Bump version to 2.5.9

Signed-off-by: Yevgeniy Fridland <yevg.mord@gmail.com>
Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

USERS.md

@@ -155,6 +155,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Packlink](https://www.packlink.com/)
 1. [Pandosearch](https://www.pandosearch.com/en/home)
 1. [PagerDuty](https://www.pagerduty.com/)
+1. [Patreon](https://www.patreon.com/)
 1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
 1. [Pipefy](https://www.pipefy.com/)

VERSION

@@ -1 +1 @@
-2.5.8
+2.5.9

docs/operator-manual/user-management/index.md

@@ -302,8 +302,9 @@ data:
     clientID: aaaabbbbccccddddeee
     clientSecret: $oidc.okta.clientSecret
     
-    # Optional list of allowed aud claims. If omitted or empty, defaults to the clientID value above. If you specify a 
-    # list and want the clientD to be allowed, you must explicitly include it in the list.
+    # Optional list of allowed aud claims. If omitted or empty, defaults to the clientID value above (and the 
+    # cliCientID, if that is also specified). If you specify a list and want the clientID to be allowed, you must 
+    # explicitly include it in the list.
     # Token verification will pass if any of the token's audiences matches any of the audiences in this list.
     allowedAudiences:
     - aaaabbbbccccddddeee

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.5.8
+  newTag: v2.5.9
 resources:
 - ./application-controller
 - ./dex

manifests/core-install.yaml

@@ -9635,7 +9635,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -9893,7 +9893,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -9944,7 +9944,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -10151,7 +10151,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.5.8
+  newTag: v2.5.9

manifests/ha/base/kustomization.yaml

@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.5.8
+  newTag: v2.5.9
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/install.yaml

@@ -10836,7 +10836,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -10946,7 +10946,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -10999,7 +10999,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -11296,7 +11296,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -11347,7 +11347,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -11620,7 +11620,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -11855,7 +11855,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install.yaml

@@ -1502,7 +1502,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1612,7 +1612,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1665,7 +1665,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1962,7 +1962,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2013,7 +2013,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2286,7 +2286,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2521,7 +2521,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install.yaml

@@ -9955,7 +9955,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -10065,7 +10065,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -10118,7 +10118,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -10371,7 +10371,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -10422,7 +10422,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -10691,7 +10691,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -10924,7 +10924,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -621,7 +621,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -731,7 +731,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -784,7 +784,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1037,7 +1037,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1088,7 +1088,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1357,7 +1357,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1590,7 +1590,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.5.8
+        image: quay.io/argoproj/argocd:v2.5.9
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

resource_customizations/sparkoperator.k8s.io/SparkApplication/health.lua

@@ -1,4 +1,55 @@
 health_status = {}
+-- Can't use standard lib, math.huge equivalent
+infinity = 2^1024-1
+
+local function executor_range_api()
+  min_executor_instances = 0
+  max_executor_instances = infinity
+  if obj.spec.dynamicAllocation.maxExecutors then 
+    max_executor_instances = obj.spec.dynamicAllocation.maxExecutors
+  end
+  if obj.spec.dynamicAllocation.minExecutors then 
+    min_executor_instances = obj.spec.dynamicAllocation.minExecutors
+  end
+  return min_executor_instances, max_executor_instances
+end
+
+local function maybe_executor_range_spark_conf()
+  min_executor_instances = 0
+  max_executor_instances = infinity
+  if obj.spec.sparkConf["spark.streaming.dynamicAllocation.enabled"] ~= nil and 
+     obj.spec.sparkConf["spark.streaming.dynamicAllocation.enabled"] == "true" then
+    if(obj.spec.sparkConf["spark.streaming.dynamicAllocation.maxExecutors"] ~= nil) then
+      max_executor_instances = tonumber(obj.spec.sparkConf["spark.streaming.dynamicAllocation.maxExecutors"])
+    end
+    if(obj.spec.sparkConf["spark.streaming.dynamicAllocation.minExecutors"] ~= nil) then
+      min_executor_instances = tonumber(obj.spec.sparkConf["spark.streaming.dynamicAllocation.minExecutors"])
+    end
+    return min_executor_instances, max_executor_instances
+  elseif obj.spec.sparkConf["spark.dynamicAllocation.enabled"] ~= nil and 
+     obj.spec.sparkConf["spark.dynamicAllocation.enabled"] == "true" then
+    if(obj.spec.sparkConf["spark.dynamicAllocation.maxExecutors"] ~= nil) then
+      max_executor_instances = tonumber(obj.spec.sparkConf["spark.dynamicAllocation.maxExecutors"])
+    end
+    if(obj.spec.sparkConf["spark.dynamicAllocation.minExecutors"] ~= nil) then
+      min_executor_instances = tonumber(obj.spec.sparkConf["spark.dynamicAllocation.minExecutors"])
+    end
+    return min_executor_instances, max_executor_instances
+  else
+    return nil
+  end
+end
+
+local function maybe_executor_range()
+  if obj.spec["dynamicAllocation"] and obj.spec.dynamicAllocation.enabled then
+    return executor_range_api()
+  elseif obj.spec["sparkConf"] ~= nil then
+    return maybe_executor_range_spark_conf()
+  else 
+    return nil
+  end
+end
+
 if obj.status ~= nil then
   if obj.status.applicationState.state ~= nil then
     if obj.status.applicationState.state == "" then
@@ -19,6 +70,13 @@ if obj.status ~= nil then
           health_status.status = "Healthy"
           health_status.message = "SparkApplication is Running"
           return health_status
+        elseif maybe_executor_range() then
+          min_executor_instances, max_executor_instances = maybe_executor_range()
+          if count >= min_executor_instances and count <= max_executor_instances then 
+            health_status.status = "Healthy"
+            health_status.message = "SparkApplication is Running"
+            return health_status
+          end
         end
       end
     end
@@ -72,4 +130,4 @@ if obj.status ~= nil then
 end
 health_status.status = "Progressing"
 health_status.message = "Waiting for Executor pods"
-return health_status
+return health_status

resource_customizations/sparkoperator.k8s.io/SparkApplication/health_test.yaml

@@ -11,3 +11,15 @@ tests:
     status: Healthy
     message: "SparkApplication is Running"
   inputPath: testdata/healthy.yaml
+- healthStatus:
+    status: Healthy
+    message: "SparkApplication is Running"
+  inputPath: testdata/healthy_dynamic_alloc.yaml
+- healthStatus:
+    status: Healthy
+    message: "SparkApplication is Running"
+  inputPath: testdata/healthy_dynamic_alloc_dstream.yaml
+- healthStatus:
+    status: Healthy
+    message: "SparkApplication is Running"
+  inputPath: testdata/healthy_dynamic_alloc_operator_api.yaml

resource_customizations/sparkoperator.k8s.io/SparkApplication/testdata/healthy_dynamic_alloc.yaml

@@ -0,0 +1,37 @@
+apiVersion: sparkoperator.k8s.io/v1beta2
+kind: SparkApplication
+metadata:
+  generation: 4
+  labels:
+    argocd.argoproj.io/instance: spark-job
+  name: spark-job-app
+  namespace: spark-cluster
+  resourceVersion: "31812990"
+  uid: bfee52b0-74ca-4465-8005-f6643097ed64
+spec:
+  executor:
+    instances: 4
+  sparkConf:
+    spark.dynamicAllocation.enabled: 'true'
+    spark.dynamicAllocation.maxExecutors: '10'
+    spark.dynamicAllocation.minExecutors: '2'
+status:
+  applicationState:
+    state: RUNNING
+  driverInfo:
+    podName: ingestion-datalake-news-app-driver
+    webUIAddress: 172.20.207.161:4040
+    webUIPort: 4040
+    webUIServiceName: ingestion-datalake-news-app-ui-svc
+  executionAttempts: 13
+  executorState:
+    ingestion-datalake-news-app-1591613851251-exec-1: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-2: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-4: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-5: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-6: RUNNING
+  lastSubmissionAttemptTime: "2020-06-08T10:57:32Z"
+  sparkApplicationId: spark-a5920b2a5aa04d22a737c60759b5bf82
+  submissionAttempts: 1
+  submissionID: 3e713ec8-9f6c-4e78-ac28-749797c846f0
+  terminationTime: null

resource_customizations/sparkoperator.k8s.io/SparkApplication/testdata/healthy_dynamic_alloc_dstream.yaml

@@ -0,0 +1,35 @@
+apiVersion: sparkoperator.k8s.io/v1beta2
+kind: SparkApplication
+metadata:
+  generation: 4
+  labels:
+    argocd.argoproj.io/instance: spark-job
+  name: spark-job-app
+  namespace: spark-cluster
+  resourceVersion: "31812990"
+  uid: bfee52b0-74ca-4465-8005-f6643097ed64
+spec:
+  executor:
+    instances: 4
+  sparkConf:
+    spark.streaming.dynamicAllocation.enabled: 'true'
+    spark.streaming.dynamicAllocation.maxExecutors: '10'
+    spark.streaming.dynamicAllocation.minExecutors: '2'
+status:
+  applicationState:
+    state: RUNNING
+  driverInfo:
+    podName: ingestion-datalake-news-app-driver
+    webUIAddress: 172.20.207.161:4040
+    webUIPort: 4040
+    webUIServiceName: ingestion-datalake-news-app-ui-svc
+  executionAttempts: 13
+  executorState:
+    ingestion-datalake-news-app-1591613851251-exec-1: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-4: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-6: RUNNING
+  lastSubmissionAttemptTime: "2020-06-08T10:57:32Z"
+  sparkApplicationId: spark-a5920b2a5aa04d22a737c60759b5bf82
+  submissionAttempts: 1
+  submissionID: 3e713ec8-9f6c-4e78-ac28-749797c846f0
+  terminationTime: null

resource_customizations/sparkoperator.k8s.io/SparkApplication/testdata/healthy_dynamic_alloc_operator_api.yaml

@@ -0,0 +1,38 @@
+apiVersion: sparkoperator.k8s.io/v1beta2
+kind: SparkApplication
+metadata:
+  generation: 4
+  labels:
+    argocd.argoproj.io/instance: spark-job
+  name: spark-job-app
+  namespace: spark-cluster
+  resourceVersion: "31812990"
+  uid: bfee52b0-74ca-4465-8005-f6643097ed64
+spec:
+  executor:
+    instances: 4
+  dynamicAllocation:
+    enabled: true
+    initialExecutors: 2
+    minExecutors: 2
+    maxExecutors: 10
+status:
+  applicationState:
+    state: RUNNING
+  driverInfo:
+    podName: ingestion-datalake-news-app-driver
+    webUIAddress: 172.20.207.161:4040
+    webUIPort: 4040
+    webUIServiceName: ingestion-datalake-news-app-ui-svc
+  executionAttempts: 13
+  executorState:
+    ingestion-datalake-news-app-1591613851251-exec-1: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-2: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-4: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-5: RUNNING
+    ingestion-datalake-news-app-1591613851251-exec-6: RUNNING
+  lastSubmissionAttemptTime: "2020-06-08T10:57:32Z"
+  sparkApplicationId: spark-a5920b2a5aa04d22a737c60759b5bf82
+  submissionAttempts: 1
+  submissionID: 3e713ec8-9f6c-4e78-ac28-749797c846f0
+  terminationTime: null

server/application/terminal.go

@@ -25,6 +25,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/rbac"
 	"github.com/argoproj/argo-cd/v2/util/security"
 	sessionmgr "github.com/argoproj/argo-cd/v2/util/session"
+	"github.com/argoproj/argo-cd/v2/util/settings"
 )
 
 type terminalHandler struct {
@@ -95,6 +96,26 @@ func isValidContainerName(name string) bool {
 	return len(validationErrors) == 0
 }
 
+type GetSettingsFunc func() (*settings.ArgoCDSettings, error)
+
+// WithFeatureFlagMiddleware is an HTTP middleware to verify if the terminal
+// feature is enabled before invoking the main handler
+func (s *terminalHandler) WithFeatureFlagMiddleware(getSettings GetSettingsFunc) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		argocdSettings, err := getSettings()
+		if err != nil {
+			log.Errorf("error executing WithFeatureFlagMiddleware: error getting settings: %s", err)
+			http.Error(w, "Failed to get settings", http.StatusBadRequest)
+			return
+		}
+		if !argocdSettings.ExecEnabled {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+		s.ServeHTTP(w, r)
+	})
+}
+
 func (s *terminalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	q := r.URL.Query()
 

server/server.go

@@ -861,40 +861,10 @@ func (a *ArgoCDServer) newHTTPServer(ctx context.Context, port int, grpcWebHandl
 	}
 	mux.Handle("/api/", handler)
 
-	terminalHandler := application.NewHandler(a.appLister, a.Namespace, a.ApplicationNamespaces, a.db, a.enf, a.Cache, appResourceTreeFn, a.settings.ExecShells)
-	mux.HandleFunc("/terminal", func(writer http.ResponseWriter, request *http.Request) {
-		argocdSettings, err := a.settingsMgr.GetSettings()
-		if err != nil {
-			http.Error(writer, fmt.Sprintf("Failed to get settings: %v", err), http.StatusBadRequest)
-			return
-		}
-		if !argocdSettings.ExecEnabled {
-			writer.WriteHeader(http.StatusNotFound)
-			return
-		}
-
-		if !a.DisableAuth {
-			ctx := request.Context()
-			cookies := request.Cookies()
-			tokenString, err := httputil.JoinCookies(common.AuthCookieName, cookies)
-			if err == nil && jwtutil.IsValid(tokenString) {
-				claims, _, err := a.sessionMgr.VerifyToken(tokenString)
-				if err != nil {
-					// nolint:staticcheck
-					ctx = context.WithValue(ctx, util_session.AuthErrorCtxKey, err)
-				} else if claims != nil {
-					// Add claims to the context to inspect for RBAC
-					// nolint:staticcheck
-					ctx = context.WithValue(ctx, "claims", claims)
-				}
-				request = request.WithContext(ctx)
-			} else {
-				writer.WriteHeader(http.StatusUnauthorized)
-				return
-			}
-		}
-		terminalHandler.ServeHTTP(writer, request)
-	})
+	terminal := application.NewHandler(a.appLister, a.Namespace, a.ApplicationNamespaces, a.db, a.enf, a.Cache, appResourceTreeFn, a.settings.ExecShells).
+		WithFeatureFlagMiddleware(a.settingsMgr.GetSettings)
+	th := util_session.WithAuthMiddleware(a.DisableAuth, a.sessionMgr, terminal)
+	mux.Handle("/terminal", th)
 
 	mustRegisterGWHandler(versionpkg.RegisterVersionServiceHandler, ctx, gwmux, conn)
 	mustRegisterGWHandler(clusterpkg.RegisterClusterServiceHandler, ctx, gwmux, conn)

ui/src/app/applications/components/application-details/application-resource-list.tsx

@@ -46,7 +46,7 @@ export const ApplicationResourceList = ({
                                 <Consumer>
                                     {ctx => (
                                         <span className='application-details__external_link'>
-                                            <a href={ctx.baseHref + 'applications/' + res.name} title='Open application'>
+                                            <a href={ctx.baseHref + 'applications/' + res.namespace + '/' + res.name} title='Open application'>
                                                 <i className='fa fa-external-link-alt' />
                                             </a>
                                         </span>

ui/src/app/applications/components/application-resource-tree/application-resource-tree.tsx

@@ -433,7 +433,7 @@ function renderPodGroup(props: ApplicationResourceTreeProps, id: string, node: R
                         {appNode && !rootNode && (
                             <Consumer>
                                 {ctx => (
-                                    <a href={ctx.baseHref + 'applications/' + node.name} title='Open application'>
+                                    <a href={ctx.baseHref + 'applications/' + node.namespace + '/' + node.name} title='Open application'>
                                         <i className='fa fa-external-link-alt' />
                                     </a>
                                 )}
@@ -652,7 +652,7 @@ function renderResourceNode(props: ApplicationResourceTreeProps, id: string, nod
                     {appNode && !rootNode && (
                         <Consumer>
                             {ctx => (
-                                <a href={ctx.baseHref + 'applications/' + node.name} title='Open application'>
+                                <a href={ctx.baseHref + 'applications/' + node.namespace + '/' + node.name} title='Open application'>
                                     <i className='fa fa-external-link-alt' />
                                 </a>
                             )}

util/oidc/provider.go

@@ -109,6 +109,12 @@ func (p *providerImpl) Verify(tokenString string, argoSettings *settings.ArgoCDS
 		// Token must be verified for at least one allowed audience
 		for _, aud := range allowedAudiences {
 			idToken, err = p.verify(aud, tokenString, false)
+			if err != nil && strings.HasPrefix(err.Error(), "oidc: token is expired") {
+				// If the token is expired, we won't bother checking other audiences. It's important to return a
+				// ErrTokenExpired instead of an error related to an incorrect audience, because the caller may
+				// have specific behavior to handle expired tokens.
+				break
+			}
 			if err == nil {
 				break
 			}

util/session/sessionmanager.go

@@ -462,6 +462,47 @@ func (mgr *SessionManager) VerifyUsernamePassword(username string, password stri
 	return nil
 }
 
+// AuthMiddlewareFunc returns a function that can be used as an
+// authentication middleware for HTTP requests.
+func (mgr *SessionManager) AuthMiddlewareFunc(disabled bool) func(http.Handler) http.Handler {
+	return func(h http.Handler) http.Handler {
+		return WithAuthMiddleware(disabled, mgr, h)
+	}
+}
+
+// TokenVerifier defines the contract to invoke token
+// verification logic
+type TokenVerifier interface {
+	VerifyToken(token string) (jwt.Claims, string, error)
+}
+
+// WithAuthMiddleware is an HTTP middleware used to ensure incoming
+// requests are authenticated before invoking the target handler. If
+// disabled is true, it will just invoke the next handler in the chain.
+func WithAuthMiddleware(disabled bool, authn TokenVerifier, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !disabled {
+			cookies := r.Cookies()
+			tokenString, err := httputil.JoinCookies(common.AuthCookieName, cookies)
+			if err != nil {
+				http.Error(w, "Auth cookie not found", http.StatusBadRequest)
+				return
+			}
+			claims, _, err := authn.VerifyToken(tokenString)
+			if err != nil {
+				http.Error(w, "Invalid token", http.StatusUnauthorized)
+				return
+			}
+			ctx := r.Context()
+			// Add claims to the context to inspect for RBAC
+			// nolint:staticcheck
+			ctx = context.WithValue(ctx, "claims", claims)
+			r = r.WithContext(ctx)
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
 // VerifyToken verifies if a token is correct. Tokens can be issued either from us or by an IDP.
 // We choose how to verify based on the issuer.
 func (mgr *SessionManager) VerifyToken(tokenString string) (jwt.Claims, string, error) {

util/session/sessionmanager_test.go

@@ -3,8 +3,12 @@ package session
 import (
 	"context"
 	"encoding/pem"
+	stderrors "errors"
 	"fmt"
+	"io"
 	"math"
+	"net/http"
+	"net/http/httptest"
 	"os"
 	"strconv"
 	"strings"
@@ -221,6 +225,136 @@ func TestSessionManager_ProjectToken(t *testing.T) {
 	})
 }
 
+type claimsMock struct {
+	err error
+}
+
+func (cm *claimsMock) Valid() error {
+	return cm.err
+}
+
+type tokenVerifierMock struct {
+	claims *claimsMock
+	err    error
+}
+
+func (tm *tokenVerifierMock) VerifyToken(token string) (jwt.Claims, string, error) {
+	if tm.claims == nil {
+		return nil, "", tm.err
+	}
+	return tm.claims, "", tm.err
+}
+
+func strPointer(str string) *string {
+	return &str
+}
+
+func TestSessionManager_WithAuthMiddleware(t *testing.T) {
+	handlerFunc := func() func(http.ResponseWriter, *http.Request) {
+		return func(w http.ResponseWriter, r *http.Request) {
+			t.Helper()
+			w.WriteHeader(http.StatusOK)
+			w.Header().Set("Content-Type", "application/text")
+			_, err := w.Write([]byte("Ok"))
+			if err != nil {
+				t.Fatalf("error writing response: %s", err)
+			}
+		}
+	}
+	type testCase struct {
+		name                 string
+		authDisabled         bool
+		cookieHeader         bool
+		verifiedClaims       *claimsMock
+		verifyTokenErr       error
+		expectedStatusCode   int
+		expectedResponseBody *string
+	}
+
+	cases := []testCase{
+		{
+			name:                 "will authenticate successfully",
+			authDisabled:         false,
+			cookieHeader:         true,
+			verifiedClaims:       &claimsMock{},
+			verifyTokenErr:       nil,
+			expectedStatusCode:   200,
+			expectedResponseBody: strPointer("Ok"),
+		},
+		{
+			name:                 "will be noop if auth is disabled",
+			authDisabled:         true,
+			cookieHeader:         false,
+			verifiedClaims:       nil,
+			verifyTokenErr:       nil,
+			expectedStatusCode:   200,
+			expectedResponseBody: strPointer("Ok"),
+		},
+		{
+			name:                 "will return 400 if no cookie header",
+			authDisabled:         false,
+			cookieHeader:         false,
+			verifiedClaims:       &claimsMock{},
+			verifyTokenErr:       nil,
+			expectedStatusCode:   400,
+			expectedResponseBody: nil,
+		},
+		{
+			name:                 "will return 401 verify token fails",
+			authDisabled:         false,
+			cookieHeader:         true,
+			verifiedClaims:       &claimsMock{},
+			verifyTokenErr:       stderrors.New("token error"),
+			expectedStatusCode:   401,
+			expectedResponseBody: nil,
+		},
+		{
+			name:                 "will return 200 if claims are nil",
+			authDisabled:         false,
+			cookieHeader:         true,
+			verifiedClaims:       nil,
+			verifyTokenErr:       nil,
+			expectedStatusCode:   200,
+			expectedResponseBody: strPointer("Ok"),
+		},
+	}
+	for _, tc := range cases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			// given
+			mux := http.NewServeMux()
+			mux.HandleFunc("/", handlerFunc())
+			tm := &tokenVerifierMock{
+				claims: tc.verifiedClaims,
+				err:    tc.verifyTokenErr,
+			}
+			ts := httptest.NewServer(WithAuthMiddleware(tc.authDisabled, tm, mux))
+			defer ts.Close()
+			req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
+			if err != nil {
+				t.Fatalf("error creating request: %s", err)
+			}
+			if tc.cookieHeader {
+				req.Header.Add("Cookie", "argocd.token=123456")
+			}
+
+			// when
+			resp, err := http.DefaultClient.Do(req)
+
+			// then
+			assert.NoError(t, err)
+			assert.NotNil(t, resp)
+			assert.Equal(t, tc.expectedStatusCode, resp.StatusCode)
+			if tc.expectedResponseBody != nil {
+				body, err := io.ReadAll(resp.Body)
+				require.NoError(t, err)
+				actual := strings.TrimSuffix(string(body), "\n")
+				assert.Contains(t, actual, *tc.expectedResponseBody)
+			}
+		})
+	}
+}
+
 var loggedOutContext = context.Background()
 
 // nolint:staticcheck

util/settings/settings.go

@@ -1697,12 +1697,16 @@ func (a *ArgoCDSettings) OAuth2ClientID() string {
 func (a *ArgoCDSettings) OAuth2AllowedAudiences() []string {
 	if config := a.oidcConfig(); config != nil {
 		if len(config.AllowedAudiences) == 0 {
-			return []string{config.ClientID}
+			allowedAudiences := []string{config.ClientID}
+			if config.CLIClientID != "" {
+				allowedAudiences = append(allowedAudiences, config.CLIClientID)
+			}
+			return allowedAudiences
 		}
 		return config.AllowedAudiences
 	}
 	if a.DexConfig != "" {
-		return []string{common.ArgoCDClientAppID}
+		return []string{common.ArgoCDClientAppID, common.ArgoCDCLIClientAppID}
 	}
 	return nil
 }

util/settings/settings_test.go

@@ -1343,3 +1343,68 @@ rootCA: "invalid"`},
 		})
 	}
 }
+
+func Test_OAuth2AllowedAudiences(t *testing.T) {
+	testCases := []struct {
+		name     string
+		settings *ArgoCDSettings
+		expected []string
+	}{
+		{
+			name:     "Empty",
+			settings: &ArgoCDSettings{},
+			expected: []string{},
+		},
+		{
+			name: "OIDC configured, no audiences specified, clientID used",
+			settings: &ArgoCDSettings{OIDCConfigRAW: `name: Test
+issuer: aaa
+clientID: xxx
+clientSecret: yyy
+requestedScopes: ["oidc"]`},
+			expected: []string{"xxx"},
+		},
+		{
+			name: "OIDC configured, no audiences specified, clientID and cliClientID used",
+			settings: &ArgoCDSettings{OIDCConfigRAW: `name: Test
+issuer: aaa
+clientID: xxx
+cliClientID: cli-xxx
+clientSecret: yyy
+requestedScopes: ["oidc"]`},
+			expected: []string{"xxx", "cli-xxx"},
+		},
+		{
+			name: "OIDC configured, audiences specified",
+			settings: &ArgoCDSettings{OIDCConfigRAW: `name: Test
+issuer: aaa
+clientID: xxx
+clientSecret: yyy
+requestedScopes: ["oidc"]
+allowedAudiences: ["aud1", "aud2"]`},
+			expected: []string{"aud1", "aud2"},
+		},
+		{
+			name: "Dex configured",
+			settings: &ArgoCDSettings{DexConfig: `connectors:
+  - type: github
+    id: github
+    name: GitHub
+    config:
+      clientID: aabbccddeeff00112233
+      clientSecret: $dex.github.clientSecret
+      orgs:
+      - name: your-github-org
+`},
+			expected: []string{common.ArgoCDClientAppID, common.ArgoCDCLIClientAppID},
+		},
+	}
+
+	for _, tc := range testCases {
+		tcc := tc
+		t.Run(tcc.name, func(t *testing.T) {
+			t.Parallel()
+			assert.ElementsMatch(t, tcc.expected, tcc.settings.OAuth2AllowedAudiences())
+		})
+	}
+}