"github.com/dgrijalva/jwt-go/v4"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	sessionpkg "github.com/argoproj/argo-cd/pkg/apiclient/session"
-	settingspkg "github.com/argoproj/argo-cd/pkg/apiclient/settings"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/errors"
-	grpc_util "github.com/argoproj/argo-cd/util/grpc"
-	"github.com/argoproj/argo-cd/util/io"
-	"github.com/argoproj/argo-cd/util/localconfig"
-	oidcutil "github.com/argoproj/argo-cd/util/oidc"
-	"github.com/argoproj/argo-cd/util/rand"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	sessionpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/session"
+	settingspkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/settings"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	grpc_util "github.com/argoproj/argo-cd/v2/util/grpc"
+	"github.com/argoproj/argo-cd/v2/util/io"
+	jwtutil "github.com/argoproj/argo-cd/v2/util/jwt"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
+	oidcutil "github.com/argoproj/argo-cd/v2/util/oidc"
+	"github.com/argoproj/argo-cd/v2/util/rand"
 )
 
 // NewLoginCommand returns a new instance of `argocd login` command
@@ -43,16 +45,26 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 		Use:   "login SERVER",
 		Short: "Log in to Argo CD",
 		Long:  "Log in to Argo CD",
+		Example: `# Login to Argo CD using a username and password
+argocd login cd.argoproj.io
+
+# Login to Argo CD using SSO
+argocd login cd.argoproj.io --sso
+
+# Configure direct access using Kubernetes API server
+argocd login cd.argoproj.io --core`,
 		Run: func(c *cobra.Command, args []string) {
 			var server string
 
-			if len(args) != 1 && !globalClientOpts.PortForward {
+			if len(args) != 1 && !globalClientOpts.PortForward && !globalClientOpts.Core {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
 
 			if globalClientOpts.PortForward {
 				server = "port-forward"
+			} else if globalClientOpts.Core {
+				server = "kubernetes"
 			} else {
 				server = args[0]
 				tlsTestResult, err := grpc_util.TestTLS(server)
@@ -78,14 +90,14 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 				ServerAddr:           server,
 				Insecure:             globalClientOpts.Insecure,
 				PlainText:            globalClientOpts.PlainText,
+				ClientCertFile:       globalClientOpts.ClientCertFile,
+				ClientCertKeyFile:    globalClientOpts.ClientCertKeyFile,
 				GRPCWeb:              globalClientOpts.GRPCWeb,
 				GRPCWebRootPath:      globalClientOpts.GRPCWebRootPath,
 				PortForward:          globalClientOpts.PortForward,
 				PortForwardNamespace: globalClientOpts.PortForwardNamespace,
+				Headers:              globalClientOpts.Headers,
 			}
-			acdClient := argocdclient.NewClientOrDie(&clientOpts)
-			setConn, setIf := acdClient.NewSettingsClientOrDie()
-			defer io.Close(setConn)
 
 			if ctxName == "" {
 				ctxName = server
@@ -98,28 +110,32 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 			// Perform the login
 			var tokenString string
 			var refreshToken string
-			if !sso {
-				tokenString = passwordLogin(acdClient, username, password)
-			} else {
-				ctx := context.Background()
-				httpClient, err := acdClient.HTTPClient()
+			if !globalClientOpts.Core {
+				acdClient := argocdclient.NewClientOrDie(&clientOpts)
+				setConn, setIf := acdClient.NewSettingsClientOrDie()
+				defer io.Close(setConn)
+				if !sso {
+					tokenString = passwordLogin(acdClient, username, password)
+				} else {
+					ctx := context.Background()
+					httpClient, err := acdClient.HTTPClient()
+					errors.CheckError(err)
+					ctx = oidc.ClientContext(ctx, httpClient)
+					acdSet, err := setIf.Get(ctx, &settingspkg.SettingsQuery{})
+					errors.CheckError(err)
+					oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
+					errors.CheckError(err)
+					tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
+				}
+				parser := &jwt.Parser{
+					ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
+				}
+				claims := jwt.MapClaims{}
+				_, _, err := parser.ParseUnverified(tokenString, &claims)
 				errors.CheckError(err)
-				ctx = oidc.ClientContext(ctx, httpClient)
-				acdSet, err := setIf.Get(ctx, &settingspkg.SettingsQuery{})
-				errors.CheckError(err)
-				oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
-				errors.CheckError(err)
-				tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
+				fmt.Printf("'%s' logged in successfully\n", userDisplayName(claims))
 			}
 
-			parser := &jwt.Parser{
-				SkipClaimsValidation: true,
-			}
-			claims := jwt.MapClaims{}
-			_, _, err := parser.ParseUnverified(tokenString, &claims)
-			errors.CheckError(err)
-
-			fmt.Printf("'%s' logged in successfully\n", userDisplayName(claims))
 			// login successful. Persist the config
 			localCfg, err := localconfig.ReadLocalConfig(globalClientOpts.ConfigPath)
 			errors.CheckError(err)
@@ -132,6 +148,7 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 				Insecure:        globalClientOpts.Insecure,
 				GRPCWeb:         globalClientOpts.GRPCWeb,
 				GRPCWebRootPath: globalClientOpts.GRPCWebRootPath,
+				Core:            globalClientOpts.Core,
 			})
 			localCfg.UpsertUser(localconfig.User{
 				Name:         ctxName,
@@ -161,13 +178,13 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 }
 
 func userDisplayName(claims jwt.MapClaims) string {
-	if email, ok := claims["email"]; ok && email != nil {
-		return email.(string)
+	if email := jwtutil.StringField(claims, "email"); email != "" {
+		return email
 	}
-	if name, ok := claims["name"]; ok && name != nil {
-		return name.(string)
+	if name := jwtutil.StringField(claims, "name"); name != "" {
+		return name
 	}
-	return claims["sub"].(string)
+	return jwtutil.StringField(claims, "sub")
 }
 
 // oauth2Login opens a browser, runs a temporary HTTP server to delegate OAuth2 login flow and
@@ -190,7 +207,7 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 	var refreshToken string
 
 	handleErr := func(w http.ResponseWriter, errMsg string) {
-		http.Error(w, errMsg, http.StatusBadRequest)
+		http.Error(w, html.EscapeString(errMsg), http.StatusBadRequest)
 		completionChan <- errMsg
 	}
 
@@ -205,7 +222,7 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 		log.Debugf("Callback: %s", r.URL)
 
 		if formErr := r.FormValue("error"); formErr != "" {
-			handleErr(w, formErr+": "+r.FormValue("error_description"))
+			handleErr(w, fmt.Sprintf("%s: %s", formErr, r.FormValue("error_description")))
 			return
 		}
 

cmd/argocd/commands/login_test.go

@@ -0,0 +1,31 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/dgrijalva/jwt-go/v4"
+	"github.com/stretchr/testify/assert"
+)
+
+//
+
+func Test_userDisplayName_email(t *testing.T) {
+	claims := jwt.MapClaims{"iss": "qux", "sub": "foo", "email": "firstname.lastname@example.com", "groups": []string{"baz"}}
+	actualName := userDisplayName(claims)
+	expectedName := "firstname.lastname@example.com"
+	assert.Equal(t, expectedName, actualName)
+}
+
+func Test_userDisplayName_name(t *testing.T) {
+	claims := jwt.MapClaims{"iss": "qux", "sub": "foo", "name": "Firstname Lastname", "groups": []string{"baz"}}
+	actualName := userDisplayName(claims)
+	expectedName := "Firstname Lastname"
+	assert.Equal(t, expectedName, actualName)
+}
+
+func Test_userDisplayName_sub(t *testing.T) {
+	claims := jwt.MapClaims{"iss": "qux", "sub": "foo", "groups": []string{"baz"}}
+	actualName := userDisplayName(claims)
+	expectedName := "foo"
+	assert.Equal(t, expectedName, actualName)
+}

cmd/argocd/commands/logout.go

@@ -7,9 +7,9 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/localconfig"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
 )
 
 // NewLogoutCommand returns a new instance of `argocd logout` command

cmd/argocd/commands/logout_test.go

@@ -5,11 +5,11 @@ import (
 	"os"
 	"testing"
 
-	"github.com/argoproj/argo-cd/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/pkg/apiclient"
 
 	"github.com/stretchr/testify/assert"
 
-	"github.com/argoproj/argo-cd/util/localconfig"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
 )
 
 func TestLogout(t *testing.T) {

cmd/argocd/commands/project.go

@@ -1,12 +1,10 @@
 package commands
 
 import (
-	"bufio"
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
-	"net/url"
 	"os"
 	"strings"
 	"text/tabwriter"
@@ -16,65 +14,26 @@ import (
 	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/utils/pointer"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/config"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/git"
-	"github.com/argoproj/argo-cd/util/gpg"
-	argoio "github.com/argoproj/argo-cd/util/io"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	projectpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/project"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/git"
+	"github.com/argoproj/argo-cd/v2/util/gpg"
+	argoio "github.com/argoproj/argo-cd/v2/util/io"
 )
 
-type projectOpts struct {
-	description              string
-	destinations             []string
-	sources                  []string
-	signatureKeys            []string
-	orphanedResourcesEnabled bool
-	orphanedResourcesWarn    bool
-}
-
 type policyOpts struct {
 	action     string
 	permission string
 	object     string
 }
 
-func (opts *projectOpts) GetDestinations() []v1alpha1.ApplicationDestination {
-	destinations := make([]v1alpha1.ApplicationDestination, 0)
-	for _, destStr := range opts.destinations {
-		parts := strings.Split(destStr, ",")
-		if len(parts) != 2 {
-			log.Fatalf("Expected destination of the form: server,namespace. Received: %s", destStr)
-		} else {
-			destinations = append(destinations, v1alpha1.ApplicationDestination{
-				Server:    parts[0],
-				Namespace: parts[1],
-			})
-		}
-	}
-	return destinations
-}
-
-// TODO: Get configured keys and emit warning when a key is specified that is not configured
-func (opts *projectOpts) GetSignatureKeys() []v1alpha1.SignatureKey {
-	signatureKeys := make([]v1alpha1.SignatureKey, 0)
-	for _, keyStr := range opts.signatureKeys {
-		if !gpg.IsShortKeyID(keyStr) && !gpg.IsLongKeyID(keyStr) {
-			log.Fatalf("'%s' is not a valid GnuPG key ID", keyStr)
-		}
-		signatureKeys = append(signatureKeys, v1alpha1.SignatureKey{KeyID: gpg.KeyID(keyStr)})
-	}
-	return signatureKeys
-}
-
 // NewProjectCommand returns a new instance of an `argocd proj` command
 func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
@@ -108,28 +67,6 @@ func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	return command
 }
 
-func addProjFlags(command *cobra.Command, opts *projectOpts) {
-	command.Flags().StringVarP(&opts.description, "description", "", "", "Project description")
-	command.Flags().StringArrayVarP(&opts.destinations, "dest", "d", []string{},
-		"Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)")
-	command.Flags().StringArrayVarP(&opts.sources, "src", "s", []string{}, "Permitted source repository URL")
-	command.Flags().StringSliceVar(&opts.signatureKeys, "signature-keys", []string{}, "GnuPG public key IDs for commit signature verification")
-	command.Flags().BoolVar(&opts.orphanedResourcesEnabled, "orphaned-resources", false, "Enables orphaned resources monitoring")
-	command.Flags().BoolVar(&opts.orphanedResourcesWarn, "orphaned-resources-warn", false, "Specifies if applications should be a warning condition when orphaned resources detected")
-}
-
-func getOrphanedResourcesSettings(c *cobra.Command, opts projectOpts) *v1alpha1.OrphanedResourcesMonitorSettings {
-	warnChanged := c.Flag("orphaned-resources-warn").Changed
-	if opts.orphanedResourcesEnabled || warnChanged {
-		settings := v1alpha1.OrphanedResourcesMonitorSettings{}
-		if warnChanged {
-			settings.Warn = pointer.BoolPtr(opts.orphanedResourcesWarn)
-		}
-		return &settings
-	}
-	return nil
-}
-
 func addPolicyFlags(command *cobra.Command, opts *policyOpts) {
 	command.Flags().StringVarP(&opts.action, "action", "a", "", "Action to grant/deny permission on (e.g. get, create, list, update, delete)")
 	command.Flags().StringVarP(&opts.permission, "permission", "p", "allow", "Whether to allow or deny access to object with the action.  This can only be 'allow' or 'deny'")
@@ -144,7 +81,7 @@ func humanizeTimestamp(epoch int64) string {
 // NewProjectCreateCommand returns a new instance of an `argocd proj create` command
 func NewProjectCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		opts    projectOpts
+		opts    cmdutil.ProjectOpts
 		fileURL string
 		upsert  bool
 	)
@@ -152,48 +89,12 @@ func NewProjectCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 		Use:   "create PROJECT",
 		Short: "Create a project",
 		Run: func(c *cobra.Command, args []string) {
-			var proj v1alpha1.AppProject
-			fmt.Printf("EE: %d/%v\n", len(opts.signatureKeys), opts.signatureKeys)
-			if fileURL == "-" {
-				// read stdin
-				reader := bufio.NewReader(os.Stdin)
-				err := config.UnmarshalReader(reader, &proj)
-				if err != nil {
-					log.Fatalf("unable to read manifest from stdin: %v", err)
-				}
-			} else if fileURL != "" {
-				// read uri
-				parsedURL, err := url.ParseRequestURI(fileURL)
-				if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
-					err = config.UnmarshalLocalFile(fileURL, &proj)
-				} else {
-					err = config.UnmarshalRemoteFile(fileURL, &proj)
-				}
-				errors.CheckError(err)
-				if len(args) == 1 && args[0] != proj.Name {
-					log.Fatalf("project name '%s' does not match project spec metadata.name '%s'", args[0], proj.Name)
-				}
-			} else {
-				// read arguments
-				if len(args) == 0 {
-					c.HelpFunc()(c, args)
-					os.Exit(1)
-				}
-				projName := args[0]
-				proj = v1alpha1.AppProject{
-					ObjectMeta: v1.ObjectMeta{Name: projName},
-					Spec: v1alpha1.AppProjectSpec{
-						Description:       opts.description,
-						Destinations:      opts.GetDestinations(),
-						SourceRepos:       opts.sources,
-						SignatureKeys:     opts.GetSignatureKeys(),
-						OrphanedResources: getOrphanedResourcesSettings(c, opts),
-					},
-				}
-			}
+			proj, err := cmdutil.ConstructAppProj(fileURL, args, opts, c)
+			errors.CheckError(err)
+
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer argoio.Close(conn)
-			_, err := projIf.Create(context.Background(), &projectpkg.ProjectCreateRequest{Project: &proj, Upsert: upsert})
+			_, err = projIf.Create(context.Background(), &projectpkg.ProjectCreateRequest{Project: proj, Upsert: upsert})
 			errors.CheckError(err)
 		},
 	}
@@ -203,14 +104,14 @@ func NewProjectCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 	if err != nil {
 		log.Fatal(err)
 	}
-	addProjFlags(command, &opts)
+	cmdutil.AddProjFlags(command, &opts)
 	return command
 }
 
 // NewProjectSetCommand returns a new instance of an `argocd proj set` command
 func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		opts projectOpts
+		opts cmdutil.ProjectOpts
 	)
 	var command = &cobra.Command{
 		Use:   "set PROJECT",
@@ -227,23 +128,7 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
-			visited := 0
-			c.Flags().Visit(func(f *pflag.Flag) {
-				visited++
-				switch f.Name {
-				case "description":
-					proj.Spec.Description = opts.description
-				case "dest":
-					proj.Spec.Destinations = opts.GetDestinations()
-				case "src":
-					proj.Spec.SourceRepos = opts.sources
-				case "signature-keys":
-					proj.Spec.SignatureKeys = opts.GetSignatureKeys()
-				case "orphaned-resources", "orphaned-resources-warn":
-					proj.Spec.OrphanedResources = getOrphanedResourcesSettings(c, opts)
-				}
-			})
-			if visited == 0 {
+			if visited := cmdutil.SetProjSpecOptions(c.Flags(), &proj.Spec, &opts); visited == 0 {
 				log.Error("Please set at least one option to update")
 				c.HelpFunc()(c, args)
 				os.Exit(1)
@@ -253,7 +138,7 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			errors.CheckError(err)
 		},
 	}
-	addProjFlags(command, &opts)
+	cmdutil.AddProjFlags(command, &opts)
 	return command
 }
 
@@ -334,8 +219,17 @@ func NewProjectRemoveSignatureKeyCommand(clientOpts *argocdclient.ClientOptions)
 
 // NewProjectAddDestinationCommand returns a new instance of an `argocd proj add-destination` command
 func NewProjectAddDestinationCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var nameInsteadServer bool
+
+	buildApplicationDestination := func(destination string, namespace string, nameInsteadServer bool) v1alpha1.ApplicationDestination {
+		if nameInsteadServer {
+			return v1alpha1.ApplicationDestination{Name: destination, Namespace: namespace}
+		}
+		return v1alpha1.ApplicationDestination{Server: destination, Namespace: namespace}
+	}
+
 	var command = &cobra.Command{
-		Use:   "add-destination PROJECT SERVER NAMESPACE",
+		Use:   "add-destination PROJECT SERVER/NAME NAMESPACE",
 		Short: "Add project destination",
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 3 {
@@ -343,8 +237,8 @@ func NewProjectAddDestinationCommand(clientOpts *argocdclient.ClientOptions) *co
 				os.Exit(1)
 			}
 			projName := args[0]
-			server := args[1]
 			namespace := args[2]
+			destination := buildApplicationDestination(args[1], namespace, nameInsteadServer)
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer argoio.Close(conn)
 
@@ -352,15 +246,18 @@ func NewProjectAddDestinationCommand(clientOpts *argocdclient.ClientOptions) *co
 			errors.CheckError(err)
 
 			for _, dest := range proj.Spec.Destinations {
-				if dest.Namespace == namespace && dest.Server == server {
+				dstServerExist := destination.Server != "" && dest.Server == destination.Server
+				dstNameExist := destination.Name != "" && dest.Name == destination.Name
+				if dest.Namespace == namespace && (dstServerExist || dstNameExist) {
 					log.Fatal("Specified destination is already defined in project")
 				}
 			}
-			proj.Spec.Destinations = append(proj.Spec.Destinations, v1alpha1.ApplicationDestination{Server: server, Namespace: namespace})
+			proj.Spec.Destinations = append(proj.Spec.Destinations, destination)
 			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
 			errors.CheckError(err)
 		},
 	}
+	command.Flags().BoolVar(&nameInsteadServer, "name", false, "Use name as destination instead server")
 	return command
 }
 

cmd/argocd/commands/project_role.go

@@ -9,14 +9,15 @@ import (
 	"time"
 
 	timeutil "github.com/argoproj/pkg/time"
-	jwtgo "github.com/dgrijalva/jwt-go"
+	jwtgo "github.com/dgrijalva/jwt-go/v4"
 	"github.com/spf13/cobra"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/io"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	projectpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/project"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
+	"github.com/argoproj/argo-cd/v2/util/jwt"
 )
 
 const (
@@ -247,13 +248,10 @@ func NewProjectRoleCreateTokenCommand(clientOpts *argocdclient.ClientOptions) *c
 			}
 
 			claims := token.Claims.(jwtgo.MapClaims)
-			issuedAt := int64(claims["iat"].(float64))
-			expiresAt := int64(0)
-			if expires, ok := claims["exp"]; ok {
-				expiresAt = int64(expires.(float64))
-			}
-			id := claims["jti"].(string)
-			subject := claims["sub"].(string)
+			issuedAt, _ := jwt.IssuedAt(claims)
+			expiresAt := int64(jwt.Float64Field(claims, "exp"))
+			id := jwt.StringField(claims, "jti")
+			subject := jwt.StringField(claims, "sub")
 
 			if !outputTokenOnly {
 				fmt.Printf("Create token succeeded for %s.\n", subject)
@@ -267,7 +265,7 @@ func NewProjectRoleCreateTokenCommand(clientOpts *argocdclient.ClientOptions) *c
 		},
 	}
 	command.Flags().StringVarP(&expiresIn, "expires-in", "e", "",
-		"Duration before the token will expire, eg \"12h\", \"7d\". (Default: No expiration)",
+		"Duration before the token will expire, e.g. \"12h\", \"7d\". (Default: No expiration)",
 	)
 	command.Flags().StringVarP(&tokenID, "id", "i", "", "Token unique identifier. (Default: Random UUID)")
 	command.Flags().BoolVarP(&outputTokenOnly, "token-only", "t", false, "Output token only - for use in scripts.")

cmd/argocd/commands/projectwindows.go

@@ -10,11 +10,11 @@ import (
 
 	"github.com/spf13/cobra"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
-	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/io"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	projectpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/project"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
 )
 
 // NewProjectWindowsCommand returns a new instance of the `argocd proj windows` command
@@ -116,6 +116,7 @@ func NewProjectWindowsAddWindowCommand(clientOpts *argocdclient.ClientOptions) *
 		namespaces   []string
 		clusters     []string
 		manualSync   bool
+		timeZone     string
 	)
 	var command = &cobra.Command{
 		Use:   "add PROJECT",
@@ -132,7 +133,7 @@ func NewProjectWindowsAddWindowCommand(clientOpts *argocdclient.ClientOptions) *
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 
-			err = proj.Spec.AddWindow(kind, schedule, duration, applications, namespaces, clusters, manualSync)
+			err = proj.Spec.AddWindow(kind, schedule, duration, applications, namespaces, clusters, manualSync, timeZone)
 			errors.CheckError(err)
 
 			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
@@ -146,6 +147,7 @@ func NewProjectWindowsAddWindowCommand(clientOpts *argocdclient.ClientOptions) *
 	command.Flags().StringSliceVar(&namespaces, "namespaces", []string{}, "Namespaces that the schedule will be applied to. Comma separated, wildcards supported (e.g. --namespaces default,\\*-prod)")
 	command.Flags().StringSliceVar(&clusters, "clusters", []string{}, "Clusters that the schedule will be applied to. Comma separated, wildcards supported (e.g. --clusters prod,staging)")
 	command.Flags().BoolVar(&manualSync, "manual-sync", false, "Allow manual syncs for both deny and allow windows")
+	command.Flags().StringVar(&timeZone, "time-zone", "UTC", "Time zone of the sync window")
 
 	return command
 }
@@ -189,6 +191,7 @@ func NewProjectWindowsUpdateCommand(clientOpts *argocdclient.ClientOptions) *cob
 		applications []string
 		namespaces   []string
 		clusters     []string
+		timeZone     string
 	)
 	var command = &cobra.Command{
 		Use:   "update PROJECT ID",
@@ -212,7 +215,7 @@ func NewProjectWindowsUpdateCommand(clientOpts *argocdclient.ClientOptions) *cob
 
 			for i, window := range proj.Spec.SyncWindows {
 				if id == i {
-					err := window.Update(schedule, duration, applications, namespaces, clusters)
+					err := window.Update(schedule, duration, applications, namespaces, clusters, timeZone)
 					if err != nil {
 						errors.CheckError(err)
 					}
@@ -228,6 +231,7 @@ func NewProjectWindowsUpdateCommand(clientOpts *argocdclient.ClientOptions) *cob
 	command.Flags().StringSliceVar(&applications, "applications", []string{}, "Applications that the schedule will be applied to. Comma separated, wildcards supported (e.g. --applications prod-\\*,website)")
 	command.Flags().StringSliceVar(&namespaces, "namespaces", []string{}, "Namespaces that the schedule will be applied to. Comma separated, wildcards supported (e.g. --namespaces default,\\*-prod)")
 	command.Flags().StringSliceVar(&clusters, "clusters", []string{}, "Clusters that the schedule will be applied to. Comma separated, wildcards supported (e.g. --clusters prod,staging)")
+	command.Flags().StringVar(&timeZone, "time-zone", "UTC", "Time zone of the sync window. (e.g. --time-zone \"America/New_York\")")
 	return command
 }
 

cmd/argocd/commands/relogin.go

@@ -9,12 +9,12 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	settingspkg "github.com/argoproj/argo-cd/pkg/apiclient/settings"
-	"github.com/argoproj/argo-cd/util/errors"
-	argoio "github.com/argoproj/argo-cd/util/io"
-	"github.com/argoproj/argo-cd/util/localconfig"
-	"github.com/argoproj/argo-cd/util/session"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	settingspkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/settings"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	argoio "github.com/argoproj/argo-cd/v2/util/io"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
+	"github.com/argoproj/argo-cd/v2/util/session"
 )
 
 // NewReloginCommand returns a new instance of `argocd relogin` command
@@ -43,19 +43,22 @@ func NewReloginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comm
 			var tokenString string
 			var refreshToken string
 			clientOpts := argocdclient.ClientOptions{
-				ConfigPath:      "",
-				ServerAddr:      configCtx.Server.Server,
-				Insecure:        configCtx.Server.Insecure,
-				GRPCWeb:         globalClientOpts.GRPCWeb,
-				GRPCWebRootPath: globalClientOpts.GRPCWebRootPath,
-				PlainText:       configCtx.Server.PlainText,
+				ConfigPath:        "",
+				ServerAddr:        configCtx.Server.Server,
+				Insecure:          configCtx.Server.Insecure,
+				ClientCertFile:    globalClientOpts.ClientCertFile,
+				ClientCertKeyFile: globalClientOpts.ClientCertKeyFile,
+				GRPCWeb:           globalClientOpts.GRPCWeb,
+				GRPCWebRootPath:   globalClientOpts.GRPCWebRootPath,
+				PlainText:         configCtx.Server.PlainText,
+				Headers:           globalClientOpts.Headers,
 			}
 			acdClient := argocdclient.NewClientOrDie(&clientOpts)
 			claims, err := configCtx.User.Claims()
 			errors.CheckError(err)
 			if claims.Issuer == session.SessionManagerClaimsIssuer {
-				fmt.Printf("Relogging in as '%s'\n", claims.Subject)
-				tokenString = passwordLogin(acdClient, claims.Subject, password)
+				fmt.Printf("Relogging in as '%s'\n", localconfig.GetUsername(claims.Subject))
+				tokenString = passwordLogin(acdClient, localconfig.GetUsername(claims.Subject), password)
 			} else {
 				fmt.Println("Reinitiating SSO login")
 				setConn, setIf := acdClient.NewSettingsClientOrDie()

cmd/argocd/commands/repo.go

@@ -10,14 +10,14 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd/common"
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	repositorypkg "github.com/argoproj/argo-cd/pkg/apiclient/repository"
-	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/git"
-	"github.com/argoproj/argo-cd/util/io"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	repositorypkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/repository"
+	appsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/git"
+	"github.com/argoproj/argo-cd/v2/util/io"
 )
 
 // NewRepoCommand returns a new instance of an `argocd repo` command
@@ -41,23 +41,15 @@ func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 // NewRepoAddCommand returns a new instance of an `argocd repo add` command
 func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		repo                           appsv1.Repository
-		upsert                         bool
-		sshPrivateKeyPath              string
-		insecureIgnoreHostKey          bool
-		insecureSkipServerVerification bool
-		tlsClientCertPath              string
-		tlsClientCertKeyPath           string
-		enableLfs                      bool
-		enableOci                      bool
+		repoOpts cmdutil.RepoOptions
 	)
 
 	// For better readability and easier formatting
 	var repoAddExamples = `  # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
-	argocd repo add git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
+  argocd repo add git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
 
-	# Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
-	argocd repo add ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
+  # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
+  argocd repo add ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
 
   # Add a private Git repository via HTTPS using username/password and TLS client certificates:
   argocd repo add https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
@@ -66,13 +58,19 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
   argocd repo add https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
 
   # Add a public Helm repository named 'stable' via HTTPS
-  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
+  argocd repo add https://charts.helm.sh/stable --type helm --name stable  
 
   # Add a private Helm repository named 'stable' via HTTPS
-  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
+  argocd repo add https://charts.helm.sh/stable --type helm --name stable --username test --password test
 
   # Add a private Helm OCI-based repository named 'stable' via HTTPS
   argocd repo add helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
+
+  # Add a private Git repository on GitHub.com via GitHub App
+  argocd repo add https://git.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem
+
+  # Add a private Git repository on GitHub Enterprise via GitHub App
+  argocd repo add https://ghe.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3
 `
 
 	var command = &cobra.Command{
@@ -86,16 +84,16 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			}
 
 			// Repository URL
-			repo.Repo = args[0]
+			repoOpts.Repo.Repo = args[0]
 
 			// Specifying ssh-private-key-path is only valid for SSH repositories
-			if sshPrivateKeyPath != "" {
-				if ok, _ := git.IsSSHURL(repo.Repo); ok {
-					keyData, err := ioutil.ReadFile(sshPrivateKeyPath)
+			if repoOpts.SshPrivateKeyPath != "" {
+				if ok, _ := git.IsSSHURL(repoOpts.Repo.Repo); ok {
+					keyData, err := ioutil.ReadFile(repoOpts.SshPrivateKeyPath)
 					if err != nil {
 						log.Fatal(err)
 					}
-					repo.SSHPrivateKey = string(keyData)
+					repoOpts.Repo.SSHPrivateKey = string(keyData)
 				} else {
 					err := fmt.Errorf("--ssh-private-key-path is only supported for SSH repositories.")
 					errors.CheckError(err)
@@ -104,35 +102,51 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 
 			// tls-client-cert-path and tls-client-cert-key-key-path must always be
 			// specified together
-			if (tlsClientCertPath != "" && tlsClientCertKeyPath == "") || (tlsClientCertPath == "" && tlsClientCertKeyPath != "") {
+			if (repoOpts.TlsClientCertPath != "" && repoOpts.TlsClientCertKeyPath == "") || (repoOpts.TlsClientCertPath == "" && repoOpts.TlsClientCertKeyPath != "") {
 				err := fmt.Errorf("--tls-client-cert-path and --tls-client-cert-key-path must be specified together")
 				errors.CheckError(err)
 			}
 
 			// Specifying tls-client-cert-path is only valid for HTTPS repositories
-			if tlsClientCertPath != "" {
-				if git.IsHTTPSURL(repo.Repo) {
-					tlsCertData, err := ioutil.ReadFile(tlsClientCertPath)
+			if repoOpts.TlsClientCertPath != "" {
+				if git.IsHTTPSURL(repoOpts.Repo.Repo) {
+					tlsCertData, err := ioutil.ReadFile(repoOpts.TlsClientCertPath)
 					errors.CheckError(err)
-					tlsCertKey, err := ioutil.ReadFile(tlsClientCertKeyPath)
+					tlsCertKey, err := ioutil.ReadFile(repoOpts.TlsClientCertKeyPath)
 					errors.CheckError(err)
-					repo.TLSClientCertData = string(tlsCertData)
-					repo.TLSClientCertKey = string(tlsCertKey)
+					repoOpts.Repo.TLSClientCertData = string(tlsCertData)
+					repoOpts.Repo.TLSClientCertKey = string(tlsCertKey)
 				} else {
 					err := fmt.Errorf("--tls-client-cert-path is only supported for HTTPS repositories")
 					errors.CheckError(err)
 				}
 			}
 
+			// Specifying github-app-private-key-path is only valid for HTTPS repositories
+			if repoOpts.GithubAppPrivateKeyPath != "" {
+				if git.IsHTTPSURL(repoOpts.Repo.Repo) {
+					githubAppPrivateKey, err := ioutil.ReadFile(repoOpts.GithubAppPrivateKeyPath)
+					errors.CheckError(err)
+					repoOpts.Repo.GithubAppPrivateKey = string(githubAppPrivateKey)
+				} else {
+					err := fmt.Errorf("--github-app-private-key-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
 			// Set repository connection properties only when creating repository, not
 			// when creating repository credentials.
 			// InsecureIgnoreHostKey is deprecated and only here for backwards compat
-			repo.InsecureIgnoreHostKey = insecureIgnoreHostKey
-			repo.Insecure = insecureSkipServerVerification
-			repo.EnableLFS = enableLfs
-			repo.EnableOCI = enableOci
+			repoOpts.Repo.InsecureIgnoreHostKey = repoOpts.InsecureIgnoreHostKey
+			repoOpts.Repo.Insecure = repoOpts.InsecureSkipServerVerification
+			repoOpts.Repo.EnableLFS = repoOpts.EnableLfs
+			repoOpts.Repo.EnableOCI = repoOpts.EnableOci
+			repoOpts.Repo.GithubAppId = repoOpts.GithubAppId
+			repoOpts.Repo.GithubAppInstallationId = repoOpts.GithubAppInstallationId
+			repoOpts.Repo.GitHubAppEnterpriseBaseURL = repoOpts.GitHubAppEnterpriseBaseURL
+			repoOpts.Repo.Proxy = repoOpts.Proxy
 
-			if repo.Type == "helm" && repo.Name == "" {
+			if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
 				errors.CheckError(fmt.Errorf("Must specify --name for repos of type 'helm'"))
 			}
 
@@ -141,8 +155,8 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 
 			// If the user set a username, but didn't supply password via --password,
 			// then we prompt for it
-			if repo.Username != "" && repo.Password == "" {
-				repo.Password = cli.PromptPassword(repo.Password)
+			if repoOpts.Repo.Username != "" && repoOpts.Repo.Password == "" {
+				repoOpts.Repo.Password = cli.PromptPassword(repoOpts.Repo.Password)
 			}
 
 			// We let the server check access to the repository before adding it. If
@@ -153,42 +167,38 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			// are high that we do not have the given URL pointing to a valid Git
 			// repo anyway.
 			repoAccessReq := repositorypkg.RepoAccessQuery{
-				Repo:              repo.Repo,
-				Type:              repo.Type,
-				Name:              repo.Name,
-				Username:          repo.Username,
-				Password:          repo.Password,
-				SshPrivateKey:     repo.SSHPrivateKey,
-				TlsClientCertData: repo.TLSClientCertData,
-				TlsClientCertKey:  repo.TLSClientCertKey,
-				Insecure:          repo.IsInsecure(),
-				EnableOci:         repo.EnableOCI,
+				Repo:                       repoOpts.Repo.Repo,
+				Type:                       repoOpts.Repo.Type,
+				Name:                       repoOpts.Repo.Name,
+				Username:                   repoOpts.Repo.Username,
+				Password:                   repoOpts.Repo.Password,
+				SshPrivateKey:              repoOpts.Repo.SSHPrivateKey,
+				TlsClientCertData:          repoOpts.Repo.TLSClientCertData,
+				TlsClientCertKey:           repoOpts.Repo.TLSClientCertKey,
+				Insecure:                   repoOpts.Repo.IsInsecure(),
+				EnableOci:                  repoOpts.Repo.EnableOCI,
+				GithubAppPrivateKey:        repoOpts.Repo.GithubAppPrivateKey,
+				GithubAppID:                repoOpts.Repo.GithubAppId,
+				GithubAppInstallationID:    repoOpts.Repo.GithubAppInstallationId,
+				GithubAppEnterpriseBaseUrl: repoOpts.Repo.GitHubAppEnterpriseBaseURL,
+				Proxy:                      repoOpts.Proxy,
+				Project:                    repoOpts.Repo.Project,
 			}
 			_, err := repoIf.ValidateAccess(context.Background(), &repoAccessReq)
 			errors.CheckError(err)
 
 			repoCreateReq := repositorypkg.RepoCreateRequest{
-				Repo:   &repo,
-				Upsert: upsert,
+				Repo:   &repoOpts.Repo,
+				Upsert: repoOpts.Upsert,
 			}
 
 			createdRepo, err := repoIf.Create(context.Background(), &repoCreateReq)
 			errors.CheckError(err)
-			fmt.Printf("repository '%s' added\n", createdRepo.Repo)
+			fmt.Printf("Repository '%s' added\n", createdRepo.Repo)
 		},
 	}
-	command.Flags().StringVar(&repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
-	command.Flags().StringVar(&repo.Name, "name", "", "name of the repository, mandatory for repositories of type helm")
-	command.Flags().StringVar(&repo.Username, "username", "", "username to the repository")
-	command.Flags().StringVar(&repo.Password, "password", "", "password to the repository")
-	command.Flags().StringVar(&sshPrivateKeyPath, "ssh-private-key-path", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
-	command.Flags().StringVar(&tlsClientCertPath, "tls-client-cert-path", "", "path to the TLS client cert (must be PEM format)")
-	command.Flags().StringVar(&tlsClientCertKeyPath, "tls-client-cert-key-path", "", "path to the TLS client cert's key path (must be PEM format)")
-	command.Flags().BoolVar(&insecureIgnoreHostKey, "insecure-ignore-host-key", false, "disables SSH strict host key checking (deprecated, use --insecure-skip-server-verification instead)")
-	command.Flags().BoolVar(&insecureSkipServerVerification, "insecure-skip-server-verification", false, "disables server certificate and host key checks")
-	command.Flags().BoolVar(&enableLfs, "enable-lfs", false, "enable git-lfs (Large File Support) on this repository")
-	command.Flags().BoolVar(&enableOci, "enable-oci", false, "enable helm-oci (Helm OCI-Based Repository)")
-	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
+	command.Flags().BoolVar(&repoOpts.Upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
+	cmdutil.AddRepoFlags(command, &repoOpts)
 	return command
 }
 
@@ -207,6 +217,7 @@ func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			for _, repoURL := range args {
 				_, err := repoIf.Delete(context.Background(), &repositorypkg.RepoQuery{Repo: repoURL})
 				errors.CheckError(err)
+				fmt.Printf("Repository '%s' removed\n", repoURL)
 			}
 		},
 	}
@@ -216,7 +227,7 @@ func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 // Print table of repo info
 func printRepoTable(repos appsv1.Repositories) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	_, _ = fmt.Fprintf(w, "TYPE\tNAME\tREPO\tINSECURE\tOCI\tLFS\tCREDS\tSTATUS\tMESSAGE\n")
+	_, _ = fmt.Fprintf(w, "TYPE\tNAME\tREPO\tINSECURE\tOCI\tLFS\tCREDS\tSTATUS\tMESSAGE\tPROJECT\n")
 	for _, r := range repos {
 		var hasCreds string
 		if !r.HasCredentials() {
@@ -228,7 +239,7 @@ func printRepoTable(repos appsv1.Repositories) {
 				hasCreds = "true"
 			}
 		}
-		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%v\t%v\t%v\t%s\t%s\t%s\n", r.Type, r.Name, r.Repo, r.IsInsecure(), r.EnableOCI, r.EnableLFS, hasCreds, r.ConnectionState.Status, r.ConnectionState.Message)
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%v\t%v\t%v\t%s\t%s\t%s\t%s\n", r.Type, r.Name, r.Repo, r.IsInsecure(), r.EnableOCI, r.EnableLFS, hasCreds, r.ConnectionState.Status, r.ConnectionState.Message, r.Project)
 	}
 	_ = w.Flush()
 }

cmd/argocd/commands/repocreds.go

@@ -10,13 +10,14 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	repocredspkg "github.com/argoproj/argo-cd/pkg/apiclient/repocreds"
-	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/git"
-	"github.com/argoproj/argo-cd/util/io"
+	"github.com/argoproj/argo-cd/v2/common"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	repocredspkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/repocreds"
+	appsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/git"
+	"github.com/argoproj/argo-cd/v2/util/io"
 )
 
 // NewRepoCredsCommand returns a new instance of an `argocd repocreds` command
@@ -39,11 +40,12 @@ func NewRepoCredsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 // NewRepoCredsAddCommand returns a new instance of an `argocd repocreds add` command
 func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		repo                 appsv1.RepoCreds
-		upsert               bool
-		sshPrivateKeyPath    string
-		tlsClientCertPath    string
-		tlsClientCertKeyPath string
+		repo                    appsv1.RepoCreds
+		upsert                  bool
+		sshPrivateKeyPath       string
+		tlsClientCertPath       string
+		tlsClientCertKeyPath    string
+		githubAppPrivateKeyPath string
 	)
 
 	// For better readability and easier formatting
@@ -52,6 +54,15 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 
   # Add credentials with SSH private key authentication to use for all repositories under ssh://git@git.example.com/repos
   argocd repocreds add ssh://git@git.example.com/repos/ --ssh-private-key-path ~/.ssh/id_rsa
+
+  # Add credentials with GitHub App authentication to use for all repositories under https://github.com/repos
+  argocd repocreds add https://github.com/repos/ --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem
+
+  # Add credentials with GitHub App authentication to use for all repositories under https://ghe.example.com/repos
+  argocd repocreds add https://ghe.example.com/repos/ --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3
+
+  # Add credentials with helm oci registry so that these oci registry urls do not need to be added as repos individually.
+  argocd repocreds add localhost:5000/myrepo --enable-oci --type helm 
 `
 
 	var command = &cobra.Command{
@@ -103,6 +114,18 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 				}
 			}
 
+			// Specifying github-app-private-key-path is only valid for HTTPS repositories
+			if githubAppPrivateKeyPath != "" {
+				if git.IsHTTPSURL(repo.URL) {
+					githubAppPrivateKey, err := ioutil.ReadFile(githubAppPrivateKeyPath)
+					errors.CheckError(err)
+					repo.GithubAppPrivateKey = string(githubAppPrivateKey)
+				} else {
+					err := fmt.Errorf("--github-app-private-key-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoCredsClientOrDie()
 			defer io.Close(conn)
 
@@ -119,7 +142,7 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 
 			createdRepo, err := repoIf.CreateRepositoryCredentials(context.Background(), &repoCreateReq)
 			errors.CheckError(err)
-			fmt.Printf("repository credentials for '%s' added\n", createdRepo.URL)
+			fmt.Printf("Repository credentials for '%s' added\n", createdRepo.URL)
 		},
 	}
 	command.Flags().StringVar(&repo.Username, "username", "", "username to the repository")
@@ -127,7 +150,13 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 	command.Flags().StringVar(&sshPrivateKeyPath, "ssh-private-key-path", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
 	command.Flags().StringVar(&tlsClientCertPath, "tls-client-cert-path", "", "path to the TLS client cert (must be PEM format)")
 	command.Flags().StringVar(&tlsClientCertKeyPath, "tls-client-cert-key-path", "", "path to the TLS client cert's key path (must be PEM format)")
+	command.Flags().Int64Var(&repo.GithubAppId, "github-app-id", 0, "id of the GitHub Application")
+	command.Flags().Int64Var(&repo.GithubAppInstallationId, "github-app-installation-id", 0, "installation id of the GitHub Application")
+	command.Flags().StringVar(&githubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
+	command.Flags().StringVar(&repo.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
 	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
+	command.Flags().BoolVar(&repo.EnableOCI, "enable-oci", false, "Specifies whether helm-oci support should be enabled for this repo")
+	command.Flags().StringVar(&repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
 	return command
 }
 
@@ -146,6 +175,7 @@ func NewRepoCredsRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			for _, repoURL := range args {
 				_, err := repoIf.DeleteRepositoryCredentials(context.Background(), &repocredspkg.RepoCredsDeleteRequest{Url: repoURL})
 				errors.CheckError(err)
+				fmt.Printf("Repository credentials for '%s' removed\n", repoURL)
 			}
 		},
 	}

cmd/argocd/commands/root.go

@@ -4,25 +4,23 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/tools/clientcmd"
 
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/config"
-	"github.com/argoproj/argo-cd/util/errors"
-	"github.com/argoproj/argo-cd/util/localconfig"
+	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/admin"
+	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless"
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/config"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
 )
 
 func init() {
 	cobra.OnInitialize(initConfig)
 }
 
-var (
-	logFormat string
-	logLevel  string
-)
-
 func initConfig() {
-	cli.SetLogFormat(logFormat)
-	cli.SetLogLevel(logLevel)
+	cli.SetLogFormat(cmdutil.LogFormat)
+	cli.SetLogLevel(cmdutil.LogLevel)
 }
 
 // NewCommand returns a new instance of an argocd command
@@ -42,19 +40,20 @@ func NewCommand() *cobra.Command {
 	}
 
 	command.AddCommand(NewCompletionCommand())
-	command.AddCommand(NewVersionCmd(&clientOpts))
-	command.AddCommand(NewClusterCommand(&clientOpts, pathOpts))
-	command.AddCommand(NewApplicationCommand(&clientOpts))
+	command.AddCommand(headless.InitCommand(NewVersionCmd(&clientOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewClusterCommand(&clientOpts, pathOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewApplicationCommand(&clientOpts), &clientOpts, nil))
 	command.AddCommand(NewLoginCommand(&clientOpts))
 	command.AddCommand(NewReloginCommand(&clientOpts))
-	command.AddCommand(NewRepoCommand(&clientOpts))
-	command.AddCommand(NewRepoCredsCommand(&clientOpts))
+	command.AddCommand(headless.InitCommand(NewRepoCommand(&clientOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewRepoCredsCommand(&clientOpts), &clientOpts, nil))
 	command.AddCommand(NewContextCommand(&clientOpts))
-	command.AddCommand(NewProjectCommand(&clientOpts))
-	command.AddCommand(NewAccountCommand(&clientOpts))
+	command.AddCommand(headless.InitCommand(NewProjectCommand(&clientOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewAccountCommand(&clientOpts), &clientOpts, nil))
 	command.AddCommand(NewLogoutCommand(&clientOpts))
-	command.AddCommand(NewCertCommand(&clientOpts))
-	command.AddCommand(NewGPGCommand(&clientOpts))
+	command.AddCommand(headless.InitCommand(NewCertCommand(&clientOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewGPGCommand(&clientOpts), &clientOpts, nil))
+	command.AddCommand(admin.NewAdminCommand())
 
 	defaultLocalConfigPath, err := localconfig.DefaultLocalConfigPath()
 	errors.CheckError(err)
@@ -68,10 +67,12 @@ func NewCommand() *cobra.Command {
 	command.PersistentFlags().StringVar(&clientOpts.AuthToken, "auth-token", config.GetFlag("auth-token", ""), "Authentication token")
 	command.PersistentFlags().BoolVar(&clientOpts.GRPCWeb, "grpc-web", config.GetBoolFlag("grpc-web"), "Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2.")
 	command.PersistentFlags().StringVar(&clientOpts.GRPCWebRootPath, "grpc-web-root-path", config.GetFlag("grpc-web-root-path", ""), "Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2. Set web root.")
-	command.PersistentFlags().StringVar(&logFormat, "logformat", config.GetFlag("logformat", "text"), "Set the logging format. One of: text|json")
-	command.PersistentFlags().StringVar(&logLevel, "loglevel", config.GetFlag("loglevel", "info"), "Set the logging level. One of: debug|info|warn|error")
+	command.PersistentFlags().StringVar(&cmdutil.LogFormat, "logformat", config.GetFlag("logformat", "text"), "Set the logging format. One of: text|json")
+	command.PersistentFlags().StringVar(&cmdutil.LogLevel, "loglevel", config.GetFlag("loglevel", "info"), "Set the logging level. One of: debug|info|warn|error")
 	command.PersistentFlags().StringSliceVarP(&clientOpts.Headers, "header", "H", []string{}, "Sets additional header to all requests made by Argo CD CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers)")
 	command.PersistentFlags().BoolVar(&clientOpts.PortForward, "port-forward", config.GetBoolFlag("port-forward"), "Connect to a random argocd-server port using port forwarding")
 	command.PersistentFlags().StringVar(&clientOpts.PortForwardNamespace, "port-forward-namespace", config.GetFlag("port-forward-namespace", ""), "Namespace name which should be used for port forwarding")
+	command.PersistentFlags().IntVar(&clientOpts.HttpRetryMax, "http-retry-max", 0, "Maximum number of retries to establish http connection to Argo CD server")
+	command.PersistentFlags().BoolVar(&clientOpts.Core, "core", false, "If set to true then CLI talks directly to Kubernetes instead of talking to Argo CD API server")
 	return command
 }

cmd/argocd/commands/version.go

@@ -8,11 +8,11 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd/common"
-	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	"github.com/argoproj/argo-cd/pkg/apiclient/version"
-	"github.com/argoproj/argo-cd/util/errors"
-	argoio "github.com/argoproj/argo-cd/util/io"
+	"github.com/argoproj/argo-cd/v2/common"
+	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/pkg/apiclient/version"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	argoio "github.com/argoproj/argo-cd/v2/util/io"
 )
 
 // NewVersionCmd returns a new `version` command to be used as a sub-command to root
@@ -116,18 +116,40 @@ func printServerVersion(version *version.VersionMessage, short bool) {
 		return
 	}
 
-	fmt.Printf("  BuildDate: %s\n", version.BuildDate)
-	fmt.Printf("  GitCommit: %s\n", version.GitCommit)
-	fmt.Printf("  GitTreeState: %s\n", version.GitTreeState)
+	if version.BuildDate != "" {
+		fmt.Printf("  BuildDate: %s\n", version.BuildDate)
+	}
+	if version.GitCommit != "" {
+		fmt.Printf("  GitCommit: %s\n", version.GitCommit)
+	}
+	if version.GitTreeState != "" {
+		fmt.Printf("  GitTreeState: %s\n", version.GitTreeState)
+	}
 	if version.GitTag != "" {
 		fmt.Printf("  GitTag: %s\n", version.GitTag)
 	}
-	fmt.Printf("  GoVersion: %s\n", version.GoVersion)
-	fmt.Printf("  Compiler: %s\n", version.Compiler)
-	fmt.Printf("  Platform: %s\n", version.Platform)
-	fmt.Printf("  Ksonnet Version: %s\n", version.KsonnetVersion)
-	fmt.Printf("  Kustomize Version: %s\n", version.KustomizeVersion)
-	fmt.Printf("  Helm Version: %s\n", version.HelmVersion)
-	fmt.Printf("  Kubectl Version: %s\n", version.KubectlVersion)
-	fmt.Printf("  Jsonnet Version: %s\n", version.JsonnetVersion)
+	if version.GoVersion != "" {
+		fmt.Printf("  GoVersion: %s\n", version.GoVersion)
+	}
+	if version.Compiler != "" {
+		fmt.Printf("  Compiler: %s\n", version.Compiler)
+	}
+	if version.Platform != "" {
+		fmt.Printf("  Platform: %s\n", version.Platform)
+	}
+	if version.KsonnetVersion != "" {
+		fmt.Printf("  Ksonnet Version: %s\n", version.KsonnetVersion)
+	}
+	if version.KustomizeVersion != "" {
+		fmt.Printf("  Kustomize Version: %s\n", version.KustomizeVersion)
+	}
+	if version.HelmVersion != "" {
+		fmt.Printf("  Helm Version: %s\n", version.HelmVersion)
+	}
+	if version.KubectlVersion != "" {
+		fmt.Printf("  Kubectl Version: %s\n", version.KubectlVersion)
+	}
+	if version.JsonnetVersion != "" {
+		fmt.Printf("  Jsonnet Version: %s\n", version.JsonnetVersion)
+	}
 }

cmd/argocd/main.go

@@ -1,18 +0,0 @@
-package main
-
-import (
-	commands "github.com/argoproj/argo-cd/cmd/argocd/commands"
-	"github.com/argoproj/argo-cd/util/errors"
-
-	// load the gcp plugin (required to authenticate against GKE clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// load the oidc plugin (required to authenticate with OpenID Connect).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-	// load the azure plugin (required to authenticate with AKS clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
-)
-
-func main() {
-	err := commands.NewCommand().Execute()
-	errors.CheckError(err)
-}

cmd/main.go

@@ -0,0 +1,50 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+
+	appcontroller "github.com/argoproj/argo-cd/v2/cmd/argocd-application-controller/commands"
+	cmpserver "github.com/argoproj/argo-cd/v2/cmd/argocd-cmp-server/commands"
+	dex "github.com/argoproj/argo-cd/v2/cmd/argocd-dex/commands"
+	reposerver "github.com/argoproj/argo-cd/v2/cmd/argocd-repo-server/commands"
+	apiserver "github.com/argoproj/argo-cd/v2/cmd/argocd-server/commands"
+	cli "github.com/argoproj/argo-cd/v2/cmd/argocd/commands"
+)
+
+const (
+	binaryNameEnv = "ARGOCD_BINARY_NAME"
+)
+
+func main() {
+	var command *cobra.Command
+
+	binaryName := filepath.Base(os.Args[0])
+	if val := os.Getenv(binaryNameEnv); val != "" {
+		binaryName = val
+	}
+	switch binaryName {
+	case "argocd", "argocd-linux-amd64", "argocd-darwin-amd64", "argocd-windows-amd64.exe":
+		command = cli.NewCommand()
+	case "argocd-server":
+		command = apiserver.NewCommand()
+	case "argocd-application-controller":
+		command = appcontroller.NewCommand()
+	case "argocd-repo-server":
+		command = reposerver.NewCommand()
+	case "argocd-cmp-server":
+		command = cmpserver.NewCommand()
+	case "argocd-dex":
+		command = dex.NewCommand()
+	default:
+		command = cli.NewCommand()
+	}
+
+	if err := command.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}

cmd/util/app.go

@@ -0,0 +1,682 @@
+package util
+
+import (
+	"bufio"
+	"fmt"
+	"io/ioutil"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
+	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/config"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/text/label"
+)
+
+type AppOptions struct {
+	repoURL                         string
+	appPath                         string
+	chart                           string
+	env                             string
+	revision                        string
+	revisionHistoryLimit            int
+	destName                        string
+	destServer                      string
+	destNamespace                   string
+	Parameters                      []string
+	valuesFiles                     []string
+	values                          string
+	releaseName                     string
+	helmSets                        []string
+	helmSetStrings                  []string
+	helmSetFiles                    []string
+	helmVersion                     string
+	helmPassCredentials             bool
+	project                         string
+	syncPolicy                      string
+	syncOptions                     []string
+	autoPrune                       bool
+	selfHeal                        bool
+	allowEmpty                      bool
+	namePrefix                      string
+	nameSuffix                      string
+	directoryRecurse                bool
+	configManagementPlugin          string
+	jsonnetTlaStr                   []string
+	jsonnetTlaCode                  []string
+	jsonnetExtVarStr                []string
+	jsonnetExtVarCode               []string
+	jsonnetLibs                     []string
+	kustomizeImages                 []string
+	kustomizeVersion                string
+	kustomizeCommonLabels           []string
+	kustomizeCommonAnnotations      []string
+	kustomizeForceCommonLabels      bool
+	kustomizeForceCommonAnnotations bool
+	pluginEnvs                      []string
+	Validate                        bool
+	directoryExclude                string
+	directoryInclude                string
+	retryLimit                      int64
+	retryBackoffDuration            time.Duration
+	retryBackoffMaxDuration         time.Duration
+	retryBackoffFactor              int64
+}
+
+func AddAppFlags(command *cobra.Command, opts *AppOptions) {
+	command.Flags().StringVar(&opts.repoURL, "repo", "", "Repository URL, ignored if a file is set")
+	command.Flags().StringVar(&opts.appPath, "path", "", "Path in repository to the app directory, ignored if a file is set")
+	command.Flags().StringVar(&opts.chart, "helm-chart", "", "Helm Chart name")
+	command.Flags().StringVar(&opts.env, "env", "", "Application environment to monitor")
+	command.Flags().StringVar(&opts.revision, "revision", "", "The tracking source branch, tag, commit or Helm chart version the application will sync to")
+	command.Flags().IntVar(&opts.revisionHistoryLimit, "revision-history-limit", argoappv1.RevisionHistoryLimit, "How many items to keep in revision history")
+	command.Flags().StringVar(&opts.destServer, "dest-server", "", "K8s cluster URL (e.g. https://kubernetes.default.svc)")
+	command.Flags().StringVar(&opts.destName, "dest-name", "", "K8s cluster Name (e.g. minikube)")
+	command.Flags().StringVar(&opts.destNamespace, "dest-namespace", "", "K8s target namespace (overrides the namespace specified in the ksonnet app.yaml)")
+	command.Flags().StringArrayVarP(&opts.Parameters, "parameter", "p", []string{}, "set a parameter override (e.g. -p guestbook=image=example/guestbook:latest)")
+	command.Flags().StringArrayVar(&opts.valuesFiles, "values", []string{}, "Helm values file(s) to use")
+	command.Flags().StringVar(&opts.values, "values-literal-file", "", "Filename or URL to import as a literal Helm values block")
+	command.Flags().StringVar(&opts.releaseName, "release-name", "", "Helm release-name")
+	command.Flags().StringVar(&opts.helmVersion, "helm-version", "", "Helm version")
+	command.Flags().BoolVar(&opts.helmPassCredentials, "helm-pass-credentials", false, "Pass credentials to all domain")
+	command.Flags().StringArrayVar(&opts.helmSets, "helm-set", []string{}, "Helm set values on the command line (can be repeated to set several values: --helm-set key1=val1 --helm-set key2=val2)")
+	command.Flags().StringArrayVar(&opts.helmSetStrings, "helm-set-string", []string{}, "Helm set STRING values on the command line (can be repeated to set several values: --helm-set-string key1=val1 --helm-set-string key2=val2)")
+	command.Flags().StringArrayVar(&opts.helmSetFiles, "helm-set-file", []string{}, "Helm set values from respective files specified via the command line (can be repeated to set several values: --helm-set-file key1=path1 --helm-set-file key2=path2)")
+	command.Flags().StringVar(&opts.project, "project", "", "Application project name")
+	command.Flags().StringVar(&opts.syncPolicy, "sync-policy", "", "Set the sync policy (one of: none, automated (aliases of automated: auto, automatic))")
+	command.Flags().StringArrayVar(&opts.syncOptions, "sync-option", []string{}, "Add or remove a sync option, e.g add `Prune=false`. Remove using `!` prefix, e.g. `!Prune=false`")
+	command.Flags().BoolVar(&opts.autoPrune, "auto-prune", false, "Set automatic pruning when sync is automated")
+	command.Flags().BoolVar(&opts.selfHeal, "self-heal", false, "Set self healing when sync is automated")
+	command.Flags().BoolVar(&opts.allowEmpty, "allow-empty", false, "Set allow zero live resources when sync is automated")
+	command.Flags().StringVar(&opts.namePrefix, "nameprefix", "", "Kustomize nameprefix")
+	command.Flags().StringVar(&opts.nameSuffix, "namesuffix", "", "Kustomize namesuffix")
+	command.Flags().StringVar(&opts.kustomizeVersion, "kustomize-version", "", "Kustomize version")
+	command.Flags().BoolVar(&opts.directoryRecurse, "directory-recurse", false, "Recurse directory")
+	command.Flags().StringVar(&opts.configManagementPlugin, "config-management-plugin", "", "Config management plugin name")
+	command.Flags().StringArrayVar(&opts.jsonnetTlaStr, "jsonnet-tla-str", []string{}, "Jsonnet top level string arguments")
+	command.Flags().StringArrayVar(&opts.jsonnetTlaCode, "jsonnet-tla-code", []string{}, "Jsonnet top level code arguments")
+	command.Flags().StringArrayVar(&opts.jsonnetExtVarStr, "jsonnet-ext-var-str", []string{}, "Jsonnet string ext var")
+	command.Flags().StringArrayVar(&opts.jsonnetExtVarCode, "jsonnet-ext-var-code", []string{}, "Jsonnet ext var")
+	command.Flags().StringArrayVar(&opts.jsonnetLibs, "jsonnet-libs", []string{}, "Additional jsonnet libs (prefixed by repoRoot)")
+	command.Flags().StringArrayVar(&opts.kustomizeImages, "kustomize-image", []string{}, "Kustomize images (e.g. --kustomize-image node:8.15.0 --kustomize-image mysql=mariadb,alpine@sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d)")
+	command.Flags().StringArrayVar(&opts.pluginEnvs, "plugin-env", []string{}, "Additional plugin envs")
+	command.Flags().BoolVar(&opts.Validate, "validate", true, "Validation of repo and cluster")
+	command.Flags().StringArrayVar(&opts.kustomizeCommonLabels, "kustomize-common-label", []string{}, "Set common labels in Kustomize")
+	command.Flags().StringArrayVar(&opts.kustomizeCommonAnnotations, "kustomize-common-annotation", []string{}, "Set common labels in Kustomize")
+	command.Flags().BoolVar(&opts.kustomizeForceCommonLabels, "kustomize-force-common-label", false, "Force common labels in Kustomize")
+	command.Flags().BoolVar(&opts.kustomizeForceCommonAnnotations, "kustomize-force-common-annotation", false, "Force common annotations in Kustomize")
+	command.Flags().StringVar(&opts.directoryExclude, "directory-exclude", "", "Set glob expression used to exclude files from application source path")
+	command.Flags().StringVar(&opts.directoryInclude, "directory-include", "", "Set glob expression used to include files from application source path")
+	command.Flags().Int64Var(&opts.retryLimit, "sync-retry-limit", 0, "Max number of allowed sync retries")
+	command.Flags().DurationVar(&opts.retryBackoffDuration, "sync-retry-backoff-duration", argoappv1.DefaultSyncRetryDuration, "Sync retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h)")
+	command.Flags().DurationVar(&opts.retryBackoffMaxDuration, "sync-retry-backoff-max-duration", argoappv1.DefaultSyncRetryMaxDuration, "Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h)")
+	command.Flags().Int64Var(&opts.retryBackoffFactor, "sync-retry-backoff-factor", argoappv1.DefaultSyncRetryFactor, "Factor multiplies the base duration after each failed sync retry")
+}
+
+func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, appOpts *AppOptions) int {
+	visited := 0
+	if flags == nil {
+		return visited
+	}
+	flags.Visit(func(f *pflag.Flag) {
+		visited++
+		switch f.Name {
+		case "repo":
+			spec.Source.RepoURL = appOpts.repoURL
+		case "path":
+			spec.Source.Path = appOpts.appPath
+		case "helm-chart":
+			spec.Source.Chart = appOpts.chart
+		case "env":
+			setKsonnetOpt(&spec.Source, &appOpts.env)
+		case "revision":
+			spec.Source.TargetRevision = appOpts.revision
+		case "revision-history-limit":
+			i := int64(appOpts.revisionHistoryLimit)
+			spec.RevisionHistoryLimit = &i
+		case "values":
+			setHelmOpt(&spec.Source, helmOpts{valueFiles: appOpts.valuesFiles})
+		case "values-literal-file":
+			var data []byte
+
+			// read uri
+			parsedURL, err := url.ParseRequestURI(appOpts.values)
+			if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
+				data, err = ioutil.ReadFile(appOpts.values)
+			} else {
+				data, err = config.ReadRemoteFile(appOpts.values)
+			}
+			errors.CheckError(err)
+			setHelmOpt(&spec.Source, helmOpts{values: string(data)})
+		case "release-name":
+			setHelmOpt(&spec.Source, helmOpts{releaseName: appOpts.releaseName})
+		case "helm-version":
+			setHelmOpt(&spec.Source, helmOpts{version: appOpts.helmVersion})
+		case "helm-pass-credentials":
+			setHelmOpt(&spec.Source, helmOpts{passCredentials: appOpts.helmPassCredentials})
+		case "helm-set":
+			setHelmOpt(&spec.Source, helmOpts{helmSets: appOpts.helmSets})
+		case "helm-set-string":
+			setHelmOpt(&spec.Source, helmOpts{helmSetStrings: appOpts.helmSetStrings})
+		case "helm-set-file":
+			setHelmOpt(&spec.Source, helmOpts{helmSetFiles: appOpts.helmSetFiles})
+		case "directory-recurse":
+			if spec.Source.Directory != nil {
+				spec.Source.Directory.Recurse = appOpts.directoryRecurse
+			} else {
+				spec.Source.Directory = &argoappv1.ApplicationSourceDirectory{Recurse: appOpts.directoryRecurse}
+			}
+		case "directory-exclude":
+			if spec.Source.Directory != nil {
+				spec.Source.Directory.Exclude = appOpts.directoryExclude
+			} else {
+				spec.Source.Directory = &argoappv1.ApplicationSourceDirectory{Exclude: appOpts.directoryExclude}
+			}
+		case "directory-include":
+			if spec.Source.Directory != nil {
+				spec.Source.Directory.Include = appOpts.directoryInclude
+			} else {
+				spec.Source.Directory = &argoappv1.ApplicationSourceDirectory{Include: appOpts.directoryInclude}
+			}
+		case "config-management-plugin":
+			spec.Source.Plugin = &argoappv1.ApplicationSourcePlugin{Name: appOpts.configManagementPlugin}
+		case "dest-name":
+			spec.Destination.Name = appOpts.destName
+		case "dest-server":
+			spec.Destination.Server = appOpts.destServer
+		case "dest-namespace":
+			spec.Destination.Namespace = appOpts.destNamespace
+		case "project":
+			spec.Project = appOpts.project
+		case "nameprefix":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{namePrefix: appOpts.namePrefix})
+		case "namesuffix":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{nameSuffix: appOpts.nameSuffix})
+		case "kustomize-image":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{images: appOpts.kustomizeImages})
+		case "kustomize-version":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{version: appOpts.kustomizeVersion})
+		case "kustomize-common-label":
+			parsedLabels, err := label.Parse(appOpts.kustomizeCommonLabels)
+			errors.CheckError(err)
+			setKustomizeOpt(&spec.Source, kustomizeOpts{commonLabels: parsedLabels})
+		case "kustomize-common-annotation":
+			parsedAnnotations, err := label.Parse(appOpts.kustomizeCommonAnnotations)
+			errors.CheckError(err)
+			setKustomizeOpt(&spec.Source, kustomizeOpts{commonAnnotations: parsedAnnotations})
+		case "kustomize-force-common-label":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{forceCommonLabels: appOpts.kustomizeForceCommonLabels})
+		case "kustomize-force-common-annotation":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{forceCommonAnnotations: appOpts.kustomizeForceCommonAnnotations})
+		case "jsonnet-tla-str":
+			setJsonnetOpt(&spec.Source, appOpts.jsonnetTlaStr, false)
+		case "jsonnet-tla-code":
+			setJsonnetOpt(&spec.Source, appOpts.jsonnetTlaCode, true)
+		case "jsonnet-ext-var-str":
+			setJsonnetOptExtVar(&spec.Source, appOpts.jsonnetExtVarStr, false)
+		case "jsonnet-ext-var-code":
+			setJsonnetOptExtVar(&spec.Source, appOpts.jsonnetExtVarCode, true)
+		case "jsonnet-libs":
+			setJsonnetOptLibs(&spec.Source, appOpts.jsonnetLibs)
+		case "plugin-env":
+			setPluginOptEnvs(&spec.Source, appOpts.pluginEnvs)
+		case "sync-policy":
+			switch appOpts.syncPolicy {
+			case "none":
+				if spec.SyncPolicy != nil {
+					spec.SyncPolicy.Automated = nil
+				}
+				if spec.SyncPolicy.IsZero() {
+					spec.SyncPolicy = nil
+				}
+			case "automated", "automatic", "auto":
+				if spec.SyncPolicy == nil {
+					spec.SyncPolicy = &argoappv1.SyncPolicy{}
+				}
+				spec.SyncPolicy.Automated = &argoappv1.SyncPolicyAutomated{}
+			default:
+				log.Fatalf("Invalid sync-policy: %s", appOpts.syncPolicy)
+			}
+		case "sync-option":
+			if spec.SyncPolicy == nil {
+				spec.SyncPolicy = &argoappv1.SyncPolicy{}
+			}
+			for _, option := range appOpts.syncOptions {
+				// `!` means remove the option
+				if strings.HasPrefix(option, "!") {
+					option = strings.TrimPrefix(option, "!")
+					spec.SyncPolicy.SyncOptions = spec.SyncPolicy.SyncOptions.RemoveOption(option)
+				} else {
+					spec.SyncPolicy.SyncOptions = spec.SyncPolicy.SyncOptions.AddOption(option)
+				}
+			}
+			if spec.SyncPolicy.IsZero() {
+				spec.SyncPolicy = nil
+			}
+		case "sync-retry-limit":
+			if appOpts.retryLimit > 0 {
+				if spec.SyncPolicy == nil {
+					spec.SyncPolicy = &argoappv1.SyncPolicy{}
+				}
+				spec.SyncPolicy.Retry = &argoappv1.RetryStrategy{
+					Limit: appOpts.retryLimit,
+					Backoff: &argoappv1.Backoff{
+						Duration:    appOpts.retryBackoffDuration.String(),
+						MaxDuration: appOpts.retryBackoffMaxDuration.String(),
+						Factor:      pointer.Int64Ptr(appOpts.retryBackoffFactor),
+					},
+				}
+			} else if appOpts.retryLimit == 0 {
+				if spec.SyncPolicy.IsZero() {
+					spec.SyncPolicy = nil
+				} else {
+					spec.SyncPolicy.Retry = nil
+				}
+			} else {
+				log.Fatalf("Invalid sync-retry-limit [%d]", appOpts.retryLimit)
+			}
+		}
+	})
+	if flags.Changed("auto-prune") {
+		if spec.SyncPolicy == nil || spec.SyncPolicy.Automated == nil {
+			log.Fatal("Cannot set --auto-prune: application not configured with automatic sync")
+		}
+		spec.SyncPolicy.Automated.Prune = appOpts.autoPrune
+	}
+	if flags.Changed("self-heal") {
+		if spec.SyncPolicy == nil || spec.SyncPolicy.Automated == nil {
+			log.Fatal("Cannot set --self-heal: application not configured with automatic sync")
+		}
+		spec.SyncPolicy.Automated.SelfHeal = appOpts.selfHeal
+	}
+	if flags.Changed("allow-empty") {
+		if spec.SyncPolicy == nil || spec.SyncPolicy.Automated == nil {
+			log.Fatal("Cannot set --allow-empty: application not configured with automatic sync")
+		}
+		spec.SyncPolicy.Automated.AllowEmpty = appOpts.allowEmpty
+	}
+
+	return visited
+}
+
+func setKsonnetOpt(src *argoappv1.ApplicationSource, env *string) {
+	if src.Ksonnet == nil {
+		src.Ksonnet = &argoappv1.ApplicationSourceKsonnet{}
+	}
+	if env != nil {
+		src.Ksonnet.Environment = *env
+	}
+	if src.Ksonnet.IsZero() {
+		src.Ksonnet = nil
+	}
+}
+
+type kustomizeOpts struct {
+	namePrefix             string
+	nameSuffix             string
+	images                 []string
+	version                string
+	commonLabels           map[string]string
+	commonAnnotations      map[string]string
+	forceCommonLabels      bool
+	forceCommonAnnotations bool
+}
+
+func setKustomizeOpt(src *argoappv1.ApplicationSource, opts kustomizeOpts) {
+	if src.Kustomize == nil {
+		src.Kustomize = &argoappv1.ApplicationSourceKustomize{}
+	}
+	if opts.version != "" {
+		src.Kustomize.Version = opts.version
+	}
+	if opts.namePrefix != "" {
+		src.Kustomize.NamePrefix = opts.namePrefix
+	}
+	if opts.nameSuffix != "" {
+		src.Kustomize.NameSuffix = opts.nameSuffix
+	}
+	if opts.commonLabels != nil {
+		src.Kustomize.CommonLabels = opts.commonLabels
+	}
+	if opts.commonAnnotations != nil {
+		src.Kustomize.CommonAnnotations = opts.commonAnnotations
+	}
+	if opts.forceCommonLabels {
+		src.Kustomize.ForceCommonLabels = opts.forceCommonLabels
+	}
+	if opts.forceCommonAnnotations {
+		src.Kustomize.ForceCommonAnnotations = opts.forceCommonAnnotations
+	}
+	for _, image := range opts.images {
+		src.Kustomize.MergeImage(argoappv1.KustomizeImage(image))
+	}
+	if src.Kustomize.IsZero() {
+		src.Kustomize = nil
+	}
+}
+
+func setPluginOptEnvs(src *argoappv1.ApplicationSource, envs []string) {
+	if src.Plugin == nil {
+		src.Plugin = &argoappv1.ApplicationSourcePlugin{}
+	}
+
+	for _, text := range envs {
+		e, err := argoappv1.NewEnvEntry(text)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Plugin.AddEnvEntry(e)
+	}
+}
+
+type helmOpts struct {
+	valueFiles      []string
+	values          string
+	releaseName     string
+	version         string
+	helmSets        []string
+	helmSetStrings  []string
+	helmSetFiles    []string
+	passCredentials bool
+}
+
+func setHelmOpt(src *argoappv1.ApplicationSource, opts helmOpts) {
+	if src.Helm == nil {
+		src.Helm = &argoappv1.ApplicationSourceHelm{}
+	}
+	if len(opts.valueFiles) > 0 {
+		src.Helm.ValueFiles = opts.valueFiles
+	}
+	if len(opts.values) > 0 {
+		src.Helm.Values = opts.values
+	}
+	if opts.releaseName != "" {
+		src.Helm.ReleaseName = opts.releaseName
+	}
+	if opts.version != "" {
+		src.Helm.Version = opts.version
+	}
+	if opts.passCredentials {
+		src.Helm.PassCredentials = opts.passCredentials
+	}
+	for _, text := range opts.helmSets {
+		p, err := argoappv1.NewHelmParameter(text, false)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Helm.AddParameter(*p)
+	}
+	for _, text := range opts.helmSetStrings {
+		p, err := argoappv1.NewHelmParameter(text, true)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Helm.AddParameter(*p)
+	}
+	for _, text := range opts.helmSetFiles {
+		p, err := argoappv1.NewHelmFileParameter(text)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Helm.AddFileParameter(*p)
+	}
+	if src.Helm.IsZero() {
+		src.Helm = nil
+	}
+}
+
+func setJsonnetOpt(src *argoappv1.ApplicationSource, tlaParameters []string, code bool) {
+	if src.Directory == nil {
+		src.Directory = &argoappv1.ApplicationSourceDirectory{}
+	}
+	for _, j := range tlaParameters {
+		src.Directory.Jsonnet.TLAs = append(src.Directory.Jsonnet.TLAs, argoappv1.NewJsonnetVar(j, code))
+	}
+}
+
+func setJsonnetOptExtVar(src *argoappv1.ApplicationSource, jsonnetExtVar []string, code bool) {
+	if src.Directory == nil {
+		src.Directory = &argoappv1.ApplicationSourceDirectory{}
+	}
+	for _, j := range jsonnetExtVar {
+		src.Directory.Jsonnet.ExtVars = append(src.Directory.Jsonnet.ExtVars, argoappv1.NewJsonnetVar(j, code))
+	}
+}
+
+func setJsonnetOptLibs(src *argoappv1.ApplicationSource, libs []string) {
+	if src.Directory == nil {
+		src.Directory = &argoappv1.ApplicationSourceDirectory{}
+	}
+	src.Directory.Jsonnet.Libs = append(src.Directory.Jsonnet.Libs, libs...)
+}
+
+// SetParameterOverrides updates an existing or appends a new parameter override in the application
+// If the app is a ksonnet app, then parameters are expected to be in the form: component=param=value
+// Otherwise, the app is assumed to be a helm app and is expected to be in the form:
+// param=value
+func SetParameterOverrides(app *argoappv1.Application, parameters []string) {
+	if len(parameters) == 0 {
+		return
+	}
+	var sourceType argoappv1.ApplicationSourceType
+	if st, _ := app.Spec.Source.ExplicitType(); st != nil {
+		sourceType = *st
+	} else if app.Status.SourceType != "" {
+		sourceType = app.Status.SourceType
+	} else {
+		// HACK: we don't know the source type, so make an educated guess based on the supplied
+		// parameter string. This code handles the corner case where app doesn't exist yet, and the
+		// command is something like: `argocd app create MYAPP -p foo=bar`
+		// This logic is not foolproof, but when ksonnet is deprecated, this will no longer matter
+		// since helm will remain as the only source type which has parameters.
+		if len(strings.SplitN(parameters[0], "=", 3)) == 3 {
+			sourceType = argoappv1.ApplicationSourceTypeKsonnet
+		} else if len(strings.SplitN(parameters[0], "=", 2)) == 2 {
+			sourceType = argoappv1.ApplicationSourceTypeHelm
+		}
+	}
+
+	switch sourceType {
+	case argoappv1.ApplicationSourceTypeKsonnet:
+		if app.Spec.Source.Ksonnet == nil {
+			app.Spec.Source.Ksonnet = &argoappv1.ApplicationSourceKsonnet{}
+		}
+		for _, paramStr := range parameters {
+			parts := strings.SplitN(paramStr, "=", 3)
+			if len(parts) != 3 {
+				log.Fatalf("Expected ksonnet parameter of the form: component=param=value. Received: %s", paramStr)
+			}
+			newParam := argoappv1.KsonnetParameter{
+				Component: parts[0],
+				Name:      parts[1],
+				Value:     parts[2],
+			}
+			found := false
+			for i, cp := range app.Spec.Source.Ksonnet.Parameters {
+				if cp.Component == newParam.Component && cp.Name == newParam.Name {
+					found = true
+					app.Spec.Source.Ksonnet.Parameters[i] = newParam
+					break
+				}
+			}
+			if !found {
+				app.Spec.Source.Ksonnet.Parameters = append(app.Spec.Source.Ksonnet.Parameters, newParam)
+			}
+		}
+	case argoappv1.ApplicationSourceTypeHelm:
+		if app.Spec.Source.Helm == nil {
+			app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{}
+		}
+		for _, p := range parameters {
+			newParam, err := argoappv1.NewHelmParameter(p, false)
+			if err != nil {
+				log.Error(err)
+				continue
+			}
+			app.Spec.Source.Helm.AddParameter(*newParam)
+		}
+	default:
+		log.Fatalf("Parameters can only be set against Ksonnet or Helm applications")
+	}
+}
+
+func readApps(yml []byte, apps *[]*argoappv1.Application) error {
+	yamls, _ := kube.SplitYAMLToString(yml)
+
+	var err error
+
+	for _, yml := range yamls {
+		var app argoappv1.Application
+		err = config.Unmarshal([]byte(yml), &app)
+		*apps = append(*apps, &app)
+		if err != nil {
+			return err
+		}
+	}
+
+	return err
+}
+
+func readAppsFromStdin(apps *[]*argoappv1.Application) error {
+	reader := bufio.NewReader(os.Stdin)
+	data, err := ioutil.ReadAll(reader)
+	if err != nil {
+		return err
+	}
+	err = readApps(data, apps)
+	if err != nil {
+		return fmt.Errorf("unable to read manifest from stdin: %v", err)
+	}
+	return nil
+}
+
+func readAppsFromURI(fileURL string, apps *[]*argoappv1.Application) error {
+
+	readFilePayload := func() ([]byte, error) {
+		parsedURL, err := url.ParseRequestURI(fileURL)
+		if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
+			return ioutil.ReadFile(fileURL)
+		}
+		return config.ReadRemoteFile(fileURL)
+	}
+
+	yml, err := readFilePayload()
+	if err != nil {
+		return err
+	}
+
+	return readApps(yml, apps)
+}
+
+func constructAppsFromStdin() ([]*argoappv1.Application, error) {
+	apps := make([]*argoappv1.Application, 0)
+	// read stdin
+	err := readAppsFromStdin(&apps)
+	if err != nil {
+		return nil, err
+	}
+	return apps, nil
+}
+
+func constructAppsBaseOnName(appName string, labels, annotations, args []string, appOpts AppOptions, flags *pflag.FlagSet) ([]*argoappv1.Application, error) {
+	var app *argoappv1.Application
+	// read arguments
+	if len(args) == 1 {
+		if appName != "" && appName != args[0] {
+			return nil, fmt.Errorf("--name argument '%s' does not match app name %s", appName, args[0])
+		}
+		appName = args[0]
+	}
+	app = &argoappv1.Application{
+		TypeMeta: v1.TypeMeta{
+			Kind:       application.ApplicationKind,
+			APIVersion: application.Group + "/v1alpha1",
+		},
+		ObjectMeta: v1.ObjectMeta{
+			Name: appName,
+		},
+	}
+	SetAppSpecOptions(flags, &app.Spec, &appOpts)
+	SetParameterOverrides(app, appOpts.Parameters)
+	mergeLabels(app, labels)
+	setAnnotations(app, annotations)
+	return []*argoappv1.Application{
+		app,
+	}, nil
+}
+
+func constructAppsFromFileUrl(fileURL, appName string, labels, annotations, args []string, appOpts AppOptions, flags *pflag.FlagSet) ([]*argoappv1.Application, error) {
+	apps := make([]*argoappv1.Application, 0)
+	// read uri
+	err := readAppsFromURI(fileURL, &apps)
+	if err != nil {
+		return nil, err
+	}
+	for _, app := range apps {
+		if len(args) == 1 && args[0] != app.Name {
+			return nil, fmt.Errorf("app name '%s' does not match app spec metadata.name '%s'", args[0], app.Name)
+		}
+		if appName != "" && appName != app.Name {
+			app.Name = appName
+		}
+		if app.Name == "" {
+			return nil, fmt.Errorf("app.Name is empty. --name argument can be used to provide app.Name")
+		}
+		SetAppSpecOptions(flags, &app.Spec, &appOpts)
+		SetParameterOverrides(app, appOpts.Parameters)
+		mergeLabels(app, labels)
+		setAnnotations(app, annotations)
+	}
+	return apps, nil
+}
+
+func ConstructApps(fileURL, appName string, labels, annotations, args []string, appOpts AppOptions, flags *pflag.FlagSet) ([]*argoappv1.Application, error) {
+	if fileURL == "-" {
+		return constructAppsFromStdin()
+	} else if fileURL != "" {
+		return constructAppsFromFileUrl(fileURL, appName, labels, annotations, args, appOpts, flags)
+	}
+	return constructAppsBaseOnName(appName, labels, annotations, args, appOpts, flags)
+}
+
+func mergeLabels(app *argoappv1.Application, labels []string) {
+	mapLabels, err := label.Parse(labels)
+	errors.CheckError(err)
+
+	mergedLabels := make(map[string]string)
+
+	for name, value := range app.GetLabels() {
+		mergedLabels[name] = value
+	}
+
+	for name, value := range mapLabels {
+		mergedLabels[name] = value
+	}
+
+	app.SetLabels(mergedLabels)
+}
+
+func setAnnotations(app *argoappv1.Application, annotations []string) {
+	if len(annotations) > 0 && app.Annotations == nil {
+		app.Annotations = map[string]string{}
+	}
+	for _, a := range annotations {
+		annotation := strings.SplitN(a, "=", 2)
+		if len(annotation) == 2 {
+			app.Annotations[annotation[0]] = annotation[1]
+		} else {
+			app.Annotations[annotation[0]] = ""
+		}
+	}
+}

cmd/util/app_test.go

@@ -0,0 +1,304 @@
+package util
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func Test_setHelmOpt(t *testing.T) {
+	t.Run("Zero", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{})
+		assert.Nil(t, src.Helm)
+	})
+	t.Run("ValueFiles", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{valueFiles: []string{"foo"}})
+		assert.Equal(t, []string{"foo"}, src.Helm.ValueFiles)
+	})
+	t.Run("ReleaseName", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{releaseName: "foo"})
+		assert.Equal(t, "foo", src.Helm.ReleaseName)
+	})
+	t.Run("HelmSets", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSets: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar"}}, src.Helm.Parameters)
+	})
+	t.Run("HelmSetStrings", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSetStrings: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar", ForceString: true}}, src.Helm.Parameters)
+	})
+	t.Run("HelmSetFiles", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSetFiles: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmFileParameter{{Name: "foo", Path: "bar"}}, src.Helm.FileParameters)
+	})
+	t.Run("Version", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{version: "v3"})
+		assert.Equal(t, "v3", src.Helm.Version)
+	})
+	t.Run("HelmPassCredentials", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{passCredentials: true})
+		assert.Equal(t, true, src.Helm.PassCredentials)
+	})
+}
+
+func Test_setKustomizeOpt(t *testing.T) {
+	t.Run("No kustomize", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{})
+		assert.Nil(t, src.Kustomize)
+	})
+	t.Run("Name prefix", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{namePrefix: "test-"})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{NamePrefix: "test-"}, src.Kustomize)
+	})
+	t.Run("Name suffix", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{nameSuffix: "-test"})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{NameSuffix: "-test"}, src.Kustomize)
+	})
+	t.Run("Images", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{images: []string{"org/image:v1", "org/image:v2"}})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{Images: v1alpha1.KustomizeImages{v1alpha1.KustomizeImage("org/image:v2")}}, src.Kustomize)
+	})
+	t.Run("Version", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{version: "v0.1"})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{Version: "v0.1"}, src.Kustomize)
+	})
+	t.Run("Common labels", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{commonLabels: map[string]string{"foo1": "bar1", "foo2": "bar2"}})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{CommonLabels: map[string]string{"foo1": "bar1", "foo2": "bar2"}}, src.Kustomize)
+	})
+	t.Run("Common annotations", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{commonAnnotations: map[string]string{"foo1": "bar1", "foo2": "bar2"}})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{CommonAnnotations: map[string]string{"foo1": "bar1", "foo2": "bar2"}}, src.Kustomize)
+	})
+}
+
+func Test_setJsonnetOpt(t *testing.T) {
+	t.Run("TlaSets", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setJsonnetOpt(&src, []string{"foo=bar"}, false)
+		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}}, src.Directory.Jsonnet.TLAs)
+		setJsonnetOpt(&src, []string{"bar=baz"}, false)
+		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}, {Name: "bar", Value: "baz"}}, src.Directory.Jsonnet.TLAs)
+	})
+	t.Run("ExtSets", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setJsonnetOptExtVar(&src, []string{"foo=bar"}, false)
+		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}}, src.Directory.Jsonnet.ExtVars)
+		setJsonnetOptExtVar(&src, []string{"bar=baz"}, false)
+		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}, {Name: "bar", Value: "baz"}}, src.Directory.Jsonnet.ExtVars)
+	})
+}
+
+func Test_setPluginOptEnvs(t *testing.T) {
+	t.Run("PluginEnvs", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setPluginOptEnvs(&src, []string{"FOO=bar"})
+		assert.Equal(t, v1alpha1.EnvEntry{Name: "FOO", Value: "bar"}, *src.Plugin.Env[0])
+		setPluginOptEnvs(&src, []string{"BAR=baz"})
+		assert.Equal(t, v1alpha1.EnvEntry{Name: "BAR", Value: "baz"}, *src.Plugin.Env[1])
+		setPluginOptEnvs(&src, []string{"FOO=baz"})
+		assert.Equal(t, v1alpha1.EnvEntry{Name: "FOO", Value: "baz"}, *src.Plugin.Env[0])
+	})
+}
+
+type appOptionsFixture struct {
+	spec    *v1alpha1.ApplicationSpec
+	command *cobra.Command
+	options *AppOptions
+}
+
+func (f *appOptionsFixture) SetFlag(key, value string) error {
+	err := f.command.Flags().Set(key, value)
+	if err != nil {
+		return err
+	}
+	_ = SetAppSpecOptions(f.command.Flags(), f.spec, f.options)
+	return err
+}
+
+func newAppOptionsFixture() *appOptionsFixture {
+	fixture := &appOptionsFixture{
+		spec:    &v1alpha1.ApplicationSpec{},
+		command: &cobra.Command{},
+		options: &AppOptions{},
+	}
+	AddAppFlags(fixture.command, fixture.options)
+	return fixture
+}
+
+func Test_setAppSpecOptions(t *testing.T) {
+	f := newAppOptionsFixture()
+	t.Run("SyncPolicy", func(t *testing.T) {
+		assert.NoError(t, f.SetFlag("sync-policy", "automated"))
+		assert.NotNil(t, f.spec.SyncPolicy.Automated)
+
+		f.spec.SyncPolicy = nil
+		assert.NoError(t, f.SetFlag("sync-policy", "automatic"))
+		assert.NotNil(t, f.spec.SyncPolicy.Automated)
+
+		f.spec.SyncPolicy = nil
+		assert.NoError(t, f.SetFlag("sync-policy", "auto"))
+		assert.NotNil(t, f.spec.SyncPolicy.Automated)
+
+		assert.NoError(t, f.SetFlag("sync-policy", "none"))
+		assert.Nil(t, f.spec.SyncPolicy)
+	})
+	t.Run("SyncOptions", func(t *testing.T) {
+		assert.NoError(t, f.SetFlag("sync-option", "a=1"))
+		assert.True(t, f.spec.SyncPolicy.SyncOptions.HasOption("a=1"))
+
+		// remove the options using !
+		assert.NoError(t, f.SetFlag("sync-option", "!a=1"))
+		assert.Nil(t, f.spec.SyncPolicy)
+	})
+	t.Run("RetryLimit", func(t *testing.T) {
+		assert.NoError(t, f.SetFlag("sync-retry-limit", "5"))
+		assert.True(t, f.spec.SyncPolicy.Retry.Limit == 5)
+
+		assert.NoError(t, f.SetFlag("sync-retry-limit", "0"))
+		assert.Nil(t, f.spec.SyncPolicy.Retry)
+	})
+}
+
+func Test_setAnnotations(t *testing.T) {
+	t.Run("Annotations", func(t *testing.T) {
+		app := v1alpha1.Application{}
+		setAnnotations(&app, []string{"hoge=foo", "huga=bar"})
+		assert.Equal(t, map[string]string{"hoge": "foo", "huga": "bar"}, app.Annotations)
+	})
+	t.Run("Annotations value contains equal", func(t *testing.T) {
+		app := v1alpha1.Application{}
+		setAnnotations(&app, []string{"hoge=foo=bar"})
+		assert.Equal(t, map[string]string{"hoge": "foo=bar"}, app.Annotations)
+	})
+	t.Run("Annotations empty value", func(t *testing.T) {
+		app := v1alpha1.Application{}
+		setAnnotations(&app, []string{"hoge"})
+		assert.Equal(t, map[string]string{"hoge": ""}, app.Annotations)
+	})
+}
+
+const appsYaml = `---
+# Source: apps/templates/helm.yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sth1
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: sth
+    server: 'https://kubernetes.default.svc'
+  project: default
+  source:
+    repoURL: 'https://github.com/pasha-codefresh/argocd-example-apps'
+    targetRevision: HEAD
+    path: apps
+    helm:
+      valueFiles:
+        - values.yaml
+---
+# Source: apps/templates/helm.yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: sth2
+  namespace: argocd
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: sth
+    server: 'https://kubernetes.default.svc'
+  project: default
+  source:
+    repoURL: 'https://github.com/pasha-codefresh/argocd-example-apps'
+    targetRevision: HEAD
+    path: apps
+    helm:
+      valueFiles:
+        - values.yaml`
+
+func TestReadAppsFromURI(t *testing.T) {
+	file, err := ioutil.TempFile(os.TempDir(), "")
+	if err != nil {
+		panic(err)
+	}
+	defer func() {
+		_ = os.Remove(file.Name())
+	}()
+
+	_, _ = file.WriteString(appsYaml)
+	_ = file.Sync()
+
+	apps := make([]*argoappv1.Application, 0)
+	err = readAppsFromURI(file.Name(), &apps)
+	assert.NoError(t, err)
+	assert.Equal(t, 2, len(apps))
+
+	assert.Equal(t, "sth1", apps[0].Name)
+	assert.Equal(t, "sth2", apps[1].Name)
+
+}
+
+func TestConstructAppFromStdin(t *testing.T) {
+	file, err := ioutil.TempFile(os.TempDir(), "")
+	if err != nil {
+		panic(err)
+	}
+	defer func() {
+		_ = os.Remove(file.Name())
+	}()
+
+	_, _ = file.WriteString(appsYaml)
+	_ = file.Sync()
+
+	if _, err := file.Seek(0, 0); err != nil {
+		log.Fatal(err)
+	}
+
+	os.Stdin = file
+
+	apps, err := ConstructApps("-", "test", []string{}, []string{}, []string{}, AppOptions{}, nil)
+
+	if err := file.Close(); err != nil {
+		log.Fatal(err)
+	}
+	assert.NoError(t, err)
+	assert.Equal(t, 2, len(apps))
+	assert.Equal(t, "sth1", apps[0].Name)
+	assert.Equal(t, "sth2", apps[1].Name)
+
+}
+
+func TestConstructBasedOnName(t *testing.T) {
+	apps, err := ConstructApps("", "test", []string{}, []string{}, []string{}, AppOptions{}, nil)
+
+	assert.NoError(t, err)
+	assert.Equal(t, 1, len(apps))
+	assert.Equal(t, "test", apps[0].Name)
+}

cmd/util/cluster.go

@@ -0,0 +1,139 @@
+package util
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"sort"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+)
+
+func PrintKubeContexts(ca clientcmd.ConfigAccess) {
+	config, err := ca.GetStartingConfig()
+	errors.CheckError(err)
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	defer func() { _ = w.Flush() }()
+	columnNames := []string{"CURRENT", "NAME", "CLUSTER", "SERVER"}
+	_, err = fmt.Fprintf(w, "%s\n", strings.Join(columnNames, "\t"))
+	errors.CheckError(err)
+
+	// sort names so output is deterministic
+	contextNames := make([]string, 0)
+	for name := range config.Contexts {
+		contextNames = append(contextNames, name)
+	}
+	sort.Strings(contextNames)
+
+	if config.Clusters == nil {
+		return
+	}
+
+	for _, name := range contextNames {
+		// ignore malformed kube config entries
+		context := config.Contexts[name]
+		if context == nil {
+			continue
+		}
+		cluster := config.Clusters[context.Cluster]
+		if cluster == nil {
+			continue
+		}
+		prefix := " "
+		if config.CurrentContext == name {
+			prefix = "*"
+		}
+		_, err := fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", prefix, name, context.Cluster, cluster.Server)
+		errors.CheckError(err)
+	}
+}
+
+func NewCluster(name string, namespaces []string, clusterResources bool, conf *rest.Config, managerBearerToken string, awsAuthConf *argoappv1.AWSAuthConfig, execProviderConf *argoappv1.ExecProviderConfig, labels, annotations map[string]string) *argoappv1.Cluster {
+	tlsClientConfig := argoappv1.TLSClientConfig{
+		Insecure:   conf.TLSClientConfig.Insecure,
+		ServerName: conf.TLSClientConfig.ServerName,
+		CAData:     conf.TLSClientConfig.CAData,
+		CertData:   conf.TLSClientConfig.CertData,
+		KeyData:    conf.TLSClientConfig.KeyData,
+	}
+	if len(conf.TLSClientConfig.CAData) == 0 && conf.TLSClientConfig.CAFile != "" {
+		data, err := ioutil.ReadFile(conf.TLSClientConfig.CAFile)
+		errors.CheckError(err)
+		tlsClientConfig.CAData = data
+	}
+	if len(conf.TLSClientConfig.CertData) == 0 && conf.TLSClientConfig.CertFile != "" {
+		data, err := ioutil.ReadFile(conf.TLSClientConfig.CertFile)
+		errors.CheckError(err)
+		tlsClientConfig.CertData = data
+	}
+	if len(conf.TLSClientConfig.KeyData) == 0 && conf.TLSClientConfig.KeyFile != "" {
+		data, err := ioutil.ReadFile(conf.TLSClientConfig.KeyFile)
+		errors.CheckError(err)
+		tlsClientConfig.KeyData = data
+	}
+
+	clst := argoappv1.Cluster{
+		Server:           conf.Host,
+		Name:             name,
+		Namespaces:       namespaces,
+		ClusterResources: clusterResources,
+		Config: argoappv1.ClusterConfig{
+			TLSClientConfig:    tlsClientConfig,
+			AWSAuthConfig:      awsAuthConf,
+			ExecProviderConfig: execProviderConf,
+		},
+		Labels:      labels,
+		Annotations: annotations,
+	}
+
+	// Bearer token will preferentially be used for auth if present,
+	// Even in presence of key/cert credentials
+	// So set bearer token only if the key/cert data is absent
+	if len(tlsClientConfig.CertData) == 0 || len(tlsClientConfig.KeyData) == 0 {
+		clst.Config.BearerToken = managerBearerToken
+	}
+
+	return &clst
+}
+
+type ClusterOptions struct {
+	InCluster               bool
+	Upsert                  bool
+	ServiceAccount          string
+	AwsRoleArn              string
+	AwsClusterName          string
+	SystemNamespace         string
+	Namespaces              []string
+	ClusterResources        bool
+	Name                    string
+	Project                 string
+	Shard                   int64
+	ExecProviderCommand     string
+	ExecProviderArgs        []string
+	ExecProviderEnv         map[string]string
+	ExecProviderAPIVersion  string
+	ExecProviderInstallHint string
+}
+
+func AddClusterFlags(command *cobra.Command, opts *ClusterOptions) {
+	command.Flags().BoolVar(&opts.InCluster, "in-cluster", false, "Indicates Argo CD resides inside this cluster and should connect using the internal k8s hostname (kubernetes.default.svc)")
+	command.Flags().StringVar(&opts.AwsClusterName, "aws-cluster-name", "", "AWS Cluster name if set then aws cli eks token command will be used to access cluster")
+	command.Flags().StringVar(&opts.AwsRoleArn, "aws-role-arn", "", "Optional AWS role arn. If set then AWS IAM Authenticator assumes a role to perform cluster operations instead of the default AWS credential provider chain.")
+	command.Flags().StringArrayVar(&opts.Namespaces, "namespace", nil, "List of namespaces which are allowed to manage")
+	command.Flags().BoolVar(&opts.ClusterResources, "cluster-resources", false, "Indicates if cluster level resources should be managed. The setting is used only if list of managed namespaces is not empty.")
+	command.Flags().StringVar(&opts.Name, "name", "", "Overwrite the cluster name")
+	command.Flags().StringVar(&opts.Project, "project", "", "project of the cluster")
+	command.Flags().Int64Var(&opts.Shard, "shard", -1, "Cluster shard number; inferred from hostname if not set")
+	command.Flags().StringVar(&opts.ExecProviderCommand, "exec-command", "", "Command to run to provide client credentials to the cluster. You may need to build a custom ArgoCD image to ensure the command is available at runtime.")
+	command.Flags().StringArrayVar(&opts.ExecProviderArgs, "exec-command-args", nil, "Arguments to supply to the --exec-command executable")
+	command.Flags().StringToStringVar(&opts.ExecProviderEnv, "exec-command-env", nil, "Environment vars to set when running the --exec-command executable")
+	command.Flags().StringVar(&opts.ExecProviderAPIVersion, "exec-command-api-version", "", "Preferred input version of the ExecInfo for the --exec-command executable")
+	command.Flags().StringVar(&opts.ExecProviderInstallHint, "exec-command-install-hint", "", "Text shown to the user when the --exec-command executable doesn't seem to be present")
+}

cmd/util/cluster_test.go

@@ -0,0 +1,71 @@
+package util
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/client-go/rest"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func Test_newCluster(t *testing.T) {
+	labels := map[string]string{"key1": "val1"}
+	annotations := map[string]string{"key2": "val2"}
+	clusterWithData := NewCluster("test-cluster", []string{"test-namespace"}, false, &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure:   false,
+			ServerName: "test-endpoint.example.com",
+			CAData:     []byte("test-ca-data"),
+			CertData:   []byte("test-cert-data"),
+			KeyData:    []byte("test-key-data"),
+		},
+		Host: "test-endpoint.example.com",
+	},
+		"test-bearer-token",
+		&v1alpha1.AWSAuthConfig{},
+		&v1alpha1.ExecProviderConfig{}, labels, annotations)
+
+	assert.Equal(t, "test-cert-data", string(clusterWithData.Config.CertData))
+	assert.Equal(t, "test-key-data", string(clusterWithData.Config.KeyData))
+	assert.Equal(t, "", clusterWithData.Config.BearerToken)
+	assert.Equal(t, labels, clusterWithData.Labels)
+	assert.Equal(t, annotations, clusterWithData.Annotations)
+
+	clusterWithFiles := NewCluster("test-cluster", []string{"test-namespace"}, false, &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure:   false,
+			ServerName: "test-endpoint.example.com",
+			CAData:     []byte("test-ca-data"),
+			CertFile:   "./testdata/test.cert.pem",
+			KeyFile:    "./testdata/test.key.pem",
+		},
+		Host: "test-endpoint.example.com",
+	},
+		"test-bearer-token",
+		&v1alpha1.AWSAuthConfig{},
+		&v1alpha1.ExecProviderConfig{}, labels, nil)
+
+	assert.True(t, strings.Contains(string(clusterWithFiles.Config.CertData), "test-cert-data"))
+	assert.True(t, strings.Contains(string(clusterWithFiles.Config.KeyData), "test-key-data"))
+	assert.Equal(t, "", clusterWithFiles.Config.BearerToken)
+	assert.Equal(t, labels, clusterWithFiles.Labels)
+	assert.Nil(t, clusterWithFiles.Annotations)
+
+	clusterWithBearerToken := NewCluster("test-cluster", []string{"test-namespace"}, false, &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure:   false,
+			ServerName: "test-endpoint.example.com",
+			CAData:     []byte("test-ca-data"),
+		},
+		Host: "test-endpoint.example.com",
+	},
+		"test-bearer-token",
+		&v1alpha1.AWSAuthConfig{},
+		&v1alpha1.ExecProviderConfig{}, nil, nil)
+
+	assert.Equal(t, "test-bearer-token", clusterWithBearerToken.Config.BearerToken)
+	assert.Nil(t, clusterWithBearerToken.Labels)
+	assert.Nil(t, clusterWithBearerToken.Annotations)
+}

cmd/util/common.go

@@ -0,0 +1,6 @@
+package util
+
+var (
+	LogFormat string
+	LogLevel  string
+)

cmd/util/project.go

@@ -0,0 +1,202 @@
+package util
+
+import (
+	"bufio"
+	"fmt"
+	"log"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/config"
+	"github.com/argoproj/argo-cd/v2/util/gpg"
+)
+
+type ProjectOpts struct {
+	Description   string
+	destinations  []string
+	Sources       []string
+	SignatureKeys []string
+
+	orphanedResourcesEnabled   bool
+	orphanedResourcesWarn      bool
+	allowedClusterResources    []string
+	deniedClusterResources     []string
+	allowedNamespacedResources []string
+	deniedNamespacedResources  []string
+}
+
+func AddProjFlags(command *cobra.Command, opts *ProjectOpts) {
+	command.Flags().StringVarP(&opts.Description, "description", "", "", "Project description")
+	command.Flags().StringArrayVarP(&opts.destinations, "dest", "d", []string{},
+		"Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)")
+	command.Flags().StringArrayVarP(&opts.Sources, "src", "s", []string{}, "Permitted source repository URL")
+	command.Flags().StringSliceVar(&opts.SignatureKeys, "signature-keys", []string{}, "GnuPG public key IDs for commit signature verification")
+	command.Flags().BoolVar(&opts.orphanedResourcesEnabled, "orphaned-resources", false, "Enables orphaned resources monitoring")
+	command.Flags().BoolVar(&opts.orphanedResourcesWarn, "orphaned-resources-warn", false, "Specifies if applications should have a warning condition when orphaned resources detected")
+	command.Flags().StringArrayVar(&opts.allowedClusterResources, "allow-cluster-resource", []string{}, "List of allowed cluster level resources")
+	command.Flags().StringArrayVar(&opts.deniedClusterResources, "deny-cluster-resource", []string{}, "List of denied cluster level resources")
+	command.Flags().StringArrayVar(&opts.allowedNamespacedResources, "allow-namespaced-resource", []string{}, "List of allowed namespaced resources")
+	command.Flags().StringArrayVar(&opts.deniedNamespacedResources, "deny-namespaced-resource", []string{}, "List of denied namespaced resources")
+
+}
+
+func getGroupKindList(values []string) []v1.GroupKind {
+	var res []v1.GroupKind
+	for _, val := range values {
+		if parts := strings.Split(val, "/"); len(parts) == 2 {
+			res = append(res, v1.GroupKind{Group: parts[0], Kind: parts[1]})
+		} else if len(parts) == 1 {
+			res = append(res, v1.GroupKind{Kind: parts[0]})
+		}
+	}
+	return res
+}
+
+func (opts *ProjectOpts) GetAllowedClusterResources() []v1.GroupKind {
+	return getGroupKindList(opts.allowedClusterResources)
+}
+
+func (opts *ProjectOpts) GetDeniedClusterResources() []v1.GroupKind {
+	return getGroupKindList(opts.deniedClusterResources)
+}
+
+func (opts *ProjectOpts) GetAllowedNamespacedResources() []v1.GroupKind {
+	return getGroupKindList(opts.allowedNamespacedResources)
+}
+
+func (opts *ProjectOpts) GetDeniedNamespacedResources() []v1.GroupKind {
+	return getGroupKindList(opts.deniedNamespacedResources)
+}
+
+func (opts *ProjectOpts) GetDestinations() []v1alpha1.ApplicationDestination {
+	destinations := make([]v1alpha1.ApplicationDestination, 0)
+	for _, destStr := range opts.destinations {
+		parts := strings.Split(destStr, ",")
+		if len(parts) != 2 {
+			log.Fatalf("Expected destination of the form: server,namespace. Received: %s", destStr)
+		} else {
+			destinations = append(destinations, v1alpha1.ApplicationDestination{
+				Server:    parts[0],
+				Namespace: parts[1],
+			})
+		}
+	}
+	return destinations
+}
+
+// TODO: Get configured keys and emit warning when a key is specified that is not configured
+func (opts *ProjectOpts) GetSignatureKeys() []v1alpha1.SignatureKey {
+	signatureKeys := make([]v1alpha1.SignatureKey, 0)
+	for _, keyStr := range opts.SignatureKeys {
+		if !gpg.IsShortKeyID(keyStr) && !gpg.IsLongKeyID(keyStr) {
+			log.Fatalf("'%s' is not a valid GnuPG key ID", keyStr)
+		}
+		signatureKeys = append(signatureKeys, v1alpha1.SignatureKey{KeyID: gpg.KeyID(keyStr)})
+	}
+	return signatureKeys
+}
+
+func GetOrphanedResourcesSettings(flagSet *pflag.FlagSet, opts ProjectOpts) *v1alpha1.OrphanedResourcesMonitorSettings {
+	warnChanged := flagSet.Changed("orphaned-resources-warn")
+	if opts.orphanedResourcesEnabled || warnChanged {
+		settings := v1alpha1.OrphanedResourcesMonitorSettings{}
+		if warnChanged {
+			settings.Warn = pointer.BoolPtr(opts.orphanedResourcesWarn)
+		}
+		return &settings
+	}
+	return nil
+}
+
+func readProjFromStdin(proj *v1alpha1.AppProject) error {
+	reader := bufio.NewReader(os.Stdin)
+	err := config.UnmarshalReader(reader, &proj)
+	if err != nil {
+		return fmt.Errorf("unable to read manifest from stdin: %v", err)
+	}
+	return nil
+}
+
+func readProjFromURI(fileURL string, proj *v1alpha1.AppProject) error {
+	parsedURL, err := url.ParseRequestURI(fileURL)
+	if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
+		err = config.UnmarshalLocalFile(fileURL, &proj)
+	} else {
+		err = config.UnmarshalRemoteFile(fileURL, &proj)
+	}
+	return err
+}
+
+func SetProjSpecOptions(flags *pflag.FlagSet, spec *v1alpha1.AppProjectSpec, projOpts *ProjectOpts) int {
+	visited := 0
+	flags.Visit(func(f *pflag.Flag) {
+		visited++
+		switch f.Name {
+		case "description":
+			spec.Description = projOpts.Description
+		case "dest":
+			spec.Destinations = projOpts.GetDestinations()
+		case "src":
+			spec.SourceRepos = projOpts.Sources
+		case "signature-keys":
+			spec.SignatureKeys = projOpts.GetSignatureKeys()
+		case "allow-cluster-resource":
+			spec.ClusterResourceWhitelist = projOpts.GetAllowedClusterResources()
+		case "deny-cluster-resource":
+			spec.ClusterResourceBlacklist = projOpts.GetDeniedClusterResources()
+		case "allow-namespaced-resource":
+			spec.NamespaceResourceWhitelist = projOpts.GetAllowedNamespacedResources()
+		case "deny-namespaced-resource":
+			spec.NamespaceResourceBlacklist = projOpts.GetDeniedNamespacedResources()
+		}
+	})
+	if flags.Changed("orphaned-resources") || flags.Changed("orphaned-resources-warn") {
+		spec.OrphanedResources = GetOrphanedResourcesSettings(flags, *projOpts)
+		visited++
+	}
+	return visited
+}
+
+func ConstructAppProj(fileURL string, args []string, opts ProjectOpts, c *cobra.Command) (*v1alpha1.AppProject, error) {
+	var proj = v1alpha1.AppProject{
+		TypeMeta: v1.TypeMeta{
+			Kind:       application.AppProjectKind,
+			APIVersion: application.Group + "/v1alpha1",
+		},
+	}
+	if fileURL == "-" {
+		// read stdin
+		err := readProjFromStdin(&proj)
+		if err != nil {
+			return nil, err
+		}
+	} else if fileURL != "" {
+		// read uri
+		err := readProjFromURI(fileURL, &proj)
+		if err != nil {
+			return nil, err
+		}
+
+		if len(args) == 1 && args[0] != proj.Name {
+			return nil, fmt.Errorf("project name '%s' does not match project spec metadata.name '%s'", args[0], proj.Name)
+		}
+	} else {
+		// read arguments
+		if len(args) == 0 {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		}
+		proj.Name = args[0]
+	}
+	SetProjSpecOptions(c.Flags(), &proj.Spec, &opts)
+
+	return &proj, nil
+}

cmd/util/project_test.go

@@ -0,0 +1,24 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestProjectOpts_ResourceLists(t *testing.T) {
+	opts := ProjectOpts{
+		allowedNamespacedResources: []string{"ConfigMap"},
+		deniedNamespacedResources:  []string{"apps/DaemonSet"},
+		allowedClusterResources:    []string{"apiextensions.k8s.io/CustomResourceDefinition"},
+		deniedClusterResources:     []string{"rbac.authorization.k8s.io/ClusterRole"},
+	}
+
+	assert.ElementsMatch(t,
+		[]v1.GroupKind{{Kind: "ConfigMap"}}, opts.GetAllowedNamespacedResources(),
+		[]v1.GroupKind{{Group: "apps", Kind: "DaemonSet"}}, opts.GetDeniedNamespacedResources(),
+		[]v1.GroupKind{{Group: "apiextensions.k8s.io", Kind: "CustomResourceDefinition"}}, opts.GetAllowedClusterResources(),
+		[]v1.GroupKind{{Group: "rbac.authorization.k8s.io", Kind: "ClusterRole"}}, opts.GetDeniedClusterResources(),
+	)
+}

cmd/util/repo.go

@@ -0,0 +1,45 @@
+package util
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/v2/common"
+	appsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+type RepoOptions struct {
+	Repo                           appsv1.Repository
+	Upsert                         bool
+	SshPrivateKeyPath              string
+	InsecureIgnoreHostKey          bool
+	InsecureSkipServerVerification bool
+	TlsClientCertPath              string
+	TlsClientCertKeyPath           string
+	EnableLfs                      bool
+	EnableOci                      bool
+	GithubAppId                    int64
+	GithubAppInstallationId        int64
+	GithubAppPrivateKeyPath        string
+	GitHubAppEnterpriseBaseURL     string
+	Proxy                          string
+}
+
+func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
+	command.Flags().StringVar(&opts.Repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
+	command.Flags().StringVar(&opts.Repo.Name, "name", "", "name of the repository, mandatory for repositories of type helm")
+	command.Flags().StringVar(&opts.Repo.Project, "project", "", "project of the repository")
+	command.Flags().StringVar(&opts.Repo.Username, "username", "", "username to the repository")
+	command.Flags().StringVar(&opts.Repo.Password, "password", "", "password to the repository")
+	command.Flags().StringVar(&opts.SshPrivateKeyPath, "ssh-private-key-path", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
+	command.Flags().StringVar(&opts.TlsClientCertPath, "tls-client-cert-path", "", "path to the TLS client cert (must be PEM format)")
+	command.Flags().StringVar(&opts.TlsClientCertKeyPath, "tls-client-cert-key-path", "", "path to the TLS client cert's key path (must be PEM format)")
+	command.Flags().BoolVar(&opts.InsecureIgnoreHostKey, "insecure-ignore-host-key", false, "disables SSH strict host key checking (deprecated, use --insecure-skip-server-verification instead)")
+	command.Flags().BoolVar(&opts.InsecureSkipServerVerification, "insecure-skip-server-verification", false, "disables server certificate and host key checks")
+	command.Flags().BoolVar(&opts.EnableLfs, "enable-lfs", false, "enable git-lfs (Large File Support) on this repository")
+	command.Flags().BoolVar(&opts.EnableOci, "enable-oci", false, "enable helm-oci (Helm OCI-Based Repository)")
+	command.Flags().Int64Var(&opts.GithubAppId, "github-app-id", 0, "id of the GitHub Application")
+	command.Flags().Int64Var(&opts.GithubAppInstallationId, "github-app-installation-id", 0, "installation id of the GitHub Application")
+	command.Flags().StringVar(&opts.GithubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
+	command.Flags().StringVar(&opts.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
+	command.Flags().StringVar(&opts.Proxy, "proxy", "", "use proxy to access repository")
+}

cmpserver/apiclient/clientset.go

@@ -0,0 +1,66 @@
+package apiclient
+
+import (
+	"context"
+	"time"
+
+	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
+	grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/retry"
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+
+	grpc_util "github.com/argoproj/argo-cd/v2/util/grpc"
+	"github.com/argoproj/argo-cd/v2/util/io"
+)
+
+const (
+	// MaxGRPCMessageSize contains max grpc message size
+	MaxGRPCMessageSize = 100 * 1024 * 1024
+)
+
+// Clientset represents config management plugin server api clients
+type Clientset interface {
+	NewConfigManagementPluginClient() (io.Closer, ConfigManagementPluginServiceClient, error)
+}
+
+type clientSet struct {
+	address        string
+	timeoutSeconds int
+}
+
+func (c *clientSet) NewConfigManagementPluginClient() (io.Closer, ConfigManagementPluginServiceClient, error) {
+	conn, err := NewConnection(c.address, c.timeoutSeconds)
+	if err != nil {
+		return nil, nil, err
+	}
+	return conn, NewConfigManagementPluginServiceClient(conn), nil
+}
+
+func NewConnection(address string, timeoutSeconds int) (*grpc.ClientConn, error) {
+	retryOpts := []grpc_retry.CallOption{
+		grpc_retry.WithMax(3),
+		grpc_retry.WithBackoff(grpc_retry.BackoffLinear(1000 * time.Millisecond)),
+	}
+	unaryInterceptors := []grpc.UnaryClientInterceptor{grpc_retry.UnaryClientInterceptor(retryOpts...)}
+	if timeoutSeconds > 0 {
+		unaryInterceptors = append(unaryInterceptors, grpc_util.WithTimeout(time.Duration(timeoutSeconds)*time.Second))
+	}
+	dialOpts := []grpc.DialOption{
+		grpc.WithStreamInterceptor(grpc_retry.StreamClientInterceptor(retryOpts...)),
+		grpc.WithUnaryInterceptor(grpc_middleware.ChainUnaryClient(unaryInterceptors...)),
+		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(MaxGRPCMessageSize), grpc.MaxCallSendMsgSize(MaxGRPCMessageSize)),
+	}
+
+	dialOpts = append(dialOpts, grpc.WithInsecure())
+	conn, err := grpc_util.BlockingDial(context.Background(), "unix", address, nil, dialOpts...)
+	if err != nil {
+		log.Errorf("Unable to connect to config management plugin service with address %s", address)
+		return nil, err
+	}
+	return conn, nil
+}
+
+// NewCMPServerClientset creates new instance of config management plugin server Clientset
+func NewConfigManagementPluginClientSet(address string, timeoutSeconds int) Clientset {
+	return &clientSet{address: address, timeoutSeconds: timeoutSeconds}
+}

cmpserver/plugin/config.go

@@ -0,0 +1,91 @@
+package plugin
+
+import (
+	"fmt"
+	"strings"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/v2/common"
+	configUtil "github.com/argoproj/argo-cd/v2/util/config"
+)
+
+const (
+	ConfigManagementPluginKind string = "ConfigManagementPlugin"
+)
+
+type PluginConfig struct {
+	metav1.TypeMeta `json:",inline"`
+	Metadata        metav1.ObjectMeta `json:"metadata"`
+	Spec            PluginConfigSpec  `json:"spec"`
+}
+
+type PluginConfigSpec struct {
+	Version          string   `json:"version"`
+	Init             Command  `json:"init,omitempty"`
+	Generate         Command  `json:"generate"`
+	Discover         Discover `json:"discover"`
+	AllowConcurrency bool     `json:"allowConcurrency"`
+	LockRepo         bool     `json:"lockRepo"`
+}
+
+//Discover holds find and fileName
+type Discover struct {
+	Find     Find   `json:"find"`
+	FileName string `json:"fileName"`
+}
+
+// Command holds binary path and arguments list
+type Command struct {
+	Command []string `json:"command,omitempty"`
+	Args    []string `json:"args,omitempty"`
+}
+
+// Find holds find command or glob pattern
+type Find struct {
+	Command
+	Glob string `json:"glob"`
+}
+
+func ReadPluginConfig(filePath string) (*PluginConfig, error) {
+	path := fmt.Sprintf("%s/%s", strings.TrimRight(filePath, "/"), common.PluginConfigFileName)
+
+	var config PluginConfig
+	err := configUtil.UnmarshalLocalFile(path, &config)
+	if err != nil {
+		return nil, err
+	}
+
+	if err = ValidatePluginConfig(config); err != nil {
+		return nil, err
+	}
+
+	return &config, nil
+}
+
+func ValidatePluginConfig(config PluginConfig) error {
+	if config.Metadata.Name == "" {
+		return fmt.Errorf("invalid plugin configuration file. metadata.name should be non-empty.")
+	}
+	if config.TypeMeta.Kind != ConfigManagementPluginKind {
+		return fmt.Errorf("invalid plugin configuration file. kind should be %s, found %s", ConfigManagementPluginKind, config.TypeMeta.Kind)
+	}
+	if len(config.Spec.Generate.Command) == 0 {
+		return fmt.Errorf("invalid plugin configuration file. spec.generate command should be non-empty")
+	}
+	if config.Spec.Discover.Find.Glob == "" && len(config.Spec.Discover.Find.Command.Command) == 0 && config.Spec.Discover.FileName == "" {
+		return fmt.Errorf("invalid plugin configuration file. atleast one of discover.find.command or discover.find.glob or discover.fineName should be non-empty")
+	}
+	return nil
+}
+
+func (cfg *PluginConfig) Address() string {
+	var address string
+	pluginSockFilePath := common.GetPluginSockFilePath()
+	if cfg.Spec.Version != "" {
+		address = fmt.Sprintf("%s/%s-%s.sock", pluginSockFilePath, cfg.Metadata.Name, cfg.Spec.Version)
+	} else {
+		address = fmt.Sprintf("%s/%s.sock", pluginSockFilePath, cfg.Metadata.Name)
+	}
+	return address
+}

cmpserver/plugin/plugin.go

@@ -0,0 +1,137 @@
+package plugin
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/mattn/go-zglob"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/argoproj/argo-cd/v2/cmpserver/apiclient"
+	executil "github.com/argoproj/argo-cd/v2/util/exec"
+)
+
+// Service implements ConfigManagementPluginService interface
+type Service struct {
+	initConstants CMPServerInitConstants
+}
+
+type CMPServerInitConstants struct {
+	PluginConfig PluginConfig
+}
+
+// NewService returns a new instance of the ConfigManagementPluginService
+func NewService(initConstants CMPServerInitConstants) *Service {
+	return &Service{
+		initConstants: initConstants,
+	}
+}
+
+func runCommand(command Command, path string, env []string) (string, error) {
+	if len(command.Command) == 0 {
+		return "", fmt.Errorf("Command is empty")
+	}
+	cmd := exec.Command(command.Command[0], append(command.Command[1:], command.Args...)...)
+	cmd.Env = env
+	cmd.Dir = path
+	return executil.Run(cmd)
+}
+
+// Environ returns a list of environment variables in name=value format from a list of variables
+func environ(envVars []*apiclient.EnvEntry) []string {
+	var environ []string
+	for _, item := range envVars {
+		if item != nil && item.Name != "" && item.Value != "" {
+			environ = append(environ, fmt.Sprintf("%s=%s", item.Name, item.Value))
+		}
+	}
+	return environ
+}
+
+// GenerateManifest runs generate command from plugin config file and returns generated manifest files
+func (s *Service) GenerateManifest(ctx context.Context, q *apiclient.ManifestRequest) (*apiclient.ManifestResponse, error) {
+	config := s.initConstants.PluginConfig
+
+	env := append(os.Environ(), environ(q.Env)...)
+	if len(config.Spec.Init.Command) > 0 {
+		_, err := runCommand(config.Spec.Init, q.AppPath, env)
+		if err != nil {
+			return &apiclient.ManifestResponse{}, err
+		}
+	}
+
+	out, err := runCommand(config.Spec.Generate, q.AppPath, env)
+	if err != nil {
+		return &apiclient.ManifestResponse{}, err
+	}
+
+	manifests, err := kube.SplitYAMLToString([]byte(out))
+	if err != nil {
+		return &apiclient.ManifestResponse{}, err
+	}
+
+	return &apiclient.ManifestResponse{
+		Manifests: manifests,
+	}, err
+}
+
+// MatchRepository checks whether the application repository type is supported by config management plugin server
+func (s *Service) MatchRepository(ctx context.Context, q *apiclient.RepositoryRequest) (*apiclient.RepositoryResponse, error) {
+	var repoResponse apiclient.RepositoryResponse
+	config := s.initConstants.PluginConfig
+	if config.Spec.Discover.FileName != "" {
+		log.Debugf("config.Spec.Discover.FileName is provided")
+		pattern := strings.TrimSuffix(q.Path, "/") + "/" + strings.TrimPrefix(config.Spec.Discover.FileName, "/")
+		matches, err := filepath.Glob(pattern)
+		if err != nil || len(matches) == 0 {
+			log.Debugf("Could not find match for pattern %s. Error is %v.", pattern, err)
+			return &repoResponse, err
+		} else if len(matches) > 0 {
+			repoResponse.IsSupported = true
+			return &repoResponse, nil
+		}
+	}
+
+	if config.Spec.Discover.Find.Glob != "" {
+		log.Debugf("config.Spec.Discover.Find.Glob is provided")
+		pattern := strings.TrimSuffix(q.Path, "/") + "/" + strings.TrimPrefix(config.Spec.Discover.Find.Glob, "/")
+		// filepath.Glob doesn't have '**' support hence selecting third-party lib
+		// https://github.com/golang/go/issues/11862
+		matches, err := zglob.Glob(pattern)
+		if err != nil || len(matches) == 0 {
+			log.Debugf("Could not find match for pattern %s. Error is %v.", pattern, err)
+			return &repoResponse, err
+		} else if len(matches) > 0 {
+			repoResponse.IsSupported = true
+			return &repoResponse, nil
+		}
+	}
+
+	log.Debugf("Going to try runCommand.")
+	find, err := runCommand(config.Spec.Discover.Find.Command, q.Path, os.Environ())
+	if err != nil {
+		return &repoResponse, err
+	}
+
+	var isSupported bool
+	if find != "" {
+		isSupported = true
+	}
+	return &apiclient.RepositoryResponse{
+		IsSupported: isSupported,
+	}, nil
+}
+
+// GetPluginConfig returns plugin config
+func (s *Service) GetPluginConfig(ctx context.Context, q *apiclient.ConfigRequest) (*apiclient.ConfigResponse, error) {
+	config := s.initConstants.PluginConfig
+	return &apiclient.ConfigResponse{
+		AllowConcurrency: config.Spec.AllowConcurrency,
+		LockRepo:         config.Spec.LockRepo,
+	}, nil
+}

cmpserver/plugin/plugin.proto

@@ -0,0 +1,61 @@
+syntax = "proto3";
+option go_package = "github.com/argoproj/argo-cd/v2/cmpserver/apiclient";
+
+package plugin;
+
+import "k8s.io/api/core/v1/generated.proto";
+
+// ManifestRequest is a query for manifest generation.
+message ManifestRequest {
+    // Name of the application for which the request is triggered
+    string appName = 1;
+    string appPath = 2;
+    string repoPath = 3;
+    bool noCache = 4;
+    repeated EnvEntry env = 5;
+}
+
+// EnvEntry represents an entry in the application's environment
+message EnvEntry {
+    // Name is the name of the variable, usually expressed in uppercase
+    string name = 1;
+    // Value is the value of the variable
+    string value = 2;
+}
+
+message ManifestResponse {
+    repeated string manifests = 1;
+    string sourceType = 2;
+}
+
+message RepositoryRequest {
+    string path = 1;
+    repeated EnvEntry env = 2;
+}
+
+message RepositoryResponse {
+    bool isSupported = 1;
+}
+
+message ConfigRequest {
+}
+
+message ConfigResponse {
+    bool allowConcurrency = 1;
+    bool lockRepo = 2;
+}
+
+// ConfigManagementPlugin Service
+service ConfigManagementPluginService {
+    // GenerateManifest generates manifest for application in specified repo name and revision
+    rpc GenerateManifest(ManifestRequest) returns (ManifestResponse) {
+    }
+
+    // MatchRepository returns whether or not the given path is supported by the plugin
+    rpc MatchRepository(RepositoryRequest) returns (RepositoryResponse) {
+    }
+
+    // Get configuration of the plugin
+    rpc GetPluginConfig(ConfigRequest) returns (ConfigResponse) {
+    }
+}

cmpserver/plugin/plugin_test.go

@@ -0,0 +1,65 @@
+package plugin
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/argoproj/argo-cd/v2/cmpserver/apiclient"
+)
+
+func newService(configFilePath string) (*Service, error) {
+	config, err := ReadPluginConfig(configFilePath)
+	if err != nil {
+		return nil, err
+	}
+
+	initConstants := CMPServerInitConstants{
+		PluginConfig: *config,
+	}
+
+	service := &Service{
+		initConstants: initConstants,
+	}
+	return service, nil
+}
+
+func TestMatchRepository(t *testing.T) {
+	configFilePath := "./testdata/ksonnet/config"
+	service, err := newService(configFilePath)
+	require.NoError(t, err)
+
+	q := apiclient.RepositoryRequest{}
+	path, err := os.Getwd()
+	require.NoError(t, err)
+	q.Path = path
+
+	res1, err := service.MatchRepository(context.Background(), &q)
+	require.NoError(t, err)
+	require.True(t, res1.IsSupported)
+}
+
+func Test_Negative_ConfigFile_DoesnotExist(t *testing.T) {
+	configFilePath := "./testdata/kustomize-neg/config"
+	service, err := newService(configFilePath)
+	require.Error(t, err)
+	require.Nil(t, service)
+}
+
+func TestGenerateManifest(t *testing.T) {
+	configFilePath := "./testdata/kustomize/config"
+	service, err := newService(configFilePath)
+	require.NoError(t, err)
+
+	q := apiclient.ManifestRequest{}
+	res1, err := service.GenerateManifest(context.Background(), &q)
+	require.NoError(t, err)
+	require.NotNil(t, res1)
+
+	expectedOutput := "{\"apiVersion\":\"v1\",\"data\":{\"foo\":\"bar\"},\"kind\":\"ConfigMap\",\"metadata\":{\"name\":\"my-map\"}}"
+	if res1 != nil {
+		require.Equal(t, expectedOutput, res1.Manifests[0])
+	}
+}

cmpserver/plugin/testdata/ksonnet/config/plugin.yaml

@@ -0,0 +1,15 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ConfigManagementPlugin
+metadata:
+  name: ksonnet
+spec:
+  version: v1.0
+  init:
+    command: [ks, version]
+  generate:
+    command: [sh, -c, "ks show $ARGOCD_APP_ENV"]
+  discover:
+    find:
+      glob: "**/*/main.jsonnet"
+  allowConcurrency: false
+  lockRepo: false