Bump version to 2.5.22

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

.github/workflows/ci-build.yaml

@@ -9,10 +9,11 @@ on:
   pull_request:
     branches:
       - 'master'
+      - 'release-*'
 
 env:
   # Golang version to use across CI steps
-  GOLANG_VERSION: '1.18'
+  GOLANG_VERSION: '1.19'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -27,9 +28,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -45,13 +46,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -69,9 +70,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Run golangci-lint
@@ -92,11 +93,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -116,7 +117,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -159,11 +160,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -183,7 +184,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -214,9 +215,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -262,14 +263,14 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup NodeJS
         uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: '12.18.4'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -299,12 +300,12 @@ jobs:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -378,9 +379,9 @@ jobs:
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
@@ -398,7 +399,7 @@ jobs:
           sudo chown runner $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -424,9 +425,9 @@ jobs:
           git config --global user.email "john.doe@example.com"
       - name: Pull Docker image required for tests
         run: |
-          docker pull ghcr.io/dexidp/dex:v2.35.3
+          docker pull ghcr.io/dexidp/dex:v2.37.0
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.8-alpine
+          docker pull redis:7.0.11-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist

.github/workflows/codeql.yml

@@ -5,6 +5,7 @@ on:
     # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
     branches-ignore:
       - 'dependabot/**'
+      - 'cherry-pick-*'
   pull_request:
   schedule:
     - cron: '0 19 * * 0'
@@ -29,7 +30,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
       
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/image.yaml

@@ -10,7 +10,7 @@ on:
     types: [ labeled, unlabeled, opened, synchronize, reopened ]
 
 env:
-  GOLANG_VERSION: '1.18'
+  GOLANG_VERSION: '1.19'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -28,10 +28,10 @@ jobs:
     env:
       GOPATH: /home/runner/work/argo-cd/argo-cd
     steps:
-      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           path: src/github.com/argoproj/argo-cd
 

.github/workflows/release.yaml

@@ -12,7 +12,7 @@ on:
       - "!release-v0*"
 
 env:
-  GOLANG_VERSION: '1.18'
+  GOLANG_VERSION: '1.19'
 
 permissions:
   contents: read
@@ -43,7 +43,7 @@ jobs:
       GIT_EMAIL: argoproj@gmail.com
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -147,7 +147,7 @@ jobs:
           echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
 
       - name: Setup Golang
-        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
@@ -266,6 +266,14 @@ jobs:
           body: ${{ steps.release-notes.outputs.content }}
         if: ${{ env.DRY_RUN == 'true' }}
 
+      # Based on this suggestion: https://github.com/actions/runner-images/issues/2840#issuecomment-1284059930
+      - name: Free Up Disk Space
+        id: free-up-disk-space
+        run: |
+          df -h
+          sudo rm -rf /usr/share/dotnet
+          df -h
+
       - name: Generate SBOM (spdx)
         id: spdx-builder
         env:

.github/workflows/update-snyk.yaml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Build reports

Dockerfile

@@ -4,7 +4,7 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.18 AS builder
+FROM docker.io/library/golang:1.19 AS builder
 
 RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
 
@@ -99,7 +99,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.18 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.19 AS argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 

USERS.md

@@ -21,6 +21,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Arctiq Inc.](https://www.arctiq.ca)
 1. [ARZ Allgemeines Rechenzentrum GmbH](https://www.arz.at/)
 1. [Axual B.V.](https://axual.com)
+1. [Back Market](https://www.backmarket.com)
 1. [Baloise](https://www.baloise.com)
 1. [BCDevExchange DevOps Platform](https://bcdevexchange.org/DevOpsPlatform)
 1. [Beat](https://thebeat.co/en/)
@@ -79,6 +80,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [gloat](https://gloat.com/)
 1. [GLOBIS](https://globis.com)
 1. [Glovo](https://www.glovoapp.com)
+1. [GlueOps](https://glueops.dev)
 1. [GMETRI](https://gmetri.com/)
 1. [Gojek](https://www.gojek.io/)
 1. [Greenpass](https://www.greenpass.com.br/)
@@ -186,6 +188,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
 1. [Skit](https://skit.ai/)
 1. [Skyscanner](https://www.skyscanner.net/)
+1. [Smart Pension](https://www.smartpension.co.uk/)
 1. [Smilee.io](https://smilee.io)
 1. [Snapp](https://snapp.ir/)
 1. [Snyk](https://snyk.io/)
@@ -222,6 +225,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [ungleich.ch](https://ungleich.ch/)
 1. [Unifonic Inc](https://www.unifonic.com/)
 1. [Universidad Mesoamericana](https://www.umes.edu.gt/)
+1. [Urbantz](https://urbantz.com/)
 1. [Viaduct](https://www.viaduct.ai/)
 1. [Virtuo](https://www.govirtuo.com/)
 1. [VISITS Technologies](https://visits.world/en)

VERSION

@@ -1 +1 @@
-2.5.14
+2.5.22

applicationset/controllers/clustereventhandler.go

@@ -2,6 +2,7 @@ package controllers
 
 import (
 	"context"
+	"fmt"
 
 	log "github.com/sirupsen/logrus"
 
@@ -46,7 +47,6 @@ type addRateLimitingInterface interface {
 }
 
 func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingInterface, object client.Object) {
-
 	// Check for label, lookup all ApplicationSets that might match the cluster, queue them all
 	if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
 		return
@@ -73,6 +73,40 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 				foundClusterGenerator = true
 				break
 			}
+
+			if generator.Matrix != nil {
+				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Matrix.Generators)
+				if err != nil {
+					h.Log.
+						WithFields(log.Fields{
+							"namespace": appSet.GetNamespace(),
+							"name":      appSet.GetName(),
+						}).
+						WithError(err).
+						Error("Unable to check if ApplicationSet matrix generators have cluster generator")
+				}
+				if ok {
+					foundClusterGenerator = true
+					break
+				}
+			}
+
+			if generator.Merge != nil {
+				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Merge.Generators)
+				if err != nil {
+					h.Log.
+						WithFields(log.Fields{
+							"namespace": appSet.GetNamespace(),
+							"name":      appSet.GetName(),
+						}).
+						WithError(err).
+						Error("Unable to check if ApplicationSet merge generators have cluster generator")
+				}
+				if ok {
+					foundClusterGenerator = true
+					break
+				}
+			}
 		}
 		if foundClusterGenerator {
 
@@ -82,3 +116,42 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 		}
 	}
 }
+
+// nestedGeneratorsHaveClusterGenerator iterate over provided nested generators to check if they have a cluster generator.
+func nestedGeneratorsHaveClusterGenerator(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
+	for _, generator := range generators {
+		if ok, err := nestedGeneratorHasClusterGenerator(generator); ok || err != nil {
+			return ok, err
+		}
+	}
+	return false, nil
+}
+
+// nestedGeneratorHasClusterGenerator checks if the provided generator has a cluster generator.
+func nestedGeneratorHasClusterGenerator(nested argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
+	if nested.Clusters != nil {
+		return true, nil
+	}
+
+	if nested.Matrix != nil {
+		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(nested.Matrix)
+		if err != nil {
+			return false, fmt.Errorf("unable to get nested matrix generator: %w", err)
+		}
+		if nestedMatrix != nil {
+			return nestedGeneratorsHaveClusterGenerator(nestedMatrix.ToMatrixGenerator().Generators)
+		}
+	}
+
+	if nested.Merge != nil {
+		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(nested.Merge)
+		if err != nil {
+			return false, fmt.Errorf("unable to get nested merge generator: %w", err)
+		}
+		if nestedMerge != nil {
+			return nestedGeneratorsHaveClusterGenerator(nestedMerge.ToMergeGenerator().Generators)
+		}
+	}
+
+	return false, nil
+}

applicationset/controllers/clustereventhandler_test.go

@@ -6,6 +6,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -163,7 +164,6 @@ func TestClusterEventHandler(t *testing.T) {
 				{NamespacedName: types.NamespacedName{Namespace: "another-namespace", Name: "my-app-set"}},
 			},
 		},
-
 		{
 			name: "non-argo cd secret should not match",
 			items: []argov1alpha1.ApplicationSet{
@@ -189,6 +189,348 @@ func TestClusterEventHandler(t *testing.T) {
 			},
 			expectedRequests: []reconcile.Request{},
 		},
+		{
+			name: "a matrix generator with a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Clusters: &argov1alpha1.ClusterGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a matrix generator with non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											List: &argov1alpha1.ListGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
+		{
+			name: "a matrix generator with a nested matrix generator containing a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Matrix: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"clusters": {
+															  "selector": {
+																"matchLabels": {
+																  "argocd.argoproj.io/secret-type": "cluster"
+																}
+															  }
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a matrix generator with a nested matrix generator containing non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Matrix: &argov1alpha1.MatrixGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Matrix: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"list": {
+															  "elements": [
+																"a",
+																"b"
+															  ]
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
+		{
+			name: "a merge generator with a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Clusters: &argov1alpha1.ClusterGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a matrix generator with non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											List: &argov1alpha1.ListGenerator{},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
+		{
+			name: "a merge generator with a nested merge generator containing a cluster generator should produce a request",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Merge: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"clusters": {
+															  "selector": {
+																"matchLabels": {
+																  "argocd.argoproj.io/secret-type": "cluster"
+																}
+															  }
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{{
+				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
+			}},
+		},
+		{
+			name: "a merge generator with a nested merge generator containing non cluster generator should not match",
+			items: []argov1alpha1.ApplicationSet{
+				{
+					ObjectMeta: v1.ObjectMeta{
+						Name:      "my-app-set",
+						Namespace: "argocd",
+					},
+					Spec: argov1alpha1.ApplicationSetSpec{
+						Generators: []argov1alpha1.ApplicationSetGenerator{
+							{
+								Merge: &argov1alpha1.MergeGenerator{
+									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+										{
+											Merge: &apiextensionsv1.JSON{
+												Raw: []byte(
+													`{
+														"generators": [
+														  {
+															"list": {
+															  "elements": [
+																"a",
+																"b"
+															  ]
+															}
+														  }
+														]
+													  }`,
+												),
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			secret: corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Namespace: "argocd",
+					Name:      "my-secret",
+					Labels: map[string]string{
+						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
+					},
+				},
+			},
+			expectedRequests: []reconcile.Request{},
+		},
 	}
 
 	for _, test := range tests {

applicationset/generators/generator_spec_processor.go

@@ -1,11 +1,12 @@
 package generators
 
 import (
+	"fmt"
 	"reflect"
 
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
+	"github.com/jeremywohl/flatten"
 
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -25,7 +26,10 @@ type TransformResult struct {
 
 // Transform a spec generator to list of paramSets and a template
 func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]interface{}) ([]TransformResult, error) {
-	selector, err := metav1.LabelSelectorAsSelector(requestedGenerator.Selector)
+	// This is a custom version of the `LabelSelectorAsSelector` that is in k8s.io/apimachinery. This has been copied
+	// verbatim from that package, with the difference that we do not have any restrictions on label values. This is done
+	// so that, among other things, we can match on cluster urls.
+	selector, err := utils.LabelSelectorAsSelector(requestedGenerator.Selector)
 	if err != nil {
 		return nil, err
 	}
@@ -70,8 +74,17 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 		}
 		var filterParams []map[string]interface{}
 		for _, param := range params {
+			flatParam, err := flattenParameters(param)
+			if err != nil {
+				log.WithError(err).WithField("generator", g).
+					Error("error flattening params")
+				if firstError == nil {
+					firstError = err
+				}
+				continue
+			}
 
-			if requestedGenerator.Selector != nil && !selector.Matches(labels.Set(keepOnlyStringValues(param))) {
+			if requestedGenerator.Selector != nil && !selector.Matches(labels.Set(flatParam)) {
 				continue
 			}
 			filterParams = append(filterParams, param)
@@ -86,18 +99,6 @@ func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, al
 	return res, firstError
 }
 
-func keepOnlyStringValues(in map[string]interface{}) map[string]string {
-	var out map[string]string = map[string]string{}
-
-	for key, value := range in {
-		if _, ok := value.(string); ok {
-			out[key] = value.(string)
-		}
-	}
-
-	return out
-}
-
 func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, generators map[string]Generator) []Generator {
 	var res []Generator
 
@@ -120,6 +121,20 @@ func GetRelevantGenerators(requestedGenerator *argoprojiov1alpha1.ApplicationSet
 	return res
 }
 
+func flattenParameters(in map[string]interface{}) (map[string]string, error) {
+	flat, err := flatten.Flatten(in, "", flatten.DotStyle)
+	if err != nil {
+		return nil, err
+	}
+
+	out := make(map[string]string, len(flat))
+	for k, v := range flat {
+		out[k] = fmt.Sprintf("%v", v)
+	}
+
+	return out, nil
+}
+
 func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, applicationSetTemplate argoprojiov1alpha1.ApplicationSetTemplate) (argoprojiov1alpha1.ApplicationSetTemplate, error) {
 	// Make a copy of the value from `GetTemplate()` before merge, rather than copying directly into
 	// the provided parameter (which will touch the original resource object returned by client-go)

applicationset/generators/generator_spec_processor_test.go

@@ -10,6 +10,7 @@ import (
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	testutils "github.com/argoproj/argo-cd/v2/applicationset/utils/test"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 
 	"github.com/stretchr/testify/mock"
@@ -93,8 +94,160 @@ func TestMatchValues(t *testing.T) {
 	}
 }
 
-func emptyTemplate() argoprojiov1alpha1.ApplicationSetTemplate {
-	return argoprojiov1alpha1.ApplicationSetTemplate{
+func TestMatchValuesGoTemplate(t *testing.T) {
+	testCases := []struct {
+		name     string
+		elements []apiextensionsv1.JSON
+		selector *metav1.LabelSelector
+		expected []map[string]interface{}
+	}{
+		{
+			name:     "no filter",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
+			selector: &metav1.LabelSelector{},
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+		},
+		{
+			name:     "nil",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url"}`)}},
+			selector: nil,
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url"}},
+		},
+		{
+			name:     "values.foo should be foo but is ignore element",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"values.foo": "foo",
+				},
+			},
+			expected: []map[string]interface{}{},
+		},
+		{
+			name:     "values.foo should be bar",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":{"foo":"bar"}}`)}},
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"values.foo": "bar",
+				},
+			},
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values": map[string]interface{}{"foo": "bar"}}},
+		},
+		{
+			name:     "values.0 should be bar",
+			elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "cluster","url": "url","values":["bar"]}`)}},
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"values.0": "bar",
+				},
+			},
+			expected: []map[string]interface{}{{"cluster": "cluster", "url": "url", "values": []interface{}{"bar"}}},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			var listGenerator = NewListGenerator()
+			var data = map[string]Generator{
+				"List": listGenerator,
+			}
+
+			applicationSetInfo := argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{
+					GoTemplate: true,
+				},
+			}
+
+			results, err := Transform(argov1alpha1.ApplicationSetGenerator{
+				Selector: testCase.selector,
+				List: &argov1alpha1.ListGenerator{
+					Elements: testCase.elements,
+					Template: emptyTemplate(),
+				}},
+				data,
+				emptyTemplate(),
+				&applicationSetInfo, nil)
+
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, testCase.expected, results[0].Params)
+		})
+	}
+}
+
+func TestTransForm(t *testing.T) {
+	testCases := []struct {
+		name     string
+		selector *metav1.LabelSelector
+		expected []map[string]interface{}
+	}{
+		{
+			name: "server filter",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"server": "https://production-01.example.com"},
+			},
+			expected: []map[string]interface{}{{
+				"metadata.annotations.foo.argoproj.io":           "production",
+				"metadata.labels.argocd.argoproj.io/secret-type": "cluster",
+				"metadata.labels.environment":                    "production",
+				"metadata.labels.org":                            "bar",
+				"name":                                           "production_01/west",
+				"nameNormalized":                                 "production-01-west",
+				"server":                                         "https://production-01.example.com",
+			}},
+		},
+		{
+			name: "server filter with long url",
+			selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"server": "https://some-really-long-url-that-will-exceed-63-characters.com"},
+			},
+			expected: []map[string]interface{}{{
+				"metadata.annotations.foo.argoproj.io":           "production",
+				"metadata.labels.argocd.argoproj.io/secret-type": "cluster",
+				"metadata.labels.environment":                    "production",
+				"metadata.labels.org":                            "bar",
+				"name":                                           "some-really-long-server-url",
+				"nameNormalized":                                 "some-really-long-server-url",
+				"server":                                         "https://some-really-long-url-that-will-exceed-63-characters.com",
+			}},
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			testGenerators := map[string]Generator{
+				"Clusters": getMockClusterGenerator(),
+			}
+
+			applicationSetInfo := argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "set",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{},
+			}
+
+			results, err := Transform(
+				argov1alpha1.ApplicationSetGenerator{
+					Selector: testCase.selector,
+					Clusters: &argov1alpha1.ClusterGenerator{
+						Selector: metav1.LabelSelector{},
+						Template: argov1alpha1.ApplicationSetTemplate{},
+						Values:   nil,
+					}},
+				testGenerators,
+				emptyTemplate(),
+				&applicationSetInfo, nil)
+
+			assert.NoError(t, err)
+			assert.ElementsMatch(t, testCase.expected, results[0].Params)
+		})
+	}
+}
+
+func emptyTemplate() argov1alpha1.ApplicationSetTemplate {
+	return argov1alpha1.ApplicationSetTemplate{
 		Spec: argov1alpha1.ApplicationSpec{
 			Project: "project",
 		},
@@ -151,8 +304,35 @@ func getMockClusterGenerator() Generator {
 			},
 			Type: corev1.SecretType("Opaque"),
 		},
+		&corev1.Secret{
+			TypeMeta: metav1.TypeMeta{
+				Kind:       "Secret",
+				APIVersion: "v1",
+			},
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "some-really-long-server-url",
+				Namespace: "namespace",
+				Labels: map[string]string{
+					"argocd.argoproj.io/secret-type": "cluster",
+					"environment":                    "production",
+					"org":                            "bar",
+				},
+				Annotations: map[string]string{
+					"foo.argoproj.io": "production",
+				},
+			},
+			Data: map[string][]byte{
+				"config": []byte("{}"),
+				"name":   []byte("some-really-long-server-url"),
+				"server": []byte("https://some-really-long-url-that-will-exceed-63-characters.com"),
+			},
+			Type: corev1.SecretType("Opaque"),
+		},
 	}
 	runtimeClusters := []runtime.Object{}
+	for _, clientCluster := range clusters {
+		runtimeClusters = append(runtimeClusters, clientCluster)
+	}
 	appClientset := kubefake.NewSimpleClientset(runtimeClusters...)
 
 	fakeClient := fake.NewClientBuilder().WithObjects(clusters...).Build()
@@ -160,8 +340,8 @@ func getMockClusterGenerator() Generator {
 }
 
 func getMockGitGenerator() Generator {
-	argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
-	argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
+	argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
+	argoCDServiceMock.Mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
 	var gitGenerator = NewGitGenerator(argoCDServiceMock)
 	return gitGenerator
 }

applicationset/generators/git.go

@@ -58,9 +58,9 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic
 
 	var err error
 	var res []map[string]interface{}
-	if appSetGenerator.Git.Directories != nil {
+	if len(appSetGenerator.Git.Directories) != 0 {
 		res, err = g.generateParamsForGitDirectories(appSetGenerator, appSet.Spec.GoTemplate)
-	} else if appSetGenerator.Git.Files != nil {
+	} else if len(appSetGenerator.Git.Files) != 0 {
 		res, err = g.generateParamsForGitFiles(appSetGenerator, appSet.Spec.GoTemplate)
 	} else {
 		return nil, EmptyAppSetGeneratorError

applicationset/generators/git_test.go

@@ -1,7 +1,6 @@
 package generators
 
 import (
-	"context"
 	"fmt"
 	"testing"
 
@@ -9,6 +8,7 @@ import (
 	"github.com/stretchr/testify/mock"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	testutils "github.com/argoproj/argo-cd/v2/applicationset/utils/test"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
@@ -20,33 +20,6 @@ import (
 // 	return io.NewCloser(func() error { return nil }), c.RepoServerServiceClient, nil
 // }
 
-type argoCDServiceMock struct {
-	mock *mock.Mock
-}
-
-func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-
-	return args.Get(0).([]string), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, pattern)
-
-	return args.Get(0).(map[string][]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, path)
-
-	return args.Get(0).([]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-	return args.Get(0).([]string), args.Error(1)
-}
-
 func Test_generateParamsFromGitFile(t *testing.T) {
 	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
 foo:
@@ -200,9 +173,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()
 
-			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
 
-			argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.Mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
 
 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
@@ -229,7 +202,7 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
 
-			argoCDServiceMock.mock.AssertExpectations(t)
+			argoCDServiceMock.Mock.AssertExpectations(t)
 		})
 	}
 }
@@ -442,9 +415,9 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()
 
-			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
 
-			argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.Mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
 
 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
@@ -472,7 +445,7 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
 
-			argoCDServiceMock.mock.AssertExpectations(t)
+			argoCDServiceMock.Mock.AssertExpectations(t)
 		})
 	}
 
@@ -732,8 +705,8 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()
 
-			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
-			argoCDServiceMock.mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
+			argoCDServiceMock.Mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)
 
 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
@@ -762,7 +735,7 @@ cluster:
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
 
-			argoCDServiceMock.mock.AssertExpectations(t)
+			argoCDServiceMock.Mock.AssertExpectations(t)
 		})
 	}
 }
@@ -1081,8 +1054,8 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()
 
-			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
-			argoCDServiceMock.mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
+			argoCDServiceMock.Mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)
 
 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
@@ -1112,7 +1085,7 @@ cluster:
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
 
-			argoCDServiceMock.mock.AssertExpectations(t)
+			argoCDServiceMock.Mock.AssertExpectations(t)
 		})
 	}
 }

applicationset/generators/matrix_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -16,6 +17,7 @@ import (
 	"github.com/stretchr/testify/mock"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
+	testutils "github.com/argoproj/argo-cd/v2/applicationset/utils/test"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
@@ -857,3 +859,72 @@ func (g *generatorMock) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Appl
 	return args.Get(0).(time.Duration)
 
 }
+
+func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
+	// Given a matrix generator over a list generator and a git files generator, the nested git files generator should
+	// be treated as a files generator, and it should produce parameters.
+
+	// This tests for a specific bug where a nested git files generator was being treated as a directory generator. This
+	// happened because, when the matrix generator was being processed, the nested git files generator was being
+	// interpolated by the deeplyReplace function. That function cannot differentiate between a nil slice and an empty
+	// slice. So it was replacing the `Directories` field with an empty slice, which the ApplicationSet controller
+	// interpreted as meaning this was a directory generator, not a files generator.
+
+	// Now instead of checking for nil, we check whether the field is a non-empty slice. This test prevents a regression
+	// of that bug.
+
+	listGeneratorMock := &generatorMock{}
+	listGeneratorMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet")).Return([]map[string]interface{}{
+		{"some": "value"},
+	}, nil)
+	listGeneratorMock.On("GetTemplate", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
+
+	gitGeneratorSpec := &argoprojiov1alpha1.GitGenerator{
+		RepoURL: "https://git.example.com",
+		Files: []argoprojiov1alpha1.GitFileGeneratorItem{
+			{Path: "some/path.json"},
+		},
+	}
+
+	repoServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
+	repoServiceMock.Mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
+		"some/path.json": []byte("test: content"),
+	}, nil)
+	gitGenerator := NewGitGenerator(repoServiceMock)
+
+	matrixGenerator := NewMatrixGenerator(map[string]Generator{
+		"List": listGeneratorMock,
+		"Git":  gitGenerator,
+	})
+
+	matrixGeneratorSpec := &argoprojiov1alpha1.MatrixGenerator{
+		Generators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+			{
+				List: &argoprojiov1alpha1.ListGenerator{
+					Elements: []apiextensionsv1.JSON{
+						{
+							Raw: []byte(`{"some": "value"}`),
+						},
+					},
+				},
+			},
+			{
+				Git: gitGeneratorSpec,
+			},
+		},
+	}
+	params, err := matrixGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
+		Matrix: matrixGeneratorSpec,
+	}, &argoprojiov1alpha1.ApplicationSet{})
+	require.NoError(t, err)
+	assert.Equal(t, []map[string]interface{}{{
+		"path":                    "some",
+		"path.basename":           "some",
+		"path.basenameNormalized": "some",
+		"path.filename":           "path.json",
+		"path.filenameNormalized": "path.json",
+		"path[0]":                 "some",
+		"some":                    "value",
+		"test":                    "content",
+	}}, params)
+}

applicationset/utils/selector.go

@@ -0,0 +1,261 @@
+package utils
+
+import (
+	"fmt"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/selection"
+	"k8s.io/apimachinery/pkg/util/validation"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/klog/v2"
+	"sort"
+	"strconv"
+	"strings"
+)
+
+var (
+	unaryOperators = []string{
+		string(selection.Exists), string(selection.DoesNotExist),
+	}
+	binaryOperators = []string{
+		string(selection.In), string(selection.NotIn),
+		string(selection.Equals), string(selection.DoubleEquals), string(selection.NotEquals),
+		string(selection.GreaterThan), string(selection.LessThan),
+	}
+	validRequirementOperators = append(binaryOperators, unaryOperators...)
+)
+
+// Selector represents a label selector.
+type Selector interface {
+	// Matches returns true if this selector matches the given set of labels.
+	Matches(labels.Labels) bool
+
+	// Add adds requirements to the Selector
+	Add(r ...Requirement) Selector
+}
+
+type internalSelector []Requirement
+
+// ByKey sorts requirements by key to obtain deterministic parser
+type ByKey []Requirement
+
+func (a ByKey) Len() int { return len(a) }
+
+func (a ByKey) Swap(i, j int) { a[i], a[j] = a[j], a[i] }
+
+func (a ByKey) Less(i, j int) bool { return a[i].key < a[j].key }
+
+// Matches for a internalSelector returns true if all
+// its Requirements match the input Labels. If any
+// Requirement does not match, false is returned.
+func (s internalSelector) Matches(l labels.Labels) bool {
+	for ix := range s {
+		if matches := s[ix].Matches(l); !matches {
+			return false
+		}
+	}
+	return true
+}
+
+// Add adds requirements to the selector. It copies the current selector returning a new one
+func (s internalSelector) Add(reqs ...Requirement) Selector {
+	ret := make(internalSelector, 0, len(s)+len(reqs))
+	ret = append(ret, s...)
+	ret = append(ret, reqs...)
+	sort.Sort(ByKey(ret))
+	return ret
+}
+
+type nothingSelector struct{}
+
+func (n nothingSelector) Matches(l labels.Labels) bool {
+	return false
+}
+
+func (n nothingSelector) Add(r ...Requirement) Selector {
+	return n
+}
+
+// Nothing returns a selector that matches no labels
+func nothing() Selector {
+	return nothingSelector{}
+}
+
+// Everything returns a selector that matches all labels.
+func everything() Selector {
+	return internalSelector{}
+}
+
+// LabelSelectorAsSelector converts the LabelSelector api type into a struct that implements
+// labels.Selector
+// Note: This function should be kept in sync with the selector methods in pkg/labels/selector.go
+func LabelSelectorAsSelector(ps *v1.LabelSelector) (Selector, error) {
+	if ps == nil {
+		return nothing(), nil
+	}
+	if len(ps.MatchLabels)+len(ps.MatchExpressions) == 0 {
+		return everything(), nil
+	}
+	requirements := make([]Requirement, 0, len(ps.MatchLabels)+len(ps.MatchExpressions))
+	for k, v := range ps.MatchLabels {
+		r, err := newRequirement(k, selection.Equals, []string{v})
+		if err != nil {
+			return nil, err
+		}
+		requirements = append(requirements, *r)
+	}
+	for _, expr := range ps.MatchExpressions {
+		var op selection.Operator
+		switch expr.Operator {
+		case v1.LabelSelectorOpIn:
+			op = selection.In
+		case v1.LabelSelectorOpNotIn:
+			op = selection.NotIn
+		case v1.LabelSelectorOpExists:
+			op = selection.Exists
+		case v1.LabelSelectorOpDoesNotExist:
+			op = selection.DoesNotExist
+		default:
+			return nil, fmt.Errorf("%q is not a valid pod selector operator", expr.Operator)
+		}
+		r, err := newRequirement(expr.Key, op, append([]string(nil), expr.Values...))
+		if err != nil {
+			return nil, err
+		}
+		requirements = append(requirements, *r)
+	}
+	selector := newSelector()
+	selector = selector.Add(requirements...)
+	return selector, nil
+}
+
+// NewSelector returns a nil selector
+func newSelector() Selector {
+	return internalSelector(nil)
+}
+
+func validateLabelKey(k string, path *field.Path) *field.Error {
+	if errs := validation.IsQualifiedName(k); len(errs) != 0 {
+		return field.Invalid(path, k, strings.Join(errs, "; "))
+	}
+	return nil
+}
+
+// NewRequirement is the constructor for a Requirement.
+// If any of these rules is violated, an error is returned:
+// (1) The operator can only be In, NotIn, Equals, DoubleEquals, Gt, Lt, NotEquals, Exists, or DoesNotExist.
+// (2) If the operator is In or NotIn, the values set must be non-empty.
+// (3) If the operator is Equals, DoubleEquals, or NotEquals, the values set must contain one value.
+// (4) If the operator is Exists or DoesNotExist, the value set must be empty.
+// (5) If the operator is Gt or Lt, the values set must contain only one value, which will be interpreted as an integer.
+// (6) The key is invalid due to its length, or sequence
+//
+//	of characters. See validateLabelKey for more details.
+//
+// The empty string is a valid value in the input values set.
+// Returned error, if not nil, is guaranteed to be an aggregated field.ErrorList
+func newRequirement(key string, op selection.Operator, vals []string, opts ...field.PathOption) (*Requirement, error) {
+	var allErrs field.ErrorList
+	path := field.ToPath(opts...)
+	if err := validateLabelKey(key, path.Child("key")); err != nil {
+		allErrs = append(allErrs, err)
+	}
+
+	valuePath := path.Child("values")
+	switch op {
+	case selection.In, selection.NotIn:
+		if len(vals) == 0 {
+			allErrs = append(allErrs, field.Invalid(valuePath, vals, "for 'in', 'notin' operators, values set can't be empty"))
+		}
+	case selection.Equals, selection.DoubleEquals, selection.NotEquals:
+		if len(vals) != 1 {
+			allErrs = append(allErrs, field.Invalid(valuePath, vals, "exact-match compatibility requires one single value"))
+		}
+	case selection.Exists, selection.DoesNotExist:
+		if len(vals) != 0 {
+			allErrs = append(allErrs, field.Invalid(valuePath, vals, "values set must be empty for exists and does not exist"))
+		}
+	case selection.GreaterThan, selection.LessThan:
+		if len(vals) != 1 {
+			allErrs = append(allErrs, field.Invalid(valuePath, vals, "for 'Gt', 'Lt' operators, exactly one value is required"))
+		}
+		for i := range vals {
+			if _, err := strconv.ParseInt(vals[i], 10, 64); err != nil {
+				allErrs = append(allErrs, field.Invalid(valuePath.Index(i), vals[i], "for 'Gt', 'Lt' operators, the value must be an integer"))
+			}
+		}
+	default:
+		allErrs = append(allErrs, field.NotSupported(path.Child("operator"), op, validRequirementOperators))
+	}
+
+	return &Requirement{key: key, operator: op, strValues: vals}, allErrs.ToAggregate()
+}
+
+// Requirement contains values, a key, and an operator that relates the key and values.
+// The zero value of Requirement is invalid.
+// Requirement implements both set based match and exact match
+// Requirement should be initialized via NewRequirement constructor for creating a valid Requirement.
+// +k8s:deepcopy-gen=true
+type Requirement struct {
+	key      string
+	operator selection.Operator
+	// In the majority of cases we have at most one value here.
+	// It is generally faster to operate on a single-element slice
+	// than on a single-element map, so we have a slice here.
+	strValues []string
+}
+
+func (r *Requirement) hasValue(value string) bool {
+	for i := range r.strValues {
+		if r.strValues[i] == value {
+			return true
+		}
+	}
+	return false
+}
+
+func (r *Requirement) Matches(ls labels.Labels) bool {
+	switch r.operator {
+	case selection.In, selection.Equals, selection.DoubleEquals:
+		if !ls.Has(r.key) {
+			return false
+		}
+		return r.hasValue(ls.Get(r.key))
+	case selection.NotIn, selection.NotEquals:
+		if !ls.Has(r.key) {
+			return true
+		}
+		return !r.hasValue(ls.Get(r.key))
+	case selection.Exists:
+		return ls.Has(r.key)
+	case selection.DoesNotExist:
+		return !ls.Has(r.key)
+	case selection.GreaterThan, selection.LessThan:
+		if !ls.Has(r.key) {
+			return false
+		}
+		lsValue, err := strconv.ParseInt(ls.Get(r.key), 10, 64)
+		if err != nil {
+			klog.V(10).Infof("ParseInt failed for value %+v in label %+v, %+v", ls.Get(r.key), ls, err)
+			return false
+		}
+
+		// There should be only one strValue in r.strValues, and can be converted to an integer.
+		if len(r.strValues) != 1 {
+			klog.V(10).Infof("Invalid values count %+v of requirement %#v, for 'Gt', 'Lt' operators, exactly one value is required", len(r.strValues), r)
+			return false
+		}
+
+		var rValue int64
+		for i := range r.strValues {
+			rValue, err = strconv.ParseInt(r.strValues[i], 10, 64)
+			if err != nil {
+				klog.V(10).Infof("ParseInt failed for value %+v in requirement %#v, for 'Gt', 'Lt' operators, the value must be an integer", r.strValues[i], r)
+				return false
+			}
+		}
+		return (r.operator == selection.GreaterThan && lsValue > rValue) || (r.operator == selection.LessThan && lsValue < rValue)
+	default:
+		return false
+	}
+}

applicationset/utils/test/testutils.go

@@ -0,0 +1,34 @@
+package test
+
+import (
+	"context"
+
+	"github.com/stretchr/testify/mock"
+)
+
+type ArgoCDServiceMock struct {
+	Mock *mock.Mock
+}
+
+func (a ArgoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.Mock.Called(ctx, repoURL, revision)
+
+	return args.Get(0).([]string), args.Error(1)
+}
+
+func (a ArgoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
+	args := a.Mock.Called(ctx, repoURL, revision, pattern)
+
+	return args.Get(0).(map[string][]byte), args.Error(1)
+}
+
+func (a ArgoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
+	args := a.Mock.Called(ctx, repoURL, revision, path)
+
+	return args.Get(0).([]byte), args.Error(1)
+}
+
+func (a ArgoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.Mock.Called(ctx, repoURL, revision)
+	return args.Get(0).([]string), args.Error(1)
+}

applicationset/utils/utils.go

@@ -248,7 +248,10 @@ func (r *Render) Replace(tmpl string, replaceMap map[string]interface{}, useGoTe
 		return tmpl, nil
 	}
 
-	fstTmpl := fasttemplate.New(tmpl, "{{", "}}")
+	fstTmpl, err := fasttemplate.NewTemplate(tmpl, "{{", "}}")
+	if err != nil {
+		return "", fmt.Errorf("invalid template: %w", err)
+	}
 	replacedTmpl := fstTmpl.ExecuteFuncString(func(w io.Writer, tag string) (int, error) {
 		trimmedTag := strings.TrimSpace(tag)
 		replacement, ok := replaceMap[trimmedTag].(string)

applicationset/utils/utils_test.go

@@ -464,6 +464,14 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 	}
 }
 
+func Test_Render_Replace_no_panic_on_missing_closing_brace(t *testing.T) {
+	r := &Render{}
+	assert.NotPanics(t, func() {
+		_, err := r.Replace("{{properly.closed}} {{improperly.closed}", nil, false)
+		assert.Error(t, err)
+	})
+}
+
 func TestRenderTemplateKeys(t *testing.T) {
 	t.Run("fasttemplate", func(t *testing.T) {
 		application := &argoappsv1.Application{

assets/swagger.json

@@ -271,6 +271,16 @@
             "description": "the application's namespace.",
             "name": "appNamespace",
             "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
           }
         ],
         "responses": {
@@ -585,6 +595,16 @@
             "description": "the application's namespace.",
             "name": "appNamespace",
             "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
           }
         ],
         "responses": {
@@ -3507,6 +3527,16 @@
             "description": "the application's namespace.",
             "name": "appNamespace",
             "in": "query"
+          },
+          {
+            "type": "array",
+            "items": {
+              "type": "string"
+            },
+            "collectionFormat": "multi",
+            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
+            "name": "project",
+            "in": "query"
           }
         ],
         "responses": {

cmd/argocd/commands/admin/dashboard.go

@@ -9,13 +9,16 @@ import (
 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/initialize"
 	"github.com/argoproj/argo-cd/v2/common"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/util/cache"
+	"github.com/argoproj/argo-cd/v2/util/env"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 )
 
 func NewDashboardCommand() *cobra.Command {
 	var (
-		port    int
-		address string
+		port           int
+		address        string
+		compressionStr string
 	)
 	cmd := &cobra.Command{
 		Use:   "dashboard",
@@ -23,7 +26,9 @@ func NewDashboardCommand() *cobra.Command {
 		Run: func(cmd *cobra.Command, args []string) {
 			ctx := cmd.Context()
 
-			errors.CheckError(headless.StartLocalServer(ctx, &argocdclient.ClientOptions{Core: true}, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address))
+			compression, err := cache.CompressionTypeFromString(compressionStr)
+			errors.CheckError(err)
+			errors.CheckError(headless.StartLocalServer(ctx, &argocdclient.ClientOptions{Core: true}, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address, compression))
 			println(fmt.Sprintf("Argo CD UI is available at http://%s:%d", address, port))
 			<-ctx.Done()
 		},
@@ -31,5 +36,6 @@ func NewDashboardCommand() *cobra.Command {
 	initialize.InitCommand(cmd)
 	cmd.Flags().IntVar(&port, "port", common.DefaultPortAPIServer, "Listen on given port")
 	cmd.Flags().StringVar(&address, "address", common.DefaultAddressAPIServer, "Listen on given address")
+	cmd.Flags().StringVar(&compressionStr, "redis-compress", env.StringFromEnv("REDIS_COMPRESSION", string(cache.RedisCompressionNone)), "Enable this if the application controller is configured with redis compression enabled. (possible values: none, gzip)")
 	return cmd
 }

cmd/argocd/commands/admin/settings_rbac.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/ghodss/yaml"
 	log "github.com/sirupsen/logrus"
@@ -373,6 +374,9 @@ func resolveRBACResourceName(name string) string {
 
 // isValidRBACAction checks whether a given action is a valid RBAC action
 func isValidRBACAction(action string) bool {
+	if strings.HasPrefix(action, rbacpolicy.ActionAction+"/") {
+		return true
+	}
 	_, ok := validRBACActions[action]
 	return ok
 }

cmd/argocd/commands/admin/settings_rbac_test.go

@@ -27,6 +27,11 @@ func Test_isValidRBACAction(t *testing.T) {
 	})
 }
 
+func Test_isValidRBACAction_ActionAction(t *testing.T) {
+	ok := isValidRBACAction("action/apps/Deployment/restart")
+	assert.True(t, ok)
+}
+
 func Test_isValidRBACResource(t *testing.T) {
 	for k := range validRBACResources {
 		t.Run(k, func(t *testing.T) {

cmd/argocd/commands/app.go

@@ -169,7 +169,9 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 
 				// Get app before creating to see if it is being updated or no change
 				existing, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &app.Name})
-				if grpc.UnwrapGRPCStatus(err).Code() != codes.NotFound {
+				unwrappedError := grpc.UnwrapGRPCStatus(err).Code()
+				// As part of the fix for CVE-2022-41354, the API will return Permission Denied when an app does not exist.
+				if unwrappedError != codes.NotFound && unwrappedError != codes.PermissionDenied {
 					errors.CheckError(err)
 				}
 
@@ -1018,7 +1020,7 @@ func findandPrintDiff(ctx context.Context, app *argoappv1.Application, resources
 			unstructureds = append(unstructureds, obj)
 		}
 		groupedObjs := groupObjsByKey(unstructureds, liveObjs, app.Spec.Destination.Namespace)
-		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.Name)
+		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace))
 	} else if diffOptions.serversideRes != nil {
 		var unstructureds []*unstructured.Unstructured
 		for _, mfst := range diffOptions.serversideRes.Manifests {
@@ -1027,7 +1029,7 @@ func findandPrintDiff(ctx context.Context, app *argoappv1.Application, resources
 			unstructureds = append(unstructureds, obj)
 		}
 		groupedObjs := groupObjsByKey(unstructureds, liveObjs, app.Spec.Destination.Namespace)
-		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.Name)
+		items = groupObjsForDiff(resources, groupedObjs, items, argoSettings, app.InstanceName(argoSettings.ControllerNamespace))
 	} else {
 		for i := range resources.Items {
 			res := resources.Items[i]

cmd/argocd/commands/headless/headless.go

@@ -38,11 +38,12 @@ import (
 )
 
 type forwardCacheClient struct {
-	namespace string
-	context   string
-	init      sync.Once
-	client    cache.CacheClient
-	err       error
+	namespace   string
+	context     string
+	init        sync.Once
+	client      cache.CacheClient
+	compression cache.RedisCompressionType
+	err         error
 }
 
 func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error) error {
@@ -58,7 +59,7 @@ func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error)
 		}
 
 		redisClient := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", redisPort)})
-		c.client = cache.NewRedisCache(redisClient, time.Hour, cache.RedisCompressionNone)
+		c.client = cache.NewRedisCache(redisClient, time.Hour, c.compression)
 	})
 	if c.err != nil {
 		return c.err
@@ -139,7 +140,7 @@ func testAPI(ctx context.Context, clientOpts *apiclient.ClientOptions) error {
 
 // StartLocalServer allows executing command in a headless mode: on the fly starts Argo CD API server and
 // changes provided client options to use started API server port
-func StartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions, ctxStr string, port *int, address *string) error {
+func StartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions, ctxStr string, port *int, address *string, compression cache.RedisCompressionType) error {
 	flags := pflag.NewFlagSet("tmp", pflag.ContinueOnError)
 	clientConfig := cli.AddKubectlFlagsToSet(flags)
 	startInProcessAPI := clientOpts.Core
@@ -200,7 +201,7 @@ func StartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions,
 	if err != nil {
 		return err
 	}
-	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr}), time.Hour)
+	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr, compression: compression}), time.Hour)
 	srv := server.NewServer(ctx, server.ArgoCDServerOpts{
 		EnableGZip:    false,
 		Namespace:     namespace,
@@ -242,7 +243,7 @@ func NewClientOrDie(opts *apiclient.ClientOptions, c *cobra.Command) apiclient.C
 	ctx := c.Context()
 
 	ctxStr := initialize.RetrieveContextIfChanged(c.Flag("context"))
-	err := StartLocalServer(ctx, opts, ctxStr, nil, nil)
+	err := StartLocalServer(ctx, opts, ctxStr, nil, nil, cache.RedisCompressionNone)
 	if err != nil {
 		log.Fatal(err)
 	}

cmd/argocd/commands/repo.go

@@ -3,6 +3,7 @@ package commands
 import (
 	"fmt"
 	"os"
+	"strconv"
 	"text/tabwriter"
 
 	log "github.com/sirupsen/logrus"
@@ -233,15 +234,12 @@ func printRepoTable(repos appsv1.Repositories) {
 	_, _ = fmt.Fprintf(w, "TYPE\tNAME\tREPO\tINSECURE\tOCI\tLFS\tCREDS\tSTATUS\tMESSAGE\tPROJECT\n")
 	for _, r := range repos {
 		var hasCreds string
-		if !r.HasCredentials() {
-			hasCreds = "false"
+		if r.InheritedCreds {
+			hasCreds = "inherited"
 		} else {
-			if r.InheritedCreds {
-				hasCreds = "inherited"
-			} else {
-				hasCreds = "true"
-			}
+			hasCreds = strconv.FormatBool(r.HasCredentials())
 		}
+
 		_, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%v\t%v\t%v\t%s\t%s\t%s\t%s\n", r.Type, r.Name, r.Repo, r.IsInsecure(), r.EnableOCI, r.EnableLFS, hasCreds, r.ConnectionState.Status, r.ConnectionState.Message, r.Project)
 	}
 	_ = w.Flush()

cmpserver/plugin/plugin.go

@@ -8,8 +8,10 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
+	"unicode"
 
 	"github.com/argoproj/pkg/rand"
 
@@ -73,9 +75,8 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	}
 	logCtx := log.WithFields(log.Fields{"execID": execId})
 
-	// log in a way we can copy-and-paste into a terminal
-	args := strings.Join(cmd.Args, " ")
-	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(args)
+	argsToLog := getCommandArgsToLog(cmd)
+	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(argsToLog)
 
 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
@@ -106,7 +107,7 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	logCtx.WithFields(log.Fields{"duration": duration}).Debug(output)
 
 	if err != nil {
-		err := newCmdError(args, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
+		err := newCmdError(argsToLog, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
 		logCtx.Error(err.Error())
 		return strings.TrimSuffix(output, "\n"), err
 	}
@@ -114,6 +115,28 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	return strings.TrimSuffix(output, "\n"), nil
 }
 
+// getCommandArgsToLog represents the given command in a way that we can copy-and-paste into a terminal
+func getCommandArgsToLog(cmd *exec.Cmd) string {
+	var argsToLog []string
+	for _, arg := range cmd.Args {
+		containsSpace := false
+		for _, r := range arg {
+			if unicode.IsSpace(r) {
+				containsSpace = true
+				break
+			}
+		}
+		if containsSpace {
+			// add quotes and escape any internal quotes
+			argsToLog = append(argsToLog, strconv.Quote(arg))
+		} else {
+			argsToLog = append(argsToLog, arg)
+		}
+	}
+	args := strings.Join(argsToLog, " ")
+	return args
+}
+
 type CmdError struct {
 	Args   string
 	Stderr string

cmpserver/plugin/plugin_test.go

@@ -2,6 +2,7 @@ package plugin
 
 import (
 	"context"
+	"os/exec"
 	"path/filepath"
 	"testing"
 	"time"
@@ -266,3 +267,30 @@ func TestRunCommandContextTimeout(t *testing.T) {
 	assert.Error(t, err) // The command should time out, causing an error.
 	assert.Less(t, after.Sub(before), 1*time.Second)
 }
+
+func Test_getCommandArgsToLog(t *testing.T) {
+	testCases := []struct {
+		name     string
+		args     []string
+		expected string
+	}{
+		{
+			name:     "no spaces",
+			args:     []string{"sh", "-c", "cat"},
+			expected: "sh -c cat",
+		},
+		{
+			name:     "spaces",
+			args:     []string{"sh", "-c", `echo "hello world"`},
+			expected: `sh -c "echo \"hello world\""`,
+		},
+	}
+
+	for _, tc := range testCases {
+		tcc := tc
+		t.Run(tcc.name, func(t *testing.T) {
+			t.Parallel()
+			assert.Equal(t, tcc.expected, getCommandArgsToLog(exec.Command(tcc.args[0], tcc.args[1:]...)))
+		})
+	}
+}

controller/cache/cache.go

@@ -483,10 +483,11 @@ func (c *liveStateCache) getSyncedCluster(server string) (clustercache.ClusterCa
 func (c *liveStateCache) invalidate(cacheSettings cacheSettings) {
 	log.Info("invalidating live state cache")
 	c.lock.Lock()
-	defer c.lock.Unlock()
-
 	c.cacheSettings = cacheSettings
-	for _, clust := range c.clusters {
+	clusters := c.clusters
+	c.lock.Unlock()
+
+	for _, clust := range clusters {
 		clust.Invalidate(clustercache.SetSettings(cacheSettings.clusterSettings))
 	}
 	log.Info("live state cache invalidated")
@@ -696,12 +697,14 @@ func (c *liveStateCache) handleModEvent(oldCluster *appv1.Cluster, newCluster *a
 }
 
 func (c *liveStateCache) handleDeleteEvent(clusterServer string) {
-	c.lock.Lock()
-	defer c.lock.Unlock()
+	c.lock.RLock()
 	cluster, ok := c.clusters[clusterServer]
+	c.lock.RUnlock()
 	if ok {
 		cluster.Invalidate()
+		c.lock.Lock()
 		delete(c.clusters, clusterServer)
+		c.lock.Unlock()
 	}
 }
 

controller/cache/cache_test.go

@@ -1,10 +1,13 @@
 package cache
 
 import (
+	"context"
 	"errors"
 	"net"
 	"net/url"
+	"sync"
 	"testing"
+	"time"
 
 	apierr "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -14,8 +17,10 @@ import (
 	"github.com/argoproj/gitops-engine/pkg/cache"
 	"github.com/argoproj/gitops-engine/pkg/cache/mocks"
 	"github.com/stretchr/testify/mock"
+	"k8s.io/client-go/kubernetes/fake"
 
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	argosettings "github.com/argoproj/argo-cd/v2/util/settings"
 )
 
 type netError string
@@ -106,6 +111,98 @@ func TestHandleAddEvent_ClusterExcluded(t *testing.T) {
 	assert.Len(t, clustersCache.clusters, 0)
 }
 
+func TestHandleDeleteEvent_CacheDeadlock(t *testing.T) {
+	testCluster := &appv1.Cluster{
+		Server: "https://mycluster",
+		Config: appv1.ClusterConfig{Username: "bar"},
+	}
+	fakeClient := fake.NewSimpleClientset()
+	settingsMgr := argosettings.NewSettingsManager(context.TODO(), fakeClient, "argocd")
+	externalLockRef := sync.RWMutex{}
+	gitopsEngineClusterCache := &mocks.ClusterCache{}
+	clustersCache := liveStateCache{
+		clusters: map[string]cache.ClusterCache{
+			testCluster.Server: gitopsEngineClusterCache,
+		},
+		clusterFilter: func(cluster *appv1.Cluster) bool {
+			return true
+		},
+		settingsMgr: settingsMgr,
+		// Set the lock here so we can reference it later
+		// nolint We need to overwrite here to have access to the lock
+		lock: externalLockRef,
+	}
+	channel := make(chan string)
+	// Mocked lock held by the gitops-engine cluster cache
+	mockMutex := sync.RWMutex{}
+	// Locks to force trigger condition during test
+	// Condition order:
+	//   EnsuredSynced -> Locks gitops-engine
+	//   handleDeleteEvent -> Locks liveStateCache
+	//   EnsureSynced via sync, newResource, populateResourceInfoHandler -> attempts to Lock liveStateCache
+	//   handleDeleteEvent via cluster.Invalidate -> attempts to Lock gitops-engine
+	handleDeleteWasCalled := sync.Mutex{}
+	engineHoldsLock := sync.Mutex{}
+	handleDeleteWasCalled.Lock()
+	engineHoldsLock.Lock()
+	gitopsEngineClusterCache.On("EnsureSynced").Run(func(args mock.Arguments) {
+		// Held by EnsureSync calling into sync and watchEvents
+		mockMutex.Lock()
+		defer mockMutex.Unlock()
+		// Continue Execution of timer func
+		engineHoldsLock.Unlock()
+		// Wait for handleDeleteEvent to be called triggering the lock
+		// on the liveStateCache
+		handleDeleteWasCalled.Lock()
+		t.Logf("handleDelete was called, EnsureSynced continuing...")
+		handleDeleteWasCalled.Unlock()
+		// Try and obtain the lock on the liveStateCache
+		alreadyFailed := !externalLockRef.TryLock()
+		if alreadyFailed {
+			channel <- "DEADLOCKED -- EnsureSynced could not obtain lock on liveStateCache"
+			return
+		}
+		externalLockRef.Lock()
+		t.Logf("EnsureSynce was able to lock liveStateCache")
+		externalLockRef.Unlock()
+	}).Return(nil).Once()
+	gitopsEngineClusterCache.On("Invalidate").Run(func(args mock.Arguments) {
+		// If deadlock is fixed should be able to acquire lock here
+		alreadyFailed := !mockMutex.TryLock()
+		if alreadyFailed {
+			channel <- "DEADLOCKED -- Invalidate could not obtain lock on gitops-engine"
+			return
+		}
+		mockMutex.Lock()
+		t.Logf("Invalidate was able to lock gitops-engine cache")
+		mockMutex.Unlock()
+	}).Return()
+	go func() {
+		// Start the gitops-engine lock holds
+		go func() {
+			err := gitopsEngineClusterCache.EnsureSynced()
+			if err != nil {
+				assert.Fail(t, err.Error())
+			}
+		}()
+		// Wait for EnsureSynced to grab the lock for gitops-engine
+		engineHoldsLock.Lock()
+		t.Log("EnsureSynced has obtained lock on gitops-engine")
+		engineHoldsLock.Unlock()
+		// Run in background
+		go clustersCache.handleDeleteEvent(testCluster.Server)
+		// Allow execution to continue on clusters cache call to trigger lock
+		handleDeleteWasCalled.Unlock()
+		channel <- "PASSED"
+	}()
+	select {
+	case str := <-channel:
+		assert.Equal(t, "PASSED", str, str)
+	case <-time.After(5 * time.Second):
+		assert.Fail(t, "Ended up in deadlock")
+	}
+}
+
 func TestIsRetryableError(t *testing.T) {
 	var (
 		tlsHandshakeTimeoutErr net.Error = netError("net/http: TLS handshake timeout")

docs/assets/versions.js

@@ -9,16 +9,6 @@ setTimeout(function() {
   caret.innerHTML = "<i class='fa fa-caret-down dropdown-caret'></i>"
   caret.classList.add('dropdown-caret')
   div.querySelector('.rst-current-version').appendChild(caret);
-  div.querySelector('.rst-current-version').addEventListener('click', function() {
-      const classes = container.className.split(' ');
-      const index = classes.indexOf('shift-up');
-      if (index === -1) {
-          classes.push('shift-up');
-      } else {
-          classes.splice(index, 1);
-      }
-      container.className = classes.join(' ');
-  });
   }
 
   var CSSLink = document.createElement('link');

docs/developer-guide/site.md

@@ -9,12 +9,7 @@ To test:
 ```bash
 make serve-docs
 ```
-
-Check for broken external links:
-
-```bash
-make lint-docs
-```
+Once running, you can view your locally built documentation at [http://0.0.0.0:8000/](http://0.0.0.0:8000/). 
 
 ## Deploying
 

docs/operator-manual/application.yaml

@@ -6,7 +6,10 @@ metadata:
   namespace: argocd
   # Add this finalizer ONLY if you want these to cascade delete.
   finalizers:
+    # The default behaviour is foreground cascading deletion
     - resources-finalizer.argocd.argoproj.io
+    # Alternatively, you can use background cascading deletion
+    # - resources-finalizer.argocd.argoproj.io/background
   # Add labels to your application object.
   labels:
     name: guestbook
@@ -131,7 +134,12 @@ spec:
     # name: in-cluster
     # The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
     namespace: guestbook
-
+    
+  # Extra information to show in the Argo CD Application details tab
+  info:
+    - name: 'Example:'
+      value: 'https://example.com'
+      
   # Sync policy
   syncPolicy:
     automated: # automated sync by default retries failed attempts 5 times with following delays between attempts ( 5s, 10s, 20s, 40s, 80s ); retry controlled using `retry` field.
@@ -164,6 +172,9 @@ spec:
     kind: "*"
     managedFieldsManagers:
     - kube-controller-manager
+    # Name and namespace are optional. If specified, they must match exactly, these are not glob patterns.
+    name: my-deployment
+    namespace: my-namespace
 
   # RevisionHistoryLimit limits the number of items kept in the application's revision history, which is used for
   # informational purposes as well as for rollbacks to previous versions. This should only be changed in exceptional

docs/operator-manual/applicationset/Generators-Post-Selector.md

@@ -0,0 +1,43 @@
+# Post Selector all generators
+
+The Selector allows to post-filter based on generated values using the kubernetes common labelSelector format. In the example, the list generator generates a set of two application which then filter by the key value to only select the `env` with value `staging`:
+
+## Example: List generator + Post Selector
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - list:
+      elements:
+        - cluster: engineering-dev
+          url: https://kubernetes.default.svc
+          env: staging
+        - cluster: engineering-prod
+          url: https://kubernetes.default.svc
+          env: prod
+    selector:
+      matchLabels:
+        env: staging
+  template:
+    metadata:
+      name: '{{cluster}}-guestbook'
+    spec:
+      project: default
+      source:
+        repoURL: https://github.com/argoproj-labs/applicationset.git
+        targetRevision: HEAD
+        path: examples/list-generator/guestbook/{{cluster}}
+      destination:
+        server: '{{url}}'
+        namespace: guestbook
+```
+
+The List generator + Post Selector generates a single set of parameters:
+```yaml
+- cluster: engineering-dev
+  url: https://kubernetes.default.svc
+  env: staging
+```

docs/operator-manual/applicationset/Generators.md

@@ -6,7 +6,7 @@ Generators are primarily based on the data source that they use to generate the
 
 As of this writing there are eight generators:
 
-- [List generator](Generators-List.md): The List generator allows you to target Argo CD Applications to clusters based on a fixed list of cluster name/URL values.
+- [List generator](Generators-List.md): The List generator allows you to target Argo CD Applications to clusters based on a fixed list of any chosen key/value element pairs.
 - [Cluster generator](Generators-Cluster.md): The Cluster generator allows you to target Argo CD Applications to clusters, based on the list of clusters defined within (and managed by) Argo CD (which includes automatically responding to cluster addition/removal events from Argo CD).
 - [Git generator](Generators-Git.md): The Git generator allows you to create Applications based on files within a Git repository, or based on the directory structure of a Git repository.
 - [Matrix generator](Generators-Matrix.md): The Matrix generator may be used to combine the generated parameters of two separate generators.
@@ -15,4 +15,6 @@ As of this writing there are eight generators:
 - [Pull Request generator](Generators-Pull-Request.md): The Pull Request generator uses the API of an SCMaaS provider (eg GitHub) to automatically discover open pull requests within an repository.
 - [Cluster Decision Resource generator](Generators-Cluster-Decision-Resource.md): The Cluster Decision Resource generator is used to interface with Kubernetes custom resources that use custom resource-specific logic to decide which set of Argo CD clusters to deploy to.
 
+All generators can be filtered by using the [Post Selector](Generators-Post-Selector.md)
+
 If you are new to generators, begin with the **List** and **Cluster** generators. For more advanced use cases, see the documentation for the remaining generators above.

docs/operator-manual/applicationset/GoTemplate.md

@@ -87,6 +87,10 @@ By activating Go Templating, `{{ .path }}` becomes an object. Therefore, some ch
 generators' templating:
 
 - `{{ path }}` becomes `{{ .path.path }}`
+- `{{ path.basename }}` becomes `{{ .path.basename }}`
+- `{{ path.basenameNormalized }}` becomes `{{ .path.basenameNormalized }}`
+- `{{ path.filename }}` becomes `{{ .path.filename }}`
+- `{{ path.filenameNormalized }}` becomes `{{ .path.filenameNormalized }}`
 - `{{ path[n] }}` becomes `{{ index .path.segments n }}`
 
 Here is an example:

docs/operator-manual/argocd-ssh-known-hosts-cm.yaml

@@ -7,7 +7,7 @@ metadata:
   name: argocd-ssh-known-hosts-cm
 data:
   ssh_known_hosts: |
-    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
     gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
     gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf

docs/operator-manual/declarative-setup.md

@@ -389,9 +389,25 @@ data:
 
 ### SSH known host public keys
 
-If you are connecting repositories via SSH, Argo CD will need to know the SSH known hosts public key of the repository servers. You can manage the SSH known hosts data in the ConfigMap named `argocd-ssh-known-hosts-cm`. This ConfigMap contains a single key/value pair, with `ssh_known_hosts` as the key and the actual public keys of the SSH servers as data. As opposed to TLS configuration, the public key(s) of each single repository server Argo CD will connect via SSH must be configured, otherwise the connections to the repository will fail. There is no fallback. The data can be copied from any existing `ssh_known_hosts` file, or from the output of the `ssh-keyscan` utility. The basic format is `<servername> <keydata>`, one entry per line.
+If you are configuring repositories to use SSH, Argo CD will need to know their SSH public keys. In order for Argo CD to connect via SSH the public key(s) for each repository server must be pre-configured in Argo CD (unlike TLS configuration), otherwise the connections to the repository will fail.
 
-An example ConfigMap object:
+You can manage the SSH known hosts data in the `argocd-ssh-known-hosts-cm` ConfigMap. This ConfigMap contains a single entry, `ssh_known_hosts`, with the public keys of the SSH servers as its value. The value can be filled in from any existing `ssh_known_hosts` file, or from the output of the `ssh-keyscan` utility (which is part of OpenSSH's client package). The basic format is `<server_name> <keytype> <base64-encoded_key>`, one entry per line.
+
+Here is an example of running `ssh-keyscan`:
+```bash
+$ for host in bitbucket.org github.com gitlab.com ssh.dev.azure.com vs-ssh.visualstudio.com ; do ssh-keyscan $host 2> /dev/null ; done
+bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
+gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
+gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9
+ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
+vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
+```
+
+Here is an example `ConfigMap` object using the output from `ssh-keyscan` above:
 
 ```yaml
 apiVersion: v1
@@ -404,7 +420,7 @@ metadata:
     app.kubernetes.io/part-of: argocd
 data:
   ssh_known_hosts: |
-    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
     gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
     gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf

docs/operator-manual/disaster_recovery.md

@@ -15,13 +15,13 @@ export VERSION=v1.0.1
 Export to a backup:
 
 ```bash
-docker run -v ~/.kube:/home/argocd/.kube --rm argoproj/argocd:$VERSION argocd admin export > backup.yaml
+docker run -v ~/.kube:/home/argocd/.kube --rm quay.io/argoproj/argocd:$VERSION argocd admin export > backup.yaml
 ```
 
 Import from a backup:
 
 ```bash
-docker run -i -v ~/.kube:/home/argocd/.kube --rm argoproj/argocd:$VERSION argocd admin import - < backup.yaml
+docker run -i -v ~/.kube:/home/argocd/.kube --rm quay.io/argoproj/argocd:$VERSION argocd admin import - < backup.yaml
 ```
 
 !!! note

docs/operator-manual/high_availability.md

@@ -1,10 +1,8 @@
 # High Availability
 
-Argo CD is largely stateless, all data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
+Argo CD is largely stateless. All data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
 
-A set of HA manifests are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
-
-[HA Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests#high-availability) 
+A set of [HA manifests](https://github.com/argoproj/argo-cd/tree/master/manifests/ha) are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
 
 > **NOTE:** The HA installation will require at least three different nodes due to pod anti-affinity roles in the
 > specs. Additionally, IPv6 only clusters are not supported.
@@ -17,11 +15,11 @@ A set of HA manifests are provided for users who wish to run Argo CD in a highly
 
 The `argocd-repo-server` is responsible for cloning Git repository, keeping it up to date and generating manifests using the appropriate tool.
 
-* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory and limit on the number of OS threads.
-The `--parallelismlimit` flag controls how many manifests generations are running concurrently and allows avoiding OOM kills.
+* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory or limit on the number of OS threads.
+The `--parallelismlimit` flag controls how many manifests generations are running concurrently and helps avoid OOM kills.
 
 * the `argocd-repo-server` ensures that repository is in the clean state during the manifest generation using config management tools such as Kustomize, Helm
-or custom plugin. As a result Git repositories with multiple applications might be affect repository server performance.
+or custom plugin. As a result Git repositories with multiple applications might affect repository server performance.
 Read [Monorepo Scaling Considerations](#monorepo-scaling-considerations) for more information.
 
 * `argocd-repo-server` clones repository into `/tmp` ( of path specified in `TMPDIR` env variable ). Pod might run out of disk space if have too many repository
@@ -30,7 +28,7 @@ or repositories has a lot of files. To avoid this problem mount persistent volum
 * `argocd-repo-server` `git ls-remote` to resolve ambiguous revision such as `HEAD`, branch or tag name. This operation is happening pretty frequently
 and might fail. To avoid failed syncs use `ARGOCD_GIT_ATTEMPTS_COUNT` environment variable to retry failed requests.
 
-* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind this will negate the benefit of caching if set too low. 
+* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches the generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind that this will negate the benefits of caching if set too low. 
 
 * `argocd-repo-server` fork exec config management tools such as `helm` or `kustomize` and enforces 90 seconds timeout. The timeout can be increased using `ARGOCD_EXEC_TIMEOUT` env variable. The value should be in Go time duration string format, for example, `2m30s`.
 

docs/operator-manual/ingress.md

@@ -538,15 +538,15 @@ spec:
     - secretName: secret-yourdomain-com
   rules:
     - host: argocd.yourdomain.com
-    http:
-      paths:
-      - pathType: ImplementationSpecific
-        path: "/*"   # "*" is needed. Without this, the UI Javascript and CSS will not load properly
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80
+      http:
+        paths:
+        - pathType: ImplementationSpecific
+          path: "/*"   # "*" is needed. Without this, the UI Javascript and CSS will not load properly
+          backend:
+            service:
+              name: argocd-server
+              port:
+                number: 80
 ```
 
 If you use the version `1.21.3-gke.1600` or later, you should use the following Ingress resource:
@@ -563,15 +563,15 @@ spec:
     - secretName: secret-yourdomain-com
   rules:
     - host: argocd.yourdomain.com
-    http:
-      paths:
-      - pathType: Prefix
-        path: "/"
-        backend:
-          service:
-            name: argocd-server
-            port:
-              number: 80
+      http:
+        paths:
+        - pathType: Prefix
+          path: "/"
+          backend:
+            service:
+              name: argocd-server
+              port:
+                number: 80
 ```
 
 As you may know already, it can take some minutes to deploy the load balancer and become ready to accept connections. Once it's ready, get the public IP address for your Load Balancer, go to your DNS server (Google or third party) and point your domain or subdomain (i.e. argocd.yourdomain.com) to that IP address.

docs/operator-manual/installation.md

@@ -74,7 +74,7 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-- github.com/argoproj/argo-cd/manifests/ha?ref=v2.6.2
+- github.com/argoproj/argo-cd/manifests/ha/base?ref=v2.6.2
 ```
 
 ## Helm

docs/operator-manual/notifications/index.md

@@ -17,8 +17,9 @@ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/st
 * Add Email username and password token to `argocd-notifications-secret` secret
 
 ```bash
-export EMAIL_USER=<your-username>
-export PASSWORD=<your-password>
+EMAIL_USER=<your-username>
+ PASSWORD=<your-password>
+
 kubectl apply -n argocd -f - << EOF
 apiVersion: v1
 kind: Secret

docs/operator-manual/rbac.md

@@ -64,7 +64,7 @@ See [Web-based Terminal](web_based_terminal.md) for more info.
 
 #### The `applicationsets` resource
 
-[ApplicationSets](applicationset) provide a declarative way to automatically create/update/delete Applications.
+[ApplicationSets](applicationset/index.md) provide a declarative way to automatically create/update/delete Applications.
 
 Granting `applicationsets, create` effectively grants the ability to create Applications. While it doesn't allow the 
 user to create Applications directly, they can create Applications via an ApplicationSet.

docs/operator-manual/upgrading/2.3-2.4.md

@@ -1,5 +1,26 @@
 # v2.3 to 2.4
 
+## Known Issues
+
+### Broken `project` filter before 2.4.27
+
+Argo CD 2.4.0 introduced a breaking API change, renaming the `project` filter to `projects`.
+
+#### Impact to API clients
+
+A similar issue applies to other API clients which communicate with the Argo CD API server via its REST API. If the
+client uses the `project` field to filter projects, the filter will not be applied. **The failing project filter could 
+have detrimental consequences if, for example, you rely on it to list Applications to be deleted.**
+
+#### Impact to CLI clients
+
+CLI clients older that v2.4.0 rely on client-side filtering and are not impacted by this bug.
+
+#### How to fix the problem
+
+Upgrade to Argo CD >=2.4.27, >=2.5.15, or >=2.6.6. This version of Argo CD will accept both `project` and `projects` as
+valid filters.
+
 ## KSonnet support is removed
 
 Ksonnet was deprecated in [2019](https://github.com/ksonnet/ksonnet/pull/914/files) and is no longer maintained.

docs/operator-manual/upgrading/2.4-2.5.md

@@ -1,5 +1,57 @@
 # v2.4 to 2.5
 
+## Known Issues
+
+### Broken `project` filter before 2.5.15
+
+Argo CD 2.4.0 introduced a breaking API change, renaming the `project` filter to `projects`.
+
+#### Impact to API clients
+
+A similar issue applies to other API clients which communicate with the Argo CD API server via its REST API. If the
+client uses the `project` field to filter projects, the filter will not be applied. **The failing project filter could
+have detrimental consequences if, for example, you rely on it to list Applications to be deleted.**
+
+#### Impact to CLI clients
+
+CLI clients older that v2.4.0 rely on client-side filtering and are not impacted by this bug.
+
+#### How to fix the problem
+
+Upgrade to Argo CD >=2.4.27, >=2.5.15, or >=2.6.6. This version of Argo CD will accept both `project` and `projects` as
+valid filters.
+
+### Broken matrix-nested git files generator in 2.5.14
+
+Argo CD 2.5.14 introduced a bug in the matrix-nested git files generator. The bug only applies when the git files
+generator is the second generator nested under a matrix. For example:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: guestbook
+spec:
+  generators:
+  - matrix:
+      generators:
+        - clusters: {}
+        - git:
+            repoURL: https://git.example.com/org/repo.git
+            revision: HEAD
+            files:
+              - path: "defaults/*.yaml"
+  template:
+    # ...
+```
+
+The nested git files generator will produce no parameters, causing the matrix generator to also produce no parameters.
+This will cause the ApplicationSet to produce no Applications. If the ApplicationSet controller is
+[configured with the ability to delete applications](https://argo-cd.readthedocs.io/en/latest/operator-manual/applicationset/Controlling-Resource-Modification/),
+it will delete all Applications which were previously created by the ApplicationSet.
+
+To avoid this issue, upgrade directly to >=2.5.15 or >= 2.6.6.
+
 ## Configure RBAC to account for new `applicationsets` resource
 
 2.5 introduces a new `applicationsets` [RBAC resource](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#rbac-resources-and-actions).
@@ -130,3 +182,21 @@ This note is just for clarity. No action is required.
 
 We [expected](../upgrading/2.3-2.4.md#enable-logs-rbac-enforcement) to enable logs RBAC enforcement by default in 2.5.
 We have decided not to do that in the 2.x series due to disruption for users of [Project Roles](../../user-guide/projects.md#project-roles).
+
+## `argocd app create` for old CLI versions fails with API version >=2.5.16
+
+Starting with Argo CD 2.5.16, the API returns `PermissionDenied` instead of `NotFound` for Application `GET` requests if
+the Application does not exist.
+
+The Argo CD CLI before versions starting with version 2.5.0-rc1 and before versions 2.5.16 and 2.6.7 does a `GET` 
+request before the `POST` request in `argocd app create`. The command does not gracefully handle the `PermissionDenied` 
+response and will therefore fail to create/update the Application.
+
+To solve the issue, upgrade the CLI to at least 2.5.16, or 2.6.7.
+
+CLIs older than 2.5.0-rc1 are unaffected.
+
+## Golang upgrade in 2.5.20
+
+In 2.5.20, we upgrade the Golang version used to build Argo CD from 1.18 to 1.19. If you use Argo CD as a library, you
+may need to upgrade your Go version.

docs/operator-manual/user-management/keycloak.md

@@ -94,6 +94,7 @@ data:
 ```
 
 Make sure that:
+
 - __issuer__ ends with the correct realm (in this example _master_)
 - __issuer__ on Keycloak releases older than version 17 the URL must include /auth (in this expample /auth/realms/master)
 - __clientID__ is set to the Client ID you configured in Keycloak

docs/operator-manual/user-management/openunison.md

@@ -19,7 +19,7 @@ metadata:
 spec:
   accessTokenSkewMillis: 120000
   accessTokenTimeToLive: 1200000
-  authChainName: LoginService
+  authChainName: login-service
   clientId: argocd
   codeLastMileKeyName: lastmile-oidc
   codeTokenSkewMilis: 60000

docs/user-guide/app_deletion.md

@@ -22,7 +22,7 @@ or
 argocd app delete APPNAME
 ```
 
-# Deletion Using `kubectl`
+## Deletion Using `kubectl`
 
 To perform a non-cascade delete, make sure the finalizer is unset and then delete the app:
 
@@ -38,16 +38,23 @@ kubectl patch app APPNAME  -p '{"metadata": {"finalizers": ["resources-finalizer
 kubectl delete app APPNAME
 ```
 
-# About The Deletion Finalizer
+## About The Deletion Finalizer
 
 For the technical amongst you, the Argo CD application controller watches for this finalizer:
 
 ```yaml
 metadata:
   finalizers:
+    # The default behaviour is foreground cascading deletion
     - resources-finalizer.argocd.argoproj.io
+    # Alternatively, you can use background cascading deletion
+    # - resources-finalizer.argocd.argoproj.io/background
 ```
 
 Argo CD's app controller watches for this and will then delete both the app and its resources.
 
+The default propagation policy for cascading deletion is [foreground cascading deletion](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion).
+ArgoCD performs [background cascading deletion](https://kubernetes.io/docs/concepts/architecture/garbage-collection/#background-deletion) when `resources-finalizer.argocd.argoproj.io/background` is set.
+
 When you invoke `argocd app delete` with `--cascade`, the finalizer is added automatically.
+You can set the propagation policy with `--propagation-policy <foreground|background>`.

docs/user-guide/application-set.md

@@ -48,40 +48,4 @@ Within ApplicationSet there exist other more powerful generators in addition to
 
 To learn more about the ApplicationSet controller, check out [ApplicationSet documentation](../operator-manual/applicationset/index.md) to install the ApplicationSet controller alongside Argo CD.
 
-**Note:** Starting `v2.3` of Argo CD, we don't need to install ApplicationSet Controller separately. It would be instead as part of Argo CD installation.
-
-#### Post Selector all generators
-
-The Selector allows to post-filter based on generated values using the kubernetes common labelSelector format. In the example, the list generator generates a set of two application which then filter by the key value to only select the `env` with value `staging`:
-
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: guestbook
-spec:
-  generators:
-  - list:
-      elements:
-        - cluster: engineering-dev
-          url: https://kubernetes.default.svc
-          env: staging
-        - cluster: engineering-prod
-          url: https://kubernetes.default.svc
-          env: prod
-    selector:
-      matchLabels:
-        env: staging
-  template:
-    metadata:
-      name: '{{cluster}}-guestbook'
-    spec:
-      project: default
-      source:
-        repoURL: https://github.com/argoproj-labs/applicationset.git
-        targetRevision: HEAD
-        path: examples/list-generator/guestbook/{{cluster}}
-      destination:
-        server: '{{url}}'
-        namespace: guestbook
-```
+**Note:** Starting `v2.3` of Argo CD, we don't need to install ApplicationSet Controller separately. It would be instead as part of Argo CD installation.

docs/user-guide/commands/argocd_admin_dashboard.md

@@ -25,6 +25,7 @@ argocd admin dashboard [flags]
       --password string                Password for basic authentication to the API server
       --port int                       Listen on given port (default 8080)
       --proxy-url string               If provided, this URL will be used to connect via proxy
+      --redis-compress string          Enable this if the application controller is configured with redis compression enabled. (possible values: none, gzip) (default "none")
       --request-timeout string         The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
       --tls-server-name string         If provided, this name will be used to validate server certificate. If this is not provided, hostname used to contact the server is used.
       --token string                   Bearer token for authentication to the API server

docs/user-guide/diffing.md

@@ -60,8 +60,8 @@ To ignore fields owned by specific managers defined in your live resources:
 ```yaml
 spec:
   ignoreDifferences:
-  - group: *
-    kind: *
+  - group: "*"
+    kind: "*"
     managedFieldsManagers:
     - kube-controller-manager
 ```

docs/user-guide/extra_info.md

@@ -0,0 +1,28 @@
+# Add extra Application info
+
+You can add additional information to an Application on your ArgoCD dashboard.
+If you wish to add clickable links, see [Add external URL](https://argo-cd.readthedocs.io/en/stable/user-guide/external-url/). 
+
+This is done by providing the 'info' field a key-value in your Application manifest.
+
+Example:
+```yaml
+project: argo-demo
+source:
+  repoURL: 'https://demo'
+  path: argo-demo
+destination:
+  server: https://demo
+  namespace: argo-demo
+info:
+  - name: Example:
+    value: >-
+      https://example.com
+```
+![External link](../assets/extra_info-1.png)
+
+The additional information will be visible on the ArgoCD Application details page.
+
+![External link](../assets/extra_info.png)
+
+![External link](../assets/extra_info-2.png)

docs/user-guide/helm.md

@@ -37,6 +37,29 @@ argocd app set helm-guestbook --values values-production.yaml
     location in which case it can be accessed using a relative path relative to the root directory of
     the Helm chart.
 
+## Values
+
+Argo CD supports the equivalent of a values file directly in the Application manifest using the `source.helm.values` key.
+
+```
+source:
+  helm:
+    values: |
+      ingress:
+        enabled: true
+        path: /
+        hosts:
+          - mydomain.example.com
+        annotations:
+          kubernetes.io/ingress.class: nginx
+          kubernetes.io/tls-acme: "true"
+        labels: {}
+        tls:
+          - secretName: mydomain-tls
+            hosts:
+              - mydomain.example.com
+```
+
 ## Helm Parameters
 
 Helm has the ability to set parameter values, which override any values in
@@ -94,11 +117,14 @@ Argo CD supports many (most?) Helm hooks by mapping the Helm annotations onto Ar
 | `helm.sh/hook: test-success` | Not supported. No equivalent in Argo CD. |
 | `helm.sh/hook: test-failure` | Not supported. No equivalent in Argo CD. |
 | `helm.sh/hook-delete-policy` | Supported. See also `argocd.argoproj.io/hook-delete-policy`). |
-| `helm.sh/hook-delete-timeout` | No supported. Never used in Helm stable |
+| `helm.sh/hook-delete-timeout` | Not supported. Never used in Helm stable |
 | `helm.sh/hook-weight` | Supported as equivalent to `argocd.argoproj.io/sync-wave`. |
 
 Unsupported hooks are ignored. In Argo CD, hooks are created by using `kubectl apply`, rather than `kubectl create`. This means that if the hook is named and already exists, it will not change unless you have annotated it with `before-hook-creation`.
 
+!!! warning "Helm hooks + ArgoCD hooks"
+    If you define some Argo CD hooks in addition to the Helm ones, the Helm hooks will be ignored.   
+
 !!! warning "'install' vs 'upgrade' vs 'sync'"
     Argo CD cannot know if it is running a first-time "install" or an "upgrade" - every operation is a "sync'. This means that, by default, apps that have `pre-install` and `pre-upgrade` will have those hooks run at the same time.
 

docs/user-guide/private-repositories.md

@@ -276,7 +276,7 @@ You can list all configured SSH known host entries using the `argocd cert list`
 ```bash
 $ argocd cert list --cert-type ssh
 HOSTNAME                 TYPE  SUBTYPE              FINGERPRINT/SUBJECT
-bitbucket.org            ssh   ssh-rsa              SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A
+bitbucket.org            ssh   ssh-rsa              SHA256:46OSHA1Rmj8E8ERTC6xkNcmGOw9oFxYr0WF6zWW8l1E
 github.com               ssh   ssh-rsa              SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
 gitlab.com               ssh   ecdsa-sha2-nistp256  SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw
 gitlab.com               ssh   ssh-ed25519          SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8

docs/user-guide/projects.md

@@ -294,7 +294,7 @@ stringData:
 
 All the examples above talk about Git repositories, but the same principles apply to clusters as well.
 
-With cluster-scoped clusters we can also restrict projects to only allow applications whose destinations belong to the 
+With project-scoped clusters we can also restrict projects to only allow applications whose destinations belong to the 
 same project. The default behavior allows for applications to be installed onto clusters which are not a part of the same 
 project, as the example below demonstrates:
 

hack/ssh_known_hosts

@@ -1,5 +1,5 @@
 # This file was automatically generated. DO NOT EDIT
-bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
 github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
 gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
 gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf

hack/update-ssh-known-hosts.sh

@@ -14,11 +14,11 @@ chmod 0644 $KNOWN_HOSTS_FILE
 # - bitbucket.org: https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html
 # - ssh.dev.azure.com, vs-ssh.visualstudio.com: https://docs.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops
 diff - <(ssh-keygen -l -f $KNOWN_HOSTS_FILE | sort -k 3) <<EOF
-2048 SHA256:zzXQOXSRBEiUtuE8AikJYKwbHaxvSc0ojez9YXaGp1A bitbucket.org (RSA)
+2048 SHA256:46OSHA1Rmj8E8ERTC6xkNcmGOw9oFxYr0WF6zWW8l1E bitbucket.org (RSA)
 2048 SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8 github.com (RSA)
 256 SHA256:HbW3g8zUjNSksFbqTiUWPWg2Bq1x8xdGUrliXFzSnUw gitlab.com (ECDSA)
 256 SHA256:eUXGGm1YGsMAS7vkcx6JOJdOGHPem5gQp4taiCfCLB8 gitlab.com (ED25519)
 2048 SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ gitlab.com (RSA)
 2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og ssh.dev.azure.com (RSA)
 2048 SHA256:ohD8VZEXGWo6Ez8GSEJQ9WpafgLFsOfLOtGGQCQo6Og vs-ssh.visualstudio.com (RSA)
-EOF
+EOF

manifests/base/config/argocd-ssh-known-hosts-cm.yaml

@@ -7,7 +7,7 @@ metadata:
   name: argocd-ssh-known-hosts-cm
 data:
   ssh_known_hosts: |
-    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
     gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
     gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
@@ -15,4 +15,4 @@ data:
     ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
     vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H
     github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
-    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+    github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl

manifests/base/dex/argocd-dex-server-deployment.yaml

@@ -37,7 +37,7 @@ spec:
             type: RuntimeDefault
       containers:
       - name: dex
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.37.0
         imagePullPolicy: Always
         command: [/shared/argocd-dex, rundex]
         env:

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.5.14
+  newTag: v2.5.22
 resources:
 - ./application-controller
 - ./dex

manifests/base/redis/argocd-redis-deployment.yaml

@@ -23,7 +23,7 @@ spec:
       serviceAccountName: argocd-redis        
       containers:
       - name: redis
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: Always
         args:
         - "--save"

manifests/core-install.yaml

@@ -9500,8 +9500,8 @@ metadata:
 ---
 apiVersion: v1
 data:
-  ssh_known_hosts: |-
-    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+  ssh_known_hosts: |
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
     gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
     gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
@@ -9635,7 +9635,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -9717,7 +9717,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -9893,7 +9893,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -9944,7 +9944,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -10151,7 +10151,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.5.14
+  newTag: v2.5.22

manifests/ha/base/kustomization.yaml

@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.5.14
+  newTag: v2.5.22
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/base/redis-ha/chart/upstream.yaml

@@ -1071,7 +1071,7 @@ spec:
               topologyKey: kubernetes.io/hostname
       initContainers:
       - name: config-init
-        image: haproxy:2.6.9-alpine
+        image: haproxy:2.6.14-alpine
         imagePullPolicy: IfNotPresent
         resources:
           {}
@@ -1089,7 +1089,7 @@ spec:
           mountPath: /data
       containers:
       - name: haproxy
-        image: haproxy:2.6.9-alpine
+        image: haproxy:2.6.14-alpine
         imagePullPolicy: IfNotPresent
         securityContext: 
           null
@@ -1179,7 +1179,7 @@ spec:
       automountServiceAccountToken: false
       initContainers:
       - name: config-init
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         resources:
           {}
@@ -1206,7 +1206,7 @@ spec:
 
       containers:
       - name: redis
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         command:
         - redis-server
@@ -1256,7 +1256,7 @@ spec:
               - /bin/sh
               - /readonly-config/trigger-failover-if-master.sh
       - name: sentinel
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         command:
           - redis-sentinel
@@ -1300,7 +1300,7 @@ spec:
           {}
 
       - name: split-brain-fix
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         command:
           - sh

manifests/ha/base/redis-ha/chart/values.yaml

@@ -11,14 +11,14 @@ redis-ha:
     IPv6:
       enabled: false
     image:
-      tag: 2.6.9-alpine
+      tag: 2.6.14-alpine
     containerSecurityContext: null
     timeout:
       server: 6m
       client: 6m
     checkInterval: 3s
   image:
-    tag: 7.0.8-alpine
+    tag: 7.0.11-alpine
   containerSecurityContext: null
   sentinel:
     bind: "0.0.0.0"

manifests/ha/install.yaml

@@ -10514,8 +10514,8 @@ metadata:
 ---
 apiVersion: v1
 data:
-  ssh_known_hosts: |-
-    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+  ssh_known_hosts: |
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
     gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
     gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
@@ -10836,7 +10836,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -10917,7 +10917,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.37.0
         imagePullPolicy: Always
         name: dex
         ports:
@@ -10946,7 +10946,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -10999,7 +10999,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -11070,7 +11070,7 @@ spec:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
       containers:
-      - image: haproxy:2.6.9-alpine
+      - image: haproxy:2.6.14-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -11106,7 +11106,7 @@ spec:
         - /readonly/haproxy_init.sh
         command:
         - sh
-        image: haproxy:2.6.9-alpine
+        image: haproxy:2.6.14-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:
@@ -11296,7 +11296,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -11347,7 +11347,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -11620,7 +11620,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -11855,7 +11855,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -11932,7 +11932,7 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -11985,7 +11985,7 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -12037,7 +12037,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
@@ -12066,7 +12066,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:

manifests/ha/namespace-install.yaml

@@ -1180,8 +1180,8 @@ metadata:
 ---
 apiVersion: v1
 data:
-  ssh_known_hosts: |-
-    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+  ssh_known_hosts: |
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
     gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
     gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
@@ -1502,7 +1502,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1583,7 +1583,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.37.0
         imagePullPolicy: Always
         name: dex
         ports:
@@ -1612,7 +1612,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1665,7 +1665,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1736,7 +1736,7 @@ spec:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
       containers:
-      - image: haproxy:2.6.9-alpine
+      - image: haproxy:2.6.14-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -1772,7 +1772,7 @@ spec:
         - /readonly/haproxy_init.sh
         command:
         - sh
-        image: haproxy:2.6.9-alpine
+        image: haproxy:2.6.14-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:
@@ -1962,7 +1962,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2013,7 +2013,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2286,7 +2286,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2521,7 +2521,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -2598,7 +2598,7 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -2651,7 +2651,7 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -2703,7 +2703,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
@@ -2732,7 +2732,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:

manifests/install.yaml

@@ -9736,8 +9736,8 @@ metadata:
 ---
 apiVersion: v1
 data:
-  ssh_known_hosts: |-
-    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+  ssh_known_hosts: |
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
     gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
     gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
@@ -9955,7 +9955,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -10036,7 +10036,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.37.0
         imagePullPolicy: Always
         name: dex
         ports:
@@ -10065,7 +10065,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -10118,7 +10118,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -10195,7 +10195,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -10371,7 +10371,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -10422,7 +10422,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -10691,7 +10691,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -10924,7 +10924,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -402,8 +402,8 @@ metadata:
 ---
 apiVersion: v1
 data:
-  ssh_known_hosts: |-
-    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+  ssh_known_hosts: |
+    bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
     github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
     gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
     gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf
@@ -621,7 +621,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -702,7 +702,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.3
+        image: ghcr.io/dexidp/dex:v2.37.0
         imagePullPolicy: Always
         name: dex
         ports:
@@ -731,7 +731,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -784,7 +784,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -861,7 +861,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.8-alpine
+        image: redis:7.0.11-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -1037,7 +1037,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1088,7 +1088,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1357,7 +1357,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1590,7 +1590,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.14
+        image: quay.io/argoproj/argocd:v2.5.22
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

mkdocs.yml

@@ -94,6 +94,7 @@ nav:
       - operator-manual/applicationset/Generators-SCM-Provider.md
       - operator-manual/applicationset/Generators-Cluster-Decision-Resource.md
       - operator-manual/applicationset/Generators-Pull-Request.md
+      - operator-manual/applicationset/Generators-Post-Selector.md
     - Template fields:
       - operator-manual/applicationset/Template.md
       - operator-manual/applicationset/GoTemplate.md
@@ -154,6 +155,7 @@ nav:
   - user-guide/best_practices.md
   - user-guide/status-badge.md
   - user-guide/external-url.md
+  - user-guide/extra_info.md
   - Notification subscriptions: user-guide/subscriptions.md
   - Command Reference: user-guide/commands/argocd.md
 - Developer Guide:

pkg/apiclient/application/application.pb.go

@@ -51,7 +51,9 @@ type ApplicationQuery struct {
 	// the repoURL to restrict returned list applications
 	Repo *string `protobuf:"bytes,6,opt,name=repo" json:"repo,omitempty"`
 	// the application's namespace
-	AppNamespace         *string  `protobuf:"bytes,7,opt,name=appNamespace" json:"appNamespace,omitempty"`
+	AppNamespace *string `protobuf:"bytes,7,opt,name=appNamespace" json:"appNamespace,omitempty"`
+	// the project names to restrict returned list applications (legacy name for backwards-compatibility)
+	Project              []string `protobuf:"bytes,8,rep,name=project" json:"project,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -139,6 +141,13 @@ func (m *ApplicationQuery) GetAppNamespace() string {
 	return ""
 }
 
+func (m *ApplicationQuery) GetProject() []string {
+	if m != nil {
+		return m.Project
+	}
+	return nil
+}
+
 type NodeQuery struct {
 	// the application's name
 	Name                 *string  `protobuf:"bytes,1,opt,name=name" json:"name,omitempty"`
@@ -2451,160 +2460,161 @@ func init() {
 }
 
 var fileDescriptor_df6e82b174b5eaec = []byte{
-	// 2444 bytes of a gzipped FileDescriptorProto
+	// 2453 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x5a, 0xcd, 0x8f, 0x1c, 0x47,
 	0x15, 0xa7, 0x66, 0xbf, 0x66, 0xde, 0xac, 0xbf, 0x2a, 0xf1, 0xd2, 0x19, 0xaf, 0xcd, 0xa6, 0xfd,
 	0xb5, 0x5e, 0x7b, 0x67, 0xec, 0xc1, 0x20, 0x67, 0x03, 0x02, 0xdb, 0xf1, 0x17, 0xac, 0x1d, 0xd3,
 	0x6b, 0xb3, 0x28, 0x1c, 0xa0, 0xd2, 0x5d, 0x3b, 0xdb, 0xec, 0x4c, 0x57, 0xbb, 0xbb, 0x67, 0xac,
 	0x91, 0xf1, 0x25, 0x08, 0x4e, 0x28, 0x48, 0x49, 0x0e, 0x28, 0x8a, 0x10, 0x4a, 0x94, 0x0b, 0x17,
-	0x6e, 0x08, 0x89, 0x0b, 0x5c, 0x10, 0x48, 0x1c, 0x10, 0x1f, 0x97, 0x9c, 0x90, 0xc5, 0x8d, 0x0b,
-	0x7f, 0x02, 0xaa, 0xea, 0xaa, 0xee, 0xea, 0x99, 0x9e, 0x9e, 0x59, 0x76, 0xa3, 0xf8, 0x56, 0xaf,
-	0xba, 0xea, 0xbd, 0x5f, 0xbd, 0x7a, 0xef, 0x55, 0xd5, 0x6f, 0x06, 0x4e, 0x85, 0x34, 0xe8, 0xd1,
-	0xa0, 0x41, 0x7c, 0xbf, 0xed, 0xda, 0x24, 0x72, 0x99, 0xa7, 0xb7, 0xeb, 0x7e, 0xc0, 0x22, 0x86,
-	0xab, 0x5a, 0x57, 0x6d, 0xb1, 0xc5, 0x58, 0xab, 0x4d, 0x1b, 0xc4, 0x77, 0x1b, 0xc4, 0xf3, 0x58,
-	0x24, 0xba, 0xc3, 0x78, 0x68, 0xcd, 0xdc, 0xb9, 0x12, 0xd6, 0x5d, 0x26, 0xbe, 0xda, 0x2c, 0xa0,
-	0x8d, 0xde, 0xa5, 0x46, 0x8b, 0x7a, 0x34, 0x20, 0x11, 0x75, 0xe4, 0x98, 0xcb, 0xe9, 0x98, 0x0e,
-	0xb1, 0xb7, 0x5d, 0x8f, 0x06, 0xfd, 0x86, 0xbf, 0xd3, 0xe2, 0x1d, 0x61, 0xa3, 0x43, 0x23, 0x92,
-	0x37, 0x6b, 0xbd, 0xe5, 0x46, 0xdb, 0xdd, 0x37, 0xeb, 0x36, 0xeb, 0x34, 0x48, 0xd0, 0x62, 0x7e,
-	0xc0, 0x7e, 0x20, 0x1a, 0xab, 0xb6, 0xd3, 0xe8, 0x35, 0x53, 0x05, 0xfa, 0x5a, 0x7a, 0x97, 0x48,
-	0xdb, 0xdf, 0x26, 0xc3, 0xda, 0x6e, 0x8c, 0xd1, 0x16, 0x50, 0x9f, 0x49, 0xdf, 0x88, 0xa6, 0x1b,
-	0xb1, 0xa0, 0xaf, 0x35, 0x63, 0x35, 0xe6, 0x27, 0x08, 0x0e, 0x5f, 0x4d, 0xed, 0x7d, 0xab, 0x4b,
-	0x83, 0x3e, 0xc6, 0x30, 0xed, 0x91, 0x0e, 0x35, 0xd0, 0x12, 0x5a, 0xae, 0x58, 0xa2, 0x8d, 0x0d,
-	0x98, 0x0b, 0xe8, 0x56, 0x40, 0xc3, 0x6d, 0xa3, 0x24, 0xba, 0x95, 0x88, 0x6b, 0x50, 0xe6, 0xc6,
-	0xa9, 0x1d, 0x85, 0xc6, 0xd4, 0xd2, 0xd4, 0x72, 0xc5, 0x4a, 0x64, 0xbc, 0x0c, 0x87, 0x02, 0x1a,
-	0xb2, 0x6e, 0x60, 0xd3, 0x6f, 0xd3, 0x20, 0x74, 0x99, 0x67, 0x4c, 0x8b, 0xd9, 0x83, 0xdd, 0x5c,
-	0x4b, 0x48, 0xdb, 0xd4, 0x8e, 0x58, 0x60, 0xcc, 0x88, 0x21, 0x89, 0xcc, 0xf1, 0x70, 0xe0, 0xc6,
-	0x6c, 0x8c, 0x87, 0xb7, 0xb1, 0x09, 0xf3, 0xc4, 0xf7, 0xef, 0x91, 0x0e, 0x0d, 0x7d, 0x62, 0x53,
-	0x63, 0x4e, 0x7c, 0xcb, 0xf4, 0x99, 0xd7, 0xa1, 0x72, 0x8f, 0x39, 0x74, 0xf4, 0xa2, 0x06, 0x95,
-	0x94, 0x72, 0x94, 0xec, 0xc0, 0x51, 0x8b, 0xf6, 0x5c, 0x0e, 0xf2, 0x2e, 0x8d, 0x88, 0x43, 0x22,
-	0x32, 0xa8, 0xb0, 0x94, 0x28, 0xac, 0x41, 0x39, 0x90, 0x83, 0x8d, 0x92, 0xe8, 0x4f, 0xe4, 0x21,
-	0x63, 0x53, 0x39, 0xc6, 0xfe, 0x82, 0xe0, 0x84, 0xb6, 0x1d, 0x96, 0x74, 0xd2, 0x8d, 0x1e, 0xf5,
-	0xa2, 0x70, 0xb4, 0xd9, 0x0b, 0x70, 0x44, 0xf9, 0x73, 0x70, 0x31, 0xc3, 0x1f, 0x38, 0x10, 0xbd,
-	0x53, 0x01, 0xd1, 0xfb, 0xf0, 0x12, 0x54, 0x95, 0xfc, 0xf0, 0xce, 0x6b, 0x72, 0xd3, 0xf4, 0xae,
-	0xa1, 0xe5, 0xcc, 0xe4, 0x2c, 0xc7, 0x03, 0x43, 0x5b, 0xcd, 0x5d, 0xe2, 0xb9, 0x5b, 0x34, 0x8c,
-	0x26, 0x75, 0x1f, 0xda, 0xb5, 0xfb, 0x5e, 0x86, 0xca, 0x4d, 0xb7, 0x4d, 0xaf, 0x6f, 0x77, 0xbd,
-	0x1d, 0xfc, 0x22, 0xcc, 0xd8, 0xbc, 0x21, 0x2c, 0xcc, 0x5b, 0xb1, 0x60, 0x3e, 0x86, 0x97, 0x47,
-	0x41, 0xda, 0x74, 0xa3, 0x6d, 0x3e, 0x3d, 0x1c, 0x85, 0xcd, 0xde, 0xa6, 0xf6, 0x4e, 0xd8, 0xed,
-	0xa8, 0xad, 0x55, 0xf2, 0x44, 0xd8, 0x7e, 0x85, 0x60, 0x79, 0xac, 0xe5, 0xcd, 0x80, 0xf8, 0x3e,
-	0x0d, 0xf0, 0x4d, 0x98, 0x79, 0xc4, 0x3f, 0x88, 0x68, 0xad, 0x36, 0xeb, 0x75, 0xbd, 0xa6, 0x8d,
-	0xd5, 0x72, 0xfb, 0x73, 0x56, 0x3c, 0x1d, 0xd7, 0x95, 0x0f, 0x4a, 0x42, 0xcf, 0x42, 0x46, 0x4f,
-	0xe2, 0x2a, 0x3e, 0x5e, 0x0c, 0xbb, 0x36, 0x0b, 0xd3, 0x3e, 0x09, 0x22, 0xf3, 0x28, 0xbc, 0x90,
-	0x0d, 0x43, 0x9f, 0x79, 0x21, 0x35, 0x7f, 0x87, 0x32, 0x1b, 0x7a, 0x3d, 0xa0, 0x24, 0xa2, 0x16,
-	0x7d, 0xd4, 0xa5, 0x61, 0x84, 0x77, 0x40, 0x2f, 0xb3, 0xc2, 0x77, 0xd5, 0xe6, 0x9d, 0x7a, 0x5a,
-	0xa7, 0xea, 0xaa, 0x4e, 0x89, 0xc6, 0xf7, 0x6c, 0xa7, 0xde, 0x6b, 0xd6, 0xfd, 0x9d, 0x56, 0x9d,
-	0x57, 0xbd, 0x0c, 0x32, 0x55, 0xf5, 0xf4, 0xa5, 0x5a, 0xba, 0x76, 0xbc, 0x00, 0xb3, 0x5d, 0x3f,
-	0xa4, 0x41, 0x24, 0x56, 0x56, 0xb6, 0xa4, 0xc4, 0x77, 0xa9, 0x47, 0xda, 0xae, 0x43, 0xa2, 0x78,
-	0x17, 0xca, 0x56, 0x22, 0x9b, 0x1f, 0x65, 0xd1, 0x3f, 0xf4, 0x9d, 0xcf, 0x0a, 0xbd, 0x8e, 0xb2,
-	0x34, 0x80, 0xf2, 0xfd, 0x2c, 0xca, 0xd7, 0x68, 0x9b, 0xa6, 0x28, 0xf3, 0x02, 0xd3, 0x80, 0x39,
-	0x9b, 0x84, 0x36, 0x71, 0x94, 0x2e, 0x25, 0xf2, 0xb2, 0xe0, 0x07, 0xcc, 0x27, 0x2d, 0xa1, 0xe9,
-	0x3e, 0x6b, 0xbb, 0x76, 0x5f, 0xc6, 0xe6, 0xf0, 0x87, 0xa1, 0x20, 0x9e, 0xce, 0x09, 0xe2, 0x93,
-	0x50, 0xdd, 0xe8, 0x7b, 0xf6, 0xeb, 0xbe, 0x38, 0x32, 0x79, 0x8a, 0xb9, 0x11, 0xed, 0x84, 0x06,
-	0x12, 0x75, 0x3f, 0x16, 0xcc, 0x0f, 0x66, 0x60, 0x41, 0x5b, 0x01, 0x9f, 0x50, 0x84, 0xbf, 0x28,
-	0xe9, 0x17, 0x60, 0xd6, 0x09, 0xfa, 0x56, 0xd7, 0x93, 0x9b, 0x29, 0x25, 0x6e, 0xd8, 0x0f, 0xba,
-	0x5e, 0x0c, 0xb2, 0x6c, 0xc5, 0x02, 0xde, 0x82, 0x72, 0x18, 0xf1, 0x43, 0xb2, 0xd5, 0x17, 0xe5,
-	0xa8, 0xda, 0xfc, 0xc6, 0xde, 0x36, 0x90, 0x43, 0xdf, 0x90, 0x1a, 0xad, 0x44, 0x37, 0x7e, 0x04,
-	0x15, 0x55, 0x09, 0x43, 0x63, 0x6e, 0x69, 0x6a, 0xb9, 0xda, 0xdc, 0xd8, 0xbb, 0xa1, 0xd7, 0x7d,
-	0x7e, 0xc0, 0x6b, 0x55, 0xdf, 0x4a, 0xad, 0xe0, 0x45, 0xa8, 0x74, 0x64, 0xae, 0x87, 0x46, 0x59,
-	0x78, 0x3b, 0xed, 0xc0, 0xdf, 0x81, 0x19, 0xd7, 0xdb, 0x62, 0xa1, 0x51, 0x11, 0x60, 0xae, 0xed,
-	0x0d, 0xcc, 0x1d, 0x6f, 0x8b, 0x59, 0xb1, 0x42, 0xfc, 0x08, 0x0e, 0x04, 0x34, 0x0a, 0xfa, 0xca,
-	0x0b, 0x06, 0x08, 0xbf, 0x7e, 0x73, 0x6f, 0x16, 0x2c, 0x5d, 0xa5, 0x95, 0xb5, 0x80, 0xd7, 0xa0,
-	0x1a, 0xa6, 0x31, 0x66, 0x54, 0x85, 0x41, 0x23, 0xa3, 0x48, 0x8b, 0x41, 0x4b, 0x1f, 0x3c, 0x14,
-	0xc3, 0xf3, 0x39, 0x31, 0xfc, 0x4f, 0x04, 0x8b, 0x43, 0x65, 0x60, 0xc3, 0xa7, 0x85, 0x41, 0x4a,
-	0x60, 0x3a, 0xf4, 0xa9, 0x2d, 0x2a, 0x7f, 0xb5, 0x79, 0x77, 0xdf, 0xea, 0x82, 0xb0, 0x2b, 0x54,
-	0x17, 0x95, 0xae, 0x89, 0x72, 0xf3, 0xc7, 0x08, 0x3e, 0xaf, 0x69, 0xbe, 0x4f, 0x22, 0x7b, 0xbb,
-	0x68, 0x49, 0x3c, 0x87, 0xf8, 0x18, 0x79, 0x9a, 0xc5, 0x02, 0x0f, 0x34, 0xd1, 0x78, 0xd0, 0xf7,
-	0x39, 0x0c, 0xfe, 0x25, 0xed, 0x98, 0xe8, 0xd0, 0x7f, 0x07, 0x41, 0x4d, 0xaf, 0x7c, 0xac, 0xdd,
-	0x7e, 0x93, 0xd8, 0x3b, 0x45, 0x50, 0x0e, 0x42, 0xc9, 0x75, 0x04, 0x8e, 0x29, 0xab, 0xe4, 0x3a,
-	0xbb, 0x4c, 0xfb, 0x41, 0x50, 0xb3, 0x39, 0xa0, 0x3e, 0x19, 0x00, 0xa5, 0x52, 0xac, 0x00, 0xd4,
-	0x22, 0x54, 0xbc, 0x81, 0xcb, 0x54, 0xda, 0x91, 0x73, 0x89, 0x2a, 0x0d, 0x5d, 0xa2, 0x0c, 0x98,
-	0xeb, 0x25, 0xb7, 0x5e, 0xfe, 0x59, 0x89, 0x7c, 0x21, 0xad, 0x80, 0x75, 0x7d, 0xe9, 0xc0, 0x58,
-	0xe0, 0x28, 0x76, 0x5c, 0xcf, 0x31, 0x66, 0x63, 0x14, 0xbc, 0x3d, 0xd1, 0x3d, 0xf7, 0xdd, 0x12,
-	0x7c, 0x21, 0x67, 0x71, 0x63, 0x23, 0xe0, 0xf9, 0x58, 0x61, 0x12, 0x87, 0x73, 0x23, 0xe3, 0xb0,
-	0x3c, 0x2e, 0x0e, 0x2b, 0x39, 0x5e, 0x79, 0xbb, 0x04, 0x4b, 0x39, 0x5e, 0x19, 0x7f, 0xa0, 0x3e,
-	0x37, 0x6e, 0xd9, 0x62, 0x81, 0xdc, 0xf1, 0xb2, 0x15, 0x0b, 0x3c, 0x33, 0x58, 0xe0, 0x6f, 0x13,
-	0xcf, 0x28, 0xc7, 0x99, 0x11, 0x4b, 0x13, 0x39, 0xe4, 0xbf, 0x08, 0x0c, 0xe5, 0x85, 0xab, 0xb6,
-	0xf0, 0x49, 0xd7, 0x7b, 0xfe, 0x1d, 0xb1, 0x00, 0xb3, 0x44, 0xa0, 0x95, 0x01, 0x22, 0xa5, 0xa1,
-	0x25, 0x97, 0xf3, 0x6b, 0xe2, 0xb1, 0xec, 0x92, 0xc3, 0x75, 0x37, 0x8c, 0xd4, 0x85, 0x16, 0x6f,
-	0xc1, 0x5c, 0xac, 0x2d, 0xbe, 0xc2, 0x54, 0x9b, 0xeb, 0x7b, 0x3d, 0xd8, 0x32, 0xee, 0x55, 0xca,
-	0xcd, 0x57, 0xe0, 0x58, 0x6e, 0xf5, 0x91, 0x30, 0x6a, 0x50, 0x56, 0x87, 0xb9, 0xdc, 0x80, 0x44,
-	0x36, 0xff, 0x33, 0x95, 0x2d, 0xeb, 0xcc, 0x59, 0x67, 0xad, 0x82, 0xb7, 0x60, 0xf1, 0xa6, 0x19,
-	0x30, 0xe7, 0x33, 0x47, 0x7b, 0xf6, 0x29, 0x91, 0xcf, 0xb3, 0x99, 0x17, 0x11, 0xd7, 0xa3, 0x81,
-	0x3c, 0x5f, 0xd2, 0x0e, 0xee, 0xec, 0xd0, 0xf5, 0x6c, 0xba, 0x41, 0x6d, 0xe6, 0x39, 0xa1, 0xd8,
-	0xb5, 0x29, 0x2b, 0xd3, 0x87, 0x6f, 0x43, 0x45, 0xc8, 0x0f, 0xdc, 0x4e, 0x5c, 0x84, 0xab, 0xcd,
-	0x95, 0x7a, 0x4c, 0x95, 0xd4, 0x75, 0xaa, 0x24, 0xf5, 0x61, 0x87, 0x46, 0xa4, 0xde, 0xbb, 0x54,
-	0xe7, 0x33, 0xac, 0x74, 0x32, 0xc7, 0x12, 0x11, 0xb7, 0xbd, 0xee, 0x7a, 0xe2, 0x82, 0xc5, 0x4d,
-	0xa5, 0x1d, 0x3c, 0x20, 0xb6, 0x58, 0xbb, 0xcd, 0x1e, 0xab, 0x1c, 0x88, 0x25, 0x3e, 0xab, 0xeb,
-	0x45, 0x6e, 0x5b, 0xd8, 0x8f, 0x13, 0x20, 0xed, 0x10, 0xb3, 0xdc, 0x76, 0x44, 0x03, 0x71, 0x85,
-	0xa9, 0x58, 0x52, 0x4a, 0x42, 0xae, 0x1a, 0xf3, 0x02, 0x2a, 0xf7, 0xe2, 0xe0, 0x9c, 0xd7, 0x83,
-	0x73, 0x30, 0xe0, 0x0f, 0xe4, 0xbc, 0x9b, 0x05, 0x19, 0x42, 0x7b, 0x2e, 0xeb, 0x86, 0xc6, 0xc1,
-	0xf8, 0x10, 0x57, 0xf2, 0x50, 0xc0, 0x1e, 0xca, 0x09, 0xd8, 0xdf, 0x23, 0x28, 0xaf, 0xb3, 0xd6,
-	0x0d, 0x2f, 0x0a, 0xfa, 0xe2, 0x66, 0xcf, 0xbc, 0x88, 0x7a, 0x2a, 0x2a, 0x94, 0xc8, 0x5d, 0x1d,
-	0xb9, 0x1d, 0xba, 0x11, 0x91, 0x8e, 0x2f, 0xef, 0x24, 0xbb, 0x72, 0x75, 0x32, 0x99, 0x2f, 0xbf,
-	0x4d, 0xc2, 0x48, 0x64, 0x6f, 0xd9, 0x12, 0x6d, 0x0e, 0x34, 0x19, 0xb0, 0x11, 0x05, 0x32, 0x75,
-	0x33, 0x7d, 0x7a, 0x20, 0xcd, 0xc4, 0xd8, 0xa4, 0x68, 0x6e, 0xc0, 0x4b, 0xc9, 0x55, 0xf6, 0x01,
-	0x0d, 0x3a, 0xae, 0x47, 0x8a, 0xeb, 0xed, 0x24, 0x2c, 0xcc, 0xc3, 0x4c, 0x02, 0xf1, 0xfb, 0xdf,
-	0xa6, 0xeb, 0x39, 0xec, 0x71, 0x41, 0x22, 0x4c, 0xa2, 0xf6, 0x6f, 0x59, 0xbe, 0x45, 0xd3, 0x9b,
-	0xe4, 0xe6, 0x6d, 0x38, 0xc0, 0xb3, 0xb8, 0x47, 0xe5, 0x07, 0x59, 0x28, 0xcc, 0x51, 0x4f, 0xf2,
-	0x54, 0x87, 0x95, 0x9d, 0x88, 0xd7, 0xe1, 0x10, 0x09, 0x43, 0xb7, 0xe5, 0x51, 0x47, 0xe9, 0x2a,
-	0x4d, 0xac, 0x6b, 0x70, 0x6a, 0xfc, 0xec, 0x13, 0x23, 0xe4, 0xde, 0x29, 0xd1, 0xfc, 0x11, 0x82,
-	0xa3, 0xb9, 0x4a, 0x92, 0x58, 0x47, 0x5a, 0x79, 0xad, 0x41, 0x39, 0xb4, 0xb7, 0xa9, 0xd3, 0x6d,
-	0x53, 0xc5, 0x6b, 0x28, 0x99, 0x7f, 0x73, 0xba, 0xf1, 0x4e, 0xca, 0xf2, 0x9e, 0xc8, 0xf8, 0x04,
-	0x40, 0x87, 0x78, 0x5d, 0xd2, 0x16, 0x10, 0xa6, 0x05, 0x04, 0xad, 0xc7, 0x5c, 0x84, 0x5a, 0x5e,
-	0x18, 0x48, 0x26, 0xe1, 0x1f, 0x08, 0x0e, 0xaa, 0x32, 0x28, 0xf7, 0x70, 0x19, 0x0e, 0x69, 0x6e,
-	0xb8, 0x97, 0x6e, 0xe7, 0x60, 0xf7, 0x98, 0x12, 0xa7, 0x62, 0x61, 0x2a, 0xcb, 0x5e, 0xf6, 0x32,
-	0xfc, 0xe3, 0xc4, 0xe7, 0x10, 0xda, 0xd5, 0x4d, 0xec, 0x87, 0x60, 0xdc, 0x25, 0x1e, 0x69, 0x51,
-	0x27, 0x59, 0x5c, 0x12, 0x48, 0xdf, 0xd7, 0x1f, 0xcb, 0x7b, 0x7e, 0x9a, 0x26, 0xd7, 0x19, 0x77,
-	0x6b, 0x4b, 0x3e, 0xbc, 0x9b, 0x3f, 0x59, 0x02, 0xac, 0x6f, 0x3c, 0x0d, 0x7a, 0xae, 0x4d, 0xf1,
-	0x3b, 0x08, 0xa6, 0xf9, 0xa9, 0x87, 0x8f, 0x8f, 0x8a, 0x33, 0xb1, 0x01, 0xb5, 0xfd, 0x7b, 0xd5,
-	0x70, 0x6b, 0xe6, 0xe2, 0x5b, 0x7f, 0xff, 0xf7, 0xbb, 0xa5, 0x05, 0xfc, 0xa2, 0xe0, 0xd2, 0x7b,
-	0x97, 0x74, 0x5e, 0x3b, 0xc4, 0x3f, 0x45, 0x80, 0xe5, 0x51, 0xac, 0x51, 0x9c, 0xf8, 0xfc, 0x28,
-	0x88, 0x39, 0x54, 0x68, 0xed, 0xb8, 0x56, 0xf2, 0xea, 0x36, 0x0b, 0x28, 0x2f, 0x70, 0x62, 0x80,
-	0x00, 0xb0, 0x22, 0x00, 0x9c, 0xc2, 0x66, 0x1e, 0x80, 0xc6, 0x13, 0x1e, 0x18, 0x4f, 0x1b, 0x34,
-	0xb6, 0xfb, 0x21, 0x82, 0x99, 0x4d, 0x71, 0xf1, 0x1c, 0xe3, 0xa4, 0x8d, 0x7d, 0x73, 0x92, 0x30,
-	0x27, 0xd0, 0x9a, 0x27, 0x05, 0xd2, 0xe3, 0xf8, 0x98, 0x42, 0x1a, 0x46, 0x01, 0x25, 0x9d, 0x0c,
-	0xe0, 0x8b, 0x08, 0x7f, 0x8c, 0x60, 0x36, 0xe6, 0xdc, 0xf0, 0xe9, 0x51, 0x28, 0x33, 0x9c, 0x5c,
-	0x6d, 0xff, 0x08, 0x2c, 0xf3, 0x9c, 0xc0, 0x78, 0xd2, 0xcc, 0xdd, 0xce, 0xb5, 0x0c, 0xbd, 0xf5,
-	0x1e, 0x82, 0xa9, 0x5b, 0x74, 0x6c, 0xbc, 0xed, 0x23, 0xb8, 0x21, 0x07, 0xe6, 0x6c, 0x35, 0xfe,
-	0x08, 0xc1, 0x4b, 0xb7, 0x68, 0x94, 0x5f, 0xef, 0xf1, 0xf2, 0xf8, 0x22, 0x2c, 0xc3, 0xee, 0xfc,
-	0x04, 0x23, 0x93, 0x42, 0xd7, 0x10, 0xc8, 0xce, 0xe1, 0xb3, 0x45, 0x41, 0x18, 0xf6, 0x3d, 0xfb,
-	0xb1, 0xc4, 0xf1, 0x67, 0x04, 0x87, 0x07, 0x7f, 0x70, 0xc0, 0xd9, 0x13, 0x22, 0xf7, 0xf7, 0x88,
-	0xda, 0xbd, 0xbd, 0x16, 0x94, 0xac, 0x52, 0xf3, 0xaa, 0x40, 0xfe, 0x2a, 0x7e, 0xa5, 0x08, 0xb9,
-	0x62, 0xea, 0xc2, 0xc6, 0x13, 0xd5, 0x7c, 0x2a, 0x7e, 0x01, 0x13, 0xb0, 0xdf, 0x42, 0x30, 0x7f,
-	0x8b, 0x46, 0x77, 0x13, 0xa2, 0xea, 0xf4, 0x44, 0x44, 0x76, 0x6d, 0xb1, 0xae, 0xfd, 0x50, 0xa5,
-	0x3e, 0x25, 0x2e, 0x5d, 0x15, 0xc0, 0xce, 0xe2, 0xd3, 0x45, 0xc0, 0x52, 0x72, 0xec, 0x43, 0x04,
-	0x47, 0x75, 0x10, 0x29, 0xcd, 0xff, 0xa5, 0xdd, 0xd1, 0xea, 0x92, 0x9c, 0x1f, 0x83, 0xae, 0x29,
-	0xd0, 0x5d, 0x30, 0xf3, 0x37, 0xbc, 0x33, 0x84, 0x62, 0x0d, 0xad, 0x2c, 0x23, 0xfc, 0x07, 0x04,
-	0xb3, 0x31, 0x13, 0x35, 0xda, 0x47, 0x19, 0xc2, 0x7a, 0x3f, 0xb3, 0xe7, 0x86, 0x80, 0xfc, 0xb5,
-	0xda, 0xc5, 0x7c, 0x87, 0xea, 0xf3, 0xd5, 0xd6, 0xd6, 0x85, 0x97, 0xb3, 0x69, 0xff, 0x1b, 0x04,
-	0x90, 0xb2, 0x69, 0xf8, 0x5c, 0xf1, 0x3a, 0x34, 0xc6, 0xad, 0xb6, 0xbf, 0x7c, 0x9a, 0x59, 0x17,
-	0xeb, 0x59, 0xae, 0x2d, 0x15, 0xe6, 0x9c, 0x4f, 0xed, 0xb5, 0x98, 0x79, 0xfb, 0x25, 0x82, 0x19,
-	0x41, 0x96, 0xe0, 0x53, 0xa3, 0x30, 0xeb, 0x5c, 0xca, 0x7e, 0xba, 0xfe, 0x8c, 0x80, 0xba, 0xd4,
-	0x2c, 0x2a, 0x5c, 0x6b, 0x68, 0x05, 0xf7, 0x60, 0x36, 0x26, 0x2e, 0x46, 0x87, 0x47, 0x86, 0xd8,
-	0xa8, 0x2d, 0x15, 0x1c, 0xa4, 0x71, 0xa0, 0xca, 0x9a, 0xb9, 0x32, 0xae, 0x66, 0x4e, 0xf3, 0xb2,
-	0x86, 0x4f, 0x16, 0x15, 0xbd, 0x4f, 0xc1, 0x31, 0xe7, 0x05, 0xba, 0xd3, 0xe6, 0xd2, 0xb8, 0xba,
-	0xc9, 0xbd, 0xf3, 0x73, 0x04, 0x87, 0x07, 0xef, 0x5d, 0xf8, 0xd8, 0x40, 0xcd, 0xd4, 0x2f, 0x9b,
-	0xb5, 0xac, 0x17, 0x47, 0xdd, 0xd9, 0xcc, 0xaf, 0x0b, 0x14, 0x6b, 0xf8, 0xca, 0xd8, 0xcc, 0xb8,
-	0xa7, 0xaa, 0x0e, 0x57, 0xb4, 0x9a, 0x12, 0xf7, 0xbf, 0x45, 0x30, 0xaf, 0xf4, 0x3e, 0x08, 0x28,
-	0x2d, 0x86, 0xb5, 0x7f, 0x89, 0xc0, 0x6d, 0x99, 0x5f, 0x11, 0xf0, 0xbf, 0x8c, 0x2f, 0x4f, 0x08,
-	0x5f, 0xc1, 0x5e, 0x8d, 0x38, 0xd2, 0x3f, 0x22, 0x38, 0xb2, 0x19, 0xc7, 0xfd, 0x67, 0x84, 0xff,
-	0xba, 0xc0, 0xff, 0x55, 0xfc, 0x6a, 0xc1, 0xbd, 0x68, 0xdc, 0x32, 0x2e, 0x22, 0xfc, 0x6b, 0x04,
-	0x65, 0x45, 0x43, 0xe3, 0xb3, 0x23, 0x13, 0x23, 0x4b, 0x54, 0xef, 0x67, 0x30, 0xcb, 0x4b, 0x80,
-	0x79, 0xaa, 0xf0, 0x28, 0x95, 0xf6, 0x79, 0x40, 0xbf, 0x87, 0x00, 0x27, 0x8f, 0xa6, 0xe4, 0x19,
-	0x85, 0xcf, 0x64, 0x4c, 0x8d, 0x7c, 0x65, 0xd7, 0xce, 0x8e, 0x1d, 0x97, 0x3d, 0x4a, 0x57, 0x0a,
-	0x8f, 0x52, 0x96, 0xd8, 0x7f, 0x1b, 0x41, 0xf5, 0x16, 0x4d, 0xee, 0xec, 0x05, 0xbe, 0xcc, 0xf2,
-	0xeb, 0xb5, 0xe5, 0xf1, 0x03, 0x25, 0xa2, 0x0b, 0x02, 0xd1, 0x19, 0x5c, 0xec, 0x2a, 0x05, 0xe0,
-	0x03, 0x04, 0x07, 0xee, 0xeb, 0x21, 0x8a, 0x2f, 0x8c, 0xb3, 0x94, 0xa9, 0xe4, 0x93, 0xe3, 0xfa,
-	0xa2, 0xc0, 0xb5, 0x6a, 0x4e, 0x84, 0x6b, 0x4d, 0x92, 0xd8, 0xbf, 0x40, 0xf0, 0x82, 0xfe, 0xc8,
-	0x91, 0x14, 0xe4, 0xff, 0xeb, 0xb7, 0x02, 0x26, 0xd3, 0xbc, 0x2c, 0xf0, 0xd5, 0xf1, 0x85, 0x49,
-	0xf0, 0x35, 0x24, 0x2f, 0x89, 0xdf, 0x47, 0x70, 0x44, 0x90, 0xc0, 0xba, 0xe2, 0x81, 0x23, 0x66,
-	0x14, 0x65, 0x3c, 0xc1, 0x11, 0x23, 0xeb, 0x8f, 0xb9, 0x2b, 0x50, 0x6b, 0x8a, 0xe0, 0xfd, 0x19,
-	0x82, 0x83, 0xea, 0x50, 0x93, 0xbb, 0xbb, 0x3a, 0xce, 0x71, 0xbb, 0x3d, 0x04, 0x65, 0xb8, 0xad,
-	0x4c, 0x16, 0x6e, 0x1f, 0x23, 0x98, 0x93, 0x04, 0x6c, 0xc1, 0x55, 0x41, 0x63, 0x68, 0x6b, 0x47,
-	0x33, 0xa3, 0x14, 0xb3, 0x67, 0x7e, 0x57, 0x98, 0x7d, 0x88, 0x1b, 0x45, 0x66, 0x7d, 0xe6, 0x84,
-	0x8d, 0x27, 0x92, 0x56, 0x7b, 0xda, 0x68, 0xb3, 0x56, 0xf8, 0x86, 0x89, 0x0b, 0x0f, 0x44, 0x3e,
-	0xe6, 0x22, 0xba, 0x76, 0xf3, 0x4f, 0xcf, 0x4e, 0xa0, 0xbf, 0x3e, 0x3b, 0x81, 0xfe, 0xf5, 0xec,
-	0x04, 0x7a, 0xe3, 0xca, 0x64, 0x7f, 0x3c, 0xb3, 0xdb, 0x2e, 0xf5, 0x22, 0x5d, 0xed, 0xff, 0x02,
-	0x00, 0x00, 0xff, 0xff, 0xa8, 0x3a, 0x7a, 0xdf, 0x5e, 0x27, 0x00, 0x00,
+	0x6e, 0x08, 0x89, 0x0b, 0x5c, 0x10, 0x48, 0x1c, 0x10, 0x1f, 0x17, 0x4e, 0xc8, 0xe2, 0xc6, 0x85,
+	0x03, 0x7f, 0x00, 0xaa, 0xea, 0xaa, 0xee, 0xea, 0x99, 0x9e, 0x9e, 0x59, 0x76, 0xa3, 0xf8, 0x56,
+	0xaf, 0xba, 0xea, 0xbd, 0x5f, 0xbd, 0x7a, 0xf5, 0x5e, 0xd5, 0x6f, 0x06, 0x4e, 0x85, 0x34, 0xe8,
+	0xd1, 0xa0, 0x41, 0x7c, 0xbf, 0xed, 0xda, 0x24, 0x72, 0x99, 0xa7, 0xb7, 0xeb, 0x7e, 0xc0, 0x22,
+	0x86, 0xab, 0x5a, 0x57, 0x6d, 0xb1, 0xc5, 0x58, 0xab, 0x4d, 0x1b, 0xc4, 0x77, 0x1b, 0xc4, 0xf3,
+	0x58, 0x24, 0xba, 0xc3, 0x78, 0x68, 0xcd, 0xdc, 0xb9, 0x12, 0xd6, 0x5d, 0x26, 0xbe, 0xda, 0x2c,
+	0xa0, 0x8d, 0xde, 0xa5, 0x46, 0x8b, 0x7a, 0x34, 0x20, 0x11, 0x75, 0xe4, 0x98, 0xcb, 0xe9, 0x98,
+	0x0e, 0xb1, 0xb7, 0x5d, 0x8f, 0x06, 0xfd, 0x86, 0xbf, 0xd3, 0xe2, 0x1d, 0x61, 0xa3, 0x43, 0x23,
+	0x92, 0x37, 0x6b, 0xbd, 0xe5, 0x46, 0xdb, 0xdd, 0x37, 0xeb, 0x36, 0xeb, 0x34, 0x48, 0xd0, 0x62,
+	0x7e, 0xc0, 0xbe, 0x27, 0x1a, 0xab, 0xb6, 0xd3, 0xe8, 0x35, 0x53, 0x05, 0xfa, 0x5a, 0x7a, 0x97,
+	0x48, 0xdb, 0xdf, 0x26, 0xc3, 0xda, 0x6e, 0x8c, 0xd1, 0x16, 0x50, 0x9f, 0x49, 0xdf, 0x88, 0xa6,
+	0x1b, 0xb1, 0xa0, 0xaf, 0x35, 0x63, 0x35, 0xe6, 0x7f, 0x11, 0x1c, 0xbe, 0x9a, 0xda, 0xfb, 0x46,
+	0x97, 0x06, 0x7d, 0x8c, 0x61, 0xda, 0x23, 0x1d, 0x6a, 0xa0, 0x25, 0xb4, 0x5c, 0xb1, 0x44, 0x1b,
+	0x1b, 0x30, 0x17, 0xd0, 0xad, 0x80, 0x86, 0xdb, 0x46, 0x49, 0x74, 0x2b, 0x11, 0xd7, 0xa0, 0xcc,
+	0x8d, 0x53, 0x3b, 0x0a, 0x8d, 0xa9, 0xa5, 0xa9, 0xe5, 0x8a, 0x95, 0xc8, 0x78, 0x19, 0x0e, 0x05,
+	0x34, 0x64, 0xdd, 0xc0, 0xa6, 0xdf, 0xa4, 0x41, 0xe8, 0x32, 0xcf, 0x98, 0x16, 0xb3, 0x07, 0xbb,
+	0xb9, 0x96, 0x90, 0xb6, 0xa9, 0x1d, 0xb1, 0xc0, 0x98, 0x11, 0x43, 0x12, 0x99, 0xe3, 0xe1, 0xc0,
+	0x8d, 0xd9, 0x18, 0x0f, 0x6f, 0x63, 0x13, 0xe6, 0x89, 0xef, 0xdf, 0x23, 0x1d, 0x1a, 0xfa, 0xc4,
+	0xa6, 0xc6, 0x9c, 0xf8, 0x96, 0xe9, 0xe3, 0x98, 0x25, 0x12, 0xa3, 0x2c, 0x80, 0x29, 0xd1, 0xbc,
+	0x0e, 0x95, 0x7b, 0xcc, 0xa1, 0xa3, 0x97, 0x3b, 0xa8, 0xbe, 0x34, 0xac, 0xde, 0xdc, 0x81, 0xa3,
+	0x16, 0xed, 0xb9, 0x1c, 0xfe, 0x5d, 0x1a, 0x11, 0x87, 0x44, 0x64, 0x50, 0x61, 0x29, 0x51, 0x58,
+	0x83, 0x72, 0x20, 0x07, 0x1b, 0x25, 0xd1, 0x9f, 0xc8, 0x43, 0xc6, 0xa6, 0x72, 0x8c, 0xfd, 0x09,
+	0xc1, 0x09, 0x6d, 0xa3, 0x2c, 0xe9, 0xbe, 0x1b, 0x3d, 0xea, 0x45, 0xe1, 0x68, 0xb3, 0x17, 0xe0,
+	0x88, 0xf2, 0xf4, 0xe0, 0x62, 0x86, 0x3f, 0x70, 0x20, 0x7a, 0xa7, 0x02, 0xa2, 0xf7, 0xe1, 0x25,
+	0xa8, 0x2a, 0xf9, 0xe1, 0x9d, 0xd7, 0xe4, 0x76, 0xea, 0x5d, 0x43, 0xcb, 0x99, 0xc9, 0x59, 0x8e,
+	0x07, 0x86, 0xb6, 0x9a, 0xbb, 0xc4, 0x73, 0xb7, 0x68, 0x18, 0x4d, 0xea, 0x3e, 0xb4, 0x6b, 0xf7,
+	0xbd, 0x0c, 0x95, 0x9b, 0x6e, 0x9b, 0x5e, 0xdf, 0xee, 0x7a, 0x3b, 0xf8, 0x45, 0x98, 0xb1, 0x79,
+	0x43, 0x58, 0x98, 0xb7, 0x62, 0xc1, 0x7c, 0x0c, 0x2f, 0x8f, 0x82, 0xb4, 0xe9, 0x46, 0xdb, 0x7c,
+	0x7a, 0x38, 0x0a, 0x9b, 0xbd, 0x4d, 0xed, 0x9d, 0xb0, 0xdb, 0x51, 0x5b, 0xab, 0xe4, 0x89, 0xb0,
+	0xfd, 0x02, 0xc1, 0xf2, 0x58, 0xcb, 0x9b, 0x01, 0xf1, 0x7d, 0x1a, 0xe0, 0x9b, 0x30, 0xf3, 0x88,
+	0x7f, 0x10, 0xd1, 0x5a, 0x6d, 0xd6, 0xeb, 0x7a, 0xb6, 0x1b, 0xab, 0xe5, 0xf6, 0x67, 0xac, 0x78,
+	0x3a, 0xae, 0x2b, 0x1f, 0x94, 0x84, 0x9e, 0x85, 0x8c, 0x9e, 0xc4, 0x55, 0x7c, 0xbc, 0x18, 0x76,
+	0x6d, 0x16, 0xa6, 0x7d, 0x12, 0x44, 0xe6, 0x51, 0x78, 0x21, 0x1b, 0x86, 0x3e, 0xf3, 0x42, 0x6a,
+	0xfe, 0x06, 0x65, 0x36, 0xf4, 0x7a, 0x40, 0x49, 0x44, 0x2d, 0xfa, 0xa8, 0x4b, 0xc3, 0x08, 0xef,
+	0x80, 0x9e, 0x80, 0x85, 0xef, 0xaa, 0xcd, 0x3b, 0xf5, 0x34, 0x83, 0xd5, 0x55, 0x06, 0x13, 0x8d,
+	0xef, 0xd8, 0x4e, 0xbd, 0xd7, 0xac, 0xfb, 0x3b, 0xad, 0x3a, 0xcf, 0x87, 0x19, 0x64, 0x2a, 0x1f,
+	0xea, 0x4b, 0xb5, 0x74, 0xed, 0x78, 0x01, 0x66, 0xbb, 0x7e, 0x48, 0x83, 0x48, 0xac, 0xac, 0x6c,
+	0x49, 0x89, 0xef, 0x52, 0x8f, 0xb4, 0x5d, 0x87, 0x44, 0xf1, 0x2e, 0x94, 0xad, 0x44, 0x36, 0x3f,
+	0xca, 0xa2, 0x7f, 0xe8, 0x3b, 0x9f, 0x16, 0x7a, 0x1d, 0x65, 0x69, 0x00, 0xe5, 0xfb, 0x59, 0x94,
+	0xaf, 0xd1, 0x36, 0x4d, 0x51, 0xe6, 0x05, 0xa6, 0x01, 0x73, 0x36, 0x09, 0x6d, 0xe2, 0x28, 0x5d,
+	0x4a, 0xe4, 0x69, 0xc1, 0x0f, 0x98, 0x4f, 0x5a, 0x42, 0xd3, 0x7d, 0xd6, 0x76, 0xed, 0xbe, 0x8c,
+	0xcd, 0xe1, 0x0f, 0x43, 0x41, 0x3c, 0x9d, 0x13, 0xc4, 0x27, 0xa1, 0xba, 0xd1, 0xf7, 0xec, 0xd7,
+	0x7d, 0x51, 0x4c, 0xf9, 0x11, 0x73, 0x23, 0xda, 0x09, 0x0d, 0x24, 0x12, 0x6f, 0x2c, 0x98, 0x1f,
+	0xcc, 0xc0, 0x82, 0xb6, 0x02, 0x3e, 0xa1, 0x08, 0x7f, 0xd1, 0xa1, 0x5f, 0x80, 0x59, 0x27, 0xe8,
+	0x5b, 0x5d, 0x4f, 0x6e, 0xa6, 0x94, 0xb8, 0x61, 0x3f, 0xe8, 0x7a, 0x31, 0xc8, 0xb2, 0x15, 0x0b,
+	0x78, 0x0b, 0xca, 0x61, 0xc4, 0xcb, 0x67, 0xab, 0x2f, 0xd2, 0x51, 0xb5, 0xf9, 0xb5, 0xbd, 0x6d,
+	0x20, 0x87, 0xbe, 0x21, 0x35, 0x5a, 0x89, 0x6e, 0xfc, 0x08, 0x2a, 0x2a, 0x13, 0x86, 0xc6, 0xdc,
+	0xd2, 0xd4, 0x72, 0xb5, 0xb9, 0xb1, 0x77, 0x43, 0xaf, 0xfb, 0xbc, 0xf4, 0x6b, 0x59, 0xdf, 0x4a,
+	0xad, 0xe0, 0x45, 0xa8, 0x74, 0xe4, 0x59, 0x0f, 0x65, 0x99, 0x4b, 0x3b, 0xf0, 0xb7, 0x60, 0xc6,
+	0xf5, 0xb6, 0x58, 0x68, 0x54, 0x04, 0x98, 0x6b, 0x7b, 0x03, 0x73, 0xc7, 0xdb, 0x62, 0x56, 0xac,
+	0x10, 0x3f, 0x82, 0x03, 0x01, 0x8d, 0x82, 0xbe, 0xf2, 0x82, 0x01, 0xc2, 0xaf, 0x5f, 0xdf, 0x9b,
+	0x05, 0x4b, 0x57, 0x69, 0x65, 0x2d, 0xe0, 0x35, 0xa8, 0x86, 0x69, 0x8c, 0x19, 0x55, 0x61, 0xd0,
+	0xc8, 0x28, 0xd2, 0x62, 0xd0, 0xd2, 0x07, 0x0f, 0xc5, 0xf0, 0x7c, 0x4e, 0x0c, 0xff, 0x1d, 0xc1,
+	0xe2, 0x50, 0x1a, 0xd8, 0xf0, 0x69, 0x61, 0x90, 0x12, 0x98, 0x0e, 0x7d, 0x6a, 0x8b, 0xcc, 0x5f,
+	0x6d, 0xde, 0xdd, 0xb7, 0xbc, 0x20, 0xec, 0x0a, 0xd5, 0x45, 0xa9, 0x6b, 0xa2, 0xb3, 0xf9, 0x43,
+	0x04, 0x9f, 0xd5, 0x34, 0xdf, 0x27, 0x91, 0xbd, 0x5d, 0xb4, 0x24, 0x7e, 0x86, 0xf8, 0x18, 0x59,
+	0xcd, 0x62, 0x81, 0x07, 0x9a, 0x68, 0x3c, 0xe8, 0xfb, 0x1c, 0x06, 0xff, 0x92, 0x76, 0x4c, 0x54,
+	0xf4, 0xdf, 0x41, 0x50, 0xd3, 0x33, 0x1f, 0x6b, 0xb7, 0xdf, 0x24, 0xf6, 0x4e, 0x11, 0x94, 0x83,
+	0x50, 0x72, 0x1d, 0x81, 0x63, 0xca, 0x2a, 0xb9, 0xce, 0x2e, 0x8f, 0xfd, 0x20, 0xa8, 0xd9, 0x1c,
+	0x50, 0xff, 0x18, 0x00, 0xa5, 0x8e, 0x58, 0x01, 0xa8, 0x45, 0xa8, 0x78, 0x03, 0x97, 0xa9, 0xb4,
+	0x23, 0xe7, 0x12, 0x55, 0x1a, 0xba, 0x44, 0x19, 0x30, 0xd7, 0x4b, 0xee, 0xc3, 0xfc, 0xb3, 0x12,
+	0xf9, 0x42, 0x5a, 0x01, 0xeb, 0xfa, 0xd2, 0x81, 0xb1, 0xc0, 0x51, 0xec, 0xb8, 0x9e, 0x63, 0xcc,
+	0xc6, 0x28, 0x78, 0x7b, 0x92, 0x1b, 0xb0, 0xf9, 0x6e, 0x09, 0x3e, 0x97, 0xb3, 0xb8, 0xb1, 0x11,
+	0xf0, 0x7c, 0xac, 0x30, 0x89, 0xc3, 0xb9, 0x91, 0x71, 0x58, 0x1e, 0x17, 0x87, 0x95, 0x1c, 0xaf,
+	0xbc, 0x5d, 0x82, 0xa5, 0x1c, 0xaf, 0x8c, 0x2f, 0xa8, 0xcf, 0x8d, 0x5b, 0xb6, 0x58, 0x20, 0x77,
+	0xbc, 0x6c, 0xc5, 0x02, 0x3f, 0x19, 0x2c, 0xf0, 0xb7, 0x89, 0x67, 0x94, 0xe3, 0x93, 0x11, 0x4b,
+	0x13, 0x39, 0xe4, 0x3f, 0x08, 0x0c, 0xe5, 0x85, 0xab, 0xb6, 0xf0, 0x49, 0xd7, 0x7b, 0xfe, 0x1d,
+	0xb1, 0x00, 0xb3, 0x44, 0xa0, 0x95, 0x01, 0x22, 0xa5, 0xa1, 0x25, 0x97, 0xf3, 0x73, 0xe2, 0xb1,
+	0xec, 0x92, 0xc3, 0x75, 0x37, 0x8c, 0xd4, 0x85, 0x16, 0x6f, 0xc1, 0x5c, 0xac, 0x2d, 0xbe, 0xc2,
+	0x54, 0x9b, 0xeb, 0x7b, 0x2d, 0x6c, 0x19, 0xf7, 0x2a, 0xe5, 0xe6, 0x2b, 0x70, 0x2c, 0x37, 0xfb,
+	0x48, 0x18, 0x35, 0x28, 0xab, 0x62, 0x2e, 0x37, 0x20, 0x91, 0xcd, 0x7f, 0x4f, 0x65, 0xd3, 0x3a,
+	0x73, 0xd6, 0x59, 0xab, 0xe0, 0x2d, 0x58, 0xbc, 0x69, 0xfc, 0xb1, 0xcc, 0x1c, 0xed, 0xd9, 0xa7,
+	0x44, 0x3e, 0xcf, 0x66, 0x5e, 0x44, 0x5c, 0x8f, 0x06, 0xb2, 0xbe, 0xa4, 0x1d, 0xdc, 0xd9, 0xa1,
+	0xeb, 0xd9, 0x74, 0x83, 0xda, 0xcc, 0x73, 0x42, 0xb1, 0x6b, 0x53, 0x56, 0xa6, 0x0f, 0xdf, 0x86,
+	0x8a, 0x90, 0x1f, 0xb8, 0x9d, 0x38, 0x09, 0x57, 0x9b, 0x2b, 0xf5, 0x98, 0x44, 0xa9, 0xeb, 0x24,
+	0x4a, 0xea, 0xc3, 0x0e, 0x8d, 0x48, 0xbd, 0x77, 0xa9, 0xce, 0x67, 0x58, 0xe9, 0x64, 0x8e, 0x25,
+	0x22, 0x6e, 0x7b, 0xdd, 0xf5, 0xc4, 0x05, 0x8b, 0x9b, 0x4a, 0x3b, 0x78, 0x40, 0x6c, 0xb1, 0x76,
+	0x9b, 0x3d, 0x56, 0x67, 0x20, 0x96, 0xf8, 0xac, 0xae, 0x17, 0xb9, 0x6d, 0x61, 0x3f, 0x3e, 0x00,
+	0x69, 0x87, 0x98, 0xe5, 0xb6, 0x23, 0x1a, 0x88, 0x2b, 0x4c, 0xc5, 0x92, 0x52, 0x12, 0x72, 0xd5,
+	0x98, 0x17, 0x50, 0x67, 0x2f, 0x0e, 0xce, 0x79, 0x3d, 0x38, 0x07, 0x03, 0xfe, 0x40, 0xce, 0xbb,
+	0x59, 0xd0, 0x24, 0xb4, 0xe7, 0xb2, 0x6e, 0x68, 0x1c, 0x8c, 0x8b, 0xb8, 0x92, 0x87, 0x02, 0xf6,
+	0x50, 0x4e, 0xc0, 0xfe, 0x16, 0x41, 0x79, 0x9d, 0xb5, 0x6e, 0x78, 0x51, 0xd0, 0x17, 0x37, 0x7b,
+	0xe6, 0x45, 0xd4, 0x53, 0x51, 0xa1, 0x44, 0xee, 0xea, 0xc8, 0xed, 0xd0, 0x8d, 0x88, 0x74, 0x7c,
+	0x79, 0x27, 0xd9, 0x95, 0xab, 0x93, 0xc9, 0x7c, 0xf9, 0x6d, 0x12, 0x46, 0xe2, 0xf4, 0x96, 0x2d,
+	0xd1, 0xe6, 0x40, 0x93, 0x01, 0x1b, 0x51, 0x20, 0x8f, 0x6e, 0xa6, 0x4f, 0x0f, 0xa4, 0x99, 0x18,
+	0x9b, 0x14, 0xcd, 0x0d, 0x78, 0x29, 0xb9, 0xca, 0x3e, 0xa0, 0x41, 0xc7, 0xf5, 0x48, 0x71, 0xbe,
+	0x9d, 0x84, 0x85, 0x79, 0x98, 0x39, 0x40, 0xfc, 0xfe, 0xb7, 0xe9, 0x7a, 0x0e, 0x7b, 0x5c, 0x70,
+	0x10, 0x26, 0x51, 0xfb, 0x97, 0x2c, 0xdf, 0xa2, 0xe9, 0x4d, 0xce, 0xe6, 0x6d, 0x38, 0xc0, 0x4f,
+	0x71, 0x8f, 0xca, 0x0f, 0x32, 0x51, 0x98, 0xa3, 0x9e, 0xe4, 0xa9, 0x0e, 0x2b, 0x3b, 0x11, 0xaf,
+	0xc3, 0x21, 0x12, 0x86, 0x6e, 0xcb, 0xa3, 0x8e, 0xd2, 0x55, 0x9a, 0x58, 0xd7, 0xe0, 0xd4, 0xf8,
+	0xd9, 0x27, 0x46, 0xc8, 0xbd, 0x53, 0xa2, 0xf9, 0x03, 0x04, 0x47, 0x73, 0x95, 0x24, 0xb1, 0x8e,
+	0xb4, 0xf4, 0x5a, 0x83, 0x72, 0x68, 0x6f, 0x53, 0xa7, 0xdb, 0xa6, 0x8a, 0xd7, 0x50, 0x32, 0xff,
+	0xe6, 0x74, 0xe3, 0x9d, 0x94, 0xe9, 0x3d, 0x91, 0xf1, 0x09, 0x80, 0x0e, 0xf1, 0xba, 0xa4, 0x2d,
+	0x20, 0x4c, 0x0b, 0x08, 0x5a, 0x8f, 0xb9, 0x08, 0xb5, 0xbc, 0x30, 0x90, 0x4c, 0xc2, 0xdf, 0x10,
+	0x1c, 0x54, 0x69, 0x50, 0xee, 0xe1, 0x32, 0x1c, 0xd2, 0xdc, 0x70, 0x2f, 0xdd, 0xce, 0xc1, 0xee,
+	0x31, 0x29, 0x4e, 0xc5, 0xc2, 0x54, 0x96, 0xd7, 0xec, 0x65, 0x98, 0xc9, 0x89, 0xeb, 0x10, 0xda,
+	0xd5, 0x4d, 0xec, 0xfb, 0x60, 0xdc, 0x25, 0x1e, 0x69, 0x51, 0x27, 0x59, 0x5c, 0x12, 0x48, 0xdf,
+	0xd5, 0x1f, 0xcb, 0x7b, 0x7e, 0x9a, 0x26, 0xd7, 0x19, 0x77, 0x6b, 0x4b, 0x3e, 0xbc, 0x9b, 0x3f,
+	0x5a, 0x02, 0xac, 0x6f, 0x3c, 0x0d, 0x7a, 0xae, 0x4d, 0xf1, 0x3b, 0x08, 0xa6, 0x79, 0xd5, 0xc3,
+	0xc7, 0x47, 0xc5, 0x99, 0xd8, 0x80, 0xda, 0xfe, 0xbd, 0x6a, 0xb8, 0x35, 0x73, 0xf1, 0xad, 0xbf,
+	0xfe, 0xeb, 0xdd, 0xd2, 0x02, 0x7e, 0x51, 0xb0, 0xec, 0xbd, 0x4b, 0x3a, 0xe3, 0x1d, 0xe2, 0x1f,
+	0x23, 0xc0, 0xb2, 0x14, 0x6b, 0x14, 0x27, 0x3e, 0x3f, 0x0a, 0x62, 0x0e, 0x15, 0x5a, 0x3b, 0xae,
+	0xa5, 0xbc, 0xba, 0xcd, 0x02, 0xca, 0x13, 0x9c, 0x18, 0x20, 0x00, 0xac, 0x08, 0x00, 0xa7, 0xb0,
+	0x99, 0x07, 0xa0, 0xf1, 0x84, 0x07, 0xc6, 0xd3, 0x06, 0x8d, 0xed, 0x7e, 0x88, 0x60, 0x66, 0x53,
+	0x5c, 0x3c, 0xc7, 0x38, 0x69, 0x63, 0xdf, 0x9c, 0x24, 0xcc, 0x09, 0xb4, 0xe6, 0x49, 0x81, 0xf4,
+	0x38, 0x3e, 0xa6, 0x90, 0x86, 0x51, 0x40, 0x49, 0x27, 0x03, 0xf8, 0x22, 0xc2, 0x1f, 0x23, 0x98,
+	0x8d, 0x39, 0x37, 0x7c, 0x7a, 0x14, 0xca, 0x0c, 0x27, 0x57, 0xdb, 0x3f, 0x02, 0xcb, 0x3c, 0x27,
+	0x30, 0x9e, 0x34, 0x73, 0xb7, 0x73, 0x2d, 0x43, 0x6f, 0xbd, 0x87, 0x60, 0xea, 0x16, 0x1d, 0x1b,
+	0x6f, 0xfb, 0x08, 0x6e, 0xc8, 0x81, 0x39, 0x5b, 0x8d, 0x3f, 0x42, 0xf0, 0xd2, 0x2d, 0x1a, 0xe5,
+	0xe7, 0x7b, 0xbc, 0x3c, 0x3e, 0x09, 0xcb, 0xb0, 0x3b, 0x3f, 0xc1, 0xc8, 0x24, 0xd1, 0x35, 0x04,
+	0xb2, 0x73, 0xf8, 0x6c, 0x51, 0x10, 0x86, 0x7d, 0xcf, 0x7e, 0x2c, 0x71, 0xfc, 0x11, 0xc1, 0xe1,
+	0xc1, 0x1f, 0x1c, 0x70, 0xb6, 0x42, 0xe4, 0xfe, 0x1e, 0x51, 0xbb, 0xb7, 0xd7, 0x84, 0x92, 0x55,
+	0x6a, 0x5e, 0x15, 0xc8, 0x5f, 0xc5, 0xaf, 0x14, 0x21, 0x57, 0x4c, 0x5d, 0xd8, 0x78, 0xa2, 0x9a,
+	0x4f, 0xc5, 0x6f, 0x63, 0x02, 0xf6, 0x5b, 0x08, 0xe6, 0x6f, 0xd1, 0xe8, 0x6e, 0x42, 0x54, 0x9d,
+	0x9e, 0x88, 0xc8, 0xae, 0x2d, 0xd6, 0xb5, 0x9f, 0xb0, 0xd4, 0xa7, 0xc4, 0xa5, 0xab, 0x02, 0xd8,
+	0x59, 0x7c, 0xba, 0x08, 0x58, 0x4a, 0x8e, 0x7d, 0x88, 0xe0, 0xa8, 0x0e, 0x22, 0xa5, 0xf9, 0xbf,
+	0xb0, 0x3b, 0x5a, 0x5d, 0x92, 0xf3, 0x63, 0xd0, 0x35, 0x05, 0xba, 0x0b, 0x66, 0xfe, 0x86, 0x77,
+	0x86, 0x50, 0xac, 0xa1, 0x95, 0x65, 0x84, 0x7f, 0x87, 0x60, 0x36, 0x66, 0xa2, 0x46, 0xfb, 0x28,
+	0x43, 0x58, 0xef, 0xe7, 0xe9, 0xb9, 0x21, 0x20, 0x7f, 0xa5, 0x76, 0x31, 0xdf, 0xa1, 0xfa, 0x7c,
+	0xb5, 0xb5, 0x75, 0xe1, 0xe5, 0xec, 0xb1, 0xff, 0x15, 0x02, 0x48, 0xd9, 0x34, 0x7c, 0xae, 0x78,
+	0x1d, 0x1a, 0xe3, 0x56, 0xdb, 0x5f, 0x3e, 0xcd, 0xac, 0x8b, 0xf5, 0x2c, 0xd7, 0x96, 0x0a, 0xcf,
+	0x9c, 0x4f, 0xed, 0xb5, 0x98, 0x79, 0xfb, 0x39, 0x82, 0x19, 0x41, 0x96, 0xe0, 0x53, 0xa3, 0x30,
+	0xeb, 0x5c, 0xca, 0x7e, 0xba, 0xfe, 0x8c, 0x80, 0xba, 0xd4, 0x2c, 0x4a, 0x5c, 0x6b, 0x68, 0x05,
+	0xf7, 0x60, 0x36, 0x26, 0x2e, 0x46, 0x87, 0x47, 0x86, 0xd8, 0xa8, 0x2d, 0x15, 0x14, 0xd2, 0x38,
+	0x50, 0x65, 0xce, 0x5c, 0x19, 0x97, 0x33, 0xa7, 0x79, 0x5a, 0xc3, 0x27, 0x8b, 0x92, 0xde, 0x27,
+	0xe0, 0x98, 0xf3, 0x02, 0xdd, 0x69, 0x73, 0x69, 0x5c, 0xde, 0xe4, 0xde, 0xf9, 0x29, 0x82, 0xc3,
+	0x83, 0xf7, 0x2e, 0x7c, 0x6c, 0x20, 0x67, 0xea, 0x97, 0xcd, 0x5a, 0xd6, 0x8b, 0xa3, 0xee, 0x6c,
+	0xe6, 0x57, 0x05, 0x8a, 0x35, 0x7c, 0x65, 0xec, 0xc9, 0xb8, 0xa7, 0xb2, 0x0e, 0x57, 0xb4, 0x9a,
+	0x12, 0xf7, 0xbf, 0x46, 0x30, 0xaf, 0xf4, 0x3e, 0x08, 0x28, 0x2d, 0x86, 0xb5, 0x7f, 0x07, 0x81,
+	0xdb, 0x32, 0xbf, 0x24, 0xe0, 0x7f, 0x11, 0x5f, 0x9e, 0x10, 0xbe, 0x82, 0xbd, 0x1a, 0x71, 0xa4,
+	0xbf, 0x47, 0x70, 0x64, 0x33, 0x8e, 0xfb, 0x4f, 0x09, 0xff, 0x75, 0x81, 0xff, 0xcb, 0xf8, 0xd5,
+	0x82, 0x7b, 0xd1, 0xb8, 0x65, 0x5c, 0x44, 0xf8, 0x97, 0x08, 0xca, 0x8a, 0x86, 0xc6, 0x67, 0x47,
+	0x1e, 0x8c, 0x2c, 0x51, 0xbd, 0x9f, 0xc1, 0x2c, 0x2f, 0x01, 0xe6, 0xa9, 0xc2, 0x52, 0x2a, 0xed,
+	0xf3, 0x80, 0x7e, 0x0f, 0x01, 0x4e, 0x1e, 0x4d, 0xc9, 0x33, 0x0a, 0x9f, 0xc9, 0x98, 0x1a, 0xf9,
+	0xca, 0xae, 0x9d, 0x1d, 0x3b, 0x2e, 0x5b, 0x4a, 0x57, 0x0a, 0x4b, 0x29, 0x4b, 0xec, 0xbf, 0x8d,
+	0xa0, 0x7a, 0x8b, 0x26, 0x77, 0xf6, 0x02, 0x5f, 0x66, 0xf9, 0xf5, 0xda, 0xf2, 0xf8, 0x81, 0x12,
+	0xd1, 0x05, 0x81, 0xe8, 0x0c, 0x2e, 0x76, 0x95, 0x02, 0xf0, 0x01, 0x82, 0x03, 0xf7, 0xf5, 0x10,
+	0xc5, 0x17, 0xc6, 0x59, 0xca, 0x64, 0xf2, 0xc9, 0x71, 0x7d, 0x5e, 0xe0, 0x5a, 0x35, 0x27, 0xc2,
+	0xb5, 0x26, 0x49, 0xec, 0x9f, 0x21, 0x78, 0x41, 0x7f, 0xe4, 0x48, 0x0a, 0xf2, 0xff, 0xf5, 0x5b,
+	0x01, 0x93, 0x69, 0x5e, 0x16, 0xf8, 0xea, 0xf8, 0xc2, 0x24, 0xf8, 0x1a, 0x92, 0x97, 0xc4, 0xef,
+	0x23, 0x38, 0x22, 0x48, 0x60, 0x5d, 0xf1, 0x40, 0x89, 0x19, 0x45, 0x19, 0x4f, 0x50, 0x62, 0x64,
+	0xfe, 0x31, 0x77, 0x05, 0x6a, 0x4d, 0x11, 0xbc, 0x3f, 0x41, 0x70, 0x50, 0x15, 0x35, 0xb9, 0xbb,
+	0xab, 0xe3, 0x1c, 0xb7, 0xdb, 0x22, 0x28, 0xc3, 0x6d, 0x65, 0xb2, 0x70, 0xfb, 0x18, 0xc1, 0x9c,
+	0x24, 0x60, 0x0b, 0xae, 0x0a, 0x1a, 0x43, 0x5b, 0x3b, 0x9a, 0x19, 0xa5, 0x98, 0x3d, 0xf3, 0xdb,
+	0xc2, 0xec, 0x43, 0xdc, 0x28, 0x32, 0xeb, 0x33, 0x27, 0x6c, 0x3c, 0x91, 0xb4, 0xda, 0xd3, 0x46,
+	0x9b, 0xb5, 0xc2, 0x37, 0x4c, 0x5c, 0x58, 0x10, 0xf9, 0x98, 0x8b, 0xe8, 0xda, 0xcd, 0x3f, 0x3c,
+	0x3b, 0x81, 0xfe, 0xfc, 0xec, 0x04, 0xfa, 0xe7, 0xb3, 0x13, 0xe8, 0x8d, 0x2b, 0x93, 0xfd, 0x25,
+	0xcd, 0x6e, 0xbb, 0xd4, 0x8b, 0x74, 0xb5, 0xff, 0x0b, 0x00, 0x00, 0xff, 0xff, 0xbd, 0x18, 0xcd,
+	0x5d, 0x78, 0x27, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -3741,6 +3751,15 @@ func (m *ApplicationQuery) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.Project) > 0 {
+		for iNdEx := len(m.Project) - 1; iNdEx >= 0; iNdEx-- {
+			i -= len(m.Project[iNdEx])
+			copy(dAtA[i:], m.Project[iNdEx])
+			i = encodeVarintApplication(dAtA, i, uint64(len(m.Project[iNdEx])))
+			i--
+			dAtA[i] = 0x42
+		}
+	}
 	if m.AppNamespace != nil {
 		i -= len(*m.AppNamespace)
 		copy(dAtA[i:], *m.AppNamespace)
@@ -5837,6 +5856,12 @@ func (m *ApplicationQuery) Size() (n int) {
 		l = len(*m.AppNamespace)
 		n += 1 + l + sovApplication(uint64(l))
 	}
+	if len(m.Project) > 0 {
+		for _, s := range m.Project {
+			l = len(s)
+			n += 1 + l + sovApplication(uint64(l))
+		}
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -7004,6 +7029,38 @@ func (m *ApplicationQuery) Unmarshal(dAtA []byte) error {
 			s := string(dAtA[iNdEx:postIndex])
 			m.AppNamespace = &s
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Project", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowApplication
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthApplication
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthApplication
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Project = append(m.Project, string(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipApplication(dAtA[iNdEx:])

pkg/apis/application/v1alpha1/applicationset_types.go

@@ -541,7 +541,7 @@ const (
 // prefix "Info" means informational condition
 type ApplicationSetConditionType string
 
-//ErrorOccurred / ParametersGenerated / TemplateRendered / ResourcesUpToDate
+// ErrorOccurred / ParametersGenerated / TemplateRendered / ResourcesUpToDate
 const (
 	ApplicationSetConditionErrorOccurred       ApplicationSetConditionType = "ErrorOccurred"
 	ApplicationSetConditionParametersGenerated ApplicationSetConditionType = "ParametersGenerated"

pkg/apis/application/v1alpha1/types.go

@@ -388,6 +388,7 @@ type ApplicationSourceKustomize struct {
 func (k *ApplicationSourceKustomize) AllowsConcurrentProcessing() bool {
 	return len(k.Images) == 0 &&
 		len(k.CommonLabels) == 0 &&
+		len(k.CommonAnnotations) == 0 &&
 		k.NamePrefix == "" &&
 		k.NameSuffix == ""
 }

pkg/apis/application/v1alpha1/types_test.go

@@ -2812,11 +2812,21 @@ func TestRetryStrategy_NextRetryAtCustomBackoff(t *testing.T) {
 }
 
 func TestSourceAllowsConcurrentProcessing_KustomizeParams(t *testing.T) {
-	src := ApplicationSource{Path: ".", Kustomize: &ApplicationSourceKustomize{
-		NameSuffix: "test",
-	}}
+	t.Run("Has NameSuffix", func(t *testing.T) {
+		src := ApplicationSource{Path: ".", Kustomize: &ApplicationSourceKustomize{
+			NameSuffix: "test",
+		}}
 
-	assert.False(t, src.AllowsConcurrentProcessing())
+		assert.False(t, src.AllowsConcurrentProcessing())
+	})
+
+	t.Run("Has CommonAnnotations", func(t *testing.T) {
+		src := ApplicationSource{Path: ".", Kustomize: &ApplicationSourceKustomize{
+			CommonAnnotations: map[string]string{"foo": "bar"},
+		}}
+
+		assert.False(t, src.AllowsConcurrentProcessing())
+	})
 }
 
 func TestUnSetCascadedDeletion(t *testing.T) {

reposerver/apiclient/mocks/RepoServerService_GenerateManifestWithFilesClient.go

@@ -0,0 +1,167 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package mocks
+
+import (
+	context "context"
+
+	apiclient "github.com/argoproj/argo-cd/v2/reposerver/apiclient"
+
+	metadata "google.golang.org/grpc/metadata"
+
+	mock "github.com/stretchr/testify/mock"
+)
+
+// RepoServerService_GenerateManifestWithFilesClient is an autogenerated mock type for the RepoServerService_GenerateManifestWithFilesClient type
+type RepoServerService_GenerateManifestWithFilesClient struct {
+	mock.Mock
+}
+
+// CloseAndRecv provides a mock function with given fields:
+func (_m *RepoServerService_GenerateManifestWithFilesClient) CloseAndRecv() (*apiclient.ManifestResponse, error) {
+	ret := _m.Called()
+
+	var r0 *apiclient.ManifestResponse
+	if rf, ok := ret.Get(0).(func() *apiclient.ManifestResponse); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*apiclient.ManifestResponse)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func() error); ok {
+		r1 = rf()
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// CloseSend provides a mock function with given fields:
+func (_m *RepoServerService_GenerateManifestWithFilesClient) CloseSend() error {
+	ret := _m.Called()
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func() error); ok {
+		r0 = rf()
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// Context provides a mock function with given fields:
+func (_m *RepoServerService_GenerateManifestWithFilesClient) Context() context.Context {
+	ret := _m.Called()
+
+	var r0 context.Context
+	if rf, ok := ret.Get(0).(func() context.Context); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(context.Context)
+		}
+	}
+
+	return r0
+}
+
+// Header provides a mock function with given fields:
+func (_m *RepoServerService_GenerateManifestWithFilesClient) Header() (metadata.MD, error) {
+	ret := _m.Called()
+
+	var r0 metadata.MD
+	if rf, ok := ret.Get(0).(func() metadata.MD); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(metadata.MD)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func() error); ok {
+		r1 = rf()
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// RecvMsg provides a mock function with given fields: m
+func (_m *RepoServerService_GenerateManifestWithFilesClient) RecvMsg(m interface{}) error {
+	ret := _m.Called(m)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(interface{}) error); ok {
+		r0 = rf(m)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// Send provides a mock function with given fields: _a0
+func (_m *RepoServerService_GenerateManifestWithFilesClient) Send(_a0 *apiclient.ManifestRequestWithFiles) error {
+	ret := _m.Called(_a0)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(*apiclient.ManifestRequestWithFiles) error); ok {
+		r0 = rf(_a0)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// SendMsg provides a mock function with given fields: m
+func (_m *RepoServerService_GenerateManifestWithFilesClient) SendMsg(m interface{}) error {
+	ret := _m.Called(m)
+
+	var r0 error
+	if rf, ok := ret.Get(0).(func(interface{}) error); ok {
+		r0 = rf(m)
+	} else {
+		r0 = ret.Error(0)
+	}
+
+	return r0
+}
+
+// Trailer provides a mock function with given fields:
+func (_m *RepoServerService_GenerateManifestWithFilesClient) Trailer() metadata.MD {
+	ret := _m.Called()
+
+	var r0 metadata.MD
+	if rf, ok := ret.Get(0).(func() metadata.MD); ok {
+		r0 = rf()
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(metadata.MD)
+		}
+	}
+
+	return r0
+}
+
+type mockConstructorTestingTNewRepoServerService_GenerateManifestWithFilesClient interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewRepoServerService_GenerateManifestWithFilesClient creates a new instance of RepoServerService_GenerateManifestWithFilesClient. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewRepoServerService_GenerateManifestWithFilesClient(t mockConstructorTestingTNewRepoServerService_GenerateManifestWithFilesClient) *RepoServerService_GenerateManifestWithFilesClient {
+	mock := &RepoServerService_GenerateManifestWithFilesClient{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

reposerver/repository/repository.go

@@ -277,6 +277,7 @@ func (s *Service) runRepoOperation(
 	var helmClient helm.Client
 	var err error
 	revision = textutils.FirstNonEmpty(revision, source.TargetRevision)
+	unresolvedRevision := revision
 	if source.IsHelm() {
 		helmClient, revision, err = s.newHelmClientResolveRevision(repo, revision, source.Chart, settings.noCache || settings.noRevisionCache)
 		if err != nil {
@@ -388,7 +389,7 @@ func (s *Service) runRepoOperation(
 		return operation(gitClient.Root(), commitSHA, revision, func() (*operationContext, error) {
 			var signature string
 			if verifyCommit {
-				signature, err = gitClient.VerifyCommitSignature(revision)
+				signature, err = gitClient.VerifyCommitSignature(unresolvedRevision)
 				if err != nil {
 					return nil, err
 				}

server/application/application.go

@@ -68,7 +68,8 @@ const (
 )
 
 var (
-	watchAPIBufferSize = env.ParseNumFromEnv(argocommon.EnvWatchAPIBufferSize, 1000, 0, math.MaxInt32)
+	watchAPIBufferSize  = env.ParseNumFromEnv(argocommon.EnvWatchAPIBufferSize, 1000, 0, math.MaxInt32)
+	permissionDeniedErr = status.Error(codes.PermissionDenied, "permission denied")
 )
 
 // Server provides an Application service
@@ -78,7 +79,7 @@ type Server struct {
 	appclientset      appclientset.Interface
 	appLister         applisters.ApplicationLister
 	appInformer       cache.SharedIndexInformer
-	appBroadcaster    *broadcasterHandler
+	appBroadcaster    Broadcaster
 	repoClientset     apiclient.Clientset
 	kubectl           kube.Kubectl
 	db                db.ArgoDB
@@ -98,6 +99,7 @@ func NewServer(
 	appclientset appclientset.Interface,
 	appLister applisters.ApplicationLister,
 	appInformer cache.SharedIndexInformer,
+	appBroadcaster Broadcaster,
 	repoClientset apiclient.Clientset,
 	cache *servercache.Cache,
 	kubectl kube.Kubectl,
@@ -108,7 +110,9 @@ func NewServer(
 	projInformer cache.SharedIndexInformer,
 	enabledNamespaces []string,
 ) (application.ApplicationServiceServer, AppResourceTreeFn) {
-	appBroadcaster := &broadcasterHandler{}
+	if appBroadcaster == nil {
+		appBroadcaster = &broadcasterHandler{}
+	}
 	appInformer.AddEventHandler(appBroadcaster)
 	s := &Server{
 		ns:                namespace,
@@ -131,6 +135,61 @@ func NewServer(
 	return s, s.getAppResources
 }
 
+// getAppEnforceRBAC gets the Application with the given name in the given namespace. If no namespace is
+// specified, the Application is fetched from the default namespace (the one in which the API server is running).
+//
+// If the Application does not exist, then we have no way of determining if the user would have had access to get that
+// Application. Verifying access requires knowing the Application's name, namespace, and project. The user may specify,
+// at minimum, the Application name.
+//
+// So to prevent a malicious user from inferring the existence or absense of the Application or namespace, we respond
+// "permission denied" if the Application does not exist.
+func (s *Server) getAppEnforceRBAC(ctx context.Context, action, namespace, name string, getApp func() (*appv1.Application, error)) (*appv1.Application, error) {
+	logCtx := log.WithFields(map[string]interface{}{
+		"application": name,
+		"namespace":   namespace,
+	})
+	a, err := getApp()
+	if err != nil {
+		if apierr.IsNotFound(err) {
+			logCtx.Warn("application does not exist")
+			return nil, permissionDeniedErr
+		}
+		logCtx.Errorf("failed to get application: %s", err)
+		return nil, permissionDeniedErr
+	}
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, action, a.RBACName(s.ns)); err != nil {
+		logCtx.WithFields(map[string]interface{}{
+			"project":                a.Spec.Project,
+			argocommon.SecurityField: argocommon.SecurityMedium,
+		}).Warnf("user tried to %s application which they do not have access to: %s", action, err)
+		return nil, permissionDeniedErr
+	}
+	return a, nil
+}
+
+// getApplicationEnforceRBACInformer uses an informer to get an Application. If the app does not exist, permission is
+// denied, or any other error occurs when getting the app, we return a permission denied error to obscure any sensitive
+// information.
+func (s *Server) getApplicationEnforceRBACInformer(ctx context.Context, action, namespace, name string) (*appv1.Application, error) {
+	namespaceOrDefault := s.appNamespaceOrDefault(namespace)
+	return s.getAppEnforceRBAC(ctx, action, namespaceOrDefault, name, func() (*appv1.Application, error) {
+		return s.appLister.Applications(namespaceOrDefault).Get(name)
+	})
+}
+
+// getApplicationEnforceRBACClient uses a client to get an Application. If the app does not exist, permission is denied,
+// or any other error occurs when getting the app, we return a permission denied error to obscure any sensitive
+// information.
+func (s *Server) getApplicationEnforceRBACClient(ctx context.Context, action, namespace, name, resourceVersion string) (*appv1.Application, error) {
+	namespaceOrDefault := s.appNamespaceOrDefault(namespace)
+	return s.getAppEnforceRBAC(ctx, action, namespaceOrDefault, name, func() (*appv1.Application, error) {
+		return s.appclientset.ArgoprojV1alpha1().Applications(namespaceOrDefault).Get(ctx, name, metav1.GetOptions{
+			ResourceVersion: resourceVersion,
+		})
+	})
+}
+
 // List returns list of applications
 func (s *Server) List(ctx context.Context, q *application.ApplicationQuery) (*appv1.ApplicationList, error) {
 	selector, err := labels.Parse(q.GetSelector())
@@ -148,7 +207,7 @@ func (s *Server) List(ctx context.Context, q *application.ApplicationQuery) (*ap
 	}
 	newItems := make([]appv1.Application, 0)
 	for _, a := range apps {
-		// Skip any application that is neither in the conrol plane's namespace
+		// Skip any application that is neither in the control plane's namespace
 		// nor in the list of enabled namespaces.
 		if a.Namespace != s.ns && !glob.MatchStringInList(s.enabledNamespaces, a.Namespace, false) {
 			continue
@@ -165,8 +224,8 @@ func (s *Server) List(ctx context.Context, q *application.ApplicationQuery) (*ap
 		}
 	}
 
-	// Filter applications by name
-	newItems = argoutil.FilterByProjects(newItems, q.Projects)
+	// Filter applications by projects
+	newItems = argoutil.FilterByProjects(newItems, getProjectsFromApplicationQuery(*q))
 
 	// Filter applications by source repo URL
 	newItems = argoutil.FilterByRepo(newItems, q.GetRepo())
@@ -325,13 +384,8 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan
 	if q.Name == nil || *q.Name == "" {
 		return nil, fmt.Errorf("invalid request: application name is missing")
 	}
-	appName := q.GetName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appLister.Applications(appNs).Get(appName)
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName())
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -438,14 +492,8 @@ func (s *Server) GetManifestsWithFiles(stream application.ApplicationService_Get
 		return fmt.Errorf("invalid request: application name is missing")
 	}
 
-	appName := query.GetName()
-	appNs := s.appNamespaceOrDefault(query.GetAppNamespace())
-	a, err := s.appLister.Applications(appNs).Get(appName)
-
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, query.GetAppNamespace(), query.GetName())
 	if err != nil {
-		return fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
 		return err
 	}
 
@@ -549,14 +597,8 @@ func (s *Server) Get(ctx context.Context, q *application.ApplicationQuery) (*app
 	// We must use a client Get instead of an informer Get, because it's common to call Get immediately
 	// following a Watch (which is not yet powered by an informer), and the Get must reflect what was
 	// previously seen by the client.
-	a, err := s.appclientset.ArgoprojV1alpha1().Applications(appNs).Get(ctx, appName, metav1.GetOptions{
-		ResourceVersion: q.GetResourceVersion(),
-	})
-
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, appNs, appName, q.GetResourceVersion())
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -644,13 +686,8 @@ func (s *Server) Get(ctx context.Context, q *application.ApplicationQuery) (*app
 
 // ListResourceEvents returns a list of event resources
 func (s *Server) ListResourceEvents(ctx context.Context, q *application.ApplicationResourceEventsQuery) (*v1.EventList, error) {
-	appName := q.GetName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appLister.Applications(appNs).Get(appName)
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName())
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -718,13 +755,13 @@ func (s *Server) ListResourceEvents(ctx context.Context, q *application.Applicat
 	return list, nil
 }
 
-func (s *Server) validateAndUpdateApp(ctx context.Context, newApp *appv1.Application, merge bool, validate bool) (*appv1.Application, error) {
+func (s *Server) validateAndUpdateApp(ctx context.Context, newApp *appv1.Application, merge bool, validate bool, action string) (*appv1.Application, error) {
 	s.projectLock.RLock(newApp.Spec.GetProject())
 	defer s.projectLock.RUnlock(newApp.Spec.GetProject())
 
-	app, err := s.appclientset.ArgoprojV1alpha1().Applications(newApp.Namespace).Get(ctx, newApp.Name, metav1.GetOptions{})
+	app, err := s.getApplicationEnforceRBACClient(ctx, action, newApp.Namespace, newApp.Name, "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
+		return nil, err
 	}
 
 	err = s.validateAndNormalizeApp(ctx, newApp, validate)
@@ -838,7 +875,7 @@ func (s *Server) Update(ctx context.Context, q *application.ApplicationUpdateReq
 	if q.Validate != nil {
 		validate = *q.Validate
 	}
-	return s.validateAndUpdateApp(ctx, q.Application, false, validate)
+	return s.validateAndUpdateApp(ctx, q.Application, false, validate, rbacpolicy.ActionUpdate)
 }
 
 // UpdateSpec updates an application spec and filters out any invalid parameter overrides
@@ -846,13 +883,8 @@ func (s *Server) UpdateSpec(ctx context.Context, q *application.ApplicationUpdat
 	if q.GetSpec() == nil {
 		return nil, fmt.Errorf("error updating application spec: spec is nil in request")
 	}
-	appName := q.GetName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appclientset.ArgoprojV1alpha1().Applications(appNs).Get(ctx, appName, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionUpdate, q.GetAppNamespace(), q.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionUpdate, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -868,7 +900,7 @@ func (s *Server) UpdateSpec(ctx context.Context, q *application.ApplicationUpdat
 	if q.Validate != nil {
 		validate = *q.Validate
 	}
-	a, err = s.validateAndUpdateApp(ctx, a, false, validate)
+	a, err = s.validateAndUpdateApp(ctx, a, false, validate, rbacpolicy.ActionUpdate)
 	if err != nil {
 		return nil, fmt.Errorf("error validating and updating app: %w", err)
 	}
@@ -877,11 +909,9 @@ func (s *Server) UpdateSpec(ctx context.Context, q *application.ApplicationUpdat
 
 // Patch patches an application
 func (s *Server) Patch(ctx context.Context, q *application.ApplicationPatchRequest) (*appv1.Application, error) {
-	appName := q.GetName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	app, err := s.appclientset.ArgoprojV1alpha1().Applications(appNs).Get(ctx, appName, metav1.GetOptions{})
+	app, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
+		return nil, err
 	}
 
 	if err = s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionUpdate, app.RBACName(s.ns)); err != nil {
@@ -926,16 +956,16 @@ func (s *Server) Patch(ctx context.Context, q *application.ApplicationPatchReque
 	if err != nil {
 		return nil, fmt.Errorf("error unmarshaling patched app: %w", err)
 	}
-	return s.validateAndUpdateApp(ctx, newApp, false, true)
+	return s.validateAndUpdateApp(ctx, newApp, false, true, rbacpolicy.ActionUpdate)
 }
 
 // Delete removes an application and all associated resources
 func (s *Server) Delete(ctx context.Context, q *application.ApplicationDeleteRequest) (*application.ApplicationResponse, error) {
 	appName := q.GetName()
 	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appclientset.ArgoprojV1alpha1().Applications(appNs).Get(ctx, appName, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, appNs, appName, "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
+		return nil, err
 	}
 
 	s.projectLock.RLock(a.Spec.Project)
@@ -1008,8 +1038,8 @@ func (s *Server) Watch(q *application.ApplicationQuery, ws application.Applicati
 		logCtx = logCtx.WithField("application", *q.Name)
 	}
 	projects := map[string]bool{}
-	for i := range q.Projects {
-		projects[q.Projects[i]] = true
+	for _, project := range getProjectsFromApplicationQuery(*q) {
+		projects[project] = true
 	}
 	claims := ws.Context().Value("claims")
 	selector, err := labels.Parse(q.GetSelector())
@@ -1086,7 +1116,9 @@ func (s *Server) validateAndNormalizeApp(ctx context.Context, app *appv1.Applica
 	proj, err := argo.GetAppProject(app, applisters.NewAppProjectLister(s.projInformer.GetIndexer()), s.ns, s.settingsMgr, s.db, ctx)
 	if err != nil {
 		if apierr.IsNotFound(err) {
-			return status.Errorf(codes.InvalidArgument, "application references project %s which does not exist", app.Spec.Project)
+			// Offer no hint that the project does not exist.
+			log.Warnf("User attempted to create/update application in non-existent project %q", app.Spec.Project)
+			return permissionDeniedErr
 		}
 		return fmt.Errorf("error getting application's project: %w", err)
 	}
@@ -1198,22 +1230,16 @@ func (s *Server) getAppResources(ctx context.Context, a *appv1.Application) (*ap
 		return s.cache.GetAppResourcesTree(a.InstanceName(s.ns), &tree)
 	})
 	if err != nil {
-		return &tree, fmt.Errorf("error getting cached app state: %w", err)
+		return &tree, fmt.Errorf("error getting cached app resource tree: %w", err)
 	}
 	return &tree, nil
 }
 
 func (s *Server) getAppLiveResource(ctx context.Context, action string, q *application.ApplicationResourceRequest) (*appv1.ResourceNode, *rest.Config, *appv1.Application, error) {
-	appName := q.GetName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appLister.Applications(appNs).Get(appName)
+	a, err := s.getApplicationEnforceRBACInformer(ctx, action, q.GetAppNamespace(), q.GetName())
 	if err != nil {
-		return nil, nil, nil, fmt.Errorf("error getting app by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, action, a.RBACName(s.ns)); err != nil {
 		return nil, nil, nil, err
 	}
-
 	tree, err := s.getAppResources(ctx, a)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("error getting app resources: %w", err)
@@ -1233,7 +1259,7 @@ func (s *Server) getAppLiveResource(ctx context.Context, action string, q *appli
 func (s *Server) GetResource(ctx context.Context, q *application.ApplicationResourceRequest) (*application.ApplicationResourceResponse, error) {
 	res, config, _, err := s.getAppLiveResource(ctx, rbacpolicy.ActionGet, q)
 	if err != nil {
-		return nil, fmt.Errorf("error getting app live resource: %w", err)
+		return nil, err
 	}
 
 	// make sure to use specified resource version if provided
@@ -1280,9 +1306,6 @@ func (s *Server) PatchResource(ctx context.Context, q *application.ApplicationRe
 	}
 	res, config, a, err := s.getAppLiveResource(ctx, rbacpolicy.ActionUpdate, resourceRequest)
 	if err != nil {
-		return nil, fmt.Errorf("error getting app live resource: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionUpdate, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -1294,6 +1317,9 @@ func (s *Server) PatchResource(ctx context.Context, q *application.ApplicationRe
 		}
 		return nil, fmt.Errorf("error patching resource: %w", err)
 	}
+	if manifest == nil {
+		return nil, fmt.Errorf("failed to patch resource: manifest was nil")
+	}
 	manifest, err = replaceSecretValues(manifest)
 	if err != nil {
 		return nil, fmt.Errorf("error replacing secret values: %w", err)
@@ -1322,9 +1348,6 @@ func (s *Server) DeleteResource(ctx context.Context, q *application.ApplicationR
 	}
 	res, config, a, err := s.getAppLiveResource(ctx, rbacpolicy.ActionDelete, resourceRequest)
 	if err != nil {
-		return nil, fmt.Errorf("error getting live resource for delete: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionDelete, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 	var deleteOption metav1.DeleteOptions
@@ -1348,13 +1371,8 @@ func (s *Server) DeleteResource(ctx context.Context, q *application.ApplicationR
 }
 
 func (s *Server) ResourceTree(ctx context.Context, q *application.ResourcesQuery) (*appv1.ApplicationTree, error) {
-	appName := q.GetApplicationName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appLister.Applications(appNs).Get(appName)
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetApplicationName())
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -1369,14 +1387,8 @@ func (s *Server) ResourceTree(ctx context.Context, q *application.ResourcesQuery
 }
 
 func (s *Server) WatchResourceTree(q *application.ResourcesQuery, ws application.ApplicationService_WatchResourceTreeServer) error {
-	appName := q.GetApplicationName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appLister.Applications(appNs).Get(appName)
+	_, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetApplicationName())
 	if err != nil {
-		return fmt.Errorf("error getting application by name: %w", err)
-	}
-
-	if err := s.enf.EnforceErr(ws.Context().Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
 		return err
 	}
 
@@ -1391,13 +1403,8 @@ func (s *Server) WatchResourceTree(q *application.ResourcesQuery, ws application
 }
 
 func (s *Server) RevisionMetadata(ctx context.Context, q *application.RevisionMetadataQuery) (*v1alpha1.RevisionMetadata, error) {
-	appName := q.GetName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appLister.Applications(appNs).Get(appName)
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName())
 	if err != nil {
-		return nil, fmt.Errorf("error getting app by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -1438,14 +1445,9 @@ func isMatchingResource(q *application.ResourcesQuery, key kube.ResourceKey) boo
 }
 
 func (s *Server) ManagedResources(ctx context.Context, q *application.ResourcesQuery) (*application.ManagedResourcesResponse, error) {
-	appName := q.GetApplicationName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appLister.Applications(appNs).Get(appName)
+	a, err := s.getApplicationEnforceRBACInformer(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetApplicationName())
 	if err != nil {
-		return nil, fmt.Errorf("error getting application: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
-		return nil, fmt.Errorf("error verifying rbac: %w", err)
+		return nil, err
 	}
 
 	if a.Spec.Source.Plugin != nil && a.Spec.Source.Plugin.Name != "" {
@@ -1460,7 +1462,7 @@ func (s *Server) ManagedResources(ctx context.Context, q *application.ResourcesQ
 		return s.cache.GetAppManagedResources(a.InstanceName(s.ns), &items)
 	})
 	if err != nil {
-		return nil, fmt.Errorf("error getting cached app state: %w", err)
+		return nil, fmt.Errorf("error getting cached app managed resources: %w", err)
 	}
 	res := &application.ManagedResourcesResponse{}
 	for i := range items {
@@ -1507,14 +1509,8 @@ func (s *Server) PodLogs(q *application.ApplicationPodLogsQuery, ws application.
 		}
 	}
 
-	appName := q.GetName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	a, err := s.appLister.Applications(appNs).Get(appName)
+	a, err := s.getApplicationEnforceRBACInformer(ws.Context(), rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName())
 	if err != nil {
-		return fmt.Errorf("error getting application by name: %w", err)
-	}
-
-	if err := s.enf.EnforceErr(ws.Context().Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
 		return err
 	}
 
@@ -1712,12 +1708,9 @@ func isTheSelectedOne(currentNode *appv1.ResourceNode, q *application.Applicatio
 
 // Sync syncs an application to its target state
 func (s *Server) Sync(ctx context.Context, syncReq *application.ApplicationSyncRequest) (*appv1.Application, error) {
-	appName := syncReq.GetName()
-	appNs := s.appNamespaceOrDefault(syncReq.GetAppNamespace())
-	appIf := s.appclientset.ArgoprojV1alpha1().Applications(appNs)
-	a, err := appIf.Get(ctx, appName, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, syncReq.GetAppNamespace(), syncReq.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
+		return nil, err
 	}
 
 	proj, err := argo.GetAppProject(a, applisters.NewAppProjectLister(s.projInformer.GetIndexer()), s.ns, s.settingsMgr, s.db, ctx)
@@ -1809,6 +1802,9 @@ func (s *Server) Sync(ctx context.Context, syncReq *application.ApplicationSyncR
 		op.Retry = *retry
 	}
 
+	appName := syncReq.GetName()
+	appNs := s.appNamespaceOrDefault(syncReq.GetAppNamespace())
+	appIf := s.appclientset.ArgoprojV1alpha1().Applications(appNs)
 	a, err = argo.SetAppOperation(appIf, appName, &op)
 	if err != nil {
 		return nil, fmt.Errorf("error setting app operation: %w", err)
@@ -1826,14 +1822,8 @@ func (s *Server) Sync(ctx context.Context, syncReq *application.ApplicationSyncR
 }
 
 func (s *Server) Rollback(ctx context.Context, rollbackReq *application.ApplicationRollbackRequest) (*appv1.Application, error) {
-	appName := rollbackReq.GetName()
-	appNs := s.appNamespaceOrDefault(rollbackReq.GetAppNamespace())
-	appIf := s.appclientset.ArgoprojV1alpha1().Applications(appNs)
-	a, err := appIf.Get(ctx, appName, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionSync, rollbackReq.GetAppNamespace(), rollbackReq.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionSync, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -1886,6 +1876,9 @@ func (s *Server) Rollback(ctx context.Context, rollbackReq *application.Applicat
 		},
 		InitiatedBy: appv1.OperationInitiator{Username: session.Username(ctx)},
 	}
+	appName := rollbackReq.GetName()
+	appNs := s.appNamespaceOrDefault(rollbackReq.GetAppNamespace())
+	appIf := s.appclientset.ArgoprojV1alpha1().Applications(appNs)
 	a, err = argo.SetAppOperation(appIf, appName, &op)
 	if err != nil {
 		return nil, fmt.Errorf("error setting app operation: %w", err)
@@ -1935,11 +1928,8 @@ func (s *Server) resolveRevision(ctx context.Context, app *appv1.Application, sy
 func (s *Server) TerminateOperation(ctx context.Context, termOpReq *application.OperationTerminateRequest) (*application.OperationTerminateResponse, error) {
 	appName := termOpReq.GetName()
 	appNs := s.appNamespaceOrDefault(termOpReq.GetAppNamespace())
-	a, err := s.appclientset.ArgoprojV1alpha1().Applications(appNs).Get(ctx, appName, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionSync, appNs, appName, "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
-	}
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionSync, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -2011,10 +2001,9 @@ func (s *Server) ListResourceActions(ctx context.Context, q *application.Applica
 
 func (s *Server) getUnstructuredLiveResourceOrApp(ctx context.Context, rbacRequest string, q *application.ApplicationResourceRequest) (obj *unstructured.Unstructured, res *appv1.ResourceNode, app *appv1.Application, config *rest.Config, err error) {
 	if q.GetKind() == "Application" && q.GetGroup() == "argoproj.io" && q.GetName() == q.GetResourceName() {
-		namespace := s.appNamespaceOrDefault(q.GetAppNamespace())
-		app, err = s.appLister.Applications(namespace).Get(q.GetName())
+		app, err = s.getApplicationEnforceRBACInformer(ctx, rbacRequest, q.GetAppNamespace(), q.GetName())
 		if err != nil {
-			return nil, nil, nil, nil, fmt.Errorf("error getting app by name: %w", err)
+			return nil, nil, nil, nil, err
 		}
 		if err = s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacRequest, app.RBACName(s.ns)); err != nil {
 			return nil, nil, nil, nil, err
@@ -2027,7 +2016,7 @@ func (s *Server) getUnstructuredLiveResourceOrApp(ctx context.Context, rbacReque
 	} else {
 		res, config, app, err = s.getAppLiveResource(ctx, rbacRequest, q)
 		if err != nil {
-			return nil, nil, nil, nil, fmt.Errorf("error getting app live resource: %w", err)
+			return nil, nil, nil, nil, err
 		}
 		obj, err = s.kubectl.GetResource(ctx, config, res.GroupKindVersion(), res.Name, res.Namespace)
 	}
@@ -2197,15 +2186,8 @@ func (s *Server) plugins() ([]*v1alpha1.ConfigManagementPlugin, error) {
 }
 
 func (s *Server) GetApplicationSyncWindows(ctx context.Context, q *application.ApplicationSyncWindowsQuery) (*application.ApplicationSyncWindowsResponse, error) {
-	appName := q.GetName()
-	appNs := s.appNamespaceOrDefault(q.GetAppNamespace())
-	appIf := s.appclientset.ArgoprojV1alpha1().Applications(appNs)
-	a, err := appIf.Get(ctx, appName, metav1.GetOptions{})
+	a, err := s.getApplicationEnforceRBACClient(ctx, rbacpolicy.ActionGet, q.GetAppNamespace(), q.GetName(), "")
 	if err != nil {
-		return nil, fmt.Errorf("error getting application by name: %w", err)
-	}
-
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, a.RBACName(s.ns)); err != nil {
 		return nil, err
 	}
 
@@ -2292,3 +2274,12 @@ func (s *Server) appNamespaceOrDefault(appNs string) string {
 func (s *Server) isNamespaceEnabled(namespace string) bool {
 	return security.IsNamespaceEnabled(namespace, s.ns, s.enabledNamespaces)
 }
+
+// getProjectFromApplicationQuery gets the project names from a query. If the legacy "project" field was specified, use
+// that. Otherwise, use the newer "projects" field.
+func getProjectsFromApplicationQuery(q application.ApplicationQuery) []string {
+	if q.Project != nil {
+		return q.Project
+	}
+	return q.Projects
+}

server/application/application.proto

@@ -29,6 +29,8 @@ message ApplicationQuery {
 	optional string repo = 6;
 	// the application's namespace
 	optional string appNamespace = 7;
+	// the project names to restrict returned list applications (legacy name for backwards-compatibility)
+	repeated string project = 8;
 }
 
 message NodeQuery {

server/application/application_test.go

@@ -4,12 +4,15 @@ import (
 	"context"
 	coreerrors "errors"
 	"fmt"
+	"io"
+	"strconv"
 	"sync/atomic"
 	"testing"
 	"time"
 
 	"github.com/argoproj/gitops-engine/pkg/health"
 	synccommon "github.com/argoproj/gitops-engine/pkg/sync/common"
+	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest"
 	"github.com/argoproj/pkg/sync"
 	"github.com/ghodss/yaml"
@@ -18,13 +21,17 @@ import (
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
+	k8sappsv1 "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
 	"k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/rest"
 	kubetesting "k8s.io/client-go/testing"
 	k8scache "k8s.io/client-go/tools/cache"
 	"k8s.io/utils/pointer"
@@ -36,6 +43,7 @@ import (
 	appinformer "github.com/argoproj/argo-cd/v2/pkg/client/informers/externalversions"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient"
 	"github.com/argoproj/argo-cd/v2/reposerver/apiclient/mocks"
+	appmocks "github.com/argoproj/argo-cd/v2/server/application/mocks"
 	servercache "github.com/argoproj/argo-cd/v2/server/cache"
 	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
 	"github.com/argoproj/argo-cd/v2/test"
@@ -98,6 +106,11 @@ func fakeRepoServerClient(isHelm bool) *mocks.RepoServerServiceClient {
 	mockRepoServiceClient.On("GenerateManifest", mock.Anything, mock.Anything).Return(&apiclient.ManifestResponse{}, nil)
 	mockRepoServiceClient.On("GetAppDetails", mock.Anything, mock.Anything).Return(&apiclient.RepoAppDetailsResponse{}, nil)
 	mockRepoServiceClient.On("TestRepository", mock.Anything, mock.Anything).Return(&apiclient.TestRepositoryResponse{}, nil)
+	mockRepoServiceClient.On("GetRevisionMetadata", mock.Anything, mock.Anything).Return(&appsv1.RevisionMetadata{}, nil)
+	mockWithFilesClient := &mocks.RepoServerService_GenerateManifestWithFilesClient{}
+	mockWithFilesClient.On("Send", mock.Anything).Return(nil)
+	mockWithFilesClient.On("CloseAndRecv").Return(&apiclient.ManifestResponse{}, nil)
+	mockRepoServiceClient.On("GenerateManifestWithFiles", mock.Anything, mock.Anything).Return(mockWithFilesClient, nil)
 
 	if isHelm {
 		mockRepoServiceClient.On("ResolveRevision", mock.Anything, mock.Anything).Return(fakeResolveRevesionResponseHelm(), nil)
@@ -109,15 +122,15 @@ func fakeRepoServerClient(isHelm bool) *mocks.RepoServerServiceClient {
 }
 
 // return an ApplicationServiceServer which returns fake data
-func newTestAppServer(objects ...runtime.Object) *Server {
+func newTestAppServer(t *testing.T, objects ...runtime.Object) *Server {
 	f := func(enf *rbac.Enforcer) {
 		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
 		enf.SetDefaultRole("role:admin")
 	}
-	return newTestAppServerWithEnforcerConfigure(f, objects...)
+	return newTestAppServerWithEnforcerConfigure(f, t, objects...)
 }
 
-func newTestAppServerWithEnforcerConfigure(f func(*rbac.Enforcer), objects ...runtime.Object) *Server {
+func newTestAppServerWithEnforcerConfigure(f func(*rbac.Enforcer), t *testing.T, objects ...runtime.Object) *Server {
 	kubeclientset := fake.NewSimpleClientset(&v1.ConfigMap{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: testNamespace,
@@ -202,15 +215,83 @@ func newTestAppServerWithEnforcerConfigure(f func(*rbac.Enforcer), objects ...ru
 		panic("Timed out waiting for caches to sync")
 	}
 
+	broadcaster := new(appmocks.Broadcaster)
+	broadcaster.On("Subscribe", mock.Anything, mock.Anything).Return(func() {}).Run(func(args mock.Arguments) {
+		// Simulate the broadcaster notifying the subscriber of an application update.
+		// The second parameter to Subscribe is filters. For the purposes of tests, we ignore the filters. Future tests
+		// might require implementing those.
+		go func() {
+			events := args.Get(0).(chan *appsv1.ApplicationWatchEvent)
+			for _, obj := range objects {
+				app, ok := obj.(*appsv1.Application)
+				if ok {
+					oldVersion, err := strconv.Atoi(app.ResourceVersion)
+					if err != nil {
+						oldVersion = 0
+					}
+					clonedApp := app.DeepCopy()
+					clonedApp.ResourceVersion = fmt.Sprintf("%d", oldVersion+1)
+					events <- &appsv1.ApplicationWatchEvent{Type: watch.Added, Application: *clonedApp}
+				}
+			}
+		}()
+	})
+	broadcaster.On("OnAdd", mock.Anything).Return()
+	broadcaster.On("OnUpdate", mock.Anything, mock.Anything).Return()
+	broadcaster.On("OnDelete", mock.Anything).Return()
+
+	appStateCache := appstate.NewCache(cache.NewCache(cache.NewInMemoryCache(time.Hour)), time.Hour)
+	// pre-populate the app cache
+	for _, obj := range objects {
+		app, ok := obj.(*appsv1.Application)
+		if ok {
+			err := appStateCache.SetAppManagedResources(app.Name, []*appsv1.ResourceDiff{})
+			require.NoError(t, err)
+
+			// Pre-populate the resource tree based on the app's resources.
+			nodes := make([]appsv1.ResourceNode, len(app.Status.Resources))
+			for i, res := range app.Status.Resources {
+				nodes[i] = appsv1.ResourceNode{
+					ResourceRef: appsv1.ResourceRef{
+						Group:     res.Group,
+						Kind:      res.Kind,
+						Version:   res.Version,
+						Name:      res.Name,
+						Namespace: res.Namespace,
+						UID:       "fake",
+					},
+				}
+			}
+			err = appStateCache.SetAppResourcesTree(app.Name, &appsv1.ApplicationTree{
+				Nodes: nodes,
+			})
+			require.NoError(t, err)
+		}
+	}
+	appCache := servercache.NewCache(appStateCache, time.Hour, time.Hour, time.Hour)
+
+	kubectl := &kubetest.MockKubectlCmd{}
+	kubectl = kubectl.WithGetResourceFunc(func(_ context.Context, _ *rest.Config, gvk schema.GroupVersionKind, name string, namespace string) (*unstructured.Unstructured, error) {
+		for _, obj := range objects {
+			if obj.GetObjectKind().GroupVersionKind().GroupKind() == gvk.GroupKind() {
+				if obj, ok := obj.(*unstructured.Unstructured); ok && obj.GetName() == name && obj.GetNamespace() == namespace {
+					return obj, nil
+				}
+			}
+		}
+		return nil, nil
+	})
+
 	server, _ := NewServer(
 		testNamespace,
 		kubeclientset,
 		fakeAppsClientset,
 		factory.Argoproj().V1alpha1().Applications().Lister(),
 		appInformer,
+		broadcaster,
 		mockRepoClient,
-		nil,
-		&kubetest.MockKubectlCmd{},
+		appCache,
+		kubectl,
 		db,
 		enforcer,
 		sync.NewKeyLock(),
@@ -301,8 +382,405 @@ func createTestApp(testApp string, opts ...func(app *appsv1.Application)) *appsv
 	return &app
 }
 
+type TestServerStream struct {
+	ctx        context.Context
+	appName    string
+	headerSent bool
+}
+
+func (t *TestServerStream) SetHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestServerStream) SendHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestServerStream) SetTrailer(metadata.MD) {}
+
+func (t *TestServerStream) Context() context.Context {
+	return t.ctx
+}
+
+func (t *TestServerStream) SendMsg(m interface{}) error {
+	return nil
+}
+
+func (t *TestServerStream) RecvMsg(m interface{}) error {
+	return nil
+}
+
+func (t *TestServerStream) SendAndClose(r *apiclient.ManifestResponse) error {
+	return nil
+}
+
+func (t *TestServerStream) Recv() (*application.ApplicationManifestQueryWithFilesWrapper, error) {
+	if !t.headerSent {
+		t.headerSent = true
+		return &application.ApplicationManifestQueryWithFilesWrapper{Part: &application.ApplicationManifestQueryWithFilesWrapper_Query{
+			Query: &application.ApplicationManifestQueryWithFiles{
+				Name:     pointer.String(t.appName),
+				Checksum: pointer.String(""),
+			},
+		}}, nil
+	}
+	return nil, io.EOF
+}
+
+func (t *TestServerStream) ServerStream() TestServerStream {
+	return TestServerStream{}
+}
+
+type TestResourceTreeServer struct {
+	ctx context.Context
+}
+
+func (t *TestResourceTreeServer) Send(tree *appsv1.ApplicationTree) error {
+	return nil
+}
+
+func (t *TestResourceTreeServer) SetHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestResourceTreeServer) SendHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestResourceTreeServer) SetTrailer(metadata.MD) {}
+
+func (t *TestResourceTreeServer) Context() context.Context {
+	return t.ctx
+}
+
+func (t *TestResourceTreeServer) SendMsg(m interface{}) error {
+	return nil
+}
+
+func (t *TestResourceTreeServer) RecvMsg(m interface{}) error {
+	return nil
+}
+
+type TestPodLogsServer struct {
+	ctx context.Context
+}
+
+func (t *TestPodLogsServer) Send(log *application.LogEntry) error {
+	return nil
+}
+
+func (t *TestPodLogsServer) SetHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestPodLogsServer) SendHeader(metadata.MD) error {
+	return nil
+}
+
+func (t *TestPodLogsServer) SetTrailer(metadata.MD) {}
+
+func (t *TestPodLogsServer) Context() context.Context {
+	return t.ctx
+}
+
+func (t *TestPodLogsServer) SendMsg(m interface{}) error {
+	return nil
+}
+
+func (t *TestPodLogsServer) RecvMsg(m interface{}) error {
+	return nil
+}
+
+func TestNoAppEnumeration(t *testing.T) {
+	// This test ensures that malicious users can't infer the existence or non-existence of Applications by inspecting
+	// error messages. The errors for "app does not exist" must be the same as errors for "you aren't allowed to
+	// interact with this app."
+
+	// These tests are only important on API calls where the full app RBAC name (project, namespace, and name) is _not_
+	// known based on the query parameters. For example, the Create call cannot leak existence of Applications, because
+	// the Application's project, namespace, and name are all specified in the API call. The call can be rejected
+	// immediately if the user does not have access. But the Delete endpoint may be called with just the Application
+	// name. So we cannot return a different error message for "does not exist" and "you don't have delete permissions,"
+	// because the user could infer that the Application exists if they do not get the "does not exist" message. For
+	// endpoints that do not require the full RBAC name, we must return a generic "permission denied" for both "does not
+	// exist" and "no access."
+
+	f := func(enf *rbac.Enforcer) {
+		_ = enf.SetBuiltinPolicy(assets.BuiltinPolicyCSV)
+		enf.SetDefaultRole("role:none")
+	}
+	deployment := k8sappsv1.Deployment{
+		TypeMeta: metav1.TypeMeta{
+			APIVersion: "apps/v1",
+			Kind:       "Deployment",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test",
+			Namespace: "test",
+		},
+	}
+	testApp := newTestApp(func(app *appsv1.Application) {
+		app.Name = "test"
+		app.Status.Resources = []appsv1.ResourceStatus{
+			{
+				Group:     deployment.GroupVersionKind().Group,
+				Kind:      deployment.GroupVersionKind().Kind,
+				Version:   deployment.GroupVersionKind().Version,
+				Name:      deployment.Name,
+				Namespace: deployment.Namespace,
+				Status:    "Synced",
+			},
+		}
+		app.Status.History = []appsv1.RevisionHistory{
+			{
+				ID: 0,
+				Source: appsv1.ApplicationSource{
+					TargetRevision: "something-old",
+				},
+			},
+		}
+	})
+	testDeployment := kube.MustToUnstructured(&deployment)
+	appServer := newTestAppServerWithEnforcerConfigure(f, t, testApp, testDeployment)
+
+	noRoleCtx := context.Background()
+	// nolint:staticcheck
+	adminCtx := context.WithValue(noRoleCtx, "claims", &jwt.MapClaims{"groups": []string{"admin"}})
+
+	t.Run("Get", func(t *testing.T) {
+		_, err := appServer.Get(adminCtx, &application.ApplicationQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.Get(noRoleCtx, &application.ApplicationQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Get(adminCtx, &application.ApplicationQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("GetManifests", func(t *testing.T) {
+		_, err := appServer.GetManifests(adminCtx, &application.ApplicationManifestQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.GetManifests(noRoleCtx, &application.ApplicationManifestQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.GetManifests(adminCtx, &application.ApplicationManifestQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("ListResourceEvents", func(t *testing.T) {
+		_, err := appServer.ListResourceEvents(adminCtx, &application.ApplicationResourceEventsQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.ListResourceEvents(noRoleCtx, &application.ApplicationResourceEventsQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ListResourceEvents(adminCtx, &application.ApplicationResourceEventsQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("UpdateSpec", func(t *testing.T) {
+		_, err := appServer.UpdateSpec(adminCtx, &application.ApplicationUpdateSpecRequest{Name: pointer.String("test"), Spec: &appsv1.ApplicationSpec{
+			Destination: appsv1.ApplicationDestination{Namespace: "default", Server: "https://cluster-api.com"},
+			Source:      appsv1.ApplicationSource{RepoURL: "https://some-fake-source", Path: "."},
+		}})
+		assert.NoError(t, err)
+		_, err = appServer.UpdateSpec(noRoleCtx, &application.ApplicationUpdateSpecRequest{Name: pointer.String("test"), Spec: &appsv1.ApplicationSpec{
+			Destination: appsv1.ApplicationDestination{Namespace: "default", Server: "https://cluster-api.com"},
+			Source:      appsv1.ApplicationSource{RepoURL: "https://some-fake-source", Path: "."},
+		}})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.UpdateSpec(adminCtx, &application.ApplicationUpdateSpecRequest{Name: pointer.String("doest-not-exist"), Spec: &appsv1.ApplicationSpec{
+			Destination: appsv1.ApplicationDestination{Namespace: "default", Server: "https://cluster-api.com"},
+			Source:      appsv1.ApplicationSource{RepoURL: "https://some-fake-source", Path: "."},
+		}})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("Patch", func(t *testing.T) {
+		_, err := appServer.Patch(adminCtx, &application.ApplicationPatchRequest{Name: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/source/path", "value": "foo"}]`)})
+		assert.NoError(t, err)
+		_, err = appServer.Patch(noRoleCtx, &application.ApplicationPatchRequest{Name: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/source/path", "value": "foo"}]`)})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Patch(adminCtx, &application.ApplicationPatchRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("GetResource", func(t *testing.T) {
+		_, err := appServer.GetResource(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.GetResource(noRoleCtx, &application.ApplicationResourceRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.GetResource(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("doest-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("PatchResource", func(t *testing.T) {
+		_, err := appServer.PatchResource(adminCtx, &application.ApplicationResourcePatchRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/replicas", "value": 3}]`)})
+		// This will always throw an error, because the kubectl mock for PatchResource is hard-coded to return nil.
+		// The best we can do is to confirm we get past the permission check.
+		assert.NotEqual(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.PatchResource(noRoleCtx, &application.ApplicationResourcePatchRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/replicas", "value": 3}]`)})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.PatchResource(adminCtx, &application.ApplicationResourcePatchRequest{Name: pointer.String("doest-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Patch: pointer.String(`[{"op": "replace", "path": "/spec/replicas", "value": 3}]`)})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("DeleteResource", func(t *testing.T) {
+		_, err := appServer.DeleteResource(adminCtx, &application.ApplicationResourceDeleteRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.DeleteResource(noRoleCtx, &application.ApplicationResourceDeleteRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.DeleteResource(adminCtx, &application.ApplicationResourceDeleteRequest{Name: pointer.String("doest-not-exist"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("ResourceTree", func(t *testing.T) {
+		_, err := appServer.ResourceTree(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.ResourceTree(noRoleCtx, &application.ResourcesQuery{ApplicationName: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ResourceTree(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("RevisionMetadata", func(t *testing.T) {
+		_, err := appServer.RevisionMetadata(adminCtx, &application.RevisionMetadataQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.RevisionMetadata(noRoleCtx, &application.RevisionMetadataQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.RevisionMetadata(adminCtx, &application.RevisionMetadataQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("ManagedResources", func(t *testing.T) {
+		_, err := appServer.ManagedResources(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.ManagedResources(noRoleCtx, &application.ResourcesQuery{ApplicationName: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ManagedResources(adminCtx, &application.ResourcesQuery{ApplicationName: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("Sync", func(t *testing.T) {
+		_, err := appServer.Sync(adminCtx, &application.ApplicationSyncRequest{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.Sync(noRoleCtx, &application.ApplicationSyncRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Sync(adminCtx, &application.ApplicationSyncRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("TerminateOperation", func(t *testing.T) {
+		// The sync operation is already started from the previous test. We just need to set the field that the
+		// controller would set if this were an actual Argo CD environment.
+		setSyncRunningOperationState(t, appServer)
+		_, err := appServer.TerminateOperation(adminCtx, &application.OperationTerminateRequest{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.TerminateOperation(noRoleCtx, &application.OperationTerminateRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.TerminateOperation(adminCtx, &application.OperationTerminateRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("Rollback", func(t *testing.T) {
+		unsetSyncRunningOperationState(t, appServer)
+		_, err := appServer.Rollback(adminCtx, &application.ApplicationRollbackRequest{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.Rollback(noRoleCtx, &application.ApplicationRollbackRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Rollback(adminCtx, &application.ApplicationRollbackRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("ListResourceActions", func(t *testing.T) {
+		_, err := appServer.ListResourceActions(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.ListResourceActions(noRoleCtx, &application.ApplicationResourceRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ListResourceActions(noRoleCtx, &application.ApplicationResourceRequest{Group: pointer.String("argoproj.io"), Kind: pointer.String("Application"), Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.ListResourceActions(adminCtx, &application.ApplicationResourceRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("RunResourceAction", func(t *testing.T) {
+		_, err := appServer.RunResourceAction(adminCtx, &application.ResourceActionRunRequest{Name: pointer.String("test"), ResourceName: pointer.String("test"), Group: pointer.String("apps"), Kind: pointer.String("Deployment"), Namespace: pointer.String("test"), Action: pointer.String("restart")})
+		assert.NoError(t, err)
+		_, err = appServer.RunResourceAction(noRoleCtx, &application.ResourceActionRunRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.RunResourceAction(noRoleCtx, &application.ResourceActionRunRequest{Group: pointer.String("argoproj.io"), Kind: pointer.String("Application"), Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.RunResourceAction(adminCtx, &application.ResourceActionRunRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("GetApplicationSyncWindows", func(t *testing.T) {
+		_, err := appServer.GetApplicationSyncWindows(adminCtx, &application.ApplicationSyncWindowsQuery{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.GetApplicationSyncWindows(noRoleCtx, &application.ApplicationSyncWindowsQuery{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.GetApplicationSyncWindows(adminCtx, &application.ApplicationSyncWindowsQuery{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("GetManifestsWithFiles", func(t *testing.T) {
+		err := appServer.GetManifestsWithFiles(&TestServerStream{ctx: adminCtx, appName: "test"})
+		assert.NoError(t, err)
+		err = appServer.GetManifestsWithFiles(&TestServerStream{ctx: noRoleCtx, appName: "test"})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		err = appServer.GetManifestsWithFiles(&TestServerStream{ctx: adminCtx, appName: "does-not-exist"})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("WatchResourceTree", func(t *testing.T) {
+		err := appServer.WatchResourceTree(&application.ResourcesQuery{ApplicationName: pointer.String("test")}, &TestResourceTreeServer{ctx: adminCtx})
+		assert.NoError(t, err)
+		err = appServer.WatchResourceTree(&application.ResourcesQuery{ApplicationName: pointer.String("test")}, &TestResourceTreeServer{ctx: noRoleCtx})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		err = appServer.WatchResourceTree(&application.ResourcesQuery{ApplicationName: pointer.String("does-not-exist")}, &TestResourceTreeServer{ctx: adminCtx})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	t.Run("PodLogs", func(t *testing.T) {
+		err := appServer.PodLogs(&application.ApplicationPodLogsQuery{Name: pointer.String("test")}, &TestPodLogsServer{ctx: adminCtx})
+		assert.NoError(t, err)
+		err = appServer.PodLogs(&application.ApplicationPodLogsQuery{Name: pointer.String("test")}, &TestPodLogsServer{ctx: noRoleCtx})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		err = appServer.PodLogs(&application.ApplicationPodLogsQuery{Name: pointer.String("does-not-exist")}, &TestPodLogsServer{ctx: adminCtx})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+
+	// Do this last so other stuff doesn't fail.
+	t.Run("Delete", func(t *testing.T) {
+		_, err := appServer.Delete(adminCtx, &application.ApplicationDeleteRequest{Name: pointer.String("test")})
+		assert.NoError(t, err)
+		_, err = appServer.Delete(noRoleCtx, &application.ApplicationDeleteRequest{Name: pointer.String("test")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+		_, err = appServer.Delete(adminCtx, &application.ApplicationDeleteRequest{Name: pointer.String("doest-not-exist")})
+		assert.Equal(t, permissionDeniedErr.Error(), err.Error(), "error message must be _only_ the permission error, to avoid leaking information about app existence")
+	})
+}
+
+// setSyncRunningOperationState simulates starting a sync operation on the given app.
+func setSyncRunningOperationState(t *testing.T, appServer *Server) {
+	appIf := appServer.appclientset.ArgoprojV1alpha1().Applications("default")
+	app, err := appIf.Get(context.Background(), "test", metav1.GetOptions{})
+	require.NoError(t, err)
+	// This sets the status that would be set by the controller usually.
+	app.Status.OperationState = &appsv1.OperationState{Phase: synccommon.OperationRunning, Operation: appsv1.Operation{Sync: &appsv1.SyncOperation{}}}
+	_, err = appIf.Update(context.Background(), app, metav1.UpdateOptions{})
+	require.NoError(t, err)
+}
+
+// unsetSyncRunningOperationState simulates finishing a sync operation on the given app.
+func unsetSyncRunningOperationState(t *testing.T, appServer *Server) {
+	appIf := appServer.appclientset.ArgoprojV1alpha1().Applications("default")
+	app, err := appIf.Get(context.Background(), "test", metav1.GetOptions{})
+	require.NoError(t, err)
+	app.Operation = nil
+	app.Status.OperationState = nil
+	_, err = appIf.Update(context.Background(), app, metav1.UpdateOptions{})
+	require.NoError(t, err)
+}
+
 func TestListAppsInNamespaceWithLabels(t *testing.T) {
-	appServer := newTestAppServer(newTestApp(func(app *appsv1.Application) {
+	appServer := newTestAppServer(t, newTestApp(func(app *appsv1.Application) {
 		app.Name = "App1"
 		app.ObjectMeta.Namespace = "test-namespace"
 		app.SetLabels(map[string]string{"key1": "value1", "key2": "value1"})
@@ -323,7 +801,7 @@ func TestListAppsInNamespaceWithLabels(t *testing.T) {
 }
 
 func TestListAppsInDefaultNSWithLabels(t *testing.T) {
-	appServer := newTestAppServer(newTestApp(func(app *appsv1.Application) {
+	appServer := newTestAppServer(t, newTestApp(func(app *appsv1.Application) {
 		app.Name = "App1"
 		app.SetLabels(map[string]string{"key1": "value1", "key2": "value1"})
 	}), newTestApp(func(app *appsv1.Application) {
@@ -401,8 +879,59 @@ func testListAppsWithLabels(t *testing.T, appQuery application.ApplicationQuery,
 	}
 }
 
+func TestListAppWithProjects(t *testing.T) {
+	appServer := newTestAppServer(t, newTestApp(func(app *appsv1.Application) {
+		app.Name = "App1"
+		app.Spec.Project = "test-project1"
+	}), newTestApp(func(app *appsv1.Application) {
+		app.Name = "App2"
+		app.Spec.Project = "test-project2"
+	}), newTestApp(func(app *appsv1.Application) {
+		app.Name = "App3"
+		app.Spec.Project = "test-project3"
+	}))
+
+	t.Run("List all apps", func(t *testing.T) {
+		appQuery := application.ApplicationQuery{}
+		appList, err := appServer.List(context.Background(), &appQuery)
+		assert.NoError(t, err)
+		assert.Len(t, appList.Items, 3)
+	})
+
+	t.Run("List apps with projects filter set", func(t *testing.T) {
+		appQuery := application.ApplicationQuery{Projects: []string{"test-project1"}}
+		appList, err := appServer.List(context.Background(), &appQuery)
+		assert.NoError(t, err)
+		assert.Len(t, appList.Items, 1)
+		for _, app := range appList.Items {
+			assert.Equal(t, "test-project1", app.Spec.Project)
+		}
+	})
+
+	t.Run("List apps with project filter set (legacy field)", func(t *testing.T) {
+		appQuery := application.ApplicationQuery{Project: []string{"test-project1"}}
+		appList, err := appServer.List(context.Background(), &appQuery)
+		assert.NoError(t, err)
+		assert.Len(t, appList.Items, 1)
+		for _, app := range appList.Items {
+			assert.Equal(t, "test-project1", app.Spec.Project)
+		}
+	})
+
+	t.Run("List apps with both projects and project filter set", func(t *testing.T) {
+		// If the older field is present, we should use it instead of the newer field.
+		appQuery := application.ApplicationQuery{Project: []string{"test-project1"}, Projects: []string{"test-project2"}}
+		appList, err := appServer.List(context.Background(), &appQuery)
+		assert.NoError(t, err)
+		assert.Len(t, appList.Items, 1)
+		for _, app := range appList.Items {
+			assert.Equal(t, "test-project1", app.Spec.Project)
+		}
+	})
+}
+
 func TestListApps(t *testing.T) {
-	appServer := newTestAppServer(newTestApp(func(app *appsv1.Application) {
+	appServer := newTestAppServer(t, newTestApp(func(app *appsv1.Application) {
 		app.Name = "bcd"
 	}), newTestApp(func(app *appsv1.Application) {
 		app.Name = "abc"
@@ -450,7 +979,7 @@ g, group-49, role:test3
 `
 		_ = enf.SetUserPolicy(policy)
 	}
-	appServer := newTestAppServerWithEnforcerConfigure(f, objects...)
+	appServer := newTestAppServerWithEnforcerConfigure(f, t, objects...)
 
 	res, err := appServer.List(ctx, &application.ApplicationQuery{})
 
@@ -464,7 +993,7 @@ g, group-49, role:test3
 
 func TestCreateApp(t *testing.T) {
 	testApp := newTestApp()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp.Spec.Project = ""
 	createReq := application.ApplicationCreateRequest{
 		Application: testApp,
@@ -477,7 +1006,7 @@ func TestCreateApp(t *testing.T) {
 }
 
 func TestCreateAppWithDestName(t *testing.T) {
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp := newTestAppWithDestName()
 	createReq := application.ApplicationCreateRequest{
 		Application: testApp,
@@ -490,7 +1019,7 @@ func TestCreateAppWithDestName(t *testing.T) {
 
 func TestUpdateApp(t *testing.T) {
 	testApp := newTestApp()
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	testApp.Spec.Project = ""
 	app, err := appServer.Update(context.Background(), &application.ApplicationUpdateRequest{
 		Application: testApp,
@@ -501,7 +1030,7 @@ func TestUpdateApp(t *testing.T) {
 
 func TestUpdateAppSpec(t *testing.T) {
 	testApp := newTestApp()
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	testApp.Spec.Project = ""
 	spec, err := appServer.UpdateSpec(context.Background(), &application.ApplicationUpdateSpecRequest{
 		Name: &testApp.Name,
@@ -516,7 +1045,7 @@ func TestUpdateAppSpec(t *testing.T) {
 
 func TestDeleteApp(t *testing.T) {
 	ctx := context.Background()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	createReq := application.ApplicationCreateRequest{
 		Application: newTestApp(),
 	}
@@ -601,20 +1130,9 @@ func TestDeleteApp(t *testing.T) {
 	})
 }
 
-func TestDeleteApp_InvalidName(t *testing.T) {
-	appServer := newTestAppServer()
-	_, err := appServer.Delete(context.Background(), &application.ApplicationDeleteRequest{
-		Name: pointer.StringPtr("foo"),
-	})
-	if !assert.Error(t, err) {
-		return
-	}
-	assert.True(t, apierrors.IsNotFound(err))
-}
-
 func TestSyncAndTerminate(t *testing.T) {
 	ctx := context.Background()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp := newTestApp()
 	testApp.Spec.Source.RepoURL = "https://github.com/argoproj/argo-cd.git"
 	createReq := application.ApplicationCreateRequest{
@@ -654,7 +1172,7 @@ func TestSyncAndTerminate(t *testing.T) {
 
 func TestSyncHelm(t *testing.T) {
 	ctx := context.Background()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp := newTestApp()
 	testApp.Spec.Source.RepoURL = "https://argoproj.github.io/argo-helm"
 	testApp.Spec.Source.Path = ""
@@ -678,7 +1196,7 @@ func TestSyncHelm(t *testing.T) {
 
 func TestSyncGit(t *testing.T) {
 	ctx := context.Background()
-	appServer := newTestAppServer()
+	appServer := newTestAppServer(t)
 	testApp := newTestApp()
 	testApp.Spec.Source.RepoURL = "https://github.com/org/test"
 	testApp.Spec.Source.Path = "deploy"
@@ -711,7 +1229,7 @@ func TestRollbackApp(t *testing.T) {
 		Revision: "abc",
 		Source:   *testApp.Spec.Source.DeepCopy(),
 	}}
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 
 	updatedApp, err := appServer.Rollback(context.Background(), &application.ApplicationRollbackRequest{
 		Name: &testApp.Name,
@@ -731,56 +1249,63 @@ func TestUpdateAppProject(t *testing.T) {
 	ctx := context.Background()
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, "claims", &jwt.StandardClaims{Subject: "admin"})
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	appServer.enf.SetDefaultRole("")
 
-	// Verify normal update works (without changing project)
-	_ = appServer.enf.SetBuiltinPolicy(`p, admin, applications, update, default/test-app, allow`)
-	_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	assert.NoError(t, err)
+	t.Run("update without changing project", func(t *testing.T) {
+		_ = appServer.enf.SetBuiltinPolicy(`p, admin, applications, update, default/test-app, allow`)
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		assert.NoError(t, err)
+	})
 
-	// Verify caller cannot update to another project
-	testApp.Spec.Project = "my-proj"
-	_, err = appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	assert.Equal(t, status.Code(err), codes.PermissionDenied)
+	t.Run("cannot update to another project", func(t *testing.T) {
+		testApp.Spec.Project = "my-proj"
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		assert.Equal(t, status.Code(err), codes.PermissionDenied)
+	})
 
-	// Verify inability to change projects without create privileges in new project
-	_ = appServer.enf.SetBuiltinPolicy(`
+	t.Run("cannot change projects without create privileges", func(t *testing.T) {
+		_ = appServer.enf.SetBuiltinPolicy(`
 p, admin, applications, update, default/test-app, allow
 p, admin, applications, update, my-proj/test-app, allow
 `)
-	_, err = appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	statusErr := grpc.UnwrapGRPCStatus(err)
-	assert.NotNil(t, statusErr)
-	assert.Equal(t, codes.PermissionDenied, statusErr.Code())
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		statusErr := grpc.UnwrapGRPCStatus(err)
+		assert.NotNil(t, statusErr)
+		assert.Equal(t, codes.PermissionDenied, statusErr.Code())
+	})
 
-	// Verify inability to change projects without update privileges in new project
-	_ = appServer.enf.SetBuiltinPolicy(`
+	t.Run("cannot change projects without update privileges in new project", func(t *testing.T) {
+		_ = appServer.enf.SetBuiltinPolicy(`
 p, admin, applications, update, default/test-app, allow
 p, admin, applications, create, my-proj/test-app, allow
 `)
-	_, err = appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	assert.Equal(t, status.Code(err), codes.PermissionDenied)
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		assert.Equal(t, status.Code(err), codes.PermissionDenied)
+	})
 
-	// Verify inability to change projects without update privileges in old project
-	_ = appServer.enf.SetBuiltinPolicy(`
+	t.Run("cannot change projects without update privileges in old project", func(t *testing.T) {
+		_ = appServer.enf.SetBuiltinPolicy(`
 p, admin, applications, create, my-proj/test-app, allow
 p, admin, applications, update, my-proj/test-app, allow
 `)
-	_, err = appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	statusErr = grpc.UnwrapGRPCStatus(err)
-	assert.NotNil(t, statusErr)
-	assert.Equal(t, codes.PermissionDenied, statusErr.Code())
+		_, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		statusErr := grpc.UnwrapGRPCStatus(err)
+		assert.NotNil(t, statusErr)
+		assert.Equal(t, codes.PermissionDenied, statusErr.Code())
+	})
 
-	// Verify can update project with proper permissions
-	_ = appServer.enf.SetBuiltinPolicy(`
+	t.Run("can update project with proper permissions", func(t *testing.T) {
+		// Verify can update project with proper permissions
+		_ = appServer.enf.SetBuiltinPolicy(`
 p, admin, applications, update, default/test-app, allow
 p, admin, applications, create, my-proj/test-app, allow
 p, admin, applications, update, my-proj/test-app, allow
 `)
-	updatedApp, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
-	assert.NoError(t, err)
-	assert.Equal(t, "my-proj", updatedApp.Spec.Project)
+		updatedApp, err := appServer.Update(ctx, &application.ApplicationUpdateRequest{Application: testApp})
+		assert.NoError(t, err)
+		assert.Equal(t, "my-proj", updatedApp.Spec.Project)
+	})
 }
 
 func TestAppJsonPatch(t *testing.T) {
@@ -788,7 +1313,7 @@ func TestAppJsonPatch(t *testing.T) {
 	ctx := context.Background()
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, "claims", &jwt.StandardClaims{Subject: "admin"})
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	appServer.enf.SetDefaultRole("")
 
 	app, err := appServer.Patch(ctx, &application.ApplicationPatchRequest{Name: &testApp.Name, Patch: pointer.String("garbage")})
@@ -813,7 +1338,7 @@ func TestAppMergePatch(t *testing.T) {
 	ctx := context.Background()
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, "claims", &jwt.StandardClaims{Subject: "admin"})
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	appServer.enf.SetDefaultRole("")
 
 	app, err := appServer.Patch(ctx, &application.ApplicationPatchRequest{
@@ -826,7 +1351,7 @@ func TestServer_GetApplicationSyncWindowsState(t *testing.T) {
 	t.Run("Active", func(t *testing.T) {
 		testApp := newTestApp()
 		testApp.Spec.Project = "proj-maint"
-		appServer := newTestAppServer(testApp)
+		appServer := newTestAppServer(t, testApp)
 
 		active, err := appServer.GetApplicationSyncWindows(context.Background(), &application.ApplicationSyncWindowsQuery{Name: &testApp.Name})
 		assert.NoError(t, err)
@@ -835,7 +1360,7 @@ func TestServer_GetApplicationSyncWindowsState(t *testing.T) {
 	t.Run("Inactive", func(t *testing.T) {
 		testApp := newTestApp()
 		testApp.Spec.Project = "default"
-		appServer := newTestAppServer(testApp)
+		appServer := newTestAppServer(t, testApp)
 
 		active, err := appServer.GetApplicationSyncWindows(context.Background(), &application.ApplicationSyncWindowsQuery{Name: &testApp.Name})
 		assert.NoError(t, err)
@@ -844,7 +1369,7 @@ func TestServer_GetApplicationSyncWindowsState(t *testing.T) {
 	t.Run("ProjectDoesNotExist", func(t *testing.T) {
 		testApp := newTestApp()
 		testApp.Spec.Project = "none"
-		appServer := newTestAppServer(testApp)
+		appServer := newTestAppServer(t, testApp)
 
 		active, err := appServer.GetApplicationSyncWindows(context.Background(), &application.ApplicationSyncWindowsQuery{Name: &testApp.Name})
 		assert.Contains(t, err.Error(), "not found")
@@ -862,7 +1387,7 @@ func TestGetCachedAppState(t *testing.T) {
 			Namespace: testNamespace,
 		},
 	}
-	appServer := newTestAppServer(testApp, testProj)
+	appServer := newTestAppServer(t, testApp, testProj)
 	fakeClientSet := appServer.appclientset.(*apps.Clientset)
 	t.Run("NoError", func(t *testing.T) {
 		err := appServer.getCachedAppState(context.Background(), testApp, func() error {
@@ -1035,7 +1560,7 @@ func TestGetAppRefresh_NormalRefresh(t *testing.T) {
 	defer cancel()
 	testApp := newTestApp()
 	testApp.ObjectMeta.ResourceVersion = "1"
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 
 	var patched int32
 
@@ -1063,7 +1588,7 @@ func TestGetAppRefresh_HardRefresh(t *testing.T) {
 	defer cancel()
 	testApp := newTestApp()
 	testApp.ObjectMeta.ResourceVersion = "1"
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 
 	var getAppDetailsQuery *apiclient.RepoServerAppDetailsQuery
 	mockRepoServiceClient := mocks.RepoServerServiceClient{}
@@ -1113,7 +1638,7 @@ func TestInferResourcesStatusHealth(t *testing.T) {
 		Name:      "guestbook-stateful",
 		Namespace: "default",
 	}}
-	appServer := newTestAppServer(testApp)
+	appServer := newTestAppServer(t, testApp)
 	appStateCache := appstate.NewCache(cacheClient, time.Minute)
 	err := appStateCache.SetAppResourcesTree(testApp.Name, &appsv1.ApplicationTree{Nodes: []appsv1.ResourceNode{{
 		ResourceRef: appsv1.ResourceRef{

server/application/broadcaster.go

@@ -23,6 +23,14 @@ func (s *subscriber) matches(event *appv1.ApplicationWatchEvent) bool {
 	return true
 }
 
+// Broadcaster is an interface for broadcasting application informer watch events to multiple subscribers.
+type Broadcaster interface {
+	Subscribe(ch chan *appv1.ApplicationWatchEvent, filters ...func(event *appv1.ApplicationWatchEvent) bool) func()
+	OnAdd(interface{})
+	OnUpdate(interface{}, interface{})
+	OnDelete(interface{})
+}
+
 type broadcasterHandler struct {
 	lock        sync.Mutex
 	subscribers []*subscriber

server/application/mocks/Broadcaster.go

@@ -0,0 +1,66 @@
+// Code generated by mockery v2.13.1. DO NOT EDIT.
+
+package mocks
+
+import (
+	v1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	mock "github.com/stretchr/testify/mock"
+)
+
+// Broadcaster is an autogenerated mock type for the Broadcaster type
+type Broadcaster struct {
+	mock.Mock
+}
+
+// OnAdd provides a mock function with given fields: _a0
+func (_m *Broadcaster) OnAdd(_a0 interface{}) {
+	_m.Called(_a0)
+}
+
+// OnDelete provides a mock function with given fields: _a0
+func (_m *Broadcaster) OnDelete(_a0 interface{}) {
+	_m.Called(_a0)
+}
+
+// OnUpdate provides a mock function with given fields: _a0, _a1
+func (_m *Broadcaster) OnUpdate(_a0 interface{}, _a1 interface{}) {
+	_m.Called(_a0, _a1)
+}
+
+// Subscribe provides a mock function with given fields: ch, filters
+func (_m *Broadcaster) Subscribe(ch chan *v1alpha1.ApplicationWatchEvent, filters ...func(*v1alpha1.ApplicationWatchEvent) bool) func() {
+	_va := make([]interface{}, len(filters))
+	for _i := range filters {
+		_va[_i] = filters[_i]
+	}
+	var _ca []interface{}
+	_ca = append(_ca, ch)
+	_ca = append(_ca, _va...)
+	ret := _m.Called(_ca...)
+
+	var r0 func()
+	if rf, ok := ret.Get(0).(func(chan *v1alpha1.ApplicationWatchEvent, ...func(*v1alpha1.ApplicationWatchEvent) bool) func()); ok {
+		r0 = rf(ch, filters...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(func())
+		}
+	}
+
+	return r0
+}
+
+type mockConstructorTestingTNewBroadcaster interface {
+	mock.TestingT
+	Cleanup(func())
+}
+
+// NewBroadcaster creates a new instance of Broadcaster. It also registers a testing interface on the mock and a cleanup function to assert the mocks expectations.
+func NewBroadcaster(t mockConstructorTestingTNewBroadcaster) *Broadcaster {
+	mock := &Broadcaster{}
+	mock.Mock.Test(t)
+
+	t.Cleanup(func() { mock.AssertExpectations(t) })
+
+	return mock
+}

server/repository/repository.go

@@ -5,6 +5,7 @@ import (
 	"reflect"
 
 	"context"
+
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	"github.com/argoproj/gitops-engine/pkg/utils/text"
 	log "github.com/sirupsen/logrus"
@@ -163,6 +164,7 @@ func (s *Server) Get(ctx context.Context, q *repositorypkg.RepoQuery) (*appsv1.R
 		GitHubAppEnterpriseBaseURL: repo.GitHubAppEnterpriseBaseURL,
 		Proxy:                      repo.Proxy,
 		Project:                    repo.Project,
+		InheritedCreds:             repo.InheritedCreds,
 	}
 
 	item.ConnectionState = s.getConnectionState(ctx, item.Repo, q.ForceRefresh)
@@ -186,15 +188,16 @@ func (s *Server) ListRepositories(ctx context.Context, q *repositorypkg.RepoQuer
 			}
 			// remove secrets
 			items = append(items, &appsv1.Repository{
-				Repo:      repo.Repo,
-				Type:      rType,
-				Name:      repo.Name,
-				Username:  repo.Username,
-				Insecure:  repo.IsInsecure(),
-				EnableLFS: repo.EnableLFS,
-				EnableOCI: repo.EnableOCI,
-				Proxy:     repo.Proxy,
-				Project:   repo.Project,
+				Repo:           repo.Repo,
+				Type:           rType,
+				Name:           repo.Name,
+				Username:       repo.Username,
+				Insecure:       repo.IsInsecure(),
+				EnableLFS:      repo.EnableLFS,
+				EnableOCI:      repo.EnableOCI,
+				Proxy:          repo.Proxy,
+				Project:        repo.Project,
+				InheritedCreds: repo.InheritedCreds,
 			})
 		}
 	}

server/repository/repository_test.go

@@ -87,7 +87,18 @@ var (
 			Destinations: []appsv1.ApplicationDestination{{Server: "*", Namespace: "*"}},
 		},
 	}
-
+	fakeRepo = appsv1.Repository{
+		Repo:           "https://test",
+		Type:           "test",
+		Name:           "test",
+		Username:       "argo",
+		Insecure:       false,
+		EnableLFS:      false,
+		EnableOCI:      false,
+		Proxy:          "test",
+		Project:        "argocd",
+		InheritedCreds: true,
+	}
 	guestbookApp = &appsv1.Application{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Application",
@@ -196,6 +207,33 @@ func TestRepositoryServer(t *testing.T) {
 		assert.Equal(t, repo.Repo, url)
 	})
 
+	t.Run("Test_GetInherited", func(t *testing.T) {
+		repoServerClient := mocks.RepoServerServiceClient{}
+		repoServerClient.On("TestRepository", mock.Anything, mock.Anything).Return(&apiclient.TestRepositoryResponse{}, nil)
+		repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
+
+		url := "https://test"
+		db := &dbmocks.ArgoDB{}
+		testRepo := &appsv1.Repository{
+			Repo:           url,
+			Type:           "git",
+			Username:       "foo",
+			InheritedCreds: true,
+		}
+		db.On("GetRepository", context.TODO(), url).Return(testRepo, nil)
+		db.On("RepositoryExists", context.TODO(), url).Return(true, nil)
+
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
+			Repo: url,
+		})
+		assert.Nil(t, err)
+
+		testRepo.ConnectionState = repo.ConnectionState // overwrite connection state on our test object to simplify comparison below
+
+		assert.Equal(t, testRepo, repo)
+	})
+
 	t.Run("Test_GetWithErrorShouldReturn403", func(t *testing.T) {
 		repoServerClient := mocks.RepoServerServiceClient{}
 		repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
@@ -279,6 +317,23 @@ func TestRepositoryServer(t *testing.T) {
 		assert.Equal(t, repo.Repo, "test")
 	})
 
+	t.Run("Test_ListRepositories", func(t *testing.T) {
+		repoServerClient := mocks.RepoServerServiceClient{}
+		repoServerClient.On("TestRepository", mock.Anything, mock.Anything).Return(&apiclient.TestRepositoryResponse{}, nil)
+		repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
+		enforcer := newEnforcer(kubeclientset)
+
+		url := "https://test"
+		db := &dbmocks.ArgoDB{}
+		db.On("GetRepository", context.TODO(), url).Return(nil, nil)
+		db.On("ListHelmRepositories", context.TODO(), mock.Anything).Return(nil, nil)
+		db.On("ListRepositories", context.TODO()).Return([]*appsv1.Repository{&fakeRepo, &fakeRepo}, nil)
+
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
+		resp, err := s.ListRepositories(context.TODO(), &repository.RepoQuery{})
+		assert.NoError(t, err)
+		assert.Equal(t, 2, len(resp.Items))
+	})
 }
 
 func TestRepositoryServerListApps(t *testing.T) {

server/server.go

@@ -24,6 +24,8 @@ import (
 
 	// nolint:staticcheck
 	golang_proto "github.com/golang/protobuf/proto"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/selection"
 
 	"github.com/argoproj/notifications-engine/pkg/api"
 	"github.com/argoproj/pkg/sync"
@@ -287,7 +289,9 @@ func NewServer(ctx context.Context, opts ArgoCDServerOpts) *ArgoCDServer {
 
 	apiFactory := api.NewFactory(settings_notif.GetFactorySettings(argocdService, "argocd-notifications-secret", "argocd-notifications-cm"), opts.Namespace, secretInformer, configMapInformer)
 
-	return &ArgoCDServer{
+	dbInstance := db.NewDB(opts.Namespace, settingsMgr, opts.KubeClientset)
+
+	a := &ArgoCDServer{
 		ArgoCDServerOpts:  opts,
 		log:               log.NewEntry(log.StandardLogger()),
 		settings:          settings,
@@ -303,11 +307,19 @@ func NewServer(ctx context.Context, opts ArgoCDServerOpts) *ArgoCDServer {
 		policyEnforcer:    policyEnf,
 		userStateStorage:  userStateStorage,
 		staticAssets:      http.FS(staticFS),
-		db:                db.NewDB(opts.Namespace, settingsMgr, opts.KubeClientset),
+		db:                dbInstance,
 		apiFactory:        apiFactory,
 		secretInformer:    secretInformer,
 		configMapInformer: configMapInformer,
 	}
+
+	err = a.logInClusterWarnings()
+	if err != nil {
+		// Just log. It's not critical.
+		log.Warnf("Failed to log in-cluster warnings: %v", err)
+	}
+
+	return a
 }
 
 const (
@@ -354,6 +366,47 @@ func (l *Listeners) Close() error {
 	return nil
 }
 
+// logInClusterWarnings checks the in-cluster configuration and prints out any warnings.
+func (a *ArgoCDServer) logInClusterWarnings() error {
+	labelSelector := labels.NewSelector()
+	req, err := labels.NewRequirement(common.LabelKeySecretType, selection.Equals, []string{common.LabelValueSecretTypeCluster})
+	if err != nil {
+		return fmt.Errorf("failed to construct cluster-type label selector: %w", err)
+	}
+	labelSelector = labelSelector.Add(*req)
+	secretsLister, err := a.settingsMgr.GetSecretsLister()
+	if err != nil {
+		return fmt.Errorf("failed to get secrets lister: %w", err)
+	}
+	clusterSecrets, err := secretsLister.Secrets(a.ArgoCDServerOpts.Namespace).List(labelSelector)
+	if err != nil {
+		return fmt.Errorf("failed to list cluster secrets: %w", err)
+	}
+	var inClusterSecrets []string
+	for _, clusterSecret := range clusterSecrets {
+		cluster, err := db.SecretToCluster(clusterSecret)
+		if err != nil {
+			return fmt.Errorf("could not unmarshal cluster secret %q: %w", clusterSecret.Name, err)
+		}
+		if cluster.Server == v1alpha1.KubernetesInternalAPIServerAddr {
+			inClusterSecrets = append(inClusterSecrets, clusterSecret.Name)
+		}
+	}
+	if len(inClusterSecrets) > 0 {
+		// Don't make this call unless we actually have in-cluster secrets, to save time.
+		dbSettings, err := a.settingsMgr.GetSettings()
+		if err != nil {
+			return fmt.Errorf("could not get DB settings: %w", err)
+		}
+		if !dbSettings.InClusterEnabled {
+			for _, clusterName := range inClusterSecrets {
+				log.Warnf("cluster %q uses in-cluster server address but it's disabled in Argo CD settings", clusterName)
+			}
+		}
+	}
+	return nil
+}
+
 func startListener(host string, port int) (net.Listener, error) {
 	var conn net.Listener
 	var realErr error
@@ -455,11 +508,11 @@ func (a *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) {
 	var httpL net.Listener
 	var httpsL net.Listener
 	if !a.useTLS() {
-		httpL = tcpm.Match(cmux.HTTP1Fast())
+		httpL = tcpm.Match(cmux.HTTP1Fast("PATCH"))
 		grpcL = tcpm.MatchWithWriters(cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc"))
 	} else {
 		// We first match on HTTP 1.1 methods.
-		httpL = tcpm.Match(cmux.HTTP1Fast())
+		httpL = tcpm.Match(cmux.HTTP1Fast("PATCH"))
 
 		// If not matched, we assume that its TLS.
 		tlsl := tcpm.Match(cmux.Any())
@@ -474,7 +527,7 @@ func (a *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) {
 
 		// Now, we build another mux recursively to match HTTPS and gRPC.
 		tlsm = cmux.New(tlsl)
-		httpsL = tlsm.Match(cmux.HTTP1Fast())
+		httpsL = tlsm.Match(cmux.HTTP1Fast("PATCH"))
 		grpcL = tlsm.MatchWithWriters(cmux.HTTP2MatchHeaderFieldSendSettings("content-type", "application/grpc"))
 	}
 
@@ -724,6 +777,7 @@ func (a *ArgoCDServer) newGRPCServer() (*grpc.Server, application.AppResourceTre
 		a.AppClientset,
 		a.appLister,
 		a.appInformer,
+		nil,
 		a.RepoClientset,
 		a.Cache,
 		kubectl,
@@ -892,7 +946,8 @@ func (a *ArgoCDServer) newHTTPServer(ctx context.Context, port int, grpcWebHandl
 
 	// Webhook handler for git events (Note: cache timeouts are hardcoded because API server does not write to cache and not really using them)
 	argoDB := db.NewDB(a.Namespace, a.settingsMgr, a.KubeClientset)
-	acdWebhookHandler := webhook.NewHandler(a.Namespace, a.AppClientset, a.settings, a.settingsMgr, repocache.NewCache(a.Cache.GetCache(), 24*time.Hour, 3*time.Minute), a.Cache, argoDB)
+	acdWebhookHandler := webhook.NewHandler(a.Namespace, a.ArgoCDServerOpts.ApplicationNamespaces, a.AppClientset, a.settings, a.settingsMgr, repocache.NewCache(a.Cache.GetCache(), 24*time.Hour, 3*time.Minute), a.Cache, argoDB)
+
 	mux.HandleFunc("/api/webhook", acdWebhookHandler.Handler)
 
 	// Serve cli binaries directly from API server

test/certificates/ssh_known_hosts

@@ -1,5 +1,5 @@
 # This file was automatically generated. DO NOT EDIT
-bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
+bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDQeJzhupRu0u0cdegZIa8e86EG2qOCsIsD1Xw0xSeiPDlCr7kq97NLmMbpKTX6Esc30NuoqEEHCuc7yWtwp8dI76EEEB1VqY9QJq6vk+aySyboD5QF61I/1WeTwu+deCbgKMGbUijeXhtfbxSxm6JwGrXrhBdofTsbKRUsrN1WoNgUa8uqN1Vx6WAJw1JHPhglEGGHea6QICwJOAr/6mrui/oB7pkaWKHj3z7d1IC4KWLtY47elvjbaTlkN04Kc/5LFEirorGYVbt15kAUlqGM65pk6ZBxtaO3+30LVlORZkxOh+LKL/BvbZ/iRNhItLqNyieoQj/uh/7Iv4uyH/cV/0b4WDSd3DptigWq84lJubb9t/DnZlrJazxyDCulTmKdOR7vs9gMTo+uoIrPSb8ScTtvw65+odKAlBj59dhnVp9zd7QUojOpXlL62Aw56U4oO+FALuevvMjiWeavKhJqlR7i5n9srYcrNV7ttmDw7kf/97P5zauIhxcjX+xHv4M=
 github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
 gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY=
 gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf

test/container/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/redis:7.0.8-alpine as redis
+FROM docker.io/library/redis:7.0.11-alpine as redis
 
 # There are libraries we will want to copy from here in the final stage of the
 # build, but the COPY directive does not have a way to determine system

test/container/Procfile

@@ -1,6 +1,6 @@
-controller: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
-api-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} "
-dex: sh -c "test $ARGOCD_IN_CI = true && exit 0; ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.35.3 serve /dex.yaml"
+controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-application-controller $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''}"
+api-server: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_BINARY_NAME=argocd-server $COMMAND --loglevel debug --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379} --disable-auth=${ARGOCD_E2E_DISABLE_AUTH:-'true'} --insecure --dex-server http://localhost:${ARGOCD_E2E_DEX_PORT:-5556} --repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081} --port ${ARGOCD_E2E_APISERVER_PORT:-8080} --application-namespaces=${ARGOCD_APPLICATION_NAMESPACES:-''} "
+dex: sh -c "test $ARGOCD_IN_CI = true && exit 0; ARGOCD_BINARY_NAME=argocd-dex go run github.com/argoproj/argo-cd/cmd gendexcfg -o `pwd`/dist/dex.yaml && docker run --rm -p ${ARGOCD_E2E_DEX_PORT:-5556}:${ARGOCD_E2E_DEX_PORT:-5556} -v `pwd`/dist/dex.yaml:/dex.yaml ghcr.io/dexidp/dex:v2.37.0 serve /dex.yaml"
 redis: sh -c "/usr/local/bin/redis-server --save "" --appendonly no --port ${ARGOCD_E2E_REDIS_PORT:-6379}"
 repo-server: [ "$BIN_MODE" == 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=1 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_GNUPGHOME=${ARGOCD_GNUPGHOME:-/tmp/argocd-local/gpg/keys} ARGOCD_PLUGINSOCKFILEPATH=${ARGOCD_PLUGINSOCKFILEPATH:-./test/cmp}  ARGOCD_GPG_DATA_PATH=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source} ARGOCD_BINARY_NAME=argocd-repo-server $COMMAND --loglevel debug --port ${ARGOCD_E2E_REPOSERVER_PORT:-8081} --redis localhost:${ARGOCD_E2E_REDIS_PORT:-6379}"
 ui: sh -c "test $ARGOCD_IN_CI = true && exit 0; cd ui && ARGOCD_E2E_YARN_HOST=0.0.0.0 ${ARGOCD_E2E_YARN_CMD:-yarn} start"

test/e2e/app_management_ns_test.go

@@ -427,7 +427,9 @@ func TestNamespacedInvalidAppProject(t *testing.T) {
 		IgnoreErrors().
 		CreateApp().
 		Then().
-		Expect(Error("", "application references project does-not-exist which does not exist"))
+		// We're not allowed to infer whether the project exists based on this error message. Instead, we get a generic
+		// permission denied error.
+		Expect(Error("", "permission denied"))
 }
 
 func TestNamespacedAppDeletion(t *testing.T) {

test/e2e/app_management_test.go

@@ -249,7 +249,7 @@ func TestSyncToSignedCommitWithoutKnownKey(t *testing.T) {
 		Expect(HealthIs(health.HealthStatusMissing))
 }
 
-func TestSyncToSignedCommitKeyWithKnownKey(t *testing.T) {
+func TestSyncToSignedCommitWithKnownKey(t *testing.T) {
 	SkipOnEnv(t, "GPG")
 	Given(t).
 		Project("gpg").
@@ -267,6 +267,62 @@ func TestSyncToSignedCommitKeyWithKnownKey(t *testing.T) {
 		Expect(HealthIs(health.HealthStatusHealthy))
 }
 
+func TestSyncToSignedTagWithKnownKey(t *testing.T) {
+	SkipOnEnv(t, "GPG")
+	Given(t).
+		Project("gpg").
+		Revision("signed-tag").
+		Path(guestbookPath).
+		GPGPublicKeyAdded().
+		Sleep(2).
+		When().
+		AddSignedTag("signed-tag").
+		IgnoreErrors().
+		CreateApp().
+		Sync().
+		Then().
+		Expect(OperationPhaseIs(OperationSucceeded)).
+		Expect(SyncStatusIs(SyncStatusCodeSynced)).
+		Expect(HealthIs(health.HealthStatusHealthy))
+}
+
+func TestSyncToSignedTagWithUnknownKey(t *testing.T) {
+	SkipOnEnv(t, "GPG")
+	Given(t).
+		Project("gpg").
+		Revision("signed-tag").
+		Path(guestbookPath).
+		Sleep(2).
+		When().
+		AddSignedTag("signed-tag").
+		IgnoreErrors().
+		CreateApp().
+		Sync().
+		Then().
+		Expect(OperationPhaseIs(OperationError)).
+		Expect(SyncStatusIs(SyncStatusCodeOutOfSync)).
+		Expect(HealthIs(health.HealthStatusMissing))
+}
+
+func TestSyncToUnsignedTag(t *testing.T) {
+	SkipOnEnv(t, "GPG")
+	Given(t).
+		Project("gpg").
+		Revision("unsigned-tag").
+		Path(guestbookPath).
+		GPGPublicKeyAdded().
+		Sleep(2).
+		When().
+		AddTag("unsigned-tag").
+		IgnoreErrors().
+		CreateApp().
+		Sync().
+		Then().
+		Expect(OperationPhaseIs(OperationError)).
+		Expect(SyncStatusIs(SyncStatusCodeOutOfSync)).
+		Expect(HealthIs(health.HealthStatusMissing))
+}
+
 func TestAppCreation(t *testing.T) {
 	ctx := Given(t)
 	ctx.
@@ -361,6 +417,24 @@ func TestDeleteAppResource(t *testing.T) {
 		Expect(HealthIs(health.HealthStatusMissing))
 }
 
+// Fix for issue #2677, support PATCH in HTTP service
+func TestPatchHttp(t *testing.T) {
+	ctx := Given(t)
+
+	ctx.
+		Path(guestbookPath).
+		When().
+		CreateApp().
+		Sync().
+		PatchAppHttp(`{"metadata": {"labels": { "test": "patch" }, "annotations": { "test": "patch" }}}`).
+		Then().
+		And(func(app *Application) {
+			assert.Equal(t, "patch", app.Labels["test"])
+			assert.Equal(t, "patch", app.Annotations["test"])
+		})
+
+}
+
 // demonstrate that we cannot use a standard sync when an immutable field is changed, we must use "force"
 func TestImmutableChange(t *testing.T) {
 	SkipOnEnv(t, "OPENSHIFT")
@@ -412,7 +486,9 @@ func TestInvalidAppProject(t *testing.T) {
 		IgnoreErrors().
 		CreateApp().
 		Then().
-		Expect(Error("", "application references project does-not-exist which does not exist"))
+		// We're not allowed to infer whether the project exists based on this error message. Instead, we get a generic
+		// permission denied error.
+		Expect(Error("", "permission denied"))
 }
 
 func TestAppDeletion(t *testing.T) {

test/e2e/fixture/app/actions.go

@@ -1,12 +1,14 @@
 package app
 
 import (
+	"encoding/json"
 	"fmt"
 	"os"
 
 	log "github.com/sirupsen/logrus"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	client "github.com/argoproj/argo-cd/v2/pkg/apiclient/application"
 	. "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/test/e2e/fixture"
 	"github.com/argoproj/argo-cd/v2/util/errors"
@@ -64,6 +66,18 @@ func (a *Actions) AddSignedFile(fileName, fileContents string) *Actions {
 	return a
 }
 
+func (a *Actions) AddSignedTag(name string) *Actions {
+	a.context.t.Helper()
+	fixture.AddSignedTag(name)
+	return a
+}
+
+func (a *Actions) AddTag(name string) *Actions {
+	a.context.t.Helper()
+	fixture.AddTag(name)
+	return a
+}
+
 func (a *Actions) CreateFromPartialFile(data string, flags ...string) *Actions {
 	a.context.t.Helper()
 	tmpFile, err := os.CreateTemp("", "")
@@ -238,6 +252,28 @@ func (a *Actions) PatchApp(patch string) *Actions {
 	return a
 }
 
+func (a *Actions) PatchAppHttp(patch string) *Actions {
+	a.context.t.Helper()
+	var application Application
+	var patchType = "merge"
+	var appName = a.context.AppQualifiedName()
+	var appNamespace = a.context.AppNamespace()
+	patchRequest := &client.ApplicationPatchRequest{
+		Name:         &appName,
+		PatchType:    &patchType,
+		Patch:        &patch,
+		AppNamespace: &appNamespace,
+	}
+	jsonBytes, err := json.MarshalIndent(patchRequest, "", "  ")
+	errors.CheckError(err)
+	err = fixture.DoHttpJsonRequest("PATCH",
+		fmt.Sprintf("/api/v1/applications/%v", appName),
+		&application,
+		jsonBytes...)
+	errors.CheckError(err)
+	return a
+}
+
 func (a *Actions) AppSet(flags ...string) *Actions {
 	a.context.t.Helper()
 	args := []string{"app", "set", a.context.AppQualifiedName()}

test/e2e/fixture/fixture.go

@@ -92,6 +92,7 @@ type ACL struct {
 const (
 	RepoURLTypeFile                 = "file"
 	RepoURLTypeHTTPS                = "https"
+	RepoURLTypeHTTPSOrg             = "https-org"
 	RepoURLTypeHTTPSClientCert      = "https-cc"
 	RepoURLTypeHTTPSSubmodule       = "https-sub"
 	RepoURLTypeHTTPSSubmoduleParent = "https-par"
@@ -103,6 +104,8 @@ const (
 	RepoURLTypeHelmOCI              = "helm-oci"
 	GitUsername                     = "admin"
 	GitPassword                     = "password"
+	GithubAppID                     = "2978632978"
+	GithubAppInstallationID         = "7893789433789"
 	GpgGoodKeyID                    = "D56C4FCA57A46444"
 	HelmOCIRegistryURL              = "localhost:5000/myrepo"
 )
@@ -251,6 +254,7 @@ const (
 	EnvRepoURLTypeSSHSubmodule         = "ARGOCD_E2E_REPO_SSH_SUBMODULE"
 	EnvRepoURLTypeSSHSubmoduleParent   = "ARGOCD_E2E_REPO_SSH_SUBMODULE_PARENT"
 	EnvRepoURLTypeHTTPS                = "ARGOCD_E2E_REPO_HTTPS"
+	EnvRepoURLTypeHTTPSOrg             = "ARGOCD_E2E_REPO_HTTPS_ORG"
 	EnvRepoURLTypeHTTPSClientCert      = "ARGOCD_E2E_REPO_HTTPS_CLIENT_CERT"
 	EnvRepoURLTypeHTTPSSubmodule       = "ARGOCD_E2E_REPO_HTTPS_SUBMODULE"
 	EnvRepoURLTypeHTTPSSubmoduleParent = "ARGOCD_E2E_REPO_HTTPS_SUBMODULE_PARENT"
@@ -272,6 +276,9 @@ func RepoURL(urlType RepoURLType) string {
 	// Git server via HTTPS
 	case RepoURLTypeHTTPS:
 		return GetEnvWithDefault(EnvRepoURLTypeHTTPS, "https://localhost:9443/argo-e2e/testdata.git")
+	// Git "organisation" via HTTPS
+	case RepoURLTypeHTTPSOrg:
+		return GetEnvWithDefault(EnvRepoURLTypeHTTPSOrg, "https://localhost:9443/argo-e2e")
 	// Git server via HTTPS - Client Cert protected
 	case RepoURLTypeHTTPSClientCert:
 		return GetEnvWithDefault(EnvRepoURLTypeHTTPSClientCert, "https://localhost:9444/argo-e2e/testdata.git")
@@ -747,6 +754,26 @@ func AddSignedFile(path, contents string) {
 	}
 }
 
+func AddSignedTag(name string) {
+	prevGnuPGHome := os.Getenv("GNUPGHOME")
+	os.Setenv("GNUPGHOME", TmpDir+"/gpg")
+	defer os.Setenv("GNUPGHOME", prevGnuPGHome)
+	FailOnErr(Run(repoDirectory(), "git", "-c", fmt.Sprintf("user.signingkey=%s", GpgGoodKeyID), "tag", "-sm", "add signed tag", name))
+	if IsRemote() {
+		FailOnErr(Run(repoDirectory(), "git", "push", "--tags", "-f", "origin", "master"))
+	}
+}
+
+func AddTag(name string) {
+	prevGnuPGHome := os.Getenv("GNUPGHOME")
+	os.Setenv("GNUPGHOME", TmpDir+"/gpg")
+	defer os.Setenv("GNUPGHOME", prevGnuPGHome)
+	FailOnErr(Run(repoDirectory(), "git", "tag", name))
+	if IsRemote() {
+		FailOnErr(Run(repoDirectory(), "git", "push", "--tags", "-f", "origin", "master"))
+	}
+}
+
 // create the resource by creating using "kubectl apply", with bonus templating
 func Declarative(filename string, values interface{}) (string, error) {
 
@@ -811,6 +838,8 @@ func RestartRepoServer() {
 		}
 		FailOnErr(Run("", "kubectl", "rollout", "restart", "deployment", workload))
 		FailOnErr(Run("", "kubectl", "rollout", "status", "deployment", workload))
+		// wait longer to avoid error on s390x
+		time.Sleep(10 * time.Second)
 	}
 }
 

test/e2e/repo_management_test.go

@@ -7,9 +7,11 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	repositorypkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/repository"
+	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	"github.com/argoproj/argo-cd/v2/test/e2e/fixture"
 	"github.com/argoproj/argo-cd/v2/test/e2e/fixture/app"
 	"github.com/argoproj/argo-cd/v2/test/e2e/fixture/repos"
+	. "github.com/argoproj/argo-cd/v2/util/errors"
 	argoio "github.com/argoproj/argo-cd/v2/util/io"
 	"github.com/argoproj/argo-cd/v2/util/settings"
 )
@@ -52,6 +54,38 @@ func TestAddRemovePublicRepo(t *testing.T) {
 	})
 }
 
+func TestGetRepoWithInheritedCreds(t *testing.T) {
+	app.Given(t).And(func() {
+		// create repo credentials
+		FailOnErr(fixture.RunCli("repocreds", "add", fixture.RepoURL(fixture.RepoURLTypeHTTPSOrg), "--github-app-id", fixture.GithubAppID, "--github-app-installation-id", fixture.GithubAppInstallationID, "--github-app-private-key-path", repos.CertKeyPath))
+
+		repoUrl := fixture.RepoURL(fixture.RepoURLTypeHTTPS)
+
+		// Hack: First we need to create repo with valid credentials
+		FailOnErr(fixture.RunCli("repo", "add", repoUrl, "--username", fixture.GitUsername, "--password", fixture.GitPassword, "--insecure-skip-server-verification"))
+
+		// Then, we remove username/password so that the repo inherits the credentials from our repocreds
+		conn, repoClient, err := fixture.ArgoCDClientset.NewRepoClient()
+		assert.NoError(t, err)
+		defer argoio.Close(conn)
+
+		_, err = repoClient.UpdateRepository(context.Background(), &repositorypkg.RepoUpdateRequest{
+			Repo: &v1alpha1.Repository{
+				Repo: repoUrl,
+			},
+		})
+		assert.NoError(t, err)
+
+		// CLI output should indicate that repo has inherited credentials
+		out, err := fixture.RunCli("repo", "get", repoUrl)
+		assert.NoError(t, err)
+		assert.Contains(t, out, "inherited")
+
+		_, err = fixture.RunCli("repo", "rm", repoUrl)
+		assert.NoError(t, err)
+	})
+}
+
 func TestUpsertExistingRepo(t *testing.T) {
 	app.Given(t).And(func() {
 		fixture.SetRepos(settings.RepositoryCredentials{URL: fixture.RepoURL(fixture.RepoURLTypeFile)})

ui/src/app/shared/components/urls.test.ts

@@ -35,7 +35,7 @@ test('gitlab.com', () => {
         'git@gitlab.com:alex_collins/private-repo.git',
         'b1fe9426ead684d7af16958920968342ee295c1f',
         'https://gitlab.com/alex_collins/private-repo',
-        'https://gitlab.com/alex_collins/private-repo/commit/b1fe9426ead684d7af16958920968342ee295c1f');
+        'https://gitlab.com/alex_collins/private-repo/-/commit/b1fe9426ead684d7af16958920968342ee295c1f');
 });
 
 test('bitbucket.org', () => {

ui/src/app/shared/components/urls.ts

@@ -33,6 +33,12 @@ export function revisionUrl(url: string, revision: string): string {
         urlSubPath = isSHA(revision) ? 'commits' : 'src';
     }
 
+    // Gitlab changed the way urls to commit look like
+    // Ref: https://docs.gitlab.com/ee/update/deprecations.html#legacy-urls-replaced-or-removed
+    if (parsed.source === 'gitlab.com') {
+        urlSubPath = '-/' + urlSubPath;
+    }
+
     if (!supportedSource(parsed)) {
         return null;
     }

ui/src/app/shared/services/applications-service.ts

@@ -100,13 +100,14 @@ export class ApplicationsService {
     public getManifest(name: string, appNamespace: string, revision: string): Promise<models.ManifestResponse> {
         return requests
             .get(`/applications/${name}/manifests`)
-            .query({name, revision})
+            .query({name, revision, appNamespace})
             .then(res => res.body as models.ManifestResponse);
     }
 
     public updateSpec(appName: string, appNamespace: string, spec: models.ApplicationSpec): Promise<models.ApplicationSpec> {
         return requests
             .put(`/applications/${appName}/spec`)
+            .query({appNamespace})
             .send(spec)
             .then(res => res.body as models.ApplicationSpec);
     }