Bump version to 2.0.2

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

VERSION

@@ -1 +1 @@
-2.0.0
+2.0.2

controller/appcontroller.go

@@ -413,11 +413,13 @@ func (ctrl *ApplicationController) getAppHosts(a *appv1.Application, appNodes []
 			appPods[kube.NewResourceKey(node.Group, node.Kind, node.Namespace, node.Name)] = true
 		}
 	}
+
 	allNodesInfo := map[string]statecache.NodeInfo{}
 	allPodsByNode := map[string][]statecache.PodInfo{}
 	appPodsByNode := map[string][]statecache.PodInfo{}
 	err := ctrl.stateCache.IterateResources(a.Spec.Destination.Server, func(res *clustercache.Resource, info *statecache.ResourceInfo) {
 		key := res.ResourceKey()
+
 		switch {
 		case info.NodeInfo != nil && key.Group == "" && key.Kind == "Node":
 			allNodesInfo[key.Name] = *info.NodeInfo
@@ -464,7 +466,7 @@ func (ctrl *ApplicationController) getAppHosts(a *appv1.Application, appNodes []
 
 		for _, pod := range neighbors {
 			for name, resource := range pod.ResourceRequests {
-				if !supportedResourceNames[name] {
+				if !supportedResourceNames[name] || pod.Phase == v1.PodSucceeded || pod.Phase == v1.PodFailed {
 					continue
 				}
 				info := resources[name]

controller/cache/cache.go

@@ -56,6 +56,7 @@ type ObjectUpdatedHandler = func(managedByApp map[string]bool, ref v1.ObjectRefe
 type PodInfo struct {
 	NodeName         string
 	ResourceRequests v1.ResourceList
+	Phase            v1.PodPhase
 }
 
 type NodeInfo struct {

controller/cache/info.go

@@ -324,7 +324,7 @@ func populatePodInfo(un *unstructured.Unstructured, res *ResourceInfo) {
 	}
 
 	req, _ := resourcehelper.PodRequestsAndLimits(&pod)
-	res.PodInfo = &PodInfo{NodeName: pod.Spec.NodeName, ResourceRequests: req}
+	res.PodInfo = &PodInfo{NodeName: pod.Spec.NodeName, ResourceRequests: req, Phase: pod.Status.Phase}
 
 	res.Info = append(res.Info, v1alpha1.InfoItem{Name: "Node", Value: pod.Spec.NodeName})
 	res.Info = append(res.Info, v1alpha1.InfoItem{Name: "Containers", Value: fmt.Sprintf("%d/%d", readyContainers, totalContainers)})

manifests/base/application-controller/argocd-application-controller-network-policy.yaml

@@ -0,0 +1,15 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-application-controller-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-application-controller
+  ingress:
+    - from:
+        - namespaceSelector: { }
+      ports:
+        - port: 8082
+  policyTypes:
+  - Ingress

manifests/base/application-controller/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
 - argocd-application-controller-rolebinding.yaml
 - argocd-application-controller-statefulset.yaml
 - argocd-metrics.yaml
+- argocd-application-controller-network-policy.yaml

manifests/base/dex/argocd-dex-server-network-policy.yaml

@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-dex-server-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  policyTypes:
+  - Ingress
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-server
+      ports:
+        - protocol: TCP
+          port: 5556
+        - protocol: TCP
+          port: 5557
+        - protocol: TCP
+          port: 5558

manifests/base/dex/kustomization.yaml

@@ -7,3 +7,4 @@ resources:
 - argocd-dex-server-rolebinding.yaml
 - argocd-dex-server-sa.yaml
 - argocd-dex-server-service.yaml
+- argocd-dex-server-network-policy.yaml

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.0.0
+  newTag: v2.0.2
 resources:
 - ./application-controller
 - ./dex

manifests/base/redis/argocd-redis-network-policy.yaml

@@ -0,0 +1,24 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis
+  policyTypes:
+  - Ingress
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-server
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-repo-server
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-application-controller
+      ports:
+        - protocol: TCP
+          port: 6379

manifests/base/redis/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
 - argocd-redis-rolebinding.yaml
 - argocd-redis-sa.yaml
 - argocd-redis-service.yaml
+- argocd-redis-network-policy.yaml
 
 vars:
 - name: ARGOCD_REDIS_SERVICE

manifests/base/repo-server/argocd-repo-server-network-policy.yaml

@@ -0,0 +1,25 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-repo-server-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  policyTypes:
+  - Ingress
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-server
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-application-controller
+      ports:
+        - protocol: TCP
+          port: 8081
+    - from:
+        - namespaceSelector: { }
+      ports:
+        - port: 8084

manifests/base/repo-server/kustomization.yaml

@@ -4,3 +4,4 @@ kind: Kustomization
 resources:
 - argocd-repo-server-deployment.yaml
 - argocd-repo-server-service.yaml
+- argocd-repo-server-network-policy.yaml

manifests/base/server/argocd-server-network-policy.yaml

@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-server-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server
+  ingress:
+  - {}
+  policyTypes:
+  - Ingress

manifests/base/server/kustomization.yaml

@@ -8,3 +8,4 @@ resources:
 - argocd-server-sa.yaml
 - argocd-server-service.yaml
 - argocd-server-metrics.yaml
+- argocd-server-network-policy.yaml

manifests/ha/base/kustomization.yaml

@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.0.0
+  newTag: v2.0.2
 resources:
 - ../../base/application-controller
 - ../../base/dex

manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml

@@ -0,0 +1,25 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-ha-proxy-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis-ha-haproxy
+  policyTypes:
+  - Ingress
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-server
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-repo-server
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-application-controller
+      # Redis HA server need to talk to proxy as well
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-redis-ha

manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml

@@ -0,0 +1,20 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-ha-server-network-policy
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis-ha
+  policyTypes:
+  - Ingress
+  ingress:
+    - from:
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-redis-ha-haproxy
+      # Redis HA server pods need to talk to each other
+      - podSelector:
+          matchLabels:
+            app.kubernetes.io/name: argocd-redis-ha
+

manifests/ha/base/redis-ha/chart/upstream.yaml

@@ -39,6 +39,7 @@ data:
   redis.conf: |
     dir "/data"
     port 6379
+    bind 0.0.0.0
     maxmemory 0
     maxmemory-policy volatile-lru
     min-replicas-max-lag 5
@@ -55,6 +56,7 @@ data:
         sentinel failover-timeout argocd 180000
         maxclients 10000
         sentinel parallel-syncs argocd 5
+    bind 0.0.0.0
 
   init.sh: |
     echo "$(date) Start..."
@@ -852,7 +854,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: f967dc53802e37a7bd0a7097785686e65cefc3002881b7c2a1936b3988698c11
+        checksum/init-config: 7128bfbb51eafaffe3c33b1b463e15f0cf6514cec570f9d9c4f2396f28c724ac
       labels:
         release: argocd
         app: redis-ha

manifests/ha/base/redis-ha/chart/values.yaml

@@ -5,9 +5,13 @@ redis-ha:
     masterGroupName: argocd
     config:
       save: "\"\""
+      bind: "0.0.0.0"
   haproxy:
     enabled: true
     image:
       tag: 2.0.20-alpine
   image:
     tag: 6.2.1-alpine
+  sentinel:
+    config:
+      replaceme: "0.0.0.0"

manifests/ha/base/redis-ha/generate.sh

@@ -14,3 +14,4 @@ helm template argocd ./chart \
 sed -e 's/check inter 1s/check inter 3s/' ./chart/upstream_orig.yaml >> ./chart/upstream.yaml && rm ./chart/upstream_orig.yaml
 sed -i.bak 's/timeout server 30s/timeout server 6m/' ./chart/upstream.yaml && rm ./chart/upstream.yaml.bak
 sed -i.bak 's/timeout client 30s/timeout client 6m/' ./chart/upstream.yaml && rm ./chart/upstream.yaml.bak
+sed -i.bak -E 's/^([[:space:]]){8}sentinel replaceme argocd/    bind/' ./chart/upstream.yaml && rm ./chart/upstream.yaml.bak

manifests/ha/base/redis-ha/kustomization.yaml

@@ -3,6 +3,8 @@ kind: Kustomization
 
 resources:
 - chart/upstream.yaml
+- argocd-redis-ha-proxy-network-policy.yaml
+- argocd-redis-ha-server-network-policy.yaml
 
 patchesJson6902:
 - target:

manifests/ha/install.yaml

@@ -2850,6 +2850,7 @@ data:
   redis.conf: |
     dir "/data"
     port 6379
+    bind 0.0.0.0
     maxmemory 0
     maxmemory-policy volatile-lru
     min-replicas-max-lag 5
@@ -2865,6 +2866,7 @@ data:
         sentinel failover-timeout argocd 180000
         maxclients 10000
         sentinel parallel-syncs argocd 5
+    bind 0.0.0.0
 kind: ConfigMap
 metadata:
   labels:
@@ -3176,7 +3178,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -3310,7 +3312,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis-ha-haproxy:6379
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -3411,7 +3413,7 @@ spec:
         env:
         - name: ARGOCD_API_SERVER_REPLICAS
           value: "2"
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3506,7 +3508,7 @@ spec:
         - "10"
         - --redis
         - argocd-redis-ha-haproxy:6379
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3564,7 +3566,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: f967dc53802e37a7bd0a7097785686e65cefc3002881b7c2a1936b3988698c11
+        checksum/init-config: 7128bfbb51eafaffe3c33b1b463e15f0cf6514cec570f9d9c4f2396f28c724ac
       labels:
         app.kubernetes.io/name: argocd-redis-ha
     spec:
@@ -3692,3 +3694,125 @@ spec:
         name: data
   updateStrategy:
     type: RollingUpdate
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-application-controller-network-policy
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8082
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-application-controller
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-dex-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    ports:
+    - port: 5556
+      protocol: TCP
+    - port: 5557
+      protocol: TCP
+    - port: 5558
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-redis-ha-proxy-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis-ha-haproxy
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-redis-ha-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha-haproxy
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis-ha
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-repo-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 8081
+      protocol: TCP
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8084
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-server-network-policy
+spec:
+  ingress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server
+  policyTypes:
+  - Ingress

manifests/ha/namespace-install.yaml

@@ -2765,6 +2765,7 @@ data:
   redis.conf: |
     dir "/data"
     port 6379
+    bind 0.0.0.0
     maxmemory 0
     maxmemory-policy volatile-lru
     min-replicas-max-lag 5
@@ -2780,6 +2781,7 @@ data:
         sentinel failover-timeout argocd 180000
         maxclients 10000
         sentinel parallel-syncs argocd 5
+    bind 0.0.0.0
 kind: ConfigMap
 metadata:
   labels:
@@ -3091,7 +3093,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -3225,7 +3227,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis-ha-haproxy:6379
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -3326,7 +3328,7 @@ spec:
         env:
         - name: ARGOCD_API_SERVER_REPLICAS
           value: "2"
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3421,7 +3423,7 @@ spec:
         - "10"
         - --redis
         - argocd-redis-ha-haproxy:6379
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3479,7 +3481,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: f967dc53802e37a7bd0a7097785686e65cefc3002881b7c2a1936b3988698c11
+        checksum/init-config: 7128bfbb51eafaffe3c33b1b463e15f0cf6514cec570f9d9c4f2396f28c724ac
       labels:
         app.kubernetes.io/name: argocd-redis-ha
     spec:
@@ -3607,3 +3609,125 @@ spec:
         name: data
   updateStrategy:
     type: RollingUpdate
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-application-controller-network-policy
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8082
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-application-controller
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-dex-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    ports:
+    - port: 5556
+      protocol: TCP
+    - port: 5557
+      protocol: TCP
+    - port: 5558
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-redis-ha-proxy-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis-ha-haproxy
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-redis-ha-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha-haproxy
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis-ha
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-repo-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 8081
+      protocol: TCP
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8084
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-server-network-policy
+spec:
+  ingress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server
+  policyTypes:
+  - Ingress

manifests/install.yaml

@@ -2544,7 +2544,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -2644,7 +2644,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis:6379
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2740,7 +2740,7 @@ spec:
         - argocd-server
         - --staticassets
         - /shared/app
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2833,7 +2833,7 @@ spec:
         - "20"
         - --operation-processors
         - "10"
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2871,3 +2871,106 @@ spec:
             path: ca.crt
           optional: true
           secretName: argocd-repo-server-tls
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-application-controller-network-policy
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8082
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-application-controller
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-dex-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    ports:
+    - port: 5556
+      protocol: TCP
+    - port: 5557
+      protocol: TCP
+    - port: 5558
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-redis-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 6379
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-repo-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 8081
+      protocol: TCP
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8084
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-server-network-policy
+spec:
+  ingress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server
+  policyTypes:
+  - Ingress

manifests/namespace-install.yaml

@@ -2459,7 +2459,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -2559,7 +2559,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis:6379
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2655,7 +2655,7 @@ spec:
         - argocd-server
         - --staticassets
         - /shared/app
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2748,7 +2748,7 @@ spec:
         - "20"
         - --operation-processors
         - "10"
-        image: quay.io/argoproj/argocd:v2.0.0
+        image: quay.io/argoproj/argocd:v2.0.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2786,3 +2786,106 @@ spec:
             path: ca.crt
           optional: true
           secretName: argocd-repo-server-tls
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-application-controller-network-policy
+spec:
+  ingress:
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8082
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-application-controller
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-dex-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    ports:
+    - port: 5556
+      protocol: TCP
+    - port: 5557
+      protocol: TCP
+    - port: 5558
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-dex-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-redis-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 6379
+      protocol: TCP
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-redis
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-repo-server-network-policy
+spec:
+  ingress:
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 8081
+      protocol: TCP
+  - from:
+    - namespaceSelector: {}
+    ports:
+    - port: 8084
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-repo-server
+  policyTypes:
+  - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: argocd-server-network-policy
+spec:
+  ingress:
+  - {}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: argocd-server
+  policyTypes:
+  - Ingress

reposerver/repository/repository_test.go

@@ -129,7 +129,7 @@ func TestGenerateYamlManifestInDir(t *testing.T) {
 	q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src}
 
 	// update this value if we add/remove manifests
-	const countOfManifests = 29
+	const countOfManifests = 34
 
 	res1, err := service.GenerateManifest(context.Background(), &q)
 

resource_customizations/kubernetes-client.io/ExternalSecret/health.lua

@@ -1,17 +0,0 @@
-health_status = {}
-if obj.status ~= nil then
-  if obj.status.status == "SUCCESS" then
-    health_status.status = "Healthy"
-    health_status.message = "Fetched ExternalSecret."
-  elseif obj.status.status:find('^ERROR') ~= nil then
-    health_status.status = "Degraded"
-    health_status.message = obj.status.status:gsub("ERROR, ", "")
-  else
-    health_status.status = "Progressing"
-    health_status.message = "Waiting for ExternalSecret."
-  end
-  return health_status
-end
-health_status.status = "Progressing"
-health_status.message = "Waiting for ExternalSecret."
-return health_status

resource_customizations/kubernetes-client.io/ExternalSecret/health_test.yaml

@@ -1,13 +0,0 @@
-tests:
-- healthStatus:
-    status: Progressing
-    message: "Waiting for ExternalSecret."
-  inputPath: testdata/progressing.yaml
-- healthStatus:
-    status: Degraded
-    message: "Secrets Manager can't find the specified secret."
-  inputPath: testdata/degraded.yaml
-- healthStatus:
-    status: Healthy
-    message: "Fetched ExternalSecret."
-  inputPath: testdata/healthy.yaml

resource_customizations/kubernetes-client.io/ExternalSecret/testdata/degraded.yaml

@@ -1,14 +0,0 @@
-apiVersion: kubernetes-client.io/v1
-kind: ExternalSecret
-metadata:
-  name: external-secret
-  namespace: external-secret
-spec:
-  backendType: secretsManager
-  data:
-    - key: /external/secret/name
-      name: EXTERNAL_SECRET_NAME
-status:
-  lastSync: "2021-02-06T21:44:40.631Z"
-  observedGeneration: 1
-  status: ERROR, Secrets Manager can't find the specified secret.

resource_customizations/kubernetes-client.io/ExternalSecret/testdata/healthy.yaml

@@ -1,14 +0,0 @@
-apiVersion: kubernetes-client.io/v1
-kind: ExternalSecret
-metadata:
-  name: external-secret
-  namespace: external-secret
-spec:
-  backendType: secretsManager
-  data:
-    - key: /external/secret/name
-      name: EXTERNAL_SECRET_NAME
-status:
-  lastSync: "2021-02-06T21:44:40.631Z"
-  observedGeneration: 1
-  status: SUCCESS

resource_customizations/kubernetes-client.io/ExternalSecret/testdata/progressing.yaml

@@ -1,10 +0,0 @@
-apiVersion: kubernetes-client.io/v1
-kind: ExternalSecret
-metadata:
-  name: external-secret
-  namespace: external-secret
-spec:
-  backendType: secretsManager
-  data:
-    - key: /external/secret/name
-      name: EXTERNAL_SECRET_NAME

resource_customizations/sparkoperator.k8s.io/SparkApplication/health.lua

@@ -6,18 +6,20 @@ if obj.status ~= nil then
       health_status.message = "SparkApplication was added, enqueuing it for submission"
       return health_k9sstatus
     end
-    count=0
-    executor_instances = obj.spec.executor.instances
-    for i, executorState in pairs(obj.status.executorState) do
-      if executorState == "RUNNING" then
-          count=count+1
+    if obj.status.applicationState.state == "RUNNING" then
+      if obj.status.executorState ~= nil then
+        count=0
+        executor_instances = obj.spec.executor.instances
+        for i, executorState in pairs(obj.status.executorState) do
+          if executorState == "RUNNING" then
+            count=count+1
+          end
+        end
+        if executor_instances == count then
+          health_status.status = "Healthy"
+          health_status.message = "SparkApplication is Running"
+          return health_status
         end
-    end
-    if executor_instances == count then
-      if obj.status.applicationState.state == "RUNNING" then
-        health_status.status = "Healthy"
-        health_status.message = "SparkApplication is in RunningState"
-        return health_status
       end
     end
     if obj.status.applicationState.state == "SUBMITTED" then

resource_customizations/sparkoperator.k8s.io/SparkApplication/health_test.yaml

@@ -9,5 +9,5 @@ tests:
   inputPath: testdata/degraded.yaml
 - healthStatus:
     status: Healthy
-    message: "SparkApplication is in RunningState"
+    message: "SparkApplication is Running"
   inputPath: testdata/healthy.yaml

server/application/application.go

@@ -1159,16 +1159,21 @@ func (s *Server) PodLogs(q *application.ApplicationPodLogsQuery, ws application.
 			SinceTime:    q.SinceTime,
 			TailLines:    tailLines,
 		}).Stream(ws.Context())
-		if err != nil {
-			return err
-		}
 		podName := pod.Name
 		logStream := make(chan logEntry)
-		defer ioutil.Close(stream)
+		if err == nil {
+			defer ioutil.Close(stream)
+		}
 
 		streams = append(streams, logStream)
 		go func() {
-			parseLogsStream(podName, stream, logStream)
+			// if k8s failed to start steaming logs (typically because Pod is not ready yet)
+			// then the error should be shown in the UI so that user know the reason
+			if err != nil {
+				logStream <- logEntry{line: err.Error()}
+			} else {
+				parseLogsStream(podName, stream, logStream)
+			}
 			close(logStream)
 		}()
 	}

test/fixture/testrepos/Procfile

@@ -1,3 +1,5 @@
-sshd: mkdir -p /var/run/sshd && mkdir -p ~/.ssh && cat ./test/fixture/testrepos/id_rsa.pub > ~/.ssh/authorized_keys && /usr/sbin/sshd -p 2222 -D -e
+# To prevent regression of https://github.com/argoproj/argo-cd/pull/6253, we
+# start sshd with -o KexAlgorithms=diffie-hellman-group-exchange-sha256
+sshd: mkdir -p /var/run/sshd && mkdir -p ~/.ssh && cat ./test/fixture/testrepos/id_rsa.pub > ~/.ssh/authorized_keys && /usr/sbin/sshd -p 2222 -D -e -o KexAlgorithms=diffie-hellman-group-exchange-sha256
 fcgiwrap: fcgiwrap -s unix:/var/run/fcgiwrap.socket & sleep 1 && chmod 777 /var/run/fcgiwrap.socket && wait
 nginx: nginx -prefix=$(pwd) -g 'daemon off;' -c $(pwd)/test/fixture/testrepos/nginx.conf

ui/src/app/app.tsx

@@ -188,15 +188,18 @@ export class App extends React.Component<{}, {popupProps: PopupProps; showVersio
                                                         navItems={navItems}
                                                         version={() => (
                                                             <DataLoader load={() => versionLoader}>
-                                                                {version => (
-                                                                    <React.Fragment>
-                                                                        <Tooltip content={version.Version}>
-                                                                            <a style={{color: 'white'}} onClick={() => this.setState({showVersionPanel: true})}>
-                                                                                {version.Version}
-                                                                            </a>
-                                                                        </Tooltip>
-                                                                    </React.Fragment>
-                                                                )}
+                                                                {version => {
+                                                                    const versionString = version ? version.Version : 'Unknown';
+                                                                    return (
+                                                                        <React.Fragment>
+                                                                            <Tooltip content={versionString}>
+                                                                                <a style={{color: 'white'}} onClick={() => this.setState({showVersionPanel: true})}>
+                                                                                    {versionString}
+                                                                                </a>
+                                                                            </Tooltip>
+                                                                        </React.Fragment>
+                                                                    );
+                                                                }}
                                                             </DataLoader>
                                                         )}>
                                                         <Banner>

ui/src/app/settings/components/repos-list/repos-list.tsx

@@ -410,7 +410,7 @@ export class ReposList extends React.Component<RouteComponentProps<any>, {connec
                                 <div className='argo-form-row'>
                                     <FormField formApi={formApi} label='Type' field='ghType' component={FormSelect} componentProps={{options: ['GitHub', 'GitHub Enterprise']}} />
                                 </div>
-                                {formApi.getFormState().values.type === 'GitHub Enterprise' && (
+                                {formApi.getFormState().values.ghType === 'GitHub Enterprise' && (
                                     <React.Fragment>
                                         <div className='argo-form-row'>
                                             <FormField

util/db/db_test.go

@@ -381,6 +381,15 @@ func TestRepositorySecretsTrim(t *testing.T) {
   sshPrivateKeySecret:
     name: managed-secret
     key: sshPrivateKey
+  tlsClientCertDataSecret:
+    name: managed-secret
+    key: tlsClientCertData
+  tlsClientCertKeySecret:
+    name: managed-secret
+    key: tlsClientCertKey
+  githubAppPrivateKeySecret:
+    name: managed-secret
+    key: githubAppPrivateKey
 `}
 	clientset := getClientset(config, &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
@@ -391,9 +400,12 @@ func TestRepositorySecretsTrim(t *testing.T) {
 			},
 		},
 		Data: map[string][]byte{
-			username:      []byte("test-username\n\n"),
-			password:      []byte("test-password\r\r"),
-			sshPrivateKey: []byte("test-ssh-private-key\n\r"),
+			username:            []byte("test-username\n\n"),
+			password:            []byte("test-password\r\r"),
+			sshPrivateKey:       []byte("test-ssh-private-key\n\r"),
+			tlsClientCertData:   []byte("test-tls-client-cert-data\n\r"),
+			tlsClientCertKey:    []byte("test-tls-client-cert-key\n\r"),
+			githubAppPrivateKey: []byte("test-github-app-private-key\n\r"),
 		},
 	})
 	db := NewDB(testNamespace, settings.NewSettingsManager(context.Background(), clientset, testNamespace), clientset)
@@ -416,6 +428,18 @@ func TestRepositorySecretsTrim(t *testing.T) {
 			"test-ssh-private-key",
 			repo.SSHPrivateKey,
 		},
+		{
+			"test-tls-client-cert-data",
+			repo.TLSClientCertData,
+		},
+		{
+			"test-tls-client-cert-key",
+			repo.TLSClientCertKey,
+		},
+		{
+			"test-github-app-private-key",
+			repo.GithubAppPrivateKey,
+		},
 	}
 	for _, tt := range teststruct {
 		assert.Equal(t, tt.expectedSecret, tt.retrievedSecret)

util/db/repository.go

@@ -186,11 +186,12 @@ func (db *db) credentialsToRepository(repoInfo settings.Repository) (*appsv1.Rep
 		GitHubAppEnterpriseBaseURL: repoInfo.GithubAppEnterpriseBaseURL,
 	}
 	err := db.unmarshalFromSecretsStr(map[*SecretMaperValidation]*apiv1.SecretKeySelector{
-		&SecretMaperValidation{Dest: &repo.Username, Transform: StripCRLFCharacter}:          repoInfo.UsernameSecret,
-		&SecretMaperValidation{Dest: &repo.Password, Transform: StripCRLFCharacter}:          repoInfo.PasswordSecret,
-		&SecretMaperValidation{Dest: &repo.SSHPrivateKey, Transform: StripCRLFCharacter}:     repoInfo.SSHPrivateKeySecret,
-		&SecretMaperValidation{Dest: &repo.TLSClientCertData, Transform: StripCRLFCharacter}: repoInfo.TLSClientCertDataSecret,
-		&SecretMaperValidation{Dest: &repo.TLSClientCertKey, Transform: StripCRLFCharacter}:  repoInfo.TLSClientCertKeySecret,
+		&SecretMaperValidation{Dest: &repo.Username, Transform: StripCRLFCharacter}:            repoInfo.UsernameSecret,
+		&SecretMaperValidation{Dest: &repo.Password, Transform: StripCRLFCharacter}:            repoInfo.PasswordSecret,
+		&SecretMaperValidation{Dest: &repo.SSHPrivateKey, Transform: StripCRLFCharacter}:       repoInfo.SSHPrivateKeySecret,
+		&SecretMaperValidation{Dest: &repo.TLSClientCertData, Transform: StripCRLFCharacter}:   repoInfo.TLSClientCertDataSecret,
+		&SecretMaperValidation{Dest: &repo.TLSClientCertKey, Transform: StripCRLFCharacter}:    repoInfo.TLSClientCertKeySecret,
+		&SecretMaperValidation{Dest: &repo.GithubAppPrivateKey, Transform: StripCRLFCharacter}: repoInfo.GithubAppPrivateKeySecret,
 	}, make(map[string]*apiv1.Secret))
 	return repo, err
 }
@@ -203,11 +204,12 @@ func (db *db) credentialsToRepositoryCredentials(repoInfo settings.RepositoryCre
 		GitHubAppEnterpriseBaseURL: repoInfo.GithubAppEnterpriseBaseURL,
 	}
 	err := db.unmarshalFromSecretsStr(map[*SecretMaperValidation]*apiv1.SecretKeySelector{
-		&SecretMaperValidation{Dest: &creds.Username}:          repoInfo.UsernameSecret,
-		&SecretMaperValidation{Dest: &creds.Password}:          repoInfo.PasswordSecret,
-		&SecretMaperValidation{Dest: &creds.SSHPrivateKey}:     repoInfo.SSHPrivateKeySecret,
-		&SecretMaperValidation{Dest: &creds.TLSClientCertData}: repoInfo.TLSClientCertDataSecret,
-		&SecretMaperValidation{Dest: &creds.TLSClientCertKey}:  repoInfo.TLSClientCertKeySecret,
+		&SecretMaperValidation{Dest: &creds.Username}:            repoInfo.UsernameSecret,
+		&SecretMaperValidation{Dest: &creds.Password}:            repoInfo.PasswordSecret,
+		&SecretMaperValidation{Dest: &creds.SSHPrivateKey}:       repoInfo.SSHPrivateKeySecret,
+		&SecretMaperValidation{Dest: &creds.TLSClientCertData}:   repoInfo.TLSClientCertDataSecret,
+		&SecretMaperValidation{Dest: &creds.TLSClientCertKey}:    repoInfo.TLSClientCertKeySecret,
+		&SecretMaperValidation{Dest: &creds.GithubAppPrivateKey}: repoInfo.GithubAppPrivateKeySecret,
 	}, make(map[string]*apiv1.Secret))
 	return creds, err
 }

util/git/client.go

@@ -22,7 +22,6 @@ import (
 	"gopkg.in/src-d/go-git.v4/plumbing"
 	"gopkg.in/src-d/go-git.v4/plumbing/transport"
 	githttp "gopkg.in/src-d/go-git.v4/plumbing/transport/http"
-	ssh2 "gopkg.in/src-d/go-git.v4/plumbing/transport/ssh"
 	"gopkg.in/src-d/go-git.v4/storage/memory"
 
 	"github.com/argoproj/argo-cd/v2/common"
@@ -203,7 +202,9 @@ func newAuth(repoURL string, creds Creds) (transport.AuthMethod, error) {
 		if err != nil {
 			return nil, err
 		}
-		auth := &ssh2.PublicKeys{User: sshUser, Signer: signer}
+		auth := &PublicKeysWithOptions{}
+		auth.User = sshUser
+		auth.Signer = signer
 		if creds.insecure {
 			auth.HostKeyCallback = ssh.InsecureIgnoreHostKey()
 		} else {

util/git/ssh.go

@@ -0,0 +1,59 @@
+package git
+
+import (
+	"fmt"
+
+	"golang.org/x/crypto/ssh"
+	gitssh "gopkg.in/src-d/go-git.v4/plumbing/transport/ssh"
+)
+
+// List of all currently supported algorithms for SSH key exchange
+// Unfortunately, crypto/ssh does not offer public constants or list for
+// this.
+var SupportedSSHKeyExchangeAlgorithms = []string{
+	"diffie-hellman-group1-sha1",
+	"diffie-hellman-group14-sha1",
+	"ecdh-sha2-nistp256",
+	"ecdh-sha2-nistp384",
+	"ecdh-sha2-nistp521",
+	"curve25519-sha256@libssh.org",
+	"diffie-hellman-group-exchange-sha1",
+	"diffie-hellman-group-exchange-sha256",
+}
+
+// List of default key exchange algorithms to use. We use those that are
+// available by default, we can become more opinionated later on (when
+// we support configuration of algorithms to use).
+var DefaultSSHKeyExchangeAlgorithms = SupportedSSHKeyExchangeAlgorithms
+
+// PublicKeysWithOptions is an auth method for go-git's SSH client that
+// inherits from PublicKeys, but provides the possibility to override
+// some client options.
+type PublicKeysWithOptions struct {
+	KexAlgorithms []string
+	gitssh.PublicKeys
+}
+
+// Name returns the name of the auth method
+func (a *PublicKeysWithOptions) Name() string {
+	return gitssh.PublicKeysName
+}
+
+// String returns the configured user and auth method name as string
+func (a *PublicKeysWithOptions) String() string {
+	return fmt.Sprintf("user: %s, name: %s", a.User, a.Name())
+}
+
+// ClientConfig returns a custom SSH client configuration
+func (a *PublicKeysWithOptions) ClientConfig() (*ssh.ClientConfig, error) {
+	// Algorithms used for kex can be configured
+	var kexAlgos []string
+	if len(a.KexAlgorithms) > 0 {
+		kexAlgos = a.KexAlgorithms
+	} else {
+		kexAlgos = DefaultSSHKeyExchangeAlgorithms
+	}
+	config := ssh.Config{KeyExchanges: kexAlgos}
+	opts := &ssh.ClientConfig{Config: config, User: a.User, Auth: []ssh.AuthMethod{ssh.PublicKeys(a.Signer)}}
+	return a.SetHostKeyCallback(opts)
+}