docs: bug bounty

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

.github/workflows/ci-build.yaml

@@ -9,7 +9,6 @@ on:
   pull_request:
     branches:
       - 'master'
-      - 'release-*'
 
 env:
   # Golang version to use across CI steps
@@ -28,9 +27,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -46,13 +45,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@v1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -70,13 +69,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376 # v3.3.1
+        uses: golangci/golangci-lint-action@v3
         with:
           version: v1.46.2
           args: --timeout 10m --exclude SA5011 --verbose
@@ -93,11 +92,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -117,17 +116,13 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@v1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
       - name: Install all tools required for building & testing
         run: |
           make install-test-tools-local
-        # We install kustomize in the dist directory
-      - name: Add dist to PATH
-        run: |
-          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
       - name: Setup git username and email
         run: |
           git config --global user.name "John Doe"
@@ -138,12 +133,12 @@ jobs:
       - name: Run all unit tests
         run: make test-local
       - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@v2
         with:
           name: code-coverage
           path: coverage.out
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@v2
         with:
           name: test-results
           path: test-results/
@@ -160,11 +155,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -184,17 +179,13 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@v1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
       - name: Install all tools required for building & testing
         run: |
           make install-test-tools-local
-        # We install kustomize in the dist directory
-      - name: Add dist to PATH
-        run: |
-          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
       - name: Setup git username and email
         run: |
           git config --global user.name "John Doe"
@@ -205,7 +196,7 @@ jobs:
       - name: Run all unit tests
         run: make test-race-local
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@v2
         with:
           name: race-results
           path: test-results/
@@ -215,9 +206,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -241,10 +232,6 @@ jobs:
           make install-codegen-tools-local
           make install-go-tools-local
         working-directory: /home/runner/go/src/github.com/argoproj/argo-cd
-        # We install kustomize in the dist directory
-      - name: Add dist to PATH
-        run: |
-          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
       - name: Run codegen
         run: |
           set -x
@@ -263,14 +250,14 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
       - name: Setup NodeJS
-        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
+        uses: actions/setup-node@v1
         with:
           node-version: '12.18.4'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@v1
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -300,12 +287,12 @@ jobs:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@v1
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -316,16 +303,16 @@ jobs:
         run: |
           mkdir -p test-results
       - name: Get code coverage artifiact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@v2
         with:
           name: code-coverage
       - name: Get test result artifact
-        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        uses: actions/download-artifact@v2
         with:
           name: test-results
           path: test-results
       - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
+        uses: codecov/codecov-action@v1
         with:
           file: coverage.out
       - name: Perform static code analysis using SonarCloud
@@ -379,9 +366,9 @@ jobs:
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
       - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
@@ -399,7 +386,7 @@ jobs:
           sudo chown runner $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
+        uses: actions/cache@v1
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -425,9 +412,9 @@ jobs:
           git config --global user.email "john.doe@example.com"
       - name: Pull Docker image required for tests
         run: |
-          docker pull ghcr.io/dexidp/dex:v2.36.0
+          docker pull ghcr.io/dexidp/dex:v2.35.3-distroless
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.11-alpine
+          docker pull redis:7.0.5-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist
@@ -455,7 +442,7 @@ jobs:
           set -x
           make test-e2e-local
       - name: Upload e2e-server logs
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@v2
         with:
           name: e2e-server-k8s${{ matrix.k3s-version }}.log
           path: /tmp/e2e-server.log

.github/workflows/codeql.yml

@@ -5,7 +5,6 @@ on:
     # Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot
     branches-ignore:
       - 'dependabot/**'
-      - 'cherry-pick-*'
   pull_request:
   schedule:
     - cron: '0 19 * * 0'
@@ -30,11 +29,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      uses: actions/checkout@v3
       
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
+      uses: github/codeql-action/init@v2
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
@@ -42,7 +41,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -56,4 +55,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
+      uses: github/codeql-action/analyze@v2

.github/workflows/image.yaml

@@ -28,22 +28,22 @@ jobs:
     env:
       GOPATH: /home/runner/work/argo-cd/argo-cd
     steps:
-      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      - uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+      - uses: actions/checkout@master
         with:
           path: src/github.com/argoproj/argo-cd
 
       # get image tag
-      - run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
+      - run: echo ::set-output name=tag::$(cat ./VERSION)-${GITHUB_SHA::8}
         working-directory: ./src/github.com/argoproj/argo-cd
         id: image
 
       # login
       - run: |
-          docker login ghcr.io --username $USERNAME --password-stdin <<< "$PASSWORD"
-          docker login quay.io --username "$DOCKER_USERNAME" --password-stdin <<< "$DOCKER_TOKEN"
+          docker login ghcr.io --username $USERNAME --password $PASSWORD
+          docker login quay.io --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
         if: github.event_name == 'push'
         env:
           USERNAME: ${{ secrets.USERNAME }}
@@ -52,8 +52,8 @@ jobs:
           DOCKER_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
 
       # build
-      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
       - run: |
           IMAGE_PLATFORMS=linux/amd64
           if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
@@ -61,27 +61,20 @@ jobs:
             IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
           fi
           echo "Building image for platforms: $IMAGE_PLATFORMS"
-          docker buildx build --platform $IMAGE_PLATFORMS --sbom=false --provenance=false --push="${{ github.event_name == 'push' }}" \
+          docker buildx build --platform $IMAGE_PLATFORMS --push="${{ github.event_name == 'push' }}" \
             -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} \
             -t quay.io/argoproj/argocd:latest .
         working-directory: ./src/github.com/argoproj/argo-cd
 
       # sign container images
       - name: Install cosign
-        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+        uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.13.1'
-
-      - name: Install crane to get digest of image
-        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
-
-      - name: Get digest of image
-        run: |
-          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:latest)" >> $GITHUB_ENV
+          cosign-release: 'v1.13.0'
 
       - name: Sign Argo CD latest image
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd@${{ env.IMAGE_DIGEST }}
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd:latest
           # Displays the public key to share.
           cosign public-key --key env://COSIGN_PRIVATE_KEY
         env:

.github/workflows/release.yaml

@@ -12,7 +12,7 @@ on:
       - "!release-v0*"
 
 env:
-  GOLANG_VERSION: '1.18'
+    GOLANG_VERSION: '1.18'
 
 permissions:
   contents: read
@@ -43,7 +43,7 @@ jobs:
       GIT_EMAIL: argoproj@gmail.com
     steps:
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -147,7 +147,7 @@ jobs:
           echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
 
       - name: Setup Golang
-        uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        uses: actions/setup-go@v3
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
@@ -177,10 +177,6 @@ jobs:
         run: |
           set -ue
           make install-codegen-tools-local
-          
-          # We install kustomize in the dist directory
-          echo "/home/runner/work/argo-cd/argo-cd/dist" >> $GITHUB_PATH
-          
           make manifests-local VERSION=${TARGET_VERSION}
           git diff
           git commit manifests/ -m "Bump version to ${TARGET_VERSION}"
@@ -199,19 +195,19 @@ jobs:
           QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
         run: |
           set -ue
-          docker login quay.io --username "${QUAY_USERNAME}" --password-stdin <<< "${QUAY_TOKEN}"
+          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
           # Remove the following when Docker Hub is gone
-          docker login --username "${DOCKER_USERNAME}" --password-stdin <<< "${DOCKER_TOKEN}"
+          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
         if: ${{ env.DRY_RUN != 'true' }}
 
-      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
+      - uses: docker/setup-qemu-action@v2
+      - uses: docker/setup-buildx-action@v2
       - name: Build and push Docker image for release
         run: |
           set -ue
           git clean -fd
           mkdir -p dist/
-          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --sbom=false --provenance=false --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
+          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
           make release-cli
           make checksums
           chmod +x ./dist/argocd-linux-amd64
@@ -219,20 +215,13 @@ jobs:
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
+        uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v1.13.1'
-
-      - name: Install crane to get digest of image
-        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
-
-      - name: Get digest of image
-        run: |
-          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:v${TARGET_VERSION})" >> $GITHUB_ENV
+          cosign-release: 'v1.13.0'
 
       - name: Sign Argo CD container images and assets
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd@${{ env.IMAGE_DIGEST }}
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
           cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
           # Retrieves the public key to release as an asset
           cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
@@ -243,7 +232,7 @@ jobs:
 
       - name: Read release notes file
         id: release-notes
-        uses: juliangruber/read-file-action@02bbba9876a8f870efd4ad64e3b9088d3fb94d4b # v1.1.6
+        uses: juliangruber/read-file-action@v1
         with:
           path: ${{ env.RELEASE_NOTES }}
 
@@ -254,7 +243,7 @@ jobs:
           git push origin ${RELEASE_TAG}
 
       - name: Dry run GitHub release
-        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
+        uses: actions/create-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         id: create_release
@@ -275,7 +264,7 @@ jobs:
           SIGS_BOM_VERSION: v0.2.1
           # comma delimited list of project relative folders to inspect for package
           # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: ".,./ui"
+          PROJECT_FOLDERS: ".,./ui" 
           # full qualified name of the docker image to be inspected
           DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
         run: |
@@ -306,7 +295,7 @@ jobs:
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Create GitHub release
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -314,6 +303,7 @@ jobs:
           tag_name: ${{ env.RELEASE_TAG }}
           draft: ${{ env.DRAFT_RELEASE }}
           prerelease: ${{ env.PRE_RELEASE }}
+          generate_release_notes: true
           body: ${{ steps.release-notes.outputs.content }}  # Pre-pended to the generated notes
           files: |
             dist/argocd-*
@@ -324,7 +314,7 @@ jobs:
       - name: Update homebrew formula
         env:
           HOMEBREW_TOKEN: ${{ secrets.RELEASE_HOMEBREW_TOKEN }}
-        uses: dawidd6/action-homebrew-bump-formula@02e79d9da43d79efa846d73695b6052cbbdbf48a # v3.8.3
+        uses: dawidd6/action-homebrew-bump-formula@v3
         with:
           token: ${{env.HOMEBREW_TOKEN}}
           formula: argocd

.github/workflows/update-snyk.yaml

@@ -1,5 +1,6 @@
 name: Snyk report update
 on:
+  workflow_dispatch: {}
   schedule:
     - cron: '0 0 * * 0' # midnight every Sunday
 
@@ -9,23 +10,27 @@ permissions:
 jobs:
   snyk-report:
     permissions:
-      contents: write  # To push snyk reports
+      contents: write
+      pull-requests: write
     if: github.repository == 'argoproj/argo-cd'
     name: Update Snyk report in the docs directory
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
+        uses: actions/checkout@v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Build reports
         env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         run: |
           make snyk-report
+          pr_branch="snyk-update-$(echo $RANDOM | md5sum | head -c 20)"
+          git checkout -b "$pr_branch"
           git config --global user.email 'ci@argoproj.com'
           git config --global user.name 'CI'
-          git add docs/snyk/index.md
-          git add docs/snyk/*/*.html
-          git commit -m "[Bot] Update Snyk reports"
-          git push
+          git add docs/snyk
+          git commit -m "[Bot] Update Snyk reports" --signoff
+          git push --set-upstream origin "$pr_branch"
+          gh pr create -B master -H "$pr_branch" --title '[Bot] docs: Update Snyk report' --body ''

.gitignore

@@ -17,6 +17,7 @@ test-results
 node_modules/
 .kube/
 ./test/cmp/*.sock
+.envrc.remote
 
 # ignore built binaries
 cmd/argocd/argocd

Makefile

@@ -512,7 +512,7 @@ build-docs-local:
 
 .PHONY: build-docs
 build-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs build'
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} build
 
 .PHONY: serve-docs-local
 serve-docs-local:
@@ -520,7 +520,7 @@ serve-docs-local:
 
 .PHONY: serve-docs
 serve-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}/site:/site -w /site --entrypoint "" ${MKDOCS_DOCKER_IMAGE} python3 -m http.server --bind 0.0.0.0 8000
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} serve -a 0.0.0.0:8000
 
 
 # Verify that kubectl can connect to your K8s cluster from Docker

README.md

@@ -1,4 +1,5 @@
 [![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22) [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack) [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd) [![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486) [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+[![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo-cd)](https://artifacthub.io/packages/helm/argo/argo-cd)
 
 # Argo CD - Declarative Continuous Delivery for Kubernetes
 

USERS.md

@@ -53,6 +53,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [D2iQ](https://www.d2iq.com)
 1. [Datarisk](https://www.datarisk.io/)
 1. [Deloitte](https://www.deloitte.com/)
+1. [Deutsche Telekom AG](https://telekom.com)
 1. [Devopsi - Poland Software/DevOps Consulting](https://devopsi.pl/)
 1. [Devtron Labs](https://github.com/devtron-labs/devtron)
 1. [EDF Renewables](https://www.edf-re.com/)
@@ -74,6 +75,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [G DATA CyberDefense AG](https://www.gdata-software.com/)
 1. [Garner](https://www.garnercorp.com)
 1. [Generali Deutschland AG](https://www.generali.de/)
+2. [Gepardec](https://gepardec.com/)
 1. [Gitpod](https://www.gitpod.io)
 1. [Gllue](https://gllue.com)
 1. [gloat](https://gloat.com/)
@@ -96,7 +98,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [IITS-Consulting](https://iits-consulting.de)
 1. [imaware](https://imaware.health)
 1. [Index Exchange](https://www.indexexchange.com/)
-1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Intuit](https://www.intuit.com/)
 1. [Joblift](https://joblift.com/)
@@ -156,13 +157,11 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Packlink](https://www.packlink.com/)
 1. [Pandosearch](https://www.pandosearch.com/en/home)
 1. [PagerDuty](https://www.pagerduty.com/)
-1. [Patreon](https://www.patreon.com/)
 1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
 1. [Polarpoint.io](https://polarpoint.io)
-1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)
@@ -173,7 +172,6 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [RapidAPI](https://www.rapidapi.com/)
 1. [Recreation.gov](https://www.recreation.gov/)
 1. [Red Hat](https://www.redhat.com/)
-1. [Redpill Linpro](https://www.redpill-linpro.com/)
 1. [reev.com](https://www.reev.com/)
 1. [RightRev](https://rightrev.com/)
 1. [Rise](https://www.risecard.eu/)

VERSION

@@ -1 +1 @@
-2.5.17
+2.5.0

applicationset/controllers/applicationset_controller.go

@@ -484,7 +484,7 @@ func (r *ApplicationSetReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		// ...and if so, return it
 		return []string{owner.Name}
 	}); err != nil {
-		return err
+		return fmt.Errorf("error setting up with manager: %w", err)
 	}
 
 	return ctrl.NewControllerManagedBy(mgr).
@@ -567,7 +567,7 @@ func (r *ApplicationSetReconciler) createInCluster(ctx context.Context, applicat
 	var createApps []argov1alpha1.Application
 	current, err := r.getCurrentApplications(ctx, applicationSet)
 	if err != nil {
-		return err
+		return fmt.Errorf("error getting current applications: %w", err)
 	}
 
 	m := make(map[string]bool) // Will holds the app names that are current in the cluster
@@ -608,13 +608,13 @@ func (r *ApplicationSetReconciler) deleteInCluster(ctx context.Context, applicat
 	// clusterList, err := argoDB.ListClusters(ctx)
 	clusterList, err := utils.ListClusters(ctx, r.KubeClientset, applicationSet.Namespace)
 	if err != nil {
-		return err
+		return fmt.Errorf("error listing clusters: %w", err)
 	}
 
 	// Save current applications to be able to delete the ones that are not in appList
 	current, err := r.getCurrentApplications(ctx, applicationSet)
 	if err != nil {
-		return err
+		return fmt.Errorf("error getting current applications: %w", err)
 	}
 
 	m := make(map[string]bool) // Will holds the app names in appList for the deletion process
@@ -718,7 +718,7 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 
 			err := r.Client.Update(ctx, app, &client.UpdateOptions{})
 			if err != nil {
-				return err
+				return fmt.Errorf("error updating finalizers: %w", err)
 			}
 		}
 	}

applicationset/controllers/clustereventhandler.go

@@ -2,7 +2,6 @@ package controllers
 
 import (
 	"context"
-	"fmt"
 
 	log "github.com/sirupsen/logrus"
 
@@ -47,6 +46,7 @@ type addRateLimitingInterface interface {
 }
 
 func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingInterface, object client.Object) {
+
 	// Check for label, lookup all ApplicationSets that might match the cluster, queue them all
 	if object.GetLabels()[generators.ArgoCDSecretTypeLabel] != generators.ArgoCDSecretTypeCluster {
 		return
@@ -73,40 +73,6 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 				foundClusterGenerator = true
 				break
 			}
-
-			if generator.Matrix != nil {
-				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Matrix.Generators)
-				if err != nil {
-					h.Log.
-						WithFields(log.Fields{
-							"namespace": appSet.GetNamespace(),
-							"name":      appSet.GetName(),
-						}).
-						WithError(err).
-						Error("Unable to check if ApplicationSet matrix generators have cluster generator")
-				}
-				if ok {
-					foundClusterGenerator = true
-					break
-				}
-			}
-
-			if generator.Merge != nil {
-				ok, err := nestedGeneratorsHaveClusterGenerator(generator.Merge.Generators)
-				if err != nil {
-					h.Log.
-						WithFields(log.Fields{
-							"namespace": appSet.GetNamespace(),
-							"name":      appSet.GetName(),
-						}).
-						WithError(err).
-						Error("Unable to check if ApplicationSet merge generators have cluster generator")
-				}
-				if ok {
-					foundClusterGenerator = true
-					break
-				}
-			}
 		}
 		if foundClusterGenerator {
 
@@ -116,42 +82,3 @@ func (h *clusterSecretEventHandler) queueRelatedAppGenerators(q addRateLimitingI
 		}
 	}
 }
-
-// nestedGeneratorsHaveClusterGenerator iterate over provided nested generators to check if they have a cluster generator.
-func nestedGeneratorsHaveClusterGenerator(generators []argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
-	for _, generator := range generators {
-		if ok, err := nestedGeneratorHasClusterGenerator(generator); ok || err != nil {
-			return ok, err
-		}
-	}
-	return false, nil
-}
-
-// nestedGeneratorHasClusterGenerator checks if the provided generator has a cluster generator.
-func nestedGeneratorHasClusterGenerator(nested argoprojiov1alpha1.ApplicationSetNestedGenerator) (bool, error) {
-	if nested.Clusters != nil {
-		return true, nil
-	}
-
-	if nested.Matrix != nil {
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(nested.Matrix)
-		if err != nil {
-			return false, fmt.Errorf("unable to get nested matrix generator: %w", err)
-		}
-		if nestedMatrix != nil {
-			return nestedGeneratorsHaveClusterGenerator(nestedMatrix.ToMatrixGenerator().Generators)
-		}
-	}
-
-	if nested.Merge != nil {
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(nested.Merge)
-		if err != nil {
-			return false, fmt.Errorf("unable to get nested merge generator: %w", err)
-		}
-		if nestedMerge != nil {
-			return nestedGeneratorsHaveClusterGenerator(nestedMerge.ToMergeGenerator().Generators)
-		}
-	}
-
-	return false, nil
-}

applicationset/controllers/clustereventhandler_test.go

@@ -6,7 +6,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	corev1 "k8s.io/api/core/v1"
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -164,6 +163,7 @@ func TestClusterEventHandler(t *testing.T) {
 				{NamespacedName: types.NamespacedName{Namespace: "another-namespace", Name: "my-app-set"}},
 			},
 		},
+
 		{
 			name: "non-argo cd secret should not match",
 			items: []argov1alpha1.ApplicationSet{
@@ -189,348 +189,6 @@ func TestClusterEventHandler(t *testing.T) {
 			},
 			expectedRequests: []reconcile.Request{},
 		},
-		{
-			name: "a matrix generator with a cluster generator should produce a request",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Matrix: &argov1alpha1.MatrixGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Clusters: &argov1alpha1.ClusterGenerator{},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{{
-				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
-			}},
-		},
-		{
-			name: "a matrix generator with non cluster generator should not match",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Matrix: &argov1alpha1.MatrixGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											List: &argov1alpha1.ListGenerator{},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{},
-		},
-		{
-			name: "a matrix generator with a nested matrix generator containing a cluster generator should produce a request",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Matrix: &argov1alpha1.MatrixGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Matrix: &apiextensionsv1.JSON{
-												Raw: []byte(
-													`{
-														"generators": [
-														  {
-															"clusters": {
-															  "selector": {
-																"matchLabels": {
-																  "argocd.argoproj.io/secret-type": "cluster"
-																}
-															  }
-															}
-														  }
-														]
-													  }`,
-												),
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{{
-				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
-			}},
-		},
-		{
-			name: "a matrix generator with a nested matrix generator containing non cluster generator should not match",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Matrix: &argov1alpha1.MatrixGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Matrix: &apiextensionsv1.JSON{
-												Raw: []byte(
-													`{
-														"generators": [
-														  {
-															"list": {
-															  "elements": [
-																"a",
-																"b"
-															  ]
-															}
-														  }
-														]
-													  }`,
-												),
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{},
-		},
-		{
-			name: "a merge generator with a cluster generator should produce a request",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Merge: &argov1alpha1.MergeGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Clusters: &argov1alpha1.ClusterGenerator{},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{{
-				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
-			}},
-		},
-		{
-			name: "a matrix generator with non cluster generator should not match",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Merge: &argov1alpha1.MergeGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											List: &argov1alpha1.ListGenerator{},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{},
-		},
-		{
-			name: "a merge generator with a nested merge generator containing a cluster generator should produce a request",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Merge: &argov1alpha1.MergeGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Merge: &apiextensionsv1.JSON{
-												Raw: []byte(
-													`{
-														"generators": [
-														  {
-															"clusters": {
-															  "selector": {
-																"matchLabels": {
-																  "argocd.argoproj.io/secret-type": "cluster"
-																}
-															  }
-															}
-														  }
-														]
-													  }`,
-												),
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{{
-				NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "my-app-set"},
-			}},
-		},
-		{
-			name: "a merge generator with a nested merge generator containing non cluster generator should not match",
-			items: []argov1alpha1.ApplicationSet{
-				{
-					ObjectMeta: v1.ObjectMeta{
-						Name:      "my-app-set",
-						Namespace: "argocd",
-					},
-					Spec: argov1alpha1.ApplicationSetSpec{
-						Generators: []argov1alpha1.ApplicationSetGenerator{
-							{
-								Merge: &argov1alpha1.MergeGenerator{
-									Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-										{
-											Merge: &apiextensionsv1.JSON{
-												Raw: []byte(
-													`{
-														"generators": [
-														  {
-															"list": {
-															  "elements": [
-																"a",
-																"b"
-															  ]
-															}
-														  }
-														]
-													  }`,
-												),
-											},
-										},
-									},
-								},
-							},
-						},
-					},
-				},
-			},
-			secret: corev1.Secret{
-				ObjectMeta: v1.ObjectMeta{
-					Namespace: "argocd",
-					Name:      "my-secret",
-					Labels: map[string]string{
-						generators.ArgoCDSecretTypeLabel: generators.ArgoCDSecretTypeCluster,
-					},
-				},
-			},
-			expectedRequests: []reconcile.Request{},
-		},
 	}
 
 	for _, test := range tests {

applicationset/controllers/requeue_after_test.go

@@ -1,179 +0,0 @@
-package controllers
-
-import (
-	"context"
-	"testing"
-	"time"
-
-	"github.com/argoproj/argo-cd/v2/applicationset/generators"
-	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/mock"
-	corev1 "k8s.io/api/core/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-	dynfake "k8s.io/client-go/dynamic/fake"
-	kubefake "k8s.io/client-go/kubernetes/fake"
-	"k8s.io/client-go/tools/record"
-	"sigs.k8s.io/controller-runtime/pkg/client/fake"
-)
-
-func TestRequeueAfter(t *testing.T) {
-	mockServer := argoCDServiceMock{}
-	ctx := context.Background()
-	scheme := runtime.NewScheme()
-	err := argov1alpha1.AddToScheme(scheme)
-	assert.Nil(t, err)
-	gvrToListKind := map[schema.GroupVersionResource]string{{
-		Group:    "mallard.io",
-		Version:  "v1",
-		Resource: "ducks",
-	}: "DuckList"}
-	appClientset := kubefake.NewSimpleClientset()
-	k8sClient := fake.NewClientBuilder().Build()
-	duckType := &unstructured.Unstructured{
-		Object: map[string]interface{}{
-			"apiVersion": "v2quack",
-			"kind":       "Duck",
-			"metadata": map[string]interface{}{
-				"name":      "mightyduck",
-				"namespace": "namespace",
-				"labels":    map[string]interface{}{"duck": "all-species"},
-			},
-			"status": map[string]interface{}{
-				"decisions": []interface{}{
-					map[string]interface{}{
-						"clusterName": "staging-01",
-					},
-					map[string]interface{}{
-						"clusterName": "production-01",
-					},
-				},
-			},
-		},
-	}
-	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
-
-	terminalGenerators := map[string]generators.Generator{
-		"List":                    generators.NewListGenerator(),
-		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
-		"Git":                     generators.NewGitGenerator(mockServer),
-		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}),
-		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
-		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}),
-	}
-
-	nestedGenerators := map[string]generators.Generator{
-		"List":                    terminalGenerators["List"],
-		"Clusters":                terminalGenerators["Clusters"],
-		"Git":                     terminalGenerators["Git"],
-		"SCMProvider":             terminalGenerators["SCMProvider"],
-		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
-		"PullRequest":             terminalGenerators["PullRequest"],
-		"Matrix":                  generators.NewMatrixGenerator(terminalGenerators),
-		"Merge":                   generators.NewMergeGenerator(terminalGenerators),
-	}
-
-	topLevelGenerators := map[string]generators.Generator{
-		"List":                    terminalGenerators["List"],
-		"Clusters":                terminalGenerators["Clusters"],
-		"Git":                     terminalGenerators["Git"],
-		"SCMProvider":             terminalGenerators["SCMProvider"],
-		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
-		"PullRequest":             terminalGenerators["PullRequest"],
-		"Matrix":                  generators.NewMatrixGenerator(nestedGenerators),
-		"Merge":                   generators.NewMergeGenerator(nestedGenerators),
-	}
-
-	client := fake.NewClientBuilder().WithScheme(scheme).Build()
-	r := ApplicationSetReconciler{
-		Client:     client,
-		Scheme:     scheme,
-		Recorder:   record.NewFakeRecorder(0),
-		Generators: topLevelGenerators,
-	}
-
-	type args struct {
-		appset *argov1alpha1.ApplicationSet
-	}
-	tests := []struct {
-		name    string
-		args    args
-		want    time.Duration
-		wantErr assert.ErrorAssertionFunc
-	}{
-		{name: "Cluster", args: args{appset: &argov1alpha1.ApplicationSet{
-			Spec: argov1alpha1.ApplicationSetSpec{
-				Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}},
-			},
-		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
-		{name: "ClusterMergeNested", args: args{&argov1alpha1.ApplicationSet{
-			Spec: argov1alpha1.ApplicationSetSpec{
-				Generators: []argov1alpha1.ApplicationSetGenerator{
-					{Clusters: &argov1alpha1.ClusterGenerator{}},
-					{Merge: &argov1alpha1.MergeGenerator{
-						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-							{
-								Clusters: &argov1alpha1.ClusterGenerator{},
-								Git:      &argov1alpha1.GitGenerator{},
-							},
-						},
-					}},
-				},
-			},
-		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
-		{name: "ClusterMatrixNested", args: args{&argov1alpha1.ApplicationSet{
-			Spec: argov1alpha1.ApplicationSetSpec{
-				Generators: []argov1alpha1.ApplicationSetGenerator{
-					{Clusters: &argov1alpha1.ClusterGenerator{}},
-					{Matrix: &argov1alpha1.MatrixGenerator{
-						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
-							{
-								Clusters: &argov1alpha1.ClusterGenerator{},
-								Git:      &argov1alpha1.GitGenerator{},
-							},
-						},
-					}},
-				},
-			},
-		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
-		{name: "ListGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
-			Spec: argov1alpha1.ApplicationSetSpec{
-				Generators: []argov1alpha1.ApplicationSetGenerator{{List: &argov1alpha1.ListGenerator{}}},
-			},
-		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equalf(t, tt.want, r.getMinRequeueAfter(tt.args.appset), "getMinRequeueAfter(%v)", tt.args.appset)
-		})
-	}
-}
-
-type argoCDServiceMock struct {
-	mock *mock.Mock
-}
-
-func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-
-	return args.Get(0).([]string), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, pattern)
-
-	return args.Get(0).(map[string][]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
-	args := a.mock.Called(ctx, repoURL, revision, path)
-
-	return args.Get(0).([]byte), args.Error(1)
-}
-
-func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.mock.Called(ctx, repoURL, revision)
-	return args.Get(0).([]string), args.Error(1)
-}

applicationset/generators/cluster.go

@@ -51,8 +51,6 @@ func NewClusterGenerator(c client.Client, ctx context.Context, clientset kuberne
 	return g
 }
 
-// GetRequeueAfter never requeue the cluster generator because the `clusterSecretEventHandler` will requeue the appsets
-// when the cluster secrets change
 func (g *ClusterGenerator) GetRequeueAfter(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) time.Duration {
 	return NoRequeueAfter
 }
@@ -172,7 +170,7 @@ func appendTemplatedValues(clusterValues map[string]string, params map[string]in
 		result, err := replaceTemplatedString(value, params, appSet)
 
 		if err != nil {
-			return err
+			return fmt.Errorf("error replacing templated String: %w", err)
 		}
 
 		if appSet.Spec.GoTemplate {

applicationset/generators/generator_spec_processor.go

@@ -1,6 +1,8 @@
 package generators
 
 import (
+	"fmt"
+	"encoding/json"
 	"reflect"
 
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
@@ -23,11 +25,11 @@ type TransformResult struct {
 	Template argoprojiov1alpha1.ApplicationSetTemplate
 }
 
-// Transform a spec generator to list of paramSets and a template
+//Transform a spec generator to list of paramSets and a template
 func Transform(requestedGenerator argoprojiov1alpha1.ApplicationSetGenerator, allGenerators map[string]Generator, baseTemplate argoprojiov1alpha1.ApplicationSetTemplate, appSet *argoprojiov1alpha1.ApplicationSet, genParams map[string]interface{}) ([]TransformResult, error) {
 	selector, err := metav1.LabelSelectorAsSelector(requestedGenerator.Selector)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error parsing label selector: %w", err)
 	}
 
 	res := []TransformResult{}
@@ -130,15 +132,27 @@ func mergeGeneratorTemplate(g Generator, requestedGenerator *argoprojiov1alpha1.
 	return *dest, err
 }
 
-// InterpolateGenerator allows interpolating the matrix's 2nd child generator with values from the 1st child generator
+// Currently for Matrix Generator. Allows interpolating the matrix's 2nd child generator with values from the 1st child generator
 // "params" parameter is an array, where each index corresponds to a generator. Each index contains a map w/ that generator's parameters.
 func InterpolateGenerator(requestedGenerator *argoprojiov1alpha1.ApplicationSetGenerator, params map[string]interface{}, useGoTemplate bool) (argoprojiov1alpha1.ApplicationSetGenerator, error) {
-	render := utils.Render{}
-	interpolatedGenerator, err := render.RenderGeneratorParams(requestedGenerator, params, useGoTemplate)
+	interpolatedGenerator := requestedGenerator.DeepCopy()
+	tmplBytes, err := json.Marshal(interpolatedGenerator)
 	if err != nil {
-		log.WithError(err).WithField("interpolatedGenerator", interpolatedGenerator).Error("error interpolating generator with other generator's parameter")
+		log.WithError(err).WithField("requestedGenerator", interpolatedGenerator).Error("error marshalling requested generator for interpolation")
 		return *interpolatedGenerator, err
 	}
 
+	render := utils.Render{}
+	replacedTmplStr, err := render.Replace(string(tmplBytes), params, useGoTemplate)
+	if err != nil {
+		log.WithError(err).WithField("interpolatedGeneratorString", replacedTmplStr).Error("error interpolating generator with other generator's parameter")
+		return *interpolatedGenerator, err
+	}
+
+	err = json.Unmarshal([]byte(replacedTmplStr), interpolatedGenerator)
+	if err != nil {
+		log.WithError(err).WithField("requestedGenerator", interpolatedGenerator).Error("error unmarshalling requested generator for interpolation")
+		return *interpolatedGenerator, err
+	}
 	return *interpolatedGenerator, nil
 }

applicationset/generators/generator_spec_processor_test.go

@@ -6,11 +6,9 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	testutils "github.com/argoproj/argo-cd/v2/applicationset/utils/test"
 	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 
 	"github.com/stretchr/testify/mock"
@@ -161,8 +159,8 @@ func getMockClusterGenerator() Generator {
 }
 
 func getMockGitGenerator() Generator {
-	argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
-	argoCDServiceMock.Mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
+	argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+	argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return([]string{"app1", "app2", "app_3", "p1/app4"}, nil)
 	var gitGenerator = NewGitGenerator(argoCDServiceMock)
 	return gitGenerator
 }
@@ -250,60 +248,6 @@ func TestInterpolateGenerator(t *testing.T) {
 		Path: "{{server}}",
 	}
 
-	requestedGenerator = &argoprojiov1alpha1.ApplicationSetGenerator{
-		Git: &argoprojiov1alpha1.GitGenerator{
-			Files:    append([]argoprojiov1alpha1.GitFileGeneratorItem{}, fileNamePath, fileServerPath),
-			Template: argoprojiov1alpha1.ApplicationSetTemplate{},
-		},
-	}
-	clusterGeneratorParams := map[string]interface{}{
-		"name": "production_01/west", "server": "https://production-01.example.com",
-	}
-	interpolatedGenerator, err = InterpolateGenerator(requestedGenerator, clusterGeneratorParams, false)
-	if err != nil {
-		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
-		return
-	}
-	assert.Equal(t, "production_01/west", interpolatedGenerator.Git.Files[0].Path)
-	assert.Equal(t, "https://production-01.example.com", interpolatedGenerator.Git.Files[1].Path)
-}
-
-func TestInterpolateGenerator_go(t *testing.T) {
-	requestedGenerator := &argoprojiov1alpha1.ApplicationSetGenerator{
-		Clusters: &argoprojiov1alpha1.ClusterGenerator{
-			Selector: metav1.LabelSelector{
-				MatchLabels: map[string]string{
-					"argocd.argoproj.io/secret-type": "cluster",
-					"path-basename":                  "{{base .path.path}}",
-					"path-zero":                      "{{index .path.segments 0}}",
-					"path-full":                      "{{.path.path}}",
-					"kubernetes.io/environment":      `{{default "foo" .my_label}}`,
-				}},
-		},
-	}
-	gitGeneratorParams := map[string]interface{}{
-		"path": map[string]interface{}{
-			"path":     "p1/p2/app3",
-			"segments": []string{"p1", "p2", "app3"},
-		},
-	}
-	interpolatedGenerator, err := InterpolateGenerator(requestedGenerator, gitGeneratorParams, true)
-	require.NoError(t, err)
-	if err != nil {
-		log.WithError(err).WithField("requestedGenerator", requestedGenerator).Error("error interpolating Generator")
-		return
-	}
-	assert.Equal(t, "app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-basename"])
-	assert.Equal(t, "p1", interpolatedGenerator.Clusters.Selector.MatchLabels["path-zero"])
-	assert.Equal(t, "p1/p2/app3", interpolatedGenerator.Clusters.Selector.MatchLabels["path-full"])
-
-	fileNamePath := argoprojiov1alpha1.GitFileGeneratorItem{
-		Path: "{{.name}}",
-	}
-	fileServerPath := argoprojiov1alpha1.GitFileGeneratorItem{
-		Path: "{{.server}}",
-	}
-
 	requestedGenerator = &argoprojiov1alpha1.ApplicationSetGenerator{
 		Git: &argoprojiov1alpha1.GitGenerator{
 			Files:    append([]argoprojiov1alpha1.GitFileGeneratorItem{}, fileNamePath, fileServerPath),

applicationset/generators/git.go

@@ -58,9 +58,9 @@ func (g *GitGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.Applic
 
 	var err error
 	var res []map[string]interface{}
-	if len(appSetGenerator.Git.Directories) != 0 {
+	if appSetGenerator.Git.Directories != nil {
 		res, err = g.generateParamsForGitDirectories(appSetGenerator, appSet.Spec.GoTemplate)
-	} else if len(appSetGenerator.Git.Files) != 0 {
+	} else if appSetGenerator.Git.Files != nil {
 		res, err = g.generateParamsForGitFiles(appSetGenerator, appSet.Spec.GoTemplate)
 	} else {
 		return nil, EmptyAppSetGeneratorError

applicationset/generators/git_test.go

@@ -1,6 +1,7 @@
 package generators
 
 import (
+	"context"
 	"fmt"
 	"testing"
 
@@ -8,7 +9,6 @@ import (
 	"github.com/stretchr/testify/mock"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	testutils "github.com/argoproj/argo-cd/v2/applicationset/utils/test"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
@@ -20,6 +20,33 @@ import (
 // 	return io.NewCloser(func() error { return nil }), c.RepoServerServiceClient, nil
 // }
 
+type argoCDServiceMock struct {
+	mock *mock.Mock
+}
+
+func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+
+	return args.Get(0).([]string), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, pattern)
+
+	return args.Get(0).(map[string][]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, path)
+
+	return args.Get(0).([]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+	return args.Get(0).([]string), args.Error(1)
+}
+
 func Test_generateParamsFromGitFile(t *testing.T) {
 	params, err := (*GitGenerator)(nil).generateParamsFromGitFile("path/dir/file_name.yaml", []byte(`
 foo:
@@ -173,9 +200,9 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()
 
-			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
+			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
 
-			argoCDServiceMock.Mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
 
 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
@@ -202,7 +229,7 @@ func TestGitGenerateParamsFromDirectories(t *testing.T) {
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
 
-			argoCDServiceMock.Mock.AssertExpectations(t)
+			argoCDServiceMock.mock.AssertExpectations(t)
 		})
 	}
 }
@@ -415,9 +442,9 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()
 
-			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
+			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
 
-			argoCDServiceMock.Mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
+			argoCDServiceMock.mock.On("GetDirectories", mock.Anything, mock.Anything, mock.Anything).Return(testCaseCopy.repoApps, testCaseCopy.repoError)
 
 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
 			applicationSetInfo := argoprojiov1alpha1.ApplicationSet{
@@ -445,7 +472,7 @@ func TestGitGenerateParamsFromDirectoriesGoTemplate(t *testing.T) {
 				assert.Equal(t, testCaseCopy.expected, got)
 			}
 
-			argoCDServiceMock.Mock.AssertExpectations(t)
+			argoCDServiceMock.mock.AssertExpectations(t)
 		})
 	}
 
@@ -705,8 +732,8 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()
 
-			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
-			argoCDServiceMock.Mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+			argoCDServiceMock.mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)
 
 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
@@ -735,7 +762,7 @@ cluster:
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
 
-			argoCDServiceMock.Mock.AssertExpectations(t)
+			argoCDServiceMock.mock.AssertExpectations(t)
 		})
 	}
 }
@@ -1054,8 +1081,8 @@ cluster:
 		t.Run(testCaseCopy.name, func(t *testing.T) {
 			t.Parallel()
 
-			argoCDServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
-			argoCDServiceMock.Mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
+			argoCDServiceMock := argoCDServiceMock{mock: &mock.Mock{}}
+			argoCDServiceMock.mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).
 				Return(testCaseCopy.repoFileContents, testCaseCopy.repoPathsError)
 
 			var gitGenerator = NewGitGenerator(argoCDServiceMock)
@@ -1085,7 +1112,7 @@ cluster:
 				assert.ElementsMatch(t, testCaseCopy.expected, got)
 			}
 
-			argoCDServiceMock.Mock.AssertExpectations(t)
+			argoCDServiceMock.mock.AssertExpectations(t)
 		})
 	}
 }

applicationset/generators/matrix.go

@@ -80,13 +80,28 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 }
 
 func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, params map[string]interface{}) ([]map[string]interface{}, error) {
-	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
-	if err != nil {
-		return nil, err
+	var matrix *argoprojiov1alpha1.MatrixGenerator
+	if appSetBaseGenerator.Matrix != nil {
+		// Since nested matrix generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
+		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
+		if err != nil {
+			return nil, fmt.Errorf("unable to unmarshall nested matrix generator: %v", err)
+		}
+		if nestedMatrix != nil {
+			matrix = nestedMatrix.ToMatrixGenerator()
+		}
 	}
-	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
-	if err != nil {
-		return nil, err
+
+	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
+	if appSetBaseGenerator.Merge != nil {
+		// Since nested merge generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
+		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
+		if err != nil {
+			return nil, fmt.Errorf("unable to unmarshall nested merge generator: %v", err)
+		}
+		if nestedMerge != nil {
+			mergeGenerator = nestedMerge.ToMergeGenerator()
+		}
 	}
 
 	t, err := Transform(
@@ -97,8 +112,8 @@ func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Appli
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrixGen,
-			Merge:                   mergeGen,
+			Matrix:                  matrix,
+			Merge:                   mergeGenerator,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -128,15 +143,10 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 	var found bool
 
 	for _, r := range appSetGenerator.Matrix.Generators {
-		matrixGen, _ := getMatrixGenerator(r)
-		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:        r.List,
-			Clusters:    r.Clusters,
-			Git:         r.Git,
-			PullRequest: r.PullRequest,
-			Matrix:      matrixGen,
-			Merge:       mergeGen,
+			List:     r.List,
+			Clusters: r.Clusters,
+			Git:      r.Git,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)
 
@@ -157,17 +167,6 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 
 }
 
-func getMatrixGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MatrixGenerator, error) {
-	if r.Matrix == nil {
-		return nil, nil
-	}
-	matrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(r.Matrix)
-	if err != nil {
-		return nil, err
-	}
-	return matrix.ToMatrixGenerator(), nil
-}
-
 func (m *MatrixGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Matrix.Template
 }

applicationset/generators/matrix_test.go

@@ -5,7 +5,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/stretchr/testify/require"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -17,7 +16,6 @@ import (
 	"github.com/stretchr/testify/mock"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 
-	testutils "github.com/argoproj/argo-cd/v2/applicationset/utils/test"
 	argoprojiov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 )
 
@@ -401,8 +399,6 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 		Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "Cluster","url": "Url"}`)}},
 	}
 
-	pullRequestGenerator := &argoprojiov1alpha1.PullRequestGenerator{}
-
 	testCases := []struct {
 		name               string
 		baseGenerators     []argoprojiov1alpha1.ApplicationSetNestedGenerator
@@ -435,31 +431,6 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 			gitGetRequeueAfter: time.Duration(1),
 			expected:           time.Duration(1),
 		},
-		{
-			name: "returns the minimal time for pull request",
-			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
-				{
-					Git: gitGenerator,
-				},
-				{
-					PullRequest: pullRequestGenerator,
-				},
-			},
-			gitGetRequeueAfter: time.Duration(15 * time.Second),
-			expected:           time.Duration(15 * time.Second),
-		},
-		{
-			name: "returns the default time if no requeueAfterSeconds is provided",
-			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
-				{
-					Git: gitGenerator,
-				},
-				{
-					PullRequest: pullRequestGenerator,
-				},
-			},
-			expected: time.Duration(30 * time.Minute),
-		},
 	}
 
 	for _, testCase := range testCases {
@@ -470,18 +441,16 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 
 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
-					Git:         g.Git,
-					List:        g.List,
-					PullRequest: g.PullRequest,
+					Git:  g.Git,
+					List: g.List,
 				}
 				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
 			}
 
 			var matrixGenerator = NewMatrixGenerator(
 				map[string]Generator{
-					"Git":         mock,
-					"List":        &ListGenerator{},
-					"PullRequest": &PullRequestGenerator{},
+					"Git":  mock,
+					"List": &ListGenerator{},
 				},
 			)
 
@@ -859,72 +828,3 @@ func (g *generatorMock) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Appl
 	return args.Get(0).(time.Duration)
 
 }
-
-func TestGitGenerator_GenerateParams_list_x_git_matrix_generator(t *testing.T) {
-	// Given a matrix generator over a list generator and a git files generator, the nested git files generator should
-	// be treated as a files generator, and it should produce parameters.
-
-	// This tests for a specific bug where a nested git files generator was being treated as a directory generator. This
-	// happened because, when the matrix generator was being processed, the nested git files generator was being
-	// interpolated by the deeplyReplace function. That function cannot differentiate between a nil slice and an empty
-	// slice. So it was replacing the `Directories` field with an empty slice, which the ApplicationSet controller
-	// interpreted as meaning this was a directory generator, not a files generator.
-
-	// Now instead of checking for nil, we check whether the field is a non-empty slice. This test prevents a regression
-	// of that bug.
-
-	listGeneratorMock := &generatorMock{}
-	listGeneratorMock.On("GenerateParams", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator"), mock.AnythingOfType("*v1alpha1.ApplicationSet")).Return([]map[string]interface{}{
-		{"some": "value"},
-	}, nil)
-	listGeneratorMock.On("GetTemplate", mock.AnythingOfType("*v1alpha1.ApplicationSetGenerator")).Return(&argoprojiov1alpha1.ApplicationSetTemplate{})
-
-	gitGeneratorSpec := &argoprojiov1alpha1.GitGenerator{
-		RepoURL: "https://git.example.com",
-		Files: []argoprojiov1alpha1.GitFileGeneratorItem{
-			{Path: "some/path.json"},
-		},
-	}
-
-	repoServiceMock := testutils.ArgoCDServiceMock{Mock: &mock.Mock{}}
-	repoServiceMock.Mock.On("GetFiles", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(map[string][]byte{
-		"some/path.json": []byte("test: content"),
-	}, nil)
-	gitGenerator := NewGitGenerator(repoServiceMock)
-
-	matrixGenerator := NewMatrixGenerator(map[string]Generator{
-		"List": listGeneratorMock,
-		"Git":  gitGenerator,
-	})
-
-	matrixGeneratorSpec := &argoprojiov1alpha1.MatrixGenerator{
-		Generators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
-			{
-				List: &argoprojiov1alpha1.ListGenerator{
-					Elements: []apiextensionsv1.JSON{
-						{
-							Raw: []byte(`{"some": "value"}`),
-						},
-					},
-				},
-			},
-			{
-				Git: gitGeneratorSpec,
-			},
-		},
-	}
-	params, err := matrixGenerator.GenerateParams(&argoprojiov1alpha1.ApplicationSetGenerator{
-		Matrix: matrixGeneratorSpec,
-	}, &argoprojiov1alpha1.ApplicationSet{})
-	require.NoError(t, err)
-	assert.Equal(t, []map[string]interface{}{{
-		"path":                    "some",
-		"path.basename":           "some",
-		"path.basenameNormalized": "some",
-		"path.filename":           "path.json",
-		"path.filenameNormalized": "path.json",
-		"path[0]":                 "some",
-		"some":                    "value",
-		"test":                    "content",
-	}}, params)
-}

applicationset/generators/merge.go

@@ -137,13 +137,27 @@ func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]interface
 
 // getParams get the parameters generated by this generator.
 func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
-	if err != nil {
-		return nil, err
+
+	var matrix *argoprojiov1alpha1.MatrixGenerator
+	if appSetBaseGenerator.Matrix != nil {
+		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
+		if err != nil {
+			return nil, err
+		}
+		if nestedMatrix != nil {
+			matrix = nestedMatrix.ToMatrixGenerator()
+		}
 	}
-	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
-	if err != nil {
-		return nil, err
+
+	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
+	if appSetBaseGenerator.Merge != nil {
+		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
+		if err != nil {
+			return nil, err
+		}
+		if nestedMerge != nil {
+			mergeGenerator = nestedMerge.ToMergeGenerator()
+		}
 	}
 
 	t, err := Transform(
@@ -154,8 +168,8 @@ func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Applic
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrixGen,
-			Merge:                   mergeGen,
+			Matrix:                  matrix,
+			Merge:                   mergeGenerator,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -183,15 +197,10 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 	var found bool
 
 	for _, r := range appSetGenerator.Merge.Generators {
-		matrixGen, _ := getMatrixGenerator(r)
-		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:        r.List,
-			Clusters:    r.Clusters,
-			Git:         r.Git,
-			PullRequest: r.PullRequest,
-			Matrix:      matrixGen,
-			Merge:       mergeGen,
+			List:     r.List,
+			Clusters: r.Clusters,
+			Git:      r.Git,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)
 
@@ -212,17 +221,6 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 
 }
 
-func getMergeGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MergeGenerator, error) {
-	if r.Merge == nil {
-		return nil, nil
-	}
-	merge, err := argoprojiov1alpha1.ToNestedMergeGenerator(r.Merge)
-	if err != nil {
-		return nil, err
-	}
-	return merge.ToMergeGenerator(), nil
-}
-
 // GetTemplate gets the Template field for the MergeGenerator.
 func (m *MergeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Merge.Template

applicationset/generators/scm_provider.go

@@ -122,15 +122,6 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Azure Devops service: %v", err)
 		}
-	} else if providerConfig.Bitbucket != nil {
-		appPassword, err := g.getSecretRef(ctx, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace)
-		if err != nil {
-			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %v", err)
-		}
-		provider, err = scm_provider.NewBitBucketCloudProvider(ctx, providerConfig.Bitbucket.Owner, providerConfig.Bitbucket.User, appPassword, providerConfig.Bitbucket.AllBranches)
-		if err != nil {
-			return nil, fmt.Errorf("error initializing Bitbucket cloud service: %v", err)
-		}
 	} else {
 		return nil, fmt.Errorf("no SCM provider implementation configured")
 	}

applicationset/services/repo_service.go

@@ -85,12 +85,12 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 
 	gitRepoClient, err := git.NewClient(repo.Repo, repo.GetGitCreds(a.storecreds), repo.IsInsecure(), repo.IsLFSEnabled(), repo.Proxy)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error creating a new git client: %w", err)
 	}
 
 	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error while checking out repo: %w", err)
 	}
 
 	filteredPaths := []string{}
@@ -99,7 +99,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 
 	if err := filepath.Walk(repoRoot, func(path string, info os.FileInfo, fnErr error) error {
 		if fnErr != nil {
-			return fnErr
+			return fmt.Errorf("error walking the file tree: %w", fnErr)
 		}
 		if !info.IsDir() { // Skip files: directories only
 			return nil
@@ -112,7 +112,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 
 		relativePath, err := filepath.Rel(repoRoot, path)
 		if err != nil {
-			return err
+			return fmt.Errorf("error constructing relative repo path: %w", err)
 		}
 
 		if relativePath == "." { // Exclude '.' from results

applicationset/services/scm_provider/gitea.go

@@ -35,7 +35,7 @@ func NewGiteaProvider(ctx context.Context, owner, token, url string, allBranches
 	}
 	client, err := gitea.NewClient(url, gitea.SetToken(token), gitea.SetHTTPClient(httpClient))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error creating a new gitea client: %w", err)
 	}
 	return &GiteaProvider{
 		client:      client,

applicationset/services/scm_provider/gitlab.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"net/http"
 	pathpkg "path"
 
 	gitlab "github.com/xanzy/go-gitlab"
@@ -145,11 +144,7 @@ func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gi
 	branches := []gitlab.Branch{}
 	// If we don't specifically want to query for all branches, just use the default branch and call it a day.
 	if !g.allBranches {
-		gitlabBranch, resp, err := g.client.Branches.GetBranch(repo.RepositoryId, repo.Branch, nil)
-		// 404s are not an error here, just a normal false.
-		if resp != nil && resp.StatusCode == http.StatusNotFound {
-			return []gitlab.Branch{}, nil
-		}
+		gitlabBranch, _, err := g.client.Branches.GetBranch(repo.RepositoryId, repo.Branch, nil)
 		if err != nil {
 			return nil, err
 		}
@@ -162,10 +157,6 @@ func (g *GitlabProvider) listBranches(_ context.Context, repo *Repository) ([]gi
 	}
 	for {
 		gitlabBranches, resp, err := g.client.Branches.ListBranches(repo.RepositoryId, opt)
-		// 404s are not an error here, just a normal false.
-		if resp != nil && resp.StatusCode == http.StatusNotFound {
-			return []gitlab.Branch{}, nil
-		}
 		if err != nil {
 			return nil, err
 		}

applicationset/services/scm_provider/gitlab_test.go

@@ -274,8 +274,6 @@ func gitlabMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
 			if err != nil {
 				t.Fail()
 			}
-		case "/api/v4/projects/27084533/repository/branches/foo":
-			w.WriteHeader(http.StatusNotFound)
 		default:
 			_, err := io.WriteString(w, `[]`)
 			if err != nil {
@@ -393,29 +391,3 @@ func TestGitlabHasPath(t *testing.T) {
 		})
 	}
 }
-
-func TestGitlabGetBranches(t *testing.T) {
-	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		gitlabMockHandler(t)(w, r)
-	}))
-	host, _ := NewGitlabProvider(context.Background(), "test-argocd-proton", "", ts.URL, false, true)
-
-	repo := &Repository{
-		RepositoryId: 27084533,
-		Branch:       "master",
-	}
-	t.Run("branch exists", func(t *testing.T) {
-		repos, err := host.GetBranches(context.Background(), repo)
-		assert.Nil(t, err)
-		assert.Equal(t, repos[0].Branch, "master")
-	})
-
-	repo2 := &Repository{
-		RepositoryId: 27084533,
-		Branch:       "foo",
-	}
-	t.Run("unknown branch", func(t *testing.T) {
-		_, err := host.GetBranches(context.Background(), repo2)
-		assert.NoError(t, err)
-	})
-}

applicationset/utils/createOrUpdate.go

@@ -88,7 +88,7 @@ func CreateOrUpdate(ctx context.Context, c client.Client, obj client.Object, f c
 // mutate wraps a MutateFn and applies validation to its result
 func mutate(f controllerutil.MutateFn, key client.ObjectKey, obj client.Object) error {
 	if err := f(); err != nil {
-		return err
+		return fmt.Errorf("error while wrapping using MutateFn: %w", err)
 	}
 	if newKey := client.ObjectKeyFromObject(obj); key != newKey {
 		return fmt.Errorf("MutateFn cannot mutate object name and/or object namespace")

applicationset/utils/test/testutils.go

@@ -1,34 +0,0 @@
-package test
-
-import (
-	"context"
-
-	"github.com/stretchr/testify/mock"
-)
-
-type ArgoCDServiceMock struct {
-	Mock *mock.Mock
-}
-
-func (a ArgoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.Mock.Called(ctx, repoURL, revision)
-
-	return args.Get(0).([]string), args.Error(1)
-}
-
-func (a ArgoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
-	args := a.Mock.Called(ctx, repoURL, revision, pattern)
-
-	return args.Get(0).(map[string][]byte), args.Error(1)
-}
-
-func (a ArgoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
-	args := a.Mock.Called(ctx, repoURL, revision, path)
-
-	return args.Get(0).([]byte), args.Error(1)
-}
-
-func (a ArgoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
-	args := a.Mock.Called(ctx, repoURL, revision)
-	return args.Get(0).([]string), args.Error(1)
-}

applicationset/utils/utils.go

@@ -133,16 +133,6 @@ func (r *Render) deeplyReplace(copy, original reflect.Value, replaceMap map[stri
 			if err := r.deeplyReplace(copyValue, originalValue, replaceMap, useGoTemplate); err != nil {
 				return err
 			}
-
-			// Keys can be templated as well as values (e.g. to template something into an annotation).
-			if key.Kind() == reflect.String {
-				templatedKey, err := r.Replace(key.String(), replaceMap, useGoTemplate)
-				if err != nil {
-					return err
-				}
-				key = reflect.ValueOf(templatedKey)
-			}
-
 			copy.SetMapIndex(key, copyValue)
 		}
 
@@ -174,7 +164,7 @@ func (r *Render) deeplyReplace(copy, original reflect.Value, replaceMap map[stri
 
 func (r *Render) RenderTemplateParams(tmpl *argoappsv1.Application, syncPolicy *argoappsv1.ApplicationSetSyncPolicy, params map[string]interface{}, useGoTemplate bool) (*argoappsv1.Application, error) {
 	if tmpl == nil {
-		return nil, fmt.Errorf("application template is empty")
+		return nil, fmt.Errorf("application template is empty ")
 	}
 
 	if len(params) == 0 {
@@ -204,27 +194,6 @@ func (r *Render) RenderTemplateParams(tmpl *argoappsv1.Application, syncPolicy *
 	return replacedTmpl, nil
 }
 
-func (r *Render) RenderGeneratorParams(gen *argoappsv1.ApplicationSetGenerator, params map[string]interface{}, useGoTemplate bool) (*argoappsv1.ApplicationSetGenerator, error) {
-	if gen == nil {
-		return nil, fmt.Errorf("generator is empty")
-	}
-
-	if len(params) == 0 {
-		return gen, nil
-	}
-
-	original := reflect.ValueOf(gen)
-	copy := reflect.New(original.Type()).Elem()
-
-	if err := r.deeplyReplace(copy, original, params, useGoTemplate); err != nil {
-		return nil, fmt.Errorf("failed to replace parameters in generator: %w", err)
-	}
-
-	replacedGen := copy.Interface().(*argoappsv1.ApplicationSetGenerator)
-
-	return replacedGen, nil
-}
-
 var isTemplatedRegex = regexp.MustCompile(".*{{.*}}.*")
 
 // Replace executes basic string substitution of a template with replacement values.

applicationset/utils/utils_test.go

@@ -7,7 +7,6 @@ import (
 	"github.com/sirupsen/logrus"
 	logtest "github.com/sirupsen/logrus/hooks/test"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -462,49 +461,7 @@ func TestRenderTemplateParamsGoTemplate(t *testing.T) {
 			}
 		})
 	}
-}
 
-func TestRenderTemplateKeys(t *testing.T) {
-	t.Run("fasttemplate", func(t *testing.T) {
-		application := &argoappsv1.Application{
-			ObjectMeta: metav1.ObjectMeta{
-				Annotations: map[string]string{
-					"annotation-{{key}}": "annotation-{{value}}",
-				},
-			},
-		}
-
-		params := map[string]interface{}{
-			"key":   "some-key",
-			"value": "some-value",
-		}
-
-		render := Render{}
-		newApplication, err := render.RenderTemplateParams(application, nil, params, false)
-		require.NoError(t, err)
-		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
-		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
-	})
-	t.Run("gotemplate", func(t *testing.T) {
-		application := &argoappsv1.Application{
-			ObjectMeta: metav1.ObjectMeta{
-				Annotations: map[string]string{
-					"annotation-{{ .key }}": "annotation-{{ .value }}",
-				},
-			},
-		}
-
-		params := map[string]interface{}{
-			"key":   "some-key",
-			"value": "some-value",
-		}
-
-		render := Render{}
-		newApplication, err := render.RenderTemplateParams(application, nil, params, true)
-		require.NoError(t, err)
-		require.Contains(t, newApplication.ObjectMeta.Annotations, "annotation-some-key")
-		assert.Equal(t, newApplication.ObjectMeta.Annotations["annotation-some-key"], "annotation-some-value")
-	})
 }
 
 func TestRenderTemplateParamsFinalizers(t *testing.T) {

argocd-cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
+JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
+-----END PUBLIC KEY-----

assets/swagger.json

@@ -271,16 +271,6 @@
             "description": "the application's namespace.",
             "name": "appNamespace",
             "in": "query"
-          },
-          {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "collectionFormat": "multi",
-            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
-            "name": "project",
-            "in": "query"
           }
         ],
         "responses": {
@@ -595,16 +585,6 @@
             "description": "the application's namespace.",
             "name": "appNamespace",
             "in": "query"
-          },
-          {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "collectionFormat": "multi",
-            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
-            "name": "project",
-            "in": "query"
           }
         ],
         "responses": {
@@ -3527,16 +3507,6 @@
             "description": "the application's namespace.",
             "name": "appNamespace",
             "in": "query"
-          },
-          {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "collectionFormat": "multi",
-            "description": "the project names to restrict returned list applications (legacy name for backwards-compatibility).",
-            "name": "project",
-            "in": "query"
           }
         ],
         "responses": {
@@ -4127,9 +4097,6 @@
         "appLabelKey": {
           "type": "string"
         },
-        "appsInAnyNamespaceEnabled": {
-          "type": "boolean"
-        },
         "configManagementPlugins": {
           "type": "array",
           "items": {
@@ -7515,8 +7482,8 @@
           "$ref": "#/definitions/v1Time"
         },
         "message": {
-          "type": "string",
-          "title": "Message contains the message associated with the revision, most likely the commit message.\nThe message is truncated to the first newline or 64 characters (which ever comes first)"
+          "description": "Message contains the message associated with the revision, most likely the commit message.",
+          "type": "string"
         },
         "signatureInfo": {
           "description": "SignatureInfo contains a hint on the signer if the revision was signed with GPG, and signature verification is enabled.",

cmd/argocd-applicationset-controller/commands/applicationset_controller.go

@@ -39,7 +39,7 @@ import (
 	argosettings "github.com/argoproj/argo-cd/v2/util/settings"
 )
 
-// TODO: load this using Cobra. https://github.com/argoproj/argo-cd/issues/10157
+// TODO: load this using Cobra.
 func getSubmoduleEnabled() bool {
 	return env.ParseBoolFromEnv(common.EnvGitSubmoduleEnabled, true)
 }
@@ -195,16 +195,16 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 	command.Flags().StringVar(&probeBindAddr, "probe-addr", ":8081", "The address the probe endpoint binds to.")
 	command.Flags().StringVar(&webhookAddr, "webhook-addr", ":7000", "The address the webhook endpoint binds to.")
-	command.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", false,
+	command.Flags().BoolVar(&enableLeaderElection, "enable-leader-election", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_LEADER_ELECTION", false),
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
-	command.Flags().StringVar(&namespace, "namespace", "", "Argo CD repo namespace (default: argocd)")
-	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", "argocd-repo-server:8081", "Argo CD repo server address")
-	command.Flags().StringVar(&policy, "policy", "sync", "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion)")
-	command.Flags().BoolVar(&debugLog, "debug", false, "Print debug logs. Takes precedence over loglevel")
-	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", "text", "Set the logging format. One of: text|json")
-	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
-	command.Flags().BoolVar(&dryRun, "dry-run", false, "Enable dry run mode")
+	command.Flags().StringVar(&namespace, "namespace", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACE", ""), "Argo CD repo namespace (default: argocd)")
+	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_REPO_SERVER", common.DefaultRepoServerAddr), "Argo CD repo server address")
+	command.Flags().StringVar(&policy, "policy", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_POLICY", "sync"), "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion)")
+	command.Flags().BoolVar(&debugLog, "debug", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DEBUG", false), "Print debug logs. Takes precedence over loglevel")
+	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
+	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
+	command.Flags().BoolVar(&dryRun, "dry-run", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN", false), "Enable dry run mode")
 	return &command
 }
 

cmd/argocd/commands/account.go

@@ -44,6 +44,7 @@ func NewAccountCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	command.AddCommand(NewAccountGenerateTokenCommand(clientOpts))
 	command.AddCommand(NewAccountGetCommand(clientOpts))
 	command.AddCommand(NewAccountDeleteTokenCommand(clientOpts))
+	command.AddCommand(NewBcryptCmd())
 	return command
 }
 

cmd/argocd/commands/admin/app.go

@@ -292,11 +292,11 @@ func saveToFile(err error, outputFormat string, result reconcileResults, outputP
 	switch outputFormat {
 	case "yaml":
 		if data, err = yaml.Marshal(result); err != nil {
-			return err
+			return fmt.Errorf("error marshalling yaml: %w", err)
 		}
 	case "json":
 		if data, err = json.Marshal(result); err != nil {
-			return err
+			return fmt.Errorf("error marshalling json: %w", err)
 		}
 	default:
 		return fmt.Errorf("format %s is not supported", outputFormat)

cmd/argocd/commands/admin/cluster.go

@@ -221,11 +221,11 @@ func printStatsSummary(clusters []ClusterWithInfo) {
 func runClusterNamespacesCommand(ctx context.Context, clientConfig clientcmd.ClientConfig, action func(appClient *versioned.Clientset, argoDB db.ArgoDB, clusters map[string][]string) error) error {
 	clientCfg, err := clientConfig.ClientConfig()
 	if err != nil {
-		return err
+		return fmt.Errorf("error while creating client config: %w", err)
 	}
 	namespace, _, err := clientConfig.Namespace()
 	if err != nil {
-		return err
+		return fmt.Errorf("error while getting namespace from client config: %w", err)
 	}
 
 	kubeClient := kubernetes.NewForConfigOrDie(clientCfg)
@@ -235,17 +235,16 @@ func runClusterNamespacesCommand(ctx context.Context, clientConfig clientcmd.Cli
 	argoDB := db.NewDB(namespace, settingsMgr, kubeClient)
 	clustersList, err := argoDB.ListClusters(ctx)
 	if err != nil {
-		return err
+		return fmt.Errorf("error listing clusters: %w", err)
 	}
 	appItems, err := appClient.ArgoprojV1alpha1().Applications(namespace).List(ctx, v1.ListOptions{})
 	if err != nil {
-		return err
+		return fmt.Errorf("error listing application: %w", err)
 	}
 	apps := appItems.Items
 	for i, app := range apps {
-		err := argo.ValidateDestination(ctx, &app.Spec.Destination, argoDB)
-		if err != nil {
-			return err
+		if err := argo.ValidateDestination(ctx, &app.Spec.Destination, argoDB); err != nil {
+			return fmt.Errorf("error validating application destination: %w", err)
 		}
 		apps[i] = app
 	}
@@ -349,15 +348,14 @@ func NewClusterEnableNamespacedMode() *cobra.Command {
 
 					cluster, err := argoDB.GetCluster(ctx, server)
 					if err != nil {
-						return err
+						return fmt.Errorf("error getting cluster from server: %w", err)
 					}
 					cluster.Namespaces = namespaces
 					cluster.ClusterResources = clusterResources
 					fmt.Printf("Setting cluster %s namespaces to %v...", server, namespaces)
 					if !dryRun {
-						_, err = argoDB.UpdateCluster(ctx, cluster)
-						if err != nil {
-							return err
+						if _, err = argoDB.UpdateCluster(ctx, cluster); err != nil {
+							return fmt.Errorf("error updating cluster: %w", err)
 						}
 						fmt.Println("done")
 					} else {
@@ -405,7 +403,7 @@ func NewClusterDisableNamespacedMode() *cobra.Command {
 
 					cluster, err := argoDB.GetCluster(ctx, server)
 					if err != nil {
-						return err
+						return fmt.Errorf("error getting cluster from server: %w", err)
 					}
 
 					if len(cluster.Namespaces) == 0 {
@@ -415,9 +413,8 @@ func NewClusterDisableNamespacedMode() *cobra.Command {
 					cluster.Namespaces = nil
 					fmt.Printf("Disabling namespaced mode for cluster %s...", server)
 					if !dryRun {
-						_, err = argoDB.UpdateCluster(ctx, cluster)
-						if err != nil {
-							return err
+						if _, err = argoDB.UpdateCluster(ctx, cluster); err != nil {
+							return fmt.Errorf("error updating cluster: %w", err)
 						}
 						fmt.Println("done")
 					} else {

cmd/argocd/commands/admin/dashboard.go

@@ -9,16 +9,13 @@ import (
 	"github.com/argoproj/argo-cd/v2/cmd/argocd/commands/initialize"
 	"github.com/argoproj/argo-cd/v2/common"
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
-	"github.com/argoproj/argo-cd/v2/util/cache"
-	"github.com/argoproj/argo-cd/v2/util/env"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 )
 
 func NewDashboardCommand() *cobra.Command {
 	var (
-		port           int
-		address        string
-		compressionStr string
+		port    int
+		address string
 	)
 	cmd := &cobra.Command{
 		Use:   "dashboard",
@@ -26,9 +23,7 @@ func NewDashboardCommand() *cobra.Command {
 		Run: func(cmd *cobra.Command, args []string) {
 			ctx := cmd.Context()
 
-			compression, err := cache.CompressionTypeFromString(compressionStr)
-			errors.CheckError(err)
-			errors.CheckError(headless.StartLocalServer(ctx, &argocdclient.ClientOptions{Core: true}, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address, compression))
+			errors.CheckError(headless.StartLocalServer(ctx, &argocdclient.ClientOptions{Core: true}, initialize.RetrieveContextIfChanged(cmd.Flag("context")), &port, &address))
 			println(fmt.Sprintf("Argo CD UI is available at http://%s:%d", address, port))
 			<-ctx.Done()
 		},
@@ -36,6 +31,5 @@ func NewDashboardCommand() *cobra.Command {
 	initialize.InitCommand(cmd)
 	cmd.Flags().IntVar(&port, "port", common.DefaultPortAPIServer, "Listen on given port")
 	cmd.Flags().StringVar(&address, "address", common.DefaultAddressAPIServer, "Listen on given address")
-	cmd.Flags().StringVar(&compressionStr, "redis-compress", env.StringFromEnv("REDIS_COMPRESSION", string(cache.RedisCompressionNone)), "Enable this if the application controller is configured with redis compression enabled. (possible values: none, gzip)")
 	return cmd
 }

cmd/argocd/commands/admin/generatespec_utils.go

@@ -43,7 +43,7 @@ func PrintResources(output string, out io.Writer, resources ...interface{}) erro
 		}
 		filteredResource, err := omitFields(resource)
 		if err != nil {
-			return err
+			return fmt.Errorf("error omitting filtered fields from the resource: %w", err)
 		}
 		resources[i] = filteredResource
 	}
@@ -56,14 +56,14 @@ func PrintResources(output string, out io.Writer, resources ...interface{}) erro
 	case "json":
 		jsonBytes, err := json.MarshalIndent(obj, "", "  ")
 		if err != nil {
-			return err
+			return fmt.Errorf("error marshaling json: %w", err)
 		}
 
 		_, _ = fmt.Fprintln(out, string(jsonBytes))
 	case "yaml":
 		yamlBytes, err := yaml.Marshal(obj)
 		if err != nil {
-			return err
+			return fmt.Errorf("error marshaling yaml: %w", err)
 		}
 		// marshaled YAML already ends with the new line character
 		_, _ = fmt.Fprint(out, string(yamlBytes))

cmd/argocd/commands/admin/notifications.go

@@ -33,7 +33,7 @@ func NewNotificationsCommand() *cobra.Command {
 	var argocdService service.Service
 	toolsCommand := cmd.NewToolsCommand(
 		"notifications",
-		"argocd admin notifications",
+		"notifications",
 		applications,
 		settings.GetFactorySettings(argocdService, "argocd-notifications-secret", "argocd-notifications-cm"), func(clientConfig clientcmd.ClientConfig) {
 			k8sCfg, err := clientConfig.ClientConfig()

cmd/argocd/commands/admin/project.go

@@ -106,13 +106,13 @@ func saveProject(ctx context.Context, updated v1alpha1.AppProject, orig v1alpha1
 	errors.CheckError(err)
 	live, err := kube.ToUnstructured(&orig)
 	if err != nil {
-		return err
+		return fmt.Errorf("error converting project to unstructured: %w", err)
 	}
 	_ = cli.PrintDiff(updated.Name, target, live)
 	if !dryRun {
 		_, err = projectsIf.Update(ctx, &updated, v1.UpdateOptions{})
 		if err != nil {
-			return err
+			return fmt.Errorf("error while updating project:  %w", err)
 		}
 	}
 	return nil
@@ -188,7 +188,7 @@ func NewUpdatePolicyRuleCommand() *cobra.Command {
 func updateProjects(ctx context.Context, projIf appclient.AppProjectInterface, projectGlob string, rolePattern string, action string, modification func(string, string) string, dryRun bool) error {
 	projects, err := projIf.List(ctx, v1.ListOptions{})
 	if err != nil {
-		return err
+		return fmt.Errorf("error listing the projects: %w", err)
 	}
 	for _, proj := range projects.Items {
 		if !globMatch(projectGlob, proj.Name) {
@@ -225,7 +225,7 @@ func updateProjects(ctx context.Context, projIf appclient.AppProjectInterface, p
 		if updated {
 			err = saveProject(ctx, proj, *origProj, projIf, dryRun)
 			if err != nil {
-				return err
+				return fmt.Errorf("error saving the project: %w", err)
 			}
 		}
 	}

cmd/argocd/commands/admin/settings.go

@@ -206,7 +206,7 @@ var validatorsByGroup = map[string]settingValidator{
 			}
 			ssoProvider = "Dex"
 		} else if general.OIDCConfigRAW != "" {
-			if err := settings.ValidateOIDCConfig(general.OIDCConfigRAW); err != nil {
+			if _, err := settings.UnmarshalOIDCConfig(general.OIDCConfigRAW); err != nil {
 				return "", fmt.Errorf("invalid oidc.config: %v", err)
 			}
 			ssoProvider = "OIDC"

cmd/argocd/commands/app.go

@@ -169,9 +169,7 @@ func NewApplicationCreateCommand(clientOpts *argocdclient.ClientOptions) *cobra.
 
 				// Get app before creating to see if it is being updated or no change
 				existing, err := appIf.Get(ctx, &applicationpkg.ApplicationQuery{Name: &app.Name})
-				unwrappedError := grpc.UnwrapGRPCStatus(err).Code()
-				// As part of the fix for CVE-2022-41354, the API will return Permission Denied when an app does not exist.
-				if unwrappedError != codes.NotFound && unwrappedError != codes.PermissionDenied {
+				if grpc.UnwrapGRPCStatus(err).Code() != codes.NotFound {
 					errors.CheckError(err)
 				}
 
@@ -966,7 +964,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 
 					diffOption.serversideRes = res
 				} else {
-					fmt.Fprintf(os.Stderr, "Warning: local diff without --server-side-generate is deprecated and does not work with plugins. Server-side generation will be the default in v2.7.")
+					fmt.Fprintf(os.Stderr, "Warning: local diff without --server-side-generate is deprecated and does not work with plugins. Server-side generation will be the default in v2.6.")
 					conn, clusterIf := clientset.NewClusterClientOrDie()
 					defer argoio.Close(conn)
 					cluster, err := clusterIf.Get(ctx, &clusterpkg.ClusterQuery{Name: app.Spec.Destination.Name, Server: app.Spec.Destination.Server})
@@ -2429,12 +2427,12 @@ func NewApplicationEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 			cli.InteractiveEdit(fmt.Sprintf("%s-*-edit.yaml", appName), appData, func(input []byte) error {
 				input, err = yaml.YAMLToJSON(input)
 				if err != nil {
-					return err
+					return fmt.Errorf("error converting YAML to JSON: %w", err)
 				}
 				updatedSpec := argoappv1.ApplicationSpec{}
 				err = json.Unmarshal(input, &updatedSpec)
 				if err != nil {
-					return err
+					return fmt.Errorf("error unmarshaling input into application spec: %w", err)
 				}
 
 				var appOpts cmdutil.AppOptions
@@ -2446,9 +2444,9 @@ func NewApplicationEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					AppNamespace: &appNs,
 				})
 				if err != nil {
-					return fmt.Errorf("Failed to update application spec:\n%v", err)
+					return fmt.Errorf("failed to update application spec: %w", err)
 				}
-				return err
+				return nil
 			})
 		},
 	}

cmd/argocd/commands/applicationset.go

@@ -342,19 +342,16 @@ func printAppSetSummaryTable(appSet *arogappsetv1.ApplicationSet) {
 	fmt.Printf(printOpFmtStr, "Path:", appSet.Spec.Template.Spec.Source.Path)
 	printAppSourceDetails(&appSet.Spec.Template.Spec.Source)
 
-	var (
-		syncPolicyStr string
-		syncPolicy = appSet.Spec.Template.Spec.SyncPolicy
-	)
-	if syncPolicy != nil && syncPolicy.Automated != nil {
-		syncPolicyStr = "Automated"
-		if syncPolicy.Automated.Prune {
-			syncPolicyStr += " (Prune)"
+	var syncPolicy string
+	if appSet.Spec.SyncPolicy != nil && appSet.Spec.Template.Spec.SyncPolicy.Automated != nil {
+		syncPolicy = "Automated"
+		if appSet.Spec.Template.Spec.SyncPolicy.Automated.Prune {
+			syncPolicy += " (Prune)"
 		}
 	} else {
-		syncPolicyStr = "<none>"
+		syncPolicy = "<none>"
 	}
-	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicyStr)
+	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicy)
 
 }
 

cmd/argocd/commands/applicationset_test.go

@@ -1,8 +1,6 @@
 package commands
 
 import (
-	"io/ioutil"
-	"os"
 	"testing"
 
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -70,124 +68,3 @@ func TestPrintApplicationSetTable(t *testing.T) {
 	expectation := "NAME      NAMESPACE  PROJECT  SYNCPOLICY  CONDITIONS\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\n"
 	assert.Equal(t, expectation, output)
 }
-
-func TestPrintAppSetSummaryTable(t *testing.T) {
-	baseAppSet := &arogappsetv1.ApplicationSet{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "app-name",
-		},
-		Spec: arogappsetv1.ApplicationSetSpec{
-			Generators: []arogappsetv1.ApplicationSetGenerator{
-				arogappsetv1.ApplicationSetGenerator{
-					Git: &arogappsetv1.GitGenerator{
-						RepoURL:  "https://github.com/argoproj/argo-cd.git",
-						Revision: "head",
-						Directories: []arogappsetv1.GitDirectoryGeneratorItem{
-							arogappsetv1.GitDirectoryGeneratorItem{
-								Path: "applicationset/examples/git-generator-directory/cluster-addons/*",
-							},
-						},
-					},
-				},
-			},
-			Template: arogappsetv1.ApplicationSetTemplate{
-				Spec: v1alpha1.ApplicationSpec{
-					Project: "default",
-				},
-			},
-		},
-		Status: arogappsetv1.ApplicationSetStatus{
-			Conditions: []arogappsetv1.ApplicationSetCondition{
-				arogappsetv1.ApplicationSetCondition{
-					Status: v1alpha1.ApplicationSetConditionStatusTrue,
-					Type:   arogappsetv1.ApplicationSetConditionResourcesUpToDate,
-				},
-			},
-		},
-	}
-
-	appsetSpecSyncPolicy := baseAppSet.DeepCopy()
-	appsetSpecSyncPolicy.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
-		PreserveResourcesOnDeletion: true,
-	}
-
-	appSetTemplateSpecSyncPolicy := baseAppSet.DeepCopy()
-	appSetTemplateSpecSyncPolicy.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
-		Automated: &arogappsetv1.SyncPolicyAutomated{
-			SelfHeal: true,
-		},
-	}
-
-	appSetBothSyncPolicies := baseAppSet.DeepCopy()
-	appSetBothSyncPolicies.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
-		PreserveResourcesOnDeletion: true,
-	}
-	appSetBothSyncPolicies.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
-		Automated: &arogappsetv1.SyncPolicyAutomated{
-			SelfHeal: true,
-		},
-	}
-
-	for _, tt := range []struct {
-		name           string
-		appSet         *arogappsetv1.ApplicationSet
-		expectedOutput string
-	}{
-		{
-			name:   "appset with only spec.syncPolicy set",
-			appSet: appsetSpecSyncPolicy,
-			expectedOutput: `Name:               app-name
-Project:            default
-Server:             
-Namespace:          
-Repo:               
-Target:             
-Path:               
-SyncPolicy:         <none>
-`,
-		},
-		{
-			name:   "appset with only spec.template.spec.syncPolicy set",
-			appSet: appSetTemplateSpecSyncPolicy,
-			expectedOutput: `Name:               app-name
-Project:            default
-Server:             
-Namespace:          
-Repo:               
-Target:             
-Path:               
-SyncPolicy:         Automated
-`,
-		},
-		{
-			name:   "appset with both spec.SyncPolicy and spec.template.spec.syncPolicy set",
-			appSet: appSetBothSyncPolicies,
-			expectedOutput: `Name:               app-name
-Project:            default
-Server:             
-Namespace:          
-Repo:               
-Target:             
-Path:               
-SyncPolicy:         Automated
-`,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			oldStdout := os.Stdout
-			defer func() {
-				os.Stdout = oldStdout
-			}()
-
-			r, w, _ := os.Pipe()
-			os.Stdout = w
-
-			printAppSetSummaryTable(tt.appSet)
-			w.Close()
-
-			out, err := ioutil.ReadAll(r)
-			assert.NoError(t, err)
-			assert.Equal(t, tt.expectedOutput, string(out))
-		})
-	}
-}

cmd/argocd/commands/bcrypt.go

@@ -0,0 +1,36 @@
+package commands
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// bcryptCmd represents the bcrypt command
+func NewBcryptCmd() *cobra.Command {
+	var (
+		password string
+	)
+	var bcryptCmd = &cobra.Command{
+		Use:   "bcrypt",
+		Short: "Generate bcrypt hash for the admin password",
+		Run: func(cmd *cobra.Command, args []string) {
+			bytePassword := []byte(password)
+			// Hashing the password
+			hash, err := bcrypt.GenerateFromPassword(bytePassword, bcrypt.DefaultCost)
+			if err != nil {
+				log.Fatalf("Failed to genarate bcrypt hash: %v", err)
+			}
+			fmt.Fprint(cmd.OutOrStdout(), string(hash))
+		},
+	}
+
+	bcryptCmd.Flags().StringVar(&password, "password", "", "Password for which bcrypt hash is generated")
+	err := bcryptCmd.MarkFlagRequired("password")
+	if err != nil {
+		return nil
+	}
+	return bcryptCmd
+}

cmd/argocd/commands/bcrypt_test.go

@@ -0,0 +1,22 @@
+package commands
+
+import (
+	"bytes"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func TestGeneratePassword(t *testing.T) {
+	bcryptCmd := NewBcryptCmd()
+	bcryptCmd.SetArgs([]string{"--password", "abc"})
+	output := new(bytes.Buffer)
+	bcryptCmd.SetOutput(output)
+	err := bcryptCmd.Execute()
+	if err != nil {
+		return
+	}
+	err = bcrypt.CompareHashAndPassword(output.Bytes(), []byte("abc"))
+	assert.NoError(t, err)
+}

cmd/argocd/commands/common.go

@@ -22,13 +22,13 @@ func PrintResource(resource interface{}, output string) error {
 	case "json":
 		jsonBytes, err := json.MarshalIndent(resource, "", "  ")
 		if err != nil {
-			return err
+			return fmt.Errorf("unable to marshal resource to json: %w", err)
 		}
 		fmt.Println(string(jsonBytes))
 	case "yaml":
 		yamlBytes, err := yaml.Marshal(resource)
 		if err != nil {
-			return err
+			return fmt.Errorf("unable to marshal resource to yaml: %w", err)
 		}
 		fmt.Print(string(yamlBytes))
 	default:
@@ -56,13 +56,13 @@ func PrintResourceList(resources interface{}, output string, single bool) error
 	case "json":
 		jsonBytes, err := json.MarshalIndent(resources, "", "  ")
 		if err != nil {
-			return err
+			return fmt.Errorf("unable to marshal resources to json: %w", err)
 		}
 		fmt.Println(string(jsonBytes))
 	case "yaml":
 		yamlBytes, err := yaml.Marshal(resources)
 		if err != nil {
-			return err
+			return fmt.Errorf("unable to marshal resources to yaml: %w", err)
 		}
 		fmt.Print(string(yamlBytes))
 	default:

cmd/argocd/commands/headless/headless.go

@@ -38,12 +38,11 @@ import (
 )
 
 type forwardCacheClient struct {
-	namespace   string
-	context     string
-	init        sync.Once
-	client      cache.CacheClient
-	compression cache.RedisCompressionType
-	err         error
+	namespace string
+	context   string
+	init      sync.Once
+	client    cache.CacheClient
+	err       error
 }
 
 func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error) error {
@@ -59,7 +58,7 @@ func (c *forwardCacheClient) doLazy(action func(client cache.CacheClient) error)
 		}
 
 		redisClient := redis.NewClient(&redis.Options{Addr: fmt.Sprintf("localhost:%d", redisPort)})
-		c.client = cache.NewRedisCache(redisClient, time.Hour, c.compression)
+		c.client = cache.NewRedisCache(redisClient, time.Hour, cache.RedisCompressionNone)
 	})
 	if c.err != nil {
 		return c.err
@@ -140,7 +139,7 @@ func testAPI(ctx context.Context, clientOpts *apiclient.ClientOptions) error {
 
 // StartLocalServer allows executing command in a headless mode: on the fly starts Argo CD API server and
 // changes provided client options to use started API server port
-func StartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions, ctxStr string, port *int, address *string, compression cache.RedisCompressionType) error {
+func StartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions, ctxStr string, port *int, address *string) error {
 	flags := pflag.NewFlagSet("tmp", pflag.ContinueOnError)
 	clientConfig := cli.AddKubectlFlagsToSet(flags)
 	startInProcessAPI := clientOpts.Core
@@ -201,7 +200,7 @@ func StartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOptions,
 	if err != nil {
 		return err
 	}
-	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr, compression: compression}), time.Hour)
+	appstateCache := appstatecache.NewCache(cache.NewCache(&forwardCacheClient{namespace: namespace, context: ctxStr}), time.Hour)
 	srv := server.NewServer(ctx, server.ArgoCDServerOpts{
 		EnableGZip:    false,
 		Namespace:     namespace,
@@ -243,7 +242,7 @@ func NewClientOrDie(opts *apiclient.ClientOptions, c *cobra.Command) apiclient.C
 	ctx := c.Context()
 
 	ctxStr := initialize.RetrieveContextIfChanged(c.Flag("context"))
-	err := StartLocalServer(ctx, opts, ctxStr, nil, nil, cache.RedisCompressionNone)
+	err := StartLocalServer(ctx, opts, ctxStr, nil, nil)
 	if err != nil {
 		log.Fatal(err)
 	}

cmd/argocd/commands/project.go

@@ -863,23 +863,23 @@ func NewProjectEditCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comman
 			cli.InteractiveEdit(fmt.Sprintf("%s-*-edit.yaml", projName), projData, func(input []byte) error {
 				input, err = yaml.YAMLToJSON(input)
 				if err != nil {
-					return err
+					return fmt.Errorf("error converting YAML to JSON: %w", err)
 				}
 				updatedSpec := v1alpha1.AppProjectSpec{}
 				err = json.Unmarshal(input, &updatedSpec)
 				if err != nil {
-					return err
+					return fmt.Errorf("error unmarshaling input into application spec: %w", err)
 				}
 				proj, err := projIf.Get(ctx, &projectpkg.ProjectQuery{Name: projName})
 				if err != nil {
-					return err
+					return fmt.Errorf("could not get project by project name: %w", err)
 				}
 				proj.Spec = updatedSpec
 				_, err = projIf.Update(ctx, &projectpkg.ProjectUpdateRequest{Project: proj})
 				if err != nil {
-					return fmt.Errorf("Failed to update project:\n%v", err)
+					return fmt.Errorf("failed to update project:\n%w", err)
 				}
-				return err
+				return nil
 			})
 		},
 	}

cmd/argocd/commands/root.go

@@ -41,7 +41,7 @@ func NewCommand() *cobra.Command {
 	}
 
 	command.AddCommand(NewCompletionCommand())
-	command.AddCommand(initialize.InitCommand(NewVersionCmd(&clientOpts)))
+	command.AddCommand(initialize.InitCommand(NewVersionCmd(&clientOpts, nil)))
 	command.AddCommand(initialize.InitCommand(NewClusterCommand(&clientOpts, pathOpts)))
 	command.AddCommand(initialize.InitCommand(NewApplicationCommand(&clientOpts)))
 	command.AddCommand(initialize.InitCommand(NewAppSetCommand(&clientOpts)))

cmd/argocd/commands/version.go

@@ -17,7 +17,7 @@ import (
 )
 
 // NewVersionCmd returns a new `version` command to be used as a sub-command to root
-func NewVersionCmd(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+func NewVersionCmd(clientOpts *argocdclient.ClientOptions, serverVersion *version.VersionMessage) *cobra.Command {
 	var (
 		short  bool
 		client bool
@@ -54,7 +54,12 @@ func NewVersionCmd(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				}
 
 				if !client {
-					sv := getServerVersion(ctx, clientOpts, cmd)
+					var sv *version.VersionMessage
+					if serverVersion == nil {
+						sv = getServerVersion(ctx, clientOpts, cmd)
+					} else {
+						sv = serverVersion
+					}
 
 					if short {
 						v["server"] = map[string]string{"argocd-server": sv.Version}
@@ -68,8 +73,13 @@ func NewVersionCmd(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			case "wide", "short", "":
 				fmt.Fprint(cmd.OutOrStdout(), printClientVersion(&cv, short || (output == "short")))
 				if !client {
-					sv := getServerVersion(ctx, clientOpts, cmd)
-					printServerVersion(sv, short || (output == "short"))
+					var sv *version.VersionMessage
+					if serverVersion == nil {
+						sv = getServerVersion(ctx, clientOpts, cmd)
+					} else {
+						sv = serverVersion
+					}
+					fmt.Fprint(cmd.OutOrStdout(), printServerVersion(sv, short || (output == "short")))
 				}
 			default:
 				log.Fatalf("unknown output format: %s", output)
@@ -109,44 +119,45 @@ func printClientVersion(version *common.Version, short bool) string {
 	return output
 }
 
-func printServerVersion(version *version.VersionMessage, short bool) {
-	fmt.Printf("%s: %s\n", "argocd-server", version.Version)
+func printServerVersion(version *version.VersionMessage, short bool) string {
+	output := fmt.Sprintf("%s: %s\n", "argocd-server", version.Version)
 
 	if short {
-		return
+		return output
 	}
 
 	if version.BuildDate != "" {
-		fmt.Printf("  BuildDate: %s\n", version.BuildDate)
+		output += fmt.Sprintf("  BuildDate: %s\n", version.BuildDate)
 	}
 	if version.GitCommit != "" {
-		fmt.Printf("  GitCommit: %s\n", version.GitCommit)
+		output += fmt.Sprintf("  GitCommit: %s\n", version.GitCommit)
 	}
 	if version.GitTreeState != "" {
-		fmt.Printf("  GitTreeState: %s\n", version.GitTreeState)
+		output += fmt.Sprintf("  GitTreeState: %s\n", version.GitTreeState)
 	}
 	if version.GitTag != "" {
-		fmt.Printf("  GitTag: %s\n", version.GitTag)
+		output += fmt.Sprintf("  GitTag: %s\n", version.GitTag)
 	}
 	if version.GoVersion != "" {
-		fmt.Printf("  GoVersion: %s\n", version.GoVersion)
+		output += fmt.Sprintf("  GoVersion: %s\n", version.GoVersion)
 	}
 	if version.Compiler != "" {
-		fmt.Printf("  Compiler: %s\n", version.Compiler)
+		output += fmt.Sprintf("  Compiler: %s\n", version.Compiler)
 	}
 	if version.Platform != "" {
-		fmt.Printf("  Platform: %s\n", version.Platform)
+		output += fmt.Sprintf("  Platform: %s\n", version.Platform)
 	}
 	if version.KustomizeVersion != "" {
-		fmt.Printf("  Kustomize Version: %s\n", version.KustomizeVersion)
+		output += fmt.Sprintf("  Kustomize Version: %s\n", version.KustomizeVersion)
 	}
 	if version.HelmVersion != "" {
-		fmt.Printf("  Helm Version: %s\n", version.HelmVersion)
+		output += fmt.Sprintf("  Helm Version: %s\n", version.HelmVersion)
 	}
 	if version.KubectlVersion != "" {
-		fmt.Printf("  Kubectl Version: %s\n", version.KubectlVersion)
+		output += fmt.Sprintf("  Kubectl Version: %s\n", version.KubectlVersion)
 	}
 	if version.JsonnetVersion != "" {
-		fmt.Printf("  Jsonnet Version: %s\n", version.JsonnetVersion)
+		output += fmt.Sprintf("  Jsonnet Version: %s\n", version.JsonnetVersion)
 	}
+	return output
 }

cmd/argocd/commands/version_test.go

@@ -5,12 +5,13 @@ import (
 	"testing"
 
 	argocdclient "github.com/argoproj/argo-cd/v2/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v2/pkg/apiclient/version"
 	"github.com/stretchr/testify/assert"
 )
 
-func TestShortVersion(t *testing.T) {
+func TestShortVersionClient(t *testing.T) {
 	buf := new(bytes.Buffer)
-	cmd := NewVersionCmd(&argocdclient.ClientOptions{})
+	cmd := NewVersionCmd(&argocdclient.ClientOptions{}, nil)
 	cmd.SetOutput(buf)
 	cmd.SetArgs([]string{"version", "--short", "--client"})
 	err := cmd.Execute()
@@ -20,3 +21,17 @@ func TestShortVersion(t *testing.T) {
 	output := buf.String()
 	assert.Equal(t, output, "argocd: v99.99.99+unknown\n")
 }
+
+func TestShortVersion(t *testing.T) {
+	serverVersion := &version.VersionMessage{Version: "v99.99.99+unknown"}
+	buf := new(bytes.Buffer)
+	cmd := NewVersionCmd(&argocdclient.ClientOptions{}, serverVersion)
+	cmd.SetOutput(buf)
+	cmd.SetArgs([]string{"argocd", "version", "--short"})
+	err := cmd.Execute()
+	if err != nil {
+		t.Fatal("Failed to execute short version command")
+	}
+	output := buf.String()
+	assert.Equal(t, output, "argocd: v99.99.99+unknown\nargocd-server: v99.99.99+unknown\n")
+}

cmd/util/applicationset.go

@@ -40,7 +40,7 @@ func readAppsetFromURI(fileURL string, appset *[]*argoprojiov1alpha1.Application
 
 	yml, err := readFilePayload()
 	if err != nil {
-		return err
+		return fmt.Errorf("error reading file payload: %w", err)
 	}
 
 	return readAppset(yml, appset)
@@ -49,18 +49,18 @@ func readAppsetFromURI(fileURL string, appset *[]*argoprojiov1alpha1.Application
 func readAppset(yml []byte, appsets *[]*argoprojiov1alpha1.ApplicationSet) error {
 	yamls, err := kube.SplitYAMLToString(yml)
 	if err != nil {
-		return err
+		return fmt.Errorf("error splitting YAML to string: %w", err)
 	}
 
 	for _, yml := range yamls {
 		var appset argoprojiov1alpha1.ApplicationSet
 		err = config.Unmarshal([]byte(yml), &appset)
 		if err != nil {
-			return err
+			return fmt.Errorf("error unmarshalling appset: %w", err)
 		}
 		*appsets = append(*appsets, &appset)
 
 	}
-	// we reach here if there is no error found while reading the Application Set
-	return nil
+
+	return fmt.Errorf("error reading app set: %w", err)
 }

cmd/util/project.go

@@ -138,7 +138,7 @@ func readProjFromURI(fileURL string, proj *v1alpha1.AppProject) error {
 	} else {
 		err = config.UnmarshalRemoteFile(fileURL, &proj)
 	}
-	return err
+	return fmt.Errorf("error reading proj from uri: %w", err)
 }
 
 func SetProjSpecOptions(flags *pflag.FlagSet, spec *v1alpha1.AppProjectSpec, projOpts *ProjectOpts) int {

cmpserver/plugin/plugin.go

@@ -8,10 +8,8 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
-	"strconv"
 	"strings"
 	"time"
-	"unicode"
 
 	"github.com/argoproj/pkg/rand"
 
@@ -75,8 +73,9 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	}
 	logCtx := log.WithFields(log.Fields{"execID": execId})
 
-	argsToLog := getCommandArgsToLog(cmd)
-	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(argsToLog)
+	// log in a way we can copy-and-paste into a terminal
+	args := strings.Join(cmd.Args, " ")
+	logCtx.WithFields(log.Fields{"dir": cmd.Dir}).Info(args)
 
 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
@@ -107,7 +106,7 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	logCtx.WithFields(log.Fields{"duration": duration}).Debug(output)
 
 	if err != nil {
-		err := newCmdError(argsToLog, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
+		err := newCmdError(args, errors.New(err.Error()), strings.TrimSpace(stderr.String()))
 		logCtx.Error(err.Error())
 		return strings.TrimSuffix(output, "\n"), err
 	}
@@ -115,28 +114,6 @@ func runCommand(ctx context.Context, command Command, path string, env []string)
 	return strings.TrimSuffix(output, "\n"), nil
 }
 
-// getCommandArgsToLog represents the given command in a way that we can copy-and-paste into a terminal
-func getCommandArgsToLog(cmd *exec.Cmd) string {
-	var argsToLog []string
-	for _, arg := range cmd.Args {
-		containsSpace := false
-		for _, r := range arg {
-			if unicode.IsSpace(r) {
-				containsSpace = true
-				break
-			}
-		}
-		if containsSpace {
-			// add quotes and escape any internal quotes
-			argsToLog = append(argsToLog, strconv.Quote(arg))
-		} else {
-			argsToLog = append(argsToLog, arg)
-		}
-	}
-	args := strings.Join(argsToLog, " ")
-	return args
-}
-
 type CmdError struct {
 	Args   string
 	Stderr string
@@ -226,11 +203,6 @@ func (s *Service) generateManifest(ctx context.Context, appDir string, envEntrie
 
 	manifests, err := kube.SplitYAMLToString([]byte(out))
 	if err != nil {
-		sanitizedManifests := manifests
-		if len(sanitizedManifests) > 1000 {
-			sanitizedManifests = manifests[:1000]
-		}
-		log.Debugf("Failed to split generated manifests. Beginning of generated manifests: %q", sanitizedManifests)
 		return &apiclient.ManifestResponse{}, err
 	}
 

cmpserver/plugin/plugin_test.go

@@ -2,7 +2,6 @@ package plugin
 
 import (
 	"context"
-	"os/exec"
 	"path/filepath"
 	"testing"
 	"time"
@@ -267,30 +266,3 @@ func TestRunCommandContextTimeout(t *testing.T) {
 	assert.Error(t, err) // The command should time out, causing an error.
 	assert.Less(t, after.Sub(before), 1*time.Second)
 }
-
-func Test_getCommandArgsToLog(t *testing.T) {
-	testCases := []struct {
-		name     string
-		args     []string
-		expected string
-	}{
-		{
-			name:     "no spaces",
-			args:     []string{"sh", "-c", "cat"},
-			expected: "sh -c cat",
-		},
-		{
-			name:     "spaces",
-			args:     []string{"sh", "-c", `echo "hello world"`},
-			expected: `sh -c "echo \"hello world\""`,
-		},
-	}
-
-	for _, tc := range testCases {
-		tcc := tc
-		t.Run(tcc.name, func(t *testing.T) {
-			t.Parallel()
-			assert.Equal(t, tcc.expected, getCommandArgsToLog(exec.Command(tcc.args[0], tcc.args[1:]...)))
-		})
-	}
-}

common/common.go

@@ -1,15 +1,12 @@
 package common
 
 import (
-	"errors"
 	"os"
 	"path/filepath"
 	"strconv"
 	"time"
 
 	"github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 )
 
 // Default service addresses and URLS of Argo CD internal services
@@ -319,10 +316,3 @@ const (
 	SecurityMedium    = 2 // Could indicate malicious events, but has a high likelihood of being user/system error (i.e. access denied)
 	SecurityLow       = 1 // Unexceptional entries (i.e. successful access logs)
 )
-
-// Common error messages
-const TokenVerificationError = "failed to verify the token"
-
-var TokenVerificationErr = errors.New(TokenVerificationError)
-
-var PermissionDeniedAPIError = status.Error(codes.PermissionDenied, "permission denied")

controller/appcontroller.go

@@ -335,7 +335,7 @@ func (ctrl *ApplicationController) handleObjectUpdated(managedByApp map[string]b
 		}
 
 		if !ctrl.canProcessApp(obj) {
-			// Don't force refresh app if app belongs to a different controller shard or is outside the allowed namespaces.
+			// Don't force refresh app if app belongs to a different controller shard
 			continue
 		}
 
@@ -907,7 +907,7 @@ func (ctrl *ApplicationController) processProjectQueueItem() (processNext bool)
 func (ctrl *ApplicationController) finalizeProjectDeletion(proj *appv1.AppProject) error {
 	apps, err := ctrl.appLister.Applications(ctrl.namespace).List(labels.Everything())
 	if err != nil {
-		return err
+		return fmt.Errorf("error listing applications: %w", err)
 	}
 	appsCount := 0
 	for i := range apps {
@@ -1077,7 +1077,7 @@ func (ctrl *ApplicationController) finalizeApplicationDeletion(app *appv1.Applic
 func (ctrl *ApplicationController) removeCascadeFinalizer(app *appv1.Application) error {
 	_, err := ctrl.getAppProj(app)
 	if err != nil {
-		return err
+		return fmt.Errorf("error getting project: %w", err)
 	}
 	app.UnSetCascadedDeletion()
 	var patch []byte
@@ -1256,12 +1256,12 @@ func (ctrl *ApplicationController) setOperationState(app *appv1.Application, sta
 		}
 		patchJSON, err := json.Marshal(patch)
 		if err != nil {
-			return err
+			return fmt.Errorf("error marshaling json: %w", err)
 		}
 		if app.Status.OperationState != nil && app.Status.OperationState.FinishedAt != nil && state.FinishedAt == nil {
 			patchJSON, err = jsonpatch.MergeMergePatches(patchJSON, []byte(`{"status": {"operationState": {"finishedAt": null}}}`))
 			if err != nil {
-				return err
+				return fmt.Errorf("error merging operation state patch: %w", err)
 			}
 		}
 
@@ -1272,7 +1272,7 @@ func (ctrl *ApplicationController) setOperationState(app *appv1.Application, sta
 			if apierr.IsNotFound(err) {
 				return nil
 			}
-			return err
+			return fmt.Errorf("error patching application with operation state: %w", err)
 		}
 		log.Infof("updated '%s' operation (phase: %s)", app.QualifiedName(), state.Phase)
 		if state.Phase.Completed() {
@@ -1497,7 +1497,17 @@ func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application)
 	errorConditions := make([]appv1.ApplicationCondition, 0)
 	proj, err := ctrl.getAppProj(app)
 	if err != nil {
-		errorConditions = append(errorConditions, ctrl.projectErrorToCondition(err, app))
+		if apierr.IsNotFound(err) {
+			errorConditions = append(errorConditions, appv1.ApplicationCondition{
+				Type:    appv1.ApplicationConditionInvalidSpecError,
+				Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
+			})
+		} else {
+			errorConditions = append(errorConditions, appv1.ApplicationCondition{
+				Type:    appv1.ApplicationConditionUnknownError,
+				Message: err.Error(),
+			})
+		}
 	} else {
 		specConditions, err := argo.ValidatePermissions(context.Background(), &app.Spec, proj, ctrl.db)
 		if err != nil {
@@ -1719,13 +1729,6 @@ func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {
 	if !ok {
 		return false
 	}
-
-	// Only process given app if it exists in a watched namespace, or in the
-	// control plane's namespace.
-	if app.Namespace != ctrl.namespace && !glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false) {
-		return false
-	}
-
 	if ctrl.clusterFilter != nil {
 		cluster, err := ctrl.db.GetCluster(context.Background(), app.Spec.Destination.Server)
 		if err != nil {
@@ -1734,6 +1737,12 @@ func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {
 		return ctrl.clusterFilter(cluster)
 	}
 
+	// Only process given app if it exists in a watched namespace, or in the
+	// control plane's namespace.
+	if app.Namespace != ctrl.namespace && !glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false) {
+		return false
+	}
+
 	return true
 }
 
@@ -1789,7 +1798,7 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 					// If the application is not allowed to use the project,
 					// log an error.
 					if _, err := ctrl.getAppProj(app); err != nil {
-						ctrl.setAppCondition(app, ctrl.projectErrorToCondition(err, app))
+						ctrl.setAppCondition(app, appv1.ApplicationCondition{Type: appv1.ApplicationConditionUnknownError, Message: err.Error()})
 					}
 				}
 
@@ -1860,19 +1869,6 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 	return informer, lister
 }
 
-func (ctrl *ApplicationController) projectErrorToCondition(err error, app *appv1.Application) appv1.ApplicationCondition {
-	var condition appv1.ApplicationCondition
-	if apierr.IsNotFound(err) {
-		condition = appv1.ApplicationCondition{
-			Type:    appv1.ApplicationConditionInvalidSpecError,
-			Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
-		}
-	} else {
-		condition = appv1.ApplicationCondition{Type: appv1.ApplicationConditionUnknownError, Message: err.Error()}
-	}
-	return condition
-}
-
 func (ctrl *ApplicationController) RegisterClusterSecretUpdater(ctx context.Context) {
 	updater := NewClusterInfoUpdater(ctrl.stateCache, ctrl.db, ctrl.appLister.Applications(""), ctrl.cache, ctrl.clusterFilter, ctrl.getAppProj, ctrl.namespace)
 	go updater.Run(ctx)

controller/appcontroller_test.go

@@ -1068,34 +1068,6 @@ func TestUpdateReconciledAt(t *testing.T) {
 
 }
 
-func TestProjectErrorToCondition(t *testing.T) {
-	app := newFakeApp()
-	app.Spec.Project = "wrong project"
-	ctrl := newFakeController(&fakeData{
-		apps: []runtime.Object{app, &defaultProj},
-		manifestResponse: &apiclient.ManifestResponse{
-			Manifests: []string{},
-			Namespace: test.FakeDestNamespace,
-			Server:    test.FakeClusterURL,
-			Revision:  "abc123",
-		},
-		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
-	})
-	key, _ := cache.MetaNamespaceKeyFunc(app)
-	ctrl.appRefreshQueue.Add(key)
-	ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
-
-	ctrl.processAppRefreshQueueItem()
-
-	obj, ok, err := ctrl.appInformer.GetIndexer().GetByKey(key)
-	assert.True(t, ok)
-	assert.NoError(t, err)
-	updatedApp := obj.(*argoappv1.Application)
-	assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, updatedApp.Status.Conditions[0].Type)
-	assert.Equal(t, "Application referencing project wrong project which does not exist", updatedApp.Status.Conditions[0].Message)
-	assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, updatedApp.Status.Conditions[0].Type)
-}
-
 func TestFinalizeProjectDeletion_HasApplications(t *testing.T) {
 	app := newFakeApp()
 	proj := &argoappv1.AppProject{ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: test.FakeArgoCDNamespace}}
@@ -1373,31 +1345,3 @@ func TestToAppKey(t *testing.T) {
 		})
 	}
 }
-
-func Test_canProcessApp(t *testing.T) {
-	app := newFakeApp()
-	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
-	ctrl.applicationNamespaces = []string{"good"}
-	t.Run("without cluster filter, good namespace", func(t *testing.T) {
-		app.Namespace = "good"
-		canProcess := ctrl.canProcessApp(app)
-		assert.True(t, canProcess)
-	})
-	t.Run("without cluster filter, bad namespace", func(t *testing.T) {
-		app.Namespace = "bad"
-		canProcess := ctrl.canProcessApp(app)
-		assert.False(t, canProcess)
-	})
-	t.Run("with cluster filter, good namespace", func(t *testing.T) {
-		app.Namespace = "good"
-		ctrl.clusterFilter = func(_ *argoappv1.Cluster) bool { return true }
-		canProcess := ctrl.canProcessApp(app)
-		assert.True(t, canProcess)
-	})
-	t.Run("with cluster filter, bad namespace", func(t *testing.T) {
-		app.Namespace = "bad"
-		ctrl.clusterFilter = func(_ *argoappv1.Cluster) bool { return true }
-		canProcess := ctrl.canProcessApp(app)
-		assert.False(t, canProcess)
-	})
-}

controller/cache/cache.go

@@ -25,7 +25,6 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
-	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
@@ -383,27 +382,13 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 
 	cluster, err := c.db.GetCluster(context.Background(), server)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error getting cluster: %w", err)
 	}
 
 	if !c.canHandleCluster(cluster) {
 		return nil, fmt.Errorf("controller is configured to ignore cluster %s", cluster.Server)
 	}
 
-	clusterCacheConfig := cluster.RESTConfig()
-	// Controller dynamically fetches all resource types available on the cluster
-	// using a discovery API that may contain deprecated APIs.
-	// This causes log flooding when managing a large number of clusters.
-	// https://github.com/argoproj/argo-cd/issues/11973
-	// However, we can safely suppress deprecation warnings
-	// because we do not rely on resources with a particular API group or version.
-	// https://kubernetes.io/blog/2020/09/03/warnings/#customize-client-handling
-	//
-	// Completely suppress warning logs only for log levels that are less than Debug.
-	if log.GetLevel() < log.DebugLevel {
-		clusterCacheConfig.WarningHandler = rest.NoWarnings{}
-	}
-
 	clusterCacheOpts := []clustercache.UpdateSettingsFunc{
 		clustercache.SetListSemaphore(semaphore.NewWeighted(clusterCacheListSemaphoreSize)),
 		clustercache.SetListPageSize(clusterCacheListPageSize),
@@ -435,7 +420,7 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetRetryOptions(clusterCacheAttemptLimit, clusterCacheRetryUseBackoff, isRetryableError),
 	}
 
-	clusterCache = clustercache.NewClusterCache(clusterCacheConfig, clusterCacheOpts...)
+	clusterCache = clustercache.NewClusterCache(cluster.RESTConfig(), clusterCacheOpts...)
 
 	_ = clusterCache.OnResourceUpdated(func(newRes *clustercache.Resource, oldRes *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) {
 		toNotify := make(map[string]bool)
@@ -471,11 +456,11 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 func (c *liveStateCache) getSyncedCluster(server string) (clustercache.ClusterCache, error) {
 	clusterCache, err := c.getCluster(server)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error getting cluster: %w", err)
 	}
 	err = clusterCache.EnsureSynced()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error synchronizing cache state : %w", err)
 	}
 	return clusterCache, nil
 }
@@ -483,11 +468,10 @@ func (c *liveStateCache) getSyncedCluster(server string) (clustercache.ClusterCa
 func (c *liveStateCache) invalidate(cacheSettings cacheSettings) {
 	log.Info("invalidating live state cache")
 	c.lock.Lock()
-	c.cacheSettings = cacheSettings
-	clusters := c.clusters
-	c.lock.Unlock()
+	defer c.lock.Unlock()
 
-	for _, clust := range clusters {
+	c.cacheSettings = cacheSettings
+	for _, clust := range c.clusters {
 		clust.Invalidate(clustercache.SetSettings(cacheSettings.clusterSettings))
 	}
 	log.Info("live state cache invalidated")
@@ -610,7 +594,7 @@ func (c *liveStateCache) watchSettings(ctx context.Context) {
 func (c *liveStateCache) Init() error {
 	cacheSettings, err := c.loadCacheSettings()
 	if err != nil {
-		return err
+		return fmt.Errorf("error loading cache settings: %w", err)
 	}
 	c.cacheSettings = *cacheSettings
 	return nil

controller/clusterinfoupdater.go

@@ -3,7 +3,7 @@ package controller
 import (
 	"context"
 	"time"
-
+	"fmt"
 	"github.com/argoproj/gitops-engine/pkg/cache"
 	"github.com/argoproj/gitops-engine/pkg/utils/kube"
 	log "github.com/sirupsen/logrus"
@@ -93,7 +93,7 @@ func (c *clusterInfoUpdater) updateClusters() {
 func (c *clusterInfoUpdater) updateClusterInfo(cluster appv1.Cluster, info *cache.ClusterInfo) error {
 	apps, err := c.appLister.List(labels.Everything())
 	if err != nil {
-		return err
+		return fmt.Errorf("error while fetching the apps list: %w", err)
 	}
 	var appCount int64
 	for _, a := range apps {

controller/health.go

@@ -41,27 +41,30 @@ func setApplicationHealth(resources []managedResource, statuses []appv1.Resource
 				savedErr = err
 			}
 		}
-		if healthStatus != nil {
-			if persistResourceHealth {
-				resHealth := appv1.HealthStatus{Status: healthStatus.Status, Message: healthStatus.Message}
-				statuses[i].Health = &resHealth
-			} else {
-				statuses[i].Health = nil
-			}
 
-			// Is health status is missing but resource has not built-in/custom health check then it should not affect parent app health
-			if _, hasOverride := healthOverrides[lua.GetConfigMapKey(gvk)]; healthStatus.Status == health.HealthStatusMissing && !hasOverride && health.GetHealthCheckFunc(gvk) == nil {
-				continue
-			}
+		if healthStatus == nil {
+			continue
+		}
 
-			// Missing or Unknown health status of child Argo CD app should not affect parent
-			if res.Kind == application.ApplicationKind && res.Group == application.Group && (healthStatus.Status == health.HealthStatusMissing || healthStatus.Status == health.HealthStatusUnknown) {
-				continue
-			}
+		if persistResourceHealth {
+			resHealth := appv1.HealthStatus{Status: healthStatus.Status, Message: healthStatus.Message}
+			statuses[i].Health = &resHealth
+		} else {
+			statuses[i].Health = nil
+		}
 
-			if health.IsWorse(appHealth.Status, healthStatus.Status) {
-				appHealth.Status = healthStatus.Status
-			}
+		// Is health status is missing but resource has not built-in/custom health check then it should not affect parent app health
+		if _, hasOverride := healthOverrides[lua.GetConfigMapKey(gvk)]; healthStatus.Status == health.HealthStatusMissing && !hasOverride && health.GetHealthCheckFunc(gvk) == nil {
+			continue
+		}
+
+		// Missing or Unknown health status of child Argo CD app should not affect parent
+		if res.Kind == application.ApplicationKind && res.Group == application.Group && (healthStatus.Status == health.HealthStatusMissing || healthStatus.Status == health.HealthStatusUnknown) {
+			continue
+		}
+
+		if health.IsWorse(appHealth.Status, healthStatus.Status) {
+			appHealth.Status = healthStatus.Status
 		}
 	}
 	if persistResourceHealth {

controller/metrics/metrics.go

@@ -13,7 +13,7 @@ import (
 	"github.com/argoproj/gitops-engine/pkg/health"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/robfig/cron"
+	"github.com/robfig/cron/v3"
 	log "github.com/sirupsen/logrus"
 	"k8s.io/apimachinery/pkg/labels"
 
@@ -193,7 +193,10 @@ func NewMetricsServer(addr string, appLister applister.ApplicationLister, appFil
 		redisRequestCounter:     redisRequestCounter,
 		redisRequestHistogram:   redisRequestHistogram,
 		hostname:                hostname,
-		cron:                    cron.New(),
+		// This cron is used to expire the metrics cache.
+		// Currently clearing the metrics cache is logging and deleting from the map
+		// so there is no possibility of panic, but we will add a chain to keep robfig/cron v1 behavior.
+		cron: cron.New(cron.WithChain(cron.Recover(cron.PrintfLogger(log.StandardLogger())))),
 	}, nil
 }
 
@@ -281,7 +284,7 @@ func (m *MetricsServer) SetExpiration(cacheExpiration time.Duration) error {
 		return errors.New("Expiration is already set")
 	}
 
-	err := m.cron.AddFunc(fmt.Sprintf("@every %s", cacheExpiration), func() {
+	_, err := m.cron.AddFunc(fmt.Sprintf("@every %s", cacheExpiration), func() {
 		log.Infof("Reset Prometheus metrics based on existing expiration '%v'", cacheExpiration)
 		m.syncCounter.Reset()
 		m.kubectlExecCounter.Reset()

controller/state.go

@@ -514,7 +514,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		}
 		gvk := obj.GroupVersionKind()
 
-		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, targetObj, app.GetName(), appLabelKey, trackingMethod)
+		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, appLabelKey, trackingMethod)
 
 		resState := v1alpha1.ResourceStatus{
 			Namespace:       obj.GetNamespace(),
@@ -659,7 +659,7 @@ func (m *appStateManager) persistRevisionHistory(app *v1alpha1.Application, revi
 		},
 	})
 	if err != nil {
-		return err
+		return fmt.Errorf("error marshaling revision history patch: %w", err)
 	}
 	_, err = m.appclientset.ArgoprojV1alpha1().Applications(app.Namespace).Patch(context.Background(), app.Name, types.MergePatchType, patch, metav1.PatchOptions{})
 	return err
@@ -699,13 +699,12 @@ func NewAppStateManager(
 }
 
 // isSelfReferencedObj returns whether the given obj is managed by the application
-// according to the values of the tracking id (aka app instance value) annotation.
-// It returns true when all of the properties of the tracking id (app name, namespace,
-// group and kind) match the properties of the live object, or if the tracking method
-// used does not provide the required properties for matching.
-// Reference: https://github.com/argoproj/argo-cd/issues/8683
-func (m *appStateManager) isSelfReferencedObj(live, config *unstructured.Unstructured, appName, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
-	if live == nil {
+// according to the values in the tracking annotation. It returns true when all
+// of the properties in the annotation (name, namespace, group and kind) match
+// the properties of the inspected object, or if the tracking method used does
+// not provide the required properties for matching.
+func (m *appStateManager) isSelfReferencedObj(obj *unstructured.Unstructured, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
+	if obj == nil {
 		return true
 	}
 
@@ -715,42 +714,17 @@ func (m *appStateManager) isSelfReferencedObj(live, config *unstructured.Unstruc
 		return true
 	}
 
-	// config != nil is the best-case scenario for constructing an accurate
-	// Tracking ID. `config` is the "desired state" (from git/helm/etc.).
-	// Using the desired state is important when there is an ApiGroup upgrade.
-	// When upgrading, the comparison must be made with the new tracking ID.
-	// Example:
-	//     live resource annotation will be:
-	//        ingress-app:extensions/Ingress:default/some-ingress
-	//     when it should be:
-	//        ingress-app:networking.k8s.io/Ingress:default/some-ingress
-	// More details in: https://github.com/argoproj/argo-cd/pull/11012
-	var aiv argo.AppInstanceValue
-	if config != nil {
-		aiv = argo.UnstructuredToAppInstanceValue(config, appName, "")
-		return isSelfReferencedObj(live, aiv)
+	// In order for us to assume obj to be managed by this application, the
+	// values from the annotation have to match the properties from the live
+	// object. Cluster scoped objects carry the app's destination namespace
+	// in the tracking annotation, but are unique in GVK + name combination.
+	appInstance := m.resourceTracking.GetAppInstance(obj, appLabelKey, trackingMethod)
+	if appInstance != nil {
+		return (obj.GetNamespace() == appInstance.Namespace || obj.GetNamespace() == "") &&
+			obj.GetName() == appInstance.Name &&
+			obj.GetObjectKind().GroupVersionKind().Group == appInstance.Group &&
+			obj.GetObjectKind().GroupVersionKind().Kind == appInstance.Kind
 	}
 
-	// If config is nil then compare the live resource with the value
-	// of the annotation. In this case, in order to validate if obj is
-	// managed by this application, the values from the annotation have
-	// to match the properties from the live object. Cluster scoped objects
-	// carry the app's destination namespace in the tracking annotation,
-	// but are unique in GVK + name combination.
-	appInstance := m.resourceTracking.GetAppInstance(live, appLabelKey, trackingMethod)
-	if appInstance != nil {
-		return isSelfReferencedObj(live, *appInstance)
-	}
 	return true
 }
-
-// isSelfReferencedObj returns true if the given Tracking ID (`aiv`) matches
-// the given object. It returns false when the ID doesn't match. This sometimes
-// happens when a tracking label or annotation gets accidentally copied to a
-// different resource.
-func isSelfReferencedObj(obj *unstructured.Unstructured, aiv argo.AppInstanceValue) bool {
-	return (obj.GetNamespace() == aiv.Namespace || obj.GetNamespace() == "") &&
-		obj.GetName() == aiv.Name &&
-		obj.GetObjectKind().GroupVersionKind().Group == aiv.Group &&
-		obj.GetObjectKind().GroupVersionKind().Kind == aiv.Kind
-}

controller/state_test.go

@@ -13,7 +13,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
-	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -853,19 +852,6 @@ func TestIsLiveResourceManaged(t *testing.T) {
 			},
 		},
 	})
-	managedWrongAPIGroup := kube.MustToUnstructured(&networkingv1.Ingress{
-		TypeMeta: metav1.TypeMeta{
-			APIVersion: "networking.k8s.io/v1",
-			Kind:       "Ingress",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "some-ingress",
-			Namespace: "default",
-			Annotations: map[string]string{
-				common.AnnotationKeyAppInstance: "guestbook:extensions/Ingress:default/some-ingress",
-			},
-		},
-	})
 	ctrl := newFakeController(&fakeData{
 		apps: []runtime.Object{app, &defaultProj},
 		manifestResponse: &apiclient.ManifestResponse{
@@ -884,69 +870,30 @@ func TestIsLiveResourceManaged(t *testing.T) {
 	})
 
 	manager := ctrl.appStateManager.(*appStateManager)
-	appName := "guestbook"
 
-	t.Run("will return true if trackingid matches the resource", func(t *testing.T) {
-		// given
-		t.Parallel()
-		configObj := managedObj.DeepCopy()
+	// Managed resource w/ annotations
+	assert.True(t, manager.isSelfReferencedObj(managedObj, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.True(t, manager.isSelfReferencedObj(managedObj, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
 
-		// then
-		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.True(t, manager.isSelfReferencedObj(managedObj, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
-	})
-	t.Run("will return true if tracked with label", func(t *testing.T) {
-		// given
-		t.Parallel()
-		configObj := managedObjWithLabel.DeepCopy()
+	// Managed resource w/ label
+	assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
 
-		// then
-		assert.True(t, manager.isSelfReferencedObj(managedObjWithLabel, configObj, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-	})
-	t.Run("will handle if trackingId has wrong resource name and config is nil", func(t *testing.T) {
-		// given
-		t.Parallel()
+	// Wrong resource name
+	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
 
-		// then
-		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongName, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
-	})
-	t.Run("will handle if trackingId has wrong resource group and config is nil", func(t *testing.T) {
-		// given
-		t.Parallel()
+	// Wrong resource group
+	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
 
-		// then
-		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongGroup, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
-	})
-	t.Run("will handle if trackingId has wrong kind and config is nil", func(t *testing.T) {
-		// given
-		t.Parallel()
+	// Wrong resource kind
+	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
 
-		// then
-		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongKind, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
-	})
-	t.Run("will handle if trackingId has wrong namespace and config is nil", func(t *testing.T) {
-		// given
-		t.Parallel()
+	// Wrong resource namespace
+	assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
+	assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel))
 
-		// then
-		assert.True(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodLabel))
-		assert.False(t, manager.isSelfReferencedObj(unmanagedObjWrongNamespace, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotationAndLabel))
-	})
-	t.Run("will return true if live is nil", func(t *testing.T) {
-		t.Parallel()
-		assert.True(t, manager.isSelfReferencedObj(nil, nil, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
-	})
-
-	t.Run("will handle upgrade in desired state APIGroup", func(t *testing.T) {
-		// given
-		t.Parallel()
-		config := managedWrongAPIGroup.DeepCopy()
-		delete(config.GetAnnotations(), common.AnnotationKeyAppInstance)
-
-		// then
-		assert.True(t, manager.isSelfReferencedObj(managedWrongAPIGroup, config, appName, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
-	})
+	// Nil resource
+	assert.True(t, manager.isSelfReferencedObj(nil, common.AnnotationKeyAppInstance, argo.TrackingMethodAnnotation))
 }

controller/sync.go

@@ -246,7 +246,7 @@ func (m *appStateManager) SyncAppState(app *v1alpha1.Application, state *v1alpha
 		sync.WithResourcesFilter(func(key kube.ResourceKey, target *unstructured.Unstructured, live *unstructured.Unstructured) bool {
 			return (len(syncOp.Resources) == 0 ||
 				argo.ContainsSyncResource(key.Name, key.Namespace, schema.GroupVersionKind{Kind: key.Kind, Group: key.Group}, syncOp.Resources)) &&
-				m.isSelfReferencedObj(live, target, app.GetName(), appLabelKey, trackingMethod)
+				m.isSelfReferencedObj(live, appLabelKey, trackingMethod)
 		}),
 		sync.WithManifestValidation(!syncOp.SyncOptions.HasOption(common.SyncOptionsDisableValidation)),
 		sync.WithNamespaceCreation(syncOp.SyncOptions.HasOption("CreateNamespace=true"), func(un *unstructured.Unstructured) bool {

docs/assets/versions.js

@@ -9,6 +9,16 @@ setTimeout(function() {
   caret.innerHTML = "<i class='fa fa-caret-down dropdown-caret'></i>"
   caret.classList.add('dropdown-caret')
   div.querySelector('.rst-current-version').appendChild(caret);
+  div.querySelector('.rst-current-version').addEventListener('click', function() {
+      const classes = container.className.split(' ');
+      const index = classes.indexOf('shift-up');
+      if (index === -1) {
+          classes.push('shift-up');
+      } else {
+          classes.splice(index, 1);
+      }
+      container.className = classes.join(' ');
+  });
   }
 
   var CSSLink = document.createElement('link');

docs/developer-guide/bug_bounty.md

@@ -0,0 +1,15 @@
+Money given to the Argo CD project as part of the Internet Bug Bounty program is used in three ways:
+
+1. To reward CVE patch contributors
+2. To offer bounties on security enhancements (as announced by label/comment on Issues)
+3. To sponsor security-relevant dependencies
+
+If someone’s primary full-time job responsibility is to work on Argo CD, then their eligibility to receive this money is limited. (Determining this is up to the maintainers’ discretion. Someone who contributes an average of three commits per week during work hours probably meets the definition. A first-time contributor who uses Argo CD daily as an SRE does not.)
+
+A full-time Argo CD author is not eligible to receive rewards for CVE patch contributions. This avoids any risk of the appearance that a full-time Argo CD author is incentivized to introduce CVEs.
+
+A full-time Argo CD author is eligible to receive bounties for security enhancements if and only if the vast majority of the work is done in their free time (non-work hours). Busy work like resolving merge conflicts during work hours is acceptable (to avoid over-burdening the process).
+
+An Argo CD dependency is eligible to receive donations if it is listed in the Argo CD SBOM or if it is a binary invoked by Argo CD (like Helm). The dependency is not eligible for donations if a full-time Argo CD author is the primary author of the dependency.
+
+Offers and transfers of rewards, bounties, and donations will be made from time to time by the Argo CD maintainers, based on the current project needs and the amount of money available from IBB. The process should be lightweight and consensus-based for now. If necessary, a more structured system can be established based on experience gained from early rewards/bounties/donations

docs/developer-guide/contributors-quickstart.md

@@ -1,112 +0,0 @@
-# Contributors Quick-Start 
-
-This guide is a starting point for first-time contributors running Argo CD locally for the first time.
-
-It skips advanced topics such as codegen, which are covered in the [running locally guide](running-locally.md)
-and the [toolchain guide](toolchain-guide.md).
-
-## Getting Started
-
-### Install Go
-
-- Install version 1.18 or newer (Verify version by running `go version`)
-
-- Get current value of `GOPATH` env:
-   ```shell
-   go env | grep path
-   ```
-- Change directory into that path
-   ```shell
-   cd <path>
-   ```
-
-### Clone the Argo CD repo
-
-```shell
-mkdir -p src/github.com/argoproj/ &&
-cd src/github.com/argoproj &&
-git clone https://github.com/argoproj/argo-cd.git
-```
-
-### Install Docker
-
-<https://docs.docker.com/engine/install/>
-
-### Install or Upgrade `kind` (Optional - Should work with any local cluster)
-
-<https://kind.sigs.k8s.io/docs/user/quick-start/>
-
-### Start Your Local Cluster
-
-```shell
-kind create cluster
-```
-
-### Install Argo CD
-
-```shell
-kubectl create namespace argocd &&
-kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/master/manifests/install.yaml
-```
-
-Set kubectl config to avoid specifying the namespace in every kubectl command.  
-All following commands in this guide assume the namespace is already set.
-
-```shell
-kubectl config set-context --current --namespace=argocd
-```
-
-### Install `yarn`
-
-<https://classic.yarnpkg.com/lang/en/docs/install/>
-
-### Install `goreman`
-
-<https://github.com/mattn/goreman#getting-started>
-
-### Run Argo CD
-
-```shell
-cd argo-cd
-make start-local ARGOCD_GPG_ENABLED=false
-```
-
-- Navigate to <localhost:4000> to the ArgoCD UI on browser
-- It may take a few minutes for the UI to be responsive
-
-!!! note
-    If the UI is not working, check the logs from `make start-local`. The logs are `DEBUG` level by default. If the logs are
-    too noisy to find the problem, try editing log levels for the commands in the `Procfile` in the root of the Argo CD repo.
-
-## Making Changes
-
-### UI Changes
-
-Modifying the User-Interface (by editing .tsx or .scss files) auto-reloads the changes on port 4000.
-
-### Backend Changes
-
-Modifying the API server, repo server, or a controller requires restarting the current `make start-local` session to reflect the changes.
-
-### CLI Changes
-
-Modifying the CLI requires restarting the current `make start-local` session to reflect the changes.
-
-To test most CLI commands, you will need to log in.
-
-First, get the auto-generated secret:
-
-```shell
-kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
-```
-
-Then log in using that password and username `admin`:
-
-```shell
-dist/argocd login localhost:8080
-```
-
----
-Congrats on making it to the end of this runbook! 🚀
-
-For more on Argo CD, find us in Slack - <https://slack.cncf.io/> [#argo-contributors](https://cloud-native.slack.com/archives/C020XM04CUW)

docs/developer-guide/debugging-remote-environment.md

@@ -20,6 +20,34 @@ curl -sSfL https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/i
 ## Connect
 Connect to one of the services, for example, to debug the main ArgoCD server run:
 ```shell
+telepresence helm install # Installs telepresence into your cluster
+telepresence connect # Starts the connection to your cluster
+telepresence intercept argocd-server --port 8083:8083 --port 8080:8080 --env-file .envrc.remote --namespace argocd # Starts the interception
+```
+* `--port` forwards traffic of remote ports 8080 and 8083 to the same ports locally
+* `--env-file` writes all the environment variables of the remote pod into a local file, the variables are also set on the subprocess of the `--run` command
+* `--namespace` specifies that the `argocd-server` is located in the `argocd` namespace
+
+List current status of Telepresence using:
+```shell
+telepresence status
+```
+
+Stop the intercept using:
+```shell
+telepresence leave argocd-server-argocd
+```
+
+And uninstall telepresence from your cluster:
+```shell
+telepresence helm uninstall
+```
+
+See [this quickstart](https://www.telepresence.io/docs/latest/howtos/intercepts/) for more information on how to intercept services using Telepresence.
+
+### Connect (telepresence v1)
+Use the following command instead:
+```shell
 telepresence --swap-deployment argocd-server --namespace argocd --env-file .envrc.remote --expose 8080:8080 --expose 8083:8083 --run bash
 ```
 * `--swap-deployment` changes the argocd-server deployment
@@ -27,7 +55,6 @@ telepresence --swap-deployment argocd-server --namespace argocd --env-file .envr
 * `--env-file` writes all the environment variables of the remote pod into a local file, the variables are also set on the subprocess of the `--run` command
 * `--run` defines which command to run once a connection is established, use `bash`, `zsh` or others
 
-
 ## Debug
 Once a connection is established, use your favorite tools to start the server locally.
 
@@ -44,13 +71,14 @@ Update the configuration file to point to kubeconfig file: `KUBECONFIG=` (requir
             "type": "go",
             "request": "launch",
             "mode": "auto",
-            "program": "${workspaceFolder}/cmd/argocd-server",
+            "program": "${workspaceFolder}/cmd/main.go",
             "envFile": [
                 "${workspaceFolder}/.envrc.remote",
             ],
             "env": {
+                "ARGOCD_BINARY_NAME": "argocd-server",
                 "CGO_ENABLED": "0",
                 "KUBECONFIG": "/path/to/kube/config"
             }
         }
-```
+```

docs/developer-guide/faq.md

@@ -4,7 +4,7 @@
 
 ### Can I discuss my contribution ideas somewhere?
 
-Sure thing! You can either open an Enhancement Proposal in our GitHub issue tracker or you can [join us on Slack](https://argoproj.github.io/community/join-slack) in channel #argo-dev to discuss your ideas and get guidance for submitting a PR.
+Sure thing! You can either open an Enhancement Proposal in our GitHub issue tracker or you can [join us on Slack](https://argoproj.github.io/community/join-slack) in channel #argo-contributors to discuss your ideas and get guidance for submitting a PR.
 
 ### No one has looked at my PR yet. Why?
 

docs/faq.md

@@ -45,10 +45,9 @@ a secret named `argocd-initial-admin-secret`.
 To change the password, edit the `argocd-secret` secret and update the `admin.password` field with a new bcrypt hash.
 
 !!! note "Generating a bcrypt hash"
-    Use a trustworthy, offline `bcrypt` implementation such as the [Python bcrypt library](https://pypi.org/project/bcrypt/) to generate the hash.
+    Use the following command to generate a bcrypt hash for `admin.password`
 
-        pip3 install bcrypt
-        python3 -c "import bcrypt; print(bcrypt.hashpw(b'YOUR-PASSWORD-HERE', bcrypt.gensalt()).decode())"
+        argocd account bcrypt --password <YOUR-PASSWORD-HERE>
 
 To apply the new password hash, use the following command (replacing the hash with your own):
 
@@ -123,9 +122,9 @@ To terminate the sync, click on the "synchronisation" then "terminate":
 
 ![Synchronization](assets/synchronization-button.png) ![Terminate](assets/terminate-button.png)
 
-## Why Is My App `Out Of Sync` Even After Syncing?
+## Why Is My App Out Of Sync Even After Syncing?
 
-In some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
+Is some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
 Kustomize common labels feature.
 
 Argo CD automatically sets the `app.kubernetes.io/instance` label and uses it to determine which resources form the app.
@@ -143,7 +142,7 @@ The default polling interval is 3 minutes (180 seconds).
 You can change the setting by updating the `timeout.reconciliation` value in the [argocd-cm](https://github.com/argoproj/argo-cd/blob/2d6ce088acd4fb29271ffb6f6023dbb27594d59b/docs/operator-manual/argocd-cm.yaml#L279-L282) config map. If there are any Git changes, ArgoCD will only update applications with the [auto-sync setting](user-guide/auto_sync.md) enabled. If you set it to `0` then Argo CD will stop polling Git repositories automatically and you can only use alternative methods such as [webhooks](operator-manual/webhook.md) and/or manual syncs for deploying applications.
 
 
-## Why Are My Resource Limits `Out Of Sync`?
+## Why Are My Resource Limits Out Of Sync?
 
 Kubernetes has normalized your resource limits when they are applied, and then Argo CD has then compared the version in
 your generated manifests to the normalized one is Kubernetes - they won't match.
@@ -158,7 +157,7 @@ E.g.
 To fix this use diffing
 customizations [settings](./user-guide/diffing.md#known-kubernetes-types-in-crds-resource-limits-volume-mounts-etc).
 
-## How Do I Fix `invalid cookie, longer than max length 4093`?
+## How Do I Fix "invalid cookie, longer than max length 4093"?
 
 Argo CD uses a JWT as the auth token. You likely are part of many groups and have gone over the 4KB limit which is set
 for cookies. You can get the list of groups by opening "developer tools -> network"
@@ -225,38 +224,4 @@ resource.customizations.health.bitnami.com_SealedSecret: |
   hs.status = "Healthy"
   hs.message = "Controller doesn't report resource status"
   return hs
-```
-
-## How do I fix `The order in patch list … doesn't match $setElementOrder list: …`?
-
-An application may trigger a sync error labeled a `ComparisonError` with a message like:
-
-> The order in patch list: [map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]] doesn't match $setElementOrder list: [map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]]
-
-
-There are two parts to the message:
-
-1. `The order in patch list: [`
-
-    This identifies values for items, especially items that appear multiple times:
-
-    > map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]
-
-    You'll want to identify the keys that are duplicated -- you can focus on the first part, as each duplicated key will appear, once for each of its value with its value in the first list. The second list is really just 
-
-   `]`
-
-2. `doesn't match $setElementOrder list: [`
-
-    This includes all of the keys. It's included for debugging purposes -- you don't need to pay much attention to it. It will give you a hint about the precise location in the list for the duplicated keys:
-
-    > map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]
-   
-   `]`
-
-In this case, the duplicated keys have been **emphasized** to help you identify the problematic keys. Many editors have the ability to highlight all instances of a string, using such an editor can help with such problems.
-
-The most common instance of this error is with `env:` fields for `containers`.
-
-!!! note "Dynamic applications"
-    It's possible that your application is being generated by a tool in which case the duplication might not be evident within the scope of a single file. If you have trouble debugging this problem, consider filing a ticket to the owner of the generator tool asking them to improve its validation and error reporting.
+```

docs/operator-manual/app-any-namespace.md

@@ -1,220 +0,0 @@
-# Applications in any namespace
-
-**Current feature state**: Beta
-
-!!! warning
-    Please read this documentation carefully before you enable this feature. Misconfiguration could lead to potential security issues.
-
-## Introduction
-
-As of version 2.5, Argo CD supports managing `Application` resources in namespaces other than the control plane's namespace (which is usually `argocd`), but this feature has to be explicitly enabled and configured appropriately.
-
-Argo CD administrators can define a certain set of namespaces where `Application` resources may be created, updated and reconciled in. However, applications in these additional namespaces will only be allowed to use certain `AppProjects`, as configured by the Argo CD administrators. This allows ordinary Argo CD users (e.g. application teams) to use patterns like declarative management of `Application` resources, implementing app-of-apps and others without the risk of a privilege escalation through usage of other `AppProjects` that would exceed the permissions granted to the application teams.
-
-Some manual steps will need to be performed by the Argo CD administrator in order to enable this feature. 
-
-!!! note
-    This feature is considered beta as of now. Some of the implementation details may change over the course of time until it is promoted to a stable status. We will be happy if early adopters use this feature and provide us with bug reports and feedback.
-    
-## Prerequisites
-
-### Cluster-scoped Argo CD installation
-
-This feature can only be enabled and used when your Argo CD is installed as a cluster-wide instance, so it has permissions to list and manipulate resources on a cluster scope. It will *not* work with an Argo CD installed in namespace-scoped mode.
-
-### Switch resource tracking method
-
-Also, while technically not necessary, it is strongly suggested that you switch the application tracking method from the default `label` setting to either `annotation` or `annotation+label`. The reasonsing for this is, that application names will be a composite of the namespace's name and the name of the `Application`, and this can easily exceed the 63 characters length limit imposed on label values. Annotations have a notably greater length limit.
-
-To enable annotation based resource tracking, refer to the documentation about [resource tracking methods](../../user-guide/resource_tracking/)
-
-## Implementation details
-
-### Overview
-
-In order for an application to be managed and reconciled outside the Argo CD's control plane namespace, two prerequisites must match:
-
-1. The `Application`'s namespace must be explicitly enabled using the `--application-namespaces` parameter for the `argocd-application-controller` and `argocd-server` workloads. This parameter controls the list of namespaces that Argo CD will be allowed to source `Application` resources from globally. Any namespace not configured here cannot be used from any `AppProject`.
-1. The `AppProject` referenced by the `.spec.project` field of the `Application` must have the namespace listed in its `.spec.sourceNamespaces` field. This setting will determine whether an `Application` may use a certain `AppProject`. If an `Application` specifies an `AppProject` that is not allowed, Argo CD refuses to process this `Application`. As stated above, any namespace configured in the `.spec.sourceNamespaces` field must also be enabled globally.
-
-`Applications` in different namespaces can be created and managed just like any other `Application` in the `argocd` namespace previously, either declaratively or through the Argo CD API (e.g. using the CLI, the web UI, the REST API, etc).
-
-### Reconfigure Argo CD to allow certain namespaces
-
-#### Change workload startup parameters
-
-In order to enable this feature, the Argo CD administrator must reconfigure the `argocd-server` and `argocd-application-controller` workloads to add the `--application-namespaces` parameter to the container's startup command.
-
-The `--application-namespaces` parameter takes a comma-separated list of namespaces where `Applications` are to be allowed in. Each entry of the list supports shell-style wildcards such as `*`, so for example the entry `app-team-*` would match `app-team-one` and `app-team-two`. To enable all namespaces on the cluster where Argo CD is running on, you can just specify `*`, i.e. `--application-namespaces=*`.
-
-The startup parameters for both, the `argocd-server` and the `argocd-application-controller` can also be conveniently set up and kept in sync by specifying the `application.namespaces` settings in the `argocd-cmd-params-cm` ConfigMap _instead_ of changing the manifests for the respective workloads. For example:
-
-```yaml
-data:
-  application.namespaces: app-team-one, app-team-two
-```
-
-would allow the `app-team-one` and `app-team-two` namespaces for managing `Application` resources. After a change to the `argocd-cmd-params-cm` namespace, the appropriate workloads need to be restarted:
-
-```bash
-kubectl rollout restart -n argocd deployment argocd-server
-kubectl rollout restart -n argocd statefulset argocd-application-controller
-```
-
-#### Adapt Kubernetes RBAC
-
-We decided to not extend the Kubernetes RBAC for the `argocd-server` workload by default for the time being. If you want `Applications` in other namespaces to be managed by the Argo CD API (i.e. the CLI and UI), you need to extend the Kubernetes permissions for the `argocd-server` ServiceAccount.
-
-We supply a `ClusterRole` and `ClusterRoleBinding` suitable for this purpose in the `examples/k8s-rbac/argocd-server-applications` directory. For a default Argo CD installation (i.e. installed to the `argocd` namespace), you can just apply them as-is:
-
-```shell
-kubectl apply -f examples/k8s-rbac/argocd-server-applications/
-```
-
-!!! note
-    At some later point in time, we may make this cluster role part of the default installation manifests.
-
-### Allowing additional namespaces in an AppProject
-
-Any user with Kubernetes access to the Argo CD control plane's namespace (`argocd`), especially those with permissions to create or update `Applications` in a declarative way, is to be considered an Argo CD admin.
-
-This prevented unprivileged Argo CD users from declaratively creating or managing `Applications` in the past. Those users were constrained to using the API instead, subject to Argo CD RBAC which ensures only `Applications` in allowed `AppProjects` were created.
-
-For an `Application` to be created outside the `argocd` namespace, the `AppProject` referred to in the `Application`'s `.spec.project` field must include the `Application`'s namespace in its `.spec.sourceNamespaces` field.
-
-For example, consider the two following (incomplete) `AppProject` specs:
-
-```yaml
-kind: AppProject
-apiVersion: argoproj.io/v1alpha1
-metadata:
-  name: project-one
-  namespace: argocd
-spec:
-  sourceNamespaces:
-  - namespace-one
-```
-
-and
-
-```yaml
-kind: AppProject
-apiVersion: argoproj.io/v1alpha1
-metadata:
-  name: project-two
-  namespace: argocd
-spec:
-  sourceNamespaces:
-  - namespace-two
-```
-
-In order for an Application to set `.spec.project` to `project-one`, it would have to be created in either namespace `namespace-one` or `argocd`. Likewise, in order for an Application to set `.spec.project` to `project-two`, it would have to be created in either namespace `namespace-two` or `argocd`.
-
-If an Application in `namespace-two` would set their `.spec.project` to `project-one` or an Application in `namespace-one` would set their `.spec.project` to `project-two`, Argo CD would consider this as a permission violation and refuse to reconcile the Application.
-
-Also, the Argo CD API will enforce these constraints, regardless of the Argo CD RBAC permissions.
-
-The `.spec.sourceNamespaces` field of the `AppProject` is a list that can contain an arbitrary amount of namespaces, and each entry supports shell-style wildcard, so that you can allow namespaces with patterns like `team-one-*`.
-
-!!! warning
-    Do not add user controlled namespaces in the `.spec.sourceNamespaces` field of any privileged AppProject like the `default` project. Always make sure that the AppProject follows the principle of granting least required privileges. Never grant access to the `argocd` namespace within the AppProject.
-
-!!! note
-    For backwards compatibility, Applications in the Argo CD control plane's namespace (`argocd`) are allowed to set their `.spec.project` field to reference any AppProject, regardless of the restrictions placed by the AppProject's `.spec.sourceNamespaces` field.
-  
-### Application names
-
-For the CLI and UI, applications are now referred to and displayed as in the format `<namespace>/<name>`. 
-
-For backwards compatibility, if the namespace of the Application is the control plane's namespace (i.e. `argocd`), the `<namespace>` can be omitted from the application name when referring to it. For example, the application names `argocd/someapp` and `someapp` are semantically the same and refer to the same application in the CLI and the UI.
-
-### Application RBAC
-
-The RBAC syntax for Application objects has been changed from `<project>/<application>` to `<project>/<namespace>/<application>` to accomodate the need to restrict access based on the source namespace of the Application to be managed.
-
-For backwards compatibility, Applications in the `argocd` namespace can still be refered to as `<project>/<application>` in the RBAC policy rules.
-
-Wildcards do not make any distinction between project and application namespaces yet. For example, the following RBAC rule would match any application belonging to project `foo`, regardless of the namespace it is created in:
-
-```
-p, somerole, applications, get, foo/*, allow
-```
-
-If you want to restrict access to be granted only to `Applications` in project `foo` within namespace `bar`, the rule would need to be adapted as follows:
-
-```
-p, somerole, applications, get, foo/bar/*, allow
-```
-  
-## Managing applications in other namespaces
-
-### Declaratively
-
-For declarative management of Applications, just create the Application from a YAML or JSON manifest in the desired namespace. Make sure that the `.spec.project` field refers to an AppProject that allows this namespace. For example, the following (incomplete) Application manifest creates an Application in the namespace `some-namespace`:
-
-```yaml
-kind: Application
-apiVersion: argoproj.io/v1alpha1
-metadata:
-  name: some-app
-  namespace: some-namespace
-spec:
-  project: some-project
-  # ...
-```
-
-The project `some-project` will then need to specify `some-namespace` in the list of allowed source namespaces, e.g.
-
-```yaml
-kind: AppProject
-apiVersion: argoproj.io/v1alpha1
-metadata:
-    name: some-project
-    namespace: argocd
-spec:
-    sourceNamespaces:
-    - some-namespace
-```
-
-### Using the CLI
-
-You can use all existing Argo CD CLI commands for managing applications in other namespaces, exactly as you would use the CLI to manage applications in the control plane's namespace.
-
-For example, to retrieve the `Application` named `foo` in the namespace `bar`, you can use the following CLI command:
-
-```shell
-argocd app get foo/bar
-```
-
-Likewise, to manage this application, keep referring to it as `foo/bar`:
-
-```bash
-# Create an application
-argocd app create foo/bar ...
-# Sync the application
-argocd app sync foo/bar
-# Delete the application
-argocd app delete foo/bar
-# Retrieve application's manifest
-argocd app manifests foo/bar
-```
-
-As stated previously, for applications in the Argo CD's control plane namespace, you can omit the namespace from the application name.
-
-### Using the UI
-
-Similar to the CLI, you can refer to the application in the UI as `foo/bar`.
-
-For example, to create an application named `bar` in the namespace `foo` in the web UI, set the application name in the creation dialogue's _Application Name_ field to `foo/bar`. If the namespace is omitted, the control plane's namespace will be used.
-
-### Using the REST API
-
-If you are using the REST API, the namespace for `Application` cannot be specified as the application name, and resources need to be specified using the optional `appNamespace` query parameter. For example, to work with the `Application` resource named `foo` in the namespace `bar`, the request would look like follows:
-
-```bash
-GET /api/v1/applications/foo?appNamespace=bar
-```
-
-For other operations such as `POST` and `PUT`, the `appNamespace` parameter must be part of the request's payload.
-
-For `Application` resources in the control plane namespace, this parameter can be omitted.

docs/operator-manual/application.yaml

@@ -45,9 +45,6 @@ spec:
       valueFiles:
       - values-prod.yaml
 
-      # Ignore locally missing valueFiles when installing Helm chart. Defaults to false
-      ignoreMissingValueFiles: false
-
       # Values file as block file
       values: |
         ingress:
@@ -64,9 +61,6 @@ spec:
               hosts:
                 - mydomain.example.com
 
-      # Skip custom resource definition installation if chart contains custom resource definitions. Defaults to false
-      skipCrds: false
-
       # Optional Helm version to template with. If omitted it will fall back to look at the 'apiVersion' in Chart.yaml
       # and decide which Helm binary to use automatically. This field can be either 'v2' or 'v3'.
       version: v2
@@ -125,18 +119,10 @@ spec:
 
   # Destination cluster and namespace to deploy the application
   destination:
-    # cluster API URL
     server: https://kubernetes.default.svc
-    # or cluster name
-    # name: in-cluster
     # The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
     namespace: guestbook
-    
-  # Extra information to show in the Argo CD Application details tab
-  info:
-    - name: 'Example:'
-      value: 'https://example.com'
-      
+
   # Sync policy
   syncPolicy:
     automated: # automated sync by default retries failed attempts 5 times with following delays between attempts ( 5s, 10s, 20s, 40s, 80s ); retry controlled using `retry` field.

docs/operator-manual/applicationset/Generators-Git.md

@@ -108,7 +108,7 @@ spec:
         server: https://kubernetes.default.svc
         namespace: '{{path.basename}}'
 ```
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-directory/excludes).*)
+(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/examples/applicationset/git-generator-directory/excludes).*)
 
 This example excludes the `exclude-helm-guestbook` directory from the list of directories scanned for this `ApplicationSet` resource.
 

docs/operator-manual/applicationset/Generators-Post-Selector.md

@@ -1,43 +0,0 @@
-# Post Selector all generators
-
-The Selector allows to post-filter based on generated values using the kubernetes common labelSelector format. In the example, the list generator generates a set of two application which then filter by the key value to only select the `env` with value `staging`:
-
-## Example: List generator + Post Selector
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: guestbook
-spec:
-  generators:
-  - list:
-      elements:
-        - cluster: engineering-dev
-          url: https://kubernetes.default.svc
-          env: staging
-        - cluster: engineering-prod
-          url: https://kubernetes.default.svc
-          env: prod
-    selector:
-      matchLabels:
-        env: staging
-  template:
-    metadata:
-      name: '{{cluster}}-guestbook'
-    spec:
-      project: default
-      source:
-        repoURL: https://github.com/argoproj-labs/applicationset.git
-        targetRevision: HEAD
-        path: examples/list-generator/guestbook/{{cluster}}
-      destination:
-        server: '{{url}}'
-        namespace: guestbook
-```
-
-The List generator + Post Selector generates a single set of parameters:
-```yaml
-- cluster: engineering-dev
-  url: https://kubernetes.default.svc
-  env: staging
-```

docs/operator-manual/applicationset/Generators-Pull-Request.md

@@ -60,7 +60,7 @@ spec:
 * `repo`: Required name of the GitHub repository.
 * `api`: If using GitHub Enterprise, the URL to access it. (Optional)
 * `tokenRef`: A `Secret` name and key containing the GitHub access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional)
-* `labels`: Filter the PRs to those containing **all** of the labels listed. (Optional)
+* `labels`: Labels is used to filter the PRs that you want to target. (Optional)
 * `appSecretName`: A `Secret` name containing a GitHub App secret in [repo-creds format][repo-creds].
 
 [repo-creds]: ../declarative-setup.md#repository-credentials
@@ -318,7 +318,3 @@ The Pull Request Generator will requeue when the next action occurs.
 - `merge`
 
 For more information about each event, please refer to the [official documentation](https://docs.gitlab.com/ee/user/project/integrations/webhook_events.html#merge-request-events).
-
-## Lifecycle
-
-An Application will be generated when a Pull Request is discovered when the configured criteria is met - i.e. for GitHub when a Pull Request matches the specified `labels` and/or `pullRequestState`. Application will be removed when a Pull Request no longer meets the specified criteria.

docs/operator-manual/applicationset/Generators-SCM-Provider.md

@@ -219,41 +219,6 @@ spec:
 * `api`: Optional. URL to Azure DevOps. If not set, `https://dev.azure.com` is used.
 * `allBranches`: Optional, default `false`. If `true`, scans every branch of eligible repositories. If `false`, check only the default branch of the eligible repositories.
 
-## Bitbucket Cloud
-
-The Bitbucket mode uses the Bitbucket API V2 to scan a workspace in bitbucket.org.
-
-```yaml
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: myapps
-spec:
-  generators:
-  - scmProvider:
-      bitbucket:
-        # The workspace id (slug).  
-        owner: "example-owner"
-        # The user to use for basic authentication with an app password.
-        user: "example-user"
-        # If true, scan every branch of every repository. If false, scan only the main branch. Defaults to false.
-        allBranches: true
-        # Reference to a Secret containing an app password.
-        appPasswordRef:
-          secretName: appPassword
-          key: password
-  template:
-  # ...
-```
-
-* `owner`: The workspace ID (slug) to use when looking up repositories.
-* `user`: The user to use for authentication to the Bitbucket API V2 at bitbucket.org.
-* `allBranches`: By default (false) the template will only be evaluated for the main branch of each repo. If this is true, every branch of every repository will be passed to the filters. If using this flag, you likely want to use a `branchMatch` filter.
-* `appPasswordRef`: A `Secret` name and key containing the bitbucket app password to use for requests.
-
-This SCM provider does not yet support label filtering
-
-Available clone protocols are `ssh` and `https`.
 
 ## Filters
 

docs/operator-manual/applicationset/Generators.md

@@ -15,6 +15,4 @@ As of this writing there are eight generators:
 - [Pull Request generator](Generators-Pull-Request.md): The Pull Request generator uses the API of an SCMaaS provider (eg GitHub) to automatically discover open pull requests within an repository.
 - [Cluster Decision Resource generator](Generators-Cluster-Decision-Resource.md): The Cluster Decision Resource generator is used to interface with Kubernetes custom resources that use custom resource-specific logic to decide which set of Argo CD clusters to deploy to.
 
-All generators can be filtered by using the [Post Selector](Generators-Post-Selector.md)
-
 If you are new to generators, begin with the **List** and **Cluster** generators. For more advanced use cases, see the documentation for the remaining generators above.

docs/operator-manual/applicationset/GoTemplate.md

@@ -74,20 +74,13 @@ All your templates must replace parameters with GoTemplate Syntax:
 
 Example: `{{ some.value }}` becomes `{{ .some.value }}`
 
-### Cluster Generators
-
-By activating Go Templating, `{{ .metadata }}` becomes an object.
-
-- `{{ metadata.labels.my-label }}` becomes `{{ index .metadata.labels "my-label" }}`
-- `{{ metadata.annotations.my/annotation }}` becomes `{{ index .metadata.annotations "my/annotation" }}`
-
 ### Git Generators
 
 By activating Go Templating, `{{ .path }}` becomes an object. Therefore, some changes must be made to the Git 
 generators' templating:
 
 - `{{ path }}` becomes `{{ .path.path }}`
-- `{{ path[n] }}` becomes `{{ index .path.segments n }}`
+- `{{ path[n] }}` becomes `{{ .path.segments[n] }}`
 
 Here is an example:
 
@@ -155,7 +148,7 @@ It is also possible to use Sprig functions to construct the path variables manua
 | `{{path.filename}}` | `{{.path.filename}}` | `{{.path.filename}}` |
 | `{{path.basenameNormalized}}` | `{{.path.basenameNormalized}}` | `{{normalize .path.path}}` |
 | `{{path.filenameNormalized}}` | `{{.path.filenameNormalized}}` | `{{normalize .path.filename}}` |
-| `{{path[N]}}` | `-` | `{{index .path.segments N}}` |
+| `{{path[N]}}` | `{{.path.segments[N]}}` | `{{index (splitList "/" .path.path) N}}` |
 
 ## Examples
 

docs/operator-manual/argocd-cm.yaml

@@ -47,7 +47,7 @@ data:
   help.download.windows-amd64: "path-or-url-to-download"
 
   # A dex connector configuration (optional). See SSO configuration documentation:
-  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
+  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/sso
   # https://dexidp.io/docs/connectors/
   dex.config: |
     connectors:

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -139,6 +139,26 @@ data:
   reposerver.streamed.manifest.max.tar.size: "100M"
   # Maximum size of extracted manifests when streaming manifests to the repo server for generation
   reposerver.streamed.manifest.max.extracted.size: "1G"
+  # Enable git submodule support
+  reposerver.enable.git.submodule: "true"
 
   # Disable TLS on the HTTP endpoint
   dexserver.disable.tls: "false"
+
+  ## ApplicationSet Controller Properties
+  # Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
+  applicationsetcontroller.enable.leader.election: "false"
+  # Argo CD repo namespace (default: argocd)
+  applicationsetcontroller.namespace: ""
+  # "Modify how application is synced between the generator and the cluster. Default is 'sync' (create & update & delete), options: 'create-only', 'create-update' (no deletion)"
+  applicationsetcontroller.policy: "sync"
+  # Print debug logs. Takes precedence over loglevel
+  applicationsetcontroller.debug: "false"
+  # Set the logging format. One of: text|json (default "text")
+  applicationsetcontroller.log.format: "text"
+  # Set the logging level. One of: debug|info|warn|error (default "info")
+  applicationsetcontroller.log.level: "info"
+  # Enable dry run mode
+  applicationsetcontroller.dryrun: "false"
+  # Enable git submodule support
+  applicationsetcontroller.enable.git.submodule: "true"

docs/operator-manual/custom_tools.md

@@ -51,7 +51,7 @@ following example builds an entirely customized repo-server from a Dockerfile, i
 dependencies that may be needed for generating manifests.
 
 ```Dockerfile
-FROM argoproj/argocd:v2.5.4 # Replace tag with the appropriate argo version
+FROM argoproj/argocd:latest
 
 # Switch to root for the ability to perform install
 USER root

docs/operator-manual/declarative-setup.md

@@ -77,7 +77,7 @@ spec:
 ```
 
 !!! warning
-    Without the `resources-finalizer.argocd.argoproj.io` finalizer, deleting an application will not delete the resources it manages. To perform a cascading delete, you must add the finalizer. See [App Deletion](../user-guide/app_deletion.md#about-the-deletion-finalizer).
+    By default, deleting an application will not perform a cascade delete, which would delete its resources. You must add the finalizer if you want this behaviour - which you may well not want.
 
 ```yaml
 metadata:

docs/operator-manual/health.md

@@ -5,7 +5,7 @@ Argo CD provides built-in health assessment for several standard Kubernetes type
 surfaced to the overall Application health status as a whole. The following checks are made for
 specific types of kubernetes resources:
 
-### Deployment, ReplicaSet, StatefulSet, DaemonSet
+### Deployment, ReplicaSet, StatefulSet DaemonSet
 * Observed generation is equal to desired generation.
 * Number of **updated** replicas equals the number of desired replicas.
 

docs/operator-manual/high_availability.md

@@ -1,11 +1,13 @@
 # High Availability
 
-Argo CD is largely stateless. All data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
+Argo CD is largely stateless, all data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd. Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
 
-A set of [HA manifests](https://github.com/argoproj/argo-cd/tree/master/manifests/ha) are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
+A set of HA manifests are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
 
-> **NOTE:** The HA installation will require at least three different nodes due to pod anti-affinity roles in the
-> specs. Additionally, IPv6 only clusters are not supported.
+[Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests) 
+
+!!! note
+    The HA installation will require at least three different nodes due to pod anti-affinity roles in the specs.
 
 ## Scaling Up
 
@@ -15,11 +17,11 @@ A set of [HA manifests](https://github.com/argoproj/argo-cd/tree/master/manifest
 
 The `argocd-repo-server` is responsible for cloning Git repository, keeping it up to date and generating manifests using the appropriate tool.
 
-* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory or limit on the number of OS threads.
-The `--parallelismlimit` flag controls how many manifests generations are running concurrently and helps avoid OOM kills.
+* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory and limit on the number of OS threads.
+The `--parallelismlimit` flag controls how many manifests generations are running concurrently and allows avoiding OOM kills.
 
 * the `argocd-repo-server` ensures that repository is in the clean state during the manifest generation using config management tools such as Kustomize, Helm
-or custom plugin. As a result Git repositories with multiple applications might affect repository server performance.
+or custom plugin. As a result Git repositories with multiple applications might be affect repository server performance.
 Read [Monorepo Scaling Considerations](#monorepo-scaling-considerations) for more information.
 
 * `argocd-repo-server` clones repository into `/tmp` ( of path specified in `TMPDIR` env variable ). Pod might run out of disk space if have too many repository
@@ -28,7 +30,7 @@ or repositories has a lot of files. To avoid this problem mount persistent volum
 * `argocd-repo-server` `git ls-remote` to resolve ambiguous revision such as `HEAD`, branch or tag name. This operation is happening pretty frequently
 and might fail. To avoid failed syncs use `ARGOCD_GIT_ATTEMPTS_COUNT` environment variable to retry failed requests.
 
-* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches the generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind that this will negate the benefits of caching if set too low. 
+* `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind this will negate the benefit of caching if set too low. 
 
 * `argocd-repo-server` fork exec config management tools such as `helm` or `kustomize` and enforces 90 seconds timeout. The timeout can be increased using `ARGOCD_EXEC_TIMEOUT` env variable. The value should be in Go time duration string format, for example, `2m30s`.
 

docs/operator-manual/installation.md

@@ -74,13 +74,13 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-- github.com/argoproj/argo-cd/manifests/ha/base?ref=v2.6.2
+- https://raw.githubusercontent.com/argoproj/argo-cd/v2.0.4/manifests/ha/install.yaml
 ```
 
 ## Helm
 
 The Argo CD can be installed using [Helm](https://helm.sh/). The Helm chart is currently community maintained and available at
-[argo-helm/charts/argo-cd](https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd).
+[argo-helm/charts/argo-cd](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd).
 
 ## Supported versions
 

docs/operator-manual/metrics.md

@@ -67,7 +67,8 @@ Scraped at the `argocd-server-metrics:8083/metrics` endpoint.
 | Metric | Type | Description |
 |--------|:----:|-------------|
 | `argocd_redis_request_duration` | histogram | Redis requests duration. |
-| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application reconciliation. |
+| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application
+reconciliation. |
 | `grpc_server_handled_total` | counter | Total number of RPCs completed on the server, regardless of success or failure. |
 | `grpc_server_msg_sent_total` | counter | Total number of gRPC stream messages sent by the server. |
 

docs/operator-manual/notifications/troubleshooting-commands.md

@@ -1,9 +1,9 @@
-## argocd admin notifications template get
+## notifications template get
 
 Prints information about configured templates
 
 ```
-argocd admin notifications template get [flags]
+notifications template get [flags]
 ```
 
 ### Examples
@@ -11,9 +11,9 @@ argocd admin notifications template get [flags]
 ```
 
 # prints all templates
-argocd admin notifications template get
+notifications template get
 # print YAML formatted app-sync-succeeded template definition
-argocd admin notifications template get app-sync-succeeded -o=yaml
+notifications template get app-sync-succeeded -o=yaml
 
 ```
 
@@ -53,12 +53,12 @@ argocd admin notifications template get app-sync-succeeded -o=yaml
       --username string                 Username for basic authentication to the API server
 ```
 
-## argocd admin notifications template notify
+## notifications template notify
 
 Generates notification using the specified template and send it to specified recipients
 
 ```
-argocd admin notifications template notify NAME RESOURCE_NAME [flags]
+notifications template notify NAME RESOURCE_NAME [flags]
 ```
 
 ### Examples
@@ -66,10 +66,10 @@ argocd admin notifications template notify NAME RESOURCE_NAME [flags]
 ```
 
 # Trigger notification using in-cluster config map and secret
-argocd admin notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
+notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
 
 # Render notification render generated notification in console
-argocd admin notifications template notify app-sync-succeeded guestbook
+notifications template notify app-sync-succeeded guestbook
 
 ```
 
@@ -109,12 +109,12 @@ argocd admin notifications template notify app-sync-succeeded guestbook
       --username string                 Username for basic authentication to the API server
 ```
 
-## argocd admin notifications trigger get
+## notifications trigger get
 
 Prints information about configured triggers
 
 ```
-argocd admin notifications trigger get [flags]
+notifications trigger get [flags]
 ```
 
 ### Examples
@@ -122,9 +122,9 @@ argocd admin notifications trigger get [flags]
 ```
 
 # prints all triggers
-argocd admin notifications trigger get
+notifications trigger get
 # print YAML formatted on-sync-failed trigger definition
-argocd admin notifications trigger get on-sync-failed -o=yaml
+notifications trigger get on-sync-failed -o=yaml
 
 ```
 
@@ -164,12 +164,12 @@ argocd admin notifications trigger get on-sync-failed -o=yaml
       --username string                 Username for basic authentication to the API server
 ```
 
-## argocd admin notifications trigger run
+## notifications trigger run
 
 Evaluates specified trigger condition and prints the result
 
 ```
-argocd admin notifications trigger run NAME RESOURCE_NAME [flags]
+notifications trigger run NAME RESOURCE_NAME [flags]
 ```
 
 ### Examples
@@ -177,10 +177,10 @@ argocd admin notifications trigger run NAME RESOURCE_NAME [flags]
 ```
 
 # Execute trigger configured in 'argocd-notification-cm' ConfigMap
-argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml
+notifications trigger run on-sync-status-unknown ./sample-app.yaml
 
 # Execute trigger using my-config-map.yaml instead of 'argocd-notifications-cm' ConfigMap
-argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml \
+notifications trigger run on-sync-status-unknown ./sample-app.yaml \
     --config-map ./my-config-map.yaml
 ```
 

docs/operator-manual/notifications/troubleshooting.md

@@ -1,6 +1,6 @@
 ## Troubleshooting
 
-The `argocd admin notifications` is a CLI command group that helps to configure the controller
+The `argocd-notifications` binary includes a set of CLI commands that helps to configure the controller
 settings and troubleshoot issues.
 
 ## Global flags
@@ -17,15 +17,15 @@ Additionally, you can specify `:empty` value to use empty secret with no notific
 * Get list of triggers configured in the local config map:
 
 ```bash
-argocd admin notifications trigger get \
-  --config-map ./argocd admin notifications-cm.yaml --secret :empty
+argocd-notifications trigger get \
+  --config-map ./argocd-notifications-cm.yaml --secret :empty
 ```
 
 * Trigger notification using in-cluster config map and secret:
 
 ```bash
-argocd admin notifications template notify \
-  app-sync-succeeded guestbook --recipient slack:argocd admin notifications
+argocd-notifications template notify \
+  app-sync-succeeded guestbook --recipient slack:argocd-notifications
 ```
 
 ## Kustomize
@@ -44,18 +44,18 @@ kustomize build ./argocd-notifications | \
 
 ### On your laptop
 
-You can download the `argocd` CLI from the github [release](https://github.com/argoproj/argo-cd/releases)
+You can download `argocd-notifications` from the github [release](https://github.com/argoproj-labs/argocd-notifications/releases)
 attachments.
 
-The binary is available in `argoproj/argo-cd` image. Use the `docker run` and volume mount
+The binary is available in `argoprojlabs/argocd-notifications` image. Use the `docker run` and volume mount
 to execute binary on any platform. 
 
 **Example:**
 
 ```bash
 docker run --rm -it -w /src -v $(pwd):/src \
-  argoproj/argo-cd:<version> \
-  /app/argocd admin notifications trigger get \
+  argoprojlabs/argocd-notifications:<version> \
+  /app/argocd-notifications trigger get \
   --config-map ./argocd-notifications-cm.yaml --secret :empty
 ```
 
@@ -67,7 +67,7 @@ configuration.
 **Example**
 ```bash
 kubectl exec -it argocd-notifications-controller-<pod-hash> \
-  /app/argocd admin notifications trigger get
+  /app/argocd-notifications trigger get
 ```
 
 ## Commands

docs/operator-manual/project.yaml

@@ -15,11 +15,9 @@ spec:
   - '*'
 
   # Only permit applications to deploy to the guestbook namespace in the same cluster
-  # Destination clusters can be identified by 'server', 'name', or both.
   destinations:
   - namespace: guestbook
     server: https://kubernetes.default.svc
-    name: in-cluster
 
   # Deny all cluster-scoped resources from being created, except for Namespace
   clusterResourceWhitelist:

docs/operator-manual/rbac.md

@@ -64,7 +64,7 @@ See [Web-based Terminal](web_based_terminal.md) for more info.
 
 #### The `applicationsets` resource
 
-[ApplicationSets](applicationset/index.md) provide a declarative way to automatically create/update/delete Applications.
+[ApplicationSets](applicationset) provide a declarative way to automatically create/update/delete Applications.
 
 Granting `applicationsets, create` effectively grants the ability to create Applications. While it doesn't allow the 
 user to create Applications directly, they can create Applications via an ApplicationSet.

docs/operator-manual/resource_actions.md

@@ -9,8 +9,9 @@ Operators can add actions to custom resources in form of a Lua script and expand
 
 Argo CD supports custom resource actions written in [Lua](https://www.lua.org/). This is useful if you:
 
-* Have a custom resource for which Argo CD does not provide any built-in actions.
-* Have a commonly performed manual task that might be error prone if executed by users via `kubectl`
+    * Have a custom resource for which Argo CD does not provide any built-in actions.
+    * Have a commonly performed manual task that might be error prone if executed by users via `kubectl`
+
 
 You can define your own custom resource actions in the `argocd-cm` ConfigMap.
 

docs/operator-manual/secret-management.md

@@ -1,11 +1,6 @@
 # Secret Management
 
-Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there's no one-size-fits-all solution.
-
-Many solutions use plugins to inject secrets into the application manifests. See [Mitigating Risks of Secret-Injection Plugins](#mitigating-risks-of-secret-injection-plugins)
-below to make sure you use those plugins securely.
-
-Here are some ways people are doing GitOps secrets:
+Argo CD is un-opinionated about how secrets are managed. There's many ways to do it and there's no one-size-fits-all solution. Here's some ways people are doing GitOps secrets:
 
 * [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 * [External Secrets Operator](https://github.com/external-secrets/external-secrets)
@@ -17,20 +12,5 @@ Here are some ways people are doing GitOps secrets:
 * [KSOPS](https://github.com/viaduct-ai/kustomize-sops#argo-cd-integration)
 * [argocd-vault-plugin](https://github.com/argoproj-labs/argocd-vault-plugin)
 * [argocd-vault-replacer](https://github.com/crumbhole/argocd-vault-replacer)
-* [Kubernetes Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver)
 
 For discussion, see [#1364](https://github.com/argoproj/argo-cd/issues/1364)
-
-## Mitigating Risks of Secret-Injection Plugins
-
-Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those 
-manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to 
-anyone who has access to the Redis instance or to the repo-server.
-
-Consider these steps to mitigate the risks of secret-injection plugins:
-
-1. Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your
-   cluster supports those network policies and can actually enforce them.
-2. Consider running Argo CD on its own cluster, with no other applications running on it.
-3. [Enable password authentication on the Redis instance](https://github.com/argoproj/argo-cd/issues/3130) (currently
-   only supported for non-HA Argo CD installations).

docs/operator-manual/signed-release-assets.md

@@ -4,17 +4,21 @@ All Argo CD container images are signed by cosign. Checksums are created for the
 
 ## Prerequisites
 - Cosign [installation instructions](https://docs.sigstore.dev/cosign/installation)
-- Obtain or have a copy of ```argocd-cosign.pub```, which can be located in the assets section of the [release page](https://github.com/argoproj/argo-cd/releases)
-
-Once you have installed cosign, you can use ```argocd-cosign.pub``` to verify the signed assets or container images.
-
+- Obtain or have a copy of the [public key](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) ```argocd-cosign.pub```
 
+Once you have installed cosign, you can use [argocd-cosign.pub](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) to verify the signed assets or container images.
+```
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
+JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
+-----END PUBLIC KEY-----
+```
 ## Verification of container images
 
 ```bash
-cosign verify --key argocd-cosign.pub  quay.io/argoproj/argocd:<VERSION>
+cosign verify --key argocd-cosign.pub  quay.io/argoproj/argocd:latest
 
-Verification for quay.io/argoproj/argocd:<VERSION> --
+Verification for quay.io/argoproj/argocd:latest --
 The following checks were performed on each of these signatures:
   * The cosign claims were validated
   * The signatures were verified against the specified public key
@@ -23,9 +27,6 @@ The following checks were performed on each of these signatures:
 ## Verification of signed assets
 
 ```bash
-cosign verify-blob --key cosign.pub --signature $(cat argocd-<VERSION>-checksums.sig) argocd-$VERSION-checksums.txt
+cosign verify-blob --key cosign.pub --signature $(cat argocd-$VERSION-checksums.sig) argocd-$VERSION-checksums.txt
 Verified OK
 ```
-## Admission controllers
-
-Cosign is compatible with several types of admission controllers.  Please see the [Cosign documentation](https://docs.sigstore.dev/cosign/overview/#kubernetes-integrations) for supported controllers

docs/operator-manual/upgrading/1.8-2.0.md

@@ -1,4 +1,4 @@
-# v1.8 to 2.0
+# v1.8 to v2.0
 
 ## Redis Upgraded to v6.2.1