docs: Clarifying override RBAC needs (#16964)

Signed-off-by: Ryan Shatford <ryan@shatford.com>
Signed-off-by: Dan Garfield <dan@codefresh.io>
Co-authored-by: Ryan Shatford <ryan@shatford.com>
Co-authored-by: Dan Garfield <dan@codefresh.io>

.circleci/config.yml

@@ -1,332 +0,0 @@
-version: 2.1
-commands:
-  before:
-    steps:
-      - restore_go_cache
-      - install_golang
-      - install_tools
-      - clean_checkout
-      - configure_git
-      - install_go_deps
-      - dep_ensure
-  configure_git:
-    steps:
-      - run:
-          name: Configure Git
-          command: |
-            set -x
-            # must be configured for tests to run
-            git config --global user.email you@example.com
-            git config --global user.name "Your Name"
-            echo "export PATH=/home/circleci/.go_workspace/src/github.com/argoproj/argo-cd/hack:\$PATH" | tee -a $BASH_ENV
-            echo "export GIT_ASKPASS=git-ask-pass.sh" | tee -a $BASH_ENV
-  clean_checkout:
-    steps:
-      - run:
-          name: Remove checked out code
-          command: rm -Rf /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
-      - checkout
-  dep_ensure:
-    steps:
-      - restore_cache:
-          keys:
-            - vendor-v4-{{ checksum "Gopkg.lock" }}
-      - run:
-          name: Run dep ensure
-          command: dep ensure -v
-      - save_cache:
-          key: vendor-v4-{{ checksum "Gopkg.lock" }}
-          paths:
-            - vendor
-  install_golang:
-    steps:
-      - run:
-          name: Install Golang v1.12.6
-          command: |
-            go get golang.org/dl/go1.12.6
-            [ -e /home/circleci/sdk/go1.12.6 ] || go1.12.6 download
-            echo "export GOPATH=/home/circleci/.go_workspace" | tee -a $BASH_ENV
-            echo "export PATH=/home/circleci/sdk/go1.12.6/bin:\$PATH" | tee -a $BASH_ENV
-      - run:
-          name: Golang diagnostics
-          command: |
-            env
-            which go
-            go version
-            go env
-  install_go_deps:
-    steps:
-      - run:
-          name: Install Go deps
-          command: |
-            set -x
-            go get github.com/golangci/golangci-lint/cmd/golangci-lint
-            go get github.com/jstemmer/go-junit-report
-            go get github.com/mattn/goreman
-            go get golang.org/x/tools/cmd/goimports
-  install_tools:
-    steps:
-      - run:
-          name: Create downloads dir
-          command: mkdir -p /tmp/dl
-      - restore_cache:
-          keys:
-            - dl-v6
-      - run:
-          name: Install Kubectx v0.6.3
-          command: |
-            set -x
-            [ -e /tmp/dl/kubectx.zip ] || curl -sLf -C - -o /tmp/dl/kubectx.zip https://github.com/ahmetb/kubectx/archive/v0.6.3.zip
-            sudo unzip /tmp/dl/kubectx.zip kubectx-0.6.3/kubectx
-            sudo unzip /tmp/dl/kubectx.zip kubectx-0.6.3/kubens
-            sudo mv kubectx-0.6.3/kubectx /usr/local/bin/
-            sudo mv kubectx-0.6.3/kubens /usr/local/bin/
-            sudo chmod +x /usr/local/bin/kubectx
-            sudo chmod +x /usr/local/bin/kubens
-      - run:
-          name: Install Dep v0.5.3
-          command: |
-            set -x
-            [ -e /tmp/dl/dep ] || curl -sLf -C - -o /tmp/dl/dep https://github.com/golang/dep/releases/download/v0.5.3/dep-linux-amd64
-            sudo cp /tmp/dl/dep /usr/local/go/bin/dep
-            sudo chmod +x /usr/local/go/bin/dep
-            dep version
-      - run:
-          name: Install Ksonnet v0.13.1
-          command: |
-            set -x
-            [ -e /tmp/dl/ks.tar.gz ] || curl -sLf -C - -o /tmp/dl/ks.tar.gz https://github.com/ksonnet/ksonnet/releases/download/v0.13.1/ks_0.13.1_linux_amd64.tar.gz
-            tar -C /tmp -xf /tmp/dl/ks.tar.gz
-            sudo cp /tmp/ks_0.13.1_linux_amd64/ks /usr/local/go/bin/ks
-            sudo chmod +x /usr/local/go/bin/ks
-            ks version
-      - run:
-          name: Install Helm v2.13.1
-          command: |
-            set -x
-            [ -e /tmp/dl/helm.tar.gz ] || curl -sLf -C - -o /tmp/dl/helm.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz
-            tar -C /tmp/ -xf /tmp/dl/helm.tar.gz
-            sudo cp /tmp/linux-amd64/helm /usr/local/go/bin/helm
-            helm version --client
-            helm init --client-only
-      - run:
-          name: Install Kustomize v3.1.0
-          command: |
-            set -x
-            export VER=3.1.0
-            [ -e /tmp/dl/kustomize_${VER} ] || curl -sLf -C - -o /tmp/dl/kustomize_${VER} https://github.com/kubernetes-sigs/kustomize/releases/download/v${VER}/kustomize_${VER}_linux_amd64
-            sudo cp /tmp/dl/kustomize_${VER} /usr/local/go/bin/kustomize
-            sudo chmod +x /usr/local/go/bin/kustomize
-            kustomize version
-      - run:
-          name: Install Git LFS plugin
-          command: |
-            set -x
-            curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | sudo bash
-            sleep 5
-            sudo killall -9 apt-get || true
-            sudo apt-get update
-            sudo apt-get install -y git-lfs openssh-client
-      - save_cache:
-          key: dl-v6
-          paths:
-            - /tmp/dl
-  save_go_cache:
-    steps:
-      - save_cache:
-          key: go-v17-{{ .Branch }}
-          paths:
-            - /home/circleci/.go_workspace
-            - /home/circleci/.cache/go-build
-            - /home/circleci/sdk/go1.12.6
-  restore_go_cache:
-    steps:
-      - restore_cache:
-          keys:
-            - go-v17-{{ .Branch }}
-            - go-v17-master
-            - go-v16-{{ .Branch }}
-            - go-v16-master
-jobs:
-  build:
-    working_directory: /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
-    machine:
-      image: circleci/classic:201808-01
-    steps:
-      - before
-      - run:
-          name: Run unit tests
-          command: |
-            set -x
-            mkdir -p /tmp/test-results
-            trap "go-junit-report </tmp/test-results/go-test.out > /tmp/test-results/go-test-report.xml" EXIT
-            make test | tee /tmp/test-results/go-test.out
-      - save_go_cache
-      - run:
-          name: Uploading code coverage
-          command: bash <(curl -s https://codecov.io/bash) -f coverage.out
-          # This takes 2m, lets background it.
-          background: true
-      - store_test_results:
-          path: /tmp/test-results
-      - run:
-          name: Generate code
-          command: make codegen
-      - run:
-          name: Lint code
-          # use GOGC to limit memory usage in exchange for CPU usage, https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
-          # we have 8GB RAM, 2CPUs https://circleci.com/docs/2.0/executor-types/#using-machine
-          command: LINT_GOGC=20 LINT_CONCURRENCY=1 LINT_DEADLINE=3m0s make lint
-      - run:
-          name: Check nothing has changed
-          command: |
-            set -xo pipefail
-            # This makes sure you ran `make pre-commit` before you pushed.
-            # We exclude the Swagger resources; CircleCI doesn't generate them correctly.
-            # When this fails, it will, create a patch file you can apply locally to fix it.
-            # To troubleshoot builds: https://argoproj.github.io/argo-cd/developer-guide/ci/
-            git diff --exit-code -- . ':!Gopkg.lock'  ':!assets/swagger.json' | tee codegen.patch
-      - store_artifacts:
-          path: codegen.patch
-          when: always
-  e2e:
-    working_directory: /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
-    machine:
-      image: circleci/classic:201808-01
-    steps:
-      - run:
-          name: Install and start K3S v0.5.0
-          command: |
-            curl -sfL https://get.k3s.io | sh -
-            sudo chmod -R a+rw /etc/rancher/k3s
-            kubectl version
-          background: true
-          environment:
-            INSTALL_K3S_EXEC: --docker
-            INSTALL_K3S_VERSION: v0.5.0
-      - before
-      - run:
-          # do this before we build everything else in the background, as they tend to explode
-          name: Make CLI
-          command: |
-            set -x
-            make cli
-            # must be added to path for tests
-            echo export PATH="`pwd`/dist:\$PATH" | tee -a $BASH_ENV
-      - run:
-          name: Create namespace
-          command: |
-            set -x
-            kubectl create ns argocd-e2e
-            kubens argocd-e2e
-            # install the certificates (not 100% sure we need this)
-            sudo cp /var/lib/rancher/k3s/server/tls/token-ca.crt /usr/local/share/ca-certificates/k3s.crt
-            sudo update-ca-certificates
-            # create the kubecfg, again - not sure we need this
-            cat /etc/rancher/k3s/k3s.yaml | sed "s/localhost/`hostname`/" | tee ~/.kube/config
-            echo "127.0.0.1 `hostname`" | sudo tee -a /etc/hosts
-      - run:
-          name: Apply manifests
-          command: kustomize build test/manifests/base | kubectl apply -f -
-      - run:
-          name: Start Redis
-          command: docker run --rm --name argocd-redis -i -p 6379:6379 redis:5.0.3-alpine --save "" --appendonly no
-          background: true
-      - run:
-          name: Start repo server
-          command: go run ./cmd/argocd-repo-server/main.go --loglevel debug --redis localhost:6379
-          background: true
-          environment:
-            # pft. if you do not quote "true", CircleCI turns it into "1", stoopid
-            ARGOCD_FAKE_IN_CLUSTER: "true"
-            ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
-            ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
-      - run:
-          name: Start API server
-          command: go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:6379 --insecure --dex-server http://localhost:5556 --repo-server localhost:8081 --staticassets ../argo-cd-ui/dist/app
-          background: true
-          environment:
-            ARGOCD_FAKE_IN_CLUSTER: "true"
-            ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
-            ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
-      - run:
-          name: Start Test Git
-          command: |
-            test/fixture/testrepos/start-git.sh
-          background: true
-      - run:
-          name: Wait for API server
-          command: |
-            set -x
-            until curl -v http://localhost:8080/healthz; do sleep 3; done
-      - run:
-          name: Start controller
-          command: go run ./cmd/argocd-application-controller/main.go --loglevel debug --redis localhost:6379 --repo-server localhost:8081 --kubeconfig ~/.kube/config
-          background: true
-          environment:
-            ARGOCD_FAKE_IN_CLUSTER: "true"
-      - run:
-          name: Smoke test
-          command: |
-            set -x
-            argocd login localhost:8080 --plaintext  --username admin --password password
-            argocd app create guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook
-            argocd app sync guestbook
-            argocd app delete guestbook
-      - run:
-          name: Run e2e tests
-          command: |
-            set -x
-            mkdir -p /tmp/test-results
-            trap "go-junit-report </tmp/test-results/go-e2e.out > /tmp/test-results/go-e2e-report.xml" EXIT
-            make test-e2e | tee /tmp/test-results/go-e2e.out
-          environment:
-            ARGOCD_OPTS: "--server localhost:8080 --plaintext"
-            ARGOCD_E2E_EXPECT_TIMEOUT: "30"
-            ARGOCD_E2E_K3S: "true"
-      - store_test_results:
-          path: /tmp/test-results
-  ui:
-    # note that we checkout the code in ~/argo-cd/, but then work in ~/argo-cd/ui
-    working_directory: ~/argo-cd/ui
-    docker:
-      - image: node:11.15.0
-    steps:
-      - checkout:
-          path: ~/argo-cd/
-      - restore_cache:
-          name: Restore Yarn Package Cache
-          keys:
-            - yarn-packages-v3-{{ checksum "yarn.lock" }}
-      - run:
-          name: Install
-          command:
-            yarn install --frozen-lockfile --ignore-optional --non-interactive
-      - save_cache:
-          name: Save Yarn Package Cache
-          key: yarn-packages-v3-{{ checksum "yarn.lock" }}
-          paths:
-            - ~/.cache/yarn
-            - node_modules
-      - run:
-          name: Test
-          command: yarn test
-      # This does not appear to work, and I don't want to spend time on it.
-      - store_test_results:
-          path: junit.xml
-      - run:
-          name: Build
-          command: yarn build
-      - run:
-          name: Lint
-          command: yarn lint
-workflows:
-  version: 2
-  workflow:
-    jobs:
-      - build
-      - e2e
-      - ui:
-          # this isn't strictly true, we just put in here so that we 2/4 executors rather than 3/4
-          requires:
-            - build

.codecov.yml

@@ -1,17 +1,17 @@
 ignore:
 - "**/*.pb.go"
 - "**/*.pb.gw.go"
+- "**/*generated.go"
+- "**/*generated.deepcopy.go"
 - "**/*_test.go"
-- "pkg/apis/.*"
+- "pkg/apis/client/.*"
 - "pkg/client/.*"
-- "test/.*"
+- "vendor/.*"
 coverage:
   status:
-    # allow test coverage to drop by 1%, assume that it's typically due to CI problems
-    patch:
-      default:
-        enabled: no
-        if_not_found: success
+    # we've found this not to be useful
+    patch: off
     project:
       default:
-        threshold: 1
+        # allow test coverage to drop by 2%, assume that it's typically due to CI problems
+        threshold: 2

.github/ISSUE_TEMPLATE/bug_report.md

@@ -4,23 +4,30 @@ about: Create a report to help us improve
 title: ''
 labels: 'bug'
 assignees: ''
-
 ---
 
+If you are trying to resolve an environment-specific issue or have a one-off question about the edge case that does not require a feature then please consider asking a question in argocd slack [channel](https://argoproj.github.io/community/join-slack).
+
+Checklist:
+
+* [ ] I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
+* [ ] I've included steps to reproduce the bug.
+* [ ] I've pasted the output of `argocd version`.
+
 **Describe the bug**
+
 A clear and concise description of what the bug is.
 
 **To Reproduce**
-If we cannot reproduce, we cannot fix! Steps to reproduce the behavior:
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
+
+A list of the steps required to reproduce the issue. Best of all, give us the URL to a repository that exhibits this issue.
 
 **Expected behavior**
+
 A clear and concise description of what you expected to happen.
 
 **Screenshots**
+
 If applicable, add screenshots to help explain your problem.
 
 **Version**
@@ -34,10 +41,3 @@ Paste the output from `argocd version` here.
 ```
 Paste any relevant application logs here.
 ```
-
-**Have you thought about contributing a fix yourself?**
-
-Open Source software thrives with your contribution. It not only gives skills you might not be able to get in your day job, it also looks amazing on your resume. 
-
-If you want to get involved, check out the 
-[contributing guide](https://github.com/argoproj/argo-cd/blob/master/docs/CONTRIBUTING.md), then reach out to us on [Slack](https://argoproj.github.io/community/join-slack) so we can see how to get you started.

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,12 @@
+blank_issues_enabled: false
+
+contact_links:
+  - name: Have you read the docs?
+    url: https://argo-cd.readthedocs.io/
+    about: Much help can be found in the docs
+  - name: Ask a question
+    url: https://github.com/argoproj/argo-cd/discussions/new
+    about: Ask a question or start a discussion about Argo CD
+  - name: Chat on Slack
+    url: https://argoproj.github.io/community/join-slack
+    about: Maybe chatting with the community can help

.github/ISSUE_TEMPLATE/enhancement_proposal.md

@@ -0,0 +1,18 @@
+---
+name: Enhancement proposal
+about: Propose an enhancement for this project
+title: ''
+labels: 'enhancement'
+assignees: ''
+---
+# Summary
+
+What change you think needs making.
+
+# Motivation
+
+Please give examples of your use case, e.g. when would you use this.
+
+# Proposal
+
+How do you think this should be implemented?

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,21 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: 'enhancement'
-assignees: ''
-
----
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Have you thought about contributing yourself?**
-
-Open Source software thrives with your contribution. It not only gives skills you might not be able to get in your day job, it also looks amazing on your resume. 
-
-If you want to get involved, check out the 
-[contributing guide](https://github.com/argoproj/argo-cd/blob/master/docs/CONTRIBUTING.md), then reach out to us on [Slack](https://argoproj.github.io/community/join-slack) so we can see how to get you started.

.github/pull_request_template.md

@@ -1,7 +1,17 @@
-<!--
-Thank you for submitting your PR! 
+Note on DCO:
 
-We'd love your organisation to be listed in the [README](https://github.com/argoproj/argo-cd). Don't forget to add it if you can!
+If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the *Details* link next to the DCO action for instructions on how to resolve this.
+
+Checklist:
+
+* [ ] Either (a) I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
+* [ ] The title of the PR states what changed and the related issues number (used for the release note).
+* [ ] I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
+* [ ] I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
+* [ ] Does this PR require documentation updates?
+* [ ] I've updated documentation as required by this PR.
+* [ ] Optional. My organization is added to USERS.md.
+* [ ] I have signed off all my commits as required by [DCO](https://github.com/argoproj/argoproj/tree/master/community#contributing-to-argo)
+* [ ] I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
+* [ ] My build is green ([troubleshooting builds](https://argo-cd.readthedocs.io/en/latest/developer-guide/ci/)). 
 
-To troubleshoot builds: https://argoproj.github.io/argo-cd/developer-guide/ci/
--->  

.github/workflows/ci-build.yaml

@@ -0,0 +1,427 @@
+name: Integration tests
+on: 
+  push:
+    branches:
+      - 'master'
+      - 'release-*'
+      - '!release-1.4'
+      - '!release-1.5'
+  pull_request:
+    branches:
+      - 'master'
+
+jobs:
+  build-docker:
+    name: Build Docker image
+    runs-on: ubuntu-latest
+    if: github.head_ref != ''
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build Docker image
+        run: |
+          make image
+  check-go:
+    name: Ensure Go modules synchronicity
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Golang
+        uses: actions/setup-go@v1
+        with:
+          go-version: '1.14.12'
+      - name: Download all Go modules
+        run: |
+          go mod download
+      - name: Check for tidyness of go.mod and go.sum
+        run: |
+          go mod tidy
+          git diff --exit-code -- .
+
+  build-go:
+    name: Build & cache Go code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Golang
+        uses: actions/setup-go@v1
+        with:
+          go-version: '1.14.12'
+      - name: Restore go build cache
+        uses: actions/cache@v1
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+      - name: Download all Go modules
+        run: |
+          go mod download
+      - name: Compile all packages
+        run: make build-local
+
+  lint-go:
+    name: Lint Go code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Run golangci-lint
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: v1.29
+          args: --timeout 5m --exclude SA5011
+
+  test-go:
+    name: Run unit tests for Go packages
+    runs-on: ubuntu-latest
+    needs:
+      - build-go
+    steps:
+      - name: Create checkout directory
+        run: mkdir -p ~/go/src/github.com/argoproj
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Create symlink in GOPATH
+        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
+      - name: Setup Golang
+        uses: actions/setup-go@v1
+        with:
+          go-version: '1.14.12'
+      - name: Install required packages
+        run: |
+          sudo apt-get install git -y
+      - name: Switch to temporal branch so we re-attach head
+        run: |
+          git switch -c temporal-pr-branch
+          git status
+      - name: Fetch complete history for blame information
+        run: |
+          git fetch --prune --no-tags --depth=1 origin +refs/heads/*:refs/remotes/origin/*
+      - name: Add ~/go/bin to PATH
+        run: |
+          echo "/home/runner/go/bin" >> $GITHUB_PATH
+      - name: Add /usr/local/bin to PATH
+        run: |
+          echo "/usr/local/bin" >> $GITHUB_PATH
+      - name: Restore go build cache
+        uses: actions/cache@v1
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+      - name: Install all tools required for building & testing
+        run: |
+          make install-test-tools-local
+      - name: Setup git username and email
+        run: |
+          git config --global user.name "John Doe"
+          git config --global user.email "john.doe@example.com"
+      - name: Download and vendor all required packages
+        run: |
+          go mod download
+      - name: Run all unit tests
+        run: make test-local
+      - name: Generate code coverage artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: code-coverage
+          path: coverage.out
+      - name: Generate test results artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: test-results
+          path: test-results/
+
+  test-go-race:
+    name: Run unit tests with -race, for Go packages
+    runs-on: ubuntu-latest
+    needs:
+      - build-go
+    steps:
+      - name: Create checkout directory
+        run: mkdir -p ~/go/src/github.com/argoproj
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Create symlink in GOPATH
+        run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
+      - name: Setup Golang
+        uses: actions/setup-go@v1
+        with:
+          go-version: '1.14.12'
+      - name: Install required packages
+        run: |
+          sudo apt-get install git -y
+      - name: Switch to temporal branch so we re-attach head
+        run: |
+          git switch -c temporal-pr-branch
+          git status
+      - name: Fetch complete history for blame information
+        run: |
+          git fetch --prune --no-tags --depth=1 origin +refs/heads/*:refs/remotes/origin/*
+      - name: Add ~/go/bin to PATH
+        run: |
+          echo "/home/runner/go/bin" >> $GITHUB_PATH
+      - name: Add /usr/local/bin to PATH
+        run: |
+          echo "/usr/local/bin" >> $GITHUB_PATH
+      - name: Restore go build cache
+        uses: actions/cache@v1
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+      - name: Install all tools required for building & testing
+        run: |
+          make install-test-tools-local
+      - name: Setup git username and email
+        run: |
+          git config --global user.name "John Doe"
+          git config --global user.email "john.doe@example.com"
+      - name: Download and vendor all required packages
+        run: |
+          go mod download
+      - name: Run all unit tests
+        run: make test-race-local
+      - name: Generate test results artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: race-results
+          path: test-results/
+
+  codegen:
+    name: Check changes to generated code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Golang
+        uses: actions/setup-go@v1
+        with:
+          go-version: '1.14.12'
+      - name: Create symlink in GOPATH
+        run: |
+          mkdir -p ~/go/src/github.com/argoproj
+          cp -a ../argo-cd ~/go/src/github.com/argoproj
+      - name: Add ~/go/bin to PATH
+        run: |
+          echo "/home/runner/go/bin" >> $GITHUB_PATH
+      - name: Add /usr/local/bin to PATH
+        run: |
+          echo "/usr/local/bin" >> $GITHUB_PATH
+      - name: Download & vendor dependencies
+        run: |
+          # We need to vendor go modules for codegen yet
+          go mod download
+          go mod vendor -v
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+      - name: Install toolchain for codegen
+        run: |
+          make install-codegen-tools-local
+          make install-go-tools-local
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+      - name: Initialize local Helm
+        run: |
+          helm2 init --client-only
+      - name: Run codegen
+        run: |
+          set -x
+          export GOPATH=$(go env GOPATH)
+          git checkout -- go.mod go.sum
+          make codegen-local
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+      - name: Check nothing has changed
+        run: |
+          set -xo pipefail
+          git diff --exit-code -- . ':!go.sum' ':!go.mod' ':!assets/swagger.json' | tee codegen.patch
+        working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
+
+  build-ui:
+    name: Build, test & lint UI code
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup NodeJS
+        uses: actions/setup-node@v1
+        with:
+          node-version: '12.18.4'
+      - name: Restore node dependency cache
+        id: cache-dependencies
+        uses: actions/cache@v1
+        with:
+          path: ui/node_modules
+          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
+      - name: Install node dependencies
+        run: |
+          cd ui && yarn install --frozen-lockfile --ignore-optional --non-interactive
+      - name: Build UI code
+        run: |
+          yarn test
+          yarn build
+        env:
+          NODE_ENV: production
+        working-directory: ui/
+      - name: Run ESLint
+        run: yarn lint
+        working-directory: ui/
+
+  analyze:
+    name: Process & analyze test artifacts
+    runs-on: ubuntu-latest
+    needs:
+      - test-go
+      - build-ui
+    env:
+      sonar_secret: ${{ secrets.SONAR_TOKEN }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Restore node dependency cache
+        id: cache-dependencies
+        uses: actions/cache@v1
+        with:
+          path: ui/node_modules
+          key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
+      - name: Remove other node_modules directory
+        run: |
+          rm -rf ui/node_modules/argo-ui/node_modules
+      - name: Create test-results directory
+        run: |
+          mkdir -p test-results
+      - name: Get code coverage artifiact
+        uses: actions/download-artifact@v2
+        with:
+          name: code-coverage
+      - name: Get test result artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: test-results
+          path: test-results
+      - name: Upload code coverage information to codecov.io
+        uses: codecov/codecov-action@v1
+        with:
+          file: coverage.out
+      - name: Perform static code analysis using SonarCloud
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SCANNER_VERSION: 4.2.0.1873
+          SCANNER_PATH: /tmp/cache/scanner
+          OS: linux
+        run: |
+            # We do not use the provided action, because it does contain an old
+            # version of the scanner, and also takes time to build.
+            set -e
+            mkdir -p ${SCANNER_PATH}
+            export SONAR_USER_HOME=${SCANNER_PATH}/.sonar
+            if [[ ! -x "${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner" ]]; then
+              curl -Ol https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip
+              unzip -qq -o sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip -d ${SCANNER_PATH}
+            fi
+
+            chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
+            chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/jre/bin/java
+
+            # Explicitly set NODE_MODULES
+            export NODE_MODULES=${PWD}/ui/node_modules
+            export NODE_PATH=${PWD}/ui/node_modules
+
+            ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
+        if: env.sonar_secret != ''
+
+  test-e2e:
+    name: Run end-to-end tests
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        k3s-version: [v1.20.2, v1.19.2, v1.18.9, v1.17.11, v1.16.15]
+    needs: 
+      - build-go
+    env:
+      GOPATH: /home/runner/go
+      ARGOCD_FAKE_IN_CLUSTER: "true"
+      ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
+      ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
+      ARGOCD_E2E_SSH_KNOWN_HOSTS: "../fixture/certs/ssh_known_hosts"
+      ARGOCD_E2E_K3S: "true"
+      ARGOCD_IN_CI: "true"
+      ARGOCD_E2E_APISERVER_PORT: "8088"
+      ARGOCD_SERVER: "127.0.0.1:8088"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Setup Golang
+        uses: actions/setup-go@v1
+        with:
+          go-version: '1.14.12'
+      - name: Install K3S
+        env:
+          INSTALL_K3S_VERSION: ${{ matrix.k3s-version }}+k3s1
+        run: |
+          set -x
+          curl -sfL https://get.k3s.io | sh -
+          sudo chmod -R a+rw /etc/rancher/k3s
+          sudo mkdir -p $HOME/.kube && sudo chown -R runner $HOME/.kube
+          sudo k3s kubectl config view --raw > $HOME/.kube/config
+          sudo chown runner $HOME/.kube/config
+          kubectl version
+      - name: Restore go build cache
+        uses: actions/cache@v1
+        with:
+          path: ~/.cache/go-build
+          key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
+      - name: Add ~/go/bin to PATH
+        run: |
+          echo "/home/runner/go/bin" >> $GITHUB_PATH
+      - name: Add /usr/local/bin to PATH
+        run: |
+          echo "/usr/local/bin" >> $GITHUB_PATH
+      - name: Download Go dependencies
+        run: |
+          go mod download
+          go get github.com/mattn/goreman
+      - name: Install all tools required for building & testing
+        run: |
+          make install-test-tools-local
+      - name: Setup git username and email
+        run: |
+          git config --global user.name "John Doe"
+          git config --global user.email "john.doe@example.com"
+      - name: Pull Docker image required for tests
+        run: |
+          docker pull quay.io/dexidp/dex:v2.25.0
+          docker pull argoproj/argo-cd-ci-builder:v1.0.0
+          docker pull redis:5.0.10-alpine
+      - name: Create target directory for binaries in the build-process
+        run: |
+          mkdir -p dist
+          chown runner dist
+      - name: Run E2E server and wait for it being available
+        timeout-minutes: 30
+        run: |
+          set -x
+          # Something is weird in GH runners -- there's a phantom listener for
+          # port 8080 which is not visible in netstat -tulpen, but still there
+          # with a HTTP listener. We have API server listening on port 8088
+          # instead.
+          make start-e2e-local 2>&1 | sed -r "s/[[:cntrl:]]\[[0-9]{1,3}m//g" > /tmp/e2e-server.log &
+          count=1
+          until curl -f http://127.0.0.1:8088/healthz; do
+            sleep 10;
+            if test $count -ge 60; then
+              echo "Timeout"
+              exit 1
+            fi
+            count=$((count+1))
+          done
+      - name: Run E2E testsuite
+        run: |
+          set -x
+          make test-e2e-local
+      - name: Upload e2e-server logs
+        uses: actions/upload-artifact@v2
+        with:
+          name: e2e-server-k8s${{ matrix.k3s-version }}.log
+          path: /tmp/e2e-server.log
+        if: ${{ failure() }}

.github/workflows/codeql.yml

@@ -0,0 +1,52 @@
+name: "Code scanning - action"
+
+on:
+  push:
+  pull_request:
+  schedule:
+    - cron: '0 19 * * 0'
+
+jobs:
+  CodeQL-Build:
+
+    # CodeQL runs on ubuntu-latest and windows-latest
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+      
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      # Override language selection by uncommenting this and choosing your languages
+      # with:
+      #   languages: go, javascript, csharp, python, cpp, java
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/gh-pages.yaml

@@ -0,0 +1,30 @@
+name: Deploy
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - 'master'
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v1
+      - name: Setup Python
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.x
+      - name: build
+        run: |
+          pip install -r docs/requirements.txt
+          mkdocs build
+      - name: deploy
+        if: ${{ github.event_name == 'push' }}
+        uses: peaceiris/actions-gh-pages@v2.5.0
+        env:
+          PERSONAL_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
+          PUBLISH_BRANCH: gh-pages
+          PUBLISH_DIR: ./site

.github/workflows/image.yaml

@@ -0,0 +1,50 @@
+name: Image
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    env:
+      GOPATH: /home/runner/work/argo-cd/argo-cd
+    steps:
+      - uses: actions/setup-go@v1
+        with:
+          go-version: '1.14.12'
+      - uses: actions/checkout@master
+        with:
+          path: src/github.com/argoproj/argo-cd
+
+      # get image tag
+      - run: echo ::set-output name=tag::$(cat ./VERSION)-${GITHUB_SHA::8}
+        working-directory: ./src/github.com/argoproj/argo-cd
+        id: image
+
+      # build
+      - run: |
+          docker images -a --format "{{.ID}}" | xargs -I {} docker rmi {}
+          make image DEV_IMAGE=true DOCKER_PUSH=false IMAGE_NAMESPACE=docker.pkg.github.com/argoproj/argo-cd IMAGE_TAG=${{ steps.image.outputs.tag }}
+        working-directory: ./src/github.com/argoproj/argo-cd
+
+      # publish
+      - run: |
+          docker login docker.pkg.github.com --username $USERNAME --password $PASSWORD
+          docker push docker.pkg.github.com/argoproj/argo-cd/argocd:${{ steps.image.outputs.tag }}
+        env:
+          USERNAME: ${{ secrets.USERNAME }}
+          PASSWORD: ${{ secrets.TOKEN }}
+
+      # deploy
+      - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
+        env:
+          TOKEN: ${{ secrets.TOKEN }}
+      - run: |
+          docker run -v $(pwd):/src -w /src --rm -t lyft/kustomizer:v3.3.0 kustomize edit set image quay.io/argoproj/argocd=docker.pkg.github.com/argoproj/argo-cd/argocd:${{ steps.image.outputs.tag }}
+          git config --global user.email 'ci@argoproj.com'
+          git config --global user.name 'CI'
+          git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ steps.image.outputs.tag }}' && git push)
+        working-directory: argoproj-deployments/argocd
+      # TODO: clean up old images once github supports it: https://github.community/t5/How-to-use-Git-and-GitHub/Deleting-images-from-Github-Package-Registry/m-p/41202/thread-id/9811

.github/workflows/release.yaml

@@ -0,0 +1,311 @@
+name: Create ArgoCD release
+on:
+  push:
+    tags:
+      - 'release-v*'
+      - '!release-v1.5*'
+      - '!release-v1.4*'
+      - '!release-v1.3*'
+      - '!release-v1.2*'
+      - '!release-v1.1*'
+      - '!release-v1.0*'
+      - '!release-v0*'
+jobs:
+  prepare-release:
+    name: Perform automatic release on trigger ${{ github.ref }}
+    runs-on: ubuntu-latest
+    env:
+      # The name of the tag as supplied by the GitHub event
+      SOURCE_TAG: ${{ github.ref }}
+      # The image namespace where Docker image will be published to
+      IMAGE_NAMESPACE: argoproj
+      # Whether to create & push image and release assets
+      DRY_RUN: false
+      # Whether a draft release should be created, instead of public one
+      DRAFT_RELEASE: false
+      # Whether to update homebrew with this release as well
+      # Set RELEASE_HOMEBREW_TOKEN secret in repository for this to work - needs
+      # access to public repositories
+      UPDATE_HOMEBREW: false
+      # Name of the GitHub user for Git config
+      GIT_USERNAME: argo-bot
+      # E-Mail of the GitHub user for Git config
+      GIT_EMAIL: argoproj@gmail.com
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check if the published tag is well formed and setup vars
+        run: |
+          set -xue
+          # Target version must match major.minor.patch and optional -rcX suffix
+          # where X must be a number.
+          TARGET_VERSION=${SOURCE_TAG#*release-v}
+          if ! echo "${TARGET_VERSION}" | egrep '^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)*$'; then
+            echo "::error::Target version '${TARGET_VERSION}' is malformed, refusing to continue." >&2
+            exit 1
+          fi
+
+          # Target branch is the release branch we're going to operate on
+          # Its name is 'release-<major>.<minor>'
+          TARGET_BRANCH="release-${TARGET_VERSION%\.[0-9]*}"
+
+          # The release tag is the source tag, minus the release- prefix
+          RELEASE_TAG="${SOURCE_TAG#*release-}"
+
+          # Whether this is a pre-release (indicated by -rc suffix)
+          PRE_RELEASE=false
+          if echo "${RELEASE_TAG}" | egrep -- '-rc[0-9]+$'; then
+            PRE_RELEASE=true
+          fi
+
+          # We must not have a release trigger within the same release branch,
+          # because that means a release for this branch is already running.
+          if git tag -l | grep "release-v${TARGET_VERSION%\.[0-9]*}" | grep -v "release-v${TARGET_VERSION}"; then
+            echo "::error::Another release for branch ${TARGET_BRANCH} is currently in progress."
+            exit 1
+          fi
+
+          # Ensure that release do not yet exist
+          if git rev-parse ${RELEASE_TAG}; then
+            echo "::error::Release tag ${RELEASE_TAG} already exists in repository. Refusing to continue."
+            exit 1
+          fi
+
+          # Make the variables available in follow-up steps
+          echo "TARGET_VERSION=${TARGET_VERSION}" >> $GITHUB_ENV
+          echo "TARGET_BRANCH=${TARGET_BRANCH}" >> $GITHUB_ENV
+          echo "RELEASE_TAG=${RELEASE_TAG}" >> $GITHUB_ENV
+          echo "PRE_RELEASE=${PRE_RELEASE}" >> $GITHUB_ENV
+
+      - name: Check if our release tag has a correct annotation
+        run: |
+          set -ue
+          # Fetch all tag information as well
+          git fetch --prune --tags --force
+
+          echo "=========== BEGIN COMMIT MESSAGE ============="
+          git show ${SOURCE_TAG}
+          echo "============ END COMMIT MESSAGE =============="
+          
+          # Quite dirty hack to get the release notes from the annotated tag
+          # into a temporary file.
+          RELEASE_NOTES=$(mktemp -p /tmp release-notes.XXXXXX)
+
+          prefix=true
+          begin=false
+          git show ${SOURCE_TAG} | while read line; do
+            # Whatever is in commit history for the tag, we only want that
+            # annotation from our tag. We discard everything else.
+            if test "$begin" = "false"; then
+              if echo "$line" | grep -q "tag ${SOURCE_TAG#refs/tags/}"; then begin="true"; fi
+              continue
+            fi
+            if test "$prefix" = "true"; then
+                  if test -z "$line"; then prefix=false; fi
+            else
+                  if echo "$line" | egrep -q '^commit [0-9a-f]+'; then
+                          break
+                  fi
+                  echo "$line" >> ${RELEASE_NOTES}
+            fi
+          done
+
+          # For debug purposes
+          echo "============BEGIN RELEASE NOTES================="
+          cat ${RELEASE_NOTES}
+          echo "=============END RELEASE NOTES=================="
+
+          # Too short release notes are suspicious. We need at least 100 bytes.
+          relNoteLen=$(stat -c '%s' $RELEASE_NOTES)
+          if test $relNoteLen -lt 100; then
+            echo "::error::No release notes provided in tag annotation (or tag is not annotated)"
+            exit 1
+          fi
+
+          # Check for magic string '## Quick Start' in head of release notes
+          if ! head -2 ${RELEASE_NOTES} | grep -iq '## Quick Start'; then
+            echo "::error::Release notes seem invalid, quick start section not found."
+            exit 1
+          fi
+
+          # We store path to temporary release notes file for later reading, we
+          # need it when creating release.
+          echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
+
+      - name: Setup Golang
+        uses: actions/setup-go@v1
+        with:
+          go-version: '1.14.12'
+
+      - name: Setup Git author information
+        run: |
+          set -ue
+          git config --global user.email "${GIT_EMAIL}"
+          git config --global user.name "${GIT_USERNAME}"
+
+      - name: Checkout corresponding release branch
+        run: |
+          set -ue
+          echo "Switching to release branch '${TARGET_BRANCH}'"
+          if ! git checkout ${TARGET_BRANCH}; then
+            echo "::error::Checking out release branch '${TARGET_BRANCH}' for target version '${TARGET_VERSION}' (tagged '${RELEASE_TAG}') failed. Does it exist in repo?"
+            exit 1
+          fi
+
+      - name: Create VERSION information
+        run: |
+          set -ue
+          echo "Bumping version from $(cat VERSION) to ${TARGET_VERSION}"
+          echo "${TARGET_VERSION}" > VERSION
+          git commit -m "Bump version to ${TARGET_VERSION}" VERSION
+
+      - name: Generate new set of manifests
+        run: |
+          set -ue
+          make install-codegen-tools-local
+          helm2 init --client-only
+          make manifests-local VERSION=${TARGET_VERSION}
+          git diff
+          git commit manifests/ -m "Bump version to ${TARGET_VERSION}"
+
+      - name: Create the release tag
+        run: |
+          set -ue
+          echo "Creating release ${RELEASE_TAG}"
+          git tag ${RELEASE_TAG}
+
+      - name: Build Docker image for release
+        run: |
+          set -ue
+          git clean -fd
+          mkdir -p dist/
+          make image IMAGE_TAG="${TARGET_VERSION}" DOCKER_PUSH=false
+          make release-cli
+          chmod +x ./dist/argocd-linux-amd64
+          ./dist/argocd-linux-amd64 version --client
+        if: ${{ env.DRY_RUN != 'true' }}
+
+      - name: Push docker image to repository
+        env:
+          DOCKER_USERNAME: ${{ secrets.RELEASE_DOCKERHUB_USERNAME }}
+          DOCKER_TOKEN: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
+          QUAY_USERNAME: ${{ secrets.RELEASE_QUAY_USERNAME }}
+          QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
+        run: |
+          set -ue
+          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker push ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
+          docker tag ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} quay.io/${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+          docker push quay.io/${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+        if: ${{ env.DRY_RUN != 'true' }}
+
+      - name: Read release notes file
+        id: release-notes
+        uses: juliangruber/read-file-action@v1
+        with: 
+          path: ${{ env.RELEASE_NOTES }}
+
+      - name: Push changes to release branch
+        run: |
+          set -ue
+          git push origin ${TARGET_BRANCH}
+          git push origin ${RELEASE_TAG}
+
+      - name: Create GitHub release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        id: create_release
+        with:
+          tag_name: ${{ env.RELEASE_TAG }}
+          release_name: ${{ env.RELEASE_TAG }}
+          draft: ${{ env.DRAFT_RELEASE }}
+          prerelease: ${{ env.PRE_RELEASE }}
+          body: ${{ steps.release-notes.outputs.content }}
+
+      - name: Upload argocd-linux-amd64 binary to release assets
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./dist/argocd-linux-amd64
+          asset_name: argocd-linux-amd64
+          asset_content_type: application/octet-stream
+        if: ${{ env.DRY_RUN != 'true' }}
+
+      - name: Upload argocd-darwin-amd64 binary to release assets
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./dist/argocd-darwin-amd64
+          asset_name: argocd-darwin-amd64
+          asset_content_type: application/octet-stream
+        if: ${{ env.DRY_RUN != 'true' }}
+
+      - name: Upload argocd-windows-amd64 binary to release assets
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./dist/argocd-windows-amd64.exe
+          asset_name: argocd-windows-amd64.exe
+          asset_content_type: application/octet-stream
+        if: ${{ env.DRY_RUN != 'true' }}
+
+      # include argocd-util as part of release artifacts (argoproj/argo-cd#5174)
+      - name: Upload argocd-util-linux-amd64 binary to release assets
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./dist/argocd-linux-amd64
+          asset_name: argocd-util-linux-amd64
+          asset_content_type: application/octet-stream
+        if: ${{ env.DRY_RUN != 'true' }}
+
+      - name: Upload argocd-util-darwin-amd64 binary to release assets
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./dist/argocd-darwin-amd64
+          asset_name: argocd-util-darwin-amd64
+          asset_content_type: application/octet-stream
+        if: ${{ env.DRY_RUN != 'true' }}
+
+      - name: Upload argocd-util-windows-amd64 binary to release assets
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./dist/argocd-windows-amd64.exe
+          asset_name: argocd-util-windows-amd64.exe
+          asset_content_type: application/octet-stream
+        if: ${{ env.DRY_RUN != 'true' }}
+
+      - name: Update homebrew formula
+        env:
+          HOMEBREW_TOKEN: ${{ secrets.RELEASE_HOMEBREW_TOKEN }}
+        uses: dawidd6/action-homebrew-bump-formula@v3
+        with:
+          token: ${{env.HOMEBREW_TOKEN}}
+          formula: argocd
+        if: ${{ env.HOMEBREW_TOKEN != '' && env.UPDATE_HOMEBREW == 'true' && env.PRE_RELEASE != 'true' }}
+
+      - name: Delete original request tag from repository
+        run: |
+          set -ue
+          git push --delete origin ${SOURCE_TAG}
+        if: ${{ always() }}

.gitignore

@@ -9,3 +9,14 @@ site/
 cmd/**/debug
 debug.test
 coverage.out
+test-results
+.scannerwork
+.scratch
+node_modules/
+
+# ignore built binaries
+cmd/argocd/argocd
+cmd/argocd-application-controller/argocd-application-controller
+cmd/argocd-repo-server/argocd-repo-server
+cmd/argocd-server/argocd-server
+cmd/argocd-util/argocd-util

.golangci.yml

@@ -1,22 +1,22 @@
 run:
-  deadline: 2m
+  timeout: 2m
   skip-files:
     - ".*\\.pb\\.go"
   skip-dirs:
-    - pkg/client
-    - vendor
-linter-settings:
-  goimports:
-    local-prefixes: github.com/argoproj/argo-cd
+    - pkg/client/
+    - vendor/
 linters:
   enable:
     - vet
-    - gofmt
-    - goimports
     - deadcode
+    - goimports
     - varcheck
     - structcheck
     - ineffassign
     - unconvert
-    - misspell
     - unparam
+linters-settings:
+  goimports:
+    local-prefixes: github.com/argoproj/argo-cd
+service:
+  golangci-lint-version: 1.21.0

.readthedocs.yml

@@ -0,0 +1,7 @@
+version: 2
+formats: all
+mkdocs:
+  fail_on_warning: false
+python:
+  install:
+    - requirements: docs/requirements.txt

CHANGELOG.md

@@ -1,5 +1,934 @@
 # Changelog
 
+## v1.8.0 (Unreleased)
+
+### Mono-Repository Improvements
+
+Enhanced performance during manifest generation from mono-repository - the repository that represents the
+desired state of the whole cluster and contains hundreds of applications. The improved argocd-repo-server
+now able to concurrently generate manifests from the same repository and for the same commit SHA. This
+might provide 10x performance improvement of manifests generation.
+
+### Annotation Based Path Detection
+
+The feature that allows specifying which source repository directories influence the application manifest generation
+using the `argocd.argoproj.io/manifest-generate-paths` annotation. The annotation improves the Git webhook handler
+behavior. The webhook avoids related applications reconciliation if no related files have been changed by the Git commit
+and even allows to skip manifests generation for new commit by re-using generation manifests for the previous commit.
+
+### Horizontal Controller Scaling
+
+This release allows scaling the `argocd-application-controller` horizontally. This allows you to manage as many Kubernetes clusters
+as needed using a single Argo CD instance.
+
+## New Core Functionality Features
+
+Besides performance improvements, Argo CD got a lot of usability enhancements and new features:
+
+* Namespace and CRD creation [#4354](https://github.com/argoproj/argo-cd/issues/4354)
+* Unknown fields of built-in K8S types [#1787](https://github.com/argoproj/argo-cd/issues/1787)
+* Endpoints Diffing [#1816](https://github.com/argoproj/argo-cd/issues/1816)
+* Better compatibility with Helm Hooks [#1816](https://github.com/argoproj/argo-cd/issues/1816)
+* App-of-Apps Health Assessment [#3781](https://github.com/argoproj/argo-cd/issues/3781)
+
+## Global Projects
+
+This release makes it easy to manage an Argo CD that has hundreds of Projects. Instead of duplicating the same organization-wide rules in all projects
+you can put such rules into one project and make this project “global” for all other projects. Rules defined in the global project are inherited by all
+other projects and therefore don’t have to be duplicated. The sample below demonstrates how you can create a global project and specify which project should
+inherit global project rules using Kubernetes labels. 
+
+## User Interface Improvements
+
+The Argo CD user interface is an important part of a project and we keep working hard on improving the user experience. Here is an incomplete list of implemented improvements:
+
+* Improved Applications Filters [#4622](https://github.com/argoproj/argo-cd/issues/4622)
+* Git tags and branches autocompletion [#4713](https://github.com/argoproj/argo-cd/issues/4713)
+* Project Details Page [#4400](https://github.com/argoproj/argo-cd/issues/4400)
+* New version information panel [#4376](https://github.com/argoproj/argo-cd/issues/4376)
+* Progress Indicators [#4411](https://github.com/argoproj/argo-cd/issues/4411)
+* External links annotations [#4380](https://github.com/argoproj/argo-cd/issues/4380) and more!
+
+## Config Management Tools Enhancements
+
+* OCI Based Repositories [#4018](https://github.com/argoproj/argo-cd/issues/4018)
+* Configurable Helm Versions [#4111](https://github.com/argoproj/argo-cd/issues/4111)
+
+## Bug fixes and under the hood changes
+
+In addition to new features and enhancements, we’ve fixed more than 50 bugs and upgraded third-party components and libraries that Argo CD relies on.
+
+## v1.7.9 (2020-11-17)
+
+- fix: improve commit verification tolerance (#4825)
+- fix: argocd diff --local should not print data of local secrets (#4850)
+- fix(ui): stack overflow crash of resource tree view for large applications (#4685)
+- chore: Update golang to v1.14.12 [backport to release-1.7] (#4834)
+- chore: Update redis to 5.0.10 (#4767)
+- chore: Replace deprecated GH actions directives for integration tests (#4589)
+
+## v1.7.8 (2020-10-15)
+
+- fix(logging.go): changing marshaler for JSON logging to use gogo (#4319)
+- fix: login with apiKey capability (#4557)
+- fix: api-server should not try creating default project it is exists already (#4517)
+- fix: JS error on application list page if app has no namespace (#4499)
+
+
+## v1.7.7 (2020-09-28)
+
+- fix: Support transition from a git managed namespace to auto create (#4401)
+- fix: reduce memory spikes during cluster cache refresh (#4298)
+- fix: No error/warning condition if application destination namespace not monitored by Argo CD (#4329)
+- fix: Fix local diff/sync of apps using cluster name (#4201)
+
+## v1.7.6 (2020-09-18)
+
+- fix: Added cluster authentication to AKS clusters (#4265)
+- fix: swagger UI stuck loading (#4377)
+- fix: prevent 'argocd app sync' hangs if sync is completed too quickly (#4373)
+- fix: argocd app wait/sync might stuck (#4350)
+- fix: failed syncs are not retried soon enough (#4353)
+
+## v1.7.5 (2020-09-15)
+
+- fix: app create with -f should not ignore other options (#4322)
+- fix: limit concurrent list requests accross all clusters (#4328)
+- fix: fix possible deadlock in /v1/api/stream/applications and /v1/api/application APIs (#4315)
+- fix: WatchResourceTree does not enforce RBAC (#4311)
+- fix: app refresh API should use app resource version (#4303)
+- fix: use informer instead of k8s watch to ensure app is refreshed (#4290)
+
+
+## v1.7.4 (2020-09-04)
+
+- fix: automatically stop watch API requests when page is hidden (#4269)
+- fix: upgrade gitops-engine dependency (issues #4242, #1881) (#4268)
+- fix: application stream API should not return 'ADDED' events if resource version is provided (#4260)
+- fix: return parsing error (#3942)
+- fix: JS error when using cluster filter in the /application view (#4247)
+- fix: improve applications list page client side performance (#4244)
+
+## v1.7.3 (2020-09-01)
+
+- fix: application details page crash when app is deleted (#4229)
+- fix: api-server unnecessary normalize projects on every start (#4219)
+- fix: load only project names in UI (#4217)
+- fix: Re-create already initialized ARGOCD_GNUPGHOME on startup (#4214) (#4223)
+- fix: Add openshift as a dex connector type which requires a redirectURI (#4222)
+- fix: Replace status.observedAt with redis pub/sub channels for resource tree updates (#1340) (#4208)
+- fix: cache inconsistency of child resources (#4053) (#4202)
+- fix: do not include kube-api check in application liveness flow (#4163)
+
+## v1.7.2 (2020-08-27)
+
+- fix: Sync hangs with cert-manager on latest RC (#4105)
+- fix: support for PKCE for cli login (#2932)
+
+## v1.7.2 (2020-08-25)
+
+- fix: Unable to create project JWT token on K8S v1.15 (#4165)
+- fix: Argo CD does not exclude creationTimestamp from diffing (#4157)
+
+## v1.7.0 (2020-08-24)
+
+### GnuPG Signature Verification
+
+The feature allows to only sync against commits that are signed in Git using GnuPG. The list of public 
+GPG keys required for verification is configured at the system level and can be managed using Argo CD CLI or Web user interface.
+The keys management is integrated with Argo CD SSO and access control system (e.g. `argocd gpg add --from <path-to-key>`)
+
+The signature verification is enabled on the project level. The ApplicationProject CRD has a new signatureKeys field that includes
+a list of imported public GPG keys. Argo CD will verify the commit signature by these keys for every project application.
+
+### Cluster Management Enhancements
+
+The feature allows using the cluster name instead of the URL to specify the application destination cluster.
+Additionally, the cluster CLI and Web user interface have been improved. Argo CD operators now can view and edit cluster
+details using the Cluster Details page. The page includes cluster settings details as well as runtime information such
+as the number of monitored Kubernetes resources.
+
+### Diffing And Synchronization Usability
+
+* **Diffing logic improvement** Argo CD performs client-side resource diffing to detect deviations and present detected
+differences in the UI and CLI. The 1.7 release aligns a comparison algorithm with server-side Kubernetes implementation
+and removes inaccuracies in some edge cases.
+
+* **Helm Hooks Compatibility** The improvement removes the discrepancy between the way how Argo CD and Helm deletes
+hooks resources. This significantly improves the compatibility and enables additional use cases.
+
+* **Namespace Auto-Creation** With a new option for applications Argo CD will ensure that namespace specified as the
+application destination exists in the destination cluster. 
+
+* **Failed Sync Retry** This feature enables retrying of failed synchronization attempts during both manually-triggered
+and automated synchronization.
+
+### Orphaned Resources Monitoring Enhancement
+
+The enhancement allows configuring an exception list in Orphaned Resources settings to avoid false alarms.
+
+## v1.6.2 (2020-08-01)
+
+- feat: adding validate for app create and app set (#4016)
+- fix: use glob matcher in casbin built-in model (#3966)
+- fix: Normalize Helm chart path when chart name contains a slash (#3987)
+- fix: allow duplicates when using generateName (#3878)
+- fix: nil pointer dereference while syncing an app (#3915)
+
+## v1.6.1 (2020-06-18)
+
+- fix: User unable to generate project token even if account has appropriate permissions (#3804)
+
+## v1.6.0 (2020-06-16)
+
+[1.6 Release blog post](https://blog.argoproj.io/argo-cd-v1-6-democratizing-gitops-with-gitops-engine-5a17cfc87d62)
+
+### GitOps Engine
+
+As part of 1.6 release, the core Argo CD functionality has been moved into [GitOps Engine](https://github.com/argoproj/gitops-engine).
+GitOps Engine is a reusable library that empowers you to quickly build specialized tools that implement specific GitOps
+use cases, such as bootstrapping a Kubernetes cluster, or decentralized management of namespaces.
+
+#### Enhancements
+
+- feat: upgrade kustomize to v3.6.1 version (#3696)
+- feat: Add build support for ARM images (#3554)
+- feat: CLI: Allow setting Helm values literal (#3601) (#3646)
+- feat: argocd-util settings resource-overrides list-actions (#3616)
+- feat: adding failure retry (#3548)
+- feat: Implement GKE ManagedCertificate CRD health checks (#3600)
+- feat: Introduce diff normalizer knobs and allow for ignoring aggregated cluster roles (#2382) (#3076)
+- feat: Implement Crossplane CRD health checks (#3581)
+- feat: Adding deploy time and duration label (#3563)
+- feat: support delete cluster from UI (#3555)
+- feat: add button loading status for time-consuming operations (#3559)
+- feat: Add --logformat switch to API server, repository server and controller (#3408)
+- feat: Add a Get Repo command to see if Argo CD has a repo (#3523)
+- feat: Allow selecting TLS ciphers on server (#3524)
+- feat: Support additional metadata in Application sync operation (#3747)
+- feat: upgrade redis to 5.0.8-alpine (#3783)
+
+#### Bug Fixes
+
+- fix: settings manager should invalidate cache after updating repositories/repository credentials (#3672)
+- fix: Allow unsetting the last remaining values file (#3644) (#3645)
+- fix: Read cert data from kubeconfig during cluster addition and use if present (#3655) (#3667)
+- fix: oidc should set samesite cookie (#3632)
+- fix: Allow underscores in hostnames in certificate module (#3596)
+- fix: apply scopes from argocd-rbac-cm to project jwt group searches (#3508)
+- fix: fix nil pointer dereference error after cluster deletion (#3634)
+- fix: Prevent possible nil pointer dereference when getting Helm client (#3613)
+- fix: Allow CLI version command to succeed without server connection (#3049) (#3550)
+- fix: Fix login with port forwarding (#3574)
+- fix: use 'git show-ref' to both retrieve and store generated manifests (#3578)
+- fix: enable redis retries; add redis request duration metric (#3575)
+- fix: Disable keep-alive for HTTPS connection to Git (#3531)
+- fix: use uid instead of named user in Dockerfile (#3108)
+
+#### Other
+
+- refactoring: Gitops engine (#3066)
+
+## v1.5.8 (2020-06-16)
+
+- fix: upgrade awscli version (#3774)
+- fix: html encode login error/description before rendering it (#3773)
+- fix: oidc should set samesite cookie (#3632)
+- fix: avoid panic in badge handler (#3741)
+
+## v1.5.7 (2020-06-09)
+
+The 1.5.7 patch release resolves issue #3719 . The ARGOCD_ENABLE_LEGACY_DIFF=true should be added to argocd-application-controller deployment.
+
+- fix: application with EnvoyFilter causes high memory/CPU usage (#3719)
+
+## v1.5.6 (2020-06-02)
+
+- feat: Upgrade kustomize to 3.6.1
+- fix: Prevent possible nil pointer dereference when getting Helm client (#3613)
+- fix: avoid deadlock in settings manager (#3637)
+
+## v1.5.5 (2020-05-16)
+
+- feat: add Rollout restart action (#3557)
+- fix: enable redis retries; add redis request duration metric (#3547)
+- fix: when --rootpath is on, 404 is returned when URL contains encoded URI (#3564)
+
+## v1.5.4 (2020-05-05)
+
+- fix: CLI commands with --grpc-web
+
+## v1.5.3 (2020-05-01)
+
+This patch release introduces a set of enhancements and bug fixes. Here are most notable changes:
+
+#### Multiple Kustomize Versions
+
+The bundled Kustomize version had been upgraded to v3.5.4. Argo CD allows changing bundled version using
+[custom image or init container](https://argoproj.github.io/argo-cd/operator-manual/custom_tools/). 
+This [feature](https://argoproj.github.io/argo-cd/user-guide/kustomize/#custom-kustomize-versions)
+enables bundling multiple Kustomize versions at the same time and allows end-users to specify the required version per application.
+
+#### Custom Root Path
+
+The feature allows accessing Argo CD UI and API using a custom root path(for example https://myhostname/argocd).
+This enables running Argo CD behind a proxy that takes care of user authentication (such as Ambassador) or hosting
+multiple Argo CD using the same hostname. A set of bug fixes and enhancements had been implemented to makes it easier.
+Use new `--rootpath` [flag](https://argoproj.github.io/argo-cd/operator-manual/ingress/#argocd-server-and-ui-root-path-v153) to enable the feature.
+
+### Login Rate Limiting
+
+The feature prevents a built-in user password brute force attack and addresses the known 
+[vulnerability](https://argoproj.github.io/argo-cd/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force).
+
+### Settings Management Tools
+
+A new set of [CLI commands](https://argoproj.github.io/argo-cd/operator-manual/troubleshooting/) that simplify configuring Argo CD.
+Using the CLI you can test settings changes offline without affecting running Argo CD instance and have ability to troubleshot diffing
+customizations, custom resource health checks, and more.
+
+### Other
+
+* New Project and Application CRD settings ([#2900](https://github.com/argoproj/argo-cd/issues/2900), [#2873](https://github.com/argoproj/argo-cd/issues/2873)) that allows customizing Argo CD behavior.
+* Upgraded Dex (v2.22.0) enables seamless [SSO integration](https://www.openshift.com/blog/openshift-authentication-integration-with-argocd) with Openshift.
+
+
+#### Enhancements
+
+* feat: added --grpc-web-root-path for CLI. (#3483)
+* feat: limit the maximum number of concurrent login attempts (#3467)
+* feat: upgrade kustomize version to 3.5.4 (#3472)
+* feat: upgrade dex to 2.22.0 (#3468)
+* feat: support user specified account token ids (#3425)
+* feat: support separate Kustomize version per application (#3414)
+* feat: add support for dex prometheus metrics (#3249)
+* feat: add settings troubleshooting commands to the 'argocd-util' binary (#3398)
+* feat: Let user to define meaningful unique JWT token name (#3388)
+* feat: Display link between OLM ClusterServiceVersion and it's OperatorGroup (#3390)
+* feat: Introduce sync-option SkipDryRunOnMissingResource=true (#2873) (#3247)
+* feat: support normalizing CRD fields that use known built-in K8S types (#3357)
+* feat: Whitelisted namespace resources (#2900)
+
+#### Bug Fixes
+
+* fix: added path to cookie (#3501)
+* fix: 'argocd sync' does not take into account IgnoreExtraneous annotation (#3486)
+* fix: CLI renders flipped diff results (#3480)
+* fix: GetApplicationSyncWindows API should not validate project permissions (#3456)
+* fix: argocd-util kubeconfig should use RawRestConfig to export config (#3447)
+* fix: javascript error on accounts list page (#3453)
+* fix: support both <group>/<kind> as well as <kind> as a resource override key (#3433)
+* fix: Updating to jsonnet v1.15.0 fix issue #3277 (#3431)
+* fix for helm repo add with flag --insecure-skip-server-verification (#3420)
+* fix: app diff --local support for helm repo. #3151 (#3407)
+* fix: Syncing apps incorrectly states "app synced", but this is not true (#3286)
+* fix: for jsonnet when it is localed in nested subdirectory and uses import (#3372)
+* fix: Update 4.5.3 redis-ha helm manifest (#3370)
+* fix: return 401 error code if username does not exist (#3369)
+* fix: Do not panic while running hooks with short revision (#3368)
+
+## v1.5.2 (2020-04-20)
+
+#### Critical security fix
+
+This release contains a critical security fix. Please refer to the
+[security document](https://argoproj.github.io/argo-cd/security_considerations/#CVE-2020-5260-possible-git-credential-leak)
+for more information.
+
+**Upgrading is strongly recommended**
+
+## v1.4.3 (2020-04-20)
+
+#### Critical security fix
+
+This release contains a critical security fix. Please refer to the
+[security document](https://argoproj.github.io/argo-cd/security_considerations/#CVE-2020-5260-possible-git-credential-leak)
+for more information.
+
+## v1.5.1 (2020-04-06)
+
+#### Bug Fixes
+
+* fix: return 401 error code if username does not exist (#3369)
+* fix: Do not panic while running hooks with short revision (#3368)
+* fix: Increase HAProxy check interval to prevent intermittent failures (#3356)
+* fix: Helm v3 CRD are not deployed (#3345)
+
+## v1.5.0 (2020-04-02)
+
+#### Helm Integration Enhancements - Helm 3 Support And More
+
+Introduced native support Helm3 charts. For backward compatibility Helm 2 charts are still rendered using Helm 2 CLI. Argo CD inspects the
+Charts.yaml file and choose the right binary based on `apiVersion` value.
+
+Following enhancement were implemented in addition to Helm 3:
+* The `--api-version` flag is passed to the `helm template` command during manifest generation.
+* The `--set-file` flag can be specified in the application specification.
+* Fixed bug that prevents automatically update Helm chart when new version is published (#3193)
+
+#### Better Performance and Improved Metrics
+
+ If you are running Argo CD instances with several hundred applications on it, you should see a
+ huge performance boost and significantly less Kubernetes API server load.
+
+ The Argo CD controller Prometheus metrics have been reworked to enable a richer Grafana dashboard.
+ The improved dashboard is available at [examples/dashboard.json](https://github.com/argoproj/argo-cd/blob/master/examples/dashboard.json).
+ You can set `ARGOCD_LEGACY_CONTROLLER_METRICS=true` environment variable and use [examples/dashboard-legacy.json](https://github.com/argoproj/argo-cd/blob/master/examples/dashboard-legacy.json)
+ to keep using old dashboard.
+
+#### Local accounts
+
+The local accounts had been introduced additional to `admin` user and SSO integration. The feature is useful for creating authentication
+tokens with limited permissions to automate Argo CD management. Local accounts also could be used small by teams when SSO integration is overkill.
+This enhancement also allows to disable admin user and enforce only SSO logins.
+
+#### Redis HA Proxy mode
+
+As part of this release, the bundled Redis was upgraded to version 4.3.4 with enabled HAProxy.
+The HA proxy replaced the sentinel and provides more reliable Redis connection.
+
+> After publishing 1.5.0 release we've discovered that default HAProxy settings might cause intermittent failures.
+> See [argo-cd#3358](https://github.com/argoproj/argo-cd/issues/3358)
+
+#### Windows CLI
+
+Windows users deploy to Kubernetes too! Now you can use Argo CD CLI on Linux, Mac OS, and Windows. The Windows compatible binary is available 
+in the release details page as well as on the Argo CD Help page.
+
+#### Breaking Changes
+
+The `argocd_app_sync_status`, `argocd_app_health_status` and `argocd_app_created_time` prometheus metrics are deprecated in favor of additional labels
+to `argocd_app_info` metric. The deprecated labels are still available can be re-enabled using `ARGOCD_LEGACY_CONTROLLER_METRICS=true` environment variable.
+The legacy example Grafana dashboard is available at [examples/dashboard-legacy.json](https://github.com/argoproj/argo-cd/blob/master/examples/dashboard-legacy.json). 
+
+####  Known issues
+Last-minute bugs that will be addressed in 1.5.1 shortly:
+ 
+* https://github.com/argoproj/argo-cd/issues/3336
+* https://github.com/argoproj/argo-cd/issues/3319
+* https://github.com/argoproj/argo-cd/issues/3339
+* https://github.com/argoproj/argo-cd/issues/3358
+
+#### Enhancements
+* feat: support helm3 (#2383) (#3178)
+* feat: Argo CD Service Account / Local Users #3185
+* feat: Disable Admin Login (fixes #3019) (#3179)
+* feat(ui): add docs to sync policy options present in create application panel (Close #3098) (#3203)
+* feat: add "service-account" flag to "cluster add" command (#3183) (#3184)
+* feat: Supports the validate-false option at an app level. Closes #1063 (#2542)
+* feat: add dest cluster and namespace in the Events (#3093)
+* feat: Rollback disables auto sync issue #2441 (#2591)
+* feat: allow ssh and http repository references in bitbucketserver webhook #2773 (#3036)
+* feat: Add helm --set-file support (#2751)
+* feat: Include resource group for Event's InvolvedObject.APIVersion
+* feat: Add argocd cmd for Windows #2121 (#3015)
+
+#### Bug Fixes
+
+- fix: app reconciliation fails with panic: index out of (#3233)
+- fix: upgrade argoproj/pkg version to fix leaked sensitive information in logs (#3230)
+- fix: set MaxCallSendMsgSize to MaxGRPCMessageSize for the GRPC caller (#3117)
+- fix: stop caching helm index (#3193)
+- fix: dex proxy should forward request to dex preserving the basehref (#3165)
+- fix: set default login redirect to baseHRef (#3164)
+- fix: don't double-prepend basehref to redirect URLs (fixes #3137)
+- fix: ui referring to /api/version using absolute path (#3092)
+- fix: Unhang UI on long app info items by using more sane URL match pattern (#3159)
+- fix: Allow multiple hostnames per SSH known hosts entry and also allow IPv6 (#2814) (#3074)
+- fix: argocd-util backup produced truncated backups. import app status (#3096)
+- fix: upgrade redis-ha chart and enable haproxy (#3147)
+- fix: make dex server deployment init container resilient to restarts (#3136)
+- fix: reduct secret values of manifests stored in git (#3088)
+- fix: labels not being deleted via UI (#3081)
+- fix: HTTP|HTTPS|NO_PROXY env variable reading #3055 (#3063)
+- fix: Correct usage text for repo add command regarding insecure repos (#3068)
+- fix: Ensure SSH private key is written out with a final newline character (#2890) (#3064)
+- fix: Handle SSH URLs in 'git@server:org/repo' notation correctly (#3062)
+- fix sso condition when several sso connectors has been configured (#3057)
+- fix: Fix bug where the same pointer is used. (#3059)
+- fix: Opening in new tab bad key binding on Linux (#3020)
+- fix: K8s secrets for repository credential templates are not deleted when credential template is deleted (#3028)
+- fix: SSH credential template not working #3016
+- fix: Unable to parse kubectl pre-release version strings (#3034)
+- fix: Jsonnet TLA parameters of same type are overwritten (#3022)
+- fix: Replace aws-iam-authenticator to support IRSA (#3010)
+- fix: Hide bindPW in dex config (#3025)
+- fix: SSH repo URL with a user different from `git` is not matched correctly when resolving a webhook (#2988)
+- fix: JWT invalid => Password for superuser has changed since token issued (#2108)
+
+#### Contributors
+* alexandrfox
+* alexec
+* alexmt
+* bergur88
+* CBytelabs
+* dbeal-wiser 
+* dnascimento
+* Elgarni
+* eSamS
+* gpaul
+* jannfis
+* jdmulloy
+* machgo
+* masa213f
+* matthyx
+* rayanebel
+* shelby-moore
+* tomcruise81
+* wecger
+* zeph
+
+## v1.4.2 (2020-01-24)
+
+- fix: correctly replace cache in namespace isolation mode (#3023)
+
+## v1.4.1 (2020-01-23)
+
+- fix: impossible to config RBAC if group name includes ',' (#3013)
+
+## v1.4.0 (2020-01-17)
+
+The v1.4.0 is a stability release that brings multiple bug fixes, security, performance enhancements, and multiple usability improvements.
+
+#### New Features
+
+#### Security
+A number of security enhancements and features have been implemented (thanks to [@jannfis](https://github.com/jannfis) for driving it! ):
+* **Repository Credential Templates Management UI/CLI**. Now you can use Argo CD CLI or UI to configure
+[credentials template](https://argoproj.github.io/argo-cd/user-guide/private-repositories/#credential-templates) for multiple repositories!
+* **X-Frame-Options header on serving static assets**. The X-Frame-Options prevents third party sites to trick users into interacting with the application.
+* **Tighten AppProject RBAC enforcement**. We've improved the enforcement of access rules specified in the
+[application project](https://argoproj.github.io/argo-cd/operator-manual/declarative-setup/#projects) configuration.
+
+#### Namespace Isolation
+With the namespace isolation feature, you are no longer have to give full read-only cluster access to the Argo CD. Instead, you can give access only to selected namespaces with-in
+the cluster:
+
+```bash
+argocd cluster add <mycluster> --namespace <mynamespace1> --namespace <mynamespace2>
+```
+
+This feature is useful if you don't have full cluster access but still want to use Argo CD to manage some cluster namespaces. The feature also improves performance if Argo CD is
+used to manage a few namespaces of a large cluster.
+
+#### Reconciliation Performance
+The Argo CD no longer fork/exec `kubectl` to apply resource changes in the target cluster or convert resource manifest to the required manifest version. This reduces
+CPU and Memory usage of large Argo CD instances.
+
+#### Resources Health based Hook Status
+The existing Argo CD [resource hooks](https://argoproj.github.io/argo-cd/user-guide/resource_hooks/) feature allows running custom logic during the syncing process. You can mark
+any Kubernetes resource as a hook and Argo CD assess hook status if resource is a `Pod`, `Job` or `Argo Workflow`. In the v1.4.0 release Argo CD is going to leverage resource
+[health assessment](https://argoproj.github.io/argo-cd/operator-manual/health/) to get sync hook status. This allows using any custom CRD as a sync hook and leverage custom health
+check logic.
+
+#### Manifest Generation
+* **Track Helm Charts By Semantic Version**. You've been able to track charts hosted in Git repositories using branches to tags. This is now possible for Helm charts. You no longer
+ need to choose the exact version, such as v1.4.0 ,instead you can use a semantic version constraint such as v1.4.* and the latest version that matches will be installed.
+* **Build Environment Variables**. Feature allows config management tool to get access to app details during manifest generation via
+[environment variables](https://argoproj.github.io/argo-cd/user-guide/build-environment/).
+* **Git submodules**. Argo CD is going to automatically fetch sub-modules if your repository has `.gitmodules` directory.
+
+#### UI and CLI
+* **Improved Resource Tree View**. The Application details page got even prettier. The resource view was tuned to fit more resources into the screen, include more information about
+each resource and don't lose usability at the same time.
+* **New Account Management CLI Command**. The CLI allows to check which actions are allowed for your account: `argocd account can-i sync applications '*'`
+
+#### Maintenance Tools
+The team put more effort into building tools that help to maintain Argo CD itself:
+* **Bulk Project Editing**. The `argocd-util` allows to add and remove permissions defined in multiple project roles using one command.
+* **More Prometheus Metrics**. A set of additional metrics that contains useful information managed clusters is exposed by application controller.
+
+More documentation and tools are coming in patch releases.
+
+#### Breaking Changes
+
+The Argo CD deletes all **in-flight** hooks if you terminate running sync operation. The hook state assessment change implemented in this release the Argo CD enables detection of 
+an in-flight state for all Kubernetes resources including `Deployment`, `PVC`, `StatefulSet`, `ReplicaSet` etc. So if you terminate the sync operation that has, for example,
+`StatefulSet` hook that is `Progressing` it will be deleted. The long-running jobs are not supposed to be used as a sync hook and you should consider using
+[Sync Waves](https://argoproj.github.io/argo-cd/user-guide/sync-waves/) instead.
+
+#### Enhancements
+* feat: Add custom healthchecks for cert-manager v0.11.0 (#2689) 
+* feat: add git submodule support (#2495)
+* feat: Add repository credential management API and CLI (addresses #2136) (#2207)
+* feat: add support for --additional-headers cli flag (#2467)
+* feat: Add support for ssh-with-port repo url (#2866) (#2948)
+* feat: Add Time to ApplicationCondition. (#2417)
+* feat: Adds `argocd auth can-i` command. Close #2255
+* feat: Adds revision history limit. Closes #2790 (#2818)
+* feat: Adds support for ARGO_CD_[TARGET_REVISION|REVISION] and pass to Custom Tool/Helm/Jsonnet 
+* feat: Adds support for Helm charts to be a semver range. Closes #2552 (#2606)
+* feat: Adds tracing to key external invocations. (#2811)
+* feat: argocd-util should allow editing project policies in bulk  (#2615)
+* feat: Displays controllerrevsion's revision in the UI. Closes #2306 (#2702)
+* feat: Issue #2559 - Add gauge Prometheus metric which represents the number of pending manifest requests. (#2658)
+* feat: Make ConvertToVersion maybe 1090% faster on average (#2820)
+* feat: namespace isolation (#2839)
+* feat: removes redundant mutex usage in controller cache and adds cluster cache metrics (#2898)
+* feat: Set X-Frame-Options on serving static assets (#2706) (#2711)
+* feat: Simplify using Argo CD without users/SSO/UI (#2688)
+* feat: Template Out Data Source in Grafana Dashboard (#2859) 
+* feat: Updates UI icons. Closes #2625 and #2757 (#2653)
+* feat: use editor arguments in InteractiveEditor (#2833)
+* feat: Use kubectl apply library instead of forking binary (#2861)
+* feat: use resource health for hook status evaluation (#2938)
+
+#### Bug Fixes
+
+- fix: Adds support for /api/v1/account* via HTTP. Fixes #2664 (#2701)
+- fix: Allow '@'-character in SSH usernames when connecting a repository (#2612)
+- fix: Allow dot in project policy. Closes #2724 (#2755)
+- fix: Allow you to sync local Helm apps.  Fixes #2741 (#2747)
+- fix: Allows Helm parameters that contains arrays or maps. (#2525)
+- fix: application-controller doesn't deal with rm/add same cluster gracefully (x509 unknown) (#2389)
+- fix: diff local ignore kustomize build options (#2942)
+- fix: Ensures that Helm charts are correctly resolved before sync. Fixes #2758 (#2760)
+- fix: Fix 'Open application' link when using basehref (#2729)
+- fix: fix a bug with cluster add when token secret is not first in list. (#2744)
+- fix: fix bug where manifests are not cached. Fixes #2770 (#2771)
+- fix: Fixes bug whereby retry does not work for CLI. Fixes #2767 (#2768)
+- fix: git contention leads applications into Unknown state (#2877)
+- fix: Issue #1944 - Gracefully handle missing cached app state (#2464)
+- fix: Issue #2668 - Delete a specified context (#2669)
+- fix: Issue #2683 - Make sure app update don't fail due to concurrent modification (#2852)
+- fix: Issue #2721 Optimize helm repo querying (#2816)
+- fix: Issue #2853 - Improve application env variables/labels editing (#2856)
+- fix: Issue 2848 - Application Deployment history panel shows incorrect info for recent releases (#2849)
+- fix: Make BeforeHookCreation the default. Fixes #2754 (#2759)
+- fix: No error on `argocd app create` in CLI if `--revision` is omitted #2665
+- fix: Only delete resources during app delete cascade if permitted to (fixes #2693) (#2695)
+- fix: prevent user from seeing/deleting resources not permitted in project (#2908) (#2910)
+- fix: self-heal should retry syncing an application after specified delay
+- fix: stop logging dex config secrets #(2904) (#2937)
+- fix: stop using jsondiffpatch on clientside to render resource difference  (#2869)
+- fix: Target Revision truncated #2736
+- fix: UI should re-trigger SSO login if SSO JWT token expires (#2891)
+- fix: update argocd-util import was not working properly (#2939)
+
+#### Contributors
+
+* Aalok Ahluwalia
+* Aananth K
+* Abhishek Jaisingh
+* Adam Johnson
+* Alan Tang
+* Alex Collins
+* Alexander Matyushentsev
+* Andrew Waters
+* Byungjin Park
+* Christine Banek
+* Daniel Helfand
+* David Hong
+* David J. M. Karlsen
+* David Maciel
+* Devan Goodwin
+* Devin Stein
+* dthomson25
+* Gene Liverman
+* Gregor Krmelj
+* Guido Maria Serra
+* Ilir Bekteshi
+* Imran Ismail
+* INOUE BANJI
+* Isaac Gaskin
+* jannfis
+* Jeff Hastings
+* Jesse Suen
+* John Girvan
+* Konstantin
+* Lev Aminov
+* Manatsawin Hanmongkolchai
+* Marco Schmid
+* Masayuki Ishii
+* Michael Bridgen
+* Naoki Oketani
+* niqdev
+* nitinpatil1992
+* Olivier Boukili
+* Olivier Lemasle
+* Omer Kahani
+* Paul Brit
+* Qingbo Zhou
+* Saradhi Sreegiriraju
+* Scott Cabrinha
+* shlo
+* Simon Behar
+* stgarf
+* Yujun Zhang
+* Zoltán Reegn
+
+## v1.3.4 (2019-12-05)
+- #2819 Fixes logging of tracing option in CLI
+
+## v1.3.3 (2019-12-05)
+- #2721 High CPU utilisation (5 cores) and spammy logs
+
+## v1.3.2 (2019-12-03)
+- #2797 Fix directory traversal edge case and enhance tests
+
+## v1.3.1 (2019-12-02)
+- #2664 update account password from API resulted 404
+- #2724 Can't use `DNS-1123` compliant app name when creating project role
+- #2726 App list does not show chart for Helm app
+- #2741 argocd local sync cannot parse kubernetes version
+- #2754 BeforeHookCreation should be the default hook
+- #2767 Fix bug whereby retry does not work for CLI
+- #2770 Always cache miss for manifests
+- #1345 argocd-application-controller: can not retrieve list of objects using index : Index with name namespace does not exist
+
+## v1.3.0 (2019-11-13)
+
+#### New Features
+
+##### Helm 1st-Class Support
+
+We know that for many of our users, they want to deploy existing Helm charts using Argo CD. Up until now that has required you to create an Argo CD app in a Git repo that does nothing but point to that chart. Now you can use a Helm chart repository is the same way as a Git repository.
+
+On top of that, we've improved support for Helm apps. The most common types of Helm hooks such as `pre-install` and `post-install` are supported as well as a the delete policy `before-hook-creation` which makes it easier to work with hooks.
+
+https://youtu.be/GP7xtrnNznw
+
+##### Orphan Resources
+
+Some users would like to make sure that resources in a namespace are managed only by Argo CD. So we've introduced the concept of an "orphan resource" - any resource that is in namespace associated with an app, but not managed by Argo CD. This is enabled in the project settings. Once enabled, Argo CD will show in the app view any resources in the app's namespace that is not managed by Argo CD. 
+
+https://youtu.be/9ZoTevVQf5I
+
+##### Sync Windows
+
+There may be instances when you want to control the times during which an Argo CD app can sync. Sync Windows now gives you the capability to create windows of time in which apps are either allowed or denied the ability to sync. This can apply to both manual and auto-sync, or just auto-sync. The windows are configured at the project level and assigned to apps using app name, namespace or cluster. Wildcards are supported for all fields.
+
+#### Enhancements
+
+* [UI] Add application labels to Applications list and Applications details page (#1099)
+* Helm repository as first class Argo CD Application source (#1145)
+* Ability to generate a warn/alert when a namespace deviates from the expected state (#1167)
+* Improve diff support for resource requests/limits (#1615)
+* HTTP API should allow JWT to be passed via Authorization header (#1642)
+* Ability to create & upsert projects from spec (#1852)
+* Support for in-line block from helm chart values (#1930)
+* Request OIDC groups claim if groups scope is not supported (#1956)
+* Add a maintenance window for Applications with automated syncing (#1995)
+* Support `argocd.argoproj.io/hook-delete-policy: BeforeHookCreation` (#2036)
+* Support setting Helm string parameters using CLI/UI (#2078)
+* Config management plugin environment variable UI/CLI support (#2203)
+* Helm: auto-detect URLs (#2260)
+* Helm: UI improvements (#2261)
+* Support `helm template --kube-version ` (#2275)
+* Use community icons for resources (#2277)
+* Make `group` optional for `ignoreDifferences` config (#2298)
+* Update Helm docs (#2315)
+* Add cluster information into Splunk (#2354)
+* argocd list command should have filter options like by project (#2396)
+* Add target/current revision to status badge (#2445)
+* Update tooling to use Kustomize v3 (#2487)
+* Update root `Dockerfile` to use the `hack/install.sh` (#2488)
+* Support and document using HPA for repo-server (#2559)
+* Upgrade Helm  (#2587)
+* UI fixes for "Sync Apps" panel. (#2604)
+* Upgrade kustomize from v3.1.0 to v3.2.1 (#2609)
+* Map helm lifecycle hooks to ArgoCD pre/post/sync hooks (#355)
+* [UI] Enhance app creation page with Helm parameters overrides (#1059)
+
+#### Bug Fixes
+
+- failed parsing on parameters with comma (#1660)
+- Statefulset with OnDelete Update Strategy stuck progressing (#1881)
+- Warning during secret diffing (#1923)
+- Error message "Unable to load data: key is missing" is confusing (#1944)
+- OIDC group bindings are truncated (#2006)
+- Multiple parallel app syncs causes OOM (#2022)
+- Unknown error when setting params with argocd app set on helm app (#2046)
+- Endpoint is no longer shown as a child of services (#2060)
+- SSH known hosts entry cannot be deleted if contains shell pattern in name (#2099)
+- Application 404s on names with periods (#2114)
+- Adding certs for hostnames ending with a dot (.) is not possible (#2116)
+- Fix `TestHookDeleteBeforeCreation` (#2141)
+- v1.2.0-rc1 nil pointer dereference when syncing (#2146)
+- Replacing services failure (#2150)
+- 1.2.0-rc1 - Authentication Required error in Repo Server (#2152)
+- v1.2.0-rc1 Applications List View doesn't work (#2174)
+- Manual sync does not trigger Presync hooks (#2185)
+- SyncError app condition disappears during app reconciliation (#2192)
+- argocd app wait\sync prints 'Unknown' for resources without health (#2198)
+- 1.2.0-rc2 Warning during secret diffing (#2206)
+- SSO redirect url is incorrect if configured Argo CD URL has trailing slash (#2212)
+- Application summary diff page shows hooks (#2215)
+- An app with a single resource and Sync hook remains progressing (#2216)
+- CONTRIBUTING documentation outdated (#2231)
+- v1.2.0-rc2 does not retrieve http(s) based git repository behind the proxy (#2243)
+- Intermittent "git ls-remote" request failures should not fail app reconciliation (#2245)
+- Result of ListApps operation for Git repo is cached incorrectly (#2263)
+- ListApps does not utilize cache (#2287)
+- Controller panics due to nil pointer error (#2290)
+- The Helm --kube-version support does not work on GKE: (#2303)
+- Fixes bug that prevents you creating repos via UI/CLI.  (#2308)
+- The 'helm.repositories' settings is dropped without migration path (#2316)
+- Badge response does not contain cache control header (#2317)
+- Inconsistent sync result from UI and CLI (#2321)
+- Failed edit application with plugin type requiring environment (#2330)
+- AutoSync doesn't work anymore (#2339)
+- End-to-End tests not working with Kubernetes v1.16 (#2371)
+- Creating an application from Helm repository should select "Helm" as source type (#2378)
+- The parameters of ValidateAccess GRPC method should not be logged  (#2386)
+- Maintenance window meaning is confusing (#2398)
+- UI bug when targetRevision is omitted (#2407)
+- Too many vulnerabilities in Docker image (#2425)
+- proj windows commands not consistent with other commands (#2443)
+- Custom resource actions cannot be executed from the UI (#2448)
+- Application controller sometimes accidentally removes duplicated/excluded resource warning condition (#2453)
+- Logic that checks sync windows state in the cli is incorrect (#2455)
+- UI don't allow to create window with `* * * * *` schedule (#2475)
+- Helm Hook is executed twice if annotated with both pre-install and pre-upgrade annotations (#2480)
+- Impossible to edit chart name using App details page (#2484)
+- ArgoCD does not provide CSRF protection (#2496)
+- ArgoCD failing to install CRDs in master from Helm Charts (#2497)
+- Timestamp in Helm package file name causes error in Application with Helm source (#2549)
+- Attempting to create a repo with password but not username panics (#2567)
+- UI incorrectly mark resources as `Required Pruning` (#2577)
+- argocd app diff prints only first difference (#2616)
+- Bump min client cache version (#2619)
+- Cluster list page fails if any cluster is not reachable (#2620)
+- Repository type should be mandatory for repo add command in CLI (#2622)
+- Repo server executes unnecessary ls-remotes (#2626)
+- Application list page incorrectly filter apps by label selector (#2633)
+- Custom actions are disabled in Argo CD UI (#2635)
+- Failure of `argocd version` in the self-building container image (#2645)
+- Application list page is not updated automatically anymore (#2655)
+- Login regression issues (#2659)
+- Regression: Cannot return Kustomize version for 3.1.0 (#2662)
+- API server does not allow creating role with action `action/*` (#2670)
+- Application controller `kubectl-parallelism-limit` flag is broken (#2673)
+- Annoying toolbar flickering (#2691)
+
+## v1.2.5 (2019-10-29)
+
+- Issue #2339 - Don't update `status.reconciledAt` unless compared with latest git version (#2581)
+
+## v1.2.4 (2019-10-23)
+
+- Issue #2185 - Manual sync don't trigger hooks (#2477)
+- Issue #2339 - Controller should compare with latest git revision if app has changed (#2543)
+- Unknown child app should not affect app health (#2544)
+- Redact secrets in dex logs (#2538)
+
+## v1.2.3 (2019-10-1)
+* Make argo-cd docker images openshift friendly (#2362) (@duboisf)
+* Add dest-server and dest-namespace field to reconciliation logs (#2354)
+- Stop loggin /repository.RepositoryService/ValidateAccess parameters (#2386)
+
+## v1.2.2 (2019-09-26)
++ Resource action equivalent to `kubectl rollout restart` (#2177)
+- Badge response does not contain cache-control header (#2317) (@greenstatic)
+- Make sure the controller uses the latest git version if app reconciliation result expired (#2339)
+
+## v1.2.1 (2019-09-12)
++ Support limiting number of concurrent kubectl fork/execs (#2022)
++ Add --self-heal flag to argocd cli (#2296)
+- Fix degraded proxy support for http(s) git repository (#2243)
+- Fix nil pointer dereference in application controller (#2290)
+
+## v1.2.0 (2019-09-05)
+
+### New Features
+
+#### Server Certificate And Known Hosts Management
+
+The Server Certificate And Known Hosts Management feature makes it really easy to connect private Git repositories to Argo CD. Now Argo CD provides UI and CLI which
+enables managing certificates and known hosts which are used to access Git repositories. It is also possible to configure both hosts and certificates in a declarative manner using
+[argocd-ssh-known-hosts-cm](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-ssh-known-hosts-cm.yaml) and 
+[argocd-tls-certs-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-tls-certs-cm.yaml) config maps.
+
+#### Self-Healing
+
+The existing Automatic Sync feature allows to automatically apply any new changes in Git to the target Kubernetes cluster. However, Automatic Sync does not cover the case when the
+application is out of sync due to the unexpected change in the target cluster. The Self-Healing feature fills this gap. With Self-Healing enabled Argo CD automatically pushes the desired state from Git into the cluster every time when state deviation is detected.
+
+**Anonymous access** - enable read-only access without authentication to anyone in your organization.
+
+Support for Git LFS enabled repositories - now you can store Helm charts as tar files and enable Git LFS in your repository.
+
+**Compact diff view** - compact diff summary of the whole application in a single view.
+
+**Badge for application status** - add badge with the health and sync status of your application into README.md of your deployment repo.
+
+**Allow configuring google analytics tracking** - use Google Analytics to check how many users are visiting UI or your Argo CD instance.
+
+#### Backward Incompatible Changes
+- Kustomize v1 support is removed. All kustomize charts are built using the same Kustomize version
+- Kustomize v2.0.3 upgraded to v3.1.0 . We've noticed one backward incompatible change: https://github.com/kubernetes-sigs/kustomize/issues/42 . Starting v2.1.0 namespace prefix feature works with CRD ( which might cause renaming of generated resource definitions)
+- Argo CD config maps must be annotated with `app.kubernetes.io/part-of: argocd` label. Make sure to apply updated `install.yaml` manifest in addition to changing image version.
+
+
+#### Enhancements
++ Adds a floating action button with help and chat links to every page.… (#2124)
++ Enhances cookie warning with actual length to help users fix their co… (#2134)
++ Added 'SyncFail' to possible HookTypes in UI (#2147)
++ Support for Git LFS enabled repositories (#1853)
++ Server certificate and known hosts management (#1514)
++ Client HTTPS certificates for private git repositories (#1945)
++ Badge for application status (#1435)
++ Make the health check for APIService a built in (#1841)
++ Bitbucket Server and Gogs webhook providers (#1269)
++ Jsonnet TLA arguments in ArgoCD CLI (#1626)
++ Self Healing (#1736)
++ Compact diff view (#1831)
++ Allow Helm parameters to force ambiguously-typed values to be strings (#1846)
++ Support anonymous argocd access (#1620)
++ Allow configuring google analytics tracking (#738)
++ Bash autocompletion for argocd (#1798)
++ Additional commit metadata (#1219)
++ Displays targetRevision in app dashboards. (#1239)
++ Local path syncing (#839)
++ System level `kustomize build` options (#1789)
++ Adds support for `argocd app set` for Kustomize. (#1843)
++ Allow users to create tokens for projects where they have any role. (#1977)
++ Add Refresh button to applications table and card view (#1606)
++ Adds CLI support for adding and removing groups from project roles. (#1851)
++ Support dry run and hook vs. apply strategy during sync (#798)
++ UI should remember most recent selected tab on resource info panel (#2007)
++ Adds link to the project from the app summary page. (#1911)
++ Different icon for resources which require pruning (#1159)
+
+#### Bug Fixes
+
+- Do not panic if the type is not api.Status (an error scenario) (#2105)
+- Make sure endpoint is shown as a child of service (#2060)
+- Word-wraps app info in the table and list views. (#2004)
+- Project source/destination removal should consider wildcards (#1780)
+- Repo whitelisting in UI does not support wildcards (#2000)
+- Wait for CRD creation during sync process (#1940)
+- Added a button to select out of sync items in the sync panel (#1902)
+- Proper handling of an excluded resource in an application (#1621)
+- Stop repeating logs on stoped container (#1614)
+- Fix git repo url parsing on application list view (#2174)
+- Fix nil pointer dereference error during app reconciliation (#2146)
+- Fix history api fallback implementation to support app names with dots (#2114)
+- Fixes some code issues related to Kustomize build options. (#2146)
+- Adds checks around valid paths for apps (#2133)
+- Endpoint incorrectly considered top level managed resource (#2060)
+- Allow adding certs for hostnames ending on a dot (#2116)
+
+#### Other
+* Upgrade kustomize to v3.1.0 (#2068)
+* Remove support for Kustomize 1. (#1573)
+
+#### Contributors
+
+* [alexec](https://github.com/alexec)
+* [alexmt](https://github.com/alexmt)
+* [dmizelle](https://github.com/dmizelle)
+* [lcostea](https://github.com/lcostea)
+* [jutley](https://github.com/jutley)
+* [masa213f](https://github.com/masa213f)
+* [Rayyis](https://github.com/Rayyis)
+* [simster7](https://github.com/simster7)
+* [dthomson25](https://github.com/dthomson25)
+* [jannfis](https://github.com/jannfis)
+* [naynasiddharth](https://github.com/naynasiddharth)
+* [stgarf](https://github.com/stgarf)
+
+
 ## v1.1.2 (2019-07-30)
 - 'argocd app wait' should print correct sync status (#2049)
 - Check that TLS is enabled when registering DEX Handlers (#2047)
@@ -300,7 +1229,7 @@ Argo CD introduces some additional CLI commands:
 #### Label selector changes, dex-server rename
 
 The label selectors for deployments were been renamed to use kubernetes common labels
-(`app.kuberentes.io/name=NAME` instead of `app=NAME`). Since K8s deployment label selectors are
+(`app.kubernetes.io/name=NAME` instead of `app=NAME`). Since K8s deployment label selectors are
 immutable, during an upgrade from v0.11 to v0.12, the old deployments should be deleted using
 `--cascade=false` which allows the new deployments to be created without introducing downtime.
 Once the new deployments are ready, the older replicasets can be deleted. Use the following
@@ -397,7 +1326,7 @@ has a minimum client version of v0.12.0. Older CLI clients will be rejected.
 - Fix CRD creation/deletion handling (#1249)
 - Git cloning via SSH was not verifying host public key (#1276)
 - Fixed multiple goroutine leaks in controller and api-server
-- Fix isssue where `argocd app set -p` required repo privileges. (#1280)
+- Fix issue where `argocd app set -p` required repo privileges. (#1280)
 - Fix local diff of non-namespaced resources. Also handle duplicates in local diff (#1289)
 - Deprecated resource kinds from 'extensions' groups are not reconciled correctly (#1232)
 - Fix issue where CLI would panic after timeout when cli did not have get permissions (#1209)
@@ -575,7 +1504,7 @@ which have a dependency to external helm repositories.
 
 + Allow more fine-grained sync (issue #508)
 + Display init container logs (issue #681)
-+ Redirect to /auth/login instead of /login when SSO token is used for authenticaion (issue #348)
++ Redirect to /auth/login instead of /login when SSO token is used for authentication (issue #348)
 + Support ability to use a helm values files from a URL (issue #624)
 + Support public not-connected repo in app creation UI (issue #426)
 + Use ksonnet CLI instead of ksonnet libs (issue #626)
@@ -850,7 +1779,7 @@ RBAC policy rules, need to be rewritten to include one extra column with the eff
 + Sync/Rollback/Delete is asynchronously handled by controller
 * Refactor CRUD operation on clusters and repos
 * Sync will always perform kubectl apply
-* Synced Status considers last-applied-configuration annotatoin
+* Synced Status considers last-applied-configuration annotation
 * Server & namespace are mandatory fields (still inferred from app.yaml)
 * Manifests are memoized in repo server
 - Fix connection timeouts to SSH repos

Dockerfile

@@ -1,12 +1,12 @@
-ARG BASE_IMAGE=debian:9.5-slim
+ARG BASE_IMAGE=ubuntu:20.10
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM golang:1.12.6 as builder
+FROM golang:1.14.12 as builder
 
-RUN echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list
+RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
 RUN apt-get update && apt-get install -y \
     openssh-server \
@@ -23,47 +23,15 @@ RUN apt-get update && apt-get install -y \
 
 WORKDIR /tmp
 
-# Install dep
-ENV DEP_VERSION=0.5.0
-RUN wget https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 -O /usr/local/bin/dep && \
-    chmod +x /usr/local/bin/dep
+ADD hack/install.sh .
+ADD hack/installers installers
+ADD hack/tool-versions.sh .
 
-# Install packr
-ENV PACKR_VERSION=1.21.9
-RUN wget https://github.com/gobuffalo/packr/releases/download/v${PACKR_VERSION}/packr_${PACKR_VERSION}_linux_amd64.tar.gz && \
-    tar -vxf packr*.tar.gz -C /tmp/ && \
-    mv /tmp/packr /usr/local/bin/packr
-
-# Install kubectl
-# NOTE: keep the version synced with https://storage.googleapis.com/kubernetes-release/release/stable.txt
-ENV KUBECTL_VERSION=1.14.0
-RUN curl -L -o /usr/local/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl && \
-    chmod +x /usr/local/bin/kubectl && \
-    kubectl version --client
-
-# Install ksonnet
-ENV KSONNET_VERSION=0.13.1
-RUN wget https://github.com/ksonnet/ksonnet/releases/download/v${KSONNET_VERSION}/ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
-    tar -C /tmp/ -xf ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
-    mv /tmp/ks_${KSONNET_VERSION}_linux_amd64/ks /usr/local/bin/ks && \
-    ks version
-
-# Install helm
-ENV HELM_VERSION=2.12.1
-RUN wget https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
-    tar -C /tmp/ -xf helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
-    mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
-    helm version --client
-
-ENV KUSTOMIZE_VERSION=3.1.0
-RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/kustomize && \
-    kustomize version
-
-# Install AWS IAM Authenticator
-ENV AWS_IAM_AUTHENTICATOR_VERSION=0.4.0-alpha.1
-RUN curl -L -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/${AWS_IAM_AUTHENTICATOR_VERSION}/aws-iam-authenticator_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/aws-iam-authenticator
+RUN ./install.sh packr-linux
+RUN ./install.sh ksonnet-linux
+RUN ./install.sh helm2-linux
+RUN ./install.sh helm-linux
+RUN ./install.sh kustomize-linux
 
 ####################################################################################################
 # Argo CD Base - used as the base for both the release and dev argocd images
@@ -72,23 +40,31 @@ FROM $BASE_IMAGE as argocd-base
 
 USER root
 
-RUN echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list
+ENV DEBIAN_FRONTEND=noninteractive
 
 RUN groupadd -g 999 argocd && \
     useradd -r -u 999 -g argocd argocd && \
     mkdir -p /home/argocd && \
-    chown argocd:argocd /home/argocd && \
+    chown argocd:0 /home/argocd && \
+    chmod g=u /home/argocd && \
+    chmod g=u /etc/passwd && \
     apt-get update && \
-    apt-get install -y git git-lfs && \
+    apt-get dist-upgrade -y && \
+    apt-get install -y git git-lfs python3-pip tini gpg && \
     apt-get clean && \
+    pip3 install awscli==1.18.80 && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 COPY hack/git-ask-pass.sh /usr/local/bin/git-ask-pass.sh
+COPY hack/gpg-wrapper.sh /usr/local/bin/gpg-wrapper.sh
+COPY hack/git-verify-wrapper.sh /usr/local/bin/git-verify-wrapper.sh
 COPY --from=builder /usr/local/bin/ks /usr/local/bin/ks
+COPY --from=builder /usr/local/bin/helm2 /usr/local/bin/helm2
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
-COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
-COPY --from=builder /usr/local/bin/aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
+# script to add current (possibly arbitrary) user to /etc/passwd at runtime
+# (if it's not already there, to be openshift friendly)
+COPY uid_entrypoint.sh /usr/local/bin/uid_entrypoint.sh
 
 # support for mounting configuration from a configmap
 RUN mkdir -p /app/config/ssh && \
@@ -96,17 +72,21 @@ RUN mkdir -p /app/config/ssh && \
     ln -s /app/config/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts 
 
 RUN mkdir -p /app/config/tls
+RUN mkdir -p /app/config/gpg/source && \
+    mkdir -p /app/config/gpg/keys && \
+    chown argocd /app/config/gpg/keys && \
+    chmod 0700 /app/config/gpg/keys
 
 # workaround ksonnet issue https://github.com/ksonnet/ksonnet/issues/298
 ENV USER=argocd
 
-USER argocd
+USER 999
 WORKDIR /home/argocd
 
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM node:11.15.0 as argocd-ui
+FROM node:12.18.4 as argocd-ui
 
 WORKDIR /src
 ADD ["ui/package.json", "ui/yarn.lock", "./"]
@@ -122,27 +102,26 @@ RUN NODE_ENV='production' yarn build
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM golang:1.12.6 as argocd-build
+FROM golang:1.14.12 as argocd-build
 
-COPY --from=builder /usr/local/bin/dep /usr/local/bin/dep
 COPY --from=builder /usr/local/bin/packr /usr/local/bin/packr
 
-# A dummy directory is created under $GOPATH/src/dummy so we are able to use dep
-# to install all the packages of our dep lock file
-COPY Gopkg.toml ${GOPATH}/src/dummy/Gopkg.toml
-COPY Gopkg.lock ${GOPATH}/src/dummy/Gopkg.lock
+WORKDIR /go/src/github.com/argoproj/argo-cd
 
-RUN cd ${GOPATH}/src/dummy && \
-    dep ensure -vendor-only && \
-    mv vendor/* ${GOPATH}/src/ && \
-    rmdir vendor
+COPY go.mod go.mod
+COPY go.sum go.sum
+
+RUN go mod download
 
 # Perform the build
-WORKDIR /go/src/github.com/argoproj/argo-cd
 COPY . .
-RUN make cli server controller repo-server argocd-util && \
-    make CLI_NAME=argocd-darwin-amd64 GOOS=darwin cli
+RUN make argocd-all
 
+ARG BUILD_ALL_CLIS=true
+RUN if [ "$BUILD_ALL_CLIS" = "true" ] ; then \
+    make BIN_NAME=argocd-darwin-amd64 GOOS=darwin argocd-all && \
+    make BIN_NAME=argocd-windows-amd64.exe GOOS=windows argocd-all \
+    ; fi
 
 ####################################################################################################
 # Final image
@@ -151,3 +130,11 @@ FROM argocd-base
 COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/local/bin/
 COPY --from=argocd-ui ./src/dist/app /shared/app
 
+USER root
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-util
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex
+
+USER 999

Dockerfile.dev

@@ -2,4 +2,18 @@
 # argocd-dev
 ####################################################################################################
 FROM argocd-base
-COPY argocd* /usr/local/bin/
+COPY argocd /usr/local/bin/
+COPY argocd-darwin-amd64 /usr/local/bin/
+COPY argocd-windows-amd64.exe /usr/local/bin/
+
+USER root
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex
+RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-util
+RUN ln -s /usr/local/bin/argocd-darwin-amd64 /usr/local/bin/argocd-util-darwin-amd64
+RUN ln -s /usr/local/bin/argocd-windows-amd64.exe /usr/local/bin/argocd-util-windows-amd64.exe
+USER 999
+
+COPY --from=argocd-ui ./src/dist/app /shared/app

Gopkg.toml

@@ -1,82 +0,0 @@
-# Packages should only be added to the following list when we use them *outside* of our go code.
-# (e.g. we want to build the binary to invoke as part of the build process, such as in
-# generate-proto.sh). Normal use of golang packages should be added via `dep ensure`, and pinned
-# with a [[constraint]] or [[override]] when version is important.
-required = [
-  "github.com/golang/protobuf/protoc-gen-go",
-  "github.com/gogo/protobuf/protoc-gen-gofast",
-  "github.com/gogo/protobuf/protoc-gen-gogofast",
-  "k8s.io/code-generator/cmd/go-to-protobuf",
-  "k8s.io/kube-openapi/cmd/openapi-gen",
-  "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway",
-  "github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger",
-  "golang.org/x/sync/errgroup",
-]
-
-[[constraint]]
-  name = "google.golang.org/grpc"
-  version = "1.15.0"
-
-[[constraint]]
-  name = "github.com/gogo/protobuf"
-  version = "1.1.1"
-
-# override github.com/grpc-ecosystem/go-grpc-middleware's constraint on master
-[[override]]
-  name = "github.com/golang/protobuf"
-  version = "1.2.0"
-
-[[constraint]]
-  name = "github.com/grpc-ecosystem/grpc-gateway"
-  version = "v1.3.1"
-
-# prometheus does not believe in semversioning yet
-[[constraint]]
-  name = "github.com/prometheus/client_golang"
-  revision = "7858729281ec582767b20e0d696b6041d995d5e0"
-
-[[override]]
-  branch = "release-1.14"
-  name = "k8s.io/api"
-
-[[override]]
-  branch = "release-1.14"
-  name = "k8s.io/kubernetes"
-
-[[override]]
-  branch = "release-1.14"
-  name = "k8s.io/code-generator"
-
-[[override]]
-  branch = "release-1.14"
-  name = "k8s.io/apimachinery"
-
-[[override]]
-  branch = "release-11.0"
-  name = "k8s.io/client-go"
-
-[[constraint]]
-  name = "github.com/stretchr/testify"
-  version = "1.2.2"
-
-[[constraint]]
-  name = "github.com/gobuffalo/packr"
-  version = "v1.11.0"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/argoproj/pkg"
-
-[[constraint]]
-  branch = "master"
-  name = "github.com/yudai/gojsondiff"
-
-[[constraint]]
-  name = "github.com/spf13/cobra"
-  revision = "fe5e611709b0c57fa4a89136deaa8e1d4004d053"
-
-# TODO: move off of k8s.io/kube-openapi and use controller-tools for CRD spec generation
-# (override argoproj/argo contraint on master)
-[[override]]
-  revision = "411b2483e5034420675ebcdd4a55fc76fe5e55cf"
-  name = "k8s.io/kube-openapi"

Makefile

@@ -2,38 +2,133 @@ PACKAGE=github.com/argoproj/argo-cd/common
 CURRENT_DIR=$(shell pwd)
 DIST_DIR=${CURRENT_DIR}/dist
 CLI_NAME=argocd
+UTIL_CLI_NAME=argocd-util
+BIN_NAME=argocd
+
+HOST_OS:=$(shell go env GOOS)
+HOST_ARCH:=$(shell go env GOARCH)
 
 VERSION=$(shell cat ${CURRENT_DIR}/VERSION)
 BUILD_DATE=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
 GIT_COMMIT=$(shell git rev-parse HEAD)
 GIT_TAG=$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)
 GIT_TREE_STATE=$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
-PACKR_CMD=$(shell if [ "`which packr`" ]; then echo "packr"; else echo "go run vendor/github.com/gobuffalo/packr/packr/main.go"; fi)
+PACKR_CMD=$(shell if [ "`which packr`" ]; then echo "packr"; else echo "go run github.com/gobuffalo/packr/packr"; fi)
+VOLUME_MOUNT=$(shell if test "$(go env GOOS)" = "darwin"; then echo ":delegated"; elif test selinuxenabled; then echo ":delegated"; else echo ""; fi)
+KUBECTL_VERSION=$(shell go list -m all | grep k8s.io/client-go | cut -d ' ' -f5)
 
-define run-in-dev-tool
-    docker run --rm -it -u $(shell id -u) -e HOME=/home/user -v ${CURRENT_DIR}:/go/src/github.com/argoproj/argo-cd -w /go/src/github.com/argoproj/argo-cd argocd-dev-tools bash -c "GOPATH=/go $(1)"
+GOPATH?=$(shell if test -x `which go`; then go env GOPATH; else echo "$(HOME)/go"; fi)
+GOCACHE?=$(HOME)/.cache/go-build
+
+DOCKER_SRCDIR?=$(GOPATH)/src
+DOCKER_WORKDIR?=/go/src/github.com/argoproj/argo-cd
+
+ARGOCD_PROCFILE?=Procfile
+
+# Strict mode has been disabled in latest versions of mkdocs-material. 
+# Thus pointing to the older image of mkdocs-material matching the version used by argo-cd.
+MKDOCS_DOCKER_IMAGE?=squidfunk/mkdocs-material:4.1.1
+MKDOCS_RUN_ARGS?=
+
+# Configuration for building argocd-test-tools image
+TEST_TOOLS_NAMESPACE?=
+TEST_TOOLS_IMAGE=argocd-test-tools
+TEST_TOOLS_TAG?=latest
+ifdef TEST_TOOLS_NAMESPACE
+TEST_TOOLS_PREFIX=${TEST_TOOLS_NAMESPACE}/
+endif
+
+# You can change the ports where ArgoCD components will be listening on by
+# setting the appropriate environment variables before running make.
+ARGOCD_E2E_APISERVER_PORT?=8080
+ARGOCD_E2E_REPOSERVER_PORT?=8081
+ARGOCD_E2E_REDIS_PORT?=6379
+ARGOCD_E2E_DEX_PORT?=5556
+ARGOCD_E2E_YARN_HOST?=localhost
+
+ARGOCD_IN_CI?=false
+ARGOCD_TEST_E2E?=true
+
+ARGOCD_LINT_GOGC?=20
+
+# Depending on where we are (legacy or non-legacy pwd), we need to use
+# different Docker volume mounts for our source tree
+LEGACY_PATH=$(GOPATH)/src/github.com/argoproj/argo-cd
+ifeq ("$(PWD)","$(LEGACY_PATH)")
+DOCKER_SRC_MOUNT="$(DOCKER_SRCDIR):/go/src$(VOLUME_MOUNT)"
+else
+DOCKER_SRC_MOUNT="$(PWD):/go/src/github.com/argoproj/argo-cd$(VOLUME_MOUNT)"
+endif
+
+# Runs any command in the argocd-test-utils container in server mode
+# Server mode container will start with uid 0 and drop privileges during runtime
+define run-in-test-server
+	docker run --rm -it \
+		--name argocd-test-server \
+		-u $(shell id -u):$(shell id -g) \
+		-e USER_ID=$(shell id -u) \
+		-e HOME=/home/user \
+		-e GOPATH=/go \
+		-e GOCACHE=/tmp/go-build-cache \
+		-e ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
+		-e ARGOCD_E2E_TEST=$(ARGOCD_E2E_TEST) \
+		-e ARGOCD_E2E_YARN_HOST=$(ARGOCD_E2E_YARN_HOST) \
+		-v ${DOCKER_SRC_MOUNT} \
+		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
+		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
+		-v ${HOME}/.kube:/home/user/.kube${VOLUME_MOUNT} \
+		-v /tmp:/tmp${VOLUME_MOUNT} \
+		-w ${DOCKER_WORKDIR} \
+		-p ${ARGOCD_E2E_APISERVER_PORT}:8080 \
+		-p 4000:4000 \
+		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
+		bash -c "$(1)"
+endef
+
+# Runs any command in the argocd-test-utils container in client mode
+define run-in-test-client
+	docker run --rm -it \
+	  --name argocd-test-client \
+		-u $(shell id -u):$(shell id -g) \
+		-e HOME=/home/user \
+		-e GOPATH=/go \
+		-e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) \
+		-e GOCACHE=/tmp/go-build-cache \
+		-e ARGOCD_LINT_GOGC=$(ARGOCD_LINT_GOGC) \
+		-v ${DOCKER_SRC_MOUNT} \
+		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
+		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
+		-v ${HOME}/.kube:/home/user/.kube${VOLUME_MOUNT} \
+		-v /tmp:/tmp${VOLUME_MOUNT} \
+		-w ${DOCKER_WORKDIR} \
+		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
+		bash -c "$(1)"
+endef
+
+# 
+define exec-in-test-server
+	docker exec -it -u $(shell id -u):$(shell id -g) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
 endef
 
 PATH:=$(PATH):$(PWD)/hack
 
 # docker image publishing options
 DOCKER_PUSH?=false
-IMAGE_TAG?=latest
+IMAGE_NAMESPACE?=
 # perform static compilation
 STATIC_BUILD?=true
 # build development images
 DEV_IMAGE?=false
-# lint is memory and CPU intensive, so we can limit on CI to mitigate OOM
-LINT_GOGC?=off
-LINT_CONCURRENCY?=8
-# Set timeout for linter
-LINT_DEADLINE?=1m0s
+ARGOCD_GPG_ENABLED?=true
+ARGOCD_E2E_APISERVER_PORT?=8080
 
 override LDFLAGS += \
   -X ${PACKAGE}.version=${VERSION} \
   -X ${PACKAGE}.buildDate=${BUILD_DATE} \
   -X ${PACKAGE}.gitCommit=${GIT_COMMIT} \
-  -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}
+  -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}\
+  -X ${PACKAGE}.gitTreeState=${GIT_TREE_STATE}\
+  -X ${PACKAGE}.kubectlVersion=${KUBECTL_VERSION}
 
 ifeq (${STATIC_BUILD}, true)
 override LDFLAGS += -extldflags "-static"
@@ -42,6 +137,8 @@ endif
 ifneq (${GIT_TAG},)
 IMAGE_TAG=${GIT_TAG}
 LDFLAGS += -X ${PACKAGE}.gitTag=${GIT_TAG}
+else
+IMAGE_TAG?=latest
 endif
 
 ifeq (${DOCKER_PUSH},true)
@@ -57,85 +154,134 @@ endif
 .PHONY: all
 all: cli image argocd-util
 
+# We have some legacy requirements for being checked out within $GOPATH.
+# The ensure-gopath target can be used as dependency to ensure we are running
+# within these boundaries.
+.PHONY: ensure-gopath
+ensure-gopath:
+ifneq ("$(PWD)","$(LEGACY_PATH)")
+	@echo "Due to legacy requirements for codegen, repository needs to be checked out within \$$GOPATH"
+	@echo "Location of this repo should be '$(LEGACY_PATH)' but is '$(PWD)'"
+	@exit 1
+endif
+
+.PHONY: gogen
+gogen: ensure-gopath
+	export GO111MODULE=off
+	go generate ./util/argo/...
+
 .PHONY: protogen
-protogen:
+protogen: ensure-gopath
+	export GO111MODULE=off
 	./hack/generate-proto.sh
 
 .PHONY: openapigen
-openapigen:
+openapigen: ensure-gopath
+	export GO111MODULE=off
 	./hack/update-openapi.sh
 
 .PHONY: clientgen
-clientgen:
+clientgen: ensure-gopath
+	export GO111MODULE=off
 	./hack/update-codegen.sh
 
+.PHONY: clidocsgen
+clidocsgen: ensure-gopath
+	go run tools/cmd-docs/main.go	
+
 .PHONY: codegen-local
-codegen-local: protogen clientgen openapigen manifests-local
+codegen-local: ensure-gopath mod-vendor-local gogen protogen clientgen openapigen clidocsgen manifests-local
+	rm -rf vendor/
 
 .PHONY: codegen
-codegen: dev-tools-image
-	$(call run-in-dev-tool,make codegen-local)
+codegen: test-tools-image
+	$(call run-in-test-client,make codegen-local)
 
 .PHONY: cli
-cli: clean-debug
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd/argocd
+cli: test-tools-image
+	$(call run-in-test-client, GOOS=${HOST_OS} GOARCH=${HOST_ARCH} make cli-local)
+
+.PHONY: cli-local
+cli-local: clean-debug
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
+
+.PHONY: cli-argocd
+cli-argocd:
+	go build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
 
 .PHONY: release-cli
 release-cli: clean-debug image
 	docker create --name tmp-argocd-linux $(IMAGE_PREFIX)argocd:$(IMAGE_TAG)
 	docker cp tmp-argocd-linux:/usr/local/bin/argocd ${DIST_DIR}/argocd-linux-amd64
 	docker cp tmp-argocd-linux:/usr/local/bin/argocd-darwin-amd64 ${DIST_DIR}/argocd-darwin-amd64
+	docker cp tmp-argocd-linux:/usr/local/bin/argocd-windows-amd64.exe ${DIST_DIR}/argocd-windows-amd64.exe
 	docker rm tmp-argocd-linux
 
 .PHONY: argocd-util
 argocd-util: clean-debug
 	# Build argocd-util as a statically linked binary, so it could run within the alpine-based dex container (argoproj/argo-cd#844)
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${UTIL_CLI_NAME} ./cmd
 
-.PHONY: dev-tools-image
-dev-tools-image:
-	docker build -t argocd-dev-tools ./hack -f ./hack/Dockerfile.dev-tools
+# .PHONY: dev-tools-image
+# dev-tools-image:
+# 	docker build -t $(DEV_TOOLS_PREFIX)$(DEV_TOOLS_IMAGE) . -f hack/Dockerfile.dev-tools
+# 	docker tag $(DEV_TOOLS_PREFIX)$(DEV_TOOLS_IMAGE) $(DEV_TOOLS_PREFIX)$(DEV_TOOLS_IMAGE):$(DEV_TOOLS_VERSION)
+
+.PHONY: test-tools-image
+test-tools-image:
+	docker build --build-arg UID=$(shell id -u) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
+	docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
 
 .PHONY: manifests-local
 manifests-local:
 	./hack/update-manifests.sh
 
 .PHONY: manifests
-manifests: dev-tools-image
-	$(call run-in-dev-tool,make manifests-local IMAGE_TAG='${IMAGE_TAG}')
+manifests: test-tools-image
+	$(call run-in-test-client,make manifests-local IMAGE_NAMESPACE='${IMAGE_NAMESPACE}' IMAGE_TAG='${IMAGE_TAG}')
 
+# consolidated binary for cli, util, server, repo-server, controller
+.PHONY: argocd-all
+argocd-all: clean-debug
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
 
 # NOTE: we use packr to do the build instead of go, since we embed swagger files and policy.csv
 # files into the go binary
 .PHONY: server
 server: clean-debug
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd/argocd-server
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd
 
 .PHONY: repo-server
 repo-server:
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd
 
 .PHONY: controller
 controller:
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd/argocd-application-controller
+	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd
 
 .PHONY: packr
 packr:
-	go build -o ${DIST_DIR}/packr ./vendor/github.com/gobuffalo/packr/packr/
+	go build -o ${DIST_DIR}/packr github.com/gobuffalo/packr/packr/
 
 .PHONY: image
 ifeq ($(DEV_IMAGE), true)
 # The "dev" image builds the binaries from the users desktop environment (instead of in Docker)
 # which speeds up builds. Dockerfile.dev needs to be copied into dist to perform the build, since
 # the dist directory is under .dockerignore.
+IMAGE_TAG="dev-$(shell git describe --always --dirty)"
 image: packr
 	docker build -t argocd-base --target argocd-base .
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd/argocd-server
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd/argocd-application-controller
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-util ./cmd/argocd-util
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd/argocd
-	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-darwin-amd64 ./cmd/argocd
+	docker build -t argocd-ui --target argocd-ui .
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-darwin-amd64 ./cmd
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-windows-amd64.exe ./cmd
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-server
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-application-controller
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-repo-server
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-dex
+	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-util
+	ln -sfn ${DIST_DIR}/argocd-darwin-amd64 ${DIST_DIR}/argocd-util-darwin-amd64
+	ln -sfn ${DIST_DIR}/argocd-windows-amd64.exe ${DIST_DIR}/argocd-util-windows-amd64.exe
 	cp Dockerfile.dev dist
 	docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
 else
@@ -144,49 +290,151 @@ image:
 endif
 	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) ; fi
 
+.PHONY: armimage
+# The "BUILD_ALL_CLIS" argument is to skip building the CLIs for darwin and windows
+# which would take a really long time.
+armimage:
+	docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG)-arm . --build-arg BUILD_ALL_CLIS="false"
+
 .PHONY: builder-image
 builder-image:
 	docker build  -t $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) --target builder .
 	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) ; fi
 
-.PHONY: dep-ensure
-dep-ensure:
-	dep ensure -no-vendor
+.PHONY: mod-download
+mod-download: test-tools-image
+	$(call run-in-test-client,go mod download)
 
+.PHONY: mod-download-local
+mod-download-local:
+	go mod download
+
+.PHONY: mod-vendor
+mod-vendor: test-tools-image
+	$(call run-in-test-client,go mod vendor)
+
+.PHONY: mod-vendor-local
+mod-vendor-local: mod-download-local
+	go mod vendor
+
+# Deprecated - replace by install-local-tools
+.PHONY: install-lint-tools
+install-lint-tools:
+	./hack/install.sh lint-tools
+
+# Run linter on the code
 .PHONY: lint
-lint:
-	# golangci-lint does not do a good job of formatting imports
-	goimports -local github.com/argoproj/argo-cd -w `find . ! -path './vendor/*' ! -path './pkg/client/*' -type f -name '*.go'`
-	GOGC=$(LINT_GOGC) golangci-lint run --fix --verbose --concurrency $(LINT_CONCURRENCY) --deadline $(LINT_DEADLINE)
+lint: test-tools-image
+	$(call run-in-test-client,make lint-local)
 
+# Run linter on the code (local version)
+.PHONY: lint-local
+lint-local:
+	golangci-lint --version
+	# NOTE: If you get a "Killed" OOM message, try reducing the value of GOGC
+	# See https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
+	GOGC=$(ARGOCD_LINT_GOGC) GOMAXPROCS=2 golangci-lint run --fix --verbose --timeout 300s
+
+.PHONY: lint-ui
+lint-ui: test-tools-image
+	$(call run-in-test-client,make lint-ui-local)
+
+.PHONY: lint-ui-local
+lint-ui-local:
+	cd ui && yarn lint
+
+# Build all Go code
 .PHONY: build
-build:
+build: test-tools-image
+	mkdir -p $(GOCACHE)
+	$(call run-in-test-client, make build-local)
+
+# Build all Go code (local version)
+.PHONY: build-local
+build-local:
 	go build -v `go list ./... | grep -v 'resource_customizations\|test/e2e'`
 
+# Run all unit tests
+#
+# If TEST_MODULE is set (to fully qualified module name), only this specific
+# module will be tested.
 .PHONY: test
-test:
-	go test -v -covermode=count -coverprofile=coverage.out `go list ./... | grep -v "test/e2e"`
+test: test-tools-image
+	mkdir -p $(GOCACHE)
+	$(call run-in-test-client,make TEST_MODULE=$(TEST_MODULE) test-local)
 
-.PHONY: cover
-cover:
-	go tool cover -html=coverage.out
+# Run all unit tests (local version)
+.PHONY: test-local
+test-local:
+	if test "$(TEST_MODULE)" = ""; then \
+		./hack/test.sh -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`; \
+	else \
+		./hack/test.sh -coverprofile=coverage.out "$(TEST_MODULE)"; \
+	fi
 
+.PHONY: test-race
+test-race: test-tools-image
+	mkdir -p $(GOCACHE)
+	$(call run-in-test-client,make TEST_MODULE=$(TEST_MODULE) test-race-local)
+
+# Run all unit tests, with data race detection, skipping known failures (local version)
+.PHONY: test-race-local
+test-race-local:
+	if test "$(TEST_MODULE)" = ""; then \
+		./hack/test.sh -race -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`; \
+	else \
+		./hack/test.sh -race -coverprofile=coverage.out "$(TEST_MODULE)"; \
+	fi
+
+# Run the E2E test suite. E2E test servers (see start-e2e target) must be
+# started before.
 .PHONY: test-e2e
-test-e2e: cli
-	go test -v -timeout 10m ./test/e2e
+test-e2e:
+	$(call exec-in-test-server,make test-e2e-local)
 
+# Run the E2E test suite (local version)
+.PHONY: test-e2e-local
+test-e2e-local: cli-local
+	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
+	export GO111MODULE=off
+	ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout 20m -v ./test/e2e
+
+# Spawns a shell in the test server container for debugging purposes
+debug-test-server: test-tools-image
+	$(call run-in-test-server,/bin/bash)
+
+# Spawns a shell in the test client container for debugging purposes
+debug-test-client: test-tools-image
+	$(call run-in-test-client,/bin/bash)
+
+# Starts e2e server in a container
 .PHONY: start-e2e
-start-e2e: cli
-	killall goreman || true
-	# check we can connect to Docker to start Redis
+start-e2e: test-tools-image
 	docker version
+	mkdir -p ${GOCACHE}
+	$(call run-in-test-server,make ARGOCD_PROCFILE=test/container/Procfile start-e2e-local)
+
+# Starts e2e server locally (or within a container)
+.PHONY: start-e2e-local
+start-e2e-local:
 	kubectl create ns argocd-e2e || true
 	kubectl config set-context --current --namespace=argocd-e2e
 	kustomize build test/manifests/base | kubectl apply -f -
+	# Create GPG keys and source directories
+	if test -d /tmp/argo-e2e/app/config/gpg; then rm -rf /tmp/argo-e2e/app/config/gpg/*; fi
+	mkdir -p /tmp/argo-e2e/app/config/gpg/keys && chmod 0700 /tmp/argo-e2e/app/config/gpg/keys
+	mkdir -p /tmp/argo-e2e/app/config/gpg/source && chmod 0700 /tmp/argo-e2e/app/config/gpg/source
 	# set paths for locally managed ssh known hosts and tls certs data
 	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
 	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
-		goreman start
+	ARGOCD_GPG_DATA_PATH=/tmp/argo-e2e/app/config/gpg/source \
+	ARGOCD_GNUPGHOME=/tmp/argo-e2e/app/config/gpg/keys \
+	ARGOCD_GPG_ENABLED=true \
+	ARGOCD_E2E_DISABLE_AUTH=false \
+	ARGOCD_ZJWT_FEATURE_FLAG=always \
+	ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
+	ARGOCD_E2E_TEST=true \
+		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 
 # Cleans VSCode debug.test files from sub-dirs to prevent them from being included in packr boxes
 .PHONY: clean-debug
@@ -198,15 +446,33 @@ clean: clean-debug
 	-rm -rf ${CURRENT_DIR}/dist
 
 .PHONY: start
-start:
-	killall goreman || true
-	# check we can connect to Docker to start Redis
+start: test-tools-image
 	docker version
-	kubens argocd
-	goreman start
+	$(call run-in-test-server,make ARGOCD_PROCFILE=test/container/Procfile start-local ARGOCD_START=${ARGOCD_START})
 
+# Starts a local instance of ArgoCD
+.PHONY: start-local
+start-local: mod-vendor-local dep-ui-local
+	# check we can connect to Docker to start Redis
+	killall goreman || true
+	kubectl create ns argocd || true
+	rm -rf /tmp/argocd-local
+	mkdir -p /tmp/argocd-local
+	mkdir -p /tmp/argocd-local/gpg/keys && chmod 0700 /tmp/argocd-local/gpg/keys
+	mkdir -p /tmp/argocd-local/gpg/source
+	ARGOCD_ZJWT_FEATURE_FLAG=always \
+	ARGOCD_IN_CI=false \
+	ARGOCD_GPG_ENABLED=true \
+	ARGOCD_E2E_TEST=false \
+		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
+
+# Runs pre-commit validation with the virtualized toolchain
 .PHONY: pre-commit
-pre-commit: dep-ensure codegen build lint test
+pre-commit: codegen build lint test
+
+# Runs pre-commit validation with the local toolchain
+.PHONY: pre-commit-local
+pre-commit-local: codegen-local build-local lint-local test-local
 
 .PHONY: release-precheck
 release-precheck: manifests
@@ -216,3 +482,67 @@ release-precheck: manifests
 
 .PHONY: release
 release: pre-commit release-precheck image release-cli
+
+.PHONY: build-docs-local
+build-docs-local:
+	mkdocs build
+
+.PHONY: build-docs
+build-docs:
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} build
+
+.PHONY: serve-docs-local
+serve-docs-local:
+	mkdocs serve
+
+.PHONY: serve-docs
+serve-docs:
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} serve -a 0.0.0.0:8000
+
+.PHONY: lint-docs
+lint-docs:
+	#  https://github.com/dkhamsing/awesome_bot
+	find docs -name '*.md' -exec grep -l http {} + | xargs docker run --rm -v $(PWD):/mnt:ro dkhamsing/awesome_bot -t 3 --allow-dupe --allow-redirect --white-list `cat white-list | grep -v "#" | tr "\n" ','` --skip-save-results --
+
+# Verify that kubectl can connect to your K8s cluster from Docker
+.PHONY: verify-kube-connect
+verify-kube-connect: test-tools-image
+	$(call run-in-test-client,kubectl version)
+
+# Show the Go version of local and virtualized environments
+.PHONY: show-go-version
+show-go-version: test-tools-image
+	@echo -n "Local Go version: "
+	@go version
+	@echo -n "Docker Go version: "
+	$(call run-in-test-client,go version)
+
+# Installs all tools required to build and test ArgoCD locally
+.PHONY: install-tools-local
+install-tools-local: install-test-tools-local install-codegen-tools-local install-go-tools-local
+
+# Installs all tools required for running unit & end-to-end tests (Linux packages)
+.PHONY: install-test-tools-local
+install-test-tools-local:
+	sudo ./hack/install.sh packr-linux
+	sudo ./hack/install.sh kustomize-linux
+	sudo ./hack/install.sh ksonnet-linux
+	sudo ./hack/install.sh helm2-linux
+	sudo ./hack/install.sh helm-linux
+
+# Installs all tools required for running codegen (Linux packages)
+.PHONY: install-codegen-tools-local
+install-codegen-tools-local:
+	sudo ./hack/install.sh codegen-tools
+
+# Installs all tools required for running codegen (Go packages)
+.PHONY: install-go-tools-local
+install-go-tools-local:
+	./hack/install.sh codegen-go-tools
+
+.PHONY: dep-ui
+dep-ui: test-tools-image
+	$(call run-in-test-client,make dep-ui-local)
+
+dep-ui-local:
+	cd ui && yarn install

OWNERS

@@ -3,6 +3,15 @@ owners:
 - jessesuen
 
 approvers:
-- alexc
+- alexec
 - alexmt
+- dthomson25
+- jannfis
 - jessesuen
+- mayzhang2000
+- rachelwang20
+
+reviewers:
+- jgwest
+- wtam2018
+- tetchel

Procfile

@@ -1,7 +1,8 @@
-controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-application-controller/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --staticassets ui/dist/app"
-dex: sh -c "go run ./cmd/argocd-util/main.go gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml quay.io/dexidp/dex:v2.14.0 serve /dex.yaml"
-redis: docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:5.0.3-alpine --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}
-repo-server: sh -c "FORCE_LOG_COLORS=1 go run ./cmd/argocd-repo-server/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
+controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller go run ./cmd/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server go run ./cmd/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --staticassets ui/dist/app"
+dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.27.0 serve /dex.yaml"
+redis: docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:5.0.10-alpine --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}
+repo-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server go run ./cmd/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
-git-server: test/fixture/testrepos/start-git.sh
+git-server: test/fixture/testrepos/start-git.sh
+dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}

README.md

@@ -1,5 +1,8 @@
+[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22)
 [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
 [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
+[![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486)
 
 # Argo CD - Declarative Continuous Delivery for Kubernetes
 
@@ -9,48 +12,42 @@ Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
 
 ![Argo CD UI](docs/assets/argocd-ui.gif)
 
+[![Argo CD Demo](https://img.youtube.com/vi/0WAm0y2vLIo/0.jpg)](https://youtu.be/0WAm0y2vLIo)
+
 ## Why Argo CD?
 
-Application definitions, configurations, and environments should be declarative and version controlled.
-Application deployment and lifecycle management should be automated, auditable, and easy to understand.
-
+1. Application definitions, configurations, and environments should be declarative and version controlled.
+1. Application deployment and lifecycle management should be automated, auditable, and easy to understand.
 
 ## Who uses Argo CD?
 
-Organizations below are **officially** using Argo CD. Please send a PR with your organization name if you are using Argo CD.
-
-1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
-1. [Codility](https://www.codility.com/)
-1. [Commonbond](https://commonbond.co/)
-1. [CyberAgent](https://www.cyberagent.co.jp/en/)
-1. [END.](https://www.endclothing.com/)
-1. [GMETRI](https://gmetri.com/)
-1. [Intuit](https://www.intuit.com/)
-1. [KintoHub](https://www.kintohub.com/)
-1. [KompiTech GmbH](https://www.kompitech.com/)
-1. [Mambu](https://www.mambu.com/) 
-1. [Mirantis](https://mirantis.com/)
-1. [OpenSaaS Studio](https://opensaas.studio)
-1. [Optoro](https://www.optoro.com/)
-1. [Riskified](https://www.riskified.com/)
-1. [Saildrone](https://www.saildrone.com/)
-1. [Tesla](https://tesla.com/)
-1. [tZERO](https://www.tzero.com/)
-1. [Ticketmaster](https://ticketmaster.com)
-1. [Yieldlab](https://www.yieldlab.de/)
-1. [Volvo Cars](https://www.volvocars.com/)
+[Official Argo CD user list](USERS.md)
 
 ## Documentation
 
-To learn more about Argo CD [go to the complete documentation](https://argoproj.github.io/argo-cd/).
+To learn more about Argo CD [go to the complete documentation](https://argo-cd.readthedocs.io/).
+Check live demo at https://cd.apps.argoproj.io/.
 
 ## Community Blogs and Presentations
 
+1. [Automation of Everything - How To Combine Argo Events, Workflows & Pipelines, CD, and Rollouts](https://youtu.be/XNXJtxkUKeY)
+1. [Environments Based On Pull Requests (PRs): Using Argo CD To Apply GitOps Principles On Previews](https://youtu.be/cpAaI8p4R60)
+1. [Argo CD: Applying GitOps Principles To Manage Production Environment In Kubernetes](https://youtu.be/vpWQeoaiRM4)
+1. [Creating Temporary Preview Environments Based On Pull Requests With Argo CD And Codefresh](https://codefresh.io/continuous-deployment/creating-temporary-preview-environments-based-pull-requests-argo-cd-codefresh/)
+1. [Tutorial: Everything You Need To Become A GitOps Ninja](https://www.youtube.com/watch?v=r50tRQjisxw) 90m tutorial on GitOps and Argo CD.
 1. [Comparison of Argo CD, Spinnaker, Jenkins X, and Tekton](https://www.inovex.de/blog/spinnaker-vs-argo-cd-vs-tekton-vs-jenkins-x/)
 1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager 3.1.2](https://medium.com/ibm-cloud/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2-4395af317359)
-1. [GitOps for Kubeflow using Argo CD](https://www.kubeflow.org/docs/use-cases/gitops-for-kubeflow/)
+1. [GitOps for Kubeflow using Argo CD](https://v0-6.kubeflow.org/docs/use-cases/gitops-for-kubeflow/)
 1. [GitOps Toolsets on Kubernetes with CircleCI and Argo CD](https://www.digitalocean.com/community/tutorials/webinar-series-gitops-tool-sets-on-kubernetes-with-circleci-and-argo-cd)
 1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager](https://www.ibm.com/blogs/bluemix/2019/02/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2/)
 1. [CI/CD in Light Speed with K8s and Argo CD](https://www.youtube.com/watch?v=OdzH82VpMwI&feature=youtu.be)
 1. [Machine Learning as Code](https://www.youtube.com/watch?v=VXrGp5er1ZE&t=0s&index=135&list=PLj6h78yzYM2PZf9eA7bhWnIh_mK1vyOfU). Among other things, describes how Kubeflow uses Argo CD to implement GitOPs for ML
 1. [Argo CD - GitOps Continuous Delivery for Kubernetes](https://www.youtube.com/watch?v=aWDIQMbp1cc&feature=youtu.be&t=1m4s)
+1. [Introduction to Argo CD : Kubernetes DevOps CI/CD](https://www.youtube.com/watch?v=2WSJF7d8dUg&feature=youtu.be)
+1. [GitOps Deployment and Kubernetes - using ArgoCD](https://medium.com/riskified-technology/gitops-deployment-and-kubernetes-f1ab289efa4b)
+1. [Deploy Argo CD with Ingress and TLS in Three Steps: No YAML Yak Shaving Required](https://itnext.io/deploy-argo-cd-with-ingress-and-tls-in-three-steps-no-yaml-yak-shaving-required-bc536d401491)
+1. [GitOps Continuous Delivery with Argo and Codefresh](https://codefresh.io/events/cncf-member-webinar-gitops-continuous-delivery-argo-codefresh/)
+1. [Stay up to date with ArgoCD and Renovate](https://mjpitz.com/blog/2020/12/03/renovate-your-gitops/)
+1. [Setting up Argo CD with Helm](https://www.arthurkoziel.com/setting-up-argocd-with-helm/)
+1. [Applied GitOps with ArgoCD](https://thenewstack.io/applied-gitops-with-argocd/)
+1. [Solving configuration drift using GitOps with Argo CD](https://www.cncf.io/blog/2020/12/17/solving-configuration-drift-using-gitops-with-argo-cd/)

SECURITY.md

@@ -0,0 +1,47 @@
+# Security Policy for Argo CD
+
+Version: **v1.0 (2020-02-26)**
+
+## Preface
+
+As a deployment tool, Argo CD needs to have production access which makes
+security a very important topic. The Argoproj team takes security very
+seriously and is continuously working on improving it. 
+
+## Supported Versions
+
+We currently support the most recent release (`N`, e.g. `1.8`) and the release
+previous to the most recent one (`N-1`, e.g. `1.7`). With the release of
+`N+1`, `N-1` drops out of support and `N` becomes `N-1`.
+
+We regularly perform patch releases (e.g. `1.8.5` and `1.7.12`) for the
+supported versions, which will contain fixes for security vulnerabilities and
+important bugs. Prior releases might receive critical security fixes on a best
+effort basis, however, it cannot be guaranteed that security fixes get
+back-ported to these unsupported versions.
+
+In rare cases, where a security fix needs complex re-design of a feature or is
+otherwise very intrusive, and there's a workaround available, we may decide to
+provide a forward-fix only, e.g. to be released the next minor release, instead
+of releasing it within a patch branch for the currently supported releases.
+
+## Reporting a Vulnerability
+
+If you find a security related bug in ArgoCD, we kindly ask you for responsible
+disclosure and for giving us appropriate time to react, analyze and develop a
+fix to mitigate the found security vulnerability.
+
+We will do our best to react quickly on your inquiry, and to coordinate a fix
+and disclosure with you. Sometimes, it might take a little longer for us to
+react (e.g. out of office conditions), so please bear with us in these cases.
+
+We will publish security advisiories using the Git Hub SA feature to keep our
+community well informed, and will credit you for your findings (unless you
+prefer to stay anonymous, of course).
+
+Please report vulnerabilities by e-mail to all of the following people:
+
+* jfischer@redhat.com
+* Jesse_Suen@intuit.com
+* Alexander_Matyushentsev@intuit.com
+* Edward_Lee@intuit.com

SECURITY_CONTACTS

@@ -0,0 +1,8 @@
+# Defined below are the security contacts for this repo.
+#
+# DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
+# INSTRUCTIONS AT https://argo-cd.readthedocs.io/en/latest/security_considerations/#reporting-vulnerabilities
+
+alexmt
+edlee2121
+jessesuen

USERS.md

@@ -0,0 +1,120 @@
+## Who uses Argo CD?
+
+As the Argo Community grows, we'd like to keep track of our users. Please send a PR with your organization name if you are using Argo CD.
+
+Currently, the following organizations are **officially** using Argo CD:
+
+1. [127Labs](https://127labs.com/)
+1. [3Rein](https://www.3rein.com/)
+1. [7shifts](https://www.7shifts.com/)
+1. [Adevinta](https://www.adevinta.com/)
+1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
+1. [AppDirect](https://www.appdirect.com)
+1. [Arctiq Inc.](https://www.arctiq.ca)
+1. [ARZ Allgemeines Rechenzentrum GmbH ](https://www.arz.at/)
+1. [Baloise](https://www.baloise.com)
+1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
+1. [Beat](https://thebeat.co/en/)
+1. [Beez Innovation Labs](https://www.beezlabs.com/)
+1. [BioBox Analytics](https://biobox.io)
+1. [Camptocamp](https://camptocamp.com)
+1. [CARFAX](https://www.carfax.com)
+1. [Celonis](https://www.celonis.com/)
+1. [Codefresh](https://www.codefresh.io/)
+1. [Codility](https://www.codility.com/)
+1. [Commonbond](https://commonbond.co/)
+1. [CROZ d.o.o.](https://croz.net/)
+1. [CyberAgent](https://www.cyberagent.co.jp/en/)
+1. [Cybozu](https://cybozu-global.com)
+1. [D2iQ](https://www.d2iq.com)
+1. [Devtron Labs](https://github.com/devtron-labs/devtron)
+1. [EDF Renewables](https://www.edf-re.com/)
+1. [edX](https://edx.org)
+1. [Electronic Arts Inc. ](https://www.ea.com)
+1. [Elium](https://www.elium.com)
+1. [END.](https://www.endclothing.com/)
+1. [Energisme](https://energisme.com/)
+1. [Fave](https://myfave.com)
+1. [Future PLC](https://www.futureplc.com/)
+1. [Garner](https://www.garnercorp.com)
+1. [GMETRI](https://gmetri.com/)
+1. [Greenpass](https://www.greenpass.com.br/)
+1. [Healy](https://www.healyworld.net)
+1. [hipages](https://hipages.com.au/)
+1. [Honestbank](https://honestbank.com)
+1. [IBM](https://www.ibm.com/)
+1. [InsideBoard](https://www.insideboard.com)
+1. [Intuit](https://www.intuit.com/)
+1. [JovianX](https://www.jovianx.com/)
+1. [Kasa](https://kasa.co.kr/)
+1. [Keptn](https://keptn.sh)
+1. [Kinguin](https://www.kinguin.net/)
+1. [KintoHub](https://www.kintohub.com/)
+1. [KompiTech GmbH](https://www.kompitech.com/)
+1. [LexisNexis](https://www.lexisnexis.com/)
+1. [LINE](https://linecorp.com/en/)
+1. [Lytt](https://www.lytt.co/)
+1. [Major League Baseball](https://mlb.com)
+1. [Mambu](https://www.mambu.com/)
+1. [Max Kelsen](https://www.maxkelsen.com/)
+1. [MindSpore](https://mindspore.cn)
+1. [Mirantis](https://mirantis.com/)
+1. [Moengage](https://www.moengage.com/)
+1. [Money Forward](https://corp.moneyforward.com/en/)
+1. [MOO Print](https://www.moo.com/)
+1. [MTN Group](https://www.mtn.com/)
+1. [New Relic](https://newrelic.com/)
+1. [Nextdoor](https://nextdoor.com/)
+1. [Nikkei](https://www.nikkei.co.jp/nikkeiinfo/en/)
+1. [Octadesk](https://octadesk.com)
+1. [openEuler](https://openeuler.org)
+1. [openGauss](https://opengauss.org/)
+1. [openLooKeng](https://openlookeng.io)
+1. [OpenSaaS Studio](https://opensaas.studio)
+1. [Opensurvey](https://www.opensurvey.co.kr/)
+1. [Optoro](https://www.optoro.com/)
+1. [Orbital Insight](https://orbitalinsight.com/)
+1. [PayPay](https://paypay.ne.jp/)
+1. [Peloton Interactive](https://www.onepeloton.com/)
+1. [Pipefy](https://www.pipefy.com/)
+1. [Preferred Networks](https://preferred.jp/en/)
+1. [Prudential](https://prudential.com.sg)
+1. [PUBG](https://www.pubg.com)
+1. [Qonto](https://qonto.com)
+1. [QuintoAndar](https://quintoandar.com.br)
+1. [Quipper](https://www.quipper.com/)
+1. [Recreation.gov](https://www.recreation.gov/)
+1. [Red Hat](https://www.redhat.com/)
+1. [Riskified](https://www.riskified.com/)
+1. [Robotinfra](https://www.robotinfra.com)
+1. [Saildrone](https://www.saildrone.com/)
+1. [Saloodo! GmbH](https://www.saloodo.com)
+1. [Speee](https://speee.jp/)
+1. [Spendesk](https://spendesk.com/)
+1. [Sumo Logic](https://sumologic.com/)
+1. [Swisscom](https://www.swisscom.ch)
+1. [Swissquote](https://github.com/swissquote)
+1. [Syncier](https://syncier.com/)
+1. [TableCheck](https://tablecheck.com/)
+1. [Tailor Brands](https://www.tailorbrands.com)
+1. [Tesla](https://tesla.com/)
+1. [ThousandEyes](https://www.thousandeyes.com/)
+1. [Ticketmaster](https://ticketmaster.com)
+1. [Tiger Analytics](https://www.tigeranalytics.com/)
+1. [Toss](https://toss.im/en)
+1. [tru.ID](https://tru.id)
+1. [Twilio SendGrid](https://sendgrid.com)
+1. [tZERO](https://www.tzero.com/)
+1. [UBIO](https://ub.io/)
+1. [UFirstGroup](https://www.ufirstgroup.com/en/)
+1. [Universidad Mesoamericana](https://www.umes.edu.gt/)
+1. [Viaduct](https://www.viaduct.ai/)
+1. [Virtuo](https://www.govirtuo.com/)
+1. [VISITS Technologies](https://visits.world/en)
+1. [Volvo Cars](https://www.volvocars.com/)
+1. [VSHN - The DevOps Company](https://vshn.ch/)
+1. [Walkbase](https://www.walkbase.com/)
+1. [WeMo Scooter](https://www.wemoscooter.com/)
+1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
+1. [Yieldlab](https://www.yieldlab.de/)
+1. [Sap Labs] (http://sap.com)

VERSION

@@ -1 +1 @@
-1.1.2
+1.9.0

assets/badge.svg

@@ -1,22 +1,24 @@
-<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="131" height="20">
-    <linearGradient id="b" x2="0" y2="100%">
-        <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
-        <stop offset="1" stop-opacity=".1"/>
-    </linearGradient>
-    <clipPath id="a">
-        <rect width="131" height="20" rx="3" fill="#fff"/>
+<svg width="131" height="20" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" >
+    <defs>
+        <filter id="dropShadow">
+            <feDropShadow dx="0.2" dy="0.4" stdDeviation="0.2" flood-color="#333" flood-opacity="0.5"/>
+        </filter>
+    </defs>
+
+    <clipPath id="roundedCorners">
+        <rect width="100%" height="100%" rx="3" opacity="1" />
     </clipPath>
-    <g clip-path="url(#a)">
-        <path id="leftPath" fill="#555" d="M0 0h74v20H0z"/>
-        <path id="rightPath" fill="#4c1" d="M74 0h57v20H74z"/>
-        <path fill="url(#b)" d="M0 0h131v20H0z"/>
+
+    <g clip-path="url(#roundedCorners)">
+        <rect id="leftRect" fill="#555" x="0" y="0" width="74" height="20" />
+        <rect id="rightRect" fill="#4c1" x="74" y="0" width="57" height="20" />
+        <rect id="revisionRect" fill="#4c1" x="131" y="0" width="62" height="20" display="none"/>
     </g>
-    <g fill="#fff" text-anchor="middle" font-family="DejaVu Sans,Verdana,Geneva,sans-serif" font-size="90">
+
+    <g fill="#fff" style="filter: url(#dropShadow);" text-anchor="middle" font-family="DejaVu Sans, sans-serif" font-size="90">
         <image x="5" y="3" width="14" height="14" xlink:href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAB8AAAAeCAYAAADU8sWcAAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAACXBIWXMAAABPAAAATwFjiv3XAAACC2lUWHRYTUw6Y29tLmFkb2JlLnhtcAAAAAAAPHg6eG1wbWV0YSB4bWxuczp4PSJhZG9iZTpuczptZXRhLyIgeDp4bXB0az0iWE1QIENvcmUgNS40LjAiPgogICA8cmRmOlJERiB4bWxuczpyZGY9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkvMDIvMjItcmRmLXN5bnRheC1ucyMiPgogICAgICA8cmRmOkRlc2NyaXB0aW9uIHJkZjphYm91dD0iIgogICAgICAgICAgICB4bWxuczp0aWZmPSJodHRwOi8vbnMuYWRvYmUuY29tL3RpZmYvMS4wLyI+CiAgICAgICAgIDx0aWZmOlJlc29sdXRpb25Vbml0PjI8L3RpZmY6UmVzb2x1dGlvblVuaXQ+CiAgICAgICAgIDx0aWZmOkNvbXByZXNzaW9uPjE8L3RpZmY6Q29tcHJlc3Npb24+CiAgICAgICAgIDx0aWZmOk9yaWVudGF0aW9uPjE8L3RpZmY6T3JpZW50YXRpb24+CiAgICAgICAgIDx0aWZmOlBob3RvbWV0cmljSW50ZXJwcmV0YXRpb24+MjwvdGlmZjpQaG90b21ldHJpY0ludGVycHJldGF0aW9uPgogICAgICA8L3JkZjpEZXNjcmlwdGlvbj4KICAgPC9yZGY6UkRGPgo8L3g6eG1wbWV0YT4KD0UqkwAACpZJREFUSA11VnmQFcUZ//qY4527by92WWTXwHKqEJDDg0MQUioKSWopK4oaS9RAlMofUSPGbFlBSaViKomgQSNmIdECkUS8ophdozEJArKoKCsgIFlY2Pu9N29mero7X78FxCR2Vb8309PTv+/4fb9vCHz1II2Nm+jmzYul2bJsdlMyO7LyPGlZtYqQck1ZHCgwLZWiROeJgB7bDzpYb/7o0y/emzXv4Pts8+ZGBUC0uf/vQf57wdw3NTVRnOYFfXvj6pJcadkUmbDGRoxVSEItSYAQQrUmRBP81VoRpkFTJUMuZA/3g/28q3dn89b7u885D4348vgf8NPAxY033LJmSlDizlSOU94f6UhoHaZdC/3QCHWON2gDYBhAYyRAWgyD4QSi1815f29++vv/+CoD2Lm2nAFGl8mndzyxMMgk5/iW6xzPi/xVk+oyE8+vLNt14FR/0uYW14ox0IwUJ4ZAaUpAaaBEYByiyLbikWWNnnThvPIxu+L717auVeb81tbWsyk4C34u8I3LnlhcSCameMzykg7TwzOJGIYWQj+M+voLYcSo/hxY1E65FECUq4G4RFP0nSjMCMVAIIKUnOHkw90L6qq/vXvbh02trV8yoBh2E0NMY9GiG+58fIGXTF6epyw7JOnamZQbz/tCnDrVVzgqqdwTT0ZTdWDN0wPpMh3ZPZqHLSw98C7Y4RwtnAodsTwGAg0ppkcxrlkYJFID+Z0bn/zelsFImzQRXfScNJFiOG689dcT/FT6GzlqedVJTHRpPH6yz/PyfTlx2IrLCpvSdWrv5OXkX9fOJB/Mnaz3XzItap+yMDoyZgEE7F1SceIghryeRNwnTBkEqhRIxiLF6bCpDXNybW2v/ruxcTzbt2+zZmfCvWT+zxNhbek3cxaPlyYsXVWSSHT25rxC3o+OWK6aDn7sZ3r79ZNY28w45Esxuhw5RjmVvEQPlIwgR8bOiE7VdrPaA2+TeGEEhFbhtAEmG5pzk5WqqbWTPv7jC8sLpgxNSRWZrUeWTAgor7EY9ytTiURvzg8GskGU5xxKkc33yDcX1yc7x3ijLxF+zZgoEljgCrSiXOWIG/WGrjifHxl1V9iyeKwW1lHNo5SKmDmcYinivwhjVpkor55sQj9+/D4MO9bpLW8RN6zJzMvbPDUkHaecE368N1+IUUJfIm5hPf1w2kTedlm/LgntmqEWEQGT3ScJYUh2NIxiiWupSUFasor1VgzXvPATfv6BC3Roq0E9MLqAXKQcAe1rqi/dv+q3DwQUw6djY6tiAaG1jLEw7nAn64WhcStPqZqpA6chap8aage077GwbQcJDx8Awq3T3DHlbeijUHWwytHFuuizCTergdQ+YocxLRHVPNcESRAJxqo60nbSvExvvvWx23MCVvucDyRt5hitwDRHHG09pZiaT7MlSUdUhtQGZttYRdwA4WnFQjFnDA4LX7UdIlgMYpaouBgGMnuBKVN/ZhgBRCMVynNAHOfRm777q4UcrW3EZxcEnD/kclYlpVaFKFIZrIRtluvdls/G9InnLZ9fpLXoJjwZAzZkDJ5mjkIj8HTCKETH9oD0eoikMSDQ5cTrLrUg4QoaFlxUH5MdYy6yAFAaYBHed6ODkMPOkMcFZggZKa0SkaL/jMeDpq5D1Vez9693V/wNUg1jQRY8yLX8BcSba8AaOgyBOdqtQBz7DNj8lZCeNY9SN6aiD3bTOc89s2iliDVvKa3uGxf6doQAxYE2oBbm0HQPG5IxqKhOg9ZpSSQj+pDU+jv5t7913spV5c70GcqLJwgMGw6ZJUuBLbgHPW0D4rgQdewDvnAllN58B0D918AvzVBn3jWi/p4Hq2/s+et1URgBRlVRMGVvBtITfwyuyYPAoIRmWSIrEqjZW1Ml/qN7dtRWzptfBzXDoaeri6TicWhes8Zsg9iMOaAyU0D3fw4qdSEkrryquP77xx+HZCwG3T09HEZfCBUXTxh125H9VZ9SHp1OfZF4aEWI9MM1AhmiVCmaIwV6a2F5ge2q8s7OBB8ytPiOZduw6pFHYOS4cUUQGsNWXj4MVLYdaGU9UAQ0o2H8eHh49WpAITReKqdmGC0PsvF2JB4Gu+i5RqKg5JSi82mOnu9GYGEhwbFjSOXadJII7Pa6Ed3hwU8igAU8lU7D/ffdZ1pFEUT19YI+sR9oZgLIjo8h6usDu2oIzJpxOc4ZphKQtoqFxw6LzxIV/RMxkabSUPAJRz3A5oc50x9T7Lf3xkR0R0xGSS+IRIFQOUUUkqvGXdR5tGXnLmjbYXI0OLCJykIBvFe2ABVHgCQqgMpjkH9xE9IY7cSgGd0w+8mOVjiy68DOh+sauusiwSM8F11nlhCm39/SvP7ux4qNZVfba/0TJ183Is9opWtxEXe5E/cC+Y5bf+CilmczqaC/JigEOjjYTrwtzwB8tAn4kJFGMIEmy0B98gb4B7tAYimHncd19ObLrP25rW0/rb76pQqsoKTEkKJgoT64biCObVx35xvGGz67qYW3Nl0RWYH/ftxmo7pyfpSoKFFjEiLxhE73jXaueHXlGw+PZ68rS8pQ01QlodUjTqcAfcQo8qGjQB36EwQfbFAuF8wjZbmNtStefZ4nC0uibKIHez92AeZEUln5wocGuLGxyUbg2cVEFp5a9pFz11MH/ZCP6M0V8gmbxWZL35K2paFmUmjDgCXAMQkjqv8wgFMGBFVSCw8g1wWsrB5IBrTDAvB0eaAkhVHCeGzSQDUm3bE9/1hs/d7dBhy5aSqAaNNWN6Mvdn9+e0KGfl8hZCd6vBwqABmISKSkCgkqr/a6QMWrwLpsKaYWhfrwi1ikfWBNvQmUhXItAlznICMlcopFFNXcEA25wBw/EIms2L4O1onZs5u46abFUsILDWhAc/OKo7H+/OtuEFqaUcsmIE8CR47zEMsSuJvRQcceODVmOqR/uAHKftAC6R+9AKcmzgVxci9qexwLTIDZ34+MR6FVErXECXw7kc+3/G7j8gPG0dbWJmQnum1+zDj3U2rJ0rWzvFRynu/YskMTb5vetmwI7xyeg7R0g072ynEGwa0PwZTRDbDn0GGI1j0Ii2pCKPCyqJTl+eei9tOl5Kr1eU2seuG5ZMBv2fjUIMkQymAWC6jouQE3jdlYZa43PLnsLbcn++eYVwi6FCQktTCEmO3QAx2rhOllAl6bOwsahg2FDTMvhRklWVSUMkxcWEyHJFbUqyCW9AtRSV//K18AF4XmbOWeBTegCF78ujTXf3hm+XvTeo49G8/67Sg+A0a0OGc6CDzIlFbDL3+8GPYuuxLWP7AYysprIQx9YNjdzAglyVkD3qGvd3dsWvv0infM2qBj53zr49rZsJsNZwa2WeTTFxtP3L1oe1VCzh3AWqOM2FJJsFBwbMuCUAgQyAqGrVVJ7Zdwyz2RZS/X/GbrguJ5eNYgyhfnncH5v+DmYcft18Y1T5S7fl9jPMN+4aM6IpeQPmgxThNA5AnuJFhIeI2tHafiNqEUW1XQL+8NrfRznENP1drNuTOA5/5/KezmAZ4zaJBSdVaUvQk5PsNTeqfrMsKQOui5LGKibBAjmKgSRk/RIMlc8BiWCLbI95Dx05jybrMkfsh+xfgPf+hH0AC4OlsAAAAASUVORK5CYII="/>
-
-        <text id="leftText1" x="435" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="470"></text>
-        <text id="leftText2" x="435" y="140" transform="scale(.1)" textLength="470"></text>
-
-        <text id="rightText1" x="995" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="470"></text>
-        <text id="rightText1" x="995" y="140" transform="scale(.1)" textLength="470"></text></g>
+        <text id="leftText" x="435" y="140" transform="scale(.1)" textLength="470"></text>
+        <text id="rightText" x="995" y="140" transform="scale(.1)" textLength="470"></text>
+        <text id="revisionText" x="1550" y="140" font-family="monospace" transform="scale(.1)" font-size="110" display="none"></text>
+    </g>
 </svg>

assets/builtin-policy.csv

@@ -11,12 +11,15 @@ p, role:readonly, certificates, get, *, allow
 p, role:readonly, clusters, get, *, allow
 p, role:readonly, repositories, get, *, allow
 p, role:readonly, projects, get, *, allow
+p, role:readonly, accounts, get, *, allow
+p, role:readonly, gpgkeys, get, *, allow
 
 p, role:admin, applications, create, */*, allow
 p, role:admin, applications, update, */*, allow
 p, role:admin, applications, delete, */*, allow
 p, role:admin, applications, sync, */*, allow
 p, role:admin, applications, override, */*, allow
+p, role:admin, applications, action/*, */*, allow
 p, role:admin, certificates, create, *, allow
 p, role:admin, certificates, update, *, allow
 p, role:admin, certificates, delete, *, allow
@@ -29,6 +32,9 @@ p, role:admin, repositories, delete, *, allow
 p, role:admin, projects, create, *, allow
 p, role:admin, projects, update, *, allow
 p, role:admin, projects, delete, *, allow
+p, role:admin, accounts, update, *, allow
+p, role:admin, gpgkeys, create, *, allow
+p, role:admin, gpgkeys, delete, *, allow
 
 g, role:admin, role:readonly
 g, admin, role:admin

assets/model.conf

@@ -11,4 +11,4 @@ g = _, _
 e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
 
 [matchers]
-m = g(r.sub, p.sub) && keyMatch(r.res, p.res) && keyMatch(r.act, p.act) && keyMatch(r.obj, p.obj)
+m = g(r.sub, p.sub) && globMatch(r.res, p.res) && globMatch(r.act, p.act) && globMatch(r.obj, p.obj)

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -1,30 +1,31 @@
-package main
+package commands
 
 import (
 	"context"
-	"fmt"
-	"os"
+	"math"
 	"time"
 
+	"github.com/argoproj/pkg/stats"
+	"github.com/go-redis/redis/v8"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
-	// load the gcp plugin (required to authenticate against GKE clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// load the oidc plugin (required to authenticate with OpenID Connect).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/controller"
-	"github.com/argoproj/argo-cd/errors"
+	"github.com/argoproj/argo-cd/controller/sharding"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/reposerver/apiclient"
-	"github.com/argoproj/argo-cd/util/cache"
+	cacheutil "github.com/argoproj/argo-cd/util/cache"
+	appstatecache "github.com/argoproj/argo-cd/util/cache/appstate"
 	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/env"
+	"github.com/argoproj/argo-cd/util/errors"
+	kubeutil "github.com/argoproj/argo-cd/util/kube"
 	"github.com/argoproj/argo-cd/util/settings"
-	"github.com/argoproj/argo-cd/util/stats"
 )
 
 const (
@@ -34,7 +35,7 @@ const (
 	defaultAppResyncPeriod = 180
 )
 
-func newCommand() *cobra.Command {
+func NewCommand() *cobra.Command {
 	var (
 		clientConfig             clientcmd.ClientConfig
 		appResyncPeriod          int64
@@ -43,22 +44,26 @@ func newCommand() *cobra.Command {
 		selfHealTimeoutSeconds   int
 		statusProcessors         int
 		operationProcessors      int
-		logLevel                 string
 		glogLevel                int
 		metricsPort              int
-		cacheSrc                 func() (*cache.Cache, error)
+		metricsCacheExpiration   time.Duration
+		kubectlParallelismLimit  int64
+		cacheSrc                 func() (*appstatecache.Cache, error)
+		redisClient              *redis.Client
 	)
 	var command = cobra.Command{
-		Use:   cliName,
-		Short: "application-controller is a controller to operate on applications CRD",
+		Use:               cliName,
+		Short:             "Run ArgoCD Application Controller",
+		Long:              "ArgoCD application controller is a Kubernetes controller that continuously monitors running applications and compares the current, live state against the desired target state (as specified in the repo). This command runs Application Controller in the foreground.  It can be configured by following options.",
+		DisableAutoGenTag: true,
 		RunE: func(c *cobra.Command, args []string) error {
-			cli.SetLogLevel(logLevel)
+			cli.SetLogFormat(cmdutil.LogFormat)
+			cli.SetLogLevel(cmdutil.LogLevel)
 			cli.SetGLogLevel(glogLevel)
 
 			config, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
-			config.QPS = common.K8sClientConfigQPS
-			config.Burst = common.K8sClientConfigBurst
+			errors.CheckError(v1alpha1.SetK8SConfigDefaults(config))
 
 			kubeClient := kubernetes.NewForConfigOrDie(config)
 			appClient := appclientset.NewForConfigOrDie(config)
@@ -73,8 +78,11 @@ func newCommand() *cobra.Command {
 
 			cache, err := cacheSrc()
 			errors.CheckError(err)
+			cache.Cache.SetClient(cacheutil.NewTwoLevelClient(cache.Cache.GetClient(), 10*time.Minute))
 
 			settingsMgr := settings.NewSettingsManager(ctx, kubeClient, namespace)
+			kubectl := kubeutil.NewKubectl()
+			clusterFilter := getClusterFilter()
 			appController, err := controller.NewApplicationController(
 				namespace,
 				settingsMgr,
@@ -82,12 +90,18 @@ func newCommand() *cobra.Command {
 				appClient,
 				repoClientset,
 				cache,
+				kubectl,
 				resyncDuration,
 				time.Duration(selfHealTimeoutSeconds)*time.Second,
-				metricsPort)
+				metricsPort,
+				metricsCacheExpiration,
+				kubectlParallelismLimit,
+				clusterFilter)
 			errors.CheckError(err)
+			cacheutil.CollectMetrics(redisClient, appController.GetMetricsServer())
 
-			log.Infof("Application Controller (version: %s) starting (namespace: %s)", common.GetVersion(), namespace)
+			vers := common.GetVersion()
+			log.Infof("Application Controller (version: %s, built: %s) starting (namespace: %s)", vers.Version, vers.BuildDate, namespace)
 			stats.RegisterStackDumper()
 			stats.StartStatsTicker(10 * time.Minute)
 			stats.RegisterHeapDumper("memprofile")
@@ -105,18 +119,33 @@ func newCommand() *cobra.Command {
 	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
 	command.Flags().IntVar(&statusProcessors, "status-processors", 1, "Number of application status processors")
 	command.Flags().IntVar(&operationProcessors, "operation-processors", 1, "Number of application operation processors")
-	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDMetrics, "Start metrics server on given port")
+	command.Flags().DurationVar(&metricsCacheExpiration, "metrics-cache-expiration", 0*time.Second, "Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)")
 	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", 5, "Specifies timeout between application self heal attempts")
-
-	cacheSrc = cache.AddCacheFlagsToCmd(&command)
+	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", 20, "Number of allowed concurrent kubectl fork/execs. Any value less the 1 means no limit.")
+	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
+		redisClient = client
+	})
 	return &command
 }
 
-func main() {
-	if err := newCommand().Execute(); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
+func getClusterFilter() func(cluster *v1alpha1.Cluster) bool {
+	replicas := env.ParseNumFromEnv(common.EnvControllerReplicas, 0, 0, math.MaxInt32)
+	shard := env.ParseNumFromEnv(common.EnvControllerShard, -1, -math.MaxInt32, math.MaxInt32)
+	var clusterFilter func(cluster *v1alpha1.Cluster) bool
+	if replicas > 1 {
+		if shard < 0 {
+			var err error
+			shard, err = sharding.InferShard()
+			errors.CheckError(err)
+		}
+		log.Infof("Processing clusters from shard %d", shard)
+		clusterFilter = sharding.GetClusterFilter(replicas, shard)
+	} else {
+		log.Info("Processing all cluster shards")
 	}
+	return clusterFilter
 }

cmd/argocd-dex/commands/argocd_dex.go

@@ -0,0 +1,202 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"syscall"
+
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/dex"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/settings"
+)
+
+const (
+	cliName = "argocd-dex"
+)
+
+func NewCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:               cliName,
+		Short:             "argocd-dex tools used by Argo CD",
+		Long:              "argocd-dex has internal utility tools used by Argo CD",
+		DisableAutoGenTag: true,
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+
+	command.AddCommand(NewRunDexCommand())
+	command.AddCommand(NewGenDexConfigCommand())
+
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	return command
+}
+
+func NewRunDexCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = cobra.Command{
+		Use:   "rundex",
+		Short: "Runs dex generating a config using settings from the Argo CD configmap and secret",
+		RunE: func(c *cobra.Command, args []string) error {
+			_, err := exec.LookPath("dex")
+			errors.CheckError(err)
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeClientset := kubernetes.NewForConfigOrDie(config)
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
+			prevSettings, err := settingsMgr.GetSettings()
+			errors.CheckError(err)
+			updateCh := make(chan *settings.ArgoCDSettings, 1)
+			settingsMgr.Subscribe(updateCh)
+
+			for {
+				var cmd *exec.Cmd
+				dexCfgBytes, err := dex.GenerateDexConfigYAML(prevSettings)
+				errors.CheckError(err)
+				if len(dexCfgBytes) == 0 {
+					log.Infof("dex is not configured")
+				} else {
+					err = ioutil.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0644)
+					errors.CheckError(err)
+					log.Debug(redactor(string(dexCfgBytes)))
+					cmd = exec.Command("dex", "serve", "/tmp/dex.yaml")
+					cmd.Stdout = os.Stdout
+					cmd.Stderr = os.Stderr
+					err = cmd.Start()
+					errors.CheckError(err)
+				}
+
+				// loop until the dex config changes
+				for {
+					newSettings := <-updateCh
+					newDexCfgBytes, err := dex.GenerateDexConfigYAML(newSettings)
+					errors.CheckError(err)
+					if string(newDexCfgBytes) != string(dexCfgBytes) {
+						prevSettings = newSettings
+						log.Infof("dex config modified. restarting dex")
+						if cmd != nil && cmd.Process != nil {
+							err = cmd.Process.Signal(syscall.SIGTERM)
+							errors.CheckError(err)
+							_, err = cmd.Process.Wait()
+							errors.CheckError(err)
+						}
+						break
+					} else {
+						log.Infof("dex config unmodified")
+					}
+				}
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	return &command
+}
+
+func NewGenDexConfigCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		out          string
+	)
+	var command = cobra.Command{
+		Use:   "gendexcfg",
+		Short: "Generates a dex config from Argo CD settings",
+		RunE: func(c *cobra.Command, args []string) error {
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeClientset := kubernetes.NewForConfigOrDie(config)
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
+			settings, err := settingsMgr.GetSettings()
+			errors.CheckError(err)
+			dexCfgBytes, err := dex.GenerateDexConfigYAML(settings)
+			errors.CheckError(err)
+			if len(dexCfgBytes) == 0 {
+				log.Infof("dex is not configured")
+				return nil
+			}
+			if out == "" {
+				dexCfg := make(map[string]interface{})
+				err := yaml.Unmarshal(dexCfgBytes, &dexCfg)
+				errors.CheckError(err)
+				if staticClientsInterface, ok := dexCfg["staticClients"]; ok {
+					if staticClients, ok := staticClientsInterface.([]interface{}); ok {
+						for i := range staticClients {
+							staticClient := staticClients[i]
+							if mappings, ok := staticClient.(map[string]interface{}); ok {
+								for key := range mappings {
+									if key == "secret" {
+										mappings[key] = "******"
+									}
+								}
+								staticClients[i] = mappings
+							}
+						}
+						dexCfg["staticClients"] = staticClients
+					}
+				}
+				errors.CheckError(err)
+				maskedDexCfgBytes, err := yaml.Marshal(dexCfg)
+				errors.CheckError(err)
+				fmt.Print(string(maskedDexCfgBytes))
+			} else {
+				err = ioutil.WriteFile(out, dexCfgBytes, 0644)
+				errors.CheckError(err)
+			}
+			return nil
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().StringVarP(&out, "out", "o", "", "Output to the specified file instead of stdout")
+	return &command
+}
+
+func iterateStringFields(obj interface{}, callback func(name string, val string) string) {
+	if mapField, ok := obj.(map[string]interface{}); ok {
+		for field, val := range mapField {
+			if strVal, ok := val.(string); ok {
+				mapField[field] = callback(field, strVal)
+			} else {
+				iterateStringFields(val, callback)
+			}
+		}
+	} else if arrayField, ok := obj.([]interface{}); ok {
+		for i := range arrayField {
+			iterateStringFields(arrayField[i], callback)
+		}
+	}
+}
+
+func redactor(dirtyString string) string {
+	config := make(map[string]interface{})
+	err := yaml.Unmarshal([]byte(dirtyString), &config)
+	errors.CheckError(err)
+	iterateStringFields(config, func(name string, val string) string {
+		if name == "clientSecret" || name == "secret" || name == "bindPW" {
+			return "********"
+		} else {
+			return val
+		}
+	})
+	data, err := yaml.Marshal(config)
+	errors.CheckError(err)
+	return string(data)
+}

cmd/argocd-repo-server/commands/argocd_repo_server.go

@@ -0,0 +1,161 @@
+package commands
+
+import (
+	"fmt"
+	"math"
+	"net"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/argoproj/pkg/stats"
+	"github.com/go-redis/redis/v8"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/health/grpc_health_v1"
+
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
+	reposervercache "github.com/argoproj/argo-cd/reposerver/cache"
+	"github.com/argoproj/argo-cd/reposerver/metrics"
+	"github.com/argoproj/argo-cd/reposerver/repository"
+	cacheutil "github.com/argoproj/argo-cd/util/cache"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/env"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/gpg"
+	"github.com/argoproj/argo-cd/util/healthz"
+	ioutil "github.com/argoproj/argo-cd/util/io"
+	"github.com/argoproj/argo-cd/util/tls"
+)
+
+const (
+	// CLIName is the name of the CLI
+	cliName         = "argocd-repo-server"
+	gnuPGSourcePath = "/app/config/gpg/source"
+
+	defaultPauseGenerationAfterFailedGenerationAttempts = 3
+	defaultPauseGenerationOnFailureForMinutes           = 60
+	defaultPauseGenerationOnFailureForRequests          = 0
+)
+
+func getGnuPGSourcePath() string {
+	if path := os.Getenv("ARGOCD_GPG_DATA_PATH"); path != "" {
+		return path
+	} else {
+		return gnuPGSourcePath
+	}
+}
+
+func getPauseGenerationAfterFailedGenerationAttempts() int {
+	return env.ParseNumFromEnv(common.EnvPauseGenerationAfterFailedAttempts, defaultPauseGenerationAfterFailedGenerationAttempts, 0, math.MaxInt32)
+}
+
+func getPauseGenerationOnFailureForMinutes() int {
+	return env.ParseNumFromEnv(common.EnvPauseGenerationMinutes, defaultPauseGenerationOnFailureForMinutes, 0, math.MaxInt32)
+}
+
+func getPauseGenerationOnFailureForRequests() int {
+	return env.ParseNumFromEnv(common.EnvPauseGenerationRequests, defaultPauseGenerationOnFailureForRequests, 0, math.MaxInt32)
+}
+
+func NewCommand() *cobra.Command {
+	var (
+		parallelismLimit       int64
+		listenPort             int
+		metricsPort            int
+		cacheSrc               func() (*reposervercache.Cache, error)
+		tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error)
+		redisClient            *redis.Client
+	)
+	var command = cobra.Command{
+		Use:               cliName,
+		Short:             "Run ArgoCD Repository Server",
+		Long:              "ArgoCD Repository Server is an internal service which maintains a local cache of the Git repository holding the application manifests, and is responsible for generating and returning the Kubernetes manifests.  This command runs Repository Server in the foreground.  It can be configured by following options.",
+		DisableAutoGenTag: true,
+		RunE: func(c *cobra.Command, args []string) error {
+			cli.SetLogFormat(cmdutil.LogFormat)
+			cli.SetLogLevel(cmdutil.LogLevel)
+
+			tlsConfigCustomizer, err := tlsConfigCustomizerSrc()
+			errors.CheckError(err)
+
+			cache, err := cacheSrc()
+			errors.CheckError(err)
+
+			metricsServer := metrics.NewMetricsServer()
+			cacheutil.CollectMetrics(redisClient, metricsServer)
+			server, err := reposerver.NewServer(metricsServer, cache, tlsConfigCustomizer, repository.RepoServerInitConstants{
+				ParallelismLimit: parallelismLimit,
+				PauseGenerationAfterFailedGenerationAttempts: getPauseGenerationAfterFailedGenerationAttempts(),
+				PauseGenerationOnFailureForMinutes:           getPauseGenerationOnFailureForMinutes(),
+				PauseGenerationOnFailureForRequests:          getPauseGenerationOnFailureForRequests(),
+			})
+			errors.CheckError(err)
+
+			grpc := server.CreateGRPC()
+			listener, err := net.Listen("tcp", fmt.Sprintf(":%d", listenPort))
+			errors.CheckError(err)
+
+			healthz.ServeHealthCheck(http.DefaultServeMux, func(r *http.Request) error {
+				if val, ok := r.URL.Query()["full"]; ok && len(val) > 0 && val[0] == "true" {
+					// connect to itself to make sure repo server is able to serve connection
+					// used by liveness probe to auto restart repo server
+					// see https://github.com/argoproj/argo-cd/issues/5110 for more information
+					conn, err := apiclient.NewConnection(fmt.Sprintf("localhost:%d", listenPort), 60)
+					if err != nil {
+						return err
+					}
+					defer ioutil.Close(conn)
+					client := grpc_health_v1.NewHealthClient(conn)
+					res, err := client.Check(r.Context(), &grpc_health_v1.HealthCheckRequest{})
+					if err != nil {
+						return err
+					}
+					if res.Status != grpc_health_v1.HealthCheckResponse_SERVING {
+						return fmt.Errorf("grpc health check status is '%v'", res.Status)
+					}
+					return nil
+				}
+				return nil
+			})
+			http.Handle("/metrics", metricsServer.GetHandler())
+			go func() { errors.CheckError(http.ListenAndServe(fmt.Sprintf(":%d", metricsPort), nil)) }()
+
+			if gpg.IsGPGEnabled() {
+				log.Infof("Initializing GnuPG keyring at %s", common.GetGnuPGHomePath())
+				err = gpg.InitializeGnuPG()
+				errors.CheckError(err)
+
+				log.Infof("Populating GnuPG keyring with keys from %s", getGnuPGSourcePath())
+				added, removed, err := gpg.SyncKeyRingFromDirectory(getGnuPGSourcePath())
+				errors.CheckError(err)
+				log.Infof("Loaded %d (and removed %d) keys from keyring", len(added), len(removed))
+
+				go func() { errors.CheckError(reposerver.StartGPGWatcher(getGnuPGSourcePath())) }()
+			}
+
+			log.Infof("argocd-repo-server %s serving on %s", common.GetVersion(), listener.Addr())
+			stats.RegisterStackDumper()
+			stats.StartStatsTicker(10 * time.Minute)
+			stats.RegisterHeapDumper("memprofile")
+			err = grpc.Serve(listener)
+			errors.CheckError(err)
+			return nil
+		},
+	}
+
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().Int64Var(&parallelismLimit, "parallelismlimit", 0, "Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.")
+	command.Flags().IntVar(&listenPort, "port", common.DefaultPortRepoServer, "Listen on given port for incoming connections")
+	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortRepoServerMetrics, "Start metrics server on given port")
+
+	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
+	cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
+		redisClient = client
+	})
+	return &command
+}

cmd/argocd-repo-server/main.go

@@ -1,86 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"net"
-	"net/http"
-	"os"
-	"time"
-
-	"github.com/argoproj/argo-cd/reposerver/metrics"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/errors"
-	"github.com/argoproj/argo-cd/reposerver"
-	"github.com/argoproj/argo-cd/util/cache"
-	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/git"
-	"github.com/argoproj/argo-cd/util/stats"
-	"github.com/argoproj/argo-cd/util/tls"
-)
-
-const (
-	// CLIName is the name of the CLI
-	cliName = "argocd-repo-server"
-)
-
-func newCommand() *cobra.Command {
-	var (
-		logLevel               string
-		parallelismLimit       int64
-		listenPort             int
-		metricsPort            int
-		cacheSrc               func() (*cache.Cache, error)
-		tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error)
-	)
-	var command = cobra.Command{
-		Use:   cliName,
-		Short: "Run argocd-repo-server",
-		RunE: func(c *cobra.Command, args []string) error {
-			cli.SetLogLevel(logLevel)
-
-			tlsConfigCustomizer, err := tlsConfigCustomizerSrc()
-			errors.CheckError(err)
-
-			cache, err := cacheSrc()
-			errors.CheckError(err)
-
-			metricsServer := metrics.NewMetricsServer(git.NewFactory())
-			server, err := reposerver.NewServer(metricsServer, cache, tlsConfigCustomizer, parallelismLimit)
-			errors.CheckError(err)
-
-			grpc := server.CreateGRPC()
-			listener, err := net.Listen("tcp", fmt.Sprintf(":%d", listenPort))
-			errors.CheckError(err)
-
-			http.Handle("/metrics", metricsServer.GetHandler())
-			go func() { errors.CheckError(http.ListenAndServe(fmt.Sprintf(":%d", metricsPort), nil)) }()
-
-			log.Infof("argocd-repo-server %s serving on %s", common.GetVersion(), listener.Addr())
-			stats.RegisterStackDumper()
-			stats.StartStatsTicker(10 * time.Minute)
-			stats.RegisterHeapDumper("memprofile")
-			err = grpc.Serve(listener)
-			errors.CheckError(err)
-			return nil
-		},
-	}
-
-	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
-	command.Flags().Int64Var(&parallelismLimit, "parallelismlimit", 0, "Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.")
-	command.Flags().IntVar(&listenPort, "port", common.DefaultPortRepoServer, "Listen on given port for incoming connections")
-	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortRepoServerMetrics, "Start metrics server on given port")
-	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
-	cacheSrc = cache.AddCacheFlagsToCmd(&command)
-	return &command
-}
-
-func main() {
-	if err := newCommand().Execute(); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
-	}
-}

cmd/argocd-server/commands/argocd_server.go

@@ -4,51 +4,76 @@ import (
 	"context"
 	"time"
 
+	"github.com/argoproj/pkg/stats"
+	"github.com/go-redis/redis/v8"
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/errors"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
 	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/server"
-	"github.com/argoproj/argo-cd/util/cache"
+	servercache "github.com/argoproj/argo-cd/server/cache"
 	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/stats"
+	"github.com/argoproj/argo-cd/util/env"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/kube"
 	"github.com/argoproj/argo-cd/util/tls"
 )
 
+const (
+	failureRetryCountEnv              = "ARGOCD_K8S_RETRY_COUNT"
+	failureRetryPeriodMilliSecondsEnv = "ARGOCD_K8S_RETRY_DURATION_MILLISECONDS"
+)
+
+var (
+	failureRetryCount              = 0
+	failureRetryPeriodMilliSeconds = 100
+)
+
+func init() {
+	failureRetryCount = env.ParseNumFromEnv(failureRetryCountEnv, failureRetryCount, 0, 10)
+	failureRetryPeriodMilliSeconds = env.ParseNumFromEnv(failureRetryPeriodMilliSecondsEnv, failureRetryPeriodMilliSeconds, 0, 1000)
+}
+
 // NewCommand returns a new instance of an argocd command
 func NewCommand() *cobra.Command {
 	var (
+		redisClient              *redis.Client
 		insecure                 bool
 		listenPort               int
 		metricsPort              int
-		logLevel                 string
 		glogLevel                int
 		clientConfig             clientcmd.ClientConfig
 		repoServerTimeoutSeconds int
 		staticAssetsDir          string
 		baseHRef                 string
+		rootPath                 string
 		repoServerAddress        string
 		dexServerAddress         string
 		disableAuth              bool
+		enableGZip               bool
 		tlsConfigCustomizerSrc   func() (tls.ConfigCustomizer, error)
-		cacheSrc                 func() (*cache.Cache, error)
+		cacheSrc                 func() (*servercache.Cache, error)
+		frameOptions             string
 	)
 	var command = &cobra.Command{
-		Use:   cliName,
-		Short: "Run the argocd API server",
-		Long:  "Run the argocd API server",
+		Use:               cliName,
+		Short:             "Run the ArgoCD API server",
+		Long:              "The API server is a gRPC/REST server which exposes the API consumed by the Web UI, CLI, and CI/CD systems.  This command runs API server in the foreground.  It can be configured by following options.",
+		DisableAutoGenTag: true,
 		Run: func(c *cobra.Command, args []string) {
-			cli.SetLogLevel(logLevel)
+			cli.SetLogFormat(cmdutil.LogFormat)
+			cli.SetLogLevel(cmdutil.LogLevel)
 			cli.SetGLogLevel(glogLevel)
 
 			config, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
-			config.QPS = common.K8sClientConfigQPS
-			config.Burst = common.K8sClientConfigBurst
+			errors.CheckError(v1alpha1.SetK8SConfigDefaults(config))
 
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
@@ -59,9 +84,24 @@ func NewCommand() *cobra.Command {
 			errors.CheckError(err)
 
 			kubeclientset := kubernetes.NewForConfigOrDie(config)
-			appclientset := appclientset.NewForConfigOrDie(config)
+
+			appclientsetConfig, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			errors.CheckError(v1alpha1.SetK8SConfigDefaults(appclientsetConfig))
+
+			if failureRetryCount > 0 {
+				appclientsetConfig = kube.AddFailureRetryWrapper(appclientsetConfig, failureRetryCount, failureRetryPeriodMilliSeconds)
+			}
+			appclientset := appclientset.NewForConfigOrDie(appclientsetConfig)
 			repoclientset := apiclient.NewRepoServerClientset(repoServerAddress, repoServerTimeoutSeconds)
 
+			if rootPath != "" {
+				if baseHRef != "" && baseHRef != rootPath {
+					log.Warnf("--basehref and --rootpath had conflict: basehref: %s rootpath: %s", baseHRef, rootPath)
+				}
+				baseHRef = rootPath
+			}
+
 			argoCDOpts := server.ArgoCDServerOpts{
 				Insecure:            insecure,
 				ListenPort:          listenPort,
@@ -69,13 +109,17 @@ func NewCommand() *cobra.Command {
 				Namespace:           namespace,
 				StaticAssetsDir:     staticAssetsDir,
 				BaseHRef:            baseHRef,
+				RootPath:            rootPath,
 				KubeClientset:       kubeclientset,
 				AppClientset:        appclientset,
 				RepoClientset:       repoclientset,
 				DexServerAddr:       dexServerAddress,
 				DisableAuth:         disableAuth,
+				EnableGZip:          enableGZip,
 				TLSConfigCustomizer: tlsConfigCustomizer,
 				Cache:               cache,
+				XFrameOptions:       frameOptions,
+				RedisClient:         redisClient,
 			}
 
 			stats.RegisterStackDumper()
@@ -96,16 +140,22 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&insecure, "insecure", false, "Run server without TLS")
 	command.Flags().StringVar(&staticAssetsDir, "staticassets", "", "Static assets directory path")
 	command.Flags().StringVar(&baseHRef, "basehref", "/", "Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from /")
-	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().StringVar(&rootPath, "rootpath", "", "Used if Argo CD is running behind reverse proxy under subpath different from /")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
 	command.Flags().StringVar(&repoServerAddress, "repo-server", common.DefaultRepoServerAddr, "Repo server address")
 	command.Flags().StringVar(&dexServerAddress, "dex-server", common.DefaultDexServerAddr, "Dex server address")
 	command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Disable client authentication")
+	command.Flags().BoolVar(&enableGZip, "enable-gzip", false, "Enable GZIP compression")
 	command.AddCommand(cli.NewVersionCmd(cliName))
 	command.Flags().IntVar(&listenPort, "port", common.DefaultPortAPIServer, "Listen on given port")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDAPIServerMetrics, "Start metrics on given port")
 	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
+	command.Flags().StringVar(&frameOptions, "x-frame-options", "sameorigin", "Set X-Frame-Options header in HTTP responses to `value`. To disable, set to \"\".")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(command)
-	cacheSrc = cache.AddCacheFlagsToCmd(command)
+	cacheSrc = servercache.AddCacheFlagsToCmd(command, func(client *redis.Client) {
+		redisClient = client
+	})
 	return command
 }

cmd/argocd-server/main.go

@@ -1,16 +0,0 @@
-package main
-
-import (
-	commands "github.com/argoproj/argo-cd/cmd/argocd-server/commands"
-	"github.com/argoproj/argo-cd/errors"
-
-	// load the gcp plugin (required to authenticate against GKE clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// load the oidc plugin (required to authenticate with OpenID Connect).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-)
-
-func main() {
-	err := commands.NewCommand().Execute()
-	errors.CheckError(err)
-}

cmd/argocd-util/commands/apps.go

@@ -0,0 +1,346 @@
+package commands
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"sort"
+	"time"
+
+	appstatecache "github.com/argoproj/argo-cd/util/cache/appstate"
+
+	"github.com/ghodss/yaml"
+	"github.com/spf13/cobra"
+	apiv1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/kubernetes"
+	kubecache "k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/controller"
+	"github.com/argoproj/argo-cd/controller/cache"
+	"github.com/argoproj/argo-cd/controller/metrics"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
+	appinformers "github.com/argoproj/argo-cd/pkg/client/informers/externalversions"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
+	cacheutil "github.com/argoproj/argo-cd/util/cache"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/config"
+	"github.com/argoproj/argo-cd/util/db"
+	"github.com/argoproj/argo-cd/util/errors"
+	kubeutil "github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/settings"
+)
+
+func NewAppsCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "apps",
+		Short: "Utility commands operate on ArgoCD applications",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+
+	command.AddCommand(NewReconcileCommand())
+	command.AddCommand(NewDiffReconcileResults())
+	return command
+}
+
+type appReconcileResult struct {
+	Name       string                          `json:"name"`
+	Health     *v1alpha1.HealthStatus          `json:"health"`
+	Sync       *v1alpha1.SyncStatus            `json:"sync"`
+	Conditions []v1alpha1.ApplicationCondition `json:"conditions"`
+}
+
+type reconcileResults struct {
+	Applications []appReconcileResult `json:"applications"`
+}
+
+func (r *reconcileResults) getAppsMap() map[string]appReconcileResult {
+	res := map[string]appReconcileResult{}
+	for i := range r.Applications {
+		res[r.Applications[i].Name] = r.Applications[i]
+	}
+	return res
+}
+
+func printLine(format string, a ...interface{}) {
+	_, _ = fmt.Printf(format+"\n", a...)
+}
+
+func NewDiffReconcileResults() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "diff-reconcile-results PATH1 PATH2",
+		Short: "Compare results of two reconciliations and print diff.",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			path1 := args[0]
+			path2 := args[1]
+			var res1 reconcileResults
+			var res2 reconcileResults
+			errors.CheckError(config.UnmarshalLocalFile(path1, &res1))
+			errors.CheckError(config.UnmarshalLocalFile(path2, &res2))
+			errors.CheckError(diffReconcileResults(res1, res2))
+		},
+	}
+
+	return command
+}
+
+func toUnstructured(val interface{}) (*unstructured.Unstructured, error) {
+	data, err := json.Marshal(val)
+	if err != nil {
+		return nil, err
+	}
+	res := make(map[string]interface{})
+	err = json.Unmarshal(data, &res)
+	if err != nil {
+		return nil, err
+	}
+	return &unstructured.Unstructured{Object: res}, nil
+}
+
+type diffPair struct {
+	name   string
+	first  *unstructured.Unstructured
+	second *unstructured.Unstructured
+}
+
+func diffReconcileResults(res1 reconcileResults, res2 reconcileResults) error {
+	var pairs []diffPair
+	resMap1 := res1.getAppsMap()
+	resMap2 := res2.getAppsMap()
+	for k, v := range resMap1 {
+		firstUn, err := toUnstructured(v)
+		if err != nil {
+			return err
+		}
+		var secondUn *unstructured.Unstructured
+		second, ok := resMap2[k]
+		if ok {
+			secondUn, err = toUnstructured(second)
+			if err != nil {
+				return err
+			}
+			delete(resMap2, k)
+		}
+		pairs = append(pairs, diffPair{name: k, first: firstUn, second: secondUn})
+	}
+	for k, v := range resMap2 {
+		secondUn, err := toUnstructured(v)
+		if err != nil {
+			return err
+		}
+		pairs = append(pairs, diffPair{name: k, first: nil, second: secondUn})
+	}
+	sort.Slice(pairs, func(i, j int) bool {
+		return pairs[i].name < pairs[j].name
+	})
+	for _, item := range pairs {
+		printLine(item.name)
+		_ = cli.PrintDiff(item.name, item.first, item.second)
+	}
+
+	return nil
+}
+
+func NewReconcileCommand() *cobra.Command {
+	var (
+		clientConfig      clientcmd.ClientConfig
+		selector          string
+		repoServerAddress string
+		outputFormat      string
+		refresh           bool
+	)
+
+	var command = &cobra.Command{
+		Use:   "get-reconcile-results PATH",
+		Short: "Reconcile all applications and stores reconciliation summary in the specified file.",
+		Run: func(c *cobra.Command, args []string) {
+			// get rid of logging error handler
+			runtime.ErrorHandlers = runtime.ErrorHandlers[1:]
+
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			outputPath := args[0]
+
+			errors.CheckError(os.Setenv(common.EnvVarFakeInClusterConfig, "true"))
+			cfg, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			var result []appReconcileResult
+			if refresh {
+				if repoServerAddress == "" {
+					printLine("Repo server is not provided, trying to port-forward to argocd-repo-server pod.")
+					repoServerPort, err := kubeutil.PortForward("app.kubernetes.io/name=argocd-repo-server", 8081, namespace)
+					errors.CheckError(err)
+					repoServerAddress = fmt.Sprintf("localhost:%d", repoServerPort)
+				}
+				repoServerClient := apiclient.NewRepoServerClientset(repoServerAddress, 60)
+
+				appClientset := appclientset.NewForConfigOrDie(cfg)
+				kubeClientset := kubernetes.NewForConfigOrDie(cfg)
+				result, err = reconcileApplications(kubeClientset, appClientset, namespace, repoServerClient, selector, newLiveStateCache)
+				errors.CheckError(err)
+			} else {
+				appClientset := appclientset.NewForConfigOrDie(cfg)
+				result, err = getReconcileResults(appClientset, namespace, selector)
+			}
+
+			errors.CheckError(saveToFile(err, outputFormat, reconcileResults{Applications: result}, outputPath))
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	command.Flags().StringVar(&repoServerAddress, "repo-server", "", "Repo server address.")
+	command.Flags().StringVar(&selector, "l", "", "Label selector")
+	command.Flags().StringVar(&outputFormat, "o", "yaml", "Output format (yaml|json)")
+	command.Flags().BoolVar(&refresh, "refresh", false, "If set to true then recalculates apps reconciliation")
+
+	return command
+}
+
+func saveToFile(err error, outputFormat string, result reconcileResults, outputPath string) error {
+	errors.CheckError(err)
+	var data []byte
+	switch outputFormat {
+	case "yaml":
+		if data, err = yaml.Marshal(result); err != nil {
+			return err
+		}
+	case "json":
+		if data, err = json.Marshal(result); err != nil {
+			return err
+		}
+	default:
+		return fmt.Errorf("format %s is not supported", outputFormat)
+	}
+
+	return ioutil.WriteFile(outputPath, data, 0644)
+}
+
+func getReconcileResults(appClientset appclientset.Interface, namespace string, selector string) ([]appReconcileResult, error) {
+	appsList, err := appClientset.ArgoprojV1alpha1().Applications(namespace).List(context.Background(), v1.ListOptions{LabelSelector: selector})
+	if err != nil {
+		return nil, err
+	}
+
+	var items []appReconcileResult
+	for _, app := range appsList.Items {
+		items = append(items, appReconcileResult{
+			Name:       app.Name,
+			Conditions: app.Status.Conditions,
+			Health:     &app.Status.Health,
+			Sync:       &app.Status.Sync,
+		})
+	}
+	return items, nil
+}
+
+func reconcileApplications(
+	kubeClientset kubernetes.Interface,
+	appClientset appclientset.Interface,
+	namespace string,
+	repoServerClient apiclient.Clientset,
+	selector string,
+	createLiveStateCache func(argoDB db.ArgoDB, appInformer kubecache.SharedIndexInformer, settingsMgr *settings.SettingsManager, server *metrics.MetricsServer) cache.LiveStateCache,
+) ([]appReconcileResult, error) {
+
+	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
+	argoDB := db.NewDB(namespace, settingsMgr, kubeClientset)
+	appInformerFactory := appinformers.NewFilteredSharedInformerFactory(
+		appClientset,
+		1*time.Hour,
+		namespace,
+		func(options *v1.ListOptions) {},
+	)
+
+	appInformer := appInformerFactory.Argoproj().V1alpha1().Applications().Informer()
+	projInformer := appInformerFactory.Argoproj().V1alpha1().AppProjects().Informer()
+	go appInformer.Run(context.Background().Done())
+	go projInformer.Run(context.Background().Done())
+	if !kubecache.WaitForCacheSync(context.Background().Done(), appInformer.HasSynced, projInformer.HasSynced) {
+		return nil, fmt.Errorf("failed to sync cache")
+	}
+
+	appLister := appInformerFactory.Argoproj().V1alpha1().Applications().Lister()
+	projLister := appInformerFactory.Argoproj().V1alpha1().AppProjects().Lister()
+	server, err := metrics.NewMetricsServer("", appLister, func(obj interface{}) bool {
+		return true
+	}, func(r *http.Request) error {
+		return nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+	stateCache := createLiveStateCache(argoDB, appInformer, settingsMgr, server)
+	if err := stateCache.Init(); err != nil {
+		return nil, err
+	}
+
+	cache := appstatecache.NewCache(
+		cacheutil.NewCache(cacheutil.NewInMemoryCache(1*time.Minute)),
+		1*time.Minute,
+	)
+
+	appStateManager := controller.NewAppStateManager(
+		argoDB, appClientset, repoServerClient, namespace, kubeutil.NewKubectl(), settingsMgr, stateCache, projInformer, server, cache, time.Second)
+
+	appsList, err := appClientset.ArgoprojV1alpha1().Applications(namespace).List(context.Background(), v1.ListOptions{LabelSelector: selector})
+	if err != nil {
+		return nil, err
+	}
+
+	sort.Slice(appsList.Items, func(i, j int) bool {
+		return appsList.Items[i].Spec.Destination.Server < appsList.Items[j].Spec.Destination.Server
+	})
+
+	var items []appReconcileResult
+	prevServer := ""
+	for _, app := range appsList.Items {
+		if prevServer != app.Spec.Destination.Server {
+			if prevServer != "" {
+				if clusterCache, err := stateCache.GetClusterCache(prevServer); err == nil {
+					clusterCache.Invalidate()
+				}
+			}
+			printLine("Reconciling apps of %s", app.Spec.Destination.Server)
+			prevServer = app.Spec.Destination.Server
+		}
+		printLine(app.Name)
+
+		proj, err := projLister.AppProjects(namespace).Get(app.Spec.Project)
+		if err != nil {
+			return nil, err
+		}
+
+		res := appStateManager.CompareAppState(&app, proj, app.Spec.Source.TargetRevision, app.Spec.Source, false, nil)
+		items = append(items, appReconcileResult{
+			Name:       app.Name,
+			Conditions: app.Status.Conditions,
+			Health:     res.GetHealthStatus(),
+			Sync:       res.GetSyncStatus(),
+		})
+	}
+	return items, nil
+}
+
+func newLiveStateCache(argoDB db.ArgoDB, appInformer kubecache.SharedIndexInformer, settingsMgr *settings.SettingsManager, server *metrics.MetricsServer) cache.LiveStateCache {
+	return cache.NewLiveStateCache(argoDB, appInformer, settingsMgr, kubeutil.NewKubectl(), server, func(managedByApp map[string]bool, ref apiv1.ObjectReference) {}, nil)
+}

cmd/argocd-util/commands/apps_test.go

@@ -0,0 +1,182 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/argoproj/argo-cd/test"
+
+	clustermocks "github.com/argoproj/gitops-engine/pkg/cache/mocks"
+	"github.com/argoproj/gitops-engine/pkg/health"
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/cache"
+
+	"github.com/argoproj/argo-cd/common"
+	statecache "github.com/argoproj/argo-cd/controller/cache"
+	cachemocks "github.com/argoproj/argo-cd/controller/cache/mocks"
+	"github.com/argoproj/argo-cd/controller/metrics"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	appfake "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/fake"
+	"github.com/argoproj/argo-cd/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/reposerver/apiclient/mocks"
+	"github.com/argoproj/argo-cd/util/db"
+	"github.com/argoproj/argo-cd/util/settings"
+)
+
+func TestGetReconcileResults(t *testing.T) {
+	appClientset := appfake.NewSimpleClientset(&v1alpha1.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Status: v1alpha1.ApplicationStatus{
+			Health: v1alpha1.HealthStatus{Status: health.HealthStatusHealthy},
+			Sync:   v1alpha1.SyncStatus{Status: v1alpha1.SyncStatusCodeOutOfSync},
+		},
+	})
+
+	result, err := getReconcileResults(appClientset, "default", "")
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	expectedResults := []appReconcileResult{{
+		Name:   "test",
+		Health: &v1alpha1.HealthStatus{Status: health.HealthStatusHealthy},
+		Sync:   &v1alpha1.SyncStatus{Status: v1alpha1.SyncStatusCodeOutOfSync},
+	}}
+	assert.ElementsMatch(t, expectedResults, result)
+}
+
+func TestGetReconcileResults_Refresh(t *testing.T) {
+	cm := corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "argocd-cm",
+			Namespace: "default",
+			Labels: map[string]string{
+				"app.kubernetes.io/part-of": "argocd",
+			},
+		},
+	}
+	proj := &v1alpha1.AppProject{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "default",
+			Namespace: "default",
+		},
+		Spec: v1alpha1.AppProjectSpec{Destinations: []v1alpha1.ApplicationDestination{{Namespace: "*", Server: "*"}}},
+	}
+
+	app := &v1alpha1.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "default",
+		},
+		Spec: v1alpha1.ApplicationSpec{
+			Project: "default",
+			Destination: v1alpha1.ApplicationDestination{
+				Server:    common.KubernetesInternalAPIServerAddr,
+				Namespace: "default",
+			},
+		},
+	}
+
+	appClientset := appfake.NewSimpleClientset(app, proj)
+	deployment := test.NewDeployment()
+	kubeClientset := kubefake.NewSimpleClientset(deployment, &cm)
+	clusterCache := clustermocks.ClusterCache{}
+	clusterCache.On("IsNamespaced", mock.Anything).Return(true, nil)
+	repoServerClient := mocks.RepoServerServiceClient{}
+	repoServerClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(&apiclient.ManifestResponse{
+		Manifests: []string{test.DeploymentManifest},
+	}, nil)
+	repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
+	liveStateCache := cachemocks.LiveStateCache{}
+	liveStateCache.On("GetManagedLiveObjs", mock.Anything, mock.Anything).Return(map[kube.ResourceKey]*unstructured.Unstructured{
+		kube.GetResourceKey(deployment): deployment,
+	}, nil)
+	liveStateCache.On("GetVersionsInfo", mock.Anything).Return("v1.2.3", nil, nil)
+	liveStateCache.On("Init").Return(nil, nil)
+	liveStateCache.On("GetClusterCache", mock.Anything).Return(&clusterCache, nil)
+	liveStateCache.On("IsNamespaced", mock.Anything, mock.Anything).Return(true, nil)
+
+	result, err := reconcileApplications(kubeClientset, appClientset, "default", &repoServerClientset, "",
+		func(argoDB db.ArgoDB, appInformer cache.SharedIndexInformer, settingsMgr *settings.SettingsManager, server *metrics.MetricsServer) statecache.LiveStateCache {
+			return &liveStateCache
+		},
+	)
+
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	assert.Equal(t, result[0].Health.Status, health.HealthStatusMissing)
+	assert.Equal(t, result[0].Sync.Status, v1alpha1.SyncStatusCodeOutOfSync)
+}
+
+func TestDiffReconcileResults_NoDifferences(t *testing.T) {
+	logs, err := captureStdout(func() {
+		assert.NoError(t, diffReconcileResults(
+			reconcileResults{Applications: []appReconcileResult{{
+				Name: "app1",
+				Sync: &v1alpha1.SyncStatus{Status: v1alpha1.SyncStatusCodeOutOfSync},
+			}}},
+			reconcileResults{Applications: []appReconcileResult{{
+				Name: "app1",
+				Sync: &v1alpha1.SyncStatus{Status: v1alpha1.SyncStatusCodeOutOfSync},
+			}}},
+		))
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, "app1\n", logs)
+}
+
+func TestDiffReconcileResults_DifferentApps(t *testing.T) {
+	logs, err := captureStdout(func() {
+		assert.NoError(t, diffReconcileResults(
+			reconcileResults{Applications: []appReconcileResult{{
+				Name: "app1",
+				Sync: &v1alpha1.SyncStatus{Status: v1alpha1.SyncStatusCodeOutOfSync},
+			}, {
+				Name: "app2",
+				Sync: &v1alpha1.SyncStatus{Status: v1alpha1.SyncStatusCodeOutOfSync},
+			}}},
+			reconcileResults{Applications: []appReconcileResult{{
+				Name: "app1",
+				Sync: &v1alpha1.SyncStatus{Status: v1alpha1.SyncStatusCodeOutOfSync},
+			}, {
+				Name: "app3",
+				Sync: &v1alpha1.SyncStatus{Status: v1alpha1.SyncStatusCodeOutOfSync},
+			}}},
+		))
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, `app1
+app2
+1,9d0
+< conditions: null
+< health: null
+< name: app2
+< sync:
+<   comparedTo:
+<     destination: {}
+<     source:
+<       repoURL: ""
+<   status: OutOfSync
+app3
+0a1,9
+> conditions: null
+> health: null
+> name: app3
+> sync:
+>   comparedTo:
+>     destination: {}
+>     source:
+>       repoURL: ""
+>   status: OutOfSync
+`, logs)
+}

cmd/argocd-util/commands/argocd_util.go

@@ -1,4 +1,4 @@
-package main
+package commands
 
 import (
 	"bufio"
@@ -7,9 +7,9 @@ import (
 	"io"
 	"io/ioutil"
 	"os"
-	"os/exec"
-	"syscall"
+	"reflect"
 
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -23,20 +23,12 @@ import (
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/util"
-
-	"github.com/argoproj/argo-cd/errors"
 	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/dex"
-	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/errors"
 	"github.com/argoproj/argo-cd/util/settings"
-
-	// load the gcp plugin (required to authenticate against GKE clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// load the oidc plugin (required to authenticate with OpenID Connect).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
 )
 
 const (
@@ -56,153 +48,34 @@ var (
 // NewCommand returns a new instance of an argocd command
 func NewCommand() *cobra.Command {
 	var (
-		logLevel string
+		pathOpts = clientcmd.NewDefaultPathOptions()
 	)
 
 	var command = &cobra.Command{
-		Use:   cliName,
-		Short: "argocd-util has internal tools used by Argo CD",
+		Use:               cliName,
+		Short:             "argocd-util tools used by Argo CD",
+		Long:              "argocd-util has internal utility tools used by Argo CD",
+		DisableAutoGenTag: true,
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 		},
 	}
 
 	command.AddCommand(cli.NewVersionCmd(cliName))
-	command.AddCommand(NewRunDexCommand())
-	command.AddCommand(NewGenDexConfigCommand())
 	command.AddCommand(NewImportCommand())
 	command.AddCommand(NewExportCommand())
 	command.AddCommand(NewClusterConfig())
+	command.AddCommand(NewProjectsCommand())
+	command.AddCommand(NewSettingsCommand())
+	command.AddCommand(NewAppsCommand())
+	command.AddCommand(NewRBACCommand())
+	command.AddCommand(NewGenerateConfigCommand(pathOpts))
 
-	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	return command
 }
 
-func NewRunDexCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-	)
-	var command = cobra.Command{
-		Use:   "rundex",
-		Short: "Runs dex generating a config using settings from the Argo CD configmap and secret",
-		RunE: func(c *cobra.Command, args []string) error {
-			_, err := exec.LookPath("dex")
-			errors.CheckError(err)
-			config, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			kubeClientset := kubernetes.NewForConfigOrDie(config)
-			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
-			prevSettings, err := settingsMgr.GetSettings()
-			errors.CheckError(err)
-			updateCh := make(chan *settings.ArgoCDSettings, 1)
-			settingsMgr.Subscribe(updateCh)
-
-			for {
-				var cmd *exec.Cmd
-				dexCfgBytes, err := dex.GenerateDexConfigYAML(prevSettings)
-				errors.CheckError(err)
-				if len(dexCfgBytes) == 0 {
-					log.Infof("dex is not configured")
-				} else {
-					err = ioutil.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0644)
-					errors.CheckError(err)
-					log.Info(string(dexCfgBytes))
-					cmd = exec.Command("dex", "serve", "/tmp/dex.yaml")
-					cmd.Stdout = os.Stdout
-					cmd.Stderr = os.Stderr
-					err = cmd.Start()
-					errors.CheckError(err)
-				}
-
-				// loop until the dex config changes
-				for {
-					newSettings := <-updateCh
-					newDexCfgBytes, err := dex.GenerateDexConfigYAML(newSettings)
-					errors.CheckError(err)
-					if string(newDexCfgBytes) != string(dexCfgBytes) {
-						prevSettings = newSettings
-						log.Infof("dex config modified. restarting dex")
-						if cmd != nil && cmd.Process != nil {
-							err = cmd.Process.Signal(syscall.SIGTERM)
-							errors.CheckError(err)
-							_, err = cmd.Process.Wait()
-							errors.CheckError(err)
-						}
-						break
-					} else {
-						log.Infof("dex config unmodified")
-					}
-				}
-			}
-		},
-	}
-
-	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	return &command
-}
-
-func NewGenDexConfigCommand() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-		out          string
-	)
-	var command = cobra.Command{
-		Use:   "gendexcfg",
-		Short: "Generates a dex config from Argo CD settings",
-		RunE: func(c *cobra.Command, args []string) error {
-			config, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			kubeClientset := kubernetes.NewForConfigOrDie(config)
-			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, namespace)
-			settings, err := settingsMgr.GetSettings()
-			errors.CheckError(err)
-			dexCfgBytes, err := dex.GenerateDexConfigYAML(settings)
-			errors.CheckError(err)
-			if len(dexCfgBytes) == 0 {
-				log.Infof("dex is not configured")
-				return nil
-			}
-			if out == "" {
-				dexCfg := make(map[string]interface{})
-				err := yaml.Unmarshal(dexCfgBytes, &dexCfg)
-				errors.CheckError(err)
-				if staticClientsInterface, ok := dexCfg["staticClients"]; ok {
-					if staticClients, ok := staticClientsInterface.([]interface{}); ok {
-						for i := range staticClients {
-							staticClient := staticClients[i]
-							if mappings, ok := staticClient.(map[string]interface{}); ok {
-								for key := range mappings {
-									if key == "secret" {
-										mappings[key] = "******"
-									}
-								}
-								staticClients[i] = mappings
-							}
-						}
-						dexCfg["staticClients"] = staticClients
-					}
-				}
-				errors.CheckError(err)
-				maskedDexCfgBytes, err := yaml.Marshal(dexCfg)
-				errors.CheckError(err)
-				fmt.Print(string(maskedDexCfgBytes))
-			} else {
-				err = ioutil.WriteFile(out, dexCfgBytes, 0644)
-				errors.CheckError(err)
-			}
-			return nil
-		},
-	}
-
-	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	command.Flags().StringVarP(&out, "out", "o", "", "Output to the specified file instead of stdout")
-	return &command
-}
-
 // NewImportCommand defines a new command for exporting Kubernetes and Argo CD resources.
 func NewImportCommand() *cobra.Command {
 	var (
@@ -219,6 +92,7 @@ func NewImportCommand() *cobra.Command {
 				os.Exit(1)
 			}
 			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
 			config.QPS = 100
 			config.Burst = 50
 			errors.CheckError(err)
@@ -241,43 +115,49 @@ func NewImportCommand() *cobra.Command {
 			// pruneObjects tracks live objects and it's current resource version. any remaining
 			// items in this map indicates the resource should be pruned since it no longer appears
 			// in the backup
-			pruneObjects := make(map[kube.ResourceKey]string)
-			configMaps, err := acdClients.configMaps.List(metav1.ListOptions{})
+			pruneObjects := make(map[kube.ResourceKey]unstructured.Unstructured)
+			configMaps, err := acdClients.configMaps.List(context.Background(), metav1.ListOptions{})
 			errors.CheckError(err)
+			// referencedSecrets holds any secrets referenced in the argocd-cm configmap. These
+			// secrets need to be imported too
+			var referencedSecrets map[string]bool
 			for _, cm := range configMaps.Items {
-				cmName := cm.GetName()
-				if cmName == common.ArgoCDConfigMapName || cmName == common.ArgoCDRBACConfigMapName {
-					pruneObjects[kube.ResourceKey{Group: "", Kind: "ConfigMap", Name: cm.GetName()}] = cm.GetResourceVersion()
+				if isArgoCDConfigMap(cm.GetName()) {
+					pruneObjects[kube.ResourceKey{Group: "", Kind: "ConfigMap", Name: cm.GetName()}] = cm
+				}
+				if cm.GetName() == common.ArgoCDConfigMapName {
+					referencedSecrets = getReferencedSecrets(cm)
 				}
 			}
-			secrets, err := acdClients.secrets.List(metav1.ListOptions{})
+
+			secrets, err := acdClients.secrets.List(context.Background(), metav1.ListOptions{})
 			errors.CheckError(err)
 			for _, secret := range secrets.Items {
-				if isArgoCDSecret(nil, secret) {
-					pruneObjects[kube.ResourceKey{Group: "", Kind: "Secret", Name: secret.GetName()}] = secret.GetResourceVersion()
+				if isArgoCDSecret(referencedSecrets, secret) {
+					pruneObjects[kube.ResourceKey{Group: "", Kind: "Secret", Name: secret.GetName()}] = secret
 				}
 			}
-			applications, err := acdClients.applications.List(metav1.ListOptions{})
+			applications, err := acdClients.applications.List(context.Background(), metav1.ListOptions{})
 			errors.CheckError(err)
 			for _, app := range applications.Items {
-				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "Application", Name: app.GetName()}] = app.GetResourceVersion()
+				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "Application", Name: app.GetName()}] = app
 			}
-			projects, err := acdClients.projects.List(metav1.ListOptions{})
+			projects, err := acdClients.projects.List(context.Background(), metav1.ListOptions{})
 			errors.CheckError(err)
 			for _, proj := range projects.Items {
-				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "AppProject", Name: proj.GetName()}] = proj.GetResourceVersion()
+				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "AppProject", Name: proj.GetName()}] = proj
 			}
 
 			// Create or replace existing object
-			objs, err := kube.SplitYAML(string(input))
+			backupObjects, err := kube.SplitYAML(input)
 			errors.CheckError(err)
-			for _, obj := range objs {
-				gvk := obj.GroupVersionKind()
-				key := kube.ResourceKey{Group: gvk.Group, Kind: gvk.Kind, Name: obj.GetName()}
-				resourceVersion, exists := pruneObjects[key]
+			for _, bakObj := range backupObjects {
+				gvk := bakObj.GroupVersionKind()
+				key := kube.ResourceKey{Group: gvk.Group, Kind: gvk.Kind, Name: bakObj.GetName()}
+				liveObj, exists := pruneObjects[key]
 				delete(pruneObjects, key)
 				var dynClient dynamic.ResourceInterface
-				switch obj.GetKind() {
+				switch bakObj.GetKind() {
 				case "Secret":
 					dynClient = acdClients.secrets
 				case "ConfigMap":
@@ -289,17 +169,19 @@ func NewImportCommand() *cobra.Command {
 				}
 				if !exists {
 					if !dryRun {
-						_, err = dynClient.Create(obj, metav1.CreateOptions{})
+						_, err = dynClient.Create(context.Background(), bakObj, metav1.CreateOptions{})
 						errors.CheckError(err)
 					}
-					fmt.Printf("%s/%s %s created%s\n", gvk.Group, gvk.Kind, obj.GetName(), dryRunMsg)
+					fmt.Printf("%s/%s %s created%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
+				} else if specsEqual(*bakObj, liveObj) {
+					fmt.Printf("%s/%s %s unchanged%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
 				} else {
 					if !dryRun {
-						obj.SetResourceVersion(resourceVersion)
-						_, err = dynClient.Update(obj, metav1.UpdateOptions{})
+						newLive := updateLive(bakObj, &liveObj)
+						_, err = dynClient.Update(context.Background(), newLive, metav1.UpdateOptions{})
 						errors.CheckError(err)
 					}
-					fmt.Printf("%s/%s %s replaced%s\n", gvk.Group, gvk.Kind, obj.GetName(), dryRunMsg)
+					fmt.Printf("%s/%s %s updated%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
 				}
 			}
 
@@ -318,7 +200,7 @@ func NewImportCommand() *cobra.Command {
 						log.Fatalf("Unexpected kind '%s' in prune list", key.Kind)
 					}
 					if !dryRun {
-						err = dynClient.Delete(key.Name, &metav1.DeleteOptions{})
+						err = dynClient.Delete(context.Background(), key.Name, metav1.DeleteOptions{})
 						errors.CheckError(err)
 					}
 					fmt.Printf("%s/%s %s pruned%s\n", key.Group, key.Kind, key.Name, dryRunMsg)
@@ -375,38 +257,44 @@ func NewExportCommand() *cobra.Command {
 			} else {
 				f, err := os.Create(out)
 				errors.CheckError(err)
-				defer util.Close(f)
-				writer = bufio.NewWriter(f)
+				bw := bufio.NewWriter(f)
+				writer = bw
+				defer func() {
+					err = bw.Flush()
+					errors.CheckError(err)
+					err = f.Close()
+					errors.CheckError(err)
+				}()
 			}
 
 			acdClients := newArgoCDClientsets(config, namespace)
-			acdConfigMap, err := acdClients.configMaps.Get(common.ArgoCDConfigMapName, metav1.GetOptions{})
+			acdConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDConfigMapName, metav1.GetOptions{})
 			errors.CheckError(err)
 			export(writer, *acdConfigMap)
-			acdRBACConfigMap, err := acdClients.configMaps.Get(common.ArgoCDRBACConfigMapName, metav1.GetOptions{})
+			acdRBACConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDRBACConfigMapName, metav1.GetOptions{})
 			errors.CheckError(err)
 			export(writer, *acdRBACConfigMap)
-			acdKnownHostsConfigMap, err := acdClients.configMaps.Get(common.ArgoCDKnownHostsConfigMapName, metav1.GetOptions{})
+			acdKnownHostsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDKnownHostsConfigMapName, metav1.GetOptions{})
 			errors.CheckError(err)
 			export(writer, *acdKnownHostsConfigMap)
-			acdTLSCertsConfigMap, err := acdClients.configMaps.Get(common.ArgoCDTLSCertsConfigMapName, metav1.GetOptions{})
+			acdTLSCertsConfigMap, err := acdClients.configMaps.Get(context.Background(), common.ArgoCDTLSCertsConfigMapName, metav1.GetOptions{})
 			errors.CheckError(err)
 			export(writer, *acdTLSCertsConfigMap)
 
 			referencedSecrets := getReferencedSecrets(*acdConfigMap)
-			secrets, err := acdClients.secrets.List(metav1.ListOptions{})
+			secrets, err := acdClients.secrets.List(context.Background(), metav1.ListOptions{})
 			errors.CheckError(err)
 			for _, secret := range secrets.Items {
 				if isArgoCDSecret(referencedSecrets, secret) {
 					export(writer, secret)
 				}
 			}
-			projects, err := acdClients.projects.List(metav1.ListOptions{})
+			projects, err := acdClients.projects.List(context.Background(), metav1.ListOptions{})
 			errors.CheckError(err)
 			for _, proj := range projects.Items {
 				export(writer, proj)
 			}
-			applications, err := acdClients.applications.List(metav1.ListOptions{})
+			applications, err := acdClients.applications.List(context.Background(), metav1.ListOptions{})
 			errors.CheckError(err)
 			for _, app := range applications.Items {
 				export(writer, app)
@@ -427,11 +315,13 @@ func getReferencedSecrets(un unstructured.Unstructured) map[string]bool {
 	err := runtime.DefaultUnstructuredConverter.FromUnstructured(un.Object, &cm)
 	errors.CheckError(err)
 	referencedSecrets := make(map[string]bool)
+
+	// Referenced repository secrets
 	if reposRAW, ok := cm.Data["repositories"]; ok {
-		repoCreds := make([]settings.RepoCredentials, 0)
-		err := yaml.Unmarshal([]byte(reposRAW), &repoCreds)
+		repos := make([]settings.Repository, 0)
+		err := yaml.Unmarshal([]byte(reposRAW), &repos)
 		errors.CheckError(err)
-		for _, cred := range repoCreds {
+		for _, cred := range repos {
 			if cred.PasswordSecret != nil {
 				referencedSecrets[cred.PasswordSecret.Name] = true
 			}
@@ -449,25 +339,27 @@ func getReferencedSecrets(un unstructured.Unstructured) map[string]bool {
 			}
 		}
 	}
-	if helmReposRAW, ok := cm.Data["helm.repositories"]; ok {
-		helmRepoCreds := make([]settings.HelmRepoCredentials, 0)
-		err := yaml.Unmarshal([]byte(helmReposRAW), &helmRepoCreds)
+
+	// Referenced repository credentials secrets
+	if reposRAW, ok := cm.Data["repository.credentials"]; ok {
+		creds := make([]settings.RepositoryCredentials, 0)
+		err := yaml.Unmarshal([]byte(reposRAW), &creds)
 		errors.CheckError(err)
-		for _, cred := range helmRepoCreds {
-			if cred.CASecret != nil {
-				referencedSecrets[cred.CASecret.Name] = true
+		for _, cred := range creds {
+			if cred.PasswordSecret != nil {
+				referencedSecrets[cred.PasswordSecret.Name] = true
 			}
-			if cred.CertSecret != nil {
-				referencedSecrets[cred.CertSecret.Name] = true
-			}
-			if cred.KeySecret != nil {
-				referencedSecrets[cred.KeySecret.Name] = true
+			if cred.SSHPrivateKeySecret != nil {
+				referencedSecrets[cred.SSHPrivateKeySecret.Name] = true
 			}
 			if cred.UsernameSecret != nil {
 				referencedSecrets[cred.UsernameSecret.Name] = true
 			}
-			if cred.PasswordSecret != nil {
-				referencedSecrets[cred.PasswordSecret.Name] = true
+			if cred.TLSClientCertDataSecret != nil {
+				referencedSecrets[cred.TLSClientCertDataSecret.Name] = true
+			}
+			if cred.TLSClientCertKeySecret != nil {
+				referencedSecrets[cred.TLSClientCertKeySecret.Name] = true
 			}
 		}
 	}
@@ -499,6 +391,73 @@ func isArgoCDSecret(repoSecretRefs map[string]bool, un unstructured.Unstructured
 	return false
 }
 
+// isArgoCDConfigMap returns true if the configmap name is one of argo cd's well known configmaps
+func isArgoCDConfigMap(name string) bool {
+	switch name {
+	case common.ArgoCDConfigMapName, common.ArgoCDRBACConfigMapName, common.ArgoCDKnownHostsConfigMapName, common.ArgoCDTLSCertsConfigMapName:
+		return true
+	}
+	return false
+
+}
+
+// specsEqual returns if the spec, data, labels, annotations, and finalizers of the two
+// supplied objects are equal, indicating that no update is necessary during importing
+func specsEqual(left, right unstructured.Unstructured) bool {
+	if !reflect.DeepEqual(left.GetAnnotations(), right.GetAnnotations()) {
+		return false
+	}
+	if !reflect.DeepEqual(left.GetLabels(), right.GetLabels()) {
+		return false
+	}
+	if !reflect.DeepEqual(left.GetFinalizers(), right.GetFinalizers()) {
+		return false
+	}
+	switch left.GetKind() {
+	case "Secret", "ConfigMap":
+		leftData, _, _ := unstructured.NestedMap(left.Object, "data")
+		rightData, _, _ := unstructured.NestedMap(right.Object, "data")
+		return reflect.DeepEqual(leftData, rightData)
+	case "AppProject":
+		leftSpec, _, _ := unstructured.NestedMap(left.Object, "spec")
+		rightSpec, _, _ := unstructured.NestedMap(right.Object, "spec")
+		return reflect.DeepEqual(leftSpec, rightSpec)
+	case "Application":
+		leftSpec, _, _ := unstructured.NestedMap(left.Object, "spec")
+		rightSpec, _, _ := unstructured.NestedMap(right.Object, "spec")
+		leftStatus, _, _ := unstructured.NestedMap(left.Object, "status")
+		rightStatus, _, _ := unstructured.NestedMap(right.Object, "status")
+		// reconciledAt and observedAt are constantly changing and we ignore any diff there
+		delete(leftStatus, "reconciledAt")
+		delete(rightStatus, "reconciledAt")
+		delete(leftStatus, "observedAt")
+		delete(rightStatus, "observedAt")
+		return reflect.DeepEqual(leftSpec, rightSpec) && reflect.DeepEqual(leftStatus, rightStatus)
+	}
+	return false
+}
+
+// updateLive replaces the live object's finalizers, spec, annotations, labels, and data from the
+// backup object but leaves all other fields intact (status, other metadata, etc...)
+func updateLive(bak, live *unstructured.Unstructured) *unstructured.Unstructured {
+	newLive := live.DeepCopy()
+	newLive.SetAnnotations(bak.GetAnnotations())
+	newLive.SetLabels(bak.GetLabels())
+	newLive.SetFinalizers(bak.GetFinalizers())
+	switch live.GetKind() {
+	case "Secret", "ConfigMap":
+		newLive.Object["data"] = bak.Object["data"]
+	case "AppProject":
+		newLive.Object["spec"] = bak.Object["spec"]
+	case "Application":
+		newLive.Object["spec"] = bak.Object["spec"]
+		if _, ok := bak.Object["status"]; ok {
+			newLive.Object["status"] = bak.Object["status"]
+		}
+	}
+	return newLive
+}
+
 // export writes the unstructured object and removes extraneous cruft from output before writing
 func export(w io.Writer, un unstructured.Unstructured) {
 	name := un.GetName()
@@ -528,8 +487,9 @@ func NewClusterConfig() *cobra.Command {
 		clientConfig clientcmd.ClientConfig
 	)
 	var command = &cobra.Command{
-		Use:   "kubeconfig CLUSTER_URL OUTPUT_PATH",
-		Short: "Generates kubeconfig for the specified cluster",
+		Use:               "kubeconfig CLUSTER_URL OUTPUT_PATH",
+		Short:             "Generates kubeconfig for the specified cluster",
+		DisableAutoGenTag: true,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 2 {
 				c.HelpFunc()(c, args)
@@ -546,7 +506,7 @@ func NewClusterConfig() *cobra.Command {
 
 			cluster, err := db.NewDB(namespace, settings.NewSettingsManager(context.Background(), kubeclientset, namespace), kubeclientset).GetCluster(context.Background(), serverUrl)
 			errors.CheckError(err)
-			err = kube.WriteKubeConfig(cluster.RESTConfig(), namespace, output)
+			err = kube.WriteKubeConfig(cluster.RawRestConfig(), namespace, output)
 			errors.CheckError(err)
 		},
 	}
@@ -554,9 +514,34 @@ func NewClusterConfig() *cobra.Command {
 	return command
 }
 
-func main() {
-	if err := NewCommand().Execute(); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
+func iterateStringFields(obj interface{}, callback func(name string, val string) string) {
+	if mapField, ok := obj.(map[string]interface{}); ok {
+		for field, val := range mapField {
+			if strVal, ok := val.(string); ok {
+				mapField[field] = callback(field, strVal)
+			} else {
+				iterateStringFields(val, callback)
+			}
+		}
+	} else if arrayField, ok := obj.([]interface{}); ok {
+		for i := range arrayField {
+			iterateStringFields(arrayField[i], callback)
+		}
 	}
 }
+
+func redactor(dirtyString string) string {
+	config := make(map[string]interface{})
+	err := yaml.Unmarshal([]byte(dirtyString), &config)
+	errors.CheckError(err)
+	iterateStringFields(config, func(name string, val string) string {
+		if name == "clientSecret" || name == "secret" || name == "bindPW" {
+			return "********"
+		} else {
+			return val
+		}
+	})
+	data, err := yaml.Marshal(config)
+	errors.CheckError(err)
+	return string(data)
+}

cmd/argocd-util/commands/config.go

@@ -0,0 +1,359 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	apiv1 "k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/clientcmd"
+
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
+	"github.com/argoproj/argo-cd/common"
+	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/db"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/git"
+	"github.com/argoproj/argo-cd/util/settings"
+)
+
+const (
+	ArgoCDNamespace  = "argocd"
+	repoSecretPrefix = "repo"
+)
+
+func NewGenerateConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "config",
+		Short: "Generate declarative configuration files",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+	command.AddCommand(NewGenAppConfigCommand())
+	command.AddCommand(NewGenProjectConfigCommand())
+	command.AddCommand(NewGenClusterConfigCommand(pathOpts))
+	command.AddCommand(NewGenRepoConfigCommand())
+
+	return command
+}
+
+// NewGenAppConfigCommand generates declarative configuration file for given application
+func NewGenAppConfigCommand() *cobra.Command {
+	var (
+		appOpts      cmdutil.AppOptions
+		fileURL      string
+		appName      string
+		labels       []string
+		outputFormat string
+	)
+	var command = &cobra.Command{
+		Use:   "app APPNAME",
+		Short: "Generate declarative config for an application",
+		Example: `
+	# Generate declarative config for a directory app
+	argocd-util config app guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --directory-recurse
+
+	# Generate declarative config for a Jsonnet app
+	argocd-util config app jsonnet-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path jsonnet-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --jsonnet-ext-str replicas=2
+
+	# Generate declarative config for a Helm app
+	argocd-util config app helm-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path helm-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --helm-set replicaCount=2
+
+	# Generate declarative config for a Helm app from a Helm repo
+	argocd-util config app nginx-ingress --repo https://kubernetes-charts.storage.googleapis.com --helm-chart nginx-ingress --revision 1.24.3 --dest-namespace default --dest-server https://kubernetes.default.svc
+
+	# Generate declarative config for a Kustomize app
+	argocd-util config app kustomize-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path kustomize-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --kustomize-image gcr.io/heptio-images/ks-guestbook-demo:0.1
+
+	# Generate declarative config for a app using a custom tool:
+	argocd-util config app ksane --repo https://github.com/argoproj/argocd-example-apps.git --path plugins/kasane --dest-namespace default --dest-server https://kubernetes.default.svc --config-management-plugin kasane
+`,
+		Run: func(c *cobra.Command, args []string) {
+			app, err := cmdutil.ConstructApp(fileURL, appName, labels, args, appOpts, c.Flags())
+			errors.CheckError(err)
+
+			if app.Name == "" {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			var printResources []interface{}
+			printResources = append(printResources, app)
+			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+		},
+	}
+	command.Flags().StringVar(&appName, "name", "", "A name for the app, ignored if a file is set (DEPRECATED)")
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the app")
+	command.Flags().StringArrayVarP(&labels, "label", "l", []string{}, "Labels to apply to the app")
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+
+	// Only complete files with appropriate extension.
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	errors.CheckError(err)
+
+	cmdutil.AddAppFlags(command, &appOpts)
+	return command
+}
+
+// NewGenProjectConfigCommand generates declarative configuration file for given project
+func NewGenProjectConfigCommand() *cobra.Command {
+	var (
+		opts         cmdutil.ProjectOpts
+		fileURL      string
+		outputFormat string
+	)
+	var command = &cobra.Command{
+		Use:   "proj PROJECT",
+		Short: "Generate declarative config for a project",
+		Run: func(c *cobra.Command, args []string) {
+			proj, err := cmdutil.ConstructAppProj(fileURL, args, opts, c)
+			errors.CheckError(err)
+
+			var printResources []interface{}
+			printResources = append(printResources, proj)
+			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+		},
+	}
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the project")
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	if err != nil {
+		log.Fatal(err)
+	}
+	cmdutil.AddProjFlags(command, &opts)
+	return command
+}
+
+func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
+	var (
+		clusterOpts  cmdutil.ClusterOptions
+		bearerToken  string
+		outputFormat string
+	)
+	var command = &cobra.Command{
+		Use:   "cluster CONTEXT",
+		Short: "Generate declarative config for a cluster",
+		Run: func(c *cobra.Command, args []string) {
+			var configAccess clientcmd.ConfigAccess = pathOpts
+			if len(args) == 0 {
+				log.Error("Choose a context name from:")
+				cmdutil.PrintKubeContexts(configAccess)
+				os.Exit(1)
+			}
+			cfgAccess, err := configAccess.GetStartingConfig()
+			errors.CheckError(err)
+			contextName := args[0]
+			clstContext := cfgAccess.Contexts[contextName]
+			if clstContext == nil {
+				log.Fatalf("Context %s does not exist in kubeconfig", contextName)
+			}
+
+			overrides := clientcmd.ConfigOverrides{
+				Context: *clstContext,
+			}
+			clientConfig := clientcmd.NewDefaultClientConfig(*cfgAccess, &overrides)
+			conf, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			kubeClientset := fake.NewSimpleClientset()
+
+			var awsAuthConf *argoappv1.AWSAuthConfig
+			var execProviderConf *argoappv1.ExecProviderConfig
+			if clusterOpts.AwsClusterName != "" {
+				awsAuthConf = &argoappv1.AWSAuthConfig{
+					ClusterName: clusterOpts.AwsClusterName,
+					RoleARN:     clusterOpts.AwsRoleArn,
+				}
+			} else if clusterOpts.ExecProviderCommand != "" {
+				execProviderConf = &argoappv1.ExecProviderConfig{
+					Command:     clusterOpts.ExecProviderCommand,
+					Args:        clusterOpts.ExecProviderArgs,
+					Env:         clusterOpts.ExecProviderEnv,
+					APIVersion:  clusterOpts.ExecProviderAPIVersion,
+					InstallHint: clusterOpts.ExecProviderInstallHint,
+				}
+			} else if bearerToken == "" {
+				bearerToken = "bearer-token"
+			}
+			if clusterOpts.Name != "" {
+				contextName = clusterOpts.Name
+			}
+			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, conf, bearerToken, awsAuthConf, execProviderConf)
+			if clusterOpts.InCluster {
+				clst.Server = common.KubernetesInternalAPIServerAddr
+			}
+			if clusterOpts.Shard >= 0 {
+				clst.Shard = &clusterOpts.Shard
+			}
+
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
+			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
+
+			_, err = argoDB.CreateCluster(context.Background(), clst)
+			errors.CheckError(err)
+
+			secName, err := db.ServerToSecretName(clst.Server)
+			errors.CheckError(err)
+
+			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), secName, v1.GetOptions{})
+			errors.CheckError(err)
+
+			cmdutil.ConvertSecretData(secret)
+			var printResources []interface{}
+			printResources = append(printResources, secret)
+			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+		},
+	}
+	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
+	command.Flags().StringVar(&bearerToken, "bearer-token", "", "Authentication token that should be used to access K8S API server")
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	cmdutil.AddClusterFlags(command, &clusterOpts)
+	return command
+}
+
+func NewGenRepoConfigCommand() *cobra.Command {
+	var (
+		repoOpts     cmdutil.RepoOptions
+		outputFormat string
+	)
+
+	// For better readability and easier formatting
+	var repoAddExamples = `  
+  # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
+  argocd-util config repo git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
+
+  # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
+  argocd-util config repo ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
+
+  # Add a private Git repository via HTTPS using username/password and TLS client certificates:
+  argocd-util config repo https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
+
+  # Add a private Git repository via HTTPS using username/password without verifying the server's TLS certificate
+  argocd-util config repo https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
+
+  # Add a public Helm repository named 'stable' via HTTPS
+  argocd-util config repo https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
+
+  # Add a private Helm repository named 'stable' via HTTPS
+  argocd-util config repo https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
+
+  # Add a private Helm OCI-based repository named 'stable' via HTTPS
+  argocd-util config repo helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
+`
+
+	var command = &cobra.Command{
+		Use:     "repo REPOURL",
+		Short:   "Generate declarative config for a repo",
+		Example: repoAddExamples,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			// Repository URL
+			repoOpts.Repo.Repo = args[0]
+
+			// Specifying ssh-private-key-path is only valid for SSH repositories
+			if repoOpts.SshPrivateKeyPath != "" {
+				if ok, _ := git.IsSSHURL(repoOpts.Repo.Repo); ok {
+					keyData, err := ioutil.ReadFile(repoOpts.SshPrivateKeyPath)
+					if err != nil {
+						log.Fatal(err)
+					}
+					repoOpts.Repo.SSHPrivateKey = string(keyData)
+				} else {
+					err := fmt.Errorf("--ssh-private-key-path is only supported for SSH repositories.")
+					errors.CheckError(err)
+				}
+			}
+
+			// tls-client-cert-path and tls-client-cert-key-key-path must always be
+			// specified together
+			if (repoOpts.TlsClientCertPath != "" && repoOpts.TlsClientCertKeyPath == "") || (repoOpts.TlsClientCertPath == "" && repoOpts.TlsClientCertKeyPath != "") {
+				err := fmt.Errorf("--tls-client-cert-path and --tls-client-cert-key-path must be specified together")
+				errors.CheckError(err)
+			}
+
+			// Specifying tls-client-cert-path is only valid for HTTPS repositories
+			if repoOpts.TlsClientCertPath != "" {
+				if git.IsHTTPSURL(repoOpts.Repo.Repo) {
+					tlsCertData, err := ioutil.ReadFile(repoOpts.TlsClientCertPath)
+					errors.CheckError(err)
+					tlsCertKey, err := ioutil.ReadFile(repoOpts.TlsClientCertKeyPath)
+					errors.CheckError(err)
+					repoOpts.Repo.TLSClientCertData = string(tlsCertData)
+					repoOpts.Repo.TLSClientCertKey = string(tlsCertKey)
+				} else {
+					err := fmt.Errorf("--tls-client-cert-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
+			// Set repository connection properties only when creating repository, not
+			// when creating repository credentials.
+			// InsecureIgnoreHostKey is deprecated and only here for backwards compat
+			repoOpts.Repo.InsecureIgnoreHostKey = repoOpts.InsecureIgnoreHostKey
+			repoOpts.Repo.Insecure = repoOpts.InsecureSkipServerVerification
+			repoOpts.Repo.EnableLFS = repoOpts.EnableLfs
+			repoOpts.Repo.EnableOCI = repoOpts.EnableOci
+
+			if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
+				errors.CheckError(fmt.Errorf("must specify --name for repos of type 'helm'"))
+			}
+
+			// If the user set a username, but didn't supply password via --password,
+			// then we prompt for it
+			if repoOpts.Repo.Username != "" && repoOpts.Repo.Password == "" {
+				repoOpts.Repo.Password = cli.PromptPassword(repoOpts.Repo.Password)
+			}
+
+			argoCDCM := &apiv1.ConfigMap{
+				TypeMeta: v1.TypeMeta{
+					Kind:       "ConfigMap",
+					APIVersion: "v1",
+				},
+				ObjectMeta: v1.ObjectMeta{
+					Name:      common.ArgoCDConfigMapName,
+					Namespace: ArgoCDNamespace,
+					Labels: map[string]string{
+						"app.kubernetes.io/part-of": "argocd",
+					},
+				},
+			}
+			kubeClientset := fake.NewSimpleClientset(argoCDCM)
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
+			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
+
+			var printResources []interface{}
+			_, err := argoDB.CreateRepository(context.Background(), &repoOpts.Repo)
+			errors.CheckError(err)
+
+			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), db.RepoURLToSecretName(repoSecretPrefix, repoOpts.Repo.Repo), v1.GetOptions{})
+			if err != nil {
+				if !apierr.IsNotFound(err) {
+					errors.CheckError(err)
+				}
+			} else {
+				cmdutil.ConvertSecretData(secret)
+				printResources = append(printResources, secret)
+			}
+
+			cm, err := kubeClientset.CoreV1().ConfigMaps(ArgoCDNamespace).Get(context.Background(), common.ArgoCDConfigMapName, v1.GetOptions{})
+			errors.CheckError(err)
+
+			printResources = append(printResources, cm)
+			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+		},
+	}
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	cmdutil.AddRepoFlags(command, &repoOpts)
+	return command
+}

cmd/argocd-util/commands/project_allowlist.go

@@ -0,0 +1,144 @@
+package commands
+
+import (
+	"bufio"
+	"io"
+	"io/ioutil"
+	"os"
+	"strings"
+
+	"github.com/ghodss/yaml"
+	"github.com/spf13/cobra"
+	rbacv1 "k8s.io/api/rbac/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/util/errors"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/cli"
+
+	// load the gcp plugin (required to authenticate against GKE clusters).
+	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	// load the oidc plugin (required to authenticate with OpenID Connect).
+	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
+	// load the azure plugin (required to authenticate with AKS clusters).
+	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
+)
+
+// NewProjectAllowListGenCommand generates a project from clusterRole
+func NewProjectAllowListGenCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		out          string
+	)
+	var command = &cobra.Command{
+		Use:   "generate-allow-list CLUSTERROLE_PATH PROJ_NAME",
+		Short: "Generates project allow list from the specified clusterRole file",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			clusterRoleFileName := args[0]
+			projName := args[1]
+
+			var writer io.Writer
+			if out == "-" {
+				writer = os.Stdout
+			} else {
+				f, err := os.Create(out)
+				errors.CheckError(err)
+				bw := bufio.NewWriter(f)
+				writer = bw
+				defer func() {
+					err = bw.Flush()
+					errors.CheckError(err)
+					err = f.Close()
+					errors.CheckError(err)
+				}()
+			}
+
+			globalProj := generateProjectAllowList(clientConfig, clusterRoleFileName, projName)
+
+			yamlBytes, err := yaml.Marshal(globalProj)
+			errors.CheckError(err)
+
+			_, err = writer.Write(yamlBytes)
+			errors.CheckError(err)
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	command.Flags().StringVarP(&out, "out", "o", "-", "Output to the specified file instead of stdout")
+
+	return command
+}
+
+func generateProjectAllowList(clientConfig clientcmd.ClientConfig, clusterRoleFileName string, projName string) v1alpha1.AppProject {
+	yamlBytes, err := ioutil.ReadFile(clusterRoleFileName)
+	errors.CheckError(err)
+	var obj unstructured.Unstructured
+	err = yaml.Unmarshal(yamlBytes, &obj)
+	errors.CheckError(err)
+
+	clusterRole := &rbacv1.ClusterRole{}
+	err = scheme.Scheme.Convert(&obj, clusterRole, nil)
+	errors.CheckError(err)
+
+	config, err := clientConfig.ClientConfig()
+	errors.CheckError(err)
+	disco, err := discovery.NewDiscoveryClientForConfig(config)
+	errors.CheckError(err)
+	serverResources, err := disco.ServerPreferredResources()
+	errors.CheckError(err)
+
+	resourceList := make([]metav1.GroupKind, 0)
+	for _, rule := range clusterRole.Rules {
+		if len(rule.APIGroups) <= 0 {
+			continue
+		}
+
+		canCreate := false
+		for _, verb := range rule.Verbs {
+			if strings.EqualFold(verb, "Create") {
+				canCreate = true
+				break
+			}
+		}
+
+		if !canCreate {
+			continue
+		}
+
+		ruleApiGroup := rule.APIGroups[0]
+		for _, ruleResource := range rule.Resources {
+			for _, apiResourcesList := range serverResources {
+				gv, err := schema.ParseGroupVersion(apiResourcesList.GroupVersion)
+				if err != nil {
+					gv = schema.GroupVersion{}
+				}
+				if ruleApiGroup == gv.Group {
+					for _, apiResource := range apiResourcesList.APIResources {
+						if apiResource.Name == ruleResource {
+							resourceList = append(resourceList, metav1.GroupKind{Group: ruleApiGroup, Kind: apiResource.Kind})
+						}
+					}
+				}
+			}
+		}
+	}
+	globalProj := v1alpha1.AppProject{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "AppProject",
+			APIVersion: "argoproj.io/v1alpha1",
+		},
+		ObjectMeta: metav1.ObjectMeta{Name: projName},
+		Spec:       v1alpha1.AppProjectSpec{},
+	}
+	globalProj.Spec.NamespaceResourceWhitelist = resourceList
+	return globalProj
+}

cmd/argocd-util/commands/project_allowlist_test.go

@@ -0,0 +1,57 @@
+package commands
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/undefinedlabs/go-mpatch"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/discovery"
+	restclient "k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+func TestProjectAllowListGen(t *testing.T) {
+	useMock := true
+	rules := clientcmd.NewDefaultClientConfigLoadingRules()
+	overrides := &clientcmd.ConfigOverrides{}
+	clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(rules, overrides)
+
+	if useMock {
+		var patchClientConfig *mpatch.Patch
+		patchClientConfig, err := mpatch.PatchInstanceMethodByName(reflect.TypeOf(clientConfig), "ClientConfig", func(*clientcmd.DeferredLoadingClientConfig) (*restclient.Config, error) {
+			return nil, nil
+		})
+		assert.NoError(t, err)
+
+		patch, err := mpatch.PatchMethod(discovery.NewDiscoveryClientForConfig, func(c *restclient.Config) (*discovery.DiscoveryClient, error) {
+			return &discovery.DiscoveryClient{LegacyPrefix: "/api"}, nil
+		})
+		assert.NoError(t, err)
+
+		var patchSeverPreferedResources *mpatch.Patch
+		discoClient := &discovery.DiscoveryClient{}
+		patchSeverPreferedResources, err = mpatch.PatchInstanceMethodByName(reflect.TypeOf(discoClient), "ServerPreferredResources", func(*discovery.DiscoveryClient) ([]*metav1.APIResourceList, error) {
+			res := metav1.APIResource{
+				Name: "services",
+				Kind: "Service",
+			}
+			resourceList := []*metav1.APIResourceList{{APIResources: []metav1.APIResource{res}}}
+			return resourceList, nil
+		})
+		assert.NoError(t, err)
+
+		defer func() {
+			err = patchClientConfig.Unpatch()
+			assert.NoError(t, err)
+			err = patch.Unpatch()
+			assert.NoError(t, err)
+			err = patchSeverPreferedResources.Unpatch()
+			err = patch.Unpatch()
+		}()
+	}
+
+	globalProj := generateProjectAllowList(clientConfig, "testdata/test_clusterrole.yaml", "testproj")
+	assert.True(t, len(globalProj.Spec.NamespaceResourceWhitelist) > 0)
+}

cmd/argocd-util/commands/projects.go

@@ -0,0 +1,194 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
+	appclient "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/typed/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/errors"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/spf13/cobra"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+func NewProjectsCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "projects",
+		Short: "Utility commands operate on ArgoCD Projects",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+
+	command.AddCommand(NewUpdatePolicyRuleCommand())
+	command.AddCommand(NewProjectAllowListGenCommand())
+	return command
+}
+
+func globMatch(pattern string, val string) bool {
+	if pattern == "*" {
+		return true
+	}
+	if ok, err := filepath.Match(pattern, val); ok && err == nil {
+		return true
+	}
+	return false
+}
+
+func getModification(modification string, resource string, scope string, permission string) (func(string, string) string, error) {
+	switch modification {
+	case "set":
+		if scope == "" {
+			return nil, fmt.Errorf("Flag --group cannot be empty if permission should be set in role")
+		}
+		if permission == "" {
+			return nil, fmt.Errorf("Flag --permission cannot be empty if permission should be set in role")
+		}
+		return func(proj string, action string) string {
+			return fmt.Sprintf("%s, %s, %s/%s, %s", resource, action, proj, scope, permission)
+		}, nil
+	case "remove":
+		return func(proj string, action string) string {
+			return ""
+		}, nil
+	}
+	return nil, fmt.Errorf("modification %s is not supported", modification)
+}
+
+func saveProject(updated v1alpha1.AppProject, orig v1alpha1.AppProject, projectsIf appclient.AppProjectInterface, dryRun bool) error {
+	fmt.Printf("===== %s ======\n", updated.Name)
+	target, err := kube.ToUnstructured(&updated)
+	errors.CheckError(err)
+	live, err := kube.ToUnstructured(&orig)
+	if err != nil {
+		return err
+	}
+	_ = cli.PrintDiff(updated.Name, target, live)
+	if !dryRun {
+		_, err = projectsIf.Update(context.Background(), &updated, v1.UpdateOptions{})
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func formatPolicy(proj string, role string, permission string) string {
+	return fmt.Sprintf("p, proj:%s:%s, %s", proj, role, permission)
+}
+
+func split(input string, delimiter string) []string {
+	parts := strings.Split(input, delimiter)
+	for i := range parts {
+		parts[i] = strings.TrimSpace(parts[i])
+	}
+	return parts
+}
+
+func NewUpdatePolicyRuleCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		resource     string
+		scope        string
+		rolePattern  string
+		permission   string
+		dryRun       bool
+	)
+	var command = &cobra.Command{
+		Use:   "update-role-policy PROJECT_GLOB MODIFICATION ACTION",
+		Short: "Implement bulk project role update. Useful to back-fill existing project policies or remove obsolete actions.",
+		Example: `  # Add policy that allows executing any action (action/*) to roles which name matches to *deployer* in all projects  
+  argocd-util projects update-role-policy '*' set 'action/*' --role '*deployer*' --resource applications --scope '*' --permission allow
+
+  # Remove policy that which manages running (action/*) from all roles which name matches *deployer* in all projects
+  argocd-util projects update-role-policy '*' remove override --role '*deployer*'
+`,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projectGlob := args[0]
+			modificationType := args[1]
+			action := args[2]
+
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			config.QPS = 100
+			config.Burst = 50
+
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			appclients := appclientset.NewForConfigOrDie(config)
+
+			modification, err := getModification(modificationType, resource, scope, permission)
+			errors.CheckError(err)
+			projIf := appclients.ArgoprojV1alpha1().AppProjects(namespace)
+
+			err = updateProjects(projIf, projectGlob, rolePattern, action, modification, dryRun)
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().StringVar(&resource, "resource", "", "Resource e.g. 'applications'")
+	command.Flags().StringVar(&scope, "scope", "", "Resource scope e.g. '*'")
+	command.Flags().StringVar(&rolePattern, "role", "*", "Role name pattern e.g. '*deployer*'")
+	command.Flags().StringVar(&permission, "permission", "", "Action permission")
+	command.Flags().BoolVar(&dryRun, "dry-run", true, "Dry run")
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	return command
+}
+
+func updateProjects(projIf appclient.AppProjectInterface, projectGlob string, rolePattern string, action string, modification func(string, string) string, dryRun bool) error {
+	projects, err := projIf.List(context.Background(), v1.ListOptions{})
+	if err != nil {
+		return err
+	}
+	for _, proj := range projects.Items {
+		if !globMatch(projectGlob, proj.Name) {
+			continue
+		}
+		origProj := proj.DeepCopy()
+		updated := false
+		for i, role := range proj.Spec.Roles {
+			if !globMatch(rolePattern, role.Name) {
+				continue
+			}
+			actionPolicyIndex := -1
+			for i := range role.Policies {
+				parts := split(role.Policies[i], ",")
+				if len(parts) != 6 || parts[3] != action {
+					continue
+				}
+				actionPolicyIndex = i
+				break
+			}
+			policyPermission := modification(proj.Name, action)
+			if actionPolicyIndex == -1 && policyPermission != "" {
+				updated = true
+				role.Policies = append(role.Policies, formatPolicy(proj.Name, role.Name, policyPermission))
+			} else if actionPolicyIndex > -1 && policyPermission == "" {
+				updated = true
+				role.Policies = append(role.Policies[:actionPolicyIndex], role.Policies[actionPolicyIndex+1:]...)
+			} else if actionPolicyIndex > -1 && policyPermission != "" {
+				updated = true
+				role.Policies[actionPolicyIndex] = formatPolicy(proj.Name, role.Name, policyPermission)
+			}
+			proj.Spec.Roles[i] = role
+		}
+		if updated {
+			err = saveProject(proj, *origProj, projIf, dryRun)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}

cmd/argocd-util/commands/projects_test.go

@@ -0,0 +1,79 @@
+package commands
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/pkg/client/clientset/versioned/fake"
+)
+
+const (
+	namespace = "default"
+)
+
+func newProj(name string, roleNames ...string) *v1alpha1.AppProject {
+	var roles []v1alpha1.ProjectRole
+	for i := range roleNames {
+		roles = append(roles, v1alpha1.ProjectRole{Name: roleNames[i]})
+	}
+	return &v1alpha1.AppProject{ObjectMeta: v1.ObjectMeta{
+		Name:      name,
+		Namespace: namespace,
+	}, Spec: v1alpha1.AppProjectSpec{
+		Roles: roles,
+	}}
+}
+
+func TestUpdateProjects_FindMatchingProject(t *testing.T) {
+	clientset := fake.NewSimpleClientset(newProj("foo", "test"), newProj("bar", "test"))
+
+	modification, err := getModification("set", "*", "*", "allow")
+	assert.NoError(t, err)
+	err = updateProjects(clientset.ArgoprojV1alpha1().AppProjects(namespace), "ba*", "*", "set", modification, false)
+	assert.NoError(t, err)
+
+	fooProj, err := clientset.ArgoprojV1alpha1().AppProjects(namespace).Get(context.Background(), "foo", v1.GetOptions{})
+	assert.NoError(t, err)
+	assert.Len(t, fooProj.Spec.Roles[0].Policies, 0)
+
+	barProj, err := clientset.ArgoprojV1alpha1().AppProjects(namespace).Get(context.Background(), "bar", v1.GetOptions{})
+	assert.NoError(t, err)
+	assert.EqualValues(t, barProj.Spec.Roles[0].Policies, []string{"p, proj:bar:test, *, set, bar/*, allow"})
+}
+
+func TestUpdateProjects_FindMatchingRole(t *testing.T) {
+	clientset := fake.NewSimpleClientset(newProj("proj", "foo", "bar"))
+
+	modification, err := getModification("set", "*", "*", "allow")
+	assert.NoError(t, err)
+	err = updateProjects(clientset.ArgoprojV1alpha1().AppProjects(namespace), "*", "fo*", "set", modification, false)
+	assert.NoError(t, err)
+
+	proj, err := clientset.ArgoprojV1alpha1().AppProjects(namespace).Get(context.Background(), "proj", v1.GetOptions{})
+	assert.NoError(t, err)
+	assert.EqualValues(t, proj.Spec.Roles[0].Policies, []string{"p, proj:proj:foo, *, set, proj/*, allow"})
+	assert.Len(t, proj.Spec.Roles[1].Policies, 0)
+}
+
+func TestGetModification_SetPolicy(t *testing.T) {
+	modification, err := getModification("set", "*", "*", "allow")
+	assert.NoError(t, err)
+	policy := modification("proj", "myaction")
+	assert.Equal(t, "*, myaction, proj/*, allow", policy)
+}
+
+func TestGetModification_RemovePolicy(t *testing.T) {
+	modification, err := getModification("remove", "*", "*", "allow")
+	assert.NoError(t, err)
+	policy := modification("proj", "myaction")
+	assert.Equal(t, "", policy)
+}
+
+func TestGetModification_NotSupported(t *testing.T) {
+	_, err := getModification("bar", "*", "*", "allow")
+	assert.Errorf(t, err, "modification bar is not supported")
+}

cmd/argocd-util/commands/rbac.go

@@ -0,0 +1,374 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/server/rbacpolicy"
+	"github.com/argoproj/argo-cd/util/assets"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/rbac"
+)
+
+// Provide a mapping of short-hand resource names to their RBAC counterparts
+var resourceMap map[string]string = map[string]string{
+	"account":     rbacpolicy.ResourceAccounts,
+	"app":         rbacpolicy.ResourceApplications,
+	"apps":        rbacpolicy.ResourceApplications,
+	"application": rbacpolicy.ResourceApplications,
+	"cert":        rbacpolicy.ResourceCertificates,
+	"certs":       rbacpolicy.ResourceCertificates,
+	"certificate": rbacpolicy.ResourceCertificates,
+	"cluster":     rbacpolicy.ResourceClusters,
+	"gpgkey":      rbacpolicy.ResourceGPGKeys,
+	"key":         rbacpolicy.ResourceGPGKeys,
+	"proj":        rbacpolicy.ResourceProjects,
+	"projs":       rbacpolicy.ResourceProjects,
+	"project":     rbacpolicy.ResourceProjects,
+	"repo":        rbacpolicy.ResourceRepositories,
+	"repos":       rbacpolicy.ResourceRepositories,
+	"repository":  rbacpolicy.ResourceRepositories,
+}
+
+// List of allowed RBAC resources
+var validRBACResources map[string]bool = map[string]bool{
+	rbacpolicy.ResourceAccounts:     true,
+	rbacpolicy.ResourceApplications: true,
+	rbacpolicy.ResourceCertificates: true,
+	rbacpolicy.ResourceClusters:     true,
+	rbacpolicy.ResourceGPGKeys:      true,
+	rbacpolicy.ResourceProjects:     true,
+	rbacpolicy.ResourceRepositories: true,
+}
+
+// List of allowed RBAC actions
+var validRBACActions map[string]bool = map[string]bool{
+	rbacpolicy.ActionAction:   true,
+	rbacpolicy.ActionCreate:   true,
+	rbacpolicy.ActionDelete:   true,
+	rbacpolicy.ActionGet:      true,
+	rbacpolicy.ActionOverride: true,
+	rbacpolicy.ActionSync:     true,
+	rbacpolicy.ActionUpdate:   true,
+}
+
+// NewRBACCommand is the command for 'rbac'
+func NewRBACCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "rbac",
+		Short: "Validate and test RBAC configuration",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+	command.AddCommand(NewRBACCanCommand())
+	command.AddCommand(NewRBACValidateCommand())
+	return command
+}
+
+// NewRBACCanRoleCommand is the command for 'rbac can-role'
+func NewRBACCanCommand() *cobra.Command {
+	var (
+		policyFile   string
+		defaultRole  string
+		useBuiltin   bool
+		strict       bool
+		quiet        bool
+		subject      string
+		action       string
+		resource     string
+		subResource  string
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = &cobra.Command{
+		Use:   "can ROLE/SUBJECT ACTION RESOURCE [SUB-RESOURCE]",
+		Short: "Check RBAC permissions for a role or subject",
+		Long: `
+Check whether a given role or subject has appropriate RBAC permissions to do
+something.
+`,
+		Example: `
+# Check whether role some:role has permissions to create an application in the
+# 'default' project, using a local policy.csv file
+argocd-util rbac can some:role create application 'default/app' --policy-file policy.csv
+
+# Policy file can also be K8s config map with data keys like argocd-rbac-cm,
+# i.e. 'policy.csv' and (optionally) 'policy.default'
+argocd-util rbac can some:role create application 'default/app' --policy-file argocd-rbac-cm.yaml
+
+# If --policy-file is not given, the ConfigMap 'argocd-rbac-cm' from K8s is
+# used. You need to specify the argocd namespace, and make sure that your
+# current Kubernetes context is pointing to the cluster Argo CD is running in
+argocd-util rbac can some:role create application 'default/app' --namespace argocd
+
+# You can override a possibly configured default role
+argocd-util rbac can someuser create application 'default/app' --default-role role:readonly
+
+`,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) < 3 || len(args) > 4 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			subject = args[0]
+			action = args[1]
+			resource = args[2]
+			if len(args) > 3 {
+				subResource = args[3]
+			}
+
+			userPolicy := ""
+			builtinPolicy := ""
+
+			var newDefaultRole string
+
+			namespace, nsOverride, err := clientConfig.Namespace()
+			if err != nil {
+				log.Fatalf("could not create k8s client: %v", err)
+			}
+
+			// Exactly one of --namespace or --policy-file must be given.
+			if (!nsOverride && policyFile == "") || (nsOverride && policyFile != "") {
+				c.HelpFunc()(c, args)
+				log.Fatalf("please provide exactly one of --policy-file or --namespace")
+			}
+
+			restConfig, err := clientConfig.ClientConfig()
+			if err != nil {
+				log.Fatalf("could not create k8s client: %v", err)
+			}
+			realClientset, err := kubernetes.NewForConfig(restConfig)
+			if err != nil {
+				log.Fatalf("could not create k8s client: %v", err)
+			}
+
+			userPolicy, newDefaultRole = getPolicy(policyFile, realClientset, namespace)
+
+			// Use built-in policy as augmentation if requested
+			if useBuiltin {
+				builtinPolicy = assets.BuiltinPolicyCSV
+			}
+
+			// If no explicit default role was given, but we have one defined from
+			// a policy, use this to check for enforce.
+			if newDefaultRole != "" && defaultRole == "" {
+				defaultRole = newDefaultRole
+			}
+
+			res := checkPolicy(subject, action, resource, subResource, builtinPolicy, userPolicy, defaultRole, strict)
+			if res {
+				if !quiet {
+					fmt.Println("Yes")
+				}
+				os.Exit(0)
+			} else {
+				if !quiet {
+					fmt.Println("No")
+				}
+				os.Exit(1)
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	command.Flags().StringVar(&policyFile, "policy-file", "", "path to the policy file to use")
+	command.Flags().StringVar(&defaultRole, "default-role", "", "name of the default role to use")
+	command.Flags().BoolVar(&useBuiltin, "use-builtin-policy", true, "whether to also use builtin-policy")
+	command.Flags().BoolVar(&strict, "strict", true, "whether to perform strict check on action and resource names")
+	command.Flags().BoolVarP(&quiet, "quiet", "q", false, "quiet mode - do not print results to stdout")
+	return command
+}
+
+// NewRBACValidateCommand returns a new rbac validate command
+func NewRBACValidateCommand() *cobra.Command {
+	var (
+		policyFile string
+	)
+
+	var command = &cobra.Command{
+		Use:   "validate --policy-file=POLICYFILE",
+		Short: "Validate RBAC policy",
+		Long: `
+Validates an RBAC policy for being syntactically correct. The policy must be
+a local file, and in either CSV or K8s ConfigMap format.
+`,
+		Run: func(c *cobra.Command, args []string) {
+			if policyFile == "" {
+				c.HelpFunc()(c, args)
+				log.Fatalf("Please specify policy to validate using --policy-file")
+			}
+			userPolicy, _ := getPolicy(policyFile, nil, "")
+			if userPolicy != "" {
+				if err := rbac.ValidatePolicy(userPolicy); err == nil {
+					fmt.Printf("Policy is valid.\n")
+					os.Exit(0)
+				} else {
+					fmt.Printf("Policy is invalid: %v\n", err)
+					os.Exit(1)
+				}
+			}
+		},
+	}
+
+	command.Flags().StringVar(&policyFile, "policy-file", "", "path to the policy file to use")
+	return command
+}
+
+// Load user policy file if requested or use Kubernetes client to get the
+// appropriate ConfigMap from the current context
+func getPolicy(policyFile string, kubeClient kubernetes.Interface, namespace string) (userPolicy string, defaultRole string) {
+	var err error
+	if policyFile != "" {
+		// load from file
+		userPolicy, defaultRole, err = getPolicyFromFile(policyFile)
+		if err != nil {
+			log.Fatalf("could not read policy file: %v", err)
+		}
+	} else {
+		cm, err := getPolicyConfigMap(kubeClient, namespace)
+		if err != nil {
+			log.Fatalf("could not get configmap: %v", err)
+		}
+		userPolicy, defaultRole = getPolicyFromConfigMap(cm)
+	}
+
+	return userPolicy, defaultRole
+}
+
+// getPolicyFromFile loads a RBAC policy from given path
+func getPolicyFromFile(policyFile string) (string, string, error) {
+	var (
+		userPolicy  string
+		defaultRole string
+	)
+
+	upol, err := ioutil.ReadFile(policyFile)
+	if err != nil {
+		log.Fatalf("error opening policy file: %v", err)
+		return "", "", err
+	}
+
+	// Try to unmarshal the input file as ConfigMap first. If it succeeds, we
+	// assume config map input. Otherwise, we treat it as
+	var upolCM *corev1.ConfigMap
+	err = yaml.Unmarshal(upol, &upolCM)
+	if err != nil {
+		userPolicy = string(upol)
+	} else {
+		userPolicy, defaultRole = getPolicyFromConfigMap(upolCM)
+	}
+
+	return userPolicy, defaultRole, nil
+}
+
+// Retrieve policy information from a ConfigMap
+func getPolicyFromConfigMap(cm *corev1.ConfigMap) (string, string) {
+	var (
+		userPolicy  string
+		defaultRole string
+		ok          bool
+	)
+	userPolicy, ok = cm.Data[rbac.ConfigMapPolicyCSVKey]
+	if !ok {
+		userPolicy = ""
+	}
+	if defaultRole == "" {
+		defaultRole, ok = cm.Data[rbac.ConfigMapPolicyDefaultKey]
+		if !ok {
+			defaultRole = ""
+		}
+	}
+
+	return userPolicy, defaultRole
+}
+
+// getPolicyConfigMap fetches the RBAC config map from K8s cluster
+func getPolicyConfigMap(client kubernetes.Interface, namespace string) (*corev1.ConfigMap, error) {
+	cm, err := client.CoreV1().ConfigMaps(namespace).Get(context.Background(), common.ArgoCDRBACConfigMapName, v1.GetOptions{})
+	if err != nil {
+		return nil, err
+	}
+	return cm, nil
+}
+
+// checkPolicy checks whether given subject is allowed to execute specified
+// action against specified resource
+func checkPolicy(subject, action, resource, subResource, builtinPolicy, userPolicy, defaultRole string, strict bool) bool {
+	enf := rbac.NewEnforcer(nil, "argocd", "argocd-rbac-cm", nil)
+	enf.SetDefaultRole(defaultRole)
+	if builtinPolicy != "" {
+		if err := enf.SetBuiltinPolicy(builtinPolicy); err != nil {
+			log.Fatalf("could not set built-in policy: %v", err)
+			return false
+		}
+	}
+	if userPolicy != "" {
+		if err := rbac.ValidatePolicy(userPolicy); err != nil {
+			log.Fatalf("invalid user policy: %v", err)
+			return false
+		}
+		if err := enf.SetUserPolicy(userPolicy); err != nil {
+			log.Fatalf("could not set user policy: %v", err)
+			return false
+		}
+	}
+
+	// User could have used a mutation of the resource name (i.e. 'cert' for
+	// 'certificate') - let's resolve it to the valid resource.
+	realResource := resolveRBACResourceName(resource)
+
+	// If in strict mode, validate that given RBAC resource and action are
+	// actually valid tokens.
+	if strict {
+		if !isValidRBACResource(realResource) {
+			log.Fatalf("error in RBAC request: '%s' is not a valid resource name", realResource)
+		}
+		if !isValidRBACAction(action) {
+			log.Fatalf("error in RBAC request: '%s' is not a valid action name", action)
+		}
+	}
+
+	// Application resources have a special notation - for simplicity's sake,
+	// if user gives no sub-resource (or specifies simple '*'), we construct
+	// the required notation by setting subresource to '*/*'.
+	if realResource == rbacpolicy.ResourceApplications {
+		if subResource == "*" || subResource == "" {
+			subResource = "*/*"
+		}
+	}
+
+	return enf.Enforce(subject, realResource, action, subResource)
+}
+
+// resolveRBACResourceName resolves a user supplied value to a valid RBAC
+// resource name. If no mapping is found, returns the value verbatim.
+func resolveRBACResourceName(name string) string {
+	if res, ok := resourceMap[name]; ok {
+		return res
+	} else {
+		return name
+	}
+}
+
+// isValidRBACAction checks whether a given action is a valid RBAC action
+func isValidRBACAction(action string) bool {
+	_, ok := validRBACActions[action]
+	return ok
+}
+
+// isValidRBACResource checks whether a given resource is a valid RBAC resource
+func isValidRBACResource(resource string) bool {
+	_, ok := validRBACResources[resource]
+	return ok
+}

cmd/argocd-util/commands/rbac_test.go

@@ -0,0 +1,91 @@
+package commands
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+
+	"github.com/argoproj/argo-cd/util/assets"
+)
+
+func Test_isValidRBACAction(t *testing.T) {
+	for k := range validRBACActions {
+		t.Run(k, func(t *testing.T) {
+			ok := isValidRBACAction(k)
+			assert.True(t, ok)
+		})
+	}
+	t.Run("invalid", func(t *testing.T) {
+		ok := isValidRBACAction("invalid")
+		assert.False(t, ok)
+	})
+}
+
+func Test_isValidRBACResource(t *testing.T) {
+	for k := range validRBACResources {
+		t.Run(k, func(t *testing.T) {
+			ok := isValidRBACResource(k)
+			assert.True(t, ok)
+		})
+	}
+	t.Run("invalid", func(t *testing.T) {
+		ok := isValidRBACResource("invalid")
+		assert.False(t, ok)
+	})
+}
+
+func Test_PolicyFromCSV(t *testing.T) {
+	uPol, dRole := getPolicy("testdata/rbac/policy.csv", nil, "")
+	require.NotEmpty(t, uPol)
+	require.Empty(t, dRole)
+}
+
+func Test_PolicyFromYAML(t *testing.T) {
+	uPol, dRole := getPolicy("testdata/rbac/argocd-rbac-cm.yaml", nil, "")
+	require.NotEmpty(t, uPol)
+	require.Equal(t, "role:unknown", dRole)
+}
+
+func Test_PolicyFromK8s(t *testing.T) {
+	data, err := ioutil.ReadFile("testdata/rbac/policy.csv")
+	require.NoError(t, err)
+	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "argocd-rbac-cm",
+			Namespace: "argocd",
+		},
+		Data: map[string]string{
+			"policy.csv":     string(data),
+			"policy.default": "role:unknown",
+		},
+	})
+	uPol, dRole := getPolicy("", kubeclientset, "argocd")
+	require.NotEmpty(t, uPol)
+	require.Equal(t, "role:unknown", dRole)
+
+	t.Run("get applications", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "applications", "*/*", assets.BuiltinPolicyCSV, uPol, dRole, true)
+		require.True(t, ok)
+	})
+	t.Run("get clusters", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "clusters", "*", assets.BuiltinPolicyCSV, uPol, dRole, true)
+		require.True(t, ok)
+	})
+	t.Run("get certificates", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "certificates", "*", assets.BuiltinPolicyCSV, uPol, dRole, true)
+		require.False(t, ok)
+	})
+	t.Run("get certificates by default role", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "certificates", "*", assets.BuiltinPolicyCSV, uPol, "role:readonly", true)
+		require.True(t, ok)
+	})
+	t.Run("get certificates by default role without builtin policy", func(t *testing.T) {
+		ok := checkPolicy("role:user", "get", "certificates", "*", "", uPol, "role:readonly", true)
+		require.False(t, ok)
+	})
+}

cmd/argocd-util/commands/secrets_redactor_test.go

@@ -0,0 +1,94 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var textToRedact = `
+connectors:
+- config:
+    clientID: aabbccddeeff00112233
+    clientSecret: |
+      theSecret
+    orgs:
+    - name: your-github-org
+    redirectURI: https://argocd.example.com/api/dex/callback
+  id: github
+  name: GitHub
+  type: github
+- config:
+    bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
+    bindPW: theSecret
+    host: ldap.example.com:636
+  id: ldap
+  name: LDAP
+  type: ldap
+grpc:
+  addr: 0.0.0.0:5557
+telemetry:
+  http: 0.0.0.0:5558
+issuer: https://argocd.example.com/api/dex
+oauth2:
+  skipApprovalScreen: true
+staticClients:
+- id: argo-cd
+  name: Argo CD
+  redirectURIs:
+  - https://argocd.example.com/auth/callback
+  secret: Dis9M-GA11oTwZVQQWdDklPQw-sWXZkWJFyyEhMs
+- id: argo-cd-cli
+  name: Argo CD CLI
+  public: true
+  redirectURIs:
+  - http://localhost
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556`
+
+var expectedRedaction = `connectors:
+- config:
+    clientID: aabbccddeeff00112233
+    clientSecret: '********'
+    orgs:
+    - name: your-github-org
+    redirectURI: https://argocd.example.com/api/dex/callback
+  id: github
+  name: GitHub
+  type: github
+- config:
+    bindDN: uid=serviceaccount,cn=users,dc=example,dc=com
+    bindPW: '********'
+    host: ldap.example.com:636
+  id: ldap
+  name: LDAP
+  type: ldap
+grpc:
+  addr: 0.0.0.0:5557
+issuer: https://argocd.example.com/api/dex
+oauth2:
+  skipApprovalScreen: true
+staticClients:
+- id: argo-cd
+  name: Argo CD
+  redirectURIs:
+  - https://argocd.example.com/auth/callback
+  secret: '********'
+- id: argo-cd-cli
+  name: Argo CD CLI
+  public: true
+  redirectURIs:
+  - http://localhost
+storage:
+  type: memory
+telemetry:
+  http: 0.0.0.0:5558
+web:
+  http: 0.0.0.0:5556
+`
+
+func TestSecretsRedactor(t *testing.T) {
+	assert.Equal(t, expectedRedaction, redactor(textToRedact))
+}

cmd/argocd-util/commands/settings.go

@@ -0,0 +1,545 @@
+package commands
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"reflect"
+	"sort"
+	"strconv"
+	"strings"
+	"text/tabwriter"
+
+	healthutil "github.com/argoproj/gitops-engine/pkg/health"
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/argo/normalizers"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/lua"
+	"github.com/argoproj/argo-cd/util/settings"
+)
+
+type settingsOpts struct {
+	argocdCMPath        string
+	argocdSecretPath    string
+	loadClusterSettings bool
+	clientConfig        clientcmd.ClientConfig
+}
+
+type commandContext interface {
+	createSettingsManager() (*settings.SettingsManager, error)
+}
+
+func collectLogs(callback func()) string {
+	log.SetLevel(log.DebugLevel)
+	out := bytes.Buffer{}
+	log.SetOutput(&out)
+	defer log.SetLevel(log.FatalLevel)
+	callback()
+	return out.String()
+}
+
+func setSettingsMeta(obj v1.Object) {
+	obj.SetNamespace("default")
+	labels := obj.GetLabels()
+	if labels == nil {
+		labels = make(map[string]string)
+	}
+	labels["app.kubernetes.io/part-of"] = "argocd"
+	obj.SetLabels(labels)
+}
+
+func (opts *settingsOpts) createSettingsManager() (*settings.SettingsManager, error) {
+	var argocdCM *corev1.ConfigMap
+	if opts.argocdCMPath == "" && !opts.loadClusterSettings {
+		return nil, fmt.Errorf("either --argocd-cm-path must be provided or --load-cluster-settings must be set to true")
+	} else if opts.argocdCMPath == "" {
+		realClientset, ns, err := opts.getK8sClient()
+		if err != nil {
+			return nil, err
+		}
+
+		argocdCM, err = realClientset.CoreV1().ConfigMaps(ns).Get(context.Background(), common.ArgoCDConfigMapName, v1.GetOptions{})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		data, err := ioutil.ReadFile(opts.argocdCMPath)
+		if err != nil {
+			return nil, err
+		}
+		err = yaml.Unmarshal(data, &argocdCM)
+		if err != nil {
+			return nil, err
+		}
+	}
+	setSettingsMeta(argocdCM)
+
+	var argocdSecret *corev1.Secret
+	if opts.argocdSecretPath != "" {
+		data, err := ioutil.ReadFile(opts.argocdSecretPath)
+		if err != nil {
+			return nil, err
+		}
+		err = yaml.Unmarshal(data, &argocdSecret)
+		if err != nil {
+			return nil, err
+		}
+		setSettingsMeta(argocdSecret)
+	} else if opts.loadClusterSettings {
+		realClientset, ns, err := opts.getK8sClient()
+		if err != nil {
+			return nil, err
+		}
+		argocdSecret, err = realClientset.CoreV1().Secrets(ns).Get(context.Background(), common.ArgoCDSecretName, v1.GetOptions{})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		argocdSecret = &corev1.Secret{
+			ObjectMeta: v1.ObjectMeta{
+				Name: common.ArgoCDSecretName,
+			},
+			Data: map[string][]byte{
+				"admin.password":   []byte("test"),
+				"server.secretkey": []byte("test"),
+			},
+		}
+	}
+	setSettingsMeta(argocdSecret)
+	clientset := fake.NewSimpleClientset(argocdSecret, argocdCM)
+
+	manager := settings.NewSettingsManager(context.Background(), clientset, "default")
+	errors.CheckError(manager.ResyncInformers())
+
+	return manager, nil
+}
+
+func (opts *settingsOpts) getK8sClient() (*kubernetes.Clientset, string, error) {
+	namespace, _, err := opts.clientConfig.Namespace()
+	if err != nil {
+		return nil, "", err
+	}
+
+	restConfig, err := opts.clientConfig.ClientConfig()
+	if err != nil {
+		return nil, "", err
+	}
+
+	realClientset, err := kubernetes.NewForConfig(restConfig)
+	if err != nil {
+		return nil, "", err
+	}
+	return realClientset, namespace, nil
+}
+
+func NewSettingsCommand() *cobra.Command {
+	var (
+		opts settingsOpts
+	)
+
+	var command = &cobra.Command{
+		Use:   "settings",
+		Short: "Provides set of commands for settings validation and troubleshooting",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+	log.SetLevel(log.FatalLevel)
+
+	command.AddCommand(NewValidateSettingsCommand(&opts))
+	command.AddCommand(NewResourceOverridesCommand(&opts))
+
+	opts.clientConfig = cli.AddKubectlFlagsToCmd(command)
+	command.PersistentFlags().StringVar(&opts.argocdCMPath, "argocd-cm-path", "", "Path to local argocd-cm.yaml file")
+	command.PersistentFlags().StringVar(&opts.argocdSecretPath, "argocd-secret-path", "", "Path to local argocd-secret.yaml file")
+	command.PersistentFlags().BoolVar(&opts.loadClusterSettings, "load-cluster-settings", false,
+		"Indicates that config map and secret should be loaded from cluster unless local file path is provided")
+	return command
+}
+
+type settingValidator func(manager *settings.SettingsManager) (string, error)
+
+func joinValidators(validators ...settingValidator) settingValidator {
+	return func(manager *settings.SettingsManager) (string, error) {
+		var errorStrs []string
+		var summaries []string
+		for i := range validators {
+			summary, err := validators[i](manager)
+			if err != nil {
+				errorStrs = append(errorStrs, err.Error())
+			}
+			if summary != "" {
+				summaries = append(summaries, summary)
+			}
+		}
+		if len(errorStrs) > 0 {
+			return "", fmt.Errorf("%s", strings.Join(errorStrs, "\n"))
+		}
+		return strings.Join(summaries, "\n"), nil
+	}
+}
+
+var validatorsByGroup = map[string]settingValidator{
+	"general": joinValidators(func(manager *settings.SettingsManager) (string, error) {
+		general, err := manager.GetSettings()
+		if err != nil {
+			return "", err
+		}
+		ssoProvider := ""
+		if general.DexConfig != "" {
+			if _, err := settings.UnmarshalDexConfig(general.DexConfig); err != nil {
+				return "", fmt.Errorf("invalid dex.config: %v", err)
+			}
+			ssoProvider = "Dex"
+		} else if general.OIDCConfigRAW != "" {
+			if _, err := settings.UnmarshalOIDCConfig(general.OIDCConfigRAW); err != nil {
+				return "", fmt.Errorf("invalid oidc.config: %v", err)
+			}
+			ssoProvider = "OIDC"
+		}
+		var summary string
+		if ssoProvider != "" {
+			summary = fmt.Sprintf("%s is configured", ssoProvider)
+			if general.URL == "" {
+				summary = summary + " ('url' field is missing)"
+			}
+		} else if ssoProvider != "" && general.URL != "" {
+
+		} else {
+			summary = "SSO is not configured"
+		}
+		return summary, nil
+	}, func(manager *settings.SettingsManager) (string, error) {
+		_, err := manager.GetAppInstanceLabelKey()
+		return "", err
+	}, func(manager *settings.SettingsManager) (string, error) {
+		_, err := manager.GetHelp()
+		return "", err
+	}, func(manager *settings.SettingsManager) (string, error) {
+		_, err := manager.GetGoogleAnalytics()
+		return "", err
+	}),
+	"plugins": func(manager *settings.SettingsManager) (string, error) {
+		plugins, err := manager.GetConfigManagementPlugins()
+		if err != nil {
+			return "", err
+		}
+		return fmt.Sprintf("%d plugins", len(plugins)), nil
+	},
+	"kustomize": func(manager *settings.SettingsManager) (string, error) {
+		opts, err := manager.GetKustomizeSettings()
+		if err != nil {
+			return "", err
+		}
+		summary := "default options"
+		if opts.BuildOptions != "" {
+			summary = opts.BuildOptions
+		}
+		if len(opts.Versions) > 0 {
+			summary = fmt.Sprintf("%s (%d versions)", summary, len(opts.Versions))
+		}
+		return summary, err
+	},
+	"repositories": joinValidators(func(manager *settings.SettingsManager) (string, error) {
+		repos, err := manager.GetRepositories()
+		if err != nil {
+			return "", err
+		}
+		return fmt.Sprintf("%d repositories", len(repos)), nil
+	}, func(manager *settings.SettingsManager) (string, error) {
+		creds, err := manager.GetRepositoryCredentials()
+		if err != nil {
+			return "", err
+		}
+		return fmt.Sprintf("%d repository credentials", len(creds)), nil
+	}),
+	"accounts": func(manager *settings.SettingsManager) (string, error) {
+		accounts, err := manager.GetAccounts()
+		if err != nil {
+			return "", err
+		}
+		return fmt.Sprintf("%d accounts", len(accounts)), nil
+	},
+	"resource-overrides": func(manager *settings.SettingsManager) (string, error) {
+		overrides, err := manager.GetResourceOverrides()
+		if err != nil {
+			return "", err
+		}
+		return fmt.Sprintf("%d resource overrides", len(overrides)), nil
+	},
+}
+
+func NewValidateSettingsCommand(cmdCtx commandContext) *cobra.Command {
+	var (
+		groups []string
+	)
+
+	var allGroups []string
+	for k := range validatorsByGroup {
+		allGroups = append(allGroups, k)
+	}
+	sort.Slice(allGroups, func(i, j int) bool {
+		return allGroups[i] < allGroups[j]
+	})
+
+	var command = &cobra.Command{
+		Use:   "validate",
+		Short: "Validate settings",
+		Long:  "Validates settings specified in 'argocd-cm' ConfigMap and 'argocd-secret' Secret",
+		Example: `
+#Validates all settings in the specified YAML file
+argocd-util settings validate --argocd-cm-path ./argocd-cm.yaml
+
+#Validates accounts and plugins settings in Kubernetes cluster of current kubeconfig context
+argocd-util settings validate --group accounts --group plugins --load-cluster-settings`,
+		Run: func(c *cobra.Command, args []string) {
+			settingsManager, err := cmdCtx.createSettingsManager()
+			errors.CheckError(err)
+
+			if len(groups) == 0 {
+				groups = allGroups
+			}
+			for i, group := range groups {
+				validator := validatorsByGroup[group]
+
+				logs := collectLogs(func() {
+					summary, err := validator(settingsManager)
+
+					if err != nil {
+						_, _ = fmt.Fprintf(os.Stdout, "❌ %s\n", group)
+						_, _ = fmt.Fprintf(os.Stdout, "%s\n", err.Error())
+					} else {
+						_, _ = fmt.Fprintf(os.Stdout, "✅ %s\n", group)
+						if summary != "" {
+							_, _ = fmt.Fprintf(os.Stdout, "%s\n", summary)
+						}
+					}
+				})
+				if logs != "" {
+					_, _ = fmt.Fprintf(os.Stdout, "%s\n", logs)
+				}
+				if i != len(groups)-1 {
+					_, _ = fmt.Fprintf(os.Stdout, "\n")
+				}
+			}
+		},
+	}
+
+	command.Flags().StringArrayVar(&groups, "group", nil, fmt.Sprintf(
+		"Optional list of setting groups that have to be validated ( one of: %s)", strings.Join(allGroups, ", ")))
+
+	return command
+}
+
+func NewResourceOverridesCommand(cmdCtx commandContext) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "resource-overrides",
+		Short: "Troubleshoot resource overrides",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+	command.AddCommand(NewResourceIgnoreDifferencesCommand(cmdCtx))
+	command.AddCommand(NewResourceActionListCommand(cmdCtx))
+	command.AddCommand(NewResourceActionRunCommand(cmdCtx))
+	command.AddCommand(NewResourceHealthCommand(cmdCtx))
+	return command
+}
+
+func executeResourceOverrideCommand(cmdCtx commandContext, args []string, callback func(res unstructured.Unstructured, override v1alpha1.ResourceOverride, overrides map[string]v1alpha1.ResourceOverride)) {
+	data, err := ioutil.ReadFile(args[0])
+	errors.CheckError(err)
+
+	res := unstructured.Unstructured{}
+	errors.CheckError(yaml.Unmarshal(data, &res))
+
+	settingsManager, err := cmdCtx.createSettingsManager()
+	errors.CheckError(err)
+
+	overrides, err := settingsManager.GetResourceOverrides()
+	errors.CheckError(err)
+	gvk := res.GroupVersionKind()
+	key := gvk.Kind
+	if gvk.Group != "" {
+		key = fmt.Sprintf("%s/%s", gvk.Group, gvk.Kind)
+	}
+	override, hasOverride := overrides[key]
+	if !hasOverride {
+		_, _ = fmt.Printf("No overrides configured for '%s/%s'\n", gvk.Group, gvk.Kind)
+		return
+	}
+	callback(res, override, overrides)
+}
+
+func NewResourceIgnoreDifferencesCommand(cmdCtx commandContext) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "ignore-differences RESOURCE_YAML_PATH",
+		Short: "Renders fields excluded from diffing",
+		Long:  "Renders ignored fields using the 'ignoreDifferences' setting specified in the 'resource.customizations' field of 'argocd-cm' ConfigMap",
+		Example: `
+argocd-util settings resource-overrides ignore-differences ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) < 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			executeResourceOverrideCommand(cmdCtx, args, func(res unstructured.Unstructured, override v1alpha1.ResourceOverride, overrides map[string]v1alpha1.ResourceOverride) {
+				gvk := res.GroupVersionKind()
+				if len(override.IgnoreDifferences.JSONPointers) == 0 {
+					_, _ = fmt.Printf("Ignore differences are not configured for '%s/%s'\n", gvk.Group, gvk.Kind)
+					return
+				}
+
+				normalizer, err := normalizers.NewIgnoreNormalizer(nil, overrides)
+				errors.CheckError(err)
+
+				normalizedRes := res.DeepCopy()
+				logs := collectLogs(func() {
+					errors.CheckError(normalizer.Normalize(normalizedRes))
+				})
+				if logs != "" {
+					_, _ = fmt.Println(logs)
+				}
+
+				if reflect.DeepEqual(&res, normalizedRes) {
+					_, _ = fmt.Printf("No fields are ignored by ignoreDifferences settings: \n%s\n", override.IgnoreDifferences)
+					return
+				}
+
+				_, _ = fmt.Printf("Following fields are ignored:\n\n")
+				_ = cli.PrintDiff(res.GetName(), &res, normalizedRes)
+			})
+		},
+	}
+	return command
+}
+
+func NewResourceHealthCommand(cmdCtx commandContext) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "health RESOURCE_YAML_PATH",
+		Short: "Assess resource health",
+		Long:  "Assess resource health using the lua script configured in the 'resource.customizations' field of 'argocd-cm' ConfigMap",
+		Example: `
+argocd-util settings resource-overrides health ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) < 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			executeResourceOverrideCommand(cmdCtx, args, func(res unstructured.Unstructured, override v1alpha1.ResourceOverride, overrides map[string]v1alpha1.ResourceOverride) {
+				gvk := res.GroupVersionKind()
+				if override.HealthLua == "" {
+					_, _ = fmt.Printf("Health script is not configured for '%s/%s'\n", gvk.Group, gvk.Kind)
+					return
+				}
+
+				resHealth, err := healthutil.GetResourceHealth(&res, lua.ResourceHealthOverrides(overrides))
+				errors.CheckError(err)
+
+				_, _ = fmt.Printf("STATUS: %s\n", resHealth.Status)
+				_, _ = fmt.Printf("MESSAGE: %s\n", resHealth.Message)
+			})
+		},
+	}
+	return command
+}
+
+func NewResourceActionListCommand(cmdCtx commandContext) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "list-actions RESOURCE_YAML_PATH",
+		Short: "List available resource actions",
+		Long:  "List actions available for given resource action using the lua scripts configured in the 'resource.customizations' field of 'argocd-cm' ConfigMap and outputs updated fields",
+		Example: `
+argocd-util settings resource-overrides action list /tmp/deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) < 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			executeResourceOverrideCommand(cmdCtx, args, func(res unstructured.Unstructured, override v1alpha1.ResourceOverride, overrides map[string]v1alpha1.ResourceOverride) {
+				gvk := res.GroupVersionKind()
+				if override.Actions == "" {
+					_, _ = fmt.Printf("Actions are not configured for '%s/%s'\n", gvk.Group, gvk.Kind)
+					return
+				}
+
+				luaVM := lua.VM{ResourceOverrides: overrides}
+				discoveryScript, err := luaVM.GetResourceActionDiscovery(&res)
+				errors.CheckError(err)
+
+				availableActions, err := luaVM.ExecuteResourceActionDiscovery(&res, discoveryScript)
+				errors.CheckError(err)
+				sort.Slice(availableActions, func(i, j int) bool {
+					return availableActions[i].Name < availableActions[j].Name
+				})
+
+				w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+				_, _ = fmt.Fprintf(w, "NAME\tENABLED\n")
+				for _, action := range availableActions {
+					_, _ = fmt.Fprintf(w, "%s\t%s\n", action.Name, strconv.FormatBool(action.Disabled))
+				}
+				_ = w.Flush()
+			})
+		},
+	}
+	return command
+}
+
+func NewResourceActionRunCommand(cmdCtx commandContext) *cobra.Command {
+	var command = &cobra.Command{
+		Use:     "run-action RESOURCE_YAML_PATH ACTION",
+		Aliases: []string{"action"},
+		Short:   "Executes resource action",
+		Long:    "Executes resource action using the lua script configured in the 'resource.customizations' field of 'argocd-cm' ConfigMap and outputs updated fields",
+		Example: `
+argocd-util settings resource-overrides action run /tmp/deploy.yaml restart --argocd-cm-path ./argocd-cm.yaml`,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) < 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			action := args[1]
+
+			executeResourceOverrideCommand(cmdCtx, args, func(res unstructured.Unstructured, override v1alpha1.ResourceOverride, overrides map[string]v1alpha1.ResourceOverride) {
+				gvk := res.GroupVersionKind()
+				if override.Actions == "" {
+					_, _ = fmt.Printf("Actions are not configured for '%s/%s'\n", gvk.Group, gvk.Kind)
+					return
+				}
+
+				luaVM := lua.VM{ResourceOverrides: overrides}
+				action, err := luaVM.GetResourceAction(&res, action)
+				errors.CheckError(err)
+
+				modifiedRes, err := luaVM.ExecuteResourceAction(&res, action.ActionLua)
+				errors.CheckError(err)
+
+				if reflect.DeepEqual(&res, modifiedRes) {
+					_, _ = fmt.Printf("No fields had been changed by action: \n%s\n", action.Name)
+					return
+				}
+
+				_, _ = fmt.Printf("Following fields have been changed:\n\n")
+				_ = cli.PrintDiff(res.GetName(), &res, modifiedRes)
+			})
+		},
+	}
+	return command
+}

cmd/argocd-util/commands/settings_test.go

@@ -0,0 +1,383 @@
+package commands
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/argoproj/argo-cd/common"
+	utils "github.com/argoproj/argo-cd/util/io"
+	"github.com/argoproj/argo-cd/util/settings"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+func captureStdout(callback func()) (string, error) {
+	oldStdout := os.Stdout
+	oldStderr := os.Stderr
+	r, w, err := os.Pipe()
+	if err != nil {
+		return "", err
+	}
+	os.Stdout = w
+	defer func() {
+		os.Stdout = oldStdout
+		os.Stderr = oldStderr
+	}()
+
+	callback()
+	utils.Close(w)
+
+	data, err := ioutil.ReadAll(r)
+
+	if err != nil {
+		return "", err
+	}
+	return string(data), err
+}
+
+func newSettingsManager(data map[string]string) *settings.SettingsManager {
+	clientset := fake.NewSimpleClientset(&v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      common.ArgoCDConfigMapName,
+			Labels: map[string]string{
+				"app.kubernetes.io/part-of": "argocd",
+			},
+		},
+		Data: data,
+	}, &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: "default",
+			Name:      common.ArgoCDSecretName,
+		},
+		Data: map[string][]byte{
+			"admin.password":   []byte("test"),
+			"server.secretkey": []byte("test"),
+		},
+	})
+	return settings.NewSettingsManager(context.Background(), clientset, "default")
+}
+
+type fakeCmdContext struct {
+	mgr *settings.SettingsManager
+	// nolint:unused,structcheck
+	out bytes.Buffer
+}
+
+func newCmdContext(data map[string]string) *fakeCmdContext {
+	return &fakeCmdContext{mgr: newSettingsManager(data)}
+}
+
+func (ctx *fakeCmdContext) createSettingsManager() (*settings.SettingsManager, error) {
+	return ctx.mgr, nil
+}
+
+type validatorTestCase struct {
+	validator       string
+	data            map[string]string
+	containsSummary string
+	containsError   string
+}
+
+func TestCreateSettingsManager(t *testing.T) {
+	f, closer, err := tempFile(`apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  url: https://myargocd.com`)
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer utils.Close(closer)
+
+	opts := settingsOpts{argocdCMPath: f}
+	settingsManager, err := opts.createSettingsManager()
+
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	argoCDSettings, err := settingsManager.GetSettings()
+	if !assert.NoError(t, err) {
+		return
+	}
+
+	assert.Equal(t, "https://myargocd.com", argoCDSettings.URL)
+}
+
+func TestValidator(t *testing.T) {
+	testCases := map[string]validatorTestCase{
+		"General_SSOIsNotConfigured": {
+			validator: "general", containsSummary: "SSO is not configured",
+		},
+		"General_DexInvalidConfig": {
+			validator:     "general",
+			data:          map[string]string{"dex.config": "abcdefg"},
+			containsError: "invalid dex.config",
+		},
+		"General_OIDCConfigured": {
+			validator: "general",
+			data: map[string]string{
+				"url": "https://myargocd.com",
+				"oidc.config": `
+name: Okta
+issuer: https://dev-123456.oktapreview.com
+clientID: aaaabbbbccccddddeee
+clientSecret: aaaabbbbccccddddeee`,
+			},
+			containsSummary: "OIDC is configured",
+		},
+		"General_DexConfiguredMissingURL": {
+			validator: "general",
+			data: map[string]string{
+				"dex.config": `connectors:
+- type: github
+  name: GitHub
+  config:
+    clientID: aabbccddeeff00112233
+    clientSecret: aabbccddeeff00112233`,
+			},
+			containsSummary: "Dex is configured ('url' field is missing)",
+		},
+		"Plugins_ValidConfig": {
+			validator: "plugins",
+			data: map[string]string{
+				"configManagementPlugins": `[{"name": "test1"}, {"name": "test2"}]`,
+			},
+			containsSummary: "2 plugins",
+		},
+		"Kustomize_ModifiedOptions": {
+			validator:       "kustomize",
+			containsSummary: "default options",
+		},
+		"Kustomize_DefaultOptions": {
+			validator: "kustomize",
+			data: map[string]string{
+				"kustomize.buildOptions":  "updated-options (2 versions)",
+				"kustomize.versions.v123": "binary-123",
+				"kustomize.versions.v321": "binary-321",
+			},
+			containsSummary: "updated-options",
+		},
+		"Repositories": {
+			validator: "repositories",
+			data: map[string]string{
+				"repositories": `
+- url: https://github.com/argoproj/my-private-repository1
+- url: https://github.com/argoproj/my-private-repository2`,
+			},
+			containsSummary: "2 repositories",
+		},
+		"Accounts": {
+			validator: "accounts",
+			data: map[string]string{
+				"accounts.user1": "apiKey, login",
+				"accounts.user2": "login",
+				"accounts.user3": "apiKey",
+			},
+			containsSummary: "4 accounts",
+		},
+		"ResourceOverrides": {
+			validator: "resource-overrides",
+			data: map[string]string{
+				"resource.customizations": `
+admissionregistration.k8s.io/MutatingWebhookConfiguration:
+  ignoreDifferences: |
+  jsonPointers:
+  - /webhooks/0/clientConfig/caBundle`,
+			},
+			containsSummary: "2 resource overrides",
+		},
+	}
+	for name := range testCases {
+		tc := testCases[name]
+		t.Run(name, func(t *testing.T) {
+			validator, ok := validatorsByGroup[tc.validator]
+			if !assert.True(t, ok) {
+				return
+			}
+			summary, err := validator(newSettingsManager(tc.data))
+			if tc.containsSummary != "" {
+				assert.NoError(t, err)
+				assert.Contains(t, summary, tc.containsSummary)
+			} else if tc.containsError != "" {
+				if assert.Error(t, err) {
+					assert.Contains(t, err.Error(), tc.containsError)
+				}
+			}
+		})
+	}
+}
+
+const (
+	testDeploymentYAML = `apiVersion: v1
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 0`
+)
+
+func tempFile(content string) (string, io.Closer, error) {
+	f, err := ioutil.TempFile("", "*.yaml")
+	if err != nil {
+		return "", nil, err
+	}
+	_, err = f.Write([]byte(content))
+	if err != nil {
+		_ = os.Remove(f.Name())
+		return "", nil, err
+	}
+	return f.Name(), utils.NewCloser(func() error {
+		return os.Remove(f.Name())
+	}), nil
+}
+
+func TestValidateSettingsCommand_NoErrors(t *testing.T) {
+	cmd := NewValidateSettingsCommand(newCmdContext(map[string]string{}))
+	out, err := captureStdout(func() {
+		err := cmd.Execute()
+		assert.NoError(t, err)
+	})
+
+	assert.NoError(t, err)
+	for k := range validatorsByGroup {
+		assert.Contains(t, out, fmt.Sprintf("✅ %s", k))
+	}
+}
+
+func TestResourceOverrideIgnoreDifferences(t *testing.T) {
+	f, closer, err := tempFile(testDeploymentYAML)
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer utils.Close(closer)
+
+	t.Run("NoOverridesConfigured", func(t *testing.T) {
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{}))
+		out, err := captureStdout(func() {
+			cmd.SetArgs([]string{"ignore-differences", f})
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		})
+		assert.NoError(t, err)
+		assert.Contains(t, out, "No overrides configured")
+	})
+
+	t.Run("DataIgnored", func(t *testing.T) {
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+			"resource.customizations": `apps/Deployment:
+  ignoreDifferences: |
+    jsonPointers:
+    - /spec`}))
+		out, err := captureStdout(func() {
+			cmd.SetArgs([]string{"ignore-differences", f})
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		})
+		assert.NoError(t, err)
+		assert.Contains(t, out, "< spec:")
+	})
+}
+
+func TestResourceOverrideHealth(t *testing.T) {
+	f, closer, err := tempFile(testDeploymentYAML)
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer utils.Close(closer)
+
+	t.Run("NoHealthAssessment", func(t *testing.T) {
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+			"resource.customizations": `apps/Deployment: {}`}))
+		out, err := captureStdout(func() {
+			cmd.SetArgs([]string{"health", f})
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		})
+		assert.NoError(t, err)
+		assert.Contains(t, out, "Health script is not configured")
+	})
+
+	t.Run("HealthAssessmentConfigured", func(t *testing.T) {
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+			"resource.customizations": `apps/Deployment:
+  health.lua: |
+    return { status = "Progressing" }
+`}))
+		out, err := captureStdout(func() {
+			cmd.SetArgs([]string{"health", f})
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		})
+		assert.NoError(t, err)
+		assert.Contains(t, out, "Progressing")
+	})
+}
+
+func TestResourceOverrideAction(t *testing.T) {
+	f, closer, err := tempFile(testDeploymentYAML)
+	if !assert.NoError(t, err) {
+		return
+	}
+	defer utils.Close(closer)
+
+	t.Run("NoActions", func(t *testing.T) {
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+			"resource.customizations": `apps/Deployment: {}`}))
+		out, err := captureStdout(func() {
+			cmd.SetArgs([]string{"run-action", f, "test"})
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		})
+		assert.NoError(t, err)
+		assert.Contains(t, out, "Actions are not configured")
+	})
+
+	t.Run("ActionConfigured", func(t *testing.T) {
+		cmd := NewResourceOverridesCommand(newCmdContext(map[string]string{
+			"resource.customizations": `apps/Deployment:
+  actions: |
+    discovery.lua: |
+      actions = {}
+      actions["resume"] = {["disabled"] = false}
+      actions["restart"] = {["disabled"] = false}
+      return actions
+    definitions:
+    - name: test
+      action.lua: |
+        obj.metadata.labels["test"] = 'updated'
+        return obj
+`}))
+		out, err := captureStdout(func() {
+			cmd.SetArgs([]string{"run-action", f, "test"})
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		})
+		assert.NoError(t, err)
+		assert.Contains(t, out, "test: updated")
+
+		out, err = captureStdout(func() {
+			cmd.SetArgs([]string{"list-actions", f})
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		})
+		assert.NoError(t, err)
+		assert.Contains(t, out, `NAME     ENABLED
+restart  false
+resume   false
+`)
+	})
+}

cmd/argocd-util/commands/testdata/rbac/argocd-rbac-cm.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+data:
+  policy.csv: |
+    p, role:user, clusters, get, *, allow
+    p, role:user, clusters, get, https://kubernetes*, deny
+    p, role:user, projects, get, *, allow
+    p, role:user, applications, get, *, allow
+    p, role:user, applications, create, */*, allow
+    p, role:user, applications, delete, *, allow
+    p, role:user, applications, delete, */guestbook, deny
+    g, test, role:user
+  policy.default: role:unknown
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-rbac-cm
+  namespace: argocd

cmd/argocd-util/commands/testdata/rbac/policy.csv

@@ -0,0 +1,9 @@
+p, role:user, clusters, get, *, allow
+p, role:user, clusters, get, https://kubernetes*, deny
+p, role:user, projects, get, *, allow
+p, role:user, applications, get, *, allow
+p, role:user, applications, create, */*, allow
+p, role:user, applications, delete, *, allow
+p, role:user, applications, delete, */guestbook, deny
+p, role:test, certificates, get, *, allow
+g, test, role:user

cmd/argocd-util/commands/testdata/test_clusterrole.yaml

@@ -0,0 +1,787 @@
+aggregationRule:
+  clusterRoleSelectors:
+    - matchLabels:
+        rbac.authorization.k8s.io/aggregate-to-admin: "true"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+  name: admin
+rules:
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - cronworkflows
+      - cronworkflows/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - gateways
+      - gateways/finalizers
+      - sensors
+      - sensors/finalizers
+      - eventsources
+      - eventsources/finalizers
+      - eventbuses
+      - eventbuses/finalizers
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - rollouts
+      - rollouts/scale
+      - experiments
+      - analysistemplates
+      - clusteranalysistemplates
+      - analysisruns
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - metrics.k8s.io
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - iammanager.keikoproj.io
+    resources:
+      - iamroles
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods/attach
+      - pods/exec
+      - pods/portforward
+      - pods/proxy
+      - secrets
+      - services/proxy
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - serviceaccounts
+    verbs:
+      - impersonate
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/attach
+      - pods/exec
+      - pods/portforward
+      - pods/proxy
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - persistentvolumeclaims
+      - replicationcontrollers
+      - replicationcontrollers/scale
+      - secrets
+      - serviceaccounts
+      - services
+      - services/proxy
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - deployments
+      - deployments/rollback
+      - deployments/scale
+      - replicasets
+      - replicasets/scale
+      - statefulsets
+      - statefulsets/scale
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+      - jobs
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - extensions
+    resources:
+      - daemonsets
+      - deployments
+      - deployments/rollback
+      - deployments/scale
+      - ingresses
+      - networkpolicies
+      - replicasets
+      - replicasets/scale
+      - replicationcontrollers/scale
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - patch
+      - update
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - create
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - delete
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - deletecollection
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - patch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - update
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - workflows
+      - workflows/finalizers
+      - workflowtemplates
+      - workflowtemplates/finalizers
+      - cronworkflows
+      - cronworkflows/finalizers
+      - clusterworkflowtemplates
+      - clusterworkflowtemplates/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - gateways
+      - gateways/finalizers
+      - sensors
+      - sensors/finalizers
+      - eventsources
+      - eventsources/finalizers
+      - eventbuses
+      - eventbuses/finalizers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - argoproj.io
+    resources:
+      - rollouts
+      - rollouts/scale
+      - experiments
+      - analysistemplates
+      - clusteranalysistemplates
+      - analysisruns
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resourceNames:
+      - prometheus-k8s-prometheus-1
+      - prometheus-k8s-prometheus-0
+    resources:
+      - pods/portforward
+    verbs:
+      - create
+  - apiGroups:
+      - networking.istio.io
+    resources:
+      - virtualservices
+      - destinationrules
+      - serviceentries
+      - envoyfilters
+      - gateways
+      - sidecars
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - endpoints
+      - persistentvolumeclaims
+      - pods
+      - replicationcontrollers
+      - replicationcontrollers/scale
+      - serviceaccounts
+      - services
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - bindings
+      - events
+      - limitranges
+      - namespaces/status
+      - pods/log
+      - pods/status
+      - replicationcontrollers/status
+      - resourcequotas
+      - resourcequotas/status
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - deployments
+      - deployments/scale
+      - replicasets
+      - replicasets/scale
+      - statefulsets
+      - statefulsets/scale
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+      - jobs
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - daemonsets
+      - deployments
+      - deployments/scale
+      - ingresses
+      - networkpolicies
+      - replicasets
+      - replicasets/scale
+      - replicationcontrollers/scale
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - controllerrevisions
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - controllerrevisions
+    verbs:
+      - list
+  - apiGroups:
+      - apps
+    resources:
+      - controllerrevisions
+    verbs:
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - get
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - list
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses
+    verbs:
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims/status
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims/status
+    verbs:
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - persistentvolumeclaims/status
+    verbs:
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - services/status
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - services/status
+    verbs:
+      - list
+  - apiGroups:
+      - ""
+    resources:
+      - services/status
+    verbs:
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets/status
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets/status
+    verbs:
+      - list
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets/status
+    verbs:
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - deployments/status
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - deployments/status
+    verbs:
+      - list
+  - apiGroups:
+      - apps
+    resources:
+      - deployments/status
+    verbs:
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets/status
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets/status
+    verbs:
+      - list
+  - apiGroups:
+      - apps
+    resources:
+      - replicasets/status
+    verbs:
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets/status
+    verbs:
+      - get
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets/status
+    verbs:
+      - list
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets/status
+    verbs:
+      - watch
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers/status
+    verbs:
+      - get
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers/status
+    verbs:
+      - list
+  - apiGroups:
+      - autoscaling
+    resources:
+      - horizontalpodautoscalers/status
+    verbs:
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs/status
+    verbs:
+      - get
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs/status
+    verbs:
+      - list
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs/status
+    verbs:
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs/status
+    verbs:
+      - get
+  - apiGroups:
+      - batch
+    resources:
+      - jobs/status
+    verbs:
+      - list
+  - apiGroups:
+      - batch
+    resources:
+      - jobs/status
+    verbs:
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - daemonsets/status
+    verbs:
+      - get
+  - apiGroups:
+      - extensions
+    resources:
+      - daemonsets/status
+    verbs:
+      - list
+  - apiGroups:
+      - extensions
+    resources:
+      - daemonsets/status
+    verbs:
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - deployments/status
+    verbs:
+      - get
+  - apiGroups:
+      - extensions
+    resources:
+      - deployments/status
+    verbs:
+      - list
+  - apiGroups:
+      - extensions
+    resources:
+      - deployments/status
+    verbs:
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - get
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - list
+  - apiGroups:
+      - extensions
+    resources:
+      - ingresses/status
+    verbs:
+      - watch
+  - apiGroups:
+      - extensions
+    resources:
+      - replicasets/status
+    verbs:
+      - get
+  - apiGroups:
+      - extensions
+    resources:
+      - replicasets/status
+    verbs:
+      - list
+  - apiGroups:
+      - extensions
+    resources:
+      - replicasets/status
+    verbs:
+      - watch
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets/status
+    verbs:
+      - get
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets/status
+    verbs:
+      - list
+  - apiGroups:
+      - policy
+    resources:
+      - poddisruptionbudgets/status
+    verbs:
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - get
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - list
+  - apiGroups:
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingresses/status
+    verbs:
+      - update
+  - apiGroups:
+      - monitoring.coreos.com
+    resources:
+      - prometheusrules
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - delete
+      - create
+  - apiGroups:
+      - hpa.orkaproj.io
+    resources:
+      - hpaalgoes
+    verbs:
+      - get
+      - watch
+      - list
+      - update
+      - delete
+      - create
+  - apiGroups:
+      - networking.istio.io
+    resources:
+      - virtualservices
+      - destinationrules
+      - serviceentries
+      - envoyfilters
+      - gateways
+      - sidecars
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - patch
+      - watch
+  - apiGroups:
+      - authorization.k8s.io
+    resources:
+      - localsubjectaccessreviews
+    verbs:
+      - create
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - rolebindings
+      - roles
+    verbs:
+      - create
+      - delete
+      - deletecollection
+      - get
+      - list
+      - patch
+      - update
+      - watch

cmd/argocd/commands/account.go

@@ -2,19 +2,29 @@ package commands
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
-	"syscall"
+	"strconv"
+	"strings"
+	"text/tabwriter"
+	"time"
 
+	timeutil "github.com/argoproj/pkg/time"
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/ssh/terminal"
 
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	accountpkg "github.com/argoproj/argo-cd/pkg/apiclient/account"
-	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/pkg/apiclient/session"
+	"github.com/argoproj/argo-cd/server/rbacpolicy"
 	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/io"
 	"github.com/argoproj/argo-cd/util/localconfig"
+	sessionutil "github.com/argoproj/argo-cd/util/session"
 )
 
 func NewAccountCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
@@ -27,11 +37,18 @@ func NewAccountCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 		},
 	}
 	command.AddCommand(NewAccountUpdatePasswordCommand(clientOpts))
+	command.AddCommand(NewAccountGetUserInfoCommand(clientOpts))
+	command.AddCommand(NewAccountCanICommand(clientOpts))
+	command.AddCommand(NewAccountListCommand(clientOpts))
+	command.AddCommand(NewAccountGenerateTokenCommand(clientOpts))
+	command.AddCommand(NewAccountGetCommand(clientOpts))
+	command.AddCommand(NewAccountDeleteTokenCommand(clientOpts))
 	return command
 }
 
 func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
+		account         string
 		currentPassword string
 		newPassword     string
 	)
@@ -43,14 +60,20 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
+			acdClient := argocdclient.NewClientOrDie(clientOpts)
+			conn, usrIf := acdClient.NewAccountClientOrDie()
+			defer io.Close(conn)
 
-			if currentPassword == "" {
+			userInfo := getCurrentAccount(acdClient)
+
+			if userInfo.Iss == sessionutil.SessionManagerClaimsIssuer && currentPassword == "" {
 				fmt.Print("*** Enter current password: ")
-				password, err := terminal.ReadPassword(syscall.Stdin)
+				password, err := terminal.ReadPassword(int(os.Stdin.Fd()))
 				errors.CheckError(err)
 				currentPassword = string(password)
 				fmt.Print("\n")
 			}
+
 			if newPassword == "" {
 				var err error
 				newPassword, err = cli.ReadAndConfirmPassword()
@@ -60,36 +83,318 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 			updatePasswordRequest := accountpkg.UpdatePasswordRequest{
 				NewPassword:     newPassword,
 				CurrentPassword: currentPassword,
+				Name:            account,
 			}
 
-			acdClient := argocdclient.NewClientOrDie(clientOpts)
-			conn, usrIf := acdClient.NewAccountClientOrDie()
-			defer util.Close(conn)
-
 			ctx := context.Background()
 			_, err := usrIf.UpdatePassword(ctx, &updatePasswordRequest)
 			errors.CheckError(err)
 			fmt.Printf("Password updated\n")
 
-			// Get a new JWT token after updating the password
-			localCfg, err := localconfig.ReadLocalConfig(clientOpts.ConfigPath)
-			errors.CheckError(err)
-			configCtx, err := localCfg.ResolveContext(clientOpts.Context)
-			errors.CheckError(err)
-			claims, err := configCtx.User.Claims()
-			errors.CheckError(err)
-			tokenString := passwordLogin(acdClient, claims.Subject, newPassword)
-			localCfg.UpsertUser(localconfig.User{
-				Name:      localCfg.CurrentContext,
-				AuthToken: tokenString,
-			})
-			err = localconfig.WriteLocalConfig(*localCfg, clientOpts.ConfigPath)
-			errors.CheckError(err)
-			fmt.Printf("Context '%s' updated\n", localCfg.CurrentContext)
+			if account == "" || account == userInfo.Username {
+				// Get a new JWT token after updating the password
+				localCfg, err := localconfig.ReadLocalConfig(clientOpts.ConfigPath)
+				errors.CheckError(err)
+				configCtx, err := localCfg.ResolveContext(clientOpts.Context)
+				errors.CheckError(err)
+				claims, err := configCtx.User.Claims()
+				errors.CheckError(err)
+				tokenString := passwordLogin(acdClient, claims.Subject, newPassword)
+				localCfg.UpsertUser(localconfig.User{
+					Name:      localCfg.CurrentContext,
+					AuthToken: tokenString,
+				})
+				err = localconfig.WriteLocalConfig(*localCfg, clientOpts.ConfigPath)
+				errors.CheckError(err)
+				fmt.Printf("Context '%s' updated\n", localCfg.CurrentContext)
+			}
 		},
 	}
 
 	command.Flags().StringVar(&currentPassword, "current-password", "", "current password you wish to change")
 	command.Flags().StringVar(&newPassword, "new-password", "", "new password you want to update to")
+	command.Flags().StringVar(&account, "account", "", "an account name that should be updated. Defaults to current user account")
 	return command
 }
+
+func NewAccountGetUserInfoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
+	var command = &cobra.Command{
+		Use:   "get-user-info",
+		Short: "Get user info",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 0 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			conn, client := argocdclient.NewClientOrDie(clientOpts).NewSessionClientOrDie()
+			defer io.Close(conn)
+
+			ctx := context.Background()
+			response, err := client.GetUserInfo(ctx, &session.GetUserInfoRequest{})
+			errors.CheckError(err)
+
+			switch output {
+			case "yaml":
+				yamlBytes, err := yaml.Marshal(response)
+				errors.CheckError(err)
+				fmt.Println(string(yamlBytes))
+			case "json":
+				jsonBytes, err := json.MarshalIndent(response, "", "  ")
+				errors.CheckError(err)
+				fmt.Println(string(jsonBytes))
+			case "":
+				fmt.Printf("Logged In: %v\n", response.LoggedIn)
+				if response.LoggedIn {
+					fmt.Printf("Username: %s\n", response.Username)
+					fmt.Printf("Issuer: %s\n", response.Iss)
+					fmt.Printf("Groups: %v\n", strings.Join(response.Groups, ","))
+				}
+			default:
+				log.Fatalf("Unknown output format: %s", output)
+			}
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "", "Output format. One of: yaml, json")
+	return command
+}
+
+func NewAccountCanICommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	return &cobra.Command{
+		Use:   "can-i ACTION RESOURCE SUBRESOURCE",
+		Short: "Can I",
+		Example: fmt.Sprintf(`
+# Can I sync any app?
+argocd account can-i sync applications '*'
+
+# Can I update a project?
+argocd account can-i update projects 'default'
+
+# Can I create a cluster?
+argocd account can-i create clusters '*'
+
+Actions: %v
+Resources: %v
+`, rbacpolicy.Actions, rbacpolicy.Resources),
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			conn, client := argocdclient.NewClientOrDie(clientOpts).NewAccountClientOrDie()
+			defer io.Close(conn)
+
+			ctx := context.Background()
+			response, err := client.CanI(ctx, &accountpkg.CanIRequest{
+				Action:      args[0],
+				Resource:    args[1],
+				Subresource: args[2],
+			})
+			errors.CheckError(err)
+			fmt.Println(response.Value)
+		},
+	}
+}
+
+func printAccountNames(accounts []*accountpkg.Account) {
+	for _, p := range accounts {
+		fmt.Println(p.Name)
+	}
+}
+
+func printAccountsTable(items []*accountpkg.Account) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "NAME\tENABLED\tCAPABILITIES\n")
+	for _, a := range items {
+		fmt.Fprintf(w, "%s\t%v\t%s\n", a.Name, a.Enabled, strings.Join(a.Capabilities, ", "))
+	}
+	_ = w.Flush()
+}
+
+func NewAccountListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
+	cmd := &cobra.Command{
+		Use:     "list",
+		Short:   "List accounts",
+		Example: "argocd account list",
+		Run: func(c *cobra.Command, args []string) {
+
+			conn, client := argocdclient.NewClientOrDie(clientOpts).NewAccountClientOrDie()
+			defer io.Close(conn)
+
+			ctx := context.Background()
+			response, err := client.ListAccounts(ctx, &accountpkg.ListAccountRequest{})
+
+			errors.CheckError(err)
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(response.Items, output, false)
+				errors.CheckError(err)
+			case "name":
+				printAccountNames(response.Items)
+			case "wide", "":
+				printAccountsTable(response.Items)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
+			}
+		},
+	}
+	cmd.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|name")
+	return cmd
+}
+
+func getCurrentAccount(clientset argocdclient.Client) session.GetUserInfoResponse {
+	conn, client := clientset.NewSessionClientOrDie()
+	defer io.Close(conn)
+	userInfo, err := client.GetUserInfo(context.Background(), &session.GetUserInfoRequest{})
+	errors.CheckError(err)
+	return *userInfo
+}
+
+func NewAccountGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output  string
+		account string
+	)
+	cmd := &cobra.Command{
+		Use:   "get",
+		Short: "Get account details",
+		Example: `# Get the currently logged in account details
+argocd account get
+
+# Get details for an account by name
+argocd account get --account <account-name>`,
+		Run: func(c *cobra.Command, args []string) {
+			clientset := argocdclient.NewClientOrDie(clientOpts)
+
+			if account == "" {
+				account = getCurrentAccount(clientset).Username
+			}
+
+			conn, client := clientset.NewAccountClientOrDie()
+			defer io.Close(conn)
+
+			acc, err := client.GetAccount(context.Background(), &accountpkg.GetAccountRequest{Name: account})
+
+			errors.CheckError(err)
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(acc, output, true)
+				errors.CheckError(err)
+			case "name":
+				fmt.Println(acc.Name)
+			case "wide", "":
+				printAccountDetails(acc)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
+			}
+		},
+	}
+	cmd.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|name")
+	cmd.Flags().StringVarP(&account, "account", "a", "", "Account name. Defaults to the current account.")
+	return cmd
+}
+
+func printAccountDetails(acc *accountpkg.Account) {
+	fmt.Printf(printOpFmtStr, "Name:", acc.Name)
+	fmt.Printf(printOpFmtStr, "Enabled:", strconv.FormatBool(acc.Enabled))
+	fmt.Printf(printOpFmtStr, "Capabilities:", strings.Join(acc.Capabilities, ", "))
+	fmt.Println("\nTokens:")
+	if len(acc.Tokens) == 0 {
+		fmt.Println("NONE")
+	} else {
+		w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+		fmt.Fprintf(w, "ID\tISSUED AT\tEXPIRING AT\n")
+		for _, t := range acc.Tokens {
+			expiresAtFormatted := "never"
+			if t.ExpiresAt > 0 {
+				expiresAt := time.Unix(t.ExpiresAt, 0)
+				expiresAtFormatted = expiresAt.Format(time.RFC3339)
+				if expiresAt.Before(time.Now()) {
+					expiresAtFormatted = fmt.Sprintf("%s (expired)", expiresAtFormatted)
+				}
+			}
+
+			fmt.Fprintf(w, "%s\t%s\t%s\n", t.Id, time.Unix(t.IssuedAt, 0).Format(time.RFC3339), expiresAtFormatted)
+		}
+		_ = w.Flush()
+	}
+}
+
+func NewAccountGenerateTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		account   string
+		expiresIn string
+		id        string
+	)
+	cmd := &cobra.Command{
+		Use:   "generate-token",
+		Short: "Generate account token",
+		Example: `# Generate token for the currently logged in account
+argocd account generate-token
+
+# Generate token for the account with the specified name
+argocd account generate-token --account <account-name>`,
+		Run: func(c *cobra.Command, args []string) {
+
+			clientset := argocdclient.NewClientOrDie(clientOpts)
+			conn, client := clientset.NewAccountClientOrDie()
+			defer io.Close(conn)
+			if account == "" {
+				account = getCurrentAccount(clientset).Username
+			}
+			expiresIn, err := timeutil.ParseDuration(expiresIn)
+			errors.CheckError(err)
+			response, err := client.CreateToken(context.Background(), &accountpkg.CreateTokenRequest{
+				Name:      account,
+				ExpiresIn: int64(expiresIn.Seconds()),
+				Id:        id,
+			})
+			errors.CheckError(err)
+			fmt.Println(response.Token)
+		},
+	}
+	cmd.Flags().StringVarP(&account, "account", "a", "", "Account name. Defaults to the current account.")
+	cmd.Flags().StringVarP(&expiresIn, "expires-in", "e", "0s", "Duration before the token will expire. (Default: No expiration)")
+	cmd.Flags().StringVar(&id, "id", "", "Optional token id. Fallback to uuid if not value specified.")
+	return cmd
+}
+
+func NewAccountDeleteTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		account string
+	)
+	cmd := &cobra.Command{
+		Use:   "delete-token",
+		Short: "Deletes account token",
+		Example: `# Delete token of the currently logged in account
+argocd account delete-token ID
+
+# Delete token of the account with the specified name
+argocd account generate-token --account <account-name>`,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			id := args[0]
+
+			clientset := argocdclient.NewClientOrDie(clientOpts)
+			conn, client := clientset.NewAccountClientOrDie()
+			defer io.Close(conn)
+			if account == "" {
+				account = getCurrentAccount(clientset).Username
+			}
+			_, err := client.DeleteToken(context.Background(), &accountpkg.DeleteTokenRequest{Name: account, Id: id})
+			errors.CheckError(err)
+		},
+	}
+	cmd.Flags().StringVarP(&account, "account", "a", "", "Account name. Defaults to the current account.")
+	return cmd
+}

cmd/argocd/commands/app_actions.go

@@ -2,20 +2,30 @@ package commands
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
-	"sort"
+	"strconv"
 	"text/tabwriter"
 
+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	applicationpkg "github.com/argoproj/argo-cd/pkg/apiclient/application"
-	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/io"
 )
 
+type DisplayedAction struct {
+	Group    string
+	Kind     string
+	Name     string
+	Action   string
+	Disabled bool
+}
+
 // NewApplicationResourceActionsCommand returns a new instance of an `argocd app actions` command
 func NewApplicationResourceActionsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
@@ -37,7 +47,7 @@ func NewApplicationResourceActionsListCommand(clientOpts *argocdclient.ClientOpt
 	var kind string
 	var group string
 	var resourceName string
-	var all bool
+	var output string
 	var command = &cobra.Command{
 		Use:   "list APPNAME",
 		Short: "Lists available actions on a resource",
@@ -49,12 +59,12 @@ func NewApplicationResourceActionsListCommand(clientOpts *argocdclient.ClientOpt
 		}
 		appName := args[0]
 		conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
-		defer util.Close(conn)
+		defer io.Close(conn)
 		ctx := context.Background()
 		resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{ApplicationName: &appName})
 		errors.CheckError(err)
-		filteredObjects := filterResources(command, resources.Items, group, kind, namespace, resourceName, all)
-		availableActions := make(map[string][]argoappv1.ResourceAction)
+		filteredObjects := filterResources(command, resources.Items, group, kind, namespace, resourceName, true)
+		var availableActions []DisplayedAction
 		for i := range filteredObjects {
 			obj := filteredObjects[i]
 			gvk := obj.GroupVersionKind()
@@ -66,34 +76,41 @@ func NewApplicationResourceActionsListCommand(clientOpts *argocdclient.ClientOpt
 				Kind:         gvk.Kind,
 			})
 			errors.CheckError(err)
-			availableActions[obj.GetName()] = availActionsForResource.Actions
-		}
-
-		var keys []string
-		for key := range availableActions {
-			keys = append(keys, key)
-		}
-		sort.Strings(keys)
-
-		w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-		fmt.Fprintf(w, "RESOURCE\tACTION\n")
-		fmt.Println()
-		for key := range availableActions {
-			for i := range availableActions[key] {
-				action := availableActions[key][i]
-				fmt.Fprintf(w, "%s\t%s\n", key, action.Name)
-
+			for _, action := range availActionsForResource.Actions {
+				displayAction := DisplayedAction{
+					Group:    gvk.Group,
+					Kind:     gvk.Kind,
+					Name:     obj.GetName(),
+					Action:   action.Name,
+					Disabled: action.Disabled,
+				}
+				availableActions = append(availableActions, displayAction)
 			}
 		}
-		_ = w.Flush()
+
+		switch output {
+		case "yaml":
+			yamlBytes, err := yaml.Marshal(availableActions)
+			errors.CheckError(err)
+			fmt.Println(string(yamlBytes))
+		case "json":
+			jsonBytes, err := json.MarshalIndent(availableActions, "", "  ")
+			errors.CheckError(err)
+			fmt.Println(string(jsonBytes))
+		case "":
+			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+			fmt.Fprintf(w, "GROUP\tKIND\tNAME\tACTION\tDISABLED\n")
+			for _, action := range availableActions {
+				fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", action.Group, action.Kind, action.Name, action.Action, strconv.FormatBool(action.Disabled))
+			}
+			_ = w.Flush()
+		}
 	}
 	command.Flags().StringVar(&resourceName, "resource-name", "", "Name of resource")
 	command.Flags().StringVar(&kind, "kind", "", "Kind")
-	err := command.MarkFlagRequired("kind")
-	errors.CheckError(err)
 	command.Flags().StringVar(&group, "group", "", "Group")
 	command.Flags().StringVar(&namespace, "namespace", "", "Namespace")
-	command.Flags().BoolVar(&all, "all", false, "Indicates whether to list actions on multiple matching resources")
+	command.Flags().StringVarP(&output, "out", "o", "", "Output format. One of: yaml, json")
 
 	return command
 }
@@ -101,9 +118,9 @@ func NewApplicationResourceActionsListCommand(clientOpts *argocdclient.ClientOpt
 // NewApplicationResourceActionsRunCommand returns a new instance of an `argocd app actions run` command
 func NewApplicationResourceActionsRunCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var namespace string
+	var resourceName string
 	var kind string
 	var group string
-	var resourceName string
 	var all bool
 	var command = &cobra.Command{
 		Use:   "run APPNAME ACTION",
@@ -111,11 +128,10 @@ func NewApplicationResourceActionsRunCommand(clientOpts *argocdclient.ClientOpti
 	}
 
 	command.Flags().StringVar(&resourceName, "resource-name", "", "Name of resource")
-	command.Flags().StringVar(&kind, "kind", "", "Kind")
-	err := command.MarkFlagRequired("kind")
-	errors.CheckError(err)
-	command.Flags().StringVar(&group, "group", "", "Group")
 	command.Flags().StringVar(&namespace, "namespace", "", "Namespace")
+	command.Flags().StringVar(&kind, "kind", "", "Kind")
+	command.Flags().StringVar(&group, "group", "", "Group")
+	errors.CheckError(command.MarkFlagRequired("kind"))
 	command.Flags().BoolVar(&all, "all", false, "Indicates whether to run the action on multiple matching resources")
 
 	command.Run = func(c *cobra.Command, args []string) {
@@ -125,12 +141,20 @@ func NewApplicationResourceActionsRunCommand(clientOpts *argocdclient.ClientOpti
 		}
 		appName := args[0]
 		actionName := args[1]
+
 		conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
-		defer util.Close(conn)
+		defer io.Close(conn)
 		ctx := context.Background()
 		resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{ApplicationName: &appName})
 		errors.CheckError(err)
 		filteredObjects := filterResources(command, resources.Items, group, kind, namespace, resourceName, all)
+		var resGroup = filteredObjects[0].GroupVersionKind().Group
+		for i := range filteredObjects[1:] {
+			if filteredObjects[i].GroupVersionKind().Group != resGroup {
+				log.Fatal("Ambiguous resource group. Use flag --group to specify resource group explicitly.")
+			}
+		}
+
 		for i := range filteredObjects {
 			obj := filteredObjects[i]
 			gvk := obj.GroupVersionKind()

cmd/argocd/commands/cert.go

@@ -2,6 +2,7 @@ package commands
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 	"os"
 	"sort"
@@ -10,14 +11,12 @@ import (
 
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	certificatepkg "github.com/argoproj/argo-cd/pkg/apiclient/certificate"
 	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util"
 	certutil "github.com/argoproj/argo-cd/util/cert"
-
-	"crypto/x509"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/io"
 )
 
 // NewCertCommand returns a new instance of an `argocd repo` command
@@ -29,6 +28,24 @@ func NewCertCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			c.HelpFunc()(c, args)
 			os.Exit(1)
 		},
+		Example: `  # Add a TLS certificate for cd.example.com to ArgoCD cert store from a file
+  argocd cert add-tls --from ~/mycert.pem cd.example.com
+
+  # Add a TLS certificate for cd.example.com to ArgoCD via stdin
+  cat ~/mycert.pem | argocd cert add-tls cd.example.com
+
+  # Add SSH known host entries for cd.example.com to ArgoCD by scanning host
+  ssh-keyscan cd.example.com | argocd cert add-ssh --batch
+
+  # List all known TLS certificates
+  argocd cert list --cert-type https
+
+  # Remove all TLS certificates for cd.example.com
+  argocd cert rm --cert-type https cd.example.com
+
+  # Remove all certificates and SSH known host entries for cd.example.com
+  argocd cert rm cd.example.com
+`,
 	}
 
 	command.AddCommand(NewCertAddSSHCommand(clientOpts))
@@ -48,7 +65,7 @@ func NewCertAddTLSCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 		Short: "Add TLS certificate data for connecting to repository server SERVERNAME",
 		Run: func(c *cobra.Command, args []string) {
 			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			if len(args) != 1 {
 				c.HelpFunc()(c, args)
@@ -131,7 +148,7 @@ func NewCertAddSSHCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 		Run: func(c *cobra.Command, args []string) {
 
 			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			var sshKnownHostsLists []string
 			var err error
@@ -156,18 +173,20 @@ func NewCertAddSSHCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			}
 
 			for _, knownHostsEntry := range sshKnownHostsLists {
-				hostname, certSubType, certData, err := certutil.TokenizeSSHKnownHostsEntry(knownHostsEntry)
+				_, certSubType, certData, err := certutil.TokenizeSSHKnownHostsEntry(knownHostsEntry)
 				errors.CheckError(err)
-				_, _, err = certutil.KnownHostsLineToPublicKey(knownHostsEntry)
+				hostnameList, _, err := certutil.KnownHostsLineToPublicKey(knownHostsEntry)
 				errors.CheckError(err)
-				certificate := appsv1.RepositoryCertificate{
-					ServerName:  hostname,
-					CertType:    "ssh",
-					CertSubType: certSubType,
-					CertData:    certData,
+				// Each key could be valid for multiple hostnames
+				for _, hostname := range hostnameList {
+					certificate := appsv1.RepositoryCertificate{
+						ServerName:  hostname,
+						CertType:    "ssh",
+						CertSubType: certSubType,
+						CertData:    certData,
+					}
+					certificates = append(certificates, certificate)
 				}
-
-				certificates = append(certificates, certificate)
 			}
 
 			certList := &appsv1.RepositoryCertificateList{Items: certificates}
@@ -201,7 +220,7 @@ func NewCertRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 				os.Exit(1)
 			}
 			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 			hostNamePattern := args[0]
 
 			// Prevent the user from specifying a wildcard as hostname as precaution
@@ -239,6 +258,7 @@ func NewCertListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 		certType        string
 		hostNamePattern string
 		sortOrder       string
+		output          string
 	)
 	var command = &cobra.Command{
 		Use:   "list",
@@ -255,14 +275,25 @@ func NewCertListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			}
 
 			conn, certIf := argocdclient.NewClientOrDie(clientOpts).NewCertClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 			certificates, err := certIf.ListCertificates(context.Background(), &certificatepkg.RepositoryCertificateQuery{HostNamePattern: hostNamePattern, CertType: certType})
 			errors.CheckError(err)
-			printCertTable(certificates.Items, sortOrder)
+
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(certificates.Items, output, false)
+				errors.CheckError(err)
+			case "wide", "":
+				printCertTable(certificates.Items, sortOrder)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
+			}
+
 		},
 	}
 
-	command.Flags().StringVar(&sortOrder, "sort", "", "set display sort order, valid: 'hostname', 'type'")
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
+	command.Flags().StringVar(&sortOrder, "sort", "", "set display sort order for output format wide. One of: hostname|type")
 	command.Flags().StringVar(&certType, "cert-type", "", "only list certificates of given type, valid: 'ssh','https'")
 	command.Flags().StringVar(&hostNamePattern, "hostname-pattern", "", "only list certificates for hosts matching given glob-pattern")
 	return command

cmd/argocd/commands/cluster.go

@@ -3,26 +3,23 @@ package commands
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
-	"sort"
 	"strings"
 	"text/tabwriter"
 
-	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	clusterpkg "github.com/argoproj/argo-cd/pkg/apiclient/cluster"
 	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/clusterauth"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/io"
 )
 
 // NewClusterCommand returns a new instance of an `argocd cluster` command
@@ -34,6 +31,18 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 			c.HelpFunc()(c, args)
 			os.Exit(1)
 		},
+		Example: `  # List all known clusters in JSON format:
+  argocd cluster list -o json
+
+  # Add a target cluster configuration to ArgoCD. The context must exist in your kubectl config:
+  argocd cluster add example-cluster
+
+  # Get specific details about a cluster in plain text (wide) format:
+  argocd cluster get example-cluster -o wide
+
+  #	Remove a target cluster context from ArgoCD
+  argocd cluster rm example-cluster
+`,
 	}
 
 	command.AddCommand(NewClusterAddCommand(clientOpts, pathOpts))
@@ -47,27 +56,24 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 // NewClusterAddCommand returns a new instance of an `argocd cluster add` command
 func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientcmd.PathOptions) *cobra.Command {
 	var (
-		inCluster       bool
-		upsert          bool
-		awsRoleArn      string
-		awsClusterName  string
-		systemNamespace string
+		clusterOpts cmdutil.ClusterOptions
 	)
 	var command = &cobra.Command{
-		Use:   "add",
+		Use:   "add CONTEXT",
 		Short: fmt.Sprintf("%s cluster add CONTEXT", cliName),
 		Run: func(c *cobra.Command, args []string) {
 			var configAccess clientcmd.ConfigAccess = pathOpts
 			if len(args) == 0 {
 				log.Error("Choose a context name from:")
-				printKubeContexts(configAccess)
+				cmdutil.PrintKubeContexts(configAccess)
 				os.Exit(1)
 			}
 			config, err := configAccess.GetStartingConfig()
 			errors.CheckError(err)
-			clstContext := config.Contexts[args[0]]
+			contextName := args[0]
+			clstContext := config.Contexts[contextName]
 			if clstContext == nil {
-				log.Fatalf("Context %s does not exist in kubeconfig", args[0])
+				log.Fatalf("Context %s does not exist in kubeconfig", contextName)
 			}
 
 			overrides := clientcmd.ConfigOverrides{
@@ -79,140 +85,145 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 
 			managerBearerToken := ""
 			var awsAuthConf *argoappv1.AWSAuthConfig
-			if awsClusterName != "" {
+			var execProviderConf *argoappv1.ExecProviderConfig
+			if clusterOpts.AwsClusterName != "" {
 				awsAuthConf = &argoappv1.AWSAuthConfig{
-					ClusterName: awsClusterName,
-					RoleARN:     awsRoleArn,
+					ClusterName: clusterOpts.AwsClusterName,
+					RoleARN:     clusterOpts.AwsRoleArn,
+				}
+			} else if clusterOpts.ExecProviderCommand != "" {
+				execProviderConf = &argoappv1.ExecProviderConfig{
+					Command:     clusterOpts.ExecProviderCommand,
+					Args:        clusterOpts.ExecProviderArgs,
+					Env:         clusterOpts.ExecProviderEnv,
+					APIVersion:  clusterOpts.ExecProviderAPIVersion,
+					InstallHint: clusterOpts.ExecProviderInstallHint,
 				}
 			} else {
 				// Install RBAC resources for managing the cluster
 				clientset, err := kubernetes.NewForConfig(conf)
 				errors.CheckError(err)
-				managerBearerToken, err = clusterauth.InstallClusterManagerRBAC(clientset, systemNamespace)
+				if clusterOpts.ServiceAccount != "" {
+					managerBearerToken, err = clusterauth.GetServiceAccountBearerToken(clientset, clusterOpts.SystemNamespace, clusterOpts.ServiceAccount)
+				} else {
+					managerBearerToken, err = clusterauth.InstallClusterManagerRBAC(clientset, clusterOpts.SystemNamespace, clusterOpts.Namespaces)
+				}
 				errors.CheckError(err)
 			}
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
-			defer util.Close(conn)
-			clst := NewCluster(args[0], conf, managerBearerToken, awsAuthConf)
-			if inCluster {
+			defer io.Close(conn)
+			if clusterOpts.Name != "" {
+				contextName = clusterOpts.Name
+			}
+			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, conf, managerBearerToken, awsAuthConf, execProviderConf)
+			if clusterOpts.InCluster {
 				clst.Server = common.KubernetesInternalAPIServerAddr
 			}
+			if clusterOpts.Shard >= 0 {
+				clst.Shard = &clusterOpts.Shard
+			}
 			clstCreateReq := clusterpkg.ClusterCreateRequest{
 				Cluster: clst,
-				Upsert:  upsert,
+				Upsert:  clusterOpts.Upsert,
 			}
-			clst, err = clusterIf.Create(context.Background(), &clstCreateReq)
+			_, err = clusterIf.Create(context.Background(), &clstCreateReq)
 			errors.CheckError(err)
-			fmt.Printf("Cluster '%s' added\n", clst.Name)
+			fmt.Printf("Cluster '%s' added\n", clst.Server)
 		},
 	}
 	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
-	command.Flags().BoolVar(&inCluster, "in-cluster", false, "Indicates Argo CD resides inside this cluster and should connect using the internal k8s hostname (kubernetes.default.svc)")
-	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing cluster with the same name even if the spec differs")
-	command.Flags().StringVar(&awsClusterName, "aws-cluster-name", "", "AWS Cluster name if set then aws-iam-authenticator will be used to access cluster")
-	command.Flags().StringVar(&awsRoleArn, "aws-role-arn", "", "Optional AWS role arn. If set then AWS IAM Authenticator assume a role to perform cluster operations instead of the default AWS credential provider chain.")
-	command.Flags().StringVar(&systemNamespace, "system-namespace", common.DefaultSystemNamespace, "Use different system namespace")
+	command.Flags().BoolVar(&clusterOpts.Upsert, "upsert", false, "Override an existing cluster with the same name even if the spec differs")
+	command.Flags().StringVar(&clusterOpts.ServiceAccount, "service-account", "", fmt.Sprintf("System namespace service account to use for kubernetes resource management. If not set then default \"%s\" SA will be created", clusterauth.ArgoCDManagerServiceAccount))
+	command.Flags().StringVar(&clusterOpts.SystemNamespace, "system-namespace", common.DefaultSystemNamespace, "Use different system namespace")
+	cmdutil.AddClusterFlags(command, &clusterOpts)
 	return command
 }
 
-func printKubeContexts(ca clientcmd.ConfigAccess) {
-	config, err := ca.GetStartingConfig()
-	errors.CheckError(err)
-	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	defer func() { _ = w.Flush() }()
-	columnNames := []string{"CURRENT", "NAME", "CLUSTER", "SERVER"}
-	_, err = fmt.Fprintf(w, "%s\n", strings.Join(columnNames, "\t"))
-	errors.CheckError(err)
-
-	// sort names so output is deterministic
-	contextNames := make([]string, 0)
-	for name := range config.Contexts {
-		contextNames = append(contextNames, name)
-	}
-	sort.Strings(contextNames)
-
-	if config.Clusters == nil {
-		return
-	}
-
-	for _, name := range contextNames {
-		// ignore malformed kube config entries
-		context := config.Contexts[name]
-		if context == nil {
-			continue
-		}
-		cluster := config.Clusters[context.Cluster]
-		if cluster == nil {
-			continue
-		}
-		prefix := " "
-		if config.CurrentContext == name {
-			prefix = "*"
-		}
-		_, err := fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", prefix, name, context.Cluster, cluster.Server)
-		errors.CheckError(err)
-	}
-}
-
-func NewCluster(name string, conf *rest.Config, managerBearerToken string, awsAuthConf *argoappv1.AWSAuthConfig) *argoappv1.Cluster {
-	tlsClientConfig := argoappv1.TLSClientConfig{
-		Insecure:   conf.TLSClientConfig.Insecure,
-		ServerName: conf.TLSClientConfig.ServerName,
-		CAData:     conf.TLSClientConfig.CAData,
-	}
-	if len(conf.TLSClientConfig.CAData) == 0 && conf.TLSClientConfig.CAFile != "" {
-		data, err := ioutil.ReadFile(conf.TLSClientConfig.CAFile)
-		errors.CheckError(err)
-		tlsClientConfig.CAData = data
-	}
-	clst := argoappv1.Cluster{
-		Server: conf.Host,
-		Name:   name,
-		Config: argoappv1.ClusterConfig{
-			BearerToken:     managerBearerToken,
-			TLSClientConfig: tlsClientConfig,
-			AWSAuthConfig:   awsAuthConf,
-		},
-	}
-	return &clst
-}
-
 // NewClusterGetCommand returns a new instance of an `argocd cluster get` command
 func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
 	var command = &cobra.Command{
-		Use:   "get CLUSTER",
-		Short: "Get cluster information",
+		Use:     "get SERVER",
+		Short:   "Get cluster information",
+		Example: `argocd cluster get https://12.34.567.89`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
+			clusters := make([]argoappv1.Cluster, 0)
 			for _, clusterName := range args {
 				clst, err := clusterIf.Get(context.Background(), &clusterpkg.ClusterQuery{Server: clusterName})
 				errors.CheckError(err)
-				yamlBytes, err := yaml.Marshal(clst)
+				clusters = append(clusters, *clst)
+			}
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(clusters, output, true)
 				errors.CheckError(err)
-				fmt.Printf("%v", string(yamlBytes))
+			case "wide", "":
+				printClusterDetails(clusters)
+			case "server":
+				printClusterServers(clusters)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
 			}
 		},
 	}
+	// we have yaml as default to not break backwards-compatibility
+	command.Flags().StringVarP(&output, "output", "o", "yaml", "Output format. One of: json|yaml|wide|server")
 	return command
 }
 
+func strWithDefault(value string, def string) string {
+	if value == "" {
+		return def
+	}
+	return value
+}
+
+func formatNamespaces(cluster argoappv1.Cluster) string {
+	if len(cluster.Namespaces) == 0 {
+		return "all namespaces"
+	}
+	return strings.Join(cluster.Namespaces, ", ")
+}
+
+func printClusterDetails(clusters []argoappv1.Cluster) {
+	for _, cluster := range clusters {
+		fmt.Printf("Cluster information\n\n")
+		fmt.Printf("  Server URL:            %s\n", cluster.Server)
+		fmt.Printf("  Server Name:           %s\n", strWithDefault(cluster.Name, "-"))
+		fmt.Printf("  Server Version:        %s\n", cluster.ServerVersion)
+		fmt.Printf("  Namespaces:        	 %s\n", formatNamespaces(cluster))
+		fmt.Printf("\nTLS configuration\n\n")
+		fmt.Printf("  Client cert:           %v\n", string(cluster.Config.TLSClientConfig.CertData) != "")
+		fmt.Printf("  Cert validation:       %v\n", !cluster.Config.TLSClientConfig.Insecure)
+		fmt.Printf("\nAuthentication\n\n")
+		fmt.Printf("  Basic authentication:  %v\n", cluster.Config.Username != "")
+		fmt.Printf("  oAuth authentication:  %v\n", cluster.Config.BearerToken != "")
+		fmt.Printf("  AWS authentication:    %v\n", cluster.Config.AWSAuthConfig != nil)
+		fmt.Println()
+	}
+}
+
 // NewClusterRemoveCommand returns a new instance of an `argocd cluster list` command
 func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "rm CLUSTER",
-		Short: "Remove cluster credentials",
+		Use:     "rm SERVER",
+		Short:   "Remove cluster credentials",
+		Example: `argocd cluster rm https://12.34.567.89`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			// clientset, err := kubernetes.NewForConfig(conf)
 			// errors.CheckError(err)
@@ -223,6 +234,7 @@ func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 				// errors.CheckError(err)
 				_, err := clusterIf.Delete(context.Background(), &clusterpkg.ClusterQuery{Server: clusterName})
 				errors.CheckError(err)
+				fmt.Printf("Cluster '%s' removed\n", clusterName)
 			}
 		},
 	}
@@ -232,9 +244,13 @@ func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 // Print table of cluster information
 func printClusterTable(clusters []argoappv1.Cluster) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	fmt.Fprintf(w, "SERVER\tNAME\tSTATUS\tMESSAGE\n")
+	_, _ = fmt.Fprintf(w, "SERVER\tNAME\tVERSION\tSTATUS\tMESSAGE\n")
 	for _, c := range clusters {
-		fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", c.Server, c.Name, c.ConnectionState.Status, c.ConnectionState.Message)
+		server := c.Server
+		if len(c.Namespaces) > 0 {
+			server = fmt.Sprintf("%s (%d namespaces)", c.Server, len(c.Namespaces))
+		}
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", server, c.Name, c.ServerVersion, c.ConnectionState.Status, c.ConnectionState.Message)
 	}
 	_ = w.Flush()
 }
@@ -256,32 +272,39 @@ func NewClusterListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 		Short: "List configured clusters",
 		Run: func(c *cobra.Command, args []string) {
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 			clusters, err := clusterIf.List(context.Background(), &clusterpkg.ClusterQuery{})
 			errors.CheckError(err)
-			if output == "server" {
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(clusters.Items, output, false)
+				errors.CheckError(err)
+			case "server":
 				printClusterServers(clusters.Items)
-			} else {
+			case "wide", "":
 				printClusterTable(clusters.Items)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
 			}
 		},
 	}
-	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|server")
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|server")
 	return command
 }
 
 // NewClusterRotateAuthCommand returns a new instance of an `argocd cluster rotate-auth` command
 func NewClusterRotateAuthCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "rotate-auth CLUSTER",
-		Short: fmt.Sprintf("%s cluster rotate-auth CLUSTER", cliName),
+		Use:     "rotate-auth SERVER",
+		Short:   fmt.Sprintf("%s cluster rotate-auth SERVER", cliName),
+		Example: fmt.Sprintf("%s cluster rotate-auth https://12.34.567.89", cliName),
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 1 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
 			conn, clusterIf := argocdclient.NewClientOrDie(clientOpts).NewClusterClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 			clusterQuery := clusterpkg.ClusterQuery{
 				Server: args[0],
 			}

cmd/argocd/commands/cluster_test.go

@@ -0,0 +1,31 @@
+package commands
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+func Test_printClusterTable(t *testing.T) {
+	printClusterTable([]v1alpha1.Cluster{
+		{
+			Server: "my-server",
+			Name:   "my-name",
+			Config: v1alpha1.ClusterConfig{
+				Username:        "my-username",
+				Password:        "my-password",
+				BearerToken:     "my-bearer-token",
+				TLSClientConfig: v1alpha1.TLSClientConfig{},
+				AWSAuthConfig:   nil,
+			},
+			ConnectionState: v1alpha1.ConnectionState{
+				Status:     "my-status",
+				Message:    "my-message",
+				ModifiedAt: &metav1.Time{},
+			},
+			ServerVersion: "my-version",
+		},
+	})
+}

cmd/argocd/commands/common.go

@@ -1,5 +1,13 @@
 package commands
 
+import (
+	"encoding/json"
+	"fmt"
+	"reflect"
+
+	"github.com/ghodss/yaml"
+)
+
 const (
 	cliName = "argocd"
 
@@ -7,3 +15,58 @@ const (
 	// the OAuth2 login flow.
 	DefaultSSOLocalPort = 8085
 )
+
+// PrintResource prints a single resource in YAML or JSON format to stdout according to the output format
+func PrintResource(resource interface{}, output string) error {
+	switch output {
+	case "json":
+		jsonBytes, err := json.MarshalIndent(resource, "", "  ")
+		if err != nil {
+			return err
+		}
+		fmt.Println(string(jsonBytes))
+	case "yaml":
+		yamlBytes, err := yaml.Marshal(resource)
+		if err != nil {
+			return err
+		}
+		fmt.Print(string(yamlBytes))
+	default:
+		return fmt.Errorf("unknown output format: %s", output)
+	}
+	return nil
+}
+
+// PrintResourceList marshals & prints a list of resources to stdout according to the output format
+func PrintResourceList(resources interface{}, output string, single bool) error {
+	kt := reflect.ValueOf(resources)
+	// Sometimes, we want to marshal the first resource of a slice or array as single item
+	if kt.Kind() == reflect.Slice || kt.Kind() == reflect.Array {
+		if single && kt.Len() == 1 {
+			return PrintResource(kt.Index(0).Interface(), output)
+		}
+
+		// If we have a zero len list, prevent printing "null"
+		if kt.Len() == 0 {
+			return PrintResource([]string{}, output)
+		}
+	}
+
+	switch output {
+	case "json":
+		jsonBytes, err := json.MarshalIndent(resources, "", "  ")
+		if err != nil {
+			return err
+		}
+		fmt.Println(string(jsonBytes))
+	case "yaml":
+		yamlBytes, err := yaml.Marshal(resources)
+		if err != nil {
+			return err
+		}
+		fmt.Print(string(yamlBytes))
+	default:
+		return fmt.Errorf("unknown output format: %s", output)
+	}
+	return nil
+}

cmd/argocd/commands/common_test.go

@@ -0,0 +1,142 @@
+package commands
+
+import (
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// Be careful with tabs vs. spaces in the following expected formats. Indents
+// should all be spaces, no tabs.
+const expectYamlSingle = `bar: ""
+baz: foo
+foo: bar
+`
+
+const expectJsonSingle = `{
+  "bar": "",
+  "baz": "foo",
+  "foo": "bar"
+}
+`
+const expectYamlList = `one:
+  bar: ""
+  baz: foo
+  foo: bar
+two:
+  bar: ""
+  baz: foo
+  foo: bar
+`
+
+const expectJsonList = `{
+  "one": {
+    "bar": "",
+    "baz": "foo",
+    "foo": "bar"
+  },
+  "two": {
+    "bar": "",
+    "baz": "foo",
+    "foo": "bar"
+  }
+}
+`
+
+// Rather dirty hack to capture stdout from PrintResource() and PrintResourceList()
+func captureOutput(f func() error) (string, error) {
+	stdout := os.Stdout
+	r, w, err := os.Pipe()
+	if err != nil {
+		return "", err
+	}
+	os.Stdout = w
+	err = f()
+	w.Close()
+	if err != nil {
+		os.Stdout = stdout
+		return "", err
+	}
+	str, err := ioutil.ReadAll(r)
+	os.Stdout = stdout
+	if err != nil {
+		return "", err
+	}
+	return string(str), err
+}
+
+func Test_PrintResource(t *testing.T) {
+	testResource := map[string]string{
+		"foo": "bar",
+		"bar": "",
+		"baz": "foo",
+	}
+
+	str, err := captureOutput(func() error {
+		err := PrintResource(testResource, "yaml")
+		return err
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, str, expectYamlSingle)
+
+	str, err = captureOutput(func() error {
+		err := PrintResource(testResource, "json")
+		return err
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, str, expectJsonSingle)
+
+	err = PrintResource(testResource, "unknown")
+	assert.Error(t, err)
+}
+
+func Test_PrintResourceList(t *testing.T) {
+	testResource := map[string]map[string]string{
+		"one": {
+			"foo": "bar",
+			"bar": "",
+			"baz": "foo",
+		},
+		"two": {
+			"foo": "bar",
+			"bar": "",
+			"baz": "foo",
+		},
+	}
+
+	testResource2 := make([]map[string]string, 0)
+	testResource2 = append(testResource2, testResource["one"])
+
+	str, err := captureOutput(func() error {
+		err := PrintResourceList(testResource, "yaml", false)
+		return err
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, str, expectYamlList)
+
+	str, err = captureOutput(func() error {
+		err := PrintResourceList(testResource, "json", false)
+		return err
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, str, expectJsonList)
+
+	str, err = captureOutput(func() error {
+		err := PrintResourceList(testResource2, "yaml", true)
+		return err
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, str, expectYamlSingle)
+
+	str, err = captureOutput(func() error {
+		err := PrintResourceList(testResource2, "json", true)
+		return err
+	})
+	assert.NoError(t, err)
+	assert.Equal(t, str, expectJsonSingle)
+
+	err = PrintResourceList(testResource, "unknown", false)
+	assert.Error(t, err)
+}

cmd/argocd/commands/completion.go

@@ -3,9 +3,9 @@ package commands
 import (
 	"fmt"
 	"io"
-	"log"
 	"os"
 
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 )
 

cmd/argocd/commands/context.go

@@ -8,13 +8,11 @@ import (
 	"strings"
 	"text/tabwriter"
 
-	"github.com/spf13/pflag"
-
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	"github.com/argoproj/argo-cd/util/errors"
 	"github.com/argoproj/argo-cd/util/localconfig"
 )
 
@@ -22,7 +20,7 @@ import (
 func NewContextCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var delete bool
 	var command = &cobra.Command{
-		Use:     "context",
+		Use:     "context [CONTEXT]",
 		Aliases: []string{"ctx"},
 		Short:   "Switch between contexts",
 		Run: func(c *cobra.Command, args []string) {
@@ -30,22 +28,19 @@ func NewContextCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			localCfg, err := localconfig.ReadLocalConfig(clientOpts.ConfigPath)
 			errors.CheckError(err)
 
-			deletePresentContext := false
-			c.Flags().Visit(func(f *pflag.Flag) {
-				if f.Name == "delete" {
-					deletePresentContext = true
+			if delete {
+				if len(args) == 0 {
+					c.HelpFunc()(c, args)
+					os.Exit(1)
 				}
-			})
+				err := deleteContext(args[0], clientOpts.ConfigPath)
+				errors.CheckError(err)
+				return
+			}
 
 			if len(args) == 0 {
-				if deletePresentContext {
-					err := deleteContext(localCfg.CurrentContext, clientOpts.ConfigPath)
-					errors.CheckError(err)
-					return
-				} else {
-					printArgoCDContexts(clientOpts.ConfigPath)
-					return
-				}
+				printArgoCDContexts(clientOpts.ConfigPath)
+				return
 			}
 
 			ctxName := args[0]
@@ -100,7 +95,7 @@ func deleteContext(context, configPath string) error {
 		errors.CheckError(err)
 	} else {
 		if localCfg.CurrentContext == context {
-			localCfg.CurrentContext = localCfg.Contexts[0].Name
+			localCfg.CurrentContext = ""
 		}
 		err = localconfig.ValidateLocalConfig(*localCfg)
 		if err != nil {

cmd/argocd/commands/context_test.go

@@ -11,20 +11,27 @@ import (
 )
 
 const testConfig = `contexts:
-- name: argocd.example.com:443
-  server: argocd.example.com:443
-  user: argocd.example.com:443
+- name: argocd1.example.com:443
+  server: argocd1.example.com:443
+  user: argocd1.example.com:443
+- name: argocd2.example.com:443
+  server: argocd2.example.com:443
+  user: argocd2.example.com:443
 - name: localhost:8080
   server: localhost:8080
   user: localhost:8080
 current-context: localhost:8080
 servers:
-- server: argocd.example.com:443
+- server: argocd1.example.com:443
+- server: argocd2.example.com:443
 - plain-text: true
   server: localhost:8080
 users:
 - auth-token: vErrYS3c3tReFRe$hToken
-  name: argocd.example.com:443
+  name: argocd1.example.com:443
+  refresh-token: vErrYS3c3tReFRe$hToken
+- auth-token: vErrYS3c3tReFRe$hToken
+  name: argocd2.example.com:443
   refresh-token: vErrYS3c3tReFRe$hToken
 - auth-token: vErrYS3c3tReFRe$hToken
   name: localhost:8080`
@@ -42,16 +49,30 @@ func TestContextDelete(t *testing.T) {
 	assert.Equal(t, localConfig.CurrentContext, "localhost:8080")
 	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "localhost:8080", Server: "localhost:8080", User: "localhost:8080"})
 
+	// Delete a non-current context
+	err = deleteContext("argocd1.example.com:443", testConfigFilePath)
+	assert.NoError(t, err)
+
+	localConfig, err = localconfig.ReadLocalConfig(testConfigFilePath)
+	assert.NoError(t, err)
+	assert.Equal(t, localConfig.CurrentContext, "localhost:8080")
+	assert.NotContains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd1.example.com:443", Server: "argocd1.example.com:443", User: "argocd1.example.com:443"})
+	assert.NotContains(t, localConfig.Servers, localconfig.Server{Server: "argocd1.example.com:443"})
+	assert.NotContains(t, localConfig.Users, localconfig.User{AuthToken: "vErrYS3c3tReFRe$hToken", Name: "argocd1.example.com:443"})
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd2.example.com:443", Server: "argocd2.example.com:443", User: "argocd2.example.com:443"})
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "localhost:8080", Server: "localhost:8080", User: "localhost:8080"})
+
+	// Delete the current context
 	err = deleteContext("localhost:8080", testConfigFilePath)
 	assert.NoError(t, err)
 
 	localConfig, err = localconfig.ReadLocalConfig(testConfigFilePath)
 	assert.NoError(t, err)
-	assert.Equal(t, localConfig.CurrentContext, "argocd.example.com:443")
+	assert.Equal(t, localConfig.CurrentContext, "")
 	assert.NotContains(t, localConfig.Contexts, localconfig.ContextRef{Name: "localhost:8080", Server: "localhost:8080", User: "localhost:8080"})
 	assert.NotContains(t, localConfig.Servers, localconfig.Server{PlainText: true, Server: "localhost:8080"})
 	assert.NotContains(t, localConfig.Users, localconfig.User{AuthToken: "vErrYS3c3tReFRe$hToken", Name: "localhost:8080"})
-	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd.example.com:443", Server: "argocd.example.com:443", User: "argocd.example.com:443"})
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd2.example.com:443", Server: "argocd2.example.com:443", User: "argocd2.example.com:443"})
 
 	// Write the file again so that no conflicts are made in git
 	err = ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)

cmd/argocd/commands/gpg.go

@@ -0,0 +1,162 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/spf13/cobra"
+
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	gpgkeypkg "github.com/argoproj/argo-cd/pkg/apiclient/gpgkey"
+	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/errors"
+	argoio "github.com/argoproj/argo-cd/util/io"
+)
+
+// NewGPGCommand returns a new instance of an `argocd repo` command
+func NewGPGCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "gpg",
+		Short: "Manage GPG keys used for signature verification",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+		Example: ``,
+	}
+	command.AddCommand(NewGPGListCommand(clientOpts))
+	command.AddCommand(NewGPGGetCommand(clientOpts))
+	command.AddCommand(NewGPGAddCommand(clientOpts))
+	command.AddCommand(NewGPGDeleteCommand(clientOpts))
+	return command
+}
+
+// NewGPGListCommand lists all configured public keys from the server
+func NewGPGListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
+	var command = &cobra.Command{
+		Use:   "list",
+		Short: "List configured GPG public keys",
+		Run: func(c *cobra.Command, args []string) {
+			conn, gpgIf := argocdclient.NewClientOrDie(clientOpts).NewGPGKeyClientOrDie()
+			defer argoio.Close(conn)
+			keys, err := gpgIf.List(context.Background(), &gpgkeypkg.GnuPGPublicKeyQuery{})
+			errors.CheckError(err)
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(keys.Items, output, false)
+				errors.CheckError(err)
+			case "wide", "":
+				printKeyTable(keys.Items)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
+			}
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
+	return command
+}
+
+// NewGPGGetCommand retrieves a single public key from the server
+func NewGPGGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
+	var command = &cobra.Command{
+		Use:   "get KEYID",
+		Short: "Get the GPG public key with ID <KEYID> from the server",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				errors.CheckError(fmt.Errorf("Missing KEYID argument"))
+			}
+			conn, gpgIf := argocdclient.NewClientOrDie(clientOpts).NewGPGKeyClientOrDie()
+			defer argoio.Close(conn)
+			key, err := gpgIf.Get(context.Background(), &gpgkeypkg.GnuPGPublicKeyQuery{KeyID: args[0]})
+			errors.CheckError(err)
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(key, output, false)
+				errors.CheckError(err)
+			case "wide", "":
+				fmt.Printf("Key ID:          %s\n", key.KeyID)
+				fmt.Printf("Key fingerprint: %s\n", key.Fingerprint)
+				fmt.Printf("Key subtype:     %s\n", strings.ToUpper(key.SubType))
+				fmt.Printf("Key owner:       %s\n", key.Owner)
+				fmt.Printf("Key data follows until EOF:\n%s\n", key.KeyData)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
+			}
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
+	return command
+}
+
+// NewGPGAddCommand adds a public key to the server's configuration
+func NewGPGAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		fromFile string
+	)
+	var command = &cobra.Command{
+		Use:   "add",
+		Short: "Adds a GPG public key to the server's keyring",
+		Run: func(c *cobra.Command, args []string) {
+			if fromFile == "" {
+				errors.CheckError(fmt.Errorf("--from is mandatory"))
+			}
+			keyData, err := ioutil.ReadFile(fromFile)
+			if err != nil {
+				errors.CheckError(err)
+			}
+			conn, gpgIf := argocdclient.NewClientOrDie(clientOpts).NewGPGKeyClientOrDie()
+			defer argoio.Close(conn)
+			resp, err := gpgIf.Create(context.Background(), &gpgkeypkg.GnuPGPublicKeyCreateRequest{Publickey: &appsv1.GnuPGPublicKey{KeyData: string(keyData)}})
+			errors.CheckError(err)
+			fmt.Printf("Created %d key(s) from input file", len(resp.Created.Items))
+			if len(resp.Skipped) > 0 {
+				fmt.Printf(", and %d key(s) were skipped because they exist already", len(resp.Skipped))
+			}
+			fmt.Printf(".\n")
+		},
+	}
+	command.Flags().StringVarP(&fromFile, "from", "f", "", "Path to the file that contains the GPG public key to import")
+	return command
+
+}
+
+// NewGPGDeleteCommand removes a key from the server's keyring
+func NewGPGDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "rm KEYID",
+		Short: "Removes a GPG public key from the server's keyring",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				errors.CheckError(fmt.Errorf("Missing KEYID argument"))
+			}
+			conn, gpgIf := argocdclient.NewClientOrDie(clientOpts).NewGPGKeyClientOrDie()
+			defer argoio.Close(conn)
+			_, err := gpgIf.Delete(context.Background(), &gpgkeypkg.GnuPGPublicKeyQuery{KeyID: args[0]})
+			errors.CheckError(err)
+			fmt.Printf("Deleted key with key ID %s\n", args[0])
+		},
+	}
+	return command
+
+}
+
+// Print table of certificate info
+func printKeyTable(keys []appsv1.GnuPGPublicKey) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "KEYID\tTYPE\tIDENTITY\n")
+
+	for _, k := range keys {
+		fmt.Fprintf(w, "%s\t%s\t%s\n", k.KeyID, strings.ToUpper(k.SubType), k.Owner)
+	}
+	_ = w.Flush()
+}

cmd/argocd/commands/login.go

@@ -2,26 +2,31 @@ package commands
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/base64"
 	"fmt"
+	"html"
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/coreos/go-oidc"
-	"github.com/dgrijalva/jwt-go"
+	"github.com/dgrijalva/jwt-go/v4"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
 	"golang.org/x/oauth2"
 
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	sessionpkg "github.com/argoproj/argo-cd/pkg/apiclient/session"
 	settingspkg "github.com/argoproj/argo-cd/pkg/apiclient/settings"
-	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/errors"
 	grpc_util "github.com/argoproj/argo-cd/util/grpc"
+	"github.com/argoproj/argo-cd/util/io"
+	jwtutil "github.com/argoproj/argo-cd/util/jwt"
 	"github.com/argoproj/argo-cd/util/localconfig"
 	oidcutil "github.com/argoproj/argo-cd/util/oidc"
 	"github.com/argoproj/argo-cd/util/rand"
@@ -41,41 +46,56 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 		Short: "Log in to Argo CD",
 		Long:  "Log in to Argo CD",
 		Run: func(c *cobra.Command, args []string) {
-			if len(args) == 0 {
+			var server string
+
+			if len(args) != 1 && !globalClientOpts.PortForward {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
-			server := args[0]
-			tlsTestResult, err := grpc_util.TestTLS(server)
-			errors.CheckError(err)
-			if !tlsTestResult.TLS {
-				if !globalClientOpts.PlainText {
-					if !cli.AskToProceed("WARNING: server is not configured with TLS. Proceed (y/n)? ") {
-						os.Exit(1)
+
+			if globalClientOpts.PortForward {
+				server = "port-forward"
+			} else {
+				server = args[0]
+				tlsTestResult, err := grpc_util.TestTLS(server)
+				errors.CheckError(err)
+				if !tlsTestResult.TLS {
+					if !globalClientOpts.PlainText {
+						if !cli.AskToProceed("WARNING: server is not configured with TLS. Proceed (y/n)? ") {
+							os.Exit(1)
+						}
+						globalClientOpts.PlainText = true
 					}
-					globalClientOpts.PlainText = true
-				}
-			} else if tlsTestResult.InsecureErr != nil {
-				if !globalClientOpts.Insecure {
-					if !cli.AskToProceed(fmt.Sprintf("WARNING: server certificate had error: %s. Proceed insecurely (y/n)? ", tlsTestResult.InsecureErr)) {
-						os.Exit(1)
+				} else if tlsTestResult.InsecureErr != nil {
+					if !globalClientOpts.Insecure {
+						if !cli.AskToProceed(fmt.Sprintf("WARNING: server certificate had error: %s. Proceed insecurely (y/n)? ", tlsTestResult.InsecureErr)) {
+							os.Exit(1)
+						}
+						globalClientOpts.Insecure = true
 					}
-					globalClientOpts.Insecure = true
 				}
 			}
 			clientOpts := argocdclient.ClientOptions{
-				ConfigPath: "",
-				ServerAddr: server,
-				Insecure:   globalClientOpts.Insecure,
-				PlainText:  globalClientOpts.PlainText,
-				GRPCWeb:    globalClientOpts.GRPCWeb,
+				ConfigPath:           "",
+				ServerAddr:           server,
+				Insecure:             globalClientOpts.Insecure,
+				PlainText:            globalClientOpts.PlainText,
+				GRPCWeb:              globalClientOpts.GRPCWeb,
+				GRPCWebRootPath:      globalClientOpts.GRPCWebRootPath,
+				PortForward:          globalClientOpts.PortForward,
+				PortForwardNamespace: globalClientOpts.PortForwardNamespace,
+				Headers:              globalClientOpts.Headers,
 			}
 			acdClient := argocdclient.NewClientOrDie(&clientOpts)
 			setConn, setIf := acdClient.NewSettingsClientOrDie()
-			defer util.Close(setConn)
+			defer io.Close(setConn)
 
 			if ctxName == "" {
 				ctxName = server
+				if globalClientOpts.GRPCWebRootPath != "" {
+					rootPath := strings.TrimRight(strings.TrimLeft(globalClientOpts.GRPCWebRootPath, "/"), "/")
+					ctxName = fmt.Sprintf("%s/%s", server, rootPath)
+				}
 			}
 
 			// Perform the login
@@ -92,14 +112,14 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 				errors.CheckError(err)
 				oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
 				errors.CheckError(err)
-				tokenString, refreshToken = oauth2Login(ctx, ssoPort, oauth2conf, provider)
+				tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
 			}
 
 			parser := &jwt.Parser{
-				SkipClaimsValidation: true,
+				ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
 			}
 			claims := jwt.MapClaims{}
-			_, _, err = parser.ParseUnverified(tokenString, &claims)
+			_, _, err := parser.ParseUnverified(tokenString, &claims)
 			errors.CheckError(err)
 
 			fmt.Printf("'%s' logged in successfully\n", userDisplayName(claims))
@@ -110,10 +130,11 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 				localCfg = &localconfig.LocalConfig{}
 			}
 			localCfg.UpsertServer(localconfig.Server{
-				Server:    server,
-				PlainText: globalClientOpts.PlainText,
-				Insecure:  globalClientOpts.Insecure,
-				GRPCWeb:   globalClientOpts.GRPCWeb,
+				Server:          server,
+				PlainText:       globalClientOpts.PlainText,
+				Insecure:        globalClientOpts.Insecure,
+				GRPCWeb:         globalClientOpts.GRPCWeb,
+				GRPCWebRootPath: globalClientOpts.GRPCWebRootPath,
 			})
 			localCfg.UpsertUser(localconfig.User{
 				Name:         ctxName,
@@ -143,18 +164,18 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 }
 
 func userDisplayName(claims jwt.MapClaims) string {
-	if email, ok := claims["email"]; ok && email != nil {
-		return email.(string)
+	if email := jwtutil.StringField(claims, "email"); email != "" {
+		return email
 	}
-	if name, ok := claims["name"]; ok && name != nil {
-		return name.(string)
+	if name := jwtutil.StringField(claims, "name"); name != "" {
+		return name
 	}
-	return claims["sub"].(string)
+	return jwtutil.StringField(claims, "sub")
 }
 
 // oauth2Login opens a browser, runs a temporary HTTP server to delegate OAuth2 login flow and
 // returns the JWT token and a refresh token (if supported)
-func oauth2Login(ctx context.Context, port int, oauth2conf *oauth2.Config, provider *oidc.Provider) (string, string) {
+func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCConfig, oauth2conf *oauth2.Config, provider *oidc.Provider) (string, string) {
 	oauth2conf.RedirectURL = fmt.Sprintf("http://localhost:%d/auth/callback", port)
 	oidcConf, err := oidcutil.ParseConfig(provider)
 	errors.CheckError(err)
@@ -172,17 +193,22 @@ func oauth2Login(ctx context.Context, port int, oauth2conf *oauth2.Config, provi
 	var refreshToken string
 
 	handleErr := func(w http.ResponseWriter, errMsg string) {
-		http.Error(w, errMsg, http.StatusBadRequest)
+		http.Error(w, html.EscapeString(errMsg), http.StatusBadRequest)
 		completionChan <- errMsg
 	}
 
+	// PKCE implementation of https://tools.ietf.org/html/rfc7636
+	codeVerifier := rand.RandStringCharset(43, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
+	codeChallengeHash := sha256.Sum256([]byte(codeVerifier))
+	codeChallenge := base64.RawURLEncoding.EncodeToString(codeChallengeHash[:])
+
 	// Authorization redirect callback from OAuth2 auth flow.
 	// Handles both implicit and authorization code flow
 	callbackHandler := func(w http.ResponseWriter, r *http.Request) {
 		log.Debugf("Callback: %s", r.URL)
 
 		if formErr := r.FormValue("error"); formErr != "" {
-			handleErr(w, formErr+": "+r.FormValue("error_description"))
+			handleErr(w, fmt.Sprintf("%s: %s", formErr, r.FormValue("error_description")))
 			return
 		}
 
@@ -215,7 +241,8 @@ func oauth2Login(ctx context.Context, port int, oauth2conf *oauth2.Config, provi
 				handleErr(w, fmt.Sprintf("no code in request: %q", r.Form))
 				return
 			}
-			tok, err := oauth2conf.Exchange(ctx, code)
+			opts := []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("code_verifier", codeVerifier)}
+			tok, err := oauth2conf.Exchange(ctx, code, opts...)
 			if err != nil {
 				handleErr(w, err.Error())
 				return
@@ -243,22 +270,30 @@ func oauth2Login(ctx context.Context, port int, oauth2conf *oauth2.Config, provi
 	fmt.Printf("Opening browser for authentication\n")
 
 	var url string
-	grantType := oidcutil.InferGrantType(oauth2conf, oidcConf)
+	grantType := oidcutil.InferGrantType(oidcConf)
+	opts := []oauth2.AuthCodeOption{oauth2.AccessTypeOffline}
+	if claimsRequested := oidcSettings.GetIDTokenClaims(); claimsRequested != nil {
+		opts = oidcutil.AppendClaimsAuthenticationRequestParameter(opts, claimsRequested)
+	}
+
 	switch grantType {
 	case oidcutil.GrantTypeAuthorizationCode:
-		url = oauth2conf.AuthCodeURL(stateNonce, oauth2.AccessTypeOffline)
+		opts = append(opts, oauth2.SetAuthURLParam("code_challenge", codeChallenge))
+		opts = append(opts, oauth2.SetAuthURLParam("code_challenge_method", "S256"))
+		url = oauth2conf.AuthCodeURL(stateNonce, opts...)
 	case oidcutil.GrantTypeImplicit:
-		url = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, oauth2.AccessTypeOffline)
+		url = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...)
 	default:
 		log.Fatalf("Unsupported grant type: %v", grantType)
 	}
 	fmt.Printf("Performing %s flow login: %s\n", grantType, url)
 	time.Sleep(1 * time.Second)
-	err = open.Run(url)
+	err = open.Start(url)
 	errors.CheckError(err)
 	go func() {
+		log.Debugf("Listen: %s", srv.Addr)
 		if err := srv.ListenAndServe(); err != http.ErrServerClosed {
-			log.Fatalf("listen: %s\n", err)
+			log.Fatalf("Temporary HTTP server failed: %s", err)
 		}
 	}()
 	errMsg := <-completionChan
@@ -277,7 +312,7 @@ func oauth2Login(ctx context.Context, port int, oauth2conf *oauth2.Config, provi
 func passwordLogin(acdClient argocdclient.Client, username, password string) string {
 	username, password = cli.PromptCredentials(username, password)
 	sessConn, sessionIf := acdClient.NewSessionClientOrDie()
-	defer util.Close(sessConn)
+	defer io.Close(sessConn)
 	sessionRequest := sessionpkg.SessionCreateRequest{
 		Username: username,
 		Password: password,

cmd/argocd/commands/login_test.go

@@ -0,0 +1,31 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/dgrijalva/jwt-go/v4"
+	"github.com/stretchr/testify/assert"
+)
+
+//
+
+func Test_userDisplayName_email(t *testing.T) {
+	claims := jwt.MapClaims{"iss": "qux", "sub": "foo", "email": "firstname.lastname@example.com", "groups": []string{"baz"}}
+	actualName := userDisplayName(claims)
+	expectedName := "firstname.lastname@example.com"
+	assert.Equal(t, expectedName, actualName)
+}
+
+func Test_userDisplayName_name(t *testing.T) {
+	claims := jwt.MapClaims{"iss": "qux", "sub": "foo", "name": "Firstname Lastname", "groups": []string{"baz"}}
+	actualName := userDisplayName(claims)
+	expectedName := "Firstname Lastname"
+	assert.Equal(t, expectedName, actualName)
+}
+
+func Test_userDisplayName_sub(t *testing.T) {
+	claims := jwt.MapClaims{"iss": "qux", "sub": "foo", "groups": []string{"baz"}}
+	actualName := userDisplayName(claims)
+	expectedName := "foo"
+	assert.Equal(t, expectedName, actualName)
+}

cmd/argocd/commands/logout.go

@@ -7,8 +7,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	"github.com/argoproj/argo-cd/util/errors"
 	"github.com/argoproj/argo-cd/util/localconfig"
 )
 

cmd/argocd/commands/logout_test.go

@@ -30,7 +30,9 @@ func TestLogout(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, localConfig.CurrentContext, "localhost:8080")
 	assert.NotContains(t, localConfig.Users, localconfig.User{AuthToken: "vErrYS3c3tReFRe$hToken", Name: "localhost:8080"})
-	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd.example.com:443", Server: "argocd.example.com:443", User: "argocd.example.com:443"})
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd1.example.com:443", Server: "argocd1.example.com:443", User: "argocd1.example.com:443"})
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "argocd2.example.com:443", Server: "argocd2.example.com:443", User: "argocd2.example.com:443"})
+	assert.Contains(t, localConfig.Contexts, localconfig.ContextRef{Name: "localhost:8080", Server: "localhost:8080", User: "localhost:8080"})
 
 	// Write the file again so that no conflicts are made in git
 	err = ioutil.WriteFile(testConfigFilePath, []byte(testConfig), os.ModePerm)

cmd/argocd/commands/project.go

@@ -10,50 +10,31 @@ import (
 	"text/tabwriter"
 	"time"
 
-	"github.com/dustin/go-humanize"
+	humanize "github.com/dustin/go-humanize"
 	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/argoproj/argo-cd/errors"
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/errors"
 	"github.com/argoproj/argo-cd/util/git"
+	"github.com/argoproj/argo-cd/util/gpg"
+	argoio "github.com/argoproj/argo-cd/util/io"
 )
 
-type projectOpts struct {
-	description  string
-	destinations []string
-	sources      []string
-}
-
 type policyOpts struct {
 	action     string
 	permission string
 	object     string
 }
 
-func (opts *projectOpts) GetDestinations() []v1alpha1.ApplicationDestination {
-	destinations := make([]v1alpha1.ApplicationDestination, 0)
-	for _, destStr := range opts.destinations {
-		parts := strings.Split(destStr, ",")
-		if len(parts) != 2 {
-			log.Fatalf("Expected destination of the form: server,namespace. Received: %s", destStr)
-		} else {
-			destinations = append(destinations, v1alpha1.ApplicationDestination{
-				Server:    parts[0],
-				Namespace: parts[1],
-			})
-		}
-	}
-	return destinations
-}
-
 // NewProjectCommand returns a new instance of an `argocd proj` command
 func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
@@ -71,6 +52,8 @@ func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command.AddCommand(NewProjectListCommand(clientOpts))
 	command.AddCommand(NewProjectSetCommand(clientOpts))
 	command.AddCommand(NewProjectEditCommand(clientOpts))
+	command.AddCommand(NewProjectAddSignatureKeyCommand(clientOpts))
+	command.AddCommand(NewProjectRemoveSignatureKeyCommand(clientOpts))
 	command.AddCommand(NewProjectAddDestinationCommand(clientOpts))
 	command.AddCommand(NewProjectRemoveDestinationCommand(clientOpts))
 	command.AddCommand(NewProjectAddSourceCommand(clientOpts))
@@ -79,16 +62,12 @@ func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command.AddCommand(NewProjectDenyClusterResourceCommand(clientOpts))
 	command.AddCommand(NewProjectAllowNamespaceResourceCommand(clientOpts))
 	command.AddCommand(NewProjectDenyNamespaceResourceCommand(clientOpts))
+	command.AddCommand(NewProjectWindowsCommand(clientOpts))
+	command.AddCommand(NewProjectAddOrphanedIgnoreCommand(clientOpts))
+	command.AddCommand(NewProjectRemoveOrphanedIgnoreCommand(clientOpts))
 	return command
 }
 
-func addProjFlags(command *cobra.Command, opts *projectOpts) {
-	command.Flags().StringVarP(&opts.description, "description", "", "", "Project description")
-	command.Flags().StringArrayVarP(&opts.destinations, "dest", "d", []string{},
-		"Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)")
-	command.Flags().StringArrayVarP(&opts.sources, "src", "s", []string{}, "Permitted git source repository URL")
-}
-
 func addPolicyFlags(command *cobra.Command, opts *policyOpts) {
 	command.Flags().StringVarP(&opts.action, "action", "a", "", "Action to grant/deny permission on (e.g. get, create, list, update, delete)")
 	command.Flags().StringVarP(&opts.permission, "permission", "p", "allow", "Whether to allow or deny access to object with the action.  This can only be 'allow' or 'deny'")
@@ -103,40 +82,37 @@ func humanizeTimestamp(epoch int64) string {
 // NewProjectCreateCommand returns a new instance of an `argocd proj create` command
 func NewProjectCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		opts projectOpts
+		opts    cmdutil.ProjectOpts
+		fileURL string
+		upsert  bool
 	)
 	var command = &cobra.Command{
 		Use:   "create PROJECT",
 		Short: "Create a project",
 		Run: func(c *cobra.Command, args []string) {
-			if len(args) == 0 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			projName := args[0]
-			proj := v1alpha1.AppProject{
-				ObjectMeta: v1.ObjectMeta{Name: projName},
-				Spec: v1alpha1.AppProjectSpec{
-					Description:  opts.description,
-					Destinations: opts.GetDestinations(),
-					SourceRepos:  opts.sources,
-				},
-			}
-			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			proj, err := cmdutil.ConstructAppProj(fileURL, args, opts, c)
+			errors.CheckError(err)
 
-			_, err := projIf.Create(context.Background(), &projectpkg.ProjectCreateRequest{Project: &proj})
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer argoio.Close(conn)
+			_, err = projIf.Create(context.Background(), &projectpkg.ProjectCreateRequest{Project: proj, Upsert: upsert})
 			errors.CheckError(err)
 		},
 	}
-	addProjFlags(command, &opts)
+	command.Flags().BoolVar(&upsert, "upsert", false, "Allows to override a project with the same name even if supplied project spec is different from existing spec")
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the project")
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	if err != nil {
+		log.Fatal(err)
+	}
+	cmdutil.AddProjFlags(command, &opts)
 	return command
 }
 
 // NewProjectSetCommand returns a new instance of an `argocd proj set` command
 func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		opts projectOpts
+		opts cmdutil.ProjectOpts
 	)
 	var command = &cobra.Command{
 		Use:   "set PROJECT",
@@ -148,7 +124,7 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			}
 			projName := args[0]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -158,11 +134,15 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 				visited++
 				switch f.Name {
 				case "description":
-					proj.Spec.Description = opts.description
+					proj.Spec.Description = opts.Description
 				case "dest":
 					proj.Spec.Destinations = opts.GetDestinations()
 				case "src":
-					proj.Spec.SourceRepos = opts.sources
+					proj.Spec.SourceRepos = opts.Sources
+				case "signature-keys":
+					proj.Spec.SignatureKeys = opts.GetSignatureKeys()
+				case "orphaned-resources", "orphaned-resources-warn":
+					proj.Spec.OrphanedResources = cmdutil.GetOrphanedResourcesSettings(c, opts)
 				}
 			})
 			if visited == 0 {
@@ -175,7 +155,82 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			errors.CheckError(err)
 		},
 	}
-	addProjFlags(command, &opts)
+	cmdutil.AddProjFlags(command, &opts)
+	return command
+}
+
+// NewProjectAddSignatureKeyCommand returns a new instance of an `argocd proj add-signature-key` command
+func NewProjectAddSignatureKeyCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "add-signature-key PROJECT KEY-ID",
+		Short: "Add GnuPG signature key to project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			signatureKey := args[1]
+
+			if !gpg.IsShortKeyID(signatureKey) && !gpg.IsLongKeyID(signatureKey) {
+				log.Fatalf("%s is not a valid GnuPG key ID", signatureKey)
+			}
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer argoio.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for _, key := range proj.Spec.SignatureKeys {
+				if key.KeyID == signatureKey {
+					log.Fatal("Specified signature key is already defined in project")
+				}
+			}
+			proj.Spec.SignatureKeys = append(proj.Spec.SignatureKeys, v1alpha1.SignatureKey{KeyID: signatureKey})
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectRemoveSignatureKeyCommand returns a new instance of an `argocd proj remove-signature-key` command
+func NewProjectRemoveSignatureKeyCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "remove-signature-key PROJECT KEY-ID",
+		Short: "Remove GnuPG signature key from project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			signatureKey := args[1]
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer argoio.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			index := -1
+			for i, key := range proj.Spec.SignatureKeys {
+				if key.KeyID == signatureKey {
+					index = i
+					break
+				}
+			}
+			if index == -1 {
+				log.Fatal("Specified signature key is not configured for project")
+			} else {
+				proj.Spec.SignatureKeys = append(proj.Spec.SignatureKeys[:index], proj.Spec.SignatureKeys[index+1:]...)
+				_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+				errors.CheckError(err)
+			}
+		},
+	}
+
 	return command
 }
 
@@ -193,7 +248,7 @@ func NewProjectAddDestinationCommand(clientOpts *argocdclient.ClientOptions) *co
 			server := args[1]
 			namespace := args[2]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -225,7 +280,7 @@ func NewProjectRemoveDestinationCommand(clientOpts *argocdclient.ClientOptions)
 			server := args[1]
 			namespace := args[2]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -250,6 +305,96 @@ func NewProjectRemoveDestinationCommand(clientOpts *argocdclient.ClientOptions)
 	return command
 }
 
+// NewProjectAddOrphanedIgnoreCommand returns a new instance of an `argocd proj add-orphaned-ignore` command
+func NewProjectAddOrphanedIgnoreCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		name string
+	)
+	var command = &cobra.Command{
+		Use:   "add-orphaned-ignore PROJECT GROUP KIND",
+		Short: "Add a resource to orphaned ignore list",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			group := args[1]
+			kind := args[2]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer argoio.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			if proj.Spec.OrphanedResources == nil {
+				settings := v1alpha1.OrphanedResourcesMonitorSettings{}
+				settings.Ignore = []v1alpha1.OrphanedResourceKey{{Group: group, Kind: kind, Name: name}}
+				proj.Spec.OrphanedResources = &settings
+			} else {
+				for _, ignore := range proj.Spec.OrphanedResources.Ignore {
+					if ignore.Group == group && ignore.Kind == kind && ignore.Name == name {
+						log.Fatal("Specified resource is already defined in the orphaned ignore list of project")
+						return
+					}
+				}
+				proj.Spec.OrphanedResources.Ignore = append(proj.Spec.OrphanedResources.Ignore, v1alpha1.OrphanedResourceKey{Group: group, Kind: kind, Name: name})
+			}
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().StringVar(&name, "name", "", "Resource name pattern")
+	return command
+}
+
+// NewProjectRemoveOrphanedIgnoreCommand returns a new instance of an `argocd proj remove-orphaned-ignore` command
+func NewProjectRemoveOrphanedIgnoreCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		name string
+	)
+	var command = &cobra.Command{
+		Use:   "remove-orphaned-ignore PROJECT GROUP KIND NAME",
+		Short: "Remove a resource from orphaned ignore list",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			group := args[1]
+			kind := args[2]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer argoio.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			if proj.Spec.OrphanedResources == nil {
+				log.Fatal("Specified resource does not exist in the orphaned ignore list of project")
+				return
+			}
+
+			index := -1
+			for i, ignore := range proj.Spec.OrphanedResources.Ignore {
+				if ignore.Group == group && ignore.Kind == kind && ignore.Name == name {
+					index = i
+					break
+				}
+			}
+			if index == -1 {
+				log.Fatal("Specified resource does not exist in the orphaned ignore of project")
+			} else {
+				proj.Spec.OrphanedResources.Ignore = append(proj.Spec.OrphanedResources.Ignore[:index], proj.Spec.OrphanedResources.Ignore[index+1:]...)
+				_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+				errors.CheckError(err)
+			}
+		},
+	}
+	command.Flags().StringVar(&name, "name", "", "Resource name pattern")
+	return command
+}
+
 // NewProjectAddSourceCommand returns a new instance of an `argocd proj add-src` command
 func NewProjectAddSourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
@@ -263,7 +408,7 @@ func NewProjectAddSourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 			projName := args[0]
 			url := args[1]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -286,8 +431,46 @@ func NewProjectAddSourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 	return command
 }
 
-func modifyProjectResourceCmd(cmdUse, cmdDesc string, clientOpts *argocdclient.ClientOptions, action func(proj *v1alpha1.AppProject, group string, kind string) bool) *cobra.Command {
-	return &cobra.Command{
+func modifyResourcesList(list *[]metav1.GroupKind, add bool, listDesc string, group string, kind string) bool {
+	if add {
+		for _, item := range *list {
+			if item.Group == group && item.Kind == kind {
+				fmt.Printf("Group '%s' and kind '%s' already present in %s resources\n", group, kind, listDesc)
+				return false
+			}
+		}
+		fmt.Printf("Group '%s' and kind '%s' is added to %s resources\n", group, kind, listDesc)
+		*list = append(*list, v1.GroupKind{Group: group, Kind: kind})
+		return true
+	} else {
+		index := -1
+		for i, item := range *list {
+			if item.Group == group && item.Kind == kind {
+				index = i
+				break
+			}
+		}
+		if index == -1 {
+			fmt.Printf("Group '%s' and kind '%s' not in %s resources\n", group, kind, listDesc)
+			return false
+		}
+		*list = append((*list)[:index], (*list)[index+1:]...)
+		fmt.Printf("Group '%s' and kind '%s' is removed from %s resources\n", group, kind, listDesc)
+		return true
+	}
+}
+
+func modifyResourceListCmd(cmdUse, cmdDesc string, clientOpts *argocdclient.ClientOptions, allow bool, namespacedList bool) *cobra.Command {
+	var (
+		listType    string
+		defaultList string
+	)
+	if namespacedList {
+		defaultList = "deny"
+	} else {
+		defaultList = "allow"
+	}
+	var command = &cobra.Command{
 		Use:   cmdUse,
 		Short: cmdDesc,
 		Run: func(c *cobra.Command, args []string) {
@@ -297,91 +480,67 @@ func modifyProjectResourceCmd(cmdUse, cmdDesc string, clientOpts *argocdclient.C
 			}
 			projName, group, kind := args[0], args[1], args[2]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
+			var list, allowList, denyList *[]metav1.GroupKind
+			var listAction, listDesc string
+			var add bool
+			if namespacedList {
+				allowList, denyList = &proj.Spec.NamespaceResourceWhitelist, &proj.Spec.NamespaceResourceBlacklist
+				listDesc = "namespaced"
+			} else {
+				allowList, denyList = &proj.Spec.ClusterResourceWhitelist, &proj.Spec.ClusterResourceBlacklist
+				listDesc = "cluster"
+			}
 
-			if action(proj, group, kind) {
+			if (listType == "allow") || (listType == "white") {
+				list = allowList
+				listAction = "allowed"
+				add = allow
+			} else {
+				list = denyList
+				listAction = "denied"
+				add = !allow
+			}
+
+			if modifyResourcesList(list, add, listAction+" "+listDesc, group, kind) {
 				_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
 				errors.CheckError(err)
 			}
 		},
 	}
+	command.Flags().StringVarP(&listType, "list", "l", defaultList, "Use deny list or allow list. This can only be 'allow' or 'deny'")
+	return command
 }
 
 // NewProjectAllowNamespaceResourceCommand returns a new instance of an `deny-cluster-resources` command
 func NewProjectAllowNamespaceResourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	use := "allow-namespace-resource PROJECT GROUP KIND"
-	desc := "Removes a namespaced API resource from the blacklist"
-	return modifyProjectResourceCmd(use, desc, clientOpts, func(proj *v1alpha1.AppProject, group string, kind string) bool {
-		index := -1
-		for i, item := range proj.Spec.NamespaceResourceBlacklist {
-			if item.Group == group && item.Kind == kind {
-				index = i
-				break
-			}
-		}
-		if index == -1 {
-			fmt.Printf("Group '%s' and kind '%s' not in blacklisted namespaced resources\n", group, kind)
-			return false
-		}
-		proj.Spec.NamespaceResourceBlacklist = append(proj.Spec.NamespaceResourceBlacklist[:index], proj.Spec.NamespaceResourceBlacklist[index+1:]...)
-		return true
-	})
+	desc := "Removes a namespaced API resource from the deny list or add a namespaced API resource to the allow list"
+	return modifyResourceListCmd(use, desc, clientOpts, true, true)
 }
 
 // NewProjectDenyNamespaceResourceCommand returns a new instance of an `argocd proj deny-namespace-resource` command
 func NewProjectDenyNamespaceResourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	use := "deny-namespace-resource PROJECT GROUP KIND"
-	desc := "Adds a namespaced API resource to the blacklist"
-	return modifyProjectResourceCmd(use, desc, clientOpts, func(proj *v1alpha1.AppProject, group string, kind string) bool {
-		for _, item := range proj.Spec.NamespaceResourceBlacklist {
-			if item.Group == group && item.Kind == kind {
-				fmt.Printf("Group '%s' and kind '%s' already present in blacklisted namespaced resources\n", group, kind)
-				return false
-			}
-		}
-		proj.Spec.NamespaceResourceBlacklist = append(proj.Spec.NamespaceResourceBlacklist, v1.GroupKind{Group: group, Kind: kind})
-		return true
-	})
+	desc := "Adds a namespaced API resource to the deny list or removes a namespaced API resource from the allow list"
+	return modifyResourceListCmd(use, desc, clientOpts, false, true)
 }
 
 // NewProjectDenyClusterResourceCommand returns a new instance of an `deny-cluster-resource` command
 func NewProjectDenyClusterResourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	use := "deny-cluster-resource PROJECT GROUP KIND"
-	desc := "Removes a cluster-scoped API resource from the whitelist"
-	return modifyProjectResourceCmd(use, desc, clientOpts, func(proj *v1alpha1.AppProject, group string, kind string) bool {
-		index := -1
-		for i, item := range proj.Spec.ClusterResourceWhitelist {
-			if item.Group == group && item.Kind == kind {
-				index = i
-				break
-			}
-		}
-		if index == -1 {
-			fmt.Printf("Group '%s' and kind '%s' not in whitelisted cluster resources\n", group, kind)
-			return false
-		}
-		proj.Spec.ClusterResourceWhitelist = append(proj.Spec.ClusterResourceWhitelist[:index], proj.Spec.ClusterResourceWhitelist[index+1:]...)
-		return true
-	})
+	desc := "Removes a cluster-scoped API resource from the allow list and adds it to deny list"
+	return modifyResourceListCmd(use, desc, clientOpts, false, false)
 }
 
 // NewProjectAllowClusterResourceCommand returns a new instance of an `argocd proj allow-cluster-resource` command
 func NewProjectAllowClusterResourceCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	use := "allow-cluster-resource PROJECT GROUP KIND"
-	desc := "Adds a cluster-scoped API resource to the whitelist"
-	return modifyProjectResourceCmd(use, desc, clientOpts, func(proj *v1alpha1.AppProject, group string, kind string) bool {
-		for _, item := range proj.Spec.ClusterResourceWhitelist {
-			if item.Group == group && item.Kind == kind {
-				fmt.Printf("Group '%s' and kind '%s' already present in whitelisted cluster resources\n", group, kind)
-				return false
-			}
-		}
-		proj.Spec.ClusterResourceWhitelist = append(proj.Spec.ClusterResourceWhitelist, v1.GroupKind{Group: group, Kind: kind})
-		return true
-	})
+	desc := "Adds a cluster-scoped API resource to the allow list and removes it from deny list"
+	return modifyResourceListCmd(use, desc, clientOpts, true, false)
 }
 
 // NewProjectRemoveSourceCommand returns a new instance of an `argocd proj remove-src` command
@@ -397,7 +556,7 @@ func NewProjectRemoveSourceCommand(clientOpts *argocdclient.ClientOptions) *cobr
 			projName := args[0]
 			url := args[1]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -433,7 +592,7 @@ func NewProjectDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 				os.Exit(1)
 			}
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 			for _, name := range args {
 				_, err := projIf.Delete(context.Background(), &projectpkg.ProjectQuery{Name: name})
 				errors.CheckError(err)
@@ -453,7 +612,7 @@ func printProjectNames(projects []v1alpha1.AppProject) {
 // Print table of project info
 func printProjectTable(projects []v1alpha1.AppProject) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	fmt.Fprintf(w, "NAME\tDESCRIPTION\tDESTINATIONS\tSOURCES\tCLUSTER-RESOURCE-WHITELIST\tNAMESPACE-RESOURCE-BLACKLIST\n")
+	fmt.Fprintf(w, "NAME\tDESCRIPTION\tDESTINATIONS\tSOURCES\tCLUSTER-RESOURCE-WHITELIST\tNAMESPACE-RESOURCE-BLACKLIST\tSIGNATURE-KEYS\tORPHANED-RESOURCES\n")
 	for _, p := range projects {
 		printProjectLine(w, &p)
 	}
@@ -470,22 +629,39 @@ func NewProjectListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 		Short: "List projects",
 		Run: func(c *cobra.Command, args []string) {
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 			projects, err := projIf.List(context.Background(), &projectpkg.ProjectQuery{})
 			errors.CheckError(err)
-			if output == "name" {
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(projects.Items, output, false)
+				errors.CheckError(err)
+			case "name":
 				printProjectNames(projects.Items)
-			} else {
+			case "wide", "":
 				printProjectTable(projects.Items)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
 			}
 		},
 	}
-	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|name")
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|name")
 	return command
 }
 
+func formatOrphanedResources(p *v1alpha1.AppProject) string {
+	if p.Spec.OrphanedResources == nil {
+		return "disabled"
+	}
+	details := fmt.Sprintf("warn=%v", p.Spec.OrphanedResources.IsWarn())
+	if len(p.Spec.OrphanedResources.Ignore) > 0 {
+		details = fmt.Sprintf("%s, ignored %d", details, len(p.Spec.OrphanedResources.Ignore))
+	}
+	return fmt.Sprintf("enabled (%s)", details)
+}
+
 func printProjectLine(w io.Writer, p *v1alpha1.AppProject) {
-	var destinations, sourceRepos, clusterWhitelist, namespaceBlacklist string
+	var destinations, sourceRepos, clusterWhitelist, namespaceBlacklist, signatureKeys string
 	switch len(p.Spec.Destinations) {
 	case 0:
 		destinations = "<none>"
@@ -516,12 +692,81 @@ func printProjectLine(w io.Writer, p *v1alpha1.AppProject) {
 	default:
 		namespaceBlacklist = fmt.Sprintf("%d resources", len(p.Spec.NamespaceResourceBlacklist))
 	}
-	fmt.Fprintf(w, "%s\t%s\t%v\t%v\t%v\t%v\n", p.Name, p.Spec.Description, destinations, sourceRepos, clusterWhitelist, namespaceBlacklist)
+	switch len(p.Spec.SignatureKeys) {
+	case 0:
+		signatureKeys = "<none>"
+	default:
+		signatureKeys = fmt.Sprintf("%d key(s)", len(p.Spec.SignatureKeys))
+	}
+	fmt.Fprintf(w, "%s\t%s\t%v\t%v\t%v\t%v\t%v\t%v\n", p.Name, p.Spec.Description, destinations, sourceRepos, clusterWhitelist, namespaceBlacklist, signatureKeys, formatOrphanedResources(p))
+}
+
+func printProject(p *v1alpha1.AppProject) {
+	const printProjFmtStr = "%-29s%s\n"
+
+	fmt.Printf(printProjFmtStr, "Name:", p.Name)
+	fmt.Printf(printProjFmtStr, "Description:", p.Spec.Description)
+
+	// Print destinations
+	dest0 := "<none>"
+	if len(p.Spec.Destinations) > 0 {
+		dest0 = fmt.Sprintf("%s,%s", p.Spec.Destinations[0].Server, p.Spec.Destinations[0].Namespace)
+	}
+	fmt.Printf(printProjFmtStr, "Destinations:", dest0)
+	for i := 1; i < len(p.Spec.Destinations); i++ {
+		fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s,%s", p.Spec.Destinations[i].Server, p.Spec.Destinations[i].Namespace))
+	}
+
+	// Print sources
+	src0 := "<none>"
+	if len(p.Spec.SourceRepos) > 0 {
+		src0 = p.Spec.SourceRepos[0]
+	}
+	fmt.Printf(printProjFmtStr, "Repositories:", src0)
+	for i := 1; i < len(p.Spec.SourceRepos); i++ {
+		fmt.Printf(printProjFmtStr, "", p.Spec.SourceRepos[i])
+	}
+
+	// Print allowed cluster resources
+	cwl0 := "<none>"
+	if len(p.Spec.ClusterResourceWhitelist) > 0 {
+		cwl0 = fmt.Sprintf("%s/%s", p.Spec.ClusterResourceWhitelist[0].Group, p.Spec.ClusterResourceWhitelist[0].Kind)
+	}
+	fmt.Printf(printProjFmtStr, "Allowed Cluster Resources:", cwl0)
+	for i := 1; i < len(p.Spec.ClusterResourceWhitelist); i++ {
+		fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s/%s", p.Spec.ClusterResourceWhitelist[i].Group, p.Spec.ClusterResourceWhitelist[i].Kind))
+	}
+
+	// Print denied namespaced resources
+	rbl0 := "<none>"
+	if len(p.Spec.NamespaceResourceBlacklist) > 0 {
+		rbl0 = fmt.Sprintf("%s/%s", p.Spec.NamespaceResourceBlacklist[0].Group, p.Spec.NamespaceResourceBlacklist[0].Kind)
+	}
+	fmt.Printf(printProjFmtStr, "Denied Namespaced Resources:", rbl0)
+	for i := 1; i < len(p.Spec.NamespaceResourceBlacklist); i++ {
+		fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s/%s", p.Spec.NamespaceResourceBlacklist[i].Group, p.Spec.NamespaceResourceBlacklist[i].Kind))
+	}
+
+	// Print required signature keys
+	signatureKeysStr := "<none>"
+	if len(p.Spec.SignatureKeys) > 0 {
+		kids := make([]string, 0)
+		for _, key := range p.Spec.SignatureKeys {
+			kids = append(kids, key.KeyID)
+		}
+		signatureKeysStr = strings.Join(kids, ", ")
+	}
+	fmt.Printf(printProjFmtStr, "Signature keys:", signatureKeysStr)
+
+	fmt.Printf(printProjFmtStr, "Orphaned Resources:", formatOrphanedResources(p))
+
 }
 
 // NewProjectGetCommand returns a new instance of an `argocd proj get` command
 func NewProjectGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	const printProjFmtStr = "%-34s%s\n"
+	var (
+		output string
+	)
 	var command = &cobra.Command{
 		Use:   "get PROJECT",
 		Short: "Get project details",
@@ -532,53 +777,22 @@ func NewProjectGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			}
 			projName := args[0]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 			p, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
-			fmt.Printf(printProjFmtStr, "Name:", p.Name)
-			fmt.Printf(printProjFmtStr, "Description:", p.Spec.Description)
 
-			// Print destinations
-			dest0 := "<none>"
-			if len(p.Spec.Destinations) > 0 {
-				dest0 = fmt.Sprintf("%s,%s", p.Spec.Destinations[0].Server, p.Spec.Destinations[0].Namespace)
-			}
-			fmt.Printf(printProjFmtStr, "Destinations:", dest0)
-			for i := 1; i < len(p.Spec.Destinations); i++ {
-				fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s,%s", p.Spec.Destinations[i].Server, p.Spec.Destinations[i].Namespace))
-			}
-
-			// Print sources
-			src0 := "<none>"
-			if len(p.Spec.SourceRepos) > 0 {
-				src0 = p.Spec.SourceRepos[0]
-			}
-			fmt.Printf(printProjFmtStr, "Repositories:", src0)
-			for i := 1; i < len(p.Spec.SourceRepos); i++ {
-				fmt.Printf(printProjFmtStr, "", p.Spec.SourceRepos[i])
-			}
-
-			// Print whitelisted cluster resources
-			cwl0 := "<none>"
-			if len(p.Spec.ClusterResourceWhitelist) > 0 {
-				cwl0 = fmt.Sprintf("%s/%s", p.Spec.ClusterResourceWhitelist[0].Group, p.Spec.ClusterResourceWhitelist[0].Kind)
-			}
-			fmt.Printf(printProjFmtStr, "Whitelisted Cluster Resources:", cwl0)
-			for i := 1; i < len(p.Spec.ClusterResourceWhitelist); i++ {
-				fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s/%s", p.Spec.ClusterResourceWhitelist[i].Group, p.Spec.ClusterResourceWhitelist[i].Kind))
-			}
-
-			// Print blacklisted namespaced resources
-			rbl0 := "<none>"
-			if len(p.Spec.NamespaceResourceBlacklist) > 0 {
-				rbl0 = fmt.Sprintf("%s/%s", p.Spec.NamespaceResourceBlacklist[0].Group, p.Spec.NamespaceResourceBlacklist[0].Kind)
-			}
-			fmt.Printf(printProjFmtStr, "Blacklisted Namespaced Resources:", rbl0)
-			for i := 1; i < len(p.Spec.NamespaceResourceBlacklist); i++ {
-				fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s/%s", p.Spec.NamespaceResourceBlacklist[i].Group, p.Spec.NamespaceResourceBlacklist[i].Kind))
+			switch output {
+			case "yaml", "json":
+				err := PrintResource(p, output)
+				errors.CheckError(err)
+			case "wide", "":
+				printProject(p)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
 			}
 		},
 	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
 	return command
 }
 
@@ -593,7 +807,7 @@ func NewProjectEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 			}
 			projName := args[0]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer argoio.Close(conn)
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 			projData, err := json.Marshal(proj.Spec)

cmd/argocd/commands/project_role.go

@@ -6,15 +6,18 @@ import (
 	"os"
 	"strconv"
 	"text/tabwriter"
+	"time"
 
 	timeutil "github.com/argoproj/pkg/time"
+	jwtgo "github.com/dgrijalva/jwt-go/v4"
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/io"
+	"github.com/argoproj/argo-cd/util/jwt"
 )
 
 const (
@@ -36,6 +39,7 @@ func NewProjectRoleCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 	roleCommand.AddCommand(NewProjectRoleCreateCommand(clientOpts))
 	roleCommand.AddCommand(NewProjectRoleDeleteCommand(clientOpts))
 	roleCommand.AddCommand(NewProjectRoleCreateTokenCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectRoleListTokensCommand(clientOpts))
 	roleCommand.AddCommand(NewProjectRoleDeleteTokenCommand(clientOpts))
 	roleCommand.AddCommand(NewProjectRoleAddPolicyCommand(clientOpts))
 	roleCommand.AddCommand(NewProjectRoleRemovePolicyCommand(clientOpts))
@@ -60,7 +64,7 @@ func NewProjectRoleAddPolicyCommand(clientOpts *argocdclient.ClientOptions) *cob
 			projName := args[0]
 			roleName := args[1]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -95,7 +99,7 @@ func NewProjectRoleRemovePolicyCommand(clientOpts *argocdclient.ClientOptions) *
 			projName := args[0]
 			roleName := args[1]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -140,7 +144,7 @@ func NewProjectRoleCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 			projName := args[0]
 			roleName := args[1]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -174,7 +178,7 @@ func NewProjectRoleDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 			projName := args[0]
 			roleName := args[1]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -195,14 +199,25 @@ func NewProjectRoleDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 	return command
 }
 
+func tokenTimeToString(t int64) string {
+	tokenTimeToString := "Never"
+	if t > 0 {
+		tokenTimeToString = time.Unix(t, 0).Format(time.RFC3339)
+	}
+	return tokenTimeToString
+}
+
 // NewProjectRoleCreateTokenCommand returns a new instance of an `argocd proj role create-token` command
 func NewProjectRoleCreateTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		expiresIn string
+		expiresIn       string
+		outputTokenOnly bool
+		tokenID         string
 	)
 	var command = &cobra.Command{
-		Use:   "create-token PROJECT ROLE-NAME",
-		Short: "Create a project token",
+		Use:     "create-token PROJECT ROLE-NAME",
+		Short:   "Create a project token",
+		Aliases: []string{"token-create"},
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 2 {
 				c.HelpFunc()(c, args)
@@ -211,24 +226,110 @@ func NewProjectRoleCreateTokenCommand(clientOpts *argocdclient.ClientOptions) *c
 			projName := args[0]
 			roleName := args[1]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
+			if expiresIn == "" {
+				expiresIn = "0s"
+			}
 			duration, err := timeutil.ParseDuration(expiresIn)
 			errors.CheckError(err)
-			token, err := projIf.CreateToken(context.Background(), &projectpkg.ProjectTokenCreateRequest{Project: projName, Role: roleName, ExpiresIn: int64(duration.Seconds())})
+			tokenResponse, err := projIf.CreateToken(context.Background(), &projectpkg.ProjectTokenCreateRequest{
+				Project:   projName,
+				Role:      roleName,
+				ExpiresIn: int64(duration.Seconds()),
+				Id:        tokenID,
+			})
 			errors.CheckError(err)
-			fmt.Println(token.Token)
+
+			token, err := jwtgo.Parse(tokenResponse.Token, nil)
+			if token == nil {
+				err = fmt.Errorf("received malformed token %v", err)
+				errors.CheckError(err)
+				return
+			}
+
+			claims := token.Claims.(jwtgo.MapClaims)
+			issuedAt, _ := jwt.IssuedAt(claims)
+			expiresAt := int64(jwt.Float64Field(claims, "exp"))
+			id := jwt.StringField(claims, "jti")
+			subject := jwt.StringField(claims, "sub")
+
+			if !outputTokenOnly {
+				fmt.Printf("Create token succeeded for %s.\n", subject)
+				fmt.Printf("  ID: %s\n  Issued At: %s\n  Expires At: %s\n",
+					id, tokenTimeToString(issuedAt), tokenTimeToString(expiresAt),
+				)
+				fmt.Println("  Token: " + tokenResponse.Token)
+			} else {
+				fmt.Println(tokenResponse.Token)
+			}
 		},
 	}
-	command.Flags().StringVarP(&expiresIn, "expires-in", "e", "0s", "Duration before the token will expire. (Default: No expiration)")
+	command.Flags().StringVarP(&expiresIn, "expires-in", "e", "",
+		"Duration before the token will expire, eg \"12h\", \"7d\". (Default: No expiration)",
+	)
+	command.Flags().StringVarP(&tokenID, "id", "i", "", "Token unique identifier. (Default: Random UUID)")
+	command.Flags().BoolVarP(&outputTokenOnly, "token-only", "t", false, "Output token only - for use in scripts.")
 
 	return command
 }
 
+func NewProjectRoleListTokensCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		useUnixTime bool
+	)
+	var command = &cobra.Command{
+		Use:     "list-tokens PROJECT ROLE-NAME",
+		Short:   "List tokens for a given role.",
+		Aliases: []string{"list-token", "token-list"},
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			roleName := args[1]
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer io.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+			role, _, err := proj.GetRoleByName(roleName)
+			errors.CheckError(err)
+
+			if len(role.JWTTokens) == 0 {
+				fmt.Printf("No tokens for %s.%s\n", projName, roleName)
+				return
+			}
+
+			writer := tabwriter.NewWriter(os.Stdout, 0, 0, 4, ' ', 0)
+			_, err = fmt.Fprintf(writer, "ID\tISSUED AT\tEXPIRES AT\n")
+			errors.CheckError(err)
+
+			tokenRowFormat := "%s\t%v\t%v\n"
+			for _, token := range role.JWTTokens {
+				if useUnixTime {
+					_, _ = fmt.Fprintf(writer, tokenRowFormat, token.ID, token.IssuedAt, token.ExpiresAt)
+				} else {
+					_, _ = fmt.Fprintf(writer, tokenRowFormat, token.ID, tokenTimeToString(token.IssuedAt), tokenTimeToString(token.ExpiresAt))
+				}
+			}
+			err = writer.Flush()
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().BoolVarP(&useUnixTime, "unixtime", "u", false,
+		"Print timestamps as Unix time instead of converting. Useful for piping into delete-token.",
+	)
+	return command
+}
+
 // NewProjectRoleDeleteTokenCommand returns a new instance of an `argocd proj role delete-token` command
 func NewProjectRoleDeleteTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
-		Use:   "delete-token PROJECT ROLE-NAME ISSUED-AT",
-		Short: "Delete a project token",
+		Use:     "delete-token PROJECT ROLE-NAME ISSUED-AT",
+		Short:   "Delete a project token",
+		Aliases: []string{"token-delete", "remove-token"},
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 3 {
 				c.HelpFunc()(c, args)
@@ -240,7 +341,7 @@ func NewProjectRoleDeleteTokenCommand(clientOpts *argocdclient.ClientOptions) *c
 			errors.CheckError(err)
 
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			_, err = projIf.DeleteToken(context.Background(), &projectpkg.ProjectTokenDeleteRequest{Project: projName, Role: roleName, Iat: issuedAt})
 			errors.CheckError(err)
@@ -281,18 +382,24 @@ func NewProjectRoleListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			}
 			projName := args[0]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			project, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
-			if output == "name" {
+			switch output {
+			case "json", "yaml":
+				err := PrintResourceList(project.Spec.Roles, output, false)
+				errors.CheckError(err)
+			case "name":
 				printProjectRoleListName(project.Spec.Roles)
-			} else {
+			case "wide", "":
 				printProjectRoleListTable(project.Spec.Roles)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
 			}
 		},
 	}
-	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|name")
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|name")
 	return command
 }
 
@@ -309,7 +416,7 @@ func NewProjectRoleGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 			projName := args[0]
 			roleName := args[1]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
@@ -326,7 +433,7 @@ func NewProjectRoleGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 			// TODO(jessesuen): print groups
 			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
 			fmt.Fprintf(w, "ID\tISSUED-AT\tEXPIRES-AT\n")
-			for _, token := range role.JWTTokens {
+			for _, token := range proj.Status.JWTTokensByRole[roleName].Items {
 				expiresAt := "<none>"
 				if token.ExpiresAt > 0 {
 					expiresAt = humanizeTimestamp(token.ExpiresAt)
@@ -351,7 +458,7 @@ func NewProjectRoleAddGroupCommand(clientOpts *argocdclient.ClientOptions) *cobr
 			}
 			projName, roleName, groupName := args[0], args[1], args[2]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 			updated, err := proj.AddGroupToRole(roleName, groupName)
@@ -380,7 +487,7 @@ func NewProjectRoleRemoveGroupCommand(clientOpts *argocdclient.ClientOptions) *c
 			}
 			projName, roleName, groupName := args[0], args[1], args[2]
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
 			errors.CheckError(err)
 			updated, err := proj.RemoveGroupFromRole(roleName, groupName)

cmd/argocd/commands/projectwindows.go

@@ -0,0 +1,320 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strconv"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/spf13/cobra"
+
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/io"
+)
+
+// NewProjectWindowsCommand returns a new instance of the `argocd proj windows` command
+func NewProjectWindowsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	roleCommand := &cobra.Command{
+		Use:   "windows",
+		Short: "Manage a project's sync windows",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+	roleCommand.AddCommand(NewProjectWindowsDisableManualSyncCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsEnableManualSyncCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsAddWindowCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsDeleteCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsListCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsUpdateCommand(clientOpts))
+	return roleCommand
+}
+
+// NewProjectSyncWindowsDisableManualSyncCommand returns a new instance of an `argocd proj windows disable-manual-sync` command
+func NewProjectWindowsDisableManualSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "disable-manual-sync PROJECT ID",
+		Short: "Disable manual sync for a sync window",
+		Long:  "Disable manual sync for a sync window. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer io.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for i, window := range proj.Spec.SyncWindows {
+				if id == i {
+					window.ManualSync = false
+				}
+			}
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectWindowsEnableManualSyncCommand returns a new instance of an `argocd proj windows enable-manual-sync` command
+func NewProjectWindowsEnableManualSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "enable-manual-sync PROJECT ID",
+		Short: "Enable manual sync for a sync window",
+		Long:  "Enable manual sync for a sync window. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer io.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for i, window := range proj.Spec.SyncWindows {
+				if id == i {
+					window.ManualSync = true
+				}
+			}
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectWindowsAddWindowCommand returns a new instance of an `argocd proj windows add` command
+func NewProjectWindowsAddWindowCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		kind         string
+		schedule     string
+		duration     string
+		applications []string
+		namespaces   []string
+		clusters     []string
+		manualSync   bool
+	)
+	var command = &cobra.Command{
+		Use:   "add PROJECT",
+		Short: "Add a sync window to a project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer io.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			err = proj.Spec.AddWindow(kind, schedule, duration, applications, namespaces, clusters, manualSync)
+			errors.CheckError(err)
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().StringVarP(&kind, "kind", "k", "", "Sync window kind, either allow or deny")
+	command.Flags().StringVar(&schedule, "schedule", "", "Sync window schedule in cron format. (e.g. --schedule \"0 22 * * *\")")
+	command.Flags().StringVar(&duration, "duration", "", "Sync window duration. (e.g. --duration 1h)")
+	command.Flags().StringSliceVar(&applications, "applications", []string{}, "Applications that the schedule will be applied to. Comma separated, wildcards supported (e.g. --applications prod-\\*,website)")
+	command.Flags().StringSliceVar(&namespaces, "namespaces", []string{}, "Namespaces that the schedule will be applied to. Comma separated, wildcards supported (e.g. --namespaces default,\\*-prod)")
+	command.Flags().StringSliceVar(&clusters, "clusters", []string{}, "Clusters that the schedule will be applied to. Comma separated, wildcards supported (e.g. --clusters prod,staging)")
+	command.Flags().BoolVar(&manualSync, "manual-sync", false, "Allow manual syncs for both deny and allow windows")
+
+	return command
+}
+
+// NewProjectWindowsAddWindowCommand returns a new instance of an `argocd proj windows delete` command
+func NewProjectWindowsDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "delete PROJECT ID",
+		Short: "Delete a sync window from a project. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer io.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			err = proj.Spec.DeleteWindow(id)
+			errors.CheckError(err)
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectWindowsUpdateCommand returns a new instance of an `argocd proj windows update` command
+func NewProjectWindowsUpdateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		schedule     string
+		duration     string
+		applications []string
+		namespaces   []string
+		clusters     []string
+	)
+	var command = &cobra.Command{
+		Use:   "update PROJECT ID",
+		Short: "Update a project sync window",
+		Long:  "Update a project sync window. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer io.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for i, window := range proj.Spec.SyncWindows {
+				if id == i {
+					err := window.Update(schedule, duration, applications, namespaces, clusters)
+					if err != nil {
+						errors.CheckError(err)
+					}
+				}
+			}
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().StringVar(&schedule, "schedule", "", "Sync window schedule in cron format. (e.g. --schedule \"0 22 * * *\")")
+	command.Flags().StringVar(&duration, "duration", "", "Sync window duration. (e.g. --duration 1h)")
+	command.Flags().StringSliceVar(&applications, "applications", []string{}, "Applications that the schedule will be applied to. Comma separated, wildcards supported (e.g. --applications prod-\\*,website)")
+	command.Flags().StringSliceVar(&namespaces, "namespaces", []string{}, "Namespaces that the schedule will be applied to. Comma separated, wildcards supported (e.g. --namespaces default,\\*-prod)")
+	command.Flags().StringSliceVar(&clusters, "clusters", []string{}, "Clusters that the schedule will be applied to. Comma separated, wildcards supported (e.g. --clusters prod,staging)")
+	return command
+}
+
+// NewProjectWindowsListCommand returns a new instance of an `argocd proj windows list` command
+func NewProjectWindowsListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
+	var command = &cobra.Command{
+		Use:   "list PROJECT",
+		Short: "List project sync windows",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer io.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(proj.Spec.SyncWindows, output, false)
+				errors.CheckError(err)
+			case "wide", "":
+				printSyncWindows(proj)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
+			}
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide")
+	return command
+}
+
+// Print table of sync window data
+func printSyncWindows(proj *v1alpha1.AppProject) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	var fmtStr string
+	headers := []interface{}{"ID", "STATUS", "KIND", "SCHEDULE", "DURATION", "APPLICATIONS", "NAMESPACES", "CLUSTERS", "MANUALSYNC"}
+	fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
+	fmt.Fprintf(w, fmtStr, headers...)
+	if proj.Spec.SyncWindows.HasWindows() {
+		for i, window := range proj.Spec.SyncWindows {
+			vals := []interface{}{
+				strconv.Itoa(i),
+				formatBoolOutput(window.Active()),
+				window.Kind,
+				window.Schedule,
+				window.Duration,
+				formatListOutput(window.Applications),
+				formatListOutput(window.Namespaces),
+				formatListOutput(window.Clusters),
+				formatManualOutput(window.ManualSync),
+			}
+			fmt.Fprintf(w, fmtStr, vals...)
+		}
+	}
+	_ = w.Flush()
+}
+
+func formatListOutput(list []string) string {
+	var o string
+	if len(list) == 0 {
+		o = "-"
+	} else {
+		o = strings.Join(list, ",")
+	}
+	return o
+}
+func formatBoolOutput(active bool) string {
+	var o string
+	if active {
+		o = "Active"
+	} else {
+		o = "Inactive"
+	}
+	return o
+}
+func formatManualOutput(active bool) string {
+	var o string
+	if active {
+		o = "Enabled"
+	} else {
+		o = "Disabled"
+	}
+	return o
+}

cmd/argocd/commands/relogin.go

@@ -9,10 +9,10 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	settingspkg "github.com/argoproj/argo-cd/pkg/apiclient/settings"
-	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/errors"
+	argoio "github.com/argoproj/argo-cd/util/io"
 	"github.com/argoproj/argo-cd/util/localconfig"
 	"github.com/argoproj/argo-cd/util/session"
 )
@@ -43,11 +43,13 @@ func NewReloginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comm
 			var tokenString string
 			var refreshToken string
 			clientOpts := argocdclient.ClientOptions{
-				ConfigPath: "",
-				ServerAddr: configCtx.Server.Server,
-				Insecure:   configCtx.Server.Insecure,
-				GRPCWeb:    globalClientOpts.GRPCWeb,
-				PlainText:  configCtx.Server.PlainText,
+				ConfigPath:      "",
+				ServerAddr:      configCtx.Server.Server,
+				Insecure:        configCtx.Server.Insecure,
+				GRPCWeb:         globalClientOpts.GRPCWeb,
+				GRPCWebRootPath: globalClientOpts.GRPCWebRootPath,
+				PlainText:       configCtx.Server.PlainText,
+				Headers:         globalClientOpts.Headers,
 			}
 			acdClient := argocdclient.NewClientOrDie(&clientOpts)
 			claims, err := configCtx.User.Claims()
@@ -58,7 +60,7 @@ func NewReloginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comm
 			} else {
 				fmt.Println("Reinitiating SSO login")
 				setConn, setIf := acdClient.NewSettingsClientOrDie()
-				defer util.Close(setConn)
+				defer argoio.Close(setConn)
 				ctx := context.Background()
 				httpClient, err := acdClient.HTTPClient()
 				errors.CheckError(err)
@@ -67,7 +69,7 @@ func NewReloginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comm
 				errors.CheckError(err)
 				oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
 				errors.CheckError(err)
-				tokenString, refreshToken = oauth2Login(ctx, ssoPort, oauth2conf, provider)
+				tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
 			}
 
 			localCfg.UpsertUser(localconfig.User{

cmd/argocd/commands/repo.go

@@ -10,20 +10,21 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
-	"github.com/argoproj/argo-cd/errors"
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	repositorypkg "github.com/argoproj/argo-cd/pkg/apiclient/repository"
 	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/errors"
 	"github.com/argoproj/argo-cd/util/git"
+	"github.com/argoproj/argo-cd/util/io"
 )
 
 // NewRepoCommand returns a new instance of an `argocd repo` command
 func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "repo",
-		Short: "Manage git repository connection parameters",
+		Short: "Manage repository connection parameters",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 			os.Exit(1)
@@ -31,6 +32,7 @@ func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	}
 
 	command.AddCommand(NewRepoAddCommand(clientOpts))
+	command.AddCommand(NewRepoGetCommand(clientOpts))
 	command.AddCommand(NewRepoListCommand(clientOpts))
 	command.AddCommand(NewRepoRemoveCommand(clientOpts))
 	return command
@@ -39,24 +41,36 @@ func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 // NewRepoAddCommand returns a new instance of an `argocd repo add` command
 func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		repo                           appsv1.Repository
-		upsert                         bool
-		sshPrivateKeyPath              string
-		insecureIgnoreHostKey          bool
-		insecureSkipServerVerification bool
-		tlsClientCertPath              string
-		tlsClientCertKeyPath           string
-		enableLfs                      bool
+		repoOpts cmdutil.RepoOptions
 	)
 
 	// For better readability and easier formatting
-	var repoAddExamples = `
-Add a SSH repository using a private key for authentication, ignoring the server's host key:",
-  $ argocd repo add git@git.example.com --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa",
-Add a HTTPS repository using username/password and TLS client certificates:",
-  $ argocd repo add https://git.example.com --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key",
-Add a HTTPS repository using username/password without verifying the server's TLS certificate:",
-  $ argocd repo add https://git.example.com --username git --password secret --insecure-skip-server-verification",
+	var repoAddExamples = `  # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
+  argocd repo add git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
+
+  # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
+  argocd repo add ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
+
+  # Add a private Git repository via HTTPS using username/password and TLS client certificates:
+  argocd repo add https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
+
+  # Add a private Git repository via HTTPS using username/password without verifying the server's TLS certificate
+  argocd repo add https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
+
+  # Add a public Helm repository named 'stable' via HTTPS
+  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
+
+  # Add a private Helm repository named 'stable' via HTTPS
+  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
+
+  # Add a private Helm OCI-based repository named 'stable' via HTTPS
+  argocd repo add helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
+
+  # Add a private Git repository on GitHub.com via GitHub App
+  argocd repo add https://git.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem
+
+  # Add a private Git repository on GitHub Enterprise via GitHub App
+  argocd repo add https://ghe.example.com/repos/repo --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3
 `
 
 	var command = &cobra.Command{
@@ -70,16 +84,16 @@ Add a HTTPS repository using username/password without verifying the server's TL
 			}
 
 			// Repository URL
-			repo.Repo = args[0]
+			repoOpts.Repo.Repo = args[0]
 
 			// Specifying ssh-private-key-path is only valid for SSH repositories
-			if sshPrivateKeyPath != "" {
-				if ok, _ := git.IsSSHURL(repo.Repo); ok {
-					keyData, err := ioutil.ReadFile(sshPrivateKeyPath)
+			if repoOpts.SshPrivateKeyPath != "" {
+				if ok, _ := git.IsSSHURL(repoOpts.Repo.Repo); ok {
+					keyData, err := ioutil.ReadFile(repoOpts.SshPrivateKeyPath)
 					if err != nil {
 						log.Fatal(err)
 					}
-					repo.SSHPrivateKey = string(keyData)
+					repoOpts.Repo.SSHPrivateKey = string(keyData)
 				} else {
 					err := fmt.Errorf("--ssh-private-key-path is only supported for SSH repositories.")
 					errors.CheckError(err)
@@ -88,73 +102,100 @@ Add a HTTPS repository using username/password without verifying the server's TL
 
 			// tls-client-cert-path and tls-client-cert-key-key-path must always be
 			// specified together
-			if (tlsClientCertPath != "" && tlsClientCertKeyPath == "") || (tlsClientCertPath == "" && tlsClientCertKeyPath != "") {
+			if (repoOpts.TlsClientCertPath != "" && repoOpts.TlsClientCertKeyPath == "") || (repoOpts.TlsClientCertPath == "" && repoOpts.TlsClientCertKeyPath != "") {
 				err := fmt.Errorf("--tls-client-cert-path and --tls-client-cert-key-path must be specified together")
 				errors.CheckError(err)
 			}
 
 			// Specifying tls-client-cert-path is only valid for HTTPS repositories
-			if tlsClientCertPath != "" {
-				if git.IsHTTPSURL(repo.Repo) {
-					tlsCertData, err := ioutil.ReadFile(tlsClientCertPath)
+			if repoOpts.TlsClientCertPath != "" {
+				if git.IsHTTPSURL(repoOpts.Repo.Repo) {
+					tlsCertData, err := ioutil.ReadFile(repoOpts.TlsClientCertPath)
 					errors.CheckError(err)
-					tlsCertKey, err := ioutil.ReadFile(tlsClientCertKeyPath)
+					tlsCertKey, err := ioutil.ReadFile(repoOpts.TlsClientCertKeyPath)
 					errors.CheckError(err)
-					repo.TLSClientCertData = string(tlsCertData)
-					repo.TLSClientCertKey = string(tlsCertKey)
+					repoOpts.Repo.TLSClientCertData = string(tlsCertData)
+					repoOpts.Repo.TLSClientCertKey = string(tlsCertKey)
 				} else {
 					err := fmt.Errorf("--tls-client-cert-path is only supported for HTTPS repositories")
 					errors.CheckError(err)
 				}
 			}
 
+			// Specifying github-app-private-key-path is only valid for HTTPS repositories
+			if repoOpts.GithubAppPrivateKeyPath != "" {
+				if git.IsHTTPSURL(repoOpts.Repo.Repo) {
+					githubAppPrivateKey, err := ioutil.ReadFile(repoOpts.GithubAppPrivateKeyPath)
+					errors.CheckError(err)
+					repoOpts.Repo.GithubAppPrivateKey = string(githubAppPrivateKey)
+				} else {
+					err := fmt.Errorf("--github-app-private-key-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
+			// Set repository connection properties only when creating repository, not
+			// when creating repository credentials.
 			// InsecureIgnoreHostKey is deprecated and only here for backwards compat
-			repo.InsecureIgnoreHostKey = insecureIgnoreHostKey
-			repo.Insecure = insecureSkipServerVerification
-			repo.EnableLFS = enableLfs
+			repoOpts.Repo.InsecureIgnoreHostKey = repoOpts.InsecureIgnoreHostKey
+			repoOpts.Repo.Insecure = repoOpts.InsecureSkipServerVerification
+			repoOpts.Repo.EnableLFS = repoOpts.EnableLfs
+			repoOpts.Repo.EnableOCI = repoOpts.EnableOci
+			repoOpts.Repo.GithubAppId = repoOpts.GithubAppId
+			repoOpts.Repo.GithubAppInstallationId = repoOpts.GithubAppInstallationId
+			repoOpts.Repo.GitHubAppEnterpriseBaseURL = repoOpts.GitHubAppEnterpriseBaseURL
+
+			if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
+				errors.CheckError(fmt.Errorf("Must specify --name for repos of type 'helm'"))
+			}
 
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 
 			// If the user set a username, but didn't supply password via --password,
 			// then we prompt for it
-			if repo.Username != "" && repo.Password == "" {
-				repo.Password = cli.PromptPassword(repo.Password)
+			if repoOpts.Repo.Username != "" && repoOpts.Repo.Password == "" {
+				repoOpts.Repo.Password = cli.PromptPassword(repoOpts.Repo.Password)
 			}
 
 			// We let the server check access to the repository before adding it. If
 			// it is a private repo, but we cannot access with with the credentials
 			// that were supplied, we bail out.
+			//
+			// Skip validation if we are just adding credentials template, chances
+			// are high that we do not have the given URL pointing to a valid Git
+			// repo anyway.
 			repoAccessReq := repositorypkg.RepoAccessQuery{
-				Repo:              repo.Repo,
-				Username:          repo.Username,
-				Password:          repo.Password,
-				SshPrivateKey:     repo.SSHPrivateKey,
-				TlsClientCertData: repo.TLSClientCertData,
-				TlsClientCertKey:  repo.TLSClientCertKey,
-				Insecure:          repo.IsInsecure(),
+				Repo:                       repoOpts.Repo.Repo,
+				Type:                       repoOpts.Repo.Type,
+				Name:                       repoOpts.Repo.Name,
+				Username:                   repoOpts.Repo.Username,
+				Password:                   repoOpts.Repo.Password,
+				SshPrivateKey:              repoOpts.Repo.SSHPrivateKey,
+				TlsClientCertData:          repoOpts.Repo.TLSClientCertData,
+				TlsClientCertKey:           repoOpts.Repo.TLSClientCertKey,
+				Insecure:                   repoOpts.Repo.IsInsecure(),
+				EnableOci:                  repoOpts.Repo.EnableOCI,
+				GithubAppPrivateKey:        repoOpts.Repo.GithubAppPrivateKey,
+				GithubAppID:                repoOpts.Repo.GithubAppId,
+				GithubAppInstallationID:    repoOpts.Repo.GithubAppInstallationId,
+				GithubAppEnterpriseBaseUrl: repoOpts.Repo.GitHubAppEnterpriseBaseURL,
 			}
 			_, err := repoIf.ValidateAccess(context.Background(), &repoAccessReq)
 			errors.CheckError(err)
 
 			repoCreateReq := repositorypkg.RepoCreateRequest{
-				Repo:   &repo,
-				Upsert: upsert,
+				Repo:   &repoOpts.Repo,
+				Upsert: repoOpts.Upsert,
 			}
+
 			createdRepo, err := repoIf.Create(context.Background(), &repoCreateReq)
 			errors.CheckError(err)
-			fmt.Printf("repository '%s' added\n", createdRepo.Repo)
+			fmt.Printf("Repository '%s' added\n", createdRepo.Repo)
 		},
 	}
-	command.Flags().StringVar(&repo.Username, "username", "", "username to the repository")
-	command.Flags().StringVar(&repo.Password, "password", "", "password to the repository")
-	command.Flags().StringVar(&sshPrivateKeyPath, "ssh-private-key-path", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
-	command.Flags().StringVar(&tlsClientCertPath, "tls-client-cert-path", "", "path to the TLS client cert (must be PEM format)")
-	command.Flags().StringVar(&tlsClientCertKeyPath, "tls-client-cert-key-path", "", "path to the TLS client cert's key path (must be PEM format)")
-	command.Flags().BoolVar(&insecureIgnoreHostKey, "insecure-ignore-host-key", false, "disables SSH strict host key checking (deprecated, use --insecure-skip-server-validation instead)")
-	command.Flags().BoolVar(&insecureSkipServerVerification, "insecure-skip-server-verification", false, "disables server certificate and host key checks")
-	command.Flags().BoolVar(&enableLfs, "enable-lfs", false, "enable git-lfs (Large File Support) on this repository")
-	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
+	command.Flags().BoolVar(&repoOpts.Upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
+	cmdutil.AddRepoFlags(command, &repoOpts)
 	return command
 }
 
@@ -162,17 +203,18 @@ Add a HTTPS repository using username/password without verifying the server's TL
 func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "rm REPO",
-		Short: "Remove git repository credentials",
+		Short: "Remove repository credentials",
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
-			defer util.Close(conn)
+			defer io.Close(conn)
 			for _, repoURL := range args {
 				_, err := repoIf.Delete(context.Background(), &repositorypkg.RepoQuery{Repo: repoURL})
 				errors.CheckError(err)
+				fmt.Printf("Repository '%s' removed\n", repoURL)
 			}
 		},
 	}
@@ -180,23 +222,27 @@ func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 }
 
 // Print table of repo info
-func printRepoTable(repos []appsv1.Repository) {
+func printRepoTable(repos appsv1.Repositories) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	fmt.Fprintf(w, "REPO\tINSECURE\tLFS\tUSER\tSTATUS\tMESSAGE\n")
+	_, _ = fmt.Fprintf(w, "TYPE\tNAME\tREPO\tINSECURE\tOCI\tLFS\tCREDS\tSTATUS\tMESSAGE\n")
 	for _, r := range repos {
-		var username string
-		if r.Username == "" {
-			username = "-"
+		var hasCreds string
+		if !r.HasCredentials() {
+			hasCreds = "false"
 		} else {
-			username = r.Username
+			if r.InheritedCreds {
+				hasCreds = "inherited"
+			} else {
+				hasCreds = "true"
+			}
 		}
-		fmt.Fprintf(w, "%s\t%v\t%v\t%s\t%s\t%s\n", r.Repo, r.IsInsecure(), r.EnableLFS, username, r.ConnectionState.Status, r.ConnectionState.Message)
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%v\t%v\t%v\t%s\t%s\t%s\n", r.Type, r.Name, r.Repo, r.IsInsecure(), r.EnableOCI, r.EnableLFS, hasCreds, r.ConnectionState.Status, r.ConnectionState.Message)
 	}
 	_ = w.Flush()
 }
 
-// Print list of repo urls
-func printRepoUrls(repos []appsv1.Repository) {
+// Print list of repo urls or url patterns for repository credentials
+func printRepoUrls(repos appsv1.Repositories) {
 	for _, r := range repos {
 		fmt.Println(r.Repo)
 	}
@@ -205,23 +251,90 @@ func printRepoUrls(repos []appsv1.Repository) {
 // NewRepoListCommand returns a new instance of an `argocd repo rm` command
 func NewRepoListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		output string
+		output  string
+		refresh string
 	)
 	var command = &cobra.Command{
 		Use:   "list",
 		Short: "List configured repositories",
 		Run: func(c *cobra.Command, args []string) {
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
-			defer util.Close(conn)
-			repos, err := repoIf.List(context.Background(), &repositorypkg.RepoQuery{})
+			defer io.Close(conn)
+			forceRefresh := false
+			switch refresh {
+			case "":
+			case "hard":
+				forceRefresh = true
+			default:
+				err := fmt.Errorf("--refresh must be one of: 'hard'")
+				errors.CheckError(err)
+			}
+			repos, err := repoIf.List(context.Background(), &repositorypkg.RepoQuery{ForceRefresh: forceRefresh})
 			errors.CheckError(err)
-			if output == "url" {
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(repos.Items, output, false)
+				errors.CheckError(err)
+			case "url":
 				printRepoUrls(repos.Items)
-			} else {
+				// wide is the default
+			case "wide", "":
 				printRepoTable(repos.Items)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
 			}
 		},
 	}
-	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|url")
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|url")
+	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status")
+	return command
+}
+
+// NewRepoGetCommand returns a new instance of an `argocd repo rm` command
+func NewRepoGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output  string
+		refresh string
+	)
+	var command = &cobra.Command{
+		Use:   "get",
+		Short: "Get a configured repository by URL",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			// Repository URL
+			repoURL := args[0]
+			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
+			defer io.Close(conn)
+			forceRefresh := false
+			switch refresh {
+			case "":
+			case "hard":
+				forceRefresh = true
+			default:
+				err := fmt.Errorf("--refresh must be one of: 'hard'")
+				errors.CheckError(err)
+			}
+			repo, err := repoIf.Get(context.Background(), &repositorypkg.RepoQuery{Repo: repoURL, ForceRefresh: forceRefresh})
+			errors.CheckError(err)
+			switch output {
+			case "yaml", "json":
+				err := PrintResource(repo, output)
+				errors.CheckError(err)
+			case "url":
+				fmt.Println(repo.Repo)
+				// wide is the default
+			case "wide", "":
+				printRepoTable(appsv1.Repositories{repo})
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
+			}
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|url")
+	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status")
 	return command
 }

cmd/argocd/commands/repocreds.go

@@ -0,0 +1,227 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"text/tabwriter"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	repocredspkg "github.com/argoproj/argo-cd/pkg/apiclient/repocreds"
+	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/git"
+	"github.com/argoproj/argo-cd/util/io"
+)
+
+// NewRepoCredsCommand returns a new instance of an `argocd repocreds` command
+func NewRepoCredsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "repocreds",
+		Short: "Manage repository connection parameters",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+
+	command.AddCommand(NewRepoCredsAddCommand(clientOpts))
+	command.AddCommand(NewRepoCredsListCommand(clientOpts))
+	command.AddCommand(NewRepoCredsRemoveCommand(clientOpts))
+	return command
+}
+
+// NewRepoCredsAddCommand returns a new instance of an `argocd repocreds add` command
+func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		repo                    appsv1.RepoCreds
+		upsert                  bool
+		sshPrivateKeyPath       string
+		tlsClientCertPath       string
+		tlsClientCertKeyPath    string
+		githubAppPrivateKeyPath string
+	)
+
+	// For better readability and easier formatting
+	var repocredsAddExamples = `  # Add credentials with user/pass authentication to use for all repositories under https://git.example.com/repos
+  argocd repocreds add https://git.example.com/repos/ --username git --password secret
+
+  # Add credentials with SSH private key authentication to use for all repositories under ssh://git@git.example.com/repos
+  argocd repocreds add ssh://git@git.example.com/repos/ --ssh-private-key-path ~/.ssh/id_rsa
+
+  # Add credentials with GitHub App authentication to use for all repositories under https://github.com/repos
+  argocd repocreds add https://github.com/repos/ --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem
+
+  # Add credentials with GitHub App authentication to use for all repositories under https://ghe.example.com/repos
+  argocd repocreds add https://ghe.example.com/repos/ --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3
+`
+
+	var command = &cobra.Command{
+		Use:     "add REPOURL",
+		Short:   "Add git repository connection parameters",
+		Example: repocredsAddExamples,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			// Repository URL
+			repo.URL = args[0]
+
+			// Specifying ssh-private-key-path is only valid for SSH repositories
+			if sshPrivateKeyPath != "" {
+				if ok, _ := git.IsSSHURL(repo.URL); ok {
+					keyData, err := ioutil.ReadFile(sshPrivateKeyPath)
+					if err != nil {
+						log.Fatal(err)
+					}
+					repo.SSHPrivateKey = string(keyData)
+				} else {
+					err := fmt.Errorf("--ssh-private-key-path is only supported for SSH repositories.")
+					errors.CheckError(err)
+				}
+			}
+
+			// tls-client-cert-path and tls-client-cert-key-key-path must always be
+			// specified together
+			if (tlsClientCertPath != "" && tlsClientCertKeyPath == "") || (tlsClientCertPath == "" && tlsClientCertKeyPath != "") {
+				err := fmt.Errorf("--tls-client-cert-path and --tls-client-cert-key-path must be specified together")
+				errors.CheckError(err)
+			}
+
+			// Specifying tls-client-cert-path is only valid for HTTPS repositories
+			if tlsClientCertPath != "" {
+				if git.IsHTTPSURL(repo.URL) {
+					tlsCertData, err := ioutil.ReadFile(tlsClientCertPath)
+					errors.CheckError(err)
+					tlsCertKey, err := ioutil.ReadFile(tlsClientCertKeyPath)
+					errors.CheckError(err)
+					repo.TLSClientCertData = string(tlsCertData)
+					repo.TLSClientCertKey = string(tlsCertKey)
+				} else {
+					err := fmt.Errorf("--tls-client-cert-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
+			// Specifying github-app-private-key-path is only valid for HTTPS repositories
+			if githubAppPrivateKeyPath != "" {
+				if git.IsHTTPSURL(repo.URL) {
+					githubAppPrivateKey, err := ioutil.ReadFile(githubAppPrivateKeyPath)
+					errors.CheckError(err)
+					repo.GithubAppPrivateKey = string(githubAppPrivateKey)
+				} else {
+					err := fmt.Errorf("--github-app-private-key-path is only supported for HTTPS repositories")
+					errors.CheckError(err)
+				}
+			}
+
+			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoCredsClientOrDie()
+			defer io.Close(conn)
+
+			// If the user set a username, but didn't supply password via --password,
+			// then we prompt for it
+			if repo.Username != "" && repo.Password == "" {
+				repo.Password = cli.PromptPassword(repo.Password)
+			}
+
+			repoCreateReq := repocredspkg.RepoCredsCreateRequest{
+				Creds:  &repo,
+				Upsert: upsert,
+			}
+
+			createdRepo, err := repoIf.CreateRepositoryCredentials(context.Background(), &repoCreateReq)
+			errors.CheckError(err)
+			fmt.Printf("Repository credentials for '%s' added\n", createdRepo.URL)
+		},
+	}
+	command.Flags().StringVar(&repo.Username, "username", "", "username to the repository")
+	command.Flags().StringVar(&repo.Password, "password", "", "password to the repository")
+	command.Flags().StringVar(&sshPrivateKeyPath, "ssh-private-key-path", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
+	command.Flags().StringVar(&tlsClientCertPath, "tls-client-cert-path", "", "path to the TLS client cert (must be PEM format)")
+	command.Flags().StringVar(&tlsClientCertKeyPath, "tls-client-cert-key-path", "", "path to the TLS client cert's key path (must be PEM format)")
+	command.Flags().Int64Var(&repo.GithubAppId, "github-app-id", 0, "id of the GitHub Application")
+	command.Flags().Int64Var(&repo.GithubAppInstallationId, "github-app-installation-id", 0, "installation id of the GitHub Application")
+	command.Flags().StringVar(&githubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
+	command.Flags().StringVar(&repo.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
+	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
+	return command
+}
+
+// NewRepoCredsRemoveCommand returns a new instance of an `argocd repocreds rm` command
+func NewRepoCredsRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "rm CREDSURL",
+		Short: "Remove repository credentials",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) == 0 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoCredsClientOrDie()
+			defer io.Close(conn)
+			for _, repoURL := range args {
+				_, err := repoIf.DeleteRepositoryCredentials(context.Background(), &repocredspkg.RepoCredsDeleteRequest{Url: repoURL})
+				errors.CheckError(err)
+				fmt.Printf("Repository credentials for '%s' removed\n", repoURL)
+			}
+		},
+	}
+	return command
+}
+
+// Print the repository credentials as table
+func printRepoCredsTable(repos []appsv1.RepoCreds) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	fmt.Fprintf(w, "URL PATTERN\tUSERNAME\tSSH_CREDS\tTLS_CREDS\n")
+	for _, r := range repos {
+		if r.Username == "" {
+			r.Username = "-"
+		}
+		fmt.Fprintf(w, "%s\t%s\t%v\t%v\n", r.URL, r.Username, r.SSHPrivateKey != "", r.TLSClientCertData != "")
+	}
+	_ = w.Flush()
+}
+
+// Print list of repo urls or url patterns for repository credentials
+func printRepoCredsUrls(repos []appsv1.RepoCreds) {
+	for _, r := range repos {
+		fmt.Println(r.URL)
+	}
+}
+
+// NewRepoCredsListCommand returns a new instance of an `argocd repo list` command
+func NewRepoCredsListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
+	var command = &cobra.Command{
+		Use:   "list",
+		Short: "List configured repository credentials",
+		Run: func(c *cobra.Command, args []string) {
+			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoCredsClientOrDie()
+			defer io.Close(conn)
+			repos, err := repoIf.ListRepositoryCredentials(context.Background(), &repocredspkg.RepoCredsQuery{})
+			errors.CheckError(err)
+			switch output {
+			case "yaml", "json":
+				err := PrintResourceList(repos.Items, output, false)
+				errors.CheckError(err)
+			case "url":
+				printRepoCredsUrls(repos.Items)
+			case "wide", "":
+				printRepoCredsTable(repos.Items)
+			default:
+				errors.CheckError(fmt.Errorf("unknown output format: %s", output))
+			}
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|url")
+	return command
+}

cmd/argocd/commands/root.go

@@ -4,10 +4,11 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/tools/clientcmd"
 
-	"github.com/argoproj/argo-cd/errors"
+	cmdutil "github.com/argoproj/argo-cd/cmd/util"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/config"
+	"github.com/argoproj/argo-cd/util/errors"
 	"github.com/argoproj/argo-cd/util/localconfig"
 )
 
@@ -15,10 +16,9 @@ func init() {
 	cobra.OnInitialize(initConfig)
 }
 
-var logLevel string
-
 func initConfig() {
-	cli.SetLogLevel(logLevel)
+	cli.SetLogFormat(cmdutil.LogFormat)
+	cli.SetLogLevel(cmdutil.LogLevel)
 }
 
 // NewCommand returns a new instance of an argocd command
@@ -34,6 +34,7 @@ func NewCommand() *cobra.Command {
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 		},
+		DisableAutoGenTag: true,
 	}
 
 	command.AddCommand(NewCompletionCommand())
@@ -43,11 +44,13 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(NewLoginCommand(&clientOpts))
 	command.AddCommand(NewReloginCommand(&clientOpts))
 	command.AddCommand(NewRepoCommand(&clientOpts))
+	command.AddCommand(NewRepoCredsCommand(&clientOpts))
 	command.AddCommand(NewContextCommand(&clientOpts))
 	command.AddCommand(NewProjectCommand(&clientOpts))
 	command.AddCommand(NewAccountCommand(&clientOpts))
 	command.AddCommand(NewLogoutCommand(&clientOpts))
 	command.AddCommand(NewCertCommand(&clientOpts))
+	command.AddCommand(NewGPGCommand(&clientOpts))
 
 	defaultLocalConfigPath, err := localconfig.DefaultLocalConfigPath()
 	errors.CheckError(err)
@@ -56,8 +59,15 @@ func NewCommand() *cobra.Command {
 	command.PersistentFlags().BoolVar(&clientOpts.PlainText, "plaintext", config.GetBoolFlag("plaintext"), "Disable TLS")
 	command.PersistentFlags().BoolVar(&clientOpts.Insecure, "insecure", config.GetBoolFlag("insecure"), "Skip server certificate and domain verification")
 	command.PersistentFlags().StringVar(&clientOpts.CertFile, "server-crt", config.GetFlag("server-crt", ""), "Server certificate file")
+	command.PersistentFlags().StringVar(&clientOpts.ClientCertFile, "client-crt", config.GetFlag("client-crt", ""), "Client certificate file")
+	command.PersistentFlags().StringVar(&clientOpts.ClientCertKeyFile, "client-crt-key", config.GetFlag("client-crt-key", ""), "Client certificate key file")
 	command.PersistentFlags().StringVar(&clientOpts.AuthToken, "auth-token", config.GetFlag("auth-token", ""), "Authentication token")
 	command.PersistentFlags().BoolVar(&clientOpts.GRPCWeb, "grpc-web", config.GetBoolFlag("grpc-web"), "Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2.")
-	command.PersistentFlags().StringVar(&logLevel, "loglevel", config.GetFlag("loglevel", "info"), "Set the logging level. One of: debug|info|warn|error")
+	command.PersistentFlags().StringVar(&clientOpts.GRPCWebRootPath, "grpc-web-root-path", config.GetFlag("grpc-web-root-path", ""), "Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2. Set web root.")
+	command.PersistentFlags().StringVar(&cmdutil.LogFormat, "logformat", config.GetFlag("logformat", "text"), "Set the logging format. One of: text|json")
+	command.PersistentFlags().StringVar(&cmdutil.LogLevel, "loglevel", config.GetFlag("loglevel", "info"), "Set the logging level. One of: debug|info|warn|error")
+	command.PersistentFlags().StringSliceVarP(&clientOpts.Headers, "header", "H", []string{}, "Sets additional header to all requests made by Argo CD CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers)")
+	command.PersistentFlags().BoolVar(&clientOpts.PortForward, "port-forward", config.GetBoolFlag("port-forward"), "Connect to a random argocd-server port using port forwarding")
+	command.PersistentFlags().StringVar(&clientOpts.PortForwardNamespace, "port-forward-namespace", config.GetFlag("port-forward-namespace", ""), "Namespace name which should be used for port forwarding")
 	return command
 }

cmd/argocd/commands/testdata/config

@@ -1,18 +1,25 @@
 contexts:
-- name: argocd.example.com:443
-  server: argocd.example.com:443
-  user: argocd.example.com:443
+- name: argocd1.example.com:443
+  server: argocd1.example.com:443
+  user: argocd1.example.com:443
+- name: argocd2.example.com:443
+  server: argocd2.example.com:443
+  user: argocd2.example.com:443
 - name: localhost:8080
   server: localhost:8080
   user: localhost:8080
 current-context: localhost:8080
 servers:
-- server: argocd.example.com:443
+- server: argocd1.example.com:443
+- server: argocd2.example.com:443
 - plain-text: true
   server: localhost:8080
 users:
 - auth-token: vErrYS3c3tReFRe$hToken
-  name: argocd.example.com:443
+  name: argocd1.example.com:443
+  refresh-token: vErrYS3c3tReFRe$hToken
+- auth-token: vErrYS3c3tReFRe$hToken
+  name: argocd2.example.com:443
   refresh-token: vErrYS3c3tReFRe$hToken
 - auth-token: vErrYS3c3tReFRe$hToken
   name: localhost:8080

cmd/argocd/commands/version.go

@@ -5,62 +5,151 @@ import (
 	"fmt"
 
 	"github.com/golang/protobuf/ptypes/empty"
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
 	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
-	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/pkg/apiclient/version"
+	"github.com/argoproj/argo-cd/util/errors"
+	argoio "github.com/argoproj/argo-cd/util/io"
 )
 
 // NewVersionCmd returns a new `version` command to be used as a sub-command to root
 func NewVersionCmd(clientOpts *argocdclient.ClientOptions) *cobra.Command {
-	var short bool
-	var client bool
+	var (
+		short  bool
+		client bool
+		output string
+	)
 
 	versionCmd := cobra.Command{
 		Use:   "version",
-		Short: fmt.Sprintf("Print version information"),
+		Short: "Print version information",
+		Example: `  # Print the full version of client and server to stdout
+  argocd version
+
+  # Print only full version of the client - no connection to server will be made
+  argocd version --client
+
+  # Print the full version of client and server in JSON format
+  argocd version -o json
+
+  # Print only client and server core version strings in YAML format
+  argocd version --short -o yaml
+`,
 		Run: func(cmd *cobra.Command, args []string) {
-			version := common.GetVersion()
-			fmt.Printf("%s: %s\n", cliName, version)
-			if !short {
-				fmt.Printf("  BuildDate: %s\n", version.BuildDate)
-				fmt.Printf("  GitCommit: %s\n", version.GitCommit)
-				fmt.Printf("  GitTreeState: %s\n", version.GitTreeState)
-				if version.GitTag != "" {
-					fmt.Printf("  GitTag: %s\n", version.GitTag)
-				}
-				fmt.Printf("  GoVersion: %s\n", version.GoVersion)
-				fmt.Printf("  Compiler: %s\n", version.Compiler)
-				fmt.Printf("  Platform: %s\n", version.Platform)
-			}
-			if client {
-				return
-			}
+			cv := common.GetVersion()
 
-			// Get Server version
-			conn, versionIf := argocdclient.NewClientOrDie(clientOpts).NewVersionClientOrDie()
-			defer util.Close(conn)
-			serverVers, err := versionIf.Version(context.Background(), &empty.Empty{})
-			errors.CheckError(err)
-			fmt.Printf("%s: %s\n", "argocd-server", serverVers.Version)
-			if !short {
-				fmt.Printf("  BuildDate: %s\n", serverVers.BuildDate)
-				fmt.Printf("  GitCommit: %s\n", serverVers.GitCommit)
-				fmt.Printf("  GitTreeState: %s\n", serverVers.GitTreeState)
-				if version.GitTag != "" {
-					fmt.Printf("  GitTag: %s\n", serverVers.GitTag)
-				}
-				fmt.Printf("  GoVersion: %s\n", serverVers.GoVersion)
-				fmt.Printf("  Compiler: %s\n", serverVers.Compiler)
-				fmt.Printf("  Platform: %s\n", serverVers.Platform)
-				fmt.Printf("  Ksonnet Version: %s\n", serverVers.KsonnetVersion)
-			}
+			switch output {
+			case "yaml", "json":
+				v := make(map[string]interface{})
 
+				if short {
+					v["client"] = map[string]string{cliName: cv.Version}
+				} else {
+					v["client"] = cv
+				}
+
+				if !client {
+					sv := getServerVersion(clientOpts)
+
+					if short {
+						v["server"] = map[string]string{"argocd-server": sv.Version}
+					} else {
+						v["server"] = sv
+					}
+				}
+
+				err := PrintResource(v, output)
+				errors.CheckError(err)
+			case "wide", "short", "":
+				printClientVersion(&cv, short || (output == "short"))
+
+				if !client {
+					sv := getServerVersion(clientOpts)
+					printServerVersion(sv, short || (output == "short"))
+				}
+			default:
+				log.Fatalf("unknown output format: %s", output)
+			}
 		},
 	}
+	versionCmd.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|short")
 	versionCmd.Flags().BoolVar(&short, "short", false, "print just the version number")
 	versionCmd.Flags().BoolVar(&client, "client", false, "client version only (no server required)")
 	return &versionCmd
 }
+
+func getServerVersion(options *argocdclient.ClientOptions) *version.VersionMessage {
+	conn, versionIf := argocdclient.NewClientOrDie(options).NewVersionClientOrDie()
+	defer argoio.Close(conn)
+
+	v, err := versionIf.Version(context.Background(), &empty.Empty{})
+	errors.CheckError(err)
+
+	return v
+}
+
+func printClientVersion(version *common.Version, short bool) {
+	fmt.Printf("%s: %s\n", cliName, version)
+
+	if short {
+		return
+	}
+
+	fmt.Printf("  BuildDate: %s\n", version.BuildDate)
+	fmt.Printf("  GitCommit: %s\n", version.GitCommit)
+	fmt.Printf("  GitTreeState: %s\n", version.GitTreeState)
+	if version.GitTag != "" {
+		fmt.Printf("  GitTag: %s\n", version.GitTag)
+	}
+	fmt.Printf("  GoVersion: %s\n", version.GoVersion)
+	fmt.Printf("  Compiler: %s\n", version.Compiler)
+	fmt.Printf("  Platform: %s\n", version.Platform)
+}
+
+func printServerVersion(version *version.VersionMessage, short bool) {
+	fmt.Printf("%s: %s\n", "argocd-server", version.Version)
+
+	if short {
+		return
+	}
+
+	if version.BuildDate != "" {
+		fmt.Printf("  BuildDate: %s\n", version.BuildDate)
+	}
+	if version.GitCommit != "" {
+		fmt.Printf("  GitCommit: %s\n", version.GitCommit)
+	}
+	if version.GitTreeState != "" {
+		fmt.Printf("  GitTreeState: %s\n", version.GitTreeState)
+	}
+	if version.GitTag != "" {
+		fmt.Printf("  GitTag: %s\n", version.GitTag)
+	}
+	if version.GoVersion != "" {
+		fmt.Printf("  GoVersion: %s\n", version.GoVersion)
+	}
+	if version.Compiler != "" {
+		fmt.Printf("  Compiler: %s\n", version.Compiler)
+	}
+	if version.Platform != "" {
+		fmt.Printf("  Platform: %s\n", version.Platform)
+	}
+	if version.KsonnetVersion != "" {
+		fmt.Printf("  Ksonnet Version: %s\n", version.KsonnetVersion)
+	}
+	if version.KustomizeVersion != "" {
+		fmt.Printf("  Kustomize Version: %s\n", version.KustomizeVersion)
+	}
+	if version.HelmVersion != "" {
+		fmt.Printf("  Helm Version: %s\n", version.HelmVersion)
+	}
+	if version.KubectlVersion != "" {
+		fmt.Printf("  Kubectl Version: %s\n", version.KubectlVersion)
+	}
+	if version.JsonnetVersion != "" {
+		fmt.Printf("  Jsonnet Version: %s\n", version.JsonnetVersion)
+	}
+}

cmd/argocd/main.go

@@ -1,16 +0,0 @@
-package main
-
-import (
-	commands "github.com/argoproj/argo-cd/cmd/argocd/commands"
-	"github.com/argoproj/argo-cd/errors"
-
-	// load the gcp plugin (required to authenticate against GKE clusters).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
-	// load the oidc plugin (required to authenticate with OpenID Connect).
-	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-)
-
-func main() {
-	err := commands.NewCommand().Execute()
-	errors.CheckError(err)
-}

cmd/main.go

@@ -0,0 +1,64 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/spf13/cobra"
+
+	appcontroller "github.com/argoproj/argo-cd/cmd/argocd-application-controller/commands"
+	dex "github.com/argoproj/argo-cd/cmd/argocd-dex/commands"
+	reposerver "github.com/argoproj/argo-cd/cmd/argocd-repo-server/commands"
+	apiserver "github.com/argoproj/argo-cd/cmd/argocd-server/commands"
+	util "github.com/argoproj/argo-cd/cmd/argocd-util/commands"
+	cli "github.com/argoproj/argo-cd/cmd/argocd/commands"
+)
+
+const (
+	binaryNameEnv = "ARGOCD_BINARY_NAME"
+)
+
+func main() {
+	var command *cobra.Command
+
+	binaryName := filepath.Base(os.Args[0])
+	if val := os.Getenv(binaryNameEnv); val != "" {
+		binaryName = val
+	}
+	switch binaryName {
+	case "argocd", "argocd-linux-amd64", "argocd-darwin-amd64", "argocd-windows-amd64.exe":
+		command = cli.NewCommand()
+	case "argocd-util", "argocd-util-linux-amd64", "argocd-util-darwin-amd64", "argocd-util-windows-amd64.exe":
+		command = util.NewCommand()
+	case "argocd-server":
+		command = apiserver.NewCommand()
+	case "argocd-application-controller":
+		command = appcontroller.NewCommand()
+	case "argocd-repo-server":
+		command = reposerver.NewCommand()
+	case "argocd-dex":
+		command = dex.NewCommand()
+	default:
+		if len(os.Args[1:]) > 0 {
+			// trying to guess between argocd and argocd-util by matching sub command
+			for _, cmd := range []*cobra.Command{cli.NewCommand(), util.NewCommand()} {
+				if _, _, err := cmd.Find(os.Args[1:]); err == nil {
+					command = cmd
+					break
+				}
+			}
+		}
+
+		if command == nil {
+			fmt.Printf("Unknown binary name '%s'.Use '%s' environment variable to specify required binary name "+
+				"(possible values 'argocd' or 'argocd-util').\n", binaryName, binaryNameEnv)
+			os.Exit(1)
+		}
+	}
+
+	if err := command.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}

cmd/util/app.go

@@ -0,0 +1,558 @@
+package util
+
+import (
+	"bufio"
+	"fmt"
+	"io/ioutil"
+	"net/url"
+	"os"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/common"
+	"github.com/argoproj/argo-cd/pkg/apis/application"
+	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/config"
+	"github.com/argoproj/argo-cd/util/errors"
+	"github.com/argoproj/argo-cd/util/text/label"
+)
+
+type AppOptions struct {
+	repoURL                    string
+	appPath                    string
+	chart                      string
+	env                        string
+	revision                   string
+	revisionHistoryLimit       int
+	destName                   string
+	destServer                 string
+	destNamespace              string
+	Parameters                 []string
+	valuesFiles                []string
+	values                     string
+	releaseName                string
+	helmSets                   []string
+	helmSetStrings             []string
+	helmSetFiles               []string
+	helmVersion                string
+	project                    string
+	syncPolicy                 string
+	syncOptions                []string
+	autoPrune                  bool
+	selfHeal                   bool
+	allowEmpty                 bool
+	namePrefix                 string
+	nameSuffix                 string
+	directoryRecurse           bool
+	configManagementPlugin     string
+	jsonnetTlaStr              []string
+	jsonnetTlaCode             []string
+	jsonnetExtVarStr           []string
+	jsonnetExtVarCode          []string
+	jsonnetLibs                []string
+	kustomizeImages            []string
+	kustomizeVersion           string
+	kustomizeCommonLabels      []string
+	kustomizeCommonAnnotations []string
+	pluginEnvs                 []string
+	Validate                   bool
+	directoryExclude           string
+	directoryInclude           string
+}
+
+func AddAppFlags(command *cobra.Command, opts *AppOptions) {
+	command.Flags().StringVar(&opts.repoURL, "repo", "", "Repository URL, ignored if a file is set")
+	command.Flags().StringVar(&opts.appPath, "path", "", "Path in repository to the app directory, ignored if a file is set")
+	command.Flags().StringVar(&opts.chart, "helm-chart", "", "Helm Chart name")
+	command.Flags().StringVar(&opts.env, "env", "", "Application environment to monitor")
+	command.Flags().StringVar(&opts.revision, "revision", "", "The tracking source branch, tag, commit or Helm chart version the application will sync to")
+	command.Flags().IntVar(&opts.revisionHistoryLimit, "revision-history-limit", common.RevisionHistoryLimit, "How many items to keep in revision history")
+	command.Flags().StringVar(&opts.destServer, "dest-server", "", "K8s cluster URL (e.g. https://kubernetes.default.svc)")
+	command.Flags().StringVar(&opts.destName, "dest-name", "", "K8s cluster Name (e.g. minikube)")
+	command.Flags().StringVar(&opts.destNamespace, "dest-namespace", "", "K8s target namespace (overrides the namespace specified in the ksonnet app.yaml)")
+	command.Flags().StringArrayVarP(&opts.Parameters, "parameter", "p", []string{}, "set a parameter override (e.g. -p guestbook=image=example/guestbook:latest)")
+	command.Flags().StringArrayVar(&opts.valuesFiles, "values", []string{}, "Helm values file(s) to use")
+	command.Flags().StringVar(&opts.values, "values-literal-file", "", "Filename or URL to import as a literal Helm values block")
+	command.Flags().StringVar(&opts.releaseName, "release-name", "", "Helm release-name")
+	command.Flags().StringVar(&opts.helmVersion, "helm-version", "", "Helm version")
+	command.Flags().StringArrayVar(&opts.helmSets, "helm-set", []string{}, "Helm set values on the command line (can be repeated to set several values: --helm-set key1=val1 --helm-set key2=val2)")
+	command.Flags().StringArrayVar(&opts.helmSetStrings, "helm-set-string", []string{}, "Helm set STRING values on the command line (can be repeated to set several values: --helm-set-string key1=val1 --helm-set-string key2=val2)")
+	command.Flags().StringArrayVar(&opts.helmSetFiles, "helm-set-file", []string{}, "Helm set values from respective files specified via the command line (can be repeated to set several values: --helm-set-file key1=path1 --helm-set-file key2=path2)")
+	command.Flags().StringVar(&opts.project, "project", "", "Application project name")
+	command.Flags().StringVar(&opts.syncPolicy, "sync-policy", "", "Set the sync policy (one of: none, automated (aliases of automated: auto, automatic))")
+	command.Flags().StringArrayVar(&opts.syncOptions, "sync-option", []string{}, "Add or remove a sync option, e.g add `Prune=false`. Remove using `!` prefix, e.g. `!Prune=false`")
+	command.Flags().BoolVar(&opts.autoPrune, "auto-prune", false, "Set automatic pruning when sync is automated")
+	command.Flags().BoolVar(&opts.selfHeal, "self-heal", false, "Set self healing when sync is automated")
+	command.Flags().BoolVar(&opts.allowEmpty, "allow-empty", false, "Set allow zero live resources when sync is automated")
+	command.Flags().StringVar(&opts.namePrefix, "nameprefix", "", "Kustomize nameprefix")
+	command.Flags().StringVar(&opts.nameSuffix, "namesuffix", "", "Kustomize namesuffix")
+	command.Flags().StringVar(&opts.kustomizeVersion, "kustomize-version", "", "Kustomize version")
+	command.Flags().BoolVar(&opts.directoryRecurse, "directory-recurse", false, "Recurse directory")
+	command.Flags().StringVar(&opts.configManagementPlugin, "config-management-plugin", "", "Config management plugin name")
+	command.Flags().StringArrayVar(&opts.jsonnetTlaStr, "jsonnet-tla-str", []string{}, "Jsonnet top level string arguments")
+	command.Flags().StringArrayVar(&opts.jsonnetTlaCode, "jsonnet-tla-code", []string{}, "Jsonnet top level code arguments")
+	command.Flags().StringArrayVar(&opts.jsonnetExtVarStr, "jsonnet-ext-var-str", []string{}, "Jsonnet string ext var")
+	command.Flags().StringArrayVar(&opts.jsonnetExtVarCode, "jsonnet-ext-var-code", []string{}, "Jsonnet ext var")
+	command.Flags().StringArrayVar(&opts.jsonnetLibs, "jsonnet-libs", []string{}, "Additional jsonnet libs (prefixed by repoRoot)")
+	command.Flags().StringArrayVar(&opts.kustomizeImages, "kustomize-image", []string{}, "Kustomize images (e.g. --kustomize-image node:8.15.0 --kustomize-image mysql=mariadb,alpine@sha256:24a0c4b4a4c0eb97a1aabb8e29f18e917d05abfe1b7a7c07857230879ce7d3d)")
+	command.Flags().StringArrayVar(&opts.pluginEnvs, "plugin-env", []string{}, "Additional plugin envs")
+	command.Flags().BoolVar(&opts.Validate, "validate", true, "Validation of repo and cluster")
+	command.Flags().StringArrayVar(&opts.kustomizeCommonLabels, "kustomize-common-label", []string{}, "Set common labels in Kustomize")
+	command.Flags().StringArrayVar(&opts.kustomizeCommonAnnotations, "kustomize-common-annotation", []string{}, "Set common labels in Kustomize")
+	command.Flags().StringVar(&opts.directoryExclude, "directory-exclude", "", "Set glob expression used to exclude files from application source path")
+	command.Flags().StringVar(&opts.directoryInclude, "directory-include", "", "Set glob expression used to include files from application source path")
+}
+
+func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, appOpts *AppOptions) int {
+	visited := 0
+	flags.Visit(func(f *pflag.Flag) {
+		visited++
+		switch f.Name {
+		case "repo":
+			spec.Source.RepoURL = appOpts.repoURL
+		case "path":
+			spec.Source.Path = appOpts.appPath
+		case "helm-chart":
+			spec.Source.Chart = appOpts.chart
+		case "env":
+			setKsonnetOpt(&spec.Source, &appOpts.env)
+		case "revision":
+			spec.Source.TargetRevision = appOpts.revision
+		case "revision-history-limit":
+			i := int64(appOpts.revisionHistoryLimit)
+			spec.RevisionHistoryLimit = &i
+		case "values":
+			setHelmOpt(&spec.Source, helmOpts{valueFiles: appOpts.valuesFiles})
+		case "values-literal-file":
+			var data []byte
+
+			// read uri
+			parsedURL, err := url.ParseRequestURI(appOpts.values)
+			if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
+				data, err = ioutil.ReadFile(appOpts.values)
+			} else {
+				data, err = config.ReadRemoteFile(appOpts.values)
+			}
+			errors.CheckError(err)
+			setHelmOpt(&spec.Source, helmOpts{values: string(data)})
+		case "release-name":
+			setHelmOpt(&spec.Source, helmOpts{releaseName: appOpts.releaseName})
+		case "helm-version":
+			setHelmOpt(&spec.Source, helmOpts{version: appOpts.helmVersion})
+		case "helm-set":
+			setHelmOpt(&spec.Source, helmOpts{helmSets: appOpts.helmSets})
+		case "helm-set-string":
+			setHelmOpt(&spec.Source, helmOpts{helmSetStrings: appOpts.helmSetStrings})
+		case "helm-set-file":
+			setHelmOpt(&spec.Source, helmOpts{helmSetFiles: appOpts.helmSetFiles})
+		case "directory-recurse":
+			if spec.Source.Directory != nil {
+				spec.Source.Directory.Recurse = appOpts.directoryRecurse
+			} else {
+				spec.Source.Directory = &argoappv1.ApplicationSourceDirectory{Recurse: appOpts.directoryRecurse}
+			}
+		case "directory-exclude":
+			if spec.Source.Directory != nil {
+				spec.Source.Directory.Exclude = appOpts.directoryExclude
+			} else {
+				spec.Source.Directory = &argoappv1.ApplicationSourceDirectory{Exclude: appOpts.directoryExclude}
+			}
+		case "directory-include":
+			if spec.Source.Directory != nil {
+				spec.Source.Directory.Include = appOpts.directoryInclude
+			} else {
+				spec.Source.Directory = &argoappv1.ApplicationSourceDirectory{Include: appOpts.directoryInclude}
+			}
+		case "config-management-plugin":
+			spec.Source.Plugin = &argoappv1.ApplicationSourcePlugin{Name: appOpts.configManagementPlugin}
+		case "dest-name":
+			spec.Destination.Name = appOpts.destName
+		case "dest-server":
+			spec.Destination.Server = appOpts.destServer
+		case "dest-namespace":
+			spec.Destination.Namespace = appOpts.destNamespace
+		case "project":
+			spec.Project = appOpts.project
+		case "nameprefix":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{namePrefix: appOpts.namePrefix})
+		case "namesuffix":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{nameSuffix: appOpts.nameSuffix})
+		case "kustomize-image":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{images: appOpts.kustomizeImages})
+		case "kustomize-version":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{version: appOpts.kustomizeVersion})
+		case "kustomize-common-label":
+			parsedLabels, err := label.Parse(appOpts.kustomizeCommonLabels)
+			errors.CheckError(err)
+			setKustomizeOpt(&spec.Source, kustomizeOpts{commonLabels: parsedLabels})
+		case "kustomize-common-annotation":
+			parsedAnnotations, err := label.Parse(appOpts.kustomizeCommonAnnotations)
+			errors.CheckError(err)
+			setKustomizeOpt(&spec.Source, kustomizeOpts{commonAnnotations: parsedAnnotations})
+		case "jsonnet-tla-str":
+			setJsonnetOpt(&spec.Source, appOpts.jsonnetTlaStr, false)
+		case "jsonnet-tla-code":
+			setJsonnetOpt(&spec.Source, appOpts.jsonnetTlaCode, true)
+		case "jsonnet-ext-var-str":
+			setJsonnetOptExtVar(&spec.Source, appOpts.jsonnetExtVarStr, false)
+		case "jsonnet-ext-var-code":
+			setJsonnetOptExtVar(&spec.Source, appOpts.jsonnetExtVarCode, true)
+		case "jsonnet-libs":
+			setJsonnetOptLibs(&spec.Source, appOpts.jsonnetLibs)
+		case "plugin-env":
+			setPluginOptEnvs(&spec.Source, appOpts.pluginEnvs)
+		case "sync-policy":
+			switch appOpts.syncPolicy {
+			case "none":
+				if spec.SyncPolicy != nil {
+					spec.SyncPolicy.Automated = nil
+				}
+				if spec.SyncPolicy.IsZero() {
+					spec.SyncPolicy = nil
+				}
+			case "automated", "automatic", "auto":
+				if spec.SyncPolicy == nil {
+					spec.SyncPolicy = &argoappv1.SyncPolicy{}
+				}
+				spec.SyncPolicy.Automated = &argoappv1.SyncPolicyAutomated{}
+			default:
+				log.Fatalf("Invalid sync-policy: %s", appOpts.syncPolicy)
+			}
+		case "sync-option":
+			if spec.SyncPolicy == nil {
+				spec.SyncPolicy = &argoappv1.SyncPolicy{}
+			}
+			for _, option := range appOpts.syncOptions {
+				// `!` means remove the option
+				if strings.HasPrefix(option, "!") {
+					option = strings.TrimPrefix(option, "!")
+					spec.SyncPolicy.SyncOptions = spec.SyncPolicy.SyncOptions.RemoveOption(option)
+				} else {
+					spec.SyncPolicy.SyncOptions = spec.SyncPolicy.SyncOptions.AddOption(option)
+				}
+			}
+			if spec.SyncPolicy.IsZero() {
+				spec.SyncPolicy = nil
+			}
+		}
+	})
+	if flags.Changed("auto-prune") {
+		if spec.SyncPolicy == nil || spec.SyncPolicy.Automated == nil {
+			log.Fatal("Cannot set --auto-prune: application not configured with automatic sync")
+		}
+		spec.SyncPolicy.Automated.Prune = appOpts.autoPrune
+	}
+	if flags.Changed("self-heal") {
+		if spec.SyncPolicy == nil || spec.SyncPolicy.Automated == nil {
+			log.Fatal("Cannot set --self-heal: application not configured with automatic sync")
+		}
+		spec.SyncPolicy.Automated.SelfHeal = appOpts.selfHeal
+	}
+	if flags.Changed("allow-empty") {
+		if spec.SyncPolicy == nil || spec.SyncPolicy.Automated == nil {
+			log.Fatal("Cannot set --allow-empty: application not configured with automatic sync")
+		}
+		spec.SyncPolicy.Automated.AllowEmpty = appOpts.allowEmpty
+	}
+
+	return visited
+}
+
+func setKsonnetOpt(src *argoappv1.ApplicationSource, env *string) {
+	if src.Ksonnet == nil {
+		src.Ksonnet = &argoappv1.ApplicationSourceKsonnet{}
+	}
+	if env != nil {
+		src.Ksonnet.Environment = *env
+	}
+	if src.Ksonnet.IsZero() {
+		src.Ksonnet = nil
+	}
+}
+
+type kustomizeOpts struct {
+	namePrefix        string
+	nameSuffix        string
+	images            []string
+	version           string
+	commonLabels      map[string]string
+	commonAnnotations map[string]string
+}
+
+func setKustomizeOpt(src *argoappv1.ApplicationSource, opts kustomizeOpts) {
+	if src.Kustomize == nil {
+		src.Kustomize = &argoappv1.ApplicationSourceKustomize{}
+	}
+	if opts.version != "" {
+		src.Kustomize.Version = opts.version
+	}
+	if opts.namePrefix != "" {
+		src.Kustomize.NamePrefix = opts.namePrefix
+	}
+	if opts.nameSuffix != "" {
+		src.Kustomize.NameSuffix = opts.nameSuffix
+	}
+	if opts.commonLabels != nil {
+		src.Kustomize.CommonLabels = opts.commonLabels
+	}
+	if opts.commonAnnotations != nil {
+		src.Kustomize.CommonAnnotations = opts.commonAnnotations
+	}
+	for _, image := range opts.images {
+		src.Kustomize.MergeImage(argoappv1.KustomizeImage(image))
+	}
+	if src.Kustomize.IsZero() {
+		src.Kustomize = nil
+	}
+}
+
+func setPluginOptEnvs(src *argoappv1.ApplicationSource, envs []string) {
+	if src.Plugin == nil {
+		src.Plugin = &argoappv1.ApplicationSourcePlugin{}
+	}
+
+	for _, text := range envs {
+		e, err := argoappv1.NewEnvEntry(text)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Plugin.AddEnvEntry(e)
+	}
+}
+
+type helmOpts struct {
+	valueFiles     []string
+	values         string
+	releaseName    string
+	version        string
+	helmSets       []string
+	helmSetStrings []string
+	helmSetFiles   []string
+}
+
+func setHelmOpt(src *argoappv1.ApplicationSource, opts helmOpts) {
+	if src.Helm == nil {
+		src.Helm = &argoappv1.ApplicationSourceHelm{}
+	}
+	if len(opts.valueFiles) > 0 {
+		src.Helm.ValueFiles = opts.valueFiles
+	}
+	if len(opts.values) > 0 {
+		src.Helm.Values = opts.values
+	}
+	if opts.releaseName != "" {
+		src.Helm.ReleaseName = opts.releaseName
+	}
+	if opts.version != "" {
+		src.Helm.Version = opts.version
+	}
+	for _, text := range opts.helmSets {
+		p, err := argoappv1.NewHelmParameter(text, false)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Helm.AddParameter(*p)
+	}
+	for _, text := range opts.helmSetStrings {
+		p, err := argoappv1.NewHelmParameter(text, true)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Helm.AddParameter(*p)
+	}
+	for _, text := range opts.helmSetFiles {
+		p, err := argoappv1.NewHelmFileParameter(text)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Helm.AddFileParameter(*p)
+	}
+	if src.Helm.IsZero() {
+		src.Helm = nil
+	}
+}
+
+func setJsonnetOpt(src *argoappv1.ApplicationSource, tlaParameters []string, code bool) {
+	if src.Directory == nil {
+		src.Directory = &argoappv1.ApplicationSourceDirectory{}
+	}
+	for _, j := range tlaParameters {
+		src.Directory.Jsonnet.TLAs = append(src.Directory.Jsonnet.TLAs, argoappv1.NewJsonnetVar(j, code))
+	}
+}
+
+func setJsonnetOptExtVar(src *argoappv1.ApplicationSource, jsonnetExtVar []string, code bool) {
+	if src.Directory == nil {
+		src.Directory = &argoappv1.ApplicationSourceDirectory{}
+	}
+	for _, j := range jsonnetExtVar {
+		src.Directory.Jsonnet.ExtVars = append(src.Directory.Jsonnet.ExtVars, argoappv1.NewJsonnetVar(j, code))
+	}
+}
+
+func setJsonnetOptLibs(src *argoappv1.ApplicationSource, libs []string) {
+	if src.Directory == nil {
+		src.Directory = &argoappv1.ApplicationSourceDirectory{}
+	}
+	src.Directory.Jsonnet.Libs = append(src.Directory.Jsonnet.Libs, libs...)
+}
+
+// SetParameterOverrides updates an existing or appends a new parameter override in the application
+// If the app is a ksonnet app, then parameters are expected to be in the form: component=param=value
+// Otherwise, the app is assumed to be a helm app and is expected to be in the form:
+// param=value
+func SetParameterOverrides(app *argoappv1.Application, parameters []string) {
+	if len(parameters) == 0 {
+		return
+	}
+	var sourceType argoappv1.ApplicationSourceType
+	if st, _ := app.Spec.Source.ExplicitType(); st != nil {
+		sourceType = *st
+	} else if app.Status.SourceType != "" {
+		sourceType = app.Status.SourceType
+	} else {
+		// HACK: we don't know the source type, so make an educated guess based on the supplied
+		// parameter string. This code handles the corner case where app doesn't exist yet, and the
+		// command is something like: `argocd app create MYAPP -p foo=bar`
+		// This logic is not foolproof, but when ksonnet is deprecated, this will no longer matter
+		// since helm will remain as the only source type which has parameters.
+		if len(strings.SplitN(parameters[0], "=", 3)) == 3 {
+			sourceType = argoappv1.ApplicationSourceTypeKsonnet
+		} else if len(strings.SplitN(parameters[0], "=", 2)) == 2 {
+			sourceType = argoappv1.ApplicationSourceTypeHelm
+		}
+	}
+
+	switch sourceType {
+	case argoappv1.ApplicationSourceTypeKsonnet:
+		if app.Spec.Source.Ksonnet == nil {
+			app.Spec.Source.Ksonnet = &argoappv1.ApplicationSourceKsonnet{}
+		}
+		for _, paramStr := range parameters {
+			parts := strings.SplitN(paramStr, "=", 3)
+			if len(parts) != 3 {
+				log.Fatalf("Expected ksonnet parameter of the form: component=param=value. Received: %s", paramStr)
+			}
+			newParam := argoappv1.KsonnetParameter{
+				Component: parts[0],
+				Name:      parts[1],
+				Value:     parts[2],
+			}
+			found := false
+			for i, cp := range app.Spec.Source.Ksonnet.Parameters {
+				if cp.Component == newParam.Component && cp.Name == newParam.Name {
+					found = true
+					app.Spec.Source.Ksonnet.Parameters[i] = newParam
+					break
+				}
+			}
+			if !found {
+				app.Spec.Source.Ksonnet.Parameters = append(app.Spec.Source.Ksonnet.Parameters, newParam)
+			}
+		}
+	case argoappv1.ApplicationSourceTypeHelm:
+		if app.Spec.Source.Helm == nil {
+			app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{}
+		}
+		for _, p := range parameters {
+			newParam, err := argoappv1.NewHelmParameter(p, false)
+			if err != nil {
+				log.Error(err)
+				continue
+			}
+			app.Spec.Source.Helm.AddParameter(*newParam)
+		}
+	default:
+		log.Fatalf("Parameters can only be set against Ksonnet or Helm applications")
+	}
+}
+
+func readAppFromStdin(app *argoappv1.Application) error {
+	reader := bufio.NewReader(os.Stdin)
+	err := config.UnmarshalReader(reader, &app)
+	if err != nil {
+		return fmt.Errorf("unable to read manifest from stdin: %v", err)
+	}
+	return nil
+}
+
+func readAppFromURI(fileURL string, app *argoappv1.Application) error {
+	parsedURL, err := url.ParseRequestURI(fileURL)
+	if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
+		err = config.UnmarshalLocalFile(fileURL, &app)
+	} else {
+		err = config.UnmarshalRemoteFile(fileURL, &app)
+	}
+	return err
+}
+
+func ConstructApp(fileURL, appName string, labels, args []string, appOpts AppOptions, flags *pflag.FlagSet) (*argoappv1.Application, error) {
+	var app argoappv1.Application
+	if fileURL == "-" {
+		// read stdin
+		err := readAppFromStdin(&app)
+		if err != nil {
+			return nil, err
+		}
+	} else if fileURL != "" {
+		// read uri
+		err := readAppFromURI(fileURL, &app)
+		if err != nil {
+			return nil, err
+		}
+		if len(args) == 1 && args[0] != app.Name {
+			return nil, fmt.Errorf("app name '%s' does not match app spec metadata.name '%s'", args[0], app.Name)
+		}
+		if appName != "" && appName != app.Name {
+			app.Name = appName
+		}
+		if app.Name == "" {
+			return nil, fmt.Errorf("app.Name is empty. --name argument can be used to provide app.Name")
+		}
+		SetAppSpecOptions(flags, &app.Spec, &appOpts)
+		SetParameterOverrides(&app, appOpts.Parameters)
+		mergeLabels(&app, labels)
+	} else {
+		// read arguments
+		if len(args) == 1 {
+			if appName != "" && appName != args[0] {
+				return nil, fmt.Errorf("--name argument '%s' does not match app name %s", appName, args[0])
+			}
+			appName = args[0]
+		}
+		app = argoappv1.Application{
+			TypeMeta: v1.TypeMeta{
+				Kind:       application.ApplicationKind,
+				APIVersion: application.Group + "/v1alpha1",
+			},
+			ObjectMeta: v1.ObjectMeta{
+				Name: appName,
+			},
+		}
+		SetAppSpecOptions(flags, &app.Spec, &appOpts)
+		SetParameterOverrides(&app, appOpts.Parameters)
+		mergeLabels(&app, labels)
+	}
+	return &app, nil
+}
+
+func mergeLabels(app *argoappv1.Application, labels []string) {
+	mapLabels, err := label.Parse(labels)
+	errors.CheckError(err)
+
+	mergedLabels := make(map[string]string)
+
+	for name, value := range app.GetLabels() {
+		mergedLabels[name] = value
+	}
+
+	for name, value := range mapLabels {
+		mergedLabels[name] = value
+	}
+
+	app.SetLabels(mergedLabels)
+}

cmd/util/app_test.go

@@ -0,0 +1,167 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+func Test_setHelmOpt(t *testing.T) {
+	t.Run("Zero", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{})
+		assert.Nil(t, src.Helm)
+	})
+	t.Run("ValueFiles", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{valueFiles: []string{"foo"}})
+		assert.Equal(t, []string{"foo"}, src.Helm.ValueFiles)
+	})
+	t.Run("ReleaseName", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{releaseName: "foo"})
+		assert.Equal(t, "foo", src.Helm.ReleaseName)
+	})
+	t.Run("HelmSets", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSets: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar"}}, src.Helm.Parameters)
+	})
+	t.Run("HelmSetStrings", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSetStrings: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar", ForceString: true}}, src.Helm.Parameters)
+	})
+	t.Run("HelmSetFiles", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSetFiles: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmFileParameter{{Name: "foo", Path: "bar"}}, src.Helm.FileParameters)
+	})
+	t.Run("Version", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{version: "v3"})
+		assert.Equal(t, "v3", src.Helm.Version)
+	})
+}
+
+func Test_setKustomizeOpt(t *testing.T) {
+	t.Run("No kustomize", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{})
+		assert.Nil(t, src.Kustomize)
+	})
+	t.Run("Name prefix", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{namePrefix: "test-"})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{NamePrefix: "test-"}, src.Kustomize)
+	})
+	t.Run("Name suffix", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{nameSuffix: "-test"})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{NameSuffix: "-test"}, src.Kustomize)
+	})
+	t.Run("Images", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{images: []string{"org/image:v1", "org/image:v2"}})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{Images: v1alpha1.KustomizeImages{v1alpha1.KustomizeImage("org/image:v2")}}, src.Kustomize)
+	})
+	t.Run("Version", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{version: "v0.1"})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{Version: "v0.1"}, src.Kustomize)
+	})
+	t.Run("Common labels", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{commonLabels: map[string]string{"foo1": "bar1", "foo2": "bar2"}})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{CommonLabels: map[string]string{"foo1": "bar1", "foo2": "bar2"}}, src.Kustomize)
+	})
+	t.Run("Common annotations", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setKustomizeOpt(&src, kustomizeOpts{commonAnnotations: map[string]string{"foo1": "bar1", "foo2": "bar2"}})
+		assert.Equal(t, &v1alpha1.ApplicationSourceKustomize{CommonAnnotations: map[string]string{"foo1": "bar1", "foo2": "bar2"}}, src.Kustomize)
+	})
+}
+
+func Test_setJsonnetOpt(t *testing.T) {
+	t.Run("TlaSets", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setJsonnetOpt(&src, []string{"foo=bar"}, false)
+		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}}, src.Directory.Jsonnet.TLAs)
+		setJsonnetOpt(&src, []string{"bar=baz"}, false)
+		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}, {Name: "bar", Value: "baz"}}, src.Directory.Jsonnet.TLAs)
+	})
+	t.Run("ExtSets", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setJsonnetOptExtVar(&src, []string{"foo=bar"}, false)
+		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}}, src.Directory.Jsonnet.ExtVars)
+		setJsonnetOptExtVar(&src, []string{"bar=baz"}, false)
+		assert.Equal(t, []v1alpha1.JsonnetVar{{Name: "foo", Value: "bar"}, {Name: "bar", Value: "baz"}}, src.Directory.Jsonnet.ExtVars)
+	})
+}
+
+func Test_setPluginOptEnvs(t *testing.T) {
+	t.Run("PluginEnvs", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setPluginOptEnvs(&src, []string{"FOO=bar"})
+		assert.Equal(t, v1alpha1.EnvEntry{Name: "FOO", Value: "bar"}, *src.Plugin.Env[0])
+		setPluginOptEnvs(&src, []string{"BAR=baz"})
+		assert.Equal(t, v1alpha1.EnvEntry{Name: "BAR", Value: "baz"}, *src.Plugin.Env[1])
+		setPluginOptEnvs(&src, []string{"FOO=baz"})
+		assert.Equal(t, v1alpha1.EnvEntry{Name: "FOO", Value: "baz"}, *src.Plugin.Env[0])
+	})
+}
+
+type appOptionsFixture struct {
+	spec    *v1alpha1.ApplicationSpec
+	command *cobra.Command
+	options *AppOptions
+}
+
+func (f *appOptionsFixture) SetFlag(key, value string) error {
+	err := f.command.Flags().Set(key, value)
+	if err != nil {
+		return err
+	}
+	_ = SetAppSpecOptions(f.command.Flags(), f.spec, f.options)
+	return err
+}
+
+func newAppOptionsFixture() *appOptionsFixture {
+	fixture := &appOptionsFixture{
+		spec:    &v1alpha1.ApplicationSpec{},
+		command: &cobra.Command{},
+		options: &AppOptions{},
+	}
+	AddAppFlags(fixture.command, fixture.options)
+	return fixture
+}
+
+func Test_setAppSpecOptions(t *testing.T) {
+	f := newAppOptionsFixture()
+	t.Run("SyncPolicy", func(t *testing.T) {
+		assert.NoError(t, f.SetFlag("sync-policy", "automated"))
+		assert.NotNil(t, f.spec.SyncPolicy.Automated)
+
+		f.spec.SyncPolicy = nil
+		assert.NoError(t, f.SetFlag("sync-policy", "automatic"))
+		assert.NotNil(t, f.spec.SyncPolicy.Automated)
+
+		f.spec.SyncPolicy = nil
+		assert.NoError(t, f.SetFlag("sync-policy", "auto"))
+		assert.NotNil(t, f.spec.SyncPolicy.Automated)
+
+		assert.NoError(t, f.SetFlag("sync-policy", "none"))
+		assert.Nil(t, f.spec.SyncPolicy)
+	})
+	t.Run("SyncOptions", func(t *testing.T) {
+		assert.NoError(t, f.SetFlag("sync-option", "a=1"))
+		assert.True(t, f.spec.SyncPolicy.SyncOptions.HasOption("a=1"))
+
+		// remove the options using !
+		assert.NoError(t, f.SetFlag("sync-option", "!a=1"))
+		assert.Nil(t, f.spec.SyncPolicy)
+	})
+}

cmd/util/cluster.go

@@ -0,0 +1,132 @@
+package util
+
+import (
+	"fmt"
+	"io/ioutil"
+	"os"
+	"sort"
+	"strings"
+	"text/tabwriter"
+
+	"github.com/spf13/cobra"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/errors"
+)
+
+func PrintKubeContexts(ca clientcmd.ConfigAccess) {
+	config, err := ca.GetStartingConfig()
+	errors.CheckError(err)
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	defer func() { _ = w.Flush() }()
+	columnNames := []string{"CURRENT", "NAME", "CLUSTER", "SERVER"}
+	_, err = fmt.Fprintf(w, "%s\n", strings.Join(columnNames, "\t"))
+	errors.CheckError(err)
+
+	// sort names so output is deterministic
+	contextNames := make([]string, 0)
+	for name := range config.Contexts {
+		contextNames = append(contextNames, name)
+	}
+	sort.Strings(contextNames)
+
+	if config.Clusters == nil {
+		return
+	}
+
+	for _, name := range contextNames {
+		// ignore malformed kube config entries
+		context := config.Contexts[name]
+		if context == nil {
+			continue
+		}
+		cluster := config.Clusters[context.Cluster]
+		if cluster == nil {
+			continue
+		}
+		prefix := " "
+		if config.CurrentContext == name {
+			prefix = "*"
+		}
+		_, err := fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", prefix, name, context.Cluster, cluster.Server)
+		errors.CheckError(err)
+	}
+}
+
+func NewCluster(name string, namespaces []string, conf *rest.Config, managerBearerToken string, awsAuthConf *argoappv1.AWSAuthConfig, execProviderConf *argoappv1.ExecProviderConfig) *argoappv1.Cluster {
+	tlsClientConfig := argoappv1.TLSClientConfig{
+		Insecure:   conf.TLSClientConfig.Insecure,
+		ServerName: conf.TLSClientConfig.ServerName,
+		CAData:     conf.TLSClientConfig.CAData,
+		CertData:   conf.TLSClientConfig.CertData,
+		KeyData:    conf.TLSClientConfig.KeyData,
+	}
+	if len(conf.TLSClientConfig.CAData) == 0 && conf.TLSClientConfig.CAFile != "" {
+		data, err := ioutil.ReadFile(conf.TLSClientConfig.CAFile)
+		errors.CheckError(err)
+		tlsClientConfig.CAData = data
+	}
+	if len(conf.TLSClientConfig.CertData) == 0 && conf.TLSClientConfig.CertFile != "" {
+		data, err := ioutil.ReadFile(conf.TLSClientConfig.CertFile)
+		errors.CheckError(err)
+		tlsClientConfig.CertData = data
+	}
+	if len(conf.TLSClientConfig.KeyData) == 0 && conf.TLSClientConfig.KeyFile != "" {
+		data, err := ioutil.ReadFile(conf.TLSClientConfig.KeyFile)
+		errors.CheckError(err)
+		tlsClientConfig.KeyData = data
+	}
+
+	clst := argoappv1.Cluster{
+		Server:     conf.Host,
+		Name:       name,
+		Namespaces: namespaces,
+		Config: argoappv1.ClusterConfig{
+			TLSClientConfig:    tlsClientConfig,
+			AWSAuthConfig:      awsAuthConf,
+			ExecProviderConfig: execProviderConf,
+		},
+	}
+
+	// Bearer token will preferentially be used for auth if present,
+	// Even in presence of key/cert credentials
+	// So set bearer token only if the key/cert data is absent
+	if len(tlsClientConfig.CertData) == 0 || len(tlsClientConfig.KeyData) == 0 {
+		clst.Config.BearerToken = managerBearerToken
+	}
+
+	return &clst
+}
+
+type ClusterOptions struct {
+	InCluster               bool
+	Upsert                  bool
+	ServiceAccount          string
+	AwsRoleArn              string
+	AwsClusterName          string
+	SystemNamespace         string
+	Namespaces              []string
+	Name                    string
+	Shard                   int64
+	ExecProviderCommand     string
+	ExecProviderArgs        []string
+	ExecProviderEnv         map[string]string
+	ExecProviderAPIVersion  string
+	ExecProviderInstallHint string
+}
+
+func AddClusterFlags(command *cobra.Command, opts *ClusterOptions) {
+	command.Flags().BoolVar(&opts.InCluster, "in-cluster", false, "Indicates Argo CD resides inside this cluster and should connect using the internal k8s hostname (kubernetes.default.svc)")
+	command.Flags().StringVar(&opts.AwsClusterName, "aws-cluster-name", "", "AWS Cluster name if set then aws cli eks token command will be used to access cluster")
+	command.Flags().StringVar(&opts.AwsRoleArn, "aws-role-arn", "", "Optional AWS role arn. If set then AWS IAM Authenticator assumes a role to perform cluster operations instead of the default AWS credential provider chain.")
+	command.Flags().StringArrayVar(&opts.Namespaces, "namespace", nil, "List of namespaces which are allowed to manage")
+	command.Flags().StringVar(&opts.Name, "name", "", "Overwrite the cluster name")
+	command.Flags().Int64Var(&opts.Shard, "shard", -1, "Cluster shard number; inferred from hostname if not set")
+	command.Flags().StringVar(&opts.ExecProviderCommand, "exec-command", "", "Command to run to provide client credentials to the cluster. You may need to build a custom ArgoCD image to ensure the command is available at runtime.")
+	command.Flags().StringArrayVar(&opts.ExecProviderArgs, "exec-command-args", nil, "Arguments to supply to the --exec-command executable")
+	command.Flags().StringToStringVar(&opts.ExecProviderEnv, "exec-command-env", nil, "Environment vars to set when running the --exec-command executable")
+	command.Flags().StringVar(&opts.ExecProviderAPIVersion, "exec-command-api-version", "", "Preferred input version of the ExecInfo for the --exec-command executable")
+	command.Flags().StringVar(&opts.ExecProviderInstallHint, "exec-command-install-hint", "", "Text shown to the user when the --exec-command executable doesn't seem to be present")
+}

cmd/util/cluster_test.go

@@ -0,0 +1,63 @@
+package util
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/client-go/rest"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+func Test_newCluster(t *testing.T) {
+	clusterWithData := NewCluster("test-cluster", []string{"test-namespace"}, &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure:   false,
+			ServerName: "test-endpoint.example.com",
+			CAData:     []byte("test-ca-data"),
+			CertData:   []byte("test-cert-data"),
+			KeyData:    []byte("test-key-data"),
+		},
+		Host: "test-endpoint.example.com",
+	},
+		"test-bearer-token",
+		&v1alpha1.AWSAuthConfig{},
+		&v1alpha1.ExecProviderConfig{})
+
+	assert.Equal(t, "test-cert-data", string(clusterWithData.Config.CertData))
+	assert.Equal(t, "test-key-data", string(clusterWithData.Config.KeyData))
+	assert.Equal(t, "", clusterWithData.Config.BearerToken)
+
+	clusterWithFiles := NewCluster("test-cluster", []string{"test-namespace"}, &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure:   false,
+			ServerName: "test-endpoint.example.com",
+			CAData:     []byte("test-ca-data"),
+			CertFile:   "./testdata/test.cert.pem",
+			KeyFile:    "./testdata/test.key.pem",
+		},
+		Host: "test-endpoint.example.com",
+	},
+		"test-bearer-token",
+		&v1alpha1.AWSAuthConfig{},
+		&v1alpha1.ExecProviderConfig{})
+
+	assert.True(t, strings.Contains(string(clusterWithFiles.Config.CertData), "test-cert-data"))
+	assert.True(t, strings.Contains(string(clusterWithFiles.Config.KeyData), "test-key-data"))
+	assert.Equal(t, "", clusterWithFiles.Config.BearerToken)
+
+	clusterWithBearerToken := NewCluster("test-cluster", []string{"test-namespace"}, &rest.Config{
+		TLSClientConfig: rest.TLSClientConfig{
+			Insecure:   false,
+			ServerName: "test-endpoint.example.com",
+			CAData:     []byte("test-ca-data"),
+		},
+		Host: "test-endpoint.example.com",
+	},
+		"test-bearer-token",
+		&v1alpha1.AWSAuthConfig{},
+		&v1alpha1.ExecProviderConfig{})
+
+	assert.Equal(t, "test-bearer-token", clusterWithBearerToken.Config.BearerToken)
+}

cmd/util/common.go

@@ -0,0 +1,80 @@
+package util
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/ghodss/yaml"
+	v1 "k8s.io/api/core/v1"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+)
+
+var (
+	LogFormat string
+	LogLevel  string
+)
+
+// PrintResource prints a single resource in YAML or JSON format to stdout according to the output format
+func PrintResources(resources []interface{}, output string) error {
+	for i, resource := range resources {
+		filteredResource, err := omitFields(resource)
+		if err != nil {
+			return err
+		}
+		resources[i] = filteredResource
+	}
+
+	switch output {
+	case "json":
+		jsonBytes, err := json.MarshalIndent(resources, "", "  ")
+		if err != nil {
+			return err
+		}
+
+		fmt.Println(string(jsonBytes))
+	case "yaml":
+		yamlBytes, err := yaml.Marshal(resources)
+		if err != nil {
+			return err
+		}
+		fmt.Println(string(yamlBytes))
+	default:
+		return fmt.Errorf("unknown output format: %s", output)
+	}
+	return nil
+}
+
+// omit fields such as status, creationTimestamp and metadata.namespace in k8s objects
+func omitFields(resource interface{}) (interface{}, error) {
+	jsonBytes, err := json.Marshal(resource)
+	if err != nil {
+		return nil, err
+	}
+
+	toMap := make(map[string]interface{})
+	err = json.Unmarshal([]byte(string(jsonBytes)), &toMap)
+	if err != nil {
+		return nil, err
+	}
+
+	delete(toMap, "status")
+	if v, ok := toMap["metadata"]; ok {
+		if metadata, ok := v.(map[string]interface{}); ok {
+			delete(metadata, "creationTimestamp")
+			delete(metadata, "namespace")
+		}
+	}
+	return toMap, nil
+}
+
+// ConvertSecretData converts kubernetes secret's data to stringData
+func ConvertSecretData(secret *v1.Secret) {
+	secret.Kind = kube.SecretKind
+	secret.APIVersion = "v1"
+	secret.StringData = map[string]string{}
+	for k, v := range secret.Data {
+		secret.StringData[k] = string(v)
+	}
+	secret.Data = map[string][]byte{}
+}

cmd/util/project.go

@@ -0,0 +1,141 @@
+package util
+
+import (
+	"bufio"
+	"fmt"
+	"log"
+	"net/url"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/config"
+	"github.com/argoproj/argo-cd/util/gpg"
+)
+
+type ProjectOpts struct {
+	Description              string
+	destinations             []string
+	Sources                  []string
+	SignatureKeys            []string
+	orphanedResourcesEnabled bool
+	orphanedResourcesWarn    bool
+}
+
+func AddProjFlags(command *cobra.Command, opts *ProjectOpts) {
+	command.Flags().StringVarP(&opts.Description, "description", "", "", "Project description")
+	command.Flags().StringArrayVarP(&opts.destinations, "dest", "d", []string{},
+		"Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)")
+	command.Flags().StringArrayVarP(&opts.Sources, "src", "s", []string{}, "Permitted source repository URL")
+	command.Flags().StringSliceVar(&opts.SignatureKeys, "signature-keys", []string{}, "GnuPG public key IDs for commit signature verification")
+	command.Flags().BoolVar(&opts.orphanedResourcesEnabled, "orphaned-resources", false, "Enables orphaned resources monitoring")
+	command.Flags().BoolVar(&opts.orphanedResourcesWarn, "orphaned-resources-warn", false, "Specifies if applications should have a warning condition when orphaned resources detected")
+}
+
+func (opts *ProjectOpts) GetDestinations() []v1alpha1.ApplicationDestination {
+	destinations := make([]v1alpha1.ApplicationDestination, 0)
+	for _, destStr := range opts.destinations {
+		parts := strings.Split(destStr, ",")
+		if len(parts) != 2 {
+			log.Fatalf("Expected destination of the form: server,namespace. Received: %s", destStr)
+		} else {
+			destinations = append(destinations, v1alpha1.ApplicationDestination{
+				Server:    parts[0],
+				Namespace: parts[1],
+			})
+		}
+	}
+	return destinations
+}
+
+// TODO: Get configured keys and emit warning when a key is specified that is not configured
+func (opts *ProjectOpts) GetSignatureKeys() []v1alpha1.SignatureKey {
+	signatureKeys := make([]v1alpha1.SignatureKey, 0)
+	for _, keyStr := range opts.SignatureKeys {
+		if !gpg.IsShortKeyID(keyStr) && !gpg.IsLongKeyID(keyStr) {
+			log.Fatalf("'%s' is not a valid GnuPG key ID", keyStr)
+		}
+		signatureKeys = append(signatureKeys, v1alpha1.SignatureKey{KeyID: gpg.KeyID(keyStr)})
+	}
+	return signatureKeys
+}
+
+func GetOrphanedResourcesSettings(c *cobra.Command, opts ProjectOpts) *v1alpha1.OrphanedResourcesMonitorSettings {
+	warnChanged := c.Flag("orphaned-resources-warn").Changed
+	if opts.orphanedResourcesEnabled || warnChanged {
+		settings := v1alpha1.OrphanedResourcesMonitorSettings{}
+		if warnChanged {
+			settings.Warn = pointer.BoolPtr(opts.orphanedResourcesWarn)
+		}
+		return &settings
+	}
+	return nil
+}
+
+func readProjFromStdin(proj *v1alpha1.AppProject) error {
+	reader := bufio.NewReader(os.Stdin)
+	err := config.UnmarshalReader(reader, &proj)
+	if err != nil {
+		return fmt.Errorf("unable to read manifest from stdin: %v", err)
+	}
+	return nil
+}
+
+func readProjFromURI(fileURL string, proj *v1alpha1.AppProject) error {
+	parsedURL, err := url.ParseRequestURI(fileURL)
+	if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
+		err = config.UnmarshalLocalFile(fileURL, &proj)
+	} else {
+		err = config.UnmarshalRemoteFile(fileURL, &proj)
+	}
+	return err
+}
+
+func ConstructAppProj(fileURL string, args []string, opts ProjectOpts, c *cobra.Command) (*v1alpha1.AppProject, error) {
+	var proj v1alpha1.AppProject
+	if fileURL == "-" {
+		// read stdin
+		err := readProjFromStdin(&proj)
+		if err != nil {
+			return nil, err
+		}
+	} else if fileURL != "" {
+		// read uri
+		err := readProjFromURI(fileURL, &proj)
+		if err != nil {
+			return nil, err
+		}
+
+		if len(args) == 1 && args[0] != proj.Name {
+			return nil, fmt.Errorf("project name '%s' does not match project spec metadata.name '%s'", args[0], proj.Name)
+		}
+	} else {
+		// read arguments
+		if len(args) == 0 {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		}
+		projName := args[0]
+		proj = v1alpha1.AppProject{
+			TypeMeta: v1.TypeMeta{
+				Kind:       application.AppProjectKind,
+				APIVersion: application.Group + "/v1alpha1",
+			},
+			ObjectMeta: v1.ObjectMeta{Name: projName},
+			Spec: v1alpha1.AppProjectSpec{
+				Description:       opts.Description,
+				Destinations:      opts.GetDestinations(),
+				SourceRepos:       opts.Sources,
+				SignatureKeys:     opts.GetSignatureKeys(),
+				OrphanedResources: GetOrphanedResourcesSettings(c, opts),
+			},
+		}
+	}
+
+	return &proj, nil
+}

cmd/util/repo.go

@@ -0,0 +1,42 @@
+package util
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/common"
+	appsv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+type RepoOptions struct {
+	Repo                           appsv1.Repository
+	Upsert                         bool
+	SshPrivateKeyPath              string
+	InsecureIgnoreHostKey          bool
+	InsecureSkipServerVerification bool
+	TlsClientCertPath              string
+	TlsClientCertKeyPath           string
+	EnableLfs                      bool
+	EnableOci                      bool
+	GithubAppId                    int64
+	GithubAppInstallationId        int64
+	GithubAppPrivateKeyPath        string
+	GitHubAppEnterpriseBaseURL     string
+}
+
+func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
+	command.Flags().StringVar(&opts.Repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
+	command.Flags().StringVar(&opts.Repo.Name, "name", "", "name of the repository, mandatory for repositories of type helm")
+	command.Flags().StringVar(&opts.Repo.Username, "username", "", "username to the repository")
+	command.Flags().StringVar(&opts.Repo.Password, "password", "", "password to the repository")
+	command.Flags().StringVar(&opts.SshPrivateKeyPath, "ssh-private-key-path", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
+	command.Flags().StringVar(&opts.TlsClientCertPath, "tls-client-cert-path", "", "path to the TLS client cert (must be PEM format)")
+	command.Flags().StringVar(&opts.TlsClientCertKeyPath, "tls-client-cert-key-path", "", "path to the TLS client cert's key path (must be PEM format)")
+	command.Flags().BoolVar(&opts.InsecureIgnoreHostKey, "insecure-ignore-host-key", false, "disables SSH strict host key checking (deprecated, use --insecure-skip-server-verification instead)")
+	command.Flags().BoolVar(&opts.InsecureSkipServerVerification, "insecure-skip-server-verification", false, "disables server certificate and host key checks")
+	command.Flags().BoolVar(&opts.EnableLfs, "enable-lfs", false, "enable git-lfs (Large File Support) on this repository")
+	command.Flags().BoolVar(&opts.EnableOci, "enable-oci", false, "enable helm-oci (Helm OCI-Based Repository)")
+	command.Flags().Int64Var(&opts.GithubAppId, "github-app-id", 0, "id of the GitHub Application")
+	command.Flags().Int64Var(&opts.GithubAppInstallationId, "github-app-installation-id", 0, "installation id of the GitHub Application")
+	command.Flags().StringVar(&opts.GithubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
+	command.Flags().StringVar(&opts.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
+}

cmd/util/testdata/test.cert.pem

@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+test-cert-data
+-----END CERTIFICATE-----

cmd/util/testdata/test.key.pem

@@ -0,0 +1,3 @@
+-----BEGIN RSA PRIVATE KEY-----
+test-key-data
+-----END RSA PRIVATE KEY-----

common/common.go

@@ -1,5 +1,11 @@
 package common
 
+import (
+	"os"
+	"strconv"
+	"time"
+)
+
 // Default service addresses and URLS of Argo CD internal services
 const (
 	// DefaultRepoServerAddr is the gRPC address of the Argo CD repo server
@@ -19,11 +25,13 @@ const (
 	ArgoCDKnownHostsConfigMapName = "argocd-ssh-known-hosts-cm"
 	// Contains TLS certificate data for connecting repositories. Will get mounted as volume to pods
 	ArgoCDTLSCertsConfigMapName = "argocd-tls-certs-cm"
+	ArgoCDGPGKeysConfigMapName  = "argocd-gpg-keys-cm"
 )
 
-// Default system namespace
+// Some default configurables
 const (
 	DefaultSystemNamespace = "kube-system"
+	DefaultRepoType        = "git"
 )
 
 // Default listener ports for ArgoCD components
@@ -37,14 +45,20 @@ const (
 
 // Default paths on the pod's file system
 const (
-	// The default base path where application config is located
-	DefaultPathAppConfig = "/app/config"
 	// The default path where TLS certificates for repositories are located
 	DefaultPathTLSConfig = "/app/config/tls"
 	// The default path where SSH known hosts are stored
 	DefaultPathSSHConfig = "/app/config/ssh"
 	// Default name for the SSH known hosts file
 	DefaultSSHKnownHostsName = "ssh_known_hosts"
+	// Default path to GnuPG home directory
+	DefaultGnuPgHomePath = "/app/config/gpg/keys"
+)
+
+const (
+	DefaultSyncRetryDuration    = 5 * time.Second
+	DefaultSyncRetryMaxDuration = 3 * time.Minute
+	DefaultSyncRetryFactor      = int64(2)
 )
 
 // Argo CD application related constants
@@ -61,10 +75,10 @@ const (
 	AuthCookieName = "argocd.token"
 	// RevisionHistoryLimit is the max number of successful sync to keep in history
 	RevisionHistoryLimit = 10
-	// K8sClientConfigQPS controls the QPS to be used in K8s REST client configs
-	K8sClientConfigQPS = 25
-	// K8sClientConfigBurst controls the burst to be used in K8s REST client configs
-	K8sClientConfigBurst = 50
+	// ChangePasswordSSOTokenMaxAge is the max token age for password change operation
+	ChangePasswordSSOTokenMaxAge = time.Minute * 5
+	// GithubAppCredsExpirationDuration is the default time used to cache the GitHub app credentials
+	GithubAppCredsExpirationDuration = time.Minute * 60
 )
 
 // Dex related constants
@@ -73,8 +87,12 @@ const (
 	DexAPIEndpoint = "/api/dex"
 	// LoginEndpoint is Argo CD's shorthand login endpoint which redirects to dex's OAuth 2.0 provider's consent page
 	LoginEndpoint = "/auth/login"
+	// LogoutEndpoint is Argo CD's shorthand logout endpoint which invalidates OIDC session after logout
+	LogoutEndpoint = "/auth/logout"
 	// CallbackEndpoint is Argo CD's final callback endpoint we reach after OAuth 2.0 login flow has been completed
 	CallbackEndpoint = "/auth/callback"
+	// DexCallbackEndpoint is Argo CD's final callback endpoint when Dex is configured
+	DexCallbackEndpoint = "/api/dex/callback"
 	// ArgoCDClientAppName is name of the Oauth client app used when registering our web app to dex
 	ArgoCDClientAppName = "Argo CD"
 	// ArgoCDClientAppID is the Oauth client ID we will use when registering our app to dex
@@ -99,14 +117,7 @@ const (
 
 	// AnnotationCompareOptions is a comma-separated list of options for comparison
 	AnnotationCompareOptions = "argocd.argoproj.io/compare-options"
-	// AnnotationSyncOptions is a comma-separated list of options for syncing
-	AnnotationSyncOptions = "argocd.argoproj.io/sync-options"
-	// AnnotationSyncWave indicates which wave of the sync the resource or hook should be in
-	AnnotationSyncWave = "argocd.argoproj.io/sync-wave"
-	// AnnotationKeyHook contains the hook type of a resource
-	AnnotationKeyHook = "argocd.argoproj.io/hook"
-	// AnnotationKeyHookDeletePolicy is the policy of deleting a hook
-	AnnotationKeyHookDeletePolicy = "argocd.argoproj.io/hook-delete-policy"
+
 	// AnnotationKeyRefresh is the annotation key which indicates that app needs to be refreshed. Removed by application controller after app is refreshed.
 	// Might take values 'normal'/'hard'. Value 'hard' means manifest cache and target cluster state cache should be invalidated before refresh.
 	AnnotationKeyRefresh = "argocd.argoproj.io/refresh"
@@ -114,12 +125,24 @@ const (
 	AnnotationKeyManagedBy = "managed-by"
 	// AnnotationValueManagedByArgoCD is a 'managed-by' annotation value for resources managed by Argo CD
 	AnnotationValueManagedByArgoCD = "argocd.argoproj.io"
-	// AnnotationKeyHelmHook is the helm hook annotation
-	AnnotationKeyHelmHook = "helm.sh/hook"
-	// AnnotationValueHelmHookCRDInstall is a value of crd helm hook
-	AnnotationValueHelmHookCRDInstall = "crd-install"
 	// ResourcesFinalizerName the finalizer value which we inject to finalize deletion of an application
 	ResourcesFinalizerName = "resources-finalizer.argocd.argoproj.io"
+
+	// AnnotationKeyManifestGeneratePaths is an annotation that contains a list of semicolon-separated paths in the
+	// manifests repository that affects the manifest generation. Paths might be either relative or absolute. The
+	// absolute path means an absolute path within the repository and the relative path is relative to the application
+	// source path within the repository.
+	AnnotationKeyManifestGeneratePaths = "argocd.argoproj.io/manifest-generate-paths"
+
+	// AnnotationKeyLinkPrefix tells the UI to add an external link icon to the application node
+	// that links to the value given in the annotation.
+	// The annotation key must be followed by a unique identifier. Ex: link.argocd.argoproj.io/dashboard
+	// It's valid to have multiple annotations that match the prefix.
+	// Values can simply be a url or they can have
+	// an optional link title separated by a "|"
+	// Ex: "http://grafana.example.com/d/yu5UH4MMz/deployments"
+	// Ex: "Go to Dashboard|http://grafana.example.com/d/yu5UH4MMz/deployments"
+	AnnotationKeyLinkPrefix = "link.argocd.argoproj.io/"
 )
 
 // Environment variables for tuning and debugging Argo CD
@@ -135,14 +158,90 @@ const (
 	EnvVarSSHDataPath = "ARGOCD_SSH_DATA_PATH"
 	// Overrides the location where TLS certificate for repo access data is stored
 	EnvVarTLSDataPath = "ARGOCD_TLS_DATA_PATH"
+	// Specifies number of git remote operations attempts count
+	EnvGitAttemptsCount = "ARGOCD_GIT_ATTEMPTS_COUNT"
+	// Overrides git submodule support, true by default
+	EnvGitSubmoduleEnabled = "ARGOCD_GIT_MODULES_ENABLED"
+	// EnvK8sClientQPS is the QPS value used for the kubernetes client (default: 50)
+	EnvK8sClientQPS = "ARGOCD_K8S_CLIENT_QPS"
+	// EnvK8sClientBurst is the burst value used for the kubernetes client (default: twice the client QPS)
+	EnvK8sClientBurst = "ARGOCD_K8S_CLIENT_BURST"
+	// EnvClusterCacheResyncDuration is the env variable that holds cluster cache re-sync duration
+	EnvClusterCacheResyncDuration = "ARGOCD_CLUSTER_CACHE_RESYNC_DURATION"
+	// EnvK8sClientMaxIdleConnections is the number of max idle connections in K8s REST client HTTP transport (default: 500)
+	EnvK8sClientMaxIdleConnections = "ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS"
+	// EnvGnuPGHome is the path to ArgoCD's GnuPG keyring for signature verification
+	EnvGnuPGHome = "ARGOCD_GNUPGHOME"
+	// EnvWatchAPIBufferSize is the buffer size used to transfer K8S watch events to watch API consumer
+	EnvWatchAPIBufferSize = "ARGOCD_WATCH_API_BUFFER_SIZE"
+	// EnvPauseGenerationAfterFailedAttempts will pause manifest generation after the specified number of failed generation attempts
+	EnvPauseGenerationAfterFailedAttempts = "ARGOCD_PAUSE_GEN_AFTER_FAILED_ATTEMPTS"
+	// EnvPauseGenerationMinutes pauses manifest generation for the specified number of minutes, after sufficient manifest generation failures
+	EnvPauseGenerationMinutes = "ARGOCD_PAUSE_GEN_MINUTES"
+	// EnvPauseGenerationRequests pauses manifest generation for the specified number of requests, after sufficient manifest generation failures
+	EnvPauseGenerationRequests = "ARGOCD_PAUSE_GEN_REQUESTS"
+	// EnvControllerReplicas is the number of controller replicas
+	EnvControllerReplicas = "ARGOCD_CONTROLLER_REPLICAS"
+	// EnvControllerShard is the shard number that should be handled by controller
+	EnvControllerShard = "ARGOCD_CONTROLLER_SHARD"
+	// EnvEnableGRPCTimeHistogramEnv enables gRPC metrics collection
+	EnvEnableGRPCTimeHistogramEnv = "ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM"
+	// EnvGithubAppCredsExpirationDuration controls the caching of Github app credentials. This value is in minutes (default: 60)
+	EnvGithubAppCredsExpirationDuration = "ARGOCD_GITHUB_APP_CREDS_EXPIRATION_DURATION"
 )
 
 const (
 	// MinClientVersion is the minimum client version that can interface with this API server.
 	// When introducing breaking changes to the API or datastructures, this number should be bumped.
 	// The value here may be lower than the current value in VERSION
-	MinClientVersion = "1.0.0"
+	MinClientVersion = "1.4.0"
 	// CacheVersion is a objects version cached using util/cache/cache.go.
 	// Number should be bumped in case of backward incompatible change to make sure cache is invalidated after upgrade.
-	CacheVersion = "1.0.0"
+	CacheVersion = "1.8.3"
 )
+
+// GetGnuPGHomePath retrieves the path to use for GnuPG home directory, which is either taken from GNUPGHOME environment or a default value
+func GetGnuPGHomePath() string {
+	if gnuPgHome := os.Getenv(EnvGnuPGHome); gnuPgHome == "" {
+		return DefaultGnuPgHomePath
+	} else {
+		return gnuPgHome
+	}
+}
+
+var (
+	// K8sClientConfigQPS controls the QPS to be used in K8s REST client configs
+	K8sClientConfigQPS float32 = 50
+	// K8sClientConfigBurst controls the burst to be used in K8s REST client configs
+	K8sClientConfigBurst int = 100
+	// K8sMaxIdleConnections controls the number of max idle connections in K8s REST client HTTP transport
+	K8sMaxIdleConnections = 500
+	// K8sMaxIdleConnections controls the duration of cluster cache refresh
+	K8SClusterResyncDuration = 12 * time.Hour
+)
+
+func init() {
+	if envQPS := os.Getenv(EnvK8sClientQPS); envQPS != "" {
+		if qps, err := strconv.ParseFloat(envQPS, 32); err != nil {
+			K8sClientConfigQPS = float32(qps)
+		}
+	}
+	if envBurst := os.Getenv(EnvK8sClientBurst); envBurst != "" {
+		if burst, err := strconv.Atoi(envBurst); err != nil {
+			K8sClientConfigBurst = burst
+		}
+	} else {
+		K8sClientConfigBurst = 2 * int(K8sClientConfigQPS)
+	}
+
+	if envMaxConn := os.Getenv(EnvK8sClientMaxIdleConnections); envMaxConn != "" {
+		if maxConn, err := strconv.Atoi(envMaxConn); err != nil {
+			K8sMaxIdleConnections = maxConn
+		}
+	}
+	if clusterResyncDurationStr := os.Getenv(EnvClusterCacheResyncDuration); clusterResyncDurationStr != "" {
+		if duration, err := time.ParseDuration(clusterResyncDurationStr); err == nil {
+			K8SClusterResyncDuration = duration
+		}
+	}
+}

common/version.go

@@ -8,23 +8,25 @@ import (
 // Version information set by link flags during build. We fall back to these sane
 // default values when we build outside the Makefile context (e.g. go run, go build, or go test).
 var (
-	version      = "99.99.99"             // value from VERSION file
-	buildDate    = "1970-01-01T00:00:00Z" // output from `date -u +'%Y-%m-%dT%H:%M:%SZ'`
-	gitCommit    = ""                     // output from `git rev-parse HEAD`
-	gitTag       = ""                     // output from `git describe --exact-match --tags HEAD` (if clean tree state)
-	gitTreeState = ""                     // determined from `git status --porcelain`. either 'clean' or 'dirty'
+	version        = "99.99.99"             // value from VERSION file
+	buildDate      = "1970-01-01T00:00:00Z" // output from `date -u +'%Y-%m-%dT%H:%M:%SZ'`
+	gitCommit      = ""                     // output from `git rev-parse HEAD`
+	gitTag         = ""                     // output from `git describe --exact-match --tags HEAD` (if clean tree state)
+	gitTreeState   = ""                     // determined from `git status --porcelain`. either 'clean' or 'dirty'
+	kubectlVersion = ""                     // determined from go.mod file
 )
 
 // Version contains Argo version information
 type Version struct {
-	Version      string
-	BuildDate    string
-	GitCommit    string
-	GitTag       string
-	GitTreeState string
-	GoVersion    string
-	Compiler     string
-	Platform     string
+	Version        string
+	BuildDate      string
+	GitCommit      string
+	GitTag         string
+	GitTreeState   string
+	GoVersion      string
+	Compiler       string
+	Platform       string
+	KubectlVersion string
 }
 
 func (v Version) String() string {
@@ -53,13 +55,14 @@ func GetVersion() Version {
 		}
 	}
 	return Version{
-		Version:      versionStr,
-		BuildDate:    buildDate,
-		GitCommit:    gitCommit,
-		GitTag:       gitTag,
-		GitTreeState: gitTreeState,
-		GoVersion:    runtime.Version(),
-		Compiler:     runtime.Compiler,
-		Platform:     fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH),
+		Version:        versionStr,
+		BuildDate:      buildDate,
+		GitCommit:      gitCommit,
+		GitTag:         gitTag,
+		GitTreeState:   gitTreeState,
+		GoVersion:      runtime.Version(),
+		Compiler:       runtime.Compiler,
+		Platform:       fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH),
+		KubectlVersion: kubectlVersion,
 	}
 }

controller/cache/cache.go

@@ -2,53 +2,79 @@ package cache
 
 import (
 	"context"
+	"fmt"
 	"reflect"
 	"sync"
 
+	clustercache "github.com/argoproj/gitops-engine/pkg/cache"
+	"github.com/argoproj/gitops-engine/pkg/health"
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sync/semaphore"
 	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/tools/cache"
 
+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/controller/metrics"
 	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util"
+	"github.com/argoproj/argo-cd/util/argo"
 	"github.com/argoproj/argo-cd/util/db"
-	"github.com/argoproj/argo-cd/util/kube"
+	logutils "github.com/argoproj/argo-cd/util/log"
+	"github.com/argoproj/argo-cd/util/lua"
 	"github.com/argoproj/argo-cd/util/settings"
 )
 
-type cacheSettings struct {
-	ResourceOverrides   map[string]appv1.ResourceOverride
-	AppInstanceLabelKey string
-	ResourcesFilter     *settings.ResourcesFilter
-}
-
 type LiveStateCache interface {
-	IsNamespaced(server string, obj *unstructured.Unstructured) (bool, error)
+	// Returns k8s server version
+	GetVersionsInfo(serverURL string) (string, []metav1.APIGroup, error)
+	// Returns true of given group kind is a namespaced resource
+	IsNamespaced(server string, gk schema.GroupKind) (bool, error)
+	// Returns synced cluster cache
+	GetClusterCache(server string) (clustercache.ClusterCache, error)
 	// Executes give callback against resource specified by the key and all its children
-	IterateHierarchy(server string, obj *unstructured.Unstructured, action func(child appv1.ResourceNode)) error
+	IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) error
 	// Returns state of live nodes which correspond for target nodes of specified application.
 	GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error)
+	// IterateResources iterates all resource stored in cache
+	IterateResources(server string, callback func(res *clustercache.Resource, info *ResourceInfo)) error
+	// Returns all top level resources (resources without owner references) of a specified namespace
+	GetNamespaceTopLevelResources(server string, namespace string) (map[kube.ResourceKey]appv1.ResourceNode, error)
 	// Starts watching resources of each controlled cluster.
 	Run(ctx context.Context) error
-	// Invalidate invalidates the entire cluster state cache
-	Invalidate()
+	// Returns information about monitored clusters
+	GetClustersInfo() []clustercache.ClusterInfo
+	// Init must be executed before cache can be used
+	Init() error
 }
 
-type AppUpdatedHandler = func(appName string, isManagedResource bool, ref v1.ObjectReference)
+type ObjectUpdatedHandler = func(managedByApp map[string]bool, ref v1.ObjectReference)
 
-func GetTargetObjKey(a *appv1.Application, un *unstructured.Unstructured, isNamespaced bool) kube.ResourceKey {
-	key := kube.GetResourceKey(un)
-	if !isNamespaced {
-		key.Namespace = ""
-	} else if isNamespaced && key.Namespace == "" {
-		key.Namespace = a.Spec.Destination.Namespace
-	}
+type PodInfo struct {
+	NodeName         string
+	ResourceRequests v1.ResourceList
+}
 
-	return key
+type NodeInfo struct {
+	Name       string
+	Capacity   v1.ResourceList
+	SystemInfo v1.NodeSystemInfo
+}
+
+type ResourceInfo struct {
+	Info    []appv1.InfoItem
+	AppName string
+	Images  []string
+	Health  *health.HealthStatus
+	// NetworkingInfo are available only for known types involved into networking: Ingress, Service, Pod
+	NetworkingInfo *appv1.ResourceNetworkingInfo
+	// PodInfo is available for pods only
+	PodInfo *PodInfo
+	// NodeInfo is available for nodes only
+	NodeInfo *NodeInfo
 }
 
 func NewLiveStateCache(
@@ -57,32 +83,44 @@ func NewLiveStateCache(
 	settingsMgr *settings.SettingsManager,
 	kubectl kube.Kubectl,
 	metricsServer *metrics.MetricsServer,
-	onAppUpdated AppUpdatedHandler) LiveStateCache {
+	onObjectUpdated ObjectUpdatedHandler,
+	clusterFilter func(cluster *appv1.Cluster) bool) LiveStateCache {
 
 	return &liveStateCache{
-		appInformer:       appInformer,
-		db:                db,
-		clusters:          make(map[string]*clusterInfo),
-		lock:              &sync.Mutex{},
-		onAppUpdated:      onAppUpdated,
-		kubectl:           kubectl,
-		settingsMgr:       settingsMgr,
-		metricsServer:     metricsServer,
-		cacheSettingsLock: &sync.Mutex{},
+		appInformer:     appInformer,
+		db:              db,
+		clusters:        make(map[string]clustercache.ClusterCache),
+		onObjectUpdated: onObjectUpdated,
+		kubectl:         kubectl,
+		settingsMgr:     settingsMgr,
+		metricsServer:   metricsServer,
+		// The default limit of 50 is chosen based on experiments.
+		listSemaphore: semaphore.NewWeighted(50),
+		clusterFilter: clusterFilter,
 	}
 }
 
+type cacheSettings struct {
+	clusterSettings     clustercache.Settings
+	appInstanceLabelKey string
+}
+
 type liveStateCache struct {
-	db                db.ArgoDB
-	clusters          map[string]*clusterInfo
-	lock              *sync.Mutex
-	appInformer       cache.SharedIndexInformer
-	onAppUpdated      AppUpdatedHandler
-	kubectl           kube.Kubectl
-	settingsMgr       *settings.SettingsManager
-	metricsServer     *metrics.MetricsServer
-	cacheSettingsLock *sync.Mutex
-	cacheSettings     *cacheSettings
+	db              db.ArgoDB
+	appInformer     cache.SharedIndexInformer
+	onObjectUpdated ObjectUpdatedHandler
+	kubectl         kube.Kubectl
+	settingsMgr     *settings.SettingsManager
+	metricsServer   *metrics.MetricsServer
+	clusterFilter   func(cluster *appv1.Cluster) bool
+
+	// listSemaphore is used to limit the number of concurrent memory consuming operations on the
+	// k8s list queries results across all clusters to avoid memory spikes during cache initialization.
+	listSemaphore *semaphore.Weighted
+
+	clusters      map[string]clustercache.ClusterCache
+	cacheSettings cacheSettings
+	lock          sync.RWMutex
 }
 
 func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
@@ -98,101 +136,292 @@ func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
 	if err != nil {
 		return nil, err
 	}
-	return &cacheSettings{AppInstanceLabelKey: appInstanceLabelKey, ResourceOverrides: resourceOverrides, ResourcesFilter: resourcesFilter}, nil
+	clusterSettings := clustercache.Settings{
+		ResourceHealthOverride: lua.ResourceHealthOverrides(resourceOverrides),
+		ResourcesFilter:        resourcesFilter,
+	}
+	return &cacheSettings{clusterSettings, appInstanceLabelKey}, nil
 }
 
-func (c *liveStateCache) getCluster(server string) (*clusterInfo, error) {
+func asResourceNode(r *clustercache.Resource) appv1.ResourceNode {
+	gv, err := schema.ParseGroupVersion(r.Ref.APIVersion)
+	if err != nil {
+		gv = schema.GroupVersion{}
+	}
+	parentRefs := make([]appv1.ResourceRef, len(r.OwnerRefs))
+	for _, ownerRef := range r.OwnerRefs {
+		ownerGvk := schema.FromAPIVersionAndKind(ownerRef.APIVersion, ownerRef.Kind)
+		ownerKey := kube.NewResourceKey(ownerGvk.Group, ownerRef.Kind, r.Ref.Namespace, ownerRef.Name)
+		parentRefs[0] = appv1.ResourceRef{Name: ownerRef.Name, Kind: ownerKey.Kind, Namespace: r.Ref.Namespace, Group: ownerKey.Group, UID: string(ownerRef.UID)}
+	}
+	var resHealth *appv1.HealthStatus
+	resourceInfo := resInfo(r)
+	if resourceInfo.Health != nil {
+		resHealth = &appv1.HealthStatus{Status: resourceInfo.Health.Status, Message: resourceInfo.Health.Message}
+	}
+	return appv1.ResourceNode{
+		ResourceRef: appv1.ResourceRef{
+			UID:       string(r.Ref.UID),
+			Name:      r.Ref.Name,
+			Group:     gv.Group,
+			Version:   gv.Version,
+			Kind:      r.Ref.Kind,
+			Namespace: r.Ref.Namespace,
+		},
+		ParentRefs:      parentRefs,
+		Info:            resourceInfo.Info,
+		ResourceVersion: r.ResourceVersion,
+		NetworkingInfo:  resourceInfo.NetworkingInfo,
+		Images:          resourceInfo.Images,
+		Health:          resHealth,
+		CreatedAt:       r.CreationTimestamp,
+	}
+}
+
+func resInfo(r *clustercache.Resource) *ResourceInfo {
+	info, ok := r.Info.(*ResourceInfo)
+	if !ok || info == nil {
+		info = &ResourceInfo{}
+	}
+	return info
+}
+
+func isRootAppNode(r *clustercache.Resource) bool {
+	return resInfo(r).AppName != "" && len(r.OwnerRefs) == 0
+}
+
+func getApp(r *clustercache.Resource, ns map[kube.ResourceKey]*clustercache.Resource) string {
+	return getAppRecursive(r, ns, map[kube.ResourceKey]bool{})
+}
+
+func ownerRefGV(ownerRef metav1.OwnerReference) schema.GroupVersion {
+	gv, err := schema.ParseGroupVersion(ownerRef.APIVersion)
+	if err != nil {
+		gv = schema.GroupVersion{}
+	}
+	return gv
+}
+
+func getAppRecursive(r *clustercache.Resource, ns map[kube.ResourceKey]*clustercache.Resource, visited map[kube.ResourceKey]bool) string {
+	if !visited[r.ResourceKey()] {
+		visited[r.ResourceKey()] = true
+	} else {
+		log.Warnf("Circular dependency detected: %v.", visited)
+		return resInfo(r).AppName
+	}
+
+	if resInfo(r).AppName != "" {
+		return resInfo(r).AppName
+	}
+	for _, ownerRef := range r.OwnerRefs {
+		gv := ownerRefGV(ownerRef)
+		if parent, ok := ns[kube.NewResourceKey(gv.Group, ownerRef.Kind, r.Ref.Namespace, ownerRef.Name)]; ok {
+			app := getAppRecursive(parent, ns, visited)
+			if app != "" {
+				return app
+			}
+		}
+	}
+	return ""
+}
+
+var (
+	ignoredRefreshResources = map[string]bool{
+		"/" + kube.EndpointsKind: true,
+	}
+)
+
+// skipAppRequeuing checks if the object is an API type which we want to skip requeuing against.
+// We ignore API types which have a high churn rate, and/or whose updates are irrelevant to the app
+func skipAppRequeuing(key kube.ResourceKey) bool {
+	return ignoredRefreshResources[key.Group+"/"+key.Kind]
+}
+
+func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, error) {
+	c.lock.RLock()
+	clusterCache, ok := c.clusters[server]
+	cacheSettings := c.cacheSettings
+	c.lock.RUnlock()
+
+	if ok {
+		return clusterCache, nil
+	}
+
 	c.lock.Lock()
 	defer c.lock.Unlock()
-	info, ok := c.clusters[server]
-	if !ok {
-		cluster, err := c.db.GetCluster(context.Background(), server)
-		if err != nil {
-			return nil, err
-		}
-		info = &clusterInfo{
-			apisMeta:         make(map[schema.GroupKind]*apiMeta),
-			lock:             &sync.Mutex{},
-			nodes:            make(map[kube.ResourceKey]*node),
-			nsIndex:          make(map[string]map[kube.ResourceKey]*node),
-			onAppUpdated:     c.onAppUpdated,
-			kubectl:          c.kubectl,
-			cluster:          cluster,
-			syncTime:         nil,
-			syncLock:         &sync.Mutex{},
-			log:              log.WithField("server", cluster.Server),
-			cacheSettingsSrc: c.getCacheSettings,
-		}
 
-		c.clusters[cluster.Server] = info
+	clusterCache, ok = c.clusters[server]
+	if ok {
+		return clusterCache, nil
 	}
-	return info, nil
-}
 
-func (c *liveStateCache) getSyncedCluster(server string) (*clusterInfo, error) {
-	info, err := c.getCluster(server)
+	cluster, err := c.db.GetCluster(context.Background(), server)
 	if err != nil {
 		return nil, err
 	}
-	err = info.ensureSynced()
+
+	if !c.canHandleCluster(cluster) {
+		return nil, fmt.Errorf("controller is configured to ignore cluster %s", cluster.Server)
+	}
+
+	clusterCache = clustercache.NewClusterCache(cluster.RESTConfig(),
+		clustercache.SetListSemaphore(c.listSemaphore),
+		clustercache.SetResyncTimeout(common.K8SClusterResyncDuration),
+		clustercache.SetSettings(cacheSettings.clusterSettings),
+		clustercache.SetNamespaces(cluster.Namespaces),
+		clustercache.SetPopulateResourceInfoHandler(func(un *unstructured.Unstructured, isRoot bool) (interface{}, bool) {
+			res := &ResourceInfo{}
+			populateNodeInfo(un, res)
+			res.Health, _ = health.GetResourceHealth(un, cacheSettings.clusterSettings.ResourceHealthOverride)
+			appName := kube.GetAppInstanceLabel(un, cacheSettings.appInstanceLabelKey)
+			if isRoot && appName != "" {
+				res.AppName = appName
+			}
+			gvk := un.GroupVersionKind()
+
+			// edge case. we do not label CRDs, so they miss the tracking label we inject. But we still
+			// want the full resource to be available in our cache (to diff), so we store all CRDs
+			return res, res.AppName != "" || gvk.Kind == kube.CustomResourceDefinitionKind
+		}),
+		clustercache.SetLogr(logutils.NewLogrusLogger(log.WithField("server", cluster.Server))),
+	)
+
+	_ = clusterCache.OnResourceUpdated(func(newRes *clustercache.Resource, oldRes *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) {
+		toNotify := make(map[string]bool)
+		var ref v1.ObjectReference
+		if newRes != nil {
+			ref = newRes.Ref
+		} else {
+			ref = oldRes.Ref
+		}
+		for _, r := range []*clustercache.Resource{newRes, oldRes} {
+			if r == nil {
+				continue
+			}
+			app := getApp(r, namespaceResources)
+			if app == "" || skipAppRequeuing(r.ResourceKey()) {
+				continue
+			}
+			toNotify[app] = isRootAppNode(r) || toNotify[app]
+		}
+		c.onObjectUpdated(toNotify, ref)
+	})
+
+	_ = clusterCache.OnEvent(func(event watch.EventType, un *unstructured.Unstructured) {
+		gvk := un.GroupVersionKind()
+		c.metricsServer.IncClusterEventsCount(cluster.Server, gvk.Group, gvk.Kind)
+	})
+
+	c.clusters[server] = clusterCache
+
+	return clusterCache, nil
+}
+
+func (c *liveStateCache) getSyncedCluster(server string) (clustercache.ClusterCache, error) {
+	clusterCache, err := c.getCluster(server)
 	if err != nil {
 		return nil, err
 	}
-	return info, nil
+	err = clusterCache.EnsureSynced()
+	if err != nil {
+		return nil, err
+	}
+	return clusterCache, nil
 }
 
-func (c *liveStateCache) Invalidate() {
+func (c *liveStateCache) invalidate(cacheSettings cacheSettings) {
 	log.Info("invalidating live state cache")
 	c.lock.Lock()
 	defer c.lock.Unlock()
+
+	c.cacheSettings = cacheSettings
 	for _, clust := range c.clusters {
-		clust.lock.Lock()
-		clust.invalidate()
-		clust.lock.Unlock()
+		clust.Invalidate(clustercache.SetSettings(cacheSettings.clusterSettings))
 	}
 	log.Info("live state cache invalidated")
 }
 
-func (c *liveStateCache) IsNamespaced(server string, obj *unstructured.Unstructured) (bool, error) {
+func (c *liveStateCache) IsNamespaced(server string, gk schema.GroupKind) (bool, error) {
 	clusterInfo, err := c.getSyncedCluster(server)
 	if err != nil {
 		return false, err
 	}
-	return clusterInfo.isNamespaced(obj), nil
+	return clusterInfo.IsNamespaced(gk)
 }
 
-func (c *liveStateCache) IterateHierarchy(server string, obj *unstructured.Unstructured, action func(child appv1.ResourceNode)) error {
+func (c *liveStateCache) IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) error {
 	clusterInfo, err := c.getSyncedCluster(server)
 	if err != nil {
 		return err
 	}
-	clusterInfo.iterateHierarchy(obj, action)
+	clusterInfo.IterateHierarchy(key, func(resource *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) {
+		action(asResourceNode(resource), getApp(resource, namespaceResources))
+	})
 	return nil
 }
 
+func (c *liveStateCache) IterateResources(server string, callback func(res *clustercache.Resource, info *ResourceInfo)) error {
+	clusterInfo, err := c.getSyncedCluster(server)
+	if err != nil {
+		return err
+	}
+	_ = clusterInfo.FindResources("", func(r *clustercache.Resource) bool {
+		if info, ok := r.Info.(*ResourceInfo); ok {
+			callback(r, info)
+		}
+		return false
+	})
+	return nil
+}
+
+func (c *liveStateCache) GetNamespaceTopLevelResources(server string, namespace string) (map[kube.ResourceKey]appv1.ResourceNode, error) {
+	clusterInfo, err := c.getSyncedCluster(server)
+	if err != nil {
+		return nil, err
+	}
+	resources := clusterInfo.FindResources(namespace, clustercache.TopLevelResource)
+	res := make(map[kube.ResourceKey]appv1.ResourceNode)
+	for k, r := range resources {
+		res[k] = asResourceNode(r)
+	}
+	return res, nil
+}
+
 func (c *liveStateCache) GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error) {
 	clusterInfo, err := c.getSyncedCluster(a.Spec.Destination.Server)
 	if err != nil {
 		return nil, err
 	}
-	return clusterInfo.getManagedLiveObjs(a, targetObjs, c.metricsServer)
+	return clusterInfo.GetManagedLiveObjs(targetObjs, func(r *clustercache.Resource) bool {
+		return resInfo(r).AppName == a.Name
+	})
 }
 
-func isClusterHasApps(apps []interface{}, cluster *appv1.Cluster) bool {
+func (c *liveStateCache) GetVersionsInfo(serverURL string) (string, []metav1.APIGroup, error) {
+	clusterInfo, err := c.getSyncedCluster(serverURL)
+	if err != nil {
+		return "", nil, err
+	}
+	return clusterInfo.GetServerVersion(), clusterInfo.GetAPIGroups(), nil
+}
+
+func (c *liveStateCache) isClusterHasApps(apps []interface{}, cluster *appv1.Cluster) bool {
 	for _, obj := range apps {
-		if app, ok := obj.(*appv1.Application); ok && app.Spec.Destination.Server == cluster.Server {
+		app, ok := obj.(*appv1.Application)
+		if !ok {
+			continue
+		}
+		err := argo.ValidateDestination(context.Background(), &app.Spec.Destination, c.db)
+		if err != nil {
+			continue
+		}
+		if app.Spec.Destination.Server == cluster.Server {
 			return true
 		}
 	}
 	return false
 }
 
-func (c *liveStateCache) getCacheSettings() *cacheSettings {
-	c.cacheSettingsLock.Lock()
-	defer c.cacheSettingsLock.Unlock()
-	return c.cacheSettings
-}
-
 func (c *liveStateCache) watchSettings(ctx context.Context) {
 	updateCh := make(chan *settings.ArgoCDSettings, 1)
 	c.settingsMgr.Subscribe(updateCh)
@@ -207,15 +436,15 @@ func (c *liveStateCache) watchSettings(ctx context.Context) {
 				continue
 			}
 
-			c.cacheSettingsLock.Lock()
+			c.lock.Lock()
 			needInvalidate := false
-			if !reflect.DeepEqual(c.cacheSettings, nextCacheSettings) {
-				c.cacheSettings = nextCacheSettings
+			if !reflect.DeepEqual(c.cacheSettings, *nextCacheSettings) {
+				c.cacheSettings = *nextCacheSettings
 				needInvalidate = true
 			}
-			c.cacheSettingsLock.Unlock()
+			c.lock.Unlock()
 			if needInvalidate {
-				c.Invalidate()
+				c.invalidate(*nextCacheSettings)
 			}
 		case <-ctx.Done():
 			done = true
@@ -226,40 +455,119 @@ func (c *liveStateCache) watchSettings(ctx context.Context) {
 	close(updateCh)
 }
 
-// Run watches for resource changes annotated with application label on all registered clusters and schedule corresponding app refresh.
-func (c *liveStateCache) Run(ctx context.Context) error {
+func (c *liveStateCache) Init() error {
 	cacheSettings, err := c.loadCacheSettings()
 	if err != nil {
 		return err
 	}
-	c.cacheSettings = cacheSettings
-
-	go c.watchSettings(ctx)
-
-	util.RetryUntilSucceed(func() error {
-		clusterEventCallback := func(event *db.ClusterEvent) {
-			c.lock.Lock()
-			defer c.lock.Unlock()
-			if cluster, ok := c.clusters[event.Cluster.Server]; ok {
-				if event.Type == watch.Deleted {
-					cluster.invalidate()
-					delete(c.clusters, event.Cluster.Server)
-				} else if event.Type == watch.Modified {
-					cluster.cluster = event.Cluster
-					cluster.invalidate()
-				}
-			} else if event.Type == watch.Added && isClusterHasApps(c.appInformer.GetStore().List(), event.Cluster) {
-				go func() {
-					// warm up cache for cluster with apps
-					_, _ = c.getSyncedCluster(event.Cluster.Server)
-				}()
-			}
-		}
-
-		return c.db.WatchClusters(ctx, clusterEventCallback)
-
-	}, "watch clusters", ctx, clusterRetryTimeout)
-
-	<-ctx.Done()
+	c.cacheSettings = *cacheSettings
 	return nil
 }
+
+// Run watches for resource changes annotated with application label on all registered clusters and schedule corresponding app refresh.
+func (c *liveStateCache) Run(ctx context.Context) error {
+	go c.watchSettings(ctx)
+
+	kube.RetryUntilSucceed(ctx, clustercache.ClusterRetryTimeout, "watch clusters", logutils.NewLogrusLogger(log.New()), func() error {
+		return c.db.WatchClusters(ctx, c.handleAddEvent, c.handleModEvent, c.handleDeleteEvent)
+	})
+
+	<-ctx.Done()
+	c.invalidate(c.cacheSettings)
+	return nil
+}
+
+func (c *liveStateCache) canHandleCluster(cluster *appv1.Cluster) bool {
+	if c.clusterFilter == nil {
+		return true
+	}
+	return c.clusterFilter(cluster)
+}
+
+func (c *liveStateCache) handleAddEvent(cluster *appv1.Cluster) {
+	if !c.canHandleCluster(cluster) {
+		log.Infof("Ignoring cluster %s", cluster.Server)
+		return
+	}
+
+	c.lock.Lock()
+	_, ok := c.clusters[cluster.Server]
+	c.lock.Unlock()
+	if !ok {
+		if c.isClusterHasApps(c.appInformer.GetStore().List(), cluster) {
+			go func() {
+				// warm up cache for cluster with apps
+				_, _ = c.getSyncedCluster(cluster.Server)
+			}()
+		}
+	}
+}
+
+func (c *liveStateCache) handleModEvent(oldCluster *appv1.Cluster, newCluster *appv1.Cluster) {
+	c.lock.Lock()
+	cluster, ok := c.clusters[newCluster.Server]
+	c.lock.Unlock()
+	if ok {
+		if !c.canHandleCluster(newCluster) {
+			cluster.Invalidate()
+			c.lock.Lock()
+			delete(c.clusters, newCluster.Server)
+			c.lock.Unlock()
+			return
+		}
+
+		var updateSettings []clustercache.UpdateSettingsFunc
+		if !reflect.DeepEqual(oldCluster.Config, newCluster.Config) {
+			updateSettings = append(updateSettings, clustercache.SetConfig(newCluster.RESTConfig()))
+		}
+		if !reflect.DeepEqual(oldCluster.Namespaces, newCluster.Namespaces) {
+			updateSettings = append(updateSettings, clustercache.SetNamespaces(newCluster.Namespaces))
+		}
+		forceInvalidate := false
+		if newCluster.RefreshRequestedAt != nil &&
+			cluster.GetClusterInfo().LastCacheSyncTime != nil &&
+			cluster.GetClusterInfo().LastCacheSyncTime.Before(newCluster.RefreshRequestedAt.Time) {
+			forceInvalidate = true
+		}
+
+		if len(updateSettings) > 0 || forceInvalidate {
+			cluster.Invalidate(updateSettings...)
+			go func() {
+				// warm up cluster cache
+				_ = cluster.EnsureSynced()
+			}()
+		}
+	}
+
+}
+
+func (c *liveStateCache) handleDeleteEvent(clusterServer string) {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	cluster, ok := c.clusters[clusterServer]
+	if ok {
+		cluster.Invalidate()
+		delete(c.clusters, clusterServer)
+	}
+}
+
+func (c *liveStateCache) GetClustersInfo() []clustercache.ClusterInfo {
+	clusters := make(map[string]clustercache.ClusterCache)
+	c.lock.RLock()
+	for k := range c.clusters {
+		clusters[k] = c.clusters[k]
+	}
+	c.lock.RUnlock()
+
+	res := make([]clustercache.ClusterInfo, 0)
+	for server, c := range clusters {
+		info := c.GetClusterInfo()
+		info.Server = server
+		res = append(res, info)
+	}
+	return res
+}
+
+func (c *liveStateCache) GetClusterCache(server string) (clustercache.ClusterCache, error) {
+	return c.getSyncedCluster(server)
+}

controller/cache/cache_test.go

@@ -0,0 +1,95 @@
+package cache
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/argoproj/gitops-engine/pkg/cache"
+	"github.com/argoproj/gitops-engine/pkg/cache/mocks"
+	"github.com/stretchr/testify/mock"
+
+	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+func TestHandleModEvent_HasChanges(t *testing.T) {
+	clusterCache := &mocks.ClusterCache{}
+	clusterCache.On("Invalidate", mock.Anything, mock.Anything).Return(nil).Once()
+	clusterCache.On("EnsureSynced").Return(nil).Once()
+
+	clustersCache := liveStateCache{
+		clusters: map[string]cache.ClusterCache{
+			"https://mycluster": clusterCache,
+		},
+	}
+
+	clustersCache.handleModEvent(&appv1.Cluster{
+		Server: "https://mycluster",
+		Config: appv1.ClusterConfig{Username: "foo"},
+	}, &appv1.Cluster{
+		Server:     "https://mycluster",
+		Config:     appv1.ClusterConfig{Username: "bar"},
+		Namespaces: []string{"default"},
+	})
+}
+
+func TestHandleModEvent_ClusterExcluded(t *testing.T) {
+	clusterCache := &mocks.ClusterCache{}
+	clusterCache.On("Invalidate", mock.Anything, mock.Anything).Return(nil).Once()
+	clusterCache.On("EnsureSynced").Return(nil).Once()
+
+	clustersCache := liveStateCache{
+		clusters: map[string]cache.ClusterCache{
+			"https://mycluster": clusterCache,
+		},
+		clusterFilter: func(cluster *appv1.Cluster) bool {
+			return false
+		},
+	}
+
+	clustersCache.handleModEvent(&appv1.Cluster{
+		Server: "https://mycluster",
+		Config: appv1.ClusterConfig{Username: "foo"},
+	}, &appv1.Cluster{
+		Server:     "https://mycluster",
+		Config:     appv1.ClusterConfig{Username: "bar"},
+		Namespaces: []string{"default"},
+	})
+
+	assert.Len(t, clustersCache.clusters, 0)
+}
+
+func TestHandleModEvent_NoChanges(t *testing.T) {
+	clusterCache := &mocks.ClusterCache{}
+	clusterCache.On("Invalidate", mock.Anything).Panic("should not invalidate")
+	clusterCache.On("EnsureSynced").Return(nil).Panic("should not re-sync")
+
+	clustersCache := liveStateCache{
+		clusters: map[string]cache.ClusterCache{
+			"https://mycluster": clusterCache,
+		},
+	}
+
+	clustersCache.handleModEvent(&appv1.Cluster{
+		Server: "https://mycluster",
+		Config: appv1.ClusterConfig{Username: "bar"},
+	}, &appv1.Cluster{
+		Server: "https://mycluster",
+		Config: appv1.ClusterConfig{Username: "bar"},
+	})
+}
+
+func TestHandleAddEvent_ClusterExcluded(t *testing.T) {
+	clustersCache := liveStateCache{
+		clusters: map[string]cache.ClusterCache{},
+		clusterFilter: func(cluster *appv1.Cluster) bool {
+			return false
+		},
+	}
+	clustersCache.handleAddEvent(&appv1.Cluster{
+		Server: "https://mycluster",
+		Config: appv1.ClusterConfig{Username: "bar"},
+	})
+
+	assert.Len(t, clustersCache.clusters, 0)
+}

controller/cache/cluster.go

@@ -1,494 +0,0 @@
-package cache
-
-import (
-	"context"
-	"fmt"
-	"runtime/debug"
-	"sort"
-	"strings"
-	"sync"
-	"time"
-
-	"k8s.io/apimachinery/pkg/types"
-
-	"github.com/argoproj/argo-cd/controller/metrics"
-
-	log "github.com/sirupsen/logrus"
-	"k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/watch"
-
-	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util"
-	"github.com/argoproj/argo-cd/util/health"
-	"github.com/argoproj/argo-cd/util/kube"
-)
-
-const (
-	clusterSyncTimeout         = 24 * time.Hour
-	clusterRetryTimeout        = 10 * time.Second
-	watchResourcesRetryTimeout = 1 * time.Second
-)
-
-type apiMeta struct {
-	namespaced      bool
-	resourceVersion string
-	watchCancel     context.CancelFunc
-}
-
-type clusterInfo struct {
-	syncLock  *sync.Mutex
-	syncTime  *time.Time
-	syncError error
-	apisMeta  map[schema.GroupKind]*apiMeta
-
-	lock    *sync.Mutex
-	nodes   map[kube.ResourceKey]*node
-	nsIndex map[string]map[kube.ResourceKey]*node
-
-	onAppUpdated     AppUpdatedHandler
-	kubectl          kube.Kubectl
-	cluster          *appv1.Cluster
-	log              *log.Entry
-	cacheSettingsSrc func() *cacheSettings
-}
-
-func (c *clusterInfo) replaceResourceCache(gk schema.GroupKind, resourceVersion string, objs []unstructured.Unstructured) {
-	c.lock.Lock()
-	defer c.lock.Unlock()
-	info, ok := c.apisMeta[gk]
-	if ok {
-		objByKind := make(map[kube.ResourceKey]*unstructured.Unstructured)
-		for i := range objs {
-			objByKind[kube.GetResourceKey(&objs[i])] = &objs[i]
-		}
-
-		for i := range objs {
-			obj := &objs[i]
-			key := kube.GetResourceKey(&objs[i])
-			existingNode, exists := c.nodes[key]
-			c.onNodeUpdated(exists, existingNode, obj, key)
-		}
-
-		for key, existingNode := range c.nodes {
-			if key.Kind != gk.Kind || key.Group != gk.Group {
-				continue
-			}
-
-			if _, ok := objByKind[key]; !ok {
-				c.onNodeRemoved(key, existingNode)
-			}
-		}
-		info.resourceVersion = resourceVersion
-	}
-}
-
-func (c *clusterInfo) createObjInfo(un *unstructured.Unstructured, appInstanceLabel string) *node {
-	ownerRefs := un.GetOwnerReferences()
-	nodeInfo := &node{
-		resourceVersion: un.GetResourceVersion(),
-		ref:             kube.GetObjectRef(un),
-		ownerRefs:       ownerRefs,
-	}
-	populateNodeInfo(un, nodeInfo)
-	appName := kube.GetAppInstanceLabel(un, appInstanceLabel)
-	if len(ownerRefs) == 0 && appName != "" {
-		nodeInfo.appName = appName
-		nodeInfo.resource = un
-	}
-	nodeInfo.health, _ = health.GetResourceHealth(un, c.cacheSettingsSrc().ResourceOverrides)
-	return nodeInfo
-}
-
-func (c *clusterInfo) setNode(n *node) {
-	key := n.resourceKey()
-	c.nodes[key] = n
-	ns, ok := c.nsIndex[key.Namespace]
-	if !ok {
-		ns = make(map[kube.ResourceKey]*node)
-		c.nsIndex[key.Namespace] = ns
-	}
-	ns[key] = n
-}
-
-func (c *clusterInfo) removeNode(key kube.ResourceKey) {
-	delete(c.nodes, key)
-	if ns, ok := c.nsIndex[key.Namespace]; ok {
-		delete(ns, key)
-		if len(ns) == 0 {
-			delete(c.nsIndex, key.Namespace)
-		}
-	}
-}
-
-func (c *clusterInfo) invalidate() {
-	c.syncLock.Lock()
-	defer c.syncLock.Unlock()
-	c.syncTime = nil
-	for i := range c.apisMeta {
-		c.apisMeta[i].watchCancel()
-	}
-	c.apisMeta = nil
-}
-
-func (c *clusterInfo) synced() bool {
-	if c.syncTime == nil {
-		return false
-	}
-	if c.syncError != nil {
-		return time.Now().Before(c.syncTime.Add(clusterRetryTimeout))
-	}
-	return time.Now().Before(c.syncTime.Add(clusterSyncTimeout))
-}
-
-func (c *clusterInfo) stopWatching(gk schema.GroupKind) {
-	c.syncLock.Lock()
-	defer c.syncLock.Unlock()
-	if info, ok := c.apisMeta[gk]; ok {
-		info.watchCancel()
-		delete(c.apisMeta, gk)
-		c.replaceResourceCache(gk, "", []unstructured.Unstructured{})
-		log.Warnf("Stop watching %s not found on %s.", gk, c.cluster.Server)
-	}
-}
-
-// startMissingWatches lists supported cluster resources and start watching for changes unless watch is already running
-func (c *clusterInfo) startMissingWatches() error {
-
-	apis, err := c.kubectl.GetAPIResources(c.cluster.RESTConfig(), c.cacheSettingsSrc().ResourcesFilter)
-	if err != nil {
-		return err
-	}
-
-	for i := range apis {
-		api := apis[i]
-		if _, ok := c.apisMeta[api.GroupKind]; !ok {
-			ctx, cancel := context.WithCancel(context.Background())
-			info := &apiMeta{namespaced: api.Meta.Namespaced, watchCancel: cancel}
-			c.apisMeta[api.GroupKind] = info
-			go c.watchEvents(ctx, api, info)
-		}
-	}
-	return nil
-}
-
-func runSynced(lock *sync.Mutex, action func() error) error {
-	lock.Lock()
-	defer lock.Unlock()
-	return action()
-}
-
-func (c *clusterInfo) watchEvents(ctx context.Context, api kube.APIResourceInfo, info *apiMeta) {
-	util.RetryUntilSucceed(func() (err error) {
-		defer func() {
-			if r := recover(); r != nil {
-				err = fmt.Errorf("Recovered from panic: %+v\n%s", r, debug.Stack())
-			}
-		}()
-
-		err = runSynced(c.syncLock, func() error {
-			if info.resourceVersion == "" {
-				list, err := api.Interface.List(metav1.ListOptions{})
-				if err != nil {
-					return err
-				}
-				c.replaceResourceCache(api.GroupKind, list.GetResourceVersion(), list.Items)
-			}
-			return nil
-		})
-
-		if err != nil {
-			return err
-		}
-
-		w, err := api.Interface.Watch(metav1.ListOptions{ResourceVersion: info.resourceVersion})
-		if errors.IsNotFound(err) {
-			c.stopWatching(api.GroupKind)
-			return nil
-		}
-
-		err = runSynced(c.syncLock, func() error {
-			if errors.IsGone(err) {
-				info.resourceVersion = ""
-				log.Warnf("Resource version of %s on %s is too old.", api.GroupKind, c.cluster.Server)
-			}
-			return err
-		})
-
-		if err != nil {
-			return err
-		}
-		defer w.Stop()
-		for {
-			select {
-			case <-ctx.Done():
-				return nil
-			case event, ok := <-w.ResultChan():
-				if ok {
-					obj := event.Object.(*unstructured.Unstructured)
-					info.resourceVersion = obj.GetResourceVersion()
-					c.processEvent(event.Type, obj)
-					if kube.IsCRD(obj) {
-						if event.Type == watch.Deleted {
-							group, groupOk, groupErr := unstructured.NestedString(obj.Object, "spec", "group")
-							kind, kindOk, kindErr := unstructured.NestedString(obj.Object, "spec", "names", "kind")
-
-							if groupOk && groupErr == nil && kindOk && kindErr == nil {
-								gk := schema.GroupKind{Group: group, Kind: kind}
-								c.stopWatching(gk)
-							}
-						} else {
-							err = runSynced(c.syncLock, func() error {
-								return c.startMissingWatches()
-							})
-
-						}
-					}
-					if err != nil {
-						log.Warnf("Failed to start missing watch: %v", err)
-					}
-				} else {
-					return fmt.Errorf("Watch %s on %s has closed", api.GroupKind, c.cluster.Server)
-				}
-			}
-		}
-
-	}, fmt.Sprintf("watch %s on %s", api.GroupKind, c.cluster.Server), ctx, watchResourcesRetryTimeout)
-}
-
-func (c *clusterInfo) sync() (err error) {
-
-	c.log.Info("Start syncing cluster")
-
-	for i := range c.apisMeta {
-		c.apisMeta[i].watchCancel()
-	}
-	c.apisMeta = make(map[schema.GroupKind]*apiMeta)
-	c.nodes = make(map[kube.ResourceKey]*node)
-
-	apis, err := c.kubectl.GetAPIResources(c.cluster.RESTConfig(), c.cacheSettingsSrc().ResourcesFilter)
-	if err != nil {
-		return err
-	}
-	lock := sync.Mutex{}
-	err = util.RunAllAsync(len(apis), func(i int) error {
-		api := apis[i]
-		list, err := api.Interface.List(metav1.ListOptions{})
-		if err != nil {
-			return err
-		}
-
-		lock.Lock()
-		for i := range list.Items {
-			c.setNode(c.createObjInfo(&list.Items[i], c.cacheSettingsSrc().AppInstanceLabelKey))
-		}
-		lock.Unlock()
-		return nil
-	})
-
-	if err == nil {
-		err = c.startMissingWatches()
-	}
-
-	if err != nil {
-		log.Errorf("Failed to sync cluster %s: %v", c.cluster.Server, err)
-		return err
-	}
-
-	c.log.Info("Cluster successfully synced")
-	return nil
-}
-
-func (c *clusterInfo) ensureSynced() error {
-	c.syncLock.Lock()
-	defer c.syncLock.Unlock()
-	if c.synced() {
-		return c.syncError
-	}
-
-	err := c.sync()
-	syncTime := time.Now()
-	c.syncTime = &syncTime
-	c.syncError = err
-	return c.syncError
-}
-
-func (c *clusterInfo) iterateHierarchy(obj *unstructured.Unstructured, action func(child appv1.ResourceNode)) {
-	c.lock.Lock()
-	defer c.lock.Unlock()
-	key := kube.GetResourceKey(obj)
-	if objInfo, ok := c.nodes[key]; ok {
-		action(objInfo.asResourceNode())
-		nsNodes := c.nsIndex[key.Namespace]
-		childrenByUID := make(map[types.UID][]*node)
-		for _, child := range nsNodes {
-			if objInfo.isParentOf(child) {
-				childrenByUID[child.ref.UID] = append(childrenByUID[child.ref.UID], child)
-			}
-		}
-		// make sure children has no duplicates
-		for _, children := range childrenByUID {
-			if len(children) > 0 {
-				// The object might have multiple children with the same UID (e.g. replicaset from apps and extensions group). It is ok to pick any object but we need to make sure
-				// we pick the same child after every refresh.
-				sort.Slice(children, func(i, j int) bool {
-					key1 := children[i].resourceKey()
-					key2 := children[j].resourceKey()
-					return strings.Compare(key1.String(), key2.String()) < 0
-				})
-				child := children[0]
-				action(child.asResourceNode())
-				child.iterateChildren(nsNodes, map[kube.ResourceKey]bool{objInfo.resourceKey(): true}, action)
-			}
-		}
-	} else {
-		action(c.createObjInfo(obj, c.cacheSettingsSrc().AppInstanceLabelKey).asResourceNode())
-	}
-}
-
-func (c *clusterInfo) isNamespaced(obj *unstructured.Unstructured) bool {
-	if api, ok := c.apisMeta[kube.GetResourceKey(obj).GroupKind()]; ok && !api.namespaced {
-		return false
-	}
-	return true
-}
-
-func (c *clusterInfo) getManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured, metricsServer *metrics.MetricsServer) (map[kube.ResourceKey]*unstructured.Unstructured, error) {
-	c.lock.Lock()
-	defer c.lock.Unlock()
-
-	managedObjs := make(map[kube.ResourceKey]*unstructured.Unstructured)
-	// iterate all objects in live state cache to find ones associated with app
-	for key, o := range c.nodes {
-		if o.appName == a.Name && o.resource != nil && len(o.ownerRefs) == 0 {
-			managedObjs[key] = o.resource
-		}
-	}
-	config := metrics.AddMetricsTransportWrapper(metricsServer, a, c.cluster.RESTConfig())
-	// iterate target objects and identify ones that already exist in the cluster,\
-	// but are simply missing our label
-	lock := &sync.Mutex{}
-	err := util.RunAllAsync(len(targetObjs), func(i int) error {
-		targetObj := targetObjs[i]
-		key := GetTargetObjKey(a, targetObj, c.isNamespaced(targetObj))
-		lock.Lock()
-		managedObj := managedObjs[key]
-		lock.Unlock()
-
-		if managedObj == nil {
-			if existingObj, exists := c.nodes[key]; exists {
-				if existingObj.resource != nil {
-					managedObj = existingObj.resource
-				} else {
-					var err error
-					managedObj, err = c.kubectl.GetResource(config, targetObj.GroupVersionKind(), existingObj.ref.Name, existingObj.ref.Namespace)
-					if err != nil {
-						if errors.IsNotFound(err) {
-							return nil
-						}
-						return err
-					}
-				}
-			} else if _, watched := c.apisMeta[key.GroupKind()]; !watched {
-				var err error
-				managedObj, err = c.kubectl.GetResource(config, targetObj.GroupVersionKind(), targetObj.GetName(), targetObj.GetNamespace())
-				if err != nil {
-					if errors.IsNotFound(err) {
-						return nil
-					}
-					return err
-				}
-			}
-		}
-
-		if managedObj != nil {
-			converted, err := c.kubectl.ConvertToVersion(managedObj, targetObj.GroupVersionKind().Group, targetObj.GroupVersionKind().Version)
-			if err != nil {
-				// fallback to loading resource from kubernetes if conversion fails
-				log.Warnf("Failed to convert resource: %v", err)
-				managedObj, err = c.kubectl.GetResource(config, targetObj.GroupVersionKind(), managedObj.GetName(), managedObj.GetNamespace())
-				if err != nil {
-					if errors.IsNotFound(err) {
-						return nil
-					}
-					return err
-				}
-			} else {
-				managedObj = converted
-			}
-			lock.Lock()
-			managedObjs[key] = managedObj
-			lock.Unlock()
-		}
-		return nil
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	return managedObjs, nil
-}
-
-func (c *clusterInfo) processEvent(event watch.EventType, un *unstructured.Unstructured) {
-	c.lock.Lock()
-	defer c.lock.Unlock()
-	key := kube.GetResourceKey(un)
-	existingNode, exists := c.nodes[key]
-	if event == watch.Deleted {
-		if exists {
-			c.onNodeRemoved(key, existingNode)
-		}
-	} else if event != watch.Deleted {
-		c.onNodeUpdated(exists, existingNode, un, key)
-	}
-}
-
-func (c *clusterInfo) onNodeUpdated(exists bool, existingNode *node, un *unstructured.Unstructured, key kube.ResourceKey) {
-	nodes := make([]*node, 0)
-	if exists {
-		nodes = append(nodes, existingNode)
-	}
-	newObj := c.createObjInfo(un, c.cacheSettingsSrc().AppInstanceLabelKey)
-	c.setNode(newObj)
-	nodes = append(nodes, newObj)
-	toNotify := make(map[string]bool)
-	for i := range nodes {
-		n := nodes[i]
-		if ns, ok := c.nsIndex[n.ref.Namespace]; ok {
-			app := n.getApp(ns)
-			if app == "" || skipAppRequeing(key) {
-				continue
-			}
-			toNotify[app] = n.isRootAppNode() || toNotify[app]
-		}
-	}
-	for name, isRootAppNode := range toNotify {
-		c.onAppUpdated(name, isRootAppNode, newObj.ref)
-	}
-}
-
-func (c *clusterInfo) onNodeRemoved(key kube.ResourceKey, n *node) {
-	appName := n.appName
-	if ns, ok := c.nsIndex[key.Namespace]; ok {
-		appName = n.getApp(ns)
-	}
-
-	c.removeNode(key)
-	if appName != "" {
-		c.onAppUpdated(appName, n.isRootAppNode(), n.ref)
-	}
-}
-
-var (
-	ignoredRefreshResources = map[string]bool{
-		"/" + kube.EndpointsKind: true,
-	}
-)
-
-// skipAppRequeing checks if the object is an API type which we want to skip requeuing against.
-// We ignore API types which have a high churn rate, and/or whose updates are irrelevant to the app
-func skipAppRequeing(key kube.ResourceKey) bool {
-	return ignoredRefreshResources[key.Group+"/"+key.Kind]
-}

controller/cache/cluster_test.go

@@ -1,453 +0,0 @@
-package cache
-
-import (
-	"fmt"
-	"sort"
-	"strings"
-	"sync"
-	"testing"
-
-	"github.com/ghodss/yaml"
-	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/watch"
-	"k8s.io/client-go/dynamic/fake"
-
-	"github.com/argoproj/argo-cd/common"
-	"github.com/argoproj/argo-cd/errors"
-	appv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/kube"
-	"github.com/argoproj/argo-cd/util/kube/kubetest"
-)
-
-func strToUnstructured(jsonStr string) *unstructured.Unstructured {
-	obj := make(map[string]interface{})
-	err := yaml.Unmarshal([]byte(jsonStr), &obj)
-	errors.CheckError(err)
-	return &unstructured.Unstructured{Object: obj}
-}
-
-func mustToUnstructured(obj interface{}) *unstructured.Unstructured {
-	un, err := kube.ToUnstructured(obj)
-	errors.CheckError(err)
-	return un
-}
-
-var (
-	testPod = strToUnstructured(`
-  apiVersion: v1
-  kind: Pod
-  metadata:
-    uid: "1"
-    name: helm-guestbook-pod
-    namespace: default
-    ownerReferences:
-    - apiVersion: apps/v1
-      kind: ReplicaSet
-      name: helm-guestbook-rs
-      uid: "2"
-    resourceVersion: "123"`)
-
-	testRS = strToUnstructured(`
-  apiVersion: apps/v1
-  kind: ReplicaSet
-  metadata:
-    uid: "2"
-    name: helm-guestbook-rs
-    namespace: default
-    annotations:
-      deployment.kubernetes.io/revision: "2"
-    ownerReferences:
-    - apiVersion: apps/v1beta1
-      kind: Deployment
-      name: helm-guestbook
-      uid: "3"
-    resourceVersion: "123"`)
-
-	testDeploy = strToUnstructured(`
-  apiVersion: apps/v1
-  kind: Deployment
-  metadata:
-    labels:
-      app.kubernetes.io/instance: helm-guestbook
-    uid: "3"
-    name: helm-guestbook
-    namespace: default
-    resourceVersion: "123"`)
-
-	testService = strToUnstructured(`
-  apiVersion: v1
-  kind: Service
-  metadata:
-    name: helm-guestbook
-    namespace: default
-    resourceVersion: "123"
-  spec:
-    selector:
-      app: guestbook
-    type: LoadBalancer
-  status:
-    loadBalancer:
-      ingress:
-      - hostname: localhost`)
-
-	testIngress = strToUnstructured(`
-  apiVersion: extensions/v1beta1
-  kind: Ingress
-  metadata:
-    name: helm-guestbook
-    namespace: default
-  spec:
-    backend:
-      serviceName: not-found-service
-      servicePort: 443
-    rules:
-    - host: helm-guestbook.com
-      http:
-        paths:
-        - backend:
-            serviceName: helm-guestbook
-            servicePort: 443
-          path: /
-        - backend:
-            serviceName: helm-guestbook
-            servicePort: https
-          path: /
-  status:
-    loadBalancer:
-      ingress:
-      - ip: 107.178.210.11`)
-)
-
-func newCluster(objs ...*unstructured.Unstructured) *clusterInfo {
-	runtimeObjs := make([]runtime.Object, len(objs))
-	for i := range objs {
-		runtimeObjs[i] = objs[i]
-	}
-	scheme := runtime.NewScheme()
-	client := fake.NewSimpleDynamicClient(scheme, runtimeObjs...)
-
-	apiResources := []kube.APIResourceInfo{{
-		GroupKind: schema.GroupKind{Group: "", Kind: "Pod"},
-		Interface: client.Resource(schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}),
-		Meta:      metav1.APIResource{Namespaced: true},
-	}, {
-		GroupKind: schema.GroupKind{Group: "apps", Kind: "ReplicaSet"},
-		Interface: client.Resource(schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "replicasets"}),
-		Meta:      metav1.APIResource{Namespaced: true},
-	}, {
-		GroupKind: schema.GroupKind{Group: "apps", Kind: "Deployment"},
-		Interface: client.Resource(schema.GroupVersionResource{Group: "apps", Version: "v1", Resource: "deployments"}),
-		Meta:      metav1.APIResource{Namespaced: true},
-	}}
-
-	return newClusterExt(&kubetest.MockKubectlCmd{APIResources: apiResources})
-}
-
-func newClusterExt(kubectl kube.Kubectl) *clusterInfo {
-	return &clusterInfo{
-		lock:         &sync.Mutex{},
-		nodes:        make(map[kube.ResourceKey]*node),
-		onAppUpdated: func(appName string, fullRefresh bool, reference corev1.ObjectReference) {},
-		kubectl:      kubectl,
-		nsIndex:      make(map[string]map[kube.ResourceKey]*node),
-		cluster:      &appv1.Cluster{},
-		syncTime:     nil,
-		syncLock:     &sync.Mutex{},
-		apisMeta:     make(map[schema.GroupKind]*apiMeta),
-		log:          log.WithField("cluster", "test"),
-		cacheSettingsSrc: func() *cacheSettings {
-			return &cacheSettings{AppInstanceLabelKey: common.LabelKeyAppInstance}
-		},
-	}
-}
-
-func getChildren(cluster *clusterInfo, un *unstructured.Unstructured) []appv1.ResourceNode {
-	hierarchy := make([]appv1.ResourceNode, 0)
-	cluster.iterateHierarchy(un, func(child appv1.ResourceNode) {
-		hierarchy = append(hierarchy, child)
-	})
-	return hierarchy[1:]
-}
-
-func TestGetChildren(t *testing.T) {
-	cluster := newCluster(testPod, testRS, testDeploy)
-	err := cluster.ensureSynced()
-	assert.Nil(t, err)
-
-	rsChildren := getChildren(cluster, testRS)
-	assert.Equal(t, []appv1.ResourceNode{{
-		ResourceRef: appv1.ResourceRef{
-			Kind:      "Pod",
-			Namespace: "default",
-			Name:      "helm-guestbook-pod",
-			Group:     "",
-			Version:   "v1",
-			UID:       "1",
-		},
-		ParentRefs: []appv1.ResourceRef{{
-			Group:     "apps",
-			Version:   "",
-			Kind:      "ReplicaSet",
-			Namespace: "default",
-			Name:      "helm-guestbook-rs",
-			UID:       "2",
-		}},
-		Health:          &appv1.HealthStatus{Status: appv1.HealthStatusUnknown},
-		NetworkingInfo:  &appv1.ResourceNetworkingInfo{Labels: testPod.GetLabels()},
-		ResourceVersion: "123",
-		Info:            []appv1.InfoItem{{Name: "Containers", Value: "0/0"}},
-	}}, rsChildren)
-	deployChildren := getChildren(cluster, testDeploy)
-
-	assert.Equal(t, append([]appv1.ResourceNode{{
-		ResourceRef: appv1.ResourceRef{
-			Kind:      "ReplicaSet",
-			Namespace: "default",
-			Name:      "helm-guestbook-rs",
-			Group:     "apps",
-			Version:   "v1",
-			UID:       "2",
-		},
-		ResourceVersion: "123",
-		Health:          &appv1.HealthStatus{Status: appv1.HealthStatusHealthy},
-		Info:            []appv1.InfoItem{{Name: "Revision", Value: "Rev:2"}},
-		ParentRefs:      []appv1.ResourceRef{{Group: "apps", Version: "", Kind: "Deployment", Namespace: "default", Name: "helm-guestbook", UID: "3"}},
-	}}, rsChildren...), deployChildren)
-}
-
-func TestGetManagedLiveObjs(t *testing.T) {
-	cluster := newCluster(testPod, testRS, testDeploy)
-	err := cluster.ensureSynced()
-	assert.Nil(t, err)
-
-	targetDeploy := strToUnstructured(`
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: helm-guestbook
-  labels:
-    app: helm-guestbook`)
-
-	managedObjs, err := cluster.getManagedLiveObjs(&appv1.Application{
-		ObjectMeta: metav1.ObjectMeta{Name: "helm-guestbook"},
-		Spec: appv1.ApplicationSpec{
-			Destination: appv1.ApplicationDestination{
-				Namespace: "default",
-			},
-		},
-	}, []*unstructured.Unstructured{targetDeploy}, nil)
-	assert.Nil(t, err)
-	assert.Equal(t, managedObjs, map[kube.ResourceKey]*unstructured.Unstructured{
-		kube.NewResourceKey("apps", "Deployment", "default", "helm-guestbook"): testDeploy,
-	})
-}
-
-func TestChildDeletedEvent(t *testing.T) {
-	cluster := newCluster(testPod, testRS, testDeploy)
-	err := cluster.ensureSynced()
-	assert.Nil(t, err)
-
-	cluster.processEvent(watch.Deleted, testPod)
-
-	rsChildren := getChildren(cluster, testRS)
-	assert.Equal(t, []appv1.ResourceNode{}, rsChildren)
-}
-
-func TestProcessNewChildEvent(t *testing.T) {
-	cluster := newCluster(testPod, testRS, testDeploy)
-	err := cluster.ensureSynced()
-	assert.Nil(t, err)
-
-	newPod := strToUnstructured(`
-  apiVersion: v1
-  kind: Pod
-  metadata:
-    uid: "4"
-    name: helm-guestbook-pod2
-    namespace: default
-    ownerReferences:
-    - apiVersion: apps/v1
-      kind: ReplicaSet
-      name: helm-guestbook-rs
-      uid: "2"
-    resourceVersion: "123"`)
-
-	cluster.processEvent(watch.Added, newPod)
-
-	rsChildren := getChildren(cluster, testRS)
-	sort.Slice(rsChildren, func(i, j int) bool {
-		return strings.Compare(rsChildren[i].Name, rsChildren[j].Name) < 0
-	})
-	assert.Equal(t, []appv1.ResourceNode{{
-		ResourceRef: appv1.ResourceRef{
-			Kind:      "Pod",
-			Namespace: "default",
-			Name:      "helm-guestbook-pod",
-			Group:     "",
-			Version:   "v1",
-			UID:       "1",
-		},
-		Info:           []appv1.InfoItem{{Name: "Containers", Value: "0/0"}},
-		Health:         &appv1.HealthStatus{Status: appv1.HealthStatusUnknown},
-		NetworkingInfo: &appv1.ResourceNetworkingInfo{Labels: testPod.GetLabels()},
-		ParentRefs: []appv1.ResourceRef{{
-			Group:     "apps",
-			Version:   "",
-			Kind:      "ReplicaSet",
-			Namespace: "default",
-			Name:      "helm-guestbook-rs",
-			UID:       "2",
-		}},
-		ResourceVersion: "123",
-	}, {
-		ResourceRef: appv1.ResourceRef{
-			Kind:      "Pod",
-			Namespace: "default",
-			Name:      "helm-guestbook-pod2",
-			Group:     "",
-			Version:   "v1",
-			UID:       "4",
-		},
-		NetworkingInfo: &appv1.ResourceNetworkingInfo{Labels: testPod.GetLabels()},
-		Info:           []appv1.InfoItem{{Name: "Containers", Value: "0/0"}},
-		Health:         &appv1.HealthStatus{Status: appv1.HealthStatusUnknown},
-		ParentRefs: []appv1.ResourceRef{{
-			Group:     "apps",
-			Version:   "",
-			Kind:      "ReplicaSet",
-			Namespace: "default",
-			Name:      "helm-guestbook-rs",
-			UID:       "2",
-		}},
-		ResourceVersion: "123",
-	}}, rsChildren)
-}
-
-func TestUpdateResourceTags(t *testing.T) {
-	pod := &corev1.Pod{
-		TypeMeta:   metav1.TypeMeta{Kind: "Pod", APIVersion: "v1"},
-		ObjectMeta: metav1.ObjectMeta{Name: "testPod", Namespace: "default"},
-		Spec: corev1.PodSpec{
-			Containers: []corev1.Container{{
-				Name:  "test",
-				Image: "test",
-			}},
-		},
-	}
-	cluster := newCluster(mustToUnstructured(pod))
-
-	err := cluster.ensureSynced()
-	assert.Nil(t, err)
-
-	podNode := cluster.nodes[kube.GetResourceKey(mustToUnstructured(pod))]
-
-	assert.NotNil(t, podNode)
-	assert.Equal(t, []appv1.InfoItem{{Name: "Containers", Value: "0/1"}}, podNode.info)
-
-	pod.Status = corev1.PodStatus{
-		ContainerStatuses: []corev1.ContainerStatus{{
-			State: corev1.ContainerState{
-				Terminated: &corev1.ContainerStateTerminated{
-					ExitCode: -1,
-				},
-			},
-		}},
-	}
-	cluster.processEvent(watch.Modified, mustToUnstructured(pod))
-
-	podNode = cluster.nodes[kube.GetResourceKey(mustToUnstructured(pod))]
-
-	assert.NotNil(t, podNode)
-	assert.Equal(t, []appv1.InfoItem{{Name: "Status Reason", Value: "ExitCode:-1"}, {Name: "Containers", Value: "0/1"}}, podNode.info)
-}
-
-func TestUpdateAppResource(t *testing.T) {
-	updatesReceived := make([]string, 0)
-	cluster := newCluster(testPod, testRS, testDeploy)
-	cluster.onAppUpdated = func(appName string, fullRefresh bool, _ corev1.ObjectReference) {
-		updatesReceived = append(updatesReceived, fmt.Sprintf("%s: %v", appName, fullRefresh))
-	}
-
-	err := cluster.ensureSynced()
-	assert.Nil(t, err)
-
-	cluster.processEvent(watch.Modified, mustToUnstructured(testPod))
-
-	assert.Contains(t, updatesReceived, "helm-guestbook: false")
-}
-
-func TestCircularReference(t *testing.T) {
-	dep := testDeploy.DeepCopy()
-	dep.SetOwnerReferences([]metav1.OwnerReference{{
-		Name:       testPod.GetName(),
-		Kind:       testPod.GetKind(),
-		APIVersion: testPod.GetAPIVersion(),
-	}})
-	cluster := newCluster(testPod, testRS, dep)
-	err := cluster.ensureSynced()
-
-	assert.Nil(t, err)
-
-	children := getChildren(cluster, dep)
-	assert.Len(t, children, 2)
-
-	node := cluster.nodes[kube.GetResourceKey(dep)]
-	assert.NotNil(t, node)
-	app := node.getApp(cluster.nodes)
-	assert.Equal(t, "", app)
-}
-
-func TestWatchCacheUpdated(t *testing.T) {
-	removed := testPod.DeepCopy()
-	removed.SetName(testPod.GetName() + "-removed-pod")
-
-	updated := testPod.DeepCopy()
-	updated.SetName(testPod.GetName() + "-updated-pod")
-	updated.SetResourceVersion("updated-pod-version")
-
-	cluster := newCluster(removed, updated)
-	err := cluster.ensureSynced()
-
-	assert.Nil(t, err)
-
-	added := testPod.DeepCopy()
-	added.SetName(testPod.GetName() + "-new-pod")
-
-	podGroupKind := testPod.GroupVersionKind().GroupKind()
-
-	cluster.replaceResourceCache(podGroupKind, "updated-list-version", []unstructured.Unstructured{*updated, *added})
-
-	_, ok := cluster.nodes[kube.GetResourceKey(removed)]
-	assert.False(t, ok)
-
-	updatedNode, ok := cluster.nodes[kube.GetResourceKey(updated)]
-	assert.True(t, ok)
-	assert.Equal(t, updatedNode.resourceVersion, "updated-pod-version")
-
-	_, ok = cluster.nodes[kube.GetResourceKey(added)]
-	assert.True(t, ok)
-}
-
-func TestGetDuplicatedChildren(t *testing.T) {
-	extensionsRS := testRS.DeepCopy()
-	extensionsRS.SetGroupVersionKind(schema.GroupVersionKind{Group: "extensions", Kind: kube.ReplicaSetKind, Version: "v1beta1"})
-	cluster := newCluster(testDeploy, testRS, extensionsRS)
-	err := cluster.ensureSynced()
-
-	assert.Nil(t, err)
-
-	// Get children multiple times to make sure the right child is picked up every time.
-	for i := 0; i < 5; i++ {
-		children := getChildren(cluster, testDeploy)
-		assert.Len(t, children, 1)
-		assert.Equal(t, "apps", children[0].Group)
-		assert.Equal(t, kube.ReplicaSetKind, children[0].Kind)
-		assert.Equal(t, testRS.GetName(), children[0].Name)
-	}
-}

controller/cache/info.go

@@ -2,41 +2,60 @@ package cache
 
 import (
 	"fmt"
+	"strings"
 
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/argoproj/gitops-engine/pkg/utils/text"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
-	k8snode "k8s.io/kubernetes/pkg/util/node"
+	resourcehelper "k8s.io/kubectl/pkg/util/resource"
 
+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util"
-	"github.com/argoproj/argo-cd/util/kube"
 	"github.com/argoproj/argo-cd/util/resource"
 )
 
-func populateNodeInfo(un *unstructured.Unstructured, node *node) {
-
+func populateNodeInfo(un *unstructured.Unstructured, res *ResourceInfo) {
 	gvk := un.GroupVersionKind()
 	revision := resource.GetRevision(un)
 	if revision > 0 {
-		node.info = append(node.info, v1alpha1.InfoItem{Name: "Revision", Value: fmt.Sprintf("Rev:%v", revision)})
+		res.Info = append(res.Info, v1alpha1.InfoItem{Name: "Revision", Value: fmt.Sprintf("Rev:%v", revision)})
 	}
 	switch gvk.Group {
 	case "":
 		switch gvk.Kind {
 		case kube.PodKind:
-			populatePodInfo(un, node)
+			populatePodInfo(un, res)
 			return
 		case kube.ServiceKind:
-			populateServiceInfo(un, node)
+			populateServiceInfo(un, res)
+			return
+		case "Node":
+			populateHostNodeInfo(un, res)
 			return
 		}
-	case "extensions":
+	case "extensions", "networking.k8s.io":
 		switch gvk.Kind {
 		case kube.IngressKind:
-			populateIngressInfo(un, node)
+			populateIngressInfo(un, res)
 			return
 		}
+	case "networking.istio.io":
+		switch gvk.Kind {
+		case "VirtualService":
+			populateIstioVirtualServiceInfo(un, res)
+			return
+		}
+	}
+
+	for k, v := range un.GetAnnotations() {
+		if strings.HasPrefix(k, common.AnnotationKeyLinkPrefix) {
+			if res.NetworkingInfo == nil {
+				res.NetworkingInfo = &v1alpha1.ResourceNetworkingInfo{}
+			}
+			res.NetworkingInfo.ExternalURLs = append(res.NetworkingInfo.ExternalURLs, v)
+		}
 	}
 }
 
@@ -58,16 +77,16 @@ func getIngress(un *unstructured.Unstructured) []v1.LoadBalancerIngress {
 	return res
 }
 
-func populateServiceInfo(un *unstructured.Unstructured, node *node) {
+func populateServiceInfo(un *unstructured.Unstructured, res *ResourceInfo) {
 	targetLabels, _, _ := unstructured.NestedStringMap(un.Object, "spec", "selector")
 	ingress := make([]v1.LoadBalancerIngress, 0)
 	if serviceType, ok, err := unstructured.NestedString(un.Object, "spec", "type"); ok && err == nil && serviceType == string(v1.ServiceTypeLoadBalancer) {
 		ingress = getIngress(un)
 	}
-	node.networkingInfo = &v1alpha1.ResourceNetworkingInfo{TargetLabels: targetLabels, Ingress: ingress}
+	res.NetworkingInfo = &v1alpha1.ResourceNetworkingInfo{TargetLabels: targetLabels, Ingress: ingress}
 }
 
-func populateIngressInfo(un *unstructured.Unstructured, node *node) {
+func populateIngressInfo(un *unstructured.Unstructured, res *ResourceInfo) {
 	ingress := getIngress(un)
 	targetsMap := make(map[v1alpha1.ResourceRef]bool)
 	if backend, ok, err := unstructured.NestedMap(un.Object, "spec", "backend"); ok && err == nil {
@@ -88,7 +107,7 @@ func populateIngressInfo(un *unstructured.Unstructured, node *node) {
 			host := rule["host"]
 			if host == nil || host == "" {
 				for i := range ingress {
-					host = util.FirstNonEmpty(ingress[i].Hostname, ingress[i].IP)
+					host = text.FirstNonEmpty(ingress[i].Hostname, ingress[i].IP)
 					if host != "" {
 						break
 					}
@@ -113,27 +132,85 @@ func populateIngressInfo(un *unstructured.Unstructured, node *node) {
 					}] = true
 				}
 
-				if port, ok, err := unstructured.NestedFieldNoCopy(path, "backend", "servicePort"); ok && err == nil && host != "" && host != nil {
-					stringPort := ""
-					switch typedPod := port.(type) {
-					case int64:
-						stringPort = fmt.Sprintf("%d", typedPod)
-					case float64:
-						stringPort = fmt.Sprintf("%d", int64(typedPod))
-					case string:
-						stringPort = typedPod
-					default:
-						stringPort = fmt.Sprintf("%v", port)
+				if host == nil || host == "" {
+					continue
+				}
+				stringPort := "http"
+				if tls, ok, err := unstructured.NestedSlice(un.Object, "spec", "tls"); ok && err == nil {
+					for i := range tls {
+						tlsline, ok := tls[i].(map[string]interface{})
+						secretName := tlsline["secretName"]
+						if ok && secretName != nil {
+							stringPort = "https"
+						}
+						tlshost := tlsline["host"]
+						if tlshost == host {
+							stringPort = "https"
+						}
+					}
+				}
+
+				externalURL := fmt.Sprintf("%s://%s", stringPort, host)
+
+				subPath := ""
+				if nestedPath, ok, err := unstructured.NestedString(path, "path"); ok && err == nil {
+					subPath = strings.TrimSuffix(nestedPath, "*")
+				}
+				externalURL += subPath
+				urlsSet[externalURL] = true
+			}
+		}
+	}
+	targets := make([]v1alpha1.ResourceRef, 0)
+	for target := range targetsMap {
+		targets = append(targets, target)
+	}
+
+	var urls []string
+	if res.NetworkingInfo != nil {
+		urls = res.NetworkingInfo.ExternalURLs
+	}
+	for url := range urlsSet {
+		urls = append(urls, url)
+	}
+	res.NetworkingInfo = &v1alpha1.ResourceNetworkingInfo{TargetRefs: targets, Ingress: ingress, ExternalURLs: urls}
+}
+
+func populateIstioVirtualServiceInfo(un *unstructured.Unstructured, res *ResourceInfo) {
+	targetsMap := make(map[v1alpha1.ResourceRef]bool)
+
+	if rules, ok, err := unstructured.NestedSlice(un.Object, "spec", "http"); ok && err == nil {
+		for i := range rules {
+			rule, ok := rules[i].(map[string]interface{})
+			if !ok {
+				continue
+			}
+			routes, ok, err := unstructured.NestedSlice(rule, "route")
+			if !ok || err != nil {
+				continue
+			}
+			for i := range routes {
+				route, ok := routes[i].(map[string]interface{})
+				if !ok {
+					continue
+				}
+
+				if hostName, ok, err := unstructured.NestedString(route, "destination", "host"); ok && err == nil {
+					hostSplits := strings.Split(hostName, ".")
+					serviceName := hostSplits[0]
+
+					var namespace string
+					if len(hostSplits) >= 2 {
+						namespace = hostSplits[1]
+					} else {
+						namespace = un.GetNamespace()
 					}
 
-					switch stringPort {
-					case "80", "http":
-						urlsSet[fmt.Sprintf("http://%s", host)] = true
-					case "443", "https":
-						urlsSet[fmt.Sprintf("https://%s", host)] = true
-					default:
-						urlsSet[fmt.Sprintf("http://%s:%s", host, stringPort)] = true
-					}
+					targetsMap[v1alpha1.ResourceRef{
+						Kind:      kube.ServiceKind,
+						Name:      serviceName,
+						Namespace: namespace,
+					}] = true
 				}
 			}
 		}
@@ -142,14 +219,11 @@ func populateIngressInfo(un *unstructured.Unstructured, node *node) {
 	for target := range targetsMap {
 		targets = append(targets, target)
 	}
-	urls := make([]string, 0)
-	for url := range urlsSet {
-		urls = append(urls, url)
-	}
-	node.networkingInfo = &v1alpha1.ResourceNetworkingInfo{TargetRefs: targets, Ingress: ingress, ExternalURLs: urls}
+
+	res.NetworkingInfo = &v1alpha1.ResourceNetworkingInfo{TargetRefs: targets}
 }
 
-func populatePodInfo(un *unstructured.Unstructured, node *node) {
+func populatePodInfo(un *unstructured.Unstructured, res *ResourceInfo) {
 	pod := v1.Pod{}
 	err := runtime.DefaultUnstructuredConverter.FromUnstructured(un.Object, &pod)
 	if err != nil {
@@ -172,9 +246,9 @@ func populatePodInfo(un *unstructured.Unstructured, node *node) {
 		imagesSet[container.Image] = true
 	}
 
-	node.images = nil
+	res.Images = nil
 	for image := range imagesSet {
-		node.images = append(node.images, image)
+		res.Images = append(res.Images, image)
 	}
 
 	initializing := false
@@ -234,15 +308,41 @@ func populatePodInfo(un *unstructured.Unstructured, node *node) {
 		}
 	}
 
-	if pod.DeletionTimestamp != nil && pod.Status.Reason == k8snode.NodeUnreachablePodReason {
+	// "NodeLost" = https://github.com/kubernetes/kubernetes/blob/cb8ad64243d48d9a3c26b11b2e0945c098457282/pkg/util/node/node.go#L46
+	// But depending on the k8s.io/kubernetes package just for a constant
+	// is not worth it.
+	// See https://github.com/argoproj/argo-cd/issues/5173
+	// and https://github.com/kubernetes/kubernetes/issues/90358#issuecomment-617859364
+	if pod.DeletionTimestamp != nil && pod.Status.Reason == "NodeLost" {
 		reason = "Unknown"
 	} else if pod.DeletionTimestamp != nil {
 		reason = "Terminating"
 	}
 
 	if reason != "" {
-		node.info = append(node.info, v1alpha1.InfoItem{Name: "Status Reason", Value: reason})
+		res.Info = append(res.Info, v1alpha1.InfoItem{Name: "Status Reason", Value: reason})
+	}
+
+	req, _ := resourcehelper.PodRequestsAndLimits(&pod)
+	res.PodInfo = &PodInfo{NodeName: pod.Spec.NodeName, ResourceRequests: req}
+
+	res.Info = append(res.Info, v1alpha1.InfoItem{Name: "Node", Value: pod.Spec.NodeName})
+	res.Info = append(res.Info, v1alpha1.InfoItem{Name: "Containers", Value: fmt.Sprintf("%d/%d", readyContainers, totalContainers)})
+	if restarts > 0 {
+		res.Info = append(res.Info, v1alpha1.InfoItem{Name: "Restart Count", Value: fmt.Sprintf("%d", restarts)})
+	}
+	res.NetworkingInfo = &v1alpha1.ResourceNetworkingInfo{Labels: un.GetLabels()}
+}
+
+func populateHostNodeInfo(un *unstructured.Unstructured, res *ResourceInfo) {
+	node := v1.Node{}
+	err := runtime.DefaultUnstructuredConverter.FromUnstructured(un.Object, &node)
+	if err != nil {
+		return
+	}
+	res.NodeInfo = &NodeInfo{
+		Name:       node.Name,
+		Capacity:   node.Status.Capacity,
+		SystemInfo: node.Status.NodeInfo,
 	}
-	node.info = append(node.info, v1alpha1.InfoItem{Name: "Containers", Value: fmt.Sprintf("%d/%d", readyContainers, totalContainers)})
-	node.networkingInfo = &v1alpha1.ResourceNetworkingInfo{Labels: un.GetLabels()}
 }

controller/cache/info_test.go

@@ -5,12 +5,157 @@ import (
 	"strings"
 	"testing"
 
+	"k8s.io/apimachinery/pkg/api/resource"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/argoproj/pkg/errors"
+	"github.com/ghodss/yaml"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	v1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/util/kube"
+)
 
-	"github.com/stretchr/testify/assert"
+func strToUnstructured(jsonStr string) *unstructured.Unstructured {
+	obj := make(map[string]interface{})
+	err := yaml.Unmarshal([]byte(jsonStr), &obj)
+	errors.CheckError(err)
+	return &unstructured.Unstructured{Object: obj}
+}
+
+var (
+	testService = strToUnstructured(`
+  apiVersion: v1
+  kind: Service
+  metadata:
+    name: helm-guestbook
+    namespace: default
+    resourceVersion: "123"
+    uid: "4"
+  spec:
+    selector:
+      app: guestbook
+    type: LoadBalancer
+  status:
+    loadBalancer:
+      ingress:
+      - hostname: localhost`)
+
+	testIngress = strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+    uid: "4"
+  spec:
+    backend:
+      serviceName: not-found-service
+      servicePort: 443
+    rules:
+    - host: helm-guestbook.com
+      http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: https
+          path: /
+    tls:
+    - host: helm-guestbook.com
+    secretName: my-tls-secret
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	testIngressWildCardPath = strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+    uid: "4"
+  spec:
+    backend:
+      serviceName: not-found-service
+      servicePort: 443
+    rules:
+    - host: helm-guestbook.com
+      http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /*
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: https
+          path: /*
+    tls:
+    - host: helm-guestbook.com
+    secretName: my-tls-secret
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	testIngressWithoutTls = strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+    uid: "4"
+  spec:
+    backend:
+      serviceName: not-found-service
+      servicePort: 443
+    rules:
+    - host: helm-guestbook.com
+      http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: https
+          path: /
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	testIstioVirtualService = strToUnstructured(`
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: hello-world
+  namespace: demo
+spec:
+  http:
+    - match:
+        - uri:
+            prefix: "/1"
+      route:
+        - destination:
+            host: service_full.demo.svc.cluster.local
+        - destination:
+            host: service_namespace.namespace
+    - match:
+        - uri:
+            prefix: "/2"
+      route:
+        - destination:
+            host: service
+`)
 )
 
 func TestGetPodInfo(t *testing.T) {
@@ -28,32 +173,93 @@ func TestGetPodInfo(t *testing.T) {
     labels:
       app: guestbook
   spec:
+    nodeName: minikube
     containers:
-    - image: bar`)
+    - image: bar
+      resources:
+        requests:
+          memory: 128Mi
+`)
 
-	node := &node{}
-	populateNodeInfo(pod, node)
-	assert.Equal(t, []v1alpha1.InfoItem{{Name: "Containers", Value: "0/1"}}, node.info)
-	assert.Equal(t, []string{"bar"}, node.images)
-	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{Labels: map[string]string{"app": "guestbook"}}, node.networkingInfo)
+	info := &ResourceInfo{}
+	populateNodeInfo(pod, info)
+	assert.Equal(t, []v1alpha1.InfoItem{
+		{Name: "Node", Value: "minikube"},
+		{Name: "Containers", Value: "0/1"},
+	}, info.Info)
+	assert.Equal(t, []string{"bar"}, info.Images)
+	assert.Equal(t, &PodInfo{
+		NodeName:         "minikube",
+		ResourceRequests: v1.ResourceList{v1.ResourceMemory: resource.MustParse("128Mi")},
+	}, info.PodInfo)
+	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{Labels: map[string]string{"app": "guestbook"}}, info.NetworkingInfo)
+}
+
+func TestGetNodeInfo(t *testing.T) {
+	node := strToUnstructured(`
+apiVersion: v1
+kind: Node
+metadata:
+  name: minikube
+spec: {}
+status:
+  capacity:
+    cpu: "6"
+    memory: 6091320Ki
+  nodeInfo:
+    architecture: amd64
+    operatingSystem: linux
+    osImage: Ubuntu 20.04 LTS
+`)
+
+	info := &ResourceInfo{}
+	populateNodeInfo(node, info)
+	assert.Equal(t, &NodeInfo{
+		Name:       "minikube",
+		Capacity:   v1.ResourceList{v1.ResourceMemory: resource.MustParse("6091320Ki"), v1.ResourceCPU: resource.MustParse("6")},
+		SystemInfo: v1.NodeSystemInfo{Architecture: "amd64", OperatingSystem: "linux", OSImage: "Ubuntu 20.04 LTS"},
+	}, info.NodeInfo)
 }
 
 func TestGetServiceInfo(t *testing.T) {
-	node := &node{}
-	populateNodeInfo(testService, node)
-	assert.Equal(t, 0, len(node.info))
+	info := &ResourceInfo{}
+	populateNodeInfo(testService, info)
+	assert.Equal(t, 0, len(info.Info))
 	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{
 		TargetLabels: map[string]string{"app": "guestbook"},
 		Ingress:      []v1.LoadBalancerIngress{{Hostname: "localhost"}},
-	}, node.networkingInfo)
+	}, info.NetworkingInfo)
+}
+
+func TestGetIstioVirtualServiceInfo(t *testing.T) {
+	info := &ResourceInfo{}
+	populateNodeInfo(testIstioVirtualService, info)
+	assert.Equal(t, 0, len(info.Info))
+	require.NotNil(t, info.NetworkingInfo)
+	require.NotNil(t, info.NetworkingInfo.TargetRefs)
+	assert.Contains(t, info.NetworkingInfo.TargetRefs, v1alpha1.ResourceRef{
+		Kind:      kube.ServiceKind,
+		Name:      "service_full",
+		Namespace: "demo",
+	})
+	assert.Contains(t, info.NetworkingInfo.TargetRefs, v1alpha1.ResourceRef{
+		Kind:      kube.ServiceKind,
+		Name:      "service_namespace",
+		Namespace: "namespace",
+	})
+	assert.Contains(t, info.NetworkingInfo.TargetRefs, v1alpha1.ResourceRef{
+		Kind:      kube.ServiceKind,
+		Name:      "service",
+		Namespace: "demo",
+	})
 }
 
 func TestGetIngressInfo(t *testing.T) {
-	node := &node{}
-	populateNodeInfo(testIngress, node)
-	assert.Equal(t, 0, len(node.info))
-	sort.Slice(node.networkingInfo.TargetRefs, func(i, j int) bool {
-		return strings.Compare(node.networkingInfo.TargetRefs[j].Name, node.networkingInfo.TargetRefs[i].Name) < 0
+	info := &ResourceInfo{}
+	populateNodeInfo(testIngress, info)
+	assert.Equal(t, 0, len(info.Info))
+	sort.Slice(info.NetworkingInfo.TargetRefs, func(i, j int) bool {
+		return strings.Compare(info.NetworkingInfo.TargetRefs[j].Name, info.NetworkingInfo.TargetRefs[i].Name) < 0
 	})
 	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{
 		Ingress: []v1.LoadBalancerIngress{{IP: "107.178.210.11"}},
@@ -68,10 +274,94 @@ func TestGetIngressInfo(t *testing.T) {
 			Kind:      kube.ServiceKind,
 			Name:      "helm-guestbook",
 		}},
-		ExternalURLs: []string{"https://helm-guestbook.com"},
-	}, node.networkingInfo)
+		ExternalURLs: []string{"https://helm-guestbook.com/"},
+	}, info.NetworkingInfo)
 }
 
+func TestGetIngressInfoWildCardPath(t *testing.T) {
+	info := &ResourceInfo{}
+	populateNodeInfo(testIngressWildCardPath, info)
+	assert.Equal(t, 0, len(info.Info))
+	sort.Slice(info.NetworkingInfo.TargetRefs, func(i, j int) bool {
+		return strings.Compare(info.NetworkingInfo.TargetRefs[j].Name, info.NetworkingInfo.TargetRefs[i].Name) < 0
+	})
+	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{
+		Ingress: []v1.LoadBalancerIngress{{IP: "107.178.210.11"}},
+		TargetRefs: []v1alpha1.ResourceRef{{
+			Namespace: "default",
+			Group:     "",
+			Kind:      kube.ServiceKind,
+			Name:      "not-found-service",
+		}, {
+			Namespace: "default",
+			Group:     "",
+			Kind:      kube.ServiceKind,
+			Name:      "helm-guestbook",
+		}},
+		ExternalURLs: []string{"https://helm-guestbook.com/"},
+	}, info.NetworkingInfo)
+}
+
+func TestGetIngressInfoWithoutTls(t *testing.T) {
+	info := &ResourceInfo{}
+	populateNodeInfo(testIngressWithoutTls, info)
+	assert.Equal(t, 0, len(info.Info))
+	sort.Slice(info.NetworkingInfo.TargetRefs, func(i, j int) bool {
+		return strings.Compare(info.NetworkingInfo.TargetRefs[j].Name, info.NetworkingInfo.TargetRefs[i].Name) < 0
+	})
+	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{
+		Ingress: []v1.LoadBalancerIngress{{IP: "107.178.210.11"}},
+		TargetRefs: []v1alpha1.ResourceRef{{
+			Namespace: "default",
+			Group:     "",
+			Kind:      kube.ServiceKind,
+			Name:      "not-found-service",
+		}, {
+			Namespace: "default",
+			Group:     "",
+			Kind:      kube.ServiceKind,
+			Name:      "helm-guestbook",
+		}},
+		ExternalURLs: []string{"http://helm-guestbook.com/"},
+	}, info.NetworkingInfo)
+}
+
+func TestGetIngressInfoWithHost(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /
+    tls:
+    - secretName: my-tls
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	info := &ResourceInfo{}
+	populateNodeInfo(ingress, info)
+
+	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{
+		Ingress: []v1.LoadBalancerIngress{{IP: "107.178.210.11"}},
+		TargetRefs: []v1alpha1.ResourceRef{{
+			Namespace: "default",
+			Group:     "",
+			Kind:      kube.ServiceKind,
+			Name:      "helm-guestbook",
+		}},
+		ExternalURLs: []string{"https://107.178.210.11/"},
+	}, info.NetworkingInfo)
+}
 func TestGetIngressInfoNoHost(t *testing.T) {
 	ingress := strToUnstructured(`
   apiVersion: extensions/v1beta1
@@ -87,22 +377,142 @@ func TestGetIngressInfoNoHost(t *testing.T) {
             serviceName: helm-guestbook
             servicePort: 443
           path: /
-  status:
-    loadBalancer:
-      ingress:
-      - ip: 107.178.210.11`)
+    tls:
+    - secretName: my-tls
+      `)
 
-	node := &node{}
-	populateNodeInfo(ingress, node)
+	info := &ResourceInfo{}
+	populateNodeInfo(ingress, info)
 
 	assert.Equal(t, &v1alpha1.ResourceNetworkingInfo{
-		Ingress: []v1.LoadBalancerIngress{{IP: "107.178.210.11"}},
 		TargetRefs: []v1alpha1.ResourceRef{{
 			Namespace: "default",
 			Group:     "",
 			Kind:      kube.ServiceKind,
 			Name:      "helm-guestbook",
 		}},
-		ExternalURLs: []string{"https://107.178.210.11"},
-	}, node.networkingInfo)
+	}, info.NetworkingInfo)
+	assert.Equal(t, len(info.NetworkingInfo.ExternalURLs), 0)
+}
+func TestExternalUrlWithSubPath(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /my/sub/path/
+    tls:
+    - secretName: my-tls
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	info := &ResourceInfo{}
+	populateNodeInfo(ingress, info)
+
+	expectedExternalUrls := []string{"https://107.178.210.11/my/sub/path/"}
+	assert.Equal(t, expectedExternalUrls, info.NetworkingInfo.ExternalURLs)
+}
+func TestExternalUrlWithMultipleSubPaths(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - host: helm-guestbook.com
+      http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /my/sub/path/
+        - backend:
+            serviceName: helm-guestbook-2
+            servicePort: 443
+          path: /my/sub/path/2
+        - backend:
+            serviceName: helm-guestbook-3
+            servicePort: 443
+    tls:
+    - secretName: my-tls
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	info := &ResourceInfo{}
+	populateNodeInfo(ingress, info)
+
+	expectedExternalUrls := []string{"https://helm-guestbook.com/my/sub/path/", "https://helm-guestbook.com/my/sub/path/2", "https://helm-guestbook.com"}
+	actualURLs := info.NetworkingInfo.ExternalURLs
+	sort.Strings(expectedExternalUrls)
+	sort.Strings(actualURLs)
+	assert.Equal(t, expectedExternalUrls, actualURLs)
+}
+func TestExternalUrlWithNoSubPath(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+    tls:
+    - secretName: my-tls
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	info := &ResourceInfo{}
+	populateNodeInfo(ingress, info)
+
+	expectedExternalUrls := []string{"https://107.178.210.11"}
+	assert.Equal(t, expectedExternalUrls, info.NetworkingInfo.ExternalURLs)
+}
+
+func TestExternalUrlWithNetworkingApi(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: networking.k8s.io/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+    tls:
+    - secretName: my-tls
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	info := &ResourceInfo{}
+	populateNodeInfo(ingress, info)
+
+	expectedExternalUrls := []string{"https://107.178.210.11"}
+	assert.Equal(t, expectedExternalUrls, info.NetworkingInfo.ExternalURLs)
 }