Bump version to 2.1.16

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

.github/workflows/ci-build.yaml

@@ -9,6 +9,11 @@ on:
   pull_request:
     branches:
       - 'master'
+      - 'release-*'
+
+env:
+  # Golang version to use across CI steps
+  GOLANG_VERSION: '1.16.5'
 
 jobs:
   build-docker:
@@ -30,7 +35,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.16.2'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
         run: |
           go mod download
@@ -48,7 +53,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.16.2'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
         uses: actions/cache@v1
         with:
@@ -67,10 +72,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v2
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3
         with:
-          version: v1.38.0
-          args: --timeout 5m --exclude SA5011
+          version: v1.46.2
+          args: --timeout 10m --exclude SA5011 --verbose
 
   test-go:
     name: Run unit tests for Go packages
@@ -87,7 +92,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.16.2'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
         run: |
           sudo apt-get install git -y
@@ -147,7 +152,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.16.2'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
         run: |
           sudo apt-get install git -y
@@ -196,7 +201,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.16.2'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
         run: |
           mkdir -p ~/go/src/github.com/argoproj
@@ -336,7 +341,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        k3s-version: [v1.20.2, v1.19.2, v1.18.9, v1.17.11, v1.16.15]
+        k3s-version: [v1.21.2, v1.20.2, v1.19.2, v1.18.9, v1.17.11]
     needs: 
       - build-go
     env:
@@ -355,7 +360,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.16.2'
+          go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
         run: |
           sudo pkill mono || true

.github/workflows/gh-pages.yaml

@@ -20,11 +20,4 @@ jobs:
       - name: build
         run: |
           pip install -r docs/requirements.txt
-          mkdocs build
-      - name: deploy
-        if: ${{ github.event_name == 'push' }}
-        uses: peaceiris/actions-gh-pages@v2.5.0
-        env:
-          PERSONAL_TOKEN: ${{ secrets.PERSONAL_TOKEN }}
-          PUBLISH_BRANCH: gh-pages
-          PUBLISH_DIR: ./site
+          mkdocs build

.github/workflows/image.yaml

@@ -5,6 +5,9 @@ on:
     branches:
       - master
 
+env:
+  GOLANG_VERSION: '1.16.5'
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -13,7 +16,7 @@ jobs:
     steps:
       - uses: actions/setup-go@v1
         with:
-          go-version: '1.16.4'
+          go-version: ${{ env.GOLANG_VERSION }}
       - uses: actions/checkout@master
         with:
           path: src/github.com/argoproj/argo-cd
@@ -26,25 +29,31 @@ jobs:
       # build
       - run: |
           docker images -a --format "{{.ID}}" | xargs -I {} docker rmi {}
-          make image DEV_IMAGE=true DOCKER_PUSH=false IMAGE_NAMESPACE=docker.pkg.github.com/argoproj/argo-cd IMAGE_TAG=${{ steps.image.outputs.tag }}
+          make image DEV_IMAGE=true DOCKER_PUSH=false IMAGE_NAMESPACE=ghcr.io/argoproj IMAGE_TAG=${{ steps.image.outputs.tag }}
         working-directory: ./src/github.com/argoproj/argo-cd
 
       # publish
       - run: |
-          docker login docker.pkg.github.com --username $USERNAME --password $PASSWORD
-          docker push docker.pkg.github.com/argoproj/argo-cd/argocd:${{ steps.image.outputs.tag }}
+          docker login ghcr.io --username $USERNAME --password $PASSWORD
+          docker push ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }}
+
+          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker tag ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} argoproj/argocd:latest
+          docker push argoproj/argocd:latest
         env:
           USERNAME: ${{ secrets.USERNAME }}
           PASSWORD: ${{ secrets.TOKEN }}
+          DOCKER_USERNAME: ${{ secrets.RELEASE_DOCKERHUB_USERNAME }}
+          DOCKER_TOKEN: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
 
       # deploy
       - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
         env:
           TOKEN: ${{ secrets.TOKEN }}
       - run: |
-          docker run -v $(pwd):/src -w /src --rm -t lyft/kustomizer:v3.3.0 kustomize edit set image quay.io/argoproj/argocd=docker.pkg.github.com/argoproj/argo-cd/argocd:${{ steps.image.outputs.tag }}
+          docker run -v $(pwd):/src -w /src --rm -t lyft/kustomizer:v3.3.0 kustomize edit set image quay.io/argoproj/argocd=ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }}
           git config --global user.email 'ci@argoproj.com'
           git config --global user.name 'CI'
           git diff --exit-code && echo 'Already deployed' || (git commit -am 'Upgrade argocd to ${{ steps.image.outputs.tag }}' && git push)
         working-directory: argoproj-deployments/argocd
-      # TODO: clean up old images once github supports it: https://github.community/t5/How-to-use-Git-and-GitHub/Deleting-images-from-Github-Package-Registry/m-p/41202/thread-id/9811
+      # TODO: clean up old images once github supports it: https://github.community/t5/How-to-use-Git-and-GitHub/Deleting-images-from-GitHub-Package-Registry/m-p/41202/thread-id/9811

.github/workflows/release.yaml

@@ -10,6 +10,10 @@ on:
       - '!release-v1.1*'
       - '!release-v1.0*'
       - '!release-v0*'
+
+env:
+    GOLANG_VERSION: '1.16.5'
+
 jobs:
   prepare-release:
     name: Perform automatic release on trigger ${{ github.ref }}
@@ -139,7 +143,7 @@ jobs:
       - name: Setup Golang
         uses: actions/setup-go@v1
         with:
-          go-version: '1.16.4'
+          go-version: ${{ env.GOLANG_VERSION }}
 
       - name: Setup Git author information
         run: |
@@ -262,40 +266,6 @@ jobs:
           asset_content_type: application/octet-stream
         if: ${{ env.DRY_RUN != 'true' }}
 
-      # include argocd-util as part of release artifacts (argoproj/argo-cd#5174)
-      - name: Upload argocd-util-linux-amd64 binary to release assets
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./dist/argocd-linux-amd64
-          asset_name: argocd-util-linux-amd64
-          asset_content_type: application/octet-stream
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - name: Upload argocd-util-darwin-amd64 binary to release assets
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./dist/argocd-darwin-amd64
-          asset_name: argocd-util-darwin-amd64
-          asset_content_type: application/octet-stream
-        if: ${{ env.DRY_RUN != 'true' }}
-
-      - name: Upload argocd-util-windows-amd64 binary to release assets
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./dist/argocd-windows-amd64.exe
-          asset_name: argocd-util-windows-amd64.exe
-          asset_content_type: application/octet-stream
-        if: ${{ env.DRY_RUN != 'true' }}
-
       - name: Update homebrew formula
         env:
           HOMEBREW_TOKEN: ${{ secrets.RELEASE_HOMEBREW_TOKEN }}

.gitignore

@@ -2,7 +2,9 @@
 .idea/
 .DS_Store
 vendor/
-dist/
+dist/*
+ui/dist/app/*
+!ui/dist/app/gitkeep
 site/
 *.iml
 # delve debug binaries
@@ -13,10 +15,10 @@ test-results
 .scannerwork
 .scratch
 node_modules/
+.kube/
 
 # ignore built binaries
 cmd/argocd/argocd
 cmd/argocd-application-controller/argocd-application-controller
 cmd/argocd-repo-server/argocd-repo-server
-cmd/argocd-server/argocd-server
-cmd/argocd-util/argocd-util
+cmd/argocd-server/argocd-server

.gitpod.Dockerfile

@@ -0,0 +1,17 @@
+FROM gitpod/workspace-full
+
+USER root
+
+RUN curl -o /usr/local/bin/kubectl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
+    chmod +x /usr/local/bin/kubectl
+
+RUN curl -L https://go.kubebuilder.io/dl/2.3.1/$(go env GOOS)/$(go env GOARCH) | \
+    tar -xz -C /tmp/ && mv /tmp/kubebuilder_2.3.1_$(go env GOOS)_$(go env GOARCH) /usr/local/kubebuilder
+
+RUN apt-get install redis-server -y
+RUN go get github.com/mattn/goreman
+
+USER gitpod
+
+ENV ARGOCD_REDIS_LOCAL=true
+ENV KUBECONFIG=/tmp/kubeconfig

.gitpod.yml

@@ -0,0 +1,6 @@
+image:
+  file: .gitpod.Dockerfile
+
+tasks:
+  - init: make mod-download-local dep-ui-local && GO111MODULE=off go get github.com/mattn/goreman
+    command: make start-test-k8s

.golangci.yml

@@ -1,22 +0,0 @@
-run:
-  timeout: 2m
-  skip-files:
-    - ".*\\.pb\\.go"
-  skip-dirs:
-    - pkg/client/
-    - vendor/
-linters:
-  enable:
-    - vet
-    - deadcode
-    - goimports
-    - varcheck
-    - structcheck
-    - ineffassign
-    - unconvert
-    - unparam
-linters-settings:
-  goimports:
-    local-prefixes: github.com/argoproj/argo-cd
-service:
-  golangci-lint-version: 1.21.0

CHANGELOG.md

@@ -1,6 +1,100 @@
 # Changelog
 
-## v2.0.0 (Unreleased)
+## v2.1.0 (Unreleased)
+
+> [Upgrade instructions](./docs/operator-manual/upgrading/2.0-2.1.md)
+
+### Argo CD Core
+
+Argo CD Core - lightweight Argo CD distribution that packages only core GitOps features and relies
+on Kubernetes API/RBAC to power UI and CLI.
+
+### Core Features
+
+* The synchronization process became much much faster and requires significantly less memory.
+* An additional caching that ensures that each repository's target revisions are queried only once per
+  reconciliation cycle. This dramatically reduces the number of Git requests.
+* Improved Diffing Customizations: use JQ path expressions to exclude required fields from the diffing.
+* Health assessment support for new CRDs: introduced health assessment of CRDs from trident.netapp.io,
+  elasticsearch.k8s.elastic.co, cluster.x-k8s.io, and minio.min.io API groups.
+
+### Improved Settings
+
+A set of changes had been implemented to simplify configuring Argo CD.
+
+* Simplified Repository Registration: you no longer need to modify the argocd-cm ConfigMap to register a
+  new Git or Helm repository.
+* Enhanced Resource Customizations: the resource.customizations key has been deprecated in favor of
+  a separate ConfigMap key per resource.
+* Reference secret values from any Kubernetes secret: starting v2.1 you can use sensitive data stored in 
+  any Kubernetes secret to configure Argo CD.
+* Simplify parametrization of Argo CD server processes: an additional optional ConfigMap argocd-cmd-params-cm
+  has been introduced.
+
+### Refreshed User Interface
+
+* Enhanced and more consistent filters on Applications List and Applications Details pages.
+* Status bar on the Application List page.
+* The redesigned search box on the Application List page and more.
+
+### The argocd-util CLI deprecation
+
+The argocd CLI and now available under argocd admin subcommand.
+
+## v2.0.5 (2021-07-22)
+
+* fix: allow argocd-notification ingress to repo-server (#6746)
+* fix: argocd-server crashes due to nil pointer dereference (#6757)
+* fix: WebUI failure when loading pod view 't.parentRefs is undefined' (#6490) (#6535)
+* fix: prevent 'cannot read property "filter" of undefined' during nodes filtering (#6453)
+* fix: download Pod Logs button not honouring argocd-server rootpath (#6548) (#6627)
+* fix: Version warning banner in docs (#6682)
+* fix: upgrade gitops engine to fix workflow health check
+
+## v2.0.4 (2021-06-22)
+
+* fix: typo in networkPolicy definition in manifests (#6532)
+* fix: Update redis to 6.2.4 (#6475)
+* fix: allows access to dex metrics from any pod (#6420)
+* fix: add client side retry to prevent 'transport is closing' errors (#6402)
+* fix: Update documentation Argocd app CRD health with app of apps (#6281)
+* fix(ui): Crash on application pod view (#6384)
+* chore: pin mkdocs version to fix docs build (#6421)
+* chore: regenerate manifests using codegen (#6422)
+* refactor: use RLock and RUnlock for project to improve performance (#6225)
+* chore: Update Golang to v1.16.4 (#6358)
+
+## v2.0.3 (2021-05-27)
+
+### Bug Fixes
+
+* fix: add missing --container flag to 'argocd app logs' command (#6320)
+* fix: grpc web proxy must ensure to read full header (#6319)
+* fix: controller should refresh app before running sync operation (#6294)
+
+## v2.0.2 (2021-05-20)
+
+### Bug Fixes
+
+* fix: enable access to metrics port in embedded network policies (#6277)
+* fix: display log streaming error in logs viewer (#6100) (#6273)
+* fix: Don't count errored or completed neighbor pods toward resource consumption (#6259)
+* fix: Enable kex algo diffie-hellman-group-exchange-sha256 for go-git ssh (#6256)
+* fix: copy github app key from repocreds (#6140, #6197)
+* fix(ui): UI crashes after reinstalling ArgoCD (#6218)
+* fix: add network policies to restrict traffic flow between argocd components (#6156)
+* fix: Revert "feat: Add health checks for kubernetes-external-secrets (#5435)"
+* chore: Allow ingress traffic to argocd-server by default (#6179)
+
+## v2.0.1 (2021-04-15)
+
+### Bug Fixes
+
+* fix: spark application check fails on missing section (#6036)
+* fix: Adding explicit bind to redis and sentinel for IPv4 clusters #5957 (#6005)
+* fix: fix: use correct field for evaluating whether or not GitHub Enterprise is selected (#5987)
+
+## v2.0.0 (2021-04-07)
 
 > [Upgrade instructions](./docs/operator-manual/upgrading/1.8-2.0.md)
 
@@ -198,7 +292,7 @@ In addition to new features and enhancements, we’ve fixed more than 50 bugs an
 ## v1.7.5 (2020-09-15)
 
 - fix: app create with -f should not ignore other options (#4322)
-- fix: limit concurrent list requests accross all clusters (#4328)
+- fix: limit concurrent list requests across all clusters (#4328)
 - fix: fix possible deadlock in /v1/api/stream/applications and /v1/api/application APIs (#4315)
 - fix: WatchResourceTree does not enforce RBAC (#4311)
 - fix: app refresh API should use app resource version (#4303)
@@ -332,7 +426,7 @@ use cases, such as bootstrapping a Kubernetes cluster, or decentralized manageme
 
 #### Other
 
-- refactoring: Gitops engine (#3066)
+- refactoring: GitOps engine (#3066)
 
 ## v1.5.8 (2020-06-16)
 
@@ -395,7 +489,7 @@ customizations, custom resource health checks, and more.
 ### Other
 
 * New Project and Application CRD settings ([#2900](https://github.com/argoproj/argo-cd/issues/2900), [#2873](https://github.com/argoproj/argo-cd/issues/2873)) that allows customizing Argo CD behavior.
-* Upgraded Dex (v2.22.0) enables seamless [SSO integration](https://www.openshift.com/blog/openshift-authentication-integration-with-argocd) with Openshift.
+* Upgraded Dex (v2.22.0) enables seamless [SSO integration](https://www.openshift.com/blog/openshift-authentication-integration-with-argocd) with OpenShift.
 
 
 #### Enhancements
@@ -427,7 +521,7 @@ customizations, custom resource health checks, and more.
 * fix for helm repo add with flag --insecure-skip-server-verification (#3420)
 * fix: app diff --local support for helm repo. #3151 (#3407)
 * fix: Syncing apps incorrectly states "app synced", but this is not true (#3286)
-* fix: for jsonnet when it is localed in nested subdirectory and uses import (#3372)
+* fix: for jsonnet when it is located in nested subdirectory and uses import (#3372)
 * fix: Update 4.5.3 redis-ha helm manifest (#3370)
 * fix: return 401 error code if username does not exist (#3369)
 * fix: Do not panic while running hooks with short revision (#3368)
@@ -543,7 +637,7 @@ Last-minute bugs that will be addressed in 1.5.1 shortly:
 - fix: argocd-util backup produced truncated backups. import app status (#3096)
 - fix: upgrade redis-ha chart and enable haproxy (#3147)
 - fix: make dex server deployment init container resilient to restarts (#3136)
-- fix: reduct secret values of manifests stored in git (#3088)
+- fix: redact secret values of manifests stored in git (#3088)
 - fix: labels not being deleted via UI (#3081)
 - fix: HTTP|HTTPS|NO_PROXY env variable reading #3055 (#3063)
 - fix: Correct usage text for repo add command regarding insecure repos (#3068)
@@ -653,7 +747,7 @@ an in-flight state for all Kubernetes resources including `Deployment`, `PVC`, `
 [Sync Waves](https://argoproj.github.io/argo-cd/user-guide/sync-waves/) instead.
 
 #### Enhancements
-* feat: Add custom healthchecks for cert-manager v0.11.0 (#2689) 
+* feat: Add custom health checks for cert-manager v0.11.0 (#2689) 
 * feat: add git submodule support (#2495)
 * feat: Add repository credential management API and CLI (addresses #2136) (#2207)
 * feat: add support for --additional-headers cli flag (#2467)
@@ -838,7 +932,7 @@ There may be instances when you want to control the times during which an Argo C
 #### Bug Fixes
 
 - failed parsing on parameters with comma (#1660)
-- Statefulset with OnDelete Update Strategy stuck progressing (#1881)
+- StatefulSet with OnDelete Update Strategy stuck progressing (#1881)
 - Warning during secret diffing (#1923)
 - Error message "Unable to load data: key is missing" is confusing (#1944)
 - OIDC group bindings are truncated (#2006)
@@ -920,7 +1014,7 @@ There may be instances when you want to control the times during which an Argo C
 ## v1.2.3 (2019-10-1)
 * Make argo-cd docker images openshift friendly (#2362) (@duboisf)
 * Add dest-server and dest-namespace field to reconciliation logs (#2354)
-- Stop loggin /repository.RepositoryService/ValidateAccess parameters (#2386)
+- Stop logging /repository.RepositoryService/ValidateAccess parameters (#2386)
 
 ## v1.2.2 (2019-09-26)
 + Resource action equivalent to `kubectl rollout restart` (#2177)
@@ -1005,7 +1099,7 @@ Support for Git LFS enabled repositories - now you can store Helm charts as tar
 - Wait for CRD creation during sync process (#1940)
 - Added a button to select out of sync items in the sync panel (#1902)
 - Proper handling of an excluded resource in an application (#1621)
-- Stop repeating logs on stoped container (#1614)
+- Stop repeating logs on stopped container (#1614)
 - Fix git repo url parsing on application list view (#2174)
 - Fix nil pointer dereference error during app reconciliation (#2146)
 - Fix history api fallback implementation to support app names with dots (#2114)
@@ -1061,7 +1155,7 @@ optimized which significantly reduced the number of Git requests. With v1.1 rele
 #### User Defined Application Metadata
 
 User-defined Application metadata enables the user to define a list of useful URLs for their specific application and expose those links on the UI
-(e.g. reference tp a CI pipeline or an application-specific management tool). These links should provide helpful shortcuts that make easier to integrate Argo CD into existing
+(e.g. reference to a CI pipeline or an application-specific management tool). These links should provide helpful shortcuts that make easier to integrate Argo CD into existing
 systems by making it easier to find other components inside and outside Argo CD.
 
 ### Deprecation Notice
@@ -1425,7 +1519,7 @@ has a minimum client version of v0.12.0. Older CLI clients will be rejected.
 * Deprecate componentParameterOverrides in favor of source specific config (#1207)
 * Support talking to Dex using local cluster address instead of public address (#1211)
 * Use Recreate deployment strategy for controller (#1315)
-* Honor os environment variables for helm commands (#1306) (@1337andre)
+* Honor OS environment variables for helm commands (#1306) (@1337andre)
 * Disable CGO_ENABLED for server/controller binaries (#1286)
 * Documentation fixes and improvements (@twz123, @yann-soubeyrand, @OmerKahani, @dulltz)
 - Fix CRD creation/deletion handling (#1249)
@@ -1917,8 +2011,8 @@ RBAC policy rules, need to be rewritten to include one extra column with the eff
 + Override parameters
 
 ## v0.1.0 (2018-03-12)
-+ Define app in Github with dev and preprod environment using KSonnet
++ Define app in GitHub with dev and preprod environment using KSonnet
 + Add cluster Diff App with a cluster Deploy app in a cluster
 + Deploy a new version of the app in the cluster
-+ App sync based on Github app config change - polling only
++ App sync based on GitHub app config change - polling only
 + Basic UI: App diff between Git and k8s cluster for all environments Basic GUI

Dockerfile

@@ -1,10 +1,10 @@
-ARG BASE_IMAGE=ubuntu:20.10
+ARG BASE_IMAGE=docker.io/library/ubuntu:21.04
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM golang:1.16.4 as builder
+FROM docker.io/library/golang:1.16.5 as builder
 
 RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
@@ -17,6 +17,7 @@ RUN apt-get update && apt-get install -y \
     make \
     wget \
     gcc \
+    sudo \
     zip && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -27,7 +28,6 @@ ADD hack/install.sh .
 ADD hack/installers installers
 ADD hack/tool-versions.sh .
 
-RUN ./install.sh packr-linux
 RUN ./install.sh ksonnet-linux
 RUN ./install.sh helm2-linux
 RUN ./install.sh helm-linux
@@ -47,10 +47,9 @@ RUN groupadd -g 999 argocd && \
     mkdir -p /home/argocd && \
     chown argocd:0 /home/argocd && \
     chmod g=u /home/argocd && \
-    chmod g=u /etc/passwd && \
     apt-get update && \
     apt-get dist-upgrade -y && \
-    apt-get install -y git git-lfs python3-pip tini gpg && \
+    apt-get install -y git git-lfs python3-pip tini gpg tzdata && \
     apt-get clean && \
     pip3 install awscli==1.18.80 && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -62,9 +61,9 @@ COPY --from=builder /usr/local/bin/ks /usr/local/bin/ks
 COPY --from=builder /usr/local/bin/helm2 /usr/local/bin/helm2
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
-# script to add current (possibly arbitrary) user to /etc/passwd at runtime
-# (if it's not already there, to be openshift friendly)
-COPY uid_entrypoint.sh /usr/local/bin/uid_entrypoint.sh
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+# keep uid_entrypoint.sh for backward compatibility
+RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh
 
 # support for mounting configuration from a configmap
 RUN mkdir -p /app/config/ssh && \
@@ -86,7 +85,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM node:12.18.4 as argocd-ui
+FROM docker.io/library/node:12.18.4 as argocd-ui
 
 WORKDIR /src
 ADD ["ui/package.json", "ui/yarn.lock", "./"]
@@ -102,9 +101,7 @@ RUN NODE_ENV='production' NODE_ONLINE_ENV='online' yarn build
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM golang:1.16.0 as argocd-build
-
-COPY --from=builder /usr/local/bin/packr /usr/local/bin/packr
+FROM golang:1.16.5 as argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 
@@ -115,6 +112,7 @@ RUN go mod download
 
 # Perform the build
 COPY . .
+COPY --from=argocd-ui /src/dist/app /go/src/github.com/argoproj/argo-cd/ui/dist/app
 RUN make argocd-all
 
 ARG BUILD_ALL_CLIS=true
@@ -128,13 +126,11 @@ RUN if [ "$BUILD_ALL_CLIS" = "true" ] ; then \
 ####################################################################################################
 FROM argocd-base
 COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/local/bin/
-COPY --from=argocd-ui ./src/dist/app /shared/app
 
 USER root
-RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-util
 RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server
 RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server
 RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller
 RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex
 
-USER 999
+USER 999

Dockerfile.dev

@@ -11,9 +11,4 @@ RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server
 RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server
 RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-application-controller
 RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-dex
-RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-util
-RUN ln -s /usr/local/bin/argocd-darwin-amd64 /usr/local/bin/argocd-util-darwin-amd64
-RUN ln -s /usr/local/bin/argocd-windows-amd64.exe /usr/local/bin/argocd-util-windows-amd64.exe
 USER 999
-
-COPY --from=argocd-ui ./src/dist/app /shared/app

Makefile

@@ -2,7 +2,6 @@ PACKAGE=github.com/argoproj/argo-cd/v2/common
 CURRENT_DIR=$(shell pwd)
 DIST_DIR=${CURRENT_DIR}/dist
 CLI_NAME=argocd
-UTIL_CLI_NAME=argocd-util
 BIN_NAME=argocd
 
 HOST_OS:=$(shell go env GOOS)
@@ -13,7 +12,6 @@ BUILD_DATE=$(shell date -u +'%Y-%m-%dT%H:%M:%SZ')
 GIT_COMMIT=$(shell git rev-parse HEAD)
 GIT_TAG=$(shell if [ -z "`git status --porcelain`" ]; then git describe --exact-match --tags HEAD 2>/dev/null; fi)
 GIT_TREE_STATE=$(shell if [ -z "`git status --porcelain`" ]; then echo "clean" ; else echo "dirty"; fi)
-PACKR_CMD=$(shell if [ "`which packr`" ]; then echo "packr"; else echo "go run github.com/gobuffalo/packr/packr"; fi)
 VOLUME_MOUNT=$(shell if test "$(go env GOOS)" = "darwin"; then echo ":delegated"; elif test selinuxenabled; then echo ":delegated"; else echo ""; fi)
 KUBECTL_VERSION=$(shell go list -m all | grep k8s.io/client-go | cut -d ' ' -f5)
 
@@ -47,6 +45,8 @@ ARGOCD_E2E_DEX_PORT?=5556
 ARGOCD_E2E_YARN_HOST?=localhost
 ARGOCD_E2E_DISABLE_AUTH?=
 
+ARGOCD_E2E_TEST_TIMEOUT?=20m
+
 ARGOCD_IN_CI?=false
 ARGOCD_TEST_E2E?=true
 
@@ -75,6 +75,9 @@ define run-in-test-server
 		-e ARGOCD_E2E_TEST=$(ARGOCD_E2E_TEST) \
 		-e ARGOCD_E2E_YARN_HOST=$(ARGOCD_E2E_YARN_HOST) \
 		-e ARGOCD_E2E_DISABLE_AUTH=$(ARGOCD_E2E_DISABLE_AUTH) \
+		-e ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} \
+		-e ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} \
+		-e ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} \
 		-v ${DOCKER_SRC_MOUNT} \
 		-v ${GOPATH}/pkg/mod:/go/pkg/mod${VOLUME_MOUNT} \
 		-v ${GOCACHE}:/tmp/go-build-cache${VOLUME_MOUNT} \
@@ -83,6 +86,7 @@ define run-in-test-server
 		-w ${DOCKER_WORKDIR} \
 		-p ${ARGOCD_E2E_APISERVER_PORT}:8080 \
 		-p 4000:4000 \
+		-p 5000:5000 \
 		$(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG) \
 		bash -c "$(1)"
 endef
@@ -154,7 +158,7 @@ IMAGE_PREFIX=${IMAGE_NAMESPACE}/
 endif
 
 .PHONY: all
-all: cli image argocd-util
+all: cli image
 
 # We have some legacy requirements for being checked out within $GOPATH.
 # The ensure-gopath target can be used as dependency to ensure we are running
@@ -205,11 +209,7 @@ cli: test-tools-image
 
 .PHONY: cli-local
 cli-local: clean-debug
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
-
-.PHONY: cli-argocd
-cli-argocd:
-	go build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${CLI_NAME} ./cmd
 
 .PHONY: release-cli
 release-cli: clean-debug image
@@ -219,16 +219,6 @@ release-cli: clean-debug image
 	docker cp tmp-argocd-linux:/usr/local/bin/argocd-windows-amd64.exe ${DIST_DIR}/argocd-windows-amd64.exe
 	docker rm tmp-argocd-linux
 
-.PHONY: argocd-util
-argocd-util: clean-debug
-	# Build argocd-util as a statically linked binary, so it could run within the alpine-based dex container (argoproj/argo-cd#844)
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${UTIL_CLI_NAME} ./cmd
-
-# .PHONY: dev-tools-image
-# dev-tools-image:
-# 	docker build -t $(DEV_TOOLS_PREFIX)$(DEV_TOOLS_IMAGE) . -f hack/Dockerfile.dev-tools
-# 	docker tag $(DEV_TOOLS_PREFIX)$(DEV_TOOLS_IMAGE) $(DEV_TOOLS_PREFIX)$(DEV_TOOLS_IMAGE):$(DEV_TOOLS_VERSION)
-
 .PHONY: test-tools-image
 test-tools-image:
 	docker build --build-arg UID=$(shell id -u) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
@@ -245,25 +235,19 @@ manifests: test-tools-image
 # consolidated binary for cli, util, server, repo-server, controller
 .PHONY: argocd-all
 argocd-all: clean-debug
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/${BIN_NAME} ./cmd
 
-# NOTE: we use packr to do the build instead of go, since we embed swagger files and policy.csv
-# files into the go binary
 .PHONY: server
 server: clean-debug
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-server ./cmd
 
 .PHONY: repo-server
 repo-server:
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-repo-server ./cmd
 
 .PHONY: controller
 controller:
-	CGO_ENABLED=0 ${PACKR_CMD} build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd
-
-.PHONY: packr
-packr:
-	go build -o ${DIST_DIR}/packr github.com/gobuffalo/packr/packr/
+	CGO_ENABLED=0 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-application-controller ./cmd
 
 .PHONY: image
 ifeq ($(DEV_IMAGE), true)
@@ -271,19 +255,18 @@ ifeq ($(DEV_IMAGE), true)
 # which speeds up builds. Dockerfile.dev needs to be copied into dist to perform the build, since
 # the dist directory is under .dockerignore.
 IMAGE_TAG="dev-$(shell git describe --always --dirty)"
-image: packr
+image:
 	docker build -t argocd-base --target argocd-base .
 	docker build -t argocd-ui --target argocd-ui .
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
-	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-darwin-amd64 ./cmd
-	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 dist/packr build -v -i -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-windows-amd64.exe ./cmd
+	find ./ui/dist -type f -not -name gitkeep -delete
+	docker run -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd ./cmd
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-darwin-amd64 ./cmd
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -v -ldflags '${LDFLAGS}' -o ${DIST_DIR}/argocd-windows-amd64.exe ./cmd
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-application-controller
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-repo-server
 	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-dex
-	ln -sfn ${DIST_DIR}/argocd ${DIST_DIR}/argocd-util
-	ln -sfn ${DIST_DIR}/argocd-darwin-amd64 ${DIST_DIR}/argocd-util-darwin-amd64
-	ln -sfn ${DIST_DIR}/argocd-windows-amd64.exe ${DIST_DIR}/argocd-util-windows-amd64.exe
 	cp Dockerfile.dev dist
 	docker build -t $(IMAGE_PREFIX)argocd:$(IMAGE_TAG) -f dist/Dockerfile.dev dist
 else
@@ -399,7 +382,7 @@ test-e2e:
 test-e2e-local: cli-local
 	# NO_PROXY ensures all tests don't go out through a proxy if one is configured on the test system
 	export GO111MODULE=off
-	ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout 20m -v ./test/e2e
+	ARGOCD_GPG_ENABLED=true NO_PROXY=* ./hack/test.sh -timeout $(ARGOCD_E2E_TEST_TIMEOUT) -v ./test/e2e
 
 # Spawns a shell in the test server container for debugging purposes
 debug-test-server: test-tools-image
@@ -431,14 +414,14 @@ start-e2e-local:
 	ARGOCD_TLS_DATA_PATH=/tmp/argo-e2e/app/config/tls \
 	ARGOCD_GPG_DATA_PATH=/tmp/argo-e2e/app/config/gpg/source \
 	ARGOCD_GNUPGHOME=/tmp/argo-e2e/app/config/gpg/keys \
-	ARGOCD_GPG_ENABLED=true \
+	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
 	ARGOCD_E2E_DISABLE_AUTH=false \
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=$(ARGOCD_IN_CI) \
 	ARGOCD_E2E_TEST=true \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 
-# Cleans VSCode debug.test files from sub-dirs to prevent them from being included in packr boxes
+# Cleans VSCode debug.test files from sub-dirs to prevent them from being included in by golang embed
 .PHONY: clean-debug
 clean-debug:
 	-find ${CURRENT_DIR} -name debug.test | xargs rm -f
@@ -464,7 +447,7 @@ start-local: mod-vendor-local dep-ui-local
 	mkdir -p /tmp/argocd-local/gpg/source
 	ARGOCD_ZJWT_FEATURE_FLAG=always \
 	ARGOCD_IN_CI=false \
-	ARGOCD_GPG_ENABLED=true \
+	ARGOCD_GPG_ENABLED=$(ARGOCD_GPG_ENABLED) \
 	ARGOCD_E2E_TEST=false \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 
@@ -526,16 +509,15 @@ install-tools-local: install-test-tools-local install-codegen-tools-local instal
 # Installs all tools required for running unit & end-to-end tests (Linux packages)
 .PHONY: install-test-tools-local
 install-test-tools-local:
-	sudo ./hack/install.sh packr-linux
-	sudo ./hack/install.sh kustomize-linux
-	sudo ./hack/install.sh ksonnet-linux
-	sudo ./hack/install.sh helm2-linux
-	sudo ./hack/install.sh helm-linux
+	./hack/install.sh kustomize-linux
+	./hack/install.sh ksonnet-linux
+	./hack/install.sh helm2-linux
+	./hack/install.sh helm-linux
 
 # Installs all tools required for running codegen (Linux packages)
 .PHONY: install-codegen-tools-local
 install-codegen-tools-local:
-	sudo ./hack/install.sh codegen-tools
+	./hack/install.sh codegen-tools
 
 # Installs all tools required for running codegen (Go packages)
 .PHONY: install-go-tools-local
@@ -548,3 +530,6 @@ dep-ui: test-tools-image
 
 dep-ui-local:
 	cd ui && yarn install
+
+start-test-k8s:
+	go run ./hack/k8s

OWNERS

@@ -14,3 +14,7 @@ reviewers:
 - dthomson25
 - tetchel
 - wtam2018
+- ishitasequeira
+- reginapizza
+- hblixt
+- chetan-rns

Procfile

@@ -1,8 +1,9 @@
 controller: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller go run ./cmd/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
-api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server go run ./cmd/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --staticassets ui/dist/app"
+api-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server go run ./cmd/main.go --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} "
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.27.0 serve /dex.yaml"
-redis: docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:6.2.4-alpine --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}
+redis: bash -c "if [ $ARGOCD_REDIS_LOCAL == 'true' ]; then redis-server --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; else docker run --rm --name argocd-redis -i -p ${ARGOCD_E2E_REDIS_PORT:-6379}:${ARGOCD_E2E_REDIS_PORT:-6379} redis:6.2.4-alpine --save '' --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}; fi"
 repo-server: sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server go run ./cmd/main.go --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
 ui: sh -c 'cd ui && ${ARGOCD_E2E_YARN_CMD:-yarn} start'
 git-server: test/fixture/testrepos/start-git.sh
+helm-registry: test/fixture/testrepos/start-helm-registry.sh
 dev-mounter: [[ "$ARGOCD_E2E_TEST" != "true" ]] && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}

README.md

@@ -45,6 +45,8 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 
 ### Blogs and Presentations
 
+1. [Combining Argo CD (GitOps), Crossplane (Control Plane), And KubeVela (OAM)](https://youtu.be/eEcgn_gU3SM)
+1. [How to Apply GitOps to Everything - Combining Argo CD and Crossplane](https://youtu.be/yrj4lmScKHQ)
 1. [Couchbase - How To Run a Database Cluster in Kubernetes Using Argo CD](https://youtu.be/nkPoPaVzExY)
 1. [Automation of Everything - How To Combine Argo Events, Workflows & Pipelines, CD, and Rollouts](https://youtu.be/XNXJtxkUKeY)
 1. [Environments Based On Pull Requests (PRs): Using Argo CD To Apply GitOps Principles On Previews](https://youtu.be/cpAaI8p4R60)
@@ -52,10 +54,9 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 1. [Creating Temporary Preview Environments Based On Pull Requests With Argo CD And Codefresh](https://codefresh.io/continuous-deployment/creating-temporary-preview-environments-based-pull-requests-argo-cd-codefresh/)
 1. [Tutorial: Everything You Need To Become A GitOps Ninja](https://www.youtube.com/watch?v=r50tRQjisxw) 90m tutorial on GitOps and Argo CD.
 1. [Comparison of Argo CD, Spinnaker, Jenkins X, and Tekton](https://www.inovex.de/blog/spinnaker-vs-argo-cd-vs-tekton-vs-jenkins-x/)
-1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager 3.1.2](https://medium.com/ibm-cloud/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2-4395af317359)
+1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager 3.1.2](https://www.ibm.com/cloud/blog/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2)
 1. [GitOps for Kubeflow using Argo CD](https://v0-6.kubeflow.org/docs/use-cases/gitops-for-kubeflow/)
 1. [GitOps Toolsets on Kubernetes with CircleCI and Argo CD](https://www.digitalocean.com/community/tutorials/webinar-series-gitops-tool-sets-on-kubernetes-with-circleci-and-argo-cd)
-1. [Simplify and Automate Deployments Using GitOps with IBM Multicloud Manager](https://www.ibm.com/blogs/bluemix/2019/02/simplify-and-automate-deployments-using-gitops-with-ibm-multicloud-manager-3-1-2/)
 1. [CI/CD in Light Speed with K8s and Argo CD](https://www.youtube.com/watch?v=OdzH82VpMwI&feature=youtu.be)
 1. [Machine Learning as Code](https://www.youtube.com/watch?v=VXrGp5er1ZE&t=0s&index=135&list=PLj6h78yzYM2PZf9eA7bhWnIh_mK1vyOfU). Among other things, describes how Kubeflow uses Argo CD to implement GitOPs for ML
 1. [Argo CD - GitOps Continuous Delivery for Kubernetes](https://www.youtube.com/watch?v=aWDIQMbp1cc&feature=youtu.be&t=1m4s)
@@ -67,3 +68,4 @@ Participation in the Argo CD project is governed by the [CNCF Code of Conduct](h
 1. [Setting up Argo CD with Helm](https://www.arthurkoziel.com/setting-up-argocd-with-helm/)
 1. [Applied GitOps with Argo CD](https://thenewstack.io/applied-gitops-with-argocd/)
 1. [Solving configuration drift using GitOps with Argo CD](https://www.cncf.io/blog/2020/12/17/solving-configuration-drift-using-gitops-with-argo-cd/)
+1. [Decentralized GitOps over environments](https://blogs.sap.com/2021/05/06/decentralized-gitops-over-environments/)

SECURITY.md

@@ -1,6 +1,6 @@
 # Security Policy for Argo CD
 
-Version: **v1.0 (2020-02-26)**
+Version: **v1.1 (2020-06-29)**
 
 ## Preface
 
@@ -8,6 +8,27 @@ As a deployment tool, Argo CD needs to have production access which makes
 security a very important topic. The Argoproj team takes security very
 seriously and is continuously working on improving it. 
 
+## A word about security scanners
+
+Many organisations these days employ security scanners to validate their
+container images before letting them on their clusters, and that is a good
+thing. However, the quality and results of these scanners vary greatly,
+many of them produce false positives and require people to look at the
+issues reported and validate them for correctness. A great example of that
+is, that some scanners report kernel vulnerabilities for container images
+just because they are derived from some distribution.
+
+We kindly ask you to not raise issues or contact us regarding any issues
+that are found by your security scanner. Many of those produce a lot of false
+positives, and many of these issues don't affect Argo CD. We do have scanners
+in place for our code, dependencies and container images that we publish. We
+are well aware of the issues that may affect Argo CD and are constantly
+working on the remediation of those that affect Argo CD and our users.
+
+If you believe that we might have missed an issue that we should take a look
+at (that can happen), then please discuss it with us. But please, do validate
+that assumption before at least roughly.
+
 ## Supported Versions
 
 We currently support the most recent release (`N`, e.g. `1.8`) and the release

USERS.md

@@ -8,25 +8,33 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [3Rein](https://www.3rein.com/)
 1. [7shifts](https://www.7shifts.com/)
 1. [Adevinta](https://www.adevinta.com/)
+1. [Adventure](https://jp.adventurekk.com/)
+1. [Alibaba Group](https://www.alibabagroup.com/)
 1. [Ambassador Labs](https://www.getambassador.io/)
+1. [Ant Group](https://www.antgroup.com/)
 1. [ANSTO - Australian Synchrotron](https://www.synchrotron.org.au/)
 1. [AppDirect](https://www.appdirect.com)
 1. [Arctiq Inc.](https://www.arctiq.ca)
 1. [ARZ Allgemeines Rechenzentrum GmbH ](https://www.arz.at/)
+1. [Axual B.V.](https://axual.com)
 1. [Baloise](https://www.baloise.com)
 1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
 1. [Beat](https://thebeat.co/en/)
 1. [Beez Innovation Labs](https://www.beezlabs.com/)
 1. [BioBox Analytics](https://biobox.io)
+1. [BMW Group](https://www.bmwgroup.com/)
 1. [Camptocamp](https://camptocamp.com)
 1. [CARFAX](https://www.carfax.com)
 1. [Celonis](https://www.celonis.com/)
+1. [Chime](https://www.chime.com)
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
 1. [Commonbond](https://commonbond.co/)
+1. [Crédit Agricole](https://www.ca-cib.com) 
 1. [CROZ d.o.o.](https://croz.net/)
 1. [CyberAgent](https://www.cyberagent.co.jp/en/)
 1. [Cybozu](https://cybozu-global.com)
+1. [Chargetrip](https://chargetrip.com)
 1. [D2iQ](https://www.d2iq.com)
 1. [Devtron Labs](https://github.com/devtron-labs/devtron)
 1. [EDF Renewables](https://www.edf-re.com/)
@@ -38,16 +46,24 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Fave](https://myfave.com)
 1. [Future PLC](https://www.futureplc.com/)
 1. [Garner](https://www.garnercorp.com)
+1. [G DATA CyberDefense AG](https://www.gdata-software.com/)
+1. [Generali Deutschland AG](https://www.generali.de/)
+1. [Glovo](https://www.glovoapp.com)
 1. [GMETRI](https://gmetri.com/)
 1. [Gojek](https://www.gojek.io/)
 1. [Greenpass](https://www.greenpass.com.br/)
+1. [Handelsbanken](https://www.handelsbanken.se)
 1. [Healy](https://www.healyworld.net)
 1. [hipages](https://hipages.com.au/)
+1. [Hiya](https://hiya.com)
 1. [Honestbank](https://honestbank.com)
 1. [IBM](https://www.ibm.com/)
+1. [Index Exchange](https://www.indexexchange.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Intuit](https://www.intuit.com/)
+1. [Joblift](https://joblift.com/)
 1. [JovianX](https://www.jovianx.com/)
+1. [Karrot](https://www.daangn.com/)
 1. [Kasa](https://kasa.co.kr/)
 1. [Keptn](https://keptn.sh)
 1. [Kinguin](https://www.kinguin.net/)
@@ -65,6 +81,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Money Forward](https://corp.moneyforward.com/en/)
 1. [MOO Print](https://www.moo.com/)
 1. [MTN Group](https://www.mtn.com/)
+1. [Natura &Co](https://naturaeco.com/)
 1. [New Relic](https://newrelic.com/)
 1. [Nextdoor](https://nextdoor.com/)
 1. [Nikkei](https://www.nikkei.co.jp/nikkeiinfo/en/)
@@ -79,6 +96,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
 1. [Pipefy](https://www.pipefy.com/)
+1. [Polarpoint.io](https://polarpoint.io)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Prudential](https://prudential.com.sg)
 1. [PUBG](https://www.pubg.com)
@@ -118,7 +136,22 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [VSHN - The DevOps Company](https://vshn.ch/)
 1. [Walkbase](https://www.walkbase.com/)
 1. [WeMo Scooter](https://www.wemoscooter.com/)
+1. [Webstores](https://www.webstores.nl)
 1. [Whitehat Berlin](https://whitehat.berlin) by Guido Maria Serra +Fenaroli
+1. [Witick](https://witick.io/)
+1. [WooliesX](https://wooliesx.com.au/)
+1. [Woolworths Group](https://www.woolworthsgroup.com.au/)
+1. [WSpot](https://www.wspot.com.br/)
 1. [Yieldlab](https://www.yieldlab.de/)
+1. [Zimpler](https://www.zimpler.com/)
 1. [Sap Labs](http://sap.com)
 1. [Smilee.io](https://smilee.io)
+1. [Metanet](http://www.metanet.co.kr/en/)
+1. [Unifonic Inc](https://www.unifonic.com/)
+1. [Tamkeen Technologies](https://tamkeentech.sa/)
+1. [Kaltura](https://corp.kaltura.com/)
+1. [Boticario](https://www.boticario.com.br/)
+1. [Beleza Na Web](https://www.belezanaweb.com.br/)
+1. [MariaDB](https://mariadb.com)
+1. [Lightricks](https://www.lightricks.com/)
+1. [Snapp](https://snapp.ir/)

VERSION

@@ -1 +1 @@
-2.0.4
+2.1.16

assets/embed.go

@@ -0,0 +1,7 @@
+package assets
+
+import "embed"
+
+// Embedded contains embedded assets
+//go:embed *
+var Embedded embed.FS

assets/swagger.json

@@ -2648,7 +2648,7 @@
         "tags": [
           "RepositoryService"
         ],
-        "summary": "ListApps returns list of apps in the repe",
+        "summary": "ListApps returns list of apps in the repo",
         "operationId": "RepositoryService_ListApps",
         "parameters": [
           {
@@ -2661,6 +2661,16 @@
             "type": "string",
             "name": "revision",
             "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "appName",
+            "in": "query"
+          },
+          {
+            "type": "string",
+            "name": "appProject",
+            "in": "query"
           }
         ],
         "responses": {
@@ -2857,6 +2867,12 @@
             "description": "Github App Enterprise base url if empty will default to https://api.github.com.",
             "name": "githubAppEnterpriseBaseUrl",
             "in": "query"
+          },
+          {
+            "type": "string",
+            "description": "HTTP/HTTPS proxy to access the repository.",
+            "name": "proxy",
+            "in": "query"
           }
         ],
         "responses": {
@@ -3599,6 +3615,9 @@
         "oidcConfig": {
           "$ref": "#/definitions/clusterOIDCConfig"
         },
+        "passwordPattern": {
+          "type": "string"
+        },
         "plugins": {
           "type": "array",
           "items": {
@@ -3951,6 +3970,9 @@
         "appName": {
           "type": "string"
         },
+        "appProject": {
+          "type": "string"
+        },
         "source": {
           "$ref": "#/definitions/v1alpha1ApplicationSource"
         }
@@ -4887,6 +4909,14 @@
             "type": "string"
           }
         },
+        "forceCommonAnnotations": {
+          "type": "boolean",
+          "title": "ForceCommonAnnotations specifies whether to force applying common annotations to resources for Kustomize apps"
+        },
+        "forceCommonLabels": {
+          "type": "boolean",
+          "title": "ForceCommonLabels specifies whether to force applying common labels to resources for Kustomize apps"
+        },
         "images": {
           "type": "array",
           "title": "Images is a list of Kustomize image override specifications",
@@ -5092,6 +5122,10 @@
       "type": "object",
       "title": "Cluster is the definition of a cluster resource",
       "properties": {
+        "clusterResources": {
+          "description": "Indicates if cluster level resources should be managed. This setting is used only if cluster is connected in a namespaced mode.",
+          "type": "boolean"
+        },
         "config": {
           "$ref": "#/definitions/v1alpha1ClusterConfig"
         },
@@ -5179,6 +5213,13 @@
       "type": "object",
       "title": "ClusterInfo contains information about the cluster",
       "properties": {
+        "apiVersions": {
+          "type": "array",
+          "title": "APIVersions contains list of API versions supported by the cluster",
+          "items": {
+            "type": "string"
+          }
+        },
         "applicationsCount": {
           "type": "string",
           "format": "int64",
@@ -5653,6 +5694,12 @@
           "items": {
             "type": "string"
           }
+        },
+        "jqPathExpressions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
         }
       }
     },
@@ -5684,7 +5731,7 @@
         },
         "policies": {
           "type": "array",
-          "title": "Policies Stores a list of casbin formated strings that define access policies for the role in the project",
+          "title": "Policies Stores a list of casbin formatted strings that define access policies for the role in the project",
           "items": {
             "type": "string"
           }
@@ -5695,6 +5742,10 @@
       "type": "object",
       "title": "RepoCreds holds the definition for repository credentials",
       "properties": {
+        "enableOCI": {
+          "type": "boolean",
+          "title": "EnableOCI specifies whether helm-oci support should be enabled for this repo"
+        },
         "githubAppEnterpriseBaseUrl": {
           "type": "string",
           "title": "GithubAppEnterpriseBaseURL specifies the GitHub API URL for GitHub app authentication. If empty will default to https://api.github.com"
@@ -5729,6 +5780,10 @@
           "type": "string",
           "title": "TLSClientCertKey specifies the TLS client cert key for authenticating at the repo server"
         },
+        "type": {
+          "description": "Type specifies the type of the repoCreds. Can be either \"git\" or \"helm. \"git\" is assumed if empty or absent.",
+          "type": "string"
+        },
         "url": {
           "type": "string",
           "title": "URL is the URL that this credentials matches to"
@@ -5807,6 +5862,10 @@
           "type": "string",
           "title": "Password contains the password or PAT used for authenticating at the remote repository"
         },
+        "proxy": {
+          "type": "string",
+          "title": "Proxy specifies the HTTP/HTTPS proxy used to access the repo"
+        },
         "repo": {
           "type": "string",
           "title": "Repo contains the URL to the remote repository"
@@ -5981,6 +6040,12 @@
         "group": {
           "type": "string"
         },
+        "jqPathExpressions": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
         "jsonPointers": {
           "type": "array",
           "items": {
@@ -6092,6 +6157,9 @@
           "items": {
             "$ref": "#/definitions/v1alpha1KnownTypeField"
           }
+        },
+        "useOpenLibs": {
+          "type": "boolean"
         }
       }
     },

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -75,7 +75,14 @@ func NewCommand() *cobra.Command {
 			namespace, _, err := clientConfig.Namespace()
 			errors.CheckError(err)
 
-			resyncDuration := time.Duration(appResyncPeriod) * time.Second
+			var resyncDuration time.Duration
+			if appResyncPeriod == 0 {
+				// Re-sync should be disabled if period is 0. Set duration to a very long duration
+				resyncDuration = time.Hour * 24 * 365 * 100
+			} else {
+				resyncDuration = time.Duration(appResyncPeriod) * time.Second
+			}
+
 			tlsConfig := apiclient.TLSConfiguration{
 				DisableTLS:       repoServerPlaintext,
 				StrictValidation: repoServerStrictTLS,
@@ -137,20 +144,20 @@ func NewCommand() *cobra.Command {
 	}
 
 	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	command.Flags().Int64Var(&appResyncPeriod, "app-resync", defaultAppResyncPeriod, "Time period in seconds for application resync.")
-	command.Flags().StringVar(&repoServerAddress, "repo-server", common.DefaultRepoServerAddr, "Repo server address.")
-	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
-	command.Flags().IntVar(&statusProcessors, "status-processors", 1, "Number of application status processors")
-	command.Flags().IntVar(&operationProcessors, "operation-processors", 1, "Number of application operation processors")
-	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
-	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().Int64Var(&appResyncPeriod, "app-resync", int64(env.ParseDurationFromEnv("ARGOCD_RECONCILIATION_TIMEOUT", defaultAppResyncPeriod*time.Second, 0, math.MaxInt64).Seconds()), "Time period in seconds for application resync.")
+	command.Flags().StringVar(&repoServerAddress, "repo-server", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER", common.DefaultRepoServerAddr), "Repo server address.")
+	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")
+	command.Flags().IntVar(&statusProcessors, "status-processors", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_STATUS_PROCESSORS", 20, 0, math.MaxInt32), "Number of application status processors")
+	command.Flags().IntVar(&operationProcessors, "operation-processors", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_OPERATION_PROCESSORS", 10, 0, math.MaxInt32), "Number of application operation processors")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_APPLICATION_CONTROLLER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDMetrics, "Start metrics server on given port")
-	command.Flags().DurationVar(&metricsCacheExpiration, "metrics-cache-expiration", 0*time.Second, "Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)")
-	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", 5, "Specifies timeout between application self heal attempts")
+	command.Flags().DurationVar(&metricsCacheExpiration, "metrics-cache-expiration", env.ParseDurationFromEnv("ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION", 0*time.Second, 0, math.MaxInt64), "Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)")
+	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS", 5, 0, math.MaxInt32), "Specifies timeout between application self heal attempts")
 	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", 20, "Number of allowed concurrent kubectl fork/execs. Any value less the 1 means no limit.")
-	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", false, "Disable TLS on connections to repo server")
-	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", false, "Whether to use strict validation of the TLS cert presented by the repo server")
+	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT", false), "Disable TLS on connections to repo server")
+	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS", false), "Whether to use strict validation of the TLS cert presented by the repo server")
 	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
 		redisClient = client
 	})

cmd/argocd-repo-server/commands/argocd_repo_server.go

@@ -13,6 +13,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/health/grpc_health_v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
 	"github.com/argoproj/argo-cd/v2/common"
@@ -63,14 +64,15 @@ func getPauseGenerationOnFailureForRequests() int {
 
 func NewCommand() *cobra.Command {
 	var (
-		parallelismLimit       int64
-		listenPort             int
-		metricsPort            int
-		cacheSrc               func() (*reposervercache.Cache, error)
-		tlsConfigCustomizer    tls.ConfigCustomizer
-		tlsConfigCustomizerSrc func() (tls.ConfigCustomizer, error)
-		redisClient            *redis.Client
-		disableTLS             bool
+		parallelismLimit                  int64
+		listenPort                        int
+		metricsPort                       int
+		cacheSrc                          func() (*reposervercache.Cache, error)
+		tlsConfigCustomizer               tls.ConfigCustomizer
+		tlsConfigCustomizerSrc            func() (tls.ConfigCustomizer, error)
+		redisClient                       *redis.Client
+		disableTLS                        bool
+		maxCombinedDirectoryManifestsSize string
 	)
 	var command = cobra.Command{
 		Use:               cliName,
@@ -90,13 +92,17 @@ func NewCommand() *cobra.Command {
 			cache, err := cacheSrc()
 			errors.CheckError(err)
 
+			maxCombinedDirectoryManifestsQuantity, err := resource.ParseQuantity(maxCombinedDirectoryManifestsSize)
+			errors.CheckError(err)
+
 			metricsServer := metrics.NewMetricsServer()
 			cacheutil.CollectMetrics(redisClient, metricsServer)
 			server, err := reposerver.NewServer(metricsServer, cache, tlsConfigCustomizer, repository.RepoServerInitConstants{
-				ParallelismLimit: parallelismLimit,
+				ParallelismLimit:                             parallelismLimit,
 				PauseGenerationAfterFailedGenerationAttempts: getPauseGenerationAfterFailedGenerationAttempts(),
 				PauseGenerationOnFailureForMinutes:           getPauseGenerationOnFailureForMinutes(),
 				PauseGenerationOnFailureForRequests:          getPauseGenerationOnFailureForRequests(),
+				MaxCombinedDirectoryManifestsSize:            maxCombinedDirectoryManifestsQuantity,
 			})
 			errors.CheckError(err)
 
@@ -151,13 +157,16 @@ func NewCommand() *cobra.Command {
 			return nil
 		},
 	}
-
-	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
-	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
-	command.Flags().Int64Var(&parallelismLimit, "parallelismlimit", 0, "Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.")
+	if cmdutil.LogFormat == "" {
+		cmdutil.LogFormat = os.Getenv("ARGOCD_REPO_SERVER_LOGLEVEL")
+	}
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_REPO_SERVER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_REPO_SERVER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().Int64Var(&parallelismLimit, "parallelismlimit", int64(env.ParseNumFromEnv("ARGOCD_REPO_SERVER_PARALLELISM_LIMIT", 0, 0, math.MaxInt32)), "Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.")
 	command.Flags().IntVar(&listenPort, "port", common.DefaultPortRepoServer, "Listen on given port for incoming connections")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortRepoServerMetrics, "Start metrics server on given port")
-	command.Flags().BoolVar(&disableTLS, "disable-tls", false, "Disable TLS on the gRPC endpoint")
+	command.Flags().BoolVar(&disableTLS, "disable-tls", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_DISABLE_TLS", false), "Disable TLS on the gRPC endpoint")
+	command.Flags().StringVar(&maxCombinedDirectoryManifestsSize, "max-combined-directory-manifests-size", env.StringFromEnv("ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE", "10M"), "Max combined size of manifest files in a directory-type Application")
 
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
 	cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {

cmd/argocd-server/commands/argocd_server.go

@@ -3,6 +3,7 @@ package commands
 import (
 	"context"
 	"fmt"
+	"math"
 	"time"
 
 	"github.com/argoproj/pkg/stats"
@@ -51,7 +52,6 @@ func NewCommand() *cobra.Command {
 		glogLevel                int
 		clientConfig             clientcmd.ClientConfig
 		repoServerTimeoutSeconds int
-		staticAssetsDir          string
 		baseHRef                 string
 		rootPath                 string
 		repoServerAddress        string
@@ -63,6 +63,7 @@ func NewCommand() *cobra.Command {
 		frameOptions             string
 		repoServerPlaintext      bool
 		repoServerStrictTLS      bool
+		staticAssetsDir          string
 	)
 	var command = &cobra.Command{
 		Use:               cliName,
@@ -127,7 +128,6 @@ func NewCommand() *cobra.Command {
 				ListenPort:          listenPort,
 				MetricsPort:         metricsPort,
 				Namespace:           namespace,
-				StaticAssetsDir:     staticAssetsDir,
 				BaseHRef:            baseHRef,
 				RootPath:            rootPath,
 				KubeClientset:       kubeclientset,
@@ -140,6 +140,7 @@ func NewCommand() *cobra.Command {
 				Cache:               cache,
 				XFrameOptions:       frameOptions,
 				RedisClient:         redisClient,
+				StaticAssetsDir:     staticAssetsDir,
 			}
 
 			stats.RegisterStackDumper()
@@ -157,24 +158,24 @@ func NewCommand() *cobra.Command {
 	}
 
 	clientConfig = cli.AddKubectlFlagsToCmd(command)
-	command.Flags().BoolVar(&insecure, "insecure", false, "Run server without TLS")
-	command.Flags().StringVar(&staticAssetsDir, "staticassets", "", "Static assets directory path")
-	command.Flags().StringVar(&baseHRef, "basehref", "/", "Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from /")
-	command.Flags().StringVar(&rootPath, "rootpath", "", "Used if Argo CD is running behind reverse proxy under subpath different from /")
-	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
-	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().BoolVar(&insecure, "insecure", env.ParseBoolFromEnv("ARGOCD_SERVER_INSECURE", false), "Run server without TLS")
+	command.Flags().StringVar(&staticAssetsDir, "staticassets", env.StringFromEnv("ARGOCD_SERVER_STATIC_ASSETS", "/shared/app"), "Directory path that contains additional static assets")
+	command.Flags().StringVar(&baseHRef, "basehref", env.StringFromEnv("ARGOCD_SERVER_BASEHREF", "/"), "Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from /")
+	command.Flags().StringVar(&rootPath, "rootpath", env.StringFromEnv("ARGOCD_SERVER_ROOTPATH", ""), "Used if Argo CD is running behind reverse proxy under subpath different from /")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_SERVER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_REPO_SERVER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
-	command.Flags().StringVar(&repoServerAddress, "repo-server", common.DefaultRepoServerAddr, "Repo server address")
-	command.Flags().StringVar(&dexServerAddress, "dex-server", common.DefaultDexServerAddr, "Dex server address")
-	command.Flags().BoolVar(&disableAuth, "disable-auth", false, "Disable client authentication")
-	command.Flags().BoolVar(&enableGZip, "enable-gzip", false, "Enable GZIP compression")
+	command.Flags().StringVar(&repoServerAddress, "repo-server", env.StringFromEnv("ARGOCD_SERVER_REPO_SERVER", common.DefaultRepoServerAddr), "Repo server address")
+	command.Flags().StringVar(&dexServerAddress, "dex-server", env.StringFromEnv("ARGOCD_SERVER_DEX_SERVER", common.DefaultDexServerAddr), "Dex server address")
+	command.Flags().BoolVar(&disableAuth, "disable-auth", env.ParseBoolFromEnv("ARGOCD_SERVER_DISABLE_AUTH", false), "Disable client authentication")
+	command.Flags().BoolVar(&enableGZip, "enable-gzip", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_GZIP", false), "Enable GZIP compression")
 	command.AddCommand(cli.NewVersionCmd(cliName))
 	command.Flags().IntVar(&listenPort, "port", common.DefaultPortAPIServer, "Listen on given port")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDAPIServerMetrics, "Start metrics on given port")
-	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", 60, "Repo server RPC call timeout seconds.")
-	command.Flags().StringVar(&frameOptions, "x-frame-options", "sameorigin", "Set X-Frame-Options header in HTTP responses to `value`. To disable, set to \"\".")
-	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", false, "Use a plaintext client (non-TLS) to connect to repository server")
-	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", false, "Perform strict validation of TLS certificates when connecting to repo server")
+	command.Flags().IntVar(&repoServerTimeoutSeconds, "repo-server-timeout-seconds", env.ParseNumFromEnv("ARGOCD_SERVER_REPO_SERVER_TIMEOUT_SECONDS", 60, 0, math.MaxInt64), "Repo server RPC call timeout seconds.")
+	command.Flags().StringVar(&frameOptions, "x-frame-options", env.StringFromEnv("ARGOCD_SERVER_X_FRAME_OPTIONS", "sameorigin"), "Set X-Frame-Options header in HTTP responses to `value`. To disable, set to \"\".")
+	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_SERVER_REPO_SERVER_PLAINTEXT", false), "Use a plaintext client (non-TLS) to connect to repository server")
+	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_SERVER_REPO_SERVER_STRICT_TLS", false), "Perform strict validation of TLS certificates when connecting to repo server")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(command)
 	cacheSrc = servercache.AddCacheFlagsToCmd(command, func(client *redis.Client) {
 		redisClient = client

cmd/argocd-util/commands/cluster.go

@@ -1,237 +0,0 @@
-package commands
-
-import (
-	"context"
-	"fmt"
-	"os"
-	"text/tabwriter"
-	"time"
-
-	"github.com/argoproj/gitops-engine/pkg/utils/kube"
-	"github.com/go-redis/redis/v8"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/kubernetes"
-	"k8s.io/client-go/kubernetes/fake"
-	"k8s.io/client-go/tools/clientcmd"
-
-	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
-	"github.com/argoproj/argo-cd/v2/common"
-	"github.com/argoproj/argo-cd/v2/controller/sharding"
-	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
-	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
-	"github.com/argoproj/argo-cd/v2/util/cli"
-	"github.com/argoproj/argo-cd/v2/util/db"
-	"github.com/argoproj/argo-cd/v2/util/errors"
-	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
-	"github.com/argoproj/argo-cd/v2/util/settings"
-)
-
-func NewClusterCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
-	var command = &cobra.Command{
-		Use:   "cluster",
-		Short: "Manage clusters configuration",
-		Run: func(c *cobra.Command, args []string) {
-			c.HelpFunc()(c, args)
-		},
-	}
-
-	command.AddCommand(NewClusterConfig())
-	command.AddCommand(NewGenClusterConfigCommand(pathOpts))
-	command.AddCommand(NewClusterStatsCommand())
-
-	return command
-}
-
-func NewClusterStatsCommand() *cobra.Command {
-	var (
-		shard            int
-		replicas         int
-		clientConfig     clientcmd.ClientConfig
-		cacheSrc         func() (*appstatecache.Cache, error)
-		portForwardRedis bool
-	)
-	var command = cobra.Command{
-		Use:   "stats",
-		Short: "Prints information cluster statistics and inferred shard number",
-		Run: func(cmd *cobra.Command, args []string) {
-			log.SetLevel(log.WarnLevel)
-
-			clientCfg, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-
-			kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
-			if replicas == 0 {
-				controllerPods, err := kubeClient.CoreV1().Pods(namespace).List(context.Background(), v1.ListOptions{
-					LabelSelector: "app.kubernetes.io/name=argocd-application-controller"})
-				errors.CheckError(err)
-				replicas = len(controllerPods.Items)
-			}
-
-			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, namespace)
-
-			argoDB := db.NewDB(namespace, settingsMgr, kubeClient)
-			clusters, err := argoDB.ListClusters(context.Background())
-			errors.CheckError(err)
-			var cache *appstatecache.Cache
-			if portForwardRedis {
-				port, err := kubeutil.PortForward("app.kubernetes.io/name=argocd-redis-ha-haproxy", 6379, namespace)
-				errors.CheckError(err)
-				client := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", port)})
-				cache = appstatecache.NewCache(cacheutil.NewCache(cacheutil.NewRedisCache(client, time.Hour)), time.Hour)
-			} else {
-				cache, err = cacheSrc()
-				errors.CheckError(err)
-			}
-
-			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
-			_, _ = fmt.Fprintf(w, "SERVER\tSHARD\tCONNECTION\tAPPS COUNT\tRESOURCES COUNT\n")
-
-			for _, cluster := range clusters.Items {
-				clusterShard := 0
-				if replicas > 0 {
-					clusterShard = sharding.GetShardByID(cluster.ID, replicas)
-				}
-
-				if shard != -1 && clusterShard != shard {
-					continue
-				}
-
-				var info argoappv1.ClusterInfo
-				_ = cache.GetClusterInfo(cluster.Server, &info)
-				_, _ = fmt.Fprintf(w, "%s\t%d\t%s\t%d\t%d\n", cluster.Server, clusterShard, info.ConnectionState.Status, info.ApplicationsCount, info.CacheInfo.ResourcesCount)
-			}
-			_ = w.Flush()
-		},
-	}
-	clientConfig = cli.AddKubectlFlagsToCmd(&command)
-	command.Flags().IntVar(&shard, "shard", -1, "Cluster shard filter")
-	command.Flags().IntVar(&replicas, "replicas", 0, "Application controller replicas count. Inferred from number of running controller pods if not specified")
-	command.Flags().BoolVar(&portForwardRedis, "port-forward-redis", true, "Automatically port-forward ha proxy redis from current namespace?")
-	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command)
-	return &command
-}
-
-// NewClusterConfig returns a new instance of `argocd-util kubeconfig` command
-func NewClusterConfig() *cobra.Command {
-	var (
-		clientConfig clientcmd.ClientConfig
-	)
-	var command = &cobra.Command{
-		Use:               "kubeconfig CLUSTER_URL OUTPUT_PATH",
-		Short:             "Generates kubeconfig for the specified cluster",
-		DisableAutoGenTag: true,
-		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
-				c.HelpFunc()(c, args)
-				os.Exit(1)
-			}
-			serverUrl := args[0]
-			output := args[1]
-			conf, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			namespace, _, err := clientConfig.Namespace()
-			errors.CheckError(err)
-			kubeclientset, err := kubernetes.NewForConfig(conf)
-			errors.CheckError(err)
-
-			cluster, err := db.NewDB(namespace, settings.NewSettingsManager(context.Background(), kubeclientset, namespace), kubeclientset).GetCluster(context.Background(), serverUrl)
-			errors.CheckError(err)
-			err = kube.WriteKubeConfig(cluster.RawRestConfig(), namespace, output)
-			errors.CheckError(err)
-		},
-	}
-	clientConfig = cli.AddKubectlFlagsToCmd(command)
-	return command
-}
-
-func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
-	var (
-		clusterOpts  cmdutil.ClusterOptions
-		bearerToken  string
-		outputFormat string
-	)
-	var command = &cobra.Command{
-		Use:   "generate-spec CONTEXT",
-		Short: "Generate declarative config for a cluster",
-		Run: func(c *cobra.Command, args []string) {
-			log.SetLevel(log.WarnLevel)
-			var configAccess clientcmd.ConfigAccess = pathOpts
-			if len(args) == 0 {
-				log.Error("Choose a context name from:")
-				cmdutil.PrintKubeContexts(configAccess)
-				os.Exit(1)
-			}
-			cfgAccess, err := configAccess.GetStartingConfig()
-			errors.CheckError(err)
-			contextName := args[0]
-			clstContext := cfgAccess.Contexts[contextName]
-			if clstContext == nil {
-				log.Fatalf("Context %s does not exist in kubeconfig", contextName)
-			}
-
-			overrides := clientcmd.ConfigOverrides{
-				Context: *clstContext,
-			}
-			clientConfig := clientcmd.NewDefaultClientConfig(*cfgAccess, &overrides)
-			conf, err := clientConfig.ClientConfig()
-			errors.CheckError(err)
-			kubeClientset := fake.NewSimpleClientset()
-
-			var awsAuthConf *argoappv1.AWSAuthConfig
-			var execProviderConf *argoappv1.ExecProviderConfig
-			if clusterOpts.AwsClusterName != "" {
-				awsAuthConf = &argoappv1.AWSAuthConfig{
-					ClusterName: clusterOpts.AwsClusterName,
-					RoleARN:     clusterOpts.AwsRoleArn,
-				}
-			} else if clusterOpts.ExecProviderCommand != "" {
-				execProviderConf = &argoappv1.ExecProviderConfig{
-					Command:     clusterOpts.ExecProviderCommand,
-					Args:        clusterOpts.ExecProviderArgs,
-					Env:         clusterOpts.ExecProviderEnv,
-					APIVersion:  clusterOpts.ExecProviderAPIVersion,
-					InstallHint: clusterOpts.ExecProviderInstallHint,
-				}
-			} else if bearerToken == "" {
-				bearerToken = "bearer-token"
-			}
-			if clusterOpts.Name != "" {
-				contextName = clusterOpts.Name
-			}
-			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, conf, bearerToken, awsAuthConf, execProviderConf)
-			if clusterOpts.InCluster {
-				clst.Server = common.KubernetesInternalAPIServerAddr
-			}
-			if clusterOpts.Shard >= 0 {
-				clst.Shard = &clusterOpts.Shard
-			}
-
-			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
-			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
-
-			_, err = argoDB.CreateCluster(context.Background(), clst)
-			errors.CheckError(err)
-
-			secName, err := db.ServerToSecretName(clst.Server)
-			errors.CheckError(err)
-
-			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), secName, v1.GetOptions{})
-			errors.CheckError(err)
-
-			cmdutil.ConvertSecretData(secret)
-			var printResources []interface{}
-			printResources = append(printResources, secret)
-			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
-		},
-	}
-	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
-	command.Flags().StringVar(&bearerToken, "bearer-token", "", "Authentication token that should be used to access K8S API server")
-	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
-	cmdutil.AddClusterFlags(command, &clusterOpts)
-	return command
-}

cmd/argocd-util/commands/project_allowlist_test.go

@@ -1,57 +0,0 @@
-package commands
-
-import (
-	"reflect"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/undefinedlabs/go-mpatch"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/client-go/discovery"
-	restclient "k8s.io/client-go/rest"
-	"k8s.io/client-go/tools/clientcmd"
-)
-
-func TestProjectAllowListGen(t *testing.T) {
-	useMock := true
-	rules := clientcmd.NewDefaultClientConfigLoadingRules()
-	overrides := &clientcmd.ConfigOverrides{}
-	clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(rules, overrides)
-
-	if useMock {
-		var patchClientConfig *mpatch.Patch
-		patchClientConfig, err := mpatch.PatchInstanceMethodByName(reflect.TypeOf(clientConfig), "ClientConfig", func(*clientcmd.DeferredLoadingClientConfig) (*restclient.Config, error) {
-			return nil, nil
-		})
-		assert.NoError(t, err)
-
-		patch, err := mpatch.PatchMethod(discovery.NewDiscoveryClientForConfig, func(c *restclient.Config) (*discovery.DiscoveryClient, error) {
-			return &discovery.DiscoveryClient{LegacyPrefix: "/api"}, nil
-		})
-		assert.NoError(t, err)
-
-		var patchSeverPreferedResources *mpatch.Patch
-		discoClient := &discovery.DiscoveryClient{}
-		patchSeverPreferedResources, err = mpatch.PatchInstanceMethodByName(reflect.TypeOf(discoClient), "ServerPreferredResources", func(*discovery.DiscoveryClient) ([]*metav1.APIResourceList, error) {
-			res := metav1.APIResource{
-				Name: "services",
-				Kind: "Service",
-			}
-			resourceList := []*metav1.APIResourceList{{APIResources: []metav1.APIResource{res}}}
-			return resourceList, nil
-		})
-		assert.NoError(t, err)
-
-		defer func() {
-			err = patchClientConfig.Unpatch()
-			assert.NoError(t, err)
-			err = patch.Unpatch()
-			assert.NoError(t, err)
-			err = patchSeverPreferedResources.Unpatch()
-			err = patch.Unpatch()
-		}()
-	}
-
-	globalProj := generateProjectAllowList(clientConfig, "testdata/test_clusterrole.yaml", "testproj")
-	assert.True(t, len(globalProj.Spec.NamespaceResourceWhitelist) > 0)
-}

cmd/argocd/commands/account.go

@@ -14,7 +14,7 @@ import (
 	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/term"
 
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	accountpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/account"
@@ -68,7 +68,7 @@ func NewAccountUpdatePasswordCommand(clientOpts *argocdclient.ClientOptions) *co
 
 			if userInfo.Iss == sessionutil.SessionManagerClaimsIssuer && currentPassword == "" {
 				fmt.Print("*** Enter current password: ")
-				password, err := terminal.ReadPassword(int(os.Stdin.Fd()))
+				password, err := term.ReadPassword(int(os.Stdin.Fd()))
 				errors.CheckError(err)
 				currentPassword = string(password)
 				fmt.Print("\n")
@@ -362,7 +362,7 @@ argocd account generate-token --account <account-name>`,
 	}
 	cmd.Flags().StringVarP(&account, "account", "a", "", "Account name. Defaults to the current account.")
 	cmd.Flags().StringVarP(&expiresIn, "expires-in", "e", "0s", "Duration before the token will expire. (Default: No expiration)")
-	cmd.Flags().StringVar(&id, "id", "", "Optional token id. Fallback to uuid if not value specified.")
+	cmd.Flags().StringVar(&id, "id", "", "Optional token id. Fall back to uuid if not value specified.")
 	return cmd
 }
 
@@ -377,7 +377,7 @@ func NewAccountDeleteTokenCommand(clientOpts *argocdclient.ClientOptions) *cobra
 argocd account delete-token ID
 
 # Delete token of the account with the specified name
-argocd account generate-token --account <account-name>`,
+argocd account delete-token --account <account-name> ID`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 1 {
 				c.HelpFunc()(c, args)

cmd/argocd/commands/admin/admin.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"reflect"
@@ -15,42 +15,38 @@ import (
 
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
 	"github.com/argoproj/argo-cd/v2/common"
-	"github.com/argoproj/argo-cd/v2/util/cli"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 	"github.com/argoproj/argo-cd/v2/util/settings"
 )
 
 const (
-	// CLIName is the name of the CLI
-	cliName = "argocd-util"
 	// YamlSeparator separates sections of a YAML file
 	yamlSeparator = "---\n"
 )
 
 var (
-	configMapResource    = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
-	secretResource       = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"}
-	applicationsResource = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applications"}
-	appprojectsResource  = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "appprojects"}
+	configMapResource       = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "configmaps"}
+	secretResource          = schema.GroupVersionResource{Group: "", Version: "v1", Resource: "secrets"}
+	applicationsResource    = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applications"}
+	appprojectsResource     = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "appprojects"}
+	appplicationSetResource = schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applicationsets"}
 )
 
-// NewCommand returns a new instance of an argocd command
-func NewCommand() *cobra.Command {
+// NewAdminCommand returns a new instance of an argocd command
+func NewAdminCommand() *cobra.Command {
 	var (
 		pathOpts = clientcmd.NewDefaultPathOptions()
 	)
 
 	var command = &cobra.Command{
-		Use:               cliName,
-		Short:             "argocd-util tools used by Argo CD",
-		Long:              "argocd-util has internal utility tools used by Argo CD",
+		Use:               "admin",
+		Short:             "Contains a set of commands useful for Argo CD administrators and requires direct Kubernetes access",
 		DisableAutoGenTag: true,
 		Run: func(c *cobra.Command, args []string) {
 			c.HelpFunc()(c, args)
 		},
 	}
 
-	command.AddCommand(cli.NewVersionCmd(cliName))
 	command.AddCommand(NewClusterCommand(pathOpts))
 	command.AddCommand(NewProjectsCommand())
 	command.AddCommand(NewSettingsCommand())
@@ -58,6 +54,7 @@ func NewCommand() *cobra.Command {
 	command.AddCommand(NewRepoCommand())
 	command.AddCommand(NewImportCommand())
 	command.AddCommand(NewExportCommand())
+	command.AddCommand(NewDashboardCommand())
 
 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
 	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
@@ -65,20 +62,22 @@ func NewCommand() *cobra.Command {
 }
 
 type argoCDClientsets struct {
-	configMaps   dynamic.ResourceInterface
-	secrets      dynamic.ResourceInterface
-	applications dynamic.ResourceInterface
-	projects     dynamic.ResourceInterface
+	configMaps      dynamic.ResourceInterface
+	secrets         dynamic.ResourceInterface
+	applications    dynamic.ResourceInterface
+	projects        dynamic.ResourceInterface
+	applicationSets dynamic.ResourceInterface
 }
 
 func newArgoCDClientsets(config *rest.Config, namespace string) *argoCDClientsets {
 	dynamicIf, err := dynamic.NewForConfig(config)
 	errors.CheckError(err)
 	return &argoCDClientsets{
-		configMaps:   dynamicIf.Resource(configMapResource).Namespace(namespace),
-		secrets:      dynamicIf.Resource(secretResource).Namespace(namespace),
-		applications: dynamicIf.Resource(applicationsResource).Namespace(namespace),
-		projects:     dynamicIf.Resource(appprojectsResource).Namespace(namespace),
+		configMaps:      dynamicIf.Resource(configMapResource).Namespace(namespace),
+		secrets:         dynamicIf.Resource(secretResource).Namespace(namespace),
+		applications:    dynamicIf.Resource(applicationsResource).Namespace(namespace),
+		projects:        dynamicIf.Resource(appprojectsResource).Namespace(namespace),
+		applicationSets: dynamicIf.Resource(appplicationSetResource).Namespace(namespace),
 	}
 }
 

cmd/argocd/commands/admin/app.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"context"
@@ -21,7 +21,6 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
-	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/controller"
 	"github.com/argoproj/argo-cd/v2/controller/cache"
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
@@ -35,6 +34,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/config"
 	"github.com/argoproj/argo-cd/v2/util/db"
 	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
 	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
 	"github.com/argoproj/argo-cd/v2/util/settings"
 )
@@ -62,31 +62,33 @@ func NewGenAppSpecCommand() *cobra.Command {
 		appName      string
 		labels       []string
 		outputFormat string
+		annotations  []string
+		inline       bool
 	)
 	var command = &cobra.Command{
 		Use:   "generate-spec APPNAME",
 		Short: "Generate declarative config for an application",
 		Example: `
 	# Generate declarative config for a directory app
-	argocd-util app generate-spec guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --directory-recurse
+	argocd admin app generate-spec guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --directory-recurse
 
 	# Generate declarative config for a Jsonnet app
-	argocd-util app generate-spec jsonnet-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path jsonnet-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --jsonnet-ext-str replicas=2
+	argocd admin app generate-spec jsonnet-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path jsonnet-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --jsonnet-ext-str replicas=2
 
 	# Generate declarative config for a Helm app
-	argocd-util app generate-spec helm-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path helm-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --helm-set replicaCount=2
+	argocd admin app generate-spec helm-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path helm-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --helm-set replicaCount=2
 
 	# Generate declarative config for a Helm app from a Helm repo
-	argocd-util app generate-spec nginx-ingress --repo https://kubernetes-charts.storage.googleapis.com --helm-chart nginx-ingress --revision 1.24.3 --dest-namespace default --dest-server https://kubernetes.default.svc
+	argocd admin app generate-spec nginx-ingress --repo https://charts.helm.sh/stable --helm-chart nginx-ingress --revision 1.24.3 --dest-namespace default --dest-server https://kubernetes.default.svc
 
 	# Generate declarative config for a Kustomize app
-	argocd-util app generate-spec kustomize-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path kustomize-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --kustomize-image gcr.io/heptio-images/ks-guestbook-demo:0.1
+	argocd admin app generate-spec kustomize-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path kustomize-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --kustomize-image gcr.io/heptio-images/ks-guestbook-demo:0.1
 
 	# Generate declarative config for a app using a custom tool:
-	argocd-util app generate-spec ksane --repo https://github.com/argoproj/argocd-example-apps.git --path plugins/kasane --dest-namespace default --dest-server https://kubernetes.default.svc --config-management-plugin kasane
+	argocd admin app generate-spec ksane --repo https://github.com/argoproj/argocd-example-apps.git --path plugins/kasane --dest-namespace default --dest-server https://kubernetes.default.svc --config-management-plugin kasane
 `,
 		Run: func(c *cobra.Command, args []string) {
-			app, err := cmdutil.ConstructApp(fileURL, appName, labels, args, appOpts, c.Flags())
+			app, err := cmdutil.ConstructApp(fileURL, appName, labels, annotations, args, appOpts, c.Flags())
 			errors.CheckError(err)
 
 			if app.Name == "" {
@@ -94,15 +96,19 @@ func NewGenAppSpecCommand() *cobra.Command {
 				os.Exit(1)
 			}
 
-			var printResources []interface{}
-			printResources = append(printResources, app)
-			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+			out, closer, err := getOutWriter(inline, fileURL)
+			errors.CheckError(err)
+			defer io.Close(closer)
+
+			errors.CheckError(PrintResources(outputFormat, out, app))
 		},
 	}
 	command.Flags().StringVar(&appName, "name", "", "A name for the app, ignored if a file is set (DEPRECATED)")
 	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the app")
 	command.Flags().StringArrayVarP(&labels, "label", "l", []string{}, "Labels to apply to the app")
+	command.Flags().StringArrayVarP(&annotations, "annotations", "", []string{}, "Set metadata annotations (e.g. example=value)")
 	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	command.Flags().BoolVarP(&inline, "inline", "i", false, "If set then generated resource is written back to the file specified in --file flag")
 
 	// Only complete files with appropriate extension.
 	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
@@ -237,7 +243,7 @@ func NewReconcileCommand() *cobra.Command {
 			}
 			outputPath := args[0]
 
-			errors.CheckError(os.Setenv(common.EnvVarFakeInClusterConfig, "true"))
+			errors.CheckError(os.Setenv(v1alpha1.EnvVarFakeInClusterConfig, "true"))
 			cfg, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
 			namespace, _, err := clientConfig.Namespace()
@@ -247,7 +253,8 @@ func NewReconcileCommand() *cobra.Command {
 			if refresh {
 				if repoServerAddress == "" {
 					printLine("Repo server is not provided, trying to port-forward to argocd-repo-server pod.")
-					repoServerPort, err := kubeutil.PortForward("app.kubernetes.io/name=argocd-repo-server", 8081, namespace)
+					overrides := clientcmd.ConfigOverrides{}
+					repoServerPort, err := kubeutil.PortForward(8081, namespace, &overrides, "app.kubernetes.io/name=argocd-repo-server")
 					errors.CheckError(err)
 					repoServerAddress = fmt.Sprintf("localhost:%d", repoServerPort)
 				}
@@ -389,7 +396,7 @@ func reconcileApplications(
 			return nil, err
 		}
 
-		res := appStateManager.CompareAppState(&app, proj, app.Spec.Source.TargetRevision, app.Spec.Source, false, nil)
+		res := appStateManager.CompareAppState(&app, proj, app.Spec.Source.TargetRevision, app.Spec.Source, false, false, nil)
 		items = append(items, appReconcileResult{
 			Name:       app.Name,
 			Conditions: app.Status.Conditions,

cmd/argocd/commands/admin/app_test.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"testing"
@@ -16,7 +16,6 @@ import (
 	kubefake "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/tools/cache"
 
-	"github.com/argoproj/argo-cd/v2/common"
 	statecache "github.com/argoproj/argo-cd/v2/controller/cache"
 	cachemocks "github.com/argoproj/argo-cd/v2/controller/cache/mocks"
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
@@ -79,7 +78,7 @@ func TestGetReconcileResults_Refresh(t *testing.T) {
 		Spec: v1alpha1.ApplicationSpec{
 			Project: "default",
 			Destination: v1alpha1.ApplicationDestination{
-				Server:    common.KubernetesInternalAPIServerAddr,
+				Server:    v1alpha1.KubernetesInternalAPIServerAddr,
 				Namespace: "default",
 			},
 		},

cmd/argocd/commands/admin/backup.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"bufio"
@@ -10,7 +10,7 @@ import (
 
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/ghodss/yaml"
-	"github.com/sirupsen/logrus"
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	apierr "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -86,6 +86,19 @@ func NewExportCommand() *cobra.Command {
 			for _, app := range applications.Items {
 				export(writer, app)
 			}
+			applicationSets, err := acdClients.applicationSets.List(context.Background(), v1.ListOptions{})
+			if err != nil && !apierr.IsNotFound(err) {
+				if apierr.IsForbidden(err) {
+					log.Warn(err)
+				} else {
+					errors.CheckError(err)
+				}
+			}
+			if applicationSets != nil {
+				for _, appSet := range applicationSets.Items {
+					export(writer, appSet)
+				}
+			}
 		},
 	}
 
@@ -167,6 +180,17 @@ func NewImportCommand() *cobra.Command {
 			for _, proj := range projects.Items {
 				pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "AppProject", Name: proj.GetName()}] = proj
 			}
+			applicationSets, err := acdClients.applicationSets.List(context.Background(), v1.ListOptions{})
+			if apierr.IsForbidden(err) || apierr.IsNotFound(err) {
+				log.Warnf("argoproj.io/ApplicationSet: %v\n", err)
+			} else {
+				errors.CheckError(err)
+			}
+			if applicationSets != nil {
+				for _, appSet := range applicationSets.Items {
+					pruneObjects[kube.ResourceKey{Group: "argoproj.io", Kind: "ApplicationSet", Name: appSet.GetName()}] = appSet
+				}
+			}
 
 			// Create or replace existing object
 			backupObjects, err := kube.SplitYAML(input)
@@ -186,24 +210,43 @@ func NewImportCommand() *cobra.Command {
 					dynClient = acdClients.projects
 				case "Application":
 					dynClient = acdClients.applications
+				case "ApplicationSet":
+					dynClient = acdClients.applicationSets
 				}
 				if !exists {
+					isForbidden := false
 					if !dryRun {
 						_, err = dynClient.Create(context.Background(), bakObj, v1.CreateOptions{})
-						errors.CheckError(err)
+						if apierr.IsForbidden(err) || apierr.IsNotFound(err) {
+							isForbidden = true
+							log.Warnf("%s/%s %s: %v", gvk.Group, gvk.Kind, bakObj.GetName(), err)
+						} else {
+							errors.CheckError(err)
+						}
 					}
-					fmt.Printf("%s/%s %s created%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
+					if !isForbidden {
+						fmt.Printf("%s/%s %s created%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
+					}
+
 				} else if specsEqual(*bakObj, liveObj) {
 					if verbose {
 						fmt.Printf("%s/%s %s unchanged%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
 					}
 				} else {
+					isForbidden := false
 					if !dryRun {
 						newLive := updateLive(bakObj, &liveObj)
 						_, err = dynClient.Update(context.Background(), newLive, v1.UpdateOptions{})
-						errors.CheckError(err)
+						if apierr.IsForbidden(err) || apierr.IsNotFound(err) {
+							isForbidden = true
+							log.Warnf("%s/%s %s: %v", gvk.Group, gvk.Kind, bakObj.GetName(), err)
+						} else {
+							errors.CheckError(err)
+						}
+					}
+					if !isForbidden {
+						fmt.Printf("%s/%s %s updated%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
 					}
-					fmt.Printf("%s/%s %s updated%s\n", gvk.Group, gvk.Kind, bakObj.GetName(), dryRunMsg)
 				}
 			}
 
@@ -228,16 +271,24 @@ func NewImportCommand() *cobra.Command {
 								}
 							}
 						}
+					case "ApplicationSet":
+						dynClient = acdClients.applicationSets
 					default:
-						logrus.Fatalf("Unexpected kind '%s' in prune list", key.Kind)
+						log.Fatalf("Unexpected kind '%s' in prune list", key.Kind)
 					}
+					isForbidden := false
 					if !dryRun {
 						err = dynClient.Delete(context.Background(), key.Name, v1.DeleteOptions{})
-						if err != nil && !apierr.IsNotFound(err) {
+						if apierr.IsForbidden(err) || apierr.IsNotFound(err) {
+							isForbidden = true
+							log.Warnf("%s/%s %s: %v\n", key.Group, key.Kind, key.Name, err)
+						} else {
 							errors.CheckError(err)
 						}
 					}
-					fmt.Printf("%s/%s %s pruned%s\n", key.Group, key.Kind, key.Name, dryRunMsg)
+					if !isForbidden {
+						fmt.Printf("%s/%s %s pruned%s\n", key.Group, key.Kind, key.Name, dryRunMsg)
+					}
 				} else {
 					fmt.Printf("%s/%s %s needs pruning\n", key.Group, key.Kind, key.Name)
 				}
@@ -293,6 +344,8 @@ func updateLive(bak, live *unstructured.Unstructured) *unstructured.Unstructured
 		if _, ok := bak.Object["status"]; ok {
 			newLive.Object["status"] = bak.Object["status"]
 		}
+	case "ApplicationSet":
+		newLive.Object["spec"] = bak.Object["spec"]
 	}
 	return newLive
 }

cmd/argocd/commands/admin/cluster.go

@@ -0,0 +1,606 @@
+package admin
+
+import (
+	"context"
+	"fmt"
+	"math"
+	"os"
+	"sort"
+	"strings"
+	"text/tabwriter"
+	"time"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/go-redis/redis/v8"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+
+	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/controller/sharding"
+	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
+	"github.com/argoproj/argo-cd/v2/util/argo"
+	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
+	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/clusterauth"
+	"github.com/argoproj/argo-cd/v2/util/db"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/glob"
+	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
+	"github.com/argoproj/argo-cd/v2/util/settings"
+)
+
+func NewClusterCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
+	var command = &cobra.Command{
+		Use:   "cluster",
+		Short: "Manage clusters configuration",
+		Run: func(c *cobra.Command, args []string) {
+			c.HelpFunc()(c, args)
+		},
+	}
+
+	command.AddCommand(NewClusterConfig())
+	command.AddCommand(NewGenClusterConfigCommand(pathOpts))
+	command.AddCommand(NewClusterStatsCommand())
+	command.AddCommand(NewClusterShardsCommand())
+	namespacesCommand := NewClusterNamespacesCommand()
+	namespacesCommand.AddCommand(NewClusterEnableNamespacedMode())
+	namespacesCommand.AddCommand(NewClusterDisableNamespacedMode())
+	command.AddCommand(namespacesCommand)
+
+	return command
+}
+
+type ClusterWithInfo struct {
+	argoappv1.Cluster
+	// Shard holds controller shard number that handles the cluster
+	Shard int
+	// Namespaces holds list of namespaces managed by Argo CD in the cluster
+	Namespaces []string
+}
+
+func loadClusters(kubeClient *kubernetes.Clientset, appClient *versioned.Clientset, replicas int, namespace string, portForwardRedis bool, cacheSrc func() (*appstatecache.Cache, error), shard int) ([]ClusterWithInfo, error) {
+	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, namespace)
+
+	argoDB := db.NewDB(namespace, settingsMgr, kubeClient)
+	clustersList, err := argoDB.ListClusters(context.Background())
+	if err != nil {
+		return nil, err
+	}
+	var cache *appstatecache.Cache
+	if portForwardRedis {
+		overrides := clientcmd.ConfigOverrides{}
+		port, err := kubeutil.PortForward(6379, namespace, &overrides,
+			"app.kubernetes.io/name=argocd-redis-ha-haproxy", "app.kubernetes.io/name=argocd-redis")
+		if err != nil {
+			return nil, err
+		}
+		client := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", port)})
+		cache = appstatecache.NewCache(cacheutil.NewCache(cacheutil.NewRedisCache(client, time.Hour)), time.Hour)
+	} else {
+		cache, err = cacheSrc()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	appItems, err := appClient.ArgoprojV1alpha1().Applications(namespace).List(context.Background(), v1.ListOptions{})
+	if err != nil {
+		return nil, err
+	}
+	apps := appItems.Items
+	for i, app := range apps {
+		err := argo.ValidateDestination(context.Background(), &app.Spec.Destination, argoDB)
+		if err != nil {
+			return nil, err
+		}
+		apps[i] = app
+	}
+	clusters := make([]ClusterWithInfo, len(clustersList.Items))
+	batchSize := 10
+	batchesCount := int(math.Ceil(float64(len(clusters)) / float64(batchSize)))
+	for batchNum := 0; batchNum < batchesCount; batchNum++ {
+		batchStart := batchSize * batchNum
+		batchEnd := batchSize * (batchNum + 1)
+		if batchEnd > len(clustersList.Items) {
+			batchEnd = len(clustersList.Items)
+		}
+		batch := clustersList.Items[batchStart:batchEnd]
+		_ = kube.RunAllAsync(len(batch), func(i int) error {
+			cluster := batch[i]
+			clusterShard := 0
+			if replicas > 0 {
+				clusterShard = sharding.GetShardByID(cluster.ID, replicas)
+			}
+
+			if shard != -1 && clusterShard != shard {
+				return nil
+			}
+			nsSet := map[string]bool{}
+			for _, app := range apps {
+				if app.Spec.Destination.Server == cluster.Server {
+					nsSet[app.Spec.Destination.Namespace] = true
+				}
+			}
+			var namespaces []string
+			for ns := range nsSet {
+				namespaces = append(namespaces, ns)
+			}
+			_ = cache.GetClusterInfo(cluster.Server, &cluster.Info)
+			clusters[batchStart+i] = ClusterWithInfo{cluster, clusterShard, namespaces}
+			return nil
+		})
+	}
+	return clusters, nil
+}
+
+func getControllerReplicas(kubeClient *kubernetes.Clientset, namespace string) (int, error) {
+	controllerPods, err := kubeClient.CoreV1().Pods(namespace).List(context.Background(), v1.ListOptions{
+		LabelSelector: "app.kubernetes.io/name=argocd-application-controller"})
+	if err != nil {
+		return 0, err
+	}
+	return len(controllerPods.Items), nil
+}
+
+func NewClusterShardsCommand() *cobra.Command {
+	var (
+		shard            int
+		replicas         int
+		clientConfig     clientcmd.ClientConfig
+		cacheSrc         func() (*appstatecache.Cache, error)
+		portForwardRedis bool
+	)
+	var command = cobra.Command{
+		Use:   "shards",
+		Short: "Print information about each controller shard and portion of Kubernetes resources it is responsible for.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			clientCfg, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
+			appClient := versioned.NewForConfigOrDie(clientCfg)
+
+			if replicas == 0 {
+				replicas, err = getControllerReplicas(kubeClient, namespace)
+				errors.CheckError(err)
+			}
+			if replicas == 0 {
+				return
+			}
+
+			clusters, err := loadClusters(kubeClient, appClient, replicas, namespace, portForwardRedis, cacheSrc, shard)
+			errors.CheckError(err)
+			if len(clusters) == 0 {
+				return
+			}
+
+			printStatsSummary(clusters)
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().IntVar(&shard, "shard", -1, "Cluster shard filter")
+	command.Flags().IntVar(&replicas, "replicas", 0, "Application controller replicas count. Inferred from number of running controller pods if not specified")
+	command.Flags().BoolVar(&portForwardRedis, "port-forward-redis", true, "Automatically port-forward ha proxy redis from current namespace?")
+	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command)
+	return &command
+}
+
+func printStatsSummary(clusters []ClusterWithInfo) {
+	totalResourcesCount := int64(0)
+	resourcesCountByShard := map[int]int64{}
+	for _, c := range clusters {
+		totalResourcesCount += c.Info.CacheInfo.ResourcesCount
+		resourcesCountByShard[c.Shard] += c.Info.CacheInfo.ResourcesCount
+	}
+
+	avgResourcesByShard := totalResourcesCount / int64(len(resourcesCountByShard))
+	w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+	_, _ = fmt.Fprintf(w, "SHARD\tRESOURCES COUNT\n")
+	for shard := 0; shard < len(resourcesCountByShard); shard++ {
+		cnt := resourcesCountByShard[shard]
+		percent := (float64(cnt) / float64(avgResourcesByShard)) * 100.0
+		_, _ = fmt.Fprintf(w, "%d\t%s\n", shard, fmt.Sprintf("%d (%.0f%%)", cnt, percent))
+	}
+	_ = w.Flush()
+}
+
+func runClusterNamespacesCommand(clientConfig clientcmd.ClientConfig, action func(appClient *versioned.Clientset, argoDB db.ArgoDB, clusters map[string][]string) error) error {
+	clientCfg, err := clientConfig.ClientConfig()
+	if err != nil {
+		return err
+	}
+	namespace, _, err := clientConfig.Namespace()
+	if err != nil {
+		return err
+	}
+
+	kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
+	appClient := versioned.NewForConfigOrDie(clientCfg)
+
+	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, namespace)
+	argoDB := db.NewDB(namespace, settingsMgr, kubeClient)
+	clustersList, err := argoDB.ListClusters(context.Background())
+	if err != nil {
+		return err
+	}
+	appItems, err := appClient.ArgoprojV1alpha1().Applications(namespace).List(context.Background(), v1.ListOptions{})
+	if err != nil {
+		return err
+	}
+	apps := appItems.Items
+	for i, app := range apps {
+		err := argo.ValidateDestination(context.Background(), &app.Spec.Destination, argoDB)
+		if err != nil {
+			return err
+		}
+		apps[i] = app
+	}
+
+	clusters := map[string][]string{}
+	for _, cluster := range clustersList.Items {
+		nsSet := map[string]bool{}
+		for _, app := range apps {
+			if app.Spec.Destination.Server != cluster.Server {
+				continue
+			}
+			// Use namespaces of actually deployed resources, since some application use dummy target namespace
+			// If resources list is empty then use target namespace
+			if len(app.Status.Resources) != 0 {
+				for _, res := range app.Status.Resources {
+					if res.Namespace != "" {
+						nsSet[res.Namespace] = true
+					}
+				}
+			} else {
+				if app.Spec.Destination.Server == cluster.Server {
+					nsSet[app.Spec.Destination.Namespace] = true
+				}
+			}
+		}
+		var namespaces []string
+		for ns := range nsSet {
+			namespaces = append(namespaces, ns)
+		}
+		clusters[cluster.Server] = namespaces
+	}
+	return action(appClient, argoDB, clusters)
+}
+
+func NewClusterNamespacesCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = cobra.Command{
+		Use:   "namespaces",
+		Short: "Print information namespaces which Argo CD manages in each cluster.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			err := runClusterNamespacesCommand(clientConfig, func(appClient *versioned.Clientset, _ db.ArgoDB, clusters map[string][]string) error {
+				w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+				_, _ = fmt.Fprintf(w, "CLUSTER\tNAMESPACES\n")
+
+				for cluster, namespaces := range clusters {
+					// print shortest namespace names first
+					sort.Slice(namespaces, func(i, j int) bool {
+						return len(namespaces[j]) > len(namespaces[i])
+					})
+					namespacesStr := ""
+					if len(namespaces) > 4 {
+						namespacesStr = fmt.Sprintf("%s (total %d)", strings.Join(namespaces[:4], ","), len(namespaces))
+					} else {
+						namespacesStr = strings.Join(namespaces, ",")
+					}
+
+					_, _ = fmt.Fprintf(w, "%s\t%s\n", cluster, namespacesStr)
+				}
+				_ = w.Flush()
+				return nil
+			})
+			errors.CheckError(err)
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	return &command
+}
+
+func NewClusterEnableNamespacedMode() *cobra.Command {
+	var (
+		clientConfig     clientcmd.ClientConfig
+		dryRun           bool
+		clusterResources bool
+		namespacesCount  int
+	)
+	var command = cobra.Command{
+		Use:   "enable-namespaced-mode PATTERN",
+		Short: "Enable namespaced mode for clusters which name matches to the specified pattern.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			if len(args) == 0 {
+				cmd.HelpFunc()(cmd, args)
+				os.Exit(1)
+			}
+			pattern := args[0]
+
+			errors.CheckError(runClusterNamespacesCommand(clientConfig, func(_ *versioned.Clientset, argoDB db.ArgoDB, clusters map[string][]string) error {
+				for server, namespaces := range clusters {
+					if len(namespaces) == 0 || len(namespaces) > namespacesCount || !glob.Match(pattern, server) {
+						continue
+					}
+
+					cluster, err := argoDB.GetCluster(context.Background(), server)
+					if err != nil {
+						return err
+					}
+					cluster.Namespaces = namespaces
+					cluster.ClusterResources = clusterResources
+					fmt.Printf("Setting cluster %s namespaces to %v...", server, namespaces)
+					if !dryRun {
+						_, err = argoDB.UpdateCluster(context.Background(), cluster)
+						if err != nil {
+							return err
+						}
+						fmt.Println("done")
+					} else {
+						fmt.Println("done (dry run)")
+					}
+
+				}
+				return nil
+			}))
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().BoolVar(&dryRun, "dry-run", true, "Print what will be performed")
+	command.Flags().BoolVar(&clusterResources, "cluster-resources", false, "Indicates if cluster level resources should be managed.")
+	command.Flags().IntVar(&namespacesCount, "max-namespace-count", 0, "Max number of namespaces that cluster should managed managed namespaces is less or equal to specified count")
+
+	return &command
+}
+
+func NewClusterDisableNamespacedMode() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+		dryRun       bool
+	)
+	var command = cobra.Command{
+		Use:   "disable-namespaced-mode PATTERN",
+		Short: "Disable namespaced mode for clusters which name matches to the specified pattern.",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			if len(args) == 0 {
+				cmd.HelpFunc()(cmd, args)
+				os.Exit(1)
+			}
+
+			pattern := args[0]
+
+			errors.CheckError(runClusterNamespacesCommand(clientConfig, func(_ *versioned.Clientset, argoDB db.ArgoDB, clusters map[string][]string) error {
+				for server := range clusters {
+					if !glob.Match(pattern, server) {
+						continue
+					}
+
+					cluster, err := argoDB.GetCluster(context.Background(), server)
+					if err != nil {
+						return err
+					}
+
+					if len(cluster.Namespaces) == 0 {
+						continue
+					}
+
+					cluster.Namespaces = nil
+					fmt.Printf("Disabling namespaced mode for cluster %s...", server)
+					if !dryRun {
+						_, err = argoDB.UpdateCluster(context.Background(), cluster)
+						if err != nil {
+							return err
+						}
+						fmt.Println("done")
+					} else {
+						fmt.Println("done (dry run)")
+					}
+
+				}
+				return nil
+			}))
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().BoolVar(&dryRun, "dry-run", true, "Print what will be performed")
+	return &command
+}
+
+func NewClusterStatsCommand() *cobra.Command {
+	var (
+		shard            int
+		replicas         int
+		clientConfig     clientcmd.ClientConfig
+		cacheSrc         func() (*appstatecache.Cache, error)
+		portForwardRedis bool
+	)
+	var command = cobra.Command{
+		Use:   "stats",
+		Short: "Prints information cluster statistics and inferred shard number",
+		Run: func(cmd *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+
+			clientCfg, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
+			appClient := versioned.NewForConfigOrDie(clientCfg)
+			if replicas == 0 {
+				replicas, err = getControllerReplicas(kubeClient, namespace)
+				errors.CheckError(err)
+			}
+			clusters, err := loadClusters(kubeClient, appClient, replicas, namespace, portForwardRedis, cacheSrc, shard)
+			errors.CheckError(err)
+
+			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
+			_, _ = fmt.Fprintf(w, "SERVER\tSHARD\tCONNECTION\tNAMESPACES COUNT\tAPPS COUNT\tRESOURCES COUNT\n")
+			for _, cluster := range clusters {
+				_, _ = fmt.Fprintf(w, "%s\t%d\t%s\t%d\t%d\t%d\n", cluster.Server, cluster.Shard, cluster.Info.ConnectionState.Status, len(cluster.Namespaces), cluster.Info.ApplicationsCount, cluster.Info.CacheInfo.ResourcesCount)
+			}
+			_ = w.Flush()
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+	command.Flags().IntVar(&shard, "shard", -1, "Cluster shard filter")
+	command.Flags().IntVar(&replicas, "replicas", 0, "Application controller replicas count. Inferred from number of running controller pods if not specified")
+	command.Flags().BoolVar(&portForwardRedis, "port-forward-redis", true, "Automatically port-forward ha proxy redis from current namespace?")
+	cacheSrc = appstatecache.AddCacheFlagsToCmd(&command)
+	return &command
+}
+
+// NewClusterConfig returns a new instance of `argocd admin kubeconfig` command
+func NewClusterConfig() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = &cobra.Command{
+		Use:               "kubeconfig CLUSTER_URL OUTPUT_PATH",
+		Short:             "Generates kubeconfig for the specified cluster",
+		DisableAutoGenTag: true,
+		Run: func(c *cobra.Command, args []string) {
+			if len(args) != 2 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			serverUrl := args[0]
+			output := args[1]
+			conf, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+			kubeclientset, err := kubernetes.NewForConfig(conf)
+			errors.CheckError(err)
+
+			cluster, err := db.NewDB(namespace, settings.NewSettingsManager(context.Background(), kubeclientset, namespace), kubeclientset).GetCluster(context.Background(), serverUrl)
+			errors.CheckError(err)
+			err = kube.WriteKubeConfig(cluster.RawRestConfig(), namespace, output)
+			errors.CheckError(err)
+		},
+	}
+	clientConfig = cli.AddKubectlFlagsToCmd(command)
+	return command
+}
+
+func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command {
+	var (
+		clusterOpts   cmdutil.ClusterOptions
+		bearerToken   string
+		generateToken bool
+		outputFormat  string
+	)
+	var command = &cobra.Command{
+		Use:   "generate-spec CONTEXT",
+		Short: "Generate declarative config for a cluster",
+		Run: func(c *cobra.Command, args []string) {
+			log.SetLevel(log.WarnLevel)
+			var configAccess clientcmd.ConfigAccess = pathOpts
+			if len(args) == 0 {
+				log.Error("Choose a context name from:")
+				cmdutil.PrintKubeContexts(configAccess)
+				os.Exit(1)
+			}
+			cfgAccess, err := configAccess.GetStartingConfig()
+			errors.CheckError(err)
+			contextName := args[0]
+			clstContext := cfgAccess.Contexts[contextName]
+			if clstContext == nil {
+				log.Fatalf("Context %s does not exist in kubeconfig", contextName)
+				return
+			}
+
+			overrides := clientcmd.ConfigOverrides{
+				Context: *clstContext,
+			}
+			clientConfig := clientcmd.NewDefaultClientConfig(*cfgAccess, &overrides)
+			conf, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			kubeClientset := fake.NewSimpleClientset()
+
+			var awsAuthConf *argoappv1.AWSAuthConfig
+			var execProviderConf *argoappv1.ExecProviderConfig
+			if clusterOpts.AwsClusterName != "" {
+				awsAuthConf = &argoappv1.AWSAuthConfig{
+					ClusterName: clusterOpts.AwsClusterName,
+					RoleARN:     clusterOpts.AwsRoleArn,
+				}
+			} else if clusterOpts.ExecProviderCommand != "" {
+				execProviderConf = &argoappv1.ExecProviderConfig{
+					Command:     clusterOpts.ExecProviderCommand,
+					Args:        clusterOpts.ExecProviderArgs,
+					Env:         clusterOpts.ExecProviderEnv,
+					APIVersion:  clusterOpts.ExecProviderAPIVersion,
+					InstallHint: clusterOpts.ExecProviderInstallHint,
+				}
+			} else if generateToken {
+				bearerToken, err = GenerateToken(clusterOpts, conf)
+				errors.CheckError(err)
+			} else if bearerToken == "" {
+				bearerToken = "bearer-token"
+			}
+			if clusterOpts.Name != "" {
+				contextName = clusterOpts.Name
+			}
+			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, clusterOpts.ClusterResources, conf, bearerToken, awsAuthConf, execProviderConf)
+			if clusterOpts.InCluster {
+				clst.Server = argoappv1.KubernetesInternalAPIServerAddr
+			}
+			if clusterOpts.Shard >= 0 {
+				clst.Shard = &clusterOpts.Shard
+			}
+
+			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
+			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
+
+			_, err = argoDB.CreateCluster(context.Background(), clst)
+			errors.CheckError(err)
+
+			secName, err := db.URIToSecretName("cluster", clst.Server)
+			errors.CheckError(err)
+
+			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), secName, v1.GetOptions{})
+			errors.CheckError(err)
+
+			errors.CheckError(PrintResources(outputFormat, os.Stdout, secret))
+		},
+	}
+	command.PersistentFlags().StringVar(&pathOpts.LoadingRules.ExplicitPath, pathOpts.ExplicitFileFlag, pathOpts.LoadingRules.ExplicitPath, "use a particular kubeconfig file")
+	command.Flags().StringVar(&bearerToken, "bearer-token", "", "Authentication token that should be used to access K8S API server")
+	command.Flags().BoolVar(&generateToken, "generate-bearer-token", false, "Generate authentication token that should be used to access K8S API server")
+	command.Flags().StringVar(&clusterOpts.ServiceAccount, "service-account", "argocd-manager", fmt.Sprintf("System namespace service account to use for kubernetes resource management. If not set then default \"%s\" SA will be used", clusterauth.ArgoCDManagerServiceAccount))
+	command.Flags().StringVar(&clusterOpts.SystemNamespace, "system-namespace", common.DefaultSystemNamespace, "Use different system namespace")
+	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
+	cmdutil.AddClusterFlags(command, &clusterOpts)
+	return command
+}
+
+func GenerateToken(clusterOpts cmdutil.ClusterOptions, conf *rest.Config) (string, error) {
+	clientset, err := kubernetes.NewForConfig(conf)
+	errors.CheckError(err)
+
+	bearerToken, err := clusterauth.GetServiceAccountBearerToken(clientset, clusterOpts.SystemNamespace, clusterOpts.ServiceAccount)
+	if err != nil {
+		return "", err
+	}
+	return bearerToken, nil
+}

cmd/argocd/commands/admin/dashboard.go

@@ -0,0 +1,30 @@
+package admin
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/spf13/cobra"
+
+	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless"
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/pkg/apiclient"
+)
+
+func NewDashboardCommand() *cobra.Command {
+	var (
+		port int
+	)
+	cmd := &cobra.Command{
+		Use:   "dashboard",
+		Short: "Starts Argo CD Web UI locally",
+		Run: func(cmd *cobra.Command, args []string) {
+			println(fmt.Sprintf("Argo CD UI is available at http://localhost:%d", port))
+			<-context.Background().Done()
+		},
+	}
+	clientOpts := &apiclient.ClientOptions{Core: true}
+	headless.InitCommand(cmd, clientOpts, &port)
+	cmd.Flags().IntVar(&port, "port", common.DefaultPortAPIServer, "Listen on given port")
+	return cmd
+}

cmd/argocd/commands/admin/generatespec_utils.go

@@ -0,0 +1,108 @@
+package admin
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/ghodss/yaml"
+	v1 "k8s.io/api/core/v1"
+
+	ioutil "github.com/argoproj/argo-cd/v2/util/io"
+)
+
+func getOutWriter(inline bool, filePath string) (io.Writer, io.Closer, error) {
+	if !inline {
+		return os.Stdout, ioutil.NopCloser, nil
+	}
+
+	if filePath == "" {
+		return nil, nil, errors.New("The file path must be specified using flag '--file'")
+	}
+
+	err := os.Rename(filePath, fmt.Sprintf("%s.back", filePath))
+	if err != nil {
+		return nil, nil, err
+	}
+
+	fileOut, err := os.Create(filePath)
+	if err != nil {
+		return nil, nil, err
+	}
+	return fileOut, fileOut, nil
+}
+
+// PrintResources prints a single resource in YAML or JSON format to stdout according to the output format
+func PrintResources(output string, out io.Writer, resources ...interface{}) error {
+	for i, resource := range resources {
+		if secret, ok := resource.(*v1.Secret); ok {
+			convertSecretData(secret)
+		}
+		filteredResource, err := omitFields(resource)
+		if err != nil {
+			return err
+		}
+		resources[i] = filteredResource
+	}
+	var obj interface{} = resources
+	if len(resources) == 1 {
+		obj = resources[0]
+	}
+
+	switch output {
+	case "json":
+		jsonBytes, err := json.MarshalIndent(obj, "", "  ")
+		if err != nil {
+			return err
+		}
+
+		_, _ = fmt.Fprintln(out, string(jsonBytes))
+	case "yaml":
+		yamlBytes, err := yaml.Marshal(obj)
+		if err != nil {
+			return err
+		}
+		// marshaled YAML already ends with the new line character
+		_, _ = fmt.Fprint(out, string(yamlBytes))
+	default:
+		return fmt.Errorf("unknown output format: %s", output)
+	}
+	return nil
+}
+
+// omit fields such as status, creationTimestamp and metadata.namespace in k8s objects
+func omitFields(resource interface{}) (interface{}, error) {
+	jsonBytes, err := json.Marshal(resource)
+	if err != nil {
+		return nil, err
+	}
+
+	toMap := make(map[string]interface{})
+	err = json.Unmarshal(jsonBytes, &toMap)
+	if err != nil {
+		return nil, err
+	}
+
+	delete(toMap, "status")
+	if v, ok := toMap["metadata"]; ok {
+		if metadata, ok := v.(map[string]interface{}); ok {
+			delete(metadata, "creationTimestamp")
+			delete(metadata, "namespace")
+		}
+	}
+	return toMap, nil
+}
+
+// convertSecretData converts kubernetes secret's data to stringData
+func convertSecretData(secret *v1.Secret) {
+	secret.Kind = kube.SecretKind
+	secret.APIVersion = "v1"
+	secret.StringData = map[string]string{}
+	for k, v := range secret.Data {
+		secret.StringData[k] = string(v)
+	}
+	secret.Data = map[string][]byte{}
+}

cmd/argocd/commands/admin/generatespec_utils_test.go

@@ -0,0 +1,58 @@
+package admin
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/argoproj/argo-cd/v2/util/io"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestGetOutWriter_InlineOff(t *testing.T) {
+	out, closer, err := getOutWriter(false, "")
+	require.NoError(t, err)
+	defer io.Close(closer)
+
+	assert.Equal(t, os.Stdout, out)
+}
+
+func TestGetOutWriter_InlineOn(t *testing.T) {
+	tmpFile, err := ioutil.TempFile("", "")
+	require.NoError(t, err)
+	defer func() {
+		_ = os.Remove(tmpFile.Name())
+		_ = os.Remove(fmt.Sprintf("%s.back", tmpFile.Name()))
+	}()
+
+	out, closer, err := getOutWriter(true, tmpFile.Name())
+	require.NoError(t, err)
+	defer io.Close(closer)
+
+	assert.Equal(t, tmpFile.Name(), out.(*os.File).Name())
+	_, err = os.Stat(fmt.Sprintf("%s.back", tmpFile.Name()))
+	assert.NoError(t, err, "Back file must be created")
+}
+
+func TestPrintResources_Secret_YAML(t *testing.T) {
+	out := bytes.Buffer{}
+	err := PrintResources("yaml", &out, &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{Name: "my-secret"},
+		Data:       map[string][]byte{"my-secret-key": []byte("my-secret-data")},
+	})
+	assert.NoError(t, err)
+
+	assert.Equal(t, `apiVersion: v1
+kind: Secret
+metadata:
+  name: my-secret
+stringData:
+  my-secret-key: my-secret-data
+`, out.String())
+}

cmd/argocd/commands/admin/project.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"context"
@@ -13,6 +13,7 @@ import (
 	appclient "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/typed/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/util/cli"
 	"github.com/argoproj/argo-cd/v2/util/errors"
+	"github.com/argoproj/argo-cd/v2/util/io"
 
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/spf13/cobra"
@@ -35,12 +36,13 @@ func NewProjectsCommand() *cobra.Command {
 	return command
 }
 
-// NewGenProjectConfigCommand generates declarative configuration file for given project
+// NewGenProjectSpecCommand generates declarative configuration file for given project
 func NewGenProjectSpecCommand() *cobra.Command {
 	var (
 		opts         cmdutil.ProjectOpts
 		fileURL      string
 		outputFormat string
+		inline       bool
 	)
 	var command = &cobra.Command{
 		Use:   "generate-spec PROJECT",
@@ -49,13 +51,16 @@ func NewGenProjectSpecCommand() *cobra.Command {
 			proj, err := cmdutil.ConstructAppProj(fileURL, args, opts, c)
 			errors.CheckError(err)
 
-			var printResources []interface{}
-			printResources = append(printResources, proj)
-			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+			out, closer, err := getOutWriter(inline, fileURL)
+			errors.CheckError(err)
+			defer io.Close(closer)
+
+			errors.CheckError(PrintResources(outputFormat, out, proj))
 		},
 	}
 	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")
 	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the project")
+	command.Flags().BoolVarP(&inline, "inline", "i", false, "If set then generated resource is written back to the file specified in --file flag")
 
 	// Only complete files with appropriate extension.
 	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
@@ -138,10 +143,10 @@ func NewUpdatePolicyRuleCommand() *cobra.Command {
 		Use:   "update-role-policy PROJECT_GLOB MODIFICATION ACTION",
 		Short: "Implement bulk project role update. Useful to back-fill existing project policies or remove obsolete actions.",
 		Example: `  # Add policy that allows executing any action (action/*) to roles which name matches to *deployer* in all projects  
-  argocd-util projects update-role-policy '*' set 'action/*' --role '*deployer*' --resource applications --scope '*' --permission allow
+  argocd admin projects update-role-policy '*' set 'action/*' --role '*deployer*' --resource applications --scope '*' --permission allow
 
   # Remove policy that which manages running (action/*) from all roles which name matches *deployer* in all projects
-  argocd-util projects update-role-policy '*' remove override --role '*deployer*'
+  argocd admin projects update-role-policy '*' remove override --role '*deployer*'
 `,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) != 3 {

cmd/argocd/commands/admin/project_allowlist.go

@@ -1,7 +1,8 @@
-package commands
+package admin
 
 import (
 	"bufio"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"os"
@@ -63,7 +64,10 @@ func NewProjectAllowListGenCommand() *cobra.Command {
 				}()
 			}
 
-			globalProj := generateProjectAllowList(clientConfig, clusterRoleFileName, projName)
+			resourceList, err := getResourceList(clientConfig)
+			errors.CheckError(err)
+			globalProj, err := generateProjectAllowList(resourceList, clusterRoleFileName, projName)
+			errors.CheckError(err)
 
 			yamlBytes, err := yaml.Marshal(globalProj)
 			errors.CheckError(err)
@@ -78,23 +82,38 @@ func NewProjectAllowListGenCommand() *cobra.Command {
 	return command
 }
 
-func generateProjectAllowList(clientConfig clientcmd.ClientConfig, clusterRoleFileName string, projName string) v1alpha1.AppProject {
+func getResourceList(clientConfig clientcmd.ClientConfig) ([]*metav1.APIResourceList, error) {
+	config, err := clientConfig.ClientConfig()
+	if err != nil {
+		return nil, fmt.Errorf("error while creating client config: %s", err)
+	}
+	disco, err := discovery.NewDiscoveryClientForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("error while creating discovery client: %s", err)
+	}
+	serverResources, err := disco.ServerPreferredResources()
+	if err != nil {
+		return nil, fmt.Errorf("error while getting server resources: %s", err)
+	}
+	return serverResources, nil
+}
+
+func generateProjectAllowList(serverResources []*metav1.APIResourceList, clusterRoleFileName string, projName string) (*v1alpha1.AppProject, error) {
 	yamlBytes, err := ioutil.ReadFile(clusterRoleFileName)
-	errors.CheckError(err)
+	if err != nil {
+		return nil, fmt.Errorf("error reading cluster role file: %s", err)
+	}
 	var obj unstructured.Unstructured
 	err = yaml.Unmarshal(yamlBytes, &obj)
-	errors.CheckError(err)
+	if err != nil {
+		return nil, fmt.Errorf("error unmarshalling cluster role file yaml: %s", err)
+	}
 
 	clusterRole := &rbacv1.ClusterRole{}
 	err = scheme.Scheme.Convert(&obj, clusterRole, nil)
-	errors.CheckError(err)
-
-	config, err := clientConfig.ClientConfig()
-	errors.CheckError(err)
-	disco, err := discovery.NewDiscoveryClientForConfig(config)
-	errors.CheckError(err)
-	serverResources, err := disco.ServerPreferredResources()
-	errors.CheckError(err)
+	if err != nil {
+		return nil, fmt.Errorf("error converting cluster role yaml into ClusterRole struct: %s", err)
+	}
 
 	resourceList := make([]metav1.GroupKind, 0)
 	for _, rule := range clusterRole.Rules {
@@ -140,5 +159,5 @@ func generateProjectAllowList(clientConfig clientcmd.ClientConfig, clusterRoleFi
 		Spec:       v1alpha1.AppProjectSpec{},
 	}
 	globalProj.Spec.NamespaceResourceWhitelist = resourceList
-	return globalProj
+	return &globalProj, nil
 }

cmd/argocd/commands/admin/project_allowlist_test.go

@@ -0,0 +1,20 @@
+package admin
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+func TestProjectAllowListGen(t *testing.T) {
+	res := metav1.APIResource{
+		Name: "services",
+		Kind: "Service",
+	}
+	resourceList := []*metav1.APIResourceList{{APIResources: []metav1.APIResource{res}}}
+
+	globalProj, err := generateProjectAllowList(resourceList, "testdata/test_clusterrole.yaml", "testproj")
+	assert.NoError(t, err)
+	assert.True(t, len(globalProj.Spec.NamespaceResourceWhitelist) > 0)
+}

cmd/argocd/commands/admin/project_test.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"context"

cmd/argocd/commands/admin/repo.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"context"
@@ -9,7 +9,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	apiv1 "k8s.io/api/core/v1"
-	apierr "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"
 
@@ -49,25 +48,25 @@ func NewGenRepoSpecCommand() *cobra.Command {
 	// For better readability and easier formatting
 	var repoAddExamples = `  
   # Add a Git repository via SSH using a private key for authentication, ignoring the server's host key:
-  argocd-util repo generate-spec git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
+  argocd admin repo generate-spec git@git.example.com:repos/repo --insecure-ignore-host-key --ssh-private-key-path ~/id_rsa
 
   # Add a Git repository via SSH on a non-default port - need to use ssh:// style URLs here
-  argocd-util repo generate-spec ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
+  argocd admin repo generate-spec ssh://git@git.example.com:2222/repos/repo --ssh-private-key-path ~/id_rsa
 
   # Add a private Git repository via HTTPS using username/password and TLS client certificates:
-  argocd-util repo generate-spec https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
+  argocd admin repo generate-spec https://git.example.com/repos/repo --username git --password secret --tls-client-cert-path ~/mycert.crt --tls-client-cert-key-path ~/mycert.key
 
   # Add a private Git repository via HTTPS using username/password without verifying the server's TLS certificate
-  argocd-util repo generate-spec https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
+  argocd admin repo generate-spec https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
 
   # Add a public Helm repository named 'stable' via HTTPS
-  argocd-util repo generate-spec https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
+  argocd admin repo generate-spec https://charts.helm.sh/stable --type helm --name stable  
 
   # Add a private Helm repository named 'stable' via HTTPS
-  argocd-util repo generate-spec https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
+  argocd admin repo generate-spec https://charts.helm.sh/stable --type helm --name stable --username test --password test
 
   # Add a private Helm OCI-based repository named 'stable' via HTTPS
-  argocd-util repo generate-spec helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
+  argocd admin repo generate-spec helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
 `
 
 	var command = &cobra.Command{
@@ -155,25 +154,13 @@ func NewGenRepoSpecCommand() *cobra.Command {
 			settingsMgr := settings.NewSettingsManager(context.Background(), kubeClientset, ArgoCDNamespace)
 			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
 
-			var printResources []interface{}
 			_, err := argoDB.CreateRepository(context.Background(), &repoOpts.Repo)
 			errors.CheckError(err)
 
 			secret, err := kubeClientset.CoreV1().Secrets(ArgoCDNamespace).Get(context.Background(), db.RepoURLToSecretName(repoSecretPrefix, repoOpts.Repo.Repo), v1.GetOptions{})
-			if err != nil {
-				if !apierr.IsNotFound(err) {
-					errors.CheckError(err)
-				}
-			} else {
-				cmdutil.ConvertSecretData(secret)
-				printResources = append(printResources, secret)
-			}
-
-			cm, err := kubeClientset.CoreV1().ConfigMaps(ArgoCDNamespace).Get(context.Background(), common.ArgoCDConfigMapName, v1.GetOptions{})
 			errors.CheckError(err)
 
-			printResources = append(printResources, cm)
-			errors.CheckError(cmdutil.PrintResources(printResources, outputFormat))
+			errors.CheckError(PrintResources(outputFormat, os.Stdout, secret))
 		},
 	}
 	command.Flags().StringVarP(&outputFormat, "output", "o", "yaml", "Output format. One of: json|yaml")

cmd/argocd/commands/admin/secrets_redactor_test.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"testing"

cmd/argocd/commands/admin/settings.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"bytes"
@@ -303,10 +303,10 @@ func NewValidateSettingsCommand(cmdCtx commandContext) *cobra.Command {
 		Long:  "Validates settings specified in 'argocd-cm' ConfigMap and 'argocd-secret' Secret",
 		Example: `
 #Validates all settings in the specified YAML file
-argocd-util settings validate --argocd-cm-path ./argocd-cm.yaml
+argocd admin settings validate --argocd-cm-path ./argocd-cm.yaml
 
 #Validates accounts and plugins settings in Kubernetes cluster of current kubeconfig context
-argocd-util settings validate --group accounts --group plugins --load-cluster-settings`,
+argocd admin settings validate --group accounts --group plugins --load-cluster-settings`,
 		Run: func(c *cobra.Command, args []string) {
 			settingsManager, err := cmdCtx.createSettingsManager()
 			errors.CheckError(err)
@@ -392,7 +392,7 @@ func NewResourceIgnoreDifferencesCommand(cmdCtx commandContext) *cobra.Command {
 		Short: "Renders fields excluded from diffing",
 		Long:  "Renders ignored fields using the 'ignoreDifferences' setting specified in the 'resource.customizations' field of 'argocd-cm' ConfigMap",
 		Example: `
-argocd-util settings resource-overrides ignore-differences ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
+argocd admin settings resource-overrides ignore-differences ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) < 1 {
 				c.HelpFunc()(c, args)
@@ -436,7 +436,7 @@ func NewResourceHealthCommand(cmdCtx commandContext) *cobra.Command {
 		Short: "Assess resource health",
 		Long:  "Assess resource health using the lua script configured in the 'resource.customizations' field of 'argocd-cm' ConfigMap",
 		Example: `
-argocd-util settings resource-overrides health ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
+argocd admin settings resource-overrides health ./deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) < 1 {
 				c.HelpFunc()(c, args)
@@ -467,7 +467,7 @@ func NewResourceActionListCommand(cmdCtx commandContext) *cobra.Command {
 		Short: "List available resource actions",
 		Long:  "List actions available for given resource action using the lua scripts configured in the 'resource.customizations' field of 'argocd-cm' ConfigMap and outputs updated fields",
 		Example: `
-argocd-util settings resource-overrides action list /tmp/deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
+argocd admin settings resource-overrides action list /tmp/deploy.yaml --argocd-cm-path ./argocd-cm.yaml`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) < 1 {
 				c.HelpFunc()(c, args)
@@ -510,7 +510,7 @@ func NewResourceActionRunCommand(cmdCtx commandContext) *cobra.Command {
 		Short:   "Executes resource action",
 		Long:    "Executes resource action using the lua script configured in the 'resource.customizations' field of 'argocd-cm' ConfigMap and outputs updated fields",
 		Example: `
-argocd-util settings resource-overrides action run /tmp/deploy.yaml restart --argocd-cm-path ./argocd-cm.yaml`,
+argocd admin settings resource-overrides action run /tmp/deploy.yaml restart --argocd-cm-path ./argocd-cm.yaml`,
 		Run: func(c *cobra.Command, args []string) {
 			if len(args) < 2 {
 				c.HelpFunc()(c, args)

cmd/argocd/commands/admin/settings_rbac.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"context"
@@ -101,19 +101,19 @@ something.
 		Example: `
 # Check whether role some:role has permissions to create an application in the
 # 'default' project, using a local policy.csv file
-argocd-util settings rbac can some:role create application 'default/app' --policy-file policy.csv
+argocd admin settings rbac can some:role create application 'default/app' --policy-file policy.csv
 
 # Policy file can also be K8s config map with data keys like argocd-rbac-cm,
 # i.e. 'policy.csv' and (optionally) 'policy.default'
-argocd-util settings rbac can some:role create application 'default/app' --policy-file argocd-rbac-cm.yaml
+argocd admin settings rbac can some:role create application 'default/app' --policy-file argocd-rbac-cm.yaml
 
 # If --policy-file is not given, the ConfigMap 'argocd-rbac-cm' from K8s is
 # used. You need to specify the argocd namespace, and make sure that your
 # current Kubernetes context is pointing to the cluster Argo CD is running in
-argocd-util settings rbac can some:role create application 'default/app' --namespace argocd
+argocd admin settings rbac can some:role create application 'default/app' --namespace argocd
 
 # You can override a possibly configured default role
-argocd-util settings rbac can someuser create application 'default/app' --default-role role:readonly
+argocd admin settings rbac can someuser create application 'default/app' --default-role role:readonly
 
 `,
 		Run: func(c *cobra.Command, args []string) {

cmd/argocd/commands/admin/settings_rbac_test.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"io/ioutil"

cmd/argocd/commands/admin/settings_test.go

@@ -1,4 +1,4 @@
-package commands
+package admin
 
 import (
 	"bytes"
@@ -240,6 +240,7 @@ func tempFile(content string) (string, io.Closer, error) {
 		_ = os.Remove(f.Name())
 		return "", nil, err
 	}
+	defer f.Close()
 	return f.Name(), utils.NewCloser(func() error {
 		return os.Remove(f.Name())
 	}), nil

cmd/argocd/commands/app.go

@@ -25,13 +25,13 @@ import (
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"k8s.io/apimachinery/pkg/api/resource"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/utils/pointer"
 
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
-	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/controller"
 	"github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
@@ -102,11 +102,12 @@ func NewApplicationCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 // NewApplicationCreateCommand returns a new instance of an `argocd app create` command
 func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		appOpts cmdutil.AppOptions
-		fileURL string
-		appName string
-		upsert  bool
-		labels  []string
+		appOpts     cmdutil.AppOptions
+		fileURL     string
+		appName     string
+		upsert      bool
+		labels      []string
+		annotations []string
 	)
 	var command = &cobra.Command{
 		Use:   "create APPNAME",
@@ -122,7 +123,7 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 	argocd app create helm-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path helm-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --helm-set replicaCount=2
 
 	# Create a Helm app from a Helm repo
-	argocd app create nginx-ingress --repo https://kubernetes-charts.storage.googleapis.com --helm-chart nginx-ingress --revision 1.24.3 --dest-namespace default --dest-server https://kubernetes.default.svc
+	argocd app create nginx-ingress --repo https://charts.helm.sh/stable --helm-chart nginx-ingress --revision 1.24.3 --dest-namespace default --dest-server https://kubernetes.default.svc
 
 	# Create a Kustomize app
 	argocd app create kustomize-guestbook --repo https://github.com/argoproj/argocd-example-apps.git --path kustomize-guestbook --dest-namespace default --dest-server https://kubernetes.default.svc --kustomize-image gcr.io/heptio-images/ks-guestbook-demo:0.1
@@ -133,7 +134,7 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 		Run: func(c *cobra.Command, args []string) {
 			argocdClient := argocdclient.NewClientOrDie(clientOpts)
 
-			app, err := cmdutil.ConstructApp(fileURL, appName, labels, args, appOpts, c.Flags())
+			app, err := cmdutil.ConstructApp(fileURL, appName, labels, annotations, args, appOpts, c.Flags())
 			errors.CheckError(err)
 
 			if app.Name == "" {
@@ -157,6 +158,7 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 	command.Flags().BoolVar(&upsert, "upsert", false, "Allows to override application with the same name even if supplied application spec is different from existing spec")
 	command.Flags().StringVarP(&fileURL, "file", "f", "", "Filename or URL to Kubernetes manifests for the app")
 	command.Flags().StringArrayVarP(&labels, "label", "l", []string{}, "Labels to apply to the app")
+	command.Flags().StringArrayVarP(&annotations, "annotations", "", []string{}, "Set metadata annotations (e.g. example=value)")
 	// Only complete files with appropriate extension.
 	err := command.Flags().SetAnnotation("file", cobra.BashCompFilenameExt, []string{"json", "yaml", "yml"})
 	if err != nil {
@@ -674,9 +676,10 @@ func NewApplicationUnsetCommand(clientOpts *argocdclient.ClientOptions) *cobra.C
 				}
 				for _, env := range pluginEnvs {
 					err = app.Spec.Source.Plugin.RemoveEnvEntry(env)
-					errors.CheckError(err)
+					if err == nil {
+						updated = true
+					}
 				}
-				updated = true
 			}
 
 			if !updated {
@@ -754,7 +757,7 @@ func getLocalObjectsString(app *argoappv1.Application, local, localRepoRoot, app
 		KustomizeOptions:  kustomizeOptions,
 		KubeVersion:       kubeVersion,
 		Plugins:           configManagementPlugins,
-	}, true)
+	}, true, resource.MustParse("0"))
 	errors.CheckError(err)
 
 	return res.Manifests
@@ -1437,9 +1440,9 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().StringArrayVar(&labels, "label", []string{}, "Sync only specific resources with a label. This option may be specified repeatedly.")
 	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
 	command.Flags().Int64Var(&retryLimit, "retry-limit", 0, "Max number of allowed sync retries")
-	command.Flags().DurationVar(&retryBackoffDuration, "retry-backoff-duration", common.DefaultSyncRetryDuration, "Retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h)")
-	command.Flags().DurationVar(&retryBackoffMaxDuration, "retry-backoff-max-duration", common.DefaultSyncRetryMaxDuration, "Max retry backoff duration. Input needs to be a duration (e.g. 2m, 1h)")
-	command.Flags().Int64Var(&retryBackoffFactor, "retry-backoff-factor", common.DefaultSyncRetryFactor, "Factor multiplies the base duration after each failed retry")
+	command.Flags().DurationVar(&retryBackoffDuration, "retry-backoff-duration", argoappv1.DefaultSyncRetryDuration, "Retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h)")
+	command.Flags().DurationVar(&retryBackoffMaxDuration, "retry-backoff-max-duration", argoappv1.DefaultSyncRetryMaxDuration, "Max retry backoff duration. Input needs to be a duration (e.g. 2m, 1h)")
+	command.Flags().Int64Var(&retryBackoffFactor, "retry-backoff-factor", argoappv1.DefaultSyncRetryFactor, "Factor multiplies the base duration after each failed retry")
 	command.Flags().StringVar(&strategy, "strategy", "", "Sync strategy (one of: apply|hook)")
 	command.Flags().BoolVar(&force, "force", false, "Use a force apply")
 	command.Flags().BoolVar(&async, "async", false, "Do not wait for application to sync before continuing")
@@ -1812,6 +1815,23 @@ func NewApplicationHistoryCommand(clientOpts *argocdclient.ClientOptions) *cobra
 	return command
 }
 
+func findRevisionHistory(application *argoappv1.Application, historyId int64) (*argoappv1.RevisionHistory, error) {
+	// in case if history id not passed and need fetch previous history revision
+	if historyId == -1 {
+		l := len(application.Status.History)
+		if l < 2 {
+			return nil, fmt.Errorf("Application '%s' should have at least two successful deployments", application.ObjectMeta.Name)
+		}
+		return &application.Status.History[l-2], nil
+	}
+	for _, di := range application.Status.History {
+		if di.ID == historyId {
+			return &di, nil
+		}
+	}
+	return nil, fmt.Errorf("Application '%s' does not have deployment id '%d' in history\n", application.ObjectMeta.Name, historyId)
+}
+
 // NewApplicationRollbackCommand returns a new instance of an `argocd app rollback` command
 func NewApplicationRollbackCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
@@ -1819,36 +1839,33 @@ func NewApplicationRollbackCommand(clientOpts *argocdclient.ClientOptions) *cobr
 		timeout uint
 	)
 	var command = &cobra.Command{
-		Use:   "rollback APPNAME ID",
-		Short: "Rollback application to a previous deployed version by History ID",
+		Use:   "rollback APPNAME [ID]",
+		Short: "Rollback application to a previous deployed version by History ID, omitted will Rollback to the previous version",
 		Run: func(c *cobra.Command, args []string) {
-			if len(args) != 2 {
+			if len(args) == 0 {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
 			appName := args[0]
-			depID, err := strconv.Atoi(args[1])
-			errors.CheckError(err)
+			var err error
+			depID := -1
+			if len(args) > 1 {
+				depID, err = strconv.Atoi(args[1])
+				errors.CheckError(err)
+			}
 			acdClient := argocdclient.NewClientOrDie(clientOpts)
 			conn, appIf := acdClient.NewApplicationClientOrDie()
 			defer argoio.Close(conn)
 			ctx := context.Background()
 			app, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &appName})
 			errors.CheckError(err)
-			var depInfo *argoappv1.RevisionHistory
-			for _, di := range app.Status.History {
-				if di.ID == int64(depID) {
-					depInfo = &di
-					break
-				}
-			}
-			if depInfo == nil {
-				log.Fatalf("Application '%s' does not have deployment id '%d' in history\n", app.ObjectMeta.Name, depID)
-			}
+
+			depInfo, err := findRevisionHistory(app, int64(depID))
+			errors.CheckError(err)
 
 			_, err = appIf.Rollback(ctx, &applicationpkg.ApplicationRollbackRequest{
 				Name:  &appName,
-				ID:    int64(depID),
+				ID:    depInfo.ID,
 				Prune: prune,
 			})
 			errors.CheckError(err)

cmd/argocd/commands/app_test.go

@@ -0,0 +1,163 @@
+package commands
+
+import (
+	"testing"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+func TestFindRevisionHistoryWithoutPassedId(t *testing.T) {
+
+	histories := v1alpha1.RevisionHistories{}
+
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 1})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 2})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 3})
+
+	status := v1alpha1.ApplicationStatus{
+		Resources:      nil,
+		Sync:           v1alpha1.SyncStatus{},
+		Health:         v1alpha1.HealthStatus{},
+		History:        histories,
+		Conditions:     nil,
+		ReconciledAt:   nil,
+		OperationState: nil,
+		ObservedAt:     nil,
+		SourceType:     "",
+		Summary:        v1alpha1.ApplicationSummary{},
+	}
+
+	application := v1alpha1.Application{
+		Status: status,
+	}
+
+	history, err := findRevisionHistory(&application, -1)
+
+	if err != nil {
+		t.Fatal("Find revision history should fail without errors")
+	}
+
+	if history == nil {
+		t.Fatal("History should be found")
+	}
+
+}
+
+func TestFindRevisionHistoryWithoutPassedIdAndEmptyHistoryList(t *testing.T) {
+
+	histories := v1alpha1.RevisionHistories{}
+
+	status := v1alpha1.ApplicationStatus{
+		Resources:      nil,
+		Sync:           v1alpha1.SyncStatus{},
+		Health:         v1alpha1.HealthStatus{},
+		History:        histories,
+		Conditions:     nil,
+		ReconciledAt:   nil,
+		OperationState: nil,
+		ObservedAt:     nil,
+		SourceType:     "",
+		Summary:        v1alpha1.ApplicationSummary{},
+	}
+
+	application := v1alpha1.Application{
+		Status: status,
+	}
+
+	history, err := findRevisionHistory(&application, -1)
+
+	if err == nil {
+		t.Fatal("Find revision history should fail with errors")
+	}
+
+	if history != nil {
+		t.Fatal("History should be empty")
+	}
+
+	if err.Error() != "Application '' should have at least two successful deployments" {
+		t.Fatal("Find revision history should fail with correct error message")
+	}
+
+}
+
+func TestFindRevisionHistoryWithPassedId(t *testing.T) {
+
+	histories := v1alpha1.RevisionHistories{}
+
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 1})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 2})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 3, Revision: "123"})
+
+	status := v1alpha1.ApplicationStatus{
+		Resources:      nil,
+		Sync:           v1alpha1.SyncStatus{},
+		Health:         v1alpha1.HealthStatus{},
+		History:        histories,
+		Conditions:     nil,
+		ReconciledAt:   nil,
+		OperationState: nil,
+		ObservedAt:     nil,
+		SourceType:     "",
+		Summary:        v1alpha1.ApplicationSummary{},
+	}
+
+	application := v1alpha1.Application{
+		Status: status,
+	}
+
+	history, err := findRevisionHistory(&application, 3)
+
+	if err != nil {
+		t.Fatal("Find revision history should fail without errors")
+	}
+
+	if history == nil {
+		t.Fatal("History should be found")
+	}
+
+	if history.Revision != "123" {
+		t.Fatal("Failed to find correct history with correct revision")
+	}
+
+}
+
+func TestFindRevisionHistoryWithPassedIdThatNotExist(t *testing.T) {
+
+	histories := v1alpha1.RevisionHistories{}
+
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 1})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 2})
+	histories = append(histories, v1alpha1.RevisionHistory{ID: 3, Revision: "123"})
+
+	status := v1alpha1.ApplicationStatus{
+		Resources:      nil,
+		Sync:           v1alpha1.SyncStatus{},
+		Health:         v1alpha1.HealthStatus{},
+		History:        histories,
+		Conditions:     nil,
+		ReconciledAt:   nil,
+		OperationState: nil,
+		ObservedAt:     nil,
+		SourceType:     "",
+		Summary:        v1alpha1.ApplicationSummary{},
+	}
+
+	application := v1alpha1.Application{
+		Status: status,
+	}
+
+	history, err := findRevisionHistory(&application, 4)
+
+	if err == nil {
+		t.Fatal("Find revision history should fail with errors")
+	}
+
+	if history != nil {
+		t.Fatal("History should be not found")
+	}
+
+	if err.Error() != "Application '' does not have deployment id '4' in history\n" {
+		t.Fatal("Find revision history should fail with correct error message")
+	}
+
+}

cmd/argocd/commands/cluster.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 	"text/tabwriter"
 
+	"github.com/mattn/go-isatty"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/kubernetes"
@@ -17,6 +18,7 @@ import (
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	clusterpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/cluster"
 	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/cli"
 	"github.com/argoproj/argo-cd/v2/util/clusterauth"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 	"github.com/argoproj/argo-cd/v2/util/io"
@@ -56,7 +58,8 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 // NewClusterAddCommand returns a new instance of an `argocd cluster add` command
 func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientcmd.PathOptions) *cobra.Command {
 	var (
-		clusterOpts cmdutil.ClusterOptions
+		clusterOpts      cmdutil.ClusterOptions
+		skipConfirmation bool
 	)
 	var command = &cobra.Command{
 		Use:   "add CONTEXT",
@@ -76,6 +79,15 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 				log.Fatalf("Context %s does not exist in kubeconfig", contextName)
 			}
 
+			isTerminal := isatty.IsTerminal(os.Stdout.Fd()) || isatty.IsCygwinTerminal(os.Stdout.Fd())
+
+			if isTerminal && !skipConfirmation {
+				message := fmt.Sprintf("WARNING: This will create a service account `argocd-manager` on the cluster referenced by context `%s` with full cluster level admin privileges. Do you want to continue [y/N]? ", contextName)
+				if !cli.AskToProceed(message) {
+					os.Exit(1)
+				}
+			}
+
 			overrides := clientcmd.ConfigOverrides{
 				Context: *clstContext,
 			}
@@ -115,9 +127,9 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 			if clusterOpts.Name != "" {
 				contextName = clusterOpts.Name
 			}
-			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, conf, managerBearerToken, awsAuthConf, execProviderConf)
+			clst := cmdutil.NewCluster(contextName, clusterOpts.Namespaces, clusterOpts.ClusterResources, conf, managerBearerToken, awsAuthConf, execProviderConf)
 			if clusterOpts.InCluster {
-				clst.Server = common.KubernetesInternalAPIServerAddr
+				clst.Server = argoappv1.KubernetesInternalAPIServerAddr
 			}
 			if clusterOpts.Shard >= 0 {
 				clst.Shard = &clusterOpts.Shard
@@ -135,6 +147,7 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 	command.Flags().BoolVar(&clusterOpts.Upsert, "upsert", false, "Override an existing cluster with the same name even if the spec differs")
 	command.Flags().StringVar(&clusterOpts.ServiceAccount, "service-account", "", fmt.Sprintf("System namespace service account to use for kubernetes resource management. If not set then default \"%s\" SA will be created", clusterauth.ArgoCDManagerServiceAccount))
 	command.Flags().StringVar(&clusterOpts.SystemNamespace, "system-namespace", common.DefaultSystemNamespace, "Use different system namespace")
+	command.Flags().BoolVarP(&skipConfirmation, "yes", "y", false, "Skip explicit confirmation")
 	cmdutil.AddClusterFlags(command, &clusterOpts)
 	return command
 }

cmd/argocd/commands/headless/forward.go

@@ -0,0 +1,97 @@
+package headless
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/go-redis/redis/v8"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	repoapiclient "github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/cache"
+	"github.com/argoproj/argo-cd/v2/util/io"
+	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
+)
+
+type forwardCacheClient struct {
+	namespace string
+	init      sync.Once
+	client    cache.CacheClient
+	err       error
+}
+
+func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error) error {
+	c.init.Do(func() {
+		overrides := clientcmd.ConfigOverrides{}
+		redisPort, err := kubeutil.PortForward(6379, c.namespace, &overrides,
+			"app.kubernetes.io/name=argocd-redis-ha-haproxy", "app.kubernetes.io/name=argocd-redis")
+		if err != nil {
+			c.err = err
+			return
+		}
+
+		redisClient := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", redisPort)})
+		c.client = cache.NewRedisCache(redisClient, time.Hour)
+	})
+	if c.err != nil {
+		return c.err
+	}
+	return action(c.client)
+}
+
+func (c *forwardCacheClient) Set(item *cache.Item) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.Set(item)
+	})
+}
+
+func (c *forwardCacheClient) Get(key string, obj interface{}) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.Get(key, obj)
+	})
+}
+
+func (c *forwardCacheClient) Delete(key string) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.Delete(key)
+	})
+}
+
+func (c *forwardCacheClient) OnUpdated(ctx context.Context, key string, callback func() error) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.OnUpdated(ctx, key, callback)
+	})
+}
+
+func (c *forwardCacheClient) NotifyUpdated(key string) error {
+	return c.doLazy(func(client cache.CacheClient) error {
+		return client.NotifyUpdated(key)
+	})
+}
+
+type forwardRepoClientset struct {
+	namespace     string
+	init          sync.Once
+	repoClientset repoapiclient.Clientset
+	err           error
+}
+
+func (c *forwardRepoClientset) NewRepoServerClient() (io.Closer, repoapiclient.RepoServerServiceClient, error) {
+	c.init.Do(func() {
+		overrides := clientcmd.ConfigOverrides{}
+		repoServerPort, err := kubeutil.PortForward(8081, c.namespace, &overrides, "app.kubernetes.io/name=argocd-repo-server")
+		if err != nil {
+			c.err = err
+			return
+		}
+		c.repoClientset = apiclient.NewRepoServerClientset(fmt.Sprintf("localhost:%d", repoServerPort), 60, apiclient.TLSConfiguration{
+			DisableTLS: false, StrictValidation: false})
+	})
+	if c.err != nil {
+		return nil, nil, c.err
+	}
+	return c.repoClientset.NewRepoServerClient()
+}

cmd/argocd/commands/headless/headless.go

@@ -0,0 +1,152 @@
+package headless
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"time"
+
+	"github.com/alicebob/miniredis/v2"
+	"github.com/go-redis/redis/v8"
+	"github.com/golang/protobuf/ptypes/empty"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/util/runtime"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/tools/clientcmd"
+
+	argoapi "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
+	"github.com/argoproj/argo-cd/v2/server"
+	servercache "github.com/argoproj/argo-cd/v2/server/cache"
+	cacheutil "github.com/argoproj/argo-cd/v2/util/cache"
+	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/io"
+	"github.com/argoproj/argo-cd/v2/util/localconfig"
+)
+
+func testAPI(clientOpts *argoapi.ClientOptions) error {
+	apiClient, err := argoapi.NewClient(clientOpts)
+	if err != nil {
+		return err
+	}
+	closer, versionClient, err := apiClient.NewVersionClient()
+	if err != nil {
+		return err
+	}
+	defer io.Close(closer)
+	_, err = versionClient.Version(context.Background(), &empty.Empty{})
+	return err
+}
+
+func addKubectlFlagsToCmd(cmd *cobra.Command) clientcmd.ClientConfig {
+	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+	loadingRules.DefaultClientConfig = &clientcmd.DefaultClientConfig
+	overrides := clientcmd.ConfigOverrides{}
+	kflags := clientcmd.RecommendedConfigOverrideFlags("")
+	cmd.Flags().StringVar(&loadingRules.ExplicitPath, "kubeconfig", "", "Path to a kube config. Only required if out-of-cluster")
+	clientcmd.BindOverrideFlags(&overrides, cmd.Flags(), kflags)
+	return clientcmd.NewInteractiveDeferredLoadingClientConfig(loadingRules, &overrides, os.Stdin)
+}
+
+// InitCommand allows executing command in a headless mode: on the fly starts Argo CD API server and
+// changes provided client options to use started API server port
+func InitCommand(cmd *cobra.Command, clientOpts *argoapi.ClientOptions, port *int) *cobra.Command {
+	ctx, cancel := context.WithCancel(context.Background())
+	clientConfig := addKubectlFlagsToCmd(cmd)
+	cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
+		startInProcessAPI := clientOpts.Core
+		if !startInProcessAPI {
+			localCfg, err := localconfig.ReadLocalConfig(clientOpts.ConfigPath)
+			if err != nil {
+				return err
+			}
+			if localCfg != nil {
+				configCtx, err := localCfg.ResolveContext(clientOpts.Context)
+				if err != nil {
+					return err
+				}
+				startInProcessAPI = configCtx.Server.Core
+			}
+		}
+		if !startInProcessAPI {
+			return nil
+		}
+
+		// get rid of logging error handler
+		runtime.ErrorHandlers = runtime.ErrorHandlers[1:]
+		cli.SetLogLevel(log.ErrorLevel.String())
+		log.SetLevel(log.ErrorLevel)
+		os.Setenv(v1alpha1.EnvVarFakeInClusterConfig, "true")
+		if port == nil || *port == 0 {
+			ln, err := net.Listen("tcp", "localhost:0")
+			if err != nil {
+				return err
+			}
+			port = &ln.Addr().(*net.TCPAddr).Port
+			io.Close(ln)
+		}
+
+		restConfig, err := clientConfig.ClientConfig()
+		if err != nil {
+			return err
+		}
+		appClientset, err := appclientset.NewForConfig(restConfig)
+		if err != nil {
+			return err
+		}
+		kubeClientset, err := kubernetes.NewForConfig(restConfig)
+		if err != nil {
+			return err
+		}
+
+		namespace, _, err := clientConfig.Namespace()
+		if err != nil {
+			return err
+		}
+
+		mr, err := miniredis.Run()
+		if err != nil {
+			return err
+		}
+
+		appstateCache := appstatecache.NewCache(cacheutil.NewCache(&forwardCacheClient{namespace: namespace}), time.Hour)
+		srv := server.NewServer(ctx, server.ArgoCDServerOpts{
+			EnableGZip:    false,
+			Namespace:     namespace,
+			ListenPort:    *port,
+			AppClientset:  appClientset,
+			DisableAuth:   true,
+			RedisClient:   redis.NewClient(&redis.Options{Addr: mr.Addr()}),
+			Cache:         servercache.NewCache(appstateCache, 0, 0, 0),
+			KubeClientset: kubeClientset,
+			Insecure:      true,
+			ListenHost:    "localhost",
+			RepoClientset: &forwardRepoClientset{namespace: namespace},
+		})
+
+		go srv.Run(ctx, *port, 0)
+		clientOpts.ServerAddr = fmt.Sprintf("localhost:%d", *port)
+		clientOpts.PlainText = true
+		if !cache.WaitForCacheSync(ctx.Done(), srv.Initialized) {
+			log.Fatal("Timed out waiting for project cache to sync")
+		}
+		tries := 5
+		for i := 0; i < tries; i++ {
+			err = testAPI(clientOpts)
+			if err == nil {
+				break
+			}
+			time.Sleep(time.Second)
+		}
+		return err
+	}
+	cmd.PostRun = func(cmd *cobra.Command, args []string) {
+		cancel()
+	}
+	return cmd
+}

cmd/argocd/commands/login.go

@@ -45,16 +45,26 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 		Use:   "login SERVER",
 		Short: "Log in to Argo CD",
 		Long:  "Log in to Argo CD",
+		Example: `# Login to Argo CD using a username and password
+argocd login cd.argoproj.io
+
+# Login to Argo CD using SSO
+argocd login cd.argoproj.io --sso
+
+# Configure direct access using Kubernetes API server
+argocd login cd.argoproj.io --core`,
 		Run: func(c *cobra.Command, args []string) {
 			var server string
 
-			if len(args) != 1 && !globalClientOpts.PortForward {
+			if len(args) != 1 && !globalClientOpts.PortForward && !globalClientOpts.Core {
 				c.HelpFunc()(c, args)
 				os.Exit(1)
 			}
 
 			if globalClientOpts.PortForward {
 				server = "port-forward"
+			} else if globalClientOpts.Core {
+				server = "kubernetes"
 			} else {
 				server = args[0]
 				tlsTestResult, err := grpc_util.TestTLS(server)
@@ -86,9 +96,6 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 				PortForwardNamespace: globalClientOpts.PortForwardNamespace,
 				Headers:              globalClientOpts.Headers,
 			}
-			acdClient := argocdclient.NewClientOrDie(&clientOpts)
-			setConn, setIf := acdClient.NewSettingsClientOrDie()
-			defer io.Close(setConn)
 
 			if ctxName == "" {
 				ctxName = server
@@ -101,28 +108,32 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 			// Perform the login
 			var tokenString string
 			var refreshToken string
-			if !sso {
-				tokenString = passwordLogin(acdClient, username, password)
-			} else {
-				ctx := context.Background()
-				httpClient, err := acdClient.HTTPClient()
+			if !globalClientOpts.Core {
+				acdClient := argocdclient.NewClientOrDie(&clientOpts)
+				setConn, setIf := acdClient.NewSettingsClientOrDie()
+				defer io.Close(setConn)
+				if !sso {
+					tokenString = passwordLogin(acdClient, username, password)
+				} else {
+					ctx := context.Background()
+					httpClient, err := acdClient.HTTPClient()
+					errors.CheckError(err)
+					ctx = oidc.ClientContext(ctx, httpClient)
+					acdSet, err := setIf.Get(ctx, &settingspkg.SettingsQuery{})
+					errors.CheckError(err)
+					oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
+					errors.CheckError(err)
+					tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
+				}
+				parser := &jwt.Parser{
+					ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
+				}
+				claims := jwt.MapClaims{}
+				_, _, err := parser.ParseUnverified(tokenString, &claims)
 				errors.CheckError(err)
-				ctx = oidc.ClientContext(ctx, httpClient)
-				acdSet, err := setIf.Get(ctx, &settingspkg.SettingsQuery{})
-				errors.CheckError(err)
-				oauth2conf, provider, err := acdClient.OIDCConfig(ctx, acdSet)
-				errors.CheckError(err)
-				tokenString, refreshToken = oauth2Login(ctx, ssoPort, acdSet.GetOIDCConfig(), oauth2conf, provider)
+				fmt.Printf("'%s' logged in successfully\n", userDisplayName(claims))
 			}
 
-			parser := &jwt.Parser{
-				ValidationHelper: jwt.NewValidationHelper(jwt.WithoutClaimsValidation(), jwt.WithoutAudienceValidation()),
-			}
-			claims := jwt.MapClaims{}
-			_, _, err := parser.ParseUnverified(tokenString, &claims)
-			errors.CheckError(err)
-
-			fmt.Printf("'%s' logged in successfully\n", userDisplayName(claims))
 			// login successful. Persist the config
 			localCfg, err := localconfig.ReadLocalConfig(globalClientOpts.ConfigPath)
 			errors.CheckError(err)
@@ -135,6 +146,7 @@ func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Comman
 				Insecure:        globalClientOpts.Insecure,
 				GRPCWeb:         globalClientOpts.GRPCWeb,
 				GRPCWebRootPath: globalClientOpts.GRPCWebRootPath,
+				Core:            globalClientOpts.Core,
 			})
 			localCfg.UpsertUser(localconfig.User{
 				Name:         ctxName,
@@ -188,7 +200,10 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 	// completionChan is to signal flow completed. Non-empty string indicates error
 	completionChan := make(chan string)
 	// stateNonce is an OAuth2 state nonce
-	stateNonce := rand.RandString(10)
+	// According to the spec (https://www.rfc-editor.org/rfc/rfc6749#section-10.10), this must be guessable with
+	// probability <= 2^(-128). The following call generates one of 52^24 random strings, ~= 2^136 possibilities.
+	stateNonce, err := rand.String(24)
+	errors.CheckError(err)
 	var tokenString string
 	var refreshToken string
 
@@ -198,7 +213,8 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 	}
 
 	// PKCE implementation of https://tools.ietf.org/html/rfc7636
-	codeVerifier := rand.RandStringCharset(43, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
+	codeVerifier, err := rand.StringFromCharset(43, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
+	errors.CheckError(err)
 	codeChallengeHash := sha256.Sum256([]byte(codeVerifier))
 	codeChallenge := base64.RawURLEncoding.EncodeToString(codeChallengeHash[:])
 
@@ -282,7 +298,8 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 		opts = append(opts, oauth2.SetAuthURLParam("code_challenge_method", "S256"))
 		url = oauth2conf.AuthCodeURL(stateNonce, opts...)
 	case oidcutil.GrantTypeImplicit:
-		url = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...)
+		url, err = oidcutil.ImplicitFlowURL(oauth2conf, stateNonce, opts...)
+		errors.CheckError(err)
 	default:
 		log.Fatalf("Unsupported grant type: %v", grantType)
 	}

cmd/argocd/commands/project_role.go

@@ -265,7 +265,7 @@ func NewProjectRoleCreateTokenCommand(clientOpts *argocdclient.ClientOptions) *c
 		},
 	}
 	command.Flags().StringVarP(&expiresIn, "expires-in", "e", "",
-		"Duration before the token will expire, eg \"12h\", \"7d\". (Default: No expiration)",
+		"Duration before the token will expire, e.g. \"12h\", \"7d\". (Default: No expiration)",
 	)
 	command.Flags().StringVarP(&tokenID, "id", "i", "", "Token unique identifier. (Default: Random UUID)")
 	command.Flags().BoolVarP(&outputTokenOnly, "token-only", "t", false, "Output token only - for use in scripts.")

cmd/argocd/commands/repo.go

@@ -58,10 +58,10 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
   argocd repo add https://git.example.com/repos/repo --username git --password secret --insecure-skip-server-verification
 
   # Add a public Helm repository named 'stable' via HTTPS
-  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable  
+  argocd repo add https://charts.helm.sh/stable --type helm --name stable  
 
   # Add a private Helm repository named 'stable' via HTTPS
-  argocd repo add https://kubernetes-charts.storage.googleapis.com --type helm --name stable --username test --password test
+  argocd repo add https://charts.helm.sh/stable --type helm --name stable --username test --password test
 
   # Add a private Helm OCI-based repository named 'stable' via HTTPS
   argocd repo add helm-oci-registry.cn-zhangjiakou.cr.aliyuncs.com --type helm --name stable --enable-oci --username test --password test
@@ -144,6 +144,7 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			repoOpts.Repo.GithubAppId = repoOpts.GithubAppId
 			repoOpts.Repo.GithubAppInstallationId = repoOpts.GithubAppInstallationId
 			repoOpts.Repo.GitHubAppEnterpriseBaseURL = repoOpts.GitHubAppEnterpriseBaseURL
+			repoOpts.Repo.Proxy = repoOpts.Proxy
 
 			if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
 				errors.CheckError(fmt.Errorf("Must specify --name for repos of type 'helm'"))
@@ -180,6 +181,7 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				GithubAppID:                repoOpts.Repo.GithubAppId,
 				GithubAppInstallationID:    repoOpts.Repo.GithubAppInstallationId,
 				GithubAppEnterpriseBaseUrl: repoOpts.Repo.GitHubAppEnterpriseBaseURL,
+				Proxy:                      repoOpts.Proxy,
 			}
 			_, err := repoIf.ValidateAccess(context.Background(), &repoAccessReq)
 			errors.CheckError(err)

cmd/argocd/commands/repocreds.go

@@ -10,6 +10,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 
+	"github.com/argoproj/argo-cd/v2/common"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	repocredspkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/repocreds"
 	appsv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -59,6 +60,9 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 
   # Add credentials with GitHub App authentication to use for all repositories under https://ghe.example.com/repos
   argocd repocreds add https://ghe.example.com/repos/ --github-app-id 1 --github-app-installation-id 2 --github-app-private-key-path test.private-key.pem --github-app-enterprise-base-url https://ghe.example.com/api/v3
+
+  # Add credentials with helm oci registry so that these oci registry urls do not need to be added as repos individually.
+  argocd repocreds add localhost:5000/myrepo --enable-oci --type helm 
 `
 
 	var command = &cobra.Command{
@@ -151,6 +155,8 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 	command.Flags().StringVar(&githubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
 	command.Flags().StringVar(&repo.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
 	command.Flags().BoolVar(&upsert, "upsert", false, "Override an existing repository with the same name even if the spec differs")
+	command.Flags().BoolVar(&repo.EnableOCI, "enable-oci", false, "Specifies whether helm-oci support should be enabled for this repo")
+	command.Flags().StringVar(&repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
 	return command
 }
 

cmd/argocd/commands/root.go

@@ -4,6 +4,8 @@ import (
 	"github.com/spf13/cobra"
 	"k8s.io/client-go/tools/clientcmd"
 
+	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/admin"
+	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless"
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	"github.com/argoproj/argo-cd/v2/util/cli"
@@ -38,19 +40,20 @@ func NewCommand() *cobra.Command {
 	}
 
 	command.AddCommand(NewCompletionCommand())
-	command.AddCommand(NewVersionCmd(&clientOpts))
-	command.AddCommand(NewClusterCommand(&clientOpts, pathOpts))
-	command.AddCommand(NewApplicationCommand(&clientOpts))
+	command.AddCommand(headless.InitCommand(NewVersionCmd(&clientOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewClusterCommand(&clientOpts, pathOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewApplicationCommand(&clientOpts), &clientOpts, nil))
 	command.AddCommand(NewLoginCommand(&clientOpts))
 	command.AddCommand(NewReloginCommand(&clientOpts))
-	command.AddCommand(NewRepoCommand(&clientOpts))
-	command.AddCommand(NewRepoCredsCommand(&clientOpts))
+	command.AddCommand(headless.InitCommand(NewRepoCommand(&clientOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewRepoCredsCommand(&clientOpts), &clientOpts, nil))
 	command.AddCommand(NewContextCommand(&clientOpts))
-	command.AddCommand(NewProjectCommand(&clientOpts))
-	command.AddCommand(NewAccountCommand(&clientOpts))
+	command.AddCommand(headless.InitCommand(NewProjectCommand(&clientOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewAccountCommand(&clientOpts), &clientOpts, nil))
 	command.AddCommand(NewLogoutCommand(&clientOpts))
-	command.AddCommand(NewCertCommand(&clientOpts))
-	command.AddCommand(NewGPGCommand(&clientOpts))
+	command.AddCommand(headless.InitCommand(NewCertCommand(&clientOpts), &clientOpts, nil))
+	command.AddCommand(headless.InitCommand(NewGPGCommand(&clientOpts), &clientOpts, nil))
+	command.AddCommand(admin.NewAdminCommand())
 
 	defaultLocalConfigPath, err := localconfig.DefaultLocalConfigPath()
 	errors.CheckError(err)
@@ -69,5 +72,7 @@ func NewCommand() *cobra.Command {
 	command.PersistentFlags().StringSliceVarP(&clientOpts.Headers, "header", "H", []string{}, "Sets additional header to all requests made by Argo CD CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers)")
 	command.PersistentFlags().BoolVar(&clientOpts.PortForward, "port-forward", config.GetBoolFlag("port-forward"), "Connect to a random argocd-server port using port forwarding")
 	command.PersistentFlags().StringVar(&clientOpts.PortForwardNamespace, "port-forward-namespace", config.GetFlag("port-forward-namespace", ""), "Namespace name which should be used for port forwarding")
+	command.PersistentFlags().IntVar(&clientOpts.HttpRetryMax, "http-retry-max", 0, "Maximum number of retries to establish http connection to Argo CD server")
+	command.PersistentFlags().BoolVar(&clientOpts.Core, "core", false, "If set to true then CLI talks directly to Kubernetes instead of talking to Argo CD API server")
 	return command
 }

cmd/main.go

@@ -11,7 +11,6 @@ import (
 	dex "github.com/argoproj/argo-cd/v2/cmd/argocd-dex/commands"
 	reposerver "github.com/argoproj/argo-cd/v2/cmd/argocd-repo-server/commands"
 	apiserver "github.com/argoproj/argo-cd/v2/cmd/argocd-server/commands"
-	util "github.com/argoproj/argo-cd/v2/cmd/argocd-util/commands"
 	cli "github.com/argoproj/argo-cd/v2/cmd/argocd/commands"
 )
 
@@ -29,8 +28,6 @@ func main() {
 	switch binaryName {
 	case "argocd", "argocd-linux-amd64", "argocd-darwin-amd64", "argocd-windows-amd64.exe":
 		command = cli.NewCommand()
-	case "argocd-util", "argocd-util-linux-amd64", "argocd-util-darwin-amd64", "argocd-util-windows-amd64.exe":
-		command = util.NewCommand()
 	case "argocd-server":
 		command = apiserver.NewCommand()
 	case "argocd-application-controller":
@@ -40,21 +37,7 @@ func main() {
 	case "argocd-dex":
 		command = dex.NewCommand()
 	default:
-		if len(os.Args[1:]) > 0 {
-			// trying to guess between argocd and argocd-util by matching sub command
-			for _, cmd := range []*cobra.Command{cli.NewCommand(), util.NewCommand()} {
-				if _, _, err := cmd.Find(os.Args[1:]); err == nil {
-					command = cmd
-					break
-				}
-			}
-		}
-
-		if command == nil {
-			fmt.Printf("Unknown binary name '%s'.Use '%s' environment variable to specify required binary name "+
-				"(possible values 'argocd' or 'argocd-util').\n", binaryName, binaryNameEnv)
-			os.Exit(1)
-		}
+		command = cli.NewCommand()
 	}
 
 	if err := command.Execute(); err != nil {

cmd/util/app.go

@@ -15,7 +15,6 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/utils/pointer"
 
-	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/util/config"
@@ -24,50 +23,52 @@ import (
 )
 
 type AppOptions struct {
-	repoURL                    string
-	appPath                    string
-	chart                      string
-	env                        string
-	revision                   string
-	revisionHistoryLimit       int
-	destName                   string
-	destServer                 string
-	destNamespace              string
-	Parameters                 []string
-	valuesFiles                []string
-	values                     string
-	releaseName                string
-	helmSets                   []string
-	helmSetStrings             []string
-	helmSetFiles               []string
-	helmVersion                string
-	project                    string
-	syncPolicy                 string
-	syncOptions                []string
-	autoPrune                  bool
-	selfHeal                   bool
-	allowEmpty                 bool
-	namePrefix                 string
-	nameSuffix                 string
-	directoryRecurse           bool
-	configManagementPlugin     string
-	jsonnetTlaStr              []string
-	jsonnetTlaCode             []string
-	jsonnetExtVarStr           []string
-	jsonnetExtVarCode          []string
-	jsonnetLibs                []string
-	kustomizeImages            []string
-	kustomizeVersion           string
-	kustomizeCommonLabels      []string
-	kustomizeCommonAnnotations []string
-	pluginEnvs                 []string
-	Validate                   bool
-	directoryExclude           string
-	directoryInclude           string
-	retryLimit                 int64
-	retryBackoffDuration       time.Duration
-	retryBackoffMaxDuration    time.Duration
-	retryBackoffFactor         int64
+	repoURL                         string
+	appPath                         string
+	chart                           string
+	env                             string
+	revision                        string
+	revisionHistoryLimit            int
+	destName                        string
+	destServer                      string
+	destNamespace                   string
+	Parameters                      []string
+	valuesFiles                     []string
+	values                          string
+	releaseName                     string
+	helmSets                        []string
+	helmSetStrings                  []string
+	helmSetFiles                    []string
+	helmVersion                     string
+	project                         string
+	syncPolicy                      string
+	syncOptions                     []string
+	autoPrune                       bool
+	selfHeal                        bool
+	allowEmpty                      bool
+	namePrefix                      string
+	nameSuffix                      string
+	directoryRecurse                bool
+	configManagementPlugin          string
+	jsonnetTlaStr                   []string
+	jsonnetTlaCode                  []string
+	jsonnetExtVarStr                []string
+	jsonnetExtVarCode               []string
+	jsonnetLibs                     []string
+	kustomizeImages                 []string
+	kustomizeVersion                string
+	kustomizeCommonLabels           []string
+	kustomizeCommonAnnotations      []string
+	kustomizeForceCommonLabels      bool
+	kustomizeForceCommonAnnotations bool
+	pluginEnvs                      []string
+	Validate                        bool
+	directoryExclude                string
+	directoryInclude                string
+	retryLimit                      int64
+	retryBackoffDuration            time.Duration
+	retryBackoffMaxDuration         time.Duration
+	retryBackoffFactor              int64
 }
 
 func AddAppFlags(command *cobra.Command, opts *AppOptions) {
@@ -76,7 +77,7 @@ func AddAppFlags(command *cobra.Command, opts *AppOptions) {
 	command.Flags().StringVar(&opts.chart, "helm-chart", "", "Helm Chart name")
 	command.Flags().StringVar(&opts.env, "env", "", "Application environment to monitor")
 	command.Flags().StringVar(&opts.revision, "revision", "", "The tracking source branch, tag, commit or Helm chart version the application will sync to")
-	command.Flags().IntVar(&opts.revisionHistoryLimit, "revision-history-limit", common.RevisionHistoryLimit, "How many items to keep in revision history")
+	command.Flags().IntVar(&opts.revisionHistoryLimit, "revision-history-limit", argoappv1.RevisionHistoryLimit, "How many items to keep in revision history")
 	command.Flags().StringVar(&opts.destServer, "dest-server", "", "K8s cluster URL (e.g. https://kubernetes.default.svc)")
 	command.Flags().StringVar(&opts.destName, "dest-name", "", "K8s cluster Name (e.g. minikube)")
 	command.Flags().StringVar(&opts.destNamespace, "dest-namespace", "", "K8s target namespace (overrides the namespace specified in the ksonnet app.yaml)")
@@ -109,12 +110,14 @@ func AddAppFlags(command *cobra.Command, opts *AppOptions) {
 	command.Flags().BoolVar(&opts.Validate, "validate", true, "Validation of repo and cluster")
 	command.Flags().StringArrayVar(&opts.kustomizeCommonLabels, "kustomize-common-label", []string{}, "Set common labels in Kustomize")
 	command.Flags().StringArrayVar(&opts.kustomizeCommonAnnotations, "kustomize-common-annotation", []string{}, "Set common labels in Kustomize")
+	command.Flags().BoolVar(&opts.kustomizeForceCommonLabels, "kustomize-force-common-label", false, "Force common labels in Kustomize")
+	command.Flags().BoolVar(&opts.kustomizeForceCommonAnnotations, "kustomize-force-common-annotation", false, "Force common annotations in Kustomize")
 	command.Flags().StringVar(&opts.directoryExclude, "directory-exclude", "", "Set glob expression used to exclude files from application source path")
 	command.Flags().StringVar(&opts.directoryInclude, "directory-include", "", "Set glob expression used to include files from application source path")
 	command.Flags().Int64Var(&opts.retryLimit, "sync-retry-limit", 0, "Max number of allowed sync retries")
-	command.Flags().DurationVar(&opts.retryBackoffDuration, "sync-retry-backoff-duration", common.DefaultSyncRetryDuration, "Sync retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h)")
-	command.Flags().DurationVar(&opts.retryBackoffMaxDuration, "sync-retry-backoff-max-duration", common.DefaultSyncRetryMaxDuration, "Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h)")
-	command.Flags().Int64Var(&opts.retryBackoffFactor, "sync-retry-backoff-factor", common.DefaultSyncRetryFactor, "Factor multiplies the base duration after each failed sync retry")
+	command.Flags().DurationVar(&opts.retryBackoffDuration, "sync-retry-backoff-duration", argoappv1.DefaultSyncRetryDuration, "Sync retry backoff base duration. Input needs to be a duration (e.g. 2m, 1h)")
+	command.Flags().DurationVar(&opts.retryBackoffMaxDuration, "sync-retry-backoff-max-duration", argoappv1.DefaultSyncRetryMaxDuration, "Max sync retry backoff duration. Input needs to be a duration (e.g. 2m, 1h)")
+	command.Flags().Int64Var(&opts.retryBackoffFactor, "sync-retry-backoff-factor", argoappv1.DefaultSyncRetryFactor, "Factor multiplies the base duration after each failed sync retry")
 }
 
 func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, appOpts *AppOptions) int {
@@ -203,6 +206,10 @@ func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, ap
 			parsedAnnotations, err := label.Parse(appOpts.kustomizeCommonAnnotations)
 			errors.CheckError(err)
 			setKustomizeOpt(&spec.Source, kustomizeOpts{commonAnnotations: parsedAnnotations})
+		case "kustomize-force-common-label":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{forceCommonLabels: appOpts.kustomizeForceCommonLabels})
+		case "kustomize-force-common-annotation":
+			setKustomizeOpt(&spec.Source, kustomizeOpts{forceCommonAnnotations: appOpts.kustomizeForceCommonAnnotations})
 		case "jsonnet-tla-str":
 			setJsonnetOpt(&spec.Source, appOpts.jsonnetTlaStr, false)
 		case "jsonnet-tla-code":
@@ -307,12 +314,14 @@ func setKsonnetOpt(src *argoappv1.ApplicationSource, env *string) {
 }
 
 type kustomizeOpts struct {
-	namePrefix        string
-	nameSuffix        string
-	images            []string
-	version           string
-	commonLabels      map[string]string
-	commonAnnotations map[string]string
+	namePrefix             string
+	nameSuffix             string
+	images                 []string
+	version                string
+	commonLabels           map[string]string
+	commonAnnotations      map[string]string
+	forceCommonLabels      bool
+	forceCommonAnnotations bool
 }
 
 func setKustomizeOpt(src *argoappv1.ApplicationSource, opts kustomizeOpts) {
@@ -334,6 +343,12 @@ func setKustomizeOpt(src *argoappv1.ApplicationSource, opts kustomizeOpts) {
 	if opts.commonAnnotations != nil {
 		src.Kustomize.CommonAnnotations = opts.commonAnnotations
 	}
+	if opts.forceCommonLabels {
+		src.Kustomize.ForceCommonLabels = opts.forceCommonLabels
+	}
+	if opts.forceCommonAnnotations {
+		src.Kustomize.ForceCommonAnnotations = opts.forceCommonAnnotations
+	}
 	for _, image := range opts.images {
 		src.Kustomize.MergeImage(argoappv1.KustomizeImage(image))
 	}
@@ -522,7 +537,7 @@ func readAppFromURI(fileURL string, app *argoappv1.Application) error {
 	return err
 }
 
-func ConstructApp(fileURL, appName string, labels, args []string, appOpts AppOptions, flags *pflag.FlagSet) (*argoappv1.Application, error) {
+func ConstructApp(fileURL, appName string, labels, annotations, args []string, appOpts AppOptions, flags *pflag.FlagSet) (*argoappv1.Application, error) {
 	var app argoappv1.Application
 	if fileURL == "-" {
 		// read stdin
@@ -548,6 +563,7 @@ func ConstructApp(fileURL, appName string, labels, args []string, appOpts AppOpt
 		SetAppSpecOptions(flags, &app.Spec, &appOpts)
 		SetParameterOverrides(&app, appOpts.Parameters)
 		mergeLabels(&app, labels)
+		setAnnotations(&app, annotations)
 	} else {
 		// read arguments
 		if len(args) == 1 {
@@ -568,6 +584,7 @@ func ConstructApp(fileURL, appName string, labels, args []string, appOpts AppOpt
 		SetAppSpecOptions(flags, &app.Spec, &appOpts)
 		SetParameterOverrides(&app, appOpts.Parameters)
 		mergeLabels(&app, labels)
+		setAnnotations(&app, annotations)
 	}
 	return &app, nil
 }
@@ -588,3 +605,17 @@ func mergeLabels(app *argoappv1.Application, labels []string) {
 
 	app.SetLabels(mergedLabels)
 }
+
+func setAnnotations(app *argoappv1.Application, annotations []string) {
+	if len(annotations) > 0 && app.Annotations == nil {
+		app.Annotations = map[string]string{}
+	}
+	for _, a := range annotations {
+		annotation := strings.SplitN(a, "=", 2)
+		if len(annotation) == 2 {
+			app.Annotations[annotation[0]] = annotation[1]
+		} else {
+			app.Annotations[annotation[0]] = ""
+		}
+	}
+}

cmd/util/app_test.go

@@ -172,3 +172,21 @@ func Test_setAppSpecOptions(t *testing.T) {
 		assert.Nil(t, f.spec.SyncPolicy.Retry)
 	})
 }
+
+func Test_setAnnotations(t *testing.T) {
+	t.Run("Annotations", func(t *testing.T) {
+		app := v1alpha1.Application{}
+		setAnnotations(&app, []string{"hoge=foo", "huga=bar"})
+		assert.Equal(t, map[string]string{"hoge": "foo", "huga": "bar"}, app.Annotations)
+	})
+	t.Run("Annotations value contains equal", func(t *testing.T) {
+		app := v1alpha1.Application{}
+		setAnnotations(&app, []string{"hoge=foo=bar"})
+		assert.Equal(t, map[string]string{"hoge": "foo=bar"}, app.Annotations)
+	})
+	t.Run("Annotations empty value", func(t *testing.T) {
+		app := v1alpha1.Application{}
+		setAnnotations(&app, []string{"hoge"})
+		assert.Equal(t, map[string]string{"hoge": ""}, app.Annotations)
+	})
+}

cmd/util/cluster.go

@@ -55,7 +55,7 @@ func PrintKubeContexts(ca clientcmd.ConfigAccess) {
 	}
 }
 
-func NewCluster(name string, namespaces []string, conf *rest.Config, managerBearerToken string, awsAuthConf *argoappv1.AWSAuthConfig, execProviderConf *argoappv1.ExecProviderConfig) *argoappv1.Cluster {
+func NewCluster(name string, namespaces []string, clusterResources bool, conf *rest.Config, managerBearerToken string, awsAuthConf *argoappv1.AWSAuthConfig, execProviderConf *argoappv1.ExecProviderConfig) *argoappv1.Cluster {
 	tlsClientConfig := argoappv1.TLSClientConfig{
 		Insecure:   conf.TLSClientConfig.Insecure,
 		ServerName: conf.TLSClientConfig.ServerName,
@@ -80,9 +80,10 @@ func NewCluster(name string, namespaces []string, conf *rest.Config, managerBear
 	}
 
 	clst := argoappv1.Cluster{
-		Server:     conf.Host,
-		Name:       name,
-		Namespaces: namespaces,
+		Server:           conf.Host,
+		Name:             name,
+		Namespaces:       namespaces,
+		ClusterResources: clusterResources,
 		Config: argoappv1.ClusterConfig{
 			TLSClientConfig:    tlsClientConfig,
 			AWSAuthConfig:      awsAuthConf,
@@ -108,6 +109,7 @@ type ClusterOptions struct {
 	AwsClusterName          string
 	SystemNamespace         string
 	Namespaces              []string
+	ClusterResources        bool
 	Name                    string
 	Shard                   int64
 	ExecProviderCommand     string
@@ -122,6 +124,7 @@ func AddClusterFlags(command *cobra.Command, opts *ClusterOptions) {
 	command.Flags().StringVar(&opts.AwsClusterName, "aws-cluster-name", "", "AWS Cluster name if set then aws cli eks token command will be used to access cluster")
 	command.Flags().StringVar(&opts.AwsRoleArn, "aws-role-arn", "", "Optional AWS role arn. If set then AWS IAM Authenticator assumes a role to perform cluster operations instead of the default AWS credential provider chain.")
 	command.Flags().StringArrayVar(&opts.Namespaces, "namespace", nil, "List of namespaces which are allowed to manage")
+	command.Flags().BoolVar(&opts.ClusterResources, "cluster-resources", false, "Indicates if cluster level resources should be managed. The setting is used only if list of managed namespaces is not empty.")
 	command.Flags().StringVar(&opts.Name, "name", "", "Overwrite the cluster name")
 	command.Flags().Int64Var(&opts.Shard, "shard", -1, "Cluster shard number; inferred from hostname if not set")
 	command.Flags().StringVar(&opts.ExecProviderCommand, "exec-command", "", "Command to run to provide client credentials to the cluster. You may need to build a custom ArgoCD image to ensure the command is available at runtime.")

cmd/util/cluster_test.go

@@ -11,7 +11,7 @@ import (
 )
 
 func Test_newCluster(t *testing.T) {
-	clusterWithData := NewCluster("test-cluster", []string{"test-namespace"}, &rest.Config{
+	clusterWithData := NewCluster("test-cluster", []string{"test-namespace"}, false, &rest.Config{
 		TLSClientConfig: rest.TLSClientConfig{
 			Insecure:   false,
 			ServerName: "test-endpoint.example.com",
@@ -29,7 +29,7 @@ func Test_newCluster(t *testing.T) {
 	assert.Equal(t, "test-key-data", string(clusterWithData.Config.KeyData))
 	assert.Equal(t, "", clusterWithData.Config.BearerToken)
 
-	clusterWithFiles := NewCluster("test-cluster", []string{"test-namespace"}, &rest.Config{
+	clusterWithFiles := NewCluster("test-cluster", []string{"test-namespace"}, false, &rest.Config{
 		TLSClientConfig: rest.TLSClientConfig{
 			Insecure:   false,
 			ServerName: "test-endpoint.example.com",
@@ -47,7 +47,7 @@ func Test_newCluster(t *testing.T) {
 	assert.True(t, strings.Contains(string(clusterWithFiles.Config.KeyData), "test-key-data"))
 	assert.Equal(t, "", clusterWithFiles.Config.BearerToken)
 
-	clusterWithBearerToken := NewCluster("test-cluster", []string{"test-namespace"}, &rest.Config{
+	clusterWithBearerToken := NewCluster("test-cluster", []string{"test-namespace"}, false, &rest.Config{
 		TLSClientConfig: rest.TLSClientConfig{
 			Insecure:   false,
 			ServerName: "test-endpoint.example.com",

cmd/util/common.go

@@ -1,85 +1,6 @@
 package util
 
-import (
-	"encoding/json"
-	"fmt"
-
-	"github.com/ghodss/yaml"
-	v1 "k8s.io/api/core/v1"
-
-	"github.com/argoproj/gitops-engine/pkg/utils/kube"
-)
-
 var (
 	LogFormat string
 	LogLevel  string
 )
-
-// PrintResource prints a single resource in YAML or JSON format to stdout according to the output format
-func PrintResources(resources []interface{}, output string) error {
-	for i, resource := range resources {
-		filteredResource, err := omitFields(resource)
-		if err != nil {
-			return err
-		}
-		resources[i] = filteredResource
-	}
-	var obj interface{} = resources
-	if len(resources) == 1 {
-		obj = resources[0]
-	}
-
-	switch output {
-	case "json":
-		jsonBytes, err := json.MarshalIndent(obj, "", "  ")
-		if err != nil {
-			return err
-		}
-
-		fmt.Println(string(jsonBytes))
-	case "yaml":
-		yamlBytes, err := yaml.Marshal(obj)
-		if err != nil {
-			return err
-		}
-		// marshaled YAML already ends with the new line character
-		fmt.Print(string(yamlBytes))
-	default:
-		return fmt.Errorf("unknown output format: %s", output)
-	}
-	return nil
-}
-
-// omit fields such as status, creationTimestamp and metadata.namespace in k8s objects
-func omitFields(resource interface{}) (interface{}, error) {
-	jsonBytes, err := json.Marshal(resource)
-	if err != nil {
-		return nil, err
-	}
-
-	toMap := make(map[string]interface{})
-	err = json.Unmarshal([]byte(string(jsonBytes)), &toMap)
-	if err != nil {
-		return nil, err
-	}
-
-	delete(toMap, "status")
-	if v, ok := toMap["metadata"]; ok {
-		if metadata, ok := v.(map[string]interface{}); ok {
-			delete(metadata, "creationTimestamp")
-			delete(metadata, "namespace")
-		}
-	}
-	return toMap, nil
-}
-
-// ConvertSecretData converts kubernetes secret's data to stringData
-func ConvertSecretData(secret *v1.Secret) {
-	secret.Kind = kube.SecretKind
-	secret.APIVersion = "v1"
-	secret.StringData = map[string]string{}
-	for k, v := range secret.Data {
-		secret.StringData[k] = string(v)
-	}
-	secret.Data = map[string][]byte{}
-}

cmd/util/repo.go

@@ -21,6 +21,7 @@ type RepoOptions struct {
 	GithubAppInstallationId        int64
 	GithubAppPrivateKeyPath        string
 	GitHubAppEnterpriseBaseURL     string
+	Proxy                          string
 }
 
 func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
@@ -39,4 +40,5 @@ func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
 	command.Flags().Int64Var(&opts.GithubAppInstallationId, "github-app-installation-id", 0, "installation id of the GitHub Application")
 	command.Flags().StringVar(&opts.GithubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
 	command.Flags().StringVar(&opts.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
+	command.Flags().StringVar(&opts.Proxy, "proxy", "", "use proxy to access repository")
 }

common/common.go

@@ -2,7 +2,6 @@ package common
 
 import (
 	"os"
-	"strconv"
 	"time"
 )
 
@@ -57,30 +56,23 @@ const (
 	DefaultAppConfigPath = "/app/config"
 )
 
-const (
-	DefaultSyncRetryDuration    = 5 * time.Second
-	DefaultSyncRetryMaxDuration = 3 * time.Minute
-	DefaultSyncRetryFactor      = int64(2)
-)
-
 // Argo CD application related constants
 const (
-	// KubernetesInternalAPIServerAddr is address of the k8s API server when accessing internal to the cluster
-	KubernetesInternalAPIServerAddr = "https://kubernetes.default.svc"
-	// DefaultAppProjectName contains name of 'default' app project, which is available in every Argo CD installation
-	DefaultAppProjectName = "default"
+
 	// ArgoCDAdminUsername is the username of the 'admin' user
 	ArgoCDAdminUsername = "admin"
 	// ArgoCDUserAgentName is the default user-agent name used by the gRPC API client library and grpc-gateway
 	ArgoCDUserAgentName = "argocd-client"
 	// AuthCookieName is the HTTP cookie name where we store our auth token
 	AuthCookieName = "argocd.token"
-	// RevisionHistoryLimit is the max number of successful sync to keep in history
-	RevisionHistoryLimit = 10
+
 	// ChangePasswordSSOTokenMaxAge is the max token age for password change operation
 	ChangePasswordSSOTokenMaxAge = time.Minute * 5
 	// GithubAppCredsExpirationDuration is the default time used to cache the GitHub app credentials
 	GithubAppCredsExpirationDuration = time.Minute * 60
+
+	// PasswordPatten is the default password patten
+	PasswordPatten = `^.{8,32}$`
 )
 
 // Dex related constants
@@ -110,37 +102,24 @@ const (
 	// LabelKeyAppInstance is the label key to use to uniquely identify the instance of an application
 	// The Argo CD application name is used as the instance name
 	LabelKeyAppInstance = "app.kubernetes.io/instance"
-	// LegacyLabelApplicationName is the legacy label (v0.10 and below) and is superceded by 'app.kubernetes.io/instance'
+	// LabelKeyLegacyApplicationName is the legacy label (v0.10 and below) and is superseded by 'app.kubernetes.io/instance'
 	LabelKeyLegacyApplicationName = "applications.argoproj.io/app-name"
-	// LabelKeySecretType contains the type of argocd secret (currently: 'cluster')
+	// LabelKeySecretType contains the type of argocd secret (currently: 'cluster', 'repository', 'repo-config' or 'repo-creds')
 	LabelKeySecretType = "argocd.argoproj.io/secret-type"
 	// LabelValueSecretTypeCluster indicates a secret type of cluster
 	LabelValueSecretTypeCluster = "cluster"
+	// LabelValueSecretTypeRepository indicates a secret type of repository
+	LabelValueSecretTypeRepository = "repository"
+	// LabelValueSecretTypeRepoCreds indicates a secret type of repository credentials
+	LabelValueSecretTypeRepoCreds = "repo-creds"
 
 	// AnnotationCompareOptions is a comma-separated list of options for comparison
 	AnnotationCompareOptions = "argocd.argoproj.io/compare-options"
 
-	// AnnotationKeyRefresh is the annotation key which indicates that app needs to be refreshed. Removed by application controller after app is refreshed.
-	// Might take values 'normal'/'hard'. Value 'hard' means manifest cache and target cluster state cache should be invalidated before refresh.
-	AnnotationKeyRefresh = "argocd.argoproj.io/refresh"
 	// AnnotationKeyManagedBy is annotation name which indicates that k8s resource is managed by an application.
 	AnnotationKeyManagedBy = "managed-by"
 	// AnnotationValueManagedByArgoCD is a 'managed-by' annotation value for resources managed by Argo CD
 	AnnotationValueManagedByArgoCD = "argocd.argoproj.io"
-	// ResourcesFinalizerName is the finalizer value which we inject to finalize deletion of an application
-	ResourcesFinalizerName = "resources-finalizer.argocd.argoproj.io"
-
-	// ForegroundPropagationPolicyFinalizer is the finalizer we inject to delete application with foreground propagation policy
-	ForegroundPropagationPolicyFinalizer = "resources-finalizer.argocd.argoproj.io/foreground"
-
-	// BackgroundPropagationPolicyFinalizer is the finalizer we inject to delete application with background propagation policy
-	BackgroundPropagationPolicyFinalizer = "resources-finalizer.argocd.argoproj.io/background"
-
-	// AnnotationKeyManifestGeneratePaths is an annotation that contains a list of semicolon-separated paths in the
-	// manifests repository that affects the manifest generation. Paths might be either relative or absolute. The
-	// absolute path means an absolute path within the repository and the relative path is relative to the application
-	// source path within the repository.
-	AnnotationKeyManifestGeneratePaths = "argocd.argoproj.io/manifest-generate-paths"
 
 	// AnnotationKeyLinkPrefix tells the UI to add an external link icon to the application node
 	// that links to the value given in the annotation.
@@ -159,9 +138,6 @@ const (
 	EnvVarSSODebug = "ARGOCD_SSO_DEBUG"
 	// EnvVarRBACDebug is an environment variable to enable additional RBAC debugging in the API server
 	EnvVarRBACDebug = "ARGOCD_RBAC_DEBUG"
-	// EnvVarFakeInClusterConfig is an environment variable to fake an in-cluster RESTConfig using
-	// the current kubectl context (for development purposes)
-	EnvVarFakeInClusterConfig = "ARGOCD_FAKE_IN_CLUSTER"
 	// Overrides the location where SSH known hosts for repo access data is stored
 	EnvVarSSHDataPath = "ARGOCD_SSH_DATA_PATH"
 	// Overrides the location where TLS certificate for repo access data is stored
@@ -170,14 +146,6 @@ const (
 	EnvGitAttemptsCount = "ARGOCD_GIT_ATTEMPTS_COUNT"
 	// Overrides git submodule support, true by default
 	EnvGitSubmoduleEnabled = "ARGOCD_GIT_MODULES_ENABLED"
-	// EnvK8sClientQPS is the QPS value used for the kubernetes client (default: 50)
-	EnvK8sClientQPS = "ARGOCD_K8S_CLIENT_QPS"
-	// EnvK8sClientBurst is the burst value used for the kubernetes client (default: twice the client QPS)
-	EnvK8sClientBurst = "ARGOCD_K8S_CLIENT_BURST"
-	// EnvClusterCacheResyncDuration is the env variable that holds cluster cache re-sync duration
-	EnvClusterCacheResyncDuration = "ARGOCD_CLUSTER_CACHE_RESYNC_DURATION"
-	// EnvK8sClientMaxIdleConnections is the number of max idle connections in K8s REST client HTTP transport (default: 500)
-	EnvK8sClientMaxIdleConnections = "ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS"
 	// EnvGnuPGHome is the path to ArgoCD's GnuPG keyring for signature verification
 	EnvGnuPGHome = "ARGOCD_GNUPGHOME"
 	// EnvWatchAPIBufferSize is the buffer size used to transfer K8S watch events to watch API consumer
@@ -200,6 +168,10 @@ const (
 	EnvHelmIndexCacheDuration = "ARGOCD_HELM_INDEX_CACHE_DURATION"
 	// EnvRepoServerConfigPath allows to override the configuration path for repo server
 	EnvAppConfigPath = "ARGOCD_APP_CONF_PATH"
+	// EnvLogFormat log format that is defined by `--logformat` option
+	EnvLogFormat = "ARGOCD_LOG_FORMAT"
+	// EnvLogLevel log level that is defined by `--loglevel` option
+	EnvLogLevel = "ARGOCD_LOG_LEVEL"
 )
 
 const (
@@ -220,40 +192,3 @@ func GetGnuPGHomePath() string {
 		return gnuPgHome
 	}
 }
-
-var (
-	// K8sClientConfigQPS controls the QPS to be used in K8s REST client configs
-	K8sClientConfigQPS float32 = 50
-	// K8sClientConfigBurst controls the burst to be used in K8s REST client configs
-	K8sClientConfigBurst int = 100
-	// K8sMaxIdleConnections controls the number of max idle connections in K8s REST client HTTP transport
-	K8sMaxIdleConnections = 500
-	// K8sMaxIdleConnections controls the duration of cluster cache refresh
-	K8SClusterResyncDuration = 12 * time.Hour
-)
-
-func init() {
-	if envQPS := os.Getenv(EnvK8sClientQPS); envQPS != "" {
-		if qps, err := strconv.ParseFloat(envQPS, 32); err != nil {
-			K8sClientConfigQPS = float32(qps)
-		}
-	}
-	if envBurst := os.Getenv(EnvK8sClientBurst); envBurst != "" {
-		if burst, err := strconv.Atoi(envBurst); err != nil {
-			K8sClientConfigBurst = burst
-		}
-	} else {
-		K8sClientConfigBurst = 2 * int(K8sClientConfigQPS)
-	}
-
-	if envMaxConn := os.Getenv(EnvK8sClientMaxIdleConnections); envMaxConn != "" {
-		if maxConn, err := strconv.Atoi(envMaxConn); err != nil {
-			K8sMaxIdleConnections = maxConn
-		}
-	}
-	if clusterResyncDurationStr := os.Getenv(EnvClusterCacheResyncDuration); clusterResyncDurationStr != "" {
-		if duration, err := time.ParseDuration(clusterResyncDurationStr); err == nil {
-			K8SClusterResyncDuration = duration
-		}
-	}
-}

controller/OWNERS

@@ -0,0 +1,2 @@
+owners:
+- alexmt

controller/appcontroller.go

@@ -28,6 +28,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
 	apiruntime "k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -39,7 +40,6 @@ import (
 	// make sure to register workqueue prometheus metrics
 	_ "k8s.io/component-base/metrics/prometheus/workqueue"
 
-	"github.com/argoproj/argo-cd/v2/common"
 	statecache "github.com/argoproj/argo-cd/v2/controller/cache"
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
@@ -66,6 +66,8 @@ const (
 type CompareWith int
 
 const (
+	// Compare live application state against state defined in latest git revision with no resolved revision caching.
+	CompareWithLatestForceResolve CompareWith = 3
 	// Compare live application state against state defined in latest git revision.
 	CompareWithLatest CompareWith = 2
 	// Compare live application state against state defined using revision of most recent comparison.
@@ -354,8 +356,12 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 				},
 			})
 		} else {
-			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, kube.GetResourceKey(live), func(child appv1.ResourceNode, appName string) {
+			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, kube.GetResourceKey(live), func(child appv1.ResourceNode, appName string) bool {
+				if !proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination) {
+					return false
+				}
 				nodes = append(nodes, child)
+				return true
 			})
 			if err != nil {
 				return nil, err
@@ -365,16 +371,18 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 	orphanedNodes := make([]appv1.ResourceNode, 0)
 	for k := range orphanedNodesMap {
 		if k.Namespace != "" && proj.IsGroupKindPermitted(k.GroupKind(), true) && !isKnownOrphanedResourceExclusion(k, proj) {
-			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, k, func(child appv1.ResourceNode, appName string) {
+			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, k, func(child appv1.ResourceNode, appName string) bool {
 				belongToAnotherApp := false
 				if appName != "" {
 					if _, exists, err := ctrl.appInformer.GetIndexer().GetByKey(ctrl.namespace + "/" + appName); exists && err == nil {
 						belongToAnotherApp = true
 					}
 				}
-				if !belongToAnotherApp {
-					orphanedNodes = append(orphanedNodes, child)
+				if belongToAnotherApp || !proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination) {
+					return false
 				}
+				orphanedNodes = append(orphanedNodes, child)
+				return true
 			})
 			if err != nil {
 				return nil, err
@@ -517,7 +525,7 @@ func (ctrl *ApplicationController) managedResources(comparisonResult *comparison
 			}
 			resDiffPtr, err := diff.Diff(target, live,
 				diff.WithNormalizer(comparisonResult.diffNormalizer),
-				diff.WithLogr(logutils.NewLogrusLogger(log.New())),
+				diff.WithLogr(logutils.NewLogrusLogger(logutils.NewWithCurrentConfig())),
 				diff.IgnoreAggregatedRoles(compareOptions.IgnoreAggregatedRoles))
 			if err != nil {
 				return nil, err
@@ -667,7 +675,7 @@ func (ctrl *ApplicationController) processAppOperationQueueItem() (processNext b
 	if app.Operation != nil {
 		// If we get here, we are about process an operation but we cannot rely on informer since it might has stale data.
 		// So always retrieve the latest version to ensure it is not stale to avoid unnecessary syncing.
-		// This code should be deleted when https://github.com/argoproj/argo-cd/pull/6294 is implemented.
+		// We cannot rely on informer since applications might be updated by both application controller and api server.
 		freshApp, err := ctrl.applicationClientset.ArgoprojV1alpha1().Applications(ctrl.namespace).Get(context.Background(), app.ObjectMeta.Name, metav1.GetOptions{})
 		if err != nil {
 			log.Errorf("Failed to retrieve latest application state: %v", err)
@@ -766,7 +774,6 @@ func (ctrl *ApplicationController) finalizeProjectDeletion(proj *appv1.AppProjec
 	for i := range apps {
 		if apps[i].Spec.GetProject() == proj.Name {
 			appsCount++
-			break
 		}
 	}
 	if appsCount == 0 {
@@ -824,79 +831,100 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 		return nil, err
 	}
 
-	err = argo.ValidateDestination(context.Background(), &app.Spec.Destination, ctrl.db)
-	if err != nil {
-		return nil, err
-	}
+	// validDestination is true if the Application destination points to a cluster that is managed by Argo CD
+	// (and thus either a cluster secret exists for it, or it's local); validDestination is false otherwise.
+	validDestination := true
 
-	objsMap, err := ctrl.getPermittedAppLiveObjects(app, proj)
-	if err != nil {
-		return nil, err
+	// Validate the cluster using the Application destination's `name` field, if applicable,
+	// and set the Server field, if needed.
+	if err := argo.ValidateDestination(context.Background(), &app.Spec.Destination, ctrl.db); err != nil {
+		log.Warnf("Unable to validate destination of the Application being deleted: %v", err)
+		validDestination = false
 	}
 
 	objs := make([]*unstructured.Unstructured, 0)
-	for k := range objsMap {
-		// Wait for objects pending deletion to complete before proceeding with next sync wave
-		if objsMap[k].GetDeletionTimestamp() != nil {
+	var cluster *appv1.Cluster
+
+	// Attempt to validate the destination via its URL
+	if validDestination {
+		if cluster, err = ctrl.db.GetCluster(context.Background(), app.Spec.Destination.Server); err != nil {
+			log.Warnf("Unable to locate cluster URL for Application being deleted: %v", err)
+			validDestination = false
+		}
+	}
+
+	if validDestination {
+		// ApplicationDestination points to a valid cluster, so we may clean up the live objects
+
+		objsMap, err := ctrl.getPermittedAppLiveObjects(app, proj)
+		if err != nil {
+			return nil, err
+		}
+
+		for k := range objsMap {
+			// Wait for objects pending deletion to complete before proceeding with next sync wave
+			if objsMap[k].GetDeletionTimestamp() != nil {
+				logCtx.Infof("%d objects remaining for deletion", len(objsMap))
+				return objs, nil
+			}
+
+			if ctrl.shouldBeDeleted(app, objsMap[k]) {
+				objs = append(objs, objsMap[k])
+			}
+		}
+
+		config := metrics.AddMetricsTransportWrapper(ctrl.metricsServer, app, cluster.RESTConfig())
+
+		filteredObjs := FilterObjectsForDeletion(objs)
+
+		propagationPolicy := metav1.DeletePropagationForeground
+		if app.GetPropagationPolicy() == appv1.BackgroundPropagationPolicyFinalizer {
+			propagationPolicy = metav1.DeletePropagationBackground
+		}
+		logCtx.Infof("Deleting application's resources with %s propagation policy", propagationPolicy)
+
+		err = kube.RunAllAsync(len(filteredObjs), func(i int) error {
+			obj := filteredObjs[i]
+			return ctrl.kubectl.DeleteResource(context.Background(), config, obj.GroupVersionKind(), obj.GetName(), obj.GetNamespace(), metav1.DeleteOptions{PropagationPolicy: &propagationPolicy})
+		})
+		if err != nil {
+			return objs, err
+		}
+
+		objsMap, err = ctrl.getPermittedAppLiveObjects(app, proj)
+		if err != nil {
+			return nil, err
+		}
+
+		for k, obj := range objsMap {
+			if !ctrl.shouldBeDeleted(app, obj) {
+				delete(objsMap, k)
+			}
+		}
+		if len(objsMap) > 0 {
 			logCtx.Infof("%d objects remaining for deletion", len(objsMap))
 			return objs, nil
 		}
-		if ctrl.shouldBeDeleted(app, objsMap[k]) {
-			objs = append(objs, objsMap[k])
-		}
 	}
 
-	cluster, err := ctrl.db.GetCluster(context.Background(), app.Spec.Destination.Server)
-	if err != nil {
-		return nil, err
-	}
-	config := metrics.AddMetricsTransportWrapper(ctrl.metricsServer, app, cluster.RESTConfig())
-
-	filteredObjs := FilterObjectsForDeletion(objs)
-
-	propagationPolicy := metav1.DeletePropagationForeground
-	if app.GetPropagationPolicy() == common.BackgroundPropagationPolicyFinalizer {
-		propagationPolicy = metav1.DeletePropagationBackground
-	}
-	logCtx.Infof("Deleting application's resources with %s propagation policy", propagationPolicy)
-
-	err = kube.RunAllAsync(len(filteredObjs), func(i int) error {
-		obj := filteredObjs[i]
-		return ctrl.kubectl.DeleteResource(context.Background(), config, obj.GroupVersionKind(), obj.GetName(), obj.GetNamespace(), metav1.DeleteOptions{PropagationPolicy: &propagationPolicy})
-	})
-	if err != nil {
+	if err := ctrl.cache.SetAppManagedResources(app.Name, nil); err != nil {
 		return objs, err
 	}
 
-	objsMap, err = ctrl.getPermittedAppLiveObjects(app, proj)
-	if err != nil {
-		return nil, err
-	}
-
-	for k, obj := range objsMap {
-		if !ctrl.shouldBeDeleted(app, obj) {
-			delete(objsMap, k)
-		}
-	}
-	if len(objsMap) > 0 {
-		logCtx.Infof("%d objects remaining for deletion", len(objsMap))
-		return objs, nil
-	}
-	err = ctrl.cache.SetAppManagedResources(app.Name, nil)
-	if err != nil {
-		return objs, err
-	}
-	err = ctrl.cache.SetAppResourcesTree(app.Name, nil)
-	if err != nil {
+	if err := ctrl.cache.SetAppResourcesTree(app.Name, nil); err != nil {
 		return objs, err
 	}
 
-	err = ctrl.removeCascadeFinalizer(app)
-	if err != nil {
+	if err := ctrl.removeCascadeFinalizer(app); err != nil {
 		return objs, err
 	}
 
-	logCtx.Infof("Successfully deleted %d resources", len(objs))
+	if validDestination {
+		logCtx.Infof("Successfully deleted %d resources", len(objs))
+	} else {
+		logCtx.Infof("Resource entries removed from undefined cluster")
+	}
+
 	ctrl.projectRefreshQueue.Add(fmt.Sprintf("%s/%s", app.Namespace, app.Spec.GetProject()))
 	return objs, nil
 }
@@ -1028,7 +1056,7 @@ func (ctrl *ApplicationController) processRequestedAppOperation(app *appv1.Appli
 	}
 
 	ctrl.setOperationState(app, state)
-	if state.Phase.Completed() && !app.Operation.Sync.DryRun {
+	if state.Phase.Completed() && (app.Operation.Sync != nil && !app.Operation.Sync.DryRun) {
 		// if we just completed an operation, force a refresh so that UI will report up-to-date
 		// sync/health information
 		if _, err := cache.MetaNamespaceKeyFunc(app); err == nil {
@@ -1041,7 +1069,7 @@ func (ctrl *ApplicationController) processRequestedAppOperation(app *appv1.Appli
 }
 
 func (ctrl *ApplicationController) setOperationState(app *appv1.Application, state *appv1.OperationState) {
-	kube.RetryUntilSucceed(context.Background(), updateOperationStateTimeout, "Update application operation state", logutils.NewLogrusLogger(log.New()), func() error {
+	kube.RetryUntilSucceed(context.Background(), updateOperationStateTimeout, "Update application operation state", logutils.NewLogrusLogger(logutils.NewWithCurrentConfig()), func() error {
 		if state.Phase == "" {
 			// expose any bugs where we neglect to set phase
 			panic("no phase was set")
@@ -1163,7 +1191,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	if comparisonLevel == ComparisonWithNothing {
 		managedResources := make([]*appv1.ResourceDiff, 0)
 		if err := ctrl.cache.GetAppManagedResources(app.Name, &managedResources); err != nil {
-			logCtx.Warnf("Failed to get cached managed resources for tree reconciliation, fallback to full reconciliation")
+			logCtx.Warnf("Failed to get cached managed resources for tree reconciliation, fall back to full reconciliation")
 		} else {
 			var tree *appv1.ApplicationTree
 			if tree, err = ctrl.getResourceTree(app, managedResources); err == nil {
@@ -1184,6 +1212,13 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		app.Status.Sync.Status = appv1.SyncStatusCodeUnknown
 		app.Status.Health.Status = health.HealthStatusUnknown
 		ctrl.persistAppStatus(origApp, &app.Status)
+
+		if err := ctrl.cache.SetAppResourcesTree(app.Name, &appv1.ApplicationTree{}); err != nil {
+			log.Warnf("failed to set app resource tree: %v", err)
+		}
+		if err := ctrl.cache.SetAppManagedResources(app.Name, nil); err != nil {
+			log.Warnf("failed to set app managed resources tree: %v", err)
+		}
 		return
 	}
 
@@ -1198,7 +1233,9 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	}
 
 	now := metav1.Now()
-	compareResult := ctrl.appStateManager.CompareAppState(app, project, revision, app.Spec.Source, refreshType == appv1.RefreshTypeHard, localManifests)
+	compareResult := ctrl.appStateManager.CompareAppState(app, project, revision, app.Spec.Source,
+		refreshType == appv1.RefreshTypeHard,
+		comparisonLevel == CompareWithLatestForceResolve, localManifests)
 	for k, v := range compareResult.timings {
 		logCtx = logCtx.WithField(k, v.Milliseconds())
 	}
@@ -1229,7 +1266,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		logCtx.Info("Sync prevented by sync window")
 	}
 
-	if app.Status.ReconciledAt == nil || comparisonLevel == CompareWithLatest {
+	if app.Status.ReconciledAt == nil || comparisonLevel >= CompareWithLatest {
 		app.Status.ReconciledAt = &now
 	}
 	app.Status.Sync = *compareResult.syncStatus
@@ -1259,9 +1296,13 @@ func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application,
 	expired := app.Status.ReconciledAt == nil || app.Status.ReconciledAt.Add(statusRefreshTimeout).Before(time.Now().UTC())
 
 	if requestedType, ok := app.IsRefreshRequested(); ok {
+		compareWith = CompareWithLatestForceResolve
 		// user requested app refresh.
 		refreshType = requestedType
 		reason = fmt.Sprintf("%s refresh requested", refreshType)
+	} else if !app.Spec.Source.Equals(app.Status.Sync.ComparedTo.Source) {
+		reason = "spec.source differs"
+		compareWith = CompareWithLatestForceResolve
 	} else if expired {
 		// The commented line below mysteriously crashes if app.Status.ReconciledAt is nil
 		// reason = fmt.Sprintf("comparison expired. reconciledAt: %v, expiry: %v", app.Status.ReconciledAt, statusRefreshTimeout)
@@ -1271,8 +1312,6 @@ func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application,
 			reconciledAtStr = app.Status.ReconciledAt.String()
 		}
 		reason = fmt.Sprintf("comparison expired. reconciledAt: %v, expiry: %v", reconciledAtStr, statusRefreshTimeout)
-	} else if !app.Spec.Source.Equals(app.Status.Sync.ComparedTo.Source) {
-		reason = "spec.source differs"
 	} else if !app.Spec.Destination.Equals(app.Status.Sync.ComparedTo.Destination) {
 		reason = "spec.destination differs"
 	} else if requested, level := ctrl.isRefreshRequested(app.Name); requested {
@@ -1355,7 +1394,7 @@ func (ctrl *ApplicationController) persistAppStatus(orig *appv1.Application, new
 		for k, v := range orig.GetAnnotations() {
 			newAnnotations[k] = v
 		}
-		delete(newAnnotations, common.AnnotationKeyRefresh)
+		delete(newAnnotations, appv1.AnnotationKeyRefresh)
 	}
 	patch, modified, err := diff.CreateTwoWayMergePatch(
 		&appv1.Application{ObjectMeta: metav1.ObjectMeta{Annotations: orig.GetAnnotations()}, Status: orig.Status},
@@ -1550,6 +1589,12 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 			cache.NamespaceIndex: func(obj interface{}) ([]string, error) {
 				app, ok := obj.(*appv1.Application)
 				if ok {
+					// This call to 'ValidateDestination' ensures that the .spec.destination field of all Applications
+					// returned by the informer/lister will have server field set (if not already set) based on the name.
+					// (or, if not found, an error app condition)
+
+					// If the server field is not set, set it based on the cluster name; if the cluster name can't be found,
+					// log an error as an App Condition.
 					if err := argo.ValidateDestination(context.Background(), &app.Spec.Destination, ctrl.db); err != nil {
 						ctrl.setAppCondition(app, appv1.ApplicationCondition{Type: appv1.ApplicationConditionInvalidSpecError, Message: err.Error()})
 					}

controller/appcontroller_test.go

@@ -10,6 +10,7 @@ import (
 
 	clustercache "github.com/argoproj/gitops-engine/pkg/cache"
 
+	"github.com/argoproj/argo-cd/v2/common"
 	statecache "github.com/argoproj/argo-cd/v2/controller/cache"
 
 	"github.com/argoproj/gitops-engine/pkg/cache/mocks"
@@ -29,8 +30,8 @@ import (
 	kubetesting "k8s.io/client-go/testing"
 	"k8s.io/client-go/tools/cache"
 
-	"github.com/argoproj/argo-cd/v2/common"
 	mockstatecache "github.com/argoproj/argo-cd/v2/controller/cache/mocks"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/fake"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
@@ -117,6 +118,7 @@ func newFakeController(data *fakeData) *ApplicationController {
 	defer cancelApp()
 	clusterCacheMock := mocks.ClusterCache{}
 	clusterCacheMock.On("IsNamespaced", mock.Anything).Return(true, nil)
+	clusterCacheMock.On("GetOpenAPISchema").Return(nil, nil)
 
 	mockStateCache := mockstatecache.LiveStateCache{}
 	ctrl.appStateManager.(*appStateManager).liveStateCache = &mockStateCache
@@ -133,12 +135,12 @@ func newFakeController(data *fakeData) *ApplicationController {
 	mockStateCache.On("GetClusterCache", mock.Anything).Return(&clusterCacheMock, nil)
 	mockStateCache.On("IterateHierarchy", mock.Anything, mock.Anything, mock.Anything).Run(func(args mock.Arguments) {
 		key := args[1].(kube.ResourceKey)
-		action := args[2].(func(child argoappv1.ResourceNode, appName string))
+		action := args[2].(func(child argoappv1.ResourceNode, appName string) bool)
 		appName := ""
 		if res, ok := data.namespacedResources[key]; ok {
 			appName = res.AppName
 		}
-		action(argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Kind: key.Kind, Group: key.Group, Namespace: key.Namespace, Name: key.Name}}, appName)
+		_ = action(argoappv1.ResourceNode{ResourceRef: argoappv1.ResourceRef{Kind: key.Kind, Group: key.Group, Namespace: key.Namespace, Name: key.Name}}, appName)
 	}).Return(nil)
 	return ctrl
 }
@@ -632,26 +634,43 @@ func TestFinalizeAppDeletion(t *testing.T) {
 		assert.True(t, patched)
 	})
 
-	t.Run("ErrorOnBothDestNameAndServer", func(t *testing.T) {
-		app := newFakeAppWithDestMismatch()
-		appObj := kube.MustToUnstructured(&app)
-		ctrl := newFakeController(&fakeData{apps: []runtime.Object{app, &defaultProj}, managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
-			kube.GetResourceKey(appObj): appObj,
-		}})
-		fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset)
-		func() {
-			fakeAppCs.Lock()
-			defer fakeAppCs.Unlock()
+	// Create an Application with a cluster that doesn't exist
+	// Ensure it can be deleted.
+	t.Run("DeleteWithInvalidClusterName", func(t *testing.T) {
 
+		appTemplate := newFakeAppWithDestName()
+
+		testShouldDelete := func(app *argoappv1.Application) {
+			appObj := kube.MustToUnstructured(&app)
+			ctrl := newFakeController(&fakeData{apps: []runtime.Object{app, &defaultProj}, managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
+				kube.GetResourceKey(appObj): appObj,
+			}})
+
+			fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset)
 			defaultReactor := fakeAppCs.ReactionChain[0]
 			fakeAppCs.ReactionChain = nil
 			fakeAppCs.AddReactor("get", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
 				return defaultReactor.React(action)
 			})
-		}()
-		_, err := ctrl.finalizeApplicationDeletion(app)
-		assert.EqualError(t, err, "application destination can't have both name and server defined: another-cluster https://localhost:6443")
+			_, err := ctrl.finalizeApplicationDeletion(app)
+			assert.NoError(t, err)
+		}
+
+		app1 := appTemplate.DeepCopy()
+		app1.Spec.Destination.Server = "https://invalid"
+		testShouldDelete(app1)
+
+		app2 := appTemplate.DeepCopy()
+		app2.Spec.Destination.Name = "invalid"
+		testShouldDelete(app2)
+
+		app3 := appTemplate.DeepCopy()
+		app3.Spec.Destination.Name = "invalid"
+		app3.Spec.Destination.Server = "https://invalid"
+		testShouldDelete(app3)
+
 	})
+
 }
 
 // TestNormalizeApplication verifies we normalize an application during reconciliation
@@ -731,7 +750,7 @@ func TestNormalizeApplication(t *testing.T) {
 func TestHandleAppUpdated(t *testing.T) {
 	app := newFakeApp()
 	app.Spec.Destination.Namespace = test.FakeArgoCDNamespace
-	app.Spec.Destination.Server = common.KubernetesInternalAPIServerAddr
+	app.Spec.Destination.Server = argoappv1.KubernetesInternalAPIServerAddr
 	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
 
 	ctrl.handleObjectUpdated(map[string]bool{app.Name: true}, kube.GetObjectRef(kube.MustToUnstructured(app)))
@@ -749,12 +768,12 @@ func TestHandleOrphanedResourceUpdated(t *testing.T) {
 	app1 := newFakeApp()
 	app1.Name = "app1"
 	app1.Spec.Destination.Namespace = test.FakeArgoCDNamespace
-	app1.Spec.Destination.Server = common.KubernetesInternalAPIServerAddr
+	app1.Spec.Destination.Server = argoappv1.KubernetesInternalAPIServerAddr
 
 	app2 := newFakeApp()
 	app2.Name = "app2"
 	app2.Spec.Destination.Namespace = test.FakeArgoCDNamespace
-	app2.Spec.Destination.Server = common.KubernetesInternalAPIServerAddr
+	app2.Spec.Destination.Server = argoappv1.KubernetesInternalAPIServerAddr
 
 	proj := defaultProj.DeepCopy()
 	proj.Spec.OrphanedResources = &argoappv1.OrphanedResourcesMonitorSettings{}
@@ -855,7 +874,7 @@ func TestNeedRefreshAppStatus(t *testing.T) {
 	needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
 	assert.True(t, needRefresh)
 	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-	assert.Equal(t, CompareWithLatest, compareWith)
+	assert.Equal(t, CompareWithLatestForceResolve, compareWith)
 
 	{
 		// refresh app using the 'latest' level if comparison expired
@@ -866,7 +885,7 @@ func TestNeedRefreshAppStatus(t *testing.T) {
 		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Minute)
 		assert.True(t, needRefresh)
 		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-		assert.Equal(t, CompareWithLatest, compareWith)
+		assert.Equal(t, CompareWithLatestForceResolve, compareWith)
 	}
 
 	{
@@ -875,12 +894,12 @@ func TestNeedRefreshAppStatus(t *testing.T) {
 		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
 		app.Status.ReconciledAt = &reconciledAt
 		app.Annotations = map[string]string{
-			common.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
+			v1alpha1.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
 		}
 		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
 		assert.True(t, needRefresh)
 		assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
-		assert.Equal(t, CompareWithLatest, compareWith)
+		assert.Equal(t, CompareWithLatestForceResolve, compareWith)
 	}
 
 	{
@@ -898,7 +917,7 @@ func TestNeedRefreshAppStatus(t *testing.T) {
 		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour)
 		assert.True(t, needRefresh)
 		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-		assert.Equal(t, CompareWithLatest, compareWith)
+		assert.Equal(t, CompareWithLatestForceResolve, compareWith)
 	}
 }
 

controller/cache/cache.go

@@ -3,8 +3,10 @@ package cache
 import (
 	"context"
 	"fmt"
+	"os"
 	"reflect"
 	"sync"
+	"time"
 
 	clustercache "github.com/argoproj/gitops-engine/pkg/cache"
 	"github.com/argoproj/gitops-engine/pkg/health"
@@ -18,7 +20,6 @@ import (
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/tools/cache"
 
-	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/util/argo"
@@ -28,6 +29,25 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/settings"
 )
 
+const (
+	// EnvClusterCacheResyncDuration is the env variable that holds cluster cache re-sync duration
+	EnvClusterCacheResyncDuration = "ARGOCD_CLUSTER_CACHE_RESYNC_DURATION"
+)
+
+var (
+	// K8SClusterResyncDuration controls the duration of cluster cache refresh
+	K8SClusterResyncDuration = 12 * time.Hour
+)
+
+func init() {
+
+	if clusterResyncDurationStr := os.Getenv(EnvClusterCacheResyncDuration); clusterResyncDurationStr != "" {
+		if duration, err := time.ParseDuration(clusterResyncDurationStr); err == nil {
+			K8SClusterResyncDuration = duration
+		}
+	}
+}
+
 type LiveStateCache interface {
 	// Returns k8s server version
 	GetVersionsInfo(serverURL string) (string, []metav1.APIGroup, error)
@@ -36,7 +56,7 @@ type LiveStateCache interface {
 	// Returns synced cluster cache
 	GetClusterCache(server string) (clustercache.ClusterCache, error)
 	// Executes give callback against resource specified by the key and all its children
-	IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) error
+	IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string) bool) error
 	// Returns state of live nodes which correspond for target nodes of specified application.
 	GetManagedLiveObjs(a *appv1.Application, targetObjs []*unstructured.Unstructured) (map[kube.ResourceKey]*unstructured.Unstructured, error)
 	// IterateResources iterates all resource stored in cache
@@ -267,9 +287,10 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 
 	clusterCache = clustercache.NewClusterCache(cluster.RESTConfig(),
 		clustercache.SetListSemaphore(c.listSemaphore),
-		clustercache.SetResyncTimeout(common.K8SClusterResyncDuration),
+		clustercache.SetResyncTimeout(K8SClusterResyncDuration),
 		clustercache.SetSettings(cacheSettings.clusterSettings),
 		clustercache.SetNamespaces(cluster.Namespaces),
+		clustercache.SetClusterResources(cluster.ClusterResources),
 		clustercache.SetPopulateResourceInfoHandler(func(un *unstructured.Unstructured, isRoot bool) (interface{}, bool) {
 			res := &ResourceInfo{}
 			populateNodeInfo(un, res)
@@ -350,13 +371,13 @@ func (c *liveStateCache) IsNamespaced(server string, gk schema.GroupKind) (bool,
 	return clusterInfo.IsNamespaced(gk)
 }
 
-func (c *liveStateCache) IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string)) error {
+func (c *liveStateCache) IterateHierarchy(server string, key kube.ResourceKey, action func(child appv1.ResourceNode, appName string) bool) error {
 	clusterInfo, err := c.getSyncedCluster(server)
 	if err != nil {
 		return err
 	}
-	clusterInfo.IterateHierarchy(key, func(resource *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) {
-		action(asResourceNode(resource), getApp(resource, namespaceResources))
+	clusterInfo.IterateHierarchy(key, func(resource *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) bool {
+		return action(asResourceNode(resource), getApp(resource, namespaceResources))
 	})
 	return nil
 }
@@ -469,7 +490,7 @@ func (c *liveStateCache) Init() error {
 func (c *liveStateCache) Run(ctx context.Context) error {
 	go c.watchSettings(ctx)
 
-	kube.RetryUntilSucceed(ctx, clustercache.ClusterRetryTimeout, "watch clusters", logutils.NewLogrusLogger(log.New()), func() error {
+	kube.RetryUntilSucceed(ctx, clustercache.ClusterRetryTimeout, "watch clusters", logutils.NewLogrusLogger(logutils.NewWithCurrentConfig()), func() error {
 		return c.db.WatchClusters(ctx, c.handleAddEvent, c.handleModEvent, c.handleDeleteEvent)
 	})
 
@@ -524,6 +545,9 @@ func (c *liveStateCache) handleModEvent(oldCluster *appv1.Cluster, newCluster *a
 		if !reflect.DeepEqual(oldCluster.Namespaces, newCluster.Namespaces) {
 			updateSettings = append(updateSettings, clustercache.SetNamespaces(newCluster.Namespaces))
 		}
+		if !reflect.DeepEqual(oldCluster.ClusterResources, newCluster.ClusterResources) {
+			updateSettings = append(updateSettings, clustercache.SetClusterResources(newCluster.ClusterResources))
+		}
 		forceInvalidate := false
 		if newCluster.RefreshRequestedAt != nil &&
 			cluster.GetClusterInfo().LastCacheSyncTime != nil &&

controller/cache/info.go

@@ -146,6 +146,17 @@ func populateIngressInfo(un *unstructured.Unstructured, res *ResourceInfo) {
 						tlshost := tlsline["host"]
 						if tlshost == host {
 							stringPort = "https"
+							continue
+						}
+						if hosts := tlsline["hosts"]; hosts != nil {
+							tlshosts, ok := tlsline["hosts"].(map[string]interface{})
+							if ok {
+								for j := range tlshosts {
+									if tlshosts[j] == host {
+										stringPort = "https"
+									}
+								}
+							}
 						}
 					}
 				}

controller/cache/mocks/LiveStateCache.go

@@ -178,11 +178,11 @@ func (_m *LiveStateCache) IsNamespaced(server string, gk schema.GroupKind) (bool
 }
 
 // IterateHierarchy provides a mock function with given fields: server, key, action
-func (_m *LiveStateCache) IterateHierarchy(server string, key kube.ResourceKey, action func(v1alpha1.ResourceNode, string)) error {
+func (_m *LiveStateCache) IterateHierarchy(server string, key kube.ResourceKey, action func(v1alpha1.ResourceNode, string) bool) error {
 	ret := _m.Called(server, key, action)
 
 	var r0 error
-	if rf, ok := ret.Get(0).(func(string, kube.ResourceKey, func(v1alpha1.ResourceNode, string)) error); ok {
+	if rf, ok := ret.Get(0).(func(string, kube.ResourceKey, func(v1alpha1.ResourceNode, string) bool) error); ok {
 		r0 = rf(server, key, action)
 	} else {
 		r0 = ret.Error(0)

controller/clusterinfoupdater.go

@@ -106,6 +106,7 @@ func (c *clusterInfoUpdater) updateClusterInfo(cluster appv1.Cluster, info *cach
 	}
 	if info != nil {
 		clusterInfo.ServerVersion = info.K8SVersion
+		clusterInfo.APIVersions = argo.APIGroupsToVersions(info.APIGroups)
 		if info.LastCacheSyncTime == nil {
 			clusterInfo.ConnectionState.Status = appv1.ConnectionStatusUnknown
 		} else if info.SyncError == nil {

controller/health.go

@@ -0,0 +1,64 @@
+package controller
+
+import (
+	"github.com/argoproj/gitops-engine/pkg/health"
+	hookutil "github.com/argoproj/gitops-engine/pkg/sync/hook"
+	"github.com/argoproj/gitops-engine/pkg/sync/ignore"
+	kubeutil "github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
+	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/lua"
+)
+
+// setApplicationHealth updates the health statuses of all resources performed in the comparison
+func setApplicationHealth(resources []managedResource, statuses []appv1.ResourceStatus, resourceOverrides map[string]appv1.ResourceOverride, app *appv1.Application) (*appv1.HealthStatus, error) {
+	var savedErr error
+	appHealth := appv1.HealthStatus{Status: health.HealthStatusHealthy}
+	for i, res := range resources {
+		if res.Target != nil && hookutil.Skip(res.Target) {
+			continue
+		}
+
+		if res.Live != nil && (hookutil.IsHook(res.Live) || ignore.Ignore(res.Live)) {
+			continue
+		}
+
+		var healthStatus *health.HealthStatus
+		var err error
+		healthOverrides := lua.ResourceHealthOverrides(resourceOverrides)
+		gvk := schema.GroupVersionKind{Group: res.Group, Version: res.Version, Kind: res.Kind}
+		if res.Live == nil {
+			healthStatus = &health.HealthStatus{Status: health.HealthStatusMissing}
+		} else {
+			// App the manages itself should not affect own health
+			if isSelfReferencedApp(app, kubeutil.GetObjectRef(res.Live)) {
+				continue
+			}
+			healthStatus, err = health.GetResourceHealth(res.Live, healthOverrides)
+			if err != nil && savedErr == nil {
+				savedErr = err
+			}
+		}
+		if healthStatus != nil {
+			resHealth := appv1.HealthStatus{Status: healthStatus.Status, Message: healthStatus.Message}
+			statuses[i].Health = &resHealth
+
+			// Is health status is missing but resource has not built-in/custom health check then it should not affect parent app health
+			if _, hasOverride := healthOverrides[lua.GetConfigMapKey(gvk)]; healthStatus.Status == health.HealthStatusMissing && !hasOverride && health.GetHealthCheckFunc(gvk) == nil {
+				continue
+			}
+
+			// Missing or Unknown health status of child Argo CD app should not affect parent
+			if res.Kind == application.ApplicationKind && res.Group == application.Group && (healthStatus.Status == health.HealthStatusMissing || healthStatus.Status == health.HealthStatusUnknown) {
+				continue
+			}
+
+			if health.IsWorse(appHealth.Status, healthStatus.Status) {
+				appHealth.Status = healthStatus.Status
+			}
+		}
+	}
+	return &appHealth, savedErr
+}

controller/health_test.go

@@ -0,0 +1,161 @@
+package controller
+
+import (
+	"io/ioutil"
+	"testing"
+
+	"github.com/argoproj/gitops-engine/pkg/health"
+	synccommon "github.com/argoproj/gitops-engine/pkg/sync/common"
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
+	"github.com/ghodss/yaml"
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
+	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/lua"
+)
+
+var app = &appv1.Application{}
+
+func initStatuses(resources []managedResource) []appv1.ResourceStatus {
+	statuses := make([]appv1.ResourceStatus, len(resources))
+	for i := range resources {
+		statuses[i] = appv1.ResourceStatus{Group: resources[i].Group, Kind: resources[i].Kind, Version: resources[i].Version}
+	}
+	return statuses
+}
+
+func resourceFromFile(filePath string) unstructured.Unstructured {
+	yamlBytes, err := ioutil.ReadFile(filePath)
+	if err != nil {
+		panic(err)
+	}
+	var res unstructured.Unstructured
+	err = yaml.Unmarshal(yamlBytes, &res)
+	if err != nil {
+		panic(err)
+	}
+	return res
+}
+
+func TestSetApplicationHealth(t *testing.T) {
+	failedJob := resourceFromFile("./testdata/job-failed.yaml")
+	runningPod := resourceFromFile("./testdata/pod-running-restart-always.yaml")
+
+	resources := []managedResource{{
+		Group: "", Version: "v1", Kind: "Pod", Live: &runningPod}, {
+		Group: "batch", Version: "v1", Kind: "Job", Live: &failedJob,
+	}}
+	resourceStatuses := initStatuses(resources)
+
+	healthStatus, err := setApplicationHealth(resources, resourceStatuses, lua.ResourceHealthOverrides{}, app)
+	assert.NoError(t, err)
+	assert.Equal(t, health.HealthStatusDegraded, healthStatus.Status)
+
+	// now mark the job as a hook and retry. it should ignore the hook and consider the app healthy
+	failedJob.SetAnnotations(map[string]string{synccommon.AnnotationKeyHook: "PreSync"})
+	healthStatus, err = setApplicationHealth(resources, resourceStatuses, nil, app)
+	assert.NoError(t, err)
+	assert.Equal(t, health.HealthStatusHealthy, healthStatus.Status)
+}
+
+func TestSetApplicationHealth_MissingResource(t *testing.T) {
+	pod := resourceFromFile("./testdata/pod-running-restart-always.yaml")
+
+	resources := []managedResource{{
+		Group: "", Version: "v1", Kind: "Pod", Target: &pod}, {}}
+	resourceStatuses := initStatuses(resources)
+
+	healthStatus, err := setApplicationHealth(resources, resourceStatuses, lua.ResourceHealthOverrides{}, app)
+	assert.NoError(t, err)
+	assert.Equal(t, health.HealthStatusMissing, healthStatus.Status)
+}
+
+func TestSetApplicationHealth_MissingResourceNoBuiltHealthCheck(t *testing.T) {
+	cm := resourceFromFile("./testdata/configmap.yaml")
+
+	resources := []managedResource{{
+		Group: "", Version: "v1", Kind: "ConfigMap", Target: &cm}}
+	resourceStatuses := initStatuses(resources)
+
+	t.Run("NoOverride", func(t *testing.T) {
+		healthStatus, err := setApplicationHealth(resources, resourceStatuses, lua.ResourceHealthOverrides{}, app)
+		assert.NoError(t, err)
+		assert.Equal(t, health.HealthStatusHealthy, healthStatus.Status)
+		assert.Equal(t, resourceStatuses[0].Health.Status, health.HealthStatusMissing)
+	})
+
+	t.Run("HasOverride", func(t *testing.T) {
+		healthStatus, err := setApplicationHealth(resources, resourceStatuses, lua.ResourceHealthOverrides{
+			lua.GetConfigMapKey(schema.GroupVersionKind{Version: "v1", Kind: "ConfigMap"}): appv1.ResourceOverride{
+				HealthLua: "some health check",
+			},
+		}, app)
+		assert.NoError(t, err)
+		assert.Equal(t, health.HealthStatusMissing, healthStatus.Status)
+	})
+}
+
+func newAppLiveObj(status health.HealthStatusCode) *unstructured.Unstructured {
+	app := appv1.Application{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "foo",
+		},
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "argoproj.io/v1alpha1",
+			Kind:       "Application",
+		},
+		Status: appv1.ApplicationStatus{
+			Health: appv1.HealthStatus{
+				Status: status,
+			},
+		},
+	}
+
+	return kube.MustToUnstructured(&app)
+}
+
+func TestChildAppHealth(t *testing.T) {
+	overrides := lua.ResourceHealthOverrides{
+		lua.GetConfigMapKey(appv1.ApplicationSchemaGroupVersionKind): appv1.ResourceOverride{
+			HealthLua: `
+hs = {}
+hs.status = "Progressing"
+hs.message = ""
+if obj.status ~= nil then
+  if obj.status.health ~= nil then
+	hs.status = obj.status.health.status
+	if obj.status.health.message ~= nil then
+	  hs.message = obj.status.health.message
+	end
+  end
+end
+return hs`,
+		},
+	}
+
+	t.Run("ChildAppDegraded", func(t *testing.T) {
+		degradedApp := newAppLiveObj(health.HealthStatusDegraded)
+		resources := []managedResource{{
+			Group: application.Group, Version: "v1alpha1", Kind: application.ApplicationKind, Live: degradedApp}, {}}
+		resourceStatuses := initStatuses(resources)
+
+		healthStatus, err := setApplicationHealth(resources, resourceStatuses, overrides, app)
+		assert.NoError(t, err)
+		assert.Equal(t, health.HealthStatusDegraded, healthStatus.Status)
+	})
+
+	t.Run("ChildAppMissing", func(t *testing.T) {
+		degradedApp := newAppLiveObj(health.HealthStatusMissing)
+		resources := []managedResource{{
+			Group: application.Group, Version: "v1alpha1", Kind: application.ApplicationKind, Live: degradedApp}, {}}
+		resourceStatuses := initStatuses(resources)
+
+		healthStatus, err := setApplicationHealth(resources, resourceStatuses, overrides, app)
+		assert.NoError(t, err)
+		assert.Equal(t, health.HealthStatusHealthy, healthStatus.Status)
+	})
+}

controller/metrics/metrics.go

@@ -62,14 +62,14 @@ var (
 		descAppDefaultLabels,
 		nil,
 	)
-	// DEPRECATED: superceded by sync_status label in argocd_app_info
+	// DEPRECATED: superseded by sync_status label in argocd_app_info
 	descAppSyncStatusCode = prometheus.NewDesc(
 		"argocd_app_sync_status",
 		"The application current sync status.",
 		append(descAppDefaultLabels, "sync_status"),
 		nil,
 	)
-	// DEPRECATED: superceded by health_status label in argocd_app_info
+	// DEPRECATED: superseded by health_status label in argocd_app_info
 	descAppHealthStatus = prometheus.NewDesc(
 		"argocd_app_health_status",
 		"The application current health status.",

controller/state.go

@@ -33,7 +33,6 @@ import (
 	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
 	"github.com/argoproj/argo-cd/v2/util/db"
 	"github.com/argoproj/argo-cd/v2/util/gpg"
-	argohealth "github.com/argoproj/argo-cd/v2/util/health"
 	"github.com/argoproj/argo-cd/v2/util/io"
 	"github.com/argoproj/argo-cd/v2/util/settings"
 	"github.com/argoproj/argo-cd/v2/util/stats"
@@ -59,23 +58,9 @@ type managedResource struct {
 	ResourceVersion string
 }
 
-func GetLiveObjsForApplicationHealth(resources []managedResource, statuses []appv1.ResourceStatus) ([]*appv1.ResourceStatus, []*unstructured.Unstructured) {
-	liveObjs := make([]*unstructured.Unstructured, 0)
-	resStatuses := make([]*appv1.ResourceStatus, 0)
-	for i, resource := range resources {
-		if resource.Target != nil && hookutil.Skip(resource.Target) {
-			continue
-		}
-
-		liveObjs = append(liveObjs, resource.Live)
-		resStatuses = append(resStatuses, &statuses[i])
-	}
-	return resStatuses, liveObjs
-}
-
 // AppStateManager defines methods which allow to compare application spec and actual application state.
 type AppStateManager interface {
-	CompareAppState(app *v1alpha1.Application, project *appv1.AppProject, revision string, source v1alpha1.ApplicationSource, noCache bool, localObjects []string) *comparisonResult
+	CompareAppState(app *v1alpha1.Application, project *appv1.AppProject, revision string, source v1alpha1.ApplicationSource, noCache bool, noRevisionCache bool, localObjects []string) *comparisonResult
 	SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState)
 }
 
@@ -115,18 +100,30 @@ type appStateManager struct {
 	statusRefreshTimeout time.Duration
 }
 
-func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1.ApplicationSource, appLabelKey, revision string, noCache, verifySignature bool) ([]*unstructured.Unstructured, *apiclient.ManifestResponse, error) {
+func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1.ApplicationSource, appLabelKey, revision string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject) ([]*unstructured.Unstructured, *apiclient.ManifestResponse, error) {
 	ts := stats.NewTimingStats()
 	helmRepos, err := m.db.ListHelmRepositories(context.Background())
 	if err != nil {
 		return nil, nil, err
 	}
+	permittedHelmRepos, err := argo.GetPermittedRepos(proj, helmRepos)
+	if err != nil {
+		return nil, nil, err
+	}
 	ts.AddCheckpoint("helm_ms")
 	repo, err := m.db.GetRepository(context.Background(), source.RepoURL)
 	if err != nil {
 		return nil, nil, err
 	}
 	ts.AddCheckpoint("repo_ms")
+	helmRepositoryCredentials, err := m.db.GetAllHelmRepositoryCredentials(context.Background())
+	if err != nil {
+		return nil, nil, err
+	}
+	permittedHelmCredentials, err := argo.GetPermittedReposCredentials(proj, helmRepositoryCredentials)
+	if err != nil {
+		return nil, nil, err
+	}
 	conn, repoClient, err := m.repoClientset.NewRepoServerClient()
 	if err != nil {
 		return nil, nil, err
@@ -155,6 +152,11 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1
 	if err != nil {
 		return nil, nil, err
 	}
+
+	helmOptions, err := m.settingsMgr.GetHelmSettings()
+	if err != nil {
+		return nil, nil, err
+	}
 	ts.AddCheckpoint("build_options_ms")
 	serverVersion, apiGroups, err := m.liveStateCache.GetVersionsInfo(app.Spec.Destination.Server)
 	if err != nil {
@@ -163,9 +165,10 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1
 	ts.AddCheckpoint("version_ms")
 	manifestInfo, err := repoClient.GenerateManifest(context.Background(), &apiclient.ManifestRequest{
 		Repo:              repo,
-		Repos:             helmRepos,
+		Repos:             permittedHelmRepos,
 		Revision:          revision,
 		NoCache:           noCache,
+		NoRevisionCache:   noRevisionCache,
 		AppLabelKey:       appLabelKey,
 		AppName:           app.Name,
 		Namespace:         app.Spec.Destination.Namespace,
@@ -175,6 +178,8 @@ func (m *appStateManager) getRepoObjs(app *v1alpha1.Application, source v1alpha1
 		KubeVersion:       serverVersion,
 		ApiVersions:       argo.APIGroupsToVersions(apiGroups),
 		VerifySignature:   verifySignature,
+		HelmRepoCreds:     permittedHelmCredentials,
+		HelmOptions:       helmOptions,
 	})
 	if err != nil {
 		return nil, nil, err
@@ -362,7 +367,7 @@ func (m *appStateManager) diffArrayCached(configArray []*unstructured.Unstructur
 // CompareAppState compares application git state to the live app state, using the specified
 // revision and supplied source. If revision or overrides are empty, then compares against
 // revision and overrides in the app spec.
-func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *appv1.AppProject, revision string, source v1alpha1.ApplicationSource, noCache bool, localManifests []string) *comparisonResult {
+func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *appv1.AppProject, revision string, source v1alpha1.ApplicationSource, noCache bool, noRevisionCache bool, localManifests []string) *comparisonResult {
 	ts := stats.NewTimingStats()
 	appLabelKey, resourceOverrides, diffNormalizer, resFilter, err := m.getComparisonSettings(app)
 	ts.AddCheckpoint("settings_ms")
@@ -396,7 +401,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 	now := metav1.Now()
 
 	if len(localManifests) == 0 {
-		targetObjs, manifestInfo, err = m.getRepoObjs(app, source, appLabelKey, revision, noCache, verifySignature)
+		targetObjs, manifestInfo, err = m.getRepoObjs(app, source, appLabelKey, revision, noCache, noRevisionCache, verifySignature, project)
 		if err != nil {
 			targetObjs = make([]*unstructured.Unstructured, 0)
 			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
@@ -607,11 +612,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 	}
 	ts.AddCheckpoint("sync_ms")
 
-	resSumForAppHealth, liveObjsForAppHealth := GetLiveObjsForApplicationHealth(managedResources, resourceSummaries)
-	healthStatus, err := argohealth.SetApplicationHealth(resSumForAppHealth, liveObjsForAppHealth, resourceOverrides, func(obj *unstructured.Unstructured) bool {
-		return !isSelfReferencedApp(app, kubeutil.GetObjectRef(obj))
-	})
-
+	healthStatus, err := setApplicationHealth(managedResources, resourceSummaries, resourceOverrides, app)
 	if err != nil {
 		conditions = append(conditions, appv1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
 	}

controller/state_test.go

@@ -36,7 +36,7 @@ func TestCompareAppStateEmpty(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 	assert.NotNil(t, compRes)
 	assert.NotNil(t, compRes.syncStatus)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -59,7 +59,7 @@ func TestCompareAppStateMissing(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 	assert.NotNil(t, compRes)
 	assert.NotNil(t, compRes.syncStatus)
 	assert.Equal(t, argoappv1.SyncStatusCodeOutOfSync, compRes.syncStatus.Status)
@@ -86,7 +86,7 @@ func TestCompareAppStateExtra(t *testing.T) {
 		},
 	}
 	ctrl := newFakeController(&data)
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeOutOfSync, compRes.syncStatus.Status)
 	assert.Equal(t, 1, len(compRes.resources))
@@ -112,7 +112,7 @@ func TestCompareAppStateHook(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
 	assert.Equal(t, 0, len(compRes.resources))
@@ -139,7 +139,7 @@ func TestCompareAppStateSkipHook(t *testing.T) {
 		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 	}
 	ctrl := newFakeController(&data)
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
 	assert.Equal(t, 1, len(compRes.resources))
@@ -165,7 +165,7 @@ func TestCompareAppStateCompareOptionIgnoreExtraneous(t *testing.T) {
 	}
 	ctrl := newFakeController(&data)
 
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -193,7 +193,7 @@ func TestCompareAppStateExtraHook(t *testing.T) {
 		},
 	}
 	ctrl := newFakeController(&data)
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 
 	assert.NotNil(t, compRes)
 	assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -236,7 +236,7 @@ func TestCompareAppStateDuplicatedNamespacedResources(t *testing.T) {
 		},
 	}
 	ctrl := newFakeController(&data)
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 
 	assert.NotNil(t, compRes)
 	assert.Equal(t, 1, len(app.Status.Conditions))
@@ -287,7 +287,7 @@ func TestSetHealth(t *testing.T) {
 		},
 	})
 
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 
 	assert.Equal(t, compRes.healthStatus.Status, health.HealthStatusHealthy)
 }
@@ -319,7 +319,7 @@ func TestSetHealthSelfReferencedApp(t *testing.T) {
 		},
 	})
 
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 
 	assert.Equal(t, compRes.healthStatus.Status, health.HealthStatusHealthy)
 }
@@ -389,7 +389,7 @@ func TestReturnUnknownComparisonStateOnSettingLoadError(t *testing.T) {
 		},
 	})
 
-	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+	compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 
 	assert.Equal(t, health.HealthStatusUnknown, compRes.healthStatus.Status)
 	assert.Equal(t, argoappv1.SyncStatusCodeUnknown, compRes.syncStatus.Status)
@@ -525,7 +525,7 @@ func TestSignedResponseNoSignatureRequired(t *testing.T) {
 			managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 		}
 		ctrl := newFakeController(&data)
-		compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+		compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -547,7 +547,7 @@ func TestSignedResponseNoSignatureRequired(t *testing.T) {
 			managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 		}
 		ctrl := newFakeController(&data)
-		compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, nil)
+		compRes := ctrl.appStateManager.CompareAppState(app, &defaultProj, "", app.Spec.Source, false, false, nil)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -576,7 +576,7 @@ func TestSignedResponseSignatureRequired(t *testing.T) {
 			managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 		}
 		ctrl := newFakeController(&data)
-		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "", app.Spec.Source, false, nil)
+		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "", app.Spec.Source, false, false, nil)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -598,7 +598,7 @@ func TestSignedResponseSignatureRequired(t *testing.T) {
 			managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 		}
 		ctrl := newFakeController(&data)
-		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, nil)
+		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, false, nil)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -620,7 +620,7 @@ func TestSignedResponseSignatureRequired(t *testing.T) {
 			managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 		}
 		ctrl := newFakeController(&data)
-		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, nil)
+		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, false, nil)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -642,7 +642,7 @@ func TestSignedResponseSignatureRequired(t *testing.T) {
 			managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 		}
 		ctrl := newFakeController(&data)
-		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, nil)
+		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, false, nil)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -667,7 +667,7 @@ func TestSignedResponseSignatureRequired(t *testing.T) {
 		ctrl := newFakeController(&data)
 		testProj := signedProj
 		testProj.Spec.SignatureKeys[0].KeyID = "4AEE18F83AFDEB24"
-		compRes := ctrl.appStateManager.CompareAppState(app, &testProj, "abc123", app.Spec.Source, false, nil)
+		compRes := ctrl.appStateManager.CompareAppState(app, &testProj, "abc123", app.Spec.Source, false, false, nil)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -692,7 +692,7 @@ func TestSignedResponseSignatureRequired(t *testing.T) {
 		// it doesn't matter for our test whether local manifests are valid
 		localManifests := []string{"foobar"}
 		ctrl := newFakeController(&data)
-		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, localManifests)
+		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, false, localManifests)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeUnknown, compRes.syncStatus.Status)
@@ -717,7 +717,7 @@ func TestSignedResponseSignatureRequired(t *testing.T) {
 			managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
 		}
 		ctrl := newFakeController(&data)
-		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, nil)
+		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, false, nil)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)
@@ -742,7 +742,7 @@ func TestSignedResponseSignatureRequired(t *testing.T) {
 		// it doesn't matter for our test whether local manifests are valid
 		localManifests := []string{""}
 		ctrl := newFakeController(&data)
-		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, localManifests)
+		compRes := ctrl.appStateManager.CompareAppState(app, &signedProj, "abc123", app.Spec.Source, false, false, localManifests)
 		assert.NotNil(t, compRes)
 		assert.NotNil(t, compRes.syncStatus)
 		assert.Equal(t, argoappv1.SyncStatusCodeSynced, compRes.syncStatus.Status)

controller/sync.go

@@ -15,6 +15,7 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/kubectl/pkg/util/openapi"
 
 	cdcommon "github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
@@ -34,6 +35,14 @@ const (
 	EnvVarSyncWaveDelay = "ARGOCD_SYNC_WAVE_DELAY"
 )
 
+func (m *appStateManager) getOpenAPISchema(server string) (openapi.Resources, error) {
+	cluster, err := m.liveStateCache.GetClusterCache(server)
+	if err != nil {
+		return nil, err
+	}
+	return cluster.GetOpenAPISchema(), nil
+}
+
 func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState) {
 	// Sync requests might be requested with ambiguous revisions (e.g. master, HEAD, v1.2.3).
 	// This can change meaning when resuming operations (e.g a hook sync). After calculating a
@@ -85,7 +94,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		return
 	}
 
-	compareResult := m.CompareAppState(app, proj, revision, source, false, syncOp.Manifests)
+	compareResult := m.CompareAppState(app, proj, revision, source, false, true, syncOp.Manifests)
 	// We now have a concrete commit SHA. Save this in the sync result revision so that we remember
 	// what we should be syncing to when resuming operations.
 	syncRes.Revision = compareResult.syncStatus.Revision
@@ -118,7 +127,13 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 	}
 
 	atomic.AddUint64(&syncIdPrefix, 1)
-	syncId := fmt.Sprintf("%05d-%s", syncIdPrefix, rand.RandString(5))
+	randSuffix, err := rand.String(5)
+	if err != nil {
+		state.Phase = common.OperationError
+		state.Message = fmt.Sprintf("Failed generate random sync ID: %v", err)
+		return
+	}
+	syncId := fmt.Sprintf("%05d-%s", syncIdPrefix, randSuffix)
 
 	logEntry := log.WithFields(log.Fields{"application": app.Name, "syncId": syncId})
 	initialResourcesRes := make([]common.ResourceSyncResult, 0)
@@ -146,13 +161,21 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		prunePropagationPolicy = v1.DeletePropagationOrphan
 	}
 
-	syncCtx, err := sync.NewSyncContext(
+	openAPISchema, err := m.getOpenAPISchema(clst.Server)
+	if err != nil {
+		state.Phase = common.OperationError
+		state.Message = fmt.Sprintf("failed to load openAPISchema: %v", err)
+		return
+	}
+
+	syncCtx, cleanup, err := sync.NewSyncContext(
 		compareResult.syncStatus.Revision,
 		compareResult.reconciliationResult,
 		restConfig,
 		rawConfig,
 		m.kubectl,
 		app.Spec.Destination.Namespace,
+		openAPISchema,
 		sync.WithLogr(logutils.NewLogrusLogger(logEntry)),
 		sync.WithHealthOverride(lua.ResourceHealthOverrides(resourceOverrides)),
 		sync.WithPermissionValidator(func(un *unstructured.Unstructured, res *v1.APIResource) error {
@@ -186,9 +209,12 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 
 	if err != nil {
 		state.Phase = common.OperationError
-		state.Message = fmt.Sprintf("failed to record sync to history: %v", err)
+		state.Message = fmt.Sprintf("failed to initialize sync context: %v", err)
+		return
 	}
 
+	defer cleanup()
+
 	start := time.Now()
 
 	if state.Phase == common.OperationTerminating {

controller/testdata/configmap.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: my-map
+data:
+  foo: bar

docs/CONTRIBUTING.md

@@ -1 +1 @@
-Please refer to [the Contribution Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/contributing/)
+Please refer to [the Contribution Guide](https://argo-cd.readthedocs.io/en/latest/developer-guide/code-contributions/)

docs/assets/versions.css

@@ -36,10 +36,13 @@
 
 /* Version Warning */
 div[data-md-component=announce] {
-  background-color: rgba(255,145,0,.1);
+  background-color: rgb(248, 243, 236);
+  position: sticky;
+  top: 0;
+  z-index: 2;
 }
 div[data-md-component=announce]>div#announce-msg{
-  color: var(--md-admonition-fg-color);
+  color: var(--md-code-hl-number-color);
   font-size: .8rem;
   text-align: center;
   margin: 15px;

docs/assets/versions.js

@@ -35,10 +35,24 @@ setTimeout(function() {
 // VERSION WARNINGS
 window.addEventListener("DOMContentLoaded", function() {
   var rtdData = window['READTHEDOCS_DATA'] || { version: 'latest' };
+  var margin = 30;
+  var headerHeight = document.getElementsByClassName("md-header")[0].offsetHeight; 
   if (rtdData.version === "latest") {
     document.querySelector("div[data-md-component=announce]").innerHTML = "<div id='announce-msg'>You are viewing the docs for an unreleased version of Argo CD, <a href='https://argo-cd.readthedocs.io/en/stable/'>click here to go to the latest stable version.</a></div>"
+    var bannerHeight = document.getElementById('announce-msg').offsetHeight + margin
+    document.querySelector("header.md-header").style.top = bannerHeight +"px";   
+    document.querySelector('style').textContent +=
+    "@media screen and (min-width: 76.25em){ .md-sidebar { height: 0;  top:"+ (bannerHeight+headerHeight)+"px !important; }}"
+    document.querySelector('style').textContent +=
+    "@media screen and (min-width: 60em){ .md-sidebar--secondary { height: 0;  top:"+ (bannerHeight+headerHeight)+"px !important; }}"
   }
   else if (rtdData.version !== "stable") {
     document.querySelector("div[data-md-component=announce]").innerHTML = "<div id='announce-msg'>You are viewing the docs for a previous version of Argo CD, <a href='https://argo-cd.readthedocs.io/en/stable/'>click here to go to the latest stable version.</a></div>"
+    var bannerHeight = document.getElementById('announce-msg').offsetHeight + margin
+    document.querySelector("header.md-header").style.top = bannerHeight +"px";   
+    document.querySelector('style').textContent +=
+    "@media screen and (min-width: 76.25em){ .md-sidebar { height: 0;  top:"+ (bannerHeight+headerHeight)+"px !important; }}"
+    document.querySelector('style').textContent +=
+    "@media screen and (min-width: 60em){ .md-sidebar--secondary { height: 0;  top:"+ (bannerHeight+headerHeight)+"px !important; }}"
   }
 });

docs/cli_installation.md

@@ -2,23 +2,30 @@
 
 You can download the latest Argo CD version from [the latest release page of this repository](https://github.com/argoproj/argo-cd/releases/latest), which will include the `argocd` CLI.
 
-## Linux
+## Linux and WSL
 
-You can view the latest version of Argo CD at the link above or run the following command to grab the version:
+### Homebrew
 
 ```bash
-VERSION=$(curl --silent "https://api.github.com/repos/argoproj/argo-cd/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
+brew install argocd
 ```
 
-Replace `VERSION` in the command below with the version of Argo CD you would like to download:
+### Download With Curl
+
+#### Download latest version
 
 ```bash
+curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
+chmod +x /usr/local/bin/argocd
+```
+
+#### Download concrete version
+
+Set `VERSION` replacing `<TAG>` in the command below with the version of Argo CD you would like to download:
+
+```bash
+VERSION=<TAG> # Select desired TAG from https://github.com/argoproj/argo-cd/releases
 curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-linux-amd64
-```
-
-Make the `argocd` CLI executable:
-
-```bash
 chmod +x /usr/local/bin/argocd
 ```
 
@@ -57,7 +64,7 @@ After finishing either of the instructions above, you should now be able to run
 
 ## Windows
 
-### Download With Powershell: Invoke-WebRequest
+### Download With PowerShell: Invoke-WebRequest
 
 You can view the latest version of Argo CD at the link above or run the following command to grab the version:
 

docs/developer-guide/ci.md

@@ -12,7 +12,7 @@ To read more about The GitHub actions are configured in [`ci-build.yaml`](https:
 
 Since the CI pipeline is triggered on Git commits, there is currently no (known) way on how to retrigger the CI checks without pushing a new commit to your branch.
 
-If you are absolutely sure that the failure was due to a failure in the pipeline, and not an error within the changes you commited, you can push an empty commit to your branch, thus retriggering the pipeline without any code changes. To do so, issue
+If you are absolutely sure that the failure was due to a failure in the pipeline, and not an error within the changes you committed, you can push an empty commit to your branch, thus retriggering the pipeline without any code changes. To do so, issue
 
 ```bash
 git commit --allow-empty -m "Retrigger CI pipeline"
@@ -63,12 +63,12 @@ make builder-image IMAGE_NAMESPACE=argoproj IMAGE_TAG=v1.0.0
 
 ## Public CD
 
-Every commit to master is built and published to `docker.pkg.github.com/argoproj/argo-cd/argocd:<version>-<short-sha>`. The list of images is available at
+Every commit to master is built and published to `ghcr.io/argoproj/argocd:<version>-<short-sha>`. The list of images is available at
 https://github.com/argoproj/argo-cd/packages.
 
 !!! note
-    Github docker registry [requires](https://github.community/t5/GitHub-Actions/docker-pull-from-public-GitHub-Package-Registry-fail-with-quot/m-p/32888#M1294) authentication to read
+    GitHub docker registry [requires](https://github.community/t5/GitHub-Actions/docker-pull-from-public-GitHub-Package-Registry-fail-with-quot/m-p/32888#M1294) authentication to read
     even publicly available packages. Follow the steps from Kubernetes [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry)
-    to configure image pull secret if you want to use `docker.pkg.github.com/argoproj/argo-cd/argocd` image.
+    to configure image pull secret if you want to use `ghcr.io/argoproj/argocd` image.
 
 The image is automatically deployed to the dev Argo CD instance: [https://cd.apps.argoproj.io/](https://cd.apps.argoproj.io/)

docs/developer-guide/code-contributions.md

@@ -0,0 +1,112 @@
+# Submitting code contributions to Argo CD
+
+## Preface
+
+The Argo CD project continuously grows, both in terms of features and community size. It gets adopted by more and more organisations which entrust Argo CD to handle their critical production workloads. Thus, we need to take great care with any changes that affect compatibility, performance, scalability, stability and security of Argo CD. For this reason, every new feature or larger enhancement must be properly designed and discussed before it gets accepted into the code base.
+
+We do welcome and encourage everyone to participate in the Argo CD project, but please understand that we can't accept each and every contribution from the community, for various reasons. 
+
+If you want to submit code for a great new feature or enhancement, we kindly ask you to take a look at the
+enhancement process outlined below before you start to write code or submit a PR. This will ensure that your idea is well aligned with the project's strategy and technical requirements, and it will help greatly in getting your code merged into our code base.
+
+Before submitting code for a new feature (and also, to some extent, for more complex bug fixes) please
+[raise an Enhancement Proposal or Bug Issue](https://github.com/argoproj/argo-cd/issues/new/choose)
+first.
+
+Each enhancement proposal needs to go through our
+[triage process](#triage-process)
+before we accept code contributions. To facilitate triage and to provide transparency, we use
+[this GitHub project](https://github.com/orgs/argoproj/projects/18) to keep track of this process' outcome.
+
+_Please_ do not spend too much time on larger features or refactorings before the corresponding enhancement has been triaged. This may save everyone some amount of frustration and time, as the enhancement proposal might be rejected, and the code would never get merged. However, sometimes it's helpful to have some PoC code along with a proposal.
+
+We will do our best to triage incoming enhancement proposals quickly, with one of the following outcomes:
+
+* Accepted
+* Rejected
+* Proposal requires a design document to be further discussed
+
+Depending on how many enhancement proposals we receive at given times, it may take some time until we can look at yours.
+
+Also, please make sure you have read our
+[Toolchain Guide](toolchain-guide.md)
+to understand our toolchain and our continuous integration processes. It contains some invaluable information to get started with the complex code base that makes up Argo CD.
+
+## Quick start
+
+If you want a quick start contributing to Argo CD, take a look at issues that are labeled with
+[help wanted](https://github.com/argoproj/argo-cd/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22)
+or
+[good first issue](https://github.com/argoproj/argo-cd/issues?q=is%3Aopen+is%3Aissue+label%3A%22good+first+issue%22).
+
+These are issues that were already triaged and accepted. 
+
+If the issue is already attached to next
+[version milestone](https://github.com/argoproj/argo-cd/milestones),
+we have decided to also dedicate some of our time on reviews to PRs received for these issues.
+
+We encourage our community to pick up issues that are labeled in this way *and* are attached to the next version's milestone, with a promise for them to get a proper review with the clear intention for the incoming PRs to get merged.
+
+## Triage process
+
+### Overview 
+
+Our triage process for enhancements proposals ensures that we take a look at all incoming enhancements to determine whether we will accept code submissions to implement them.
+
+The process works as follows:
+
+* New Enhancement Proposals raised on our GitHub issue tracker are moved to the _Incoming_ column of the project's board. These are the proposals that are in the queue for triage.
+* The _Active_ column holds the issues that are currently being triaged, or will be triaged next.
+* The _Accepted_ column holds the issues that have been triaged and are considered good to be implemented (e.g. the project agreed that the feature would be great to have)
+* The _Declined_ column holds the issues that were rejected during triage. The issue will be updated with information about why the proposal has been rejected.
+* The _Needs discussion_ column holds the issues that were found to require additional information, or even a design document, during triage.
+
+### Triage cadence
+
+Triage of enhancement proposals is performed transparently, offline using issue comments and online in our weekly contributor's meeting. _Everyone_ is invited to participate in triaging, the process is not limited to participation only by maintainers.
+
+Usually, we will triage enhancement proposals in a First-In-First-Out order, which mean that oldest proposals will be triaged first.
+
+We aim to triage at least 10 proposals a week. Depending on our available time, we may be triaging a higher or lower number of proposals in any given week.
+
+## Proposal states
+
+### Accepted proposals
+
+When a proposal is considered _Accepted_, it was decided that this enhancement would be valuable to the community at large and fits into the overall strategic roadmap of the project. 
+
+Implementation of the issue may be started, either by the proposal's creator or another community member (including maintainers of the project). 
+
+The issue should be refined enough by now to contain any concerns and guidelines to be taken into consideration during implementation.
+
+### Declined proposals
+
+We don't decline proposals lightly, and we will do our best to give a proper reasoning why we think that the proposal does not fit with the future of the project. Reasons for declining proposals may be - amongst others - that the change would be breaking for many, or that it does not meet the strategic direction of the project. Usually, discussion will be facilitated with the enhancement's creator before declining a proposal.
+
+Once a proposal is in _Declined_ state it's unlikely that we will accept code contributions for its implementation.
+
+### Proposals that need discussion
+
+Sometimes, we can't completely understand a proposal from its GitHub issue and require more information on the original intent or on more details about the implementation. If we are confronted with such an issue during the triage, we move this issue to the _Needs discussion_ column to indicate that we expect the issue's creator to supply more information on their idea. We may ask you to provide this information, either by adding that information to the issue itself or by joining one of our
+[regular contributor's meeting](#regular-contributor-meeting)
+to discuss the proposal with us.
+
+Also, issues that we find to require a more formal design document will be moved to this column.
+
+## Design documents
+
+For some enhancement proposals (especially those that will change behavior of Argo CD substantially, are attached with some caveats or where upgrade/downgrade paths are not clear), a more formal design document will be required in order to fully discuss and understand the enhancement in the broader community. This requirement is usually determined during triage. If you submitted an enhancement proposal, we may ask you to provide this more formal write down, along with some concerns or topics that need to be adressed.
+
+Design documents are usually submitted as PR and use [this template](https://github.com/argoproj/argo-cd/blob/master/docs/proposals/001-proposal-template.md) as a guide what kind of information we're looking for. Discussion will take place in the review process. When a design document gets merged, we consider it as approved and code can be written and submitted to implement this specific design.
+
+## Regular contributor meeting
+
+Our community regularly meets virtually to discuss issues, ideas and enhancements around Argo CD. We do invite you to join this virtual meetings if you want to bring up certain things (including your enhancement proposals), participate in our triaging or just want to get to know other contributors.
+
+The current cadence of our meetings is weekly, every Thursday at 4pm UTC (9am Pacific, 12pm Eastern, 6pm Central European, 9:30pm Indian). We use Zoom to conduct these meetings.
+
+* [Agenda document (Google Docs, includes Zoom link)](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8)
+
+If you want to discuss something, we kindly ask you to put your item on the
+[agenda](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8)
+for one of the upcoming meetings so that we can plan in the time for discussing about it.

docs/developer-guide/contributing.md

@@ -1,321 +1,2 @@
-# Contribution guide
-
-## Preface
-
-We want to make contributing to ArgoCD as simple and smooth as possible.
-
-This guide shall help you in setting up your build & test environment, so that you can start developing and testing bug fixes and feature enhancements without having to make too much effort in setting up a local toolchain.
-
-If you want to submit a PR, please read this document carefully, as it contains important information guiding you through our PR quality gates.
-
-As is the case with the development process, this document is under constant change. If you notice any error, or if you think this document is out-of-date, or if you think it is missing something: Feel free to submit a PR or submit a bug to our GitHub issue tracker.
-
-If you need guidance with submitting a PR, or have any other questions regarding development of ArgoCD, do not hesitate to [join our Slack](https://argoproj.github.io/community/join-slack) and get in touch with us in the `#argo-dev` channel!
-
-## Before you start
-
-You will need at least the following things in your toolchain in order to develop and test ArgoCD locally:
-
-* A Kubernetes cluster. You won't need a fully blown multi-master, multi-node cluster, but you will need something like K3S, Minikube or microk8s. You will also need a working Kubernetes client (`kubectl`) configuration in your development environment. The configuration must reside in `~/.kube/config` and the API server URL must point to the IP address of your local machine (or VM), and **not** to `localhost` or `127.0.0.1` if you are using the virtualized development toolchain (see below)
-
-* You will also need a working Docker runtime environment, to be able to build and run images.
-The Docker version must be fairly recent, and support multi-stage builds. You should not work as root. Make your local user a member of the `docker` group to be able to control the Docker service on your machine.
-
-* Obviously, you will need a `git` client for pulling source code and pushing back your changes.
-
-* Last but not least, you will need a Go SDK and related tools (such as GNU `make`) installed and working on your development environment. The minimum required Go version for building ArgoCD is **v1.14.0**.
-
-* We will assume that your Go workspace is at `~/go`.
-
-!!! note
-    **Attention minikube users**: By default, minikube will create Kubernetes client configuration that uses authentication data from files. This is incompatible with the virtualized toolchain. So if you intend to use the virtualized toolchain, you have to embed this authentication data into the client configuration. To do so, issue `minikube config set embed-certs true` and restart your minikube. Please also note that minikube using the Docker driver is currently not supported with the virtualized toolchain, because the Docker driver exposes the API server on 127.0.0.1 hard-coded. If in doubt, run `make verify-kube-connect` to find out.
-
-## Submitting PRs
-
-When you submit a PR against ArgoCD's GitHub repository, a couple of CI checks will be run automatically to ensure your changes will build fine and meet certain quality standards. Your contribution needs to pass those checks in order to be merged into the repository.
-
-In general, it might be beneficial to only submit a PR for an existing issue. Especially for larger changes, an Enhancement Proposal should exist before.
-
-!!!note
-
-    Please make sure that you always create PRs from a branch that is up-to-date with the latest changes from ArgoCD's master branch. Depending on how long it takes for the maintainers to review and merge your PR, it might be necessary to pull in latest changes into your branch again.
-
-Please understand that we, as an Open Source project, have limited capacities for reviewing and merging PRs to ArgoCD. We will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected.
-
-The following read will help you to submit a PR that meets the standards of our CI tests:
-
-### Title of the PR
-
-Please use a meaningful and concise title for your PR. This will help us to pick PRs for review quickly, and the PR title will also end up in the Changelog.
-
-We use the [Semantic PR title checker](https://github.com/zeke/semantic-pull-requests) to categorize your PR into one of the following categories:
-
-* `fix` - Your PR contains one or more code bug fixes
-* `feat` - Your PR contains a new feature
-* `docs` - Your PR improves the documentation
-* `chore` - Your PR improves any internals of ArgoCD, such as the build process, unit tests, etc
-
-Please prefix the title of your PR with one of the valid categories. For example, if you chose the title your PR `Add documentation for GitHub SSO integration`, please use `docs: Add documentation for GitHub SSO integration` instead.
-
-### Contributor License Agreement
-
-Every contributor to ArgoCD must have signed the current Contributor License Agreement (CLA). You only have to sign the CLA when you are a first time contributor, or when the agreement has changed since your last time signing it. The main purpose of the CLA is to ensure that you hold the required rights for your contribution. The CLA signing is an automated process.
-
-You can read the current version of the CLA [here](https://cla-assistant.io/argoproj/argo-cd).
-
-### PR template checklist
-
-Upon opening a PR, the details will contain a checklist from a template. Please read the checklist, and tick those marks that apply to you.
-
-### Automated builds & tests
-
-After you have submitted your PR, and whenever you push new commits to that branch, GitHub will run a number of Continuous Integration checks against your code. It will execute the following actions, and each of them has to pass:
-
-* Build the Go code (`make build`)
-* Generate API glue code and manifests (`make codegen`)
-* Run a Go linter on the code (`make lint`)
-* Run the unit tests (`make test`)
-* Run the End-to-End tests (`make test-e2e`)
-* Build and lint the UI code (`make lint-ui`)
-* Build the `argocd` CLI (`make cli`)
-
-If any of these tests in the CI pipeline fail, it means that some of your contribution is considered faulty (or a test might be flaky, see below).
-
-### Code test coverage
-
-We use [CodeCov](https://codecov.io) in our CI pipeline to check for test coverage, and once you submit your PR, it will run and report on the coverage difference as a comment within your PR. If the difference is too high in the negative, i.e. your submission introduced a significant drop in code coverage, the CI check will fail.
-
-Whenever you develop a new feature or submit a bug fix, please also write appropriate unit tests for it. If you write a completely new module, please aim for at least 80% of coverage.
-If you want to see how much coverage just a specific module (i.e. your new one) has, you can set the `TEST_MODULE` to the (fully qualified) name of that module with `make test`, i.e.:
-
-```bash
- make test TEST_MODULE=github.com/argoproj/argo-cd/server/cache
-...
-ok      github.com/argoproj/argo-cd/server/cache        0.029s  coverage: 89.3% of statements
-```
-
-## Local vs Virtualized toolchain
-
-ArgoCD provides a fully virtualized development and testing toolchain using Docker images. It is recommended to use those images, as they provide the same runtime environment as the final product and it is much easier to keep up-to-date with changes to the toolchain and dependencies. But as using Docker comes with a slight performance penalty, you might want to setup a local toolchain.
-
-Most relevant targets for the build & test cycles in the `Makefile` provide two variants, one of them suffixed with `-local`. For example, `make test` will run unit tests in the Docker container, `make test-local` will run it natively on your local system.
-
-If you are going to use the virtualized toolchain, please bear in mind the following things:
-
-* Your Kubernetes API server must listen on the interface of your local machine or VM, and not on `127.0.0.1` only.
-* Your Kubernetes client configuration (`~/.kube/config`) must not use an API URL that points to `localhost` or `127.0.0.1`.
-
-You can test whether the virtualized toolchain has access to your Kubernetes cluster by running `make verify-kube-connect` (*after* you have setup your development environment, as described below), which will run `kubectl version` inside the Docker container used for running all tests.
-
-The Docker container for the virtualized toolchain will use the following local mounts from your workstation, and possibly modify its contents:
-
-* `~/go/src` - Your Go workspace's source directory (modifications expected)
-* `~/.cache/go-build` - Your Go build cache (modifications expected)
-* `~/.kube` - Your Kubernetes client configuration (no modifications)
-* `/tmp` - Your system's temp directory (modifications expected)
-
-## Setting up your development environment
-
-The following steps are required no matter whether you chose to use a virtualized or a local toolchain.
-
-### Clone the ArgoCD repository from your personal fork on GitHub
-
-* `mkdir -p ~/go/src/github.com/argoproj`
-* `cd ~/go/src/github.com/argoproj`
-* `git clone https://github.com/yourghuser/argo-cd`
-* `cd argo-cd`
-
-### Optional: Setup an additional Git remote
-
-While everyone has their own Git workflow, the author of this document recommends to create a remote called `upstream` in your local copy pointing to the original ArgoCD repository. This way, you can easily keep your local branches up-to-date by merging in latest changes from the ArgoCD repository, i.e. by doing a `git pull upstream master` in your locally checked out branch. To create the remote, run `git remote add upstream https://github.com/argoproj/argo-cd`
-
-### Install the must-have requirements
-
-Make sure you fulfill the pre-requisites above and run some preliminary tests. Neither of them should report an error.
-
-* Run `kubectl version`
-* Run `docker version`
-* Run `go version`
-
-### Build (or pull) the required Docker image
-
-Build the required Docker image by running `make test-tools-image` or pull the latest version by issuing `docker pull argoproj/argocd-test-tools`.
-
-The `Dockerfile` used to build these images can be found at `test/container/Dockerfile`.
-
-### Test connection from build container to your K8s cluster
-
-Run `make verify-kube-connect`, it should execute without error.
-
-If you receive an error similar to the following:
-
-```
-The connection to the server 127.0.0.1:6443 was refused - did you specify the right host or port?
-make: *** [Makefile:386: verify-kube-connect] Error 1
-```
-
-you should edit your `~/.kube/config` and modify the `server` option to point to your correct K8s API (as described above).
-
-### Using k3d
-
-[k3d](https://github.com/rancher/k3d) is a lightweight wrapper to run [k3s](https://github.com/rancher/k3s), a minimal Kubernetes distribution, in docker. Because it's running in a docker container, you're dealing with docker's internal networking rules when using k3d. A typical Kubernetes cluster running on your local machine is part of the same network that you're on so you can access it using **kubectl**. However, a Kubernetes cluster running within a docker container (in this case, the one launched by make) cannot access 0.0.0.0 from inside the container itself, when 0.0.0.0 is a network resource outside the container itself (and/or the container's network). This is the cost of a fully self-contained, disposable Kubernetes cluster. The following steps should help with a successful `make verify-kube-connect` execution.
-
-1. Find your host IP by executing `ifconfig` on Mac/Linux and `ipconfig` on Windows. For most users, the following command works to find the IP address.
-
-    * For Mac:
-
-    ```
-    IP=`ifconfig en0 | grep inet | grep -v inet6 | awk '{print $2}'`
-    echo $IP
-    ```
-
-    * For Linux:
-
-    ```
-    IP=`ifconfig eth0 | grep inet | grep -v inet6 | awk '{print $2}'`
-    echo $IP
-    ```
-
-    Keep in mind that this IP is dynamically assigned by the router so if your router restarts for any reason, your IP might change.
-
-2. Edit your ~/.kube/config and replace 0.0.0.0 with the above IP address.
-
-3. Execute a `kubectl version` to make sure you can still connect to the Kubernetes API server via this new IP. Run `make verify-kube-connect` and check if it works.
-
-4. Finally, so that you don't have to keep updating your kube-config whenever you spin up a new k3d cluster, add `--api-port $IP:6550` to your **k3d cluster create** command, where $IP is the value from step 1. An example command is provided here:
-
-```
-k3d cluster create my-cluster --wait --k3s-server-arg '--disable=traefik' --api-port $IP:6550 -p 443:443@loadbalancer
-```
-
-## The development cycle
-
-When you have developed and possibly manually tested the code you want to contribute, you should ensure that everything will build correctly. Commit your changes to the local copy of your Git branch and perform the following steps:
-
-### Pull in all build dependencies
-
-As build dependencies change over time, you have to synchronize your development environment with the current specification. In order to pull in all required dependencies, issue:
-
-* `make dep-ui`
-
-ArgoCD recently migrated to Go modules. Usually, dependencies will be downloaded on build time, but the Makefile provides two targets to download and vendor all dependencies:
-
-* `make mod-download` will download all required Go modules and
-* `make mod-vendor` will vendor those dependencies into the ArgoCD source tree
-
-### Generate API glue code and other assets
-
-ArgoCD relies on Google's [Protocol Buffers](https://developers.google.com/protocol-buffers) for its API, and this makes heavy use of auto-generated glue code and stubs. Whenever you touched parts of the API code, you must re-generate the auto generated code.
-
-* Run `make codegen`, this might take a while
-* Check if something has changed by running `git status` or `git diff`
-* Commit any possible changes to your local Git branch, an appropriate commit message would be `Changes from codegen`, for example.
-
-!!!note
-    There are a few non-obvious assets that are auto-generated. You should not change the autogenerated assets, as they will be overwritten by a subsequent run of `make codegen`. Instead, change their source files. Prominent examples of non-obvious auto-generated code are `swagger.json` or the installation manifest YAMLs.
-
-### Build your code and run unit tests
-
-After the code glue has been generated, your code should build and the unit tests should run without any errors. Execute the following statements:
-
-* `make build`
-* `make test`
-
-These steps are non-modifying, so there's no need to check for changes afterwards.
-
-### Lint your code base
-
-In order to keep a consistent code style in our source tree, your code must be well-formed in accordance to some widely accepted rules, which are applied by a Linter.
-
-The Linter might make some automatic changes to your code, such as indentation fixes. Some other errors reported by the Linter have to be fixed manually.
-
-* Run `make lint` and observe any errors reported by the Linter
-* Fix any of the errors reported and commit to your local branch
-* Finally, after the Linter reports no errors anymore, run `git status` or `git diff` to check for any changes made automatically by Lint
-* If there were automatic changes, commit them to your local branch
-
-If you touched UI code, you should also run the Yarn linter on it:
-
-* Run `make lint-ui`
-* Fix any of the errors reported by it
-
-## Contributing to Argo CD UI
-
-Argo CD, along with Argo Workflows, uses shared React components from [Argo UI](https://github.com/argoproj/argo-ui). Examples of some of these components include buttons, containers, form controls, 
-and others. Although you can make changes to these files and run them locally, in order to have these changes added to the Argo CD repo, you will need to follow these steps. 
-
-1. Fork and clone the [Argo UI repository](https://github.com/argoproj/argo-ui).
-
-2. `cd` into your `argo-ui` directory, and then run `yarn install`. 
-
-3. Make your file changes.
-
-4. Run `yarn start` to start a [storybook](https://storybook.js.org/) dev server and view the components in your browser. Make sure all your changes work as expected. 
-
-5. Use [yarn link](https://classic.yarnpkg.com/en/docs/cli/link/) to link Argo UI package to your Argo CD repository. (Commands below assume that `argo-ui` and `argo-cd` are both located within the same parent folder)
-
-    * `cd argo-ui`
-    * `yarn link`
-    * `cd ../argo-cd`
-    * `yarn link argo-ui`
-
-    Once `argo-ui` package has been successfully linked, test out changes in your local development environment. 
-
-6. Commit changes and open a PR to [Argo UI](https://github.com/argoproj/argo-ui). 
-
-7. Once your PR has been merged in Argo UI, `cd` into your `argo-cd` folder and run `yarn add https://github.com/argoproj/argo-ui.git`. This will update the commit SHA in the `ui/yarn.lock` file to use the lastest master commit for argo-ui. 
-
-8. Submit changes to `ui/yarn.lock`in a PR to Argo CD. 
-
-## Setting up a local toolchain
-
-For development, you can either use the fully virtualized toolchain provided as Docker images, or you can set up the toolchain on your local development machine. Due to the dynamic nature of requirements, you might want to stay with the virtualized environment.
-
-### Install required dependencies and build-tools
-
-!!!note
-    The installations instructions are valid for Linux hosts only. Mac instructions will follow shortly.
-
-For installing the tools required to build and test ArgoCD on your local system, we provide convenient installer scripts. By default, they will install binaries to `/usr/local/bin` on your system, which might require `root` privileges.
-
-You can change the target location by setting the `BIN` environment before running the installer scripts. For example, you can install the binaries into `~/go/bin` (which should then be the first component in your `PATH` environment, i.e. `export PATH=~/go/bin:$PATH`):
-
-```shell
-make BIN=~/go/bin install-tools-local
-```
-
-Additionally, you have to install at least the following tools via your OS's package manager (this list might not be always up-to-date):
-
-* Git LFS plugin
-* GnuPG version 2
-
-### Install Go dependencies
-
-You need to pull in all required Go dependencies. To do so, run
-
-* `make mod-download-local`
-* `make mod-vendor-local`
-
-### Test your build toolchain
-
-The first thing you can do whether your build toolchain is setup correctly is by generating the glue code for the API and after that, run a normal build:
-
-* `make codegen-local`
-* `make build-local`
-
-This should return without any error.
-
-### Run unit-tests
-
-The next thing is to make sure that unit tests are running correctly on your system. These will require that all dependencies, such as Helm, Kustomize, Git, GnuPG, etc are correctly installed and fully functioning:
-
-* `make test-local`
-
-### Run end-to-end tests
-
-The final step is running the End-to-End testsuite, which makes sure that your Kubernetes dependencies are working properly. This will involve starting all of the ArgoCD components locally on your computer. The end-to-end tests consists of two parts: a server component, and a client component.
-
-* First, start the End-to-End server: `make start-e2e-local`. This will spawn a number of processes and services on your system.
-* When all components have started, run `make test-e2e-local` to run the end-to-end tests against your local services.
-
-For more information about End-to-End tests, refer to the [End-to-End test documentation](test-e2e.md).
+The contents of this document have been moved to the
+[Toolchain guide](toolchain-guide.md)

docs/developer-guide/debugging-remote-environment.md

@@ -37,7 +37,6 @@ Once a connection is established, use your favorite tools to start the server lo
 
 ### VSCode
 In VSCode use the integrated terminal to run the Telepresence command to connect. Then, to run argocd-server service use the following configuration.
-Make sure to run `packr` before starting the debugging session to generate the assets. 
 Update the configuration file to point to kubeconfig file: `KUBECONFIG=` (required)
 ```json
         {

docs/developer-guide/release-process-and-cadence.md

@@ -0,0 +1,49 @@
+# Release Process And Cadence
+
+Argo CD is being developed using the following process:
+
+* Maintainers commit to work on set of features and enhancements and create GitHub milestone to track the work.
+* We are trying to avoid delaying release and prefer moving the feature into the next release if we cannot complete it on time.
+* The new release is published every **3 month**.
+* Critical bug-fixes are cherry-picked into the release branch and delivered using patch releases as frequently as needed.
+
+## Release Planning
+
+We are using GitHub milestones to perform release planning and tracking. Each release milestone includes two type of issues:
+
+* Issues that maintainers committed to working on. Maintainers decide which features they are committing to work on during the next release based on
+  their availability. Typically issues added offline by each maintainer and finalized during the contributors' meeting. Each such issue should be
+  assigned to maintainer who plans to implement and test it.
+* Nice to have improvements contributed by community contributors. Nice to have issues are typically not critical, smallish enhancements that could
+  be contributed by community contributors. Maintainers are not committing to implement them but committing to review PR from the community.
+
+The milestone should have a clear description of the most important features as well as the expected end date. This should provide clarity to end-users
+about what to expect from the next release and when.
+
+In addition to the next milestone, we need to maintain a draft of the upcoming release milestone. 
+
+## Community Contributions
+
+We receive a lot of contributions from our awesome community, and we're very grateful for that fact. However, reviewing and testing PRs is a lot of (unplanned) work and therefore, we cannot guarantee that contributions (especially large or complex ones) made by the community receive a timely review within a release's time frame. Maintainers may decide on their own to put work on a PR together with the contributor and in this case, the maintainer will self-assigned the PR and thereby committing to review, eventually merge and later test it on the release scope.
+
+## Release Testing
+
+We need to make sure that each change, both from maintainers and community contributors, is tested well and have someone who is going to fix last-minute
+bugs. In order to ensure it, each merged pull request must have an assigned maintainer before it gets merged. The assigned maintainer will be working on
+testing the introduced changes and fixing of any introduced bugs.
+
+We have a code freeze period two weeks before the release until the release branch is created. During code freeze no feature PR should be merged and it is ok
+to merge bug fixes.
+
+Maintainers assigned to a PR that's been merged should drive testing and work on fixing last-minute issues. For tracking purposes after verifying PR the assigned
+the maintainer should label it with a `verified` label.
+
+## Releasing
+
+The releasing procedure is described in [releasing](./releasing.md) document. Before closing the release milestone following should be verified:
+
+- [ ] All merged PRs and verified (verify and remove `needs-verification` label):
+- [ ] Triage issues reported by `yarn audit` and ensure there are no exploitable security issues.
+- [ ] Roadmap is updated based one current release changes
+- [ ] Next release milestone is created
+- [ ] Upcoming release milestone is updated

docs/developer-guide/running-locally.md

@@ -4,9 +4,9 @@
 
 During development, it might be viable to run ArgoCD outside of a Kubernetes cluster. This will greatly speed up development, as you don't have to constantly build, push and install new ArgoCD Docker images with your latest changes.
 
-You will still need a working Kubernetes cluster, as described in the [Contribution Guide](contributing.md), where ArgoCD will store all of its resources.
+You will still need a working Kubernetes cluster, as described in the [Toolchain Guide](toolchain-guide.md), where ArgoCD will store all of its resources and configuration.
 
-If you followed the [Contribution Guide](contributing.md) in setting up your toolchain, you can run ArgoCD locally with these simple steps:
+If you followed the [Toolchain Guide](toolchain-guide.md) in setting up your toolchain, you can run ArgoCD locally with these simple steps:
 
 ### Install ArgoCD resources to your cluster
 

docs/developer-guide/toolchain-guide.md

@@ -0,0 +1,327 @@
+# Development toolchain
+
+## Preface
+
+!!!note "Before you start"
+    The Argo CD project continuously grows, both in terms of features and community size. It gets adopted by more and more organisations which entrust Argo CD to handle their critical production workloads. Thus, we need to take great care with any changes that affect compatibility, performance, scalability, stability and security of Argo CD. For this reason, every new feature or larger enhancement must be properly designed and discussed before it gets accepted into the code base.
+
+    We do welcome and encourage everyone to participate in the Argo CD project, but please understand that we can't accept each and every contribution from the community, for various reasons. If you want to submit code for a great new feature or enhancement, we kindly ask you to take a look at the
+    [code contribution guide](code-contributions.md#) before you start to write code or submit a PR.
+
+We want to make contributing to Argo CD as simple and smooth as possible.
+
+This guide shall help you in setting up your build & test environment, so that you can start developing and testing bug fixes and feature enhancements without having to make too much effort in setting up a local toolchain.
+
+If you want to submit a PR, please read this document carefully, as it contains important information guiding you through our PR quality gates.
+
+As is the case with the development process, this document is under constant change. If you notice any error, or if you think this document is out-of-date, or if you think it is missing something: Feel free to submit a PR or submit a bug to our GitHub issue tracker.
+
+If you need guidance with submitting a PR, or have any other questions regarding development of Argo CD, do not hesitate to [join our Slack](https://argoproj.github.io/community/join-slack) and get in touch with us in the `#argo-contributors` channel!
+
+## Before you start
+
+You will need at least the following things in your toolchain in order to develop and test Argo CD locally:
+
+* A Kubernetes cluster. You won't need a fully blown multi-master, multi-node cluster, but you will need something like K3S, Minikube or microk8s. You will also need a working Kubernetes client (`kubectl`) configuration in your development environment. The configuration must reside in `~/.kube/config` and the API server URL must point to the IP address of your local machine (or VM), and **not** to `localhost` or `127.0.0.1` if you are using the virtualized development toolchain (see below)
+
+* You will also need a working Docker runtime environment, to be able to build and run images.
+The Docker version must be fairly recent, and support multi-stage builds. You should not work as root. Make your local user a member of the `docker` group to be able to control the Docker service on your machine.
+
+* Obviously, you will need a `git` client for pulling source code and pushing back your changes.
+
+* Last but not least, you will need a Go SDK and related tools (such as GNU `make`) installed and working on your development environment. The minimum required Go version for building and testing Argo CD is **v1.16**.
+
+* We will assume that your Go workspace is at `~/go`.
+
+!!! note
+    **Attention minikube users**: By default, minikube will create Kubernetes client configuration that uses authentication data from files. This is incompatible with the virtualized toolchain. So if you intend to use the virtualized toolchain, you have to embed this authentication data into the client configuration. To do so, start minikube using `minikube start --embed-certs`. Please also note that minikube using the Docker driver is currently not supported with the virtualized toolchain, because the Docker driver exposes the API server on 127.0.0.1 hard-coded. If in doubt, run `make verify-kube-connect` to find out.
+
+## Submitting PRs
+
+### Continuous Integration process
+
+When you submit a PR against Argo CD's GitHub repository, a couple of CI checks will be run automatically to ensure your changes will build fine and meet certain quality standards. Your contribution needs to pass those checks in order to be merged into the repository.
+
+!!!note
+
+    Please make sure that you always create PRs from a branch that is up-to-date with the latest changes from Argo CD's master branch. Depending on how long it takes for the maintainers to review and merge your PR, it might be necessary to pull in latest changes into your branch again.
+
+Please understand that we, as an Open Source project, have limited capacities for reviewing and merging PRs to Argo CD. We will do our best to review your PR and give you feedback as soon as possible, but please bear with us if it takes a little longer as expected.
+
+The following read will help you to submit a PR that meets the standards of our CI tests:
+
+### Title of the PR
+
+Please use a meaningful and concise title for your PR. This will help us to pick PRs for review quickly, and the PR title will also end up in the Changelog.
+
+We use the [Semantic PR title checker](https://github.com/zeke/semantic-pull-requests) to categorize your PR into one of the following categories:
+
+* `fix` - Your PR contains one or more code bug fixes
+* `feat` - Your PR contains a new feature
+* `docs` - Your PR improves the documentation
+* `chore` - Your PR improves any internals of Argo CD, such as the build process, unit tests, etc
+
+Please prefix the title of your PR with one of the valid categories. For example, if you chose the title your PR `Add documentation for GitHub SSO integration`, please use `docs: Add documentation for GitHub SSO integration` instead.
+
+### Contributor License Agreement
+
+Every contributor to Argo CD must have signed the current Contributor License Agreement (CLA). You only have to sign the CLA when you are a first time contributor, or when the agreement has changed since your last time signing it. The main purpose of the CLA is to ensure that you hold the required rights for your contribution. The CLA signing is an automated process.
+
+You can read the current version of the CLA [here](https://cla-assistant.io/argoproj/argo-cd).
+
+### PR template checklist
+
+Upon opening a PR, the details will contain a checklist from a template. Please read the checklist, and tick those marks that apply to you.
+
+### Automated builds & tests
+
+After you have submitted your PR, and whenever you push new commits to that branch, GitHub will run a number of Continuous Integration checks against your code. It will execute the following actions, and each of them has to pass:
+
+* Build the Go code (`make build`)
+* Generate API glue code and manifests (`make codegen`)
+* Run a Go linter on the code (`make lint`)
+* Run the unit tests (`make test`)
+* Run the End-to-End tests (`make test-e2e`)
+* Build and lint the UI code (`make lint-ui`)
+* Build the `argocd` CLI (`make cli`)
+
+If any of these tests in the CI pipeline fail, it means that some of your contribution is considered faulty (or a test might be flaky, see below).
+
+### Code test coverage
+
+We use [CodeCov](https://codecov.io) in our CI pipeline to check for test coverage, and once you submit your PR, it will run and report on the coverage difference as a comment within your PR. If the difference is too high in the negative, i.e. your submission introduced a significant drop in code coverage, the CI check will fail.
+
+Whenever you develop a new feature or submit a bug fix, please also write appropriate unit tests for it. If you write a completely new module, please aim for at least 80% of coverage.
+If you want to see how much coverage just a specific module (i.e. your new one) has, you can set the `TEST_MODULE` to the (fully qualified) name of that module with `make test`, i.e.:
+
+```bash
+ make test TEST_MODULE=github.com/argoproj/argo-cd/server/cache
+...
+ok      github.com/argoproj/argo-cd/server/cache        0.029s  coverage: 89.3% of statements
+```
+
+## Local vs Virtualized toolchain
+
+Argo CD provides a fully virtualized development and testing toolchain using Docker images. It is recommended to use those images, as they provide the same runtime environment as the final product and it is much easier to keep up-to-date with changes to the toolchain and dependencies. But as using Docker comes with a slight performance penalty, you might want to setup a local toolchain.
+
+Most relevant targets for the build & test cycles in the `Makefile` provide two variants, one of them suffixed with `-local`. For example, `make test` will run unit tests in the Docker container, `make test-local` will run it natively on your local system.
+
+If you are going to use the virtualized toolchain, please bear in mind the following things:
+
+* Your Kubernetes API server must listen on the interface of your local machine or VM, and not on `127.0.0.1` only.
+* Your Kubernetes client configuration (`~/.kube/config`) must not use an API URL that points to `localhost` or `127.0.0.1`.
+
+You can test whether the virtualized toolchain has access to your Kubernetes cluster by running `make verify-kube-connect` (*after* you have setup your development environment, as described below), which will run `kubectl version` inside the Docker container used for running all tests.
+
+The Docker container for the virtualized toolchain will use the following local mounts from your workstation, and possibly modify its contents:
+
+* `~/go/src` - Your Go workspace's source directory (modifications expected)
+* `~/.cache/go-build` - Your Go build cache (modifications expected)
+* `~/.kube` - Your Kubernetes client configuration (no modifications)
+* `/tmp` - Your system's temp directory (modifications expected)
+
+## Setting up your development environment
+
+The following steps are required no matter whether you chose to use a virtualized or a local toolchain.
+
+### Clone the Argo CD repository from your personal fork on GitHub
+
+* `mkdir -p ~/go/src/github.com/argoproj`
+* `cd ~/go/src/github.com/argoproj`
+* `git clone https://github.com/yourghuser/argo-cd`
+* `cd argo-cd`
+
+### Optional: Setup an additional Git remote
+
+While everyone has their own Git workflow, the author of this document recommends to create a remote called `upstream` in your local copy pointing to the original Argo CD repository. This way, you can easily keep your local branches up-to-date by merging in latest changes from the Argo CD repository, i.e. by doing a `git pull upstream master` in your locally checked out branch. To create the remote, run `git remote add upstream https://github.com/argoproj/argo-cd`
+
+### Install the must-have requirements
+
+Make sure you fulfill the pre-requisites above and run some preliminary tests. Neither of them should report an error.
+
+* Run `kubectl version`
+* Run `docker version`
+* Run `go version`
+
+### Build (or pull) the required Docker image
+
+Build the required Docker image by running `make test-tools-image` or pull the latest version by issuing `docker pull argoproj/argocd-test-tools`.
+
+The `Dockerfile` used to build these images can be found at `test/container/Dockerfile`.
+
+### Test connection from build container to your K8s cluster
+
+Run `make verify-kube-connect`, it should execute without error.
+
+If you receive an error similar to the following:
+
+```
+The connection to the server 127.0.0.1:6443 was refused - did you specify the right host or port?
+make: *** [Makefile:386: verify-kube-connect] Error 1
+```
+
+you should edit your `~/.kube/config` and modify the `server` option to point to your correct K8s API (as described above).
+
+### Using k3d
+
+[k3d](https://github.com/rancher/k3d) is a lightweight wrapper to run [k3s](https://github.com/rancher/k3s), a minimal Kubernetes distribution, in docker. Because it's running in a docker container, you're dealing with docker's internal networking rules when using k3d. A typical Kubernetes cluster running on your local machine is part of the same network that you're on so you can access it using **kubectl**. However, a Kubernetes cluster running within a docker container (in this case, the one launched by make) cannot access 0.0.0.0 from inside the container itself, when 0.0.0.0 is a network resource outside the container itself (and/or the container's network). This is the cost of a fully self-contained, disposable Kubernetes cluster. The following steps should help with a successful `make verify-kube-connect` execution.
+
+1. Find your host IP by executing `ifconfig` on Mac/Linux and `ipconfig` on Windows. For most users, the following command works to find the IP address.
+
+    * For Mac:
+
+    ```
+    IP=`ifconfig en0 | grep inet | grep -v inet6 | awk '{print $2}'`
+    echo $IP
+    ```
+
+    * For Linux:
+
+    ```
+    IP=`ifconfig eth0 | grep inet | grep -v inet6 | awk '{print $2}'`
+    echo $IP
+    ```
+
+    Keep in mind that this IP is dynamically assigned by the router so if your router restarts for any reason, your IP might change.
+
+2. Edit your ~/.kube/config and replace 0.0.0.0 with the above IP address.
+
+3. Execute a `kubectl version` to make sure you can still connect to the Kubernetes API server via this new IP. Run `make verify-kube-connect` and check if it works.
+
+4. Finally, so that you don't have to keep updating your kube-config whenever you spin up a new k3d cluster, add `--api-port $IP:6550` to your **k3d cluster create** command, where $IP is the value from step 1. An example command is provided here:
+
+```
+k3d cluster create my-cluster --wait --k3s-server-arg '--disable=traefik' --api-port $IP:6550 -p 443:443@loadbalancer
+```
+
+## The development cycle
+
+When you have developed and possibly manually tested the code you want to contribute, you should ensure that everything will build correctly. Commit your changes to the local copy of your Git branch and perform the following steps:
+
+### Pull in all build dependencies
+
+As build dependencies change over time, you have to synchronize your development environment with the current specification. In order to pull in all required dependencies, issue:
+
+* `make dep-ui`
+
+Argo CD recently migrated to Go modules. Usually, dependencies will be downloaded on build time, but the Makefile provides two targets to download and vendor all dependencies:
+
+* `make mod-download` will download all required Go modules and
+* `make mod-vendor` will vendor those dependencies into the Argo CD source tree
+
+### Generate API glue code and other assets
+
+Argo CD relies on Google's [Protocol Buffers](https://developers.google.com/protocol-buffers) for its API, and this makes heavy use of auto-generated glue code and stubs. Whenever you touched parts of the API code, you must re-generate the auto generated code.
+
+* Run `make codegen`, this might take a while
+* Check if something has changed by running `git status` or `git diff`
+* Commit any possible changes to your local Git branch, an appropriate commit message would be `Changes from codegen`, for example.
+
+!!!note
+    There are a few non-obvious assets that are auto-generated. You should not change the autogenerated assets, as they will be overwritten by a subsequent run of `make codegen`. Instead, change their source files. Prominent examples of non-obvious auto-generated code are `swagger.json` or the installation manifest YAMLs.
+
+### Build your code and run unit tests
+
+After the code glue has been generated, your code should build and the unit tests should run without any errors. Execute the following statements:
+
+* `make build`
+* `make test`
+
+These steps are non-modifying, so there's no need to check for changes afterwards.
+
+### Lint your code base
+
+In order to keep a consistent code style in our source tree, your code must be well-formed in accordance to some widely accepted rules, which are applied by a Linter.
+
+The Linter might make some automatic changes to your code, such as indentation fixes. Some other errors reported by the Linter have to be fixed manually.
+
+* Run `make lint` and observe any errors reported by the Linter
+* Fix any of the errors reported and commit to your local branch
+* Finally, after the Linter reports no errors anymore, run `git status` or `git diff` to check for any changes made automatically by Lint
+* If there were automatic changes, commit them to your local branch
+
+If you touched UI code, you should also run the Yarn linter on it:
+
+* Run `make lint-ui`
+* Fix any of the errors reported by it
+
+## Contributing to Argo CD UI
+
+Argo CD, along with Argo Workflows, uses shared React components from [Argo UI](https://github.com/argoproj/argo-ui). Examples of some of these components include buttons, containers, form controls, 
+and others. Although you can make changes to these files and run them locally, in order to have these changes added to the Argo CD repo, you will need to follow these steps. 
+
+1. Fork and clone the [Argo UI repository](https://github.com/argoproj/argo-ui).
+
+2. `cd` into your `argo-ui` directory, and then run `yarn install`. 
+
+3. Make your file changes.
+
+4. Run `yarn start` to start a [storybook](https://storybook.js.org/) dev server and view the components in your browser. Make sure all your changes work as expected. 
+
+5. Use [yarn link](https://classic.yarnpkg.com/en/docs/cli/link/) to link Argo UI package to your Argo CD repository. (Commands below assume that `argo-ui` and `argo-cd` are both located within the same parent folder)
+
+    * `cd argo-ui`
+    * `yarn link`
+    * `cd ../argo-cd/ui`
+    * `yarn link argo-ui`
+
+    Once `argo-ui` package has been successfully linked, test out changes in your local development environment. 
+
+6. Commit changes and open a PR to [Argo UI](https://github.com/argoproj/argo-ui). 
+
+7. Once your PR has been merged in Argo UI, `cd` into your `argo-cd` folder and run `yarn add https://github.com/argoproj/argo-ui.git`. This will update the commit SHA in the `ui/yarn.lock` file to use the lastest master commit for argo-ui. 
+
+8. Submit changes to `ui/yarn.lock`in a PR to Argo CD. 
+
+## Setting up a local toolchain
+
+For development, you can either use the fully virtualized toolchain provided as Docker images, or you can set up the toolchain on your local development machine. Due to the dynamic nature of requirements, you might want to stay with the virtualized environment.
+
+### Install required dependencies and build-tools
+
+!!!note
+    The installations instructions are valid for Linux hosts only. Mac instructions will follow shortly.
+
+For installing the tools required to build and test Argo CD on your local system, we provide convenient installer scripts. By default, they will install binaries to `/usr/local/bin` on your system, which might require `root` privileges.
+
+You can change the target location by setting the `BIN` environment before running the installer scripts. For example, you can install the binaries into `~/go/bin` (which should then be the first component in your `PATH` environment, i.e. `export PATH=~/go/bin:$PATH`):
+
+```shell
+make BIN=~/go/bin install-tools-local
+```
+
+Additionally, you have to install at least the following tools via your OS's package manager (this list might not be always up-to-date):
+
+* Git LFS plugin
+* GnuPG version 2
+
+### Install Go dependencies
+
+You need to pull in all required Go dependencies. To do so, run
+
+* `make mod-download-local`
+* `make mod-vendor-local`
+
+### Test your build toolchain
+
+The first thing you can do whether your build toolchain is setup correctly is by generating the glue code for the API and after that, run a normal build:
+
+* `make codegen-local`
+* `make build-local`
+
+This should return without any error.
+
+### Run unit-tests
+
+The next thing is to make sure that unit tests are running correctly on your system. These will require that all dependencies, such as Helm, Kustomize, Git, GnuPG, etc are correctly installed and fully functioning:
+
+* `make test-local`
+
+### Run end-to-end tests
+
+The final step is running the End-to-End testsuite, which makes sure that your Kubernetes dependencies are working properly. This will involve starting all of the Argo CD components locally on your computer. The end-to-end tests consists of two parts: a server component, and a client component.
+
+* First, start the End-to-End server: `make start-e2e-local`. This will spawn a number of processes and services on your system.
+* When all components have started, run `make test-e2e-local` to run the end-to-end tests against your local services.
+
+For more information about End-to-End tests, refer to the [End-to-End test documentation](test-e2e.md).

docs/developer-guide/use-gitpod.md

@@ -0,0 +1,43 @@
+# Use Gitpod
+
+[Gitpod](https://www.gitpod.io/) is an open-source platform for automated and ready-to-code development environments.
+GitPod is probably the easiest way to get ready to use development environment with the most tools that are required
+for Argo CD development.
+
+## How To Use It
+
+1. Fork [https://github.com/argoproj/argo-cd](https://github.com/argoproj/argo-cd) repository
+1. Create Gitpod workspace by opening the following url in the browser:
+   `https://gitpod.io/#https://github.com/<USERNAME>/argo-cd` where
+   `<USERNAME>` is your Github username.
+
+1. Once workspace is created you should see VSCode editor in the browser as well as workspace initialization
+   logs in the VSCode terminal. The initialization process downloads all backend and UI dependencies as well
+   as starts K8S control plane powered by Kubebuilder [envtest](https://book.kubebuilder.io/reference/envtest.html).
+   Please wait until you see `Kubeconfig is available at /tmp/kubeconfig` message:
+
+   ![image](https://user-images.githubusercontent.com/426437/113638085-e46be080-962a-11eb-943b-24c29171fb2b.png)
+
+1. You are ready to go!
+
+Once your workspace is ready you can use VS Code to make code changes. Run `goreman start` to start Argo CD components
+and test your changes. Use the Gitpod user interface or [CLI](https://www.gitpod.io/docs/command-line-interface/) to
+access Argo CD API/UI from your laptop.
+
+## Why/When To Use It?
+
+Gitpod is a perfect tool in following cases:
+
+* you are a first-time contributor and eager to start coding;
+* you are traveling and don't want to setup development tools on your laptop;
+* you want to review pull request and need to quickly run code from the PR without changing your local setup;
+
+## Limitations
+
+There are some known limitations:
+
+* You can only use VS Code
+* Free plan provides 50 hours per month
+* [Envtest](https://book.kubebuilder.io/reference/envtest.html) based Kubernetes is only control plane.
+  So you won't be able to deploy Argo CD applications that runs actual pods.
+* Codegen tools are not available. E.g. you won't be able to use `make codegen-local`.

docs/faq.md

@@ -14,7 +14,7 @@ to ignore fields when differences are expected.
 
 ## Why is my application stuck in `Progressing` state?
 
-Argo CD provides health for several standard Kubernetes types. The `Ingress` and `StatefulSet` types have known issues
+Argo CD provides health for several standard Kubernetes types. The `Ingress`, `StatefulSet` and `SealedSecret` types have known issues
 which might cause health check to return `Progressing` state instead of `Healthy`.
 
 * `Ingress` is considered healthy if `status.loadBalancer.ingress` list is non-empty, with at least one value
@@ -31,6 +31,7 @@ which might cause health check to return `Progressing` state instead of `Healthy
   in `Progressing` state.
 * Your `StatefulSet` or `DaemonSet` is using `OnDelete` instead of `RollingUpdate` strategy.
   See [#1881](https://github.com/argoproj/argo-cd/issues/1881).
+* For `SealedSecret`, see [Why are resources of type `SealedSecret` stuck in the `Progressing` state?](#sealed-secret-stuck-progressing)
 
 As workaround Argo CD allows providing [health check](operator-manual/health.md) customization which overrides default
 behavior.
@@ -97,7 +98,7 @@ Use the following steps to reconstruct configured cluster config and connect to
 
 ```bash
 kubectl exec -it <argocd-pod-name> bash # ssh into any argocd server pod
-argocd-util cluster kubeconfig https://<cluster-url> /tmp/config --namespace argocd # generate your cluster config
+argocd admin cluster kubeconfig https://<cluster-url> /tmp/config --namespace argocd # generate your cluster config
 KUBECONFIG=/tmp/config kubectl get pods # test connection manually
 ```
 
@@ -175,7 +176,15 @@ argocd ... --insecure
 Most likely you forgot to set the `url` in `argocd-cm` to point to your ArgoCD as well. See also
 [the docs](/operator-manual/user-management/#2-configure-argo-cd-for-sso).
 
-## Why are resources of type `SealedSecret` stuck in the `Progressing` state?
+## Why are `SealedSecret` resources reporting a `Status`?
+
+Versions of `SealedSecret` up to and including `v0.15.0` (especially through helm `1.15.0-r3`) don't include
+a [modern CRD](https://github.com/bitnami-labs/sealed-secrets/issues/555) and thus the status field will not
+be exposed (on k8s `1.16+`). If your Kubernetes deployment is [modern](
+https://www.openshift.com/blog/a-look-into-the-technical-details-of-kubernetes-1-16), ensure you're using a
+fixed CRD if you want this feature to work at all.
+
+## <a name="sealed-secret-stuck-progressing"></a>Why are resources of type `SealedSecret` stuck in the `Progressing` state?
 
 The controller of the `SealedSecret` resource may expose the status condition on resource it provisioned. Since
 version `v2.0.0` ArgoCD picks up that status condition to derive a health status for the `SealedSecret`.
@@ -186,14 +195,12 @@ enabled by starting the `SealedSecret` controller with the `--update-status` com
 the `SEALED_SECRETS_UPDATE_STATUS` environment variable.
 
 To disable ArgoCD from checking the status condition on `SealedSecret` resources, add the following resource
-customization in your `argocd-cm` ConfigMap:
+customization in your `argocd-cm` ConfigMap via `resource.customizations.health.<group_kind>` key.
 
 ```yaml
-resource.customizations: |
-  bitnami.com/SealedSecret:
-    health.lua: |
-      hs = {}
-      hs.status = "Healthy"
-      hs.message = "Controller doesn't report resource status"
-      return hs
+resource.customizations.health.bitnami.com_SealedSecret: |
+  hs = {}
+  hs.status = "Healthy"
+  hs.message = "Controller doesn't report resource status"
+  return hs
 ```

docs/getting_started.md

@@ -17,18 +17,24 @@ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/st
 
 This will create a new namespace, `argocd`, where Argo CD services and application resources will live.
 
-!!! note
-    If you are not interested in UI, SSO, multi-cluster management and just want to pull changes into the cluster then you can disable
-    authentication using `--disable-auth` flag and access Argo CD via CLI using `--port-forward` or `--port-forward-namespace` flags
-    and proceed to step [#6](#6-create-an-application-from-a-git-repository):
-    
-    `kubectl patch deploy argocd-server -n argocd -p '[{"op": "add", "path": "/spec/template/spec/containers/0/command/-", "value": "--disable-auth"}]' --type json`
+!!! warning
+    The installation manifests include `ClusterRoleBinding` resources that reference `argocd` namespace. If you installing Argo CD into a different
+    namespace then make sure to update the namespace reference.
+
+If you are not interested in UI, SSO, multi-cluster features then you can install [core](operator-manual/installation.md#core) Argo CD components only:
+
+```bash
+kubectl create namespace argocd
+kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/core-install.yaml
+```
+
+Use `argocd login --core` to [configure](./user-guide/commands/argocd_login.md) CLI access and skip steps 3-5.
 
 ## 2. Download Argo CD CLI
 
 Download the latest Argo CD version from [https://github.com/argoproj/argo-cd/releases/latest](https://github.com/argoproj/argo-cd/releases/latest). More detailed installation instructions can be found via the [CLI installation documentation](cli_installation.md).
 
-Also available in Mac Homebrew:
+Also available in Mac, Linux and WSL Homebrew:
 
 ```bash
 brew install argocd
@@ -61,41 +67,6 @@ The API server can then be accessed using the localhost:8080
 
 ## 4. Login Using The CLI
 
-!!! warning
-    We strongly advise to change the initially generated administrative password
-    as soon as after your first login to the system.
-
-Depending on the Argo CD version you are installing, the method how to get the
-initial password for the `admin` user is different.
-
-> Argo CD 1.8 and earlier
-
-The initial password is autogenerated to be the pod name of the
-Argo CD API server. This can be retrieved with the command:
-
-```bash
-kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
-```
-
-Using the username `admin` and the password from above, login to Argo CD's IP or hostname:
-
-```bash
-argocd login <ARGOCD_SERVER>  # e.g. localhost:8080 or argocd.example.com
-```
-
-Change the password using the command:
-
-```bash
-argocd account update-password
-```
-
-!!! note
-    The initial password is set in a kubernetes secret, named `argocd-secret`, during ArgoCD's initial start up. This means if you edit
-    the deployment in any way which causes a new pod to be deployed, such as disabling TLS on the Argo CD API server. Take note of the initial
-    pod name when you first install Argo CD, or reset the password by following [these instructions](../faq/#i-forgot-the-admin-password-how-do-i-reset-it)
-
-> Argo CD v1.9 and later
-
 The initial password for the `admin` account is auto-generated and stored as
 clear text in the field `password` in a secret named `argocd-initial-admin-secret`
 in your Argo CD installation namespace. You can simply retrieve this password
@@ -109,6 +80,13 @@ For better readability, e.g. if you want to copy & paste the generated password,
 you can simply append `&& echo` to above command, which will add a newline to
 the output.
 
+!!! warning
+    You should delete the `argocd-initial-admin-secret` from the Argo CD
+    namespace once you changed the password. The secret serves no other
+    purpose than to store the initially generated password in clear and can
+    safely be deleted at any time. It will be re-created on demand by Argo CD
+    if a new admin password must be re-generated.
+
 Using the username `admin` and the password from above, login to Argo CD's IP or hostname:
 
 ```bash
@@ -121,13 +99,6 @@ Change the password using the command:
 argocd account update-password
 ```
 
-!!! note
-    You should delete the `argocd-initial-admin-secret` from the Argo CD
-    namespace once you changed the password. The secret serves no other
-    purpose than to store the initially generated password in clear and can
-    safely be deleted at any time. It will be re-created on demand by Argo CD
-    if a new admin password must be re-generated.
-
 ## 5. Register A Cluster To Deploy Apps To (Optional)
 
 This step registers a cluster's credentials to Argo CD, and is only necessary when deploying to

docs/operator-manual/application.yaml

@@ -51,7 +51,7 @@ spec:
               hosts:
                 - mydomain.example.com
 
-      # Optional Helm version to template with. If omitted it will fallback to look at the 'apiVersion' in Chart.yaml
+      # Optional Helm version to template with. If omitted it will fall back to look at the 'apiVersion' in Chart.yaml
       # and decide which Helm binary to use automatically. This field can be either 'v2' or 'v3'.
       version: v2
 

docs/operator-manual/argocd-cm.yaml

@@ -18,6 +18,9 @@ data:
   # Specifies token expiration duration
   users.session.duration: "24h"
 
+  # Specifies regex expression for password
+  passwordPattern: "^.{8,32}$"
+
   # Enables google analytics tracking is specified
   ga.trackingid: "UA-12345-1"
   # Unless set to 'false' then user ids are hashed before sending to google analytics
@@ -64,120 +67,79 @@ data:
     # Optional set of OIDC claims to request on the ID token.
     requestedIDTokenClaims: {"groups": {"essential": true}}
 
-  # Git repositories configure Argo CD with (optional).
-  # This list is updated when configuring/removing repos from the UI/CLI
-  # Note: 'type: helm' field is supported in v1.3+. Use 'helm.repositories' for older versions.
-  repositories: |
-    - url: https://github.com/argoproj/my-private-repository
-      passwordSecret:
-        name: my-secret
-        key: password
-      usernameSecret:
-        name: my-secret
-        key: username
-      sshPrivateKeySecret:
-        name: my-secret
-        key: sshPrivateKey
-    - type: helm
-      url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
-      name: istio.io
-    - type: helm
-      url: https://my-private-chart-repo.internal
-      name: private-repo
-      usernameSecret:
-        name: my-secret
-        key: username
-      passwordSecret:
-        name: my-secret
-        key: password
+  # Configuration to customize resource behavior (optional) can be configured via splitted sub keys.
+  # Keys are in the form: resource.customizations.ignoreDifferences.<group_kind>, resource.customizations.health.<group_kind>
+  # resource.customizations.actions.<group_kind>, resource.customizations.knownTypeFields.<group-kind>
+  resource.customizations.ignoreDifferences.admissionregistration.k8s.io_MutatingWebhookConfiguration: |
+    jsonPointers:
+    - /webhooks/0/clientConfig/caBundle
+    jqPathExpressions:
+    - .webhooks[0].clientConfig.caBundle
 
-  # Non-standard and private Helm repositories (deprecated in 1.3).
-  helm.repositories: |
-    - url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
-      name: istio.io
-    - url: https://my-private-chart-repo.internal
-      name: private-repo
-      usernameSecret:
-        name: my-secret
-        key: username
-      passwordSecret:
-        name: my-secret
-        key: password
-
-  # Configuration to customize resource behavior (optional). Keys are in the form: group/Kind.
-  resource.customizations: |
-    admissionregistration.k8s.io/MutatingWebhookConfiguration:
-      # List of json pointers in the object to ignore differences
-      ignoreDifferences: |
-        jsonPointers:
-        - /webhooks/0/clientConfig/caBundle
-    certmanager.k8s.io/Certificate:
-      # Lua script for customizing the health status assessment
-      health.lua: |
-        hs = {}
-        if obj.status ~= nil then
-          if obj.status.conditions ~= nil then
-            for i, condition in ipairs(obj.status.conditions) do
-              if condition.type == "Ready" and condition.status == "False" then
-                hs.status = "Degraded"
-                hs.message = condition.message
-                return hs
-              end
-              if condition.type == "Ready" and condition.status == "True" then
-                hs.status = "Healthy"
-                hs.message = condition.message
-                return hs
-              end
-            end
+  resource.customizations.health.certmanager.k8s.io-Certificate: |
+    hs = {}
+    if obj.status ~= nil then
+      if obj.status.conditions ~= nil then
+        for i, condition in ipairs(obj.status.conditions) do
+          if condition.type == "Ready" and condition.status == "False" then
+            hs.status = "Degraded"
+            hs.message = condition.message
+            return hs
+          end
+          if condition.type == "Ready" and condition.status == "True" then
+            hs.status = "Healthy"
+            hs.message = condition.message
+            return hs
           end
         end
-        hs.status = "Progressing"
-        hs.message = "Waiting for certificate"
-        return hs
-    cert-manager.io/Certificate:
-      # Lua script for customizing the health status assessment
-      health.lua: |
-        hs = {}
-        if obj.status ~= nil then
-          if obj.status.conditions ~= nil then
-            for i, condition in ipairs(obj.status.conditions) do
-              if condition.type == "Ready" and condition.status == "False" then
-                hs.status = "Degraded"
-                hs.message = condition.message
-                return hs
-              end
-              if condition.type == "Ready" and condition.status == "True" then
-                hs.status = "Healthy"
-                hs.message = condition.message
-                return hs
-              end
-            end
+      end
+    end
+    hs.status = "Progressing"
+    hs.message = "Waiting for certificate"
+    return hs
+
+  resource.customizations.health.cert-manager.io_Certificate: |
+    hs = {}
+    if obj.status ~= nil then
+      if obj.status.conditions ~= nil then
+        for i, condition in ipairs(obj.status.conditions) do
+          if condition.type == "Ready" and condition.status == "False" then
+            hs.status = "Degraded"
+            hs.message = condition.message
+            return hs
+          end
+          if condition.type == "Ready" and condition.status == "True" then
+            hs.status = "Healthy"
+            hs.message = condition.message
+            return hs
           end
         end
-        hs.status = "Progressing"
-        hs.message = "Waiting for certificate"
-        return hs
-    apps/Deployment:
-      # List of Lua Scripts to introduce custom actions
-      actions: |
-        # Lua Script to indicate which custom actions are available on the resource
-        discovery.lua: |
-          actions = {}
-          actions["restart"] = {}
-          return actions
-        definitions:
-          - name: restart
-            # Lua Script to modify the obj
-            action.lua: |
-              local os = require("os")
-              if obj.spec.template.metadata == nil then
-                  obj.spec.template.metadata = {}
-              end
-              if obj.spec.template.metadata.annotations == nil then
-                  obj.spec.template.metadata.annotations = {}
-              end
-              obj.spec.template.metadata.annotations["kubectl.kubernetes.io/restartedAt"] = os.date("!%Y-%m-%dT%XZ")
-              return obj
+      end
+    end
+    hs.status = "Progressing"
+    hs.message = "Waiting for certificate"
+    return hs
+
+  # List of Lua Scripts to introduce custom actions
+  resource.customizations.actions.apps_Deployment: |
+    # Lua Script to indicate which custom actions are available on the resource
+    discovery.lua: |
+      actions = {}
+      actions["restart"] = {}
+      return actions
+    definitions:
+      - name: restart
+        # Lua Script to modify the obj
+        action.lua: |
+          local os = require("os")
+          if obj.spec.template.metadata == nil then
+              obj.spec.template.metadata = {}
+          end
+          if obj.spec.template.metadata.annotations == nil then
+              obj.spec.template.metadata.annotations = {}
+          end
+          obj.spec.template.metadata.annotations["kubectl.kubernetes.io/restartedAt"] = os.date("!%Y-%m-%dT%XZ")
+          return obj
 
   # Configuration to completely ignore entire classes of resource group/kinds (optional).
   # Excluding high-volume resources improves performance and memory usage, and reduces load and
@@ -232,6 +194,10 @@ data:
   kustomize.version.v3.5.1: /custom-tools/kustomize_3_5_1
   kustomize.version.v3.5.4: /custom-tools/kustomize_3_5_4
 
+  # Comma delimited list of additional custom remote values file schemes (http are https are allowed by default).
+  # Change to empty value if you want to disable remote values files altogether.
+  helm.valuesFileSchemes: http, https
+
   # The metadata.label key name where Argo CD injects the app name as a tracking label (optional).
   # Tracking labels are used to determine which resources need to be deleted when pruning.
   # If omitted, Argo CD injects the app name into the label: 'app.kubernetes.io/instance'
@@ -262,3 +228,8 @@ data:
   # Optional link for banner. If set, the entire banner text will become a link.
   # You can have bannercontent without a bannerurl, but not the other way around.
   ui.bannerurl: "https://argoproj.github.io"
+
+  # Application reconciliation timeout is the max amount of time required to discover if a new manifests version got
+  # published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Three minutes by default.
+  # > Note: argocd-repo-server deployment must be manually restarted after changing the setting.
+  timeout.reconciliation: 180s

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -0,0 +1,110 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cmd-params-cm
+  labels:
+    app.kubernetes.io/name: argocd-cmd-params-cm
+    app.kubernetes.io/part-of: argocd
+data:
+  # Repo server address. (default "argocd-repo-server:8081")
+  repo.server: "argocd-repo-server:8081"
+  
+  # Dex server address (default "http://argocd-dex-server:5556")
+  dex.server: "http://argocd-dex-server:5556"
+
+  # Redis server hostname and port (e.g. argocd-redis:6379)
+  redis.server: "argocd-redis:6379"
+  # Redis database
+  redis.db:
+
+  ## Controller Properties
+  # Repo server RPC call timeout seconds.
+  controller.repo.server.timeout.seconds: "60"
+  # Disable TLS on connections to repo server
+  controller.repo.server.plaintext: "false"
+  # Whether to use strict validation of the TLS cert presented by the repo server
+  controller.repo.server.strict.tls: "false"
+  # Number of application status processors (default 20)
+  controller.status.processors: "20"
+  # Number of application operation processors (default 10)
+  controller.operation.processors: "10"
+  # Set the logging format. One of: text|json (default "text")
+  controller.log.format: "text"
+  # Set the logging level. One of: debug|info|warn|error (default "info")
+  controller.log.level: "info"
+  # Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)
+  controller.metrics.cache.expiration: "24h0m0s"
+  # Specifies timeout between application self heal attempts (default 5)
+  controller.self.heal.timeout.seconds: "5"
+  # Cache expiration for app state (default 1h0m0s)
+  controller.app.state.cache.expiration: "1h0m0s"
+  # Cache expiration default (default 24h0m0s)
+  controller.default.cache.expiration: "24h0m0s"
+
+  ## Server properties
+  # Run server without TLS
+  server.insecure: "false"
+  # Value for base href in index.html. Used if Argo CD is running behind reverse proxy under subpath different from / (default "/")
+  server.basehref: "/"
+  # Used if Argo CD is running behind reverse proxy under subpath different from /
+  server.rootpath: "/"
+  # Directory path that contains additional static assets
+  server.staticassets: "/shared/app"
+
+  # Set the logging format. One of: text|json (default "text")
+  server.log.format: "text"
+  # Set the logging level. One of: debug|info|warn|error (default "info")
+  server.log.level: "info"
+  # Repo server RPC call timeout seconds. (default 60)
+  server.repo.server.timeout.seconds: "60"
+  # Use a plaintext client (non-TLS) to connect to repository server
+  server.repo.server.plaintext: "false"
+  # Perform strict validation of TLS certificates when connecting to repo server
+  server.repo.server.strict.tls: "false"
+  # Disable client authentication
+  server.disable.auth: "false"
+  # Enable GZIP compression
+  server.enable.gzip: "false"
+  # Set X-Frame-Options header in HTTP responses to value. To disable, set to "". (default "sameorigin")
+  server.x.frame.options: "sameorigin"
+  # The minimum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.2")
+  server.tls.minversion: "1.2"
+  # The maximum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.3")
+  server.tls.maxversion: "1.3"
+  # The list of acceptable ciphers to be used when establishing TLS connections. Use 'list' to list available ciphers. (default "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_GCM_SHA384")
+  server.tls.ciphers: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_GCM_SHA384"
+  # Cache expiration for cluster/repo connection status (default 1h0m0s)
+  server.connection.status.cache.expiration: "1h0m0s"
+  # Cache expiration for OIDC state (default 3m0s)
+  server.oidc.cache.expiration: "3m0s"
+  # Cache expiration for failed login attempts (default 24h0m0s)
+  server.login.attempts.expiration: "24h0m0s"
+  # Cache expiration for app state (default 1h0m0s)
+  server.app.state.cache.expiration: "1h0m0s"
+  # Cache expiration default (default 24h0m0s)
+  server.default.cache.expiration: "24h0m0s"
+
+  ## Repo-server properties
+  # Set the logging format. One of: text|json (default "text")
+  reposerver.log.format: "text"
+  # Set the logging level. One of: debug|info|warn|error (default "info")
+  reposerver.log.level: "info"
+  # Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.
+  reposerver.parallelism.limit: "1"
+  # Disable TLS on the gRPC endpoint
+  reposerver.disable.tls: "false"
+  # The minimum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.2")
+  reposerver.tls.minversion: "1.2"
+  # The maximum SSL/TLS version that is acceptable (one of: 1.0|1.1|1.2|1.3) (default "1.3")
+  reposerver.tls.maxversion: "1.3"
+  # The list of acceptable ciphers to be used when establishing TLS connections. Use 'list' to list available ciphers. (default "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_GCM_SHA384")
+  reposerver.tls.ciphers: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_GCM_SHA384"
+  # Cache expiration for repo state, incl. app lists, app details, manifest generation, revision meta-data (default 24h0m0s)
+  reposerver.repo.cache.expiration: "24h0m0s"
+  # Cache expiration default (default 24h0m0s)
+  reposerver.default.cache.expiration: "24h0m0s"
+  # Max combined manifest file size for a single directory-type Application. In-memory manifest representation may be as
+  # much as 300x the manifest file size. Limit this to stay within the memory limits of the repo-server while allowing
+  # for 300x memory expansion and N Applications running at the same time.
+  # (example 10M max * 300 expansion * 10 Apps = 30G max theoretical memory usage).
+  reposerver.max.combined.directory.manifests.size: '10M'

docs/operator-manual/argocd-repo-creds.yaml

@@ -0,0 +1,59 @@
+# Repository credentials, for using the same credentials in multiple repositories.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argoproj-https-creds
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repo-creds
+stringData:
+  url: https://github.com/argoproj
+  password: my-password
+  username: my-username
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: argoproj-ssh-creds
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repo-creds
+stringData:
+  url: git@github.com:argoproj-labs
+  sshPrivateKey: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    ...
+    -----END OPENSSH PRIVATE KEY-----
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: github-creds
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repo-creds
+stringData:
+  url: https://github.com/argoproj
+  githubAppID: 1
+  githubAppInstallationID: 2
+  githubAppPrivateKey: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    ...
+    -----END OPENSSH PRIVATE KEY-----
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: github-enterprise-creds
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repo-creds
+stringData:
+  url: https://github.com/argoproj
+  githubAppID: 1
+  githubAppInstallationID: 2
+  githubAppEnterpriseBaseUrl: https://ghe.example.com/api/v3
+  githubAppPrivateKey: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    ...
+    -----END OPENSSH PRIVATE KEY-----

docs/operator-manual/argocd-repositories.yaml

@@ -0,0 +1,54 @@
+# Git repositories configure Argo CD with (optional).
+# This list is updated when configuring/removing repos from the UI/CLI
+# Note: the last example in the list would use a repository credential template, configured under "argocd-repo-creds.yaml".
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-private-repo
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  url: https://github.com/argoproj/my-private-repository
+  password: my-password
+  username: my-username
+  sshPrivateKey: |
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    ...
+    -----END OPENSSH PRIVATE KEY-----
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: istio-helm-repo
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  url: https://storage.googleapis.com/istio-prerelease/daily-build/master-latest-daily/charts
+  name: istio.io
+  type: helm
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-helm-repo
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  url: https://my-private-chart-repo.internal
+  name: private-repo
+  type: helm
+  password: my-password
+  username: my-username
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: private-repo
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  url: https://github.com/argoproj/private-repo