Bump version to 2.4.13

docs: add note about multiple sync options on annotation (#10739 )
2026-02-25 03:58:48 +01:00 · 2022-10-03 20:44:25 +00:00 · 2022-10-03 20:44:20 +00:00 · 2022-10-03 15:53:32 -04:00 · 2022-10-03 15:52:53 -04:00 · 2022-10-03 15:45:55 -04:00
172 changed files with 6462 additions and 898 deletions
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -405,9 +405,9 @@ jobs:
          git config --global user.email "john.doe@example.com"
      - name: Pull Docker image required for tests
        run: |
-          docker pull quay.io/dexidp/dex:v2.25.0
+          docker pull ghcr.io/dexidp/dex:v2.35.0-distroless
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.0-alpine
+          docker pull redis:7.0.4-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,9 +13,13 @@ commands, and helps to troubleshoot the application state.
 Argo CD is used to manage the critical infrastructure of multiple organizations, which makes security the top priority of the project. We've listened to
 your feedback and introduced additional access control settings that control access to Kubernetes Pod logs and the new Web Terminal feature.

-#### Known UI Issue for Pod Logs Access
+#### Pod Logs UI

-Currently, upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
+Since 2.4.9, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy.
+
+#### Known pod logs UI issue prior to 2.4.9
+
+Upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.

 ### OpenTelemetry Tracing Integration

--- a/5
+++ b/5
@@ -92,12 +92,13 @@ COPY ["ui/", "."]

 ARG ARGO_VERSION=latest
 ENV ARGO_VERSION=$ARGO_VERSION
-RUN HOST_ARCH='amd64' NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build
+ARG TARGETARCH
+RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build

 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM  docker.io/library/golang:1.18 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.18 AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

--- a/USERS.md
+++ b/USERS.md
@@ -37,6 +37,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Chargetrip](https://chargetrip.com)
 1. [Chime](https://www.chime.com)
 1. [Cisco ET&I](https://eti.cisco.com/)
+1. [Cobalt](https://www.cobalt.io/)
 1. [Codefresh](https://www.codefresh.io/)
 1. [Codility](https://www.codility.com/)
 1. [Commonbond](https://commonbond.co/)
--- a/2
+++ b/2
@@ -1 +1 @@
-2.4.2
+2.4.13
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -20,11 +20,16 @@ import (
 	"time"

 	"github.com/go-logr/logr"
+	log "github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/source"
@@ -33,18 +38,10 @@ import (
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/argoproj/argo-cd/v2/common"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/argoproj/argo-cd/v2/util/db"
-
-	log "github.com/sirupsen/logrus"
-	"k8s.io/apimachinery/pkg/runtime"
-	ctrl "sigs.k8s.io/controller-runtime"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned"
 	argoutil "github.com/argoproj/argo-cd/v2/util/argo"
-
-	apierr "k8s.io/apimachinery/pkg/api/errors"
+	"github.com/argoproj/argo-cd/v2/util/db"
 )

 const (
@@ -55,6 +52,13 @@ const (
 	ReconcileRequeueOnValidationError = time.Minute * 3
 )

+var (
+	preservedAnnotations = []string{
+		NotifiedAnnotationKey,
+		argov1alpha1.AnnotationKeyRefresh,
+	}
+)
+
 // ApplicationSetReconciler reconciles a ApplicationSet object
 type ApplicationSetReconciler struct {
 	client.Client
@@ -527,12 +531,16 @@ func (r *ApplicationSetReconciler) createOrUpdateInCluster(ctx context.Context,
 			// Copy only the Application/ObjectMeta fields that are significant, from the generatedApp
 			found.Spec = generatedApp.Spec

-			// Preserve argo cd notifications state (https://github.com/argoproj/applicationset/issues/180)
-			if state, exists := found.ObjectMeta.Annotations[NotifiedAnnotationKey]; exists {
-				if generatedApp.Annotations == nil {
-					generatedApp.Annotations = map[string]string{}
+			// Preserve specially treated argo cd annotations:
+			// * https://github.com/argoproj/applicationset/issues/180
+			// * https://github.com/argoproj/argo-cd/issues/10500
+			for _, key := range preservedAnnotations {
+				if state, exists := found.ObjectMeta.Annotations[key]; exists {
+					if generatedApp.Annotations == nil {
+						generatedApp.Annotations = map[string]string{}
+					}
+					generatedApp.Annotations[key] = state
 				}
-				generatedApp.Annotations[NotifiedAnnotationKey] = state
 			}
 			found.ObjectMeta.Annotations = generatedApp.Annotations

--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
@@ -13,9 +13,11 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
+	kubefake "k8s.io/client-go/kubernetes/fake"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	crtclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -25,10 +27,6 @@ import (
 	"github.com/argoproj/argo-cd/v2/applicationset/generators"
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	kubefake "k8s.io/client-go/kubernetes/fake"
-
 	"github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 	appclientset "github.com/argoproj/argo-cd/v2/pkg/client/clientset/versioned/fake"
@@ -755,7 +753,7 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 			},
 		},
 		{
-			name: "Ensure that argocd notifications state annotation is preserved from an existing app",
+			name: "Ensure that argocd notifications state and refresh annotation is preserved from an existing app",
 			appSet: argoprojiov1alpha1.ApplicationSet{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "name",
@@ -781,8 +779,9 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 						ResourceVersion: "2",
 						Labels:          map[string]string{"label-key": "label-value"},
 						Annotations: map[string]string{
-							"annot-key":           "annot-value",
-							NotifiedAnnotationKey: `{"b620d4600c771a6f4cxxxxxxx:on-deployed:[0].y7b5sbwa2Q329JYHxxxxxx-fBs:slack:slack-test":1617144614}`,
+							"annot-key":                       "annot-value",
+							NotifiedAnnotationKey:             `{"b620d4600c771a6f4cxxxxxxx:on-deployed:[0].y7b5sbwa2Q329JYHxxxxxx-fBs:slack:slack-test":1617144614}`,
+							argov1alpha1.AnnotationKeyRefresh: string(argov1alpha1.RefreshTypeNormal),
 						},
 					},
 					Spec: argov1alpha1.ApplicationSpec{
@@ -811,7 +810,8 @@ func TestCreateOrUpdateInCluster(t *testing.T) {
 						Namespace:       "namespace",
 						ResourceVersion: "3",
 						Annotations: map[string]string{
-							NotifiedAnnotationKey: `{"b620d4600c771a6f4cxxxxxxx:on-deployed:[0].y7b5sbwa2Q329JYHxxxxxx-fBs:slack:slack-test":1617144614}`,
+							NotifiedAnnotationKey:             `{"b620d4600c771a6f4cxxxxxxx:on-deployed:[0].y7b5sbwa2Q329JYHxxxxxx-fBs:slack:slack-test":1617144614}`,
+							argov1alpha1.AnnotationKeyRefresh: string(argov1alpha1.RefreshTypeNormal),
 						},
 					},
 					Spec: argov1alpha1.ApplicationSpec{
--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@@ -162,8 +162,10 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent []
 		}
 		params["path"] = path.Dir(filePath)
 		params["path.basename"] = path.Base(params["path"])
+		params["path.filename"] = path.Base(filePath)
 		params["path.basenameNormalized"] = sanitizeName(path.Base(params["path"]))
-		for k, v := range strings.Split(strings.TrimSuffix(params["path"], params["path.basename"]), "/") {
+		params["path.filenameNormalized"] = sanitizeName(path.Base(params["path.filename"]))
+		for k, v := range strings.Split(params["path"], "/") {
 			if len(v) > 0 {
 				params["path["+strconv.Itoa(k)+"]"] = v
 			}
@@ -213,7 +215,7 @@ func (g *GitGenerator) generateParamsFromApps(requestedApps []string, _ *argopro
 		params["path"] = a
 		params["path.basename"] = path.Base(a)
 		params["path.basenameNormalized"] = sanitizeName(path.Base(a))
-		for k, v := range strings.Split(strings.TrimSuffix(params["path"], params["path.basename"]), "/") {
+		for k, v := range strings.Split(params["path"], "/") {
 			if len(v) > 0 {
 				params["path["+strconv.Itoa(k)+"]"] = v
 			}
--- a/applicationset/generators/git_test.go
+++ b/applicationset/generators/git_test.go
@@ -47,6 +47,28 @@ func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, r
 	return args.Get(0).([]string), args.Error(1)
 }

+func Test_generateParamsFromGitFile(t *testing.T) {
+	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
+foo:
+  bar: baz
+`))
+	if err != nil {
+		t.Fatal(err)
+	}
+	assert.Equal(t, []map[string]string{
+		{
+			"foo.bar":                 "baz",
+			"path":                    "path/dir",
+			"path.basename":           "dir",
+			"path.filename":           "file_name.yaml",
+			"path.basenameNormalized": "dir",
+			"path.filenameNormalized": "file-name.yaml",
+			"path[0]":                 "path",
+			"path[1]":                 "dir",
+		},
+	}, params)
+}
+
 func TestGitGenerateParamsFromDirectories(t *testing.T) {

 	cases := []struct {
@@ -68,9 +90,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 			},
 			repoError: nil,
 			expected: []map[string]string{
-				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1"},
-				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2"},
-				{"path": "app_3", "path.basename": "app_3", "path.basenameNormalized": "app-3"},
+				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1", "path[0]": "app1"},
+				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2", "path[0]": "app2"},
+				{"path": "app_3", "path.basename": "app_3", "path.basenameNormalized": "app-3", "path[0]": "app_3"},
 			},
 			expectedError: nil,
 		},
@@ -85,8 +107,8 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 			},
 			repoError: nil,
 			expected: []map[string]string{
-				{"path": "p1/app2", "path.basename": "app2", "path[0]": "p1", "path.basenameNormalized": "app2"},
-				{"path": "p1/p2/app3", "path.basename": "app3", "path[0]": "p1", "path[1]": "p2", "path.basenameNormalized": "app3"},
+				{"path": "p1/app2", "path.basename": "app2", "path[0]": "p1", "path[1]": "app2", "path.basenameNormalized": "app2"},
+				{"path": "p1/p2/app3", "path.basename": "app3", "path[0]": "p1", "path[1]": "p2", "path[2]": "app3", "path.basenameNormalized": "app3"},
 			},
 			expectedError: nil,
 		},
@@ -102,9 +124,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 			},
 			repoError: nil,
 			expected: []map[string]string{
-				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1"},
-				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2"},
-				{"path": "p2/app3", "path.basename": "app3", "path[0]": "p2", "path.basenameNormalized": "app3"},
+				{"path": "app1", "path.basename": "app1", "path[0]": "app1", "path.basenameNormalized": "app1"},
+				{"path": "app2", "path.basename": "app2", "path[0]": "app2", "path.basenameNormalized": "app2"},
+				{"path": "p2/app3", "path.basename": "app3", "path[0]": "p2", "path[1]": "app3", "path.basenameNormalized": "app3"},
 			},
 			expectedError: nil,
 		},
@@ -120,9 +142,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 			},
 			repoError: nil,
 			expected: []map[string]string{
-				{"path": "app1", "path.basename": "app1", "path.basenameNormalized": "app1"},
-				{"path": "app2", "path.basename": "app2", "path.basenameNormalized": "app2"},
-				{"path": "p2/app3", "path.basename": "app3", "path[0]": "p2", "path.basenameNormalized": "app3"},
+				{"path": "app1", "path.basename": "app1", "path[0]": "app1", "path.basenameNormalized": "app1"},
+				{"path": "app2", "path.basename": "app2", "path[0]": "app2", "path.basenameNormalized": "app2"},
+				{"path": "p2/app3", "path.basename": "app3", "path[0]": "p2", "path[1]": "app3", "path.basenameNormalized": "app3"},
 			},
 			expectedError: nil,
 		},
@@ -238,7 +260,10 @@ func TestGitGenerateParamsFromFiles(t *testing.T) {
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.json",
+					"path.filenameNormalized": "config.json",
 				},
 				{
 					"cluster.owner":           "foo.bar@example.com",
@@ -247,7 +272,10 @@ func TestGitGenerateParamsFromFiles(t *testing.T) {
 					"path":                    "cluster-config/staging",
 					"path.basename":           "staging",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "staging",
 					"path.basenameNormalized": "staging",
+					"path.filename":           "config.json",
+					"path.filenameNormalized": "config.json",
 				},
 			},
 			expectedError: nil,
@@ -305,7 +333,10 @@ func TestGitGenerateParamsFromFiles(t *testing.T) {
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.json",
+					"path.filenameNormalized": "config.json",
 				},
 				{
 					"cluster.owner":           "john.doe@example.com",
@@ -314,7 +345,10 @@ func TestGitGenerateParamsFromFiles(t *testing.T) {
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.json",
+					"path.filenameNormalized": "config.json",
 				},
 			},
 			expectedError: nil,
@@ -353,7 +387,10 @@ cluster:
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.yaml",
+					"path.filenameNormalized": "config.yaml",
 				},
 				{
 					"cluster.owner":           "foo.bar@example.com",
@@ -362,7 +399,10 @@ cluster:
 					"path":                    "cluster-config/staging",
 					"path.basename":           "staging",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "staging",
 					"path.basenameNormalized": "staging",
+					"path.filename":           "config.yaml",
+					"path.filenameNormalized": "config.yaml",
 				},
 			},
 			expectedError: nil,
@@ -393,7 +433,10 @@ cluster:
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.yaml",
+					"path.filenameNormalized": "config.yaml",
 				},
 				{
 					"cluster.owner":           "john.doe@example.com",
@@ -402,7 +445,10 @@ cluster:
 					"path":                    "cluster-config/production",
 					"path.basename":           "production",
 					"path[0]":                 "cluster-config",
+					"path[1]":                 "production",
 					"path.basenameNormalized": "production",
+					"path.filename":           "config.yaml",
+					"path.filenameNormalized": "config.yaml",
 				},
 			},
 			expectedError: nil,
--- a/applicationset/services/pull_request/gitea_test.go
+++ b/applicationset/services/pull_request/gitea_test.go
@@ -2,13 +2,253 @@ package pull_request

 import (
 	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"testing"

 	"github.com/stretchr/testify/assert"
 )

+func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		fmt.Println(r.RequestURI)
+		switch r.RequestURI {
+		case "/api/v1/version":
+			_, err := io.WriteString(w, `{"version":"1.17.0+dev-452-g1f0541780"}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/pr-test/pulls?limit=0&page=1&state=open":
+			_, err := io.WriteString(w, `[{
+				"id": 50721,
+				"url": "https://gitea.com/test-argocd/pr-test/pulls/1",
+				"number": 1,
+				"user": {
+					"id": 4476,
+					"login": "graytshirt",
+					"full_name": "Dan",
+					"email": "graytshirt@noreply.gitea.io",
+					"avatar_url": "https://secure.gravatar.com/avatar/2446c67bcd59d71f6ae3cf376ec2ae37?d=identicon",
+					"language": "",
+					"is_admin": false,
+					"last_login": "0001-01-01T00:00:00Z",
+					"created": "2020-04-07T01:14:36+08:00",
+					"restricted": false,
+					"active": false,
+					"prohibit_login": false,
+					"location": "",
+					"website": "",
+					"description": "",
+					"visibility": "public",
+					"followers_count": 0,
+					"following_count": 4,
+					"starred_repos_count": 1,
+					"username": "graytshirt"
+				},
+				"title": "add an empty file",
+				"body": "",
+				"labels": [],
+				"milestone": null,
+				"assignee": null,
+				"assignees": null,
+				"state": "open",
+				"is_locked": false,
+				"comments": 0,
+				"html_url": "https://gitea.com/test-argocd/pr-test/pulls/1",
+				"diff_url": "https://gitea.com/test-argocd/pr-test/pulls/1.diff",
+				"patch_url": "https://gitea.com/test-argocd/pr-test/pulls/1.patch",
+				"mergeable": true,
+				"merged": false,
+				"merged_at": null,
+				"merge_commit_sha": null,
+				"merged_by": null,
+				"base": {
+					"label": "main",
+					"ref": "main",
+					"sha": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"repo_id": 21618,
+					"repo": {
+						"id": 21618,
+						"owner": {
+							"id": 31480,
+							"login": "test-argocd",
+							"full_name": "",
+							"email": "",
+							"avatar_url": "https://gitea.com/avatars/22d1b1d3f61abf95951c4a958731d848",
+							"language": "",
+							"is_admin": false,
+							"last_login": "0001-01-01T00:00:00Z",
+							"created": "2022-04-06T02:28:06+08:00",
+							"restricted": false,
+							"active": false,
+							"prohibit_login": false,
+							"location": "",
+							"website": "",
+							"description": "",
+							"visibility": "public",
+							"followers_count": 0,
+							"following_count": 0,
+							"starred_repos_count": 0,
+							"username": "test-argocd"
+						},
+						"name": "pr-test",
+						"full_name": "test-argocd/pr-test",
+						"description": "",
+						"empty": false,
+						"private": false,
+						"fork": false,
+						"template": false,
+						"parent": null,
+						"mirror": false,
+						"size": 28,
+						"language": "",
+						"languages_url": "https://gitea.com/api/v1/repos/test-argocd/pr-test/languages",
+						"html_url": "https://gitea.com/test-argocd/pr-test",
+						"ssh_url": "git@gitea.com:test-argocd/pr-test.git",
+						"clone_url": "https://gitea.com/test-argocd/pr-test.git",
+						"original_url": "",
+						"website": "",
+						"stars_count": 0,
+						"forks_count": 0,
+						"watchers_count": 1,
+						"open_issues_count": 0,
+						"open_pr_counter": 1,
+						"release_counter": 0,
+						"default_branch": "main",
+						"archived": false,
+						"created_at": "2022-04-06T02:32:09+08:00",
+						"updated_at": "2022-04-06T02:33:12+08:00",
+						"permissions": {
+							"admin": false,
+							"push": false,
+							"pull": true
+						},
+						"has_issues": true,
+						"internal_tracker": {
+							"enable_time_tracker": true,
+							"allow_only_contributors_to_track_time": true,
+							"enable_issue_dependencies": true
+						},
+						"has_wiki": true,
+						"has_pull_requests": true,
+						"has_projects": true,
+						"ignore_whitespace_conflicts": false,
+						"allow_merge_commits": true,
+						"allow_rebase": true,
+						"allow_rebase_explicit": true,
+						"allow_squash_merge": true,
+						"default_merge_style": "merge",
+						"avatar_url": "",
+						"internal": false,
+						"mirror_interval": "",
+						"mirror_updated": "0001-01-01T00:00:00Z",
+						"repo_transfer": null
+					}
+				},
+				"head": {
+					"label": "test",
+					"ref": "test",
+					"sha": "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"repo_id": 21618,
+					"repo": {
+						"id": 21618,
+						"owner": {
+							"id": 31480,
+							"login": "test-argocd",
+							"full_name": "",
+							"email": "",
+							"avatar_url": "https://gitea.com/avatars/22d1b1d3f61abf95951c4a958731d848",
+							"language": "",
+							"is_admin": false,
+							"last_login": "0001-01-01T00:00:00Z",
+							"created": "2022-04-06T02:28:06+08:00",
+							"restricted": false,
+							"active": false,
+							"prohibit_login": false,
+							"location": "",
+							"website": "",
+							"description": "",
+							"visibility": "public",
+							"followers_count": 0,
+							"following_count": 0,
+							"starred_repos_count": 0,
+							"username": "test-argocd"
+						},
+						"name": "pr-test",
+						"full_name": "test-argocd/pr-test",
+						"description": "",
+						"empty": false,
+						"private": false,
+						"fork": false,
+						"template": false,
+						"parent": null,
+						"mirror": false,
+						"size": 28,
+						"language": "",
+						"languages_url": "https://gitea.com/api/v1/repos/test-argocd/pr-test/languages",
+						"html_url": "https://gitea.com/test-argocd/pr-test",
+						"ssh_url": "git@gitea.com:test-argocd/pr-test.git",
+						"clone_url": "https://gitea.com/test-argocd/pr-test.git",
+						"original_url": "",
+						"website": "",
+						"stars_count": 0,
+						"forks_count": 0,
+						"watchers_count": 1,
+						"open_issues_count": 0,
+						"open_pr_counter": 1,
+						"release_counter": 0,
+						"default_branch": "main",
+						"archived": false,
+						"created_at": "2022-04-06T02:32:09+08:00",
+						"updated_at": "2022-04-06T02:33:12+08:00",
+						"permissions": {
+							"admin": false,
+							"push": false,
+							"pull": true
+						},
+						"has_issues": true,
+						"internal_tracker": {
+							"enable_time_tracker": true,
+							"allow_only_contributors_to_track_time": true,
+							"enable_issue_dependencies": true
+						},
+						"has_wiki": true,
+						"has_pull_requests": true,
+						"has_projects": true,
+						"ignore_whitespace_conflicts": false,
+						"allow_merge_commits": true,
+						"allow_rebase": true,
+						"allow_rebase_explicit": true,
+						"allow_squash_merge": true,
+						"default_merge_style": "merge",
+						"avatar_url": "",
+						"internal": false,
+						"mirror_interval": "",
+						"mirror_updated": "0001-01-01T00:00:00Z",
+						"repo_transfer": null
+					}
+				},
+				"merge_base": "72687815ccba81ef014a96201cc2e846a68789d8",
+				"due_date": null,
+				"created_at": "2022-04-06T02:34:24+08:00",
+				"updated_at": "2022-04-06T02:34:24+08:00",
+				"closed_at": null
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
+		}
+	}
+}
+
 func TestGiteaList(t *testing.T) {
-	host, err := NewGiteaService(context.Background(), "", "https://gitea.com", "test-argocd", "pr-test", false)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		giteaMockHandler(t)(w, r)
+	}))
+	host, err := NewGiteaService(context.Background(), "", ts.URL, "test-argocd", "pr-test", false)
 	assert.Nil(t, err)
 	prs, err := host.List(context.Background())
 	assert.Nil(t, err)
--- a/applicationset/services/repo_service.go
+++ b/applicationset/services/repo_service.go
@@ -19,8 +19,9 @@ type RepositoryDB interface {
 }

 type argoCDService struct {
-	repositoriesDB RepositoryDB
-	storecreds     git.CredsStore
+	repositoriesDB   RepositoryDB
+	storecreds       git.CredsStore
+	submoduleEnabled bool
 }

 type Repos interface {
@@ -32,11 +33,12 @@ type Repos interface {
 	GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error)
 }

-func NewArgoCDService(db db.ArgoDB, gitCredStore git.CredsStore, repoServerAddress string) Repos {
+func NewArgoCDService(db db.ArgoDB, gitCredStore git.CredsStore, submoduleEnabled bool) Repos {

 	return &argoCDService{
-		repositoriesDB: db.(RepositoryDB),
-		storecreds:     gitCredStore,
+		repositoriesDB:   db.(RepositoryDB),
+		storecreds:       gitCredStore,
+		submoduleEnabled: submoduleEnabled,
 	}
 }

@@ -52,7 +54,7 @@ func (a *argoCDService) GetFiles(ctx context.Context, repoURL string, revision s
 		return nil, err
 	}

-	err = checkoutRepo(gitRepoClient, revision)
+	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
 	if err != nil {
 		return nil, err
 	}
@@ -86,7 +88,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 		return nil, err
 	}

-	err = checkoutRepo(gitRepoClient, revision)
+	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
 	if err != nil {
 		return nil, err
 	}
@@ -128,7 +130,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi

 }

-func checkoutRepo(gitRepoClient git.Client, revision string) error {
+func checkoutRepo(gitRepoClient git.Client, revision string, submoduleEnabled bool) error {
 	err := gitRepoClient.Init()
 	if err != nil {
 		return fmt.Errorf("Error during initializing repo: %w", err)
@@ -143,7 +145,7 @@ func checkoutRepo(gitRepoClient git.Client, revision string) error {
 	if err != nil {
 		return fmt.Errorf("Error during fetching commitSHA: %w", err)
 	}
-	err = gitRepoClient.Checkout(commitSHA, true)
+	err = gitRepoClient.Checkout(commitSHA, submoduleEnabled)
 	if err != nil {
 		return fmt.Errorf("Error during repo checkout: %w", err)
 	}
--- a/applicationset/services/scm_provider/gitea_test.go
+++ b/applicationset/services/scm_provider/gitea_test.go
@@ -2,13 +2,262 @@ package scm_provider

 import (
 	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"testing"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

+	"github.com/argoproj/argo-cd/v2/applicationset/services/scm_provider/testdata"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 )

+func giteaMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.RequestURI {
+		case "/api/v1/version":
+			_, err := io.WriteString(w, `{"version":"1.17.0+dev-452-g1f0541780"}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/orgs/test-argocd/repos?limit=0&page=1":
+			_, err := io.WriteString(w, `[{
+					"id": 21618,
+					"owner": {
+						"id": 31480,
+						"login": "test-argocd",
+						"full_name": "",
+						"email": "",
+						"avatar_url": "https://gitea.com/avatars/22d1b1d3f61abf95951c4a958731d848",
+						"language": "",
+						"is_admin": false,
+						"last_login": "0001-01-01T00:00:00Z",
+						"created": "2022-04-06T02:28:06+08:00",
+						"restricted": false,
+						"active": false,
+						"prohibit_login": false,
+						"location": "",
+						"website": "",
+						"description": "",
+						"visibility": "public",
+						"followers_count": 0,
+						"following_count": 0,
+						"starred_repos_count": 0,
+						"username": "test-argocd"
+					},
+					"name": "pr-test",
+					"full_name": "test-argocd/pr-test",
+					"description": "",
+					"empty": false,
+					"private": false,
+					"fork": false,
+					"template": false,
+					"parent": null,
+					"mirror": false,
+					"size": 28,
+					"language": "",
+					"languages_url": "https://gitea.com/api/v1/repos/test-argocd/pr-test/languages",
+					"html_url": "https://gitea.com/test-argocd/pr-test",
+					"ssh_url": "git@gitea.com:test-argocd/pr-test.git",
+					"clone_url": "https://gitea.com/test-argocd/pr-test.git",
+					"original_url": "",
+					"website": "",
+					"stars_count": 0,
+					"forks_count": 0,
+					"watchers_count": 1,
+					"open_issues_count": 0,
+					"open_pr_counter": 1,
+					"release_counter": 0,
+					"default_branch": "main",
+					"archived": false,
+					"created_at": "2022-04-06T02:32:09+08:00",
+					"updated_at": "2022-04-06T02:33:12+08:00",
+					"permissions": {
+						"admin": false,
+						"push": false,
+						"pull": true
+					},
+					"has_issues": true,
+					"internal_tracker": {
+						"enable_time_tracker": true,
+						"allow_only_contributors_to_track_time": true,
+						"enable_issue_dependencies": true
+					},
+					"has_wiki": true,
+					"has_pull_requests": true,
+					"has_projects": true,
+					"ignore_whitespace_conflicts": false,
+					"allow_merge_commits": true,
+					"allow_rebase": true,
+					"allow_rebase_explicit": true,
+					"allow_squash_merge": true,
+					"default_merge_style": "merge",
+					"avatar_url": "",
+					"internal": false,
+					"mirror_interval": "",
+					"mirror_updated": "0001-01-01T00:00:00Z",
+					"repo_transfer": null
+				}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/pr-test/branches/main":
+			_, err := io.WriteString(w, `{
+				"name": "main",
+				"commit": {
+					"id": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/72687815ccba81ef014a96201cc2e846a68789d8",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/test-argocd/pr-test/branches?limit=0&page=1":
+			_, err := io.WriteString(w, `[{
+				"name": "main",
+				"commit": {
+					"id": "72687815ccba81ef014a96201cc2e846a68789d8",
+					"message": "initial commit\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/72687815ccba81ef014a96201cc2e846a68789d8",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiqUACgkQlgCr7m50\nzBPSmQgAiVVEIxC42tuks4iGFNURrtYvypZAEIc+hJgt2kBpmdCrAphYPeAj+Wtr\n9KT7dDscCZIba2wx39HEXO2S7wNCXESvAzrA8rdfbXjR4L2miZ1urfBkEoqK5i/F\noblWGuAyjurX4KPa2ARROd0H4AXxt6gNAXaFPgZO+xXCyNKZfad/lkEP1AiPRknD\nvTTMbEkIzFHK9iVwZ9DORGpfF1wnLzxWmMfhYatZnBgFNnoeJNtFhCJo05rHBgqc\nqVZWXt1iF7nysBoXSzyx1ZAsmBr/Qerkuj0nonh0aPVa6NKJsdmeJyPX4zXXoi6E\ne/jpxX2UQJkpFezg3IjUpvE5FvIiYg==\n=3Af2\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree 64d47c7fc6e31dcf00654223ec4ab749dd0a464e\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183391 -0400\n\ninitial commit\n"
+					},
+					"timestamp": "2022-04-05T14:29:51-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}, {
+				"name": "test",
+				"commit": {
+					"id": "7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"message": "add an empty file\n",
+					"url": "https://gitea.com/test-argocd/pr-test/commit/7bbaf62d92ddfafd9cc8b340c619abaec32bc09f",
+					"author": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"committer": {
+						"name": "Dan Molik",
+						"email": "dan@danmolik.com",
+						"username": "graytshirt"
+					},
+					"verification": {
+						"verified": false,
+						"reason": "gpg.error.no_gpg_keys_found",
+						"signature": "-----BEGIN PGP SIGNATURE-----\n\niQEzBAABCAAdFiEEXYAkwEBRpXzXgHFWlgCr7m50zBMFAmJMiugACgkQlgCr7m50\nzBN+7wgAkCHD3KfX3Ffkqv2qPwqgHNYM1bA6Hmffzhv0YeD9jWCI3tp0JulP4iFZ\ncQ7jqx9xP9tCQMSFCaijLRHaE6Js1xrVtf0OKRkbpdlvkyrIM3sQhqyQgAsISrDG\nLzSqeoQQjglzeWESYh2Tjn1CgqQNKjI6LLepSwvF1pIeV4pJpJobaEbIfTgStdzM\nWEk8o0I+EZaYqK0C0vU9N0LK/LR/jnlaHsb4OUjvk+S7lRjZwBkrsg7P/QsqtCVd\nw5nkxDiCx1J58zKMnQ7ZinJEK9A5WYdnMYc6aBn7ARgZrblXPPBkkKUhEv3ZSPeW\nKv9i4GQy838xkVSTFkHNj1+a5o6zEA==\n=JiFw\n-----END PGP SIGNATURE-----\n",
+						"signer": null,
+						"payload": "tree cdddf3e1d6a8a7e6899a044d0e1bc73bf798e2f5\nparent 72687815ccba81ef014a96201cc2e846a68789d8\nauthor Dan Molik \u003cdan@danmolik.com\u003e 1649183458 -0400\ncommitter Dan Molik \u003cdan@danmolik.com\u003e 1649183458 -0400\n\nadd an empty file\n"
+					},
+					"timestamp": "2022-04-05T14:30:58-04:00",
+					"added": null,
+					"removed": null,
+					"modified": null
+				},
+				"protected": false,
+				"required_approvals": 0,
+				"enable_status_check": false,
+				"status_check_contexts": [],
+				"user_can_push": false,
+				"user_can_merge": false,
+				"effective_branch_protection_name": ""
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v1/repos/gitea/go-sdk/contents/README.md?ref=master":
+			_, err := io.WriteString(w, `{
+  "name": "README.md",
+  "path": "README.md",
+  "sha": "3605625ef3f80dc092167b54e3f55eb0663d729f",
+  "last_commit_sha": "6b6fdd91ce769bb4641084e15f76554fb841bf27",
+  "type": "file",
+  "size": 1673,
+  "encoding": "base64",
+  "content": "IyBHaXRlYSBTREsgZm9yIEdvCgpbIVtMaWNlbnNlOiBNSVRdKGh0dHBzOi8vaW1nLnNoaWVsZHMuaW8vYmFkZ2UvTGljZW5zZS1NSVQtYmx1ZS5zdmcpXShodHRwczovL29wZW5zb3VyY2Uub3JnL2xpY2Vuc2VzL01JVCkgWyFbUmVsZWFzZV0oaHR0cHM6Ly9yYXN0ZXIuc2hpZWxkcy5pby9iYWRnZS9keW5hbWljL2pzb24uc3ZnP2xhYmVsPXJlbGVhc2UmdXJsPWh0dHBzOi8vZ2l0ZWEuY29tL2FwaS92MS9yZXBvcy9naXRlYS9nby1zZGsvcmVsZWFzZXMmcXVlcnk9JFswXS50YWdfbmFtZSldKGh0dHBzOi8vZ2l0ZWEuY29tL2dpdGVhL2dvLXNkay9yZWxlYXNlcykgWyFbQnVpbGQgU3RhdHVzXShodHRwczovL2Ryb25lLmdpdGVhLmNvbS9hcGkvYmFkZ2VzL2dpdGVhL2dvLXNkay9zdGF0dXMuc3ZnKV0oaHR0cHM6Ly9kcm9uZS5naXRlYS5jb20vZ2l0ZWEvZ28tc2RrKSBbIVtKb2luIHRoZSBjaGF0IGF0IGh0dHBzOi8vaW1nLnNoaWVsZHMuaW8vZGlzY29yZC8zMjI1Mzg5NTQxMTkxODQzODQuc3ZnXShodHRwczovL2ltZy5zaGllbGRzLmlvL2Rpc2NvcmQvMzIyNTM4OTU0MTE5MTg0Mzg0LnN2ZyldKGh0dHBzOi8vZGlzY29yZC5nZy9HaXRlYSkgWyFbXShodHRwczovL2ltYWdlcy5taWNyb2JhZGdlci5jb20vYmFkZ2VzL2ltYWdlL2dpdGVhL2dpdGVhLnN2ZyldKGh0dHA6Ly9taWNyb2JhZGdlci5jb20vaW1hZ2VzL2dpdGVhL2dpdGVhICJHZXQgeW91ciBvd24gaW1hZ2UgYmFkZ2Ugb24gbWljcm9iYWRnZXIuY29tIikgWyFbR28gUmVwb3J0IENhcmRdKGh0dHBzOi8vZ29yZXBvcnRjYXJkLmNvbS9iYWRnZS9jb2RlLmdpdGVhLmlvL3NkayldKGh0dHBzOi8vZ29yZXBvcnRjYXJkLmNvbS9yZXBvcnQvY29kZS5naXRlYS5pby9zZGspIFshW0dvRG9jXShodHRwczovL2dvZG9jLm9yZy9jb2RlLmdpdGVhLmlvL3Nkay9naXRlYT9zdGF0dXMuc3ZnKV0oaHR0cHM6Ly9nb2RvYy5vcmcvY29kZS5naXRlYS5pby9zZGsvZ2l0ZWEpCgpUaGlzIHByb2plY3QgYWN0cyBhcyBhIGNsaWVudCBTREsgaW1wbGVtZW50YXRpb24gd3JpdHRlbiBpbiBHbyB0byBpbnRlcmFjdCB3aXRoIHRoZSBHaXRlYSBBUEkgaW1wbGVtZW50YXRpb24uIEZvciBmdXJ0aGVyIGluZm9ybWF0aW9ucyB0YWtlIGEgbG9vayBhdCB0aGUgY3VycmVudCBbZG9jdW1lbnRhdGlvbl0oaHR0cHM6Ly9nb2RvYy5vcmcvY29kZS5naXRlYS5pby9zZGsvZ2l0ZWEpLgoKTm90ZTogZnVuY3Rpb24gYXJndW1lbnRzIGFyZSBlc2NhcGVkIGJ5IHRoZSBTREsuCgojIyBVc2UgaXQKCmBgYGdvCmltcG9ydCAiY29kZS5naXRlYS5pby9zZGsvZ2l0ZWEiCmBgYAoKIyMgVmVyc2lvbiBSZXF1aXJlbWVudHMKICogZ28gPj0gMS4xMwogKiBnaXRlYSA+PSAxLjExCgojIyBDb250cmlidXRpbmcKCkZvcmsgLT4gUGF0Y2ggLT4gUHVzaCAtPiBQdWxsIFJlcXVlc3QKCiMjIEF1dGhvcnMKCiogW01haW50YWluZXJzXShodHRwczovL2dpdGh1Yi5jb20vb3Jncy9nby1naXRlYS9wZW9wbGUpCiogW0NvbnRyaWJ1dG9yc10oaHR0cHM6Ly9naXRodWIuY29tL2dvLWdpdGVhL2dvLXNkay9ncmFwaHMvY29udHJpYnV0b3JzKQoKIyMgTGljZW5zZQoKVGhpcyBwcm9qZWN0IGlzIHVuZGVyIHRoZSBNSVQgTGljZW5zZS4gU2VlIHRoZSBbTElDRU5TRV0oTElDRU5TRSkgZmlsZSBmb3IgdGhlIGZ1bGwgbGljZW5zZSB0ZXh0Lgo=",
+  "target": null,
+  "url": "https://gitea.com/api/v1/repos/gitea/go-sdk/contents/README.md?ref=master",
+  "html_url": "https://gitea.com/gitea/go-sdk/src/branch/master/README.md",
+  "git_url": "https://gitea.com/api/v1/repos/gitea/go-sdk/git/blobs/3605625ef3f80dc092167b54e3f55eb0663d729f",
+  "download_url": "https://gitea.com/gitea/go-sdk/raw/branch/master/README.md",
+  "submodule_git_url": null,
+  "_links": {
+    "self": "https://gitea.com/api/v1/repos/gitea/go-sdk/contents/README.md?ref=master",
+    "git": "https://gitea.com/api/v1/repos/gitea/go-sdk/git/blobs/3605625ef3f80dc092167b54e3f55eb0663d729f",
+    "html": "https://gitea.com/gitea/go-sdk/src/branch/master/README.md"
+  }
+}
+`)
+			require.NoError(t, err)
+		case "/api/v1/repos/gitea/go-sdk/contents/gitea?ref=master":
+			_, err := io.WriteString(w, testdata.ReposGiteaGoSdkContentsGiteaResponse)
+			require.NoError(t, err)
+		case "/api/v1/repos/gitea/go-sdk/contents/notathing?ref=master":
+			w.WriteHeader(404)
+			_, err := io.WriteString(w, `{"errors":["object does not exist [id: , rel_path: notathing]"],"message":"GetContentsOrList","url":"https://gitea.com/api/swagger"}`)
+			require.NoError(t, err)
+		default:
+			_, err := io.WriteString(w, `[]`)
+			if err != nil {
+				t.Fail()
+			}
+		}
+	}
+}
 func TestGiteaListRepos(t *testing.T) {
 	cases := []struct {
 		name, proto, url                        string
@@ -17,28 +266,28 @@ func TestGiteaListRepos(t *testing.T) {
 		filters                                 []v1alpha1.SCMProviderGeneratorFilter
 	}{
 		{
-			name:     "blank protocol",
+			name:        "blank protocol",
 			allBranches: false,
-			url:      "git@gitea.com:test-argocd/pr-test.git",
-			branches: []string{"main"},
+			url:         "git@gitea.com:test-argocd/pr-test.git",
+			branches:    []string{"main"},
 		},
 		{
-			name:  "ssh protocol",
+			name:        "ssh protocol",
 			allBranches: false,
-			proto: "ssh",
-			url:   "git@gitea.com:test-argocd/pr-test.git",
+			proto:       "ssh",
+			url:         "git@gitea.com:test-argocd/pr-test.git",
 		},
 		{
-			name:  "https protocol",
+			name:        "https protocol",
 			allBranches: false,
-			proto: "https",
-			url:   "https://gitea.com/test-argocd/pr-test",
+			proto:       "https",
+			url:         "https://gitea.com/test-argocd/pr-test",
 		},
 		{
-			name:     "other protocol",
+			name:        "other protocol",
 			allBranches: false,
-			proto:    "other",
-			hasError: true,
+			proto:       "other",
+			hasError:    true,
 		},
 		{
 			name:        "all branches",
@@ -47,15 +296,17 @@ func TestGiteaListRepos(t *testing.T) {
 			branches:    []string{"main"},
 		},
 	}
-
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		giteaMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGiteaProvider(context.Background(), "test-argocd", "", "https://gitea.com/", c.allBranches, false)
+			provider, _ := NewGiteaProvider(context.Background(), "test-argocd", "", ts.URL, c.allBranches, false)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
 				assert.NotNil(t, err)
 			} else {
-				checkRateLimit(t, err)
 				assert.Nil(t, err)
 				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
@@ -77,22 +328,32 @@ func TestGiteaListRepos(t *testing.T) {
 }

 func TestGiteaHasPath(t *testing.T) {
-	host, _ := NewGiteaProvider(context.Background(), "gitea", "", "https://gitea.com/", false, false)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		giteaMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
+	host, _ := NewGiteaProvider(context.Background(), "gitea", "", ts.URL, false, false)
 	repo := &Repository{
 		Organization: "gitea",
 		Repository:   "go-sdk",
 		Branch:       "master",
 	}
-	ok, err := host.RepoHasPath(context.Background(), repo, "README.md")
-	assert.Nil(t, err)
-	assert.True(t, ok)

-	// directory
-	ok, err = host.RepoHasPath(context.Background(), repo, "gitea")
-	assert.Nil(t, err)
-	assert.True(t, ok)
+	t.Run("file exists", func(t *testing.T) {
+		ok, err := host.RepoHasPath(context.Background(), repo, "README.md")
+		assert.Nil(t, err)
+		assert.True(t, ok)
+	})

-	ok, err = host.RepoHasPath(context.Background(), repo, "notathing")
-	assert.Nil(t, err)
-	assert.False(t, ok)
+	t.Run("directory exists", func(t *testing.T) {
+		ok, err := host.RepoHasPath(context.Background(), repo, "gitea")
+		assert.Nil(t, err)
+		assert.True(t, ok)
+	})
+
+	t.Run("does not exists", func(t *testing.T) {
+		ok, err := host.RepoHasPath(context.Background(), repo, "notathing")
+		assert.Nil(t, err)
+		assert.False(t, ok)
+	})
 }
--- a/applicationset/services/scm_provider/github_test.go
+++ b/applicationset/services/scm_provider/github_test.go
@@ -2,8 +2,9 @@ package scm_provider

 import (
 	"context"
-	"os"
-	"strings"
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -11,27 +12,192 @@ import (
 	"github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 )

-func checkRateLimit(t *testing.T, err error) {
-	// Check if we've hit a rate limit, don't fail the test if so.
-	if err != nil && (strings.Contains(err.Error(), "rate limit exceeded") ||
-		(strings.Contains(err.Error(), "API rate limit") && strings.Contains(err.Error(), "still exceeded"))) {
-
-		// GitHub Actions add this environment variable to indicate branch ref you are running on
-		githubRef := os.Getenv("GITHUB_REF")
-
-		// Only report rate limit errors as errors, when:
-		// - We are running in a GitHub action
-		// - AND, we are running that action on the 'master' or 'release-*' branch
-		// (unfortunately, for PRs, we don't have access to GitHub secrets that would allow us to embed a token)
-		failOnRateLimitErrors := os.Getenv("CI") != "" && (strings.Contains(githubRef, "/master") || strings.Contains(githubRef, "/release-"))
-
-		t.Logf("Got a rate limit error, consider setting $GITHUB_TOKEN to increase your GitHub API rate limit: %v\n", err)
-		if failOnRateLimitErrors {
-			t.FailNow()
-		} else {
-			t.SkipNow()
+func githubMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.RequestURI {
+		case "/api/v3/orgs/argoproj/repos?per_page=100":
+			_, err := io.WriteString(w, `[
+				{
+				  "id": 1296269,
+				  "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
+				  "name": "argo-cd",
+				  "full_name": "argoproj/argo-cd",
+				  "owner": {
+					"login": "argoproj",
+					"id": 1,
+					"node_id": "MDQ6VXNlcjE=",
+					"avatar_url": "https://github.com/images/error/argoproj_happy.gif",
+					"gravatar_id": "",
+					"url": "https://api.github.com/users/argoproj",
+					"html_url": "https://github.com/argoproj",
+					"followers_url": "https://api.github.com/users/argoproj/followers",
+					"following_url": "https://api.github.com/users/argoproj/following{/other_user}",
+					"gists_url": "https://api.github.com/users/argoproj/gists{/gist_id}",
+					"starred_url": "https://api.github.com/users/argoproj/starred{/owner}{/repo}",
+					"subscriptions_url": "https://api.github.com/users/argoproj/subscriptions",
+					"organizations_url": "https://api.github.com/users/argoproj/orgs",
+					"repos_url": "https://api.github.com/users/argoproj/repos",
+					"events_url": "https://api.github.com/users/argoproj/events{/privacy}",
+					"received_events_url": "https://api.github.com/users/argoproj/received_events",
+					"type": "User",
+					"site_admin": false
+				  },
+				  "private": false,
+				  "html_url": "https://github.com/argoproj/argo-cd",
+				  "description": "This your first repo!",
+				  "fork": false,
+				  "url": "https://api.github.com/repos/argoproj/argo-cd",
+				  "archive_url": "https://api.github.com/repos/argoproj/argo-cd/{archive_format}{/ref}",
+				  "assignees_url": "https://api.github.com/repos/argoproj/argo-cd/assignees{/user}",
+				  "blobs_url": "https://api.github.com/repos/argoproj/argo-cd/git/blobs{/sha}",
+				  "branches_url": "https://api.github.com/repos/argoproj/argo-cd/branches{/branch}",
+				  "collaborators_url": "https://api.github.com/repos/argoproj/argo-cd/collaborators{/collaborator}",
+				  "comments_url": "https://api.github.com/repos/argoproj/argo-cd/comments{/number}",
+				  "commits_url": "https://api.github.com/repos/argoproj/argo-cd/commits{/sha}",
+				  "compare_url": "https://api.github.com/repos/argoproj/argo-cd/compare/{base}...{head}",
+				  "contents_url": "https://api.github.com/repos/argoproj/argo-cd/contents/{path}",
+				  "contributors_url": "https://api.github.com/repos/argoproj/argo-cd/contributors",
+				  "deployments_url": "https://api.github.com/repos/argoproj/argo-cd/deployments",
+				  "downloads_url": "https://api.github.com/repos/argoproj/argo-cd/downloads",
+				  "events_url": "https://api.github.com/repos/argoproj/argo-cd/events",
+				  "forks_url": "https://api.github.com/repos/argoproj/argo-cd/forks",
+				  "git_commits_url": "https://api.github.com/repos/argoproj/argo-cd/git/commits{/sha}",
+				  "git_refs_url": "https://api.github.com/repos/argoproj/argo-cd/git/refs{/sha}",
+				  "git_tags_url": "https://api.github.com/repos/argoproj/argo-cd/git/tags{/sha}",
+				  "git_url": "git:github.com/argoproj/argo-cd.git",
+				  "issue_comment_url": "https://api.github.com/repos/argoproj/argo-cd/issues/comments{/number}",
+				  "issue_events_url": "https://api.github.com/repos/argoproj/argo-cd/issues/events{/number}",
+				  "issues_url": "https://api.github.com/repos/argoproj/argo-cd/issues{/number}",
+				  "keys_url": "https://api.github.com/repos/argoproj/argo-cd/keys{/key_id}",
+				  "labels_url": "https://api.github.com/repos/argoproj/argo-cd/labels{/name}",
+				  "languages_url": "https://api.github.com/repos/argoproj/argo-cd/languages",
+				  "merges_url": "https://api.github.com/repos/argoproj/argo-cd/merges",
+				  "milestones_url": "https://api.github.com/repos/argoproj/argo-cd/milestones{/number}",
+				  "notifications_url": "https://api.github.com/repos/argoproj/argo-cd/notifications{?since,all,participating}",
+				  "pulls_url": "https://api.github.com/repos/argoproj/argo-cd/pulls{/number}",
+				  "releases_url": "https://api.github.com/repos/argoproj/argo-cd/releases{/id}",
+				  "ssh_url": "git@github.com:argoproj/argo-cd.git",
+				  "stargazers_url": "https://api.github.com/repos/argoproj/argo-cd/stargazers",
+				  "statuses_url": "https://api.github.com/repos/argoproj/argo-cd/statuses/{sha}",
+				  "subscribers_url": "https://api.github.com/repos/argoproj/argo-cd/subscribers",
+				  "subscription_url": "https://api.github.com/repos/argoproj/argo-cd/subscription",
+				  "tags_url": "https://api.github.com/repos/argoproj/argo-cd/tags",
+				  "teams_url": "https://api.github.com/repos/argoproj/argo-cd/teams",
+				  "trees_url": "https://api.github.com/repos/argoproj/argo-cd/git/trees{/sha}",
+				  "clone_url": "https://github.com/argoproj/argo-cd.git",
+				  "mirror_url": "git:git.example.com/argoproj/argo-cd",
+				  "hooks_url": "https://api.github.com/repos/argoproj/argo-cd/hooks",
+				  "svn_url": "https://svn.github.com/argoproj/argo-cd",
+				  "homepage": "https://github.com",
+				  "language": null,
+				  "forks_count": 9,
+				  "stargazers_count": 80,
+				  "watchers_count": 80,
+				  "size": 108,
+				  "default_branch": "master",
+				  "open_issues_count": 0,
+				  "is_template": false,
+				  "topics": [
+					"argoproj",
+					"atom",
+					"electron",
+					"api"
+				  ],
+				  "has_issues": true,
+				  "has_projects": true,
+				  "has_wiki": true,
+				  "has_pages": false,
+				  "has_downloads": true,
+				  "archived": false,
+				  "disabled": false,
+				  "visibility": "public",
+				  "pushed_at": "2011-01-26T19:06:43Z",
+				  "created_at": "2011-01-26T19:01:12Z",
+				  "updated_at": "2011-01-26T19:14:43Z",
+				  "permissions": {
+					"admin": false,
+					"push": false,
+					"pull": true
+				  },
+				  "template_repository": null
+				}
+			  ]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/argo-cd/branches?per_page=100":
+			_, err := io.WriteString(w, `[
+				{
+				  "name": "master",
+				  "commit": {
+					"sha": "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					"url": "https://api.github.com/repos/argoproj/argo-cd/commits/c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc"
+				  },
+				  "protected": true,
+				  "protection": {
+					"required_status_checks": {
+					  "enforcement_level": "non_admins",
+					  "contexts": [
+						"ci-test",
+						"linter"
+					  ]
+					}
+				  },
+				  "protection_url": "https://api.github.com/repos/argoproj/hello-world/branches/master/protection"
+				}
+			  ]
+			`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/argo-cd/contents/pkg?ref=master":
+			_, err := io.WriteString(w, `{
+				"type": "file",
+				"encoding": "base64",
+				"size": 5362,
+				"name": "pkg/",
+				"path": "pkg/",
+				"content": "encoded content ...",
+				"sha": "3d21ec53a331a6f037a91c368710b99387d012c1",
+				"url": "https://api.github.com/repos/octokit/octokit.rb/contents/README.md",
+				"git_url": "https://api.github.com/repos/octokit/octokit.rb/git/blobs/3d21ec53a331a6f037a91c368710b99387d012c1",
+				"html_url": "https://github.com/octokit/octokit.rb/blob/master/README.md",
+				"download_url": "https://raw.githubusercontent.com/octokit/octokit.rb/master/README.md",
+				"_links": {
+				  "git": "https://api.github.com/repos/octokit/octokit.rb/git/blobs/3d21ec53a331a6f037a91c368710b99387d012c1",
+				  "self": "https://api.github.com/repos/octokit/octokit.rb/contents/README.md",
+				  "html": "https://github.com/octokit/octokit.rb/blob/master/README.md"
+				}
+			  }`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/argo-cd/branches/master":
+			_, err := io.WriteString(w, `{
+				"name": "master",
+				"commit": {
+				  "sha": "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+				  "url": "https://api.github.com/repos/octocat/Hello-World/commits/c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc"
+				},
+				"protected": true,
+				"protection": {
+				  "required_status_checks": {
+					"enforcement_level": "non_admins",
+					"contexts": [
+					  "ci-test",
+					  "linter"
+					]
+				  }
+				},
+				"protection_url": "https://api.github.com/repos/octocat/hello-world/branches/master/protection"
+			  }`)
+			if err != nil {
+				t.Fail()
+			}
+		default:
+			w.WriteHeader(404)
 		}
-
 	}
 }

@@ -66,18 +232,20 @@ func TestGithubListRepos(t *testing.T) {
 			name:        "all branches",
 			allBranches: true,
 			url:         "git@github.com:argoproj/argo-cd.git",
-			branches:    []string{"master", "release-0.11"},
+			branches:    []string{"master"},
 		},
 	}
-
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGithubProvider(context.Background(), "argoproj", "", "", c.allBranches)
+			provider, _ := NewGithubProvider(context.Background(), "argoproj", "", ts.URL, c.allBranches)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
 				assert.Error(t, err)
 			} else {
-				checkRateLimit(t, err)
 				assert.NoError(t, err)
 				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
@@ -99,25 +267,31 @@ func TestGithubListRepos(t *testing.T) {
 }

 func TestGithubHasPath(t *testing.T) {
-	host, _ := NewGithubProvider(context.Background(), "argoproj", "", "", false)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
+	host, _ := NewGithubProvider(context.Background(), "argoproj", "", ts.URL, false)
 	repo := &Repository{
 		Organization: "argoproj",
 		Repository:   "argo-cd",
 		Branch:       "master",
 	}
 	ok, err := host.RepoHasPath(context.Background(), repo, "pkg/")
-	checkRateLimit(t, err)
 	assert.Nil(t, err)
 	assert.True(t, ok)

 	ok, err = host.RepoHasPath(context.Background(), repo, "notathing/")
-	checkRateLimit(t, err)
 	assert.Nil(t, err)
 	assert.False(t, ok)
 }

 func TestGithubGetBranches(t *testing.T) {
-	host, _ := NewGithubProvider(context.Background(), "argoproj", "", "", false)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubMockHandler(t)(w, r)
+	}))
+	defer ts.Close()
+	host, _ := NewGithubProvider(context.Background(), "argoproj", "", ts.URL, false)
 	repo := &Repository{
 		Organization: "argoproj",
 		Repository:   "argo-cd",
@@ -125,19 +299,26 @@ func TestGithubGetBranches(t *testing.T) {
 	}
 	repos, err := host.GetBranches(context.Background(), repo)
 	if err != nil {
-		checkRateLimit(t, err)
 		assert.NoError(t, err)
 	} else {
 		assert.Equal(t, repos[0].Branch, "master")
 	}
-  // Get all branches
+	//Branch Doesn't exists instead of error will return no error
+	repo2 := &Repository{
+		Organization: "argoproj",
+		Repository:   "applicationset",
+		Branch:       "main",
+	}
+	_, err = host.GetBranches(context.Background(), repo2)
+	assert.NoError(t, err)
+
+	// Get all branches
 	host.allBranches = true
 	repos, err = host.GetBranches(context.Background(), repo)
 	if err != nil {
-		checkRateLimit(t, err)
 		assert.NoError(t, err)
 	} else {
-		// considering master and one release branch to always exist.
-		assert.Greater(t, len(repos), 1)
+		// considering master  branch to  exist.
+		assert.Equal(t, len(repos), 1)
 	}
 }
--- a/applicationset/services/scm_provider/gitlab_test.go
+++ b/applicationset/services/scm_provider/gitlab_test.go
@@ -2,6 +2,10 @@ package scm_provider

 import (
 	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"testing"

 	"github.com/stretchr/testify/assert"
@@ -9,6 +13,275 @@ import (
 	"github.com/argoproj/argo-cd/v2/pkg/apis/applicationset/v1alpha1"
 )

+func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.RequestURI {
+		case "/api/v4":
+			fmt.Println("here1")
+		case "/api/v4/groups/test-argocd-proton/projects?include_subgroups=false&per_page=100":
+			fmt.Println("here")
+			_, err := io.WriteString(w, `[{
+				"id": 27084533,
+				"description": "",
+				"name": "argocd",
+				"name_with_namespace": "test argocd proton / argocd",
+				"path": "argocd",
+				"path_with_namespace": "test-argocd-proton/argocd",
+				"created_at": "2021-06-01T17:30:44.724Z",
+				"default_branch": "master",
+				"tag_list": [],
+				"topics": [],
+				"ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/argocd.git",
+				"http_url_to_repo": "https://gitlab.com/test-argocd-proton/argocd.git",
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd",
+				"readme_url": null,
+				"avatar_url": null,
+				"forks_count": 0,
+				"star_count": 0,
+				"last_activity_at": "2021-06-04T08:19:51.656Z",
+				"namespace": {
+					"id": 12258515,
+					"name": "test argocd proton",
+					"path": "test-argocd-proton",
+					"kind": "gro* Connection #0 to host gitlab.com left intact up ",
+					"full_path ": "test - argocd - proton ",
+					"parent_id ": null,
+					"avatar_url ": null,
+					"web_url ": "https: //gitlab.com/groups/test-argocd-proton"
+				},
+				"container_registry_image_prefix": "registry.gitlab.com/test-argocd-proton/argocd",
+				"_links": {
+					"self": "https://gitlab.com/api/v4/projects/27084533",
+					"issues": "https://gitlab.com/api/v4/projects/27084533/issues",
+					"merge_requests": "https://gitlab.com/api/v4/projects/27084533/merge_requests",
+					"repo_branches": "https://gitlab.com/api/v4/projects/27084533/repository/branches",
+					"labels": "https://gitlab.com/api/v4/projects/27084533/labels",
+					"events": "https://gitlab.com/api/v4/projects/27084533/events",
+					"members": "https://gitlab.com/api/v4/projects/27084533/members",
+					"cluster_agents": "https://gitlab.com/api/v4/projects/27084533/cluster_agents"
+				},
+				"packages_enabled": true,
+				"empty_repo": false,
+				"archived": false,
+				"visibility": "public",
+				"resolve_outdated_diff_discussions": false,
+				"container_expiration_policy": {
+					"cadence": "1d",
+					"enabled": false,
+					"keep_n": 10,
+					"older_than": "90d",
+					"name_regex": ".*",
+					"name_regex_keep": null,
+					"next_run_at": "2021-06-02T17:30:44.740Z"
+				},
+				"issues_enabled": true,
+				"merge_requests_enabled": true,
+				"wiki_enabled": true,
+				"jobs_enabled": true,
+				"snippets_enabled": true,
+				"container_registry_enabled": true,
+				"service_desk_enabled": true,
+				"can_create_merge_request_in": false,
+				"issues_access_level": "enabled",
+				"repository_access_level": "enabled",
+				"merge_requests_access_level": "enabled",
+				"forking_access_level": "enabled",
+				"wiki_access_level": "enabled",
+				"builds_access_level": "enabled",
+				"snippets_access_level": "enabled",
+				"pages_access_level": "enabled",
+				"operations_access_level": "enabled",
+				"analytics_access_level": "enabled",
+				"container_registry_access_level": "enabled",
+				"security_and_compliance_access_level": "private",
+				"emails_disabled": null,
+				"shared_runners_enabled": true,
+				"lfs_enabled": true,
+				"creator_id": 2378866,
+				"import_status": "none",
+				"open_issues_count": 0,
+				"ci_default_git_depth": 50,
+				"ci_forward_deployment_enabled": true,
+				"ci_job_token_scope_enabled": false,
+				"public_jobs": true,
+				"build_timeout": 3600,
+				"auto_cancel_pending_pipelines": "enabled",
+				"ci_config_path": "",
+				"shared_with_groups": [],
+				"only_allow_merge_if_pipeline_succeeds": false,
+				"allow_merge_on_skipped_pipeline": null,
+				"restrict_user_defined_variables": false,
+				"request_access_enabled": true,
+				"only_allow_merge_if_all_discussions_are_resolved": false,
+				"remove_source_branch_after_merge": true,
+				"printing_merge_request_link_enabled": true,
+				"merge_method": "merge",
+				"squash_option": "default_off",
+				"suggestion_commit_message": null,
+				"merge_commit_template": null,
+				"squash_commit_template": null,
+				"auto_devops_enabled": false,
+				"auto_devops_deploy_strategy": "continuous",
+				"autoclose_referenced_issues": true,
+				"keep_latest_artifact": true,
+				"runner_token_expiration_interval": null,
+				"approvals_before_merge": 0,
+				"mirror": false,
+				"external_authorization_classification_label": "",
+				"marked_for_deletion_at": null,
+				"marked_for_deletion_on": null,
+				"requirements_enabled": true,
+				"requirements_access_level": "enabled",
+				"security_and_compliance_enabled": false,
+				"compliance_frameworks": [],
+				"issues_template": null,
+				"merge_requests_template": null,
+				"merge_pipelines_enabled": false,
+				"merge_trains_enabled": false
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/27084533/repository/branches/master":
+			fmt.Println("returning")
+			_, err := io.WriteString(w, `{
+				"name": "master",
+				"commit": {
+					"id": "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					"short_id": "8898d799",
+					"created_at": "2021-06-04T08:24:44.000+00:00",
+					"parent_ids": ["3c9d50be1ef949ad28674e238c7e12a17b1e9706", "56482e001731640b4123cf177e51c696f08a3005"],
+					"title": "Merge branch 'pipeline-1317911429' into 'master'",
+					"message": "Merge branch 'pipeline-1317911429' into 'master'\n\n[testapp-ci] manifests/demo/test-app.yaml: release v1.1.0\n\nSee merge request test-argocd-proton/argocd!3",
+					"author_name": "Martin Vozník",
+					"author_email": "martin@voznik.cz",
+					"authored_date": "2021-06-04T08:24:44.000+00:00",
+					"committer_name": "Martin Vozník",
+					"committer_email": "martin@voznik.cz",
+					"committed_date": "2021-06-04T08:24:44.000+00:00",
+					"trailers": {},
+					"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/commit/8898d7999fc99dd0fd578650b58b244fc63f6b53"
+				},
+				"merged": false,
+				"protected": true,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": true,
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/tree/master"
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/27084533/repository/branches?per_page=100":
+			_, err := io.WriteString(w, `[{
+				"name": "master",
+				"commit": {
+					"id": "8898d7999fc99dd0fd578650b58b244fc63f6b53",
+					"short_id": "8898d799",
+					"created_at": "2021-06-04T08:24:44.000+00:00",
+					"parent_ids": null,
+					"title": "Merge branch 'pipeline-1317911429' into 'master'",
+					"message": "Merge branch 'pipeline-1317911429' into 'master'",
+					"author_name": "Martin Vozník",
+					"author_email": "martin@voznik.cz",
+					"authored_date": "2021-06-04T08:24:44.000+00:00",
+					"committer_name": "Martin Vozník",
+					"committer_email": "martin@voznik.cz",
+					"committed_date": "2021-06-04T08:24:44.000+00:00",
+					"trailers": null,
+					"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/commit/8898d7999fc99dd0fd578650b58b244fc63f6b53"
+				},
+				"merged": false,
+				"protected": true,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": true,
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/tree/master"
+			}, {
+				"name": "pipeline-1310077506",
+				"commit": {
+					"id": "0f92540e5f396ba960adea4ed0aa905baf3f73d1",
+					"short_id": "0f92540e",
+					"created_at": "2021-06-01T18:39:59.000+00:00",
+					"parent_ids": null,
+					"title": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1",
+					"message": "[testapp-ci] manifests/demo/test-app.yaml: release v1.0.1",
+					"author_name": "ci-test-app",
+					"author_email": "mvoznik+cicd@protonmail.com",
+					"authored_date": "2021-06-01T18:39:59.000+00:00",
+					"committer_name": "ci-test-app",
+					"committer_email": "mvoznik+cicd@protonmail.com",
+					"committed_date": "2021-06-01T18:39:59.000+00:00",
+					"trailers": null,
+					"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/commit/0f92540e5f396ba960adea4ed0aa905baf3f73d1"
+				},
+				"merged": false,
+				"protected": false,
+				"developers_can_push": false,
+				"developers_can_merge": false,
+				"can_push": false,
+				"default": false,
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd/-/tree/pipeline-1310077506"
+			}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/test-argocd-proton%2Fargocd":
+			fmt.Println("auct")
+			_, err := io.WriteString(w, `{
+				"id": 27084533,
+				"description": "",
+				"name": "argocd",
+				"name_with_namespace": "test argocd proton / argocd",
+				"path": "argocd",
+				"path_with_namespace": "test-argocd-proton/argocd",
+				"created_at": "2021-06-01T17:30:44.724Z",
+				"default_branch": "master",
+				"tag_list": [],
+				"topics": [],
+				"ssh_url_to_repo": "git@gitlab.com:test-argocd-proton/argocd.git",
+				"http_url_to_repo": "https://gitlab.com/test-argocd-proton/argocd.git",
+				"web_url": "https://gitlab.com/test-argocd-proton/argocd",
+				"readme_url": null,
+				"avatar_url": null,
+				"forks_count": 0,
+				"star_count": 0,
+				"last_activity_at": "2021-06-04T08:19:51.656Z",
+				"namespace": {
+					"id": 12258515,
+					"name": "test argocd proton",
+					"path": "test-argocd-proton",
+					"kind": "group",
+					"full_path": "test-argocd-proton",
+					"parent_id": null,
+					"avatar_url": null,
+					"web_url": "https://gitlab.com/groups/test-argocd-proton"
+				}
+			}`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/27084533/repository/tree?path=argocd&ref=master":
+			_, err := io.WriteString(w, `[{"id":"ca14f2a3718159c74572a5325fb4bfb0662a2d3e","name":"ingress.yaml","type":"blob","path":"argocd/ingress.yaml","mode":"100644"},{"id":"de2a53a73b1550b3e0f4d37ea0a6d878bf9c5096","name":"install.yaml","type":"blob","path":"argocd/install.yaml","mode":"100644"}]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v4/projects/27084533/repository/tree?path=.&ref=master":
+			_, err := io.WriteString(w, `[{"id":"f2bf99fa8f7a27df9c43d2dffc8c8cd747f3181a","name":"argocd","type":"tree","path":"argocd","mode":"040000"},{"id":"68a3125232e01c1583a6a6299534ce10c5e7dd83","name":"manifests","type":"tree","path":"manifests","mode":"040000"}]`)
+			if err != nil {
+				t.Fail()
+			}
+		default:
+			_, err := io.WriteString(w, `[]`)
+			if err != nil {
+				t.Fail()
+			}
+		}
+	}
+}
 func TestGitlabListRepos(t *testing.T) {
 	cases := []struct {
 		name, proto, url                        string
@@ -40,18 +313,19 @@ func TestGitlabListRepos(t *testing.T) {
 			name:        "all branches",
 			allBranches: true,
 			url:         "git@gitlab.com:test-argocd-proton/argocd.git",
-			branches:    []string{"master", "pipeline-1310077506"},
+			branches:    []string{"master"},
 		},
 	}
-
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gitlabMockHandler(t)(w, r)
+	}))
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			provider, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", "", c.allBranches, c.includeSubgroups)
+			provider, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, c.allBranches, c.includeSubgroups)
 			rawRepos, err := ListRepos(context.Background(), provider, c.filters, c.proto)
 			if c.hasError {
 				assert.NotNil(t, err)
 			} else {
-				checkRateLimit(t, err)
 				assert.Nil(t, err)
 				// Just check that this one project shows up. Not a great test but better thing nothing?
 				repos := []*Repository{}
@@ -73,7 +347,10 @@ func TestGitlabListRepos(t *testing.T) {
 }

 func TestGitlabHasPath(t *testing.T) {
-	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", "", false, true)
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gitlabMockHandler(t)(w, r)
+	}))
+	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true)
 	repo := &Repository{
 		Organization: "test-argocd-proton",
 		Repository:   "argocd",
--- a/applicationset/services/scm_provider/testdata/data.go
+++ b/applicationset/services/scm_provider/testdata/data.go
@@ -0,0 +1,6 @@
+package testdata
+
+import _ "embed"
+
+//go:embed repos_gitea_go-sdk_contents_gitea.json
+var ReposGiteaGoSdkContentsGiteaResponse string
--- a/applicationset/services/scm_provider/testdata/repos_gitea_go-sdk_contents_gitea.json
+++ b/applicationset/services/scm_provider/testdata/repos_gitea_go-sdk_contents_gitea.json
--- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
+++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go
@@ -18,6 +18,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/reposerver/askpass"
+	"github.com/argoproj/argo-cd/v2/util/env"

 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -37,6 +38,11 @@ import (
 	argosettings "github.com/argoproj/argo-cd/v2/util/settings"
 )

+// TODO: load this using Cobra. https://github.com/argoproj/argo-cd/issues/10157
+func getSubmoduleEnabled() bool {
+	return env.ParseBoolFromEnv(common.EnvGitSubmoduleEnabled, true)
+}
+
 func NewCommand() *cobra.Command {
 	var (
 		clientConfig         clientcmd.ClientConfig
@@ -136,7 +142,7 @@ func NewCommand() *cobra.Command {
 			terminalGenerators := map[string]generators.Generator{
 				"List":                    generators.NewListGenerator(),
 				"Clusters":                generators.NewClusterGenerator(mgr.GetClient(), context.Background(), k8sClient, namespace),
-				"Git":                     generators.NewGitGenerator(services.NewArgoCDService(argoCDDB, askPassServer, argocdRepoServer)),
+				"Git":                     generators.NewGitGenerator(services.NewArgoCDService(argoCDDB, askPassServer, getSubmoduleEnabled())),
 				"SCMProvider":             generators.NewSCMProviderGenerator(mgr.GetClient()),
 				"ClusterDecisionResource": generators.NewDuckTypeGenerator(context.Background(), dynamicClient, k8sClient, namespace),
 				"PullRequest":             generators.NewPullRequestGenerator(mgr.GetClient()),
--- a/cmd/argocd-repo-server/commands/argocd_repo_server.go
+++ b/cmd/argocd-repo-server/commands/argocd_repo_server.go
@@ -81,6 +81,7 @@ func NewCommand() *cobra.Command {
 		redisClient                       *redis.Client
 		disableTLS                        bool
 		maxCombinedDirectoryManifestsSize string
+		cmpTarExcludedGlobs               []string
 	)
 	var command = cobra.Command{
 		Use:               cliName,
@@ -113,6 +114,7 @@ func NewCommand() *cobra.Command {
 				PauseGenerationOnFailureForRequests:          getPauseGenerationOnFailureForRequests(),
 				SubmoduleEnabled:                             getSubmoduleEnabled(),
 				MaxCombinedDirectoryManifestsSize:            maxCombinedDirectoryManifestsQuantity,
+				CMPTarExcludedGlobs:                          cmpTarExcludedGlobs,
 			}, askPassServer)
 			errors.CheckError(err)

@@ -189,6 +191,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&otlpAddress, "otlp-address", env.StringFromEnv("ARGOCD_REPO_SERVER_OTLP_ADDRESS", ""), "OpenTelemetry collector address to send traces to")
 	command.Flags().BoolVar(&disableTLS, "disable-tls", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_DISABLE_TLS", false), "Disable TLS on the gRPC endpoint")
 	command.Flags().StringVar(&maxCombinedDirectoryManifestsSize, "max-combined-directory-manifests-size", env.StringFromEnv("ARGOCD_REPO_SERVER_MAX_COMBINED_DIRECTORY_MANIFESTS_SIZE", "10M"), "Max combined size of manifest files in a directory-type Application")
+	command.Flags().StringArrayVar(&cmpTarExcludedGlobs, "plugin-tar-exclude", env.StringsFromEnv("ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS", []string{}, ";"), "Globs to filter when sending tarballs to plugins.")

 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
 	cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
--- a/cmd/argocd-server/commands/argocd_server.go
+++ b/cmd/argocd-server/commands/argocd_server.go
@@ -152,7 +152,10 @@ func NewCommand() *cobra.Command {
 			stats.RegisterStackDumper()
 			stats.StartStatsTicker(10 * time.Minute)
 			stats.RegisterHeapDumper("memprofile")
-
+			argocd := server.NewServer(context.Background(), argoCDOpts)
+			argocd.Init(context.Background())
+			lns, err := argocd.Listen()
+			errors.CheckError(err)
 			for {
 				var closer func()
 				ctx := context.Background()
@@ -163,8 +166,7 @@ func NewCommand() *cobra.Command {
 						log.Fatalf("failed to initialize tracing: %v", err)
 					}
 				}
-				argocd := server.NewServer(ctx, argoCDOpts)
-				argocd.Run(ctx, listenPort, metricsPort)
+				argocd.Run(ctx, lns)
 				cancel()
 				if closer != nil {
 					closer()
--- a/cmd/argocd/commands/headless/headless.go
+++ b/cmd/argocd/commands/headless/headless.go
@@ -215,8 +215,13 @@ func StartLocalServer(clientOpts *apiclient.ClientOptions, ctxStr string, port *
 		ListenHost:    *address,
 		RepoClientset: &forwardRepoClientset{namespace: namespace, context: ctxStr},
 	})
+	srv.Init(ctx)

-	go srv.Run(ctx, *port, 0)
+	lns, err := srv.Listen()
+	if err != nil {
+		return err
+	}
+	go srv.Run(ctx, lns)
 	clientOpts.ServerAddr = fmt.Sprintf("%s:%d", *address, *port)
 	clientOpts.PlainText = true
 	if !cache2.WaitForCacheSync(ctx.Done(), srv.Initialized) {
--- a/cmd/argocd/commands/login.go
+++ b/cmd/argocd/commands/login.go
@@ -36,11 +36,12 @@ import (
 // NewLoginCommand returns a new instance of `argocd login` command
 func NewLoginCommand(globalClientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (
-		ctxName  string
-		username string
-		password string
-		sso      bool
-		ssoPort  int
+		ctxName     string
+		username    string
+		password    string
+		sso         bool
+		ssoPort     int
+		skipTestTLS bool
 	)
 	var command = &cobra.Command{
 		Use:   "login SERVER",
@@ -68,21 +69,25 @@ argocd login cd.argoproj.io --core`,
 				server = "kubernetes"
 			} else {
 				server = args[0]
-				tlsTestResult, err := grpc_util.TestTLS(server)
-				errors.CheckError(err)
-				if !tlsTestResult.TLS {
-					if !globalClientOpts.PlainText {
-						if !cli.AskToProceed("WARNING: server is not configured with TLS. Proceed (y/n)? ") {
-							os.Exit(1)
+
+				if !skipTestTLS {
+					dialTime := 30 * time.Second
+					tlsTestResult, err := grpc_util.TestTLS(server, dialTime)
+					errors.CheckError(err)
+					if !tlsTestResult.TLS {
+						if !globalClientOpts.PlainText {
+							if !cli.AskToProceed("WARNING: server is not configured with TLS. Proceed (y/n)? ") {
+								os.Exit(1)
+							}
+							globalClientOpts.PlainText = true
 						}
-						globalClientOpts.PlainText = true
-					}
-				} else if tlsTestResult.InsecureErr != nil {
-					if !globalClientOpts.Insecure {
-						if !cli.AskToProceed(fmt.Sprintf("WARNING: server certificate had error: %s. Proceed insecurely (y/n)? ", tlsTestResult.InsecureErr)) {
-							os.Exit(1)
+					} else if tlsTestResult.InsecureErr != nil {
+						if !globalClientOpts.Insecure {
+							if !cli.AskToProceed(fmt.Sprintf("WARNING: server certificate had error: %s. Proceed insecurely (y/n)? ", tlsTestResult.InsecureErr)) {
+								os.Exit(1)
+							}
+							globalClientOpts.Insecure = true
 						}
-						globalClientOpts.Insecure = true
 					}
 				}
 			}
@@ -174,6 +179,8 @@ argocd login cd.argoproj.io --core`,
 	command.Flags().StringVar(&password, "password", "", "the password of an account to authenticate")
 	command.Flags().BoolVar(&sso, "sso", false, "perform SSO login")
 	command.Flags().IntVar(&ssoPort, "sso-port", DefaultSSOLocalPort, "port to run local OAuth2 login application")
+	command.Flags().
+		BoolVar(&skipTestTLS, "skip-test-tls", false, "Skip testing whether the server is configured with TLS (this can help when the command hangs for no apparent reason)")
 	return command
 }

@@ -189,7 +196,13 @@ func userDisplayName(claims jwt.MapClaims) string {

 // oauth2Login opens a browser, runs a temporary HTTP server to delegate OAuth2 login flow and
 // returns the JWT token and a refresh token (if supported)
-func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCConfig, oauth2conf *oauth2.Config, provider *oidc.Provider) (string, string) {
+func oauth2Login(
+	ctx context.Context,
+	port int,
+	oidcSettings *settingspkg.OIDCConfig,
+	oauth2conf *oauth2.Config,
+	provider *oidc.Provider,
+) (string, string) {
 	oauth2conf.RedirectURL = fmt.Sprintf("http://localhost:%d/auth/callback", port)
 	oidcConf, err := oidcutil.ParseConfig(provider)
 	errors.CheckError(err)
@@ -215,7 +228,10 @@ func oauth2Login(ctx context.Context, port int, oidcSettings *settingspkg.OIDCCo
 	}

 	// PKCE implementation of https://tools.ietf.org/html/rfc7636
-	codeVerifier, err := rand.StringFromCharset(43, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
+	codeVerifier, err := rand.StringFromCharset(
+		43,
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~",
+	)
 	errors.CheckError(err)
 	codeChallengeHash := sha256.Sum256([]byte(codeVerifier))
 	codeChallenge := base64.RawURLEncoding.EncodeToString(codeChallengeHash[:])
--- a/cmd/argocd/commands/testdata/config
+++ b/cmd/argocd/commands/testdata/config
@@ -28,4 +28,4 @@ current-context: localhost:8080
 users:
 - name:  argocd1.example.com:443
 - name:  argocd2.example.com:443
- name:  localhost:8080
+- name:  localhost:8080
--- a/cmpserver/server.go
+++ b/cmpserver/server.go
@@ -2,12 +2,13 @@ package cmpserver

 import (
 	"fmt"
-	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"net"
 	"os"
 	"os/signal"
 	"syscall"

+	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
+
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpc_logrus "github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus"
 	grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
@@ -24,6 +25,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/server/version"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 	grpc_util "github.com/argoproj/argo-cd/v2/util/grpc"
+	"google.golang.org/grpc/keepalive"
 )

 // ArgoCDCMPServer is the config management plugin server implementation
@@ -61,6 +63,11 @@ func NewServer(initConstants plugin.CMPServerInitConstants) (*ArgoCDCMPServer, e
 		grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(streamInterceptors...)),
 		grpc.MaxRecvMsgSize(apiclient.MaxGRPCMessageSize),
 		grpc.MaxSendMsgSize(apiclient.MaxGRPCMessageSize),
+		grpc.KeepaliveEnforcementPolicy(
+			keepalive.EnforcementPolicy{
+				MinTime: common.GRPCKeepAliveEnforcementMinimum,
+			},
+		),
 	}

 	return &ArgoCDCMPServer{
--- a/common/common.go
+++ b/common/common.go
@@ -286,3 +286,10 @@ const (
 	// AnnotationApplicationRefresh is an annotation that is added when an ApplicationSet is requested to be refreshed by a webhook. The ApplicationSet controller will remove this annotation at the end of reconcilation.
 	AnnotationApplicationSetRefresh = "argocd.argoproj.io/application-set-refresh"
 )
+
+// gRPC settings
+const (
+	GRPCKeepAliveEnforcementMinimum = 10 * time.Second
+	// Keep alive is 2x enforcement minimum to ensure network jitter does not introduce ENHANCE_YOUR_CALM errors
+	GRPCKeepAliveTime = 2 * GRPCKeepAliveEnforcementMinimum
+)
--- a/controller/cache/cache.go
+++ b/controller/cache/cache.go
@@ -176,6 +176,7 @@ func NewLiveStateCache(
 type cacheSettings struct {
 	clusterSettings     clustercache.Settings
 	appInstanceLabelKey string
+	trackingMethod      appv1.TrackingMethod
 }

 type liveStateCache struct {
@@ -210,7 +211,7 @@ func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
 		ResourceHealthOverride: lua.ResourceHealthOverrides(resourceOverrides),
 		ResourcesFilter:        resourcesFilter,
 	}
-	return &cacheSettings{clusterSettings, appInstanceLabelKey}, nil
+	return &cacheSettings{clusterSettings, appInstanceLabelKey, argo.GetTrackingMethod(c.settingsMgr)}, nil
 }

 func asResourceNode(r *clustercache.Resource) appv1.ResourceNode {
@@ -354,7 +355,8 @@ func isTransientNetworkErr(err error) bool {
 	}
 	if strings.Contains(errorString, "net/http: TLS handshake timeout") ||
 		strings.Contains(errorString, "i/o timeout") ||
-		strings.Contains(errorString, "connection timed out") {
+		strings.Contains(errorString, "connection timed out") ||
+		strings.Contains(errorString, "connection reset by peer") {
 		return true
 	}
 	return false
@@ -387,7 +389,6 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		return nil, fmt.Errorf("controller is configured to ignore cluster %s", cluster.Server)
 	}

-	trackingMethod := argo.GetTrackingMethod(c.settingsMgr)
 	clusterCacheOpts := []clustercache.UpdateSettingsFunc{
 		clustercache.SetListSemaphore(semaphore.NewWeighted(clusterCacheListSemaphoreSize)),
 		clustercache.SetListPageSize(clusterCacheListPageSize),
@@ -400,9 +401,12 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetPopulateResourceInfoHandler(func(un *unstructured.Unstructured, isRoot bool) (interface{}, bool) {
 			res := &ResourceInfo{}
 			populateNodeInfo(un, res)
+			c.lock.RLock()
+			cacheSettings := c.cacheSettings
+			c.lock.RUnlock()
 			res.Health, _ = health.GetResourceHealth(un, cacheSettings.clusterSettings.ResourceHealthOverride)

-			appName := c.resourceTracking.GetAppName(un, cacheSettings.appInstanceLabelKey, trackingMethod)
+			appName := c.resourceTracking.GetAppName(un, cacheSettings.appInstanceLabelKey, cacheSettings.trackingMethod)
 			if isRoot && appName != "" {
 				res.AppName = appName
 			}
--- a/controller/cache/cache_test.go
+++ b/controller/cache/cache_test.go
@@ -111,6 +111,7 @@ func TestIsRetryableError(t *testing.T) {
 		tlsHandshakeTimeoutErr net.Error = netError("net/http: TLS handshake timeout")
 		ioTimeoutErr           net.Error = netError("i/o timeout")
 		connectionTimedout     net.Error = netError("connection timed out")
+		connectionReset        net.Error = netError("connection reset by peer")
 	)
 	t.Run("Nil", func(t *testing.T) {
 		assert.False(t, isRetryableError(nil))
@@ -148,4 +149,7 @@ func TestIsRetryableError(t *testing.T) {
 	t.Run("ConnectionTimeout", func(t *testing.T) {
 		assert.True(t, isRetryableError(connectionTimedout))
 	})
+	t.Run("ConnectionReset", func(t *testing.T) {
+		assert.True(t, isRetryableError(connectionReset))
+	})
 }
--- a/controller/state.go
+++ b/controller/state.go
@@ -494,6 +494,8 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		}
 		gvk := obj.GroupVersionKind()

+		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, appLabelKey, trackingMethod)
+
 		resState := v1alpha1.ResourceStatus{
 			Namespace:       obj.GetNamespace(),
 			Name:            obj.GetName(),
@@ -501,7 +503,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 			Version:         gvk.Version,
 			Group:           gvk.Group,
 			Hook:            hookutil.IsHook(obj),
-			RequiresPruning: targetObj == nil && liveObj != nil,
+			RequiresPruning: targetObj == nil && liveObj != nil && isSelfReferencedObj,
 		}

 		var diffResult diff.DiffResult
@@ -510,8 +512,11 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		} else {
 			diffResult = diff.DiffResult{Modified: false, NormalizedLive: []byte("{}"), PredictedLive: []byte("{}")}
 		}
-		if resState.Hook || ignore.Ignore(obj) || (targetObj != nil && hookutil.Skip(targetObj)) {
-			// For resource hooks or skipped resources, don't store sync status, and do not affect overall sync status
+		if resState.Hook || ignore.Ignore(obj) || (targetObj != nil && hookutil.Skip(targetObj)) || !isSelfReferencedObj {
+			// For resource hooks, skipped resources or objects that may have
+			// been created by another controller with annotations copied from
+			// the source object, don't store sync status, and do not affect
+			// overall sync status
 		} else if diffResult.Modified || targetObj == nil || liveObj == nil {
 			// Set resource state to OutOfSync since one of the following is true:
 			// * target and live resource are different
@@ -667,3 +672,34 @@ func NewAppStateManager(
 		resourceTracking:     resourceTracking,
 	}
 }
+
+// isSelfReferencedObj returns whether the given obj is managed by the application
+// according to the values in the tracking annotation. It returns true when all
+// of the properties in the annotation (name, namespace, group and kind) match
+// the properties of the inspected object, or if the tracking method used does
+// not provide the required properties for matching.
+func (m *appStateManager) isSelfReferencedObj(obj *unstructured.Unstructured, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
+	if obj == nil {
+		return true
+	}
+
+	// If tracking method doesn't contain required metadata for this check,
+	// we are not able to determine and just assume the object to be managed.
+	if trackingMethod == argo.TrackingMethodLabel {
+		return true
+	}
+
+	// In order for us to assume obj to be managed by this application, the
+	// values from the annotation have to match the properties from the live
+	// object. Cluster scoped objects carry the app's destination namespace
+	// in the tracking annotation, but are unique in GVK + name combination.
+	appInstance := m.resourceTracking.GetAppInstance(obj, appLabelKey, trackingMethod)
+	if appInstance != nil {
+		return (obj.GetNamespace() == appInstance.Namespace || obj.GetNamespace() == "") &&
+			obj.GetName() == appInstance.Name &&
+			obj.GetObjectKind().GroupVersionKind().Group == appInstance.Group &&
+			obj.GetObjectKind().GroupVersionKind().Kind == appInstance.Kind
+	}
+
+	return true
+}
--- a/controller/state_test.go
+++ b/controller/state_test.go
@@ -13,6 +13,7 @@ import (
 	. "github.com/argoproj/gitops-engine/pkg/utils/testing"
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -21,6 +22,7 @@ import (
 	argoappv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/v2/test"
+	"github.com/argoproj/argo-cd/v2/util/argo"
 )

 // TestCompareAppStateEmpty tests comparison when both git and live have no objects
@@ -770,3 +772,128 @@ func TestComparisonResult_GetSyncStatus(t *testing.T) {

 	assert.Equal(t, status, res.GetSyncStatus())
 }
+
+func TestIsLiveResourceManaged(t *testing.T) {
+	managedObj := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap1",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:/ConfigMap:default/configmap1",
+			},
+		},
+	})
+	managedObjWithLabel := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap1",
+			Namespace: "default",
+			Labels: map[string]string{
+				common.LabelKeyAppInstance: "guestbook",
+			},
+		},
+	})
+	unmanagedObjWrongName := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap2",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:/ConfigMap:default/configmap1",
+			},
+		},
+	})
+	unmanagedObjWrongKind := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap2",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:/Service:default/configmap2",
+			},
+		},
+	})
+	unmanagedObjWrongGroup := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap2",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:apps/ConfigMap:default/configmap2",
+			},
+		},
+	})
+	unmanagedObjWrongNamespace := kube.MustToUnstructured(&corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "v1",
+			Kind:       "ConfigMap",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "configmap2",
+			Namespace: "default",
+			Annotations: map[string]string{
+				common.AnnotationKeyAppInstance: "guestbook:/ConfigMap:fakens/configmap2",
+			},
+		},
+	})
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{
+			kube.GetResourceKey(managedObj):                 managedObj,
+			kube.GetResourceKey(unmanagedObjWrongName):      unmanagedObjWrongName,
+			kube.GetResourceKey(unmanagedObjWrongKind):      unmanagedObjWrongKind,
+			kube.GetResourceKey(unmanagedObjWrongGroup):     unmanagedObjWrongGroup,
+			kube.GetResourceKey(unmanagedObjWrongNamespace): unmanagedObjWrongNamespace,
+		},
+	})
+
+	manager := ctrl.appStateManager.(*appStateManager)
+
+	// Managed resource w/ annotations
+	assert.True(t, manager.isSelfReferencedObj(managedObj, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.True(t, manager.isSelfReferencedObj(managedObj, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+
+	// Managed resource w/ label
+	assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+
+	// Wrong resource name
+	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+
+	// Wrong resource group
+	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+
+	// Wrong resource kind
+	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+
+	// Wrong resource namespace
+	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel))
+
+	// Nil resource
+	assert.True(t, manager.isSelfReferencedObj(nil, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
+}
--- a/controller/sync.go
+++ b/controller/sync.go
@@ -205,6 +205,13 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		reconciliationResult.Target = patchedTargets
 	}

+	appLabelKey, err := m.settingsMgr.GetAppInstanceLabelKey()
+	if err != nil {
+		log.Errorf("Could not get appInstanceLabelKey: %v", err)
+		return
+	}
+	trackingMethod := argo.GetTrackingMethod(m.settingsMgr)
+
 	syncCtx, cleanup, err := sync.NewSyncContext(
 		compareResult.syncStatus.Revision,
 		reconciliationResult,
@@ -217,7 +224,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		sync.WithHealthOverride(lua.ResourceHealthOverrides(resourceOverrides)),
 		sync.WithPermissionValidator(func(un *unstructured.Unstructured, res *v1.APIResource) error {
 			if !proj.IsGroupKindPermitted(un.GroupVersionKind().GroupKind(), res.Namespaced) {
-				return fmt.Errorf("Resource %s:%s is not permitted in project %s.", un.GroupVersionKind().Group, un.GroupVersionKind().Kind, proj.Name)
+				return fmt.Errorf("resource %s:%s is not permitted in project %s", un.GroupVersionKind().Group, un.GroupVersionKind().Kind, proj.Name)
 			}
 			if res.Namespaced && !proj.IsDestinationPermitted(v1alpha1.ApplicationDestination{Namespace: un.GetNamespace(), Server: app.Spec.Destination.Server, Name: app.Spec.Destination.Name}) {
 				return fmt.Errorf("namespace %v is not permitted in project '%s'", un.GetNamespace(), proj.Name)
@@ -227,7 +234,9 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		sync.WithOperationSettings(syncOp.DryRun, syncOp.Prune, syncOp.SyncStrategy.Force(), syncOp.IsApplyStrategy() || len(syncOp.Resources) > 0),
 		sync.WithInitialState(state.Phase, state.Message, initialResourcesRes, state.StartedAt),
 		sync.WithResourcesFilter(func(key kube.ResourceKey, target *unstructured.Unstructured, live *unstructured.Unstructured) bool {
-			return len(syncOp.Resources) == 0 || argo.ContainsSyncResource(key.Name, key.Namespace, schema.GroupVersionKind{Kind: key.Kind, Group: key.Group}, syncOp.Resources)
+			return (len(syncOp.Resources) == 0 ||
+				argo.ContainsSyncResource(key.Name, key.Namespace, schema.GroupVersionKind{Kind: key.Kind, Group: key.Group}, syncOp.Resources)) &&
+				m.isSelfReferencedObj(live, appLabelKey, trackingMethod)
 		}),
 		sync.WithManifestValidation(!syncOp.SyncOptions.HasOption(common.SyncOptionsDisableValidation)),
 		sync.WithNamespaceCreation(syncOp.SyncOptions.HasOption("CreateNamespace=true"), func(un *unstructured.Unstructured) bool {
--- a/docs/assets/terminal.png
+++ b/docs/assets/terminal.png
--- a/docs/cli_installation.md
+++ b/docs/cli_installation.md
@@ -4,10 +4,10 @@ You can download the latest Argo CD version from [the latest release page of thi

 ## Linux and WSL

-### ArchLinux User Repository ([AUR](https://aur.archlinux.org/packages/))
+### ArchLinux

 ```bash
-yay -Sy argocd-bin
+pacman -S argocd
 ```

 ### Homebrew
--- a/docs/developer-guide/toolchain-guide.md
+++ b/docs/developer-guide/toolchain-guide.md
@@ -24,8 +24,7 @@ You will need at least the following things in your toolchain in order to develo

 * A Kubernetes cluster. You won't need a fully blown multi-master, multi-node cluster, but you will need something like K3S, Minikube or microk8s. You will also need a working Kubernetes client (`kubectl`) configuration in your development environment. The configuration must reside in `~/.kube/config` and the API server URL must point to the IP address of your local machine (or VM), and **not** to `localhost` or `127.0.0.1` if you are using the virtualized development toolchain (see below)

-* You will also need a working Docker runtime environment, to be able to build and run images.
-The Docker version must be fairly recent, and support multi-stage builds. You should not work as root. Make your local user a member of the `docker` group to be able to control the Docker service on your machine.
+* You will also need a working Docker runtime environment, to be able to build and run images. The Docker version must be 17.05.0 or higher, to support multi-stage builds. 

 * Obviously, you will need a `git` client for pulling source code and pushing back your changes.

--- a/docs/developer-guide/ui-extensions.md
+++ b/docs/developer-guide/ui-extensions.md
@@ -0,0 +1,64 @@
+# UI Extensions
+
+Argo CD web user interface can be extended with additional UI elements. Extensions should be delivered as a javascript file
+in the `argocd-server` Pods that are placed in the `/tmp/extensions` directory and starts with `extension` prefix ( matches to `^extension(.*)\.js$` regex ).
+
+```
+/tmp/extensions
+├── example1
+│   └── extension-1.js
+└── example2
+    └── extension-2.js
+```
+
+Extensions are loaded during initial page rendering and should register themselves using API exposed in the `extensionsAPI` global variable. (See
+corresponding extension type details for additional information).
+
+The extension should provide a React component that is responsible for rendering the UI element. Extension should not bundle the React library.
+Instead extension should use the `react` global variable. You can leverage `externals` setting if you are using webpack:
+
+```js
+  externals: {
+    react: 'React'
+  }
+```
+
+## Resource Tab Extensions
+
+Resource Tab extensions is an extension that provides an additional tab for the resource sliding panel at the Argo CD Application details page.
+
+The resource tab extension should be registered using the `extensionsAPI.registerResourceExtension` method:
+
+```typescript
+registerResourceExtension(component: ExtensionComponent, group: string, kind: string, tabTitle: string)
+```
+
+* `component: ExtensionComponent` is a React component that receives the following properties:
+
+    * application: Application - Argo CD Application resource;
+    * resource: State - the kubernetes resource object;
+    * tree: ApplicationTree - includes list of all resources that comprise the application;
+
+    See properties interfaces in [models.ts](https://github.com/argoproj/argo-cd/blob/master/ui/src/app/shared/models.ts)
+
+* `group: string` - the glob expression that matches the group of the resource; note: use globstar (`**`) to match all groups including empty string;
+* `kind: string` - the glob expression that matches the kind of the resource;
+* `tabTitle: string` - the extension tab title.
+* `opts: Object` - additional options:
+  * `icon: string` - the class name the represents the icon from the [https://fontawesome.com/](https://fontawesome.com/) library (e.g. 'fa-calendar-alt');
+
+Below is an example of a resource tab extension:
+
+```javascript
+((window) => {
+    const component = () => {
+        return React.createElement( 'div', {}, 'Hello World' );
+    };
+    window.extensionsAPI.registerResourceExtension(component, '*', '*', 'Nice extension');
+})(window)
+```
+
+## Application Tab Extensions
+
+Since the Argo CD Application is a Kubernetes resource, application tabs can be the same as any other resource tab.
+Make sure to use 'argoproj.io'/'Application' as group/kind and an extension will be used to render the application-level tab.
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -63,7 +63,7 @@ or a randomly generated password stored in a secret (Argo CD 1.9 and later).
 ## How to disable admin user?

 Add `admin.enabled: "false"` to the `argocd-cm` ConfigMap (
-see [user management](operator-manual/user-management/index.md)).
+see [user management](./operator-manual/user-management/index.md)).

 ## Argo CD cannot deploy Helm Chart based applications without internet access, how can I solve it?

@@ -174,7 +174,9 @@ argocd ... --grpc-web

 ## Why Am I Getting `x509: certificate signed by unknown authority` When Using The CLI?

-Your not running your server with correct certs.
+The certificate created by default by Argo CD is not automatically recognised by the Argo CD CLI, in order
+to create a secure system you must follow the instructions to [install a certificate](/operator-manual/tls/)
+and configure your client OS to trust that certificate.

 If you're not running in a production system (e.g. you're testing Argo CD out), try the `--insecure` flag:

@@ -187,7 +189,7 @@ argocd ... --insecure
 ## I have configured Dex via `dex.config` in `argocd-cm`, it still says Dex is unconfigured. Why?

 Most likely you forgot to set the `url` in `argocd-cm` to point to your ArgoCD as well. See also
-[the docs](/operator-manual/user-management/#2-configure-argo-cd-for-sso).
+[the docs](./operator-manual/user-management/index.md#2-configure-argo-cd-for-sso).

 ## Why are `SealedSecret` resources reporting a `Status`?

--- a/docs/getting_started.md
+++ b/docs/getting_started.md
@@ -29,6 +29,13 @@ kubectl create namespace argocd
 kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/core-install.yaml
 ```

+This default installation will have a self-signed certificate and cannot be accessed without a bit of extra work.
+Do one of:
+
+* Follow the [instructions to configure a certificate](operator-manual/tls.md) (and ensure that the client OS trusts it).
+* Configure the client OS to trust the self signed certificate.
+* Use the --insecure flag on all Argo CD CLI operations in this guide.
+
 Use `argocd login --core` to [configure](./user-guide/commands/argocd_login.md) CLI access and skip steps 3-5.

 ## 2. Download Argo CD CLI
--- a/docs/operator-manual/application.yaml
+++ b/docs/operator-manual/application.yaml
@@ -69,11 +69,16 @@ spec:
    kustomize:
      # Optional kustomize version. Note: version must be configured in argocd-cm ConfigMap
      version: v3.5.4
-      # Optional image name prefix
+      # Supported kustomize transformers. https://kubectl.docs.kubernetes.io/references/kustomize/kustomization/
      namePrefix: prod-
-      # Optional images passed to "kustomize edit set image".
+      nameSuffix: -some-suffix
+      commonLabels:
+        foo: bar
+      commonAnnotations:
+        beep: boop
      images:
      - gcr.io/heptio-images/ks-guestbook-demo:0.2
+      - my-app=gcr.io/my-repo/my-app:0.1

    # directory
    directory:
@@ -92,6 +97,12 @@ spec:
        - code: false
          name: foo
          value: bar
+      # Exclude contains a glob pattern to match paths against that should be explicitly excluded from being used during
+      # manifest generation. This takes precedence over the `include` field.
+      exclude: string
+      # Include contains a glob pattern to match paths against that should be explicitly included during manifest
+      # generation. If this field is set, only matching manifests will be included.
+      include: string

    # plugin specific config
    plugin:
--- a/docs/operator-manual/applicationset/Generators-Git.md
+++ b/docs/operator-manual/applicationset/Generators-Git.md
@@ -65,13 +65,15 @@ The generator parameters are:
 - `{{path.basename}}`: For any directory path within the Git repository that matches the `path` wildcard, the right-most path name is extracted (e.g. `/directory/directory2` would produce `directory2`).
 - `{{path.basenameNormalized}}`: This field is the same as `path.basename` with unsupported characters replaced with `-` (e.g. a `path` of `/directory/directory_2`, and `path.basename` of `directory_2` would produce `directory-2` here).

-Whenever a new Helm chart/Kustomize YAML/Application/plain subfolder is added to the Git repository, the ApplicationSet controller will detect this change and automatically deploy the resulting manifests within new `Application` resources.
+**Note**: The right-most path name always becomes `{{path.basename}}`. For example, for `- path: /one/two/three/four`, `{{path.basename}}` is `four`.
+
+Whenever a new Helm chart/Kustomize YAML/Application/plain subdirectory is added to the Git repository, the ApplicationSet controller will detect this change and automatically deploy the resulting manifests within new `Application` resources.

 As with other generators, clusters *must* already be defined within Argo CD, in order to generate Applications for them.

 ### Exclude directories

-The Git directory generator will automatically exclude folders that begin with `.` (such as `.git`).
+The Git directory generator will automatically exclude directories that begin with `.` (such as `.git`).

 The Git directory generator also supports an `exclude` option in order to exclude directories in the repository from being scanned by the ApplicationSet controller:

@@ -105,7 +107,7 @@ spec:
 ```
 (*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/examples/applicationset/git-generator-directory/excludes).*)

-This example excludes the `exclude-helm-guestbook` directory from the list of directories scanned for this `ApplictionSet` resource.
+This example excludes the `exclude-helm-guestbook` directory from the list of directories scanned for this `ApplicationSet` resource.

 !!! note "Exclude rules have higher priority than include rules"

@@ -205,7 +207,7 @@ Suppose you have a Git repository with the following directory structure:
 └── git-generator-files.yaml
 ```

-The folders are:
+The directories are:

 - `guestbook` contains the Kubernetes resources for a simple guestbook application
 - `cluster-config` contains JSON/YAML files describing the individual engineering clusters: one for `dev` and one for `prod`.
@@ -269,10 +271,16 @@ As with other generators, clusters *must* already be defined within Argo CD, in

 In addition to the flattened key/value pairs from the configuration file, the following generator parameters are provided:

- `{{path}}`: The path to the folder containing matching configuration file within the Git repository. Example: `/clusters/clusterA`, if the config file was `/clusters/clusterA/config.json`
+- `{{path}}`: The path to the directory containing matching configuration file within the Git repository. Example: `/clusters/clusterA`, if the config file was `/clusters/clusterA/config.json`
 - `{{path[n]}}`: The path to the matching configuration file within the Git repository, split into array elements (`n` - array index). Example: `path[0]: clusters`, `path[1]: clusterA`
- `{{path.basename}}`: Basename of the path to the folder containing the configuration file (e.g. `clusterA`, with the above example.)
+- `{{path.basename}}`: Basename of the path to the directory containing the configuration file (e.g. `clusterA`, with the above example.)
 - `{{path.basenameNormalized}}`: This field is the same as `path.basename` with unsupported characters replaced with `-` (e.g. a `path` of `/directory/directory_2`, and `path.basename` of `directory_2` would produce `directory-2` here).
+- `{{path.filename}}`: The matched filename. e.g., `config.json` in the above example.
+- `{{path.filenameNormalized}}`: The matched filename with unsupported characters replaced with `-`.
+
+**Note**: The right-most *directory* name always becomes `{{path.basename}}`. For example, from `- path: /one/two/three/four/config.json`, `{{path.basename}}` will be `four`. 
+The filename can always be accessed using `{{path.filename}}`. 
+

 ## Webhook Configuration

--- a/docs/operator-manual/applicationset/Generators-Matrix.md
+++ b/docs/operator-manual/applicationset/Generators-Matrix.md
@@ -107,32 +107,33 @@ Finally, the Matrix generator will combine both sets of outputs, and produce:
 ## Restrictions

 1. The Matrix generator currently only supports combining the outputs of only two child generators (eg does not support generating combinations for 3 or more).
+
 1. You should specify only a single generator per array entry, eg this is not valid:
-```yaml
- matrix:
-    generators:
-     - list: # (...)
-       git: # (...)
-```
+
+        - matrix:
+            generators:
+            - list: # (...)
+              git: # (...)
+
    - While this *will* be accepted by Kubernetes API validation, the controller will report an error on generation. Each generator should be specified in a separate array element, as in the examples above.
+
 1. The Matrix generator does not currently support [`template` overrides](Template.md#generator-templates) specified on child generators, eg this `template` will not be processed:
-```yaml
- matrix:
-    generators:
-      - list:
-          elements:
-            - # (...)
-          template: { } # Not processed
-```
+
+        - matrix:
+            generators:
+              - list:
+                  elements:
+                    - # (...)
+                  template: { } # Not processed
+
 1. Combination-type generators (matrix or merge) can only be nested once. For example, this will not work:
-```yaml
- matrix:
-    generators:
-      - matrix:
-          generators:
-            - matrix:  # This third level is invalid.
-                generators:
-                  - list:
-                      elements:
-                        - # (...)
-```
+
+        - matrix:
+            generators:
+              - matrix:
+                  generators:
+                    - matrix:  # This third level is invalid.
+                        generators:
+                          - list:
+                              elements:
+                                - # (...)
--- a/docs/operator-manual/applicationset/Generators-Merge.md
+++ b/docs/operator-manual/applicationset/Generators-Merge.md
@@ -114,31 +114,31 @@ When merged with the updated base parameters, the `values.redis` value for the p
 ## Restrictions

 1. You should specify only a single generator per array entry. This is not valid:
-```yaml
- merge:
-    generators:
-     - list: # (...)
-       git: # (...)
-```
+
+        - merge:
+            generators:
+            - list: # (...)
+              git: # (...)
+
    - While this *will* be accepted by Kubernetes API validation, the controller will report an error on generation. Each generator should be specified in a separate array element, as in the examples above.
+
 1. The Merge generator does not support [`template` overrides](Template.md#generator-templates) specified on child generators. This `template` will not be processed:
-```yaml
- merge:
-    generators:
-      - list:
-          elements:
-            - # (...)
-          template: { } # Not processed
-```
+
+        - merge:
+            generators:
+              - list:
+                  elements:
+                    - # (...)
+                  template: { } # Not processed
+
 1. Combination-type generators (Matrix or Merge) can only be nested once. For example, this will not work:
-```yaml
- merge:
-    generators:
-      - merge:
-          generators:
-            - merge:  # This third level is invalid.
-                generators:
-                  - list:
-                      elements:
-                        - # (...)
-```
+
+        - merge:
+            generators:
+              - merge:
+                  generators:
+                    - merge:  # This third level is invalid.
+                        generators:
+                          - list:
+                              elements:
+                                - # (...)
--- a/docs/operator-manual/applicationset/Generators-Pull-Request.md
+++ b/docs/operator-manual/applicationset/Generators-Pull-Request.md
@@ -47,7 +47,7 @@ spec:
        # Labels is used to filter the PRs that you want to target. (optional)
        labels:
        - preview
-  requeueAfterSeconds: 1800
+      requeueAfterSeconds: 1800
  template:
  # ...
 ```
@@ -83,7 +83,7 @@ spec:
          key: token
        # many gitea deployments use TLS, but many are self-hosted and self-signed certificates
        insecure: true
-  requeueAfterSeconds: 1800
+      requeueAfterSeconds: 1800
  template:
  # ...
 ```
--- a/docs/operator-manual/applicationset/Generators-SCM-Provider.md
+++ b/docs/operator-manual/applicationset/Generators-SCM-Provider.md
@@ -27,7 +27,7 @@ spec:

 ## GitHub

-The GitHub mode uses the GitHub API to scan and organization in either github.com or GitHub Enterprise.
+The GitHub mode uses the GitHub API to scan an organization in either github.com or GitHub Enterprise.

 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -76,7 +76,7 @@ spec:
      gitlab:
        # The base GitLab group to scan.  You can either use the group id or the full namespaced path.
        group: "8675309"
-        # For GitLab Enterprise:
+        # For self-hosted GitLab:
        api: https://gitlab.example.com/
        # If true, scan every branch of every repository. If false, scan only the default branch. Defaults to false.
        allBranches: true
@@ -91,7 +91,7 @@ spec:
 ```

 * `group`: Required name of the base GitLab group to scan. If you have multiple base groups, use multiple generators.
-* `api`: If using GitHub Enterprise, the URL to access it.
+* `api`: If using self-hosted GitLab, the URL to access it.
 * `allBranches`: By default (false) the template will only be evaluated for the default branch of each repo. If this is true, every branch of every repository will be passed to the filters. If using this flag, you likely want to use a `branchMatch` filter.
 * `includeSubgroups`: By default (false) the controller will only search for repos directly in the base group. If this is true, it will recurse through all the subgroups searching for repos to scan.
 * `tokenRef`: A `Secret` name and key containing the GitLab access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories.
--- a/docs/operator-manual/applicationset/Generators.md
+++ b/docs/operator-manual/applicationset/Generators.md
@@ -4,7 +4,7 @@ Generators are responsible for generating *parameters*, which are then rendered

 Generators are primarily based on the data source that they use to generate the template parameters. For example: the List generator provides a set of parameters from a *literal list*, the Cluster generator uses the *Argo CD cluster list* as a source, the Git generator uses files/directories from a *Git repository*, and so.

-As of this writing there are seven generators:
+As of this writing there are eight generators:

 - [List generator](Generators-List.md): The List generator allows you to target Argo CD Applications to clusters based on a fixed list of cluster name/URL values.
 - [Cluster generator](Generators-Cluster.md): The Cluster generator allows you to target Argo CD Applications to clusters, based on the list of clusters defined within (and managed by) Argo CD (which includes automatically responding to cluster addition/removal events from Argo CD).
--- a/docs/operator-manual/applicationset/Security.md
+++ b/docs/operator-manual/applicationset/Security.md
@@ -11,8 +11,8 @@ resources of Argo CD itself (like the RBAC ConfigMap).
 ApplicationSets can also quickly create an arbitrary number of Applications and just as quickly delete them.

 Finally, ApplicationSets can reveal privileged information. For example, the [git generator](./Generators-Git.md) can
-read Secrets in the Argo CD namespace and send them to arbitrary URLs as auth headers. (This functionality is intended
-for authorizing requests to SCM providers like GitHub, but it could be abused by a malicious user.)
+read Secrets in the Argo CD namespace and send them to arbitrary URLs (e.g. URL provided for the `api` field) as auth headers.
+(This functionality is intended for authorizing requests to SCM providers like GitHub, but it could be abused by a malicious user.)

 For these reasons, **only admins** may be given permission (via Kubernetes RBAC or any other mechanism) to create, 
 update, or delete ApplicationSets.
--- a/docs/operator-manual/argocd-cm.yaml
+++ b/docs/operator-manual/argocd-cm.yaml
@@ -36,9 +36,12 @@ data:
  help.chatUrl: "https://mycorp.slack.com/argo-cd"
  # the text for getting chat help, defaults to "Chat now!"
  help.chatText: "Chat now!"
-  # The URLs to download additional ArgoCD binaries (besides the Linux amd64 binary included by default)
+  # The URLs to download additional ArgoCD binaries (besides the Linux with current platform binary included by default)
  # for different OS architectures. If provided, additional download buttons will be displayed on the help page.
+  help.download.linux-amd64: "path-or-url-to-download"
  help.download.linux-arm64: "path-or-url-to-download"
+  help.download.linux-ppc64le: "path-or-url-to-download"
+  help.download.linux-s390x: "path-or-url-to-download"
  help.download.darwin-amd64: "path-or-url-to-download"
  help.download.darwin-arm64: "path-or-url-to-download"
  help.download.windows-amd64: "path-or-url-to-download"
@@ -231,6 +234,14 @@ data:
  # If omitted, Argo CD injects the app name into the label: 'app.kubernetes.io/instance'
  application.instanceLabelKey: mycompany.com/appname

+  # You can change the resource tracking method Argo CD uses by changing the
+  # setting application.resourceTrackingMethod to the desired method.
+  # The following methods are available:
+  # - label            : Uses the application.instanceLabelKey label for tracking
+  # - annotation       : Uses an annotation with additional metadata for tracking instead of the label
+  # - annotation+label : Also uses an annotation for tracking, but additionally labels the resource with the application name
+  application.resourceTrackingMethod: annotation
+
  # disables admin user. Admin is enabled by default
  admin.enabled: "false"
  # add an additional local user with apiKey and login capabilities
@@ -288,3 +299,12 @@ data:

  # exec.enabled indicates whether the UI exec feature is enabled. It is disabled by default.
  exec.enabled: "false"
+
+  # exec.shells restricts which shells are allowed for `exec`, and in which order they are attempted
+  exec.shells: "bash,sh,powershell,cmd"
+
+  # oidc.tls.insecure.skip.verify determines whether certificate verification is skipped when verifying tokens with the
+  # configured OIDC provider (either external or the bundled Dex instance). Setting this to "true" will cause JWT
+  # token verification to pass despite the OIDC provider having an invalid certificate. Only set to "true" if you
+  # understand the risks.
+  oidc.tls.insecure.skip.verify: "false"
--- a/docs/operator-manual/argocd-cmd-params-cm.yaml
+++ b/docs/operator-manual/argocd-cmd-params-cm.yaml
@@ -111,3 +111,5 @@ data:
  # for 300x memory expansion and N Applications running at the same time.
  # (example 10M max * 300 expansion * 10 Apps = 30G max theoretical memory usage).
  reposerver.max.combined.directory.manifests.size: '10M'
+  # Paths to be excluded from the tarball streamed to plugins. Separate with ;
+  reposerver.plugin.tar.exclusions: ""
--- a/docs/operator-manual/declarative-setup.md
+++ b/docs/operator-manual/declarative-setup.md
@@ -489,6 +489,7 @@ The secret data must include following fields:
 * `name` - cluster name
 * `server` - cluster api server url
 * `namespaces` - optional comma-separated list of namespaces which are accessible in that cluster. Cluster level resources would be ignored if namespace list is not empty.
+* `clusterResources` - optional boolean string (`"true"` or `"false"`) determining whether Argo CD can manage cluster-level resources on this cluster. This setting is used only if the list of managed namespaces is not empty.
 * `config` - JSON representation of following data structure:

 ```yaml
--- a/docs/operator-manual/high_availability.md
+++ b/docs/operator-manual/high_availability.md
@@ -119,7 +119,7 @@ If the manifest generation has no side effects then requests are processed in pa
  * **Multiple Helm based applications pointing to the same directory in one Git repository:** ensure that your Helm chart don't have conditional
 [dependencies](https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags) and create `.argocd-allow-concurrency` file in chart directory.

-  * **Multiple Custom plugin based applications:** avoid creating temporal files during manifest generation and create `.argocd-allow-concurrency` file in app directory.
+  * **Multiple Custom plugin based applications:** avoid creating temporal files during manifest generation and create `.argocd-allow-concurrency` file in app directory, or use the sidecar plugin option, which processes each application using a temporary copy of the repository.

  * **Multiple Kustomize applications in same repository with [parameter overrides](../user-guide/parameters.md):** sorry, no workaround for now.

--- a/docs/operator-manual/ingress.md
+++ b/docs/operator-manual/ingress.md
@@ -12,7 +12,7 @@ There are several ways how Ingress can be configured.

 The Ambassador Edge Stack can be used as a Kubernetes ingress controller with [automatic TLS termination](https://www.getambassador.io/docs/latest/topics/running/tls/#host) and routing capabilities for both the CLI and the UI.

-The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command. Given the `argocd` CLI includes the port number in the request `host` header, 2 Mappings are required.
+The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md). Given the `argocd` CLI includes the port number in the request `host` header, 2 Mappings are required.

 ### Option 1: Mapping CRD for Host-based Routing
 ```yaml
@@ -72,7 +72,7 @@ argocd login <host>:<port> --grpc-web-root-path /argo-cd
 ## [Contour](https://projectcontour.io/)
 The Contour ingress controller can terminate TLS ingress traffic at the edge.

-The Argo CD API server should be run with TLS disabled. Edit the `argocd-server` Deployment to add the `--insecure` flag to the argocd-server container command.
+The Argo CD API server should be run with TLS disabled. Edit the `argocd-server` Deployment to add the `--insecure` flag to the argocd-server container command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).

 It is also possible to provide an internal-only ingress path and an external-only ingress path by deploying two instances of Contour: one behind a private-subnet LoadBalancer service and one behind a public-subnet LoadBalancer service. The private Contour deployment will pick up Ingresses annotated with `kubernetes.io/ingress.class: contour-internal` and the public Contour deployment will pick up Ingresses annotated with `kubernetes.io/ingress.class: contour-external`.

@@ -164,20 +164,7 @@ spec:
 The argocd-server Service needs to be annotated with `projectcontour.io/upstream-protocol.h2c: "https,443"` to wire up the gRPC protocol proxying.

 The API server should then be run with TLS disabled. Edit the `argocd-server` deployment to add the
-`--insecure` flag to the argocd-server command:
-
-```yaml
-spec:
-  template:
-    spec:
-      containers:
-      - name: argocd-server
-        command:
-        - /argocd-server
-        - --repo-server
-        - argocd-repo-server:8081
-        - --insecure
-```
+`--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).

 ## [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx)

@@ -319,20 +306,7 @@ spec:
 ```

 The API server should then be run with TLS disabled. Edit the `argocd-server` deployment to add the
-`--insecure` flag to the argocd-server command:
-
-```yaml
-spec:
-  template:
-    spec:
-      containers:
-      - name: argocd-server
-        command:
-        - argocd-server
-        - --repo-server
-        - argocd-repo-server:8081
-        - --insecure
-```
+`--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).

 The obvious disadvantage to this approach is that this technique requires two separate hostnames for
 the API server -- one for gRPC and the other for HTTP/HTTPS. However it allows TLS termination to
@@ -345,7 +319,7 @@ Traefik can be used as an edge router and provide [TLS](https://docs.traefik.io/

 It currently has an advantage over NGINX in that it can terminate both TCP and HTTP connections _on the same port_ meaning you do not require multiple hosts or paths.

-The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command.
+The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command or set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).

 ### IngressRoute CRD
 ```yaml
@@ -455,26 +429,9 @@ If you need detail for all the options available for these Google integrations,

 ### Disable internal TLS

-First, to avoid internal redirection loops from HTTP to HTTPS, the API server should be run with TLS disabled. Edit the argocd-server deployment to add the --insecure flag to the argocd-server command. For this you can edit your resource live with `kubectl -n argocd edit deployments.apps argocd-server` or use a kustomize patch before installing Argo CD.
+First, to avoid internal redirection loops from HTTP to HTTPS, the API server should be run with TLS disabled.

-The container command should change from:
-```yaml
-      containers:
-      - command:
-        - argocd-server
-        - --staticassets
-        - /shared/app
-```
-
-To:
-```yaml
-      containers:
-      - command:
-        - argocd-server
-        - --insecure
-        - --staticassets
-        - /shared/app
-```
+Edit the `--insecure` flag in the `argocd-server` command of the argocd-server deployment, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).

 ### Creating a service

--- a/docs/operator-manual/installation.md
+++ b/docs/operator-manual/installation.md
@@ -32,7 +32,7 @@ Not recommended for production use. This type of installation is typically used
  > Note: Argo CD CRDs are not included into [namespace-install.yaml](https://github.com/argoproj/argo-cd/blob/master/manifests/namespace-install.yaml).
  > and have to be installed separately. The CRD manifests are located in the [manifests/crds](https://github.com/argoproj/argo-cd/blob/master/manifests/crds) directory.
  > Use the following command to install them:
-  > ```bash
+  > ```
  > kubectl apply -k https://github.com/argoproj/argo-cd/manifests/crds\?ref\=stable
  > ```

@@ -81,3 +81,20 @@ resources:

 The Argo CD can be installed using [Helm](https://helm.sh/). The Helm chart is currently community maintained and available at
 [argo-helm/charts/argo-cd](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd).
+
+## Supported versions
+
+Similar to the Kubernetes project, the supported versions of Argo CD at any given point in time are the latest patch releases for the N 
+and N - 1 minor versions.
+These Argo CD versions are supported on the same versions of Kubernetes that are supported by Kubernetes itself (normally the last 3 released versions).
+
+Essentially the Argo CD project follows the same support scheme as Kubernetes but for N, N-1 while Kubernetes supports N, N-1, N-2 versions.
+
+For example if the latest minor version of ArgoCD are 2.4.3 and 2.3.5  while supported Kubernetes versions are 1.24, 1.23 and 1.22 then the following combinations are supported:
+
+* Argo CD 2.4.3 on Kubernetes 1.24
+* Argo CD 2.4.3 on Kubernetes 1.23
+* Argo CD 2.4.3 on Kubernetes 1.22
+* Argo CD 2.3.5 on Kubernetes 1.24
+* Argo CD 2.3.5 on Kubernetes 1.23
+* Argo CD 2.3.5 on Kubernetes 1.22
--- a/docs/operator-manual/metrics.md
+++ b/docs/operator-manual/metrics.md
@@ -67,8 +67,10 @@ Scraped at the `argocd-server-metrics:8083/metrics` endpoint.
 | Metric | Type | Description |
 |--------|:----:|-------------|
 | `argocd_redis_request_duration` | histogram | Redis requests duration. |
-| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application reconciliation. |
-
+| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application
+reconciliation. |
+| `grpc_server_handled_total` | counter | Total number of RPCs completed on the server, regardless of success or failure. |
+| `grpc_server_msg_sent_total` | counter | Total number of gRPC stream messages sent by the server. |
 ## Repo Server Metrics
 Metrics about the Repo Server.
 Scraped at the `argocd-repo-server:8084/metrics` endpoint.
--- a/docs/operator-manual/project.yaml
+++ b/docs/operator-manual/project.yaml
@@ -64,3 +64,23 @@ spec:
    # anywhere by Argo CD. It can be prematurely revoked by removing the entry from this list.
    jwtTokens:
    - iat: 1535390316
+
+  # Sync windows restrict when Applications may be synced. https://argo-cd.readthedocs.io/en/stable/user-guide/sync_windows/
+  syncWindows:
+  - kind: allow
+    schedule: '10 1 * * *'
+    duration: 1h
+    applications:
+      - '*-prod'
+    manualSync: true
+  - kind: deny
+    schedule: '0 22 * * *'
+    duration: 1h
+    namespaces:
+      - default
+  - kind: allow
+    schedule: '0 23 * * *'
+    duration: 1h
+    clusters:
+      - in-cluster
+      - cluster1
--- a/docs/operator-manual/rbac.md
+++ b/docs/operator-manual/rbac.md
@@ -59,22 +59,7 @@ also use glob patterns in the action path: `action/*` (or regex patterns if you
 `exec` is a special resource. When enabled with the `create` action, this privilege allows a user to `exec` into Pods via 
 the Argo CD UI. The functionality is similar to `kubectl exec`.

-`exec` is a powerful privilege. It allows the user to run arbitrary code on any Pod managed by an Application for which
-they have `create` privileges. If the Pod mounts a ServiceAccount token (which is the default behavior of Kubernetes),
-then the user effectively has the same privileges as that ServiceAccount.
-
-The exec feature is disabled entirely by default. To enable it, set the `exec.enabled` key to "true" on the argocd-cm 
-ConfigMap. You will also need to add the following to the argocd-api-server Role (if you're using Argo CD in namespaced
-mode) or ClusterRole (if you're using Argo CD in cluster mode).
-
-```yaml
- apiGroups:
-  - ""
-  resources:
-  - pods/exec
-  verbs:
-  - create
-```
+See [Web-based Terminal](web_based_terminal.md) for more info.

 ## Tying It All Together

@@ -122,7 +107,7 @@ p, role:staging-db-admins, projects, get, staging-db-admins, allow
 g, db-admins, role:staging-db-admins
 ```

-This example defines a *role* called `staging-db-admins` with *eight permissions* that allow that role to perform the *actions* (`create`/`delete`/`get`/`override`/`sync`/`update` applications, `get` logs, `create` exec and `get` appprojects) against `*` (all) objects in the `staging-db-admins` Argo CD AppProject.
+This example defines a *role* called `staging-db-admins` with *nine permissions* that allow that role to perform the *actions* (`create`/`delete`/`get`/`override`/`sync`/`update` applications, `get` logs, `create` exec and `get` appprojects) against `*` (all) objects in the `staging-db-admins` Argo CD AppProject.

 ## Anonymous Access

--- a/docs/operator-manual/server-commands/argocd-repo-server.md
+++ b/docs/operator-manual/server-commands/argocd-repo-server.md
@@ -22,6 +22,7 @@ argocd-repo-server [flags]
      --metrics-port int                               Start metrics server on given port (default 8084)
      --otlp-address string                            OpenTelemetry collector address to send traces to
      --parallelismlimit int                           Limit on number of concurrent manifests generate requests. Any value less the 1 means no limit.
+      --plugin-tar-exclude stringArray                 Globs to filter when sending tarballs to plugins.
      --port int                                       Listen on given port for incoming connections (default 8081)
      --redis string                                   Redis server hostname and port (e.g. argocd-redis:6379). 
      --redis-ca-certificate string                    Path to Redis server CA certificate (e.g. /etc/certs/redis/ca.crt). If not specified, system trusted CAs will be used for server certificate validation.
--- a/docs/operator-manual/upgrading/2.1-2.2.md
+++ b/docs/operator-manual/upgrading/2.1-2.2.md
@@ -14,3 +14,76 @@ Note that bundled Helm has been upgraded from 3.6.0 to v3.7+. This includes foll
 - Experimental OCI support has been rewritten.

  More information in the [Helm v3.7.0 release notes](https://github.com/helm/helm/releases/tag/v3.7.0).
+
+## Support for private repo SSH keys using the SHA-1 signature hash algorithm is removed in 2.2.12
+
+Argo CD 2.2.12 upgraded its base image from Ubuntu 21.10 to Ubuntu 22.04, which upgraded OpenSSH to 8.9. OpenSSH starting
+with 8.8 [dropped support for the `ssh-rsa` SHA-1 key signature algorithm](https://www.openssh.com/txt/release-8.8).
+
+The signature algorithm is _not_ the same as the algorithm used when generating the key. There is no need to update
+keys.
+
+The signature algorithm is negotiated with the SSH server when the connection is being set up. The client offers its
+list of accepted signature algorithms, and if the server has a match, the connection proceeds. For most SSH servers on
+up-to-date git providers, acceptable algorithms other than `ssh-rsa` should be available.
+
+Before upgrading to Argo CD 2.2.12, check whether your git provider(s) using SSH authentication support algorithms newer
+than `rsa-ssh`.
+
+1. Make sure your version of SSH >= 8.9 (the version used by Argo CD). If not, upgrade it before proceeding.
+
+   ```shell
+   ssh -V
+   ```
+
+   Example output: `OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022`
+
+2. Once you have a recent version of OpenSSH, follow the directions from the [OpenSSH 8.8 release notes](https://www.openssh.com/txt/release-8.7):
+
+   > To check whether a server is using the weak ssh-rsa public key
+   > algorithm, for host authentication, try to connect to it after
+   > removing the ssh-rsa algorithm from ssh(1)'s allowed list:
+   >
+   > ```shell
+   > ssh -oHostKeyAlgorithms=-ssh-rsa user@host
+   > ```
+   >
+   > If the host key verification fails and no other supported host key
+   > types are available, the server software on that host should be
+   > upgraded.
+
+   If the server does not support an acceptable version, you will get an error similar to this;
+
+   ```
+   $ ssh -oHostKeyAlgorithms=-ssh-rsa vs-ssh.visualstudio.com
+   Unable to negotiate with 20.42.134.1 port 22: no matching host key type found. Their offer: ssh-rsa
+   ```
+
+   This indicates that the server needs to update its supported key signature algorithms, and Argo CD will not connect
+   to it.
+
+### Workaround
+
+The [OpenSSH 8.8 release notes](https://www.openssh.com/txt/release-8.8) describe a workaround if you cannot change the
+server's key signature algorithms configuration.
+
+> Incompatibility is more likely when connecting to older SSH
+> implementations that have not been upgraded or have not closely tracked
+> improvements in the SSH protocol. For these cases, it may be necessary
+> to selectively re-enable RSA/SHA1 to allow connection and/or user
+> authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
+> options. For example, the following stanza in ~/.ssh/config will enable
+> RSA/SHA1 for host and user authentication for a single destination host:
+>
+> ```
+> Host old-host
+>     HostkeyAlgorithms +ssh-rsa
+>     PubkeyAcceptedAlgorithms +ssh-rsa
+> ```
+>
+> We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
+> implementations can be upgraded or reconfigured with another key type
+> (such as ECDSA or Ed25519).
+
+To apply this to Argo CD, you could create a ConfigMap with the desired ssh config file and then mount it at
+`/home/argocd/.ssh/config`.
--- a/docs/operator-manual/upgrading/2.2-2.3.md
+++ b/docs/operator-manual/upgrading/2.2-2.3.md
@@ -46,3 +46,77 @@ Note that bundled Kustomize version has been upgraded from 4.2.0 to 4.4.1.
 ## Upgraded Helm Version

 Note that bundled Helm version has been upgraded from 3.7.1 to 3.8.0.
+
+## Support for private repo SSH keys using the SHA-1 signature hash algorithm is removed in 2.3.7
+
+Argo CD 2.3.7 upgraded its base image from Ubuntu 21.04 to Ubuntu 22.04, which upgraded OpenSSH to 8.9. OpenSSH starting
+with 8.8 [dropped support for the `ssh-rsa` SHA-1 key signature algorithm](https://www.openssh.com/txt/release-8.8).
+
+The signature algorithm is _not_ the same as the algorithm used when generating the key. There is no need to update
+keys.
+
+The signature algorithm is negotiated with the SSH server when the connection is being set up. The client offers its
+list of accepted signature algorithms, and if the server has a match, the connection proceeds. For most SSH servers on
+up-to-date git providers, acceptable algorithms other than `ssh-rsa` should be available.
+
+Before upgrading to Argo CD 2.3.7, check whether your git provider(s) using SSH authentication support algorithms newer
+than `rsa-ssh`.
+
+1. Make sure your version of SSH >= 8.9 (the version used by Argo CD). If not, upgrade it before proceeding.
+
+   ```shell
+   ssh -V
+   ```
+
+   Example output: `OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2 15 Mar 2022`
+
+2. Once you have a recent version of OpenSSH, follow the directions from the [OpenSSH 8.8 release notes](https://www.openssh.com/txt/release-8.7):
+
+   > To check whether a server is using the weak ssh-rsa public key
+   > algorithm, for host authentication, try to connect to it after
+   > removing the ssh-rsa algorithm from ssh(1)'s allowed list:
+   >
+   > ```shell
+   > ssh -oHostKeyAlgorithms=-ssh-rsa user@host
+   > ```
+   >
+   > If the host key verification fails and no other supported host key
+   > types are available, the server software on that host should be
+   > upgraded.
+
+   If the server does not support an acceptable version, you will get an error similar to this;
+
+   ```
+   $ ssh -oHostKeyAlgorithms=-ssh-rsa vs-ssh.visualstudio.com
+   Unable to negotiate with 20.42.134.1 port 22: no matching host key type found. Their offer: ssh-rsa
+   ```
+
+   This indicates that the server needs to update its supported key signature algorithms, and Argo CD will not connect
+   to it.
+
+### Workaround
+
+The [OpenSSH 8.8 release notes](https://www.openssh.com/txt/release-8.8) describe a workaround if you cannot change the
+server's key signature algorithms configuration.
+
+> Incompatibility is more likely when connecting to older SSH
+> implementations that have not been upgraded or have not closely tracked
+> improvements in the SSH protocol. For these cases, it may be necessary
+> to selectively re-enable RSA/SHA1 to allow connection and/or user
+> authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms
+> options. For example, the following stanza in ~/.ssh/config will enable
+> RSA/SHA1 for host and user authentication for a single destination host:
+>
+> ```
+> Host old-host
+>     HostkeyAlgorithms +ssh-rsa
+>     PubkeyAcceptedAlgorithms +ssh-rsa
+> ```
+>
+> We recommend enabling RSA/SHA1 only as a stopgap measure until legacy
+> implementations can be upgraded or reconfigured with another key type
+> (such as ECDSA or Ed25519).
+
+To apply this to Argo CD, you could create a ConfigMap with the desired ssh config file and then mount it at
+`/home/argocd/.ssh/config`.
+
--- a/docs/operator-manual/upgrading/2.3-2.4.md
+++ b/docs/operator-manual/upgrading/2.3-2.4.md
@@ -12,6 +12,8 @@ Helm 2 support was preserved in the Argo CD. We feel that Helm 3 is stable, and

 ## Support for private repo SSH keys using the SHA-1 signature hash algorithm is removed

+Note: this change was back-ported to 2.3.7 and 2.2.12.
+
 Argo CD 2.4 upgraded its base image from Ubuntu 20.04 to Ubuntu 22.04, which upgraded OpenSSH to 8.9. OpenSSH starting
 with 8.8 [dropped support for the `ssh-rsa` SHA-1 key signature algorithm](https://www.openssh.com/txt/release-8.8).

@@ -105,20 +107,26 @@ p, role:org-admin, *, create, my-proj/*, allow
 New:

 ```csv
-p, role: org-admin, clusters, create, my-proj/*, allow
-p, role: org-admin, projects, create, my-proj/*, allow
-p, role: org-admin, applications, create, my-proj/*, allow
-p, role: org-admin, repositories, create, my-proj/*, allow
-p, role: org-admin, certificates, create, my-proj/*, allow
-p, role: org-admin, accounts, create, my-proj/*, allow
-p, role: org-admin, gpgkeys, create, my-proj/*, allow
+p, role:org-admin, clusters, create, my-proj/*, allow
+p, role:org-admin, projects, create, my-proj/*, allow
+p, role:org-admin, applications, create, my-proj/*, allow
+p, role:org-admin, repositories, create, my-proj/*, allow
+p, role:org-admin, certificates, create, my-proj/*, allow
+p, role:org-admin, accounts, create, my-proj/*, allow
+p, role:org-admin, gpgkeys, create, my-proj/*, allow
 ```

 ## Enable logs RBAC enforcement

 2.4 introduced `logs` as a new RBAC resource. In 2.3, users with `applications, get` access automatically get logs
-access. In 2.5, you will have to explicitly grant `logs, get` access. Logs RBAC enforcement can be enabled with a flag
-in 2.4. We recommend enabling the flag now for an easier upgrade experience in 2.5.
+access. <del>In 2.5, you will have to explicitly grant `logs, get` access. Logs RBAC enforcement can be enabled with a flag
+in 2.4. We recommend enabling the flag now for an easier upgrade experience in 2.5.</del> 
+
+!!! important 
+    Logs RBAC enforcement **will not** be enabled by default in 2.5. This decision 
+    [was made](https://github.com/argoproj/argo-cd/issues/10551#issuecomment-1242303457) to avoid breaking logs access 
+    under [Project Roles](../../user-guide/projects.md#project-roles), which do not provide a mechanism to grant `logs`
+    resource access.

 To enabled logs RBAC enforcement, add this to your argocd-cm ConfigMap:

@@ -149,9 +157,13 @@ p, role:test-db-admins, applications, *, staging-db-admins/*, allow
 p, role:test-db-admins, logs, get, staging-db-admins/*, allow
 ```

-## Known UI issue
+### Pod Logs UI

-Currently, upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
+Since 2.4.9, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy.
+
+### Known pod logs UI issue prior to 2.4.9
+
+Upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.

 ## Test repo-server with its new dedicated Service Account

--- a/docs/operator-manual/user-management/index.md
+++ b/docs/operator-manual/user-management/index.md
@@ -197,6 +197,7 @@ NOTES:
 * There is no need to set `redirectURI` in the `connectors.config` as shown in the dex documentation.
  Argo CD will automatically use the correct `redirectURI` for any OAuth2 connectors, to match the
  correct external callback URL (e.g. `https://argocd.example.com/api/dex/callback`)
+* When using a custom secret (e.g., `some_K8S_secret` above,) it *must* have the label `app.kubernetes.io/part-of: argocd`.

 ## OIDC Configuration with DEX

@@ -230,7 +231,7 @@ data:

 ### Requesting additional ID token claims

-By default Dex only retrieves the profile and email scopes. In order to retrieve more more claims you
+By default Dex only retrieves the profile and email scopes. In order to retrieve more claims you
 can add them under the `scopes` entry in the Dex configuration. To enable group claims through Dex,
 `insecureEnableGroups` also needs to enabled. Group information is currently only refreshed at authentication
 time and support to refresh group information more dynamically can be tracked here: [dexidp/dex#1065](https://github.com/dexidp/dex/issues/1065).
@@ -495,3 +496,20 @@ data:
    clientSecret: $another-secret:oidc.auth0.clientSecret  # Mind the ':'
  ...
 ```
+
+### Skipping certificate verification on OIDC provider connections
+
+By default, all connections made by the API server to OIDC providers (either external providers or the bundled Dex
+instance) must pass certificate validation. These connections occur when getting the OIDC provider's well-known
+configuration, when getting the OIDC provider's keys, and  when exchanging an authorization code or verifying an ID 
+token as part of an OIDC login flow.
+
+Disabling certificate verification might make sense if:
+* You are using the bundled Dex instance **and** your Argo CD instance has TLS configured with a self-signed certificate
+  **and** you understand and accept the risks of skipping OIDC provider cert verification.
+* You are using an external OIDC provider **and** that provider uses an invalid certificate **and** you cannot solve
+  the problem by setting `oidcConfig.rootCA` **and** you understand and accept the risks of skipping OIDC provider cert 
+  verification.
+
+If either of those two applies, then you can disable OIDC provider certificate verification by setting
+`oidc.tls.insecure.skip.verify` to `"true"` in the `argocd-cm` ConfigMap.
--- a/docs/operator-manual/user-management/microsoft.md
+++ b/docs/operator-manual/user-management/microsoft.md
@@ -36,24 +36,24 @@
 1. Edit `argocd-cm` and add the following `dex.config` to the data section, replacing the `caData`, `my-argo-cd-url` and `my-login-url` your values from the Azure AD App:

            data:
-            url: https://my-argo-cd-url
-            dex.config: |
-               logger:
+              url: https://my-argo-cd-url
+              dex.config: |
+                logger:
                  level: debug
                  format: json
-               connectors:
-               - type: saml
+                connectors:
+                - type: saml
                  id: saml
                  name: saml
                  config:
-                  entityIssuer: https://my-argo-cd-url/api/dex/callback
-                  ssoURL: https://my-login-url (e.g. https://login.microsoftonline.com/xxxxx/a/saml2)
-                  caData: |
-                     MY-BASE64-ENCODED-CERTIFICATE-DATA
-                  redirectURI: https://my-argo-cd-url/api/dex/callback
-                  usernameAttr: email
-                  emailAttr: email
-                  groupsAttr: Group
+                    entityIssuer: https://my-argo-cd-url/api/dex/callback
+                    ssoURL: https://my-login-url (e.g. https://login.microsoftonline.com/xxxxx/a/saml2)
+                    caData: |
+                       MY-BASE64-ENCODED-CERTIFICATE-DATA
+                    redirectURI: https://my-argo-cd-url/api/dex/callback
+                    usernameAttr: email
+                    emailAttr: email
+                    groupsAttr: Group

 2. Edit `argocd-rbac-cm` to configure permissions, similar to example below.
      - Use Azure AD `Group IDs` for assigning roles.
@@ -169,7 +169,7 @@
               p, role:org-admin, repositories, update, *, allow
               p, role:org-admin, repositories, delete, *, allow
               g, "84ce98d1-e359-4f3b-85af-985b458de3c6", role:org-admin
-               scopes: '[roles, email]'
+            scopes: '[groups, email]'

   Refer to [operator-manual/argocd-rbac-cm.yaml](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml) for all of the available variables.

--- a/docs/operator-manual/web_based_terminal.md
+++ b/docs/operator-manual/web_based_terminal.md
@@ -0,0 +1,45 @@
+# Web-based Terminal
+
+![Argo CD Terminal](../assets/terminal.png)
+
+Since v2.4, Argo CD has a web-based terminal that allows you to get a shell inside a running pod just like you would with
+`kubectl exec`. It's basically SSH from your browser, full ANSI color support and all! However, for security this feature
+is disabled by default.
+
+This is a powerful privilege. It allows the user to run arbitrary code on any Pod managed by an Application for which
+they have the `exec/create` privilege. If the Pod mounts a ServiceAccount token (which is the default behavior of 
+Kubernetes), then the user effectively has the same privileges as that ServiceAccount.
+
+## Enabling the terminal
+
+1. Set the `exec.enabled` key to `"true"` on the `argocd-cm` ConfigMap.
+
+2. Patch the `argocd-server` Role (if using namespaced Argo) or ClusterRole (if using clustered Argo) to allow `argocd-server`
+to exec into pods
+```yaml
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+```
+
+3. Add RBAC rules to allow your users to `create` the `exec` resource, i.e.
+```
+p, role:myrole, exec, create, */*, allow
+```
+
+See [RBAC Configuration](rbac.md#exec-resource) for more info.
+
+## Changing allowed shells
+
+By default, Argo CD attempts to execute shells in this order:
+
+1. bash
+2. sh
+3. powershell
+4. cmd
+
+If none of the shells are found, the terminal session will fail. To add to or change the allowed shells, change the 
+`exec.shells` key in the `argocd-cm` ConfigMap, separating them with commas.
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -2,4 +2,5 @@ mkdocs==1.2.3
 mkdocs-material==7.1.7
 markdown_include==0.6.0
 pygments==2.7.4
-jinja2===3.0.3
+jinja2==3.0.3
+markdown==3.3.7
--- a/docs/user-guide/commands/argocd_login.md
+++ b/docs/user-guide/commands/argocd_login.md
@@ -29,6 +29,7 @@ argocd login cd.argoproj.io --core
  -h, --help              help for login
      --name string       name to use for the context
      --password string   the password of an account to authenticate
+      --skip-test-tls     Skip testing whether the server is configured with TLS (this can help when the command hangs for no apparent reason)
      --sso               perform SSO login
      --sso-port int      port to run local OAuth2 login application (default 8085)
      --username string   the username of an account to authenticate
--- a/docs/user-guide/config-management-plugins.md
+++ b/docs/user-guide/config-management-plugins.md
@@ -14,7 +14,7 @@ There are two ways to install a Config Management Plugin (CMP):
 1. Add the plugin config to the Argo CD ConfigMap. The repo-server container will run your plugin's commands.
   This is a good option for a simple plugin that requires only a few lines of code that fit nicely in the Argo CD ConfigMap.
 2. Add the plugin as a sidecar to the repo-server Pod.
-   This is a good option for a more complex plugin that would clutter the Argo CD ConfigMap.
+   This is a good option for a more complex plugin that would clutter the Argo CD ConfigMap. A copy of the repository is sent to the sidecar container as a tarball and processed individually per application, which makes it a good option for [concurrent processing of monorepos](../operator-manual/high_availability.md#enable-concurrent-processing).

 ### Option 1: Configure plugins via Argo CD configmap

@@ -234,3 +234,18 @@ If you don't need to set any environment variables, you can set an empty plugin
    Each CMP command will also independently timeout on the `ARGOCD_EXEC_TIMEOUT` set for the CMP sidecar. The default
    is 90s. So if you increase the repo server timeout greater than 90s, be sure to set `ARGOCD_EXEC_TIMEOUT` on the
    sidecar.
+
+## Plugin tar stream exclusions
+
+In order to increase the speed of manifest generation, certain files and folders can be excluded from being sent to your
+plugin. We recommend excluding your `.git` folder if it isn't necessary. Use Go's 
+[filepatch.Match](https://pkg.go.dev/path/filepath#Match) syntax.
+
+You can set it one of three ways:
+
+1. The `--plugin-tar-exclude` argument on the repo server.
+2. The `reposerver.plugin.tar.exclusions` key if you are using `argocd-cmd-params-cm`
+3. Directly setting `ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS` environment variable on the repo server.
+
+For option 1, the flag can be repeated multiple times. For option 2 and 3, you can specify multiple globs by separating
+them with semicolons.
--- a/docs/user-guide/diffing.md
+++ b/docs/user-guide/diffing.md
@@ -81,7 +81,7 @@ data:
    - '.webhooks[]?.clientConfig.caBundle'
 ```

-Resource customization can also be configured to ignore all differences made by a managedField.manager at the system level. The example bellow shows how to configure ArgoCD to ignore changes made by `kube-controller-manager` in `Deployment` resources.
+Resource customization can also be configured to ignore all differences made by a managedField.manager at the system level. The example bellow shows how to configure Argo CD to ignore changes made by `kube-controller-manager` in `Deployment` resources.

 ```yaml
 data:
@@ -90,7 +90,7 @@ data:
    - kube-controller-manager
 ```

-It is possible to configure ignoreDifferences to be applied to all resources in every Application managed by an ArgoCD instance. In order to do so, resource customizations can be configured like in the example bellow:
+It is possible to configure ignoreDifferences to be applied to all resources in every Application managed by an Argo CD instance. In order to do so, resource customizations can be configured like in the example bellow:

 ```yaml
 data:
@@ -116,11 +116,26 @@ data:

 By default `status` field is ignored during diffing for `CustomResourceDefinition` resource. The behavior can be extended to all resources using `all` value or disabled using `none`.

+### Ignoring RBAC changes made by AggregateRoles
+
+If you are using [Aggregated ClusterRoles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) and don't want Argo CD to detect the `rules` changes as drift, you can set `resource.compareoptions.ignoreAggregatedRoles: true`. Then Argo CD will no longer detect these changes as an event that requires syncing.
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+data:
+  resource.compareoptions: |
+    # disables status field diffing in specified resource types
+    ignoreAggregatedRoles: true
+```
+
 ## Known Kubernetes types in CRDs (Resource limits, Volume mounts etc)

 Some CRDs are re-using data structures defined in the Kubernetes source base and therefore inheriting custom
 JSON/YAML marshaling. Custom marshalers might serialize CRDs in a slightly different format that causes false
-positives during drift detection. 
+positives during drift detection.

 A typical example is the `argoproj.io/Rollout` CRD that re-using `core/v1/PodSpec` data structure. Pod resource requests
 might be reformatted by the custom marshaller of `IntOrString` data type:
@@ -140,7 +155,7 @@ resources:
 ```

 The solution is to specify which CRDs fields are using built-in Kubernetes types in the `resource.customizations`
-section of `argocd-cm` ConfigMap:  
+section of `argocd-cm` ConfigMap:

 ```yaml
 apiVersion: v1
--- a/docs/user-guide/kustomize.md
+++ b/docs/user-guide/kustomize.md
@@ -85,3 +85,22 @@ argocd app set <appName> --kustomize-version v3.5.4
 ## Build Environment

 Kustomize does not support parameters and therefore cannot support the standard [build environment](build-environment.md).
+
+## Kustomizing Helm charts
+
+It's possible to [render Helm charts with Kustomize](https://github.com/kubernetes-sigs/kustomize/blob/master/examples/chart.md).
+Doing so requires that you pass the `--enable-helm` flag to the `kustomize build` command.
+This flag is not part of the Kustomize options within Argo CD.
+If you would like to render Helm charts through Kustomize in an Argo CD application, you have two options:
+You can either create a [custom plugin](https://argo-cd.readthedocs.io/en/stable/user-guide/config-management-plugins/), or modify the `argocd-cm` ConfigMap to include the `--enable-helm` flag globally for all Kustomize applications:
+
+```
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+  namespace: argocd
+data:
+  kustomize.buildOptions: --enable-helm
+```
+
--- a/docs/user-guide/sync-options.md
+++ b/docs/user-guide/sync-options.md
@@ -1,6 +1,6 @@
 # Sync Options

-ArgoCD allows users to customize some aspects of how it syncs the desired state in the target cluster. Some Sync Options can defined as annotations in a specific resource. Most of the Sync Options are configured in the Application resource `spec.syncPolicy.syncOptions` attribute.
+Argo CD allows users to customize some aspects of how it syncs the desired state in the target cluster. Some Sync Options can defined as annotations in a specific resource. Most of the Sync Options are configured in the Application resource `spec.syncPolicy.syncOptions` attribute. Multiple Sync Options which are configured with the `argocd.argoproj.io/sync-options` annotation can be concatenated with a `,` in the annotation value; white spaces will be trimmed.

 Below you can find details about each available Sync Option:

@@ -187,3 +187,17 @@ spec:
 ```

 The example above shows how an ArgoCD Application can be configured so it will ignore the `spec.replicas` field from the desired state (git) during the sync stage. This is achieve by calculating and pre-patching the desired state before applying it in the cluster. Note that the `RespectIgnoreDifferences` sync option is only effective when the resource is already created in the cluster. If the Application is being created and no live state exists, the desired state is applied as-is.
+
+## Create Namespace
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  namespace: test
+spec:
+  syncPolicy:
+    syncOptions:
+    - CreateNamespace=true
+```
+The example above shows how an Argo CD Application can be configured so it will create namespaces for the Application resources if the namespaces don't exist already. Without this either declared in the Application manifest or passed in the cli via `--sync-option CreateNamespace=true`, the Application will fail to sync if the resources' namespaces do not exist.
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/miniredis v2.5.0+incompatible
 	github.com/alicebob/miniredis/v2 v2.14.2
-	github.com/argoproj/gitops-engine v0.7.0
+	github.com/argoproj/gitops-engine v0.7.3
 	github.com/argoproj/notifications-engine v0.3.1-0.20220430155844-567361917320
 	github.com/argoproj/pkg v0.11.1-0.20211203175135-36c59d8fafe0
 	github.com/aws/aws-sdk-go v1.38.49
@@ -17,7 +17,7 @@ require (
 	github.com/bradleyfalzon/ghinstallation/v2 v2.0.4
 	github.com/casbin/casbin/v2 v2.39.1
 	github.com/chai2010/gettext-go v0.0.0-20170215093142-bf70f2a70fb1 // indirect
-	github.com/coreos/go-oidc v2.1.0+incompatible
+	github.com/coreos/go-oidc v2.2.1+incompatible
 	github.com/dustin/go-humanize v1.0.0
 	github.com/evanphx/json-patch v4.12.0+incompatible
 	github.com/fsnotify/fsnotify v1.5.1
@@ -60,7 +60,7 @@ require (
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pkg/errors v0.9.1
-	github.com/pquerna/cachecontrol v0.0.0-20180306154005-525d0eb5f91d // indirect
+	github.com/pquerna/cachecontrol v0.1.0 // indirect
 	github.com/prometheus/client_golang v1.11.0
 	github.com/r3labs/diff v1.1.0
 	github.com/robfig/cron v1.2.0
@@ -76,10 +76,10 @@ require (
 	github.com/xanzy/go-gitlab v0.60.0
 	github.com/yuin/gopher-lua v0.0.0-20200816102855-ee81675732da
 	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
-	golang.org/x/net v0.0.0-20211209124913-491a49abca63
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
+	golang.org/x/net v0.0.0-20220621193019-9d032be2e588
+	golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa
 	google.golang.org/grpc v1.45.0
 	google.golang.org/protobuf v1.28.0
@@ -202,7 +202,7 @@ require (
 	go.starlark.net v0.0.0-20200306205701-8dd3e2ee1dd5 // indirect
 	golang.org/x/exp v0.0.0-20210901193431-a062eea981d2 // indirect
 	golang.org/x/mod v0.5.1-0.20210830214625-1b1db11ec8f4 // indirect
-	golang.org/x/sys v0.0.0-20211205182925-97ca703d548d // indirect
+	golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
 	golang.org/x/tools v0.1.6-0.20210820212750-d4cc65f0b2ff // indirect
@@ -214,7 +214,7 @@ require (
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/square/go-jose.v2 v2.2.2 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	k8s.io/apiserver v0.23.1
@@ -257,6 +257,9 @@ replace (
 	github.com/grpc-ecosystem/grpc-gateway => github.com/grpc-ecosystem/grpc-gateway v1.16.0
 	github.com/improbable-eng/grpc-web => github.com/improbable-eng/grpc-web v0.0.0-20181111100011-16092bd1d58a

+	// Avoid CVE-2022-28948
+	gopkg.in/yaml.v3 => gopkg.in/yaml.v3 v3.0.1
+
 	// https://github.com/kubernetes/kubernetes/issues/79384#issuecomment-505627280
 	k8s.io/api => k8s.io/api v0.23.1
 	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.23.1
--- a/go.sum
+++ b/go.sum
@@ -146,8 +146,8 @@ github.com/antonmedv/expr v1.8.9/go.mod h1:5qsM3oLGDND7sDmQGDXHkYfkjYMUX14qsgqmH
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/appscode/go v0.0.0-20190808133642-1d4ef1f1c1e0/go.mod h1:iy07dV61Z7QQdCKJCIvUoDL21u6AIceRhZzyleh2ymc=
-github.com/argoproj/gitops-engine v0.7.0 h1:X6W8VP9bWTe74wWxAV3i8KZ0yBmre5DU8g+GWH09FCo=
-github.com/argoproj/gitops-engine v0.7.0/go.mod h1:pRgVpLW7pZqf7n3COJ7UcDepk4cI61LAcJd64Q3Jq/c=
+github.com/argoproj/gitops-engine v0.7.3 h1:0ZlRTReAJG5Y1PviQ8ZIJq/+VowxWe2uFwoXqYcbtXU=
+github.com/argoproj/gitops-engine v0.7.3/go.mod h1:pRgVpLW7pZqf7n3COJ7UcDepk4cI61LAcJd64Q3Jq/c=
 github.com/argoproj/notifications-engine v0.3.1-0.20220430155844-567361917320 h1:XDjtTfccs4rSOT1n+i1zV9RpxQdKky1b4YBic16E0qY=
 github.com/argoproj/notifications-engine v0.3.1-0.20220430155844-567361917320/go.mod h1:R3zlopt+/juYlebQc9Jarn9vBQ2xZruWOWjUNkfGY9M=
 github.com/argoproj/pkg v0.11.1-0.20211203175135-36c59d8fafe0 h1:Cfp7rO/HpVxnwlRqJe0jHiBbZ77ZgXhB6HWlYD02Xdc=
@@ -254,8 +254,9 @@ github.com/coredns/corefile-migration v1.0.14/go.mod h1:XnhgULOEouimnzgn0t4WPuFD
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-oidc v2.1.0+incompatible h1:sdJrfw8akMnCuUlaZU3tE/uYXFgfqom8DBE9so9EBsM=
 github.com/coreos/go-oidc v2.1.0+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
+github.com/coreos/go-oidc v2.2.1+incompatible h1:mh48q/BqXqgjVHpy2ZY7WnWAbenxRjsz9N1i1YxjHAk=
+github.com/coreos/go-oidc v2.2.1+incompatible/go.mod h1:CgnwVTmzoESiwO9qyAFEMiHoZ1nMCKZlZ9V6mm3/LKc=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@@ -944,8 +945,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/posener/complete v1.2.3/go.mod h1:WZIdtGGp+qx0sLrYKtIRAruyNpv6hFCicSgv7Sy7s/s=
 github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
-github.com/pquerna/cachecontrol v0.0.0-20180306154005-525d0eb5f91d h1:7gXyC293Lsm2YWgQ+0uaAFFFDO82ruiQSwc3ua+Vtlc=
-github.com/pquerna/cachecontrol v0.0.0-20180306154005-525d0eb5f91d/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA=
+github.com/pquerna/cachecontrol v0.1.0 h1:yJMy84ti9h/+OEWa752kBTKv4XC30OtVVHYv/8cTqKc=
+github.com/pquerna/cachecontrol v0.1.0/go.mod h1:NrUG3Z7Rdu85UNR3vm7SOsl1nFIeSiQnrHV5K9mBcUI=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod h1:p2iRAGwDERtqlqzRXnrOVns+ignqQo//hLXqYxZYVNs=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
@@ -1343,8 +1344,10 @@ golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211209124913-491a49abca63 h1:iocB37TsdFuN6IBRZ+ry36wrkoV51/tl5vOWqkcPGvY=
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220621193019-9d032be2e588 h1:9ubFuySsnAJYGyJrZ3koiEv8FyqofCBdz3G9Mbf2YFc=
+golang.org/x/net v0.0.0-20220621193019-9d032be2e588/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/oauth2 v0.0.0-20180227000427-d7d64896b5ff/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1364,8 +1367,9 @@ golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 h1:RerP+noqYHUQ8CMRcPlC2nvTa4dcBIjegkuWdcUDuqg=
 golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb h1:8tDJ3aechhddbdPAxpycgXHJRMLpk/Ab+aa4OgdN5/g=
+golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1485,11 +1489,14 @@ golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211205182925-97ca703d548d h1:FjkYO/PPp4Wi0EAUOVLxePm7qVW4r4ctbWpURyuOD0E=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b h1:9zKuko04nR4gjZ4+DNjHqRlAJqbJETHwiNKDqTfOjfE=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1789,8 +1796,9 @@ gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/mgo.v2 v2.0.0-20180705113604-9856a29383ce/go.mod h1:yeKp02qBN3iKW1OzL3MGk2IdtZzaj7SFntXj72NppTA=
 gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
-gopkg.in/square/go-jose.v2 v2.2.2 h1:orlkJ3myw8CN1nVQHBFfloD+L3egixIa4FvUP6RosSA=
 gopkg.in/square/go-jose.v2 v2.2.2/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
+gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
+gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.1/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
@@ -1806,10 +1814,8 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
-gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
-gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
 gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
--- a/manifests/base/dex/argocd-dex-server-deployment.yaml
+++ b/manifests/base/dex/argocd-dex-server-deployment.yaml
@@ -35,7 +35,7 @@ spec:
          runAsNonRoot: true
      containers:
      - name: dex
-        image: ghcr.io/dexidp/dex:v2.30.2
+        image: ghcr.io/dexidp/dex:v2.35.0-distroless
        imagePullPolicy: Always
        command: [/shared/argocd-dex, rundex]
        securityContext:
--- a/manifests/base/kustomization.yaml
+++ b/manifests/base/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v2.4.2
+  newTag: v2.4.13
 resources:
 - ./application-controller
 - ./dex
--- a/manifests/base/redis/argocd-redis-deployment.yaml
+++ b/manifests/base/redis/argocd-redis-deployment.yaml
@@ -21,7 +21,7 @@ spec:
      serviceAccountName: argocd-redis        
      containers:
      - name: redis
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: Always
        args:
        - "--save"
--- a/manifests/base/repo-server/argocd-repo-server-deployment.yaml
+++ b/manifests/base/repo-server/argocd-repo-server-deployment.yaml
@@ -107,6 +107,12 @@ spec:
                name: argocd-cmd-params-cm
                key: reposerver.max.combined.directory.manifests.size
                optional: true
+          - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: reposerver.plugin.tar.exclusions
+                optional: true
          - name: HELM_CACHE_HOME
            value: /helm-working-dir
          - name: HELM_CONFIG_HOME
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
@@ -9385,7 +9385,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -9465,7 +9465,7 @@ spec:
        - ""
        - --appendonly
        - "no"
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: Always
        name: redis
        ports:
@@ -9603,13 +9603,19 @@ spec:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.plugin.tar.exclusions
+              name: argocd-cmd-params-cm
+              optional: true
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -9658,7 +9664,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -9845,7 +9851,7 @@ spec:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
--- a/manifests/core-install/kustomization.yaml
+++ b/manifests/core-install/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v2.4.2
+  newTag: v2.4.13
--- a/manifests/ha/base/kustomization.yaml
+++ b/manifests/ha/base/kustomization.yaml
@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v2.4.2
+  newTag: v2.4.13
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller
--- a/manifests/ha/base/redis-ha/chart/upstream.yaml
+++ b/manifests/ha/base/redis-ha/chart/upstream.yaml
@@ -770,7 +770,7 @@ spec:
              topologyKey: kubernetes.io/hostname
      initContainers:
      - name: config-init
-        image: haproxy:2.0.25-alpine
+        image: haproxy:2.0.29-alpine
        imagePullPolicy: IfNotPresent
        resources:
          {}
@@ -790,7 +790,7 @@ spec:
        runAsUser: 1000
      containers:
      - name: haproxy
-        image: haproxy:2.0.25-alpine
+        image: haproxy:2.0.29-alpine
        imagePullPolicy: IfNotPresent
        livenessProbe:
          httpGet:
@@ -878,7 +878,7 @@ spec:
      automountServiceAccountToken: false
      initContainers:
      - name: config-init
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: IfNotPresent
        resources:
          {}
@@ -906,7 +906,7 @@ spec:

      containers:
      - name: redis
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: IfNotPresent
        command:
        - redis-server
@@ -947,7 +947,7 @@ spec:
        lifecycle:
          {}
      - name: sentinel
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: IfNotPresent
        command:
          - redis-sentinel
--- a/manifests/ha/base/redis-ha/chart/values.yaml
+++ b/manifests/ha/base/redis-ha/chart/values.yaml
@@ -9,12 +9,12 @@ redis-ha:
  haproxy:
    enabled: true
    image:
-      tag: 2.0.25-alpine
+      tag: 2.0.29-alpine
    timeout:
      server: 6m
      client: 6m
    checkInterval: 3s
  image:
-    tag: 7.0.0-alpine
+    tag: 7.0.4-alpine
  sentinel:
    bind: "0.0.0.0"
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@@ -10320,7 +10320,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -10392,7 +10392,7 @@ spec:
      - command:
        - /shared/argocd-dex
        - rundex
-        image: ghcr.io/dexidp/dex:v2.30.2
+        image: ghcr.io/dexidp/dex:v2.35.0-distroless
        imagePullPolicy: Always
        name: dex
        ports:
@@ -10417,7 +10417,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -10457,7 +10457,7 @@ spec:
      containers:
      - command:
        - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -10526,7 +10526,7 @@ spec:
                app.kubernetes.io/name: argocd-redis-ha-haproxy
            topologyKey: kubernetes.io/hostname
      containers:
-      - image: haproxy:2.0.25-alpine
+      - image: haproxy:2.0.29-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -10555,7 +10555,7 @@ spec:
        - /readonly/haproxy_init.sh
        command:
        - sh
-        image: haproxy:2.0.25-alpine
+        image: haproxy:2.0.29-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        volumeMounts:
@@ -10702,13 +10702,19 @@ spec:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.plugin.tar.exclusions
+              name: argocd-cmd-params-cm
+              optional: true
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -10757,7 +10763,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -11004,7 +11010,7 @@ spec:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -11212,7 +11218,7 @@ spec:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -11293,7 +11299,7 @@ spec:
        - /data/conf/redis.conf
        command:
        - redis-server
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -11331,7 +11337,7 @@ spec:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -11377,7 +11383,7 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        volumeMounts:
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@@ -1244,7 +1244,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -1316,7 +1316,7 @@ spec:
      - command:
        - /shared/argocd-dex
        - rundex
-        image: ghcr.io/dexidp/dex:v2.30.2
+        image: ghcr.io/dexidp/dex:v2.35.0-distroless
        imagePullPolicy: Always
        name: dex
        ports:
@@ -1341,7 +1341,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -1381,7 +1381,7 @@ spec:
      containers:
      - command:
        - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -1450,7 +1450,7 @@ spec:
                app.kubernetes.io/name: argocd-redis-ha-haproxy
            topologyKey: kubernetes.io/hostname
      containers:
-      - image: haproxy:2.0.25-alpine
+      - image: haproxy:2.0.29-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -1479,7 +1479,7 @@ spec:
        - /readonly/haproxy_init.sh
        command:
        - sh
-        image: haproxy:2.0.25-alpine
+        image: haproxy:2.0.29-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        volumeMounts:
@@ -1626,13 +1626,19 @@ spec:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.plugin.tar.exclusions
+              name: argocd-cmd-params-cm
+              optional: true
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -1681,7 +1687,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -1928,7 +1934,7 @@ spec:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -2136,7 +2142,7 @@ spec:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -2217,7 +2223,7 @@ spec:
        - /data/conf/redis.conf
        command:
        - redis-server
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -2255,7 +2261,7 @@ spec:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -2301,7 +2307,7 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        volumeMounts:
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -9692,7 +9692,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -9764,7 +9764,7 @@ spec:
      - command:
        - /shared/argocd-dex
        - rundex
-        image: ghcr.io/dexidp/dex:v2.30.2
+        image: ghcr.io/dexidp/dex:v2.35.0-distroless
        imagePullPolicy: Always
        name: dex
        ports:
@@ -9789,7 +9789,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -9829,7 +9829,7 @@ spec:
      containers:
      - command:
        - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -9904,7 +9904,7 @@ spec:
        - ""
        - --appendonly
        - "no"
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: Always
        name: redis
        ports:
@@ -10042,13 +10042,19 @@ spec:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.plugin.tar.exclusions
+              name: argocd-cmd-params-cm
+              optional: true
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -10097,7 +10103,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -10340,7 +10346,7 @@ spec:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -10542,7 +10548,7 @@ spec:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -616,7 +616,7 @@ spec:
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -688,7 +688,7 @@ spec:
      - command:
        - /shared/argocd-dex
        - rundex
-        image: ghcr.io/dexidp/dex:v2.30.2
+        image: ghcr.io/dexidp/dex:v2.35.0-distroless
        imagePullPolicy: Always
        name: dex
        ports:
@@ -713,7 +713,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -753,7 +753,7 @@ spec:
      containers:
      - command:
        - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -828,7 +828,7 @@ spec:
        - ""
        - --appendonly
        - "no"
-        image: redis:7.0.0-alpine
+        image: redis:7.0.4-alpine
        imagePullPolicy: Always
        name: redis
        ports:
@@ -966,13 +966,19 @@ spec:
              key: reposerver.max.combined.directory.manifests.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_PLUGIN_TAR_EXCLUSIONS
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.plugin.tar.exclusions
+              name: argocd-cmd-params-cm
+              optional: true
        - name: HELM_CACHE_HOME
          value: /helm-working-dir
        - name: HELM_CONFIG_HOME
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -1021,7 +1027,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -1264,7 +1270,7 @@ spec:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -1466,7 +1472,7 @@ spec:
              key: otlp.address
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.4.2
+        image: quay.io/argoproj/argocd:v2.4.13
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -44,6 +44,7 @@ nav:
  - operator-manual/custom_tools.md
  - operator-manual/custom-styles.md
  - operator-manual/metrics.md
+  - operator-manual/web_based_terminal.md
  - Notification:
    - Overview: operator-manual/notifications/index.md
    - operator-manual/notifications/triggers.md
@@ -160,6 +161,7 @@ nav:
  - developer-guide/releasing.md
  - developer-guide/site.md
  - developer-guide/static-code-analysis.md
+  - developer-guide/ui-extensions.md
  - developer-guide/faq.md
 - faq.md
 - security_considerations.md
--- a/pkg/apis/application/v1alpha1/repository_types.go
+++ b/pkg/apis/application/v1alpha1/repository_types.go
@@ -195,30 +195,40 @@ func (repo *Repository) GetHelmCreds() helm.Creds {
 }

 func getCAPath(repoURL string) string {
-	hostname := ""
+	// For git ssh protocol url without ssh://, url.Parse() will fail to parse.
+	// However, no warn log is output since ssh scheme url is a possible format.
+	if ok, _ := git.IsSSHURL(repoURL); ok {
+		return ""
+	}

+	hostname := ""
 	// url.Parse() will happily parse most things thrown at it. When the URL
 	// is either https or oci, we use the parsed hostname to receive the cert,
 	// otherwise we'll use the parsed path (OCI repos are often specified as
 	// hostname, without protocol).
-	if parsedURL, err := url.Parse(repoURL); err == nil {
-		if parsedURL.Scheme == "https" || parsedURL.Scheme == "oci" {
-			hostname = parsedURL.Host
-		} else if parsedURL.Scheme == "" {
-			hostname = parsedURL.Path
-		}
-	} else {
+	parsedURL, err := url.Parse(repoURL)
+	if err != nil {
 		log.Warnf("Could not parse repo URL '%s': %v", repoURL, err)
+		return ""
+	}
+	if parsedURL.Scheme == "https" || parsedURL.Scheme == "oci" {
+		hostname = parsedURL.Host
+	} else if parsedURL.Scheme == "" {
+		hostname = parsedURL.Path
 	}

-	if hostname != "" {
-		if caPath, err := cert.GetCertBundlePathForRepository(hostname); err == nil {
-			return caPath
-		} else {
-			log.Warnf("Could not get cert bundle path for repository '%s': %v", repoURL, err)
-		}
+	if hostname == "" {
+		log.Warnf("Could not get hostname for repository '%s'", repoURL)
+		return ""
 	}
-	return ""
+
+	caPath, err := cert.GetCertBundlePathForRepository(hostname)
+	if err != nil {
+		log.Warnf("Could not get cert bundle path for repository '%s': %v", repoURL, err)
+		return ""
+	}
+
+	return caPath
 }

 // CopySettingsFrom copies all repository settings from source to receiver
--- a/pkg/apis/application/v1alpha1/types.go
+++ b/pkg/apis/application/v1alpha1/types.go
@@ -1542,6 +1542,19 @@ func isValidAction(action string) bool {
 	return false
 }

+// TODO: same as validActions, refacotor to use rbacpolicy.ResourceApplications etc.
+var validResources = map[string]bool{
+	"applications": true,
+	"repositories": true,
+	"clusters":     true,
+	"exec":         true,
+	"logs":         true,
+}
+
+func isValidResource(resource string) bool {
+	return validResources[resource]
+}
+
 func validatePolicy(proj string, role string, policy string) error {
 	policyComponents := strings.Split(policy, ",")
 	if len(policyComponents) != 6 || strings.Trim(policyComponents[0], " ") != "p" {
@@ -1555,7 +1568,7 @@ func validatePolicy(proj string, role string, policy string) error {
 	}
 	// resource
 	resource := strings.Trim(policyComponents[2], " ")
-	if resource != "applications" && resource != "repositories" && resource != "clusters" {
+	if !isValidResource(resource) {
 		return status.Errorf(codes.InvalidArgument, "invalid policy rule '%s': project resource must be: 'applications', 'repositories' or 'clusters', not '%s'", policy, resource)
 	}
 	// action
--- a/pkg/apis/application/v1alpha1/types_test.go
+++ b/pkg/apis/application/v1alpha1/types_test.go
@@ -2546,10 +2546,19 @@ func Test_validatePolicy_projIsNotRegex(t *testing.T) {
 }

 func Test_validatePolicy_ValidResource(t *testing.T) {
-	err := validatePolicy("some-project", "org-admin", "p, proj:some-project:org-admin, repositories, *, some-project/*, allow")
+	err := validatePolicy("some-project", "org-admin", "p, proj:some-project:org-admin, applications, *, some-project/*, allow")
+	assert.NoError(t, err)
+	err = validatePolicy("some-project", "org-admin", "p, proj:some-project:org-admin, repositories, *, some-project/*, allow")
 	assert.NoError(t, err)
 	err = validatePolicy("some-project", "org-admin", "p, proj:some-project:org-admin, clusters, *, some-project/*, allow")
 	assert.NoError(t, err)
+	err = validatePolicy("some-project", "org-admin", "p, proj:some-project:org-admin, exec, *, some-project/*, allow")
+	assert.NoError(t, err)
+	err = validatePolicy("some-project", "org-admin", "p, proj:some-project:org-admin, logs, *, some-project/*, allow")
+	assert.NoError(t, err)
+	err = validatePolicy("some-project", "org-admin", "p, proj:some-project:org-admin, unknown, *, some-project/*, allow")
+	assert.Error(t, err)
+
 }

 func TestEnvsubst(t *testing.T) {
@@ -2619,6 +2628,7 @@ func TestGetCAPath(t *testing.T) {
 		"oci://bar.example.com",
 		"bar.example.com",
 		"ssh://foo.example.com",
+		"git@example.com:organization/reponame.git",
 		"/some/invalid/thing",
 		"../another/invalid/thing",
 		"./also/invalid",
--- a/reposerver/repository/repository.go
+++ b/reposerver/repository/repository.go
@@ -103,6 +103,7 @@ type RepoServerInitConstants struct {
 	PauseGenerationOnFailureForRequests          int
 	SubmoduleEnabled                             bool
 	MaxCombinedDirectoryManifestsSize            resource.Quantity
+	CMPTarExcludedGlobs                          []string
 }

 // NewService returns a new instance of the Manifest service
@@ -213,7 +214,7 @@ func (s *Service) ListApps(ctx context.Context, q *apiclient.ListAppsRequest) (*
 	}

 	defer io.Close(closer)
-	apps, err := discovery.Discover(ctx, gitClient.Root(), q.EnabledSourceTypes)
+	apps, err := discovery.Discover(ctx, gitClient.Root(), q.EnabledSourceTypes, s.initConstants.CMPTarExcludedGlobs)
 	if err != nil {
 		return nil, err
 	}
@@ -457,10 +458,15 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA,
 		close(ch.errCh)
 		close(ch.responseCh)
 	}()
+
+	// GenerateManifests mutates the source (applies overrides). Those overrides shouldn't be reflected in the cache
+	// key. Overrides will break the cache anyway, because changes to overrides will change the revision.
+	appSourceCopy := q.ApplicationSource.DeepCopy()
+
 	var manifestGenResult *apiclient.ManifestResponse
 	opContext, err := opContextSrc()
 	if err == nil {
-		manifestGenResult, err = GenerateManifests(ctx, opContext.appPath, repoRoot, commitSHA, q, false, s.gitCredsStore, s.initConstants.MaxCombinedDirectoryManifestsSize, WithCMPTarDoneChannel(ch.tarDoneCh))
+		manifestGenResult, err = GenerateManifests(ctx, opContext.appPath, repoRoot, commitSHA, q, false, s.gitCredsStore, s.initConstants.MaxCombinedDirectoryManifestsSize, WithCMPTarDoneChannel(ch.tarDoneCh), WithCMPTarExcludedGlobs(s.initConstants.CMPTarExcludedGlobs))
 	}
 	if err != nil {
 		// If manifest generation error caching is enabled
@@ -469,9 +475,9 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA,
 			// Retrieve a new copy (if available) of the cached response: this ensures we are updating the latest copy of the cache,
 			// rather than a copy of the cache that occurred before (a potentially lengthy) manifest generation.
 			innerRes := &cache.CachedManifestResponse{}
-			cacheErr := s.cache.GetManifests(cacheKey, q.ApplicationSource, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, innerRes)
+			cacheErr := s.cache.GetManifests(cacheKey, appSourceCopy, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, innerRes)
 			if cacheErr != nil && cacheErr != reposervercache.ErrCacheMiss {
-				log.Warnf("manifest cache set error %s: %v", q.ApplicationSource.String(), cacheErr)
+				log.Warnf("manifest cache set error %s: %v", appSourceCopy.String(), cacheErr)
 				ch.errCh <- cacheErr
 				return
 			}
@@ -485,9 +491,9 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA,
 			// Update the cache to include failure information
 			innerRes.NumberOfConsecutiveFailures++
 			innerRes.MostRecentError = err.Error()
-			cacheErr = s.cache.SetManifests(cacheKey, q.ApplicationSource, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, innerRes)
+			cacheErr = s.cache.SetManifests(cacheKey, appSourceCopy, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, innerRes)
 			if cacheErr != nil {
-				log.Warnf("manifest cache set error %s: %v", q.ApplicationSource.String(), cacheErr)
+				log.Warnf("manifest cache set error %s: %v", appSourceCopy.String(), cacheErr)
 				ch.errCh <- cacheErr
 				return
 			}
@@ -506,9 +512,9 @@ func (s *Service) runManifestGenAsync(ctx context.Context, repoRoot, commitSHA,
 	}
 	manifestGenResult.Revision = commitSHA
 	manifestGenResult.VerifyResult = opContext.verificationResult
-	err = s.cache.SetManifests(cacheKey, q.ApplicationSource, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, &manifestGenCacheEntry)
+	err = s.cache.SetManifests(cacheKey, appSourceCopy, q, q.Namespace, q.TrackingMethod, q.AppLabelKey, q.AppName, &manifestGenCacheEntry)
 	if err != nil {
-		log.Warnf("manifest cache set error %s/%s: %v", q.ApplicationSource.String(), cacheKey, err)
+		log.Warnf("manifest cache set error %s/%s: %v", appSourceCopy.String(), cacheKey, err)
 	}
 	ch.responseCh <- manifestGenCacheEntry.ManifestResponse
 }
@@ -853,7 +859,8 @@ func getRepoCredential(repoCredentials []*v1alpha1.RepoCreds, repoURL string) *v

 type GenerateManifestOpt func(*generateManifestOpt)
 type generateManifestOpt struct {
-	cmpTarDoneCh chan<- bool
+	cmpTarDoneCh        chan<- bool
+	cmpTarExcludedGlobs []string
 }

 func newGenerateManifestOpt(opts ...GenerateManifestOpt) *generateManifestOpt {
@@ -873,14 +880,23 @@ func WithCMPTarDoneChannel(ch chan<- bool) GenerateManifestOpt {
 	}
 }

-// GenerateManifests generates manifests from a path
+// WithCMPTarExcludedGlobs defines globs for files to filter out when streaming the tarball
+// to a CMP sidecar.
+func WithCMPTarExcludedGlobs(excludedGlobs []string) GenerateManifestOpt {
+	return func(o *generateManifestOpt) {
+		o.cmpTarExcludedGlobs = excludedGlobs
+	}
+}
+
+// GenerateManifests generates manifests from a path. Overrides are applied as a side effect on the given ApplicationSource.
 func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string, q *apiclient.ManifestRequest, isLocal bool, gitCredsStore git.CredsStore, maxCombinedManifestQuantity resource.Quantity, opts ...GenerateManifestOpt) (*apiclient.ManifestResponse, error) {
 	opt := newGenerateManifestOpt(opts...)
 	var targetObjs []*unstructured.Unstructured
 	var dest *v1alpha1.ApplicationDestination

 	resourceTracking := argo.NewResourceTracking()
-	appSourceType, err := GetAppSourceType(ctx, q.ApplicationSource, appPath, q.AppName, q.EnabledSourceTypes)
+
+	appSourceType, err := GetAppSourceType(ctx, q.ApplicationSource, appPath, q.AppName, q.EnabledSourceTypes, opt.cmpTarExcludedGlobs)
 	if err != nil {
 		return nil, err
 	}
@@ -904,7 +920,7 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string,
 		if q.ApplicationSource.Plugin != nil && q.ApplicationSource.Plugin.Name != "" {
 			targetObjs, err = runConfigManagementPlugin(appPath, repoRoot, env, q, q.Repo.GetGitCreds(gitCredsStore))
 		} else {
-			targetObjs, err = runConfigManagementPluginSidecars(ctx, appPath, repoRoot, env, q, q.Repo.GetGitCreds(gitCredsStore), opt.cmpTarDoneCh)
+			targetObjs, err = runConfigManagementPluginSidecars(ctx, appPath, repoRoot, env, q, q.Repo.GetGitCreds(gitCredsStore), opt.cmpTarDoneCh, opt.cmpTarExcludedGlobs)
 			if err != nil {
 				err = fmt.Errorf("plugin sidecar failed. %s", err.Error())
 			}
@@ -923,6 +939,10 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string,

 	manifests := make([]string, 0)
 	for _, obj := range targetObjs {
+		if obj == nil {
+			continue
+		}
+
 		var targets []*unstructured.Unstructured
 		if obj.IsList() {
 			err = obj.EachListItem(func(object runtime.Object) error {
@@ -992,7 +1012,7 @@ func mergeSourceParameters(source *v1alpha1.ApplicationSource, path, appName str
 		overrides = append(overrides, filepath.Join(path, fmt.Sprintf(appSourceFile, appName)))
 	}

-	var merged v1alpha1.ApplicationSource = *source.DeepCopy()
+	var merged = *source.DeepCopy()

 	for _, filename := range overrides {
 		info, err := os.Stat(filename)
@@ -1038,7 +1058,7 @@ func mergeSourceParameters(source *v1alpha1.ApplicationSource, path, appName str
 }

 // GetAppSourceType returns explicit application source type or examines a directory and determines its application source type
-func GetAppSourceType(ctx context.Context, source *v1alpha1.ApplicationSource, path, appName string, enableGenerateManifests map[string]bool) (v1alpha1.ApplicationSourceType, error) {
+func GetAppSourceType(ctx context.Context, source *v1alpha1.ApplicationSource, path, appName string, enableGenerateManifests map[string]bool, tarExcludedGlobs []string) (v1alpha1.ApplicationSourceType, error) {
 	err := mergeSourceParameters(source, path, appName)
 	if err != nil {
 		return "", fmt.Errorf("error while parsing source parameters: %v", err)
@@ -1055,7 +1075,7 @@ func GetAppSourceType(ctx context.Context, source *v1alpha1.ApplicationSource, p
 		}
 		return *appSourceType, nil
 	}
-	appType, err := discovery.AppType(ctx, path, enableGenerateManifests)
+	appType, err := discovery.AppType(ctx, path, enableGenerateManifests, tarExcludedGlobs)
 	if err != nil {
 		return "", err
 	}
@@ -1459,7 +1479,7 @@ func getPluginEnvs(envVars *v1alpha1.Env, q *apiclient.ManifestRequest, creds gi
 	return env, nil
 }

-func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath string, envVars *v1alpha1.Env, q *apiclient.ManifestRequest, creds git.Creds, tarDoneCh chan<- bool) ([]*unstructured.Unstructured, error) {
+func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath string, envVars *v1alpha1.Env, q *apiclient.ManifestRequest, creds git.Creds, tarDoneCh chan<- bool, tarExcludedGlobs []string) ([]*unstructured.Unstructured, error) {
 	// compute variables.
 	env, err := getPluginEnvs(envVars, q, creds, true)
 	if err != nil {
@@ -1467,14 +1487,14 @@ func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath st
 	}

 	// detect config management plugin server (sidecar)
-	conn, cmpClient, err := discovery.DetectConfigManagementPlugin(ctx, appPath, env)
+	conn, cmpClient, err := discovery.DetectConfigManagementPlugin(ctx, appPath, env, tarExcludedGlobs)
 	if err != nil {
 		return nil, err
 	}
 	defer io.Close(conn)

 	// generate manifests using commands provided in plugin config file in detected cmp-server sidecar
-	cmpManifests, err := generateManifestsCMP(ctx, appPath, repoPath, env, cmpClient, tarDoneCh)
+	cmpManifests, err := generateManifestsCMP(ctx, appPath, repoPath, env, cmpClient, tarDoneCh, tarExcludedGlobs)
 	if err != nil {
 		return nil, fmt.Errorf("error generating manifests in cmp: %s", err)
 	}
@@ -1492,7 +1512,7 @@ func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath st
 // generateManifestsCMP will send the appPath files to the cmp-server over a gRPC stream.
 // The cmp-server will generate the manifests. Returns a response object with the generated
 // manifests.
-func generateManifestsCMP(ctx context.Context, appPath, repoPath string, env []string, cmpClient pluginclient.ConfigManagementPluginServiceClient, tarDoneCh chan<- bool) (*pluginclient.ManifestResponse, error) {
+func generateManifestsCMP(ctx context.Context, appPath, repoPath string, env []string, cmpClient pluginclient.ConfigManagementPluginServiceClient, tarDoneCh chan<- bool, tarExcludedGlobs []string) (*pluginclient.ManifestResponse, error) {
 	generateManifestStream, err := cmpClient.GenerateManifest(ctx, grpc_retry.Disable())
 	if err != nil {
 		return nil, fmt.Errorf("error getting generateManifestStream: %s", err)
@@ -1500,7 +1520,7 @@ func generateManifestsCMP(ctx context.Context, appPath, repoPath string, env []s
 	opts := []cmp.SenderOption{
 		cmp.WithTarDoneChan(tarDoneCh),
 	}
-	err = cmp.SendRepoStream(generateManifestStream.Context(), appPath, repoPath, generateManifestStream, env, opts...)
+	err = cmp.SendRepoStream(generateManifestStream.Context(), appPath, repoPath, generateManifestStream, env, tarExcludedGlobs, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("error sending file to cmp-server: %s", err)
 	}
@@ -1518,7 +1538,7 @@ func (s *Service) GetAppDetails(ctx context.Context, q *apiclient.RepoServerAppD
 			return err
 		}

-		appSourceType, err := GetAppSourceType(ctx, q.Source, opContext.appPath, q.AppName, q.EnabledSourceTypes)
+		appSourceType, err := GetAppSourceType(ctx, q.Source, opContext.appPath, q.AppName, q.EnabledSourceTypes, s.initConstants.CMPTarExcludedGlobs)
 		if err != nil {
 			return err
 		}
@@ -1633,7 +1653,7 @@ func loadFileIntoIfExists(path pathutil.ResolvedFilePath, destination *string) e
 	info, err := os.Stat(stringPath)

 	if err == nil && !info.IsDir() {
-		bytes, err := ioutil.ReadFile(stringPath);
+		bytes, err := ioutil.ReadFile(stringPath)
 		if err != nil {
 			return err
 		}
--- a/reposerver/repository/repository_test.go
+++ b/reposerver/repository/repository_test.go
@@ -133,6 +133,31 @@ func newServiceWithCommitSHA(root, revision string) *Service {
 	return service
 }

+// createSymlink creates a symlink with name linkName to file destName in
+// workingDir
+func createSymlink(t *testing.T, workingDir, destName, linkName string) error {
+	oldWorkingDir, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+	if workingDir != "" {
+		err = os.Chdir(workingDir)
+		if err != nil {
+			return err
+		}
+		defer func() {
+			if err := os.Chdir(oldWorkingDir); err != nil {
+				t.Fatal(err.Error())
+			}
+		}()
+	}
+	err = os.Symlink(destName, linkName)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 func TestGenerateYamlManifestInDir(t *testing.T) {
 	service := newService("../..")

@@ -1049,15 +1074,15 @@ func TestGenerateNullList(t *testing.T) {
 }

 func TestIdentifyAppSourceTypeByAppDirWithKustomizations(t *testing.T) {
-	sourceType, err := GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/kustomization_yaml", "testapp", map[string]bool{})
+	sourceType, err := GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/kustomization_yaml", "testapp", map[string]bool{}, []string{})
 	assert.Nil(t, err)
 	assert.Equal(t, argoappv1.ApplicationSourceTypeKustomize, sourceType)

-	sourceType, err = GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/kustomization_yml", "testapp", map[string]bool{})
+	sourceType, err = GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/kustomization_yml", "testapp", map[string]bool{}, []string{})
 	assert.Nil(t, err)
 	assert.Equal(t, argoappv1.ApplicationSourceTypeKustomize, sourceType)

-	sourceType, err = GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/Kustomization", "testapp", map[string]bool{})
+	sourceType, err = GetAppSourceType(context.Background(), &argoappv1.ApplicationSource{}, "./testdata/Kustomization", "testapp", map[string]bool{}, []string{})
 	assert.Nil(t, err)
 	assert.Equal(t, argoappv1.ApplicationSourceTypeKustomize, sourceType)
 }
@@ -1122,19 +1147,20 @@ func TestListApps(t *testing.T) {
 	assert.NoError(t, err)

 	expectedApps := map[string]string{
-		"Kustomization":                  "Kustomize",
-		"app-parameters/multi":           "Kustomize",
-		"app-parameters/single-app-only": "Kustomize",
-		"app-parameters/single-global":   "Kustomize",
-		"invalid-helm":                   "Helm",
-		"in-bounds-values-file-link":     "Helm",
-		"invalid-kustomize":              "Kustomize",
-		"kustomization_yaml":             "Kustomize",
-		"kustomization_yml":              "Kustomize",
-		"my-chart":                       "Helm",
-		"my-chart-2":                     "Helm",
-		"out-of-bounds-values-file-link": "Helm",
-		"values-files":                   "Helm",
+		"Kustomization":                     "Kustomize",
+		"app-parameters/multi":              "Kustomize",
+		"app-parameters/single-app-only":    "Kustomize",
+		"app-parameters/single-global":      "Kustomize",
+		"app-parameters/single-global-helm": "Helm",
+		"invalid-helm":                      "Helm",
+		"in-bounds-values-file-link":        "Helm",
+		"invalid-kustomize":                 "Kustomize",
+		"kustomization_yaml":                "Kustomize",
+		"kustomization_yml":                 "Kustomize",
+		"my-chart":                          "Helm",
+		"my-chart-2":                        "Helm",
+		"out-of-bounds-values-file-link":    "Helm",
+		"values-files":                      "Helm",
 	}
 	assert.Equal(t, expectedApps, res.Apps)
 }
@@ -1486,6 +1512,35 @@ func TestGenerateManifestsWithAppParameterFile(t *testing.T) {
 		})
 	})

+	t.Run("Single global override Helm", func(t *testing.T) {
+		runWithTempTestdata(t, "single-global-helm", func(t *testing.T, path string) {
+			service := newService(".")
+			manifests, err := service.GenerateManifest(context.Background(), &apiclient.ManifestRequest{
+				Repo: &argoappv1.Repository{},
+				ApplicationSource: &argoappv1.ApplicationSource{
+					Path: path,
+				},
+			})
+			require.NoError(t, err)
+			resourceByKindName := make(map[string]*unstructured.Unstructured)
+			for _, manifest := range manifests.Manifests {
+				var un unstructured.Unstructured
+				err := yaml.Unmarshal([]byte(manifest), &un)
+				if !assert.NoError(t, err) {
+					return
+				}
+				resourceByKindName[fmt.Sprintf("%s/%s", un.GetKind(), un.GetName())] = &un
+			}
+			deployment, ok := resourceByKindName["Deployment/guestbook-ui"]
+			require.True(t, ok)
+			containers, ok, _ := unstructured.NestedSlice(deployment.Object, "spec", "template", "spec", "containers")
+			require.True(t, ok)
+			image, ok, _ := unstructured.NestedString(containers[0].(map[string]interface{}), "image")
+			require.True(t, ok)
+			assert.Equal(t, "gcr.io/heptio-images/ks-guestbook-demo:0.2", image)
+		})
+	})
+
 	t.Run("Application specific override", func(t *testing.T) {
 		service := newService(".")
 		runWithTempTestdata(t, "single-app-only", func(t *testing.T, path string) {
@@ -1545,6 +1600,28 @@ func TestGenerateManifestsWithAppParameterFile(t *testing.T) {
 			assert.Equal(t, "gcr.io/heptio-images/ks-guestbook-demo:0.1", image)
 		})
 	})
+
+	t.Run("Override info does not appear in cache key", func(t *testing.T) {
+		service := newService(".")
+		runWithTempTestdata(t, "single-global", func(t *testing.T, path string) {
+			source := &argoappv1.ApplicationSource{
+				Path: path,
+			}
+			sourceCopy := source.DeepCopy() // make a copy in case GenerateManifest mutates it.
+			_, err := service.GenerateManifest(context.Background(), &apiclient.ManifestRequest{
+				Repo:              &argoappv1.Repository{},
+				ApplicationSource: sourceCopy,
+				AppName:           "test",
+			})
+			assert.NoError(t, err)
+			res := &cache.CachedManifestResponse{}
+			// Try to pull from the cache with a `source` that does not include any overrides. Overrides should not be
+			// part of the cache key, because you can't get the overrides without a repo operation. And avoiding repo
+			// operations is the point of the cache.
+			err = service.cache.GetManifests(mock.Anything, source, &argoappv1.ClusterInfo{}, "", "", "", "test", res)
+			assert.NoError(t, err)
+		})
+	})
 }

 func TestGenerateManifestWithAnnotatedAndRegularGitTagHashes(t *testing.T) {
@@ -1956,7 +2033,12 @@ func Test_getPotentiallyValidManifests(t *testing.T) {
 	})

 	t.Run("circular link should throw an error", func(t *testing.T) {
-		require.DirExists(t, "./testdata/circular-link")
+		const testDir = "./testdata/circular-link"
+		require.DirExists(t, testDir)
+		require.NoError(t, createSymlink(t, testDir, "a.json", "b.json"))
+		defer os.Remove(path.Join(testDir, "a.json"))
+		require.NoError(t, createSymlink(t, testDir, "b.json", "a.json"))
+		defer os.Remove(path.Join(testDir, "b.json"))
 		manifests, err := getPotentiallyValidManifests(logCtx, "./testdata/circular-link", "./testdata/circular-link", false, "", "", resource.MustParse("0"))
 		assert.Empty(t, manifests)
 		assert.Error(t, err)
@@ -2051,7 +2133,12 @@ func Test_findManifests(t *testing.T) {
 	})

 	t.Run("circular link should throw an error", func(t *testing.T) {
-		require.DirExists(t, "./testdata/circular-link")
+		const testDir = "./testdata/circular-link"
+		require.DirExists(t, testDir)
+		require.NoError(t, createSymlink(t, testDir, "a.json", "b.json"))
+		defer os.Remove(path.Join(testDir, "a.json"))
+		require.NoError(t, createSymlink(t, testDir, "b.json", "a.json"))
+		defer os.Remove(path.Join(testDir, "b.json"))
 		manifests, err := findManifests(logCtx, "./testdata/circular-link", "./testdata/circular-link", nil, noRecurse, nil, resource.MustParse("0"))
 		assert.Empty(t, manifests)
 		assert.Error(t, err)
--- a/reposerver/repository/testdata/app-parameters/single-global-helm/.argocd-source.yaml
+++ b/reposerver/repository/testdata/app-parameters/single-global-helm/.argocd-source.yaml
@@ -0,0 +1,4 @@
+helm:
+  parameters:
+    - name: image.tag
+      value: '0.2'
--- a/reposerver/repository/testdata/app-parameters/single-global-helm/Chart.yaml
+++ b/reposerver/repository/testdata/app-parameters/single-global-helm/Chart.yaml
@@ -0,0 +1,2 @@
+name: my-chart
+version: 1.1.0
--- a/reposerver/repository/testdata/app-parameters/single-global-helm/templates/deployment.yaml
+++ b/reposerver/repository/testdata/app-parameters/single-global-helm/templates/deployment.yaml
@@ -0,0 +1,18 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: guestbook-ui
+spec:
+  selector:
+    matchLabels:
+      app: guestbook-ui
+  template:
+    metadata:
+      labels:
+        app: guestbook-ui
+    spec:
+      containers:
+        - image: gcr.io/heptio-images/ks-guestbook-demo:{{.Values.image.tag}}
+          name: guestbook-ui
+          ports:
+            - containerPort: 81
--- a/reposerver/repository/testdata/app-parameters/single-global-helm/values.yaml
+++ b/reposerver/repository/testdata/app-parameters/single-global-helm/values.yaml
@@ -0,0 +1,2 @@
+image:
+  tag: 0.1
--- a/reposerver/repository/testdata/circular-link/.keep
+++ b/reposerver/repository/testdata/circular-link/.keep
--- a/reposerver/repository/testdata/circular-link/a.json
+++ b/reposerver/repository/testdata/circular-link/a.json
@@ -1 +0,0 @@
-b.json
--- a/reposerver/repository/testdata/circular-link/b.json
+++ b/reposerver/repository/testdata/circular-link/b.json
@@ -1 +0,0 @@
-a.json
--- a/reposerver/repository/testdata/jsonnet/guestbook-ui.jsonnet
+++ b/reposerver/repository/testdata/jsonnet/guestbook-ui.jsonnet
@@ -43,4 +43,5 @@ function(tlaString, tlaCode)
        },
      },
    },
+    null,
  ]
--- a/reposerver/server.go
+++ b/reposerver/server.go
@@ -3,10 +3,11 @@ package reposerver
 import (
 	"crypto/tls"
 	"fmt"
-	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"os"
 	"path/filepath"

+	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
+
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpc_logrus "github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus"
 	grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
@@ -15,6 +16,7 @@ import (
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/health"
 	"google.golang.org/grpc/health/grpc_health_v1"
+	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/reflection"

 	"github.com/argoproj/argo-cd/v2/common"
@@ -86,6 +88,11 @@ func NewServer(metricsServer *metrics.MetricsServer, cache *reposervercache.Cach
 		grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(streamInterceptors...)),
 		grpc.MaxRecvMsgSize(apiclient.MaxGRPCMessageSize),
 		grpc.MaxSendMsgSize(apiclient.MaxGRPCMessageSize),
+		grpc.KeepaliveEnforcementPolicy(
+			keepalive.EnforcementPolicy{
+				MinTime: common.GRPCKeepAliveEnforcementMinimum,
+			},
+		),
 	}

 	// We do allow for non-TLS servers to be created, in case of mTLS will be
--- a/resource_customizations/apps.openshift.io/DeploymentConfig/health.lua
+++ b/resource_customizations/apps.openshift.io/DeploymentConfig/health.lua
@@ -3,7 +3,7 @@ if obj.status ~= nil then
  if obj.status.conditions ~= nil and obj.status.replicas ~= nil then
    numTrue = 0
    for i, condition in pairs(obj.status.conditions) do
-      if (condition.type == "Available" or condition.type == "Progressing") and condition.status == "True" then
+      if (condition.type == "Available" or (condition.type == "Progressing" and condition.reason == "NewReplicationControllerAvailable")) and condition.status == "True" then
        numTrue = numTrue + 1
      end
    end
--- a/resource_customizations/apps.openshift.io/DeploymentConfig/health_test.yaml
+++ b/resource_customizations/apps.openshift.io/DeploymentConfig/health_test.yaml
@@ -3,6 +3,10 @@ tests:
    status: Progressing
    message: "replication controller is waiting for pods to run"
  inputPath: testdata/progressing.yaml
+- healthStatus:
+    status: Progressing
+    message: "replication controller is waiting for pods to run"
+  inputPath: testdata/progressing_rc_updated.yaml
 - healthStatus:
    status: Degraded
    message: "Deployment config is degraded"
--- a/resource_customizations/apps.openshift.io/DeploymentConfig/testdata/progressing_rc_updated.yaml
+++ b/resource_customizations/apps.openshift.io/DeploymentConfig/testdata/progressing_rc_updated.yaml
@@ -0,0 +1,66 @@
+kind: DeploymentConfig
+apiVersion: apps.openshift.io/v1
+metadata:
+  name: example
+  namespace: default
+spec:
+  strategy:
+    type: Rolling
+    rollingParams:
+      updatePeriodSeconds: 1
+      intervalSeconds: 1
+      timeoutSeconds: 600
+      maxUnavailable: 25%
+      maxSurge: 25%
+    resources: {}
+    activeDeadlineSeconds: 21600
+  triggers:
+    - type: ConfigChange
+  replicas: 3
+  revisionHistoryLimit: 10
+  test: false
+  selector:
+    app: httpd
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: httpd
+    spec:
+      containers:
+        - name: httpd
+          image: >-
+            image-registry.openshift-image-registry.svc:5000/openshift/httpd:latest
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+          resources: {}
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          imagePullPolicy: Always
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst
+      securityContext: {}
+      schedulerName: default-scheduler
+status:
+  observedGeneration: 1
+  details:
+    message: config change
+    causes:
+      - type: ConfigChange
+  availableReplicas: 3
+  conditions:
+    - type: Available
+      status: 'True'
+      lastUpdateTime: '2021-08-25T23:48:29Z'
+      lastTransitionTime: '2021-08-25T23:48:29Z'
+      message: Deployment config has minimum availability.
+    - type: Progressing
+      status: 'True'
+      lastUpdateTime: '2021-08-25T23:48:29Z'
+      lastTransitionTime: '2021-08-25T23:48:15Z'
+      reason: ReplicationControllerUpdated
+      message: replication controller "example-1" is progressing
+  replicas: 3
+  readyReplicas: 3
--- a/resource_customizations/operators.coreos.com/Subscription/health.lua
+++ b/resource_customizations/operators.coreos.com/Subscription/health.lua
@@ -8,7 +8,9 @@ if obj.status ~= nil then
      msg = msg .. i .. ": " .. condition.type .. " | " .. condition.status .. "\n"
      if condition.type == "InstallPlanPending" and condition.status == "True" then
        numPending = numPending + 1
-      elseif (condition.type == "CatalogSourcesUnhealthy" or condition.type == "InstallPlanMissing" or condition.type == "InstallPlanFailed" or condition.type == "ResolutionFailed") and condition.status == "True" then
+      elseif (condition.type == "InstallPlanMissing" and condition.reason ~= "ReferencedInstallPlanNotFound") then
+        numDegraded = numDegraded + 1
+      elseif (condition.type == "CatalogSourcesUnhealthy" or condition.type == "InstallPlanFailed" or condition.type == "ResolutionFailed") and condition.status == "True" then
        numDegraded = numDegraded + 1
      end
    end
--- a/resource_customizations/operators.coreos.com/Subscription/health_test.yaml
+++ b/resource_customizations/operators.coreos.com/Subscription/health_test.yaml
@@ -8,7 +8,7 @@ tests:
    message: "1: CatalogSourcesUnhealthy | True\n"
  inputPath: testdata/catalog_sources_unhealthy.yaml
 - healthStatus:
-    status: Degraded
+    status: Healthy
    message: "1: CatalogSourcesUnhealthy | False\n2: InstallPlanMissing | True\n"
  inputPath: testdata/install_plan_missing.yaml
 - healthStatus:
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .4.2
 .4.13