Bump version to 2.5.8

* fix: verify audience claim

Co-Authored-By: Vladimir Pouzanov <farcaller@gmail.com>
Signed-off-by: CI <350466+crenshaw-dev@users.noreply.github.com>

* fix lint

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* go mod tidy

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* handle single aud claim marshaled as a string

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

Signed-off-by: CI <350466+crenshaw-dev@users.noreply.github.com>
Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: CI <350466+crenshaw-dev@users.noreply.github.com>
Co-authored-by: Vladimir Pouzanov <farcaller@gmail.com>

.github/workflows/ci-build.yaml

@@ -27,9 +27,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -45,13 +45,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -69,13 +69,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376 # v3.3.1
         with:
           version: v1.46.2
           args: --timeout 10m --exclude SA5011 --verbose
@@ -92,11 +92,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -116,7 +116,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -133,12 +133,12 @@ jobs:
       - name: Run all unit tests
         run: make test-local
       - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: code-coverage
           path: coverage.out
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: test-results
           path: test-results/
@@ -155,11 +155,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -179,7 +179,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -196,7 +196,7 @@ jobs:
       - name: Run all unit tests
         run: make test-race-local
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: race-results
           path: test-results/
@@ -206,9 +206,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -250,14 +250,14 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup NodeJS
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: '12.18.4'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -287,12 +287,12 @@ jobs:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@v1
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -303,16 +303,16 @@ jobs:
         run: |
           mkdir -p test-results
       - name: Get code coverage artifiact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: code-coverage
       - name: Get test result artifact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: test-results
           path: test-results
       - name: Upload code coverage information to codecov.io
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
         with:
           file: coverage.out
       - name: Perform static code analysis using SonarCloud
@@ -366,9 +366,9 @@ jobs:
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
@@ -386,7 +386,7 @@ jobs:
           sudo chown runner $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@v1
+        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -412,9 +412,9 @@ jobs:
           git config --global user.email "john.doe@example.com"
       - name: Pull Docker image required for tests
         run: |
-          docker pull ghcr.io/dexidp/dex:v2.35.3-distroless
+          docker pull ghcr.io/dexidp/dex:v2.35.3
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.5-alpine
+          docker pull redis:7.0.7-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist
@@ -442,7 +442,7 @@ jobs:
           set -x
           make test-e2e-local
       - name: Upload e2e-server logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: e2e-server-k8s${{ matrix.k3s-version }}.log
           path: /tmp/e2e-server.log

.github/workflows/codeql.yml

@@ -29,11 +29,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
@@ -41,7 +41,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -55,4 +55,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@8aff97f12c99086bdb92ff62ae06dbbcdf07941b # v2.1.33

.github/workflows/image.yaml

@@ -28,22 +28,22 @@ jobs:
     env:
       GOPATH: /home/runner/work/argo-cd/argo-cd
     steps:
-      - uses: actions/setup-go@v3
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@master
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           path: src/github.com/argoproj/argo-cd
 
       # get image tag
-      - run: echo ::set-output name=tag::$(cat ./VERSION)-${GITHUB_SHA::8}
+      - run: echo "tag=$(cat ./VERSION)-${GITHUB_SHA::8}" >> $GITHUB_OUTPUT
         working-directory: ./src/github.com/argoproj/argo-cd
         id: image
 
       # login
       - run: |
-          docker login ghcr.io --username $USERNAME --password $PASSWORD
-          docker login quay.io --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker login ghcr.io --username $USERNAME --password-stdin <<< "$PASSWORD"
+          docker login quay.io --username "$DOCKER_USERNAME" --password-stdin <<< "$DOCKER_TOKEN"
         if: github.event_name == 'push'
         env:
           USERNAME: ${{ secrets.USERNAME }}
@@ -52,8 +52,8 @@ jobs:
           DOCKER_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
 
       # build
-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
+      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
       - run: |
           IMAGE_PLATFORMS=linux/amd64
           if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
@@ -61,20 +61,27 @@ jobs:
             IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
           fi
           echo "Building image for platforms: $IMAGE_PLATFORMS"
-          docker buildx build --platform $IMAGE_PLATFORMS --push="${{ github.event_name == 'push' }}" \
+          docker buildx build --platform $IMAGE_PLATFORMS --sbom=false --provenance=false --push="${{ github.event_name == 'push' }}" \
             -t ghcr.io/argoproj/argocd:${{ steps.image.outputs.tag }} \
             -t quay.io/argoproj/argocd:latest .
         working-directory: ./src/github.com/argoproj/argo-cd
 
       # sign container images
       - name: Install cosign
-        uses: sigstore/cosign-installer@main
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
         with:
-          cosign-release: 'v1.13.0'
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
+
+      - name: Get digest of image
+        run: |
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:latest)" >> $GITHUB_ENV
 
       - name: Sign Argo CD latest image
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd:latest
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd@${{ env.IMAGE_DIGEST }}
           # Displays the public key to share.
           cosign public-key --key env://COSIGN_PRIVATE_KEY
         env:

.github/workflows/release.yaml

@@ -12,7 +12,7 @@ on:
       - "!release-v0*"
 
 env:
-    GOLANG_VERSION: '1.18'
+  GOLANG_VERSION: '1.18'
 
 permissions:
   contents: read
@@ -43,7 +43,7 @@ jobs:
       GIT_EMAIL: argoproj@gmail.com
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -147,7 +147,7 @@ jobs:
           echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
 
       - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
@@ -195,19 +195,19 @@ jobs:
           QUAY_TOKEN: ${{ secrets.RELEASE_QUAY_TOKEN }}
         run: |
           set -ue
-          docker login quay.io --username "${QUAY_USERNAME}" --password "${QUAY_TOKEN}"
+          docker login quay.io --username "${QUAY_USERNAME}" --password-stdin <<< "${QUAY_TOKEN}"
           # Remove the following when Docker Hub is gone
-          docker login --username "${DOCKER_USERNAME}" --password "${DOCKER_TOKEN}"
+          docker login --username "${DOCKER_USERNAME}" --password-stdin <<< "${DOCKER_TOKEN}"
         if: ${{ env.DRY_RUN != 'true' }}
 
-      - uses: docker/setup-qemu-action@v2
-      - uses: docker/setup-buildx-action@v2
+      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
+      - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
       - name: Build and push Docker image for release
         run: |
           set -ue
           git clean -fd
           mkdir -p dist/
-          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
+          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --sbom=false --provenance=false --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
           make release-cli
           make checksums
           chmod +x ./dist/argocd-linux-amd64
@@ -215,13 +215,20 @@ jobs:
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@main
+        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
         with:
-          cosign-release: 'v1.13.0'
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
+
+      - name: Get digest of image
+        run: |
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:v${TARGET_VERSION})" >> $GITHUB_ENV
 
       - name: Sign Argo CD container images and assets
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd@${{ env.IMAGE_DIGEST }}
           cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
           # Retrieves the public key to release as an asset
           cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
@@ -232,7 +239,7 @@ jobs:
 
       - name: Read release notes file
         id: release-notes
-        uses: juliangruber/read-file-action@v1
+        uses: juliangruber/read-file-action@02bbba9876a8f870efd4ad64e3b9088d3fb94d4b # v1.1.6
         with:
           path: ${{ env.RELEASE_NOTES }}
 
@@ -243,7 +250,7 @@ jobs:
           git push origin ${RELEASE_TAG}
 
       - name: Dry run GitHub release
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         id: create_release
@@ -264,7 +271,7 @@ jobs:
           SIGS_BOM_VERSION: v0.2.1
           # comma delimited list of project relative folders to inspect for package
           # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: ".,./ui" 
+          PROJECT_FOLDERS: ".,./ui"
           # full qualified name of the docker image to be inspected
           DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
         run: |
@@ -295,7 +302,7 @@ jobs:
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Create GitHub release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -313,7 +320,7 @@ jobs:
       - name: Update homebrew formula
         env:
           HOMEBREW_TOKEN: ${{ secrets.RELEASE_HOMEBREW_TOKEN }}
-        uses: dawidd6/action-homebrew-bump-formula@v3
+        uses: dawidd6/action-homebrew-bump-formula@02e79d9da43d79efa846d73695b6052cbbdbf48a # v3.8.3
         with:
           token: ${{env.HOMEBREW_TOKEN}}
           formula: argocd

.github/workflows/update-snyk.yaml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Build reports

Makefile

@@ -512,7 +512,7 @@ build-docs-local:
 
 .PHONY: build-docs
 build-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} build
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -v ${CURRENT_DIR}:/docs --entrypoint "" ${MKDOCS_DOCKER_IMAGE} sh -c 'pip install -r docs/requirements.txt; mkdocs build'
 
 .PHONY: serve-docs-local
 serve-docs-local:
@@ -520,7 +520,7 @@ serve-docs-local:
 
 .PHONY: serve-docs
 serve-docs:
-	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}:/docs ${MKDOCS_DOCKER_IMAGE} serve -a 0.0.0.0:8000
+	docker run ${MKDOCS_RUN_ARGS} --rm -it -p 8000:8000 -v ${CURRENT_DIR}/site:/site -w /site --entrypoint "" ${MKDOCS_DOCKER_IMAGE} python3 -m http.server --bind 0.0.0.0 8000
 
 
 # Verify that kubectl can connect to your K8s cluster from Docker

USERS.md

@@ -160,6 +160,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
 1. [Polarpoint.io](https://polarpoint.io)
+1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
 1. [Productboard](https://www.productboard.com/)
 1. [Prudential](https://prudential.com.sg)

VERSION

@@ -1 +1 @@
-2.5.2
+2.5.8

applicationset/generators/matrix.go

@@ -144,9 +144,10 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 
 	for _, r := range appSetGenerator.Matrix.Generators {
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:     r.List,
-			Clusters: r.Clusters,
-			Git:      r.Git,
+			List:        r.List,
+			Clusters:    r.Clusters,
+			Git:         r.Git,
+			PullRequest: r.PullRequest,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)
 

applicationset/generators/matrix_test.go

@@ -399,6 +399,8 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 		Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "Cluster","url": "Url"}`)}},
 	}
 
+	pullRequestGenerator := &argoprojiov1alpha1.PullRequestGenerator{}
+
 	testCases := []struct {
 		name               string
 		baseGenerators     []argoprojiov1alpha1.ApplicationSetNestedGenerator
@@ -431,6 +433,31 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 			gitGetRequeueAfter: time.Duration(1),
 			expected:           time.Duration(1),
 		},
+		{
+			name: "returns the minimal time for pull request",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			gitGetRequeueAfter: time.Duration(15 * time.Second),
+			expected:           time.Duration(15 * time.Second),
+		},
+		{
+			name: "returns the default time if no requeueAfterSeconds is provided",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			expected: time.Duration(30 * time.Minute),
+		},
 	}
 
 	for _, testCase := range testCases {
@@ -441,16 +468,18 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 
 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
-					Git:  g.Git,
-					List: g.List,
+					Git:         g.Git,
+					List:        g.List,
+					PullRequest: g.PullRequest,
 				}
 				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
 			}
 
 			var matrixGenerator = NewMatrixGenerator(
 				map[string]Generator{
-					"Git":  mock,
-					"List": &ListGenerator{},
+					"Git":         mock,
+					"List":        &ListGenerator{},
+					"PullRequest": &PullRequestGenerator{},
 				},
 			)
 

applicationset/generators/scm_provider.go

@@ -122,6 +122,15 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha
 		if err != nil {
 			return nil, fmt.Errorf("error initializing Azure Devops service: %v", err)
 		}
+	} else if providerConfig.Bitbucket != nil {
+		appPassword, err := g.getSecretRef(ctx, providerConfig.Bitbucket.AppPasswordRef, applicationSetInfo.Namespace)
+		if err != nil {
+			return nil, fmt.Errorf("error fetching Bitbucket cloud appPassword: %v", err)
+		}
+		provider, err = scm_provider.NewBitBucketCloudProvider(ctx, providerConfig.Bitbucket.Owner, providerConfig.Bitbucket.User, appPassword, providerConfig.Bitbucket.AllBranches)
+		if err != nil {
+			return nil, fmt.Errorf("error initializing Bitbucket cloud service: %v", err)
+		}
 	} else {
 		return nil, fmt.Errorf("no SCM provider implementation configured")
 	}

argocd-cosign.pub

@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
-JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
------END PUBLIC KEY-----

assets/swagger.json

@@ -4097,6 +4097,9 @@
         "appLabelKey": {
           "type": "string"
         },
+        "appsInAnyNamespaceEnabled": {
+          "type": "boolean"
+        },
         "configManagementPlugins": {
           "type": "array",
           "items": {

cmd/argocd/commands/admin/notifications.go

@@ -33,7 +33,7 @@ func NewNotificationsCommand() *cobra.Command {
 	var argocdService service.Service
 	toolsCommand := cmd.NewToolsCommand(
 		"notifications",
-		"notifications",
+		"argocd admin notifications",
 		applications,
 		settings.GetFactorySettings(argocdService, "argocd-notifications-secret", "argocd-notifications-cm"), func(clientConfig clientcmd.ClientConfig) {
 			k8sCfg, err := clientConfig.ClientConfig()

cmd/argocd/commands/admin/settings.go

@@ -206,7 +206,7 @@ var validatorsByGroup = map[string]settingValidator{
 			}
 			ssoProvider = "Dex"
 		} else if general.OIDCConfigRAW != "" {
-			if _, err := settings.UnmarshalOIDCConfig(general.OIDCConfigRAW); err != nil {
+			if err := settings.ValidateOIDCConfig(general.OIDCConfigRAW); err != nil {
 				return "", fmt.Errorf("invalid oidc.config: %v", err)
 			}
 			ssoProvider = "OIDC"

cmpserver/plugin/plugin.go

@@ -203,6 +203,11 @@ func (s *Service) generateManifest(ctx context.Context, appDir string, envEntrie
 
 	manifests, err := kube.SplitYAMLToString([]byte(out))
 	if err != nil {
+		sanitizedManifests := manifests
+		if len(sanitizedManifests) > 1000 {
+			sanitizedManifests = manifests[:1000]
+		}
+		log.Debugf("Failed to split generated manifests. Beginning of generated manifests: %q", sanitizedManifests)
 		return &apiclient.ManifestResponse{}, err
 	}
 

common/common.go

@@ -1,6 +1,7 @@
 package common
 
 import (
+	"errors"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -316,3 +317,8 @@ const (
 	SecurityMedium    = 2 // Could indicate malicious events, but has a high likelihood of being user/system error (i.e. access denied)
 	SecurityLow       = 1 // Unexceptional entries (i.e. successful access logs)
 )
+
+// Common error messages
+const TokenVerificationError = "failed to verify the token"
+
+var TokenVerificationErr = errors.New(TokenVerificationError)

controller/appcontroller.go

@@ -335,7 +335,7 @@ func (ctrl *ApplicationController) handleObjectUpdated(managedByApp map[string]b
 		}
 
 		if !ctrl.canProcessApp(obj) {
-			// Don't force refresh app if app belongs to a different controller shard
+			// Don't force refresh app if app belongs to a different controller shard or is outside the allowed namespaces.
 			continue
 		}
 
@@ -1497,17 +1497,7 @@ func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application)
 	errorConditions := make([]appv1.ApplicationCondition, 0)
 	proj, err := ctrl.getAppProj(app)
 	if err != nil {
-		if apierr.IsNotFound(err) {
-			errorConditions = append(errorConditions, appv1.ApplicationCondition{
-				Type:    appv1.ApplicationConditionInvalidSpecError,
-				Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
-			})
-		} else {
-			errorConditions = append(errorConditions, appv1.ApplicationCondition{
-				Type:    appv1.ApplicationConditionUnknownError,
-				Message: err.Error(),
-			})
-		}
+		errorConditions = append(errorConditions, ctrl.projectErrorToCondition(err, app))
 	} else {
 		specConditions, err := argo.ValidatePermissions(context.Background(), &app.Spec, proj, ctrl.db)
 		if err != nil {
@@ -1729,6 +1719,13 @@ func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {
 	if !ok {
 		return false
 	}
+
+	// Only process given app if it exists in a watched namespace, or in the
+	// control plane's namespace.
+	if app.Namespace != ctrl.namespace && !glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false) {
+		return false
+	}
+
 	if ctrl.clusterFilter != nil {
 		cluster, err := ctrl.db.GetCluster(context.Background(), app.Spec.Destination.Server)
 		if err != nil {
@@ -1737,12 +1734,6 @@ func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {
 		return ctrl.clusterFilter(cluster)
 	}
 
-	// Only process given app if it exists in a watched namespace, or in the
-	// control plane's namespace.
-	if app.Namespace != ctrl.namespace && !glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false) {
-		return false
-	}
-
 	return true
 }
 
@@ -1798,7 +1789,7 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 					// If the application is not allowed to use the project,
 					// log an error.
 					if _, err := ctrl.getAppProj(app); err != nil {
-						ctrl.setAppCondition(app, appv1.ApplicationCondition{Type: appv1.ApplicationConditionUnknownError, Message: err.Error()})
+						ctrl.setAppCondition(app, ctrl.projectErrorToCondition(err, app))
 					}
 				}
 
@@ -1869,6 +1860,19 @@ func (ctrl *ApplicationController) newApplicationInformerAndLister() (cache.Shar
 	return informer, lister
 }
 
+func (ctrl *ApplicationController) projectErrorToCondition(err error, app *appv1.Application) appv1.ApplicationCondition {
+	var condition appv1.ApplicationCondition
+	if apierr.IsNotFound(err) {
+		condition = appv1.ApplicationCondition{
+			Type:    appv1.ApplicationConditionInvalidSpecError,
+			Message: fmt.Sprintf("Application referencing project %s which does not exist", app.Spec.Project),
+		}
+	} else {
+		condition = appv1.ApplicationCondition{Type: appv1.ApplicationConditionUnknownError, Message: err.Error()}
+	}
+	return condition
+}
+
 func (ctrl *ApplicationController) RegisterClusterSecretUpdater(ctx context.Context) {
 	updater := NewClusterInfoUpdater(ctrl.stateCache, ctrl.db, ctrl.appLister.Applications(""), ctrl.cache, ctrl.clusterFilter, ctrl.getAppProj, ctrl.namespace)
 	go updater.Run(ctx)

controller/appcontroller_test.go

@@ -1068,6 +1068,34 @@ func TestUpdateReconciledAt(t *testing.T) {
 
 }
 
+func TestProjectErrorToCondition(t *testing.T) {
+	app := newFakeApp()
+	app.Spec.Project = "wrong project"
+	ctrl := newFakeController(&fakeData{
+		apps: []runtime.Object{app, &defaultProj},
+		manifestResponse: &apiclient.ManifestResponse{
+			Manifests: []string{},
+			Namespace: test.FakeDestNamespace,
+			Server:    test.FakeClusterURL,
+			Revision:  "abc123",
+		},
+		managedLiveObjs: make(map[kube.ResourceKey]*unstructured.Unstructured),
+	})
+	key, _ := cache.MetaNamespaceKeyFunc(app)
+	ctrl.appRefreshQueue.Add(key)
+	ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
+
+	ctrl.processAppRefreshQueueItem()
+
+	obj, ok, err := ctrl.appInformer.GetIndexer().GetByKey(key)
+	assert.True(t, ok)
+	assert.NoError(t, err)
+	updatedApp := obj.(*argoappv1.Application)
+	assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, updatedApp.Status.Conditions[0].Type)
+	assert.Equal(t, "Application referencing project wrong project which does not exist", updatedApp.Status.Conditions[0].Message)
+	assert.Equal(t, argoappv1.ApplicationConditionInvalidSpecError, updatedApp.Status.Conditions[0].Type)
+}
+
 func TestFinalizeProjectDeletion_HasApplications(t *testing.T) {
 	app := newFakeApp()
 	proj := &argoappv1.AppProject{ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: test.FakeArgoCDNamespace}}
@@ -1345,3 +1373,31 @@ func TestToAppKey(t *testing.T) {
 		})
 	}
 }
+
+func Test_canProcessApp(t *testing.T) {
+	app := newFakeApp()
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+	ctrl.applicationNamespaces = []string{"good"}
+	t.Run("without cluster filter, good namespace", func(t *testing.T) {
+		app.Namespace = "good"
+		canProcess := ctrl.canProcessApp(app)
+		assert.True(t, canProcess)
+	})
+	t.Run("without cluster filter, bad namespace", func(t *testing.T) {
+		app.Namespace = "bad"
+		canProcess := ctrl.canProcessApp(app)
+		assert.False(t, canProcess)
+	})
+	t.Run("with cluster filter, good namespace", func(t *testing.T) {
+		app.Namespace = "good"
+		ctrl.clusterFilter = func(_ *argoappv1.Cluster) bool { return true }
+		canProcess := ctrl.canProcessApp(app)
+		assert.True(t, canProcess)
+	})
+	t.Run("with cluster filter, bad namespace", func(t *testing.T) {
+		app.Namespace = "bad"
+		ctrl.clusterFilter = func(_ *argoappv1.Cluster) bool { return true }
+		canProcess := ctrl.canProcessApp(app)
+		assert.False(t, canProcess)
+	})
+}

docs/operator-manual/app-any-namespace.md

@@ -0,0 +1,220 @@
+# Applications in any namespace
+
+**Current feature state**: Beta
+
+!!! warning
+    Please read this documentation carefully before you enable this feature. Misconfiguration could lead to potential security issues.
+
+## Introduction
+
+As of version 2.5, Argo CD supports managing `Application` resources in namespaces other than the control plane's namespace (which is usually `argocd`), but this feature has to be explicitly enabled and configured appropriately.
+
+Argo CD administrators can define a certain set of namespaces where `Application` resources may be created, updated and reconciled in. However, applications in these additional namespaces will only be allowed to use certain `AppProjects`, as configured by the Argo CD administrators. This allows ordinary Argo CD users (e.g. application teams) to use patterns like declarative management of `Application` resources, implementing app-of-apps and others without the risk of a privilege escalation through usage of other `AppProjects` that would exceed the permissions granted to the application teams.
+
+Some manual steps will need to be performed by the Argo CD administrator in order to enable this feature. 
+
+!!! note
+    This feature is considered beta as of now. Some of the implementation details may change over the course of time until it is promoted to a stable status. We will be happy if early adopters use this feature and provide us with bug reports and feedback.
+    
+## Prerequisites
+
+### Cluster-scoped Argo CD installation
+
+This feature can only be enabled and used when your Argo CD is installed as a cluster-wide instance, so it has permissions to list and manipulate resources on a cluster scope. It will *not* work with an Argo CD installed in namespace-scoped mode.
+
+### Switch resource tracking method
+
+Also, while technically not necessary, it is strongly suggested that you switch the application tracking method from the default `label` setting to either `annotation` or `annotation+label`. The reasonsing for this is, that application names will be a composite of the namespace's name and the name of the `Application`, and this can easily exceed the 63 characters length limit imposed on label values. Annotations have a notably greater length limit.
+
+To enable annotation based resource tracking, refer to the documentation about [resource tracking methods](../../user-guide/resource_tracking/)
+
+## Implementation details
+
+### Overview
+
+In order for an application to be managed and reconciled outside the Argo CD's control plane namespace, two prerequisites must match:
+
+1. The `Application`'s namespace must be explicitly enabled using the `--application-namespaces` parameter for the `argocd-application-controller` and `argocd-server` workloads. This parameter controls the list of namespaces that Argo CD will be allowed to source `Application` resources from globally. Any namespace not configured here cannot be used from any `AppProject`.
+1. The `AppProject` referenced by the `.spec.project` field of the `Application` must have the namespace listed in its `.spec.sourceNamespaces` field. This setting will determine whether an `Application` may use a certain `AppProject`. If an `Application` specifies an `AppProject` that is not allowed, Argo CD refuses to process this `Application`. As stated above, any namespace configured in the `.spec.sourceNamespaces` field must also be enabled globally.
+
+`Applications` in different namespaces can be created and managed just like any other `Application` in the `argocd` namespace previously, either declaratively or through the Argo CD API (e.g. using the CLI, the web UI, the REST API, etc).
+
+### Reconfigure Argo CD to allow certain namespaces
+
+#### Change workload startup parameters
+
+In order to enable this feature, the Argo CD administrator must reconfigure the `argocd-server` and `argocd-application-controller` workloads to add the `--application-namespaces` parameter to the container's startup command.
+
+The `--application-namespaces` parameter takes a comma-separated list of namespaces where `Applications` are to be allowed in. Each entry of the list supports shell-style wildcards such as `*`, so for example the entry `app-team-*` would match `app-team-one` and `app-team-two`. To enable all namespaces on the cluster where Argo CD is running on, you can just specify `*`, i.e. `--application-namespaces=*`.
+
+The startup parameters for both, the `argocd-server` and the `argocd-application-controller` can also be conveniently set up and kept in sync by specifying the `application.namespaces` settings in the `argocd-cmd-params-cm` ConfigMap _instead_ of changing the manifests for the respective workloads. For example:
+
+```yaml
+data:
+  application.namespaces: app-team-one, app-team-two
+```
+
+would allow the `app-team-one` and `app-team-two` namespaces for managing `Application` resources. After a change to the `argocd-cmd-params-cm` namespace, the appropriate workloads need to be restarted:
+
+```bash
+kubectl rollout restart -n argocd deployment argocd-server
+kubectl rollout restart -n argocd statefulset argocd-application-controller
+```
+
+#### Adapt Kubernetes RBAC
+
+We decided to not extend the Kubernetes RBAC for the `argocd-server` workload by default for the time being. If you want `Applications` in other namespaces to be managed by the Argo CD API (i.e. the CLI and UI), you need to extend the Kubernetes permissions for the `argocd-server` ServiceAccount.
+
+We supply a `ClusterRole` and `ClusterRoleBinding` suitable for this purpose in the `examples/k8s-rbac/argocd-server-applications` directory. For a default Argo CD installation (i.e. installed to the `argocd` namespace), you can just apply them as-is:
+
+```shell
+kubectl apply -f examples/k8s-rbac/argocd-server-applications/
+```
+
+!!! note
+    At some later point in time, we may make this cluster role part of the default installation manifests.
+
+### Allowing additional namespaces in an AppProject
+
+Any user with Kubernetes access to the Argo CD control plane's namespace (`argocd`), especially those with permissions to create or update `Applications` in a declarative way, is to be considered an Argo CD admin.
+
+This prevented unprivileged Argo CD users from declaratively creating or managing `Applications` in the past. Those users were constrained to using the API instead, subject to Argo CD RBAC which ensures only `Applications` in allowed `AppProjects` were created.
+
+For an `Application` to be created outside the `argocd` namespace, the `AppProject` referred to in the `Application`'s `.spec.project` field must include the `Application`'s namespace in its `.spec.sourceNamespaces` field.
+
+For example, consider the two following (incomplete) `AppProject` specs:
+
+```yaml
+kind: AppProject
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: project-one
+  namespace: argocd
+spec:
+  sourceNamespaces:
+  - namespace-one
+```
+
+and
+
+```yaml
+kind: AppProject
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: project-two
+  namespace: argocd
+spec:
+  sourceNamespaces:
+  - namespace-two
+```
+
+In order for an Application to set `.spec.project` to `project-one`, it would have to be created in either namespace `namespace-one` or `argocd`. Likewise, in order for an Application to set `.spec.project` to `project-two`, it would have to be created in either namespace `namespace-two` or `argocd`.
+
+If an Application in `namespace-two` would set their `.spec.project` to `project-one` or an Application in `namespace-one` would set their `.spec.project` to `project-two`, Argo CD would consider this as a permission violation and refuse to reconcile the Application.
+
+Also, the Argo CD API will enforce these constraints, regardless of the Argo CD RBAC permissions.
+
+The `.spec.sourceNamespaces` field of the `AppProject` is a list that can contain an arbitrary amount of namespaces, and each entry supports shell-style wildcard, so that you can allow namespaces with patterns like `team-one-*`.
+
+!!! warning
+    Do not add user controlled namespaces in the `.spec.sourceNamespaces` field of any privileged AppProject like the `default` project. Always make sure that the AppProject follows the principle of granting least required privileges. Never grant access to the `argocd` namespace within the AppProject.
+
+!!! note
+    For backwards compatibility, Applications in the Argo CD control plane's namespace (`argocd`) are allowed to set their `.spec.project` field to reference any AppProject, regardless of the restrictions placed by the AppProject's `.spec.sourceNamespaces` field.
+  
+### Application names
+
+For the CLI and UI, applications are now referred to and displayed as in the format `<namespace>/<name>`. 
+
+For backwards compatibility, if the namespace of the Application is the control plane's namespace (i.e. `argocd`), the `<namespace>` can be omitted from the application name when referring to it. For example, the application names `argocd/someapp` and `someapp` are semantically the same and refer to the same application in the CLI and the UI.
+
+### Application RBAC
+
+The RBAC syntax for Application objects has been changed from `<project>/<application>` to `<project>/<namespace>/<application>` to accomodate the need to restrict access based on the source namespace of the Application to be managed.
+
+For backwards compatibility, Applications in the `argocd` namespace can still be refered to as `<project>/<application>` in the RBAC policy rules.
+
+Wildcards do not make any distinction between project and application namespaces yet. For example, the following RBAC rule would match any application belonging to project `foo`, regardless of the namespace it is created in:
+
+```
+p, somerole, applications, get, foo/*, allow
+```
+
+If you want to restrict access to be granted only to `Applications` in project `foo` within namespace `bar`, the rule would need to be adapted as follows:
+
+```
+p, somerole, applications, get, foo/bar/*, allow
+```
+  
+## Managing applications in other namespaces
+
+### Declaratively
+
+For declarative management of Applications, just create the Application from a YAML or JSON manifest in the desired namespace. Make sure that the `.spec.project` field refers to an AppProject that allows this namespace. For example, the following (incomplete) Application manifest creates an Application in the namespace `some-namespace`:
+
+```yaml
+kind: Application
+apiVersion: argoproj.io/v1alpha1
+metadata:
+  name: some-app
+  namespace: some-namespace
+spec:
+  project: some-project
+  # ...
+```
+
+The project `some-project` will then need to specify `some-namespace` in the list of allowed source namespaces, e.g.
+
+```yaml
+kind: AppProject
+apiVersion: argoproj.io/v1alpha1
+metadata:
+    name: some-project
+    namespace: argocd
+spec:
+    sourceNamespaces:
+    - some-namespace
+```
+
+### Using the CLI
+
+You can use all existing Argo CD CLI commands for managing applications in other namespaces, exactly as you would use the CLI to manage applications in the control plane's namespace.
+
+For example, to retrieve the `Application` named `foo` in the namespace `bar`, you can use the following CLI command:
+
+```shell
+argocd app get foo/bar
+```
+
+Likewise, to manage this application, keep referring to it as `foo/bar`:
+
+```bash
+# Create an application
+argocd app create foo/bar ...
+# Sync the application
+argocd app sync foo/bar
+# Delete the application
+argocd app delete foo/bar
+# Retrieve application's manifest
+argocd app manifests foo/bar
+```
+
+As stated previously, for applications in the Argo CD's control plane namespace, you can omit the namespace from the application name.
+
+### Using the UI
+
+Similar to the CLI, you can refer to the application in the UI as `foo/bar`.
+
+For example, to create an application named `bar` in the namespace `foo` in the web UI, set the application name in the creation dialogue's _Application Name_ field to `foo/bar`. If the namespace is omitted, the control plane's namespace will be used.
+
+### Using the REST API
+
+If you are using the REST API, the namespace for `Application` cannot be specified as the application name, and resources need to be specified using the optional `appNamespace` query parameter. For example, to work with the `Application` resource named `foo` in the namespace `bar`, the request would look like follows:
+
+```bash
+GET /api/v1/applications/foo?appNamespace=bar
+```
+
+For other operations such as `POST` and `PUT`, the `appNamespace` parameter must be part of the request's payload.
+
+For `Application` resources in the control plane namespace, this parameter can be omitted.

docs/operator-manual/application.yaml

@@ -45,6 +45,9 @@ spec:
       valueFiles:
       - values-prod.yaml
 
+      # Ignore locally missing valueFiles when installing Helm chart. Defaults to false
+      ignoreMissingValueFiles: false
+
       # Values file as block file
       values: |
         ingress:
@@ -61,6 +64,9 @@ spec:
               hosts:
                 - mydomain.example.com
 
+      # Skip custom resource definition installation if chart contains custom resource definitions. Defaults to false
+      skipCrds: false
+
       # Optional Helm version to template with. If omitted it will fall back to look at the 'apiVersion' in Chart.yaml
       # and decide which Helm binary to use automatically. This field can be either 'v2' or 'v3'.
       version: v2

docs/operator-manual/applicationset/Generators-Pull-Request.md

@@ -60,7 +60,7 @@ spec:
 * `repo`: Required name of the GitHub repository.
 * `api`: If using GitHub Enterprise, the URL to access it. (Optional)
 * `tokenRef`: A `Secret` name and key containing the GitHub access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional)
-* `labels`: Labels is used to filter the PRs that you want to target. (Optional)
+* `labels`: Filter the PRs to those containing **all** of the labels listed. (Optional)
 * `appSecretName`: A `Secret` name containing a GitHub App secret in [repo-creds format][repo-creds].
 
 [repo-creds]: ../declarative-setup.md#repository-credentials
@@ -318,3 +318,7 @@ The Pull Request Generator will requeue when the next action occurs.
 - `merge`
 
 For more information about each event, please refer to the [official documentation](https://docs.gitlab.com/ee/user/project/integrations/webhook_events.html#merge-request-events).
+
+## Lifecycle
+
+An Application will be generated when a Pull Request is discovered when the configured criteria is met - i.e. for GitHub when a Pull Request matches the specified `labels` and/or `pullRequestState`. Application will be removed when a Pull Request no longer meets the specified criteria.

docs/operator-manual/applicationset/Generators-SCM-Provider.md

@@ -219,6 +219,41 @@ spec:
 * `api`: Optional. URL to Azure DevOps. If not set, `https://dev.azure.com` is used.
 * `allBranches`: Optional, default `false`. If `true`, scans every branch of eligible repositories. If `false`, check only the default branch of the eligible repositories.
 
+## Bitbucket Cloud
+
+The Bitbucket mode uses the Bitbucket API V2 to scan a workspace in bitbucket.org.
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: myapps
+spec:
+  generators:
+  - scmProvider:
+      bitbucket:
+        # The workspace id (slug).  
+        owner: "example-owner"
+        # The user to use for basic authentication with an app password.
+        user: "example-user"
+        # If true, scan every branch of every repository. If false, scan only the main branch. Defaults to false.
+        allBranches: true
+        # Reference to a Secret containing an app password.
+        appPasswordRef:
+          secretName: appPassword
+          key: password
+  template:
+  # ...
+```
+
+* `owner`: The workspace ID (slug) to use when looking up repositories.
+* `user`: The user to use for authentication to the Bitbucket API V2 at bitbucket.org.
+* `allBranches`: By default (false) the template will only be evaluated for the main branch of each repo. If this is true, every branch of every repository will be passed to the filters. If using this flag, you likely want to use a `branchMatch` filter.
+* `appPasswordRef`: A `Secret` name and key containing the bitbucket app password to use for requests.
+
+This SCM provider does not yet support label filtering
+
+Available clone protocols are `ssh` and `https`.
 
 ## Filters
 

docs/operator-manual/applicationset/GoTemplate.md

@@ -87,7 +87,7 @@ By activating Go Templating, `{{ .path }}` becomes an object. Therefore, some ch
 generators' templating:
 
 - `{{ path }}` becomes `{{ .path.path }}`
-- `{{ path[n] }}` becomes `{{ .path.segments[n] }}`
+- `{{ path[n] }}` becomes `{{ index .path.segments n }}`
 
 Here is an example:
 
@@ -155,7 +155,7 @@ It is also possible to use Sprig functions to construct the path variables manua
 | `{{path.filename}}` | `{{.path.filename}}` | `{{.path.filename}}` |
 | `{{path.basenameNormalized}}` | `{{.path.basenameNormalized}}` | `{{normalize .path.path}}` |
 | `{{path.filenameNormalized}}` | `{{.path.filenameNormalized}}` | `{{normalize .path.filename}}` |
-| `{{path[N]}}` | `{{.path.segments[N]}}` | `{{index (splitList "/" .path.path) N}}` |
+| `{{path[N]}}` | `-` | `{{index .path.segments N}}` |
 
 ## Examples
 

docs/operator-manual/argocd-cm.yaml

@@ -47,7 +47,7 @@ data:
   help.download.windows-amd64: "path-or-url-to-download"
 
   # A dex connector configuration (optional). See SSO configuration documentation:
-  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/sso
+  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
   # https://dexidp.io/docs/connectors/
   dex.config: |
     connectors:

docs/operator-manual/custom_tools.md

@@ -51,7 +51,7 @@ following example builds an entirely customized repo-server from a Dockerfile, i
 dependencies that may be needed for generating manifests.
 
 ```Dockerfile
-FROM argoproj/argocd:latest
+FROM argoproj/argocd:v2.5.4 # Replace tag with the appropriate argo version
 
 # Switch to root for the ability to perform install
 USER root

docs/operator-manual/high_availability.md

@@ -6,8 +6,8 @@ A set of HA manifests are provided for users who wish to run Argo CD in a highly
 
 [Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests) 
 
-!!! note
-    The HA installation will require at least three different nodes due to pod anti-affinity roles in the specs.
+> **NOTE:** The HA installation will require at least three different nodes due to pod anti-affinity roles in the
+> specs. Additionally, IPv6 only clusters are not supported.
 
 ## Scaling Up
 
@@ -188,4 +188,4 @@ spec:
     targetRevision: HEAD
     path: my-application
 # ...
-```
+```

docs/operator-manual/installation.md

@@ -80,7 +80,7 @@ resources:
 ## Helm
 
 The Argo CD can be installed using [Helm](https://helm.sh/). The Helm chart is currently community maintained and available at
-[argo-helm/charts/argo-cd](https://github.com/argoproj/argo-helm/tree/master/charts/argo-cd).
+[argo-helm/charts/argo-cd](https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd).
 
 ## Supported versions
 

docs/operator-manual/metrics.md

@@ -67,8 +67,7 @@ Scraped at the `argocd-server-metrics:8083/metrics` endpoint.
 | Metric | Type | Description |
 |--------|:----:|-------------|
 | `argocd_redis_request_duration` | histogram | Redis requests duration. |
-| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application
-reconciliation. |
+| `argocd_redis_request_total` | counter | Number of kubernetes requests executed during application reconciliation. |
 | `grpc_server_handled_total` | counter | Total number of RPCs completed on the server, regardless of success or failure. |
 | `grpc_server_msg_sent_total` | counter | Total number of gRPC stream messages sent by the server. |
 

docs/operator-manual/notifications/troubleshooting-commands.md

@@ -1,9 +1,9 @@
-## notifications template get
+## argocd admin notifications template get
 
 Prints information about configured templates
 
 ```
-notifications template get [flags]
+argocd admin notifications template get [flags]
 ```
 
 ### Examples
@@ -11,9 +11,9 @@ notifications template get [flags]
 ```
 
 # prints all templates
-notifications template get
+argocd admin notifications template get
 # print YAML formatted app-sync-succeeded template definition
-notifications template get app-sync-succeeded -o=yaml
+argocd admin notifications template get app-sync-succeeded -o=yaml
 
 ```
 
@@ -53,12 +53,12 @@ notifications template get app-sync-succeeded -o=yaml
       --username string                 Username for basic authentication to the API server
 ```
 
-## notifications template notify
+## argocd admin notifications template notify
 
 Generates notification using the specified template and send it to specified recipients
 
 ```
-notifications template notify NAME RESOURCE_NAME [flags]
+argocd admin notifications template notify NAME RESOURCE_NAME [flags]
 ```
 
 ### Examples
@@ -66,10 +66,10 @@ notifications template notify NAME RESOURCE_NAME [flags]
 ```
 
 # Trigger notification using in-cluster config map and secret
-notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
+argocd admin notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
 
 # Render notification render generated notification in console
-notifications template notify app-sync-succeeded guestbook
+argocd admin notifications template notify app-sync-succeeded guestbook
 
 ```
 
@@ -109,12 +109,12 @@ notifications template notify app-sync-succeeded guestbook
       --username string                 Username for basic authentication to the API server
 ```
 
-## notifications trigger get
+## argocd admin notifications trigger get
 
 Prints information about configured triggers
 
 ```
-notifications trigger get [flags]
+argocd admin notifications trigger get [flags]
 ```
 
 ### Examples
@@ -122,9 +122,9 @@ notifications trigger get [flags]
 ```
 
 # prints all triggers
-notifications trigger get
+argocd admin notifications trigger get
 # print YAML formatted on-sync-failed trigger definition
-notifications trigger get on-sync-failed -o=yaml
+argocd admin notifications trigger get on-sync-failed -o=yaml
 
 ```
 
@@ -164,12 +164,12 @@ notifications trigger get on-sync-failed -o=yaml
       --username string                 Username for basic authentication to the API server
 ```
 
-## notifications trigger run
+## argocd admin notifications trigger run
 
 Evaluates specified trigger condition and prints the result
 
 ```
-notifications trigger run NAME RESOURCE_NAME [flags]
+argocd admin notifications trigger run NAME RESOURCE_NAME [flags]
 ```
 
 ### Examples
@@ -177,10 +177,10 @@ notifications trigger run NAME RESOURCE_NAME [flags]
 ```
 
 # Execute trigger configured in 'argocd-notification-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml
 
 # Execute trigger using my-config-map.yaml instead of 'argocd-notifications-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml \
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml \
     --config-map ./my-config-map.yaml
 ```
 

docs/operator-manual/notifications/troubleshooting.md

@@ -1,6 +1,6 @@
 ## Troubleshooting
 
-The `argocd-notifications` binary includes a set of CLI commands that helps to configure the controller
+The `argocd admin notifications` is a CLI command group that helps to configure the controller
 settings and troubleshoot issues.
 
 ## Global flags
@@ -17,15 +17,15 @@ Additionally, you can specify `:empty` value to use empty secret with no notific
 * Get list of triggers configured in the local config map:
 
 ```bash
-argocd-notifications trigger get \
-  --config-map ./argocd-notifications-cm.yaml --secret :empty
+argocd admin notifications trigger get \
+  --config-map ./argocd admin notifications-cm.yaml --secret :empty
 ```
 
 * Trigger notification using in-cluster config map and secret:
 
 ```bash
-argocd-notifications template notify \
-  app-sync-succeeded guestbook --recipient slack:argocd-notifications
+argocd admin notifications template notify \
+  app-sync-succeeded guestbook --recipient slack:argocd admin notifications
 ```
 
 ## Kustomize
@@ -44,18 +44,18 @@ kustomize build ./argocd-notifications | \
 
 ### On your laptop
 
-You can download `argocd-notifications` from the github [release](https://github.com/argoproj-labs/argocd-notifications/releases)
+You can download the `argocd` CLI from the github [release](https://github.com/argoproj/argo-cd/releases)
 attachments.
 
-The binary is available in `argoprojlabs/argocd-notifications` image. Use the `docker run` and volume mount
+The binary is available in `argoproj/argo-cd` image. Use the `docker run` and volume mount
 to execute binary on any platform. 
 
 **Example:**
 
 ```bash
 docker run --rm -it -w /src -v $(pwd):/src \
-  argoprojlabs/argocd-notifications:<version> \
-  /app/argocd-notifications trigger get \
+  argoproj/argo-cd:<version> \
+  /app/argocd admin notifications trigger get \
   --config-map ./argocd-notifications-cm.yaml --secret :empty
 ```
 
@@ -67,7 +67,7 @@ configuration.
 **Example**
 ```bash
 kubectl exec -it argocd-notifications-controller-<pod-hash> \
-  /app/argocd-notifications trigger get
+  /app/argocd admin notifications trigger get
 ```
 
 ## Commands

docs/operator-manual/project.yaml

@@ -15,9 +15,11 @@ spec:
   - '*'
 
   # Only permit applications to deploy to the guestbook namespace in the same cluster
+  # Destination clusters can be identified by 'server', 'name', or both.
   destinations:
   - namespace: guestbook
     server: https://kubernetes.default.svc
+    name: in-cluster
 
   # Deny all cluster-scoped resources from being created, except for Namespace
   clusterResourceWhitelist:

docs/operator-manual/secret-management.md

@@ -1,6 +1,11 @@
 # Secret Management
 
-Argo CD is un-opinionated about how secrets are managed. There's many ways to do it and there's no one-size-fits-all solution. Here's some ways people are doing GitOps secrets:
+Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there's no one-size-fits-all solution.
+
+Many solutions use plugins to inject secrets into the application manifests. See [Mitigating Risks of Secret-Injection Plugins](#mitigating-risks-of-secret-injection-plugins)
+below to make sure you use those plugins securely.
+
+Here are some ways people are doing GitOps secrets:
 
 * [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 * [External Secrets Operator](https://github.com/external-secrets/external-secrets)
@@ -12,5 +17,20 @@ Argo CD is un-opinionated about how secrets are managed. There's many ways to do
 * [KSOPS](https://github.com/viaduct-ai/kustomize-sops#argo-cd-integration)
 * [argocd-vault-plugin](https://github.com/argoproj-labs/argocd-vault-plugin)
 * [argocd-vault-replacer](https://github.com/crumbhole/argocd-vault-replacer)
+* [Kubernetes Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver)
 
 For discussion, see [#1364](https://github.com/argoproj/argo-cd/issues/1364)
+
+## Mitigating Risks of Secret-Injection Plugins
+
+Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those 
+manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to 
+anyone who has access to the Redis instance or to the repo-server.
+
+Consider these steps to mitigate the risks of secret-injection plugins:
+
+1. Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your
+   cluster supports those network policies and can actually enforce them.
+2. Consider running Argo CD on its own cluster, with no other applications running on it.
+3. [Enable password authentication on the Redis instance](https://github.com/argoproj/argo-cd/issues/3130) (currently
+   only supported for non-HA Argo CD installations).

docs/operator-manual/signed-release-assets.md

@@ -4,21 +4,17 @@ All Argo CD container images are signed by cosign. Checksums are created for the
 
 ## Prerequisites
 - Cosign [installation instructions](https://docs.sigstore.dev/cosign/installation)
-- Obtain or have a copy of the [public key](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) ```argocd-cosign.pub```
+- Obtain or have a copy of ```argocd-cosign.pub```, which can be located in the assets section of the [release page](https://github.com/argoproj/argo-cd/releases)
+
+Once you have installed cosign, you can use ```argocd-cosign.pub``` to verify the signed assets or container images.
+
 
-Once you have installed cosign, you can use [argocd-cosign.pub](https://github.com/argoproj/argo-cd/blob/master/argocd-cosign.pub) to verify the signed assets or container images.
-```
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEesHEB7vX5Y2RxXypjMy1nI1z7iRG
-JI9/gt/sYqzpsa65aaNP4npM43DDxoIy/MQBo9s/mxGxmA+8UXeDpVC9vw==
------END PUBLIC KEY-----
-```
 ## Verification of container images
 
 ```bash
-cosign verify --key argocd-cosign.pub  quay.io/argoproj/argocd:latest
+cosign verify --key argocd-cosign.pub  quay.io/argoproj/argocd:<VERSION>
 
-Verification for quay.io/argoproj/argocd:latest --
+Verification for quay.io/argoproj/argocd:<VERSION> --
 The following checks were performed on each of these signatures:
   * The cosign claims were validated
   * The signatures were verified against the specified public key
@@ -27,6 +23,9 @@ The following checks were performed on each of these signatures:
 ## Verification of signed assets
 
 ```bash
-cosign verify-blob --key cosign.pub --signature $(cat argocd-$VERSION-checksums.sig) argocd-$VERSION-checksums.txt
+cosign verify-blob --key cosign.pub --signature $(cat argocd-<VERSION>-checksums.sig) argocd-$VERSION-checksums.txt
 Verified OK
 ```
+## Admission controllers
+
+Cosign is compatible with several types of admission controllers.  Please see the [Cosign documentation](https://docs.sigstore.dev/cosign/overview/#kubernetes-integrations) for supported controllers

docs/operator-manual/user-management/index.md

@@ -301,6 +301,18 @@ data:
     issuer: https://dev-123456.oktapreview.com
     clientID: aaaabbbbccccddddeee
     clientSecret: $oidc.okta.clientSecret
+    
+    # Optional list of allowed aud claims. If omitted or empty, defaults to the clientID value above. If you specify a 
+    # list and want the clientD to be allowed, you must explicitly include it in the list.
+    # Token verification will pass if any of the token's audiences matches any of the audiences in this list.
+    allowedAudiences:
+    - aaaabbbbccccddddeee
+    - qqqqwwwweeeerrrrttt
+
+    # Optional. If false, tokens without an audience will always fail validation. If true, tokens without an audience 
+    # will always pass validation.
+    # Defaults to true for Argo CD < 2.6.0. Defaults to false for Argo CD >= 2.6.0.
+    skipAudienceCheckWhenTokenHasNoAudience: true
 
     # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
     requestedScopes: ["openid", "profile", "email", "groups"]

docs/operator-manual/user-management/keycloak.md

@@ -17,6 +17,8 @@ Configure the client by setting the __Access Type__ to _confidential_ and set th
 hostname. It should be https://{hostname}/auth/callback (you can also leave the default less secure https://{hostname}/* ). You can also set the
 __Base URL__ to _/applications_.
 
+If you want to allow command line access, __Access Type__ must be set to _public_ and you also need to add http://localhost:8085/auth/callback in the list of Valid Redirect URIs. Then users can login using `argocd login {hostname} --sso`.
+
 ![Keycloak configure client](../../assets/keycloak-configure-client.png "Keycloak configure client")
 
 Make sure to click __Save__. You should now have a new tab called __Credentials__. You can copy the Secret that we'll use in our ArgoCD 

docs/requirements.txt

@@ -1,5 +1,5 @@
 mkdocs==1.2.3
-mkdocs-material==7.1.7
+mkdocs-material==7.1.8
 markdown_include==0.6.0
 pygments==2.7.4
 jinja2==3.0.3

docs/user-guide/build-environment.md

@@ -2,14 +2,16 @@
 
 [Custom tools](config-management-plugins.md), [Helm](helm.md), [Jsonnet](jsonnet.md), and [Kustomize](kustomize.md) support the following build env vars:
 
-* `ARGOCD_APP_NAME` - name of application
-* `ARGOCD_APP_NAMESPACE` - destination application namespace.
-* `ARGOCD_APP_REVISION` - the resolved revision, e.g. `f913b6cbf58aa5ae5ca1f8a2b149477aebcbd9d8`
-* `ARGOCD_APP_SOURCE_PATH` - the path of the app within the repo
-* `ARGOCD_APP_SOURCE_REPO_URL` the repo's URL
-* `ARGOCD_APP_SOURCE_TARGET_REVISION` - the target revision from the spec, e.g. `master`.
-* `KUBE_VERSION` - the version of kubernetes
-* `KUBE_API_VERSIONS` = the version of kubernetes API
+| Variable                            | Description                                                             |
+| ----------------------------------- | ----------------------------------------------------------------------- |
+| `ARGOCD_APP_NAME`                   | The name of the application.                                            |
+| `ARGOCD_APP_NAMESPACE`              | The destination namespace of the application.                           |
+| `ARGOCD_APP_REVISION`               | The resolved revision, e.g. `f913b6cbf58aa5ae5ca1f8a2b149477aebcbd9d8`. |
+| `ARGOCD_APP_SOURCE_PATH`            | The path of the app within the source repo.                             |
+| `ARGOCD_APP_SOURCE_REPO_URL`        | The source repo URL.                                                    |
+| `ARGOCD_APP_SOURCE_TARGET_REVISION` | The target revision from the spec, e.g. `master`.                       |
+| `KUBE_VERSION`                      | The version of Kubernetes.                                              |
+| `KUBE_API_VERSIONS`                 | The version of the Kubernetes API.                                      |
 
 In case you don't want a variable to be interpolated, `$` can be escaped via `$$`.
 

docs/user-guide/commands/argocd_admin_notifications_template_get.md

@@ -11,9 +11,9 @@ argocd admin notifications template get [flags]
 ```
 
 # prints all templates
-notifications template get
+argocd admin notifications template get
 # print YAML formatted app-sync-succeeded template definition
-notifications template get app-sync-succeeded -o=yaml
+argocd admin notifications template get app-sync-succeeded -o=yaml
 
 ```
 

docs/user-guide/commands/argocd_admin_notifications_template_notify.md

@@ -11,10 +11,10 @@ argocd admin notifications template notify NAME RESOURCE_NAME [flags]
 ```
 
 # Trigger notification using in-cluster config map and secret
-notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
+argocd admin notifications template notify app-sync-succeeded guestbook --recipient slack:my-slack-channel
 
 # Render notification render generated notification in console
-notifications template notify app-sync-succeeded guestbook
+argocd admin notifications template notify app-sync-succeeded guestbook
 
 ```
 

docs/user-guide/commands/argocd_admin_notifications_trigger_get.md

@@ -11,9 +11,9 @@ argocd admin notifications trigger get [flags]
 ```
 
 # prints all triggers
-notifications trigger get
+argocd admin notifications trigger get
 # print YAML formatted on-sync-failed trigger definition
-notifications trigger get on-sync-failed -o=yaml
+argocd admin notifications trigger get on-sync-failed -o=yaml
 
 ```
 

docs/user-guide/commands/argocd_admin_notifications_trigger_run.md

@@ -11,10 +11,10 @@ argocd admin notifications trigger run NAME RESOURCE_NAME [flags]
 ```
 
 # Execute trigger configured in 'argocd-notification-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml
 
 # Execute trigger using my-config-map.yaml instead of 'argocd-notifications-cm' ConfigMap
-notifications trigger run on-sync-status-unknown ./sample-app.yaml \
+argocd admin notifications trigger run on-sync-status-unknown ./sample-app.yaml \
     --config-map ./my-config-map.yaml
 ```
 

docs/user-guide/config-management-plugins.md

@@ -68,7 +68,14 @@ spec:
     # This is a good place to, for example, download chart dependencies.
     command: [sh, -c, 'echo "Initializing..."']
   generate:
-    command: [sh, -c, 'echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"Foo\": \"$FOO\", \"KubeVersion\": \"$KUBE_VERSION\", \"KubeApiVersion\": \"$KUBE_API_VERSIONS\",\"Bar\": \"baz\"}}}"']
+    command: [sh, -c]
+    args:
+      - |
+        echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"Foo\": \"$ARGOCD_ENV_FOO\", \"KubeVersion\": \"$KUBE_VERSION\", \"KubeApiVersion\": \"$KUBE_API_VERSIONS\",\"Bar\": \"baz\"}}}"
+  # The discovery config is applied to a repository. If every configured discovery tool matches, then the plugin may be
+  # used to generate manifests for Applications using the repository. 
+  # Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the 
+  # first (in that order) is evaluated.
   discover:
     fileName: "./subdir/s*.yaml"
 ```
@@ -122,7 +129,7 @@ data:
       init:
         command: [sh, -c, 'echo "Initializing..."']
       generate:
-        command: [sh, -c, 'echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"Foo\": \"$FOO\", \"KubeVersion\": \"$KUBE_VERSION\", \"KubeApiVersion\": \"$KUBE_API_VERSIONS\",\"Bar\": \"baz\"}}}"']
+        command: [sh, -c, 'echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"Foo\": \"$ARGOCD_ENV_FOO\", \"KubeVersion\": \"$KUBE_VERSION\", \"KubeApiVersion\": \"$KUBE_API_VERSIONS\",\"Bar\": \"baz\"}}}"']
       discover:
         fileName: "./subdir/s*.yaml"
 ```
@@ -259,11 +266,16 @@ If you are actively developing a sidecar-installed CMP, keep a few things in min
 3) CMP errors are cached by the repo-server in Redis. Restarting the repo-server Pod will not clear the cache. Always
    do a "Hard Refresh" when actively developing a CMP so you have the latest output.
 
+!!! note
+    Each Application can only have one config management plugin configured at a time. If you're converting an existing
+    plugin configured through the `argocd-cm` ConfigMap to a sidecar, make sure the discovery mechanism only returns
+    true for Applications that have had their `name` field in the `plugin` section of their spec removed.
+
 ## Plugin tar stream exclusions
 
 In order to increase the speed of manifest generation, certain files and folders can be excluded from being sent to your
-plugin. We recommend excluding your `.git` folder if it isn't necessary. Use Go's 
-[filepatch.Match](https://pkg.go.dev/path/filepath#Match) syntax.
+plugin. We recommend excluding your `.git` folder if it isn't necessary. Use Go's
+[filepatch.Match](https://pkg.go.dev/path/filepath#Match) syntax. For example, `.git/*` to exclude `.git` folder.
 
 You can set it one of three ways:
 

docs/user-guide/kustomize.md

@@ -69,7 +69,7 @@ spec:
   source:
     repoURL: https://github.com/argoproj/argocd-example-apps.git
     targetRevision: HEAD
-    path: guestbook-kustomize
+    path: kustomize-guestbook
 
     kustomize:
       version: v3.5.4
@@ -84,7 +84,7 @@ argocd app set <appName> --kustomize-version v3.5.4
 
 ## Build Environment
 
-Kustomize does not support parameters and therefore cannot support the standard [build environment](build-environment.md).
+Kustomize apps have access to the [standard build environment](build-environment.md) which can be used in combination with a [config managment plugin](config-management-plugins.md) to alter the rendered manifests.
 
 ## Kustomizing Helm charts
 

docs/user-guide/sync-options.md

@@ -38,8 +38,8 @@ metadata:
     argocd.argoproj.io/sync-options: Validate=false
 ```
 
-If you want to exclude a whole class of objects globally, consider setting `resource.customizations` in [system level configuration](../user-guide/diffing.md#system-level-configuration). 
-    
+If you want to exclude a whole class of objects globally, consider setting `resource.customizations` in [system level configuration](../user-guide/diffing.md#system-level-configuration).
+
 ## Skip Dry Run for new custom resources types
 
 When syncing a custom resource which is not yet known to the cluster, there are generally two options:
@@ -60,9 +60,9 @@ The dry run will still be executed if the CRD is already present in the cluster.
 
 ## Selective Sync
 
-Currently when syncing using auto sync Argo CD applies every object in the application. 
+Currently when syncing using auto sync Argo CD applies every object in the application.
 For applications containing thousands of objects this takes quite a long time and puts undue pressure on the api server.
-Turning on selective sync option which will sync only out-of-sync resources. 
+Turning on selective sync option which will sync only out-of-sync resources.
 
 You can add this option by following ways
 
@@ -77,7 +77,7 @@ spec:
   syncPolicy:
     syncOptions:
     - ApplyOutOfSyncOnly=true
-``` 
+```
 
 2) Set sync option via argocd cli
 
@@ -104,8 +104,8 @@ spec:
 
 ## Prune Last
 
-This feature is to allow the ability for resource pruning to happen as a final, implicit wave of a sync operation, 
-after the other resources have been deployed and become healthy, and after all other waves completed successfully. 
+This feature is to allow the ability for resource pruning to happen as a final, implicit wave of a sync operation,
+after the other resources have been deployed and become healthy, and after all other waves completed successfully.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -142,6 +142,10 @@ spec:
 
 If the `Replace=true` sync option is set the Argo CD will use `kubectl replace` or `kubectl create` command to apply changes.
 
+!!! warning
+      During the sync process, the resources will be synchronized using the 'kubectl replace/create' command.
+      This sync option has the potential to be destructive and might lead to resources having to be recreated, which could cause an outage for your application.
+
 This can also be configured at individual resource level.
 ```yaml
 metadata:
@@ -262,10 +266,16 @@ The example above shows how an Argo CD Application can be configured so it will
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  namespace: test
+  namespace: argocd
 spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: some-namespace
   syncPolicy:
     syncOptions:
     - CreateNamespace=true
 ```
-The example above shows how an Argo CD Application can be configured so it will create namespaces for the Application resources if the namespaces don't exist already. Without this either declared in the Application manifest or passed in the cli via `--sync-option CreateNamespace=true`, the Application will fail to sync if the resources' namespaces do not exist.
+
+The example above shows how an Argo CD Application can be configured so it will create the namespace specified in `spec.destination.namespace` if it doesn't exist already. Without this either declared in the Application manifest or passed in the CLI via `--sync-option CreateNamespace=true`, the Application will fail to sync if the namespace doesn't exist.
+
+Note that the namespace to be created must be informed in the `spec.destination.namespace` field of the Application resource. The `metadata.namespace` field in the Application's child manifests must match this value, or can be omitted, so resources are created in the proper destination.

docs/user-guide/tool_detection.md

@@ -33,9 +33,11 @@ Otherwise it is assumed to be a plain **directory** application.
 
 ## Disable built-in tools
 
-Optionally built-in config management tools might be disabled. In order to disable the tool add one of the following
-keys to the `argocd-cm` ConfigMap: `kustomize.enable`, `helm.enable` or `jsonnet.enable`. Once the
-tool is disabled Argo CD will assume the application target directory contains plain Kubernetes YAML manifests.
+Built-in config management tools can be optionally disabled by setting one of the following
+keys, in the `argocd-cm` ConfigMap, to `false`: `kustomize.enable`, `helm.enable` or `jsonnet.enable`. Once the
+tool is disabled, Argo CD will assume the application target directory contains plain Kubernetes YAML manifests.
+
+Disabling unused config management tools can be a helpful security enhancement. Vulnerabilities are sometimes limited to certain config management tools. Even if there is no vulnerability, an attacker may use a certain tool to take advantage of a misconfiguration in an Argo CD instance. Disabling unused config management tools limits the tools available to malicious actors.
 
 ## References
 

go.mod

@@ -101,7 +101,7 @@ require (
 require (
 	github.com/gfleury/go-bitbucket-v1 v0.0.0-20220301131131-8e7ed04b843e
 	github.com/stretchr/objx v0.3.0 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0
 	k8s.io/apiserver v0.24.2
 )
 

hack/gen-catalog/main.go

@@ -150,18 +150,27 @@ func generateBuiltInTriggersDocs(out io.Writer, triggers map[string][]triggers.C
 }
 
 func generateCommandsDocs(out io.Writer) error {
-	toolsCmd := admin.NewNotificationsCommand()
-	for _, subCommand := range toolsCmd.Commands() {
-		for _, c := range subCommand.Commands() {
-			var cmdDesc bytes.Buffer
-			if err := doc.GenMarkdown(c, &cmdDesc); err != nil {
-				return err
-			}
-			for _, line := range strings.Split(cmdDesc.String(), "\n") {
-				if strings.HasPrefix(line, "### SEE ALSO") {
-					break
+    // create parents so that CommandPath() is correctly resolved
+	mainCmd := &cobra.Command{Use: "argocd"}
+	adminCmd := &cobra.Command{Use: "admin"}
+	toolCmd := admin.NewNotificationsCommand()
+	adminCmd.AddCommand(toolCmd)
+	mainCmd.AddCommand(adminCmd)
+	for _, mainSubCommand := range mainCmd.Commands() {
+		for _, adminSubCommand := range mainSubCommand.Commands() {
+			for _, toolSubCommand := range adminSubCommand.Commands() {
+				for _, c := range toolSubCommand.Commands() {
+					var cmdDesc bytes.Buffer
+					if err := doc.GenMarkdown(c, &cmdDesc); err != nil {
+						return err
+					}
+					for _, line := range strings.Split(cmdDesc.String(), "\n") {
+						if strings.HasPrefix(line, "### SEE ALSO") {
+							break
+						}
+						_, _ = fmt.Fprintf(out, "%s\n", line)
+					}
 				}
-				_, _ = fmt.Fprintf(out, "%s\n", line)
 			}
 		}
 	}

hack/installers/checksums/helm-v3.10.3-linux-amd64.tar.gz.sha256

@@ -0,0 +1 @@
+950439759ece902157cf915b209b8d694e6f675eaab5099fb7894f30eeaee9a2  helm-v3.10.3-linux-amd64.tar.gz

hack/installers/checksums/helm-v3.10.3-linux-arm64.tar.gz.sha256

@@ -0,0 +1 @@
+260cda5ff2ed5d01dd0fd6e7e09bc80126e00d8bdc55f3269d05129e32f6f99d  helm-v3.10.3-linux-arm64.tar.gz

hack/installers/checksums/helm-v3.10.3-linux-ppc64le.tar.gz.sha256

@@ -0,0 +1 @@
+93cdf398abc68e388d1b46d49d8e1197544930ecd3e81cc58d0a87a4579d60ed  helm-v3.10.3-linux-ppc64le.tar.gz

hack/installers/checksums/helm-v3.10.3-linux-s390x.tar.gz.sha256

@@ -0,0 +1 @@
+6cfa0b9078221f980ef400dc40c95eb71be81d14fdf247ca55efedb068e1d4fa  helm-v3.10.3-linux-s390x.tar.gz

hack/tool-versions.sh

@@ -11,7 +11,7 @@
 # Use ./hack/installers/checksums/add-helm-checksums.sh and
 # add-kustomize-checksums.sh to help download checksums.
 ###############################################################################
-helm3_version=3.10.1
+helm3_version=3.10.3
 kubectl_version=1.17.8
 kubectx_version=0.6.3
 kustomize4_version=4.5.7

manifests/base/dex/argocd-dex-server-deployment.yaml

@@ -37,7 +37,7 @@ spec:
             type: RuntimeDefault
       containers:
       - name: dex
-        image: ghcr.io/dexidp/dex:v2.35.3-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         command: [/shared/argocd-dex, rundex]
         env:

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.5.2
+  newTag: v2.5.8
 resources:
 - ./application-controller
 - ./dex

manifests/base/redis/argocd-redis-deployment.yaml

@@ -23,7 +23,7 @@ spec:
       serviceAccountName: argocd-redis        
       containers:
       - name: redis
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: Always
         args:
         - "--save"

manifests/base/redis/argocd-redis-network-policy.yaml

@@ -10,27 +10,22 @@ spec:
   - Ingress
   - Egress
   ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-repo-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-application-controller
-      ports:
-        - protocol: TCP
-          port: 6379
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - protocol: TCP
+      port: 6379
   egress:
-    - to:
-      - ipBlock:
-          cidr: 0.0.0.0/0
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP 
-    
-      
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP

manifests/core-install.yaml

@@ -9635,7 +9635,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -9717,7 +9717,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -9893,7 +9893,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -9944,7 +9944,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -10151,7 +10151,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -10239,9 +10239,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.5.2
+  newTag: v2.5.8

manifests/ha/base/kustomization.yaml

@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.5.2
+  newTag: v2.5.8
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/base/redis-ha/argocd-redis-ha-proxy-network-policy.yaml

@@ -10,36 +10,33 @@ spec:
   - Ingress
   - Egress
   ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-repo-server
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-application-controller
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-repo-server
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-application-controller
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
   egress:
-    - to:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
-    - to:
-      - ipBlock:
-          cidr: 0.0.0.0/0
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
+  - to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP

manifests/ha/base/redis-ha/argocd-redis-ha-server-network-policy.yaml

@@ -10,33 +10,30 @@ spec:
   - Ingress
   - Egress
   ingress:
-    - from:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha-haproxy
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
+  - from:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha-haproxy
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
   egress:
-    - to:
-      - podSelector:
-          matchLabels:
-            app.kubernetes.io/name: argocd-redis-ha
-      ports:
-        - port: 6379
-          protocol: TCP
-        - port: 26379
-          protocol: TCP
-    - to:
-      - ipBlock:
-          cidr: 0.0.0.0/0
-      ports:
-        - port: 53
-          protocol: UDP
-        - port: 53
-          protocol: TCP
+  - to:
+    - podSelector:
+        matchLabels:
+          app.kubernetes.io/name: argocd-redis-ha
+    ports:
+    - port: 6379
+      protocol: TCP
+    - port: 26379
+      protocol: TCP
+  - ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP

manifests/ha/base/redis-ha/chart/upstream.yaml

@@ -41,6 +41,7 @@ data:
     port 6379
     rename-command FLUSHDB ""
     rename-command FLUSHALL ""
+    bind 0.0.0.0
     maxmemory 0
     maxmemory-policy volatile-lru
     min-replicas-max-lag 5
@@ -53,6 +54,7 @@ data:
   sentinel.conf: |
     dir "/data"
     port 26379
+    bind 0.0.0.0
         sentinel down-after-milliseconds argocd 10000
         sentinel failover-timeout argocd 180000
         maxclients 10000
@@ -618,7 +620,7 @@ data:
       timeout check 2s
 
     listen health_check_http_url
-      bind [::]:8888  v4v6
+      bind :8888  
       mode http
       monitor-uri /healthz
       option      dontlognull
@@ -665,7 +667,7 @@ data:
     # decide redis backend to use
     #master
     frontend ft_redis_master
-      bind [::]:6379 v4v6
+      bind :6379 
       use_backend bk_redis_master
     # Check all redis servers to see if they think they are master
     backend bk_redis_master
@@ -1045,7 +1047,7 @@ spec:
         release: argocd
         revision: "1"
       annotations:
-        checksum/config: 1f7a9ffcacb3871ceb9b0741c0714e3f7fa656d426a398c1f727fffb01073f35
+        checksum/config: 718bbb277da8610063a7c0fd810984577c2e8ab215815a71211dfa6e20f67321
     spec:
       # Needed when using unmodified rbac-setup.yml
       
@@ -1153,7 +1155,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: 84ccf6a9b8a7fa3ae5b62a8f17d6c65a5197e9605da9b2761179bf942828eefe
+        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
       labels:
         release: argocd
         app: redis-ha
@@ -1177,7 +1179,7 @@ spec:
       automountServiceAccountToken: false
       initContainers:
       - name: config-init
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         resources:
           {}
@@ -1204,7 +1206,7 @@ spec:
 
       containers:
       - name: redis
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         command:
         - redis-server
@@ -1254,7 +1256,7 @@ spec:
               - /bin/sh
               - /readonly-config/trigger-failover-if-master.sh
       - name: sentinel
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         command:
           - redis-sentinel
@@ -1298,7 +1300,7 @@ spec:
           {}
 
       - name: split-brain-fix
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         command:
           - sh

manifests/ha/base/redis-ha/chart/values.yaml

@@ -5,8 +5,11 @@ redis-ha:
     masterGroupName: argocd
     config:
       save: "\"\""
+      bind: "0.0.0.0"
   haproxy:
     enabled: true
+    IPv6:
+      enabled: false
     image:
       tag: 2.6.2-alpine
     containerSecurityContext: null
@@ -15,5 +18,7 @@ redis-ha:
       client: 6m
     checkInterval: 3s
   image:
-    tag: 7.0.5-alpine
+    tag: 7.0.7-alpine
   containerSecurityContext: null
+  sentinel:
+    bind: "0.0.0.0"

manifests/ha/install.yaml

@@ -10081,81 +10081,38 @@ data:
             fi
         fi
     done
-  haproxy.cfg: |
-    defaults REDIS
-      mode tcp
-      timeout connect 4s
-      timeout server 6m
-      timeout client 6m
-      timeout check 2s
-
-    listen health_check_http_url
-      bind [::]:8888  v4v6
-      mode http
-      monitor-uri /healthz
-      option      dontlognull
-    # Check Sentinel and whether they are nominated master
-    backend check_if_redis_is_master_0
-      mode tcp
-      option tcp-check
-      tcp-check connect
-      tcp-check send PING\r\n
-      tcp-check expect string +PONG
-      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
-      tcp-check expect string REPLACE_ANNOUNCE0
-      tcp-check send QUIT\r\n
-      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
-      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
-      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
-    # Check Sentinel and whether they are nominated master
-    backend check_if_redis_is_master_1
-      mode tcp
-      option tcp-check
-      tcp-check connect
-      tcp-check send PING\r\n
-      tcp-check expect string +PONG
-      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
-      tcp-check expect string REPLACE_ANNOUNCE1
-      tcp-check send QUIT\r\n
-      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
-      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
-      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
-    # Check Sentinel and whether they are nominated master
-    backend check_if_redis_is_master_2
-      mode tcp
-      option tcp-check
-      tcp-check connect
-      tcp-check send PING\r\n
-      tcp-check expect string +PONG
-      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
-      tcp-check expect string REPLACE_ANNOUNCE2
-      tcp-check send QUIT\r\n
-      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
-      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
-      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
-
-    # decide redis backend to use
-    #master
-    frontend ft_redis_master
-      bind [::]:6379 v4v6
-      use_backend bk_redis_master
-    # Check all redis servers to see if they think they are master
-    backend bk_redis_master
-      mode tcp
-      option tcp-check
-      tcp-check connect
-      tcp-check send PING\r\n
-      tcp-check expect string +PONG
-      tcp-check send info\ replication\r\n
-      tcp-check expect string role:master
-      tcp-check send QUIT\r\n
-      tcp-check expect string +OK
-      use-server R0 if { srv_is_up(R0) } { nbsrv(check_if_redis_is_master_0) ge 2 }
-      server R0 argocd-redis-ha-announce-0:6379 check inter 3s fall 1 rise 1
-      use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1) ge 2 }
-      server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise 1
-      use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge 2 }
-      server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 1
+  haproxy.cfg: "defaults REDIS\n  mode tcp\n  timeout connect 4s\n  timeout server
+    6m\n  timeout client 6m\n  timeout check 2s\n\nlisten health_check_http_url\n
+    \ bind :8888  \n  mode http\n  monitor-uri /healthz\n  option      dontlognull\n#
+    Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_0\n
+    \ mode tcp\n  option tcp-check\n  tcp-check connect\n  tcp-check send PING\\r\\n\n
+    \ tcp-check expect string +PONG\n  tcp-check send SENTINEL\\ get-master-addr-by-name\\
+    argocd\\r\\n\n  tcp-check expect string REPLACE_ANNOUNCE0\n  tcp-check send QUIT\\r\\n\n
+    \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n  server R1 argocd-redis-ha-announce-1:26379
+    check inter 3s\n  server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n#
+    Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_1\n
+    \ mode tcp\n  option tcp-check\n  tcp-check connect\n  tcp-check send PING\\r\\n\n
+    \ tcp-check expect string +PONG\n  tcp-check send SENTINEL\\ get-master-addr-by-name\\
+    argocd\\r\\n\n  tcp-check expect string REPLACE_ANNOUNCE1\n  tcp-check send QUIT\\r\\n\n
+    \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n  server R1 argocd-redis-ha-announce-1:26379
+    check inter 3s\n  server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n#
+    Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_2\n
+    \ mode tcp\n  option tcp-check\n  tcp-check connect\n  tcp-check send PING\\r\\n\n
+    \ tcp-check expect string +PONG\n  tcp-check send SENTINEL\\ get-master-addr-by-name\\
+    argocd\\r\\n\n  tcp-check expect string REPLACE_ANNOUNCE2\n  tcp-check send QUIT\\r\\n\n
+    \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n  server R1 argocd-redis-ha-announce-1:26379
+    check inter 3s\n  server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n\n#
+    decide redis backend to use\n#master\nfrontend ft_redis_master\n  bind :6379 \n
+    \ use_backend bk_redis_master\n# Check all redis servers to see if they think
+    they are master\nbackend bk_redis_master\n  mode tcp\n  option tcp-check\n  tcp-check
+    connect\n  tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check
+    send info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check
+    send QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
+    } { nbsrv(check_if_redis_is_master_0) ge 2 }\n  server R0 argocd-redis-ha-announce-0:6379
+    check inter 3s fall 1 rise 1\n  use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1)
+    ge 2 }\n  server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise
+    1\n  use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge
+    2 }\n  server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 1\n"
   haproxy_init.sh: |
     HAPROXY_CONF=/data/haproxy.cfg
     cp /readonly/haproxy.cfg "$HAPROXY_CONF"
@@ -10454,6 +10411,7 @@ data:
     port 6379
     rename-command FLUSHDB ""
     rename-command FLUSHALL ""
+    bind 0.0.0.0
     maxmemory 0
     maxmemory-policy volatile-lru
     min-replicas-max-lag 5
@@ -10465,6 +10423,7 @@ data:
   sentinel.conf: |
     dir "/data"
     port 26379
+    bind 0.0.0.0
         sentinel down-after-milliseconds argocd 10000
         sentinel failover-timeout argocd 180000
         maxclients 10000
@@ -10877,7 +10836,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -10958,7 +10917,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.3-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         name: dex
         ports:
@@ -10987,7 +10946,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -11040,7 +10999,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -11098,7 +11057,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 1f7a9ffcacb3871ceb9b0741c0714e3f7fa656d426a398c1f727fffb01073f35
+        checksum/config: 718bbb277da8610063a7c0fd810984577c2e8ab215815a71211dfa6e20f67321
       labels:
         app.kubernetes.io/name: argocd-redis-ha-haproxy
       name: argocd-redis-ha-haproxy
@@ -11337,7 +11296,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -11388,7 +11347,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -11661,7 +11620,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -11896,7 +11855,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -11956,7 +11915,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: 84ccf6a9b8a7fa3ae5b62a8f17d6c65a5197e9605da9b2761179bf942828eefe
+        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
       labels:
         app.kubernetes.io/name: argocd-redis-ha
     spec:
@@ -11973,7 +11932,7 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -12026,7 +11985,7 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -12078,7 +12037,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
@@ -12107,7 +12066,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:
@@ -12240,9 +12199,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:
@@ -12286,9 +12242,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:

manifests/ha/namespace-install.yaml

@@ -747,81 +747,38 @@ data:
             fi
         fi
     done
-  haproxy.cfg: |
-    defaults REDIS
-      mode tcp
-      timeout connect 4s
-      timeout server 6m
-      timeout client 6m
-      timeout check 2s
-
-    listen health_check_http_url
-      bind [::]:8888  v4v6
-      mode http
-      monitor-uri /healthz
-      option      dontlognull
-    # Check Sentinel and whether they are nominated master
-    backend check_if_redis_is_master_0
-      mode tcp
-      option tcp-check
-      tcp-check connect
-      tcp-check send PING\r\n
-      tcp-check expect string +PONG
-      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
-      tcp-check expect string REPLACE_ANNOUNCE0
-      tcp-check send QUIT\r\n
-      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
-      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
-      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
-    # Check Sentinel and whether they are nominated master
-    backend check_if_redis_is_master_1
-      mode tcp
-      option tcp-check
-      tcp-check connect
-      tcp-check send PING\r\n
-      tcp-check expect string +PONG
-      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
-      tcp-check expect string REPLACE_ANNOUNCE1
-      tcp-check send QUIT\r\n
-      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
-      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
-      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
-    # Check Sentinel and whether they are nominated master
-    backend check_if_redis_is_master_2
-      mode tcp
-      option tcp-check
-      tcp-check connect
-      tcp-check send PING\r\n
-      tcp-check expect string +PONG
-      tcp-check send SENTINEL\ get-master-addr-by-name\ argocd\r\n
-      tcp-check expect string REPLACE_ANNOUNCE2
-      tcp-check send QUIT\r\n
-      server R0 argocd-redis-ha-announce-0:26379 check inter 3s
-      server R1 argocd-redis-ha-announce-1:26379 check inter 3s
-      server R2 argocd-redis-ha-announce-2:26379 check inter 3s
-
-    # decide redis backend to use
-    #master
-    frontend ft_redis_master
-      bind [::]:6379 v4v6
-      use_backend bk_redis_master
-    # Check all redis servers to see if they think they are master
-    backend bk_redis_master
-      mode tcp
-      option tcp-check
-      tcp-check connect
-      tcp-check send PING\r\n
-      tcp-check expect string +PONG
-      tcp-check send info\ replication\r\n
-      tcp-check expect string role:master
-      tcp-check send QUIT\r\n
-      tcp-check expect string +OK
-      use-server R0 if { srv_is_up(R0) } { nbsrv(check_if_redis_is_master_0) ge 2 }
-      server R0 argocd-redis-ha-announce-0:6379 check inter 3s fall 1 rise 1
-      use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1) ge 2 }
-      server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise 1
-      use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge 2 }
-      server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 1
+  haproxy.cfg: "defaults REDIS\n  mode tcp\n  timeout connect 4s\n  timeout server
+    6m\n  timeout client 6m\n  timeout check 2s\n\nlisten health_check_http_url\n
+    \ bind :8888  \n  mode http\n  monitor-uri /healthz\n  option      dontlognull\n#
+    Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_0\n
+    \ mode tcp\n  option tcp-check\n  tcp-check connect\n  tcp-check send PING\\r\\n\n
+    \ tcp-check expect string +PONG\n  tcp-check send SENTINEL\\ get-master-addr-by-name\\
+    argocd\\r\\n\n  tcp-check expect string REPLACE_ANNOUNCE0\n  tcp-check send QUIT\\r\\n\n
+    \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n  server R1 argocd-redis-ha-announce-1:26379
+    check inter 3s\n  server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n#
+    Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_1\n
+    \ mode tcp\n  option tcp-check\n  tcp-check connect\n  tcp-check send PING\\r\\n\n
+    \ tcp-check expect string +PONG\n  tcp-check send SENTINEL\\ get-master-addr-by-name\\
+    argocd\\r\\n\n  tcp-check expect string REPLACE_ANNOUNCE1\n  tcp-check send QUIT\\r\\n\n
+    \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n  server R1 argocd-redis-ha-announce-1:26379
+    check inter 3s\n  server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n#
+    Check Sentinel and whether they are nominated master\nbackend check_if_redis_is_master_2\n
+    \ mode tcp\n  option tcp-check\n  tcp-check connect\n  tcp-check send PING\\r\\n\n
+    \ tcp-check expect string +PONG\n  tcp-check send SENTINEL\\ get-master-addr-by-name\\
+    argocd\\r\\n\n  tcp-check expect string REPLACE_ANNOUNCE2\n  tcp-check send QUIT\\r\\n\n
+    \ server R0 argocd-redis-ha-announce-0:26379 check inter 3s\n  server R1 argocd-redis-ha-announce-1:26379
+    check inter 3s\n  server R2 argocd-redis-ha-announce-2:26379 check inter 3s\n\n#
+    decide redis backend to use\n#master\nfrontend ft_redis_master\n  bind :6379 \n
+    \ use_backend bk_redis_master\n# Check all redis servers to see if they think
+    they are master\nbackend bk_redis_master\n  mode tcp\n  option tcp-check\n  tcp-check
+    connect\n  tcp-check send PING\\r\\n\n  tcp-check expect string +PONG\n  tcp-check
+    send info\\ replication\\r\\n\n  tcp-check expect string role:master\n  tcp-check
+    send QUIT\\r\\n\n  tcp-check expect string +OK\n  use-server R0 if { srv_is_up(R0)
+    } { nbsrv(check_if_redis_is_master_0) ge 2 }\n  server R0 argocd-redis-ha-announce-0:6379
+    check inter 3s fall 1 rise 1\n  use-server R1 if { srv_is_up(R1) } { nbsrv(check_if_redis_is_master_1)
+    ge 2 }\n  server R1 argocd-redis-ha-announce-1:6379 check inter 3s fall 1 rise
+    1\n  use-server R2 if { srv_is_up(R2) } { nbsrv(check_if_redis_is_master_2) ge
+    2 }\n  server R2 argocd-redis-ha-announce-2:6379 check inter 3s fall 1 rise 1\n"
   haproxy_init.sh: |
     HAPROXY_CONF=/data/haproxy.cfg
     cp /readonly/haproxy.cfg "$HAPROXY_CONF"
@@ -1120,6 +1077,7 @@ data:
     port 6379
     rename-command FLUSHDB ""
     rename-command FLUSHALL ""
+    bind 0.0.0.0
     maxmemory 0
     maxmemory-policy volatile-lru
     min-replicas-max-lag 5
@@ -1131,6 +1089,7 @@ data:
   sentinel.conf: |
     dir "/data"
     port 26379
+    bind 0.0.0.0
         sentinel down-after-milliseconds argocd 10000
         sentinel failover-timeout argocd 180000
         maxclients 10000
@@ -1543,7 +1502,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1624,7 +1583,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.3-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         name: dex
         ports:
@@ -1653,7 +1612,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1706,7 +1665,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1764,7 +1723,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: 1f7a9ffcacb3871ceb9b0741c0714e3f7fa656d426a398c1f727fffb01073f35
+        checksum/config: 718bbb277da8610063a7c0fd810984577c2e8ab215815a71211dfa6e20f67321
       labels:
         app.kubernetes.io/name: argocd-redis-ha-haproxy
       name: argocd-redis-ha-haproxy
@@ -2003,7 +1962,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2054,7 +2013,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2327,7 +2286,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2562,7 +2521,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -2622,7 +2581,7 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/init-config: 84ccf6a9b8a7fa3ae5b62a8f17d6c65a5197e9605da9b2761179bf942828eefe
+        checksum/init-config: 69130412bda04eacad3530cb7bcf26cf121401e725e15d0959dd71a7380afe75
       labels:
         app.kubernetes.io/name: argocd-redis-ha
     spec:
@@ -2639,7 +2598,7 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -2692,7 +2651,7 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -2744,7 +2703,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
@@ -2773,7 +2732,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:
@@ -2906,9 +2865,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:
@@ -2952,9 +2908,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:

manifests/install.yaml

@@ -9955,7 +9955,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -10036,7 +10036,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.3-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         name: dex
         ports:
@@ -10065,7 +10065,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -10118,7 +10118,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -10195,7 +10195,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -10371,7 +10371,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -10422,7 +10422,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -10691,7 +10691,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -10924,7 +10924,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -11055,9 +11055,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:

manifests/namespace-install.yaml

@@ -621,7 +621,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -702,7 +702,7 @@ spec:
               key: dexserver.disable.tls
               name: argocd-cmd-params-cm
               optional: true
-        image: ghcr.io/dexidp/dex:v2.35.3-distroless
+        image: ghcr.io/dexidp/dex:v2.35.3
         imagePullPolicy: Always
         name: dex
         ports:
@@ -731,7 +731,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -784,7 +784,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -861,7 +861,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.5-alpine
+        image: redis:7.0.7-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -1037,7 +1037,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1088,7 +1088,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1357,7 +1357,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1590,7 +1590,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.2
+        image: quay.io/argoproj/argocd:v2.5.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -1721,9 +1721,6 @@ spec:
       protocol: UDP
     - port: 53
       protocol: TCP
-    to:
-    - ipBlock:
-        cidr: 0.0.0.0/0
   ingress:
   - from:
     - podSelector:

mkdocs.yml

@@ -1,10 +1,11 @@
+extra:
+  analytics:
+    property: G-5Z1VTPDL73
+    provider: google
 extra_css:
 - assets/versions.css
 extra_javascript:
 - assets/versions.js
-google_analytics:
-- UA-105170809-2
-- auto
 markdown_extensions:
 - markdown_include.include
 - codehilite
@@ -21,6 +22,7 @@ nav:
   - operator-manual/architecture.md
   - operator-manual/installation.md
   - operator-manual/declarative-setup.md
+  - operator-manual/app-any-namespace.md
   - operator-manual/ingress.md
   - User Management:
     - operator-manual/user-management/index.md
@@ -56,9 +58,9 @@ nav:
     - operator-manual/notifications/catalog.md
     - operator-manual/notifications/monitoring.md
     - operator-manual/notifications/subscriptions.md
+    - operator-manual/notifications/troubleshooting.md
     - operator-manual/notifications/troubleshooting-commands.md
     - operator-manual/notifications/troubleshooting-errors.md
-    - operator-manual/notifications/troubleshooting.md
     - Notification Services:
       - operator-manual/notifications/services/alertmanager.md
       - operator-manual/notifications/services/email.md

pkg/apiclient/settings/settings.pb.go

@@ -84,24 +84,25 @@ type Settings struct {
 	GoogleAnalytics    *GoogleAnalyticsConfig                `protobuf:"bytes,7,opt,name=googleAnalytics,proto3" json:"googleAnalytics,omitempty"`
 	KustomizeOptions   *v1alpha1.KustomizeOptions            `protobuf:"bytes,8,opt,name=kustomizeOptions,proto3" json:"kustomizeOptions,omitempty"`
 	// Help settings
-	Help                    *Help                              `protobuf:"bytes,9,opt,name=help,proto3" json:"help,omitempty"`
-	Plugins                 []*Plugin                          `protobuf:"bytes,10,rep,name=plugins,proto3" json:"plugins,omitempty"`
-	UserLoginsDisabled      bool                               `protobuf:"varint,11,opt,name=userLoginsDisabled,proto3" json:"userLoginsDisabled,omitempty"`
-	ConfigManagementPlugins []*v1alpha1.ConfigManagementPlugin `protobuf:"bytes,12,rep,name=configManagementPlugins,proto3" json:"configManagementPlugins,omitempty"`
-	KustomizeVersions       []string                           `protobuf:"bytes,13,rep,name=kustomizeVersions,proto3" json:"kustomizeVersions,omitempty"`
-	UiCssURL                string                             `protobuf:"bytes,14,opt,name=uiCssURL,proto3" json:"uiCssURL,omitempty"`
-	UiBannerContent         string                             `protobuf:"bytes,15,opt,name=uiBannerContent,proto3" json:"uiBannerContent,omitempty"`
-	UiBannerURL             string                             `protobuf:"bytes,16,opt,name=uiBannerURL,proto3" json:"uiBannerURL,omitempty"`
-	PasswordPattern         string                             `protobuf:"bytes,17,opt,name=passwordPattern,proto3" json:"passwordPattern,omitempty"`
-	TrackingMethod          string                             `protobuf:"bytes,18,opt,name=trackingMethod,proto3" json:"trackingMethod,omitempty"`
-	UiBannerPermanent       bool                               `protobuf:"varint,19,opt,name=uiBannerPermanent,proto3" json:"uiBannerPermanent,omitempty"`
-	UiBannerPosition        string                             `protobuf:"bytes,20,opt,name=uiBannerPosition,proto3" json:"uiBannerPosition,omitempty"`
-	StatusBadgeRootUrl      string                             `protobuf:"bytes,21,opt,name=statusBadgeRootUrl,proto3" json:"statusBadgeRootUrl,omitempty"`
-	ExecEnabled             bool                               `protobuf:"varint,22,opt,name=execEnabled,proto3" json:"execEnabled,omitempty"`
-	ControllerNamespace     string                             `protobuf:"bytes,23,opt,name=controllerNamespace,proto3" json:"controllerNamespace,omitempty"`
-	XXX_NoUnkeyedLiteral    struct{}                           `json:"-"`
-	XXX_unrecognized        []byte                             `json:"-"`
-	XXX_sizecache           int32                              `json:"-"`
+	Help                      *Help                              `protobuf:"bytes,9,opt,name=help,proto3" json:"help,omitempty"`
+	Plugins                   []*Plugin                          `protobuf:"bytes,10,rep,name=plugins,proto3" json:"plugins,omitempty"`
+	UserLoginsDisabled        bool                               `protobuf:"varint,11,opt,name=userLoginsDisabled,proto3" json:"userLoginsDisabled,omitempty"`
+	ConfigManagementPlugins   []*v1alpha1.ConfigManagementPlugin `protobuf:"bytes,12,rep,name=configManagementPlugins,proto3" json:"configManagementPlugins,omitempty"`
+	KustomizeVersions         []string                           `protobuf:"bytes,13,rep,name=kustomizeVersions,proto3" json:"kustomizeVersions,omitempty"`
+	UiCssURL                  string                             `protobuf:"bytes,14,opt,name=uiCssURL,proto3" json:"uiCssURL,omitempty"`
+	UiBannerContent           string                             `protobuf:"bytes,15,opt,name=uiBannerContent,proto3" json:"uiBannerContent,omitempty"`
+	UiBannerURL               string                             `protobuf:"bytes,16,opt,name=uiBannerURL,proto3" json:"uiBannerURL,omitempty"`
+	PasswordPattern           string                             `protobuf:"bytes,17,opt,name=passwordPattern,proto3" json:"passwordPattern,omitempty"`
+	TrackingMethod            string                             `protobuf:"bytes,18,opt,name=trackingMethod,proto3" json:"trackingMethod,omitempty"`
+	UiBannerPermanent         bool                               `protobuf:"varint,19,opt,name=uiBannerPermanent,proto3" json:"uiBannerPermanent,omitempty"`
+	UiBannerPosition          string                             `protobuf:"bytes,20,opt,name=uiBannerPosition,proto3" json:"uiBannerPosition,omitempty"`
+	StatusBadgeRootUrl        string                             `protobuf:"bytes,21,opt,name=statusBadgeRootUrl,proto3" json:"statusBadgeRootUrl,omitempty"`
+	ExecEnabled               bool                               `protobuf:"varint,22,opt,name=execEnabled,proto3" json:"execEnabled,omitempty"`
+	ControllerNamespace       string                             `protobuf:"bytes,23,opt,name=controllerNamespace,proto3" json:"controllerNamespace,omitempty"`
+	AppsInAnyNamespaceEnabled bool                               `protobuf:"varint,24,opt,name=appsInAnyNamespaceEnabled,proto3" json:"appsInAnyNamespaceEnabled,omitempty"`
+	XXX_NoUnkeyedLiteral      struct{}                           `json:"-"`
+	XXX_unrecognized          []byte                             `json:"-"`
+	XXX_sizecache             int32                              `json:"-"`
 }
 
 func (m *Settings) Reset()         { *m = Settings{} }
@@ -298,6 +299,13 @@ func (m *Settings) GetControllerNamespace() string {
 	return ""
 }
 
+func (m *Settings) GetAppsInAnyNamespaceEnabled() bool {
+	if m != nil {
+		return m.AppsInAnyNamespaceEnabled
+	}
+	return false
+}
+
 type GoogleAnalyticsConfig struct {
 	TrackingID           string   `protobuf:"bytes,1,opt,name=trackingID,proto3" json:"trackingID,omitempty"`
 	AnonymizeUsers       bool     `protobuf:"varint,2,opt,name=anonymizeUsers,proto3" json:"anonymizeUsers,omitempty"`
@@ -675,78 +683,79 @@ func init() {
 func init() { proto.RegisterFile("server/settings/settings.proto", fileDescriptor_a480d494da040caa) }
 
 var fileDescriptor_a480d494da040caa = []byte{
-	// 1129 bytes of a gzipped FileDescriptorProto
+	// 1148 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x56, 0x4f, 0x6f, 0x1b, 0x45,
-	0x14, 0xd7, 0xd6, 0x69, 0x62, 0xbf, 0x34, 0x75, 0x32, 0x6d, 0xd3, 0xc5, 0x2a, 0x8e, 0xf1, 0xa1,
-	0x32, 0x08, 0xd6, 0x8d, 0x2b, 0x04, 0x42, 0xaa, 0x00, 0xdb, 0x55, 0x6b, 0xea, 0xb6, 0x61, 0xdb,
-	0xf4, 0x80, 0x84, 0xaa, 0xc9, 0xee, 0x63, 0xb3, 0x78, 0x3d, 0xb3, 0x9a, 0x99, 0x35, 0x75, 0x8f,
-	0xdc, 0xb8, 0x70, 0x81, 0x4f, 0xc3, 0x27, 0xe0, 0x88, 0xc4, 0x3d, 0x42, 0x16, 0x1f, 0x82, 0x23,
-	0x9a, 0xd9, 0x3f, 0xd9, 0xd8, 0xe6, 0x8f, 0xd4, 0xdb, 0xcc, 0xef, 0xf7, 0xfe, 0xcd, 0x9b, 0x37,
-	0xf3, 0x1e, 0x34, 0x25, 0x8a, 0x19, 0x8a, 0xae, 0x44, 0xa5, 0x42, 0x16, 0xc8, 0x62, 0xe1, 0xc4,
-	0x82, 0x2b, 0x4e, 0xb6, 0xbc, 0x28, 0x91, 0x0a, 0x45, 0xe3, 0x7a, 0xc0, 0x03, 0x6e, 0xb0, 0xae,
-	0x5e, 0xa5, 0x74, 0xe3, 0x56, 0xc0, 0x79, 0x10, 0x61, 0x97, 0xc6, 0x61, 0x97, 0x32, 0xc6, 0x15,
-	0x55, 0x21, 0x67, 0x99, 0x72, 0x63, 0x1c, 0x84, 0xea, 0x34, 0x39, 0x71, 0x3c, 0x3e, 0xed, 0x52,
-	0x61, 0xd4, 0xbf, 0x35, 0x8b, 0x0f, 0x3c, 0xbf, 0x3b, 0xeb, 0x75, 0xe3, 0x49, 0xa0, 0x35, 0x65,
-	0x97, 0xc6, 0x71, 0x14, 0x7a, 0x46, 0xb7, 0x3b, 0x3b, 0xa4, 0x51, 0x7c, 0x4a, 0x0f, 0xbb, 0x01,
-	0x32, 0x14, 0x54, 0xa1, 0x9f, 0x59, 0xfb, 0xec, 0x3f, 0xac, 0x2d, 0x9f, 0x84, 0x87, 0xbe, 0xd7,
-	0xf5, 0x22, 0x1a, 0x4e, 0xb3, 0x78, 0xda, 0x75, 0xd8, 0x79, 0x96, 0xb1, 0x5f, 0x26, 0x28, 0xe6,
-	0xed, 0xbf, 0x00, 0xaa, 0x39, 0x42, 0xde, 0x82, 0x4a, 0x22, 0x22, 0xdb, 0x6a, 0x59, 0x9d, 0x5a,
-	0x7f, 0x6b, 0x71, 0x76, 0x50, 0x39, 0x76, 0xc7, 0xae, 0xc6, 0xc8, 0x1d, 0xa8, 0xf9, 0xf8, 0x6a,
-	0xc0, 0xd9, 0x37, 0x61, 0x60, 0x5f, 0x6a, 0x59, 0x9d, 0xed, 0x1e, 0x71, 0xb2, 0xcc, 0x38, 0xc3,
-	0x9c, 0x71, 0xcf, 0x85, 0xc8, 0x00, 0x40, 0xfb, 0xcf, 0x54, 0x2a, 0x46, 0xe5, 0x5a, 0xa1, 0xf2,
-	0x74, 0x34, 0x1c, 0xa4, 0x54, 0xff, 0xea, 0xe2, 0xec, 0x00, 0xce, 0xf7, 0x6e, 0x49, 0x8d, 0xb4,
-	0x60, 0x9b, 0xc6, 0xf1, 0x98, 0x9e, 0x60, 0xf4, 0x08, 0xe7, 0xf6, 0x86, 0x8e, 0xcc, 0x2d, 0x43,
-	0xe4, 0x05, 0xec, 0x09, 0x94, 0x3c, 0x11, 0x1e, 0x3e, 0x9d, 0xa1, 0x10, 0xa1, 0x8f, 0xd2, 0xbe,
-	0xdc, 0xaa, 0x74, 0xb6, 0x7b, 0x9d, 0xc2, 0x5b, 0x7e, 0x42, 0xc7, 0x5d, 0x16, 0xbd, 0xcf, 0x94,
-	0x98, 0xbb, 0xab, 0x26, 0x88, 0x03, 0x44, 0x2a, 0xaa, 0x12, 0xd9, 0xa7, 0x7e, 0x80, 0xf7, 0x19,
-	0x3d, 0x89, 0xd0, 0xb7, 0x37, 0x5b, 0x56, 0xa7, 0xea, 0xae, 0x61, 0xc8, 0x43, 0xa8, 0xa7, 0x95,
-	0xf0, 0x39, 0xa3, 0xd1, 0x5c, 0x85, 0x9e, 0xb4, 0xb7, 0xcc, 0x99, 0x9b, 0x45, 0x14, 0x0f, 0x2e,
-	0xf2, 0xd9, 0x71, 0x97, 0xd5, 0xc8, 0x6b, 0xd8, 0x9d, 0x24, 0x52, 0xf1, 0x69, 0xf8, 0x1a, 0x9f,
-	0xc6, 0xa6, 0x9a, 0xec, 0xaa, 0x31, 0xf5, 0xc4, 0x39, 0x2f, 0x00, 0x27, 0x2f, 0x00, 0xb3, 0x78,
-	0xe9, 0xf9, 0xce, 0xac, 0xe7, 0xc4, 0x93, 0xc0, 0xd1, 0xe5, 0xe4, 0x94, 0xca, 0xc9, 0xc9, 0xcb,
-	0xc9, 0x79, 0xb4, 0x64, 0xd5, 0x5d, 0xf1, 0x43, 0xde, 0x81, 0x8d, 0x53, 0x8c, 0x62, 0xbb, 0x66,
-	0xfc, 0xed, 0x14, 0xa1, 0x3f, 0xc4, 0x28, 0x76, 0x0d, 0x45, 0xde, 0x85, 0xad, 0x38, 0x4a, 0x82,
-	0x90, 0x49, 0x1b, 0x4c, 0x9a, 0xeb, 0x85, 0xd4, 0x91, 0xc1, 0xdd, 0x9c, 0xd7, 0x39, 0x4c, 0x24,
-	0x8a, 0x31, 0xd7, 0xbb, 0x61, 0x28, 0xd3, 0x1c, 0x6e, 0xa7, 0x39, 0x5c, 0x65, 0xc8, 0x8f, 0x16,
-	0xdc, 0xf4, 0x4c, 0x56, 0x1e, 0x53, 0x46, 0x03, 0x9c, 0x22, 0x53, 0x47, 0x99, 0xaf, 0x2b, 0xc6,
-	0xd7, 0xf3, 0x37, 0xcb, 0xc0, 0x60, 0xad, 0x71, 0xf7, 0x9f, 0x9c, 0x92, 0xf7, 0x61, 0xaf, 0x48,
-	0xd1, 0x0b, 0x14, 0xd2, 0xdc, 0xc5, 0x4e, 0xab, 0xd2, 0xa9, 0xb9, 0xab, 0x04, 0x69, 0x40, 0x35,
-	0x09, 0x07, 0x52, 0x1e, 0xbb, 0x63, 0xfb, 0xaa, 0xa9, 0xd4, 0x62, 0x4f, 0x3a, 0x50, 0x4f, 0xc2,
-	0x3e, 0x65, 0x0c, 0xc5, 0x80, 0x33, 0x85, 0x4c, 0xd9, 0x75, 0x23, 0xb2, 0x0c, 0xeb, 0x92, 0xcf,
-	0x21, 0x6d, 0x68, 0x37, 0x2d, 0xf9, 0x12, 0xa4, 0x6d, 0xc5, 0x54, 0xca, 0xef, 0xb8, 0xf0, 0x8f,
-	0xa8, 0x52, 0x28, 0x98, 0xbd, 0x97, 0xda, 0x5a, 0x82, 0xc9, 0x6d, 0xb8, 0xaa, 0x04, 0xf5, 0x26,
-	0x21, 0x0b, 0x1e, 0xa3, 0x3a, 0xe5, 0xbe, 0x4d, 0x8c, 0xe0, 0x12, 0xaa, 0xcf, 0x99, 0x3b, 0x38,
-	0x42, 0x31, 0xa5, 0x4c, 0xc7, 0x77, 0xcd, 0xdc, 0xd3, 0x2a, 0x41, 0xde, 0x83, 0xdd, 0x02, 0xe4,
-	0x32, 0xd4, 0x29, 0xb6, 0xaf, 0x1b, 0xbb, 0x2b, 0xf8, 0xd2, 0x33, 0x72, 0x39, 0x57, 0xc7, 0x22,
-	0xb2, 0x6f, 0x18, 0xe9, 0x35, 0x8c, 0x3e, 0x3d, 0xbe, 0x42, 0x2f, 0x7f, 0x6f, 0xfb, 0x26, 0x86,
-	0x32, 0x44, 0xee, 0xc0, 0x35, 0x8f, 0x33, 0x25, 0x78, 0x14, 0xa1, 0x78, 0x42, 0xa7, 0x28, 0x63,
-	0xea, 0xa1, 0x7d, 0xd3, 0x98, 0x5c, 0x47, 0x35, 0x7e, 0xb6, 0x60, 0x7f, 0xfd, 0xc3, 0x27, 0xbb,
-	0x50, 0x99, 0xe0, 0x3c, 0xfd, 0xf1, 0x5c, 0xbd, 0x24, 0x3e, 0x5c, 0x9e, 0xd1, 0x28, 0xc1, 0xec,
-	0x93, 0x7b, 0xc3, 0x27, 0xb7, 0xec, 0xd6, 0x4d, 0x8d, 0x7f, 0x72, 0xe9, 0x63, 0xab, 0xfd, 0x12,
-	0x6e, 0xac, 0xfd, 0x11, 0x48, 0x13, 0x20, 0xbf, 0x9f, 0xd1, 0x30, 0x8b, 0xad, 0x84, 0xe8, 0x5b,
-	0xa5, 0x8c, 0xb3, 0xb9, 0x2e, 0xbe, 0x63, 0x89, 0x42, 0x9a, 0x58, 0xab, 0xee, 0x12, 0xda, 0xfe,
-	0xc5, 0x82, 0x0d, 0xfd, 0x70, 0x89, 0x0d, 0x5b, 0xde, 0x29, 0x35, 0x99, 0x4f, 0xad, 0xe5, 0x5b,
-	0x5d, 0xb2, 0x7a, 0xf9, 0x1c, 0x5f, 0x29, 0x63, 0xa4, 0xe6, 0x16, 0x7b, 0x72, 0x0f, 0xe0, 0x24,
-	0x64, 0x54, 0xcc, 0x8f, 0x45, 0x24, 0xed, 0x8a, 0x79, 0x7f, 0x6f, 0x5f, 0xf8, 0x11, 0x9c, 0x7e,
-	0xc1, 0xa7, 0xff, 0x68, 0x49, 0xa1, 0x71, 0x0f, 0xea, 0x4b, 0xf4, 0x9a, 0x6c, 0x5f, 0x2f, 0x67,
-	0xbb, 0x56, 0xce, 0xce, 0x2d, 0xd8, 0x4c, 0x5f, 0x21, 0x21, 0xb0, 0xc1, 0xe8, 0x14, 0x33, 0x35,
-	0xb3, 0x6e, 0x7f, 0x0a, 0xb5, 0xa2, 0xe9, 0x90, 0x1e, 0x80, 0xc7, 0x19, 0x43, 0x4f, 0x71, 0x21,
-	0x6d, 0xcb, 0x04, 0x7a, 0xde, 0x9c, 0x06, 0x39, 0xe5, 0x96, 0xa4, 0xda, 0x77, 0xa1, 0x56, 0x10,
-	0xeb, 0x3c, 0x68, 0x4c, 0xcd, 0xe3, 0x3c, 0x30, 0xb3, 0x6e, 0xff, 0x50, 0x81, 0x52, 0xa3, 0x5a,
-	0xab, 0xb6, 0x0f, 0x9b, 0xa1, 0x94, 0x09, 0x8a, 0x4c, 0x31, 0xdb, 0x91, 0x0e, 0x54, 0xbd, 0x28,
-	0x44, 0xa6, 0x46, 0x43, 0xd3, 0x0b, 0x6b, 0xfd, 0x2b, 0x8b, 0xb3, 0x83, 0xea, 0x20, 0xc3, 0xdc,
-	0x82, 0x25, 0x87, 0xb0, 0xed, 0x45, 0x61, 0x4e, 0xa4, 0x2d, 0xaf, 0x5f, 0x5f, 0x9c, 0x1d, 0x6c,
-	0x0f, 0xc6, 0xa3, 0x42, 0xbe, 0x2c, 0xa3, 0x9d, 0x4a, 0x8f, 0xc7, 0x59, 0xe3, 0xab, 0xb9, 0xd9,
-	0x8e, 0xbc, 0x84, 0x9d, 0xd0, 0x7f, 0xce, 0x27, 0xc8, 0x06, 0x66, 0x08, 0xb0, 0x37, 0x4d, 0x6e,
-	0x6e, 0xaf, 0xe9, 0xc2, 0xce, 0xa8, 0x2c, 0x68, 0xae, 0xab, 0xbf, 0xb7, 0x38, 0x3b, 0xd8, 0x19,
-	0x0d, 0x4b, 0xb8, 0x7b, 0xd1, 0x5e, 0x63, 0x0e, 0x64, 0x55, 0x6f, 0xcd, 0x35, 0x3f, 0xbe, 0xf8,
-	0xa8, 0x3e, 0xfa, 0xd7, 0x47, 0x95, 0x4e, 0x31, 0x4e, 0x31, 0x86, 0xe9, 0x71, 0xc0, 0x31, 0xf6,
-	0x4b, 0xf5, 0xd1, 0xfb, 0x1a, 0xea, 0x79, 0x57, 0x7f, 0x86, 0x62, 0x16, 0x7a, 0x48, 0xbe, 0x80,
-	0xca, 0x03, 0x54, 0x64, 0x7f, 0xa5, 0xed, 0x9b, 0x51, 0xa7, 0xb1, 0xb7, 0x82, 0xb7, 0xed, 0xef,
-	0x7f, 0xff, 0xf3, 0xa7, 0x4b, 0x84, 0xec, 0x9a, 0xf1, 0x6d, 0x76, 0x58, 0x8c, 0x4e, 0xfd, 0xc1,
-	0xaf, 0x8b, 0xa6, 0xf5, 0xdb, 0xa2, 0x69, 0xfd, 0xb1, 0x68, 0x5a, 0x5f, 0x7d, 0xf8, 0xff, 0xc6,
-	0xb8, 0xf4, 0x0e, 0x0b, 0x23, 0x27, 0x9b, 0x66, 0xe8, 0xba, 0xfb, 0x77, 0x00, 0x00, 0x00, 0xff,
-	0xff, 0x2a, 0xfc, 0x97, 0xee, 0x63, 0x0a, 0x00, 0x00,
+	0x14, 0xd7, 0xd6, 0x69, 0x62, 0x3f, 0x37, 0x75, 0x32, 0x6d, 0xd3, 0xad, 0x55, 0x92, 0xe0, 0x43,
+	0x65, 0x10, 0xac, 0x1b, 0x57, 0x08, 0x84, 0xa8, 0xa0, 0xb6, 0xab, 0xd6, 0xd4, 0x6d, 0xc3, 0xb6,
+	0xe9, 0x01, 0x09, 0x55, 0x93, 0xdd, 0xc7, 0x66, 0xf1, 0x7a, 0x66, 0x35, 0x33, 0x6b, 0xea, 0x1e,
+	0xb9, 0x71, 0xe1, 0x02, 0x9f, 0x85, 0x03, 0x9f, 0x80, 0x23, 0x12, 0xf7, 0x08, 0x59, 0x7c, 0x10,
+	0x34, 0xb3, 0x7f, 0xb2, 0xb1, 0x5d, 0x40, 0xea, 0x6d, 0xe6, 0xf7, 0x7b, 0xff, 0xe6, 0xcd, 0x7b,
+	0x33, 0x0f, 0x76, 0x25, 0x8a, 0x29, 0x8a, 0x8e, 0x44, 0xa5, 0x42, 0x16, 0xc8, 0x62, 0xe1, 0xc4,
+	0x82, 0x2b, 0x4e, 0x36, 0xbc, 0x28, 0x91, 0x0a, 0x45, 0xf3, 0x6a, 0xc0, 0x03, 0x6e, 0xb0, 0x8e,
+	0x5e, 0xa5, 0x74, 0xf3, 0x66, 0xc0, 0x79, 0x10, 0x61, 0x87, 0xc6, 0x61, 0x87, 0x32, 0xc6, 0x15,
+	0x55, 0x21, 0x67, 0x99, 0x72, 0x73, 0x14, 0x84, 0xea, 0x24, 0x39, 0x76, 0x3c, 0x3e, 0xe9, 0x50,
+	0x61, 0xd4, 0xbf, 0x33, 0x8b, 0x0f, 0x3d, 0xbf, 0x33, 0xed, 0x76, 0xe2, 0x71, 0xa0, 0x35, 0x65,
+	0x87, 0xc6, 0x71, 0x14, 0x7a, 0x46, 0xb7, 0x33, 0x3d, 0xa0, 0x51, 0x7c, 0x42, 0x0f, 0x3a, 0x01,
+	0x32, 0x14, 0x54, 0xa1, 0x9f, 0x59, 0xfb, 0xe2, 0x3f, 0xac, 0x2d, 0x9e, 0x84, 0x87, 0xbe, 0xd7,
+	0xf1, 0x22, 0x1a, 0x4e, 0xb2, 0x78, 0x5a, 0x0d, 0xd8, 0x7c, 0x96, 0xb1, 0x5f, 0x25, 0x28, 0x66,
+	0xad, 0x5f, 0xeb, 0x50, 0xcd, 0x11, 0x72, 0x03, 0x2a, 0x89, 0x88, 0x6c, 0x6b, 0xdf, 0x6a, 0xd7,
+	0x7a, 0x1b, 0xf3, 0xd3, 0xbd, 0xca, 0x91, 0x3b, 0x72, 0x35, 0x46, 0x6e, 0x43, 0xcd, 0xc7, 0x57,
+	0x7d, 0xce, 0xbe, 0x0d, 0x03, 0xfb, 0xc2, 0xbe, 0xd5, 0xae, 0x77, 0x89, 0x93, 0x65, 0xc6, 0x19,
+	0xe4, 0x8c, 0x7b, 0x26, 0x44, 0xfa, 0x00, 0xda, 0x7f, 0xa6, 0x52, 0x31, 0x2a, 0x57, 0x0a, 0x95,
+	0xa7, 0xc3, 0x41, 0x3f, 0xa5, 0x7a, 0x97, 0xe7, 0xa7, 0x7b, 0x70, 0xb6, 0x77, 0x4b, 0x6a, 0x64,
+	0x1f, 0xea, 0x34, 0x8e, 0x47, 0xf4, 0x18, 0xa3, 0x47, 0x38, 0xb3, 0xd7, 0x74, 0x64, 0x6e, 0x19,
+	0x22, 0x2f, 0x60, 0x5b, 0xa0, 0xe4, 0x89, 0xf0, 0xf0, 0xe9, 0x14, 0x85, 0x08, 0x7d, 0x94, 0xf6,
+	0xc5, 0xfd, 0x4a, 0xbb, 0xde, 0x6d, 0x17, 0xde, 0xf2, 0x13, 0x3a, 0xee, 0xa2, 0xe8, 0x7d, 0xa6,
+	0xc4, 0xcc, 0x5d, 0x36, 0x41, 0x1c, 0x20, 0x52, 0x51, 0x95, 0xc8, 0x1e, 0xf5, 0x03, 0xbc, 0xcf,
+	0xe8, 0x71, 0x84, 0xbe, 0xbd, 0xbe, 0x6f, 0xb5, 0xab, 0xee, 0x0a, 0x86, 0x3c, 0x84, 0x46, 0x5a,
+	0x09, 0xf7, 0x18, 0x8d, 0x66, 0x2a, 0xf4, 0xa4, 0xbd, 0x61, 0xce, 0xbc, 0x5b, 0x44, 0xf1, 0xe0,
+	0x3c, 0x9f, 0x1d, 0x77, 0x51, 0x8d, 0xbc, 0x86, 0xad, 0x71, 0x22, 0x15, 0x9f, 0x84, 0xaf, 0xf1,
+	0x69, 0x6c, 0xaa, 0xc9, 0xae, 0x1a, 0x53, 0x4f, 0x9c, 0xb3, 0x02, 0x70, 0xf2, 0x02, 0x30, 0x8b,
+	0x97, 0x9e, 0xef, 0x4c, 0xbb, 0x4e, 0x3c, 0x0e, 0x1c, 0x5d, 0x4e, 0x4e, 0xa9, 0x9c, 0x9c, 0xbc,
+	0x9c, 0x9c, 0x47, 0x0b, 0x56, 0xdd, 0x25, 0x3f, 0xe4, 0x5d, 0x58, 0x3b, 0xc1, 0x28, 0xb6, 0x6b,
+	0xc6, 0xdf, 0x66, 0x11, 0xfa, 0x43, 0x8c, 0x62, 0xd7, 0x50, 0xe4, 0x3d, 0xd8, 0x88, 0xa3, 0x24,
+	0x08, 0x99, 0xb4, 0xc1, 0xa4, 0xb9, 0x51, 0x48, 0x1d, 0x1a, 0xdc, 0xcd, 0x79, 0x9d, 0xc3, 0x44,
+	0xa2, 0x18, 0x71, 0xbd, 0x1b, 0x84, 0x32, 0xcd, 0x61, 0x3d, 0xcd, 0xe1, 0x32, 0x43, 0x7e, 0xb2,
+	0xe0, 0xba, 0x67, 0xb2, 0xf2, 0x98, 0x32, 0x1a, 0xe0, 0x04, 0x99, 0x3a, 0xcc, 0x7c, 0x5d, 0x32,
+	0xbe, 0x9e, 0xbf, 0x5d, 0x06, 0xfa, 0x2b, 0x8d, 0xbb, 0x6f, 0x72, 0x4a, 0x3e, 0x80, 0xed, 0x22,
+	0x45, 0x2f, 0x50, 0x48, 0x73, 0x17, 0x9b, 0xfb, 0x95, 0x76, 0xcd, 0x5d, 0x26, 0x48, 0x13, 0xaa,
+	0x49, 0xd8, 0x97, 0xf2, 0xc8, 0x1d, 0xd9, 0x97, 0x4d, 0xa5, 0x16, 0x7b, 0xd2, 0x86, 0x46, 0x12,
+	0xf6, 0x28, 0x63, 0x28, 0xfa, 0x9c, 0x29, 0x64, 0xca, 0x6e, 0x18, 0x91, 0x45, 0x58, 0x97, 0x7c,
+	0x0e, 0x69, 0x43, 0x5b, 0x69, 0xc9, 0x97, 0x20, 0x6d, 0x2b, 0xa6, 0x52, 0x7e, 0xcf, 0x85, 0x7f,
+	0x48, 0x95, 0x42, 0xc1, 0xec, 0xed, 0xd4, 0xd6, 0x02, 0x4c, 0x6e, 0xc1, 0x65, 0x25, 0xa8, 0x37,
+	0x0e, 0x59, 0xf0, 0x18, 0xd5, 0x09, 0xf7, 0x6d, 0x62, 0x04, 0x17, 0x50, 0x7d, 0xce, 0xdc, 0xc1,
+	0x21, 0x8a, 0x09, 0x65, 0x3a, 0xbe, 0x2b, 0xe6, 0x9e, 0x96, 0x09, 0xf2, 0x3e, 0x6c, 0x15, 0x20,
+	0x97, 0xa1, 0x4e, 0xb1, 0x7d, 0xd5, 0xd8, 0x5d, 0xc2, 0x17, 0xda, 0xc8, 0xe5, 0x5c, 0x1d, 0x89,
+	0xc8, 0xbe, 0x66, 0xa4, 0x57, 0x30, 0xfa, 0xf4, 0xf8, 0x0a, 0xbd, 0xbc, 0xdf, 0x76, 0x4c, 0x0c,
+	0x65, 0x88, 0xdc, 0x86, 0x2b, 0x1e, 0x67, 0x4a, 0xf0, 0x28, 0x42, 0xf1, 0x84, 0x4e, 0x50, 0xc6,
+	0xd4, 0x43, 0xfb, 0xba, 0x31, 0xb9, 0x8a, 0x22, 0x9f, 0xc1, 0x0d, 0x1a, 0xc7, 0x72, 0xc8, 0xee,
+	0xb1, 0x59, 0x81, 0xe6, 0x1e, 0x6c, 0xe3, 0xe1, 0xcd, 0x02, 0xcd, 0x5f, 0x2c, 0xd8, 0x59, 0xfd,
+	0x6c, 0x90, 0x2d, 0xa8, 0x8c, 0x71, 0x96, 0xbe, 0x97, 0xae, 0x5e, 0x12, 0x1f, 0x2e, 0x4e, 0x69,
+	0x94, 0x60, 0xf6, 0x44, 0xbe, 0x65, 0xc3, 0x2e, 0xba, 0x75, 0x53, 0xe3, 0x9f, 0x5e, 0xf8, 0xc4,
+	0x6a, 0xbd, 0x84, 0x6b, 0x2b, 0xdf, 0x13, 0xb2, 0x0b, 0x90, 0xdf, 0xee, 0x70, 0x90, 0xc5, 0x56,
+	0x42, 0x74, 0x4d, 0x50, 0xc6, 0xd9, 0x4c, 0x97, 0xee, 0x91, 0x44, 0x21, 0x4d, 0xac, 0x55, 0x77,
+	0x01, 0x6d, 0xfd, 0x66, 0xc1, 0x9a, 0x6e, 0x7b, 0x62, 0xc3, 0x86, 0x77, 0x42, 0xcd, 0xbd, 0xa5,
+	0xd6, 0xf2, 0xad, 0x2e, 0x78, 0xbd, 0x7c, 0x8e, 0xaf, 0x94, 0x31, 0x52, 0x73, 0x8b, 0x3d, 0xb9,
+	0x0b, 0x70, 0x1c, 0x32, 0x2a, 0x66, 0x47, 0x22, 0x92, 0x76, 0xc5, 0x74, 0xef, 0x3b, 0xe7, 0xde,
+	0x13, 0xa7, 0x57, 0xf0, 0xe9, 0x2b, 0x5c, 0x52, 0x68, 0xde, 0x85, 0xc6, 0x02, 0xbd, 0x22, 0xdb,
+	0x57, 0xcb, 0xd9, 0xae, 0x95, 0xb3, 0x73, 0x13, 0xd6, 0xd3, 0x1e, 0x26, 0x04, 0xd6, 0x18, 0x9d,
+	0x60, 0xa6, 0x66, 0xd6, 0xad, 0xcf, 0xa1, 0x56, 0x7c, 0x59, 0xa4, 0x0b, 0xe0, 0x71, 0xc6, 0xd0,
+	0x53, 0x5c, 0x48, 0xdb, 0x32, 0x81, 0x9e, 0x7d, 0x6d, 0xfd, 0x9c, 0x72, 0x4b, 0x52, 0xad, 0x3b,
+	0x50, 0x2b, 0x88, 0x55, 0x1e, 0x34, 0xa6, 0x66, 0x71, 0x1e, 0x98, 0x59, 0xb7, 0x7e, 0xac, 0x40,
+	0xe9, 0x9b, 0x5b, 0xa9, 0xb6, 0x03, 0xeb, 0xa1, 0x94, 0x09, 0x8a, 0x4c, 0x31, 0xdb, 0x91, 0x36,
+	0x54, 0xbd, 0x28, 0x44, 0xa6, 0x86, 0x03, 0xf3, 0x93, 0xd6, 0x7a, 0x97, 0xe6, 0xa7, 0x7b, 0xd5,
+	0x7e, 0x86, 0xb9, 0x05, 0x4b, 0x0e, 0xa0, 0xee, 0x45, 0x61, 0x4e, 0xa4, 0x1f, 0x66, 0xaf, 0x31,
+	0x3f, 0xdd, 0xab, 0xf7, 0x47, 0xc3, 0x42, 0xbe, 0x2c, 0xa3, 0x9d, 0x4a, 0x8f, 0xc7, 0xd9, 0xb7,
+	0x59, 0x73, 0xb3, 0x1d, 0x79, 0x09, 0x9b, 0xa1, 0xff, 0x9c, 0x8f, 0x91, 0xf5, 0xcd, 0x08, 0x61,
+	0xaf, 0x9b, 0xdc, 0xdc, 0x5a, 0xf1, 0x87, 0x3b, 0xc3, 0xb2, 0xa0, 0xb9, 0xae, 0xde, 0xf6, 0xfc,
+	0x74, 0x6f, 0x73, 0x38, 0x28, 0xe1, 0xee, 0x79, 0x7b, 0xcd, 0x19, 0x90, 0x65, 0xbd, 0x15, 0xd7,
+	0xfc, 0xf8, 0x7c, 0x53, 0x7d, 0xfc, 0xaf, 0x4d, 0x95, 0xce, 0x40, 0x4e, 0x31, 0xc4, 0xe9, 0x61,
+	0xc2, 0x31, 0xf6, 0x4b, 0xf5, 0xd1, 0xfd, 0x06, 0x1a, 0xf9, 0x4c, 0xf0, 0x0c, 0xc5, 0x34, 0xf4,
+	0x90, 0x7c, 0x09, 0x95, 0x07, 0xa8, 0xc8, 0xce, 0xd2, 0xd0, 0x60, 0x06, 0xa5, 0xe6, 0xf6, 0x12,
+	0xde, 0xb2, 0x7f, 0xf8, 0xf3, 0xef, 0x9f, 0x2f, 0x10, 0xb2, 0x65, 0x86, 0xbf, 0xe9, 0x41, 0x31,
+	0x78, 0xf5, 0xfa, 0xbf, 0xcf, 0x77, 0xad, 0x3f, 0xe6, 0xbb, 0xd6, 0x5f, 0xf3, 0x5d, 0xeb, 0xeb,
+	0x8f, 0xfe, 0xdf, 0x10, 0x98, 0xde, 0x61, 0x61, 0xe4, 0x78, 0xdd, 0x8c, 0x6c, 0x77, 0xfe, 0x09,
+	0x00, 0x00, 0xff, 0xff, 0xf0, 0x33, 0x47, 0xc2, 0xa1, 0x0a, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -882,6 +891,18 @@ func (m *Settings) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if m.AppsInAnyNamespaceEnabled {
+		i--
+		if m.AppsInAnyNamespaceEnabled {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x1
+		i--
+		dAtA[i] = 0xc0
+	}
 	if len(m.ControllerNamespace) > 0 {
 		i -= len(m.ControllerNamespace)
 		copy(dAtA[i:], m.ControllerNamespace)
@@ -1576,6 +1597,9 @@ func (m *Settings) Size() (n int) {
 	if l > 0 {
 		n += 2 + l + sovSettings(uint64(l))
 	}
+	if m.AppsInAnyNamespaceEnabled {
+		n += 3
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -2625,6 +2649,26 @@ func (m *Settings) Unmarshal(dAtA []byte) error {
 			}
 			m.ControllerNamespace = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 24:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field AppsInAnyNamespaceEnabled", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowSettings
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.AppsInAnyNamespaceEnabled = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipSettings(dAtA[iNdEx:])

pkg/apis/application/v1alpha1/applicationset_types.go

@@ -46,6 +46,11 @@ type ApplicationSet struct {
 	Status            ApplicationSetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
 }
 
+// RBACName formats fully qualified application name for RBAC check.
+func (a *ApplicationSet) RBACName() string {
+	return fmt.Sprintf("%s/%s", a.Spec.Template.Spec.GetProject(), a.ObjectMeta.Name)
+}
+
 // ApplicationSetSpec represents a class of application set state.
 type ApplicationSetSpec struct {
 	GoTemplate bool                      `json:"goTemplate,omitempty" protobuf:"bytes,1,name=goTemplate"`

pkg/apis/application/v1alpha1/repository_types.go

@@ -177,7 +177,7 @@ func (repo *Repository) GetGitCreds(store git.CredsStore) git.Creds {
 		return git.NewSSHCreds(repo.SSHPrivateKey, getCAPath(repo.Repo), repo.IsInsecure(), store)
 	}
 	if repo.GithubAppPrivateKey != "" && repo.GithubAppId != 0 && repo.GithubAppInstallationId != 0 {
-		return git.NewGitHubAppCreds(repo.GithubAppId, repo.GithubAppInstallationId, repo.GithubAppPrivateKey, repo.GitHubAppEnterpriseBaseURL, repo.Repo, repo.TLSClientCertData, repo.TLSClientCertKey, repo.IsInsecure(), store)
+		return git.NewGitHubAppCreds(repo.GithubAppId, repo.GithubAppInstallationId, repo.GithubAppPrivateKey, repo.GitHubAppEnterpriseBaseURL, repo.Repo, repo.TLSClientCertData, repo.TLSClientCertKey, repo.IsInsecure(), repo.Proxy, store)
 	}
 	return git.NopCreds{}
 }

pkg/apis/application/v1alpha1/types.go

@@ -34,6 +34,7 @@ import (
 
 	"github.com/argoproj/argo-cd/v2/util/collections"
 	"github.com/argoproj/argo-cd/v2/util/helm"
+	"github.com/argoproj/argo-cd/v2/util/security"
 )
 
 // Application is a definition of Application resource.
@@ -2562,9 +2563,5 @@ func (a *Application) QualifiedName() string {
 // RBACName returns the full qualified RBAC resource name for the application
 // in a backwards-compatible way.
 func (a *Application) RBACName(defaultNS string) string {
-	if defaultNS != "" && a.Namespace != defaultNS && a.Namespace != "" {
-		return fmt.Sprintf("%s/%s/%s", a.Spec.GetProject(), a.Namespace, a.Name)
-	} else {
-		return fmt.Sprintf("%s/%s", a.Spec.GetProject(), a.Name)
-	}
+	return security.AppRBACName(defaultNS, a.Spec.GetProject(), a.Namespace, a.Name)
 }

reposerver/repository/repository.go

@@ -819,6 +819,32 @@ func runHelmBuild(appPath string, h helm.Helm) error {
 	return os.WriteFile(markerFile, []byte("marker"), 0644)
 }
 
+func populateRequestRepos(appPath string, q *apiclient.ManifestRequest) error {
+	repos, err := getHelmDependencyRepos(appPath)
+	if err != nil {
+		return err
+	}
+
+	for _, r := range repos {
+		if !repoExists(r.Repo, q.Repos) {
+			repositoryCredential := getRepoCredential(q.HelmRepoCreds, r.Repo)
+			if repositoryCredential != nil {
+				if repositoryCredential.EnableOCI {
+					r.Repo = strings.TrimPrefix(r.Repo, ociPrefix)
+				}
+				r.EnableOCI = repositoryCredential.EnableOCI
+				r.Password = repositoryCredential.Password
+				r.Username = repositoryCredential.Username
+				r.SSHPrivateKey = repositoryCredential.SSHPrivateKey
+				r.TLSClientCertData = repositoryCredential.TLSClientCertData
+				r.TLSClientCertKey = repositoryCredential.TLSClientCertKey
+			}
+			q.Repos = append(q.Repos, r)
+		}
+	}
+	return nil
+}
+
 func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclient.ManifestRequest, isLocal bool) ([]*unstructured.Unstructured, error) {
 	concurrencyAllowed := isConcurrencyAllowed(appPath)
 	if !concurrencyAllowed {
@@ -856,7 +882,7 @@ func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclie
 		for _, val := range appHelm.ValueFiles {
 
 			// This will resolve val to an absolute path (or an URL)
-			path, isRemote, err := pathutil.ResolveFilePath(appPath, repoRoot, env.Envsubst(val), q.GetValuesFileSchemes())
+			path, isRemote, err := pathutil.ResolveValueFilePathOrUrl(appPath, repoRoot, env.Envsubst(val), q.GetValuesFileSchemes())
 			if err != nil {
 				return nil, err
 			}
@@ -896,7 +922,7 @@ func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclie
 			}
 		}
 		for _, p := range appHelm.FileParameters {
-			resolvedPath, _, err := pathutil.ResolveFilePath(appPath, repoRoot, env.Envsubst(p.Path), q.GetValuesFileSchemes())
+			resolvedPath, _, err := pathutil.ResolveValueFilePathOrUrl(appPath, repoRoot, env.Envsubst(p.Path), q.GetValuesFileSchemes())
 			if err != nil {
 				return nil, err
 			}
@@ -915,24 +941,8 @@ func helmTemplate(appPath string, repoRoot string, env *v1alpha1.Env, q *apiclie
 		templateOpts.SetString[i] = env.Envsubst(j)
 	}
 
-	repos, err := getHelmDependencyRepos(appPath)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, r := range repos {
-		if !repoExists(r.Repo, q.Repos) {
-			repositoryCredential := getRepoCredential(q.HelmRepoCreds, r.Repo)
-			if repositoryCredential != nil {
-				r.EnableOCI = repositoryCredential.EnableOCI
-				r.Password = repositoryCredential.Password
-				r.Username = repositoryCredential.Username
-				r.SSHPrivateKey = repositoryCredential.SSHPrivateKey
-				r.TLSClientCertData = repositoryCredential.TLSClientCertData
-				r.TLSClientCertKey = repositoryCredential.TLSClientCertKey
-			}
-			q.Repos = append(q.Repos, r)
-		}
+	if err := populateRequestRepos(appPath, q); err != nil {
+		return nil, fmt.Errorf("failed parsing dependencies: %v", err)
 	}
 
 	var proxy string
@@ -1504,7 +1514,7 @@ func makeJsonnetVm(appPath string, repoRoot string, sourceJsonnet v1alpha1.Appli
 	jpaths := []string{appPath}
 	for _, p := range sourceJsonnet.Libs {
 		// the jsonnet library path is relative to the repository root, not application path
-		jpath, _, err := pathutil.ResolveFilePath(repoRoot, repoRoot, p, nil)
+		jpath, err := pathutil.ResolveFileOrDirectoryPath(repoRoot, repoRoot, p)
 		if err != nil {
 			return nil, err
 		}
@@ -1635,6 +1645,11 @@ func runConfigManagementPluginSidecars(ctx context.Context, appPath, repoPath st
 	for _, manifestString := range cmpManifests.Manifests {
 		manifestObjs, err := kube.SplitYAML([]byte(manifestString))
 		if err != nil {
+			sanitizedManifestString := manifestString
+			if len(manifestString) > 1000 {
+				sanitizedManifestString = sanitizedManifestString[:1000]
+			}
+			log.Debugf("Failed to convert generated manifests. Beginning of generated manifests: %q", sanitizedManifestString)
 			return nil, fmt.Errorf("failed to convert CMP manifests to unstructured objects: %s", err.Error())
 		}
 		manifests = append(manifests, manifestObjs...)
@@ -1747,7 +1762,7 @@ func populateHelmAppDetails(res *apiclient.RepoAppDetailsResponse, appPath strin
 		return err
 	}
 
-	if resolvedValuesPath, _, err := pathutil.ResolveFilePath(appPath, repoRoot, "values.yaml", []string{}); err == nil {
+	if resolvedValuesPath, _, err := pathutil.ResolveValueFilePathOrUrl(appPath, repoRoot, "values.yaml", []string{}); err == nil {
 		if err := loadFileIntoIfExists(resolvedValuesPath, &res.Helm.Values); err != nil {
 			return err
 		}
@@ -1757,7 +1772,7 @@ func populateHelmAppDetails(res *apiclient.RepoAppDetailsResponse, appPath strin
 	var resolvedSelectedValueFiles []pathutil.ResolvedFilePath
 	// drop not allowed values files
 	for _, file := range selectedValueFiles {
-		if resolvedFile, _, err := pathutil.ResolveFilePath(appPath, repoRoot, file, q.GetValuesFileSchemes()); err == nil {
+		if resolvedFile, _, err := pathutil.ResolveValueFilePathOrUrl(appPath, repoRoot, file, q.GetValuesFileSchemes()); err == nil {
 			resolvedSelectedValueFiles = append(resolvedSelectedValueFiles, resolvedFile)
 		} else {
 			log.Warnf("Values file %s is not allowed: %v", file, err)

reposerver/repository/repository_test.go

@@ -47,14 +47,14 @@ gpg:                using RSA key 4AEE18F83AFDEB23
 gpg: Good signature from "GitHub (web-flow commit signing) <noreply@github.com>" [ultimate]
 `
 
-type clientFunc func(*gitmocks.Client)
+type clientFunc func(*gitmocks.Client, *helmmocks.Client)
 
 func newServiceWithMocks(root string, signed bool) (*Service, *gitmocks.Client) {
 	root, err := filepath.Abs(root)
 	if err != nil {
 		panic(err)
 	}
-	return newServiceWithOpt(func(gitClient *gitmocks.Client) {
+	return newServiceWithOpt(func(gitClient *gitmocks.Client, helmClient *helmmocks.Client) {
 		gitClient.On("Init").Return(nil)
 		gitClient.On("Fetch", mock.Anything).Return(nil)
 		gitClient.On("Checkout", mock.Anything, mock.Anything).Return(nil)
@@ -66,31 +66,32 @@ func newServiceWithMocks(root string, signed bool) (*Service, *gitmocks.Client)
 		} else {
 			gitClient.On("VerifyCommitSignature", mock.Anything).Return("", nil)
 		}
+
+		chart := "my-chart"
+		oobChart := "out-of-bounds-chart"
+		version := "1.1.0"
+		helmClient.On("GetIndex", true).Return(&helm.Index{Entries: map[string]helm.Entries{
+			chart:    {{Version: "1.0.0"}, {Version: version}},
+			oobChart: {{Version: "1.0.0"}, {Version: version}},
+		}}, nil)
+		helmClient.On("ExtractChart", chart, version).Return("./testdata/my-chart", io.NopCloser, nil)
+		helmClient.On("ExtractChart", oobChart, version).Return("./testdata2/out-of-bounds-chart", io.NopCloser, nil)
+		helmClient.On("CleanChartCache", chart, version).Return(nil)
+		helmClient.On("CleanChartCache", oobChart, version).Return(nil)
+		helmClient.On("DependencyBuild").Return(nil)
 	}, root)
 }
 
 func newServiceWithOpt(cf clientFunc, root string) (*Service, *gitmocks.Client) {
 	helmClient := &helmmocks.Client{}
 	gitClient := &gitmocks.Client{}
-	cf(gitClient)
+	cf(gitClient, helmClient)
 	service := NewService(metrics.NewMetricsServer(), cache.NewCache(
 		cacheutil.NewCache(cacheutil.NewInMemoryCache(1*time.Minute)),
 		1*time.Minute,
 		1*time.Minute,
 	), RepoServerInitConstants{ParallelismLimit: 1}, argo.NewResourceTracking(), &git.NoopCredsStore{}, root)
 
-	chart := "my-chart"
-	oobChart := "out-of-bounds-chart"
-	version := "1.1.0"
-	helmClient.On("GetIndex", true).Return(&helm.Index{Entries: map[string]helm.Entries{
-		chart:    {{Version: "1.0.0"}, {Version: version}},
-		oobChart: {{Version: "1.0.0"}, {Version: version}},
-	}}, nil)
-	helmClient.On("ExtractChart", chart, version).Return("./testdata/my-chart", io.NopCloser, nil)
-	helmClient.On("ExtractChart", oobChart, version).Return("./testdata2/out-of-bounds-chart", io.NopCloser, nil)
-	helmClient.On("CleanChartCache", chart, version).Return(nil)
-	helmClient.On("CleanChartCache", oobChart, version).Return(nil)
-
 	service.newGitClient = func(rawRepoURL string, root string, creds git.Creds, insecure bool, enableLfs bool, prosy string, opts ...git.ClientOpts) (client git.Client, e error) {
 		return gitClient, nil
 	}
@@ -121,7 +122,7 @@ func newServiceWithCommitSHA(root, revision string) *Service {
 		revisionErr = errors.New("not a commit SHA")
 	}
 
-	service, gitClient := newServiceWithOpt(func(gitClient *gitmocks.Client) {
+	service, gitClient := newServiceWithOpt(func(gitClient *gitmocks.Client, helmClient *helmmocks.Client) {
 		gitClient.On("Init").Return(nil)
 		gitClient.On("Fetch", mock.Anything).Return(nil)
 		gitClient.On("Checkout", mock.Anything, mock.Anything).Return(nil)
@@ -342,6 +343,27 @@ func TestGenerateJsonnetManifestInDir(t *testing.T) {
 	assert.Equal(t, 2, len(res1.Manifests))
 }
 
+func TestGenerateJsonnetManifestInRootDir(t *testing.T) {
+	service := newService("testdata/jsonnet-1")
+
+	q := apiclient.ManifestRequest{
+		Repo: &argoappv1.Repository{},
+		ApplicationSource: &argoappv1.ApplicationSource{
+			Path: ".",
+			Directory: &argoappv1.ApplicationSourceDirectory{
+				Jsonnet: argoappv1.ApplicationSourceJsonnet{
+					ExtVars: []argoappv1.JsonnetVar{{Name: "extVarString", Value: "extVarString"}, {Name: "extVarCode", Value: "\"extVarCode\"", Code: true}},
+					TLAs:    []argoappv1.JsonnetVar{{Name: "tlaString", Value: "tlaString"}, {Name: "tlaCode", Value: "\"tlaCode\"", Code: true}},
+					Libs:    []string{"."},
+				},
+			},
+		},
+	}
+	res1, err := service.GenerateManifest(context.Background(), &q)
+	assert.Nil(t, err)
+	assert.Equal(t, 2, len(res1.Manifests))
+}
+
 func TestGenerateJsonnetLibOutside(t *testing.T) {
 	service := newService(".")
 
@@ -358,7 +380,7 @@ func TestGenerateJsonnetLibOutside(t *testing.T) {
 	}
 	_, err := service.GenerateManifest(context.Background(), &q)
 	require.Error(t, err)
-	require.Contains(t, err.Error(), "value file '../../../testdata/jsonnet/vendor' resolved to outside repository root")
+	require.Contains(t, err.Error(), "file '../../../testdata/jsonnet/vendor' resolved to outside repository root")
 }
 
 func TestManifestGenErrorCacheByNumRequests(t *testing.T) {
@@ -1169,6 +1191,7 @@ func TestListApps(t *testing.T) {
 		"kustomization_yml":                 "Kustomize",
 		"my-chart":                          "Helm",
 		"my-chart-2":                        "Helm",
+		"oci-dependencies":                  "Helm",
 		"out-of-bounds-values-file-link":    "Helm",
 		"values-files":                      "Helm",
 	}
@@ -2498,3 +2521,18 @@ func Test_populateHelmAppDetails_values_symlinks(t *testing.T) {
 		assert.Empty(t, res.Helm.Parameters)
 	})
 }
+
+func TestOCIDependencies(t *testing.T) {
+	src := argoappv1.ApplicationSource{Path: "."}
+	q := apiclient.ManifestRequest{Repo: &argoappv1.Repository{}, ApplicationSource: &src, HelmRepoCreds: []*argoappv1.RepoCreds{
+		{URL: "example.com", Username: "test", Password: "test", EnableOCI: true},
+	}}
+
+	err := populateRequestRepos("./testdata/oci-dependencies", &q)
+	assert.Nil(t, err)
+
+	assert.Equal(t, len(q.Repos), 1)
+	assert.Equal(t, q.Repos[0].Username, "test")
+	assert.Equal(t, q.Repos[0].EnableOCI, true)
+	assert.Equal(t, q.Repos[0].Repo, "example.com")
+}

reposerver/repository/testdata/jsonnet-1/guestbook-ui.jsonnet

@@ -0,0 +1,47 @@
+local service = import 'vendor/nested/service.libsonnet';
+local params = import 'params.libsonnet';
+
+function(tlaString, tlaCode)
+  [
+    service.new(params),
+    {
+      apiVersion: 'apps/v1beta2',
+      kind: 'Deployment',
+      metadata: {
+        name: params.name,
+      },
+      spec: {
+        replicas: params.replicas,
+        selector: {
+          matchLabels: {
+            app: params.name,
+          },
+        },
+        template: {
+          metadata: {
+            labels: {
+              app: params.name,
+              tlaString: tlaString,
+              tlaCode: tlaCode,
+              extVarString: std.extVar('extVarString'),
+              extVarCode: std.extVar('extVarCode'),
+            },
+          },
+          spec: {
+            containers: [
+              {
+                image: params.image,
+                name: params.name,
+                ports: [
+                  {
+                    containerPort: params.containerPort,
+                  },
+                ],
+              },
+            ],
+          },
+        },
+      },
+    },
+    null,
+  ]

reposerver/repository/testdata/jsonnet-1/params.libsonnet

@@ -0,0 +1,8 @@
+{
+  containerPort: 80,
+  image: "gcr.io/heptio-images/ks-guestbook-demo:0.2",
+  name: "guestbook-ui",
+  replicas: 1,
+  servicePort: 80,
+  type: "ClusterIP",
+}

reposerver/repository/testdata/jsonnet-1/vendor/nested/service.libsonnet

@@ -0,0 +1,23 @@
+local new(params) = {
+  apiVersion: 'v1',
+  kind: 'Service',
+  metadata: {
+    name: params.name,
+  },
+  spec: {
+    ports: [
+      {
+        port: params.servicePort,
+        targetPort: params.containerPort,
+      },
+    ],
+    selector: {
+      app: params.name,
+    },
+    type: params.type,
+  },
+};
+
+{
+  new:: new,
+}

reposerver/repository/testdata/oci-dependencies/Chart.yaml

@@ -0,0 +1,6 @@
+name: my-chart
+version: 1.1.0
+dependencies:
+- name: my-dependency
+  repository: oci://example.com
+  version: '*'

server/application/application.go

@@ -54,6 +54,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/lua"
 	"github.com/argoproj/argo-cd/v2/util/manifeststream"
 	"github.com/argoproj/argo-cd/v2/util/rbac"
+	"github.com/argoproj/argo-cd/v2/util/security"
 	"github.com/argoproj/argo-cd/v2/util/session"
 	"github.com/argoproj/argo-cd/v2/util/settings"
 )
@@ -210,7 +211,7 @@ func (s *Server) Create(ctx context.Context, q *application.ApplicationCreateReq
 	appNs := s.appNamespaceOrDefault(a.Namespace)
 
 	if !s.isNamespaceEnabled(appNs) {
-		return nil, namespaceNotPermittedError(appNs)
+		return nil, security.NamespaceNotPermittedError(appNs)
 	}
 
 	created, err := s.appclientset.ArgoprojV1alpha1().Applications(appNs).Create(ctx, a, metav1.CreateOptions{})
@@ -342,7 +343,7 @@ func (s *Server) GetManifests(ctx context.Context, q *application.ApplicationMan
 	}
 
 	if !s.isNamespaceEnabled(a.Namespace) {
-		return nil, namespaceNotPermittedError(a.Namespace)
+		return nil, security.NamespaceNotPermittedError(a.Namespace)
 	}
 
 	var manifestInfo *apiclient.ManifestResponse
@@ -2289,9 +2290,5 @@ func (s *Server) appNamespaceOrDefault(appNs string) string {
 }
 
 func (s *Server) isNamespaceEnabled(namespace string) bool {
-	return namespace == s.ns || glob.MatchStringInList(s.enabledNamespaces, namespace, false)
-}
-
-func namespaceNotPermittedError(namespace string) error {
-	return fmt.Errorf("namespace '%s' is not permitted", namespace)
+	return security.IsNamespaceEnabled(namespace, s.ns, s.enabledNamespaces)
 }

server/application/terminal.go

@@ -2,7 +2,6 @@ package application
 
 import (
 	"context"
-	"fmt"
 	"io"
 	"net/http"
 
@@ -24,6 +23,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/argo"
 	"github.com/argoproj/argo-cd/v2/util/db"
 	"github.com/argoproj/argo-cd/v2/util/rbac"
+	"github.com/argoproj/argo-cd/v2/util/security"
 	sessionmgr "github.com/argoproj/argo-cd/v2/util/session"
 )
 
@@ -35,10 +35,11 @@ type terminalHandler struct {
 	appResourceTreeFn func(ctx context.Context, app *appv1.Application) (*appv1.ApplicationTree, error)
 	allowedShells     []string
 	namespace         string
+	enabledNamespaces []string
 }
 
 // NewHandler returns a new terminal handler.
-func NewHandler(appLister applisters.ApplicationLister, namespace string, db db.ArgoDB, enf *rbac.Enforcer, cache *servercache.Cache,
+func NewHandler(appLister applisters.ApplicationLister, namespace string, enabledNamespaces []string, db db.ArgoDB, enf *rbac.Enforcer, cache *servercache.Cache,
 	appResourceTree AppResourceTreeFn, allowedShells []string) *terminalHandler {
 	return &terminalHandler{
 		appLister:         appLister,
@@ -48,6 +49,7 @@ func NewHandler(appLister applisters.ApplicationLister, namespace string, db db.
 		appResourceTreeFn: appResourceTree,
 		allowedShells:     allowedShells,
 		namespace:         namespace,
+		enabledNamespaces: enabledNamespaces,
 	}
 }
 
@@ -107,6 +109,8 @@ func (s *terminalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	appNamespace := q.Get("appNamespace")
+
 	if !isValidPodName(podName) {
 		http.Error(w, "Pod name is not valid", http.StatusBadRequest)
 		return
@@ -127,11 +131,26 @@ func (s *terminalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "Namespace name is not valid", http.StatusBadRequest)
 		return
 	}
+	if !isValidNamespaceName(appNamespace) {
+		http.Error(w, "App namespace name is not valid", http.StatusBadRequest)
+		return
+	}
+
+	ns := appNamespace
+	if ns == "" {
+		ns = s.namespace
+	}
+
+	if !security.IsNamespaceEnabled(ns, s.namespace, s.enabledNamespaces) {
+		http.Error(w, security.NamespaceNotPermittedError(ns).Error(), http.StatusForbidden)
+		return
+	}
+
 	shell := q.Get("shell") // No need to validate. Will only be used if it's in the allow-list.
 
 	ctx := r.Context()
 
-	appRBACName := fmt.Sprintf("%s/%s", project, app)
+	appRBACName := security.AppRBACName(s.namespace, project, appNamespace, app)
 	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplications, rbacpolicy.ActionGet, appRBACName); err != nil {
 		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
@@ -143,9 +162,9 @@ func (s *terminalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	fieldLog := log.WithFields(log.Fields{"application": app, "userName": sessionmgr.Username(ctx), "container": container,
-		"podName": podName, "namespace": namespace, "cluster": project})
+		"podName": podName, "namespace": namespace, "project": project, "appNamespace": appNamespace})
 
-	a, err := s.appLister.Applications(s.namespace).Get(app)
+	a, err := s.appLister.Applications(ns).Get(app)
 	if err != nil {
 		if apierr.IsNotFound(err) {
 			http.Error(w, "App not found", http.StatusNotFound)

server/application/terminal_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	appv1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/argoproj/argo-cd/v2/util/security"
 )
 
 func TestPodExists(t *testing.T) {
@@ -195,24 +196,24 @@ func TestTerminalHandler_ServeHTTP_empty_params(t *testing.T) {
 		for _, testValue := range testValues {
 			testValueCopy := testValue
 
-			t.Run(testKeyCopy+ " " + testValueCopy, func(t *testing.T) {
+			t.Run(testKeyCopy+" "+testValueCopy, func(t *testing.T) {
 				t.Parallel()
 
 				handler := terminalHandler{}
 				params := map[string]string{
-					"pod": "valid",
+					"pod":       "valid",
 					"container": "valid",
-					"app": "valid",
-					"project": "valid",
+					"app":       "valid",
+					"project":   "valid",
 					"namespace": "valid",
 				}
 				params[testKeyCopy] = testValueCopy
 				var paramsArray []string
 				for key, value := range params {
-					paramsArray = append(paramsArray, key + "=" + value)
+					paramsArray = append(paramsArray, key+"="+value)
 				}
 				paramsString := strings.Join(paramsArray, "&")
-				request := httptest.NewRequest("GET", "https://argocd.example.com/api/v1/terminal?" + paramsString, nil)
+				request := httptest.NewRequest("GET", "https://argocd.example.com/api/v1/terminal?"+paramsString, nil)
 				recorder := httptest.NewRecorder()
 				handler.ServeHTTP(recorder, request)
 				response := recorder.Result()
@@ -221,3 +222,13 @@ func TestTerminalHandler_ServeHTTP_empty_params(t *testing.T) {
 		}
 	}
 }
+
+func TestTerminalHandler_ServeHTTP_disallowed_namespace(t *testing.T) {
+	handler := terminalHandler{namespace: "argocd", enabledNamespaces: []string{"allowed"}}
+	request := httptest.NewRequest("GET", "https://argocd.example.com/api/v1/terminal?pod=valid&container=valid&appName=valid&projectName=valid&namespace=test&appNamespace=disallowed", nil)
+	recorder := httptest.NewRecorder()
+	handler.ServeHTTP(recorder, request)
+	response := recorder.Result()
+	assert.Equal(t, http.StatusForbidden, response.StatusCode)
+	assert.Equal(t, security.NamespaceNotPermittedError("disallowed").Error()+"\n", recorder.Body.String())
+}

server/applicationset/applicationset.go

@@ -27,7 +27,6 @@ import (
 	applisters "github.com/argoproj/argo-cd/v2/pkg/client/listers/application/v1alpha1"
 	servercache "github.com/argoproj/argo-cd/v2/server/cache"
 	"github.com/argoproj/argo-cd/v2/server/rbacpolicy"
-	apputil "github.com/argoproj/argo-cd/v2/util/appset"
 	"github.com/argoproj/argo-cd/v2/util/argo"
 	argoutil "github.com/argoproj/argo-cd/v2/util/argo"
 	"github.com/argoproj/argo-cd/v2/util/db"
@@ -89,7 +88,7 @@ func (s *Server) Get(ctx context.Context, q *applicationset.ApplicationSetGetQue
 	if err != nil {
 		return nil, fmt.Errorf("error getting ApplicationSet: %w", err)
 	}
-	if err = s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionGet, apputil.AppSetRBACName(a)); err != nil {
+	if err = s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionGet, a.RBACName()); err != nil {
 		return nil, err
 	}
 
@@ -111,7 +110,7 @@ func (s *Server) List(ctx context.Context, q *applicationset.ApplicationSetListQ
 
 	newItems := make([]v1alpha1.ApplicationSet, 0)
 	for _, a := range appsetList.Items {
-		if s.enf.Enforce(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionGet, apputil.AppSetRBACName(&a)) {
+		if s.enf.Enforce(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionGet, a.RBACName()) {
 			newItems = append(newItems, a)
 		}
 	}
@@ -182,7 +181,7 @@ func (s *Server) Create(ctx context.Context, q *applicationset.ApplicationSetCre
 	if !q.Upsert {
 		return nil, status.Errorf(codes.InvalidArgument, "existing ApplicationSet spec is different, use upsert flag to force update")
 	}
-	if err = s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionUpdate, apputil.AppSetRBACName(appset)); err != nil {
+	if err = s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionUpdate, appset.RBACName()); err != nil {
 		return nil, err
 	}
 	updated, err := s.updateAppSet(existing, appset, ctx, true)
@@ -210,11 +209,11 @@ func (s *Server) updateAppSet(appset *v1alpha1.ApplicationSet, newAppset *v1alph
 	if appset != nil && appset.Spec.Template.Spec.Project != newAppset.Spec.Template.Spec.Project {
 		// When changing projects, caller must have applicationset create and update privileges in new project
 		// NOTE: the update check was already verified in the caller to this function
-		if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionCreate, apputil.AppSetRBACName(newAppset)); err != nil {
+		if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionCreate, newAppset.RBACName()); err != nil {
 			return nil, err
 		}
 		// They also need 'update' privileges in the old project
-		if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionUpdate, apputil.AppSetRBACName(appset)); err != nil {
+		if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionUpdate, appset.RBACName()); err != nil {
 			return nil, err
 		}
 	}
@@ -254,7 +253,7 @@ func (s *Server) Delete(ctx context.Context, q *applicationset.ApplicationSetDel
 		return nil, fmt.Errorf("error getting ApplicationSets: %w", err)
 	}
 
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionDelete, apputil.AppSetRBACName(appset)); err != nil {
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionDelete, appset.RBACName()); err != nil {
 		return nil, err
 	}
 
@@ -290,7 +289,7 @@ func (s *Server) validateAppSet(ctx context.Context, appset *v1alpha1.Applicatio
 
 func (s *Server) checkCreatePermissions(ctx context.Context, appset *v1alpha1.ApplicationSet, projectName string) error {
 
-	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionCreate, apputil.AppSetRBACName(appset)); err != nil {
+	if err := s.enf.EnforceErr(ctx.Value("claims"), rbacpolicy.ResourceApplicationSets, rbacpolicy.ActionCreate, appset.RBACName()); err != nil {
 		return err
 	}
 

server/cluster/cluster.go

@@ -1,6 +1,7 @@
 package cluster
 
 import (
+	"net/url"
 	"time"
 
 	"context"
@@ -145,6 +146,12 @@ func (s *Server) getCluster(ctx context.Context, q *cluster.ClusterQuery) (*appv
 		q.Name = ""
 		if q.Id.Type == "name" {
 			q.Name = q.Id.Value
+		} else if q.Id.Type == "name_escaped" {
+			nameUnescaped, err := url.QueryUnescape(q.Id.Value)
+			if err != nil {
+				return nil, err
+			}
+			q.Name = nameUnescaped
 		} else {
 			q.Server = q.Id.Value
 		}

server/cluster/cluster_test.go

@@ -49,6 +49,66 @@ func newNoopEnforcer() *rbac.Enforcer {
 	return enf
 }
 
+func TestGetCluster_UrlEncodedName(t *testing.T) {
+	db := &dbmocks.ArgoDB{}
+
+	mockCluster := v1alpha1.Cluster{
+		Name:       "test/ing",
+		Server:     "https://127.0.0.1",
+		Namespaces: []string{"default", "kube-system"},
+	}
+	mockClusterList := v1alpha1.ClusterList{
+		ListMeta: v1.ListMeta{},
+		Items: []v1alpha1.Cluster{
+			mockCluster,
+		},
+	}
+
+	db.On("ListClusters", mock.Anything).Return(&mockClusterList, nil)
+
+	server := NewServer(db, newNoopEnforcer(), newServerInMemoryCache(), &kubetest.MockKubectlCmd{})
+
+	cluster, err := server.Get(context.Background(), &clusterapi.ClusterQuery{
+		Id: &clusterapi.ClusterID{
+			Type:  "name_escaped",
+			Value: "test%2fing",
+		},
+	})
+	require.NoError(t, err)
+
+	assert.Equal(t, cluster.Name, "test/ing")
+}
+
+func TestGetCluster_NameWithUrlEncodingButShouldNotBeUnescaped(t *testing.T) {
+	db := &dbmocks.ArgoDB{}
+
+	mockCluster := v1alpha1.Cluster{
+		Name:       "test%2fing",
+		Server:     "https://127.0.0.1",
+		Namespaces: []string{"default", "kube-system"},
+	}
+	mockClusterList := v1alpha1.ClusterList{
+		ListMeta: v1.ListMeta{},
+		Items: []v1alpha1.Cluster{
+			mockCluster,
+		},
+	}
+
+	db.On("ListClusters", mock.Anything).Return(&mockClusterList, nil)
+
+	server := NewServer(db, newNoopEnforcer(), newServerInMemoryCache(), &kubetest.MockKubectlCmd{})
+
+	cluster, err := server.Get(context.Background(), &clusterapi.ClusterQuery{
+		Id: &clusterapi.ClusterID{
+			Type:  "name",
+			Value: "test%2fing",
+		},
+	})
+	require.NoError(t, err)
+
+	assert.Equal(t, cluster.Name, "test%2fing")
+}
+
 func TestUpdateCluster_NoFieldsPaths(t *testing.T) {
 	db := &dbmocks.ArgoDB{}
 	var updated *v1alpha1.Cluster

server/project/project.go

@@ -20,6 +20,7 @@ import (
 	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/cache"
+	"k8s.io/client-go/util/retry"
 
 	"github.com/argoproj/argo-cd/v2/pkg/apiclient/project"
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -75,6 +76,16 @@ func validateProject(proj *v1alpha1.AppProject) error {
 
 // CreateToken creates a new token to access a project
 func (s *Server) CreateToken(ctx context.Context, q *project.ProjectTokenCreateRequest) (*project.ProjectTokenResponse, error) {
+	var resp *project.ProjectTokenResponse
+	err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+		var createErr error
+		resp, createErr = s.createToken(ctx, q)
+		return createErr
+	})
+	return resp, err
+}
+
+func (s *Server) createToken(ctx context.Context, q *project.ProjectTokenCreateRequest) (*project.ProjectTokenResponse, error) {
 	prj, err := s.appclientset.ArgoprojV1alpha1().AppProjects(s.ns).Get(ctx, q.Project, metav1.GetOptions{})
 	if err != nil {
 		return nil, err
@@ -146,6 +157,16 @@ func (s *Server) CreateToken(ctx context.Context, q *project.ProjectTokenCreateR
 
 // DeleteToken deletes a token in a project
 func (s *Server) DeleteToken(ctx context.Context, q *project.ProjectTokenDeleteRequest) (*project.EmptyResponse, error) {
+	var resp *project.EmptyResponse
+	err := retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+		var deleteErr error
+		resp, deleteErr = s.deleteToken(ctx, q)
+		return deleteErr
+	})
+	return resp, err
+}
+
+func (s *Server) deleteToken(ctx context.Context, q *project.ProjectTokenDeleteRequest) (*project.EmptyResponse, error) {
 	prj, err := s.appclientset.ArgoprojV1alpha1().AppProjects(s.ns).Get(ctx, q.Project, metav1.GetOptions{})
 	if err != nil {
 		return nil, err

server/repository/repository.go

@@ -12,6 +12,7 @@ import (
 	"google.golang.org/grpc/status"
 	apierr "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/tools/cache"
 
 	"github.com/argoproj/argo-cd/v2/common"
 	repositorypkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/repository"
@@ -36,8 +37,9 @@ type Server struct {
 	enf           *rbac.Enforcer
 	cache         *servercache.Cache
 	appLister     applisters.ApplicationLister
-	projLister    applisters.AppProjectNamespaceLister
+	projLister    cache.SharedIndexInformer
 	settings      *settings.SettingsManager
+	namespace     string
 }
 
 // NewServer returns a new instance of the Repository service
@@ -47,7 +49,8 @@ func NewServer(
 	enf *rbac.Enforcer,
 	cache *servercache.Cache,
 	appLister applisters.ApplicationLister,
-	projLister applisters.AppProjectNamespaceLister,
+	projLister cache.SharedIndexInformer,
+	namespace string,
 	settings *settings.SettingsManager,
 ) *Server {
 	return &Server{
@@ -57,6 +60,7 @@ func NewServer(
 		cache:         cache,
 		appLister:     appLister,
 		projLister:    projLister,
+		namespace:     namespace,
 		settings:      settings,
 	}
 }
@@ -247,7 +251,7 @@ func (s *Server) ListApps(ctx context.Context, q *repositorypkg.RepoAppsQuery) (
 		return nil, errPermissionDenied
 	}
 	// Also ensure the repo is actually allowed in the project in question
-	if err := s.isRepoPermittedInProject(q.Repo, q.AppProject); err != nil {
+	if err := s.isRepoPermittedInProject(ctx, q.Repo, q.AppProject); err != nil {
 		return nil, err
 	}
 
@@ -311,7 +315,7 @@ func (s *Server) GetAppDetails(ctx context.Context, q *repositorypkg.RepoAppDeta
 		}
 	}
 	// Ensure the repo is actually allowed in the project in question
-	if err := s.isRepoPermittedInProject(q.Source.RepoURL, q.AppProject); err != nil {
+	if err := s.isRepoPermittedInProject(ctx, q.Source.RepoURL, q.AppProject); err != nil {
 		return nil, err
 	}
 
@@ -538,8 +542,8 @@ func (s *Server) testRepo(ctx context.Context, repo *appsv1.Repository) error {
 	return err
 }
 
-func (s *Server) isRepoPermittedInProject(repo string, projName string) error {
-	proj, err := s.projLister.Get(projName)
+func (s *Server) isRepoPermittedInProject(ctx context.Context, repo string, projName string) error {
+	proj, err := argo.GetAppProjectByName(projName, applisters.NewAppProjectLister(s.projLister.GetIndexer()), s.namespace, s.settings, s.db, ctx)
 	if err != nil {
 		return err
 	}

server/repository/repository_test.go

@@ -16,6 +16,7 @@ import (
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/fake"
+	k8scache "k8s.io/client-go/tools/cache"
 
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/pkg/apiclient/repository"
@@ -123,7 +124,7 @@ var (
 	}
 )
 
-func newAppAndProjLister(objects ...runtime.Object) (applisters.ApplicationLister, applisters.AppProjectNamespaceLister) {
+func newAppAndProjLister(objects ...runtime.Object) (applisters.ApplicationLister, k8scache.SharedIndexInformer) {
 	fakeAppsClientset := fakeapps.NewSimpleClientset(objects...)
 	factory := appinformer.NewSharedInformerFactoryWithOptions(fakeAppsClientset, 0, appinformer.WithNamespace(""), appinformer.WithTweakListOptions(func(options *metav1.ListOptions) {}))
 	projInformer := factory.Argoproj().V1alpha1().AppProjects()
@@ -137,8 +138,7 @@ func newAppAndProjLister(objects ...runtime.Object) (applisters.ApplicationListe
 		}
 	}
 	appLister := appsInformer.Lister()
-	projLister := projInformer.Lister().AppProjects(testNamespace)
-	return appLister, projLister
+	return appLister, projInformer.Informer()
 }
 
 func Test_createRBACObject(t *testing.T) {
@@ -152,14 +152,14 @@ func TestRepositoryServer(t *testing.T) {
 	kubeclientset := fake.NewSimpleClientset(&argocdCM, &argocdSecret)
 	settingsMgr := settings.NewSettingsManager(context.Background(), kubeclientset, testNamespace)
 	enforcer := newEnforcer(kubeclientset)
-	appLister, projLister := newAppAndProjLister(defaultProj)
+	appLister, projInformer := newAppAndProjLister(defaultProj)
 	argoDB := db.NewDB("default", settingsMgr, kubeclientset)
 
 	t.Run("Test_getRepo", func(t *testing.T) {
 		repoServerClient := mocks.RepoServerServiceClient{}
 		repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
 
-		s := NewServer(&repoServerClientset, argoDB, enforcer, nil, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, argoDB, enforcer, nil, appLister, projInformer, testNamespace, settingsMgr)
 		url := "https://test"
 		repo, _ := s.getRepo(context.TODO(), url)
 		assert.Equal(t, repo.Repo, url)
@@ -170,7 +170,7 @@ func TestRepositoryServer(t *testing.T) {
 		repoServerClient.On("TestRepository", mock.Anything, mock.Anything).Return(&apiclient.TestRepositoryResponse{}, nil)
 		repoServerClientset := mocks.Clientset{RepoServerServiceClient: &repoServerClient}
 
-		s := NewServer(&repoServerClientset, argoDB, enforcer, nil, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, argoDB, enforcer, nil, appLister, projInformer, testNamespace, settingsMgr)
 		url := "https://test"
 		_, err := s.ValidateAccess(context.TODO(), &repository.RepoAccessQuery{
 			Repo: url,
@@ -188,7 +188,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
 		db.On("RepositoryExists", context.TODO(), url).Return(true, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -205,7 +205,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url).Return(nil, errors.New("some error"))
 		db.On("RepositoryExists", context.TODO(), url).Return(true, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -222,7 +222,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
 		db.On("RepositoryExists", context.TODO(), url).Return(false, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
 		repo, err := s.Get(context.TODO(), &repository.RepoQuery{
 			Repo: url,
 		})
@@ -242,7 +242,7 @@ func TestRepositoryServer(t *testing.T) {
 			Project: "proj",
 		}, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
 		repo, err := s.CreateRepository(context.TODO(), &repository.RepoCreateRequest{
 			Repo: &appsv1.Repository{
 				Repo:     "test",
@@ -266,7 +266,7 @@ func TestRepositoryServer(t *testing.T) {
 		db.On("CreateRepository", context.TODO(), mock.Anything).Return(nil, status.Errorf(codes.AlreadyExists, "repository already exists"))
 		db.On("UpdateRepository", context.TODO(), mock.Anything).Return(nil, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projInformer, testNamespace, settingsMgr)
 		repo, err := s.CreateRepository(context.TODO(), &repository.RepoCreateRequest{
 			Repo: &appsv1.Repository{
 				Repo:     "test",
@@ -296,7 +296,7 @@ func TestRepositoryServerListApps(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.ListApps(context.TODO(), &repository.RepoAppsQuery{
 			Repo:       "https://test",
 			Revision:   "HEAD",
@@ -317,13 +317,15 @@ func TestRepositoryServerListApps(t *testing.T) {
 		url := "https://test"
 		db := &dbmocks.ArgoDB{}
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
+		db.On("GetProjectRepositories", context.TODO(), "default").Return(nil, nil)
+		db.On("GetProjectClusters", context.TODO(), "default").Return(nil, nil)
 		repoServerClient.On("ListApps", context.TODO(), mock.Anything).Return(&apiclient.AppList{
 			Apps: map[string]string{
 				"path/to/dir": "Kustomize",
 			},
 		}, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.ListApps(context.TODO(), &repository.RepoAppsQuery{
 			Repo:       "https://test",
 			Revision:   "HEAD",
@@ -346,13 +348,15 @@ func TestRepositoryServerListApps(t *testing.T) {
 		url := "https://test"
 		db := &dbmocks.ArgoDB{}
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
+		db.On("GetProjectRepositories", context.TODO(), "default").Return(nil, nil)
+		db.On("GetProjectClusters", context.TODO(), "default").Return(nil, nil)
 		repoServerClient.On("ListApps", context.TODO(), mock.Anything).Return(&apiclient.AppList{
 			Apps: map[string]string{
 				"path/to/dir": "Kustomize",
 			},
 		}, nil)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.ListApps(context.TODO(), &repository.RepoAppsQuery{
 			Repo:       "https://test",
 			Revision:   "HEAD",
@@ -379,7 +383,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -402,7 +406,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -424,7 +428,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -444,11 +448,13 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db := &dbmocks.ArgoDB{}
 		db.On("ListHelmRepositories", context.TODO(), mock.Anything).Return(nil, nil)
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
+		db.On("GetProjectRepositories", context.TODO(), "default").Return(nil, nil)
+		db.On("GetProjectClusters", context.TODO(), "default").Return(nil, nil)
 		expectedResp := apiclient.RepoAppDetailsResponse{Type: "Directory"}
 		repoServerClient.On("GetAppDetails", context.TODO(), mock.Anything).Return(&expectedResp, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -467,11 +473,13 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		url := "https://test"
 		db := &dbmocks.ArgoDB{}
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
+		db.On("GetProjectRepositories", context.TODO(), "default").Return(nil, nil)
+		db.On("GetProjectClusters", context.TODO(), "default").Return(nil, nil)
 		expectedResp := apiclient.RepoAppDetailsResponse{Type: "Directory"}
 		repoServerClient.On("GetAppDetails", context.TODO(), mock.Anything).Return(&expectedResp, nil)
 		appLister, projLister := newAppAndProjLister(defaultProjNoSources)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source: &appsv1.ApplicationSource{
 				RepoURL: url,
@@ -491,11 +499,13 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db := &dbmocks.ArgoDB{}
 		db.On("ListHelmRepositories", context.TODO(), mock.Anything).Return(nil, nil)
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
+		db.On("GetProjectRepositories", context.TODO(), "default").Return(nil, nil)
+		db.On("GetProjectClusters", context.TODO(), "default").Return(nil, nil)
 		expectedResp := apiclient.RepoAppDetailsResponse{Type: "Directory"}
 		repoServerClient.On("GetAppDetails", context.TODO(), mock.Anything).Return(&expectedResp, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj, guestbookApp)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:     &guestbookApp.Spec.Source,
 			AppName:    "guestbook",
@@ -514,7 +524,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj, guestbookApp)
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:     &guestbookApp.Spec.Source,
 			AppName:    "guestbook",
@@ -535,7 +545,7 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		differentSource := guestbookApp.Spec.Source.DeepCopy()
 		differentSource.Helm.ValueFiles = []string{"/etc/passwd"}
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:     differentSource,
 			AppName:    "guestbook",
@@ -553,13 +563,15 @@ func TestRepositoryServerGetAppDetails(t *testing.T) {
 		db := &dbmocks.ArgoDB{}
 		db.On("GetRepository", context.TODO(), url).Return(&appsv1.Repository{Repo: url}, nil)
 		db.On("ListHelmRepositories", context.TODO(), mock.Anything).Return(nil, nil)
+		db.On("GetProjectRepositories", context.TODO(), "default").Return(nil, nil)
+		db.On("GetProjectClusters", context.TODO(), "default").Return(nil, nil)
 		expectedResp := apiclient.RepoAppDetailsResponse{Type: "Directory"}
 		repoServerClient.On("GetAppDetails", context.TODO(), mock.Anything).Return(&expectedResp, nil)
 		appLister, projLister := newAppAndProjLister(defaultProj, guestbookApp)
 		previousSource := guestbookApp.Status.History[0].Source.DeepCopy()
 		previousSource.TargetRevision = guestbookApp.Status.History[0].Revision
 
-		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, settingsMgr)
+		s := NewServer(&repoServerClientset, db, enforcer, newFixtures().Cache, appLister, projLister, testNamespace, settingsMgr)
 		resp, err := s.GetAppDetails(context.TODO(), &repository.RepoAppDetailsQuery{
 			Source:     previousSource,
 			AppName:    "guestbook",

server/server.go

@@ -2,6 +2,7 @@ package server
 
 import (
 	"context"
+	netCtx "context"
 	"crypto/tls"
 	"fmt"
 	goio "io"
@@ -24,8 +25,6 @@ import (
 	// nolint:staticcheck
 	golang_proto "github.com/golang/protobuf/proto"
 
-	netCtx "context"
-
 	"github.com/argoproj/notifications-engine/pkg/api"
 	"github.com/argoproj/pkg/sync"
 	"github.com/go-redis/redis/v8"
@@ -61,6 +60,8 @@ import (
 	accountpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/account"
 	applicationpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/application"
 
+	"github.com/pkg/errors"
+
 	applicationsetpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/applicationset"
 	certificatepkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/certificate"
 	clusterpkg "github.com/argoproj/argo-cd/v2/pkg/apiclient/cluster"
@@ -121,7 +122,6 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/swagger"
 	tlsutil "github.com/argoproj/argo-cd/v2/util/tls"
 	"github.com/argoproj/argo-cd/v2/util/webhook"
-	"github.com/pkg/errors"
 )
 
 const maxConcurrentLoginRequestsCountEnv = "ARGOCD_MAX_CONCURRENT_LOGIN_REQUESTS_COUNT"
@@ -707,7 +707,7 @@ func (a *ArgoCDServer) newGRPCServer() (*grpc.Server, application.AppResourceTre
 	grpcS := grpc.NewServer(sOpts...)
 	kubectl := kubeutil.NewKubectl()
 	clusterService := cluster.NewServer(a.db, a.enf, a.Cache, kubectl)
-	repoService := repository.NewServer(a.RepoClientset, a.db, a.enf, a.Cache, a.appLister, a.projLister, a.settingsMgr)
+	repoService := repository.NewServer(a.RepoClientset, a.db, a.enf, a.Cache, a.appLister, a.projInformer, a.Namespace, a.settingsMgr)
 	repoCredsService := repocreds.NewServer(a.RepoClientset, a.db, a.enf, a.settingsMgr)
 	var loginRateLimiter func() (io.Closer, error)
 	if maxConcurrentLoginRequestsCount > 0 {
@@ -733,7 +733,8 @@ func (a *ArgoCDServer) newGRPCServer() (*grpc.Server, application.AppResourceTre
 
 	applicationSetService := applicationset.NewServer(a.db, a.KubeClientset, a.enf, a.Cache, a.AppClientset, a.appLister, a.appsetInformer, a.appsetLister, a.projLister, a.settingsMgr, a.Namespace, projectLock)
 	projectService := project.NewServer(a.Namespace, a.KubeClientset, a.AppClientset, a.enf, projectLock, a.sessionMgr, a.policyEnforcer, a.projInformer, a.settingsMgr, a.db)
-	settingsService := settings.NewServer(a.settingsMgr, a, a.DisableAuth)
+	appsInAnyNamespaceEnabled := len(a.ArgoCDServerOpts.ApplicationNamespaces) > 0
+	settingsService := settings.NewServer(a.settingsMgr, a, a.DisableAuth, appsInAnyNamespaceEnabled)
 	accountService := account.NewServer(a.sessionMgr, a.settingsMgr, a.enf)
 
 	notificationService := notification.NewServer(a.apiFactory)
@@ -860,7 +861,7 @@ func (a *ArgoCDServer) newHTTPServer(ctx context.Context, port int, grpcWebHandl
 	}
 	mux.Handle("/api/", handler)
 
-	terminalHandler := application.NewHandler(a.appLister, a.Namespace, a.db, a.enf, a.Cache, appResourceTreeFn, a.settings.ExecShells)
+	terminalHandler := application.NewHandler(a.appLister, a.Namespace, a.ApplicationNamespaces, a.db, a.enf, a.Cache, appResourceTreeFn, a.settings.ExecShells)
 	mux.HandleFunc("/terminal", func(writer http.ResponseWriter, request *http.Request) {
 		argocdSettings, err := a.settingsMgr.GetSettings()
 		if err != nil {
@@ -898,6 +899,7 @@ func (a *ArgoCDServer) newHTTPServer(ctx context.Context, port int, grpcWebHandl
 	mustRegisterGWHandler(versionpkg.RegisterVersionServiceHandler, ctx, gwmux, conn)
 	mustRegisterGWHandler(clusterpkg.RegisterClusterServiceHandler, ctx, gwmux, conn)
 	mustRegisterGWHandler(applicationpkg.RegisterApplicationServiceHandler, ctx, gwmux, conn)
+	mustRegisterGWHandler(applicationsetpkg.RegisterApplicationSetServiceHandler, ctx, gwmux, conn)
 	mustRegisterGWHandler(notificationpkg.RegisterNotificationServiceHandler, ctx, gwmux, conn)
 	mustRegisterGWHandler(repositorypkg.RegisterRepositoryServiceHandler, ctx, gwmux, conn)
 	mustRegisterGWHandler(repocredspkg.RegisterRepoCredsServiceHandler, ctx, gwmux, conn)

server/server_test.go

@@ -34,6 +34,7 @@ import (
 	appstatecache "github.com/argoproj/argo-cd/v2/util/cache/appstate"
 	"github.com/argoproj/argo-cd/v2/util/rbac"
 	settings_util "github.com/argoproj/argo-cd/v2/util/settings"
+	testutil "github.com/argoproj/argo-cd/v2/util/test"
 )
 
 func fakeServer() (*ArgoCDServer, func()) {
@@ -522,7 +523,7 @@ func dexMockHandler(t *testing.T, url string) func(http.ResponseWriter, *http.Re
 	}
 }
 
-func getTestServer(t *testing.T, anonymousEnabled bool, withFakeSSO bool) (argocd *ArgoCDServer, dexURL string) {
+func getTestServer(t *testing.T, anonymousEnabled bool, withFakeSSO bool, useDexForSSO bool) (argocd *ArgoCDServer, oidcURL string) {
 	cm := test.NewFakeConfigMap()
 	if anonymousEnabled {
 		cm.Data["users.anonymous.enabled"] = "true"
@@ -533,9 +534,14 @@ func getTestServer(t *testing.T, anonymousEnabled bool, withFakeSSO bool) (argoc
 	ts.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		dexMockHandler(t, ts.URL)(w, r)
 	})
+	oidcServer := ts
+	if !useDexForSSO {
+		oidcServer = testutil.GetOIDCTestServer(t)
+	}
 	if withFakeSSO {
 		cm.Data["url"] = ts.URL
-		cm.Data["dex.config"] = `
+		if useDexForSSO {
+			cm.Data["dex.config"] = `
 connectors:
   # OIDC
   - type: OIDC
@@ -545,6 +551,19 @@ connectors:
     issuer: https://auth.example.gom
     clientID: test-client
     clientSecret: $dex.oidc.clientSecret`
+		} else {
+			oidcConfig := settings_util.OIDCConfig{
+				Name:         "Okta",
+				Issuer:       oidcServer.URL,
+				ClientID:     "argo-cd",
+				ClientSecret: "$oidc.okta.clientSecret",
+			}
+			oidcConfigString, err := yaml.Marshal(oidcConfig)
+			require.NoError(t, err)
+			cm.Data["oidc.config"] = string(oidcConfigString)
+			// Avoid bothering with certs for local tests.
+			cm.Data["oidc.tls.insecure.skip.verify"] = "true"
+		}
 	}
 	secret := test.NewFakeSecret()
 	kubeclientset := fake.NewSimpleClientset(cm, secret)
@@ -556,27 +575,32 @@ connectors:
 		AppClientset:  appClientSet,
 		RepoClientset: mockRepoClient,
 	}
-	if withFakeSSO {
+	if withFakeSSO && useDexForSSO {
 		argoCDOpts.DexServerAddr = ts.URL
 	}
 	argocd = NewServer(context.Background(), argoCDOpts)
-	return argocd, ts.URL
+	return argocd, oidcServer.URL
 }
 
 func TestAuthenticate_3rd_party_JWTs(t *testing.T) {
+	// Marshaling single strings to strings is typical, so we test for this relatively common behavior.
+	jwt.MarshalSingleStringAsArray = false
+
 	type testData struct {
 		test                  string
 		anonymousEnabled      bool
 		claims                jwt.RegisteredClaims
 		expectedErrorContains string
 		expectedClaims        interface{}
+		useDex                bool
 	}
 	var tests = []testData{
+		// Dex
 		{
 			test:                  "anonymous disabled, no audience",
 			anonymousEnabled:      false,
-			claims:                jwt.RegisteredClaims{},
-			expectedErrorContains: "no audience found in the token",
+			claims:                jwt.RegisteredClaims{ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
+			expectedErrorContains: common.TokenVerificationError,
 			expectedClaims:        nil,
 		},
 		{
@@ -589,31 +613,95 @@ func TestAuthenticate_3rd_party_JWTs(t *testing.T) {
 		{
 			test:                  "anonymous disabled, unexpired token, admin claim",
 			anonymousEnabled:      false,
-			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{"test-client"}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
-			expectedErrorContains: "id token signed with unsupported algorithm",
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{common.ArgoCDClientAppID}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
+			expectedErrorContains: common.TokenVerificationError,
 			expectedClaims:        nil,
 		},
 		{
 			test:                  "anonymous enabled, unexpired token, admin claim",
 			anonymousEnabled:      true,
-			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{"test-client"}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{common.ArgoCDClientAppID}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
 			expectedErrorContains: "",
 			expectedClaims:        "",
 		},
 		{
 			test:                  "anonymous disabled, expired token, admin claim",
 			anonymousEnabled:      false,
-			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{"test-client"}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now())},
-			expectedErrorContains: "token is expired",
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{common.ArgoCDClientAppID}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now())},
+			expectedErrorContains: common.TokenVerificationError,
 			expectedClaims:        jwt.RegisteredClaims{Issuer: "sso"},
 		},
 		{
 			test:                  "anonymous enabled, expired token, admin claim",
 			anonymousEnabled:      true,
-			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{"test-client"}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now())},
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{common.ArgoCDClientAppID}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now())},
 			expectedErrorContains: "",
 			expectedClaims:        "",
 		},
+		{
+			test:                  "anonymous disabled, unexpired token, admin claim, incorrect audience",
+			anonymousEnabled:      false,
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{"incorrect-audience"}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
+			expectedErrorContains: common.TokenVerificationError,
+			expectedClaims:        nil,
+		},
+		// External OIDC (not bundled Dex)
+		{
+			test:                  "external OIDC: anonymous disabled, no audience",
+			anonymousEnabled:      false,
+			claims:                jwt.RegisteredClaims{ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
+			useDex:                true,
+			expectedErrorContains: common.TokenVerificationError,
+			expectedClaims:        nil,
+		},
+		{
+			test:                  "external OIDC: anonymous enabled, no audience",
+			anonymousEnabled:      true,
+			claims:                jwt.RegisteredClaims{},
+			useDex:                true,
+			expectedErrorContains: "",
+			expectedClaims:        "",
+		},
+		{
+			test:                  "external OIDC: anonymous disabled, unexpired token, admin claim",
+			anonymousEnabled:      false,
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{common.ArgoCDClientAppID}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
+			useDex:                true,
+			expectedErrorContains: common.TokenVerificationError,
+			expectedClaims:        nil,
+		},
+		{
+			test:                  "external OIDC: anonymous enabled, unexpired token, admin claim",
+			anonymousEnabled:      true,
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{common.ArgoCDClientAppID}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
+			useDex:                true,
+			expectedErrorContains: "",
+			expectedClaims:        "",
+		},
+		{
+			test:                  "external OIDC: anonymous disabled, expired token, admin claim",
+			anonymousEnabled:      false,
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{common.ArgoCDClientAppID}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now())},
+			useDex:                true,
+			expectedErrorContains: common.TokenVerificationError,
+			expectedClaims:        jwt.RegisteredClaims{Issuer: "sso"},
+		},
+		{
+			test:                  "external OIDC: anonymous enabled, expired token, admin claim",
+			anonymousEnabled:      true,
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{common.ArgoCDClientAppID}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now())},
+			useDex:                true,
+			expectedErrorContains: "",
+			expectedClaims:        "",
+		},
+		{
+			test:                  "external OIDC: anonymous disabled, unexpired token, admin claim, incorrect audience",
+			anonymousEnabled:      false,
+			claims:                jwt.RegisteredClaims{Audience: jwt.ClaimStrings{"incorrect-audience"}, Subject: "admin", ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour * 24))},
+			useDex:                true,
+			expectedErrorContains: common.TokenVerificationError,
+			expectedClaims:        nil,
+		},
 	}
 
 	for _, testData := range tests {
@@ -625,8 +713,13 @@ func TestAuthenticate_3rd_party_JWTs(t *testing.T) {
 			// Must be declared here to avoid race.
 			ctx := context.Background() //nolint:ineffassign,staticcheck
 
-			argocd, dexURL := getTestServer(t, testDataCopy.anonymousEnabled, true)
-			testDataCopy.claims.Issuer = fmt.Sprintf("%s/api/dex", dexURL)
+			argocd, oidcURL := getTestServer(t, testDataCopy.anonymousEnabled, true, testDataCopy.useDex)
+
+			if testDataCopy.useDex {
+				testDataCopy.claims.Issuer = fmt.Sprintf("%s/api/dex", oidcURL)
+			} else {
+				testDataCopy.claims.Issuer = oidcURL
+			}
 			token := jwt.NewWithClaims(jwt.SigningMethodHS256, testDataCopy.claims)
 			tokenString, err := token.SignedString([]byte("key"))
 			require.NoError(t, err)
@@ -676,7 +769,7 @@ func TestAuthenticate_no_request_metadata(t *testing.T) {
 		t.Run(testDataCopy.test, func(t *testing.T) {
 			t.Parallel()
 
-			argocd, _ := getTestServer(t, testDataCopy.anonymousEnabled, true)
+			argocd, _ := getTestServer(t, testDataCopy.anonymousEnabled, true, true)
 			ctx := context.Background()
 
 			ctx, err := argocd.Authenticate(ctx)
@@ -722,7 +815,7 @@ func TestAuthenticate_no_SSO(t *testing.T) {
 			// Must be declared here to avoid race.
 			ctx := context.Background() //nolint:ineffassign,staticcheck
 
-			argocd, dexURL := getTestServer(t, testDataCopy.anonymousEnabled, false)
+			argocd, dexURL := getTestServer(t, testDataCopy.anonymousEnabled, false, true)
 			token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.RegisteredClaims{Issuer: fmt.Sprintf("%s/api/dex", dexURL)})
 			tokenString, err := token.SignedString([]byte("key"))
 			require.NoError(t, err)
@@ -795,7 +888,7 @@ func TestAuthenticate_bad_request_metadata(t *testing.T) {
 			test:                 "anonymous disabled, bad auth header",
 			anonymousEnabled:     false,
 			metadata:             metadata.MD{"authorization": []string{"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.TGGTTHuuGpEU8WgobXxkrBtW3NiR3dgw5LR-1DEW3BQ"}},
-			expectedErrorMessage: "no audience found in the token",
+			expectedErrorMessage: common.TokenVerificationError,
 			expectedClaims:       nil,
 		},
 		{
@@ -809,7 +902,7 @@ func TestAuthenticate_bad_request_metadata(t *testing.T) {
 			test:                 "anonymous disabled, bad auth cookie",
 			anonymousEnabled:     false,
 			metadata:             metadata.MD{"grpcgateway-cookie": []string{"argocd.token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.TGGTTHuuGpEU8WgobXxkrBtW3NiR3dgw5LR-1DEW3BQ"}},
-			expectedErrorMessage: "no audience found in the token",
+			expectedErrorMessage: common.TokenVerificationError,
 			expectedClaims:       nil,
 		},
 		{
@@ -830,7 +923,7 @@ func TestAuthenticate_bad_request_metadata(t *testing.T) {
 			// Must be declared here to avoid race.
 			ctx := context.Background() //nolint:ineffassign,staticcheck
 
-			argocd, _ := getTestServer(t, testDataCopy.anonymousEnabled, true)
+			argocd, _ := getTestServer(t, testDataCopy.anonymousEnabled, true, true)
 			ctx = metadata.NewIncomingContext(context.Background(), testDataCopy.metadata)
 
 			ctx, err := argocd.Authenticate(ctx)

server/settings/settings.go

@@ -2,6 +2,7 @@ package settings
 
 import (
 	"context"
+
 	"github.com/ghodss/yaml"
 
 	sessionmgr "github.com/argoproj/argo-cd/v2/util/session"
@@ -13,9 +14,10 @@ import (
 
 // Server provides a Settings service
 type Server struct {
-	mgr           *settings.SettingsManager
-	authenticator Authenticator
-	disableAuth   bool
+	mgr                       *settings.SettingsManager
+	authenticator             Authenticator
+	disableAuth               bool
+	appsInAnyNamespaceEnabled bool
 }
 
 type Authenticator interface {
@@ -23,8 +25,8 @@ type Authenticator interface {
 }
 
 // NewServer returns a new instance of the Settings service
-func NewServer(mgr *settings.SettingsManager, authenticator Authenticator, disableAuth bool) *Server {
-	return &Server{mgr: mgr, authenticator: authenticator, disableAuth: disableAuth}
+func NewServer(mgr *settings.SettingsManager, authenticator Authenticator, disableAuth, appsInAnyNamespaceEnabled bool) *Server {
+	return &Server{mgr: mgr, authenticator: authenticator, disableAuth: disableAuth, appsInAnyNamespaceEnabled: appsInAnyNamespaceEnabled}
 }
 
 // Get returns Argo CD settings
@@ -102,13 +104,14 @@ func (s *Server) Get(ctx context.Context, q *settingspkg.SettingsQuery) (*settin
 			ChatText:   help.ChatText,
 			BinaryUrls: help.BinaryURLs,
 		},
-		Plugins:            plugins,
-		UserLoginsDisabled: userLoginsDisabled,
-		KustomizeVersions:  kustomizeVersions,
-		UiCssURL:           argoCDSettings.UiCssURL,
-		PasswordPattern:    argoCDSettings.PasswordPattern,
-		TrackingMethod:     trackingMethod,
-		ExecEnabled:        argoCDSettings.ExecEnabled,
+		Plugins:                   plugins,
+		UserLoginsDisabled:        userLoginsDisabled,
+		KustomizeVersions:         kustomizeVersions,
+		UiCssURL:                  argoCDSettings.UiCssURL,
+		PasswordPattern:           argoCDSettings.PasswordPattern,
+		TrackingMethod:            trackingMethod,
+		ExecEnabled:               argoCDSettings.ExecEnabled,
+		AppsInAnyNamespaceEnabled: s.appsInAnyNamespaceEnabled,
 	}
 
 	if sessionmgr.LoggedIn(ctx) || s.disableAuth {

server/settings/settings.proto

@@ -40,6 +40,7 @@ message Settings {
     string statusBadgeRootUrl = 21;
     bool execEnabled = 22;
     string controllerNamespace = 23;
+    bool appsInAnyNamespaceEnabled = 24;
 }
 
 message GoogleAnalyticsConfig {

test/e2e/app_management_ns_test.go

@@ -3,10 +3,8 @@ package e2e
 import (
 	"context"
 	"fmt"
-	"math/rand"
 	"path"
 	"reflect"
-	"strings"
 	"testing"
 	"time"
 
@@ -377,25 +375,20 @@ func TestNamespacedDeleteAppResource(t *testing.T) {
 // demonstrate that we cannot use a standard sync when an immutable field is changed, we must use "force"
 func TestNamespacedImmutableChange(t *testing.T) {
 	SkipOnEnv(t, "OPENSHIFT")
-	text := FailOnErr(Run(".", "kubectl", "get", "service", "-n", "kube-system", "kube-dns", "-o", "jsonpath={.spec.clusterIP}")).(string)
-	parts := strings.Split(text, ".")
-	n := rand.Intn(254)
-	ip1 := fmt.Sprintf("%s.%s.%s.%d", parts[0], parts[1], parts[2], n)
-	ip2 := fmt.Sprintf("%s.%s.%s.%d", parts[0], parts[1], parts[2], n+1)
 	Given(t).
-		Path("service").
+		Path("secrets").
 		SetTrackingMethod("annotation").
 		SetAppNamespace(AppNamespace()).
 		When().
 		CreateApp().
-		PatchFile("service.yaml", fmt.Sprintf(`[{"op": "add", "path": "/spec/clusterIP", "value": "%s"}]`, ip1)).
+		PatchFile("secrets.yaml", `[{"op": "add", "path": "/data/new-field", "value": "dGVzdA=="}, {"op": "add", "path": "/immutable", "value": true}]`).
 		Sync().
 		Then().
 		Expect(OperationPhaseIs(OperationSucceeded)).
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
 		Expect(HealthIs(health.HealthStatusHealthy)).
 		When().
-		PatchFile("service.yaml", fmt.Sprintf(`[{"op": "add", "path": "/spec/clusterIP", "value": "%s"}]`, ip2)).
+		PatchFile("secrets.yaml", `[{"op": "add", "path": "/data/new-field", "value": "dGVzdDI="}]`).
 		IgnoreErrors().
 		Sync().
 		DoNotIgnoreErrors().
@@ -404,14 +397,14 @@ func TestNamespacedImmutableChange(t *testing.T) {
 		Expect(SyncStatusIs(SyncStatusCodeOutOfSync)).
 		Expect(ResourceResultNumbering(1)).
 		Expect(ResourceResultMatches(ResourceResult{
-			Kind:      "Service",
+			Kind:      "Secret",
 			Version:   "v1",
 			Namespace: DeploymentNamespace(),
-			Name:      "my-service",
+			Name:      "test-secret",
 			SyncPhase: "Sync",
 			Status:    "SyncFailed",
 			HookPhase: "Failed",
-			Message:   `Service "my-service" is invalid`,
+			Message:   `Secret "test-secret" is invalid`,
 		})).
 		// now we can do this will a force
 		Given().
@@ -769,6 +762,17 @@ func TestNamespacedResourceDiffing(t *testing.T) {
 		}).
 		Given().
 		When().
+		// Now we migrate from client-side apply to server-side apply
+		// This is necessary, as starting with kubectl 1.26, all previously
+		// client-side owned fields have ownership migrated to the manager from
+		// the first ssa.
+		// More details: https://github.com/kubernetes/kubectl/issues/1337
+		PatchApp(`[{
+			"op": "add",
+			"path": "/spec/syncPolicy",
+			"value": { "syncOptions": ["ServerSideApply=true"] }
+			}]`).
+		Sync().
 		And(func() {
 			output, err := RunWithStdin(testdata.SSARevisionHistoryDeployment, "", "kubectl", "apply", "-n", DeploymentNamespace(), "--server-side=true", "--field-manager=revision-history-manager", "--validate=false", "--force-conflicts", "-f", "-")
 			assert.NoError(t, err)

test/e2e/app_management_test.go

@@ -3,10 +3,8 @@ package e2e
 import (
 	"context"
 	"fmt"
-	"math/rand"
 	"reflect"
 	"regexp"
-	"strings"
 	"testing"
 	"time"
 
@@ -366,23 +364,18 @@ func TestDeleteAppResource(t *testing.T) {
 // demonstrate that we cannot use a standard sync when an immutable field is changed, we must use "force"
 func TestImmutableChange(t *testing.T) {
 	SkipOnEnv(t, "OPENSHIFT")
-	text := FailOnErr(Run(".", "kubectl", "get", "service", "-n", "kube-system", "kube-dns", "-o", "jsonpath={.spec.clusterIP}")).(string)
-	parts := strings.Split(text, ".")
-	n := rand.Intn(254)
-	ip1 := fmt.Sprintf("%s.%s.%s.%d", parts[0], parts[1], parts[2], n)
-	ip2 := fmt.Sprintf("%s.%s.%s.%d", parts[0], parts[1], parts[2], n+1)
 	Given(t).
-		Path("service").
+		Path("secrets").
 		When().
 		CreateApp().
-		PatchFile("service.yaml", fmt.Sprintf(`[{"op": "add", "path": "/spec/clusterIP", "value": "%s"}]`, ip1)).
+		PatchFile("secrets.yaml", `[{"op": "add", "path": "/data/new-field", "value": "dGVzdA=="}, {"op": "add", "path": "/immutable", "value": true}]`).
 		Sync().
 		Then().
 		Expect(OperationPhaseIs(OperationSucceeded)).
 		Expect(SyncStatusIs(SyncStatusCodeSynced)).
 		Expect(HealthIs(health.HealthStatusHealthy)).
 		When().
-		PatchFile("service.yaml", fmt.Sprintf(`[{"op": "add", "path": "/spec/clusterIP", "value": "%s"}]`, ip2)).
+		PatchFile("secrets.yaml", `[{"op": "add", "path": "/data/new-field", "value": "dGVzdDI="}]`).
 		IgnoreErrors().
 		Sync().
 		DoNotIgnoreErrors().
@@ -391,14 +384,14 @@ func TestImmutableChange(t *testing.T) {
 		Expect(SyncStatusIs(SyncStatusCodeOutOfSync)).
 		Expect(ResourceResultNumbering(1)).
 		Expect(ResourceResultMatches(ResourceResult{
-			Kind:      "Service",
+			Kind:      "Secret",
 			Version:   "v1",
 			Namespace: DeploymentNamespace(),
-			Name:      "my-service",
+			Name:      "test-secret",
 			SyncPhase: "Sync",
 			Status:    "SyncFailed",
 			HookPhase: "Failed",
-			Message:   `Service "my-service" is invalid`,
+			Message:   `Secret "test-secret" is invalid`,
 		})).
 		// now we can do this will a force
 		Given().
@@ -749,6 +742,17 @@ func TestResourceDiffing(t *testing.T) {
 		}).
 		Given().
 		When().
+		// Now we migrate from client-side apply to server-side apply
+		// This is necessary, as starting with kubectl 1.26, all previously
+		// client-side owned fields have ownership migrated to the manager from
+		// the first ssa.
+		// More details: https://github.com/kubernetes/kubectl/issues/1337
+		PatchApp(`[{
+			"op": "add",
+			"path": "/spec/syncPolicy",
+			"value": { "syncOptions": ["ServerSideApply=true"] }
+			}]`).
+		Sync().
 		And(func() {
 			output, err := RunWithStdin(testdata.SSARevisionHistoryDeployment, "", "kubectl", "apply", "-n", DeploymentNamespace(), "--server-side=true", "--field-manager=revision-history-manager", "--validate=false", "--force-conflicts", "-f", "-")
 			assert.NoError(t, err)

test/e2e/applicationset_test.go

@@ -1,6 +1,9 @@
 package e2e
 
 import (
+	"io"
+	"net/http"
+	"net/http/httptest"
 	"strings"
 	"testing"
 	"time"
@@ -784,21 +787,215 @@ func TestSimpleGitFilesPreserveResourcesOnDeletionGoTemplate(t *testing.T) {
 		}).Then().Expect(Pod(func(p corev1.Pod) bool { return strings.Contains(p.Name, "guestbook-ui") }))
 }
 
+func githubSCMMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.RequestURI {
+		case "/api/v3/orgs/argoproj/repos?per_page=100":
+			_, err := io.WriteString(w, `[
+				{
+				  "id": 1296269,
+				  "node_id": "MDEwOlJlcG9zaXRvcnkxMjk2MjY5",
+				  "name": "argo-cd",
+				  "full_name": "argoproj/argo-cd",
+				  "owner": {
+					"login": "argoproj",
+					"id": 1,
+					"node_id": "MDQ6VXNlcjE=",
+					"avatar_url": "https://github.com/images/error/argoproj_happy.gif",
+					"gravatar_id": "",
+					"url": "https://api.github.com/users/argoproj",
+					"html_url": "https://github.com/argoproj",
+					"followers_url": "https://api.github.com/users/argoproj/followers",
+					"following_url": "https://api.github.com/users/argoproj/following{/other_user}",
+					"gists_url": "https://api.github.com/users/argoproj/gists{/gist_id}",
+					"starred_url": "https://api.github.com/users/argoproj/starred{/owner}{/repo}",
+					"subscriptions_url": "https://api.github.com/users/argoproj/subscriptions",
+					"organizations_url": "https://api.github.com/users/argoproj/orgs",
+					"repos_url": "https://api.github.com/users/argoproj/repos",
+					"events_url": "https://api.github.com/users/argoproj/events{/privacy}",
+					"received_events_url": "https://api.github.com/users/argoproj/received_events",
+					"type": "User",
+					"site_admin": false
+				  },
+				  "private": false,
+				  "html_url": "https://github.com/argoproj/argo-cd",
+				  "description": "This your first repo!",
+				  "fork": false,
+				  "url": "https://api.github.com/repos/argoproj/argo-cd",
+				  "archive_url": "https://api.github.com/repos/argoproj/argo-cd/{archive_format}{/ref}",
+				  "assignees_url": "https://api.github.com/repos/argoproj/argo-cd/assignees{/user}",
+				  "blobs_url": "https://api.github.com/repos/argoproj/argo-cd/git/blobs{/sha}",
+				  "branches_url": "https://api.github.com/repos/argoproj/argo-cd/branches{/branch}",
+				  "collaborators_url": "https://api.github.com/repos/argoproj/argo-cd/collaborators{/collaborator}",
+				  "comments_url": "https://api.github.com/repos/argoproj/argo-cd/comments{/number}",
+				  "commits_url": "https://api.github.com/repos/argoproj/argo-cd/commits{/sha}",
+				  "compare_url": "https://api.github.com/repos/argoproj/argo-cd/compare/{base}...{head}",
+				  "contents_url": "https://api.github.com/repos/argoproj/argo-cd/contents/{path}",
+				  "contributors_url": "https://api.github.com/repos/argoproj/argo-cd/contributors",
+				  "deployments_url": "https://api.github.com/repos/argoproj/argo-cd/deployments",
+				  "downloads_url": "https://api.github.com/repos/argoproj/argo-cd/downloads",
+				  "events_url": "https://api.github.com/repos/argoproj/argo-cd/events",
+				  "forks_url": "https://api.github.com/repos/argoproj/argo-cd/forks",
+				  "git_commits_url": "https://api.github.com/repos/argoproj/argo-cd/git/commits{/sha}",
+				  "git_refs_url": "https://api.github.com/repos/argoproj/argo-cd/git/refs{/sha}",
+				  "git_tags_url": "https://api.github.com/repos/argoproj/argo-cd/git/tags{/sha}",
+				  "git_url": "git:github.com/argoproj/argo-cd.git",
+				  "issue_comment_url": "https://api.github.com/repos/argoproj/argo-cd/issues/comments{/number}",
+				  "issue_events_url": "https://api.github.com/repos/argoproj/argo-cd/issues/events{/number}",
+				  "issues_url": "https://api.github.com/repos/argoproj/argo-cd/issues{/number}",
+				  "keys_url": "https://api.github.com/repos/argoproj/argo-cd/keys{/key_id}",
+				  "labels_url": "https://api.github.com/repos/argoproj/argo-cd/labels{/name}",
+				  "languages_url": "https://api.github.com/repos/argoproj/argo-cd/languages",
+				  "merges_url": "https://api.github.com/repos/argoproj/argo-cd/merges",
+				  "milestones_url": "https://api.github.com/repos/argoproj/argo-cd/milestones{/number}",
+				  "notifications_url": "https://api.github.com/repos/argoproj/argo-cd/notifications{?since,all,participating}",
+				  "pulls_url": "https://api.github.com/repos/argoproj/argo-cd/pulls{/number}",
+				  "releases_url": "https://api.github.com/repos/argoproj/argo-cd/releases{/id}",
+				  "ssh_url": "git@github.com:argoproj/argo-cd.git",
+				  "stargazers_url": "https://api.github.com/repos/argoproj/argo-cd/stargazers",
+				  "statuses_url": "https://api.github.com/repos/argoproj/argo-cd/statuses/{sha}",
+				  "subscribers_url": "https://api.github.com/repos/argoproj/argo-cd/subscribers",
+				  "subscription_url": "https://api.github.com/repos/argoproj/argo-cd/subscription",
+				  "tags_url": "https://api.github.com/repos/argoproj/argo-cd/tags",
+				  "teams_url": "https://api.github.com/repos/argoproj/argo-cd/teams",
+				  "trees_url": "https://api.github.com/repos/argoproj/argo-cd/git/trees{/sha}",
+				  "clone_url": "https://github.com/argoproj/argo-cd.git",
+				  "mirror_url": "git:git.example.com/argoproj/argo-cd",
+				  "hooks_url": "https://api.github.com/repos/argoproj/argo-cd/hooks",
+				  "svn_url": "https://svn.github.com/argoproj/argo-cd",
+				  "homepage": "https://github.com",
+				  "language": null,
+				  "forks_count": 9,
+				  "stargazers_count": 80,
+				  "watchers_count": 80,
+				  "size": 108,
+				  "default_branch": "master",
+				  "open_issues_count": 0,
+				  "is_template": false,
+				  "topics": [
+					"argoproj",
+					"atom",
+					"electron",
+					"api"
+				  ],
+				  "has_issues": true,
+				  "has_projects": true,
+				  "has_wiki": true,
+				  "has_pages": false,
+				  "has_downloads": true,
+				  "archived": false,
+				  "disabled": false,
+				  "visibility": "public",
+				  "pushed_at": "2011-01-26T19:06:43Z",
+				  "created_at": "2011-01-26T19:01:12Z",
+				  "updated_at": "2011-01-26T19:14:43Z",
+				  "permissions": {
+					"admin": false,
+					"push": false,
+					"pull": true
+				  },
+				  "template_repository": null
+				}
+			  ]`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/argo-cd/branches?per_page=100":
+			_, err := io.WriteString(w, `[
+				{
+				  "name": "master",
+				  "commit": {
+					"sha": "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+					"url": "https://api.github.com/repos/argoproj/argo-cd/commits/c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc"
+				  },
+				  "protected": true,
+				  "protection": {
+					"required_status_checks": {
+					  "enforcement_level": "non_admins",
+					  "contexts": [
+						"ci-test",
+						"linter"
+					  ]
+					}
+				  },
+				  "protection_url": "https://api.github.com/repos/argoproj/hello-world/branches/master/protection"
+				}
+			  ]
+			`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/argo-cd/contents/pkg?ref=master":
+			_, err := io.WriteString(w, `{
+				"type": "file",
+				"encoding": "base64",
+				"size": 5362,
+				"name": "pkg/",
+				"path": "pkg/",
+				"content": "encoded content ...",
+				"sha": "3d21ec53a331a6f037a91c368710b99387d012c1",
+				"url": "https://api.github.com/repos/octokit/octokit.rb/contents/README.md",
+				"git_url": "https://api.github.com/repos/octokit/octokit.rb/git/blobs/3d21ec53a331a6f037a91c368710b99387d012c1",
+				"html_url": "https://github.com/octokit/octokit.rb/blob/master/README.md",
+				"download_url": "https://raw.githubusercontent.com/octokit/octokit.rb/master/README.md",
+				"_links": {
+				  "git": "https://api.github.com/repos/octokit/octokit.rb/git/blobs/3d21ec53a331a6f037a91c368710b99387d012c1",
+				  "self": "https://api.github.com/repos/octokit/octokit.rb/contents/README.md",
+				  "html": "https://github.com/octokit/octokit.rb/blob/master/README.md"
+				}
+			  }`)
+			if err != nil {
+				t.Fail()
+			}
+		case "/api/v3/repos/argoproj/argo-cd/branches/master":
+			_, err := io.WriteString(w, `{
+				"name": "master",
+				"commit": {
+				  "sha": "c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc",
+				  "url": "https://api.github.com/repos/octocat/Hello-World/commits/c5b97d5ae6c19d5c5df71a34c7fbeeda2479ccbc"
+				},
+				"protected": true,
+				"protection": {
+				  "required_status_checks": {
+					"enforcement_level": "non_admins",
+					"contexts": [
+					  "ci-test",
+					  "linter"
+					]
+				  }
+				},
+				"protection_url": "https://api.github.com/repos/octocat/hello-world/branches/master/protection"
+			  }`)
+			if err != nil {
+				t.Fail()
+			}
+		default:
+			w.WriteHeader(404)
+		}
+	}
+}
+
 func TestSimpleSCMProviderGenerator(t *testing.T) {
+	// Use mocked API response to avoid rate-limiting.
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubSCMMockHandler(t)(w, r)
+	}))
+
 	expectedApp := argov1alpha1.Application{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Application",
 			APIVersion: "argoproj.io/v1alpha1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:       "argocd-example-apps-guestbook",
+			Name:       "argo-cd-guestbook",
 			Namespace:  utils.ArgoCDNamespace,
 			Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
 		},
 		Spec: argov1alpha1.ApplicationSpec{
 			Project: "default",
 			Source: argov1alpha1.ApplicationSource{
-				RepoURL:        "git@github.com:argoproj/argocd-example-apps.git",
+				RepoURL:        "git@github.com:argoproj/argo-cd.git",
 				TargetRevision: "master",
 				Path:           "guestbook",
 			},
@@ -810,7 +1007,7 @@ func TestSimpleSCMProviderGenerator(t *testing.T) {
 	}
 
 	// Because you can't &"".
-	repoMatch := "example-apps"
+	repoMatch := "argo-cd"
 
 	Given(t).
 		// Create an SCMProviderGenerator-based ApplicationSet
@@ -838,6 +1035,7 @@ func TestSimpleSCMProviderGenerator(t *testing.T) {
 					SCMProvider: &v1alpha1.SCMProviderGenerator{
 						Github: &v1alpha1.SCMProviderGeneratorGithub{
 							Organization: "argoproj",
+							API:          ts.URL,
 						},
 						Filters: []v1alpha1.SCMProviderGeneratorFilter{
 							{
@@ -852,20 +1050,25 @@ func TestSimpleSCMProviderGenerator(t *testing.T) {
 }
 
 func TestSimpleSCMProviderGeneratorGoTemplate(t *testing.T) {
+	// Use mocked API response to avoid rate-limiting.
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubSCMMockHandler(t)(w, r)
+	}))
+
 	expectedApp := argov1alpha1.Application{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Application",
 			APIVersion: "argoproj.io/v1alpha1",
 		},
 		ObjectMeta: metav1.ObjectMeta{
-			Name:       "argocd-example-apps-guestbook",
+			Name:       "argo-cd-guestbook",
 			Namespace:  utils.ArgoCDNamespace,
 			Finalizers: []string{"resources-finalizer.argocd.argoproj.io"},
 		},
 		Spec: argov1alpha1.ApplicationSpec{
 			Project: "default",
 			Source: argov1alpha1.ApplicationSource{
-				RepoURL:        "git@github.com:argoproj/argocd-example-apps.git",
+				RepoURL:        "git@github.com:argoproj/argo-cd.git",
 				TargetRevision: "master",
 				Path:           "guestbook",
 			},
@@ -877,7 +1080,7 @@ func TestSimpleSCMProviderGeneratorGoTemplate(t *testing.T) {
 	}
 
 	// Because you can't &"".
-	repoMatch := "example-apps"
+	repoMatch := "argo-cd"
 
 	Given(t).
 		// Create an SCMProviderGenerator-based ApplicationSet
@@ -906,6 +1109,7 @@ func TestSimpleSCMProviderGeneratorGoTemplate(t *testing.T) {
 					SCMProvider: &v1alpha1.SCMProviderGenerator{
 						Github: &v1alpha1.SCMProviderGeneratorGithub{
 							Organization: "argoproj",
+							API:          ts.URL,
 						},
 						Filters: []v1alpha1.SCMProviderGeneratorFilter{
 							{
@@ -1052,11 +1256,39 @@ func TestCustomApplicationFinalizersGoTemplate(t *testing.T) {
 		Delete().Then().Expect(ApplicationsDoNotExist([]argov1alpha1.Application{expectedApp}))
 }
 
-func TestSimplePullRequestGenerator(t *testing.T) {
-
-	if utils.IsGitHubAPISkippedTest(t) {
-		return
+func githubPullMockHandler(t *testing.T) func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		switch r.RequestURI {
+		case "/api/v3/repos/applicationset-test-org/argocd-example-apps/pulls?per_page=100":
+			_, err := io.WriteString(w, `[
+  {
+    "number": 1,
+    "labels": [
+      {
+        "name": "preview"
+      }
+    ],
+    "head": {
+      "ref": "pull-request",
+      "sha": "824a5c987fdfb2b0629e9dbf5f31636c69ba4772"
+    }
+  }
+]`)
+			if err != nil {
+				t.Fail()
+			}
+		default:
+			w.WriteHeader(404)
+		}
 	}
+}
+
+func TestSimplePullRequestGenerator(t *testing.T) {
+	// Use mocked API response to avoid rate-limiting.
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubPullMockHandler(t)(w, r)
+	}))
 
 	expectedApp := argov1alpha1.Application{
 		TypeMeta: metav1.TypeMeta{
@@ -1113,6 +1345,7 @@ func TestSimplePullRequestGenerator(t *testing.T) {
 				{
 					PullRequest: &v1alpha1.PullRequestGenerator{
 						Github: &v1alpha1.PullRequestGeneratorGithub{
+							API:   ts.URL,
 							Owner: "applicationset-test-org",
 							Repo:  "argocd-example-apps",
 							Labels: []string{
@@ -1127,10 +1360,10 @@ func TestSimplePullRequestGenerator(t *testing.T) {
 }
 
 func TestSimplePullRequestGeneratorGoTemplate(t *testing.T) {
-
-	if utils.IsGitHubAPISkippedTest(t) {
-		return
-	}
+	// Use mocked API response to avoid rate-limiting.
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		githubPullMockHandler(t)(w, r)
+	}))
 
 	expectedApp := argov1alpha1.Application{
 		TypeMeta: metav1.TypeMeta{
@@ -1188,6 +1421,7 @@ func TestSimplePullRequestGeneratorGoTemplate(t *testing.T) {
 				{
 					PullRequest: &v1alpha1.PullRequestGenerator{
 						Github: &v1alpha1.PullRequestGeneratorGithub{
+							API:   ts.URL,
 							Owner: "applicationset-test-org",
 							Repo:  "argocd-example-apps",
 							Labels: []string{

test/e2e/testdata/data.go

@@ -5,4 +5,7 @@ import _ "embed"
 var (
 	//go:embed ssa-revision-history/deployment.yaml
 	SSARevisionHistoryDeployment string
+
+	//go:embed guestbook/guestbook-ui-deployment.yaml
+	GuestbookDeployment string
 )

ui/src/app/app.tsx

@@ -10,12 +10,13 @@ import login from './login';
 import settings from './settings';
 import {Layout} from './shared/components/layout/layout';
 import {VersionPanel} from './shared/components/version-info/version-info-panel';
-import {Provider} from './shared/context';
+import {AuthSettingsCtx, Provider} from './shared/context';
 import {services} from './shared/services';
 import requests from './shared/services/requests';
 import {hashCode} from './shared/utils';
 import {Banner} from './ui-banner/ui-banner';
 import userInfo from './user-info';
+import {AuthSettings} from './shared/models';
 
 services.viewPreferences.init();
 const bases = document.getElementsByTagName('base');
@@ -71,8 +72,8 @@ const versionLoader = services.version.version();
 async function isExpiredSSO() {
     try {
         const {iss} = await services.users.get();
+        const authSettings = await services.authService.settings();
         if (iss && iss !== 'argocd') {
-            const authSettings = await services.authService.settings();
             return ((authSettings.dexConfig && authSettings.dexConfig.connectors) || []).length > 0 || authSettings.oidcConfig;
         }
     } catch {
@@ -106,7 +107,10 @@ requests.onError.subscribe(async err => {
     }
 });
 
-export class App extends React.Component<{}, {popupProps: PopupProps; showVersionPanel: boolean; error: Error; navItems: NavItem[]; routes: Routes; extensionsLoaded: boolean}> {
+export class App extends React.Component<
+    {},
+    {popupProps: PopupProps; showVersionPanel: boolean; error: Error; navItems: NavItem[]; routes: Routes; extensionsLoaded: boolean; authSettings: AuthSettings}
+> {
     public static childContextTypes = {
         history: PropTypes.object,
         apis: PropTypes.object
@@ -124,7 +128,7 @@ export class App extends React.Component<{}, {popupProps: PopupProps; showVersio
 
     constructor(props: {}) {
         super(props);
-        this.state = {popupProps: null, error: null, showVersionPanel: false, navItems: [], routes: null, extensionsLoaded: false};
+        this.state = {popupProps: null, error: null, showVersionPanel: false, navItems: [], routes: null, extensionsLoaded: false, authSettings: null};
         this.popupManager = new PopupManager();
         this.notificationsManager = new NotificationsManager();
         this.navigationManager = new NavigationManager(history);
@@ -181,7 +185,7 @@ export class App extends React.Component<{}, {popupProps: PopupProps; showVersio
             };
         }
 
-        this.setState({...this.state, navItems: extendedNavItems, routes: extendedRoutes, extensionsLoaded: true});
+        this.setState({...this.state, navItems: extendedNavItems, routes: extendedRoutes, extensionsLoaded: true, authSettings});
     }
 
     public render() {
@@ -211,42 +215,44 @@ export class App extends React.Component<{}, {popupProps: PopupProps; showVersio
                 <PageContext.Provider value={{title: 'Argo CD'}}>
                     <Provider value={{history, popup: this.popupManager, notifications: this.notificationsManager, navigation: this.navigationManager, baseHref: base}}>
                         {this.state.popupProps && <Popup {...this.state.popupProps} />}
-                        <Router history={history}>
-                            <Switch>
-                                <Redirect exact={true} path='/' to='/applications' />
-                                {Object.keys(this.routes).map(path => {
-                                    const route = this.routes[path];
-                                    return (
-                                        <Route
-                                            key={path}
-                                            path={path}
-                                            render={routeProps =>
-                                                route.noLayout ? (
-                                                    <div>
-                                                        <route.component {...routeProps} />
-                                                    </div>
-                                                ) : (
-                                                    <DataLoader load={() => services.viewPreferences.getPreferences()}>
-                                                        {pref => (
-                                                            <Layout
-                                                                onVersionClick={() => this.setState({showVersionPanel: true})}
-                                                                navItems={this.navItems}
-                                                                pref={pref}
-                                                                isExtension={route.extension}>
-                                                                <Banner>
-                                                                    <route.component {...routeProps} />
-                                                                </Banner>
-                                                            </Layout>
-                                                        )}
-                                                    </DataLoader>
-                                                )
-                                            }
-                                        />
-                                    );
-                                })}
-                                {this.state.extensionsLoaded && <Redirect path='*' to='/' />}
-                            </Switch>
-                        </Router>
+                        <AuthSettingsCtx.Provider value={this.state.authSettings}>
+                            <Router history={history}>
+                                <Switch>
+                                    <Redirect exact={true} path='/' to='/applications' />
+                                    {Object.keys(this.routes).map(path => {
+                                        const route = this.routes[path];
+                                        return (
+                                            <Route
+                                                key={path}
+                                                path={path}
+                                                render={routeProps =>
+                                                    route.noLayout ? (
+                                                        <div>
+                                                            <route.component {...routeProps} />
+                                                        </div>
+                                                    ) : (
+                                                        <DataLoader load={() => services.viewPreferences.getPreferences()}>
+                                                            {pref => (
+                                                                <Layout
+                                                                    onVersionClick={() => this.setState({showVersionPanel: true})}
+                                                                    navItems={this.navItems}
+                                                                    pref={pref}
+                                                                    isExtension={route.extension}>
+                                                                    <Banner>
+                                                                        <route.component {...routeProps} />
+                                                                    </Banner>
+                                                                </Layout>
+                                                            )}
+                                                        </DataLoader>
+                                                    )
+                                                }
+                                            />
+                                        );
+                                    })}
+                                    {this.state.extensionsLoaded && <Redirect path='*' to='/' />}
+                                </Switch>
+                            </Router>
+                        </AuthSettingsCtx.Provider>
                     </Provider>
                 </PageContext.Provider>
                 <Notifications notifications={this.notificationsManager.notifications} />

ui/src/app/applications/components/application-operation-state/application-operation-state.tsx

@@ -78,7 +78,7 @@ export const ApplicationOperationState: React.StatelessComponent<Props> = ({appl
                         const confirmed = await ctx.apis.popup.confirm('Terminate operation', 'Are you sure you want to terminate operation?');
                         if (confirmed) {
                             try {
-                                await services.applications.terminateOperation(application.metadata.name);
+                                await services.applications.terminateOperation(application.metadata.name, application.metadata.namespace);
                             } catch (e) {
                                 ctx.apis.notifications.show({
                                     content: <ErrorNotification title='Unable to terminate operation' e={e} />,

ui/src/app/applications/components/application-parameters/application-parameters.tsx

@@ -23,7 +23,10 @@ function distinct<T>(first: IterableIterator<T>, second: IterableIterator<T>) {
     return Array.from(new Set(Array.from(first).concat(Array.from(second))));
 }
 
-function overridesFirst(first: {overrideIndex: number}, second: {overrideIndex: number}) {
+function overridesFirst(first: {overrideIndex: number; metadata: {name: string}}, second: {overrideIndex: number; metadata: {name: string}}) {
+    if (first.overrideIndex === second.overrideIndex) {
+        return first.metadata.name.localeCompare(second.metadata.name);
+    }
     if (first.overrideIndex < 0) {
         return 1;
     } else if (second.overrideIndex < 0) {
@@ -57,7 +60,7 @@ function getParamsEditableItems(
                 </span>
             ),
             edit: (formApi: FormApi) => {
-                const labelStyle = {position: 'absolute', right: 0, top: 0, zIndex: 1} as any;
+                const labelStyle = {position: 'absolute', right: 0, top: 0, zIndex: 11} as any;
                 const overrideRemoved = removedOverrides[i];
                 const fieldItemPath = `${fieldsPath}[${i}]`;
                 return (
@@ -98,11 +101,6 @@ function getParamsEditableItems(
                 );
             }
         }))
-        .sort((first, second) => {
-            const firstSortBy = first.key || first.title;
-            const secondSortBy = second.key || second.title;
-            return firstSortBy.localeCompare(secondSortBy);
-        })
         .map((item, i) => ({...item, before: (i === 0 && <p style={{marginTop: '1em'}}>{title}</p>) || null}));
 }
 
@@ -192,29 +190,31 @@ export const ApplicationParameters = (props: {
                 />
             )
         });
-        attributes.push({
-            title: 'VALUES',
-            view: app.spec.source.helm && (
-                <Expandable>
-                    <pre>{app.spec.source.helm.values}</pre>
-                </Expandable>
-            ),
-            edit: (formApi: FormApi) => (
-                <div>
-                    <pre>
-                        <FormField formApi={formApi} field='spec.source.helm.values' component={TextArea} />
-                    </pre>
-                    {props.details.helm.values && (
-                        <div>
-                            <label>values.yaml</label>
-                            <Expandable>
-                                <pre>{props.details.helm.values}</pre>
-                            </Expandable>
-                        </div>
-                    )}
-                </div>
-            )
-        });
+        if (app?.spec?.source?.helm?.values) {
+            attributes.push({
+                title: 'VALUES',
+                view: app.spec.source.helm && (
+                    <Expandable>
+                        <pre>{app.spec.source.helm.values}</pre>
+                    </Expandable>
+                ),
+                edit: (formApi: FormApi) => (
+                    <div>
+                        <pre>
+                            <FormField formApi={formApi} field='spec.source.helm.values' component={TextArea} />
+                        </pre>
+                        {props.details.helm.values && (
+                            <div>
+                                <label>values.yaml</label>
+                                <Expandable>
+                                    <pre>{props.details.helm.values}</pre>
+                                </Expandable>
+                            </div>
+                        )}
+                    </div>
+                )
+            });
+        }
         const paramsByName = new Map<string, models.HelmParameter>();
         (props.details.helm.parameters || []).forEach(param => paramsByName.set(param.name, param));
         const overridesByName = new Map<string, number>();

ui/src/app/applications/components/application-pod-view/pod-view.scss

@@ -7,6 +7,13 @@ $pods-per-column: 4;
 $max-rows: 5;
 $num-stats: 2;
 
+$pod-age-icon-clr: #ffce25;
+
+.circle-icon {
+    color: $pod-age-icon-clr;
+    font-size: 10px;
+}
+
 .pod-view {
     &__settings {
         align-items: center;
@@ -67,7 +74,7 @@ $num-stats: 2;
             margin: 1em 0;
             padding: 10px;
             border-radius: 3px;
-            background-color: $argo-color-gray-3;                            
+            background-color: $argo-color-gray-3;
             color: $argo-color-gray-6;
             div {
                 display: flex;
@@ -149,7 +156,7 @@ $num-stats: 2;
             }
             &__new-pod-icon {
                 background: none;
-                color: #FFCE25;
+                color: $pod-age-icon-clr;
                 display: block;
                 left: 20px;
                 margin: 0px;
@@ -238,4 +245,4 @@ $num-stats: 2;
             }
         }
     }
-}
+}