chore(deps): bump slsa-framework/slsa-github-generator from 2.0.0 to 2.1.0 (#23166) (#24470)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/ci-build.yaml

@@ -78,7 +78,7 @@ jobs:
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -148,7 +148,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -217,7 +217,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -309,7 +309,7 @@ jobs:
           node-version: '21.6.1'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -346,7 +346,7 @@ jobs:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -444,7 +444,7 @@ jobs:
           sudo chmod go-r $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}

.github/workflows/image.yaml

@@ -86,7 +86,7 @@ jobs:
       packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
     if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
     # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
     with:
       image: ghcr.io/argoproj/argo-cd/argocd
       digest: ${{ needs.build-and-publish.outputs.image-digest }}

.github/workflows/release.yaml

@@ -31,20 +31,20 @@ jobs:
       quay_password: ${{ secrets.RELEASE_QUAY_TOKEN }}
 
   argocd-image-provenance:
-      needs: [argocd-image]
-      permissions:
-        actions: read # for detecting the Github Actions environment.
-        id-token: write # for creating OIDC tokens for signing.
-        packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
-      # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-      if: github.repository == 'argoproj/argo-cd'
-      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
-      with:
-        image: quay.io/argoproj/argocd
-        digest: ${{ needs.argocd-image.outputs.image-digest }}
-      secrets:
-        registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
-        registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}
+    needs: [argocd-image]
+    permissions:
+      actions: read # for detecting the Github Actions environment.
+      id-token: write # for creating OIDC tokens for signing.
+      packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
+    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    if: github.repository == 'argoproj/argo-cd'
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
+    with:
+      image: quay.io/argoproj/argocd
+      digest: ${{ needs.argocd-image.outputs.image-digest }}
+    secrets:
+      registry-username: ${{ secrets.RELEASE_QUAY_USERNAME }}
+      registry-password: ${{ secrets.RELEASE_QUAY_TOKEN }}
 
   goreleaser:
     needs:
@@ -128,7 +128,7 @@ jobs:
       contents: write #  Needed for release uploads
     if: github.repository == 'argoproj/argo-cd'
     # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
       provenance-name: "argocd-cli.intoto.jsonl"
@@ -211,8 +211,8 @@ jobs:
       id-token: write # Needed for provenance signing and ID
       contents: write #  Needed for release uploads
     if: github.repository == 'argoproj/argo-cd'
-    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}"
       provenance-name: "argocd-sbom.intoto.jsonl"

.goreleaser.yaml

@@ -114,7 +114,7 @@ changelog:
     exclude:
       - '^test:'
       - '^.*?Bump(\([[:word:]]+\))?.+$'
-      - '^.*?[Bot](\([[:word:]]+\))?.+$'
+      - '^.*?\[Bot\](\([[:word:]]+\))?.+$'
 
 
 # yaml-language-server: $schema=https://goreleaser.com/static/schema.json

Dockerfile

@@ -4,7 +4,7 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:22.04@sha256:0bced47fffa3361afa981854fca
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.21.9@sha256:7d0dcbe5807b1ad7272a598fbf9d7af15b5e2bed4fd6c4c2b5b3684df0b317dd AS builder
+FROM docker.io/library/golang:1.21.10@sha256:16438a8e66c0c984f732e815ee5b7d715b8e33e81bac6d6a3750b1067744e7ca AS builder
 
 RUN echo 'deb http://archive.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
@@ -101,7 +101,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21.9@sha256:7d0dcbe5807b1ad7272a598fbf9d7af15b5e2bed4fd6c4c2b5b3684df0b317dd AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.21.10@sha256:16438a8e66c0c984f732e815ee5b7d715b8e33e81bac6d6a3750b1067744e7ca AS argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 

VERSION

@@ -1 +1 @@
-2.11.0
+2.11.14

applicationset/controllers/applicationset_controller.go

@@ -127,20 +127,18 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	// Log a warning if there are unrecognized generators
 	_ = utils.CheckInvalidGenerators(&applicationSetInfo)
 	// desiredApplications is the main list of all expected Applications from all generators in this appset.
-	desiredApplications, applicationSetReason, generatorsErr := r.generateApplications(logCtx, applicationSetInfo)
-	if generatorsErr != nil {
+	desiredApplications, applicationSetReason, err := r.generateApplications(logCtx, applicationSetInfo)
+	if err != nil {
 		_ = r.setApplicationSetStatusCondition(ctx,
 			&applicationSetInfo,
 			argov1alpha1.ApplicationSetCondition{
 				Type:    argov1alpha1.ApplicationSetConditionErrorOccurred,
-				Message: generatorsErr.Error(),
+				Message: err.Error(),
 				Reason:  string(applicationSetReason),
 				Status:  argov1alpha1.ApplicationSetConditionStatusTrue,
 			}, parametersGenerated,
 		)
-		if len(desiredApplications) < 1 {
-			return ctrl.Result{}, generatorsErr
-		}
+		return ctrl.Result{RequeueAfter: ReconcileRequeueOnValidationError}, err
 	}
 
 	parametersGenerated = true
@@ -314,7 +312,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 
 	requeueAfter := r.getMinRequeueAfter(&applicationSetInfo)
 
-	if len(validateErrors) == 0 && generatorsErr == nil {
+	if len(validateErrors) == 0 {
 		if err := r.setApplicationSetStatusCondition(ctx,
 			&applicationSetInfo,
 			argov1alpha1.ApplicationSetCondition{
@@ -578,11 +576,9 @@ func (r *ApplicationSetReconciler) applyTemplatePatch(app *argov1alpha1.Applicat
 }
 
 func ignoreNotAllowedNamespaces(namespaces []string) predicate.Predicate {
-	return predicate.Funcs{
-		CreateFunc: func(e event.CreateEvent) bool {
-			return glob.MatchStringInList(namespaces, e.Object.GetNamespace(), false)
-		},
-	}
+	return predicate.NewPredicateFuncs(func(object client.Object) bool {
+		return glob.MatchStringInList(namespaces, object.GetNamespace(), false)
+	})
 }
 
 func appControllerIndexer(rawObj client.Object) []string {

applicationset/controllers/applicationset_controller_test.go

@@ -9,6 +9,9 @@ import (
 	"testing"
 	"time"
 
+	"github.com/argoproj/argo-cd/v2/applicationset/generators/mocks"
+	"github.com/stretchr/testify/require"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
@@ -110,7 +113,6 @@ func (r *rendererMock) RenderTemplateParams(tmpl *v1alpha1.Application, syncPoli
 	}
 
 	return args.Get(0).(*v1alpha1.Application), args.Error(1)
-
 }
 
 func (r *rendererMock) Replace(tmpl string, replaceMap map[string]interface{}, useGoTemplate bool, goTemplateOptions []string) (string, error) {
@@ -179,7 +181,6 @@ func TestExtractApplications(t *testing.T) {
 		}
 
 		t.Run(cc.name, func(t *testing.T) {
-
 			appSet := &v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "name",
@@ -206,7 +207,6 @@ func TestExtractApplications(t *testing.T) {
 
 			if cc.generateParamsError == nil {
 				for _, p := range cc.params {
-
 					if cc.rendererError != nil {
 						rendererMock.On("RenderTemplateParams", getTempApplication(cc.template), p, false, []string(nil)).
 							Return(nil, cc.rendererError)
@@ -253,10 +253,8 @@ func TestExtractApplications(t *testing.T) {
 			if cc.generateParamsError == nil {
 				rendererMock.AssertNumberOfCalls(t, "RenderTemplateParams", len(cc.params))
 			}
-
 		})
 	}
-
 }
 
 func TestMergeTemplateApplications(t *testing.T) {
@@ -315,7 +313,6 @@ func TestMergeTemplateApplications(t *testing.T) {
 		cc := c
 
 		t.Run(cc.name, func(t *testing.T) {
-
 			generatorMock := generatorMock{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				List: &v1alpha1.ListGenerator{},
@@ -358,11 +355,9 @@ func TestMergeTemplateApplications(t *testing.T) {
 			assert.Equal(t, cc.expectedApps, got)
 		})
 	}
-
 }
 
 func TestCreateOrUpdateInCluster(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -870,7 +865,8 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 					},
 				},
 			},
-		}, {
+		},
+		{
 			name: "Ensure that configured preserved annotations are preserved from an existing app",
 			appSet: v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -937,7 +933,8 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 					},
 				},
 			},
-		}, {
+		},
+		{
 			name: "Ensure that the app spec is normalized before applying",
 			appSet: v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -991,7 +988,8 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 					},
 				},
 			},
-		}, {
+		},
+		{
 			// For this use case: https://github.com/argoproj/argo-cd/issues/9101#issuecomment-1191138278
 			name: "Ensure that ignored targetRevision difference doesn't cause an update, even if another field changes",
 			appSet: v1alpha1.ApplicationSet{
@@ -1082,7 +1080,8 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 					},
 				},
 			},
-		}, {
+		},
+		{
 			// For this use case: https://github.com/argoproj/argo-cd/pull/14743#issuecomment-1761954799
 			name: "ignore parameters added to a multi-source app in the cluster",
 			appSet: v1alpha1.ApplicationSet{
@@ -1183,7 +1182,8 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 					},
 				},
 			},
-		}, {
+		},
+		{
 			name: "Demonstrate limitation of MergePatch", // Maybe we can fix this in Argo CD 3.0: https://github.com/argoproj/argo-cd/issues/15975
 			appSet: v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -1281,7 +1281,8 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 					},
 				},
 			},
-		}, {
+		},
+		{
 			name: "Ensure that argocd post-delete finalizers are preserved from an existing app",
 			appSet: v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
@@ -1348,9 +1349,7 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 			},
 		},
 	} {
-
 		t.Run(c.name, func(t *testing.T) {
-
 			initObjs := []crtclient.Object{&c.appSet}
 
 			for _, a := range c.existingApps {
@@ -1386,7 +1385,6 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 }
 
 func TestRemoveFinalizerOnInvalidDestination_FinalizerTypes(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -1422,7 +1420,6 @@ func TestRemoveFinalizerOnInvalidDestination_FinalizerTypes(t *testing.T) {
 		},
 	} {
 		t.Run(c.name, func(t *testing.T) {
-
 			appSet := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "name",
@@ -1480,9 +1477,9 @@ func TestRemoveFinalizerOnInvalidDestination_FinalizerTypes(t *testing.T) {
 				KubeClientset: kubeclientset,
 				Cache:         &fakeCache{},
 			}
-			//settingsMgr := settings.NewSettingsManager(context.TODO(), kubeclientset, "namespace")
-			//argoDB := db.NewDB("namespace", settingsMgr, r.KubeClientset)
-			//clusterList, err := argoDB.ListClusters(context.Background())
+			// settingsMgr := settings.NewSettingsManager(context.TODO(), kubeclientset, "namespace")
+			// argoDB := db.NewDB("namespace", settingsMgr, r.KubeClientset)
+			// clusterList, err := argoDB.ListClusters(context.Background())
 			clusterList, err := utils.ListClusters(context.Background(), kubeclientset, "namespace")
 			assert.NoError(t, err, "Unexpected error")
 
@@ -1505,13 +1502,11 @@ func TestRemoveFinalizerOnInvalidDestination_FinalizerTypes(t *testing.T) {
 
 			bytes, _ := json.MarshalIndent(retrievedApp, "", "  ")
 			t.Log("Contents of app after call:", string(bytes))
-
 		})
 	}
 }
 
 func TestRemoveFinalizerOnInvalidDestination_DestinationTypes(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -1583,9 +1578,7 @@ func TestRemoveFinalizerOnInvalidDestination_DestinationTypes(t *testing.T) {
 			expectFinalizerRemoved: false,
 		},
 	} {
-
 		t.Run(c.name, func(t *testing.T) {
-
 			appSet := v1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "name",
@@ -1665,7 +1658,6 @@ func TestRemoveFinalizerOnInvalidDestination_DestinationTypes(t *testing.T) {
 
 			bytes, _ := json.MarshalIndent(retrievedApp, "", "  ")
 			t.Log("Contents of app after call:", string(bytes))
-
 		})
 	}
 }
@@ -1746,7 +1738,6 @@ func TestRemoveOwnerReferencesOnDeleteAppSet(t *testing.T) {
 }
 
 func TestCreateApplications(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -1950,7 +1941,6 @@ func TestCreateApplications(t *testing.T) {
 }
 
 func TestDeleteInCluster(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -2152,8 +2142,59 @@ func TestGetMinRequeueAfter(t *testing.T) {
 	assert.Equal(t, time.Duration(1)*time.Second, got)
 }
 
-func TestValidateGeneratedApplications(t *testing.T) {
+func TestRequeueGeneratorFails(t *testing.T) {
+	scheme := runtime.NewScheme()
+	err := v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
+	err = v1alpha1.AddToScheme(scheme)
+	require.NoError(t, err)
 
+	appSet := v1alpha1.ApplicationSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "name",
+			Namespace: "argocd",
+		},
+		Spec: v1alpha1.ApplicationSetSpec{
+			Generators: []v1alpha1.ApplicationSetGenerator{{
+				PullRequest: &v1alpha1.PullRequestGenerator{},
+			}},
+		},
+	}
+	client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet).Build()
+
+	generator := v1alpha1.ApplicationSetGenerator{
+		PullRequest: &v1alpha1.PullRequestGenerator{},
+	}
+
+	generatorMock := mocks.Generator{}
+	generatorMock.On("GetTemplate", &generator).
+		Return(&v1alpha1.ApplicationSetTemplate{})
+	generatorMock.On("GenerateParams", &generator, mock.AnythingOfType("*v1alpha1.ApplicationSet"), mock.Anything).
+		Return([]map[string]interface{}{}, fmt.Errorf("Simulated error generating params that could be related to an external service/API call"))
+
+	r := ApplicationSetReconciler{
+		Client:   client,
+		Scheme:   scheme,
+		Recorder: record.NewFakeRecorder(0),
+		Cache:    &fakeCache{},
+		Generators: map[string]generators.Generator{
+			"PullRequest": &generatorMock,
+		},
+	}
+
+	req := ctrl.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: "argocd",
+			Name:      "name",
+		},
+	}
+
+	res, err := r.Reconcile(context.Background(), req)
+	require.Error(t, err)
+	assert.Equal(t, ReconcileRequeueOnValidationError, res.RequeueAfter)
+}
+
+func TestValidateGeneratedApplications(t *testing.T) {
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -2313,9 +2354,7 @@ func TestValidateGeneratedApplications(t *testing.T) {
 			validationErrors: map[int]error{0: fmt.Errorf("application destination spec is invalid: unable to find destination server: there are no clusters with this name: nonexistent-cluster")},
 		},
 	} {
-
 		t.Run(cc.name, func(t *testing.T) {
-
 			secret := &corev1.Secret{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "my-secret",
@@ -2393,7 +2432,6 @@ func TestValidateGeneratedApplications(t *testing.T) {
 }
 
 func TestReconcilerValidationProjectErrorBehaviour(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -2488,91 +2526,6 @@ func TestReconcilerValidationProjectErrorBehaviour(t *testing.T) {
 	assert.Error(t, err)
 }
 
-func TestReconcilerCreateAppsRecoveringRenderError(t *testing.T) {
-
-	scheme := runtime.NewScheme()
-	err := v1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
-	err = v1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
-
-	project := v1alpha1.AppProject{
-		ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "argocd"},
-	}
-	appSet := v1alpha1.ApplicationSet{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "name",
-			Namespace: "argocd",
-		},
-		Spec: v1alpha1.ApplicationSetSpec{
-			GoTemplate: true,
-			Generators: []v1alpha1.ApplicationSetGenerator{
-				{
-					List: &v1alpha1.ListGenerator{
-						Elements: []apiextensionsv1.JSON{{
-							Raw: []byte(`{"name": "very-good-app"}`),
-						}, {
-							Raw: []byte(`{"name": "bad-app"}`),
-						}},
-					},
-				},
-			},
-			Template: v1alpha1.ApplicationSetTemplate{
-				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
-					Name:      "{{ index (splitList \"-\" .name ) 2 }}",
-					Namespace: "argocd",
-				},
-				Spec: v1alpha1.ApplicationSpec{
-					Source:      &v1alpha1.ApplicationSource{RepoURL: "https://github.com/argoproj/argocd-example-apps", Path: "guestbook"},
-					Project:     "default",
-					Destination: v1alpha1.ApplicationDestination{Server: "https://kubernetes.default.svc"},
-				},
-			},
-		},
-	}
-
-	kubeclientset := kubefake.NewSimpleClientset()
-	argoDBMock := dbmocks.ArgoDB{}
-	argoObjs := []runtime.Object{&project}
-
-	client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appSet).WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).Build()
-
-	r := ApplicationSetReconciler{
-		Client:   client,
-		Scheme:   scheme,
-		Renderer: &utils.Render{},
-		Recorder: record.NewFakeRecorder(1),
-		Cache:    &fakeCache{},
-		Generators: map[string]generators.Generator{
-			"List": generators.NewListGenerator(),
-		},
-		ArgoDB:           &argoDBMock,
-		ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...),
-		KubeClientset:    kubeclientset,
-		Policy:           v1alpha1.ApplicationsSyncPolicySync,
-		ArgoCDNamespace:  "argocd",
-	}
-
-	req := ctrl.Request{
-		NamespacedName: types.NamespacedName{
-			Namespace: "argocd",
-			Name:      "name",
-		},
-	}
-
-	// Verify that on generatorsError, no error is returned, but the object is requeued
-	res, err := r.Reconcile(context.Background(), req)
-	assert.Nil(t, err)
-	assert.True(t, res.RequeueAfter == ReconcileRequeueOnValidationError)
-
-	var app v1alpha1.Application
-
-	// make sure good app got created
-	err = r.Client.Get(context.TODO(), crtclient.ObjectKey{Namespace: "argocd", Name: "app"}, &app)
-	assert.NoError(t, err)
-	assert.Equal(t, app.Name, "app")
-}
-
 func TestSetApplicationSetStatusCondition(t *testing.T) {
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
@@ -2631,7 +2584,6 @@ func TestSetApplicationSetStatusCondition(t *testing.T) {
 }
 
 func applicationsUpdateSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alpha1.ApplicationsSyncPolicy, recordBuffer int, allowPolicyOverride bool) v1alpha1.Application {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -2748,7 +2700,6 @@ func applicationsUpdateSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp
 }
 
 func TestUpdateNotPerformedWithSyncPolicyCreateOnly(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateOnly
 
 	app := applicationsUpdateSyncPolicyTest(t, applicationsSyncPolicy, 1, true)
@@ -2758,7 +2709,6 @@ func TestUpdateNotPerformedWithSyncPolicyCreateOnly(t *testing.T) {
 }
 
 func TestUpdateNotPerformedWithSyncPolicyCreateDelete(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateDelete
 
 	app := applicationsUpdateSyncPolicyTest(t, applicationsSyncPolicy, 1, true)
@@ -2768,7 +2718,6 @@ func TestUpdateNotPerformedWithSyncPolicyCreateDelete(t *testing.T) {
 }
 
 func TestUpdatePerformedWithSyncPolicyCreateUpdate(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateUpdate
 
 	app := applicationsUpdateSyncPolicyTest(t, applicationsSyncPolicy, 2, true)
@@ -2779,7 +2728,6 @@ func TestUpdatePerformedWithSyncPolicyCreateUpdate(t *testing.T) {
 }
 
 func TestUpdatePerformedWithSyncPolicySync(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicySync
 
 	app := applicationsUpdateSyncPolicyTest(t, applicationsSyncPolicy, 2, true)
@@ -2790,7 +2738,6 @@ func TestUpdatePerformedWithSyncPolicySync(t *testing.T) {
 }
 
 func TestUpdatePerformedWithSyncPolicyCreateOnlyAndAllowPolicyOverrideFalse(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateOnly
 
 	app := applicationsUpdateSyncPolicyTest(t, applicationsSyncPolicy, 2, false)
@@ -2801,7 +2748,6 @@ func TestUpdatePerformedWithSyncPolicyCreateOnlyAndAllowPolicyOverrideFalse(t *t
 }
 
 func applicationsDeleteSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alpha1.ApplicationsSyncPolicy, recordBuffer int, allowPolicyOverride bool) v1alpha1.ApplicationList {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -2919,7 +2865,6 @@ func applicationsDeleteSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp
 }
 
 func TestDeleteNotPerformedWithSyncPolicyCreateOnly(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateOnly
 
 	apps := applicationsDeleteSyncPolicyTest(t, applicationsSyncPolicy, 1, true)
@@ -2928,7 +2873,6 @@ func TestDeleteNotPerformedWithSyncPolicyCreateOnly(t *testing.T) {
 }
 
 func TestDeleteNotPerformedWithSyncPolicyCreateUpdate(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateUpdate
 
 	apps := applicationsDeleteSyncPolicyTest(t, applicationsSyncPolicy, 2, true)
@@ -2937,7 +2881,6 @@ func TestDeleteNotPerformedWithSyncPolicyCreateUpdate(t *testing.T) {
 }
 
 func TestDeletePerformedWithSyncPolicyCreateDelete(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateDelete
 
 	apps := applicationsDeleteSyncPolicyTest(t, applicationsSyncPolicy, 3, true)
@@ -2946,7 +2889,6 @@ func TestDeletePerformedWithSyncPolicyCreateDelete(t *testing.T) {
 }
 
 func TestDeletePerformedWithSyncPolicySync(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicySync
 
 	apps := applicationsDeleteSyncPolicyTest(t, applicationsSyncPolicy, 3, true)
@@ -2955,7 +2897,6 @@ func TestDeletePerformedWithSyncPolicySync(t *testing.T) {
 }
 
 func TestDeletePerformedWithSyncPolicyCreateOnlyAndAllowPolicyOverrideFalse(t *testing.T) {
-
 	applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateOnly
 
 	apps := applicationsDeleteSyncPolicyTest(t, applicationsSyncPolicy, 3, false)
@@ -2976,16 +2917,18 @@ func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
 	}{
 		{
 			name: "Generate an application from a go template application set manifest using a pull request generator",
-			params: []map[string]interface{}{{
-				"number":                                "1",
-				"branch":                                "branch1",
-				"branch_slug":                           "branchSlug1",
-				"head_sha":                              "089d92cbf9ff857a39e6feccd32798ca700fb958",
-				"head_short_sha":                        "089d92cb",
-				"branch_slugify_default":                "feat/a_really+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
-				"branch_slugify_smarttruncate_disabled": "feat/areallylongpullrequestnametotestargoslugificationandbranchnameshorteningfeature",
-				"branch_slugify_smarttruncate_enabled":  "feat/testwithsmarttruncateenabledramdomlonglistofcharacters",
-				"labels":                                []string{"label1"}},
+			params: []map[string]interface{}{
+				{
+					"number":                                "1",
+					"branch":                                "branch1",
+					"branch_slug":                           "branchSlug1",
+					"head_sha":                              "089d92cbf9ff857a39e6feccd32798ca700fb958",
+					"head_short_sha":                        "089d92cb",
+					"branch_slugify_default":                "feat/a_really+long_pull_request_name_to_test_argo_slugification_and_branch_name_shortening_feature",
+					"branch_slugify_smarttruncate_disabled": "feat/areallylongpullrequestnametotestargoslugificationandbranchnameshorteningfeature",
+					"branch_slugify_smarttruncate_enabled":  "feat/testwithsmarttruncateenabledramdomlonglistofcharacters",
+					"labels":                                []string{"label1"},
+				},
 			},
 			template: v1alpha1.ApplicationSetTemplate{
 				ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
@@ -3033,9 +2976,7 @@ func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
 			},
 		},
 	} {
-
 		t.Run(cases.name, func(t *testing.T) {
-
 			generatorMock := generatorMock{}
 			generator := v1alpha1.ApplicationSetGenerator{
 				PullRequest: &v1alpha1.PullRequestGenerator{},
@@ -3329,9 +3270,7 @@ func TestSetApplicationSetApplicationStatus(t *testing.T) {
 			expectedAppStatuses: nil,
 		},
 	} {
-
 		t.Run(cc.name, func(t *testing.T) {
-
 			client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&cc.appSet).Build()
 
 			r := ApplicationSetReconciler{
@@ -3357,7 +3296,6 @@ func TestSetApplicationSetApplicationStatus(t *testing.T) {
 }
 
 func TestBuildAppDependencyList(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -4093,9 +4031,7 @@ func TestBuildAppDependencyList(t *testing.T) {
 			},
 		},
 	} {
-
 		t.Run(cc.name, func(t *testing.T) {
-
 			kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...)
 			argoDBMock := dbmocks.ArgoDB{}
 			argoObjs := []runtime.Object{}
@@ -4120,7 +4056,6 @@ func TestBuildAppDependencyList(t *testing.T) {
 }
 
 func TestBuildAppSyncMap(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -4687,9 +4622,7 @@ func TestBuildAppSyncMap(t *testing.T) {
 			},
 		},
 	} {
-
 		t.Run(cc.name, func(t *testing.T) {
-
 			kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...)
 			argoDBMock := dbmocks.ArgoDB{}
 			argoObjs := []runtime.Object{}
@@ -4713,7 +4646,6 @@ func TestBuildAppSyncMap(t *testing.T) {
 }
 
 func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -5345,9 +5277,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 			},
 		},
 	} {
-
 		t.Run(cc.name, func(t *testing.T) {
-
 			kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...)
 			argoDBMock := dbmocks.ArgoDB{}
 			argoObjs := []runtime.Object{}
@@ -5379,7 +5309,6 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 }
 
 func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
-
 	scheme := runtime.NewScheme()
 	err := v1alpha1.AddToScheme(scheme)
 	assert.Nil(t, err)
@@ -6099,9 +6028,7 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 			},
 		},
 	} {
-
 		t.Run(cc.name, func(t *testing.T) {
-
 			kubeclientset := kubefake.NewSimpleClientset([]runtime.Object{}...)
 			argoDBMock := dbmocks.ArgoDB{}
 			argoObjs := []runtime.Object{}
@@ -6165,60 +6092,64 @@ func TestOwnsHandler(t *testing.T) {
 				ResourceVersion: "bar",
 			}},
 		}}, want: false},
-		{name: "ApplicationHealthStatusDiff", args: args{e: event.UpdateEvent{
-			ObjectOld: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
-				Health: v1alpha1.HealthStatus{
-					Status: "Unknown",
-				},
-			}},
-			ObjectNew: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
-				Health: v1alpha1.HealthStatus{
-					Status: "Healthy",
-				},
-			}},
-		},
+		{name: "ApplicationHealthStatusDiff", args: args{
+			e: event.UpdateEvent{
+				ObjectOld: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
+					Health: v1alpha1.HealthStatus{
+						Status: "Unknown",
+					},
+				}},
+				ObjectNew: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
+					Health: v1alpha1.HealthStatus{
+						Status: "Healthy",
+					},
+				}},
+			},
 			enableProgressiveSyncs: true,
 		}, want: true},
-		{name: "ApplicationSyncStatusDiff", args: args{e: event.UpdateEvent{
-			ObjectOld: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
-				Sync: v1alpha1.SyncStatus{
-					Status: "OutOfSync",
-				},
-			}},
-			ObjectNew: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
-				Sync: v1alpha1.SyncStatus{
-					Status: "Synced",
-				},
-			}},
-		},
+		{name: "ApplicationSyncStatusDiff", args: args{
+			e: event.UpdateEvent{
+				ObjectOld: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
+					Sync: v1alpha1.SyncStatus{
+						Status: "OutOfSync",
+					},
+				}},
+				ObjectNew: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
+					Sync: v1alpha1.SyncStatus{
+						Status: "Synced",
+					},
+				}},
+			},
 			enableProgressiveSyncs: true,
 		}, want: true},
-		{name: "ApplicationOperationStateDiff", args: args{e: event.UpdateEvent{
-			ObjectOld: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
-				OperationState: &v1alpha1.OperationState{
-					Phase: "foo",
-				},
-			}},
-			ObjectNew: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
-				OperationState: &v1alpha1.OperationState{
-					Phase: "bar",
-				},
-			}},
-		},
+		{name: "ApplicationOperationStateDiff", args: args{
+			e: event.UpdateEvent{
+				ObjectOld: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
+					OperationState: &v1alpha1.OperationState{
+						Phase: "foo",
+					},
+				}},
+				ObjectNew: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
+					OperationState: &v1alpha1.OperationState{
+						Phase: "bar",
+					},
+				}},
+			},
 			enableProgressiveSyncs: true,
 		}, want: true},
-		{name: "ApplicationOperationStartedAtDiff", args: args{e: event.UpdateEvent{
-			ObjectOld: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
-				OperationState: &v1alpha1.OperationState{
-					StartedAt: now,
-				},
-			}},
-			ObjectNew: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
-				OperationState: &v1alpha1.OperationState{
-					StartedAt: metav1.NewTime(now.Add(time.Minute * 1)),
-				},
-			}},
-		},
+		{name: "ApplicationOperationStartedAtDiff", args: args{
+			e: event.UpdateEvent{
+				ObjectOld: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
+					OperationState: &v1alpha1.OperationState{
+						StartedAt: now,
+					},
+				}},
+				ObjectNew: &v1alpha1.Application{Status: v1alpha1.ApplicationStatus{
+					OperationState: &v1alpha1.OperationState{
+						StartedAt: metav1.NewTime(now.Add(time.Minute * 1)),
+					},
+				}},
+			},
 			enableProgressiveSyncs: true,
 		}, want: true},
 		{name: "SameApplicationGeneration", args: args{e: event.UpdateEvent{
@@ -6257,48 +6188,50 @@ func TestOwnsHandler(t *testing.T) {
 			ObjectOld: &v1alpha1.Application{ObjectMeta: metav1.ObjectMeta{Finalizers: []string{}}},
 			ObjectNew: &v1alpha1.Application{ObjectMeta: metav1.ObjectMeta{Finalizers: nil}},
 		}}, want: false},
-		{name: "ApplicationDestinationSame", args: args{e: event.UpdateEvent{
-			ObjectOld: &v1alpha1.Application{
-				Spec: v1alpha1.ApplicationSpec{
-					Destination: v1alpha1.ApplicationDestination{
-						Server:    "server",
-						Namespace: "ns",
-						Name:      "name",
+		{name: "ApplicationDestinationSame", args: args{
+			e: event.UpdateEvent{
+				ObjectOld: &v1alpha1.Application{
+					Spec: v1alpha1.ApplicationSpec{
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "server",
+							Namespace: "ns",
+							Name:      "name",
+						},
+					},
+				},
+				ObjectNew: &v1alpha1.Application{
+					Spec: v1alpha1.ApplicationSpec{
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "server",
+							Namespace: "ns",
+							Name:      "name",
+						},
 					},
 				},
 			},
-			ObjectNew: &v1alpha1.Application{
-				Spec: v1alpha1.ApplicationSpec{
-					Destination: v1alpha1.ApplicationDestination{
-						Server:    "server",
-						Namespace: "ns",
-						Name:      "name",
-					},
-				},
-			},
-		},
 			enableProgressiveSyncs: true,
 		}, want: false},
-		{name: "ApplicationDestinationDiff", args: args{e: event.UpdateEvent{
-			ObjectOld: &v1alpha1.Application{
-				Spec: v1alpha1.ApplicationSpec{
-					Destination: v1alpha1.ApplicationDestination{
-						Server:    "server",
-						Namespace: "ns",
-						Name:      "name",
+		{name: "ApplicationDestinationDiff", args: args{
+			e: event.UpdateEvent{
+				ObjectOld: &v1alpha1.Application{
+					Spec: v1alpha1.ApplicationSpec{
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "server",
+							Namespace: "ns",
+							Name:      "name",
+						},
+					},
+				},
+				ObjectNew: &v1alpha1.Application{
+					Spec: v1alpha1.ApplicationSpec{
+						Destination: v1alpha1.ApplicationDestination{
+							Server:    "notSameServer",
+							Namespace: "ns",
+							Name:      "name",
+						},
 					},
 				},
 			},
-			ObjectNew: &v1alpha1.Application{
-				Spec: v1alpha1.ApplicationSpec{
-					Destination: v1alpha1.ApplicationDestination{
-						Server:    "notSameServer",
-						Namespace: "ns",
-						Name:      "name",
-					},
-				},
-			},
-		},
 			enableProgressiveSyncs: true,
 		}, want: true},
 		{name: "NotAnAppOld", args: args{e: event.UpdateEvent{
@@ -6317,3 +6250,80 @@ func TestOwnsHandler(t *testing.T) {
 		})
 	}
 }
+
+func TestIgnoreNotAllowedNamespaces(t *testing.T) {
+	tests := []struct {
+		name       string
+		namespaces []string
+		objectNS   string
+		expected   bool
+	}{
+		{
+			name:       "Namespace allowed",
+			namespaces: []string{"allowed-namespace"},
+			objectNS:   "allowed-namespace",
+			expected:   true,
+		},
+		{
+			name:       "Namespace not allowed",
+			namespaces: []string{"allowed-namespace"},
+			objectNS:   "not-allowed-namespace",
+			expected:   false,
+		},
+		{
+			name:       "Empty allowed namespaces",
+			namespaces: []string{},
+			objectNS:   "any-namespace",
+			expected:   false,
+		},
+		{
+			name:       "Multiple allowed namespaces",
+			namespaces: []string{"allowed-namespace-1", "allowed-namespace-2"},
+			objectNS:   "allowed-namespace-2",
+			expected:   true,
+		},
+		{
+			name:       "Namespace not in multiple allowed namespaces",
+			namespaces: []string{"allowed-namespace-1", "allowed-namespace-2"},
+			objectNS:   "not-allowed-namespace",
+			expected:   false,
+		},
+		{
+			name:       "Namespace matched by glob pattern",
+			namespaces: []string{"allowed-namespace-*"},
+			objectNS:   "allowed-namespace-1",
+			expected:   true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			predicate := ignoreNotAllowedNamespaces(tt.namespaces)
+			object := &v1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: tt.objectNS,
+				},
+			}
+
+			t.Run(tt.name+":Create", func(t *testing.T) {
+				result := predicate.Create(event.CreateEvent{Object: object})
+				assert.Equal(t, tt.expected, result)
+			})
+
+			t.Run(tt.name+":Update", func(t *testing.T) {
+				result := predicate.Update(event.UpdateEvent{ObjectNew: object})
+				assert.Equal(t, tt.expected, result)
+			})
+
+			t.Run(tt.name+":Delete", func(t *testing.T) {
+				result := predicate.Delete(event.DeleteEvent{Object: object})
+				assert.Equal(t, tt.expected, result)
+			})
+
+			t.Run(tt.name+":Generic", func(t *testing.T) {
+				result := predicate.Generic(event.GenericEvent{Object: object})
+				assert.Equal(t, tt.expected, result)
+			})
+		})
+	}
+}

applicationset/generators/interface.go

@@ -7,6 +7,8 @@ import (
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
+//go:generate go run github.com/vektra/mockery/v2@v2.40.2 --name=Generator
+
 // Generator defines the interface implemented by all ApplicationSet generators.
 type Generator interface {
 	// GenerateParams interprets the ApplicationSet and generates all relevant parameters for the application template.

applicationset/generators/mocks/Generator.go

@@ -0,0 +1,98 @@
+// Code generated by mockery v2.40.2. DO NOT EDIT.
+
+package mocks
+
+import (
+	time "time"
+
+	mock "github.com/stretchr/testify/mock"
+
+	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+)
+
+// Generator is an autogenerated mock type for the Generator type
+type Generator struct {
+	mock.Mock
+}
+
+// GenerateParams provides a mock function with given fields: appSetGenerator, applicationSetInfo
+func (_m *Generator) GenerateParams(appSetGenerator *v1alpha1.ApplicationSetGenerator, applicationSetInfo *v1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
+	ret := _m.Called(appSetGenerator, applicationSetInfo)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GenerateParams")
+	}
+
+	var r0 []map[string]interface{}
+	var r1 error
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet) ([]map[string]interface{}, error)); ok {
+		return rf(appSetGenerator, applicationSetInfo)
+	}
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet) []map[string]interface{}); ok {
+		r0 = rf(appSetGenerator, applicationSetInfo)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]map[string]interface{})
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(*v1alpha1.ApplicationSetGenerator, *v1alpha1.ApplicationSet) error); ok {
+		r1 = rf(appSetGenerator, applicationSetInfo)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GetRequeueAfter provides a mock function with given fields: appSetGenerator
+func (_m *Generator) GetRequeueAfter(appSetGenerator *v1alpha1.ApplicationSetGenerator) time.Duration {
+	ret := _m.Called(appSetGenerator)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetRequeueAfter")
+	}
+
+	var r0 time.Duration
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) time.Duration); ok {
+		r0 = rf(appSetGenerator)
+	} else {
+		r0 = ret.Get(0).(time.Duration)
+	}
+
+	return r0
+}
+
+// GetTemplate provides a mock function with given fields: appSetGenerator
+func (_m *Generator) GetTemplate(appSetGenerator *v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate {
+	ret := _m.Called(appSetGenerator)
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTemplate")
+	}
+
+	var r0 *v1alpha1.ApplicationSetTemplate
+	if rf, ok := ret.Get(0).(func(*v1alpha1.ApplicationSetGenerator) *v1alpha1.ApplicationSetTemplate); ok {
+		r0 = rf(appSetGenerator)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*v1alpha1.ApplicationSetTemplate)
+		}
+	}
+
+	return r0
+}
+
+// NewGenerator creates a new instance of Generator. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+// The first argument is typically a *testing.T value.
+func NewGenerator(t interface {
+	mock.TestingT
+	Cleanup(func())
+}) *Generator {
+	mock := &Generator{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

assets/swagger.json

@@ -4558,6 +4558,9 @@
         "help": {
           "$ref": "#/definitions/clusterHelp"
         },
+        "installationID": {
+          "type": "string"
+        },
         "kustomizeOptions": {
           "$ref": "#/definitions/v1alpha1KustomizeOptions"
         },
@@ -8884,6 +8887,11 @@
       "description": "SyncOperation contains details about a sync operation.",
       "type": "object",
       "properties": {
+        "autoHealAttemptsCount": {
+          "type": "integer",
+          "format": "int64",
+          "title": "SelfHealAttemptsCount contains the number of auto-heal attempts"
+        },
         "dryRun": {
           "type": "boolean",
           "title": "DryRun specifies to perform a `kubectl apply --dry-run` without actually performing the sync"

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -10,6 +10,7 @@ import (
 	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 
@@ -53,6 +54,9 @@ func NewCommand() *cobra.Command {
 		repoServerAddress                string
 		repoServerTimeoutSeconds         int
 		selfHealTimeoutSeconds           int
+		selfHealBackoffTimeoutSeconds    int
+		selfHealBackoffFactor            int
+		selfHealBackoffCapSeconds        int
 		statusProcessors                 int
 		operationProcessors              int
 		glogLevel                        int
@@ -148,6 +152,14 @@ func NewCommand() *cobra.Command {
 			kubectl := kubeutil.NewKubectl()
 			clusterSharding, err := sharding.GetClusterSharding(kubeClient, settingsMgr, shardingAlgorithm, enableDynamicClusterDistribution)
 			errors.CheckError(err)
+			var selfHealBackoff *wait.Backoff
+			if selfHealBackoffTimeoutSeconds != 0 {
+				selfHealBackoff = &wait.Backoff{
+					Duration: time.Duration(selfHealBackoffTimeoutSeconds) * time.Second,
+					Factor:   float64(selfHealBackoffFactor),
+					Cap:      time.Duration(selfHealBackoffCapSeconds) * time.Second,
+				}
+			}
 			appController, err = controller.NewApplicationController(
 				namespace,
 				settingsMgr,
@@ -160,6 +172,7 @@ func NewCommand() *cobra.Command {
 				hardResyncDuration,
 				time.Duration(appResyncJitter)*time.Second,
 				time.Duration(selfHealTimeoutSeconds)*time.Second,
+				selfHealBackoff,
 				time.Duration(repoErrorGracePeriod)*time.Second,
 				metricsPort,
 				metricsCacheExpiration,
@@ -209,7 +222,10 @@ func NewCommand() *cobra.Command {
 	command.Flags().IntVar(&glogLevel, "gloglevel", 0, "Set the glog logging level")
 	command.Flags().IntVar(&metricsPort, "metrics-port", common.DefaultPortArgoCDMetrics, "Start metrics server on given port")
 	command.Flags().DurationVar(&metricsCacheExpiration, "metrics-cache-expiration", env.ParseDurationFromEnv("ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION", 0*time.Second, 0, math.MaxInt64), "Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)")
-	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS", 5, 0, math.MaxInt32), "Specifies timeout between application self heal attempts")
+	command.Flags().IntVar(&selfHealTimeoutSeconds, "self-heal-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_TIMEOUT_SECONDS", 0, 0, math.MaxInt32), "Specifies timeout between application self heal attempts")
+	command.Flags().IntVar(&selfHealBackoffTimeoutSeconds, "self-heal-backoff-timeout-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS", 2, 0, math.MaxInt32), "Specifies initial timeout of exponential backoff between self heal attempts")
+	command.Flags().IntVar(&selfHealBackoffFactor, "self-heal-backoff-factor", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR", 3, 0, math.MaxInt32), "Specifies factor of exponential timeout between application self heal attempts")
+	command.Flags().IntVar(&selfHealBackoffCapSeconds, "self-heal-backoff-cap-seconds", env.ParseNumFromEnv("ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS", 300, 0, math.MaxInt32), "Specifies max timeout of exponential backoff between application self heal attempts")
 	command.Flags().Int64Var(&kubectlParallelismLimit, "kubectl-parallelism-limit", env.ParseInt64FromEnv("ARGOCD_APPLICATION_CONTROLLER_KUBECTL_PARALLELISM_LIMIT", 20, 0, math.MaxInt64), "Number of allowed concurrent kubectl fork/execs. Any value less than 1 means no limit.")
 	command.Flags().BoolVar(&repoServerPlaintext, "repo-server-plaintext", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT", false), "Disable TLS on connections to repo server")
 	command.Flags().BoolVar(&repoServerStrictTLS, "repo-server-strict-tls", env.ParseBoolFromEnv("ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_STRICT_TLS", false), "Whether to use strict validation of the TLS cert presented by the repo server")

cmd/argocd/commands/admin/admin.go

@@ -66,6 +66,7 @@ $ argocd admin initial-password reset
 	command.AddCommand(NewDashboardCommand(clientOpts))
 	command.AddCommand(NewNotificationsCommand())
 	command.AddCommand(NewInitialPasswordCommand())
+	command.AddCommand(NewRedisInitialPasswordCommand())
 
 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
 	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")

cmd/argocd/commands/admin/cluster.go

@@ -104,7 +104,12 @@ func loadClusters(ctx context.Context, kubeClient *kubernetes.Clientset, appClie
 		if err != nil {
 			return nil, err
 		}
-		client := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", port)})
+
+		redisOptions := &redis.Options{Addr: fmt.Sprintf("localhost:%d", port)}
+		if err = common.SetOptionalRedisPasswordFromKubeConfig(ctx, kubeClient, namespace, redisOptions); err != nil {
+			log.Warnf("Failed to fetch & set redis password for namespace %s: %v", namespace, err)
+		}
+		client := redis.NewClient(redisOptions)
 		compressionType, err := cacheutil.CompressionTypeFromString(redisCompressionStr)
 		if err != nil {
 			return nil, err

cmd/argocd/commands/admin/redis_initial_password.go

@@ -0,0 +1,95 @@
+package admin
+
+import (
+	"context"
+	"crypto/rand"
+	"fmt"
+	"math/big"
+
+	"github.com/spf13/cobra"
+	corev1 "k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/cli"
+	"github.com/argoproj/argo-cd/v2/util/errors"
+)
+
+func generateRandomPassword() (string, error) {
+	const initialPasswordLength = 16
+	const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"
+	randBytes := make([]byte, initialPasswordLength)
+	for i := 0; i < initialPasswordLength; i++ {
+		num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
+		if err != nil {
+			return "", err
+		}
+		randBytes[i] = letters[num.Int64()]
+	}
+	initialPassword := string(randBytes)
+	return initialPassword, nil
+}
+
+// NewRedisInitialPasswordCommand defines a new command to ensure Argo CD Redis password secret exists.
+func NewRedisInitialPasswordCommand() *cobra.Command {
+	var (
+		clientConfig clientcmd.ClientConfig
+	)
+	var command = cobra.Command{
+		Use:   "redis-initial-password",
+		Short: "Ensure the Redis password exists, creating a new one if necessary.",
+		Run: func(c *cobra.Command, args []string) {
+			namespace, _, err := clientConfig.Namespace()
+			errors.CheckError(err)
+
+			redisInitialPasswordSecretName := common.DefaultRedisInitialPasswordSecretName
+			redisInitialPasswordKey := common.DefaultRedisInitialPasswordKey
+			fmt.Printf("Checking for initial Redis password in secret %s/%s at key %s. \n", namespace, redisInitialPasswordSecretName, redisInitialPasswordKey)
+
+			config, err := clientConfig.ClientConfig()
+			errors.CheckError(err)
+			errors.CheckError(v1alpha1.SetK8SConfigDefaults(config))
+
+			kubeClientset := kubernetes.NewForConfigOrDie(config)
+
+			randomPassword, err := generateRandomPassword()
+			errors.CheckError(err)
+
+			data := map[string][]byte{
+				redisInitialPasswordKey: []byte(randomPassword),
+			}
+			secret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      redisInitialPasswordSecretName,
+					Namespace: namespace,
+				},
+				Data: data,
+				Type: corev1.SecretTypeOpaque,
+			}
+			_, err = kubeClientset.CoreV1().Secrets(namespace).Create(context.Background(), secret, metav1.CreateOptions{})
+			if err != nil && !apierr.IsAlreadyExists(err) {
+				errors.CheckError(err)
+			}
+
+			fmt.Println("Argo CD Redis secret state confirmed: secret name argocd-redis.")
+			secret, err = kubeClientset.CoreV1().Secrets(namespace).Get(context.Background(), redisInitialPasswordSecretName, v1.GetOptions{})
+			errors.CheckError(err)
+
+			if _, ok := secret.Data[redisInitialPasswordKey]; ok {
+				fmt.Println("Password secret is configured properly.")
+			} else {
+				err := fmt.Errorf("key %s doesn't exist in secret %s. \n", redisInitialPasswordKey, redisInitialPasswordSecretName)
+				errors.CheckError(err)
+			}
+		},
+	}
+
+	clientConfig = cli.AddKubectlFlagsToCmd(&command)
+
+	return &command
+}

cmd/argocd/commands/app.go

@@ -781,8 +781,6 @@ func NewApplicationSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Com
 				}
 			}
 
-			// sourcePosition startes with 1, thus, it needs to be decreased by 1 to find the correct index in the list of sources
-			sourcePosition = sourcePosition - 1
 			visited := cmdutil.SetAppSpecOptions(c.Flags(), &app.Spec, &appOpts, sourcePosition)
 			if visited == 0 {
 				log.Error("Please set at least one option to update")
@@ -1354,7 +1352,7 @@ func groupObjsForDiff(resources *application.ManagedResourcesResponse, objs map[
 		}
 		if local, ok := objs[key]; ok || live != nil {
 			if local != nil && !kube.IsCRD(local) {
-				err = resourceTracking.SetAppInstance(local, argoSettings.AppLabelKey, appName, namespace, argoappv1.TrackingMethod(argoSettings.GetTrackingMethod()))
+				err = resourceTracking.SetAppInstance(local, argoSettings.AppLabelKey, appName, namespace, argoappv1.TrackingMethod(argoSettings.GetTrackingMethod()), argoSettings.GetInstallationID())
 				errors.CheckError(err)
 			}
 

cmd/argocd/commands/headless/headless.go

@@ -8,15 +8,11 @@ import (
 	"sync"
 	"time"
 
-	"github.com/spf13/cobra"
-
-	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/initialize"
-	"github.com/argoproj/argo-cd/v2/common"
-
 	"github.com/alicebob/miniredis/v2"
 	"github.com/golang/protobuf/ptypes/empty"
 	"github.com/redis/go-redis/v9"
 	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/runtime"
@@ -25,6 +21,8 @@ import (
 	"k8s.io/client-go/tools/clientcmd"
 	"k8s.io/utils/pointer"
 
+	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/initialize"
+	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
@@ -48,6 +46,7 @@ type forwardCacheClient struct {
 	err              error
 	redisHaProxyName string
 	redisName        string
+	redisPassword    string
 }
 
 func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error) error {
@@ -64,7 +63,7 @@ func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error)
 			return
 		}
 
-		redisClient := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", redisPort)})
+		redisClient := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", redisPort), Password: c.redisPassword})
 		c.client = cache.NewRedisCache(redisClient, time.Hour, c.compression)
 	})
 	if c.err != nil {
@@ -239,14 +238,19 @@ func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOpti
 	if err != nil {
 		return fmt.Errorf("error running miniredis: %w", err)
 	}
-	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr, compression: compression, redisHaProxyName: clientOpts.RedisHaProxyName, redisName: clientOpts.RedisName}), time.Hour)
+	redisOptions := &redis.Options{Addr: mr.Addr()}
+	if err = common.SetOptionalRedisPasswordFromKubeConfig(ctx, kubeClientset, namespace, redisOptions); err != nil {
+		log.Warnf("Failed to fetch & set redis password for namespace %s: %v", namespace, err)
+	}
+
+	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr, compression: compression, redisHaProxyName: clientOpts.RedisHaProxyName, redisName: clientOpts.RedisName, redisPassword: redisOptions.Password}), time.Hour)
 	srv := server.NewServer(ctx, server.ArgoCDServerOpts{
 		EnableGZip:           false,
 		Namespace:            namespace,
 		ListenPort:           *port,
 		AppClientset:         appClientset,
 		DisableAuth:          true,
-		RedisClient:          redis.NewClient(&redis.Options{Addr: mr.Addr()}),
+		RedisClient:          redis.NewClient(redisOptions),
 		Cache:                servercache.NewCache(appstateCache, 0, 0, 0),
 		KubeClientset:        kubeClientset,
 		Insecure:             true,

cmpserver/server.go

@@ -46,13 +46,13 @@ func NewServer(initConstants plugin.CMPServerInitConstants) (*ArgoCDCMPServer, e
 
 	serverLog := log.NewEntry(log.StandardLogger())
 	streamInterceptors := []grpc.StreamServerInterceptor{
-		otelgrpc.StreamServerInterceptor(),
+		otelgrpc.StreamServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.StreamServerInterceptor(serverLog),
 		grpc_prometheus.StreamServerInterceptor,
 		grpc_util.PanicLoggerStreamServerInterceptor(serverLog),
 	}
 	unaryInterceptors := []grpc.UnaryServerInterceptor{
-		otelgrpc.UnaryServerInterceptor(),
+		otelgrpc.UnaryServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.UnaryServerInterceptor(serverLog),
 		grpc_prometheus.UnaryServerInterceptor,
 		grpc_util.PanicLoggerUnaryServerInterceptor(serverLog),

common/common.go

@@ -1,15 +1,20 @@
 package common
 
 import (
-	"errors"
+	"context"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"time"
 
+	"github.com/pkg/errors"
+	"github.com/redis/go-redis/v9"
 	"github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 )
 
 // Component names
@@ -166,6 +171,7 @@ const (
 
 	// AnnotationKeyAppInstance is the Argo CD application name is used as the instance name
 	AnnotationKeyAppInstance = "argocd.argoproj.io/tracking-id"
+	AnnotationInstallationID = "argocd.argoproj.io/installation-id"
 
 	// AnnotationCompareOptions is a comma-separated list of options for comparison
 	AnnotationCompareOptions = "argocd.argoproj.io/compare-options"
@@ -406,3 +412,30 @@ const TokenVerificationError = "failed to verify the token"
 var TokenVerificationErr = errors.New(TokenVerificationError)
 
 var PermissionDeniedAPIError = status.Error(codes.PermissionDenied, "permission denied")
+
+// Redis password consts
+const (
+	DefaultRedisInitialPasswordSecretName = "argocd-redis"
+	DefaultRedisInitialPasswordKey        = "auth"
+)
+
+/*
+SetOptionalRedisPasswordFromKubeConfig sets the optional Redis password if it exists in the k8s namespace's secrets.
+
+We specify kubeClient as kubernetes.Interface to allow for mocking in tests, but this should be treated as a kubernetes.Clientset param.
+*/
+func SetOptionalRedisPasswordFromKubeConfig(ctx context.Context, kubeClient kubernetes.Interface, namespace string, redisOptions *redis.Options) error {
+	secret, err := kubeClient.CoreV1().Secrets(namespace).Get(ctx, DefaultRedisInitialPasswordSecretName, v1.GetOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to get secret %s/%s: %w", namespace, DefaultRedisInitialPasswordSecretName, err)
+	}
+	if secret == nil {
+		return fmt.Errorf("failed to get secret %s/%s: secret is nil", namespace, DefaultRedisInitialPasswordSecretName)
+	}
+	_, ok := secret.Data[DefaultRedisInitialPasswordKey]
+	if !ok {
+		return fmt.Errorf("secret %s/%s does not contain key %s", namespace, DefaultRedisInitialPasswordSecretName, DefaultRedisInitialPasswordKey)
+	}
+	redisOptions.Password = string(secret.Data[DefaultRedisInitialPasswordKey])
+	return nil
+}

common/common_test.go

@@ -1,12 +1,18 @@
 package common
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"testing"
 	"time"
 
+	"github.com/redis/go-redis/v9"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubefake "k8s.io/client-go/kubernetes/fake"
 )
 
 // Test env var not set for EnvGRPCKeepAliveMin
@@ -44,3 +50,63 @@ func Test_GRPCKeepAliveMinIncorrectlySet(t *testing.T) {
 	grpcKeepAliveTime := GetGRPCKeepAliveTime()
 	assert.Equal(t, 2*grpcKeepAliveExpectedMin, grpcKeepAliveTime)
 }
+
+func TestSetOptionalRedisPasswordFromKubeConfig(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name, namespace, expectedPassword, expectedErr string
+		secret                                         *corev1.Secret
+	}{
+		{
+			name:             "Secret exists with correct key",
+			namespace:        "default",
+			expectedPassword: "password123",
+			expectedErr:      "",
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: DefaultRedisInitialPasswordSecretName},
+				Data:       map[string][]byte{DefaultRedisInitialPasswordKey: []byte("password123")},
+			},
+		},
+		{
+			name:             "Secret does not exist",
+			namespace:        "default",
+			expectedPassword: "",
+			expectedErr:      fmt.Sprintf("failed to get secret default/%s", DefaultRedisInitialPasswordSecretName),
+			secret:           nil,
+		},
+		{
+			name:             "Secret exists without correct key",
+			namespace:        "default",
+			expectedPassword: "",
+			expectedErr:      fmt.Sprintf("secret default/%s does not contain key %s", DefaultRedisInitialPasswordSecretName, DefaultRedisInitialPasswordKey),
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{Name: DefaultRedisInitialPasswordSecretName},
+				Data:       map[string][]byte{},
+			},
+		},
+	}
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			var (
+				ctx          = context.TODO()
+				kubeClient   = kubefake.NewSimpleClientset()
+				redisOptions = &redis.Options{}
+			)
+			if tc.secret != nil {
+				if _, err := kubeClient.CoreV1().Secrets(tc.namespace).Create(ctx, tc.secret, metav1.CreateOptions{}); err != nil {
+					t.Fatalf("Failed to create secret: %v", err)
+				}
+			}
+			err := SetOptionalRedisPasswordFromKubeConfig(ctx, kubeClient, tc.namespace, redisOptions)
+			if tc.expectedErr != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.expectedErr)
+			} else {
+				require.NoError(t, err)
+			}
+			require.Equal(t, tc.expectedPassword, redisOptions.Password)
+		})
+	}
+}

controller/appcontroller.go

@@ -120,6 +120,7 @@ type ApplicationController struct {
 	statusHardRefreshTimeout      time.Duration
 	statusRefreshJitter           time.Duration
 	selfHealTimeout               time.Duration
+	selfHealBackOff               *wait.Backoff
 	repoClientset                 apiclient.Clientset
 	db                            db.ArgoDB
 	settingsMgr                   *settings_util.SettingsManager
@@ -150,6 +151,7 @@ func NewApplicationController(
 	appHardResyncPeriod time.Duration,
 	appResyncJitter time.Duration,
 	selfHealTimeout time.Duration,
+	selfHealBackoff *wait.Backoff,
 	repoErrorGracePeriod time.Duration,
 	metricsPort int,
 	metricsCacheExpiration time.Duration,
@@ -189,6 +191,7 @@ func NewApplicationController(
 		auditLogger:                       argo.NewAuditLogger(namespace, kubeClientset, common.ApplicationController),
 		settingsMgr:                       settingsMgr,
 		selfHealTimeout:                   selfHealTimeout,
+		selfHealBackOff:                   selfHealBackoff,
 		clusterSharding:                   clusterSharding,
 		projByNameCache:                   sync.Map{},
 		applicationNamespaces:             applicationNamespaces,
@@ -1763,6 +1766,22 @@ func (ctrl *ApplicationController) normalizeApplication(orig, app *appv1.Applica
 	}
 }
 
+func createMergePatch(orig, new interface{}) ([]byte, bool, error) {
+	origBytes, err := json.Marshal(orig)
+	if err != nil {
+		return nil, false, err
+	}
+	newBytes, err := json.Marshal(new)
+	if err != nil {
+		return nil, false, err
+	}
+	patch, err := jsonpatch.CreateMergePatch(origBytes, newBytes)
+	if err != nil {
+		return nil, false, err
+	}
+	return patch, string(patch) != "{}", nil
+}
+
 // persistAppStatus persists updates to application status. If no changes were made, it is a no-op
 func (ctrl *ApplicationController) persistAppStatus(orig *appv1.Application, newStatus *appv1.ApplicationStatus) (patchMs time.Duration) {
 	logCtx := log.WithFields(log.Fields{"application": orig.QualifiedName()})
@@ -1782,9 +1801,9 @@ func (ctrl *ApplicationController) persistAppStatus(orig *appv1.Application, new
 		}
 		delete(newAnnotations, appv1.AnnotationKeyRefresh)
 	}
-	patch, modified, err := diff.CreateTwoWayMergePatch(
+	patch, modified, err := createMergePatch(
 		&appv1.Application{ObjectMeta: metav1.ObjectMeta{Annotations: orig.GetAnnotations()}, Status: orig.Status},
-		&appv1.Application{ObjectMeta: metav1.ObjectMeta{Annotations: newAnnotations}, Status: *newStatus}, appv1.Application{})
+		&appv1.Application{ObjectMeta: metav1.ObjectMeta{Annotations: newAnnotations}, Status: *newStatus})
 	if err != nil {
 		logCtx.Errorf("Error constructing app status patch: %v", err)
 		return
@@ -1858,6 +1877,9 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 		InitiatedBy: appv1.OperationInitiator{Automated: true},
 		Retry:       appv1.RetryStrategy{Limit: 5},
 	}
+	if app.Status.OperationState != nil && app.Status.OperationState.Operation.Sync != nil {
+		op.Sync.SelfHealAttemptsCount = app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount
+	}
 	if app.Spec.SyncPolicy.Retry != nil {
 		op.Retry = *app.Spec.SyncPolicy.Retry
 	}
@@ -1875,6 +1897,7 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 		return nil, 0
 	} else if alreadyAttempted && selfHeal {
 		if shouldSelfHeal, retryAfter := ctrl.shouldSelfHeal(app); shouldSelfHeal {
+			op.Sync.SelfHealAttemptsCount++
 			for _, resource := range resources {
 				if resource.Status != appv1.SyncStatusCodeSynced {
 					op.Sync.Resources = append(op.Sync.Resources, appv1.SyncOperationResource{
@@ -1923,7 +1946,15 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 	} else {
 		ctrl.writeBackToInformer(updatedApp)
 	}
-	message := fmt.Sprintf("Initiated automated sync to '%s'", desiredCommitSHA)
+
+	var target string
+	if updatedApp.Spec.HasMultipleSources() {
+		target = strings.Join(desiredCommitSHAsMS, ", ")
+	} else {
+		target = desiredCommitSHA
+	}
+	message := fmt.Sprintf("Initiated automated sync to '%s'", target)
+
 	ctrl.auditLogger.LogAppEvent(app, argo.EventInfo{Reason: argo.EventReasonOperationStarted, Type: v1.EventTypeNormal}, message, "")
 	logCtx.Info(message)
 	return nil, setOpTime
@@ -1974,10 +2005,24 @@ func (ctrl *ApplicationController) shouldSelfHeal(app *appv1.Application) (bool,
 	}
 
 	var retryAfter time.Duration
-	if app.Status.OperationState.FinishedAt == nil {
-		retryAfter = ctrl.selfHealTimeout
+	if ctrl.selfHealBackOff == nil {
+		if app.Status.OperationState.FinishedAt == nil {
+			retryAfter = ctrl.selfHealTimeout
+		} else {
+			retryAfter = ctrl.selfHealTimeout - time.Since(app.Status.OperationState.FinishedAt.Time)
+		}
 	} else {
-		retryAfter = ctrl.selfHealTimeout - time.Since(app.Status.OperationState.FinishedAt.Time)
+		backOff := *ctrl.selfHealBackOff
+		backOff.Steps = int(app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount)
+		var delay time.Duration
+		for backOff.Steps > 0 {
+			delay = backOff.Step()
+		}
+		if app.Status.OperationState.FinishedAt == nil {
+			retryAfter = delay
+		} else {
+			retryAfter = delay - time.Since(app.Status.OperationState.FinishedAt.Time)
+		}
 	}
 	return retryAfter <= 0, retryAfter
 }

controller/appcontroller_test.go

@@ -4,17 +4,18 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"testing"
 	"time"
 
+	clustercache "github.com/argoproj/gitops-engine/pkg/cache"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/require"
 	"k8s.io/apimachinery/pkg/api/resource"
+	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/rest"
 
-	clustercache "github.com/argoproj/gitops-engine/pkg/cache"
-
 	"github.com/argoproj/argo-cd/v2/common"
 	statecache "github.com/argoproj/argo-cd/v2/controller/cache"
 	"github.com/argoproj/argo-cd/v2/controller/sharding"
@@ -150,6 +151,7 @@ func newFakeController(data *fakeData, repoErr error) *ApplicationController {
 		time.Hour,
 		time.Second,
 		time.Minute,
+		nil,
 		time.Second*10,
 		common.DefaultPortArgoCDMetrics,
 		data.metricsCacheExpiration,
@@ -989,7 +991,7 @@ func TestNormalizeApplication(t *testing.T) {
 		normalized := false
 		fakeAppCs.AddReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) {
 			if patchAction, ok := action.(kubetesting.PatchAction); ok {
-				if string(patchAction.GetPatch()) == `{"spec":{"project":"default"},"status":{"sync":{"comparedTo":{"destination":{},"source":{"repoURL":""}}}}}` {
+				if string(patchAction.GetPatch()) == `{"spec":{"project":"default"}}` {
 					normalized = true
 				}
 			}
@@ -1914,3 +1916,129 @@ func TestAddControllerNamespace(t *testing.T) {
 		assert.Equal(t, test.FakeArgoCDNamespace, updatedApp.Status.ControllerNamespace)
 	})
 }
+
+func TestHelmValuesObjectHasReplaceStrategy(t *testing.T) {
+	app := v1alpha1.Application{
+		Status: v1alpha1.ApplicationStatus{Sync: v1alpha1.SyncStatus{ComparedTo: v1alpha1.ComparedTo{
+			Source: v1alpha1.ApplicationSource{
+				Helm: &v1alpha1.ApplicationSourceHelm{
+					ValuesObject: &runtime.RawExtension{
+						Object: &unstructured.Unstructured{Object: map[string]interface{}{"key": []string{"value"}}},
+					},
+				},
+			},
+		}}},
+	}
+
+	appModified := v1alpha1.Application{
+		Status: v1alpha1.ApplicationStatus{Sync: v1alpha1.SyncStatus{ComparedTo: v1alpha1.ComparedTo{
+			Source: v1alpha1.ApplicationSource{
+				Helm: &v1alpha1.ApplicationSourceHelm{
+					ValuesObject: &runtime.RawExtension{
+						Object: &unstructured.Unstructured{Object: map[string]interface{}{"key": []string{"value-modified1"}}},
+					},
+				},
+			},
+		}}},
+	}
+
+	patch, _, err := createMergePatch(
+		app,
+		appModified)
+	require.NoError(t, err)
+	assert.Equal(t, `{"status":{"sync":{"comparedTo":{"source":{"helm":{"valuesObject":{"key":["value-modified1"]}}}}}}}`, string(patch))
+}
+
+func TestAppStatusIsReplaced(t *testing.T) {
+	original := &v1alpha1.ApplicationStatus{Sync: v1alpha1.SyncStatus{
+		ComparedTo: v1alpha1.ComparedTo{
+			Destination: v1alpha1.ApplicationDestination{
+				Server: "https://mycluster",
+			},
+		},
+	}}
+
+	updated := &v1alpha1.ApplicationStatus{Sync: v1alpha1.SyncStatus{
+		ComparedTo: v1alpha1.ComparedTo{
+			Destination: v1alpha1.ApplicationDestination{
+				Name: "mycluster",
+			},
+		},
+	}}
+
+	patchData, ok, err := createMergePatch(original, updated)
+
+	require.NoError(t, err)
+	require.True(t, ok)
+	patchObj := map[string]interface{}{}
+	require.NoError(t, json.Unmarshal(patchData, &patchObj))
+
+	val, has, err := unstructured.NestedFieldNoCopy(patchObj, "sync", "comparedTo", "destination", "server")
+	require.NoError(t, err)
+	require.True(t, has)
+	require.Nil(t, val)
+}
+
+func assertDurationAround(t *testing.T, expected time.Duration, actual time.Duration) {
+	delta := time.Second / 2
+	assert.GreaterOrEqual(t, expected, actual-delta)
+	assert.LessOrEqual(t, expected, actual+delta)
+}
+
+func TestSelfHealExponentialBackoff(t *testing.T) {
+	ctrl := newFakeController(&fakeData{}, nil)
+	ctrl.selfHealBackOff = &wait.Backoff{
+		Factor:   3,
+		Duration: 2 * time.Second,
+		Cap:      5 * time.Minute,
+	}
+
+	app := &v1alpha1.Application{
+		Status: v1alpha1.ApplicationStatus{
+			OperationState: &v1alpha1.OperationState{
+				Operation: v1alpha1.Operation{
+					Sync: &v1alpha1.SyncOperation{},
+				},
+			},
+		},
+	}
+	now := metav1.Now()
+
+	testCases := []struct {
+		attempts         int64
+		finishedAt       *metav1.Time
+		expectedDuration time.Duration
+		shouldSelfHeal   bool
+	}{{
+		attempts:         0,
+		finishedAt:       &now,
+		expectedDuration: 0,
+		shouldSelfHeal:   true,
+	}, {
+		attempts:         1,
+		finishedAt:       &now,
+		expectedDuration: 2 * time.Second,
+		shouldSelfHeal:   false,
+	}, {
+		attempts:         2,
+		finishedAt:       &now,
+		expectedDuration: 6 * time.Second,
+		shouldSelfHeal:   false,
+	}, {
+		attempts:         3,
+		finishedAt:       nil,
+		expectedDuration: 18 * time.Second,
+		shouldSelfHeal:   false,
+	}}
+
+	for i := range testCases {
+		tc := testCases[i]
+		t.Run(fmt.Sprintf("test case %d", i), func(t *testing.T) {
+			app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount = tc.attempts
+			app.Status.OperationState.FinishedAt = tc.finishedAt
+			ok, duration := ctrl.shouldSelfHeal(app)
+			require.Equal(t, ok, tc.shouldSelfHeal)
+			assertDurationAround(t, tc.expectedDuration, duration)
+		})
+	}
+}

controller/cache/cache.go

@@ -190,6 +190,7 @@ type cacheSettings struct {
 	clusterSettings     clustercache.Settings
 	appInstanceLabelKey string
 	trackingMethod      appv1.TrackingMethod
+	installationID      string
 	// resourceOverrides provides a list of ignored differences to ignore watched resource updates
 	resourceOverrides map[string]appv1.ResourceOverride
 
@@ -218,6 +219,10 @@ func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
 	if err != nil {
 		return nil, err
 	}
+	installationID, err := c.settingsMgr.GetInstallationID()
+	if err != nil {
+		return nil, err
+	}
 	resourceUpdatesOverrides, err := c.settingsMgr.GetIgnoreResourceUpdatesOverrides()
 	if err != nil {
 		return nil, err
@@ -239,7 +244,7 @@ func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
 		ResourcesFilter:        resourcesFilter,
 	}
 
-	return &cacheSettings{clusterSettings, appInstanceLabelKey, argo.GetTrackingMethod(c.settingsMgr), resourceUpdatesOverrides, ignoreResourceUpdatesEnabled}, nil
+	return &cacheSettings{clusterSettings, appInstanceLabelKey, argo.GetTrackingMethod(c.settingsMgr), installationID, resourceUpdatesOverrides, ignoreResourceUpdatesEnabled}, nil
 }
 
 func asResourceNode(r *clustercache.Resource) appv1.ResourceNode {
@@ -290,7 +295,8 @@ func isRootAppNode(r *clustercache.Resource) bool {
 }
 
 func getApp(r *clustercache.Resource, ns map[kube.ResourceKey]*clustercache.Resource) string {
-	return getAppRecursive(r, ns, map[kube.ResourceKey]bool{})
+	name, _ := getAppRecursive(r, ns, map[kube.ResourceKey]bool{})
+	return name
 }
 
 func ownerRefGV(ownerRef metav1.OwnerReference) schema.GroupVersion {
@@ -301,27 +307,31 @@ func ownerRefGV(ownerRef metav1.OwnerReference) schema.GroupVersion {
 	return gv
 }
 
-func getAppRecursive(r *clustercache.Resource, ns map[kube.ResourceKey]*clustercache.Resource, visited map[kube.ResourceKey]bool) string {
+func getAppRecursive(r *clustercache.Resource, ns map[kube.ResourceKey]*clustercache.Resource, visited map[kube.ResourceKey]bool) (string, bool) {
 	if !visited[r.ResourceKey()] {
 		visited[r.ResourceKey()] = true
 	} else {
 		log.Warnf("Circular dependency detected: %v.", visited)
-		return resInfo(r).AppName
+		return resInfo(r).AppName, false
 	}
 
 	if resInfo(r).AppName != "" {
-		return resInfo(r).AppName
+		return resInfo(r).AppName, true
 	}
 	for _, ownerRef := range r.OwnerRefs {
 		gv := ownerRefGV(ownerRef)
 		if parent, ok := ns[kube.NewResourceKey(gv.Group, ownerRef.Kind, r.Ref.Namespace, ownerRef.Name)]; ok {
-			app := getAppRecursive(parent, ns, visited)
-			if app != "" {
-				return app
+			visited_branch := make(map[kube.ResourceKey]bool, len(visited))
+			for k, v := range visited {
+				visited_branch[k] = v
+			}
+			app, ok := getAppRecursive(parent, ns, visited_branch)
+			if app != "" || !ok {
+				return app, ok
 			}
 		}
 	}
-	return ""
+	return "", true
 }
 
 var (
@@ -490,7 +500,7 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 
 			res.Health, _ = health.GetResourceHealth(un, cacheSettings.clusterSettings.ResourceHealthOverride)
 
-			appName := c.resourceTracking.GetAppName(un, cacheSettings.appInstanceLabelKey, cacheSettings.trackingMethod)
+			appName := c.resourceTracking.GetAppName(un, cacheSettings.appInstanceLabelKey, cacheSettings.trackingMethod, cacheSettings.installationID)
 			if isRoot && appName != "" {
 				res.AppName = appName
 			}

controller/cache/cache_test.go

@@ -18,6 +18,7 @@ import (
 	"github.com/argoproj/gitops-engine/pkg/cache"
 	"github.com/argoproj/gitops-engine/pkg/cache/mocks"
 	"github.com/argoproj/gitops-engine/pkg/health"
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/stretchr/testify/mock"
 	"k8s.io/client-go/kubernetes/fake"
 
@@ -319,6 +320,216 @@ func Test_asResourceNode_owner_refs(t *testing.T) {
 	assert.Equal(t, expected, resNode)
 }
 
+func Test_getAppRecursive(t *testing.T) {
+	for _, tt := range []struct {
+		name     string
+		r        *cache.Resource
+		ns       map[kube.ResourceKey]*cache.Resource
+		wantName string
+		wantOK   assert.BoolAssertionFunc
+	}{
+		{
+			name: "ok: cm1->app1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "app1"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "app1"): {
+					Info: &ResourceInfo{
+						AppName: "app1",
+					},
+				},
+			},
+			wantName: "app1",
+			wantOK:   assert.True,
+		},
+		{
+			name: "ok: cm1->cm2->app1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "app1"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "app1"): {
+					Info: &ResourceInfo{
+						AppName: "app1",
+					},
+				},
+			},
+			wantName: "app1",
+			wantOK:   assert.True,
+		},
+		{
+			name: "cm1->cm2->app1 & cm1->cm3->app1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+					{Name: "cm3"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "app1"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm3"): {
+					Ref: v1.ObjectReference{
+						Name: "cm3",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "app1"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "app1"): {
+					Info: &ResourceInfo{
+						AppName: "app1",
+					},
+				},
+			},
+			wantName: "app1",
+			wantOK:   assert.True,
+		},
+		{
+			// Nothing cycle.
+			// Issue #11699, fixed #12667.
+			name: "ok: cm1->cm2 & cm1->cm3->cm2 & cm1->cm3->app1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+					{Name: "cm3"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm3"): {
+					Ref: v1.ObjectReference{
+						Name: "cm3",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm2"},
+						{Name: "app1"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "app1"): {
+					Info: &ResourceInfo{
+						AppName: "app1",
+					},
+				},
+			},
+			wantName: "app1",
+			wantOK:   assert.True,
+		},
+		{
+			name: "cycle: cm1<->cm2",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm1"): {
+					Ref: v1.ObjectReference{
+						Name: "cm1",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm2"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm1"},
+					},
+				},
+			},
+			wantName: "",
+			wantOK:   assert.False,
+		},
+		{
+			name: "cycle: cm1->cm2->cm3->cm1",
+			r: &cache.Resource{
+				Ref: v1.ObjectReference{
+					Name: "cm1",
+				},
+				OwnerRefs: []metav1.OwnerReference{
+					{Name: "cm2"},
+				},
+			},
+			ns: map[kube.ResourceKey]*cache.Resource{
+				kube.NewResourceKey("", "", "", "cm1"): {
+					Ref: v1.ObjectReference{
+						Name: "cm1",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm2"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm2"): {
+					Ref: v1.ObjectReference{
+						Name: "cm2",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm3"},
+					},
+				},
+				kube.NewResourceKey("", "", "", "cm3"): {
+					Ref: v1.ObjectReference{
+						Name: "cm3",
+					},
+					OwnerRefs: []metav1.OwnerReference{
+						{Name: "cm1"},
+					},
+				},
+			},
+			wantName: "",
+			wantOK:   assert.False,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			visited := map[kube.ResourceKey]bool{}
+			got, ok := getAppRecursive(tt.r, tt.ns, visited)
+			assert.Equal(t, tt.wantName, got)
+			tt.wantOK(t, ok)
+		})
+	}
+}
+
 func TestSkipResourceUpdate(t *testing.T) {
 	var (
 		hash1_x string = "x"

controller/state.go

@@ -163,6 +163,11 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 		return nil, nil, fmt.Errorf("failed to get Helm settings: %w", err)
 	}
 
+	installationID, err := m.settingsMgr.GetInstallationID()
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to get installation ID: %w", err)
+	}
+
 	ts.AddCheckpoint("build_options_ms")
 	serverVersion, apiResources, err := m.liveStateCache.GetVersionsInfo(app.Spec.Destination.Server)
 	if err != nil {
@@ -223,6 +228,7 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 				TrackingMethod:     string(argo.GetTrackingMethod(m.settingsMgr)),
 				RefSources:         refSources,
 				HasMultipleSources: app.Spec.HasMultipleSources(),
+				InstallationID:     installationID,
 			})
 			if err != nil {
 				return nil, nil, fmt.Errorf("failed to compare revisions for source %d of %d: %w", i+1, len(sources), err)
@@ -253,6 +259,7 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 			RefSources:         refSources,
 			ProjectName:        proj.Name,
 			ProjectSourceRepos: proj.Spec.SourceRepos,
+			InstallationID:     installationID,
 		})
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to generate manifest for source %d of %d: %w", i+1, len(sources), err)
@@ -333,20 +340,24 @@ func DeduplicateTargetObjects(
 
 // getComparisonSettings will return the system level settings related to the
 // diff/normalization process.
-func (m *appStateManager) getComparisonSettings() (string, map[string]v1alpha1.ResourceOverride, *settings.ResourcesFilter, error) {
+func (m *appStateManager) getComparisonSettings() (string, map[string]v1alpha1.ResourceOverride, *settings.ResourcesFilter, string, error) {
 	resourceOverrides, err := m.settingsMgr.GetResourceOverrides()
 	if err != nil {
-		return "", nil, nil, err
+		return "", nil, nil, "", err
 	}
 	appLabelKey, err := m.settingsMgr.GetAppInstanceLabelKey()
 	if err != nil {
-		return "", nil, nil, err
+		return "", nil, nil, "", err
 	}
 	resFilter, err := m.settingsMgr.GetResourcesFilter()
 	if err != nil {
-		return "", nil, nil, err
+		return "", nil, nil, "", err
 	}
-	return appLabelKey, resourceOverrides, resFilter, nil
+	installationID, err := m.settingsMgr.GetInstallationID()
+	if err != nil {
+		return "", nil, nil, "", err
+	}
+	return appLabelKey, resourceOverrides, resFilter, installationID, nil
 }
 
 // verifyGnuPGSignature verifies the result of a GnuPG operation for a given git
@@ -397,7 +408,7 @@ func isManagedNamespace(ns *unstructured.Unstructured, app *v1alpha1.Application
 // revision and overrides in the app spec.
 func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1alpha1.AppProject, revisions []string, sources []v1alpha1.ApplicationSource, noCache bool, noRevisionCache bool, localManifests []string, hasMultipleSources bool) (*comparisonResult, error) {
 	ts := stats.NewTimingStats()
-	appLabelKey, resourceOverrides, resFilter, err := m.getComparisonSettings()
+	appLabelKey, resourceOverrides, resFilter, installationID, err := m.getComparisonSettings()
 
 	ts.AddCheckpoint("settings_ms")
 
@@ -564,7 +575,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 
 	for _, liveObj := range liveObjByKey {
 		if liveObj != nil {
-			appInstanceName := m.resourceTracking.GetAppName(liveObj, appLabelKey, trackingMethod)
+			appInstanceName := m.resourceTracking.GetAppName(liveObj, appLabelKey, trackingMethod, installationID)
 			if appInstanceName != "" && appInstanceName != app.InstanceName(m.namespace) {
 				fqInstanceName := strings.ReplaceAll(appInstanceName, "_", "/")
 				conditions = append(conditions, v1alpha1.ApplicationCondition{
@@ -704,7 +715,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 		}
 		gvk := obj.GroupVersionKind()
 
-		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, targetObj, app.GetName(), appLabelKey, trackingMethod)
+		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, targetObj, app.GetName(), appLabelKey, trackingMethod, installationID)
 
 		resState := v1alpha1.ResourceStatus{
 			Namespace:       obj.GetNamespace(),
@@ -904,9 +915,7 @@ func useDiffCache(noCache bool, manifestInfos []*apiclient.ManifestResponse, sou
 		return false
 	}
 
-	currentSpec := app.BuildComparedToStatus()
-	specChanged := !reflect.DeepEqual(app.Status.Sync.ComparedTo, currentSpec)
-	if specChanged {
+	if !specEqualsCompareTo(app.Spec, app.Status.Sync.ComparedTo) {
 		log.WithField("useDiffCache", "false").Debug("specChanged")
 		return false
 	}
@@ -915,6 +924,29 @@ func useDiffCache(noCache bool, manifestInfos []*apiclient.ManifestResponse, sou
 	return true
 }
 
+// specEqualsCompareTo compares the application spec to the comparedTo status. It normalizes the destination to match
+// the comparedTo destination before comparing. It does not mutate the original spec or comparedTo.
+func specEqualsCompareTo(spec v1alpha1.ApplicationSpec, comparedTo v1alpha1.ComparedTo) bool {
+	// Make a copy to be sure we don't mutate the original.
+	specCopy := spec.DeepCopy()
+	currentSpec := specCopy.BuildComparedToStatus()
+
+	// The spec might have been augmented to include both server and name, so change it to match the comparedTo before
+	// comparing.
+	if comparedTo.Destination.Server == "" {
+		currentSpec.Destination.Server = ""
+	}
+	if comparedTo.Destination.Name == "" {
+		currentSpec.Destination.Name = ""
+	}
+
+	// Set IsServerInferred to false on both, because that field is not important for comparison.
+	comparedTo.Destination.SetIsServerInferred(false)
+	currentSpec.Destination.SetIsServerInferred(false)
+
+	return reflect.DeepEqual(comparedTo, currentSpec)
+}
+
 func (m *appStateManager) persistRevisionHistory(
 	app *v1alpha1.Application,
 	revision string,
@@ -1009,7 +1041,7 @@ func NewAppStateManager(
 // group and kind) match the properties of the live object, or if the tracking method
 // used does not provide the required properties for matching.
 // Reference: https://github.com/argoproj/argo-cd/issues/8683
-func (m *appStateManager) isSelfReferencedObj(live, config *unstructured.Unstructured, appName, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
+func (m *appStateManager) isSelfReferencedObj(live, config *unstructured.Unstructured, appName, appLabelKey string, trackingMethod v1alpha1.TrackingMethod, installationID string) bool {
 	if live == nil {
 		return true
 	}
@@ -1042,7 +1074,7 @@ func (m *appStateManager) isSelfReferencedObj(live, config *unstructured.Unstruc
 	// to match the properties from the live object. Cluster scoped objects
 	// carry the app's destination namespace in the tracking annotation,
 	// but are unique in GVK + name combination.
-	appInstance := m.resourceTracking.GetAppInstance(live, appLabelKey, trackingMethod)
+	appInstance := m.resourceTracking.GetAppInstance(live, appLabelKey, trackingMethod, installationID)
 	if appInstance != nil {
 		return isSelfReferencedObj(live, *appInstance)
 	}

controller/state_test.go

@@ -1372,8 +1372,8 @@ func TestIsLiveResourceManaged(t *testing.T) {
 		configObj := managedObj.DeepCopy()
 
 		// then
-		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel, ""))
+		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation, ""))
 	})
 	t.Run("will return true if tracked with label", func(t *testing.T) {
 		// given
@@ -1381,43 +1381,43 @@ func TestIsLiveResourceManaged(t *testing.T) {
 		configObj := managedObjWithLabel.DeepCopy()
 
 		// then
-		assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+		assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel, ""))
 	})
 	t.Run("will handle if trackingId has wrong resource name and config is nil", func(t *testing.T) {
 		// given
 		t.Parallel()
 
 		// then
-		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel, ""))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation, ""))
 	})
 	t.Run("will handle if trackingId has wrong resource group and config is nil", func(t *testing.T) {
 		// given
 		t.Parallel()
 
 		// then
-		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel, ""))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation, ""))
 	})
 	t.Run("will handle if trackingId has wrong kind and config is nil", func(t *testing.T) {
 		// given
 		t.Parallel()
 
 		// then
-		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel, ""))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation, ""))
 	})
 	t.Run("will handle if trackingId has wrong namespace and config is nil", func(t *testing.T) {
 		// given
 		t.Parallel()
 
 		// then
-		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel))
+		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel, ""))
+		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel, ""))
 	})
 	t.Run("will return true if live is nil", func(t *testing.T) {
 		t.Parallel()
-		assert.True(t, manager.isSelfReferencedObj(nil, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		assert.True(t, manager.isSelfReferencedObj(nil, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation, ""))
 	})
 
 	t.Run("will handle upgrade in desired state APIGroup", func(t *testing.T) {
@@ -1427,11 +1427,13 @@ func TestIsLiveResourceManaged(t *testing.T) {
 		delete(config.GetAnnotations(), common.AnnotationKeyAppInstance)
 
 		// then
-		assert.True(t, manager.isSelfReferencedObj(managedWrongAPIGroup, config, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+		assert.True(t, manager.isSelfReferencedObj(managedWrongAPIGroup, config, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation, ""))
 	})
 }
 
 func TestUseDiffCache(t *testing.T) {
+	t.Parallel()
+
 	type fixture struct {
 		testName             string
 		noCache              bool
@@ -1527,6 +1529,10 @@ func TestUseDiffCache(t *testing.T) {
 				t.Fatalf("error merging app: %s", err)
 			}
 		}
+		if app.Spec.Destination.Name != "" && app.Spec.Destination.Server != "" {
+			// Simulate the controller's process for populating both of these fields.
+			app.Spec.Destination.SetInferredServer(app.Spec.Destination.Server)
+		}
 		return app
 	}
 
@@ -1692,6 +1698,44 @@ func TestUseDiffCache(t *testing.T) {
 			expectedUseCache:     false,
 			serverSideDiff:       false,
 		},
+		{
+			// There are code paths that modify the ApplicationSpec and augment the destination field with both the
+			// destination server and name. Since both fields are populated in the app spec but not in the comparedTo,
+			// we need to make sure we correctly compare the fields and don't miss the cache.
+			testName:      "will return true if the app spec destination contains both server and name, but otherwise matches comparedTo",
+			noCache:       false,
+			manifestInfos: manifestInfos("rev1"),
+			sources:       sources(),
+			app: app("httpbin", "rev1", false, &argoappv1.Application{
+				Spec: argoappv1.ApplicationSpec{
+					Destination: argoappv1.ApplicationDestination{
+						Server:    "https://kubernetes.default.svc",
+						Name:      "httpbin",
+						Namespace: "httpbin",
+					},
+				},
+				Status: argoappv1.ApplicationStatus{
+					Resources: []argoappv1.ResourceStatus{},
+					Sync: argoappv1.SyncStatus{
+						Status: argoappv1.SyncStatusCodeSynced,
+						ComparedTo: argoappv1.ComparedTo{
+							Destination: argoappv1.ApplicationDestination{
+								Server:    "https://kubernetes.default.svc",
+								Namespace: "httpbin",
+							},
+						},
+						Revision: "rev1",
+					},
+					ReconciledAt: &metav1.Time{
+						Time: time.Now().Add(-time.Hour),
+					},
+				},
+			}),
+			manifestRevisions:    []string{"rev1"},
+			statusRefreshTimeout: time.Hour * 24,
+			expectedUseCache:     true,
+			serverSideDiff:       true,
+		},
 	}
 
 	for _, tc := range cases {

controller/sync.go

@@ -283,6 +283,11 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		log.Errorf("Could not get appInstanceLabelKey: %v", err)
 		return
 	}
+	installationID, err := m.settingsMgr.GetInstallationID()
+	if err != nil {
+		log.Errorf("Could not get installation ID: %v", err)
+		return
+	}
 	trackingMethod := argo.GetTrackingMethod(m.settingsMgr)
 
 	opts := []sync.SyncOpt{
@@ -313,7 +318,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 			return (len(syncOp.Resources) == 0 ||
 				isPostDeleteHook(target) ||
 				argo.ContainsSyncResource(key.Name, key.Namespace, schema.GroupVersionKind{Kind: key.Kind, Group: key.Group}, syncOp.Resources)) &&
-				m.isSelfReferencedObj(live, target, app.GetName(), appLabelKey, trackingMethod)
+				m.isSelfReferencedObj(live, target, app.GetName(), appLabelKey, trackingMethod, installationID)
 		}),
 		sync.WithManifestValidation(!syncOp.SyncOptions.HasOption(common.SyncOptionsDisableValidation)),
 		sync.WithSyncWaveHook(delayBetweenSyncWaves),

docs/assets/versions.js

@@ -1,48 +1,83 @@
-setTimeout(function() {
-  const callbackName = 'callback_' + new Date().getTime();
-  window[callbackName] = function (response) {
-  const div = document.createElement('div');
-  div.innerHTML = response.html;
-  document.querySelector(".md-header__inner > .md-header__title").appendChild(div);
-  const container = div.querySelector('.rst-versions');
-  var caret = document.createElement('div');
-  caret.innerHTML = "<i class='fa fa-caret-down dropdown-caret'></i>"
-  caret.classList.add('dropdown-caret')
-  div.querySelector('.rst-current-version').appendChild(caret);
+const targetNode = document.querySelector('.md-header__inner');
+const observerOptions = {
+  childList: true,
+  subtree: true
+};
+
+const observerCallback = function(mutationsList, observer) {
+  for (let mutation of mutationsList) {
+    if (mutation.type === 'childList') {
+      const titleElement = document.querySelector('.md-header__inner > .md-header__title');
+      if (titleElement) {
+        initializeVersionDropdown();
+        observer.disconnect();
+      }
+    }
   }
+};
+
+const observer = new MutationObserver(observerCallback);
+observer.observe(targetNode, observerOptions);
+
+function getCurrentVersion() {
+  const currentVersion = window.location.href.match(/\/en\/(release-(?:v\d+|[\d\.]+|\w+)|latest|stable)\//);
+  if (currentVersion && currentVersion.length > 1) {
+    return currentVersion[1];
+  }
+  return null;
+}
+
+function initializeVersionDropdown() {
+  const callbackName = 'callback_' + new Date().getTime();
+  window[callbackName] = function(response) {
+    const div = document.createElement('div');
+    div.innerHTML = response.html;
+    document.querySelector(".md-header__inner > .md-header__title").appendChild(div);
+    const container = div.querySelector('.rst-versions');
+    var caret = document.createElement('div');
+    caret.innerHTML = "<i class='fa fa-caret-down dropdown-caret'></i>";
+    caret.classList.add('dropdown-caret');
+    div.querySelector('.rst-current-version').appendChild(caret);
+
+    div.querySelector('.rst-current-version').addEventListener('click', function() {
+      container.classList.toggle('shift-up');
+    });
+  };
 
   var CSSLink = document.createElement('link');
-  CSSLink.rel='stylesheet';
+  CSSLink.rel = 'stylesheet';
   CSSLink.href = '/assets/versions.css';
   document.getElementsByTagName('head')[0].appendChild(CSSLink);
 
   var script = document.createElement('script');
-  script.src = 'https://argo-cd.readthedocs.io/_/api/v2/footer_html/?'+
-      'callback=' + callbackName + '&project=argo-cd&page=&theme=mkdocs&format=jsonp&docroot=docs&source_suffix=.md&version=' + (window['READTHEDOCS_DATA'] || { version: 'latest' }).version;
+  const currentVersion = getCurrentVersion();
+  script.src = 'https://argo-cd.readthedocs.io/_/api/v2/footer_html/?' +
+      'callback=' + callbackName + '&project=argo-cd&page=&theme=mkdocs&format=jsonp&docroot=docs&source_suffix=.md&version=' + (currentVersion || 'latest');
   document.getElementsByTagName('head')[0].appendChild(script);
-}, 0);
+}
 
 // VERSION WARNINGS
 window.addEventListener("DOMContentLoaded", function() {
-  var rtdData = window['READTHEDOCS_DATA'] || { version: 'latest' };
   var margin = 30;
-  var headerHeight = document.getElementsByClassName("md-header")[0].offsetHeight; 
-  if (rtdData.version === "latest") {
-    document.querySelector("div[data-md-component=announce]").innerHTML = "<div id='announce-msg'>You are viewing the docs for an unreleased version of Argo CD, <a href='https://argo-cd.readthedocs.io/en/stable/'>click here to go to the latest stable version.</a></div>"
-    var bannerHeight = document.getElementById('announce-msg').offsetHeight + margin
-    document.querySelector("header.md-header").style.top = bannerHeight +"px";   
-    document.querySelector('style').textContent +=
-    "@media screen and (min-width: 76.25em){ .md-sidebar { height: 0;  top:"+ (bannerHeight+headerHeight)+"px !important; }}"
-    document.querySelector('style').textContent +=
-    "@media screen and (min-width: 60em){ .md-sidebar--secondary { height: 0;  top:"+ (bannerHeight+headerHeight)+"px !important; }}"
-  }
-  else if (rtdData.version !== "stable") {
-    document.querySelector("div[data-md-component=announce]").innerHTML = "<div id='announce-msg'>You are viewing the docs for a previous version of Argo CD, <a href='https://argo-cd.readthedocs.io/en/stable/'>click here to go to the latest stable version.</a></div>"
-    var bannerHeight = document.getElementById('announce-msg').offsetHeight + margin
-    document.querySelector("header.md-header").style.top = bannerHeight +"px";   
-    document.querySelector('style').textContent +=
-    "@media screen and (min-width: 76.25em){ .md-sidebar { height: 0;  top:"+ (bannerHeight+headerHeight)+"px !important; }}"
-    document.querySelector('style').textContent +=
-    "@media screen and (min-width: 60em){ .md-sidebar--secondary { height: 0;  top:"+ (bannerHeight+headerHeight)+"px !important; }}"
+  var headerHeight = document.getElementsByClassName("md-header")[0].offsetHeight;
+  const currentVersion = getCurrentVersion();
+  if (currentVersion) {
+    if (currentVersion === "latest") {
+      document.querySelector("div[data-md-component=announce]").innerHTML = "<div id='announce-msg'>You are viewing the docs for an unreleased version of Argo CD, <a href='https://argo-cd.readthedocs.io/en/stable/'>click here to go to the latest stable version.</a></div>";
+      var bannerHeight = document.getElementById('announce-msg').offsetHeight + margin;
+      document.querySelector("header.md-header").style.top = bannerHeight + "px";
+      document.querySelector('style').textContent +=
+          "@media screen and (min-width: 76.25em){ .md-sidebar { height: 0;  top:" + (bannerHeight + headerHeight) + "px !important; }}";
+      document.querySelector('style').textContent +=
+          "@media screen and (min-width: 60em){ .md-sidebar--secondary { height: 0;  top:" + (bannerHeight + headerHeight) + "px !important; }}";
+    } else if (currentVersion !== "stable") {
+      document.querySelector("div[data-md-component=announce]").innerHTML = "<div id='announce-msg'>You are viewing the docs for a previous version of Argo CD, <a href='https://argo-cd.readthedocs.io/en/stable/'>click here to go to the latest stable version.</a></div>";
+      var bannerHeight = document.getElementById('announce-msg').offsetHeight + margin;
+      document.querySelector("header.md-header").style.top = bannerHeight + "px";
+      document.querySelector('style').textContent +=
+          "@media screen and (min-width: 76.25em){ .md-sidebar { height: 0;  top:" + (bannerHeight + headerHeight) + "px !important; }}";
+      document.querySelector('style').textContent +=
+          "@media screen and (min-width: 60em){ .md-sidebar--secondary { height: 0;  top:" + (bannerHeight + headerHeight) + "px !important; }}";
+    }
   }
 });

docs/faq.md

@@ -268,3 +268,45 @@ The most common instance of this error is with `env:` fields for `containers`.
 
 !!! note "Dynamic applications"
     It's possible that your application is being generated by a tool in which case the duplication might not be evident within the scope of a single file. If you have trouble debugging this problem, consider filing a ticket to the owner of the generator tool asking them to improve its validation and error reporting.
+
+## How to rotate Redis secret?
+* Delete `argocd-redis` secret in the namespace where Argo CD is installed. 
+```bash
+kubectl delete secret argocd-redis -n <argocd namesapce>
+```
+* If you are running Redis in HA mode, restart Redis in HA.
+```bash
+kubectl rollout restart deployment argocd-redis-ha-haproxy
+kubectl rollout restart statefulset argocd-redis-ha-server
+```
+* If you are running Redis in non-HA mode, restart Redis.
+```bash
+kubectl rollout restart deployment argocd-redis
+```
+* Restart other components.
+```bash
+kubectl rollout restart deployment argocd-server argocd-repo-server
+kubectl rollout restart statefulset argocd-application-controller
+```
+
+## How to turn off Redis auth if users really want to?
+
+Argo CD default installation is now configured automatically enable Redis authentication. 
+If for some reason authenticated Redis does not work for you and you want to use non-authenticated Redis, here are the steps:
+
+* You need to have your own Redis installation.
+* Configure Argo CD to use your own Redis instance. See this [doc](https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cmd-params-cm-yaml/) for the Argo CD configuration.
+* If you already installed Redis shipped with Argo CD, you also need to clean up the existing components:
+  * When HA Redis is used:
+    * kubectl delete deployment argocd-redis-ha-haproxy
+    * kubectl delete statefulset argocd-redis-ha-server
+  * When non-HA Redis is used:
+    * kubectl delete deployment argocd-redis
+* Remove environment variable `REDIS_PASSWORD` from the following manifests
+    * Deployment: argocd-repo-server:
+    * Deployment: argocd-server
+    * StatefulSet: argocd-application-controller
+  
+## How do I provide my own Redis credentials?
+The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
+You can config your secret provider to generate Kubernetes secret accordingly.

docs/getting_started.md

@@ -40,6 +40,9 @@ Do one of:
 
 Use `argocd login --core` to [configure](./user-guide/commands/argocd_login.md) CLI access and skip steps 3-5.
 
+!!! note
+    This default installation for Redis is using password authentication. The Redis password is stored in Kubernetes secret `argocd-redis` with key `auth` in the namespace where Argo CD is installed.
+
 ## 2. Download Argo CD CLI
 
 Download the latest Argo CD version from [https://github.com/argoproj/argo-cd/releases/latest](https://github.com/argoproj/argo-cd/releases/latest). More detailed installation instructions can be found via the [CLI installation documentation](cli_installation.md).

docs/operator-manual/applicationset/Generators-Git.md

@@ -326,7 +326,7 @@ As with other generators, clusters *must* already be defined within Argo CD, in
 In addition to the flattened key/value pairs from the configuration file, the following generator parameters are provided:
 
 - `{{.path.path}}`: The path to the directory containing matching configuration file within the Git repository. Example: `/clusters/clusterA`, if the config file was `/clusters/clusterA/config.json`
-- `{{index .path n}}`: The path to the matching configuration file within the Git repository, split into array elements (`n` - array index). Example: `index .path 0: clusters`, `index .path 1: clusterA`
+- `{{index .path.segments n}}`: The path to the matching configuration file within the Git repository, split into array elements (`n` - array index). Example: `index .path.segments 0: clusters`, `index .path.segments 1: clusterA`
 - `{{.path.basename}}`: Basename of the path to the directory containing the configuration file (e.g. `clusterA`, with the above example.)
 - `{{.path.basenameNormalized}}`: This field is the same as `.path.basename` with unsupported characters replaced with `-` (e.g. a `path` of `/directory/directory_2`, and `.path.basename` of `directory_2` would produce `directory-2` here).
 - `{{.path.filename}}`: The matched filename. e.g., `config.json` in the above example.
@@ -360,7 +360,7 @@ spec:
       files:
       - path: "applicationset/examples/git-generator-files-discovery/cluster-config/**/config.json"
       values:
-        base_dir: "{{index .path 0}}/{{index .path 1}}/{{index .path 2}}"
+        base_dir: "{{index .path.segments 0}}/{{index .path.segments 1}}/{{index .path.segments 2}}"
   template:
     metadata:
       name: '{{.cluster.name}}-guestbook'

docs/operator-manual/argocd-cm.yaml

@@ -269,6 +269,9 @@ data:
   # - annotation+label : Also uses an annotation for tracking, but additionally labels the resource with the application name
   application.resourceTrackingMethod: annotation
 
+  # Optional installation id. Allows to have multiple installations of Argo CD in the same cluster.
+  installationID: "my-unique-id"
+
   # disables admin user. Admin is enabled by default
   admin.enabled: "false"
   # add an additional local user with apiKey and login capabilities
@@ -410,3 +413,6 @@ data:
               cluster:
                 name: some-cluster
                 server: https://some-cluster
+          
+          # The maximum size of the payload that can be sent to the webhook server.
+          webhook.maxPayloadSizeMB: 1024

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -47,8 +47,11 @@ data:
   controller.log.level: "info"
   # Prometheus metrics cache expiration (disabled  by default. e.g. 24h0m0s)
   controller.metrics.cache.expiration: "24h0m0s"
-  # Specifies timeout between application self heal attempts (default 5)
-  controller.self.heal.timeout.seconds: "5"
+  # Specifies exponential backoff timeout parameters between application self heal attempts
+  controller.self.heal.timeout.seconds: "2"
+  controller.self.heal.backoff.factor: "3"
+  controller.self.heal.backoff.cap.seconds: "300"
+
   # Cache expiration for app state (default 1h0m0s)
   controller.app.state.cache.expiration: "1h0m0s"
   # Specifies if resource health should be persisted in app CRD (default true)

docs/operator-manual/server-commands/argocd-application-controller.md

@@ -65,7 +65,10 @@ argocd-application-controller [flags]
       --repo-server-strict-tls                                    Whether to use strict validation of the TLS cert presented by the repo server
       --repo-server-timeout-seconds int                           Repo server RPC call timeout seconds. (default 60)
       --request-timeout string                                    The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
-      --self-heal-timeout-seconds int                             Specifies timeout between application self heal attempts (default 5)
+      --self-heal-backoff-cap-seconds int                         Specifies max timeout of exponential backoff between application self heal attempts (default 300)
+      --self-heal-backoff-factor int                              Specifies factor of exponential timeout between application self heal attempts (default 3)
+      --self-heal-backoff-timeout-seconds int                     Specifies initial timeout of exponential backoff between self heal attempts (default 2)
+      --self-heal-timeout-seconds int                             Specifies timeout between application self heal attempts
       --sentinel stringArray                                      Redis sentinel hostname and port (e.g. argocd-redis-ha-announce-0:6379). 
       --sentinelmaster string                                     Redis sentinel master group name. (default "master")
       --server string                                             The address and port of the Kubernetes API server

docs/operator-manual/upgrading/2.10-2.11.md

@@ -2,4 +2,66 @@
 
 ## initiatedBy added in Application CRD
 
-In order to address [argoproj/argo-cd#16612](https://github.com/argoproj/argo-cd/issues/16612), initiatedBy has been added in the Application CRD.
+In order to address [argoproj/argo-cd#16612](https://github.com/argoproj/argo-cd/issues/16612), initiatedBy has been added in the Application CRD.
+
+## Egress NetworkPolicy for `argocd-redis` and `argocd-redis-ha-haproxy`
+
+Starting with Argo CD 2.11.2, the NetworkPolicy for the `argocd-redis` and `argocd-redis-ha-haproxy` dropped Egress restrictions. This change was made
+to allow access to the Kubernetes API to create a secret to secure Redis access.
+
+To retain similar networking restrictions as before 2.11.2, you can add an Egress rule to allow access only to the
+Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your
+Kubernetes setup. The access for Redis itself can be allowed by adding the following to the
+`argocd-redis-network-policy` NetworkPolicy:
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-network-policy
+spec:
+  policyTypes:
+  - Ingress
++  - Egress
++  egress:
++  - ports:
++    - port: 53
++      protocol: UDP
++    - port: 53
++      protocol: TCP
+```
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-ha-haproxy
+spec:
+  policyTypes:
+  - Ingress
++  - Egress
++  egress:
++  - ports:
++    - port: 6379
++      protocol: TCP
++    - port: 26379
++      protocol: TCP
++    to:
++    - podSelector:
++        matchLabels:
++          app.kubernetes.io/name: argocd-redis-ha
++  - ports:
++    - port: 53
++      protocol: UDP
++    - port: 53
++      protocol: TCP
+```
+
+## Sanitized project API response
+
+Due to security reasons ([GHSA-786q-9hcg-v9ff](https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff)),
+the project API response was sanitized to remove sensitive information. This includes
+credentials of project-scoped repositories and clusters.
+
+> **Note:** The 2.11 series has been EOL for some time and has not received security updates. 2.11.14 was patched for critical 
+> CVE-2025-55190 but was not patched for other vulnerabilities. It is important to upgrade to a supported version as quickly as possible.

docs/operator-manual/upgrading/2.8-2.9.md

@@ -3,3 +3,56 @@
 ## Upgraded Kustomize Version
 
 Note that bundled Kustomize version has been upgraded from 5.1.0 to 5.2.1.
+
+## Egress NetworkPolicy for `argocd-redis` and `argocd-redis-ha-haproxy`
+
+Starting with Argo CD 2.9.16, the NetworkPolicy for the `argocd-redis` and `argocd-redis-ha-haproxy` dropped Egress restrictions. This change was made
+to allow access to the Kubernetes API to create a secret to secure Redis access.
+
+To retain similar networking restrictions as before 2.9.16, you can add an Egress rule to allow access only to the
+Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your
+Kubernetes setup. The access for Redis itself can be allowed by adding the following to the
+`argocd-redis-network-policy` NetworkPolicy:
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-network-policy
+spec:
+  policyTypes:
+  - Ingress
++  - Egress
++  egress:
++  - ports:
++    - port: 53
++      protocol: UDP
++    - port: 53
++      protocol: TCP
+```
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-ha-haproxy
+spec:
+  policyTypes:
+  - Ingress
++  - Egress
++  egress:
++  - ports:
++    - port: 6379
++      protocol: TCP
++    - port: 26379
++      protocol: TCP
++    to:
++    - podSelector:
++        matchLabels:
++          app.kubernetes.io/name: argocd-redis-ha
++  - ports:
++    - port: 53
++      protocol: UDP
++    - port: 53
++      protocol: TCP
+```

docs/operator-manual/upgrading/2.9-2.10.md

@@ -14,3 +14,56 @@ before enabling `managedNamespaceMetadata` on an existing namespace.
 ## Upgraded Helm Version
 
 Note that bundled Helm version has been upgraded from 3.13.2 to 3.14.3.
+
+## Egress NetworkPolicy for `argocd-redis` and `argocd-redis-ha-haproxy`
+
+Starting with Argo CD 2.10.11, the NetworkPolicy for the `argocd-redis` and `argocd-redis-ha-haproxy` dropped Egress restrictions. This change was made
+to allow access to the Kubernetes API to create a secret to secure Redis access.
+
+To retain similar networking restrictions as before 2.10.11, you can add an Egress rule to allow access only to the
+Kubernetes API and access needed by Redis itself. The Egress rule for Kubernetes access will depend entirely on your
+Kubernetes setup. The access for Redis itself can be allowed by adding the following to the
+`argocd-redis-network-policy` NetworkPolicy:
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-network-policy
+spec:
+  policyTypes:
+  - Ingress
++  - Egress
++  egress:
++  - ports:
++    - port: 53
++      protocol: UDP
++    - port: 53
++      protocol: TCP
+```
+
+```diff
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: argocd-redis-ha-haproxy
+spec:
+  policyTypes:
+  - Ingress
++  - Egress
++  egress:
++  - ports:
++    - port: 6379
++      protocol: TCP
++    - port: 26379
++      protocol: TCP
++    to:
++    - podSelector:
++        matchLabels:
++          app.kubernetes.io/name: argocd-redis-ha
++  - ports:
++    - port: 53
++      protocol: UDP
++    - port: 53
++      protocol: TCP
+```

docs/operator-manual/upgrading/overview.md

@@ -37,6 +37,7 @@ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/<v
 
 <hr/>
 
+* [v2.10 to v2.11](./2.10-2.11.md)
 * [v2.9 to v2.10](./2.9-2.10.md)
 * [v2.8 to v2.9](./2.8-2.9.md)
 * [v2.7 to v2.8](./2.7-2.8.md)

docs/operator-manual/webhook.md

@@ -19,6 +19,7 @@ URL configured in the Git provider should use the `/api/webhook` endpoint of you
 (e.g. `https://argocd.example.com/api/webhook`). If you wish to use a shared secret, input an
 arbitrary value in the secret. This value will be used when configuring the webhook in the next step.
 
+To prevent DDoS attacks with unauthenticated webhook events (the `/api/webhook` endpoint currently lacks rate limiting protection), it is recommended to limit the payload size. You can achieve this by configuring the `argocd-cm` ConfigMap with the `webhook.maxPayloadSizeMB` attribute. The default value is 1GB.
 ## Github
 
 ![Add Webhook](../assets/webhook-config.png "Add Webhook")

docs/user-guide/commands/argocd_admin.md

@@ -64,6 +64,7 @@ $ argocd admin initial-password reset
 * [argocd admin initial-password](argocd_admin_initial-password.md)	 - Prints initial password to log in to Argo CD for the first time
 * [argocd admin notifications](argocd_admin_notifications.md)	 - Set of CLI commands that helps manage notifications settings
 * [argocd admin proj](argocd_admin_proj.md)	 - Manage projects configuration
+* [argocd admin redis-initial-password](argocd_admin_redis-initial-password.md)	 - Ensure the Redis password exists, creating a new one if necessary.
 * [argocd admin repo](argocd_admin_repo.md)	 - Manage repositories configuration
 * [argocd admin settings](argocd_admin_settings.md)	 - Provides set of commands for settings validation and troubleshooting
 

docs/user-guide/commands/argocd_admin_redis-initial-password.md

@@ -0,0 +1,67 @@
+# `argocd admin redis-initial-password` Command Reference
+
+## argocd admin redis-initial-password
+
+Ensure the Redis password exists, creating a new one if necessary.
+
+```
+argocd admin redis-initial-password [flags]
+```
+
+### Options
+
+```
+      --as string                      Username to impersonate for the operation
+      --as-group stringArray           Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
+      --as-uid string                  UID to impersonate for the operation
+      --certificate-authority string   Path to a cert file for the certificate authority
+      --client-certificate string      Path to a client certificate file for TLS
+      --client-key string              Path to a client key file for TLS
+      --cluster string                 The name of the kubeconfig cluster to use
+      --context string                 The name of the kubeconfig context to use
+      --disable-compression            If true, opt-out of response compression for all requests to the server
+  -h, --help                           help for redis-initial-password
+      --insecure-skip-tls-verify       If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
+      --kubeconfig string              Path to a kube config. Only required if out-of-cluster
+  -n, --namespace string               If present, the namespace scope for this CLI request
+      --password string                Password for basic authentication to the API server
+      --proxy-url string               If provided, this URL will be used to connect via proxy
+      --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
+      --server string                  The address and port of the Kubernetes API server
+      --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
+      --token string                   Bearer token for authentication to the API server
+      --user string                    The name of the kubeconfig user to use
+      --username string                Username for basic authentication to the API server
+```
+
+### Options inherited from parent commands
+
+```
+      --auth-token string               Authentication token
+      --client-crt string               Client certificate file
+      --client-crt-key string           Client certificate key file
+      --config string                   Path to Argo CD config (default "/home/user/.config/argocd/config")
+      --controller-name string          Name of the Argo CD Application controller; set this or the ARGOCD_APPLICATION_CONTROLLER_NAME environment variable when the controller's name label differs from the default, for example when installing via the Helm chart (default "argocd-application-controller")
+      --core                            If set to true then CLI talks directly to Kubernetes instead of talking to Argo CD API server
+      --grpc-web                        Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2.
+      --grpc-web-root-path string       Enables gRPC-web protocol. Useful if Argo CD server is behind proxy which does not support HTTP2. Set web root.
+  -H, --header strings                  Sets additional header to all requests made by Argo CD CLI. (Can be repeated multiple times to add multiple headers, also supports comma separated headers)
+      --http-retry-max int              Maximum number of retries to establish http connection to Argo CD server
+      --insecure                        Skip server certificate and domain verification
+      --kube-context string             Directs the command to the given kube-context
+      --logformat string                Set the logging format. One of: text|json (default "text")
+      --loglevel string                 Set the logging level. One of: debug|info|warn|error (default "info")
+      --plaintext                       Disable TLS
+      --port-forward                    Connect to a random argocd-server port using port forwarding
+      --port-forward-namespace string   Namespace name which should be used for port forwarding
+      --redis-haproxy-name string       Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy")
+      --redis-name string               Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis")
+      --repo-server-name string         Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server")
+      --server-crt string               Server certificate file
+      --server-name string              Name of the Argo CD API server; set this or the ARGOCD_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-server")
+```
+
+### SEE ALSO
+
+* [argocd admin](argocd_admin.md)	 - Contains a set of commands useful for Argo CD administrators and requires direct Kubernetes access
+

docs/user-guide/resource_tracking.md

@@ -65,6 +65,14 @@ metadata:
 The advantages of using the tracking id annotation is that there are no clashes any
 more with other Kubernetes tools and Argo CD is never confused about the owner of a resource. The `annotation+label` can also be used if you want other tools to understand resources managed by Argo CD.
 
+### Installation ID
+
+If you are managing one cluster using multiple Argo CD instances, you will need to set `installationID` in the Argo CD ConfigMap. This will prevent conflicts between
+the different Argo CD instances:
+
+* Each managed resource will have the annotation `argocd.argoproj.io/tracking-id: <installation-id>`
+* It is possible to have applications with the same name in Argo CD instances without causing conflicts.
+
 ### Non self-referencing annotations
 When using the tracking method `annotation` or `annotation+label`, Argo CD will consider the resource properties in the annotation (name, namespace, group and kind) to determine whether the resource should be compared against the desired state. If the tracking annotation does not reference the resource it is applied to, the resource will neither affect the application's sync status nor be marked for pruning. 
 

docs/user-guide/sync-options.md

@@ -165,6 +165,21 @@ metadata:
     argocd.argoproj.io/sync-options: Replace=true
 ```
 
+## Force Sync
+
+For certain resources you might want to delete and recreate. e.g. job resources that should run every time when syncing.
+
+!!! warning
+      During the sync process, the resources will be synchronized using the 'kubectl delete/create' command.
+      This sync option has a destructive action, which could cause an outage for your application.
+
+In such cases you might use `Force=true` sync option in target resources annotation:
+```yaml
+metadata:
+  annotations:
+    argocd.argoproj.io/sync-options: Force=true,Replace=true
+```
+
 ## Server-Side Apply
 
 This option enables Kubernetes

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/miniredis/v2 v2.30.4
 	github.com/antonmedv/expr v1.15.2
-	github.com/argoproj/gitops-engine v0.7.1-0.20240124052710-5fd9f449e757
+	github.com/argoproj/gitops-engine v0.7.1-0.20250129155113-a4b7cc110bf1
 	github.com/argoproj/notifications-engine v0.4.1-0.20240403133627-f48567108f01
 	github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1
 	github.com/aws/aws-sdk-go v1.50.8
@@ -24,13 +24,13 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0
 	github.com/chainguard-dev/git-urls v1.0.2
 	github.com/coreos/go-oidc/v3 v3.6.0
-	github.com/cyphar/filepath-securejoin v0.2.4
+	github.com/cyphar/filepath-securejoin v0.3.6
 	github.com/dustin/go-humanize v1.0.1
 	github.com/evanphx/json-patch v5.9.0+incompatible
 	github.com/felixge/httpsnoop v1.0.3
 	github.com/fsnotify/fsnotify v1.6.0
 	github.com/gfleury/go-bitbucket-v1 v0.0.0-20220301131131-8e7ed04b843e
-	github.com/go-git/go-git/v5 v5.11.0
+	github.com/go-git/go-git/v5 v5.13.1
 	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/go-logr/logr v1.3.0
 	github.com/go-openapi/loads v0.21.2
@@ -41,7 +41,7 @@ require (
 	github.com/gogits/go-gogs-client v0.0.0-20200905025246-8bb8a50cb355
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang-jwt/jwt/v4 v4.5.0
-	github.com/golang/protobuf v1.5.3
+	github.com/golang/protobuf v1.5.4
 	github.com/google/go-cmp v0.6.0
 	github.com/google/go-github/v35 v35.3.0
 	github.com/google/go-jsonnet v0.20.0
@@ -74,22 +74,22 @@ require (
 	github.com/soheilhy/cmux v0.1.5
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.10.0
 	github.com/valyala/fasttemplate v1.2.2
 	github.com/xanzy/go-gitlab v0.91.1
 	github.com/yuin/gopher-lua v1.1.0
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1
 	go.opentelemetry.io/otel v1.21.0
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0
 	go.opentelemetry.io/otel/sdk v1.21.0
-	golang.org/x/crypto v0.19.0
-	golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1
+	golang.org/x/crypto v0.31.0
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/oauth2 v0.11.0
-	golang.org/x/sync v0.3.0
-	golang.org/x/term v0.17.0
+	golang.org/x/sync v0.10.0
+	golang.org/x/term v0.27.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20230822172742-b8732ec3820d
 	google.golang.org/grpc v1.59.0
-	google.golang.org/protobuf v1.31.0
+	google.golang.org/protobuf v1.33.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.26.11
@@ -161,7 +161,7 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/PagerDuty/go-pagerduty v1.7.0 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+	github.com/ProtonMail/go-crypto v1.1.3 // indirect
 	github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20210112200207-10ab4d695d60 // indirect
 	github.com/alicebob/gopher-json v0.0.0-20200520072559-a9ecdc9d1d3a // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
@@ -169,7 +169,7 @@ require (
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
@@ -184,7 +184,7 @@ require (
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.21.4 // indirect
 	github.com/go-openapi/errors v0.20.3 // indirect
@@ -240,7 +240,7 @@ require (
 	github.com/opsgenie/opsgenie-go-sdk-v2 v1.0.5 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/errors v0.9.1
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.3.0
 	github.com/prometheus/common v0.42.0 // indirect
@@ -248,12 +248,12 @@ require (
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rs/cors v1.9.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sergi/go-diff v1.1.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/shopspring/decimal v1.2.0 // indirect
-	github.com/skeema/knownhosts v1.2.2 // indirect
+	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/slack-go/slack v0.12.2 // indirect
 	github.com/spf13/cast v1.6.0 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/vmihailenco/go-tinylfu v0.2.2 // indirect
 	github.com/vmihailenco/msgpack/v5 v5.3.4 // indirect
@@ -266,12 +266,12 @@ require (
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.0.0 // indirect
 	go.starlark.net v0.0.0-20220328144851-d1966c6b9fcd // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/net v0.19.0
-	golang.org/x/sys v0.17.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/mod v0.19.0 // indirect
+	golang.org/x/net v0.33.0
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.5.0
-	golang.org/x/tools v0.13.0 // indirect
+	golang.org/x/tools v0.23.0 // indirect
 	gomodules.xyz/envconfig v1.3.1-0.20190308184047-426f31af0d45 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	gomodules.xyz/notify v0.1.1 // indirect
@@ -297,7 +297,7 @@ replace (
 
 	github.com/go-telegram-bot-api/telegram-bot-api/v5 => github.com/OvyFlash/telegram-bot-api/v5 v5.0.0-20240108230938-63e5c59035bf
 
-	github.com/golang/protobuf => github.com/golang/protobuf v1.4.2
+	github.com/golang/protobuf => github.com/golang/protobuf v1.5.4
 	github.com/grpc-ecosystem/grpc-gateway => github.com/grpc-ecosystem/grpc-gateway v1.16.0
 
 	// Avoid  CVE-2023-46402

go.sum

@@ -659,8 +659,8 @@ github.com/OvyFlash/telegram-bot-api/v5 v5.0.0-20240108230938-63e5c59035bf/go.mo
 github.com/PagerDuty/go-pagerduty v1.7.0 h1:S1NcMKECxT5hJwV4VT+QzeSsSiv4oWl1s2821dUqG/8=
 github.com/PagerDuty/go-pagerduty v1.7.0/go.mod h1:PuFyJKRz1liIAH4h5KVXVD18Obpp1ZXRdxHvmGXooro=
 github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
+github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20210112200207-10ab4d695d60 h1:prBTRx78AQnXzivNT9Crhu564W/zPPr3ibSlpT9xKcE=
@@ -696,8 +696,8 @@ github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.16.0/go.mod h1:PHK3hniurgQaNMZYaCLEqXKsYK8upmhPbmdP2FXSqgU=
 github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE=
-github.com/argoproj/gitops-engine v0.7.1-0.20240124052710-5fd9f449e757 h1:5fKAhTQcTBom0vin56cz/UTPx2GMuvdb+lJRAUOPbHA=
-github.com/argoproj/gitops-engine v0.7.1-0.20240124052710-5fd9f449e757/go.mod h1:gWE8uROi7hIkWGNAVM+8FWkMfo0vZ03SLx/aFw/DBzg=
+github.com/argoproj/gitops-engine v0.7.1-0.20250129155113-a4b7cc110bf1 h1:OnH8vIp1+uahKtk/Rz9Y3mYt6krDw3ArhhtOMgcEAJ8=
+github.com/argoproj/gitops-engine v0.7.1-0.20250129155113-a4b7cc110bf1/go.mod h1:d4eLldeEFyZIcVySAMhXhnh1tTa4qfvPYfut9B8UClw=
 github.com/argoproj/notifications-engine v0.4.1-0.20240403133627-f48567108f01 h1:/V8+HM0VPPTrdjTwUrkIj5a+SjaU//tJwfIXJ1QAOvg=
 github.com/argoproj/notifications-engine v0.4.1-0.20240403133627-f48567108f01/go.mod h1:N0A4sEws2soZjEpY4hgZpQS8mRIEw6otzwfkgc3g9uQ=
 github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1 h1:qsHwwOJ21K2Ao0xPju1sNuqphyMnMYkyB3ZLoLtxWpo=
@@ -796,8 +796,9 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/clbanning/x2j v0.0.0-20191024224557-825249438eec/go.mod h1:jMjuTZXRI4dUb/I5gc9Hdhagfvm9+RyrPryS/auMzxE=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
-github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
+github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
+github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -829,8 +830,8 @@ github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7Do
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11 h1:07n33Z8lZxZ2qwegKbObQohDhXDQxiMMz1NOUGYlesw=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
+github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -854,8 +855,8 @@ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1
 github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
 github.com/edsrzf/mmap-go v1.0.0/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/elazarl/goproxy v1.2.3 h1:xwIyKHbaP5yfT6O9KIeYJR5549MXRQkoQMRXGztz8YQ=
+github.com/elazarl/goproxy v1.2.3/go.mod h1:YfEbZtqP4AetfO6d40vWchF3znWX7C7Vd6ZMfdL8z64=
 github.com/emicklei/go-restful/v3 v3.8.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
 github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
@@ -918,8 +919,8 @@ github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.6.3 h1:ahKqKTFpO5KTPHxWZjEdPScmYaGtLo8Y4DMHoEsnp14=
 github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
-github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
+github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
+github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-fonts/dejavu v0.1.0/go.mod h1:4Wt4I4OU2Nq9asgDCteaAaWZOV24E+0/Pwo0gppep4g=
@@ -929,12 +930,12 @@ github.com/go-fonts/liberation v0.2.0/go.mod h1:K6qoJYypsmfVjWg8KOVDQhLc8UDgIK2H
 github.com/go-fonts/stix v0.1.0/go.mod h1:w/c1f0ldAUlJmLBvlbkvVXLAD+tAMqobIIQpmnUIzUY=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
-github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-billy/v5 v5.6.1 h1:u+dcrgaguSSkbjzHwelEjc0Yj300NUevrrPphk/SoRA=
+github.com/go-git/go-billy/v5 v5.6.1/go.mod h1:0AsLr1z2+Uksi4NlElmMblP5rPcDZNRCD8ujZCRR2BE=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
-github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
+github.com/go-git/go-git/v5 v5.13.1 h1:DAQ9APonnlvSWpvolXWIuV6Q6zXy2wHbN4cVlNR5Q+M=
+github.com/go-git/go-git/v5 v5.13.1/go.mod h1:qryJB4cSBoq3FRoBRf5A77joojuBcmPJ0qu3XXXVixc=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -1090,8 +1091,8 @@ github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71
 github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
-github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
-github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
@@ -1499,8 +1500,8 @@ github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2
 github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg=
 github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM=
 github.com/onsi/gomega v1.25.0/go.mod h1:r+zV744Re+DiYCIPRlYOTxn0YkOLcAnW8k1xXdMPGhM=
-github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
-github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
+github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
+github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -1597,8 +1598,8 @@ github.com/rogpeppe/go-internal v1.2.2/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/rs/cors v1.9.0 h1:l9HGsTsHJcvW14Nk7J9KFz8bzeAWXn3CG6bgt7LsrAE=
 github.com/rs/cors v1.9.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
@@ -1611,8 +1612,8 @@ github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZ
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
 github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
-github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
@@ -1626,8 +1627,8 @@ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic
 github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
-github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY=
+github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
 github.com/skratchdot/open-golang v0.0.0-20160302144031-75fb7ed4208c h1:fyKiXKO1/I/B6Y2U8T7WdQGWzwehOuGIrljPtt7YTTI=
 github.com/skratchdot/open-golang v0.0.0-20160302144031-75fb7ed4208c/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/slack-go/slack v0.12.2 h1:x3OppyMyGIbbiyFhsBmpf9pwkUzMhthJMRNmNlA4LaQ=
@@ -1664,8 +1665,9 @@ github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5J
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
-github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -1675,8 +1677,9 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM=
 github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
@@ -1746,8 +1749,8 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0 h1:ZOLJc06r4CB42laIXg/7udr0pbZyuAihN10A/XuiQRY=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.42.0/go.mod h1:5z+/ZWJQKXa9YT34fQNx5K8Hd1EoIhvtUygUQPqEOgQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 h1:SpGay3w+nEwMpfVnbqOLH5gY52/foP8RE8UzTZ1pdSE=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1/go.mod h1:4UoMYEZOC0yN/sPGH76KPkkU7zgiEWYWL9vwmbnTJPE=
 go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc=
 go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw=
@@ -1814,8 +1817,9 @@ golang.org/x/crypto v0.10.0/go.mod h1:o4eNf7Ede1fv+hwOwZsTHl9EsPFO6q6ZvYR8vYfY45
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -1832,8 +1836,8 @@ golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EH
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw=
 golang.org/x/exp v0.0.0-20220827204233-334a2380cb91/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
-golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1 h1:k/i9J1pBpvlfR+9QsetwPyERsqu1GIbi967PQMq3Ivc=
-golang.org/x/exp v0.0.0-20230522175609-2e198f4a06a1/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
@@ -1878,8 +1882,8 @@ golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
 golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
-golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
+golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1961,8 +1965,8 @@ golang.org/x/net v0.11.0/go.mod h1:2L/ixqYpgIVXmeoSA/4Lu7BzTG4KIyPIryS4IsOd1oQ=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.19.0 h1:zTwKpTd2XuCqf8huc7Fo2iSy+4RHPd10s4KzeTnVr1c=
-golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -2013,8 +2017,8 @@ golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.2.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -2134,8 +2138,9 @@ golang.org/x/sys v0.9.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.17.0 h1:25cE3gD+tdBA7lp7QfhuV+rJiE9YXTcS3VG1SqssI/Y=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -2150,8 +2155,9 @@ golang.org/x/term v0.9.0/go.mod h1:M6DEAAIenWoTxdKrOltXcmDY3rSplQUkrvaDU5FcQyo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/term v0.17.0 h1:mkTF7LCd6WGJNL3K1Ad7kwxNfYAW6a8a8QqtMblp/4U=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2171,8 +2177,9 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -2263,8 +2270,8 @@ golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.7.0/go.mod h1:4pg6aUX35JBAogB10C9AtvVL+qowtN4pT3CGSQex14s=
-golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
-golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
+golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -2577,8 +2584,9 @@ google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqw
 google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.29.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
 google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=

hack/installers/checksums/helm-v3.14.4-darwin-amd64.tar.gz.sha256

@@ -0,0 +1 @@
+73434aeac36ad068ce2e5582b8851a286dc628eae16494a26e2ad0b24a7199f9  helm-v3.14.4-darwin-amd64.tar.gz

hack/installers/checksums/helm-v3.14.4-darwin-arm64.tar.gz.sha256

@@ -0,0 +1 @@
+61e9c5455f06b2ad0a1280975bf65892e707adc19d766b0cf4e9006e3b7b4b6c  helm-v3.14.4-darwin-arm64.tar.gz

hack/installers/checksums/helm-v3.14.4-linux-amd64.tar.gz.sha256

@@ -0,0 +1 @@
+a5844ef2c38ef6ddf3b5a8f7d91e7e0e8ebc39a38bb3fc8013d629c1ef29c259  helm-v3.14.4-linux-amd64.tar.gz

hack/installers/checksums/helm-v3.14.4-linux-arm64.tar.gz.sha256

@@ -0,0 +1 @@
+113ccc53b7c57c2aba0cd0aa560b5500841b18b5210d78641acfddc53dac8ab2  helm-v3.14.4-linux-arm64.tar.gz

hack/installers/checksums/helm-v3.14.4-linux-ppc64le.tar.gz.sha256

@@ -0,0 +1 @@
+d0d625b43f6650ad376428520b2238baa2400bfedb43b2e0f24ad7247f0f59b5  helm-v3.14.4-linux-ppc64le.tar.gz

hack/installers/checksums/helm-v3.14.4-linux-s390x.tar.gz.sha256

@@ -0,0 +1 @@
+a5750d0cb1ba34ce84ab3be6382a14617130661d15dd2aa1b36630b293437936  helm-v3.14.4-linux-s390x.tar.gz

hack/tool-versions.sh

@@ -11,7 +11,7 @@
 # Use ./hack/installers/checksums/add-helm-checksums.sh and
 # add-kustomize-checksums.sh to help download checksums.
 ###############################################################################
-helm3_version=3.14.3
+helm3_version=3.14.4
 kubectl_version=1.17.8
 kubectx_version=0.6.3
 kustomize5_version=5.2.1

manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml

@@ -20,6 +20,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-application-controller
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_RECONCILIATION_TIMEOUT
           valueFrom:
             configMapKeyRef:
@@ -92,6 +97,24 @@ spec:
               name: argocd-cmd-params-cm
               key: controller.self.heal.timeout.seconds
               optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              name: argocd-cmd-params-cm
+              key: controller.self.heal.backoff.timeout.seconds
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
+          valueFrom:
+            configMapKeyRef:
+              name: argocd-cmd-params-cm
+              key: controller.self.heal.backoff.factor
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              name: argocd-cmd-params-cm
+              key: controller.self.heal.backoff.cap.seconds
+              optional: true
         - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
           valueFrom:
             configMapKeyRef:

manifests/base/application-controller/argocd-application-controller-statefulset.yaml

@@ -21,6 +21,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-application-controller
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_CONTROLLER_REPLICAS
           value: "1"
         - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -95,6 +100,24 @@ spec:
               name: argocd-cmd-params-cm
               key: controller.self.heal.timeout.seconds
               optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              name: argocd-cmd-params-cm
+              key: controller.self.heal.backoff.timeout.seconds
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
+          valueFrom:
+            configMapKeyRef:
+              name: argocd-cmd-params-cm
+              key: controller.self.heal.backoff.factor
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              name: argocd-cmd-params-cm
+              key: controller.self.heal.backoff.cap.seconds
+              optional: true
         - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
           valueFrom:
             configMapKeyRef:

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.11.0
+  newTag: v2.11.14
 resources:
 - ./application-controller
 - ./dex

manifests/base/redis/argocd-redis-deployment.yaml

@@ -15,6 +15,23 @@ spec:
       labels:
         app.kubernetes.io/name: argocd-redis
     spec:
+      initContainers:
+        - command:
+            - argocd
+            - admin
+            - redis-initial-password
+          image: quay.io/argoproj/argocd:latest
+          imagePullPolicy: IfNotPresent
+          name: secret-init
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
       securityContext:
         runAsNonRoot: true
         runAsUser: 999
@@ -23,13 +40,20 @@ spec:
       serviceAccountName: argocd-redis        
       containers:
       - name: redis
-        image: redis:7.0.14-alpine
+        image: redis:7.0.15-alpine
         imagePullPolicy: Always
         args:
         - "--save"
         - ""
         - "--appendonly"
         - "no"
+        - --requirepass $(REDIS_PASSWORD)
+        env:
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: auth
+                name: argocd-redis
         ports:
         - containerPort: 6379
         securityContext:

manifests/base/redis/argocd-redis-network-policy.yaml

@@ -8,7 +8,6 @@ spec:
       app.kubernetes.io/name: argocd-redis
   policyTypes:
   - Ingress
-  - Egress
   ingress:
   - from:
     - podSelector:
@@ -23,9 +22,3 @@ spec:
     ports:
     - protocol: TCP
       port: 6379
-  egress:
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP

manifests/base/redis/argocd-redis-role.yaml

@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - argocd-redis
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create

manifests/base/redis/argocd-redis-rolebinding.yaml

@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-redis
+subjects:
+  - kind: ServiceAccount
+    name: argocd-redis

manifests/base/redis/kustomization.yaml

@@ -6,3 +6,5 @@ resources:
 - argocd-redis-sa.yaml
 - argocd-redis-service.yaml
 - argocd-redis-network-policy.yaml
+- argocd-redis-role.yaml
+- argocd-redis-rolebinding.yaml

manifests/base/repo-server/argocd-repo-server-deployment.yaml

@@ -24,6 +24,11 @@ spec:
         args:
           - /usr/local/bin/argocd-repo-server
         env:
+          - name: REDIS_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                key: auth
+                name: argocd-redis
           - name: ARGOCD_RECONCILIATION_TIMEOUT
             valueFrom:
               configMapKeyRef:

manifests/base/server/argocd-server-deployment.yaml

@@ -23,6 +23,11 @@ spec:
         args:
           - /usr/local/bin/argocd-server
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_SERVER_INSECURE
           valueFrom:
             configMapKeyRef:

manifests/core-install.yaml

@@ -106,6 +106,11 @@ spec:
               sync:
                 description: Sync contains parameters for the operation
                 properties:
+                  autoHealAttemptsCount:
+                    description: SelfHealAttemptsCount contains the number of auto-heal
+                      attempts
+                    format: int64
+                    type: integer
                   dryRun:
                     description: DryRun specifies to perform a `kubectl apply --dry-run`
                       without actually performing the sync
@@ -2534,6 +2539,11 @@ spec:
                       sync:
                         description: Sync contains parameters for the operation
                         properties:
+                          autoHealAttemptsCount:
+                            description: SelfHealAttemptsCount contains the number
+                              of auto-heal attempts
+                            format: int64
+                            type: integer
                           dryRun:
                             description: DryRun specifies to perform a `kubectl apply
                               --dry-run` without actually performing the sync
@@ -20816,6 +20826,30 @@ rules:
   - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
@@ -20868,6 +20902,22 @@ subjects:
   name: argocd-applicationset-controller
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-redis
+subjects:
+- kind: ServiceAccount
+  name: argocd-redis
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   labels:
@@ -21184,7 +21234,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -21279,7 +21329,14 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.14-alpine
+        - --requirepass $(REDIS_PASSWORD)
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -21290,6 +21347,23 @@ spec:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+      initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.14
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
       securityContext:
         runAsNonRoot: true
         runAsUser: 999
@@ -21334,6 +21408,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-repo-server
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_RECONCILIATION_TIMEOUT
           valueFrom:
             configMapKeyRef:
@@ -21514,7 +21593,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -21566,7 +21645,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -21651,6 +21730,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-application-controller
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_CONTROLLER_REPLICAS
           value: "1"
         - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -21725,6 +21809,24 @@ spec:
               key: controller.self.heal.timeout.seconds
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.timeout.seconds
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.factor
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.cap.seconds
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
           valueFrom:
             configMapKeyRef:
@@ -21833,7 +21935,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -21915,12 +22017,6 @@ kind: NetworkPolicy
 metadata:
   name: argocd-redis-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
   ingress:
   - from:
     - podSelector:
@@ -21940,7 +22036,6 @@ spec:
       app.kubernetes.io/name: argocd-redis
   policyTypes:
   - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.11.0
+  newTag: v2.11.14

manifests/crds/application-crd.yaml

@@ -105,6 +105,11 @@ spec:
               sync:
                 description: Sync contains parameters for the operation
                 properties:
+                  autoHealAttemptsCount:
+                    description: SelfHealAttemptsCount contains the number of auto-heal
+                      attempts
+                    format: int64
+                    type: integer
                   dryRun:
                     description: DryRun specifies to perform a `kubectl apply --dry-run`
                       without actually performing the sync
@@ -2533,6 +2538,11 @@ spec:
                       sync:
                         description: Sync contains parameters for the operation
                         properties:
+                          autoHealAttemptsCount:
+                            description: SelfHealAttemptsCount contains the number
+                              of auto-heal attempts
+                            format: int64
+                            type: integer
                           dryRun:
                             description: DryRun specifies to perform a `kubectl apply
                               --dry-run` without actually performing the sync

manifests/ha/base/kustomization.yaml

@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.11.0
+  newTag: v2.11.14
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml

@@ -8,7 +8,6 @@ spec:
       app.kubernetes.io/name: argocd-redis-ha-haproxy
   policyTypes:
   - Ingress
-  - Egress
   ingress:
   - from:
     - podSelector:
@@ -25,18 +24,4 @@ spec:
       protocol: TCP
     - port: 26379
       protocol: TCP
-  egress:
-  - to:
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/name: argocd-redis-ha
-    ports:
-    - port: 6379
-      protocol: TCP
-    - port: 26379
-      protocol: TCP
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
+

manifests/ha/base/redis-ha/chart/requirements.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: redis-ha
   repository: https://dandydeveloper.github.io/charts
-  version: 4.22.3
-digest: sha256:ae773caf65b172bdd2216072c03ba76ef3c0383dbd1e2478934a67b9455f6a2e
-generated: "2022-11-02T16:57:25.047025473-07:00"
+  version: 4.26.6
+digest: sha256:c363f48ea8339c4bdb7c8a2cca62aa487b69d0a52a6fe6267fbbbbc07e468abd
+generated: "2024-04-10T11:02:32.957812-07:00"

manifests/ha/base/redis-ha/chart/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
 - name: redis-ha
-  version: 4.22.3
+  version: 4.26.6
   repository: https://dandydeveloper.github.io/charts

manifests/ha/base/redis-ha/chart/upstream.yaml

@@ -9,8 +9,10 @@ metadata:
   labels:
     heritage: Helm
     release: argocd
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
     app: argocd-redis-ha
+secrets:
+- name: argocd-redis
 ---
 # Source: redis-ha/charts/redis-ha/templates/redis-haproxy-serviceaccount.yaml
 apiVersion: v1
@@ -21,7 +23,7 @@ metadata:
   labels:
     heritage: Helm
     release: argocd
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
     app: argocd-redis-ha
 ---
 # Source: redis-ha/charts/redis-ha/templates/redis-ha-configmap.yaml
@@ -33,7 +35,7 @@ metadata:
   labels:
     heritage: Helm
     release: argocd
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
     app: argocd-redis-ha
 data:
   redis.conf: |
@@ -50,6 +52,8 @@ data:
     rdbcompression yes
     repl-diskless-sync yes
     save ""
+    requirepass replace-default-auth
+    masterauth replace-default-auth
 
   sentinel.conf: |
     dir "/data"
@@ -59,6 +63,7 @@ data:
         sentinel failover-timeout argocd 180000
         maxclients 10000
         sentinel parallel-syncs argocd 5
+    sentinel auth-pass argocd replace-default-auth
 
   init.sh: |
     echo "$(date) Start..."
@@ -82,7 +87,7 @@ data:
     sentinel_get_master() {
     set +e
         if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
             grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
         else
             redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -191,9 +196,9 @@ data:
     redis_ping() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
         else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
         fi
     set -e
     }
@@ -226,7 +231,7 @@ data:
 
             if [ "$SENTINEL_PORT" -eq 0 ]; then
                 echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                     echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                     echo "Setting defaults for this pod.."
                     setup_defaults
@@ -345,7 +350,7 @@ data:
     sentinel_get_master() {
     set +e
         if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
             grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
         else
             redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -454,9 +459,9 @@ data:
     redis_ping() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
         else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
         fi
     set -e
     }
@@ -489,7 +494,7 @@ data:
 
             if [ "$SENTINEL_PORT" -eq 0 ]; then
                 echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                     echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                     echo "Setting defaults for this pod.."
                     setup_defaults
@@ -554,9 +559,9 @@ data:
     redis_role() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            ROLE=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
         else
-            ROLE=$(redis-cli  -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
         fi
     set -e
     }
@@ -564,9 +569,9 @@ data:
     identify_redis_master() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
         else
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
         fi
     set -e
     }
@@ -576,9 +581,9 @@ data:
         sh /readonly-config/init.sh
 
         if [ "$REDIS_PORT" -eq 0 ]; then
-            echo "shutdown" | redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key
         else
-            echo "shutdown" | redis-cli  -p "${REDIS_PORT}"
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}"
         fi
     set -e
     }
@@ -591,6 +596,7 @@ data:
         identify_announce_ip
     done
 
+    trap "exit 0" TERM
     while true; do
         sleep 60
 
@@ -674,6 +680,8 @@ data:
       mode tcp
       option tcp-check
       tcp-check connect
+      tcp-check send "AUTH ${AUTH}"\r\n
+      tcp-check expect string +OK
       tcp-check send PING\r\n
       tcp-check expect string +PONG
       tcp-check send info\ replication\r\n
@@ -730,6 +738,7 @@ data:
     get_redis_role() {
       is_master=$(
         redis-cli \
+          -a "${AUTH}" --no-auth-warning \
           -h localhost \
           -p 6379 \
           info | grep -c 'role:master' || true
@@ -766,12 +775,13 @@ metadata:
   labels:
     heritage: Helm
     release: argocd
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
     app: argocd-redis-ha
 data:
   redis_liveness.sh: |
     response=$(
       redis-cli \
+        -a "${AUTH}" --no-auth-warning \
         -h localhost \
         -p 6379 \
         ping
@@ -784,6 +794,7 @@ data:
   redis_readiness.sh: |
     response=$(
       redis-cli \
+        -a "${AUTH}" --no-auth-warning \
         -h localhost \
         -p 6379 \
         ping
@@ -816,7 +827,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
 rules:
 - apiGroups:
     - ""
@@ -835,7 +846,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
     component: argocd-redis-ha-haproxy
 rules:
 - apiGroups:
@@ -855,7 +866,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
 subjects:
 - kind: ServiceAccount
   name: argocd-redis-ha
@@ -874,7 +885,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
     component: argocd-redis-ha-haproxy
 subjects:
 - kind: ServiceAccount
@@ -894,9 +905,8 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
   annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
   publishNotReadyAddresses: true
   type: ClusterIP
@@ -924,9 +934,8 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
   annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
   publishNotReadyAddresses: true
   type: ClusterIP
@@ -954,9 +963,8 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
   annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
 spec:
   publishNotReadyAddresses: true
   type: ClusterIP
@@ -984,7 +992,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
   annotations:
 spec:
   type: ClusterIP
@@ -1012,7 +1020,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
     component: argocd-redis-ha-haproxy
   annotations:
 spec:
@@ -1040,7 +1048,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
 spec:
   strategy:
     type: RollingUpdate
@@ -1056,12 +1064,11 @@ spec:
       labels:
         app: redis-ha-haproxy
         release: argocd
-        revision: "1"
       annotations:
         prometheus.io/port: "9101"
         prometheus.io/scrape: "true"
         prometheus.io/path: "/metrics"
-        checksum/config: 492a6adabb741e0cee39be9aa5155c41a4456629f862d0006a2d892dbecfbcae
+        checksum/config: e34e8124c38bcfd2f16e75620bbde30158686692b13bc449eecc44c51b207d54
     spec:
       # Needed when using unmodified rbac-setup.yml
       
@@ -1081,7 +1088,6 @@ spec:
                 matchLabels:
                   app: redis-ha-haproxy
                   release: argocd
-                  revision: "1"
               topologyKey: kubernetes.io/hostname
       initContainers:
       - name: config-init
@@ -1119,6 +1125,12 @@ spec:
           runAsNonRoot: true
           seccompProfile:
             type: RuntimeDefault
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
         livenessProbe:
           httpGet:
             path: /healthz
@@ -1167,7 +1179,7 @@ metadata:
     app: redis-ha
     heritage: "Helm"
     release: "argocd"
-    chart: redis-ha-4.22.3
+    chart: redis-ha-4.26.6
   annotations:
     {}
 spec:
@@ -1183,7 +1195,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
+        checksum/init-config: 9d3c019a5ea1fd98ab5cde397d8eecd351da884f15e6ba346c607cb2446c2198
       labels:
         release: argocd
         app: redis-ha
@@ -1207,7 +1219,7 @@ spec:
       automountServiceAccountToken: false
       initContainers:
       - name: config-init
-        image: redis:7.0.14-alpine
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         resources:
           {}
@@ -1231,6 +1243,11 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
         volumeMounts:
         - name: config
           mountPath: /readonly-config
@@ -1241,12 +1258,12 @@ spec:
 
       containers:
       - name: redis
-        image: redis:7.0.14-alpine
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         command:
-        - redis-server
+          - redis-server
         args:
-        - /data/conf/redis.conf
+          - /data/conf/redis.conf
         securityContext: 
           allowPrivilegeEscalation: false
           capabilities:
@@ -1256,6 +1273,12 @@ spec:
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
         livenessProbe:
           initialDelaySeconds: 30
           periodSeconds: 15
@@ -1298,7 +1321,7 @@ spec:
               - /bin/sh
               - /readonly-config/trigger-failover-if-master.sh
       - name: sentinel
-        image: redis:7.0.14-alpine
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         command:
           - redis-sentinel
@@ -1313,6 +1336,12 @@ spec:
           runAsUser: 1000
           seccompProfile:
             type: RuntimeDefault
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
         livenessProbe:
           initialDelaySeconds: 30
           periodSeconds: 15
@@ -1349,7 +1378,7 @@ spec:
           {}
 
       - name: split-brain-fix
-        image: redis:7.0.14-alpine
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         command:
           - sh
@@ -1371,6 +1400,11 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              name: argocd-redis
+              key: auth
         resources:
           {}
         volumeMounts:

manifests/ha/base/redis-ha/chart/values.yaml

@@ -1,4 +1,7 @@
 redis-ha:
+  auth: true
+  authKey: auth
+  existingSecret: argocd-redis
   persistentVolume:
     enabled: false
   redis:
@@ -11,6 +14,7 @@ redis-ha:
     IPv6:
       enabled: false
     image:
+      repository: haproxy
       tag: 2.6.14-alpine
     containerSecurityContext: null
     timeout:
@@ -20,7 +24,8 @@ redis-ha:
     metrics:
       enabled: true
   image:
-    tag: 7.0.14-alpine
+    repository: redis
+    tag: 7.0.15-alpine
   containerSecurityContext: null
   sentinel:
     bind: "0.0.0.0"

manifests/ha/base/redis-ha/kustomization.yaml

@@ -20,7 +20,7 @@ patches:
     kind: ConfigMap
     name: argocd-redis-ha-configmap
     namespace: argocd
-  path: overlays/remove-namespace.yaml  
+  path: overlays/remove-namespace.yaml
 - target:
     version: v1
     group: ""
@@ -34,28 +34,28 @@ patches:
     kind: ServiceAccount
     name: argocd-redis-ha-haproxy
     namespace: argocd
-  path: overlays/remove-namespace.yaml 
+  path: overlays/remove-namespace.yaml
 - target:
     group: rbac.authorization.k8s.io
     version: v1
     kind: Role
     name: argocd-redis-ha
     namespace: argocd
-  path: overlays/remove-namespace.yaml 
+  path: overlays/remove-namespace.yaml
 - target:
     group: rbac.authorization.k8s.io
     version: v1
     kind: Role
     name: argocd-redis-ha-haproxy
     namespace: argocd
-  path: overlays/remove-namespace.yaml 
+  path: overlays/remove-namespace.yaml
 - target:
     group: rbac.authorization.k8s.io
     version: v1
     kind: RoleBinding
     name: argocd-redis-ha
     namespace: argocd
-  path: overlays/remove-namespace.yaml      
+  path: overlays/remove-namespace.yaml
 - target:
     group: rbac.authorization.k8s.io
     version: v1
@@ -294,3 +294,15 @@ patches:
     kind: StatefulSet
     name: argocd-redis-ha-server
   path: overlays/statefulset-containers-securityContext.yaml
+- target:
+      group: rbac.authorization.k8s.io
+      version: v1
+      kind: Role
+      name: argocd-redis-ha-haproxy
+  path: overlays/haproxy-role.yaml
+- target:
+    group: apps
+    version: v1
+    kind: Deployment
+    name: argocd-redis-ha-haproxy
+  path: overlays/deployment-initContainers.yaml

manifests/ha/base/redis-ha/overlays/deployment-initContainers.yaml

@@ -0,0 +1,16 @@
+- op: add
+  path: /spec/template/spec/initContainers/0
+  value:
+    name: secret-init
+    command: [ 'argocd', 'admin', 'redis-initial-password' ]
+    image: quay.io/argoproj/argocd:latest
+    imagePullPolicy: IfNotPresent
+    securityContext:
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      seccompProfile:
+        type: RuntimeDefault

manifests/ha/base/redis-ha/overlays/haproxy-role.yaml

@@ -0,0 +1,20 @@
+- op: add
+  path: /rules/0
+  value:
+    apiGroups:
+      - ""
+    resources:
+      - secrets
+    resourceNames:
+      - argocd-redis
+    verbs:
+      - get
+- op: add
+  path: /rules/0
+  value:
+    apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create

manifests/ha/install.yaml

@@ -106,6 +106,11 @@ spec:
               sync:
                 description: Sync contains parameters for the operation
                 properties:
+                  autoHealAttemptsCount:
+                    description: SelfHealAttemptsCount contains the number of auto-heal
+                      attempts
+                    format: int64
+                    type: integer
                   dryRun:
                     description: DryRun specifies to perform a `kubectl apply --dry-run`
                       without actually performing the sync
@@ -2534,6 +2539,11 @@ spec:
                       sync:
                         description: Sync contains parameters for the operation
                         properties:
+                          autoHealAttemptsCount:
+                            description: SelfHealAttemptsCount contains the number
+                              of auto-heal attempts
+                            format: int64
+                            type: integer
                           dryRun:
                             description: DryRun specifies to perform a `kubectl apply
                               --dry-run` without actually performing the sync
@@ -20710,6 +20720,8 @@ metadata:
     app.kubernetes.io/name: argocd-redis-ha
     app.kubernetes.io/part-of: argocd
   name: argocd-redis-ha
+secrets:
+- name: argocd-redis
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -20940,6 +20952,20 @@ metadata:
     app.kubernetes.io/part-of: argocd
   name: argocd-redis-ha-haproxy
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
 - apiGroups:
   - ""
   resources:
@@ -21384,7 +21410,7 @@ data:
     sentinel_get_master() {
     set +e
         if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
             grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
         else
             redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -21493,9 +21519,9 @@ data:
     redis_ping() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
         else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
         fi
     set -e
     }
@@ -21528,7 +21554,7 @@ data:
 
             if [ "$SENTINEL_PORT" -eq 0 ]; then
                 echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                     echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                     echo "Setting defaults for this pod.."
                     setup_defaults
@@ -21593,9 +21619,9 @@ data:
     redis_role() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            ROLE=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
         else
-            ROLE=$(redis-cli  -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
         fi
     set -e
     }
@@ -21603,9 +21629,9 @@ data:
     identify_redis_master() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
         else
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
         fi
     set -e
     }
@@ -21615,9 +21641,9 @@ data:
         sh /readonly-config/init.sh
 
         if [ "$REDIS_PORT" -eq 0 ]; then
-            echo "shutdown" | redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key
         else
-            echo "shutdown" | redis-cli  -p "${REDIS_PORT}"
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}"
         fi
     set -e
     }
@@ -21630,6 +21656,7 @@ data:
         identify_announce_ip
     done
 
+    trap "exit 0" TERM
     while true; do
         sleep 60
 
@@ -21672,9 +21699,10 @@ data:
     decide redis backend to use\n#master\nfrontend ft_redis_master\n  bind :6379 \n
     \ use_backend bk_redis_master\n# Check all redis servers to see if they think
     they are master\nbackend bk_redis_master\n  mode tcp\n  option tcp-check\n  tcp-check
-    connect\n  tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check
-    send info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check
-    send QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
+    connect\n  tcp-check send \"AUTH ${AUTH}\"\\r\\n\n  tcp-check expect string +OK\n
+    \ tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check send
+    info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check send
+    QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
     } { nbsrv(check_if_redis_is_master_0) ge 2 }\n  server R0 argocd-redis-ha-announce-0:6379
     check inter 3s fall 1 rise 1\n  use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1)
     ge 2 }\n  server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise
@@ -21737,7 +21765,7 @@ data:
     sentinel_get_master() {
     set +e
         if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
             grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
         else
             redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -21846,9 +21874,9 @@ data:
     redis_ping() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
         else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
         fi
     set -e
     }
@@ -21881,7 +21909,7 @@ data:
 
             if [ "$SENTINEL_PORT" -eq 0 ]; then
                 echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                     echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                     echo "Setting defaults for this pod.."
                     setup_defaults
@@ -21989,6 +22017,8 @@ data:
     rdbcompression yes
     repl-diskless-sync yes
     save ""
+    requirepass replace-default-auth
+    masterauth replace-default-auth
   sentinel.conf: |
     dir "/data"
     port 26379
@@ -21997,10 +22027,12 @@ data:
         sentinel failover-timeout argocd 180000
         maxclients 10000
         sentinel parallel-syncs argocd 5
+    sentinel auth-pass argocd replace-default-auth
   trigger-failover-if-master.sh: |
     get_redis_role() {
       is_master=$(
         redis-cli \
+          -a "${AUTH}" --no-auth-warning \
           -h localhost \
           -p 6379 \
           info | grep -c 'role:master' || true
@@ -22040,6 +22072,7 @@ data:
   redis_liveness.sh: |
     response=$(
       redis-cli \
+        -a "${AUTH}" --no-auth-warning \
         -h localhost \
         -p 6379 \
         ping
@@ -22052,6 +22085,7 @@ data:
   redis_readiness.sh: |
     response=$(
       redis-cli \
+        -a "${AUTH}" --no-auth-warning \
         -h localhost \
         -p 6379 \
         ping
@@ -22240,8 +22274,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     app.kubernetes.io/component: redis
     app.kubernetes.io/name: argocd-redis-ha
@@ -22266,8 +22298,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     app.kubernetes.io/component: redis
     app.kubernetes.io/name: argocd-redis-ha
@@ -22292,8 +22322,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     app.kubernetes.io/component: redis
     app.kubernetes.io/name: argocd-redis-ha
@@ -22547,7 +22575,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -22670,7 +22698,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -22752,7 +22780,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -22810,7 +22838,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 492a6adabb741e0cee39be9aa5155c41a4456629f862d0006a2d892dbecfbcae
+        checksum/config: e34e8124c38bcfd2f16e75620bbde30158686692b13bc449eecc44c51b207d54
         prometheus.io/path: /metrics
         prometheus.io/port: "9101"
         prometheus.io/scrape: "true"
@@ -22826,7 +22854,13 @@ spec:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
       containers:
-      - image: haproxy:2.6.14-alpine
+      - env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: haproxy:2.6.14-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -22861,6 +22895,22 @@ spec:
         - mountPath: /run/haproxy
           name: shared-socket
       initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.14
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
       - args:
         - /readonly/haproxy_init.sh
         command:
@@ -22933,6 +22983,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-repo-server
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_RECONCILIATION_TIMEOUT
           valueFrom:
             configMapKeyRef:
@@ -23113,7 +23168,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -23165,7 +23220,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -23250,6 +23305,11 @@ spec:
         env:
         - name: ARGOCD_API_SERVER_REPLICAS
           value: "2"
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_SERVER_INSECURE
           valueFrom:
             configMapKeyRef:
@@ -23484,7 +23544,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -23596,6 +23656,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-application-controller
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_CONTROLLER_REPLICAS
           value: "1"
         - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -23670,6 +23735,24 @@ spec:
               key: controller.self.heal.timeout.seconds
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.timeout.seconds
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.factor
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.cap.seconds
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
           valueFrom:
             configMapKeyRef:
@@ -23778,7 +23861,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -23838,7 +23921,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
+        checksum/init-config: 9d3c019a5ea1fd98ab5cde397d8eecd351da884f15e6ba346c607cb2446c2198
       labels:
         app.kubernetes.io/name: argocd-redis-ha
     spec:
@@ -23855,7 +23938,13 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.14-alpine
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -23909,7 +23998,13 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.14-alpine
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -23962,7 +24057,12 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.14-alpine
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
@@ -23992,7 +24092,12 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.14-alpine
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:
@@ -24115,21 +24220,6 @@ kind: NetworkPolicy
 metadata:
   name: argocd-redis-ha-proxy-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 6379
-      protocol: TCP
-    - port: 26379
-      protocol: TCP
-    to:
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/name: argocd-redis-ha
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
   ingress:
   - from:
     - podSelector:
@@ -24151,7 +24241,6 @@ spec:
       app.kubernetes.io/name: argocd-redis-ha-haproxy
   policyTypes:
   - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

manifests/ha/namespace-install.yaml

@@ -43,6 +43,8 @@ metadata:
     app.kubernetes.io/name: argocd-redis-ha
     app.kubernetes.io/part-of: argocd
   name: argocd-redis-ha
+secrets:
+- name: argocd-redis
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -273,6 +275,20 @@ metadata:
     app.kubernetes.io/part-of: argocd
   name: argocd-redis-ha-haproxy
 rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
 - apiGroups:
   - ""
   resources:
@@ -505,7 +521,7 @@ data:
     sentinel_get_master() {
     set +e
         if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
             grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
         else
             redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -614,9 +630,9 @@ data:
     redis_ping() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
         else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
         fi
     set -e
     }
@@ -649,7 +665,7 @@ data:
 
             if [ "$SENTINEL_PORT" -eq 0 ]; then
                 echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                     echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                     echo "Setting defaults for this pod.."
                     setup_defaults
@@ -714,9 +730,9 @@ data:
     redis_role() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            ROLE=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep role | sed 's/role://' | sed 's/\r//')
         else
-            ROLE=$(redis-cli  -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
+            ROLE=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep role | sed 's/role://' | sed 's/\r//')
         fi
     set -e
     }
@@ -724,9 +740,9 @@ data:
     identify_redis_master() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key info | grep master_host | sed 's/master_host://' | sed 's/\r//')
         else
-            REDIS_MASTER=$(redis-cli  -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
+            REDIS_MASTER=$(redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" info | grep master_host | sed 's/master_host://' | sed 's/\r//')
         fi
     set -e
     }
@@ -736,9 +752,9 @@ data:
         sh /readonly-config/init.sh
 
         if [ "$REDIS_PORT" -eq 0 ]; then
-            echo "shutdown" | redis-cli  -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key
         else
-            echo "shutdown" | redis-cli  -p "${REDIS_PORT}"
+            echo "shutdown" | redis-cli  -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}"
         fi
     set -e
     }
@@ -751,6 +767,7 @@ data:
         identify_announce_ip
     done
 
+    trap "exit 0" TERM
     while true; do
         sleep 60
 
@@ -793,9 +810,10 @@ data:
     decide redis backend to use\n#master\nfrontend ft_redis_master\n  bind :6379 \n
     \ use_backend bk_redis_master\n# Check all redis servers to see if they think
     they are master\nbackend bk_redis_master\n  mode tcp\n  option tcp-check\n  tcp-check
-    connect\n  tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check
-    send info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check
-    send QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
+    connect\n  tcp-check send \"AUTH ${AUTH}\"\\r\\n\n  tcp-check expect string +OK\n
+    \ tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check send
+    info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check send
+    QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
     } { nbsrv(check_if_redis_is_master_0) ge 2 }\n  server R0 argocd-redis-ha-announce-0:6379
     check inter 3s fall 1 rise 1\n  use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1)
     ge 2 }\n  server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise
@@ -858,7 +876,7 @@ data:
     sentinel_get_master() {
     set +e
         if [ "$SENTINEL_PORT" -eq 0 ]; then
-            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
+            redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
             grep -E '((^\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\s*$)|(^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?s*$))'
         else
             redis-cli -h "${SERVICE}" -p "${SENTINEL_PORT}"  sentinel get-master-addr-by-name "${MASTER_GROUP}" |\
@@ -967,9 +985,9 @@ data:
     redis_ping() {
     set +e
         if [ "$REDIS_PORT" -eq 0 ]; then
-            redis-cli -h "${MASTER}" -p "${REDIS_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_TLS_PORT}" --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key ping
         else
-            redis-cli -h "${MASTER}" -p "${REDIS_PORT}" ping
+            redis-cli -h "${MASTER}" -a "${AUTH}" --no-auth-warning -p "${REDIS_PORT}" ping
         fi
     set -e
     }
@@ -1002,7 +1020,7 @@ data:
 
             if [ "$SENTINEL_PORT" -eq 0 ]; then
                 echo "  on sentinel (${SERVICE}:${SENTINEL_TLS_PORT}), sentinel grp (${MASTER_GROUP})"
-                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"   --tls --cacert /tls-certs/ca.crt --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
+                if redis-cli -h "${SERVICE}" -p "${SENTINEL_TLS_PORT}"  --tls --cacert /tls-certs/ca.crt  --cert /tls-certs/redis.crt --key /tls-certs/redis.key sentinel failover "${MASTER_GROUP}" | grep -q 'NOGOODSLAVE' ; then
                     echo "  $(date) Failover returned with 'NOGOODSLAVE'"
                     echo "Setting defaults for this pod.."
                     setup_defaults
@@ -1110,6 +1128,8 @@ data:
     rdbcompression yes
     repl-diskless-sync yes
     save ""
+    requirepass replace-default-auth
+    masterauth replace-default-auth
   sentinel.conf: |
     dir "/data"
     port 26379
@@ -1118,10 +1138,12 @@ data:
         sentinel failover-timeout argocd 180000
         maxclients 10000
         sentinel parallel-syncs argocd 5
+    sentinel auth-pass argocd replace-default-auth
   trigger-failover-if-master.sh: |
     get_redis_role() {
       is_master=$(
         redis-cli \
+          -a "${AUTH}" --no-auth-warning \
           -h localhost \
           -p 6379 \
           info | grep -c 'role:master' || true
@@ -1161,6 +1183,7 @@ data:
   redis_liveness.sh: |
     response=$(
       redis-cli \
+        -a "${AUTH}" --no-auth-warning \
         -h localhost \
         -p 6379 \
         ping
@@ -1173,6 +1196,7 @@ data:
   redis_readiness.sh: |
     response=$(
       redis-cli \
+        -a "${AUTH}" --no-auth-warning \
         -h localhost \
         -p 6379 \
         ping
@@ -1361,8 +1385,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     app.kubernetes.io/component: redis
     app.kubernetes.io/name: argocd-redis-ha
@@ -1387,8 +1409,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     app.kubernetes.io/component: redis
     app.kubernetes.io/name: argocd-redis-ha
@@ -1413,8 +1433,6 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  annotations:
-    service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
   labels:
     app.kubernetes.io/component: redis
     app.kubernetes.io/name: argocd-redis-ha
@@ -1668,7 +1686,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1791,7 +1809,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1873,7 +1891,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1931,7 +1949,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 492a6adabb741e0cee39be9aa5155c41a4456629f862d0006a2d892dbecfbcae
+        checksum/config: e34e8124c38bcfd2f16e75620bbde30158686692b13bc449eecc44c51b207d54
         prometheus.io/path: /metrics
         prometheus.io/port: "9101"
         prometheus.io/scrape: "true"
@@ -1947,7 +1965,13 @@ spec:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
       containers:
-      - image: haproxy:2.6.14-alpine
+      - env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: haproxy:2.6.14-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -1982,6 +2006,22 @@ spec:
         - mountPath: /run/haproxy
           name: shared-socket
       initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.14
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
       - args:
         - /readonly/haproxy_init.sh
         command:
@@ -2054,6 +2094,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-repo-server
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_RECONCILIATION_TIMEOUT
           valueFrom:
             configMapKeyRef:
@@ -2234,7 +2279,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2286,7 +2331,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2371,6 +2416,11 @@ spec:
         env:
         - name: ARGOCD_API_SERVER_REPLICAS
           value: "2"
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_SERVER_INSECURE
           valueFrom:
             configMapKeyRef:
@@ -2605,7 +2655,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2717,6 +2767,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-application-controller
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_CONTROLLER_REPLICAS
           value: "1"
         - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -2791,6 +2846,24 @@ spec:
               key: controller.self.heal.timeout.seconds
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.timeout.seconds
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.factor
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.cap.seconds
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
           valueFrom:
             configMapKeyRef:
@@ -2899,7 +2972,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -2959,7 +3032,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
+        checksum/init-config: 9d3c019a5ea1fd98ab5cde397d8eecd351da884f15e6ba346c607cb2446c2198
       labels:
         app.kubernetes.io/name: argocd-redis-ha
     spec:
@@ -2976,7 +3049,13 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.14-alpine
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -3030,7 +3109,13 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.14-alpine
+        env:
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -3083,7 +3168,12 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.14-alpine
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
@@ -3113,7 +3203,12 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.14-alpine
+        - name: AUTH
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:
@@ -3236,21 +3331,6 @@ kind: NetworkPolicy
 metadata:
   name: argocd-redis-ha-proxy-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 6379
-      protocol: TCP
-    - port: 26379
-      protocol: TCP
-    to:
-    - podSelector:
-        matchLabels:
-          app.kubernetes.io/name: argocd-redis-ha
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
   ingress:
   - from:
     - podSelector:
@@ -3272,7 +3352,6 @@ spec:
       app.kubernetes.io/name: argocd-redis-ha-haproxy
   policyTypes:
   - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

manifests/install.yaml

@@ -106,6 +106,11 @@ spec:
               sync:
                 description: Sync contains parameters for the operation
                 properties:
+                  autoHealAttemptsCount:
+                    description: SelfHealAttemptsCount contains the number of auto-heal
+                      attempts
+                    format: int64
+                    type: integer
                   dryRun:
                     description: DryRun specifies to perform a `kubectl apply --dry-run`
                       without actually performing the sync
@@ -2534,6 +2539,11 @@ spec:
                       sync:
                         description: Sync contains parameters for the operation
                         properties:
+                          autoHealAttemptsCount:
+                            description: SelfHealAttemptsCount contains the number
+                              of auto-heal attempts
+                            format: int64
+                            type: integer
                           dryRun:
                             description: DryRun specifies to perform a `kubectl apply
                               --dry-run` without actually performing the sync
@@ -20908,6 +20918,30 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   labels:
     app.kubernetes.io/component: server
@@ -21177,6 +21211,22 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-redis
+subjects:
+- kind: ServiceAccount
+  name: argocd-redis
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   labels:
     app.kubernetes.io/component: server
@@ -21642,7 +21692,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -21765,7 +21815,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -21847,7 +21897,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -21924,7 +21974,14 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.14-alpine
+        - --requirepass $(REDIS_PASSWORD)
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -21935,6 +21992,23 @@ spec:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+      initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.14
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
       securityContext:
         runAsNonRoot: true
         runAsUser: 999
@@ -21979,6 +22053,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-repo-server
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_RECONCILIATION_TIMEOUT
           valueFrom:
             configMapKeyRef:
@@ -22159,7 +22238,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -22211,7 +22290,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -22294,6 +22373,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-server
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_SERVER_INSECURE
           valueFrom:
             configMapKeyRef:
@@ -22528,7 +22612,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -22640,6 +22724,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-application-controller
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_CONTROLLER_REPLICAS
           value: "1"
         - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -22714,6 +22803,24 @@ spec:
               key: controller.self.heal.timeout.seconds
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.timeout.seconds
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.factor
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.cap.seconds
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
           valueFrom:
             configMapKeyRef:
@@ -22822,7 +22929,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -22951,12 +23058,6 @@ kind: NetworkPolicy
 metadata:
   name: argocd-redis-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
   ingress:
   - from:
     - podSelector:
@@ -22976,7 +23077,6 @@ spec:
       app.kubernetes.io/name: argocd-redis
   policyTypes:
   - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

manifests/namespace-install.yaml

@@ -241,6 +241,30 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+rules:
+- apiGroups:
+  - ""
+  resourceNames:
+  - argocd-redis
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
 metadata:
   labels:
     app.kubernetes.io/component: server
@@ -349,6 +373,22 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: argocd-redis
+subjects:
+- kind: ServiceAccount
+  name: argocd-redis
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   labels:
     app.kubernetes.io/component: server
@@ -763,7 +803,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -886,7 +926,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -968,7 +1008,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1045,7 +1085,14 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.14-alpine
+        - --requirepass $(REDIS_PASSWORD)
+        env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
+        image: redis:7.0.15-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -1056,6 +1103,23 @@ spec:
             drop:
             - ALL
           readOnlyRootFilesystem: true
+      initContainers:
+      - command:
+        - argocd
+        - admin
+        - redis-initial-password
+        image: quay.io/argoproj/argocd:v2.11.14
+        imagePullPolicy: IfNotPresent
+        name: secret-init
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
       securityContext:
         runAsNonRoot: true
         runAsUser: 999
@@ -1100,6 +1164,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-repo-server
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_RECONCILIATION_TIMEOUT
           valueFrom:
             configMapKeyRef:
@@ -1280,7 +1349,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1332,7 +1401,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1415,6 +1484,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-server
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_SERVER_INSECURE
           valueFrom:
             configMapKeyRef:
@@ -1649,7 +1723,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1761,6 +1835,11 @@ spec:
       - args:
         - /usr/local/bin/argocd-application-controller
         env:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: auth
+              name: argocd-redis
         - name: ARGOCD_CONTROLLER_REPLICAS
           value: "1"
         - name: ARGOCD_RECONCILIATION_TIMEOUT
@@ -1835,6 +1914,24 @@ spec:
               key: controller.self.heal.timeout.seconds
               name: argocd-cmd-params-cm
               optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_TIMEOUT_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.timeout.seconds
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_FACTOR
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.factor
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_APPLICATION_CONTROLLER_SELF_HEAL_BACKOFF_CAP_SECONDS
+          valueFrom:
+            configMapKeyRef:
+              key: controller.self.heal.backoff.cap.seconds
+              name: argocd-cmd-params-cm
+              optional: true
         - name: ARGOCD_APPLICATION_CONTROLLER_REPO_SERVER_PLAINTEXT
           valueFrom:
             configMapKeyRef:
@@ -1943,7 +2040,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.11.0
+        image: quay.io/argoproj/argocd:v2.11.14
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -2072,12 +2169,6 @@ kind: NetworkPolicy
 metadata:
   name: argocd-redis-network-policy
 spec:
-  egress:
-  - ports:
-    - port: 53
-      protocol: UDP
-    - port: 53
-      protocol: TCP
   ingress:
   - from:
     - podSelector:
@@ -2097,7 +2188,6 @@ spec:
       app.kubernetes.io/name: argocd-redis
   policyTypes:
   - Ingress
-  - Egress
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

pkg/apiclient/settings/settings.pb.go

@@ -101,6 +101,7 @@ type Settings struct {
 	ExecEnabled               bool                               `protobuf:"varint,22,opt,name=execEnabled,proto3" json:"execEnabled,omitempty"`
 	ControllerNamespace       string                             `protobuf:"bytes,23,opt,name=controllerNamespace,proto3" json:"controllerNamespace,omitempty"`
 	AppsInAnyNamespaceEnabled bool                               `protobuf:"varint,24,opt,name=appsInAnyNamespaceEnabled,proto3" json:"appsInAnyNamespaceEnabled,omitempty"`
+	InstallationID            string                             `protobuf:"bytes,26,opt,name=installationID,proto3" json:"installationID,omitempty"`
 	XXX_NoUnkeyedLiteral      struct{}                           `json:"-"`
 	XXX_unrecognized          []byte                             `json:"-"`
 	XXX_sizecache             int32                              `json:"-"`
@@ -307,6 +308,13 @@ func (m *Settings) GetAppsInAnyNamespaceEnabled() bool {
 	return false
 }
 
+func (m *Settings) GetInstallationID() string {
+	if m != nil {
+		return m.InstallationID
+	}
+	return ""
+}
+
 type GoogleAnalyticsConfig struct {
 	TrackingID           string   `protobuf:"bytes,1,opt,name=trackingID,proto3" json:"trackingID,omitempty"`
 	AnonymizeUsers       bool     `protobuf:"varint,2,opt,name=anonymizeUsers,proto3" json:"anonymizeUsers,omitempty"`
@@ -740,83 +748,84 @@ func init() {
 func init() { proto.RegisterFile("server/settings/settings.proto", fileDescriptor_a480d494da040caa) }
 
 var fileDescriptor_a480d494da040caa = []byte{
-	// 1215 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
-	0x14, 0xd7, 0xd6, 0x69, 0x62, 0x3f, 0x37, 0x75, 0x32, 0x6d, 0xd3, 0xad, 0x55, 0x12, 0xe3, 0x43,
-	0x65, 0x10, 0xac, 0x9b, 0x54, 0x08, 0x54, 0x51, 0x41, 0x6d, 0x57, 0xad, 0x69, 0xda, 0x86, 0x69,
-	0xd3, 0x03, 0x97, 0x6a, 0xb2, 0x7e, 0xac, 0x97, 0xac, 0x67, 0x56, 0x33, 0xb3, 0xa6, 0xee, 0x91,
-	0x0f, 0xc0, 0x05, 0x3e, 0x0b, 0x07, 0xee, 0x08, 0x8e, 0x48, 0xdc, 0x23, 0x64, 0xf1, 0x41, 0xd0,
-	0xce, 0xfe, 0xc9, 0x66, 0xed, 0x14, 0xa4, 0xde, 0x66, 0x7e, 0xbf, 0xf7, 0x6f, 0xde, 0xbc, 0x37,
-	0xf3, 0x60, 0x5b, 0xa1, 0x9c, 0xa2, 0xec, 0x2a, 0xd4, 0xda, 0xe7, 0x9e, 0xca, 0x17, 0x4e, 0x28,
-	0x85, 0x16, 0x64, 0xcd, 0x0d, 0x22, 0xa5, 0x51, 0x36, 0xaf, 0x7a, 0xc2, 0x13, 0x06, 0xeb, 0xc6,
-	0xab, 0x84, 0x6e, 0xde, 0xf4, 0x84, 0xf0, 0x02, 0xec, 0xb2, 0xd0, 0xef, 0x32, 0xce, 0x85, 0x66,
-	0xda, 0x17, 0x3c, 0x55, 0x6e, 0xee, 0x7b, 0xbe, 0x1e, 0x47, 0x47, 0x8e, 0x2b, 0x26, 0x5d, 0x26,
-	0x8d, 0xfa, 0x77, 0x66, 0xf1, 0xb1, 0x3b, 0xea, 0x4e, 0xf7, 0xba, 0xe1, 0xb1, 0x17, 0x6b, 0xaa,
-	0x2e, 0x0b, 0xc3, 0xc0, 0x77, 0x8d, 0x6e, 0x77, 0xba, 0xcb, 0x82, 0x70, 0xcc, 0x76, 0xbb, 0x1e,
-	0x72, 0x94, 0x4c, 0xe3, 0x28, 0xb5, 0xf6, 0xe5, 0x7f, 0x58, 0x2b, 0x9f, 0x44, 0xf8, 0x23, 0xb7,
-	0xeb, 0x06, 0xcc, 0x9f, 0xa4, 0xf1, 0xb4, 0x1b, 0xb0, 0xfe, 0x3c, 0x65, 0xbf, 0x8e, 0x50, 0xce,
-	0xda, 0xbf, 0xd4, 0xa1, 0x9a, 0x21, 0xe4, 0x06, 0x54, 0x22, 0x19, 0xd8, 0x56, 0xcb, 0xea, 0xd4,
-	0x7a, 0x6b, 0xf3, 0x93, 0x9d, 0xca, 0x21, 0xdd, 0xa7, 0x31, 0x46, 0x6e, 0x43, 0x6d, 0x84, 0xaf,
-	0xfb, 0x82, 0x7f, 0xeb, 0x7b, 0xf6, 0x85, 0x96, 0xd5, 0xa9, 0xef, 0x11, 0x27, 0xcd, 0x8c, 0x33,
-	0xc8, 0x18, 0x7a, 0x2a, 0x44, 0xfa, 0x00, 0xb1, 0xff, 0x54, 0xa5, 0x62, 0x54, 0xae, 0xe4, 0x2a,
-	0xcf, 0x86, 0x83, 0x7e, 0x42, 0xf5, 0x2e, 0xcf, 0x4f, 0x76, 0xe0, 0x74, 0x4f, 0x0b, 0x6a, 0xa4,
-	0x05, 0x75, 0x16, 0x86, 0xfb, 0xec, 0x08, 0x83, 0xc7, 0x38, 0xb3, 0x57, 0xe2, 0xc8, 0x68, 0x11,
-	0x22, 0x2f, 0x61, 0x53, 0xa2, 0x12, 0x91, 0x74, 0xf1, 0xd9, 0x14, 0xa5, 0xf4, 0x47, 0xa8, 0xec,
-	0x8b, 0xad, 0x4a, 0xa7, 0xbe, 0xd7, 0xc9, 0xbd, 0x65, 0x27, 0x74, 0x68, 0x59, 0xf4, 0x01, 0xd7,
-	0x72, 0x46, 0x17, 0x4d, 0x10, 0x07, 0x88, 0xd2, 0x4c, 0x47, 0xaa, 0xc7, 0x46, 0x1e, 0x3e, 0xe0,
-	0xec, 0x28, 0xc0, 0x91, 0xbd, 0xda, 0xb2, 0x3a, 0x55, 0xba, 0x84, 0x21, 0x8f, 0xa0, 0x91, 0x54,
-	0xc2, 0x7d, 0xce, 0x82, 0x99, 0xf6, 0x5d, 0x65, 0xaf, 0x99, 0x33, 0x6f, 0xe7, 0x51, 0x3c, 0x3c,
-	0xcb, 0xa7, 0xc7, 0x2d, 0xab, 0x91, 0x37, 0xb0, 0x71, 0x1c, 0x29, 0x2d, 0x26, 0xfe, 0x1b, 0x7c,
-	0x16, 0x9a, 0x6a, 0xb2, 0xab, 0xc6, 0xd4, 0x53, 0xe7, 0xb4, 0x00, 0x9c, 0xac, 0x00, 0xcc, 0xe2,
-	0x95, 0x3b, 0x72, 0xa6, 0x7b, 0x4e, 0x78, 0xec, 0x39, 0x71, 0x39, 0x39, 0x85, 0x72, 0x72, 0xb2,
-	0x72, 0x72, 0x1e, 0x97, 0xac, 0xd2, 0x05, 0x3f, 0xe4, 0x7d, 0x58, 0x19, 0x63, 0x10, 0xda, 0x35,
-	0xe3, 0x6f, 0x3d, 0x0f, 0xfd, 0x11, 0x06, 0x21, 0x35, 0x14, 0xf9, 0x00, 0xd6, 0xc2, 0x20, 0xf2,
-	0x7c, 0xae, 0x6c, 0x30, 0x69, 0x6e, 0xe4, 0x52, 0x07, 0x06, 0xa7, 0x19, 0x1f, 0xe7, 0x30, 0x52,
-	0x28, 0xf7, 0x45, 0xbc, 0x1b, 0xf8, 0x2a, 0xc9, 0x61, 0x3d, 0xc9, 0xe1, 0x22, 0x43, 0x7e, 0xb4,
-	0xe0, 0xba, 0x6b, 0xb2, 0xf2, 0x84, 0x71, 0xe6, 0xe1, 0x04, 0xb9, 0x3e, 0x48, 0x7d, 0x5d, 0x32,
-	0xbe, 0x5e, 0xbc, 0x5b, 0x06, 0xfa, 0x4b, 0x8d, 0xd3, 0xf3, 0x9c, 0x92, 0x8f, 0x60, 0x33, 0x4f,
-	0xd1, 0x4b, 0x94, 0xca, 0xdc, 0xc5, 0x7a, 0xab, 0xd2, 0xa9, 0xd1, 0x45, 0x82, 0x34, 0xa1, 0x1a,
-	0xf9, 0x7d, 0xa5, 0x0e, 0xe9, 0xbe, 0x7d, 0xd9, 0x54, 0x6a, 0xbe, 0x27, 0x1d, 0x68, 0x44, 0x7e,
-	0x8f, 0x71, 0x8e, 0xb2, 0x2f, 0xb8, 0x46, 0xae, 0xed, 0x86, 0x11, 0x29, 0xc3, 0x71, 0xc9, 0x67,
-	0x50, 0x6c, 0x68, 0x23, 0x29, 0xf9, 0x02, 0x14, 0xdb, 0x0a, 0x99, 0x52, 0xdf, 0x0b, 0x39, 0x3a,
-	0x60, 0x5a, 0xa3, 0xe4, 0xf6, 0x66, 0x62, 0xab, 0x04, 0x93, 0x5b, 0x70, 0x59, 0x4b, 0xe6, 0x1e,
-	0xfb, 0xdc, 0x7b, 0x82, 0x7a, 0x2c, 0x46, 0x36, 0x31, 0x82, 0x25, 0x34, 0x3e, 0x67, 0xe6, 0xe0,
-	0x00, 0xe5, 0x84, 0xf1, 0x38, 0xbe, 0x2b, 0xe6, 0x9e, 0x16, 0x09, 0xf2, 0x21, 0x6c, 0xe4, 0xa0,
-	0x50, 0x7e, 0x9c, 0x62, 0xfb, 0xaa, 0xb1, 0xbb, 0x80, 0x97, 0xda, 0x88, 0x0a, 0xa1, 0x0f, 0x65,
-	0x60, 0x5f, 0x33, 0xd2, 0x4b, 0x98, 0xf8, 0xf4, 0xf8, 0x1a, 0xdd, 0xac, 0xdf, 0xb6, 0x4c, 0x0c,
-	0x45, 0x88, 0xdc, 0x86, 0x2b, 0xae, 0xe0, 0x5a, 0x8a, 0x20, 0x40, 0xf9, 0x94, 0x4d, 0x50, 0x85,
-	0xcc, 0x45, 0xfb, 0xba, 0x31, 0xb9, 0x8c, 0x22, 0x9f, 0xc3, 0x0d, 0x16, 0x86, 0x6a, 0xc8, 0xef,
-	0xf3, 0x59, 0x8e, 0x66, 0x1e, 0x6c, 0xe3, 0xe1, 0x7c, 0x81, 0xe6, 0xcf, 0x16, 0x6c, 0x2d, 0x7f,
-	0x36, 0xc8, 0x06, 0x54, 0x8e, 0x71, 0x96, 0xbc, 0x97, 0x34, 0x5e, 0x92, 0x11, 0x5c, 0x9c, 0xb2,
-	0x20, 0xc2, 0xf4, 0x89, 0x7c, 0xc7, 0x86, 0x2d, 0xbb, 0xa5, 0x89, 0xf1, 0xbb, 0x17, 0x3e, 0xb3,
-	0xda, 0xaf, 0xe0, 0xda, 0xd2, 0xf7, 0x84, 0x6c, 0x03, 0x64, 0xb7, 0x3b, 0x1c, 0xa4, 0xb1, 0x15,
-	0x90, 0xb8, 0x26, 0x18, 0x17, 0x7c, 0x16, 0x97, 0xee, 0xa1, 0x42, 0xa9, 0x4c, 0xac, 0x55, 0x5a,
-	0x42, 0xdb, 0x03, 0xb8, 0x9e, 0x3d, 0x9b, 0x69, 0x3b, 0x50, 0x54, 0xa1, 0xe0, 0x0a, 0x8b, 0x4f,
-	0x80, 0xf5, 0xf6, 0x27, 0xa0, 0xfd, 0xab, 0x05, 0x2b, 0xf1, 0xe3, 0x41, 0x6c, 0x58, 0x73, 0xc7,
-	0xcc, 0xdc, 0x7e, 0x12, 0x53, 0xb6, 0x8d, 0xdb, 0x26, 0x5e, 0xbe, 0xc0, 0xd7, 0xda, 0x84, 0x52,
-	0xa3, 0xf9, 0x9e, 0xdc, 0x03, 0x38, 0xf2, 0x39, 0x93, 0xb3, 0x43, 0x19, 0x28, 0xbb, 0x62, 0x9c,
-	0xbd, 0x77, 0xe6, 0x55, 0x72, 0x7a, 0x39, 0x9f, 0xbc, 0xe5, 0x05, 0x85, 0xe6, 0x3d, 0x68, 0x94,
-	0xe8, 0x25, 0x77, 0x76, 0xb5, 0x78, 0x67, 0xb5, 0x62, 0x8e, 0x6f, 0xc2, 0x6a, 0x72, 0x1e, 0x42,
-	0x60, 0x85, 0xb3, 0x09, 0xa6, 0x6a, 0x66, 0xdd, 0xfe, 0x02, 0x6a, 0xf9, 0xc7, 0x47, 0xf6, 0x00,
-	0x5c, 0xc1, 0x39, 0xba, 0x5a, 0xc8, 0x2c, 0x2b, 0xa7, 0x1f, 0x64, 0x3f, 0xa3, 0x68, 0x41, 0xaa,
-	0x7d, 0x07, 0x6a, 0x39, 0xb1, 0xcc, 0x43, 0x8c, 0xe9, 0x59, 0x98, 0x05, 0x66, 0xd6, 0xed, 0xdf,
-	0x2a, 0x50, 0xf8, 0x2c, 0x97, 0xaa, 0x6d, 0xc1, 0xaa, 0xaf, 0x54, 0x84, 0x32, 0x55, 0x4c, 0x77,
-	0xa4, 0x03, 0x55, 0x37, 0xf0, 0x91, 0xeb, 0xe1, 0xc0, 0xfc, 0xc7, 0xb5, 0xde, 0xa5, 0xf9, 0xc9,
-	0x4e, 0xb5, 0x9f, 0x62, 0x34, 0x67, 0xc9, 0x2e, 0xd4, 0xdd, 0xc0, 0xcf, 0x88, 0xe4, 0xdb, 0xed,
-	0x35, 0xe6, 0x27, 0x3b, 0xf5, 0xfe, 0xfe, 0x30, 0x97, 0x2f, 0xca, 0xc4, 0x4e, 0x95, 0x2b, 0xc2,
-	0xf4, 0xf3, 0xad, 0xd1, 0x74, 0x47, 0x5e, 0xc1, 0xba, 0x3f, 0x7a, 0x21, 0x8e, 0x91, 0xf7, 0xcd,
-	0x20, 0x62, 0xaf, 0x9a, 0xdc, 0xdc, 0x5a, 0x32, 0x09, 0x38, 0xc3, 0xa2, 0xa0, 0xb9, 0xae, 0xde,
-	0xe6, 0xfc, 0x64, 0x67, 0x7d, 0x38, 0x28, 0xe0, 0xf4, 0xac, 0x3d, 0x72, 0x17, 0x6c, 0x34, 0xad,
-	0x7a, 0xf0, 0xb8, 0xff, 0xe0, 0x7e, 0xa4, 0xc7, 0xc8, 0x75, 0xda, 0x49, 0xe6, 0x07, 0xae, 0xd2,
-	0x73, 0xf9, 0xe6, 0x0c, 0xc8, 0xa2, 0xcf, 0x25, 0x25, 0xf2, 0xe4, 0x6c, 0x5b, 0x7f, 0xfa, 0xd6,
-	0xb6, 0x4e, 0xa6, 0x30, 0x27, 0x1f, 0x23, 0xe3, 0x71, 0xc6, 0x31, 0xf6, 0x0b, 0xb5, 0xb5, 0xf7,
-	0xbb, 0x05, 0x8d, 0xac, 0xbf, 0x9e, 0xa3, 0x9c, 0xfa, 0x2e, 0x92, 0xaf, 0xa0, 0xf2, 0x10, 0x35,
-	0xd9, 0x5a, 0x98, 0x5b, 0xcc, 0xac, 0xd6, 0xdc, 0x5c, 0xc0, 0xdb, 0xf6, 0x0f, 0x7f, 0xfd, 0xf3,
-	0xd3, 0x05, 0x42, 0x36, 0xcc, 0xfc, 0x39, 0xdd, 0xcd, 0x67, 0x3f, 0x32, 0x06, 0x78, 0x88, 0xf9,
-	0x47, 0x76, 0x9e, 0xc9, 0xd6, 0x02, 0x5e, 0xea, 0xf5, 0x76, 0xcb, 0x78, 0x68, 0x12, 0xbb, 0xec,
-	0xa1, 0x9b, 0xb6, 0x78, 0xaf, 0xff, 0xc7, 0x7c, 0xdb, 0xfa, 0x73, 0xbe, 0x6d, 0xfd, 0x3d, 0xdf,
-	0xb6, 0xbe, 0xf9, 0xe4, 0xff, 0x4d, 0xbc, 0x49, 0xa9, 0xe5, 0xc6, 0x8e, 0x56, 0xcd, 0x7c, 0x7a,
-	0xe7, 0xdf, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf1, 0x4f, 0xb0, 0x2d, 0x8e, 0x0b, 0x00, 0x00,
+	// 1231 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0xcf, 0x6f, 0x1b, 0xc5,
+	0x17, 0xd7, 0xd6, 0x69, 0x62, 0x3f, 0x37, 0x75, 0x32, 0x6d, 0xd3, 0xad, 0xd5, 0x6f, 0xe2, 0xaf,
+	0x0f, 0x95, 0x41, 0xb0, 0x6e, 0x52, 0x21, 0x50, 0x45, 0x05, 0xb5, 0x5d, 0xb5, 0xa6, 0x69, 0x1b,
+	0xb6, 0x4d, 0x0f, 0x5c, 0xaa, 0xc9, 0xfa, 0xb1, 0x5e, 0xb2, 0x9e, 0x59, 0xcd, 0xcc, 0x9a, 0xb8,
+	0x47, 0xfe, 0x00, 0x2e, 0xf0, 0xd7, 0x70, 0x47, 0x70, 0x44, 0xe2, 0x1e, 0x21, 0x8b, 0x3f, 0x04,
+	0xcd, 0xec, 0x8f, 0x6c, 0xd6, 0x4e, 0x41, 0xea, 0x6d, 0xe6, 0xf3, 0x79, 0xbf, 0xe6, 0xcd, 0x7b,
+	0x33, 0x0f, 0xb6, 0x25, 0x8a, 0x29, 0x8a, 0xae, 0x44, 0xa5, 0x02, 0xe6, 0xcb, 0x7c, 0xe1, 0x44,
+	0x82, 0x2b, 0x4e, 0xd6, 0xbc, 0x30, 0x96, 0x0a, 0x45, 0xf3, 0xba, 0xcf, 0x7d, 0x6e, 0xb0, 0xae,
+	0x5e, 0x25, 0x74, 0xf3, 0xb6, 0xcf, 0xb9, 0x1f, 0x62, 0x97, 0x46, 0x41, 0x97, 0x32, 0xc6, 0x15,
+	0x55, 0x01, 0x67, 0xa9, 0x72, 0x73, 0xdf, 0x0f, 0xd4, 0x38, 0x3e, 0x72, 0x3c, 0x3e, 0xe9, 0x52,
+	0x61, 0xd4, 0xbf, 0x33, 0x8b, 0x8f, 0xbd, 0x51, 0x77, 0xba, 0xd7, 0x8d, 0x8e, 0x7d, 0xad, 0x29,
+	0xbb, 0x34, 0x8a, 0xc2, 0xc0, 0x33, 0xba, 0xdd, 0xe9, 0x2e, 0x0d, 0xa3, 0x31, 0xdd, 0xed, 0xfa,
+	0xc8, 0x50, 0x50, 0x85, 0xa3, 0xd4, 0xda, 0x97, 0xff, 0x62, 0xad, 0x7c, 0x12, 0x1e, 0x8c, 0xbc,
+	0xae, 0x17, 0xd2, 0x60, 0x92, 0xc6, 0xd3, 0x6e, 0xc0, 0xfa, 0xcb, 0x94, 0xfd, 0x3a, 0x46, 0x31,
+	0x6b, 0x9f, 0xd6, 0xa1, 0x9a, 0x21, 0xe4, 0x16, 0x54, 0x62, 0x11, 0xda, 0x56, 0xcb, 0xea, 0xd4,
+	0x7a, 0x6b, 0xf3, 0xd3, 0x9d, 0xca, 0xa1, 0xbb, 0xef, 0x6a, 0x8c, 0xdc, 0x85, 0xda, 0x08, 0x4f,
+	0xfa, 0x9c, 0x7d, 0x1b, 0xf8, 0xf6, 0xa5, 0x96, 0xd5, 0xa9, 0xef, 0x11, 0x27, 0xcd, 0x8c, 0x33,
+	0xc8, 0x18, 0xf7, 0x4c, 0x88, 0xf4, 0x01, 0xb4, 0xff, 0x54, 0xa5, 0x62, 0x54, 0xae, 0xe5, 0x2a,
+	0x2f, 0x86, 0x83, 0x7e, 0x42, 0xf5, 0xae, 0xce, 0x4f, 0x77, 0xe0, 0x6c, 0xef, 0x16, 0xd4, 0x48,
+	0x0b, 0xea, 0x34, 0x8a, 0xf6, 0xe9, 0x11, 0x86, 0x4f, 0x71, 0x66, 0xaf, 0xe8, 0xc8, 0xdc, 0x22,
+	0x44, 0x5e, 0xc3, 0xa6, 0x40, 0xc9, 0x63, 0xe1, 0xe1, 0x8b, 0x29, 0x0a, 0x11, 0x8c, 0x50, 0xda,
+	0x97, 0x5b, 0x95, 0x4e, 0x7d, 0xaf, 0x93, 0x7b, 0xcb, 0x4e, 0xe8, 0xb8, 0x65, 0xd1, 0x47, 0x4c,
+	0x89, 0x99, 0xbb, 0x68, 0x82, 0x38, 0x40, 0xa4, 0xa2, 0x2a, 0x96, 0x3d, 0x3a, 0xf2, 0xf1, 0x11,
+	0xa3, 0x47, 0x21, 0x8e, 0xec, 0xd5, 0x96, 0xd5, 0xa9, 0xba, 0x4b, 0x18, 0xf2, 0x04, 0x1a, 0x49,
+	0x25, 0x3c, 0x64, 0x34, 0x9c, 0xa9, 0xc0, 0x93, 0xf6, 0x9a, 0x39, 0xf3, 0x76, 0x1e, 0xc5, 0xe3,
+	0xf3, 0x7c, 0x7a, 0xdc, 0xb2, 0x1a, 0x79, 0x0b, 0x1b, 0xc7, 0xb1, 0x54, 0x7c, 0x12, 0xbc, 0xc5,
+	0x17, 0x91, 0xa9, 0x26, 0xbb, 0x6a, 0x4c, 0x3d, 0x77, 0xce, 0x0a, 0xc0, 0xc9, 0x0a, 0xc0, 0x2c,
+	0xde, 0x78, 0x23, 0x67, 0xba, 0xe7, 0x44, 0xc7, 0xbe, 0xa3, 0xcb, 0xc9, 0x29, 0x94, 0x93, 0x93,
+	0x95, 0x93, 0xf3, 0xb4, 0x64, 0xd5, 0x5d, 0xf0, 0x43, 0xfe, 0x0f, 0x2b, 0x63, 0x0c, 0x23, 0xbb,
+	0x66, 0xfc, 0xad, 0xe7, 0xa1, 0x3f, 0xc1, 0x30, 0x72, 0x0d, 0x45, 0x3e, 0x80, 0xb5, 0x28, 0x8c,
+	0xfd, 0x80, 0x49, 0x1b, 0x4c, 0x9a, 0x1b, 0xb9, 0xd4, 0x81, 0xc1, 0xdd, 0x8c, 0xd7, 0x39, 0x8c,
+	0x25, 0x8a, 0x7d, 0xae, 0x77, 0x83, 0x40, 0x26, 0x39, 0xac, 0x27, 0x39, 0x5c, 0x64, 0xc8, 0x8f,
+	0x16, 0xdc, 0xf4, 0x4c, 0x56, 0x9e, 0x51, 0x46, 0x7d, 0x9c, 0x20, 0x53, 0x07, 0xa9, 0xaf, 0x2b,
+	0xc6, 0xd7, 0xab, 0xf7, 0xcb, 0x40, 0x7f, 0xa9, 0x71, 0xf7, 0x22, 0xa7, 0xe4, 0x23, 0xd8, 0xcc,
+	0x53, 0xf4, 0x1a, 0x85, 0x34, 0x77, 0xb1, 0xde, 0xaa, 0x74, 0x6a, 0xee, 0x22, 0x41, 0x9a, 0x50,
+	0x8d, 0x83, 0xbe, 0x94, 0x87, 0xee, 0xbe, 0x7d, 0xd5, 0x54, 0x6a, 0xbe, 0x27, 0x1d, 0x68, 0xc4,
+	0x41, 0x8f, 0x32, 0x86, 0xa2, 0xcf, 0x99, 0x42, 0xa6, 0xec, 0x86, 0x11, 0x29, 0xc3, 0xba, 0xe4,
+	0x33, 0x48, 0x1b, 0xda, 0x48, 0x4a, 0xbe, 0x00, 0x69, 0x5b, 0x11, 0x95, 0xf2, 0x7b, 0x2e, 0x46,
+	0x07, 0x54, 0x29, 0x14, 0xcc, 0xde, 0x4c, 0x6c, 0x95, 0x60, 0x72, 0x07, 0xae, 0x2a, 0x41, 0xbd,
+	0xe3, 0x80, 0xf9, 0xcf, 0x50, 0x8d, 0xf9, 0xc8, 0x26, 0x46, 0xb0, 0x84, 0xea, 0x73, 0x66, 0x0e,
+	0x0e, 0x50, 0x4c, 0x28, 0xd3, 0xf1, 0x5d, 0x33, 0xf7, 0xb4, 0x48, 0x90, 0x0f, 0x61, 0x23, 0x07,
+	0xb9, 0x0c, 0x74, 0x8a, 0xed, 0xeb, 0xc6, 0xee, 0x02, 0x5e, 0x6a, 0x23, 0x97, 0x73, 0x75, 0x28,
+	0x42, 0xfb, 0x86, 0x91, 0x5e, 0xc2, 0xe8, 0xd3, 0xe3, 0x09, 0x7a, 0x59, 0xbf, 0x6d, 0x99, 0x18,
+	0x8a, 0x10, 0xb9, 0x0b, 0xd7, 0x3c, 0xce, 0x94, 0xe0, 0x61, 0x88, 0xe2, 0x39, 0x9d, 0xa0, 0x8c,
+	0xa8, 0x87, 0xf6, 0x4d, 0x63, 0x72, 0x19, 0x45, 0x3e, 0x87, 0x5b, 0x34, 0x8a, 0xe4, 0x90, 0x3d,
+	0x64, 0xb3, 0x1c, 0xcd, 0x3c, 0xd8, 0xc6, 0xc3, 0xc5, 0x02, 0x3a, 0x87, 0x01, 0x93, 0x8a, 0x86,
+	0xa1, 0x29, 0xa6, 0xe1, 0xc0, 0x6e, 0x26, 0x39, 0x3c, 0x8f, 0x36, 0x7f, 0xb6, 0x60, 0x6b, 0xf9,
+	0xf3, 0x42, 0x36, 0xa0, 0x72, 0x8c, 0xb3, 0xe4, 0x5d, 0x75, 0xf5, 0x92, 0x8c, 0xe0, 0xf2, 0x94,
+	0x86, 0x31, 0xa6, 0x4f, 0xe9, 0x7b, 0x36, 0x76, 0xd9, 0xad, 0x9b, 0x18, 0xbf, 0x7f, 0xe9, 0x33,
+	0xab, 0xfd, 0x06, 0x6e, 0x2c, 0x7d, 0x77, 0xc8, 0x36, 0x40, 0x56, 0x05, 0xc3, 0x41, 0x1a, 0x5b,
+	0x01, 0xd1, 0xe7, 0xa6, 0x8c, 0xb3, 0x99, 0x2e, 0xf1, 0x43, 0x89, 0x42, 0x9a, 0x58, 0xab, 0x6e,
+	0x09, 0x6d, 0x0f, 0xe0, 0x66, 0xf6, 0xbc, 0xa6, 0x6d, 0xe3, 0xa2, 0x8c, 0x38, 0x93, 0x58, 0x7c,
+	0x2a, 0xac, 0x77, 0x3f, 0x15, 0xed, 0x5f, 0x2c, 0x58, 0xd1, 0x8f, 0x0c, 0xb1, 0x61, 0xcd, 0x1b,
+	0x53, 0x53, 0x25, 0x49, 0x4c, 0xd9, 0x56, 0xb7, 0x97, 0x5e, 0xbe, 0xc2, 0x13, 0x65, 0x42, 0xa9,
+	0xb9, 0xf9, 0x9e, 0x3c, 0x00, 0x38, 0x0a, 0x18, 0x15, 0xb3, 0x43, 0x11, 0x4a, 0xbb, 0x62, 0x9c,
+	0xfd, 0xef, 0xdc, 0xeb, 0xe5, 0xf4, 0x72, 0x3e, 0x79, 0xf3, 0x0b, 0x0a, 0xcd, 0x07, 0xd0, 0x28,
+	0xd1, 0x4b, 0xee, 0xec, 0x7a, 0xf1, 0xce, 0x6a, 0xc5, 0x1c, 0xdf, 0x86, 0xd5, 0xe4, 0x3c, 0x84,
+	0xc0, 0x0a, 0xa3, 0x13, 0x4c, 0xd5, 0xcc, 0xba, 0xfd, 0x05, 0xd4, 0xf2, 0x0f, 0x92, 0xec, 0x01,
+	0x78, 0x9c, 0x31, 0xf4, 0x14, 0x17, 0x59, 0x56, 0xce, 0x3e, 0xd2, 0x7e, 0x46, 0xb9, 0x05, 0xa9,
+	0xf6, 0x3d, 0xa8, 0xe5, 0xc4, 0x32, 0x0f, 0x1a, 0x53, 0xb3, 0x28, 0x0b, 0xcc, 0xac, 0xdb, 0xbf,
+	0x56, 0xa0, 0xf0, 0xa9, 0x2e, 0x55, 0xdb, 0x82, 0xd5, 0x40, 0xca, 0x18, 0x45, 0xaa, 0x98, 0xee,
+	0x48, 0x07, 0xaa, 0x5e, 0x18, 0x20, 0x53, 0xc3, 0x81, 0xf9, 0xb7, 0x6b, 0xbd, 0x2b, 0xf3, 0xd3,
+	0x9d, 0x6a, 0x3f, 0xc5, 0xdc, 0x9c, 0x25, 0xbb, 0x50, 0xf7, 0xc2, 0x20, 0x23, 0x92, 0xef, 0xb9,
+	0xd7, 0x98, 0x9f, 0xee, 0xd4, 0xfb, 0xfb, 0xc3, 0x5c, 0xbe, 0x28, 0xa3, 0x9d, 0x4a, 0x8f, 0x47,
+	0xe9, 0x27, 0x5d, 0x73, 0xd3, 0x1d, 0x79, 0x03, 0xeb, 0xc1, 0xe8, 0x15, 0x3f, 0x46, 0xd6, 0x37,
+	0x03, 0x8b, 0xbd, 0x6a, 0x72, 0x73, 0x67, 0xc9, 0xc4, 0xe0, 0x0c, 0x8b, 0x82, 0xe6, 0xba, 0x7a,
+	0x9b, 0xf3, 0xd3, 0x9d, 0xf5, 0xe1, 0xa0, 0x80, 0xbb, 0xe7, 0xed, 0x91, 0xfb, 0x60, 0xa3, 0x69,
+	0xe9, 0x83, 0xa7, 0xfd, 0x47, 0x0f, 0x63, 0x35, 0x46, 0xa6, 0xd2, 0x4e, 0x32, 0x3f, 0x75, 0xd5,
+	0xbd, 0x90, 0x6f, 0xce, 0x80, 0x2c, 0xfa, 0x5c, 0x52, 0x22, 0xcf, 0xce, 0xb7, 0xf5, 0xa7, 0xef,
+	0x6c, 0xeb, 0x64, 0x5a, 0x73, 0xf2, 0x71, 0x53, 0x8f, 0x3d, 0x8e, 0xb1, 0x5f, 0xa8, 0xad, 0xbd,
+	0xdf, 0x2c, 0x68, 0x64, 0xfd, 0xf5, 0x12, 0xc5, 0x34, 0xf0, 0x90, 0x7c, 0x05, 0x95, 0xc7, 0xa8,
+	0xc8, 0xd6, 0xc2, 0x7c, 0x63, 0x66, 0xba, 0xe6, 0xe6, 0x02, 0xde, 0xb6, 0x7f, 0xf8, 0xf3, 0xef,
+	0x9f, 0x2e, 0x11, 0xb2, 0x61, 0xe6, 0xd4, 0xe9, 0x6e, 0x3e, 0x23, 0x92, 0x31, 0xc0, 0x63, 0xcc,
+	0x3f, 0xbc, 0x8b, 0x4c, 0xb6, 0x16, 0xf0, 0x52, 0xaf, 0xb7, 0x5b, 0xc6, 0x43, 0x93, 0xd8, 0x65,
+	0x0f, 0xdd, 0xb4, 0xc5, 0x7b, 0xfd, 0xdf, 0xe7, 0xdb, 0xd6, 0x1f, 0xf3, 0x6d, 0xeb, 0xaf, 0xf9,
+	0xb6, 0xf5, 0xcd, 0x27, 0xff, 0x6d, 0x32, 0x4e, 0x4a, 0x2d, 0x37, 0x76, 0xb4, 0x6a, 0xe6, 0xd8,
+	0x7b, 0xff, 0x04, 0x00, 0x00, 0xff, 0xff, 0x1d, 0x4a, 0xd6, 0x7b, 0xb6, 0x0b, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -990,6 +999,15 @@ func (m *Settings) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.InstallationID) > 0 {
+		i -= len(m.InstallationID)
+		copy(dAtA[i:], m.InstallationID)
+		i = encodeVarintSettings(dAtA, i, uint64(len(m.InstallationID)))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0xd2
+	}
 	if m.AppsInAnyNamespaceEnabled {
 		i--
 		if m.AppsInAnyNamespaceEnabled {
@@ -1750,6 +1768,10 @@ func (m *Settings) Size() (n int) {
 	if m.AppsInAnyNamespaceEnabled {
 		n += 3
 	}
+	l = len(m.InstallationID)
+	if l > 0 {
+		n += 2 + l + sovSettings(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -2840,6 +2862,38 @@ func (m *Settings) Unmarshal(dAtA []byte) error {
 				}
 			}
 			m.AppsInAnyNamespaceEnabled = bool(v != 0)
+		case 26:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InstallationID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSettings
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthSettings
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthSettings
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.InstallationID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipSettings(dAtA[iNdEx:])

pkg/apis/application/v1alpha1/generated.pb.go

@@ -4477,7 +4477,7 @@ func init() {
 }
 
 var fileDescriptor_030104ce3b95bcac = []byte{
-	// 11054 bytes of a gzipped FileDescriptorProto
+	// 11081 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x7d, 0x6d, 0x70, 0x24, 0xc7,
 	0x75, 0x98, 0x66, 0x17, 0x0b, 0xec, 0x3e, 0x7c, 0xdc, 0x5d, 0xdf, 0x1d, 0x09, 0x9e, 0x48, 0xe2,
 	0x3c, 0xb4, 0x29, 0x2a, 0x22, 0x01, 0xf3, 0x44, 0xca, 0x8c, 0x68, 0x4b, 0xc6, 0x02, 0x77, 0x38,
@@ -4485,8 +4485,8 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0xcc, 0x70, 0x66, 0x16, 0x07, 0xd0, 0x92, 0x2c, 0x59, 0xb2, 0xad, 0x44, 0x1f, 0x54, 0xa4, 0xa4,
 	0x4c, 0x27, 0x96, 0x22, 0x5b, 0x4e, 0x2a, 0xae, 0x44, 0x15, 0x27, 0xf9, 0x11, 0x27, 0x4e, 0xca,
 	0x65, 0x3b, 0x95, 0x52, 0x4a, 0x49, 0xd9, 0xe5, 0x72, 0x59, 0x4e, 0x62, 0x23, 0xd2, 0xa5, 0x52,
-	0x49, 0xa5, 0x2a, 0xae, 0x72, 0xe2, 0x1f, 0xc9, 0x25, 0x3f, 0x52, 0xfd, 0xdd, 0x33, 0x3b, 0x0b,
-	0x2c, 0x80, 0xc1, 0xdd, 0x49, 0xe6, 0xbf, 0xdd, 0x7e, 0x6f, 0xde, 0xeb, 0xe9, 0xe9, 0x7e, 0xef,
+	0x4e, 0xa5, 0x2a, 0xae, 0x72, 0xe2, 0x1f, 0xc9, 0x25, 0x3f, 0x52, 0xfd, 0xdd, 0x33, 0x3b, 0x0b,
+	0x2c, 0x80, 0xc1, 0xdd, 0x49, 0xe1, 0xbf, 0xdd, 0x7e, 0x6f, 0xde, 0xeb, 0xe9, 0xe9, 0x7e, 0xef,
 	0xf5, 0xeb, 0xf7, 0x5e, 0xc3, 0x42, 0xcb, 0x4d, 0x36, 0x3a, 0x6b, 0x93, 0x8d, 0xa0, 0x3d, 0xe5,
 	0x44, 0xad, 0x20, 0x8c, 0x82, 0x5b, 0xec, 0xc7, 0x33, 0x8d, 0xe6, 0xd4, 0xd6, 0x85, 0xa9, 0x70,
 	0xb3, 0x35, 0xe5, 0x84, 0x6e, 0x3c, 0xe5, 0x84, 0xa1, 0xe7, 0x36, 0x9c, 0xc4, 0x0d, 0xfc, 0xa9,
@@ -4570,7 +4570,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0xba, 0xf7, 0x2e, 0xf7, 0xb7, 0x4a, 0x30, 0x91, 0x7e, 0xa0, 0x4b, 0xda, 0xd2, 0x2d, 0x95, 0xc1,
 	0x28, 0xeb, 0xef, 0x30, 0xf0, 0xb1, 0x89, 0xd7, 0x43, 0x60, 0x95, 0x8e, 0x53, 0x60, 0x99, 0xf2,
 	0xb4, 0xbc, 0x8f, 0x3c, 0x7d, 0x52, 0x8d, 0xfa, 0x40, 0x46, 0x80, 0xa5, 0x75, 0xca, 0x79, 0x18,
-	0x88, 0x13, 0x12, 0x8e, 0x57, 0xd2, 0xf2, 0x68, 0x25, 0x21, 0x21, 0x66, 0x10, 0xfb, 0xbf, 0x97,
+	0x88, 0x13, 0x12, 0x8e, 0x57, 0xd2, 0xf2, 0x68, 0x25, 0x21, 0x21, 0x66, 0x10, 0xfb, 0xbf, 0x95,
 	0xe0, 0xe1, 0xf4, 0x18, 0x6a, 0x15, 0xf0, 0xfe, 0x94, 0x0a, 0x78, 0x97, 0xa9, 0x02, 0xee, 0xee,
 	0x4e, 0xbc, 0xbd, 0xc7, 0x63, 0xdf, 0x33, 0x1a, 0x02, 0xcd, 0x65, 0x46, 0x71, 0x2a, 0x3d, 0x8a,
 	0x77, 0x77, 0x27, 0x1e, 0xeb, 0xf1, 0x8e, 0x99, 0x61, 0x7e, 0x12, 0x06, 0x23, 0xe2, 0xc4, 0x81,
@@ -4596,154 +4596,154 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0x83, 0x6b, 0x24, 0x4e, 0x48, 0xf3, 0x2d, 0x11, 0xfe, 0x96, 0x08, 0x7f, 0x4b, 0x84, 0x2b, 0x11,
 	0xbe, 0x96, 0x11, 0xe1, 0xef, 0x33, 0x56, 0xbd, 0x3e, 0x80, 0x7d, 0x55, 0x9d, 0xd0, 0x9a, 0x3d,
 	0x30, 0x10, 0xa8, 0x24, 0xb8, 0xb2, 0xb2, 0x74, 0x2d, 0x57, 0x66, 0xbf, 0x9a, 0x96, 0xd9, 0x47,
-	0x65, 0xf1, 0x17, 0x41, 0x4a, 0xff, 0x6b, 0x0b, 0xde, 0x91, 0x96, 0x5e, 0x72, 0xe6, 0xcc, 0xb7,
-	0xfc, 0x20, 0x22, 0xb3, 0xee, 0xfa, 0x3a, 0x89, 0x88, 0xdf, 0x20, 0xb1, 0xf2, 0x62, 0x58, 0xbd,
-	0xbc, 0x18, 0xe8, 0x39, 0x18, 0xb9, 0x15, 0x07, 0xfe, 0x72, 0xe0, 0xfa, 0x42, 0x04, 0xd1, 0x8d,
-	0xf0, 0xc9, 0x3b, 0xbb, 0x13, 0x23, 0x74, 0x44, 0x65, 0x3b, 0x4e, 0x61, 0xa1, 0x19, 0x38, 0x75,
-	0xeb, 0xb5, 0x65, 0x27, 0x31, 0xdc, 0x01, 0x72, 0xe3, 0xce, 0x0e, 0x2c, 0xae, 0xbc, 0x94, 0x01,
-	0xe2, 0x6e, 0x7c, 0xfb, 0x6f, 0x95, 0xe0, 0x91, 0xcc, 0x8b, 0x04, 0x9e, 0x17, 0x74, 0x12, 0xba,
-	0xa9, 0x41, 0x5f, 0xb5, 0xe0, 0x64, 0x3b, 0xed, 0x71, 0x88, 0x85, 0x63, 0xf7, 0x03, 0x85, 0xe9,
-	0x88, 0x8c, 0x4b, 0xa3, 0x3e, 0x2e, 0x46, 0xe8, 0x64, 0x06, 0x10, 0xe3, 0xae, 0xbe, 0xa0, 0x57,
-	0xa0, 0xd6, 0x76, 0xb6, 0xaf, 0x87, 0x4d, 0x27, 0x91, 0xfb, 0xc9, 0xde, 0x6e, 0x80, 0x4e, 0xe2,
-	0x7a, 0x93, 0xfc, 0x68, 0x7f, 0x72, 0xde, 0x4f, 0x96, 0xa2, 0x95, 0x24, 0x72, 0xfd, 0x16, 0x77,
-	0xe7, 0x2d, 0x4a, 0x32, 0x58, 0x53, 0xb4, 0xbf, 0x62, 0x65, 0x95, 0x94, 0x1a, 0x9d, 0xc8, 0x49,
-	0x48, 0x6b, 0x07, 0x7d, 0x14, 0x2a, 0x74, 0xe3, 0x27, 0x47, 0xe5, 0x66, 0x91, 0x9a, 0xd3, 0xf8,
-	0x12, 0x5a, 0x89, 0xd2, 0x7f, 0x31, 0xe6, 0x4c, 0xed, 0xaf, 0xd6, 0xb2, 0xc6, 0x02, 0x3b, 0xbc,
-	0xbd, 0x00, 0xd0, 0x0a, 0x56, 0x49, 0x3b, 0xf4, 0xe8, 0xb0, 0x58, 0xec, 0x04, 0x40, 0xf9, 0x3a,
-	0xe6, 0x14, 0x04, 0x1b, 0x58, 0xe8, 0xaf, 0x58, 0x00, 0x2d, 0x39, 0xe7, 0xa5, 0x21, 0x70, 0xbd,
-	0xc8, 0xd7, 0xd1, 0x2b, 0x4a, 0xf7, 0x45, 0x31, 0xc4, 0x06, 0x73, 0xf4, 0xd3, 0x16, 0x54, 0x13,
-	0xd9, 0x7d, 0xae, 0x1a, 0x57, 0x8b, 0xec, 0x89, 0x7c, 0x69, 0x6d, 0x13, 0xa9, 0x21, 0x51, 0x7c,
-	0xd1, 0xcf, 0x5a, 0x00, 0xf1, 0x8e, 0xdf, 0x58, 0x0e, 0x3c, 0xb7, 0xb1, 0x23, 0x34, 0xe6, 0x8d,
-	0x42, 0xfd, 0x31, 0x8a, 0x7a, 0x7d, 0x8c, 0x8e, 0x86, 0xfe, 0x8f, 0x0d, 0xce, 0xe8, 0xe3, 0x50,
-	0x8d, 0xc5, 0x74, 0x13, 0x3a, 0x72, 0xb5, 0x58, 0xaf, 0x10, 0xa7, 0x2d, 0xc4, 0xab, 0xf8, 0x87,
-	0x15, 0x4f, 0xf4, 0xf3, 0x16, 0x9c, 0x08, 0xd3, 0x7e, 0x3e, 0xa1, 0x0e, 0x8b, 0x93, 0x01, 0x19,
-	0x3f, 0x62, 0xfd, 0xf4, 0x9d, 0xdd, 0x89, 0x13, 0x99, 0x46, 0x9c, 0xed, 0x05, 0x95, 0x80, 0x7a,
-	0x06, 0x2f, 0x85, 0xdc, 0xe7, 0x38, 0xa4, 0x25, 0xe0, 0x5c, 0x16, 0x88, 0xbb, 0xf1, 0xd1, 0x32,
-	0x9c, 0xa1, 0xbd, 0xdb, 0xe1, 0xe6, 0xa7, 0x54, 0x2f, 0x31, 0x53, 0x86, 0xd5, 0xfa, 0xa3, 0x62,
-	0x86, 0x30, 0xaf, 0x7e, 0x16, 0x07, 0xe7, 0x3e, 0x89, 0x7e, 0xd7, 0x82, 0x47, 0x5d, 0xa6, 0x06,
-	0x4c, 0x87, 0xb9, 0xd6, 0x08, 0xe2, 0x24, 0x96, 0x14, 0x2a, 0x2b, 0x7a, 0xa9, 0x9f, 0xfa, 0x0f,
-	0x8a, 0x37, 0x78, 0x74, 0x7e, 0x8f, 0x2e, 0xe1, 0x3d, 0x3b, 0x8c, 0x7e, 0x04, 0x46, 0xe5, 0xba,
-	0x58, 0xa6, 0x22, 0x98, 0x29, 0xda, 0x5a, 0xfd, 0xd4, 0x9d, 0xdd, 0x89, 0xd1, 0x55, 0x13, 0x80,
-	0xd3, 0x78, 0xf6, 0xb7, 0x4a, 0xa9, 0xf3, 0x10, 0xe5, 0x84, 0x64, 0xe2, 0xa6, 0x21, 0xfd, 0x3f,
-	0x52, 0x7a, 0x16, 0x2a, 0x6e, 0x94, 0x77, 0x49, 0x8b, 0x1b, 0xd5, 0x14, 0x63, 0x83, 0x39, 0x35,
-	0x4a, 0x4f, 0x39, 0x59, 0x57, 0xa7, 0x90, 0x80, 0xaf, 0x14, 0xd9, 0xa5, 0xee, 0xd3, 0xab, 0x47,
-	0x44, 0xd7, 0x4e, 0x75, 0x81, 0x70, 0x77, 0x97, 0xec, 0x6f, 0xa5, 0xcf, 0x60, 0x8c, 0xc5, 0xdb,
-	0xc7, 0xf9, 0xd2, 0x17, 0x2c, 0x18, 0x8e, 0x02, 0xcf, 0x73, 0xfd, 0x16, 0x15, 0x34, 0x42, 0x5b,
-	0x7e, 0xe8, 0x58, 0x14, 0x96, 0x90, 0x28, 0xcc, 0xb4, 0xc5, 0x9a, 0x27, 0x36, 0x3b, 0x60, 0xff,
-	0x89, 0x05, 0xe3, 0xbd, 0x04, 0x22, 0x22, 0xf0, 0x76, 0xb9, 0xda, 0x55, 0x74, 0xc5, 0x92, 0x3f,
-	0x4b, 0x3c, 0xa2, 0x1c, 0xcf, 0xd5, 0xfa, 0x13, 0xe2, 0x35, 0xdf, 0xbe, 0xdc, 0x1b, 0x15, 0xef,
-	0x45, 0x07, 0xbd, 0x0c, 0x27, 0x8d, 0xf7, 0x8a, 0xd5, 0xc0, 0xd4, 0xea, 0x93, 0xd4, 0x02, 0x99,
-	0xce, 0xc0, 0xee, 0xee, 0x4e, 0x3c, 0x94, 0x6d, 0x13, 0x12, 0xbb, 0x8b, 0x8e, 0xfd, 0x2b, 0xa5,
-	0xec, 0xd7, 0x52, 0xca, 0xf6, 0x4d, 0xab, 0x6b, 0x3b, 0xff, 0x81, 0xe3, 0x50, 0x70, 0x6c, 0xe3,
-	0xaf, 0x02, 0x38, 0x7a, 0xe3, 0xdc, 0xc7, 0x13, 0x62, 0xfb, 0xdf, 0x0e, 0xc0, 0x1e, 0x3d, 0xeb,
-	0xc3, 0x7a, 0x3e, 0xf0, 0xb1, 0xe2, 0xe7, 0x2c, 0x75, 0xe4, 0x54, 0x66, 0x8b, 0xbc, 0x79, 0x5c,
-	0x63, 0xcf, 0x37, 0x30, 0x31, 0x8f, 0x52, 0x50, 0x6e, 0xec, 0xf4, 0xe1, 0x16, 0xfa, 0x9a, 0x95,
-	0x3e, 0x34, 0xe3, 0x61, 0x67, 0xee, 0xb1, 0xf5, 0xc9, 0x38, 0x89, 0xe3, 0x1d, 0xd3, 0xe7, 0x37,
-	0xbd, 0xce, 0xe8, 0x26, 0x01, 0xd6, 0x5d, 0xdf, 0xf1, 0xdc, 0xd7, 0xe9, 0xf6, 0xa4, 0xc2, 0x34,
-	0x2c, 0x33, 0x59, 0x2e, 0xa9, 0x56, 0x6c, 0x60, 0x9c, 0xfb, 0xcb, 0x30, 0x6c, 0xbc, 0x79, 0x4e,
-	0x70, 0xc5, 0x19, 0x33, 0xb8, 0xa2, 0x66, 0xc4, 0x44, 0x9c, 0x7b, 0x1f, 0x9c, 0xcc, 0x76, 0xf0,
-	0x20, 0xcf, 0xdb, 0xff, 0x7b, 0x28, 0x7b, 0x8a, 0xb5, 0x4a, 0xa2, 0x36, 0xed, 0xda, 0x5b, 0x9e,
-	0xa5, 0xb7, 0x3c, 0x4b, 0x6f, 0x79, 0x96, 0xcc, 0xc3, 0x01, 0xe1, 0x35, 0x19, 0xba, 0x47, 0x5e,
-	0x93, 0x94, 0x1f, 0xa8, 0x5a, 0xb8, 0x1f, 0xc8, 0xbe, 0x53, 0x81, 0x94, 0x1d, 0xc5, 0xc7, 0xfb,
-	0x9d, 0x30, 0x14, 0x91, 0x30, 0xb8, 0x8e, 0x17, 0x84, 0x0e, 0xd1, 0xb1, 0xf6, 0xbc, 0x19, 0x4b,
-	0x38, 0xd5, 0x35, 0xa1, 0x93, 0x6c, 0x08, 0x25, 0xa2, 0x74, 0xcd, 0xb2, 0x93, 0x6c, 0x60, 0x06,
-	0x41, 0xef, 0x83, 0xb1, 0xc4, 0x89, 0x5a, 0xd4, 0xde, 0xde, 0x62, 0x9f, 0x55, 0x9c, 0x75, 0x3e,
-	0x24, 0x70, 0xc7, 0x56, 0x53, 0x50, 0x9c, 0xc1, 0x46, 0xaf, 0xc1, 0xc0, 0x06, 0xf1, 0xda, 0x62,
-	0xc8, 0x57, 0x8a, 0x93, 0xf1, 0xec, 0x5d, 0x2f, 0x13, 0xaf, 0xcd, 0x25, 0x10, 0xfd, 0x85, 0x19,
-	0x2b, 0x3a, 0xdf, 0x6a, 0x9b, 0x9d, 0x38, 0x09, 0xda, 0xee, 0xeb, 0xd2, 0xc5, 0xf7, 0x81, 0x82,
-	0x19, 0x5f, 0x95, 0xf4, 0xb9, 0x2f, 0x45, 0xfd, 0xc5, 0x9a, 0x33, 0xeb, 0x47, 0xd3, 0x8d, 0xd8,
-	0xa7, 0xda, 0x11, 0x9e, 0xba, 0xa2, 0xfb, 0x31, 0x2b, 0xe9, 0xf3, 0x7e, 0xa8, 0xbf, 0x58, 0x73,
-	0x46, 0x3b, 0x6a, 0xde, 0x0f, 0xb3, 0x3e, 0x5c, 0x2f, 0xb8, 0x0f, 0x7c, 0xce, 0xe7, 0xce, 0xff,
-	0x27, 0xa0, 0xd2, 0xd8, 0x70, 0xa2, 0x64, 0x7c, 0x84, 0x4d, 0x1a, 0xe5, 0xd3, 0x99, 0xa1, 0x8d,
-	0x98, 0xc3, 0xd0, 0x63, 0x50, 0x8e, 0xc8, 0x3a, 0x8b, 0xdb, 0x34, 0x22, 0x7a, 0x30, 0x59, 0xc7,
-	0xb4, 0xdd, 0xfe, 0xa5, 0x52, 0xda, 0x5c, 0x4a, 0xbf, 0x37, 0x9f, 0xed, 0x8d, 0x4e, 0x14, 0x4b,
-	0xbf, 0x8f, 0x31, 0xdb, 0x59, 0x33, 0x96, 0x70, 0xf4, 0x49, 0x0b, 0x86, 0x6e, 0xc5, 0x81, 0xef,
-	0x93, 0x44, 0xa8, 0xa6, 0x1b, 0x05, 0x0f, 0xc5, 0x15, 0x4e, 0x5d, 0xf7, 0x41, 0x34, 0x60, 0xc9,
-	0x97, 0x76, 0x97, 0x6c, 0x37, 0xbc, 0x4e, 0xb3, 0x2b, 0x48, 0xe3, 0x22, 0x6f, 0xc6, 0x12, 0x4e,
-	0x51, 0x5d, 0x9f, 0xa3, 0x0e, 0xa4, 0x51, 0xe7, 0x7d, 0x81, 0x2a, 0xe0, 0xf6, 0xdf, 0x18, 0x84,
-	0xb3, 0xb9, 0x8b, 0x83, 0x1a, 0x32, 0xcc, 0x54, 0xb8, 0xe4, 0x7a, 0x44, 0x86, 0x27, 0x31, 0x43,
-	0xe6, 0x86, 0x6a, 0xc5, 0x06, 0x06, 0xfa, 0x29, 0x80, 0xd0, 0x89, 0x9c, 0x36, 0x51, 0x7e, 0xd9,
-	0x23, 0xdb, 0x0b, 0xb4, 0x1f, 0xcb, 0x92, 0xa6, 0xde, 0x9b, 0xaa, 0xa6, 0x18, 0x1b, 0x2c, 0xd1,
-	0xf3, 0x30, 0x1c, 0x11, 0x8f, 0x38, 0x31, 0x0b, 0xfb, 0xcd, 0xe6, 0x30, 0x60, 0x0d, 0xc2, 0x26,
-	0x1e, 0x7a, 0x52, 0x45, 0x72, 0x65, 0x22, 0x5a, 0xd2, 0xd1, 0x5c, 0xe8, 0x0d, 0x0b, 0xc6, 0xd6,
-	0x5d, 0x8f, 0x68, 0xee, 0x22, 0xe3, 0x60, 0xe9, 0xe8, 0x2f, 0x79, 0xc9, 0xa4, 0xab, 0x25, 0x64,
-	0xaa, 0x39, 0xc6, 0x19, 0xf6, 0xf4, 0x33, 0x6f, 0x91, 0x88, 0x89, 0xd6, 0xc1, 0xf4, 0x67, 0xbe,
-	0xc1, 0x9b, 0xb1, 0x84, 0xa3, 0x69, 0x38, 0x11, 0x3a, 0x71, 0x3c, 0x13, 0x91, 0x26, 0xf1, 0x13,
-	0xd7, 0xf1, 0x78, 0x3e, 0x40, 0x55, 0xc7, 0x03, 0x2f, 0xa7, 0xc1, 0x38, 0x8b, 0x8f, 0x3e, 0x08,
-	0x0f, 0x73, 0xc7, 0xc7, 0xa2, 0x1b, 0xc7, 0xae, 0xdf, 0xd2, 0xd3, 0x40, 0xf8, 0x7f, 0x26, 0x04,
-	0xa9, 0x87, 0xe7, 0xf3, 0xd1, 0x70, 0xaf, 0xe7, 0xd1, 0xd3, 0x50, 0x8d, 0x37, 0xdd, 0x70, 0x26,
-	0x6a, 0xc6, 0xec, 0xd0, 0xa3, 0xaa, 0xbd, 0x8d, 0x2b, 0xa2, 0x1d, 0x2b, 0x0c, 0xd4, 0x80, 0x11,
-	0xfe, 0x49, 0x78, 0x28, 0x9a, 0x90, 0x8f, 0xcf, 0xf4, 0x54, 0x8f, 0x22, 0xbd, 0x6d, 0x12, 0x3b,
-	0xb7, 0x2f, 0xca, 0x23, 0x18, 0x7e, 0x62, 0x70, 0xc3, 0x20, 0x83, 0x53, 0x44, 0xed, 0x5f, 0x28,
-	0xa5, 0x77, 0xdc, 0xe6, 0x22, 0x45, 0x31, 0x5d, 0x8a, 0xc9, 0x0d, 0x27, 0x92, 0xde, 0x98, 0x23,
-	0xa6, 0x2d, 0x08, 0xba, 0x37, 0x9c, 0xc8, 0x5c, 0xd4, 0x8c, 0x01, 0x96, 0x9c, 0xd0, 0x2d, 0x18,
-	0x48, 0x3c, 0xa7, 0xa0, 0x3c, 0x27, 0x83, 0xa3, 0x76, 0x80, 0x2c, 0x4c, 0xc7, 0x98, 0xf1, 0x40,
-	0x8f, 0x52, 0xab, 0x7f, 0x4d, 0x1e, 0x91, 0x08, 0x43, 0x7d, 0x2d, 0xc6, 0xac, 0xd5, 0xbe, 0x0b,
-	0x39, 0x72, 0x55, 0x29, 0x32, 0x74, 0x01, 0x80, 0x6e, 0x20, 0x97, 0x23, 0xb2, 0xee, 0x6e, 0x0b,
-	0x43, 0x42, 0xad, 0xdd, 0x6b, 0x0a, 0x82, 0x0d, 0x2c, 0xf9, 0xcc, 0x4a, 0x67, 0x9d, 0x3e, 0x53,
-	0xea, 0x7e, 0x86, 0x43, 0xb0, 0x81, 0x85, 0x9e, 0x83, 0x41, 0xb7, 0xed, 0xb4, 0x54, 0x08, 0xe6,
-	0xa3, 0x74, 0xd1, 0xce, 0xb3, 0x96, 0xbb, 0xbb, 0x13, 0x63, 0xaa, 0x43, 0xac, 0x09, 0x0b, 0x5c,
-	0xf4, 0x2b, 0x16, 0x8c, 0x34, 0x82, 0x76, 0x3b, 0xf0, 0xf9, 0xb6, 0x4b, 0xec, 0x21, 0x6f, 0x1d,
-	0x97, 0x9a, 0x9f, 0x9c, 0x31, 0x98, 0xf1, 0x4d, 0xa4, 0x4a, 0xc8, 0x32, 0x41, 0x38, 0xd5, 0x2b,
-	0x73, 0x6d, 0x57, 0xf6, 0x59, 0xdb, 0xbf, 0x6e, 0xc1, 0x29, 0xfe, 0xac, 0xb1, 0x1b, 0x14, 0xb9,
-	0x47, 0xc1, 0x31, 0xbf, 0x56, 0xd7, 0x06, 0x59, 0x79, 0xe9, 0xba, 0xe0, 0xb8, 0xbb, 0x93, 0x68,
-	0x0e, 0x4e, 0xad, 0x07, 0x51, 0x83, 0x98, 0x03, 0x21, 0x04, 0x93, 0x22, 0x74, 0x29, 0x8b, 0x80,
-	0xbb, 0x9f, 0x41, 0x37, 0xe0, 0x21, 0xa3, 0xd1, 0x1c, 0x07, 0x2e, 0x9b, 0x1e, 0x17, 0xd4, 0x1e,
-	0xba, 0x94, 0x8b, 0x85, 0x7b, 0x3c, 0x9d, 0x76, 0x98, 0xd4, 0xfa, 0x70, 0x98, 0xbc, 0x0a, 0x8f,
-	0x34, 0xba, 0x47, 0x66, 0x2b, 0xee, 0xac, 0xc5, 0x5c, 0x52, 0x55, 0xeb, 0x3f, 0x20, 0x08, 0x3c,
-	0x32, 0xd3, 0x0b, 0x11, 0xf7, 0xa6, 0x81, 0x3e, 0x0a, 0xd5, 0x88, 0xb0, 0xaf, 0x12, 0x8b, 0x44,
-	0x9c, 0x23, 0xee, 0x92, 0xb5, 0x05, 0xca, 0xc9, 0x6a, 0xd9, 0x2b, 0x1a, 0x62, 0xac, 0x38, 0xa2,
-	0xdb, 0x30, 0x14, 0x3a, 0x49, 0x63, 0x43, 0xa4, 0xdf, 0x1c, 0x39, 0xfe, 0x45, 0x31, 0x67, 0x3e,
-	0x70, 0x23, 0x61, 0x97, 0x33, 0xc1, 0x92, 0x1b, 0xb5, 0x46, 0x1a, 0x41, 0x3b, 0x0c, 0x7c, 0xe2,
-	0x27, 0xf1, 0xf8, 0xa8, 0xb6, 0x46, 0x66, 0x54, 0x2b, 0x36, 0x30, 0xd0, 0x32, 0x9c, 0x61, 0x3e,
-	0xa3, 0x9b, 0x6e, 0xb2, 0x11, 0x74, 0x12, 0xb9, 0x05, 0x1a, 0x1f, 0x4b, 0x1f, 0x55, 0x2c, 0xe4,
-	0xe0, 0xe0, 0xdc, 0x27, 0xcf, 0xbd, 0x1f, 0x4e, 0x75, 0x2d, 0xe5, 0x03, 0xb9, 0x6b, 0x66, 0xe1,
-	0xa1, 0xfc, 0x45, 0x73, 0x20, 0xa7, 0xcd, 0x3f, 0xc9, 0x84, 0xcd, 0x1a, 0x86, 0x74, 0x1f, 0x0e,
-	0x40, 0x07, 0xca, 0xc4, 0xdf, 0x12, 0x3a, 0xe4, 0xd2, 0xd1, 0xbe, 0xdd, 0x45, 0x7f, 0x8b, 0xaf,
-	0x79, 0xe6, 0xe5, 0xb8, 0xe8, 0x6f, 0x61, 0x4a, 0x1b, 0x7d, 0xc9, 0x4a, 0x19, 0x82, 0xdc, 0x6d,
-	0xf8, 0xe1, 0x63, 0xd9, 0x39, 0xf4, 0x6d, 0x1b, 0xda, 0xff, 0xae, 0x04, 0xe7, 0xf7, 0x23, 0xd2,
-	0xc7, 0xf0, 0x3d, 0x01, 0x83, 0x31, 0x3b, 0x08, 0x17, 0x42, 0x79, 0x98, 0xce, 0x55, 0x7e, 0x34,
-	0xfe, 0x2a, 0x16, 0x20, 0xe4, 0x41, 0xb9, 0xed, 0x84, 0xc2, 0x9b, 0x34, 0x7f, 0xd4, 0x44, 0x1a,
-	0xfa, 0xdf, 0xf1, 0x16, 0x9d, 0x90, 0xfb, 0x28, 0x8c, 0x06, 0x4c, 0xd9, 0xa0, 0x04, 0x2a, 0x4e,
-	0x14, 0x39, 0xf2, 0xd4, 0xf5, 0x6a, 0x31, 0xfc, 0xa6, 0x29, 0x49, 0x7e, 0x68, 0x95, 0x6a, 0xc2,
-	0x9c, 0x99, 0xfd, 0xb9, 0xa1, 0x54, 0x32, 0x09, 0x3b, 0x4a, 0x8f, 0x61, 0x50, 0x38, 0x91, 0xac,
-	0xa2, 0xf3, 0x97, 0x78, 0x36, 0x20, 0xdb, 0x27, 0x8a, 0x9c, 0x6a, 0xc1, 0x0a, 0x7d, 0xd6, 0x62,
-	0x99, 0xcb, 0x32, 0xc1, 0x46, 0xec, 0xce, 0x8e, 0x27, 0x91, 0xda, 0xcc, 0x87, 0x96, 0x8d, 0xd8,
-	0xe4, 0x2e, 0x2a, 0x10, 0x30, 0xab, 0xb4, 0xbb, 0x02, 0x01, 0xb3, 0x32, 0x25, 0x1c, 0x6d, 0xe7,
-	0x1c, 0x99, 0x17, 0x90, 0xfd, 0xda, 0xc7, 0x21, 0xf9, 0xd7, 0x2c, 0x38, 0xe5, 0x66, 0xcf, 0x3e,
-	0xc5, 0x5e, 0xe6, 0x88, 0x41, 0x19, 0xbd, 0x8f, 0x56, 0x95, 0x3a, 0xef, 0x02, 0xe1, 0xee, 0xce,
-	0xa0, 0x26, 0x0c, 0xb8, 0xfe, 0x7a, 0x20, 0x8c, 0x98, 0xfa, 0xd1, 0x3a, 0x35, 0xef, 0xaf, 0x07,
-	0x7a, 0x35, 0xd3, 0x7f, 0x98, 0x51, 0x47, 0x0b, 0x70, 0x26, 0x12, 0xde, 0xa6, 0xcb, 0x6e, 0x9c,
-	0x04, 0xd1, 0xce, 0x82, 0xdb, 0x76, 0x13, 0x66, 0x80, 0x94, 0xeb, 0xe3, 0x54, 0x3f, 0xe0, 0x1c,
-	0x38, 0xce, 0x7d, 0x0a, 0xbd, 0x0e, 0x43, 0x32, 0xd5, 0xba, 0x5a, 0xc4, 0xbe, 0xb0, 0x7b, 0xfe,
-	0xab, 0xc9, 0xb4, 0x22, 0xb2, 0xaa, 0x25, 0x43, 0xfb, 0x8d, 0x61, 0xe8, 0x3e, 0x16, 0x45, 0x1f,
-	0x83, 0x5a, 0xa4, 0xd2, 0xbf, 0xad, 0x22, 0xd4, 0xb5, 0xfc, 0xbe, 0xe2, 0x48, 0x56, 0x99, 0x42,
-	0x3a, 0xd1, 0x5b, 0x73, 0xa4, 0x1b, 0x96, 0x58, 0x9f, 0x9e, 0x16, 0x30, 0xb7, 0x05, 0x57, 0x7d,
-	0x32, 0xb6, 0xe3, 0x37, 0x30, 0xe3, 0x81, 0x22, 0x18, 0xdc, 0x20, 0x8e, 0x97, 0x6c, 0x14, 0xe3,
-	0xc4, 0xbf, 0xcc, 0x68, 0x65, 0x93, 0x80, 0x78, 0x2b, 0x16, 0x9c, 0xd0, 0x36, 0x0c, 0x6d, 0xf0,
-	0x09, 0x20, 0xf6, 0x10, 0x8b, 0x47, 0x1d, 0xdc, 0xd4, 0xac, 0xd2, 0x9f, 0x5b, 0x34, 0x60, 0xc9,
-	0x8e, 0xc5, 0xdb, 0x18, 0x11, 0x01, 0x7c, 0xe9, 0x16, 0x97, 0xff, 0xd4, 0x7f, 0x38, 0xc0, 0x47,
-	0x60, 0x24, 0x22, 0x8d, 0xc0, 0x6f, 0xb8, 0x1e, 0x69, 0x4e, 0x4b, 0x07, 0xfd, 0x41, 0xb2, 0x66,
-	0xd8, 0x3e, 0x1c, 0x1b, 0x34, 0x70, 0x8a, 0x22, 0xfa, 0x8c, 0x05, 0x63, 0x2a, 0x67, 0x94, 0x7e,
-	0x10, 0x22, 0x1c, 0xc2, 0x0b, 0x05, 0x65, 0xa8, 0x32, 0x9a, 0x75, 0x74, 0x67, 0x77, 0x62, 0x2c,
-	0xdd, 0x86, 0x33, 0x7c, 0xd1, 0xcb, 0x00, 0xc1, 0x1a, 0x0f, 0xaa, 0x99, 0x4e, 0x84, 0x77, 0xf8,
-	0x20, 0xaf, 0x3a, 0xc6, 0xd3, 0xe7, 0x24, 0x05, 0x6c, 0x50, 0x43, 0x57, 0x01, 0xf8, 0xb2, 0x59,
-	0xdd, 0x09, 0xe5, 0x46, 0x43, 0xa6, 0x3d, 0xc1, 0x8a, 0x82, 0xdc, 0xdd, 0x9d, 0xe8, 0xf6, 0xd6,
-	0xb1, 0xc0, 0x05, 0xe3, 0x71, 0xf4, 0x93, 0x30, 0x14, 0x77, 0xda, 0x6d, 0x47, 0xf9, 0x8e, 0x0b,
-	0x4c, 0xc8, 0xe3, 0x74, 0x0d, 0x51, 0xc4, 0x1b, 0xb0, 0xe4, 0x88, 0x6e, 0x51, 0xa1, 0x1a, 0x0b,
-	0x37, 0x22, 0x5b, 0x45, 0xdc, 0x26, 0x18, 0x66, 0xef, 0xf4, 0x1e, 0x69, 0x78, 0xe3, 0x1c, 0x9c,
-	0xbb, 0xbb, 0x13, 0x0f, 0xa5, 0xdb, 0x17, 0x02, 0x91, 0x22, 0x97, 0x4b, 0x13, 0x5d, 0x91, 0x95,
-	0x57, 0xe8, 0x6b, 0xcb, 0x82, 0x00, 0x4f, 0xe9, 0xca, 0x2b, 0xac, 0xb9, 0xf7, 0x98, 0x99, 0x0f,
-	0xa3, 0x45, 0x38, 0xdd, 0x08, 0xfc, 0x24, 0x0a, 0x3c, 0x8f, 0x57, 0x1e, 0xe2, 0x7b, 0x3e, 0xee,
-	0x5b, 0x7e, 0xbb, 0xe8, 0xf6, 0xe9, 0x99, 0x6e, 0x14, 0x9c, 0xf7, 0x9c, 0xed, 0xa7, 0xa3, 0x0d,
-	0xc5, 0xe0, 0x3c, 0x07, 0x23, 0x64, 0x3b, 0x21, 0x91, 0xef, 0x78, 0xd7, 0xf1, 0x82, 0xf4, 0xaa,
-	0xb2, 0x35, 0x70, 0xd1, 0x68, 0xc7, 0x29, 0x2c, 0x64, 0x2b, 0x47, 0x87, 0x91, 0xf6, 0xc9, 0x1d,
-	0x1d, 0xd2, 0xad, 0x61, 0xff, 0x9f, 0x52, 0xca, 0x20, 0x5b, 0x8d, 0x08, 0x41, 0x01, 0x54, 0xfc,
-	0xa0, 0xa9, 0x64, 0xff, 0x95, 0x62, 0x64, 0xff, 0xb5, 0xa0, 0x69, 0x94, 0x67, 0xa1, 0xff, 0x62,
-	0xcc, 0xf9, 0xb0, 0xfa, 0x15, 0xb2, 0xd0, 0x07, 0x03, 0x88, 0x8d, 0x46, 0x91, 0x9c, 0x55, 0xfd,
-	0x8a, 0x25, 0x93, 0x11, 0x4e, 0xf3, 0x45, 0x9b, 0x50, 0xd9, 0x08, 0xe2, 0x44, 0x6e, 0x3f, 0x8e,
-	0xb8, 0xd3, 0xb9, 0x1c, 0xc4, 0x09, 0xb3, 0x22, 0xd4, 0x6b, 0xd3, 0x96, 0x18, 0x73, 0x1e, 0xf6,
-	0x7f, 0xb5, 0x52, 0x3e, 0xf4, 0x9b, 0x2c, 0xf2, 0x76, 0x8b, 0xf8, 0x74, 0x59, 0x9b, 0xa1, 0x46,
+	0x65, 0xf1, 0xff, 0x83, 0x94, 0xfe, 0xd7, 0x16, 0xbc, 0x23, 0x2d, 0xbd, 0xe4, 0xcc, 0x99, 0x6f,
+	0xf9, 0x41, 0x44, 0x66, 0xdd, 0xf5, 0x75, 0x12, 0x11, 0xbf, 0x41, 0x62, 0xe5, 0xc5, 0xb0, 0x7a,
+	0x79, 0x31, 0xd0, 0x73, 0x30, 0x72, 0x2b, 0x0e, 0xfc, 0xe5, 0xc0, 0xf5, 0x85, 0x08, 0xa2, 0x1b,
+	0xe1, 0x93, 0x77, 0x76, 0x27, 0x46, 0xe8, 0x88, 0xca, 0x76, 0x9c, 0xc2, 0x42, 0x33, 0x70, 0xea,
+	0xd6, 0x6b, 0xcb, 0x4e, 0x62, 0xb8, 0x03, 0xe4, 0xc6, 0x9d, 0x1d, 0x58, 0x5c, 0x79, 0x29, 0x03,
+	0xc4, 0xdd, 0xf8, 0xf6, 0xdf, 0x2a, 0xc1, 0x23, 0x99, 0x17, 0x09, 0x3c, 0x2f, 0xe8, 0x24, 0x74,
+	0x53, 0x83, 0xbe, 0x6a, 0xc1, 0xc9, 0x76, 0xda, 0xe3, 0x10, 0x0b, 0xc7, 0xee, 0x07, 0x0a, 0xd3,
+	0x11, 0x19, 0x97, 0x46, 0x7d, 0x5c, 0x8c, 0xd0, 0xc9, 0x0c, 0x20, 0xc6, 0x5d, 0x7d, 0x41, 0xaf,
+	0x40, 0xad, 0xed, 0x6c, 0x5f, 0x0f, 0x9b, 0x4e, 0x22, 0xf7, 0x93, 0xbd, 0xdd, 0x00, 0x9d, 0xc4,
+	0xf5, 0x26, 0xf9, 0xd1, 0xfe, 0xe4, 0xbc, 0x9f, 0x2c, 0x45, 0x2b, 0x49, 0xe4, 0xfa, 0x2d, 0xee,
+	0xce, 0x5b, 0x94, 0x64, 0xb0, 0xa6, 0x68, 0x7f, 0xc5, 0xca, 0x2a, 0x29, 0x35, 0x3a, 0x91, 0x93,
+	0x90, 0xd6, 0x0e, 0xfa, 0x28, 0x54, 0xe8, 0xc6, 0x4f, 0x8e, 0xca, 0xcd, 0x22, 0x35, 0xa7, 0xf1,
+	0x25, 0xb4, 0x12, 0xa5, 0xff, 0x62, 0xcc, 0x99, 0xda, 0x5f, 0xad, 0x65, 0x8d, 0x05, 0x76, 0x78,
+	0x7b, 0x01, 0xa0, 0x15, 0xac, 0x92, 0x76, 0xe8, 0xd1, 0x61, 0xb1, 0xd8, 0x09, 0x80, 0xf2, 0x75,
+	0xcc, 0x29, 0x08, 0x36, 0xb0, 0xd0, 0x5f, 0xb1, 0x00, 0x5a, 0x72, 0xce, 0x4b, 0x43, 0xe0, 0x7a,
+	0x91, 0xaf, 0xa3, 0x57, 0x94, 0xee, 0x8b, 0x62, 0x88, 0x0d, 0xe6, 0xe8, 0xa7, 0x2d, 0xa8, 0x26,
+	0xb2, 0xfb, 0x5c, 0x35, 0xae, 0x16, 0xd9, 0x13, 0xf9, 0xd2, 0xda, 0x26, 0x52, 0x43, 0xa2, 0xf8,
+	0xa2, 0x9f, 0xb5, 0x00, 0xe2, 0x1d, 0xbf, 0xb1, 0x1c, 0x78, 0x6e, 0x63, 0x47, 0x68, 0xcc, 0x1b,
+	0x85, 0xfa, 0x63, 0x14, 0xf5, 0xfa, 0x18, 0x1d, 0x0d, 0xfd, 0x1f, 0x1b, 0x9c, 0xd1, 0xc7, 0xa1,
+	0x1a, 0x8b, 0xe9, 0x26, 0x74, 0xe4, 0x6a, 0xb1, 0x5e, 0x21, 0x4e, 0x5b, 0x88, 0x57, 0xf1, 0x0f,
+	0x2b, 0x9e, 0xe8, 0xe7, 0x2d, 0x38, 0x11, 0xa6, 0xfd, 0x7c, 0x42, 0x1d, 0x16, 0x27, 0x03, 0x32,
+	0x7e, 0xc4, 0xfa, 0xe9, 0x3b, 0xbb, 0x13, 0x27, 0x32, 0x8d, 0x38, 0xdb, 0x0b, 0x2a, 0x01, 0xf5,
+	0x0c, 0x5e, 0x0a, 0xb9, 0xcf, 0x71, 0x48, 0x4b, 0xc0, 0xb9, 0x2c, 0x10, 0x77, 0xe3, 0xa3, 0x65,
+	0x38, 0x43, 0x7b, 0xb7, 0xc3, 0xcd, 0x4f, 0xa9, 0x5e, 0x62, 0xa6, 0x0c, 0xab, 0xf5, 0x47, 0xc5,
+	0x0c, 0x61, 0x5e, 0xfd, 0x2c, 0x0e, 0xce, 0x7d, 0x12, 0xfd, 0xae, 0x05, 0x8f, 0xba, 0x4c, 0x0d,
+	0x98, 0x0e, 0x73, 0xad, 0x11, 0xc4, 0x49, 0x2c, 0x29, 0x54, 0x56, 0xf4, 0x52, 0x3f, 0xf5, 0x1f,
+	0x14, 0x6f, 0xf0, 0xe8, 0xfc, 0x1e, 0x5d, 0xc2, 0x7b, 0x76, 0x18, 0xfd, 0x08, 0x8c, 0xca, 0x75,
+	0xb1, 0x4c, 0x45, 0x30, 0x53, 0xb4, 0xb5, 0xfa, 0xa9, 0x3b, 0xbb, 0x13, 0xa3, 0xab, 0x26, 0x00,
+	0xa7, 0xf1, 0xec, 0x6f, 0x95, 0x52, 0xe7, 0x21, 0xca, 0x09, 0xc9, 0xc4, 0x4d, 0x43, 0xfa, 0x7f,
+	0xa4, 0xf4, 0x2c, 0x54, 0xdc, 0x28, 0xef, 0x92, 0x16, 0x37, 0xaa, 0x29, 0xc6, 0x06, 0x73, 0x6a,
+	0x94, 0x9e, 0x72, 0xb2, 0xae, 0x4e, 0x21, 0x01, 0x5f, 0x29, 0xb2, 0x4b, 0xdd, 0xa7, 0x57, 0x8f,
+	0x88, 0xae, 0x9d, 0xea, 0x02, 0xe1, 0xee, 0x2e, 0xd9, 0xdf, 0x4a, 0x9f, 0xc1, 0x18, 0x8b, 0xb7,
+	0x8f, 0xf3, 0xa5, 0x2f, 0x58, 0x30, 0x1c, 0x05, 0x9e, 0xe7, 0xfa, 0x2d, 0x2a, 0x68, 0x84, 0xb6,
+	0xfc, 0xd0, 0xb1, 0x28, 0x2c, 0x21, 0x51, 0x98, 0x69, 0x8b, 0x35, 0x4f, 0x6c, 0x76, 0xc0, 0xfe,
+	0x13, 0x0b, 0xc6, 0x7b, 0x09, 0x44, 0x44, 0xe0, 0xed, 0x72, 0xb5, 0xab, 0xe8, 0x8a, 0x25, 0x7f,
+	0x96, 0x78, 0x44, 0x39, 0x9e, 0xab, 0xf5, 0x27, 0xc4, 0x6b, 0xbe, 0x7d, 0xb9, 0x37, 0x2a, 0xde,
+	0x8b, 0x0e, 0x7a, 0x19, 0x4e, 0x1a, 0xef, 0x15, 0xab, 0x81, 0xa9, 0xd5, 0x27, 0xa9, 0x05, 0x32,
+	0x9d, 0x81, 0xdd, 0xdd, 0x9d, 0x78, 0x28, 0xdb, 0x26, 0x24, 0x76, 0x17, 0x1d, 0xfb, 0x57, 0x4a,
+	0xd9, 0xaf, 0xa5, 0x94, 0xed, 0x9b, 0x56, 0xd7, 0x76, 0xfe, 0x03, 0xc7, 0xa1, 0xe0, 0xd8, 0xc6,
+	0x5f, 0x05, 0x70, 0xf4, 0xc6, 0xb9, 0x8f, 0x27, 0xc4, 0xf6, 0xbf, 0x1d, 0x80, 0x3d, 0x7a, 0xd6,
+	0x87, 0xf5, 0x7c, 0xe0, 0x63, 0xc5, 0xcf, 0x59, 0xea, 0xc8, 0xa9, 0xcc, 0x16, 0x79, 0xf3, 0xb8,
+	0xc6, 0x9e, 0x6f, 0x60, 0x62, 0x1e, 0xa5, 0xa0, 0xdc, 0xd8, 0xe9, 0xc3, 0x2d, 0xf4, 0x35, 0x2b,
+	0x7d, 0x68, 0xc6, 0xc3, 0xce, 0xdc, 0x63, 0xeb, 0x93, 0x71, 0x12, 0xc7, 0x3b, 0xa6, 0xcf, 0x6f,
+	0x7a, 0x9d, 0xd1, 0x4d, 0x02, 0xac, 0xbb, 0xbe, 0xe3, 0xb9, 0xaf, 0xd3, 0xed, 0x49, 0x85, 0x69,
+	0x58, 0x66, 0xb2, 0x5c, 0x52, 0xad, 0xd8, 0xc0, 0x38, 0xf7, 0x97, 0x61, 0xd8, 0x78, 0xf3, 0x9c,
+	0xe0, 0x8a, 0x33, 0x66, 0x70, 0x45, 0xcd, 0x88, 0x89, 0x38, 0xf7, 0x3e, 0x38, 0x99, 0xed, 0xe0,
+	0x41, 0x9e, 0xb7, 0xff, 0xd7, 0x50, 0xf6, 0x14, 0x6b, 0x95, 0x44, 0x6d, 0xda, 0xb5, 0xb7, 0x3c,
+	0x4b, 0x6f, 0x79, 0x96, 0xde, 0xf2, 0x2c, 0x99, 0x87, 0x03, 0xc2, 0x6b, 0x32, 0x74, 0x8f, 0xbc,
+	0x26, 0x29, 0x3f, 0x50, 0xb5, 0x70, 0x3f, 0x90, 0x7d, 0xa7, 0x02, 0x29, 0x3b, 0x8a, 0x8f, 0xf7,
+	0x3b, 0x61, 0x28, 0x22, 0x61, 0x70, 0x1d, 0x2f, 0x08, 0x1d, 0xa2, 0x63, 0xed, 0x79, 0x33, 0x96,
+	0x70, 0xaa, 0x6b, 0x42, 0x27, 0xd9, 0x10, 0x4a, 0x44, 0xe9, 0x9a, 0x65, 0x27, 0xd9, 0xc0, 0x0c,
+	0x82, 0xde, 0x07, 0x63, 0x89, 0x13, 0xb5, 0xa8, 0xbd, 0xbd, 0xc5, 0x3e, 0xab, 0x38, 0xeb, 0x7c,
+	0x48, 0xe0, 0x8e, 0xad, 0xa6, 0xa0, 0x38, 0x83, 0x8d, 0x5e, 0x83, 0x81, 0x0d, 0xe2, 0xb5, 0xc5,
+	0x90, 0xaf, 0x14, 0x27, 0xe3, 0xd9, 0xbb, 0x5e, 0x26, 0x5e, 0x9b, 0x4b, 0x20, 0xfa, 0x0b, 0x33,
+	0x56, 0x74, 0xbe, 0xd5, 0x36, 0x3b, 0x71, 0x12, 0xb4, 0xdd, 0xd7, 0xa5, 0x8b, 0xef, 0x03, 0x05,
+	0x33, 0xbe, 0x2a, 0xe9, 0x73, 0x5f, 0x8a, 0xfa, 0x8b, 0x35, 0x67, 0xd6, 0x8f, 0xa6, 0x1b, 0xb1,
+	0x4f, 0xb5, 0x23, 0x3c, 0x75, 0x45, 0xf7, 0x63, 0x56, 0xd2, 0xe7, 0xfd, 0x50, 0x7f, 0xb1, 0xe6,
+	0x8c, 0x76, 0xd4, 0xbc, 0x1f, 0x66, 0x7d, 0xb8, 0x5e, 0x70, 0x1f, 0xf8, 0x9c, 0xcf, 0x9d, 0xff,
+	0x4f, 0x40, 0xa5, 0xb1, 0xe1, 0x44, 0xc9, 0xf8, 0x08, 0x9b, 0x34, 0xca, 0xa7, 0x33, 0x43, 0x1b,
+	0x31, 0x87, 0xa1, 0xc7, 0xa0, 0x1c, 0x91, 0x75, 0x16, 0xb7, 0x69, 0x44, 0xf4, 0x60, 0xb2, 0x8e,
+	0x69, 0xbb, 0xfd, 0x4b, 0xa5, 0xb4, 0xb9, 0x94, 0x7e, 0x6f, 0x3e, 0xdb, 0x1b, 0x9d, 0x28, 0x96,
+	0x7e, 0x1f, 0x63, 0xb6, 0xb3, 0x66, 0x2c, 0xe1, 0xe8, 0x93, 0x16, 0x0c, 0xdd, 0x8a, 0x03, 0xdf,
+	0x27, 0x89, 0x50, 0x4d, 0x37, 0x0a, 0x1e, 0x8a, 0x2b, 0x9c, 0xba, 0xee, 0x83, 0x68, 0xc0, 0x92,
+	0x2f, 0xed, 0x2e, 0xd9, 0x6e, 0x78, 0x9d, 0x66, 0x57, 0x90, 0xc6, 0x45, 0xde, 0x8c, 0x25, 0x9c,
+	0xa2, 0xba, 0x3e, 0x47, 0x1d, 0x48, 0xa3, 0xce, 0xfb, 0x02, 0x55, 0xc0, 0xed, 0xbf, 0x31, 0x08,
+	0x67, 0x73, 0x17, 0x07, 0x35, 0x64, 0x98, 0xa9, 0x70, 0xc9, 0xf5, 0x88, 0x0c, 0x4f, 0x62, 0x86,
+	0xcc, 0x0d, 0xd5, 0x8a, 0x0d, 0x0c, 0xf4, 0x53, 0x00, 0xa1, 0x13, 0x39, 0x6d, 0xa2, 0xfc, 0xb2,
+	0x47, 0xb6, 0x17, 0x68, 0x3f, 0x96, 0x25, 0x4d, 0xbd, 0x37, 0x55, 0x4d, 0x31, 0x36, 0x58, 0xa2,
+	0xe7, 0x61, 0x38, 0x22, 0x1e, 0x71, 0x62, 0x16, 0xf6, 0x9b, 0xcd, 0x61, 0xc0, 0x1a, 0x84, 0x4d,
+	0x3c, 0xf4, 0xa4, 0x8a, 0xe4, 0xca, 0x44, 0xb4, 0xa4, 0xa3, 0xb9, 0xd0, 0x1b, 0x16, 0x8c, 0xad,
+	0xbb, 0x1e, 0xd1, 0xdc, 0x45, 0xc6, 0xc1, 0xd2, 0xd1, 0x5f, 0xf2, 0x92, 0x49, 0x57, 0x4b, 0xc8,
+	0x54, 0x73, 0x8c, 0x33, 0xec, 0xe9, 0x67, 0xde, 0x22, 0x11, 0x13, 0xad, 0x83, 0xe9, 0xcf, 0x7c,
+	0x83, 0x37, 0x63, 0x09, 0x47, 0xd3, 0x70, 0x22, 0x74, 0xe2, 0x78, 0x26, 0x22, 0x4d, 0xe2, 0x27,
+	0xae, 0xe3, 0xf1, 0x7c, 0x80, 0xaa, 0x8e, 0x07, 0x5e, 0x4e, 0x83, 0x71, 0x16, 0x1f, 0x7d, 0x10,
+	0x1e, 0xe6, 0x8e, 0x8f, 0x45, 0x37, 0x8e, 0x5d, 0xbf, 0xa5, 0xa7, 0x81, 0xf0, 0xff, 0x4c, 0x08,
+	0x52, 0x0f, 0xcf, 0xe7, 0xa3, 0xe1, 0x5e, 0xcf, 0xa3, 0xa7, 0xa1, 0x1a, 0x6f, 0xba, 0xe1, 0x4c,
+	0xd4, 0x8c, 0xd9, 0xa1, 0x47, 0x55, 0x7b, 0x1b, 0x57, 0x44, 0x3b, 0x56, 0x18, 0xa8, 0x01, 0x23,
+	0xfc, 0x93, 0xf0, 0x50, 0x34, 0x21, 0x1f, 0x9f, 0xe9, 0xa9, 0x1e, 0x45, 0x7a, 0xdb, 0x24, 0x76,
+	0x6e, 0x5f, 0x94, 0x47, 0x30, 0xfc, 0xc4, 0xe0, 0x86, 0x41, 0x06, 0xa7, 0x88, 0xda, 0xbf, 0x50,
+	0x4a, 0xef, 0xb8, 0xcd, 0x45, 0x8a, 0x62, 0xba, 0x14, 0x93, 0x1b, 0x4e, 0x24, 0xbd, 0x31, 0x47,
+	0x4c, 0x5b, 0x10, 0x74, 0x6f, 0x38, 0x91, 0xb9, 0xa8, 0x19, 0x03, 0x2c, 0x39, 0xa1, 0x5b, 0x30,
+	0x90, 0x78, 0x4e, 0x41, 0x79, 0x4e, 0x06, 0x47, 0xed, 0x00, 0x59, 0x98, 0x8e, 0x31, 0xe3, 0x81,
+	0x1e, 0xa5, 0x56, 0xff, 0x9a, 0x3c, 0x22, 0x11, 0x86, 0xfa, 0x5a, 0x8c, 0x59, 0xab, 0x7d, 0x17,
+	0x72, 0xe4, 0xaa, 0x52, 0x64, 0xe8, 0x02, 0x00, 0xdd, 0x40, 0x2e, 0x47, 0x64, 0xdd, 0xdd, 0x16,
+	0x86, 0x84, 0x5a, 0xbb, 0xd7, 0x14, 0x04, 0x1b, 0x58, 0xf2, 0x99, 0x95, 0xce, 0x3a, 0x7d, 0xa6,
+	0xd4, 0xfd, 0x0c, 0x87, 0x60, 0x03, 0x0b, 0x3d, 0x07, 0x83, 0x6e, 0xdb, 0x69, 0xa9, 0x10, 0xcc,
+	0x47, 0xe9, 0xa2, 0x9d, 0x67, 0x2d, 0x77, 0x77, 0x27, 0xc6, 0x54, 0x87, 0x58, 0x13, 0x16, 0xb8,
+	0xe8, 0x57, 0x2c, 0x18, 0x69, 0x04, 0xed, 0x76, 0xe0, 0xf3, 0x6d, 0x97, 0xd8, 0x43, 0xde, 0x3a,
+	0x2e, 0x35, 0x3f, 0x39, 0x63, 0x30, 0xe3, 0x9b, 0x48, 0x95, 0x90, 0x65, 0x82, 0x70, 0xaa, 0x57,
+	0xe6, 0xda, 0xae, 0xec, 0xb3, 0xb6, 0x7f, 0xdd, 0x82, 0x53, 0xfc, 0x59, 0x63, 0x37, 0x28, 0x72,
+	0x8f, 0x82, 0x63, 0x7e, 0xad, 0xae, 0x0d, 0xb2, 0xf2, 0xd2, 0x75, 0xc1, 0x71, 0x77, 0x27, 0xd1,
+	0x1c, 0x9c, 0x5a, 0x0f, 0xa2, 0x06, 0x31, 0x07, 0x42, 0x08, 0x26, 0x45, 0xe8, 0x52, 0x16, 0x01,
+	0x77, 0x3f, 0x83, 0x6e, 0xc0, 0x43, 0x46, 0xa3, 0x39, 0x0e, 0x5c, 0x36, 0x3d, 0x2e, 0xa8, 0x3d,
+	0x74, 0x29, 0x17, 0x0b, 0xf7, 0x78, 0x3a, 0xed, 0x30, 0xa9, 0xf5, 0xe1, 0x30, 0x79, 0x15, 0x1e,
+	0x69, 0x74, 0x8f, 0xcc, 0x56, 0xdc, 0x59, 0x8b, 0xb9, 0xa4, 0xaa, 0xd6, 0x7f, 0x40, 0x10, 0x78,
+	0x64, 0xa6, 0x17, 0x22, 0xee, 0x4d, 0x03, 0x7d, 0x14, 0xaa, 0x11, 0x61, 0x5f, 0x25, 0x16, 0x89,
+	0x38, 0x47, 0xdc, 0x25, 0x6b, 0x0b, 0x94, 0x93, 0xd5, 0xb2, 0x57, 0x34, 0xc4, 0x58, 0x71, 0x44,
+	0xb7, 0x61, 0x28, 0x74, 0x92, 0xc6, 0x86, 0x48, 0xbf, 0x39, 0x72, 0xfc, 0x8b, 0x62, 0xce, 0x7c,
+	0xe0, 0x46, 0xc2, 0x2e, 0x67, 0x82, 0x25, 0x37, 0x6a, 0x8d, 0x34, 0x82, 0x76, 0x18, 0xf8, 0xc4,
+	0x4f, 0xe2, 0xf1, 0x51, 0x6d, 0x8d, 0xcc, 0xa8, 0x56, 0x6c, 0x60, 0xa0, 0x65, 0x38, 0xc3, 0x7c,
+	0x46, 0x37, 0xdd, 0x64, 0x23, 0xe8, 0x24, 0x72, 0x0b, 0x34, 0x3e, 0x96, 0x3e, 0xaa, 0x58, 0xc8,
+	0xc1, 0xc1, 0xb9, 0x4f, 0x9e, 0x7b, 0x3f, 0x9c, 0xea, 0x5a, 0xca, 0x07, 0x72, 0xd7, 0xcc, 0xc2,
+	0x43, 0xf9, 0x8b, 0xe6, 0x40, 0x4e, 0x9b, 0x7f, 0x92, 0x09, 0x9b, 0x35, 0x0c, 0xe9, 0x3e, 0x1c,
+	0x80, 0x0e, 0x94, 0x89, 0xbf, 0x25, 0x74, 0xc8, 0xa5, 0xa3, 0x7d, 0xbb, 0x8b, 0xfe, 0x16, 0x5f,
+	0xf3, 0xcc, 0xcb, 0x71, 0xd1, 0xdf, 0xc2, 0x94, 0x36, 0xfa, 0x92, 0x95, 0x32, 0x04, 0xb9, 0xdb,
+	0xf0, 0xc3, 0xc7, 0xb2, 0x73, 0xe8, 0xdb, 0x36, 0xb4, 0xff, 0x5d, 0x09, 0xce, 0xef, 0x47, 0xa4,
+	0x8f, 0xe1, 0x7b, 0x02, 0x06, 0x63, 0x76, 0x10, 0x2e, 0x84, 0xf2, 0x30, 0x9d, 0xab, 0xfc, 0x68,
+	0xfc, 0x55, 0x2c, 0x40, 0xc8, 0x83, 0x72, 0xdb, 0x09, 0x85, 0x37, 0x69, 0xfe, 0xa8, 0x89, 0x34,
+	0xf4, 0xbf, 0xe3, 0x2d, 0x3a, 0x21, 0xf7, 0x51, 0x18, 0x0d, 0x98, 0xb2, 0x41, 0x09, 0x54, 0x9c,
+	0x28, 0x72, 0xe4, 0xa9, 0xeb, 0xd5, 0x62, 0xf8, 0x4d, 0x53, 0x92, 0xfc, 0xd0, 0x2a, 0xd5, 0x84,
+	0x39, 0x33, 0xfb, 0x73, 0x43, 0xa9, 0x64, 0x12, 0x76, 0x94, 0x1e, 0xc3, 0xa0, 0x70, 0x22, 0x59,
+	0x45, 0xe7, 0x2f, 0xf1, 0x6c, 0x40, 0xb6, 0x4f, 0x14, 0x39, 0xd5, 0x82, 0x15, 0xfa, 0xac, 0xc5,
+	0x32, 0x97, 0x65, 0x82, 0x8d, 0xd8, 0x9d, 0x1d, 0x4f, 0x22, 0xb5, 0x99, 0x0f, 0x2d, 0x1b, 0xb1,
+	0xc9, 0x5d, 0x54, 0x20, 0x60, 0x56, 0x69, 0x77, 0x05, 0x02, 0x66, 0x65, 0x4a, 0x38, 0xda, 0xce,
+	0x39, 0x32, 0x2f, 0x20, 0xfb, 0xb5, 0x8f, 0x43, 0xf2, 0xaf, 0x59, 0x70, 0xca, 0xcd, 0x9e, 0x7d,
+	0x8a, 0xbd, 0xcc, 0x11, 0x83, 0x32, 0x7a, 0x1f, 0xad, 0x2a, 0x75, 0xde, 0x05, 0xc2, 0xdd, 0x9d,
+	0x41, 0x4d, 0x18, 0x70, 0xfd, 0xf5, 0x40, 0x18, 0x31, 0xf5, 0xa3, 0x75, 0x6a, 0xde, 0x5f, 0x0f,
+	0xf4, 0x6a, 0xa6, 0xff, 0x30, 0xa3, 0x8e, 0x16, 0xe0, 0x4c, 0x24, 0xbc, 0x4d, 0x97, 0xdd, 0x38,
+	0x09, 0xa2, 0x9d, 0x05, 0xb7, 0xed, 0x26, 0xcc, 0x00, 0x29, 0xd7, 0xc7, 0xa9, 0x7e, 0xc0, 0x39,
+	0x70, 0x9c, 0xfb, 0x14, 0x7a, 0x1d, 0x86, 0x64, 0xaa, 0x75, 0xb5, 0x88, 0x7d, 0x61, 0xf7, 0xfc,
+	0x57, 0x93, 0x69, 0x45, 0x64, 0x55, 0x4b, 0x86, 0xf6, 0x1b, 0xc3, 0xd0, 0x7d, 0x2c, 0x8a, 0x3e,
+	0x06, 0xb5, 0x48, 0xa5, 0x7f, 0x5b, 0x45, 0xa8, 0x6b, 0xf9, 0x7d, 0xc5, 0x91, 0xac, 0x32, 0x85,
+	0x74, 0xa2, 0xb7, 0xe6, 0x48, 0x37, 0x2c, 0xb1, 0x3e, 0x3d, 0x2d, 0x60, 0x6e, 0x0b, 0xae, 0xfa,
+	0x64, 0x6c, 0xc7, 0x6f, 0x60, 0xc6, 0x03, 0x45, 0x30, 0xb8, 0x41, 0x1c, 0x2f, 0xd9, 0x28, 0xc6,
+	0x89, 0x7f, 0x99, 0xd1, 0xca, 0x26, 0x01, 0xf1, 0x56, 0x2c, 0x38, 0xa1, 0x6d, 0x18, 0xda, 0xe0,
+	0x13, 0x40, 0xec, 0x21, 0x16, 0x8f, 0x3a, 0xb8, 0xa9, 0x59, 0xa5, 0x3f, 0xb7, 0x68, 0xc0, 0x92,
+	0x1d, 0x8b, 0xb7, 0x31, 0x22, 0x02, 0xf8, 0xd2, 0x2d, 0x2e, 0xff, 0xa9, 0xff, 0x70, 0x80, 0x8f,
+	0xc0, 0x48, 0x44, 0x1a, 0x81, 0xdf, 0x70, 0x3d, 0xd2, 0x9c, 0x96, 0x0e, 0xfa, 0x83, 0x64, 0xcd,
+	0xb0, 0x7d, 0x38, 0x36, 0x68, 0xe0, 0x14, 0x45, 0xf4, 0x19, 0x0b, 0xc6, 0x54, 0xce, 0x28, 0xfd,
+	0x20, 0x44, 0x38, 0x84, 0x17, 0x0a, 0xca, 0x50, 0x65, 0x34, 0xeb, 0xe8, 0xce, 0xee, 0xc4, 0x58,
+	0xba, 0x0d, 0x67, 0xf8, 0xa2, 0x97, 0x01, 0x82, 0x35, 0x1e, 0x54, 0x33, 0x9d, 0x08, 0xef, 0xf0,
+	0x41, 0x5e, 0x75, 0x8c, 0xa7, 0xcf, 0x49, 0x0a, 0xd8, 0xa0, 0x86, 0xae, 0x02, 0xf0, 0x65, 0xb3,
+	0xba, 0x13, 0xca, 0x8d, 0x86, 0x4c, 0x7b, 0x82, 0x15, 0x05, 0xb9, 0xbb, 0x3b, 0xd1, 0xed, 0xad,
+	0x63, 0x81, 0x0b, 0xc6, 0xe3, 0xe8, 0x27, 0x61, 0x28, 0xee, 0xb4, 0xdb, 0x8e, 0xf2, 0x1d, 0x17,
+	0x98, 0x90, 0xc7, 0xe9, 0x1a, 0xa2, 0x88, 0x37, 0x60, 0xc9, 0x11, 0xdd, 0xa2, 0x42, 0x35, 0x16,
+	0x6e, 0x44, 0xb6, 0x8a, 0xb8, 0x4d, 0x30, 0xcc, 0xde, 0xe9, 0x3d, 0xd2, 0xf0, 0xc6, 0x39, 0x38,
+	0x77, 0x77, 0x27, 0x1e, 0x4a, 0xb7, 0x2f, 0x04, 0x22, 0x45, 0x2e, 0x97, 0x26, 0xba, 0x22, 0x2b,
+	0xaf, 0xd0, 0xd7, 0x96, 0x05, 0x01, 0x9e, 0xd2, 0x95, 0x57, 0x58, 0x73, 0xef, 0x31, 0x33, 0x1f,
+	0x46, 0x8b, 0x70, 0xba, 0x11, 0xf8, 0x49, 0x14, 0x78, 0x1e, 0xaf, 0x3c, 0xc4, 0xf7, 0x7c, 0xdc,
+	0xb7, 0xfc, 0x76, 0xd1, 0xed, 0xd3, 0x33, 0xdd, 0x28, 0x38, 0xef, 0x39, 0xdb, 0x4f, 0x47, 0x1b,
+	0x8a, 0xc1, 0x79, 0x0e, 0x46, 0xc8, 0x76, 0x42, 0x22, 0xdf, 0xf1, 0xae, 0xe3, 0x05, 0xe9, 0x55,
+	0x65, 0x6b, 0xe0, 0xa2, 0xd1, 0x8e, 0x53, 0x58, 0xc8, 0x56, 0x8e, 0x0e, 0x23, 0xed, 0x93, 0x3b,
+	0x3a, 0xa4, 0x5b, 0xc3, 0xfe, 0xdf, 0xa5, 0x94, 0x41, 0xb6, 0x1a, 0x11, 0x82, 0x02, 0xa8, 0xf8,
+	0x41, 0x53, 0xc9, 0xfe, 0x2b, 0xc5, 0xc8, 0xfe, 0x6b, 0x41, 0xd3, 0x28, 0xcf, 0x42, 0xff, 0xc5,
+	0x98, 0xf3, 0x61, 0xf5, 0x2b, 0x64, 0xa1, 0x0f, 0x06, 0x10, 0x1b, 0x8d, 0x22, 0x39, 0xab, 0xfa,
+	0x15, 0x4b, 0x26, 0x23, 0x9c, 0xe6, 0x8b, 0x36, 0xa1, 0xb2, 0x11, 0xc4, 0x89, 0xdc, 0x7e, 0x1c,
+	0x71, 0xa7, 0x73, 0x39, 0x88, 0x13, 0x66, 0x45, 0xa8, 0xd7, 0xa6, 0x2d, 0x31, 0xe6, 0x3c, 0xec,
+	0x3f, 0xb5, 0x52, 0x3e, 0xf4, 0x9b, 0x2c, 0xf2, 0x76, 0x8b, 0xf8, 0x74, 0x59, 0x9b, 0xa1, 0x46,
 	0x3f, 0x92, 0xc9, 0x63, 0x7c, 0x47, 0xaf, 0xc2, 0x5a, 0xb7, 0x29, 0x85, 0x49, 0x46, 0xc2, 0x88,
 	0x4a, 0xfa, 0x84, 0x95, 0xce, 0x28, 0x2d, 0x15, 0xb1, 0xc1, 0x30, 0xb3, 0xaa, 0xf7, 0x4d, 0x4e,
 	0xb5, 0xbf, 0x64, 0xc1, 0x50, 0xdd, 0x69, 0x6c, 0x06, 0xeb, 0xeb, 0xe8, 0x69, 0xa8, 0x36, 0x3b,
@@ -4772,7 +4772,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0xf9, 0x28, 0x16, 0xbe, 0x62, 0x95, 0xe0, 0x91, 0xa9, 0x99, 0x14, 0xe3, 0xae, 0x27, 0x4c, 0xe7,
 	0xc3, 0xf0, 0x3e, 0xce, 0x87, 0x1d, 0x15, 0xd5, 0xc7, 0xbd, 0xb8, 0x2f, 0x15, 0x32, 0x00, 0x7d,
 	0x85, 0xf0, 0x7d, 0x3e, 0x13, 0xc2, 0x37, 0xca, 0x3a, 0x70, 0xa3, 0x98, 0x0e, 0x1c, 0x3c, 0x5e,
-	0xef, 0x7e, 0xc6, 0xdf, 0xfd, 0xb9, 0x05, 0xf2, 0xbb, 0xce, 0x38, 0x8d, 0x0d, 0x42, 0xa7, 0x0c,
+	0xef, 0x7e, 0xc6, 0xdf, 0xfd, 0x85, 0x05, 0xf2, 0xbb, 0xce, 0x38, 0x8d, 0x0d, 0x42, 0xa7, 0x0c,
 	0x7a, 0x1f, 0x8c, 0xa9, 0x2d, 0xf4, 0x4c, 0xd0, 0xf1, 0x79, 0xe8, 0x5d, 0x59, 0x1f, 0x0a, 0xe3,
 	0x14, 0x14, 0x67, 0xb0, 0xd1, 0x14, 0xd4, 0xe8, 0x38, 0xf1, 0x47, 0xb9, 0xae, 0x55, 0xdb, 0xf4,
 	0xe9, 0xe5, 0x79, 0xf1, 0x94, 0xc6, 0x41, 0x01, 0x9c, 0xf2, 0x9c, 0x38, 0x61, 0x3d, 0xa0, 0x3b,
@@ -4807,7 +4807,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0xb1, 0x89, 0x49, 0x18, 0x30, 0xb9, 0x6b, 0x84, 0x39, 0x2e, 0x88, 0x76, 0xac, 0x30, 0xec, 0xdf,
 	0xb6, 0x20, 0xab, 0x91, 0x8c, 0xea, 0x6b, 0xd6, 0x9e, 0xd5, 0xd7, 0x0e, 0x50, 0xfe, 0xec, 0x27,
 	0x60, 0xd8, 0x49, 0xa8, 0x11, 0xc1, 0xb7, 0xdd, 0xe5, 0xc3, 0x1d, 0x6b, 0x2c, 0x06, 0x4d, 0x77,
-	0xdd, 0x65, 0xdb, 0x6d, 0x93, 0x9c, 0xfd, 0x3f, 0x07, 0xe0, 0x54, 0x57, 0x36, 0x08, 0x7a, 0x01,
+	0xdd, 0x65, 0xdb, 0x6d, 0x93, 0x9c, 0xfd, 0x3f, 0x06, 0xe0, 0x54, 0x57, 0x36, 0x08, 0x7a, 0x01,
 	0x46, 0x1a, 0x62, 0x7a, 0x84, 0xd2, 0xa1, 0x55, 0x33, 0xc3, 0xe2, 0x34, 0x0c, 0xa7, 0x30, 0xfb,
 	0x98, 0xa0, 0xf3, 0x70, 0x3a, 0xa2, 0x1b, 0xfd, 0x0e, 0x99, 0x5e, 0x4f, 0x48, 0xb4, 0x42, 0x1a,
 	0x81, 0xdf, 0xe4, 0x35, 0x02, 0xcb, 0xf5, 0x87, 0xef, 0xec, 0x4e, 0x9c, 0xc6, 0xdd, 0x60, 0x9c,
@@ -4957,7 +4957,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0x27, 0xfa, 0x90, 0xde, 0xe6, 0x2c, 0xb6, 0xfa, 0x9c, 0xc5, 0xdf, 0xdb, 0x9f, 0xc9, 0xfe, 0xeb,
 	0x16, 0x9c, 0xeb, 0xad, 0x3c, 0xd0, 0xb3, 0x30, 0xbc, 0x16, 0x39, 0x7e, 0x63, 0x83, 0x5d, 0xce,
 	0x29, 0x07, 0x85, 0x8d, 0xb5, 0x6e, 0xc6, 0x26, 0x0e, 0xdd, 0xde, 0xf2, 0x98, 0x04, 0x03, 0x43,
-	0x26, 0x99, 0xd2, 0xed, 0xed, 0x6a, 0x16, 0x88, 0xbb, 0xf1, 0xed, 0x3f, 0x2b, 0xe5, 0x77, 0x8b,
+	0x26, 0x99, 0xd2, 0xed, 0xed, 0x6a, 0x16, 0x88, 0xbb, 0xf1, 0xed, 0x3f, 0x2f, 0xe5, 0x77, 0x8b,
 	0x1b, 0x19, 0x07, 0xf9, 0x4e, 0xe2, 0x2b, 0x94, 0xfa, 0x90, 0x25, 0xe5, 0x7b, 0x2d, 0x4b, 0x06,
 	0x7a, 0xc9, 0x12, 0x34, 0x0b, 0x27, 0x8d, 0xcb, 0x5b, 0x78, 0xe2, 0x30, 0x0f, 0xb8, 0x55, 0xd5,
 	0x34, 0x96, 0x33, 0x70, 0xdc, 0xf5, 0x04, 0x7a, 0x1a, 0xaa, 0xae, 0x1f, 0x93, 0x46, 0x27, 0xe2,
@@ -5002,7 +5002,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0xcb, 0x31, 0x22, 0x11, 0x2b, 0xb7, 0x9b, 0x15, 0xd2, 0x33, 0xa2, 0x1d, 0x2b, 0x0c, 0x3a, 0xbf,
 	0xe8, 0x6f, 0x91, 0xb7, 0x99, 0x2d, 0x2a, 0x37, 0xa3, 0x41, 0xd8, 0xc4, 0x43, 0x4f, 0x71, 0x26,
 	0x4c, 0x40, 0x50, 0x41, 0x3d, 0x22, 0x6e, 0xa4, 0x95, 0x32, 0x41, 0x41, 0x65, 0x77, 0x58, 0x32,
-	0x59, 0xa5, 0xbb, 0x3b, 0x2c, 0x04, 0x4a, 0x61, 0xd8, 0xff, 0xcb, 0x82, 0x47, 0x72, 0x87, 0xe2,
+	0x59, 0xa5, 0xbb, 0x3b, 0x2c, 0x04, 0x4a, 0x61, 0xd8, 0xff, 0xd3, 0x82, 0x47, 0x72, 0x87, 0xe2,
 	0x1e, 0x28, 0xdf, 0xed, 0xb4, 0xf2, 0x5d, 0x29, 0x6a, 0xbb, 0x61, 0xbc, 0x45, 0x0f, 0x45, 0xfc,
 	0xef, 0x2d, 0x18, 0xd3, 0xf8, 0xf7, 0xe0, 0x55, 0xdd, 0xf4, 0xab, 0x16, 0xb7, 0xb3, 0xaa, 0x75,
 	0xbd, 0xdb, 0xef, 0x94, 0x40, 0x15, 0x7a, 0x9c, 0x6e, 0xc8, 0x32, 0xba, 0xfb, 0x9c, 0x24, 0xee,
@@ -5014,7 +5014,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0xce, 0x02, 0x14, 0xfb, 0x1a, 0xce, 0x29, 0xa8, 0x39, 0xec, 0xa9, 0x85, 0x8e, 0x93, 0xbd, 0x2c,
 	0x7d, 0x5a, 0x02, 0xb0, 0xc6, 0xb1, 0x7f, 0xd5, 0x82, 0xd3, 0x39, 0x83, 0x56, 0x60, 0xda, 0x5b,
 	0xa2, 0xa5, 0x4d, 0x9e, 0x62, 0x7f, 0x27, 0x0c, 0x35, 0xc9, 0xba, 0x23, 0x43, 0xe0, 0x0c, 0xd9,
-	0x3e, 0xcb, 0x9b, 0xb1, 0x84, 0xdb, 0xff, 0xc3, 0x82, 0x13, 0xe9, 0xbe, 0xc6, 0x2c, 0x95, 0x84,
+	0x3e, 0xcb, 0x9b, 0xb1, 0x84, 0xdb, 0xff, 0xdd, 0x82, 0x13, 0xe9, 0xbe, 0xc6, 0x2c, 0x95, 0x84,
 	0x0f, 0x93, 0x1b, 0x37, 0x82, 0x2d, 0x12, 0xed, 0xd0, 0x37, 0xb7, 0x32, 0xa9, 0x24, 0x5d, 0x18,
 	0x38, 0xe7, 0x29, 0x56, 0xe6, 0xb5, 0xa9, 0x46, 0x5b, 0xce, 0xc8, 0x1b, 0x45, 0xce, 0x48, 0xfd,
 	0x31, 0xcd, 0xe3, 0x72, 0xc5, 0x12, 0x9b, 0xfc, 0xed, 0xef, 0x0c, 0x80, 0xca, 0x8b, 0x65, 0xf1,
@@ -5045,7 +5045,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0xcc, 0x2d, 0x26, 0x8c, 0x34, 0x7f, 0x55, 0xf0, 0x1b, 0xa8, 0xd2, 0x6d, 0x38, 0xc3, 0x3f, 0x4f,
 	0xa5, 0x55, 0x0e, 0xa8, 0xd2, 0xf4, 0x5d, 0x42, 0x83, 0xbd, 0xee, 0x12, 0x42, 0xbe, 0xba, 0x4c,
 	0x6d, 0xa8, 0xf0, 0xcb, 0xd4, 0x20, 0xe7, 0x22, 0xb5, 0x9b, 0x50, 0x6b, 0x44, 0xc4, 0x49, 0x0e,
-	0x79, 0xaf, 0x16, 0x3b, 0xa0, 0x9f, 0x91, 0x04, 0xb0, 0xa6, 0x65, 0xff, 0xdf, 0x01, 0x38, 0x29,
+	0x79, 0xaf, 0x16, 0x3b, 0xa0, 0x9f, 0x91, 0x04, 0xb0, 0xa6, 0x65, 0xff, 0x9f, 0x01, 0x38, 0x29,
 	0x47, 0x44, 0x86, 0xa0, 0x53, 0xfd, 0xc8, 0xf9, 0x6a, 0xe3, 0x56, 0xe9, 0xc7, 0xcb, 0x12, 0x80,
 	0x35, 0x0e, 0xb5, 0xc7, 0x3a, 0x31, 0x59, 0x0a, 0x89, 0xbf, 0xe0, 0xae, 0xc5, 0xe2, 0x9c, 0x53,
 	0x2d, 0x94, 0xeb, 0x1a, 0x84, 0x4d, 0x3c, 0x6a, 0x8c, 0x73, 0xbb, 0x38, 0xce, 0xa6, 0xaf, 0x08,
@@ -5053,7 +5053,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0xf0, 0x2a, 0xc6, 0xbf, 0x63, 0xc1, 0x59, 0xde, 0x2a, 0x47, 0xf2, 0x7a, 0xd8, 0x74, 0x12, 0x12,
 	0x17, 0x53, 0xf1, 0x3d, 0xa7, 0x7f, 0xda, 0xc9, 0x9b, 0xc7, 0x16, 0xe7, 0xf7, 0x06, 0xbd, 0x61,
 	0xc1, 0x89, 0xcd, 0x54, 0xcd, 0x0f, 0xa9, 0x3a, 0x8e, 0x9a, 0x8e, 0x9f, 0x22, 0xaa, 0x97, 0x5a,
-	0xba, 0x3d, 0xc6, 0x59, 0xee, 0xf6, 0x9f, 0x59, 0x60, 0x8a, 0xd1, 0x7b, 0x5f, 0x2a, 0xe4, 0xe0,
+	0xba, 0x3d, 0xc6, 0x59, 0xee, 0xf6, 0x9f, 0x5b, 0x60, 0x8a, 0xd1, 0x7b, 0x5f, 0x2a, 0xe4, 0xe0,
 	0xa6, 0xa0, 0xb4, 0x2e, 0x2b, 0x3d, 0xad, 0xcb, 0xc7, 0xa0, 0xdc, 0x71, 0x9b, 0x62, 0x7f, 0xa1,
 	0x4f, 0x5f, 0xe7, 0x67, 0x31, 0x6d, 0xb7, 0xff, 0x59, 0x45, 0xfb, 0x2d, 0x44, 0x5e, 0xd4, 0xf7,
 	0xc5, 0x6b, 0xaf, 0xab, 0x62, 0x63, 0xfc, 0xcd, 0xaf, 0x75, 0x15, 0x1b, 0xfb, 0xd1, 0x83, 0xa7,
@@ -5097,7 +5097,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0x21, 0x7f, 0xb3, 0xa8, 0xca, 0xc0, 0xeb, 0x2a, 0xdd, 0x88, 0x03, 0x8f, 0x60, 0x06, 0xa1, 0xea,
 	0x3f, 0x22, 0x2d, 0x7d, 0x4f, 0xb4, 0xfa, 0x7c, 0x98, 0xb5, 0x62, 0x01, 0x45, 0xcf, 0xc3, 0xb0,
 	0xe3, 0x79, 0x3c, 0x3f, 0x86, 0xc4, 0xe2, 0xde, 0x1d, 0x5d, 0x43, 0x4e, 0x83, 0xb0, 0x89, 0x67,
-	0xff, 0x69, 0x09, 0x26, 0xf6, 0x91, 0x29, 0x5d, 0x19, 0x7f, 0x95, 0xbe, 0x33, 0xfe, 0x44, 0x8e,
+	0xff, 0x59, 0x09, 0x26, 0xf6, 0x91, 0x29, 0x5d, 0x19, 0x7f, 0x95, 0xbe, 0x33, 0xfe, 0x44, 0x8e,
 	0xc2, 0x60, 0x8f, 0x1c, 0x85, 0xe7, 0x61, 0x38, 0x21, 0x4e, 0x5b, 0x04, 0x64, 0x09, 0x4f, 0x80,
 	0x3e, 0x01, 0xd6, 0x20, 0x6c, 0xe2, 0x51, 0x29, 0x36, 0xe6, 0x34, 0x1a, 0x24, 0x8e, 0x65, 0x12,
 	0x82, 0xf0, 0xa6, 0x16, 0x96, 0xe1, 0xc0, 0x9c, 0xd4, 0xd3, 0x29, 0x16, 0x38, 0xc3, 0x32, 0x3b,
@@ -5113,7 +5113,7 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0x6a, 0xc5, 0x06, 0x46, 0x36, 0xff, 0xb0, 0xb2, 0x7f, 0xfe, 0xa1, 0xfd, 0x4f, 0x4b, 0xf0, 0x48,
 	0x4f, 0x53, 0xae, 0xbf, 0x05, 0xf8, 0xe0, 0xe5, 0x0c, 0x1e, 0x6e, 0xee, 0x1c, 0x30, 0xb7, 0xed,
 	0x8f, 0x7b, 0xcc, 0x34, 0x91, 0xdb, 0x76, 0xf8, 0xe4, 0xf0, 0x07, 0x6f, 0x3c, 0xbb, 0xd2, 0xd9,
-	0x06, 0x0e, 0x90, 0xce, 0x96, 0xf9, 0x18, 0x95, 0x3e, 0x17, 0xf2, 0x9f, 0x97, 0x7b, 0x0e, 0x2f,
+	0x06, 0x0e, 0x90, 0xce, 0x96, 0xf9, 0x18, 0x95, 0x3e, 0x17, 0xf2, 0x5f, 0x94, 0x7b, 0x0e, 0x2f,
 	0xdd, 0xfa, 0xf5, 0xe5, 0xa7, 0x9d, 0x85, 0x93, 0xae, 0xcf, 0xee, 0x6f, 0x5a, 0xe9, 0xac, 0x89,
 	0xc2, 0x24, 0xa5, 0xf4, 0x2d, 0xeb, 0xf3, 0x19, 0x38, 0xee, 0x7a, 0xe2, 0x01, 0x4c, 0x2f, 0x3c,
 	0xdc, 0x90, 0x1e, 0x2c, 0xc1, 0x15, 0x2d, 0xc1, 0x59, 0x39, 0x14, 0x1b, 0x4e, 0x44, 0x9a, 0x42,
@@ -5121,54 +5121,56 @@ var fileDescriptor_030104ce3b95bcac = []byte{
 	0x04, 0xa1, 0xdb, 0x10, 0x9b, 0x1c, 0x7d, 0x65, 0x0e, 0x6d, 0xc4, 0x1c, 0x66, 0x7f, 0x18, 0x6a,
 	0xea, 0xfd, 0x79, 0x58, 0xb7, 0x9a, 0x74, 0x5d, 0x61, 0xdd, 0x6a, 0xc6, 0x19, 0x58, 0xf4, 0x6b,
 	0x51, 0x93, 0x38, 0xb3, 0x7a, 0xae, 0x92, 0x1d, 0x66, 0x1f, 0xdb, 0xef, 0x86, 0x11, 0xe5, 0x67,
-	0xe9, 0xf7, 0x22, 0x21, 0xfb, 0x4b, 0x83, 0x30, 0x9a, 0x2a, 0x0e, 0x98, 0x72, 0xb0, 0x5a, 0xfb,
-	0x3a, 0x58, 0x59, 0x98, 0x7e, 0xc7, 0x97, 0xb7, 0x8c, 0x19, 0x61, 0xfa, 0x1d, 0x9f, 0x60, 0x0e,
-	0xa3, 0xe6, 0x6d, 0x33, 0xda, 0xc1, 0x1d, 0x5f, 0x84, 0xd3, 0x2a, 0xf3, 0x76, 0x96, 0xb5, 0x62,
-	0x01, 0x45, 0x9f, 0xb0, 0x60, 0x24, 0x66, 0xde, 0x7b, 0xee, 0x9e, 0x16, 0x93, 0xee, 0xca, 0xd1,
-	0x6b, 0x1f, 0xaa, 0x42, 0x98, 0x2c, 0x42, 0xc6, 0x6c, 0xc1, 0x29, 0x8e, 0xe8, 0xd3, 0x16, 0xd4,
-	0xd4, 0x65, 0x28, 0xe2, 0xca, 0xc0, 0x95, 0x62, 0x6b, 0x2f, 0x72, 0xbf, 0xa6, 0x3a, 0x08, 0x51,
-	0x45, 0xf0, 0xb0, 0x66, 0x8c, 0x62, 0xe5, 0x3b, 0x1e, 0x3a, 0x1e, 0xdf, 0x31, 0xe4, 0xf8, 0x8d,
-	0xdf, 0x05, 0xb5, 0xb6, 0xe3, 0xbb, 0xeb, 0x24, 0x4e, 0xb8, 0x3b, 0x57, 0x96, 0x84, 0x95, 0x8d,
-	0x58, 0xc3, 0xa9, 0x42, 0x8e, 0xd9, 0x8b, 0x25, 0x86, 0xff, 0x95, 0x29, 0xe4, 0x15, 0xdd, 0x8c,
-	0x4d, 0x1c, 0xd3, 0x59, 0x0c, 0xf7, 0xd5, 0x59, 0x3c, 0xbc, 0xb7, 0xb3, 0xd8, 0xfe, 0x47, 0x16,
-	0x9c, 0xcd, 0xfd, 0x6a, 0x0f, 0x6e, 0xe0, 0xa3, 0xfd, 0xe5, 0x0a, 0x9c, 0xce, 0xa9, 0xf2, 0x89,
-	0x76, 0xcc, 0xf9, 0x6c, 0x15, 0x11, 0x43, 0x90, 0x3e, 0x12, 0x97, 0xc3, 0x98, 0x33, 0x89, 0x0f,
-	0x76, 0x54, 0xa3, 0x8f, 0x4b, 0xca, 0xf7, 0xf6, 0xb8, 0xc4, 0x98, 0x96, 0x03, 0xf7, 0x75, 0x5a,
-	0x56, 0xf6, 0x39, 0xc3, 0xf8, 0x35, 0x0b, 0xc6, 0xdb, 0x3d, 0x4a, 0xcb, 0x0b, 0xc7, 0xe3, 0x8d,
-	0xe3, 0x29, 0x5c, 0x5f, 0x7f, 0xf4, 0xce, 0xee, 0x44, 0xcf, 0x8a, 0xfe, 0xb8, 0x67, 0xaf, 0xec,
-	0xef, 0x94, 0x81, 0x95, 0x98, 0x65, 0x95, 0xdc, 0x76, 0xd0, 0xc7, 0xcd, 0x62, 0xc1, 0x56, 0x51,
-	0x85, 0x6d, 0x39, 0x71, 0x55, 0x6c, 0x98, 0x8f, 0x60, 0x5e, 0xed, 0xe1, 0xac, 0xd0, 0x2a, 0xf5,
-	0x21, 0xb4, 0x3c, 0x59, 0x95, 0xb9, 0x5c, 0x7c, 0x55, 0xe6, 0x5a, 0xb6, 0x22, 0xf3, 0xde, 0x9f,
-	0x78, 0xe0, 0x81, 0xfc, 0xc4, 0xbf, 0x68, 0x71, 0xc1, 0x93, 0xf9, 0x0a, 0xda, 0x32, 0xb0, 0xf6,
-	0xb0, 0x0c, 0x9e, 0x86, 0x6a, 0x4c, 0xbc, 0xf5, 0xcb, 0xc4, 0xf1, 0x84, 0x05, 0xa1, 0xcf, 0xaf,
-	0x45, 0x3b, 0x56, 0x18, 0xec, 0xda, 0x56, 0xcf, 0x0b, 0x6e, 0x5f, 0x6c, 0x87, 0xc9, 0x8e, 0xb0,
-	0x25, 0xf4, 0xb5, 0xad, 0x0a, 0x82, 0x0d, 0x2c, 0xfb, 0x6f, 0x97, 0xf8, 0x0c, 0x14, 0x41, 0x10,
-	0x2f, 0x64, 0x2e, 0xda, 0xeb, 0x3f, 0x7e, 0xe0, 0xa3, 0x00, 0x0d, 0x75, 0x95, 0xbd, 0x38, 0x13,
-	0xba, 0x7c, 0xe4, 0x7b, 0xb6, 0x05, 0x3d, 0xfd, 0x1a, 0xba, 0x0d, 0x1b, 0xfc, 0x52, 0xb2, 0xb4,
-	0xbc, 0xaf, 0x2c, 0x4d, 0x89, 0x95, 0x81, 0x7d, 0xb4, 0xdd, 0x9f, 0x5a, 0x90, 0xb2, 0x88, 0x50,
-	0x08, 0x15, 0xda, 0xdd, 0x9d, 0x62, 0x6e, 0xe9, 0x37, 0x49, 0x53, 0xd1, 0x28, 0xa6, 0x3d, 0xfb,
-	0x89, 0x39, 0x23, 0xe4, 0x89, 0x58, 0x09, 0x3e, 0xaa, 0xd7, 0x8a, 0x63, 0x78, 0x39, 0x08, 0x36,
-	0xf9, 0xc1, 0xa6, 0x8e, 0xbb, 0xb0, 0x5f, 0x80, 0x53, 0x5d, 0x9d, 0x62, 0x77, 0x6a, 0x05, 0x54,
-	0xfb, 0x64, 0xa6, 0x2b, 0x4b, 0xe0, 0xc4, 0x1c, 0x66, 0x7f, 0xc3, 0x82, 0x93, 0x59, 0xf2, 0xe8,
-	0x4d, 0x0b, 0x4e, 0xc5, 0x59, 0x7a, 0xc7, 0x35, 0x76, 0x2a, 0xde, 0xb1, 0x0b, 0x84, 0xbb, 0x3b,
-	0x61, 0xff, 0x3f, 0x31, 0xf9, 0x6f, 0xba, 0x7e, 0x33, 0xb8, 0xad, 0x0c, 0x13, 0xab, 0xa7, 0x61,
-	0x42, 0xd7, 0x63, 0x63, 0x83, 0x34, 0x3b, 0x5e, 0x57, 0xe6, 0xe8, 0x8a, 0x68, 0xc7, 0x0a, 0x83,
-	0x25, 0xca, 0x75, 0x44, 0xd9, 0xf6, 0xcc, 0xa4, 0x9c, 0x15, 0xed, 0x58, 0x61, 0xa0, 0xe7, 0x60,
-	0xc4, 0x78, 0x49, 0x39, 0x2f, 0x99, 0x41, 0x6e, 0xa8, 0xcc, 0x18, 0xa7, 0xb0, 0xd0, 0x24, 0x80,
-	0x32, 0x72, 0xa4, 0x8a, 0x64, 0x8e, 0x22, 0x25, 0x89, 0x62, 0x6c, 0x60, 0xb0, 0xb4, 0x54, 0xaf,
-	0x13, 0x33, 0x1f, 0xff, 0xa0, 0x2e, 0x25, 0x3a, 0x23, 0xda, 0xb0, 0x82, 0x52, 0x69, 0xd2, 0x76,
-	0xfc, 0x8e, 0xe3, 0xd1, 0x11, 0x12, 0x5b, 0x3f, 0xb5, 0x0c, 0x17, 0x15, 0x04, 0x1b, 0x58, 0xf4,
-	0x8d, 0x13, 0xb7, 0x4d, 0x5e, 0x0e, 0x7c, 0x19, 0xa7, 0xa6, 0x8f, 0x7d, 0x44, 0x3b, 0x56, 0x18,
-	0xf6, 0x7f, 0xb3, 0xe0, 0x84, 0x4e, 0x72, 0xe7, 0xb7, 0x67, 0x9b, 0x3b, 0x55, 0x6b, 0xdf, 0x9d,
-	0x6a, 0x3a, 0xfb, 0xb7, 0xd4, 0x57, 0xf6, 0xaf, 0x99, 0x98, 0x5b, 0xde, 0x33, 0x31, 0xf7, 0x87,
-	0xf4, 0xcd, 0xac, 0x3c, 0x83, 0x77, 0x38, 0xef, 0x56, 0x56, 0x64, 0xc3, 0x60, 0xc3, 0x51, 0x15,
-	0x5e, 0x46, 0xf8, 0xde, 0x61, 0x66, 0x9a, 0x21, 0x09, 0x88, 0xbd, 0x04, 0x35, 0x75, 0xfa, 0x21,
-	0x37, 0xaa, 0x56, 0xfe, 0x46, 0xb5, 0xaf, 0x04, 0xc1, 0xfa, 0xda, 0x37, 0xbf, 0xfb, 0xf8, 0xdb,
-	0x7e, 0xef, 0xbb, 0x8f, 0xbf, 0xed, 0x8f, 0xbe, 0xfb, 0xf8, 0xdb, 0x3e, 0x71, 0xe7, 0x71, 0xeb,
-	0x9b, 0x77, 0x1e, 0xb7, 0x7e, 0xef, 0xce, 0xe3, 0xd6, 0x1f, 0xdd, 0x79, 0xdc, 0xfa, 0xce, 0x9d,
-	0xc7, 0xad, 0x2f, 0xfe, 0xe7, 0xc7, 0xdf, 0xf6, 0x72, 0x6e, 0xa0, 0x22, 0xfd, 0xf1, 0x4c, 0xa3,
-	0x39, 0xb5, 0x75, 0x81, 0xc5, 0xca, 0xd1, 0xe5, 0x35, 0x65, 0xcc, 0xa9, 0x29, 0xb9, 0xbc, 0xfe,
-	0x7f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xb2, 0x18, 0x73, 0x0d, 0xd5, 0xe1, 0x00, 0x00,
+	0xe9, 0xf7, 0x22, 0x21, 0xfb, 0x4f, 0x07, 0x61, 0x34, 0x55, 0x1c, 0x30, 0xe5, 0x60, 0xb5, 0xf6,
+	0x75, 0xb0, 0xb2, 0x30, 0xfd, 0x8e, 0x2f, 0x6f, 0x19, 0x33, 0xc2, 0xf4, 0x3b, 0x3e, 0xc1, 0x1c,
+	0x46, 0xcd, 0xdb, 0x66, 0xb4, 0x83, 0x3b, 0xbe, 0x08, 0xa7, 0x55, 0xe6, 0xed, 0x2c, 0x6b, 0xc5,
+	0x02, 0x8a, 0x3e, 0x61, 0xc1, 0x48, 0xcc, 0xbc, 0xf7, 0xdc, 0x3d, 0x2d, 0x26, 0xdd, 0x95, 0xa3,
+	0xd7, 0x3e, 0x54, 0x85, 0x30, 0x59, 0x84, 0x8c, 0xd9, 0x82, 0x53, 0x1c, 0xd1, 0xa7, 0x2d, 0xa8,
+	0xa9, 0xcb, 0x50, 0xc4, 0x95, 0x81, 0x2b, 0xc5, 0xd6, 0x5e, 0xe4, 0x7e, 0x4d, 0x75, 0x10, 0xa2,
+	0x8a, 0xe0, 0x61, 0xcd, 0x18, 0xc5, 0xca, 0x77, 0x3c, 0x74, 0x3c, 0xbe, 0x63, 0xc8, 0xf1, 0x1b,
+	0xbf, 0x0b, 0x6a, 0x6d, 0xc7, 0x77, 0xd7, 0x49, 0x9c, 0x70, 0x77, 0xae, 0x2c, 0x09, 0x2b, 0x1b,
+	0xb1, 0x86, 0x53, 0x85, 0x1c, 0xb3, 0x17, 0x4b, 0x0c, 0xff, 0x2b, 0x53, 0xc8, 0x2b, 0xba, 0x19,
+	0x9b, 0x38, 0xa6, 0xb3, 0x18, 0xee, 0xab, 0xb3, 0x78, 0x78, 0x1f, 0x67, 0xf1, 0x0a, 0x9c, 0x75,
+	0x3a, 0x49, 0x70, 0x99, 0x38, 0xde, 0x34, 0xbf, 0xff, 0x53, 0x5c, 0x30, 0x3d, 0xc2, 0x1c, 0x10,
+	0xea, 0x4c, 0x7f, 0x85, 0x78, 0xeb, 0x5d, 0x48, 0x38, 0xff, 0x59, 0xfb, 0x1f, 0x59, 0x70, 0x36,
+	0x77, 0x2a, 0x3c, 0xb8, 0xd1, 0x94, 0xf6, 0x97, 0x2b, 0x70, 0x3a, 0xa7, 0x74, 0x28, 0xda, 0x31,
+	0x17, 0x89, 0x55, 0x44, 0x60, 0x42, 0xfa, 0x9c, 0x5d, 0x7e, 0x9b, 0x9c, 0x95, 0x71, 0xb0, 0xf3,
+	0x1f, 0x7d, 0x06, 0x53, 0xbe, 0xb7, 0x67, 0x30, 0xc6, 0x5c, 0x1f, 0xb8, 0xaf, 0x73, 0xbd, 0xb2,
+	0xcf, 0x5c, 0xff, 0x35, 0x0b, 0xc6, 0xdb, 0x3d, 0xea, 0xd5, 0x0b, 0x6f, 0xe6, 0x8d, 0xe3, 0xa9,
+	0x86, 0x5f, 0x7f, 0xf4, 0xce, 0xee, 0x44, 0xcf, 0x6b, 0x02, 0x70, 0xcf, 0x5e, 0xd9, 0xdf, 0x29,
+	0x03, 0xab, 0x5b, 0xcb, 0xca, 0xc3, 0xed, 0xa0, 0x8f, 0x9b, 0x15, 0x88, 0xad, 0xa2, 0xaa, 0xe5,
+	0x72, 0xe2, 0xaa, 0x82, 0x31, 0x1f, 0xc1, 0xbc, 0x82, 0xc6, 0x59, 0x49, 0x58, 0xea, 0x43, 0x12,
+	0x7a, 0xb2, 0xd4, 0x73, 0xb9, 0xf8, 0x52, 0xcf, 0xb5, 0x6c, 0x99, 0xe7, 0xbd, 0x3f, 0xf1, 0xc0,
+	0x03, 0xf9, 0x89, 0x7f, 0xd1, 0xe2, 0x82, 0x27, 0xf3, 0x15, 0xb4, 0xb9, 0x61, 0xed, 0x61, 0x6e,
+	0x3c, 0x0d, 0xd5, 0x58, 0x48, 0x66, 0x61, 0x96, 0xe8, 0x43, 0x71, 0xd1, 0x8e, 0x15, 0x06, 0xbb,
+	0x0b, 0xd6, 0xf3, 0x82, 0xdb, 0x17, 0xdb, 0x61, 0xb2, 0x23, 0x0c, 0x14, 0x7d, 0x17, 0xac, 0x82,
+	0x60, 0x03, 0xcb, 0xfe, 0xdb, 0x25, 0x3e, 0x03, 0x45, 0x64, 0xc5, 0x0b, 0x99, 0xdb, 0xfb, 0xfa,
+	0x0f, 0x4a, 0xf8, 0x28, 0x40, 0x43, 0xdd, 0x8f, 0x2f, 0x0e, 0x9a, 0x2e, 0x1f, 0xf9, 0xf2, 0x6e,
+	0x41, 0x4f, 0xbf, 0x86, 0x6e, 0xc3, 0x06, 0xbf, 0x94, 0x2c, 0x2d, 0xef, 0x2b, 0x4b, 0x53, 0x62,
+	0x65, 0x60, 0x6f, 0xb1, 0x62, 0xff, 0x99, 0x05, 0x29, 0x33, 0x0b, 0x85, 0x50, 0xa1, 0xdd, 0xdd,
+	0x29, 0xe6, 0xea, 0x7f, 0x93, 0x34, 0x15, 0x8d, 0x62, 0xda, 0xb3, 0x9f, 0x98, 0x33, 0x42, 0x9e,
+	0x08, 0xc0, 0xe0, 0xa3, 0x7a, 0xad, 0x38, 0x86, 0x97, 0x83, 0x60, 0x93, 0x9f, 0x96, 0xea, 0x60,
+	0x0e, 0xfb, 0x05, 0x38, 0xd5, 0xd5, 0x29, 0x76, 0x51, 0x57, 0x40, 0xb5, 0x4f, 0x66, 0xba, 0xb2,
+	0xac, 0x50, 0xcc, 0x61, 0xf6, 0x37, 0x2c, 0x38, 0x99, 0x25, 0x8f, 0xde, 0xb4, 0xe0, 0x54, 0x9c,
+	0xa5, 0x77, 0x5c, 0x63, 0xa7, 0x82, 0x28, 0xbb, 0x40, 0xb8, 0xbb, 0x13, 0xf6, 0xff, 0x15, 0x93,
+	0xff, 0xa6, 0xeb, 0x37, 0x83, 0xdb, 0xca, 0x30, 0xb1, 0x7a, 0x1a, 0x26, 0x74, 0x3d, 0x36, 0x36,
+	0x48, 0xb3, 0xe3, 0x75, 0xa5, 0xa3, 0xae, 0x88, 0x76, 0xac, 0x30, 0x58, 0xf6, 0x5d, 0x47, 0xd4,
+	0x82, 0xcf, 0x4c, 0xca, 0x59, 0xd1, 0x8e, 0x15, 0x06, 0x7a, 0x0e, 0x46, 0x8c, 0x97, 0x94, 0xf3,
+	0x92, 0x59, 0xf9, 0x86, 0xca, 0x8c, 0x71, 0x0a, 0x0b, 0x4d, 0x02, 0x28, 0x23, 0x47, 0xaa, 0x48,
+	0xe6, 0x7d, 0x52, 0x92, 0x28, 0xc6, 0x06, 0x06, 0xcb, 0x75, 0xf5, 0x3a, 0x31, 0x3b, 0x38, 0x18,
+	0xd4, 0xf5, 0x49, 0x67, 0x44, 0x1b, 0x56, 0x50, 0x2a, 0x4d, 0xda, 0x8e, 0xdf, 0x71, 0x3c, 0x3a,
+	0x42, 0x62, 0x3f, 0xa9, 0x96, 0xe1, 0xa2, 0x82, 0x60, 0x03, 0x8b, 0xbe, 0x71, 0xe2, 0xb6, 0xc9,
+	0xcb, 0x81, 0x2f, 0x83, 0xdf, 0xf4, 0x59, 0x92, 0x68, 0xc7, 0x0a, 0xc3, 0xfe, 0xaf, 0x16, 0x9c,
+	0xd0, 0x99, 0xf3, 0xfc, 0x4a, 0x6e, 0x73, 0xfb, 0x6b, 0xed, 0xbb, 0xfd, 0x4d, 0xa7, 0x14, 0x97,
+	0xfa, 0x4a, 0x29, 0x36, 0xb3, 0x7d, 0xcb, 0x7b, 0x66, 0xfb, 0xfe, 0x90, 0xbe, 0xee, 0x95, 0xa7,
+	0x05, 0x0f, 0xe7, 0x5d, 0xf5, 0x8a, 0x6c, 0x18, 0x6c, 0x38, 0xaa, 0x6c, 0xcc, 0x08, 0xdf, 0x90,
+	0xcc, 0x4c, 0x33, 0x24, 0x01, 0xb1, 0x97, 0xa0, 0xa6, 0x8e, 0x54, 0xe4, 0xee, 0xd7, 0xca, 0xdf,
+	0xfd, 0xf6, 0x95, 0x75, 0x58, 0x5f, 0xfb, 0xe6, 0x77, 0x1f, 0x7f, 0xdb, 0xef, 0x7d, 0xf7, 0xf1,
+	0xb7, 0xfd, 0xd1, 0x77, 0x1f, 0x7f, 0xdb, 0x27, 0xee, 0x3c, 0x6e, 0x7d, 0xf3, 0xce, 0xe3, 0xd6,
+	0xef, 0xdd, 0x79, 0xdc, 0xfa, 0xa3, 0x3b, 0x8f, 0x5b, 0xdf, 0xb9, 0xf3, 0xb8, 0xf5, 0xc5, 0xff,
+	0xfc, 0xf8, 0xdb, 0x5e, 0xce, 0x8d, 0x7e, 0xa4, 0x3f, 0x9e, 0x69, 0x34, 0xa7, 0xb6, 0x2e, 0xb0,
+	0x00, 0x3c, 0xba, 0xbc, 0xa6, 0x8c, 0x39, 0x35, 0x25, 0x97, 0xd7, 0xff, 0x0b, 0x00, 0x00, 0xff,
+	0xff, 0x0e, 0x08, 0x8c, 0xe8, 0x2a, 0xe2, 0x00, 0x00,
 }
 
 func (m *AWSAuthConfig) Marshal() (dAtA []byte, err error) {
@@ -13726,6 +13728,9 @@ func (m *SyncOperation) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 	_ = i
 	var l int
 	_ = l
+	i = encodeVarintGenerated(dAtA, i, uint64(m.SelfHealAttemptsCount))
+	i--
+	dAtA[i] = 0x60
 	if len(m.Revisions) > 0 {
 		for iNdEx := len(m.Revisions) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.Revisions[iNdEx])
@@ -17648,6 +17653,7 @@ func (m *SyncOperation) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	n += 1 + sovGenerated(uint64(m.SelfHealAttemptsCount))
 	return n
 }
 
@@ -20294,6 +20300,7 @@ func (this *SyncOperation) String() string {
 		`SyncOptions:` + fmt.Sprintf("%v", this.SyncOptions) + `,`,
 		`Sources:` + repeatedStringForSources + `,`,
 		`Revisions:` + fmt.Sprintf("%v", this.Revisions) + `,`,
+		`SelfHealAttemptsCount:` + fmt.Sprintf("%v", this.SelfHealAttemptsCount) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -48897,6 +48904,25 @@ func (m *SyncOperation) Unmarshal(dAtA []byte) error {
 			}
 			m.Revisions = append(m.Revisions, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 12:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SelfHealAttemptsCount", wireType)
+			}
+			m.SelfHealAttemptsCount = 0
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				m.SelfHealAttemptsCount |= int64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])

pkg/apis/application/v1alpha1/generated.proto

@@ -2160,6 +2160,9 @@ message SyncOperation {
   // Revisions is the list of revision (Git) or chart version (Helm) which to sync each source in sources field for the application to
   // If omitted, will use the revision specified in app spec.
   repeated string revisions = 11;
+
+  // SelfHealAttemptsCount contains the number of auto-heal attempts
+  optional int64 autoHealAttemptsCount = 12;
 }
 
 // SyncOperationResource contains resources to sync.
@@ -2227,7 +2230,6 @@ message SyncStatus {
   optional string status = 1;
 
   // ComparedTo contains information about what has been compared
-  // +patchStrategy=replace
   optional ComparedTo comparedTo = 2;
 
   // Revision contains information about the revision the comparison has been performed to

pkg/apis/application/v1alpha1/openapi_generated.go

@@ -7705,11 +7705,6 @@ func schema_pkg_apis_application_v1alpha1_SyncStatus(ref common.ReferenceCallbac
 						},
 					},
 					"comparedTo": {
-						VendorExtensible: spec.VendorExtensible{
-							Extensions: spec.Extensions{
-								"x-kubernetes-patch-strategy": "replace",
-							},
-						},
 						SchemaProps: spec.SchemaProps{
 							Description: "ComparedTo contains information about what has been compared",
 							Default:     map[string]interface{}{},

pkg/apis/application/v1alpha1/repository_types.go

@@ -3,7 +3,9 @@ package v1alpha1
 import (
 	"fmt"
 	"net/url"
+	"strings"
 
+	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/util/cert"
 	"github.com/argoproj/argo-cd/v2/util/git"
 	"github.com/argoproj/argo-cd/v2/util/helm"
@@ -227,21 +229,22 @@ func getCAPath(repoURL string) string {
 	}
 
 	hostname := ""
-	// url.Parse() will happily parse most things thrown at it. When the URL
-	// is either https or oci, we use the parsed hostname to retrieve the cert,
-	// otherwise we'll use the parsed path (OCI repos are often specified as
-	// hostname, without protocol).
-	parsedURL, err := url.Parse(repoURL)
+	var parsedURL *url.URL
+	var err error
+	// Without schema in url, url.Parse() treats the url as differently
+	// and may incorrectly parses the hostname if url contains a path or port.
+	// To ensure proper parsing, prepend a dummy schema.
+	if !strings.Contains(repoURL, "://") {
+		parsedURL, err = url.Parse("protocol://" + repoURL)
+	} else {
+		parsedURL, err = url.Parse(repoURL)
+	}
 	if err != nil {
 		log.Warnf("Could not parse repo URL '%s': %v", repoURL, err)
 		return ""
 	}
-	if parsedURL.Scheme == "https" || parsedURL.Scheme == "oci" {
-		hostname = parsedURL.Host
-	} else if parsedURL.Scheme == "" {
-		hostname = parsedURL.Path
-	}
 
+	hostname = parsedURL.Hostname()
 	if hostname == "" {
 		log.Warnf("Could not get hostname for repository '%s'", repoURL)
 		return ""
@@ -274,6 +277,32 @@ func (m *Repository) StringForLogging() string {
 	return fmt.Sprintf("&Repository{Repo: %q, Type: %q, Name: %q, Project: %q}", m.Repo, m.Type, m.Name, m.Project)
 }
 
+// Sanitized returns a copy of the Repository with sensitive information removed.
+func (repo *Repository) Sanitized() *Repository {
+	return &Repository{
+		Repo:                       repo.Repo,
+		Type:                       repo.Type,
+		Name:                       repo.Name,
+		Insecure:                   repo.IsInsecure(),
+		EnableLFS:                  repo.EnableLFS,
+		EnableOCI:                  repo.EnableOCI,
+		Proxy:                      repo.Proxy,
+		Project:                    repo.Project,
+		ForceHttpBasicAuth:         repo.ForceHttpBasicAuth,
+		InheritedCreds:             repo.InheritedCreds,
+		GithubAppId:                repo.GithubAppId,
+		GithubAppInstallationId:    repo.GithubAppInstallationId,
+		GitHubAppEnterpriseBaseURL: repo.GitHubAppEnterpriseBaseURL,
+	}
+}
+
+func (repo *Repository) Normalize() *Repository {
+	if repo.Type == "" {
+		repo.Type = common.DefaultRepoType
+	}
+	return repo
+}
+
 // Repositories defines a list of Repository configurations
 type Repositories []*Repository
 

pkg/apis/application/v1alpha1/types.go

@@ -927,6 +927,12 @@ type ApplicationDestination struct {
 	isServerInferred bool `json:"-"`
 }
 
+// SetIsServerInferred sets the isServerInferred flag. This is used to allow comparison between two destinations where
+// one server is inferred and the other is not.
+func (d *ApplicationDestination) SetIsServerInferred(inferred bool) {
+	d.isServerInferred = inferred
+}
+
 type ResourceHealthLocation string
 
 var (
@@ -981,15 +987,15 @@ func (a *ApplicationStatus) GetRevisions() []string {
 
 // BuildComparedToStatus will build a ComparedTo object based on the current
 // Application state.
-func (app *Application) BuildComparedToStatus() ComparedTo {
+func (spec *ApplicationSpec) BuildComparedToStatus() ComparedTo {
 	ct := ComparedTo{
-		Destination:       app.Spec.Destination,
-		IgnoreDifferences: app.Spec.IgnoreDifferences,
+		Destination:       spec.Destination,
+		IgnoreDifferences: spec.IgnoreDifferences,
 	}
-	if app.Spec.HasMultipleSources() {
-		ct.Sources = app.Spec.Sources
+	if spec.HasMultipleSources() {
+		ct.Sources = spec.Sources
 	} else {
-		ct.Source = app.Spec.GetSource()
+		ct.Source = spec.GetSource()
 	}
 	return ct
 }
@@ -1099,6 +1105,8 @@ type SyncOperation struct {
 	// Revisions is the list of revision (Git) or chart version (Helm) which to sync each source in sources field for the application to
 	// If omitted, will use the revision specified in app spec.
 	Revisions []string `json:"revisions,omitempty" protobuf:"bytes,11,opt,name=revisions"`
+	// SelfHealAttemptsCount contains the number of auto-heal attempts
+	SelfHealAttemptsCount int64 `json:"autoHealAttemptsCount,omitempty" protobuf:"bytes,12,opt,name=autoHealAttemptsCount"`
 }
 
 // IsApplyStrategy returns true if the sync strategy is "apply"
@@ -1509,8 +1517,7 @@ type SyncStatus struct {
 	// Status is the sync state of the comparison
 	Status SyncStatusCode `json:"status" protobuf:"bytes,1,opt,name=status,casttype=SyncStatusCode"`
 	// ComparedTo contains information about what has been compared
-	// +patchStrategy=replace
-	ComparedTo ComparedTo `json:"comparedTo,omitempty" protobuf:"bytes,2,opt,name=comparedTo" patchStrategy:"replace"`
+	ComparedTo ComparedTo `json:"comparedTo,omitempty" protobuf:"bytes,2,opt,name=comparedTo"`
 	// Revision contains information about the revision the comparison has been performed to
 	Revision string `json:"revision,omitempty" protobuf:"bytes,3,opt,name=revision"`
 	// Revisions contains information about the revisions of multiple sources the comparison has been performed to
@@ -1784,6 +1791,30 @@ type Cluster struct {
 	Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,13,opt,name=annotations"`
 }
 
+func (c *Cluster) Sanitized() *Cluster {
+	return &Cluster{
+		ID:                 c.ID,
+		Server:             c.Server,
+		Name:               c.Name,
+		Project:            c.Project,
+		Namespaces:         c.Namespaces,
+		Shard:              c.Shard,
+		Labels:             c.Labels,
+		Annotations:        c.Annotations,
+		ClusterResources:   c.ClusterResources,
+		ConnectionState:    c.ConnectionState,
+		ServerVersion:      c.ServerVersion,
+		Info:               c.Info,
+		RefreshRequestedAt: c.RefreshRequestedAt,
+		Config: ClusterConfig{
+			AWSAuthConfig: c.Config.AWSAuthConfig,
+			TLSClientConfig: TLSClientConfig{
+				Insecure: c.Config.Insecure,
+			},
+		},
+	}
+}
+
 // Equals returns true if two cluster objects are considered to be equal
 func (c *Cluster) Equals(other *Cluster) bool {
 	if c.Server != other.Server {

pkg/apis/application/v1alpha1/types_test.go

@@ -11,13 +11,9 @@ import (
 	"testing"
 	"time"
 
-	"github.com/argoproj/gitops-engine/pkg/diff"
-	"github.com/stretchr/testify/require"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/utils/pointer"
-
 	argocdcommon "github.com/argoproj/argo-cd/v2/common"
+	"github.com/stretchr/testify/require"
+	"k8s.io/utils/pointer"
 
 	"github.com/argoproj/gitops-engine/pkg/sync/common"
 	"github.com/stretchr/testify/assert"
@@ -3174,18 +3170,25 @@ func TestGetCAPath(t *testing.T) {
 		"https://foo.example.com",
 		"oci://foo.example.com",
 		"foo.example.com",
+		"foo.example.com/charts",
+		"https://foo.example.com:5000",
+		"foo.example.com:5000",
+		"foo.example.com:5000/charts",
+		"ssh://foo.example.com",
 	}
 	invalidpath := []string{
 		"https://bar.example.com",
 		"oci://bar.example.com",
 		"bar.example.com",
-		"ssh://foo.example.com",
-		"git@example.com:organization/reponame.git",
+		"ssh://bar.example.com",
+		"git@foo.example.com:organization/reponame.git",
+		"ssh://git@foo.example.com:organization/reponame.git",
 		"/some/invalid/thing",
 		"../another/invalid/thing",
 		"./also/invalid",
 		"$invalid/as/well",
 		"..",
+		"://invalid",
 	}
 
 	for _, str := range validcert {
@@ -3671,34 +3674,57 @@ func TestApplicationSpec_GetSourcePtrByIndex(t *testing.T) {
 	}
 }
 
-func TestHelmValuesObjectHasReplaceStrategy(t *testing.T) {
-	app := Application{
-		Status: ApplicationStatus{Sync: SyncStatus{ComparedTo: ComparedTo{
-			Source: ApplicationSource{
-				Helm: &ApplicationSourceHelm{
-					ValuesObject: &runtime.RawExtension{
-						Object: &unstructured.Unstructured{Object: map[string]interface{}{"key": []string{"value"}}},
-					},
-				},
+func TestSanitized(t *testing.T) {
+	now := metav1.Now()
+	cluster := &Cluster{
+		ID:            "123",
+		Server:        "https://example.com",
+		Name:          "example",
+		ServerVersion: "v1.0.0",
+		Namespaces:    []string{"default", "kube-system"},
+		Project:       "default",
+		Labels: map[string]string{
+			"env": "production",
+		},
+		Annotations: map[string]string{
+			"annotation-key": "annotation-value",
+		},
+		ConnectionState: ConnectionState{
+			Status:     ConnectionStatusSuccessful,
+			Message:    "Connection successful",
+			ModifiedAt: &now,
+		},
+		Config: ClusterConfig{
+			Username:    "admin",
+			Password:    "password123",
+			BearerToken: "abc",
+			TLSClientConfig: TLSClientConfig{
+				Insecure: true,
 			},
-		}}},
+			ExecProviderConfig: &ExecProviderConfig{
+				Command: "test",
+			},
+		},
 	}
 
-	appModified := Application{
-		Status: ApplicationStatus{Sync: SyncStatus{ComparedTo: ComparedTo{
-			Source: ApplicationSource{
-				Helm: &ApplicationSourceHelm{
-					ValuesObject: &runtime.RawExtension{
-						Object: &unstructured.Unstructured{Object: map[string]interface{}{"key": []string{"value-modified1"}}},
-					},
-				},
+	assert.Equal(t, &Cluster{
+		ID:            "123",
+		Server:        "https://example.com",
+		Name:          "example",
+		ServerVersion: "v1.0.0",
+		Namespaces:    []string{"default", "kube-system"},
+		Project:       "default",
+		Labels:        map[string]string{"env": "production"},
+		Annotations:   map[string]string{"annotation-key": "annotation-value"},
+		ConnectionState: ConnectionState{
+			Status:     ConnectionStatusSuccessful,
+			Message:    "Connection successful",
+			ModifiedAt: &now,
+		},
+		Config: ClusterConfig{
+			TLSClientConfig: TLSClientConfig{
+				Insecure: true,
 			},
-		}}},
-	}
-
-	patch, _, err := diff.CreateTwoWayMergePatch(
-		app,
-		appModified, Application{})
-	require.NoError(t, err)
-	assert.Equal(t, `{"status":{"sync":{"comparedTo":{"destination":{},"source":{"helm":{"valuesObject":{"key":["value-modified1"]}},"repoURL":""}}}}}`, string(patch))
+		},
+	}, cluster.Sanitized())
 }

reposerver/apiclient/repository.pb.go

@@ -57,7 +57,9 @@ type ManifestRequest struct {
 	// This is used to surface "source not permitted" errors for Helm repositories
 	ProjectSourceRepos []string `protobuf:"bytes,24,rep,name=projectSourceRepos,proto3" json:"projectSourceRepos,omitempty"`
 	// This is used to surface "source not permitted" errors for Helm repositories
-	ProjectName          string   `protobuf:"bytes,25,opt,name=projectName,proto3" json:"projectName,omitempty"`
+	ProjectName string `protobuf:"bytes,25,opt,name=projectName,proto3" json:"projectName,omitempty"`
+	// Holds instance installation id
+	InstallationID       string   `protobuf:"bytes,27,opt,name=installationID,proto3" json:"installationID,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -250,6 +252,13 @@ func (m *ManifestRequest) GetProjectName() string {
 	return ""
 }
 
+func (m *ManifestRequest) GetInstallationID() string {
+	if m != nil {
+		return m.InstallationID
+	}
+	return ""
+}
+
 type ManifestRequestWithFiles struct {
 	// Types that are valid to be assigned to Part:
 	//	*ManifestRequestWithFiles_Request
@@ -2180,6 +2189,7 @@ type UpdateRevisionForPathsRequest struct {
 	SyncedRevision       string                         `protobuf:"bytes,11,opt,name=syncedRevision,proto3" json:"syncedRevision,omitempty"`
 	Revision             string                         `protobuf:"bytes,12,opt,name=revision,proto3" json:"revision,omitempty"`
 	Paths                []string                       `protobuf:"bytes,13,rep,name=paths,proto3" json:"paths,omitempty"`
+	InstallationID       string                         `protobuf:"bytes,15,opt,name=installationID,proto3" json:"installationID,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}                       `json:"-"`
 	XXX_unrecognized     []byte                         `json:"-"`
 	XXX_sizecache        int32                          `json:"-"`
@@ -2309,6 +2319,13 @@ func (m *UpdateRevisionForPathsRequest) GetPaths() []string {
 	return nil
 }
 
+func (m *UpdateRevisionForPathsRequest) GetInstallationID() string {
+	if m != nil {
+		return m.InstallationID
+	}
+	return ""
+}
+
 type UpdateRevisionForPathsResponse struct {
 	Changes              bool     `protobuf:"varint,1,opt,name=changes,proto3" json:"changes,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
@@ -2406,151 +2423,153 @@ func init() {
 }
 
 var fileDescriptor_dd8723cfcc820480 = []byte{
-	// 2298 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5a, 0x5f, 0x73, 0x1b, 0x49,
-	0x11, 0xf7, 0xea, 0x9f, 0xa5, 0x96, 0x63, 0xcb, 0x93, 0xc4, 0xd9, 0xe8, 0x12, 0x97, 0x6f, 0x21,
-	0xa9, 0x5c, 0x72, 0x27, 0x55, 0x9c, 0xba, 0x0b, 0xe4, 0x8e, 0xa3, 0x7c, 0xb9, 0xc4, 0xce, 0x25,
-	0x4e, 0xcc, 0x26, 0x07, 0x15, 0x08, 0x50, 0xa3, 0xd5, 0x68, 0xb5, 0xa7, 0xd5, 0xee, 0x64, 0x77,
-	0xd6, 0x87, 0x52, 0xc5, 0x13, 0x14, 0x1f, 0x81, 0x07, 0x5e, 0xf9, 0x02, 0x54, 0x51, 0x14, 0x8f,
-	0x3c, 0x50, 0xfc, 0x79, 0xa4, 0xf8, 0x02, 0x50, 0x79, 0xa1, 0x8a, 0x4f, 0x41, 0xcd, 0xec, 0xec,
-	0x5f, 0xad, 0x14, 0x1f, 0x72, 0x7c, 0x70, 0x2f, 0xf6, 0x4e, 0xcf, 0x4c, 0x77, 0x4f, 0x4f, 0x77,
-	0xcf, 0xaf, 0x67, 0x04, 0x97, 0x3d, 0x42, 0x5d, 0x9f, 0x78, 0x87, 0xc4, 0xeb, 0x8a, 0x4f, 0x8b,
-	0xb9, 0xde, 0x24, 0xf5, 0xd9, 0xa1, 0x9e, 0xcb, 0x5c, 0x04, 0x09, 0xa5, 0xfd, 0xc0, 0xb4, 0xd8,
-	0x30, 0xe8, 0x75, 0x0c, 0x77, 0xdc, 0xc5, 0x9e, 0xe9, 0x52, 0xcf, 0xfd, 0x4c, 0x7c, 0xbc, 0x63,
-	0xf4, 0xbb, 0x87, 0xdb, 0x5d, 0x3a, 0x32, 0xbb, 0x98, 0x5a, 0x7e, 0x17, 0x53, 0x6a, 0x5b, 0x06,
-	0x66, 0x96, 0xeb, 0x74, 0x0f, 0xaf, 0x63, 0x9b, 0x0e, 0xf1, 0xf5, 0xae, 0x49, 0x1c, 0xe2, 0x61,
-	0x46, 0xfa, 0x21, 0xe7, 0xf6, 0x1b, 0xa6, 0xeb, 0x9a, 0x36, 0xe9, 0x8a, 0x56, 0x2f, 0x18, 0x74,
-	0xc9, 0x98, 0x32, 0x29, 0x56, 0xfb, 0xf7, 0x0a, 0xac, 0xed, 0x63, 0xc7, 0x1a, 0x10, 0x9f, 0xe9,
-	0xe4, 0x79, 0x40, 0x7c, 0x86, 0x9e, 0x41, 0x85, 0x2b, 0xa3, 0x2a, 0x5b, 0xca, 0x95, 0xe6, 0xf6,
-	0x5e, 0x27, 0xd1, 0xa6, 0x13, 0x69, 0x23, 0x3e, 0x7e, 0x6c, 0xf4, 0x3b, 0x87, 0xdb, 0x1d, 0x3a,
-	0x32, 0x3b, 0x5c, 0x9b, 0x4e, 0x4a, 0x9b, 0x4e, 0xa4, 0x4d, 0x47, 0x8f, 0x97, 0xa5, 0x0b, 0xae,
-	0xa8, 0x0d, 0x75, 0x8f, 0x1c, 0x5a, 0xbe, 0xe5, 0x3a, 0x6a, 0x69, 0x4b, 0xb9, 0xd2, 0xd0, 0xe3,
-	0x36, 0x52, 0x61, 0xd9, 0x71, 0x6f, 0x63, 0x63, 0x48, 0xd4, 0xf2, 0x96, 0x72, 0xa5, 0xae, 0x47,
-	0x4d, 0xb4, 0x05, 0x4d, 0x4c, 0xe9, 0x03, 0xdc, 0x23, 0xf6, 0x7d, 0x32, 0x51, 0x2b, 0x62, 0x62,
-	0x9a, 0xc4, 0xe7, 0x62, 0x4a, 0x1f, 0xe2, 0x31, 0x51, 0xab, 0xa2, 0x37, 0x6a, 0xa2, 0x0b, 0xd0,
-	0x70, 0xf0, 0x98, 0xf8, 0x14, 0x1b, 0x44, 0xad, 0x8b, 0xbe, 0x84, 0x80, 0x7e, 0x0a, 0xeb, 0x29,
-	0xc5, 0x1f, 0xbb, 0x81, 0x67, 0x10, 0x15, 0xc4, 0xd2, 0x1f, 0x2d, 0xb6, 0xf4, 0x9d, 0x3c, 0x5b,
-	0x7d, 0x5a, 0x12, 0xfa, 0x11, 0x54, 0xc5, 0xce, 0xab, 0xcd, 0xad, 0xf2, 0xb1, 0x5a, 0x3b, 0x64,
-	0x8b, 0x1c, 0x58, 0xa6, 0x76, 0x60, 0x5a, 0x8e, 0xaf, 0xae, 0x08, 0x09, 0x4f, 0x16, 0x93, 0x70,
-	0xdb, 0x75, 0x06, 0x96, 0xb9, 0x8f, 0x1d, 0x6c, 0x92, 0x31, 0x71, 0xd8, 0x81, 0x60, 0xae, 0x47,
-	0x42, 0xd0, 0x0b, 0x68, 0x8d, 0x02, 0x9f, 0xb9, 0x63, 0xeb, 0x05, 0x79, 0x44, 0xf9, 0x5c, 0x5f,
-	0x3d, 0x25, 0xac, 0xf9, 0x70, 0x31, 0xc1, 0xf7, 0x73, 0x5c, 0xf5, 0x29, 0x39, 0xdc, 0x49, 0x46,
-	0x41, 0x8f, 0x7c, 0x97, 0x78, 0xc2, 0xbb, 0x56, 0x43, 0x27, 0x49, 0x91, 0x42, 0x37, 0xb2, 0x64,
-	0xcb, 0x57, 0xd7, 0xb6, 0xca, 0xa1, 0x1b, 0xc5, 0x24, 0x74, 0x05, 0xd6, 0x0e, 0x89, 0x67, 0x0d,
-	0x26, 0x8f, 0x2d, 0xd3, 0xc1, 0x2c, 0xf0, 0x88, 0xda, 0x12, 0xae, 0x98, 0x27, 0xa3, 0x31, 0x9c,
-	0x1a, 0x12, 0x7b, 0xcc, 0x4d, 0x7e, 0xdb, 0x23, 0x7d, 0x5f, 0x5d, 0x17, 0xf6, 0xdd, 0x5d, 0x7c,
-	0x07, 0x05, 0x3b, 0x3d, 0xcb, 0x9d, 0x2b, 0xe6, 0xb8, 0xba, 0x8c, 0x94, 0x30, 0x46, 0x50, 0xa8,
-	0x58, 0x8e, 0x8c, 0x2e, 0xc3, 0x2a, 0xf3, 0xb0, 0x31, 0xb2, 0x1c, 0x73, 0x9f, 0xb0, 0xa1, 0xdb,
-	0x57, 0x4f, 0x0b, 0x4b, 0xe4, 0xa8, 0xc8, 0x00, 0x44, 0x1c, 0xdc, 0xb3, 0x49, 0x3f, 0xf4, 0xc5,
-	0x27, 0x13, 0x4a, 0x7c, 0xf5, 0x8c, 0x58, 0xc5, 0x8d, 0x4e, 0x2a, 0x43, 0xe5, 0x12, 0x44, 0xe7,
-	0xce, 0xd4, 0xac, 0x3b, 0x0e, 0xf3, 0x26, 0x7a, 0x01, 0x3b, 0x34, 0x82, 0x26, 0x5f, 0x47, 0xe4,
-	0x0a, 0x67, 0x85, 0x2b, 0xdc, 0x5b, 0xcc, 0x46, 0x7b, 0x09, 0x43, 0x3d, 0xcd, 0x1d, 0x75, 0x00,
-	0x0d, 0xb1, 0xbf, 0x1f, 0xd8, 0xcc, 0xa2, 0x36, 0x09, 0xd5, 0xf0, 0xd5, 0x0d, 0x61, 0xa6, 0x82,
-	0x1e, 0x74, 0x1f, 0xc0, 0x23, 0x83, 0x68, 0xdc, 0x39, 0xb1, 0xf2, 0x6b, 0xf3, 0x56, 0xae, 0xc7,
-	0xa3, 0xc3, 0x15, 0xa7, 0xa6, 0x73, 0xe1, 0x7c, 0x19, 0xc4, 0x60, 0x32, 0xda, 0x45, 0x58, 0xab,
-	0xc2, 0xc5, 0x0a, 0x7a, 0xb8, 0x2f, 0x4a, 0xaa, 0x48, 0x5a, 0xe7, 0x43, 0x6f, 0x4d, 0x91, 0xda,
-	0x77, 0xe0, 0xdc, 0x0c, 0x53, 0xa3, 0x16, 0x94, 0x47, 0x64, 0x22, 0x52, 0x74, 0x43, 0xe7, 0x9f,
-	0xe8, 0x0c, 0x54, 0x0f, 0xb1, 0x1d, 0x10, 0x91, 0x54, 0xeb, 0x7a, 0xd8, 0xb8, 0x55, 0xfa, 0x86,
-	0xd2, 0xfe, 0x85, 0x02, 0x6b, 0x39, 0xc5, 0x0b, 0xe6, 0xff, 0x30, 0x3d, 0xff, 0x18, 0xdc, 0x78,
-	0xf0, 0x04, 0x7b, 0x26, 0x61, 0x29, 0x45, 0xb4, 0xbf, 0x2b, 0xa0, 0xe6, 0x2c, 0xfa, 0x3d, 0x8b,
-	0x0d, 0xef, 0x5a, 0x36, 0xf1, 0xd1, 0x4d, 0x58, 0xf6, 0x42, 0x9a, 0x3c, 0x78, 0xde, 0x98, 0xb3,
-	0x11, 0x7b, 0x4b, 0x7a, 0x34, 0x1a, 0x7d, 0x08, 0xf5, 0x31, 0x61, 0xb8, 0x8f, 0x19, 0x96, 0xba,
-	0x6f, 0x15, 0xcd, 0xe4, 0x52, 0xf6, 0xe5, 0xb8, 0xbd, 0x25, 0x3d, 0x9e, 0x83, 0xde, 0x85, 0xaa,
-	0x31, 0x0c, 0x9c, 0x91, 0x38, 0x72, 0x9a, 0xdb, 0x17, 0x67, 0x4d, 0xbe, 0xcd, 0x07, 0xed, 0x2d,
-	0xe9, 0xe1, 0xe8, 0x8f, 0x6a, 0x50, 0xa1, 0xd8, 0x63, 0xda, 0x5d, 0x38, 0x53, 0x24, 0x82, 0x9f,
-	0x73, 0xc6, 0x90, 0x18, 0x23, 0x3f, 0x18, 0x4b, 0x33, 0xc7, 0x6d, 0x84, 0xa0, 0xe2, 0x5b, 0x2f,
-	0x42, 0x53, 0x97, 0x75, 0xf1, 0xad, 0xbd, 0x05, 0xeb, 0x53, 0xd2, 0xf8, 0xa6, 0x86, 0xba, 0x71,
-	0x0e, 0x2b, 0x52, 0xb4, 0x16, 0xc0, 0xd9, 0x27, 0xc2, 0x16, 0x71, 0xb2, 0x3f, 0x89, 0x93, 0x5b,
-	0xdb, 0x83, 0x8d, 0xbc, 0x58, 0x9f, 0xba, 0x8e, 0x4f, 0xb8, 0xeb, 0x8b, 0xec, 0x68, 0x91, 0x7e,
-	0xd2, 0x2b, 0xb4, 0xa8, 0xeb, 0x05, 0x3d, 0xda, 0xaf, 0x4b, 0xb0, 0xa1, 0x13, 0xdf, 0xb5, 0x0f,
-	0x49, 0x94, 0xba, 0x4e, 0x06, 0x7c, 0xfc, 0x00, 0xca, 0x98, 0x52, 0xe9, 0x26, 0xf7, 0x8e, 0xed,
-	0x78, 0xd7, 0x39, 0x57, 0xf4, 0x36, 0xac, 0xe3, 0x71, 0xcf, 0x32, 0x03, 0x37, 0xf0, 0xa3, 0x65,
-	0x09, 0xa7, 0x6a, 0xe8, 0xd3, 0x1d, 0x3c, 0xfc, 0x7d, 0x11, 0x91, 0xf7, 0x9c, 0x3e, 0xf9, 0x89,
-	0x40, 0x34, 0x65, 0x3d, 0x4d, 0xd2, 0x0c, 0x38, 0x37, 0x65, 0x24, 0x69, 0xf0, 0x34, 0x88, 0x52,
-	0x72, 0x20, 0xaa, 0x50, 0x8d, 0xd2, 0x0c, 0x35, 0xb4, 0x3f, 0x2b, 0xd0, 0x4a, 0x82, 0x4b, 0xb2,
-	0xbf, 0x00, 0x8d, 0xb1, 0xa4, 0xf9, 0xaa, 0x22, 0x32, 0x58, 0x42, 0xc8, 0xe2, 0xa9, 0x52, 0x1e,
-	0x4f, 0x6d, 0x40, 0x2d, 0x84, 0xbb, 0x72, 0xe9, 0xb2, 0x95, 0x51, 0xb9, 0x92, 0x53, 0x79, 0x13,
-	0xc0, 0x8f, 0x33, 0x9c, 0x5a, 0x13, 0xbd, 0x29, 0x0a, 0xd2, 0x60, 0x25, 0x3c, 0x7d, 0x75, 0xe2,
-	0x07, 0x36, 0x53, 0x97, 0xc5, 0x88, 0x0c, 0x4d, 0x73, 0x61, 0xed, 0x81, 0xc5, 0xd7, 0x30, 0xf0,
-	0x4f, 0x26, 0x1c, 0xde, 0x83, 0x0a, 0x17, 0xc6, 0x17, 0xd6, 0xf3, 0xb0, 0x63, 0x0c, 0x49, 0x64,
-	0xab, 0xb8, 0xcd, 0x03, 0x9d, 0x61, 0xd3, 0x57, 0x4b, 0x82, 0x2e, 0xbe, 0xb5, 0xdf, 0x97, 0x42,
-	0x4d, 0x77, 0x28, 0xf5, 0xbf, 0x7c, 0xc8, 0x5d, 0x0c, 0x02, 0xca, 0xd3, 0x20, 0x20, 0xa7, 0xf2,
-	0x17, 0x01, 0x01, 0xc7, 0x74, 0x90, 0x69, 0x01, 0x2c, 0xef, 0x50, 0xca, 0x15, 0x41, 0xd7, 0xa1,
-	0x82, 0x29, 0x0d, 0x0d, 0x9e, 0xcb, 0xd9, 0x72, 0x08, 0xff, 0x2f, 0x55, 0x12, 0x43, 0xdb, 0x37,
-	0xa1, 0x11, 0x93, 0x5e, 0x25, 0xb6, 0x91, 0x16, 0xbb, 0x05, 0x10, 0xa2, 0xdc, 0x7b, 0xce, 0xc0,
-	0xe5, 0x5b, 0xca, 0x9d, 0x5d, 0x4e, 0x15, 0xdf, 0xda, 0xad, 0x68, 0x84, 0xd0, 0xed, 0x6d, 0xa8,
-	0x5a, 0x8c, 0x8c, 0x23, 0xe5, 0x36, 0xd2, 0xca, 0x25, 0x8c, 0xf4, 0x70, 0x90, 0xf6, 0x97, 0x3a,
-	0x9c, 0xe7, 0x3b, 0xf6, 0x58, 0x84, 0xc9, 0x0e, 0xa5, 0x1f, 0x13, 0x86, 0x2d, 0xdb, 0xff, 0x4e,
-	0x40, 0xbc, 0xc9, 0x6b, 0x76, 0x0c, 0x13, 0x6a, 0x61, 0x94, 0xc9, 0x8c, 0x78, 0xec, 0x05, 0x8f,
-	0x64, 0x9f, 0x54, 0x39, 0xe5, 0xd7, 0x53, 0xe5, 0x14, 0x55, 0x1d, 0x95, 0x13, 0xaa, 0x3a, 0x66,
-	0x17, 0x9e, 0xa9, 0x72, 0xb6, 0x96, 0x2d, 0x67, 0x0b, 0xc0, 0xfc, 0xf2, 0x51, 0xc1, 0x7c, 0xbd,
-	0x10, 0xcc, 0x8f, 0x0b, 0xe3, 0xb8, 0x21, 0xcc, 0xfd, 0xad, 0xb4, 0x07, 0xce, 0xf4, 0xb5, 0x45,
-	0x60, 0x3d, 0xbc, 0x56, 0x58, 0xff, 0x69, 0x06, 0xa6, 0x87, 0x85, 0xf2, 0xbb, 0x47, 0x5b, 0xd3,
-	0x1c, 0xc0, 0xfe, 0x95, 0x83, 0xd7, 0x3f, 0x17, 0xa8, 0x8a, 0xba, 0x89, 0x0d, 0xe2, 0x03, 0x9d,
-	0x9f, 0x43, 0xfc, 0x68, 0x95, 0x49, 0x8b, 0x7f, 0xa3, 0x6b, 0x50, 0xe1, 0x46, 0x96, 0xb0, 0xf7,
-	0x5c, 0xda, 0x9e, 0x7c, 0x27, 0x76, 0x28, 0x7d, 0x4c, 0x89, 0xa1, 0x8b, 0x41, 0xe8, 0x16, 0x34,
-	0x62, 0xc7, 0x97, 0x91, 0x75, 0x21, 0x3d, 0x23, 0x8e, 0x93, 0x68, 0x5a, 0x32, 0x9c, 0xcf, 0xed,
-	0x5b, 0x1e, 0x31, 0x04, 0x28, 0xac, 0x4e, 0xcf, 0xfd, 0x38, 0xea, 0x8c, 0xe7, 0xc6, 0xc3, 0xd1,
-	0x75, 0xa8, 0x85, 0x37, 0x0b, 0x22, 0x82, 0x9a, 0xdb, 0xe7, 0xa7, 0x93, 0x69, 0x34, 0x4b, 0x0e,
-	0xd4, 0xfe, 0xa4, 0xc0, 0x9b, 0x89, 0x43, 0x44, 0xd1, 0x14, 0xe1, 0xf2, 0x2f, 0xff, 0xc4, 0xbd,
-	0x0c, 0xab, 0xa2, 0x10, 0x48, 0x2e, 0x18, 0xc2, 0xbb, 0xae, 0x1c, 0x55, 0xfb, 0x9d, 0x02, 0x97,
-	0xa6, 0xd7, 0x71, 0x7b, 0x88, 0x3d, 0x16, 0x6f, 0xef, 0x49, 0xac, 0x25, 0x3a, 0xf0, 0x4a, 0xc9,
-	0x81, 0x97, 0x59, 0x5f, 0x39, 0xbb, 0x3e, 0xed, 0x0f, 0x25, 0x68, 0xa6, 0x1c, 0xa8, 0xe8, 0xc0,
-	0xe4, 0x80, 0x4f, 0xf8, 0xad, 0x28, 0xfd, 0xc4, 0xa1, 0xd0, 0xd0, 0x53, 0x14, 0x34, 0x02, 0xa0,
-	0xd8, 0xc3, 0x63, 0xc2, 0x88, 0xc7, 0x33, 0x39, 0x8f, 0xf8, 0xfb, 0x8b, 0x67, 0x97, 0x83, 0x88,
-	0xa7, 0x9e, 0x62, 0xcf, 0x11, 0xab, 0x10, 0xed, 0xcb, 0xfc, 0x2d, 0x5b, 0xe8, 0x73, 0x58, 0x1d,
-	0x58, 0x36, 0x39, 0x48, 0x14, 0xa9, 0x09, 0x45, 0x1e, 0x2d, 0xae, 0xc8, 0xdd, 0x34, 0x5f, 0x3d,
-	0x27, 0x46, 0xbb, 0x0a, 0xad, 0x7c, 0x3c, 0x71, 0x25, 0xad, 0x31, 0x36, 0x63, 0x6b, 0xc9, 0x96,
-	0x86, 0xa0, 0x95, 0x8f, 0x1f, 0xed, 0x1f, 0x25, 0x38, 0x1b, 0xb3, 0xdb, 0x71, 0x1c, 0x37, 0x70,
-	0x0c, 0x71, 0x59, 0x57, 0xb8, 0x17, 0x67, 0xa0, 0xca, 0x2c, 0x66, 0xc7, 0xc0, 0x47, 0x34, 0xf8,
-	0xd9, 0xc5, 0x5c, 0xd7, 0x66, 0x16, 0x95, 0x1b, 0x1c, 0x35, 0xc3, 0xbd, 0x7f, 0x1e, 0x58, 0x1e,
-	0xe9, 0x8b, 0x4c, 0x50, 0xd7, 0xe3, 0x36, 0xef, 0xe3, 0xa8, 0x46, 0xc0, 0xf8, 0xd0, 0x98, 0x71,
-	0x5b, 0xf8, 0xbd, 0x6b, 0xdb, 0xc4, 0xe0, 0xe6, 0x48, 0x01, 0xfd, 0x1c, 0x55, 0x14, 0x10, 0xcc,
-	0xb3, 0x1c, 0x53, 0xc2, 0x7c, 0xd9, 0xe2, 0x7a, 0x62, 0xcf, 0xc3, 0x13, 0xb5, 0x2e, 0x0c, 0x10,
-	0x36, 0xd0, 0x07, 0x50, 0x1e, 0x63, 0x2a, 0x0f, 0xba, 0xab, 0x99, 0xec, 0x50, 0x64, 0x81, 0xce,
-	0x3e, 0xa6, 0xe1, 0x49, 0xc0, 0xa7, 0xb5, 0xdf, 0x83, 0x7a, 0x44, 0xf8, 0x42, 0x90, 0xf0, 0x33,
-	0x38, 0x95, 0x49, 0x3e, 0xe8, 0x29, 0x6c, 0x24, 0x1e, 0x95, 0x16, 0x28, 0x41, 0xe0, 0x9b, 0xaf,
-	0xd4, 0x4c, 0x9f, 0xc1, 0x40, 0x7b, 0x0e, 0xeb, 0xdc, 0x65, 0x44, 0xe0, 0x9f, 0x50, 0x69, 0xf3,
-	0x3e, 0x34, 0x62, 0x91, 0x85, 0x3e, 0xd3, 0x86, 0xfa, 0x61, 0x74, 0x89, 0x1a, 0xd6, 0x36, 0x71,
-	0x5b, 0xdb, 0x01, 0x94, 0xd6, 0x57, 0x9e, 0x40, 0xd7, 0xb2, 0xa0, 0xf8, 0x6c, 0xfe, 0xb8, 0x11,
-	0xc3, 0x23, 0x4c, 0xfc, 0xdb, 0x12, 0xac, 0xed, 0x5a, 0xe2, 0x1e, 0xe4, 0x84, 0x92, 0xdc, 0x55,
-	0x68, 0xf9, 0x41, 0x6f, 0xec, 0xf6, 0x03, 0x9b, 0x48, 0x50, 0x20, 0x4f, 0xfa, 0x29, 0xfa, 0xbc,
-	0xe4, 0xc7, 0x8d, 0x45, 0x31, 0x1b, 0xca, 0x0a, 0x57, 0x7c, 0xa3, 0x0f, 0xe0, 0xfc, 0x43, 0xf2,
-	0xb9, 0x5c, 0xcf, 0xae, 0xed, 0xf6, 0x7a, 0x96, 0x63, 0x46, 0x42, 0xaa, 0x42, 0xc8, 0xec, 0x01,
-	0x45, 0x50, 0xb1, 0x56, 0x08, 0x15, 0xb5, 0x9f, 0x29, 0xd0, 0x4a, 0xac, 0x26, 0xed, 0x7e, 0x33,
-	0x8c, 0x8f, 0xd0, 0xea, 0x97, 0xd2, 0x56, 0xcf, 0x0f, 0xfd, 0xef, 0x43, 0x63, 0x25, 0x1d, 0x1a,
-	0xff, 0x52, 0xe0, 0xec, 0xae, 0xc5, 0xa2, 0xa4, 0x64, 0xfd, 0xbf, 0xed, 0x60, 0x81, 0xbd, 0x2b,
-	0xc5, 0xf6, 0xee, 0xc0, 0x46, 0x7e, 0xa1, 0xd2, 0xe8, 0x67, 0xa0, 0xca, 0x77, 0x3e, 0xba, 0x0f,
-	0x08, 0x1b, 0xda, 0x6f, 0x6a, 0x70, 0xf1, 0x53, 0xda, 0xc7, 0x2c, 0xbe, 0xcf, 0xb9, 0xeb, 0x7a,
-	0x07, 0xbc, 0xeb, 0x64, 0x2c, 0x94, 0x7b, 0x43, 0x2b, 0xcd, 0x7d, 0x43, 0x2b, 0xcf, 0x79, 0x43,
-	0xab, 0x1c, 0xe9, 0x0d, 0xad, 0x7a, 0x62, 0x6f, 0x68, 0xd3, 0x35, 0x52, 0xad, 0xb0, 0x46, 0x7a,
-	0x9a, 0xa9, 0x23, 0x96, 0x45, 0x48, 0x7c, 0x33, 0x1d, 0x12, 0x73, 0x77, 0x67, 0xee, 0xe5, 0x7f,
-	0xee, 0xe9, 0xa9, 0xfe, 0xca, 0xa7, 0xa7, 0xc6, 0xf4, 0xd3, 0x53, 0xf1, 0xeb, 0x05, 0xcc, 0x7c,
-	0xbd, 0xb8, 0x0c, 0xab, 0xfe, 0xc4, 0x31, 0x48, 0x3f, 0xbe, 0xe5, 0x6b, 0x86, 0xcb, 0xce, 0x52,
-	0x33, 0xde, 0xbe, 0x92, 0xf3, 0xf6, 0xd8, 0x53, 0x4f, 0xa5, 0x3c, 0xf5, 0x7f, 0xa7, 0xa4, 0xb9,
-	0x05, 0x9b, 0xb3, 0xf6, 0x44, 0x86, 0x9a, 0x0a, 0xcb, 0xc6, 0x10, 0x3b, 0xa6, 0xb8, 0x7c, 0x13,
-	0x35, 0xb6, 0x6c, 0x6e, 0xff, 0x11, 0x60, 0x3d, 0xc1, 0xcf, 0xfc, 0xaf, 0x65, 0x10, 0xf4, 0x08,
-	0x5a, 0xbb, 0xf2, 0x81, 0x3c, 0xba, 0xf6, 0x44, 0xf3, 0x5e, 0x1a, 0xda, 0x17, 0x8a, 0x3b, 0x43,
-	0xf1, 0xda, 0x12, 0x32, 0xe0, 0x7c, 0x9e, 0x61, 0xf2, 0xa8, 0xf1, 0xf5, 0x39, 0x9c, 0xe3, 0x51,
-	0xaf, 0x12, 0x71, 0x45, 0x41, 0x4f, 0x61, 0x35, 0x7b, 0xf5, 0x8e, 0x32, 0x80, 0xa2, 0xf0, 0x35,
-	0xa0, 0xad, 0xcd, 0x1b, 0x12, 0xeb, 0xff, 0x8c, 0x6f, 0x75, 0xe6, 0x96, 0x19, 0x69, 0xd9, 0xda,
-	0xba, 0xe8, 0x9e, 0xbe, 0xfd, 0xb5, 0xb9, 0x63, 0x62, 0xee, 0xef, 0x43, 0x3d, 0xba, 0x95, 0xcd,
-	0x9a, 0x39, 0x77, 0x57, 0xdb, 0x6e, 0x65, 0xf9, 0x0d, 0x7c, 0x6d, 0x09, 0x7d, 0x18, 0x4e, 0xde,
-	0xa1, 0xb4, 0x60, 0x72, 0xea, 0x2e, 0xb2, 0x7d, 0xba, 0xe0, 0xfe, 0x4f, 0x5b, 0x42, 0xdf, 0x86,
-	0x26, 0xff, 0x3a, 0x90, 0x4f, 0xd3, 0x1b, 0x9d, 0xf0, 0x97, 0x10, 0x9d, 0xe8, 0x97, 0x10, 0x9d,
-	0x3b, 0x63, 0xca, 0x26, 0xed, 0x82, 0x0b, 0x3a, 0xc9, 0xe0, 0x19, 0x9c, 0xda, 0x25, 0x2c, 0xa9,
-	0xa7, 0xd1, 0xa5, 0x23, 0xdd, 0x3a, 0xb4, 0xb5, 0xfc, 0xb0, 0xe9, 0x92, 0x5c, 0x5b, 0x42, 0xbf,
-	0x54, 0xe0, 0xf4, 0x2e, 0x61, 0xf9, 0x0a, 0x15, 0xbd, 0x53, 0x2c, 0x64, 0x46, 0x25, 0xdb, 0x7e,
-	0xb8, 0x68, 0xdc, 0x65, 0xd9, 0x6a, 0x4b, 0xe8, 0x57, 0x0a, 0x9c, 0x4b, 0x29, 0x96, 0x2e, 0x39,
-	0xd1, 0xf5, 0xf9, 0xca, 0x15, 0x94, 0xa7, 0xed, 0x4f, 0x16, 0xfc, 0xc5, 0x41, 0x8a, 0xa5, 0xb6,
-	0x84, 0x0e, 0xc4, 0x9e, 0x24, 0x08, 0x13, 0x5d, 0x2c, 0x84, 0x92, 0xb1, 0xf4, 0xcd, 0x59, 0xdd,
-	0xf1, 0x3e, 0x7c, 0x02, 0xcd, 0x5d, 0xc2, 0x22, 0x38, 0x94, 0xf5, 0xb4, 0x1c, 0x0a, 0xcd, 0x86,
-	0x6a, 0x1e, 0x41, 0x09, 0x8f, 0x59, 0x0f, 0x79, 0xa5, 0x60, 0x41, 0x36, 0x56, 0x0b, 0xb1, 0x51,
-	0xd6, 0x63, 0x8a, 0x51, 0x85, 0xb6, 0x84, 0x9e, 0xc3, 0x46, 0x71, 0x3a, 0x44, 0x6f, 0x1d, 0xf9,
-	0x18, 0x6b, 0x5f, 0x3d, 0xca, 0xd0, 0x48, 0xe4, 0x47, 0x3b, 0x7f, 0x7d, 0xb9, 0xa9, 0xfc, 0xed,
-	0xe5, 0xa6, 0xf2, 0xcf, 0x97, 0x9b, 0xca, 0xf7, 0x6f, 0xbc, 0xe2, 0x97, 0x49, 0xa9, 0x1f, 0x3b,
-	0x61, 0x6a, 0x19, 0xb6, 0x45, 0x1c, 0xd6, 0xab, 0x89, 0x78, 0xbb, 0xf1, 0x9f, 0x00, 0x00, 0x00,
-	0xff, 0xff, 0xe7, 0xa3, 0xda, 0xab, 0x0b, 0x25, 0x00, 0x00,
+	// 2321 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5a, 0xcd, 0x73, 0x1b, 0x49,
+	0x15, 0xf7, 0x48, 0xb2, 0x2c, 0x3d, 0xc7, 0x5f, 0x9d, 0xc4, 0x99, 0x28, 0x89, 0xcb, 0x3b, 0x90,
+	0x54, 0x36, 0xd9, 0x95, 0x2b, 0x4e, 0xed, 0x06, 0xb2, 0xcb, 0x52, 0xde, 0x7c, 0xd8, 0xd9, 0xc4,
+	0x89, 0x99, 0x64, 0xa1, 0x02, 0x01, 0xaa, 0x35, 0x6a, 0x8d, 0x66, 0x35, 0x9a, 0xe9, 0xcc, 0xf4,
+	0x78, 0x51, 0xaa, 0x38, 0x41, 0xf1, 0x07, 0x70, 0xe0, 0xc0, 0x95, 0x3f, 0x81, 0xa2, 0x38, 0x72,
+	0xa0, 0xf8, 0x38, 0x52, 0x9c, 0xb8, 0x41, 0xe5, 0xc2, 0xbf, 0x41, 0xf5, 0xc7, 0x7c, 0x6a, 0xa4,
+	0x78, 0x51, 0xe2, 0x85, 0xbd, 0xd8, 0xd3, 0xaf, 0xbb, 0xdf, 0x7b, 0xfd, 0xfa, 0xbd, 0xd7, 0xbf,
+	0xd7, 0x2d, 0xb8, 0x14, 0x10, 0xea, 0x87, 0x24, 0x38, 0x24, 0xc1, 0x96, 0xf8, 0x74, 0x98, 0x1f,
+	0x8c, 0x32, 0x9f, 0x6d, 0x1a, 0xf8, 0xcc, 0x47, 0x90, 0x52, 0x5a, 0x0f, 0x6c, 0x87, 0xf5, 0xa3,
+	0x4e, 0xdb, 0xf2, 0x87, 0x5b, 0x38, 0xb0, 0x7d, 0x1a, 0xf8, 0x9f, 0x89, 0x8f, 0x77, 0xad, 0xee,
+	0xd6, 0xe1, 0xf6, 0x16, 0x1d, 0xd8, 0x5b, 0x98, 0x3a, 0xe1, 0x16, 0xa6, 0xd4, 0x75, 0x2c, 0xcc,
+	0x1c, 0xdf, 0xdb, 0x3a, 0xbc, 0x86, 0x5d, 0xda, 0xc7, 0xd7, 0xb6, 0x6c, 0xe2, 0x91, 0x00, 0x33,
+	0xd2, 0x95, 0x9c, 0x5b, 0xe7, 0x6c, 0xdf, 0xb7, 0x5d, 0xb2, 0x25, 0x5a, 0x9d, 0xa8, 0xb7, 0x45,
+	0x86, 0x94, 0x29, 0xb1, 0xc6, 0x2f, 0x97, 0x60, 0x65, 0x1f, 0x7b, 0x4e, 0x8f, 0x84, 0xcc, 0x24,
+	0xcf, 0x23, 0x12, 0x32, 0xf4, 0x0c, 0x6a, 0x5c, 0x19, 0x5d, 0xdb, 0xd4, 0x2e, 0x2f, 0x6e, 0xef,
+	0xb5, 0x53, 0x6d, 0xda, 0xb1, 0x36, 0xe2, 0xe3, 0xc7, 0x56, 0xb7, 0x7d, 0xb8, 0xdd, 0xa6, 0x03,
+	0xbb, 0xcd, 0xb5, 0x69, 0x67, 0xb4, 0x69, 0xc7, 0xda, 0xb4, 0xcd, 0x64, 0x59, 0xa6, 0xe0, 0x8a,
+	0x5a, 0xd0, 0x08, 0xc8, 0xa1, 0x13, 0x3a, 0xbe, 0xa7, 0x57, 0x36, 0xb5, 0xcb, 0x4d, 0x33, 0x69,
+	0x23, 0x1d, 0x16, 0x3c, 0xff, 0x16, 0xb6, 0xfa, 0x44, 0xaf, 0x6e, 0x6a, 0x97, 0x1b, 0x66, 0xdc,
+	0x44, 0x9b, 0xb0, 0x88, 0x29, 0x7d, 0x80, 0x3b, 0xc4, 0xbd, 0x4f, 0x46, 0x7a, 0x4d, 0x4c, 0xcc,
+	0x92, 0xf8, 0x5c, 0x4c, 0xe9, 0x43, 0x3c, 0x24, 0xfa, 0xbc, 0xe8, 0x8d, 0x9b, 0xe8, 0x3c, 0x34,
+	0x3d, 0x3c, 0x24, 0x21, 0xc5, 0x16, 0xd1, 0x1b, 0xa2, 0x2f, 0x25, 0xa0, 0x9f, 0xc2, 0x5a, 0x46,
+	0xf1, 0xc7, 0x7e, 0x14, 0x58, 0x44, 0x07, 0xb1, 0xf4, 0x47, 0xb3, 0x2d, 0x7d, 0xa7, 0xc8, 0xd6,
+	0x1c, 0x97, 0x84, 0x7e, 0x04, 0xf3, 0x62, 0xe7, 0xf5, 0xc5, 0xcd, 0xea, 0x6b, 0xb5, 0xb6, 0x64,
+	0x8b, 0x3c, 0x58, 0xa0, 0x6e, 0x64, 0x3b, 0x5e, 0xa8, 0x9f, 0x10, 0x12, 0x9e, 0xcc, 0x26, 0xe1,
+	0x96, 0xef, 0xf5, 0x1c, 0x7b, 0x1f, 0x7b, 0xd8, 0x26, 0x43, 0xe2, 0xb1, 0x03, 0xc1, 0xdc, 0x8c,
+	0x85, 0xa0, 0x17, 0xb0, 0x3a, 0x88, 0x42, 0xe6, 0x0f, 0x9d, 0x17, 0xe4, 0x11, 0xe5, 0x73, 0x43,
+	0x7d, 0x49, 0x58, 0xf3, 0xe1, 0x6c, 0x82, 0xef, 0x17, 0xb8, 0x9a, 0x63, 0x72, 0xb8, 0x93, 0x0c,
+	0xa2, 0x0e, 0xf9, 0x2e, 0x09, 0x84, 0x77, 0x2d, 0x4b, 0x27, 0xc9, 0x90, 0xa4, 0x1b, 0x39, 0xaa,
+	0x15, 0xea, 0x2b, 0x9b, 0x55, 0xe9, 0x46, 0x09, 0x09, 0x5d, 0x86, 0x95, 0x43, 0x12, 0x38, 0xbd,
+	0xd1, 0x63, 0xc7, 0xf6, 0x30, 0x8b, 0x02, 0xa2, 0xaf, 0x0a, 0x57, 0x2c, 0x92, 0xd1, 0x10, 0x96,
+	0xfa, 0xc4, 0x1d, 0x72, 0x93, 0xdf, 0x0a, 0x48, 0x37, 0xd4, 0xd7, 0x84, 0x7d, 0x77, 0x67, 0xdf,
+	0x41, 0xc1, 0xce, 0xcc, 0x73, 0xe7, 0x8a, 0x79, 0xbe, 0xa9, 0x22, 0x45, 0xc6, 0x08, 0x92, 0x8a,
+	0x15, 0xc8, 0xe8, 0x12, 0x2c, 0xb3, 0x00, 0x5b, 0x03, 0xc7, 0xb3, 0xf7, 0x09, 0xeb, 0xfb, 0x5d,
+	0xfd, 0xa4, 0xb0, 0x44, 0x81, 0x8a, 0x2c, 0x40, 0xc4, 0xc3, 0x1d, 0x97, 0x74, 0xa5, 0x2f, 0x3e,
+	0x19, 0x51, 0x12, 0xea, 0xa7, 0xc4, 0x2a, 0xae, 0xb7, 0x33, 0x19, 0xaa, 0x90, 0x20, 0xda, 0x77,
+	0xc6, 0x66, 0xdd, 0xf1, 0x58, 0x30, 0x32, 0x4b, 0xd8, 0xa1, 0x01, 0x2c, 0xf2, 0x75, 0xc4, 0xae,
+	0x70, 0x5a, 0xb8, 0xc2, 0xbd, 0xd9, 0x6c, 0xb4, 0x97, 0x32, 0x34, 0xb3, 0xdc, 0x51, 0x1b, 0x50,
+	0x1f, 0x87, 0xfb, 0x91, 0xcb, 0x1c, 0xea, 0x12, 0xa9, 0x46, 0xa8, 0xaf, 0x0b, 0x33, 0x95, 0xf4,
+	0xa0, 0xfb, 0x00, 0x01, 0xe9, 0xc5, 0xe3, 0xce, 0x88, 0x95, 0x5f, 0x9d, 0xb6, 0x72, 0x33, 0x19,
+	0x2d, 0x57, 0x9c, 0x99, 0xce, 0x85, 0xf3, 0x65, 0x10, 0x8b, 0xa9, 0x68, 0x17, 0x61, 0xad, 0x0b,
+	0x17, 0x2b, 0xe9, 0xe1, 0xbe, 0xa8, 0xa8, 0x22, 0x69, 0x9d, 0x95, 0xde, 0x9a, 0x21, 0xf1, 0x8d,
+	0x74, 0xbc, 0x90, 0x61, 0xd7, 0x15, 0x06, 0xb8, 0x77, 0x5b, 0x3f, 0x27, 0x37, 0x32, 0x4f, 0x6d,
+	0xdd, 0x81, 0x33, 0x13, 0xb6, 0x04, 0xad, 0x42, 0x75, 0x40, 0x46, 0x22, 0x95, 0x37, 0x4d, 0xfe,
+	0x89, 0x4e, 0xc1, 0xfc, 0x21, 0x76, 0x23, 0x22, 0x92, 0x6f, 0xc3, 0x94, 0x8d, 0x9b, 0x95, 0x6f,
+	0x68, 0xad, 0x5f, 0x68, 0xb0, 0x52, 0x58, 0x60, 0xc9, 0xfc, 0x1f, 0x66, 0xe7, 0xbf, 0x06, 0x77,
+	0xef, 0x3d, 0xc1, 0x81, 0x4d, 0x58, 0x46, 0x11, 0xe3, 0xef, 0x1a, 0xe8, 0x05, 0xcb, 0x7f, 0xcf,
+	0x61, 0xfd, 0xbb, 0x8e, 0x4b, 0x42, 0x74, 0x03, 0x16, 0x02, 0x49, 0x53, 0x07, 0xd4, 0xb9, 0x29,
+	0x1b, 0xb6, 0x37, 0x67, 0xc6, 0xa3, 0xd1, 0x47, 0xd0, 0x18, 0x12, 0x86, 0xbb, 0x98, 0x61, 0xa5,
+	0xfb, 0x66, 0xd9, 0x4c, 0x2e, 0x65, 0x5f, 0x8d, 0xdb, 0x9b, 0x33, 0x93, 0x39, 0xe8, 0x3d, 0x98,
+	0xb7, 0xfa, 0x91, 0x37, 0x10, 0x47, 0xd3, 0xe2, 0xf6, 0x85, 0x49, 0x93, 0x6f, 0xf1, 0x41, 0x7b,
+	0x73, 0xa6, 0x1c, 0xfd, 0x71, 0x1d, 0x6a, 0x14, 0x07, 0xcc, 0xb8, 0x0b, 0xa7, 0xca, 0x44, 0xf0,
+	0xf3, 0xd0, 0xea, 0x13, 0x6b, 0x10, 0x46, 0x43, 0x65, 0xe6, 0xa4, 0x8d, 0x10, 0xd4, 0x42, 0xe7,
+	0x85, 0x34, 0x75, 0xd5, 0x14, 0xdf, 0xc6, 0xdb, 0xb0, 0x36, 0x26, 0x8d, 0x6f, 0xaa, 0xd4, 0x8d,
+	0x73, 0x38, 0xa1, 0x44, 0x1b, 0x11, 0x9c, 0x7e, 0x22, 0x6c, 0x91, 0x1c, 0x0a, 0xc7, 0x71, 0xc2,
+	0x1b, 0x7b, 0xb0, 0x5e, 0x14, 0x1b, 0x52, 0xdf, 0x0b, 0x09, 0x0f, 0x11, 0x91, 0x45, 0x1d, 0xd2,
+	0x4d, 0x7b, 0x85, 0x16, 0x0d, 0xb3, 0xa4, 0xc7, 0xf8, 0x4d, 0x05, 0xd6, 0x4d, 0x12, 0xfa, 0xee,
+	0x21, 0x89, 0x53, 0xdc, 0xf1, 0x80, 0x94, 0x1f, 0x40, 0x15, 0x53, 0xaa, 0xdc, 0xe4, 0xde, 0x6b,
+	0x83, 0x01, 0x26, 0xe7, 0x8a, 0xde, 0x81, 0x35, 0x3c, 0xec, 0x38, 0x76, 0xe4, 0x47, 0x61, 0xbc,
+	0x2c, 0xe1, 0x54, 0x4d, 0x73, 0xbc, 0x83, 0xa7, 0x89, 0x50, 0x44, 0xe4, 0x3d, 0xaf, 0x4b, 0x7e,
+	0x22, 0x90, 0x4f, 0xd5, 0xcc, 0x92, 0x0c, 0x0b, 0xce, 0x8c, 0x19, 0x49, 0x19, 0x3c, 0x0b, 0xb6,
+	0xb4, 0x02, 0xd8, 0x2a, 0x55, 0xa3, 0x32, 0x41, 0x0d, 0xe3, 0xcf, 0x1a, 0xac, 0xa6, 0xc1, 0xa5,
+	0xd8, 0x9f, 0x87, 0xe6, 0x50, 0xd1, 0x42, 0x5d, 0x13, 0x99, 0x2e, 0x25, 0xe4, 0x71, 0x57, 0xa5,
+	0x88, 0xbb, 0xd6, 0xa1, 0x2e, 0x61, 0xb1, 0x5a, 0xba, 0x6a, 0xe5, 0x54, 0xae, 0x15, 0x54, 0xde,
+	0x00, 0x08, 0x93, 0x0c, 0xa7, 0xd7, 0x45, 0x6f, 0x86, 0x82, 0x0c, 0x38, 0x21, 0x4f, 0x69, 0x93,
+	0x84, 0x91, 0xcb, 0xf4, 0x05, 0x31, 0x22, 0x47, 0x33, 0x7c, 0x58, 0x79, 0xe0, 0xf0, 0x35, 0xf4,
+	0xc2, 0xe3, 0x09, 0x87, 0xf7, 0xa1, 0xc6, 0x85, 0xf1, 0x85, 0x75, 0x02, 0xec, 0x59, 0x7d, 0x12,
+	0xdb, 0x2a, 0x69, 0xf3, 0x40, 0x67, 0xd8, 0x0e, 0xf5, 0x8a, 0xa0, 0x8b, 0x6f, 0xe3, 0xf7, 0x15,
+	0xa9, 0xe9, 0x0e, 0xa5, 0xe1, 0x97, 0x0f, 0xcd, 0xcb, 0xc1, 0x42, 0x75, 0x1c, 0x2c, 0x14, 0x54,
+	0xfe, 0x22, 0x60, 0xe1, 0x35, 0x1d, 0x64, 0x46, 0x04, 0x0b, 0x3b, 0x94, 0x72, 0x45, 0xd0, 0x35,
+	0xa8, 0x61, 0x4a, 0xa5, 0xc1, 0x0b, 0x39, 0x5b, 0x0d, 0xe1, 0xff, 0x95, 0x4a, 0x62, 0x68, 0xeb,
+	0x06, 0x34, 0x13, 0xd2, 0xab, 0xc4, 0x36, 0xb3, 0x62, 0x37, 0x01, 0x24, 0x1a, 0xbe, 0xe7, 0xf5,
+	0x7c, 0xbe, 0xa5, 0xdc, 0xd9, 0xd5, 0x54, 0xf1, 0x6d, 0xdc, 0x8c, 0x47, 0x08, 0xdd, 0xde, 0x81,
+	0x79, 0x87, 0x91, 0x61, 0xac, 0xdc, 0x7a, 0x56, 0xb9, 0x94, 0x91, 0x29, 0x07, 0x19, 0x7f, 0x69,
+	0xc0, 0x59, 0xbe, 0x63, 0x8f, 0x45, 0x98, 0xec, 0x50, 0x7a, 0x9b, 0x30, 0xec, 0xb8, 0xe1, 0x77,
+	0x22, 0x12, 0x8c, 0xde, 0xb0, 0x63, 0xd8, 0x50, 0x97, 0x51, 0xa6, 0x32, 0xe2, 0x6b, 0x2f, 0x8c,
+	0x14, 0xfb, 0xb4, 0x1a, 0xaa, 0xbe, 0x99, 0x6a, 0xa8, 0xac, 0x3a, 0xa9, 0x1d, 0x53, 0x75, 0x32,
+	0xb9, 0x40, 0xcd, 0x94, 0xbd, 0xf5, 0x7c, 0xd9, 0x5b, 0x02, 0xfa, 0x17, 0x8e, 0x0a, 0xfa, 0x1b,
+	0xa5, 0xa0, 0x7f, 0x58, 0x1a, 0xc7, 0x4d, 0x61, 0xee, 0x6f, 0x65, 0x3d, 0x70, 0xa2, 0xaf, 0xcd,
+	0x02, 0xff, 0xe1, 0x8d, 0xc2, 0xff, 0x4f, 0x73, 0x70, 0x5e, 0x16, 0xd4, 0xef, 0x1d, 0x6d, 0x4d,
+	0x53, 0x80, 0xfd, 0x57, 0x0e, 0x5e, 0xff, 0x5c, 0xa0, 0x2a, 0xea, 0xa7, 0x36, 0x48, 0x0e, 0x74,
+	0x7e, 0x0e, 0xf1, 0xa3, 0x55, 0x25, 0x2d, 0xfe, 0x8d, 0xae, 0x42, 0x8d, 0x1b, 0x59, 0xc1, 0xde,
+	0x33, 0x59, 0x7b, 0xf2, 0x9d, 0xd8, 0xa1, 0xf4, 0x31, 0x25, 0x96, 0x29, 0x06, 0xa1, 0x9b, 0xd0,
+	0x4c, 0x1c, 0x5f, 0x45, 0xd6, 0xf9, 0xec, 0x8c, 0x24, 0x4e, 0xe2, 0x69, 0xe9, 0x70, 0x3e, 0xb7,
+	0xeb, 0x04, 0xc4, 0x12, 0xa0, 0x70, 0x7e, 0x7c, 0xee, 0xed, 0xb8, 0x33, 0x99, 0x9b, 0x0c, 0x47,
+	0xd7, 0xa0, 0x2e, 0x6f, 0x20, 0x44, 0x04, 0x2d, 0x6e, 0x9f, 0x1d, 0x4f, 0xa6, 0xf1, 0x2c, 0x35,
+	0xd0, 0xf8, 0x93, 0x06, 0x6f, 0xa5, 0x0e, 0x11, 0x47, 0x53, 0x8c, 0xcb, 0xbf, 0xfc, 0x13, 0xf7,
+	0x12, 0x2c, 0x8b, 0x42, 0x20, 0xbd, 0x88, 0x90, 0x77, 0x62, 0x05, 0xaa, 0xf1, 0x3b, 0x0d, 0x2e,
+	0x8e, 0xaf, 0xe3, 0x56, 0x1f, 0x07, 0x2c, 0xd9, 0xde, 0xe3, 0x58, 0x4b, 0x7c, 0xe0, 0x55, 0xd2,
+	0x03, 0x2f, 0xb7, 0xbe, 0x6a, 0x7e, 0x7d, 0xc6, 0x1f, 0x2a, 0xb0, 0x98, 0x71, 0xa0, 0xb2, 0x03,
+	0x93, 0x03, 0x3e, 0xe1, 0xb7, 0xa2, 0xf4, 0x13, 0x87, 0x42, 0xd3, 0xcc, 0x50, 0xd0, 0x00, 0x80,
+	0xe2, 0x00, 0x0f, 0x09, 0x23, 0x01, 0xcf, 0xe4, 0x3c, 0xe2, 0xef, 0xcf, 0x9e, 0x5d, 0x0e, 0x62,
+	0x9e, 0x66, 0x86, 0x3d, 0x47, 0xac, 0x42, 0x74, 0xa8, 0xf2, 0xb7, 0x6a, 0xa1, 0xcf, 0x61, 0xb9,
+	0xe7, 0xb8, 0xe4, 0x20, 0x55, 0xa4, 0x2e, 0x14, 0x79, 0x34, 0xbb, 0x22, 0x77, 0xb3, 0x7c, 0xcd,
+	0x82, 0x18, 0xe3, 0x0a, 0xac, 0x16, 0xe3, 0x89, 0x2b, 0xe9, 0x0c, 0xb1, 0x9d, 0x58, 0x4b, 0xb5,
+	0x0c, 0x04, 0xab, 0xc5, 0xf8, 0x31, 0xfe, 0x59, 0x81, 0xd3, 0x09, 0xbb, 0x1d, 0xcf, 0xf3, 0x23,
+	0xcf, 0x12, 0x97, 0x7a, 0xa5, 0x7b, 0x71, 0x0a, 0xe6, 0x99, 0xc3, 0xdc, 0x04, 0xf8, 0x88, 0x06,
+	0x3f, 0xbb, 0x98, 0xef, 0xbb, 0xcc, 0xa1, 0x6a, 0x83, 0xe3, 0xa6, 0xdc, 0xfb, 0xe7, 0x91, 0x13,
+	0x90, 0xae, 0xc8, 0x04, 0x0d, 0x33, 0x69, 0xf3, 0x3e, 0x8e, 0x6a, 0x04, 0x8c, 0x97, 0xc6, 0x4c,
+	0xda, 0xc2, 0xef, 0x7d, 0xd7, 0x25, 0x16, 0x37, 0x47, 0x06, 0xe8, 0x17, 0xa8, 0xa2, 0x80, 0x60,
+	0x81, 0xe3, 0xd9, 0x0a, 0xe6, 0xab, 0x16, 0xd7, 0x13, 0x07, 0x01, 0x1e, 0xe9, 0x0d, 0x61, 0x00,
+	0xd9, 0x40, 0x1f, 0x42, 0x75, 0x88, 0xa9, 0x3a, 0xe8, 0xae, 0xe4, 0xb2, 0x43, 0x99, 0x05, 0xda,
+	0xfb, 0x98, 0xca, 0x93, 0x80, 0x4f, 0x6b, 0xbd, 0x0f, 0x8d, 0x98, 0xf0, 0x85, 0x20, 0xe1, 0x67,
+	0xb0, 0x94, 0x4b, 0x3e, 0xe8, 0x29, 0xac, 0xa7, 0x1e, 0x95, 0x15, 0xa8, 0x40, 0xe0, 0x5b, 0xaf,
+	0xd4, 0xcc, 0x9c, 0xc0, 0xc0, 0x78, 0x0e, 0x6b, 0xdc, 0x65, 0x44, 0xe0, 0x1f, 0x53, 0x69, 0xf3,
+	0x01, 0x34, 0x13, 0x91, 0xa5, 0x3e, 0xd3, 0x82, 0xc6, 0x61, 0x7c, 0xd9, 0x2a, 0x6b, 0x9b, 0xa4,
+	0x6d, 0xec, 0x00, 0xca, 0xea, 0xab, 0x4e, 0xa0, 0xab, 0x79, 0x50, 0x7c, 0xba, 0x78, 0xdc, 0x88,
+	0xe1, 0x31, 0x26, 0xfe, 0x6d, 0x05, 0x56, 0x76, 0x1d, 0x71, 0x0f, 0x72, 0x4c, 0x49, 0xee, 0x0a,
+	0xac, 0x86, 0x51, 0x67, 0xe8, 0x77, 0x23, 0x97, 0x28, 0x50, 0xa0, 0x4e, 0xfa, 0x31, 0xfa, 0xb4,
+	0xe4, 0xc7, 0x8d, 0x45, 0x31, 0xeb, 0xab, 0x0a, 0x57, 0x7c, 0xa3, 0x0f, 0xe1, 0xec, 0x43, 0xf2,
+	0xb9, 0x5a, 0xcf, 0xae, 0xeb, 0x77, 0x3a, 0x8e, 0x67, 0xc7, 0x42, 0xe6, 0x85, 0x90, 0xc9, 0x03,
+	0xca, 0xa0, 0x62, 0xbd, 0x14, 0x2a, 0x1a, 0x3f, 0xd3, 0x60, 0x35, 0xb5, 0x9a, 0xb2, 0xfb, 0x0d,
+	0x19, 0x1f, 0xd2, 0xea, 0x17, 0xb3, 0x56, 0x2f, 0x0e, 0xfd, 0xef, 0x43, 0xe3, 0x44, 0x36, 0x34,
+	0xfe, 0xad, 0xc1, 0xe9, 0x5d, 0x87, 0xc5, 0x49, 0xc9, 0xf9, 0x7f, 0xdb, 0xc1, 0x12, 0x7b, 0xd7,
+	0xca, 0xed, 0xdd, 0x86, 0xf5, 0xe2, 0x42, 0x95, 0xd1, 0x4f, 0xc1, 0x3c, 0xdf, 0xf9, 0xf8, 0x3e,
+	0x40, 0x36, 0x8c, 0x7f, 0xd4, 0xe1, 0xc2, 0xa7, 0xb4, 0x8b, 0x59, 0x72, 0x9f, 0x73, 0xd7, 0x0f,
+	0x0e, 0x78, 0xd7, 0xf1, 0x58, 0xa8, 0xf0, 0xd6, 0x56, 0x99, 0xfa, 0xd6, 0x56, 0x9d, 0xf2, 0xd6,
+	0x56, 0x3b, 0xd2, 0x5b, 0xdb, 0xfc, 0xb1, 0xbd, 0xb5, 0x8d, 0xd7, 0x48, 0xf5, 0xd2, 0x1a, 0xe9,
+	0x69, 0xae, 0x8e, 0x58, 0x10, 0x21, 0xf1, 0xcd, 0x6c, 0x48, 0x4c, 0xdd, 0x9d, 0xa9, 0x8f, 0x04,
+	0x85, 0x27, 0xaa, 0xc6, 0x2b, 0x9f, 0xa8, 0x9a, 0xe3, 0x4f, 0x54, 0xe5, 0xaf, 0x1c, 0x30, 0xf1,
+	0x95, 0xe3, 0x12, 0x2c, 0x87, 0x23, 0xcf, 0x22, 0xdd, 0xe4, 0x96, 0x6f, 0x51, 0x2e, 0x3b, 0x4f,
+	0xcd, 0x79, 0xfb, 0x89, 0x82, 0xb7, 0x27, 0x9e, 0xba, 0x94, 0xf1, 0xd4, 0x92, 0x07, 0x8a, 0x95,
+	0xd2, 0x07, 0x8a, 0xff, 0x99, 0xd2, 0xe7, 0x26, 0x6c, 0x4c, 0xda, 0x3b, 0x15, 0x92, 0x3a, 0x2c,
+	0x58, 0x7d, 0xec, 0xd9, 0xe2, 0x92, 0x4e, 0xd4, 0xe2, 0xaa, 0xb9, 0xfd, 0x47, 0x80, 0xb5, 0x14,
+	0x67, 0xf3, 0xbf, 0x8e, 0x45, 0xd0, 0x23, 0x58, 0xdd, 0x55, 0x0f, 0xee, 0xf1, 0xf5, 0x28, 0x9a,
+	0xf6, 0x22, 0xd1, 0x3a, 0x5f, 0xde, 0x29, 0xc5, 0x1b, 0x73, 0xc8, 0x82, 0xb3, 0x45, 0x86, 0xe9,
+	0xe3, 0xc7, 0xd7, 0xa7, 0x70, 0x4e, 0x46, 0xbd, 0x4a, 0xc4, 0x65, 0x0d, 0x3d, 0x85, 0xe5, 0xfc,
+	0x15, 0x3d, 0xca, 0x01, 0x8f, 0xd2, 0x57, 0x83, 0x96, 0x31, 0x6d, 0x48, 0xa2, 0xff, 0x33, 0xbe,
+	0xd5, 0xb9, 0xdb, 0x68, 0x64, 0xe4, 0x6b, 0xf0, 0xb2, 0xfb, 0xfc, 0xd6, 0xd7, 0xa6, 0x8e, 0x49,
+	0xb8, 0x7f, 0x00, 0x8d, 0xf8, 0xf6, 0x36, 0x6f, 0xe6, 0xc2, 0x9d, 0x6e, 0x6b, 0x35, 0xcf, 0xaf,
+	0x17, 0x1a, 0x73, 0xe8, 0x23, 0x39, 0x79, 0x87, 0xd2, 0x92, 0xc9, 0x99, 0x3b, 0xcb, 0xd6, 0xc9,
+	0x92, 0x7b, 0x42, 0x63, 0x0e, 0x7d, 0x1b, 0x16, 0xf9, 0xd7, 0x81, 0x7a, 0xea, 0x5e, 0x6f, 0xcb,
+	0x5f, 0x56, 0xb4, 0xe3, 0x5f, 0x56, 0xb4, 0xef, 0x0c, 0x29, 0x1b, 0xb5, 0x4a, 0x2e, 0xf2, 0x14,
+	0x83, 0x67, 0xb0, 0xb4, 0x4b, 0x58, 0x5a, 0x77, 0xa3, 0x8b, 0x47, 0xba, 0x9d, 0x68, 0x19, 0xc5,
+	0x61, 0xe3, 0xa5, 0xbb, 0x31, 0x87, 0x7e, 0xa5, 0xc1, 0xc9, 0x5d, 0xc2, 0x8a, 0x95, 0x2c, 0x7a,
+	0xb7, 0x5c, 0xc8, 0x84, 0x8a, 0xb7, 0xf5, 0x70, 0xd6, 0xb8, 0xcb, 0xb3, 0x35, 0xe6, 0xd0, 0xaf,
+	0x35, 0x38, 0x93, 0x51, 0x2c, 0x5b, 0x9a, 0xa2, 0x6b, 0xd3, 0x95, 0x2b, 0x29, 0x63, 0x5b, 0x9f,
+	0xcc, 0xf8, 0x0b, 0x86, 0x0c, 0x4b, 0x63, 0x0e, 0x1d, 0x88, 0x3d, 0x49, 0x91, 0x28, 0xba, 0x50,
+	0x0a, 0x39, 0x13, 0xe9, 0x1b, 0x93, 0xba, 0x93, 0x7d, 0xf8, 0x04, 0x16, 0x77, 0x09, 0x8b, 0x61,
+	0x53, 0xde, 0xd3, 0x0a, 0x68, 0x35, 0x1f, 0xaa, 0x45, 0xa4, 0x25, 0x3c, 0x66, 0x4d, 0xf2, 0xca,
+	0xc0, 0x87, 0x7c, 0xac, 0x96, 0x62, 0xa8, 0xbc, 0xc7, 0x94, 0xa3, 0x0f, 0x63, 0x0e, 0x3d, 0x87,
+	0xf5, 0xf2, 0x74, 0x88, 0xde, 0x3e, 0xf2, 0x71, 0xd7, 0xba, 0x72, 0x94, 0xa1, 0xb1, 0xc8, 0x8f,
+	0x77, 0xfe, 0xfa, 0x72, 0x43, 0xfb, 0xdb, 0xcb, 0x0d, 0xed, 0x5f, 0x2f, 0x37, 0xb4, 0xef, 0x5f,
+	0x7f, 0xc5, 0x2f, 0x9d, 0x32, 0x3f, 0x9e, 0xc2, 0xd4, 0xb1, 0x5c, 0x87, 0x78, 0xac, 0x53, 0x17,
+	0xf1, 0x76, 0xfd, 0x3f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x9a, 0xc9, 0x91, 0xdb, 0x5b, 0x25, 0x00,
+	0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -3188,6 +3207,15 @@ func (m *ManifestRequest) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.InstallationID) > 0 {
+		i -= len(m.InstallationID)
+		copy(dAtA[i:], m.InstallationID)
+		i = encodeVarintRepository(dAtA, i, uint64(len(m.InstallationID)))
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0xda
+	}
 	if len(m.ProjectName) > 0 {
 		i -= len(m.ProjectName)
 		copy(dAtA[i:], m.ProjectName)
@@ -5183,6 +5211,13 @@ func (m *UpdateRevisionForPathsRequest) MarshalToSizedBuffer(dAtA []byte) (int,
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.InstallationID) > 0 {
+		i -= len(m.InstallationID)
+		copy(dAtA[i:], m.InstallationID)
+		i = encodeVarintRepository(dAtA, i, uint64(len(m.InstallationID)))
+		i--
+		dAtA[i] = 0x7a
+	}
 	if len(m.Paths) > 0 {
 		for iNdEx := len(m.Paths) - 1; iNdEx >= 0; iNdEx-- {
 			i -= len(m.Paths[iNdEx])
@@ -5474,6 +5509,10 @@ func (m *ManifestRequest) Size() (n int) {
 	if l > 0 {
 		n += 2 + l + sovRepository(uint64(l))
 	}
+	l = len(m.InstallationID)
+	if l > 0 {
+		n += 2 + l + sovRepository(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -6318,6 +6357,10 @@ func (m *UpdateRevisionForPathsRequest) Size() (n int) {
 			n += 1 + l + sovRepository(uint64(l))
 		}
 	}
+	l = len(m.InstallationID)
+	if l > 0 {
+		n += 1 + l + sovRepository(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -7232,6 +7275,38 @@ func (m *ManifestRequest) Unmarshal(dAtA []byte) error {
 			}
 			m.ProjectName = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 27:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InstallationID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRepository
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRepository
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthRepository
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.InstallationID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipRepository(dAtA[iNdEx:])
@@ -12476,6 +12551,38 @@ func (m *UpdateRevisionForPathsRequest) Unmarshal(dAtA []byte) error {
 			}
 			m.Paths = append(m.Paths, string(dAtA[iNdEx:postIndex]))
 			iNdEx = postIndex
+		case 15:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field InstallationID", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowRepository
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthRepository
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthRepository
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.InstallationID = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipRepository(dAtA[iNdEx:])

reposerver/cache/cache.go

@@ -285,13 +285,17 @@ func (c *Cache) UnlockGitReferences(repo string, lockId string) error {
 
 // refSourceCommitSHAs is a list of resolved revisions for each ref source. This allows us to invalidate the cache
 // when someone pushes a commit to a source which is referenced from the main source (the one referred to by `revision`).
-func manifestCacheKey(revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, namespace string, trackingMethod string, appLabelKey string, appName string, info ClusterRuntimeInfo, refSourceCommitSHAs ResolvedRevisions) string {
+func manifestCacheKey(revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, namespace string, trackingMethod string, appLabelKey string, appName string, info ClusterRuntimeInfo, refSourceCommitSHAs ResolvedRevisions, installationID string) string {
 	// TODO: this function is getting unwieldy. We should probably consolidate some of this stuff into a struct. For
 	//       example, revision could be part of ResolvedRevisions. And srcRefs is probably redundant now that
 	//       refSourceCommitSHAs has been added. We don't need to know the _target_ revisions of the referenced sources
 	//       when the _resolved_ revisions are already part of the key.
 	trackingKey := trackingKey(appLabelKey, trackingMethod)
-	return fmt.Sprintf("mfst|%s|%s|%s|%s|%d", trackingKey, appName, revision, namespace, appSourceKey(appSrc, srcRefs, refSourceCommitSHAs)+clusterRuntimeInfoKey(info))
+	key := fmt.Sprintf("mfst|%s|%s|%s|%s|%d", trackingKey, appName, revision, namespace, appSourceKey(appSrc, srcRefs, refSourceCommitSHAs)+clusterRuntimeInfoKey(info))
+	if installationID != "" {
+		key = fmt.Sprintf("%s|%s", key, installationID)
+	}
+	return key
 }
 
 func trackingKey(appLabelKey string, trackingMethod string) string {
@@ -318,15 +322,14 @@ func LogDebugManifestCacheKeyFields(message string, reason string, revision stri
 	}
 }
 
-func (c *Cache) SetNewRevisionManifests(newRevision string, revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace string, trackingMethod string, appLabelKey string, appName string, refSourceCommitSHAs ResolvedRevisions) error {
-	oldKey := manifestCacheKey(revision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs)
-	newKey := manifestCacheKey(newRevision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs)
+func (c *Cache) SetNewRevisionManifests(newRevision string, revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace string, trackingMethod string, appLabelKey string, appName string, refSourceCommitSHAs ResolvedRevisions, installationID string) error {
+	oldKey := manifestCacheKey(revision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs, installationID)
+	newKey := manifestCacheKey(newRevision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs, installationID)
 	return c.cache.RenameItem(oldKey, newKey, c.repoCacheExpiration)
 }
 
-func (c *Cache) GetManifests(revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace string, trackingMethod string, appLabelKey string, appName string, res *CachedManifestResponse, refSourceCommitSHAs ResolvedRevisions) error {
-	err := c.cache.GetItem(manifestCacheKey(revision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs), res)
-
+func (c *Cache) GetManifests(revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace string, trackingMethod string, appLabelKey string, appName string, res *CachedManifestResponse, refSourceCommitSHAs ResolvedRevisions, installationID string) error {
+	err := c.cache.GetItem(manifestCacheKey(revision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs, installationID), res)
 	if err != nil {
 		return err
 	}
@@ -342,7 +345,7 @@ func (c *Cache) GetManifests(revision string, appSrc *appv1.ApplicationSource, s
 
 		LogDebugManifestCacheKeyFields("deleting manifests cache", "manifest hash did not match or cached response is empty", revision, appSrc, srcRefs, clusterInfo, namespace, trackingMethod, appLabelKey, appName, refSourceCommitSHAs)
 
-		err = c.DeleteManifests(revision, appSrc, srcRefs, clusterInfo, namespace, trackingMethod, appLabelKey, appName, refSourceCommitSHAs)
+		err = c.DeleteManifests(revision, appSrc, srcRefs, clusterInfo, namespace, trackingMethod, appLabelKey, appName, refSourceCommitSHAs, installationID)
 		if err != nil {
 			return fmt.Errorf("Unable to delete manifest after hash mismatch, %v", err)
 		}
@@ -362,7 +365,7 @@ func (c *Cache) GetManifests(revision string, appSrc *appv1.ApplicationSource, s
 	return nil
 }
 
-func (c *Cache) SetManifests(revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace string, trackingMethod string, appLabelKey string, appName string, res *CachedManifestResponse, refSourceCommitSHAs ResolvedRevisions) error {
+func (c *Cache) SetManifests(revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace string, trackingMethod string, appLabelKey string, appName string, res *CachedManifestResponse, refSourceCommitSHAs ResolvedRevisions, installationID string) error {
 	// Generate and apply the cache entry hash, before writing
 	if res != nil {
 		res = res.shallowCopy()
@@ -374,16 +377,16 @@ func (c *Cache) SetManifests(revision string, appSrc *appv1.ApplicationSource, s
 	}
 
 	return c.cache.SetItem(
-		manifestCacheKey(revision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs),
+		manifestCacheKey(revision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs, installationID),
 		res,
 		&cacheutil.CacheActionOpts{
 			Expiration: c.repoCacheExpiration,
 			Delete:     res == nil})
 }
 
-func (c *Cache) DeleteManifests(revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace, trackingMethod, appLabelKey, appName string, refSourceCommitSHAs ResolvedRevisions) error {
+func (c *Cache) DeleteManifests(revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace, trackingMethod, appLabelKey, appName string, refSourceCommitSHAs ResolvedRevisions, installationID string) error {
 	return c.cache.SetItem(
-		manifestCacheKey(revision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs),
+		manifestCacheKey(revision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs, installationID),
 		"",
 		&cacheutil.CacheActionOpts{Delete: true})
 }

reposerver/cache/cache_test.go

@@ -93,43 +93,44 @@ func TestCache_GetManifests(t *testing.T) {
 	// cache miss
 	q := &apiclient.ManifestRequest{}
 	value := &CachedManifestResponse{}
-	err := cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", value, nil)
+	err := cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", value, nil, "")
 	assert.Equal(t, ErrCacheMiss, err)
 	// populate cache
 	res := &CachedManifestResponse{ManifestResponse: &apiclient.ManifestResponse{SourceType: "my-source-type"}}
-	err = cache.SetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", res, nil)
+
+	err = cache.SetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", res, nil, "")
 	assert.NoError(t, err)
 	t.Run("expect cache miss because of changed revision", func(t *testing.T) {
-		err = cache.GetManifests("other-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", value, nil)
+		err = cache.GetManifests("other-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", value, nil, "")
 		assert.Equal(t, ErrCacheMiss, err)
 	})
 	t.Run("expect cache miss because of changed path", func(t *testing.T) {
-		err = cache.GetManifests("my-revision", &ApplicationSource{Path: "other-path"}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", value, nil)
+		err = cache.GetManifests("my-revision", &ApplicationSource{Path: "other-path"}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", value, nil, "")
 		assert.Equal(t, ErrCacheMiss, err)
 	})
 	t.Run("expect cache miss because of changed namespace", func(t *testing.T) {
-		err = cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "other-namespace", "", "my-app-label-key", "my-app-label-value", value, nil)
+		err = cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "other-namespace", "", "my-app-label-key", "my-app-label-value", value, nil, "")
 		assert.Equal(t, ErrCacheMiss, err)
 	})
 	t.Run("expect cache miss because of changed app label key", func(t *testing.T) {
-		err = cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "other-app-label-key", "my-app-label-value", value, nil)
+		err = cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "other-app-label-key", "my-app-label-value", value, nil, "")
 		assert.Equal(t, ErrCacheMiss, err)
 	})
 	t.Run("expect cache miss because of changed app label value", func(t *testing.T) {
-		err = cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "other-app-label-value", value, nil)
+		err = cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "other-app-label-value", value, nil, "")
 		assert.Equal(t, ErrCacheMiss, err)
 	})
 	t.Run("expect cache miss because of changed referenced source", func(t *testing.T) {
-		err = cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "other-app-label-value", value, map[string]string{"my-referenced-source": "my-referenced-revision"})
+		err = cache.GetManifests("my-revision", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "other-app-label-value", value, map[string]string{"my-referenced-source": "my-referenced-revision"}, "")
 		assert.Equal(t, ErrCacheMiss, err)
 	})
 	t.Run("expect cache hit", func(t *testing.T) {
 		err = cache.SetManifests(
 			"my-revision1", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value",
-			&CachedManifestResponse{ManifestResponse: &apiclient.ManifestResponse{SourceType: "my-source-type", Revision: "my-revision2"}}, nil)
+			&CachedManifestResponse{ManifestResponse: &apiclient.ManifestResponse{SourceType: "my-source-type", Revision: "my-revision2"}}, nil, "")
 		assert.NoError(t, err)
 
-		err = cache.GetManifests("my-revision1", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", value, nil)
+		err = cache.GetManifests("my-revision1", &ApplicationSource{}, q.RefSources, q, "my-namespace", "", "my-app-label-key", "my-app-label-value", value, nil, "")
 		assert.NoError(t, err)
 
 		assert.Equal(t, "my-source-type", value.ManifestResponse.SourceType)
@@ -199,7 +200,7 @@ func TestCachedManifestResponse_HashBehavior(t *testing.T) {
 		NumberOfConsecutiveFailures:     0,
 	}
 	q := &apiclient.ManifestRequest{}
-	err := repoCache.SetManifests(response.Revision, appSrc, q.RefSources, q, response.Namespace, "", appKey, appValue, store, nil)
+	err := repoCache.SetManifests(response.Revision, appSrc, q.RefSources, q, response.Namespace, "", appKey, appValue, store, nil, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -230,7 +231,7 @@ func TestCachedManifestResponse_HashBehavior(t *testing.T) {
 
 	// Retrieve the value using 'GetManifests' and confirm it works
 	retrievedVal := &CachedManifestResponse{}
-	err = repoCache.GetManifests(response.Revision, appSrc, q.RefSources, q, response.Namespace, "", appKey, appValue, retrievedVal, nil)
+	err = repoCache.GetManifests(response.Revision, appSrc, q.RefSources, q, response.Namespace, "", appKey, appValue, retrievedVal, nil, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -253,7 +254,7 @@ func TestCachedManifestResponse_HashBehavior(t *testing.T) {
 
 	// Retrieve the value using GetManifests and confirm it returns a cache miss
 	retrievedVal = &CachedManifestResponse{}
-	err = repoCache.GetManifests(response.Revision, appSrc, q.RefSources, q, response.Namespace, "", appKey, appValue, retrievedVal, nil)
+	err = repoCache.GetManifests(response.Revision, appSrc, q.RefSources, q, response.Namespace, "", appKey, appValue, retrievedVal, nil, "")
 
 	assert.True(t, err == cacheutil.ErrCacheMiss)
 

reposerver/repository/repository.go

@@ -819,7 +819,7 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA,
 			// Retrieve a new copy (if available) of the cached response: this ensures we are updating the latest copy of the cache,
 			// rather than a copy of the cache that occurred before (a potentially lengthy) manifest generation.
 			innerRes := &cache.CachedManifestResponse{}
-			cacheErr := s.cache.GetManifests(cacheKey, appSourceCopy, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, innerRes, refSourceCommitSHAs)
+			cacheErr := s.cache.GetManifests(cacheKey, appSourceCopy, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, innerRes, refSourceCommitSHAs, q.InstallationID)
 			if cacheErr != nil && cacheErr != cache.ErrCacheMiss {
 				logCtx.Warnf("manifest cache get error %s: %v", appSourceCopy.String(), cacheErr)
 				ch.errCh <- cacheErr
@@ -837,7 +837,7 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA,
 			// Update the cache to include failure information
 			innerRes.NumberOfConsecutiveFailures++
 			innerRes.MostRecentError = err.Error()
-			cacheErr = s.cache.SetManifests(cacheKey, appSourceCopy, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, innerRes, refSourceCommitSHAs)
+			cacheErr = s.cache.SetManifests(cacheKey, appSourceCopy, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, innerRes, refSourceCommitSHAs, q.InstallationID)
 
 			if cacheErr != nil {
 				logCtx.Warnf("manifest cache set error %s: %v", appSourceCopy.String(), cacheErr)
@@ -862,7 +862,7 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA,
 	}
 	manifestGenResult.Revision = commitSHA
 	manifestGenResult.VerifyResult = opContext.verificationResult
-	err = s.cache.SetManifests(cacheKey, appSourceCopy, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, &manifestGenCacheEntry, refSourceCommitSHAs)
+	err = s.cache.SetManifests(cacheKey, appSourceCopy, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, &manifestGenCacheEntry, refSourceCommitSHAs, q.InstallationID)
 	if err != nil {
 		log.Warnf("manifest cache set error %s/%s: %v", appSourceCopy.String(), cacheKey, err)
 	}
@@ -879,7 +879,7 @@ func (s *Service) getManifestCacheEntry(cacheKey string, q *apiclient.ManifestRe
 	cache.LogDebugManifestCacheKeyFields("getting manifests cache", "GenerateManifest API call", cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, refSourceCommitSHAs)
 
 	res := cache.CachedManifestResponse{}
-	err := s.cache.GetManifests(cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, &res, refSourceCommitSHAs)
+	err := s.cache.GetManifests(cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, &res, refSourceCommitSHAs, q.InstallationID)
 	if err == nil {
 
 		// The cache contains an existing value
@@ -900,7 +900,7 @@ func (s *Service) getManifestCacheEntry(cacheKey string, q *apiclient.ManifestRe
 						cache.LogDebugManifestCacheKeyFields("deleting manifests cache", "manifest hash did not match or cached response is empty", cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, refSourceCommitSHAs)
 
 						// We can now try again, so reset the cache state and run the operation below
-						err = s.cache.DeleteManifests(cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, refSourceCommitSHAs)
+						err = s.cache.DeleteManifests(cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, refSourceCommitSHAs, q.InstallationID)
 						if err != nil {
 							log.Warnf("manifest cache set error %s/%s: %v", q.ApplicationSource.String(), cacheKey, err)
 						}
@@ -916,7 +916,7 @@ func (s *Service) getManifestCacheEntry(cacheKey string, q *apiclient.ManifestRe
 						cache.LogDebugManifestCacheKeyFields("deleting manifests cache", "reset after paused generation count", cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, refSourceCommitSHAs)
 
 						// We can now try again, so reset the error cache state and run the operation below
-						err = s.cache.DeleteManifests(cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, refSourceCommitSHAs)
+						err = s.cache.DeleteManifests(cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, refSourceCommitSHAs, q.InstallationID)
 						if err != nil {
 							log.Warnf("manifest cache set error %s/%s: %v", q.ApplicationSource.String(), cacheKey, err)
 						}
@@ -936,7 +936,7 @@ func (s *Service) getManifestCacheEntry(cacheKey string, q *apiclient.ManifestRe
 					// Increment the number of returned cached responses and push that new value to the cache
 					// (if we have not already done so previously in this function)
 					res.NumberOfCachedResponsesReturned++
-					err = s.cache.SetManifests(cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, &res, refSourceCommitSHAs)
+					err = s.cache.SetManifests(cacheKey, q.ApplicationSource, q.RefSources, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, &res, refSourceCommitSHAs, q.InstallationID)
 					if err != nil {
 						log.Warnf("manifest cache set error %s/%s: %v", q.ApplicationSource.String(), cacheKey, err)
 					}
@@ -1446,7 +1446,7 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string,
 
 		for _, target := range targets {
 			if q.AppLabelKey != "" && q.AppName != "" && !kube.IsCRD(target) {
-				err = resourceTracking.SetAppInstance(target, q.AppLabelKey, q.AppName, q.Namespace, v1alpha1.TrackingMethod(q.TrackingMethod))
+				err = resourceTracking.SetAppInstance(target, q.AppLabelKey, q.AppName, q.Namespace, v1alpha1.TrackingMethod(q.TrackingMethod), q.InstallationID)
 				if err != nil {
 					return nil, fmt.Errorf("failed to set app instance tracking info on manifest: %w", err)
 				}
@@ -2731,7 +2731,10 @@ func (s *Service) UpdateRevisionForPaths(_ context.Context, request *apiclient.U
 		return nil, status.Errorf(codes.Internal, "unable to get changed files for repo %s with revision %s: %v", repo.Repo, revision, err)
 	}
 
-	changed := apppathutil.AppFilesHaveChanged(refreshPaths, files)
+	changed := false
+	if len(files) != 0 {
+		changed = apppathutil.AppFilesHaveChanged(refreshPaths, files)
+	}
 
 	if !changed {
 		logCtx.Debugf("no changes found for application %s in repo %s from revision %s to revision %s", request.AppName, repo.Repo, syncedRevision, revision)
@@ -2767,7 +2770,7 @@ func (s *Service) updateCachedRevision(logCtx *log.Entry, oldRev string, newRev
 		}
 	}
 
-	err := s.cache.SetNewRevisionManifests(newRev, oldRev, request.ApplicationSource, request.RefSources, request, request.Namespace, request.TrackingMethod, request.AppLabelKey, request.AppName, repoRefs)
+	err := s.cache.SetNewRevisionManifests(newRev, oldRev, request.ApplicationSource, request.RefSources, request, request.Namespace, request.TrackingMethod, request.AppLabelKey, request.AppName, repoRefs, request.InstallationID)
 	if err != nil {
 		if err == cache.ErrCacheMiss {
 			logCtx.Debugf("manifest cache miss during comparison for application %s in repo %s from revision %s", request.AppName, request.GetRepo().Repo, oldRev)

reposerver/repository/repository.proto

@@ -36,6 +36,8 @@ message ManifestRequest {
     repeated string projectSourceRepos = 24;
     // This is used to surface "source not permitted" errors for Helm repositories
     string projectName = 25;
+    // Holds instance installation id
+    string installationID = 27;
 }
 
 message ManifestRequestWithFiles {
@@ -273,6 +275,7 @@ message UpdateRevisionForPathsRequest {
     string syncedRevision = 11;
     string revision = 12;
     repeated string paths = 13;
+    string installationID = 15;
 }
 
 message UpdateRevisionForPathsResponse {

reposerver/repository/repository_test.go

@@ -205,7 +205,7 @@ func TestGenerateYamlManifestInDir(t *testing.T) {
 	}
 
 	// update this value if we add/remove manifests
-	const countOfManifests = 48
+	const countOfManifests = 50
 
 	res1, err := service.GenerateManifest(context.Background(), &q)
 
@@ -304,7 +304,7 @@ func TestGenerateManifests_K8SAPIResetCache(t *testing.T) {
 
 	cachedFakeResponse := &apiclient.ManifestResponse{Manifests: []string{"Fake"}, Revision: mock.Anything}
 
-	err := service.cache.SetManifests(mock.Anything, &src, q.RefSources, &q, "", "", "", "", &cache.CachedManifestResponse{ManifestResponse: cachedFakeResponse}, nil)
+	err := service.cache.SetManifests(mock.Anything, &src, q.RefSources, &q, "", "", "", "", &cache.CachedManifestResponse{ManifestResponse: cachedFakeResponse}, nil, "")
 	assert.NoError(t, err)
 
 	res, err := service.GenerateManifest(context.Background(), &q)
@@ -329,7 +329,7 @@ func TestGenerateManifests_EmptyCache(t *testing.T) {
 		ProjectSourceRepos: []string{"*"},
 	}
 
-	err := service.cache.SetManifests(mock.Anything, &src, q.RefSources, &q, "", "", "", "", &cache.CachedManifestResponse{ManifestResponse: nil}, nil)
+	err := service.cache.SetManifests(mock.Anything, &src, q.RefSources, &q, "", "", "", "", &cache.CachedManifestResponse{ManifestResponse: nil}, nil, "")
 	assert.NoError(t, err)
 
 	res, err := service.GenerateManifest(context.Background(), &q)
@@ -743,7 +743,7 @@ func TestManifestGenErrorCacheByNumRequests(t *testing.T) {
 		assert.NotNil(t, manifestRequest)
 
 		cachedManifestResponse := &cache.CachedManifestResponse{}
-		err := service.cache.GetManifests(mock.Anything, manifestRequest.ApplicationSource, manifestRequest.RefSources, manifestRequest, manifestRequest.Namespace, "", manifestRequest.AppLabelKey, manifestRequest.AppName, cachedManifestResponse, nil)
+		err := service.cache.GetManifests(mock.Anything, manifestRequest.ApplicationSource, manifestRequest.RefSources, manifestRequest, manifestRequest.Namespace, "", manifestRequest.AppLabelKey, manifestRequest.AppName, cachedManifestResponse, nil, "")
 		assert.Nil(t, err)
 		return cachedManifestResponse
 	}
@@ -2084,7 +2084,7 @@ func TestGenerateManifestsWithAppParameterFile(t *testing.T) {
 			// Try to pull from the cache with a `source` that does not include any overrides. Overrides should not be
 			// part of the cache key, because you can't get the overrides without a repo operation. And avoiding repo
 			// operations is the point of the cache.
-			err = service.cache.GetManifests(mock.Anything, source, argoappv1.RefTargetRevisionMapping{}, &argoappv1.ClusterInfo{}, "", "", "", "test", res, nil)
+			err = service.cache.GetManifests(mock.Anything, source, argoappv1.RefTargetRevisionMapping{}, &argoappv1.ClusterInfo{}, "", "", "", "test", res, nil, "")
 			assert.NoError(t, err)
 		})
 	})

reposerver/server.go

@@ -70,13 +70,13 @@ func NewServer(metricsServer *metrics.MetricsServer, cache *reposervercache.Cach
 
 	serverLog := log.NewEntry(log.StandardLogger())
 	streamInterceptors := []grpc.StreamServerInterceptor{
-		otelgrpc.StreamServerInterceptor(),
+		otelgrpc.StreamServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.StreamServerInterceptor(serverLog),
 		grpc_prometheus.StreamServerInterceptor,
 		grpc_util.PanicLoggerStreamServerInterceptor(serverLog),
 	}
 	unaryInterceptors := []grpc.UnaryServerInterceptor{
-		otelgrpc.UnaryServerInterceptor(),
+		otelgrpc.UnaryServerInterceptor(), //nolint:staticcheck // TODO: ignore SA1019 for depreciation: see https://github.com/argoproj/argo-cd/issues/18258
 		grpc_logrus.UnaryServerInterceptor(serverLog),
 		grpc_prometheus.UnaryServerInterceptor,
 		grpc_util.PanicLoggerUnaryServerInterceptor(serverLog),

server/application/application.go

@@ -469,15 +469,16 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan
 		}
 
 		sources := make([]appv1.ApplicationSource, 0)
+		appSpec := a.Spec.DeepCopy()
 		if a.Spec.HasMultipleSources() {
 			numOfSources := int64(len(a.Spec.GetSources()))
 			for i, pos := range q.SourcePositions {
 				if pos <= 0 || pos > numOfSources {
 					return fmt.Errorf("source position is out of range")
 				}
-				a.Spec.Sources[pos-1].TargetRevision = q.Revisions[i]
+				appSpec.Sources[pos-1].TargetRevision = q.Revisions[i]
 			}
-			sources = a.Spec.GetSources()
+			sources = appSpec.GetSources()
 		} else {
 			source := a.Spec.GetSource()
 			if q.GetRevision() != "" {
@@ -487,7 +488,7 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan
 		}
 
 		// Store the map of all sources having ref field into a map for applications with sources field
-		refSources, err := argo.GetRefSources(context.Background(), a.Spec, s.db)
+		refSources, err := argo.GetRefSources(context.Background(), *appSpec, s.db)
 		if err != nil {
 			return fmt.Errorf("failed to get ref sources: %v", err)
 		}
@@ -507,6 +508,10 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan
 			if err != nil {
 				return fmt.Errorf("error getting kustomize settings options: %w", err)
 			}
+			installationID, err := s.settingsMgr.GetInstallationID()
+			if err != nil {
+				return fmt.Errorf("error getting installation ID: %w", err)
+			}
 
 			manifestInfo, err := client.GenerateManifest(ctx, &apiclient.ManifestRequest{
 				Repo:               repo,
@@ -527,6 +532,7 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan
 				ProjectSourceRepos: proj.Spec.SourceRepos,
 				HasMultipleSources: a.Spec.HasMultipleSources(),
 				RefSources:         refSources,
+				InstallationID:     installationID,
 			})
 			if err != nil {
 				return fmt.Errorf("error generating manifests: %w", err)
@@ -560,7 +566,7 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan
 				manifestInfo.Manifests[i] = string(data)
 			}
 		}
-		manifests.Manifests = manifestInfo.Manifests
+		manifests.Manifests = append(manifests.Manifests, manifestInfo.Manifests...)
 	}
 
 	return manifests, nil
@@ -2139,7 +2145,12 @@ func (s *Server) resolveRevision(ctx context.Context, app *appv1.Application, sy
 
 	ambiguousRevision := getAmbiguousRevision(app, syncReq, sourceIndex)
 
-	repo, err := s.db.GetRepository(ctx, app.Spec.GetSource().RepoURL)
+	repoUrl := app.Spec.GetSource().RepoURL
+	if app.Spec.HasMultipleSources() {
+		repoUrl = app.Spec.Sources[sourceIndex].RepoURL
+	}
+
+	repo, err := s.db.GetRepository(ctx, repoUrl)
 	if err != nil {
 		return "", "", fmt.Errorf("error getting repository by URL: %w", err)
 	}

server/application/terminal.go

@@ -225,7 +225,7 @@ func (s *terminalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	fieldLog.Info("terminal session starting")
 
-	session, err := newTerminalSession(w, r, nil, s.sessionManager)
+	session, err := newTerminalSession(ctx, w, r, nil, s.sessionManager, appRBACName, s.enf)
 	if err != nil {
 		http.Error(w, "Failed to start terminal session", http.StatusBadRequest)
 		return

server/application/websocket.go

@@ -1,15 +1,19 @@
 package application
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
-	"github.com/argoproj/argo-cd/v2/common"
-	httputil "github.com/argoproj/argo-cd/v2/util/http"
-	util_session "github.com/argoproj/argo-cd/v2/util/session"
 	"net/http"
 	"sync"
 	"time"
 
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
+	httputil "github.com/argoproj/argo-cd/v2/util/http"
+	"github.com/argoproj/argo-cd/v2/util/rbac"
+	util_session "github.com/argoproj/argo-cd/v2/util/session"
+
 	"github.com/gorilla/websocket"
 	log "github.com/sirupsen/logrus"
 	"k8s.io/client-go/tools/remotecommand"
@@ -31,6 +35,7 @@ var upgrader = func() websocket.Upgrader {
 
 // terminalSession implements PtyHandler
 type terminalSession struct {
+	ctx            context.Context
 	wsConn         *websocket.Conn
 	sizeChan       chan remotecommand.TerminalSize
 	doneChan       chan struct{}
@@ -39,6 +44,8 @@ type terminalSession struct {
 	writeLock      sync.Mutex
 	sessionManager *util_session.SessionManager
 	token          *string
+	appRBACName    string
+	enf            *rbac.Enforcer
 }
 
 // getToken get auth token from web socket request
@@ -48,7 +55,7 @@ func getToken(r *http.Request) (string, error) {
 }
 
 // newTerminalSession create terminalSession
-func newTerminalSession(w http.ResponseWriter, r *http.Request, responseHeader http.Header, sessionManager *util_session.SessionManager) (*terminalSession, error) {
+func newTerminalSession(ctx context.Context, w http.ResponseWriter, r *http.Request, responseHeader http.Header, sessionManager *util_session.SessionManager, appRBACName string, enf *rbac.Enforcer) (*terminalSession, error) {
 	token, err := getToken(r)
 	if err != nil {
 		return nil, err
@@ -59,12 +66,15 @@ func newTerminalSession(w http.ResponseWriter, r *http.Request, responseHeader h
 		return nil, err
 	}
 	session := &terminalSession{
+		ctx:            ctx,
 		wsConn:         conn,
 		tty:            true,
 		sizeChan:       make(chan remotecommand.TerminalSize),
 		doneChan:       make(chan struct{}),
 		sessionManager: sessionManager,
 		token:          &token,
+		appRBACName:    appRBACName,
+		enf:            enf,
 	}
 	return session, nil
 }
@@ -125,6 +135,29 @@ func (t *terminalSession) reconnect() (int, error) {
 	return 0, nil
 }
 
+func (t *terminalSession) validatePermissions(p []byte) (int, error) {
+	permissionDeniedMessage, _ := json.Marshal(TerminalMessage{
+		Operation: "stdout",
+		Data:      "Permission denied",
+	})
+	if err := t.enf.EnforceErr(t.ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, t.appRBACName); err != nil {
+		err = t.wsConn.WriteMessage(websocket.TextMessage, permissionDeniedMessage)
+		if err != nil {
+			log.Errorf("permission denied message err: %v", err)
+		}
+		return copy(p, EndOfTransmission), permissionDeniedErr
+	}
+
+	if err := t.enf.EnforceErr(t.ctx.Value("claims"), rbacpolicy.ResourceExec, rbacpolicy.ActionCreate, t.appRBACName); err != nil {
+		err = t.wsConn.WriteMessage(websocket.TextMessage, permissionDeniedMessage)
+		if err != nil {
+			log.Errorf("permission denied message err: %v", err)
+		}
+		return copy(p, EndOfTransmission), permissionDeniedErr
+	}
+	return 0, nil
+}
+
 // Read called in a loop from remotecommand as long as the process is running
 func (t *terminalSession) Read(p []byte) (int, error) {
 	// check if token still valid
@@ -135,6 +168,12 @@ func (t *terminalSession) Read(p []byte) (int, error) {
 		return t.reconnect()
 	}
 
+	// validate permissions
+	code, err := t.validatePermissions(p)
+	if err != nil {
+		return code, err
+	}
+
 	t.readLock.Lock()
 	_, message, err := t.wsConn.ReadMessage()
 	t.readLock.Unlock()

server/application/websocket_test.go

@@ -1,23 +1,65 @@
 package application
 
 import (
+	"context"
 	"encoding/json"
-	"github.com/gorilla/websocket"
-	"github.com/stretchr/testify/assert"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes/fake"
+
+	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/util/assets"
+	"github.com/argoproj/argo-cd/v2/util/rbac"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/gorilla/websocket"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
-func reconnect(w http.ResponseWriter, r *http.Request) {
+func newTestTerminalSession(w http.ResponseWriter, r *http.Request) terminalSession {
 	var upgrader = websocket.Upgrader{}
 	c, err := upgrader.Upgrade(w, r, nil)
 	if err != nil {
-		return
+		return terminalSession{}
 	}
 
-	ts := terminalSession{wsConn: c}
+	return terminalSession{wsConn: c}
+}
+
+func newEnforcer() *rbac.Enforcer {
+	additionalConfig := make(map[string]string, 0)
+	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: testNamespace,
+			Name:      "argocd-cm",
+			Labels: map[string]string{
+				"app.kubernetes.io/part-of": "argocd",
+			},
+		},
+		Data: additionalConfig,
+	}, &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "argocd-secret",
+			Namespace: testNamespace,
+		},
+		Data: map[string][]byte{
+			"admin.password":   []byte("test"),
+			"server.secretkey": []byte("test"),
+		},
+	})
+
+	enforcer := rbac.NewEnforcer(kubeclientset, testNamespace, common.ArgoCDRBACConfigMapName, nil)
+	return enforcer
+}
+
+func reconnect(w http.ResponseWriter, r *http.Request) {
+	ts := newTestTerminalSession(w, r)
 	_, _ = ts.reconnect()
 }
 
@@ -44,3 +86,71 @@ func TestReconnect(t *testing.T) {
 	assert.Equal(t, message.Data, ReconnectMessage)
 
 }
+
+func TestValidateWithAdminPermissions(t *testing.T) {
+	validate := func(w http.ResponseWriter, r *http.Request) {
+		enf := newEnforcer()
+		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
+		enf.SetDefaultRole("role:admin")
+		enf.SetClaimsEnforcerFunc(func(claims jwt.Claims, rvals ...interface{}) bool {
+			return true
+		})
+		ts := newTestTerminalSession(w, r)
+		ts.enf = enf
+		ts.appRBACName = "test"
+		// nolint:staticcheck
+		ts.ctx = context.WithValue(context.Background(), "claims", &jwt.MapClaims{"groups": []string{"admin"}})
+		_, err := ts.validatePermissions([]byte{})
+		require.NoError(t, err)
+	}
+
+	s := httptest.NewServer(http.HandlerFunc(validate))
+	defer s.Close()
+
+	u := "ws" + strings.TrimPrefix(s.URL, "http")
+
+	// Connect to the server
+	ws, _, err := websocket.DefaultDialer.Dial(u, nil)
+	require.NoError(t, err)
+
+	defer ws.Close()
+}
+
+func TestValidateWithoutPermissions(t *testing.T) {
+	validate := func(w http.ResponseWriter, r *http.Request) {
+		enf := newEnforcer()
+		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
+		enf.SetDefaultRole("role:test")
+		enf.SetClaimsEnforcerFunc(func(claims jwt.Claims, rvals ...interface{}) bool {
+			return false
+		})
+		ts := newTestTerminalSession(w, r)
+		ts.enf = enf
+		ts.appRBACName = "test"
+		// nolint:staticcheck
+		ts.ctx = context.WithValue(context.Background(), "claims", &jwt.MapClaims{"groups": []string{"test"}})
+		_, err := ts.validatePermissions([]byte{})
+		require.Error(t, err)
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error())
+	}
+
+	s := httptest.NewServer(http.HandlerFunc(validate))
+	defer s.Close()
+
+	u := "ws" + strings.TrimPrefix(s.URL, "http")
+
+	// Connect to the server
+	ws, _, err := websocket.DefaultDialer.Dial(u, nil)
+	require.NoError(t, err)
+
+	defer ws.Close()
+
+	_, p, _ := ws.ReadMessage()
+
+	var message TerminalMessage
+
+	err = json.Unmarshal(p, &message)
+
+	require.NoError(t, err)
+	assert.Equal(t, "Permission denied", message.Data)
+}

server/cluster/cluster.go

@@ -187,15 +187,11 @@ func (s *Server) Create(ctx context.Context, q *cluster.ClusterCreateRequest) (*
 
 // Get returns a cluster from a query
 func (s *Server) Get(ctx context.Context, q *cluster.ClusterQuery) (*appv1.Cluster, error) {
-	c, err := s.getClusterWith403IfNotExist(ctx, q)
+	c, err := s.getClusterAndVerifyAccess(ctx, q, rbacpolicy.ActionGet)
 	if err != nil {
 		return nil, err
 	}
 
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceClusters, rbacpolicy.ActionGet, CreateClusterRBACObject(c.Project, q.Server)); err != nil {
-		return nil, err
-	}
-
 	return s.toAPIResponse(c), nil
 }
 
@@ -207,6 +203,21 @@ func (s *Server) getClusterWith403IfNotExist(ctx context.Context, q *cluster.Clu
 	return repo, nil
 }
 
+func (s *Server) getClusterAndVerifyAccess(ctx context.Context, q *cluster.ClusterQuery, action string) (*appv1.Cluster, error) {
+	c, err := s.getClusterWith403IfNotExist(ctx, q)
+	if err != nil {
+		return nil, err
+	}
+
+	// verify that user can do the specified action inside project where cluster is located
+	if !s.enf.Enforce(ctx.Value("claims"), rbacpolicy.ResourceClusters, action, CreateClusterRBACObject(c.Project, c.Server)) {
+		log.WithField("cluster", q.Server).Warnf("encountered permissions issue while processing request: %v", err)
+		return nil, common.PermissionDeniedAPIError
+	}
+
+	return c, nil
+}
+
 func (s *Server) getCluster(ctx context.Context, q *cluster.ClusterQuery) (*appv1.Cluster, error) {
 	if q.Id != nil {
 		q.Server = ""
@@ -278,20 +289,16 @@ var clusterFieldsByPath = map[string]func(updated *appv1.Cluster, existing *appv
 
 // Update updates a cluster
 func (s *Server) Update(ctx context.Context, q *cluster.ClusterUpdateRequest) (*appv1.Cluster, error) {
-	c, err := s.getClusterWith403IfNotExist(ctx, &cluster.ClusterQuery{
+	c, err := s.getClusterAndVerifyAccess(ctx, &cluster.ClusterQuery{
 		Server: q.Cluster.Server,
 		Name:   q.Cluster.Name,
 		Id:     q.Id,
-	})
+	}, rbacpolicy.ActionUpdate)
+
 	if err != nil {
 		return nil, err
 	}
 
-	// verify that user can do update inside project where cluster is located
-	if !s.enf.Enforce(ctx.Value("claims"), rbacpolicy.ResourceClusters, rbacpolicy.ActionUpdate, CreateClusterRBACObject(c.Project, c.Server)) {
-		return nil, common.PermissionDeniedAPIError
-	}
-
 	if len(q.UpdatedFields) == 0 || sets.NewString(q.UpdatedFields...).Has("project") {
 		// verify that user can do update inside project where cluster will be located
 		if !s.enf.Enforce(ctx.Value("claims"), rbacpolicy.ResourceClusters, rbacpolicy.ActionUpdate, CreateClusterRBACObject(q.Cluster.Project, c.Server)) {
@@ -341,7 +348,8 @@ func (s *Server) Delete(ctx context.Context, q *cluster.ClusterQuery) (*cluster.
 	if q.Name != "" {
 		servers, err := s.db.GetClusterServersByName(ctx, q.Name)
 		if err != nil {
-			return nil, err
+			log.WithField("cluster", q.Name).Warnf("failed to get cluster servers by name: %v", err)
+			return nil, common.PermissionDeniedAPIError
 		}
 		for _, server := range servers {
 			if err := enforceAndDelete(s, ctx, server, c.Project); err != nil {
@@ -359,7 +367,8 @@ func (s *Server) Delete(ctx context.Context, q *cluster.ClusterQuery) (*cluster.
 
 func enforceAndDelete(s *Server, ctx context.Context, server, project string) error {
 	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceClusters, rbacpolicy.ActionDelete, CreateClusterRBACObject(project, server)); err != nil {
-		return err
+		log.WithField("cluster", server).Warnf("encountered permissions issue while processing request: %v", err)
+		return common.PermissionDeniedAPIError
 	}
 	if err := s.db.DeleteCluster(ctx, server); err != nil {
 		return err
@@ -378,16 +387,19 @@ func (s *Server) RotateAuth(ctx context.Context, q *cluster.ClusterQuery) (*clus
 	if q.Name != "" {
 		servers, err = s.db.GetClusterServersByName(ctx, q.Name)
 		if err != nil {
-			return nil, status.Errorf(codes.NotFound, "failed to get cluster servers by name: %v", err)
+			log.WithField("cluster", q.Name).Warnf("failed to get cluster servers by name: %v", err)
+			return nil, common.PermissionDeniedAPIError
 		}
 		for _, server := range servers {
 			if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceClusters, rbacpolicy.ActionUpdate, CreateClusterRBACObject(clust.Project, server)); err != nil {
-				return nil, status.Errorf(codes.PermissionDenied, "encountered permissions issue while processing request: %v", err)
+				log.WithField("cluster", server).Warnf("encountered permissions issue while processing request: %v", err)
+				return nil, common.PermissionDeniedAPIError
 			}
 		}
 	} else {
 		if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceClusters, rbacpolicy.ActionUpdate, CreateClusterRBACObject(clust.Project, q.Server)); err != nil {
-			return nil, status.Errorf(codes.PermissionDenied, "encountered permissions issue while processing request: %v", err)
+			log.WithField("cluster", q.Server).Warnf("encountered permissions issue while processing request: %v", err)
+			return nil, common.PermissionDeniedAPIError
 		}
 		servers = append(servers, q.Server)
 	}
@@ -446,19 +458,8 @@ func (s *Server) RotateAuth(ctx context.Context, q *cluster.ClusterQuery) (*clus
 }
 
 func (s *Server) toAPIResponse(clust *appv1.Cluster) *appv1.Cluster {
+	clust = clust.Sanitized()
 	_ = s.cache.GetClusterInfo(clust.Server, &clust.Info)
-
-	clust.Config.Password = ""
-	clust.Config.BearerToken = ""
-	clust.Config.TLSClientConfig.KeyData = nil
-	if clust.Config.ExecProviderConfig != nil {
-		// We can't know what the user has put into args or
-		// env vars on the exec provider that might be sensitive
-		// (e.g. --private-key=XXX, PASSWORD=XXX)
-		// Implicitly assumes the command executable name is non-sensitive
-		clust.Config.ExecProviderConfig.Env = make(map[string]string)
-		clust.Config.ExecProviderConfig.Args = nil
-	}
 	// populate deprecated fields for backward compatibility
 	clust.ServerVersion = clust.Info.ServerVersion
 	clust.ConnectionState = clust.Info.ConnectionState
@@ -467,13 +468,10 @@ func (s *Server) toAPIResponse(clust *appv1.Cluster) *appv1.Cluster {
 
 // InvalidateCache invalidates cluster cache
 func (s *Server) InvalidateCache(ctx context.Context, q *cluster.ClusterQuery) (*appv1.Cluster, error) {
-	cls, err := s.getClusterWith403IfNotExist(ctx, q)
+	cls, err := s.getClusterAndVerifyAccess(ctx, q, rbacpolicy.ActionUpdate)
 	if err != nil {
 		return nil, err
 	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceClusters, rbacpolicy.ActionUpdate, CreateClusterRBACObject(cls.Project, q.Server)); err != nil {
-		return nil, err
-	}
 	now := v1.Now()
 	cls.RefreshRequestedAt = &now
 	cls, err = s.db.UpdateCluster(ctx, cls)

server/cluster/cluster_test.go

@@ -4,6 +4,9 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
+	"github.com/argoproj/argo-cd/v2/util/assets"
+	"github.com/golang-jwt/jwt/v4"
 	"reflect"
 	"testing"
 	"time"
@@ -51,6 +54,16 @@ func newNoopEnforcer() *rbac.Enforcer {
 	return enf
 }
 
+func newEnforcer() *rbac.Enforcer {
+	enforcer := rbac.NewEnforcer(fake.NewSimpleClientset(test.NewFakeConfigMap()), test.FakeArgoCDNamespace, common.ArgoCDRBACConfigMapName, nil)
+	_ = enforcer.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
+	enforcer.SetDefaultRole("role:test")
+	enforcer.SetClaimsEnforcerFunc(func(claims jwt.Claims, rvals ...interface{}) bool {
+		return true
+	})
+	return enforcer
+}
+
 func TestUpdateCluster_RejectInvalidParams(t *testing.T) {
 	testCases := []struct {
 		name    string
@@ -604,3 +617,152 @@ func TestListCluster(t *testing.T) {
 		})
 	}
 }
+
+func TestGetClusterAndVerifyAccess(t *testing.T) {
+	t.Run("GetClusterAndVerifyAccess - No Cluster", func(t *testing.T) {
+		db := &dbmocks.ArgoDB{}
+
+		mockCluster := v1alpha1.Cluster{
+			Name:       "test/ing",
+			Server:     "https://127.0.0.1",
+			Namespaces: []string{"default", "kube-system"},
+		}
+		mockClusterList := v1alpha1.ClusterList{
+			ListMeta: v1.ListMeta{},
+			Items: []v1alpha1.Cluster{
+				mockCluster,
+			},
+		}
+
+		db.On("ListClusters", mock.Anything).Return(&mockClusterList, nil)
+
+		server := NewServer(db, newNoopEnforcer(), newServerInMemoryCache(), &kubetest.MockKubectlCmd{})
+		cluster, err := server.getClusterAndVerifyAccess(context.Background(), &clusterapi.ClusterQuery{
+			Name: "test/not-exists",
+		}, rbacpolicy.ActionGet)
+
+		assert.Nil(t, cluster)
+		assert.ErrorIs(t, err, common.PermissionDeniedAPIError)
+	})
+
+	t.Run("GetClusterAndVerifyAccess - Permissions Denied", func(t *testing.T) {
+		db := &dbmocks.ArgoDB{}
+
+		mockCluster := v1alpha1.Cluster{
+			Name:       "test/ing",
+			Server:     "https://127.0.0.1",
+			Namespaces: []string{"default", "kube-system"},
+		}
+		mockClusterList := v1alpha1.ClusterList{
+			ListMeta: v1.ListMeta{},
+			Items: []v1alpha1.Cluster{
+				mockCluster,
+			},
+		}
+
+		db.On("ListClusters", mock.Anything).Return(&mockClusterList, nil)
+
+		server := NewServer(db, newEnforcer(), newServerInMemoryCache(), &kubetest.MockKubectlCmd{})
+		cluster, err := server.getClusterAndVerifyAccess(context.Background(), &clusterapi.ClusterQuery{
+			Name: "test/ing",
+		}, rbacpolicy.ActionGet)
+
+		assert.Nil(t, cluster)
+		assert.ErrorIs(t, err, common.PermissionDeniedAPIError)
+	})
+}
+
+func TestNoClusterEnumeration(t *testing.T) {
+	db := &dbmocks.ArgoDB{}
+
+	mockCluster := v1alpha1.Cluster{
+		Name:       "test/ing",
+		Server:     "https://127.0.0.1",
+		Namespaces: []string{"default", "kube-system"},
+	}
+	mockClusterList := v1alpha1.ClusterList{
+		ListMeta: v1.ListMeta{},
+		Items: []v1alpha1.Cluster{
+			mockCluster,
+		},
+	}
+
+	db.On("ListClusters", mock.Anything).Return(&mockClusterList, nil)
+	db.On("GetCluster", mock.Anything, mock.Anything).Return(&mockCluster, nil)
+
+	server := NewServer(db, newEnforcer(), newServerInMemoryCache(), &kubetest.MockKubectlCmd{})
+
+	t.Run("Get", func(t *testing.T) {
+		_, err := server.Get(context.Background(), &clusterapi.ClusterQuery{
+			Name: "cluster-not-exists",
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+
+		_, err = server.Get(context.Background(), &clusterapi.ClusterQuery{
+			Name: "test/ing",
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+	})
+
+	t.Run("Update", func(t *testing.T) {
+		_, err := server.Update(context.Background(), &clusterapi.ClusterUpdateRequest{
+			Cluster: &v1alpha1.Cluster{
+				Name: "cluster-not-exists",
+			},
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+
+		_, err = server.Update(context.Background(), &clusterapi.ClusterUpdateRequest{
+			Cluster: &v1alpha1.Cluster{
+				Name: "test/ing",
+			},
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+	})
+
+	t.Run("Delete", func(t *testing.T) {
+		_, err := server.Delete(context.Background(), &clusterapi.ClusterQuery{
+			Server: "https://127.0.0.2",
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+
+		_, err = server.Delete(context.Background(), &clusterapi.ClusterQuery{
+			Server: "https://127.0.0.1",
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+	})
+
+	t.Run("RotateAuth", func(t *testing.T) {
+		_, err := server.RotateAuth(context.Background(), &clusterapi.ClusterQuery{
+			Server: "https://127.0.0.2",
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+
+		_, err = server.RotateAuth(context.Background(), &clusterapi.ClusterQuery{
+			Server: "https://127.0.0.1",
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+	})
+
+	t.Run("InvalidateCache", func(t *testing.T) {
+		_, err := server.InvalidateCache(context.Background(), &clusterapi.ClusterQuery{
+			Server: "https://127.0.0.2",
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+
+		_, err = server.InvalidateCache(context.Background(), &clusterapi.ClusterQuery{
+			Server: "https://127.0.0.1",
+		})
+		assert.Error(t, err)
+		assert.Equal(t, common.PermissionDeniedAPIError.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about cluster existence")
+	})
+}

server/project/project.go

@@ -307,12 +307,20 @@ func (s *Server) GetDetailedProject(ctx context.Context, q *project.ProjectQuery
 	}
 	proj.NormalizeJWTTokens()
 	globalProjects := argo.GetGlobalProjects(proj, listersv1alpha1.NewAppProjectLister(s.projInformer.GetIndexer()), s.settingsMgr)
+	var apiRepos []*v1alpha1.Repository
+	for _, repo := range repositories {
+		apiRepos = append(apiRepos, repo.Normalize().Sanitized())
+	}
+	var apiClusters []*v1alpha1.Cluster
+	for _, cluster := range clusters {
+		apiClusters = append(apiClusters, cluster.Sanitized())
+	}
 
 	return &project.DetailedProjectsResponse{
 		GlobalProjects: globalProjects,
 		Project:        proj,
-		Repositories:   repositories,
-		Clusters:       clusters,
+		Repositories:   apiRepos,
+		Clusters:       apiClusters,
 	}, err
 }
 

server/repository/repository_test.go

@@ -309,7 +309,7 @@ func TestRepositoryServer(t *testing.T) {
 		testRepo := &appsv1.Repository{
 			Repo:           url,
 			Type:           "git",
-			Username:       "foo",
+			Username:       "",
 			InheritedCreds: true,
 		}
 		db.On("GetRepository", context.TODO(), url).Return(testRepo, nil)