Bump version to 2.10.18 (#20435)

Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: crenshaw-dev <crenshaw-dev@users.noreply.github.com>

.dockerignore

@@ -11,3 +11,19 @@ cmd/**/debug
 debug.test
 coverage.out
 ui/node_modules/
+test-results/
+test/
+manifests/
+hack/
+docs/
+examples/
+.github/
+!test/container
+!test/e2e/testdata
+!test/fixture
+!test/remote
+!hack/installers
+!hack/gpg-wrapper.sh
+!hack/git-verify-wrapper.sh
+!hack/tool-versions.sh
+!hack/install.sh

.github/ISSUE_TEMPLATE/release.md

@@ -0,0 +1,26 @@
+---
+name: Argo CD Release
+about: Used by our Release Champion to track progress of a minor release
+title: 'Argo CD Release vX.X'
+labels: 'release'
+assignees: ''
+---
+
+Target RC1 date: ___. __, ____
+Target GA date: ___. __, ____
+
+ - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can’t merge
+ - [ ] At least two days before RC1 date, draft RC blog post and submit it for review (or delegate this task)
+ - [ ] Cut RC1 (or delegate this task to an Approver and coordinate timing)
+ - [ ] Create new release branch
+    - [ ] Add the release branch to ReadTheDocs
+    - [ ] Confirm that tweet and blog post are ready
+    - [ ] Trigger the release
+    - [ ] After the release is finished, publish tweet and blog post
+    - [ ] Post in #argo-cd and #argo-announcements with lots of emojis announcing the release and requesting help testing
+ - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate (or delegate this task to an Approver and coordinate timing)
+ - [ ] At release date, evaluate if any bugs justify delaying the release. If not, cut the release (or delegate this task to an Approver and coordinate timing)
+ - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
+ - [ ] After the release, post in #argo-cd that the {current minor version minus 3} has reached EOL (example: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1667336234059729)
+ - [ ] (For the next release champion) Review the [items scheduled for the next release](https://github.com/orgs/argoproj/projects/25). If any item does not have an assignee who can commit to finish the feature, move it to the next release.
+ - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.

.github/ISSUE_TEMPLATE/security_logs.md

@@ -0,0 +1,19 @@
+---
+name: Security log
+about: Propose adding security-related logs or tagging existing logs with security fields
+title: "seclog: [Event Description]"
+labels: security-log
+assignees: notfromstatefarm
+---
+# Event to be logged
+
+Specify the event that needs to be logged or existing logs that need to be tagged.
+
+# Proposed level
+
+What security level should these events be logged under? Refer to https://argo-cd.readthedocs.io/en/latest/operator-manual/security/#security-field for more info.
+
+# Common Weakness Enumeration
+
+Is there an associated [CWE](https://cwe.mitre.org/) that could be tagged as well?
+

.github/cherry-pick-bot.yml

@@ -0,0 +1,3 @@
+enabled: true
+preservePullRequestTitle: true
+

.github/dependabot.yml

@@ -0,0 +1,43 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    ignore:
+    - dependency-name: k8s.io/*
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "npm"
+    directory: "/ui/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/test/container/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/test/e2e/multiarch-container/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/test/remote/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/ui-test/"
+    schedule:
+      interval: "daily"

.github/pr-title-checker-config.json

@@ -0,0 +1,15 @@
+{
+    "LABEL": {
+      "name": "title needs formatting",
+      "color": "EEEEEE"
+    },
+    "CHECKS": {
+      "prefixes": ["[Bot] docs: "],
+      "regexp": "^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
+    },
+    "MESSAGES": {
+      "success": "PR title is valid",
+      "failure": "PR title is invalid",
+      "notice": "PR Title needs to pass regex '^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
+    }
+  }

.github/pull_request_template.md

@@ -1,17 +1,24 @@
+<!--
 Note on DCO:
 
 If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the *Details* link next to the DCO action for instructions on how to resolve this.
+-->
 
 Checklist:
 
 * [ ] Either (a) I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
 * [ ] The title of the PR states what changed and the related issues number (used for the release note).
+* [ ] The title of the PR conforms to the [Toolchain Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/toolchain-guide/#title-of-the-pr)
 * [ ] I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
 * [ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
 * [ ] Does this PR require documentation updates?
 * [ ] I've updated documentation as required by this PR.
-* [ ] Optional. My organization is added to USERS.md.
-* [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/tree/master/community#contributing-to-argo)
+* [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/blob/master/community/CONTRIBUTING.md#legal)
 * [ ] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
-* [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/latest/developer-guide/ci/)). 
+* [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/latest/developer-guide/ci/)).
+* [ ] My new feature complies with the [feature status](https://github.com/argoproj/argoproj/blob/master/community/feature-status.md) guidelines.
+* [ ] I have added a brief description of why this PR is necessary and/or what this PR solves.
+* [ ] Optional. My organization is added to USERS.md.
+* [ ] Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).
 
+<!-- Please see [Contribution FAQs](https://argo-cd.readthedocs.io/en/latest/developer-guide/faq/) if you have questions about your pull-request. -->

.github/workflows/README.md

@@ -0,0 +1,38 @@
+# Workflows
+
+| Workflow           | Description                                                    |
+|--------------------|----------------------------------------------------------------|
+| ci-build.yaml      | Build, lint, test, codegen, build-ui, analyze, e2e-test        |
+| codeql.yaml        | CodeQL analysis                                                |
+| image-reuse.yaml   | Build, push, and Sign container images                         |
+| image.yaml         | Build container image for PR's & publish for push events       |
+| pr-title-check.yaml| Lint PR for semantic information                               |
+| init-release.yaml  | Build manifests and version then create a PR for release branch|
+| release.yaml       | Build images, cli-binaries, provenances, and post actions      |
+| update-snyk.yaml   | Scheduled snyk reports                                         |
+
+# Reusable workflows
+
+## image-reuse.yaml
+
+- The resuable workflow can be used to publish or build images with multiple container registries(Quay,GHCR, dockerhub), and then sign them with cosign when an image is published.
+- A GO version `must` be specified e.g. 1.21
+- The image name for each registry *must* contain the tag. Note: multiple tags are allowed for each registry using a CSV type.
+- Multiple platforms can be specified e.g. linux/amd64,linux/arm64
+- Images are not published by default. A boolean value must be set to `true` to push images.
+- An optional target can be specified.
+
+| Inputs            | Description                         | Type        | Required | Defaults        |
+|-------------------|-------------------------------------|-------------|----------|-----------------|
+| go-version        | Version of Go to be used            | string      | true     | none            |
+| quay_image_name   | Full image name and tag             | CSV, string | false    | none            |
+| ghcr_image_name   | Full image name and tag             | CSV, string | false    | none            |
+| docker_image_name | Full image name and tag             | CSV, string | false    | none            |
+| platforms         | Platforms to build (linux/amd64)    | CSV, string | false    | linux/amd64     |
+| push              | Whether to push image/s to registry | boolean     | false    | false           |
+| target            | Target build stage                  | string      | false    | none            |
+
+| Outputs     | Description                              | Type  |
+|-------------|------------------------------------------|-------|
+|image-digest | Image digest of image container created  | string|
+

.github/workflows/ci-build.yaml

@@ -9,10 +9,11 @@ on:
   pull_request:
     branches:
       - 'master'
+      - 'release-*'
 
 env:
   # Golang version to use across CI steps
-  GOLANG_VERSION: '1.18'
+  GOLANG_VERSION: '1.21'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -24,12 +25,12 @@ permissions:
 jobs:
   check-go:
     name: Ensure Go modules synchronicity
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -42,16 +43,16 @@ jobs:
 
   build-go:
     name: Build & cache Go code
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -66,23 +67,23 @@ jobs:
       contents: read  # for actions/checkout to fetch code
       pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Go code
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376 # v3.3.1
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
         with:
-          version: v1.45.2
-          args: --timeout 10m --exclude SA5011 --verbose
+          version: v1.54.0
+          args: --enable gofmt --timeout 10m --exclude SA5011 --verbose --max-issues-per-linter 0 --max-same-issues 0
 
   test-go:
     name: Run unit tests for Go packages
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs:
       - build-go
     env:
@@ -92,11 +93,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -116,7 +117,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -137,19 +138,19 @@ jobs:
       - name: Run all unit tests
         run: make test-local
       - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: code-coverage
           path: coverage.out
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: test-results
           path: test-results/
 
   test-go-race:
-    name: Run unit tests with -race, for Go packages
-    runs-on: ubuntu-latest
+    name: Run unit tests with -race for Go packages
+    runs-on: ubuntu-22.04
     needs:
       - build-go
     env:
@@ -159,11 +160,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -183,7 +184,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -204,19 +205,19 @@ jobs:
       - name: Run all unit tests
         run: make test-race-local
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: race-results
           path: test-results/
 
   codegen:
     name: Check changes to generated code
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -259,17 +260,17 @@ jobs:
 
   build-ui:
     name: Build, test & lint UI code
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Setup NodeJS
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
-          node-version: '12.18.4'
+          node-version: '20.7.0'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -291,7 +292,7 @@ jobs:
 
   analyze:
     name: Process & analyze test artifacts
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs:
       - test-go
       - build-ui
@@ -299,12 +300,12 @@ jobs:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -324,7 +325,7 @@ jobs:
           name: test-results
           path: test-results
       - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
+        uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         with:
           file: coverage.out
       - name: Perform static code analysis using SonarCloud
@@ -357,10 +358,11 @@ jobs:
 
   test-e2e:
     name: Run end-to-end tests
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
+      fail-fast: false
       matrix:
-        k3s-version: [v1.23.3, v1.22.6, v1.21.2]
+        k3s-version: [v1.28.2, v1.27.6, v1.26.9, v1.25.14]
     needs: 
       - build-go
     env:
@@ -372,27 +374,20 @@ jobs:
       ARGOCD_E2E_K3S: "true"
       ARGOCD_IN_CI: "true"
       ARGOCD_E2E_APISERVER_PORT: "8088"
+      ARGOCD_APPLICATION_NAMESPACES: "argocd-e2e-external,argocd-e2e-external-2"
       ARGOCD_SERVER: "127.0.0.1:8088"
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
         run: |
           sudo pkill mono || true
-      # ubuntu-22.04 comes with kubectl, but the version is not pinned. The version as of 2022-12-05 is 1.26.0 which
-      # breaks the `TestNamespacedResourceDiffing` e2e test. So we'll pin to 1.25 and then fix the underlying issue.
-      - name: Install kubectl
-        run: |
-          rm /usr/local/bin/kubectl
-          curl -LO https://dl.k8s.io/release/v1.25.4/bin/linux/amd64/kubectl
-          mv kubectl /usr/local/bin/kubectl
-          chmod +x /usr/local/bin/kubectl
       - name: Install K3S
         env:
           INSTALL_K3S_VERSION: ${{ matrix.k3s-version }}+k3s1
@@ -403,9 +398,10 @@ jobs:
           sudo mkdir -p $HOME/.kube && sudo chown -R runner $HOME/.kube
           sudo k3s kubectl config view --raw > $HOME/.kube/config
           sudo chown runner $HOME/.kube/config
+          sudo chmod go-r $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@6998d139ddd3e68c71e9e398d8e40b71a2f39812 # v3.2.5
+        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -431,9 +427,9 @@ jobs:
           git config --global user.email "john.doe@example.com"
       - name: Pull Docker image required for tests
         run: |
-          docker pull ghcr.io/dexidp/dex:v2.35.3
+          docker pull ghcr.io/dexidp/dex:v2.37.0
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.7-alpine
+          docker pull redis:7.0.15-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist
@@ -461,7 +457,7 @@ jobs:
           set -x
           make test-e2e-local
       - name: Upload e2e-server logs
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: e2e-server-k8s${{ matrix.k3s-version }}.log
           path: /tmp/e2e-server.log

.github/workflows/codeql.yml

@@ -5,6 +5,7 @@ on:
     # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
     branches-ignore:
       - 'dependabot/**'
+      - 'cherry-pick-*'
   pull_request:
   schedule:
     - cron: '0 19 * * 0'
@@ -25,11 +26,16 @@ jobs:
     if: github.repository == 'argoproj/argo-cd'
 
     # CodeQL runs on ubuntu-latest and windows-latest
-    runs-on: ubuntu-latest
-
+    runs-on: ubuntu-22.04
     steps:
     - name: Checkout repository
-      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+    # Use correct go version. https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
+    - name: Setup Golang
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
+      with:
+        go-version-file: go.mod
       
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/image-reuse.yaml

@@ -0,0 +1,171 @@
+name: Publish and Sign Container Image
+on:
+  workflow_call:
+    inputs:
+      go-version:
+        required: true
+        type: string
+      quay_image_name:
+        required: false
+        type: string
+      ghcr_image_name:
+        required: false
+        type: string
+      docker_image_name:
+        required: false
+        type: string
+      platforms:
+        required: true
+        type: string
+        default: linux/amd64
+      push:
+        required: true
+        type: boolean
+        default: false
+      target:
+        required: false
+        type: string
+
+    secrets:
+      quay_username:
+        required: false
+      quay_password:
+        required: false
+      ghcr_username:
+        required: false
+      ghcr_password:
+        required: false
+      docker_username:
+        required: false
+      docker_password:
+        required: false
+
+    outputs:
+      image-digest:
+        description: "sha256 digest of container image"
+        value: ${{ jobs.publish.outputs.image-digest }}
+
+permissions: {}
+
+jobs:
+  publish:
+    permissions:
+      contents: read
+      packages: write # Used to push images to `ghcr.io` if used.
+      id-token: write # Needed to create an OIDC token for keyless signing
+    runs-on: ubuntu-22.04
+    outputs:
+      image-digest: ${{ steps.image.outputs.digest }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+        if: ${{ github.ref_type == 'tag'}}
+
+      - name: Checkout code
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        if: ${{ github.ref_type != 'tag'}}
+
+      - name: Setup Golang
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: ${{ inputs.go-version }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+
+      - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+      - uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+      - name: Setup tags for container image as a CSV type
+        run: |
+          IMAGE_TAGS=$(for str in \
+            ${{ inputs.quay_image_name }} \
+            ${{ inputs.ghcr_image_name }} \
+            ${{ inputs.docker_image_name}}; do
+            echo -n "${str}",;done | sed 's/,$//')
+
+          echo $IMAGE_TAGS
+          echo "TAGS=$IMAGE_TAGS" >> $GITHUB_ENV
+
+      - name: Setup image namespace for signing, strip off the tag
+        run: |
+          TAGS=$(for tag in \
+            ${{ inputs.quay_image_name }} \
+            ${{ inputs.ghcr_image_name }} \
+            ${{ inputs.docker_image_name}}; do
+            echo -n "${tag}" | awk -F ":" '{print $1}' -;done)
+          
+            echo $TAGS
+            echo 'SIGNING_TAGS<<EOF' >> $GITHUB_ENV
+            echo $TAGS >> $GITHUB_ENV
+            echo 'EOF' >> $GITHUB_ENV
+
+      - name: Login to Quay.io
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          registry: quay.io
+          username: ${{ secrets.quay_username }}
+          password: ${{ secrets.quay_password }}
+        if: ${{ inputs.quay_image_name && inputs.push }}
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.ghcr_username }}
+          password: ${{ secrets.ghcr_password }}
+        if: ${{ inputs.ghcr_image_name && inputs.push }}
+
+      - name: Login to dockerhub Container Registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          username: ${{ secrets.docker_username }}
+          password: ${{ secrets.docker_password }}
+        if: ${{ inputs.docker_image_name && inputs.push }}
+
+      - name: Set up build args for container image
+        run: |
+            echo "GIT_TAG=$(if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)" >> $GITHUB_ENV
+            echo "GIT_COMMIT=$(git rev-parse HEAD)" >> $GITHUB_ENV
+            echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV
+            echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV
+
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@4d9e71b726748f254fe64fa44d273194bd18ec91
+        with:
+          large-packages: false
+          docker-images: false
+          swap-storage: false
+          tool-cache: false
+
+      - name: Build and push container image
+        id: image
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 #v5.1.0
+        with:
+          context: .
+          platforms: ${{ inputs.platforms }}
+          push: ${{ inputs.push }}
+          tags: ${{ env.TAGS }}
+          target: ${{ inputs.target }}
+          provenance: false
+          sbom: false
+          build-args: |
+            GIT_TAG=${{env.GIT_TAG}}
+            GIT_COMMIT=${{env.GIT_COMMIT}}
+            BUILD_DATE=${{env.BUILD_DATE}}
+            GIT_TREE_STATE=${{env.GIT_TREE_STATE}}
+
+      - name: Sign container images
+        run: |
+          for signing_tag in $SIGNING_TAGS; do
+            cosign sign \
+            -a "repo=${{ github.repository }}" \
+            -a "workflow=${{ github.workflow }}" \
+            -a "sha=${{ github.sha }}" \
+            -y \
+            "$signing_tag"@${{ steps.image.outputs.digest }}
+          done
+        if: ${{ inputs.push }}

.github/workflows/image.yaml

@@ -9,145 +9,109 @@ on:
       - master
     types: [ labeled, unlabeled, opened, synchronize, reopened ]
 
-env:
-  GOLANG_VERSION: '1.18'
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
-  publish:
+  set-vars:
     permissions:
-      contents: write  # for git to push upgrade commit if not already deployed
+      contents: read
     if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-latest
-    env:
-      GOPATH: /home/runner/work/argo-cd/argo-cd
+    runs-on: ubuntu-22.04
+    outputs:
+      image-tag: ${{ steps.image.outputs.tag}}
+      platforms: ${{ steps.platforms.outputs.platforms }}
     steps:
-      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
-        with:
-          go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-        with:
-          path: src/github.com/argoproj/argo-cd
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 
-      # get image tag
-      - run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
-        working-directory: ./src/github.com/argoproj/argo-cd
+      - name: Set image tag for ghcr
+        run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
         id: image
 
-      # login
-      - run: |
-          docker login ghcr.io --username $USERNAME --password-stdin <<< "$PASSWORD"
-          docker login quay.io --username "$DOCKER_USERNAME" --password-stdin <<< "$DOCKER_TOKEN"
-        if: github.event_name == 'push'
-        env:
-          USERNAME: ${{ secrets.USERNAME }}
-          PASSWORD: ${{ secrets.TOKEN }}
-          DOCKER_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
-          DOCKER_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
-
-      # build
-      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
-
-      - name: Setup cache for argocd-ui docker layer
-        uses: actions/cache@v3
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-single-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-single-buildx
-
-      - name: Build cache for argocd-ui stage
-        uses: docker/build-push-action@v2
-        with:
-          context: ./src/github.com/argoproj/argo-cd
-          target: argocd-ui
-          push: false
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
-        if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test-arm-image')
-
-      - name: Run non-container Snyk scans
-        if: github.event_name == 'push'
-        working-directory: ./src/github.com/argoproj/argo-cd
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - name: Determine image platforms to use
+        id: platforms
         run: |
-          npm install -g snyk
-
-          # Run with high threshold to fail build.
-          snyk test --org=argoproj --all-projects --exclude=docs,site --severity-threshold=high --policy-path=.snyk
-          snyk iac test manifests/install.yaml --org=argoproj --severity-threshold=high --policy-path=.snyk
-
-      - run: |
           IMAGE_PLATFORMS=linux/amd64
-          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
+          if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-multi-image') }}" == "true" ]]
           then
             IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
           fi
           echo "Building image for platforms: $IMAGE_PLATFORMS"
-          docker buildx build --platform $IMAGE_PLATFORMS --sbom=false --provenance=false --push="${{ github.event_name == 'push' }}" \
-            --cache-from "type=local,src=/tmp/.buildx-cache" \
-            -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} \
-            -t quay.io/argoproj/argocd:latest .
-        working-directory: ./src/github.com/argoproj/argo-cd
+          echo "platforms=$IMAGE_PLATFORMS" >> $GITHUB_OUTPUT
 
-      - name: Run container Snyk scan
-        if: github.event_name == 'push'
-        working-directory: ./src/github.com/argoproj/argo-cd
-        env:
-          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-        run: |
-          snyk container test quay.io/argoproj/argocd:latest --org=argoproj --file=Dockerfile --severity-threshold=high
+  build-only:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name != 'push' }}
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: 1.21
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: false
 
-        # Temp fix
-        # https://github.com/docker/build-push-action/issues/252
-        # https://github.com/moby/buildkit/issues/1896
-      - name: Clean up build cache
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-        if: github.event_name == 'push' || contains(github.event.pull_request.labels.*.name, 'test-arm-image')
+  build-and-publish:
+    needs: [set-vars]
+    permissions:
+      contents: read
+      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+      id-token: write # for creating OIDC tokens for signing.
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      quay_image_name: quay.io/argoproj/argocd:latest
+      ghcr_image_name: ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: 1.21
+      platforms: ${{ needs.set-vars.outputs.platforms }}
+      push: true
+    secrets:
+      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+      ghcr_username: ${{ github.actor }}
+      ghcr_password: ${{ secrets.GITHUB_TOKEN }}
 
-      # sign container images
-      - name: Install cosign
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
-        with:
-          cosign-release: 'v1.13.1'
+  build-and-publish-provenance: # Push attestations to GHCR, latest image is polluting quay.io
+    needs:
+      - build-and-publish
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
+    with:
+      image: ghcr.io/argoproj/argo-cd/argocd
+      digest: ${{ needs.build-and-publish.outputs.image-digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Install crane to get digest of image
-        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
-
-      - name: Get digest of image
-        run: |
-          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:latest)" >> $GITHUB_ENV
-
-      - name: Sign Argo CD latest image
-        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd@${{ env.IMAGE_DIGEST }}
-          # Displays the public key to share.
-          cosign public-key --key env://COSIGN_PRIVATE_KEY
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ github.event_name == 'push' }}
-
-      # deploy
+  Deploy:
+    needs:
+      - build-and-publish
+      - set-vars
+    permissions:
+      contents: write  # for git to push upgrade commit if not already deployed
+      packages: write  # for pushing packages to GHCR, which is used by cd.apps.argoproj.io to avoid polluting Quay with tags
+    if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
-        if: github.event_name == 'push'
         env:
           TOKEN: ${{ secrets.TOKEN }}
       - run: |
-          docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }}
+          docker run -u $(id -u):$(id -g) -v $(pwd):/src -w /src --rm -t ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }} kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argo-cd/argocd:${{ needs.set-vars.outputs.image-tag }}
           git config --global user.email 'ci@argoproj.com'
           git config --global user.name 'CI'
-          git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ steps.image.outputs.tag }}' && git push)
-        if: github.event_name == 'push'
+          git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ needs.set-vars.outputs.image-tag }}' && git push)
         working-directory: argoproj-deployments/argocd
-      # TODO: clean up old images once github supports it: https://github.community/t5/How-to-use-Git-and-GitHub/Deleting-images-from-GitHub-Package-Registry/m-p/41202/thread-id/9811
+

.github/workflows/init-release.yaml

@@ -0,0 +1,77 @@
+name: Init ArgoCD Release
+on:
+  workflow_dispatch:
+    inputs:
+      TARGET_BRANCH:
+        description: 'TARGET_BRANCH to checkout (e.g. release-2.5)'
+        required: true
+        type: string
+
+      TARGET_VERSION:
+        description: 'TARGET_VERSION to build manifests (e.g. 2.5.0-rc1) Note: the `v` prefix is not used'
+        required: true
+        type: string
+
+permissions: {}
+
+jobs:
+  prepare-release:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
+    name: Automatically generate version and manifests on ${{ inputs.TARGET_BRANCH }}
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac  # v4.0.0
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+          ref: ${{ inputs.TARGET_BRANCH }}
+
+      - name: Check if TARGET_VERSION is well formed.
+        run: |
+          set -xue
+          # Target version must not contain 'v' prefix
+          if echo "${{ inputs.TARGET_VERSION }}" | grep -e '^v'; then
+            echo "::error::Target version '${{ inputs.TARGET_VERSION }}' should not begin with a 'v' prefix, refusing to continue." >&2
+            exit 1
+          fi
+
+      - name: Create VERSION information
+        run: |
+          set -ue
+          echo "Bumping version from $(cat VERSION) to ${{ inputs.TARGET_VERSION }}"
+          echo "${{ inputs.TARGET_VERSION }}" > VERSION
+
+        # We install kustomize in the dist directory
+      - name: Add dist to PATH
+        run: |
+          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
+
+      - name: Generate new set of manifests
+        run: |
+          set -ue
+          make install-codegen-tools-local
+          make manifests-local VERSION=${{ inputs.TARGET_VERSION }}
+          git diff
+
+      - name: Generate version compatibility table
+        run: |
+          git stash
+          bash hack/update-supported-versions.sh
+          git add -u .
+          git stash pop
+
+      - name: Create pull request
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38  # v5.0.2
+        with:
+          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
+          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
+          body: Updating VERSION and manifests to ${{ inputs.TARGET_VERSION }}
+          branch: update-version
+          branch-suffix: random
+          signoff: true
+          labels: release
+
+

.github/workflows/pr-title-check.yml

@@ -0,0 +1,29 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types: [opened, edited, reopened, synchronize]
+
+# IMPORTANT: No checkout actions, scripts, or builds should be added to this workflow. Permissions should always be used
+# with extreme caution. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+permissions: {}
+
+# PR updates can happen in quick succession leading to this
+# workflow being trigger a number of times. This limits it
+# to one run per PR.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+
+jobs:
+  validate:
+    permissions:
+      contents: read
+      pull-requests: read
+    name: Validate PR Title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: thehanimo/pr-title-checker@0cf5902181e78341bb97bb06646396e5bd354b3f # v1.4.0
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          configuration_path: ".github/pr-title-checker-config.json"

.github/workflows/release.yaml

@@ -1,270 +1,161 @@
-name: Create ArgoCD release
+name: Publish ArgoCD Release
 on:
   push:
     tags:
-      - "release-v*"
-      - "!release-v1.5*"
-      - "!release-v1.4*"
-      - "!release-v1.3*"
-      - "!release-v1.2*"
-      - "!release-v1.1*"
-      - "!release-v1.0*"
-      - "!release-v0*"
+      - 'v*'
+      - '!v2.4*'
+      - '!v2.5*'
+      - '!v2.6*'
+
+permissions: {}
 
 env:
-  GOLANG_VERSION: '1.18'
-
-permissions:
-  contents: read
+  GOLANG_VERSION: '1.21' # Note: go-version must also be set in job argocd-image.with.go-version
 
 jobs:
-  prepare-release:
+  argocd-image:
     permissions:
-      contents: write # To push changes to release branch
-    name: Perform automatic release on trigger ${{ github.ref }}
+      contents: read
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # used to push images to `ghcr.io` if used.
     if: github.repository == 'argoproj/argo-cd'
-    runs-on: ubuntu-latest
-    env:
-      # The name of the tag as supplied by the GitHub event
-      SOURCE_TAG: ${{ github.ref }}
-      # The image namespace where Docker image will be published to
-      IMAGE_NAMESPACE: quay.io/argoproj
-      # Whether to create & push image and release assets
-      DRY_RUN: false
-      # Whether a draft release should be created, instead of public one
-      DRAFT_RELEASE: false
-      # Whether to update homebrew with this release as well
-      # Set RELEASE_HOMEBREW_TOKEN secret in repository for this to work - needs
-      # access to public repositories
-      UPDATE_HOMEBREW: false
-      # Name of the GitHub user for Git config
-      GIT_USERNAME: argo-bot
-      # E-Mail of the GitHub user for Git config
-      GIT_EMAIL: argoproj@gmail.com
+    uses: ./.github/workflows/image-reuse.yaml
+    with:
+      quay_image_name: quay.io/argoproj/argocd:${{ github.ref_name }}
+      # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
+      go-version: 1.21
+      platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
+      push: true
+    secrets:
+      quay_username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+      quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+
+  argocd-image-provenance:
+      needs: [argocd-image]
+      permissions:
+        actions: read # for detecting the Github Actions environment.
+        id-token: write # for creating OIDC tokens for signing.
+        packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+      # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+      if: github.repository == 'argoproj/argo-cd'
+      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
+      with:
+        image: quay.io/argoproj/argocd
+        digest: ${{ needs.argocd-image.outputs.image-digest }}
+      secrets:
+        registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+        registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+
+  goreleaser:
+    needs:
+      - argocd-image
+      - argocd-image-provenance
+    permissions:
+      contents: write # used for uploading assets
+    if: github.repository == 'argoproj/argo-cd'
+    runs-on: ubuntu-22.04
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Check if the published tag is well formed and setup vars
+      - name: Fetch all tags
+        run: git fetch --force --tags
+
+      - name: Set GORELEASER_PREVIOUS_TAG # Workaround, GoReleaser uses 'git-describe' to determine a previous tag. Our tags are created in realease branches.
         run: |
           set -xue
-          # Target version must match major.minor.patch and optional -rcX suffix
-          # where X must be a number.
-          TARGET_VERSION=${SOURCE_TAG#*release-v}
-          if ! echo "${TARGET_VERSION}" | egrep '^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)*$'; then
-            echo "::error::Target version '${TARGET_VERSION}' is malformed, refusing to continue." >&2
-            exit 1
+          if echo ${{ github.ref_name }} | grep -E -- '-rc1+$';then
+            echo "GORELEASER_PREVIOUS_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n 2 | head -n 1)" >> $GITHUB_ENV
+          else
+            echo "This is not the first release on the branch, Using GoReleaser defaults"
           fi
 
-          # Target branch is the release branch we're going to operate on
-          # Its name is 'release-<major>.<minor>'
-          TARGET_BRANCH="release-${TARGET_VERSION%\.[0-9]*}"
-
-          # The release tag is the source tag, minus the release- prefix
-          RELEASE_TAG="${SOURCE_TAG#*release-}"
-
-          # Whether this is a pre-release (indicated by -rc suffix)
-          PRE_RELEASE=false
-          if echo "${RELEASE_TAG}" | egrep -- '-rc[0-9]+$'; then
-            PRE_RELEASE=true
-          fi
-
-          # We must not have a release trigger within the same release branch,
-          # because that means a release for this branch is already running.
-          if git tag -l | grep "release-v${TARGET_VERSION%\.[0-9]*}" | grep -v "release-v${TARGET_VERSION}"; then
-            echo "::error::Another release for branch ${TARGET_BRANCH} is currently in progress."
-            exit 1
-          fi
-
-          # Ensure that release do not yet exist
-          if git rev-parse ${RELEASE_TAG}; then
-            echo "::error::Release tag ${RELEASE_TAG} already exists in repository. Refusing to continue."
-            exit 1
-          fi
-
-          # Make the variables available in follow-up steps
-          echo "TARGET_VERSION=${TARGET_VERSION}" >> $GITHUB_ENV
-          echo "TARGET_BRANCH=${TARGET_BRANCH}" >> $GITHUB_ENV
-          echo "RELEASE_TAG=${RELEASE_TAG}" >> $GITHUB_ENV
-          echo "PRE_RELEASE=${PRE_RELEASE}" >> $GITHUB_ENV
-
-      - name: Check if our release tag has a correct annotation
-        run: |
-          set -ue
-          # Fetch all tag information as well
-          git fetch --prune --tags --force
-
-          echo "=========== BEGIN COMMIT MESSAGE ============="
-          git show ${SOURCE_TAG}
-          echo "============ END COMMIT MESSAGE =============="
-
-          # Quite dirty hack to get the release notes from the annotated tag
-          # into a temporary file.
-          RELEASE_NOTES=$(mktemp -p /tmp release-notes.XXXXXX)
-
-          prefix=true
-          begin=false
-          git show ${SOURCE_TAG} | while read line; do
-            # Whatever is in commit history for the tag, we only want that
-            # annotation from our tag. We discard everything else.
-            if test "$begin" = "false"; then
-              if echo "$line" | grep -q "tag ${SOURCE_TAG#refs/tags/}"; then begin="true"; fi
-              continue
-            fi
-            if test "$prefix" = "true"; then
-                  if test -z "$line"; then prefix=false; fi
-            else
-                  if echo "$line" | egrep -q '^commit [0-9a-f]+'; then
-                          break
-                  fi
-                  echo "$line" >> ${RELEASE_NOTES}
-            fi
-          done
-
-          # For debug purposes
-          echo "============BEGIN RELEASE NOTES================="
-          cat ${RELEASE_NOTES}
-          echo "=============END RELEASE NOTES=================="
-
-          # Too short release notes are suspicious. We need at least 100 bytes.
-          relNoteLen=$(stat -c '%s' $RELEASE_NOTES)
-          if test $relNoteLen -lt 100; then
-            echo "::error::No release notes provided in tag annotation (or tag is not annotated)"
-            exit 1
-          fi
-
-          # Check for magic string '## Quick Start' in head of release notes
-          if ! head -2 ${RELEASE_NOTES} | grep -iq '## Quick Start'; then
-            echo "::error::Release notes seem invalid, quick start section not found."
-            exit 1
-          fi
-
-          # We store path to temporary release notes file for later reading, we
-          # need it when creating release.
-          echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
-
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
-      - name: Setup Git author information
+      - name: Set environment variables for ldflags
+        id: set_ldflag
         run: |
-          set -ue
-          git config --global user.email "${GIT_EMAIL}"
-          git config --global user.name "${GIT_USERNAME}"
+          echo "KUBECTL_VERSION=$(go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)" >> $GITHUB_ENV
+          echo "GIT_TREE_STATE=$(if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)" >> $GITHUB_ENV
 
-      - name: Checkout corresponding release branch
-        run: |
-          set -ue
-          echo "Switching to release branch '${TARGET_BRANCH}'"
-          if ! git checkout ${TARGET_BRANCH}; then
-            echo "::error::Checking out release branch '${TARGET_BRANCH}' for target version '${TARGET_VERSION}' (tagged '${RELEASE_TAG}') failed. Does it exist in repo?"
-            exit 1
-          fi
-
-      - name: Create VERSION information
-        run: |
-          set -ue
-          echo "Bumping version from $(cat VERSION) to ${TARGET_VERSION}"
-          echo "${TARGET_VERSION}" > VERSION
-          git commit -m "Bump version to ${TARGET_VERSION}" VERSION
-
-      - name: Generate new set of manifests
-        run: |
-          set -ue
-          make install-codegen-tools-local
-          
-          # We install kustomize in the dist directory
-          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
-          
-          make manifests-local VERSION=${TARGET_VERSION}
-          git diff
-          git commit manifests/ -m "Bump version to ${TARGET_VERSION}"
-
-      - name: Create the release tag
-        run: |
-          set -ue
-          echo "Creating release ${RELEASE_TAG}"
-          git tag ${RELEASE_TAG}
-
-      - name: Login to docker repositories
-        env:
-          DOCKER_USERNAME: ${{ secrets.RELEASE_DOCKERHUB_USERNAME }}
-          DOCKER_TOKEN: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
-          QUAY_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
-          QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
-        run: |
-          set -ue
-          docker login quay.io --username "${QUAY_USERNAME}" --password-stdin <<< "${QUAY_TOKEN}"
-          # Remove the following when Docker Hub is gone
-          docker login --username "${DOCKER_USERNAME}" --password-stdin <<< "${DOCKER_TOKEN}"
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
-      - name: Build and push Docker image for release
-        run: |
-          set -ue
-          git clean -fd
-          mkdir -p dist/
-          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --sbom=false --provenance=false --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
-          make release-cli
-          make checksums
-          chmod +x ./dist/argocd-linux-amd64
-          ./dist/argocd-linux-amd64 version --client
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - name: Install cosign
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@4d9e71b726748f254fe64fa44d273194bd18ec91
         with:
-          cosign-release: 'v1.13.1'
+          large-packages: false
+          docker-images: false
+          swap-storage: false
+          tool-cache: false
 
-      - name: Install crane to get digest of image
-        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
-
-      - name: Get digest of image
-        run: |
-          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:v${TARGET_VERSION})" >> $GITHUB_ENV
-
-      - name: Sign Argo CD container images and assets
-        run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd@${{ env.IMAGE_DIGEST }}
-          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
-          # Retrieves the public key to release as an asset
-          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - name: Read release notes file
-        id: release-notes
-        uses: juliangruber/read-file-action@02bbba9876a8f870efd4ad64e3b9088d3fb94d4b # v1.1.6
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+        id: run-goreleaser
         with:
-          path: ${{ env.RELEASE_NOTES }}
-
-      - name: Push changes to release branch
-        run: |
-          set -ue
-          git push origin ${TARGET_BRANCH}
-          git push origin ${RELEASE_TAG}
-
-      - name: Dry run GitHub release
-        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
+          version: latest
+          args: release --clean --timeout 55m
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        id: create_release
+          KUBECTL_VERSION: ${{ env.KUBECTL_VERSION }} 
+          GIT_TREE_STATE: ${{ env.GIT_TREE_STATE }}
+
+      - name: Generate subject for provenance
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          if test "$hashes" = ""; then # goreleaser < v1.13.0
+            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+            hashes=$(cat $checksum_file | base64 -w0)
+          fi
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+  goreleaser-provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read # for detecting the Github Actions environment
+      id-token: write # Needed for provenance signing and ID
+      contents: write #  Needed for release uploads
+    if: github.repository == 'argoproj/argo-cd'
+    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      provenance-name: "argocd-cli.intoto.jsonl"
+      upload-assets: true
+
+  generate-sbom:
+    name: Create SBOM and generate hash
+    needs:
+      - argocd-image
+      - goreleaser
+    permissions:
+      contents: write # Needed for release uploads
+    outputs:
+      hashes: ${{ steps.sbom-hash.outputs.hashes}}
+    if: github.repository == 'argoproj/argo-cd'
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
-          tag_name: ${{ env.RELEASE_TAG }}
-          release_name: ${{ env.RELEASE_TAG }}
-          draft: ${{ env.DRAFT_RELEASE }}
-          prerelease: ${{ env.PRE_RELEASE }}
-          body: ${{ steps.release-notes.outputs.content }}
-        if: ${{ env.DRY_RUN == 'true' }}
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Golang
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
 
       - name: Generate SBOM (spdx)
         id: spdx-builder
@@ -277,7 +168,7 @@ jobs:
           # managers (gomod, yarn, npm).
           PROJECT_FOLDERS: ".,./ui"
           # full qualified name of the docker image to be inspected
-          DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
+          DOCKER_IMAGE: quay.io/argoproj/argocd:${{ github.ref_name }}
         run: |
           yarn install --cwd ./ui
           go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
@@ -295,43 +186,122 @@ jobs:
           fi
 
           cd /tmp && tar -zcf sbom.tar.gz *.spdx
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - name: Sign sbom
+          
+      - name: Generate SBOM hash
+        shell: bash
+        id: sbom-hash
         run: |
-          cosign sign-blob --key env://COSIGN_PRIVATE_KEY /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
-        env:
-          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
-          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - name: Create GitHub release
+          # sha256sum generates sha256 hash for sbom.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          # sha256sum /tmp/sbom.tar.gz ... | base64 -w0
+          echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
+      
+      - name: Upload SBOM
         uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          name: ${{ env.RELEASE_TAG }}
-          tag_name: ${{ env.RELEASE_TAG }}
-          draft: ${{ env.DRAFT_RELEASE }}
-          prerelease: ${{ env.PRE_RELEASE }}
-          body: ${{ steps.release-notes.outputs.content }}  # Pre-pended to the generated notes
           files: |
-            dist/argocd-*
             /tmp/sbom.tar.gz
-            /tmp/sbom.tar.gz.sig
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - name: Update homebrew formula
-        env:
-          HOMEBREW_TOKEN: ${{ secrets.RELEASE_HOMEBREW_TOKEN }}
-        uses: dawidd6/action-homebrew-bump-formula@02e79d9da43d79efa846d73695b6052cbbdbf48a # v3.8.3
+  
+  sbom-provenance:
+    needs: [generate-sbom]
+    permissions:
+      actions: read # for detecting the Github Actions environment
+      id-token: write # Needed for provenance signing and ID
+      contents: write #  Needed for release uploads
+    if: github.repository == 'argoproj/argo-cd'
+    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    with:
+      base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}"
+      provenance-name: "argocd-sbom.intoto.jsonl"
+      upload-assets: true
+      
+  post-release:
+    needs:
+      - argocd-image
+      - goreleaser
+      - generate-sbom
+    permissions:
+      contents: write # Needed to push commit to update stable tag
+      pull-requests: write # Needed to create PR for VERSION update.
+    if: github.repository == 'argoproj/argo-cd'
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
-          token: ${{env.HOMEBREW_TOKEN}}
-          formula: argocd
-        if: ${{ env.HOMEBREW_TOKEN != '' && env.UPDATE_HOMEBREW == 'true' && env.PRE_RELEASE != 'true' }}
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Delete original request tag from repository
+      - name: Setup Git author information
         run: |
           set -ue
-          git push --delete origin ${SOURCE_TAG}
-        if: ${{ always() }}
+          git config --global user.email 'ci@argoproj.com'
+          git config --global user.name 'CI'
+
+      - name: Check if tag is the latest version and not a pre-release
+        run: |
+          set -xue
+          # Fetch all tag information
+          git fetch --prune --tags --force
+
+          LATEST_TAG=$(git -c 'versionsort.suffix=-rc' tag --list --sort=version:refname | tail -n1)
+
+          PRE_RELEASE=false
+          # Check if latest tag is a pre-release
+          if echo $LATEST_TAG | grep -E -- '-rc[0-9]+$';then
+            PRE_RELEASE=true
+          fi
+
+          # Ensure latest tag matches github.ref_name & not a pre-release
+          if [[ $LATEST_TAG == ${{ github.ref_name }} ]] && [[ $PRE_RELEASE != 'true' ]];then
+            echo "TAG_STABLE=true" >> $GITHUB_ENV
+          else
+            echo "TAG_STABLE=false" >> $GITHUB_ENV
+          fi
+
+      - name: Update stable tag to latest version
+        run: |
+          git tag -f stable ${{ github.ref_name }}
+          git push -f origin stable
+        if: ${{ env.TAG_STABLE == 'true' }}
+
+      - name: Check to see if VERSION should be updated on master branch
+        run: |
+          set -xue
+          SOURCE_TAG=${{ github.ref_name }}
+          VERSION_REF="${SOURCE_TAG#*v}"
+          COMMIT_HASH=$(git rev-parse HEAD)
+          if echo "$VERSION_REF" | grep -E -- '^[0-9]+\.[0-9]+\.0-rc1';then
+            VERSION=$(awk 'BEGIN {FS=OFS="."} {$2++; print}' <<< "${VERSION_REF%-rc1}")
+            echo "Updating VERSION to: $VERSION"
+            echo "UPDATE_VERSION=true" >> $GITHUB_ENV
+            echo "NEW_VERSION=$VERSION" >> $GITHUB_ENV
+            echo "COMMIT_HASH=$COMMIT_HASH" >> $GITHUB_ENV
+          else
+            echo "Not updating VERSION"
+            echo "UPDATE_VERSION=false" >> $GITHUB_ENV
+          fi
+
+      - name: Update VERSION on master branch
+        run: |
+          echo ${{ env.NEW_VERSION }} > VERSION
+          # Replace the 'project-release: vX.X.X-rcX' line in SECURITY-INSIGHTS.yml
+          sed -i "s/project-release: v.*$/project-release: v${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml
+          # Update the 'commit-hash: XXXXXXX' line in SECURITY-INSIGHTS.yml
+          sed -i "s/commit-hash: .*/commit-hash: ${{ env.NEW_VERSION }}/" SECURITY-INSIGHTS.yml
+        if: ${{ env.UPDATE_VERSION == 'true' }}
+
+      - name: Create PR to update VERSION on master branch
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
+        with:
+          commit-message: Bump version in master
+          title: "chore: Bump version in master"
+          body: All images built from master should indicate which version we are on track for.
+          signoff: true
+          branch: update-version
+          branch-suffix: random
+          base: master
+        if: ${{ env.UPDATE_VERSION == 'true' }}

.github/workflows/scorecard.yaml

@@ -0,0 +1,67 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: "39 9 * * 2"
+  push:
+    branches: ["master"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-22.04
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      # Needs for private repositories.
+      contents: read
+      actions: read
+    if: github.repository == 'argoproj/argo-cd'
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) Read-only PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+
+          # Publish the results for public repositories to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
+          # of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@3ebbd71c74ef574dbc558c82f70e52732c8b44fe # v2.2.1
+        with:
+          sarif_file: results.sarif

.github/workflows/update-snyk.yaml

@@ -0,0 +1,36 @@
+name: Snyk report update
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: '0 0 * * 0' # midnight every Sunday
+
+permissions:
+  contents: read
+
+jobs:
+  snyk-report:
+    permissions:
+      contents: write
+      pull-requests: write
+    if: github.repository == 'argoproj/argo-cd'
+    name: Update Snyk report in the docs directory
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build reports
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: |
+          make snyk-report
+          pr_branch="snyk-update-$(echo $RANDOM | md5sum | head -c 20)"
+          git checkout -b "$pr_branch"
+          git config --global user.email 'ci@argoproj.com'
+          git config --global user.name 'CI'
+          git add docs/snyk
+          git commit -m "[Bot] docs: Update Snyk reports" --signoff
+          git push --set-upstream origin "$pr_branch"
+          gh pr create -B master -H "$pr_branch" --title '[Bot] docs: Update Snyk report' --body ''

.gitignore

@@ -17,6 +17,8 @@ test-results
 node_modules/
 .kube/
 ./test/cmp/*.sock
+.envrc.remote
+.*.swp
 
 # ignore built binaries
 cmd/argocd/argocd

.gitpod.Dockerfile

@@ -1,17 +1,21 @@
-FROM gitpod/workspace-full
+FROM gitpod/workspace-full@sha256:511cecde4dc129ca9eb4cc4c479d61f95e5485ebe320a07f5b902f11899956a3
 
 USER root
 
 RUN curl -o /usr/local/bin/kubectl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
     chmod +x /usr/local/bin/kubectl
 
-RUN curl -L https://go.kubebuilder.io/dl/2.3.1/$(go env GOOS)/$(go env GOARCH) | \
+RUN curl -L https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_$(go env GOOS)_$(go env GOARCH).tar.gz | \
     tar -xz -C /tmp/ && mv /tmp/kubebuilder_2.3.1_$(go env GOOS)_$(go env GOARCH) /usr/local/kubebuilder
 
+ENV GOCACHE=/go-build-cache
+
 RUN apt-get install redis-server -y
 RUN go install github.com/mattn/goreman@latest
 
+RUN chown -R gitpod:gitpod /go-build-cache
+
 USER gitpod
 
 ENV ARGOCD_REDIS_LOCAL=true
-ENV KUBECONFIG=/tmp/kubeconfig
+ENV KUBECONFIG=/tmp/kubeconfig

.goreleaser.yaml

@@ -0,0 +1,121 @@
+project_name: argocd
+
+before:
+  hooks:
+    - go mod download
+    - make build-ui
+
+builds:
+  - id: argocd-cli
+    main: ./cmd
+    binary: argocd-{{ .Os}}-{{ .Arch}}
+    env:
+      - CGO_ENABLED=0
+    flags:
+      - -v
+    ldflags:
+      - -X github.com/argoproj/argo-cd/v2/common.version={{ .Version }}
+      - -X github.com/argoproj/argo-cd/v2/common.buildDate={{ .Date }}
+      - -X github.com/argoproj/argo-cd/v2/common.gitCommit={{ .FullCommit }}
+      - -X github.com/argoproj/argo-cd/v2/common.gitTreeState={{ .Env.GIT_TREE_STATE }}
+      - -X github.com/argoproj/argo-cd/v2/common.kubectlVersion={{ .Env.KUBECTL_VERSION }}
+      - -extldflags="-static"
+    goos:
+      - linux
+      - darwin
+      - windows
+    goarch:
+      - amd64
+      - arm64
+      - s390x
+      - ppc64le
+    ignore:
+      - goos: darwin
+        goarch: s390x
+      - goos: darwin
+        goarch: ppc64le
+      - goos: windows
+        goarch: s390x
+      - goos: windows
+        goarch: ppc64le
+      - goos: windows
+        goarch: arm64
+
+archives:
+  - id: argocd-archive
+    builds:
+    - argocd-cli
+    name_template: |-
+      {{ .ProjectName }}-{{ .Os }}-{{ .Arch }}
+    format: binary
+
+checksum:
+  name_template: 'cli_checksums.txt'
+  algorithm: sha256
+
+release:
+  prerelease: auto
+  draft: false
+  header: |
+    ## Quick Start
+
+    ### Non-HA:
+
+    ```shell
+    kubectl create namespace argocd
+    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/install.yaml
+    ```
+
+    ### HA:
+
+    ```shell
+    kubectl create namespace argocd
+    kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/{{.Tag}}/manifests/ha/install.yaml
+    ```
+
+    ## Release Signatures and Provenance
+
+    All Argo CD container images are signed by cosign.  A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the [documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/signed-release-assets) on how to verify.
+
+
+    ## Upgrading
+
+    If upgrading from a different minor version, be sure to read the [upgrading](https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/overview/) documentation.
+  footer: |
+    **Full Changelog**: https://github.com/argoproj/argo-cd/compare/{{ .PreviousTag }}...{{ .Tag }}
+    
+    <a href="https://argoproj.github.io/cd/"><img src="https://raw.githubusercontent.com/argoproj/argo-site/master/content/pages/cd/gitops-cd.png" width="25%" ></a>
+
+
+snapshot: #### To be removed for PR
+  name_template: "2.6.0"
+
+changelog:
+  use:
+    github
+  sort: asc
+  abbrev: 0
+  groups: # Regex use RE2 syntax as defined here: https://github.com/google/re2/wiki/Syntax.
+    - title: 'Features'
+      regexp: '^.*?feat(\([[:word:]]+\))??!?:.+$'
+      order: 100
+    - title: 'Bug fixes'
+      regexp: '^.*?fix(\([[:word:]]+\))??!?:.+$'
+      order: 200
+    - title: 'Documentation'
+      regexp: '^.*?docs(\([[:word:]]+\))??!?:.+$'
+      order: 300
+    - title: 'Dependency updates'
+      regexp: '^.*?(feat|fix|chore)\(deps?.+\)!?:.+$'
+      order: 400
+    - title: 'Other work'
+      order: 999
+  filters:
+    exclude:
+      - '^test:'
+      - '^.*?Bump(\([[:word:]]+\))?.+$'
+      - '^.*?\[Bot\](\([[:word:]]+\))?.+$'
+
+
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+

.readthedocs.yml

@@ -4,4 +4,8 @@ mkdocs:
   fail_on_warning: false
 python:
   install:
-    - requirements: docs/requirements.txt
+    - requirements: docs/requirements.txt
+build:
+  os: "ubuntu-22.04"
+  tools:
+    python: "3.7"

.snyk

@@ -18,5 +18,23 @@ ignore:
     - '*':
         reason: >-
           Code is only run client-side. No risk of directory traversal.
+  SNYK-GOLANG-GITHUBCOMEMICKLEIGORESTFUL-2435653:
+    - '*':
+        reason: >-
+          Argo CD uses go-restful as a transitive dependency of kube-openapi. kube-openapi is used to generate openapi
+          specs. We do not use go-restul at runtime and are therefore not vulnerable to this CORS misconfiguration
+          issue in go-restful.
+  SNYK-JS-FORMIDABLE-2838956:
+    - '*':
+        reason: >-
+          Code is only run client-side. No risk of arbitrary file upload.
+  SNYK-JS-PARSEPATH-2936439:
+    - '*':
+        reason: >-
+          The issue is that, for specific URLs, parse-path may incorrectly identify the "resource" (domain name)
+          portion. For example, in "http://127.0.0.1#@example.com", it identifies "example.com" as the "resource".
+
+          We use parse-path on the client side, but permissions for git URLs are checked server-side. This is a
+          potential usability issue, but it is not a security issue.
 patch: {}
 

CHANGELOG.md

@@ -1,14 +1,185 @@
 # Changelog
 
-## v2.4.0 (Unreleased)
+## v2.4.8 (2022-07-29)
 
-### Web Terminal In Argo CD UI
+### Bug fixes
+
+- feat: support application level extensions (#9923)
+- feat: support multiple extensions per resource group/kind (#9834)
+- fix: extensions is not loading for ConfigMap/Pods (#10010)
+- fix: upgrade moment from 2.29.2 to 2.29.3 (#9330)
+- fix: skip redirect url validation when it's the base href (#10058) (#10116)
+- fix: avoid CVE-2022-28948 (#10093)
+- fix: Set HOST_ARCH for yarn build from platform (#10018)
+
+### Other changes
+
+- chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (#9897)
+- docs: add OpenSSH breaking change notes (#10104)
+- chore: update parse-url (#10101)
+- docs: add api field example in the appset security doc (#10087)
+- chore: update redis to 7.0.4 avoid CVE-2022-30065 (#10059)
+- docs: add argocd-server grpc metric usage (#10007)
+- chore: upgrade Dex to 2.32.0 (#10036) (#10042)
+- chore: update redis to avoid CVE-2022-2097 (#10031)
+- chore: update haproxy to 2.0.29 for redis-ha (#10045)
+
+## v2.4.7 (2022-07-18)
+
+### Bug fixes
+
+fix: Support files in argocd.argoproj.io/manifest-generate-paths annotation (#9908)
+fix: terminal websocket write lock to avoid races (#10011)
+fix: updated all a tags to Link tags in app summary (#9777)
+fix: e2e test to use func from clusterauth instead creating one with old logic (#9989)
+fix: add missing download CLI tool URL response for ppc64le, s390x (#9983)
+
+### Other
+
+chore: upgrade parse-url to avoid SNYK-JS-PARSEURL-2936249 (#9826)
+docs: use quotes to emphasize that ConfigMap value is a string (#9995)
+docs: document directory app include/exclude fields (#9997)
+docs: simplify Docker toolchain docs (#9966) (#10006)
+docs: supported versions (#9876)
+
+## v2.4.6 (2022-07-12)
+
+### Features
+
+* feat: Treat connection reset as a retryable error (#9739)
+
+### Bug fixes
+
+* fix: 'unexpected reserved bits' breaking web terminal (#9605) (#9895)
+* fix: argocd login just hangs on 2.4.0 #9679 (#9935)
+* fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s (#9922)
+* fix: NotAfter is not set when ValidFor is set (#9911)
+* fix: add missing download CLI tool link for ppc64le, s390x (#9649)
+* fix: Check tracking annotation for being self-referencing (#9791)
+* fix: Make change of tracking method work at runtime (#9820)
+* fix: argo-cd git submodule is using SSH auth instead of HTTPs (#3118) (#9821)
+
+### Other
+
+* docs: fix typo in Generators-Git.md (#9949)
+* docs: add terminal documentation (#9948)
+* test: Use dedicated multi-arch workloads in e2e tests (#9921)
+* docs: Adding blank line so list is formatted correctly (#9880)
+* docs: small fix for plugin stream filtering (#9871)
+* docs: Document the possibility of rendering Helm charts with Kustomize (#9841)
+* docs: getting started notes on self-signed cert (#9429) (#9784)
+* test: check for error messages from CI env (#9953)
+
+## v2.4.5 (2022-07-12)
+
+### Security fixes
+
+* HIGH: Certificate verification is skipped for connections to OIDC providers ([GHSA-7943-82jg-wmw5](https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5))
+* LOW: A leaked API server encryption key can allow XSS for SSO users ([GHSA-pmjg-52h9-72qv](https://github.com/argoproj/argo-cd/security/advisories/GHSA-pmjg-52h9-72qv))
+
+### Potentially-breaking changes
+
+The fix for GHSA-7943-82jg-wmw5 enables TLS certificate validation by default for connections to OIDC providers. If
+connections to your OIDC provider fails validation, SSO will be broken for your Argo CD instance. You should test 2.4.5
+before upgrading it to production. From the new documentation:
+
+> By default, all connections made by the API server to OIDC providers (either external providers or the bundled Dex
+> instance) must pass certificate validation. These connections occur when getting the OIDC provider's well-known
+> configuration, when getting the OIDC provider's keys, and  when exchanging an authorization code or verifying an ID
+> token as part of an OIDC login flow.
+>
+> Disabling certificate verification might make sense if:
+> * You are using the bundled Dex instance **and** your Argo CD instance has TLS configured with a self-signed certificate
+    >   **and** you understand and accept the risks of skipping OIDC provider cert verification.
+> * You are using an external OIDC provider **and** that provider uses an invalid certificate **and** you cannot solve
+    >   the problem by setting `oidcConfig.rootCA` **and** you understand and accept the risks of skipping OIDC provider cert
+    >   verification.
+>
+> If either of those two applies, then you can disable OIDC provider certificate verification by setting
+> `oidc.tls.insecure.skip.verify` to `"true"` in the `argocd-cm` ConfigMap.
+
+### Bug fixes
+
+* fix: webhook typo in case of error in GetManifests (#9671)
+
+## v2.4.4 (2022-07-07)
+
+### Bug fixes
+
+- fix: missing path segments for git file generator (#9839)
+- fix: make sure api server informer does not stop after setting change (#9842)
+- fix: support resource logs and exec (#9833)
+- fix: configurable CMP tar exclusions (#9675) (#9789)
+- fix: prune any deleted refs before fetching (#9504)
+
+### Other
+
+- test: Remove circular symlinks from testdata (#9886)
+- docs: custom secret must be labeled (#9835)
+- docs: update archlinux install with official package (#9718)
+- docs: explain rightmost git generator path parameter behavior (#9799)
+
+## v2.4.3 (2022-06-27)
+
+### Bug fixes
+
+- fix: respect OIDC providers' supported token signing algorithms (#9433) (#9761)
+- fix websockets for terminal not working on subPath (#9795)
+- fix: avoid closing and re-opening port of api server settings change (#9778)
+- fix: [ArgoCD] Fixing webhook typo in case of error in GetManifests (#9671)
+- fix: overrides should not appear in the manifest cache key (#9601)
+
+## v2.4.2 (2022-06-21)
+
+### Bug fixes
+
+* fix: project filter (#9651) (#9709)
+* fix: broken symlink in Dockerfile (#9674)
+* fix: updated baseHRefRegex to perform lazy match (#9724)
+* fix: updated config file permission requirements for windows (#9666)
+
+### Other
+
+* docs: Update sync-options.md (#9687)
+* test/remote: Allow override of base image (#9734)
+
+## v2.4.1 (2022-06-21)
+
+### Security fixes
+
+* CRITICAL: External URLs for Deployments can include javascript ([GHSA-h4w9-6x78-8vrj](https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj))
+* HIGH: Insecure entropy in PKCE/Oauth2/OIDC params ([GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v))
+* MODERATE: DoS through large directory app manifest files ([GHSA-jhqp-vf4w-rpwq](https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq))
+* MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server ([GHSA-q4w5-4gq2-98vm](https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm))
+
+### Potentially-breaking changes
+
+From the [GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v) description:
+
+> The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.
+>
+> If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.
+
+### Other
+
+* test: directory app manifest generation (#9503)
+* chore: Implement tests to validate aws auth retry (#9627)
+* chore: Implement a retry in aws auth command (#9618)
+* test: Remove temp directories from repo server tests (#9501)
+* test: Make context tests idempodent (#9502)
+* test: fix plugin var test for OSX (#9590)
+* docs: Document how to deploy from the root of the git repository (#9632)
+* docs: added environment variables documentation (#8680)
+
+## v2.4.0 (2022-06-10)
+
+### Web Terminal In Argo CD UI
 
 Feature enables engineers to start a shell in the running application container without leaving the web interface. Just find the required Kubernetes
 Pod using the Application Details page, click on it and select the Terminal tab. The shell starts automatically and enables you to execute the required
 commands, and helps to troubleshoot the application state.
 
-### Access Control For Pod Logs & Web Terminal
+### Access Control For Pod Logs & Web Terminal
 
 Argo CD is used to manage the critical infrastructure of multiple organizations, which makes security the top priority of the project. We've listened to
 your feedback and introduced additional access control settings that control access to Kubernetes Pod logs and the new Web Terminal feature.
@@ -26,12 +197,12 @@ Upon pressing the "LOGS" tab in pod view by users who don't have an explicit all
 The new feature allows emitting richer telemetry data that might make identifying performance bottlenecks easier. The new feature is available for argocd-server
 and argocd-repo-server components and can be enabled using the --otlp-address flag.
 
-### Power PC and IBM Z Support
+### Power PC and IBM Z Support
 
 The list of supported architectures has been expanded, and now includes IBM Z (s390x) and PowerPC (ppc64le). Starting with the v2.4 release the official quay.io
 repository is going to have images for amd64, arm64, ppc64le, and s390x architectures.
 
-### Other Notable Changes
+### Other Notable Changes
 
 Overall v2.4 release includes more than 300 hundred commits from nearly 90 contributors. Here is a short sample of the contributions:
 
@@ -40,6 +211,116 @@ Overall v2.4 release includes more than 300 hundred commits from nearly 90 contr
 * Secured Redis connection
 * ApplicationSet Gitea support
 
+## v2.3.7 (2022-07-29)
+
+### Notes
+
+This is mainly a security related release and updates compatibility with Kubernetes 1.24.
+
+**Attention:** The base image for 2.3.x reached end-of-life on July 14, 2022. This release upgraded the base image to Ubuntu 22.04 LTS. The change should have no effect on the majority of users. But if any of your git providers only supports now-deprecated key hash algorithms, then Application syncing might break. See the [2.2-to-2.3 upgrade notes](https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.2-2.3/#support-for-private-repo-ssh-keys-using-the-sha-1-signature-hash-algorithm-is-removed-in-237) for details and workaround instructions.
+
+### Bug fixes
+
+- fix: skip redirect url validation when it's the base href (#10058) (#10116)
+- fix: upgrade moment from 2.29.2 to 2.29.3 (#9330)
+- fix: avoid CVE-2022-28948 (#10093)
+- fix: use serviceaccount name instead of struct (#9614)
+- fix: create serviceaccount token for v1.24 clusters (#9546)
+
+### Other changes
+
+- test: Remove cluster e2e tests not intended for release-2.3
+- test: Remove circular symlinks from testdata (#9886)
+- chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (#9897)
+- chore: upgrade moment to latest version to fix CVE (#9005)
+- chore: move dependencies to dev dependencies (#8541)
+- docs: add OpenSSH breaking change notes (#10104)
+- chore: update parse-url (#10101)
+- chore: upgrade base image to 22.04 (#10103)
+- docs: simplify Docker toolchain docs (#9966) (#10006)
+- chore: update redis to 6.2.7 avoid CVE-2022-30065/CVE-2022-2097 (#10062)
+- chore: upgrade Dex to 2.32.0 (#10036) (#10042)
+- chore: update haproxy to 2.0.29 for redis-ha (#10045)
+- test: check for error messages from CI env (#9953)
+
+## v2.3.6 (2022-07-12)
+
+### Security fixes
+
+* HIGH: Certificate verification is skipped for connections to OIDC providers ([GHSA-7943-82jg-wmw5](https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5))
+* LOW: A leaked API server encryption key can allow XSS for SSO users ([GHSA-pmjg-52h9-72qv](https://github.com/argoproj/argo-cd/security/advisories/GHSA-pmjg-52h9-72qv))
+
+### Potentially-breaking changes
+
+The fix for GHSA-7943-82jg-wmw5 enables TLS certificate validation by default for connections to OIDC providers. If
+connections to your OIDC provider fails validation, SSO will be broken for your Argo CD instance. You should test 2.3.6
+before upgrading it to production. From the new documentation:
+
+> By default, all connections made by the API server to OIDC providers (either external providers or the bundled Dex
+> instance) must pass certificate validation. These connections occur when getting the OIDC provider's well-known
+> configuration, when getting the OIDC provider's keys, and  when exchanging an authorization code or verifying an ID
+> token as part of an OIDC login flow.
+>
+> Disabling certificate verification might make sense if:
+> * You are using the bundled Dex instance **and** your Argo CD instance has TLS configured with a self-signed certificate
+    >   **and** you understand and accept the risks of skipping OIDC provider cert verification.
+> * You are using an external OIDC provider **and** that provider uses an invalid certificate **and** you cannot solve
+    >   the problem by setting `oidcConfig.rootCA` **and** you understand and accept the risks of skipping OIDC provider cert
+    >   verification.
+>
+> If either of those two applies, then you can disable OIDC provider certificate verification by setting
+> `oidc.tls.insecure.skip.verify` to `"true"` in the `argocd-cm` ConfigMap.
+
+### Bug fixes
+
+* fix: webhook typo in case of error in GetManifests (#9671)
+
+## v2.3.5 (2022-06-21)
+
+### Security fixes
+
+* CRITICAL: External URLs for Deployments can include javascript ([GHSA-h4w9-6x78-8vrj](https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj))
+* HIGH: Insecure entropy in PKCE/Oauth2/OIDC params ([GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v))
+* MODERATE: DoS through large directory app manifest files ([GHSA-jhqp-vf4w-rpwq](https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq))
+* MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server ([GHSA-q4w5-4gq2-98vm](https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm))
+
+### Potentially-breaking changes
+
+From the [GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v) description:
+
+> The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.
+>
+> If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.
+
+### Bug fixes
+
+* fix: missing Helm params (#9565) (#9566)
+
+### Other
+
+* test: directory app manifest generation (#9503)
+* chore: eliminate go-mpatch dependency (#9045)
+* chore: Make unit tests run on platforms other than amd64 (#8995)
+* chore: remove obsolete repo-server unit test (#9559)
+* chore: update golangci-lint (#8988)
+* fix: test race (#9469)
+* chore: upgrade golangci-lint to v1.46.2 (#9448)
+* test: fix ErrorContains (#9445)
+
+## v2.3.4 (2022-05-18)
+
+### Security fixes
+
+- CRITICAL: Argo CD will trust invalid JWT claims if anonymous access is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj)
+- LOW: Login screen allows message spoofing if SSO is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j)
+- MODERATE: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h)
+
+### Bug Fixes
+
+- fix: Fix docs build error (#8895)
+- fix: fix broken monaco editor collapse icons (#8709)
+- chore: upgrade to go 1.17.8 (#8866) (#9004)
+- fix: allow cli/ui to follow logs (#8987) (#9065)
 
 ## v2.3.3 (2022-03-29)
 
@@ -181,6 +462,174 @@ Both bundled Helm and Kustomize binaries have been upgraded to the latest versio
 - refactor: Introduce 'byClusterName' secret index to speedup cluster server URL lookup (#8133)
 - refactor: Move project filtering to server side (#8102)
 
+## v2.2.12 (2022-07-29)
+
+### Notes
+
+This is mainly a security related release and updates compatibility with Kubernetes 1.24.
+
+**Attention:** The base image for 2.2.x reached end-of-life on January 20, 2022. This release upgraded the base image to Ubuntu 22.04 LTS. The change should have no effect on the majority of users. But if any of your git providers only supports now-deprecated key hash algorithms, then Application syncing might break. See the [2.1-to-2.2 upgrade notes](https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/2.1-2.2/#support-for-private-repo-ssh-keys-using-the-sha-1-signature-hash-algorithm-is-removed-in-2212) for details and workaround instructions.
+
+### Bug fixes
+
+- fix: create serviceaccount token for v1.24 clusters (#9546)
+- fix: upgrade moment from 2.29.2 to 2.29.3 (#9330)
+- fix: avoid CVE-2022-28948 (#10093)
+
+### Other changes
+
+- chore: Remove deprecated K8s versions from test matrix
+- chore: Go mod tidy
+- test: Remove circular symlinks from testdata (#9886)
+- test: Fix e2e tests for release-2.2 branch
+- chore: bump redoc vesion to avoid CVE-2021-23820 (#8604)
+- chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (#9897)
+- chore: upgrade moment to latest version to fix CVE (#9005)
+- chore: move dependencies to dev dependencies (#8541)
+- docs: add OpenSSH breaking change notes (#10104)
+- chore: update parse-url (#10101)
+- chore: fix codegen
+- chore: fix codegen
+- chore: upgrade base image to 22.04 (#10105)
+- docs: simplify Docker toolchain docs (#9966) (#10006)
+- chore: update redis to 6.2.7 avoid CVE-2022-30065/CVE-2022-2097 (#10068)
+- chore: upgrade Dex to 2.32.0 (#10036) (#10042)
+- chore: update haproxy to 2.0.29 for redis-ha (#10045)
+- test: check for error messages from CI env (#9953)
+
+## v2.2.11 (2022-07-12)
+
+### Security fixes
+
+* HIGH: Certificate verification is skipped for connections to OIDC providers ([GHSA-7943-82jg-wmw5](https://github.com/argoproj/argo-cd/security/advisories/GHSA-7943-82jg-wmw5))
+* LOW: A leaked API server encryption key can allow XSS for SSO users ([GHSA-pmjg-52h9-72qv](https://github.com/argoproj/argo-cd/security/advisories/GHSA-pmjg-52h9-72qv))
+
+### Potentially-breaking changes
+
+The fix for GHSA-7943-82jg-wmw5 enables TLS certificate validation by default for connections to OIDC providers. If
+connections to your OIDC provider fails validation, SSO will be broken for your Argo CD instance. You should test 2.2.11
+before upgrading it to production. From the new documentation:
+
+> By default, all connections made by the API server to OIDC providers (either external providers or the bundled Dex
+> instance) must pass certificate validation. These connections occur when getting the OIDC provider's well-known
+> configuration, when getting the OIDC provider's keys, and  when exchanging an authorization code or verifying an ID
+> token as part of an OIDC login flow.
+>
+> Disabling certificate verification might make sense if:
+> * You are using the bundled Dex instance **and** your Argo CD instance has TLS configured with a self-signed certificate
+    >   **and** you understand and accept the risks of skipping OIDC provider cert verification.
+> * You are using an external OIDC provider **and** that provider uses an invalid certificate **and** you cannot solve
+    >   the problem by setting `oidcConfig.rootCA` **and** you understand and accept the risks of skipping OIDC provider cert
+    >   verification.
+>
+> If either of those two applies, then you can disable OIDC provider certificate verification by setting
+> `oidc.tls.insecure.skip.verify` to `"true"` in the `argocd-cm` ConfigMap.
+
+### Features
+
+* feat: enable specifying root ca for oidc (#6712)
+
+### Bug fixes
+
+* fix: webhook typo in case of error in GetManifests (#9671)
+
+## v2.2.10 (2022-06-21)
+
+### Security fixes
+
+* CRITICAL: External URLs for Deployments can include javascript ([GHSA-h4w9-6x78-8vrj](https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj))
+* HIGH: Insecure entropy in PKCE/Oauth2/OIDC params ([GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v))
+* MODERATE: DoS through large directory app manifest files ([GHSA-jhqp-vf4w-rpwq](https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq))
+* MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server ([GHSA-q4w5-4gq2-98vm](https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm))
+
+### Potentially-breaking changes
+
+From the [GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v) description:
+
+> The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.
+>
+> If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.
+
+### Bug fixes
+
+* fix: missing Helm params (#9565) (#9566)
+
+### Other
+
+* test: directory app manifest generation (#9503)
+* test: fix erroneous test change
+* chore: eliminate go-mpatch dependency (#9045)
+* chore: Make unit tests run on platforms other than amd64 (#8995)
+* chore: remove obsolete repo-server unit test (#9559)
+* chore: upgrade golangci-lint to v1.46.2 (#9448)
+* chore: update golangci-lint (#8988)
+
+## v2.2.9 (2022-05-18)
+
+### Notes
+
+This is a security release. We urge all users of the 2.2.z branch to update as soon as possible. Please refer to the _Security fixes_ section below for more details.
+
+### Security fixes
+
+- CRITICAL: Argo CD will trust invalid JWT claims if anonymous access is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj)
+- LOW: Login screen allows message spoofing if SSO is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j)
+- MODERATE: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h)
+
+## v2.2.8 (2022-03-22)
+
+### Special notes
+
+This release contains the fix for a security issue with critical severity. We recommend users on the 2.2 release branch to update to this release as soon as possible.
+
+More information can be found in the related
+[security advisory](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2f5v-8r3f-8pww).
+
+### Changes
+
+As part of the security fix, the Argo CD UI no longer automatically presents child resources of allow-listed resources unless the child resources are also allow-listed. For example, Pods are not going to show up if only Deployment is added to the allow-list.
+
+If you have [projects](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/) configured with allow-lists, make sure the allow-lists include all the resources you want users to be able to view/manage through the UI. For example, if your project allows `Deployments`, you would add `ReplicaSets` and `Pods`.
+
+#### Bug Fixes
+
+- fix: application resource APIs must enforce project restrictions
+
+## v2.2.7 (2022-03-08)
+
+### Bug Fixes
+
+- fix: correct jsonnet paths resolution (#8721)
+
+## v2.2.6 (2022-03-06)
+
+### Bug Fixes
+
+- fix: prevent file traversal using helm file values param and application details api (#8606)
+- fix!: enforce app create/update privileges when getting repo details (#8558)
+- feat: support custom helm values file schemes (#8535)
+
+## v2.2.5 (2022-02-04)
+
+- fix: Resolve symlinked value files correctly (#8387)
+
+## v2.2.4 (2022-02-03)
+
+### Special notes
+
+This release contains the fix for a security issue with high severity. We recommend users on the 2.2 release branch to update to this release as soon as possible.
+
+More information can be found in the related
+[security advisory](https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7)
+
+### Bug Fixes
+
+- fix: Prevent value files outside repository root
+
+### Other changes
+
+- chore: upgrade dex to v2.30.2 (backport of #8237) (#8257)
+
 ## v2.2.3 (2022-01-18)
 
 - fix: Application exist panic when execute api call (#8188)
@@ -238,6 +687,117 @@ as there are no conflicts with other Kubernetes tools, and you can easily instal
 * Cluster name support in project destinations (#7198)
 * around 30 more features and a total of 84 bug fixes
 
+## v2.1.16 (2022-06-21)
+
+### Security fixes
+
+* CRITICAL: External URLs for Deployments can include javascript ([GHSA-h4w9-6x78-8vrj](https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj))
+* HIGH: Insecure entropy in PKCE/Oauth2/OIDC params ([GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v))
+* MODERATE: DoS through large directory app manifest files ([GHSA-jhqp-vf4w-rpwq](https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq))
+* MODERATE: Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server ([GHSA-q4w5-4gq2-98vm](https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm))
+
+**Note:** This will be the last security fix release in the 2.1.x series. Please [upgrade to a newer minor version](https://argo-cd.readthedocs.io/en/latest/operator-manual/upgrading/overview/) to continue to get security fixes.
+
+### Potentially-breaking changes
+
+From the [GHSA-2m7h-86qq-fp4v](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v) description:
+
+> The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production. It caps the maximum total file size of .yaml/.yml/.json files in directory-type (raw manifest) Applications. The default max is 10M per Application. This max is designed to keep any single app from consuming more than 3G of memory in the repo-server (manifests consume more space in memory than on disk). The 300x ratio assumes a maliciously-crafted manifest file. If you only want to protect against accidental excessive memory use, it is probably safe to use a smaller ratio.
+>
+> If your organization uses directory-type Applications with very many manifests or very large manifests then check the size of those manifests and tune the config parameter before deploying this change to production. When testing, make sure to do a "hard refresh" in either the CLI or UI to test your directory-type App. That will make sure you're using the new max logic instead of relying on cached manifest responses from Redis.
+
+### Bug fixes
+
+* fix: missing Helm params (#9565) (#9566)
+
+### Other
+
+* test: directory app manifest generation (#9503)
+* test: fix erroneous test change
+* chore: eliminate go-mpatch dependency (#9045)
+* chore: Make unit tests run on platforms other than amd64 (#8995)
+* chore: remove obsolete repo-server unit test (#9559)
+* chore: upgrade golangci-lint to v1.46.2 (#9448)
+* chore: update golangci-lint (#8988)
+* test: fix ErrorContains (#9445)
+
+## v2.1.15 (2022-05-18)
+
+### Notes
+
+This is a security release. We urge all users of the 2.1.z branch to update as soon as possible. Please refer to the _Security fixes_ section below for more details.
+
+### Security fixes
+
+- CRITICAL: Argo CD will trust invalid JWT claims if anonymous access is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj)
+- LOW: Login screen allows message spoofing if SSO is enabled (https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j)
+- MODERATE: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h)
+
+## v2.1.14 (2022-03-22)
+
+### Special notes
+
+This release contains the fix for a security issue with critical severity. We recommend users on the 2.1 release branch to update to this release as soon as possible.
+
+More information can be found in the related
+[security advisory](https://github.com/argoproj/argo-cd/security/advisories/GHSA-2f5v-8r3f-8pww).
+
+### Changes
+
+As part of the security fix, the Argo CD UI no longer automatically presents child resources of allow-listed resources unless the child resources are also allow-listed. For example, Pods are not going to show up if only Deployment is added to the allow-list.
+
+If you have [projects](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/) configured with allow-lists, make sure the allow-lists include all the resources you want users to be able to view/manage through the UI. For example, if your project allows `Deployments`, you would add `ReplicaSets` and `Pods`.
+
+#### Bug Fixes
+
+- fix: application resource APIs must enforce project restrictions
+
+## v2.1.13 (2022-03-22)
+
+Unused release number.
+
+## v2.1.12 (2022-03-08)
+
+### Bug Fixes
+
+- fix: correct jsonnet paths resolution (#8721)
+
+## v2.1.11 (2022-03-06)
+
+### Bug Fixes
+
+- fix: prevent file traversal using helm file values param and application details api (#8606)
+- fix!: enforce app create/update privileges when getting repo details (#8558)
+- feat: support custom helm values file schemes (#8535)
+
+## v2.1.10 (2022-02-04)
+
+### Bug Fixes
+
+- fix: Resolve symlinked value files correctly (#8387)
+
+## v2.1.9 (2022-02-03)
+
+### Special notes
+
+This release contains the fix for a security issue with high severity. We recommend users on the 2.1 release branch to update to this release as soon as possible.
+
+More information can be found in the related
+[security advisory](https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7)
+
+### Bug Fixes
+
+- fix: Prevent value files outside repository root
+
+## v2.1.8 (2021-12-13)
+
+### Bug Fixes
+
+- fix: issue with keepalive (#7861)
+- fix nil pointer dereference error (#7905)
+- fix: env vars to tune cluster cache were broken (#7779)
+- fix: upgraded gitops engine to v0.4.2 (fixes #7561)
+
 ## v2.1.7 (2021-12-14)
 
 - fix: issue with keepalive (#7861)
@@ -448,7 +1008,7 @@ resources, you will have to adapt your cluster resources allow lists to explicit
 ## v1.8.4 (2021-02-05)
 
 - feat: set X-XSS-Protection while serving static content (#5412)
-- fix: version info should be avaialble if anonymous access is enabled (#5422)
+- fix: version info should be available if anonymous access is enabled (#5422)
 - fix: disable jwt claim audience validation #5381 (#5413)
 - fix: /api/version should not return tools version for unauthenticated requests (#5415)
 - fix: account tokens should be rejected if required capability is disabled (#5414)

CODEOWNERS

@@ -0,0 +1,11 @@
+# All
+** @argoproj/argocd-approvers
+
+# Docs
+/docs/**    @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
+/USERS.md   @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
+/mkdocs.yml @argoproj/argocd-approvers @argoproj/argocd-approvers-docs
+
+# CI
+/.github/**       @argoproj/argocd-approvers @argoproj/argocd-approvers-ci
+/.goreleaser.yaml @argoproj/argocd-approvers @argoproj/argocd-approvers-ci

CONTRIBUTING.md

@@ -0,0 +1 @@
+Please refer to [the Contribution Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/code-contributions/)

Dockerfile

@@ -1,12 +1,12 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
+ARG BASE_IMAGE=docker.io/library/ubuntu:22.04@sha256:0bced47fffa3361afa981854fcabcd4577cd43cebbb808cea2b1f33a3dd7f508
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.18 AS builder
+FROM docker.io/library/golang:1.21.10@sha256:16438a8e66c0c984f732e815ee5b7d715b8e33e81bac6d6a3750b1067744e7ca AS builder
 
-RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
+RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
 RUN apt-get update && apt-get install --no-install-recommends -y \
     openssh-server \
@@ -36,12 +36,15 @@ RUN ./install.sh helm-linux && \
 ####################################################################################################
 FROM $BASE_IMAGE AS argocd-base
 
+LABEL org.opencontainers.image.source="https://github.com/argoproj/argo-cd"
+
 USER root
 
+ENV ARGOCD_USER_ID=999
 ENV DEBIAN_FRONTEND=noninteractive
 
-RUN groupadd -g 999 argocd && \
-    useradd -r -u 999 -g argocd argocd && \
+RUN groupadd -g $ARGOCD_USER_ID argocd && \
+    useradd -r -u $ARGOCD_USER_ID -g argocd argocd && \
     mkdir -p /home/argocd && \
     chown argocd:0 /home/argocd && \
     chmod g=u /home/argocd && \
@@ -74,13 +77,13 @@ RUN mkdir -p tls && \
 
 ENV USER=argocd
 
-USER 999
+USER $ARGOCD_USER_ID
 WORKDIR /home/argocd
 
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:12.18.4 AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:20.6.1@sha256:14bd39208dbc0eb171cbfb26ccb9ac09fa1b2eba04ccd528ab5d12983fd9ee24 AS argocd-ui
 
 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]
@@ -98,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.18 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21.10@sha256:16438a8e66c0c984f732e815ee5b7d715b8e33e81bac6d6a3750b1067744e7ca AS argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 
@@ -110,7 +113,18 @@ COPY . .
 COPY --from=argocd-ui /src/dist/app /go/src/github.com/argoproj/argo-cd/ui/dist/app
 ARG TARGETOS
 ARG TARGETARCH
-RUN GOOS=$TARGETOS GOARCH=$TARGETARCH make argocd-all
+# These build args are optional; if not specified the defaults will be taken from the Makefile
+ARG GIT_TAG
+ARG BUILD_DATE
+ARG GIT_TREE_STATE
+ARG GIT_COMMIT
+RUN GIT_COMMIT=$GIT_COMMIT \
+    GIT_TREE_STATE=$GIT_TREE_STATE \
+    GIT_TAG=$GIT_TAG \
+    BUILD_DATE=$BUILD_DATE \
+    GOOS=$TARGETOS \
+    GOARCH=$TARGETARCH \
+    make argocd-all
 
 ####################################################################################################
 # Final image
@@ -128,4 +142,5 @@ RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-applicationset-controller && \
     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-k8s-auth
 
-USER 999
+USER $ARGOCD_USER_ID
+ENTRYPOINT ["/usr/bin/tini", "--"]

Makefile

@@ -9,11 +9,13 @@ GEN_RESOURCES_CLI_NAME=argocd-resources-gen
 HOST_OS:=$(shell go env GOOS)
 HOST_ARCH:=$(shell go env GOARCH)
 
+TARGET_ARCH?=linux/amd64
+
 VERSION=$(shell cat ${CURRENT_DIR}/VERSION)
-BUILD_DATE=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
-GIT_COMMIT=$(shell git rev-parse HEAD)
-GIT_TAG=$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)
-GIT_TREE_STATE=$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
+BUILD_DATE:=$(if $(BUILD_DATE),$(BUILD_DATE),$(shell date -u +'%Y-%m-%dT%H:%M:%SZ'))
+GIT_COMMIT:=$(if $(GIT_COMMIT),$(GIT_COMMIT),$(shell git rev-parse HEAD))
+GIT_TAG:=$(if $(GIT_TAG),$(GIT_TAG),$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi))
+GIT_TREE_STATE:=$(if $(GIT_TREE_STATE),$(GIT_TREE_STATE),$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi))
 VOLUME_MOUNT=$(shell if test "$(go env GOOS)" = "darwin"; then echo ":delegated"; elif test selinuxenabled; then echo ":delegated"; else echo ""; fi)
 KUBECTL_VERSION=$(shell go list -m k8s.io/client-go | head -n 1 | rev | cut -d' ' -f1 | rev)
 
@@ -47,7 +49,7 @@ ARGOCD_E2E_DEX_PORT?=5556
 ARGOCD_E2E_YARN_HOST?=localhost
 ARGOCD_E2E_DISABLE_AUTH?=
 
-ARGOCD_E2E_TEST_TIMEOUT?=30m
+ARGOCD_E2E_TEST_TIMEOUT?=90m
 
 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
@@ -64,13 +66,20 @@ else
 DOCKER_SRC_MOUNT="$(PWD):/go/src/github.com/argoproj/argo-cd$(VOLUME_MOUNT)"
 endif
 
+# User and group IDs to map to the test container
+CONTAINER_UID=$(shell id -u)
+CONTAINER_GID=$(shell id -g)
+
+# Set SUDO to sudo to run privileged commands with sudo
+SUDO?=
+
 # Runs any command in the argocd-test-utils container in server mode
 # Server mode container will start with uid 0 and drop privileges during runtime
 define run-in-test-server
-	docker run --rm -it \
+	$(SUDO) docker run --rm -it \
 		--name argocd-test-server \
-		-u $(shell id -u):$(shell id -g) \
-		-e USER_ID=$(shell id -u) \
+		-u $(CONTAINER_UID):$(CONTAINER_GID) \
+		-e USER_ID=$(CONTAINER_UID) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e GOCACHE=/tmp/go-build-cache \
@@ -81,6 +90,8 @@ define run-in-test-server
 		-e ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} \
 		-e ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} \
 		-e ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} \
+		-e ARGOCD_APPLICATION_NAMESPACES \
+		-e GITHUB_TOKEN \
 		-v ${DOCKER_SRC_MOUNT} \
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
@@ -96,12 +107,13 @@ endef
 
 # Runs any command in the argocd-test-utils container in client mode
 define run-in-test-client
-	docker run --rm -it \
+	$(SUDO) docker run --rm -it \
 	  --name argocd-test-client \
-		-u $(shell id -u):$(shell id -g) \
+		-u $(CONTAINER_UID):$(CONTAINER_GID) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) \
+		-e GITHUB_TOKEN \
 		-e GOCACHE=/tmp/go-build-cache \
 		-e ARGOCD_LINT_GOGC=$(ARGOCD_LINT_GOGC) \
 		-v ${DOCKER_SRC_MOUNT} \
@@ -116,7 +128,7 @@ endef
 
 #
 define exec-in-test-server
-	docker exec -it -u $(shell id -u):$(shell id -g) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
+	$(SUDO) docker exec -it -u $(CONTAINER_UID):$(CONTAINER_GID) -e ARGOCD_E2E_RECORD=$(ARGOCD_E2E_RECORD) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
 endef
 
 PATH:=$(PATH):$(PWD)/hack
@@ -136,7 +148,8 @@ override LDFLAGS += \
   -X ${PACKAGE}.buildDate=${BUILD_DATE} \
   -X ${PACKAGE}.gitCommit=${GIT_COMMIT} \
   -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}\
-  -X ${PACKAGE}.kubectlVersion=${KUBECTL_VERSION}
+  -X ${PACKAGE}.kubectlVersion=${KUBECTL_VERSION}\
+  -X "${PACKAGE}.extraBuildInfo=${EXTRA_BUILD_INFO}"
 
 ifeq (${STATIC_BUILD}, true)
 override LDFLAGS += -extldflags "-static"
@@ -209,7 +222,7 @@ clidocsgen: ensure-gopath
 
 
 .PHONY: codegen-local
-codegen-local: ensure-gopath mod-vendor-local notification-docs notification-catalog gogen protogen clientgen openapigen clidocsgen manifests-local
+codegen-local: ensure-gopath mod-vendor-local gogen protogen clientgen openapigen clidocsgen manifests-local notification-docs notification-catalog
 	rm -rf vendor/
 
 .PHONY: codegen
@@ -222,11 +235,11 @@ cli: test-tools-image
 
 .PHONY: cli-local
 cli-local: clean-debug
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
 
 .PHONY: gen-resources-cli-local
 gen-resources-cli-local: clean-debug
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${GEN_RESOURCES_CLI_NAME} ./hack/gen-resources/cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${GEN_RESOURCES_CLI_NAME} ./hack/gen-resources/cmd
 
 .PHONY: release-cli
 release-cli: clean-debug build-ui
@@ -240,8 +253,10 @@ release-cli: clean-debug build-ui
 
 .PHONY: test-tools-image
 test-tools-image:
-	docker build --build-arg UID=$(shell id -u) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
-	docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
+ifndef SKIP_TEST_TOOLS_IMAGE
+	$(SUDO) docker build --build-arg UID=$(CONTAINER_UID) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
+	$(SUDO) docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
+endif
 
 .PHONY: manifests-local
 manifests-local:
@@ -254,23 +269,23 @@ manifests: test-tools-image
 # consolidated binary for cli, util, server, repo-server, controller
 .PHONY: argocd-all
 argocd-all: clean-debug
-	CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
+	CGO_ENABLED=0 GOOS=${GOOS} GOARCH=${GOARCH} GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
 
 .PHONY: server
 server: clean-debug
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd
 
 .PHONY: repo-server
 repo-server:
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd
 
 .PHONY: controller
 controller:
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd
+	CGO_ENABLED=0 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd
 
 .PHONY: build-ui
 build-ui:
-	DOCKER_BUILDKIT=1 docker build -t argocd-ui --target argocd-ui .
+	DOCKER_BUILDKIT=1 docker build -t argocd-ui --platform=$(TARGET_ARCH) --target argocd-ui .
 	find ./ui/dist -type f -not -name gitkeep -delete
 	docker run -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'
 
@@ -281,18 +296,18 @@ ifeq ($(DEV_IMAGE), true)
 # the dist directory is under .dockerignore.
 IMAGE_TAG="dev-$(shell git describe --always --dirty)"
 image: build-ui
-	DOCKER_BUILDKIT=1 docker build -t argocd-base --target argocd-base .
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
+	DOCKER_BUILDKIT=1 docker build --platform=$(TARGET_ARCH) -t argocd-base --target argocd-base .
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-application-controller
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-repo-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-cmp-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-dex
 	cp Dockerfile.dev dist
-	docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
+	DOCKER_BUILDKIT=1 docker build --platform=$(TARGET_ARCH) -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
 else
 image:
-	DOCKER_BUILDKIT=1 docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) .
+	DOCKER_BUILDKIT=1 docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) --platform=$(TARGET_ARCH) .
 endif
 	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) ; fi
 
@@ -321,7 +336,7 @@ mod-vendor: test-tools-image
 mod-vendor-local: mod-download-local
 	go mod vendor
 
-# Deprecated - replace by install-local-tools
+# Deprecated - replace by install-tools-local
 .PHONY: install-lint-tools
 install-lint-tools:
 	./hack/install.sh lint-tools
@@ -337,7 +352,7 @@ lint-local:
 	golangci-lint --version
 	# NOTE: If you get a "Killed" OOM message, try reducing the value of GOGC
 	# See https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
-	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --fix --verbose --timeout 300s
+	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --enable gofmt --fix --verbose --timeout 3000s --max-issues-per-linter 0 --max-same-issues 0
 
 .PHONY: lint-ui
 lint-ui: test-tools-image
@@ -356,7 +371,7 @@ build: test-tools-image
 # Build all Go code (local version)
 .PHONY: build-local
 build-local:
-	go build -v `go list ./... | grep -v 'resource_customizations\|test/e2e'`
+	GODEBUG="tarinsecurepath=0,zipinsecurepath=0" go build -v `go list ./... | grep -v 'resource_customizations\|test/e2e'`
 
 # Run all unit tests
 #
@@ -371,9 +386,9 @@ test: test-tools-image
 .PHONY: test-local
 test-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		./hack/test.sh -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -coverprofile=coverage.out; \
 	else \
-		./hack/test.sh -coverprofile=coverage.out "$(TEST_MODULE)"; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -coverprofile=coverage.out "$(TEST_MODULE)"; \
 	fi
 
 .PHONY: test-race
@@ -385,9 +400,9 @@ test-race: test-tools-image
 .PHONY: test-race-local
 test-race-local:
 	if test "$(TEST_MODULE)" = ""; then \
-		./hack/test.sh -race -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -race -coverprofile=coverage.out; \
 	else \
-		./hack/test.sh -race -coverprofile=coverage.out "$(TEST_MODULE)"; \
+		DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES="$(TEST_MODULE)" ./hack/test.sh -race -coverprofile=coverage.out; \
 	fi
 
 # Run the E2E test suite. E2E test servers (see start-e2e target) must be
@@ -401,7 +416,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v ./test/e2e
+	DIST_DIR=${DIST_DIR} RERUN_FAILS=5 PACKAGES="./test/e2e" ARGOCD_E2E_RECORD=${ARGOCD_E2E_RECORD} ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v
 
 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@@ -422,6 +437,8 @@ start-e2e: test-tools-image
 .PHONY: start-e2e-local
 start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	kubectl create ns argocd-e2e || true
+	kubectl create ns argocd-e2e-external || true
+	kubectl create ns argocd-e2e-external-2 || true
 	kubectl config set-context --current --namespace=argocd-e2e
 	kustomize build test/manifests/base | kubectl apply -f -
 	kubectl apply -f https://raw.githubusercontent.com/open-cluster-management/api/a6845f2ebcb186ec26b832f60c988537a58f3859/cluster/v1alpha1/0000_04_clusters.open-cluster-management.io_placementdecisions.crd.yaml
@@ -442,13 +459,16 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
 	BIN_MODE=$(ARGOCD_BIN_MODE) \
+	ARGOCD_APPLICATION_NAMESPACES=argocd-e2e-external,argocd-e2e-external-2 \
+	ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES=argocd-e2e-external,argocd-e2e-external-2 \
+	ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS=http://127.0.0.1:8341,http://127.0.0.1:8342,http://127.0.0.1:8343,http://127.0.0.1:8344 \
 	ARGOCD_E2E_TEST=true \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 
 # Cleans VSCode debug.test files from sub-dirs to prevent them from being included in by golang embed
 .PHONY: clean-debug
 clean-debug:
-	-find ${CURRENT_DIR} -name debug.test | xargs rm -f
+	-find ${CURRENT_DIR} -name debug.test -exec rm -f {} +
 
 .PHONY: clean
 clean: clean-debug
@@ -461,7 +481,7 @@ start: test-tools-image
 
 # Starts a local instance of ArgoCD
 .PHONY: start-local
-start-local: mod-vendor-local dep-ui-local
+start-local: mod-vendor-local dep-ui-local cli-local
 	# check we can connect to Docker to start Redis
 	killall goreman || true
 	kubectl create ns argocd || true
@@ -472,7 +492,9 @@ start-local: mod-vendor-local dep-ui-local
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=false \
 	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
+	BIN_MODE=$(ARGOCD_BIN_MODE) \
 	ARGOCD_E2E_TEST=false \
+	ARGOCD_APPLICATION_NAMESPACES=$(ARGOCD_APPLICATION_NAMESPACES) \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 
 # Run goreman start with exclude option , provide exclude env variable with list of services
@@ -504,7 +526,7 @@ build-docs-local:
 
 .PHONY: build-docs
 build-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} build
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs build'
 
 .PHONY: serve-docs-local
 serve-docs-local:
@@ -512,7 +534,7 @@ serve-docs-local:
 
 .PHONY: serve-docs
 serve-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} serve -a 0.0.0.0:8000
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}/site:/site -w /site --entrypoint "" ${MKDOCS_DOCKER_IMAGE} python3 -m http.server --bind 0.0.0.0 8000
 
 
 # Verify that kubectl can connect to your K8s cluster from Docker
@@ -537,6 +559,7 @@ install-tools-local: install-test-tools-local install-codegen-tools-local instal
 install-test-tools-local:
 	./hack/install.sh kustomize
 	./hack/install.sh helm-linux
+	./hack/install.sh gotestsum
 
 # Installs all tools required for running codegen (Linux packages)
 .PHONY: install-codegen-tools-local
@@ -564,8 +587,72 @@ list:
 
 .PHONY: applicationset-controller
 applicationset-controller:
-	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-applicationset-controller ./cmd
+	GODEBUG="tarinsecurepath=0,zipinsecurepath=0" CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-applicationset-controller ./cmd
 
 .PHONY: checksums
 checksums:
 	sha256sum ./dist/$(BIN_NAME)-* | awk -F './dist/' '{print $$1 $$2}' > ./dist/$(BIN_NAME)-$(TARGET_VERSION)-checksums.txt
+
+.PHONY: snyk-container-tests
+snyk-container-tests:
+	./hack/snyk-container-tests.sh
+
+.PHONY: snyk-non-container-tests
+snyk-non-container-tests:
+	./hack/snyk-non-container-tests.sh
+
+.PHONY: snyk-report
+snyk-report:
+	./hack/snyk-report.sh $(target_branch)
+
+.PHONY: help
+help:
+	@echo 'Note: Generally an item w/ (-local) will run inside docker unless you use the -local variant'
+	@echo
+	@echo 'Common targets'
+	@echo
+	@echo 'all -- make cli and image'
+	@echo
+	@echo 'components:'
+	@echo '  applicationset-controller -- applicationset controller'
+	@echo '  cli(-local)               -- argocd cli program'
+	@echo '  controller                -- controller (orchestrator)'
+	@echo '  repo-server               -- repo server (manage repository instances)'
+	@echo '  server                    -- argocd web application'
+	@echo
+	@echo 'build:'
+	@echo '  image                     -- make image of the following items'
+	@echo '  build(-local)             -- compile go'
+	@echo '  build-docs(-local)        -- build docs'
+	@echo '  build-ui                  -- compile typescript'
+	@echo
+	@echo 'run:'
+	@echo '  run                       -- run the components locally'
+	@echo '  serve-docs(-local)        -- expose the documents for viewing in a browser'
+	@echo
+	@echo 'release:'
+	@echo '  release-cli'
+	@echo '  release-precheck'
+	@echo '  checksums'
+	@echo
+	@echo 'docs:'
+	@echo '  build-docs(-local)'
+	@echo '  serve-docs(-local)'
+	@echo '  notification-docs'
+	@echo '  clidocsgen'
+	@echo
+	@echo 'testing:'
+	@echo '  test(-local)'
+	@echo '  start-e2e(-local)'
+	@echo '  test-e2e(-local)'
+	@echo '  test-race(-local)'
+	@echo
+	@echo 'debug:'
+	@echo '  list -- list all make targets'
+	@echo '  install-tools-local -- install all the tools below'
+	@echo '  install-lint-tools(-local)'
+	@echo
+	@echo 'codegen:'
+	@echo '  codegen(-local) -- if using -local, run the following targets first'
+	@echo '  install-codegen-tools-local -- run this to install the codegen tools'
+	@echo '  install-go-tools-local -- run this to install go libraries for codegen'

OWNERS

@@ -5,6 +5,7 @@ owners:
 approvers:
 - alexec
 - alexmt
+- gdsoumya
 - jannfis
 - jessesuen
 - jgwest
@@ -27,3 +28,6 @@ reviewers:
 - wanghong230
 - ciiay
 - saumeya
+- zachaller
+- 34fathombelow
+- alexef

Procfile

@@ -1,12 +1,13 @@
-controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
-api-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
-dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.30.2 dex serve /dex.yaml"
-redis: bash -c "if [ \"$ARGOCD_REDIS_LOCAL\" == 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:7.0.0-alpine --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
-repo-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
-cmp-server: [ "$ARGOCD_E2E_TEST" == 'true' ] && exit 0 || [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'}"
+api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
+dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
+redis: bash -c "if [ \"$ARGOCD_REDIS_LOCAL\" = 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} docker.io/library/redis:$(grep "image: redis" manifests/base/redis/argocd-redis-deployment.yaml | cut -d':' -f3) --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
+repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"
+cmp-server: [ "$ARGOCD_E2E_TEST" = 'true' ] && exit 0 || [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-cmp-server ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp} $COMMAND --config-dir-path ./test/cmp --loglevel debug --otlp-address=${ARGOCD_OTLP_ADDRESS}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
 helm-registry: test/fixture/testrepos/start-helm-registry.sh
 dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
-applicationset-controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_ASK_PASS_SOCK=/tmp/applicationset-ask-pass.sock ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-notification: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug"
+applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+notification: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications $COMMAND --loglevel debug --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --self-service-notification-enabled=${ARGOCD_NOTIFICATION_CONTROLLER_SELF_SERVICE_NOTIFICATION_ENABLED:-'false'}"
+

README.md

@@ -1,4 +1,18 @@
-[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22) [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack) [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd) [![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486) [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+**Releases:**
+[![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo-cd)](https://artifacthub.io/packages/helm/argo/argo-cd)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev)
+
+**Code:** 
+[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22)
+[![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd/badge)](https://api.securityscorecards.dev/projects/github.com/argoproj/argo-cd)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd?ref=badge_shield)
+
+**Social:**
+[![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+[![Slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
 
 # Argo CD - Declarative Continuous Delivery for Kubernetes
 
@@ -42,7 +56,7 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 ### Blogs and Presentations
 
 1. [Awesome-Argo: A Curated List of Awesome Projects and Resources Related to Argo](https://github.com/terrytangyuan/awesome-argo)
-1. [Unveil the Secret Ingredients of Continuous Delivery at Enterprise Scale with Argo CD](https://blog.akuity.io/unveil-the-secret-ingredients-of-continuous-delivery-at-enterprise-scale-with-argo-cd-7c5b4057ee49)
+1. [Unveil the Secret Ingredients of Continuous Delivery at Enterprise Scale with Argo CD](https://akuity.io/blog/unveil-the-secret-ingredients-of-continuous-delivery-at-enterprise-scale-with-argocd-kubecon-china-2021/)
 1. [GitOps Without Pipelines With ArgoCD Image Updater](https://youtu.be/avPUQin9kzU)
 1. [Combining Argo CD (GitOps), Crossplane (Control Plane), And KubeVela (OAM)](https://youtu.be/eEcgn_gU3SM)
 1. [How to Apply GitOps to Everything - Combining Argo CD and Crossplane](https://youtu.be/yrj4lmScKHQ)
@@ -68,7 +82,7 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 1. [Applied GitOps with Argo CD](https://thenewstack.io/applied-gitops-with-argocd/)
 1. [Solving configuration drift using GitOps with Argo CD](https://www.cncf.io/blog/2020/12/17/solving-configuration-drift-using-gitops-with-argo-cd/)
 1. [Decentralized GitOps over environments](https://blogs.sap.com/2021/05/06/decentralized-gitops-over-environments/)
-1. [How GitOps and Operators mark the rise of Infrastructure-As-Software](https://paytmlabs.com/blog/2021/10/how-to-improve-operational-work-with-operators-and-gitops/)
 1. [Getting Started with ArgoCD for GitOps Deployments](https://youtu.be/AvLuplh1skA)
 1. [Using Argo CD & Datree for Stable Kubernetes CI/CD Deployments](https://youtu.be/17894DTru2Y)
+1. [How to create Argo CD Applications Automatically using ApplicationSet? "Automation of GitOps"](https://amralaayassen.medium.com/how-to-create-argocd-applications-automatically-using-applicationset-automation-of-the-gitops-59455eaf4f72)
 

SECURITY-INSIGHTS.yml

@@ -0,0 +1,128 @@
+header:
+  schema-version: 1.0.0
+  expiration-date: '2024-10-31T00:00:00.000Z' # One year from initial release.
+  last-updated: '2023-10-27'
+  last-reviewed: '2023-10-27'
+  commit-hash: b71277c6beb949d0199d647a582bc25822b88838
+  project-url: https://github.com/argoproj/argo-cd
+  project-release: v2.9.0-rc3
+  changelog: https://github.com/argoproj/argo-cd/releases
+  license: https://github.com/argoproj/argo-cd/blob/master/LICENSE
+project-lifecycle:
+  status: active
+  roadmap: https://github.com/orgs/argoproj/projects/25
+  bug-fixes-only: false
+  core-maintainers:
+    - https://github.com/argoproj/argoproj/blob/master/MAINTAINERS.md
+  release-cycle: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/
+  release-process: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#release-process
+contribution-policy:
+  accepts-pull-requests: true
+  accepts-automated-pull-requests: true
+  automated-tools-list:
+    - automated-tool: dependabot
+      action: allowed
+      path:
+        - /
+    - automated-tool: snyk-report
+      action: allowed
+      path:
+        - docs/snyk
+      comment: |
+        This tool runs Snyk and generates a report of vulnerabilities in the project's dependencies. The report is 
+        placed in the project's documentation. The workflow is defined here:
+        https://github.com/argoproj/argo-cd/blob/master/.github/workflows/update-snyk.yaml
+  contributing-policy: https://argo-cd.readthedocs.io/en/stable/developer-guide/code-contributions/
+  code-of-conduct: https://github.com/cncf/foundation/blob/master/code-of-conduct.md
+documentation:
+  - https://argo-cd.readthedocs.io/
+distribution-points:
+  - https://github.com/argoproj/argo-cd/releases
+  - https://quay.io/repository/argoproj/argocd
+security-artifacts:
+  threat-model:
+    threat-model-created: true
+    evidence-url:
+      - https://github.com/argoproj/argoproj/blob/master/docs/argo_threat_model.pdf
+      - https://github.com/argoproj/argoproj/blob/master/docs/end_user_threat_model.pdf
+  self-assessment:
+    self-assessment-created: false
+    comment: |
+      An extensive self-assessment was performed for CNCF graduation. Because the self-assessment process was evolving
+      at the time, no standardized document has been published.
+security-testing:
+  - tool-type: sca
+    tool-name: Dependabot
+    tool-version: "2"
+    tool-url: https://github.com/dependabot
+    integration:
+      ad-hoc: false
+      ci: false
+      before-release: false
+    tool-rulesets:
+      - https://github.com/argoproj/argo-cd/blob/master/.github/dependabot.yml
+  - tool-type: sca
+    tool-name: Snyk
+    tool-version: latest
+    tool-url: https://snyk.io/
+    integration:
+      ad-hoc: true
+      ci: true
+      before-release: false
+  - tool-type: sast
+    tool-name: CodeQL
+    tool-version: latest
+    tool-url: https://codeql.github.com/
+    integration:
+      ad-hoc: false
+      ci: true
+      before-release: false
+    comment: |
+      We use the default configuration with the latest version.
+security-assessments:
+  - auditor-name: Trail of Bits
+    auditor-url: https://trailofbits.com
+    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/argo_security_final_report.pdf
+    report-year: 2021
+  - auditor-name: Ada Logics
+    auditor-url: https://adalogics.com
+    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/argo_security_audit_2022.pdf
+    report-year: 2022
+  - auditor-name: Ada Logics
+    auditor-url: https://adalogics.com
+    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/audit_fuzzer_adalogics_2022.pdf
+    report-year: 2022
+    comment: |
+      Part of the audit was performed by Ada Logics, focussed on fuzzing.
+  - auditor-name: Chainguard
+    auditor-url: https://chainguard.dev
+    auditor-report: https://github.com/argoproj/argoproj/blob/master/docs/software_supply_chain_slsa_assessment_chainguard_2023.pdf
+    report-year: 2023
+    comment: |
+      Confirmed the project's release process as achieving SLSA (v0.1) level 3.
+security-contacts:
+  - type: email
+    value: cncf-argo-security@lists.cncf.io
+    primary: true
+vulnerability-reporting:
+  accepts-vulnerability-reports: true
+  email-contact: cncf-argo-security@lists.cncf.io
+  security-policy: https://github.com/argoproj/argo-cd/security/policy
+  bug-bounty-available: true
+  bug-bounty-url: https://hackerone.com/ibb/policy_scopes
+  out-scope:
+    - vulnerable and outdated components # See https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#a-word-about-security-scanners
+    - security logging and monitoring failures
+dependencies:
+  third-party-packages: true
+  dependencies-lists:
+    - https://github.com/argoproj/argo-cd/blob/master/go.mod
+    - https://github.com/argoproj/argo-cd/blob/master/Dockerfile
+    - https://github.com/argoproj/argo-cd/blob/master/ui/package.json
+  sbom:
+    - sbom-file: https://github.com/argoproj/argo-cd/releases # Every release's assets include SBOMs.
+      sbom-format: SPDX
+  dependencies-lifecycle:
+    policy-url: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#dependencies-lifecycle-policy
+  env-dependencies-policy:
+    policy-url: https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/#dependencies-lifecycle-policy

SECURITY.md

@@ -1,6 +1,6 @@
 # Security Policy for Argo CD
 
-Version: **v1.4 (2022-01-23)**
+Version: **v1.5 (2023-03-06)**
 
 ## Preface
 
@@ -35,13 +35,11 @@ impact on Argo CD before opening an issue at least roughly.
 
 ## Supported Versions
 
-We currently support the most recent release (`N`, e.g. `1.8`) and the release
-previous to the most recent one (`N-1`, e.g. `1.7`). With the release of
-`N+1`, `N-1` drops out of support and `N` becomes `N-1`.
+We currently support the last 3 minor versions of Argo CD with security and bug fixes.
 
 We regularly perform patch releases (e.g. `1.8.5` and `1.7.12`) for the
 supported versions, which will contain fixes for security vulnerabilities and
-important bugs. Prior releases might receive critical security fixes on a best
+important bugs. Prior releases might receive critical security fixes on best
 effort basis, however, it cannot be guaranteed that security fixes get
 back-ported to these unsupported versions.
 
@@ -52,7 +50,7 @@ of releasing it within a patch branch for the currently supported releases.
 
 ## Reporting a Vulnerability
 
-If you find a security related bug in ArgoCD, we kindly ask you for responsible
+If you find a security related bug in Argo CD, we kindly ask you for responsible
 disclosure and for giving us appropriate time to react, analyze and develop a
 fix to mitigate the found security vulnerability.
 
@@ -61,13 +59,28 @@ and disclosure with you. Sometimes, it might take a little longer for us to
 react (e.g. out of office conditions), so please bear with us in these cases.
 
 We will publish security advisories using the
-[Git Hub Security Advisories](https://github.com/argoproj/argo-cd/security/advisories)
-feature to keep our community well informed, and will credit you for your
+[GitHub Security Advisories](https://github.com/argoproj/argo-cd/security/advisories)
+feature to keep our community well-informed, and will credit you for your
 findings (unless you prefer to stay anonymous, of course).
 
-Please report vulnerabilities by e-mail to the following address:
+There are two ways to report a vulnerability to the Argo CD team:
 
-* cncf-argo-security@lists.cncf.io
+* By opening a draft GitHub security advisory: https://github.com/argoproj/argo-cd/security/advisories/new
+* By e-mail to the following address: cncf-argo-security@lists.cncf.io
+
+## Internet Bug Bounty collaboration
+
+We're happy to announce that the Argo project is collaborating with the great
+folks over at
+[Hacker One](https://hackerone.com/) and their
+[Internet Bug Bounty program](https://hackerone.com/ibb)
+to reward the awesome people who find security vulnerabilities in the four
+main Argo projects (CD, Events, Rollouts and Workflows) and then work with
+us to fix and disclose them in a responsible manner.
+
+If you report a vulnerability to us as outlined in this security policy, we
+will work together with you to find out whether your finding is eligible for
+claiming a bounty, and also on how to claim it.
 
 ## Securing your Argo CD Instance
 

SECURITY_CONTACTS

@@ -1,7 +1,7 @@
 # Defined below are the security contacts for this repo.
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
-# INSTRUCTIONS AT https://argo-cd.readthedocs.io/en/latest/security_considerations/#reporting-vulnerabilities
+# INSTRUCTIONS AT https://github.com/argoproj/argo-cd/security/policy
 
 alexmt
 edlee2121

USERS.md

@@ -1,24 +1,34 @@
 ## Who uses Argo CD?
 
-As the Argo Community grows, we'd like to keep track of our users. Please send a PR with your organization name if you are using Argo CD.
+As the Argo Community grows, we'd like to keep track of our users. Please send a
+PR with your organization name if you are using Argo CD.
 
 Currently, the following organizations are **officially** using Argo CD:
 
 1. [127Labs](https://127labs.com/)
 1. [3Rein](https://www.3rein.com/)
+1. [4data](https://4data.ch/)
 1. [7shifts](https://www.7shifts.com/)
 1. [Adevinta](https://www.adevinta.com/)
+1. [Adfinis](https://adfinis.com)
 1. [Adventure](https://jp.adventurekk.com/)
+1. [Adyen](https://www.adyen.com)
+1. [AirQo](https://airqo.net/)
 1. [Akuity](https://akuity.io/)
+1. [Albert Heijn](https://ah.nl/)
 1. [Alibaba Group](https://www.alibabagroup.com/)
 1. [Allianz Direct](https://www.allianzdirect.de/)
+1. [Amadeus IT Group](https://amadeus.com/)
 1. [Ambassador Labs](https://www.getambassador.io/)
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [Ant Group](https://www.antgroup.com/)
 1. [AppDirect](https://www.appdirect.com)
 1. [Arctiq Inc.](https://www.arctiq.ca)
-1. [ARZ Allgemeines Rechenzentrum GmbH ](https://www.arz.at/)
+1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/)
+1. [Autodesk](https://www.autodesk.com)
+1. [Axians ACSP](https://www.axians.fr)
 1. [Axual B.V.](https://axual.com)
+1. [Back Market](https://www.backmarket.com)
 1. [Baloise](https://www.baloise.com)
 1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
 1. [Beat](https://thebeat.co/en/)
@@ -29,77 +39,130 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [BMW Group](https://www.bmwgroup.com/)
 1. [Boozt](https://www.booztgroup.com/)
 1. [Boticario](https://www.boticario.com.br/)
+1. [Bulder Bank](https://bulderbank.no)
+1. [CAM](https://cam-inc.co.jp)
 1. [Camptocamp](https://camptocamp.com)
+1. [Candis](https://www.candis.io)
 1. [Capital One](https://www.capitalone.com)
 1. [CARFAX](https://www.carfax.com)
+1. [CARFAX Europe](https://www.carfax.eu)
+1. [Carrefour Group](https://www.carrefour.com)
 1. [Casavo](https://casavo.com)
 1. [Celonis](https://www.celonis.com/)
+1. [CERN](https://home.cern/)
 1. [Chargetrip](https://chargetrip.com)
+1. [Chainnodes](https://chainnodes.org)
 1. [Chime](https://www.chime.com)
 1. [Cisco ET&I](https://eti.cisco.com/)
+1. [Cloud Posse](https://www.cloudposse.com/)
+1. [Cloud Scale](https://cloudscaleinc.com/)
+1. [Cloudmate](https://cloudmt.co.kr/)
+1. [Cloudogu](https://cloudogu.com/)
 1. [Cobalt](https://www.cobalt.io/)
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
 1. [Commonbond](https://commonbond.co/)
-1. [CROZ d.o.o.](https://croz.net/)
+1. [Coralogix](https://coralogix.com/)
 1. [Crédit Agricole CIB](https://www.ca-cib.com)
+1. [CROZ d.o.o.](https://croz.net/)
 1. [CyberAgent](https://www.cyberagent.co.jp/en/)
 1. [Cybozu](https://cybozu-global.com)
 1. [D2iQ](https://www.d2iq.com)
+1. [DaoCloud](https://daocloud.io/)
 1. [Datarisk](https://www.datarisk.io/)
 1. [Deloitte](https://www.deloitte.com/)
+1. [Deutsche Telekom AG](https://telekom.com)
 1. [Devopsi - Poland Software/DevOps Consulting](https://devopsi.pl/)
 1. [Devtron Labs](https://github.com/devtron-labs/devtron)
+1. [DigitalOcean](https://www.digitalocean.com)
+1. [Divistant](https://divistant.com)
+1. [Dott](https://ridedott.com)
+1. [Doximity](https://www.doximity.com/)
 1. [EDF Renewables](https://www.edf-re.com/)
 1. [edX](https://edx.org)
-1. [Electronic Arts Inc. ](https://www.ea.com)
+1. [Elastic](https://elastic.co/)
+1. [Electronic Arts Inc.](https://www.ea.com)
+1. [Elementor](https://elementor.com/)
 1. [Elium](https://www.elium.com)
 1. [END.](https://www.endclothing.com/)
 1. [Energisme](https://energisme.com/)
+1. [enigmo](https://enigmo.co.jp/)
+1. [Envoy](https://envoy.com/)
+1. [Factorial](https://factorialhr.com/)
+1. [Farfetch](https://www.farfetch.com)
 1. [Faro](https://www.faro.com/)
 1. [Fave](https://myfave.com)
+1. [Flexport](https://www.flexport.com/)
 1. [Flip](https://flip.id)
 1. [Fonoa](https://www.fonoa.com/)
+1. [Fortra](https://www.fortra.com)
 1. [freee](https://corp.freee.co.jp/en/company/)
+1. [Freshop, Inc](https://www.freshop.com/)
 1. [Future PLC](https://www.futureplc.com/)
 1. [G DATA CyberDefense AG](https://www.gdata-software.com/)
 1. [Garner](https://www.garnercorp.com)
 1. [Generali Deutschland AG](https://www.generali.de/)
+1. [Gepardec](https://gepardec.com/)
+1. [GetYourGuide](https://www.getyourguide.com/)
 1. [Gitpod](https://www.gitpod.io)
 1. [Gllue](https://gllue.com)
+1. [gloat](https://gloat.com/)
+1. [GLOBIS](https://globis.com)
 1. [Glovo](https://www.glovoapp.com)
+1. [GlueOps](https://glueops.dev)
 1. [GMETRI](https://gmetri.com/)
 1. [Gojek](https://www.gojek.io/)
+1. [GoTo](https://www.goto.com/)
+1. [GoTo Financial](https://gotofinancial.com/)
 1. [Greenpass](https://www.greenpass.com.br/)
+1. [Gridfuse](https://gridfuse.com/)
+1. [Groww](https://groww.in)
+1. [Grupo MasMovil](https://grupomasmovil.com/en/)
 1. [Handelsbanken](https://www.handelsbanken.se)
 1. [Healy](https://www.healyworld.net)
 1. [Helio](https://helio.exchange)
+1. [Hetki](https://hetki.ai)
 1. [hipages](https://hipages.com.au/)
 1. [Hiya](https://hiya.com)
 1. [Honestbank](https://honestbank.com)
+1. [Hostinger](https://www.hostinger.com)
 1. [IBM](https://www.ibm.com/)
 1. [Ibotta](https://home.ibotta.com)
 1. [IITS-Consulting](https://iits-consulting.de)
 1. [imaware](https://imaware.health)
+1. [Indeed](https://indeed.com)
 1. [Index Exchange](https://www.indexexchange.com/)
+1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Intuit](https://www.intuit.com/)
+1. [Jellysmack](https://www.jellysmack.com)
 1. [Joblift](https://joblift.com/)
 1. [JovianX](https://www.jovianx.com/)
 1. [Kaltura](https://corp.kaltura.com/)
-1. [KarrotPay](https://www.daangnpay.com/)
+1. [Kandji](https://www.kandji.io/)
 1. [Karrot](https://www.daangn.com/)
+1. [KarrotPay](https://www.daangnpay.com/)
 1. [Kasa](https://kasa.co.kr/)
 1. [Keeeb](https://www.keeeb.com/)
+1. [KelkooGroup](https://www.kelkoogroup.com)
 1. [Keptn](https://keptn.sh)
 1. [Kinguin](https://www.kinguin.net/)
 1. [KintoHub](https://www.kintohub.com/)
 1. [KompiTech GmbH](https://www.kompitech.com/)
+1. [Kong Inc.](https://konghq.com/)
+1. [KPMG](https://kpmg.com/uk)
 1. [KubeSphere](https://github.com/kubesphere)
+1. [Kurly](https://www.kurly.com/)
+1. [Kvist](https://kvistsolutions.com)
 1. [LexisNexis](https://www.lexisnexis.com/)
+1. [Lian Chu Securities](https://lczq.com)
+1. [Liatrio](https://www.liatrio.com)
 1. [Lightricks](https://www.lightricks.com/)
 1. [LINE](https://linecorp.com/en/)
+1. [Loom](https://www.loom.com/)
+1. [Lucid Motors](https://www.lucidmotors.com/)
 1. [Lytt](https://www.lytt.co/)
+1. [Magic Leap](https://www.magicleap.com/)
 1. [Majid Al Futtaim](https://www.majidalfuttaim.com/)
 1. [Major League Baseball](https://mlb.com)
 1. [Mambu](https://www.mambu.com/)
@@ -107,59 +170,106 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Mattermost](https://www.mattermost.com)
 1. [Max Kelsen](https://www.maxkelsen.com/)
 1. [MeDirect](https://medirect.com.mt/)
+1. [Meican](https://meican.com/)
+1. [Meilleurs Agents](https://www.meilleursagents.com/)
+1. [Mercedes-Benz Tech Innovation](https://www.mercedes-benz-techinnovation.com/)
+1. [Mercedes-Benz.io](https://www.mercedes-benz.io/)
 1. [Metanet](http://www.metanet.co.kr/en/)
 1. [MindSpore](https://mindspore.cn)
 1. [Mirantis](https://mirantis.com/)
+1. [Mission Lane](https://missionlane.com)
 1. [mixi Group](https://mixi.co.jp/)
 1. [Moengage](https://www.moengage.com/)
 1. [Money Forward](https://corp.moneyforward.com/en/)
 1. [MOO Print](https://www.moo.com/)
 1. [MTN Group](https://www.mtn.com/)
 1. [Natura &Co](https://naturaeco.com/)
+1. [Nethopper](https://nethopper.io)
 1. [New Relic](https://newrelic.com/)
 1. [Nextdoor](https://nextdoor.com/)
 1. [Nikkei](https://www.nikkei.co.jp/nikkeiinfo/en/)
 1. [Nitro](https://gonitro.com)
+1. [NYCU, CS IT Center](https://it.cs.nycu.edu.tw)
+1. [Objective](https://www.objective.com.br/)
+1. [OCCMundial](https://occ.com.mx)
 1. [Octadesk](https://octadesk.com)
+1. [Olfeo](https://www.olfeo.com/)
 1. [omegaUp](https://omegaUp.com)
+1. [Omni](https://omni.se/)
 1. [openEuler](https://openeuler.org)
 1. [openGauss](https://opengauss.org/)
+1. [OpenGov](https://opengov.com)
 1. [openLooKeng](https://openlookeng.io)
 1. [OpenSaaS Studio](https://opensaas.studio)
 1. [Opensurvey](https://www.opensurvey.co.kr/)
+1. [OpsMx](https://opsmx.io)
+1. [OpsVerse](https://opsverse.io)
 1. [Optoro](https://www.optoro.com/)
 1. [Orbital Insight](https://orbitalinsight.com/)
+1. [Oscar Health Insurance](https://hioscar.com/)
 1. [p3r](https://www.p3r.one/)
 1. [Packlink](https://www.packlink.com/)
+1. [PagerDuty](https://www.pagerduty.com/)
+1. [Pandosearch](https://www.pandosearch.com/en/home)
+1. [Patreon](https://www.patreon.com/)
 1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
+1. [Percona](https://percona.com/)
+1. [PGS](https://www.pgs.com)
+1. [Pigment](https://www.gopigment.com/)
 1. [Pipefy](https://www.pipefy.com/)
+1. [Pismo](https://pismo.io/)
+1. [Platform9 Systems](https://platform9.com/)
 1. [Polarpoint.io](https://polarpoint.io)
+1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
+1. [Previder BV](https://previder.nl)
+1. [Procore](https://www.procore.com)
+1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)
+1. [PT Boer Technology (Btech)](https://btech.id/)
 1. [PUBG](https://www.pubg.com)
+1. [Puzzle ITC](https://www.puzzle.ch/)
 1. [Qonto](https://qonto.com)
 1. [QuintoAndar](https://quintoandar.com.br)
 1. [Quipper](https://www.quipper.com/)
+1. [RapidAPI](https://www.rapidapi.com/)
+1. [rebuy](https://www.rebuy.de/)
 1. [Recreation.gov](https://www.recreation.gov/)
 1. [Red Hat](https://www.redhat.com/)
+1. [Redpill Linpro](https://www.redpill-linpro.com/)
+1. [Reenigne Cloud](https://reenigne.ca)
+1. [reev.com](https://www.reev.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rise](https://www.risecard.eu/)
 1. [Riskified](https://www.riskified.com/)
 1. [Robotinfra](https://www.robotinfra.com)
 1. [Rubin Observatory](https://www.lsst.org)
 1. [Saildrone](https://www.saildrone.com/)
+1. [Salad Technologies](https://salad.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
 1. [Sap Labs](http://sap.com)
+1. [Sauce Labs](https://saucelabs.com/)
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
+1. [SCRM Lidl International Hub](https://scrm.lidl)
+1. [SEEK](https://seek.com.au)
+1. [Semgrep](https://semgrep.com)
+1. [SI Analytics](https://si-analytics.ai)
 1. [Skit](https://skit.ai/)
 1. [Skyscanner](https://www.skyscanner.net/)
+1. [Smart Pension](https://www.smartpension.co.uk/)
 1. [Smilee.io](https://smilee.io)
+1. [Smood.ch](https://www.smood.ch/)
 1. [Snapp](https://snapp.ir/)
 1. [Snyk](https://snyk.io/)
+1. [Softway Medical](https://www.softwaymedical.fr/)
+1. [South China Morning Post (SCMP)](https://www.scmp.com/)
 1. [Speee](https://speee.jp/)
 1. [Spendesk](https://spendesk.com/)
+1. [Splunk](https://splunk.com/)
 1. [Spores Labs](https://spores.app)
+1. [Statsig](https://statsig.com)
+1. [StreamNative](https://streamnative.io)
 1. [Stuart](https://stuart.com/)
 1. [Sumo Logic](https://sumologic.com/)
 1. [Sutpc](http://www.sutpc.com/)
@@ -170,39 +280,53 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [TableCheck](https://tablecheck.com/)
 1. [Tailor Brands](https://www.tailorbrands.com)
 1. [Tamkeen Technologies](https://tamkeentech.sa/)
+1. [Techcombank](https://www.techcombank.com.vn/trang-chu)
 1. [Technacy](https://www.technacy.it/)
 1. [Tesla](https://tesla.com/)
+1. [The Scale Factory](https://www.scalefactory.com/)
 1. [ThousandEyes](https://www.thousandeyes.com/)
 1. [Ticketmaster](https://ticketmaster.com)
 1. [Tiger Analytics](https://www.tigeranalytics.com/)
 1. [Tigera](https://www.tigera.io/)
 1. [Toss](https://toss.im/en)
+1. [Trendyol](https://www.trendyol.com/)
 1. [tru.ID](https://tru.id)
+1. [Trusting Social](https://trustingsocial.com/)
+1. [Twilio Segment](https://segment.com/)
 1. [Twilio SendGrid](https://sendgrid.com)
 1. [tZERO](https://www.tzero.com/)
+1. [U.S. Veterans Affairs Department](https://www.va.gov/)
 1. [UBIO](https://ub.io/)
 1. [UFirstGroup](https://www.ufirstgroup.com/en/)
 1. [ungleich.ch](https://ungleich.ch/)
 1. [Unifonic Inc](https://www.unifonic.com/)
 1. [Universidad Mesoamericana](https://www.umes.edu.gt/)
+1. [Upsider Inc.](https://up-sider.com/lp/)
+1. [Urbantz](https://urbantz.com/)
+1. [Vectra](https://www.vectra.ai)
+1. [Veepee](https://www.veepee.com)
 1. [Viaduct](https://www.viaduct.ai/)
+1. [VietMoney](https://vietmoney.vn/)
+1. [Vinted](https://vinted.com/)
 1. [Virtuo](https://www.govirtuo.com/)
 1. [VISITS Technologies](https://visits.world/en)
 1. [Volvo Cars](https://www.volvocars.com/)
+1. [Voyager Digital](https://www.investvoyager.com/)
 1. [VSHN - The DevOps Company](https://vshn.ch/)
 1. [Walkbase](https://www.walkbase.com/)
 1. [Webstores](https://www.webstores.nl)
 1. [Wehkamp](https://www.wehkamp.nl/)
+1. [WeMaintain](https://www.wemaintain.com/)
 1. [WeMo Scooter](https://www.wemoscooter.com/)
 1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
 1. [Witick](https://witick.io/)
+1. [Wolffun Game](https://www.wolffungame.com/)
 1. [WooliesX](https://wooliesx.com.au/)
 1. [Woolworths Group](https://www.woolworthsgroup.com.au/)
 1. [WSpot](https://www.wspot.com.br/)
 1. [Yieldlab](https://www.yieldlab.de/)
 1. [Youverify](https://youverify.co/)
 1. [Yubo](https://www.yubo.live/)
+1. [ZDF](https://www.zdf.de/)
 1. [Zimpler](https://www.zimpler.com/)
 1. [ZOZO](https://corp.zozo.com/)
-1. [Trendyol](https://www.trendyol.com/)
-1. [RapidAPI](https://www.rapidapi.com/)

VERSION

@@ -1 +1 @@
-2.4.23
+2.10.18

applicationset/controllers/clustereventhandler.go

@@ -2,6 +2,7 @@ package controllers
 
 import (
 	"context"
+	"fmt"
 
 	log "github.com/sirupsen/logrus"
 
@@ -12,7 +13,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/event"
 
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
 // clusterSecretEventHandler is used when watching Secrets to check if they are ArgoCD Cluster Secrets, and if so
@@ -46,7 +47,6 @@ type addRateLimitingInterface interface {
 }
 
 func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingInterface, object client.Object) {
-
 	// Check for label, lookup all ApplicationSets that might match the cluster, queue them all
 	if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
 		return
@@ -73,6 +73,40 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 				foundClusterGenerator = true
 				break
 			}
+
+			if generator.Matrix != nil {
+				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Matrix.Generators)
+				if err != nil {
+					h.Log.
+						WithFields(log.Fields{
+							"namespace": appSet.GetNamespace(),
+							"name":      appSet.GetName(),
+						}).
+						WithError(err).
+						Error("Unable to check if ApplicationSet matrix generators have cluster generator")
+				}
+				if ok {
+					foundClusterGenerator = true
+					break
+				}
+			}
+
+			if generator.Merge != nil {
+				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Merge.Generators)
+				if err != nil {
+					h.Log.
+						WithFields(log.Fields{
+							"namespace": appSet.GetNamespace(),
+							"name":      appSet.GetName(),
+						}).
+						WithError(err).
+						Error("Unable to check if ApplicationSet merge generators have cluster generator")
+				}
+				if ok {
+					foundClusterGenerator = true
+					break
+				}
+			}
 		}
 		if foundClusterGenerator {
 
@@ -82,3 +116,50 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 		}
 	}
 }
+
+// nestedGeneratorsHaveClusterGenerator iterate over provided nested generators to check if they have a cluster generator.
+func nestedGeneratorsHaveClusterGenerator(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
+	for _, generator := range generators {
+		if ok, err := nestedGeneratorHasClusterGenerator(generator); ok || err != nil {
+			return ok, err
+		}
+	}
+	return false, nil
+}
+
+// nestedGeneratorHasClusterGenerator checks if the provided generator has a cluster generator.
+func nestedGeneratorHasClusterGenerator(nested argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
+	if nested.Clusters != nil {
+		return true, nil
+	}
+
+	if nested.Matrix != nil {
+		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(nested.Matrix)
+		if err != nil {
+			return false, fmt.Errorf("unable to get nested matrix generator: %w", err)
+		}
+		if nestedMatrix != nil {
+			hasClusterGenerator, err := nestedGeneratorsHaveClusterGenerator(nestedMatrix.ToMatrixGenerator().Generators)
+			if err != nil {
+				return false, fmt.Errorf("error evaluating nested matrix generator: %w", err)
+			}
+			return hasClusterGenerator, nil
+		}
+	}
+
+	if nested.Merge != nil {
+		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(nested.Merge)
+		if err != nil {
+			return false, fmt.Errorf("unable to get nested merge generator: %w", err)
+		}
+		if nestedMerge != nil {
+			hasClusterGenerator, err := nestedGeneratorsHaveClusterGenerator(nestedMerge.ToMergeGenerator().Generators)
+			if err != nil {
+				return false, fmt.Errorf("error evaluating nested merge generator: %w", err)
+			}
+			return hasClusterGenerator, nil
+		}
+	}
+
+	return false, nil
+}

applicationset/controllers/clustereventhandler_test.go

@@ -6,6 +6,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -15,13 +16,12 @@ import (
 
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 )
 
 func TestClusterEventHandler(t *testing.T) {
 
 	scheme := runtime.NewScheme()
-	err := argoprojiov1alpha1.AddToScheme(scheme)
+	err := argov1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
 
 	err = argov1alpha1.AddToScheme(scheme)
@@ -29,13 +29,13 @@ func TestClusterEventHandler(t *testing.T) {
 
 	tests := []struct {
 		name             string
-		items            []argoprojiov1alpha1.ApplicationSet
+		items            []argov1alpha1.ApplicationSet
 		secret           corev1.Secret
 		expectedRequests []ctrl.Request
 	}{
 		{
 			name:  "no application sets should mean no requests",
-			items: []argoprojiov1alpha1.ApplicationSet{},
+			items: []argov1alpha1.ApplicationSet{},
 			secret: corev1.Secret{
 				ObjectMeta: v1.ObjectMeta{
 					Namespace: "argocd",
@@ -49,16 +49,16 @@ func TestClusterEventHandler(t *testing.T) {
 		},
 		{
 			name: "a cluster generator should produce a request",
-			items: []argoprojiov1alpha1.ApplicationSet{
+			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
-					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
+								Clusters: &argov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -79,16 +79,16 @@ func TestClusterEventHandler(t *testing.T) {
 		},
 		{
 			name: "multiple cluster generators should produce multiple requests",
-			items: []argoprojiov1alpha1.ApplicationSet{
+			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "argocd",
 					},
-					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
+								Clusters: &argov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -98,10 +98,10 @@ func TestClusterEventHandler(t *testing.T) {
 						Name:      "my-app-set2",
 						Namespace: "argocd",
 					},
-					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
+								Clusters: &argov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -123,16 +123,16 @@ func TestClusterEventHandler(t *testing.T) {
 		},
 		{
 			name: "non-cluster generator should not match",
-			items: []argoprojiov1alpha1.ApplicationSet{
+			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "another-namespace",
 					},
-					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
+								Clusters: &argov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -142,10 +142,10 @@ func TestClusterEventHandler(t *testing.T) {
 						Name:      "app-set-non-cluster",
 						Namespace: "argocd",
 					},
-					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
-								List: &argoprojiov1alpha1.ListGenerator{},
+								List: &argov1alpha1.ListGenerator{},
 							},
 						},
 					},
@@ -164,19 +164,18 @@ func TestClusterEventHandler(t *testing.T) {
 				{NamespacedName: types.NamespacedName{Namespace: "another-namespace", Name: "my-app-set"}},
 			},
 		},
-
 		{
 			name: "non-argo cd secret should not match",
-			items: []argoprojiov1alpha1.ApplicationSet{
+			items: []argov1alpha1.ApplicationSet{
 				{
 					ObjectMeta: v1.ObjectMeta{
 						Name:      "my-app-set",
 						Namespace: "another-namespace",
 					},
-					Spec: argoprojiov1alpha1.ApplicationSetSpec{
-						Generators: []argoprojiov1alpha1.ApplicationSetGenerator{
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
 							{
-								Clusters: &argoprojiov1alpha1.ClusterGenerator{},
+								Clusters: &argov1alpha1.ClusterGenerator{},
 							},
 						},
 					},
@@ -190,13 +189,355 @@ func TestClusterEventHandler(t *testing.T) {
 			},
 			expectedRequests: []reconcile.Request{},
 		},
+		{
+			name: "a matrix generator with a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Clusters: &argov1alpha1.ClusterGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a matrix generator with non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											List: &argov1alpha1.ListGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
+		{
+			name: "a matrix generator with a nested matrix generator containing a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Matrix: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"clusters": {
+															  "selector": {
+																"matchLabels": {
+																  "argocd.argoproj.io/secret-type": "cluster"
+																}
+															  }
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a matrix generator with a nested matrix generator containing non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Matrix: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"list": {
+															  "elements": [
+																"a",
+																"b"
+															  ]
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
+		{
+			name: "a merge generator with a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Clusters: &argov1alpha1.ClusterGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a matrix generator with non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											List: &argov1alpha1.ListGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
+		{
+			name: "a merge generator with a nested merge generator containing a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Merge: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"clusters": {
+															  "selector": {
+																"matchLabels": {
+																  "argocd.argoproj.io/secret-type": "cluster"
+																}
+															  }
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a merge generator with a nested merge generator containing non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Merge: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"list": {
+															  "elements": [
+																"a",
+																"b"
+															  ]
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
 	}
 
 	for _, test := range tests {
 
 		t.Run(test.name, func(t *testing.T) {
 
-			appSetList := argoprojiov1alpha1.ApplicationSetList{
+			appSetList := argov1alpha1.ApplicationSetList{
 				Items: test.items,
 			}
 
@@ -232,3 +573,68 @@ type mockAddRateLimitingInterface struct {
 	errorOccurred bool
 	addedItems    []ctrl.Request
 }
+
+func TestNestedGeneratorHasClusterGenerator_NestedClusterGenerator(t *testing.T) {
+	nested := argov1alpha1.ApplicationSetNestedGenerator{
+		Clusters: &argov1alpha1.ClusterGenerator{},
+	}
+
+	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)
+
+	assert.Nil(t, err)
+	assert.True(t, hasClusterGenerator)
+}
+
+func TestNestedGeneratorHasClusterGenerator_NestedMergeGenerator(t *testing.T) {
+	nested := argov1alpha1.ApplicationSetNestedGenerator{
+		Merge: &apiextensionsv1.JSON{
+			Raw: []byte(
+				`{
+					"generators": [
+					  {
+						"clusters": {
+						  "selector": {
+							"matchLabels": {
+							  "argocd.argoproj.io/secret-type": "cluster"
+							}
+						  }
+						}
+					  }
+					]
+				  }`,
+			),
+		},
+	}
+
+	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)
+
+	assert.Nil(t, err)
+	assert.True(t, hasClusterGenerator)
+}
+
+func TestNestedGeneratorHasClusterGenerator_NestedMergeGeneratorWithInvalidJSON(t *testing.T) {
+	nested := argov1alpha1.ApplicationSetNestedGenerator{
+		Merge: &apiextensionsv1.JSON{
+			Raw: []byte(
+				`{
+					"generators": [
+					  {
+						"clusters": {
+						  "selector": {
+							"matchLabels": {
+							  "argocd.argoproj.io/secret-type": "cluster"
+							}
+						  }
+						}
+					  }
+					]
+				  `,
+			),
+		},
+	}
+
+	hasClusterGenerator, err := nestedGeneratorHasClusterGenerator(nested)
+
+	assert.NotNil(t, err)
+	assert.False(t, hasClusterGenerator)
+}

applicationset/controllers/requeue_after_test.go

@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -17,14 +16,15 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
-	argoappsetv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
+	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
 func TestRequeueAfter(t *testing.T) {
-	mockServer := argoCDServiceMock{}
+	mockServer := &mocks.Repos{}
 	ctx := context.Background()
 	scheme := runtime.NewScheme()
-	err := argoappsetv1alpha1.AddToScheme(scheme)
+	err := argov1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
 	gvrToListKind := map[schema.GroupVersionResource]string{{
 		Group:    "mallard.io",
@@ -60,9 +60,9 @@ func TestRequeueAfter(t *testing.T) {
 		"List":                    generators.NewListGenerator(),
 		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
 		"Git":                     generators.NewGitGenerator(mockServer),
-		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build()),
+		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}, "", []string{""}, true),
 		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
-		"PullRequest":             generators.NewPullRequestGenerator(k8sClient),
+		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}, "", []string{""}, true),
 	}
 
 	nestedGenerators := map[string]generators.Generator{
@@ -96,7 +96,7 @@ func TestRequeueAfter(t *testing.T) {
 	}
 
 	type args struct {
-		appset *argoappsetv1alpha1.ApplicationSet
+		appset *argov1alpha1.ApplicationSet
 	}
 	tests := []struct {
 		name    string
@@ -104,44 +104,44 @@ func TestRequeueAfter(t *testing.T) {
 		want    time.Duration
 		wantErr assert.ErrorAssertionFunc
 	}{
-		{name: "Cluster", args: args{appset: &argoappsetv1alpha1.ApplicationSet{
-			Spec: argoappsetv1alpha1.ApplicationSetSpec{
-				Generators: []argoappsetv1alpha1.ApplicationSetGenerator{{Clusters: &argoappsetv1alpha1.ClusterGenerator{}}},
+		{name: "Cluster", args: args{appset: &argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}},
 			},
 		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
-		{name: "ClusterMergeNested", args: args{&argoappsetv1alpha1.ApplicationSet{
-			Spec: argoappsetv1alpha1.ApplicationSetSpec{
-				Generators: []argoappsetv1alpha1.ApplicationSetGenerator{
-					{Clusters: &argoappsetv1alpha1.ClusterGenerator{}},
-					{Merge: &argoappsetv1alpha1.MergeGenerator{
-						Generators: []argoappsetv1alpha1.ApplicationSetNestedGenerator{
+		{name: "ClusterMergeNested", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Merge: &argov1alpha1.MergeGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 							{
-								Clusters: &argoappsetv1alpha1.ClusterGenerator{},
-								Git:      &argoappsetv1alpha1.GitGenerator{},
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
 							},
 						},
 					}},
 				},
 			},
 		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
-		{name: "ClusterMatrixNested", args: args{&argoappsetv1alpha1.ApplicationSet{
-			Spec: argoappsetv1alpha1.ApplicationSetSpec{
-				Generators: []argoappsetv1alpha1.ApplicationSetGenerator{
-					{Clusters: &argoappsetv1alpha1.ClusterGenerator{}},
-					{Matrix: &argoappsetv1alpha1.MatrixGenerator{
-						Generators: []argoappsetv1alpha1.ApplicationSetNestedGenerator{
+		{name: "ClusterMatrixNested", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Matrix: &argov1alpha1.MatrixGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
 							{
-								Clusters: &argoappsetv1alpha1.ClusterGenerator{},
-								Git:      &argoappsetv1alpha1.GitGenerator{},
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
 							},
 						},
 					}},
 				},
 			},
 		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
-		{name: "ListGenerator", args: args{appset: &argoappsetv1alpha1.ApplicationSet{
-			Spec: argoappsetv1alpha1.ApplicationSetSpec{
-				Generators: []argoappsetv1alpha1.ApplicationSetGenerator{{List: &argoappsetv1alpha1.ListGenerator{}}},
+		{name: "ListGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{{List: &argov1alpha1.ListGenerator{}}},
 			},
 		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
 	}
@@ -151,30 +151,3 @@ func TestRequeueAfter(t *testing.T) {
 		})
 	}
 }
-
-type argoCDServiceMock struct {
-	mock *mock.Mock
-}
-
-func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-
-	return args.Get(0).([]string), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, pattern)
-
-	return args.Get(0).(map[string][]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, path)
-
-	return args.Get(0).([]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-	return args.Get(0).([]string), args.Error(1)
-}

applicationset/controllers/templatePatch.go

@@ -0,0 +1,46 @@
+package controllers
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/util/strategicpatch"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
+	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func applyTemplatePatch(app *appv1.Application, templatePatch string) (*appv1.Application, error) {
+
+	appString, err := json.Marshal(app)
+	if err != nil {
+		return nil, fmt.Errorf("error while marhsalling Application %w", err)
+	}
+
+	convertedTemplatePatch, err := utils.ConvertYAMLToJSON(templatePatch)
+
+	if err != nil {
+		return nil, fmt.Errorf("error while converting template to json %q: %w", convertedTemplatePatch, err)
+	}
+
+	if err := json.Unmarshal([]byte(convertedTemplatePatch), &appv1.Application{}); err != nil {
+		return nil, fmt.Errorf("invalid templatePatch %q: %w", convertedTemplatePatch, err)
+	}
+
+	data, err := strategicpatch.StrategicMergePatch(appString, []byte(convertedTemplatePatch), appv1.Application{})
+
+	if err != nil {
+		return nil, fmt.Errorf("error while applying templatePatch template to json %q: %w", convertedTemplatePatch, err)
+	}
+
+	finalApp := appv1.Application{}
+	err = json.Unmarshal(data, &finalApp)
+	if err != nil {
+		return nil, fmt.Errorf("error while unmarhsalling patched application: %w", err)
+	}
+
+	// Prevent changes to the `project` field. This helps prevent malicious template patches
+	finalApp.Spec.Project = app.Spec.Project
+
+	return &finalApp, nil
+}

applicationset/controllers/templatePatch_test.go

@@ -0,0 +1,249 @@
+package controllers
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func Test_ApplyTemplatePatch(t *testing.T) {
+	testCases := []struct {
+		name          string
+		appTemplate   *appv1.Application
+		templatePatch string
+		expectedApp   *appv1.Application
+	}{
+		{
+			name: "patch with JSON",
+			appTemplate: &appv1.Application{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Application",
+					APIVersion: "argoproj.io/v1alpha1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:       "my-cluster-guestbook",
+					Namespace:  "namespace",
+					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
+				},
+				Spec: appv1.ApplicationSpec{
+					Project: "default",
+					Source: &appv1.ApplicationSource{
+						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
+						TargetRevision: "HEAD",
+						Path:           "guestbook",
+					},
+					Destination: appv1.ApplicationDestination{
+						Server:    "https://kubernetes.default.svc",
+						Namespace: "guestbook",
+					},
+				},
+			},
+			templatePatch: `{
+				"metadata": {
+					"annotations": {
+						"annotation-some-key": "annotation-some-value"
+					}
+				},
+				"spec": {
+					"source": {
+						"helm": {
+							"valueFiles": [
+								"values.test.yaml",
+								"values.big.yaml"
+							]
+						}
+					},
+					"syncPolicy": {
+						"automated": {
+							"prune": true
+						}
+					}
+				}
+			}`,
+			expectedApp: &appv1.Application{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Application",
+					APIVersion: "argoproj.io/v1alpha1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:       "my-cluster-guestbook",
+					Namespace:  "namespace",
+					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
+					Annotations: map[string]string{
+						"annotation-some-key": "annotation-some-value",
+					},
+				},
+				Spec: appv1.ApplicationSpec{
+					Project: "default",
+					Source: &appv1.ApplicationSource{
+						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
+						TargetRevision: "HEAD",
+						Path:           "guestbook",
+						Helm: &appv1.ApplicationSourceHelm{
+							ValueFiles: []string{
+								"values.test.yaml",
+								"values.big.yaml",
+							},
+						},
+					},
+					Destination: appv1.ApplicationDestination{
+						Server:    "https://kubernetes.default.svc",
+						Namespace: "guestbook",
+					},
+					SyncPolicy: &appv1.SyncPolicy{
+						Automated: &appv1.SyncPolicyAutomated{
+							Prune: true,
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "patch with YAML",
+			appTemplate: &appv1.Application{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Application",
+					APIVersion: "argoproj.io/v1alpha1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:       "my-cluster-guestbook",
+					Namespace:  "namespace",
+					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
+				},
+				Spec: appv1.ApplicationSpec{
+					Project: "default",
+					Source: &appv1.ApplicationSource{
+						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
+						TargetRevision: "HEAD",
+						Path:           "guestbook",
+					},
+					Destination: appv1.ApplicationDestination{
+						Server:    "https://kubernetes.default.svc",
+						Namespace: "guestbook",
+					},
+				},
+			},
+			templatePatch: `
+metadata:
+  annotations:
+    annotation-some-key: annotation-some-value
+spec:
+  source:
+    helm:
+      valueFiles:
+        - values.test.yaml
+        - values.big.yaml
+  syncPolicy:
+    automated:
+      prune: true`,
+			expectedApp: &appv1.Application{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Application",
+					APIVersion: "argoproj.io/v1alpha1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:       "my-cluster-guestbook",
+					Namespace:  "namespace",
+					Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
+					Annotations: map[string]string{
+						"annotation-some-key": "annotation-some-value",
+					},
+				},
+				Spec: appv1.ApplicationSpec{
+					Project: "default",
+					Source: &appv1.ApplicationSource{
+						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
+						TargetRevision: "HEAD",
+						Path:           "guestbook",
+						Helm: &appv1.ApplicationSourceHelm{
+							ValueFiles: []string{
+								"values.test.yaml",
+								"values.big.yaml",
+							},
+						},
+					},
+					Destination: appv1.ApplicationDestination{
+						Server:    "https://kubernetes.default.svc",
+						Namespace: "guestbook",
+					},
+					SyncPolicy: &appv1.SyncPolicy{
+						Automated: &appv1.SyncPolicyAutomated{
+							Prune: true,
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "project field isn't overwritten",
+			appTemplate: &appv1.Application{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Application",
+					APIVersion: "argoproj.io/v1alpha1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-cluster-guestbook",
+					Namespace: "namespace",
+				},
+				Spec: appv1.ApplicationSpec{
+					Project: "default",
+					Source: &appv1.ApplicationSource{
+						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
+						TargetRevision: "HEAD",
+						Path:           "guestbook",
+					},
+					Destination: appv1.ApplicationDestination{
+						Server:    "https://kubernetes.default.svc",
+						Namespace: "guestbook",
+					},
+				},
+			},
+			templatePatch: `
+spec:
+  project: my-project`,
+			expectedApp: &appv1.Application{
+				TypeMeta: metav1.TypeMeta{
+					Kind:       "Application",
+					APIVersion: "argoproj.io/v1alpha1",
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "my-cluster-guestbook",
+					Namespace: "namespace",
+				},
+				Spec: appv1.ApplicationSpec{
+					Project: "default",
+					Source: &appv1.ApplicationSource{
+						RepoURL:        "https://github.com/argoproj/argocd-example-apps.git",
+						TargetRevision: "HEAD",
+						Path:           "guestbook",
+					},
+					Destination: appv1.ApplicationDestination{
+						Server:    "https://kubernetes.default.svc",
+						Namespace: "guestbook",
+					},
+				},
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		tcc := tc
+		t.Run(tcc.name, func(t *testing.T) {
+			result, err := applyTemplatePatch(tcc.appTemplate, tcc.templatePatch)
+			require.NoError(t, err)
+			assert.Equal(t, *tcc.expectedApp, *result)
+		})
+	}
+}
+
+func TestError(t *testing.T) {
+	app := &appv1.Application{}
+
+	result, err := applyTemplatePatch(app, "hello world")
+	require.Error(t, err)
+	require.Nil(t, result)
+}

applicationset/examples/applications-sync-policies/create-only.yaml

@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  goTemplate: true
+  generators:
+  - list:
+      elements:
+      - cluster: engineering-dev
+        url: https://kubernetes.default.svc
+        foo: bar
+      # Update foo value with foo: bar
+      # Application engineering-prod-guestbook labels will still be baz
+      # Delete this element
+      # Application engineering-prod-guestbook will be kept
+      - cluster: engineering-prod
+        url: https://kubernetes.default.svc
+        foo: baz
+  template:
+    metadata:
+      name: '{{.cluster}}-guestbook'
+      labels:
+        foo: '{{.foo}}'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: applicationset/examples/list-generator/guestbook/{{.cluster}}
+      destination:
+        server: '{{.url}}'
+        namespace: guestbook
+  syncPolicy:
+    applicationsSync: create-only

applicationset/examples/applications-sync-policies/create-update.yaml

@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  goTemplate: true
+  generators:
+  - list:
+      elements:
+      - cluster: engineering-dev
+        url: https://kubernetes.default.svc
+        foo: bar
+      # Update foo value with foo: bar
+      # Application engineering-prod-guestbook labels will change to foo: bar
+      # Delete this element
+      # Application engineering-prod-guestbook will be kept
+      - cluster: engineering-prod
+        url: https://kubernetes.default.svc
+        foo: baz
+  template:
+    metadata:
+      name: '{{.cluster}}-guestbook'
+      labels:
+        foo: '{{.foo}}'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: applicationset/examples/list-generator/guestbook/{{.cluster}}
+      destination:
+        server: '{{.url}}'
+        namespace: guestbook
+  syncPolicy:
+    applicationsSync: create-update

applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-deployment.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guestbook-ui
+spec:
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: guestbook-ui
+  template:
+    metadata:
+      labels:
+        app: guestbook-ui
+    spec:
+      containers:
+      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+        name: guestbook-ui
+        ports:
+        - containerPort: 80

applicationset/examples/applications-sync-policies/guestbook/engineering-dev/guestbook-ui-svc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: guestbook-ui
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+  selector:
+    app: guestbook-ui

applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-deployment.yaml

@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guestbook-ui
+spec:
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: guestbook-ui
+  template:
+    metadata:
+      labels:
+        app: guestbook-ui
+    spec:
+      containers:
+      - image: gcr.io/heptio-images/ks-guestbook-demo:0.2
+        name: guestbook-ui
+        ports:
+        - containerPort: 80

applicationset/examples/applications-sync-policies/guestbook/engineering-prod/guestbook-ui-svc.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: guestbook-ui
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+  selector:
+    app: guestbook-ui

applicationset/examples/cluster/cluster-example-fasttemplate.yaml

@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - clusters: {}
+  template:
+    metadata:
+      name: '{{name}}-guestbook'
+    spec:
+      project: "default"
+      source:
+        repoURL: https://github.com/argoproj/argocd-example-apps/
+        targetRevision: HEAD
+        path: guestbook
+      destination:
+        server: '{{server}}'
+        namespace: guestbook

applicationset/examples/cluster/cluster-example.yaml

@@ -3,11 +3,13 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - clusters: {}
   template:
     metadata:
-      name: '{{name}}-guestbook'
+      name: '{{.name}}-guestbook'
     spec:
       project: "default"
       source:
@@ -15,5 +17,5 @@ spec:
         targetRevision: HEAD
         path: guestbook
       destination:
-        server: '{{server}}'
+        server: '{{.server}}'
         namespace: guestbook

applicationset/examples/clusterDecisionResource/ducktype-example-fasttemplate.yaml

@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: book-import
+spec:
+  generators:
+    - clusterDecisionResource:
+        configMapRef: ocm-placement
+        name: test-placement
+        requeueAfterSeconds: 30
+  template:
+    metadata:
+      name: '{{clusterName}}-book-import'
+    spec:
+      project: "default"
+      source:
+        repoURL: https://github.com/open-cluster-management/application-samples.git
+        targetRevision: HEAD
+        path: book-import
+      destination:
+        name: '{{clusterName}}'
+        namespace: bookimport
+      syncPolicy:
+        automated:
+          prune: true
+        syncOptions:
+          - CreateNamespace=true

applicationset/examples/clusterDecisionResource/ducktype-example.yaml

@@ -3,6 +3,8 @@ kind: ApplicationSet
 metadata:
   name: book-import
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
     - clusterDecisionResource:
         configMapRef: ocm-placement
@@ -10,7 +12,7 @@ spec:
         requeueAfterSeconds: 30
   template:
     metadata:
-      name: '{{clusterName}}-book-import'
+      name: '{{.clusterName}}-book-import'
     spec:
       project: "default"
       source:
@@ -18,7 +20,7 @@ spec:
         targetRevision: HEAD
         path: book-import
       destination:
-        name: '{{clusterName}}'
+        name: '{{.clusterName}}'
         namespace: bookimport
       syncPolicy:
         automated:

applicationset/examples/design-doc/applicationset-fasttemplate.yaml

@@ -0,0 +1,22 @@
+# This is an example of a typical ApplicationSet which uses the cluster generator.
+# An ApplicationSet is comprised with two stanzas:
+#  - spec.generator - producer of a list of values supplied as arguments to an app template
+#  - spec.template - an application template, which has been parameterized
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - clusters: {}
+  template:
+    metadata:
+      name: '{{name}}-guestbook'
+    spec:
+      source:
+        repoURL: https://github.com/infra-team/cluster-deployments.git
+        targetRevision: HEAD
+        chart: guestbook
+      destination:
+        server: '{{server}}'
+        namespace: guestbook

applicationset/examples/design-doc/applicationset.yaml

@@ -7,16 +7,18 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - clusters: {}
   template:
     metadata:
-      name: '{{name}}-guestbook'
+      name: '{{.name}}-guestbook'
     spec:
       source:
         repoURL: https://github.com/infra-team/cluster-deployments.git
         targetRevision: HEAD
         chart: guestbook
       destination:
-        server: '{{server}}'
+        server: '{{.server}}'
         namespace: guestbook

applicationset/examples/design-doc/clusters.yaml

@@ -19,15 +19,15 @@ spec:
         project: default
   template:
     metadata:
-      name: '{{name}}-guestbook'
+      name: '{{.name}}-guestbook'
       labels:
-        environment: '{{metadata.labels.environment}}'
+        environment: '{{.metadata.labels.environment}}'
     spec:
-      project: '{{values.project}}'
+      project: '{{.values.project}}'
       source:
         repoURL: https://github.com/infra-team/cluster-deployments.git
         targetRevision: HEAD
         chart: guestbook
       destination:
-        server: '{{server}}'
+        server: '{{.server}}'
         namespace: guestbook

applicationset/examples/design-doc/git-directory-discovery-fasttemplate.yaml

@@ -0,0 +1,44 @@
+# This example demonstrates the git directory generator, which produces an items list 
+# based on discovery of directories in a git repo matching a specified pattern.
+# Git generators automatically provide {{path}} and {{path.basename}} as available
+# variables to the app template.
+#
+# Suppose the following git directory structure (note the use of different config tools):
+#
+# cluster-deployments
+# └── add-ons
+#     ├── argo-rollouts
+#     │   ├── all.yaml
+#     │   └── kustomization.yaml
+#     ├── argo-workflows
+#     │   └── install.yaml
+#     ├── grafana
+#     │   ├── Chart.yaml
+#     │   └── values.yaml
+#     └── prometheus-operator
+#         ├── Chart.yaml
+#         └── values.yaml
+#
+# The following ApplicationSet would produce four applications (in different namespaces),
+# using the directory basename as both the namespace and application name. 
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: cluster-addons
+spec:
+  generators:
+  - git:
+      repoURL: https://github.com/infra-team/cluster-deployments.git
+      directories:
+      - path: add-ons/*
+  template:
+    metadata:
+      name: '{{path.basename}}'
+    spec:
+      source:
+        repoURL: https://github.com/infra-team/cluster-deployments.git
+        targetRevision: HEAD
+        path: '{{path}}'
+      destination:
+        server: http://kubernetes.default.svc
+        namespace: '{{path.basename}}'

applicationset/examples/design-doc/git-directory-discovery.yaml

@@ -26,6 +26,8 @@ kind: ApplicationSet
 metadata:
   name: cluster-addons
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - git:
       repoURL: https://github.com/infra-team/cluster-deployments.git
@@ -33,12 +35,12 @@ spec:
       - path: add-ons/*
   template:
     metadata:
-      name: '{{path.basename}}'
+      name: '{{.path.basename}}'
     spec:
       source:
         repoURL: https://github.com/infra-team/cluster-deployments.git
         targetRevision: HEAD
-        path: '{{path}}'
+        path: '{{.path.path}}'
       destination:
         server: http://kubernetes.default.svc
-        namespace: '{{path.basename}}'
+        namespace: '{{.path.basename}}'

applicationset/examples/design-doc/git-files-discovery-fasttemplate.yaml

@@ -0,0 +1,55 @@
+# This example demonstrates a git file generator which traverses the directory structure of a git
+# repository to discover items based on a filename convention. For each file discovered, the
+# contents of the discovered files themselves, act as the set of inputs to the app template.
+#
+# Suppose the following git directory structure:
+#
+# cluster-deployments
+# ├── apps
+# │   └── guestbook
+# │       └── install.yaml
+# └── cluster-config
+#     ├── engineering
+#     │   ├── dev
+#     │   │   └── config.json
+#     │   └── prod
+#     │       └── config.json
+#     └── finance
+#         ├── dev
+#         │   └── config.json
+#         └── prod
+#             └── config.json
+#
+# The discovered files (e.g. config.json) files can be any structured data supplied to the
+# generated application. e.g.:
+# {
+#    "aws_account": "123456",
+#    "asset_id": "11223344"
+#    "cluster": {
+#        "owner": "Jesse_Suen@intuit.com",
+#        "name": "engineering-dev",
+#        "address": "http://1.2.3.4"
+#    }
+# }
+#
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - git:
+      repoURL: https://github.com/infra-team/cluster-deployments.git
+      files:
+      - path: "**/config.json"
+  template:
+    metadata:
+      name: '{{cluster.name}}-guestbook'
+    spec:
+      source:
+        repoURL: https://github.com/infra-team/cluster-deployments.git
+        targetRevision: HEAD
+        path: apps/guestbook
+      destination:
+        server: '{{cluster.address}}'
+        namespace: guestbook

applicationset/examples/design-doc/git-files-discovery.yaml

@@ -37,6 +37,8 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - git:
       repoURL: https://github.com/infra-team/cluster-deployments.git
@@ -44,12 +46,12 @@ spec:
       - path: "**/config.json"
   template:
     metadata:
-      name: '{{cluster.name}}-guestbook'
+      name: '{{.cluster.name}}-guestbook'
     spec:
       source:
         repoURL: https://github.com/infra-team/cluster-deployments.git
         targetRevision: HEAD
         path: apps/guestbook
       destination:
-        server: '{{cluster.address}}'
+        server: '{{.cluster.address}}'
         namespace: guestbook

applicationset/examples/design-doc/git-files-literal-fasttemplate.yaml

@@ -0,0 +1,68 @@
+# This example demonstrates a git file generator which produces its items based on one or
+# more files referenced in a git repo. The referenced files would contain a json/yaml list of
+# arbitrary structured objects. Each item of the list would become a set of parameters to a
+# generated application.
+#
+# Suppose the following git directory structure:
+#  
+# cluster-deployments
+# ├── apps
+# │   └── guestbook
+# │       ├── v1.0
+# │       │   └── install.yaml
+# │       └── v2.0
+# │           └── install.yaml
+# └── config
+#     └── clusters.json
+#
+# In this example, the `clusters.json` file is json list of structured data:
+# [
+#     {
+#         "account": "123456",
+#         "asset_id": "11223344",
+#         "cluster": {
+#             "owner": "Jesse_Suen@intuit.com",
+#             "name": "engineering-dev",
+#             "address": "http://1.2.3.4"
+#         },
+#         "appVersions": {
+#             "prometheus-operator": "v0.38",
+#             "guestbook": "v2.0"
+#         }
+#     },
+#     {
+#         "account": "456789",
+#         "asset_id": "55667788",
+#         "cluster": {
+#             "owner": "Alexander_Matyushentsev@intuit.com",
+#             "name": "engineering-prod",
+#             "address": "http://2.4.6.8"
+#         },
+#         "appVersions": {
+#             "prometheus-operator": "v0.38",
+#             "guestbook": "v1.0"
+#         }
+#     }
+# ]
+#
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - git:
+      repoURL: https://github.com/infra-team/cluster-deployments.git
+      files:
+      - path: config/clusters.json
+  template:
+    metadata:
+      name: '{{cluster.name}}-guestbook'
+    spec:
+      source:
+        repoURL: https://github.com/infra-team/cluster-deployments.git
+        targetRevision: HEAD
+        path: apps/guestbook/{{appVersions.guestbook}}
+      destination:
+        server: http://kubernetes.default.svc
+        namespace: guestbook

applicationset/examples/design-doc/git-files-literal.yaml

@@ -50,6 +50,8 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - git:
       repoURL: https://github.com/infra-team/cluster-deployments.git
@@ -57,12 +59,12 @@ spec:
       - path: config/clusters.json
   template:
     metadata:
-      name: '{{cluster.name}}-guestbook'
+      name: '{{.cluster.name}}-guestbook'
     spec:
       source:
         repoURL: https://github.com/infra-team/cluster-deployments.git
         targetRevision: HEAD
-        path: apps/guestbook/{{appVersions.guestbook}}
+        path: apps/guestbook/{{.appVersions.guestbook}}
       destination:
         server: http://kubernetes.default.svc
         namespace: guestbook

applicationset/examples/design-doc/list-fasttemplate.yaml

@@ -0,0 +1,33 @@
+# The list generator specifies a literal list of argument values to the app spec template.
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - list:
+      elements:
+      - cluster: engineering-dev
+        url: https://1.2.3.4
+        values:
+          project: dev
+      - cluster: engineering-prod
+        url: https://2.4.6.8
+        values:
+          project: prod
+      - cluster: finance-preprod
+        url: https://9.8.7.6
+        values:
+          project: preprod
+  template:
+    metadata:
+      name: '{{cluster}}-guestbook'
+    spec:
+      project: '{{values.project}}'
+      source:
+        repoURL: https://github.com/infra-team/cluster-deployments.git
+        targetRevision: HEAD
+        path: guestbook/{{cluster}}
+      destination:
+        server: '{{url}}'
+        namespace: guestbook

applicationset/examples/design-doc/list.yaml

@@ -4,6 +4,8 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - list:
       elements:
@@ -21,13 +23,13 @@ spec:
           project: preprod
   template:
     metadata:
-      name: '{{cluster}}-guestbook'
+      name: '{{.cluster}}-guestbook'
     spec:
-      project: '{{values.project}}'
+      project: '{{.values.project}}'
       source:
         repoURL: https://github.com/infra-team/cluster-deployments.git
         targetRevision: HEAD
-        path: guestbook/{{cluster}}
+        path: guestbook/{{.cluster}}
       destination:
-        server: '{{url}}'
+        server: '{{.url}}'
         namespace: guestbook

applicationset/examples/design-doc/template-override-fasttemplate.yaml

@@ -0,0 +1,48 @@
+# App templates can also be defined as part of the generator's template stanza. Sometimes it is
+# useful to do this in order to override the spec.template stanza, and when simple string
+# parameterization are insufficient. In the below examples, the generators[].XXX.template is 
+# a partial definition, which overrides/patch the default template.
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - list:
+      elements:
+        - cluster: engineering-dev
+          url: https://1.2.3.4
+      template:
+        metadata: {}
+        spec:
+          project: "project"
+          source:
+            repoURL: https://github.com/infra-team/cluster-deployments.git
+            path: '{{cluster}}-override'
+          destination: {}
+
+  - list:
+      elements:
+        - cluster: engineering-prod
+          url: https://1.2.3.4
+      template:
+        metadata: {}
+        spec:
+          project: "project2"
+          source:
+            repoURL: https://github.com/infra-team/cluster-deployments.git
+            path: '{{cluster}}-override2'
+          destination: {}
+
+  template:
+    metadata:
+      name: '{{cluster}}-guestbook'
+    spec:
+      project: "project"
+      source:
+        repoURL: https://github.com/infra-team/cluster-deployments.git
+        targetRevision: HEAD
+        path: guestbook/{{cluster}}
+      destination:
+        server: '{{url}}'
+        namespace: guestbook

applicationset/examples/design-doc/template-override.yaml

@@ -7,6 +7,8 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - list:
       elements:
@@ -18,7 +20,7 @@ spec:
           project: "project"
           source:
             repoURL: https://github.com/infra-team/cluster-deployments.git
-            path: '{{cluster}}-override'
+            path: '{{.cluster}}-override'
           destination: {}
 
   - list:
@@ -31,18 +33,18 @@ spec:
           project: "project2"
           source:
             repoURL: https://github.com/infra-team/cluster-deployments.git
-            path: '{{cluster}}-override2'
+            path: '{{.cluster}}-override2'
           destination: {}
 
   template:
     metadata:
-      name: '{{cluster}}-guestbook'
+      name: '{{.cluster}}-guestbook'
     spec:
       project: "project"
       source:
         repoURL: https://github.com/infra-team/cluster-deployments.git
         targetRevision: HEAD
-        path: guestbook/{{cluster}}
+        path: guestbook/{{.cluster}}
       destination:
-        server: '{{url}}'
+        server: '{{.url}}'
         namespace: guestbook

applicationset/examples/git-generator-directory/excludes/git-directories-exclude-example-fasttemplate.yaml

@@ -0,0 +1,29 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: cluster-addons
+  namespace: argocd
+spec:
+  generators:
+  - git:
+      repoURL: https://github.com/argoproj/argo-cd.git
+      revision: HEAD
+      directories:
+      - path: applicationset/examples/git-generator-directory/excludes/cluster-addons/*
+      - exclude: true
+        path: applicationset/examples/git-generator-directory/excludes/cluster-addons/exclude-helm-guestbook
+  template:
+    metadata:
+      name: '{{path.basename}}'
+    spec:
+      project: "my-project"
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: '{{path}}'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true

applicationset/examples/git-generator-directory/excludes/git-directories-exclude-example.yaml

@@ -4,6 +4,8 @@ metadata:
   name: cluster-addons
   namespace: argocd
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - git:
       repoURL: https://github.com/argoproj/argo-cd.git
@@ -14,16 +16,16 @@ spec:
         path: applicationset/examples/git-generator-directory/excludes/cluster-addons/exclude-helm-guestbook
   template:
     metadata:
-      name: '{{path.basename}}'
+      name: '{{.path.basename}}'
     spec:
       project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
-        path: '{{path}}'
+        path: '{{.path}}'
       destination:
         server: https://kubernetes.default.svc
-        namespace: '{{path.basename}}'
+        namespace: '{{.path.basename}}'
       syncPolicy:
         syncOptions:
         - CreateNamespace=true

applicationset/examples/git-generator-directory/git-directories-example-fasttemplate.yaml

@@ -0,0 +1,27 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: cluster-addons
+  namespace: argocd
+spec:
+  generators:
+  - git:
+      repoURL: https://github.com/argoproj/argo-cd.git
+      revision: HEAD
+      directories:
+      - path: applicationset/examples/git-generator-directory/cluster-addons/*
+  template:
+    metadata:
+      name: '{{path.basename}}'
+    spec:
+      project: "my-project"
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: '{{path}}'
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: '{{path.basename}}'
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true

applicationset/examples/git-generator-directory/git-directories-example.yaml

@@ -4,6 +4,8 @@ metadata:
   name: cluster-addons
   namespace: argocd
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - git:
       repoURL: https://github.com/argoproj/argo-cd.git
@@ -12,16 +14,16 @@ spec:
       - path: applicationset/examples/git-generator-directory/cluster-addons/*
   template:
     metadata:
-      name: '{{path.basename}}'
+      name: '{{.path.basename}}'
     spec:
       project: "my-project"
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
-        path: '{{path}}'
+        path: '{{.path.path}}'
       destination:
         server: https://kubernetes.default.svc
-        namespace: '{{path.basename}}'
+        namespace: '{{.path.basename}}'
       syncPolicy:
         syncOptions:
         - CreateNamespace=true

applicationset/examples/git-generator-files-discovery/git-generator-files-fasttemplate.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+    - git:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        revision: HEAD
+        files:
+        - path: "applicationset/examples/git-generator-files-discovery/cluster-config/**/config.json"
+  template:
+    metadata:
+      name: '{{cluster.name}}-guestbook'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: "applicationset/examples/git-generator-files-discovery/apps/guestbook"
+      destination:
+        server: https://kubernetes.default.svc
+        #server: '{{cluster.address}}'
+        namespace: guestbook

applicationset/examples/git-generator-files-discovery/git-generator-files.yaml

@@ -3,6 +3,8 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
     - git:
         repoURL: https://github.com/argoproj/argo-cd.git
@@ -11,7 +13,7 @@ spec:
         - path: "applicationset/examples/git-generator-files-discovery/cluster-config/**/config.json"
   template:
     metadata:
-      name: '{{cluster.name}}-guestbook'
+      name: '{{.cluster.name}}-guestbook'
     spec:
       project: default
       source:
@@ -20,5 +22,5 @@ spec:
         path: "applicationset/examples/git-generator-files-discovery/apps/guestbook"
       destination:
         server: https://kubernetes.default.svc
-        #server: '{{cluster.address}}'
+        #server: '{{.cluster.address}}'
         namespace: guestbook

applicationset/examples/list-generator/list-elementsYaml-example.yaml

@@ -0,0 +1,14 @@
+key:
+  components:
+    - name: component1
+      chart: podinfo
+      version: "6.3.2"
+      releaseName: component1
+      repoUrl: "https://stefanprodan.github.io/podinfo"
+      namespace: component1
+    - name: component2
+      chart: podinfo
+      version: "6.3.3"
+      releaseName: component2
+      repoUrl: "ghcr.io/stefanprodan/charts"
+      namespace: component2

applicationset/examples/list-generator/list-example-fasttemplate.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - list:
+      elements:
+      - cluster: engineering-dev
+        url: https://kubernetes.default.svc
+      - cluster: engineering-prod
+        url: https://kubernetes.default.svc
+  template:
+    metadata:
+      name: '{{cluster}}-guestbook'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: applicationset/examples/list-generator/guestbook/{{cluster}}
+      destination:
+        server: '{{url}}'
+        namespace: guestbook

applicationset/examples/list-generator/list-example.yaml

@@ -3,6 +3,8 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - list:
       elements:
@@ -12,13 +14,13 @@ spec:
         url: https://kubernetes.default.svc
   template:
     metadata:
-      name: '{{cluster}}-guestbook'
+      name: '{{.cluster}}-guestbook'
     spec:
       project: default
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
-        path: applicationset/examples/list-generator/guestbook/{{cluster}}
+        path: applicationset/examples/list-generator/guestbook/{{.cluster}}
       destination:
-        server: '{{url}}'
+        server: '{{.url}}'
         namespace: guestbook

applicationset/examples/matrix/cluster-and-git-fasttemplate.yaml

@@ -0,0 +1,33 @@
+# This example demonstrates the combining of the git generator with a cluster generator
+# The expected output would be an application per git directory and a cluster (application_count = git directory * clusters)
+#
+#
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: cluster-git
+spec:
+  generators:
+  - matrix:
+      generators:
+        - git:
+            repoURL: https://github.com/argoproj/argo-cd.git
+            revision: HEAD
+            directories:
+            - path: applicationset/examples/matrix/cluster-addons/*
+        - clusters:
+            selector:
+              matchLabels:
+                argocd.argoproj.io/secret-type: cluster
+  template:
+    metadata:
+      name: '{{path.basename}}-{{name}}'
+    spec:
+      project: '{{metadata.labels.environment}}'
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: '{{path}}'
+      destination:
+        server: '{{server}}'
+        namespace: '{{path.basename}}'

applicationset/examples/matrix/cluster-and-git.yaml

@@ -7,6 +7,8 @@ kind: ApplicationSet
 metadata:
   name: cluster-git
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - matrix:
       generators:
@@ -21,13 +23,13 @@ spec:
                 argocd.argoproj.io/secret-type: cluster
   template:
     metadata:
-      name: '{{path.basename}}-{{name}}'
+      name: '{{.path.basename}}-{{.name}}'
     spec:
-      project: '{{metadata.labels.environment}}'
+      project: '{{.metadata.labels.environment}}'
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
-        path: '{{path}}'
+        path: '{{.path.path}}'
       destination:
-        server: '{{server}}'
-        namespace: '{{path.basename}}'
+        server: '{{.server}}'
+        namespace: '{{.path.basename}}'

applicationset/examples/matrix/list-and-git-fasttemplate.yaml

@@ -0,0 +1,39 @@
+# This example demonstrates the combining of the git generator with a list generator
+# The expected output would be an application per git directory and a list entry (application_count = git directory * list entries)
+#
+#
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: list-git
+spec:
+  generators:
+  - matrix:
+      generators:
+      - git:
+          repoURL: https://github.com/argoproj/argo-cd.git
+          revision: HEAD
+          directories:
+          - path: applicationset/examples/matrix/cluster-addons/*
+      - list:
+          elements:
+          - cluster: engineering-dev
+            url: https://1.2.3.4
+            values:
+              project: dev
+          - cluster: engineering-prod
+            url: https://2.4.6.8
+            values:
+              project: prod
+  template:
+    metadata:
+      name: '{{path.basename}}-{{cluster}}'
+    spec:
+      project: '{{values.project}}'
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: '{{path}}'
+      destination:
+        server: '{{url}}'
+        namespace: '{{path.basename}}'

applicationset/examples/matrix/list-and-git.yaml

@@ -7,6 +7,8 @@ kind: ApplicationSet
 metadata:
   name: list-git
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - matrix:
       generators:
@@ -27,13 +29,13 @@ spec:
               project: prod
   template:
     metadata:
-      name: '{{path.basename}}-{{cluster}}'
+      name: '{{.path.basename}}-{{.cluster}}'
     spec:
-      project: '{{values.project}}'
+      project: '{{.values.project}}'
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
-        path: '{{path}}'
+        path: '{{.path.path}}'
       destination:
-        server: '{{url}}'
-        namespace: '{{path.basename}}'
+        server: '{{.url}}'
+        namespace: '{{.path.basename}}'

applicationset/examples/matrix/list-and-list-fasttemplate.yaml

@@ -0,0 +1,37 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: list-and-list
+  namespace: argocd
+spec:
+  generators:
+    - matrix:
+        generators:
+          - list:
+              elements:
+                - cluster: engineering-dev
+                  url: https://kubernetes.default.svc
+                  values:
+                    project: default
+                - cluster: engineering-prod
+                  url: https://kubernetes.default.svc
+                  values:
+                    project: default
+          - list:
+              elements:
+                - values:
+                    suffix: '1'
+                - values:
+                    suffix: '2'
+  template:
+    metadata:
+      name: '{{cluster}}-{{values.suffix}}'
+    spec:
+      project: '{{values.project}}'
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: '{{path}}'
+      destination:
+        server: '{{url}}'
+        namespace: '{{path.basename}}'

applicationset/examples/matrix/list-and-list.yaml

@@ -4,6 +4,8 @@ metadata:
   name: list-and-list
   namespace: argocd
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
     - matrix:
         generators:
@@ -25,13 +27,13 @@ spec:
                     suffix: '2'
   template:
     metadata:
-      name: '{{cluster}}-{{values.suffix}}'
+      name: '{{.cluster}}-{{.values.suffix}}'
     spec:
-      project: '{{values.project}}'
+      project: '{{.values.project}}'
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
-        path: '{{path}}'
+        path: '{{.path.path}}'
       destination:
-        server: '{{url}}'
-        namespace: '{{path.basename}}'
+        server: '{{.url}}'
+        namespace: '{{.path.basename}}'

applicationset/examples/matrix/matrix-and-union-in-matrix-fasttemplate.yaml

@@ -0,0 +1,67 @@
+# The matrix generator can contain other combination-type generators (matrix and union). But nested matrix and union
+# generators cannot contain further-nested matrix or union generators.
+#
+# The generators are evaluated from most-nested to least-nested. In this case:
+#  1. The union generator joins two lists to make 3 parameter sets.
+#  2. The inner matrix generator takes the cartesian product of the two lists to make 4 parameters sets.
+#  3. The outer matrix generator takes the cartesian product of the 3 union and the 4 inner matrix parameter sets to
+#     make 3*4=12 final parameter sets.
+#  4. The 12 final parameter sets are evaluated against the top-level template to generate 12 Applications.
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: matrix-and-union-in-matrix
+spec:
+  generators:
+    - matrix:
+        generators:
+          - union:
+              mergeKeys:
+                - cluster
+              generators:
+                - list:
+                    elements:
+                      - cluster: engineering-dev
+                        url: https://kubernetes.default.svc
+                        values:
+                          project: default
+                      - cluster: engineering-prod
+                        url: https://kubernetes.default.svc
+                        values:
+                          project: default
+                - list:
+                    elements:
+                      - cluster: engineering-dev
+                        url: https://kubernetes.default.svc
+                        values:
+                          project: default
+                      - cluster: engineering-test
+                        url: https://kubernetes.default.svc
+                        values:
+                          project: default
+          - matrix:
+              generators:
+                - list:
+                    elements:
+                      - values:
+                          suffix: '1'
+                      - values:
+                          suffix: '2'
+                - list:
+                    elements:
+                      - values:
+                          prefix: 'first'
+                      - values:
+                          prefix: 'second'
+  template:
+    metadata:
+      name: '{{values.prefix}}-{{cluster}}-{{values.suffix}}'
+    spec:
+      project: '{{values.project}}'
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: '{{path}}'
+      destination:
+        server: '{{url}}'
+        namespace: '{{path.basename}}'

applicationset/examples/matrix/matrix-and-union-in-matrix.yaml

@@ -12,6 +12,8 @@ kind: ApplicationSet
 metadata:
   name: matrix-and-union-in-matrix
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
     - matrix:
         generators:
@@ -55,13 +57,13 @@ spec:
                           prefix: 'second'
   template:
     metadata:
-      name: '{{values.prefix}}-{{cluster}}-{{values.suffix}}'
+      name: '{{.values.prefix}}-{{.cluster}}-{{.values.suffix}}'
     spec:
-      project: '{{values.project}}'
+      project: '{{.values.project}}'
       source:
         repoURL: https://github.com/argoproj/argo-cd.git
         targetRevision: HEAD
-        path: '{{path}}'
+        path: '{{.path.path}}'
       destination:
-        server: '{{url}}'
-        namespace: '{{path.basename}}'
+        server: '{{.url}}'
+        namespace: '{{.path.basename}}'

applicationset/examples/merge/merge-clusters-and-list-fasttemplate.yaml

@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: merge-clusters-and-list
+spec:
+  generators:
+    - merge:
+        mergeKeys:
+          - server
+        generators:
+          - clusters:
+              values:
+                kafka: 'true'
+                redis: 'false'
+          # For clusters with a specific label, enable Kafka.
+          - clusters:
+              selector:
+                matchLabels:
+                  use-kafka: 'false'
+              values:
+                kafka: 'false'
+          # For a specific cluster, enable Redis.
+          - list:
+              elements:
+                - server: https://some-specific-cluster
+                  values.redis: 'true'
+  template:
+    metadata:
+      name: '{{name}}'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj/argocd-example-apps/
+        targetRevision: HEAD
+        path: helm-guestbook
+        helm:
+          parameters:
+            - name: kafka
+              value: '{{values.kafka}}'
+            - name: redis
+              value: '{{values.redis}}'
+      destination:
+        server: '{{server}}'
+        namespace: default

applicationset/examples/merge/merge-clusters-and-list.yaml

@@ -3,6 +3,8 @@ kind: ApplicationSet
 metadata:
   name: merge-clusters-and-list
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
     - merge:
         mergeKeys:
@@ -26,7 +28,7 @@ spec:
                   values.redis: 'true'
   template:
     metadata:
-      name: '{{name}}'
+      name: '{{.name}}'
     spec:
       project: default
       source:
@@ -36,9 +38,9 @@ spec:
         helm:
           parameters:
             - name: kafka
-              value: '{{values.kafka}}'
+              value: '{{.values.kafka}}'
             - name: redis
-              value: '{{values.redis}}'
+              value: '{{.values.redis}}'
       destination:
-        server: '{{server}}'
+        server: '{{.server}}'
         namespace: default

applicationset/examples/merge/merge-two-matrixes-fasttemplate.yaml

@@ -0,0 +1,43 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: merge-two-matrixes
+spec:
+  generators:
+    - merge:
+        mergeKeys:
+          - server
+          - environment
+        generators:
+          - matrix:
+              generators:
+                - clusters:
+                    values:
+                      replicaCount: '2'
+                - list:
+                    elements:
+                      - environment: staging
+                        namespace: guestbook-non-prod
+                      - environment: prod
+                        namespace: guestbook
+          - list:
+              elements:
+                - server: https://kubernetes.default.svc
+                  environment: staging
+                  values.replicaCount: '1'
+  template:
+    metadata:
+      name: '{{name}}-guestbook-{{environment}}'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj/argocd-example-apps/
+        targetRevision: HEAD
+        path: helm-guestbook
+        helm:
+          parameters:
+            - name: replicaCount
+              value: '{{values.replicaCount}}'
+      destination:
+        server: '{{server}}'
+        namespace: '{{namespace}}'

applicationset/examples/merge/merge-two-matrixes.yaml

@@ -3,6 +3,8 @@ kind: ApplicationSet
 metadata:
   name: merge-two-matrixes
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
     - merge:
         mergeKeys:
@@ -27,7 +29,7 @@ spec:
                   values.replicaCount: '1'
   template:
     metadata:
-      name: '{{name}}-guestbook-{{environment}}'
+      name: '{{.name}}-guestbook-{{.environment}}'
     spec:
       project: default
       source:
@@ -37,7 +39,7 @@ spec:
         helm:
           parameters:
             - name: replicaCount
-              value: '{{values.replicaCount}}'
+              value: '{{.values.replicaCount}}'
       destination:
-        server: '{{server}}'
-        namespace: '{{namespace}}'
+        server: '{{.server}}'
+        namespace: '{{.namespace}}'

applicationset/examples/pull-request-generator/pull-request-example-fasttemplate.yaml

@@ -0,0 +1,40 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: myapp
+spec:
+  generators:
+  - pullRequest:
+      github:
+        # The GitHub organization or user.
+        owner: myorg
+        # The Github repository
+        repo: myrepo
+        # For GitHub Enterprise. (optional)
+        api: https://git.example.com/
+        # Reference to a Secret containing an access token. (optional)
+        tokenRef:
+          secretName: github-token
+          key: token
+        # Labels is used to filter the PRs that you want to target. (optional)
+        labels:
+        - preview
+  template:
+    metadata:
+      name: 'myapp-{{ branch }}-{{ number }}'
+    spec:
+      source:
+        repoURL: 'https://github.com/myorg/myrepo.git'
+        targetRevision: '{{ head_sha }}'
+        path: helm-guestbook
+        helm:
+          parameters:
+          - name: "image.tag"
+            value: "pull-{{ head_sha }}"
+      project: default
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: "{{ branch }}-{{ number }}"
+      syncPolicy:
+        syncOptions:
+        - CreateNamespace=true

applicationset/examples/pull-request-generator/pull-request-example.yaml

@@ -3,6 +3,8 @@ kind: ApplicationSet
 metadata:
   name: myapp
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - pullRequest:
       github:
@@ -21,20 +23,22 @@ spec:
         - preview
   template:
     metadata:
-      name: 'myapp-{{ branch }}-{{ number }}'
+      name: 'myapp-{{ .branch }}-{{ .number }}'
+      labels:
+        key1: '{{ index .labels 0 }}'
     spec:
       source:
         repoURL: 'https://github.com/myorg/myrepo.git'
-        targetRevision: '{{ head_sha }}'
+        targetRevision: '{{ .head_sha }}'
         path: helm-guestbook
         helm:
           parameters:
           - name: "image.tag"
-            value: "pull-{{ head_sha }}"
+            value: "pull-{{ .head_sha }}"
       project: default
       destination:
         server: https://kubernetes.default.svc
-        namespace: "{{ branch }}-{{ number }}"
+        namespace: "{{ .branch }}-{{ .number }}"
       syncPolicy:
         syncOptions:
         - CreateNamespace=true

applicationset/examples/scm-provider-generator/scm-provider-example-fasttemplate-gitlab.yaml

@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - scmProvider:
+      gitlab:
+        api: https://gitlab.com
+        group: test-argocd-proton
+        includeSubgroups: true
+      cloneProtocol: https
+      filters:
+      - repositoryMatch: test-app
+  template:
+    metadata:
+      name: '{{ repository }}-guestbook'
+    spec:
+      project: "default"
+      source:
+        repoURL: '{{ url }}'
+        targetRevision: '{{ branch }}'
+        path: guestbook
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: guestbook

applicationset/examples/scm-provider-generator/scm-provider-example-fasttemplate.yaml

@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - scmProvider:
+      github:
+        organization: argoproj
+      cloneProtocol: https
+      filters:
+      - repositoryMatch: example-apps
+  template:
+    metadata:
+      name: '{{ repository }}-guestbook'
+    spec:
+      project: "default"
+      source:
+        repoURL: '{{ url }}'
+        targetRevision: '{{ branch }}'
+        path: guestbook
+      destination:
+        server: https://kubernetes.default.svc
+        namespace: guestbook

applicationset/examples/scm-provider-generator/scm-provider-example.yaml

@@ -3,6 +3,8 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - scmProvider:
       github:
@@ -12,12 +14,12 @@ spec:
       - repositoryMatch: example-apps
   template:
     metadata:
-      name: '{{ repository }}-guestbook'
+      name: '{{ .repository }}-guestbook'
     spec:
       project: "default"
       source:
-        repoURL: '{{ url }}'
-        targetRevision: '{{ branch }}'
+        repoURL: '{{ .url }}'
+        targetRevision: '{{ .branch }}'
         path: guestbook
       destination:
         server: https://kubernetes.default.svc

applicationset/examples/template-override/template-overrides-example-fasttemplate.yaml

@@ -0,0 +1,36 @@
+# App templates can also be defined as part of the generator's template stanza. Sometimes it is
+# useful to do this in order to override the spec.template stanza, and when simple string
+# parameterization are insufficient. In the below examples, the generators[].XXX.template is 
+# a partial definition, which overrides/patch the default template.
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - list:
+      elements:
+        - cluster: engineering-dev
+          url: https://kubernetes.default.svc
+      template:
+        metadata: {}
+        spec:
+          project: "default"
+          source:
+            targetRevision: HEAD
+            repoURL: https://github.com/argoproj/argo-cd.git
+            path: 'applicationset/examples/template-override/{{cluster}}-override'
+          destination: {}
+
+  template:
+    metadata:
+      name: '{{cluster}}-guestbook'
+    spec:
+      project: "default"
+      source:
+        repoURL: https://github.com/argoproj/argo-cd.git
+        targetRevision: HEAD
+        path: applicationset/examples/template-override/default
+      destination:
+        server: '{{url}}'
+        namespace: guestbook

applicationset/examples/template-override/template-overrides-example.yaml

@@ -7,6 +7,8 @@ kind: ApplicationSet
 metadata:
   name: guestbook
 spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
   generators:
   - list:
       elements:
@@ -19,12 +21,12 @@ spec:
           source:
             targetRevision: HEAD
             repoURL: https://github.com/argoproj/argo-cd.git
-            path: 'applicationset/examples/template-override/{{cluster}}-override'
+            path: 'applicationset/examples/template-override/{{.cluster}}-override'
           destination: {}
 
   template:
     metadata:
-      name: '{{cluster}}-guestbook'
+      name: '{{.cluster}}-guestbook'
     spec:
       project: "default"
       source:
@@ -32,5 +34,5 @@ spec:
         targetRevision: HEAD
         path: applicationset/examples/template-override/default
       destination:
-        server: '{{url}}'
+        server: '{{.url}}'
         namespace: guestbook

applicationset/generators/cluster.go

@@ -3,8 +3,6 @@ package generators
 import (
 	"context"
 	"fmt"
-	"regexp"
-	"strings"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -17,7 +15,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	argoappsetv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
+	argoappsetv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
 const (
@@ -37,6 +35,8 @@ type ClusterGenerator struct {
 	settingsManager *settings.SettingsManager
 }
 
+var render = &utils.Render{}
+
 func NewClusterGenerator(c client.Client, ctx context.Context, clientset kubernetes.Interface, namespace string) Generator {
 
 	settingsManager := settings.NewSettingsManager(ctx, clientset, namespace)
@@ -61,8 +61,7 @@ func (g *ClusterGenerator) GetTemplate(appSetGenerator *argoappsetv1alpha1.Appli
 	return &appSetGenerator.Clusters.Template
 }
 
-func (g *ClusterGenerator) GenerateParams(
-	appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator, _ *argoappsetv1alpha1.ApplicationSet) ([]map[string]string, error) {
+func (g *ClusterGenerator) GenerateParams(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator, appSet *argoappsetv1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
 
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
@@ -79,7 +78,7 @@ func (g *ClusterGenerator) GenerateParams(
 	// ListCluster from Argo CD's util/db package will include the local cluster in the list of clusters
 	clustersFromArgoCD, err := utils.ListClusters(g.ctx, g.clientset, g.namespace)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error listing clusters: %w", err)
 	}
 
 	if clustersFromArgoCD == nil {
@@ -91,7 +90,7 @@ func (g *ClusterGenerator) GenerateParams(
 		return nil, err
 	}
 
-	res := []map[string]string{}
+	res := []map[string]interface{}{}
 
 	secretsFound := []corev1.Secret{}
 
@@ -104,38 +103,59 @@ func (g *ClusterGenerator) GenerateParams(
 
 		} else if !ignoreLocalClusters {
 			// If there is no secret for the cluster, it's the local cluster, so handle it here.
-			params := map[string]string{}
+			params := map[string]interface{}{}
 			params["name"] = cluster.Name
+			params["nameNormalized"] = cluster.Name
 			params["server"] = cluster.Server
 
-			for key, value := range appSetGenerator.Clusters.Values {
-				params[fmt.Sprintf("values.%s", key)] = value
+			err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
+			if err != nil {
+				return nil, err
 			}
 
-			log.WithField("cluster", "local cluster").Info("matched local cluster")
-
 			res = append(res, params)
+
+			log.WithField("cluster", "local cluster").Info("matched local cluster")
 		}
 	}
 
 	// For each matching cluster secret (non-local clusters only)
 	for _, cluster := range secretsFound {
-		params := map[string]string{}
+		params := map[string]interface{}{}
+
 		params["name"] = string(cluster.Data["name"])
-		params["nameNormalized"] = sanitizeName(string(cluster.Data["name"]))
+		params["nameNormalized"] = utils.SanitizeName(string(cluster.Data["name"]))
 		params["server"] = string(cluster.Data["server"])
-		for key, value := range cluster.ObjectMeta.Annotations {
-			params[fmt.Sprintf("metadata.annotations.%s", key)] = value
+
+		if appSet.Spec.GoTemplate {
+			meta := map[string]interface{}{}
+
+			if len(cluster.ObjectMeta.Annotations) > 0 {
+				meta["annotations"] = cluster.ObjectMeta.Annotations
+			}
+			if len(cluster.ObjectMeta.Labels) > 0 {
+				meta["labels"] = cluster.ObjectMeta.Labels
+			}
+
+			params["metadata"] = meta
+		} else {
+			for key, value := range cluster.ObjectMeta.Annotations {
+				params[fmt.Sprintf("metadata.annotations.%s", key)] = value
+			}
+
+			for key, value := range cluster.ObjectMeta.Labels {
+				params[fmt.Sprintf("metadata.labels.%s", key)] = value
+			}
 		}
-		for key, value := range cluster.ObjectMeta.Labels {
-			params[fmt.Sprintf("metadata.labels.%s", key)] = value
+
+		err = appendTemplatedValues(appSetGenerator.Clusters.Values, params, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
+		if err != nil {
+			return nil, err
 		}
-		for key, value := range appSetGenerator.Clusters.Values {
-			params[fmt.Sprintf("values.%s", key)] = value
-		}
-		log.WithField("cluster", cluster.Name).Info("matched cluster secret")
 
 		res = append(res, params)
+
+		log.WithField("cluster", cluster.Name).Info("matched cluster secret")
 	}
 
 	return res, nil
@@ -167,20 +187,3 @@ func (g *ClusterGenerator) getSecretsByClusterName(appSetGenerator *argoappsetv1
 	return res, nil
 
 }
-
-// sanitize the name in accordance with the below rules
-// 1. contain no more than 253 characters
-// 2. contain only lowercase alphanumeric characters, '-' or '.'
-// 3. start and end with an alphanumeric character
-func sanitizeName(name string) string {
-	invalidDNSNameChars := regexp.MustCompile("[^-a-z0-9.]")
-	maxDNSNameLength := 253
-
-	name = strings.ToLower(name)
-	name = invalidDNSNameChars.ReplaceAllString(name, "-")
-	if len(name) > maxDNSNameLength {
-		name = name[:maxDNSNameLength]
-	}
-
-	return strings.Trim(name, "-.")
-}

applicationset/generators/cluster_test.go

@@ -3,6 +3,7 @@ package generators
 import (
 	"context"
 	"fmt"
+	"testing"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -10,11 +11,10 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
-	"testing"
-
 	kubefake "k8s.io/client-go/kubernetes/fake"
 
-	argoappsetv1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -86,7 +86,7 @@ func TestGenerateParams(t *testing.T) {
 		name     string
 		selector metav1.LabelSelector
 		values   map[string]string
-		expected []map[string]string
+		expected []map[string]interface{}
 		// clientError is true if a k8s client error should be simulated
 		clientError   bool
 		expectedError error
@@ -94,15 +94,23 @@ func TestGenerateParams(t *testing.T) {
 		{
 			name:     "no label selector",
 			selector: metav1.LabelSelector{},
-			values:   nil,
-			expected: []map[string]string{
-				{"name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
+			values: map[string]string{
+				"lol1":  "lol",
+				"lol2":  "{{values.lol1}}{{values.lol1}}",
+				"lol3":  "{{values.lol2}}{{values.lol2}}{{values.lol2}}",
+				"foo":   "bar",
+				"bar":   "{{ metadata.annotations.foo.argoproj.io }}",
+				"bat":   "{{ metadata.labels.environment }}",
+				"aaa":   "{{ server }}",
+				"no-op": "{{ this-does-not-exist }}",
+			}, expected: []map[string]interface{}{
+				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "production", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "production", "values.aaa": "https://production-01.example.com", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
 					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
 
-				{"name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
+				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "staging", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "staging", "values.aaa": "https://staging-01.example.com", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
 					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
 
-				{"name": "in-cluster", "server": "https://kubernetes.default.svc"},
+				{"values.lol1": "lol", "values.lol2": "{{values.lol1}}{{values.lol1}}", "values.lol3": "{{values.lol2}}{{values.lol2}}{{values.lol2}}", "values.foo": "bar", "values.bar": "{{ metadata.annotations.foo.argoproj.io }}", "values.no-op": "{{ this-does-not-exist }}", "values.bat": "{{ metadata.labels.environment }}", "values.aaa": "https://kubernetes.default.svc", "nameNormalized": "in-cluster", "name": "in-cluster", "server": "https://kubernetes.default.svc"},
 			},
 			clientError:   false,
 			expectedError: nil,
@@ -115,7 +123,7 @@ func TestGenerateParams(t *testing.T) {
 				},
 			},
 			values: nil,
-			expected: []map[string]string{
+			expected: []map[string]interface{}{
 				{"name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
 					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
 
@@ -135,7 +143,7 @@ func TestGenerateParams(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]string{
+			expected: []map[string]interface{}{
 				{"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
 					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "production"},
 			},
@@ -159,7 +167,7 @@ func TestGenerateParams(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]string{
+			expected: []map[string]interface{}{
 				{"values.foo": "bar", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
 					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
 				{"values.foo": "bar", "name": "production_01/west", "nameNormalized": "production-01-west", "server": "https://production-01.example.com", "metadata.labels.environment": "production", "metadata.labels.org": "bar",
@@ -188,7 +196,7 @@ func TestGenerateParams(t *testing.T) {
 			values: map[string]string{
 				"name": "baz",
 			},
-			expected: []map[string]string{
+			expected: []map[string]interface{}{
 				{"values.name": "baz", "name": "staging-01", "nameNormalized": "staging-01", "server": "https://staging-01.example.com", "metadata.labels.environment": "staging", "metadata.labels.org": "foo",
 					"metadata.labels.argocd.argoproj.io/secret-type": "cluster", "metadata.annotations.foo.argoproj.io": "staging"},
 			},
@@ -225,12 +233,395 @@ func TestGenerateParams(t *testing.T) {
 
 			var clusterGenerator = NewClusterGenerator(cl, context.Background(), appClientset, "namespace")
 
-			got, err := clusterGenerator.GenerateParams(&argoappsetv1alpha1.ApplicationSetGenerator{
-				Clusters: &argoappsetv1alpha1.ClusterGenerator{
+			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{},
+			}
+
+			got, err := clusterGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
+				Clusters: &argoprojiov1alpha1.ClusterGenerator{
 					Selector: testCase.selector,
 					Values:   testCase.values,
 				},
-			}, nil)
+			}, &applicationSetInfo)
+
+			if testCase.expectedError != nil {
+				assert.EqualError(t, err, testCase.expectedError.Error())
+			} else {
+				assert.NoError(t, err)
+				assert.ElementsMatch(t, testCase.expected, got)
+			}
+
+		})
+	}
+}
+
+func TestGenerateParamsGoTemplate(t *testing.T) {
+	clusters := []client.Object{
+		&corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "staging-01",
+				Namespace: "namespace",
+				Labels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"environment":                    "staging",
+					"org":                            "foo",
+				},
+				Annotations: map[string]string{
+					"foo.argoproj.io": "staging",
+				},
+			},
+			Data: map[string][]byte{
+				"config": []byte("{}"),
+				"name":   []byte("staging-01"),
+				"server": []byte("https://staging-01.example.com"),
+			},
+			Type: corev1.SecretType("Opaque"),
+		},
+		&corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "production-01",
+				Namespace: "namespace",
+				Labels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"environment":                    "production",
+					"org":                            "bar",
+				},
+				Annotations: map[string]string{
+					"foo.argoproj.io": "production",
+				},
+			},
+			Data: map[string][]byte{
+				"config": []byte("{}"),
+				"name":   []byte("production_01/west"),
+				"server": []byte("https://production-01.example.com"),
+			},
+			Type: corev1.SecretType("Opaque"),
+		},
+	}
+	testCases := []struct {
+		name     string
+		selector metav1.LabelSelector
+		values   map[string]string
+		expected []map[string]interface{}
+		// clientError is true if a k8s client error should be simulated
+		clientError   bool
+		expectedError error
+	}{
+		{
+			name:     "no label selector",
+			selector: metav1.LabelSelector{},
+			values: map[string]string{
+				"lol1":  "lol",
+				"lol2":  "{{ .values.lol1 }}{{ .values.lol1 }}",
+				"lol3":  "{{ .values.lol2 }}{{ .values.lol2 }}{{ .values.lol2 }}",
+				"foo":   "bar",
+				"bar":   "{{ if not (empty .metadata) }}{{index .metadata.annotations \"foo.argoproj.io\" }}{{ end }}",
+				"bat":   "{{ if not (empty .metadata) }}{{.metadata.labels.environment}}{{ end }}",
+				"aaa":   "{{ .server }}",
+				"no-op": "{{ .thisDoesNotExist }}",
+			}, expected: []map[string]interface{}{
+				{
+					"name":           "production_01/west",
+					"nameNormalized": "production-01-west",
+					"server":         "https://production-01.example.com",
+					"metadata": map[string]interface{}{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+					"values": map[string]string{
+						"lol1":  "lol",
+						"lol2":  "<no value><no value>",
+						"lol3":  "<no value><no value><no value>",
+						"foo":   "bar",
+						"bar":   "production",
+						"bat":   "production",
+						"aaa":   "https://production-01.example.com",
+						"no-op": "<no value>",
+					},
+				},
+				{
+					"name":           "staging-01",
+					"nameNormalized": "staging-01",
+					"server":         "https://staging-01.example.com",
+					"metadata": map[string]interface{}{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "staging",
+							"org":                            "foo",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "staging",
+						},
+					},
+					"values": map[string]string{
+						"lol1":  "lol",
+						"lol2":  "<no value><no value>",
+						"lol3":  "<no value><no value><no value>",
+						"foo":   "bar",
+						"bar":   "staging",
+						"bat":   "staging",
+						"aaa":   "https://staging-01.example.com",
+						"no-op": "<no value>",
+					},
+				},
+				{
+					"nameNormalized": "in-cluster",
+					"name":           "in-cluster",
+					"server":         "https://kubernetes.default.svc",
+					"values": map[string]string{
+						"lol1":  "lol",
+						"lol2":  "<no value><no value>",
+						"lol3":  "<no value><no value><no value>",
+						"foo":   "bar",
+						"bar":   "",
+						"bat":   "",
+						"aaa":   "https://kubernetes.default.svc",
+						"no-op": "<no value>",
+					},
+				},
+			},
+			clientError:   false,
+			expectedError: nil,
+		},
+		{
+			name: "secret type label selector",
+			selector: metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+				},
+			},
+			values: nil,
+			expected: []map[string]interface{}{
+				{
+					"name":           "production_01/west",
+					"nameNormalized": "production-01-west",
+					"server":         "https://production-01.example.com",
+					"metadata": map[string]interface{}{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+				},
+				{
+					"name":           "staging-01",
+					"nameNormalized": "staging-01",
+					"server":         "https://staging-01.example.com",
+					"metadata": map[string]interface{}{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "staging",
+							"org":                            "foo",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "staging",
+						},
+					},
+				},
+			},
+			clientError:   false,
+			expectedError: nil,
+		},
+		{
+			name: "production-only",
+			selector: metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"environment": "production",
+				},
+			},
+			values: map[string]string{
+				"foo": "bar",
+			},
+			expected: []map[string]interface{}{
+				{
+					"name":           "production_01/west",
+					"nameNormalized": "production-01-west",
+					"server":         "https://production-01.example.com",
+					"metadata": map[string]interface{}{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+					"values": map[string]string{
+						"foo": "bar",
+					},
+				},
+			},
+			clientError:   false,
+			expectedError: nil,
+		},
+		{
+			name: "production or staging",
+			selector: metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      "environment",
+						Operator: "In",
+						Values: []string{
+							"production",
+							"staging",
+						},
+					},
+				},
+			},
+			values: map[string]string{
+				"foo": "bar",
+			},
+			expected: []map[string]interface{}{
+				{
+					"name":           "production_01/west",
+					"nameNormalized": "production-01-west",
+					"server":         "https://production-01.example.com",
+					"metadata": map[string]interface{}{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "production",
+							"org":                            "bar",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "production",
+						},
+					},
+					"values": map[string]string{
+						"foo": "bar",
+					},
+				},
+				{
+					"name":           "staging-01",
+					"nameNormalized": "staging-01",
+					"server":         "https://staging-01.example.com",
+					"metadata": map[string]interface{}{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "staging",
+							"org":                            "foo",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "staging",
+						},
+					},
+					"values": map[string]string{
+						"foo": "bar",
+					},
+				},
+			},
+			clientError:   false,
+			expectedError: nil,
+		},
+		{
+			name: "production or staging with match labels",
+			selector: metav1.LabelSelector{
+				MatchExpressions: []metav1.LabelSelectorRequirement{
+					{
+						Key:      "environment",
+						Operator: "In",
+						Values: []string{
+							"production",
+							"staging",
+						},
+					},
+				},
+				MatchLabels: map[string]string{
+					"org": "foo",
+				},
+			},
+			values: map[string]string{
+				"name": "baz",
+			},
+			expected: []map[string]interface{}{
+				{
+					"name":           "staging-01",
+					"nameNormalized": "staging-01",
+					"server":         "https://staging-01.example.com",
+					"metadata": map[string]interface{}{
+						"labels": map[string]string{
+							"argocd.argoproj.io/secret-type": "cluster",
+							"environment":                    "staging",
+							"org":                            "foo",
+						},
+						"annotations": map[string]string{
+							"foo.argoproj.io": "staging",
+						},
+					},
+					"values": map[string]string{
+						"name": "baz",
+					},
+				},
+			},
+			clientError:   false,
+			expectedError: nil,
+		},
+		{
+			name:          "simulate client error",
+			selector:      metav1.LabelSelector{},
+			values:        nil,
+			expected:      nil,
+			clientError:   true,
+			expectedError: fmt.Errorf("could not list Secrets"),
+		},
+	}
+
+	// convert []client.Object to []runtime.Object, for use by kubefake package
+	runtimeClusters := []runtime.Object{}
+	for _, clientCluster := range clusters {
+		runtimeClusters = append(runtimeClusters, clientCluster)
+	}
+
+	for _, testCase := range testCases {
+
+		t.Run(testCase.name, func(t *testing.T) {
+
+			appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
+
+			fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
+			cl := &possiblyErroringFakeCtrlRuntimeClient{
+				fakeClient,
+				testCase.clientError,
+			}
+
+			var clusterGenerator = NewClusterGenerator(cl, context.Background(), appClientset, "namespace")
+
+			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					GoTemplate: true,
+				},
+			}
+
+			got, err := clusterGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
+				Clusters: &argoprojiov1alpha1.ClusterGenerator{
+					Selector: testCase.selector,
+					Values:   testCase.values,
+				},
+			}, &applicationSetInfo)
 
 			if testCase.expectedError != nil {
 				assert.EqualError(t, err, testCase.expectedError.Error())
@@ -245,10 +636,10 @@ func TestGenerateParams(t *testing.T) {
 
 func TestSanitizeClusterName(t *testing.T) {
 	t.Run("valid DNS-1123 subdomain name", func(t *testing.T) {
-		assert.Equal(t, "cluster-name", sanitizeName("cluster-name"))
+		assert.Equal(t, "cluster-name", utils.SanitizeName("cluster-name"))
 	})
 	t.Run("invalid DNS-1123 subdomain name", func(t *testing.T) {
 		invalidName := "-.--CLUSTER/name  -./.-"
-		assert.Equal(t, "cluster-name", sanitizeName(invalidName))
+		assert.Equal(t, "cluster-name", utils.SanitizeName(invalidName))
 	})
 }

applicationset/generators/duck_type.go

@@ -17,7 +17,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
 var _ Generator = (*DuckTypeGenerator)(nil)
@@ -60,7 +60,7 @@ func (g *DuckTypeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.Appl
 	return &appSetGenerator.ClusterDecisionResource.Template
 }
 
-func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, _ *argoprojiov1alpha1.ApplicationSet) ([]map[string]string, error) {
+func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
 
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
@@ -74,7 +74,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 	// ListCluster from Argo CD's util/db package will include the local cluster in the list of clusters
 	clustersFromArgoCD, err := utils.ListClusters(g.ctx, g.clientset, g.namespace)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error listing clusters: %w", err)
 	}
 
 	if clustersFromArgoCD == nil {
@@ -85,7 +85,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 	cm, err := g.clientset.CoreV1().ConfigMaps(g.namespace).Get(g.ctx, appSetGenerator.ClusterDecisionResource.ConfigMapRef, metav1.GetOptions{})
 
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error reading configMapRef: %w", err)
 	}
 
 	// Extract GVK data for the dynamic client to use
@@ -152,7 +152,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 
 	}
 
-	res := []map[string]string{}
+	res := []map[string]interface{}{}
 	clusterDecisions := []interface{}{}
 
 	// Build the decision slice
@@ -178,7 +178,7 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 		for _, cluster := range clusterDecisions {
 
 			// generated instance of cluster params
-			params := map[string]string{}
+			params := map[string]interface{}{}
 
 			log.Infof("cluster: %v", cluster)
 			matchValue := cluster.(map[string]interface{})[matchKey]
@@ -215,7 +215,14 @@ func (g *DuckTypeGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.A
 			}
 
 			for key, value := range appSetGenerator.ClusterDecisionResource.Values {
-				params[fmt.Sprintf("values.%s", key)] = value
+				if appSet.Spec.GoTemplate {
+					if params["values"] == nil {
+						params["values"] = map[string]string{}
+					}
+					params["values"].(map[string]string)[key] = value
+				} else {
+					params[fmt.Sprintf("values.%s", key)] = value
+				}
 			}
 
 			res = append(res, params)

applicationset/generators/duck_type_test.go

@@ -3,6 +3,7 @@ package generators
 import (
 	"context"
 	"fmt"
+	"testing"
 
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
@@ -14,9 +15,7 @@ import (
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
-
-	"testing"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
 const resourceApiVersion = "mallard.io/v1"
@@ -149,7 +148,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 		labelSelector metav1.LabelSelector
 		resource      *unstructured.Unstructured
 		values        map[string]string
-		expected      []map[string]string
+		expected      []map[string]interface{}
 		expectedError error
 	}{
 		{
@@ -157,7 +156,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			resourceName:  "",
 			resource:      duckType,
 			values:        nil,
-			expected:      []map[string]string{},
+			expected:      []map[string]interface{}{},
 			expectedError: fmt.Errorf("There is a problem with the definition of the ClusterDecisionResource generator"),
 		},
 		/*** This does not work with the FAKE runtime client, fieldSelectors are broken.
@@ -175,7 +174,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			resourceName: resourceName,
 			resource:     duckType,
 			values:       nil,
-			expected: []map[string]string{
+			expected: []map[string]interface{}{
 				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},
 
 				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
@@ -189,7 +188,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]string{
+			expected: []map[string]interface{}{
 				{"clusterName": "production-01", "values.foo": "bar", "name": "production-01", "server": "https://production-01.example.com"},
 			},
 			expectedError: nil,
@@ -217,7 +216,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			labelSelector: metav1.LabelSelector{MatchLabels: map[string]string{"duck": "all-species"}},
 			resource:      duckType,
 			values:        nil,
-			expected: []map[string]string{
+			expected: []map[string]interface{}{
 				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},
 
 				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
@@ -232,7 +231,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			values: map[string]string{
 				"foo": "bar",
 			},
-			expected: []map[string]string{
+			expected: []map[string]interface{}{
 				{"clusterName": "production-01", "values.foo": "bar", "name": "production-01", "server": "https://production-01.example.com"},
 			},
 			expectedError: nil,
@@ -249,7 +248,7 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 			}},
 			resource: duckType,
 			values:   nil,
-			expected: []map[string]string{
+			expected: []map[string]interface{}{
 				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},
 
 				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
@@ -295,6 +294,13 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 
 			var duckTypeGenerator = NewDuckTypeGenerator(context.Background(), fakeDynClient, appClientset, "namespace")
 
+			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{},
+			}
+
 			got, err := duckTypeGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
 				ClusterDecisionResource: &argoprojiov1alpha1.DuckTypeGenerator{
 					ConfigMapRef:  "my-configmap",
@@ -302,7 +308,307 @@ func TestGenerateParamsForDuckType(t *testing.T) {
 					LabelSelector: testCase.labelSelector,
 					Values:        testCase.values,
 				},
-			}, nil)
+			}, &applicationSetInfo)
+
+			if testCase.expectedError != nil {
+				assert.EqualError(t, err, testCase.expectedError.Error())
+			} else {
+				assert.NoError(t, err)
+				assert.ElementsMatch(t, testCase.expected, got)
+			}
+		})
+	}
+}
+
+func TestGenerateParamsForDuckTypeGoTemplate(t *testing.T) {
+	clusters := []client.Object{
+		&corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "staging-01",
+				Namespace: "namespace",
+				Labels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"environment":                    "staging",
+					"org":                            "foo",
+				},
+				Annotations: map[string]string{
+					"foo.argoproj.io": "staging",
+				},
+			},
+			Data: map[string][]byte{
+				"config": []byte("{}"),
+				"name":   []byte("staging-01"),
+				"server": []byte("https://staging-01.example.com"),
+			},
+			Type: corev1.SecretType("Opaque"),
+		},
+		&corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "production-01",
+				Namespace: "namespace",
+				Labels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"environment":                    "production",
+					"org":                            "bar",
+				},
+				Annotations: map[string]string{
+					"foo.argoproj.io": "production",
+				},
+			},
+			Data: map[string][]byte{
+				"config": []byte("{}"),
+				"name":   []byte("production-01"),
+				"server": []byte("https://production-01.example.com"),
+			},
+			Type: corev1.SecretType("Opaque"),
+		},
+	}
+
+	duckType := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": resourceApiVersion,
+			"kind":       "Duck",
+			"metadata": map[string]interface{}{
+				"name":      resourceName,
+				"namespace": "namespace",
+				"labels":    map[string]interface{}{"duck": "all-species"},
+			},
+			"status": map[string]interface{}{
+				"decisions": []interface{}{
+					map[string]interface{}{
+						"clusterName": "staging-01",
+					},
+					map[string]interface{}{
+						"clusterName": "production-01",
+					},
+				},
+			},
+		},
+	}
+
+	duckTypeProdOnly := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": resourceApiVersion,
+			"kind":       "Duck",
+			"metadata": map[string]interface{}{
+				"name":      resourceName,
+				"namespace": "namespace",
+				"labels":    map[string]interface{}{"duck": "spotted"},
+			},
+			"status": map[string]interface{}{
+				"decisions": []interface{}{
+					map[string]interface{}{
+						"clusterName": "production-01",
+					},
+				},
+			},
+		},
+	}
+
+	duckTypeEmpty := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": resourceApiVersion,
+			"kind":       "Duck",
+			"metadata": map[string]interface{}{
+				"name":      resourceName,
+				"namespace": "namespace",
+				"labels":    map[string]interface{}{"duck": "canvasback"},
+			},
+			"status": map[string]interface{}{},
+		},
+	}
+
+	configMap := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "my-configmap",
+			Namespace: "namespace",
+		},
+		Data: map[string]string{
+			"apiVersion":    resourceApiVersion,
+			"kind":          resourceKind,
+			"statusListKey": "decisions",
+			"matchKey":      "clusterName",
+		},
+	}
+
+	testCases := []struct {
+		name          string
+		configMapRef  string
+		resourceName  string
+		labelSelector metav1.LabelSelector
+		resource      *unstructured.Unstructured
+		values        map[string]string
+		expected      []map[string]interface{}
+		expectedError error
+	}{
+		{
+			name:          "no duck resource",
+			resourceName:  "",
+			resource:      duckType,
+			values:        nil,
+			expected:      []map[string]interface{}{},
+			expectedError: fmt.Errorf("There is a problem with the definition of the ClusterDecisionResource generator"),
+		},
+		/*** This does not work with the FAKE runtime client, fieldSelectors are broken.
+		{
+			name:          "invalid name for duck resource",
+			resourceName:  resourceName + "-different",
+			resource:      duckType,
+			values:        nil,
+			expected:      []map[string]string{},
+			expectedError: fmt.Errorf("duck.mallard.io \"quak\" not found"),
+		},
+		***/
+		{
+			name:         "duck type generator resourceName",
+			resourceName: resourceName,
+			resource:     duckType,
+			values:       nil,
+			expected: []map[string]interface{}{
+				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},
+
+				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
+			},
+			expectedError: nil,
+		},
+		{
+			name:         "production-only",
+			resourceName: resourceName,
+			resource:     duckTypeProdOnly,
+			values: map[string]string{
+				"foo": "bar",
+			},
+			expected: []map[string]interface{}{
+				{"clusterName": "production-01", "values": map[string]string{"foo": "bar"}, "name": "production-01", "server": "https://production-01.example.com"},
+			},
+			expectedError: nil,
+		},
+		{
+			name:          "duck type empty status",
+			resourceName:  resourceName,
+			resource:      duckTypeEmpty,
+			values:        nil,
+			expected:      nil,
+			expectedError: nil,
+		},
+		{
+			name:          "duck type empty status labelSelector.matchLabels",
+			resourceName:  "",
+			labelSelector: metav1.LabelSelector{MatchLabels: map[string]string{"duck": "canvasback"}},
+			resource:      duckTypeEmpty,
+			values:        nil,
+			expected:      nil,
+			expectedError: nil,
+		},
+		{
+			name:          "duck type generator labelSelector.matchLabels",
+			resourceName:  "",
+			labelSelector: metav1.LabelSelector{MatchLabels: map[string]string{"duck": "all-species"}},
+			resource:      duckType,
+			values:        nil,
+			expected: []map[string]interface{}{
+				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},
+
+				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
+			},
+			expectedError: nil,
+		},
+		{
+			name:          "production-only labelSelector.matchLabels",
+			resourceName:  "",
+			resource:      duckTypeProdOnly,
+			labelSelector: metav1.LabelSelector{MatchLabels: map[string]string{"duck": "spotted"}},
+			values: map[string]string{
+				"foo": "bar",
+			},
+			expected: []map[string]interface{}{
+				{"clusterName": "production-01", "values": map[string]string{"foo": "bar"}, "name": "production-01", "server": "https://production-01.example.com"},
+			},
+			expectedError: nil,
+		},
+		{
+			name:         "duck type generator labelSelector.matchExpressions",
+			resourceName: "",
+			labelSelector: metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      "duck",
+					Operator: "In",
+					Values:   []string{"all-species", "marbled"},
+				},
+			}},
+			resource: duckType,
+			values:   nil,
+			expected: []map[string]interface{}{
+				{"clusterName": "production-01", "name": "production-01", "server": "https://production-01.example.com"},
+
+				{"clusterName": "staging-01", "name": "staging-01", "server": "https://staging-01.example.com"},
+			},
+			expectedError: nil,
+		},
+		{
+			name:         "duck type generator resourceName and labelSelector.matchExpressions",
+			resourceName: resourceName,
+			labelSelector: metav1.LabelSelector{MatchExpressions: []metav1.LabelSelectorRequirement{
+				{
+					Key:      "duck",
+					Operator: "In",
+					Values:   []string{"all-species", "marbled"},
+				},
+			}},
+			resource:      duckType,
+			values:        nil,
+			expected:      nil,
+			expectedError: fmt.Errorf("There is a problem with the definition of the ClusterDecisionResource generator"),
+		},
+	}
+
+	// convert []client.Object to []runtime.Object, for use by kubefake package
+	runtimeClusters := []runtime.Object{}
+	for _, clientCluster := range clusters {
+		runtimeClusters = append(runtimeClusters, clientCluster)
+	}
+
+	for _, testCase := range testCases {
+
+		t.Run(testCase.name, func(t *testing.T) {
+
+			appClientset := kubefake.NewSimpleClientset(append(runtimeClusters, configMap)...)
+
+			gvrToListKind := map[schema.GroupVersionResource]string{{
+				Group:    "mallard.io",
+				Version:  "v1",
+				Resource: "ducks",
+			}: "DuckList"}
+
+			fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, testCase.resource)
+
+			var duckTypeGenerator = NewDuckTypeGenerator(context.Background(), fakeDynClient, appClientset, "namespace")
+
+			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					GoTemplate: true,
+				},
+			}
+
+			got, err := duckTypeGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
+				ClusterDecisionResource: &argoprojiov1alpha1.DuckTypeGenerator{
+					ConfigMapRef:  "my-configmap",
+					Name:          testCase.resourceName,
+					LabelSelector: testCase.labelSelector,
+					Values:        testCase.values,
+				},
+			}, &applicationSetInfo)
 
 			if testCase.expectedError != nil {
 				assert.EqualError(t, err, testCase.expectedError.Error())

applicationset/generators/generator_spec_processor.go

@@ -1,23 +1,43 @@
 package generators
 
 import (
+	"fmt"
 	"reflect"
 
+	"github.com/jeremywohl/flatten"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
+
+	"k8s.io/apimachinery/pkg/labels"
+
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+
 	"github.com/imdario/mergo"
 	log "github.com/sirupsen/logrus"
+)
 
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
+const (
+	selectorKey = "Selector"
 )
 
 type TransformResult struct {
-	Params   []map[string]string
+	Params   []map[string]interface{}
 	Template argoprojiov1alpha1.ApplicationSetTemplate
 }
 
-//Transform a spec generator to list of paramSets and a template
-func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet) ([]TransformResult, error) {
+// Transform a spec generator to list of paramSets and a template
+func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]interface{}) ([]TransformResult, error) {
+	// This is a custom version of the `LabelSelectorAsSelector` that is in k8s.io/apimachinery. This has been copied
+	// verbatim from that package, with the difference that we do not have any restrictions on label values. This is done
+	// so that, among other things, we can match on cluster urls.
+	selector, err := utils.LabelSelectorAsSelector(requestedGenerator.Selector)
+	if err != nil {
+		return nil, fmt.Errorf("error parsing label selector: %w", err)
+	}
+
 	res := []TransformResult{}
 	var firstError error
+	interpolatedGenerator := requestedGenerator.DeepCopy()
 
 	generators := GetRelevantGenerators(&requestedGenerator, allGenerators)
 	for _, g := range generators {
@@ -31,8 +51,20 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 			}
 			continue
 		}
-
-		params, err := g.GenerateParams(&requestedGenerator, appSet)
+		var params []map[string]interface{}
+		if len(genParams) != 0 {
+			tempInterpolatedGenerator, err := InterpolateGenerator(&requestedGenerator, genParams, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
+			interpolatedGenerator = &tempInterpolatedGenerator
+			if err != nil {
+				log.WithError(err).WithField("genParams", genParams).
+					Error("error interpolating params for generator")
+				if firstError == nil {
+					firstError = err
+				}
+				continue
+			}
+		}
+		params, err = g.GenerateParams(interpolatedGenerator, appSet)
 		if err != nil {
 			log.WithError(err).WithField("generator", g).
 				Error("error generating params")
@@ -41,16 +73,31 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 			}
 			continue
 		}
+		var filterParams []map[string]interface{}
+		for _, param := range params {
+			flatParam, err := flattenParameters(param)
+			if err != nil {
+				log.WithError(err).WithField("generator", g).
+					Error("error flattening params")
+				if firstError == nil {
+					firstError = err
+				}
+				continue
+			}
+
+			if requestedGenerator.Selector != nil && !selector.Matches(labels.Set(flatParam)) {
+				continue
+			}
+			filterParams = append(filterParams, param)
+		}
 
 		res = append(res, TransformResult{
-			Params:   params,
+			Params:   filterParams,
 			Template: mergedTemplate,
 		})
-
 	}
 
 	return res, firstError
-
 }
 
 func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, generators map[string]Generator) []Generator {
@@ -62,17 +109,34 @@ func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSet
 		if !field.CanInterface() {
 			continue
 		}
+		name := v.Type().Field(i).Name
+		if name == selectorKey {
+			continue
+		}
 
 		if !reflect.ValueOf(field.Interface()).IsNil() {
-			res = append(res, generators[v.Type().Field(i).Name])
+			res = append(res, generators[name])
 		}
 	}
 
 	return res
 }
 
-func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetTemplate argoprojiov1alpha1.ApplicationSetTemplate) (argoprojiov1alpha1.ApplicationSetTemplate, error) {
+func flattenParameters(in map[string]interface{}) (map[string]string, error) {
+	flat, err := flatten.Flatten(in, "", flatten.DotStyle)
+	if err != nil {
+		return nil, fmt.Errorf("error flatenning parameters: %w", err)
+	}
 
+	out := make(map[string]string, len(flat))
+	for k, v := range flat {
+		out[k] = fmt.Sprintf("%v", v)
+	}
+
+	return out, nil
+}
+
+func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetTemplate argoprojiov1alpha1.ApplicationSetTemplate) (argoprojiov1alpha1.ApplicationSetTemplate, error) {
 	// Make a copy of the value from `GetTemplate()` before merge, rather than copying directly into
 	// the provided parameter (which will touch the original resource object returned by client-go)
 	dest := g.GetTemplate(requestedGenerator).DeepCopy()
@@ -81,3 +145,29 @@ func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.
 
 	return *dest, err
 }
+
+// InterpolateGenerator allows interpolating the matrix's 2nd child generator with values from the 1st child generator
+// "params" parameter is an array, where each index corresponds to a generator. Each index contains a map w/ that generator's parameters.
+func InterpolateGenerator(requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, params map[string]interface{}, useGoTemplate bool, goTemplateOptions []string) (argoprojiov1alpha1.ApplicationSetGenerator, error) {
+	render := utils.Render{}
+	interpolatedGenerator, err := render.RenderGeneratorParams(requestedGenerator, params, useGoTemplate, goTemplateOptions)
+	if err != nil {
+		log.WithError(err).WithField("interpolatedGenerator", interpolatedGenerator).Error("error interpolating generator with other generator's parameter")
+		return argoprojiov1alpha1.ApplicationSetGenerator{}, err
+	}
+
+	return *interpolatedGenerator, nil
+}
+
+// Fixes https://github.com/argoproj/argo-cd/issues/11982 while ensuring backwards compatibility.
+// This is only a short-term solution and should be removed in a future major version.
+func dropDisabledNestedSelectors(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator) bool {
+	var foundSelector bool
+	for i := range generators {
+		if generators[i].Selector != nil {
+			foundSelector = true
+			generators[i].Selector = nil
+		}
+	}
+	return foundSelector
+}

applicationset/generators/generator_spec_processor_test.go

@@ -0,0 +1,560 @@
+package generators
+
+import (
+	"context"
+	"testing"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/services/mocks"
+
+	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+
+	"github.com/stretchr/testify/mock"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+	crtclient "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func TestMatchValues(t *testing.T) {
+	testCases := []struct {
+		name     string
+		elements []apiextensionsv1.JSON
+		selector *metav1.LabelSelector
+		expected []map[string]interface{}
+	}{
+		{
+			name:     "no filter",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
+			selector: &metav1.LabelSelector{},
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+		},
+		{
+			name:     "nil",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
+			selector: nil,
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+		},
+		{
+			name:     "values.foo should be foo but is ignore element",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"values.foo": "foo",
+				},
+			},
+			expected: []map[string]interface{}{},
+		},
+		{
+			name:     "values.foo should be bar",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"values.foo": "bar",
+				},
+			},
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values.foo": "bar"}},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			var listGenerator = NewListGenerator()
+			var data = map[string]Generator{
+				"List": listGenerator,
+			}
+
+			applicationSetInfo := argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{
+					GoTemplate: false,
+				},
+			}
+
+			results, err := Transform(argov1alpha1.ApplicationSetGenerator{
+				Selector: testCase.selector,
+				List: &argov1alpha1.ListGenerator{
+					Elements: testCase.elements,
+					Template: emptyTemplate(),
+				}},
+				data,
+				emptyTemplate(),
+				&applicationSetInfo, nil)
+
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, testCase.expected, results[0].Params)
+		})
+	}
+}
+
+func TestMatchValuesGoTemplate(t *testing.T) {
+	testCases := []struct {
+		name     string
+		elements []apiextensionsv1.JSON
+		selector *metav1.LabelSelector
+		expected []map[string]interface{}
+	}{
+		{
+			name:     "no filter",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
+			selector: &metav1.LabelSelector{},
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+		},
+		{
+			name:     "nil",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
+			selector: nil,
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+		},
+		{
+			name:     "values.foo should be foo but is ignore element",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"values.foo": "foo",
+				},
+			},
+			expected: []map[string]interface{}{},
+		},
+		{
+			name:     "values.foo should be bar",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"values.foo": "bar",
+				},
+			},
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values": map[string]interface{}{"foo": "bar"}}},
+		},
+		{
+			name:     "values.0 should be bar",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":["bar"]}`)}},
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"values.0": "bar",
+				},
+			},
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values": []interface{}{"bar"}}},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			var listGenerator = NewListGenerator()
+			var data = map[string]Generator{
+				"List": listGenerator,
+			}
+
+			applicationSetInfo := argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{
+					GoTemplate: true,
+				},
+			}
+
+			results, err := Transform(argov1alpha1.ApplicationSetGenerator{
+				Selector: testCase.selector,
+				List: &argov1alpha1.ListGenerator{
+					Elements: testCase.elements,
+					Template: emptyTemplate(),
+				}},
+				data,
+				emptyTemplate(),
+				&applicationSetInfo, nil)
+
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, testCase.expected, results[0].Params)
+		})
+	}
+}
+
+func TestTransForm(t *testing.T) {
+	testCases := []struct {
+		name     string
+		selector *metav1.LabelSelector
+		expected []map[string]interface{}
+	}{
+		{
+			name: "server filter",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"server": "https://production-01.example.com"},
+			},
+			expected: []map[string]interface{}{{
+				"metadata.annotations.foo.argoproj.io":           "production",
+				"metadata.labels.argocd.argoproj.io/secret-type": "cluster",
+				"metadata.labels.environment":                    "production",
+				"metadata.labels.org":                            "bar",
+				"name":                                           "production_01/west",
+				"nameNormalized":                                 "production-01-west",
+				"server":                                         "https://production-01.example.com",
+			}},
+		},
+		{
+			name: "server filter with long url",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"server": "https://some-really-long-url-that-will-exceed-63-characters.com"},
+			},
+			expected: []map[string]interface{}{{
+				"metadata.annotations.foo.argoproj.io":           "production",
+				"metadata.labels.argocd.argoproj.io/secret-type": "cluster",
+				"metadata.labels.environment":                    "production",
+				"metadata.labels.org":                            "bar",
+				"name":                                           "some-really-long-server-url",
+				"nameNormalized":                                 "some-really-long-server-url",
+				"server":                                         "https://some-really-long-url-that-will-exceed-63-characters.com",
+			}},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			testGenerators := map[string]Generator{
+				"Clusters": getMockClusterGenerator(),
+			}
+
+			applicationSetInfo := argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{},
+			}
+
+			results, err := Transform(
+				argov1alpha1.ApplicationSetGenerator{
+					Selector: testCase.selector,
+					Clusters: &argov1alpha1.ClusterGenerator{
+						Selector: metav1.LabelSelector{},
+						Template: argov1alpha1.ApplicationSetTemplate{},
+						Values:   nil,
+					}},
+				testGenerators,
+				emptyTemplate(),
+				&applicationSetInfo, nil)
+
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, testCase.expected, results[0].Params)
+		})
+	}
+}
+
+func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
+	return argov1alpha1.ApplicationSetTemplate{
+		Spec: argov1alpha1.ApplicationSpec{
+			Project: "project",
+		},
+	}
+}
+
+func getMockClusterGenerator() Generator {
+	clusters := []crtclient.Object{
+		&corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "staging-01",
+				Namespace: "namespace",
+				Labels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"environment":                    "staging",
+					"org":                            "foo",
+				},
+				Annotations: map[string]string{
+					"foo.argoproj.io": "staging",
+				},
+			},
+			Data: map[string][]byte{
+				"config": []byte("{}"),
+				"name":   []byte("staging-01"),
+				"server": []byte("https://staging-01.example.com"),
+			},
+			Type: corev1.SecretType("Opaque"),
+		},
+		&corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "production-01",
+				Namespace: "namespace",
+				Labels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"environment":                    "production",
+					"org":                            "bar",
+				},
+				Annotations: map[string]string{
+					"foo.argoproj.io": "production",
+				},
+			},
+			Data: map[string][]byte{
+				"config": []byte("{}"),
+				"name":   []byte("production_01/west"),
+				"server": []byte("https://production-01.example.com"),
+			},
+			Type: corev1.SecretType("Opaque"),
+		},
+		&corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "some-really-long-server-url",
+				Namespace: "namespace",
+				Labels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"environment":                    "production",
+					"org":                            "bar",
+				},
+				Annotations: map[string]string{
+					"foo.argoproj.io": "production",
+				},
+			},
+			Data: map[string][]byte{
+				"config": []byte("{}"),
+				"name":   []byte("some-really-long-server-url"),
+				"server": []byte("https://some-really-long-url-that-will-exceed-63-characters.com"),
+			},
+			Type: corev1.SecretType("Opaque"),
+		},
+	}
+	runtimeClusters := []runtime.Object{}
+	for _, clientCluster := range clusters {
+		runtimeClusters = append(runtimeClusters, clientCluster)
+	}
+	appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
+
+	fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
+	return NewClusterGenerator(fakeClient, context.Background(), appClientset, "namespace")
+}
+
+func getMockGitGenerator() Generator {
+	argoCDServiceMock := mocks.Repos{}
+	argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
+	var gitGenerator = NewGitGenerator(&argoCDServiceMock)
+	return gitGenerator
+}
+
+func TestGetRelevantGenerators(t *testing.T) {
+
+	testGenerators := map[string]Generator{
+		"Clusters": getMockClusterGenerator(),
+		"Git":      getMockGitGenerator(),
+	}
+
+	testGenerators["Matrix"] = NewMatrixGenerator(testGenerators)
+	testGenerators["Merge"] = NewMergeGenerator(testGenerators)
+	testGenerators["List"] = NewListGenerator()
+
+	requestedGenerator := &argov1alpha1.ApplicationSetGenerator{
+		List: &argov1alpha1.ListGenerator{
+			Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
+		}}
+
+	relevantGenerators := GetRelevantGenerators(requestedGenerator, testGenerators)
+	assert.Len(t, relevantGenerators, 1)
+	assert.IsType(t, &ListGenerator{}, relevantGenerators[0])
+
+	requestedGenerator = &argov1alpha1.ApplicationSetGenerator{
+		Clusters: &argov1alpha1.ClusterGenerator{
+			Selector: metav1.LabelSelector{},
+			Template: argov1alpha1.ApplicationSetTemplate{},
+			Values:   nil,
+		},
+	}
+
+	relevantGenerators = GetRelevantGenerators(requestedGenerator, testGenerators)
+	assert.Len(t, relevantGenerators, 1)
+	assert.IsType(t, &ClusterGenerator{}, relevantGenerators[0])
+
+	requestedGenerator = &argov1alpha1.ApplicationSetGenerator{
+		Git: &argov1alpha1.GitGenerator{
+			RepoURL:             "",
+			Directories:         nil,
+			Files:               nil,
+			Revision:            "",
+			RequeueAfterSeconds: nil,
+			Template:            argov1alpha1.ApplicationSetTemplate{},
+		},
+	}
+
+	relevantGenerators = GetRelevantGenerators(requestedGenerator, testGenerators)
+	assert.Len(t, relevantGenerators, 1)
+	assert.IsType(t, &GitGenerator{}, relevantGenerators[0])
+}
+
+func TestInterpolateGenerator(t *testing.T) {
+	requestedGenerator := &argov1alpha1.ApplicationSetGenerator{
+		Clusters: &argov1alpha1.ClusterGenerator{
+			Selector: metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"path-basename":                  "{{path.basename}}",
+					"path-zero":                      "{{path[0]}}",
+					"path-full":                      "{{path}}",
+				}},
+		},
+	}
+	gitGeneratorParams := map[string]interface{}{
+		"path":                    "p1/p2/app3",
+		"path.basename":           "app3",
+		"path[0]":                 "p1",
+		"path[1]":                 "p2",
+		"path.basenameNormalized": "app3",
+	}
+	interpolatedGenerator, err := InterpolateGenerator(requestedGenerator, gitGeneratorParams, false, nil)
+	if err != nil {
+		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
+		return
+	}
+	assert.Equal(t, "app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-basename"])
+	assert.Equal(t, "p1", interpolatedGenerator.Clusters.Selector.MatchLabels["path-zero"])
+	assert.Equal(t, "p1/p2/app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-full"])
+
+	fileNamePath := argov1alpha1.GitFileGeneratorItem{
+		Path: "{{name}}",
+	}
+	fileServerPath := argov1alpha1.GitFileGeneratorItem{
+		Path: "{{server}}",
+	}
+
+	requestedGenerator = &argov1alpha1.ApplicationSetGenerator{
+		Git: &argov1alpha1.GitGenerator{
+			Files:    append([]argov1alpha1.GitFileGeneratorItem{}, fileNamePath, fileServerPath),
+			Template: argov1alpha1.ApplicationSetTemplate{},
+		},
+	}
+	clusterGeneratorParams := map[string]interface{}{
+		"name": "production_01/west", "server": "https://production-01.example.com",
+	}
+	interpolatedGenerator, err = InterpolateGenerator(requestedGenerator, clusterGeneratorParams, false, nil)
+	if err != nil {
+		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
+		return
+	}
+	assert.Equal(t, "production_01/west", interpolatedGenerator.Git.Files[0].Path)
+	assert.Equal(t, "https://production-01.example.com", interpolatedGenerator.Git.Files[1].Path)
+}
+
+func TestInterpolateGenerator_go(t *testing.T) {
+	requestedGenerator := &argov1alpha1.ApplicationSetGenerator{
+		Clusters: &argov1alpha1.ClusterGenerator{
+			Selector: metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"path-basename":                  "{{base .path.path}}",
+					"path-zero":                      "{{index .path.segments 0}}",
+					"path-full":                      "{{.path.path}}",
+					"kubernetes.io/environment":      `{{default "foo" .my_label}}`,
+				}},
+		},
+	}
+	gitGeneratorParams := map[string]interface{}{
+		"path": map[string]interface{}{
+			"path":     "p1/p2/app3",
+			"segments": []string{"p1", "p2", "app3"},
+		},
+	}
+	interpolatedGenerator, err := InterpolateGenerator(requestedGenerator, gitGeneratorParams, true, nil)
+	require.NoError(t, err)
+	if err != nil {
+		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
+		return
+	}
+	assert.Equal(t, "app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-basename"])
+	assert.Equal(t, "p1", interpolatedGenerator.Clusters.Selector.MatchLabels["path-zero"])
+	assert.Equal(t, "p1/p2/app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-full"])
+
+	fileNamePath := argov1alpha1.GitFileGeneratorItem{
+		Path: "{{.name}}",
+	}
+	fileServerPath := argov1alpha1.GitFileGeneratorItem{
+		Path: "{{.server}}",
+	}
+
+	requestedGenerator = &argov1alpha1.ApplicationSetGenerator{
+		Git: &argov1alpha1.GitGenerator{
+			Files:    append([]argov1alpha1.GitFileGeneratorItem{}, fileNamePath, fileServerPath),
+			Template: argov1alpha1.ApplicationSetTemplate{},
+		},
+	}
+	clusterGeneratorParams := map[string]interface{}{
+		"name": "production_01/west", "server": "https://production-01.example.com",
+	}
+	interpolatedGenerator, err = InterpolateGenerator(requestedGenerator, clusterGeneratorParams, true, nil)
+	if err != nil {
+		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
+		return
+	}
+	assert.Equal(t, "production_01/west", interpolatedGenerator.Git.Files[0].Path)
+	assert.Equal(t, "https://production-01.example.com", interpolatedGenerator.Git.Files[1].Path)
+}
+
+func TestInterpolateGeneratorError(t *testing.T) {
+	type args struct {
+		requestedGenerator *argov1alpha1.ApplicationSetGenerator
+		params             map[string]interface{}
+		useGoTemplate      bool
+		goTemplateOptions  []string
+	}
+	tests := []struct {
+		name           string
+		args           args
+		want           argov1alpha1.ApplicationSetGenerator
+		expectedErrStr string
+	}{
+		{name: "Empty Gen", args: args{
+			requestedGenerator: nil,
+			params:             nil,
+			useGoTemplate:      false,
+			goTemplateOptions:  nil,
+		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "generator is empty"},
+		{name: "No Params", args: args{
+			requestedGenerator: &argov1alpha1.ApplicationSetGenerator{},
+			params:             map[string]interface{}{},
+			useGoTemplate:      false,
+			goTemplateOptions:  nil,
+		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: ""},
+		{name: "Error templating", args: args{
+			requestedGenerator: &argov1alpha1.ApplicationSetGenerator{Git: &argov1alpha1.GitGenerator{
+				RepoURL:  "foo",
+				Files:    []argov1alpha1.GitFileGeneratorItem{{Path: "bar/"}},
+				Revision: "main",
+				Values: map[string]string{
+					"git_test":  "{{ toPrettyJson . }}",
+					"selection": "{{ default .override .test }}",
+					"resolved":  "{{ index .rmap (default .override .test) }}",
+				},
+			}},
+			params: map[string]interface{}{
+				"name":     "in-cluster",
+				"override": "foo",
+			},
+			useGoTemplate:     true,
+			goTemplateOptions: []string{},
+		}, want: argov1alpha1.ApplicationSetGenerator{}, expectedErrStr: "failed to replace parameters in generator: failed to execute go template {{ index .rmap (default .override .test) }}: template: :1:3: executing \"\" at <index .rmap (default .override .test)>: error calling index: index of untyped nil"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := InterpolateGenerator(tt.args.requestedGenerator, tt.args.params, tt.args.useGoTemplate, tt.args.goTemplateOptions)
+			if tt.expectedErrStr != "" {
+				assert.EqualError(t, err, tt.expectedErrStr)
+			} else {
+				require.NoError(t, err)
+			}
+			assert.Equalf(t, tt.want, got, "InterpolateGenerator(%v, %v, %v, %v)", tt.args.requestedGenerator, tt.args.params, tt.args.useGoTemplate, tt.args.goTemplateOptions)
+		})
+	}
+}

applicationset/generators/git.go

@@ -14,7 +14,8 @@ import (
 	"sigs.k8s.io/yaml"
 
 	"github.com/argoproj/argo-cd/v2/applicationset/services"
-	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/applicationset/utils"
+	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
 var _ Generator = (*GitGenerator)(nil)
@@ -45,7 +46,7 @@ func (g *GitGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Appli
 	return DefaultRequeueAfterSeconds
 }
 
-func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, _ *argoprojiov1alpha1.ApplicationSet) ([]map[string]string, error) {
+func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
 
 	if appSetGenerator == nil {
 		return nil, EmptyAppSetGeneratorError
@@ -55,50 +56,56 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic
 		return nil, EmptyAppSetGeneratorError
 	}
 
+	noRevisionCache := appSet.RefreshRequired()
+
 	var err error
-	var res []map[string]string
-	if appSetGenerator.Git.Directories != nil {
-		res, err = g.generateParamsForGitDirectories(appSetGenerator)
-	} else if appSetGenerator.Git.Files != nil {
-		res, err = g.generateParamsForGitFiles(appSetGenerator)
+	var res []map[string]interface{}
+	if len(appSetGenerator.Git.Directories) != 0 {
+		res, err = g.generateParamsForGitDirectories(appSetGenerator, noRevisionCache, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
+	} else if len(appSetGenerator.Git.Files) != 0 {
+		res, err = g.generateParamsForGitFiles(appSetGenerator, noRevisionCache, appSet.Spec.GoTemplate, appSet.Spec.GoTemplateOptions)
 	} else {
 		return nil, EmptyAppSetGeneratorError
 	}
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error generating params from git: %w", err)
 	}
 
 	return res, nil
 }
 
-func (g *GitGenerator) generateParamsForGitDirectories(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) ([]map[string]string, error) {
+func (g *GitGenerator) generateParamsForGitDirectories(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache bool, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
 
 	// Directories, not files
-	allPaths, err := g.repos.GetDirectories(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision)
+	allPaths, err := g.repos.GetDirectories(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, noRevisionCache)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error getting directories from repo: %w", err)
 	}
 
 	log.WithFields(log.Fields{
-		"allPaths": allPaths,
-		"total":    len(allPaths),
-		"repoURL":  appSetGenerator.Git.RepoURL,
-		"revision": appSetGenerator.Git.Revision,
+		"allPaths":        allPaths,
+		"total":           len(allPaths),
+		"repoURL":         appSetGenerator.Git.RepoURL,
+		"revision":        appSetGenerator.Git.Revision,
+		"pathParamPrefix": appSetGenerator.Git.PathParamPrefix,
 	}).Info("applications result from the repo service")
 
 	requestedApps := g.filterApps(appSetGenerator.Git.Directories, allPaths)
 
-	res := g.generateParamsFromApps(requestedApps, appSetGenerator)
+	res, err := g.generateParamsFromApps(requestedApps, appSetGenerator, useGoTemplate, goTemplateOptions)
+	if err != nil {
+		return nil, fmt.Errorf("error generating params from apps: %w", err)
+	}
 
 	return res, nil
 }
 
-func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) ([]map[string]string, error) {
+func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, noRevisionCache bool, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
 
 	// Get all files that match the requested path string, removing duplicates
 	allFiles := make(map[string][]byte)
 	for _, requestedPath := range appSetGenerator.Git.Files {
-		files, err := g.repos.GetFiles(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, requestedPath.Path)
+		files, err := g.repos.GetFiles(context.TODO(), appSetGenerator.Git.RepoURL, appSetGenerator.Git.Revision, requestedPath.Path, noRevisionCache)
 		if err != nil {
 			return nil, err
 		}
@@ -116,23 +123,21 @@ func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1al
 	sort.Strings(allPaths)
 
 	// Generate params from each path, and return
-	res := []map[string]string{}
+	res := []map[string]interface{}{}
 	for _, path := range allPaths {
 
 		// A JSON / YAML file path can contain multiple sets of parameters (ie it is an array)
-		paramsArray, err := g.generateParamsFromGitFile(path, allFiles[path])
+		paramsArray, err := g.generateParamsFromGitFile(path, allFiles[path], appSetGenerator.Git.Values, useGoTemplate, goTemplateOptions, appSetGenerator.Git.PathParamPrefix)
 		if err != nil {
 			return nil, fmt.Errorf("unable to process file '%s': %v", path, err)
 		}
 
-		for index := range paramsArray {
-			res = append(res, paramsArray[index])
-		}
+		res = append(res, paramsArray...)
 	}
 	return res, nil
 }
 
-func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []byte) ([]map[string]string, error) {
+func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []byte, values map[string]string, useGoTemplate bool, goTemplateOptions []string, pathParamPrefix string) ([]map[string]interface{}, error) {
 	objectsFound := []map[string]interface{}{}
 
 	// First, we attempt to parse as an array
@@ -145,36 +150,68 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 			return nil, fmt.Errorf("unable to parse file: %v", err)
 		}
 		objectsFound = append(objectsFound, singleObj)
+	} else if len(objectsFound) == 0 {
+		// If file is valid but empty, add a default empty item
+		objectsFound = append(objectsFound, map[string]interface{}{})
 	}
 
-	res := []map[string]string{}
+	res := []map[string]interface{}{}
 
-	// Flatten all objects found, and return them
 	for _, objectFound := range objectsFound {
 
-		flat, err := flatten.Flatten(objectFound, "", flatten.DotStyle)
-		if err != nil {
-			return nil, err
-		}
-		params := map[string]string{}
-		for k, v := range flat {
-			params[k] = fmt.Sprintf("%v", v)
-		}
-		params["path"] = path.Dir(filePath)
-		params["path.basename"] = path.Base(params["path"])
-		params["path.filename"] = path.Base(filePath)
-		params["path.basenameNormalized"] = sanitizeName(path.Base(params["path"]))
-		params["path.filenameNormalized"] = sanitizeName(path.Base(params["path.filename"]))
-		for k, v := range strings.Split(params["path"], "/") {
-			if len(v) > 0 {
-				params["path["+strconv.Itoa(k)+"]"] = v
+		params := map[string]interface{}{}
+
+		if useGoTemplate {
+			for k, v := range objectFound {
+				params[k] = v
+			}
+
+			paramPath := map[string]interface{}{}
+
+			paramPath["path"] = path.Dir(filePath)
+			paramPath["basename"] = path.Base(paramPath["path"].(string))
+			paramPath["filename"] = path.Base(filePath)
+			paramPath["basenameNormalized"] = utils.SanitizeName(path.Base(paramPath["path"].(string)))
+			paramPath["filenameNormalized"] = utils.SanitizeName(path.Base(paramPath["filename"].(string)))
+			paramPath["segments"] = strings.Split(paramPath["path"].(string), "/")
+			if pathParamPrefix != "" {
+				params[pathParamPrefix] = map[string]interface{}{"path": paramPath}
+			} else {
+				params["path"] = paramPath
+			}
+		} else {
+			flat, err := flatten.Flatten(objectFound, "", flatten.DotStyle)
+			if err != nil {
+				return nil, fmt.Errorf("error flattening object: %w", err)
+			}
+			for k, v := range flat {
+				params[k] = fmt.Sprintf("%v", v)
+			}
+			pathParamName := "path"
+			if pathParamPrefix != "" {
+				pathParamName = pathParamPrefix + "." + pathParamName
+			}
+			params[pathParamName] = path.Dir(filePath)
+			params[pathParamName+".basename"] = path.Base(params[pathParamName].(string))
+			params[pathParamName+".filename"] = path.Base(filePath)
+			params[pathParamName+".basenameNormalized"] = utils.SanitizeName(path.Base(params[pathParamName].(string)))
+			params[pathParamName+".filenameNormalized"] = utils.SanitizeName(path.Base(params[pathParamName+".filename"].(string)))
+			for k, v := range strings.Split(params[pathParamName].(string), "/") {
+				if len(v) > 0 {
+					params[pathParamName+"["+strconv.Itoa(k)+"]"] = v
+				}
 			}
 		}
+
+		err := appendTemplatedValues(values, params, useGoTemplate, goTemplateOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to append templated values: %w", err)
+		}
+
 		res = append(res, params)
 	}
 
 	return res, nil
-
 }
 
 func (g *GitGenerator) filterApps(Directories []argoprojiov1alpha1.GitDirectoryGeneratorItem, allPaths []string) []string {
@@ -205,23 +242,45 @@ func (g *GitGenerator) filterApps(Directories []argoprojiov1alpha1.GitDirectoryG
 	return res
 }
 
-func (g *GitGenerator) generateParamsFromApps(requestedApps []string, _ *argoprojiov1alpha1.ApplicationSetGenerator) []map[string]string {
-	// TODO: At some point, the appicationSetGenerator param should be used
-
-	res := make([]map[string]string, len(requestedApps))
+func (g *GitGenerator) generateParamsFromApps(requestedApps []string, appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator, useGoTemplate bool, goTemplateOptions []string) ([]map[string]interface{}, error) {
+	res := make([]map[string]interface{}, len(requestedApps))
 	for i, a := range requestedApps {
 
-		params := make(map[string]string, 2)
-		params["path"] = a
-		params["path.basename"] = path.Base(a)
-		params["path.basenameNormalized"] = sanitizeName(path.Base(a))
-		for k, v := range strings.Split(params["path"], "/") {
-			if len(v) > 0 {
-				params["path["+strconv.Itoa(k)+"]"] = v
+		params := make(map[string]interface{}, 5)
+
+		if useGoTemplate {
+			paramPath := map[string]interface{}{}
+			paramPath["path"] = a
+			paramPath["basename"] = path.Base(a)
+			paramPath["basenameNormalized"] = utils.SanitizeName(path.Base(a))
+			paramPath["segments"] = strings.Split(paramPath["path"].(string), "/")
+			if appSetGenerator.Git.PathParamPrefix != "" {
+				params[appSetGenerator.Git.PathParamPrefix] = map[string]interface{}{"path": paramPath}
+			} else {
+				params["path"] = paramPath
+			}
+		} else {
+			pathParamName := "path"
+			if appSetGenerator.Git.PathParamPrefix != "" {
+				pathParamName = appSetGenerator.Git.PathParamPrefix + "." + pathParamName
+			}
+			params[pathParamName] = a
+			params[pathParamName+".basename"] = path.Base(a)
+			params[pathParamName+".basenameNormalized"] = utils.SanitizeName(path.Base(a))
+			for k, v := range strings.Split(params[pathParamName].(string), "/") {
+				if len(v) > 0 {
+					params[pathParamName+"["+strconv.Itoa(k)+"]"] = v
+				}
 			}
 		}
+
+		err := appendTemplatedValues(appSetGenerator.Git.Values, params, useGoTemplate, goTemplateOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to append templated values: %w", err)
+		}
+
 		res[i] = params
 	}
 
-	return res
+	return res, nil
 }