fixes tests

Update manifests to v1.3.6
Add support for hidden directories with directory enforcer (#2821 )
2026-02-27 04:58:47 +01:00 · 2019-12-10 14:38:52 -08:00 · 2019-12-10 14:08:42 -08:00 · 2019-12-10 14:07:40 -08:00 · 2019-12-09 12:07:51 -08:00 · 2019-12-09 11:30:03 -08:00
515 changed files with 23693 additions and 8667 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,14 +1,5 @@
 version: 2.1
 commands:
-  before:
-    steps:
-      - restore_go_cache
-      - install_golang
-      - install_tools
-      - clean_checkout
-      - configure_git
-      - install_go_deps
-      - dep_ensure
  configure_git:
    steps:
      - run:
@@ -20,12 +11,6 @@ commands:
            git config --global user.name "Your Name"
            echo "export PATH=/home/circleci/.go_workspace/src/github.com/argoproj/argo-cd/hack:\$PATH" | tee -a $BASH_ENV
            echo "export GIT_ASKPASS=git-ask-pass.sh" | tee -a $BASH_ENV
-  clean_checkout:
-    steps:
-      - run:
-          name: Remove checked out code
-          command: rm -Rf /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
-      - checkout
  dep_ensure:
    steps:
      - restore_cache:
@@ -47,94 +32,10 @@ commands:
            [ -e /home/circleci/sdk/go1.12.6 ] || go1.12.6 download
            echo "export GOPATH=/home/circleci/.go_workspace" | tee -a $BASH_ENV
            echo "export PATH=/home/circleci/sdk/go1.12.6/bin:\$PATH" | tee -a $BASH_ENV
-      - run:
-          name: Golang diagnostics
-          command: |
-            env
-            which go
-            go version
-            go env
-  install_go_deps:
-    steps:
-      - run:
-          name: Install Go deps
-          command: |
-            set -x
-            go get github.com/golangci/golangci-lint/cmd/golangci-lint
-            go get github.com/jstemmer/go-junit-report
-            go get github.com/mattn/goreman
-            go get golang.org/x/tools/cmd/goimports
-  install_tools:
-    steps:
-      - run:
-          name: Create downloads dir
-          command: mkdir -p /tmp/dl
-      - restore_cache:
-          keys:
-            - dl-v6
-      - run:
-          name: Install Kubectx v0.6.3
-          command: |
-            set -x
-            [ -e /tmp/dl/kubectx.zip ] || curl -sLf -C - -o /tmp/dl/kubectx.zip https://github.com/ahmetb/kubectx/archive/v0.6.3.zip
-            sudo unzip /tmp/dl/kubectx.zip kubectx-0.6.3/kubectx
-            sudo unzip /tmp/dl/kubectx.zip kubectx-0.6.3/kubens
-            sudo mv kubectx-0.6.3/kubectx /usr/local/bin/
-            sudo mv kubectx-0.6.3/kubens /usr/local/bin/
-            sudo chmod +x /usr/local/bin/kubectx
-            sudo chmod +x /usr/local/bin/kubens
-      - run:
-          name: Install Dep v0.5.3
-          command: |
-            set -x
-            [ -e /tmp/dl/dep ] || curl -sLf -C - -o /tmp/dl/dep https://github.com/golang/dep/releases/download/v0.5.3/dep-linux-amd64
-            sudo cp /tmp/dl/dep /usr/local/go/bin/dep
-            sudo chmod +x /usr/local/go/bin/dep
-            dep version
-      - run:
-          name: Install Ksonnet v0.13.1
-          command: |
-            set -x
-            [ -e /tmp/dl/ks.tar.gz ] || curl -sLf -C - -o /tmp/dl/ks.tar.gz https://github.com/ksonnet/ksonnet/releases/download/v0.13.1/ks_0.13.1_linux_amd64.tar.gz
-            tar -C /tmp -xf /tmp/dl/ks.tar.gz
-            sudo cp /tmp/ks_0.13.1_linux_amd64/ks /usr/local/go/bin/ks
-            sudo chmod +x /usr/local/go/bin/ks
-            ks version
-      - run:
-          name: Install Helm v2.13.1
-          command: |
-            set -x
-            [ -e /tmp/dl/helm.tar.gz ] || curl -sLf -C - -o /tmp/dl/helm.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v2.13.1-linux-amd64.tar.gz
-            tar -C /tmp/ -xf /tmp/dl/helm.tar.gz
-            sudo cp /tmp/linux-amd64/helm /usr/local/go/bin/helm
-            helm version --client
-            helm init --client-only
-      - run:
-          name: Install Kustomize v3.1.0
-          command: |
-            set -x
-            export VER=3.1.0
-            [ -e /tmp/dl/kustomize_${VER} ] || curl -sLf -C - -o /tmp/dl/kustomize_${VER} https://github.com/kubernetes-sigs/kustomize/releases/download/v${VER}/kustomize_${VER}_linux_amd64
-            sudo cp /tmp/dl/kustomize_${VER} /usr/local/go/bin/kustomize
-            sudo chmod +x /usr/local/go/bin/kustomize
-            kustomize version
-      - run:
-          name: Install Git LFS plugin
-          command: |
-            set -x
-            curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | sudo bash
-            sleep 5
-            sudo killall -9 apt-get || true
-            sudo apt-get update
-            sudo apt-get install -y git-lfs openssh-client
-      - save_cache:
-          key: dl-v6
-          paths:
-            - /tmp/dl
  save_go_cache:
    steps:
      - save_cache:
-          key: go-v17-{{ .Branch }}
+          key: go-v18-{{ .Branch }}
          paths:
            - /home/circleci/.go_workspace
            - /home/circleci/.cache/go-build
@@ -143,40 +44,27 @@ commands:
    steps:
      - restore_cache:
          keys:
+            - go-v18-{{ .Branch }}
+            - go-v18-master
            - go-v17-{{ .Branch }}
            - go-v17-master
-            - go-v16-{{ .Branch }}
-            - go-v16-master
 jobs:
-  build:
-    working_directory: /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
-    machine:
-      image: circleci/classic:201808-01
+  codegen:
+    docker:
+      - image: circleci/golang:1.12
+    working_directory: /go/src/github.com/argoproj/argo-cd
    steps:
-      - before
-      - run:
-          name: Run unit tests
-          command: |
-            set -x
-            mkdir -p /tmp/test-results
-            trap "go-junit-report </tmp/test-results/go-test.out > /tmp/test-results/go-test-report.xml" EXIT
-            make test | tee /tmp/test-results/go-test.out
-      - save_go_cache
-      - run:
-          name: Uploading code coverage
-          command: bash <(curl -s https://codecov.io/bash) -f coverage.out
-          # This takes 2m, lets background it.
-          background: true
-      - store_test_results:
-          path: /tmp/test-results
-      - run:
-          name: Generate code
-          command: make codegen
-      - run:
-          name: Lint code
-          # use GOGC to limit memory usage in exchange for CPU usage, https://github.com/golangci/golangci-lint#memory-usage-of-golangci-lint
-          # we have 8GB RAM, 2CPUs https://circleci.com/docs/2.0/executor-types/#using-machine
-          command: LINT_GOGC=20 LINT_CONCURRENCY=1 LINT_DEADLINE=3m0s make lint
+      - checkout
+      - restore_cache:
+          keys: [codegen-v2]
+      - run: ./hack/install.sh codegen-go-tools
+      - run: sudo ./hack/install.sh codegen-tools
+      - run: dep ensure
+      - save_cache:
+          key: codegen-v2
+          paths: [vendor, /tmp/dl, /go/pkg]
+      - run: helm init --client-only
+      - run: make codegen-local
      - run:
          name: Check nothing has changed
          command: |
@@ -188,11 +76,42 @@ jobs:
            git diff --exit-code -- . ':!Gopkg.lock'  ':!assets/swagger.json' | tee codegen.patch
      - store_artifacts:
          path: codegen.patch
-          when: always
+          destination: .
+  test:
+    working_directory: /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
+    machine:
+      image: circleci/classic:201808-01
+    steps:
+      - restore_go_cache
+      - install_golang
+      - checkout
+      - restore_cache:
+          key: test-dl-v1
+      - run: sudo ./hack/install.sh kubectl-linux kubectx-linux dep-linux ksonnet-linux helm-linux kustomize-linux
+      - save_cache:
+          key: test-dl-v1
+          paths: [/tmp/dl]
+      - configure_git
+      - run: go get github.com/jstemmer/go-junit-report
+      - dep_ensure
+      - save_go_cache
+      - run: make test
+      - run:
+          name: Uploading code coverage
+          command: bash <(curl -s https://codecov.io/bash) -f coverage.out
+      - store_test_results:
+          path: test-results
+      - store_artifacts:
+          path: test-results
+          destination: .
  e2e:
    working_directory: /home/circleci/.go_workspace/src/github.com/argoproj/argo-cd
    machine:
      image: circleci/classic:201808-01
+    environment:
+      ARGOCD_FAKE_IN_CLUSTER: "true"
+      ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
+      ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
    steps:
      - run:
          name: Install and start K3S v0.5.0
@@ -204,15 +123,19 @@ jobs:
          environment:
            INSTALL_K3S_EXEC: --docker
            INSTALL_K3S_VERSION: v0.5.0
-      - before
-      - run:
-          # do this before we build everything else in the background, as they tend to explode
-          name: Make CLI
-          command: |
-            set -x
-            make cli
-            # must be added to path for tests
-            echo export PATH="`pwd`/dist:\$PATH" | tee -a $BASH_ENV
+      - restore_go_cache
+      - install_golang
+      - checkout
+      - restore_cache:
+          keys: [e2e-dl-v1]
+      - run: sudo ./hack/install.sh kubectx-linux dep-linux ksonnet-linux helm-linux kustomize-linux
+      - run: go get github.com/jstemmer/go-junit-report
+      - save_cache:
+          key: e2e-dl-v10
+          paths: [/tmp/dl]
+      - dep_ensure
+      - configure_git
+      - run: make cli
      - run:
          name: Create namespace
          command: |
@@ -236,97 +159,56 @@ jobs:
          name: Start repo server
          command: go run ./cmd/argocd-repo-server/main.go --loglevel debug --redis localhost:6379
          background: true
-          environment:
-            # pft. if you do not quote "true", CircleCI turns it into "1", stoopid
-            ARGOCD_FAKE_IN_CLUSTER: "true"
-            ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
-            ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
      - run:
          name: Start API server
          command: go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:6379 --insecure --dex-server http://localhost:5556 --repo-server localhost:8081 --staticassets ../argo-cd-ui/dist/app
          background: true
-          environment:
-            ARGOCD_FAKE_IN_CLUSTER: "true"
-            ARGOCD_SSH_DATA_PATH: "/tmp/argo-e2e/app/config/ssh"
-            ARGOCD_TLS_DATA_PATH: "/tmp/argo-e2e/app/config/tls"
      - run:
          name: Start Test Git
          command: |
            test/fixture/testrepos/start-git.sh
          background: true
-      - run:
-          name: Wait for API server
-          command: |
-            set -x
-            until curl -v http://localhost:8080/healthz; do sleep 3; done
+      - run: until curl -v http://localhost:8080/healthz; do sleep 10; done
      - run:
          name: Start controller
          command: go run ./cmd/argocd-application-controller/main.go --loglevel debug --redis localhost:6379 --repo-server localhost:8081 --kubeconfig ~/.kube/config
          background: true
-          environment:
-            ARGOCD_FAKE_IN_CLUSTER: "true"
      - run:
-          name: Smoke test
-          command: |
-            set -x
-            argocd login localhost:8080 --plaintext  --username admin --password password
-            argocd app create guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook
-            argocd app sync guestbook
-            argocd app delete guestbook
-      - run:
-          name: Run e2e tests
-          command: |
-            set -x
-            mkdir -p /tmp/test-results
-            trap "go-junit-report </tmp/test-results/go-e2e.out > /tmp/test-results/go-e2e-report.xml" EXIT
-            make test-e2e | tee /tmp/test-results/go-e2e.out
+          command: PATH=dist:$PATH make test-e2e
          environment:
            ARGOCD_OPTS: "--server localhost:8080 --plaintext"
-            ARGOCD_E2E_EXPECT_TIMEOUT: "30"
            ARGOCD_E2E_K3S: "true"
      - store_test_results:
-          path: /tmp/test-results
+          path: test-results
+      - store_artifacts:
+          path: test-results
+          destination: .
  ui:
-    # note that we checkout the code in ~/argo-cd/, but then work in ~/argo-cd/ui
-    working_directory: ~/argo-cd/ui
    docker:
      - image: node:11.15.0
+    working_directory: ~/argo-cd/ui
    steps:
      - checkout:
          path: ~/argo-cd/
      - restore_cache:
-          name: Restore Yarn Package Cache
          keys:
-            - yarn-packages-v3-{{ checksum "yarn.lock" }}
-      - run:
-          name: Install
-          command:
-            yarn install --frozen-lockfile --ignore-optional --non-interactive
+            - yarn-packages-v4-{{ checksum "yarn.lock" }}
+      - run: yarn install --frozen-lockfile --ignore-optional --non-interactive
      - save_cache:
-          name: Save Yarn Package Cache
-          key: yarn-packages-v3-{{ checksum "yarn.lock" }}
-          paths:
-            - ~/.cache/yarn
-            - node_modules
-      - run:
-          name: Test
-          command: yarn test
-      # This does not appear to work, and I don't want to spend time on it.
-      - store_test_results:
-          path: junit.xml
-      - run:
-          name: Build
-          command: yarn build
-      - run:
-          name: Lint
-          command: yarn lint
+          key: yarn-packages-v4-{{ checksum "yarn.lock" }}
+          paths: [~/.cache/yarn, node_modules]
+      - run: yarn test
+      - run: yarn build
+      - run: yarn lint
 workflows:
  version: 2
  workflow:
    jobs:
-      - build
-      - e2e
-      - ui:
-          # this isn't strictly true, we just put in here so that we 2/4 executors rather than 3/4
+      - test
+      - codegen:
          requires:
-            - build
+            - test
+      - ui:
+          requires:
+            - codegen
+      - e2e
--- a/.codecov.yml
+++ b/.codecov.yml
@@ -1,17 +1,17 @@
 ignore:
 - "**/*.pb.go"
 - "**/*.pb.gw.go"
+- "**/*generated.go"
+- "**/*generated.deepcopy.go"
 - "**/*_test.go"
- "pkg/apis/.*"
+- "pkg/apis/client/.*"
 - "pkg/client/.*"
- "test/.*"
+- "vendor/.*"
 coverage:
  status:
-    # allow test coverage to drop by 1%, assume that it's typically due to CI problems
-    patch:
-      default:
-        enabled: no
-        if_not_found: success
+    # we've found this not to be useful
+    patch: off
    project:
      default:
+        # allow test coverage to drop by 1%, assume that it's typically due to CI problems
        threshold: 1
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -4,23 +4,26 @@ about: Create a report to help us improve
 title: ''
 labels: 'bug'
 assignees: ''
-
 ---
+Checklist:
+
+* [ ] I've included steps to reproduce the bug.
+* [ ] I've pasted the output of `argocd version`.

 **Describe the bug**
+
 A clear and concise description of what the bug is.

 **To Reproduce**
-If we cannot reproduce, we cannot fix! Steps to reproduce the behavior:
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
+
+A list of the steps required to reproduce the issue. Best of all, give us the URL to a repository that exhibits this issue.

 **Expected behavior**
+
 A clear and concise description of what you expected to happen.

 **Screenshots**
+
 If applicable, add screenshots to help explain your problem.

 **Version**
@@ -34,10 +37,3 @@ Paste the output from `argocd version` here.
 ```
 Paste any relevant application logs here.
 ```
-
-**Have you thought about contributing a fix yourself?**
-
-Open Source software thrives with your contribution. It not only gives skills you might not be able to get in your day job, it also looks amazing on your resume. 
-
-If you want to get involved, check out the 
-[contributing guide](https://github.com/argoproj/argo-cd/blob/master/docs/CONTRIBUTING.md), then reach out to us on [Slack](https://argoproj.github.io/community/join-slack) so we can see how to get you started.
--- a/.github/ISSUE_TEMPLATE/enhancement_proposal.md
+++ b/.github/ISSUE_TEMPLATE/enhancement_proposal.md
@@ -0,0 +1,18 @@
+---
+name: Enhancement proposal
+about: Propose an enhancement for this project
+title: ''
+labels: 'enhancement'
+assignees: ''
+---
+# Summary
+
+What change you think needs making.
+
+# Motivation
+
+Please give examples of your use case, e.g. when would you use this.
+
+# Proposal
+
+How do you think this should be implemented?
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,21 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: 'enhancement'
-assignees: ''
-
---
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Have you thought about contributing yourself?**
-
-Open Source software thrives with your contribution. It not only gives skills you might not be able to get in your day job, it also looks amazing on your resume. 
-
-If you want to get involved, check out the 
-[contributing guide](https://github.com/argoproj/argo-cd/blob/master/docs/CONTRIBUTING.md), then reach out to us on [Slack](https://argoproj.github.io/community/join-slack) so we can see how to get you started.
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,7 +1,5 @@
-<!--
-Thank you for submitting your PR! 
+Checklist:

-We'd love your organisation to be listed in the [README](https://github.com/argoproj/argo-cd). Don't forget to add it if you can!
-
-To troubleshoot builds: https://argoproj.github.io/argo-cd/developer-guide/ci/
-->  
+* [ ] I've created an [enhancement proposal](https://github.com/argoproj/argo-cd/issues/new/choose) and I feel I've gotten a green light from the community. 
+* [ ] My build is green ([troubleshooting builds](https://argoproj.github.io/argo-cd/developer-guide/ci/)). 
+* [ ] Optional. My organisation is added to the README.
--- a/.gitignore
+++ b/.gitignore
@@ -9,3 +9,4 @@ site/
 cmd/**/debug
 debug.test
 coverage.out
+test-results
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -3,20 +3,20 @@ run:
  skip-files:
    - ".*\\.pb\\.go"
  skip-dirs:
-    - pkg/client
-    - vendor
-linter-settings:
-  goimports:
-    local-prefixes: github.com/argoproj/argo-cd
+    - pkg/client/
+    - vendor/
 linters:
  enable:
    - vet
-    - gofmt
-    - goimports
    - deadcode
+    - goimports
    - varcheck
    - structcheck
    - ineffassign
    - unconvert
-    - misspell
    - unparam
+linters-settings:
+  goimports:
+    local-prefixes: github.com/argoproj/argo-cd
+service:
+  golangci-lint-version: 1.21.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,122 @@
 # Changelog

+## v1.2.3 (2019-10-1)
+* Make argo-cd docker images openshift friendly (#2362) (@duboisf)
+* Add dest-server and dest-namespace field to reconciliation logs (#2354)
+- Stop loggin /repository.RepositoryService/ValidateAccess parameters (#2386)
+
+## v1.2.2 (2019-09-26)
+ Resource action equivalent to `kubectl rollout restart` (#2177)
+- Badge response does not contain cache-control header (#2317) (@greenstatic)
+- Make sure the controller uses the latest git version if app reconciliation result expired (#2339)
+
+## v1.2.1 (2019-09-12)
+ Support limiting number of concurrent kubectl fork/execs (#2022)
+ Add --self-heal flag to argocd cli (#2296)
+- Fix degraded proxy support for http(s) git repository (#2243)
+- Fix nil pointer dereference in application controller (#2290)
+
+## v1.2.0 (2019-09-05)
+
+### New Features
+
+#### Server Certificate And Known Hosts Management
+
+The Server Certificate And Known Hosts Management feature makes it really easy to connect private Git repositories to Argo CD. Now Argo CD provides UI and CLI which
+enables managing certificates and known hosts which are used to access Git repositories. It is also possible to configure both hosts and certificates in a declarative manner using
+[argocd-ssh-known-hosts-cm](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-ssh-known-hosts-cm.yaml) and 
+[argocd-tls-certs-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-tls-certs-cm.yaml) config maps.
+
+#### Self-Healing
+
+The existing Automatic Sync feature allows to automatically apply any new changes in Git to the target Kubernetes cluster. However, Automatic Sync does not cover the case when the
+application is out of sync due to the unexpected change in the target cluster. The Self-Healing feature fills this gap. With Self-Healing enabled Argo CD automatically pushes the desired state from Git into the cluster every time when state deviation is detected.
+
+**Anonymous access** - enable read-only access without authentication to anyone in your organization.
+
+Support for Git LFS enabled repositories - now you can store Helm charts as tar files and enable Git LFS in your repository.
+
+**Compact diff view** - compact diff summary of the whole application in a single view.
+
+**Badge for application status** - add badge with the health and sync status of your application into README.md of your deployment repo.
+
+**Allow configuring google analytics tracking** - use Google Analytics to check how many users are visiting UI or your Argo CD instance.
+
+#### Backward Incompatible Changes
+- Kustomize v1 support is removed. All kustomize charts are built using the same Kustomize version
+- Kustomize v2.0.3 upgraded to v3.1.0 . We've noticed one backward incompatible change: https://github.com/kubernetes-sigs/kustomize/issues/42 . Starting v2.1.0 namespace prefix feature works with CRD ( which might cause renaming of generated resource definitions)
+- Argo CD config maps must be annotated with `app.kubernetes.io/part-of: argocd` label. Make sure to apply updated `install.yaml` manifest in addition to changing image version.
+
+
+#### Enhancements
+ Adds a floating action button with help and chat links to every page.… (#2124)
+ Enhances cookie warning with actual length to help users fix their co… (#2134)
+ Added 'SyncFail' to possible HookTypes in UI (#2147)
+ Support for Git LFS enabled repositories (#1853)
+ Server certificate and known hosts management (#1514)
+ Client HTTPS certifcates for private git repositories (#1945)
+ Badge for application status (#1435)
+ Make the health check for APIService a built in (#1841)
+ Bitbucket Server and Gogs webhook providers (#1269)
+ Jsonnet TLA arguments in ArgoCD CLI (#1626)
+ Self Healing (#1736)
+ Compact diff view (#1831)
+ Allow Helm parameters to force ambiguously-typed values to be strings (#1846)
+ Support anonymous argocd access (#1620)
+ Allow configuring google analytics tracking (#738)
+ Bash autocompletion for argocd (#1798)
+ Additional commit metadata (#1219)
+ Displays targetRevision in app dashboards. (#1239)
+ Local path syncing (#839)
+ System level `kustomize build` options (#1789)
+ Adds support for `argocd app set` for Kustomize. (#1843)
+ Allow users to create tokens for projects where they have any role. (#1977)
+ Add Refresh button to applications table and card view (#1606)
+ Adds CLI support for adding and removing groups from project roles. (#1851)
+ Support dry run and hook vs. apply strategy during sync (#798)
+ UI should remember most recent selected tab on resource info panel (#2007)
+ Adds link to the project from the app summary page. (#1911)
+ Different icon for resources which require pruning (#1159)
+
+#### Bug Fixes
+
+- Do not panic if the type is not api.Status (an error scenario) (#2105)
+- Make sure endpoint is shown as a child of service (#2060)
+- Word-wraps app info in the table and list views. (#2004)
+- Project source/destination removal should consider wildcards (#1780)
+- Repo whitelisting in UI does not support wildcards (#2000)
+- Wait for CRD creation during sync process (#1940)
+- Added a button to select out of sync items in the sync panel (#1902)
+- Proper handling of an excluded resource in an application (#1621)
+- Stop repeating logs on stoped container (#1614)
+- Fix git repo url parsing on application list view (#2174)
+- Fix nil pointer dereference error during app reconciliation (#2146)
+- Fix history api fallback implementation to support app names with dots (#2114)
+- Fixes some code issues related to Kustomize build options. (#2146)
+- Adds checks around valid paths for apps (#2133)
+- Enpoint incorrectly considered top level managed resource (#2060)
+- Allow adding certs for hostnames ending on a dot (#2116)
+
+#### Other
+* Upgrade kustomize to v3.1.0 (#2068)
+* Remove support for Kustomize 1. (#1573)
+
+#### Contributors
+
+* [alexec](https://github.com/alexec)
+* [alexmt](https://github.com/alexmt)
+* [dmizelle](https://github.com/dmizelle)
+* [lcostea](https://github.com/lcostea)
+* [jutley](https://github.com/jutley)
+* [masa213f](https://github.com/masa213f)
+* [Rayyis](https://github.com/Rayyis)
+* [simster7](https://github.com/simster7)
+* [dthomson25](https://github.com/dthomson25)
+* [jannfis](https://github.com/jannfis)
+* [naynasiddharth](https://github.com/naynasiddharth)
+* [stgarf](https://github.com/stgarf)
+
+
 ## v1.1.2 (2019-07-30)
 - 'argocd app wait' should print correct sync status (#2049)
 - Check that TLS is enabled when registering DEX Handlers (#2047)
--- a/62
+++ b/62
@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=debian:9.5-slim
+ARG BASE_IMAGE=debian:10-slim
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
@@ -6,7 +6,7 @@ ARG BASE_IMAGE=debian:9.5-slim
 ####################################################################################################
 FROM golang:1.12.6 as builder

-RUN echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list
+RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list

 RUN apt-get update && apt-get install -y \
    openssh-server \
@@ -23,47 +23,16 @@ RUN apt-get update && apt-get install -y \

 WORKDIR /tmp

-# Install dep
-ENV DEP_VERSION=0.5.0
-RUN wget https://github.com/golang/dep/releases/download/v${DEP_VERSION}/dep-linux-amd64 -O /usr/local/bin/dep && \
-    chmod +x /usr/local/bin/dep
+ADD hack/install.sh .
+ADD hack/installers installers

-# Install packr
-ENV PACKR_VERSION=1.21.9
-RUN wget https://github.com/gobuffalo/packr/releases/download/v${PACKR_VERSION}/packr_${PACKR_VERSION}_linux_amd64.tar.gz && \
-    tar -vxf packr*.tar.gz -C /tmp/ && \
-    mv /tmp/packr /usr/local/bin/packr
-
-# Install kubectl
-# NOTE: keep the version synced with https://storage.googleapis.com/kubernetes-release/release/stable.txt
-ENV KUBECTL_VERSION=1.14.0
-RUN curl -L -o /usr/local/bin/kubectl -LO https://storage.googleapis.com/kubernetes-release/release/v${KUBECTL_VERSION}/bin/linux/amd64/kubectl && \
-    chmod +x /usr/local/bin/kubectl && \
-    kubectl version --client
-
-# Install ksonnet
-ENV KSONNET_VERSION=0.13.1
-RUN wget https://github.com/ksonnet/ksonnet/releases/download/v${KSONNET_VERSION}/ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
-    tar -C /tmp/ -xf ks_${KSONNET_VERSION}_linux_amd64.tar.gz && \
-    mv /tmp/ks_${KSONNET_VERSION}_linux_amd64/ks /usr/local/bin/ks && \
-    ks version
-
-# Install helm
-ENV HELM_VERSION=2.12.1
-RUN wget https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
-    tar -C /tmp/ -xf helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
-    mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
-    helm version --client
-
-ENV KUSTOMIZE_VERSION=3.1.0
-RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/kustomize && \
-    kustomize version
-
-# Install AWS IAM Authenticator
-ENV AWS_IAM_AUTHENTICATOR_VERSION=0.4.0-alpha.1
-RUN curl -L -o /usr/local/bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/${AWS_IAM_AUTHENTICATOR_VERSION}/aws-iam-authenticator_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/aws-iam-authenticator
+RUN ./install.sh dep-linux
+RUN ./install.sh packr-linux
+RUN ./install.sh kubectl-linux
+RUN ./install.sh ksonnet-linux
+RUN ./install.sh helm-linux
+RUN ./install.sh kustomize-linux
+RUN ./install.sh aws-iam-authenticator-linux

 ####################################################################################################
 # Argo CD Base - used as the base for both the release and dev argocd images
@@ -72,12 +41,14 @@ FROM $BASE_IMAGE as argocd-base

 USER root

-RUN echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list
+RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list

 RUN groupadd -g 999 argocd && \
    useradd -r -u 999 -g argocd argocd && \
    mkdir -p /home/argocd && \
-    chown argocd:argocd /home/argocd && \
+    chown argocd:0 /home/argocd && \
+    chmod g=u /home/argocd && \
+    chmod g=u /etc/passwd && \
    apt-get update && \
    apt-get install -y git git-lfs && \
    apt-get clean && \
@@ -89,6 +60,9 @@ COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kubectl /usr/local/bin/kubectl
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
 COPY --from=builder /usr/local/bin/aws-iam-authenticator /usr/local/bin/aws-iam-authenticator
+# script to add current (possibly arbitrary) user to /etc/passwd at runtime
+# (if it's not already there, to be openshift friendly)
+COPY uid_entrypoint.sh /usr/local/bin/uid_entrypoint.sh

 # support for mounting configuration from a configmap
 RUN mkdir -p /app/config/ssh && \
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -3,3 +3,4 @@
 ####################################################################################################
 FROM argocd-base
 COPY argocd* /usr/local/bin/
+COPY --from=argocd-ui ./src/dist/app /shared/app
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -1,6 +1,14 @@
 # This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.


+[[projects]]
+  digest = "1:6d5a057da97a9dbdb10e7beedd2f43452b6bf7691001c0c8886e8dacf5610349"
+  name = "bou.ke/monkey"
+  packages = ["."]
+  pruneopts = ""
+  revision = "bdf6dea004c6fd1cdf4b25da8ad45a606c09409a"
+  version = "v1.0.1"
+
 [[projects]]
  digest = "1:9702dc153c9bb6ee7ee0587c248b7024700e89e4a7be284faaeeab9da32e1c6b"
  name = "cloud.google.com/go"
@@ -52,11 +60,7 @@
  branch = "master"
  digest = "1:0caf9208419fa5db5a0ca7112affaa9550c54291dda8e2abac0c0e76181c959e"
  name = "github.com/argoproj/argo"
-  packages = [
-    "pkg/apis/workflow",
-    "pkg/apis/workflow/v1alpha1",
-    "util",
-  ]
+  packages = ["util"]
  pruneopts = ""
  revision = "7ef1cea68c94f7f0e1e2f8bd75bedc5a7df8af90"

@@ -131,6 +135,17 @@
  revision = "06ea1031745cb8b3dab3f6a236daf2b0aa468b7e"
  version = "v3.2.0"

+[[projects]]
+  digest = "1:c05f1899f086e3b4613d94d9e6f7ba6f4b6587498a1aa6037c5c294b22f5a743"
+  name = "github.com/docker/distribution"
+  packages = [
+    "digestset",
+    "reference",
+  ]
+  pruneopts = ""
+  revision = "2461543d988979529609e8cb6fca9ca190dc48da"
+  version = "v2.7.1"
+
 [[projects]]
  digest = "1:b021ef379356343bdc13ec101e546b756fcef4b1186d08163bef7d3bc8c1e07f"
  name = "github.com/docker/docker"
@@ -647,6 +662,14 @@
  revision = "4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd"
  version = "1.0.1"

+[[projects]]
+  digest = "1:5d9b668b0b4581a978f07e7d2e3314af18eb27b3fb5d19b70185b7c575723d11"
+  name = "github.com/opencontainers/go-digest"
+  packages = ["."]
+  pruneopts = ""
+  revision = "279bed98673dd5bef374d3b6e4b09e2af76183bf"
+  version = "v1.0.0-rc1"
+
 [[projects]]
  digest = "1:4c0404dc03d974acd5fcd8b8d3ce687b13bd169db032b89275e8b9d77b98ce8c"
  name = "github.com/patrickmn/go-cache"
@@ -734,6 +757,14 @@
  pruneopts = ""
  revision = "05ee40e3a273f7245e8777337fc7b46e533a9a92"

+[[projects]]
+  digest = "1:6bb048133650d1fb7fbff9fb3c35bd5c7e8653fc95c3bae6df94cd17d1580278"
+  name = "github.com/robfig/cron"
+  packages = ["."]
+  pruneopts = ""
+  revision = "45fbe1491cdd47d74d1bf1396286d67faee8b8b5"
+  version = "v3.0.0"
+
 [[projects]]
  digest = "1:5f47c69f85311c4dc292be6cc995a0a3fe8337a6ce38ef4f71e5b7efd5ad42e0"
  name = "github.com/rs/cors"
@@ -1536,15 +1567,74 @@
  digest = "1:78aa6079e011ece0d28513c7fe1bd64284fa9eb5d671760803a839ffdf0e9e38"
  name = "k8s.io/kubernetes"
  packages = [
+    "pkg/api/legacyscheme",
    "pkg/api/v1/pod",
    "pkg/apis/apps",
+    "pkg/apis/apps/install",
+    "pkg/apis/apps/v1",
+    "pkg/apis/apps/v1beta1",
+    "pkg/apis/apps/v1beta2",
+    "pkg/apis/authentication",
+    "pkg/apis/authentication/install",
+    "pkg/apis/authentication/v1",
+    "pkg/apis/authentication/v1beta1",
+    "pkg/apis/authorization",
+    "pkg/apis/authorization/install",
+    "pkg/apis/authorization/v1",
+    "pkg/apis/authorization/v1beta1",
    "pkg/apis/autoscaling",
+    "pkg/apis/autoscaling/install",
+    "pkg/apis/autoscaling/v1",
+    "pkg/apis/autoscaling/v2beta1",
+    "pkg/apis/autoscaling/v2beta2",
    "pkg/apis/batch",
+    "pkg/apis/batch/install",
+    "pkg/apis/batch/v1",
+    "pkg/apis/batch/v1beta1",
+    "pkg/apis/batch/v2alpha1",
+    "pkg/apis/certificates",
+    "pkg/apis/certificates/install",
+    "pkg/apis/certificates/v1beta1",
+    "pkg/apis/coordination",
+    "pkg/apis/coordination/install",
+    "pkg/apis/coordination/v1",
+    "pkg/apis/coordination/v1beta1",
    "pkg/apis/core",
+    "pkg/apis/core/install",
+    "pkg/apis/core/v1",
+    "pkg/apis/events",
+    "pkg/apis/events/install",
+    "pkg/apis/events/v1beta1",
+    "pkg/apis/extensions",
+    "pkg/apis/extensions/install",
+    "pkg/apis/extensions/v1beta1",
+    "pkg/apis/networking",
+    "pkg/apis/policy",
+    "pkg/apis/policy/install",
+    "pkg/apis/policy/v1beta1",
+    "pkg/apis/rbac",
+    "pkg/apis/rbac/install",
+    "pkg/apis/rbac/v1",
+    "pkg/apis/rbac/v1alpha1",
+    "pkg/apis/rbac/v1beta1",
+    "pkg/apis/scheduling",
+    "pkg/apis/scheduling/install",
+    "pkg/apis/scheduling/v1",
+    "pkg/apis/scheduling/v1alpha1",
+    "pkg/apis/scheduling/v1beta1",
+    "pkg/apis/settings",
+    "pkg/apis/settings/install",
+    "pkg/apis/settings/v1alpha1",
+    "pkg/apis/storage",
+    "pkg/apis/storage/install",
+    "pkg/apis/storage/v1",
+    "pkg/apis/storage/v1alpha1",
+    "pkg/apis/storage/v1beta1",
    "pkg/kubectl/scheme",
    "pkg/kubectl/util/term",
    "pkg/util/interrupt",
    "pkg/util/node",
+    "pkg/util/parsers",
  ]
  pruneopts = ""
  revision = "2d20b5759406ded89f8b25cf085ff4733b144ba5"
@@ -1582,9 +1672,9 @@
  analyzer-name = "dep"
  analyzer-version = 1
  input-imports = [
+    "bou.ke/monkey",
    "github.com/Masterminds/semver",
    "github.com/TomOnTime/utfutil",
-    "github.com/argoproj/argo/pkg/apis/workflow/v1alpha1",
    "github.com/argoproj/argo/util",
    "github.com/argoproj/pkg/errors",
    "github.com/argoproj/pkg/exec",
@@ -1632,6 +1722,7 @@
    "github.com/pkg/errors",
    "github.com/prometheus/client_golang/prometheus",
    "github.com/prometheus/client_golang/prometheus/promhttp",
+    "github.com/robfig/cron",
    "github.com/sirupsen/logrus",
    "github.com/sirupsen/logrus/hooks/test",
    "github.com/skratchdot/open-golang/open",
@@ -1646,6 +1737,7 @@
    "github.com/yuin/gopher-lua",
    "golang.org/x/crypto/bcrypt",
    "golang.org/x/crypto/ssh",
+    "golang.org/x/crypto/ssh/knownhosts",
    "golang.org/x/crypto/ssh/terminal",
    "golang.org/x/net/context",
    "golang.org/x/oauth2",
@@ -1719,13 +1811,30 @@
    "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1",
    "k8s.io/kube-openapi/cmd/openapi-gen",
    "k8s.io/kube-openapi/pkg/common",
+    "k8s.io/kubernetes/pkg/api/legacyscheme",
    "k8s.io/kubernetes/pkg/api/v1/pod",
    "k8s.io/kubernetes/pkg/apis/apps",
+    "k8s.io/kubernetes/pkg/apis/apps/install",
+    "k8s.io/kubernetes/pkg/apis/authentication/install",
+    "k8s.io/kubernetes/pkg/apis/authorization/install",
+    "k8s.io/kubernetes/pkg/apis/autoscaling/install",
    "k8s.io/kubernetes/pkg/apis/batch",
+    "k8s.io/kubernetes/pkg/apis/batch/install",
+    "k8s.io/kubernetes/pkg/apis/certificates/install",
+    "k8s.io/kubernetes/pkg/apis/coordination/install",
    "k8s.io/kubernetes/pkg/apis/core",
+    "k8s.io/kubernetes/pkg/apis/core/install",
+    "k8s.io/kubernetes/pkg/apis/events/install",
+    "k8s.io/kubernetes/pkg/apis/extensions/install",
+    "k8s.io/kubernetes/pkg/apis/policy/install",
+    "k8s.io/kubernetes/pkg/apis/rbac/install",
+    "k8s.io/kubernetes/pkg/apis/scheduling/install",
+    "k8s.io/kubernetes/pkg/apis/settings/install",
+    "k8s.io/kubernetes/pkg/apis/storage/install",
    "k8s.io/kubernetes/pkg/kubectl/scheme",
    "k8s.io/kubernetes/pkg/kubectl/util/term",
    "k8s.io/kubernetes/pkg/util/node",
+    "k8s.io/utils/pointer",
    "layeh.com/gopher-json",
  ]
  solver-name = "gps-cdcl"
--- a/45
+++ b/45
@@ -9,25 +9,21 @@ GIT_COMMIT=$(shell git rev-parse HEAD)
 GIT_TAG=$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)
 GIT_TREE_STATE=$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
 PACKR_CMD=$(shell if [ "`which packr`" ]; then echo "packr"; else echo "go run vendor/github.com/gobuffalo/packr/packr/main.go"; fi)
+VOLUME_MOUNT=$(shell [[ $(go env GOOS)=="darwin" ]] && echo ":delegated" || echo "")

 define run-in-dev-tool
-    docker run --rm -it -u $(shell id -u) -e HOME=/home/user -v ${CURRENT_DIR}:/go/src/github.com/argoproj/argo-cd -w /go/src/github.com/argoproj/argo-cd argocd-dev-tools bash -c "GOPATH=/go $(1)"
+    docker run --rm -it -u $(shell id -u) -e HOME=/home/user -v ${CURRENT_DIR}:/go/src/github.com/argoproj/argo-cd${VOLUME_MOUNT} -w /go/src/github.com/argoproj/argo-cd argocd-dev-tools bash -c "GOPATH=/go $(1)"
 endef

 PATH:=$(PATH):$(PWD)/hack

 # docker image publishing options
 DOCKER_PUSH?=false
-IMAGE_TAG?=latest
+IMAGE_NAMESPACE?=
 # perform static compilation
 STATIC_BUILD?=true
 # build development images
 DEV_IMAGE?=false
-# lint is memory and CPU intensive, so we can limit on CI to mitigate OOM
-LINT_GOGC?=off
-LINT_CONCURRENCY?=8
-# Set timeout for linter
-LINT_DEADLINE?=1m0s

 override LDFLAGS += \
  -X ${PACKAGE}.version=${VERSION} \
@@ -94,14 +90,14 @@ argocd-util: clean-debug

 .PHONY: dev-tools-image
 dev-tools-image:
-	docker build -t argocd-dev-tools ./hack -f ./hack/Dockerfile.dev-tools
+	cd hack && docker build -t argocd-dev-tools . -f Dockerfile.dev-tools

 .PHONY: manifests-local
 manifests-local:
 	./hack/update-manifests.sh

 .PHONY: manifests
-manifests: dev-tools-image
+manifests:
 	$(call run-in-dev-tool,make manifests-local IMAGE_TAG='${IMAGE_TAG}')


@@ -128,8 +124,10 @@ ifeq ($(DEV_IMAGE), true)
 # The "dev" image builds the binaries from the users desktop environment (instead of in Docker)
 # which speeds up builds. Dockerfile.dev needs to be copied into dist to perform the build, since
 # the dist directory is under .dockerignore.
+IMAGE_TAG="dev-$(shell git describe --always --dirty)"
 image: packr
 	docker build -t argocd-base --target argocd-base .
+	docker build -t argocd-ui --target argocd-ui .
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd/argocd-server
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd/argocd-application-controller
 	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd/argocd-repo-server
@@ -149,15 +147,22 @@ builder-image:
 	docker build  -t $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) --target builder .
 	@if [ "$(DOCKER_PUSH)" = "true" ] ; then docker push $(IMAGE_PREFIX)argo-cd-ci-builder:$(IMAGE_TAG) ; fi

+.PHONY: dep
+dep:
+	dep ensure -v
+
 .PHONY: dep-ensure
 dep-ensure:
 	dep ensure -no-vendor

+.PHONY: install-lint-tools
+install-lint-tools:
+	./hack/install.sh lint-tools
+
 .PHONY: lint
 lint:
-	# golangci-lint does not do a good job of formatting imports
-	goimports -local github.com/argoproj/argo-cd -w `find . ! -path './vendor/*' ! -path './pkg/client/*' -type f -name '*.go'`
-	GOGC=$(LINT_GOGC) golangci-lint run --fix --verbose --concurrency $(LINT_CONCURRENCY) --deadline $(LINT_DEADLINE)
+	golangci-lint --version
+	golangci-lint run --fix --verbose

 .PHONY: build
 build:
@@ -165,15 +170,11 @@ build:

 .PHONY: test
 test:
-	go test -v -covermode=count -coverprofile=coverage.out `go list ./... | grep -v "test/e2e"`
-
-.PHONY: cover
-cover:
-	go tool cover -html=coverage.out
+	 ./hack/test.sh -coverprofile=coverage.out `go list ./... | grep -v 'test/e2e'`

 .PHONY: test-e2e
-test-e2e: cli
-	go test -v -timeout 10m ./test/e2e
+test-e2e:
+	./hack/test.sh -timeout 15m ./test/e2e

 .PHONY: start-e2e
 start-e2e: cli
@@ -186,6 +187,8 @@ start-e2e: cli
 	# set paths for locally managed ssh known hosts and tls certs data
 	ARGOCD_SSH_DATA_PATH=/tmp/argo-e2e/app/config/ssh \
 	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
+	ARGOCD_E2E_DISABLE_AUTH=false \
+	ARGOCD_ZJWT_FEATURE_FLAG=always \
 		goreman start

 # Cleans VSCode debug.test files from sub-dirs to prevent them from being included in packr boxes
@@ -202,8 +205,10 @@ start:
 	killall goreman || true
 	# check we can connect to Docker to start Redis
 	docker version
+	kubectl create ns argocd || true
 	kubens argocd
-	goreman start
+	ARGOCD_ZJWT_FEATURE_FLAG=always \
+		goreman start

 .PHONY: pre-commit
 pre-commit: dep-ensure codegen build lint test
--- a/6
+++ b/6
@@ -1,8 +1,12 @@
 owners:
+- alexec
 - alexmt
 - jessesuen

+reviewers:
+- jannfis
+
 approvers:
- alexc
+- alexec
 - alexmt
 - jessesuen
--- a/6
+++ b/6
@@ -1,7 +1,7 @@
 controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-application-controller/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --staticassets ui/dist/app"
+api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-server/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --staticassets ui/dist/app"
 dex: sh -c "go run ./cmd/argocd-util/main.go gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml quay.io/dexidp/dex:v2.14.0 serve /dex.yaml"
 redis: docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:5.0.3-alpine --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}
-repo-server: sh -c "FORCE_LOG_COLORS=1 go run ./cmd/argocd-repo-server/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
+repo-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true go run ./cmd/argocd-repo-server/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
-git-server: test/fixture/testrepos/start-git.sh
+git-server: test/fixture/testrepos/start-git.sh
--- a/README.md
+++ b/README.md
@@ -1,5 +1,6 @@
 [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
 [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
+[![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest)

 # Argo CD - Declarative Continuous Delivery for Kubernetes

@@ -12,6 +13,7 @@ Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.
 ## Why Argo CD?

 Application definitions, configurations, and environments should be declarative and version controlled.
+
 Application deployment and lifecycle management should be automated, auditable, and easy to understand.


@@ -24,10 +26,12 @@ Organizations below are **officially** using Argo CD. Please send a PR with your
 1. [Commonbond](https://commonbond.co/)
 1. [CyberAgent](https://www.cyberagent.co.jp/en/)
 1. [END.](https://www.endclothing.com/)
+1. [Future PLC](https://www.futureplc.com/)
 1. [GMETRI](https://gmetri.com/)
 1. [Intuit](https://www.intuit.com/)
 1. [KintoHub](https://www.kintohub.com/)
 1. [KompiTech GmbH](https://www.kompitech.com/)
+1. [Lytt](https://www.lytt.co/)
 1. [Mambu](https://www.mambu.com/) 
 1. [Mirantis](https://mirantis.com/)
 1. [OpenSaaS Studio](https://opensaas.studio)
@@ -38,6 +42,7 @@ Organizations below are **officially** using Argo CD. Please send a PR with your
 1. [tZERO](https://www.tzero.com/)
 1. [Ticketmaster](https://ticketmaster.com)
 1. [Yieldlab](https://www.yieldlab.de/)
+1. [UBIO](https://ub.io/)
 1. [Volvo Cars](https://www.volvocars.com/)

 ## Documentation
--- a/2
+++ b/2
@@ -1 +1 @@
-1.1.2
+1.3.6
--- a/assets/builtin-policy.csv
+++ b/assets/builtin-policy.csv
@@ -17,6 +17,7 @@ p, role:admin, applications, update, */*, allow
 p, role:admin, applications, delete, */*, allow
 p, role:admin, applications, sync, */*, allow
 p, role:admin, applications, override, */*, allow
+p, role:admin, applications, action/*, */*, allow
 p, role:admin, certificates, create, *, allow
 p, role:admin, certificates, update, *, allow
 p, role:admin, certificates, delete, *, allow
--- a/assets/swagger.json
+++ b/assets/swagger.json
@@ -49,15 +49,17 @@
          "ApplicationService"
        ],
        "summary": "List returns list of applications",
-        "operationId": "ListMixin6",
+        "operationId": "ListMixin7",
        "parameters": [
          {
            "type": "string",
+            "description": "the application's name.",
            "name": "name",
            "in": "query"
          },
          {
            "type": "string",
+            "description": "forces application reconciliation if set to true.",
            "name": "refresh",
            "in": "query"
          },
@@ -66,13 +68,21 @@
            "items": {
              "type": "string"
            },
+            "description": "the project names to restrict returned list applications.",
            "name": "project",
            "in": "query"
          },
          {
            "type": "string",
+            "description": "when specified with a watch call, shows changes that occur after that particular version of a resource.",
            "name": "resourceVersion",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "the selector to to restrict returned list to applications only with matched labels.",
+            "name": "selector",
+            "in": "query"
          }
        ],
        "responses": {
@@ -89,7 +99,7 @@
          "ApplicationService"
        ],
        "summary": "Create creates an application",
-        "operationId": "CreateMixin6",
+        "operationId": "CreateMixin7",
        "parameters": [
          {
            "name": "body",
@@ -116,7 +126,7 @@
          "ApplicationService"
        ],
        "summary": "Update updates an application",
-        "operationId": "UpdateMixin6",
+        "operationId": "UpdateMixin7",
        "parameters": [
          {
            "type": "string",
@@ -197,7 +207,7 @@
          "ApplicationService"
        ],
        "summary": "Get returns an application by name",
-        "operationId": "GetMixin6",
+        "operationId": "GetMixin7",
        "parameters": [
          {
            "type": "string",
@@ -207,6 +217,7 @@
          },
          {
            "type": "string",
+            "description": "forces application reconciliation if set to true.",
            "name": "refresh",
            "in": "query"
          },
@@ -215,13 +226,21 @@
            "items": {
              "type": "string"
            },
+            "description": "the project names to restrict returned list applications.",
            "name": "project",
            "in": "query"
          },
          {
            "type": "string",
+            "description": "when specified with a watch call, shows changes that occur after that particular version of a resource.",
            "name": "resourceVersion",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "the selector to to restrict returned list to applications only with matched labels.",
+            "name": "selector",
+            "in": "query"
          }
        ],
        "responses": {
@@ -238,7 +257,7 @@
          "ApplicationService"
        ],
        "summary": "Delete deletes an application",
-        "operationId": "DeleteMixin6",
+        "operationId": "DeleteMixin7",
        "parameters": [
          {
            "type": "string",
@@ -769,6 +788,31 @@
        }
      }
    },
+    "/api/v1/applications/{name}/syncwindows": {
+      "get": {
+        "tags": [
+          "ApplicationService"
+        ],
+        "summary": "Get returns an application by name",
+        "operationId": "GetApplicationSyncWindows",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/applicationApplicationSyncWindowsResponse"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/certificates": {
      "get": {
        "tags": [
@@ -934,7 +978,7 @@
          "ClusterService"
        ],
        "summary": "Get returns a cluster by server address",
-        "operationId": "GetMixin1",
+        "operationId": "GetMixin2",
        "parameters": [
          {
            "type": "string",
@@ -1007,7 +1051,7 @@
          "ProjectService"
        ],
        "summary": "List returns list of projects",
-        "operationId": "ListMixin4",
+        "operationId": "ListMixin5",
        "parameters": [
          {
            "type": "string",
@@ -1029,7 +1073,7 @@
          "ProjectService"
        ],
        "summary": "Create a new project.",
-        "operationId": "CreateMixin4",
+        "operationId": "CreateMixin5",
        "parameters": [
          {
            "name": "body",
@@ -1056,7 +1100,7 @@
          "ProjectService"
        ],
        "summary": "Get returns a project by name",
-        "operationId": "GetMixin4",
+        "operationId": "GetMixin5",
        "parameters": [
          {
            "type": "string",
@@ -1079,7 +1123,7 @@
          "ProjectService"
        ],
        "summary": "Delete deletes a project",
-        "operationId": "DeleteMixin4",
+        "operationId": "DeleteMixin5",
        "parameters": [
          {
            "type": "string",
@@ -1123,13 +1167,38 @@
        }
      }
    },
+    "/api/v1/projects/{name}/syncwindows": {
+      "get": {
+        "tags": [
+          "ProjectService"
+        ],
+        "summary": "GetSchedulesState returns true if there are any active sync syncWindows",
+        "operationId": "GetSyncWindowsState",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "name",
+            "in": "path",
+            "required": true
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/projectSyncWindowsResponse"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/projects/{project.metadata.name}": {
      "put": {
        "tags": [
          "ProjectService"
        ],
        "summary": "Update updates a project",
-        "operationId": "UpdateMixin4",
+        "operationId": "UpdateMixin5",
        "parameters": [
          {
            "type": "string",
@@ -1239,7 +1308,7 @@
          "RepositoryService"
        ],
        "summary": "List returns list of repos",
-        "operationId": "ListMixin2",
+        "operationId": "ListMixin3",
        "parameters": [
          {
            "type": "string",
@@ -1261,7 +1330,7 @@
          "RepositoryService"
        ],
        "summary": "Create creates a repo",
-        "operationId": "CreateMixin2",
+        "operationId": "CreateMixin3",
        "parameters": [
          {
            "name": "body",
@@ -1288,7 +1357,7 @@
          "RepositoryService"
        ],
        "summary": "Update updates a repo",
-        "operationId": "UpdateMixin2",
+        "operationId": "UpdateMixin3",
        "parameters": [
          {
            "type": "string",
@@ -1321,7 +1390,7 @@
          "RepositoryService"
        ],
        "summary": "Delete deletes a repo",
-        "operationId": "DeleteMixin2",
+        "operationId": "DeleteMixin3",
        "parameters": [
          {
            "type": "string",
@@ -1370,50 +1439,25 @@
        }
      }
    },
-    "/api/v1/repositories/{repo}/apps/{path}": {
+    "/api/v1/repositories/{repo}/helmcharts": {
      "get": {
        "tags": [
          "RepositoryService"
        ],
-        "summary": "GetAppDetails returns application details by given path",
-        "operationId": "GetAppDetails",
+        "operationId": "GetHelmCharts",
        "parameters": [
          {
            "type": "string",
            "name": "repo",
            "in": "path",
            "required": true
-          },
-          {
-            "type": "string",
-            "name": "path",
-            "in": "path",
-            "required": true
-          },
-          {
-            "type": "string",
-            "name": "revision",
-            "in": "query"
-          },
-          {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "name": "helm.valueFiles",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "name": "ksonnet.environment",
-            "in": "query"
          }
        ],
        "responses": {
          "200": {
            "description": "(empty)",
            "schema": {
-              "$ref": "#/definitions/repositoryRepoAppDetailsResponse"
+              "$ref": "#/definitions/repositoryHelmChartsResponse"
            }
          }
        }
@@ -1452,13 +1496,46 @@
        }
      }
    },
+    "/api/v1/repositories/{source.repoURL}/appdetails": {
+      "post": {
+        "tags": [
+          "RepositoryService"
+        ],
+        "summary": "GetAppDetails returns application details by given path",
+        "operationId": "GetAppDetails",
+        "parameters": [
+          {
+            "type": "string",
+            "name": "source.repoURL",
+            "in": "path",
+            "required": true
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/repositoryRepoAppDetailsQuery"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/repositoryRepoAppDetailsResponse"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/session": {
      "post": {
        "tags": [
          "SessionService"
        ],
        "summary": "Create a new JWT for authentication and set a cookie if using HTTP.",
-        "operationId": "CreateMixin8",
+        "operationId": "CreateMixin9",
        "parameters": [
          {
            "name": "body",
@@ -1483,7 +1560,7 @@
          "SessionService"
        ],
        "summary": "Delete an existing JWT cookie if using HTTP.",
-        "operationId": "DeleteMixin8",
+        "operationId": "DeleteMixin9",
        "responses": {
          "200": {
            "description": "(empty)",
@@ -1494,6 +1571,23 @@
        }
      }
    },
+    "/api/v1/session/userinfo": {
+      "get": {
+        "tags": [
+          "SessionService"
+        ],
+        "summary": "Get the current user's info",
+        "operationId": "GetUserInfo",
+        "responses": {
+          "200": {
+            "description": "(empty)",
+            "schema": {
+              "$ref": "#/definitions/sessionGetUserInfoResponse"
+            }
+          }
+        }
+      }
+    },
    "/api/v1/settings": {
      "get": {
        "tags": [
@@ -1521,11 +1615,13 @@
        "parameters": [
          {
            "type": "string",
+            "description": "the application's name.",
            "name": "name",
            "in": "query"
          },
          {
            "type": "string",
+            "description": "forces application reconciliation if set to true.",
            "name": "refresh",
            "in": "query"
          },
@@ -1534,13 +1630,21 @@
            "items": {
              "type": "string"
            },
+            "description": "the project names to restrict returned list applications.",
            "name": "project",
            "in": "query"
          },
          {
            "type": "string",
+            "description": "when specified with a watch call, shows changes that occur after that particular version of a resource.",
            "name": "resourceVersion",
            "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "the selector to to restrict returned list to applications only with matched labels.",
+            "name": "selector",
+            "in": "query"
          }
        ],
        "responses": {
@@ -1667,6 +1771,45 @@
        }
      }
    },
+    "applicationApplicationSyncWindow": {
+      "type": "object",
+      "properties": {
+        "duration": {
+          "type": "string"
+        },
+        "kind": {
+          "type": "string"
+        },
+        "manualSync": {
+          "type": "boolean",
+          "format": "boolean"
+        },
+        "schedule": {
+          "type": "string"
+        }
+      }
+    },
+    "applicationApplicationSyncWindowsResponse": {
+      "type": "object",
+      "properties": {
+        "activeWindows": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/applicationApplicationSyncWindow"
+          }
+        },
+        "assignedWindows": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/applicationApplicationSyncWindow"
+          }
+        },
+        "canSync": {
+          "type": "boolean",
+          "format": "boolean"
+        }
+      }
+    },
    "applicationLogEntry": {
      "type": "object",
      "properties": {
@@ -1740,6 +1883,20 @@
        }
      }
    },
+    "clusterHelp": {
+      "type": "object",
+      "title": "Help settings",
+      "properties": {
+        "chatText": {
+          "type": "string",
+          "title": "the text for getting chat help, defaults to \"Chat now!\""
+        },
+        "chatUrl": {
+          "type": "string",
+          "title": "the URL for getting chat help, this will typically be your Slack channel for support"
+        }
+      }
+    },
    "clusterOIDCConfig": {
      "type": "object",
      "properties": {
@@ -1749,6 +1906,12 @@
        "clientID": {
          "type": "string"
        },
+        "idTokenClaims": {
+          "type": "object",
+          "additionalProperties": {
+            "$ref": "#/definitions/oidcClaim"
+          }
+        },
        "issuer": {
          "type": "string"
        },
@@ -1763,6 +1926,16 @@
        }
      }
    },
+    "clusterPlugin": {
+      "type": "object",
+      "title": "Plugin settings",
+      "properties": {
+        "name": {
+          "type": "string",
+          "title": "the name of the plugin, e.g. \"kasane\""
+        }
+      }
+    },
    "clusterSettings": {
      "type": "object",
      "properties": {
@@ -1775,12 +1948,21 @@
        "googleAnalytics": {
          "$ref": "#/definitions/clusterGoogleAnalyticsConfig"
        },
+        "help": {
+          "$ref": "#/definitions/clusterHelp"
+        },
        "kustomizeOptions": {
          "$ref": "#/definitions/v1alpha1KustomizeOptions"
        },
        "oidcConfig": {
          "$ref": "#/definitions/clusterOIDCConfig"
        },
+        "plugins": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/clusterPlugin"
+          }
+        },
        "resourceOverrides": {
          "type": "object",
          "additionalProperties": {
@@ -1796,6 +1978,24 @@
        }
      }
    },
+    "oidcClaim": {
+      "type": "object",
+      "properties": {
+        "essential": {
+          "type": "boolean",
+          "format": "boolean"
+        },
+        "value": {
+          "type": "string"
+        },
+        "values": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        }
+      }
+    },
    "projectEmptyResponse": {
      "type": "object"
    },
@@ -1805,6 +2005,10 @@
      "properties": {
        "project": {
          "$ref": "#/definitions/v1alpha1AppProject"
+        },
+        "upsert": {
+          "type": "boolean",
+          "format": "boolean"
        }
      }
    },
@@ -1845,6 +2049,17 @@
        }
      }
    },
+    "projectSyncWindowsResponse": {
+      "type": "object",
+      "properties": {
+        "windows": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1SyncWindow"
+          }
+        }
+      }
+    },
    "repositoryAppInfo": {
      "type": "object",
      "title": "AppInfo contains application type and app file path",
@@ -1861,34 +2076,39 @@
      "type": "object",
      "title": "DirectoryAppSpec contains directory"
    },
-    "repositoryHelmAppDetailsQuery": {
-      "type": "object",
-      "properties": {
-        "valueFiles": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
-        }
-      }
-    },
    "repositoryHelmAppSpec": {
      "type": "object",
-      "title": "HelmAppSpec contains helm app name and path in source repo",
+      "title": "HelmAppSpec contains helm app name  in source repo",
      "properties": {
        "name": {
          "type": "string"
        },
        "parameters": {
          "type": "array",
+          "title": "the output of `helm inspect values`",
          "items": {
            "$ref": "#/definitions/v1alpha1HelmParameter"
          }
        },
-        "path": {
+        "valueFiles": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "values": {
+          "type": "string",
+          "title": "the contents of values.yaml"
+        }
+      }
+    },
+    "repositoryHelmChart": {
+      "type": "object",
+      "properties": {
+        "name": {
          "type": "string"
        },
-        "valueFiles": {
+        "versions": {
          "type": "array",
          "items": {
            "type": "string"
@@ -1896,11 +2116,14 @@
        }
      }
    },
-    "repositoryKsonnetAppDetailsQuery": {
+    "repositoryHelmChartsResponse": {
      "type": "object",
      "properties": {
-        "environment": {
-          "type": "string"
+        "items": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/repositoryHelmChart"
+          }
        }
      }
    },
@@ -1922,9 +2145,6 @@
          "items": {
            "$ref": "#/definitions/v1alpha1KsonnetParameter"
          }
-        },
-        "path": {
-          "type": "string"
        }
      }
    },
@@ -1941,10 +2161,6 @@
        "name": {
          "type": "string",
          "title": "Name is the user defined name of an environment"
-        },
-        "path": {
-          "description": "Path is the relative project path containing metadata for this environment.",
-          "type": "string"
        }
      }
    },
@@ -1963,7 +2179,7 @@
    },
    "repositoryKustomizeAppSpec": {
      "type": "object",
-      "title": "KustomizeAppSpec contains kustomize app name and path in source repo",
+      "title": "KustomizeAppSpec contains kustomize images",
      "properties": {
        "images": {
          "description": "images is a list of available images.",
@@ -1971,9 +2187,6 @@
          "items": {
            "type": "string"
          }
-        },
-        "path": {
-          "type": "string"
        }
      }
    },
@@ -2000,6 +2213,15 @@
        }
      }
    },
+    "repositoryRepoAppDetailsQuery": {
+      "type": "object",
+      "title": "RepoAppDetailsQuery contains query information for app details request",
+      "properties": {
+        "source": {
+          "$ref": "#/definitions/v1alpha1ApplicationSource"
+        }
+      }
+    },
    "repositoryRepoAppDetailsResponse": {
      "type": "object",
      "title": "RepoAppDetailsResponse application details",
@@ -2036,6 +2258,28 @@
    "repositoryRepoResponse": {
      "type": "object"
    },
+    "sessionGetUserInfoResponse": {
+      "type": "object",
+      "title": "The current user's userInfo info",
+      "properties": {
+        "groups": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "iss": {
+          "type": "string"
+        },
+        "loggedIn": {
+          "type": "boolean",
+          "format": "boolean"
+        },
+        "username": {
+          "type": "string"
+        }
+      }
+    },
    "sessionSessionCreateRequest": {
      "description": "SessionCreateRequest is for logging in.",
      "type": "object",
@@ -2612,6 +2856,9 @@
            "$ref": "#/definitions/v1GroupKind"
          }
        },
+        "orphanedResources": {
+          "$ref": "#/definitions/v1alpha1OrphanedResourcesMonitorSettings"
+        },
        "roles": {
          "type": "array",
          "title": "Roles are user defined RBAC roles associated with this project",
@@ -2621,10 +2868,17 @@
        },
        "sourceRepos": {
          "type": "array",
-          "title": "SourceRepos contains list of git repository URLs which can be used for deployment",
+          "title": "SourceRepos contains list of repository URLs which can be used for deployment",
          "items": {
            "type": "string"
          }
+        },
+        "syncWindows": {
+          "type": "array",
+          "title": "SyncWindows controls when syncs can be run for apps in this project",
+          "items": {
+            "$ref": "#/definitions/v1alpha1SyncWindow"
+          }
        }
      }
    },
@@ -2693,6 +2947,10 @@
      "description": "ApplicationSource contains information about github repository, path within repository and target application environment.",
      "type": "object",
      "properties": {
+        "chart": {
+          "type": "string",
+          "title": "Chart is a Helm chart name"
+        },
        "directory": {
          "$ref": "#/definitions/v1alpha1ApplicationSourceDirectory"
        },
@@ -2707,14 +2965,14 @@
        },
        "path": {
          "type": "string",
-          "title": "Path is a directory path within the repository containing a"
+          "title": "Path is a directory path within the Git repository"
        },
        "plugin": {
          "$ref": "#/definitions/v1alpha1ApplicationSourcePlugin"
        },
        "repoURL": {
          "type": "string",
-          "title": "RepoURL is the git repository URL of the application manifests"
+          "title": "RepoURL is the repository URL of the application manifests"
        },
        "targetRevision": {
          "type": "string",
@@ -2755,6 +3013,10 @@
          "items": {
            "type": "string"
          }
+        },
+        "values": {
+          "type": "string",
+          "title": "Values is Helm values, typically defined as a block"
        }
      }
    },
@@ -2936,6 +3198,14 @@
      "title": "ApplicationTree holds nodes which belongs to the application",
      "properties": {
        "nodes": {
+          "description": "Nodes contains list of nodes which either directly managed by the application and children of directly managed nodes.",
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1alpha1ResourceNode"
+          }
+        },
+        "orphanedNodes": {
+          "description": "OrphanedNodes contains if or orphaned nodes: nodes which are not managed by the app but in the same namespace. List is populated only if orphaned resources enabled in app project.",
          "type": "array",
          "items": {
            "$ref": "#/definitions/v1alpha1ResourceNode"
@@ -2972,6 +3242,10 @@
        "server": {
          "type": "string",
          "title": "Server is the API server URL of the Kubernetes cluster"
+        },
+        "serverVersion": {
+          "type": "string",
+          "title": "The server version"
        }
      }
    },
@@ -3198,6 +3472,17 @@
        }
      }
    },
+    "v1alpha1OrphanedResourcesMonitorSettings": {
+      "type": "object",
+      "title": "OrphanedResourcesMonitorSettings holds settings of orphaned resources monitoring",
+      "properties": {
+        "warn": {
+          "type": "boolean",
+          "format": "boolean",
+          "title": "Warn indicates if warning condition should be created for apps which have orphaned resources"
+        }
+      }
+    },
    "v1alpha1ProjectRole": {
      "type": "object",
      "title": "ProjectRole represents a role that has access to a project",
@@ -3235,7 +3520,7 @@
    },
    "v1alpha1Repository": {
      "type": "object",
-      "title": "Repository is a Git repository holding application configurations",
+      "title": "Repository is a repository holding application configurations",
      "properties": {
        "connectionState": {
          "$ref": "#/definitions/v1alpha1ConnectionState"
@@ -3253,7 +3538,11 @@
        "insecureIgnoreHostKey": {
          "type": "boolean",
          "format": "boolean",
-          "title": "InsecureIgnoreHostKey should not be used anymore, Insecure is favoured"
+          "title": "InsecureIgnoreHostKey should not be used anymore, Insecure is favoured\nonly for Git repos"
+        },
+        "name": {
+          "type": "string",
+          "title": "only for Helm repos"
        },
        "password": {
          "type": "string",
@@ -3265,7 +3554,7 @@
        },
        "sshPrivateKey": {
          "type": "string",
-          "title": "SSH private key data for authenticating at the repo server"
+          "title": "SSH private key data for authenticating at the repo server\nonly for Git repos"
        },
        "tlsClientCertData": {
          "type": "string",
@@ -3275,6 +3564,10 @@
          "type": "string",
          "title": "TLS client cert key for authenticating at the repo server"
        },
+        "type": {
+          "type": "string",
+          "title": "type of the repo, maybe \"git or \"helm, \"git\" is assumed if empty or absent"
+        },
        "username": {
          "type": "string",
          "title": "Username for authenticating at the repo server"
@@ -3342,6 +3635,10 @@
    "v1alpha1ResourceAction": {
      "type": "object",
      "properties": {
+        "disabled": {
+          "type": "boolean",
+          "format": "boolean"
+        },
        "name": {
          "type": "string"
        },
@@ -3380,6 +3677,10 @@
        "group": {
          "type": "string"
        },
+        "hook": {
+          "type": "boolean",
+          "format": "boolean"
+        },
        "kind": {
          "type": "string"
        },
@@ -3681,7 +3982,7 @@
          }
        },
        "revision": {
-          "description": "Revision is the git revision in which to sync the application to.\nIf omitted, will use the revision specified in app spec.",
+          "description": "Revision is the revision in which to sync the application to.\nIf omitted, will use the revision specified in app spec.",
          "type": "string"
        },
        "source": {
@@ -3720,7 +4021,7 @@
        },
        "revision": {
          "type": "string",
-          "title": "Revision holds the git commit SHA of the sync"
+          "title": "Revision holds the revision of the sync"
        },
        "source": {
          "$ref": "#/definitions/v1alpha1ApplicationSource"
@@ -3799,6 +4100,50 @@
        }
      }
    },
+    "v1alpha1SyncWindow": {
+      "type": "object",
+      "title": "SyncWindow contains the kind, time, duration and attributes that are used to assign the syncWindows to apps",
+      "properties": {
+        "applications": {
+          "type": "array",
+          "title": "Applications contains a list of applications that the window will apply to",
+          "items": {
+            "type": "string"
+          }
+        },
+        "clusters": {
+          "type": "array",
+          "title": "Clusters contains a list of clusters that the window will apply to",
+          "items": {
+            "type": "string"
+          }
+        },
+        "duration": {
+          "type": "string",
+          "title": "Duration is the amount of time the sync window will be open"
+        },
+        "kind": {
+          "type": "string",
+          "title": "Kind defines if the window allows or blocks syncs"
+        },
+        "manualSync": {
+          "type": "boolean",
+          "format": "boolean",
+          "title": "ManualSync enables manual syncs when they would otherwise be blocked"
+        },
+        "namespaces": {
+          "type": "array",
+          "title": "Namespaces contains a list of namespaces that the window will apply to",
+          "items": {
+            "type": "string"
+          }
+        },
+        "schedule": {
+          "type": "string",
+          "title": "Schedule is the time the window will begin, specified in cron format"
+        }
+      }
+    },
    "v1alpha1TLSClientConfig": {
      "type": "object",
      "title": "TLSClientConfig contains settings to enable transport layer security",
@@ -3851,9 +4196,18 @@
        "GoVersion": {
          "type": "string"
        },
+        "HelmVersion": {
+          "type": "string"
+        },
        "KsonnetVersion": {
          "type": "string"
        },
+        "KubectlVersion": {
+          "type": "string"
+        },
+        "KustomizeVersion": {
+          "type": "string"
+        },
        "Platform": {
          "type": "string"
        },
--- a/cmd/argocd-application-controller/main.go
+++ b/cmd/argocd-application-controller/main.go
@@ -23,6 +23,7 @@ import (
 	"github.com/argoproj/argo-cd/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/kube"
 	"github.com/argoproj/argo-cd/util/settings"
 	"github.com/argoproj/argo-cd/util/stats"
 )
@@ -46,6 +47,7 @@ func newCommand() *cobra.Command {
 		logLevel                 string
 		glogLevel                int
 		metricsPort              int
+		kubectlParallelismLimit  int64
 		cacheSrc                 func() (*cache.Cache, error)
 	)
 	var command = cobra.Command{
@@ -75,6 +77,7 @@ func newCommand() *cobra.Command {
 			errors.CheckError(err)

 			settingsMgr := settings.NewSettingsManager(ctx, kubeClient, namespace)
+			kubectl := &kube.KubectlCmd{}
 			appController, err := controller.NewApplicationController(
 				namespace,
 				settingsMgr,
@@ -82,9 +85,11 @@ func newCommand() *cobra.Command {
 				appClient,
 				repoClientset,
 				cache,
+				kubectl,
 				resyncDuration,
 				time.Duration(selfHealTimeoutSeconds)*time.Second,
-				metricsPort)
+				metricsPort,
+				kubectlParallelismLimit)
 			errors.CheckError(err)

 			log.Infof("Application Controller (version: %s) starting (namespace: %s)", common.GetVersion(), namespace)
@@ -109,6 +114,7 @@ func newCommand() *cobra.Command {
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDMetrics, "Start metrics server on given port")
 	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", 5, "Specifies timeout between application self heal attempts")
+	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", 20, "Number of allowed concurrent kubectl fork/execs. Any value less the 1 means no limit.")

 	cacheSrc = cache.AddCacheFlagsToCmd(&command)
 	return &command
--- a/cmd/argocd-repo-server/main.go
+++ b/cmd/argocd-repo-server/main.go
@@ -7,17 +7,15 @@ import (
 	"os"
 	"time"

-	"github.com/argoproj/argo-cd/reposerver/metrics"
-
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

 	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/errors"
 	"github.com/argoproj/argo-cd/reposerver"
+	"github.com/argoproj/argo-cd/reposerver/metrics"
 	"github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/cli"
-	"github.com/argoproj/argo-cd/util/git"
 	"github.com/argoproj/argo-cd/util/stats"
 	"github.com/argoproj/argo-cd/util/tls"
 )
@@ -48,7 +46,7 @@ func newCommand() *cobra.Command {
 			cache, err := cacheSrc()
 			errors.CheckError(err)

-			metricsServer := metrics.NewMetricsServer(git.NewFactory())
+			metricsServer := metrics.NewMetricsServer()
 			server, err := reposerver.NewServer(metricsServer, cache, tlsConfigCustomizer, parallelismLimit)
 			errors.CheckError(err)

--- a/cmd/argocd-util/main.go
+++ b/cmd/argocd-util/main.go
@@ -8,6 +8,7 @@ import (
 	"io/ioutil"
 	"os"
 	"os/exec"
+	"regexp"
 	"syscall"

 	"github.com/ghodss/yaml"
@@ -73,6 +74,7 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(NewImportCommand())
 	command.AddCommand(NewExportCommand())
 	command.AddCommand(NewClusterConfig())
+	command.AddCommand(NewProjectsCommand())

 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	return command
@@ -108,7 +110,7 @@ func NewRunDexCommand() *cobra.Command {
 				} else {
 					err = ioutil.WriteFile("/tmp/dex.yaml", dexCfgBytes, 0644)
 					errors.CheckError(err)
-					log.Info(string(dexCfgBytes))
+					log.Info(redactor(string(dexCfgBytes)))
 					cmd = exec.Command("dex", "serve", "/tmp/dex.yaml")
 					cmd.Stdout = os.Stdout
 					cmd.Stderr = os.Stderr
@@ -219,6 +221,7 @@ func NewImportCommand() *cobra.Command {
 				os.Exit(1)
 			}
 			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
 			config.QPS = 100
 			config.Burst = 50
 			errors.CheckError(err)
@@ -449,28 +452,6 @@ func getReferencedSecrets(un unstructured.Unstructured) map[string]bool {
 			}
 		}
 	}
-	if helmReposRAW, ok := cm.Data["helm.repositories"]; ok {
-		helmRepoCreds := make([]settings.HelmRepoCredentials, 0)
-		err := yaml.Unmarshal([]byte(helmReposRAW), &helmRepoCreds)
-		errors.CheckError(err)
-		for _, cred := range helmRepoCreds {
-			if cred.CASecret != nil {
-				referencedSecrets[cred.CASecret.Name] = true
-			}
-			if cred.CertSecret != nil {
-				referencedSecrets[cred.CertSecret.Name] = true
-			}
-			if cred.KeySecret != nil {
-				referencedSecrets[cred.KeySecret.Name] = true
-			}
-			if cred.UsernameSecret != nil {
-				referencedSecrets[cred.UsernameSecret.Name] = true
-			}
-			if cred.PasswordSecret != nil {
-				referencedSecrets[cred.PasswordSecret.Name] = true
-			}
-		}
-	}
 	return referencedSecrets
 }

@@ -554,6 +535,11 @@ func NewClusterConfig() *cobra.Command {
 	return command
 }

+func redactor(dirtyString string) string {
+	dirtyString = regexp.MustCompile("(clientSecret: )[^ \n]*").ReplaceAllString(dirtyString, "$1********")
+	return regexp.MustCompile("(secret: )[^ \n]*").ReplaceAllString(dirtyString, "$1********")
+}
+
 func main() {
 	if err := NewCommand().Execute(); err != nil {
 		fmt.Println(err)
--- a/cmd/argocd-util/main_test.go
+++ b/cmd/argocd-util/main_test.go
@@ -0,0 +1,73 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+var textToRedact = `
+- config:
+    clientID: aabbccddeeff00112233
+    clientSecret: $dex.github.clientSecret
+    orgs:
+    - name: your-github-org
+    redirectURI: https://argocd.example.com/api/dex/callback
+  id: github
+  name: GitHub
+  type: github
+grpc:
+  addr: 0.0.0.0:5557
+issuer: https://argocd.example.com/api/dex
+oauth2:
+  skipApprovalScreen: true
+staticClients:
+- id: argo-cd
+  name: Argo CD
+  redirectURIs:
+  - https://argocd.example.com/auth/callback
+  secret: Dis9M-GA11oTwZVQQWdDklPQw-sWXZkWJFyyEhMs
+- id: argo-cd-cli
+  name: Argo CD CLI
+  public: true
+  redirectURIs:
+  - http://localhost
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556`
+
+var expectedRedaction = `
+- config:
+    clientID: aabbccddeeff00112233
+    clientSecret: ********
+    orgs:
+    - name: your-github-org
+    redirectURI: https://argocd.example.com/api/dex/callback
+  id: github
+  name: GitHub
+  type: github
+grpc:
+  addr: 0.0.0.0:5557
+issuer: https://argocd.example.com/api/dex
+oauth2:
+  skipApprovalScreen: true
+staticClients:
+- id: argo-cd
+  name: Argo CD
+  redirectURIs:
+  - https://argocd.example.com/auth/callback
+  secret: ********
+- id: argo-cd-cli
+  name: Argo CD CLI
+  public: true
+  redirectURIs:
+  - http://localhost
+storage:
+  type: memory
+web:
+  http: 0.0.0.0:5556`
+
+func TestSecretsRedactor(t *testing.T) {
+	assert.Equal(t, expectedRedaction, redactor(textToRedact))
+}
--- a/cmd/argocd-util/projects.go
+++ b/cmd/argocd-util/projects.go
@@ -0,0 +1,192 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/argoproj/argo-cd/errors"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/pkg/client/clientset/versioned"
+	appclient "github.com/argoproj/argo-cd/pkg/client/clientset/versioned/typed/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/diff"
+	"github.com/argoproj/argo-cd/util/kube"
+
+	"github.com/spf13/cobra"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+func NewProjectsCommand() *cobra.Command {
+	var command = &cobra.Command{
+		Use: "projects",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+
+	command.AddCommand(NewUpdatePolicyRuleCommand())
+	return command
+}
+
+func globMatch(pattern string, val string) bool {
+	if pattern == "*" {
+		return true
+	}
+	if ok, err := filepath.Match(pattern, val); ok && err == nil {
+		return true
+	}
+	return false
+}
+
+func getModification(modification string, resource string, scope string, permission string) (func(string, string) string, error) {
+	switch modification {
+	case "set":
+		if scope == "" {
+			return nil, fmt.Errorf("Flag --group cannot be empty if permission should be set in role")
+		}
+		if permission == "" {
+			return nil, fmt.Errorf("Flag --permission cannot be empty if permission should be set in role")
+		}
+		return func(proj string, action string) string {
+			return fmt.Sprintf("%s, %s, %s/%s, %s", resource, action, proj, scope, permission)
+		}, nil
+	case "remove":
+		return func(proj string, action string) string {
+			return ""
+		}, nil
+	}
+	return nil, fmt.Errorf("modification %s is not supported", modification)
+}
+
+func saveProject(updated v1alpha1.AppProject, orig v1alpha1.AppProject, projectsIf appclient.AppProjectInterface, dryRun bool) error {
+	fmt.Printf("===== %s ======\n", updated.Name)
+	target, err := kube.ToUnstructured(&updated)
+	errors.CheckError(err)
+	live, err := kube.ToUnstructured(&orig)
+	if err != nil {
+		return err
+	}
+	_ = diff.PrintDiff(updated.Name, target, live)
+	if !dryRun {
+		_, err = projectsIf.Update(&updated)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func formatPolicy(proj string, role string, permission string) string {
+	return fmt.Sprintf("p, proj:%s:%s, %s", proj, role, permission)
+}
+
+func split(input string, delimiter string) []string {
+	parts := strings.Split(input, delimiter)
+	for i := range parts {
+		parts[i] = strings.TrimSpace(parts[i])
+	}
+	return parts
+}
+
+func NewUpdatePolicyRuleCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		resource     string
+		scope        string
+		rolePattern  string
+		permission   string
+		dryRun       bool
+	)
+	var command = &cobra.Command{
+		Use:   "update-role-policy PROJECT_GLOB MODIFICATION ACTION",
+		Short: "Implement bulk project role update. Useful to back-fill existing project policies or remove obsolete actions.",
+		Example: `  # Add policy that allows executing any action (action/*) to roles which name matches to *deployer* in all projects  
+  argocd-util projects update-role-policy '*' set 'action/*' --role '*deployer*' --resource applications --scope '*' --permission allow
+
+  # Remove policy that which manages running (action/*) from all roles which name matches *deployer* in all projects
+  argocd-util projects update-role-policy '*' remove override --role '*deployer*'
+`,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 3 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projectGlob := args[0]
+			modificationType := args[1]
+			action := args[2]
+
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			config.QPS = 100
+			config.Burst = 50
+
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			appclients := appclientset.NewForConfigOrDie(config)
+
+			modification, err := getModification(modificationType, resource, scope, permission)
+			errors.CheckError(err)
+			projIf := appclients.ArgoprojV1alpha1().AppProjects(namespace)
+
+			err = updateProjects(projIf, projectGlob, rolePattern, action, modification, dryRun)
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().StringVar(&resource, "resource", "", "Resource e.g. 'applications'")
+	command.Flags().StringVar(&scope, "scope", "", "Resource scope e.g. '*'")
+	command.Flags().StringVar(&rolePattern, "role", "*", "Role name pattern e.g. '*deployer*'")
+	command.Flags().StringVar(&permission, "permission", "", "Action permission")
+	command.Flags().BoolVar(&dryRun, "dry-run", true, "Dry run")
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	return command
+}
+
+func updateProjects(projIf appclient.AppProjectInterface, projectGlob string, rolePattern string, action string, modification func(string, string) string, dryRun bool) error {
+	projects, err := projIf.List(v1.ListOptions{})
+	if err != nil {
+		return err
+	}
+	for _, proj := range projects.Items {
+		if !globMatch(projectGlob, proj.Name) {
+			continue
+		}
+		origProj := proj.DeepCopy()
+		updated := false
+		for i, role := range proj.Spec.Roles {
+			if !globMatch(rolePattern, role.Name) {
+				continue
+			}
+			actionPolicyIndex := -1
+			for i := range role.Policies {
+				parts := split(role.Policies[i], ",")
+				if len(parts) != 6 || parts[3] != action {
+					continue
+				}
+				actionPolicyIndex = i
+				break
+			}
+			policyPermission := modification(proj.Name, action)
+			if actionPolicyIndex == -1 && policyPermission != "" {
+				updated = true
+				role.Policies = append(role.Policies, formatPolicy(proj.Name, role.Name, policyPermission))
+			} else if actionPolicyIndex > -1 && policyPermission == "" {
+				updated = true
+				role.Policies = append(role.Policies[:actionPolicyIndex], role.Policies[actionPolicyIndex+1:]...)
+			} else if actionPolicyIndex > -1 && policyPermission != "" {
+				updated = true
+				role.Policies[actionPolicyIndex] = formatPolicy(proj.Name, role.Name, policyPermission)
+			}
+			proj.Spec.Roles[i] = role
+		}
+		if updated {
+			err = saveProject(proj, *origProj, projIf, dryRun)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
--- a/cmd/argocd-util/projects_test.go
+++ b/cmd/argocd-util/projects_test.go
@@ -0,0 +1,78 @@
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/pkg/client/clientset/versioned/fake"
+)
+
+const (
+	namespace = "default"
+)
+
+func newProj(name string, roleNames ...string) *v1alpha1.AppProject {
+	var roles []v1alpha1.ProjectRole
+	for i := range roleNames {
+		roles = append(roles, v1alpha1.ProjectRole{Name: roleNames[i]})
+	}
+	return &v1alpha1.AppProject{ObjectMeta: v1.ObjectMeta{
+		Name:      name,
+		Namespace: namespace,
+	}, Spec: v1alpha1.AppProjectSpec{
+		Roles: roles,
+	}}
+}
+
+func TestUpdateProjects_FindMatchingProject(t *testing.T) {
+	clientset := fake.NewSimpleClientset(newProj("foo", "test"), newProj("bar", "test"))
+
+	modification, err := getModification("set", "*", "*", "allow")
+	assert.NoError(t, err)
+	err = updateProjects(clientset.ArgoprojV1alpha1().AppProjects(namespace), "ba*", "*", "set", modification, false)
+	assert.NoError(t, err)
+
+	fooProj, err := clientset.ArgoprojV1alpha1().AppProjects(namespace).Get("foo", v1.GetOptions{})
+	assert.NoError(t, err)
+	assert.Len(t, fooProj.Spec.Roles[0].Policies, 0)
+
+	barProj, err := clientset.ArgoprojV1alpha1().AppProjects(namespace).Get("bar", v1.GetOptions{})
+	assert.NoError(t, err)
+	assert.EqualValues(t, barProj.Spec.Roles[0].Policies, []string{"p, proj:bar:test, *, set, bar/*, allow"})
+}
+
+func TestUpdateProjects_FindMatchingRole(t *testing.T) {
+	clientset := fake.NewSimpleClientset(newProj("proj", "foo", "bar"))
+
+	modification, err := getModification("set", "*", "*", "allow")
+	assert.NoError(t, err)
+	err = updateProjects(clientset.ArgoprojV1alpha1().AppProjects(namespace), "*", "fo*", "set", modification, false)
+	assert.NoError(t, err)
+
+	proj, err := clientset.ArgoprojV1alpha1().AppProjects(namespace).Get("proj", v1.GetOptions{})
+	assert.NoError(t, err)
+	assert.EqualValues(t, proj.Spec.Roles[0].Policies, []string{"p, proj:proj:foo, *, set, proj/*, allow"})
+	assert.Len(t, proj.Spec.Roles[1].Policies, 0)
+}
+
+func TestGetModification_SetPolicy(t *testing.T) {
+	modification, err := getModification("set", "*", "*", "allow")
+	assert.NoError(t, err)
+	policy := modification("proj", "myaction")
+	assert.Equal(t, "*, myaction, proj/*, allow", policy)
+}
+
+func TestGetModification_RemovePolicy(t *testing.T) {
+	modification, err := getModification("remove", "*", "*", "allow")
+	assert.NoError(t, err)
+	policy := modification("proj", "myaction")
+	assert.Equal(t, "", policy)
+}
+
+func TestGetModification_NotSupported(t *testing.T) {
+	_, err := getModification("bar", "*", "*", "allow")
+	assert.Errorf(t, err, "modification bar is not supported")
+}
--- a/cmd/argocd/commands/account.go
+++ b/cmd/argocd/commands/account.go
@@ -2,16 +2,21 @@ package commands

 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
+	"strings"
 	"syscall"

+	"github.com/ghodss/yaml"
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/ssh/terminal"

 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	accountpkg "github.com/argoproj/argo-cd/pkg/apiclient/account"
+	"github.com/argoproj/argo-cd/pkg/apiclient/session"
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/cli"
 	"github.com/argoproj/argo-cd/util/localconfig"
@@ -27,6 +32,7 @@ func NewAccountCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 		},
 	}
 	command.AddCommand(NewAccountUpdatePasswordCommand(clientOpts))
+	command.AddCommand(NewAccountGetUserInfoCommand(clientOpts))
 	return command
 }

@@ -93,3 +99,48 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 	command.Flags().StringVar(&newPassword, "new-password", "", "new password you want to update to")
 	return command
 }
+
+func NewAccountGetUserInfoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		output string
+	)
+	var command = &cobra.Command{
+		Use:   "get-user-info",
+		Short: "Get user info",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 0 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			conn, client := argocdclient.NewClientOrDie(clientOpts).NewSessionClientOrDie()
+			defer util.Close(conn)
+
+			ctx := context.Background()
+			response, err := client.GetUserInfo(ctx, &session.GetUserInfoRequest{})
+			errors.CheckError(err)
+
+			switch output {
+			case "yaml":
+				yamlBytes, err := yaml.Marshal(response)
+				errors.CheckError(err)
+				fmt.Println(string(yamlBytes))
+			case "json":
+				jsonBytes, err := json.MarshalIndent(response, "", "  ")
+				errors.CheckError(err)
+				fmt.Println(string(jsonBytes))
+			case "":
+				fmt.Printf("Logged In: %v\n", response.LoggedIn)
+				if response.LoggedIn {
+					fmt.Printf("Username: %s\n", response.Username)
+					fmt.Printf("Issuer: %s\n", response.Iss)
+					fmt.Printf("Groups: %v\n", strings.Join(response.Groups, ","))
+				}
+			default:
+				log.Fatalf("Unknown output format: %s", output)
+			}
+		},
+	}
+	command.Flags().StringVarP(&output, "output", "o", "", "Output format. One of: yaml, json")
+	return command
+}
--- a/cmd/argocd/commands/app.go
+++ b/cmd/argocd/commands/app.go
@@ -1,18 +1,14 @@
 package commands

 import (
+	"bufio"
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/url"
 	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
 	"reflect"
-	"regexp"
 	"sort"
 	"strconv"
 	"strings"
@@ -20,7 +16,6 @@ import (
 	"time"

 	"github.com/ghodss/yaml"
-	"github.com/google/shlex"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -35,6 +30,8 @@ import (
 	"github.com/argoproj/argo-cd/pkg/apiclient"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	applicationpkg "github.com/argoproj/argo-cd/pkg/apiclient/application"
+	clusterpkg "github.com/argoproj/argo-cd/pkg/apiclient/cluster"
+	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
 	settingspkg "github.com/argoproj/argo-cd/pkg/apiclient/settings"
 	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	repoapiclient "github.com/argoproj/argo-cd/reposerver/apiclient"
@@ -47,7 +44,7 @@ import (
 	"github.com/argoproj/argo-cd/util/git"
 	"github.com/argoproj/argo-cd/util/hook"
 	"github.com/argoproj/argo-cd/util/kube"
-	"github.com/argoproj/argo-cd/util/resource"
+	"github.com/argoproj/argo-cd/util/resource/ignore"
 	"github.com/argoproj/argo-cd/util/templates"
 )

@@ -104,11 +101,19 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 	)
 	var command = &cobra.Command{
 		Use:   "create APPNAME",
-		Short: "Create an application from a git location",
+		Short: "Create an application",
 		Run: func(c *cobra.Command, args []string) {
 			var app argoappv1.Application
 			argocdClient := argocdclient.NewClientOrDie(clientOpts)
-			if fileURL != "" {
+			if fileURL == "-" {
+				// read stdin
+				reader := bufio.NewReader(os.Stdin)
+				err := config.UnmarshalReader(reader, &app)
+				if err != nil {
+					log.Fatalf("unable to read manifest from stdin: %v", err)
+				}
+			} else if fileURL != "" {
+				// read uri
 				parsedURL, err := url.ParseRequestURI(fileURL)
 				if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
 					err = config.UnmarshalLocalFile(fileURL, &app)
@@ -123,6 +128,7 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 					log.Fatalf("--name argument '%s' does not match app spec metadata.name '%s'", appName, app.Name)
 				}
 			} else {
+				// read arguments
 				if len(args) == 1 {
 					if appName != "" && appName != args[0] {
 						log.Fatalf("--name argument '%s' does not match app name %s", appName, args[0])
@@ -201,6 +207,14 @@ func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 			appName := args[0]
 			app, err := appIf.Get(context.Background(), &applicationpkg.ApplicationQuery{Name: &appName, Refresh: getRefreshType(refresh, hardRefresh)})
 			errors.CheckError(err)
+
+			pConn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(pConn)
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: app.Spec.Project})
+			errors.CheckError(err)
+
+			windows := proj.Spec.SyncWindows.Matches(app)
+
 			switch output {
 			case "yaml":
 				yamlBytes, err := yaml.Marshal(app)
@@ -212,7 +226,7 @@ func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 				fmt.Println(string(jsonBytes))
 			case "":
 				aURL := appURL(acdClient, app.Name)
-				printAppSummaryTable(app, aURL)
+				printAppSummaryTable(app, aURL, windows)

 				if len(app.Status.Conditions) > 0 {
 					fmt.Println()
@@ -247,7 +261,7 @@ func NewApplicationGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 	return command
 }

-func printAppSummaryTable(app *argoappv1.Application, appURL string) {
+func printAppSummaryTable(app *argoappv1.Application, appURL string, windows *argoappv1.SyncWindows) {
 	fmt.Printf(printOpFmtStr, "Name:", app.Name)
 	fmt.Printf(printOpFmtStr, "Project:", app.Spec.GetProject())
 	fmt.Printf(printOpFmtStr, "Server:", app.Spec.Destination.Server)
@@ -257,6 +271,47 @@ func printAppSummaryTable(app *argoappv1.Application, appURL string) {
 	fmt.Printf(printOpFmtStr, "Target:", app.Spec.Source.TargetRevision)
 	fmt.Printf(printOpFmtStr, "Path:", app.Spec.Source.Path)
 	printAppSourceDetails(&app.Spec.Source)
+	var wds []string
+	var status string
+	var allow, deny, inactiveAllows bool
+	if windows.HasWindows() {
+		active := windows.Active()
+		if active.HasWindows() {
+			for _, w := range *active {
+				if w.Kind == "deny" {
+					deny = true
+				} else {
+					allow = true
+				}
+			}
+		}
+		if windows.InactiveAllows().HasWindows() {
+			inactiveAllows = true
+		}
+
+		s := windows.CanSync(true)
+		if deny || !deny && !allow && inactiveAllows {
+			if s {
+				status = "Manual Allowed"
+			} else {
+				status = "Sync Denied"
+
+			}
+		} else {
+			status = "Sync Allowed"
+		}
+		for _, w := range *windows {
+			s := w.Kind + ":" + w.Schedule + ":" + w.Duration
+			wds = append(wds, s)
+		}
+	} else {
+		status = "Sync Allowed"
+	}
+	fmt.Printf(printOpFmtStr, "SyncWindow:", status)
+	if len(wds) > 0 {
+		fmt.Printf(printOpFmtStr, "Assigned Windows:", strings.Join(wds, ","))
+	}
+
 	var syncPolicy string
 	if app.Spec.SyncPolicy != nil && app.Spec.SyncPolicy.Automated != nil {
 		syncPolicy = "Automated"
@@ -399,14 +454,20 @@ func setAppOptions(flags *pflag.FlagSet, app *argoappv1.Application, appOpts *ap
 			app.Spec.Source.RepoURL = appOpts.repoURL
 		case "path":
 			app.Spec.Source.Path = appOpts.appPath
+		case "helm-chart":
+			app.Spec.Source.Chart = appOpts.chart
 		case "env":
 			setKsonnetOpt(&app.Spec.Source, &appOpts.env)
 		case "revision":
 			app.Spec.Source.TargetRevision = appOpts.revision
 		case "values":
-			setHelmOpt(&app.Spec.Source, appOpts.valuesFiles, nil)
+			setHelmOpt(&app.Spec.Source, helmOpts{valueFiles: appOpts.valuesFiles})
 		case "release-name":
-			setHelmOpt(&app.Spec.Source, nil, &appOpts.releaseName)
+			setHelmOpt(&app.Spec.Source, helmOpts{releaseName: appOpts.releaseName})
+		case "helm-set":
+			setHelmOpt(&app.Spec.Source, helmOpts{helmSets: appOpts.helmSets})
+		case "helm-set-string":
+			setHelmOpt(&app.Spec.Source, helmOpts{helmSetStrings: appOpts.helmSetStrings})
 		case "directory-recurse":
 			app.Spec.Source.Directory = &argoappv1.ApplicationSourceDirectory{Recurse: appOpts.directoryRecurse}
 		case "config-management-plugin":
@@ -444,6 +505,12 @@ func setAppOptions(flags *pflag.FlagSet, app *argoappv1.Application, appOpts *ap
 		}
 		app.Spec.SyncPolicy.Automated.Prune = appOpts.autoPrune
 	}
+	if flags.Changed("self-heal") {
+		if app.Spec.SyncPolicy == nil || app.Spec.SyncPolicy.Automated == nil {
+			log.Fatal("Cannot set --self-helf: application not configured with automatic sync")
+		}
+		app.Spec.SyncPolicy.Automated.SelfHeal = appOpts.selfHeal
+	}

 	return visited
 }
@@ -483,15 +550,36 @@ func setKustomizeImages(src *argoappv1.ApplicationSource, images []string) {
 	}
 }

-func setHelmOpt(src *argoappv1.ApplicationSource, valueFiles []string, releaseName *string) {
+type helmOpts struct {
+	valueFiles     []string
+	releaseName    string
+	helmSets       []string
+	helmSetStrings []string
+}
+
+func setHelmOpt(src *argoappv1.ApplicationSource, opts helmOpts) {
 	if src.Helm == nil {
 		src.Helm = &argoappv1.ApplicationSourceHelm{}
 	}
-	if valueFiles != nil {
-		src.Helm.ValueFiles = valueFiles
+	if len(opts.valueFiles) > 0 {
+		src.Helm.ValueFiles = opts.valueFiles
 	}
-	if releaseName != nil {
-		src.Helm.ReleaseName = *releaseName
+	if opts.releaseName != "" {
+		src.Helm.ReleaseName = opts.releaseName
+	}
+	for _, text := range opts.helmSets {
+		p, err := argoappv1.NewHelmParameter(text, false)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Helm.AddParameter(*p)
+	}
+	for _, text := range opts.helmSetStrings {
+		p, err := argoappv1.NewHelmParameter(text, true)
+		if err != nil {
+			log.Fatal(err)
+		}
+		src.Helm.AddParameter(*p)
 	}
 	if src.Helm.IsZero() {
 		src.Helm = nil
@@ -534,6 +622,7 @@ func setJsonnetOpt(src *argoappv1.ApplicationSource, tlaParameters []string, cod
 type appOptions struct {
 	repoURL                string
 	appPath                string
+	chart                  string
 	env                    string
 	revision               string
 	destServer             string
@@ -541,9 +630,12 @@ type appOptions struct {
 	parameters             []string
 	valuesFiles            []string
 	releaseName            string
+	helmSets               []string
+	helmSetStrings         []string
 	project                string
 	syncPolicy             string
 	autoPrune              bool
+	selfHeal               bool
 	namePrefix             string
 	directoryRecurse       bool
 	configManagementPlugin string
@@ -554,17 +646,21 @@ type appOptions struct {

 func addAppFlags(command *cobra.Command, opts *appOptions) {
 	command.Flags().StringVar(&opts.repoURL, "repo", "", "Repository URL, ignored if a file is set")
-	command.Flags().StringVar(&opts.appPath, "path", "", "Path in repository to the ksonnet app directory, ignored if a file is set")
+	command.Flags().StringVar(&opts.appPath, "path", "", "Path in repository to the app directory, ignored if a file is set")
+	command.Flags().StringVar(&opts.chart, "helm-chart", "", "Helm Chart name")
 	command.Flags().StringVar(&opts.env, "env", "", "Application environment to monitor")
-	command.Flags().StringVar(&opts.revision, "revision", "HEAD", "The tracking source branch, tag, or commit the application will sync to")
+	command.Flags().StringVar(&opts.revision, "revision", "", "The tracking source branch, tag, or commit the application will sync to")
 	command.Flags().StringVar(&opts.destServer, "dest-server", "", "K8s cluster URL (overrides the server URL specified in the ksonnet app.yaml)")
 	command.Flags().StringVar(&opts.destNamespace, "dest-namespace", "", "K8s target namespace (overrides the namespace specified in the ksonnet app.yaml)")
 	command.Flags().StringArrayVarP(&opts.parameters, "parameter", "p", []string{}, "set a parameter override (e.g. -p guestbook=image=example/guestbook:latest)")
 	command.Flags().StringArrayVar(&opts.valuesFiles, "values", []string{}, "Helm values file(s) to use")
 	command.Flags().StringVar(&opts.releaseName, "release-name", "", "Helm release-name")
+	command.Flags().StringArrayVar(&opts.helmSets, "helm-set", []string{}, "Helm set values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)")
+	command.Flags().StringArrayVar(&opts.helmSetStrings, "helm-set-string", []string{}, "Helm set STRING values on the command line (can specify multiple or separate values with commas: key1=val1,key2=val2)")
 	command.Flags().StringVar(&opts.project, "project", "", "Application project name")
 	command.Flags().StringVar(&opts.syncPolicy, "sync-policy", "", "Set the sync policy (one of: automated, none)")
 	command.Flags().BoolVar(&opts.autoPrune, "auto-prune", false, "Set automatic pruning when sync is automated")
+	command.Flags().BoolVar(&opts.selfHeal, "self-heal", false, "Set self healing when sync is automated")
 	command.Flags().StringVar(&opts.namePrefix, "nameprefix", "", "Kustomize nameprefix")
 	command.Flags().BoolVar(&opts.directoryRecurse, "directory-recurse", false, "Recurse directory")
 	command.Flags().StringVar(&opts.configManagementPlugin, "config-management-plugin", "", "Config management plugin name")
@@ -631,7 +727,7 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 						}
 					}
 				}
-				setHelmOpt(&app.Spec.Source, specValueFiles, nil)
+				setHelmOpt(&app.Spec.Source, helmOpts{valueFiles: specValueFiles})
 				if !updated {
 					return
 				}
@@ -675,8 +771,8 @@ func liveObjects(resources []*argoappv1.ResourceDiff) ([]*unstructured.Unstructu
 	return objs, nil
 }

-func getLocalObjects(app *argoappv1.Application, local string, appLabelKey string) []*unstructured.Unstructured {
-	manifestStrings := getLocalObjectsString(app, local, appLabelKey, nil)
+func getLocalObjects(app *argoappv1.Application, local, appLabelKey, kubeVersion string) []*unstructured.Unstructured {
+	manifestStrings := getLocalObjectsString(app, local, appLabelKey, kubeVersion, nil)
 	objs := make([]*unstructured.Unstructured, len(manifestStrings))
 	for i := range manifestStrings {
 		obj := unstructured.Unstructured{}
@@ -687,13 +783,14 @@ func getLocalObjects(app *argoappv1.Application, local string, appLabelKey strin
 	return objs
 }

-func getLocalObjectsString(app *argoappv1.Application, local string, appLabelKey string, kustomizeOptions *argoappv1.KustomizeOptions) []string {
-	res, err := repository.GenerateManifests(filepath.Dir(local), filepath.Base(local), &repoapiclient.ManifestRequest{
+func getLocalObjectsString(app *argoappv1.Application, local, appLabelKey, kubeVersion string, kustomizeOptions *argoappv1.KustomizeOptions) []string {
+	res, err := repository.GenerateManifests(local, "/", &repoapiclient.ManifestRequest{
 		ApplicationSource: &app.Spec.Source,
 		AppLabelKey:       appLabelKey,
 		AppLabelValue:     app.Name,
 		Namespace:         app.Spec.Destination.Namespace,
 		KustomizeOptions:  kustomizeOptions,
+		KubeVersion:       kubeVersion,
 	})
 	errors.CheckError(err)

@@ -706,9 +803,8 @@ type resourceInfoProvider struct {

 // Infer if obj is namespaced or not from corresponding live objects list. If corresponding live object has namespace then target object is also namespaced.
 // If live object is missing then it does not matter if target is namespaced or not.
-func (p *resourceInfoProvider) IsNamespaced(server string, obj *unstructured.Unstructured) (bool, error) {
-	key := kube.GetResourceKey(obj)
-	return p.namespacedByGk[key.GroupKind()], nil
+func (p *resourceInfoProvider) IsNamespaced(server string, gk schema.GroupKind) (bool, error) {
+	return p.namespacedByGk[gk], nil
 }

 func groupLocalObjs(localObs []*unstructured.Unstructured, liveObjs []*unstructured.Unstructured, appNamespace string) map[kube.ResourceKey]*unstructured.Unstructured {
@@ -724,7 +820,7 @@ func groupLocalObjs(localObs []*unstructured.Unstructured, liveObjs []*unstructu
 	objByKey := make(map[kube.ResourceKey]*unstructured.Unstructured)
 	for i := range localObs {
 		obj := localObs[i]
-		if !(hook.IsHook(obj) || resource.Ignore(obj)) {
+		if !(hook.IsHook(obj) || ignore.Ignore(obj)) {
 			objByKey[kube.GetResourceKey(obj)] = obj
 		}
 	}
@@ -744,7 +840,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 		Short: shortDesc,
 		Long:  shortDesc + "\nUses 'diff' to render the difference. KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff tool.\nReturns the following exit codes: 2 on general errors, 1 when a diff is found, and 0 when no diff is found",
 		Run: func(c *cobra.Command, args []string) {
-			if len(args) == 0 {
+			if len(args) != 1 {
 				c.HelpFunc()(c, args)
 				os.Exit(2)
 			}
@@ -771,7 +867,12 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			errors.CheckError(err)

 			if local != "" {
-				localObjs := groupLocalObjs(getLocalObjects(app, local, argoSettings.AppLabelKey), liveObjs, app.Spec.Destination.Namespace)
+				conn, clusterIf := clientset.NewClusterClientOrDie()
+				defer util.Close(conn)
+				cluster, err := clusterIf.Get(context.Background(), &clusterpkg.ClusterQuery{Server: app.Spec.Destination.Server})
+				errors.CheckError(err)
+				util.Close(conn)
+				localObjs := groupLocalObjs(getLocalObjects(app, local, argoSettings.AppLabelKey, cluster.ServerVersion), liveObjs, app.Spec.Destination.Namespace)
 				for _, res := range resources.Items {
 					var live = &unstructured.Unstructured{}
 					err := json.Unmarshal([]byte(res.LiveState), &live)
@@ -844,8 +945,10 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			}

 			foundDiffs := false
-			for i := range items {
-				item := items[i]
+			for _, item := range items {
+				if item.target != nil && hook.IsHook(item.target) || item.live != nil && hook.IsHook(item.live) {
+					continue
+				}
 				overrides := make(map[string]argoappv1.ResourceOverride)
 				for k := range argoSettings.ResourceOverrides {
 					val := argoSettings.ResourceOverrides[k]
@@ -869,7 +972,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					}

 					foundDiffs = true
-					printDiff(item.key.Name, target, live)
+					_ = diff.PrintDiff(item.key.Name, target, live)
 				}
 			}
 			if foundDiffs {
@@ -884,43 +987,6 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	return command
 }

-func printDiff(name string, live *unstructured.Unstructured, target *unstructured.Unstructured) {
-	tempDir, err := ioutil.TempDir("", "argocd-diff")
-	errors.CheckError(err)
-
-	targetFile := path.Join(tempDir, name)
-	targetData := []byte("")
-	if target != nil {
-		targetData, err = yaml.Marshal(target)
-		errors.CheckError(err)
-	}
-	err = ioutil.WriteFile(targetFile, targetData, 0644)
-	errors.CheckError(err)
-
-	liveFile := path.Join(tempDir, fmt.Sprintf("%s-live.yaml", name))
-	liveData := []byte("")
-	if live != nil {
-		liveData, err = yaml.Marshal(live)
-		errors.CheckError(err)
-	}
-	err = ioutil.WriteFile(liveFile, liveData, 0644)
-	errors.CheckError(err)
-
-	cmdBinary := "diff"
-	var args []string
-	if envDiff := os.Getenv("KUBECTL_EXTERNAL_DIFF"); envDiff != "" {
-		parts, err := shlex.Split(envDiff)
-		errors.CheckError(err)
-		cmdBinary = parts[0]
-		args = parts[1:]
-	}
-
-	cmd := exec.Command(cmdBinary, append(args, liveFile, targetFile)...)
-	cmd.Stderr = os.Stderr
-	cmd.Stdout = os.Stdout
-	_ = cmd.Run()
-}
-
 // NewApplicationDeleteCommand returns a new instance of an `argocd app delete` command
 func NewApplicationDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
@@ -993,7 +1059,8 @@ func printApplicationTable(apps []argoappv1.Application, output *string) {
 // NewApplicationListCommand returns a new instance of an `argocd app list` command
 func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		output string
+		output   string
+		projects []string
 	)
 	var command = &cobra.Command{
 		Use:   "list",
@@ -1003,14 +1070,19 @@ func NewApplicationListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			defer util.Close(conn)
 			apps, err := appIf.List(context.Background(), &applicationpkg.ApplicationQuery{})
 			errors.CheckError(err)
+			appList := apps.Items
+			if len(projects) != 0 {
+				appList = argo.FilterByProjects(appList, projects)
+			}
 			if output == "name" {
-				printApplicationNames(apps.Items)
+				printApplicationNames(appList)
 			} else {
-				printApplicationTable(apps.Items, &output)
+				printApplicationTable(appList, &output)
 			}
 		},
 	}
 	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: wide|name")
+	command.Flags().StringArrayVarP(&projects, "project", "p", []string{}, "Filter by project name")
 	return command
 }

@@ -1175,10 +1247,6 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			if len(selectedLabels) > 0 {
 				ctx := context.Background()

-				if revision == "" {
-					revision = "HEAD"
-				}
-
 				q := applicationpkg.ApplicationManifestQuery{
 					Name:     &appName,
 					Revision: revision,
@@ -1213,7 +1281,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			var localObjsStrings []string
 			if local != "" {
 				app, err := appIf.Get(context.Background(), &applicationpkg.ApplicationQuery{Name: &appName})
-
+				errors.CheckError(err)
 				if app.Spec.SyncPolicy != nil && app.Spec.SyncPolicy.Automated != nil {
 					log.Fatal("Cannot use local sync when Automatic Sync Policy is enabled")
 				}
@@ -1224,8 +1292,12 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 				errors.CheckError(err)
 				util.Close(conn)

-				localObjsStrings = getLocalObjectsString(app, local, argoSettings.AppLabelKey, argoSettings.KustomizeOptions)
-
+				conn, clusterIf := acdClient.NewClusterClientOrDie()
+				defer util.Close(conn)
+				cluster, err := clusterIf.Get(context.Background(), &clusterpkg.ClusterQuery{Server: app.Spec.Destination.Server})
+				errors.CheckError(err)
+				util.Close(conn)
+				localObjsStrings = getLocalObjectsString(app, local, argoSettings.AppLabelKey, cluster.ServerVersion, argoSettings.KustomizeOptions)
 			}

 			syncReq := applicationpkg.ApplicationSyncRequest{
@@ -1336,7 +1408,7 @@ func getResourceStates(app *argoappv1.Application, selectedResources []argoappv1
 			health := string(res.Status)
 			key := kube.NewResourceKey(res.Group, res.Kind, res.Namespace, res.Name)
 			if resource, ok := resourceByKey[key]; ok && res.HookType == "" {
-				health = argoappv1.HealthStatusUnknown
+				health = ""
 				if resource.Health != nil {
 					health = resource.Health.Status
 				}
@@ -1357,7 +1429,7 @@ func getResourceStates(app *argoappv1.Application, selectedResources []argoappv1
 	// print rest of resources which were not part of most recent operation
 	for _, resKey := range resKeys {
 		res := resourceByKey[resKey]
-		health := argoappv1.HealthStatusUnknown
+		health := ""
 		if res.Health != nil {
 			health = res.Health.Status
 		}
@@ -1427,7 +1499,7 @@ func waitOnApplicationStatus(acdClient apiclient.Client, appName string, timeout
 		}

 		fmt.Println()
-		printAppSummaryTable(app, appURL(acdClient, appName))
+		printAppSummaryTable(app, appURL(acdClient, appName), nil)
 		fmt.Println()
 		if watchOperation {
 			printOperationResult(app.Status.OperationState)
@@ -1566,27 +1638,13 @@ func setParameterOverrides(app *argoappv1.Application, parameters []string) {
 		if app.Spec.Source.Helm == nil {
 			app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{}
 		}
-		re := regexp.MustCompile(`([^\\]),`)
-		for _, paramStr := range parameters {
-			parts := strings.SplitN(paramStr, "=", 2)
-			if len(parts) != 2 {
-				log.Fatalf("Expected helm parameter of the form: param=value. Received: %s", paramStr)
-			}
-			newParam := argoappv1.HelmParameter{
-				Name:  parts[0],
-				Value: re.ReplaceAllString(parts[1], `$1\,`),
-			}
-			found := false
-			for i, cp := range app.Spec.Source.Helm.Parameters {
-				if cp.Name == newParam.Name {
-					found = true
-					app.Spec.Source.Helm.Parameters[i] = newParam
-					break
-				}
-			}
-			if !found {
-				app.Spec.Source.Helm.Parameters = append(app.Spec.Source.Helm.Parameters, newParam)
+		for _, p := range parameters {
+			newParam, err := argoappv1.NewHelmParameter(p, false)
+			if err != nil {
+				log.Error(err)
+				continue
 			}
+			app.Spec.Source.Helm.AddParameter(*newParam)
 		}
 	default:
 		log.Fatalf("Parameters can only be set against Ksonnet or Helm applications")
@@ -1903,10 +1961,11 @@ func filterResources(command *cobra.Command, resources []*argoappv1.ResourceDiff
 		if resourceName != "" && resourceName != obj.GetName() {
 			continue
 		}
-		if kind == gvk.Kind {
-			copy := obj.DeepCopy()
-			filteredObjects = append(filteredObjects, copy)
+		if kind != gvk.Kind {
+			continue
 		}
+		copy := obj.DeepCopy()
+		filteredObjects = append(filteredObjects, copy)
 	}
 	if len(filteredObjects) == 0 {
 		log.Fatal("No matching resource found")
@@ -1914,13 +1973,6 @@ func filterResources(command *cobra.Command, resources []*argoappv1.ResourceDiff
 	if len(filteredObjects) > 1 && !all {
 		log.Fatal("Multiple resources match inputs. Use the --all flag to patch multiple resources")
 	}
-	firstGroup := filteredObjects[0].GroupVersionKind().Group
-	for i := range filteredObjects {
-		obj := filteredObjects[i]
-		if obj.GroupVersionKind().Group != firstGroup {
-			log.Fatal("Multiple groups found in objects to patch. Specify which group to patch with --group flag")
-		}
-	}
 	return filteredObjects
 }

--- a/cmd/argocd/commands/app_actions.go
+++ b/cmd/argocd/commands/app_actions.go
@@ -2,20 +2,30 @@ package commands

 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"log"
 	"os"
-	"sort"
+	"strconv"
 	"text/tabwriter"

+	"github.com/ghodss/yaml"
 	"github.com/spf13/cobra"

 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	applicationpkg "github.com/argoproj/argo-cd/pkg/apiclient/application"
-	argoappv1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/util"
 )

+type DisplayedAction struct {
+	Group    string
+	Kind     string
+	Name     string
+	Action   string
+	Disabled bool
+}
+
 // NewApplicationResourceActionsCommand returns a new instance of an `argocd app actions` command
 func NewApplicationResourceActionsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
@@ -37,7 +47,7 @@ func NewApplicationResourceActionsListCommand(clientOpts *argocdclient.ClientOpt
 	var kind string
 	var group string
 	var resourceName string
-	var all bool
+	var output string
 	var command = &cobra.Command{
 		Use:   "list APPNAME",
 		Short: "Lists available actions on a resource",
@@ -53,8 +63,8 @@ func NewApplicationResourceActionsListCommand(clientOpts *argocdclient.ClientOpt
 		ctx := context.Background()
 		resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{ApplicationName: &appName})
 		errors.CheckError(err)
-		filteredObjects := filterResources(command, resources.Items, group, kind, namespace, resourceName, all)
-		availableActions := make(map[string][]argoappv1.ResourceAction)
+		filteredObjects := filterResources(command, resources.Items, group, kind, namespace, resourceName, true)
+		var availableActions []DisplayedAction
 		for i := range filteredObjects {
 			obj := filteredObjects[i]
 			gvk := obj.GroupVersionKind()
@@ -66,34 +76,42 @@ func NewApplicationResourceActionsListCommand(clientOpts *argocdclient.ClientOpt
 				Kind:         gvk.Kind,
 			})
 			errors.CheckError(err)
-			availableActions[obj.GetName()] = availActionsForResource.Actions
-		}
-
-		var keys []string
-		for key := range availableActions {
-			keys = append(keys, key)
-		}
-		sort.Strings(keys)
-
-		w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-		fmt.Fprintf(w, "RESOURCE\tACTION\n")
-		fmt.Println()
-		for key := range availableActions {
-			for i := range availableActions[key] {
-				action := availableActions[key][i]
-				fmt.Fprintf(w, "%s\t%s\n", key, action.Name)
-
+			for _, action := range availActionsForResource.Actions {
+				displayAction := DisplayedAction{
+					Group:    gvk.Group,
+					Kind:     gvk.Kind,
+					Name:     obj.GetName(),
+					Action:   action.Name,
+					Disabled: action.Disabled,
+				}
+				availableActions = append(availableActions, displayAction)
 			}
 		}
-		_ = w.Flush()
+
+		switch output {
+		case "yaml":
+			yamlBytes, err := yaml.Marshal(availableActions)
+			errors.CheckError(err)
+			fmt.Println(string(yamlBytes))
+		case "json":
+			jsonBytes, err := json.MarshalIndent(availableActions, "", "  ")
+			errors.CheckError(err)
+			fmt.Println(string(jsonBytes))
+		case "":
+			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+			fmt.Fprintf(w, "GROUP\tKIND\tNAME\tACTION\tDISABLED\n")
+			fmt.Println()
+			for _, action := range availableActions {
+				fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", action.Group, action.Kind, action.Name, action.Action, strconv.FormatBool(action.Disabled))
+			}
+			_ = w.Flush()
+		}
 	}
 	command.Flags().StringVar(&resourceName, "resource-name", "", "Name of resource")
 	command.Flags().StringVar(&kind, "kind", "", "Kind")
-	err := command.MarkFlagRequired("kind")
-	errors.CheckError(err)
 	command.Flags().StringVar(&group, "group", "", "Group")
 	command.Flags().StringVar(&namespace, "namespace", "", "Namespace")
-	command.Flags().BoolVar(&all, "all", false, "Indicates whether to list actions on multiple matching resources")
+	command.Flags().StringVarP(&output, "out", "o", "", "Output format. One of: yaml, json")

 	return command
 }
@@ -101,9 +119,9 @@ func NewApplicationResourceActionsListCommand(clientOpts *argocdclient.ClientOpt
 // NewApplicationResourceActionsRunCommand returns a new instance of an `argocd app actions run` command
 func NewApplicationResourceActionsRunCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var namespace string
+	var resourceName string
 	var kind string
 	var group string
-	var resourceName string
 	var all bool
 	var command = &cobra.Command{
 		Use:   "run APPNAME ACTION",
@@ -111,11 +129,10 @@ func NewApplicationResourceActionsRunCommand(clientOpts *argocdclient.ClientOpti
 	}

 	command.Flags().StringVar(&resourceName, "resource-name", "", "Name of resource")
-	command.Flags().StringVar(&kind, "kind", "", "Kind")
-	err := command.MarkFlagRequired("kind")
-	errors.CheckError(err)
-	command.Flags().StringVar(&group, "group", "", "Group")
 	command.Flags().StringVar(&namespace, "namespace", "", "Namespace")
+	command.Flags().StringVar(&kind, "kind", "", "Kind")
+	command.Flags().StringVar(&group, "group", "", "Group")
+	errors.CheckError(command.MarkFlagRequired("kind"))
 	command.Flags().BoolVar(&all, "all", false, "Indicates whether to run the action on multiple matching resources")

 	command.Run = func(c *cobra.Command, args []string) {
@@ -125,12 +142,20 @@ func NewApplicationResourceActionsRunCommand(clientOpts *argocdclient.ClientOpti
 		}
 		appName := args[0]
 		actionName := args[1]
+
 		conn, appIf := argocdclient.NewClientOrDie(clientOpts).NewApplicationClientOrDie()
 		defer util.Close(conn)
 		ctx := context.Background()
 		resources, err := appIf.ManagedResources(ctx, &applicationpkg.ResourcesQuery{ApplicationName: &appName})
 		errors.CheckError(err)
 		filteredObjects := filterResources(command, resources.Items, group, kind, namespace, resourceName, all)
+		var resGroup = filteredObjects[0].GroupVersionKind().Group
+		for i := range filteredObjects[1:] {
+			if filteredObjects[i].GroupVersionKind().Group != resGroup {
+				log.Fatal("Ambiguous resource group. Use flag --group to specify resource group explicitly.")
+			}
+		}
+
 		for i := range filteredObjects {
 			obj := filteredObjects[i]
 			gvk := obj.GroupVersionKind()
--- a/cmd/argocd/commands/app_test.go
+++ b/cmd/argocd/commands/app_test.go
@@ -4,6 +4,8 @@ import (
 	"testing"

 	"github.com/stretchr/testify/assert"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 )

 func TestParseLabels(t *testing.T) {
@@ -23,3 +25,31 @@ func TestParseLabels(t *testing.T) {
 	assert.Len(t, result, 0)

 }
+
+func Test_setHelmOpt(t *testing.T) {
+	t.Run("Zero", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{})
+		assert.Nil(t, src.Helm)
+	})
+	t.Run("ValueFiles", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{valueFiles: []string{"foo"}})
+		assert.Equal(t, []string{"foo"}, src.Helm.ValueFiles)
+	})
+	t.Run("ReleaseName", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{releaseName: "foo"})
+		assert.Equal(t, "foo", src.Helm.ReleaseName)
+	})
+	t.Run("HelmSets", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSets: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar"}}, src.Helm.Parameters)
+	})
+	t.Run("HelmSetStrings", func(t *testing.T) {
+		src := v1alpha1.ApplicationSource{}
+		setHelmOpt(&src, helmOpts{helmSetStrings: []string{"foo=bar"}})
+		assert.Equal(t, []v1alpha1.HelmParameter{{Name: "foo", Value: "bar", ForceString: true}}, src.Helm.Parameters)
+	})
+}
--- a/cmd/argocd/commands/cluster.go
+++ b/cmd/argocd/commands/cluster.go
@@ -232,9 +232,9 @@ func NewClusterRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 // Print table of cluster information
 func printClusterTable(clusters []argoappv1.Cluster) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	fmt.Fprintf(w, "SERVER\tNAME\tSTATUS\tMESSAGE\n")
+	_, _ = fmt.Fprintf(w, "SERVER\tNAME\tVERSION\tSTATUS\tMESSAGE\n")
 	for _, c := range clusters {
-		fmt.Fprintf(w, "%s\t%s\t%s\t%s\n", c.Server, c.Name, c.ConnectionState.Status, c.ConnectionState.Message)
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", c.Server, c.Name, c.ServerVersion, c.ConnectionState.Status, c.ConnectionState.Message)
 	}
 	_ = w.Flush()
 }
--- a/cmd/argocd/commands/cluster_test.go
+++ b/cmd/argocd/commands/cluster_test.go
@@ -0,0 +1,31 @@
+package commands
+
+import (
+	"testing"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)
+
+func Test_printClusterTable(t *testing.T) {
+	printClusterTable([]v1alpha1.Cluster{
+		{
+			Server: "my-server",
+			Name:   "my-name",
+			Config: v1alpha1.ClusterConfig{
+				Username:        "my-username",
+				Password:        "my-password",
+				BearerToken:     "my-bearer-token",
+				TLSClientConfig: v1alpha1.TLSClientConfig{},
+				AWSAuthConfig:   nil,
+			},
+			ConnectionState: v1alpha1.ConnectionState{
+				Status:     "my-status",
+				Message:    "my-message",
+				ModifiedAt: &metav1.Time{},
+			},
+			ServerVersion: "my-version",
+		},
+	})
+}
--- a/cmd/argocd/commands/login.go
+++ b/cmd/argocd/commands/login.go
@@ -92,7 +92,7 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 				errors.CheckError(err)
 				oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
 				errors.CheckError(err)
-				tokenString, refreshToken = oauth2Login(ctx, ssoPort, oauth2conf, provider)
+				tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
 			}

 			parser := &jwt.Parser{
@@ -154,7 +154,7 @@ func userDisplayName(claims jwt.MapClaims) string {

 // oauth2Login opens a browser, runs a temporary HTTP server to delegate OAuth2 login flow and
 // returns the JWT token and a refresh token (if supported)
-func oauth2Login(ctx context.Context, port int, oauth2conf *oauth2.Config, provider *oidc.Provider) (string, string) {
+func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCConfig, oauth2conf *oauth2.Config, provider *oidc.Provider) (string, string) {
 	oauth2conf.RedirectURL = fmt.Sprintf("http://localhost:%d/auth/callback", port)
 	oidcConf, err := oidcutil.ParseConfig(provider)
 	errors.CheckError(err)
@@ -243,12 +243,17 @@ func oauth2Login(ctx context.Context, port int, oauth2conf *oauth2.Config, provi
 	fmt.Printf("Opening browser for authentication\n")

 	var url string
-	grantType := oidcutil.InferGrantType(oauth2conf, oidcConf)
+	grantType := oidcutil.InferGrantType(oidcConf)
+	opts := []oauth2.AuthCodeOption{oauth2.AccessTypeOffline}
+	if claimsRequested := oidcSettings.GetIDTokenClaims(); claimsRequested != nil {
+		opts = oidcutil.AppendClaimsAuthenticationRequestParameter(opts, claimsRequested)
+	}
+
 	switch grantType {
 	case oidcutil.GrantTypeAuthorizationCode:
-		url = oauth2conf.AuthCodeURL(stateNonce, oauth2.AccessTypeOffline)
+		url = oauth2conf.AuthCodeURL(stateNonce, opts...)
 	case oidcutil.GrantTypeImplicit:
-		url = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, oauth2.AccessTypeOffline)
+		url = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...)
 	default:
 		log.Fatalf("Unsupported grant type: %v", grantType)
 	}
--- a/cmd/argocd/commands/project.go
+++ b/cmd/argocd/commands/project.go
@@ -1,10 +1,12 @@
 package commands

 import (
+	"bufio"
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
+	"net/url"
 	"os"
 	"strings"
 	"text/tabwriter"
@@ -16,6 +18,7 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/pointer"

 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
@@ -23,13 +26,16 @@ import (
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/util"
 	"github.com/argoproj/argo-cd/util/cli"
+	"github.com/argoproj/argo-cd/util/config"
 	"github.com/argoproj/argo-cd/util/git"
 )

 type projectOpts struct {
-	description  string
-	destinations []string
-	sources      []string
+	description              string
+	destinations             []string
+	sources                  []string
+	orphanedResourcesEnabled bool
+	orphanedResourcesWarn    bool
 }

 type policyOpts struct {
@@ -79,6 +85,7 @@ func NewProjectCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command.AddCommand(NewProjectDenyClusterResourceCommand(clientOpts))
 	command.AddCommand(NewProjectAllowNamespaceResourceCommand(clientOpts))
 	command.AddCommand(NewProjectDenyNamespaceResourceCommand(clientOpts))
+	command.AddCommand(NewProjectWindowsCommand(clientOpts))
 	return command
 }

@@ -86,7 +93,21 @@ func addProjFlags(command *cobra.Command, opts *projectOpts) {
 	command.Flags().StringVarP(&opts.description, "description", "", "", "Project description")
 	command.Flags().StringArrayVarP(&opts.destinations, "dest", "d", []string{},
 		"Permitted destination server and namespace (e.g. https://192.168.99.100:8443,default)")
-	command.Flags().StringArrayVarP(&opts.sources, "src", "s", []string{}, "Permitted git source repository URL")
+	command.Flags().StringArrayVarP(&opts.sources, "src", "s", []string{}, "Permitted source repository URL")
+	command.Flags().BoolVar(&opts.orphanedResourcesEnabled, "orphaned-resources", false, "Enables orphaned resources monitoring")
+	command.Flags().BoolVar(&opts.orphanedResourcesWarn, "orphaned-resources-warn", false, "Specifies if applications should be a warning condition when orphaned resources detected")
+}
+
+func getOrphanedResourcesSettings(c *cobra.Command, opts projectOpts) *v1alpha1.OrphanedResourcesMonitorSettings {
+	warnChanged := c.Flag("orphaned-resources-warn").Changed
+	if opts.orphanedResourcesEnabled || warnChanged {
+		settings := v1alpha1.OrphanedResourcesMonitorSettings{}
+		if warnChanged {
+			settings.Warn = pointer.BoolPtr(opts.orphanedResourcesWarn)
+		}
+		return &settings
+	}
+	return nil
 }

 func addPolicyFlags(command *cobra.Command, opts *policyOpts) {
@@ -103,32 +124,63 @@ func humanizeTimestamp(epoch int64) string {
 // NewProjectCreateCommand returns a new instance of an `argocd proj create` command
 func NewProjectCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		opts projectOpts
+		opts    projectOpts
+		fileURL string
+		upsert  bool
 	)
 	var command = &cobra.Command{
 		Use:   "create PROJECT",
 		Short: "Create a project",
 		Run: func(c *cobra.Command, args []string) {
-			if len(args) == 0 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			projName := args[0]
-			proj := v1alpha1.AppProject{
-				ObjectMeta: v1.ObjectMeta{Name: projName},
-				Spec: v1alpha1.AppProjectSpec{
-					Description:  opts.description,
-					Destinations: opts.GetDestinations(),
-					SourceRepos:  opts.sources,
-				},
+			var proj v1alpha1.AppProject
+			if fileURL == "-" {
+				// read stdin
+				reader := bufio.NewReader(os.Stdin)
+				err := config.UnmarshalReader(reader, &proj)
+				if err != nil {
+					log.Fatalf("unable to read manifest from stdin: %v", err)
+				}
+			} else if fileURL != "" {
+				// read uri
+				parsedURL, err := url.ParseRequestURI(fileURL)
+				if err != nil || !(parsedURL.Scheme == "http" || parsedURL.Scheme == "https") {
+					err = config.UnmarshalLocalFile(fileURL, &proj)
+				} else {
+					err = config.UnmarshalRemoteFile(fileURL, &proj)
+				}
+				errors.CheckError(err)
+				if len(args) == 1 && args[0] != proj.Name {
+					log.Fatalf("project name '%s' does not match project spec metadata.name '%s'", args[0], proj.Name)
+				}
+			} else {
+				// read arguments
+				if len(args) == 0 {
+					c.HelpFunc()(c, args)
+					os.Exit(1)
+				}
+				projName := args[0]
+				proj = v1alpha1.AppProject{
+					ObjectMeta: v1.ObjectMeta{Name: projName},
+					Spec: v1alpha1.AppProjectSpec{
+						Description:       opts.description,
+						Destinations:      opts.GetDestinations(),
+						SourceRepos:       opts.sources,
+						OrphanedResources: getOrphanedResourcesSettings(c, opts),
+					},
+				}
 			}
 			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
 			defer util.Close(conn)
-
-			_, err := projIf.Create(context.Background(), &projectpkg.ProjectCreateRequest{Project: &proj})
+			_, err := projIf.Create(context.Background(), &projectpkg.ProjectCreateRequest{Project: &proj, Upsert: upsert})
 			errors.CheckError(err)
 		},
 	}
+	command.Flags().BoolVar(&upsert, "upsert", false, "Allows to override a project with the same name even if supplied project spec is different from existing spec")
+	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the project")
+	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
+	if err != nil {
+		log.Fatal(err)
+	}
 	addProjFlags(command, &opts)
 	return command
 }
@@ -163,6 +215,8 @@ func NewProjectSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 					proj.Spec.Destinations = opts.GetDestinations()
 				case "src":
 					proj.Spec.SourceRepos = opts.sources
+				case "orphaned-resources", "orphaned-resources-warn":
+					proj.Spec.OrphanedResources = getOrphanedResourcesSettings(c, opts)
 				}
 			})
 			if visited == 0 {
@@ -453,7 +507,7 @@ func printProjectNames(projects []v1alpha1.AppProject) {
 // Print table of project info
 func printProjectTable(projects []v1alpha1.AppProject) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	fmt.Fprintf(w, "NAME\tDESCRIPTION\tDESTINATIONS\tSOURCES\tCLUSTER-RESOURCE-WHITELIST\tNAMESPACE-RESOURCE-BLACKLIST\n")
+	fmt.Fprintf(w, "NAME\tDESCRIPTION\tDESTINATIONS\tSOURCES\tCLUSTER-RESOURCE-WHITELIST\tNAMESPACE-RESOURCE-BLACKLIST\tORPHANED-RESOURCES\n")
 	for _, p := range projects {
 		printProjectLine(w, &p)
 	}
@@ -484,6 +538,13 @@ func NewProjectListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 	return command
 }

+func formatOrphanedResources(p *v1alpha1.AppProject) string {
+	if p.Spec.OrphanedResources == nil {
+		return "disabled"
+	}
+	return fmt.Sprintf("enabled (warn=%v)", p.Spec.OrphanedResources.IsWarn())
+}
+
 func printProjectLine(w io.Writer, p *v1alpha1.AppProject) {
 	var destinations, sourceRepos, clusterWhitelist, namespaceBlacklist string
 	switch len(p.Spec.Destinations) {
@@ -516,7 +577,7 @@ func printProjectLine(w io.Writer, p *v1alpha1.AppProject) {
 	default:
 		namespaceBlacklist = fmt.Sprintf("%d resources", len(p.Spec.NamespaceResourceBlacklist))
 	}
-	fmt.Fprintf(w, "%s\t%s\t%v\t%v\t%v\t%v\n", p.Name, p.Spec.Description, destinations, sourceRepos, clusterWhitelist, namespaceBlacklist)
+	fmt.Fprintf(w, "%s\t%s\t%v\t%v\t%v\t%v\t%v\n", p.Name, p.Spec.Description, destinations, sourceRepos, clusterWhitelist, namespaceBlacklist, formatOrphanedResources(p))
 }

 // NewProjectGetCommand returns a new instance of an `argocd proj get` command
@@ -577,6 +638,7 @@ func NewProjectGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 			for i := 1; i < len(p.Spec.NamespaceResourceBlacklist); i++ {
 				fmt.Printf(printProjFmtStr, "", fmt.Sprintf("%s/%s", p.Spec.NamespaceResourceBlacklist[i].Group, p.Spec.NamespaceResourceBlacklist[i].Kind))
 			}
+			fmt.Printf(printProjFmtStr, "Orphaned Resources:", formatOrphanedResources(p))
 		},
 	}
 	return command
--- a/cmd/argocd/commands/projectwindows.go
+++ b/cmd/argocd/commands/projectwindows.go
@@ -0,0 +1,311 @@
+package commands
+
+import (
+	"context"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	"fmt"
+	"strings"
+	"text/tabwriter"
+
+	"strconv"
+
+	"github.com/argoproj/argo-cd/errors"
+	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
+	projectpkg "github.com/argoproj/argo-cd/pkg/apiclient/project"
+	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/util"
+)
+
+// NewProjectWindowsCommand returns a new instance of the `argocd proj windows` command
+func NewProjectWindowsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	roleCommand := &cobra.Command{
+		Use:   "windows",
+		Short: "Manage a project's sync windows",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+			os.Exit(1)
+		},
+	}
+	roleCommand.AddCommand(NewProjectWindowsDisableManualSyncCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsEnableManualSyncCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsAddWindowCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsDeleteCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsListCommand(clientOpts))
+	roleCommand.AddCommand(NewProjectWindowsUpdateCommand(clientOpts))
+	return roleCommand
+}
+
+// NewProjectSyncWindowsDisableManualSyncCommand returns a new instance of an `argocd proj windows disable-manual-sync` command
+func NewProjectWindowsDisableManualSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "disable-manual-sync PROJECT ID",
+		Short: "Disable manual sync for a sync window",
+		Long:  "Disable manual sync for a sync window. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for i, window := range proj.Spec.SyncWindows {
+				if id == i {
+					window.ManualSync = false
+				}
+			}
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectWindowsEnableManualSyncCommand returns a new instance of an `argocd proj windows enable-manual-sync` command
+func NewProjectWindowsEnableManualSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "enable-manual-sync PROJECT ID",
+		Short: "Enable manual sync for a sync window",
+		Long:  "Enable manual sync for a sync window. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for i, window := range proj.Spec.SyncWindows {
+				if id == i {
+					window.ManualSync = true
+				}
+			}
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectWindowsAddWindowCommand returns a new instance of an `argocd proj windows add` command
+func NewProjectWindowsAddWindowCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		kind         string
+		schedule     string
+		duration     string
+		applications []string
+		namespaces   []string
+		clusters     []string
+		manualSync   bool
+	)
+	var command = &cobra.Command{
+		Use:   "add PROJECT",
+		Short: "Add a sync window to a project",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			err = proj.Spec.AddWindow(kind, schedule, duration, applications, namespaces, clusters, manualSync)
+			errors.CheckError(err)
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().StringVarP(&kind, "kind", "k", "", "Sync window kind, either allow or deny")
+	command.Flags().StringVar(&schedule, "schedule", "", "Sync window schedule in cron format. (e.g. --schedule \"0 22 * * *\")")
+	command.Flags().StringVar(&duration, "duration", "", "Sync window duration. (e.g. --duration 1h)")
+	command.Flags().StringSliceVar(&applications, "applications", []string{}, "Applications that the schedule will be applied to. Comma separated, wildcards supported (e.g. --applications prod-\\*,website)")
+	command.Flags().StringSliceVar(&namespaces, "namespaces", []string{}, "Namespaces that the schedule will be applied to. Comma separated, wildcards supported (e.g. --namespaces default,\\*-prod)")
+	command.Flags().StringSliceVar(&clusters, "clusters", []string{}, "Clusters that the schedule will be applied to. Comma separated, wildcards supported (e.g. --clusters prod,staging)")
+	command.Flags().BoolVar(&manualSync, "manual-sync", false, "Allow manual syncs for both deny and allow windows")
+
+	return command
+}
+
+// NewProjectWindowsAddWindowCommand returns a new instance of an `argocd proj windows delete` command
+func NewProjectWindowsDeleteCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "delete PROJECT ID",
+		Short: "Delete a sync window from a project. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			err = proj.Spec.DeleteWindow(id)
+			errors.CheckError(err)
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	return command
+}
+
+// NewProjectWindowsUpdateCommand returns a new instance of an `argocd proj windows update` command
+func NewProjectWindowsUpdateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		schedule     string
+		duration     string
+		applications []string
+		namespaces   []string
+		clusters     []string
+	)
+	var command = &cobra.Command{
+		Use:   "update PROJECT ID",
+		Short: "Update a project sync window",
+		Long:  "Update a project sync window. Requires ID which can be found by running \"argocd proj windows list PROJECT\"",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+
+			projName := args[0]
+			id, err := strconv.Atoi(args[1])
+			errors.CheckError(err)
+
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			for i, window := range proj.Spec.SyncWindows {
+				if id == i {
+					err := window.Update(schedule, duration, applications, namespaces, clusters)
+					if err != nil {
+						errors.CheckError(err)
+					}
+				}
+			}
+
+			_, err = projIf.Update(context.Background(), &projectpkg.ProjectUpdateRequest{Project: proj})
+			errors.CheckError(err)
+		},
+	}
+	command.Flags().StringVar(&schedule, "schedule", "", "Sync window schedule in cron format. (e.g. --schedule \"0 22 * * *\")")
+	command.Flags().StringVar(&duration, "duration", "", "Sync window duration. (e.g. --duration 1h)")
+	command.Flags().StringSliceVar(&applications, "applications", []string{}, "Applications that the schedule will be applied to. Comma separated, wildcards supported (e.g. --applications prod-\\*,website)")
+	command.Flags().StringSliceVar(&namespaces, "namespaces", []string{}, "Namespaces that the schedule will be applied to. Comma separated, wildcards supported (e.g. --namespaces default,\\*-prod)")
+	command.Flags().StringSliceVar(&clusters, "clusters", []string{}, "Clusters that the schedule will be applied to. Comma separated, wildcards supported (e.g. --clusters prod,staging)")
+	return command
+}
+
+// NewProjectWindowsListCommand returns a new instance of an `argocd proj windows list` command
+func NewProjectWindowsListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "list PROJECT",
+		Short: "List project sync windows",
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			projName := args[0]
+			conn, projIf := argocdclient.NewClientOrDie(clientOpts).NewProjectClientOrDie()
+			defer util.Close(conn)
+
+			proj, err := projIf.Get(context.Background(), &projectpkg.ProjectQuery{Name: projName})
+			errors.CheckError(err)
+
+			printSyncWindows(proj)
+		},
+	}
+	return command
+}
+
+// Print table of sync window data
+func printSyncWindows(proj *v1alpha1.AppProject) {
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	var fmtStr string
+	headers := []interface{}{"ID", "STATUS", "KIND", "SCHEDULE", "DURATION", "APPLICATIONS", "NAMESPACES", "CLUSTERS", "MANUALSYNC"}
+	fmtStr = "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n"
+	fmt.Fprintf(w, fmtStr, headers...)
+	if proj.Spec.SyncWindows.HasWindows() {
+		for i, window := range proj.Spec.SyncWindows {
+			vals := []interface{}{
+				strconv.Itoa(i),
+				formatBoolOutput(window.Active()),
+				window.Kind,
+				window.Schedule,
+				window.Duration,
+				formatListOutput(window.Applications),
+				formatListOutput(window.Namespaces),
+				formatListOutput(window.Clusters),
+				formatManualOutput(window.ManualSync),
+			}
+			fmt.Fprintf(w, fmtStr, vals...)
+		}
+	}
+	_ = w.Flush()
+}
+
+func formatListOutput(list []string) string {
+	var o string
+	if len(list) == 0 {
+		o = "-"
+	} else {
+		o = strings.Join(list, ",")
+	}
+	return o
+}
+func formatBoolOutput(active bool) string {
+	var o string
+	if active {
+		o = "Active"
+	} else {
+		o = "Inactive"
+	}
+	return o
+}
+func formatManualOutput(active bool) string {
+	var o string
+	if active {
+		o = "Enabled"
+	} else {
+		o = "Disabled"
+	}
+	return o
+}
--- a/cmd/argocd/commands/relogin.go
+++ b/cmd/argocd/commands/relogin.go
@@ -67,7 +67,7 @@ func NewReloginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comm
 				errors.CheckError(err)
 				oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
 				errors.CheckError(err)
-				tokenString, refreshToken = oauth2Login(ctx, ssoPort, oauth2conf, provider)
+				tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
 			}

 			localCfg.UpsertUser(localconfig.User{
--- a/cmd/argocd/commands/repo.go
+++ b/cmd/argocd/commands/repo.go
@@ -10,6 +10,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

+	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/errors"
 	argocdclient "github.com/argoproj/argo-cd/pkg/apiclient"
 	repositorypkg "github.com/argoproj/argo-cd/pkg/apiclient/repository"
@@ -23,7 +24,7 @@ import (
 func NewRepoCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "repo",
-		Short: "Manage git repository connection parameters",
+		Short: "Manage repository connection parameters",
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 			os.Exit(1)
@@ -50,13 +51,20 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	)

 	// For better readability and easier formatting
-	var repoAddExamples = `
-Add a SSH repository using a private key for authentication, ignoring the server's host key:",
-  $ argocd repo add git@git.example.com --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa",
-Add a HTTPS repository using username/password and TLS client certificates:",
-  $ argocd repo add https://git.example.com --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key",
-Add a HTTPS repository using username/password without verifying the server's TLS certificate:",
-  $ argocd repo add https://git.example.com --username git --password secret --insecure-skip-server-verification",
+	var repoAddExamples = `  # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
+  argocd repo add git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
+
+  # Add a private Git repository via HTTPS using username/password and TLS client certificates:
+  argocd repo add https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
+
+  # Add a private Git repository via HTTPS using username/password without verifying the server's TLS certificate
+  argocd repo add https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
+
+  # Add a public Helm repository named 'stable' via HTTPS
+  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
+
+  # Add a private Helm repository named 'stable' via HTTPS
+  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
 `

 	var command = &cobra.Command{
@@ -113,6 +121,10 @@ Add a HTTPS repository using username/password without verifying the server's TL
 			repo.Insecure = insecureSkipServerVerification
 			repo.EnableLFS = enableLfs

+			if repo.Type == "helm" && repo.Name == "" {
+				errors.CheckError(fmt.Errorf("Must specify --name for repos of type 'helm'"))
+			}
+
 			conn, repoIf := argocdclient.NewClientOrDie(clientOpts).NewRepoClientOrDie()
 			defer util.Close(conn)

@@ -127,6 +139,8 @@ Add a HTTPS repository using username/password without verifying the server's TL
 			// that were supplied, we bail out.
 			repoAccessReq := repositorypkg.RepoAccessQuery{
 				Repo:              repo.Repo,
+				Type:              repo.Type,
+				Name:              repo.Name,
 				Username:          repo.Username,
 				Password:          repo.Password,
 				SshPrivateKey:     repo.SSHPrivateKey,
@@ -146,6 +160,8 @@ Add a HTTPS repository using username/password without verifying the server's TL
 			fmt.Printf("repository '%s' added\n", createdRepo.Repo)
 		},
 	}
+	command.Flags().StringVar(&repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
+	command.Flags().StringVar(&repo.Name, "name", "", "name of the repository, mandatory for repositories of type helm")
 	command.Flags().StringVar(&repo.Username, "username", "", "username to the repository")
 	command.Flags().StringVar(&repo.Password, "password", "", "password to the repository")
 	command.Flags().StringVar(&sshPrivateKeyPath, "ssh-private-key-path", "", "path to the private ssh key (e.g. ~/.ssh/id_rsa)")
@@ -162,7 +178,7 @@ Add a HTTPS repository using username/password without verifying the server's TL
 func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var command = &cobra.Command{
 		Use:   "rm REPO",
-		Short: "Remove git repository credentials",
+		Short: "Remove repository credentials",
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) == 0 {
 				c.HelpFunc()(c, args)
@@ -180,9 +196,9 @@ func NewRepoRemoveCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 }

 // Print table of repo info
-func printRepoTable(repos []appsv1.Repository) {
+func printRepoTable(repos appsv1.Repositories) {
 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-	fmt.Fprintf(w, "REPO\tINSECURE\tLFS\tUSER\tSTATUS\tMESSAGE\n")
+	_, _ = fmt.Fprintf(w, "TYPE\tNAME\tREPO\tINSECURE\tLFS\tUSER\tSTATUS\tMESSAGE\n")
 	for _, r := range repos {
 		var username string
 		if r.Username == "" {
@@ -190,13 +206,13 @@ func printRepoTable(repos []appsv1.Repository) {
 		} else {
 			username = r.Username
 		}
-		fmt.Fprintf(w, "%s\t%v\t%v\t%s\t%s\t%s\n", r.Repo, r.IsInsecure(), r.EnableLFS, username, r.ConnectionState.Status, r.ConnectionState.Message)
+		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%v\t%v\t%s\t%s\t%s\n", r.Type, r.Name, r.Repo, r.IsInsecure(), r.EnableLFS, username, r.ConnectionState.Status, r.ConnectionState.Message)
 	}
 	_ = w.Flush()
 }

 // Print list of repo urls
-func printRepoUrls(repos []appsv1.Repository) {
+func printRepoUrls(repos appsv1.Repositories) {
 	for _, r := range repos {
 		fmt.Println(r.Repo)
 	}
--- a/cmd/argocd/commands/root.go
+++ b/cmd/argocd/commands/root.go
@@ -59,5 +59,6 @@ func NewCommand() *cobra.Command {
 	command.PersistentFlags().StringVar(&clientOpts.AuthToken, "auth-token", config.GetFlag("auth-token", ""), "Authentication token")
 	command.PersistentFlags().BoolVar(&clientOpts.GRPCWeb, "grpc-web", config.GetBoolFlag("grpc-web"), "Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2.")
 	command.PersistentFlags().StringVar(&logLevel, "loglevel", config.GetFlag("loglevel", "info"), "Set the logging level. One of: debug|info|warn|error")
+	command.PersistentFlags().StringSliceVarP(&clientOpts.Headers, "header", "H", []string{}, "Sets additional header to all requests made by Argo CD CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers)")
 	return command
 }
--- a/cmd/argocd/commands/version.go
+++ b/cmd/argocd/commands/version.go
@@ -56,6 +56,9 @@ func NewVersionCmd(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				fmt.Printf("  Compiler: %s\n", serverVers.Compiler)
 				fmt.Printf("  Platform: %s\n", serverVers.Platform)
 				fmt.Printf("  Ksonnet Version: %s\n", serverVers.KsonnetVersion)
+				fmt.Printf("  Kustomize Version: %s\n", serverVers.KustomizeVersion)
+				fmt.Printf("  Helm Version: %s\n", serverVers.HelmVersion)
+				fmt.Printf("  Kubectl Version: %s\n", serverVers.KubectlVersion)
 			}

 		},
--- a/common/common.go
+++ b/common/common.go
@@ -21,9 +21,10 @@ const (
 	ArgoCDTLSCertsConfigMapName = "argocd-tls-certs-cm"
 )

-// Default system namespace
+// Some default configurables
 const (
 	DefaultSystemNamespace = "kube-system"
+	DefaultRepoType        = "git"
 )

 // Default listener ports for ArgoCD components
@@ -75,6 +76,8 @@ const (
 	LoginEndpoint = "/auth/login"
 	// CallbackEndpoint is Argo CD's final callback endpoint we reach after OAuth 2.0 login flow has been completed
 	CallbackEndpoint = "/auth/callback"
+	// DexCallbackEndpoint is Argo CD's final callback endpoint when Dex is configured
+	DexCallbackEndpoint = "/api/dex/callback"
 	// ArgoCDClientAppName is name of the Oauth client app used when registering our web app to dex
 	ArgoCDClientAppName = "Argo CD"
 	// ArgoCDClientAppID is the Oauth client ID we will use when registering our app to dex
@@ -114,10 +117,6 @@ const (
 	AnnotationKeyManagedBy = "managed-by"
 	// AnnotationValueManagedByArgoCD is a 'managed-by' annotation value for resources managed by Argo CD
 	AnnotationValueManagedByArgoCD = "argocd.argoproj.io"
-	// AnnotationKeyHelmHook is the helm hook annotation
-	AnnotationKeyHelmHook = "helm.sh/hook"
-	// AnnotationValueHelmHookCRDInstall is a value of crd helm hook
-	AnnotationValueHelmHookCRDInstall = "crd-install"
 	// ResourcesFinalizerName the finalizer value which we inject to finalize deletion of an application
 	ResourcesFinalizerName = "resources-finalizer.argocd.argoproj.io"
 )
@@ -135,13 +134,15 @@ const (
 	EnvVarSSHDataPath = "ARGOCD_SSH_DATA_PATH"
 	// Overrides the location where TLS certificate for repo access data is stored
 	EnvVarTLSDataPath = "ARGOCD_TLS_DATA_PATH"
+	// Specifies number of git remote operations attempts count
+	EnvGitAttemptsCount = "ARGOCD_GIT_ATTEMPTS_COUNT"
 )

 const (
 	// MinClientVersion is the minimum client version that can interface with this API server.
 	// When introducing breaking changes to the API or datastructures, this number should be bumped.
 	// The value here may be lower than the current value in VERSION
-	MinClientVersion = "1.0.0"
+	MinClientVersion = "1.3.0"
 	// CacheVersion is a objects version cached using util/cache/cache.go.
 	// Number should be bumped in case of backward incompatible change to make sure cache is invalidated after upgrade.
 	CacheVersion = "1.0.0"
--- a/controller/appcontroller.go
+++ b/controller/appcontroller.go
@@ -12,6 +12,7 @@ import (
 	"time"

 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sync/semaphore"
 	v1 "k8s.io/api/core/v1"
 	apierr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -45,6 +46,8 @@ import (

 const (
 	updateOperationStateTimeout = 1 * time.Second
+	// orphanedIndex contains application which monitor orphaned resources by namespace
+	orphanedIndex = "orphaned"
 )

 type CompareWith int
@@ -85,6 +88,7 @@ type ApplicationController struct {
 	refreshRequestedApps      map[string]CompareWith
 	refreshRequestedAppsMutex *sync.Mutex
 	metricsServer             *metrics.MetricsServer
+	kubectlSemaphore          *semaphore.Weighted
 }

 type ApplicationControllerConfig struct {
@@ -100,17 +104,18 @@ func NewApplicationController(
 	applicationClientset appclientset.Interface,
 	repoClientset apiclient.Clientset,
 	argoCache *argocache.Cache,
+	kubectl kube.Kubectl,
 	appResyncPeriod time.Duration,
 	selfHealTimeout time.Duration,
 	metricsPort int,
+	kubectlParallelismLimit int64,
 ) (*ApplicationController, error) {
 	db := db.NewDB(namespace, settingsMgr, kubeClientset)
-	kubectlCmd := kube.KubectlCmd{}
 	ctrl := ApplicationController{
 		cache:                     argoCache,
 		namespace:                 namespace,
 		kubeClientset:             kubeClientset,
-		kubectl:                   kubectlCmd,
+		kubectl:                   kubectl,
 		applicationClientset:      applicationClientset,
 		repoClientset:             repoClientset,
 		appRefreshQueue:           workqueue.NewRateLimitingQueue(workqueue.DefaultControllerRateLimiter()),
@@ -123,15 +128,23 @@ func NewApplicationController(
 		settingsMgr:               settingsMgr,
 		selfHealTimeout:           selfHealTimeout,
 	}
-	appInformer, appLister := ctrl.newApplicationInformerAndLister()
-	projInformer := v1alpha1.NewAppProjectInformer(applicationClientset, namespace, appResyncPeriod, cache.Indexers{})
+	if kubectlParallelismLimit > 0 {
+		ctrl.kubectlSemaphore = semaphore.NewWeighted(kubectlParallelismLimit)
+	}
+	kubectl.SetOnKubectlRun(ctrl.onKubectlRun)
+	appInformer, appLister, err := ctrl.newApplicationInformerAndLister()
+	if err != nil {
+		return nil, err
+	}
+	indexers := cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}
+	projInformer := v1alpha1.NewAppProjectInformer(applicationClientset, namespace, appResyncPeriod, indexers)
 	metricsAddr := fmt.Sprintf("0.0.0.0:%d", metricsPort)
 	ctrl.metricsServer = metrics.NewMetricsServer(metricsAddr, appLister, func() error {
 		_, err := kubeClientset.Discovery().ServerVersion()
 		return err
 	})
-	stateCache := statecache.NewLiveStateCache(db, appInformer, ctrl.settingsMgr, kubectlCmd, ctrl.metricsServer, ctrl.handleAppUpdated)
-	appStateManager := NewAppStateManager(db, applicationClientset, repoClientset, namespace, kubectlCmd, ctrl.settingsMgr, stateCache, projInformer, ctrl.metricsServer)
+	stateCache := statecache.NewLiveStateCache(db, appInformer, ctrl.settingsMgr, kubectl, ctrl.metricsServer, ctrl.handleObjectUpdated)
+	appStateManager := NewAppStateManager(db, applicationClientset, repoClientset, namespace, kubectl, ctrl.settingsMgr, stateCache, projInformer, ctrl.metricsServer)
 	ctrl.appInformer = appInformer
 	ctrl.appLister = appLister
 	ctrl.projInformer = projInformer
@@ -141,6 +154,23 @@ func NewApplicationController(
 	return &ctrl, nil
 }

+func (ctrl *ApplicationController) onKubectlRun(command string) (util.Closer, error) {
+	ctrl.metricsServer.IncKubectlExec(command)
+	if ctrl.kubectlSemaphore != nil {
+		if err := ctrl.kubectlSemaphore.Acquire(context.Background(), 1); err != nil {
+			return nil, err
+		}
+		ctrl.metricsServer.IncKubectlExecPending(command)
+	}
+	return util.NewCloser(func() error {
+		if ctrl.kubectlSemaphore != nil {
+			ctrl.kubectlSemaphore.Release(1)
+			ctrl.metricsServer.DecKubectlExecPending(command)
+		}
+		return nil
+	}), nil
+}
+
 func isSelfReferencedApp(app *appv1.Application, ref v1.ObjectReference) bool {
 	gvk := ref.GroupVersionKind()
 	return ref.UID == app.UID &&
@@ -150,23 +180,47 @@ func isSelfReferencedApp(app *appv1.Application, ref v1.ObjectReference) bool {
 		gvk.Kind == application.ApplicationKind
 }

-func (ctrl *ApplicationController) handleAppUpdated(appName string, isManagedResource bool, ref v1.ObjectReference) {
-	skipForceRefresh := false
+func (ctrl *ApplicationController) getAppProj(app *appv1.Application) (*appv1.AppProject, error) {
+	return argo.GetAppProject(&app.Spec, applisters.NewAppProjectLister(ctrl.projInformer.GetIndexer()), ctrl.namespace)
+}

-	obj, exists, err := ctrl.appInformer.GetIndexer().GetByKey(ctrl.namespace + "/" + appName)
-	if app, ok := obj.(*appv1.Application); exists && err == nil && ok && isSelfReferencedApp(app, ref) {
-		// Don't force refresh app if related resource is application itself. This prevents infinite reconciliation loop.
-		skipForceRefresh = true
-	}
+func (ctrl *ApplicationController) handleObjectUpdated(managedByApp map[string]bool, ref v1.ObjectReference) {
+	// if namespaced resource is not managed by any app it might be orphaned resource of some other apps
+	if len(managedByApp) == 0 && ref.Namespace != "" {
+		// retrieve applications which monitor orphaned resources in the same namespace and refresh them unless resource is blacklisted in app project
+		if objs, err := ctrl.appInformer.GetIndexer().ByIndex(orphanedIndex, ref.Namespace); err == nil {
+			for i := range objs {
+				app, ok := objs[i].(*appv1.Application)
+				if !ok {
+					continue
+				}
+				// exclude resource unless it is permitted in the app project. If project is not permitted then it is not controlled by the user and there is no point showing the warning.
+				if proj, err := ctrl.getAppProj(app); err == nil && proj.IsResourcePermitted(metav1.GroupKind{Group: ref.GroupVersionKind().Group, Kind: ref.Kind}, true) &&
+					!isKnownOrphanedResourceExclusion(kube.NewResourceKey(ref.GroupVersionKind().Group, ref.GroupVersionKind().Kind, ref.Namespace, ref.Name)) {

-	if !skipForceRefresh {
-		level := ComparisonWithNothing
-		if isManagedResource {
-			level = CompareWithRecent
+					managedByApp[app.Name] = false
+				}
+			}
 		}
-		ctrl.requestAppRefresh(appName, level)
 	}
-	ctrl.appRefreshQueue.Add(fmt.Sprintf("%s/%s", ctrl.namespace, appName))
+	for appName, isManagedResource := range managedByApp {
+		skipForceRefresh := false
+
+		obj, exists, err := ctrl.appInformer.GetIndexer().GetByKey(ctrl.namespace + "/" + appName)
+		if app, ok := obj.(*appv1.Application); exists && err == nil && ok && isSelfReferencedApp(app, ref) {
+			// Don't force refresh app if related resource is application itself. This prevents infinite reconciliation loop.
+			skipForceRefresh = true
+		}
+
+		if !skipForceRefresh {
+			level := ComparisonWithNothing
+			if isManagedResource {
+				level = CompareWithRecent
+			}
+			ctrl.requestAppRefresh(appName, level)
+		}
+		ctrl.appRefreshQueue.Add(fmt.Sprintf("%s/%s", ctrl.namespace, appName))
+	}
 }

 func (ctrl *ApplicationController) setAppManagedResources(a *appv1.Application, comparisonResult *comparisonResult) (*appv1.ApplicationTree, error) {
@@ -185,11 +239,37 @@ func (ctrl *ApplicationController) setAppManagedResources(a *appv1.Application,
 	return tree, ctrl.cache.SetAppManagedResources(a.Name, managedResources)
 }

+// returns true of given resources exist in the namespace by default and not managed by the user
+func isKnownOrphanedResourceExclusion(key kube.ResourceKey) bool {
+	if key.Namespace == "default" && key.Group == "" && key.Kind == kube.ServiceKind && key.Name == "kubernetes" {
+		return true
+	}
+	if key.Group == "" && key.Kind == kube.ServiceAccountKind && key.Name == "default" {
+		return true
+	}
+	return false
+}
+
 func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managedResources []*appv1.ResourceDiff) (*appv1.ApplicationTree, error) {
 	nodes := make([]appv1.ResourceNode, 0)

+	proj, err := argo.GetAppProject(&a.Spec, applisters.NewAppProjectLister(ctrl.projInformer.GetIndexer()), ctrl.namespace)
+	if err != nil {
+		return nil, err
+	}
+	orphanedNodesMap := make(map[kube.ResourceKey]appv1.ResourceNode)
+	warnOrphaned := true
+	if proj.Spec.OrphanedResources != nil {
+		orphanedNodesMap, err = ctrl.stateCache.GetNamespaceTopLevelResources(a.Spec.Destination.Server, a.Spec.Destination.Namespace)
+		if err != nil {
+			return nil, err
+		}
+		warnOrphaned = proj.Spec.OrphanedResources.IsWarn()
+	}
+
 	for i := range managedResources {
 		managedResource := managedResources[i]
+		delete(orphanedNodesMap, kube.NewResourceKey(managedResource.Group, managedResource.Kind, managedResource.Namespace, managedResource.Name))
 		var live = &unstructured.Unstructured{}
 		err := json.Unmarshal([]byte(managedResource.LiveState), &live)
 		if err != nil {
@@ -212,16 +292,42 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 				},
 			})
 		} else {
-			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, live, func(child appv1.ResourceNode) {
+			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, kube.GetResourceKey(live), func(child appv1.ResourceNode, appName string) {
 				nodes = append(nodes, child)
 			})
 			if err != nil {
 				return nil, err
 			}
-
 		}
 	}
-	return &appv1.ApplicationTree{Nodes: nodes}, nil
+	orphanedNodes := make([]appv1.ResourceNode, 0)
+	for k := range orphanedNodesMap {
+		if k.Namespace != "" && proj.IsResourcePermitted(metav1.GroupKind{Group: k.Group, Kind: k.Kind}, true) && !isKnownOrphanedResourceExclusion(k) {
+			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, k, func(child appv1.ResourceNode, appName string) {
+				belongToAnotherApp := false
+				if appName != "" {
+					if _, exists, err := ctrl.appInformer.GetIndexer().GetByKey(ctrl.namespace + "/" + appName); exists && err == nil {
+						belongToAnotherApp = true
+					}
+				}
+				if !belongToAnotherApp {
+					orphanedNodes = append(orphanedNodes, child)
+				}
+			})
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+	var conditions []appv1.ApplicationCondition
+	if len(orphanedNodes) > 0 && warnOrphaned {
+		conditions = []appv1.ApplicationCondition{{
+			Type:    appv1.ApplicationConditionOrphanedResourceWarning,
+			Message: fmt.Sprintf("Application has %d orphaned resources", len(orphanedNodes)),
+		}}
+	}
+	a.Status.SetConditions(conditions, map[appv1.ApplicationConditionType]bool{appv1.ApplicationConditionOrphanedResourceWarning: true})
+	return &appv1.ApplicationTree{Nodes: nodes, OrphanedNodes: orphanedNodes}, nil
 }

 func (ctrl *ApplicationController) managedResources(comparisonResult *comparisonResult) ([]*appv1.ResourceDiff, error) {
@@ -233,6 +339,7 @@ func (ctrl *ApplicationController) managedResources(comparisonResult *comparison
 			Name:      res.Name,
 			Group:     res.Group,
 			Kind:      res.Kind,
+			Hook:      res.Hook,
 		}

 		target := res.Target
@@ -646,14 +753,21 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	defer func() {
 		reconcileDuration := time.Since(startTime)
 		ctrl.metricsServer.IncReconcile(origApp, reconcileDuration)
-		logCtx := log.WithFields(log.Fields{"application": origApp.Name, "time_ms": reconcileDuration.Seconds() * 1e3, "level": comparisonLevel})
+		logCtx := log.WithFields(log.Fields{
+			"application":    origApp.Name,
+			"time_ms":        reconcileDuration.Seconds() * 1e3,
+			"level":          comparisonLevel,
+			"dest-server":    origApp.Spec.Destination.Server,
+			"dest-namespace": origApp.Spec.Destination.Namespace,
+		})
 		logCtx.Info("Reconciliation completed")
 	}()

 	app := origApp.DeepCopy()
 	logCtx := log.WithFields(log.Fields{"application": app.Name})
 	if comparisonLevel == ComparisonWithNothing {
-		if managedResources, err := ctrl.cache.GetAppManagedResources(app.Name); err != nil {
+		managedResources := make([]*appv1.ResourceDiff, 0)
+		if err := ctrl.cache.GetAppManagedResources(app.Name, &managedResources); err != nil {
 			logCtx.Warnf("Failed to get cached managed resources for tree reconciliation, fallback to full reconciliation")
 		} else {
 			if tree, err := ctrl.getResourceTree(app, managedResources); err != nil {
@@ -672,17 +786,16 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		}
 	}

-	conditions, hasErrors := ctrl.refreshAppConditions(app)
+	hasErrors := ctrl.refreshAppConditions(app)
 	if hasErrors {
 		app.Status.Sync.Status = appv1.SyncStatusCodeUnknown
 		app.Status.Health.Status = appv1.HealthStatusUnknown
-		app.Status.Conditions = conditions
 		ctrl.persistAppStatus(origApp, &app.Status)
 		return
 	}

 	var localManifests []string
-	if opState := app.Status.OperationState; opState != nil {
+	if opState := app.Status.OperationState; opState != nil && opState.Operation.Sync != nil {
 		localManifests = opState.Operation.Sync.Manifests
 	}

@@ -690,13 +803,12 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	if comparisonLevel == CompareWithRecent {
 		revision = app.Status.Sync.Revision
 	}
-	compareResult, err := ctrl.appStateManager.CompareAppState(app, revision, app.Spec.Source, refreshType == appv1.RefreshTypeHard, localManifests)
-	if err != nil {
-		conditions = append(conditions, appv1.ApplicationCondition{Type: appv1.ApplicationConditionComparisonError, Message: err.Error()})
-	} else {
-		ctrl.normalizeApplication(origApp, app, compareResult.appSourceType)
-		conditions = append(conditions, compareResult.conditions...)
-	}
+
+	observedAt := metav1.Now()
+	compareResult := ctrl.appStateManager.CompareAppState(app, revision, app.Spec.Source, refreshType == appv1.RefreshTypeHard, localManifests)
+
+	ctrl.normalizeApplication(origApp, app)
+
 	tree, err := ctrl.setAppManagedResources(app, compareResult)
 	if err != nil {
 		logCtx.Errorf("Failed to cache app resources: %v", err)
@@ -704,17 +816,29 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		app.Status.Summary = tree.GetSummary()
 	}

-	syncErrCond := ctrl.autoSync(app, compareResult.syncStatus, compareResult.resources)
-	if syncErrCond != nil {
-		conditions = append(conditions, *syncErrCond)
+	project, err := ctrl.getAppProj(app)
+	if err != nil {
+		logCtx.Infof("Could not lookup project for %s in order to check schedules state", app.Name)
+	} else {
+		if project.Spec.SyncWindows.Matches(app).CanSync(false) {
+			syncErrCond := ctrl.autoSync(app, compareResult.syncStatus, compareResult.resources)
+			if syncErrCond != nil {
+				app.Status.SetConditions([]appv1.ApplicationCondition{*syncErrCond}, map[appv1.ApplicationConditionType]bool{appv1.ApplicationConditionSyncError: true})
+			} else {
+				app.Status.SetConditions([]appv1.ApplicationCondition{}, map[appv1.ApplicationConditionType]bool{appv1.ApplicationConditionSyncError: true})
+			}
+		} else {
+			logCtx.Infof("Sync prevented by sync window")
+		}
 	}

-	app.Status.ObservedAt = &compareResult.reconciledAt
-	app.Status.ReconciledAt = &compareResult.reconciledAt
+	if app.Status.ReconciledAt == nil || comparisonLevel == CompareWithLatest {
+		app.Status.ReconciledAt = &observedAt
+	}
+	app.Status.ObservedAt = &observedAt
 	app.Status.Sync = *compareResult.syncStatus
 	app.Status.Health = *compareResult.healthStatus
 	app.Status.Resources = compareResult.resources
-	app.Status.Conditions = conditions
 	app.Status.SourceType = compareResult.appSourceType
 	ctrl.persistAppStatus(origApp, &app.Status)
 	return
@@ -730,21 +854,22 @@ func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application,
 	compareWith := CompareWithLatest
 	refreshType := appv1.RefreshTypeNormal
 	expired := app.Status.ReconciledAt == nil || app.Status.ReconciledAt.Add(statusRefreshTimeout).Before(time.Now().UTC())
+
 	if requestedType, ok := app.IsRefreshRequested(); ok {
+		// user requested app refresh.
 		refreshType = requestedType
 		reason = fmt.Sprintf("%s refresh requested", refreshType)
-	} else if requested, level := ctrl.isRefreshRequested(app.Name); requested {
-		compareWith = level
-		reason = fmt.Sprintf("controller refresh requested")
-	} else if app.Status.Sync.Status == appv1.SyncStatusCodeUnknown && expired {
-		reason = "comparison status unknown"
+	} else if expired {
+		reason = fmt.Sprintf("comparison expired. reconciledAt: %v, expiry: %v", app.Status.ReconciledAt, statusRefreshTimeout)
 	} else if !app.Spec.Source.Equals(app.Status.Sync.ComparedTo.Source) {
 		reason = "spec.source differs"
 	} else if !app.Spec.Destination.Equals(app.Status.Sync.ComparedTo.Destination) {
 		reason = "spec.destination differs"
-	} else if expired {
-		reason = fmt.Sprintf("comparison expired. reconciledAt: %v, expiry: %v", app.Status.ReconciledAt, statusRefreshTimeout)
+	} else if requested, level := ctrl.isRefreshRequested(app.Name); requested {
+		compareWith = level
+		reason = fmt.Sprintf("controller refresh requested")
 	}
+
 	if reason != "" {
 		logCtx.Infof("Refreshing app status (%s), level (%d)", reason, compareWith)
 		return true, refreshType, compareWith
@@ -752,17 +877,17 @@ func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application,
 	return false, refreshType, compareWith
 }

-func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application) ([]appv1.ApplicationCondition, bool) {
-	conditions := make([]appv1.ApplicationCondition, 0)
-	proj, err := argo.GetAppProject(&app.Spec, applisters.NewAppProjectLister(ctrl.projInformer.GetIndexer()), ctrl.namespace)
+func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application) bool {
+	errorConditions := make([]appv1.ApplicationCondition, 0)
+	proj, err := ctrl.getAppProj(app)
 	if err != nil {
 		if apierr.IsNotFound(err) {
-			conditions = append(conditions, appv1.ApplicationCondition{
+			errorConditions = append(errorConditions, appv1.ApplicationCondition{
 				Type:    appv1.ApplicationConditionInvalidSpecError,
 				Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
 			})
 		} else {
-			conditions = append(conditions, appv1.ApplicationCondition{
+			errorConditions = append(errorConditions, appv1.ApplicationCondition{
 				Type:    appv1.ApplicationConditionUnknownError,
 				Message: err.Error(),
 			})
@@ -770,48 +895,25 @@ func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application)
 	} else {
 		specConditions, err := argo.ValidatePermissions(context.Background(), &app.Spec, proj, ctrl.db)
 		if err != nil {
-			conditions = append(conditions, appv1.ApplicationCondition{
+			errorConditions = append(errorConditions, appv1.ApplicationCondition{
 				Type:    appv1.ApplicationConditionUnknownError,
 				Message: err.Error(),
 			})
 		} else {
-			conditions = append(conditions, specConditions...)
+			errorConditions = append(errorConditions, specConditions...)
 		}
 	}
-
-	// List of condition types which have to be reevaluated by controller; all remaining conditions should stay as is.
-	reevaluateTypes := map[appv1.ApplicationConditionType]bool{
-		appv1.ApplicationConditionInvalidSpecError:        true,
-		appv1.ApplicationConditionUnknownError:            true,
-		appv1.ApplicationConditionComparisonError:         true,
-		appv1.ApplicationConditionSharedResourceWarning:   true,
-		appv1.ApplicationConditionSyncError:               true,
-		appv1.ApplicationConditionRepeatedResourceWarning: true,
-		appv1.ApplicationConditionExcludedResourceWarning: true,
-	}
-	appConditions := make([]appv1.ApplicationCondition, 0)
-	for i := 0; i < len(app.Status.Conditions); i++ {
-		condition := app.Status.Conditions[i]
-		if _, ok := reevaluateTypes[condition.Type]; !ok {
-			appConditions = append(appConditions, condition)
-		}
-	}
-	hasErrors := false
-	for i := range conditions {
-		condition := conditions[i]
-		appConditions = append(appConditions, condition)
-		if condition.IsError() {
-			hasErrors = true
-		}
-
-	}
-	return appConditions, hasErrors
+	app.Status.SetConditions(errorConditions, map[appv1.ApplicationConditionType]bool{
+		appv1.ApplicationConditionInvalidSpecError: true,
+		appv1.ApplicationConditionUnknownError:     true,
+	})
+	return len(errorConditions) > 0
 }

 // normalizeApplication normalizes an application.spec and additionally persists updates if it changed
-func (ctrl *ApplicationController) normalizeApplication(orig, app *appv1.Application, sourceType appv1.ApplicationSourceType) {
+func (ctrl *ApplicationController) normalizeApplication(orig, app *appv1.Application) {
 	logCtx := log.WithFields(log.Fields{"application": app.Name})
-	app.Spec = *argo.NormalizeApplicationSpec(&app.Spec, sourceType)
+	app.Spec = *argo.NormalizeApplicationSpec(&app.Spec)
 	patch, modified, err := diff.CreateTwoWayMergePatch(orig, app, appv1.Application{})
 	if err != nil {
 		logCtx.Errorf("error constructing app spec patch: %v", err)
@@ -880,6 +982,7 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 		logCtx.Infof("Skipping auto-sync: deletion in progress")
 		return nil
 	}
+
 	// Only perform auto-sync if we detect OutOfSync status. This is to prevent us from attempting
 	// a sync when application is already in a Synced or Unknown state
 	if syncStatus.Status != appv1.SyncStatusCodeOutOfSync {
@@ -976,7 +1079,7 @@ func (ctrl *ApplicationController) shouldSelfHeal(app *appv1.Application) (bool,
 	return retryAfter <= 0, retryAfter
 }

-func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.SharedIndexInformer, applisters.ApplicationLister) {
+func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.SharedIndexInformer, applisters.ApplicationLister, error) {
 	appInformerFactory := appinformers.NewFilteredSharedInformerFactory(
 		ctrl.applicationClientset,
 		ctrl.statusRefreshTimeout,
@@ -1020,7 +1123,24 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 			},
 		},
 	)
-	return informer, lister
+	err := informer.AddIndexers(cache.Indexers{
+		orphanedIndex: func(obj interface{}) (i []string, e error) {
+			app, ok := obj.(*appv1.Application)
+			if !ok {
+				return nil, nil
+			}
+
+			proj, err := ctrl.getAppProj(app)
+			if err != nil {
+				return nil, nil
+			}
+			if proj.Spec.OrphanedResources != nil {
+				return []string{app.Spec.Destination.Namespace}, nil
+			}
+			return nil, nil
+		},
+	})
+	return informer, lister, err
 }

 func isOperationInProgress(app *appv1.Application) bool {
--- a/controller/appcontroller_test.go
+++ b/controller/appcontroller_test.go
@@ -2,6 +2,7 @@ package controller

 import (
 	"context"
+	"encoding/json"
 	"testing"
 	"time"

@@ -28,13 +29,21 @@ import (
 	"github.com/argoproj/argo-cd/test"
 	utilcache "github.com/argoproj/argo-cd/util/cache"
 	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/kube/kubetest"
 	"github.com/argoproj/argo-cd/util/settings"
 )

+type namespacedResource struct {
+	argoappv1.ResourceNode
+	AppName string
+}
+
 type fakeData struct {
-	apps             []runtime.Object
-	manifestResponse *apiclient.ManifestResponse
-	managedLiveObjs  map[kube.ResourceKey]*unstructured.Unstructured
+	apps                []runtime.Object
+	manifestResponse    *apiclient.ManifestResponse
+	managedLiveObjs     map[kube.ResourceKey]*unstructured.Unstructured
+	namespacedResources map[kube.ResourceKey]namespacedResource
+	configMapData       map[string]string
 }

 func newFakeController(data *fakeData) *ApplicationController {
@@ -68,10 +77,11 @@ func newFakeController(data *fakeData) *ApplicationController {
 				"app.kubernetes.io/part-of": "argocd",
 			},
 		},
-		Data: nil,
+		Data: data.configMapData,
 	}
 	kubeClient := fake.NewSimpleClientset(&clust, &cm, &secret)
 	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, test.FakeArgoCDNamespace)
+	kubectl := &kubetest.MockKubectlCmd{}
 	ctrl, err := NewApplicationController(
 		test.FakeArgoCDNamespace,
 		settingsMgr,
@@ -79,9 +89,11 @@ func newFakeController(data *fakeData) *ApplicationController {
 		appclientset.NewSimpleClientset(data.apps...),
 		&mockRepoClientset,
 		utilcache.NewCache(utilcache.NewInMemoryCache(1*time.Hour)),
+		kubectl,
 		time.Minute,
 		time.Minute,
 		common.DefaultPortArgoCDMetrics,
+		0,
 	)
 	if err != nil {
 		panic(err)
@@ -90,14 +102,26 @@ func newFakeController(data *fakeData) *ApplicationController {
 	defer cancelProj()
 	cancelApp := test.StartInformer(ctrl.appInformer)
 	defer cancelApp()
-	// Mock out call to GetManagedLiveObjs if fake data supplied
-	if data.managedLiveObjs != nil {
-		mockStateCache := mockstatecache.LiveStateCache{}
-		mockStateCache.On("GetManagedLiveObjs", mock.Anything, mock.Anything).Return(data.managedLiveObjs, nil)
-		mockStateCache.On("IsNamespaced", mock.Anything, mock.Anything).Return(true, nil)
-		ctrl.stateCache = &mockStateCache
-		ctrl.appStateManager.(*appStateManager).liveStateCache = &mockStateCache
+	mockStateCache := mockstatecache.LiveStateCache{}
+	ctrl.appStateManager.(*appStateManager).liveStateCache = &mockStateCache
+	ctrl.stateCache = &mockStateCache
+	mockStateCache.On("IsNamespaced", mock.Anything, mock.Anything).Return(true, nil)
+	mockStateCache.On("GetManagedLiveObjs", mock.Anything, mock.Anything).Return(data.managedLiveObjs, nil)
+	mockStateCache.On("GetServerVersion", mock.Anything).Return("v1.2.3", nil)
+	response := make(map[kube.ResourceKey]argoappv1.ResourceNode)
+	for k, v := range data.namespacedResources {
+		response[k] = v.ResourceNode
 	}
+	mockStateCache.On("GetNamespaceTopLevelResources", mock.Anything, mock.Anything).Return(response, nil)
+	mockStateCache.On("IterateHierarchy", mock.Anything, mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
+		key := args[1].(kube.ResourceKey)
+		action := args[2].(func(child argoappv1.ResourceNode, appName string))
+		appName := ""
+		if res, ok := data.namespacedResources[key]; ok {
+			appName = res.AppName
+		}
+		action(argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Group: key.Group, Namespace: key.Namespace, Name: key.Name}}, appName)
+	}).Return(nil)
 	return ctrl
 }

@@ -464,17 +488,44 @@ func TestHandleAppUpdated(t *testing.T) {
 	app.Spec.Destination.Server = common.KubernetesInternalAPIServerAddr
 	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})

-	ctrl.handleAppUpdated(app.Name, true, kube.GetObjectRef(kube.MustToUnstructured(app)))
+	ctrl.handleObjectUpdated(map[string]bool{app.Name: true}, kube.GetObjectRef(kube.MustToUnstructured(app)))
 	isRequested, level := ctrl.isRefreshRequested(app.Name)
 	assert.False(t, isRequested)
 	assert.Equal(t, ComparisonWithNothing, level)

-	ctrl.handleAppUpdated(app.Name, true, corev1.ObjectReference{UID: "test", Kind: kube.DeploymentKind, Name: "test", Namespace: "default"})
+	ctrl.handleObjectUpdated(map[string]bool{app.Name: true}, corev1.ObjectReference{UID: "test", Kind: kube.DeploymentKind, Name: "test", Namespace: "default"})
 	isRequested, level = ctrl.isRefreshRequested(app.Name)
 	assert.True(t, isRequested)
 	assert.Equal(t, CompareWithRecent, level)
 }

+func TestHandleOrphanedResourceUpdated(t *testing.T) {
+	app1 := newFakeApp()
+	app1.Name = "app1"
+	app1.Spec.Destination.Namespace = test.FakeArgoCDNamespace
+	app1.Spec.Destination.Server = common.KubernetesInternalAPIServerAddr
+
+	app2 := newFakeApp()
+	app2.Name = "app2"
+	app2.Spec.Destination.Namespace = test.FakeArgoCDNamespace
+	app2.Spec.Destination.Server = common.KubernetesInternalAPIServerAddr
+
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app1, app2, proj}})
+
+	ctrl.handleObjectUpdated(map[string]bool{}, corev1.ObjectReference{UID: "test", Kind: kube.DeploymentKind, Name: "test", Namespace: test.FakeArgoCDNamespace})
+
+	isRequested, level := ctrl.isRefreshRequested(app1.Name)
+	assert.True(t, isRequested)
+	assert.Equal(t, ComparisonWithNothing, level)
+
+	isRequested, level = ctrl.isRefreshRequested(app2.Name)
+	assert.True(t, isRequested)
+	assert.Equal(t, ComparisonWithNothing, level)
+}
+
 func TestSetOperationStateOnDeletedApp(t *testing.T) {
 	ctrl := newFakeController(&fakeData{apps: []runtime.Object{}})
 	fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset)
@@ -523,13 +574,160 @@ func TestNeedRefreshAppStatus(t *testing.T) {
 	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
 	assert.Equal(t, CompareWithLatest, compareWith)

-	// execute hard refresh if app has refresh annotation
-	app.Annotations = map[string]string{
-		common.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
+	{
+		// refresh app using the 'latest' level if comparison expired
+		app := app.DeepCopy()
+		ctrl.requestAppRefresh(app.Name, CompareWithRecent)
+		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+		app.Status.ReconciledAt = &reconciledAt
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Minute)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+		assert.Equal(t, CompareWithLatest, compareWith)
 	}
-	needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
-	assert.True(t, needRefresh)
-	assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
-	assert.Equal(t, CompareWithLatest, compareWith)
+
+	{
+		app := app.DeepCopy()
+		// execute hard refresh if app has refresh annotation
+		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+		app.Status.ReconciledAt = &reconciledAt
+		app.Annotations = map[string]string{
+			common.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
+		}
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
+		assert.Equal(t, CompareWithLatest, compareWith)
+	}
+
+	{
+		app := app.DeepCopy()
+		// ensure that CompareWithLatest level is used if application source has changed
+		ctrl.requestAppRefresh(app.Name, ComparisonWithNothing)
+		// sample app source change
+		app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{
+			Parameters: []argoappv1.HelmParameter{{
+				Name:  "foo",
+				Value: "bar",
+			}},
+		}
+
+		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
+		assert.True(t, needRefresh)
+		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+		assert.Equal(t, CompareWithLatest, compareWith)
+	}
+}
+
+func TestRefreshAppConditions(t *testing.T) {
+	defaultProj := argoappv1.AppProject{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "default",
+			Namespace: test.FakeArgoCDNamespace,
+		},
+		Spec: argoappv1.AppProjectSpec{
+			SourceRepos: []string{"*"},
+			Destinations: []argoappv1.ApplicationDestination{
+				{
+					Server:    "*",
+					Namespace: "*",
+				},
+			},
+		},
+	}
+
+	t.Run("NoErrorConditions", func(t *testing.T) {
+		app := newFakeApp()
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app, &defaultProj}})
+
+		hasErrors := ctrl.refreshAppConditions(app)
+		assert.False(t, hasErrors)
+		assert.Len(t, app.Status.Conditions, 0)
+	})
+
+	t.Run("PreserveExistingWarningCondition", func(t *testing.T) {
+		app := newFakeApp()
+		app.Status.SetConditions([]argoappv1.ApplicationCondition{{Type: argoappv1.ApplicationConditionExcludedResourceWarning}}, nil)
+
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app, &defaultProj}})
+
+		hasErrors := ctrl.refreshAppConditions(app)
+		assert.False(t, hasErrors)
+		assert.Len(t, app.Status.Conditions, 1)
+		assert.Equal(t, argoappv1.ApplicationConditionExcludedResourceWarning, app.Status.Conditions[0].Type)
+	})
+
+	t.Run("ReplacesSpecErrorCondition", func(t *testing.T) {
+		app := newFakeApp()
+		app.Spec.Project = "wrong project"
+		app.Status.SetConditions([]argoappv1.ApplicationCondition{{Type: argoappv1.ApplicationConditionInvalidSpecError, Message: "old message"}}, nil)
+
+		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app, &defaultProj}})
+
+		hasErrors := ctrl.refreshAppConditions(app)
+		assert.True(t, hasErrors)
+		assert.Len(t, app.Status.Conditions, 1)
+		assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, app.Status.Conditions[0].Type)
+		assert.Equal(t, "Application referencing project wrong project which does not exist", app.Status.Conditions[0].Message)
+	})
+}
+
+func TestUpdateReconciledAt(t *testing.T) {
+	app := newFakeApp()
+	reconciledAt := metav1.NewTime(time.Now().Add(-1 * time.Second))
+	app.Status = argoappv1.ApplicationStatus{ReconciledAt: &reconciledAt}
+	app.Status.Sync = argoappv1.SyncStatus{ComparedTo: argoappv1.ComparedTo{Source: app.Spec.Source, Destination: app.Spec.Destination}}
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	})
+	key, _ := cache.MetaNamespaceKeyFunc(app)
+	fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset)
+	fakeAppCs.ReactionChain = nil
+	receivedPatch := map[string]interface{}{}
+	fakeAppCs.AddReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
+		if patchAction, ok := action.(kubetesting.PatchAction); ok {
+			assert.NoError(t, json.Unmarshal(patchAction.GetPatch(), &receivedPatch))
+		}
+		return true, nil, nil
+	})
+
+	t.Run("UpdatedOnFullReconciliation", func(t *testing.T) {
+		receivedPatch = map[string]interface{}{}
+		ctrl.requestAppRefresh(app.Name, CompareWithLatest)
+		ctrl.appRefreshQueue.Add(key)
+
+		ctrl.processAppRefreshQueueItem()
+
+		_, updated, err := unstructured.NestedString(receivedPatch, "status", "reconciledAt")
+		assert.NoError(t, err)
+		assert.True(t, updated)
+
+		_, updated, err = unstructured.NestedString(receivedPatch, "status", "observedAt")
+		assert.NoError(t, err)
+		assert.True(t, updated)
+	})
+
+	t.Run("NotUpdatedOnPartialReconciliation", func(t *testing.T) {
+		receivedPatch = map[string]interface{}{}
+		ctrl.appRefreshQueue.Add(key)
+		ctrl.requestAppRefresh(app.Name, CompareWithRecent)
+
+		ctrl.processAppRefreshQueueItem()
+
+		_, updated, err := unstructured.NestedString(receivedPatch, "status", "reconciledAt")
+		assert.NoError(t, err)
+		assert.False(t, updated)
+
+		_, updated, err = unstructured.NestedString(receivedPatch, "status", "observedAt")
+		assert.NoError(t, err)
+		assert.True(t, updated)
+	})

 }
--- a/controller/cache/cache.go
+++ b/controller/cache/cache.go
@@ -27,18 +27,23 @@ type cacheSettings struct {
 }

 type LiveStateCache interface {
-	IsNamespaced(server string, obj *unstructured.Unstructured) (bool, error)
+	// Returns k8s server version
+	GetServerVersion(serverURL string) (string, error)
+	// Returns true of given group kind is a namespaced resource
+	IsNamespaced(server string, gk schema.GroupKind) (bool, error)
 	// Executes give callback against resource specified by the key and all its children
-	IterateHierarchy(server string, obj *unstructured.Unstructured, action func(child appv1.ResourceNode)) error
+	IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) error
 	// Returns state of live nodes which correspond for target nodes of specified application.
 	GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error)
+	// Returns all top level resources (resources without owner references) of a specified namespace
+	GetNamespaceTopLevelResources(server string, namespace string) (map[kube.ResourceKey]appv1.ResourceNode, error)
 	// Starts watching resources of each controlled cluster.
 	Run(ctx context.Context) error
 	// Invalidate invalidates the entire cluster state cache
 	Invalidate()
 }

-type AppUpdatedHandler = func(appName string, isManagedResource bool, ref v1.ObjectReference)
+type ObjectUpdatedHandler = func(managedByApp map[string]bool, ref v1.ObjectReference)

 func GetTargetObjKey(a *appv1.Application, un *unstructured.Unstructured, isNamespaced bool) kube.ResourceKey {
 	key := kube.GetResourceKey(un)
@@ -57,14 +62,14 @@ func NewLiveStateCache(
 	settingsMgr *settings.SettingsManager,
 	kubectl kube.Kubectl,
 	metricsServer *metrics.MetricsServer,
-	onAppUpdated AppUpdatedHandler) LiveStateCache {
+	onObjectUpdated ObjectUpdatedHandler) LiveStateCache {

 	return &liveStateCache{
 		appInformer:       appInformer,
 		db:                db,
 		clusters:          make(map[string]*clusterInfo),
 		lock:              &sync.Mutex{},
-		onAppUpdated:      onAppUpdated,
+		onObjectUpdated:   onObjectUpdated,
 		kubectl:           kubectl,
 		settingsMgr:       settingsMgr,
 		metricsServer:     metricsServer,
@@ -77,7 +82,7 @@ type liveStateCache struct {
 	clusters          map[string]*clusterInfo
 	lock              *sync.Mutex
 	appInformer       cache.SharedIndexInformer
-	onAppUpdated      AppUpdatedHandler
+	onObjectUpdated   ObjectUpdatedHandler
 	kubectl           kube.Kubectl
 	settingsMgr       *settings.SettingsManager
 	metricsServer     *metrics.MetricsServer
@@ -115,7 +120,7 @@ func (c *liveStateCache) getCluster(server string) (*clusterInfo, error) {
 			lock:             &sync.Mutex{},
 			nodes:            make(map[kube.ResourceKey]*node),
 			nsIndex:          make(map[string]map[kube.ResourceKey]*node),
-			onAppUpdated:     c.onAppUpdated,
+			onObjectUpdated:  c.onObjectUpdated,
 			kubectl:          c.kubectl,
 			cluster:          cluster,
 			syncTime:         nil,
@@ -153,23 +158,31 @@ func (c *liveStateCache) Invalidate() {
 	log.Info("live state cache invalidated")
 }

-func (c *liveStateCache) IsNamespaced(server string, obj *unstructured.Unstructured) (bool, error) {
+func (c *liveStateCache) IsNamespaced(server string, gk schema.GroupKind) (bool, error) {
 	clusterInfo, err := c.getSyncedCluster(server)
 	if err != nil {
 		return false, err
 	}
-	return clusterInfo.isNamespaced(obj), nil
+	return clusterInfo.isNamespaced(gk), nil
 }

-func (c *liveStateCache) IterateHierarchy(server string, obj *unstructured.Unstructured, action func(child appv1.ResourceNode)) error {
+func (c *liveStateCache) IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) error {
 	clusterInfo, err := c.getSyncedCluster(server)
 	if err != nil {
 		return err
 	}
-	clusterInfo.iterateHierarchy(obj, action)
+	clusterInfo.iterateHierarchy(key, action)
 	return nil
 }

+func (c *liveStateCache) GetNamespaceTopLevelResources(server string, namespace string) (map[kube.ResourceKey]appv1.ResourceNode, error) {
+	clusterInfo, err := c.getSyncedCluster(server)
+	if err != nil {
+		return nil, err
+	}
+	return clusterInfo.getNamespaceTopLevelResources(namespace), nil
+}
+
 func (c *liveStateCache) GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error) {
 	clusterInfo, err := c.getSyncedCluster(a.Spec.Destination.Server)
 	if err != nil {
@@ -177,6 +190,13 @@ func (c *liveStateCache) GetManagedLiveObjs(a *appv1.Application, targetObjs []*
 	}
 	return clusterInfo.getManagedLiveObjs(a, targetObjs, c.metricsServer)
 }
+func (c *liveStateCache) GetServerVersion(serverURL string) (string, error) {
+	clusterInfo, err := c.getSyncedCluster(serverURL)
+	if err != nil {
+		return "", err
+	}
+	return clusterInfo.serverVersion, nil
+}

 func isClusterHasApps(apps []interface{}, cluster *appv1.Cluster) bool {
 	for _, obj := range apps {
--- a/controller/cache/cache_test.go
+++ b/controller/cache/cache_test.go
@@ -0,0 +1,27 @@
+package cache
+
+import (
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestGetServerVersion(t *testing.T) {
+	now := time.Now()
+	cache := &liveStateCache{
+		lock: &sync.Mutex{},
+		clusters: map[string]*clusterInfo{
+			"http://localhost": {
+				syncTime:      &now,
+				syncLock:      &sync.Mutex{},
+				lock:          &sync.Mutex{},
+				serverVersion: "123",
+			},
+		}}
+
+	version, err := cache.GetServerVersion("http://localhost")
+	assert.NoError(t, err)
+	assert.Equal(t, "123", version)
+}
--- a/controller/cache/cluster.go
+++ b/controller/cache/cluster.go
@@ -39,16 +39,17 @@ type apiMeta struct {
 }

 type clusterInfo struct {
-	syncLock  *sync.Mutex
-	syncTime  *time.Time
-	syncError error
-	apisMeta  map[schema.GroupKind]*apiMeta
+	syncLock      *sync.Mutex
+	syncTime      *time.Time
+	syncError     error
+	apisMeta      map[schema.GroupKind]*apiMeta
+	serverVersion string

 	lock    *sync.Mutex
 	nodes   map[kube.ResourceKey]*node
 	nsIndex map[string]map[kube.ResourceKey]*node

-	onAppUpdated     AppUpdatedHandler
+	onObjectUpdated  ObjectUpdatedHandler
 	kubectl          kube.Kubectl
 	cluster          *appv1.Cluster
 	log              *log.Entry
@@ -85,13 +86,55 @@ func (c *clusterInfo) replaceResourceCache(gk schema.GroupKind, resourceVersion
 	}
 }

+func isServiceAccountTokenSecret(un *unstructured.Unstructured) (bool, metav1.OwnerReference) {
+	ref := metav1.OwnerReference{
+		APIVersion: "v1",
+		Kind:       kube.ServiceAccountKind,
+	}
+	if un.GetKind() != kube.SecretKind || un.GroupVersionKind().Group != "" {
+		return false, ref
+	}
+
+	if typeVal, ok, err := unstructured.NestedString(un.Object, "type"); !ok || err != nil || typeVal != "kubernetes.io/service-account-token" {
+		return false, ref
+	}
+
+	annotations := un.GetAnnotations()
+	if annotations == nil {
+		return false, ref
+	}
+
+	id, okId := annotations["kubernetes.io/service-account.uid"]
+	name, okName := annotations["kubernetes.io/service-account.name"]
+	if okId && okName {
+		ref.Name = name
+		ref.UID = types.UID(id)
+	}
+	return ref.Name != "" && ref.UID != "", ref
+}
+
 func (c *clusterInfo) createObjInfo(un *unstructured.Unstructured, appInstanceLabel string) *node {
 	ownerRefs := un.GetOwnerReferences()
+	// Special case for endpoint. Remove after https://github.com/kubernetes/kubernetes/issues/28483 is fixed
+	if un.GroupVersionKind().Group == "" && un.GetKind() == kube.EndpointsKind && len(un.GetOwnerReferences()) == 0 {
+		ownerRefs = append(ownerRefs, metav1.OwnerReference{
+			Name:       un.GetName(),
+			Kind:       kube.ServiceKind,
+			APIVersion: "v1",
+		})
+	}
+
+	// edge case. Consider auto-created service account tokens as a child of service account objects
+	if yes, ref := isServiceAccountTokenSecret(un); yes {
+		ownerRefs = append(ownerRefs, ref)
+	}
+
 	nodeInfo := &node{
 		resourceVersion: un.GetResourceVersion(),
 		ref:             kube.GetObjectRef(un),
 		ownerRefs:       ownerRefs,
 	}
+
 	populateNodeInfo(un, nodeInfo)
 	appName := kube.GetAppInstanceLabel(un, appInstanceLabel)
 	if len(ownerRefs) == 0 && appName != "" {
@@ -267,8 +310,13 @@ func (c *clusterInfo) sync() (err error) {
 	}
 	c.apisMeta = make(map[schema.GroupKind]*apiMeta)
 	c.nodes = make(map[kube.ResourceKey]*node)
-
-	apis, err := c.kubectl.GetAPIResources(c.cluster.RESTConfig(), c.cacheSettingsSrc().ResourcesFilter)
+	config := c.cluster.RESTConfig()
+	version, err := c.kubectl.GetServerVersion(config)
+	if err != nil {
+		return err
+	}
+	c.serverVersion = version
+	apis, err := c.kubectl.GetAPIResources(config, c.cacheSettingsSrc().ResourcesFilter)
 	if err != nil {
 		return err
 	}
@@ -315,13 +363,24 @@ func (c *clusterInfo) ensureSynced() error {
 	return c.syncError
 }

-func (c *clusterInfo) iterateHierarchy(obj *unstructured.Unstructured, action func(child appv1.ResourceNode)) {
+func (c *clusterInfo) getNamespaceTopLevelResources(namespace string) map[kube.ResourceKey]appv1.ResourceNode {
+	c.lock.Lock()
+	defer c.lock.Unlock()
+	nodes := make(map[kube.ResourceKey]appv1.ResourceNode)
+	for _, node := range c.nsIndex[namespace] {
+		if len(node.ownerRefs) == 0 {
+			nodes[node.resourceKey()] = node.asResourceNode()
+		}
+	}
+	return nodes
+}
+
+func (c *clusterInfo) iterateHierarchy(key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) {
 	c.lock.Lock()
 	defer c.lock.Unlock()
-	key := kube.GetResourceKey(obj)
 	if objInfo, ok := c.nodes[key]; ok {
-		action(objInfo.asResourceNode())
 		nsNodes := c.nsIndex[key.Namespace]
+		action(objInfo.asResourceNode(), objInfo.getApp(nsNodes))
 		childrenByUID := make(map[types.UID][]*node)
 		for _, child := range nsNodes {
 			if objInfo.isParentOf(child) {
@@ -339,17 +398,15 @@ func (c *clusterInfo) iterateHierarchy(obj *unstructured.Unstructured, action fu
 					return strings.Compare(key1.String(), key2.String()) < 0
 				})
 				child := children[0]
-				action(child.asResourceNode())
+				action(child.asResourceNode(), child.getApp(nsNodes))
 				child.iterateChildren(nsNodes, map[kube.ResourceKey]bool{objInfo.resourceKey(): true}, action)
 			}
 		}
-	} else {
-		action(c.createObjInfo(obj, c.cacheSettingsSrc().AppInstanceLabelKey).asResourceNode())
 	}
 }

-func (c *clusterInfo) isNamespaced(obj *unstructured.Unstructured) bool {
-	if api, ok := c.apisMeta[kube.GetResourceKey(obj).GroupKind()]; ok && !api.namespaced {
+func (c *clusterInfo) isNamespaced(gk schema.GroupKind) bool {
+	if api, ok := c.apisMeta[gk]; ok && !api.namespaced {
 		return false
 	}
 	return true
@@ -372,7 +429,7 @@ func (c *clusterInfo) getManagedLiveObjs(a *appv1.Application, targetObjs []*uns
 	lock := &sync.Mutex{}
 	err := util.RunAllAsync(len(targetObjs), func(i int) error {
 		targetObj := targetObjs[i]
-		key := GetTargetObjKey(a, targetObj, c.isNamespaced(targetObj))
+		key := GetTargetObjKey(a, targetObj, c.isNamespaced(targetObj.GroupVersionKind().GroupKind()))
 		lock.Lock()
 		managedObj := managedObjs[key]
 		lock.Unlock()
@@ -464,9 +521,7 @@ func (c *clusterInfo) onNodeUpdated(exists bool, existingNode *node, un *unstruc
 			toNotify[app] = n.isRootAppNode() || toNotify[app]
 		}
 	}
-	for name, isRootAppNode := range toNotify {
-		c.onAppUpdated(name, isRootAppNode, newObj.ref)
-	}
+	c.onObjectUpdated(toNotify, newObj.ref)
 }

 func (c *clusterInfo) onNodeRemoved(key kube.ResourceKey, n *node) {
@@ -476,9 +531,11 @@ func (c *clusterInfo) onNodeRemoved(key kube.ResourceKey, n *node) {
 	}

 	c.removeNode(key)
+	managedByApp := make(map[string]bool)
 	if appName != "" {
-		c.onAppUpdated(appName, n.isRootAppNode(), n.ref)
+		managedByApp[appName] = n.isRootAppNode()
 	}
+	c.onObjectUpdated(managedByApp, n.ref)
 }

 var (
--- a/controller/cache/cluster_test.go
+++ b/controller/cache/cluster_test.go
@@ -87,6 +87,7 @@ var (
    name: helm-guestbook
    namespace: default
    resourceVersion: "123"
+    uid: "4"
  spec:
    selector:
      app: guestbook
@@ -102,6 +103,7 @@ var (
  metadata:
    name: helm-guestbook
    namespace: default
+    uid: "4"
  spec:
    backend:
      serviceName: not-found-service
@@ -151,16 +153,16 @@ func newCluster(objs ...*unstructured.Unstructured) *clusterInfo {

 func newClusterExt(kubectl kube.Kubectl) *clusterInfo {
 	return &clusterInfo{
-		lock:         &sync.Mutex{},
-		nodes:        make(map[kube.ResourceKey]*node),
-		onAppUpdated: func(appName string, fullRefresh bool, reference corev1.ObjectReference) {},
-		kubectl:      kubectl,
-		nsIndex:      make(map[string]map[kube.ResourceKey]*node),
-		cluster:      &appv1.Cluster{},
-		syncTime:     nil,
-		syncLock:     &sync.Mutex{},
-		apisMeta:     make(map[schema.GroupKind]*apiMeta),
-		log:          log.WithField("cluster", "test"),
+		lock:            &sync.Mutex{},
+		nodes:           make(map[kube.ResourceKey]*node),
+		onObjectUpdated: func(managedByApp map[string]bool, reference corev1.ObjectReference) {},
+		kubectl:         kubectl,
+		nsIndex:         make(map[string]map[kube.ResourceKey]*node),
+		cluster:         &appv1.Cluster{},
+		syncTime:        nil,
+		syncLock:        &sync.Mutex{},
+		apisMeta:        make(map[schema.GroupKind]*apiMeta),
+		log:             log.WithField("cluster", "test"),
 		cacheSettingsSrc: func() *cacheSettings {
 			return &cacheSettings{AppInstanceLabelKey: common.LabelKeyAppInstance}
 		},
@@ -169,12 +171,43 @@ func newClusterExt(kubectl kube.Kubectl) *clusterInfo {

 func getChildren(cluster *clusterInfo, un *unstructured.Unstructured) []appv1.ResourceNode {
 	hierarchy := make([]appv1.ResourceNode, 0)
-	cluster.iterateHierarchy(un, func(child appv1.ResourceNode) {
+	cluster.iterateHierarchy(kube.GetResourceKey(un), func(child appv1.ResourceNode, app string) {
 		hierarchy = append(hierarchy, child)
 	})
 	return hierarchy[1:]
 }

+func TestGetNamespaceResources(t *testing.T) {
+	defaultNamespaceTopLevel1 := strToUnstructured(`
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata: {"name": "helm-guestbook1", "namespace": "default"}
+`)
+	defaultNamespaceTopLevel2 := strToUnstructured(`
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata: {"name": "helm-guestbook2", "namespace": "default"}
+`)
+	kubesystemNamespaceTopLevel2 := strToUnstructured(`
+  apiVersion: apps/v1
+  kind: Deployment
+  metadata: {"name": "helm-guestbook3", "namespace": "kube-system"}
+`)
+
+	cluster := newCluster(defaultNamespaceTopLevel1, defaultNamespaceTopLevel2, kubesystemNamespaceTopLevel2)
+	err := cluster.ensureSynced()
+	assert.Nil(t, err)
+
+	resources := cluster.getNamespaceTopLevelResources("default")
+	assert.Len(t, resources, 2)
+	assert.Equal(t, resources[kube.GetResourceKey(defaultNamespaceTopLevel1)].Name, "helm-guestbook1")
+	assert.Equal(t, resources[kube.GetResourceKey(defaultNamespaceTopLevel2)].Name, "helm-guestbook2")
+
+	resources = cluster.getNamespaceTopLevelResources("kube-system")
+	assert.Len(t, resources, 1)
+	assert.Equal(t, resources[kube.GetResourceKey(kubesystemNamespaceTopLevel2)].Name, "helm-guestbook3")
+}
+
 func TestGetChildren(t *testing.T) {
 	cluster := newCluster(testPod, testRS, testDeploy)
 	err := cluster.ensureSynced()
@@ -370,8 +403,10 @@ func TestUpdateResourceTags(t *testing.T) {
 func TestUpdateAppResource(t *testing.T) {
 	updatesReceived := make([]string, 0)
 	cluster := newCluster(testPod, testRS, testDeploy)
-	cluster.onAppUpdated = func(appName string, fullRefresh bool, _ corev1.ObjectReference) {
-		updatesReceived = append(updatesReceived, fmt.Sprintf("%s: %v", appName, fullRefresh))
+	cluster.onObjectUpdated = func(managedByApp map[string]bool, _ corev1.ObjectReference) {
+		for appName, fullRefresh := range managedByApp {
+			updatesReceived = append(updatesReceived, fmt.Sprintf("%s: %v", appName, fullRefresh))
+		}
 	}

 	err := cluster.ensureSynced()
--- a/controller/cache/info.go
+++ b/controller/cache/info.go
@@ -31,7 +31,7 @@ func populateNodeInfo(un *unstructured.Unstructured, node *node) {
 			populateServiceInfo(un, node)
 			return
 		}
-	case "extensions":
+	case "extensions", "networking.k8s.io":
 		switch gvk.Kind {
 		case kube.IngressKind:
 			populateIngressInfo(un, node)
@@ -126,14 +126,23 @@ func populateIngressInfo(un *unstructured.Unstructured, node *node) {
 						stringPort = fmt.Sprintf("%v", port)
 					}

+					var externalURL string
 					switch stringPort {
 					case "80", "http":
-						urlsSet[fmt.Sprintf("http://%s", host)] = true
+						externalURL = fmt.Sprintf("http://%s", host)
 					case "443", "https":
-						urlsSet[fmt.Sprintf("https://%s", host)] = true
+						externalURL = fmt.Sprintf("https://%s", host)
 					default:
-						urlsSet[fmt.Sprintf("http://%s:%s", host, stringPort)] = true
+						externalURL = fmt.Sprintf("http://%s:%s", host, stringPort)
 					}
+
+					subPath := ""
+					if nestedPath, ok, err := unstructured.NestedString(path, "path"); ok && err == nil {
+						subPath = nestedPath
+					}
+
+					externalURL += subPath
+					urlsSet[externalURL] = true
 				}
 			}
 		}
--- a/controller/cache/info_test.go
+++ b/controller/cache/info_test.go
@@ -68,7 +68,7 @@ func TestGetIngressInfo(t *testing.T) {
 			Kind:      kube.ServiceKind,
 			Name:      "helm-guestbook",
 		}},
-		ExternalURLs: []string{"https://helm-guestbook.com"},
+		ExternalURLs: []string{"https://helm-guestbook.com/"},
 	}, node.networkingInfo)
 }

@@ -103,6 +103,120 @@ func TestGetIngressInfoNoHost(t *testing.T) {
 			Kind:      kube.ServiceKind,
 			Name:      "helm-guestbook",
 		}},
-		ExternalURLs: []string{"https://107.178.210.11"},
+		ExternalURLs: []string{"https://107.178.210.11/"},
 	}, node.networkingInfo)
 }
+func TestExternalUrlWithSubPath(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /my/sub/path/
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	node := &node{}
+	populateNodeInfo(ingress, node)
+
+	expectedExternalUrls := []string{"https://107.178.210.11/my/sub/path/"}
+	assert.Equal(t, expectedExternalUrls, node.networkingInfo.ExternalURLs)
+}
+func TestExternalUrlWithMultipleSubPaths(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - host: helm-guestbook.com
+      http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+          path: /my/sub/path/
+        - backend:
+            serviceName: helm-guestbook-2
+            servicePort: 443
+          path: /my/sub/path/2
+        - backend:
+            serviceName: helm-guestbook-3
+            servicePort: 443
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	node := &node{}
+	populateNodeInfo(ingress, node)
+
+	expectedExternalUrls := []string{"https://helm-guestbook.com/my/sub/path/", "https://helm-guestbook.com/my/sub/path/2", "https://helm-guestbook.com"}
+	actualURLs := node.networkingInfo.ExternalURLs
+	sort.Strings(expectedExternalUrls)
+	sort.Strings(actualURLs)
+	assert.Equal(t, expectedExternalUrls, actualURLs)
+}
+func TestExternalUrlWithNoSubPath(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: extensions/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	node := &node{}
+	populateNodeInfo(ingress, node)
+
+	expectedExternalUrls := []string{"https://107.178.210.11"}
+	assert.Equal(t, expectedExternalUrls, node.networkingInfo.ExternalURLs)
+}
+
+func TestExternalUrlWithNetworkingApi(t *testing.T) {
+	ingress := strToUnstructured(`
+  apiVersion: networking.k8s.io/v1beta1
+  kind: Ingress
+  metadata:
+    name: helm-guestbook
+    namespace: default
+  spec:
+    rules:
+    - http:
+        paths:
+        - backend:
+            serviceName: helm-guestbook
+            servicePort: 443
+  status:
+    loadBalancer:
+      ingress:
+      - ip: 107.178.210.11`)
+
+	node := &node{}
+	populateNodeInfo(ingress, node)
+
+	expectedExternalUrls := []string{"https://107.178.210.11"}
+	assert.Equal(t, expectedExternalUrls, node.networkingInfo.ExternalURLs)
+}
--- a/controller/cache/mocks/LiveStateCache.go
+++ b/controller/cache/mocks/LiveStateCache.go
@@ -2,11 +2,18 @@

 package mocks

-import context "context"
-import kube "github.com/argoproj/argo-cd/util/kube"
-import mock "github.com/stretchr/testify/mock"
-import unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-import v1alpha1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+import (
+	context "context"
+
+	kube "github.com/argoproj/argo-cd/util/kube"
+	mock "github.com/stretchr/testify/mock"
+
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+
+	unstructured "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+
+	v1alpha1 "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+)

 // LiveStateCache is an autogenerated mock type for the LiveStateCache type
 type LiveStateCache struct {
@@ -36,25 +43,22 @@ func (_m *LiveStateCache) GetManagedLiveObjs(a *v1alpha1.Application, targetObjs
 	return r0, r1
 }

-// Invalidate provides a mock function with given fields:
-func (_m *LiveStateCache) Invalidate() {
-	_m.Called()
-}
+// GetNamespaceTopLevelResources provides a mock function with given fields: server, namespace
+func (_m *LiveStateCache) GetNamespaceTopLevelResources(server string, namespace string) (map[kube.ResourceKey]v1alpha1.ResourceNode, error) {
+	ret := _m.Called(server, namespace)

-// IsNamespaced provides a mock function with given fields: server, obj
-func (_m *LiveStateCache) IsNamespaced(server string, obj *unstructured.Unstructured) (bool, error) {
-	ret := _m.Called(server, obj)
-
-	var r0 bool
-	if rf, ok := ret.Get(0).(func(string, *unstructured.Unstructured) bool); ok {
-		r0 = rf(server, obj)
+	var r0 map[kube.ResourceKey]v1alpha1.ResourceNode
+	if rf, ok := ret.Get(0).(func(string, string) map[kube.ResourceKey]v1alpha1.ResourceNode); ok {
+		r0 = rf(server, namespace)
 	} else {
-		r0 = ret.Get(0).(bool)
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(map[kube.ResourceKey]v1alpha1.ResourceNode)
+		}
 	}

 	var r1 error
-	if rf, ok := ret.Get(1).(func(string, *unstructured.Unstructured) error); ok {
-		r1 = rf(server, obj)
+	if rf, ok := ret.Get(1).(func(string, string) error); ok {
+		r1 = rf(server, namespace)
 	} else {
 		r1 = ret.Error(1)
 	}
@@ -62,13 +66,60 @@ func (_m *LiveStateCache) IsNamespaced(server string, obj *unstructured.Unstruct
 	return r0, r1
 }

-// IterateHierarchy provides a mock function with given fields: server, obj, action
-func (_m *LiveStateCache) IterateHierarchy(server string, obj *unstructured.Unstructured, action func(v1alpha1.ResourceNode)) error {
-	ret := _m.Called(server, obj, action)
+// GetServerVersion provides a mock function with given fields: server
+func (_m *LiveStateCache) GetServerVersion(server string) (string, error) {
+	ret := _m.Called(server)
+
+	var r0 string
+	if rf, ok := ret.Get(0).(func(string) string); ok {
+		r0 = rf(server)
+	} else {
+		r0 = ret.Get(0).(string)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string) error); ok {
+		r1 = rf(server)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// Invalidate provides a mock function with given fields:
+func (_m *LiveStateCache) Invalidate() {
+	_m.Called()
+}
+
+// IsNamespaced provides a mock function with given fields: server, gk
+func (_m *LiveStateCache) IsNamespaced(server string, gk schema.GroupKind) (bool, error) {
+	ret := _m.Called(server, gk)
+
+	var r0 bool
+	if rf, ok := ret.Get(0).(func(string, schema.GroupKind) bool); ok {
+		r0 = rf(server, gk)
+	} else {
+		r0 = ret.Get(0).(bool)
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func(string, schema.GroupKind) error); ok {
+		r1 = rf(server, gk)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// IterateHierarchy provides a mock function with given fields: server, key, action
+func (_m *LiveStateCache) IterateHierarchy(server string, key kube.ResourceKey, action func(v1alpha1.ResourceNode, string)) error {
+	ret := _m.Called(server, key, action)

 	var r0 error
-	if rf, ok := ret.Get(0).(func(string, *unstructured.Unstructured, func(v1alpha1.ResourceNode)) error); ok {
-		r0 = rf(server, obj, action)
+	if rf, ok := ret.Get(0).(func(string, kube.ResourceKey, func(v1alpha1.ResourceNode, string)) error); ok {
+		r0 = rf(server, key, action)
 	} else {
 		r0 = ret.Error(0)
 	}
--- a/controller/cache/node.go
+++ b/controller/cache/node.go
@@ -35,12 +35,15 @@ func (n *node) resourceKey() kube.ResourceKey {
 }

 func (n *node) isParentOf(child *node) bool {
-	// Special case for endpoint. Remove after https://github.com/kubernetes/kubernetes/issues/28483 is fixed
-	if len(child.ownerRefs) == 0 && child.ref.APIVersion == "v1" && child.ref.Kind == kube.EndpointsKind && n.ref.APIVersion == "v1" && n.ref.Kind == kube.ServiceKind && n.ref.Name == child.ref.Name {
-		child.ownerRefs = []metav1.OwnerReference{{Name: n.ref.Name, Kind: n.ref.Kind, APIVersion: n.ref.APIVersion, UID: n.ref.UID}}
-	}
+	for i, ownerRef := range child.ownerRefs {
+
+		// backfill UID of inferred owner child references
+		if ownerRef.UID == "" && n.ref.Kind == ownerRef.Kind && n.ref.APIVersion == ownerRef.APIVersion && n.ref.Name == ownerRef.Name {
+			ownerRef.UID = n.ref.UID
+			child.ownerRefs[i] = ownerRef
+			return true
+		}

-	for _, ownerRef := range child.ownerRefs {
 		if n.ref.UID == ownerRef.UID {
 			return true
 		}
@@ -124,14 +127,14 @@ func (n *node) asResourceNode() appv1.ResourceNode {
 	}
 }

-func (n *node) iterateChildren(ns map[kube.ResourceKey]*node, parents map[kube.ResourceKey]bool, action func(child appv1.ResourceNode)) {
+func (n *node) iterateChildren(ns map[kube.ResourceKey]*node, parents map[kube.ResourceKey]bool, action func(child appv1.ResourceNode, appName string)) {
 	for childKey, child := range ns {
 		if n.isParentOf(ns[childKey]) {
 			if parents[childKey] {
 				key := n.resourceKey()
 				log.Warnf("Circular dependency detected. %s is child and parent of %s", childKey.String(), key.String())
 			} else {
-				action(child.asResourceNode())
+				action(child.asResourceNode(), child.getApp(ns))
 				child.iterateChildren(ns, newResourceKeySet(parents, n.resourceKey()), action)
 			}
 		}
--- a/controller/cache/node_test.go
+++ b/controller/cache/node_test.go
@@ -51,5 +51,33 @@ metadata:
 	parent := c.createObjInfo(testService, "")

 	assert.True(t, parent.isParentOf(matchingNameEndPoint))
+	assert.Equal(t, parent.ref.UID, matchingNameEndPoint.ownerRefs[0].UID)
 	assert.False(t, parent.isParentOf(nonMatchingNameEndPoint))
 }
+
+func TestIsServiceAccoountParentOfSecret(t *testing.T) {
+	serviceAccount := c.createObjInfo(strToUnstructured(`
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: default
+  namespace: default
+  uid: '123'
+secrets:
+- name: default-token-123
+`), "")
+	tokenSecret := c.createObjInfo(strToUnstructured(`
+apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: default
+    kubernetes.io/service-account.uid: '123'
+  name: default-token-123
+  namespace: default
+  uid: '345'
+type: kubernetes.io/service-account-token
+`), "")
+
+	assert.True(t, serviceAccount.isParentOf(tokenSecret))
+}
--- a/controller/metrics/metrics.go
+++ b/controller/metrics/metrics.go
@@ -18,9 +18,11 @@ import (

 type MetricsServer struct {
 	*http.Server
-	syncCounter        *prometheus.CounterVec
-	k8sRequestCounter  *prometheus.CounterVec
-	reconcileHistogram *prometheus.HistogramVec
+	syncCounter             *prometheus.CounterVec
+	k8sRequestCounter       *prometheus.CounterVec
+	kubectlExecCounter      *prometheus.CounterVec
+	kubectlExecPendingGauge *prometheus.GaugeVec
+	reconcileHistogram      *prometheus.HistogramVec
 }

 const (
@@ -76,6 +78,16 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister, health
 		append(descAppDefaultLabels, "phase"),
 	)
 	appRegistry.MustRegister(syncCounter)
+	kubectlExecCounter := prometheus.NewCounterVec(prometheus.CounterOpts{
+		Name: "argocd_kubectl_exec_total",
+		Help: "Number of kubectl executions",
+	}, []string{"command"})
+	appRegistry.MustRegister(kubectlExecCounter)
+	kubectlExecPendingGauge := prometheus.NewGaugeVec(prometheus.GaugeOpts{
+		Name: "argocd_kubectl_exec_pending",
+		Help: "Number of pending kubectl executions",
+	}, []string{"command"})
+	appRegistry.MustRegister(kubectlExecPendingGauge)
 	k8sRequestCounter := prometheus.NewCounterVec(
 		prometheus.CounterOpts{
 			Name: "argocd_app_k8s_request_total",
@@ -92,7 +104,7 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister, health
 			// Buckets chosen after observing a ~2100ms mean reconcile time
 			Buckets: []float64{0.25, .5, 1, 2, 4, 8, 16},
 		},
-		append(descAppDefaultLabels),
+		descAppDefaultLabels,
 	)

 	appRegistry.MustRegister(reconcileHistogram)
@@ -102,9 +114,11 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister, health
 			Addr:    addr,
 			Handler: mux,
 		},
-		syncCounter:        syncCounter,
-		k8sRequestCounter:  k8sRequestCounter,
-		reconcileHistogram: reconcileHistogram,
+		syncCounter:             syncCounter,
+		k8sRequestCounter:       k8sRequestCounter,
+		reconcileHistogram:      reconcileHistogram,
+		kubectlExecCounter:      kubectlExecCounter,
+		kubectlExecPendingGauge: kubectlExecPendingGauge,
 	}
 }

@@ -126,6 +140,18 @@ func (m *MetricsServer) IncReconcile(app *argoappv1.Application, duration time.D
 	m.reconcileHistogram.WithLabelValues(app.Namespace, app.Name, app.Spec.GetProject()).Observe(duration.Seconds())
 }

+func (m *MetricsServer) IncKubectlExec(command string) {
+	m.kubectlExecCounter.WithLabelValues(command).Inc()
+}
+
+func (m *MetricsServer) IncKubectlExecPending(command string) {
+	m.kubectlExecPendingGauge.WithLabelValues(command).Inc()
+}
+
+func (m *MetricsServer) DecKubectlExecPending(command string) {
+	m.kubectlExecPendingGauge.WithLabelValues(command).Dec()
+}
+
 type appCollector struct {
 	store applister.ApplicationLister
 }
--- a/controller/state.go
+++ b/controller/state.go
@@ -9,6 +9,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/cache"

@@ -27,6 +28,7 @@ import (
 	hookutil "github.com/argoproj/argo-cd/util/hook"
 	kubeutil "github.com/argoproj/argo-cd/util/kube"
 	"github.com/argoproj/argo-cd/util/resource"
+	"github.com/argoproj/argo-cd/util/resource/ignore"
 	"github.com/argoproj/argo-cd/util/settings"
 )

@@ -51,27 +53,35 @@ func GetLiveObjs(res []managedResource) []*unstructured.Unstructured {
 }

 type ResourceInfoProvider interface {
-	IsNamespaced(server string, obj *unstructured.Unstructured) (bool, error)
+	IsNamespaced(server string, gk schema.GroupKind) (bool, error)
 }

 // AppStateManager defines methods which allow to compare application spec and actual application state.
 type AppStateManager interface {
-	CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool, localObjects []string) (*comparisonResult, error)
+	CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool, localObjects []string) *comparisonResult
 	SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState)
 }

 type comparisonResult struct {
-	reconciledAt     metav1.Time
 	syncStatus       *v1alpha1.SyncStatus
 	healthStatus     *v1alpha1.HealthStatus
 	resources        []v1alpha1.ResourceStatus
 	managedResources []managedResource
-	conditions       []v1alpha1.ApplicationCondition
 	hooks            []*unstructured.Unstructured
 	diffNormalizer   diff.Normalizer
 	appSourceType    v1alpha1.ApplicationSourceType
 }

+func (cr *comparisonResult) targetObjs() []*unstructured.Unstructured {
+	objs := cr.hooks
+	for _, r := range cr.managedResources {
+		if r.Target != nil {
+			objs = append(objs, r.Target)
+		}
+	}
+	return objs
+}
+
 // appStateManager allows to compare applications to git
 type appStateManager struct {
 	metricsServer  *metrics.MetricsServer
@@ -86,7 +96,7 @@ type appStateManager struct {
 }

 func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1.ApplicationSource, appLabelKey, revision string, noCache bool) ([]*unstructured.Unstructured, []*unstructured.Unstructured, *apiclient.ManifestResponse, error) {
-	helmRepos, err := m.db.ListHelmRepos(context.Background())
+	helmRepos, err := m.db.ListHelmRepositories(context.Background())
 	if err != nil {
 		return nil, nil, nil, err
 	}
@@ -118,9 +128,13 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1
 	if err != nil {
 		return nil, nil, nil, err
 	}
+	serverVersion, err := m.liveStateCache.GetServerVersion(app.Spec.Destination.Server)
+	if err != nil {
+		return nil, nil, nil, err
+	}
 	manifestInfo, err := repoClient.GenerateManifest(context.Background(), &apiclient.ManifestRequest{
 		Repo:              repo,
-		HelmRepos:         helmRepos,
+		Repos:             helmRepos,
 		Revision:          revision,
 		NoCache:           noCache,
 		AppLabelKey:       appLabelKey,
@@ -131,14 +145,16 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1
 		KustomizeOptions: &appv1.KustomizeOptions{
 			BuildOptions: buildOptions,
 		},
+		KubeVersion: serverVersion,
 	})
 	if err != nil {
 		return nil, nil, nil, err
 	}
-
-	targetObjs, hooks, nil := unmarshalManifests(manifestInfo.Manifests)
+	targetObjs, hooks, err := unmarshalManifests(manifestInfo.Manifests)
+	if err != nil {
+		return nil, nil, nil, err
+	}
 	return targetObjs, hooks, manifestInfo, nil
-
 }

 func unmarshalManifests(manifests []string) ([]*unstructured.Unstructured, []*unstructured.Unstructured, error) {
@@ -149,7 +165,7 @@ func unmarshalManifests(manifests []string) ([]*unstructured.Unstructured, []*un
 		if err != nil {
 			return nil, nil, err
 		}
-		if resource.Ignore(obj) {
+		if ignore.Ignore(obj) {
 			continue
 		}
 		if hookutil.IsHook(obj) {
@@ -171,7 +187,7 @@ func DeduplicateTargetObjects(
 	targetByKey := make(map[kubeutil.ResourceKey][]*unstructured.Unstructured)
 	for i := range objs {
 		obj := objs[i]
-		isNamespaced, err := infoProvider.IsNamespaced(server, obj)
+		isNamespaced, err := infoProvider.IsNamespaced(server, obj.GroupVersionKind().GroupKind())
 		if err != nil {
 			return objs, nil, err
 		}
@@ -234,28 +250,46 @@ func dedupLiveResources(targetObjs []*unstructured.Unstructured, liveObjsByKey m
 	}
 }

-// CompareAppState compares application git state to the live app state, using the specified
-// revision and supplied source. If revision or overrides are empty, then compares against
-// revision and overrides in the app spec.
-func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool, localManifests []string) (*comparisonResult, error) {
+func (m *appStateManager) getComparisonSettings(app *appv1.Application) (string, map[string]v1alpha1.ResourceOverride, diff.Normalizer, error) {
 	resourceOverrides, err := m.settingsMgr.GetResourceOverrides()
 	if err != nil {
-		return nil, err
+		return "", nil, nil, err
 	}
 	appLabelKey, err := m.settingsMgr.GetAppInstanceLabelKey()
 	if err != nil {
-		return nil, err
+		return "", nil, nil, err
 	}
 	diffNormalizer, err := argo.NewDiffNormalizer(app.Spec.IgnoreDifferences, resourceOverrides)
 	if err != nil {
-		return nil, err
+		return "", nil, nil, err
 	}
-	logCtx := log.WithField("application", app.Name)
-	logCtx.Infof("Comparing app state (cluster: %s, namespace: %s)", app.Spec.Destination.Server, app.Spec.Destination.Namespace)
-	observedAt := metav1.Now()
+	return appLabelKey, resourceOverrides, diffNormalizer, nil
+}
+
+// CompareAppState compares application git state to the live app state, using the specified
+// revision and supplied source. If revision or overrides are empty, then compares against
+// revision and overrides in the app spec.
+func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource, noCache bool, localManifests []string) *comparisonResult {
+	appLabelKey, resourceOverrides, diffNormalizer, err := m.getComparisonSettings(app)
+
+	// return unknown comparison result if basic comparison settings cannot be loaded
+	if err != nil {
+		return &comparisonResult{
+			syncStatus: &v1alpha1.SyncStatus{
+				ComparedTo: appv1.ComparedTo{Source: source, Destination: app.Spec.Destination},
+				Status:     appv1.SyncStatusCodeUnknown,
+			},
+			healthStatus: &appv1.HealthStatus{Status: appv1.HealthStatusUnknown},
+		}
+	}
+
+	// do best effort loading live and target state to present as much information about app state as possible
 	failedToLoadObjs := false
 	conditions := make([]v1alpha1.ApplicationCondition, 0)

+	logCtx := log.WithField("application", app.Name)
+	logCtx.Infof("Comparing app state (cluster: %s, namespace: %s)", app.Spec.Destination.Server, app.Spec.Destination.Namespace)
+
 	var targetObjs []*unstructured.Unstructured
 	var hooks []*unstructured.Unstructured
 	var manifestInfo *apiclient.ManifestResponse
@@ -325,7 +359,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 	for i, obj := range targetObjs {
 		gvk := obj.GroupVersionKind()
 		ns := util.FirstNonEmpty(obj.GetNamespace(), app.Spec.Destination.Namespace)
-		if namespaced, err := m.liveStateCache.IsNamespaced(app.Spec.Destination.Server, obj); err == nil && !namespaced {
+		if namespaced, err := m.liveStateCache.IsNamespaced(app.Spec.Destination.Server, obj.GroupVersionKind().GroupKind()); err == nil && !namespaced {
 			ns = ""
 		}
 		key := kubeutil.NewResourceKey(gvk.Group, gvk.Kind, ns, obj.GetName())
@@ -348,7 +382,9 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 	// Do the actual comparison
 	diffResults, err := diff.DiffArray(targetObjs, managedLiveObj, diffNormalizer)
 	if err != nil {
-		return nil, err
+		diffResults = &diff.DiffResultList{}
+		failedToLoadObjs = true
+		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error()})
 	}

 	syncCode := v1alpha1.SyncStatusCodeSynced
@@ -376,7 +412,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 		}

 		diffResult := diffResults.Diffs[i]
-		if resState.Hook || resource.Ignore(obj) {
+		if resState.Hook || ignore.Ignore(obj) {
 			// For resource hooks, don't store sync status, and do not affect overall sync status
 		} else if diffResult.Modified || targetObj == nil || liveObj == nil {
 			// Set resource state to OutOfSync since one of the following is true:
@@ -392,6 +428,10 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 		} else {
 			resState.Status = v1alpha1.SyncStatusCodeSynced
 		}
+		// we can't say anything about the status if we were unable to get the target objects
+		if failedToLoadObjs {
+			resState.Status = v1alpha1.SyncStatusCodeUnknown
+		}
 		managedResources[i] = managedResource{
 			Name:      resState.Name,
 			Namespace: resState.Namespace,
@@ -429,19 +469,23 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, revision st
 	}

 	compRes := comparisonResult{
-		reconciledAt:     observedAt,
 		syncStatus:       &syncStatus,
 		healthStatus:     healthStatus,
 		resources:        resourceSummaries,
 		managedResources: managedResources,
-		conditions:       conditions,
 		hooks:            hooks,
 		diffNormalizer:   diffNormalizer,
 	}
 	if manifestInfo != nil {
 		compRes.appSourceType = v1alpha1.ApplicationSourceType(manifestInfo.SourceType)
 	}
-	return &compRes, nil
+	app.Status.SetConditions(conditions, map[appv1.ApplicationConditionType]bool{
+		appv1.ApplicationConditionComparisonError:         true,
+		appv1.ApplicationConditionSharedResourceWarning:   true,
+		appv1.ApplicationConditionRepeatedResourceWarning: true,
+		appv1.ApplicationConditionExcludedResourceWarning: true,
+	})
+	return &compRes
 }

 func (m *appStateManager) persistRevisionHistory(app *v1alpha1.Application, revision string, source v1alpha1.ApplicationSource) error {
--- a/controller/state_test.go
+++ b/controller/state_test.go
@@ -30,22 +30,22 @@ func TestCompareAppStateEmpty(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 	assert.NotNil(t, compRes)
+	assert.NotNil(t, compRes.syncStatus)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
-	assert.Equal(t, 0, len(compRes.resources))
-	assert.Equal(t, 0, len(compRes.managedResources))
-	assert.Equal(t, 0, len(compRes.conditions))
+	assert.Len(t, compRes.resources, 0)
+	assert.Len(t, compRes.managedResources, 0)
+	assert.Len(t, app.Status.Conditions, 0)
 }

-// TestCompareAppStateMissing tests when there is a manifest defined in git which doesn't exist in live
+// TestCompareAppStateMissing tests when there is a manifest defined in the repo which doesn't exist in live
 func TestCompareAppStateMissing(t *testing.T) {
 	app := newFakeApp()
 	data := fakeData{
 		apps: []runtime.Object{app},
 		manifestResponse: &apiclient.ManifestResponse{
-			Manifests: []string{string(test.PodManifest)},
+			Manifests: []string{test.PodManifest},
 			Namespace: test.FakeDestNamespace,
 			Server:    test.FakeClusterURL,
 			Revision:  "abc123",
@@ -53,13 +53,13 @@ func TestCompareAppStateMissing(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 	assert.NotNil(t, compRes)
+	assert.NotNil(t, compRes.syncStatus)
 	assert.Equal(t, argoappv1.SyncStatusCodeOutOfSync, compRes.syncStatus.Status)
-	assert.Equal(t, 1, len(compRes.resources))
-	assert.Equal(t, 1, len(compRes.managedResources))
-	assert.Equal(t, 0, len(compRes.conditions))
+	assert.Len(t, compRes.resources, 1)
+	assert.Len(t, compRes.managedResources, 1)
+	assert.Len(t, app.Status.Conditions, 0)
 }

 // TestCompareAppStateExtra tests when there is an extra object in live but not defined in git
@@ -80,13 +80,12 @@ func TestCompareAppStateExtra(t *testing.T) {
 		},
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeOutOfSync, compRes.syncStatus.Status)
 	assert.Equal(t, 1, len(compRes.resources))
 	assert.Equal(t, 1, len(compRes.managedResources))
-	assert.Equal(t, 0, len(compRes.conditions))
+	assert.Equal(t, 0, len(app.Status.Conditions))
 }

 // TestCompareAppStateHook checks that hooks are detected during manifest generation, and not
@@ -107,14 +106,13 @@ func TestCompareAppStateHook(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
 	assert.Equal(t, 0, len(compRes.resources))
 	assert.Equal(t, 0, len(compRes.managedResources))
 	assert.Equal(t, 1, len(compRes.hooks))
-	assert.Equal(t, 0, len(compRes.conditions))
+	assert.Equal(t, 0, len(app.Status.Conditions))
 }

 // checks that ignore resources are detected, but excluded from status
@@ -134,14 +132,13 @@ func TestCompareAppStateCompareOptionIgnoreExtraneous(t *testing.T) {
 	}
 	ctrl := newFakeController(&data)

-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)

-	assert.NoError(t, err)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
 	assert.Len(t, compRes.resources, 0)
 	assert.Len(t, compRes.managedResources, 0)
-	assert.Len(t, compRes.conditions, 0)
+	assert.Len(t, app.Status.Conditions, 0)
 }

 // TestCompareAppStateExtraHook tests when there is an extra _hook_ object in live but not defined in git
@@ -163,14 +160,14 @@ func TestCompareAppStateExtraHook(t *testing.T) {
 		},
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
 	assert.Equal(t, 1, len(compRes.resources))
 	assert.Equal(t, 1, len(compRes.managedResources))
 	assert.Equal(t, 0, len(compRes.hooks))
-	assert.Equal(t, 0, len(compRes.conditions))
+	assert.Equal(t, 0, len(app.Status.Conditions))
 }

 func toJSON(t *testing.T, obj *unstructured.Unstructured) string {
@@ -200,10 +197,10 @@ func TestCompareAppStateDuplicatedNamespacedResources(t *testing.T) {
 		},
 	}
 	ctrl := newFakeController(&data)
-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
 	assert.NotNil(t, compRes)
-	assert.Contains(t, compRes.conditions, argoappv1.ApplicationCondition{
+	assert.Contains(t, app.Status.Conditions, argoappv1.ApplicationCondition{
 		Message: "Resource /Pod/fake-dest-ns/my-pod appeared 2 times among application resources.",
 		Type:    argoappv1.ApplicationConditionRepeatedResourceWarning,
 	})
@@ -251,8 +248,7 @@ func TestSetHealth(t *testing.T) {
 		},
 	})

-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)

 	assert.Equal(t, compRes.healthStatus.Status, argoappv1.HealthStatusHealthy)
 }
@@ -284,8 +280,114 @@ func TestSetHealthSelfReferencedApp(t *testing.T) {
 		},
 	})

-	compRes, err := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
-	assert.NoError(t, err)
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)

 	assert.Equal(t, compRes.healthStatus.Status, argoappv1.HealthStatusHealthy)
 }
+
+func TestSetManagedResourcesWithOrphanedResources(t *testing.T) {
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	app := newFakeApp()
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, proj},
+		namespacedResources: map[kube.ResourceKey]namespacedResource{
+			kube.NewResourceKey("apps", kube.DeploymentKind, app.Namespace, "guestbook"): {
+				ResourceNode: argoappv1.ResourceNode{
+					ResourceRef: argoappv1.ResourceRef{Kind: kube.DeploymentKind, Name: "guestbook", Namespace: app.Namespace},
+				},
+				AppName: "",
+			},
+		},
+	})
+
+	tree, err := ctrl.setAppManagedResources(app, &comparisonResult{managedResources: make([]managedResource, 0)})
+
+	assert.NoError(t, err)
+	assert.Equal(t, len(tree.OrphanedNodes), 1)
+	assert.Equal(t, "guestbook", tree.OrphanedNodes[0].Name)
+	assert.Equal(t, app.Namespace, tree.OrphanedNodes[0].Namespace)
+}
+
+func TestSetManagedResourcesWithResourcesOfAnotherApp(t *testing.T) {
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	app1 := newFakeApp()
+	app1.Name = "app1"
+	app2 := newFakeApp()
+	app2.Name = "app2"
+
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app1, app2, proj},
+		namespacedResources: map[kube.ResourceKey]namespacedResource{
+			kube.NewResourceKey("apps", kube.DeploymentKind, app2.Namespace, "guestbook"): {
+				ResourceNode: argoappv1.ResourceNode{
+					ResourceRef: argoappv1.ResourceRef{Kind: kube.DeploymentKind, Name: "guestbook", Namespace: app2.Namespace},
+				},
+				AppName: "app2",
+			},
+		},
+	})
+
+	tree, err := ctrl.setAppManagedResources(app1, &comparisonResult{managedResources: make([]managedResource, 0)})
+
+	assert.NoError(t, err)
+	assert.Equal(t, len(tree.OrphanedNodes), 0)
+}
+
+func TestReturnUnknownComparisonStateOnSettingLoadError(t *testing.T) {
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	app := newFakeApp()
+
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, proj},
+		configMapData: map[string]string{
+			"resource.customizations": "invalid setting",
+		},
+	})
+
+	compRes := ctrl.appStateManager.CompareAppState(app, "", app.Spec.Source, false, nil)
+
+	assert.Equal(t, argoappv1.HealthStatusUnknown, compRes.healthStatus.Status)
+	assert.Equal(t, argoappv1.SyncStatusCodeUnknown, compRes.syncStatus.Status)
+}
+
+func TestSetManagedResourcesKnownOrphanedResourceExceptions(t *testing.T) {
+	proj := defaultProj.DeepCopy()
+	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
+
+	app := newFakeApp()
+	app.Namespace = "default"
+
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, proj},
+		namespacedResources: map[kube.ResourceKey]namespacedResource{
+			kube.NewResourceKey("apps", kube.DeploymentKind, app.Namespace, "guestbook"): {
+				ResourceNode: argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Group: "apps", Kind: kube.DeploymentKind, Name: "guestbook", Namespace: app.Namespace}},
+			},
+			kube.NewResourceKey("", kube.ServiceAccountKind, app.Namespace, "default"): {
+				ResourceNode: argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Kind: kube.ServiceAccountKind, Name: "default", Namespace: app.Namespace}},
+			},
+			kube.NewResourceKey("", kube.ServiceKind, app.Namespace, "kubernetes"): {
+				ResourceNode: argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Kind: kube.ServiceAccountKind, Name: "kubernetes", Namespace: app.Namespace}},
+			},
+		},
+	})
+
+	tree, err := ctrl.setAppManagedResources(app, &comparisonResult{managedResources: make([]managedResource, 0)})
+
+	assert.NoError(t, err)
+	assert.Len(t, tree.OrphanedNodes, 1)
+	assert.Equal(t, "guestbook", tree.OrphanedNodes[0].Name)
+}
+
+func Test_comparisonResult_obs(t *testing.T) {
+	assert.Len(t, (&comparisonResult{}).targetObjs(), 0)
+	assert.Len(t, (&comparisonResult{managedResources: []managedResource{{}}}).targetObjs(), 0)
+	assert.Len(t, (&comparisonResult{managedResources: []managedResource{{Target: test.NewPod()}}}).targetObjs(), 1)
+	assert.Len(t, (&comparisonResult{hooks: []*unstructured.Unstructured{{}}}).targetObjs(), 1)
+}
--- a/controller/sync.go
+++ b/controller/sync.go
@@ -7,11 +7,13 @@ import (
 	"sort"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"time"

 	log "github.com/sirupsen/logrus"
 	"k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	"k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	"k8s.io/apimachinery/pkg/api/errors"
 	apierr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -28,6 +30,7 @@ import (
 	"github.com/argoproj/argo-cd/util/health"
 	"github.com/argoproj/argo-cd/util/hook"
 	"github.com/argoproj/argo-cd/util/kube"
+	"github.com/argoproj/argo-cd/util/rand"
 	"github.com/argoproj/argo-cd/util/resource"
 )

@@ -35,6 +38,8 @@ const (
 	crdReadinessTimeout = time.Duration(3) * time.Second
 )

+var syncIdPrefix uint64 = 0
+
 type syncContext struct {
 	resourceOverrides   map[string]v1alpha1.ResourceOverride
 	appName             string
@@ -101,21 +106,13 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		revision = syncOp.Revision
 	}

-	compareResult, err := m.CompareAppState(app, revision, source, false, syncOp.Manifests)
-	if err != nil {
-		state.Phase = v1alpha1.OperationError
-		state.Message = err.Error()
-		return
-	}
+	compareResult := m.CompareAppState(app, revision, source, false, syncOp.Manifests)

-	// If there are any error conditions, do not perform the operation
-	errConditions := make([]v1alpha1.ApplicationCondition, 0)
-	for i := range compareResult.conditions {
-		if compareResult.conditions[i].IsError() {
-			errConditions = append(errConditions, compareResult.conditions[i])
-		}
-	}
-	if len(errConditions) > 0 {
+	// If there are any comparison or spec errors error conditions do not perform the operation
+	if errConditions := app.Status.GetConditions(map[v1alpha1.ApplicationConditionType]bool{
+		v1alpha1.ApplicationConditionComparisonError:  true,
+		v1alpha1.ApplicationConditionInvalidSpecError: true,
+	}); len(errConditions) > 0 {
 		state.Phase = v1alpha1.OperationError
 		state.Message = argo.FormatAppConditions(errConditions)
 		return
@@ -167,6 +164,8 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		return
 	}

+	atomic.AddUint64(&syncIdPrefix, 1)
+	syncId := fmt.Sprintf("%05d-%s", syncIdPrefix, rand.RandString(5))
 	syncCtx := syncContext{
 		resourceOverrides:   resourceOverrides,
 		appName:             app.Name,
@@ -183,16 +182,18 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		syncRes:             syncRes,
 		syncResources:       syncResources,
 		opState:             state,
-		log:                 log.WithFields(log.Fields{"application": app.Name}),
+		log:                 log.WithFields(log.Fields{"application": app.Name, "syncId": syncId}),
 	}

+	start := time.Now()
+
 	if state.Phase == v1alpha1.OperationTerminating {
 		syncCtx.terminate()
 	} else {
 		syncCtx.sync()
 	}

-	syncCtx.log.Info("sync/terminate complete")
+	syncCtx.log.WithField("duration", time.Since(start)).Info("sync/terminate complete")

 	if !syncOp.DryRun && !syncCtx.isSelectiveSync() && syncCtx.opState.Phase.Successful() {
 		err := m.persistRevisionHistory(app, compareResult.syncStatus.Revision, source)
@@ -205,8 +206,8 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 // sync has performs the actual apply or hook based sync
 func (sc *syncContext) sync() {
 	sc.log.WithFields(log.Fields{"isSelectiveSync": sc.isSelectiveSync(), "skipHooks": sc.skipHooks(), "started": sc.started()}).Info("syncing")
-	tasks, successful := sc.getSyncTasks()
-	if !successful {
+	tasks, ok := sc.getSyncTasks()
+	if !ok {
 		sc.setOperationPhase(v1alpha1.OperationFailed, "one or more synchronization tasks are not valid")
 		return
 	}
@@ -221,7 +222,7 @@ func (sc *syncContext) sync() {
 	// the dry-run for this operation, is if the resource or hook list is empty.
 	if !sc.started() {
 		sc.log.Debug("dry-run")
-		if !sc.runTasks(tasks, true) {
+		if sc.runTasks(tasks, true) == failed {
 			sc.setOperationPhase(v1alpha1.OperationFailed, "one or more objects failed to apply (dry run)")
 			return
 		}
@@ -238,9 +239,9 @@ func (sc *syncContext) sync() {
 			sc.setResourceResult(task, "", operationState, message)

 			// maybe delete the hook
-			if enforceHookDeletePolicy(task.liveObj, task.operationState) {
+			if task.needsDeleting() {
 				err := sc.deleteResource(task)
-				if err != nil {
+				if err != nil && !errors.IsNotFound(err) {
 					sc.setResourceResult(task, "", v1alpha1.OperationError, fmt.Sprintf("failed to delete resource: %v", err))
 				}
 			}
@@ -264,8 +265,11 @@ func (sc *syncContext) sync() {
 		}
 	}

-	// any running tasks, lets wait...
-	if tasks.Any(func(t *syncTask) bool { return t.running() }) {
+	// if (a) we are multi-step and we have any running tasks,
+	// or (b) there are any running hooks,
+	// then wait...
+	multiStep := tasks.multiStep()
+	if tasks.Any(func(t *syncTask) bool { return (multiStep || t.isHook()) && t.running() }) {
 		sc.setOperationPhase(v1alpha1.OperationRunning, "one or more tasks are running")
 		return
 	}
@@ -279,9 +283,9 @@ func (sc *syncContext) sync() {
 		return
 	}

-	sc.log.WithFields(log.Fields{"tasks": tasks}).Debug("filtering out completed tasks")
+	sc.log.WithFields(log.Fields{"tasks": tasks}).Debug("filtering out non-pending tasks")
 	// remove tasks that are completed, we can assume that there are no running tasks
-	tasks = tasks.Filter(func(t *syncTask) bool { return !t.completed() })
+	tasks = tasks.Filter(func(t *syncTask) bool { return t.pending() })

 	// If no sync tasks were generated (e.g., in case all application manifests have been removed),
 	// the sync operation is successful.
@@ -305,9 +309,11 @@ func (sc *syncContext) sync() {
 	sc.setOperationPhase(v1alpha1.OperationRunning, "one or more tasks are running")

 	sc.log.WithFields(log.Fields{"tasks": tasks}).Debug("wet-run")
-	if !sc.runTasks(tasks, false) {
+	runState := sc.runTasks(tasks, false)
+	switch runState {
+	case failed:
 		sc.setOperationFailed(syncFailTasks, "one or more objects failed to apply")
-	} else {
+	case successful:
 		if complete {
 			sc.setOperationPhase(v1alpha1.OperationSucceeded, "successfully synced (all tasks run)")
 		}
@@ -324,7 +330,7 @@ func (sc *syncContext) setOperationFailed(syncFailTasks syncTasks, message strin
 		// otherwise, we need to start the failure hooks, and then return without setting
 		// the phase, so we make sure we have at least one more sync
 		sc.log.WithFields(log.Fields{"syncFailTasks": syncFailTasks}).Debug("running sync fail tasks")
-		if !sc.runTasks(syncFailTasks, false) {
+		if sc.runTasks(syncFailTasks, false) == failed {
 			sc.setOperationPhase(v1alpha1.OperationFailed, message)
 		}
 	} else {
@@ -380,7 +386,7 @@ func (sc *syncContext) getSyncTasks() (_ syncTasks, successful bool) {

 	for _, resource := range sc.compareResult.managedResources {
 		if !sc.containsResource(resource) {
-			log.WithFields(log.Fields{"group": resource.Group, "kind": resource.Kind, "name": resource.Name}).
+			sc.log.WithFields(log.Fields{"group": resource.Group, "kind": resource.Kind, "name": resource.Name}).
 				Debug("skipping")
 			continue
 		}
@@ -389,7 +395,7 @@ func (sc *syncContext) getSyncTasks() (_ syncTasks, successful bool) {

 		// this creates garbage tasks
 		if hook.IsHook(obj) {
-			log.WithFields(log.Fields{"group": obj.GroupVersionKind().Group, "kind": obj.GetKind(), "namespace": obj.GetNamespace(), "name": obj.GetName()}).
+			sc.log.WithFields(log.Fields{"group": obj.GroupVersionKind().Group, "kind": obj.GetKind(), "namespace": obj.GetNamespace(), "name": obj.GetName()}).
 				Debug("skipping hook")
 			continue
 		}
@@ -572,13 +578,13 @@ func (sc *syncContext) pruneObject(liveObj *unstructured.Unstructured, prune, dr
 }

 func (sc *syncContext) hasCRDOfGroupKind(group string, kind string) bool {
-	for _, res := range sc.compareResult.managedResources {
-		if res.Target != nil && kube.IsCRD(res.Target) {
-			crdGroup, ok, err := unstructured.NestedString(res.Target.Object, "spec", "group")
+	for _, obj := range sc.compareResult.targetObjs() {
+		if kube.IsCRD(obj) {
+			crdGroup, ok, err := unstructured.NestedString(obj.Object, "spec", "group")
 			if err != nil || !ok {
 				continue
 			}
-			crdKind, ok, err := unstructured.NestedString(res.Target.Object, "spec", "names", "kind")
+			crdKind, ok, err := unstructured.NestedString(obj.Object, "spec", "names", "kind")
 			if err != nil || !ok {
 				continue
 			}
@@ -617,17 +623,25 @@ func (sc *syncContext) terminate() {
 }

 func (sc *syncContext) deleteResource(task *syncTask) error {
-	sc.log.WithFields(log.Fields{"task": task}).Debug("deleting task")
-	apiResource, err := kube.ServerResourceForGroupVersionKind(sc.disco, task.groupVersionKind())
+	sc.log.WithFields(log.Fields{"task": task}).Debug("deleting resource")
+	resIf, err := sc.getResourceIf(task)
 	if err != nil {
 		return err
 	}
-	resource := kube.ToGroupVersionResource(task.groupVersionKind().GroupVersion().String(), apiResource)
-	resIf := kube.ToResourceInterface(sc.dynamicIf, apiResource, resource, task.namespace())
 	propagationPolicy := metav1.DeletePropagationForeground
 	return resIf.Delete(task.name(), &metav1.DeleteOptions{PropagationPolicy: &propagationPolicy})
 }

+func (sc *syncContext) getResourceIf(task *syncTask) (dynamic.ResourceInterface, error) {
+	apiResource, err := kube.ServerResourceForGroupVersionKind(sc.disco, task.groupVersionKind())
+	if err != nil {
+		return nil, err
+	}
+	res := kube.ToGroupVersionResource(task.groupVersionKind().GroupVersion().String(), apiResource)
+	resIf := kube.ToResourceInterface(sc.dynamicIf, apiResource, res, task.namespace())
+	return resIf, err
+}
+
 var operationPhases = map[v1alpha1.ResultCode]v1alpha1.OperationPhase{
 	v1alpha1.ResultCodeSynced:       v1alpha1.OperationRunning,
 	v1alpha1.ResultCodeSyncFailed:   v1alpha1.OperationFailed,
@@ -635,13 +649,22 @@ var operationPhases = map[v1alpha1.ResultCode]v1alpha1.OperationPhase{
 	v1alpha1.ResultCodePruneSkipped: v1alpha1.OperationSucceeded,
 }

-func (sc *syncContext) runTasks(tasks syncTasks, dryRun bool) bool {
+// tri-state
+type runState = int
+
+const (
+	successful = iota
+	pending
+	failed
+)
+
+func (sc *syncContext) runTasks(tasks syncTasks, dryRun bool) runState {

 	dryRun = dryRun || sc.syncOp.DryRun

 	sc.log.WithFields(log.Fields{"numTasks": len(tasks), "dryRun": dryRun}).Debug("running tasks")

-	successful := true
+	runState := successful
 	var createTasks syncTasks
 	var pruneTasks syncTasks

@@ -652,60 +675,92 @@ func (sc *syncContext) runTasks(tasks syncTasks, dryRun bool) bool {
 			createTasks = append(createTasks, task)
 		}
 	}
-
-	var wg sync.WaitGroup
-	for _, task := range pruneTasks {
-		wg.Add(1)
-		go func(t *syncTask) {
-			defer wg.Done()
-			sc.log.WithFields(log.Fields{"dryRun": dryRun, "task": t}).Debug("pruning")
-			result, message := sc.pruneObject(t.liveObj, sc.syncOp.Prune, dryRun)
-			if result == v1alpha1.ResultCodeSyncFailed {
-				successful = false
-			}
-			if !dryRun || result == v1alpha1.ResultCodeSyncFailed {
-				sc.setResourceResult(t, result, operationPhases[result], message)
-			}
-		}(task)
-	}
-	wg.Wait()
-
-	processCreateTasks := func(tasks syncTasks) {
-		var createWg sync.WaitGroup
-		for _, task := range tasks {
-			if dryRun && task.skipDryRun {
-				continue
-			}
-			createWg.Add(1)
+	// prune first
+	{
+		var wg sync.WaitGroup
+		for _, task := range pruneTasks {
+			wg.Add(1)
 			go func(t *syncTask) {
-				defer createWg.Done()
-				sc.log.WithFields(log.Fields{"dryRun": dryRun, "task": t}).Debug("applying")
-				result, message := sc.applyObject(t.targetObj, dryRun, sc.syncOp.SyncStrategy.Force())
+				defer wg.Done()
+				sc.log.WithFields(log.Fields{"dryRun": dryRun, "task": t}).Debug("pruning")
+				result, message := sc.pruneObject(t.liveObj, sc.syncOp.Prune, dryRun)
 				if result == v1alpha1.ResultCodeSyncFailed {
-					successful = false
+					runState = failed
 				}
 				if !dryRun || result == v1alpha1.ResultCodeSyncFailed {
 					sc.setResourceResult(t, result, operationPhases[result], message)
 				}
 			}(task)
 		}
-		createWg.Wait()
+		wg.Wait()
 	}

-	var tasksGroup syncTasks
-	for _, task := range createTasks {
-		//Only wait if the type of the next task is different than the previous type
-		if len(tasksGroup) > 0 && tasksGroup[0].targetObj.GetKind() != task.kind() {
+	// delete anything that need deleting
+	if runState == successful && createTasks.Any(func(t *syncTask) bool { return t.needsDeleting() }) {
+		var wg sync.WaitGroup
+		for _, task := range createTasks.Filter(func(t *syncTask) bool { return t.needsDeleting() }) {
+			wg.Add(1)
+			go func(t *syncTask) {
+				defer wg.Done()
+				sc.log.WithFields(log.Fields{"dryRun": dryRun, "task": t}).Debug("deleting")
+				if !dryRun {
+					err := sc.deleteResource(t)
+					if err != nil {
+						// it is possible to get a race condition here, such that the resource does not exist when
+						// delete is requested, we treat this as a nop
+						if !apierr.IsNotFound(err) {
+							runState = failed
+							sc.setResourceResult(t, "", v1alpha1.OperationError, fmt.Sprintf("failed to delete resource: %v", err))
+						}
+					} else {
+						// if there is anything that needs deleting, we are at best now in pending and
+						// want to return and wait for sync to be invoked again
+						runState = pending
+					}
+				}
+			}(task)
+		}
+		wg.Wait()
+	}
+	// finally create resources
+	if runState == successful {
+		processCreateTasks := func(tasks syncTasks) {
+			var createWg sync.WaitGroup
+			for _, task := range tasks {
+				if dryRun && task.skipDryRun {
+					continue
+				}
+				createWg.Add(1)
+				go func(t *syncTask) {
+					defer createWg.Done()
+					sc.log.WithFields(log.Fields{"dryRun": dryRun, "task": t}).Debug("applying")
+					result, message := sc.applyObject(t.targetObj, dryRun, sc.syncOp.SyncStrategy.Force())
+					if result == v1alpha1.ResultCodeSyncFailed {
+						runState = failed
+					}
+					if !dryRun || result == v1alpha1.ResultCodeSyncFailed {
+						sc.setResourceResult(t, result, operationPhases[result], message)
+					}
+				}(task)
+			}
+			createWg.Wait()
+		}
+
+		var tasksGroup syncTasks
+		for _, task := range createTasks {
+			//Only wait if the type of the next task is different than the previous type
+			if len(tasksGroup) > 0 && tasksGroup[0].targetObj.GetKind() != task.kind() {
+				processCreateTasks(tasksGroup)
+				tasksGroup = syncTasks{task}
+			} else {
+				tasksGroup = append(tasksGroup, task)
+			}
+		}
+		if len(tasksGroup) > 0 {
 			processCreateTasks(tasksGroup)
-			tasksGroup = syncTasks{task}
-		} else {
-			tasksGroup = append(tasksGroup, task)
 		}
 	}
-	if len(tasksGroup) > 0 {
-		processCreateTasks(tasksGroup)
-	}
-	return successful
+	return runState
 }

 // setResourceResult sets a resource details in the SyncResult.Resources list
--- a/controller/sync_hooks.go
+++ b/controller/sync_hooks.go
@@ -2,46 +2,25 @@ package controller

 import (
 	"fmt"
-	"strings"

-	wfv1 "github.com/argoproj/argo/pkg/apis/workflow/v1alpha1"
+	"github.com/argoproj/argo-cd/util/health"
+
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/kubernetes/pkg/apis/batch"

-	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 )

-// enforceHookDeletePolicy examines the hook deletion policy of a object and deletes it based on the status
-func enforceHookDeletePolicy(hook *unstructured.Unstructured, operation v1alpha1.OperationPhase) bool {
-
-	annotations := hook.GetAnnotations()
-	if annotations == nil {
-		return false
-	}
-	deletePolicies := strings.Split(annotations[common.AnnotationKeyHookDeletePolicy], ",")
-	for _, dp := range deletePolicies {
-		policy := v1alpha1.HookDeletePolicy(strings.TrimSpace(dp))
-		if policy == v1alpha1.HookDeletePolicyHookSucceeded && operation == v1alpha1.OperationSucceeded {
-			return true
-		}
-		if policy == v1alpha1.HookDeletePolicyHookFailed && operation == v1alpha1.OperationFailed {
-			return true
-		}
-	}
-	return false
-}
-
 // getOperationPhase returns a hook status from an _live_ unstructured object
 func getOperationPhase(hook *unstructured.Unstructured) (operation v1alpha1.OperationPhase, message string) {
 	gvk := hook.GroupVersionKind()
 	if isBatchJob(gvk) {
 		return getStatusFromBatchJob(hook)
 	} else if isArgoWorkflow(gvk) {
-		return getStatusFromArgoWorkflow(hook)
+		return health.GetStatusFromArgoWorkflow(hook)
 	} else if isPod(gvk) {
 		return getStatusFromPod(hook)
 	} else {
@@ -92,26 +71,6 @@ func isArgoWorkflow(gvk schema.GroupVersionKind) bool {
 	return gvk.Group == "argoproj.io" && gvk.Kind == "Workflow"
 }

-// TODO - should we move this to health.go?
-func getStatusFromArgoWorkflow(hook *unstructured.Unstructured) (operation v1alpha1.OperationPhase, message string) {
-	var wf wfv1.Workflow
-	err := runtime.DefaultUnstructuredConverter.FromUnstructured(hook.Object, &wf)
-	if err != nil {
-		return v1alpha1.OperationError, err.Error()
-	}
-	switch wf.Status.Phase {
-	case wfv1.NodePending, wfv1.NodeRunning:
-		return v1alpha1.OperationRunning, wf.Status.Message
-	case wfv1.NodeSucceeded:
-		return v1alpha1.OperationSucceeded, wf.Status.Message
-	case wfv1.NodeFailed:
-		return v1alpha1.OperationFailed, wf.Status.Message
-	case wfv1.NodeError:
-		return v1alpha1.OperationError, wf.Status.Message
-	}
-	return v1alpha1.OperationSucceeded, wf.Status.Message
-}
-
 func isPod(gvk schema.GroupVersionKind) bool {
 	return gvk.Group == "" && gvk.Kind == "Pod"
 }
--- a/controller/sync_phase.go
+++ b/controller/sync_phase.go
@@ -11,13 +11,17 @@ func syncPhases(obj *unstructured.Unstructured) []v1alpha1.SyncPhase {
 	if hook.Skip(obj) {
 		return nil
 	} else if hook.IsHook(obj) {
-		var phases []v1alpha1.SyncPhase
+		phasesMap := make(map[v1alpha1.SyncPhase]bool)
 		for _, hookType := range hook.Types(obj) {
 			switch hookType {
 			case v1alpha1.HookTypePreSync, v1alpha1.HookTypeSync, v1alpha1.HookTypePostSync, v1alpha1.HookTypeSyncFail:
-				phases = append(phases, v1alpha1.SyncPhase(hookType))
+				phasesMap[v1alpha1.SyncPhase(hookType)] = true
 			}
 		}
+		var phases []v1alpha1.SyncPhase
+		for phase := range phasesMap {
+			phases = append(phases, phase)
+		}
 		return phases
 	} else {
 		return []v1alpha1.SyncPhase{v1alpha1.SyncPhaseSync}
--- a/controller/sync_phase_test.go
+++ b/controller/sync_phase_test.go
@@ -40,11 +40,18 @@ func TestSyncPhaseFail(t *testing.T) {
 }

 func TestSyncPhaseTwoPhases(t *testing.T) {
-	assert.Equal(t, []SyncPhase{SyncPhasePreSync, SyncPhasePostSync}, syncPhases(pod("PreSync,PostSync")))
+	assert.ElementsMatch(t, []SyncPhase{SyncPhasePreSync, SyncPhasePostSync}, syncPhases(pod("PreSync,PostSync")))
+}
+
+func TestSyncDuplicatedPhases(t *testing.T) {
+	assert.ElementsMatch(t, []SyncPhase{SyncPhasePreSync}, syncPhases(pod("PreSync,PreSync")))
+	assert.ElementsMatch(t, []SyncPhase{SyncPhasePreSync}, syncPhases(podWithHelmHook("pre-install,pre-upgrade")))
 }

 func pod(hookType string) *unstructured.Unstructured {
-	pod := test.NewPod()
-	pod.SetAnnotations(map[string]string{"argocd.argoproj.io/hook": hookType})
-	return pod
+	return test.Annotate(test.NewPod(), "argocd.argoproj.io/hook", hookType)
+}
+
+func podWithHelmHook(hookType string) *unstructured.Unstructured {
+	return test.Annotate(test.NewPod(), "helm.sh/hook", hookType)
 }
--- a/controller/sync_task.go
+++ b/controller/sync_task.go
@@ -2,14 +2,13 @@ package controller

 import (
 	"fmt"
-	"strconv"

 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"

-	"github.com/argoproj/argo-cd/common"
 	"github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/util/hook"
+	"github.com/argoproj/argo-cd/util/resource/syncwaves"
 )

 // syncTask holds the live and target object. At least one should be non-nil. A targetObj of nil
@@ -53,18 +52,7 @@ func (t *syncTask) obj() *unstructured.Unstructured {
 }

 func (t *syncTask) wave() int {
-
-	text := t.obj().GetAnnotations()[common.AnnotationSyncWave]
-	if text == "" {
-		return 0
-	}
-
-	val, err := strconv.Atoi(text)
-	if err != nil {
-		return 0
-	}
-
-	return val
+	return syncwaves.Wave(t.obj())
 }

 func (t *syncTask) isHook() bool {
@@ -94,8 +82,12 @@ func (t *syncTask) namespace() string {
 	return t.obj().GetNamespace()
 }

+func (t *syncTask) pending() bool {
+	return t.operationState == ""
+}
+
 func (t *syncTask) running() bool {
-	return t.operationState == v1alpha1.OperationRunning
+	return t.operationState.Running()
 }

 func (t *syncTask) completed() bool {
@@ -106,6 +98,10 @@ func (t *syncTask) successful() bool {
 	return t.operationState.Successful()
 }

+func (t *syncTask) failed() bool {
+	return t.operationState.Failed()
+}
+
 func (t *syncTask) hookType() v1alpha1.HookType {
 	if t.isHook() {
 		return v1alpha1.HookType(t.phase)
@@ -113,3 +109,22 @@ func (t *syncTask) hookType() v1alpha1.HookType {
 		return ""
 	}
 }
+
+func (t *syncTask) hasHookDeletePolicy(policy v1alpha1.HookDeletePolicy) bool {
+	// cannot have a policy if it is not a hook, it is meaningless
+	if !t.isHook() {
+		return false
+	}
+	for _, p := range hook.DeletePolicies(t.obj()) {
+		if p == policy {
+			return true
+		}
+	}
+	return false
+}
+
+func (t *syncTask) needsDeleting() bool {
+	return t.liveObj != nil && (t.pending() && t.hasHookDeletePolicy(v1alpha1.HookDeletePolicyBeforeHookCreation) ||
+		t.successful() && t.hasHookDeletePolicy(v1alpha1.HookDeletePolicyHookSucceeded) ||
+		t.failed() && t.hasHookDeletePolicy(v1alpha1.HookDeletePolicyHookFailed))
+}
--- a/controller/sync_task_test.go
+++ b/controller/sync_task_test.go
@@ -7,7 +7,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

 	. "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/test"
+	. "github.com/argoproj/argo-cd/test"
 )

 func Test_syncTask_hookType(t *testing.T) {
@@ -20,10 +20,10 @@ func Test_syncTask_hookType(t *testing.T) {
 		fields fields
 		want   HookType
 	}{
-		{"Empty", fields{SyncPhaseSync, test.NewPod()}, ""},
-		{"PreSyncHook", fields{SyncPhasePreSync, test.NewHook(HookTypePreSync)}, HookTypePreSync},
-		{"SyncHook", fields{SyncPhaseSync, test.NewHook(HookTypeSync)}, HookTypeSync},
-		{"PostSyncHook", fields{SyncPhasePostSync, test.NewHook(HookTypePostSync)}, HookTypePostSync},
+		{"Empty", fields{SyncPhaseSync, NewPod()}, ""},
+		{"PreSyncHook", fields{SyncPhasePreSync, NewHook(HookTypePreSync)}, HookTypePreSync},
+		{"SyncHook", fields{SyncPhaseSync, NewHook(HookTypeSync)}, HookTypeSync},
+		{"PostSyncHook", fields{SyncPhasePostSync, NewHook(HookTypePostSync)}, HookTypePostSync},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -36,3 +36,31 @@ func Test_syncTask_hookType(t *testing.T) {
 		})
 	}
 }
+
+func Test_syncTask_hasHookDeletePolicy(t *testing.T) {
+	assert.False(t, (&syncTask{targetObj: NewPod()}).hasHookDeletePolicy(HookDeletePolicyBeforeHookCreation))
+	assert.False(t, (&syncTask{targetObj: NewPod()}).hasHookDeletePolicy(HookDeletePolicyHookSucceeded))
+	assert.False(t, (&syncTask{targetObj: NewPod()}).hasHookDeletePolicy(HookDeletePolicyHookFailed))
+	// must be hook
+	assert.False(t, (&syncTask{targetObj: Annotate(NewPod(), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).hasHookDeletePolicy(HookDeletePolicyBeforeHookCreation))
+	assert.True(t, (&syncTask{targetObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).hasHookDeletePolicy(HookDeletePolicyBeforeHookCreation))
+	assert.True(t, (&syncTask{targetObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "HookSucceeded")}).hasHookDeletePolicy(HookDeletePolicyHookSucceeded))
+	assert.True(t, (&syncTask{targetObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "HookFailed")}).hasHookDeletePolicy(HookDeletePolicyHookFailed))
+}
+
+func Test_syncTask_needsDeleting(t *testing.T) {
+	assert.False(t, (&syncTask{liveObj: NewPod()}).needsDeleting())
+	// must be hook
+	assert.False(t, (&syncTask{liveObj: Annotate(NewPod(), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).needsDeleting())
+	// no need to delete if no live obj
+	assert.False(t, (&syncTask{targetObj: Annotate(Annotate(NewPod(), "argoocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).needsDeleting())
+	assert.True(t, (&syncTask{liveObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).needsDeleting())
+	assert.True(t, (&syncTask{liveObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "BeforeHookCreation")}).needsDeleting())
+	assert.True(t, (&syncTask{operationState: OperationSucceeded, liveObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "HookSucceeded")}).needsDeleting())
+	assert.True(t, (&syncTask{operationState: OperationFailed, liveObj: Annotate(Annotate(NewPod(), "argocd.argoproj.io/hook", "Sync"), "argocd.argoproj.io/hook-delete-policy", "HookFailed")}).needsDeleting())
+}
+
+func Test_syncTask_wave(t *testing.T) {
+	assert.Equal(t, 0, (&syncTask{targetObj: NewPod()}).wave())
+	assert.Equal(t, 1, (&syncTask{targetObj: Annotate(NewPod(), "argocd.argoproj.io/sync-wave", "1")}).wave())
+}
--- a/controller/sync_tasks.go
+++ b/controller/sync_tasks.go
@@ -165,3 +165,21 @@ func (s syncTasks) wave() int {
 	}
 	return 0
 }
+
+func (s syncTasks) lastPhase() v1alpha1.SyncPhase {
+	if len(s) > 0 {
+		return s[len(s)-1].phase
+	}
+	return ""
+}
+
+func (s syncTasks) lastWave() int {
+	if len(s) > 0 {
+		return s[len(s)-1].wave()
+	}
+	return 0
+}
+
+func (s syncTasks) multiStep() bool {
+	return s.wave() != s.lastWave() || s.phase() != s.lastPhase()
+}
--- a/controller/sync_tasks_test.go
+++ b/controller/sync_tasks_test.go
@@ -8,7 +8,9 @@ import (
 	apiv1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"

+	"github.com/argoproj/argo-cd/common"
 	. "github.com/argoproj/argo-cd/pkg/apis/application/v1alpha1"
+	. "github.com/argoproj/argo-cd/test"
 )

 func Test_syncTasks_kindOrder(t *testing.T) {
@@ -366,3 +368,25 @@ func TestSyncNamespaceAgainstCRD(t *testing.T) {

 	assert.Equal(t, syncTasks{namespace, crd}, unsorted)
 }
+
+func Test_syncTasks_multiStep(t *testing.T) {
+	t.Run("Single", func(t *testing.T) {
+		tasks := syncTasks{{liveObj: Annotate(NewPod(), common.AnnotationSyncWave, "-1"), phase: SyncPhaseSync}}
+		assert.Equal(t, SyncPhaseSync, tasks.phase())
+		assert.Equal(t, -1, tasks.wave())
+		assert.Equal(t, SyncPhaseSync, tasks.lastPhase())
+		assert.Equal(t, -1, tasks.lastWave())
+		assert.False(t, tasks.multiStep())
+	})
+	t.Run("Double", func(t *testing.T) {
+		tasks := syncTasks{
+			{liveObj: Annotate(NewPod(), common.AnnotationSyncWave, "-1"), phase: SyncPhasePreSync},
+			{liveObj: Annotate(NewPod(), common.AnnotationSyncWave, "1"), phase: SyncPhasePostSync},
+		}
+		assert.Equal(t, SyncPhasePreSync, tasks.phase())
+		assert.Equal(t, -1, tasks.wave())
+		assert.Equal(t, SyncPhasePostSync, tasks.lastPhase())
+		assert.Equal(t, 1, tasks.lastWave())
+		assert.True(t, tasks.multiStep())
+	})
+}
--- a/controller/sync_test.go
+++ b/controller/sync_test.go
@@ -13,6 +13,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	fakedisco "k8s.io/client-go/discovery/fake"
+	"k8s.io/client-go/dynamic/fake"
 	"k8s.io/client-go/rest"
 	testcore "k8s.io/client-go/testing"

@@ -76,6 +77,17 @@ func newTestSyncCtx(resources ...*v1.APIResourceList) *syncContext {
 	return &sc
 }

+func newManagedResource(live *unstructured.Unstructured) managedResource {
+	return managedResource{
+		Live:      live,
+		Group:     live.GroupVersionKind().Group,
+		Version:   live.GroupVersionKind().Version,
+		Kind:      live.GroupVersionKind().Kind,
+		Namespace: live.GetNamespace(),
+		Name:      live.GetName(),
+	}
+}
+
 func TestSyncNotPermittedNamespace(t *testing.T) {
 	syncCtx := newTestSyncCtx()
 	targetPod := test.NewPod()
@@ -552,6 +564,22 @@ func TestSyncFailureHookWithFailedSync(t *testing.T) {
 	assert.Len(t, syncCtx.syncRes.Resources, 2)
 }

+func TestBeforeHookCreation(t *testing.T) {
+	syncCtx := newTestSyncCtx()
+	syncCtx.syncOp.SyncStrategy.Apply = nil
+	hook := test.Annotate(test.Annotate(test.NewPod(), common.AnnotationKeyHook, "Sync"), common.AnnotationKeyHookDeletePolicy, "BeforeHookCreation")
+	hook.SetNamespace(test.FakeArgoCDNamespace)
+	syncCtx.compareResult = &comparisonResult{
+		managedResources: []managedResource{newManagedResource(hook)},
+		hooks:            []*unstructured.Unstructured{hook},
+	}
+	syncCtx.dynamicIf = fake.NewSimpleDynamicClient(runtime.NewScheme())
+
+	syncCtx.sync()
+	assert.Len(t, syncCtx.syncRes.Resources, 1)
+	assert.Empty(t, syncCtx.syncRes.Resources[0].Message)
+}
+
 func TestRunSyncFailHooksFailed(t *testing.T) {
 	// Tests that other SyncFail Hooks run even if one of them fail.

@@ -660,3 +688,12 @@ func Test_syncContext_liveObj(t *testing.T) {
 		})
 	}
 }
+
+func Test_syncContext_hasCRDOfGroupKind(t *testing.T) {
+	// target
+	assert.False(t, (&syncContext{compareResult: &comparisonResult{managedResources: []managedResource{{Target: test.NewCRD()}}}}).hasCRDOfGroupKind("", ""))
+	assert.True(t, (&syncContext{compareResult: &comparisonResult{managedResources: []managedResource{{Target: test.NewCRD()}}}}).hasCRDOfGroupKind("argoproj.io", "TestCrd"))
+	// hook
+	assert.False(t, (&syncContext{compareResult: &comparisonResult{hooks: []*unstructured.Unstructured{test.NewCRD()}}}).hasCRDOfGroupKind("", ""))
+	assert.True(t, (&syncContext{compareResult: &comparisonResult{hooks: []*unstructured.Unstructured{test.NewCRD()}}}).hasCRDOfGroupKind("argoproj.io", "TestCrd"))
+}
--- a/docs/CONTRIBUTING.md
+++ b/docs/CONTRIBUTING.md
@@ -23,7 +23,15 @@ Install:
 Brew users can quickly install the lot:
    
 ```bash
-brew install git-lfs go dep kubectl kubectx ksonnet/tap/ks kubernetes-helm kustomize 
+brew install go git-lfs kubectl kubectx dep ksonnet/tap/ks kubernetes-helm kustomize kustomize
+```
+
+Check the versions:
+
+```
+go version ;# must be v1.12.x
+helm version ;# must be v2.13.x
+kustomize version ;# must be v3.10.x
 ```

 Set up environment variables (e.g. is `~/.bashrc`):
@@ -45,33 +53,19 @@ cd ~/go/src/github.com/argoproj/argo-cd
 Ensure dependencies are up to date first:

 ```shell
-make dep
+dep ensure
+make dev-builder-image
+make install-lint-tools
+go get github.com/mattn/goreman
+go get github.com/jstemmer/go-junit-report
 ```

-Build `cli`, `image`, and `argocd-util` as default targets by running make:
+Common make targets:

-```bash
-make
-```
-
-The make command can take a while, and we recommend building the specific component you are working on
-
-* `make codegen` - Builds protobuf and swagger files.
-
-Note: `make codegen` is slow because it uses docker + volume mounts. To improve performance you might install binaries from `./hack/Dockerfile.dev-tools`
-and use `make codegen-local`. It is still recommended to run `make codegen` once before sending PR to make sure correct version of codegen tools is used.   
-
-* `make cli` - Make the argocd CLI tool
-* `make server` - Make the API/repo/controller server
-* `make argocd-util` - Make the administrator's utility, used for certain tasks such as import/export
-
-## Running Tests
-
-To run unit tests:
-
-```bash
-make test
-```
+* `make codegen` - Run code generation
+* `make lint` - Lint code
+* `make test` - Run unit tests
+* `make cli` - Make the `argocd` CLI tool

 Check out the following [documentation](https://github.com/argoproj/argo-cd/blob/master/docs/developer-guide/test-e2e.md) for instructions on running the e2e tests.

@@ -82,14 +76,20 @@ It is much easier to run and debug if you run ArgoCD on your local machine than
 You should scale the deployments to zero:

 ```bash
-kubectl -n argocd scale deployment.extensions/argocd-application-controller --replicas 0
-kubectl -n argocd scale deployment.extensions/argocd-dex-server --replicas 0
-kubectl -n argocd scale deployment.extensions/argocd-repo-server --replicas 0
-kubectl -n argocd scale deployment.extensions/argocd-server --replicas 0
-kubectl -n argocd scale deployment.extensions/argocd-redis --replicas 0
+kubectl -n argocd scale deployment/argocd-application-controller --replicas 0
+kubectl -n argocd scale deployment/argocd-dex-server --replicas 0
+kubectl -n argocd scale deployment/argocd-repo-server --replicas 0
+kubectl -n argocd scale deployment/argocd-server --replicas 0
+kubectl -n argocd scale deployment/argocd-redis --replicas 0
 ```

-Note: you'll need to use the https://localhost:6443 cluster now.
+Download Yarn dependencies and Compile:
+
+```bash
+~/go/src/github.com/argoproj/argo-cd/ui 
+yarn install
+yarn build
+```

 Then start the services:

@@ -101,12 +101,17 @@ make start
 You can now execute `argocd` command against your locally running ArgoCD by appending `--server localhost:8080 --plaintext --insecure`, e.g.:

 ```bash
-argocd app set guestbook --path guestbook --repo https://github.com/argoproj/argocd-example-apps.git --dest-server https://localhost:6443  --dest-namespace default --server localhost:8080 --plaintext --insecure
+argocd app create guestbook --path guestbook --repo https://github.com/argoproj/argocd-example-apps.git --dest-server https://kubernetes.default.svc  --dest-namespace default --server localhost:8080 --plaintext --insecure
 ```

-You can open the UI: http://localhost:8080
+You can open the UI: http://localhost:4000

-Note: you'll need to use the https://kubernetes.default.svc cluster now.
+As an alternative to using the above command line parameters each time you call `argocd` CLI, you can set the following environment variables:
+
+```bash
+export ARGOCD_SERVER=127.0.0.1:8080
+export ARGOCD_OPTS="--plaintext --insecure"
+```

 ## Running Local Containers

@@ -124,21 +129,19 @@ Add your username as the environment variable, e.g. to your `~/.bash_profile`:
 export IMAGE_NAMESPACE=alexcollinsintuit
 ```

-If you have not built the UI image (see [the UI README](https://github.com/argoproj/argo-cd/blob/master/ui/README.md)), then do the following:
+If you don't want to use `latest` as the image's tag (the default), you can set it from the environment too:

 ```bash
-docker pull argoproj/argocd-ui:latest
-docker tag argoproj/argocd-ui:latest $IMAGE_NAMESPACE/argocd-ui:latest
-docker push $IMAGE_NAMESPACE/argocd-ui:latest
+export IMAGE_TAG=yourtag
 ```

-Build the images:
+Build the image:

 ```bash
 DOCKER_PUSH=true make image
 ```

-Update the manifests:
+Update the manifests (be sure to do that from a shell that has above environment variables set)

 ```bash
 make manifests
@@ -153,11 +156,11 @@ kubectl -n argocd apply --force -f manifests/install.yaml
 Scale your deployments up:

 ```bash
-kubectl -n argocd scale deployment.extensions/argocd-application-controller --replicas 1
-kubectl -n argocd scale deployment.extensions/argocd-dex-server --replicas 1
-kubectl -n argocd scale deployment.extensions/argocd-repo-server --replicas 1
-kubectl -n argocd scale deployment.extensions/argocd-server --replicas 1
-kubectl -n argocd scale deployment.extensions/argocd-redis --replicas 1
+kubectl -n argocd scale deployment/argocd-application-controller --replicas 1
+kubectl -n argocd scale deployment/argocd-dex-server --replicas 1
+kubectl -n argocd scale deployment/argocd-repo-server --replicas 1
+kubectl -n argocd scale deployment/argocd-server --replicas 1
+kubectl -n argocd scale deployment/argocd-redis --replicas 1
 ```

 Now you can set-up the port-forwarding and open the UI or CLI.
--- a/docs/assets/orphaned-resources.png
+++ b/docs/assets/orphaned-resources.png
--- a/docs/developer-guide/api-docs.md
+++ b/docs/developer-guide/api-docs.md
@@ -1,3 +1,32 @@
 # API Docs

-You can find Swagger docs but setting the path `/swagger-ui` to your Argo CD UI's. E.g. [http://localhost:8080/swagger-ui](http://localhost:8080/swagger-ui). 
+You can find Swagger docs but setting the path `/swagger-ui` to your Argo CD UI's. E.g. [http://localhost:8080/swagger-ui](http://localhost:8080/swagger-ui).
+
+## Authorization
+
+You'll need to authorize your API using a bearer token. To get a token:
+
+```bash
+$ curl $ARGOCD_SERVER/api/v1/session -d $'{"username":"admin","password":"password"}'
+{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1Njc4MTIzODcsImlzcyI6ImFyZ29jZCIsIm5iZiI6MTU2NzgxMjM4Nywic3ViIjoiYWRtaW4ifQ.ejyTgFxLhuY9mOBtKhcnvobg3QZXJ4_RusN_KIdVwao"} 
+```
+
+> <=v1.2
+
+Then pass using the HTTP `SetCookie` header, prefixing with `argocd.token`:
+
+```bash
+$ curl $ARGOCD_SERVER/api/v1/applications --cookie "argocd.token=$ARGOCD_TOKEN" 
+{"metadata":{"selfLink":"/apis/argoproj.io/v1alpha1/namespaces/argocd/applications","resourceVersion":"37755"},"items":...}
+```
+
+> >v1.3
+
+Then pass using the HTTP `Authorization` header, prefixing with `Bearer `:
+
+```bash
+$ curl $ARGOCD_SERVER/api/v1/applications -H "Authorization: Bearer $ARGOCD_TOKEN" 
+{"metadata":{"selfLink":"/apis/argoproj.io/v1alpha1/namespaces/argocd/applications","resourceVersion":"37755"},"items":...}
+```
+ 
+ You sh
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -25,6 +25,7 @@ to return `Progressing` state instead of `Healthy`.
 * `StatefulSet` is considered healthy if value of `status.updatedReplicas` field matches to `spec.replicas` field. Due to Kubernetes bug
 [kubernetes/kubernetes#68573](https://github.com/kubernetes/kubernetes/issues/68573) the `status.updatedReplicas` is not populated. So unless you run Kubernetes version which
 include the fix [kubernetes/kubernetes#67570](https://github.com/kubernetes/kubernetes/pull/67570) `StatefulSet` might stay in `Progressing` state.
+* Your `StatefulSet` or `DaemonSet` is using `OnDelete` instead of `RollingUpdate` strategy. See [#1881](https://github.com/argoproj/argo-cd/issues/1881).

 As workaround Argo CD allows providing [health check](operator-manual/health.md) customization which overrides default behavior.

@@ -36,13 +37,12 @@ To change the password, edit the `argocd-secret` secret and update the `admin.pa
 can use a site like https://www.browserling.com/tools/bcrypt to generate a new hash. For example:

 ```bash
-# bcrypt(Password1!)=$2a$10$hDj12Tw9xVmvybSahN1Y0.f9DZixxN8oybyA32Uy/eqWklFU4Mo8O
+# bcrypt(password)=$2a$10$rRyBsGSHK6.uc8fntPwVIuLVHgsAhAX7TcdrqW/RADU0uh7CaChLa
 kubectl -n argocd patch secret argocd-secret \
-  -p "{\"data\": \
-    {\
-      \"admin.password\": \"$(echo -n '$2a$10$hDj12Tw9xVmvybSahN1Y0.f9DZixxN8oybyA32Uy/eqWklFU4Mo8O' | base64)\", \
-      \"admin.passwordMtime\": \"$(date +%FT%T%Z | base64)\" \
-  }}"
+  -p '{"stringData": {
+    "admin.password": "$2a$10$rRyBsGSHK6.uc8fntPwVIuLVHgsAhAX7TcdrqW/RADU0uh7CaChLa",
+    "admin.passwordMtime": "'$(date +%FT%T%Z)'"
+  }}'
 ```

 Another option is to delete both the `admin.password` and `admin.passwordMtime` keys and restart argocd-server. This will set the password back to the pod name as per [the getting started guide](getting_started.md).
@@ -55,9 +55,15 @@ uses only internally available Helm repositories. Even if the chart uses only de

 ```yaml
 data:
+  # v1.2 or earlier use `helm.repositories`
  helm.repositories: |
    - url: http://<internal-helm-repo-host>:8080
      name: stable
+  # v1.3 or later use `repositories` with `type: helm`
+  repositories: |
+    - type: helm
+      url: http://<internal-helm-repo-host>:8080
+      name: stable
 ```

 ## I've configured [cluster secret](./operator-manual/declarative-setup.md#clusters) but it does not show up in CLI/UI, how do I fix it?
@@ -89,6 +95,54 @@ Is some cases, the tool you use may conflict with Argo CD by adding the `app.kub

 Argo CD automatically sets the `app.kubernetes.io/instance` label and uses it to determine which resources form the app. If the tool does this too, this causes confusion. You can change this label by setting the `application.instanceLabelKey` value in the `argocd-cm`.  We recommend that you use `argocd.argoproj.io/instance`. 

-!!! note    When you make this change your applications will become out of sync and will need re-syncing.
+!!! note 
+    When you make this change your applications will become out of sync and will need re-syncing.

-See [#1482](https://github.com/argoproj/argo-cd/issues/1482).
+See [#1482](https://github.com/argoproj/argo-cd/issues/1482).
+
+## Why Are My Resource Limits Out Of Sync?
+
+Kubernetes has normalized your resource limits when they are applied, and then Argo CD has then compared the version in your generated manifests to the normalized one is Kubernetes - they won't match. 
+
+E.g. 
+
+* `'1000m'` normalized to `'1'`
+* `'0.1'` normalized to `'100m'`
+* `'3072Mi'` normalized to `'3Gi'`
+* `3072` normalized to `'3072'` (quotes added)
+
+To fix this - replace your values with the normalized values.
+
+See [#1615](https://github.com/argoproj/argo-cd/issues/1615)
+
+# How Do I Fix "invalid cookie, longer than max length 4093"?
+
+Argo CD uses a JWT as the auth token. You likely are part of many groups and have gone over the 4KB limit which is set for cookies.
+You can get the list of groups by opening "developer tools -> network"
+
+* Click log in
+* Find the call to `<argocd_instance>/auth/callback?code=<random_string>`
+
+Decode the token at https://jwt.io/. That will provide the list of teams that you can remove yourself from.
+
+See [#2165](https://github.com/argoproj/argo-cd/issues/2165).
+
+## Why Am I Getting `rpc error: code = Unavailable desc = transport is closing` When Using The CLI?
+
+Maybe you're behind a proxy that does not support HTTP 2? Try the `--grcp-web` flag.:
+
+```bash
+argocd ... --grcp-web
+```
+
+## Why Am I Getting `x509: certificate signed by unknown authority` When Using The CLI?
+
+Your not running your server with correct certs.
+
+If you're not running in a production system (e.g. you're testing Argo CD out), try the `--insecure` flag:
+
+```bash
+argocd ... --insecure
+```
+
+!!! warning "Do not use `--insecure` in production"
--- a/docs/getting_started.md
+++ b/docs/getting_started.md
@@ -25,7 +25,7 @@ kubectl create clusterrolebinding YOURNAME-cluster-admin-binding --clusterrole=c

 ## 2. Download Argo CD CLI

-Download the latest Argo CD version from [https://github.com/argoproj/argo-cd/releases/latest].
+Download the latest Argo CD version from [https://github.com/argoproj/argo-cd/releases/latest](https://github.com/argoproj/argo-cd/releases/latest).

 Also available in Mac Homebrew:

@@ -110,7 +110,7 @@ service account token to perform its management tasks (i.e. deploy/monitoring).
 ## 6. Create An Application From A Git Repository

 An example repository containing a guestbook application is available at
-https://github.com/argoproj/argocd-example-apps.git to demonstrate how Argo CD works.
+[https://github.com/argoproj/argocd-example-apps.git](https://github.com/argoproj/argocd-example-apps.git) to demonstrate how Argo CD works.

 ### Creating Apps Via CLI

@@ -125,7 +125,7 @@ argocd app create guestbook \
 ### Creating Apps Via UI

 Open a browser to the Argo CD external UI, and login using the credentials, IP/hostname set in step 4.
-Connect the https://github.com/argoproj/argocd-example-apps.git repo to Argo CD:
+Connect the [https://github.com/argoproj/argocd-example-apps.git](https://github.com/argoproj/argocd-example-apps.git) repo to Argo CD:

 ![connect repo](assets/connect_repo.png)

--- a/docs/operator-manual/architecture.md
+++ b/docs/operator-manual/architecture.md
@@ -30,5 +30,5 @@ manifests when provided the following inputs:
 The application controller is a Kubernetes controller which continuously monitors running
 applications and compares the current, live state against the desired target state (as specified in
 the repo). It detects `OutOfSync` application state and optionally takes corrective action. It
-is responsible for invoking any user-defined hooks for lifcecycle events (PreSync, Sync, PostSync)
+is responsible for invoking any user-defined hooks for lifecycle events (PreSync, Sync, PostSync)

--- a/docs/operator-manual/argocd-cm.yaml
+++ b/docs/operator-manual/argocd-cm.yaml
@@ -3,6 +3,9 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
 data:
  # Argo CD's externally facing base URL (optional). Required when configuring SSO
  url: https://argo-cd-demo.argoproj.io
@@ -18,8 +21,13 @@ data:
  # Unless set to 'false' then user ids are hashed before sending to google analytics
  ga.anonymizeusers: 'false'

+  # the URL for getting chat help, this will typically be your Slack channel for support
+  help.chatUrl: 'https://mycorp.slack.com/argo-cd'
+  # the text for getting chat help, defaults to "Chat now!"
+  help.chatText: 'Chat now!'
+
  # A dex connector configuration (optional). See SSO configuration documentation:
-  # https://github.com/argoproj/argo-cd/blob/master/docs/sso.md
+  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/sso.md
  # https://github.com/dexidp/dex/tree/master/Documentation/connectors
  dex.config: |
    connectors:
@@ -43,9 +51,12 @@ data:
    clientSecret: $oidc.okta.clientSecret
    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
    requestedScopes: ["openid", "profile", "email"]
+    # Optional set of OIDC claims to request on the ID token.
+    requestedIDTokenClaims: {"groups": {"essential": true}}

  # Git repositories configure Argo CD with (optional).
  # This list is updated when configuring/removing repos from the UI/CLI
+  # Note: 'type: helm' field is supported in v1.3+. Use 'helm.repositories' for older versions.
  repositories: |
    - url: https://github.com/argoproj/my-private-repository
      passwordSecret:
@@ -57,8 +68,20 @@ data:
      sshPrivateKeySecret:
        name: my-secret
        key: sshPrivateKey
+    - type: helm
+      url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
+      name: istio.io
+    - type: helm
+      url: https://my-private-chart-repo.internal
+      name: private-repo
+      usernameSecret:
+        name: my-secret
+        key: username
+      passwordSecret:
+        name: my-secret
+        key: password

-  # Non-standard and private Helm repositories (optional).
+  # Non-standard and private Helm repositories (deprecated in 1.3).
  helm.repositories: |
    - url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
      name: istio.io
@@ -101,6 +124,27 @@ data:
        hs.status = "Progressing"
        hs.message = "Waiting for certificate"
        return hs
+    apps/Deployment:
+      # List of Lua Scripts to introduce custom actions
+      actions: |
+        # Lua Script to indicate which custom actions are available on the resource
+        discovery.lua: |
+          actions = {}
+          actions["restart"] = {}
+          return actions
+        definitions:
+          - name: restart
+            # Lua Script to modify the obj
+            action.lua: |
+              local os = require("os")
+              if obj.spec.template.metadata == nil then
+                  obj.spec.template.metadata = {}
+              end
+              if obj.spec.template.metadata.annotations == nil then
+                  obj.spec.template.metadata.annotations = {}
+              end
+              obj.spec.template.metadata.annotations["kubectl.kubernetes.io/restartedAt"] = os.date("!%Y-%m-%dT%XZ")
+              return obj

  # Configuration to completely ignore entire classes of resource group/kinds (optional).
  # Excluding high-volume resources improves performance and memory usage, and reduces load and 
--- a/docs/operator-manual/argocd-rbac-cm.yaml
+++ b/docs/operator-manual/argocd-rbac-cm.yaml
@@ -3,13 +3,16 @@ kind: ConfigMap
 metadata:
  name: argocd-rbac-cm
  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-rbac-cm
+    app.kubernetes.io/part-of: argocd
 data:
  # policy.csv is an file containing user-defined RBAC policies and role definitions (optional).
  # Policy rules are in the form:
  #   p, subject, resource, action, object, effect
  # Role definitions and bindings are in the form:
  #   g, subject, inherited-subject
-  # See https://github.com/argoproj/argo-cd/blob/master/docs/rbac.md for additional information.
+  # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/rbac.md for additional information.
  policy.csv: |
    # Grant all members of the group 'my-org:team-alpha; the ability to sync apps in 'my-project'
    p, my-org:team-alpha, applications, sync, my-project/*, allow
--- a/docs/operator-manual/argocd-secret.yaml
+++ b/docs/operator-manual/argocd-secret.yaml
@@ -3,6 +3,9 @@ kind: Secret
 metadata:
  name: argocd-secret
  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-secret
+    app.kubernetes.io/part-of: argocd
 type: Opaque
 data:
  # TLS certificate and private key for API server (required).
@@ -20,7 +23,7 @@ data:
  server.secretkey:

  # Shared secrets for authenticating GitHub, GitLab, BitBucket webhook events (optional).
-  # See https://github.com/argoproj/argo-cd/blob/master/docs/webhook.md for additional details.
+  # See https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/webhook.md for additional details.
  github.webhook.secret:
  gitlab.webhook.secret:
  bitbucket.webhook.uuid:
--- a/docs/operator-manual/argocd-ssh-known-hosts-cm.yaml
+++ b/docs/operator-manual/argocd-ssh-known-hosts-cm.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-ssh-known-hosts-cm
+    app.kubernetes.io/part-of: argocd
+  name: argocd-ssh-known-hosts-cm
+data:
+  ssh_known_hosts: |
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+    github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+    gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
+    gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
+    gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
+    ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
+    vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
--- a/docs/operator-manual/argocd-tls-certs-cm.yaml
+++ b/docs/operator-manual/argocd-tls-certs-cm.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-tls-certs-cm
+  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  server.example.com: |
+    -----BEGIN CERTIFICATE-----
+    MIIF1zCCA7+gAwIBAgIUQdTcSHY2Sxd3Tq/v1eIEZPCNbOowDQYJKoZIhvcNAQEL
+    BQAwezELMAkGA1UEBhMCREUxFTATBgNVBAgMDExvd2VyIFNheG9ueTEQMA4GA1UE
+    BwwHSGFub3ZlcjEVMBMGA1UECgwMVGVzdGluZyBDb3JwMRIwEAYDVQQLDAlUZXN0
+    c3VpdGUxGDAWBgNVBAMMD2Jhci5leGFtcGxlLmNvbTAeFw0xOTA3MDgxMzU2MTda
+    Fw0yMDA3MDcxMzU2MTdaMHsxCzAJBgNVBAYTAkRFMRUwEwYDVQQIDAxMb3dlciBT
+    YXhvbnkxEDAOBgNVBAcMB0hhbm92ZXIxFTATBgNVBAoMDFRlc3RpbmcgQ29ycDES
+    MBAGA1UECwwJVGVzdHN1aXRlMRgwFgYDVQQDDA9iYXIuZXhhbXBsZS5jb20wggIi
+    MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCv4mHMdVUcafmaSHVpUM0zZWp5
+    NFXfboxA4inuOkE8kZlbGSe7wiG9WqLirdr39Ts+WSAFA6oANvbzlu3JrEQ2CHPc
+    CNQm6diPREFwcDPFCe/eMawbwkQAPVSHPts0UoRxnpZox5pn69ghncBR+jtvx+/u
+    P6HdwW0qqTvfJnfAF1hBJ4oIk2AXiip5kkIznsAh9W6WRy6nTVCeetmIepDOGe0G
+    ZJIRn/OfSz7NzKylfDCat2z3EAutyeT/5oXZoWOmGg/8T7pn/pR588GoYYKRQnp+
+    YilqCPFX+az09EqqK/iHXnkdZ/Z2fCuU+9M/Zhrnlwlygl3RuVBI6xhm/ZsXtL2E
+    Gxa61lNy6pyx5+hSxHEFEJshXLtioRd702VdLKxEOuYSXKeJDs1x9o6cJ75S6hko
+    Ml1L4zCU+xEsMcvb1iQ2n7PZdacqhkFRUVVVmJ56th8aYyX7KNX6M9CD+kMpNm6J
+    kKC1li/Iy+RI138bAvaFplajMF551kt44dSvIoJIbTr1LigudzWPqk31QaZXV/4u
+    kD1n4p/XMc9HYU/was/CmQBFqmIZedTLTtK7clkuFN6wbwzdo1wmUNgnySQuMacO
+    gxhHxxzRWxd24uLyk9Px+9U3BfVPaRLiOPaPoC58lyVOykjSgfpgbus7JS69fCq7
+    bEH4Jatp/10zkco+UQIDAQABo1MwUTAdBgNVHQ4EFgQUjXH6PHi92y4C4hQpey86
+    r6+x1ewwHwYDVR0jBBgwFoAUjXH6PHi92y4C4hQpey86r6+x1ewwDwYDVR0TAQH/
+    BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAFE4SdKsX9UsLy+Z0xuHSxhTd0jfn
+    Iih5mtzb8CDNO5oTw4z0aMeAvpsUvjJ/XjgxnkiRACXh7K9hsG2r+ageRWGevyvx
+    CaRXFbherV1kTnZw4Y9/pgZTYVWs9jlqFOppz5sStkfjsDQ5lmPJGDii/StENAz2
+    XmtiPOgfG9Upb0GAJBCuKnrU9bIcT4L20gd2F4Y14ccyjlf8UiUi192IX6yM9OjT
+    +TuXwZgqnTOq6piVgr+FTSa24qSvaXb5z/mJDLlk23npecTouLg83TNSn3R6fYQr
+    d/Y9eXuUJ8U7/qTh2Ulz071AO9KzPOmleYPTx4Xty4xAtWi1QE5NHW9/Ajlv5OtO
+    OnMNWIs7ssDJBsB7VFC8hcwf79jz7kC0xmQqDfw51Xhhk04kla+v+HZcFW2AO9so
+    6ZdVHHQnIbJa7yQJKZ+hK49IOoBR6JgdB5kymoplLLiuqZSYTcwSBZ72FYTm3iAr
+    jzvt1hxpxVDmXvRnkhRrIRhK4QgJL0jRmirBjDY+PYYd7bdRIjN7WNZLFsgplnS8
+    9w6CwG32pRlm0c8kkiQ7FXA6BYCqOsDI8f1VGQv331OpR2Ck+FTv+L7DAmg6l37W
+    +LB9LGh4OAp68ImTjqf6ioGKG0RBSznwME+r4nXtT1S/qLR6ASWUS4ViWRhbRlNK
+    XWyb96wrUlv+E8I=
+    -----END CERTIFICATE-----
+
--- a/docs/operator-manual/cluster-bootstrapping.md
+++ b/docs/operator-manual/cluster-bootstrapping.md
@@ -1,12 +1,12 @@
 # Cluster Bootstrapping

-This guide for operators who have already installed Argo CD, and have a new cluster and are looking to install many applications in that cluster.
+This guide for operators who have already installed Argo CD, and have a new cluster and are looking to install many apps in that cluster.

-There's no one particular pattern to solve this problem, e.g. you could write a script to create your applications, or you could even manually create them. However, users of Argo CD tend to use the **application of applications pattern**.
+There's no one particular pattern to solve this problem, e.g. you could write a script to create your apps, or you could even manually create them. However, users of Argo CD tend to use the **app of apps pattern**.

-## Application Of Applications Pattern
+## App Of Apps Pattern

-[Declaratively](declarative-setup.md) specify one Argo CD application that consists only of other applications.
+[Declaratively](declarative-setup.md) specify one Argo CD app that consists only of other apps.

 ![Application of Applications](../assets/application-of-applications.png)

@@ -28,7 +28,7 @@ A typical layout of your Git repository for this might be:

 `Chart.yaml` is boiler-plate.

-`templates` contains one file for each application, roughly:
+`templates` contains one file for each child app, roughly:

 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -46,15 +46,17 @@ spec:
  source:
    path: guestbook
    repoURL: https://github.com/argoproj/argocd-example-apps
-    targetRevision: {{ .Values.spec.source.targetRevision }}
+    targetRevision: 08836bd970037ebcd14494831de4635bad961139
  syncPolicy:
    automated:
      prune: true
 ``` 

-In this example, I've set the sync policy to automated + prune, so that applications are automatically created, synced, and deleted when the manifest is changed, but you may wish to disable this. I've also added the finalizer, which will ensure that you applications are deleted correctly.
+The sync policy to automated + prune, so that child app is are automatically created, synced, and deleted when the manifest is changed, but you may wish to disable this. I've also added the finalizer, which will ensure that you apps are deleted correctly.

-As you probably want to override the cluster server and maybe the revision, these are templated values.
+Fix the revision to a specific Git commit SHA to make sure that, even if the child apps repo changes, the app will only change when the parent app change that revision. Alternatively, you can set it to HEAD or a branch name.
+
+As you probably want to override the cluster server, this is a templated values.

 `values.yaml` contains the default values:

@@ -62,21 +64,19 @@ As you probably want to override the cluster server and maybe the revision, thes
 spec:
  destination:
    server: https://kubernetes.default.svc
-  source:
-    targetRevision: HEAD
 ```

-Finally, you need to create your application, e.g.:
+Finally, you need to create your parent app, e.g.:

 ```bash
 argocd app create applications \
    --dest-namespace argocd \
    --dest-server https://kubernetes.default.svc \
    --repo https://github.com/argoproj/argocd-example-apps.git \
-    --path applications \
+    --path apps \
    --sync-policy automated 
 ```

-In this example, I excluded auto-prune, as this would result in all applications being deleted if some accidentally deleted the *application of applications*.
+In this example, I excluded auto-prune, as this would result in all apps being deleted if some accidentally deleted the *app of apps*.

-View [the example on Github](https://github.com/argoproj/argocd-example-apps/tree/master/applications).
+View [the example on Github](https://github.com/argoproj/argocd-example-apps/tree/master/apps).
--- a/docs/operator-manual/declarative-setup.md
+++ b/docs/operator-manual/declarative-setup.md
@@ -8,8 +8,8 @@ Argo CD applications, projects and settings can be defined declaratively using K
 | [`argocd-cm.yaml`](argocd-cm.yaml) | ConfigMap | General Argo CD configuration |
 | [`argocd-secret.yaml`](argocd-secret.yaml) | Secret | Password, Certificates, Signing Key |
 | [`argocd-rbac-cm.yaml`](argocd-rbac-cm.yaml) | ConfigMap | RBAC Configuration |
-| [`argocd-tls-certs-cm.yaml`](argocd-rbac-cm.yaml) | ConfigMap | Custom TLS certificates for connecting Git repositories via HTTPS (v1.2 and later) |
-| [`argocd-ssh-known-hosts-cm.yaml`](argocd-rbac-cm.yaml) | ConfigMap | SSH known hosts data for connecting Git repositories via SSH (v1.2 and later) |
+| [`argocd-tls-certs-cm.yaml`](argocd-tls-certs-cm.yaml) | ConfigMap | Custom TLS certificates for connecting Git repositories via HTTPS (v1.2 and later) |
+| [`argocd-ssh-known-hosts-cm.yaml`](argocd-ssh-known-hosts-cm.yaml) | ConfigMap | SSH known hosts data for connecting Git repositories via SSH (v1.2 and later) |
 | [`application.yaml`](application.yaml) | Application | Example application spec |
 | [`project.yaml`](project.yaml) | AppProject | Example project spec |

@@ -54,10 +54,10 @@ metadata:
    - resources-finalizer.argocd.argoproj.io
 ```

-### Application of Applications
+### App of Apps

-You can create an application that creates other applications, which in turn can create other applications. 
-This allows you to declaratively manage a group of applications that can be deployed and configured in concert.
+You can create an app that creates other apps, which in turn can create other apps. 
+This allows you to declaratively manage a group of app that can be deployed and configured in concert.

 See [cluster bootstrapping](cluster-bootstrapping.md).

@@ -134,6 +134,9 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
 data:
  repositories: |
    - url: https://github.com/argoproj/my-private-repository
@@ -153,6 +156,9 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
 data:
  repositories: |
    - url: git@github.com:argoproj/my-private-repository
@@ -177,6 +183,9 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
 data:
  repositories: |
    - url: https://github.com/argoproj/private-repo
@@ -403,8 +412,8 @@ stringData:

 ## Helm Chart Repositories

-Non standard Helm Chart repositories have to be registered under the `helm.repositories` key in the
-`argocd-cm` ConfigMap. Each repository must have `url` and `name` fields. For private Helm repos you
+Non standard Helm Chart repositories have to be registered under the `repositories` key in the
+`argocd-cm` ConfigMap. Each repository must have `url`, `type` and `name` fields. For private Helm repos you
 may need to configure access credentials and HTTPS settings using `usernameSecret`, `passwordSecret`,
 `caSecret`, `certSecret` and `keySecret` fields.

@@ -416,11 +425,21 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
 data:
+  # v1.2 or earlier use `helm.repositories`
  helm.repositories: |
    - url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
      name: istio.io
-    - url: https://argoproj.github.io/argo-helm
+  # v1.3 or later use `repositories` with `type: helm`
+  repositories: |
+    - type: helm
+      url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
+      name: istio.io
+    - type: helm
+      url: https://argoproj.github.io/argo-helm
      name: argo
      usernameSecret:
        name: my-secret
--- a/docs/operator-manual/high_availability.md
+++ b/docs/operator-manual/high_availability.md
@@ -11,9 +11,61 @@ A set HA of manifests are provided for users who wish to run Argo CD in a highly
 
 ## Scaling Up

-You might scale up some Argo CD services in the following circumstances:
+### argocd-repo-server

-* The `argocd-repo-server` can scale up when there is too much contention on a single git repo (e.g. many apps defined in a single git repo).
-* The `argocd-server` can scale up to support more front-end load.
+**settings:**

-All other services should run with their pre-determined number of replicas. The `argocd-application-controller` must not be increased because multiple controllers will fight. The `argocd-dex-server` uses an in-memory database, and two or more instances would have inconsistent data. `argocd-redis` is pre-configured with the understanding of only three total redis servers/sentinels.
+The `argocd-repo-server` is responsible for cloning Git repository, keeping it up to date and generating manifests using the appropriate tool.
+
+* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory and limit on the number of OS threads.
+The `--parallelismlimit` flag controls how many manifests generations are running concurrently and allows avoiding OOM kills.
+
+* one instance of `argocd-repo-server` executes only one operation on one Git repo concurrently. Increase the number of `argocd-repo-server` replica count if you have a lot of
+applications in the same repository.
+
+* `argocd-repo-server` clones repository into `/tmp` ( of path specified in `TMPDIR` env variable ). Pod might run out of disk space if have too many repository
+or repositories has a lot of files. To avoid this problem mount persistent volume.
+
+* `argocd-repo-server` `git ls-remote` to resolve ambiguous revision such as `HEAD`, branch or tag name. This operation is happening pretty frequently
+and might fail. To avoid failed syncs use `ARGOCD_GIT_ATTEMPTS_COUNT` environment variable to retry failed requests.
+
+**metrics:**
+
+* `argocd_git_request_total` - Number of git requests. The metric provides two tags: `repo` - Git repo URL; `request_type` - `ls-remote` or `fetch`.
+
+### argocd-application-controller
+
+**settings:**
+
+The `argocd-application-controller` uses `argocd-repo-server` to get generated manifests and Kubernetes API server to get actual cluster state.
+
+* controller uses two separate queues to process application reconciliation (milliseconds) and app syncing (seconds). Number of queue processors for each queue is controlled by
+`--status-processors` (20 by default) and `--operation-processors` (10 by default) flags. Increase number of processors if your Argo CD instance manages too many applications.
+For 1000 application we use 50 for `--status-processors` and 25 for `--operation-processors`
+
+* The manifest generation typically takes the most time during reconciliation. The duration of manifest generation is limited to make sure controller refresh queue does not overflow.
+The app reconciliation fails with `Context deadline exceeded` error if manifest generating taking too much time. As workaround increase value of `--repo-server-timeout-seconds` and
+consider scaling up `argocd-repo-server` deployment.
+
+* controller uses `kubectl` fork/exec to push changes into the cluster and to convert resource from preferred version into user specified version
+(e.g. Deployment `apps/v1` into `extensions/v1beta1`). Same as config management tool `kubectl` fork/exec might cause pod OOM kill. Use `--kubectl-parallelism-limit` flag to limit
+number of allowed concurrent kubectl fork/execs.
+
+* controller uses Kubernetes watch APIs to maintain lightweight Kubernetes cluster cache. This allows to avoid querying Kubernetes during app reconciliation and significantly improve
+performance. For performance reasons controller monitors and caches only preferred the version of a resource. During reconciliation, the controller might have to convert cached resource from
+preferred version into a version of the resource stored in Git. If `kubectl convert` fails because conversion is not supported than controller fallback to Kubernetes API query which slows down
+reconciliation. In this case advice user-preferred resource version in Git.
+
+**metrics**
+
+* `argocd_app_reconcile` - reports application reconciliation duration. Can be used to build reconciliation duration heat map to get high-level reconciliation performance picture.
+* `argocd_app_k8s_request_total` - number of k8s requests per application. The number of fallback Kubernetes API queries - useful to identify which application has a resource with
+non-preferred version and causes performance issues.
+
+### argocd-server
+
+The `argocd-server` is stateless and probably least likely to cause issues. You might consider increasing number of replicas to 3 or more to ensure there is no downtime during upgrades.
+
+### argocd-dex-server, argocd-redis
+
+The `argocd-dex-server` uses an in-memory database, and two or more instances would have inconsistent data. `argocd-redis` is pre-configured with the understanding of only three total redis servers/sentinels.
--- a/docs/operator-manual/ingress.md
+++ b/docs/operator-manual/ingress.md
@@ -12,7 +12,7 @@ There are several ways how Ingress can be configured.

 ### Option 1: SSL-Passthrough

-Because Argo CD serves multiple protocols (gRPC/HTTPS) on the same port (443), this provides a
+Argo CD serves multiple protocols (gRPC/HTTPS) on the same port (443), this provides a
 challenge when attempting to define a single nginx ingress object and rule for the argocd-service,
 since the `nginx.ingress.kubernetes.io/backend-protocol` [annotation](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol)
 accepts only a single value for the backend protocol (e.g. HTTP, HTTPS, GRPC, GRPCS).
@@ -115,26 +115,60 @@ spec:
        - --insecure
 ```

-The obvious disadvantage to this approach is that this technique require two separate hostnames for
-the API server -- one for gRPC and the other for HTTP/HTTPS. However it allow TLS termination to
+The obvious disadvantage to this approach is that this technique requires two separate hostnames for
+the API server -- one for gRPC and the other for HTTP/HTTPS. However it allows TLS termination to
 happen at the ingress controller.


+## [Traefik (v2.0)](https://docs.traefik.io/)
+
+Traefik can be used as an edge router and provide [TLS](https://docs.traefik.io/user-guides/crd-acme/) termination within the same deployment.
+
+It currently has an advantage over NGINX in that it can terminate both TCP and HTTP connections _on the same port_ meaning you do not require multiple ingress objects and hosts.
+
+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: argocd-server-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`argocd.example.com`)
+      kind: Rule
+      services:
+        - name: argocd-server
+          port: 80
+  tls:
+    certResolver: default
+    options: {}
+```
+
+
 ## AWS Application Load Balancers (ALBs) And Classic ELB (HTTP Mode)

-Neither ALBs and Classic ELB in HTTP mode, do not have full support for HTTP2/gRPC which is the
-protocol used by the `argocd` CLI. Thus, when using an AWS load balancer, either Classic ELB in
+ALBs and Classic ELBs don't fully support HTTP2/gRPC, which is used by the `argocd` CLI.
+Thus, when using an AWS load balancer, either Classic ELB in
 passthrough mode is needed, or NLBs.

 ```shell
 $ argocd login <host>:<port> --grpc-web
 ```

+## Authenticating through multiple layers of authenticating reverse proxies
+
+ArgoCD endpoints may be protected by one or more reverse proxies layers, in that case, you can provide additional headers through the `argocd` CLI `--header` parameter to authenticate through those layers.
+
+```shell
+$ argocd login <host>:<port> --header 'x-token1:foo' --header 'x-token2:bar' # can be repeated multiple times
+$ argocd login <host>:<port> --header 'x-token1:foo,x-token2:bar' # headers can also be comma separated
+```

 ## UI Base Path

-If Argo CD UI is available under non-root path (e.g. `/argo-cd` instead of `/`) then UI path should be configured in API server.
-To configure UI path add `--basehref` flag into `argocd-server` deployment command:
+If the Argo CD UI is available under a non-root path (e.g. `/argo-cd` instead of `/`) then the UI path should be configured in the API server.
+To configure the UI path add the `--basehref` flag into the `argocd-server` deployment command:

 ```yaml
 spec:
@@ -152,7 +186,7 @@ spec:
        - /argo-cd
 ```

-NOTE: flag `--basehref` only changes UI base URL. API server keep using `/` path so you need to add URL rewrite rule to proxy config.
+NOTE: The flag `--basehref` only changes the UI base URL. The API server will keep using the `/` path so you need to add a URL rewrite rule to the proxy config.
 Example nginx.conf with URL rewrite:

 ```
--- a/docs/operator-manual/project.yaml
+++ b/docs/operator-manual/project.yaml
@@ -30,6 +30,10 @@ spec:
  - group: ''
    kind: NetworkPolicy

+  # Enables namespace orphaned resource monitoring.
+  orphanedResources:
+    warn: false
+
  roles:
  # A role which provides read-only access to all applications in the project
  - name: read-only
--- a/docs/operator-manual/rbac.md
+++ b/docs/operator-manual/rbac.md
@@ -44,5 +44,5 @@ data:

 ## Anonymous Access

-THe anonymous access to Argo CD can be enabled using `users.anonymous.enabled` field in `argocd-cm` (see [./argocd-cm.yaml](argocd-cm.yaml)).
-The anonymous users get default role permissions specified argocd-rbac-cm.yaml.
+The anonymous access to Argo CD can be enabled using `users.anonymous.enabled` field in `argocd-cm` (see [./argocd-cm.yaml](argocd-cm.yaml)).
+The anonymous users get default role permissions specified by `policy.default` in `argocd-rbac-cm.yaml. For read-only access you'll want `policy.default: role:readonly` as above
--- a/docs/operator-manual/sso.md
+++ b/docs/operator-manual/sso.md
@@ -86,6 +86,8 @@ NOTES:

 * Any values which start with '$' will look to a key in argocd-secret of the same name (minus the $),
  to obtain the actual value. This allows you to store the `clientSecret` as a kubernetes secret.
+    * If you are editing the secret using `kubectl edit secret` remember that the `data` field expects a base64 encoded value (`echo -n "<CLIENT_SECRET>" | base64`).
+    * The error: *Failed to authenticate: github: get user: github: get URL Get https://api.github.com/user: oauth2: token expired and refresh token is not set* can be attributed to the secret value not being interpreted correctly by dex (e.g. incorrect client secret value).
 * There is no need to set `redirectURI` in the `connectors.config` as shown in the dex documentation.
  Argo CD will automatically use the correct `redirectURI` for any OAuth2 connectors, to match the
  correct external callback URL (e.g. https://argocd.example.com/api/dex/callback)
@@ -106,9 +108,47 @@ data:
    clientID: aaaabbbbccccddddeee
    clientSecret: $oidc.okta.clientSecret

+    # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
+    requestedScopes: ["openid", "profile", "email", "groups"]
+
+    # Optional set of OIDC claims to request on the ID token.
+    requestedIDTokenClaims: {"groups": {"essential": true}}
+
    # Some OIDC providers require a separate clientID for different callback URLs.
    # For example, if configuring Argo CD with self-hosted Dex, you will need a separate client ID
    # for the 'localhost' (CLI) client to Dex. This field is optional. If omitted, the CLI will
    # use the same clientID as the Argo CD server
    cliClientID: vvvvwwwwxxxxyyyyzzzz
 ```
+
+### Requesting additional ID token claims
+
+Not all OIDC providers support a special `groups` scope. E.g. Okta, OneLogin and Microsoft do support a special
+`groups` scope and will return group membership with the default `requestedScopes`.
+
+Other OIDC providers might be able to return a claim with group membership if explicitly requested to do so.
+Individual claims can be requested with `requestedIDTokenClaims`, see
+[OpenID Connect Claims Parameter](https://connect2id.com/products/server/docs/guides/requesting-openid-claims#claims-parameter)
+for details. The Argo CD configuration for claims is as follows:
+
+```yaml
+  oidc.config: |
+    requestedIDTokenClaims:
+      email:
+        essential: true
+      groups:
+        essential: true
+        value: org:myorg
+      acr:
+        essential: true
+        values:
+        - urn:mace:incommon:iap:silver
+        - urn:mace:incommon:iap:bronze
+```
+
+For a simple case this can be:
+
+```yaml
+  oidc.config: |
+    requestedIDTokenClaims: {"groups": {"essential": true}}
+```
--- a/docs/user-guide/app_deletion.md
+++ b/docs/user-guide/app_deletion.md
@@ -1,10 +1,10 @@
 # App Deletion

-Apps can be deleted with or without a cascade option. A **cascade delete**, deletes the both app's and its resources, rather than only the app. 
+Apps can be deleted with or without a cascade option. A **cascade delete**, deletes both the app and its resources, rather than only the app. 

 ## Deletion Using `argocd`

-To perform an non-cascade delete:
+To perform a non-cascade delete:

 ```bash
 argocd app delete APPNAME
@@ -43,4 +43,4 @@ metadata:

 Argo CD's app controller watches for this and will then delete both the app and its resources.

-When you invoke `argocd app delete` with `--cascade`, the finalizer is added automatically. 
+When you invoke `argocd app delete` with `--cascade`, the finalizer is added automatically. 
--- a/docs/user-guide/helm.md
+++ b/docs/user-guide/helm.md
@@ -9,6 +9,8 @@ flag. The flag can be repeated to support multiple values files:
 ```bash
 argocd app set helm-guestbook --values values-production.yaml
 ```
+!!! note
+    Values files must be on the same directory or a subdirectory of the Helm application

 ## Helm Parameters

@@ -48,12 +50,43 @@ source:

 ## Helm Hooks

-Helm hooks are equivalent in concept to [Argo CD resource hooks](resource_hooks.md). In helm, a hook
-is any normal kubernetes resource annotated with the `helm.sh/hook` annotation. When Argo CD deploys
-helm application which contains helm hooks, all helm hook resources are currently ignored during
-the `kubectl apply` of the manifests. There is an
-[open issue](https://github.com/argoproj/argo-cd/issues/355) to map Helm hooks to Argo CD's concept
-of Pre/Post/Sync hooks.
+> v1.3 or later
+
+Helm hooks are similar to [Argo CD hooks](resource_hooks.md). In Helm, a hook
+is any normal Kubernetes resource annotated with the `helm.sh/hook` annotation. 
+
+Argo CD supports many (most?) Helm hooks by mapping the Helm annotations onto Argo CD's own hook annotations: 
+
+| Helm Annotation | Notes |
+|---|---|
+| `helm.sh/hook: crd-install` | Supported as equivalent to `argocd.argoproj.io/hook: PreSync`. |
+| `helm.sh/hook: pre-delete` | Not supported. In Helm stable there are 3 cases used to clean up CRDs and 3 to clean-up jobs. |
+| `helm.sh/hook: pre-rollback` | Not supported. Never used in Helm stable. |
+| `helm.sh/hook: pre-install` | Supported as equivalent to `argocd.argoproj.io/hook: PreSync`. |
+| `helm.sh/hook: pre-upgrade` | Supported as equivalent to `argocd.argoproj.io/hook: PreSync`. |
+| `helm.sh/hook: post-upgrade` | Supported as equivalent to `argocd.argoproj.io/hook: PostSync`. |
+| `helm.sh/hook: post-install` | Supported as equivalent to `argocd.argoproj.io/hook: PostSync`. |
+| `helm.sh/hook: post-delete` | Not supported. Never used in Helm stable. |
+| `helm.sh/hook: post-rollback` | Not supported. Never used in Helm stable. |
+| `helm.sh/hook: test-success` | Not supported. No equivalent in Argo CD. |
+| `helm.sh/hook: test-failure` | Not supported. No equivalent in Argo CD. |
+| `helm.sh/hook-delete-policy` | Supported. See also `argocd.argoproj.io/hook-delete-policy`). |
+| `helm.sh/hook-delete-timeout` | No supported. Never used in Helm stable |
+| `helm.sh/hook-weight` | Supported as equivalent to `argocd.argoproj.io/sync-wave`. |
+
+Unsupported hooks are ignored. In Argo CD, hooks are created by using `kubectl apply`, rather than `kubectl create`. This means that if the hook is named and already exists, it will not change unless you have annotated it with `before-hook-creation`.
+
+!!! warning "'install' vs 'upgrade' vs 'sync'"
+    Argo CD cannot know if it is running a first-time "install" or an "upgrade" - every operation is a "sync'. This means that, by default, apps that have `pre-install` and `pre-upgrade` will have those hooks run at the same time.
+
+### Hook Tips
+
+* Make your hook idempotent. 
+* Annotate `crd-install` with `hook-weight: "-2"` to make sure it runs to success before any install or upgrade hooks.
+* Annotate  `pre-install` and `post-install` with `hook-weight: "-1"`. This will make sure it runs to success before any upgrade hooks.
+* Annotate `pre-upgrade` and `post-upgrade` with `hook-delete-policy: before-hook-creation` to make sure it runs on every sync.
+
+Read more about [Argo hooks](resource_hooks.md) and [Helm hooks](https://github.com/kubernetes/helm/blob/master/docs/charts_hooks.md). 

 ## Random Data

@@ -80,3 +113,4 @@ value, in the values.yaml such that the value is stable between each comparison.
 ```bash
 argocd app set redis -p password=abc123
 ```
+
--- a/docs/user-guide/kustomize.md
+++ b/docs/user-guide/kustomize.md
@@ -28,6 +28,9 @@ kind: ConfigMap
 metadata:
  name: argocd-cm
  namespace: argocd
+  labels:
+    app.kubernetes.io/name: argocd-cm
+    app.kubernetes.io/part-of: argocd
 data:
    kustomize.buildOptions: --load_restrictor none
 ```
--- a/docs/user-guide/orphaned-resources.md
+++ b/docs/user-guide/orphaned-resources.md
@@ -0,0 +1,19 @@
+# Orphaned Resources Monitoring
+
+Orphaned Kubernetes resource is a top-level namespaced resource which does not belong to any Argo CD Application. The Orphaned Resources Monitoring feature allows detecting
+orphaned resources, generate a warning and inspect/remove resources using Argo CD UI.
+
+The Orphaned Resources monitoring is enabled in [Project](projects.md) settings. Once the feature is enabled each project application which target namespace has orphaned resource
+will get a warning condition. The orphaned resources can be located using the application details page:
+
+![orphaned resources](../assets/orphaned-resources.png)
+
+Before enabling feature you might consider disabling warning. In this case application users are going to see orphaned resources in the UI but application is won't get a warning condition.
+
+## Exceptions
+
+Not every resource in the Kuberenetes cluster is controlled by the end user. Following resources are never considered as orphaned:
+
+* Namespaced resources blacklisted in the project. Usually, such resources are managed by cluster administrators and not supposed to be modified by namespace user.
+* `ServiceAccount` with name `default` ( and corresponding auto-generated `ServiceAccountToken` ).
+* `Service` with name `kubernetes` in the `default` namespace.
--- a/docs/user-guide/projects.md
+++ b/docs/user-guide/projects.md
@@ -94,7 +94,7 @@ data:
  policy.default: ""
  policy.csv: |
    p, some-github-org:team1, applications, *, project-a/*, allow
-    p, some-github-org:team2, applications, *, project-a/*, allow
+    p, some-github-org:team2, applications, *, project-b/*, allow

    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
--- a/docs/user-guide/resource_hooks.md
+++ b/docs/user-guide/resource_hooks.md
@@ -1,22 +1,18 @@
 # Resource Hooks
-
-!!! warning
-    Helm hooks are currently ignored. [Read more](helm.md).
-
 ## Overview

-Synchronization can be configured using resource hooks. Hooks are ways to interject custom logic before, during,
-and after a Sync operation. Some use cases for hooks are:
+Synchronization can be configured using resource hooks. Hooks are ways to run scripts before, during,
+and after a Sync operation. Hooks can also be run if a Sync operation fails at any point. Some use cases for hooks are:

 * Using a `PreSync` hook to perform a database schema migration before deploying a new version of the app.
 * Using a `Sync` hook to orchestrate a complex deployment requiring more sophistication than the
-kubernetes rolling update strategy (e.g. a blue/green deployment).
+Kubernetes rolling update strategy.
 * Using a `PostSync` hook to run integration and health checks after a deployment.
-* Using a `SyncFail` hook to run clean-up or finalizer logic if a Sync operation fails.
+* Using a `SyncFail` hook to run clean-up or finalizer logic if a Sync operation fails. _`SyncFail` hooks are only available starting in v1.2_

 ## Usage
-Hooks are simply kubernetes manifests annotated with the `argocd.argoproj.io/hook` annotation. To
-make use of hooks, simply add the annotation to any resource:
+
+Hooks are simply Kubernetes manifests annotated with `argocd.argoproj.io/hook`, e.g.:

 ```yaml
 apiVersion: batch/v1
@@ -27,27 +23,29 @@ metadata:
    argocd.argoproj.io/hook: PreSync
 ```

-During a Sync operation, Argo CD will create the resource during the appropriate stage of the
-deployment. Hooks can be any type of Kuberentes resource kind, but tend to be most useful as a Pod,
+During a Sync operation, Argo CD will apply the resource during the appropriate phase of the
+deployment. Hooks can be any type of Kubernetes resource kind, but tend to be Pod,
 [Job](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/)
 or [Argo Workflows](https://github.com/argoproj/argo). Multiple hooks can be specified as a comma
 separated list.

-## Available Hooks
 The following hooks are defined:

 | Hook | Description |
 |------|-------------|
 | `PreSync` | Executes prior to the apply of the manifests. |
-| `Sync`  | Executes after all `PreSync` hooks completed and were successful. Occurs in conjuction with the apply of the manifests. |
-| `Skip` | Indicates to Argo CD to skip the apply of the manifest. This is typically used in conjunction with a `Sync` hook which is presumably handling the deployment in an alternate way (e.g. blue-green deployment) |
-| `PostSync` | Executes after all `Sync` hooks completed and were successful, a succcessful apply, and all resources in a `Healthy` state. |
-| `SyncFail` | Executes if and only if any part of the Sync operation fails. |
+| `Sync`  | Executes after all `PreSync` hooks completed and were successful, at the same time as the apply of the manifests. |
+| `Skip` | Indicates to Argo CD to skip the apply of the manifest. |
+| `PostSync` | Executes after all `Sync` hooks completed and were successful, a successful apply, and all resources in a `Healthy` state. |
+| `SyncFail` | Executes when the sync operation fails. _Available starting in v1.2_ |

+### Generate Name
+
+Named hooks (i.e. ones with `/metadata/name`) will only be created once. If you want a hook to be re-created each time either use `BeforeHookCreation` policy (see below) or `/metadata/generateName`. 

 ## Selective Sync

-Hooks are run during [selective sync](selective_sync.md).
+Hooks are not run during [selective sync](selective_sync.md).

 ## Hook Deletion Policies

@@ -69,6 +67,7 @@ The following policies define when the hook will be deleted.
 |--------|-------------|
 | `HookSucceeded` | The hook resource is deleted after the hook succeeded (e.g. Job/Workflow completed successfully). |
 | `HookFailed` | The hook resource is deleted after the hook failed. |
+| `BeforeHookCreation` | Any existing hook resource is deleted before the new one is created (since v1.3). |

 As an alternative to hook deletion policies, both Jobs and Argo Workflows support the
 [`ttlSecondsAfterFinished`](https://kubernetes.io/docs/concepts/workloads/controllers/ttlafterfinished/)
@@ -78,3 +77,57 @@ field in the spec, which let their respective controllers delete the Job/Workflo
 spec:
  ttlSecondsAfterFinished: 600
 ```
+
+## Using A Hook To Send A Slack Message
+
+The following example uses the Slack API to send a a Slack message when sync completes or fails: 
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  generateName: app-slack-notification-
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+  template:
+    spec:
+      containers:
+      - name: slack-notification
+        image: appropriate/curl
+        command:
+          - "curl"
+          - "-X"
+          - "POST"
+          - "--data-urlencode"
+          - "payload={\"channel\": \"#somechannel\", \"username\": \"hello\", \"text\": \"App Sync succeeded\", \"icon_emoji\": \":ghost:\"}"
+          - "https://hooks.slack.com/services/..."
+      restartPolicy: Never
+  backoffLimit: 2
+```
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  generateName: app-slack-notification-fail-
+  annotations:
+    argocd.argoproj.io/hook: SyncFail
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+spec:
+  template:
+    spec:
+      containers:
+      - name: slack-notification
+        image: appropriate/curl
+        command: 
+          - "curl"
+          - "-X"
+          - "POST"
+          - "--data-urlencode"
+          - "payload={\"channel\": \"#somechannel\", \"username\": \"hello\", \"text\": \"App Sync failed\", \"icon_emoji\": \":ghost:\"}"
+          - "https://hooks.slack.com/services/..."
+      restartPolicy: Never
+  backoffLimit: 2
+  ```
--- a/docs/user-guide/selective_sync.md
+++ b/docs/user-guide/selective_sync.md
@@ -6,4 +6,5 @@ A *selective sync* is one where only some resources are sync'd. You can choose w

 When doing so, bear in mind:

-* Your sync is not recorded in the history, and so rollback is not possible.
+* Your sync is not recorded in the history, and so rollback is not possible.
+* Hooks are not run.
--- a/docs/user-guide/sync_windows.md
+++ b/docs/user-guide/sync_windows.md
@@ -0,0 +1,111 @@
+# Sync Windows
+
+Sync windows are configurable windows of time where syncs will either be blocked or allowed. These are defined
+by a kind, which can be either `allow` or `deny`, a `schedule` in cron format and a duration along with one or 
+more of either `applications`, `namespaces` and `clusters`. Wildcards are supported. These windows affect the running 
+of both manual and automated syncs but allow an override for manual syncs which is useful if you are only interested
+in preventing automated syncs or if you need to temporarily override a window to perform a sync.
+
+The windows work in the following way. If there are no windows matching an application then all syncs are allowed. If there
+are any `allow` windows matching an application then syncs will only be allowed when there ia an active `allow` windows. If there
+are any `deny` windows matching an application then all syncs will be denied when the `deny` windows are active. If there is an
+active matching `allow` and an active matching `deny` then syncs will be denied as `deny` windows override `allow` windows. The
+UI and the CLI will both display the state of the sync windows. The UI has a panel which will display different colours depending
+on the state. The colours are as follows. `Red: sync denied`, `Orange: manual allowed` and `Green: sync allowed`.
+
+To display the sync state using the CLI:
+
+```bash
+argocd app get APP
+```
+
+Which will return the sync state and any matching windows.
+
+```
+Name:               guestbook
+Project:            default
+Server:             in-cluster
+Namespace:          default
+URL:                http://localhost:8080/applications/guestbook
+Repo:               https://github.com/argoproj/argocd-example-apps.git
+Target:
+Path:               guestbook
+SyncWindow:         Sync Denied
+Assigned Windows:   deny:0 2 * * *:1h,allow:0 2 3 3 3:1h
+Sync Policy:        Automated
+Sync Status:        Synced to  (5c2d89b)
+Health Status:      Healthy
+```
+
+Windows can be created using the CLI:
+
+```bash
+argocd proj windows add PROJECT \
+    --kind allow \
+    --schedule "0 22 * * *" \
+    --duration 1h \
+    --applications "*"
+```
+
+Alternatively, they can be created directly in the `AppProject` manifest:
+ 
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: default
+spec:
+  syncWindows:
+  - kind: allow
+    schedule: '10 1 * * *'
+    duration: 1h
+    applications:
+    - '*-prod'
+    manualSync: true
+  - kind: deny
+    schedule: '0 22 * * *'
+    duration: 1h
+    namespaces:
+    - default
+   - kind: allow
+     schedule: '0 23 * * *'
+     duration: 1h
+     clusters:
+     - in-cluster
+     - cluster1
+```
+
+In order to perform a sync when syncs are being prevented by a window, you can configure the window to allow manual syncs
+using the CLI, UI or directly in the `AppProject` manifest:
+
+```bash
+argocd proj windows enable-manual-sync PROJECT ID
+```
+
+To disable
+
+```bash
+argocd proj windows disable-manual-sync PROJECT ID
+```
+
+Windows can be listed using the CLI or viewed in the UI:
+
+```bash
+argocd proj windows list PROJECT
+```
+
+```bash
+ID  STATUS    KIND   SCHEDULE    DURATION  APPLICATIONS  NAMESPACES  CLUSTERS  MANUALSYNC
+0   Active    allow  * * * * *   1h        -             -           prod1     Disabled
+1   Inactive  deny   * * * * 1   3h        -             default     -         Disabled
+2   Inactive  allow  1 2 * * *   1h        prod-*        -           -         Enabled
+3   Active    deny   * * * * *   1h        -             default     -         Disabled
+```
+
+All fields of a window can be updated using either the CLI or UI. The `applications`, `namespaces` and `clusters` fields
+require the update to contain all of the required values. For example if updating the `namespaces` field and it already
+contains default and kube-system then the new value would have to include those in the list. 
+
+```bash
+argocd proj windows update PROJECT ID --namespaces default,kube-system,prod1
+```
--- a/errors/errors.go
+++ b/errors/errors.go
@@ -11,6 +11,10 @@ func CheckError(err error) {
 	}
 }

-func FailOnErr(_ interface{}, err error) {
+// panics if there is an error.
+// This returns the first value so you can use it if you cast it:
+// text := FailOrErr(Foo)).(string)
+func FailOnErr(v interface{}, err error) interface{} {
 	CheckError(err)
+	return v
 }
--- a/examples/dashboard.json
+++ b/examples/dashboard.json
@@ -108,7 +108,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "time() - max(process_start_time_seconds{job=\"argocd-server-metrics\",namespace=~\"$namespace\"})",
+          "expr": "time() - max(process_start_time_seconds{job=\"argocd-server-metrics\",namespace=~\"$namespace\",project=~\"$project\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -138,6 +138,7 @@
        "rgba(237, 129, 40, 0.89)",
        "#d44a3a"
      ],
+      "datasource": "Prometheus",
      "format": "none",
      "gauge": {
        "maxValue": 100,
@@ -217,6 +218,7 @@
      "bars": false,
      "cacheTimeout": null,
      "dashLength": 10,
+      "datasource": "Prometheus",
      "dashes": false,
      "fill": 0,
      "gridPos": {
@@ -378,7 +380,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "sum(argocd_app_health_status{health_status=\"Healthy\",namespace=~\"$namespace\"} == 1)",
+          "expr": "sum(argocd_app_health_status{health_status=\"Healthy\",namespace=~\"$namespace\",project=~\"$project\"} == 1)",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -539,7 +541,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "sum(argocd_app_health_status{health_status=\"Suspended\",namespace=~\"$namespace\"})",
+          "expr": "sum(argocd_app_health_status{health_status=\"Suspended\",namespace=~\"$namespace\",project=~\"$project\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -619,7 +621,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "sum(argocd_app_health_status{health_status=\"Degraded\",namespace=~\"$namespace\"})",
+          "expr": "sum(argocd_app_health_status{health_status=\"Degraded\",namespace=~\"$namespace\",project=~\"$project\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -699,7 +701,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "sum(argocd_app_health_status{health_status=\"Missing\",namespace=~\"$namespace\"})",
+          "expr": "sum(argocd_app_health_status{health_status=\"Missing\",namespace=~\"$namespace\",project=~\"$project\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -779,7 +781,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "sum(argocd_app_health_status{health_status=\"Unknown\",namespace=~\"$namespace\"})",
+          "expr": "sum(argocd_app_health_status{health_status=\"Unknown\",namespace=~\"$namespace\",project=~\"$project\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -820,6 +822,7 @@
        "rgba(237, 129, 40, 0.89)",
        "#299c46"
      ],
+      "datasource": "Prometheus",
      "format": "none",
      "gauge": {
        "maxValue": 100,
@@ -871,7 +874,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "sum(argocd_app_sync_status{sync_status=\"Synced\",namespace=~\"$namespace\"})",
+          "expr": "sum(argocd_app_sync_status{sync_status=\"Synced\",namespace=~\"$namespace\",project=~\"$project\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -899,6 +902,7 @@
        "#F2495C",
        "#F2495C"
      ],
+      "datasource": "Prometheus",
      "format": "none",
      "gauge": {
        "maxValue": 100,
@@ -950,7 +954,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "sum(argocd_app_sync_status{sync_status=\"OutOfSync\",namespace=~\"$namespace\"})",
+          "expr": "sum(argocd_app_sync_status{sync_status=\"OutOfSync\",namespace=~\"$namespace\",project=~\"$project\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -1030,7 +1034,7 @@
      "tableColumn": "",
      "targets": [
        {
-          "expr": "sum(argocd_app_sync_status{sync_status=\"Unknown\",namespace=~\"$namespace\"})",
+          "expr": "sum(argocd_app_sync_status{sync_status=\"Unknown\",namespace=~\"$namespace\",project=~\"$project\"})",
          "format": "time_series",
          "intervalFactor": 1,
          "refId": "A"
@@ -1067,6 +1071,7 @@
      "bars": false,
      "dashLength": 10,
      "dashes": false,
+      "datasource": "Prometheus",
      "fill": 1,
      "gridPos": {
        "h": 5,
@@ -1158,6 +1163,7 @@
      "bars": false,
      "dashLength": 10,
      "dashes": false,
+      "datasource": "Prometheus",
      "fill": 1,
      "gridPos": {
        "h": 5,
@@ -1192,7 +1198,7 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "sum(changes(argocd_app_sync_total{namespace=~\"$namespace\",phase=~\"Error|Failed\"}[5m])) by (namespace, phase)",
+          "expr": "sum(changes(argocd_app_sync_total{namespace=~\"$namespace\",phase=~\"Error|Failed\",project=~\"$project\"}[5m])) by (namespace, phase, project)",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "{{namespace}} {{phase}}",
@@ -1246,6 +1252,7 @@
      "bars": false,
      "dashLength": 10,
      "dashes": false,
+      "datasource": "Prometheus",
      "fill": 1,
      "gridPos": {
        "h": 8,
@@ -1278,7 +1285,7 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "sum(increase(argocd_app_reconcile_count{namespace=~\"$namespace\"}[10m])) by (namespace)",
+          "expr": "sum(increase(argocd_app_reconcile_count{namespace=~\"$namespace\", project=~\"$project\"}[10m])) by (namespace, project)",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "{{namespace}}",
@@ -1331,6 +1338,7 @@
      "bars": false,
      "dashLength": 10,
      "dashes": false,
+      "datasource": "Prometheus",
      "fill": 1,
      "gridPos": {
        "h": 8,
@@ -1363,7 +1371,7 @@
      "steppedLine": false,
      "targets": [
        {
-          "expr": "sum(increase(argocd_app_k8s_request_total{namespace=~\"$namespace\"}[5m])) by (namespace)",
+          "expr": "sum(increase(argocd_app_k8s_request_total{namespace=~\"$namespace\",project=~\"$project\"}[5m])) by (namespace, project)",
          "format": "time_series",
          "intervalFactor": 1,
          "legendFormat": "{{namespace}}",
@@ -1424,6 +1432,7 @@
        "mode": "spectrum"
      },
      "dataFormat": "tsbuckets",
+      "datasource": "Prometheus",
      "gridPos": {
        "h": 9,
        "w": 24,
@@ -1441,7 +1450,7 @@
      "reverseYBuckets": false,
      "targets": [
        {
-          "expr": "sum(increase(argocd_app_reconcile_bucket{namespace=~\"$namespace\"}[10m])) by (le)",
+          "expr": "sum(increase(argocd_app_reconcile_bucket{namespace=~\"$namespace\",project=~\"$project\"}[10m])) by (le)",
          "format": "heatmap",
          "intervalFactor": 5,
          "legendFormat": "{{le}}",
@@ -2783,6 +2792,7 @@
      "bars": false,
      "dashLength": 10,
      "dashes": false,
+      "datasource": "Prometheus",
      "fill": 1,
      "gridPos": {
        "h": 8,
@@ -2866,6 +2876,7 @@
      "bars": false,
      "dashLength": 10,
      "dashes": false,
+      "datasource": "Prometheus",
      "fill": 1,
      "gridPos": {
        "h": 8,
@@ -2975,6 +2986,33 @@
        "tagsQuery": "",
        "type": "query",
        "useTags": false
+      },
+      {
+        "allValue": ".*",
+        "current": {
+          "text": "All",
+          "value": [
+            "$__all"
+          ]
+        },
+        "datasource": "Prometheus",
+        "definition": "label_values(argocd_app_health_status, project)",
+        "hide": 0,
+        "includeAll": true,
+        "label": null,
+        "multi": true,
+        "name": "project",
+        "options": [],
+        "query": "label_values(argocd_app_health_status, project)",
+        "refresh": 1,
+        "regex": "",
+        "skipUrlSync": false,
+        "sort": 0,
+        "tagValuesQuery": "",
+        "tags": [],
+        "tagsQuery": "",
+        "type": "query",
+        "useTags": false
      }
    ]
  },
@@ -3010,5 +3048,5 @@
  "timezone": "",
  "title": "ArgoCD",
  "uid": "BjWwX3jik",
-  "version": 4
+  "version": 5
 }
--- a/hack/Dockerfile.dev-tools
+++ b/hack/Dockerfile.dev-tools
@@ -1,60 +1,17 @@
 FROM golang:1.12.6 as builder

-ENV KUSTOMIZE_VERSION=2.0.3
-RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/kustomize && \
-    kustomize version
+RUN apt-get update && apt-get install -y zip

-ADD . /src
+ADD install.sh .
+ADD installers installers

-WORKDIR /src
-
-RUN GO111MODULE=on go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.0-alpha.2 && \
-    GO111MODULE=on go get github.com/gobuffalo/packr/packr@v1.30.1 && \
-    GO111MODULE=on go get github.com/gogo/protobuf/gogoproto@v1.2.1 && \
-    GO111MODULE=on go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.0-beta.2 && \
-    GO111MODULE=on go get github.com/golang/protobuf/protoc-gen-go@v1.3.1 && \
-    GO111MODULE=on go get github.com/golangci/golangci-lint/cmd/golangci-lint@v1.17.1 && \
-    GO111MODULE=on go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway@v1.9.2 && \
-    GO111MODULE=on go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger@v1.9.2 && \
-    GO111MODULE=on go get github.com/jstemmer/go-junit-report@v0.0.0-20190106144839-af01ea7f8024 && \
-    GO111MODULE=on go get github.com/mattn/goreman@v0.2.1 && \
-    GO111MODULE=on go get golang.org/x/tools/cmd/goimports@v0.0.0-20190627203933-19ff4fff8850
-
-ENV KUSTOMIZE_VERSION=2.0.3
-RUN curl -L -o /usr/local/bin/kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64 && \
-    chmod +x /usr/local/bin/kustomize && \
-    kustomize version
-
-# Install helm
-ENV HELM_VERSION=2.12.1
-RUN wget https://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
-    tar -C /tmp/ -xf helm-v${HELM_VERSION}-linux-amd64.tar.gz && \
-    mv /tmp/linux-amd64/helm /usr/local/bin/helm && \
-    helm version --client
+RUN ./install.sh codegen-tools
+RUN ./install.sh codegen-go-tools

 RUN mkdir -p /home/user && chmod 777 /home/user
 RUN HELM_HOME=/home/user/.helm helm init --client-only

-RUN apt-get update && apt-get install -y \
-    zip && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-RUN curl -sLf -C - -o /tmp/swagger https://github.com/go-swagger/go-swagger/releases/download/v0.19.0/swagger_linux_amd64 && \
-    cp /tmp/swagger /usr/local/bin/swagger && \
-    chmod +x /usr/local/bin/swagger && \
-    swagger version
-
-RUN curl -sLf -C - -o /tmp/protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v3.7.1/protoc-3.7.1-linux-x86_64.zip && \
-    unzip /tmp/protoc.zip bin/protoc -d /usr/local/ && \
-    chmod +x /usr/local/bin/protoc && \
-    unzip /tmp/protoc.zip include/* -d /usr/local/ && \
-    protoc --version
-
-RUN curl -sLf -C - -o /tmp/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
-    cp /tmp/jq /usr/local/bin/jq && \
-    chmod +x /usr/local/bin/jq && \
-    jq --version
-
 RUN mkdir -p /go/pkg && chmod 777 /go/pkg
+
+RUN apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
--- a/hack/generate-proto.sh
+++ b/hack/generate-proto.sh
@@ -100,10 +100,10 @@ collect_swagger() {
 }
 EOF

-    /bin/rm -f "${SWAGGER_OUT}"
+    rm -f "${SWAGGER_OUT}"

-    /usr/bin/find "${SWAGGER_ROOT}" -name '*.swagger.json' -exec /usr/local/bin/swagger mixin -c "${EXPECTED_COLLISIONS}" "${PRIMARY_SWAGGER}" '{}' \+ > "${COMBINED_SWAGGER}"
-    /usr/local/bin/jq -r 'del(.definitions[].properties[]? | select(."$ref"!=null and .description!=null).description) | del(.definitions[].properties[]? | select(."$ref"!=null and .title!=null).title)' "${COMBINED_SWAGGER}" > "${SWAGGER_OUT}"
+    find "${SWAGGER_ROOT}" -name '*.swagger.json' -exec swagger mixin -c "${EXPECTED_COLLISIONS}" "${PRIMARY_SWAGGER}" '{}' \+ > "${COMBINED_SWAGGER}"
+    jq -r 'del(.definitions[].properties[]? | select(."$ref"!=null and .description!=null).description) | del(.definitions[].properties[]? | select(."$ref"!=null and .title!=null).title)' "${COMBINED_SWAGGER}" > "${SWAGGER_OUT}"

    /bin/rm "${PRIMARY_SWAGGER}" "${COMBINED_SWAGGER}"
 }
@@ -111,10 +111,10 @@ EOF
 # clean up generated swagger files (should come after collect_swagger)
 clean_swagger() {
    SWAGGER_ROOT="$1"
-    /usr/bin/find "${SWAGGER_ROOT}" -name '*.swagger.json' -delete
+    find "${SWAGGER_ROOT}" -name '*.swagger.json' -delete
 }

-collect_swagger server 26
+collect_swagger server 35
 clean_swagger server
 clean_swagger reposerver
 clean_swagger controller
--- a/hack/go.mod
+++ b/hack/go.mod
@@ -1,14 +0,0 @@
-module _/tmp
-
-go 1.11
-
-require (
-	github.com/gobuffalo/packr v1.30.1 // indirect
-	github.com/golang/protobuf v1.3.1 // indirect
-	github.com/golangci/golangci-lint v1.17.1 // indirect
-	github.com/grpc-ecosystem/grpc-gateway v1.9.2 // indirect
-	github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 // indirect
-	github.com/mattn/goreman v0.2.1 // indirect
-	golang.org/x/tools v0.0.0-20190627203933-19ff4fff8850 // indirect
-	sigs.k8s.io/controller-tools v0.2.0-beta.2 // indirect
-)
--- a/hack/go.sum
+++ b/hack/go.sum
@@ -1,331 +0,0 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/OpenPeeDeeP/depguard v0.0.0-20180806142446-a69c782687b2 h1:HTOmFEEYrWi4MW5ZKUx6xfeyM10Sx3kQF65xiQJMPYA=
-github.com/OpenPeeDeeP/depguard v0.0.0-20180806142446-a69c782687b2/go.mod h1:7/4sitnI9YlQgTLLk734QlzXT8DuHVnAyztLplQjk+o=
-github.com/StackExchange/wmi v0.0.0-20180116203802-5d049714c4a6/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
-github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
-github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
-github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/fatih/color v1.6.0 h1:66qjqZk8kalYAvDRtM1AdAJQI0tj4Wrue3Eq3B3pmFU=
-github.com/fatih/color v1.6.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
-github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
-github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
-github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-critic/go-critic v0.0.0-20181204210945-1df300866540 h1:7CU1IXBpPvxpQ/NqJrpuMXMHAw+FB2vfqtRF8tgW9fw=
-github.com/go-critic/go-critic v0.0.0-20181204210945-1df300866540/go.mod h1:+sE8vrLDS2M0pZkBk0wy6+nLdKexVDrl/jBqQOTDThA=
-github.com/go-lintpack/lintpack v0.5.2 h1:DI5mA3+eKdWeJ40nU4d6Wc26qmdG8RCi/btYq0TuRN0=
-github.com/go-lintpack/lintpack v0.5.2/go.mod h1:NwZuYi2nUHho8XEIZ6SIxihrnPoqBTDqfpXvXAN0sXM=
-github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
-github.com/go-toolsmith/astcast v1.0.0 h1:JojxlmI6STnFVG9yOImLeGREv8W2ocNUM+iOhR6jE7g=
-github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4=
-github.com/go-toolsmith/astcopy v1.0.0 h1:OMgl1b1MEpjFQ1m5ztEO06rz5CUd3oBv9RF7+DyvdG8=
-github.com/go-toolsmith/astcopy v1.0.0/go.mod h1:vrgyG+5Bxrnz4MZWPF+pI4R8h3qKRjjyvV/DSez4WVQ=
-github.com/go-toolsmith/astequal v0.0.0-20180903214952-dcb477bfacd6/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY=
-github.com/go-toolsmith/astequal v1.0.0 h1:4zxD8j3JRFNyLN46lodQuqz3xdKSrur7U/sr0SDS/gQ=
-github.com/go-toolsmith/astequal v1.0.0/go.mod h1:H+xSiq0+LtiDC11+h1G32h7Of5O3CYFJ99GVbS5lDKY=
-github.com/go-toolsmith/astfmt v0.0.0-20180903215011-8f8ee99c3086/go.mod h1:mP93XdblcopXwlyN4X4uodxXQhldPGZbcEJIimQHrkg=
-github.com/go-toolsmith/astfmt v1.0.0 h1:A0vDDXt+vsvLEdbMFJAUBI/uTbRw1ffOPnxsILnFL6k=
-github.com/go-toolsmith/astfmt v1.0.0/go.mod h1:cnWmsOAuq4jJY6Ct5YWlVLmcmLMn1JUPuQIHCY7CJDw=
-github.com/go-toolsmith/astinfo v0.0.0-20180906194353-9809ff7efb21/go.mod h1:dDStQCHtmZpYOmjRP/8gHHnCCch3Zz3oEgCdZVdtweU=
-github.com/go-toolsmith/astp v0.0.0-20180903215135-0af7e3c24f30/go.mod h1:SV2ur98SGypH1UjcPpCatrV5hPazG6+IfNHbkDXBRrk=
-github.com/go-toolsmith/astp v1.0.0 h1:alXE75TXgcmupDsMK1fRAy0YUzLzqPVvBKoyWV+KPXg=
-github.com/go-toolsmith/astp v1.0.0/go.mod h1:RSyrtpVlfTFGDYRbrjyWP1pYu//tSFcvdYrA8meBmLI=
-github.com/go-toolsmith/pkgload v0.0.0-20181119091011-e9e65178eee8/go.mod h1:WoMrjiy4zvdS+Bg6z9jZH82QXwkcgCBX6nOfnmdaHks=
-github.com/go-toolsmith/pkgload v1.0.0/go.mod h1:5eFArkbO80v7Z0kdngIxsRXRMTaX4Ilcwuh3clNrQJc=
-github.com/go-toolsmith/strparse v1.0.0 h1:Vcw78DnpCAKlM20kSbAyO4mPfJn/lyYA4BJUDxe2Jb4=
-github.com/go-toolsmith/strparse v1.0.0/go.mod h1:YI2nUKP9YGZnL/L1/DLFBfixrcjslWct4wyljWhSRy8=
-github.com/go-toolsmith/typep v1.0.0 h1:zKymWyA1TRYvqYrYDrfEMZULyrhcnGY3x7LDKU2XQaA=
-github.com/go-toolsmith/typep v1.0.0/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2Ns5AIQkATU=
-github.com/gobuffalo/envy v1.6.5/go.mod h1:N+GkhhZ/93bGZc6ZKhJLP6+m+tCNPKwgSpH9kaifseQ=
-github.com/gobuffalo/envy v1.6.15 h1:OsV5vOpHYUpP7ZLS6sem1y40/lNX1BZj+ynMiRi21lQ=
-github.com/gobuffalo/envy v1.6.15/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
-github.com/gobuffalo/envy v1.7.0 h1:GlXgaiBkmrYMHco6t4j7SacKO4XUjvh5pwXh0f4uxXU=
-github.com/gobuffalo/envy v1.7.0/go.mod h1:n7DRkBerg/aorDM8kbduw5dN3oXGswK5liaSCx4T5NI=
-github.com/gobuffalo/logger v1.0.0 h1:xw9Ko9EcC5iAFprrjJ6oZco9UpzS5MQ4jAwghsLHdy4=
-github.com/gobuffalo/logger v1.0.0/go.mod h1:2zbswyIUa45I+c+FLXuWl9zSWEiVuthsk8ze5s8JvPs=
-github.com/gobuffalo/packd v0.3.0 h1:eMwymTkA1uXsqxS0Tpoop3Lc0u3kTfiMBE6nKtQU4g4=
-github.com/gobuffalo/packd v0.3.0/go.mod h1:zC7QkmNkYVGKPw4tHpBQ+ml7W/3tIebgeo1b36chA3Q=
-github.com/gobuffalo/packr v1.30.1 h1:hu1fuVR3fXEZR7rXNW3h8rqSML8EVAf6KNm0NKO/wKg=
-github.com/gobuffalo/packr v1.30.1/go.mod h1:ljMyFO2EcrnzsHsN99cvbq055Y9OhRrIaviy289eRuk=
-github.com/gobuffalo/packr/v2 v2.5.1 h1:TFOeY2VoGamPjQLiNDT3mn//ytzk236VMO2j7iHxJR4=
-github.com/gobuffalo/packr/v2 v2.5.1/go.mod h1:8f9c96ITobJlPzI44jj+4tHnEKNt0xXWSVlXRN9X1Iw=
-github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
-github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
-github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
-github.com/gogo/protobuf v1.2.1 h1:/s5zKNz0uPFCZ5hddgPdo2TK2TVrUNMn0OOX8/aZMTE=
-github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/mock v1.0.0 h1:HzcpUG60pfl43n9d2qbdi/3l1uKpAmxlfWEPWtV/QxM=
-github.com/golang/mock v1.0.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.1.1 h1:G5FRp8JnTd7RQH5kemVNlMeyXQAztQ3mOWV95KxsXH8=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/protobuf v1.2.0 h1:P3YflyNX/ehuJFLhxviNdFxQPkGK5cDcApsge1SqnvM=
-github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1 h1:YF8+flBXS5eO826T4nzqPrxfhQThhXl0YzfuUPu4SBg=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2 h1:23T5iq8rbUYlhpt5DB4XJkc6BU31uODLD1o1gKvZmD0=
-github.com/golangci/check v0.0.0-20180506172741-cfe4005ccda2/go.mod h1:k9Qvh+8juN+UKMCS/3jFtGICgW8O96FVaZsaxdzDkR4=
-github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a h1:w8hkcTqaFpzKqonE9uMCefW1WDie15eSP/4MssdenaM=
-github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a/go.mod h1:ryS0uhF+x9jgbj/N71xsEqODy9BN81/GonCZiOzirOk=
-github.com/golangci/errcheck v0.0.0-20181003203344-ef45e06d44b6 h1:i2jIkQFb8RG45DuQs+ElyROY848cSJIoIkBM+7XXypA=
-github.com/golangci/errcheck v0.0.0-20181003203344-ef45e06d44b6/go.mod h1:DbHgvLiFKX1Sh2T1w8Q/h4NAI8MHIpzCdnBUDTXU3I0=
-github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613 h1:9kfjN3AdxcbsZBf8NjltjWihK2QfBBBZuv91cMFfDHw=
-github.com/golangci/go-misc v0.0.0-20180628070357-927a3d87b613/go.mod h1:SyvUF2NxV+sN8upjjeVYr5W7tyxaT1JVtvhKhOn2ii8=
-github.com/golangci/go-tools v0.0.0-20180109140146-af6baa5dc196 h1:9rtVlONXLF1rJZzvLt4tfOXtnAFUEhxCJ64Ibzj6ECo=
-github.com/golangci/go-tools v0.0.0-20180109140146-af6baa5dc196/go.mod h1:unzUULGw35sjyOYjUt0jMTXqHlZPpPc6e+xfO4cd6mM=
-github.com/golangci/goconst v0.0.0-20180610141641-041c5f2b40f3 h1:pe9JHs3cHHDQgOFXJJdYkK6fLz2PWyYtP4hthoCMvs8=
-github.com/golangci/goconst v0.0.0-20180610141641-041c5f2b40f3/go.mod h1:JXrF4TWy4tXYn62/9x8Wm/K/dm06p8tCKwFRDPZG/1o=
-github.com/golangci/gocyclo v0.0.0-20180528134321-2becd97e67ee h1:J2XAy40+7yz70uaOiMbNnluTg7gyQhtGqLQncQh+4J8=
-github.com/golangci/gocyclo v0.0.0-20180528134321-2becd97e67ee/go.mod h1:ozx7R9SIwqmqf5pRP90DhR2Oay2UIjGuKheCBCNwAYU=
-github.com/golangci/gofmt v0.0.0-20181105071733-0b8337e80d98 h1:ir6/L2ZOJfFrJlOTsuf/hlzdPuUwXV/VzkSlgS6f1vs=
-github.com/golangci/gofmt v0.0.0-20181105071733-0b8337e80d98/go.mod h1:9qCChq59u/eW8im404Q2WWTrnBUQKjpNYKMbU4M7EFU=
-github.com/golangci/golangci-lint v1.17.1 h1:lc8Hf9GPCjIr0hg3S/xhvFT1+Hydass8F1xchr8jkME=
-github.com/golangci/golangci-lint v1.17.1/go.mod h1:+5sJSl2h3aly+fpmL2meSP8CaSKua2E4Twi9LPy7b1g=
-github.com/golangci/gosec v0.0.0-20180901114220-66fb7fc33547 h1:qMomh8bv+kDazm1dSLZ9S3zZ2PJZMHL4ilfBjxFOlmI=
-github.com/golangci/gosec v0.0.0-20180901114220-66fb7fc33547/go.mod h1:0qUabqiIQgfmlAmulqxyiGkkyF6/tOGSnY2cnPVwrzU=
-github.com/golangci/ineffassign v0.0.0-20180808204949-42439a7714cc h1:XRFao922N8F3EcIXBSNX8Iywk+GI0dxD/8FicMX2D/c=
-github.com/golangci/ineffassign v0.0.0-20180808204949-42439a7714cc/go.mod h1:e5tpTHCfVze+7EpLEozzMB3eafxo2KT5veNg1k6byQU=
-github.com/golangci/lint-1 v0.0.0-20180610141402-ee948d087217 h1:r7vyX+SN24x6+5AnpnrRn/bdwBb7U+McZqCHOVtXDuk=
-github.com/golangci/lint-1 v0.0.0-20180610141402-ee948d087217/go.mod h1:66R6K6P6VWk9I95jvqGxkqJxVWGFy9XlDwLwVz1RCFg=
-github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca h1:kNY3/svz5T29MYHubXix4aDDuE3RWHkPvopM/EDv/MA=
-github.com/golangci/maligned v0.0.0-20180506175553-b1d89398deca/go.mod h1:tvlJhZqDe4LMs4ZHD0oMUlt9G2LWuDGoisJTBzLMV9o=
-github.com/golangci/misspell v0.0.0-20180809174111-950f5d19e770 h1:EL/O5HGrF7Jaq0yNhBLucz9hTuRzj2LdwGBOaENgxIk=
-github.com/golangci/misspell v0.0.0-20180809174111-950f5d19e770/go.mod h1:dEbvlSfYbMQDtrpRMQU675gSDLDNa8sCPPChZ7PhiVA=
-github.com/golangci/prealloc v0.0.0-20180630174525-215b22d4de21 h1:leSNB7iYzLYSSx3J/s5sVf4Drkc68W2wm4Ixh/mr0us=
-github.com/golangci/prealloc v0.0.0-20180630174525-215b22d4de21/go.mod h1:tf5+bzsHdTM0bsB7+8mt0GUMvjCgwLpTapNZHU8AajI=
-github.com/golangci/revgrep v0.0.0-20180526074752-d9c87f5ffaf0 h1:HVfrLniijszjS1aiNg8JbBMO2+E1WIQ+j/gL4SQqGPg=
-github.com/golangci/revgrep v0.0.0-20180526074752-d9c87f5ffaf0/go.mod h1:qOQCunEYvmd/TLamH+7LlVccLvUH5kZNhbCgTHoBbp4=
-github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4 h1:zwtduBRr5SSWhqsYNgcuWO2kFlpdOZbP0+yRjmvPGys=
-github.com/golangci/unconvert v0.0.0-20180507085042-28b1c447d1f4/go.mod h1:Izgrg8RkN3rCIMLGE9CyYmU9pY2Jer6DgANEnZ/L/cQ=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf h1:+RRA9JqSOZFfKrOeqr2z77+8R2RKyh8PG66dcu1V0ck=
-github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
-github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3 h1:JVnpOZS+qxli+rgVl98ILOXVNbW+kb5wcxeGx8ShUIw=
-github.com/gostaticanalysis/analysisutil v0.0.0-20190318220348-4088753ea4d3/go.mod h1:eEOZF4jCKGi+aprrirO9e7WKB3beBRtWgqGunKl6pKE=
-github.com/grpc-ecosystem/grpc-gateway v1.9.2 h1:S+ef0492XaIknb8LMjcwgW2i3cNTzDYMmDrOThOJNWc=
-github.com/grpc-ecosystem/grpc-gateway v1.9.2/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
-github.com/hashicorp/hcl v0.0.0-20180404174102-ef8a98b0bbce/go.mod h1:oZtUIOe8dh44I2q6ScRibXws4Ajl+d+nod3AaR9vL5w=
-github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
-github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
-github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
-github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024 h1:rBMNdlhTLzJjJSDIjNEXX1Pz3Hmwmz91v+zycvx9PJc=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/karrick/godirwalk v1.10.12 h1:BqUm+LuJcXjGv1d2mj3gBiQyrQ57a0rYoAmhvJQ7RDU=
-github.com/karrick/godirwalk v1.10.12/go.mod h1:RoGL9dQei4vP9ilrpETWE8CLOZ1kiN0LhBygSwrAsHA=
-github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
-github.com/kisielk/gotool v0.0.0-20161130080628-0de1eaf82fa3/go.mod h1:jxZFDH7ILpTPQTk+E2s+z4CUas9lVNjIuKR4c5/zKgM=
-github.com/kisielk/gotool v1.0.0 h1:AV2c/EiW3KqPNT9ZKl07ehoAGi4C5/01Cfbblndcapg=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.4.0/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A=
-github.com/klauspost/cpuid v0.0.0-20180405133222-e7e905edc00e/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
-github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
-github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
-github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
-github.com/magiconair/properties v1.7.6/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/magiconair/properties v1.8.0 h1:LLgXmsheXeRoUOBOjtwPQCWIYqM/LU1ayDtDePerRcY=
-github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
-github.com/markbates/inflect v1.0.4 h1:5fh1gzTFhfae06u3hzHYO9xe3l3v3nW5Pwt3naLTP5g=
-github.com/markbates/inflect v1.0.4/go.mod h1:1fR9+pO2KHEO9ZRtto13gDwwZaAKstQzferVeWqbgNs=
-github.com/mattn/go-colorable v0.0.9 h1:UVL0vNpWh04HeJXV0KLcaT7r06gOH2l4OW6ddYRUIY4=
-github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
-github.com/mattn/go-isatty v0.0.3 h1:ns/ykhmWi7G9O+8a448SecJU3nSMBXJfqQkl0upE1jI=
-github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/go-isatty v0.0.4 h1:bnP0vzxcAdeI1zdubAl5PjU6zsERjGZb7raWodagDYs=
-github.com/mattn/go-isatty v0.0.4/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4=
-github.com/mattn/goreman v0.2.1 h1:6Kdjka0uWKsVM5t4d9UqzzIm2jcPJIP7QWu0ByKvlDE=
-github.com/mattn/goreman v0.2.1/go.mod h1:8HCyYaC38XwX0AOu0+fuY02Y5Z7CkITW0oVJavbna4Q=
-github.com/mattn/goveralls v0.0.2/go.mod h1:8d1ZMHsd7fW6IRPKQh46F2WRpyib5/X4FOpevwGNQEw=
-github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
-github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/mitchellh/go-ps v0.0.0-20170309133038-4fdf99ab2936/go.mod h1:r1VsdOzOPt1ZSrGZWFoNhsAedKnEd6r9Np1+5blZCWk=
-github.com/mitchellh/mapstructure v0.0.0-20180220230111-00c29f56e238/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
-github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/mozilla/tls-observatory v0.0.0-20180409132520-8791a200eb40/go.mod h1:SrKMQvPiws7F7iqYp8/TX+IhxCYhzr6N/1yb8cwHsGk=
-github.com/nbutton23/zxcvbn-go v0.0.0-20160627004424-a22cb81b2ecd/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU=
-github.com/nbutton23/zxcvbn-go v0.0.0-20171102151520-eafdab6b0663 h1:Ri1EhipkbhWsffPJ3IPlrb4SkTOPa2PfRXp3jchBczw=
-github.com/nbutton23/zxcvbn-go v0.0.0-20171102151520-eafdab6b0663/go.mod h1:o96djdrsSGy3AWPyBgZMAGfxZNfgntdJG+11KU4QvbU=
-github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo v1.8.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
-github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/pelletier/go-toml v1.1.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
-github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
-github.com/pkg/errors v0.8.0 h1:WdK/asTD0HN+q6hsWO3/vpuAkAr+tw6aNJNDFFf0+qw=
-github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI=
-github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
-github.com/rogpeppe/go-internal v1.1.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.2.2 h1:J7U/N7eRtzjhs26d6GqMh2HBuXP8/Z64Densiiieafo=
-github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.3.0 h1:RR9dF3JtopPvtkroDZuVD7qquD0bnHlKSqaQhgwt8yk=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
-github.com/ryanuber/go-glob v0.0.0-20170128012129-256dc444b735/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc=
-github.com/shirou/gopsutil v0.0.0-20180427012116-c95755e4bcd7/go.mod h1:5b4v6he4MtMOwMlS0TUMTu2PcXUg8+E1lC7eC3UO/RA=
-github.com/shirou/w32 v0.0.0-20160930032740-bb4de0191aa4/go.mod h1:qsXQc7+bwAM3Q1u/4XEfrquwF8Lw7D7y5cD8CuHnfIc=
-github.com/shurcooL/go v0.0.0-20180423040247-9e1955d9fb6e/go.mod h1:TDJrrUr11Vxrven61rcy3hJMUqaf/CLWYhHNPmT14Lk=
-github.com/shurcooL/go-goon v0.0.0-20170922171312-37c2f522c041/go.mod h1:N5mDOmsrJOB+vfqUK+7DmDyjhSLIIBnXo9lvZJj3MWQ=
-github.com/sirupsen/logrus v1.0.5/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
-github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
-github.com/sourcegraph/go-diff v0.5.1 h1:gO6i5zugwzo1RVTvgvfwCOSVegNuvnNi6bAD1QCmkHs=
-github.com/sourcegraph/go-diff v0.5.1/go.mod h1:j2dHj3m8aZgQO8lMTcTnBcXkRRRqi34cd2MNlA9u1mE=
-github.com/spf13/afero v1.1.0/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI=
-github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
-github.com/spf13/cast v1.2.0/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
-github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8=
-github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cobra v0.0.2/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8=
-github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s=
-github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
-github.com/spf13/jwalterweatherman v0.0.0-20180109140146-7c0cea34c8ec/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk=
-github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
-github.com/spf13/pflag v1.0.1/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/viper v1.0.2/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=
-github.com/spf13/viper v1.3.2 h1:VUFqw5KcqRf7i70GOzW7N+Q7+gxVBkSSqiXB12+JQ4M=
-github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
-github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/timakin/bodyclose v0.0.0-20190407043127-4a873e97b2bb h1:lI9ufgFfvuqRctP9Ny8lDDLbSWCMxBPletcSqrnyFYM=
-github.com/timakin/bodyclose v0.0.0-20190407043127-4a873e97b2bb/go.mod h1:Qimiffbc6q9tBWlVV6x0P9sat/ao1xEkREYPPj9hphk=
-github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
-github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.2.0/go.mod h1:4vX61m6KN+xDduDNwXrhIAVZaZaZiQ1luJk8LWSxF3s=
-github.com/valyala/quicktemplate v1.1.1/go.mod h1:EH+4AkTd43SvgIbQHYu59/cJyxDoOVRUAfrukLPuGJ4=
-github.com/valyala/tcplisten v0.0.0-20161114210144-ceec8f93295a/go.mod h1:v3UYOV9WzVtRmSR+PDvWpU/qWl4Wa5LApYYX4ZtKbio=
-github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
-golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
-golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190313024323-a1f597ede03a/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4 h1:ydJNl0ENAG67pFbB+9tfhiL2pYqLhfoaZFw/cjLhY4A=
-golang.org/x/crypto v0.0.0-20190621222207-cc06ce4a13d4/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/net v0.0.0-20170915142106-8351a756f30f/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180911220305-26e67e76b6c3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190313220215-9f648a60d977/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09 h1:KaQtG+aDELoNmXYas3TVkGNYRuq8JQ1aa7LJt8EXVyo=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58 h1:8gQV6CLnAEikrhgkHFbMAEhagSSnXWGV915qUMm9mrU=
-golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sys v0.0.0-20171026204733-164713f0dfce/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20180925112736-b09afc3d579e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20181205085412-a5c9d58dba9a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190429190828-d89cdac9e872/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190515120540-06a5c4944438 h1:khxRGsvPk4n2y8I/mLLjp7e5dMTJmH75wvqS6nMwUtY=
-golang.org/x/sys v0.0.0-20190515120540-06a5c4944438/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.0.0-20170915090833-1cbadb444a80/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
-golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/tools v0.0.0-20170915040203-e531a2a1c15f/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20181117154741-2ddaf7f79a09/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190110163146-51295c7ec13a/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190121143147-24cd39ecf745/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190311215038-5c2858a9cfe5/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190322203728-c1a832b0ad89/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190501045030-23463209683d h1:D7DVZUZEUgsSIDTivnUtVeGfN5AvhDIKtdIZAqx0ieE=
-golang.org/x/tools v0.0.0-20190501045030-23463209683d/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190521203540-521d6ed310dd/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190624180213-70d37148ca0c h1:KfpJVdWhuRqNk4XVXzjXf2KAV4TBEP77SYdFGjeGuIE=
-golang.org/x/tools v0.0.0-20190624180213-70d37148ca0c/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190627203933-19ff4fff8850 h1:fA72gpMxsjJw+HAMdKku/cilEAHBQ9yEhmYkRO3wzyM=
-golang.org/x/tools v0.0.0-20190627203933-19ff4fff8850/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190627220010-94c5763a7c84 h1:1uDU8V+48dIbLhClJHiB9XfbmbbJ8h7DFqeIdQTFC68=
-golang.org/x/tools v0.0.0-20190627220010-94c5763a7c84/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8 h1:Nw54tB0rB7hY/N0NQvRW8DG4Yk3Q6T9cu9RcFQDu1tc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
-gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
-gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
-gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
-gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
-gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
-gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
-gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-k8s.io/api v0.0.0-20190222213804-5cb15d344471/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
-k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b h1:aBGgKJUM9Hk/3AE8WaZIApnTxG35kbuQba2w+SXqezo=
-k8s.io/api v0.0.0-20190409021203-6e4e0e4f393b/go.mod h1:iuAfoD4hCxJ8Onx9kaTIt30j7jUFS00AXQi6QMi99vA=
-k8s.io/apiextensions-apiserver v0.0.0-20190228180357-d002e88f6236/go.mod h1:IxkesAMoaCRoLrPJdZNZUQp9NfZnzqaVzLhb2VEQzXE=
-k8s.io/apiextensions-apiserver v0.0.0-20190409022649-727a075fdec8 h1:q1Qvjzs/iEdXF6A1a8H3AKVFDzJNcJn3nXMs6R6qFtA=
-k8s.io/apiextensions-apiserver v0.0.0-20190409022649-727a075fdec8/go.mod h1:IxkesAMoaCRoLrPJdZNZUQp9NfZnzqaVzLhb2VEQzXE=
-k8s.io/apimachinery v0.0.0-20190221213512-86fb29eff628/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
-k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d h1:Jmdtdt1ZnoGfWWIIik61Z7nKYgO3J+swQJtPYsP9wHA=
-k8s.io/apimachinery v0.0.0-20190404173353-6a84e37a896d/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0=
-k8s.io/klog v0.2.0 h1:0ElL0OHzF3N+OhoJTL0uca20SxtYt4X4+bzHeqrB83c=
-k8s.io/klog v0.2.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
-mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed h1:WX1yoOaKQfddO/mLzdV4wptyWgoH/6hwLs7QHTixo0I=
-mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
-mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b h1:DxJ5nJdkhDlLok9K6qO+5290kphDJbHOQO1DFFFTeBo=
-mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
-mvdan.cc/unparam v0.0.0-20190124213536-fbb59629db34 h1:B1LAOfRqg2QUyCdzfjf46quTSYUTAK5OCwbh6pljHbM=
-mvdan.cc/unparam v0.0.0-20190124213536-fbb59629db34/go.mod h1:H6SUd1XjIs+qQCyskXg5OFSrilMRUkD8ePJpHKDPaeY=
-sigs.k8s.io/controller-tools v0.2.0-alpha.1 h1:WAFYSisW4Nmp/WPCs40FfkmGMglf+QauHB8mWPpYqxM=
-sigs.k8s.io/controller-tools v0.2.0-alpha.1/go.mod h1:iog+z/LWZwDaOb2rfxUBZsTTPbloVgyVdXMye0kg8H8=
-sigs.k8s.io/controller-tools v0.2.0-alpha.2 h1:zrVHUPo3BCiC82uWbY7upoH88y7GScDyO+iQKXc1wCE=
-sigs.k8s.io/controller-tools v0.2.0-alpha.2/go.mod h1:gC5UAnK1jbxWnDaqTi0yxKIsRsRwshzeRtTUGbM9vos=
-sigs.k8s.io/controller-tools v0.2.0-beta.2 h1:ucniFzEuW7PFfFDuUxacdY4Fy4q065wPguVl+BE2/t0=
-sigs.k8s.io/controller-tools v0.2.0-beta.2/go.mod h1:gC5UAnK1jbxWnDaqTi0yxKIsRsRwshzeRtTUGbM9vos=
-sigs.k8s.io/yaml v1.1.0 h1:4A07+ZFc2wgJwo8YNlQpr1rVlgUDlxXHhPJciaPY5gs=
-sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
-sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4 h1:JPJh2pk3+X4lXAkZIk2RuE/7/FoK9maXw+TNPJhVS/c=
-sourcegraph.com/sqs/pbtypes v0.0.0-20180604144634-d3ebe8f20ae4/go.mod h1:ketZ/q3QxT9HOBeFhu6RdvsftgpsbFHBF5Cas6cDKZ0=
--- a/hack/install.sh
+++ b/hack/install.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -eux -o pipefail
+
+export DOWNLOADS=/tmp/dl
+export BIN=${BIN:-/usr/local/bin}
+
+mkdir -p $DOWNLOADS
+
+for product in $*; do
+  "$(dirname $0)/installers/install-${product}.sh"
+done
--- a/hack/installers/install-aws-iam-authenticator-linux.sh
+++ b/hack/installers/install-aws-iam-authenticator-linux.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -eux -o pipefail
+
+AWS_IAM_AUTHENTICATOR_VERSION=0.4.0-alpha.1
+[ -e $DOWNLOADS/aws-iam-authenticator ] || curl -sLf --retry 3 -o $DOWNLOADS/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/${AWS_IAM_AUTHENTICATOR_VERSION}/aws-iam-authenticator_${AWS_IAM_AUTHENTICATOR_VERSION}_linux_amd64
+cp $DOWNLOADS/aws-iam-authenticator $BIN/
+chmod +x $BIN/aws-iam-authenticator
+aws-iam-authenticator version
--- a/hack/installers/install-codegen-go-tools.sh
+++ b/hack/installers/install-codegen-go-tools.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -eux -o pipefail
+
+mkdir -p $DOWNLOADS/codegen-tools
+cd $DOWNLOADS/codegen-tools
+
+GO111MODULE=on go get github.com/gogo/protobuf/gogoproto@v1.2.1
+GO111MODULE=on go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.0-beta.2
+GO111MODULE=on go get github.com/golang/protobuf/protoc-gen-go@v1.3.1
+GO111MODULE=on go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway@v1.9.2
+GO111MODULE=on go get github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger@v1.9.2
+GO111MODULE=on go get golang.org/x/tools/cmd/goimports@v0.0.0-20190627203933-19ff4fff8850
--- a/hack/installers/install-codegen-tools.sh
+++ b/hack/installers/install-codegen-tools.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -eux -o pipefail
+
+KUSTOMIZE_VERSION=2.0.3 "$(dirname $0)/../install.sh" helm-linux jq-linux kustomize-linux protoc-linux swagger-linux
--- a/hack/installers/install-dep-linux.sh
+++ b/hack/installers/install-dep-linux.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -eux -o pipefail
+
+[ -e $DOWNLOADS/dep ] || curl -sLf --retry 3 -o $DOWNLOADS/dep https://github.com/golang/dep/releases/download/v0.5.3/dep-linux-amd64
+cp $DOWNLOADS/dep $BIN/
+chmod +x $BIN/dep
+dep version
--- a/hack/installers/install-helm-linux.sh
+++ b/hack/installers/install-helm-linux.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -eux -o pipefail
+
+[ -e $DOWNLOADS/helm.tar.gz ] || curl -sLf --retry 3 -o $DOWNLOADS/helm.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v2.15.2-linux-amd64.tar.gz
+tar -C /tmp/ -xf $DOWNLOADS/helm.tar.gz
+cp /tmp/linux-amd64/helm $BIN/helm
+helm version --client
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .1.2
 .3.6