fix: Updated docs about using a slash in ignoreDifferences (#15144 ) (#15170 )

Signed-off-by: Christian Hernandez <christian@chernand.io> Co-authored-by: Christian Hernandez <christianh814@users.noreply.github.com>
chore: Upgrade Redis to redis:7.0.14 (#16164 ) (#16220 )
2026-03-06 00:18:48 +01:00 · 2023-11-14 10:59:57 -05:00 · 2023-11-02 15:31:19 -04:00 · 2023-10-31 10:10:50 -04:00 · 2023-10-26 11:33:04 -04:00 · 2023-10-25 13:14:20 -04:00
54 changed files with 549 additions and 104 deletions
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -13,7 +13,7 @@ on:

 env:
  # Golang version to use across CI steps
-  GOLANG_VERSION: '1.19.10'
+  GOLANG_VERSION: '1.20.10'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -427,7 +427,7 @@ jobs:
        run: |
          docker pull ghcr.io/dexidp/dex:v2.37.0
          docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.11-alpine
+          docker pull redis:7.0.14-alpine
      - name: Create target directory for binaries in the build-process
        run: |
          mkdir -p dist
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -10,7 +10,7 @@ on:
    types: [ labeled, unlabeled, opened, synchronize, reopened ]

 env:
-  GOLANG_VERSION: '1.19.10'
+  GOLANG_VERSION: '1.20.10'

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,7 +12,7 @@ on:
      - "!release-v0*"

 env:
-  GOLANG_VERSION: '1.19.10'
+  GOLANG_VERSION: '1.20.10'

 permissions:
  contents: read
--- a/4
+++ b/4
@@ -4,7 +4,7 @@ ARG BASE_IMAGE=docker.io/library/ubuntu:22.04
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.19.10@sha256:83f9f840072d05ad4d90ce4ac7cb2427632d6b89d5ffc558f18f9577ec8188c0 AS builder
+FROM docker.io/library/golang:1.20.10@sha256:077ff85b374b23916b4b41835e242e5a3ddad9fc537ea7e980f230431747d245 AS builder

 RUN echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list

@@ -99,7 +99,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.19.10@sha256:83f9f840072d05ad4d90ce4ac7cb2427632d6b89d5ffc558f18f9577ec8188c0 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.20.10@sha256:077ff85b374b23916b4b41835e242e5a3ddad9fc537ea7e980f230431747d245 AS argocd-build

 WORKDIR /go/src/github.com/argoproj/argo-cd

--- a/USERS.md
+++ b/USERS.md
@@ -175,6 +175,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Patreon](https://www.patreon.com/)
 1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
+1. [PGS](https://www.pgs.com)
 1. [Pigment](https://www.gopigment.com/)
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
--- a/2
+++ b/2
@@ -1 +1 @@
-2.6.14
+2.6.15
--- a/cmd/argocd-notification/commands/controller.go
+++ b/cmd/argocd-notification/commands/controller.go
@@ -55,6 +55,7 @@ func NewCommand() *cobra.Command {
 		argocdRepoServerStrictTLS bool
 		configMapName             string
 		secretName                string
+		applicationNamespaces     []string
 	)
 	var command = cobra.Command{
 		Use:   "controller",
@@ -138,7 +139,7 @@ func NewCommand() *cobra.Command {
 			log.Infof("serving metrics on port %d", metricsPort)
 			log.Infof("loading configuration %d", metricsPort)

-			ctrl := notificationscontroller.NewController(k8sClient, dynamicClient, argocdService, namespace, appLabelSelector, registry, secretName, configMapName)
+			ctrl := notificationscontroller.NewController(k8sClient, dynamicClient, argocdService, namespace, applicationNamespaces, appLabelSelector, registry, secretName, configMapName)
 			err = ctrl.Init(ctx)
 			if err != nil {
 				return err
@@ -161,5 +162,6 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&argocdRepoServerStrictTLS, "argocd-repo-server-strict-tls", false, "Perform strict validation of TLS certificates when connecting to repo server")
 	command.Flags().StringVar(&configMapName, "config-map-name", "argocd-notifications-cm", "Set notifications ConfigMap name")
 	command.Flags().StringVar(&secretName, "secret-name", "argocd-notifications-secret", "Set notifications Secret name")
+	command.Flags().StringSliceVar(&applicationNamespaces, "application-namespaces", env.StringsFromEnv("ARGOCD_APPLICATION_NAMESPACES", []string{}, ","), "List of additional namespaces that this controller should send notifications for")
 	return &command
 }
--- a/cmd/argocd-repo-server/commands/argocd_repo_server.go
+++ b/cmd/argocd-repo-server/commands/argocd_repo_server.go
@@ -84,6 +84,8 @@ func NewCommand() *cobra.Command {
 		allowOutOfBoundsSymlinks          bool
 		streamedManifestMaxTarSize        string
 		streamedManifestMaxExtractedSize  string
+		helmManifestMaxExtractedSize      string
+		disableManifestMaxExtractedSize   bool
 	)
 	var command = cobra.Command{
 		Use:               cliName,
@@ -122,6 +124,9 @@ func NewCommand() *cobra.Command {
 			streamedManifestMaxExtractedSizeQuantity, err := resource.ParseQuantity(streamedManifestMaxExtractedSize)
 			errors.CheckError(err)

+			helmManifestMaxExtractedSizeQuantity, err := resource.ParseQuantity(helmManifestMaxExtractedSize)
+			errors.CheckError(err)
+
 			askPassServer := askpass.NewServer()
 			metricsServer := metrics.NewMetricsServer()
 			cacheutil.CollectMetrics(redisClient, metricsServer)
@@ -136,6 +141,7 @@ func NewCommand() *cobra.Command {
 				AllowOutOfBoundsSymlinks:                     allowOutOfBoundsSymlinks,
 				StreamedManifestMaxExtractedSize:             streamedManifestMaxExtractedSizeQuantity.ToDec().Value(),
 				StreamedManifestMaxTarSize:                   streamedManifestMaxTarSizeQuantity.ToDec().Value(),
+				HelmManifestMaxExtractedSize:                 helmManifestMaxExtractedSizeQuantity.ToDec().Value(),
 			}, askPassServer)
 			errors.CheckError(err)

@@ -216,6 +222,8 @@ func NewCommand() *cobra.Command {
 	command.Flags().BoolVar(&allowOutOfBoundsSymlinks, "allow-oob-symlinks", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_ALLOW_OUT_OF_BOUNDS_SYMLINKS", false), "Allow out-of-bounds symlinks in repositories (not recommended)")
 	command.Flags().StringVar(&streamedManifestMaxTarSize, "streamed-manifest-max-tar-size", env.StringFromEnv("ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_TAR_SIZE", "100M"), "Maximum size of streamed manifest archives")
 	command.Flags().StringVar(&streamedManifestMaxExtractedSize, "streamed-manifest-max-extracted-size", env.StringFromEnv("ARGOCD_REPO_SERVER_STREAMED_MANIFEST_MAX_EXTRACTED_SIZE", "1G"), "Maximum size of streamed manifest archives when extracted")
+	command.Flags().StringVar(&helmManifestMaxExtractedSize, "helm-manifest-max-extracted-size", env.StringFromEnv("ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE", "1G"), "Maximum size of helm manifest archives when extracted")
+	command.Flags().BoolVar(&disableManifestMaxExtractedSize, "disable-helm-manifest-max-extracted-size", env.ParseBoolFromEnv("ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE", false), "Disable maximum size of helm manifest archives when extracted")
 	tlsConfigCustomizerSrc = tls.AddTLSFlagsToCmd(&command)
 	cacheSrc = reposervercache.AddCacheFlagsToCmd(&command, func(client *redis.Client) {
 		redisClient = client
--- a/docs/operator-manual/app-any-namespace.md
+++ b/docs/operator-manual/app-any-namespace.md
@@ -71,6 +71,8 @@ We supply a `ClusterRole` and `ClusterRoleBinding` suitable for this purpose in
 kubectl apply -f examples/k8s-rbac/argocd-server-applications/
 ```

+`argocd-notifications-controller-rbac-clusterrole.yaml` and `argocd-notifications-controller-rbac-clusterrolebinding.yaml` are used to support notifications controller to notify apps in all namespaces.
+
 !!! note
    At some later point in time, we may make this cluster role part of the default installation manifests.

--- a/docs/operator-manual/application.yaml
+++ b/docs/operator-manual/application.yaml
@@ -192,6 +192,9 @@ spec:
    kind: Deployment
    jsonPointers:
    - /spec/replicas
+  - kind: ConfigMap
+    jqPathExpressions:
+    - '.data["config.yaml"].auth'
  # for the specified managedFields managers
  - group: "*"
    kind: "*"
--- a/docs/operator-manual/declarative-setup.md
+++ b/docs/operator-manual/declarative-setup.md
@@ -98,7 +98,7 @@ The AppProject CRD is the Kubernetes resource object representing a logical grou
 It is defined by the following key pieces of information:

 * `sourceRepos` reference to the repositories that applications within the project can pull manifests from.
-* `destinations` reference to clusters and namespaces that applications within the project can deploy into (don't use the `name` field, only the `server` field is matched).
+* `destinations` reference to clusters and namespaces that applications within the project can deploy into.
 * `roles` list of entities with definitions of their access to resources within the project.

 !!!warning "Projects which can deploy to the Argo CD namespace grant admin access"
--- a/docs/operator-manual/notifications/services/github.md
+++ b/docs/operator-manual/notifications/services/github.md
@@ -58,15 +58,19 @@ metadata:

 ![](https://user-images.githubusercontent.com/18019529/108520497-168ce180-730e-11eb-93cb-b0b91f99bdc5.png)

-If the message is set to 140 characters or more, it will be truncate.
-
 ```yaml
 template.app-deployed: |
  message: |
    Application {{.app.metadata.name}} is now running new version of deployments manifests.
  github:
+    repoURLPath: "{{.app.spec.source.repoURL}}"
+    revisionPath: "{{.app.status.operationState.syncResult.revision}}"
    status:
      state: success
      label: "continuous-delivery/{{.app.metadata.name}}"
      targetURL: "{{.context.argocdUrl}}/applications/{{.app.metadata.name}}?operation=true"
 ```
+
+**Notes**:
+- If the message is set to 140 characters or more, it will be truncated.
+- If `github.repoURLPath` and `github.revisionPath` are same as above, they can be omitted.
--- a/docs/operator-manual/project.yaml
+++ b/docs/operator-manual/project.yaml
@@ -91,3 +91,8 @@ spec:
  # scoped to this project. Set the following field to `true` to restrict apps in this cluster to only clusters
  # scoped to this project.
  permitOnlyProjectScopedClusters: false
+
+  # When using Applications-in-any-namespace, this field determines which namespaces this AppProject permits
+  # Applications to reside in. Details: https://argo-cd.readthedocs.io/en/stable/operator-manual/app-any-namespace/
+  sourceNamespaces:
+  - "argocd-apps-*"
--- a/docs/operator-manual/rbac.md
+++ b/docs/operator-manual/rbac.md
@@ -55,6 +55,13 @@ corresponds to the `action` path `action/extensions/DaemonSet/restart`. You can
 also use glob patterns in the action path: `action/*` (or regex patterns if you have
 [enabled the `regex` match mode](https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/argocd-rbac-cm.yaml)).

+If the resource is not under a group (for examples, Pods or ConfigMaps), then omit the group name from your RBAC
+configuration:
+
+```csv
+p, example-user, applications, action//Pod/maintenance-off, default/*, allow
+```
+
 #### The `exec` resource

 `exec` is a special resource. When enabled with the `create` action, this privilege allows a user to `exec` into Pods via 
--- a/docs/operator-manual/server-commands/argocd-repo-server.md
+++ b/docs/operator-manual/server-commands/argocd-repo-server.md
@@ -15,7 +15,9 @@ argocd-repo-server [flags]
 ```
      --allow-oob-symlinks                             Allow out-of-bounds symlinks in repositories (not recommended)
      --default-cache-expiration duration              Cache expiration default (default 24h0m0s)
+      --disable-helm-manifest-max-extracted-size       Disable maximum size of helm manifest archives when extracted
      --disable-tls                                    Disable TLS on the gRPC endpoint
+      --helm-manifest-max-extracted-size string        Maximum size of helm manifest archives when extracted (default "1G")
  -h, --help                                           help for argocd-repo-server
      --logformat string                               Set the logging format. One of: text|json (default "text")
      --loglevel string                                Set the logging level. One of: debug|info|warn|error (default "info")
--- a/docs/user-guide/diffing.md
+++ b/docs/user-guide/diffing.md
@@ -68,6 +68,15 @@ spec:

 The above configuration will ignore differences from all fields owned by `kube-controller-manager` for all resources belonging to this application.

+If you have a slash `/` in your pointer path, you can use the `~1` character. For example:
+
+```yaml
+spec:
+  ignoreDifferences:
+  - kind: Node
+    jsonPointers: /metadata/labels/node-role.kubernetes.io~1worker
+```
+
 ## System-Level Configuration

 The comparison of resources with well-known issues can be customized at a system level. Ignored differences can be configured for a specified group and kind
--- a/examples/k8s-rbac/argocd-server-applications/argocd-notifications-controller-rbac-clusterrole.yaml
+++ b/examples/k8s-rbac/argocd-server-applications/argocd-notifications-controller-rbac-clusterrole.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-notifications-controller-cluster-apps
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/component: notifications-controller
+  name: argocd-notifications-controller-cluster-apps
+rules:
+- apiGroups:
+  - "argoproj.io"
+  resources:
+  - "applications"
+  verbs:
+  - get
+  - list
+  - watch
+  - update
+  - patch
--- a/examples/k8s-rbac/argocd-server-applications/argocd-notifications-controller-rbac-clusterrolebinding.yaml
+++ b/examples/k8s-rbac/argocd-server-applications/argocd-notifications-controller-rbac-clusterrolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-notifications-controller-cluster-apps
+    app.kubernetes.io/part-of: argocd
+    app.kubernetes.io/component: notifications-controller
+  name: argocd-notifications-controller-cluster-apps
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-notifications-controller-cluster-apps
+subjects:
+- kind: ServiceAccount
+  name: argocd-notifications-controller
+  namespace: argocd
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/argoproj/argo-cd/v2

-go 1.18
+go 1.20

 require (
 	code.gitea.io/sdk/gitea v0.15.1
--- a/manifests/base/kustomization.yaml
+++ b/manifests/base/kustomization.yaml
@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v2.6.14
+  newTag: v2.6.15
 resources:
 - ./application-controller
 - ./dex
--- a/manifests/base/notification/argocd-notifications-controller-deployment.yaml
+++ b/manifests/base/notification/argocd-notifications-controller-deployment.yaml
@@ -31,6 +31,13 @@ spec:
      containers:
        - command:
            - argocd-notifications
+          env:
+            - name: ARGOCD_APPLICATION_NAMESPACES
+              valueFrom:
+                configMapKeyRef:
+                  key: application.namespaces
+                  name: argocd-cmd-params-cm
+                  optional: true
          workingDir: /app
          livenessProbe:
            tcpSocket:
--- a/manifests/base/redis/argocd-redis-deployment.yaml
+++ b/manifests/base/redis/argocd-redis-deployment.yaml
@@ -23,7 +23,7 @@ spec:
      serviceAccountName: argocd-redis        
      containers:
      - name: redis
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: Always
        args:
        - "--save"
--- a/manifests/base/repo-server/argocd-repo-server-deployment.yaml
+++ b/manifests/base/repo-server/argocd-repo-server-deployment.yaml
@@ -137,6 +137,18 @@ spec:
                key: reposerver.streamed.manifest.max.extracted.size
                name: argocd-cmd-params-cm
                optional: true
+          - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+            valueFrom:
+              configMapKeyRef:
+                key: reposerver.helm.manifest.max.extracted.size
+                name: argocd-cmd-params-cm
+                optional: true
+          - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+            valueFrom:
+              configMapKeyRef:
+                name: argocd-cmd-params-cm
+                key: reposerver.disable.helm.manifest.max.extracted.size
+                optional: true
          - name: ARGOCD_GIT_MODULES_ENABLED
            valueFrom:
              configMapKeyRef:
--- a/manifests/core-install.yaml
+++ b/manifests/core-install.yaml
@@ -15557,7 +15557,7 @@ spec:
              key: applicationsetcontroller.enable.progressive.syncs
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -15639,7 +15639,7 @@ spec:
        - ""
        - --appendonly
        - "no"
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: Always
        name: redis
        ports:
@@ -15809,6 +15809,18 @@ spec:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
@@ -15821,7 +15833,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -15873,7 +15885,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -16080,7 +16092,7 @@ spec:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/core-install/kustomization.yaml
+++ b/manifests/core-install/kustomization.yaml
@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v2.6.14
+  newTag: v2.6.15
--- a/manifests/ha/base/kustomization.yaml
+++ b/manifests/ha/base/kustomization.yaml
@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
  newName: quay.io/argoproj/argocd
-  newTag: v2.6.14
+  newTag: v2.6.15
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller
--- a/manifests/ha/base/redis-ha/chart/upstream.yaml
+++ b/manifests/ha/base/redis-ha/chart/upstream.yaml
@@ -1080,7 +1080,13 @@ spec:
        args:
        - /readonly/haproxy_init.sh
        securityContext: 
-          null
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
        volumeMounts:
        - name: config-volume
          mountPath: /readonly
@@ -1092,7 +1098,13 @@ spec:
        image: haproxy:2.6.14-alpine
        imagePullPolicy: IfNotPresent
        securityContext: 
-          null
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          seccompProfile:
+            type: RuntimeDefault
        livenessProbe:
          httpGet:
            path: /healthz
@@ -1179,7 +1191,7 @@ spec:
      automountServiceAccountToken: false
      initContainers:
      - name: config-init
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        resources:
          {}
@@ -1188,7 +1200,14 @@ spec:
        args:
        - /readonly-config/init.sh
        securityContext: 
-          null        
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault        
        env:
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
@@ -1206,14 +1225,21 @@ spec:

      containers:
      - name: redis
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        command:
        - redis-server
        args:
        - /data/conf/redis.conf
        securityContext: 
-          null
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
        livenessProbe:
          initialDelaySeconds: 30
          periodSeconds: 15
@@ -1256,14 +1282,21 @@ spec:
              - /bin/sh
              - /readonly-config/trigger-failover-if-master.sh
      - name: sentinel
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        command:
          - redis-sentinel
        args:
          - /data/conf/sentinel.conf
        securityContext: 
-          null
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
        livenessProbe:
          initialDelaySeconds: 30
          periodSeconds: 15
@@ -1300,14 +1333,21 @@ spec:
          {}

      - name: split-brain-fix
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        command:
          - sh
        args:
          - /readonly-config/fix-split-brain.sh
        securityContext: 
-          null        
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault        
        env:
        - name: SENTINEL_ID_0
          value: 3c0d9c0320bb34888c2df5757c718ce6ca992ce6
--- a/manifests/ha/base/redis-ha/chart/values.yaml
+++ b/manifests/ha/base/redis-ha/chart/values.yaml
@@ -18,7 +18,7 @@ redis-ha:
      client: 6m
    checkInterval: 3s
  image:
-    tag: 7.0.11-alpine
+    tag: 7.0.14-alpine
  containerSecurityContext: null
  sentinel:
    bind: "0.0.0.0"
--- a/manifests/ha/install.yaml
+++ b/manifests/ha/install.yaml
@@ -16758,7 +16758,7 @@ spec:
              key: applicationsetcontroller.enable.progressive.syncs
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -16868,7 +16868,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -16921,7 +16921,14 @@ spec:
      containers:
      - command:
        - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.6.14
+        env:
+        - name: ARGOCD_APPLICATION_NAMESPACES
+          valueFrom:
+            configMapKeyRef:
+              key: application.namespaces
+              name: argocd-cmd-params-cm
+              optional: true
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -17212,6 +17219,18 @@ spec:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
@@ -17224,7 +17243,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -17276,7 +17295,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -17555,7 +17574,7 @@ spec:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -17791,7 +17810,7 @@ spec:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
@@ -17868,7 +17887,7 @@ spec:
        - /data/conf/redis.conf
        command:
        - redis-server
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@@ -17921,7 +17940,7 @@ spec:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -17973,7 +17992,7 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: split-brain-fix
        resources: {}
@@ -18002,7 +18021,7 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
--- a/manifests/ha/namespace-install.yaml
+++ b/manifests/ha/namespace-install.yaml
@@ -1562,7 +1562,7 @@ spec:
              key: applicationsetcontroller.enable.progressive.syncs
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -1672,7 +1672,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -1725,7 +1725,14 @@ spec:
      containers:
      - command:
        - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.6.14
+        env:
+        - name: ARGOCD_APPLICATION_NAMESPACES
+          valueFrom:
+            configMapKeyRef:
+              key: application.namespaces
+              name: argocd-cmd-params-cm
+              optional: true
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -2016,6 +2023,18 @@ spec:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
@@ -2028,7 +2047,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -2080,7 +2099,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -2359,7 +2378,7 @@ spec:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -2595,7 +2614,7 @@ spec:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
@@ -2672,7 +2691,7 @@ spec:
        - /data/conf/redis.conf
        command:
        - redis-server
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle:
          preStop:
@@ -2725,7 +2744,7 @@ spec:
        - /data/conf/sentinel.conf
        command:
        - redis-sentinel
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        lifecycle: {}
        livenessProbe:
@@ -2777,7 +2796,7 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: split-brain-fix
        resources: {}
@@ -2806,7 +2825,7 @@ spec:
          value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
        - name: SENTINEL_ID_2
          value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: IfNotPresent
        name: config-init
        securityContext:
--- a/manifests/install.yaml
+++ b/manifests/install.yaml
@@ -15877,7 +15877,7 @@ spec:
              key: applicationsetcontroller.enable.progressive.syncs
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -15987,7 +15987,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -16040,7 +16040,14 @@ spec:
      containers:
      - command:
        - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.6.14
+        env:
+        - name: ARGOCD_APPLICATION_NAMESPACES
+          valueFrom:
+            configMapKeyRef:
+              key: application.namespaces
+              name: argocd-cmd-params-cm
+              optional: true
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -16117,7 +16124,7 @@ spec:
        - ""
        - --appendonly
        - "no"
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: Always
        name: redis
        ports:
@@ -16287,6 +16294,18 @@ spec:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
@@ -16299,7 +16318,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -16351,7 +16370,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -16626,7 +16645,7 @@ spec:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -16860,7 +16879,7 @@ spec:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/manifests/namespace-install.yaml
+++ b/manifests/namespace-install.yaml
@@ -681,7 +681,7 @@ spec:
              key: applicationsetcontroller.enable.progressive.syncs
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-applicationset-controller
        ports:
@@ -791,7 +791,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: copyutil
        securityContext:
@@ -844,7 +844,14 @@ spec:
      containers:
      - command:
        - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.6.14
+        env:
+        - name: ARGOCD_APPLICATION_NAMESPACES
+          valueFrom:
+            configMapKeyRef:
+              key: application.namespaces
+              name: argocd-cmd-params-cm
+              optional: true
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          tcpSocket:
@@ -921,7 +928,7 @@ spec:
        - ""
        - --appendonly
        - "no"
-        image: redis:7.0.11-alpine
+        image: redis:7.0.14-alpine
        imagePullPolicy: Always
        name: redis
        ports:
@@ -1091,6 +1098,18 @@ spec:
              key: reposerver.streamed.manifest.max.extracted.size
              name: argocd-cmd-params-cm
              optional: true
+        - name: ARGOCD_REPO_SERVER_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
+        - name: ARGOCD_REPO_SERVER_DISABLE_HELM_MANIFEST_MAX_EXTRACTED_SIZE
+          valueFrom:
+            configMapKeyRef:
+              key: reposerver.disable.helm.manifest.max.extracted.size
+              name: argocd-cmd-params-cm
+              optional: true
        - name: ARGOCD_GIT_MODULES_ENABLED
          valueFrom:
            configMapKeyRef:
@@ -1103,7 +1122,7 @@ spec:
          value: /helm-working-dir
        - name: HELM_DATA_HOME
          value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          failureThreshold: 3
@@ -1155,7 +1174,7 @@ spec:
        - -n
        - /usr/local/bin/argocd
        - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        name: copyutil
        securityContext:
          allowPrivilegeEscalation: false
@@ -1430,7 +1449,7 @@ spec:
              key: server.enable.proxy.extension
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        livenessProbe:
          httpGet:
@@ -1664,7 +1683,7 @@ spec:
              key: application.namespaces
              name: argocd-cmd-params-cm
              optional: true
-        image: quay.io/argoproj/argocd:v2.6.14
+        image: quay.io/argoproj/argocd:v2.6.15
        imagePullPolicy: Always
        name: argocd-application-controller
        ports:
--- a/notification_controller/controller/controller.go
+++ b/notification_controller/controller/controller.go
@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"time"

+	"github.com/argoproj/argo-cd/v2/util/glob"
+
 	"github.com/argoproj/argo-cd/v2/util/notification/k8s"

 	service "github.com/argoproj/argo-cd/v2/util/notification/argocd"
@@ -52,14 +54,21 @@ func NewController(
 	client dynamic.Interface,
 	argocdService service.Service,
 	namespace string,
+	applicationNamespaces []string,
 	appLabelSelector string,
 	registry *controller.MetricsRegistry,
 	secretName string,
 	configMapName string,
 ) *notificationController {
-	appClient := client.Resource(applications)
-	appInformer := newInformer(appClient.Namespace(namespace), appLabelSelector)
-	appProjInformer := newInformer(newAppProjClient(client, namespace), "")
+	var appClient dynamic.ResourceInterface
+	namespaceableAppClient := client.Resource(applications)
+	appClient = namespaceableAppClient
+	if len(applicationNamespaces) == 0 {
+		appClient = namespaceableAppClient.Namespace(namespace)
+	}
+
+	appInformer := newInformer(appClient, namespace, applicationNamespaces, appLabelSelector)
+	appProjInformer := newInformer(newAppProjClient(client, namespace), namespace, []string{namespace}, "")
 	secretInformer := k8s.NewSecretInformer(k8sClient, namespace, secretName)
 	configMapInformer := k8s.NewConfigMapInformer(k8sClient, namespace, configMapName)
 	apiFactory := api.NewFactory(settings.GetFactorySettings(argocdService, secretName, configMapName), namespace, secretInformer, configMapInformer)
@@ -70,12 +79,15 @@ func NewController(
 		appInformer:       appInformer,
 		appProjInformer:   appProjInformer,
 		apiFactory:        apiFactory}
-	res.ctrl = controller.NewController(appClient, appInformer, apiFactory,
+	res.ctrl = controller.NewController(namespaceableAppClient, appInformer, apiFactory,
 		controller.WithSkipProcessing(func(obj v1.Object) (bool, string) {
 			app, ok := (obj).(*unstructured.Unstructured)
 			if !ok {
 				return false, ""
 			}
+			if checkAppNotInAdditionalNamespaces(app, namespace, applicationNamespaces) {
+				return true, "app is not in one of the application-namespaces, nor the notification controller namespace"
+			}
 			return !isAppSyncStatusRefreshed(app, log.WithField("app", obj.GetName())), "sync status out of date"
 		}),
 		controller.WithMetricsRegistry(registry),
@@ -83,6 +95,11 @@ func NewController(
 	return res
 }

+// Check if app is not in the namespace where the controller is in, and also app is not in one of the applicationNamespaces
+func checkAppNotInAdditionalNamespaces(app *unstructured.Unstructured, namespace string, applicationNamespaces []string) bool {
+	return namespace != app.GetNamespace() && !glob.MatchStringInList(applicationNamespaces, app.GetNamespace(), false)
+}
+
 func (c *notificationController) alterDestinations(obj v1.Object, destinations services.Destinations, cfg api.Config) services.Destinations {
 	app, ok := (obj).(*unstructured.Unstructured)
 	if !ok {
@@ -96,21 +113,38 @@ func (c *notificationController) alterDestinations(obj v1.Object, destinations s
 	return destinations
 }

-func newInformer(resClient dynamic.ResourceInterface, selector string) cache.SharedIndexInformer {
+func newInformer(resClient dynamic.ResourceInterface, controllerNamespace string, applicationNamespaces []string, selector string) cache.SharedIndexInformer {
 	informer := cache.NewSharedIndexInformer(
 		&cache.ListWatch{
-			ListFunc: func(options v1.ListOptions) (object runtime.Object, err error) {
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				// We are only interested in apps that exist in namespaces the
+				// user wants to be enabled.
 				options.LabelSelector = selector
-				return resClient.List(context.Background(), options)
+				appList, err := resClient.List(context.TODO(), options)
+				if err != nil {
+					return nil, fmt.Errorf("failed to list applications: %w", err)
+				}
+				newItems := []unstructured.Unstructured{}
+				for _, res := range appList.Items {
+					if controllerNamespace == res.GetNamespace() || glob.MatchStringInList(applicationNamespaces, res.GetNamespace(), false) {
+						newItems = append(newItems, res)
+					}
+				}
+				appList.Items = newItems
+				return appList, nil
 			},
 			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
 				options.LabelSelector = selector
-				return resClient.Watch(context.Background(), options)
+				return resClient.Watch(context.TODO(), options)
 			},
 		},
 		&unstructured.Unstructured{},
 		resyncPeriod,
-		cache.Indexers{},
+		cache.Indexers{
+			cache.NamespaceIndex: func(obj interface{}) ([]string, error) {
+				return cache.MetaNamespaceIndexFunc(obj)
+			},
+		},
 	)
 	return informer
 }
--- a/notification_controller/controller/controller_test.go
+++ b/notification_controller/controller/controller_test.go
@@ -0,0 +1,32 @@
+package controller
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func TestCheckAppNotInAdditionalNamespaces(t *testing.T) {
+	app := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"spec": map[string]interface{}{},
+		},
+	}
+	namespace := "argocd"
+	var applicationNamespaces []string
+	applicationNamespaces = append(applicationNamespaces, "namespace1")
+	applicationNamespaces = append(applicationNamespaces, "namespace2")
+
+	// app is in same namespace as controller's namespace
+	app.SetNamespace(namespace)
+	assert.False(t, checkAppNotInAdditionalNamespaces(app, namespace, applicationNamespaces))
+
+	// app is not in the namespace as controller's namespace, but it is in one of the applicationNamespaces
+	app.SetNamespace("namespace2")
+	assert.False(t, checkAppNotInAdditionalNamespaces(app, "", applicationNamespaces))
+
+	// app is not in the namespace as controller's namespace, and it is not in any of the applicationNamespaces
+	app.SetNamespace("namespace3")
+	assert.True(t, checkAppNotInAdditionalNamespaces(app, "", applicationNamespaces))
+}
--- a/reposerver/repository/repository.go
+++ b/reposerver/repository/repository.go
@@ -109,6 +109,8 @@ type RepoServerInitConstants struct {
 	AllowOutOfBoundsSymlinks                     bool
 	StreamedManifestMaxExtractedSize             int64
 	StreamedManifestMaxTarSize                   int64
+	HelmManifestMaxExtractedSize                 int64
+	DisableHelmManifestMaxExtractedSize          bool
 }

 // NewService returns a new instance of the Manifest service
@@ -348,7 +350,7 @@ func (s *Service) runRepoOperation(
 		if source.Helm != nil {
 			helmPassCredentials = source.Helm.PassCredentials
 		}
-		chartPath, closer, err := helmClient.ExtractChart(source.Chart, revision, helmPassCredentials)
+		chartPath, closer, err := helmClient.ExtractChart(source.Chart, revision, helmPassCredentials, s.initConstants.HelmManifestMaxExtractedSize, s.initConstants.DisableHelmManifestMaxExtractedSize)
 		if err != nil {
 			return err
 		}
@@ -402,9 +404,15 @@ func (s *Service) runRepoOperation(
 			}
 		}

-		commitSHA, err := gitClient.CommitSHA()
-		if err != nil {
-			return err
+		var commitSHA string
+		if hasMultipleSources {
+			commitSHA = revision
+		} else {
+			commit, err := gitClient.CommitSHA()
+			if err != nil {
+				return fmt.Errorf("failed to get commit SHA: %w", err)
+			}
+			commitSHA = commit
 		}

 		// double-check locking
--- a/reposerver/repository/repository_test.go
+++ b/reposerver/repository/repository_test.go
@@ -1825,6 +1825,44 @@ func TestGenerateManifestWithAnnotatedAndRegularGitTagHashes(t *testing.T) {
 	}
 }

+func TestGenerateManifestWithAnnotatedTagsAndMultiSourceApp(t *testing.T) {
+	annotatedGitTaghash := "95249be61b028d566c29d47b19e65c5603388a41"
+
+	service := newServiceWithCommitSHA(".", annotatedGitTaghash)
+
+	refSources := map[string]*argoappv1.RefTarget{}
+
+	refSources["$global"] = &argoappv1.RefTarget{
+		TargetRevision: annotatedGitTaghash,
+	}
+
+	refSources["$default"] = &argoappv1.RefTarget{
+		TargetRevision: annotatedGitTaghash,
+	}
+
+	manifestRequest := &apiclient.ManifestRequest{
+		Repo: &argoappv1.Repository{},
+		ApplicationSource: &argoappv1.ApplicationSource{
+			TargetRevision: annotatedGitTaghash,
+			Helm: &argoappv1.ApplicationSourceHelm{
+				ValueFiles: []string{"$global/values.yaml", "$default/secrets.yaml"},
+			},
+		},
+		HasMultipleSources: true,
+		NoCache:            true,
+		RefSources:         refSources,
+	}
+
+	response, err := service.GenerateManifest(context.Background(), manifestRequest)
+	if err != nil {
+		t.Errorf("unexpected %s", err)
+	}
+
+	if response.Revision != annotatedGitTaghash {
+		t.Errorf("returned SHA %s is different from expected annotated tag %s", response.Revision, annotatedGitTaghash)
+	}
+}
+
 func TestFindResources(t *testing.T) {
 	testCases := []struct {
 		name          string
--- a/resource_customizations/flink.apache.org/FlinkDeployment/health.lua
+++ b/resource_customizations/flink.apache.org/FlinkDeployment/health.lua
@@ -1,7 +1,7 @@
 health_status = {}

 if obj.status ~= nil and obj.status.reconciliationStatus ~= nil then
-  if obj.status.reconciliationStatus.success then
+  if obj.status.reconciliationStatus.success or obj.status.reconciliationStatus.state == "DEPLOYED" then
    health_status.status = "Healthy"
    return health_status
  end 
--- a/resource_customizations/flink.apache.org/FlinkDeployment/health_test.yaml
+++ b/resource_customizations/flink.apache.org/FlinkDeployment/health_test.yaml
@@ -1,10 +1,16 @@
 tests:
 - healthStatus:
    status: Healthy
-  inputPath: testdata/healthy_running.yaml
+  inputPath: testdata/healthy_running_v0.1.x.yaml
 - healthStatus:
    status: Healthy
-  inputPath: testdata/healthy_suspended.yaml
+  inputPath: testdata/healthy_running_v1.x.yaml
+- healthStatus:
+    status: Healthy
+  inputPath: testdata/healthy_suspended_v0.1.x.yaml
+- healthStatus:
+    status: Healthy
+  inputPath: testdata/healthy_suspended_v1.x.yaml
 - healthStatus:
    status: Progressing
    message: Waiting for deploying
--- a/resource_customizations/flink.apache.org/FlinkDeployment/testdata/healthy_running_v0.1.x.yaml
+++ b/resource_customizations/flink.apache.org/FlinkDeployment/testdata/healthy_running_v0.1.x.yaml
--- a/resource_customizations/flink.apache.org/FlinkDeployment/testdata/healthy_running_v1.x.yaml
+++ b/resource_customizations/flink.apache.org/FlinkDeployment/testdata/healthy_running_v1.x.yaml
@@ -0,0 +1,11 @@
+apiVersion: flink.apache.org/v1alpha1
+kind: FlinkDeployment
+spec:
+  job:
+    state: running
+status:
+  jobManagerDeploymentStatus: READY
+  jobStatus:
+    state: RUNNING
+  reconciliationStatus:
+    state: DEPLOYED
--- a/resource_customizations/flink.apache.org/FlinkDeployment/testdata/healthy_suspended_v0.1.x.yaml
+++ b/resource_customizations/flink.apache.org/FlinkDeployment/testdata/healthy_suspended_v0.1.x.yaml
--- a/resource_customizations/flink.apache.org/FlinkDeployment/testdata/healthy_suspended_v1.x.yaml
+++ b/resource_customizations/flink.apache.org/FlinkDeployment/testdata/healthy_suspended_v1.x.yaml
@@ -0,0 +1,11 @@
+apiVersion: flink.apache.org/v1alpha1
+kind: FlinkDeployment
+spec:
+  job:
+    state: suspended
+status:
+  jobManagerDeploymentStatus: MISSING
+  jobStatus:
+    state: SUSPENDED
+  reconciliationStatus:
+    state: DEPLOYED
--- a/server/application/application.go
+++ b/server/application/application.go
@@ -1325,9 +1325,10 @@ func (s *Server) WatchResourceTree(q *application.ResourcesQuery, ws application
 		return err
 	}

-	return s.cache.OnAppResourcesTreeChanged(ws.Context(), q.GetApplicationName(), func() error {
+	cacheKey := argo.AppInstanceName(q.GetApplicationName(), q.GetAppNamespace(), s.ns)
+	return s.cache.OnAppResourcesTreeChanged(ws.Context(), cacheKey, func() error {
 		var tree appv1.ApplicationTree
-		err := s.cache.GetAppResourcesTree(q.GetApplicationName(), &tree)
+		err := s.cache.GetAppResourcesTree(cacheKey, &tree)
 		if err != nil {
 			return fmt.Errorf("error getting app resource tree: %w", err)
 		}
--- a/test/container/Dockerfile
+++ b/test/container/Dockerfile
@@ -7,7 +7,7 @@ RUN ln -s /usr/lib/$(uname -m)-linux-gnu /usr/lib/linux-gnu

 FROM docker.io/library/node:12.18.4-buster as node

-FROM docker.io/library/golang:1.18 as golang
+FROM docker.io/library/golang:1.20.10@sha256:077ff85b374b23916b4b41835e242e5a3ddad9fc537ea7e980f230431747d245 as golang

 FROM docker.io/library/registry:2.8 as registry

--- a/test/remote/Dockerfile
+++ b/test/remote/Dockerfile
@@ -1,6 +1,6 @@
 ARG BASE_IMAGE=docker.io/library/ubuntu:22.04

-FROM golang:1.18 AS go
+FROM docker.io/library/golang:1.20.10@sha256:077ff85b374b23916b4b41835e242e5a3ddad9fc537ea7e980f230431747d245 AS go

 RUN go install github.com/mattn/goreman@latest && \
    go install github.com/kisielk/godepgraph@latest
--- a/util/argo/resource_tracking.go
+++ b/util/argo/resource_tracking.go
@@ -154,7 +154,7 @@ func (rt *resourceTracking) BuildAppInstanceValue(value AppInstanceValue) string
 //ParseAppInstanceValue parse resource tracking id from format <application-name>:<group>/<kind>:<namespace>/<name> to struct
 func (rt *resourceTracking) ParseAppInstanceValue(value string) (*AppInstanceValue, error) {
 	var appInstanceValue AppInstanceValue
-	parts := strings.Split(value, ":")
+	parts := strings.SplitN(value, ":", 3)
 	appInstanceValue.ApplicationName = parts[0]
 	if len(parts) != 3 {
 		return nil, WrongResourceTrackingFormat
--- a/util/argo/resource_tracking_test.go
+++ b/util/argo/resource_tracking_test.go
@@ -89,6 +89,19 @@ func TestParseAppInstanceValue(t *testing.T) {
 	assert.Equal(t, appInstanceValue.Name, "<name>")
 }

+func TestParseAppInstanceValueColon(t *testing.T) {
+	resourceTracking := NewResourceTracking()
+	appInstanceValue, err := resourceTracking.ParseAppInstanceValue("app:<group>/<kind>:<namespace>/<name>:<colon>")
+	if !assert.NoError(t, err) {
+		t.Fatal()
+	}
+	assert.Equal(t, appInstanceValue.ApplicationName, "app")
+	assert.Equal(t, appInstanceValue.Group, "<group>")
+	assert.Equal(t, appInstanceValue.Kind, "<kind>")
+	assert.Equal(t, appInstanceValue.Namespace, "<namespace>")
+	assert.Equal(t, appInstanceValue.Name, "<name>:<colon>")
+}
+
 func TestParseAppInstanceValueWrongFormat1(t *testing.T) {
 	resourceTracking := NewResourceTracking()
 	_, err := resourceTracking.ParseAppInstanceValue("app")
--- a/util/db/cluster.go
+++ b/util/db/cluster.go
@@ -345,6 +345,9 @@ func clusterToSecret(c *appv1.Cluster, secret *apiv1.Secret) error {
 	secret.Data = data

 	secret.Labels = c.Labels
+	if c.Annotations != nil && c.Annotations[apiv1.LastAppliedConfigAnnotation] != "" {
+		return status.Errorf(codes.InvalidArgument, "annotation %s cannot be set", apiv1.LastAppliedConfigAnnotation)
+	}
 	secret.Annotations = c.Annotations

 	if secret.Annotations == nil {
@@ -403,6 +406,8 @@ func SecretToCluster(s *apiv1.Secret) (*appv1.Cluster, error) {
 	annotations := map[string]string{}
 	if s.Annotations != nil {
 		annotations = collections.CopyStringMap(s.Annotations)
+		// delete system annotations
+		delete(annotations, apiv1.LastAppliedConfigAnnotation)
 		delete(annotations, common.AnnotationKeyManagedBy)
 	}

--- a/util/db/cluster_test.go
+++ b/util/db/cluster_test.go
@@ -7,6 +7,8 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes/fake"
@@ -56,6 +58,24 @@ func Test_secretToCluster(t *testing.T) {
 	})
 }

+func Test_secretToCluster_LastAppliedConfigurationDropped(t *testing.T) {
+	secret := &v1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        "mycluster",
+			Namespace:   fakeNamespace,
+			Annotations: map[string]string{v1.LastAppliedConfigAnnotation: "val2"},
+		},
+		Data: map[string][]byte{
+			"name":   []byte("test"),
+			"server": []byte("http://mycluster"),
+			"config": []byte("{\"username\":\"foo\"}"),
+		},
+	}
+	cluster, err := SecretToCluster(secret)
+	require.NoError(t, err)
+	assert.Len(t, cluster.Annotations, 0)
+}
+
 func TestClusterToSecret(t *testing.T) {
 	cluster := &appv1.Cluster{
 		Server:      "server",
@@ -78,6 +98,21 @@ func TestClusterToSecret(t *testing.T) {
 	assert.Equal(t, cluster.Labels, s.Labels)
 }

+func TestClusterToSecret_LastAppliedConfigurationRejected(t *testing.T) {
+	cluster := &appv1.Cluster{
+		Server:      "server",
+		Annotations: map[string]string{v1.LastAppliedConfigAnnotation: "val2"},
+		Name:        "test",
+		Config:      v1alpha1.ClusterConfig{},
+		Project:     "project",
+		Namespaces:  []string{"default"},
+	}
+	s := &v1.Secret{}
+	err := clusterToSecret(cluster, s)
+	require.Error(t, err)
+	require.Equal(t, codes.InvalidArgument, status.Code(err))
+}
+
 func Test_secretToCluster_NoConfig(t *testing.T) {
 	secret := &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
--- a/util/helm/client.go
+++ b/util/helm/client.go
@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	executil "github.com/argoproj/argo-cd/v2/util/exec"
 	"io"
 	"net/http"
 	"net/url"
@@ -23,7 +24,6 @@ import (

 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/util/cache"
-	executil "github.com/argoproj/argo-cd/v2/util/exec"
 	argoio "github.com/argoproj/argo-cd/v2/util/io"
 	"github.com/argoproj/argo-cd/v2/util/io/files"
 	"github.com/argoproj/argo-cd/v2/util/proxy"
@@ -51,7 +51,7 @@ type indexCache interface {

 type Client interface {
 	CleanChartCache(chart string, version string) error
-	ExtractChart(chart string, version string, passCredentials bool) (string, argoio.Closer, error)
+	ExtractChart(chart string, version string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, argoio.Closer, error)
 	GetIndex(noCache bool) (*Index, error)
 	GetTags(chart string, noCache bool) (*TagsList, error)
 	TestHelmOCI() (bool, error)
@@ -121,7 +121,21 @@ func (c *nativeHelmChart) CleanChartCache(chart string, version string) error {
 	return os.RemoveAll(cachePath)
 }

-func (c *nativeHelmChart) ExtractChart(chart string, version string, passCredentials bool) (string, argoio.Closer, error) {
+func untarChart(tempDir string, cachedChartPath string, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) error {
+	if disableManifestMaxExtractedSize {
+		cmd := exec.Command("tar", "-zxvf", cachedChartPath)
+		cmd.Dir = tempDir
+		_, err := executil.Run(cmd)
+		return err
+	}
+	reader, err := os.Open(cachedChartPath)
+	if err != nil {
+		return err
+	}
+	return files.Untgz(tempDir, reader, manifestMaxExtractedSize)
+}
+
+func (c *nativeHelmChart) ExtractChart(chart string, version string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, argoio.Closer, error) {
 	// always use Helm V3 since we don't have chart content to determine correct Helm version
 	helmCmd, err := NewCmdWithVersion("", HelmV3, c.enableOci, c.proxy)

@@ -195,15 +209,14 @@ func (c *nativeHelmChart) ExtractChart(chart string, version string, passCredent
 		if len(infos) != 1 {
 			return "", nil, fmt.Errorf("expected 1 file, found %v", len(infos))
 		}
+
 		err = os.Rename(filepath.Join(tempDest, infos[0].Name()), cachedChartPath)
 		if err != nil {
 			return "", nil, err
 		}
 	}

-	cmd := exec.Command("tar", "-zxvf", cachedChartPath)
-	cmd.Dir = tempDir
-	_, err = executil.Run(cmd)
+	err = untarChart(tempDir, cachedChartPath, manifestMaxExtractedSize, disableManifestMaxExtractedSize)
 	if err != nil {
 		_ = os.RemoveAll(tempDir)
 		return "", nil, err
@@ -301,8 +314,8 @@ func (c *nativeHelmChart) loadRepoIndex() ([]byte, error) {
 	}

 	tr := &http.Transport{
-		Proxy:           proxy.GetCallback(c.proxy),
-		TLSClientConfig: tlsConf,
+		Proxy:             proxy.GetCallback(c.proxy),
+		TLSClientConfig:   tlsConf,
 		DisableKeepAlives: true,
 	}
 	client := http.Client{Transport: tr}
@@ -470,8 +483,8 @@ func (c *nativeHelmChart) getTagsFromUrl(tagsURL string) ([]byte, string, error)
 	}

 	tr := &http.Transport{
-		Proxy:           proxy.GetCallback(c.proxy),
-		TLSClientConfig: tlsConf,
+		Proxy:             proxy.GetCallback(c.proxy),
+		TLSClientConfig:   tlsConf,
 		DisableKeepAlives: true,
 	}
 	client := http.Client{Transport: tr}
--- a/util/helm/client_test.go
+++ b/util/helm/client_test.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"math"
 	"os"
 	"strings"
 	"testing"
@@ -72,7 +73,7 @@ func TestIndex(t *testing.T) {

 func Test_nativeHelmChart_ExtractChart(t *testing.T) {
 	client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "")
-	path, closer, err := client.ExtractChart("argo-cd", "0.7.1", false)
+	path, closer, err := client.ExtractChart("argo-cd", "0.7.1", false, math.MaxInt64, true)
 	assert.NoError(t, err)
 	defer io.Close(closer)
 	info, err := os.Stat(path)
@@ -80,9 +81,15 @@ func Test_nativeHelmChart_ExtractChart(t *testing.T) {
 	assert.True(t, info.IsDir())
 }

+func Test_nativeHelmChart_ExtractChartWithLimiter(t *testing.T) {
+	client := NewClient("https://argoproj.github.io/argo-helm", Creds{}, false, "")
+	_, _, err := client.ExtractChart("argo-cd", "0.7.1", false, 100, false)
+	assert.Error(t, err, "error while iterating on tar reader: unexpected EOF")
+}
+
 func Test_nativeHelmChart_ExtractChart_insecure(t *testing.T) {
 	client := NewClient("https://argoproj.github.io/argo-helm", Creds{InsecureSkipVerify: true}, false, "")
-	path, closer, err := client.ExtractChart("argo-cd", "0.7.1", false)
+	path, closer, err := client.ExtractChart("argo-cd", "0.7.1", false, math.MaxInt64, true)
 	assert.NoError(t, err)
 	defer io.Close(closer)
 	info, err := os.Stat(path)
--- a/util/helm/cmd.go
+++ b/util/helm/cmd.go
@@ -7,6 +7,7 @@ import (
 	"path"
 	"path/filepath"
 	"regexp"
+	"strings"

 	log "github.com/sirupsen/logrus"

@@ -264,6 +265,10 @@ var (
 )

 func cleanSetParameters(val string) string {
+	// `{}` equal helm list parameters format, so don't escape `,`.
+	if strings.HasPrefix(val, `{`) && strings.HasSuffix(val, `}`) {
+		return val
+	}
 	return re.ReplaceAllString(val, `$1\,`)
 }

--- a/util/helm/helm_test.go
+++ b/util/helm/helm_test.go
@@ -165,6 +165,7 @@ func TestHelmArgCleaner(t *testing.T) {
 		`bar`:        `bar`,
 		`not, clean`: `not\, clean`,
 		`a\,b,c`:     `a\,b\,c`,
+		`{a,b,c}`:    `{a,b,c}`,
 	} {
 		cleaned := cleanSetParameters(input)
 		assert.Equal(t, expected, cleaned)
--- a/util/helm/mocks/Client.go
+++ b/util/helm/mocks/Client.go
@@ -29,7 +29,7 @@ func (_m *Client) CleanChartCache(chart string, version string) error {
 }

 // ExtractChart provides a mock function with given fields: chart, version
-func (_m *Client) ExtractChart(chart string, version string, passCredentials bool) (string, io.Closer, error) {
+func (_m *Client) ExtractChart(chart string, version string, passCredentials bool, manifestMaxExtractedSize int64, disableManifestMaxExtractedSize bool) (string, io.Closer, error) {
 	ret := _m.Called(chart, version)

 	var r0 string
Author	SHA1	Message	Date
gcp-cherry-pick-bot[bot]	3f170be710	fix: Updated docs about using a slash in ignoreDifferences (#15144 ) (#15170 ) Signed-off-by: Christian Hernandez <christian@chernand.io> Co-authored-by: Christian Hernandez <christianh814@users.noreply.github.com>	2023-11-14 10:59:57 -05:00
Shyukri Shyukriev	63f0cbbe65	chore: Upgrade Redis to redis:7.0.14 (#16164 ) (#16220 ) * chore: Upgrade Redis to redis:7.0.14 (#16164) Fixes https://github.com/argoproj/argo-cd/issues/15448 Signed-off-by: Shyukri Shyukriev <shukera@gmail.com> Co-authored-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com> (cherry picked from commit `570c24e38e`) Signed-off-by: Shyukri Shyukriev <shukera@gmail.com> * chore: Redis HA securityContext Signed-off-by: Shyukri Shyukriev <shukera@gmail.com> --------- Signed-off-by: Shyukri Shyukriev <shukera@gmail.com> Co-authored-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com>	2023-11-02 15:31:19 -04:00
May Zhang	8b88abd951	fix: argocd notification controller app cluster permission issue (#16057 ) (#16166 ) * if applicationNamespaces is not provided as input parameter, then use namespaced appClient * fix go lint error --------- Signed-off-by: May Zhang <may_zhang@intuit.com>	2023-10-31 10:10:50 -04:00
Michael Crenshaw	394211c425	fix(notifications): Allow notifications controller to notify on all namespaces (cherry-pick 2.6) (#15857 ) * fix(notifications): Allow notifications controller to notify on all namespaces (#15702) * Allow notifications controller to notify on all namespaces This adds functionality to the notifications controller to be notified of and send notifications for applications in any namespace. The namespaces to watch are controlled by the same --application-namespaces and ARGOCD_APPLICATION_NAMESPACES variables as in the application controller. Signed-off-by: Nikolas Skoufis <nskoufis@seek.com.au> * Add SEEK to users.md Signed-off-by: Nikolas Skoufis <nskoufis@seek.com.au> * Remove unused fields Signed-off-by: Nikolas Skoufis <nskoufis@seek.com.au> * Revert changes to Procfile Signed-off-by: Nik Skoufis <n.skoufis@gmail.com> * Fix unit tests Signed-off-by: Nikolas Skoufis <nskoufis@seek.com.au> * - add argocd namespaces environment variable to notifications controller Signed-off-by: Stewart Thomson <sthomson@wynshop.com> * - add example cluster role rbac Signed-off-by: Stewart Thomson <sthomson@wynshop.com> * - only look for projects in the controller's namespace (argocd by default) Signed-off-by: Stewart Thomson <sthomson@wynshop.com> * - update base manifest Signed-off-by: Stewart Thomson <sthomson@wynshop.com> * - skip app processing in notification controller Signed-off-by: Stewart Thomson <sthomson@wynshop.com> * added unit test and updated doc Signed-off-by: May Zhang <may_zhang@intuit.com> * added unit test and updated doc Signed-off-by: May Zhang <may_zhang@intuit.com> * updated examples/k8s-rbac/argocd-server-applications/kustomization.yaml's resources Signed-off-by: May Zhang <may_zhang@intuit.com> --------- Signed-off-by: Nikolas Skoufis <nskoufis@seek.com.au> Signed-off-by: Nik Skoufis <n.skoufis@gmail.com> Signed-off-by: Stewart Thomson <sthomson@wynshop.com> Signed-off-by: May Zhang <may_zhang@intuit.com> Co-authored-by: Nikolas Skoufis <nskoufis@seek.com.au> Co-authored-by: Nik Skoufis <n.skoufis@gmail.com> Co-authored-by: Stewart Thomson <sthomson@wynshop.com> undo unnecessary manifest changes Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> undo unnecessary manifest changes Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> * revert unnecessary changes Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> --------- Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Co-authored-by: May Zhang <may_zhang@intuit.com>	2023-10-26 11:33:04 -04:00
Abhishek Veeramalla	348d45cc6a	chore(deps): upgrade Go version to 1.20 (#16105 ) Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>	2023-10-25 13:14:20 -04:00
gcp-cherry-pick-bot[bot]	975f78a126	fix: helm set parameter to allow passing list parameters (#15978 ) (#15996 ) Signed-off-by: kkk777-7 <kota.kimura0725@gmail.com> Co-authored-by: Kota Kimura <86363983+kkk777-7@users.noreply.github.com>	2023-10-16 16:48:01 -04:00
gcp-cherry-pick-bot[bot]	4bf8e7fa66	docs: 'action' RBAC example for Kind without group (#15589 ) (#15599 ) Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>	2023-09-20 11:14:38 -04:00
gcp-cherry-pick-bot[bot]	869e722af2	fix(#12862 ): Update FlinkDeployment health check to support Flink v1.x (#15065 ) (#15560 ) Signed-off-by: Dylan Slavin <dylan@sla.vin> Co-authored-by: Dylan Slavin <dylan@sla.vin>	2023-09-19 09:06:17 -04:00
gcp-cherry-pick-bot[bot]	38fbe0225a	fix(repo-server): avoid fetching commit sha for multisource applications (#15037 ) (#15067 ) (#15557 ) * Rebase Signed-off-by: ozlevka-work <lev@ozeryansky.com> * Remove test file Signed-off-by: ozlevka-work <lev@ozeryansky.com> * Go linter fmt Signed-off-by: ozlevka-work <lev@ozeryansky.com> * Additional linter fmt Signed-off-by: ozlevka-work <lev@ozeryansky.com> * Add unit test for changes Signed-off-by: Lev <lozeryan@akami.com> * Update reposerver/repository/repository.go * Trigger CI --------- Signed-off-by: Lev <lozeryan@akami.com> Signed-off-by: Lev <lev@ozeryansky.com> Signed-off-by: Lev Ozeryansky <lozeryan@akamai.com> Co-authored-by: Lev Ozeryansky <lozeryan@akamai.com> Co-authored-by: Lev <lozeryan@akami.com> Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>	2023-09-19 09:05:24 -04:00
gcp-cherry-pick-bot[bot]	e274c3ab93	docs: Fix docs for destinations in AppProjects (#15153 ) (#15182 ) (#15540 ) Signed-off-by: Andreas Lindhé <andreas@lindhe.io> Co-authored-by: Andreas Lindhé <lindhe@users.noreply.github.com>	2023-09-18 09:13:24 -04:00
gcp-cherry-pick-bot[bot]	b763d194f4	fix: make WatchResourceTree use namespaced cache key (#15258 ) (#15524 ) * fix: make WatchResourceTree use namespaced application cache key * chore: add PGS to USERS.md --------- Signed-off-by: Torbjørn Fjørtoft <torbjorn.fjortoft@pgs.com> Co-authored-by: Torbjørn Fjørtoft <torbjorn.fjortoft@gmail.com>	2023-09-15 12:00:06 -04:00
gcp-cherry-pick-bot[bot]	8152092918	fix: handle annotations for resources with ':' in the name (#15101 ) (#15380 ) (#15412 ) * fix: handle annotations for resources with ':' in the name * fix: switch to using splitN for handling annotation splitting * fix: check len(parts) !=3 * Retrigger CI pipeline --------- Signed-off-by: Oreon Lothamer <oreon.lothamer@softrams.com> Co-authored-by: Oreon Lothamer <73498677+oreonl@users.noreply.github.com>	2023-09-08 13:55:01 -04:00
argo-bot	2f7922be9c	Bump version to 2.6.15	2023-09-07 17:39:13 +00:00
argo-bot	f30a20a116	Bump version to 2.6.15	2023-09-07 17:38:54 +00:00
Alexander Matyushentsev	3b50226e76	Merge pull request from GHSA-fwr2-64vr-xv9m * fix: prevent seeing/editing 'kubectl.kubernetes.io/last-applied-configuration' cluster annotation Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> * fix: failing unit test Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com> * fix: issues with codegen Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com> --------- Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com> Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com> Co-authored-by: iam-veeramalla <abhishek.veeramalla@gmail.com>	2023-09-07 10:14:57 -04:00
pasha-codefresh	0c6cfa306d	Merge pull request from GHSA-g687-f2gx-6wm8 * feat: use untar with limiter Signed-off-by: pashakostohrys <pavel@codefresh.io> * feat: use untar with limiter Signed-off-by: pashakostohrys <pavel@codefresh.io> * feat: use untar with limiter Signed-off-by: pashakostohrys <pavel@codefresh.io> * feat: use untar with limiter Signed-off-by: pashakostohrys <pavel@codefresh.io> --------- Signed-off-by: pashakostohrys <pavel@codefresh.io>	2023-09-07 10:12:15 -04:00
gcp-cherry-pick-bot[bot]	1fb3d3fb11	chore: add example jq path expression (#15130 ) (#15211 ) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>	2023-08-29 12:44:26 -04:00
gcp-cherry-pick-bot[bot]	d9ce38f357	docs: document sourceNamespaces field (#15195 ) (#15214 ) Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com> Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>	2023-08-29 12:43:54 -04:00
@@ -1 +1 @@
 .6.14
 .6.15