set hydrator enabled key when using hydrator manifests

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

fix manifests

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

.github/workflows/ci-build.yaml

@@ -393,7 +393,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        uses: SonarSource/sonarqube-scan-action@bfd4e558cda28cda6b5defafb9232d191be8c203 # v4.2.1
+        uses: SonarSource/sonarqube-scan-action@1b442ee39ac3fa7c2acdd410208dcb2bcfaae6c4 # v4.1.0
         if: env.sonar_secret != ''
   test-e2e:
     name: Run end-to-end tests
@@ -429,13 +429,6 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
     steps:
-      - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be
-        with:
-          large-packages: false
-          docker-images: false
-          swap-storage: false
-          tool-cache: false
       - name: Checkout code
         uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
       - name: Setup Golang
@@ -549,4 +542,4 @@ jobs:
             exit 0
           else
             exit 1
-          fi
+          fi

.github/workflows/image-reuse.yaml

@@ -17,9 +17,11 @@ on:
       platforms:
         required: true
         type: string
+        default: linux/amd64
       push:
         required: true
         type: boolean
+        default: false
       target:
         required: false
         type: string

.github/workflows/release.yaml

@@ -195,7 +195,7 @@ jobs:
           echo "hashes=$(sha256sum /tmp/sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
 
       - name: Upload SBOM
-        uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2.2.1
+        uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.mockery.yaml

@@ -74,6 +74,3 @@ packages:
   github.com/argoproj/argo-cd/v2/pkg/apiclient/cluster:
     interfaces:
       ClusterServiceServer:
-  github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/typed/application/v1alpha1:
-    interfaces:
-      AppProjectInterface:

.readthedocs.yaml

@@ -2,7 +2,6 @@ version: 2
 formats: all
 mkdocs:
   fail_on_warning: false
-  configuration: mkdocs.yml
 python:
   install:
     - requirements: docs/requirements.txt

Makefile

@@ -490,7 +490,6 @@ start-e2e-local: mod-vendor-local dep-ui-local cli-local
 	ARGOCD_APPLICATIONSET_CONTROLLER_TOKENREF_STRICT_MODE=true \
 	ARGOCD_APPLICATIONSET_CONTROLLER_ALLOWED_SCM_PROVIDERS=http://127.0.0.1:8341,http://127.0.0.1:8342,http://127.0.0.1:8343,http://127.0.0.1:8344 \
 	ARGOCD_E2E_TEST=true \
-	ARGOCD_HYDRATOR_ENABLED=true \
 		goreman -f $(ARGOCD_PROCFILE) start ${ARGOCD_START}
 	ls -lrt /tmp/coverage
 

Procfile

@@ -1,5 +1,5 @@
-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --commit-server localhost:${ARGOCD_E2E_COMMITSERVER_PORT:-8086} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
-api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --hydrator-enabled=${ARGOCD_HYDRATOR_ENABLED:='false'}"
+controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/app-controller} HOSTNAME=testappcontroller-1  FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --commit-server localhost:${ARGOCD_E2E_COMMITSERVER_PORT:-8086} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} --server-side-diff-enabled=${ARGOCD_APPLICATION_CONTROLLER_SERVER_SIDE_DIFF:-'false'} --hydrator-enabled=${ARGOCD_APPLICATION_CONTROLLER_HYDRATOR_ENABLED:='false'}"
+api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/api-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --otlp-address=${ARGOCD_OTLP_ADDRESS} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
 dex: sh -c "ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/v2/cmd gendexcfg -o `pwd`/dist/dex.yaml && (test -f dist/dex.yaml || { echo 'Failed to generate dex configuration'; exit 1; }) && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:$(grep "image: ghcr.io/dexidp/dex" manifests/base/dex/argocd-dex-server-deployment.yaml | cut -d':' -f3) dex serve /dex.yaml"
 redis: hack/start-redis-with-password.sh
 repo-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "GOCOVERDIR=${ARGOCD_COVERAGE_DIR:-/tmp/coverage/repo-server} FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-repo-server ARGOCD_GPG_ENABLED=${ARGOCD_GPG_ENABLED:-false} $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --otlp-address=${ARGOCD_OTLP_ADDRESS}"

USERS.md

@@ -335,7 +335,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Swisscom](https://www.swisscom.ch)
 1. [Swissquote](https://github.com/swissquote)
 1. [Syncier](https://syncier.com/)
-1. [Synergy](https://synergy.net.au)
 1. [Syself](https://syself.com)
 1. [TableCheck](https://tablecheck.com/)
 1. [Tailor Brands](https://www.tailorbrands.com)

VERSION

@@ -1 +1 @@
-2.14.10
+2.14.0

applicationset/controllers/applicationset_controller.go

@@ -525,9 +525,11 @@ func (r *ApplicationSetReconciler) getMinRequeueAfter(applicationSetInfo *argov1
 }
 
 func ignoreNotAllowedNamespaces(namespaces []string) predicate.Predicate {
-	return predicate.NewPredicateFuncs(func(object client.Object) bool {
-		return utils.IsNamespaceAllowed(namespaces, object.GetNamespace())
-	})
+	return predicate.Funcs{
+		CreateFunc: func(e event.CreateEvent) bool {
+			return utils.IsNamespaceAllowed(namespaces, e.Object.GetNamespace())
+		},
+	}
 }
 
 func appControllerIndexer(rawObj client.Object) []string {
@@ -1060,20 +1062,19 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 				Message:            "No Application status found, defaulting status to Waiting.",
 				Status:             "Waiting",
 				Step:               strconv.Itoa(getAppStep(app.Name, appStepMap)),
+				TargetRevisions:    app.Status.GetRevisions(),
 			}
 		} else {
 			// we have an existing AppStatus
 			currentAppStatus = applicationSet.Status.ApplicationStatus[idx]
-			if !reflect.DeepEqual(currentAppStatus.TargetRevisions, app.Status.GetRevisions()) {
-				currentAppStatus.Message = "Application has pending changes, setting status to Waiting."
+
+			// upgrade any existing AppStatus that might have been set by an older argo-cd version
+			// note: currentAppStatus.TargetRevisions may be set to empty list earlier during migrations,
+			// to prevent other usage of r.Client.Status().Update to fail before reaching here.
+			if len(currentAppStatus.TargetRevisions) == 0 {
+				currentAppStatus.TargetRevisions = app.Status.GetRevisions()
 			}
 		}
-		if !reflect.DeepEqual(currentAppStatus.TargetRevisions, app.Status.GetRevisions()) {
-			currentAppStatus.TargetRevisions = app.Status.GetRevisions()
-			currentAppStatus.Status = "Waiting"
-			currentAppStatus.LastTransitionTime = &now
-			currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
-		}
 
 		appOutdated := false
 		if progressiveSyncsRollingSyncStrategyEnabled(applicationSet) {
@@ -1086,15 +1087,25 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 			currentAppStatus.Status = "Waiting"
 			currentAppStatus.Message = "Application has pending changes, setting status to Waiting."
 			currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
+			currentAppStatus.TargetRevisions = app.Status.GetRevisions()
 		}
 
 		if currentAppStatus.Status == "Pending" {
-			if !appOutdated && operationPhaseString == "Succeeded" {
-				logCtx.Infof("Application %v has completed a sync successfully, updating its ApplicationSet status to Progressing", app.Name)
-				currentAppStatus.LastTransitionTime = &now
-				currentAppStatus.Status = "Progressing"
-				currentAppStatus.Message = "Application resource completed a sync successfully, updating status from Pending to Progressing."
-				currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
+			if operationPhaseString == "Succeeded" {
+				revisions := []string{}
+				if len(app.Status.OperationState.SyncResult.Revisions) > 0 {
+					revisions = app.Status.OperationState.SyncResult.Revisions
+				} else if app.Status.OperationState.SyncResult.Revision != "" {
+					revisions = append(revisions, app.Status.OperationState.SyncResult.Revision)
+				}
+
+				if reflect.DeepEqual(currentAppStatus.TargetRevisions, revisions) {
+					logCtx.Infof("Application %v has completed a sync successfully, updating its ApplicationSet status to Progressing", app.Name)
+					currentAppStatus.LastTransitionTime = &now
+					currentAppStatus.Status = "Progressing"
+					currentAppStatus.Message = "Application resource completed a sync successfully, updating status from Pending to Progressing."
+					currentAppStatus.Step = strconv.Itoa(getAppStep(currentAppStatus.Application, appStepMap))
+				}
 			} else if operationPhaseString == "Running" || healthStatusString == "Progressing" {
 				logCtx.Infof("Application %v has entered Progressing status, updating its ApplicationSet status to Progressing", app.Name)
 				currentAppStatus.LastTransitionTime = &now

applicationset/controllers/applicationset_controller_test.go

@@ -4733,9 +4733,6 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 						Health: v1alpha1.HealthStatus{
 							Status: health.HealthStatusProgressing,
 						},
-						Sync: v1alpha1.SyncStatus{
-							Revision: "Next",
-						},
 					},
 				},
 			},
@@ -4799,8 +4796,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 							Phase: common.OperationRunning,
 						},
 						Sync: v1alpha1.SyncStatus{
-							Status:   v1alpha1.SyncStatusCodeSynced,
-							Revision: "Current",
+							Status: v1alpha1.SyncStatusCodeSynced,
 						},
 					},
 				},
@@ -4865,8 +4861,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 							Phase: common.OperationSucceeded,
 						},
 						Sync: v1alpha1.SyncStatus{
-							Status:   v1alpha1.SyncStatusCodeSynced,
-							Revision: "Next",
+							Status: v1alpha1.SyncStatusCodeSynced,
 						},
 					},
 				},
@@ -4931,8 +4926,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 							Phase: common.OperationSucceeded,
 						},
 						Sync: v1alpha1.SyncStatus{
-							Revision: "Current",
-							Status:   v1alpha1.SyncStatusCodeSynced,
+							Status: v1alpha1.SyncStatusCodeSynced,
 						},
 					},
 				},
@@ -5171,6 +5165,86 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "does not progresses a pending application with a successful sync triggered by controller with invalid revision to progressing",
+			appSet: v1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "name",
+					Namespace: "argocd",
+				},
+				Spec: v1alpha1.ApplicationSetSpec{
+					Strategy: &v1alpha1.ApplicationSetStrategy{
+						Type: "RollingSync",
+						RollingSync: &v1alpha1.ApplicationSetRolloutStrategy{
+							Steps: []v1alpha1.ApplicationSetRolloutStep{
+								{
+									MatchExpressions: []v1alpha1.ApplicationMatchExpression{},
+								},
+								{
+									MatchExpressions: []v1alpha1.ApplicationMatchExpression{},
+								},
+							},
+						},
+					},
+				},
+				Status: v1alpha1.ApplicationSetStatus{
+					ApplicationStatus: []v1alpha1.ApplicationSetApplicationStatus{
+						{
+							Application: "app1",
+							LastTransitionTime: &metav1.Time{
+								Time: time.Now().Add(time.Duration(-1) * time.Minute),
+							},
+							Message:         "",
+							Status:          "Pending",
+							Step:            "1",
+							TargetRevisions: []string{"Next"},
+						},
+					},
+				},
+			},
+			apps: []v1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "app1",
+					},
+					Status: v1alpha1.ApplicationStatus{
+						Health: v1alpha1.HealthStatus{
+							Status: health.HealthStatusDegraded,
+						},
+						OperationState: &v1alpha1.OperationState{
+							Phase: common.OperationSucceeded,
+							StartedAt: metav1.Time{
+								Time: time.Now(),
+							},
+							Operation: v1alpha1.Operation{
+								InitiatedBy: v1alpha1.OperationInitiator{
+									Username:  "applicationset-controller",
+									Automated: true,
+								},
+							},
+							SyncResult: &v1alpha1.SyncOperationResult{
+								Revision: "Previous",
+							},
+						},
+						Sync: v1alpha1.SyncStatus{
+							Status: v1alpha1.SyncStatusCodeSynced,
+						},
+					},
+				},
+			},
+			appStepMap: map[string]int{
+				"app1": 0,
+			},
+			expectedAppStatus: []v1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application:     "app1",
+					Message:         "",
+					Status:          "Pending",
+					Step:            "1",
+					TargetRevisions: []string{"Next"},
+				},
+			},
+		},
 		{
 			name: "removes the appStatus for applications that no longer exist",
 			appSet: v1alpha1.ApplicationSet{
@@ -5225,77 +5299,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 							Phase: common.OperationSucceeded,
 						},
 						Sync: v1alpha1.SyncStatus{
-							Status:   v1alpha1.SyncStatusCodeSynced,
-							Revision: "Current",
-						},
-					},
-				},
-			},
-			appStepMap: map[string]int{
-				"app1": 0,
-			},
-			expectedAppStatus: []v1alpha1.ApplicationSetApplicationStatus{
-				{
-					Application:     "app1",
-					Message:         "Application resource is already Healthy, updating status from Waiting to Healthy.",
-					Status:          "Healthy",
-					Step:            "1",
-					TargetRevisions: []string{"Current"},
-				},
-			},
-		},
-		{
-			name: "progresses a pending synced application with an old revision to progressing with the Current one",
-			appSet: v1alpha1.ApplicationSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "name",
-					Namespace: "argocd",
-				},
-				Spec: v1alpha1.ApplicationSetSpec{
-					Strategy: &v1alpha1.ApplicationSetStrategy{
-						Type: "RollingSync",
-						RollingSync: &v1alpha1.ApplicationSetRolloutStrategy{
-							Steps: []v1alpha1.ApplicationSetRolloutStep{
-								{
-									MatchExpressions: []v1alpha1.ApplicationMatchExpression{},
-								},
-								{
-									MatchExpressions: []v1alpha1.ApplicationMatchExpression{},
-								},
-							},
-						},
-					},
-				},
-				Status: v1alpha1.ApplicationSetStatus{
-					ApplicationStatus: []v1alpha1.ApplicationSetApplicationStatus{
-						{
-							Application:     "app1",
-							Message:         "",
-							Status:          "Pending",
-							Step:            "1",
-							TargetRevisions: []string{"Old"},
-						},
-					},
-				},
-			},
-			apps: []v1alpha1.Application{
-				{
-					ObjectMeta: metav1.ObjectMeta{
-						Name: "app1",
-					},
-					Status: v1alpha1.ApplicationStatus{
-						Health: v1alpha1.HealthStatus{
-							Status: health.HealthStatusHealthy,
-						},
-						OperationState: &v1alpha1.OperationState{
-							Phase: common.OperationSucceeded,
-							SyncResult: &v1alpha1.SyncOperationResult{
-								Revision: "Current",
-							},
-						},
-						Sync: v1alpha1.SyncStatus{
-							Status:    v1alpha1.SyncStatusCodeSynced,
-							Revisions: []string{"Current"},
+							Status: v1alpha1.SyncStatusCodeSynced,
 						},
 					},
 				},
@@ -6653,86 +6657,3 @@ func TestMigrateStatus(t *testing.T) {
 		})
 	}
 }
-
-func TestIgnoreNotAllowedNamespaces(t *testing.T) {
-	tests := []struct {
-		name       string
-		namespaces []string
-		objectNS   string
-		expected   bool
-	}{
-		{
-			name:       "Namespace allowed",
-			namespaces: []string{"allowed-namespace"},
-			objectNS:   "allowed-namespace",
-			expected:   true,
-		},
-		{
-			name:       "Namespace not allowed",
-			namespaces: []string{"allowed-namespace"},
-			objectNS:   "not-allowed-namespace",
-			expected:   false,
-		},
-		{
-			name:       "Empty allowed namespaces",
-			namespaces: []string{},
-			objectNS:   "any-namespace",
-			expected:   false,
-		},
-		{
-			name:       "Multiple allowed namespaces",
-			namespaces: []string{"allowed-namespace-1", "allowed-namespace-2"},
-			objectNS:   "allowed-namespace-2",
-			expected:   true,
-		},
-		{
-			name:       "Namespace not in multiple allowed namespaces",
-			namespaces: []string{"allowed-namespace-1", "allowed-namespace-2"},
-			objectNS:   "not-allowed-namespace",
-			expected:   false,
-		},
-		{
-			name:       "Namespace matched by glob pattern",
-			namespaces: []string{"allowed-namespace-*"},
-			objectNS:   "allowed-namespace-1",
-			expected:   true,
-		},
-		{
-			name:       "Namespace matched by regex pattern",
-			namespaces: []string{"/^allowed-namespace-[^-]+$/"},
-			objectNS:   "allowed-namespace-1",
-			expected:   true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			predicate := ignoreNotAllowedNamespaces(tt.namespaces)
-			object := &v1alpha1.ApplicationSet{
-				ObjectMeta: metav1.ObjectMeta{
-					Namespace: tt.objectNS,
-				},
-			}
-
-			t.Run(tt.name+":Create", func(t *testing.T) {
-				result := predicate.Create(event.CreateEvent{Object: object})
-				assert.Equal(t, tt.expected, result)
-			})
-
-			t.Run(tt.name+":Update", func(t *testing.T) {
-				result := predicate.Update(event.UpdateEvent{ObjectNew: object})
-				assert.Equal(t, tt.expected, result)
-			})
-
-			t.Run(tt.name+":Delete", func(t *testing.T) {
-				result := predicate.Delete(event.DeleteEvent{Object: object})
-				assert.Equal(t, tt.expected, result)
-			})
-
-			t.Run(tt.name+":Generic", func(t *testing.T) {
-				result := predicate.Generic(event.GenericEvent{Object: object})
-				assert.Equal(t, tt.expected, result)
-			})
-		})
-	}
-}

applicationset/services/scm_provider/gitlab.go

@@ -2,10 +2,10 @@ package scm_provider
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"net/http"
 	"os"
+	pathpkg "path"
 
 	"github.com/hashicorp/go-retryablehttp"
 	"github.com/xanzy/go-gitlab"
@@ -129,31 +129,40 @@ func (g *GitlabProvider) ListRepos(ctx context.Context, cloneProtocol string) ([
 func (g *GitlabProvider) RepoHasPath(_ context.Context, repo *Repository, path string) (bool, error) {
 	p, _, err := g.client.Projects.GetProject(repo.Organization+"/"+repo.Repository, nil)
 	if err != nil {
-		return false, fmt.Errorf("error getting Project Info: %w", err)
-	}
-
-	// search if the path is a file and exists in the repo
-	fileOptions := gitlab.GetFileOptions{Ref: &repo.Branch}
-	_, _, err = g.client.RepositoryFiles.GetFile(p.ID, path, &fileOptions)
-	if err != nil {
-		if errors.Is(err, gitlab.ErrNotFound) {
-			// no file found, check for a directory
-			options := gitlab.ListTreeOptions{
-				Path: &path,
-				Ref:  &repo.Branch,
-			}
-			_, _, err := g.client.Repositories.ListTree(p.ID, &options)
-			if err != nil {
-				if errors.Is(err, gitlab.ErrNotFound) {
-					return false, nil // no file or directory found
-				}
-				return false, err
-			}
-			return true, nil // directory found
-		}
 		return false, err
 	}
-	return true, nil // file found
+	directories := []string{
+		path,
+		pathpkg.Dir(path),
+	}
+	for _, directory := range directories {
+		options := gitlab.ListTreeOptions{
+			Path: &directory,
+			Ref:  &repo.Branch,
+		}
+		for {
+			treeNode, resp, err := g.client.Repositories.ListTree(p.ID, &options)
+			if err != nil {
+				return false, err
+			}
+			if path == directory {
+				if resp.TotalItems > 0 {
+					return true, nil
+				}
+			}
+			for i := range treeNode {
+				if treeNode[i].Path == path {
+					return true, nil
+				}
+			}
+			if resp.NextPage == 0 {
+				// no future pages
+				break
+			}
+			options.Page = resp.NextPage
+		}
+	}
+	return false, nil
 }
 
 func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gitlab.Branch, error) {

applicationset/services/scm_provider/gitlab_test.go

@@ -20,7 +20,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 	t.Helper()
 	return func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "application/json")
-		fmt.Println(r.RequestURI)
 		switch r.RequestURI {
 		case "/api/v4":
 			fmt.Println("here1")
@@ -1041,32 +1040,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
-			// Recent versions of the Gitlab API (v17.7+) listTree return 404 not only when a file doesn't exist, but also
-			// when a path is to a file instead of a directory. Code was refactored to explicitly search for file then
-			// search for directory, catching 404 errors as "file not found".
-		case "/api/v4/projects/27084533/repository/files/argocd?ref=master":
-			w.WriteHeader(http.StatusNotFound)
-		case "/api/v4/projects/27084533/repository/files/argocd%2Finstall%2Eyaml?ref=master":
-			_, err := io.WriteString(w, `{"file_name":"install.yaml","file_path":"argocd/install.yaml","size":0,"encoding":"base64","content_sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","ref":"main","blob_id":"e69de29bb2d1d6434b8b29ae775ad8c2e48c5391","commit_id":"6d4c0f9d34534ccc73aa3f3180b25e2aebe630eb","last_commit_id":"b50eb63f9c0e09bfdb070db26fd32c7210291f52","execute_filemode":false,"content":""}`)
-			if err != nil {
-				t.Fail()
-			}
-		case "/api/v4/projects/27084533/repository/files/notathing?ref=master":
-			w.WriteHeader(http.StatusNotFound)
-		case "/api/v4/projects/27084533/repository/tree?path=notathing&ref=master":
-			w.WriteHeader(http.StatusNotFound)
-		case "/api/v4/projects/27084533/repository/files/argocd%2Fnotathing%2Eyaml?ref=master":
-			w.WriteHeader(http.StatusNotFound)
-		case "/api/v4/projects/27084533/repository/tree?path=argocd%2Fnotathing.yaml&ref=master":
-			w.WriteHeader(http.StatusNotFound)
-		case "/api/v4/projects/27084533/repository/files/notathing%2Fnotathing%2Eyaml?ref=master":
-			w.WriteHeader(http.StatusNotFound)
-		case "/api/v4/projects/27084533/repository/tree?path=notathing%2Fnotathing.yaml&ref=master":
-			w.WriteHeader(http.StatusNotFound)
-		case "/api/v4/projects/27084533/repository/files/notathing%2Fnotathing%2Fnotathing%2Eyaml?ref=master":
-			w.WriteHeader(http.StatusNotFound)
-		case "/api/v4/projects/27084533/repository/tree?path=notathing%2Fnotathing%2Fnotathing.yaml&ref=master":
-			w.WriteHeader(http.StatusNotFound)
 		case "/api/v4/projects/27084533/repository/branches/foo":
 			w.WriteHeader(http.StatusNotFound)
 		default:
@@ -1221,16 +1194,6 @@ func TestGitlabHasPath(t *testing.T) {
 			path:   "argocd/notathing.yaml",
 			exists: false,
 		},
-		{
-			name:   "noexistent file in noexistent directory",
-			path:   "notathing/notathing.yaml",
-			exists: false,
-		},
-		{
-			name:   "noexistent file in nested noexistent directory",
-			path:   "notathing/notathing/notathing.yaml",
-			exists: false,
-		},
 	}
 
 	for _, c := range cases {

applicationset/utils/clusterUtils.go

@@ -2,15 +2,22 @@ package utils
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
+	"strconv"
+	"strings"
 	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/argoproj/argo-cd/v2/common"
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/v2/util/db"
 
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/utils/ptr"
 )
 
 // The contents of this file are from
@@ -119,15 +126,11 @@ func ListClusters(ctx context.Context, clientset kubernetes.Interface, namespace
 	hasInClusterCredentials := false
 	for i, clusterSecret := range clusterSecrets {
 		// This line has changed from the original Argo CD code: now receives an error, and handles it
-		cluster, err := db.SecretToCluster(&clusterSecret)
+		cluster, err := secretToCluster(&clusterSecret)
 		if err != nil || cluster == nil {
 			return nil, fmt.Errorf("unable to convert cluster secret to cluster object '%s': %w", clusterSecret.Name, err)
 		}
 
-		// db.SecretToCluster populates these, but they're not meant to be available to the caller.
-		cluster.Labels = nil
-		cluster.Annotations = nil
-
 		clusterList.Items[i] = *cluster
 		if cluster.Server == appv1.KubernetesInternalAPIServerAddr {
 			hasInClusterCredentials = true
@@ -164,3 +167,48 @@ func getLocalCluster(clientset kubernetes.Interface) *appv1.Cluster {
 	cluster.ConnectionState.ModifiedAt = &now
 	return cluster
 }
+
+// secretToCluster converts a secret into a Cluster object
+func secretToCluster(s *corev1.Secret) (*appv1.Cluster, error) {
+	var config appv1.ClusterConfig
+	if len(s.Data["config"]) > 0 {
+		if err := json.Unmarshal(s.Data["config"], &config); err != nil {
+			// This line has changed from the original Argo CD: now returns an error rather than panicing.
+			return nil, err
+		}
+	}
+
+	var namespaces []string
+	for _, ns := range strings.Split(string(s.Data["namespaces"]), ",") {
+		if ns = strings.TrimSpace(ns); ns != "" {
+			namespaces = append(namespaces, ns)
+		}
+	}
+	var refreshRequestedAt *metav1.Time
+	if v, found := s.Annotations[appv1.AnnotationKeyRefresh]; found {
+		requestedAt, err := time.Parse(time.RFC3339, v)
+		if err != nil {
+			log.Warnf("Error while parsing date in cluster secret '%s': %v", s.Name, err)
+		} else {
+			refreshRequestedAt = &metav1.Time{Time: requestedAt}
+		}
+	}
+	var shard *int64
+	if shardStr := s.Data["shard"]; shardStr != nil {
+		if val, err := strconv.Atoi(string(shardStr)); err != nil {
+			log.Warnf("Error while parsing shard in cluster secret '%s': %v", s.Name, err)
+		} else {
+			shard = ptr.To(int64(val))
+		}
+	}
+	cluster := appv1.Cluster{
+		ID:                 string(s.UID),
+		Server:             strings.TrimRight(string(s.Data["server"]), "/"),
+		Name:               string(s.Data["name"]),
+		Namespaces:         namespaces,
+		Config:             config,
+		RefreshRequestedAt: refreshRequestedAt,
+		Shard:              shard,
+	}
+	return &cluster, nil
+}

applicationset/utils/clusterUtils_test.go

@@ -20,6 +20,51 @@ const (
 	fakeNamespace = "fake-ns"
 )
 
+// From Argo CD util/db/cluster_test.go
+func Test_secretToCluster(t *testing.T) {
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "mycluster",
+			Namespace: fakeNamespace,
+		},
+		Data: map[string][]byte{
+			"name":   []byte("test"),
+			"server": []byte("http://mycluster"),
+			"config": []byte("{\"username\":\"foo\", \"disableCompression\":true}"),
+		},
+	}
+	cluster, err := secretToCluster(secret)
+	require.NoError(t, err)
+	assert.Equal(t, argoappv1.Cluster{
+		Name:   "test",
+		Server: "http://mycluster",
+		Config: argoappv1.ClusterConfig{
+			Username:           "foo",
+			DisableCompression: true,
+		},
+	}, *cluster)
+}
+
+// From Argo CD util/db/cluster_test.go
+func Test_secretToCluster_NoConfig(t *testing.T) {
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "mycluster",
+			Namespace: fakeNamespace,
+		},
+		Data: map[string][]byte{
+			"name":   []byte("test"),
+			"server": []byte("http://mycluster"),
+		},
+	}
+	cluster, err := secretToCluster(secret)
+	require.NoError(t, err)
+	assert.Equal(t, argoappv1.Cluster{
+		Name:   "test",
+		Server: "http://mycluster",
+	}, *cluster)
+}
+
 func createClusterSecret(secretName string, clusterName string, clusterServer string) *corev1.Secret {
 	secret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{

assets/builtin-policy.csv

@@ -10,7 +10,6 @@ p, role:readonly, applications, get, */*, allow
 p, role:readonly, certificates, get, *, allow
 p, role:readonly, clusters, get, *, allow
 p, role:readonly, repositories, get, *, allow
-p, role:readonly, write-repositories, get, *, allow
 p, role:readonly, projects, get, *, allow
 p, role:readonly, accounts, get, *, allow
 p, role:readonly, gpgkeys, get, *, allow
@@ -18,9 +17,7 @@ p, role:readonly, logs, get, */*, allow
 
 p, role:admin, applications, create, */*, allow
 p, role:admin, applications, update, */*, allow
-p, role:admin, applications, update/*, */*, allow
 p, role:admin, applications, delete, */*, allow
-p, role:admin, applications, delete/*, */*, allow
 p, role:admin, applications, sync, */*, allow
 p, role:admin, applications, override, */*, allow
 p, role:admin, applications, action/*, */*, allow
@@ -37,9 +34,6 @@ p, role:admin, clusters, delete, *, allow
 p, role:admin, repositories, create, *, allow
 p, role:admin, repositories, update, *, allow
 p, role:admin, repositories, delete, *, allow
-p, role:admin, write-repositories, create, *, allow
-p, role:admin, write-repositories, update, *, allow
-p, role:admin, write-repositories, delete, *, allow
 p, role:admin, projects, create, *, allow
 p, role:admin, projects, update, *, allow
 p, role:admin, projects, delete, *, allow
@@ -49,4 +43,4 @@ p, role:admin, gpgkeys, delete, *, allow
 p, role:admin, exec, create, */*, allow
 
 g, role:admin, role:readonly
-g, admin, role:admin
+g, admin, role:admin

assets/swagger.json

@@ -1990,39 +1990,6 @@
         }
       }
     },
-    "/api/v1/applicationsets/generate": {
-      "post": {
-        "tags": [
-          "ApplicationSetService"
-        ],
-        "summary": "Generate generates",
-        "operationId": "ApplicationSetService_Generate",
-        "parameters": [
-          {
-            "name": "body",
-            "in": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/applicationsetApplicationSetGenerateRequest"
-            }
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/applicationsetApplicationSetGenerateResponse"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      }
-    },
     "/api/v1/applicationsets/{name}": {
       "get": {
         "tags": [
@@ -4117,504 +4084,6 @@
         }
       }
     },
-    "/api/v1/write-repocreds": {
-      "get": {
-        "tags": [
-          "RepoCredsService"
-        ],
-        "summary": "ListWriteRepositoryCredentials gets a list of all configured repository credential sets that have write access",
-        "operationId": "RepoCredsService_ListWriteRepositoryCredentials",
-        "parameters": [
-          {
-            "type": "string",
-            "description": "Repo URL for query.",
-            "name": "url",
-            "in": "query"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1alpha1RepoCredsList"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      },
-      "post": {
-        "tags": [
-          "RepoCredsService"
-        ],
-        "summary": "CreateWriteRepositoryCredentials creates a new repository credential set with write access",
-        "operationId": "RepoCredsService_CreateWriteRepositoryCredentials",
-        "parameters": [
-          {
-            "description": "Repository definition",
-            "name": "body",
-            "in": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/v1alpha1RepoCreds"
-            }
-          },
-          {
-            "type": "boolean",
-            "description": "Whether to create in upsert mode.",
-            "name": "upsert",
-            "in": "query"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1alpha1RepoCreds"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      }
-    },
-    "/api/v1/write-repocreds/{creds.url}": {
-      "put": {
-        "tags": [
-          "RepoCredsService"
-        ],
-        "summary": "UpdateWriteRepositoryCredentials updates a repository credential set with write access",
-        "operationId": "RepoCredsService_UpdateWriteRepositoryCredentials",
-        "parameters": [
-          {
-            "type": "string",
-            "description": "URL is the URL to which these credentials match",
-            "name": "creds.url",
-            "in": "path",
-            "required": true
-          },
-          {
-            "name": "body",
-            "in": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/v1alpha1RepoCreds"
-            }
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1alpha1RepoCreds"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      }
-    },
-    "/api/v1/write-repocreds/{url}": {
-      "delete": {
-        "tags": [
-          "RepoCredsService"
-        ],
-        "summary": "DeleteWriteRepositoryCredentials deletes a repository credential set with write access from the configuration",
-        "operationId": "RepoCredsService_DeleteWriteRepositoryCredentials",
-        "parameters": [
-          {
-            "type": "string",
-            "name": "url",
-            "in": "path",
-            "required": true
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/repocredsRepoCredsResponse"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      }
-    },
-    "/api/v1/write-repositories": {
-      "get": {
-        "tags": [
-          "RepositoryService"
-        ],
-        "summary": "ListWriteRepositories gets a list of all configured write repositories",
-        "operationId": "RepositoryService_ListWriteRepositories",
-        "parameters": [
-          {
-            "type": "string",
-            "description": "Repo URL for query.",
-            "name": "repo",
-            "in": "query"
-          },
-          {
-            "type": "boolean",
-            "description": "Whether to force a cache refresh on repo's connection state.",
-            "name": "forceRefresh",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "App project for query.",
-            "name": "appProject",
-            "in": "query"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1alpha1RepositoryList"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      },
-      "post": {
-        "tags": [
-          "RepositoryService"
-        ],
-        "summary": "CreateWriteRepository creates a new write repository configuration",
-        "operationId": "RepositoryService_CreateWriteRepository",
-        "parameters": [
-          {
-            "description": "Repository definition",
-            "name": "body",
-            "in": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/v1alpha1Repository"
-            }
-          },
-          {
-            "type": "boolean",
-            "description": "Whether to create in upsert mode.",
-            "name": "upsert",
-            "in": "query"
-          },
-          {
-            "type": "boolean",
-            "description": "Whether to operate on credential set instead of repository.",
-            "name": "credsOnly",
-            "in": "query"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1alpha1Repository"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      }
-    },
-    "/api/v1/write-repositories/{repo.repo}": {
-      "put": {
-        "tags": [
-          "RepositoryService"
-        ],
-        "summary": "UpdateWriteRepository updates a write repository configuration",
-        "operationId": "RepositoryService_UpdateWriteRepository",
-        "parameters": [
-          {
-            "type": "string",
-            "description": "Repo contains the URL to the remote repository",
-            "name": "repo.repo",
-            "in": "path",
-            "required": true
-          },
-          {
-            "name": "body",
-            "in": "body",
-            "required": true,
-            "schema": {
-              "$ref": "#/definitions/v1alpha1Repository"
-            }
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1alpha1Repository"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      }
-    },
-    "/api/v1/write-repositories/{repo}": {
-      "get": {
-        "tags": [
-          "RepositoryService"
-        ],
-        "summary": "GetWrite returns a repository or its write credentials",
-        "operationId": "RepositoryService_GetWrite",
-        "parameters": [
-          {
-            "type": "string",
-            "description": "Repo URL for query",
-            "name": "repo",
-            "in": "path",
-            "required": true
-          },
-          {
-            "type": "boolean",
-            "description": "Whether to force a cache refresh on repo's connection state.",
-            "name": "forceRefresh",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "App project for query.",
-            "name": "appProject",
-            "in": "query"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1alpha1Repository"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      },
-      "delete": {
-        "tags": [
-          "RepositoryService"
-        ],
-        "summary": "DeleteWriteRepository deletes a write repository from the configuration",
-        "operationId": "RepositoryService_DeleteWriteRepository",
-        "parameters": [
-          {
-            "type": "string",
-            "description": "Repo URL for query",
-            "name": "repo",
-            "in": "path",
-            "required": true
-          },
-          {
-            "type": "boolean",
-            "description": "Whether to force a cache refresh on repo's connection state.",
-            "name": "forceRefresh",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "App project for query.",
-            "name": "appProject",
-            "in": "query"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/repositoryRepoResponse"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      }
-    },
-    "/api/v1/write-repositories/{repo}/validate": {
-      "post": {
-        "tags": [
-          "RepositoryService"
-        ],
-        "summary": "ValidateWriteAccess validates write access to a repository with given parameters",
-        "operationId": "RepositoryService_ValidateWriteAccess",
-        "parameters": [
-          {
-            "type": "string",
-            "description": "The URL to the repo",
-            "name": "repo",
-            "in": "path",
-            "required": true
-          },
-          {
-            "description": "The URL to the repo",
-            "name": "body",
-            "in": "body",
-            "required": true,
-            "schema": {
-              "type": "string"
-            }
-          },
-          {
-            "type": "string",
-            "description": "Username for accessing repo.",
-            "name": "username",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "Password for accessing repo.",
-            "name": "password",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "Private key data for accessing SSH repository.",
-            "name": "sshPrivateKey",
-            "in": "query"
-          },
-          {
-            "type": "boolean",
-            "description": "Whether to skip certificate or host key validation.",
-            "name": "insecure",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "TLS client cert data for accessing HTTPS repository.",
-            "name": "tlsClientCertData",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "TLS client cert key for accessing HTTPS repository.",
-            "name": "tlsClientCertKey",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "The type of the repo.",
-            "name": "type",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "The name of the repo.",
-            "name": "name",
-            "in": "query"
-          },
-          {
-            "type": "boolean",
-            "description": "Whether helm-oci support should be enabled for this repo.",
-            "name": "enableOci",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "Github App Private Key PEM data.",
-            "name": "githubAppPrivateKey",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "format": "int64",
-            "description": "Github App ID of the app used to access the repo.",
-            "name": "githubAppID",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "format": "int64",
-            "description": "Github App Installation ID of the installed GitHub App.",
-            "name": "githubAppInstallationID",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "Github App Enterprise base url if empty will default to https://api.github.com.",
-            "name": "githubAppEnterpriseBaseUrl",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "HTTP/HTTPS proxy to access the repository.",
-            "name": "proxy",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "Reference between project and repository that allow you automatically to be added as item inside SourceRepos project entity.",
-            "name": "project",
-            "in": "query"
-          },
-          {
-            "type": "string",
-            "description": "Google Cloud Platform service account key.",
-            "name": "gcpServiceAccountKey",
-            "in": "query"
-          },
-          {
-            "type": "boolean",
-            "description": "Whether to force HTTP basic auth.",
-            "name": "forceHttpBasicAuth",
-            "in": "query"
-          }
-        ],
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/repositoryRepoResponse"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/runtimeError"
-            }
-          }
-        }
-      }
-    },
     "/api/version": {
       "get": {
         "tags": [
@@ -5256,9 +4725,6 @@
         "help": {
           "$ref": "#/definitions/clusterHelp"
         },
-        "hydratorEnabled": {
-          "type": "boolean"
-        },
         "impersonationEnabled": {
           "type": "boolean"
         },

cmd/argocd-server/commands/argocd_server.go

@@ -87,7 +87,6 @@ func NewCommand() *cobra.Command {
 		applicationNamespaces    []string
 		enableProxyExtension     bool
 		webhookParallelism       int
-		hydratorEnabled          bool
 
 		// ApplicationSet
 		enableNewGitFileGlobbing bool
@@ -244,7 +243,6 @@ func NewCommand() *cobra.Command {
 				EnableProxyExtension:    enableProxyExtension,
 				WebhookParallelism:      webhookParallelism,
 				EnableK8sEvent:          enableK8sEvent,
-				HydratorEnabled:         hydratorEnabled,
 			}
 
 			appsetOpts := server.ApplicationSetOpts{
@@ -323,7 +321,6 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&enableProxyExtension, "enable-proxy-extension", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_PROXY_EXTENSION", false), "Enable Proxy Extension feature")
 	command.Flags().IntVar(&webhookParallelism, "webhook-parallelism-limit", env.ParseNumFromEnv("ARGOCD_SERVER_WEBHOOK_PARALLELISM_LIMIT", 50, 1, 1000), "Number of webhook requests processed concurrently")
 	command.Flags().StringSliceVar(&enableK8sEvent, "enable-k8s-event", env.StringsFromEnv("ARGOCD_ENABLE_K8S_EVENT", argo.DefaultEnableEventList(), ","), "Enable ArgoCD to use k8s event. For disabling all events, set the value as `none`. (e.g --enable-k8s-event=none), For enabling specific events, set the value as `event reason`. (e.g --enable-k8s-event=StatusRefreshed,ResourceCreated)")
-	command.Flags().BoolVar(&hydratorEnabled, "hydrator-enabled", env.ParseBoolFromEnv("ARGOCD_HYDRATOR_ENABLED", false), "Feature flag to enable Hydrator. Default (\"false\")")
 
 	// Flags related to the applicationSet component.
 	command.Flags().StringVar(&scmRootCAPath, "appset-scm-root-ca-path", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_SCM_ROOT_CA_PATH", ""), "Provide Root CA Path for self-signed TLS Certificates")

cmd/argocd/commands/account.go

@@ -16,13 +16,12 @@ import (
 	"golang.org/x/term"
 	"sigs.k8s.io/yaml"
 
-	"github.com/argoproj/argo-cd/v2/util/rbac"
-
 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/headless"
 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/utils"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
 	accountpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/account"
 	"github.com/argoproj/argo-cd/v2/pkg/apiclient/session"
+	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
 	"github.com/argoproj/argo-cd/v2/util/cli"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 	"github.com/argoproj/argo-cd/v2/util/io"
@@ -219,7 +218,7 @@ argocd account can-i create clusters '*'
 
 Actions: %v
 Resources: %v
-`, rbac.Actions, rbac.Resources),
+`, rbacpolicy.Actions, rbacpolicy.Resources),
 		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
@@ -263,7 +262,7 @@ func NewAccountListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 		Use:     "list",
 		Short:   "List accounts",
 		Example: "argocd account list",
-		Run: func(c *cobra.Command, _ []string) {
+		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
 			conn, client := headless.NewClientOrDie(clientOpts, c).NewAccountClientOrDie()
@@ -310,7 +309,7 @@ argocd account get
 
 # Get details for an account by name
 argocd account get --account <account-name>`,
-		Run: func(c *cobra.Command, _ []string) {
+		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
 			clientset := headless.NewClientOrDie(clientOpts, c)
@@ -359,7 +358,7 @@ func printAccountDetails(acc *accountpkg.Account) {
 				expiresAt := time.Unix(t.ExpiresAt, 0)
 				expiresAtFormatted = expiresAt.Format(time.RFC3339)
 				if expiresAt.Before(time.Now()) {
-					expiresAtFormatted = expiresAtFormatted + " (expired)"
+					expiresAtFormatted = fmt.Sprintf("%s (expired)", expiresAtFormatted)
 				}
 			}
 
@@ -383,7 +382,7 @@ argocd account generate-token
 
 # Generate token for the account with the specified name
 argocd account generate-token --account <account-name>`,
-		Run: func(c *cobra.Command, _ []string) {
+		Run: func(c *cobra.Command, args []string) {
 			ctx := c.Context()
 
 			clientset := headless.NewClientOrDie(clientOpts, c)

cmd/argocd/commands/admin/app.go

@@ -9,7 +9,6 @@ import (
 	"sort"
 	"time"
 
-	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/spf13/cobra"
 	apiv1 "k8s.io/api/core/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -403,26 +402,7 @@ func reconcileApplications(
 	)
 
 	appStateManager := controller.NewAppStateManager(
-		argoDB,
-		appClientset,
-		repoServerClient,
-		namespace,
-		kubeutil.NewKubectl(),
-		func(_ string) (kube.CleanupFunc, error) {
-			return func() {}, nil
-		},
-		settingsMgr,
-		stateCache,
-		projInformer,
-		server,
-		cache,
-		time.Second,
-		argo.NewResourceTracking(),
-		false,
-		0,
-		serverSideDiff,
-		ignoreNormalizerOpts,
-	)
+		argoDB, appClientset, repoServerClient, namespace, kubeutil.NewKubectl(), settingsMgr, stateCache, projInformer, server, cache, time.Second, argo.NewResourceTracking(), false, 0, serverSideDiff, ignoreNormalizerOpts)
 
 	appsList, err := appClientset.ArgoprojV1alpha1().Applications(namespace).List(ctx, v1.ListOptions{LabelSelector: selector})
 	if err != nil {

cmd/argocd/commands/admin/app_test.go

@@ -91,7 +91,7 @@ func TestGetReconcileResults_Refresh(t *testing.T) {
 
 	appClientset := appfake.NewSimpleClientset(app, proj)
 	deployment := test.NewDeployment()
-	kubeClientset := kubefake.NewClientset(deployment, &cm)
+	kubeClientset := kubefake.NewSimpleClientset(deployment, &cm)
 	clusterCache := clustermocks.ClusterCache{}
 	clusterCache.On("IsNamespaced", mock.Anything).Return(true, nil)
 	clusterCache.On("GetGVKParser", mock.Anything).Return(nil)

cmd/argocd/commands/admin/cluster.go

@@ -183,12 +183,13 @@ func getControllerReplicas(ctx context.Context, kubeClient *kubernetes.Clientset
 
 func NewClusterShardsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		shard             int
-		replicas          int
-		shardingAlgorithm string
-		clientConfig      clientcmd.ClientConfig
-		cacheSrc          func() (*appstatecache.Cache, error)
-		portForwardRedis  bool
+		shard               int
+		replicas            int
+		shardingAlgorithm   string
+		clientConfig        clientcmd.ClientConfig
+		cacheSrc            func() (*appstatecache.Cache, error)
+		portForwardRedis    bool
+		redisCompressionStr string
 	)
 	command := cobra.Command{
 		Use:   "shards",
@@ -212,7 +213,7 @@ func NewClusterShardsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 			if replicas == 0 {
 				return
 			}
-			clusters, err := loadClusters(ctx, kubeClient, appClient, replicas, shardingAlgorithm, namespace, portForwardRedis, cacheSrc, shard, clientOpts.RedisName, clientOpts.RedisHaProxyName, clientOpts.RedisCompression)
+			clusters, err := loadClusters(ctx, kubeClient, appClient, replicas, shardingAlgorithm, namespace, portForwardRedis, cacheSrc, shard, clientOpts.RedisName, clientOpts.RedisHaProxyName, redisCompressionStr)
 			errors.CheckError(err)
 			if len(clusters) == 0 {
 				return
@@ -233,6 +234,7 @@ func NewClusterShardsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comm
 	// we can ignore unchecked error here as the command will be parsed again and checked when command.Execute() is run later
 	// nolint:errcheck
 	command.ParseFlags(os.Args[1:])
+	redisCompressionStr, _ = command.Flags().GetString(cacheutil.CLIFlagRedisCompress)
 	return &command
 }
 
@@ -464,12 +466,13 @@ func NewClusterDisableNamespacedMode() *cobra.Command {
 
 func NewClusterStatsCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		shard             int
-		replicas          int
-		shardingAlgorithm string
-		clientConfig      clientcmd.ClientConfig
-		cacheSrc          func() (*appstatecache.Cache, error)
-		portForwardRedis  bool
+		shard               int
+		replicas            int
+		shardingAlgorithm   string
+		clientConfig        clientcmd.ClientConfig
+		cacheSrc            func() (*appstatecache.Cache, error)
+		portForwardRedis    bool
+		redisCompressionStr string
 	)
 	command := cobra.Command{
 		Use:   "stats",
@@ -499,7 +502,7 @@ argocd admin cluster stats target-cluster`,
 				replicas, err = getControllerReplicas(ctx, kubeClient, namespace, clientOpts.AppControllerName)
 				errors.CheckError(err)
 			}
-			clusters, err := loadClusters(ctx, kubeClient, appClient, replicas, shardingAlgorithm, namespace, portForwardRedis, cacheSrc, shard, clientOpts.RedisName, clientOpts.RedisHaProxyName, clientOpts.RedisCompression)
+			clusters, err := loadClusters(ctx, kubeClient, appClient, replicas, shardingAlgorithm, namespace, portForwardRedis, cacheSrc, shard, clientOpts.RedisName, clientOpts.RedisHaProxyName, redisCompressionStr)
 			errors.CheckError(err)
 
 			w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
@@ -521,6 +524,7 @@ argocd admin cluster stats target-cluster`,
 	// we can ignore unchecked error here as the command will be parsed again and checked when command.Execute() is run later
 	// nolint:errcheck
 	command.ParseFlags(os.Args[1:])
+	redisCompressionStr, _ = command.Flags().GetString(cacheutil.CLIFlagRedisCompress)
 	return &command
 }
 
@@ -613,7 +617,7 @@ func NewGenClusterConfigCommand(pathOpts *clientcmd.PathOptions) *cobra.Command
 			clientConfig := clientcmd.NewDefaultClientConfig(*cfgAccess, &overrides)
 			conf, err := clientConfig.ClientConfig()
 			errors.CheckError(err)
-			kubeClientset := fake.NewClientset()
+			kubeClientset := fake.NewSimpleClientset()
 
 			var awsAuthConf *v1alpha1.AWSAuthConfig
 			var execProviderConf *v1alpha1.ExecProviderConfig

cmd/argocd/commands/admin/dashboard.go

@@ -12,14 +12,17 @@ import (
 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/initialize"
 	"github.com/argoproj/argo-cd/v2/common"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/cache"
+	"github.com/argoproj/argo-cd/v2/util/env"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 )
 
 func NewDashboardCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		port         int
-		address      string
-		clientConfig clientcmd.ClientConfig
+		port           int
+		address        string
+		compressionStr string
+		clientConfig   clientcmd.ClientConfig
 	)
 	cmd := &cobra.Command{
 		Use:   "dashboard",
@@ -27,8 +30,10 @@ func NewDashboardCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command
 		Run: func(cmd *cobra.Command, args []string) {
 			ctx := cmd.Context()
 
+			compression, err := cache.CompressionTypeFromString(compressionStr)
+			errors.CheckError(err)
 			clientOpts.Core = true
-			errors.CheckError(headless.MaybeStartLocalServer(ctx, clientOpts, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address, clientConfig))
+			errors.CheckError(headless.MaybeStartLocalServer(ctx, clientOpts, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address, compression, clientConfig))
 			println(fmt.Sprintf("Argo CD UI is available at http://%s:%d", address, port))
 			<-ctx.Done()
 		},
@@ -45,5 +50,6 @@ $ argocd admin dashboard --redis-compress gzip
 	clientConfig = cli.AddKubectlFlagsToSet(cmd.Flags())
 	cmd.Flags().IntVar(&port, "port", common.DefaultPortAPIServer, "Listen on given port")
 	cmd.Flags().StringVar(&address, "address", common.DefaultAddressAdminDashboard, "Listen on given address")
+	cmd.Flags().StringVar(&compressionStr, "redis-compress", env.StringFromEnv("REDIS_COMPRESSION", string(cache.RedisCompressionGZip)), "Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none)")
 	return cmd
 }

cmd/argocd/commands/admin/repo.go

@@ -150,7 +150,7 @@ func NewGenRepoSpecCommand() *cobra.Command {
 					},
 				},
 			}
-			kubeClientset := fake.NewClientset(argoCDCM)
+			kubeClientset := fake.NewSimpleClientset(argoCDCM)
 			settingsMgr := settings.NewSettingsManager(ctx, kubeClientset, ArgoCDNamespace)
 			argoDB := db.NewDB(ArgoCDNamespace, settingsMgr, kubeClientset)
 

cmd/argocd/commands/admin/settings.go

@@ -119,7 +119,7 @@ func (opts *settingsOpts) createSettingsManager(ctx context.Context) (*settings.
 		}
 	}
 	setSettingsMeta(argocdSecret)
-	clientset := fake.NewClientset(argocdSecret, argocdCM)
+	clientset := fake.NewSimpleClientset(argocdSecret, argocdCM)
 
 	manager := settings.NewSettingsManager(ctx, clientset, "default")
 	errors.CheckError(manager.ResyncInformers())

cmd/argocd/commands/admin/settings_rbac.go

@@ -9,12 +9,13 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	corev1 "k8s.io/api/core/v1"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
 	"sigs.k8s.io/yaml"
 
 	"github.com/argoproj/argo-cd/v2/common"
+	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
 	"github.com/argoproj/argo-cd/v2/util/assets"
 	"github.com/argoproj/argo-cd/v2/util/cli"
 	"github.com/argoproj/argo-cd/v2/util/errors"
@@ -27,85 +28,94 @@ type rbacTrait struct {
 	allowPath bool
 }
 
-// Provide a mapping of shorthand resource names to their RBAC counterparts
+// Provide a mapping of short-hand resource names to their RBAC counterparts
 var resourceMap = map[string]string{
-	"account":         rbac.ResourceAccounts,
-	"app":             rbac.ResourceApplications,
-	"apps":            rbac.ResourceApplications,
-	"application":     rbac.ResourceApplications,
-	"applicationsets": rbac.ResourceApplicationSets,
-	"cert":            rbac.ResourceCertificates,
-	"certs":           rbac.ResourceCertificates,
-	"certificate":     rbac.ResourceCertificates,
-	"cluster":         rbac.ResourceClusters,
-	"extension":       rbac.ResourceExtensions,
-	"gpgkey":          rbac.ResourceGPGKeys,
-	"key":             rbac.ResourceGPGKeys,
-	"log":             rbac.ResourceLogs,
-	"logs":            rbac.ResourceLogs,
-	"exec":            rbac.ResourceExec,
-	"proj":            rbac.ResourceProjects,
-	"projs":           rbac.ResourceProjects,
-	"project":         rbac.ResourceProjects,
-	"repo":            rbac.ResourceRepositories,
-	"repos":           rbac.ResourceRepositories,
-	"repository":      rbac.ResourceRepositories,
+	"account":         rbacpolicy.ResourceAccounts,
+	"app":             rbacpolicy.ResourceApplications,
+	"apps":            rbacpolicy.ResourceApplications,
+	"application":     rbacpolicy.ResourceApplications,
+	"applicationsets": rbacpolicy.ResourceApplicationSets,
+	"cert":            rbacpolicy.ResourceCertificates,
+	"certs":           rbacpolicy.ResourceCertificates,
+	"certificate":     rbacpolicy.ResourceCertificates,
+	"cluster":         rbacpolicy.ResourceClusters,
+	"extension":       rbacpolicy.ResourceExtensions,
+	"gpgkey":          rbacpolicy.ResourceGPGKeys,
+	"key":             rbacpolicy.ResourceGPGKeys,
+	"log":             rbacpolicy.ResourceLogs,
+	"logs":            rbacpolicy.ResourceLogs,
+	"exec":            rbacpolicy.ResourceExec,
+	"proj":            rbacpolicy.ResourceProjects,
+	"projs":           rbacpolicy.ResourceProjects,
+	"project":         rbacpolicy.ResourceProjects,
+	"repo":            rbacpolicy.ResourceRepositories,
+	"repos":           rbacpolicy.ResourceRepositories,
+	"repository":      rbacpolicy.ResourceRepositories,
+}
+
+var projectScoped = map[string]bool{
+	rbacpolicy.ResourceApplications:    true,
+	rbacpolicy.ResourceApplicationSets: true,
+	rbacpolicy.ResourceLogs:            true,
+	rbacpolicy.ResourceExec:            true,
+	rbacpolicy.ResourceClusters:        true,
+	rbacpolicy.ResourceRepositories:    true,
 }
 
 // List of allowed RBAC resources
 var validRBACResourcesActions = map[string]actionTraitMap{
-	rbac.ResourceAccounts:        accountsActions,
-	rbac.ResourceApplications:    applicationsActions,
-	rbac.ResourceApplicationSets: defaultCRUDActions,
-	rbac.ResourceCertificates:    defaultCRDActions,
-	rbac.ResourceClusters:        defaultCRUDActions,
-	rbac.ResourceExtensions:      extensionActions,
-	rbac.ResourceGPGKeys:         defaultCRDActions,
-	rbac.ResourceLogs:            logsActions,
-	rbac.ResourceExec:            execActions,
-	rbac.ResourceProjects:        defaultCRUDActions,
-	rbac.ResourceRepositories:    defaultCRUDActions,
+	rbacpolicy.ResourceAccounts:        accountsActions,
+	rbacpolicy.ResourceApplications:    applicationsActions,
+	rbacpolicy.ResourceApplicationSets: defaultCRUDActions,
+	rbacpolicy.ResourceCertificates:    defaultCRDActions,
+	rbacpolicy.ResourceClusters:        defaultCRUDActions,
+	rbacpolicy.ResourceExtensions:      extensionActions,
+	rbacpolicy.ResourceGPGKeys:         defaultCRDActions,
+	rbacpolicy.ResourceLogs:            logsActions,
+	rbacpolicy.ResourceExec:            execActions,
+	rbacpolicy.ResourceProjects:        defaultCRUDActions,
+	rbacpolicy.ResourceRepositories:    defaultCRUDActions,
 }
 
 // List of allowed RBAC actions
 var defaultCRUDActions = actionTraitMap{
-	rbac.ActionCreate: rbacTrait{},
-	rbac.ActionGet:    rbacTrait{},
-	rbac.ActionUpdate: rbacTrait{},
-	rbac.ActionDelete: rbacTrait{},
+	rbacpolicy.ActionCreate: rbacTrait{},
+	rbacpolicy.ActionGet:    rbacTrait{},
+	rbacpolicy.ActionUpdate: rbacTrait{},
+	rbacpolicy.ActionDelete: rbacTrait{},
 }
 
 var defaultCRDActions = actionTraitMap{
-	rbac.ActionCreate: rbacTrait{},
-	rbac.ActionGet:    rbacTrait{},
-	rbac.ActionDelete: rbacTrait{},
+	rbacpolicy.ActionCreate: rbacTrait{},
+	rbacpolicy.ActionGet:    rbacTrait{},
+	rbacpolicy.ActionDelete: rbacTrait{},
 }
 
 var applicationsActions = actionTraitMap{
-	rbac.ActionCreate:   rbacTrait{},
-	rbac.ActionGet:      rbacTrait{},
-	rbac.ActionUpdate:   rbacTrait{allowPath: true},
-	rbac.ActionDelete:   rbacTrait{allowPath: true},
-	rbac.ActionAction:   rbacTrait{allowPath: true},
-	rbac.ActionOverride: rbacTrait{},
-	rbac.ActionSync:     rbacTrait{},
+	rbacpolicy.ActionCreate:   rbacTrait{},
+	rbacpolicy.ActionGet:      rbacTrait{},
+	rbacpolicy.ActionUpdate:   rbacTrait{allowPath: true},
+	rbacpolicy.ActionDelete:   rbacTrait{allowPath: true},
+	rbacpolicy.ActionAction:   rbacTrait{allowPath: true},
+	rbacpolicy.ActionOverride: rbacTrait{},
+	rbacpolicy.ActionSync:     rbacTrait{},
 }
 
 var accountsActions = actionTraitMap{
-	rbac.ActionCreate: rbacTrait{},
-	rbac.ActionUpdate: rbacTrait{},
+	rbacpolicy.ActionCreate: rbacTrait{},
+	rbacpolicy.ActionUpdate: rbacTrait{},
 }
 
 var execActions = actionTraitMap{
-	rbac.ActionCreate: rbacTrait{},
+	rbacpolicy.ActionCreate: rbacTrait{},
 }
 
 var logsActions = actionTraitMap{
-	rbac.ActionGet: rbacTrait{},
+	rbacpolicy.ActionGet: rbacTrait{},
 }
 
 var extensionActions = actionTraitMap{
-	rbac.ActionInvoke: rbacTrait{},
+	rbacpolicy.ActionInvoke: rbacTrait{},
 }
 
 // NewRBACCommand is the command for 'rbac'
@@ -216,7 +226,7 @@ argocd admin settings rbac can someuser create application 'default/app' --defau
 			// even if there is no explicit RBAC allow, or if there is an explicit RBAC deny)
 			var isLogRbacEnforced func() bool
 			if nsOverride && policyFile == "" {
-				if resolveRBACResourceName(resource) == rbac.ResourceLogs {
+				if resolveRBACResourceName(resource) == rbacpolicy.ResourceLogs {
 					isLogRbacEnforced = func() bool {
 						if opts, ok := cmdCtx.(*settingsOpts); ok {
 							opts.loadClusterSettings = true
@@ -238,11 +248,12 @@ argocd admin settings rbac can someuser create application 'default/app' --defau
 					fmt.Println("Yes")
 				}
 				os.Exit(0)
+			} else {
+				if !quiet {
+					fmt.Println("No")
+				}
+				os.Exit(1)
 			}
-			if !quiet {
-				fmt.Println("No")
-			}
-			os.Exit(1)
 		},
 	}
 	clientConfig = cli.AddKubectlFlagsToCmd(command)
@@ -310,11 +321,13 @@ argocd admin settings rbac validate --namespace argocd
 				if err := rbac.ValidatePolicy(userPolicy); err == nil {
 					fmt.Printf("Policy is valid.\n")
 					os.Exit(0)
+				} else {
+					fmt.Printf("Policy is invalid: %v\n", err)
+					os.Exit(1)
 				}
-				fmt.Printf("Policy is invalid: %v\n", err)
-				os.Exit(1)
+			} else {
+				log.Fatalf("Policy is empty or could not be loaded.")
 			}
-			log.Fatalf("Policy is empty or could not be loaded.")
 		},
 	}
 	clientConfig = cli.AddKubectlFlagsToCmd(command)
@@ -389,7 +402,7 @@ func getPolicyFromConfigMap(cm *corev1.ConfigMap) (string, string, string) {
 
 // getPolicyConfigMap fetches the RBAC config map from K8s cluster
 func getPolicyConfigMap(ctx context.Context, client kubernetes.Interface, namespace string) (*corev1.ConfigMap, error) {
-	cm, err := client.CoreV1().ConfigMaps(namespace).Get(ctx, common.ArgoCDRBACConfigMapName, metav1.GetOptions{})
+	cm, err := client.CoreV1().ConfigMaps(namespace).Get(ctx, common.ArgoCDRBACConfigMapName, v1.GetOptions{})
 	if err != nil {
 		return nil, err
 	}
@@ -435,12 +448,12 @@ func checkPolicy(subject, action, resource, subResource, builtinPolicy, userPoli
 	// Some project scoped resources have a special notation - for simplicity's sake,
 	// if user gives no sub-resource (or specifies simple '*'), we construct
 	// the required notation by setting subresource to '*/*'.
-	if rbac.ProjectScoped[realResource] {
+	if projectScoped[realResource] {
 		if subResource == "*" || subResource == "" {
 			subResource = "*/*"
 		}
 	}
-	if realResource == rbac.ResourceLogs {
+	if realResource == rbacpolicy.ResourceLogs {
 		if isLogRbacEnforced != nil && !isLogRbacEnforced() {
 			return true
 		}
@@ -453,8 +466,9 @@ func checkPolicy(subject, action, resource, subResource, builtinPolicy, userPoli
 func resolveRBACResourceName(name string) string {
 	if res, ok := resourceMap[name]; ok {
 		return res
+	} else {
+		return name
 	}
-	return name
 }
 
 // validateRBACResourceAction checks whether a given resource is a valid RBAC resource.

cmd/argocd/commands/admin/settings_rbac_test.go

@@ -7,15 +7,14 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 
-	"github.com/argoproj/argo-cd/v2/util/rbac"
-
+	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
 	"github.com/argoproj/argo-cd/v2/util/assets"
 )
 
@@ -57,8 +56,8 @@ func Test_validateRBACResourceAction(t *testing.T) {
 		{
 			name: "Test valid resource and action",
 			args: args{
-				resource: rbac.ResourceApplications,
-				action:   rbac.ActionCreate,
+				resource: rbacpolicy.ResourceApplications,
+				action:   rbacpolicy.ActionCreate,
 			},
 			valid: true,
 		},
@@ -72,7 +71,7 @@ func Test_validateRBACResourceAction(t *testing.T) {
 		{
 			name: "Test invalid action",
 			args: args{
-				resource: rbac.ResourceApplications,
+				resource: rbacpolicy.ResourceApplications,
 				action:   "invalid",
 			},
 			valid: false,
@@ -80,24 +79,24 @@ func Test_validateRBACResourceAction(t *testing.T) {
 		{
 			name: "Test invalid action for resource",
 			args: args{
-				resource: rbac.ResourceLogs,
-				action:   rbac.ActionCreate,
+				resource: rbacpolicy.ResourceLogs,
+				action:   rbacpolicy.ActionCreate,
 			},
 			valid: false,
 		},
 		{
 			name: "Test valid action with path",
 			args: args{
-				resource: rbac.ResourceApplications,
-				action:   rbac.ActionAction + "/apps/Deployment/restart",
+				resource: rbacpolicy.ResourceApplications,
+				action:   rbacpolicy.ActionAction + "/apps/Deployment/restart",
 			},
 			valid: true,
 		},
 		{
 			name: "Test invalid action with path",
 			args: args{
-				resource: rbac.ResourceApplications,
-				action:   rbac.ActionGet + "/apps/Deployment/restart",
+				resource: rbacpolicy.ResourceApplications,
+				action:   rbacpolicy.ActionGet + "/apps/Deployment/restart",
 			},
 			valid: false,
 		},
@@ -148,7 +147,7 @@ func Test_PolicyFromK8s(t *testing.T) {
 	ctx := context.Background()
 
 	require.NoError(t, err)
-	kubeclientset := fake.NewClientset(&corev1.ConfigMap{
+	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "argocd-rbac-cm",
 			Namespace: "argocd",
@@ -281,7 +280,7 @@ p, role:user, logs, get, .*/.*, allow
 p, role:user, exec, create, .*/.*, allow
 `
 
-	kubeclientset := fake.NewClientset(&corev1.ConfigMap{
+	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "argocd-rbac-cm",
 			Namespace: "argocd",

cmd/argocd/commands/admin/settings_test.go

@@ -45,7 +45,7 @@ func captureStdout(callback func()) (string, error) {
 func newSettingsManager(data map[string]string) *settings.SettingsManager {
 	ctx := context.Background()
 
-	clientset := fake.NewClientset(&v1.ConfigMap{
+	clientset := fake.NewSimpleClientset(&v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: "default",
 			Name:      common.ArgoCDConfigMapName,

cmd/argocd/commands/app.go

@@ -2482,8 +2482,8 @@ func checkResourceStatus(watch watchOpts, healthStatus string, syncStatus string
 
 	synced := !watch.sync || syncStatus == string(argoappv1.SyncStatusCodeSynced)
 	operational := !watch.operation || operationStatus == nil
-	hydrated := !watch.hydrated || hydrationFinished
-	return synced && healthCheckPassed && operational && hydrated
+	hydration := !watch.hydrated || hydrationFinished
+	return synced && healthCheckPassed && operational && hydration
 }
 
 // resourceParentChild gets the latest state of the app and the latest state of the app's resource tree and then

cmd/argocd/commands/headless/headless.go

@@ -14,8 +14,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	corev1 "k8s.io/api/core/v1"
-	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	runtimeUtil "k8s.io/apimachinery/pkg/util/runtime"
 	"k8s.io/client-go/dynamic"
@@ -129,7 +128,7 @@ func (c *forwardRepoClientset) NewRepoServerClient() (io.Closer, repoapiclient.R
 		}
 		repoServerName := c.repoServerName
 		repoServererviceLabelSelector := common.LabelKeyComponentRepoServer + "=" + common.LabelValueComponentRepoServer
-		repoServerServices, err := c.kubeClientset.CoreV1().Services(c.namespace).List(context.Background(), metaV1.ListOptions{LabelSelector: repoServererviceLabelSelector})
+		repoServerServices, err := c.kubeClientset.CoreV1().Services(c.namespace).List(context.Background(), v1.ListOptions{LabelSelector: repoServererviceLabelSelector})
 		if err != nil {
 			c.err = err
 			return
@@ -177,7 +176,7 @@ func testAPI(ctx context.Context, clientOpts *apiclient.ClientOptions) error {
 //
 // If the clientOpts enables core mode, but the local config does not have core mode enabled, this function will
 // not start the local server.
-func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions, ctxStr string, port *int, address *string, clientConfig clientcmd.ClientConfig) error {
+func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions, ctxStr string, port *int, address *string, compression cache.RedisCompressionType, clientConfig clientcmd.ClientConfig) error {
 	if clientConfig == nil {
 		flags := pflag.NewFlagSet("tmp", pflag.ContinueOnError)
 		clientConfig = cli.AddKubectlFlagsToSet(flags)
@@ -244,10 +243,6 @@ func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOpti
 	if err != nil {
 		return fmt.Errorf("error adding argo resources to scheme: %w", err)
 	}
-	err = corev1.AddToScheme(scheme)
-	if err != nil {
-		return fmt.Errorf("error adding corev1 resources to scheme: %w", err)
-	}
 	controllerClientset, err := client.New(restConfig, client.Options{
 		Scheme: scheme,
 	})
@@ -270,7 +265,7 @@ func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOpti
 		log.Warnf("Failed to fetch & set redis password for namespace %s: %v", namespace, err)
 	}
 
-	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr, compression: cache.RedisCompressionType(clientOpts.RedisCompression), redisHaProxyName: clientOpts.RedisHaProxyName, redisName: clientOpts.RedisName, redisPassword: redisOptions.Password}), time.Hour)
+	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr, compression: compression, redisHaProxyName: clientOpts.RedisHaProxyName, redisName: clientOpts.RedisName, redisPassword: redisOptions.Password}), time.Hour)
 	srv := server.NewServer(ctx, server.ArgoCDServerOpts{
 		EnableGZip:              false,
 		Namespace:               namespace,
@@ -321,7 +316,7 @@ func NewClientOrDie(opts *apiclient.ClientOptions, c *cobra.Command) apiclient.C
 	ctxStr := initialize.RetrieveContextIfChanged(c.Flag("context"))
 	// If we're in core mode, start the API server on the fly and configure the client `opts` to use it.
 	// If we're not in core mode, this function call will do nothing.
-	err := MaybeStartLocalServer(ctx, opts, ctxStr, nil, nil, nil)
+	err := MaybeStartLocalServer(ctx, opts, ctxStr, nil, nil, cache.RedisCompressionNone, nil)
 	if err != nil {
 		log.Fatal(err)
 	}

cmd/argocd/commands/root.go

@@ -11,7 +11,6 @@ import (
 	cmdutil "github.com/argoproj/argo-cd/v2/cmd/util"
 	"github.com/argoproj/argo-cd/v2/common"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
-	"github.com/argoproj/argo-cd/v2/util/cache"
 	"github.com/argoproj/argo-cd/v2/util/cli"
 	"github.com/argoproj/argo-cd/v2/util/config"
 	"github.com/argoproj/argo-cd/v2/util/env"
@@ -88,7 +87,6 @@ func NewCommand() *cobra.Command {
 	command.PersistentFlags().StringVar(&clientOpts.RedisHaProxyName, "redis-haproxy-name", env.StringFromEnv(common.EnvRedisHaProxyName, common.DefaultRedisHaProxyName), fmt.Sprintf("Name of the Redis HA Proxy; set this or the %s environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart", common.EnvRedisHaProxyName))
 	command.PersistentFlags().StringVar(&clientOpts.RedisName, "redis-name", env.StringFromEnv(common.EnvRedisName, common.DefaultRedisName), fmt.Sprintf("Name of the Redis deployment; set this or the %s environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart", common.EnvRedisName))
 	command.PersistentFlags().StringVar(&clientOpts.RepoServerName, "repo-server-name", env.StringFromEnv(common.EnvRepoServerName, common.DefaultRepoServerName), fmt.Sprintf("Name of the Argo CD Repo server; set this or the %s environment variable when the server's name label differs from the default, for example when installing via the Helm chart", common.EnvRepoServerName))
-	command.PersistentFlags().StringVar(&clientOpts.RedisCompression, "redis-compress", env.StringFromEnv("REDIS_COMPRESSION", string(cache.RedisCompressionGZip)), "Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none)")
 	command.PersistentFlags().BoolVar(&clientOpts.PromptsEnabled, "prompts-enabled", localconfig.GetPromptsEnabled(true), "Force optional interactive prompts to be enabled or disabled, overriding local configuration. If not specified, the local configuration value will be used, which is false by default.")
 
 	clientOpts.KubeOverrides = &clientcmd.ConfigOverrides{}

cmd/argocd/commands/utils/prompt.go

@@ -53,7 +53,7 @@ func (p *Prompt) ConfirmBaseOnCount(messageForSingle string, messageForArray str
 	}
 
 	if count == 1 {
-		return p.Confirm(messageForSingle), false
+		return p.Confirm(messageForSingle), true
 	}
 
 	return p.ConfirmAll(messageForArray)

cmd/argocd/commands/utils/prompt_test.go

@@ -38,47 +38,11 @@ func TestConfirmBaseOnCountPromptDisabled(t *testing.T) {
 	assert.True(t, result2)
 }
 
-func TestConfirmBaseOnCount(t *testing.T) {
-	tests := []struct {
-		input  string
-		output bool
-		count  int
-	}{
-		{
-			input:  "y\n",
-			output: true,
-			count:  0,
-		},
-		{
-			input:  "y\n",
-			output: true,
-			count:  1,
-		},
-		{
-			input:  "n\n",
-			output: false,
-			count:  1,
-		},
-	}
-
-	origStdin := os.Stdin
-
-	for _, tt := range tests {
-		tmpFile, err := writeToStdin(tt.input)
-		require.NoError(t, err)
-		p := &Prompt{enabled: true}
-		result1, result2 := p.ConfirmBaseOnCount("Proceed?", "Proceed all?", tt.count)
-		assert.Equal(t, tt.output, result1)
-		if tt.count == 1 {
-			assert.False(t, result2)
-		} else {
-			assert.Equal(t, tt.output, result2)
-		}
-		_ = tmpFile.Close()
-		os.Remove(tmpFile.Name())
-	}
-
-	os.Stdin = origStdin
+func TestConfirmBaseOnCountZeroApps(t *testing.T) {
+	p := &Prompt{enabled: true}
+	result1, result2 := p.ConfirmBaseOnCount("Proceed?", "Process all?", 0)
+	assert.True(t, result1)
+	assert.True(t, result2)
 }
 
 func TestConfirmPrompt(t *testing.T) {
@@ -98,8 +62,8 @@ func TestConfirmPrompt(t *testing.T) {
 		p := &Prompt{enabled: true}
 		result := p.Confirm("Are you sure you want to run this command? (y/n) \n")
 		assert.Equal(t, c.output, result)
-		_ = tmpFile.Close()
 		os.Remove(tmpFile.Name())
+		_ = tmpFile.Close()
 	}
 
 	os.Stdin = origStdin
@@ -125,8 +89,8 @@ func TestConfirmAllPrompt(t *testing.T) {
 		confirm, confirmAll := p.ConfirmAll("Are you sure you want to run this command? (y/n) \n")
 		assert.Equal(t, c.confirm, confirm)
 		assert.Equal(t, c.confirmAll, confirmAll)
-		_ = tmpFile.Close()
 		os.Remove(tmpFile.Name())
+		_ = tmpFile.Close()
 	}
 
 	os.Stdin = origStdin

cmd/util/cluster_test.go

@@ -162,7 +162,7 @@ func TestGetKubePublicEndpoint(t *testing.T) {
 			if tc.clusterInfo != nil {
 				objects = append(objects, tc.clusterInfo)
 			}
-			clientset := fake.NewClientset(objects...)
+			clientset := fake.NewSimpleClientset(objects...)
 			endpoint, err := GetKubePublicEndpoint(clientset)
 			if tc.expectError {
 				require.Error(t, err)

cmd/util/repo.go

@@ -45,7 +45,7 @@ func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
 	command.Flags().StringVar(&opts.GithubAppPrivateKeyPath, "github-app-private-key-path", "", "private key of the GitHub Application")
 	command.Flags().StringVar(&opts.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
 	command.Flags().StringVar(&opts.Proxy, "proxy", "", "use proxy to access repository")
-	command.Flags().StringVar(&opts.NoProxy, "no-proxy", "", "don't access these targets via proxy")
+	command.Flags().StringVar(&opts.Proxy, "no-proxy", "", "don't access these targets via proxy")
 	command.Flags().StringVar(&opts.GCPServiceAccountKeyPath, "gcp-service-account-key-path", "", "service account key for the Google Cloud Platform")
 	command.Flags().BoolVar(&opts.ForceHttpBasicAuth, "force-http-basic-auth", false, "whether to force use of basic auth when connecting repository via HTTP")
 }

common/common_test.go

@@ -92,7 +92,7 @@ func TestSetOptionalRedisPasswordFromKubeConfig(t *testing.T) {
 			t.Parallel()
 			var (
 				ctx          = context.TODO()
-				kubeClient   = kubefake.NewClientset()
+				kubeClient   = kubefake.NewSimpleClientset()
 				redisOptions = &redis.Options{}
 			)
 			if tc.secret != nil {

controller/appcontroller.go

@@ -309,7 +309,7 @@ func NewApplicationController(
 		}
 	}
 	stateCache := statecache.NewLiveStateCache(db, appInformer, ctrl.settingsMgr, kubectl, ctrl.metricsServer, ctrl.handleObjectUpdated, clusterSharding, argo.NewResourceTracking())
-	appStateManager := NewAppStateManager(db, applicationClientset, repoClientset, namespace, kubectl, ctrl.onKubectlRun, ctrl.settingsMgr, stateCache, projInformer, ctrl.metricsServer, argoCache, ctrl.statusRefreshTimeout, argo.NewResourceTracking(), persistResourceHealth, repoErrorGracePeriod, serverSideDiff, ignoreNormalizerOpts)
+	appStateManager := NewAppStateManager(db, applicationClientset, repoClientset, namespace, kubectl, ctrl.settingsMgr, stateCache, projInformer, ctrl.metricsServer, argoCache, ctrl.statusRefreshTimeout, argo.NewResourceTracking(), persistResourceHealth, repoErrorGracePeriod, serverSideDiff, ignoreNormalizerOpts)
 	ctrl.appInformer = appInformer
 	ctrl.appLister = appLister
 	ctrl.projInformer = projInformer
@@ -940,7 +940,7 @@ func (ctrl *ApplicationController) requestAppRefresh(appName string, compareWith
 	key := ctrl.toAppKey(appName)
 
 	if compareWith != nil && after != nil {
-		ctrl.appComparisonTypeRefreshQueue.AddAfter(fmt.Sprintf("%s/%d", key, *compareWith), *after)
+		ctrl.appComparisonTypeRefreshQueue.AddAfter(fmt.Sprintf("%s/%d", key, compareWith), *after)
 	} else {
 		if compareWith != nil {
 			ctrl.refreshRequestedAppsMutex.Lock()
@@ -2103,7 +2103,9 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 		InitiatedBy: appv1.OperationInitiator{Automated: true},
 		Retry:       appv1.RetryStrategy{Limit: 5},
 	}
-
+	if app.Status.OperationState != nil && app.Status.OperationState.Operation.Sync != nil {
+		op.Sync.SelfHealAttemptsCount = app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount
+	}
 	if app.Spec.SyncPolicy.Retry != nil {
 		op.Retry = *app.Spec.SyncPolicy.Retry
 	}
@@ -2119,18 +2121,8 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 		}
 		logCtx.Infof("Skipping auto-sync: most recent sync already to %s", desiredCommitSHA)
 		return nil, 0
-	} else if selfHeal {
-		shouldSelfHeal, retryAfter := ctrl.shouldSelfHeal(app, alreadyAttempted)
-		if app.Status.OperationState != nil && app.Status.OperationState.Operation.Sync != nil {
-			op.Sync.SelfHealAttemptsCount = app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount
-		}
-
-		if alreadyAttempted {
-			if !shouldSelfHeal {
-				logCtx.Infof("Skipping auto-sync: already attempted sync to %s with timeout %v (retrying in %v)", desiredCommitSHA, ctrl.selfHealTimeout, retryAfter)
-				ctrl.requestAppRefresh(app.QualifiedName(), CompareWithLatest.Pointer(), &retryAfter)
-				return nil, 0
-			}
+	} else if alreadyAttempted && selfHeal {
+		if shouldSelfHeal, retryAfter := ctrl.shouldSelfHeal(app); shouldSelfHeal {
 			op.Sync.SelfHealAttemptsCount++
 			for _, resource := range resources {
 				if resource.Status != appv1.SyncStatusCodeSynced {
@@ -2141,6 +2133,10 @@ func (ctrl *ApplicationController) autoSync(app *appv1.Application, syncStatus *
 					})
 				}
 			}
+		} else {
+			logCtx.Infof("Skipping auto-sync: already attempted sync to %s with timeout %v (retrying in %v)", desiredCommitSHA, ctrl.selfHealTimeout, retryAfter)
+			ctrl.requestAppRefresh(app.QualifiedName(), CompareWithLatest.Pointer(), &retryAfter)
+			return nil, 0
 		}
 	}
 	ts.AddCheckpoint("already_attempted_check_ms")
@@ -2224,16 +2220,11 @@ func alreadyAttemptedSync(app *appv1.Application, commitSHA string, commitSHAsMS
 	}
 }
 
-func (ctrl *ApplicationController) shouldSelfHeal(app *appv1.Application, alreadyAttempted bool) (bool, time.Duration) {
+func (ctrl *ApplicationController) shouldSelfHeal(app *appv1.Application) (bool, time.Duration) {
 	if app.Status.OperationState == nil {
 		return true, time.Duration(0)
 	}
 
-	// Reset counter if the prior sync was successful OR if the revision has changed
-	if !alreadyAttempted || app.Status.Sync.Status == appv1.SyncStatusCodeSynced {
-		app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount = 0
-	}
-
 	var retryAfter time.Duration
 	if ctrl.selfHealBackOff == nil {
 		if app.Status.OperationState.FinishedAt == nil {
@@ -2245,8 +2236,7 @@ func (ctrl *ApplicationController) shouldSelfHeal(app *appv1.Application, alread
 		backOff := *ctrl.selfHealBackOff
 		backOff.Steps = int(app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount)
 		var delay time.Duration
-		steps := backOff.Steps
-		for i := 0; i < steps; i++ {
+		for backOff.Steps > 0 {
 			delay = backOff.Step()
 		}
 		if app.Status.OperationState.FinishedAt == nil {

controller/appcontroller_test.go

@@ -151,7 +151,7 @@ func newFakeControllerWithResync(data *fakeData, appResyncPeriod time.Duration,
 	}
 	runtimeObjs := []runtime.Object{&clust, &secret, &cm}
 	runtimeObjs = append(runtimeObjs, data.additionalObjs...)
-	kubeClient := fake.NewClientset(runtimeObjs...)
+	kubeClient := fake.NewSimpleClientset(runtimeObjs...)
 	settingsMgr := settings.NewSettingsManager(context.Background(), kubeClient, test.FakeArgoCDNamespace)
 	kubectl := &MockKubectl{Kubectl: &kubetest.MockKubectlCmd{}}
 	ctrl, err := NewApplicationController(
@@ -1409,25 +1409,6 @@ func TestNeedRefreshAppStatus(t *testing.T) {
 				assert.Equal(t, CompareWithRecent, compareWith)
 			})
 
-			t.Run("requesting refresh with delay gives correct compression level", func(t *testing.T) {
-				needRefresh, _, _ := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-				assert.False(t, needRefresh)
-
-				// use a one-off controller so other tests don't have a manual refresh request
-				ctrl := newFakeController(&fakeData{apps: []runtime.Object{}}, nil)
-
-				// refresh app with a non-nil delay
-				// use zero-second delay to test the add later logic without waiting in the test
-				delay := time.Duration(0)
-				ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), &delay)
-
-				ctrl.processAppComparisonTypeQueueItem()
-				needRefresh, refreshType, compareWith := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-				assert.True(t, needRefresh)
-				assert.Equal(t, v1alpha1.RefreshTypeNormal, refreshType)
-				assert.Equal(t, CompareWithRecent, compareWith)
-			})
-
 			t.Run("refresh application which status is not reconciled using latest commit", func(t *testing.T) {
 				app := app.DeepCopy()
 				needRefresh, _, _ := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
@@ -2533,7 +2514,7 @@ func TestSelfHealExponentialBackoff(t *testing.T) {
 	ctrl.selfHealBackOff = &wait.Backoff{
 		Factor:   3,
 		Duration: 2 * time.Second,
-		Cap:      2 * time.Minute,
+		Cap:      5 * time.Minute,
 	}
 
 	app := &v1alpha1.Application{
@@ -2548,84 +2529,29 @@ func TestSelfHealExponentialBackoff(t *testing.T) {
 
 	testCases := []struct {
 		attempts         int64
-		expectedAttempts int64
 		finishedAt       *metav1.Time
 		expectedDuration time.Duration
 		shouldSelfHeal   bool
-		alreadyAttempted bool
-		syncStatus       v1alpha1.SyncStatusCode
 	}{{
 		attempts:         0,
 		finishedAt:       ptr.To(metav1.Now()),
 		expectedDuration: 0,
 		shouldSelfHeal:   true,
-		alreadyAttempted: true,
-		expectedAttempts: 0,
-		syncStatus:       v1alpha1.SyncStatusCodeOutOfSync,
 	}, {
 		attempts:         1,
 		finishedAt:       ptr.To(metav1.Now()),
 		expectedDuration: 2 * time.Second,
 		shouldSelfHeal:   false,
-		alreadyAttempted: true,
-		expectedAttempts: 1,
-		syncStatus:       v1alpha1.SyncStatusCodeOutOfSync,
 	}, {
 		attempts:         2,
 		finishedAt:       ptr.To(metav1.Now()),
 		expectedDuration: 6 * time.Second,
 		shouldSelfHeal:   false,
-		alreadyAttempted: true,
-		expectedAttempts: 2,
-		syncStatus:       v1alpha1.SyncStatusCodeOutOfSync,
 	}, {
 		attempts:         3,
 		finishedAt:       nil,
 		expectedDuration: 18 * time.Second,
 		shouldSelfHeal:   false,
-		alreadyAttempted: true,
-		expectedAttempts: 3,
-		syncStatus:       v1alpha1.SyncStatusCodeOutOfSync,
-	}, {
-		attempts:         4,
-		finishedAt:       nil,
-		expectedDuration: 54 * time.Second,
-		shouldSelfHeal:   false,
-		alreadyAttempted: true,
-		expectedAttempts: 4,
-		syncStatus:       v1alpha1.SyncStatusCodeOutOfSync,
-	}, {
-		attempts:         5,
-		finishedAt:       nil,
-		expectedDuration: 120 * time.Second,
-		shouldSelfHeal:   false,
-		alreadyAttempted: true,
-		expectedAttempts: 5,
-		syncStatus:       v1alpha1.SyncStatusCodeOutOfSync,
-	}, {
-		attempts:         6,
-		finishedAt:       nil,
-		expectedDuration: 120 * time.Second,
-		shouldSelfHeal:   false,
-		alreadyAttempted: true,
-		expectedAttempts: 6,
-		syncStatus:       v1alpha1.SyncStatusCodeOutOfSync,
-	}, {
-		attempts:         6,
-		finishedAt:       nil,
-		expectedDuration: 0,
-		shouldSelfHeal:   true,
-		alreadyAttempted: false,
-		expectedAttempts: 0,
-		syncStatus:       v1alpha1.SyncStatusCodeOutOfSync,
-	}, {
-		attempts:         6,
-		finishedAt:       nil,
-		expectedDuration: 0,
-		shouldSelfHeal:   true,
-		alreadyAttempted: true,
-		expectedAttempts: 0,
-		syncStatus:       v1alpha1.SyncStatusCodeSynced,
 	}}
 
 	for i := range testCases {
@@ -2633,10 +2559,8 @@ func TestSelfHealExponentialBackoff(t *testing.T) {
 		t.Run(fmt.Sprintf("test case %d", i), func(t *testing.T) {
 			app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount = tc.attempts
 			app.Status.OperationState.FinishedAt = tc.finishedAt
-			app.Status.Sync.Status = tc.syncStatus
-			ok, duration := ctrl.shouldSelfHeal(app, tc.alreadyAttempted)
+			ok, duration := ctrl.shouldSelfHeal(app)
 			require.Equal(t, ok, tc.shouldSelfHeal)
-			require.Equal(t, tc.expectedAttempts, app.Status.OperationState.Operation.Sync.SelfHealAttemptsCount)
 			assertDurationAround(t, tc.expectedDuration, duration)
 		})
 	}

controller/cache/cache.go

@@ -69,12 +69,6 @@ const (
 	// EnvClusterCacheRetryUseBackoff is the env variable to control whether to use a backoff strategy with the retry during cluster cache sync
 	EnvClusterCacheRetryUseBackoff = "ARGOCD_CLUSTER_CACHE_RETRY_USE_BACKOFF"
 
-	// EnvClusterCacheBatchEventsProcessing is the env variable to control whether to enable batch events processing
-	EnvClusterCacheBatchEventsProcessing = "ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING"
-
-	// EnvClusterCacheEventsProcessingInterval is the env variable to control the interval between processing events when BatchEventsProcessing is enabled
-	EnvClusterCacheEventsProcessingInterval = "ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL"
-
 	// AnnotationIgnoreResourceUpdates when set to true on an untracked resource,
 	// argo will apply `ignoreResourceUpdates` configuration on it.
 	AnnotationIgnoreResourceUpdates = "argocd.argoproj.io/ignore-resource-updates"
@@ -109,12 +103,6 @@ var (
 
 	// clusterCacheRetryUseBackoff specifies whether to use a backoff strategy on cluster cache sync, if retry is enabled
 	clusterCacheRetryUseBackoff bool = false
-
-	// clusterCacheBatchEventsProcessing specifies whether to enable batch events processing
-	clusterCacheBatchEventsProcessing bool = false
-
-	// clusterCacheEventsProcessingInterval specifies the interval between processing events when BatchEventsProcessing is enabled
-	clusterCacheEventsProcessingInterval = 100 * time.Millisecond
 )
 
 func init() {
@@ -126,8 +114,6 @@ func init() {
 	clusterCacheListSemaphoreSize = env.ParseInt64FromEnv(EnvClusterCacheListSemaphore, clusterCacheListSemaphoreSize, 0, math.MaxInt64)
 	clusterCacheAttemptLimit = int32(env.ParseNumFromEnv(EnvClusterCacheAttemptLimit, int(clusterCacheAttemptLimit), 1, math.MaxInt32))
 	clusterCacheRetryUseBackoff = env.ParseBoolFromEnv(EnvClusterCacheRetryUseBackoff, false)
-	clusterCacheBatchEventsProcessing = env.ParseBoolFromEnv(EnvClusterCacheBatchEventsProcessing, false)
-	clusterCacheEventsProcessingInterval = env.ParseDurationFromEnv(EnvClusterCacheEventsProcessingInterval, clusterCacheEventsProcessingInterval, 0, math.MaxInt64)
 }
 
 type LiveStateCache interface {
@@ -568,8 +554,6 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetLogr(logutils.NewLogrusLogger(log.WithField("server", cluster.Server))),
 		clustercache.SetRetryOptions(clusterCacheAttemptLimit, clusterCacheRetryUseBackoff, isRetryableError),
 		clustercache.SetRespectRBAC(respectRBAC),
-		clustercache.SetBatchEventsProcessing(clusterCacheBatchEventsProcessing),
-		clustercache.SetEventProcessingInterval(clusterCacheEventsProcessingInterval),
 	}
 
 	clusterCache = clustercache.NewClusterCache(clusterCacheConfig, clusterCacheOpts...)
@@ -624,10 +608,6 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		c.metricsServer.IncClusterEventsCount(cluster.Server, gvk.Group, gvk.Kind)
 	})
 
-	_ = clusterCache.OnProcessEventsHandler(func(duration time.Duration, processedEventsNumber int) {
-		c.metricsServer.ObserveResourceEventsProcessingDuration(cluster.Server, duration, processedEventsNumber)
-	})
-
 	c.clusters[server] = clusterCache
 
 	return clusterCache, nil

controller/cache/cache_test.go

@@ -140,7 +140,7 @@ func TestHandleDeleteEvent_CacheDeadlock(t *testing.T) {
 	}
 	db := &dbmocks.ArgoDB{}
 	db.On("GetApplicationControllerReplicas").Return(1)
-	fakeClient := fake.NewClientset()
+	fakeClient := fake.NewSimpleClientset()
 	settingsMgr := argosettings.NewSettingsManager(context.TODO(), fakeClient, "argocd")
 	liveStateCacheLock := sync.RWMutex{}
 	gitopsEngineClusterCache := &mocks.ClusterCache{}

controller/clusterinfoupdater_test.go

@@ -67,7 +67,7 @@ func TestClusterSecretUpdater(t *testing.T) {
 			"server.secretkey": nil,
 		},
 	}
-	kubeclientset := fake.NewClientset(emptyArgoCDConfigMap, argoCDSecret)
+	kubeclientset := fake.NewSimpleClientset(emptyArgoCDConfigMap, argoCDSecret)
 	appclientset := appsfake.NewSimpleClientset()
 	appInformer := appinformers.NewApplicationInformer(appclientset, "", time.Minute, cache.Indexers{})
 	settingsManager := settings.NewSettingsManager(context.Background(), kubeclientset, fakeNamespace)

controller/hydrator/hydrator.go

@@ -27,7 +27,8 @@ type Dependencies interface {
 	GetProcessableApps() (*appv1.ApplicationList, error)
 	GetRepoObjs(app *appv1.Application, source appv1.ApplicationSource, revision string, project *appv1.AppProject) ([]*unstructured.Unstructured, *apiclient.ManifestResponse, error)
 	GetWriteCredentials(ctx context.Context, repoURL string, project string) (*appv1.Repository, error)
-	RequestAppRefresh(appName string, appNamespace string) error
+	ResolveGitRevision(repoURL, targetRevision string) (string, error)
+	RequestAppRefresh(appName string)
 	// TODO: only allow access to the hydrator status
 	PersistAppHydratorStatus(orig *appv1.Application, newStatus *appv1.SourceHydratorStatus)
 	AddHydrationQueueItem(key HydrationQueueKey)
@@ -59,15 +60,27 @@ func (h *Hydrator) ProcessAppHydrateQueueItem(origApp *appv1.Application) {
 
 	logCtx.Debug("Processing app hydrate queue item")
 
+	// If we're using a source hydrator, see if the dry source has changed.
+	latestRevision, err := h.dependencies.ResolveGitRevision(app.Spec.SourceHydrator.DrySource.RepoURL, app.Spec.SourceHydrator.DrySource.TargetRevision)
+	if err != nil {
+		logCtx.Errorf("Failed to check whether dry source has changed, skipping: %v", err)
+		return
+	}
+
 	// TODO: don't reuse statusRefreshTimeout. Create a new timeout for hydration.
-	needsHydration, reason := appNeedsHydration(origApp, h.statusRefreshTimeout)
+	needsHydration, reason := appNeedsHydration(origApp, h.statusRefreshTimeout, latestRevision)
 	if !needsHydration {
 		return
 	}
+	if latestRevision == "" {
+		logCtx.Errorf("Dry source has not been resolved, skipping")
+		return
+	}
 
 	logCtx.WithField("reason", reason).Info("Hydrating app")
 
 	app.Status.SourceHydrator.CurrentOperation = &appv1.HydrateOperation{
+		DrySHA:         latestRevision,
 		StartedAt:      metav1.Now(),
 		FinishedAt:     nil,
 		Phase:          appv1.HydrateOperationPhaseHydrating,
@@ -125,10 +138,7 @@ func (h *Hydrator) ProcessHydrationQueueItem(hydrationKey HydrationQueueKey) (pr
 			app.Status.SourceHydrator.CurrentOperation.Phase = appv1.HydrateOperationPhaseFailed
 			failedAt := metav1.Now()
 			app.Status.SourceHydrator.CurrentOperation.FinishedAt = &failedAt
-			app.Status.SourceHydrator.CurrentOperation.Message = fmt.Sprintf("Failed to hydrate revision %q: %v", drySHA, err.Error())
-			// We may or may not have gotten far enough in the hydration process to get a non-empty SHA, but set it just
-			// in case we did.
-			app.Status.SourceHydrator.CurrentOperation.DrySHA = drySHA
+			app.Status.SourceHydrator.CurrentOperation.Message = fmt.Sprintf("Failed to hydrated revision %s: %v", drySHA, err.Error())
 			h.dependencies.PersistAppHydratorStatus(origApp, &app.Status.SourceHydrator)
 			logCtx = logCtx.WithField("app", app.QualifiedName())
 			logCtx.Errorf("Failed to hydrate app: %v", err)
@@ -156,10 +166,7 @@ func (h *Hydrator) ProcessHydrationQueueItem(hydrationKey HydrationQueueKey) (pr
 		}
 		h.dependencies.PersistAppHydratorStatus(origApp, &app.Status.SourceHydrator)
 		// Request a refresh since we pushed a new commit.
-		err := h.dependencies.RequestAppRefresh(app.Name, app.Namespace)
-		if err != nil {
-			logCtx.WithField("app", app.QualifiedName()).WithError(err).Error("Failed to request app refresh after hydration")
-		}
+		h.dependencies.RequestAppRefresh(app.QualifiedName())
 	}
 	return
 }
@@ -170,7 +177,12 @@ func (h *Hydrator) hydrateAppsLatestCommit(logCtx *log.Entry, hydrationKey Hydra
 		return nil, "", "", fmt.Errorf("failed to get relevant apps for hydration: %w", err)
 	}
 
-	dryRevision, hydratedRevision, err := h.hydrate(logCtx, relevantApps)
+	dryRevision, err := h.dependencies.ResolveGitRevision(hydrationKey.SourceRepoURL, hydrationKey.SourceTargetRevision)
+	if err != nil {
+		return relevantApps, "", "", fmt.Errorf("failed to resolve dry revision: %w", err)
+	}
+
+	hydratedRevision, err := h.hydrate(logCtx, relevantApps, dryRevision)
 	if err != nil {
 		return relevantApps, dryRevision, "", fmt.Errorf("failed to hydrate apps: %w", err)
 	}
@@ -233,21 +245,20 @@ func (h *Hydrator) getRelevantAppsForHydration(logCtx *log.Entry, hydrationKey H
 	return relevantApps, nil
 }
 
-func (h *Hydrator) hydrate(logCtx *log.Entry, apps []*appv1.Application) (string, string, error) {
+func (h *Hydrator) hydrate(logCtx *log.Entry, apps []*appv1.Application, revision string) (string, error) {
 	if len(apps) == 0 {
-		return "", "", nil
+		return "", nil
 	}
 	repoURL := apps[0].Spec.SourceHydrator.DrySource.RepoURL
 	syncBranch := apps[0].Spec.SourceHydrator.SyncSource.TargetBranch
 	targetBranch := apps[0].Spec.GetHydrateToSource().TargetRevision
 	var paths []*commitclient.PathDetails
 	projects := make(map[string]bool, len(apps))
-	var targetRevision string
 	// TODO: parallelize this loop
 	for _, app := range apps {
 		project, err := h.dependencies.GetProcessableAppProj(app)
 		if err != nil {
-			return "", "", fmt.Errorf("failed to get project: %w", err)
+			return "", fmt.Errorf("failed to get project: %w", err)
 		}
 		projects[project.Name] = true
 		drySource := appv1.ApplicationSource{
@@ -255,26 +266,20 @@ func (h *Hydrator) hydrate(logCtx *log.Entry, apps []*appv1.Application) (string
 			Path:           app.Spec.SourceHydrator.DrySource.Path,
 			TargetRevision: app.Spec.SourceHydrator.DrySource.TargetRevision,
 		}
-		if targetRevision == "" {
-			targetRevision = app.Spec.SourceHydrator.DrySource.TargetRevision
-		}
+		targetRevision := app.Spec.SourceHydrator.DrySource.TargetRevision
 
 		// TODO: enable signature verification
 		objs, resp, err := h.dependencies.GetRepoObjs(app, drySource, targetRevision, project)
 		if err != nil {
-			return "", "", fmt.Errorf("failed to get repo objects: %w", err)
+			return "", fmt.Errorf("failed to get repo objects: %w", err)
 		}
 
-		// This should be the DRY SHA. We set it here so that after processing the first app, all apps are hydrated
-		// using the same SHA.
-		targetRevision = resp.Revision
-
 		// Set up a ManifestsRequest
 		manifestDetails := make([]*commitclient.HydratedManifestDetails, len(objs))
 		for i, obj := range objs {
 			objJson, err := json.Marshal(obj)
 			if err != nil {
-				return "", "", fmt.Errorf("failed to marshal object: %w", err)
+				return "", fmt.Errorf("failed to marshal object: %w", err)
 			}
 			manifestDetails[i] = &commitclient.HydratedManifestDetails{ManifestJSON: string(objJson)}
 		}
@@ -297,7 +302,7 @@ func (h *Hydrator) hydrate(logCtx *log.Entry, apps []*appv1.Application) (string
 
 	repo, err := h.dependencies.GetWriteCredentials(context.Background(), repoURL, project)
 	if err != nil {
-		return "", "", fmt.Errorf("failed to get hydrator credentials: %w", err)
+		return "", fmt.Errorf("failed to get hydrator credentials: %w", err)
 	}
 	if repo == nil {
 		// Try without credentials.
@@ -311,25 +316,25 @@ func (h *Hydrator) hydrate(logCtx *log.Entry, apps []*appv1.Application) (string
 		Repo:          repo,
 		SyncBranch:    syncBranch,
 		TargetBranch:  targetBranch,
-		DrySha:        targetRevision,
-		CommitMessage: fmt.Sprintf("[Argo CD Bot] hydrate %s", targetRevision),
+		DrySha:        revision,
+		CommitMessage: fmt.Sprintf("[Argo CD Bot] hydrate %s", revision),
 		Paths:         paths,
 	}
 
 	closer, commitService, err := h.commitClientset.NewCommitServerClient()
 	if err != nil {
-		return targetRevision, "", fmt.Errorf("failed to create commit service: %w", err)
+		return "", fmt.Errorf("failed to create commit service: %w", err)
 	}
 	defer argoio.Close(closer)
 	resp, err := commitService.CommitHydratedManifests(context.Background(), &manifestsRequest)
 	if err != nil {
-		return targetRevision, "", fmt.Errorf("failed to commit hydrated manifests: %w", err)
+		return "", fmt.Errorf("failed to commit hydrated manifests: %w", err)
 	}
-	return targetRevision, resp.HydratedSha, nil
+	return resp.HydratedSha, nil
 }
 
 // appNeedsHydration answers if application needs manifests hydrated.
-func appNeedsHydration(app *appv1.Application, statusHydrateTimeout time.Duration) (needsHydration bool, reason string) {
+func appNeedsHydration(app *appv1.Application, statusHydrateTimeout time.Duration, latestRevision string) (needsHydration bool, reason string) {
 	if app.Spec.SourceHydrator == nil {
 		return false, "source hydrator not configured"
 	}
@@ -345,6 +350,8 @@ func appNeedsHydration(app *appv1.Application, statusHydrateTimeout time.Duratio
 		return true, "no previous hydrate operation"
 	} else if !app.Spec.SourceHydrator.DeepEquals(app.Status.SourceHydrator.CurrentOperation.SourceHydrator) {
 		return true, "spec.sourceHydrator differs"
+	} else if app.Status.SourceHydrator.CurrentOperation.DrySHA != latestRevision {
+		return true, "revision differs"
 	} else if app.Status.SourceHydrator.CurrentOperation.Phase == appv1.HydrateOperationPhaseFailed && metav1.Now().Sub(app.Status.SourceHydrator.CurrentOperation.FinishedAt.Time) > 2*time.Minute {
 		return true, "previous hydrate operation failed more than 2 minutes ago"
 	} else if hydratedAt == nil || hydratedAt.Add(statusHydrateTimeout).Before(time.Now().UTC()) {

controller/hydrator/hydrator_test.go

@@ -17,17 +17,16 @@ func Test_appNeedsHydration(t *testing.T) {
 	oneHourAgo := metav1.NewTime(now.Add(-1 * time.Hour))
 
 	testCases := []struct {
-		name                   string
-		app                    *v1alpha1.Application
-		timeout                time.Duration
-		expectedNeedsHydration bool
-		expectedMessage        string
+		name           string
+		app            *v1alpha1.Application
+		timeout        time.Duration
+		latestRevision string
+		expected       string
 	}{
 		{
-			name:                   "source hydrator not configured",
-			app:                    &v1alpha1.Application{},
-			expectedNeedsHydration: false,
-			expectedMessage:        "source hydrator not configured",
+			name:     "source hydrator not configured",
+			app:      &v1alpha1.Application{},
+			expected: "source hydrator not configured",
 		},
 		{
 			name: "hydrate requested",
@@ -35,18 +34,18 @@ func Test_appNeedsHydration(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Annotations: map[string]string{v1alpha1.AnnotationKeyHydrate: "normal"}},
 				Spec:       v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
 			},
-			timeout:                1 * time.Hour,
-			expectedNeedsHydration: true,
-			expectedMessage:        "hydrate requested",
+			timeout:        1 * time.Hour,
+			latestRevision: "abc123",
+			expected:       "hydrate requested",
 		},
 		{
 			name: "no previous hydrate operation",
 			app: &v1alpha1.Application{
 				Spec: v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
 			},
-			timeout:                1 * time.Hour,
-			expectedNeedsHydration: true,
-			expectedMessage:        "no previous hydrate operation",
+			timeout:        1 * time.Hour,
+			latestRevision: "abc123",
+			expected:       "no previous hydrate operation",
 		},
 		{
 			name: "spec.sourceHydrator differs",
@@ -56,9 +55,19 @@ func Test_appNeedsHydration(t *testing.T) {
 					SourceHydrator: v1alpha1.SourceHydrator{DrySource: v1alpha1.DrySource{RepoURL: "something new"}},
 				}}},
 			},
-			timeout:                1 * time.Hour,
-			expectedNeedsHydration: true,
-			expectedMessage:        "spec.sourceHydrator differs",
+			timeout:        1 * time.Hour,
+			latestRevision: "abc123",
+			expected:       "spec.sourceHydrator differs",
+		},
+		{
+			name: "dry SHA has changed",
+			app: &v1alpha1.Application{
+				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
+				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{DrySHA: "xyz123"}}},
+			},
+			timeout:        1 * time.Hour,
+			latestRevision: "abc123",
+			expected:       "revision differs",
 		},
 		{
 			name: "hydration failed more than two minutes ago",
@@ -66,9 +75,9 @@ func Test_appNeedsHydration(t *testing.T) {
 				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
 				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{DrySHA: "abc123", FinishedAt: &oneHourAgo, Phase: v1alpha1.HydrateOperationPhaseFailed}}},
 			},
-			timeout:                1 * time.Hour,
-			expectedNeedsHydration: true,
-			expectedMessage:        "previous hydrate operation failed more than 2 minutes ago",
+			timeout:        1 * time.Hour,
+			latestRevision: "abc123",
+			expected:       "previous hydrate operation failed more than 2 minutes ago",
 		},
 		{
 			name: "timeout reached",
@@ -76,9 +85,9 @@ func Test_appNeedsHydration(t *testing.T) {
 				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
 				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{StartedAt: oneHourAgo}}},
 			},
-			timeout:                1 * time.Minute,
-			expectedNeedsHydration: true,
-			expectedMessage:        "hydration expired",
+			timeout:        1 * time.Minute,
+			latestRevision: "",
+			expected:       "hydration expired",
 		},
 		{
 			name: "hydrate not needed",
@@ -86,18 +95,20 @@ func Test_appNeedsHydration(t *testing.T) {
 				Spec:   v1alpha1.ApplicationSpec{SourceHydrator: &v1alpha1.SourceHydrator{}},
 				Status: v1alpha1.ApplicationStatus{SourceHydrator: v1alpha1.SourceHydratorStatus{CurrentOperation: &v1alpha1.HydrateOperation{DrySHA: "abc123", StartedAt: now, FinishedAt: &now, Phase: v1alpha1.HydrateOperationPhaseFailed}}},
 			},
-			timeout:                1 * time.Hour,
-			expectedNeedsHydration: false,
-			expectedMessage:        "",
+			timeout:        1 * time.Hour,
+			latestRevision: "abc123",
+			expected:       "",
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
-			needsHydration, message := appNeedsHydration(tc.app, tc.timeout)
-			assert.Equal(t, tc.expectedNeedsHydration, needsHydration)
-			assert.Equal(t, tc.expectedMessage, message)
+			needsHydration, result := appNeedsHydration(tc.app, tc.timeout, tc.latestRevision)
+			assert.Equal(t, tc.expected, result)
+			if !needsHydration {
+				assert.Empty(t, result)
+			}
 		})
 	}
 }

controller/hydrator_dependencies.go

@@ -7,7 +7,6 @@ import (
 	"github.com/argoproj/argo-cd/v2/controller/hydrator"
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
-	argoutil "github.com/argoproj/argo-cd/v2/util/argo"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -31,26 +30,17 @@ func (ctrl *ApplicationController) GetProcessableApps() (*appv1.ApplicationList,
 	return ctrl.getAppList(metav1.ListOptions{})
 }
 
-func (ctrl *ApplicationController) GetRepoObjs(origApp *appv1.Application, drySource appv1.ApplicationSource, revision string, project *appv1.AppProject) ([]*unstructured.Unstructured, *apiclient.ManifestResponse, error) {
-	drySources := []appv1.ApplicationSource{drySource}
-	dryRevisions := []string{revision}
+func (ctrl *ApplicationController) GetRepoObjs(app *appv1.Application, source appv1.ApplicationSource, revision string, project *appv1.AppProject) ([]*unstructured.Unstructured, *apiclient.ManifestResponse, error) {
+	sources := []appv1.ApplicationSource{source}
+	revisions := []string{revision}
 
 	appLabelKey, err := ctrl.settingsMgr.GetAppInstanceLabelKey()
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to get app instance label key: %w", err)
 	}
 
-	app := origApp.DeepCopy()
-	// Remove the manifest generate path annotation, because the feature will misbehave for apps using source hydrator.
-	// Setting this annotation causes GetRepoObjs to compare the dry source commit to the most recent synced commit. The
-	// problem is that the most recent synced commit is likely on the hydrated branch, not the dry branch. The
-	// comparison will throw an error and break hydration.
-	//
-	// The long-term solution will probably be to persist the synced _dry_ revision and use that for the comparison.
-	delete(app.Annotations, appv1.AnnotationKeyManifestGeneratePaths)
-
 	// FIXME: use cache and revision cache
-	objs, resp, _, err := ctrl.appStateManager.GetRepoObjs(app, drySources, appLabelKey, dryRevisions, true, true, false, project, false, false)
+	objs, resp, _, err := ctrl.appStateManager.GetRepoObjs(app, sources, appLabelKey, revisions, true, true, false, project, false, false)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to get repo objects: %w", err)
 	}
@@ -66,17 +56,12 @@ func (ctrl *ApplicationController) GetWriteCredentials(ctx context.Context, repo
 	return ctrl.db.GetWriteRepository(ctx, repoURL, project)
 }
 
-func (ctrl *ApplicationController) RequestAppRefresh(appName string, appNamespace string) error {
-	// We request a refresh by setting the annotation instead of by adding it to the refresh queue, because there is no
-	// guarantee that the hydrator is running on the same controller shard as is processing the application.
+func (ctrl *ApplicationController) ResolveGitRevision(repoURL, targetRevision string) (string, error) {
+	return ctrl.appStateManager.ResolveGitRevision(repoURL, targetRevision)
+}
 
-	// This function is called for each app after a hydrate operation is completed so that the app controller can pick
-	// up the newly-hydrated changes. So we set hydrate=false to avoid a hydrate loop.
-	_, err := argoutil.RefreshApp(ctrl.applicationClientset.ArgoprojV1alpha1().Applications(appNamespace), appName, appv1.RefreshTypeNormal, false)
-	if err != nil {
-		return fmt.Errorf("failed to request app refresh: %w", err)
-	}
-	return nil
+func (ctrl *ApplicationController) RequestAppRefresh(appName string) {
+	ctrl.requestAppRefresh(appName, CompareWithLatest.Pointer(), nil)
 }
 
 func (ctrl *ApplicationController) PersistAppHydratorStatus(orig *appv1.Application, newStatus *appv1.SourceHydratorStatus) {

controller/log_utils.go

@@ -0,0 +1 @@
+package controller

controller/metrics/metrics.go

@@ -30,20 +30,18 @@ import (
 
 type MetricsServer struct {
 	*http.Server
-	syncCounter                       *prometheus.CounterVec
-	kubectlExecCounter                *prometheus.CounterVec
-	kubectlExecPendingGauge           *prometheus.GaugeVec
-	orphanedResourcesGauge            *prometheus.GaugeVec
-	k8sRequestCounter                 *prometheus.CounterVec
-	clusterEventsCounter              *prometheus.CounterVec
-	redisRequestCounter               *prometheus.CounterVec
-	reconcileHistogram                *prometheus.HistogramVec
-	redisRequestHistogram             *prometheus.HistogramVec
-	resourceEventsProcessingHistogram *prometheus.HistogramVec
-	resourceEventsNumberGauge         *prometheus.GaugeVec
-	registry                          *prometheus.Registry
-	hostname                          string
-	cron                              *cron.Cron
+	syncCounter             *prometheus.CounterVec
+	kubectlExecCounter      *prometheus.CounterVec
+	kubectlExecPendingGauge *prometheus.GaugeVec
+	orphanedResourcesGauge  *prometheus.GaugeVec
+	k8sRequestCounter       *prometheus.CounterVec
+	clusterEventsCounter    *prometheus.CounterVec
+	redisRequestCounter     *prometheus.CounterVec
+	reconcileHistogram      *prometheus.HistogramVec
+	redisRequestHistogram   *prometheus.HistogramVec
+	registry                *prometheus.Registry
+	hostname                string
+	cron                    *cron.Cron
 }
 
 const (
@@ -155,20 +153,6 @@ var (
 		},
 		descAppDefaultLabels,
 	)
-
-	resourceEventsProcessingHistogram = prometheus.NewHistogramVec(
-		prometheus.HistogramOpts{
-			Name:    "argocd_resource_events_processing",
-			Help:    "Time to process resource events in seconds.",
-			Buckets: []float64{0.25, .5, 1, 2, 4, 8, 16},
-		},
-		[]string{"server"},
-	)
-
-	resourceEventsNumberGauge = prometheus.NewGaugeVec(prometheus.GaugeOpts{
-		Name: "argocd_resource_events_processed_in_batch",
-		Help: "Number of resource events processed in batch",
-	}, []string{"server"})
 )
 
 // NewMetricsServer returns a new prometheus server which collects application metrics
@@ -218,8 +202,6 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister, appFil
 	registry.MustRegister(clusterEventsCounter)
 	registry.MustRegister(redisRequestCounter)
 	registry.MustRegister(redisRequestHistogram)
-	registry.MustRegister(resourceEventsProcessingHistogram)
-	registry.MustRegister(resourceEventsNumberGauge)
 
 	return &MetricsServer{
 		registry: registry,
@@ -227,18 +209,16 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister, appFil
 			Addr:    addr,
 			Handler: mux,
 		},
-		syncCounter:                       syncCounter,
-		k8sRequestCounter:                 k8sRequestCounter,
-		kubectlExecCounter:                kubectlExecCounter,
-		kubectlExecPendingGauge:           kubectlExecPendingGauge,
-		orphanedResourcesGauge:            orphanedResourcesGauge,
-		reconcileHistogram:                reconcileHistogram,
-		clusterEventsCounter:              clusterEventsCounter,
-		redisRequestCounter:               redisRequestCounter,
-		redisRequestHistogram:             redisRequestHistogram,
-		resourceEventsProcessingHistogram: resourceEventsProcessingHistogram,
-		resourceEventsNumberGauge:         resourceEventsNumberGauge,
-		hostname:                          hostname,
+		syncCounter:             syncCounter,
+		k8sRequestCounter:       k8sRequestCounter,
+		kubectlExecCounter:      kubectlExecCounter,
+		kubectlExecPendingGauge: kubectlExecPendingGauge,
+		orphanedResourcesGauge:  orphanedResourcesGauge,
+		reconcileHistogram:      reconcileHistogram,
+		clusterEventsCounter:    clusterEventsCounter,
+		redisRequestCounter:     redisRequestCounter,
+		redisRequestHistogram:   redisRequestHistogram,
+		hostname:                hostname,
 		// This cron is used to expire the metrics cache.
 		// Currently clearing the metrics cache is logging and deleting from the map
 		// so there is no possibility of panic, but we will add a chain to keep robfig/cron v1 behavior.
@@ -304,12 +284,6 @@ func (m *MetricsServer) ObserveRedisRequestDuration(duration time.Duration) {
 	m.redisRequestHistogram.WithLabelValues(m.hostname, common.ApplicationController).Observe(duration.Seconds())
 }
 
-// ObserveResourceEventsProcessingDuration observes resource events processing duration
-func (m *MetricsServer) ObserveResourceEventsProcessingDuration(server string, duration time.Duration, processedEventsNumber int) {
-	m.resourceEventsProcessingHistogram.WithLabelValues(server).Observe(duration.Seconds())
-	m.resourceEventsNumberGauge.WithLabelValues(server).Set(float64(processedEventsNumber))
-}
-
 // IncReconcile increments the reconcile counter for an application
 func (m *MetricsServer) IncReconcile(app *argoappv1.Application, duration time.Duration) {
 	m.reconcileHistogram.WithLabelValues(app.Namespace, app.Spec.Destination.Server).Observe(duration.Seconds())
@@ -337,8 +311,6 @@ func (m *MetricsServer) SetExpiration(cacheExpiration time.Duration) error {
 		m.redisRequestCounter.Reset()
 		m.reconcileHistogram.Reset()
 		m.redisRequestHistogram.Reset()
-		m.resourceEventsProcessingHistogram.Reset()
-		m.resourceEventsNumberGauge.Reset()
 	})
 	if err != nil {
 		return err

controller/state.go

@@ -72,6 +72,7 @@ type AppStateManager interface {
 	CompareAppState(app *v1alpha1.Application, project *v1alpha1.AppProject, revisions []string, sources []v1alpha1.ApplicationSource, noCache bool, noRevisionCache bool, localObjects []string, hasMultipleSources bool, rollback bool) (*comparisonResult, error)
 	SyncAppState(app *v1alpha1.Application, state *v1alpha1.OperationState)
 	GetRepoObjs(app *v1alpha1.Application, sources []v1alpha1.ApplicationSource, appLabelKey string, revisions []string, noCache, noRevisionCache, verifySignature bool, proj *v1alpha1.AppProject, rollback, sendRuntimeState bool) ([]*unstructured.Unstructured, []*apiclient.ManifestResponse, bool, error)
+	ResolveGitRevision(repoURL string, revision string) (string, error)
 }
 
 // comparisonResult holds the state of an application after the reconciliation
@@ -108,7 +109,6 @@ type appStateManager struct {
 	appclientset          appclientset.Interface
 	projInformer          cache.SharedIndexInformer
 	kubectl               kubeutil.Kubectl
-	onKubectlRun          kubeutil.OnKubectlRunFunc
 	repoClientset         apiclient.Clientset
 	liveStateCache        statecache.LiveStateCache
 	cache                 *appstatecache.Cache
@@ -169,13 +169,9 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 	}
 
 	ts.AddCheckpoint("build_options_ms")
-	var serverVersion string
-	var apiResources []kubeutil.APIResourceInfo
-	if sendRuntimeState {
-		serverVersion, apiResources, err = m.liveStateCache.GetVersionsInfo(app.Spec.Destination.Server)
-		if err != nil {
-			return nil, nil, false, fmt.Errorf("failed to get cluster version for cluster %q: %w", app.Spec.Destination.Server, err)
-		}
+	serverVersion, apiResources, err := m.liveStateCache.GetVersionsInfo(app.Spec.Destination.Server)
+	if err != nil {
+		return nil, nil, false, fmt.Errorf("failed to get cluster version for cluster %q: %w", app.Spec.Destination.Server, err)
 	}
 	conn, repoClient, err := m.repoClientset.NewRepoServerClient()
 	if err != nil {
@@ -228,6 +224,8 @@ func (m *appStateManager) GetRepoObjs(app *v1alpha1.Application, sources []v1alp
 		apiVersions := argo.APIResourcesToStrings(apiResources, true)
 		if !sendRuntimeState {
 			appNamespace = ""
+			apiVersions = nil
+			serverVersion = ""
 		}
 
 		if !source.IsHelm() && syncedRevision != "" && keyManifestGenerateAnnotationExists && keyManifestGenerateAnnotationVal != "" {
@@ -485,7 +483,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 		if hasMultipleSources {
 			return &comparisonResult{
 				syncStatus: &v1alpha1.SyncStatus{
-					ComparedTo: app.Spec.BuildComparedToStatus(),
+					ComparedTo: v1alpha1.ComparedTo{Destination: app.Spec.Destination, Sources: sources, IgnoreDifferences: app.Spec.IgnoreDifferences},
 					Status:     v1alpha1.SyncStatusCodeUnknown,
 					Revisions:  revisions,
 				},
@@ -494,7 +492,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 		} else {
 			return &comparisonResult{
 				syncStatus: &v1alpha1.SyncStatus{
-					ComparedTo: app.Spec.BuildComparedToStatus(),
+					ComparedTo: v1alpha1.ComparedTo{Source: sources[0], Destination: app.Spec.Destination, IgnoreDifferences: app.Spec.IgnoreDifferences},
 					Status:     v1alpha1.SyncStatusCodeUnknown,
 					Revision:   revisions[0],
 				},
@@ -742,13 +740,13 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
 	diffConfigBuilder.WithServerSideDiff(serverSideDiff)
 
 	if serverSideDiff {
-		applier, cleanup, err := m.getServerSideDiffDryRunApplier(app.Spec.Destination.Server)
+		resourceOps, cleanup, err := m.getResourceOperations(app.Spec.Destination.Server)
 		if err != nil {
-			log.Errorf("CompareAppState error getting server side diff dry run applier: %s", err)
+			log.Errorf("CompareAppState error getting resource operations: %s", err)
 			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionUnknownError, Message: err.Error(), LastTransitionTime: &now})
 		}
 		defer cleanup()
-		diffConfigBuilder.WithServerSideDryRunner(diff.NewK8sServerSideDryRunner(applier))
+		diffConfigBuilder.WithServerSideDryRunner(diff.NewK8sServerSideDryRunner(resourceOps))
 	}
 
 	// enable structured merge diff if application syncs with server-side apply
@@ -1073,7 +1071,6 @@ func NewAppStateManager(
 	repoClientset apiclient.Clientset,
 	namespace string,
 	kubectl kubeutil.Kubectl,
-	onKubectlRun kubeutil.OnKubectlRunFunc,
 	settingsMgr *settings.SettingsManager,
 	liveStateCache statecache.LiveStateCache,
 	projInformer cache.SharedIndexInformer,
@@ -1092,7 +1089,6 @@ func NewAppStateManager(
 		db:                    db,
 		appclientset:          appclientset,
 		kubectl:               kubectl,
-		onKubectlRun:          onKubectlRun,
 		repoClientset:         repoClientset,
 		namespace:             namespace,
 		settingsMgr:           settingsMgr,

controller/sync.go

@@ -14,7 +14,6 @@ import (
 
 	cdcommon "github.com/argoproj/argo-cd/v2/common"
 
-	gitopsDiff "github.com/argoproj/gitops-engine/pkg/diff"
 	"github.com/argoproj/gitops-engine/pkg/sync"
 	"github.com/argoproj/gitops-engine/pkg/sync/common"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
@@ -34,7 +33,6 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/argo"
 	"github.com/argoproj/argo-cd/v2/util/argo/diff"
 	"github.com/argoproj/argo-cd/v2/util/glob"
-	kubeutil "github.com/argoproj/argo-cd/v2/util/kube"
 	logutils "github.com/argoproj/argo-cd/v2/util/log"
 	"github.com/argoproj/argo-cd/v2/util/lua"
 	"github.com/argoproj/argo-cd/v2/util/rand"
@@ -68,11 +66,11 @@ func (m *appStateManager) getGVKParser(server string) (*managedfields.GvkParser,
 	return cluster.GetGVKParser(), nil
 }
 
-// getServerSideDiffDryRunApplier will return the kubectl implementation of the KubeApplier
-// interface that provides functionality to dry run apply kubernetes resources. Returns a
+// getResourceOperations will return the kubectl implementation of the ResourceOperations
+// interface that provides functionality to manage kubernetes resources. Returns a
 // cleanup function that must be called to remove the generated kube config for this
 // server.
-func (m *appStateManager) getServerSideDiffDryRunApplier(server string) (gitopsDiff.KubeApplier, func(), error) {
+func (m *appStateManager) getResourceOperations(server string) (kube.ResourceOperations, func(), error) {
 	clusterCache, err := m.liveStateCache.GetClusterCache(server)
 	if err != nil {
 		return nil, nil, fmt.Errorf("error getting cluster cache: %w", err)
@@ -87,7 +85,7 @@ func (m *appStateManager) getServerSideDiffDryRunApplier(server string) (gitopsD
 	if err != nil {
 		return nil, nil, fmt.Errorf("error getting cluster REST config: %w", err)
 	}
-	ops, cleanup, err := kubeutil.ManageServerSideDiffDryRuns(rawConfig, clusterCache.GetOpenAPISchema(), m.onKubectlRun)
+	ops, cleanup, err := m.kubectl.ManageResources(rawConfig, clusterCache.GetOpenAPISchema())
 	if err != nil {
 		return nil, nil, fmt.Errorf("error creating kubectl ResourceOperations: %w", err)
 	}

docs/developer-guide/extensions/proxy-extensions.md

@@ -184,11 +184,12 @@ the argocd-secret with key 'some.argocd.secret.key'.
 If provided, and multiple services are configured, will have to match
 the application destination name or server to have requests properly
 forwarded to this service URL. If there are multiple backends for the
-same extension this field is required. In this case, it is necessary
-to provide both values to avoid problems with applications unable to
-send requests to the proper backend service. If only one backend
-service is configured, this field is ignored, and all requests are
-forwarded to the configured one.
+same extension this field is required. In this case at least one of
+the two will be required: name or server. It is better to provide both
+values to avoid problems with applications unable to send requests to
+the proper backend service. If only one backend service is
+configured, this field is ignored, and all requests are forwarded to
+the configured one.
 
 #### `extensions.backend.services.cluster.name` (*string*)
 (optional)

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -85,13 +85,6 @@ data:
   controller.diff.server.side: "false"
   # Enables profile endpoint on the internal metrics port
   controller.profile.enabled: "false"
-  # Enables batch-processing mode in the controller's cluster cache. This can help improve performance for clusters that
-  # have high "churn," i.e. lots of resource modifications.
-  controller.cluster.cache.batch.events.processing: "false"
-  # This sets the interval at which the controller's cluster cache processes a batch of cluster events. A lower value
-  # will increase the speed at which Argo CD becomes aware of external cluster state. A higher value will reduce cluster
-  # cache lock contention and better handle high-churn clusters.
-  controller.cluster.cache.events.processing.interval: "100ms"
 
   ## Server properties
   # Listen on given address for incoming connections (default "0.0.0.0")

docs/operator-manual/feature-maturity.md

@@ -15,7 +15,7 @@ to indicate their stability and maturity. These are the statuses of non-stable f
 ## Overview
 
 | Feature                                   | Introduced | Status |
-|-------------------------------------------|------------|--------|
+| ----------------------------------------- | ---------- | ------ |
 | [AppSet Progressive Syncs][2]             | v2.6.0     | Alpha  |
 | [Proxy Extensions][3]                     | v2.7.0     | Alpha  |
 | [Skip Application Reconcile][4]           | v2.7.0     | Alpha  |
@@ -25,7 +25,6 @@ to indicate their stability and maturity. These are the statuses of non-stable f
 | [Server Side Diff][8]                     | v2.10.0    | Beta   |
 | [Cluster Sharding: consistent-hashing][9] | v2.12.0    | Alpha  |
 | [Service Account Impersonation][10]       | v2.13.0    | Alpha  |
-| [Source Hydrator][11]                     | v2.14.0    | Alpha  |
 
 ## Unstable Configurations
 
@@ -84,4 +83,3 @@ to indicate their stability and maturity. These are the statuses of non-stable f
 [8]: ../user-guide/diff-strategies.md#server-side-diff
 [9]: ./high_availability.md#argocd-application-controller
 [10]: app-sync-using-impersonation.md
-[11]: ../user-guide/source-hydrator.md

docs/operator-manual/high_availability.md

@@ -130,15 +130,6 @@ stringData:
   count (grouped by k8s api version, the granule of parallelism for list operations). In this case, all resources will
   be buffered in memory -- no api server request will be blocked by processing.
 
-* `ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING` - environment variable that enables the controller to collect events
-  for Kubernetes resources and process them in a batch. This is useful when the cluster contains a large number of resources,
-  and the controller is overwhelmed by the number of events. The default value is `false`, which means that the controller
-  processes events one by one.
-
-* `ARGOCD_CLUSTER_CACHE_EVENTS_PROCESSING_INTERVAL` - environment variable controlling the interval for processing events in a batch.
-  The valid value is in the format of Go time duration string, e.g. `1ms`, `1s`, `1m`, `1h`. The default value is `100ms`.
-  The variable is used only when `ARGOCD_CLUSTER_CACHE_BATCH_EVENTS_PROCESSING` is set to `true`.
-
 * `ARGOCD_APPLICATION_TREE_SHARD_SIZE` - environment variable controlling the max number of resources stored in one Redis
   key. Splitting application tree into multiple keys helps to reduce the amount of traffic between the controller and Redis.
   The default value is 0, which means that the application tree is stored in a single Redis key. The reasonable value is 100.

docs/operator-manual/metrics.md

@@ -24,8 +24,6 @@ Metrics about applications. Scraped at the `argocd-metrics:8082/metrics` endpoin
 | `argocd_kubectl_exec_total` | counter | Number of kubectl executions |
 | `argocd_redis_request_duration` | histogram | Redis requests duration. |
 | `argocd_redis_request_total` | counter | Number of redis requests executed during application reconciliation |
-| `argocd_resource_events_processing` | histogram | Time to process resource events in batch in seconds |
-| `argocd_resource_events_processed_in_batch` | gauge | Number of resource events processed in batch |
 
 If you use Argo CD with many application and project creation and deletion,
 the metrics page will keep in cache your application and project's history.

docs/operator-manual/notifications/templates.md

@@ -57,7 +57,7 @@ kind: Secret
 metadata:
   name: argocd-notifications-secret
 stringData:
-  sampleWebhookToken: secret-token
+  sampleWebhookToken: secret-token 
 type: Opaque
 ```
 
@@ -112,7 +112,7 @@ You can change the timezone to show in notifications as follows.
 
 ## Functions
 
-Templates have access to the set of built-in functions such as the functions of the [Sprig](https://masterminds.github.io/sprig/) package
+Templates have access to the set of built-in functions:
 
 ```yaml
 apiVersion: v1

docs/operator-manual/rbac.md

@@ -130,9 +130,9 @@ p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow
     Argo CD RBAC does not use `/` as a separator when evaluating glob patterns. So the pattern `delete/*/kind/*`
     will match `delete/<group>/kind/<namespace>/<name>` but also `delete/<group>/<kind>/kind/<name>`.
 
-    The fact that both of these match will generally not be a problem, because resource kinds generally contain capital
-    letters, and namespaces cannot contain capital letters. However, it is possible for a resource kind to be lowercase.
-    So it is better to just always include all the parts of the resource in the pattern (in other words, always use four
+    The fact that both of these match will generally not be a problem, because resource kinds generally contain capital 
+    letters, and namespaces cannot contain capital letters. However, it is possible for a resource kind to be lowercase. 
+    So it is better to just always include all the parts of the resource in the pattern (in other words, always use four 
     slashes).
 
 If we want to grant access to the user to update all resources of an application, but not the application itself:
@@ -148,9 +148,9 @@ p, example-user, applications, delete, default/prod-app, deny
 p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow
 ```
 
-!!! note "Disable Application permission Inheritance"
+!!! note
 
-    By default, it is not possible to deny fine-grained permissions for a sub-resource if the action was **explicitly allowed on the application**.
+    It is not possible to deny fine-grained permissions for a sub-resource if the action was **explicitly allowed on the application**.
     For instance, the following policies will **allow** a user to delete the Pod and any other resources in the application:
 
     ```csv
@@ -158,20 +158,6 @@ p, example-user, applications, delete/*/Pod/*/*, default/prod-app, allow
     p, example-user, applications, delete/*/Pod/*/*, default/prod-app, deny
     ```
 
-    To change this behavior, you can set the config value
-    `server.rbac.disableApplicationFineGrainedRBACInheritance` to `true` in
-    the Argo CD ConfigMap `argocd-cm`.
-
-    When inheritance is disabled, it is now possible to deny fine-grained permissions for a sub-resource
-    if the action was **explicitly allowed on the application**.
-
-    For instance, if we want to explicitly allow updates to the application, but deny updates to any sub-resources:
-
-    ```csv
-    p, example-user, applications, update, default/prod-app, allow
-    p, example-user, applications, update/*, default/prod-app, deny
-    ```
-
 #### The `action` action
 
 The `action` action corresponds to either built-in resource customizations defined

docs/operator-manual/server-commands/argocd-server.md

@@ -55,7 +55,6 @@ argocd-server [flags]
       --enable-proxy-extension                          Enable Proxy Extension feature
       --gloglevel int                                   Set the glog logging level
   -h, --help                                            help for argocd-server
-      --hydrator-enabled                                Feature flag to enable Hydrator. Default ("false")
       --insecure                                        Run server without TLS
       --insecure-skip-tls-verify                        If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
       --kubeconfig string                               Path to a kube config. Only required if out-of-cluster

docs/operator-manual/tested-kubernetes-versions.md

@@ -1,5 +1,2 @@
-| Argo CD version | Kubernetes versions |
-|-----------------|---------------------|
-| 2.14 | v1.31, v1.30, v1.29, v1.28 |
-| 2.13 | v1.30, v1.29, v1.28, v1.27 |
-| 2.12 | v1.29, v1.28, v1.27, v1.26 |
+This page is populated for released Argo CD versions. Use the version selector to view this table for a specific 
+version. 

docs/operator-manual/upgrading/2.13-2.14.md

@@ -1,6 +0,0 @@
-# v2.13 to 2.14
-
-## Upgraded Helm Version
-
-Helm was upgraded to 3.16.2 and the skipSchemaValidation Flag was added to
-the [CLI and Application CR](https://argo-cd.readthedocs.io/en/latest/user-guide/helm/#helm-skip-schema-validation). 

docs/proposals/manifest-hydrator.md

@@ -1,538 +0,0 @@
----
-title: Manifest Hydrator
-authors:
-  - "@crenshaw-dev"
-  - "@zachaller"
-sponsors:
-  - TBD        # List all interested parties here.
-reviewers:
-  - TBD
-approvers:
-  - TBD
-
-creation-date: 2024-03-26
-last-updated: 2024-03-26
----
-
-# Manifest Hydrator
-
-This proposal describes a feature to make manifest hydration (i.e. the "rendered manifest pattern") a first-class feature of Argo CD.
-
-## Terms
-
-* dry manifests: DRY or Don't Repeat Yourself - things like Kustomize overlays and Helm charts that produce Kubernetes manifests but are not themselves Kubernetes Manifests
-* hydrated manifests: the output from dry manifest tools, i.e. plain Kubernetes manifests
-
-## Summary
-
-Manifest hydration tools like Helm and Kustomize are indispensable in GitOps. These tools transform "dry" (Don't Repeat Yourself) sources into plain Kubernetes manifests. The effects of a change to dry sources are not always obvious. So storing only dry sources in git leaves the user with an incomplete and confusing history of their application. This undercuts some of the main benefits of GitOps.
-
-The "rendered manifests" pattern has emerged as a way to mitigate the downsides of using hydration tools in GitOps. Today, developers use CI tools to automatically hydrate manifests and push to separate branches. They then configure Argo CD to deploy from the hydrated branches. (For more information, see the awesome [blog post](https://akuity.io/blog/the-rendered-manifests-pattern/) and [ArgoCon talk](https://www.youtube.com/watch?v=TonN-369Qfo) by Nicholas Morey.)
-
-This proposal describes manifest hydration and pushing to git as a first-class feature of Argo CD.
-
-It offers two modes of operation: push-to-deploy and push-to-stage. In push-to-deploy, hydrated manifests are pushed to the same branch from which Argo CD deploys. In push-to-stage, manifests are pushed to a different branch, and Argo CD relies on some external system to move changes to the deployment branch; this provides an integration point for automated environment promotion systems.
-
-### Opinions
-
-This proposal is opinionated. It is based on the belief that, in order to reap the full benefits of GitOps, every change to an application's desired state must originate from a commit to a single GitOps repository. In other words, the full history of the application's desired state must be visible as the commit history on a git repository.
-
-This requirement is incompatible with tooling which injects nondeterministic configuration into the desired state before it is deployed by the GitOps controller. Examples of nondeterministic external configuration are:
-
-1) Helm chart dependencies on unpinned chart versions
-2) Kustomize remote bases to unpinned git revisions
-3) Config tool parameter overrides in the Argo CD Application `spec.source` fields
-4) Multiple sources referenced in the same application (knowledge of combination of source versions is held externally to git)
-
-Injecting nondeterministic configuration makes it impossible to know the complete history of an application by looking at a git branch history. Even if the nondeterministic output is databased (for example, in a hydrated source branch in git), it is impossible for developers to confidently make changes to desired state, because they cannot know ahead of time what other configuration will be injected at deploy time.
-
-We believe that the problems of injecting external configuration are best solved by asking these two questions:
-
-1) Does the configuration belong in the developer's interface (i.e. the dry manifests)?
-2) Does the configuration need to be mutable at runtime, or only at deploy time?
-
-If the configuration belongs in the developer's interface, write a tool to push the information to git. Image tags are a good example of such configuration, and the Argo CD Image Updater is a good example of such tooling.
-
-If the configuration doesn't belong in the developer's interface, and it needs to be updated at runtime, write a controller. The developer shouldn't be expected to maintain configuration which is not an immediate part of their desired state. An example would be an auto-sizing controller which eliminates the need for the developer to manage their own autoscaler config.
-
-If the configuration doesn't belong in the developer's interface and doesn't need to be updated at runtime (only at deploy time), write a mutating webhook. This is a great option for injecting cluster-specific configuration that the developer doesn't need to directly control.
-
-With these three options available (git-pushers, controllers, and mutating webhooks), we believe that it is not generally necessary to inject nondeterministic configuration into the manifest hydration process. Instead, we can have a full history of the developer's minimal intent (dry branch) and the full expression of that intent (hydrated branch) completely recorded in a series of commits on a git branch.
-
-By respecting these limitations, we unlock the ability to manage change promotion/reversion entirely via git. Change lineage is fully represented as a series of dry commit hashes. This makes it possible to write reliable rules around how these hashes are promoted to different environments and how they are reverted (i.e. we can meaningfully say "`prod` may never be more than one dry hash ahead of `test`"). If information about the lineage of an application is scattered among multiple sources, it is difficult or even impossible to meaningfully define rules about how one environment's lineage must relate to that of another environment.
-
-Being opinionated unlocks the full benefits of GitOps as well as the ability to build a reasonable, reliable preview/promotion/reversion system. 
-
-These opinions will lock out use cases where configuration injection cannot be avoided by writing git-pushers, controllers, or mutating webhooks. We believe that the benefits of making an opinionated system outweigh the costs of compromising those opinions.
-
-## Motivation
-
-Many organizations have implemented their own manifest hydration system. By implementing it in Argo CD, we can lower the cost to our users of maintaining those systems, and we can encourage best practices related to the pattern.
-
-### Goals
-
-1) Make manifest hydration easy and intuitive for Argo CD users
-2) Make it possible to implement a promotion system which relies on the manifest hydration's push-to-stage mode
-3) Emphasize maintaining as much of the system's state as possible in git rather than in the Application CR (e.g. source hydrator config values, such as Helm values)
-4) Every deployed change must have a corresponding dry commit - i.e. git is always the source of any changes
-5) Developers should be able to easily reproduce the manifest hydration process locally, i.e. by running some commands
-
-#### Hydration Reproducibility
-
-One goal of this proposal is to make hydration reproducibility easy. Reproducibility brings a couple benefits: easy iteration/debugging and reliable previews.
-
-##### Easy Iteration/Debugging
-
-The hydration system should enable developers to easily reproduce the hydration process locally. The developer should be able to run a short series of commands and perform the exact same tasks that Argo CD would take to hydrate their manifests. This allows the developer to verify that Argo CD is behaving as expected and to quickly tweak inputs and see the results. This lets them iterate quickly and improves developer satisfaction and change velocity.
-
-To provide this experience, the hydrator needs to provide the developer with a few pieces of information:
-
-1) The input repo URL, path, and commit SHA
-2) The hydration tool CLI version(s) (for example, the version of the Helm CLI used for hydration)
-3) A series of commands and arguments which the developer can run locally
-
-Equipped with this information, the developer can perform the exact same steps as Argo CD and be confident that their dry manifest changes will produce the desired output.
-
-Ensuring that hydration is deterministic assures the developer that the output for a given dry state will be the same next week as it is today.
-
-###### Avoiding Esoteric Behavior
-
-We should avoid the developer needing to know Argo CD-specific behavior in order to reproduce hydration. Tools like Helm, Kustimize, etc. have excellent public-facing documentation which the developer should be able to take advantage of without needing to know quirks of Argo CD.
-
-##### Reliable Previews
-
-Deterministic hydration output allows Argo CD to produce a reliable change preview when a developer proposes a change to the dry manifests via a PR.
-
-If output is not deterministic, then a preview generated today might not be valid/correct a week, day, or even hour later. Non-determinism makes it so that developers can't trust that the change they review will be the change actually applied.
-
-### Non-Goals
-
-1) Implementing a change promotion system
-
-## Open Questions
-
-* The `sourceHydrator` field is mutually exclusive with the `source` and the `sources` field. Should we throw an error if they're both configured, or should we just pick one and ignore the others?
-* How will/should this feature relate to the image updater? Is there an opportunity to share code, since both tools involve pushing to git?
-* Should we enforce a naming convention for hydrated manifest branches, e.g. `argo/...`? This would make it easier to recommend branch protection rules, for example, only allow pushes to `argo/*` from the argo bot.
-* Should we enforce setting a `sourceHydrator.syncSource.path` to something besides `.`? Setting a path makes it easier to add/remove other apps later if desired.
-
-## Proposal
-
-Today, Argo CD watches one or more git repositories (configured in the `spec.source` or `spec.sources` field). When a new commit appears, Argo CD updates the desired state by rendering the manifests with the configured manifest hydration tool. If auto-sync is enabled, Argo CD applies the new manifests to the cluster.
-
-With the introduction of this change, Argo CD will watch two revisions in the same git repository: the first is the "dry source", i.e. the git repo/revision where the un-rendered manifests reside, and the second is the "hydrated source," where the rendered manifests are places and retrieved for syncing to the cluster.
-
-### New `spec.sourceHydrator` Application Field
-
-A `sourceHydrator` field will be added to the Argo CD Application spec:
-
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: example
-spec:
-  # The sourceHydrator field is mutually-exclusive with `source` and with `sources`. If this field is configured, we 
-  # should either throw an error or ignore the other two.
-  sourceHydrator:
-    drySource:
-      repoURL: https://github.com/argoproj/argocd-example-apps
-      targetRevision: main
-      # This assumes the Application's environments are modeled as directories.
-      path: environments/e2e
-    syncSource:
-      targetBranch: environments/e2e
-      path: .
-    # The hydrateTo field is optional. If specified, Argo CD will write hydrated manifests to this branch instead of the
-    # syncSource.targetBranch. This allows the user to "stage" a hydrated commit before actually deploying the changes
-    # by merging them into the syncSource branch. A complete change promotion system can be built around this feature. 
-    hydrateTo:
-      targetBranch: environments/e2e-next
-      # The path is assumed to be the same as that in syncSource.
-```
-
-When the Argo CD application controller detects a new commit on the `drySource`, it queue up the hydration process.
-
-When the application controller detects a new (hydrated) commit on the `syncSource.targetBranch`, it will sync the manifests.
-
-### Processing a New Dry Commit
-
-On noticing a new dry commit, Argo CD will first collect all Applications which have the same `drySource` repo and targetRevision.
-
-Argo CD will then group those sources by the configured `syncSource` targetBranch.
-
-```go
-package hydrator
-
-import "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-
-type DrySource struct {
-	repoURL        string
-	targetRevision string
-}
-
-type SyncSource struct {
-	targetBranch string
-}
-
-var appGroups map[DrySource]map[SyncSource][]v1alpha1.Application
-```
-
-Then Argo CD will loop over the apps in each group. For each group, it will run manifest hydration on the configured `drySource.path` and write the result to the configured `syncSource.path`. After looping over all apps in the group and writing all their manifests, it will commit the changes to the configured `syncSource` repoURL and targetBranch (or, if configured, the `hydratedTo` targetBranch). Finally, it will push those changes to git. Then it will repeat this process for the remaining groups.
-
-The actual push operation should be delegated to the [commit server](./manifest-hydrator/commit-server/README.md).
-
-To understand how this would work for a simple dev/test/prod setup with two regions, consider this example:
-
-```yaml
-### DEV APPS ###
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: dev-west
-spec:
-  sourceHydrator:
-    drySource:
-      repoURL: https://github.com/argoproj/argocd-example-apps
-      targetRevision: main
-      path: environments/dev/west
-    syncSource:
-      targetBranch: environments/dev
-      path: west
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: dev-east
-spec:
-  sourceHydrator:
-    drySource:
-      repoURL: https://github.com/argoproj/argocd-example-apps
-      targetRevision: main
-      path: environments/dev/east
-    syncSource:
-      targetBranch: environments/dev
-      path: east
----
-### TEST APPS ###
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: test-west
-spec:
-  sourceHydrator:
-    drySource:
-      repoURL: https://github.com/argoproj/argocd-example-apps
-      targetRevision: main
-      path: environments/test/west
-    syncSource:
-      targetBranch: environments/test
-      path: west
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: test-east
-spec:
-  sourceHydrator:
-    drySource:
-      repoURL: https://github.com/argoproj/argocd-example-apps
-      targetRevision: main
-      path: environments/test/east
-    syncSource:
-      targetBranch: environments/prod
-      path: east
----
-### PROD APPS ###
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: prod-west
-spec:
-  sourceHydrator:
-    drySource:
-      repoURL: https://github.com/argoproj/argocd-example-apps
-      targetRevision: main
-      path: environments/prod/west
-    syncSource:
-      targetBranch: environments/prod
-      path: west
----
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: prod-east
-spec:
-  sourceHydrator:
-    drySource:
-      repoURL: https://github.com/argoproj/argocd-example-apps
-      targetRevision: main
-      path: environments/prod/east
-    syncSource:
-      targetBranch: environments/prod
-      path: east
----
-```
-
-Each commit to the dry branch will result in a commit to up to three branches. Each commit to an environment branch will contain changes for west, east, or both (depending on which is affected). Changes originating from a single dry commit are always grouped into a single hydrated commit.
-
-### Handling External Values Files
-
-Since only one source may be used in as the dry source, the multi-source approach to external Helm values files will not work here. Instead, we'll recommend that users use the umbrella chart approach. The main reasons for multi-source as an alternative were convenience (no need to maintain the parent chart) and resolving issues with authentication to dependency charts. We believe the simplification is worth the cost of convenience, and we can address the auth issues as standalone bugs.
-
-An earlier iteration of this proposal attempted to preserve the multi-source style of external value file inclusion by introducing a "magic" `.argocd-hydrator.yaml` file containing `additionalSources` to reference the Helm chart. In the end, it felt like we were re-implementing Helm's dependencies feature or git submodules. It's better to just rely on one of those existing tools.
-
-### `.argocd-source.yaml` Support
-
-The `spec.sourceHydrator.drySource` field contains only three fields: `repoURL`, `targetRevision`, and `path`.
-
-`spec.source` contains a number of fields for configuring manifest hydration tools (`helm`, `kustomize`, and `directory`). That functionality is still available for `spec.sourceHydrator`. But instead of being configured in the Application CR, those values are set in `.argocd-source.yaml`, an existing "override" mechanism for `spec.source`. By requiring that this configuration be set in `.argocd-source.yaml`, we respect the principle that all changes must be made in git instead of in the Application CR.
-
-### `spec.destination.namespace` Behavior
-
-The Application `spec.destination.namespace` field is used to set the `metadata.namespace` field of any namespace resources for which that field is not set in the manifests.
-
-The hydrator will not inject `metadata.namespace` into the hydrated manifests pushed to git. Instead, Argo CD's behavior of injecting that value immediately before applying to the cluster will continue to be used with the `spec.sourceHydrator.syncSource`.
-
-### Build Environment Support
-
-For sources specified in `spec.source` or `spec.sources`, Argo CD [sets certain environment variables](https://argo-cd.readthedocs.io/en/stable/user-guide/build-environment/) before running the manifest hydration tool.
-
-Some of these environment variables may change independently of the dry source and therefore break the reproducibility of manifest hydration (see the [Opinions](#opinions) section). Therefore, only some environment variables will be populated for the `spec.sourceHydrator` source.
-
-These environment variables will **not** be set:
-
-* `ARGOCD_APP_NAME`
-* `ARGOCD_APP_NAMESPACE`
-* `KUBE_VERSION`
-* `KUBE_API_VERSIONS`
-
-These environment variables will be set because they are commit SHAs and are directly and immutably tied to the dry manifest commit:
-
-* `ARGOCD_APP_REVISION`
-* `ARGOCD_APP_REVISION_SHORT`
-
-These environment variables will be set because they are inherently tied to the manifest hydrator configuration. If these fields set in `spec.sourceHydrator.drySource` change, we are breaking the connection to the original hydrator configuration anyway.
-
-* `ARGOCD_APP_SOURCE_PATH`
-* `ARGOCD_APP_SOURCE_REPO_URL`
-* `ARGOCD_APP_SOURCE_TARGET_REVISION`
-
-### Support for Helm-Specific Features
-
-#### App Name / Release Name
-
-By default, Argo CD's `source` and `sources` fields use the Application's name as the release name when hydrating Helm manifests.
-
-To centralize the source of truth when using `spec.sourceHydrator`, the default release name will be an empty string, and any different release name should be specified in the `helm.releaseName` field in `.argocd-source.yaml`.
-
-#### Kube API Versions
-
-`helm install` supports dynamically reading Kube API versions from the destination cluster to adjust manifest output. `helm template` accepts a list of Kube API versions to simulate the same behavior, and Argo CD's `spec.source` and `spec.sources` fields set those API versions when running `helm template`.
-
-To centralize the source of truth when using `spec.sourceHydrator`, the Kube API versions will not be populated by default.
-
-Instead, a new field will be added to the Application's `spec.source.helm` field:
-
-```yaml
-kind: Application
-spec:
-  source:
-    helm:
-      apiVersions:
-        - admissionregistration.k8s.io/v1/MutatingWebhookConfiguration
-        - admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration
-        - ... etc.
-```
-
-That field will also be available in `.argocd-source.yaml`:
-
-```yaml
-helm:
-  apiVersions:
-    - admissionregistration.k8s.io/v1/MutatingWebhookConfiguration
-    - admissionregistration.k8s.io/v1/ValidatingWebhookConfiguration
-    - ... etc.
-```
-
-So the appropriate way to set Kube API versions for the source hydrator will be to populate the `.argocd-source.yaml` file.
-
-#### Hydrated Environment Branches
-
-Representing the dry manifests of environments as branches has well-documented downsides for developer experience. Specifically, it's toilsome for developers to manage moving changes from one branch to another and avoid drift.
-
-So environments-as-directories has emerged as the standard for good GitOps practices. Change management across directories in a single branch is much easier to perform and reason about.
-
-**This proposal does not suggest using branches to represent the dry manifests of environments.** As a matter of fact, this proposal codifies the current best practice of representing the dry manifests as directories in a single branch.
-
-This proposal recommends using different branches for the _hydrated_ representation of environments only. Using different branches has some benefits:
-
-1) Intuitive grouping of "changes to ship at once" - for example, if you have app-1-east and app-1-west, it makes sense to merge a single hydrated PR to deploy to both of those apps at once
-2) Easy-to-read history of a single environment via the commits history
-3) Easy comparison between environments using the SCMs' "compare" interfaces
-
-In other words, branches make a very nice _read_ interface for _hydrated_ manifests while preserving the best-practice of using _directories_ for the _write_ interface.
-
-### Commit Metadata
-
-Each output directory should contain two files: manifest.yaml and README.md. manifest.yaml should contain the plain hydrated manifests. The resources should be sorted by namespace, name, group, and kind (in that order).
-
-The README will be built using the following template:
-
-````gotemplate
-{{ if eq (len .applications) 1 }}
-{{ $appName := (index .applications 0).metadata.name }}
-# {{ $appName }} Manifests
-
-[manifest.yaml](./manifest.yaml) contains the hydrated manifests for the {{ $appName }} application.
-{{ end }}
-{{ if gt (len .applications) 1 }}
-{{ $appName := (index .applications 0).metadata.name }}
-# Manifests for {{ len .applications }} Applications
-
-[manifest.yaml](./manifest.yaml) contains the hydrated manifests for these applications:
-{{ range $i, $app := .applications }}
-- {{ $app.name }}
-{{ end }}
-{{ end }}
-
-These are the details of the most recent change;
-* Author: {{ .commitAuthor }}
-* Message: {{ .commitMessage }}
-* Time: {{ .commitTime }}
-
-To reproduce the manifest hydration, do the following:
-
-```
-git clone {{ .repoURL }}
-cd {{ .repoName }}
-git checkout {{ .dryShortSHA }}
-{{ range $i, $command := .commands }}
-{{ $command }}
-{{ end }}
-```
-````
-
-This template should be admin-configurable.
-
-Example output might look like this:
-
-````markdown
-# dev-west Manifests
-
-[manifest.yaml](./manifest.yaml) contains the hydrated manifests for the dev-west application.
-
-These are the details of the most recent change;
-* Author: Michael Crenshaw <michael@example.com>
-* Message: chore: bumped image tag to v0.0.2
-* Time: 2024-03-27 10:32:04 UTC
-
-To reproduce the manifest hydration, do the following:
-
-```
-git clone https://github.com/argoproj/argocd-example-apps
-cd argocd-example-apps
-git checkout ab2382f
-kustomize edit set image my-app:v0.0.2
-kustomize build environments/dev/west
-```
-````
-
-The hydrator will also write a `hydrator.metadata` file containing a JSON representation of all the values available for README templating. This metadata can be used by external systems (e.g. a PR-based promoter system) to generate contextual information about the hydrated manifest's provenance.
-
-```json
-{
-  "commands": ["kustomize edit set image my-app:v0.0.2", "kustomize build ."],
-  "drySHA": "ab2382f",
-  "commitAuthor": "Michael Crenshaw <michael@example.com>",
-  "commitMessage": "chore: bump Helm dependency chart to 32.1.12",
-  "repoURL": "https://github.com/argoproj/argocd-example-apps"
-}
-```
-
-To request a commit to the hydrated branch, the application controller will make a call to the CommitManifests service.
-
-A single call will bundle all the changes destined for a given targetBranch.
-
-It's the application controller's job to ensure that the user has write access to the repo before making the call.
-
-```protobuf
-// CommitManifests represents the caller's request for some Kubernetes manifests to be pushed to a git repository.
-message CommitManifests {
-  // repoURL is the URL of the repo we're pushing to. HTTPS or SSH URLs are acceptable.
-  required string repoURL = 1;
-  // targetBranch is the name of the branch we're pushing to.
-  required string targetBranch = 2;
-  // drySHA is the full SHA256 hash of the "dry commit" from which the manifests were hydrated.
-  required string drySHA = 3;
-  // commitAuthor is the name of the author of the dry commit.
-  required string commitAuthor = 4;
-  // commitMessage is the short commit message from the dry commit.
-  required string commitMessage = 5;
-  // commitTime is the dry commit timestamp.
-  required string commitTime = 6;
-  // details holds the information about the actual hydrated manifests.
-  repeated CommitPathDetails details = 7;
-}
-
-// CommitManifestDetails represents the details about a 
-message CommitPathDetails {
-  // path is the path to the directory to which these manifests should be written.
-  required string path = 1;
-  // manifests is a list of JSON documents representing the Kubernetes manifests.
-  repeated string manifests = 2;
-  // readme is a string which will be written to a README.md alongside the manifest.yaml. 
-  required string readme = 3;
-}
-
-message CommitManifestsResponse {
-}
-```
-
-### Push access
-
-The hydrator will need to push to the git repository. This will require a secret containing the git credentials.
-
-Write access will be configured via a Kubernetes secret with the following structure:
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  labels:
-    argocd.argoproj.io/secret-type: repository-write
-stringData:
-  url: 'https://github.com/argoproj/argocd-example-apps'
-  githubAppID: '123456'
-  githubInstallationID: '123456'
-  githubAppPrivateKey: |
-    -----
-```
-
-### Use cases
-
-#### Use case 1:
-
-An organization with strong requirements around change auditing might enable manifest hydration in order to generate a full history of changes.
-
-#### Use case 2:
-
-### Implementation Details/Notes/Constraints
-
-### Detailed examples
-
-### Security Considerations
-
-This proposal would involve introducing a component capable of pushing to git.
-
-We'll need to consider what git permissions setup to recommend, what security features we should recommend enabling (e.g. branch protection), etc.
-
-We'll also need to consider how to store the git push secrets. It's probable that they'll need to be stored in a namespace separate from the other Argo CD components to provide a bit extra protection.
-
-### Risks and Mitigations
-
-### Upgrade / Downgrade Strategy
-
-## Drawbacks
-
-## Alternatives

docs/proposals/manifest-hydrator/README.md

@@ -1,44 +0,0 @@
-# Argo CD Manifest Hydrator
-
-Most Argo CD Applications don't directly use plain Kubernetes manifests. They reference a Helm chart or some Kustomize manifests, and then Argo CD transforms those sources into their final form (plain Kubernetes manifests).
-
-Having Argo CD quietly do this transformation behind the scenes is convenient. But it can make it harder for developers to understand the full state of their application, both current and past. Hydrating (also known as "rendering") the sources and pushing the hydrated manifests to git is a common technique to preserve a full history of an Application's state.
-
-Argo CD provides first-class tooling to hydrate manifests and push them to git. This document explains how to take advantage of that tooling.
-
-## Setting up git Push Access
-
-To use Argo CD's source hydration tooling, you have to grant Argo CD push access to all the repositories for apps using the source hydrator.
-
-### Security Considerations
-
-Argo CD stores git push secrets separately from the main Argo CD components and separately from git pull credentials to minimize the possibility of a malicious actor stealing the secrets or hijacking Argo CD components to push malicious changes.
-
-Pushing hydrated manifests to git can improve security by ensuring that all state changes are stored and auditable. If a malicious actor does manage to produce malicious changes in manifests, those changes will be discoverable in git instead of living only in the live cluster state.
-
-You should use your SCM's security mechanisms to ensure that Argo CD can only push to the allowed repositories and branches.
-
-### Adding the Access Credentials
-
-To set up push access, add a secret to the `argocd-push` namespace with the following format:
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: argocd-example-apps
-  labels:
-    # Note that this is "repository-push" instead of "repository". The same secret should never be used for both push and pull access.
-    argocd.argoproj.io/secret-type: repository-push
-type: Opaque
-stringData:
-  url: https://github.com/argoproj/argocd-example-apps.git
-  username: '****'
-  password: '****'
-```
-
-Once the secret is available, any Application which has pull access to a given repo will be able to use the source hydration tooling to also push to that repo.
-
-## Using the `sourceHydrator` Field
-
-## Migrating from the `source` or `sources` Field

docs/proposals/manifest-hydrator/commit-server/README.md

@@ -1,38 +0,0 @@
-# Commit Server
-
-The Argo CD Commit Server provides push access to git repositories for hydrated manifests.
-
-The server exposes a gRPC service which accepts requests to push hydrated manifests to a git repository. This is the interface:
-
-```protobuf
-// CommitManifests represents the caller's request for some Kubernetes manifests to be pushed to a git repository.
-message CommitManifests {
-  // repoURL is the URL of the repo we're pushing to. HTTPS or SSH URLs are acceptable.
-  required string repoURL = 1;
-  // targetBranch is the name of the branch we're pushing to.
-  required string targetBranch = 2;
-  // drySHA is the full SHA256 hash of the "dry commit" from which the manifests were hydrated.
-  required string drySHA = 3;
-  // commitAuthor is the name of the author of the dry commit.
-  required string commitAuthor = 4;
-  // commitMessage is the short commit message from the dry commit.
-  required string commitMessage = 5;
-  // commitTime is the dry commit timestamp.
-  required string commitTime = 6;
-  // details holds the information about the actual hydrated manifests.
-  repeated CommitPathDetails details = 7;
-}
-
-// CommitManifestDetails represents the details about a 
-message CommitPathDetails {
-  // path is the path to the directory to which these manifests should be written.
-  required string path = 1;
-  // manifests is a list of JSON documents representing the Kubernetes manifests.
-  repeated string manifests = 2;
-  // readme is a string which will be written to a README.md alongside the manifest.yaml. 
-  required string readme = 3;
-}
-
-message CommitManifestsResponse {
-}
-```

docs/snyk/index.md

@@ -23,39 +23,39 @@ recent minor releases.
 | [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v2.13.2
+### v2.13.1
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.13.2/argocd-test.html) | 1 | 0 | 7 | 2 |
-| [ui/yarn.lock](v2.13.2/argocd-test.html) | 0 | 0 | 1 | 0 |
-| [dex:v2.41.1](v2.13.2/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 2 |
-| [haproxy:2.6.17-alpine](v2.13.2/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
-| [redis:7.0.15-alpine](v2.13.2/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
-| [argocd:v2.13.2](v2.13.2/quay.io_argoproj_argocd_v2.13.2.html) | 0 | 0 | 3 | 10 |
-| [redis:7.0.15-alpine](v2.13.2/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
-| [install.yaml](v2.13.2/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.13.2/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.13.1/argocd-test.html) | 0 | 0 | 7 | 2 |
+| [ui/yarn.lock](v2.13.1/argocd-test.html) | 0 | 0 | 1 | 0 |
+| [dex:v2.41.1](v2.13.1/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 0 | 0 | 2 |
+| [haproxy:2.6.17-alpine](v2.13.1/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
+| [redis:7.0.15-alpine](v2.13.1/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
+| [argocd:v2.13.1](v2.13.1/quay.io_argoproj_argocd_v2.13.1.html) | 0 | 0 | 3 | 10 |
+| [redis:7.0.15-alpine](v2.13.1/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
+| [install.yaml](v2.13.1/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.13.1/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v2.12.8
+### v2.12.7
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.12.8/argocd-test.html) | 1 | 0 | 8 | 2 |
-| [ui/yarn.lock](v2.12.8/argocd-test.html) | 0 | 0 | 1 | 0 |
-| [dex:v2.38.0](v2.12.8/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 7 |
-| [haproxy:2.6.17-alpine](v2.12.8/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
-| [redis:7.0.15-alpine](v2.12.8/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
-| [argocd:v2.12.8](v2.12.8/quay.io_argoproj_argocd_v2.12.8.html) | 0 | 0 | 3 | 10 |
-| [redis:7.0.15-alpine](v2.12.8/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
-| [install.yaml](v2.12.8/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.12.8/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.12.7/argocd-test.html) | 0 | 0 | 8 | 2 |
+| [ui/yarn.lock](v2.12.7/argocd-test.html) | 0 | 0 | 1 | 0 |
+| [dex:v2.38.0](v2.12.7/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 7 |
+| [haproxy:2.6.17-alpine](v2.12.7/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html) | 0 | 0 | 2 | 4 |
+| [redis:7.0.15-alpine](v2.12.7/public.ecr.aws_docker_library_redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
+| [argocd:v2.12.7](v2.12.7/quay.io_argoproj_argocd_v2.12.7.html) | 0 | 0 | 3 | 11 |
+| [redis:7.0.15-alpine](v2.12.7/redis_7.0.15-alpine.html) | 0 | 0 | 0 | 1 |
+| [install.yaml](v2.12.7/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.12.7/argocd-iac-namespace-install.html) | - | - | - | - |
 
 ### v2.11.12
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.11.12/argocd-test.html) | 1 | 2 | 9 | 2 |
+| [go.mod](v2.11.12/argocd-test.html) | 0 | 2 | 9 | 2 |
 | [ui/yarn.lock](v2.11.12/argocd-test.html) | 0 | 0 | 1 | 0 |
 | [dex:v2.38.0](v2.11.12/ghcr.io_dexidp_dex_v2.38.0.html) | 0 | 0 | 6 | 7 |
 | [haproxy:2.6.14-alpine](v2.11.12/haproxy_2.6.14-alpine.html) | 0 | 1 | 7 | 7 |

docs/snyk/master/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:23:55 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:23:04 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>
@@ -2861,7 +2861,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24846
+                              Line number: 24840
                           </li>
                       </ul>
               

docs/snyk/master/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:24:05 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:23:14 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>
@@ -2815,7 +2815,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 2169
+                              Line number: 2163
                           </li>
                       </ul>
               

docs/snyk/master/argocd-test.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:21:36 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:20:56 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -470,7 +470,7 @@
               <div class="meta-counts">
                 <div class="meta-count"><span>7</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>26 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2160</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>2158</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->

docs/snyk/master/ghcr.io_dexidp_dex_v2.41.1.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="23 known vulnerabilities found in 44 vulnerable dependency paths.">
+  <meta name="description" content="22 known vulnerabilities found in 43 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:21:47 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:21:06 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -469,8 +469,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>23</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>44 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>22</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>43 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>969</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -479,80 +479,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
-            <div class="card__section">
-        
-                <div class="label label--critical">
-                    <span class="label__text">critical severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            golang.org/x/crypto/ssh
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/hairyhenderson/gomplate/v4@*
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@v0.24.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
-        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
-        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
-        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
-        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
-        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
-        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
-        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">Insertion of Sensitive Information into Log File</h2>
             <div class="card__section">

docs/snyk/master/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:21:52 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:21:11 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/master/public.ecr.aws_docker_library_redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:22:00 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:21:15 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/master/quay.io_argoproj_argocd_latest.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:22:20 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:21:33 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -472,7 +472,7 @@
               <div class="meta-counts">
                 <div class="meta-count"><span>20</span> <span>known vulnerabilities</span></div>
                 <div class="meta-count"><span>100 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2380</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>2378</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->

docs/snyk/master/redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:22:25 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:21:38 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.11.12/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:31:10 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:30:13 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.11.12/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:31:19 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:30:22 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.11.12/argocd-test.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="15 known vulnerabilities found in 1089 vulnerable dependency paths.">
+  <meta name="description" content="14 known vulnerabilities found in 1075 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:29:14 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:28:19 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -467,8 +467,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>15</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>1089 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>14</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>1075 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>2041</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -477,277 +477,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
-            <div class="card__section">
-        
-                <div class="label label--critical">
-                    <span class="label__text">critical severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            golang.org/x/crypto/ssh
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/argoproj/argo-cd/v2@0.0.0 and golang.org/x/crypto/ssh@0.19.0
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/ssh-agent@0.3.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/ssh-agent@0.3.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.11.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/ssh-agent@0.3.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
-        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
-        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
-        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
-        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
-        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
-        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
-        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Denial of Service (DoS)</h2>
             <div class="card__section">

docs/snyk/v2.11.12/ghcr.io_dexidp_dex_v2.38.0.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="42 known vulnerabilities found in 130 vulnerable dependency paths.">
+  <meta name="description" content="41 known vulnerabilities found in 129 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:29:22 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:28:28 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -469,8 +469,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>42</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>130 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>41</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>129 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>829</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -479,80 +479,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
-            <div class="card__section">
-        
-                <div class="label label--critical">
-                    <span class="label__text">critical severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: ghcr.io/dexidp/dex:v2.38.0/hairyhenderson/gomplate/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            golang.org/x/crypto/ssh
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/crypto/ssh@v0.18.0
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/hairyhenderson/gomplate/v3@*
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@v0.18.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
-        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
-        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
-        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
-        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
-        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
-        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
-        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
             <div class="card__section">

docs/snyk/v2.11.12/haproxy_2.6.14-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:29:27 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:28:32 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v2.11.12/quay.io_argoproj_argocd_v2.11.12.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="38 known vulnerabilities found in 210 vulnerable dependency paths.">
+  <meta name="description" content="37 known vulnerabilities found in 209 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:29:45 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:28:51 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -470,8 +470,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>38</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>210 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>37</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>209 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>2280</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -480,80 +480,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
-            <div class="card__section">
-        
-                <div class="label label--critical">
-                    <span class="label__text">critical severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: quay.io/argoproj/argocd:v2.11.12/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> /usr/local/bin/argocd
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            golang.org/x/crypto/ssh
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/argoproj/argo-cd/v2@* and golang.org/x/crypto/ssh@v0.19.0
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@*
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@v0.19.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
-        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
-        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
-        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
-        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
-        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
-        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
-        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Denial of Service (DoS)</h2>
             <div class="card__section">
@@ -5265,7 +5191,6 @@
         <li><a href="https://curl.se/docs/CVE-2024-9681.json">https://curl.se/docs/CVE-2024-9681.json</a></li>
         <li><a href="https://hackerone.com/reports/2764830">https://hackerone.com/reports/2764830</a></li>
         <li><a href="http://www.openwall.com/lists/oss-security/2024/11/06/2">http://www.openwall.com/lists/oss-security/2024/11/06/2</a></li>
-        <li><a href="https://security.netapp.com/advisory/ntap-20241213-0006/">https://security.netapp.com/advisory/ntap-20241213-0006/</a></li>
         </ul>
         
               <hr/>

docs/snyk/v2.11.12/redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:29:49 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:28:55 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.12.7/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:28:50 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:27:55 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.12.7/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:28:59 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:28:04 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.12.7/argocd-test.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="11 known vulnerabilities found in 53 vulnerable dependency paths.">
+  <meta name="description" content="11 known vulnerabilities found in 37 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:24:18 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:25:56 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -468,8 +468,8 @@
     
               <div class="meta-counts">
                 <div class="meta-count"><span>11</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>53 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2131</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>37 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>2061</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
@@ -477,314 +477,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
-            <div class="card__section">
-        
-                <div class="label label--critical">
-                    <span class="label__text">critical severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            golang.org/x/crypto/ssh
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/argoproj/argo-cd/v2@0.0.0 and golang.org/x/crypto/ssh@0.27.0
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.27.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-fed/httpsig@1.1.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.19.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.27.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/ssh-agent@0.3.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.27.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.27.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/ssh-agent@0.3.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.27.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.27.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/ssh-agent@0.3.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.27.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.27.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.27.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
-        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
-        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
-        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
-        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
-        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
-        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
-        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">LGPL-3.0 license</h2>
             <div class="card__section">
@@ -846,6 +538,118 @@
                 <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
             </div>
         
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
+                    </li>
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            github.com/rs/cors
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+        
+                                    github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/argoproj/argo-cd/v2@0.0.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        github.com/rs/cors@1.9.0
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">
+        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
+            resps := makeFakeResponses(b.N)
+            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
+            req.Header.Add(headerOrigin, dummyOrigin)
+            req.Header.Add(headerACRM, http.MethodGet)
+            req.Header[headerACRH] = adversarialACRH
+            handler := Default().Handler(testHandler)
+        
+            b.ReportAllocs()
+            b.ResetTimer()
+            for i := 0; i &lt; b.N; i++ {
+                handler.ServeHTTP(resps[i], req)
+            }
+        }
+        
+        var adversarialACRH []string
+        
+        func init() { // populates adversarialACRH
+            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
+            commas := strings.Repeat(&quot;,&quot;, n)
+            res := make([]string, n)
+            for i := range res {
+                res[i] = commas
+            }
+            adversarialACRH = res
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
+        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
+        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
+            </div>
+        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">MPL-2.0 license</h2>
@@ -933,7 +737,7 @@
                     <li class="card__meta__item">Introduced through:
         
         
-                                    github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.19.0 and others
+                                    github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.18.0 and others
                     </li>
                 </ul>
         
@@ -947,7 +751,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.19.0
+                                        code.gitea.io/sdk/gitea@0.18.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-version@1.6.0
                                         
@@ -1029,7 +833,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.109.0
+                                        github.com/xanzy/go-gitlab@0.91.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-retryablehttp@0.7.7
                                         
@@ -1235,7 +1039,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.109.0
+                                        github.com/xanzy/go-gitlab@0.91.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-cleanhttp@0.5.2
                                         
@@ -1246,7 +1050,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.109.0
+                                        github.com/xanzy/go-gitlab@0.91.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-retryablehttp@0.7.7
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1382,7 +1186,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.14.0
+                                github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.13.1
         
                     </li>
                 </ul>
@@ -1397,7 +1201,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/gosimple/slug@1.14.0
+                                        github.com/gosimple/slug@1.13.1
                                         
                                 </span>
         
@@ -1702,7 +1506,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1715,7 +1519,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1730,7 +1534,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1745,7 +1549,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1779,7 +1583,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1796,7 +1600,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         

docs/snyk/v2.12.7/ghcr.io_dexidp_dex_v2.38.0.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="42 known vulnerabilities found in 130 vulnerable dependency paths.">
+  <meta name="description" content="41 known vulnerabilities found in 129 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:26:55 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:26:04 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -469,8 +469,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>42</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>130 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>41</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>129 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>829</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -479,80 +479,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
-            <div class="card__section">
-        
-                <div class="label label--critical">
-                    <span class="label__text">critical severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: ghcr.io/dexidp/dex:v2.38.0/hairyhenderson/gomplate/v3 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            golang.org/x/crypto/ssh
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/crypto/ssh@v0.18.0
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/hairyhenderson/gomplate/v3@*
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@v0.18.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
-        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
-        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
-        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
-        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
-        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
-        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
-        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
             <h2 class="card__title">Allocation of Resources Without Limits or Throttling</h2>
             <div class="card__section">

docs/snyk/v2.12.7/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:24:28 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:26:08 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v2.12.7/public.ecr.aws_docker_library_redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:27:03 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:26:12 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.12.7/redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:24:54 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:26:35 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.13.1/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:26:19 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:25:26 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>
@@ -881,7 +881,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23358
+                              Line number: 23359
                           </li>
                       </ul>
               
@@ -933,7 +933,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23657
+                              Line number: 23658
                           </li>
                       </ul>
               
@@ -991,7 +991,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 22895
+                              Line number: 22896
                           </li>
                       </ul>
               
@@ -1049,7 +1049,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23164
+                              Line number: 23165
                           </li>
                       </ul>
               
@@ -1107,7 +1107,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23118
+                              Line number: 23119
                           </li>
                       </ul>
               
@@ -1165,7 +1165,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23224
+                              Line number: 23225
                           </li>
                       </ul>
               
@@ -1223,7 +1223,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23329
+                              Line number: 23330
                           </li>
                       </ul>
               
@@ -1281,7 +1281,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23353
+                              Line number: 23354
                           </li>
                       </ul>
               
@@ -1339,7 +1339,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23657
+                              Line number: 23658
                           </li>
                       </ul>
               
@@ -1397,7 +1397,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23410
+                              Line number: 23411
                           </li>
                       </ul>
               
@@ -1455,7 +1455,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23742
+                              Line number: 23743
                           </li>
                       </ul>
               
@@ -1513,7 +1513,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24132
+                              Line number: 24133
                           </li>
                       </ul>
               
@@ -1565,7 +1565,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23144
+                              Line number: 23145
                           </li>
                       </ul>
               
@@ -1617,7 +1617,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 22895
+                              Line number: 22896
                           </li>
                       </ul>
               
@@ -1669,7 +1669,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23118
+                              Line number: 23119
                           </li>
                       </ul>
               
@@ -1721,7 +1721,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23329
+                              Line number: 23330
                           </li>
                       </ul>
               
@@ -1779,7 +1779,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 22895
+                              Line number: 22896
                           </li>
                       </ul>
               
@@ -1837,7 +1837,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23118
+                              Line number: 23119
                           </li>
                       </ul>
               
@@ -1895,7 +1895,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23164
+                              Line number: 23165
                           </li>
                       </ul>
               
@@ -1953,7 +1953,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23224
+                              Line number: 23225
                           </li>
                       </ul>
               
@@ -2011,7 +2011,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23329
+                              Line number: 23330
                           </li>
                       </ul>
               
@@ -2069,7 +2069,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23353
+                              Line number: 23354
                           </li>
                       </ul>
               
@@ -2127,7 +2127,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23657
+                              Line number: 23658
                           </li>
                       </ul>
               
@@ -2185,7 +2185,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23410
+                              Line number: 23411
                           </li>
                       </ul>
               
@@ -2243,7 +2243,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23742
+                              Line number: 23743
                           </li>
                       </ul>
               
@@ -2301,7 +2301,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24132
+                              Line number: 24133
                           </li>
                       </ul>
               
@@ -2357,7 +2357,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23042
+                              Line number: 23043
                           </li>
                       </ul>
               
@@ -2413,7 +2413,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23172
+                              Line number: 23173
                           </li>
                       </ul>
               
@@ -2469,7 +2469,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23147
+                              Line number: 23148
                           </li>
                       </ul>
               
@@ -2525,7 +2525,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23263
+                              Line number: 23264
                           </li>
                       </ul>
               
@@ -2581,7 +2581,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23346
+                              Line number: 23347
                           </li>
                       </ul>
               
@@ -2637,7 +2637,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23360
+                              Line number: 23361
                           </li>
                       </ul>
               
@@ -2693,7 +2693,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23664
+                              Line number: 23665
                           </li>
                       </ul>
               
@@ -2749,7 +2749,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 23630
+                              Line number: 23631
                           </li>
                       </ul>
               
@@ -2805,7 +2805,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24033
+                              Line number: 24034
                           </li>
                       </ul>
               
@@ -2861,7 +2861,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 24351
+                              Line number: 24352
                           </li>
                       </ul>
               

docs/snyk/v2.13.1/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:26:29 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:25:35 am (UTC+00:00)</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.13.1/argocd-test.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="12 known vulnerabilities found in 54 vulnerable dependency paths.">
+  <meta name="description" content="10 known vulnerabilities found in 36 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:26:45 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:23:27 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -467,9 +467,9 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>12</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>54 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>2061</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>10</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>36 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>2131</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
@@ -477,314 +477,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
-            <div class="card__section">
-        
-                <div class="label label--critical">
-                    <span class="label__text">critical severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            golang.org/x/crypto/ssh
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/argoproj/argo-cd/v2@0.0.0 and golang.org/x/crypto/ssh@0.23.0
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.18.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.23.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.18.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-fed/httpsig@1.1.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.18.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.23.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/ssh-agent@0.3.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.23.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.23.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/ssh-agent@0.3.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.23.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.23.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/ssh-agent@0.3.3
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/agent@0.23.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/client@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/go-git/go-git/v5/plumbing/transport/ssh@5.12.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/skeema/knownhosts@1.2.2
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh/knownhosts@0.23.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@0.23.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
-        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
-        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
-        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
-        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
-        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
-        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
-        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">LGPL-3.0 license</h2>
             <div class="card__section">
@@ -846,118 +538,6 @@
                 <p><a href="https://snyk.io/vuln/snyk:lic:golang:gopkg.in:retry.v1:LGPL-3.0">More about this vulnerability</a></p>
             </div>
         
-        </div><!-- .card -->
-        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">Denial of Service (DoS)</h2>
-            <div class="card__section">
-        
-                <div class="label label--medium">
-                    <span class="label__text">medium severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: /argo-cd/argoproj/argo-cd/v2 <span class="list-paths__item__arrow">›</span> go.mod
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            github.com/rs/cors
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-        
-                                    github.com/argoproj/argo-cd/v2@0.0.0, github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0 and others
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/argoproj/argo-cd/v2@0.0.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/improbable-eng/grpc-web/go/grpcweb@0.15.0
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        github.com/rs/cors@1.9.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) through the processing of malicious preflight requests that include a <code>Access-Control-Request-Headers</code> header with excessive commas. An attacker can induce excessive memory consumption and potentially crash the server by sending specially crafted requests.</p>
-        <h2 id="poc">PoC</h2>
-        <pre><code class="language-golang">
-        func BenchmarkPreflightAdversarialACRH(b *testing.B) {
-            resps := makeFakeResponses(b.N)
-            req, _ := http.NewRequest(http.MethodOptions, dummyEndpoint, nil)
-            req.Header.Add(headerOrigin, dummyOrigin)
-            req.Header.Add(headerACRM, http.MethodGet)
-            req.Header[headerACRH] = adversarialACRH
-            handler := Default().Handler(testHandler)
-        
-            b.ReportAllocs()
-            b.ResetTimer()
-            for i := 0; i &lt; b.N; i++ {
-                handler.ServeHTTP(resps[i], req)
-            }
-        }
-        
-        var adversarialACRH []string
-        
-        func init() { // populates adversarialACRH
-            n := int(math.Floor(math.Sqrt(http.DefaultMaxHeaderBytes)))
-            commas := strings.Repeat(&quot;,&quot;, n)
-            res := make([]string, n)
-            for i := range res {
-                res[i] = commas
-            }
-            adversarialACRH = res
-        }
-        </code></pre>
-        <h2 id="details">Details</h2>
-        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
-        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
-        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
-        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
-        <p>Two common types of DoS vulnerabilities:</p>
-        <ul>
-        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="https://security.snyk.io/vuln/SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
-        </li>
-        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
-        </li>
-        </ul>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>github.com/rs/cors</code> to version 1.11.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/rs/cors/commit/4c32059b2756926619f6bf70281b91be7b5dddb2">GitHub Commit</a></li>
-        <li><a href="https://github.com/rs/cors/issues/170">GitHub Issue</a></li>
-        <li><a href="https://github.com/rs/cors/pull/171">GitHub PR</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRSCORS-7430192">More about this vulnerability</a></p>
-            </div>
-        
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">MPL-2.0 license</h2>
@@ -1045,7 +625,7 @@
                     <li class="card__meta__item">Introduced through:
         
         
-                                    github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.18.0 and others
+                                    github.com/argoproj/argo-cd/v2@0.0.0, code.gitea.io/sdk/gitea@0.19.0 and others
                     </li>
                 </ul>
         
@@ -1059,7 +639,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        code.gitea.io/sdk/gitea@0.18.0
+                                        code.gitea.io/sdk/gitea@0.19.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-version@1.6.0
                                         
@@ -1141,7 +721,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.91.1
+                                        github.com/xanzy/go-gitlab@0.109.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-retryablehttp@0.7.7
                                         
@@ -1347,7 +927,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.91.1
+                                        github.com/xanzy/go-gitlab@0.109.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-cleanhttp@0.5.2
                                         
@@ -1358,7 +938,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/xanzy/go-gitlab@0.91.1
+                                        github.com/xanzy/go-gitlab@0.109.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/hashicorp/go-retryablehttp@0.7.7
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1494,7 +1074,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.13.1
+                                github.com/argoproj/argo-cd/v2@0.0.0 and github.com/gosimple/slug@1.14.0
         
                     </li>
                 </ul>
@@ -1509,7 +1089,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/gosimple/slug@1.13.1
+                                        github.com/gosimple/slug@1.14.0
                                         
                                 </span>
         
@@ -1814,7 +1394,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         github.com/argoproj/argo-cd/v2@0.0.0
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1827,7 +1407,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1842,7 +1422,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1857,7 +1437,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1891,7 +1471,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         
@@ -1908,7 +1488,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/argoproj/notifications-engine/pkg/services@#0802cd427621
                                          <span class="list-paths__item__arrow">›</span> 
-                                        github.com/bradleyfalzon/ghinstallation/v2@2.6.0
+                                        github.com/bradleyfalzon/ghinstallation/v2@2.11.0
                                          <span class="list-paths__item__arrow">›</span> 
                                         github.com/golang-jwt/jwt/v4@4.5.0
                                         

docs/snyk/v2.13.1/ghcr.io_dexidp_dex_v2.41.1.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="23 known vulnerabilities found in 44 vulnerable dependency paths.">
+  <meta name="description" content="22 known vulnerabilities found in 43 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:24:25 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:23:34 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>
@@ -469,8 +469,8 @@
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>23</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>44 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>22</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>43 vulnerable dependency paths</span></div>
                 <div class="meta-count"><span>969</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
@@ -479,80 +479,6 @@
 
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
-        <div class="card card--vuln  disclosure--not-new severity--critical" data-snyk-test="critical">
-            <h2 class="card__title">Incorrect Implementation of Authentication Algorithm</h2>
-            <div class="card__section">
-        
-                <div class="label label--critical">
-                    <span class="label__text">critical severity</span>
-                </div>
-        
-                <hr/>
-        
-                <ul class="card__meta">
-                    <li class="card__meta__item">
-                        Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 <span class="list-paths__item__arrow">›</span> /usr/local/bin/gomplate
-                    </li>
-                    <li class="card__meta__item">
-                        Package Manager: golang
-                    </li>
-                    <li class="card__meta__item">
-                            Vulnerable module:
-        
-                            golang.org/x/crypto/ssh
-                    </li>
-        
-                    <li class="card__meta__item">Introduced through:
-        
-                                github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0
-        
-                    </li>
-                </ul>
-        
-                <hr/>
-        
-        
-                        <h3 class="card__section__title">Detailed paths</h3>
-        
-                    <ul class="card__meta__paths">
-                                <li>
-                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
-                                        github.com/hairyhenderson/gomplate/v4@*
-                                         <span class="list-paths__item__arrow">›</span> 
-                                        golang.org/x/crypto/ssh@v0.24.0
-                                        
-                                </span>
-        
-                            </li>
-                    </ul><!-- .list-paths -->
-        
-            </div><!-- .card__section -->
-        
-              <hr/>
-              <!-- Overview -->
-              <h2 id="overview">Overview</h2>
-        <p><a href="https://pkg.go.dev/golang.org/x/crypto/ssh?tab=doc">golang.org/x/crypto/ssh</a> is a SSH client and server</p>
-        <p>Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate <code>ServerConfig.PublicKeyCallback</code> callbacks.</p>
-        <p><strong>Note:</strong> The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states &quot;A call to this function does not guarantee that the key offered is in fact used to authenticate.&quot; The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as <code>PasswordCallback</code>, <code>KeyboardInteractiveCallback</code>, or <code>NoClientAuth</code>. It is therefore recommended to rely on the return values of the connection itself, found in <code>ServerConn.Permissions</code> for further authorization steps.</p>
-        <h2 id="remediation">Remediation</h2>
-        <p>Upgrade <code>golang.org/x/crypto/ssh</code> to version 0.31.0 or higher.</p>
-        <h2 id="references">References</h2>
-        <ul>
-        <li><a href="https://github.com/golang/crypto/commit/b4f1988a35dee11ec3e05d6bf3e90b695fbd8909">GitHub Commit</a></li>
-        <li><a href="https://github.com/golang/go/issues/20094">GitHub Issue</a></li>
-        <li><a href="https://go.dev/cl/635315">go.dev Commit</a></li>
-        <li><a href="https://go.dev/issue/70779">go.dev Issue</a></li>
-        <li><a href="https://groups.google.com/g/golang-announce/c/-nPEi39gI4Q/m/cGVPJCqdAQAJ">Google Groups Forum</a></li>
-        <li><a href="https://pkg.go.dev/vuln/GO-2024-3321">Go Vulnerability Database</a></li>
-        </ul>
-        
-              <hr/>
-        
-            <div class="cta card__cta">
-                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXCRYPTOSSH-8496611">More about this vulnerability</a></p>
-            </div>
-        
-        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">Insertion of Sensitive Information into Log File</h2>
             <div class="card__section">

docs/snyk/v2.13.1/public.ecr.aws_docker_library_haproxy_2.6.17-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:26:58 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:23:37 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v2.13.1/public.ecr.aws_docker_library_redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:24:32 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:23:41 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/snyk/v2.13.1/redis_7.0.15-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 15th 2024, 12:27:27 am (UTC+00:00)</p>
+                <p class="timestamp">December 8th 2024, 12:24:03 am (UTC+00:00)</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following paths:</span>

docs/user-guide/commands/argocd.md

@@ -31,7 +31,6 @@ argocd [flags]
       --port-forward                    Connect to a random argocd-server port using port forwarding
       --port-forward-namespace string   Namespace name which should be used for port forwarding
       --prompts-enabled                 Force optional interactive prompts to be enabled or disabled, overriding local configuration. If not specified, the local configuration value will be used, which is false by default.
-      --redis-compress string           Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none) (default "gzip")
       --redis-haproxy-name string       Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy")
       --redis-name string               Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis")
       --repo-server-name string         Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server")

docs/user-guide/commands/argocd_account.md

@@ -71,7 +71,6 @@ argocd account [flags]
       --port-forward                    Connect to a random argocd-server port using port forwarding
       --port-forward-namespace string   Namespace name which should be used for port forwarding
       --prompts-enabled                 Force optional interactive prompts to be enabled or disabled, overriding local configuration. If not specified, the local configuration value will be used, which is false by default.
-      --redis-compress string           Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none) (default "gzip")
       --redis-haproxy-name string       Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy")
       --redis-name string               Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis")
       --repo-server-name string         Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server")

docs/user-guide/commands/argocd_account_bcrypt.md

@@ -44,7 +44,6 @@ argocd account bcrypt --password YOUR_PASSWORD
       --port-forward                    Connect to a random argocd-server port using port forwarding
       --port-forward-namespace string   Namespace name which should be used for port forwarding
       --prompts-enabled                 Force optional interactive prompts to be enabled or disabled, overriding local configuration. If not specified, the local configuration value will be used, which is false by default.
-      --redis-compress string           Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none) (default "gzip")
       --redis-haproxy-name string       Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy")
       --redis-name string               Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis")
       --repo-server-name string         Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server")

docs/user-guide/commands/argocd_account_can-i.md

@@ -22,7 +22,7 @@ argocd account can-i update projects 'default'
 argocd account can-i create clusters '*'
 
 Actions: [get create update delete sync override action invoke]
-Resources: [clusters projects applications applicationsets repositories write-repositories certificates accounts gpgkeys logs exec extensions]
+Resources: [clusters projects applications applicationsets repositories certificates accounts gpgkeys logs exec extensions]
 
 ```
 
@@ -54,7 +54,6 @@ Resources: [clusters projects applications applicationsets repositories write-re
       --port-forward                    Connect to a random argocd-server port using port forwarding
       --port-forward-namespace string   Namespace name which should be used for port forwarding
       --prompts-enabled                 Force optional interactive prompts to be enabled or disabled, overriding local configuration. If not specified, the local configuration value will be used, which is false by default.
-      --redis-compress string           Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none) (default "gzip")
       --redis-haproxy-name string       Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy")
       --redis-name string               Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis")
       --repo-server-name string         Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server")

docs/user-guide/commands/argocd_account_delete-token.md

@@ -47,7 +47,6 @@ argocd account delete-token --account <account-name> ID
       --port-forward                    Connect to a random argocd-server port using port forwarding
       --port-forward-namespace string   Namespace name which should be used for port forwarding
       --prompts-enabled                 Force optional interactive prompts to be enabled or disabled, overriding local configuration. If not specified, the local configuration value will be used, which is false by default.
-      --redis-compress string           Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none) (default "gzip")
       --redis-haproxy-name string       Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy")
       --redis-name string               Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis")
       --repo-server-name string         Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server")

docs/user-guide/commands/argocd_account_generate-token.md

@@ -49,7 +49,6 @@ argocd account generate-token --account <account-name>
       --port-forward                    Connect to a random argocd-server port using port forwarding
       --port-forward-namespace string   Namespace name which should be used for port forwarding
       --prompts-enabled                 Force optional interactive prompts to be enabled or disabled, overriding local configuration. If not specified, the local configuration value will be used, which is false by default.
-      --redis-compress string           Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none) (default "gzip")
       --redis-haproxy-name string       Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy")
       --redis-name string               Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis")
       --repo-server-name string         Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server")

docs/user-guide/commands/argocd_account_get-user-info.md

@@ -47,7 +47,6 @@ argocd account get-user-info [flags]
       --port-forward                    Connect to a random argocd-server port using port forwarding
       --port-forward-namespace string   Namespace name which should be used for port forwarding
       --prompts-enabled                 Force optional interactive prompts to be enabled or disabled, overriding local configuration. If not specified, the local configuration value will be used, which is false by default.
-      --redis-compress string           Enable this if the application controller is configured with redis compression enabled. (possible values: gzip, none) (default "gzip")
       --redis-haproxy-name string       Name of the Redis HA Proxy; set this or the ARGOCD_REDIS_HAPROXY_NAME environment variable when the HA Proxy's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis-ha-haproxy")
       --redis-name string               Name of the Redis deployment; set this or the ARGOCD_REDIS_NAME environment variable when the Redis's name label differs from the default, for example when installing via the Helm chart (default "argocd-redis")
       --repo-server-name string         Name of the Argo CD Repo server; set this or the ARGOCD_REPO_SERVER_NAME environment variable when the server's name label differs from the default, for example when installing via the Helm chart (default "argocd-repo-server")