chore: disable codeql workflow on cherry-pick branches (#12893)

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

.github/workflows/ci-build.yaml

@@ -9,6 +9,7 @@ on:
   pull_request:
     branches:
       - 'master'
+      - 'release-*'
 
 env:
   # Golang version to use across CI steps
@@ -27,9 +28,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -45,13 +46,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -69,9 +70,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Run golangci-lint
@@ -92,11 +93,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -116,7 +117,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -159,11 +160,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -183,7 +184,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -214,9 +215,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -262,14 +263,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup NodeJS
         uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: '12.18.4'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -299,12 +300,12 @@ jobs:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -377,9 +378,9 @@ jobs:
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
@@ -405,7 +406,7 @@ jobs:
           sudo chown runner $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -431,9 +432,9 @@ jobs:
           git config --global user.email "john.doe@example.com"
       - name: Pull Docker image required for tests
         run: |
-          docker pull ghcr.io/dexidp/dex:v2.35.3
+          docker pull ghcr.io/dexidp/dex:v2.36.0
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.7-alpine
+          docker pull redis:7.0.8-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist

.github/workflows/codeql.yml

@@ -5,6 +5,7 @@ on:
     # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
     branches-ignore:
       - 'dependabot/**'
+      - 'cherry-pick-*'
   pull_request:
   schedule:
     - cron: '0 19 * * 0'
@@ -29,7 +30,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/image.yaml

@@ -28,10 +28,10 @@ jobs:
     env:
       GOPATH: /home/runner/work/argo-cd/argo-cd
     steps:
-      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           path: src/github.com/argoproj/argo-cd
 
@@ -117,7 +117,7 @@ jobs:
 
       # sign container images
       - name: Install cosign
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
         with:
           cosign-release: 'v1.13.1'
 

.github/workflows/release.yaml

@@ -43,7 +43,7 @@ jobs:
       GIT_EMAIL: argoproj@gmail.com
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -147,7 +147,7 @@ jobs:
           echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
 
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
@@ -219,7 +219,7 @@ jobs:
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
         with:
           cosign-release: 'v1.13.1'
 

USERS.md

@@ -82,6 +82,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [IITS-Consulting](https://iits-consulting.de)
 1. [imaware](https://imaware.health)
 1. [Index Exchange](https://www.indexexchange.com/)
+1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Intuit](https://www.intuit.com/)
 1. [Joblift](https://joblift.com/)

VERSION

@@ -1 +1 @@
-2.4.23
+2.4.28

assets/swagger.json

@@ -265,6 +265,16 @@
             "description": "the repoURL to restrict returned list applications.",
             "name": "repo",
             "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
           }
         ],
         "responses": {
@@ -529,6 +539,16 @@
             "description": "the repoURL to restrict returned list applications.",
             "name": "repo",
             "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
           }
         ],
         "responses": {
@@ -3167,6 +3187,16 @@
             "description": "the repoURL to restrict returned list applications.",
             "name": "repo",
             "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
           }
         ],
         "responses": {

cmpserver/plugin/plugin.go

@@ -8,8 +8,10 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
+	"unicode"
 
 	"github.com/argoproj/pkg/rand"
 
@@ -73,9 +75,8 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	}
 	logCtx := log.WithFields(log.Fields{"execID": execId})
 
-	// log in a way we can copy-and-paste into a terminal
-	args := strings.Join(cmd.Args, " ")
-	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(args)
+	argsToLog := getCommandArgsToLog(cmd)
+	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(argsToLog)
 
 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
@@ -106,7 +107,7 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	logCtx.WithFields(log.Fields{"duration": duration}).Debug(output)
 
 	if err != nil {
-		err := newCmdError(args, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
+		err := newCmdError(argsToLog, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
 		logCtx.Error(err.Error())
 		return strings.TrimSuffix(output, "\n"), err
 	}
@@ -114,6 +115,28 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	return strings.TrimSuffix(output, "\n"), nil
 }
 
+// getCommandArgsToLog represents the given command in a way that we can copy-and-paste into a terminal
+func getCommandArgsToLog(cmd *exec.Cmd) string {
+	var argsToLog []string
+	for _, arg := range cmd.Args {
+		containsSpace := false
+		for _, r := range arg {
+			if unicode.IsSpace(r) {
+				containsSpace = true
+				break
+			}
+		}
+		if containsSpace {
+			// add quotes and escape any internal quotes
+			argsToLog = append(argsToLog, strconv.Quote(arg))
+		} else {
+			argsToLog = append(argsToLog, arg)
+		}
+	}
+	args := strings.Join(argsToLog, " ")
+	return args
+}
+
 type CmdError struct {
 	Args   string
 	Stderr string

cmpserver/plugin/plugin_test.go

@@ -2,6 +2,7 @@ package plugin
 
 import (
 	"context"
+	"os/exec"
 	"path/filepath"
 	"testing"
 	"time"
@@ -266,3 +267,30 @@ func TestRunCommandContextTimeout(t *testing.T) {
 	assert.Error(t, err) // The command should time out, causing an error.
 	assert.Less(t, after.Sub(before), 1*time.Second)
 }
+
+func Test_getCommandArgsToLog(t *testing.T) {
+	testCases := []struct {
+		name     string
+		args     []string
+		expected string
+	}{
+		{
+			name:     "no spaces",
+			args:     []string{"sh", "-c", "cat"},
+			expected: "sh -c cat",
+		},
+		{
+			name:     "spaces",
+			args:     []string{"sh", "-c", `echo "hello world"`},
+			expected: `sh -c "echo \"hello world\""`,
+		},
+	}
+
+	for _, tc := range testCases {
+		tcc := tc
+		t.Run(tcc.name, func(t *testing.T) {
+			t.Parallel()
+			assert.Equal(t, tcc.expected, getCommandArgsToLog(exec.Command(tcc.args[0], tcc.args[1:]...)))
+		})
+	}
+}

controller/cache/cache.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
@@ -389,6 +390,20 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		return nil, fmt.Errorf("controller is configured to ignore cluster %s", cluster.Server)
 	}
 
+	clusterCacheConfig := cluster.RESTConfig()
+	// Controller dynamically fetches all resource types available on the cluster
+	// using a discovery API that may contain deprecated APIs.
+	// This causes log flooding when managing a large number of clusters.
+	// https://github.com/argoproj/argo-cd/issues/11973
+	// However, we can safely suppress deprecation warnings
+	// because we do not rely on resources with a particular API group or version.
+	// https://kubernetes.io/blog/2020/09/03/warnings/#customize-client-handling
+	//
+	// Completely suppress warning logs only for log levels that are less than Debug.
+	if log.GetLevel() < log.DebugLevel {
+		clusterCacheConfig.WarningHandler = rest.NoWarnings{}
+	}
+
 	clusterCacheOpts := []clustercache.UpdateSettingsFunc{
 		clustercache.SetListSemaphore(semaphore.NewWeighted(clusterCacheListSemaphoreSize)),
 		clustercache.SetListPageSize(clusterCacheListPageSize),
@@ -420,7 +435,7 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetRetryOptions(clusterCacheAttemptLimit, clusterCacheRetryUseBackoff, isRetryableError),
 	}
 
-	clusterCache = clustercache.NewClusterCache(cluster.RESTConfig(), clusterCacheOpts...)
+	clusterCache = clustercache.NewClusterCache(clusterCacheConfig, clusterCacheOpts...)
 
 	_ = clusterCache.OnResourceUpdated(func(newRes *clustercache.Resource, oldRes *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) {
 		toNotify := make(map[string]bool)

docs/assets/versions.js

@@ -9,16 +9,6 @@ setTimeout(function() {
   caret.innerHTML = "<i class='fa fa-caret-down dropdown-caret'></i>"
   caret.classList.add('dropdown-caret')
   div.querySelector('.rst-current-version').appendChild(caret);
-  div.querySelector('.rst-current-version').addEventListener('click', function() {
-      const classes = container.className.split(' ');
-      const index = classes.indexOf('shift-up');
-      if (index === -1) {
-          classes.push('shift-up');
-      } else {
-          classes.splice(index, 1);
-      }
-      container.className = classes.join(' ');
-  });
   }
 
   var CSSLink = document.createElement('link');

docs/operator-manual/high_availability.md

@@ -1,10 +1,8 @@
 # High Availability
 
-Argo CD is largely stateless, all data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
+Argo CD is largely stateless. All data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
 
-A set of HA manifests are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
-
-[Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests) 
+A set of [HA manifests](https://github.com/argoproj/argo-cd/tree/master/manifests/ha) are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
 
 !!! note
     The HA installation will require at least three different nodes due to pod anti-affinity roles in the specs.
@@ -17,11 +15,11 @@ A set of HA manifests are provided for users who wish to run Argo CD in a highly
 
 The `argocd-repo-server` is responsible for cloning Git repository, keeping it up to date and generating manifests using the appropriate tool.
 
-* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory and limit on the number of OS threads.
-The `--parallelismlimit` flag controls how many manifests generations are running concurrently and allows avoiding OOM kills.
+* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory or limit on the number of OS threads.
+The `--parallelismlimit` flag controls how many manifests generations are running concurrently and helps avoid OOM kills.
 
 * the `argocd-repo-server` ensures that repository is in the clean state during the manifest generation using config management tools such as Kustomize, Helm
-or custom plugin. As a result Git repositories with multiple applications might be affect repository server performance.
+or custom plugin. As a result Git repositories with multiple applications might affect repository server performance.
 Read [Monorepo Scaling Considerations](#monorepo-scaling-considerations) for more information.
 
 * `argocd-repo-server` clones repository into `/tmp` ( of path specified in `TMPDIR` env variable ). Pod might run out of disk space if have too many repository
@@ -30,7 +28,7 @@ or repositories has a lot of files. To avoid this problem mount persistent volum
 * `argocd-repo-server` `git ls-remote` to resolve ambiguous revision such as `HEAD`, branch or tag name. This operation is happening pretty frequently
 and might fail. To avoid failed syncs use `ARGOCD_GIT_ATTEMPTS_COUNT` environment variable to retry failed requests.
 
-* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind this will negate the benefit of caching if set too low. 
+* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches the generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind that this will negate the benefits of caching if set too low. 
 
 * `argocd-repo-server` fork exec config management tools such as `helm` or `kustomize` and enforces 90 seconds timeout. The timeout can be increased using `ARGOCD_EXEC_TIMEOUT` env variable. The value should be in Go time duration string format, for example, `2m30s`.
 

docs/operator-manual/installation.md

@@ -74,7 +74,7 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-- https://raw.githubusercontent.com/argoproj/argo-cd/v2.0.4/manifests/ha/install.yaml
+- github.com/argoproj/argo-cd/manifests/ha?ref=v2.6.2
 ```
 
 ## Helm

docs/operator-manual/upgrading/2.3-2.4.md

@@ -1,5 +1,26 @@
 # v2.3 to 2.4
 
+## Known Issues
+
+### Broken `project` filter before 2.4.27
+
+Argo CD 2.4.0 introduced a breaking API change, renaming the `project` filter to `projects`.
+
+#### Impact to API clients
+
+A similar issue applies to other API clients which communicate with the Argo CD API server via its REST API. If the
+client uses the `project` field to filter projects, the filter will not be applied. **The failing project filter could 
+have detrimental consequences if, for example, you rely on it to list Applications to be deleted.**
+
+#### Impact to CLI clients
+
+CLI clients older that v2.4.0 rely on client-side filtering and are not impacted by this bug.
+
+#### How to fix the problem
+
+Upgrade to Argo CD >=2.4.27, >=2.5.15, or >=2.6.6. This version of Argo CD will accept both `project` and `projects` as
+valid filters.
+
 ## KSonnet support is removed
 
 Ksonnet was deprecated in [2019](https://github.com/ksonnet/ksonnet/pull/914/files) and is no longer maintained.

docs/understand_the_basics.md

@@ -14,4 +14,4 @@ Before effectively using Argo CD, it is necessary to understand the underlying t
     * [Helm](https://helm.sh)
 * If you're integrating with a CI tool:
 	* [GitHub Actions Documentation](https://docs.github.com/en/actions)
-	* [Jenkins User Guide](https://jenkins.io](https://www.jenkins.io/doc/book/)
+	* [Jenkins User Guide](https://www.jenkins.io/doc/book/)

docs/user-guide/app_deletion.md

@@ -24,9 +24,10 @@ argocd app delete APPNAME
 
 # Deletion Using `kubectl`
 
-To perform a non-cascade delete:
+To perform a non-cascade delete, make sure the finalizer is unset and then delete the app:
 
 ```bash
+kubectl patch app APPNAME  -p '{"metadata": {"finalizers": null}}' --type merge
 kubectl delete app APPNAME
 ```
 

go.mod

@@ -76,10 +76,10 @@ require (
 	github.com/xanzy/go-gitlab v0.60.0
 	github.com/yuin/gopher-lua v0.0.0-20200816102855-ee81675732da
 	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
-	golang.org/x/net v0.0.0-20220621193019-9d032be2e588
+	golang.org/x/net v0.7.0
 	golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
+	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
+	golang.org/x/term v0.5.0
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa
 	google.golang.org/grpc v1.45.0
 	google.golang.org/protobuf v1.28.0
@@ -201,11 +201,11 @@ require (
 	go.mongodb.org/mongo-driver v1.1.2 // indirect
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	golang.org/x/exp v0.0.0-20210901193431-a062eea981d2 // indirect
-	golang.org/x/mod v0.5.1-0.20210830214625-1b1db11ec8f4 // indirect
-	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
-	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 // indirect
+	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
-	golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff // indirect
+	golang.org/x/tools v0.1.12 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	gomodules.xyz/envconfig v1.3.1-0.20190308184047-426f31af0d45 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect

go.sum

@@ -1283,8 +1283,9 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
-golang.org/x/mod v0.5.1-0.20210830214625-1b1db11ec8f4 h1:7Qds88gNaRx0Dz/1wOwXlR7asekh1B1u26wEwN6FcEI=
 golang.org/x/mod v0.5.1-0.20210830214625-1b1db11ec8f4/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4 h1:6zppjxzCulZykYSLyVDYbneBfbaBIQPYMevg0bEwv2s=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1347,8 +1348,8 @@ golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220621193019-9d032be2e588 h1:9ubFuySsnAJYGyJrZ3koiEv8FyqofCBdz3G9Mbf2YFc=
-golang.org/x/net v0.0.0-20220621193019-9d032be2e588/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
+golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/oauth2 v0.0.0-20180227000427-d7d64896b5ff/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1381,8 +1382,9 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20210220032951-036812b2e83c h1:5KslGYwFpkhGh+Q16bwMP3cOontH8FOep7tGV86Y7SQ=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180224232135-f6cff0780e54/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1492,12 +1494,13 @@ golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1506,8 +1509,9 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1589,8 +1593,9 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff h1:VX/uD7MK0AHXGiScH3fsieUQUcpmRERPDYtqZdJnA+Q=
 golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff/go.mod h1:YD9qOF0M9xpSpdWTBbzEl5e/RnCefISl8E5Noe10jFM=
+golang.org/x/tools v0.1.12 h1:VveCTK38A2rkS8ZqFY25HIDFscX5X9OoEhJd3quQmXU=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

manifests/base/dex/argocd-dex-server-deployment.yaml

@@ -35,7 +35,7 @@ spec:
           runAsNonRoot: true
       containers:
       - name: dex
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.36.0
         imagePullPolicy: Always
         command: [/shared/argocd-dex, rundex]
         securityContext:

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.4.23
+  newTag: v2.4.28
 resources:
 - ./application-controller
 - ./dex

manifests/base/redis/argocd-redis-deployment.yaml

@@ -21,7 +21,7 @@ spec:
       serviceAccountName: argocd-redis        
       containers:
       - name: redis
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: Always
         args:
         - "--save"

manifests/core-install.yaml

@@ -9384,7 +9384,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -9464,7 +9464,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -9614,7 +9614,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -9663,7 +9663,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -9850,7 +9850,7 @@ spec:
               key: otlp.address
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.4.23
+  newTag: v2.4.28

manifests/ha/base/kustomization.yaml

@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.4.23
+  newTag: v2.4.28
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/base/redis-ha/chart/upstream.yaml

@@ -770,7 +770,7 @@ spec:
               topologyKey: kubernetes.io/hostname
       initContainers:
       - name: config-init
-        image: haproxy:2.0.29-alpine
+        image: haproxy:2.0.31-alpine
         imagePullPolicy: IfNotPresent
         resources:
           {}
@@ -790,7 +790,7 @@ spec:
         runAsUser: 1000
       containers:
       - name: haproxy
-        image: haproxy:2.0.29-alpine
+        image: haproxy:2.0.31-alpine
         imagePullPolicy: IfNotPresent
         livenessProbe:
           httpGet:
@@ -878,7 +878,7 @@ spec:
       automountServiceAccountToken: false
       initContainers:
       - name: config-init
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         resources:
           {}
@@ -906,7 +906,7 @@ spec:
 
       containers:
       - name: redis
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         command:
         - redis-server
@@ -947,7 +947,7 @@ spec:
         lifecycle:
           {}
       - name: sentinel
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         command:
           - redis-sentinel

manifests/ha/base/redis-ha/chart/values.yaml

@@ -9,12 +9,12 @@ redis-ha:
   haproxy:
     enabled: true
     image:
-      tag: 2.0.29-alpine
+      tag: 2.0.31-alpine
     timeout:
       server: 6m
       client: 6m
     checkInterval: 3s
   image:
-    tag: 7.0.7-alpine
+    tag: 7.0.8-alpine
   sentinel:
     bind: "0.0.0.0"

manifests/ha/install.yaml

@@ -10319,7 +10319,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -10391,7 +10391,7 @@ spec:
       - command:
         - /shared/argocd-dex
         - rundex
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.36.0
         imagePullPolicy: Always
         name: dex
         ports:
@@ -10416,7 +10416,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -10456,7 +10456,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -10525,7 +10525,7 @@ spec:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
       containers:
-      - image: haproxy:2.0.29-alpine
+      - image: haproxy:2.0.31-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -10554,7 +10554,7 @@ spec:
         - /readonly/haproxy_init.sh
         command:
         - sh
-        image: haproxy:2.0.29-alpine
+        image: haproxy:2.0.31-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         volumeMounts:
@@ -10713,7 +10713,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -10762,7 +10762,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -11009,7 +11009,7 @@ spec:
               key: otlp.address
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -11217,7 +11217,7 @@ spec:
               key: otlp.address
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -11298,7 +11298,7 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -11336,7 +11336,7 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -11382,7 +11382,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         volumeMounts:

manifests/ha/namespace-install.yaml

@@ -1244,7 +1244,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1316,7 +1316,7 @@ spec:
       - command:
         - /shared/argocd-dex
         - rundex
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.36.0
         imagePullPolicy: Always
         name: dex
         ports:
@@ -1341,7 +1341,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1381,7 +1381,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1450,7 +1450,7 @@ spec:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
       containers:
-      - image: haproxy:2.0.29-alpine
+      - image: haproxy:2.0.31-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -1479,7 +1479,7 @@ spec:
         - /readonly/haproxy_init.sh
         command:
         - sh
-        image: haproxy:2.0.29-alpine
+        image: haproxy:2.0.31-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         volumeMounts:
@@ -1638,7 +1638,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1687,7 +1687,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1934,7 +1934,7 @@ spec:
               key: otlp.address
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2142,7 +2142,7 @@ spec:
               key: otlp.address
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2223,7 +2223,7 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -2261,7 +2261,7 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -2307,7 +2307,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         volumeMounts:

manifests/install.yaml

@@ -9691,7 +9691,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -9763,7 +9763,7 @@ spec:
       - command:
         - /shared/argocd-dex
         - rundex
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.36.0
         imagePullPolicy: Always
         name: dex
         ports:
@@ -9788,7 +9788,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -9828,7 +9828,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -9903,7 +9903,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -10053,7 +10053,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -10102,7 +10102,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -10345,7 +10345,7 @@ spec:
               key: otlp.address
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -10547,7 +10547,7 @@ spec:
               key: otlp.address
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/namespace-install.yaml

@@ -616,7 +616,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -688,7 +688,7 @@ spec:
       - command:
         - /shared/argocd-dex
         - rundex
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.36.0
         imagePullPolicy: Always
         name: dex
         ports:
@@ -713,7 +713,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -753,7 +753,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -828,7 +828,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -978,7 +978,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1027,7 +1027,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1270,7 +1270,7 @@ spec:
               key: otlp.address
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1472,7 +1472,7 @@ spec:
               key: otlp.address
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.4.23
+        image: quay.io/argoproj/argocd:v2.4.28
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

pkg/apiclient/application/application.pb.go

@@ -49,7 +49,9 @@ type ApplicationQuery struct {
 	// the selector to restrict returned list to applications only with matched labels
 	Selector *string `protobuf:"bytes,5,opt,name=selector" json:"selector,omitempty"`
 	// the repoURL to restrict returned list applications
-	Repo                 *string  `protobuf:"bytes,6,opt,name=repo" json:"repo,omitempty"`
+	Repo *string `protobuf:"bytes,6,opt,name=repo" json:"repo,omitempty"`
+	// the project names to restrict returned list applications (legacy name for backwards-compatibility)
+	Project              []string `protobuf:"bytes,8,rep,name=project" json:"project,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -130,6 +132,13 @@ func (m *ApplicationQuery) GetRepo() string {
 	return ""
 }
 
+func (m *ApplicationQuery) GetProject() []string {
+	if m != nil {
+		return m.Project
+	}
+	return nil
+}
+
 type NodeQuery struct {
 	// the application's name
 	Name                 *string  `protobuf:"bytes,1,opt,name=name" json:"name,omitempty"`
@@ -2100,147 +2109,148 @@ func init() {
 }
 
 var fileDescriptor_df6e82b174b5eaec = []byte{
-	// 2236 bytes of a gzipped FileDescriptorProto
+	// 2243 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x5a, 0xcd, 0x8f, 0x1b, 0x49,
 	0x15, 0x57, 0xcd, 0xa7, 0xfd, 0x9c, 0xcf, 0xda, 0x4d, 0xe8, 0xed, 0x4c, 0x66, 0x47, 0x95, 0xaf,
 	0xc9, 0x24, 0x63, 0x27, 0x26, 0x42, 0xd9, 0x59, 0x10, 0x64, 0x77, 0xc3, 0x6c, 0x96, 0x99, 0xd9,
 	0xd0, 0x93, 0x10, 0xb4, 0x1c, 0xa0, 0xb6, 0xbb, 0xec, 0x69, 0xc6, 0xee, 0xea, 0x74, 0xb7, 0x1d,
 	0x59, 0x21, 0x97, 0x45, 0xdc, 0x10, 0x48, 0xb0, 0x07, 0x84, 0x10, 0x42, 0xac, 0x56, 0xe2, 0x06,
-	0x5c, 0x56, 0x48, 0x5c, 0xe0, 0xc2, 0x87, 0xc4, 0x01, 0xc1, 0x3f, 0x00, 0x11, 0x27, 0x2e, 0x5c,
-	0x39, 0xa2, 0xaa, 0xae, 0x6a, 0x57, 0x7b, 0xec, 0xb6, 0xc3, 0x78, 0xb5, 0xb9, 0xf5, 0x2b, 0x57,
-	0xbd, 0xf7, 0xab, 0x57, 0xbf, 0x7a, 0xaf, 0xde, 0x93, 0xe1, 0x7c, 0xcc, 0xa2, 0x2e, 0x8b, 0x6a,
-	0x34, 0x0c, 0x5b, 0xbe, 0x4b, 0x13, 0x9f, 0x07, 0xe6, 0x77, 0x35, 0x8c, 0x78, 0xc2, 0x71, 0xc5,
-	0x18, 0xb2, 0x97, 0x9a, 0x9c, 0x37, 0x5b, 0xac, 0x46, 0x43, 0xbf, 0x46, 0x83, 0x80, 0x27, 0x72,
-	0x38, 0x4e, 0xa7, 0xda, 0x64, 0xff, 0x66, 0x5c, 0xf5, 0xb9, 0xfc, 0xd5, 0xe5, 0x11, 0xab, 0x75,
-	0xaf, 0xd7, 0x9a, 0x2c, 0x60, 0x11, 0x4d, 0x98, 0xa7, 0xe6, 0xdc, 0xe8, 0xcf, 0x69, 0x53, 0x77,
-	0xcf, 0x0f, 0x58, 0xd4, 0xab, 0x85, 0xfb, 0x4d, 0x31, 0x10, 0xd7, 0xda, 0x2c, 0xa1, 0xc3, 0x56,
-	0x6d, 0x35, 0xfd, 0x64, 0xaf, 0xf3, 0x6e, 0xd5, 0xe5, 0xed, 0x1a, 0x8d, 0x9a, 0x3c, 0x8c, 0xf8,
-	0x37, 0xe5, 0xc7, 0xba, 0xeb, 0xd5, 0xba, 0xf5, 0xbe, 0x02, 0x73, 0x2f, 0xdd, 0xeb, 0xb4, 0x15,
-	0xee, 0xd1, 0x83, 0xda, 0x6e, 0x8f, 0xd1, 0x16, 0xb1, 0x90, 0x2b, 0xdf, 0xc8, 0x4f, 0x3f, 0xe1,
-	0x51, 0xcf, 0xf8, 0x4c, 0xd5, 0x90, 0x8f, 0x10, 0x9c, 0xb8, 0xd5, 0xb7, 0xf7, 0xe5, 0x0e, 0x8b,
-	0x7a, 0x18, 0xc3, 0x5c, 0x40, 0xdb, 0xcc, 0x42, 0x2b, 0x68, 0xb5, 0xec, 0xc8, 0x6f, 0x6c, 0xc1,
-	0x62, 0xc4, 0x1a, 0x11, 0x8b, 0xf7, 0xac, 0x19, 0x39, 0xac, 0x45, 0x6c, 0x43, 0x49, 0x18, 0x67,
-	0x6e, 0x12, 0x5b, 0xb3, 0x2b, 0xb3, 0xab, 0x65, 0x27, 0x93, 0xf1, 0x2a, 0x1c, 0x8f, 0x58, 0xcc,
-	0x3b, 0x91, 0xcb, 0xbe, 0xc2, 0xa2, 0xd8, 0xe7, 0x81, 0x35, 0x27, 0x57, 0x0f, 0x0e, 0x0b, 0x2d,
-	0x31, 0x6b, 0x31, 0x37, 0xe1, 0x91, 0x35, 0x2f, 0xa7, 0x64, 0xb2, 0xc0, 0x23, 0x80, 0x5b, 0x0b,
-	0x29, 0x1e, 0xf1, 0x4d, 0x5e, 0x86, 0xf2, 0x0e, 0xf7, 0xd8, 0x48, 0xc0, 0x64, 0x13, 0x4e, 0x39,
-	0xac, 0xeb, 0x0b, 0xe5, 0xdb, 0x2c, 0xa1, 0x1e, 0x4d, 0xe8, 0xe0, 0xe4, 0x99, 0x6c, 0x77, 0x36,
-	0x94, 0x22, 0x35, 0xd9, 0x9a, 0x91, 0xe3, 0x99, 0x4c, 0x7e, 0x81, 0x60, 0xd9, 0x70, 0x91, 0xa3,
-	0x80, 0xdf, 0xee, 0xb2, 0x20, 0x89, 0x47, 0xab, 0xbc, 0x0a, 0x27, 0xf5, 0x1e, 0x77, 0x68, 0x9b,
-	0xc5, 0x21, 0x75, 0x99, 0x72, 0xdd, 0xc1, 0x1f, 0x30, 0x81, 0x23, 0xe6, 0xa0, 0x35, 0x2b, 0x27,
-	0xe6, 0xc6, 0xf0, 0x0a, 0x54, 0xb4, 0x7c, 0xff, 0xce, 0x1b, 0xca, 0x91, 0xe6, 0x10, 0x79, 0x0b,
-	0x2c, 0x03, 0xe9, 0x36, 0x0d, 0xfc, 0x06, 0x8b, 0x93, 0x49, 0xb7, 0x8d, 0x72, 0xdb, 0x3e, 0x05,
-	0x2f, 0xe4, 0x77, 0x1d, 0xf2, 0x20, 0x66, 0xe4, 0xb7, 0x28, 0x67, 0xe3, 0xf5, 0x88, 0xd1, 0x84,
-	0x39, 0xec, 0x61, 0x87, 0xc5, 0x09, 0xde, 0x07, 0xf3, 0xa6, 0x49, 0x53, 0x95, 0xfa, 0x9d, 0x6a,
-	0x9f, 0xaa, 0x55, 0x4d, 0x55, 0xf9, 0xf1, 0x75, 0xd7, 0xab, 0x76, 0xeb, 0xd5, 0x70, 0xbf, 0x59,
-	0x15, 0xc4, 0xaf, 0x9a, 0x17, 0x57, 0x13, 0xbf, 0x6a, 0x82, 0x30, 0xb5, 0xe3, 0xd3, 0xb0, 0xd0,
-	0x09, 0x63, 0x16, 0x25, 0x12, 0x7a, 0xc9, 0x51, 0x92, 0xd8, 0x54, 0x97, 0xb6, 0x7c, 0x8f, 0x26,
-	0xa9, 0x1b, 0x4b, 0x4e, 0x26, 0x93, 0x0f, 0xf2, 0xe8, 0xef, 0x87, 0xde, 0x27, 0x85, 0xde, 0x44,
-	0x39, 0x33, 0x80, 0xb2, 0x9b, 0x03, 0xf9, 0x06, 0x6b, 0xb1, 0x3e, 0xc8, 0x61, 0xc7, 0x68, 0xc1,
-	0xa2, 0x4b, 0x63, 0x97, 0x7a, 0x5a, 0x95, 0x16, 0x05, 0x09, 0xc3, 0x88, 0x87, 0xb4, 0x29, 0x35,
-	0xdd, 0xe5, 0x2d, 0xdf, 0xed, 0x29, 0x6e, 0x1d, 0xfc, 0x81, 0x9c, 0x83, 0xca, 0x6e, 0x2f, 0x70,
-	0xdf, 0x0e, 0x65, 0x40, 0xc4, 0x2f, 0xc2, 0xbc, 0x9f, 0xb0, 0x76, 0x6c, 0x21, 0x79, 0xab, 0x53,
-	0x81, 0xfc, 0x77, 0x0e, 0x4e, 0x1b, 0xe8, 0xc4, 0x82, 0x22, 0x6c, 0x05, 0x14, 0x13, 0x27, 0xe8,
-	0x45, 0x3d, 0xa7, 0x13, 0xa8, 0x73, 0x52, 0x92, 0x30, 0x1c, 0x46, 0x9d, 0x80, 0x49, 0x8a, 0x97,
-	0x9c, 0x54, 0xc0, 0x0d, 0x28, 0xc5, 0x89, 0x08, 0x81, 0xcd, 0x9e, 0x8c, 0x10, 0x95, 0xfa, 0x5b,
-	0x87, 0x3b, 0x1b, 0x01, 0x7d, 0x57, 0x69, 0x74, 0x32, 0xdd, 0xf8, 0x21, 0x94, 0xf5, 0x9d, 0x8a,
-	0xad, 0xc5, 0x95, 0xd9, 0xd5, 0x4a, 0x7d, 0xf7, 0xf0, 0x86, 0xde, 0x0e, 0x45, 0xf8, 0x36, 0xe2,
-	0x87, 0xd3, 0xb7, 0x82, 0x97, 0xa0, 0xdc, 0x56, 0x97, 0x35, 0xb6, 0x4a, 0xd2, 0xdb, 0xfd, 0x01,
-	0xfc, 0x55, 0x98, 0xf7, 0x83, 0x06, 0x8f, 0xad, 0xb2, 0x04, 0xf3, 0xda, 0xe1, 0xc0, 0xdc, 0x09,
-	0x1a, 0xdc, 0x49, 0x15, 0xe2, 0x87, 0x70, 0x34, 0x62, 0x49, 0xd4, 0xd3, 0x5e, 0xb0, 0x40, 0xfa,
-	0xf5, 0x4b, 0x87, 0xb3, 0xe0, 0x98, 0x2a, 0x9d, 0xbc, 0x05, 0xbc, 0x01, 0x95, 0xb8, 0xcf, 0x31,
-	0xab, 0x22, 0x0d, 0x5a, 0x39, 0x45, 0x06, 0x07, 0x1d, 0x73, 0x32, 0xf9, 0x35, 0x82, 0xa5, 0x03,
-	0xb7, 0x77, 0x37, 0x64, 0x85, 0x04, 0xa4, 0x30, 0x17, 0x87, 0xcc, 0x95, 0x61, 0xbd, 0x52, 0xdf,
-	0x9e, 0xda, 0x75, 0x96, 0x76, 0xa5, 0xea, 0xc2, 0x88, 0x43, 0xe1, 0x53, 0xc6, 0xa2, 0xbb, 0x34,
-	0x71, 0xf7, 0x8a, 0xd0, 0x0a, 0xea, 0x8b, 0x39, 0x2a, 0x0b, 0xa5, 0x82, 0xe0, 0x87, 0xfc, 0xb8,
-	0xd7, 0x0b, 0x85, 0x05, 0xf1, 0x4b, 0x7f, 0x80, 0x04, 0x60, 0x9b, 0x61, 0x86, 0xb7, 0x5a, 0xef,
-	0x52, 0x77, 0xbf, 0xc8, 0xca, 0x31, 0x98, 0xf1, 0x3d, 0x69, 0x62, 0xd6, 0x99, 0xf1, 0xbd, 0x67,
-	0xbb, 0x88, 0xe2, 0xcd, 0x60, 0x0f, 0x49, 0x88, 0x45, 0x06, 0x97, 0xa0, 0x1c, 0x0c, 0x24, 0xc1,
-	0xfe, 0xc0, 0x90, 0xe4, 0x37, 0x73, 0x20, 0xf9, 0x59, 0xb0, 0xd8, 0xcd, 0x5e, 0x10, 0xe2, 0x67,
-	0x2d, 0x0a, 0x90, 0xcd, 0x88, 0x77, 0x42, 0xf5, 0x6c, 0x48, 0x05, 0x81, 0x62, 0xdf, 0x0f, 0x3c,
-	0x6b, 0x21, 0x45, 0x21, 0xbe, 0xc9, 0x7f, 0x10, 0xbc, 0x3c, 0x04, 0xf8, 0xd8, 0x43, 0x79, 0x2e,
-	0xd0, 0xf7, 0xa9, 0xb1, 0x38, 0x92, 0x1a, 0xa5, 0x41, 0x6a, 0xfc, 0x1b, 0xc1, 0xca, 0x90, 0x1d,
-	0x8f, 0x4f, 0x29, 0xcf, 0xcd, 0x96, 0x1b, 0x3c, 0x72, 0x99, 0xb5, 0x98, 0xf2, 0x4f, 0x0a, 0x82,
-	0xad, 0x3c, 0x0a, 0xf7, 0x68, 0x60, 0x95, 0x52, 0xb6, 0xa6, 0x12, 0xf9, 0x0b, 0x02, 0x4b, 0xef,
-	0xf0, 0x96, 0x2b, 0xf7, 0xdb, 0x09, 0x9e, 0xff, 0x4d, 0x9e, 0x86, 0x05, 0x2a, 0xd1, 0xaa, 0x83,
-	0x55, 0x12, 0xf9, 0x0e, 0x82, 0x33, 0xf9, 0xed, 0xc4, 0x5b, 0x7e, 0x9c, 0xe8, 0x97, 0x18, 0x6e,
-	0xc0, 0x62, 0x3a, 0x33, 0x4d, 0xd0, 0x95, 0xfa, 0xd6, 0x61, 0xc3, 0x76, 0xce, 0x75, 0x5a, 0x39,
-	0x79, 0x05, 0xce, 0x0c, 0xbd, 0xed, 0x0a, 0x86, 0x0d, 0x25, 0x9d, 0xaa, 0x94, 0x73, 0x33, 0x99,
-	0xfc, 0x71, 0x36, 0x1f, 0xfd, 0xb8, 0xb7, 0xc5, 0x9b, 0x05, 0x6f, 0xe6, 0xe2, 0x03, 0xb1, 0x60,
-	0x31, 0xe4, 0x9e, 0xf1, 0x3c, 0xd6, 0xa2, 0x58, 0xe7, 0xf2, 0x20, 0xa1, 0xa2, 0x12, 0x53, 0xef,
-	0xe2, 0xfe, 0x80, 0x38, 0xc8, 0xd8, 0x0f, 0x5c, 0xb6, 0xcb, 0x5c, 0x1e, 0x78, 0xb1, 0x3c, 0x91,
-	0x59, 0x27, 0x37, 0x86, 0xdf, 0x84, 0xb2, 0x94, 0xef, 0xf9, 0x6d, 0x26, 0xeb, 0x8c, 0x4a, 0x7d,
-	0xad, 0x9a, 0x96, 0x79, 0x55, 0xb3, 0xcc, 0xeb, 0xfb, 0x50, 0x94, 0x79, 0xd5, 0xee, 0xf5, 0xaa,
-	0x58, 0xe1, 0xf4, 0x17, 0x0b, 0x2c, 0x09, 0xf5, 0x5b, 0x5b, 0x7e, 0x20, 0x9f, 0x0f, 0xc2, 0x54,
-	0x7f, 0x40, 0x1c, 0x76, 0x83, 0xb7, 0x5a, 0xfc, 0x91, 0xe6, 0x6e, 0x2a, 0x89, 0x55, 0x9d, 0x20,
-	0xf1, 0x5b, 0xd2, 0x7e, 0x39, 0xdd, 0x41, 0x36, 0x20, 0x57, 0xf9, 0xad, 0x84, 0x45, 0x32, 0x41,
-	0x97, 0x1d, 0x25, 0x65, 0x74, 0xaa, 0xa4, 0x75, 0x8f, 0xbe, 0x33, 0x29, 0xf1, 0x8e, 0x98, 0xc4,
-	0x1b, 0x24, 0xf3, 0xd1, 0x21, 0xf5, 0x85, 0x2c, 0xe4, 0x58, 0xd7, 0xe7, 0x9d, 0xd8, 0x3a, 0x96,
-	0xa6, 0x31, 0x2d, 0x93, 0xdf, 0x21, 0x28, 0x6d, 0xf1, 0xe6, 0xed, 0x20, 0x89, 0x7a, 0xf2, 0xbd,
-	0xc9, 0x83, 0x84, 0x05, 0xfa, 0xc4, 0xb5, 0x28, 0xdc, 0x98, 0xf8, 0x6d, 0xb6, 0x9b, 0xd0, 0x76,
-	0xa8, 0x32, 0xee, 0x33, 0xb9, 0x31, 0x5b, 0x2c, 0xb6, 0xd6, 0xa2, 0x71, 0x22, 0x6f, 0x5d, 0xc9,
-	0x91, 0xdf, 0x62, 0x13, 0xd9, 0x84, 0xdd, 0x24, 0x52, 0x57, 0x2e, 0x37, 0x66, 0x92, 0x64, 0x3e,
-	0xc5, 0xa6, 0x44, 0x52, 0x83, 0x97, 0xb2, 0x47, 0xd8, 0x3d, 0x16, 0xb5, 0xfd, 0x80, 0x16, 0xc6,
-	0x40, 0x72, 0x3d, 0x47, 0x7c, 0xf1, 0x2a, 0x79, 0xe0, 0x07, 0x1e, 0x7f, 0x34, 0x9a, 0xc0, 0xe4,
-	0x6f, 0xf9, 0x5a, 0xd1, 0x58, 0x93, 0xdd, 0x97, 0x37, 0xe1, 0xa8, 0xb8, 0x59, 0x5d, 0xa6, 0x7e,
-	0x50, 0x97, 0x97, 0xe4, 0x2e, 0xe5, 0x50, 0x1d, 0x4e, 0x7e, 0x21, 0xde, 0x82, 0xe3, 0x34, 0x8e,
-	0xfd, 0x66, 0xc0, 0x3c, 0xad, 0x6b, 0x66, 0x62, 0x5d, 0x83, 0x4b, 0xd3, 0x22, 0x42, 0xce, 0x50,
-	0x3e, 0xd7, 0x22, 0xf9, 0x36, 0x82, 0x53, 0x43, 0x95, 0x64, 0xfc, 0x43, 0x46, 0x38, 0x13, 0x85,
-	0xbc, 0xbb, 0xc7, 0xbc, 0x4e, 0x8b, 0xe9, 0x52, 0x5a, 0xcb, 0xe2, 0x37, 0xaf, 0x93, 0x9e, 0x80,
-	0x0a, 0xa7, 0x99, 0x8c, 0x97, 0x01, 0xda, 0x34, 0xe8, 0xd0, 0x96, 0x84, 0x30, 0x27, 0x21, 0x18,
-	0x23, 0x64, 0x09, 0xec, 0x61, 0xc7, 0xa7, 0xca, 0xd2, 0x5f, 0x21, 0x38, 0xa6, 0x43, 0x93, 0x3a,
-	0x9f, 0x55, 0x38, 0x6e, 0xb8, 0x61, 0xa7, 0x7f, 0x54, 0x83, 0xc3, 0x63, 0xc2, 0x8e, 0x3e, 0xe7,
-	0xd9, 0x7c, 0x37, 0xa4, 0x9b, 0xeb, 0x67, 0x4c, 0x1c, 0xf7, 0xb3, 0x8b, 0x4a, 0xbe, 0x05, 0xd6,
-	0x36, 0x0d, 0x68, 0x93, 0x79, 0x19, 0xf0, 0x8c, 0x24, 0xdf, 0x30, 0x4b, 0xaf, 0x43, 0x17, 0x3a,
-	0x59, 0xda, 0xf7, 0x1b, 0x0d, 0x55, 0xc6, 0xd5, 0xff, 0xb9, 0x0c, 0xd8, 0x3c, 0x54, 0x16, 0x75,
-	0x7d, 0x97, 0xe1, 0x1f, 0x20, 0x98, 0x13, 0x59, 0x06, 0x9f, 0x1d, 0xc5, 0x21, 0xe9, 0x5c, 0x7b,
-	0x7a, 0xef, 0x68, 0x61, 0x8d, 0x2c, 0xbd, 0xf7, 0xf7, 0x7f, 0xfd, 0x70, 0xe6, 0x34, 0x7e, 0x51,
-	0xf6, 0xdd, 0xba, 0xd7, 0xcd, 0x1e, 0x58, 0x8c, 0xbf, 0x8b, 0x00, 0xab, 0xd4, 0x67, 0xb4, 0x5e,
-	0xf0, 0x95, 0x51, 0x10, 0x87, 0xb4, 0x68, 0xec, 0xb3, 0x46, 0x18, 0xaa, 0xba, 0x3c, 0x62, 0x22,
-	0xe8, 0xc8, 0x09, 0x12, 0xc0, 0x9a, 0x04, 0x70, 0x1e, 0x93, 0x61, 0x00, 0x6a, 0x8f, 0xc5, 0xa1,
-	0x3f, 0xa9, 0xb1, 0xd4, 0xee, 0xcf, 0x11, 0xcc, 0x3f, 0x90, 0x8f, 0xaf, 0x31, 0x4e, 0xda, 0x9d,
-	0x9a, 0x93, 0xa4, 0x39, 0x89, 0x96, 0x9c, 0x93, 0x48, 0xcf, 0xe2, 0x33, 0x1a, 0x69, 0x9c, 0x44,
-	0x8c, 0xb6, 0x73, 0x80, 0xaf, 0x21, 0xfc, 0x21, 0x82, 0x85, 0xb4, 0x39, 0x83, 0x2f, 0x8c, 0x42,
-	0x99, 0x6b, 0xde, 0xd8, 0xd3, 0xeb, 0x74, 0x90, 0xcb, 0x12, 0xe3, 0x39, 0x32, 0xf4, 0x38, 0x37,
-	0x72, 0x7d, 0x90, 0xf7, 0x11, 0xcc, 0x6e, 0xb2, 0xb1, 0x7c, 0x9b, 0x22, 0xb8, 0x03, 0x0e, 0x1c,
-	0x72, 0xd4, 0xf8, 0x03, 0x04, 0x2f, 0x6d, 0xb2, 0x64, 0x78, 0x2c, 0xc7, 0xab, 0xe3, 0x03, 0xac,
-	0xa2, 0xdd, 0x95, 0x09, 0x66, 0x66, 0x41, 0xac, 0x26, 0x91, 0x5d, 0xc6, 0x97, 0x8a, 0x48, 0x28,
-	0x0a, 0xe2, 0x47, 0x0a, 0xc7, 0x9f, 0x11, 0x9c, 0x18, 0x6c, 0x72, 0xe2, 0x7c, 0xf4, 0x1f, 0xda,
-	0x03, 0xb5, 0x77, 0x0e, 0x1b, 0x50, 0xf2, 0x4a, 0xc9, 0x2d, 0x89, 0xfc, 0x55, 0xfc, 0x4a, 0x11,
-	0x72, 0xdd, 0xf7, 0x89, 0x6b, 0x8f, 0xf5, 0xe7, 0x13, 0xd9, 0x2d, 0x97, 0xb0, 0xdf, 0x43, 0x70,
-	0x64, 0x93, 0x25, 0xdb, 0x59, 0xdb, 0x63, 0x24, 0x6d, 0x73, 0x7d, 0x4d, 0x7b, 0xa9, 0x6a, 0x34,
-	0xb5, 0xf5, 0x4f, 0x99, 0x4b, 0xd7, 0x25, 0xb0, 0x4b, 0xf8, 0x42, 0x11, 0xb0, 0x7e, 0xab, 0xe5,
-	0xf7, 0x08, 0x16, 0xd2, 0xb6, 0xc2, 0x68, 0xf3, 0xb9, 0xa6, 0xe1, 0x34, 0x89, 0x79, 0x5b, 0x62,
-	0xfd, 0xbc, 0x7d, 0x6d, 0x38, 0x56, 0x73, 0xbd, 0xf6, 0x5a, 0x55, 0x6e, 0x20, 0x7f, 0xa3, 0x3e,
-	0x42, 0x00, 0xfd, 0xd6, 0x08, 0xbe, 0x5c, 0xbc, 0x0f, 0xa3, 0x7d, 0x62, 0x4f, 0xb7, 0x39, 0x42,
-	0xaa, 0x72, 0x3f, 0xab, 0xf6, 0x4a, 0x21, 0x9d, 0x43, 0xe6, 0x6e, 0xa4, 0x6d, 0x94, 0x9f, 0x21,
-	0x98, 0x97, 0xb5, 0x38, 0x3e, 0x3f, 0x0a, 0xb3, 0x59, 0xaa, 0x4f, 0xd3, 0xf5, 0x17, 0x25, 0xd4,
-	0x95, 0x7a, 0x51, 0x4c, 0xd8, 0x40, 0x6b, 0xb8, 0x0b, 0x0b, 0x69, 0xed, 0x3c, 0x9a, 0x1e, 0xb9,
-	0xda, 0xda, 0x5e, 0x29, 0xc8, 0x51, 0x29, 0x43, 0x55, 0x38, 0x5a, 0x1b, 0x17, 0x8e, 0xe6, 0x44,
-	0xc4, 0xc0, 0xe7, 0x8a, 0xe2, 0xc9, 0xc7, 0xe0, 0x98, 0x2b, 0x12, 0xdd, 0x05, 0xb2, 0x32, 0x2e,
-	0x24, 0x09, 0xef, 0xfc, 0x08, 0xc1, 0x89, 0xc1, 0x27, 0x0d, 0x3e, 0x33, 0x10, 0x8e, 0xcc, 0x37,
-	0x9a, 0x9d, 0xf7, 0xe2, 0xa8, 0xe7, 0x10, 0xf9, 0x82, 0x44, 0xb1, 0x81, 0x6f, 0x8e, 0xbd, 0x19,
-	0x3b, 0xfa, 0x42, 0x0b, 0x45, 0xeb, 0xfd, 0x0e, 0xeb, 0x6f, 0x10, 0x1c, 0xd1, 0x7a, 0xef, 0x45,
-	0x8c, 0x15, 0xc3, 0x9a, 0xde, 0x45, 0x10, 0xb6, 0xc8, 0x67, 0x25, 0xfc, 0xcf, 0xe0, 0x1b, 0x13,
-	0xc2, 0xd7, 0xb0, 0xd7, 0x13, 0x81, 0xf4, 0x0f, 0x08, 0x4e, 0x3e, 0x48, 0x79, 0xff, 0x09, 0xe1,
-	0x7f, 0x5d, 0xe2, 0xff, 0x1c, 0x7e, 0xb5, 0xe0, 0xc9, 0x31, 0x6e, 0x1b, 0xd7, 0x10, 0xfe, 0x25,
-	0x82, 0x92, 0xee, 0x4e, 0xe2, 0x4b, 0x23, 0x2f, 0x46, 0xbe, 0x7f, 0x39, 0x4d, 0x32, 0xab, 0xfc,
-	0x4a, 0xce, 0x17, 0x66, 0x29, 0x65, 0x5f, 0x10, 0xfa, 0x7d, 0x04, 0x38, 0xab, 0x35, 0xb2, 0xea,
-	0x03, 0x5f, 0xcc, 0x99, 0x1a, 0x59, 0x54, 0xda, 0x97, 0xc6, 0xce, 0xcb, 0x67, 0xa9, 0xb5, 0xc2,
-	0x2c, 0xc5, 0x33, 0xfb, 0xdf, 0x43, 0x50, 0xd9, 0x64, 0xd9, 0x73, 0xb8, 0xc0, 0x97, 0xf9, 0xd6,
-	0xac, 0xbd, 0x3a, 0x7e, 0xa2, 0x42, 0x74, 0x55, 0x22, 0xba, 0x88, 0x8b, 0x5d, 0xa5, 0x01, 0xfc,
-	0x04, 0xc1, 0xd1, 0xbb, 0x26, 0x45, 0xf1, 0xd5, 0x71, 0x96, 0x72, 0x91, 0x7c, 0x72, 0x5c, 0x9f,
-	0x96, 0xb8, 0xd6, 0xc9, 0x44, 0xb8, 0x36, 0x54, 0x8f, 0xf4, 0xa7, 0x08, 0x5e, 0x30, 0xeb, 0x07,
-	0xd5, 0x4d, 0xfb, 0x7f, 0xfd, 0x56, 0xd0, 0x94, 0x23, 0x37, 0x24, 0xbe, 0x2a, 0xbe, 0x3a, 0x09,
-	0xbe, 0x9a, 0x6a, 0xb1, 0xe1, 0x1f, 0x23, 0x38, 0x29, 0x7b, 0x95, 0xa6, 0xe2, 0x81, 0x14, 0x33,
-	0xaa, 0xb3, 0x39, 0x41, 0x8a, 0x51, 0xf1, 0x87, 0x3c, 0x13, 0xa8, 0x0d, 0xd5, 0x87, 0xc4, 0xdf,
-	0x47, 0x70, 0x4c, 0x27, 0x35, 0x75, 0xba, 0xeb, 0xe3, 0x1c, 0xf7, 0xac, 0x49, 0x50, 0xd1, 0x6d,
-	0x6d, 0x32, 0xba, 0x7d, 0x88, 0x60, 0x51, 0xf5, 0x12, 0x0b, 0x9e, 0x0a, 0x46, 0xb3, 0xd1, 0x3e,
-	0x95, 0x9b, 0xa5, 0x1b, 0x59, 0xe4, 0x6b, 0xd2, 0xec, 0x7d, 0x5c, 0x2b, 0x32, 0x1b, 0x72, 0x2f,
-	0xae, 0x3d, 0x56, 0x5d, 0xa4, 0x27, 0xb5, 0x16, 0x6f, 0xc6, 0xef, 0x10, 0x5c, 0x98, 0x10, 0xc5,
-	0x9c, 0x6b, 0xe8, 0xb5, 0x2f, 0xfe, 0xe9, 0xe9, 0x32, 0xfa, 0xeb, 0xd3, 0x65, 0xf4, 0x8f, 0xa7,
-	0xcb, 0xe8, 0x9d, 0x9b, 0x93, 0xfd, 0xff, 0xc3, 0x6d, 0xf9, 0x2c, 0x48, 0x4c, 0xb5, 0xff, 0x0b,
-	0x00, 0x00, 0xff, 0xff, 0xa3, 0x87, 0x84, 0x43, 0xe5, 0x22, 0x00, 0x00,
+	0x5c, 0x56, 0x48, 0x5c, 0xe0, 0xc2, 0x87, 0xc4, 0x61, 0x05, 0xff, 0x00, 0x44, 0x9c, 0xb8, 0x70,
+	0xe5, 0x88, 0xaa, 0xba, 0xaa, 0x5d, 0xed, 0xb1, 0xdb, 0x0e, 0x63, 0xb4, 0xb9, 0xf5, 0x2b, 0x57,
+	0xbd, 0xf7, 0x7b, 0xaf, 0xde, 0x47, 0xbd, 0x27, 0xc3, 0xf9, 0x98, 0x45, 0x5d, 0x16, 0xd5, 0x68,
+	0x18, 0xb6, 0x7c, 0x97, 0x26, 0x3e, 0x0f, 0xcc, 0xef, 0x6a, 0x18, 0xf1, 0x84, 0xe3, 0x8a, 0xb1,
+	0x64, 0x2f, 0x35, 0x39, 0x6f, 0xb6, 0x58, 0x8d, 0x86, 0x7e, 0x8d, 0x06, 0x01, 0x4f, 0xe4, 0x72,
+	0x9c, 0x6e, 0xb5, 0xc9, 0xfe, 0xcd, 0xb8, 0xea, 0x73, 0xf9, 0xab, 0xcb, 0x23, 0x56, 0xeb, 0x5e,
+	0xaf, 0x35, 0x59, 0xc0, 0x22, 0x9a, 0x30, 0x4f, 0xed, 0xb9, 0xd1, 0xdf, 0xd3, 0xa6, 0xee, 0x9e,
+	0x1f, 0xb0, 0xa8, 0x57, 0x0b, 0xf7, 0x9b, 0x62, 0x21, 0xae, 0xb5, 0x59, 0x42, 0x87, 0x9d, 0xda,
+	0x6a, 0xfa, 0xc9, 0x5e, 0xe7, 0xdd, 0xaa, 0xcb, 0xdb, 0x35, 0x1a, 0x35, 0x79, 0x18, 0xf1, 0x6f,
+	0xca, 0x8f, 0x75, 0xd7, 0xab, 0x75, 0xeb, 0x7d, 0x06, 0xa6, 0x2e, 0xdd, 0xeb, 0xb4, 0x15, 0xee,
+	0xd1, 0x83, 0xdc, 0x6e, 0x8f, 0xe1, 0x16, 0xb1, 0x90, 0x2b, 0xdb, 0xc8, 0x4f, 0x3f, 0xe1, 0x51,
+	0xcf, 0xf8, 0x4c, 0xd9, 0x90, 0x8f, 0x11, 0x9c, 0xb8, 0xd5, 0x97, 0xf7, 0xe5, 0x0e, 0x8b, 0x7a,
+	0x18, 0xc3, 0x5c, 0x40, 0xdb, 0xcc, 0x42, 0x2b, 0x68, 0xb5, 0xec, 0xc8, 0x6f, 0x6c, 0xc1, 0x62,
+	0xc4, 0x1a, 0x11, 0x8b, 0xf7, 0xac, 0x19, 0xb9, 0xac, 0x49, 0x6c, 0x43, 0x49, 0x08, 0x67, 0x6e,
+	0x12, 0x5b, 0xb3, 0x2b, 0xb3, 0xab, 0x65, 0x27, 0xa3, 0xf1, 0x2a, 0x1c, 0x8f, 0x58, 0xcc, 0x3b,
+	0x91, 0xcb, 0xbe, 0xc2, 0xa2, 0xd8, 0xe7, 0x81, 0x35, 0x27, 0x4f, 0x0f, 0x2e, 0x0b, 0x2e, 0x31,
+	0x6b, 0x31, 0x37, 0xe1, 0x91, 0x35, 0x2f, 0xb7, 0x64, 0xb4, 0xc0, 0x23, 0x80, 0x5b, 0x0b, 0x29,
+	0x1e, 0xf1, 0x2d, 0xf0, 0x28, 0x29, 0x56, 0x49, 0x0a, 0xd5, 0x24, 0x79, 0x19, 0xca, 0x3b, 0xdc,
+	0x63, 0x23, 0x55, 0x21, 0x9b, 0x70, 0xca, 0x61, 0x5d, 0x5f, 0x88, 0xdd, 0x66, 0x09, 0xf5, 0x68,
+	0x42, 0x07, 0x37, 0xcf, 0x64, 0x7a, 0xdb, 0x50, 0x8a, 0xd4, 0x66, 0x6b, 0x46, 0xae, 0x67, 0x34,
+	0xf9, 0x05, 0x82, 0x65, 0xc3, 0x78, 0x8e, 0x52, 0xe9, 0x76, 0x97, 0x05, 0x49, 0x3c, 0x9a, 0xe5,
+	0x55, 0x38, 0xa9, 0xb5, 0xdf, 0xa1, 0x6d, 0x16, 0x87, 0xd4, 0x65, 0xca, 0xa8, 0x07, 0x7f, 0xc0,
+	0x04, 0x8e, 0x98, 0x8b, 0xd6, 0xac, 0xdc, 0x98, 0x5b, 0xc3, 0x2b, 0x50, 0xd1, 0xf4, 0xfd, 0x3b,
+	0x6f, 0x28, 0x13, 0x9b, 0x4b, 0xe4, 0x2d, 0xb0, 0x0c, 0xa4, 0xdb, 0x34, 0xf0, 0x1b, 0x2c, 0x4e,
+	0x26, 0x55, 0x1b, 0xe5, 0xd4, 0x3e, 0x05, 0x2f, 0xe4, 0xb5, 0x0e, 0x79, 0x10, 0x33, 0xf2, 0x5b,
+	0x94, 0x93, 0xf1, 0x7a, 0xc4, 0x68, 0xc2, 0x1c, 0xf6, 0xb0, 0xc3, 0xe2, 0x04, 0xef, 0x83, 0x19,
+	0x83, 0x52, 0x54, 0xa5, 0x7e, 0xa7, 0xda, 0x77, 0xe2, 0xaa, 0x76, 0x62, 0xf9, 0xf1, 0x75, 0xd7,
+	0xab, 0x76, 0xeb, 0xd5, 0x70, 0xbf, 0x59, 0x15, 0x21, 0x51, 0x35, 0x43, 0x5a, 0x87, 0x44, 0xd5,
+	0x04, 0x61, 0x72, 0xc7, 0xa7, 0x61, 0xa1, 0x13, 0xc6, 0x2c, 0x4a, 0x24, 0xf4, 0x92, 0xa3, 0x28,
+	0xa1, 0x54, 0x97, 0xb6, 0x7c, 0x8f, 0x26, 0xa9, 0x19, 0x4b, 0x4e, 0x46, 0x93, 0x0f, 0xf2, 0xe8,
+	0xef, 0x87, 0xde, 0x27, 0x85, 0xde, 0x44, 0x39, 0x33, 0x80, 0xb2, 0x9b, 0x03, 0xf9, 0x06, 0x6b,
+	0xb1, 0x3e, 0xc8, 0x61, 0xd7, 0x68, 0xc1, 0xa2, 0x4b, 0x63, 0x97, 0x7a, 0x9a, 0x95, 0x26, 0x85,
+	0x13, 0x86, 0x11, 0x0f, 0x69, 0x53, 0x72, 0xba, 0xcb, 0x5b, 0xbe, 0xdb, 0x53, 0xbe, 0x75, 0xf0,
+	0x07, 0x72, 0x0e, 0x2a, 0xbb, 0xbd, 0xc0, 0x7d, 0x3b, 0x94, 0xa9, 0x12, 0xbf, 0x08, 0xf3, 0x7e,
+	0xc2, 0xda, 0xb1, 0x85, 0x64, 0xe8, 0xa5, 0x04, 0xf9, 0xcf, 0x1c, 0x9c, 0x36, 0xd0, 0x89, 0x03,
+	0x45, 0xd8, 0x0a, 0x5c, 0x4c, 0xdc, 0xa0, 0x17, 0xf5, 0x9c, 0x4e, 0xa0, 0xee, 0x49, 0x51, 0x42,
+	0x70, 0x18, 0x75, 0x02, 0x26, 0x5d, 0xbc, 0xe4, 0xa4, 0x04, 0x6e, 0x40, 0x29, 0x4e, 0x44, 0x72,
+	0x6c, 0xf6, 0x64, 0xee, 0xa8, 0xd4, 0xdf, 0x3a, 0xdc, 0xdd, 0x08, 0xe8, 0xbb, 0x8a, 0xa3, 0x93,
+	0xf1, 0xc6, 0x0f, 0xa1, 0xac, 0x63, 0x2a, 0xb6, 0x16, 0x57, 0x66, 0x57, 0x2b, 0xf5, 0xdd, 0xc3,
+	0x0b, 0x7a, 0x3b, 0x14, 0x89, 0xdd, 0xc8, 0x1f, 0x4e, 0x5f, 0x0a, 0x5e, 0x82, 0x72, 0x5b, 0x05,
+	0x6b, 0xac, 0x12, 0x5d, 0x7f, 0x01, 0x7f, 0x15, 0xe6, 0xfd, 0xa0, 0xc1, 0x63, 0xab, 0x2c, 0xc1,
+	0xbc, 0x76, 0x38, 0x30, 0x77, 0x82, 0x06, 0x77, 0x52, 0x86, 0xf8, 0x21, 0x1c, 0x8d, 0x58, 0x12,
+	0xf5, 0xb4, 0x15, 0x2c, 0x90, 0x76, 0xfd, 0xd2, 0xe1, 0x24, 0x38, 0x26, 0x4b, 0x27, 0x2f, 0x01,
+	0x6f, 0x40, 0x25, 0xee, 0xfb, 0x98, 0x55, 0x91, 0x02, 0xad, 0x1c, 0x23, 0xc3, 0x07, 0x1d, 0x73,
+	0x33, 0xf9, 0x35, 0x82, 0xa5, 0x03, 0xd1, 0xbb, 0x1b, 0xb2, 0x42, 0x07, 0xa4, 0x30, 0x17, 0x87,
+	0xcc, 0x95, 0x69, 0xbd, 0x52, 0xdf, 0x9e, 0x5a, 0x38, 0x4b, 0xb9, 0x92, 0x75, 0x61, 0xc6, 0xa1,
+	0xf0, 0x29, 0xe3, 0xd0, 0x5d, 0x9a, 0xb8, 0x7b, 0x45, 0x68, 0x85, 0xeb, 0x8b, 0x3d, 0xaa, 0x0a,
+	0xa5, 0x84, 0xf0, 0x0f, 0xf9, 0x71, 0xaf, 0x17, 0x0a, 0x09, 0xe2, 0x97, 0xfe, 0x02, 0x09, 0xc0,
+	0x36, 0xd3, 0x0c, 0x6f, 0xb5, 0xde, 0xa5, 0xee, 0x7e, 0x91, 0x94, 0x63, 0x30, 0xe3, 0x7b, 0x52,
+	0xc4, 0xac, 0x33, 0xe3, 0x7b, 0xcf, 0x16, 0x88, 0xe4, 0x23, 0x94, 0x17, 0xa8, 0x1d, 0xba, 0x40,
+	0xe0, 0x12, 0x94, 0x83, 0x81, 0x22, 0xd8, 0x5f, 0x18, 0x52, 0xfc, 0x66, 0x0e, 0x14, 0x3f, 0x0b,
+	0x16, 0xbb, 0xd9, 0xdb, 0x42, 0xfc, 0xac, 0x49, 0x01, 0xb2, 0x19, 0xf1, 0x4e, 0xa8, 0x1e, 0x14,
+	0x29, 0x21, 0x50, 0xec, 0xfb, 0x81, 0x67, 0x2d, 0xa4, 0x28, 0xc4, 0x37, 0xf9, 0x37, 0x82, 0x97,
+	0x87, 0x00, 0x1f, 0x7b, 0x29, 0xcf, 0x05, 0xfa, 0xbe, 0x6b, 0x2c, 0x8e, 0x74, 0x8d, 0xd2, 0xa0,
+	0x6b, 0xfc, 0x0b, 0xc1, 0xca, 0x10, 0x8d, 0xc7, 0x97, 0x94, 0xe7, 0x46, 0xe5, 0x06, 0x8f, 0x5c,
+	0x66, 0x2d, 0xa6, 0xfe, 0x27, 0x09, 0xe1, 0xad, 0x3c, 0x0a, 0xf7, 0x68, 0x60, 0x95, 0x52, 0x6f,
+	0x4d, 0x29, 0xf2, 0x17, 0x04, 0x96, 0xd6, 0xf0, 0x96, 0x2b, 0xf5, 0xed, 0x04, 0xcf, 0xbf, 0x92,
+	0xa7, 0x61, 0x81, 0x4a, 0xb4, 0xea, 0x62, 0x15, 0x45, 0xbe, 0x83, 0xe0, 0x4c, 0x5e, 0x9d, 0x78,
+	0xcb, 0x8f, 0x13, 0xfd, 0x12, 0xc3, 0x0d, 0x58, 0x4c, 0x77, 0xa6, 0x05, 0xba, 0x52, 0xdf, 0x3a,
+	0x6c, 0xda, 0xce, 0x99, 0x4e, 0x33, 0x27, 0xaf, 0xc0, 0x99, 0xa1, 0xd1, 0xae, 0x60, 0xd8, 0x50,
+	0xd2, 0xa5, 0x4a, 0x19, 0x37, 0xa3, 0xc9, 0x1f, 0x67, 0xf3, 0xd9, 0x8f, 0x7b, 0x5b, 0xbc, 0x59,
+	0xf0, 0x66, 0x2e, 0xbe, 0x10, 0xd1, 0x0c, 0x70, 0xcf, 0x78, 0x1e, 0x6b, 0x52, 0x9c, 0x73, 0x79,
+	0x90, 0x50, 0xd1, 0xa3, 0xa9, 0x77, 0x71, 0x7f, 0x41, 0x5c, 0x64, 0xec, 0x07, 0x2e, 0xdb, 0x65,
+	0x2e, 0x0f, 0xbc, 0x58, 0xde, 0xc8, 0xac, 0x93, 0x5b, 0xc3, 0x6f, 0x42, 0x59, 0xd2, 0xf7, 0xfc,
+	0x36, 0x93, 0x1d, 0x48, 0xa5, 0xbe, 0x56, 0x4d, 0x1b, 0xc0, 0xaa, 0xd9, 0x00, 0xf6, 0x6d, 0x28,
+	0x1a, 0xc0, 0x6a, 0xf7, 0x7a, 0x55, 0x9c, 0x70, 0xfa, 0x87, 0x05, 0x96, 0x84, 0xfa, 0xad, 0x2d,
+	0x3f, 0x90, 0xcf, 0x07, 0x21, 0xaa, 0xbf, 0x20, 0x2e, 0xbb, 0xc1, 0x5b, 0x2d, 0xfe, 0x48, 0xfb,
+	0x6e, 0x4a, 0x89, 0x53, 0x9d, 0x20, 0xf1, 0x5b, 0x52, 0x7e, 0x39, 0xd5, 0x20, 0x5b, 0x90, 0xa7,
+	0xfc, 0x56, 0xc2, 0x22, 0x59, 0xa0, 0xcb, 0x8e, 0xa2, 0x32, 0x77, 0xaa, 0xa4, 0x7d, 0x8f, 0x8e,
+	0x99, 0xd4, 0xf1, 0x8e, 0x98, 0x8e, 0x37, 0xe8, 0xcc, 0x47, 0x87, 0xf4, 0x17, 0xb2, 0xc5, 0x63,
+	0x5d, 0x9f, 0x77, 0x62, 0xeb, 0x58, 0x5a, 0xc6, 0x34, 0x4d, 0x7e, 0x87, 0xa0, 0xb4, 0xc5, 0x9b,
+	0xb7, 0x83, 0x24, 0xea, 0xc9, 0xf7, 0x26, 0x0f, 0x12, 0x16, 0xe8, 0x1b, 0xd7, 0xa4, 0x30, 0x63,
+	0xe2, 0xb7, 0xd9, 0x6e, 0x42, 0xdb, 0xa1, 0xaa, 0xb8, 0xcf, 0x64, 0xc6, 0xec, 0xb0, 0x50, 0xad,
+	0x45, 0xe3, 0x44, 0x46, 0x5d, 0xc9, 0x91, 0xdf, 0x42, 0x89, 0x6c, 0xc3, 0x6e, 0x12, 0xa9, 0x90,
+	0xcb, 0xad, 0x99, 0x4e, 0x32, 0x9f, 0x62, 0x53, 0x24, 0xa9, 0xc1, 0x4b, 0xd9, 0x23, 0xec, 0x1e,
+	0x8b, 0xda, 0x7e, 0x40, 0x0b, 0x73, 0x20, 0xb9, 0x9e, 0x73, 0x7c, 0xf1, 0x2a, 0x79, 0xe0, 0x07,
+	0x1e, 0x7f, 0x34, 0xda, 0x81, 0xc9, 0x5f, 0xf3, 0xbd, 0xa2, 0x71, 0x26, 0x8b, 0x97, 0x37, 0xe1,
+	0xa8, 0x88, 0xac, 0x2e, 0x53, 0x3f, 0xa8, 0xe0, 0x25, 0xb9, 0xa0, 0x1c, 0xca, 0xc3, 0xc9, 0x1f,
+	0xc4, 0x5b, 0x70, 0x9c, 0xc6, 0xb1, 0xdf, 0x0c, 0x98, 0xa7, 0x79, 0xcd, 0x4c, 0xcc, 0x6b, 0xf0,
+	0x68, 0xda, 0x44, 0xc8, 0x1d, 0xca, 0xe6, 0x9a, 0x24, 0xdf, 0x46, 0x70, 0x6a, 0x28, 0x93, 0xcc,
+	0xff, 0x90, 0x91, 0xce, 0x44, 0x8b, 0xef, 0xee, 0x31, 0xaf, 0xd3, 0x62, 0xba, 0x95, 0xd6, 0xb4,
+	0xf8, 0xcd, 0xeb, 0xa4, 0x37, 0xa0, 0xd2, 0x69, 0x46, 0xe3, 0x65, 0x80, 0x36, 0x0d, 0x3a, 0xb4,
+	0x25, 0x21, 0xcc, 0x49, 0x08, 0xc6, 0x0a, 0x59, 0x02, 0x7b, 0xd8, 0xf5, 0xa9, 0xb6, 0xf4, 0x57,
+	0x08, 0x8e, 0xe9, 0xd4, 0xa4, 0xee, 0x67, 0x15, 0x8e, 0x1b, 0x66, 0xd8, 0xe9, 0x5f, 0xd5, 0xe0,
+	0xf2, 0x98, 0xb4, 0xa3, 0xef, 0x79, 0x36, 0x3f, 0x27, 0xe9, 0xe6, 0x26, 0x1d, 0x13, 0xe7, 0xfd,
+	0x2c, 0x50, 0xc9, 0xb7, 0xc0, 0xda, 0xa6, 0x01, 0x6d, 0x32, 0x2f, 0x03, 0x9e, 0x39, 0xc9, 0x37,
+	0xcc, 0xd6, 0xeb, 0xd0, 0x8d, 0x4e, 0x56, 0xf6, 0xfd, 0x46, 0x43, 0xb5, 0x71, 0xf5, 0x7f, 0x2c,
+	0x03, 0x36, 0x2f, 0x95, 0x45, 0x5d, 0xdf, 0x65, 0xf8, 0x07, 0x08, 0xe6, 0x44, 0x95, 0xc1, 0x67,
+	0x47, 0xf9, 0x90, 0x34, 0xae, 0x3d, 0xbd, 0x77, 0xb4, 0x90, 0x46, 0x96, 0xde, 0xfb, 0xdb, 0x3f,
+	0x7f, 0x38, 0x73, 0x1a, 0xbf, 0x28, 0x27, 0x72, 0xdd, 0xeb, 0xe6, 0x74, 0x2c, 0xc6, 0xdf, 0x45,
+	0x80, 0x55, 0xe9, 0x33, 0x46, 0x2f, 0xf8, 0xca, 0x28, 0x88, 0x43, 0x46, 0x34, 0xf6, 0x59, 0x23,
+	0x0d, 0x55, 0x5d, 0x1e, 0x31, 0x91, 0x74, 0xe4, 0x06, 0x09, 0x60, 0x4d, 0x02, 0x38, 0x8f, 0xc9,
+	0x30, 0x00, 0xb5, 0xc7, 0xe2, 0xd2, 0x9f, 0xd4, 0x58, 0x2a, 0xf7, 0xe7, 0x08, 0xe6, 0x1f, 0xc8,
+	0xc7, 0xd7, 0x18, 0x23, 0xed, 0x4e, 0xcd, 0x48, 0x52, 0x9c, 0x44, 0x4b, 0xce, 0x49, 0xa4, 0x67,
+	0xf1, 0x19, 0x8d, 0x34, 0x4e, 0x22, 0x46, 0xdb, 0x39, 0xc0, 0xd7, 0x10, 0xfe, 0x10, 0xc1, 0x42,
+	0x3a, 0x9c, 0xc1, 0x17, 0x46, 0xa1, 0xcc, 0x0d, 0x6f, 0xec, 0xe9, 0x4d, 0x3a, 0xc8, 0x65, 0x89,
+	0xf1, 0x1c, 0x19, 0x7a, 0x9d, 0x1b, 0xb9, 0x39, 0xc8, 0xfb, 0x08, 0x66, 0x37, 0xd9, 0x58, 0x7f,
+	0x9b, 0x22, 0xb8, 0x03, 0x06, 0x1c, 0x72, 0xd5, 0xf8, 0x03, 0x04, 0x2f, 0x6d, 0xb2, 0x64, 0x78,
+	0x2e, 0xc7, 0xab, 0xe3, 0x13, 0xac, 0x72, 0xbb, 0x2b, 0x13, 0xec, 0xcc, 0x92, 0x58, 0x4d, 0x22,
+	0xbb, 0x8c, 0x2f, 0x15, 0x39, 0xa1, 0x68, 0x88, 0x1f, 0x29, 0x1c, 0x7f, 0x46, 0x70, 0x62, 0x70,
+	0xc8, 0x89, 0xf3, 0xd9, 0x7f, 0xe8, 0x0c, 0xd4, 0xde, 0x39, 0x6c, 0x42, 0xc9, 0x33, 0x25, 0xb7,
+	0x24, 0xf2, 0x57, 0xf1, 0x2b, 0x45, 0xc8, 0xf5, 0xdc, 0x27, 0xae, 0x3d, 0xd6, 0x9f, 0x4f, 0xe4,
+	0x1c, 0x5d, 0xc2, 0x7e, 0x0f, 0xc1, 0x91, 0x4d, 0x96, 0x6c, 0x67, 0x63, 0x8f, 0x91, 0x6e, 0x9b,
+	0x9b, 0x6b, 0xda, 0x4b, 0x55, 0x63, 0xdc, 0xad, 0x7f, 0xca, 0x4c, 0xba, 0x2e, 0x81, 0x5d, 0xc2,
+	0x17, 0x8a, 0x80, 0xf5, 0x47, 0x2d, 0xbf, 0x47, 0xb0, 0x90, 0x8e, 0x15, 0x46, 0x8b, 0xcf, 0x0d,
+	0x0d, 0xa7, 0xe9, 0x98, 0xb7, 0x25, 0xd6, 0xcf, 0xdb, 0xd7, 0x86, 0x63, 0x35, 0xcf, 0x6b, 0xab,
+	0x55, 0xa5, 0x02, 0xf9, 0x88, 0xfa, 0x08, 0x01, 0xf4, 0x47, 0x23, 0xf8, 0x72, 0xb1, 0x1e, 0xc6,
+	0xf8, 0xc4, 0x9e, 0xee, 0x70, 0x84, 0x54, 0xa5, 0x3e, 0xab, 0xf6, 0x4a, 0xa1, 0x3b, 0x87, 0xcc,
+	0xdd, 0x48, 0xc7, 0x28, 0x3f, 0x43, 0x30, 0x2f, 0x7b, 0x71, 0x7c, 0x7e, 0x14, 0x66, 0xb3, 0x55,
+	0x9f, 0xa6, 0xe9, 0x2f, 0x4a, 0xa8, 0x2b, 0xf5, 0xa2, 0x9c, 0xb0, 0x81, 0xd6, 0x70, 0x17, 0x16,
+	0xd2, 0xde, 0x79, 0xb4, 0x7b, 0xe4, 0x7a, 0x6b, 0x7b, 0xa5, 0xa0, 0x46, 0xa5, 0x1e, 0xaa, 0xd2,
+	0xd1, 0xda, 0xb8, 0x74, 0x34, 0x27, 0x32, 0x06, 0x3e, 0x57, 0x94, 0x4f, 0xfe, 0x0f, 0x86, 0xb9,
+	0x22, 0xd1, 0x5d, 0x20, 0x2b, 0xe3, 0x52, 0x92, 0xb0, 0xce, 0x8f, 0x10, 0x9c, 0x18, 0x7c, 0xd2,
+	0xe0, 0x33, 0x03, 0xe9, 0xc8, 0x7c, 0xa3, 0xd9, 0x79, 0x2b, 0x8e, 0x7a, 0x0e, 0x91, 0x2f, 0x48,
+	0x14, 0x1b, 0xf8, 0xe6, 0xd8, 0xc8, 0xd8, 0xd1, 0x01, 0x2d, 0x18, 0xad, 0xf7, 0x27, 0xac, 0xbf,
+	0x41, 0x70, 0x44, 0xf3, 0xbd, 0x17, 0x31, 0x56, 0x0c, 0x6b, 0x7a, 0x81, 0x20, 0x64, 0x91, 0xcf,
+	0x4a, 0xf8, 0x9f, 0xc1, 0x37, 0x26, 0x84, 0xaf, 0x61, 0xaf, 0x27, 0x02, 0xe9, 0x1f, 0x10, 0x9c,
+	0x7c, 0x90, 0xfa, 0xfd, 0x27, 0x84, 0xff, 0x75, 0x89, 0xff, 0x73, 0xf8, 0xd5, 0x82, 0x27, 0xc7,
+	0x38, 0x35, 0xae, 0x21, 0xfc, 0x4b, 0x04, 0x25, 0x3d, 0x9d, 0xc4, 0x97, 0x46, 0x06, 0x46, 0x7e,
+	0x7e, 0x39, 0x4d, 0x67, 0x56, 0xf5, 0x95, 0x9c, 0x2f, 0xac, 0x52, 0x4a, 0xbe, 0x70, 0xe8, 0xf7,
+	0x11, 0xe0, 0xac, 0xd7, 0xc8, 0xba, 0x0f, 0x7c, 0x31, 0x27, 0x6a, 0x64, 0x53, 0x69, 0x5f, 0x1a,
+	0xbb, 0x2f, 0x5f, 0xa5, 0xd6, 0x0a, 0xab, 0x14, 0xcf, 0xe4, 0x7f, 0x0f, 0x41, 0x65, 0x93, 0x65,
+	0xcf, 0xe1, 0x02, 0x5b, 0xe6, 0x47, 0xb3, 0xf6, 0xea, 0xf8, 0x8d, 0x0a, 0xd1, 0x55, 0x89, 0xe8,
+	0x22, 0x2e, 0x36, 0x95, 0x06, 0xf0, 0x13, 0x04, 0x47, 0xef, 0x9a, 0x2e, 0x8a, 0xaf, 0x8e, 0x93,
+	0x94, 0xcb, 0xe4, 0x93, 0xe3, 0xfa, 0xb4, 0xc4, 0xb5, 0x4e, 0x26, 0xc2, 0xb5, 0xa1, 0x66, 0xa4,
+	0x3f, 0x45, 0xf0, 0x82, 0xd9, 0x3f, 0xa8, 0x69, 0xda, 0xff, 0x6a, 0xb7, 0x82, 0xa1, 0x1c, 0xb9,
+	0x21, 0xf1, 0x55, 0xf1, 0xd5, 0x49, 0xf0, 0xd5, 0xd4, 0x88, 0x0d, 0xff, 0x18, 0xc1, 0x49, 0x39,
+	0xab, 0x34, 0x19, 0x0f, 0x94, 0x98, 0x51, 0x93, 0xcd, 0x09, 0x4a, 0x8c, 0xca, 0x3f, 0xe4, 0x99,
+	0x40, 0x6d, 0xa8, 0x39, 0x24, 0xfe, 0x3e, 0x82, 0x63, 0xba, 0xa8, 0xa9, 0xdb, 0x5d, 0x1f, 0x67,
+	0xb8, 0x67, 0x2d, 0x82, 0xca, 0xdd, 0xd6, 0x26, 0x73, 0xb7, 0x0f, 0x11, 0x2c, 0xaa, 0x59, 0x62,
+	0xc1, 0x53, 0xc1, 0x18, 0x36, 0xda, 0xa7, 0x72, 0xbb, 0xf4, 0x20, 0x8b, 0x7c, 0x4d, 0x8a, 0xbd,
+	0x8f, 0x6b, 0x45, 0x62, 0x43, 0xee, 0xc5, 0xb5, 0xc7, 0x6a, 0x8a, 0xf4, 0xa4, 0xd6, 0xe2, 0xcd,
+	0xf8, 0x1d, 0x82, 0x0b, 0x0b, 0xa2, 0xd8, 0x73, 0x0d, 0xbd, 0xf6, 0xc5, 0x3f, 0x3d, 0x5d, 0x46,
+	0x1f, 0x3f, 0x5d, 0x46, 0x7f, 0x7f, 0xba, 0x8c, 0xde, 0xb9, 0x39, 0xd9, 0x3f, 0x43, 0xdc, 0x96,
+	0xcf, 0x82, 0xc4, 0x64, 0xfb, 0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xaf, 0x09, 0x16, 0xc3, 0xff,
+	0x22, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -3305,6 +3315,15 @@ func (m *ApplicationQuery) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.Project) > 0 {
+		for iNdEx := len(m.Project) - 1; iNdEx >= 0; iNdEx-- {
+			i -= len(m.Project[iNdEx])
+			copy(dAtA[i:], m.Project[iNdEx])
+			i = encodeVarintApplication(dAtA, i, uint64(len(m.Project[iNdEx])))
+			i--
+			dAtA[i] = 0x42
+		}
+	}
 	if m.Repo != nil {
 		i -= len(*m.Repo)
 		copy(dAtA[i:], *m.Repo)
@@ -5105,6 +5124,12 @@ func (m *ApplicationQuery) Size() (n int) {
 		l = len(*m.Repo)
 		n += 1 + l + sovApplication(uint64(l))
 	}
+	if len(m.Project) > 0 {
+		for _, s := range m.Project {
+			l = len(s)
+			n += 1 + l + sovApplication(uint64(l))
+		}
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -6092,6 +6117,38 @@ func (m *ApplicationQuery) Unmarshal(dAtA []byte) error {
 			s := string(dAtA[iNdEx:postIndex])
 			m.Repo = &s
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowApplication
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthApplication
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthApplication
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Project = append(m.Project, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipApplication(dAtA[iNdEx:])

pkg/apis/application/register.go

@@ -18,8 +18,8 @@ const (
 	AppProjectShortName string = "appproject"
 	AppProjectFullName  string = AppProjectPlural + "." + Group
 
-	// AppProject constants
-	ApplicationSetKind      string = "Applicationset"
+	// ApplicationSet constants
+	ApplicationSetKind      string = "ApplicationSet"
 	ApplicationSetSingular  string = "applicationset"
 	ApplicationSetPlural    string = "applicationsets"
 	ApplicationSetShortName string = "appset"

pkg/apis/applicationset/v1alpha1/applicationset_types.go

@@ -496,7 +496,7 @@ const (
 // prefix "Info" means informational condition
 type ApplicationSetConditionType string
 
-//ErrorOccurred / ParametersGenerated / TemplateRendered / ResourcesUpToDate
+// ErrorOccurred / ParametersGenerated / TemplateRendered / ResourcesUpToDate
 const (
 	ApplicationSetConditionErrorOccurred       ApplicationSetConditionType = "ErrorOccurred"
 	ApplicationSetConditionParametersGenerated ApplicationSetConditionType = "ParametersGenerated"

server/application/application.go

@@ -67,7 +67,8 @@ const (
 )
 
 var (
-	watchAPIBufferSize = env.ParseNumFromEnv(argocommon.EnvWatchAPIBufferSize, 1000, 0, math.MaxInt32)
+	watchAPIBufferSize  = env.ParseNumFromEnv(argocommon.EnvWatchAPIBufferSize, 1000, 0, math.MaxInt32)
+	permissionDeniedErr = status.Error(codes.PermissionDenied, "permission denied")
 )
 
 // Server provides an Application service
@@ -77,7 +78,7 @@ type Server struct {
 	appclientset   appclientset.Interface
 	appLister      applisters.ApplicationNamespaceLister
 	appInformer    cache.SharedIndexInformer
-	appBroadcaster *broadcasterHandler
+	appBroadcaster Broadcaster
 	repoClientset  apiclient.Clientset
 	kubectl        kube.Kubectl
 	db             db.ArgoDB
@@ -96,6 +97,7 @@ func NewServer(
 	appclientset appclientset.Interface,
 	appLister applisters.ApplicationNamespaceLister,
 	appInformer cache.SharedIndexInformer,
+	appBroadcaster Broadcaster,
 	repoClientset apiclient.Clientset,
 	cache *servercache.Cache,
 	kubectl kube.Kubectl,
@@ -105,7 +107,9 @@ func NewServer(
 	settingsMgr *settings.SettingsManager,
 	projInformer cache.SharedIndexInformer,
 ) (application.ApplicationServiceServer, AppResourceTreeFn) {
-	appBroadcaster := &broadcasterHandler{}
+	if appBroadcaster == nil {
+		appBroadcaster = &broadcasterHandler{}
+	}
 	appInformer.AddEventHandler(appBroadcaster)
 	s := &Server{
 		ns:             namespace,
@@ -127,6 +131,57 @@ func NewServer(
 	return s, s.GetAppResources
 }
 
+// getAppEnforceRBAC gets the Application with the given name in the given namespace. If no namespace is
+// specified, the Application is fetched from the default namespace (the one in which the API server is running).
+//
+// If the Application does not exist, then we have no way of determining if the user would have had access to get that
+// Application. Verifying access requires knowing the Application's name, namespace, and project. The user may specify,
+// at minimum, the Application name.
+//
+// So to prevent a malicious user from inferring the existence or absense of the Application or namespace, we respond
+// "permission denied" if the Application does not exist.
+func (s *Server) getAppEnforceRBAC(ctx context.Context, action, name string, getApp func() (*appv1.Application, error)) (*appv1.Application, error) {
+	logCtx := log.WithFields(map[string]interface{}{
+		"application": name,
+	})
+	a, err := getApp()
+	if err != nil {
+		if apierr.IsNotFound(err) {
+			logCtx.Warn("application does not exist")
+			return nil, permissionDeniedErr
+		}
+		logCtx.Errorf("failed to get application: %s", err)
+		return nil, permissionDeniedErr
+	}
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, action, apputil.AppRBACName(*a)); err != nil {
+		logCtx.WithFields(map[string]interface{}{
+			"project": a.Spec.Project,
+		}).Warnf("user tried to %s application which they do not have access to: %s", action, err)
+		return nil, permissionDeniedErr
+	}
+	return a, nil
+}
+
+// getApplicationEnforceRBACInformer uses an informer to get an Application. If the app does not exist, permission is
+// denied, or any other error occurs when getting the app, we return a permission denied error to obscure any sensitive
+// information.
+func (s *Server) getApplicationEnforceRBACInformer(ctx context.Context, action, name string) (*appv1.Application, error) {
+	return s.getAppEnforceRBAC(ctx, action, name, func() (*appv1.Application, error) {
+		return s.appLister.Get(name)
+	})
+}
+
+// getApplicationEnforceRBACClient uses a client to get an Application. If the app does not exist, permission is denied,
+// or any other error occurs when getting the app, we return a permission denied error to obscure any sensitive
+// information.
+func (s *Server) getApplicationEnforceRBACClient(ctx context.Context, action, name, resourceVersion string) (*appv1.Application, error) {
+	return s.getAppEnforceRBAC(ctx, action, name, func() (*appv1.Application, error) {
+		return s.appclientset.ArgoprojV1alpha1().Applications(s.ns).Get(ctx, name, metav1.GetOptions{
+			ResourceVersion: resourceVersion,
+		})
+	})
+}
+
 // List returns list of applications
 func (s *Server) List(ctx context.Context, q *application.ApplicationQuery) (*appv1.ApplicationList, error) {
 	labelsMap, err := labels.ConvertSelectorToLabelsMap(q.GetSelector())
@@ -150,8 +205,8 @@ func (s *Server) List(ctx context.Context, q *application.ApplicationQuery) (*ap
 		}
 	}
 
-	// Filter applications by name
-	newItems = argoutil.FilterByProjects(newItems, q.Projects)
+	// Filter applications by projects
+	newItems = argoutil.FilterByProjects(newItems, getProjectsFromApplicationQuery(*q))
 
 	// Filter applications by source repo URL
 	newItems = argoutil.FilterByRepo(newItems, q.GetRepo())
@@ -291,11 +346,11 @@ func (s *Server) queryRepoServer(ctx context.Context, a *v1alpha1.Application, a
 
 // GetManifests returns application manifests
 func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationManifestQuery) (*apiclient.ManifestResponse, error) {
-	a, err := s.appLister.Get(*q.Name)
-	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
+	if q.Name == nil || *q.Name == "" {
+		return nil, fmt.Errorf("invalid request: application name is missing")
 	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, apputil.AppRBACName(*a)); err != nil {
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetName())
+	if err != nil {
 		return nil, err
 	}
 
@@ -381,17 +436,13 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan
 
 // Get returns an application by name
 func (s *Server) Get(ctx context.Context, q *application.ApplicationQuery) (*appv1.Application, error) {
+	appName := q.GetName()
+
 	// We must use a client Get instead of an informer Get, because it's common to call Get immediately
 	// following a Watch (which is not yet powered by an informer), and the Get must reflect what was
 	// previously seen by the client.
-	a, err := s.appclientset.ArgoprojV1alpha1().Applications(s.ns).Get(ctx, q.GetName(), metav1.GetOptions{
-		ResourceVersion: q.GetResourceVersion(),
-	})
-
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, appName, q.GetResourceVersion())
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 	if q.Refresh == nil {
@@ -469,11 +520,8 @@ func (s *Server) Get(ctx context.Context, q *application.ApplicationQuery) (*app
 
 // ListResourceEvents returns a list of event resources
 func (s *Server) ListResourceEvents(ctx context.Context, q *application.ApplicationResourceEventsQuery) (*v1.EventList, error) {
-	a, err := s.appLister.Get(*q.Name)
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetName())
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 	var (
@@ -533,13 +581,13 @@ func (s *Server) ListResourceEvents(ctx context.Context, q *application.Applicat
 	return list, nil
 }
 
-func (s *Server) validateAndUpdateApp(ctx context.Context, newApp *appv1.Application, merge bool, validate bool) (*appv1.Application, error) {
+func (s *Server) validateAndUpdateApp(ctx context.Context, newApp *appv1.Application, merge bool, validate bool, action string) (*appv1.Application, error) {
 	s.projectLock.RLock(newApp.Spec.GetProject())
 	defer s.projectLock.RUnlock(newApp.Spec.GetProject())
 
-	app, err := s.appclientset.ArgoprojV1alpha1().Applications(s.ns).Get(ctx, newApp.Name, metav1.GetOptions{})
+	app, err := s.getApplicationEnforceRBACClient(ctx, action, newApp.Name, "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
+		return nil, err
 	}
 
 	err = s.validateAndNormalizeApp(ctx, newApp, validate)
@@ -641,7 +689,7 @@ func (s *Server) Update(ctx context.Context, q *application.ApplicationUpdateReq
 	if q.Validate != nil {
 		validate = *q.Validate
 	}
-	return s.validateAndUpdateApp(ctx, q.Application, false, validate)
+	return s.validateAndUpdateApp(ctx, q.Application, false, validate, rbacpolicy.ActionUpdate)
 }
 
 // UpdateSpec updates an application spec and filters out any invalid parameter overrides
@@ -649,11 +697,8 @@ func (s *Server) UpdateSpec(ctx context.Context, q *application.ApplicationUpdat
 	if q.GetSpec() == nil {
 		return nil, fmt.Errorf("error updating application spec: spec is nil in request")
 	}
-	a, err := s.appclientset.ArgoprojV1alpha1().Applications(s.ns).Get(ctx, *q.Name, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionUpdate, q.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionUpdate, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 	a.Spec = *q.GetSpec()
@@ -661,7 +706,7 @@ func (s *Server) UpdateSpec(ctx context.Context, q *application.ApplicationUpdat
 	if q.Validate != nil {
 		validate = *q.Validate
 	}
-	a, err = s.validateAndUpdateApp(ctx, a, false, validate)
+	a, err = s.validateAndUpdateApp(ctx, a, false, validate, rbacpolicy.ActionUpdate)
 	if err != nil {
 		return nil, fmt.Errorf("error validating and updating app: %w", err)
 	}
@@ -670,10 +715,9 @@ func (s *Server) UpdateSpec(ctx context.Context, q *application.ApplicationUpdat
 
 // Patch patches an application
 func (s *Server) Patch(ctx context.Context, q *application.ApplicationPatchRequest) (*appv1.Application, error) {
-
-	app, err := s.appclientset.ArgoprojV1alpha1().Applications(s.ns).Get(ctx, *q.Name, metav1.GetOptions{})
+	app, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, q.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
+		return nil, err
 	}
 
 	if err = s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionUpdate, apputil.AppRBACName(*app)); err != nil {
@@ -711,14 +755,15 @@ func (s *Server) Patch(ctx context.Context, q *application.ApplicationPatchReque
 	if err != nil {
 		return nil, fmt.Errorf("error unmarshaling patched app: %w", err)
 	}
-	return s.validateAndUpdateApp(ctx, newApp, false, true)
+	return s.validateAndUpdateApp(ctx, newApp, false, true, rbacpolicy.ActionUpdate)
 }
 
 // Delete removes an application and all associated resources
 func (s *Server) Delete(ctx context.Context, q *application.ApplicationDeleteRequest) (*application.ApplicationResponse, error) {
-	a, err := s.appclientset.ArgoprojV1alpha1().Applications(s.ns).Get(ctx, *q.Name, metav1.GetOptions{})
+	appName := q.GetName()
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, appName, "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
+		return nil, err
 	}
 
 	s.projectLock.RLock(a.Spec.Project)
@@ -782,8 +827,8 @@ func (s *Server) Watch(q *application.ApplicationQuery, ws application.Applicati
 		logCtx = logCtx.WithField("application", *q.Name)
 	}
 	projects := map[string]bool{}
-	for i := range q.Projects {
-		projects[q.Projects[i]] = true
+	for _, project := range getProjectsFromApplicationQuery(*q) {
+		projects[project] = true
 	}
 	claims := ws.Context().Value("claims")
 	selector, err := labels.Parse(q.GetSelector())
@@ -859,7 +904,9 @@ func (s *Server) validateAndNormalizeApp(ctx context.Context, app *appv1.Applica
 	proj, err := argo.GetAppProject(&app.Spec, applisters.NewAppProjectLister(s.projInformer.GetIndexer()), s.ns, s.settingsMgr, s.db, ctx)
 	if err != nil {
 		if apierr.IsNotFound(err) {
-			return status.Errorf(codes.InvalidArgument, "application references project %s which does not exist", app.Spec.Project)
+			// Offer no hint that the project does not exist.
+			log.Warnf("User attempted to create/update application in non-existent project %q", app.Spec.Project)
+			return permissionDeniedErr
 		}
 		return fmt.Errorf("error getting application's project: %w", err)
 	}
@@ -966,20 +1013,16 @@ func (s *Server) GetAppResources(ctx context.Context, a *appv1.Application) (*ap
 		return s.cache.GetAppResourcesTree(a.Name, &tree)
 	})
 	if err != nil {
-		return &tree, fmt.Errorf("error getting cached app state: %w", err)
+		return &tree, fmt.Errorf("error getting cached app resource tree: %w", err)
 	}
 	return &tree, nil
 }
 
 func (s *Server) getAppLiveResource(ctx context.Context, action string, q *application.ApplicationResourceRequest) (*appv1.ResourceNode, *rest.Config, *appv1.Application, error) {
-	a, err := s.appLister.Get(*q.Name)
+	a, err := s.getApplicationEnforceRBACInformer(ctx, action, q.GetName())
 	if err != nil {
-		return nil, nil, nil, fmt.Errorf("error getting app by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, action, apputil.AppRBACName(*a)); err != nil {
 		return nil, nil, nil, err
 	}
-
 	tree, err := s.GetAppResources(ctx, a)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("error getting app resources: %w", err)
@@ -999,7 +1042,7 @@ func (s *Server) getAppLiveResource(ctx context.Context, action string, q *appli
 func (s *Server) GetResource(ctx context.Context, q *application.ApplicationResourceRequest) (*application.ApplicationResourceResponse, error) {
 	res, config, _, err := s.getAppLiveResource(ctx, rbacpolicy.ActionGet, q)
 	if err != nil {
-		return nil, fmt.Errorf("error getting app live resource: %w", err)
+		return nil, err
 	}
 
 	// make sure to use specified resource version if provided
@@ -1045,9 +1088,6 @@ func (s *Server) PatchResource(ctx context.Context, q *application.ApplicationRe
 	}
 	res, config, a, err := s.getAppLiveResource(ctx, rbacpolicy.ActionUpdate, resourceRequest)
 	if err != nil {
-		return nil, fmt.Errorf("error getting app live resource: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionUpdate, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 
@@ -1059,6 +1099,9 @@ func (s *Server) PatchResource(ctx context.Context, q *application.ApplicationRe
 		}
 		return nil, fmt.Errorf("error patching resource: %w", err)
 	}
+	if manifest == nil {
+		return nil, fmt.Errorf("failed to patch resource: manifest was nil")
+	}
 	manifest, err = replaceSecretValues(manifest)
 	if err != nil {
 		return nil, fmt.Errorf("error replacing secret values: %w", err)
@@ -1086,9 +1129,6 @@ func (s *Server) DeleteResource(ctx context.Context, q *application.ApplicationR
 	}
 	res, config, a, err := s.getAppLiveResource(ctx, rbacpolicy.ActionDelete, resourceRequest)
 	if err != nil {
-		return nil, fmt.Errorf("error getting live resource for delete: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionDelete, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 	var deleteOption metav1.DeleteOptions
@@ -1112,23 +1152,16 @@ func (s *Server) DeleteResource(ctx context.Context, q *application.ApplicationR
 }
 
 func (s *Server) ResourceTree(ctx context.Context, q *application.ResourcesQuery) (*appv1.ApplicationTree, error) {
-	a, err := s.appLister.Get(q.GetApplicationName())
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetApplicationName())
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 	return s.GetAppResources(ctx, a)
 }
 
 func (s *Server) WatchResourceTree(q *application.ResourcesQuery, ws application.ApplicationService_WatchResourceTreeServer) error {
-	a, err := s.appLister.Get(q.GetApplicationName())
+	_, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbacpolicy.ActionGet, q.GetApplicationName())
 	if err != nil {
-		return fmt.Errorf("error getting application by name: %w", err)
-	}
-
-	if err := s.enf.EnforceErr(ws.Context().Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, apputil.AppRBACName(*a)); err != nil {
 		return err
 	}
 
@@ -1143,11 +1176,8 @@ func (s *Server) WatchResourceTree(q *application.ResourcesQuery, ws application
 }
 
 func (s *Server) RevisionMetadata(ctx context.Context, q *application.RevisionMetadataQuery) (*v1alpha1.RevisionMetadata, error) {
-	a, err := s.appLister.Get(q.GetName())
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetName())
 	if err != nil {
-		return nil, fmt.Errorf("error getting app by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 	repo, err := s.db.GetRepository(ctx, a.Spec.Source.RepoURL)
@@ -1180,19 +1210,16 @@ func isMatchingResource(q *application.ResourcesQuery, key kube.ResourceKey) boo
 }
 
 func (s *Server) ManagedResources(ctx context.Context, q *application.ResourcesQuery) (*application.ManagedResourcesResponse, error) {
-	a, err := s.appLister.Get(*q.ApplicationName)
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetApplicationName())
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, apputil.AppRBACName(*a)); err != nil {
-		return nil, fmt.Errorf("error verifying rbac: %w", err)
+		return nil, err
 	}
 	items := make([]*appv1.ResourceDiff, 0)
 	err = s.getCachedAppState(ctx, a, func() error {
 		return s.cache.GetAppManagedResources(a.Name, &items)
 	})
 	if err != nil {
-		return nil, fmt.Errorf("error getting cached app state: %w", err)
+		return nil, fmt.Errorf("error getting cached app managed resources: %w", err)
 	}
 	res := &application.ManagedResourcesResponse{}
 	for i := range items {
@@ -1239,12 +1266,8 @@ func (s *Server) PodLogs(q *application.ApplicationPodLogsQuery, ws application.
 		}
 	}
 
-	a, err := s.appLister.Get(q.GetName())
+	a, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbacpolicy.ActionGet, q.GetName())
 	if err != nil {
-		return fmt.Errorf("error getting application by name: %w", err)
-	}
-
-	if err := s.enf.EnforceErr(ws.Context().Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, apputil.AppRBACName(*a)); err != nil {
 		return err
 	}
 
@@ -1436,10 +1459,9 @@ func isTheSelectedOne(currentNode *appv1.ResourceNode, q *application.Applicatio
 
 // Sync syncs an application to its target state
 func (s *Server) Sync(ctx context.Context, syncReq *application.ApplicationSyncRequest) (*appv1.Application, error) {
-	appIf := s.appclientset.ArgoprojV1alpha1().Applications(s.ns)
-	a, err := appIf.Get(ctx, *syncReq.Name, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, syncReq.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
+		return nil, err
 	}
 
 	proj, err := argo.GetAppProject(&a.Spec, applisters.NewAppProjectLister(s.projInformer.GetIndexer()), a.Namespace, s.settingsMgr, s.db, ctx)
@@ -1521,7 +1543,9 @@ func (s *Server) Sync(ctx context.Context, syncReq *application.ApplicationSyncR
 		op.Retry = *retry
 	}
 
-	a, err = argo.SetAppOperation(appIf, *syncReq.Name, &op)
+	appName := syncReq.GetName()
+	appIf := s.appclientset.ArgoprojV1alpha1().Applications(s.ns)
+	a, err = argo.SetAppOperation(appIf, appName, &op)
 	if err != nil {
 		return nil, fmt.Errorf("error setting app operation: %w", err)
 	}
@@ -1538,12 +1562,8 @@ func (s *Server) Sync(ctx context.Context, syncReq *application.ApplicationSyncR
 }
 
 func (s *Server) Rollback(ctx context.Context, rollbackReq *application.ApplicationRollbackRequest) (*appv1.Application, error) {
-	appIf := s.appclientset.ArgoprojV1alpha1().Applications(s.ns)
-	a, err := appIf.Get(ctx, *rollbackReq.Name, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionSync, rollbackReq.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionSync, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 	if a.DeletionTimestamp != nil {
@@ -1585,7 +1605,9 @@ func (s *Server) Rollback(ctx context.Context, rollbackReq *application.Applicat
 			Source:       &deploymentInfo.Source,
 		},
 	}
-	a, err = argo.SetAppOperation(appIf, *rollbackReq.Name, &op)
+	appName := rollbackReq.GetName()
+	appIf := s.appclientset.ArgoprojV1alpha1().Applications(s.ns)
+	a, err = argo.SetAppOperation(appIf, appName, &op)
 	if err != nil {
 		return nil, fmt.Errorf("error setting app operation: %w", err)
 	}
@@ -1632,11 +1654,9 @@ func (s *Server) resolveRevision(ctx context.Context, app *appv1.Application, sy
 }
 
 func (s *Server) TerminateOperation(ctx context.Context, termOpReq *application.OperationTerminateRequest) (*application.OperationTerminateResponse, error) {
-	a, err := s.appclientset.ArgoprojV1alpha1().Applications(s.ns).Get(ctx, *termOpReq.Name, metav1.GetOptions{})
+	appName := termOpReq.GetName()
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionSync, appName, "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionSync, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 
@@ -1687,7 +1707,7 @@ func (s *Server) logResourceEvent(res *appv1.ResourceNode, ctx context.Context,
 func (s *Server) ListResourceActions(ctx context.Context, q *application.ApplicationResourceRequest) (*application.ResourceActionsListResponse, error) {
 	res, config, _, err := s.getAppLiveResource(ctx, rbacpolicy.ActionGet, q)
 	if err != nil {
-		return nil, fmt.Errorf("error getting app live resource: %w", err)
+		return nil, err
 	}
 	obj, err := s.kubectl.GetResource(ctx, config, res.GroupKindVersion(), res.Name, res.Namespace)
 	if err != nil {
@@ -1742,7 +1762,7 @@ func (s *Server) RunResourceAction(ctx context.Context, q *application.ResourceA
 	actionRequest := fmt.Sprintf("%s/%s/%s/%s", rbacpolicy.ActionAction, q.GetGroup(), q.GetKind(), q.GetAction())
 	res, config, a, err := s.getAppLiveResource(ctx, actionRequest, resourceRequest)
 	if err != nil {
-		return nil, fmt.Errorf("error getting app live resource: %w", err)
+		return nil, err
 	}
 	liveObj, err := s.kubectl.GetResource(ctx, config, res.GroupKindVersion(), res.Name, res.Namespace)
 	if err != nil {
@@ -1869,13 +1889,8 @@ func (s *Server) plugins() ([]*v1alpha1.ConfigManagementPlugin, error) {
 }
 
 func (s *Server) GetApplicationSyncWindows(ctx context.Context, q *application.ApplicationSyncWindowsQuery) (*application.ApplicationSyncWindowsResponse, error) {
-	appIf := s.appclientset.ArgoprojV1alpha1().Applications(s.ns)
-	a, err := appIf.Get(ctx, *q.Name, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, q.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
-	}
-
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, apputil.AppRBACName(*a)); err != nil {
 		return nil, err
 	}
 
@@ -1927,3 +1942,12 @@ func getPropagationPolicyFinalizer(policy string) string {
 		return ""
 	}
 }
+
+// getProjectFromApplicationQuery gets the project names from a query. If the legacy "project" field was specified, use
+// that. Otherwise, use the newer "projects" field.
+func getProjectsFromApplicationQuery(q application.ApplicationQuery) []string {
+	if q.Project != nil {
+		return q.Project
+	}
+	return q.Projects
+}

server/application/application.proto

@@ -27,6 +27,8 @@ message ApplicationQuery {
 	optional string selector = 5;
 	// the repoURL to restrict returned list applications
 	optional string repo = 6;
+	// the project names to restrict returned list applications (legacy name for backwards-compatibility)
+	repeated string project = 8;
 }
 
 message NodeQuery {

server/application/application_test.go

@@ -4,11 +4,13 @@ import (
 	"context"
 	coreerrors "errors"
 	"fmt"
+	"strconv"
 	"sync/atomic"
 	"testing"
 	"time"
 
 	synccommon "github.com/argoproj/gitops-engine/pkg/sync/common"
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest"
 	"github.com/argoproj/pkg/sync"
 	"github.com/ghodss/yaml"
@@ -17,13 +19,17 @@ import (
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
+	k8sappsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/rest"
 	kubetesting "k8s.io/client-go/testing"
 	k8scache "k8s.io/client-go/tools/cache"
 	"k8s.io/utils/pointer"
@@ -35,10 +41,13 @@ import (
 	appinformer "github.com/argoproj/argo-cd/v2/pkg/client/informers/externalversions"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient/mocks"
+	appmocks "github.com/argoproj/argo-cd/v2/server/application/mocks"
+	servercache "github.com/argoproj/argo-cd/v2/server/cache"
 	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
 	"github.com/argoproj/argo-cd/v2/test"
 	"github.com/argoproj/argo-cd/v2/util/assets"
 	"github.com/argoproj/argo-cd/v2/util/cache"
+	"github.com/argoproj/argo-cd/v2/util/cache/appstate"
 	"github.com/argoproj/argo-cd/v2/util/db"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 	"github.com/argoproj/argo-cd/v2/util/grpc"
@@ -93,6 +102,7 @@ func fakeRepoServerClient(isHelm bool) *mocks.RepoServerServiceClient {
 	mockRepoServiceClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(&apiclient.ManifestResponse{}, nil)
 	mockRepoServiceClient.On("GetAppDetails", mock.Anything, mock.Anything).Return(&apiclient.RepoAppDetailsResponse{}, nil)
 	mockRepoServiceClient.On("TestRepository", mock.Anything, mock.Anything).Return(&apiclient.TestRepositoryResponse{}, nil)
+	mockRepoServiceClient.On("GetRevisionMetadata", mock.Anything, mock.Anything).Return(&appsv1.RevisionMetadata{}, nil)
 
 	if isHelm {
 		mockRepoServiceClient.On("ResolveRevision", mock.Anything, mock.Anything).Return(fakeResolveRevesionResponseHelm(), nil)
@@ -104,15 +114,15 @@ func fakeRepoServerClient(isHelm bool) *mocks.RepoServerServiceClient {
 }
 
 // return an ApplicationServiceServer which returns fake data
-func newTestAppServer(objects ...runtime.Object) *Server {
+func newTestAppServer(t *testing.T, objects ...runtime.Object) *Server {
 	f := func(enf *rbac.Enforcer) {
 		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
 		enf.SetDefaultRole("role:admin")
 	}
-	return newTestAppServerWithEnforcerConfigure(f, objects...)
+	return newTestAppServerWithEnforcerConfigure(f, t, objects...)
 }
 
-func newTestAppServerWithEnforcerConfigure(f func(*rbac.Enforcer), objects ...runtime.Object) *Server {
+func newTestAppServerWithEnforcerConfigure(f func(*rbac.Enforcer), t *testing.T, objects ...runtime.Object) *Server {
 	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: testNamespace,
@@ -197,15 +207,83 @@ func newTestAppServerWithEnforcerConfigure(f func(*rbac.Enforcer), objects ...ru
 		panic("Timed out waiting for caches to sync")
 	}
 
+	broadcaster := new(appmocks.Broadcaster)
+	broadcaster.On("Subscribe", mock.Anything, mock.Anything).Return(func() {}).Run(func(args mock.Arguments) {
+		// Simulate the broadcaster notifying the subscriber of an application update.
+		// The second parameter to Subscribe is filters. For the purposes of tests, we ignore the filters. Future tests
+		// might require implementing those.
+		go func() {
+			events := args.Get(0).(chan *appsv1.ApplicationWatchEvent)
+			for _, obj := range objects {
+				app, ok := obj.(*appsv1.Application)
+				if ok {
+					oldVersion, err := strconv.Atoi(app.ResourceVersion)
+					if err != nil {
+						oldVersion = 0
+					}
+					clonedApp := app.DeepCopy()
+					clonedApp.ResourceVersion = fmt.Sprintf("%d", oldVersion+1)
+					events <- &appsv1.ApplicationWatchEvent{Type: watch.Added, Application: *clonedApp}
+				}
+			}
+		}()
+	})
+	broadcaster.On("OnAdd", mock.Anything).Return()
+	broadcaster.On("OnUpdate", mock.Anything, mock.Anything).Return()
+	broadcaster.On("OnDelete", mock.Anything).Return()
+
+	appStateCache := appstate.NewCache(cache.NewCache(cache.NewInMemoryCache(time.Hour)), time.Hour)
+	// pre-populate the app cache
+	for _, obj := range objects {
+		app, ok := obj.(*appsv1.Application)
+		if ok {
+			err := appStateCache.SetAppManagedResources(app.Name, []*appsv1.ResourceDiff{})
+			require.NoError(t, err)
+
+			// Pre-populate the resource tree based on the app's resources.
+			nodes := make([]appsv1.ResourceNode, len(app.Status.Resources))
+			for i, res := range app.Status.Resources {
+				nodes[i] = appsv1.ResourceNode{
+					ResourceRef: appsv1.ResourceRef{
+						Group:     res.Group,
+						Kind:      res.Kind,
+						Version:   res.Version,
+						Name:      res.Name,
+						Namespace: res.Namespace,
+						UID:       "fake",
+					},
+				}
+			}
+			err = appStateCache.SetAppResourcesTree(app.Name, &appsv1.ApplicationTree{
+				Nodes: nodes,
+			})
+			require.NoError(t, err)
+		}
+	}
+	appCache := servercache.NewCache(appStateCache, time.Hour, time.Hour, time.Hour)
+
+	kubectl := &kubetest.MockKubectlCmd{}
+	kubectl = kubectl.WithGetResourceFunc(func(_ context.Context, _ *rest.Config, gvk schema.GroupVersionKind, name string, namespace string) (*unstructured.Unstructured, error) {
+		for _, obj := range objects {
+			if obj.GetObjectKind().GroupVersionKind().GroupKind() == gvk.GroupKind() {
+				if obj, ok := obj.(*unstructured.Unstructured); ok && obj.GetName() == name && obj.GetNamespace() == namespace {
+					return obj, nil
+				}
+			}
+		}
+		return nil, nil
+	})
+
 	server, _ := NewServer(
 		testNamespace,
 		kubeclientset,
 		fakeAppsClientset,
 		factory.Argoproj().V1alpha1().Applications().Lister().Applications(testNamespace),
 		appInformer,
+		broadcaster,
 		mockRepoClient,
-		nil,
-		&kubetest.MockKubectlCmd{},
+		appCache,
+		kubectl,
 		db,
 		enforcer,
 		sync.NewKeyLock(),
@@ -295,8 +373,462 @@ func createTestApp(testApp string, opts ...func(app *appsv1.Application)) *appsv
 	return &app
 }
 
+type TestResourceTreeServer struct {
+	ctx context.Context
+}
+
+func (t *TestResourceTreeServer) Send(tree *appsv1.ApplicationTree) error {
+	return nil
+}
+
+func (t *TestResourceTreeServer) SetHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestResourceTreeServer) SendHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestResourceTreeServer) SetTrailer(metadata.MD) {}
+
+func (t *TestResourceTreeServer) Context() context.Context {
+	return t.ctx
+}
+
+func (t *TestResourceTreeServer) SendMsg(m interface{}) error {
+	return nil
+}
+
+func (t *TestResourceTreeServer) RecvMsg(m interface{}) error {
+	return nil
+}
+
+type TestPodLogsServer struct {
+	ctx context.Context
+}
+
+func (t *TestPodLogsServer) Send(log *application.LogEntry) error {
+	return nil
+}
+
+func (t *TestPodLogsServer) SetHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestPodLogsServer) SendHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestPodLogsServer) SetTrailer(metadata.MD) {}
+
+func (t *TestPodLogsServer) Context() context.Context {
+	return t.ctx
+}
+
+func (t *TestPodLogsServer) SendMsg(m interface{}) error {
+	return nil
+}
+
+func (t *TestPodLogsServer) RecvMsg(m interface{}) error {
+	return nil
+}
+
+func TestNoAppEnumeration(t *testing.T) {
+	// This test ensures that malicious users can't infer the existence or non-existence of Applications by inspecting
+	// error messages. The errors for "app does not exist" must be the same as errors for "you aren't allowed to
+	// interact with this app."
+
+	// These tests are only important on API calls where the full app RBAC name (project, namespace, and name) is _not_
+	// known based on the query parameters. For example, the Create call cannot leak existence of Applications, because
+	// the Application's project, namespace, and name are all specified in the API call. The call can be rejected
+	// immediately if the user does not have access. But the Delete endpoint may be called with just the Application
+	// name. So we cannot return a different error message for "does not exist" and "you don't have delete permissions,"
+	// because the user could infer that the Application exists if they do not get the "does not exist" message. For
+	// endpoints that do not require the full RBAC name, we must return a generic "permission denied" for both "does not
+	// exist" and "no access."
+
+	f := func(enf *rbac.Enforcer) {
+		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
+		enf.SetDefaultRole("role:none")
+	}
+	deployment := k8sappsv1.Deployment{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "apps/v1",
+			Kind:       "Deployment",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "test",
+		},
+	}
+	testApp := newTestApp(func(app *appsv1.Application) {
+		app.Name = "test"
+		app.Status.Resources = []appsv1.ResourceStatus{
+			{
+				Group:     deployment.GroupVersionKind().Group,
+				Kind:      deployment.GroupVersionKind().Kind,
+				Version:   deployment.GroupVersionKind().Version,
+				Name:      deployment.Name,
+				Namespace: deployment.Namespace,
+				Status:    "Synced",
+			},
+		}
+		app.Status.History = []appsv1.RevisionHistory{
+			{
+				ID: 0,
+				Source: appsv1.ApplicationSource{
+					TargetRevision: "something-old",
+				},
+			},
+		}
+	})
+	testDeployment := kube.MustToUnstructured(&deployment)
+	appServer := newTestAppServerWithEnforcerConfigure(f, t, testApp, testDeployment)
+
+	noRoleCtx := context.Background()
+	// nolint:staticcheck
+	adminCtx := context.WithValue(noRoleCtx, "claims", &jwt.MapClaims{"groups": []string{"admin"}})
+
+	t.Run("Get", func(t *testing.T) {
+		_, err := appServer.Get(adminCtx, &application.ApplicationQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.Get(noRoleCtx, &application.ApplicationQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Get(adminCtx, &application.ApplicationQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("GetManifests", func(t *testing.T) {
+		_, err := appServer.GetManifests(adminCtx, &application.ApplicationManifestQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.GetManifests(noRoleCtx, &application.ApplicationManifestQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.GetManifests(adminCtx, &application.ApplicationManifestQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("ListResourceEvents", func(t *testing.T) {
+		_, err := appServer.ListResourceEvents(adminCtx, &application.ApplicationResourceEventsQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.ListResourceEvents(noRoleCtx, &application.ApplicationResourceEventsQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ListResourceEvents(adminCtx, &application.ApplicationResourceEventsQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("UpdateSpec", func(t *testing.T) {
+		_, err := appServer.UpdateSpec(adminCtx, &application.ApplicationUpdateSpecRequest{Name: pointer.String("test"), Spec: &appsv1.ApplicationSpec{
+			Destination: appsv1.ApplicationDestination{Namespace: "default", Server: "https://cluster-api.com"},
+			Source:      appsv1.ApplicationSource{RepoURL: "https://some-fake-source", Path: "."},
+		}})
+		assert.NoError(t, err)
+		_, err = appServer.UpdateSpec(noRoleCtx, &application.ApplicationUpdateSpecRequest{Name: pointer.String("test"), Spec: &appsv1.ApplicationSpec{
+			Destination: appsv1.ApplicationDestination{Namespace: "default", Server: "https://cluster-api.com"},
+			Source:      appsv1.ApplicationSource{RepoURL: "https://some-fake-source", Path: "."},
+		}})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.UpdateSpec(adminCtx, &application.ApplicationUpdateSpecRequest{Name: pointer.String("doest-not-exist"), Spec: &appsv1.ApplicationSpec{
+			Destination: appsv1.ApplicationDestination{Namespace: "default", Server: "https://cluster-api.com"},
+			Source:      appsv1.ApplicationSource{RepoURL: "https://some-fake-source", Path: "."},
+		}})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("Patch", func(t *testing.T) {
+		_, err := appServer.Patch(adminCtx, &application.ApplicationPatchRequest{Name: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/source/path", "value": "foo"}]`)})
+		assert.NoError(t, err)
+		_, err = appServer.Patch(noRoleCtx, &application.ApplicationPatchRequest{Name: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/source/path", "value": "foo"}]`)})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Patch(adminCtx, &application.ApplicationPatchRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("GetResource", func(t *testing.T) {
+		_, err := appServer.GetResource(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.GetResource(noRoleCtx, &application.ApplicationResourceRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.GetResource(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("doest-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("PatchResource", func(t *testing.T) {
+		_, err := appServer.PatchResource(adminCtx, &application.ApplicationResourcePatchRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/replicas", "value": 3}]`)})
+		// This will always throw an error, because the kubectl mock for PatchResource is hard-coded to return nil.
+		// The best we can do is to confirm we get past the permission check.
+		assert.NotEqual(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.PatchResource(noRoleCtx, &application.ApplicationResourcePatchRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/replicas", "value": 3}]`)})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.PatchResource(adminCtx, &application.ApplicationResourcePatchRequest{Name: pointer.String("doest-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/replicas", "value": 3}]`)})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("DeleteResource", func(t *testing.T) {
+		_, err := appServer.DeleteResource(adminCtx, &application.ApplicationResourceDeleteRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.DeleteResource(noRoleCtx, &application.ApplicationResourceDeleteRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.DeleteResource(adminCtx, &application.ApplicationResourceDeleteRequest{Name: pointer.String("doest-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("ResourceTree", func(t *testing.T) {
+		_, err := appServer.ResourceTree(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.ResourceTree(noRoleCtx, &application.ResourcesQuery{ApplicationName: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ResourceTree(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("RevisionMetadata", func(t *testing.T) {
+		_, err := appServer.RevisionMetadata(adminCtx, &application.RevisionMetadataQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.RevisionMetadata(noRoleCtx, &application.RevisionMetadataQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.RevisionMetadata(adminCtx, &application.RevisionMetadataQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("ManagedResources", func(t *testing.T) {
+		_, err := appServer.ManagedResources(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.ManagedResources(noRoleCtx, &application.ResourcesQuery{ApplicationName: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ManagedResources(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("Sync", func(t *testing.T) {
+		_, err := appServer.Sync(adminCtx, &application.ApplicationSyncRequest{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.Sync(noRoleCtx, &application.ApplicationSyncRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Sync(adminCtx, &application.ApplicationSyncRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("TerminateOperation", func(t *testing.T) {
+		// The sync operation is already started from the previous test. We just need to set the field that the
+		// controller would set if this were an actual Argo CD environment.
+		setSyncRunningOperationState(t, appServer)
+		_, err := appServer.TerminateOperation(adminCtx, &application.OperationTerminateRequest{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.TerminateOperation(noRoleCtx, &application.OperationTerminateRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.TerminateOperation(adminCtx, &application.OperationTerminateRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("Rollback", func(t *testing.T) {
+		unsetSyncRunningOperationState(t, appServer)
+		_, err := appServer.Rollback(adminCtx, &application.ApplicationRollbackRequest{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.Rollback(noRoleCtx, &application.ApplicationRollbackRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Rollback(adminCtx, &application.ApplicationRollbackRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("ListResourceActions", func(t *testing.T) {
+		_, err := appServer.ListResourceActions(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.ListResourceActions(noRoleCtx, &application.ApplicationResourceRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ListResourceActions(noRoleCtx, &application.ApplicationResourceRequest{Group: pointer.String("argoproj.io"), Kind: pointer.String("Application"), Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ListResourceActions(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("RunResourceAction", func(t *testing.T) {
+		_, err := appServer.RunResourceAction(adminCtx, &application.ResourceActionRunRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Action: pointer.String("restart")})
+		assert.NoError(t, err)
+		_, err = appServer.RunResourceAction(noRoleCtx, &application.ResourceActionRunRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.RunResourceAction(noRoleCtx, &application.ResourceActionRunRequest{Group: pointer.String("argoproj.io"), Kind: pointer.String("Application"), Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.RunResourceAction(adminCtx, &application.ResourceActionRunRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("GetApplicationSyncWindows", func(t *testing.T) {
+		_, err := appServer.GetApplicationSyncWindows(adminCtx, &application.ApplicationSyncWindowsQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.GetApplicationSyncWindows(noRoleCtx, &application.ApplicationSyncWindowsQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.GetApplicationSyncWindows(adminCtx, &application.ApplicationSyncWindowsQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("WatchResourceTree", func(t *testing.T) {
+		err := appServer.WatchResourceTree(&application.ResourcesQuery{ApplicationName: pointer.String("test")}, &TestResourceTreeServer{ctx: adminCtx})
+		assert.NoError(t, err)
+		err = appServer.WatchResourceTree(&application.ResourcesQuery{ApplicationName: pointer.String("test")}, &TestResourceTreeServer{ctx: noRoleCtx})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		err = appServer.WatchResourceTree(&application.ResourcesQuery{ApplicationName: pointer.String("does-not-exist")}, &TestResourceTreeServer{ctx: adminCtx})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("PodLogs", func(t *testing.T) {
+		err := appServer.PodLogs(&application.ApplicationPodLogsQuery{Name: pointer.String("test")}, &TestPodLogsServer{ctx: adminCtx})
+		assert.NoError(t, err)
+		err = appServer.PodLogs(&application.ApplicationPodLogsQuery{Name: pointer.String("test")}, &TestPodLogsServer{ctx: noRoleCtx})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		err = appServer.PodLogs(&application.ApplicationPodLogsQuery{Name: pointer.String("does-not-exist")}, &TestPodLogsServer{ctx: adminCtx})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	// Do this last so other stuff doesn't fail.
+	t.Run("Delete", func(t *testing.T) {
+		_, err := appServer.Delete(adminCtx, &application.ApplicationDeleteRequest{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.Delete(noRoleCtx, &application.ApplicationDeleteRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Delete(adminCtx, &application.ApplicationDeleteRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+}
+
+// setSyncRunningOperationState simulates starting a sync operation on the given app.
+func setSyncRunningOperationState(t *testing.T, appServer *Server) {
+	appIf := appServer.appclientset.ArgoprojV1alpha1().Applications("default")
+	app, err := appIf.Get(context.Background(), "test", metav1.GetOptions{})
+	require.NoError(t, err)
+	// This sets the status that would be set by the controller usually.
+	app.Status.OperationState = &appsv1.OperationState{Phase: synccommon.OperationRunning, Operation: appsv1.Operation{Sync: &appsv1.SyncOperation{}}}
+	_, err = appIf.Update(context.Background(), app, metav1.UpdateOptions{})
+	require.NoError(t, err)
+}
+
+// unsetSyncRunningOperationState simulates finishing a sync operation on the given app.
+func unsetSyncRunningOperationState(t *testing.T, appServer *Server) {
+	appIf := appServer.appclientset.ArgoprojV1alpha1().Applications("default")
+	app, err := appIf.Get(context.Background(), "test", metav1.GetOptions{})
+	require.NoError(t, err)
+	app.Operation = nil
+	app.Status.OperationState = nil
+	_, err = appIf.Update(context.Background(), app, metav1.UpdateOptions{})
+	require.NoError(t, err)
+}
+
+func testListAppsWithLabels(t *testing.T, appQuery application.ApplicationQuery, appServer *Server) {
+	validTests := []struct {
+		testName       string
+		label          string
+		expectedResult []string
+	}{
+		{testName: "Equality based filtering using '=' operator",
+			label:          "key1=value1",
+			expectedResult: []string{"App1"}},
+		{testName: "Equality based filtering using '==' operator",
+			label:          "key1==value1",
+			expectedResult: []string{"App1"}},
+		{testName: "Equality based filtering using '!=' operator",
+			label:          "key1!=value1",
+			expectedResult: []string{"App2", "App3"}},
+		{testName: "Set based filtering using 'in' operator",
+			label:          "key1 in (value1, value3)",
+			expectedResult: []string{"App1", "App3"}},
+		{testName: "Set based filtering using 'notin' operator",
+			label:          "key1 notin (value1, value3)",
+			expectedResult: []string{"App2"}},
+		{testName: "Set based filtering using 'exists' operator",
+			label:          "key1",
+			expectedResult: []string{"App1", "App2", "App3"}},
+		{testName: "Set based filtering using 'not exists' operator",
+			label:          "!key2",
+			expectedResult: []string{"App2", "App3"}},
+	}
+	//test valid scenarios
+	for _, validTest := range validTests {
+		t.Run(validTest.testName, func(t *testing.T) {
+			appQuery.Selector = &validTest.label
+			res, err := appServer.List(context.Background(), &appQuery)
+			assert.NoError(t, err)
+			apps := []string{}
+			for i := range res.Items {
+				apps = append(apps, res.Items[i].Name)
+			}
+			assert.Equal(t, validTest.expectedResult, apps)
+		})
+	}
+
+	invalidTests := []struct {
+		testName    string
+		label       string
+		errorMesage string
+	}{
+		{testName: "Set based filtering using '>' operator",
+			label:       "key1>value1",
+			errorMesage: "error parsing the selector"},
+		{testName: "Set based filtering using '<' operator",
+			label:       "key1<value1",
+			errorMesage: "error parsing the selector"},
+	}
+	//test invalid scenarios
+	for _, invalidTest := range invalidTests {
+		t.Run(invalidTest.testName, func(t *testing.T) {
+			appQuery.Selector = &invalidTest.label
+			_, err := appServer.List(context.Background(), &appQuery)
+			assert.ErrorContains(t, err, invalidTest.errorMesage)
+		})
+	}
+}
+
+func TestListAppWithProjects(t *testing.T) {
+	appServer := newTestAppServer(t, newTestApp(func(app *appsv1.Application) {
+		app.Name = "App1"
+		app.Spec.Project = "test-project1"
+	}), newTestApp(func(app *appsv1.Application) {
+		app.Name = "App2"
+		app.Spec.Project = "test-project2"
+	}), newTestApp(func(app *appsv1.Application) {
+		app.Name = "App3"
+		app.Spec.Project = "test-project3"
+	}))
+
+	t.Run("List all apps", func(t *testing.T) {
+		appQuery := application.ApplicationQuery{}
+		appList, err := appServer.List(context.Background(), &appQuery)
+		assert.NoError(t, err)
+		assert.Len(t, appList.Items, 3)
+	})
+
+	t.Run("List apps with projects filter set", func(t *testing.T) {
+		appQuery := application.ApplicationQuery{Projects: []string{"test-project1"}}
+		appList, err := appServer.List(context.Background(), &appQuery)
+		assert.NoError(t, err)
+		assert.Len(t, appList.Items, 1)
+		for _, app := range appList.Items {
+			assert.Equal(t, "test-project1", app.Spec.Project)
+		}
+	})
+
+	t.Run("List apps with project filter set (legacy field)", func(t *testing.T) {
+		appQuery := application.ApplicationQuery{Project: []string{"test-project1"}}
+		appList, err := appServer.List(context.Background(), &appQuery)
+		assert.NoError(t, err)
+		assert.Len(t, appList.Items, 1)
+		for _, app := range appList.Items {
+			assert.Equal(t, "test-project1", app.Spec.Project)
+		}
+	})
+
+	t.Run("List apps with both projects and project filter set", func(t *testing.T) {
+		// If the older field is present, we should use it instead of the newer field.
+		appQuery := application.ApplicationQuery{Project: []string{"test-project1"}, Projects: []string{"test-project2"}}
+		appList, err := appServer.List(context.Background(), &appQuery)
+		assert.NoError(t, err)
+		assert.Len(t, appList.Items, 1)
+		for _, app := range appList.Items {
+			assert.Equal(t, "test-project1", app.Spec.Project)
+		}
+	})
+}
+
 func TestListApps(t *testing.T) {
-	appServer := newTestAppServer(newTestApp(func(app *appsv1.Application) {
+	appServer := newTestAppServer(t, newTestApp(func(app *appsv1.Application) {
 		app.Name = "bcd"
 	}), newTestApp(func(app *appsv1.Application) {
 		app.Name = "abc"
@@ -344,7 +876,7 @@ g, group-49, role:test3
 `
 		_ = enf.SetUserPolicy(policy)
 	}
-	appServer := newTestAppServerWithEnforcerConfigure(f, objects...)
+	appServer := newTestAppServerWithEnforcerConfigure(f, t, objects...)
 
 	res, err := appServer.List(ctx, &application.ApplicationQuery{})
 
@@ -358,7 +890,7 @@ g, group-49, role:test3
 
 func TestCreateApp(t *testing.T) {
 	testApp := newTestApp()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp.Spec.Project = ""
 	createReq := application.ApplicationCreateRequest{
 		Application: testApp,
@@ -371,7 +903,7 @@ func TestCreateApp(t *testing.T) {
 }
 
 func TestCreateAppWithDestName(t *testing.T) {
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp := newTestAppWithDestName()
 	createReq := application.ApplicationCreateRequest{
 		Application: testApp,
@@ -384,7 +916,7 @@ func TestCreateAppWithDestName(t *testing.T) {
 
 func TestUpdateApp(t *testing.T) {
 	testApp := newTestApp()
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	testApp.Spec.Project = ""
 	app, err := appServer.Update(context.Background(), &application.ApplicationUpdateRequest{
 		Application: testApp,
@@ -395,7 +927,7 @@ func TestUpdateApp(t *testing.T) {
 
 func TestUpdateAppSpec(t *testing.T) {
 	testApp := newTestApp()
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	testApp.Spec.Project = ""
 	spec, err := appServer.UpdateSpec(context.Background(), &application.ApplicationUpdateSpecRequest{
 		Name: &testApp.Name,
@@ -410,7 +942,7 @@ func TestUpdateAppSpec(t *testing.T) {
 
 func TestDeleteApp(t *testing.T) {
 	ctx := context.Background()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	createReq := application.ApplicationCreateRequest{
 		Application: newTestApp(),
 	}
@@ -495,20 +1027,9 @@ func TestDeleteApp(t *testing.T) {
 	})
 }
 
-func TestDeleteApp_InvalidName(t *testing.T) {
-	appServer := newTestAppServer()
-	_, err := appServer.Delete(context.Background(), &application.ApplicationDeleteRequest{
-		Name: pointer.StringPtr("foo"),
-	})
-	if !assert.Error(t, err) {
-		return
-	}
-	assert.True(t, apierrors.IsNotFound(err))
-}
-
 func TestSyncAndTerminate(t *testing.T) {
 	ctx := context.Background()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp := newTestApp()
 	testApp.Spec.Source.RepoURL = "https://github.com/argoproj/argo-cd.git"
 	createReq := application.ApplicationCreateRequest{
@@ -548,7 +1069,7 @@ func TestSyncAndTerminate(t *testing.T) {
 
 func TestSyncHelm(t *testing.T) {
 	ctx := context.Background()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp := newTestApp()
 	testApp.Spec.Source.RepoURL = "https://argoproj.github.io/argo-helm"
 	testApp.Spec.Source.Path = ""
@@ -572,7 +1093,7 @@ func TestSyncHelm(t *testing.T) {
 
 func TestSyncGit(t *testing.T) {
 	ctx := context.Background()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp := newTestApp()
 	testApp.Spec.Source.RepoURL = "https://github.com/org/test"
 	testApp.Spec.Source.Path = "deploy"
@@ -605,7 +1126,7 @@ func TestRollbackApp(t *testing.T) {
 		Revision: "abc",
 		Source:   *testApp.Spec.Source.DeepCopy(),
 	}}
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 
 	updatedApp, err := appServer.Rollback(context.Background(), &application.ApplicationRollbackRequest{
 		Name: &testApp.Name,
@@ -625,56 +1146,63 @@ func TestUpdateAppProject(t *testing.T) {
 	ctx := context.Background()
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, "claims", &jwt.StandardClaims{Subject: "admin"})
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	appServer.enf.SetDefaultRole("")
 
-	// Verify normal update works (without changing project)
-	_ = appServer.enf.SetBuiltinPolicy(`p, admin, applications, update, default/test-app, allow`)
-	_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	assert.NoError(t, err)
+	t.Run("update without changing project", func(t *testing.T) {
+		_ = appServer.enf.SetBuiltinPolicy(`p, admin, applications, update, default/test-app, allow`)
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		assert.NoError(t, err)
+	})
 
-	// Verify caller cannot update to another project
-	testApp.Spec.Project = "my-proj"
-	_, err = appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	assert.Equal(t, status.Code(err), codes.PermissionDenied)
+	t.Run("cannot update to another project", func(t *testing.T) {
+		testApp.Spec.Project = "my-proj"
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		assert.Equal(t, status.Code(err), codes.PermissionDenied)
+	})
 
-	// Verify inability to change projects without create privileges in new project
-	_ = appServer.enf.SetBuiltinPolicy(`
+	t.Run("cannot change projects without create privileges", func(t *testing.T) {
+		_ = appServer.enf.SetBuiltinPolicy(`
 p, admin, applications, update, default/test-app, allow
 p, admin, applications, update, my-proj/test-app, allow
 `)
-	_, err = appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	statusErr := grpc.UnwrapGRPCStatus(err)
-	assert.NotNil(t, statusErr)
-	assert.Equal(t, codes.PermissionDenied, statusErr.Code())
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		statusErr := grpc.UnwrapGRPCStatus(err)
+		assert.NotNil(t, statusErr)
+		assert.Equal(t, codes.PermissionDenied, statusErr.Code())
+	})
 
-	// Verify inability to change projects without update privileges in new project
-	_ = appServer.enf.SetBuiltinPolicy(`
+	t.Run("cannot change projects without update privileges in new project", func(t *testing.T) {
+		_ = appServer.enf.SetBuiltinPolicy(`
 p, admin, applications, update, default/test-app, allow
 p, admin, applications, create, my-proj/test-app, allow
 `)
-	_, err = appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	assert.Equal(t, status.Code(err), codes.PermissionDenied)
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		assert.Equal(t, status.Code(err), codes.PermissionDenied)
+	})
 
-	// Verify inability to change projects without update privileges in old project
-	_ = appServer.enf.SetBuiltinPolicy(`
+	t.Run("cannot change projects without update privileges in old project", func(t *testing.T) {
+		_ = appServer.enf.SetBuiltinPolicy(`
 p, admin, applications, create, my-proj/test-app, allow
 p, admin, applications, update, my-proj/test-app, allow
 `)
-	_, err = appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	statusErr = grpc.UnwrapGRPCStatus(err)
-	assert.NotNil(t, statusErr)
-	assert.Equal(t, codes.PermissionDenied, statusErr.Code())
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		statusErr := grpc.UnwrapGRPCStatus(err)
+		assert.NotNil(t, statusErr)
+		assert.Equal(t, codes.PermissionDenied, statusErr.Code())
+	})
 
-	// Verify can update project with proper permissions
-	_ = appServer.enf.SetBuiltinPolicy(`
+	t.Run("can update project with proper permissions", func(t *testing.T) {
+		// Verify can update project with proper permissions
+		_ = appServer.enf.SetBuiltinPolicy(`
 p, admin, applications, update, default/test-app, allow
 p, admin, applications, create, my-proj/test-app, allow
 p, admin, applications, update, my-proj/test-app, allow
 `)
-	updatedApp, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	assert.NoError(t, err)
-	assert.Equal(t, "my-proj", updatedApp.Spec.Project)
+		updatedApp, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		assert.NoError(t, err)
+		assert.Equal(t, "my-proj", updatedApp.Spec.Project)
+	})
 }
 
 func TestAppJsonPatch(t *testing.T) {
@@ -682,7 +1210,7 @@ func TestAppJsonPatch(t *testing.T) {
 	ctx := context.Background()
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, "claims", &jwt.StandardClaims{Subject: "admin"})
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	appServer.enf.SetDefaultRole("")
 
 	app, err := appServer.Patch(ctx, &application.ApplicationPatchRequest{Name: &testApp.Name, Patch: pointer.String("garbage")})
@@ -707,7 +1235,7 @@ func TestAppMergePatch(t *testing.T) {
 	ctx := context.Background()
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, "claims", &jwt.StandardClaims{Subject: "admin"})
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	appServer.enf.SetDefaultRole("")
 
 	app, err := appServer.Patch(ctx, &application.ApplicationPatchRequest{
@@ -720,7 +1248,7 @@ func TestServer_GetApplicationSyncWindowsState(t *testing.T) {
 	t.Run("Active", func(t *testing.T) {
 		testApp := newTestApp()
 		testApp.Spec.Project = "proj-maint"
-		appServer := newTestAppServer(testApp)
+		appServer := newTestAppServer(t, testApp)
 
 		active, err := appServer.GetApplicationSyncWindows(context.Background(), &application.ApplicationSyncWindowsQuery{Name: &testApp.Name})
 		assert.NoError(t, err)
@@ -729,7 +1257,7 @@ func TestServer_GetApplicationSyncWindowsState(t *testing.T) {
 	t.Run("Inactive", func(t *testing.T) {
 		testApp := newTestApp()
 		testApp.Spec.Project = "default"
-		appServer := newTestAppServer(testApp)
+		appServer := newTestAppServer(t, testApp)
 
 		active, err := appServer.GetApplicationSyncWindows(context.Background(), &application.ApplicationSyncWindowsQuery{Name: &testApp.Name})
 		assert.NoError(t, err)
@@ -738,7 +1266,7 @@ func TestServer_GetApplicationSyncWindowsState(t *testing.T) {
 	t.Run("ProjectDoesNotExist", func(t *testing.T) {
 		testApp := newTestApp()
 		testApp.Spec.Project = "none"
-		appServer := newTestAppServer(testApp)
+		appServer := newTestAppServer(t, testApp)
 
 		active, err := appServer.GetApplicationSyncWindows(context.Background(), &application.ApplicationSyncWindowsQuery{Name: &testApp.Name})
 		assert.Contains(t, err.Error(), "not found")
@@ -749,8 +1277,14 @@ func TestServer_GetApplicationSyncWindowsState(t *testing.T) {
 func TestGetCachedAppState(t *testing.T) {
 	testApp := newTestApp()
 	testApp.ObjectMeta.ResourceVersion = "1"
-	testApp.Spec.Project = "none"
-	appServer := newTestAppServer(testApp)
+	testApp.Spec.Project = "test-proj"
+	testProj := &appsv1.AppProject{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-proj",
+			Namespace: testNamespace,
+		},
+	}
+	appServer := newTestAppServer(t, testApp, testProj)
 	fakeClientSet := appServer.appclientset.(*apps.Clientset)
 	t.Run("NoError", func(t *testing.T) {
 		err := appServer.getCachedAppState(context.Background(), testApp, func() error {
@@ -922,7 +1456,7 @@ func TestGetAppRefresh_NormalRefresh(t *testing.T) {
 	defer cancel()
 	testApp := newTestApp()
 	testApp.ObjectMeta.ResourceVersion = "1"
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 
 	var patched int32
 
@@ -950,7 +1484,7 @@ func TestGetAppRefresh_HardRefresh(t *testing.T) {
 	defer cancel()
 	testApp := newTestApp()
 	testApp.ObjectMeta.ResourceVersion = "1"
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 
 	var getAppDetailsQuery *apiclient.RepoServerAppDetailsQuery
 	mockRepoServiceClient := mocks.RepoServerServiceClient{}

server/application/broadcaster.go

@@ -23,6 +23,14 @@ func (s *subscriber) matches(event *appv1.ApplicationWatchEvent) bool {
 	return true
 }
 
+// Broadcaster is an interface for broadcasting application informer watch events to multiple subscribers.
+type Broadcaster interface {
+	Subscribe(ch chan *appv1.ApplicationWatchEvent, filters ...func(event *appv1.ApplicationWatchEvent) bool) func()
+	OnAdd(interface{})
+	OnUpdate(interface{}, interface{})
+	OnDelete(interface{})
+}
+
 type broadcasterHandler struct {
 	lock        sync.Mutex
 	subscribers []*subscriber

server/application/mocks/Broadcaster.go

@@ -0,0 +1,66 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package mocks
+
+import (
+	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// Broadcaster is an autogenerated mock type for the Broadcaster type
+type Broadcaster struct {
+	mock.Mock
+}
+
+// OnAdd provides a mock function with given fields: _a0
+func (_m *Broadcaster) OnAdd(_a0 interface{}) {
+	_m.Called(_a0)
+}
+
+// OnDelete provides a mock function with given fields: _a0
+func (_m *Broadcaster) OnDelete(_a0 interface{}) {
+	_m.Called(_a0)
+}
+
+// OnUpdate provides a mock function with given fields: _a0, _a1
+func (_m *Broadcaster) OnUpdate(_a0 interface{}, _a1 interface{}) {
+	_m.Called(_a0, _a1)
+}
+
+// Subscribe provides a mock function with given fields: ch, filters
+func (_m *Broadcaster) Subscribe(ch chan *v1alpha1.ApplicationWatchEvent, filters ...func(*v1alpha1.ApplicationWatchEvent) bool) func() {
+	_va := make([]interface{}, len(filters))
+	for _i := range filters {
+		_va[_i] = filters[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, ch)
+	_ca = append(_ca, _va...)
+	ret := _m.Called(_ca...)
+
+	var r0 func()
+	if rf, ok := ret.Get(0).(func(chan *v1alpha1.ApplicationWatchEvent, ...func(*v1alpha1.ApplicationWatchEvent) bool) func()); ok {
+		r0 = rf(ch, filters...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(func())
+		}
+	}
+
+	return r0
+}
+
+type mockConstructorTestingTNewBroadcaster interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewBroadcaster creates a new instance of Broadcaster. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewBroadcaster(t mockConstructorTestingTNewBroadcaster) *Broadcaster {
+	mock := &Broadcaster{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

server/server.go

@@ -423,8 +423,9 @@ func (a *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) {
 
 		// If not matched, we assume that its TLS.
 		tlsl := tcpm.Match(cmux.Any())
-		tlsConfig := tls.Config{
-			Certificates: []tls.Certificate{*a.settings.Certificate},
+		tlsConfig := tls.Config{}
+		tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			return a.settings.Certificate, nil
 		}
 		if a.TLSConfigCustomizer != nil {
 			a.TLSConfigCustomizer(&tlsConfig)
@@ -566,8 +567,8 @@ func (a *ArgoCDServer) watchSettings() {
 				newCert, newCertKey = tlsutil.EncodeX509KeyPairString(*a.settings.Certificate)
 			}
 			if newCert != prevCert || newCertKey != prevCertKey {
-				log.Infof("tls certificate modified. restarting")
-				break
+				log.Infof("tls certificate modified. reloading certificate")
+				// No need to break out of this loop since TlsConfig.GetCertificate will automagically reload the cert.
 			}
 		}
 	}
@@ -680,6 +681,7 @@ func (a *ArgoCDServer) newGRPCServer() (*grpc.Server, application.AppResourceTre
 		a.AppClientset,
 		a.appLister,
 		a.appInformer,
+		nil,
 		a.RepoClientset,
 		a.Cache,
 		kubectl,

test/container/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/redis:7.0.5 as redis
+FROM docker.io/library/redis:7.0.8-alpine as redis
 
 FROM node:12.18.4-buster as node
 

test/container/Procfile

@@ -1,6 +1,6 @@
-controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-api-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} "
-dex: sh -c "test $ARGOCD_IN_CI = true && exit 0; ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.35.3 serve /dex.yaml"
+controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} "
+dex: sh -c "test $ARGOCD_IN_CI = true && exit 0; ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.36.0 serve /dex.yaml"
 redis: sh -c "/usr/local/bin/redis-server --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}"
 repo-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_BINARY_NAME=argocd-repo-server $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
 ui: sh -c "test $ARGOCD_IN_CI = true && exit 0; cd ui && ARGOCD_E2E_YARN_HOST=0.0.0.0 ${ARGOCD_E2E_YARN_CMD:-yarn} start"

test/e2e/app_management_test.go

@@ -416,7 +416,9 @@ func TestInvalidAppProject(t *testing.T) {
 		IgnoreErrors().
 		CreateApp().
 		Then().
-		Expect(Error("", "application references project does-not-exist which does not exist"))
+		// We're not allowed to infer whether the project exists based on this error message. Instead, we get a generic
+		// permission denied error.
+		Expect(Error("", "permission denied"))
 }
 
 func TestAppDeletion(t *testing.T) {

test/e2e/fixture/fixture.go

@@ -782,6 +782,8 @@ func RestartRepoServer() {
 		}
 		FailOnErr(Run("", "kubectl", "rollout", "restart", "deployment", workload))
 		FailOnErr(Run("", "kubectl", "rollout", "status", "deployment", workload))
+		// wait longer to avoid error on s390x
+		time.Sleep(10 * time.Second)
 	}
 }
 

ui/src/app/ui-banner/ui-banner.tsx

@@ -68,11 +68,13 @@ export const Banner = (props: React.Props<any>) => {
                         chatBottomPosition = 85;
                     }
                 }
-                try {
-                    const externalLink = new ExternalLink(chatUrl);
-                    chatUrl = externalLink.ref;
-                } catch (InvalidExternalLinkError) {
-                    chatUrl = 'invalid-url';
+                if (chatUrl) {
+                    try {
+                        const externalLink = new ExternalLink(chatUrl);
+                        chatUrl = externalLink.ref;
+                    } catch (InvalidExternalLinkError) {
+                        chatUrl = 'invalid-url';
+                    }
                 }
                 return (
                     <React.Fragment>