Bump version to 2.12.2 (#19657)

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: crenshaw-dev <350466+crenshaw-dev@users.noreply.github.com>

VERSION

@@ -1 +1 @@
-2.12.0
+2.12.2

applicationset/controllers/applicationset_controller.go

@@ -31,11 +31,9 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/client-go/kubernetes"
-	k8scache "k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
-	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
@@ -88,7 +86,6 @@ type ApplicationSetReconciler struct {
 	SCMRootCAPath              string
 	GlobalPreservedAnnotations []string
 	GlobalPreservedLabels      []string
-	Cache                      cache.Cache
 }
 
 // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets,verbs=get;list;watch;create;update;patch;delete
@@ -626,25 +623,6 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager, enableProg
 		Complete(r)
 }
 
-func (r *ApplicationSetReconciler) updateCache(ctx context.Context, obj client.Object, logger *log.Entry) {
-	informer, err := r.Cache.GetInformer(ctx, obj)
-	if err != nil {
-		logger.Errorf("failed to get informer: %v", err)
-		return
-	}
-	// The controller runtime abstract away informers creation
-	// so unfortunately could not find any other way to access informer store.
-	k8sInformer, ok := informer.(k8scache.SharedInformer)
-	if !ok {
-		logger.Error("informer is not a kubernetes informer")
-		return
-	}
-	if err := k8sInformer.GetStore().Update(obj); err != nil {
-		logger.Errorf("failed to update cache: %v", err)
-		return
-	}
-}
-
 // createOrUpdateInCluster will create / update application resources in the cluster.
 // - For new applications, it will call create
 // - For existing application, it will call update
@@ -746,7 +724,6 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 			}
 			continue
 		}
-		r.updateCache(ctx, found, appLog)
 
 		if action != controllerutil.OperationResultNone {
 			// Don't pollute etcd with "unchanged Application" events
@@ -913,7 +890,6 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 			if err := r.Client.Patch(ctx, updated, patch); err != nil {
 				return fmt.Errorf("error updating finalizers: %w", err)
 			}
-			r.updateCache(ctx, updated, appLog)
 			// Application must have updated list of finalizers
 			updated.DeepCopyInto(app)
 

applicationset/controllers/applicationset_controller_test.go

@@ -22,11 +22,8 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	kubefake "k8s.io/client-go/kubernetes/fake"
-	k8scache "k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/cache"
-	crtcache "sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	crtclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
@@ -47,34 +44,6 @@ import (
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application"
 )
 
-type fakeStore struct {
-	k8scache.Store
-}
-
-func (f *fakeStore) Update(obj interface{}) error {
-	return nil
-}
-
-type fakeInformer struct {
-	k8scache.SharedInformer
-}
-
-func (f *fakeInformer) AddIndexers(indexers k8scache.Indexers) error {
-	return nil
-}
-
-func (f *fakeInformer) GetStore() k8scache.Store {
-	return &fakeStore{}
-}
-
-type fakeCache struct {
-	cache.Cache
-}
-
-func (f *fakeCache) GetInformer(ctx context.Context, obj crtclient.Object, opt ...crtcache.InformerGetOption) (cache.Informer, error) {
-	return &fakeInformer{}, nil
-}
-
 type generatorMock struct {
 	mock.Mock
 }
@@ -226,7 +195,6 @@ func TestExtractApplications(t *testing.T) {
 				},
 				Renderer:      &rendererMock,
 				KubeClientset: kubefake.NewSimpleClientset(),
-				Cache:         &fakeCache{},
 			}
 
 			got, reason, err := r.generateApplications(log.NewEntry(log.StandardLogger()), v1alpha1.ApplicationSet{
@@ -1363,7 +1331,6 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 				Client:   client,
 				Scheme:   scheme,
 				Recorder: record.NewFakeRecorder(len(initObjs) + len(c.expected)),
-				Cache:    &fakeCache{},
 			}
 
 			err = r.createOrUpdateInCluster(context.TODO(), log.NewEntry(log.StandardLogger()), c.appSet, c.desiredApps)
@@ -1474,7 +1441,6 @@ func TestRemoveFinalizerOnInvalidDestination_FinalizerTypes(t *testing.T) {
 				Scheme:        scheme,
 				Recorder:      record.NewFakeRecorder(10),
 				KubeClientset: kubeclientset,
-				Cache:         &fakeCache{},
 			}
 			// settingsMgr := settings.NewSettingsManager(context.TODO(), kubeclientset, "namespace")
 			// argoDB := db.NewDB("namespace", settingsMgr, r.KubeClientset)
@@ -1632,7 +1598,6 @@ func TestRemoveFinalizerOnInvalidDestination_DestinationTypes(t *testing.T) {
 				Scheme:        scheme,
 				Recorder:      record.NewFakeRecorder(10),
 				KubeClientset: kubeclientset,
-				Cache:         &fakeCache{},
 			}
 			// settingsMgr := settings.NewSettingsManager(context.TODO(), kubeclientset, "argocd")
 			// argoDB := db.NewDB("argocd", settingsMgr, r.KubeClientset)
@@ -1720,7 +1685,6 @@ func TestRemoveOwnerReferencesOnDeleteAppSet(t *testing.T) {
 				Scheme:        scheme,
 				Recorder:      record.NewFakeRecorder(10),
 				KubeClientset: nil,
-				Cache:         &fakeCache{},
 			}
 
 			err = r.removeOwnerReferencesOnDeleteAppSet(context.Background(), appSet)
@@ -1917,7 +1881,6 @@ func TestCreateApplications(t *testing.T) {
 				Client:   client,
 				Scheme:   scheme,
 				Recorder: record.NewFakeRecorder(len(initObjs) + len(c.expected)),
-				Cache:    &fakeCache{},
 			}
 
 			err = r.createInCluster(context.TODO(), log.NewEntry(log.StandardLogger()), c.appSet, c.apps)
@@ -2124,7 +2087,6 @@ func TestGetMinRequeueAfter(t *testing.T) {
 		Client:   client,
 		Scheme:   scheme,
 		Recorder: record.NewFakeRecorder(0),
-		Cache:    &fakeCache{},
 		Generators: map[string]generators.Generator{
 			"List":     &generatorMock10,
 			"Git":      &generatorMock1,
@@ -2175,7 +2137,6 @@ func TestRequeueGeneratorFails(t *testing.T) {
 		Client:   client,
 		Scheme:   scheme,
 		Recorder: record.NewFakeRecorder(0),
-		Cache:    &fakeCache{},
 		Generators: map[string]generators.Generator{
 			"PullRequest": &generatorMock,
 		},
@@ -2387,7 +2348,6 @@ func TestValidateGeneratedApplications(t *testing.T) {
 				Client:           client,
 				Scheme:           scheme,
 				Recorder:         record.NewFakeRecorder(1),
-				Cache:            &fakeCache{},
 				Generators:       map[string]generators.Generator{},
 				ArgoDB:           &argoDBMock,
 				ArgoCDNamespace:  "namespace",
@@ -2490,7 +2450,6 @@ func TestReconcilerValidationProjectErrorBehaviour(t *testing.T) {
 		Scheme:   scheme,
 		Renderer: &utils.Render{},
 		Recorder: record.NewFakeRecorder(1),
-		Cache:    &fakeCache{},
 		Generators: map[string]generators.Generator{
 			"List": generators.NewListGenerator(),
 		},
@@ -2567,7 +2526,6 @@ func TestSetApplicationSetStatusCondition(t *testing.T) {
 		Scheme:   scheme,
 		Renderer: &utils.Render{},
 		Recorder: record.NewFakeRecorder(1),
-		Cache:    &fakeCache{},
 		Generators: map[string]generators.Generator{
 			"List": generators.NewListGenerator(),
 		},
@@ -2641,7 +2599,6 @@ func applicationsUpdateSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp
 		Scheme:   scheme,
 		Renderer: &utils.Render{},
 		Recorder: record.NewFakeRecorder(recordBuffer),
-		Cache:    &fakeCache{},
 		Generators: map[string]generators.Generator{
 			"List": generators.NewListGenerator(),
 		},
@@ -2805,7 +2762,6 @@ func applicationsDeleteSyncPolicyTest(t *testing.T, applicationsSyncPolicy v1alp
 		Scheme:   scheme,
 		Renderer: &utils.Render{},
 		Recorder: record.NewFakeRecorder(recordBuffer),
-		Cache:    &fakeCache{},
 		Generators: map[string]generators.Generator{
 			"List": generators.NewListGenerator(),
 		},
@@ -2991,7 +2947,6 @@ func TestGenerateAppsUsingPullRequestGenerator(t *testing.T) {
 				Client:   client,
 				Scheme:   scheme,
 				Recorder: record.NewFakeRecorder(1),
-				Cache:    &fakeCache{},
 				Generators: map[string]generators.Generator{
 					"PullRequest": &generatorMock,
 				},
@@ -3116,7 +3071,6 @@ func TestPolicies(t *testing.T) {
 				Scheme:   scheme,
 				Renderer: &utils.Render{},
 				Recorder: record.NewFakeRecorder(10),
-				Cache:    &fakeCache{},
 				Generators: map[string]generators.Generator{
 					"List": generators.NewListGenerator(),
 				},
@@ -3277,7 +3231,6 @@ func TestSetApplicationSetApplicationStatus(t *testing.T) {
 				Scheme:   scheme,
 				Renderer: &utils.Render{},
 				Recorder: record.NewFakeRecorder(1),
-				Cache:    &fakeCache{},
 				Generators: map[string]generators.Generator{
 					"List": generators.NewListGenerator(),
 				},
@@ -4039,7 +3992,6 @@ func TestBuildAppDependencyList(t *testing.T) {
 				Client:           client,
 				Scheme:           scheme,
 				Recorder:         record.NewFakeRecorder(1),
-				Cache:            &fakeCache{},
 				Generators:       map[string]generators.Generator{},
 				ArgoDB:           &argoDBMock,
 				ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...),
@@ -4630,7 +4582,6 @@ func TestBuildAppSyncMap(t *testing.T) {
 				Client:           client,
 				Scheme:           scheme,
 				Recorder:         record.NewFakeRecorder(1),
-				Cache:            &fakeCache{},
 				Generators:       map[string]generators.Generator{},
 				ArgoDB:           &argoDBMock,
 				ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...),
@@ -5420,7 +5371,6 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 				Client:           client,
 				Scheme:           scheme,
 				Recorder:         record.NewFakeRecorder(1),
-				Cache:            &fakeCache{},
 				Generators:       map[string]generators.Generator{},
 				ArgoDB:           &argoDBMock,
 				ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...),
@@ -6173,7 +6123,6 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 				Client:           client,
 				Scheme:           scheme,
 				Recorder:         record.NewFakeRecorder(1),
-				Cache:            &fakeCache{},
 				Generators:       map[string]generators.Generator{},
 				ArgoDB:           &argoDBMock,
 				ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...),
@@ -6388,7 +6337,6 @@ func TestUpdateResourceStatus(t *testing.T) {
 				Client:           client,
 				Scheme:           scheme,
 				Recorder:         record.NewFakeRecorder(1),
-				Cache:            &fakeCache{},
 				Generators:       map[string]generators.Generator{},
 				ArgoDB:           &argoDBMock,
 				ArgoAppClientset: appclientset.NewSimpleClientset(argoObjs...),

applicationset/controllers/requeue_after_test.go

@@ -60,7 +60,7 @@ func TestRequeueAfter(t *testing.T) {
 	terminalGenerators := map[string]generators.Generator{
 		"List":                    generators.NewListGenerator(),
 		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
-		"Git":                     generators.NewGitGenerator(mockServer),
+		"Git":                     generators.NewGitGenerator(mockServer, "namespace"),
 		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}, "", []string{""}, true),
 		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
 		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}, "", []string{""}, true),

applicationset/generators/generator_spec_processor_test.go

@@ -346,7 +346,7 @@ func getMockClusterGenerator() Generator {
 func getMockGitGenerator() Generator {
 	argoCDServiceMock := mocks.Repos{}
 	argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
-	gitGenerator := NewGitGenerator(&argoCDServiceMock)
+	gitGenerator := NewGitGenerator(&argoCDServiceMock, "namespace")
 	return gitGenerator
 }
 

applicationset/generators/git.go

@@ -24,13 +24,16 @@ import (
 var _ Generator = (*GitGenerator)(nil)
 
 type GitGenerator struct {
-	repos services.Repos
+	repos     services.Repos
+	namespace string
 }
 
-func NewGitGenerator(repos services.Repos) Generator {
+func NewGitGenerator(repos services.Repos, namespace string) Generator {
 	g := &GitGenerator{
-		repos: repos,
+		repos:     repos,
+		namespace: namespace,
 	}
+
 	return g
 }
 
@@ -59,21 +62,25 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic
 
 	noRevisionCache := appSet.RefreshRequired()
 
-	var project string
-	if strings.Contains(appSet.Spec.Template.Spec.Project, "{{") {
-		project = appSetGenerator.Git.Template.Spec.Project
-	} else {
-		project = appSet.Spec.Template.Spec.Project
-	}
+	verifyCommit := false
 
-	appProject := &argoprojiov1alpha1.AppProject{}
-	if err := client.Get(context.TODO(), types.NamespacedName{Name: appSet.Spec.Template.Spec.Project, Namespace: appSet.Namespace}, appProject); err != nil {
-		return nil, fmt.Errorf("error getting project %s: %w", project, err)
+	// When the project field is templated, the contents of the git repo are required to run the git generator and get the templated value,
+	// but git generator cannot be called without verifying the commit signature.
+	// In this case, we skip the signature verification.
+	if !strings.Contains(appSet.Spec.Template.Spec.Project, "{{") {
+		project := appSet.Spec.Template.Spec.Project
+		appProject := &argoprojiov1alpha1.AppProject{}
+		namespace := g.namespace
+		if namespace == "" {
+			namespace = appSet.Namespace
+		}
+		if err := client.Get(context.TODO(), types.NamespacedName{Name: project, Namespace: namespace}, appProject); err != nil {
+			return nil, fmt.Errorf("error getting project %s: %w", project, err)
+		}
+		// we need to verify the signature on the Git revision if GPG is enabled
+		verifyCommit = appProject.Spec.SignatureKeys != nil && len(appProject.Spec.SignatureKeys) > 0 && gpg.IsGPGEnabled()
 	}
 
-	// we need to verify the signature on the Git revision if GPG is enabled
-	verifyCommit := appProject.Spec.SignatureKeys != nil && len(appProject.Spec.SignatureKeys) > 0 && gpg.IsGPGEnabled()
-
 	var err error
 	var res []map[string]interface{}
 	if len(appSetGenerator.Git.Directories) != 0 {

applicationset/generators/git_test.go

@@ -323,7 +323,7 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 
 			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
 
-			gitGenerator := NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -624,7 +624,7 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 
 			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
 
-			gitGenerator := NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -989,7 +989,7 @@ cluster:
 			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)
 
-			gitGenerator := NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1345,7 +1345,7 @@ cluster:
 			argoCDServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)
 
-			gitGenerator := NewGitGenerator(&argoCDServiceMock)
+			gitGenerator := NewGitGenerator(&argoCDServiceMock, "")
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name: "set",
@@ -1383,3 +1383,114 @@ cluster:
 		})
 	}
 }
+
+func TestGitGenerator_GenerateParams(t *testing.T) {
+	cases := []struct {
+		name               string
+		directories        []argoprojiov1alpha1.GitDirectoryGeneratorItem
+		pathParamPrefix    string
+		repoApps           []string
+		repoPathsError     error
+		repoFileContents   map[string][]byte
+		values             map[string]string
+		expected           []map[string]interface{}
+		expectedError      error
+		appset             argoprojiov1alpha1.ApplicationSet
+		callGetDirectories bool
+	}{
+		{
+			name: "Signature Verification - ignores templated project field",
+			repoApps: []string{
+				"app1",
+			},
+			repoPathsError: nil,
+			appset: argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "set",
+					Namespace: "namespace",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{
+						Git: &argoprojiov1alpha1.GitGenerator{
+							RepoURL:         "RepoURL",
+							Revision:        "Revision",
+							Directories:     []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "*"}},
+							PathParamPrefix: "",
+							Values: map[string]string{
+								"foo": "bar",
+							},
+						},
+					}},
+					Template: argoprojiov1alpha1.ApplicationSetTemplate{
+						Spec: argoprojiov1alpha1.ApplicationSpec{
+							Project: "{{.project}}",
+						},
+					},
+				},
+			},
+			callGetDirectories: true,
+			expected:           []map[string]interface{}{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
+			expectedError:      nil,
+		},
+		{
+			name: "Signature Verification - Checks for non-templated project field",
+			repoApps: []string{
+				"app1",
+			},
+			repoPathsError: nil,
+			appset: argoprojiov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "set",
+					Namespace: "namespace",
+				},
+				Spec: argoprojiov1alpha1.ApplicationSetSpec{
+					Generators: []argoprojiov1alpha1.ApplicationSetGenerator{{
+						Git: &argoprojiov1alpha1.GitGenerator{
+							RepoURL:         "RepoURL",
+							Revision:        "Revision",
+							Directories:     []argoprojiov1alpha1.GitDirectoryGeneratorItem{{Path: "*"}},
+							PathParamPrefix: "",
+							Values: map[string]string{
+								"foo": "bar",
+							},
+						},
+					}},
+					Template: argoprojiov1alpha1.ApplicationSetTemplate{
+						Spec: argoprojiov1alpha1.ApplicationSpec{
+							Project: "project",
+						},
+					},
+				},
+			},
+			callGetDirectories: false,
+			expected:           []map[string]interface{}{{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1", "values.foo": "bar"}},
+			expectedError:      fmt.Errorf("error getting project project: appprojects.argoproj.io \"project\" not found"),
+		},
+	}
+	for _, testCase := range cases {
+		argoCDServiceMock := mocks.Repos{}
+
+		if testCase.callGetDirectories {
+			argoCDServiceMock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(testCase.repoApps, testCase.repoPathsError)
+		}
+		gitGenerator := NewGitGenerator(&argoCDServiceMock, "namespace")
+
+		scheme := runtime.NewScheme()
+		err := v1alpha1.AddToScheme(scheme)
+		require.NoError(t, err)
+		appProject := argoprojiov1alpha1.AppProject{}
+
+		client := fake.NewClientBuilder().WithScheme(scheme).WithObjects(&appProject).Build()
+
+		got, err := gitGenerator.GenerateParams(&testCase.appset.Spec.Generators[0], &testCase.appset, client)
+
+		if testCase.expectedError != nil {
+			require.EqualError(t, err, testCase.expectedError.Error())
+		} else {
+			require.NoError(t, err)
+			assert.Equal(t, testCase.expected, got)
+		}
+
+		argoCDServiceMock.AssertExpectations(t)
+	}
+}

applicationset/generators/matrix_test.go

@@ -1089,7 +1089,7 @@ func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
 	repoServiceMock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
 		"some/path.json": []byte("test: content"),
 	}, nil)
-	gitGenerator := NewGitGenerator(repoServiceMock)
+	gitGenerator := NewGitGenerator(repoServiceMock, "")
 
 	matrixGenerator := NewMatrixGenerator(map[string]Generator{
 		"List": listGeneratorMock,

cmd/argocd-applicationset-controller/commands/applicationset_controller.go

@@ -177,7 +177,7 @@ func NewCommand() *cobra.Command {
 			terminalGenerators := map[string]generators.Generator{
 				"List":                    generators.NewListGenerator(),
 				"Clusters":                generators.NewClusterGenerator(mgr.GetClient(), ctx, k8sClient, namespace),
-				"Git":                     generators.NewGitGenerator(argoCDService),
+				"Git":                     generators.NewGitGenerator(argoCDService, namespace),
 				"SCMProvider":             generators.NewSCMProviderGenerator(mgr.GetClient(), scmAuth, scmRootCAPath, allowedScmProviders, enableScmProviders),
 				"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, dynamicClient, k8sClient, namespace),
 				"PullRequest":             generators.NewPullRequestGenerator(mgr.GetClient(), scmAuth, scmRootCAPath, allowedScmProviders, enableScmProviders),
@@ -234,7 +234,6 @@ func NewCommand() *cobra.Command {
 				SCMRootCAPath:              scmRootCAPath,
 				GlobalPreservedAnnotations: globalPreservedAnnotations,
 				GlobalPreservedLabels:      globalPreservedLabels,
-				Cache:                      mgr.GetCache(),
 			}).SetupWithManager(mgr, enableProgressiveSyncs, maxConcurrentReconciliations); err != nil {
 				log.Error(err, "unable to create controller", "controller", "ApplicationSet")
 				os.Exit(1)

docs/assets/versions.js

@@ -19,6 +19,14 @@ const observerCallback = function(mutationsList, observer) {
 const observer = new MutationObserver(observerCallback);
 observer.observe(targetNode, observerOptions);
 
+function getCurrentVersion() {
+  const currentVersion = window.location.href.match(/\/en\/(release-(?:v\d+|[\d\.]+|\w+)|latest|stable)\//);
+  if (currentVersion && currentVersion.length > 1) {
+    return currentVersion[1];
+  }
+  return null;
+}
+
 function initializeVersionDropdown() {
   const callbackName = 'callback_' + new Date().getTime();
   window[callbackName] = function(response) {
@@ -42,18 +50,18 @@ function initializeVersionDropdown() {
   document.getElementsByTagName('head')[0].appendChild(CSSLink);
 
   var script = document.createElement('script');
+  const currentVersion = getCurrentVersion();
   script.src = 'https://argo-cd.readthedocs.io/_/api/v2/footer_html/?' +
-      'callback=' + callbackName + '&project=argo-cd&page=&theme=mkdocs&format=jsonp&docroot=docs&source_suffix=.md&version=' + (window['READTHEDOCS_DATA'] || { version: 'latest' }).version;
+      'callback=' + callbackName + '&project=argo-cd&page=&theme=mkdocs&format=jsonp&docroot=docs&source_suffix=.md&version=' + (currentVersion || 'latest');
   document.getElementsByTagName('head')[0].appendChild(script);
 }
 
 // VERSION WARNINGS
 window.addEventListener("DOMContentLoaded", function() {
-  var currentVersion = window.location.href.match(/\/en\/(release-(?:v\d+|\w+)|latest|stable)\//);
   var margin = 30;
   var headerHeight = document.getElementsByClassName("md-header")[0].offsetHeight;
-  if (currentVersion && currentVersion.length > 1) {
-    currentVersion = currentVersion[1];
+  const currentVersion = getCurrentVersion();
+  if (currentVersion) {
     if (currentVersion === "latest") {
       document.querySelector("div[data-md-component=announce]").innerHTML = "<div id='announce-msg'>You are viewing the docs for an unreleased version of Argo CD, <a href='https://argo-cd.readthedocs.io/en/stable/'>click here to go to the latest stable version.</a></div>";
       var bannerHeight = document.getElementById('announce-msg').offsetHeight + margin;
@@ -72,4 +80,4 @@ window.addEventListener("DOMContentLoaded", function() {
           "@media screen and (min-width: 60em){ .md-sidebar--secondary { height: 0;  top:" + (bannerHeight + headerHeight) + "px !important; }}";
     }
   }
-});
+});

docs/operator-manual/applicationset/Generators-Git.md

@@ -7,6 +7,8 @@ The Git generator contains two subtypes: the Git directory generator, and Git fi
     If the `project` field in your ApplicationSet is templated, developers may be able to create Applications under Projects with excessive permissions.
     For ApplicationSets with a templated `project` field, [the source of truth _must_ be controlled by admins](./Security.md#templated-project-field)
     - in the case of git generators, PRs must require admin approval.
+    - Git generator does not support Signature Verification For ApplicationSets with a templated `project` field.
+    
 
 ## Git Generator: Directories
 

docs/operator-manual/applicationset/GoTemplate.md

@@ -100,6 +100,17 @@ possible with Go text templates:
                   - name: throw-away
                     value: "{{end}}"
 
+- Signature verification is not supported for the templated `project` field when using the Git generator.
+
+        ::yaml
+        apiVersion: argoproj.io/v1alpha1
+        kind: ApplicationSet
+        spec:
+          goTemplate: true
+          template:
+            spec:
+              project: {{.project}}
+
 
 ## Migration guide
 

docs/operator-manual/applicationset/Template.md

@@ -40,6 +40,7 @@ Note:
 
 - Referenced clusters must already be defined in Argo CD, for the ApplicationSet controller to use them
 - Only **one** of `name` or `server` may be specified: if both are specified, an error is returned.
+- Signature Verification does not work with the templated `project` field when using git generator.
 
 The `metadata` field of template may also be used to set an Application `name`, or to add labels or annotations to the Application.
 

docs/user-guide/gpg-verification.md

@@ -29,6 +29,11 @@ not possible using Helm repositories.
     trust models, and it is not necessary (nor possible) to sign the public keys
     you are going to import into ArgoCD.
 
+
+!!!note Limitations
+  Signature verification is not supported for the templated `project` field when 
+  using the Git generator.
+
 ## Signature verification targets
 
 If signature verification is enforced, ArgoCD will verify the signature using

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.12.0
+  newTag: v2.12.2
 resources:
 - ./application-controller
 - ./dex

manifests/cluster-rbac/applicationset-controller/argocd-applicationset-controller-clusterrole.yaml

@@ -35,6 +35,8 @@ rules:
   - appprojects
   verbs:
   - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

manifests/core-install.yaml

@@ -21270,7 +21270,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -21388,7 +21388,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -21641,7 +21641,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -21693,7 +21693,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -21965,7 +21965,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.12.0
+  newTag: v2.12.2

manifests/ha/base/kustomization.yaml

@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.12.0
+  newTag: v2.12.2
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/install.yaml

@@ -21110,6 +21110,8 @@ rules:
   - appprojects
   verbs:
   - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -22611,7 +22613,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -22734,7 +22736,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -22816,7 +22818,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -22935,7 +22937,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -23216,7 +23218,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -23268,7 +23270,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -23592,7 +23594,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -23891,7 +23893,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install.yaml

@@ -1688,7 +1688,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1811,7 +1811,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1893,7 +1893,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2012,7 +2012,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2293,7 +2293,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2345,7 +2345,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2669,7 +2669,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2968,7 +2968,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install.yaml

@@ -21077,6 +21077,8 @@ rules:
   - appprojects
   verbs:
   - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:
@@ -21728,7 +21730,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -21851,7 +21853,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -21933,7 +21935,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -22033,7 +22035,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -22286,7 +22288,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -22338,7 +22340,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -22660,7 +22662,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -22959,7 +22961,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -805,7 +805,7 @@ spec:
               key: applicationsetcontroller.enable.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -928,7 +928,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1010,7 +1010,7 @@ spec:
               key: notificationscontroller.selfservice.enabled
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1110,7 +1110,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1363,7 +1363,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1415,7 +1415,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1737,7 +1737,7 @@ spec:
               key: server.api.content.types
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2036,7 +2036,7 @@ spec:
               key: controller.ignore.normalizer.jq.timeout
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.12.0
+        image: quay.io/argoproj/argocd:v2.12.2
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

pkg/apis/application/v1alpha1/repository_types.go

@@ -3,6 +3,7 @@ package v1alpha1
 import (
 	"fmt"
 	"net/url"
+	"strings"
 
 	"github.com/argoproj/argo-cd/v2/util/cert"
 	"github.com/argoproj/argo-cd/v2/util/git"
@@ -227,21 +228,22 @@ func getCAPath(repoURL string) string {
 	}
 
 	hostname := ""
-	// url.Parse() will happily parse most things thrown at it. When the URL
-	// is either https or oci, we use the parsed hostname to retrieve the cert,
-	// otherwise we'll use the parsed path (OCI repos are often specified as
-	// hostname, without protocol).
-	parsedURL, err := url.Parse(repoURL)
+	var parsedURL *url.URL
+	var err error
+	// Without schema in url, url.Parse() treats the url as differently
+	// and may incorrectly parses the hostname if url contains a path or port.
+	// To ensure proper parsing, prepend a dummy schema.
+	if !strings.Contains(repoURL, "://") {
+		parsedURL, err = url.Parse("protocol://" + repoURL)
+	} else {
+		parsedURL, err = url.Parse(repoURL)
+	}
 	if err != nil {
 		log.Warnf("Could not parse repo URL '%s': %v", repoURL, err)
 		return ""
 	}
-	if parsedURL.Scheme == "https" || parsedURL.Scheme == "oci" {
-		hostname = parsedURL.Host
-	} else if parsedURL.Scheme == "" {
-		hostname = parsedURL.Path
-	}
 
+	hostname = parsedURL.Hostname()
 	if hostname == "" {
 		log.Warnf("Could not get hostname for repository '%s'", repoURL)
 		return ""

pkg/apis/application/v1alpha1/types_test.go

@@ -3240,18 +3240,25 @@ func TestGetCAPath(t *testing.T) {
 		"https://foo.example.com",
 		"oci://foo.example.com",
 		"foo.example.com",
+		"foo.example.com/charts",
+		"https://foo.example.com:5000",
+		"foo.example.com:5000",
+		"foo.example.com:5000/charts",
+		"ssh://foo.example.com",
 	}
 	invalidpath := []string{
 		"https://bar.example.com",
 		"oci://bar.example.com",
 		"bar.example.com",
-		"ssh://foo.example.com",
-		"git@example.com:organization/reponame.git",
+		"ssh://bar.example.com",
+		"git@foo.example.com:organization/reponame.git",
+		"ssh://git@foo.example.com:organization/reponame.git",
 		"/some/invalid/thing",
 		"../another/invalid/thing",
 		"./also/invalid",
 		"$invalid/as/well",
 		"..",
+		"://invalid",
 	}
 
 	for _, str := range validcert {

ui/src/app/applications/components/application-parameters/application-parameters.tsx

@@ -248,7 +248,7 @@ export const ApplicationParameters = (props: {
                         </React.Fragment>
                     )}
                     <DataLoader input={app.spec.sources[index]} load={src => getSourceFromAppSources(src, app.metadata.name, app.spec.project, index, 0)}>
-                        {(details: models.RepoAppDetails) => getEditablePanelForOneSource(details, index, source)}
+                        {(details: models.RepoAppDetails) => getEditablePanelForOneSource(details, index, app.spec.sources[index])}
                     </DataLoader>
                 </div>
             </div>