Bump version to 2.2.16

Signed-off-by: backfire-monism-net <development.0extl@simplelogin.com>

Signed-off-by: backfire-monism-net <development.0extl@simplelogin.com>

.github/workflows/ci-build.yaml

@@ -15,6 +15,13 @@ env:
   # Golang version to use across CI steps
   GOLANG_VERSION: '1.16.11'
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build-docker:
     name: Build Docker image
@@ -31,9 +38,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -49,13 +56,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -66,11 +73,14 @@ jobs:
         run: make build-local
 
   lint-go:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Go code
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
@@ -86,11 +96,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -110,7 +120,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -146,11 +156,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -170,7 +180,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -197,9 +207,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -244,14 +254,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup NodeJS
         uses: actions/setup-node@v1
         with:
           node-version: '12.18.4'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -280,12 +290,12 @@ jobs:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -356,9 +366,9 @@ jobs:
       ARGOCD_SERVER: "127.0.0.1:8088"
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
@@ -376,7 +386,7 @@ jobs:
           sudo chown runner $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -399,7 +409,7 @@ jobs:
           git config --global user.email "john.doe@example.com"
       - name: Pull Docker image required for tests
         run: |
-          docker pull ghcr.io/dexidp/dex:v2.35.0-distroless
+          docker pull ghcr.io/dexidp/dex:v2.35.3-distroless
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
           docker pull redis:6.2.7-alpine
       - name: Create target directory for binaries in the build-process

.github/workflows/codeql.yml

@@ -6,15 +6,27 @@ on:
   schedule:
     - cron: '0 19 * * 0'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   CodeQL-Build:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
+    if: github.repository == 'argoproj/argo-cd'
 
     # CodeQL runs on ubuntu-latest and windows-latest
     runs-on: ubuntu-latest
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -24,7 +36,7 @@ jobs:
     # the head of the pull request instead of the merge commit.
     - run: git checkout HEAD^2
       if: ${{ github.event_name == 'pull_request' }}
-      
+
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v1

.github/workflows/image.yaml

@@ -8,13 +8,23 @@ on:
 env:
   GOLANG_VERSION: '1.16.11'
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   publish:
+    permissions:
+      contents: write  # for git to push upgrade commit if not already deployed
+    if: github.repository == 'argoproj/argo-cd'
     runs-on: ubuntu-latest
     env:
       GOPATH: /home/runner/work/argo-cd/argo-cd
     steps:
-      - uses: actions/setup-go@v1
+      - uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - uses: actions/checkout@master
@@ -46,6 +56,22 @@ jobs:
           DOCKER_USERNAME: ${{ secrets.RELEASE_DOCKERHUB_USERNAME }}
           DOCKER_TOKEN: ${{ secrets.RELEASE_DOCKERHUB_TOKEN }}
 
+      # sign container images
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.0'
+
+      - name: Sign Argo CD latest image
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd:latest
+          # Displays the public key to share.
+          cosign public-key --key env://COSIGN_PRIVATE_KEY
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+        if: ${{ github.event_name == 'push' }}
+
       # deploy
       - run: git clone "https://$TOKEN@github.com/argoproj/argoproj-deployments"
         env:

.github/workflows/release.yaml

@@ -14,8 +14,13 @@ on:
 env:
     GOLANG_VERSION: '1.16.11'
 
+permissions:
+  contents: read
+
 jobs:
   prepare-release:
+    permissions:
+      contents: write # To push changes to release branch
     name: Perform automatic release on trigger ${{ github.ref }}
     runs-on: ubuntu-latest
     env:
@@ -37,7 +42,7 @@ jobs:
       GIT_EMAIL: argoproj@gmail.com
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -94,7 +99,7 @@ jobs:
           echo "=========== BEGIN COMMIT MESSAGE ============="
           git show ${SOURCE_TAG}
           echo "============ END COMMIT MESSAGE =============="
-          
+
           # Quite dirty hack to get the release notes from the annotated tag
           # into a temporary file.
           RELEASE_NOTES=$(mktemp -p /tmp release-notes.XXXXXX)
@@ -141,7 +146,7 @@ jobs:
           echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
 
       - name: Setup Golang
-        uses: actions/setup-go@v1
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
@@ -207,12 +212,32 @@ jobs:
           docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
           docker tag ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} argoproj/argocd:v${TARGET_VERSION}
           docker push argoproj/argocd:v${TARGET_VERSION}
+          make release-cli
+          make checksums
+          chmod +x ./dist/argocd-linux-amd64
+          ./dist/argocd-linux-amd64 version --client
+        if: ${{ env.DRY_RUN != 'true' }}
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@main
+        with:
+          cosign-release: 'v1.13.0'
+
+      - name: Sign Argo CD container images and assets
+        run: |
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
+          # Retrieves the public key to release as an asset
+          cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
+        env:
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Read release notes file
         id: release-notes
         uses: juliangruber/read-file-action@v1
-        with: 
+        with:
           path: ${{ env.RELEASE_NOTES }}
 
       - name: Push changes to release branch
@@ -221,7 +246,7 @@ jobs:
           git push origin ${TARGET_BRANCH}
           git push origin ${RELEASE_TAG}
 
-      - name: Create GitHub release
+      - name: Dry run GitHub release
         uses: actions/create-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -232,38 +257,61 @@ jobs:
           draft: ${{ env.DRAFT_RELEASE }}
           prerelease: ${{ env.PRE_RELEASE }}
           body: ${{ steps.release-notes.outputs.content }}
+        if: ${{ env.DRY_RUN == 'true' }}
 
-      - name: Upload argocd-linux-amd64 binary to release assets
-        uses: actions/upload-release-asset@v1
+      - name: Generate SBOM (spdx)
+        id: spdx-builder
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./dist/argocd-linux-amd64
-          asset_name: argocd-linux-amd64
-          asset_content_type: application/octet-stream
+          # defines the spdx/spdx-sbom-generator version to use.
+          SPDX_GEN_VERSION: v0.0.13
+          # defines the sigs.k8s.io/bom version to use.
+          SIGS_BOM_VERSION: v0.2.1
+          # comma delimited list of project relative folders to inspect for package
+          # managers (gomod, yarn, npm).
+          PROJECT_FOLDERS: ".,./ui"
+          # full qualified name of the docker image to be inspected
+          DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
+        run: |
+          yarn install --cwd ./ui
+          go install github.com/spdx/spdx-sbom-generator/cmd/generator@$SPDX_GEN_VERSION
+          go install sigs.k8s.io/bom/cmd/bom@$SIGS_BOM_VERSION
+
+          # Generate SPDX for project dependencies analyzing package managers
+          for folder in $(echo $PROJECT_FOLDERS | sed "s/,/ /g")
+          do
+            generator -p $folder -o /tmp
+          done
+
+          # Generate SPDX for binaries analyzing the docker image
+          if [[ ! -z $DOCKER_IMAGE ]]; then
+            bom generate -o /tmp/bom-docker-image.spdx -i $DOCKER_IMAGE
+          fi
+
+          cd /tmp && tar -zcf sbom.tar.gz *.spdx
         if: ${{ env.DRY_RUN != 'true' }}
 
-      - name: Upload argocd-darwin-amd64 binary to release assets
-        uses: actions/upload-release-asset@v1
+      - name: Sign sbom
+        run: |
+          cosign sign-blob --key env://COSIGN_PRIVATE_KEY /tmp/sbom.tar.gz > /tmp/sbom.tar.gz.sig
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./dist/argocd-darwin-amd64
-          asset_name: argocd-darwin-amd64
-          asset_content_type: application/octet-stream
+          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
         if: ${{ env.DRY_RUN != 'true' }}
 
-      - name: Upload argocd-windows-amd64 binary to release assets
-        uses: actions/upload-release-asset@v1
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: ./dist/argocd-windows-amd64.exe
-          asset_name: argocd-windows-amd64.exe
-          asset_content_type: application/octet-stream
+          name: ${{ env.RELEASE_TAG }}
+          tag_name: ${{ env.RELEASE_TAG }}
+          draft: ${{ env.DRAFT_RELEASE }}
+          prerelease: ${{ env.PRE_RELEASE }}
+          body: ${{ steps.release-notes.outputs.content }}
+          files: |
+            dist/argocd-*
+            /tmp/sbom.tar.gz
+            /tmp/sbom.tar.gz.sig
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Update homebrew formula
@@ -280,3 +328,4 @@ jobs:
           set -ue
           git push --delete origin ${SOURCE_TAG}
         if: ${{ always() }}
+

Makefile

@@ -23,7 +23,7 @@ DOCKER_WORKDIR?=/go/src/github.com/argoproj/argo-cd
 
 ARGOCD_PROCFILE?=Procfile
 
-# Strict mode has been disabled in latest versions of mkdocs-material. 
+# Strict mode has been disabled in latest versions of mkdocs-material.
 # Thus pointing to the older image of mkdocs-material matching the version used by argo-cd.
 MKDOCS_DOCKER_IMAGE?=squidfunk/mkdocs-material:4.1.1
 MKDOCS_RUN_ARGS?=
@@ -111,7 +111,7 @@ define run-in-test-client
 		bash -c "$(1)"
 endef
 
-# 
+#
 define exec-in-test-server
 	docker exec -it -u $(shell id -u):$(shell id -g) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
 endef
@@ -193,7 +193,7 @@ clientgen: ensure-gopath
 
 .PHONY: clidocsgen
 clidocsgen: ensure-gopath
-	go run tools/cmd-docs/main.go	
+	go run tools/cmd-docs/main.go
 
 .PHONY: codegen-local
 codegen-local: ensure-gopath mod-vendor-local gogen protogen clientgen openapigen clidocsgen manifests-local
@@ -542,3 +542,6 @@ dep-ui-local:
 
 start-test-k8s:
 	go run ./hack/k8s
+
+checksums:
+	sha256sum ./dist/$(BIN_NAME)-* | awk -F './dist/' '{print $$1 $$2}' > ./dist/$(BIN_NAME)-$(TARGET_VERSION)-checksums.txt

VERSION

@@ -1 +1 @@
-2.2.13
+2.2.16

docs/operator-manual/application.yaml

@@ -82,6 +82,14 @@ spec:
         - code: false
           name: foo
           value: bar
+      # Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during
+      # manifest generation. This takes precedence over the `include` field.
+      # To match multiple patterns, wrap the patterns in {} and separate them with commas. For example: '{config.yaml,env-use2/*}'
+      exclude: 'config.yaml'
+      # Include contains a glob pattern to match paths against that should be explicitly included during manifest
+      # generation. If this field is set, only matching manifests will be included.
+      # To match multiple patterns, wrap the patterns in {} and separate them with commas. For example: '{*.yml,*.yaml}'
+      include: '*.yaml'
 
     # plugin specific config
     plugin:

docs/operator-manual/high_availability.md

@@ -61,7 +61,7 @@ number of allowed concurrent kubectl fork/execs.
 * The controller uses Kubernetes watch APIs to maintain lightweight Kubernetes cluster cache. This allows to avoid querying Kubernetes during app reconciliation and significantly improve
 performance. For performance reasons controller monitors and caches only preferred the version of a resource. During reconciliation, the controller might have to convert cached resource from
 preferred version into a version of the resource stored in Git. If `kubectl convert` fails because conversion is not supported then controller falls back to Kubernetes API query which slows down
-reconciliation. In this case advice user-preferred resource version in Git.
+reconciliation. In this case, we advise you to use the preferred resource version in Git.
 
 * The controller polls Git every 3m by default. You can increase this duration using `timeout.reconciliation` setting in the `argocd-cm` ConfigMap.
 
@@ -126,19 +126,17 @@ If the manifest generation has no side effects then requests are processed in pa
 
 ### Webhook and Manifest Paths Annotation
 
-Argo CD aggressively caches generated manifests and uses repository commit SHA as a cache key. A new commit to the Git repository invalidates cache for all applications configured in the repository
-that again negatively affect mono repositories with multiple applications. You might use [webhooks ⧉](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/webhook.md) and `argocd.argoproj.io/manifest-generate-paths` Application
-CRD annotation to solve this problem and improve performance.
+Argo CD aggressively caches generated manifests and uses the repository commit SHA as a cache key. A new commit to the Git repository invalidates the cache for all applications configured in the repository.
+This can negatively affect repositories with multiple applications. You can use [webhooks](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/webhook.md) and the `argocd.argoproj.io/manifest-generate-paths` Application CRD annotation to solve this problem and improve performance.
 
-The `argocd.argoproj.io/manifest-generate-paths` contains a semicolon-separated list of paths within the Git repository that are used during manifest generation. The webhook compares paths specified in the annotation
-with the changed files specified in the webhook payload. If non of the changed files are located in the paths then webhook don't trigger application reconciliation and re-uses previously generated manifests cache for a new commit.
+The `argocd.argoproj.io/manifest-generate-paths` annotation contains a semicolon-separated list of paths within the Git repository that are used during manifest generation. The webhook compares paths specified in the annotation with the changed files specified in the webhook payload. If no modified files match the paths specified in `argocd.argoproj.io/manifest-generate-paths`, then the webhook will not trigger application reconciliation and the existing cache will be considered valid for the new commit.
 
-Installations that use a different repo for each app are **not** subject to this behavior and will likely get no benefit from using these annotations.
+Installations that use a different repository for each application are **not** subject to this behavior and will likely get no benefit from using these annotations.
 
 !!! note
-    Application manifest paths annotation support depends on the git provider used for the Application. It is currently only supported for GitHub, GitLab, and Gogs based repos
-I'm using `.Second()` modifier to avoid distracting users who already rely on `--app-resync` flag.
-* **Relative path** The annotation might contains relative path. In this case the path is considered relative to the path specified in the application source:
+    Application manifest paths annotation support depends on the git provider used for the Application. It is currently only supported for GitHub, GitLab, and Gogs based repos.
+
+* **Relative path** The annotation might contain a relative path. In this case the path is considered relative to the path specified in the application source:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -156,7 +154,8 @@ spec:
     path: guestbook
 # ...
 ```
-* **Absolute path** The annotation value might be an absolute path started from '/'. In this case path is considered as an absolute path within the Git repository:
+
+* **Absolute path** The annotation value might be an absolute path starting with '/'. In this case path is considered as an absolute path within the Git repository:
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1

docs/operator-manual/metrics.md

@@ -9,7 +9,7 @@ Metrics about applications. Scraped at the `argocd-metrics:8082/metrics` endpoin
 |--------|:----:|-------------|
 | `argocd_app_info` | gauge | Information about Applications. It contains labels such as `sync_status` and `health_status` that reflect the application state in ArgoCD. |
 | `argocd_app_k8s_request_total` | counter | Number of kubernetes requests executed during application reconciliation |
-| `argocd_app_labels` | gauge | Argo Application labels converted to Prometheus labels. Disabled by default. See section bellow about how to enable it. |
+| `argocd_app_labels` | gauge | Argo Application labels converted to Prometheus labels. Disabled by default. See section below about how to enable it. |
 | `argocd_app_reconcile` | histogram | Application reconciliation performance. |
 | `argocd_app_sync_total` | counter | Counter for application sync history |
 | `argocd_cluster_api_resource_objects` | gauge | Number of k8s resource objects in the cache. |
@@ -41,7 +41,7 @@ Some examples are:
 As the Application labels are specific to each company, this feature is disabled by default. To enable it, add the
 `--metrics-application-labels` flag to the ArgoCD application controller.
 
-The example bellow will expose the ArgoCD Application labels `team-name` and `business-unit` to Prometheus:
+The example below will expose the ArgoCD Application labels `team-name` and `business-unit` to Prometheus:
 
     containers:
     - command:

docs/operator-manual/rbac.md

@@ -39,6 +39,10 @@ configures a custom role, named `org-admin`. The role is assigned to any user wh
 `your-github-org:your-team` group. All other users get the default policy of `role:readonly`,
 which cannot modify Argo CD settings.
 
+!!! warning
+    All authenticated users get _at least_ the permissions granted by the default policy. This access cannot be blocked 
+    by a `deny` rule. Instead, restrict the default policy and then grant permissions to individual roles as needed.
+
 *ArgoCD ConfigMap `argocd-rbac-cm` Example:*
 
 ```yaml

docs/user-guide/directory.md

@@ -0,0 +1,129 @@
+# Directory
+
+A directory-type application loads plain manifest files from `.yml`, `.yaml`, and `.json` files. A directory-type
+application may be created from the UI, CLI, or declaratively. This is the declarative syntax:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: guestbook
+spec:
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: guestbook
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+    targetRevision: HEAD
+```
+
+It's unnecessary to explicitly add the `spec.source.directory` field except to add additional configuration options.
+Argo CD will automatically detect that the source repository/path contains plain manifest files.
+
+## Enabling Recursive Resource Detection
+
+By default, directory applications will only include the files from the root of the configured repository/path.
+
+To enable recursive resource detection, set the `recurse` option.
+
+```bash
+argocd app set guestbook --directory-recurse
+```
+
+To do the same thing declaratively, use this syntax:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  source:
+    directory:
+      recurse: true
+```
+
+## Including/Excluding Files
+
+### Including Only Certain Files
+
+To include only certain files/directories in a directory application, set the `include` option. The value is a glob
+pattern.
+
+For example, if you want to include only `.yaml` files, you can use this pattern:
+
+```shell
+argocd app set guestbook --directory-include "*.yaml"
+```
+
+!!! note
+    It is important to quote `*.yaml` so that the shell does not expand the pattern before sending it to Argo CD.
+
+It is also possible to include multiple patterns. Wrap the patterns with `{}` and separate them with commas. To include
+`.yml` and `.yaml` files, use this pattern:
+
+```shell
+argocd app set guestbook --directory-include "{*.yml,*.yaml}"
+```
+
+To include only a certain directory, use a pattern like this:
+
+```shell
+argocd app set guestbook --directory-include "some-directory/*"
+```
+
+To accomplish the same thing declaratively, use this syntax:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  source:
+    directory:
+      include: 'some-directory/*'
+```
+
+### Excluding Certain Files
+
+It is possible to exclude files matching a pattern from directory applications. For example, in a repository containing
+some manifests and also a non-manifest YAML file, you could exclude the config file like this:
+
+```shell
+argocd app set guestbook --directory-exclude "config.yaml"
+```
+
+It is possible to exclude more than one pattern. For example, a config file and an irrelevant directory:
+
+```shell
+argocd app set guestbook --directory-exclude "{config.yaml,env-use2/*}"
+```
+
+If both `include` and `exclude` are specified, then the Application will include all files which match the `include`
+pattern and do not match the `exclude` pattern. For example, consider this source repository:
+
+```
+config.json
+deployment.yaml
+env-use2/
+  configmap.yaml
+env-usw2/
+  configmap.yaml
+```
+
+To exclude `config.json` and the `env-usw2` directory, you could use this combination of patterns:
+
+```shell
+argocd app set guestbook --directory-include "*.yaml" --directory-exclude "{config.json,env-usw2/*}"
+```
+
+This would be the declarative syntax:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+spec:
+  source:
+    directory:
+      exclude: '{config.json,env-usw2/*}'
+      include: '*.yaml'
+```

docs/user-guide/tracking_strategies.md

@@ -20,6 +20,8 @@ For Helm, all versions are [Semantic Versions](https://semver.org/). As a result
 | Track minor releases (e.g. in QA) | Use a range | `1.*` or `>=1.0.0 <2.0.0` |
 | Use the latest (e.g. in local development) | Use star range |  `*` or `>=0.0.0` |
 
+**Note for OCI Helm repositories**: the only available strategy is "Pin to a version".
+
 [Read about version ranges](https://www.telerik.com/blogs/the-mystical-magical-semver-ranges-used-by-npm-bower)
 
 ## Git

manifests/base/dex/argocd-dex-server-deployment.yaml

@@ -28,7 +28,7 @@ spec:
           name: dexconfig
       containers:
       - name: dex
-        image: ghcr.io/dexidp/dex:v2.35.0-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3-distroless
         imagePullPolicy: Always
         command: [/shared/argocd-dex, rundex]
         securityContext:

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.2.13
+  newTag: v2.2.16
 resources:
 - ./application-controller
 - ./dex

manifests/core-install.yaml

@@ -3024,7 +3024,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -3073,7 +3073,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         name: copyutil
         volumeMounts:
         - mountPath: /var/run/argocd
@@ -3238,7 +3238,7 @@ spec:
               key: controller.default.cache.expiration
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/core-install/kustomization.yaml

@@ -11,4 +11,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.2.13
+  newTag: v2.2.16

manifests/ha/base/kustomization.yaml

@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.2.13
+  newTag: v2.2.16
 resources:
 - ../../base/application-controller
 - ../../base/dex

manifests/ha/install.yaml

@@ -3687,7 +3687,7 @@ spec:
       - command:
         - /shared/argocd-dex
         - rundex
-        image: ghcr.io/dexidp/dex:v2.35.0-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3-distroless
         imagePullPolicy: Always
         name: dex
         ports:
@@ -3709,7 +3709,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -3932,7 +3932,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -3981,7 +3981,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         name: copyutil
         volumeMounts:
         - mountPath: /var/run/argocd
@@ -4208,7 +4208,7 @@ spec:
               key: server.http.cookie.maxnumber
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -4404,7 +4404,7 @@ spec:
               key: controller.default.cache.expiration
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/ha/namespace-install.yaml

@@ -1046,7 +1046,7 @@ spec:
       - command:
         - /shared/argocd-dex
         - rundex
-        image: ghcr.io/dexidp/dex:v2.35.0-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3-distroless
         imagePullPolicy: Always
         name: dex
         ports:
@@ -1068,7 +1068,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -1291,7 +1291,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1340,7 +1340,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         name: copyutil
         volumeMounts:
         - mountPath: /var/run/argocd
@@ -1567,7 +1567,7 @@ spec:
               key: server.http.cookie.maxnumber
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1763,7 +1763,7 @@ spec:
               key: controller.default.cache.expiration
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/install.yaml

@@ -3057,7 +3057,7 @@ spec:
       - command:
         - /shared/argocd-dex
         - rundex
-        image: ghcr.io/dexidp/dex:v2.35.0-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3-distroless
         imagePullPolicy: Always
         name: dex
         ports:
@@ -3079,7 +3079,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -3266,7 +3266,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -3315,7 +3315,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         name: copyutil
         volumeMounts:
         - mountPath: /var/run/argocd
@@ -3538,7 +3538,7 @@ spec:
               key: server.http.cookie.maxnumber
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3728,7 +3728,7 @@ spec:
               key: controller.default.cache.expiration
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/namespace-install.yaml

@@ -416,7 +416,7 @@ spec:
       - command:
         - /shared/argocd-dex
         - rundex
-        image: ghcr.io/dexidp/dex:v2.35.0-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3-distroless
         imagePullPolicy: Always
         name: dex
         ports:
@@ -438,7 +438,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -625,7 +625,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -674,7 +674,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         name: copyutil
         volumeMounts:
         - mountPath: /var/run/argocd
@@ -897,7 +897,7 @@ spec:
               key: server.http.cookie.maxnumber
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1087,7 +1087,7 @@ spec:
               key: controller.default.cache.expiration
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.2.13
+        image: quay.io/argoproj/argocd:v2.2.16
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

mkdocs.yml

@@ -83,6 +83,7 @@ nav:
     - user-guide/helm.md
     - user-guide/ksonnet.md
     - user-guide/jsonnet.md
+    - user-guide/directory.md
     - user-guide/config-management-plugins.md
     - user-guide/tool_detection.md
     - user-guide/projects.md

pkg/apis/application/v1alpha1/app_project_types.go

@@ -155,6 +155,10 @@ func (p *AppProject) ValidateProject() error {
 	destKeys := make(map[string]bool)
 	for _, dest := range p.Spec.Destinations {
 		key := fmt.Sprintf("%s/%s", dest.Server, dest.Namespace)
+		if dest.Server == "" && dest.Name != "" {
+			// destination cluster set using name instead of server endpoint
+			key = fmt.Sprintf("%s/%s", dest.Name, dest.Namespace)
+		}
 		if _, ok := destKeys[key]; ok {
 			return status.Errorf(codes.InvalidArgument, "destination '%s' already added", key)
 		}

pkg/apis/application/v1alpha1/types_test.go

@@ -256,11 +256,75 @@ func TestAppProject_RemoveGroupFromRole(t *testing.T) {
 func newTestProject() *AppProject {
 	p := AppProject{
 		ObjectMeta: metav1.ObjectMeta{Name: "my-proj"},
-		Spec:       AppProjectSpec{Roles: []ProjectRole{{Name: "my-role"}}},
+		Spec:       AppProjectSpec{Roles: []ProjectRole{{Name: "my-role"}}, Destinations: []ApplicationDestination{{}}},
 	}
 	return &p
 }
 
+// TestAppProject_ValidateDestinations tests for an invalid destination
+func TestAppProject_ValidateDestinations(t *testing.T) {
+	p := newTestProject()
+	err := p.ValidateProject()
+	assert.NoError(t, err)
+
+	goodNamespaces := []string{
+		"*",
+		"some-namespace",
+	}
+	for _, goodNamespace := range goodNamespaces {
+		p.Spec.Destinations[0].Namespace = goodNamespace
+		err = p.ValidateProject()
+		assert.NoError(t, err)
+	}
+
+	goodServers := []string{
+		"*",
+		"some-server",
+	}
+	for _, badName := range goodServers {
+		p.Spec.Destinations[0].Server = badName
+		err = p.ValidateProject()
+		assert.NoError(t, err)
+	}
+
+	goodNames := []string{
+		"*",
+		"some-name",
+	}
+	for _, goodName := range goodNames {
+		p.Spec.Destinations[0].Name = goodName
+		err = p.ValidateProject()
+		assert.NoError(t, err)
+	}
+
+	validDestination := ApplicationDestination{
+		Server:    "some-server",
+		Namespace: "some-namespace",
+	}
+
+	p.Spec.Destinations[0] = validDestination
+	err = p.ValidateProject()
+	assert.NoError(t, err)
+
+	//no duplicates allowed
+	p.Spec.Destinations = []ApplicationDestination{validDestination, validDestination}
+	err = p.ValidateProject()
+	assert.Error(t, err)
+
+	cluster1Destination := ApplicationDestination{
+		Name:      "cluster1",
+		Namespace: "some-namespace",
+	}
+	cluster2Destination := ApplicationDestination{
+		Name:      "cluster2",
+		Namespace: "some-namespace",
+	}
+	// allow multiple destinations with blank server, same namespace but unique cluster name
+	p.Spec.Destinations = []ApplicationDestination{cluster1Destination, cluster2Destination}
+	err = p.ValidateProject()
+	assert.NoError(t, err)
+}
+
 // TestValidateRoleName tests for an invalid role name
 func TestAppProject_ValidateRoleName(t *testing.T) {
 	p := newTestProject()

resource_customizations/kiali.io/Kiali/health.lua

@@ -3,17 +3,21 @@ if obj.status ~= nil then
   if obj.status.conditions ~= nil then
     for i, condition in ipairs(obj.status.conditions) do
       health_status.message = condition.message
-      if condition.reason == "Successful" then
+      if condition.type == "Successful" and condition.status == "True" then
         health_status.status = "Healthy"
-      elseif condition.reason == "Running" then
-        health_status.status = "Progressing"
-      else
-        health_status.status = "Degraded"
+        return health_status
+      end
+      if condition.type == "Failure" and condition.status == "True" then
+        health_status.status = "Degraded"
+        return health_status
+      end
+      if condition.type == "Running" and condition.reason == "Running" then
+        health_status.status = "Progressing"
+        return health_status
       end
-      return health_status
     end
   end
 end
 health_status.status = "Progressing"
 health_status.message = "Waiting for Kiali"
-return health_status
+return health_status

resource_customizations/kiali.io/Kiali/health_test.yaml

@@ -9,5 +9,5 @@ tests:
   inputPath: testdata/degraded.yaml
 - healthStatus:
     status: Healthy
-    message: "Awaiting next reconciliation"
+    message: "Last reconciliation succeeded"
   inputPath: testdata/healthy.yaml

resource_customizations/kiali.io/Kiali/testdata/degraded.yaml

@@ -14,14 +14,24 @@ metadata:
 spec: {}
 status:
   conditions:
-  - ansibleResult:
-      changed: 1
-      completion: 2020-06-08T13:41:20.133525
-      failures: 0
-      ok: 56
-      skipped: 82
-    lastTransitionTime: "2020-06-04T17:47:31Z"
-    message: Error Reconciling
-    reason: null 
-    status: "True"
-    type: Running
+    - lastTransitionTime: '2022-10-19T09:44:32Z'
+      message: ''
+      reason: ''
+      status: 'False'
+      type: Failure
+    - ansibleResult:
+        changed: 18
+        completion: '2022-10-19T09:44:32.289505'
+        failures: 0
+        ok: 101
+        skipped: 101
+      lastTransitionTime: '2022-10-19T09:43:39Z'
+      message: Awaiting next reconciliation
+      reason: Successful
+      status: 'True'
+      type: Running
+    - lastTransitionTime: '2022-10-19T09:44:32Z'
+      message: Error Reconciling
+      reason: Failure
+      status: 'True'
+      type: Failure

resource_customizations/kiali.io/Kiali/testdata/healthy.yaml

@@ -14,14 +14,24 @@ metadata:
 spec: {}
 status:
   conditions:
-  - ansibleResult:
-      changed: 1
-      completion: 2020-06-08T13:41:20.133525
-      failures: 0
-      ok: 56
-      skipped: 82
-    lastTransitionTime: "2020-06-04T17:47:31Z"
-    message: Awaiting next reconciliation
-    reason: Successful
-    status: "True"
-    type: Running
+    - lastTransitionTime: '2022-10-19T09:44:32Z'
+      message: ''
+      reason: ''
+      status: 'False'
+      type: Failure
+    - ansibleResult:
+        changed: 18
+        completion: '2022-10-19T09:44:32.289505'
+        failures: 0
+        ok: 101
+        skipped: 101
+      lastTransitionTime: '2022-10-19T09:43:39Z'
+      message: Awaiting next reconciliation
+      reason: Successful
+      status: 'True'
+      type: Running
+    - lastTransitionTime: '2022-10-19T09:44:32Z'
+      message: Last reconciliation succeeded
+      reason: Successful
+      status: 'True'
+      type: Successful

resource_customizations/minio.min.io/Tenant/health.lua

@@ -31,11 +31,21 @@ if obj.status ~= nil then
             health_status.message = obj.status.currentState
             return health_status
         end
+        if obj.status.currentState == "Tenant credentials are not set properly" then
+            health_status.status = "Degraded"
+            health_status.message = obj.status.currentState
+            return health_status
+        end
         if obj.status.currentState == "Different versions across MinIO Pools" then
             health_status.status = "Degraded"
             health_status.message = obj.status.currentState
             return health_status
         end
+        if obj.status.currentState == "Pool Decommissioning Not Allowed" then
+            health_status.status = "Degraded"
+            health_status.message = obj.status.currentState
+            return health_status
+        end
         health_status.status = "Progressing"
         health_status.message = obj.status.currentState
         return health_status

resource_customizations/minio.min.io/Tenant/health_test.yaml

@@ -23,10 +23,18 @@ tests:
     status: Degraded
     message: "Another MinIO Tenant already exists in the namespace"
   inputPath: testdata/another_tenant_exists.yaml
+- healthStatus:
+    status: Degraded
+    message: "Tenant credentials are not set properly"
+  inputPath: testdata/incorrect_tenant_credentials.yaml
 - healthStatus:
     status: Degraded
     message: "Different versions across MinIO Pools"
   inputPath: testdata/versions_mismatch.yaml
+- healthStatus:
+    status: Degraded
+    message: "Pool Decommissioning Not Allowed"
+  inputPath: testdata/pool_decommissioning_not_allowed.yaml
 - healthStatus:
     status: Progressing
     message: "<unknown status message>"

resource_customizations/minio.min.io/Tenant/testdata/incorrect_tenant_credentials.yaml

@@ -0,0 +1,13 @@
+apiVersion: minio.min.io/v2
+kind: Tenant
+metadata:
+  name: minio-tenant
+spec:
+  image: minio/minio:latest
+  pools:
+    - name: pool-0
+      servers: 1
+      volumesPerServer: 4
+status:
+  revision: 0
+  currentState: Tenant credentials are not set properly

resource_customizations/minio.min.io/Tenant/testdata/pool_decommissioning_not_allowed.yaml

@@ -0,0 +1,13 @@
+apiVersion: minio.min.io/v2
+kind: Tenant
+metadata:
+  name: minio-tenant
+spec:
+  image: minio/minio:latest
+  pools:
+    - name: pool-0
+      servers: 1
+      volumesPerServer: 4
+status:
+  revision: 0
+  currentState: Pool Decommissioning Not Allowed

test/e2e/fixture/fixture.go

@@ -706,6 +706,8 @@ func Declarative(filename string, values interface{}) (string, error) {
 }
 
 func CreateSubmoduleRepos(repoType string) {
+	oldEnv := os.Getenv("GIT_ALLOW_PROTOCOL")
+	CheckError(os.Setenv("GIT_ALLOW_PROTOCOL", "file"))
 
 	// set-up submodule repo
 	FailOnErr(Run("", "cp", "-Rf", "testdata/git-submodule/", submoduleDirectory()))
@@ -737,6 +739,8 @@ func CreateSubmoduleRepos(repoType string) {
 		FailOnErr(Run(submoduleParentDirectory(), "git", "remote", "add", "origin", os.Getenv("ARGOCD_E2E_GIT_SERVICE_SUBMODULE_PARENT")))
 		FailOnErr(Run(submoduleParentDirectory(), "git", "push", "origin", "master", "-f"))
 	}
+
+	CheckError(os.Setenv("GIT_ALLOW_PROTOCOL", oldEnv))
 }
 
 // RestartRepoServer performs a restart of the repo server deployment and waits

ui/src/app/applications/components/application-details/application-details.scss

@@ -36,6 +36,7 @@ $header: 120px;
     &__warning {
         font-size: 0.8em;
         color: darken($argo-status-warning-color, 20%);
+        min-height: 1.2rem;
     }
 
     &__refreshing-label {

ui/src/app/applications/components/application-retry-options/application-retry-options.tsx

@@ -79,7 +79,7 @@ export const ApplicationRetryForm = ({initValues, field = 'retryStrategy'}: {ini
     );
 };
 
-export const ApplicationRetryOptions = ({formApi, initValues, field = 'retryStrategy'}: {formApi: FormApi; field?: string; initValues?: models.RetryStrategy}) => {
+export const ApplicationRetryOptions = ({formApi, initValues, field = 'retryStrategy', id}: {formApi: FormApi; field?: string; initValues?: models.RetryStrategy; id?: string}) => {
     const [retry, setRetry] = React.useState(!!initValues);
 
     const toggleRetry = (value: boolean) => {
@@ -103,8 +103,8 @@ export const ApplicationRetryOptions = ({formApi, initValues, field = 'retryStra
 
     return (
         <div className='application-retry-options'>
-            <Checkbox id='retry' checked={retry} onChange={val => toggleRetry(val)} />
-            <label htmlFor='retry'>Retry</label>
+            <Checkbox id={`retry-${id}`} checked={retry} onChange={val => toggleRetry(val)} />
+            <label htmlFor={`retry-${id}`}>Retry</label>
             {retry && <ApplicationRetryForm initValues={initValues} field={field} />}
         </div>
     );

ui/src/app/applications/components/application-sync-options/application-sync-options.tsx

@@ -10,6 +10,7 @@ export const REPLACE_WARNING = `The resources will be synced using 'kubectl repl
 export interface ApplicationSyncOptionProps {
     options: string[];
     onChanged: (updatedOptions: string[]) => any;
+    id?: string;
 }
 
 function selectOption(name: string, label: string, defaultVal: string, values: string[], props: ApplicationSyncOptionProps) {
@@ -46,7 +47,7 @@ function booleanOption(name: string, label: string, defaultVal: boolean, props:
     return (
         <React.Fragment>
             <Checkbox
-                id={`sync-option-${name}`}
+                id={`sync-option-${name}-${props.id}`}
                 checked={checked}
                 onChange={(val: boolean) => {
                     if (index < 0) {
@@ -57,7 +58,7 @@ function booleanOption(name: string, label: string, defaultVal: boolean, props:
                     }
                 }}
             />
-            <label htmlFor={`sync-option-${name}`}>{label}</label>{' '}
+            <label htmlFor={`sync-option-${name}-${props.id}`}>{label}</label>{' '}
             {warning && (
                 <>
                     <Tooltip content={warning}>
@@ -112,7 +113,7 @@ export const ApplicationSyncOptions = (props: ApplicationSyncOptionProps) => (
     </div>
 );
 
-export const ApplicationManualSyncFlags = ReactForm.FormField((props: {fieldApi: ReactForm.FieldApi}) => {
+export const ApplicationManualSyncFlags = ReactForm.FormField((props: {fieldApi: ReactForm.FieldApi; id?: string}) => {
     const {
         fieldApi: {getValue, setValue, setTouched}
     } = props;
@@ -122,7 +123,7 @@ export const ApplicationManualSyncFlags = ReactForm.FormField((props: {fieldApi:
             {Object.keys(ManualSyncFlags).map(flag => (
                 <React.Fragment key={flag}>
                     <Checkbox
-                        id={`sync-option-${flag}`}
+                        id={`sync-option-${flag}-${props.id}`}
                         checked={val[flag]}
                         onChange={(newVal: boolean) => {
                             setTouched(true);
@@ -131,7 +132,7 @@ export const ApplicationManualSyncFlags = ReactForm.FormField((props: {fieldApi:
                             setValue(update);
                         }}
                     />
-                    <label htmlFor={`sync-option-${flag}`}>{ManualSyncFlags[flag as keyof typeof ManualSyncFlags]}</label>{' '}
+                    <label htmlFor={`sync-option-${flag}-${props.id}`}>{ManualSyncFlags[flag as keyof typeof ManualSyncFlags]}</label>{' '}
                 </React.Fragment>
             ))}
         </div>

ui/src/app/applications/components/application-sync-panel/application-sync-panel.scss

@@ -8,6 +8,10 @@
         display: inline-block;
         margin-right: 0.3em;
 
+        label {
+            cursor: pointer;
+        }
+
         label::before,
         label::after {
             vertical-align: middle;

ui/src/app/applications/components/application-sync-panel/application-sync-panel.tsx

@@ -125,10 +125,15 @@ export const ApplicationSyncPanel = ({application, selectedResource, hide}: {app
                                                     formApi.setTouched('syncOptions', true);
                                                     formApi.setValue('syncOptions', opts);
                                                 }}
+                                                id='application-sync-panel'
                                             />
                                         </div>
 
-                                        <ApplicationRetryOptions formApi={formApi} initValues={application.spec.syncPolicy ? application.spec.syncPolicy.retry : null} />
+                                        <ApplicationRetryOptions
+                                            id='application-sync-panel'
+                                            formApi={formApi}
+                                            initValues={application.spec.syncPolicy ? application.spec.syncPolicy.retry : null}
+                                        />
 
                                         <label>Synchronize resources:</label>
                                         <div style={{float: 'right'}}>
@@ -164,9 +169,9 @@ export const ApplicationSyncPanel = ({application, selectedResource, hide}: {app
                                                 none
                                             </a>
                                         </div>
-                                        {!formApi.values.resources.every((item: boolean) => item) && (
-                                            <div className='application-details__warning'>WARNING: partial synchronization is not recorded in history</div>
-                                        )}
+                                        <div className='application-details__warning'>
+                                            {!formApi.values.resources.every((item: boolean) => item) && <div>WARNING: partial synchronization is not recorded in history</div>}
+                                        </div>
                                         <div>
                                             {application.status.resources
                                                 .filter(item => !item.hook)

ui/src/app/applications/components/applications-sync-panel/applications-sync-panel.tsx

@@ -94,10 +94,11 @@ export const ApplicationsSyncPanel = ({show, apps, hide}: {show: boolean; apps:
                                                 formApi.setTouched('syncOptions', true);
                                                 formApi.setValue('syncOptions', opts);
                                             }}
+                                            id='applications-sync-panel'
                                         />
                                     </div>
 
-                                    <ApplicationRetryOptions formApi={formApi} />
+                                    <ApplicationRetryOptions id='applications-sync-panel' formApi={formApi} />
 
                                     <label>
                                         Apps (<a onClick={() => apps.forEach((_, i) => formApi.setValue('app/' + i, true))}>all</a>/

ui/src/app/applications/components/utils.scss

@@ -11,6 +11,11 @@
     label {
         color: #6D7F8B;
         font-size: 15px;
+        cursor: pointer;
+    }
+
+    input {
+        cursor: pointer;
     }
 }
 

ui/src/app/shared/components/urls.ts

@@ -30,7 +30,7 @@ export function revisionUrl(url: string, revision: string): string {
     let urlSubPath = isSHA(revision) ? 'commit' : 'tree';
 
     if (url.indexOf('bitbucket') >= 0) {
-        urlSubPath = isSHA(revision) ? 'commits' : 'branch';
+        urlSubPath = isSHA(revision) ? 'commits' : 'src';
     }
 
     if (!supportedSource(parsed)) {

util/io/path/resolved.go

@@ -35,7 +35,7 @@ func resolveSymbolicLinkRecursive(path string, maxDepth int) (string, error) {
 
 	// If we resolved to a relative symlink, make sure we use the absolute
 	// path for further resolving
-	if !strings.HasPrefix(resolved, "/") {
+	if !strings.HasPrefix(resolved, string(os.PathSeparator)) {
 		basePath := filepath.Dir(path)
 		resolved = filepath.Join(basePath, resolved)
 	}
@@ -146,8 +146,8 @@ func ResolveFilePath(appPath, repoRoot, valueFile string, allowedURLSchemes []st
 	// Ensure our root path has a trailing slash, otherwise the following check
 	// would return true if root is /foo and path would be /foo2
 	requiredRootPath := absRepoPath
-	if !strings.HasSuffix(requiredRootPath, "/") {
-		requiredRootPath += "/"
+	if !strings.HasSuffix(requiredRootPath, string(os.PathSeparator)) {
+		requiredRootPath += string(os.PathSeparator)
 	}
 
 	// Make sure that the resolved path to values file is within the repository's root path