Bump version to 1.7.2

* fix: Badge links are not generating properly when using --rootpath

* fix: fix lint error

* fix: use context.baseHref

VERSION

@@ -1 +1 @@
-1.7.0
+1.7.2

cmd/argocd-util/commands/apps.go

@@ -9,7 +9,6 @@ import (
 	"sort"
 	"time"
 
-	"github.com/argoproj/gitops-engine/pkg/diff"
 	"github.com/argoproj/gitops-engine/pkg/utils/errors"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/ghodss/yaml"
@@ -147,7 +146,7 @@ func diffReconcileResults(res1 reconcileResults, res2 reconcileResults) error {
 	})
 	for _, item := range pairs {
 		printLine(item.name)
-		_ = diff.PrintDiff(item.name, item.first, item.second)
+		_ = cli.PrintDiff(item.name, item.first, item.second)
 	}
 
 	return nil

cmd/argocd-util/commands/projects.go

@@ -12,7 +12,6 @@ import (
 	appclient "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/typed/application/v1alpha1"
 	"github.com/argoproj/argo-cd/util/cli"
 
-	"github.com/argoproj/gitops-engine/pkg/diff"
 	"github.com/argoproj/gitops-engine/pkg/utils/errors"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/spf13/cobra"
@@ -70,7 +69,7 @@ func saveProject(updated v1alpha1.AppProject, orig v1alpha1.AppProject, projects
 	if err != nil {
 		return err
 	}
-	_ = diff.PrintDiff(updated.Name, target, live)
+	_ = cli.PrintDiff(updated.Name, target, live)
 	if !dryRun {
 		_, err = projectsIf.Update(context.Background(), &updated, v1.UpdateOptions{})
 		if err != nil {

cmd/argocd-util/commands/settings.go

@@ -12,7 +12,6 @@ import (
 	"strings"
 	"text/tabwriter"
 
-	"github.com/argoproj/gitops-engine/pkg/diff"
 	healthutil "github.com/argoproj/gitops-engine/pkg/health"
 	"github.com/argoproj/gitops-engine/pkg/utils/errors"
 	"github.com/ghodss/yaml"
@@ -423,7 +422,7 @@ argocd-util settings resource-overrides ignore-differences ./deploy.yaml --argoc
 				}
 
 				_, _ = fmt.Printf("Following fields are ignored:\n\n")
-				_ = diff.PrintDiff(res.GetName(), &res, normalizedRes)
+				_ = cli.PrintDiff(res.GetName(), &res, normalizedRes)
 			})
 		},
 	}
@@ -538,7 +537,7 @@ argocd-util settings resource-overrides action run /tmp/deploy.yaml restart --ar
 				}
 
 				_, _ = fmt.Printf("Following fields have been changed:\n\n")
-				_ = diff.PrintDiff(res.GetName(), &res, modifiedRes)
+				_ = cli.PrintDiff(res.GetName(), &res, modifiedRes)
 			})
 		},
 	}

cmd/argocd/commands/app.go

@@ -1154,7 +1154,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					}
 
 					foundDiffs = true
-					_ = diff.PrintDiff(item.key.Name, live, target)
+					_ = cli.PrintDiff(item.key.Name, live, target)
 				}
 			}
 			if foundDiffs {

cmd/argocd/commands/login.go

@@ -2,6 +2,8 @@ package commands
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"os"
@@ -192,6 +194,11 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 		completionChan <- errMsg
 	}
 
+	// PKCE implementation of https://tools.ietf.org/html/rfc7636
+	codeVerifier := rand.RandStringCharset(43, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
+	codeChallengeHash := sha256.Sum256([]byte(codeVerifier))
+	codeChallenge := base64.RawURLEncoding.EncodeToString(codeChallengeHash[:])
+
 	// Authorization redirect callback from OAuth2 auth flow.
 	// Handles both implicit and authorization code flow
 	callbackHandler := func(w http.ResponseWriter, r *http.Request) {
@@ -231,7 +238,8 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 				handleErr(w, fmt.Sprintf("no code in request: %q", r.Form))
 				return
 			}
-			tok, err := oauth2conf.Exchange(ctx, code)
+			opts := []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("code_verifier", codeVerifier)}
+			tok, err := oauth2conf.Exchange(ctx, code, opts...)
 			if err != nil {
 				handleErr(w, err.Error())
 				return
@@ -267,6 +275,8 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 
 	switch grantType {
 	case oidcutil.GrantTypeAuthorizationCode:
+		opts = append(opts, oauth2.SetAuthURLParam("code_challenge", codeChallenge))
+		opts = append(opts, oauth2.SetAuthURLParam("code_challenge_method", "S256"))
 		url = oauth2conf.AuthCodeURL(stateNonce, opts...)
 	case oidcutil.GrantTypeImplicit:
 		url = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...)

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/gopher-json v0.0.0-20180125190556-5a6b3ba71ee6 // indirect
 	github.com/alicebob/miniredis v2.5.0+incompatible
-	github.com/argoproj/gitops-engine v0.1.3-0.20200805021302-90979fe432d4
+	github.com/argoproj/gitops-engine v0.1.3-0.20200826062957-2cf3a72c659c
 	github.com/argoproj/pkg v0.0.0-20200624215116-23e74cb168fe
 	github.com/casbin/casbin v1.9.1
 	github.com/chai2010/gettext-go v0.0.0-20170215093142-bf70f2a70fb1 // indirect
@@ -17,7 +17,7 @@ require (
 	github.com/docker/docker v17.12.0-ce-rc1.0.20200514230353-811a247d06e8+incompatible // indirect
 	github.com/docker/spdystream v0.0.0-20181023171402-6480d4af844c // indirect
 	github.com/dustin/go-humanize v1.0.0
-	github.com/evanphx/json-patch v4.5.0+incompatible
+	github.com/evanphx/json-patch v4.9.0+incompatible
 	github.com/fsnotify/fsnotify v1.4.7
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-openapi/loads v0.19.4
@@ -33,6 +33,7 @@ require (
 	github.com/gomodule/redigo v2.0.0+incompatible // indirect
 	github.com/google/go-cmp v0.3.1
 	github.com/google/go-jsonnet v0.16.0
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/google/uuid v1.1.1
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/go-grpc-middleware v1.0.1-0.20190118093823-f849b5445de4
@@ -65,20 +66,21 @@ require (
 	gopkg.in/go-playground/webhooks.v5 v5.11.0
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v2 v2.3.0
-	k8s.io/api v0.18.6
-	k8s.io/apiextensions-apiserver v0.18.6
-	k8s.io/apimachinery v0.18.6
+	k8s.io/api v0.18.8
+	k8s.io/apiextensions-apiserver v0.18.8
+	k8s.io/apimachinery v0.18.8
 	k8s.io/client-go v11.0.1-0.20190816222228-6d55c1b1f1ca+incompatible
-	k8s.io/code-generator v0.18.6
-	k8s.io/component-base v0.18.6
+	k8s.io/code-generator v0.18.8
+	k8s.io/component-base v0.18.8
 	k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac // indirect
 	k8s.io/klog v1.0.0
 	k8s.io/klog/v2 v2.3.0 // indirect
 	k8s.io/kube-openapi v0.0.0-20200410145947-bcb3869e6f29
-	k8s.io/kubectl v0.18.6
-	k8s.io/kubernetes v1.18.6
+	k8s.io/kubectl v0.18.8
+	k8s.io/kubernetes v1.18.8
 	k8s.io/utils v0.0.0-20200619165400-6e3d28b6ed19
 	layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427
+	sigs.k8s.io/yaml v1.2.0
 )
 
 replace (
@@ -88,25 +90,25 @@ replace (
 
 	google.golang.org/grpc => google.golang.org/grpc v1.15.0
 
-	k8s.io/api => k8s.io/api v0.18.6
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.18.6
-	k8s.io/apimachinery => k8s.io/apimachinery v0.18.6
-	k8s.io/apiserver => k8s.io/apiserver v0.18.6
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.18.6
-	k8s.io/client-go => k8s.io/client-go v0.18.6
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.18.6
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.18.6
-	k8s.io/code-generator => k8s.io/code-generator v0.18.6
-	k8s.io/component-base => k8s.io/component-base v0.18.6
-	k8s.io/cri-api => k8s.io/cri-api v0.18.6
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.18.6
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.18.6
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.18.6
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.18.6
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.18.6
-	k8s.io/kubectl => k8s.io/kubectl v0.18.6
-	k8s.io/kubelet => k8s.io/kubelet v0.18.6
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.18.6
-	k8s.io/metrics => k8s.io/metrics v0.18.6
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.18.6
+	k8s.io/api => k8s.io/api v0.18.8
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.18.8
+	k8s.io/apimachinery => k8s.io/apimachinery v0.18.8
+	k8s.io/apiserver => k8s.io/apiserver v0.18.8
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.18.8
+	k8s.io/client-go => k8s.io/client-go v0.18.8
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.18.8
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.18.8
+	k8s.io/code-generator => k8s.io/code-generator v0.18.8
+	k8s.io/component-base => k8s.io/component-base v0.18.8
+	k8s.io/cri-api => k8s.io/cri-api v0.18.8
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.18.8
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.18.8
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.18.8
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.18.8
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.18.8
+	k8s.io/kubectl => k8s.io/kubectl v0.18.8
+	k8s.io/kubelet => k8s.io/kubelet v0.18.8
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.18.8
+	k8s.io/metrics => k8s.io/metrics v0.18.8
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.18.8
 )

go.sum

@@ -57,8 +57,8 @@ github.com/alicebob/miniredis v2.5.0+incompatible/go.mod h1:8HZjEj4yU0dwhYHky+Dx
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo4JG6LR5AXSUEsOjtdm0kw0FtQtMJA=
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
-github.com/argoproj/gitops-engine v0.1.3-0.20200805021302-90979fe432d4 h1:o5k/SkhxfmowXFdo1G729T7pF1oQ8mom7TMFrOtxDIA=
-github.com/argoproj/gitops-engine v0.1.3-0.20200805021302-90979fe432d4/go.mod h1:8rDcKzsoaTXlDBBqUpgUD8VxKRDXeKKlHNEyo0TUlWM=
+github.com/argoproj/gitops-engine v0.1.3-0.20200826062957-2cf3a72c659c h1:sX3CD5rYfYe9l/tcVq6Zp09byT29EFOSDTggY8Zimgg=
+github.com/argoproj/gitops-engine v0.1.3-0.20200826062957-2cf3a72c659c/go.mod h1:LhzAS5UB6MusZ8MJj1dys1Em5xGPxEIZHdp2oz81ViY=
 github.com/argoproj/pkg v0.0.0-20200624215116-23e74cb168fe h1:HjTM7H8Z+J1xt340LNpH9q4jc8pXeqzkC8QKIjQphp4=
 github.com/argoproj/pkg v0.0.0-20200624215116-23e74cb168fe/go.mod h1:2EZ44RG/CcgtPTwrRR0apOc7oU6UIw8GjCUJWZ8X3bM=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
@@ -154,9 +154,10 @@ github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
 github.com/euank/go-kmsg-parser v2.0.0+incompatible/go.mod h1:MhmAMZ8V4CYH4ybgdRwPr2TU5ThnS43puaKEMpja1uw=
+github.com/evanphx/json-patch v0.0.0-20200808040245-162e5629780b/go.mod h1:NAJj0yf/KaRKURN6nyi7A9IZydMivZEm9oQLWNjfKDc=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch v4.5.0+incompatible h1:ouOWdg56aJriqS0huScTkVXPC5IcNrDCXZ6OoTAWu7M=
-github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v4.9.0+incompatible h1:kLcOMZeuLAJvL2BPWLMIj5oaZQobrkAqrL+WFZwQses=
+github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d h1:105gxyaGwCFad8crR9dcMQWvV9Hvulu6hwUh4tWPJnM=
 github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4=
 github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8=
@@ -879,26 +880,26 @@ honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.2/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-k8s.io/api v0.18.6 h1:osqrAXbOQjkKIWDTjrqxWQ3w0GkKb1KA1XkUGHHYpeE=
-k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI=
-k8s.io/apiextensions-apiserver v0.18.6 h1:vDlk7cyFsDyfwn2rNAO2DbmUbvXy5yT5GE3rrqOzaMo=
-k8s.io/apiextensions-apiserver v0.18.6/go.mod h1:lv89S7fUysXjLZO7ke783xOwVTm6lKizADfvUM/SS/M=
-k8s.io/apimachinery v0.18.6 h1:RtFHnfGNfd1N0LeSrKCUznz5xtUP1elRGvHJbL3Ntag=
-k8s.io/apimachinery v0.18.6/go.mod h1:OaXp26zu/5J7p0f92ASynJa1pZo06YlV9fG7BoWbCko=
-k8s.io/apiserver v0.18.6 h1:HcWwcOfhj4Yv6y2igP4ZUuovyPjVLGoZcG0Tsph4Mxo=
-k8s.io/apiserver v0.18.6/go.mod h1:Zt2XvTHuaZjBz6EFYzpp+X4hTmgWGy8AthNVnTdm3Wg=
-k8s.io/cli-runtime v0.18.6 h1:I8BkH5NyqMQ4zqUBmpXJ1LxIqpCH88H/1edPkPVWzjQ=
-k8s.io/cli-runtime v0.18.6/go.mod h1:+G/WTNqHgUv636e5y7rhOQ7epUbRXnwmPnhOhD6t9uM=
-k8s.io/client-go v0.18.6 h1:I+oWqJbibLSGsZj8Xs8F0aWVXJVIoUHWaaJV3kUN/Zw=
-k8s.io/client-go v0.18.6/go.mod h1:/fwtGLjYMS1MaM5oi+eXhKwG+1UHidUEXRh6cNsdO0Q=
-k8s.io/cloud-provider v0.18.6/go.mod h1:QnPLLdFkvtx1dEyVMaPUdzVWB+ECzEf+PA3DXwIr8bo=
-k8s.io/cluster-bootstrap v0.18.6/go.mod h1:lnM1CXtPImlEBTh5874ZI+ofZzdIy1t2JV9Y+NxvojU=
-k8s.io/code-generator v0.18.6 h1:QdfvGfs4gUCS1dru+rLbCKIFxYEV0IRfF8MXwY/ozLk=
-k8s.io/code-generator v0.18.6/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c=
-k8s.io/component-base v0.18.6 h1:Wd6cHGwJN2qpufnirVOB3oMhyhbioGsKEi5HeDBsV+s=
-k8s.io/component-base v0.18.6/go.mod h1:knSVsibPR5K6EW2XOjEHik6sdU5nCvKMrzMt2D4In14=
-k8s.io/cri-api v0.18.6/go.mod h1:OJtpjDvfsKoLGhvcc0qfygved0S0dGX56IJzPbqTG1s=
-k8s.io/csi-translation-lib v0.18.6/go.mod h1:w13PRDbRWol3Z9lM3RjxRd5vi/R9wog1DQHAbzzuKOI=
+k8s.io/api v0.18.8 h1:aIKUzJPb96f3fKec2lxtY7acZC9gQNDLVhfSGpxBAC4=
+k8s.io/api v0.18.8/go.mod h1:d/CXqwWv+Z2XEG1LgceeDmHQwpUJhROPx16SlxJgERY=
+k8s.io/apiextensions-apiserver v0.18.8 h1:pkqYPKTHa0/3lYwH7201RpF9eFm0lmZDFBNzhN+k/sA=
+k8s.io/apiextensions-apiserver v0.18.8/go.mod h1:7f4ySEkkvifIr4+BRrRWriKKIJjPyg9mb/p63dJKnlM=
+k8s.io/apimachinery v0.18.8 h1:jimPrycCqgx2QPearX3to1JePz7wSbVLq+7PdBTTwQ0=
+k8s.io/apimachinery v0.18.8/go.mod h1:6sQd+iHEqmOtALqOFjSWp2KZ9F0wlU/nWm0ZgsYWMig=
+k8s.io/apiserver v0.18.8 h1:Au4kMn8sb1zFdyKqc8iMHLsYLxRI6Y+iAhRNKKQtlBY=
+k8s.io/apiserver v0.18.8/go.mod h1:12u5FuGql8Cc497ORNj79rhPdiXQC4bf53X/skR/1YM=
+k8s.io/cli-runtime v0.18.8 h1:ycmbN3hs7CfkJIYxJAOB10iW7BVPmXGXkfEyiV9NJ+k=
+k8s.io/cli-runtime v0.18.8/go.mod h1:7EzWiDbS9PFd0hamHHVoCY4GrokSTPSL32MA4rzIu0M=
+k8s.io/client-go v0.18.8 h1:SdbLpIxk5j5YbFr1b7fq8S7mDgDjYmUxSbszyoesoDM=
+k8s.io/client-go v0.18.8/go.mod h1:HqFqMllQ5NnQJNwjro9k5zMyfhZlOwpuTLVrxjkYSxU=
+k8s.io/cloud-provider v0.18.8/go.mod h1:cn9AlzMPVIXA4HHLVbgGUigaQlZyHSZ7WAwDEFNrQSs=
+k8s.io/cluster-bootstrap v0.18.8/go.mod h1:guq0Uc+QwazHgpS1yAw5Z7yUlBCtGppbgWQkbN3lxIY=
+k8s.io/code-generator v0.18.8 h1:lgO1P1wjikEtzNvj7ia+x1VC4svJ28a/r0wnOLhhOTU=
+k8s.io/code-generator v0.18.8/go.mod h1:TgNEVx9hCyPGpdtCWA34olQYLkh3ok9ar7XfSsr8b6c=
+k8s.io/component-base v0.18.8 h1:BW5CORobxb6q5mb+YvdwQlyXXS6NVH5fDXWbU7tf2L8=
+k8s.io/component-base v0.18.8/go.mod h1:00frPRDas29rx58pPCxNkhUfPbwajlyyvu8ruNgSErU=
+k8s.io/cri-api v0.18.8/go.mod h1:OJtpjDvfsKoLGhvcc0qfygved0S0dGX56IJzPbqTG1s=
+k8s.io/csi-translation-lib v0.18.8/go.mod h1:6cA6Btlzxy9s3QrS4BCZzQqclIWnTLr6Jx3H2ctAzY4=
 k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200114144118-36b2048a9120/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
 k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac h1:sAvhNk5RRuc6FNYGqe7Ygz3PSo/2wGWbulskmzRX8Vs=
@@ -911,23 +912,23 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I=
 k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
 k8s.io/klog/v2 v2.3.0 h1:WmkrnW7fdrm0/DMClc+HIxtftvxVIPAhlVwMQo5yLco=
 k8s.io/klog/v2 v2.3.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
-k8s.io/kube-aggregator v0.18.6 h1:xGP3oe0tAWEYnGWTnDPjXiIItekrnwDA2O7w0WqvGoo=
-k8s.io/kube-aggregator v0.18.6/go.mod h1:MKm8inLHdeiXQJCl6UdmgMosRrqJgyxO2obTXOkey/s=
-k8s.io/kube-controller-manager v0.18.6/go.mod h1:T+Ayh47y1IrvwDSUAh4QT/aIrRcKWlvgdqV5PHrMwNs=
+k8s.io/kube-aggregator v0.18.8 h1:8VQxblQqRInpJ+DS2aGgbdWq6xP8UG/jzV6v8cFccOc=
+k8s.io/kube-aggregator v0.18.8/go.mod h1:CyLoGZB+io8eEwnn+6RbV7QWJQhj8a3TBH8ZM8sLbhI=
+k8s.io/kube-controller-manager v0.18.8/go.mod h1:IYZteddXJFD1TVgAw8eRP3c9OOA2WtHdXdE8aH6gXnc=
 k8s.io/kube-openapi v0.0.0-20200410145947-61e04a5be9a6/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E=
 k8s.io/kube-openapi v0.0.0-20200410145947-bcb3869e6f29 h1:NeQXVJ2XFSkRoPzRo8AId01ZER+j8oV4SZADT4iBOXQ=
 k8s.io/kube-openapi v0.0.0-20200410145947-bcb3869e6f29/go.mod h1:F+5wygcW0wmRTnM3cOgIqGivxkwSWIWT5YdsDbeAOaU=
-k8s.io/kube-proxy v0.18.6/go.mod h1:r3ScLxYTuskh8l2dDfAPdrFK3QnWIMsZI/+Bq5kkmWc=
-k8s.io/kube-scheduler v0.18.6/go.mod h1:J+GApeR/QkU6eYonXir0i7+rcUVWzZPZbNHqjq4FpoQ=
-k8s.io/kubectl v0.18.6 h1:IFPNuLPkZ59vSGQzynXY8XGz9yuOSRpkJupnobdYvO4=
-k8s.io/kubectl v0.18.6/go.mod h1:3TLzFOrF9h4mlRPAvdNkDbs5NWspN4e0EnPnEB41CGo=
-k8s.io/kubelet v0.18.6/go.mod h1:5e0PJYialWMWZgsYWJqI6zVW58y+MaQvmOQwEGFF4Xc=
-k8s.io/kubernetes v1.18.6 h1:2rkR3ffvd5YVyPYU4LAUDCKoKQZtjuuj8ga15mbv96o=
-k8s.io/kubernetes v1.18.6/go.mod h1:Efg82S+Ti02A/Mww53bxroc7IgzX2bgPsf6hT8gAs3M=
-k8s.io/legacy-cloud-providers v0.18.6/go.mod h1:0bU6t0dTOd0YkcByIdjx7WD4ihApa+aUrTgVJpqciZU=
-k8s.io/metrics v0.18.6/go.mod h1:iAwGeabusQNO3duHDM7BBExTUB8L+iq8PM7N9EtQw6g=
+k8s.io/kube-proxy v0.18.8/go.mod h1:u4E8OsUpUzfZ9CEFf9rdLsbYiusZr8utbtF4WQrX+qs=
+k8s.io/kube-scheduler v0.18.8/go.mod h1:OeliYiILv1XkSq0nmQjRewgt5NimKsTidZFEhfL5fqA=
+k8s.io/kubectl v0.18.8 h1:qTkHCz21YmK0+S0oE6TtjtxmjeDP42gJcZJyRKsIenA=
+k8s.io/kubectl v0.18.8/go.mod h1:PlEgIAjOMua4hDFTEkVf+W5M0asHUKfE4y7VDZkpLHM=
+k8s.io/kubelet v0.18.8/go.mod h1:6z1jHCk0NPE6WshFStfqcgQ1bnD3tetcPmhC2915aio=
+k8s.io/kubernetes v1.18.8 h1:wcpO1nbbcsRGNu7sQMROrPqtjPVMIlzWpRle5OFSoZQ=
+k8s.io/kubernetes v1.18.8/go.mod h1:SU7bBi8ZNHRjqzNhY4U78gClS1O7Q7avCrfF5aSiDko=
+k8s.io/legacy-cloud-providers v0.18.8/go.mod h1:tgp4xYf6lvjrWnjQwTOPvWQE9IVqSBGPF4on0IyICQE=
+k8s.io/metrics v0.18.8/go.mod h1:j7JzZdiyhLP2BsJm/Fzjs+j5Lb1Y7TySjhPWqBPwRXA=
 k8s.io/repo-infra v0.0.1-alpha.1/go.mod h1:wO1t9WaB99V80ljbeENTnayuEEwNZt7gECYh/CEyOJ8=
-k8s.io/sample-apiserver v0.18.6/go.mod h1:NSRGjwumFclVpq8zewaqGVwiyIR7DQbLAE6wQZ0uljI=
+k8s.io/sample-apiserver v0.18.8/go.mod h1:qXPfVwaZwM2owoSMNRRm9vw+HNJGLNsBpGckv1uxWy4=
 k8s.io/system-validators v1.0.4/go.mod h1:HgSgTg4NAGNoYYjKsUyk52gdNi2PVDswQ9Iyn66R7NI=
 k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20200619165400-6e3d28b6ed19 h1:7Nu2dTj82c6IaWvL7hImJzcXoTPz1MsSCH7r+0m6rfo=

hack/gen-crd-spec/main.go

@@ -46,6 +46,10 @@ func getCustomResourceDefinitions() map[string]*extensionsobj.CustomResourceDefi
 		// We need to completely remove validation of problematic fields such as creationTimestamp,
 		// which get marshalled to `null`, but are typed as as a `string` during Open API validation
 		removeValidation(un, "metadata.creationTimestamp")
+		// remove status validation for AppProject CRD as workaround for https://github.com/argoproj/argo-cd/issues/4158
+		if un.GetName() == "appprojects.argoproj.io" {
+			removeValidation(un, "status")
+		}
 
 		crd := toCRD(un)
 		crd.Labels = map[string]string{

hack/versions.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 # Update required versions of dependencies here whenever you change them in 
 # go.mod
-kube_version=v0.18.6
+kube_version=v0.18.8
 grpc_version=v1.26.0
 protobuf_version=v1.3.2
 grpc_gateway_version=v1.9.5

manifests/base/kustomization.yaml

@@ -12,4 +12,4 @@ bases:
 images:
 - name: argoproj/argocd
   newName: argoproj/argocd
-  newTag: latest
+  newTag: v1.7.2

manifests/base/repo-server/argocd-repo-server-deployment.yaml

@@ -40,6 +40,8 @@ spec:
           mountPath: /app/config/tls
         - name: gpg-keys
           mountPath: /app/config/gpg/source
+        - name: gpg-keyring
+          mountPath: /app/config/gpg/keys
       volumes:
         - name: ssh-known-hosts
           configMap:
@@ -50,3 +52,5 @@ spec:
         - name: gpg-keys
           configMap:
             name: argocd-gpg-keys-cm
+        - name: gpg-keyring
+          emptyDir: {}

manifests/crds/appproject-crd.yaml

@@ -218,31 +218,6 @@ spec:
                 type: object
               type: array
           type: object
-        status:
-          description: AppProjectStatus contains information about appproj
-          properties:
-            jwtTokensByRole:
-              additionalProperties:
-                properties:
-                  items:
-                    items:
-                      description: JWTToken holds the issuedAt and expiresAt values of a token
-                      properties:
-                        exp:
-                          format: int64
-                          type: integer
-                        iat:
-                          format: int64
-                          type: integer
-                        id:
-                          type: string
-                      required:
-                      - iat
-                      type: object
-                    type: array
-                type: object
-              type: object
-          type: object
       required:
       - metadata
       - spec

manifests/ha/base/kustomization.yaml

@@ -18,4 +18,4 @@ bases:
 images:
 - name: argoproj/argocd
   newName: argoproj/argocd
-  newTag: latest
+  newTag: v1.7.2

manifests/ha/install.yaml

@@ -2109,32 +2109,6 @@ spec:
                 type: object
               type: array
           type: object
-        status:
-          description: AppProjectStatus contains information about appproj
-          properties:
-            jwtTokensByRole:
-              additionalProperties:
-                properties:
-                  items:
-                    items:
-                      description: JWTToken holds the issuedAt and expiresAt values
-                        of a token
-                      properties:
-                        exp:
-                          format: int64
-                          type: integer
-                        iat:
-                          format: int64
-                          type: integer
-                        id:
-                          type: string
-                      required:
-                      - iat
-                      type: object
-                    type: array
-                type: object
-              type: object
-          type: object
       required:
       - metadata
       - spec
@@ -3108,7 +3082,7 @@ spec:
         - "10"
         - --redis
         - argocd-redis-ha-haproxy:6379
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3164,7 +3138,7 @@ spec:
         - -n
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -3214,7 +3188,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis-ha-haproxy:6379
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: argocd-repo-server
         ports:
@@ -3232,6 +3206,8 @@ spec:
           name: tls-certs
         - mountPath: /app/config/gpg/source
           name: gpg-keys
+        - mountPath: /app/config/gpg/keys
+          name: gpg-keyring
       volumes:
       - configMap:
           name: argocd-ssh-known-hosts-cm
@@ -3242,6 +3218,8 @@ spec:
       - configMap:
           name: argocd-gpg-keys-cm
         name: gpg-keys
+      - emptyDir: {}
+        name: gpg-keyring
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -3285,7 +3263,7 @@ spec:
         env:
         - name: ARGOCD_API_SERVER_REPLICAS
           value: "2"
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: argocd-server
         ports:

manifests/ha/namespace-install.yaml

@@ -2109,32 +2109,6 @@ spec:
                 type: object
               type: array
           type: object
-        status:
-          description: AppProjectStatus contains information about appproj
-          properties:
-            jwtTokensByRole:
-              additionalProperties:
-                properties:
-                  items:
-                    items:
-                      description: JWTToken holds the issuedAt and expiresAt values
-                        of a token
-                      properties:
-                        exp:
-                          format: int64
-                          type: integer
-                        iat:
-                          format: int64
-                          type: integer
-                        id:
-                          type: string
-                      required:
-                      - iat
-                      type: object
-                    type: array
-                type: object
-              type: object
-          type: object
       required:
       - metadata
       - spec
@@ -3023,7 +2997,7 @@ spec:
         - "10"
         - --redis
         - argocd-redis-ha-haproxy:6379
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3079,7 +3053,7 @@ spec:
         - -n
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -3129,7 +3103,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis-ha-haproxy:6379
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: argocd-repo-server
         ports:
@@ -3147,6 +3121,8 @@ spec:
           name: tls-certs
         - mountPath: /app/config/gpg/source
           name: gpg-keys
+        - mountPath: /app/config/gpg/keys
+          name: gpg-keyring
       volumes:
       - configMap:
           name: argocd-ssh-known-hosts-cm
@@ -3157,6 +3133,8 @@ spec:
       - configMap:
           name: argocd-gpg-keys-cm
         name: gpg-keys
+      - emptyDir: {}
+        name: gpg-keyring
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -3200,7 +3178,7 @@ spec:
         env:
         - name: ARGOCD_API_SERVER_REPLICAS
           value: "2"
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: argocd-server
         ports:

manifests/install.yaml

@@ -2109,32 +2109,6 @@ spec:
                 type: object
               type: array
           type: object
-        status:
-          description: AppProjectStatus contains information about appproj
-          properties:
-            jwtTokensByRole:
-              additionalProperties:
-                properties:
-                  items:
-                    items:
-                      description: JWTToken holds the issuedAt and expiresAt values
-                        of a token
-                      properties:
-                        exp:
-                          format: int64
-                          type: integer
-                        iat:
-                          format: int64
-                          type: integer
-                        id:
-                          type: string
-                      required:
-                      - iat
-                      type: object
-                    type: array
-                type: object
-              type: object
-          type: object
       required:
       - metadata
       - spec
@@ -2608,7 +2582,7 @@ spec:
         - "20"
         - --operation-processors
         - "10"
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2664,7 +2638,7 @@ spec:
         - -n
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -2733,7 +2707,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis:6379
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: argocd-repo-server
         ports:
@@ -2751,6 +2725,8 @@ spec:
           name: tls-certs
         - mountPath: /app/config/gpg/source
           name: gpg-keys
+        - mountPath: /app/config/gpg/keys
+          name: gpg-keyring
       volumes:
       - configMap:
           name: argocd-ssh-known-hosts-cm
@@ -2761,6 +2737,8 @@ spec:
       - configMap:
           name: argocd-gpg-keys-cm
         name: gpg-keys
+      - emptyDir: {}
+        name: gpg-keyring
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -2784,7 +2762,7 @@ spec:
         - argocd-server
         - --staticassets
         - /shared/app
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: argocd-server
         ports:

manifests/namespace-install.yaml

@@ -2109,32 +2109,6 @@ spec:
                 type: object
               type: array
           type: object
-        status:
-          description: AppProjectStatus contains information about appproj
-          properties:
-            jwtTokensByRole:
-              additionalProperties:
-                properties:
-                  items:
-                    items:
-                      description: JWTToken holds the issuedAt and expiresAt values
-                        of a token
-                      properties:
-                        exp:
-                          format: int64
-                          type: integer
-                        iat:
-                          format: int64
-                          type: integer
-                        id:
-                          type: string
-                      required:
-                      - iat
-                      type: object
-                    type: array
-                type: object
-              type: object
-          type: object
       required:
       - metadata
       - spec
@@ -2523,7 +2497,7 @@ spec:
         - "20"
         - --operation-processors
         - "10"
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2579,7 +2553,7 @@ spec:
         - -n
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -2648,7 +2622,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis:6379
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: argocd-repo-server
         ports:
@@ -2666,6 +2640,8 @@ spec:
           name: tls-certs
         - mountPath: /app/config/gpg/source
           name: gpg-keys
+        - mountPath: /app/config/gpg/keys
+          name: gpg-keyring
       volumes:
       - configMap:
           name: argocd-ssh-known-hosts-cm
@@ -2676,6 +2652,8 @@ spec:
       - configMap:
           name: argocd-gpg-keys-cm
         name: gpg-keys
+      - emptyDir: {}
+        name: gpg-keyring
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -2699,7 +2677,7 @@ spec:
         - argocd-server
         - --staticassets
         - /shared/app
-        image: argoproj/argocd:latest
+        image: argoproj/argocd:v1.7.2
         imagePullPolicy: Always
         name: argocd-server
         ports:

resource_customizations/custom_actions_test.go

@@ -16,6 +16,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/lua"
 )
 
@@ -98,7 +99,7 @@ func TestLuaResourceActionsScript(t *testing.T) {
 				assert.NoError(t, err)
 				if diffResult.Modified {
 					t.Error("Output does not match input:")
-					err = diff.PrintDiff(test.Action, expectedObj, result)
+					err = cli.PrintDiff(test.Action, expectedObj, result)
 					assert.NoError(t, err)
 				}
 			})

ui/src/app/applications/components/application-create-panel/application-create-panel.tsx

@@ -56,7 +56,7 @@ const AutoSyncFormField = ReactFormField((props: {fieldApi: FieldApi; className:
                 value={automated ? auto : manual}
                 options={[manual, auto]}
                 onChange={opt => {
-                    setValue(opt.value === auto ? {automated: {prune: false, selfHeal: false}} : null);
+                    setValue(opt.value === auto ? {prune: false, selfHeal: false} : null);
                 }}
             />
             {automated && (

ui/src/app/applications/components/application-summary/application-summary.tsx

@@ -2,7 +2,7 @@ import {AutocompleteField, DropDownMenu, FormField, FormSelect, HelpIcon, PopupA
 import * as React from 'react';
 import {FormApi, Text} from 'react-form';
 import {Cluster, DataLoader, EditablePanel, EditablePanelItem, Expandable, MapInputField, Repo, Revision, RevisionHelpIcon} from '../../../shared/components';
-import {Consumer} from '../../../shared/context';
+import {Consumer, Context} from '../../../shared/context';
 import * as models from '../../../shared/models';
 import {services} from '../../../shared/services';
 
@@ -369,8 +369,9 @@ export const ApplicationSummary = (props: {app: models.Application; updateApp: (
             edit: null
         });
     const [badgeType, setBadgeType] = React.useState('URL');
-    const badgeURL = `${location.protocol}//${location.host}/api/badge?name=${props.app.metadata.name}&revision=true`;
-    const appURL = `${location.protocol}//${location.host}/applications/${props.app.metadata.name}`;
+    const context = React.useContext(Context);
+    const badgeURL = `${location.protocol}//${location.host}${context.baseHref}api/badge?name=${props.app.metadata.name}&revision=true`;
+    const appURL = `${location.protocol}//${location.host}${context.baseHref}applications/${props.app.metadata.name}`;
 
     return (
         <div className='application-summary'>

util/cli/cli.go

@@ -10,17 +10,21 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"path"
 	"strconv"
 	"strings"
 
 	"github.com/argoproj/gitops-engine/pkg/utils/errors"
 	"github.com/argoproj/gitops-engine/pkg/utils/io"
+	"github.com/google/shlex"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/ssh/terminal"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/klog"
 	"k8s.io/kubectl/pkg/util/term"
+	"sigs.k8s.io/yaml"
 
 	"github.com/argoproj/argo-cd/common"
 )
@@ -254,3 +258,50 @@ func InteractiveEdit(filePattern string, data []byte, save func(input []byte) er
 		errorComment = err.Error()
 	}
 }
+
+// PrintDiff prints a diff between two unstructured objects to stdout using an external diff utility
+// Honors the diff utility set in the KUBECTL_EXTERNAL_DIFF environment variable
+func PrintDiff(name string, live *unstructured.Unstructured, target *unstructured.Unstructured) error {
+	tempDir, err := ioutil.TempDir("", "argocd-diff")
+	if err != nil {
+		return err
+	}
+	targetFile := path.Join(tempDir, name)
+	targetData := []byte("")
+	if target != nil {
+		targetData, err = yaml.Marshal(target)
+		if err != nil {
+			return err
+		}
+	}
+	err = ioutil.WriteFile(targetFile, targetData, 0644)
+	if err != nil {
+		return err
+	}
+	liveFile := path.Join(tempDir, fmt.Sprintf("%s-live.yaml", name))
+	liveData := []byte("")
+	if live != nil {
+		liveData, err = yaml.Marshal(live)
+		if err != nil {
+			return err
+		}
+	}
+	err = ioutil.WriteFile(liveFile, liveData, 0644)
+	if err != nil {
+		return err
+	}
+	cmdBinary := "diff"
+	var args []string
+	if envDiff := os.Getenv("KUBECTL_EXTERNAL_DIFF"); envDiff != "" {
+		parts, err := shlex.Split(envDiff)
+		if err != nil {
+			return err
+		}
+		cmdBinary = parts[0]
+		args = parts[1:]
+	}
+	cmd := exec.Command(cmdBinary, append(args, liveFile, targetFile)...)
+	cmd.Stderr = os.Stderr
+	cmd.Stdout = os.Stdout
+	return cmd.Run()
+}

util/gpg/gpg.go

@@ -191,11 +191,6 @@ func InitializeGnuPG() error {
 		return fmt.Errorf("%s ('%s') does not point to a directory", common.EnvGnuPGHome, gnuPgHome)
 	}
 
-	// Check for sane permissions as well (GPG will issue a warning otherwise)
-	if st.Mode().Perm() != 0700 {
-		return fmt.Errorf("%s at '%s' has too wide permissions, must be 0700", common.EnvGnuPGHome, gnuPgHome)
-	}
-
 	_, err = os.Stat(path.Join(gnuPgHome, "trustdb.gpg"))
 	if err != nil {
 		if !os.IsNotExist(err) {
@@ -220,7 +215,7 @@ func InitializeGnuPG() error {
 
 	f.Close()
 
-	cmd := exec.Command("gpg", "--logger-fd", "1", "--batch", "--generate-key", f.Name())
+	cmd := exec.Command("gpg", "--no-permission-warning", "--logger-fd", "1", "--batch", "--generate-key", f.Name())
 	cmd.Env = getGPGEnviron()
 
 	_, err = executil.Run(cmd)
@@ -250,7 +245,7 @@ func ImportPGPKeysFromString(keyData string) ([]*appsv1.GnuPGPublicKey, error) {
 func ImportPGPKeys(keyFile string) ([]*appsv1.GnuPGPublicKey, error) {
 	keys := make([]*appsv1.GnuPGPublicKey, 0)
 
-	cmd := exec.Command("gpg", "--logger-fd", "1", "--import", keyFile)
+	cmd := exec.Command("gpg", "--no-permission-warning", "--logger-fd", "1", "--import", keyFile)
 	cmd.Env = getGPGEnviron()
 
 	out, err := executil.Run(cmd)
@@ -364,7 +359,7 @@ func SetPGPTrustLevel(pgpKeys []*appsv1.GnuPGPublicKey, trustLevel string) error
 	f.Close()
 
 	// Load ownertrust from the file we have constructed and instruct gpg to update the trustdb
-	cmd := exec.Command("gpg", "--import-ownertrust", f.Name())
+	cmd := exec.Command("gpg", "--no-permission-warning", "--import-ownertrust", f.Name())
 	cmd.Env = getGPGEnviron()
 
 	_, err = executil.Run(cmd)
@@ -373,7 +368,7 @@ func SetPGPTrustLevel(pgpKeys []*appsv1.GnuPGPublicKey, trustLevel string) error
 	}
 
 	// Update the trustdb once we updated the ownertrust, to prevent gpg to do it once we validate a signature
-	cmd = exec.Command("gpg", "--update-trustdb")
+	cmd = exec.Command("gpg", "--no-permission-warning", "--update-trustdb")
 	cmd.Env = getGPGEnviron()
 	_, err = executil.Run(cmd)
 	if err != nil {
@@ -385,7 +380,7 @@ func SetPGPTrustLevel(pgpKeys []*appsv1.GnuPGPublicKey, trustLevel string) error
 
 // DeletePGPKey deletes a key from our GnuPG key ring
 func DeletePGPKey(keyID string) error {
-	args := append([]string{}, "--yes", "--batch", "--delete-keys", keyID)
+	args := append([]string{}, "--no-permission-warning", "--yes", "--batch", "--delete-keys", keyID)
 	cmd := exec.Command("gpg", args...)
 	cmd.Env = getGPGEnviron()
 
@@ -399,7 +394,7 @@ func DeletePGPKey(keyID string) error {
 
 // IsSecretKey returns true if the keyID also has a private key in the keyring
 func IsSecretKey(keyID string) (bool, error) {
-	args := append([]string{}, "--list-secret-keys", keyID)
+	args := append([]string{}, "--no-permission-warning", "--list-secret-keys", keyID)
 	cmd := exec.Command("gpg-wrapper.sh", args...)
 	cmd.Env = getGPGEnviron()
 	out, err := executil.Run(cmd)
@@ -416,7 +411,7 @@ func IsSecretKey(keyID string) (bool, error) {
 func GetInstalledPGPKeys(kids []string) ([]*appsv1.GnuPGPublicKey, error) {
 	keys := make([]*appsv1.GnuPGPublicKey, 0)
 
-	args := append([]string{}, "--list-public-keys")
+	args := append([]string{}, "--no-permission-warning", "--list-public-keys")
 	// kids can contain an arbitrary list of key IDs we want to list. If empty, we list all keys.
 	if len(kids) > 0 {
 		args = append(args, kids...)
@@ -496,7 +491,7 @@ func GetInstalledPGPKeys(kids []string) ([]*appsv1.GnuPGPublicKey, error) {
 
 	// We need to get the final key for each imported key, so we run --export on each key
 	for _, key := range keys {
-		cmd := exec.Command("gpg", "-a", "--export", key.KeyID)
+		cmd := exec.Command("gpg", "--no-permission-warning", "-a", "--export", key.KeyID)
 		cmd.Env = getGPGEnviron()
 
 		out, err := executil.Run(cmd)
@@ -617,6 +612,12 @@ func SyncKeyRingFromDirectory(basePath string) ([]string, []string, error) {
 
 	// Collect configuration, i.e. files in basePath
 	err = filepath.Walk(basePath, func(path string, fi os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if fi == nil {
+			return nil
+		}
 		if IsShortKeyID(fi.Name()) {
 			configured[fi.Name()] = true
 		}

util/gpg/gpg_test.go

@@ -96,6 +96,8 @@ func Test_GPG_InitializeGnuPG(t *testing.T) {
 	}
 
 	// GNUPGHOME with too wide permissions
+	// We do not expect an error here, because of openshift's random UIDs that
+	// forced us to use an emptyDir mount (#4127)
 	p = initTempDir()
 	defer os.RemoveAll(p)
 	err = os.Chmod(p, 0777)
@@ -104,8 +106,7 @@ func Test_GPG_InitializeGnuPG(t *testing.T) {
 	}
 	os.Setenv(common.EnvGnuPGHome, p)
 	err = InitializeGnuPG()
-	assert.Error(t, err)
-
+	assert.NoError(t, err)
 }
 
 func Test_GPG_KeyManagement(t *testing.T) {