Bump version to 2.6.4

Signed-off-by: Noah Krause <krausenoah@gmail.com>
Co-authored-by: Noah Krause <krausenoah@gmail.com>

.github/workflows/ci-build.yaml

@@ -51,7 +51,7 @@ jobs:
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -116,7 +116,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -183,7 +183,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -269,7 +269,7 @@ jobs:
           node-version: '12.18.4'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -304,7 +304,7 @@ jobs:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -398,7 +398,7 @@ jobs:
           sudo chown runner $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
+        uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -426,7 +426,7 @@ jobs:
         run: |
           docker pull ghcr.io/dexidp/dex:v2.35.3
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.7-alpine
+          docker pull redis:7.0.8-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist

.github/workflows/image.yaml

@@ -54,7 +54,7 @@ jobs:
 
       # build
       - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@15c905b16b06416d2086efa066dd8e3a35cc7f98 # v2.4.0
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
       - run: |
           IMAGE_PLATFORMS=linux/amd64
           if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
@@ -69,12 +69,12 @@ jobs:
 
       # sign container images
       - name: Install cosign
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
         with:
           cosign-release: 'v1.13.1'
 
       - name: Install crane to get digest of image
-        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
 
       - name: Get digest of image
         run: |

.github/workflows/release.yaml

@@ -205,7 +205,7 @@ jobs:
         if: ${{ env.DRY_RUN != 'true' }}
 
       - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@15c905b16b06416d2086efa066dd8e3a35cc7f98 # v2.4.0
+      - uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
       - name: Build and push Docker image for release
         run: |
           set -ue
@@ -219,12 +219,12 @@ jobs:
         if: ${{ env.DRY_RUN != 'true' }}
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
+        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v3.0.1
         with:
           cosign-release: 'v1.13.1'
 
       - name: Install crane to get digest of image
-        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
+        uses: imjasonh/setup-crane@00c9e93efa4e1138c9a7a5c594acd6c75a2fbf0c
 
       - name: Get digest of image
         run: |

USERS.md

@@ -107,6 +107,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [imaware](https://imaware.health)
 1. [Indeed](https://indeed.com)
 1. [Index Exchange](https://www.indexexchange.com/)
+1. [Info Support](https://www.infosupport.com/)
 1. [InsideBoard](https://www.insideboard.com)
 1. [Intuit](https://www.intuit.com/)
 1. [Joblift](https://joblift.com/)

VERSION

@@ -1 +1 @@
-2.6.2
+2.6.4

applicationset/controllers/requeue_after_test.go

@@ -0,0 +1,179 @@
+package controllers
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/argoproj/argo-cd/v2/applicationset/generators"
+	argov1alpha1 "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	dynfake "k8s.io/client-go/dynamic/fake"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func TestRequeueAfter(t *testing.T) {
+	mockServer := argoCDServiceMock{}
+	ctx := context.Background()
+	scheme := runtime.NewScheme()
+	err := argov1alpha1.AddToScheme(scheme)
+	assert.Nil(t, err)
+	gvrToListKind := map[schema.GroupVersionResource]string{{
+		Group:    "mallard.io",
+		Version:  "v1",
+		Resource: "ducks",
+	}: "DuckList"}
+	appClientset := kubefake.NewSimpleClientset()
+	k8sClient := fake.NewClientBuilder().Build()
+	duckType := &unstructured.Unstructured{
+		Object: map[string]interface{}{
+			"apiVersion": "v2quack",
+			"kind":       "Duck",
+			"metadata": map[string]interface{}{
+				"name":      "mightyduck",
+				"namespace": "namespace",
+				"labels":    map[string]interface{}{"duck": "all-species"},
+			},
+			"status": map[string]interface{}{
+				"decisions": []interface{}{
+					map[string]interface{}{
+						"clusterName": "staging-01",
+					},
+					map[string]interface{}{
+						"clusterName": "production-01",
+					},
+				},
+			},
+		},
+	}
+	fakeDynClient := dynfake.NewSimpleDynamicClientWithCustomListKinds(runtime.NewScheme(), gvrToListKind, duckType)
+
+	terminalGenerators := map[string]generators.Generator{
+		"List":                    generators.NewListGenerator(),
+		"Clusters":                generators.NewClusterGenerator(k8sClient, ctx, appClientset, "argocd"),
+		"Git":                     generators.NewGitGenerator(mockServer),
+		"SCMProvider":             generators.NewSCMProviderGenerator(fake.NewClientBuilder().WithObjects(&corev1.Secret{}).Build(), generators.SCMAuthProviders{}),
+		"ClusterDecisionResource": generators.NewDuckTypeGenerator(ctx, fakeDynClient, appClientset, "argocd"),
+		"PullRequest":             generators.NewPullRequestGenerator(k8sClient, generators.SCMAuthProviders{}),
+	}
+
+	nestedGenerators := map[string]generators.Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Matrix":                  generators.NewMatrixGenerator(terminalGenerators),
+		"Merge":                   generators.NewMergeGenerator(terminalGenerators),
+	}
+
+	topLevelGenerators := map[string]generators.Generator{
+		"List":                    terminalGenerators["List"],
+		"Clusters":                terminalGenerators["Clusters"],
+		"Git":                     terminalGenerators["Git"],
+		"SCMProvider":             terminalGenerators["SCMProvider"],
+		"ClusterDecisionResource": terminalGenerators["ClusterDecisionResource"],
+		"PullRequest":             terminalGenerators["PullRequest"],
+		"Matrix":                  generators.NewMatrixGenerator(nestedGenerators),
+		"Merge":                   generators.NewMergeGenerator(nestedGenerators),
+	}
+
+	client := fake.NewClientBuilder().WithScheme(scheme).Build()
+	r := ApplicationSetReconciler{
+		Client:     client,
+		Scheme:     scheme,
+		Recorder:   record.NewFakeRecorder(0),
+		Generators: topLevelGenerators,
+	}
+
+	type args struct {
+		appset *argov1alpha1.ApplicationSet
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    time.Duration
+		wantErr assert.ErrorAssertionFunc
+	}{
+		{name: "Cluster", args: args{appset: &argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{{Clusters: &argov1alpha1.ClusterGenerator{}}},
+			},
+		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+		{name: "ClusterMergeNested", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Merge: &argov1alpha1.MergeGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		{name: "ClusterMatrixNested", args: args{&argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{
+					{Clusters: &argov1alpha1.ClusterGenerator{}},
+					{Matrix: &argov1alpha1.MatrixGenerator{
+						Generators: []argov1alpha1.ApplicationSetNestedGenerator{
+							{
+								Clusters: &argov1alpha1.ClusterGenerator{},
+								Git:      &argov1alpha1.GitGenerator{},
+							},
+						},
+					}},
+				},
+			},
+		}}, want: generators.DefaultRequeueAfterSeconds, wantErr: assert.NoError},
+		{name: "ListGenerator", args: args{appset: &argov1alpha1.ApplicationSet{
+			Spec: argov1alpha1.ApplicationSetSpec{
+				Generators: []argov1alpha1.ApplicationSetGenerator{{List: &argov1alpha1.ListGenerator{}}},
+			},
+		}}, want: generators.NoRequeueAfter, wantErr: assert.NoError},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equalf(t, tt.want, r.getMinRequeueAfter(tt.args.appset), "getMinRequeueAfter(%v)", tt.args.appset)
+		})
+	}
+}
+
+type argoCDServiceMock struct {
+	mock *mock.Mock
+}
+
+func (a argoCDServiceMock) GetApps(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+
+	return args.Get(0).([]string), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFiles(ctx context.Context, repoURL string, revision string, pattern string) (map[string][]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, pattern)
+
+	return args.Get(0).(map[string][]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetFileContent(ctx context.Context, repoURL string, revision string, path string) ([]byte, error) {
+	args := a.mock.Called(ctx, repoURL, revision, path)
+
+	return args.Get(0).([]byte), args.Error(1)
+}
+
+func (a argoCDServiceMock) GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error) {
+	args := a.mock.Called(ctx, repoURL, revision)
+	return args.Get(0).([]string), args.Error(1)
+}

applicationset/generators/cluster.go

@@ -51,6 +51,8 @@ func NewClusterGenerator(c client.Client, ctx context.Context, clientset kuberne
 	return g
 }
 
+// GetRequeueAfter never requeue the cluster generator because the `clusterSecretEventHandler` will requeue the appsets
+// when the cluster secrets change
 func (g *ClusterGenerator) GetRequeueAfter(appSetGenerator *argoappsetv1alpha1.ApplicationSetGenerator) time.Duration {
 	return NoRequeueAfter
 }

applicationset/generators/matrix.go

@@ -80,28 +80,13 @@ func (m *MatrixGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha1.App
 }
 
 func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet, params map[string]interface{}) ([]map[string]interface{}, error) {
-	var matrix *argoprojiov1alpha1.MatrixGenerator
-	if appSetBaseGenerator.Matrix != nil {
-		// Since nested matrix generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
-		if err != nil {
-			return nil, fmt.Errorf("unable to unmarshall nested matrix generator: %v", err)
-		}
-		if nestedMatrix != nil {
-			matrix = nestedMatrix.ToMatrixGenerator()
-		}
+	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
-
-	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
-	if appSetBaseGenerator.Merge != nil {
-		// Since nested merge generator is represented as a JSON object in the CRD, we unmarshall it back to a Go struct here.
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
-		if err != nil {
-			return nil, fmt.Errorf("unable to unmarshall nested merge generator: %v", err)
-		}
-		if nestedMerge != nil {
-			mergeGenerator = nestedMerge.ToMergeGenerator()
-		}
+	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
 
 	t, err := Transform(
@@ -112,8 +97,8 @@ func (m *MatrixGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Appli
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrix,
-			Merge:                   mergeGenerator,
+			Matrix:                  matrixGen,
+			Merge:                   mergeGen,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -143,11 +128,15 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 	var found bool
 
 	for _, r := range appSetGenerator.Matrix.Generators {
+		matrixGen, _ := getMatrixGenerator(r)
+		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
 			List:        r.List,
 			Clusters:    r.Clusters,
 			Git:         r.Git,
 			PullRequest: r.PullRequest,
+			Matrix:      matrixGen,
+			Merge:       mergeGen,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)
 
@@ -168,6 +157,17 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 
 }
 
+func getMatrixGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MatrixGenerator, error) {
+	if r.Matrix == nil {
+		return nil, nil
+	}
+	matrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(r.Matrix)
+	if err != nil {
+		return nil, err
+	}
+	return matrix.ToMatrixGenerator(), nil
+}
+
 func (m *MatrixGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Matrix.Template
 }

applicationset/generators/merge.go

@@ -137,27 +137,13 @@ func getParamSetsByMergeKey(mergeKeys []string, paramSets []map[string]interface
 
 // getParams get the parameters generated by this generator.
 func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.ApplicationSetNestedGenerator, appSet *argoprojiov1alpha1.ApplicationSet) ([]map[string]interface{}, error) {
-
-	var matrix *argoprojiov1alpha1.MatrixGenerator
-	if appSetBaseGenerator.Matrix != nil {
-		nestedMatrix, err := argoprojiov1alpha1.ToNestedMatrixGenerator(appSetBaseGenerator.Matrix)
-		if err != nil {
-			return nil, err
-		}
-		if nestedMatrix != nil {
-			matrix = nestedMatrix.ToMatrixGenerator()
-		}
+	matrixGen, err := getMatrixGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
-
-	var mergeGenerator *argoprojiov1alpha1.MergeGenerator
-	if appSetBaseGenerator.Merge != nil {
-		nestedMerge, err := argoprojiov1alpha1.ToNestedMergeGenerator(appSetBaseGenerator.Merge)
-		if err != nil {
-			return nil, err
-		}
-		if nestedMerge != nil {
-			mergeGenerator = nestedMerge.ToMergeGenerator()
-		}
+	mergeGen, err := getMergeGenerator(appSetBaseGenerator)
+	if err != nil {
+		return nil, err
 	}
 
 	t, err := Transform(
@@ -168,8 +154,8 @@ func (m *MergeGenerator) getParams(appSetBaseGenerator argoprojiov1alpha1.Applic
 			SCMProvider:             appSetBaseGenerator.SCMProvider,
 			ClusterDecisionResource: appSetBaseGenerator.ClusterDecisionResource,
 			PullRequest:             appSetBaseGenerator.PullRequest,
-			Matrix:                  matrix,
-			Merge:                   mergeGenerator,
+			Matrix:                  matrixGen,
+			Merge:                   mergeGen,
 			Selector:                appSetBaseGenerator.Selector,
 		},
 		m.supportedGenerators,
@@ -197,10 +183,15 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 	var found bool
 
 	for _, r := range appSetGenerator.Merge.Generators {
+		matrixGen, _ := getMatrixGenerator(r)
+		mergeGen, _ := getMergeGenerator(r)
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:     r.List,
-			Clusters: r.Clusters,
-			Git:      r.Git,
+			List:        r.List,
+			Clusters:    r.Clusters,
+			Git:         r.Git,
+			PullRequest: r.PullRequest,
+			Matrix:      matrixGen,
+			Merge:       mergeGen,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)
 
@@ -221,6 +212,17 @@ func (m *MergeGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.App
 
 }
 
+func getMergeGenerator(r argoprojiov1alpha1.ApplicationSetNestedGenerator) (*argoprojiov1alpha1.MergeGenerator, error) {
+	if r.Merge == nil {
+		return nil, nil
+	}
+	merge, err := argoprojiov1alpha1.ToNestedMergeGenerator(r.Merge)
+	if err != nil {
+		return nil, err
+	}
+	return merge.ToMergeGenerator(), nil
+}
+
 // GetTemplate gets the Template field for the MergeGenerator.
 func (m *MergeGenerator) GetTemplate(appSetGenerator *argoprojiov1alpha1.ApplicationSetGenerator) *argoprojiov1alpha1.ApplicationSetTemplate {
 	return &appSetGenerator.Merge.Template

cmd/argocd/commands/applicationset.go

@@ -343,16 +343,19 @@ func printAppSetSummaryTable(appSet *arogappsetv1.ApplicationSet) {
 	fmt.Printf(printOpFmtStr, "Path:", source.Path)
 	printAppSourceDetails(&source)
 
-	var syncPolicy string
-	if appSet.Spec.SyncPolicy != nil && appSet.Spec.Template.Spec.SyncPolicy.Automated != nil {
-		syncPolicy = "Automated"
-		if appSet.Spec.Template.Spec.SyncPolicy.Automated.Prune {
-			syncPolicy += " (Prune)"
+	var (
+		syncPolicyStr string
+		syncPolicy = appSet.Spec.Template.Spec.SyncPolicy
+	)
+	if syncPolicy != nil && syncPolicy.Automated != nil {
+		syncPolicyStr = "Automated"
+		if syncPolicy.Automated.Prune {
+			syncPolicyStr += " (Prune)"
 		}
 	} else {
-		syncPolicy = "<none>"
+		syncPolicyStr = "<none>"
 	}
-	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicy)
+	fmt.Printf(printOpFmtStr, "SyncPolicy:", syncPolicyStr)
 
 }
 

cmd/argocd/commands/applicationset_test.go

@@ -1,6 +1,8 @@
 package commands
 
 import (
+	"io/ioutil"
+	"os"
 	"testing"
 
 	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
@@ -68,3 +70,124 @@ func TestPrintApplicationSetTable(t *testing.T) {
 	expectation := "NAME      NAMESPACE  PROJECT  SYNCPOLICY  CONDITIONS\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\napp-name             default  nil         [{ResourcesUpToDate  <nil> True }]\n"
 	assert.Equal(t, expectation, output)
 }
+
+func TestPrintAppSetSummaryTable(t *testing.T) {
+	baseAppSet := &arogappsetv1.ApplicationSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "app-name",
+		},
+		Spec: arogappsetv1.ApplicationSetSpec{
+			Generators: []arogappsetv1.ApplicationSetGenerator{
+				arogappsetv1.ApplicationSetGenerator{
+					Git: &arogappsetv1.GitGenerator{
+						RepoURL:  "https://github.com/argoproj/argo-cd.git",
+						Revision: "head",
+						Directories: []arogappsetv1.GitDirectoryGeneratorItem{
+							arogappsetv1.GitDirectoryGeneratorItem{
+								Path: "applicationset/examples/git-generator-directory/cluster-addons/*",
+							},
+						},
+					},
+				},
+			},
+			Template: arogappsetv1.ApplicationSetTemplate{
+				Spec: v1alpha1.ApplicationSpec{
+					Project: "default",
+				},
+			},
+		},
+		Status: arogappsetv1.ApplicationSetStatus{
+			Conditions: []arogappsetv1.ApplicationSetCondition{
+				arogappsetv1.ApplicationSetCondition{
+					Status: v1alpha1.ApplicationSetConditionStatusTrue,
+					Type:   arogappsetv1.ApplicationSetConditionResourcesUpToDate,
+				},
+			},
+		},
+	}
+
+	appsetSpecSyncPolicy := baseAppSet.DeepCopy()
+	appsetSpecSyncPolicy.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
+		PreserveResourcesOnDeletion: true,
+	}
+
+	appSetTemplateSpecSyncPolicy := baseAppSet.DeepCopy()
+	appSetTemplateSpecSyncPolicy.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
+		Automated: &arogappsetv1.SyncPolicyAutomated{
+			SelfHeal: true,
+		},
+	}
+
+	appSetBothSyncPolicies := baseAppSet.DeepCopy()
+	appSetBothSyncPolicies.Spec.SyncPolicy = &arogappsetv1.ApplicationSetSyncPolicy{
+		PreserveResourcesOnDeletion: true,
+	}
+	appSetBothSyncPolicies.Spec.Template.Spec.SyncPolicy = &arogappsetv1.SyncPolicy{
+		Automated: &arogappsetv1.SyncPolicyAutomated{
+			SelfHeal: true,
+		},
+	}
+
+	for _, tt := range []struct {
+		name           string
+		appSet         *arogappsetv1.ApplicationSet
+		expectedOutput string
+	}{
+		{
+			name:   "appset with only spec.syncPolicy set",
+			appSet: appsetSpecSyncPolicy,
+			expectedOutput: `Name:               app-name
+Project:            default
+Server:             
+Namespace:          
+Repo:               
+Target:             
+Path:               
+SyncPolicy:         <none>
+`,
+		},
+		{
+			name:   "appset with only spec.template.spec.syncPolicy set",
+			appSet: appSetTemplateSpecSyncPolicy,
+			expectedOutput: `Name:               app-name
+Project:            default
+Server:             
+Namespace:          
+Repo:               
+Target:             
+Path:               
+SyncPolicy:         Automated
+`,
+		},
+		{
+			name:   "appset with both spec.SyncPolicy and spec.template.spec.syncPolicy set",
+			appSet: appSetBothSyncPolicies,
+			expectedOutput: `Name:               app-name
+Project:            default
+Server:             
+Namespace:          
+Repo:               
+Target:             
+Path:               
+SyncPolicy:         Automated
+`,
+		},
+	} {
+		t.Run(tt.name, func(t *testing.T) {
+			oldStdout := os.Stdout
+			defer func() {
+				os.Stdout = oldStdout
+			}()
+
+			r, w, _ := os.Pipe()
+			os.Stdout = w
+
+			printAppSetSummaryTable(tt.appSet)
+			w.Close()
+
+			out, err := ioutil.ReadAll(r)
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expectedOutput, string(out))
+		})
+	}
+}

controller/appcontroller.go

@@ -1469,6 +1469,13 @@ func resourceStatusKey(res appv1.ResourceStatus) string {
 	return strings.Join([]string{res.Group, res.Kind, res.Namespace, res.Name}, "/")
 }
 
+func currentSourceEqualsSyncedSource(app *appv1.Application) bool {
+	if app.Spec.HasMultipleSources() {
+		return app.Spec.Sources.Equals(app.Status.Sync.ComparedTo.Sources)
+	}
+	return app.Spec.Source.Equals(app.Status.Sync.ComparedTo.Source)
+}
+
 // needRefreshAppStatus answers if application status needs to be refreshed.
 // Returns true if application never been compared, has changed or comparison result has expired.
 // Additionally returns whether full refresh was requested or not.
@@ -1487,14 +1494,12 @@ func (ctrl *ApplicationController) needRefreshAppStatus(app *appv1.Application,
 		refreshType = requestedType
 		reason = fmt.Sprintf("%s refresh requested", refreshType)
 	} else {
-		if app.Spec.HasMultipleSources() {
-			if (len(app.Spec.Sources) != len(app.Status.Sync.ComparedTo.Sources)) || !reflect.DeepEqual(app.Spec.Sources, app.Status.Sync.ComparedTo.Sources) {
-				reason = "atleast one of the spec.sources differs"
-				compareWith = CompareWithLatestForceResolve
-			}
-		} else if !app.Spec.Source.Equals(app.Status.Sync.ComparedTo.Source) {
+		if !currentSourceEqualsSyncedSource(app) {
 			reason = "spec.source differs"
 			compareWith = CompareWithLatestForceResolve
+			if app.Spec.HasMultipleSources() {
+				reason = "at least one of the spec.sources differs"
+			}
 		} else if hardExpired || softExpired {
 			// The commented line below mysteriously crashes if app.Status.ReconciledAt is nil
 			// reason = fmt.Sprintf("comparison expired. reconciledAt: %v, expiry: %v", app.Status.ReconciledAt, statusRefreshTimeout)

controller/appcontroller_test.go

@@ -209,6 +209,55 @@ status:
         repoURL: https://github.com/argoproj/argocd-example-apps.git
 `
 
+var fakeMultiSourceApp = `
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  uid: "123"
+  name: my-app
+  namespace: ` + test.FakeArgoCDNamespace + `
+spec:
+  destination:
+    namespace: ` + test.FakeDestNamespace + `
+    server: https://localhost:6443
+  project: default
+  sources:
+  - path: some/path
+    repoURL: https://github.com/argoproj/argocd-example-apps.git
+  - path: some/other/path
+    repoURL: https://github.com/argoproj/argocd-example-apps-fake.git
+  syncPolicy:
+    automated: {}
+status:
+  operationState:
+    finishedAt: 2018-09-21T23:50:29Z
+    message: successfully synced
+    operation:
+      sync:
+        revisions:
+        - HEAD
+        - HEAD
+    phase: Succeeded
+    startedAt: 2018-09-21T23:50:25Z
+    syncResult:
+      resources:
+      - kind: RoleBinding
+        message: |-
+          rolebinding.rbac.authorization.k8s.io/always-outofsync reconciled
+          rolebinding.rbac.authorization.k8s.io/always-outofsync configured
+        name: always-outofsync
+        namespace: default
+        status: Synced
+      revisions: 
+      - aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+      - bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
+      sources:
+      - path: some/path
+        repoURL: https://github.com/argoproj/argocd-example-apps.git
+      - path: some/other/path
+        repoURL: https://github.com/argoproj/argocd-example-apps-fake.git
+`
+
 var fakeAppWithDestName = `
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -263,6 +312,10 @@ func newFakeApp() *argoappv1.Application {
 	return createFakeApp(fakeApp)
 }
 
+func newFakeMultiSourceApp() *argoappv1.Application {
+	return createFakeApp(fakeMultiSourceApp)
+}
+
 func newFakeAppWithDestMismatch() *argoappv1.Application {
 	return createFakeApp(fakeAppWithDestMismatch)
 }
@@ -857,101 +910,133 @@ func TestSetOperationStateOnDeletedApp(t *testing.T) {
 }
 
 func TestNeedRefreshAppStatus(t *testing.T) {
-	ctrl := newFakeController(&fakeData{apps: []runtime.Object{}})
-
-	app := newFakeApp()
-	now := metav1.Now()
-	app.Status.ReconciledAt = &now
-	app.Status.Sync = argoappv1.SyncStatus{
-		Status: argoappv1.SyncStatusCodeSynced,
-		ComparedTo: argoappv1.ComparedTo{
-			Source:      app.Spec.GetSource(),
-			Destination: app.Spec.Destination,
+	testCases := []struct {
+		name string
+		app  *argoappv1.Application
+	}{
+		{
+			name: "single-source app",
+			app:  newFakeApp(),
+		},
+		{
+			name: "multi-source app",
+			app:  newFakeMultiSourceApp(),
 		},
 	}
 
-	// no need to refresh just reconciled application
-	needRefresh, _, _ := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-	assert.False(t, needRefresh)
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			ctrl := newFakeController(&fakeData{apps: []runtime.Object{}})
+			app := tc.app
+			now := metav1.Now()
+			app.Status.ReconciledAt = &now
 
-	// refresh app using the 'deepest' requested comparison level
-	ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
-	ctrl.requestAppRefresh(app.Name, ComparisonWithNothing.Pointer(), nil)
+			app.Status.Sync = argoappv1.SyncStatus{
+				Status: argoappv1.SyncStatusCodeSynced,
+				ComparedTo: argoappv1.ComparedTo{
+					Destination: app.Spec.Destination,
+				},
+			}
 
-	needRefresh, refreshType, compareWith := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-	assert.True(t, needRefresh)
-	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-	assert.Equal(t, CompareWithRecent, compareWith)
+			if app.Spec.HasMultipleSources() {
+				app.Status.Sync.ComparedTo.Sources = app.Spec.Sources
+			} else {
+				app.Status.Sync.ComparedTo.Source = app.Spec.GetSource()
+			}
 
-	// refresh application which status is not reconciled using latest commit
-	app.Status.Sync = argoappv1.SyncStatus{Status: argoappv1.SyncStatusCodeUnknown}
+			// no need to refresh just reconciled application
+			needRefresh, _, _ := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+			assert.False(t, needRefresh)
 
-	needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-	assert.True(t, needRefresh)
-	assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-	assert.Equal(t, CompareWithLatestForceResolve, compareWith)
+			// refresh app using the 'deepest' requested comparison level
+			ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
+			ctrl.requestAppRefresh(app.Name, ComparisonWithNothing.Pointer(), nil)
 
-	{
-		// refresh app using the 'latest' level if comparison expired
-		app := app.DeepCopy()
-		ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
-		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
-		app.Status.ReconciledAt = &reconciledAt
-		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Minute, 2*time.Hour)
-		assert.True(t, needRefresh)
-		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-		assert.Equal(t, CompareWithLatestForceResolve, compareWith)
-	}
+			needRefresh, refreshType, compareWith := ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+			assert.True(t, needRefresh)
+			assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+			assert.Equal(t, CompareWithRecent, compareWith)
 
-	{
-		// refresh app using the 'latest' level if comparison expired for hard refresh
-		app := app.DeepCopy()
-		app.Status.Sync = argoappv1.SyncStatus{
-			Status: argoappv1.SyncStatusCodeSynced,
-			ComparedTo: argoappv1.ComparedTo{
-				Source:      app.Spec.GetSource(),
-				Destination: app.Spec.Destination,
-			},
-		}
-		ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
-		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
-		app.Status.ReconciledAt = &reconciledAt
-		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 2*time.Hour, 1*time.Minute)
-		assert.True(t, needRefresh)
-		assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
-		assert.Equal(t, CompareWithLatest, compareWith)
-	}
+			// refresh application which status is not reconciled using latest commit
+			app.Status.Sync = argoappv1.SyncStatus{Status: argoappv1.SyncStatusCodeUnknown}
 
-	{
-		app := app.DeepCopy()
-		// execute hard refresh if app has refresh annotation
-		reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
-		app.Status.ReconciledAt = &reconciledAt
-		app.Annotations = map[string]string{
-			v1alpha1.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
-		}
-		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-		assert.True(t, needRefresh)
-		assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
-		assert.Equal(t, CompareWithLatestForceResolve, compareWith)
-	}
+			needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+			assert.True(t, needRefresh)
+			assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+			assert.Equal(t, CompareWithLatestForceResolve, compareWith)
 
-	{
-		app := app.DeepCopy()
-		// ensure that CompareWithLatest level is used if application source has changed
-		ctrl.requestAppRefresh(app.Name, ComparisonWithNothing.Pointer(), nil)
-		// sample app source change
-		app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{
-			Parameters: []argoappv1.HelmParameter{{
-				Name:  "foo",
-				Value: "bar",
-			}},
-		}
+			t.Run("refresh app using the 'latest' level if comparison expired", func(t *testing.T) {
+				app := app.DeepCopy()
+				ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
+				reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+				app.Status.ReconciledAt = &reconciledAt
+				needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Minute, 2*time.Hour)
+				assert.True(t, needRefresh)
+				assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+				assert.Equal(t, CompareWithLatestForceResolve, compareWith)
+			})
 
-		needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
-		assert.True(t, needRefresh)
-		assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
-		assert.Equal(t, CompareWithLatestForceResolve, compareWith)
+			t.Run("refresh app using the 'latest' level if comparison expired for hard refresh", func(t *testing.T) {
+				app := app.DeepCopy()
+				app.Status.Sync = argoappv1.SyncStatus{
+					Status: argoappv1.SyncStatusCodeSynced,
+					ComparedTo: argoappv1.ComparedTo{
+						Destination: app.Spec.Destination,
+					},
+				}
+				if app.Spec.HasMultipleSources() {
+					app.Status.Sync.ComparedTo.Sources = app.Spec.Sources
+				} else {
+					app.Status.Sync.ComparedTo.Source = app.Spec.GetSource()
+				}
+				ctrl.requestAppRefresh(app.Name, CompareWithRecent.Pointer(), nil)
+				reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+				app.Status.ReconciledAt = &reconciledAt
+				needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 2*time.Hour, 1*time.Minute)
+				assert.True(t, needRefresh)
+				assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
+				assert.Equal(t, CompareWithLatest, compareWith)
+			})
+
+			t.Run("execute hard refresh if app has refresh annotation", func(t *testing.T) {
+				app := app.DeepCopy()
+				reconciledAt := metav1.NewTime(time.Now().UTC().Add(-1 * time.Hour))
+				app.Status.ReconciledAt = &reconciledAt
+				app.Annotations = map[string]string{
+					v1alpha1.AnnotationKeyRefresh: string(argoappv1.RefreshTypeHard),
+				}
+				needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+				assert.True(t, needRefresh)
+				assert.Equal(t, argoappv1.RefreshTypeHard, refreshType)
+				assert.Equal(t, CompareWithLatestForceResolve, compareWith)
+			})
+
+			t.Run("ensure that CompareWithLatest level is used if application source has changed", func(t *testing.T) {
+				app := app.DeepCopy()
+				ctrl.requestAppRefresh(app.Name, ComparisonWithNothing.Pointer(), nil)
+				// sample app source change
+				if app.Spec.HasMultipleSources() {
+					app.Spec.Sources[0].Helm = &argoappv1.ApplicationSourceHelm{
+						Parameters: []argoappv1.HelmParameter{{
+							Name:  "foo",
+							Value: "bar",
+						}},
+					}
+				} else {
+					app.Spec.Source.Helm = &argoappv1.ApplicationSourceHelm{
+						Parameters: []argoappv1.HelmParameter{{
+							Name:  "foo",
+							Value: "bar",
+						}},
+					}
+				}
+
+				needRefresh, refreshType, compareWith = ctrl.needRefreshAppStatus(app, 1*time.Hour, 2*time.Hour)
+				assert.True(t, needRefresh)
+				assert.Equal(t, argoappv1.RefreshTypeNormal, refreshType)
+				assert.Equal(t, CompareWithLatestForceResolve, compareWith)
+			})
+		})
 	}
 }
 

controller/cache/cache.go

@@ -25,6 +25,7 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/watch"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/cache"
 
 	"github.com/argoproj/argo-cd/v2/controller/metrics"
@@ -394,6 +395,20 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		return nil, fmt.Errorf("error getting custom label: %w", err)
 	}
 
+	clusterCacheConfig := cluster.RESTConfig()
+	// Controller dynamically fetches all resource types available on the cluster
+	// using a discovery API that may contain deprecated APIs.
+	// This causes log flooding when managing a large number of clusters.
+	// https://github.com/argoproj/argo-cd/issues/11973
+	// However, we can safely suppress deprecation warnings
+	// because we do not rely on resources with a particular API group or version.
+	// https://kubernetes.io/blog/2020/09/03/warnings/#customize-client-handling
+	//
+	// Completely suppress warning logs only for log levels that are less than Debug.
+	if log.GetLevel() < log.DebugLevel {
+		clusterCacheConfig.WarningHandler = rest.NoWarnings{}
+	}
+
 	clusterCacheOpts := []clustercache.UpdateSettingsFunc{
 		clustercache.SetListSemaphore(semaphore.NewWeighted(clusterCacheListSemaphoreSize)),
 		clustercache.SetListPageSize(clusterCacheListPageSize),
@@ -425,7 +440,7 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetRetryOptions(clusterCacheAttemptLimit, clusterCacheRetryUseBackoff, isRetryableError),
 	}
 
-	clusterCache = clustercache.NewClusterCache(cluster.RESTConfig(), clusterCacheOpts...)
+	clusterCache = clustercache.NewClusterCache(clusterCacheConfig, clusterCacheOpts...)
 
 	_ = clusterCache.OnResourceUpdated(func(newRes *clustercache.Resource, oldRes *clustercache.Resource, namespaceResources map[kube.ResourceKey]*clustercache.Resource) {
 		toNotify := make(map[string]bool)

controller/state.go

@@ -471,7 +471,7 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		failedToLoadObjs = true
 	}
 
-	logCtx.Debugf("Retrieved lived manifests")
+	logCtx.Debugf("Retrieved live manifests")
 
 	// filter out all resources which are not permitted in the application project
 	for k, v := range liveObjByKey {

docs/developer-guide/debugging-remote-environment.md

@@ -28,7 +28,7 @@ telepresence intercept argocd-server --port 8080:http --env-file .envrc.remote #
 * `--port` forwards traffic of remote port http to 8080 locally (use `--port 8080:https` if argocd-server terminates TLS)
 * `--env-file` writes all the environment variables of the remote pod into a local file, the variables are also set on the subprocess of the `--run` command
 
-With this, any traffic that hits your argocd-server service in the cluster (e.g through a LB / ingress) will be forwarded to your laptop on port 8080. So that you can now start argocd-server locally to debug or test new code. If you launch argocd-server using the environment variables in `.envrc.remote`, he is able to fetch all the configmaps, secrets and so one from the cluster and transparently connect to the other microservices so that no further configuration should be neccesary and he behaves exactly the same as in the cluster.
+With this, any traffic that hits your argocd-server service in the cluster (e.g. through a LB / ingress) will be forwarded to your laptop on port 8080. So that you can now start argocd-server locally to debug or test new code. If you launch argocd-server using the environment variables in `.envrc.remote`, it is able to fetch all the configmaps, secrets and so on from the cluster and transparently connect to the other microservices so that no further configuration should be necessary, and it behaves exactly the same as in the cluster.
 
 List current status of Telepresence using:
 ```shell

docs/faq.md

@@ -122,9 +122,9 @@ To terminate the sync, click on the "synchronisation" then "terminate":
 
 ![Synchronization](assets/synchronization-button.png) ![Terminate](assets/terminate-button.png)
 
-## Why Is My App Out Of Sync Even After Syncing?
+## Why Is My App `Out Of Sync` Even After Syncing?
 
-Is some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
+In some cases, the tool you use may conflict with Argo CD by adding the `app.kubernetes.io/instance` label. E.g. using
 Kustomize common labels feature.
 
 Argo CD automatically sets the `app.kubernetes.io/instance` label and uses it to determine which resources form the app.
@@ -142,7 +142,7 @@ The default polling interval is 3 minutes (180 seconds).
 You can change the setting by updating the `timeout.reconciliation` value in the [argocd-cm](https://github.com/argoproj/argo-cd/blob/2d6ce088acd4fb29271ffb6f6023dbb27594d59b/docs/operator-manual/argocd-cm.yaml#L279-L282) config map. If there are any Git changes, ArgoCD will only update applications with the [auto-sync setting](user-guide/auto_sync.md) enabled. If you set it to `0` then Argo CD will stop polling Git repositories automatically and you can only use alternative methods such as [webhooks](operator-manual/webhook.md) and/or manual syncs for deploying applications.
 
 
-## Why Are My Resource Limits Out Of Sync?
+## Why Are My Resource Limits `Out Of Sync`?
 
 Kubernetes has normalized your resource limits when they are applied, and then Argo CD has then compared the version in
 your generated manifests to the normalized one is Kubernetes - they won't match.
@@ -157,7 +157,7 @@ E.g.
 To fix this use diffing
 customizations [settings](./user-guide/diffing.md#known-kubernetes-types-in-crds-resource-limits-volume-mounts-etc).
 
-## How Do I Fix "invalid cookie, longer than max length 4093"?
+## How Do I Fix `invalid cookie, longer than max length 4093`?
 
 Argo CD uses a JWT as the auth token. You likely are part of many groups and have gone over the 4KB limit which is set
 for cookies. You can get the list of groups by opening "developer tools -> network"
@@ -224,4 +224,38 @@ resource.customizations.health.bitnami.com_SealedSecret: |
   hs.status = "Healthy"
   hs.message = "Controller doesn't report resource status"
   return hs
-```
+```
+
+## How do I fix `The order in patch list … doesn't match $setElementOrder list: …`?
+
+An application may trigger a sync error labeled a `ComparisonError` with a message like:
+
+> The order in patch list: [map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]] doesn't match $setElementOrder list: [map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]]
+
+
+There are two parts to the message:
+
+1. `The order in patch list: [`
+
+    This identifies values for items, especially items that appear multiple times:
+
+    > map[name:**KEY_BC** value:150] map[name:**KEY_BC** value:500] map[name:**KEY_BD** value:250] map[name:**KEY_BD** value:500] map[name:KEY_BI value:something]
+
+    You'll want to identify the keys that are duplicated -- you can focus on the first part, as each duplicated key will appear, once for each of its value with its value in the first list. The second list is really just 
+
+   `]`
+
+2. `doesn't match $setElementOrder list: [`
+
+    This includes all of the keys. It's included for debugging purposes -- you don't need to pay much attention to it. It will give you a hint about the precise location in the list for the duplicated keys:
+
+    > map[name:KEY_AA] map[name:KEY_AB] map[name:KEY_AC] map[name:KEY_AD] map[name:KEY_AE] map[name:KEY_AF] map[name:KEY_AG] map[name:KEY_AH] map[name:KEY_AI] map[name:KEY_AJ] map[name:KEY_AK] map[name:KEY_AL] map[name:KEY_AM] map[name:KEY_AN] map[name:KEY_AO] map[name:KEY_AP] map[name:KEY_AQ] map[name:KEY_AR] map[name:KEY_AS] map[name:KEY_AT] map[name:KEY_AU] map[name:KEY_AV] map[name:KEY_AW] map[name:KEY_AX] map[name:KEY_AY] map[name:KEY_AZ] map[name:KEY_BA] map[name:KEY_BB] map[name:**KEY_BC**] map[name:**KEY_BD**] map[name:KEY_BE] map[name:KEY_BF] map[name:KEY_BG] map[name:KEY_BH] map[name:KEY_BI] map[name:**KEY_BC**] map[name:**KEY_BD**]
+   
+   `]`
+
+In this case, the duplicated keys have been **emphasized** to help you identify the problematic keys. Many editors have the ability to highlight all instances of a string, using such an editor can help with such problems.
+
+The most common instance of this error is with `env:` fields for `containers`.
+
+!!! note "Dynamic applications"
+    It's possible that your application is being generated by a tool in which case the duplication might not be evident within the scope of a single file. If you have trouble debugging this problem, consider filing a ticket to the owner of the generator tool asking them to improve its validation and error reporting.

docs/getting_started.md

@@ -81,7 +81,7 @@ in your Argo CD installation namespace. You can simply retrieve this password
 using the `argocd` CLI:
 
 ```bash
-argocd admin initial-password
+argocd admin initial-password -n argocd
 ```
 
 !!! warning

docs/operator-manual/app-any-namespace.md

@@ -24,7 +24,7 @@ This feature can only be enabled and used when your Argo CD is installed as a cl
 
 ### Switch resource tracking method
 
-Also, while technically not necessary, it is strongly suggested that you switch the application tracking method from the default `label` setting to either `annotation` or `annotation+label`. The reasonsing for this is, that application names will be a composite of the namespace's name and the name of the `Application`, and this can easily exceed the 63 characters length limit imposed on label values. Annotations have a notably greater length limit.
+Also, while technically not necessary, it is strongly suggested that you switch the application tracking method from the default `label` setting to either `annotation` or `annotation+label`. The reasoning for this is, that application names will be a composite of the namespace's name and the name of the `Application`, and this can easily exceed the 63 characters length limit imposed on label values. Annotations have a notably greater length limit.
 
 To enable annotation based resource tracking, refer to the documentation about [resource tracking methods](../../user-guide/resource_tracking/)
 

docs/operator-manual/application.yaml

@@ -114,9 +114,7 @@ spec:
 
     # plugin specific config
     plugin:
-      # NOTE: this field is deprecated in v2.5 and must be removed to use sidecar-based plugins.
-      # Only set the plugin name if the plugin is defined in argocd-cm.
-      # If the plugin is defined as a sidecar, omit the name. The plugin will be automatically matched with the
+      # If the plugin is defined as a sidecar and name is not passed, the plugin will be automatically matched with the
       # Application according to the plugin's discovery rules.
       name: mypluginname
       # environment variables passed to the plugin

docs/operator-manual/applicationset/Generators-Git.md

@@ -110,7 +110,7 @@ spec:
         server: https://kubernetes.default.svc
         namespace: '{{path.basename}}'
 ```
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/examples/applicationset/git-generator-directory/excludes).*)
+(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-directory/excludes).*)
 
 This example excludes the `exclude-helm-guestbook` directory from the list of directories scanned for this `ApplicationSet` resource.
 

docs/operator-manual/applicationset/Progressive-Syncs.md

@@ -34,7 +34,7 @@ When the ApplicationSet changes, the changes will be applied to each group of Ap
 * Application groups are selected using their labels and `matchExpressions`.
 * All `matchExpressions` must be true for an Application to be selected (multiple expressions match with AND behavior).
 * The `In` and `NotIn` operators must match at least one value to be considered true (OR behavior).
-* The `NotIn` operatorn has priority in the event that both a `NotIn` and `In` operator produce a match.
+* The `NotIn` operator has priority in the event that both a `NotIn` and `In` operator produce a match.
 * All Applications in each group must become Healthy before the ApplicationSet controller will proceed to update the next group of Applications.
 * The number of simultaneous Application updates in a group will not exceed its `maxUpdate` parameter (default is 100%, unbounded).
 * RollingSync will capture external changes outside the ApplicationSet resource, since it relies on watching the OutOfSync status of the managed Applications.

docs/operator-manual/declarative-setup.md

@@ -77,7 +77,7 @@ spec:
 ```
 
 !!! warning
-    By default, deleting an application will not perform a cascade delete, which would delete its resources. You must add the finalizer if you want this behaviour - which you may well not want.
+    Without the `resources-finalizer.argocd.argoproj.io` finalizer, deleting an application will not delete the resources it manages. To perform a cascading delete, you must add the finalizer. See [App Deletion](../user-guide/app_deletion.md#about-the-deletion-finalizer).
 
 ```yaml
 metadata:

docs/operator-manual/deep_links.md

@@ -19,7 +19,7 @@ The configuration for Deep Links is present in `argocd-cm` as `<location>.links`
 Each link in the list has five subfields :
 1. `title` : title/tag that will be displayed in the UI corresponding to that link
 2. `url` : the actual URL where the deep link will redirect to, this field can be templated to use data from the
-   corresponing application, project or resource objects (depending on where it is located). This uses [text/template](pkg.go.dev/text/template) pkg for templating
+   corresponding application, project or resource objects (depending on where it is located). This uses [text/template](pkg.go.dev/text/template) pkg for templating
 3. `description` (optional) : a description for what the deep link is about
 4. `icon.class` (optional) : a font-awesome icon class to be used when displaying the links in dropdown menus
 5. `if` (optional) : a conditional statement that results in either `true` or `false`, it also has access to the same
@@ -60,4 +60,4 @@ An example `argocd-cm.yaml` file with deep links and their variations :
     - url: https://mycompany.splunk.com?search={{.metadata.namespace}}
       title: Splunk
       if: kind == "Pod" || kind == "Deployment"
-```
+```

docs/operator-manual/health.md

@@ -5,7 +5,7 @@ Argo CD provides built-in health assessment for several standard Kubernetes type
 surfaced to the overall Application health status as a whole. The following checks are made for
 specific types of kubernetes resources:
 
-### Deployment, ReplicaSet, StatefulSet DaemonSet
+### Deployment, ReplicaSet, StatefulSet, DaemonSet
 * Observed generation is equal to desired generation.
 * Number of **updated** replicas equals the number of desired replicas.
 
@@ -114,12 +114,13 @@ In order to prevent duplication of the custom health check for potentially multi
 
 ```yaml
   resource.customizations: |
-    *.aws.crossplane.io/*:
+    "*.aws.crossplane.io/*":
       health.lua: | 
         ...
 ```
 
-
+!!!important
+    Please note the required quotes in the resource customization health section, if the wildcard starts with `*`.
 
 The `obj` is a global variable which contains the resource. The script must return an object with status and optional message field.
 The custom health check might return one of the following health statuses:

docs/operator-manual/high_availability.md

@@ -4,7 +4,7 @@ Argo CD is largely stateless, all data is persisted as Kubernetes objects, which
 
 A set of HA manifests are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
 
-[Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests) 
+[HA Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests#high-availability) 
 
 > **NOTE:** The HA installation will require at least three different nodes due to pod anti-affinity roles in the
 > specs. Additionally, IPv6 only clusters are not supported.
@@ -188,4 +188,4 @@ spec:
     targetRevision: HEAD
     path: my-application
 # ...
-```
+```

docs/operator-manual/installation.md

@@ -74,7 +74,7 @@ kind: Kustomization
 
 namespace: argocd
 resources:
-- https://raw.githubusercontent.com/argoproj/argo-cd/v2.0.4/manifests/ha/install.yaml
+- github.com/argoproj/argo-cd/manifests/ha?ref=v2.6.2
 ```
 
 ## Helm

docs/operator-manual/user-management/index.md

@@ -303,7 +303,7 @@ data:
     clientSecret: $oidc.okta.clientSecret
     
     # Optional list of allowed aud claims. If omitted or empty, defaults to the clientID value above (and the 
-    # cliCientID, if that is also specified). If you specify a list and want the clientID to be allowed, you must 
+    # cliClientID, if that is also specified). If you specify a list and want the clientID to be allowed, you must 
     # explicitly include it in the list.
     # Token verification will pass if any of the token's audiences matches any of the audiences in this list.
     allowedAudiences:

docs/operator-manual/user-management/keycloak.md

@@ -95,7 +95,7 @@ data:
 
 Make sure that:
 - __issuer__ ends with the correct realm (in this example _master_)
-- __issuer__ on Keycloak releases older than version 17 the URL must include /auth (in this expample /auth/realms/master)
+- __issuer__ on Keycloak releases older than version 17 the URL must include /auth (in this example /auth/realms/master)
 - __clientID__ is set to the Client ID you configured in Keycloak
 - __clientSecret__ points to the right key you created in the _argocd-secret_ Secret
 - __requestedScopes__ contains the _groups_ claim if you didn't add it to the Default scopes

docs/understand_the_basics.md

@@ -11,5 +11,6 @@ Before effectively using Argo CD, it is necessary to understand the underlying t
 * Depending on how you plan to template your applications:
     * [Kustomize](https://kustomize.io) 
     * [Helm](https://helm.sh)
-* If you're integrating with Jenkins:
-	* [Jenkins User Guide](https://jenkins.io)
+* If you're integrating with a CI tool:
+	* [GitHub Actions Documentation](https://docs.github.com/en/actions)
+	* [Jenkins User Guide](https://jenkins.io](https://www.jenkins.io/doc/book/)

docs/user-guide/app_deletion.md

@@ -24,9 +24,10 @@ argocd app delete APPNAME
 
 # Deletion Using `kubectl`
 
-To perform a non-cascade delete:
+To perform a non-cascade delete, make sure the finalizer is unset and then delete the app:
 
 ```bash
+kubectl patch app APPNAME  -p '{"metadata": {"finalizers": null}}' --type merge
 kubectl delete app APPNAME
 ```
 

docs/user-guide/helm.md

@@ -33,9 +33,11 @@ flag. The flag can be repeated to support multiple values files:
 argocd app set helm-guestbook --values values-production.yaml
 ```
 !!! note
-    Values files must be in the same git repository as the Helm chart. The files can be in a different
-    location in which case it can be accessed using a relative path relative to the root directory of
-    the Helm chart.
+    Before `v2.6` of Argo CD, Values files must be in the same git repository as the Helm
+    chart. The files can be in a different location in which case it can be accessed using
+    a relative path relative to the root directory of the Helm chart.
+    As of `v2.6`, values files can be sourced from a separate repository than the Helm chart
+    by taking advantage of [multiple sources for Applications](./multiple_sources.md#helm-value-files-from-external-git-repository).
 
 In the declarative syntax:
 

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.6.2
+  newTag: v2.6.4
 resources:
 - ./application-controller
 - ./dex

manifests/base/redis/argocd-redis-deployment.yaml

@@ -23,7 +23,7 @@ spec:
       serviceAccountName: argocd-redis        
       containers:
       - name: redis
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: Always
         args:
         - "--save"

manifests/core-install.yaml

@@ -15557,7 +15557,7 @@ spec:
               key: applicationsetcontroller.enable.progressive.syncs
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -15639,7 +15639,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -15821,7 +15821,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -15873,7 +15873,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -16080,7 +16080,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.6.2
+  newTag: v2.6.4

manifests/ha/base/kustomization.yaml

@@ -11,7 +11,7 @@ patchesStrategicMerge:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.6.2
+  newTag: v2.6.4
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/base/redis-ha/chart/upstream.yaml

@@ -1071,7 +1071,7 @@ spec:
               topologyKey: kubernetes.io/hostname
       initContainers:
       - name: config-init
-        image: haproxy:2.6.2-alpine
+        image: haproxy:2.6.9-alpine
         imagePullPolicy: IfNotPresent
         resources:
           {}
@@ -1089,7 +1089,7 @@ spec:
           mountPath: /data
       containers:
       - name: haproxy
-        image: haproxy:2.6.2-alpine
+        image: haproxy:2.6.9-alpine
         imagePullPolicy: IfNotPresent
         securityContext: 
           null
@@ -1179,7 +1179,7 @@ spec:
       automountServiceAccountToken: false
       initContainers:
       - name: config-init
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         resources:
           {}
@@ -1206,7 +1206,7 @@ spec:
 
       containers:
       - name: redis
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         command:
         - redis-server
@@ -1256,7 +1256,7 @@ spec:
               - /bin/sh
               - /readonly-config/trigger-failover-if-master.sh
       - name: sentinel
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         command:
           - redis-sentinel
@@ -1300,7 +1300,7 @@ spec:
           {}
 
       - name: split-brain-fix
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         command:
           - sh

manifests/ha/base/redis-ha/chart/values.yaml

@@ -11,14 +11,14 @@ redis-ha:
     IPv6:
       enabled: false
     image:
-      tag: 2.6.2-alpine
+      tag: 2.6.9-alpine
     containerSecurityContext: null
     timeout:
       server: 6m
       client: 6m
     checkInterval: 3s
   image:
-    tag: 7.0.7-alpine
+    tag: 7.0.8-alpine
   containerSecurityContext: null
   sentinel:
     bind: "0.0.0.0"

manifests/ha/install.yaml

@@ -16758,7 +16758,7 @@ spec:
               key: applicationsetcontroller.enable.progressive.syncs
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -16868,7 +16868,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -16921,7 +16921,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -16992,7 +16992,7 @@ spec:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
       containers:
-      - image: haproxy:2.6.2-alpine
+      - image: haproxy:2.6.9-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -17028,7 +17028,7 @@ spec:
         - /readonly/haproxy_init.sh
         command:
         - sh
-        image: haproxy:2.6.2-alpine
+        image: haproxy:2.6.9-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:
@@ -17224,7 +17224,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -17276,7 +17276,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -17555,7 +17555,7 @@ spec:
               key: server.enable.proxy.extension
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -17791,7 +17791,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -17868,7 +17868,7 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -17921,7 +17921,7 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -17973,7 +17973,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
@@ -18002,7 +18002,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:

manifests/ha/namespace-install.yaml

@@ -1562,7 +1562,7 @@ spec:
               key: applicationsetcontroller.enable.progressive.syncs
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1672,7 +1672,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1725,7 +1725,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1796,7 +1796,7 @@ spec:
                 app.kubernetes.io/name: argocd-redis-ha-haproxy
             topologyKey: kubernetes.io/hostname
       containers:
-      - image: haproxy:2.6.2-alpine
+      - image: haproxy:2.6.9-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -1832,7 +1832,7 @@ spec:
         - /readonly/haproxy_init.sh
         command:
         - sh
-        image: haproxy:2.6.2-alpine
+        image: haproxy:2.6.9-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:
@@ -2028,7 +2028,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2080,7 +2080,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2359,7 +2359,7 @@ spec:
               key: server.enable.proxy.extension
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2595,7 +2595,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:
@@ -2672,7 +2672,7 @@ spec:
         - /data/conf/redis.conf
         command:
         - redis-server
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         lifecycle:
           preStop:
@@ -2725,7 +2725,7 @@ spec:
         - /data/conf/sentinel.conf
         command:
         - redis-sentinel
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         lifecycle: {}
         livenessProbe:
@@ -2777,7 +2777,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         name: split-brain-fix
         resources: {}
@@ -2806,7 +2806,7 @@ spec:
           value: 40000915ab58c3fa8fd888fb8b24711944e6cbb4
         - name: SENTINEL_ID_2
           value: 2bbec7894d954a8af3bb54d13eaec53cb024e2ca
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: IfNotPresent
         name: config-init
         securityContext:

manifests/install.yaml

@@ -15877,7 +15877,7 @@ spec:
               key: applicationsetcontroller.enable.progressive.syncs
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -15987,7 +15987,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -16040,7 +16040,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -16117,7 +16117,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -16299,7 +16299,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -16351,7 +16351,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -16626,7 +16626,7 @@ spec:
               key: server.enable.proxy.extension
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -16860,7 +16860,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -681,7 +681,7 @@ spec:
               key: applicationsetcontroller.enable.progressive.syncs
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -791,7 +791,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -844,7 +844,7 @@ spec:
       containers:
       - command:
         - argocd-notifications
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -921,7 +921,7 @@ spec:
         - ""
         - --appendonly
         - "no"
-        image: redis:7.0.7-alpine
+        image: redis:7.0.8-alpine
         imagePullPolicy: Always
         name: redis
         ports:
@@ -1103,7 +1103,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1155,7 +1155,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1430,7 +1430,7 @@ spec:
               key: server.enable.proxy.extension
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1664,7 +1664,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.6.2
+        image: quay.io/argoproj/argocd:v2.6.4
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

mkdocs.yml

@@ -112,6 +112,7 @@ nav:
     - operator-manual/server-commands/additional-configuration-method.md
   - Upgrading:
     - operator-manual/upgrading/overview.md
+    - operator-manual/upgrading/2.5-2.6.md
     - operator-manual/upgrading/2.4-2.5.md
     - operator-manual/upgrading/2.3-2.4.md
     - operator-manual/upgrading/2.2-2.3.md

pkg/apis/application/v1alpha1/repository_types.go

@@ -202,7 +202,7 @@ func (repo *Repository) GetGitCreds(store git.CredsStore) git.Creds {
 		return git.NewGitHubAppCreds(repo.GithubAppId, repo.GithubAppInstallationId, repo.GithubAppPrivateKey, repo.GitHubAppEnterpriseBaseURL, repo.Repo, repo.TLSClientCertData, repo.TLSClientCertKey, repo.IsInsecure(), repo.Proxy, store)
 	}
 	if repo.GCPServiceAccountKey != "" {
-		return git.NewGoogleCloudCreds(repo.GCPServiceAccountKey)
+		return git.NewGoogleCloudCreds(repo.GCPServiceAccountKey, store)
 	}
 	return git.NopCreds{}
 }

pkg/apis/application/v1alpha1/types.go

@@ -182,6 +182,18 @@ type ApplicationSource struct {
 // ApplicationSources contains list of required information about the sources of an application
 type ApplicationSources []ApplicationSource
 
+func (s ApplicationSources) Equals(other ApplicationSources) bool {
+	if len(s) != len(other) {
+		return false
+	}
+	for i := range s {
+		if !s[i].Equals(other[i]) {
+			return false
+		}
+	}
+	return true
+}
+
 func (a *ApplicationSpec) GetSource() ApplicationSource {
 	// if Application has multiple sources, return the first source in sources
 	if a.HasMultipleSources() {

reposerver/repository/repository_test.go

@@ -1328,7 +1328,7 @@ func TestGetAppDetailsKustomize(t *testing.T) {
 
 	assert.Equal(t, "Kustomize", res.Type)
 	assert.NotNil(t, res.Kustomize)
-	assert.EqualValues(t, []string{"nginx:1.15.4", "k8s.gcr.io/nginx-slim:0.8"}, res.Kustomize.Images)
+	assert.EqualValues(t, []string{"nginx:1.15.4", "registry.k8s.io/nginx-slim:0.8"}, res.Kustomize.Images)
 }
 
 func TestGetHelmCharts(t *testing.T) {

resource_customizations/apps/DaemonSet/actions/testdata/daemonset-restarted.yaml

@@ -25,7 +25,7 @@ spec:
         name: daemonset
     spec:
       containers:
-      - image: k8s.gcr.io/nginx-slim:0.8
+      - image: registry.k8s.io/nginx-slim:0.8
         imagePullPolicy: IfNotPresent
         name: nginx
         resources: {}

resource_customizations/apps/DaemonSet/actions/testdata/daemonset.yaml

@@ -23,7 +23,7 @@ spec:
         name: daemonset
     spec:
       containers:
-      - image: k8s.gcr.io/nginx-slim:0.8
+      - image: registry.k8s.io/nginx-slim:0.8
         imagePullPolicy: IfNotPresent
         name: nginx
         resources: {}

resource_customizations/apps/StatefulSet/actions/testdata/statefulset-restarted.yaml

@@ -26,7 +26,7 @@ spec:
         kubectl.kubernetes.io/restartedAt: "0001-01-01T00:00:00Z"
     spec:
       containers:
-      - image: k8s.gcr.io/nginx-slim:0.8
+      - image: registry.k8s.io/nginx-slim:0.8
         imagePullPolicy: IfNotPresent
         name: nginx
         resources: {}

resource_customizations/apps/StatefulSet/actions/testdata/statefulset.yaml

@@ -24,7 +24,7 @@ spec:
         app: statefulset
     spec:
       containers:
-      - image: k8s.gcr.io/nginx-slim:0.8
+      - image: registry.k8s.io/nginx-slim:0.8
         imagePullPolicy: IfNotPresent
         name: nginx
         resources: {}

server/server.go

@@ -469,8 +469,9 @@ func (a *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) {
 
 		// If not matched, we assume that its TLS.
 		tlsl := tcpm.Match(cmux.Any())
-		tlsConfig := tls.Config{
-			Certificates: []tls.Certificate{*a.settings.Certificate},
+		tlsConfig := tls.Config{}
+		tlsConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			return a.settings.Certificate, nil
 		}
 		if a.TLSConfigCustomizer != nil {
 			a.TLSConfigCustomizer(&tlsConfig)
@@ -613,8 +614,8 @@ func (a *ArgoCDServer) watchSettings() {
 				newCert, newCertKey = tlsutil.EncodeX509KeyPairString(*a.settings.Certificate)
 			}
 			if newCert != prevCert || newCertKey != prevCertKey {
-				log.Infof("tls certificate modified. restarting")
-				break
+				log.Infof("tls certificate modified. reloading certificate")
+				// No need to break out of this loop since TlsConfig.GetCertificate will automagically reload the cert.
 			}
 		}
 	}

test/container/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/library/redis:7.0.5 as redis
+FROM docker.io/library/redis:7.0.8-alpine as redis
 
 # There are libraries we will want to copy from here in the final stage of the
 # build, but the COPY directive does not have a way to determine system

test/e2e/app_multiple_sources_test.go

@@ -3,11 +3,12 @@ package e2e
 import (
 	"testing"
 
+	"github.com/stretchr/testify/assert"
+
 	. "github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
 	. "github.com/argoproj/argo-cd/v2/test/e2e/fixture"
 	. "github.com/argoproj/argo-cd/v2/test/e2e/fixture/app"
 	. "github.com/argoproj/argo-cd/v2/util/argo"
-	"github.com/stretchr/testify/assert"
 )
 
 func TestMultiSourceAppCreation(t *testing.T) {
@@ -24,7 +25,6 @@ func TestMultiSourceAppCreation(t *testing.T) {
 		When().
 		CreateMultiSourceAppFromFile().
 		Then().
-		Expect(SyncStatusIs(SyncStatusCodeOutOfSync)).
 		And(func(app *Application) {
 			assert.Equal(t, Name(), app.Name)
 			for i, source := range app.Spec.GetSources() {
@@ -42,7 +42,8 @@ func TestMultiSourceAppCreation(t *testing.T) {
 			assert.Contains(t, output, Name())
 		}).
 		Expect(Success("")).
-		When().Refresh(RefreshTypeNormal).Then().
+		Given().Timeout(60).
+		When().Wait().Then().
 		Expect(Success("")).
 		And(func(app *Application) {
 			statusByName := map[string]SyncStatusCode{}
@@ -78,7 +79,6 @@ func TestMultiSourceAppWithHelmExternalValueFiles(t *testing.T) {
 		When().
 		CreateMultiSourceAppFromFile().
 		Then().
-		Expect(SyncStatusIs(SyncStatusCodeOutOfSync)).
 		And(func(app *Application) {
 			assert.Equal(t, Name(), app.Name)
 			for i, source := range app.Spec.GetSources() {
@@ -96,7 +96,8 @@ func TestMultiSourceAppWithHelmExternalValueFiles(t *testing.T) {
 			assert.Contains(t, output, Name())
 		}).
 		Expect(Success("")).
-		When().Refresh(RefreshTypeNormal).Then().
+		Given().Timeout(60).
+		When().Wait().Then().
 		Expect(Success("")).
 		And(func(app *Application) {
 			statusByName := map[string]SyncStatusCode{}
@@ -126,7 +127,6 @@ func TestMultiSourceAppWithSourceOverride(t *testing.T) {
 		When().
 		CreateMultiSourceAppFromFile().
 		Then().
-		Expect(SyncStatusIs(SyncStatusCodeOutOfSync)).
 		And(func(app *Application) {
 			assert.Equal(t, Name(), app.Name)
 			for i, source := range app.Spec.GetSources() {
@@ -144,7 +144,8 @@ func TestMultiSourceAppWithSourceOverride(t *testing.T) {
 			assert.Contains(t, output, Name())
 		}).
 		Expect(Success("")).
-		When().Refresh(RefreshTypeNormal).Then().
+		Given().Timeout(60).
+		When().Wait().Then().
 		Expect(Success("")).
 		And(func(app *Application) {
 			statusByName := map[string]SyncStatusCode{}

test/e2e/fixture/app/actions.go

@@ -362,6 +362,17 @@ func (a *Actions) DeleteBySelector(selector string) *Actions {
 	return a
 }
 
+func (a *Actions) Wait(args ...string) *Actions {
+	a.context.t.Helper()
+	args = append([]string{"app", "wait"}, args...)
+	if a.context.name != "" {
+		args = append(args, a.context.AppQualifiedName())
+	}
+	args = append(args, "--timeout", fmt.Sprintf("%v", a.context.timeout))
+	a.runCli(args...)
+	return a
+}
+
 func (a *Actions) SetParamInSettingConfigMap(key, value string) *Actions {
 	fixture.SetParamInSettingConfigMap(key, value)
 	return a

test/e2e/fixture/app/consequences.go

@@ -86,11 +86,6 @@ func (c *Consequences) resource(kind, name, namespace string) ResourceStatus {
 	}
 }
 
-func (c *Consequences) Timeout(timeout int) *Consequences {
-	c.timeout = timeout
-	return c
-}
-
 func (c *Consequences) AndCLIOutput(block func(output string, err error)) *Consequences {
 	c.context.t.Helper()
 	block(c.actions.lastOutput, c.actions.lastError)

ui/src/app/applications/components/resource-details/resource-details.tsx

@@ -286,7 +286,7 @@ export const ResourceDetails = (props: ResourceDetailsProps) => {
                         const execEnabled = settings.execEnabled;
                         const logsAllowed = await services.accounts.canI('logs', 'get', application.spec.project + '/' + application.metadata.name);
                         const execAllowed = await services.accounts.canI('exec', 'create', application.spec.project + '/' + application.metadata.name);
-                        const links = await services.applications.getResourceLinks(application.metadata.name, application.metadata.namespace, selectedNode);
+                        const links = await services.applications.getResourceLinks(application.metadata.name, application.metadata.namespace, selectedNode).catch(() => null);
                         return {controlledState, liveState, events, podState, execEnabled, execAllowed, logsAllowed, links};
                     }}>
                     {data => (

ui/src/app/applications/components/utils.tsx

@@ -493,17 +493,20 @@ function getActionItems(
 
     const resourceActions = getResourceActionsMenuItems(resource, application.metadata, appContext);
 
-    const links = services.applications.getResourceLinks(application.metadata.name, application.metadata.namespace, resource).then(data => {
-        return (data.items || []).map(
-            link =>
-                ({
-                    title: link.title,
-                    iconClassName: `fa ${link.iconClass ? link.iconClass : 'fa-external-link'}`,
-                    action: () => window.open(link.url, '_blank'),
-                    tooltip: link.description
-                } as MenuItem)
-        );
-    });
+    const links = services.applications
+        .getResourceLinks(application.metadata.name, application.metadata.namespace, resource)
+        .then(data => {
+            return (data.items || []).map(
+                link =>
+                    ({
+                        title: link.title,
+                        iconClassName: `fa ${link.iconClass ? link.iconClass : 'fa-external-link'}`,
+                        action: () => window.open(link.url, '_blank'),
+                        tooltip: link.description
+                    } as MenuItem)
+            );
+        })
+        .catch(() => [] as MenuItem[]);
 
     return combineLatest(
         from([items]), // this resolves immediately

ui/src/app/shared/components/events-list/events-list.tsx

@@ -48,7 +48,9 @@ export const EventsList = (props: {events: models.Event[]}) => {
                         <div className={`argo-table-list__row events-list__event events-list__event--${event.type}`} key={event.metadata.uid}>
                             <div className='row'>
                                 <div className='columns small-2 xxlarge-2'>{event.reason}</div>
-                                <div className='columns small-4 xxlarge-5'>{event.message}</div>
+                                <div className='columns small-4 xxlarge-5' style={{whiteSpace: 'normal'}}>
+                                    {event.message}
+                                </div>
                                 <div className='columns small-2 xxlarge-1'>{event.count}</div>
                                 <div className='columns small-2 xxlarge-2'>{event.firstTimestamp ? getTimeElements(event.firstTimestamp) : getTimeElements(event.eventTime)}</div>
                                 <div className='columns small-2 xxlarge-2'>{event.lastTimestamp ? getTimeElements(event.lastTimestamp) : getTimeElements(event.eventTime)}</div>

ui/src/app/ui-banner/ui-banner.tsx

@@ -1,6 +1,8 @@
+import {Tooltip} from 'argo-ui';
 import * as React from 'react';
 import {combineLatest} from 'rxjs';
 import {map} from 'rxjs/operators';
+import {ExternalLink} from '../applications/components/application-urls';
 
 import {DataLoader} from '../shared/components';
 import {services, ViewPreferences} from '../shared/services';
@@ -67,6 +69,14 @@ export const Banner = (props: React.Props<any>) => {
                         chatBottomPosition = 85;
                     }
                 }
+                if (chatUrl) {
+                    try {
+                        const externalLink = new ExternalLink(chatUrl);
+                        chatUrl = externalLink.ref;
+                    } catch (InvalidExternalLinkError) {
+                        chatUrl = 'invalid-url';
+                    }
+                }
                 return (
                     <React.Fragment>
                         <div className={combinedBannerClassName} style={{visibility: show ? 'visible' : 'hidden', height: heightOfBanner, left: leftOffset}}>
@@ -97,9 +107,17 @@ export const Banner = (props: React.Props<any>) => {
                         {show ? <div className={wrapperClassname}>{props.children}</div> : props.children}
                         {chatUrl && (
                             <div style={{position: 'fixed', right: 10, bottom: chatBottomPosition}}>
-                                <a href={chatUrl} className='argo-button argo-button--special'>
-                                    <i className='fas fa-comment-alt' /> {chatText}
-                                </a>
+                                {chatUrl === 'invalid-url' ? (
+                                    <Tooltip content='Invalid URL provided'>
+                                        <a className='argo-button disabled argo-button--special'>
+                                            <i className='fas fa-comment-alt' /> {chatText}
+                                        </a>
+                                    </Tooltip>
+                                ) : (
+                                    <a href={chatUrl} className='argo-button argo-button--special'>
+                                        <i className='fas fa-comment-alt' /> {chatText}
+                                    </a>
+                                )}
                             </div>
                         )}
                     </React.Fragment>

util/git/creds.go

@@ -456,15 +456,16 @@ func (g GitHubAppCreds) GetClientCertKey() string {
 // GoogleCloudCreds to authenticate to Google Cloud Source repositories
 type GoogleCloudCreds struct {
 	creds *google.Credentials
+	store CredsStore
 }
 
-func NewGoogleCloudCreds(jsonData string) GoogleCloudCreds {
+func NewGoogleCloudCreds(jsonData string, store CredsStore) GoogleCloudCreds {
 	creds, err := google.CredentialsFromJSON(context.Background(), []byte(jsonData), "https://www.googleapis.com/auth/cloud-platform")
 	if err != nil {
 		// Invalid JSON
 		log.Errorf("Failed reading credentials from JSON: %+v", err)
 	}
-	return GoogleCloudCreds{creds}
+	return GoogleCloudCreds{creds, store}
 }
 
 func (c GoogleCloudCreds) Environ() (io.Closer, []string, error) {
@@ -477,9 +478,13 @@ func (c GoogleCloudCreds) Environ() (io.Closer, []string, error) {
 		return NopCloser{}, nil, fmt.Errorf("failed to get access token from creds: %w", err)
 	}
 
-	env := []string{fmt.Sprintf("GIT_ASKPASS=%s", "git-ask-pass.sh"), fmt.Sprintf("GIT_USERNAME=%s", username), fmt.Sprintf("GIT_PASSWORD=%s", token)}
+	nonce := c.store.Add(username, token)
+	env := getGitAskPassEnv(nonce)
 
-	return NopCloser{}, env, nil
+	return argoioutils.NewCloser(func() error {
+		c.store.Remove(nonce)
+		return NopCloser{}.Close()
+	}), env, nil
 }
 
 func (c GoogleCloudCreds) getUsername() (string, error) {

util/git/creds_test.go

@@ -12,11 +12,11 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/google"
 
 	"github.com/argoproj/argo-cd/v2/util/cert"
 	"github.com/argoproj/argo-cd/v2/util/io"
-	"golang.org/x/oauth2"
-	"golang.org/x/oauth2/google"
 )
 
 type cred struct {
@@ -251,12 +251,14 @@ const invalidJSON = `{
 `
 
 func TestNewGoogleCloudCreds(t *testing.T) {
-	googleCloudCreds := NewGoogleCloudCreds(gcpServiceAccountKeyJSON)
+	store := &memoryCredsStore{creds: make(map[string]cred)}
+	googleCloudCreds := NewGoogleCloudCreds(gcpServiceAccountKeyJSON, store)
 	assert.NotNil(t, googleCloudCreds)
 }
 
 func TestNewGoogleCloudCreds_invalidJSON(t *testing.T) {
-	googleCloudCreds := NewGoogleCloudCreds(invalidJSON)
+	store := &memoryCredsStore{creds: make(map[string]cred)}
+	googleCloudCreds := NewGoogleCloudCreds(invalidJSON, store)
 	assert.Nil(t, googleCloudCreds.creds)
 
 	token, err := googleCloudCreds.getAccessToken()
@@ -273,17 +275,25 @@ func TestNewGoogleCloudCreds_invalidJSON(t *testing.T) {
 	assert.NotNil(t, err)
 }
 
-func TestGoogleCloudCreds_Environ(t *testing.T) {
+func TestGoogleCloudCreds_Environ_cleanup(t *testing.T) {
+	store := &memoryCredsStore{creds: make(map[string]cred)}
 	staticToken := &oauth2.Token{AccessToken: "token"}
 	googleCloudCreds := GoogleCloudCreds{&google.Credentials{
 		ProjectID:   "my-google-project",
 		TokenSource: oauth2.StaticTokenSource(staticToken),
 		JSON:        []byte(gcpServiceAccountKeyJSON),
-	}}
+	}, store}
 
 	closer, env, err := googleCloudCreds.Environ()
 	assert.NoError(t, err)
-	defer func() { _ = closer.Close() }()
-
-	assert.Equal(t, []string{"GIT_ASKPASS=git-ask-pass.sh", "GIT_USERNAME=argocd-service-account@my-google-project.iam.gserviceaccount.com", "GIT_PASSWORD=token"}, env)
+	var nonce string
+	for _, envVar := range env {
+		if strings.HasPrefix(envVar, ASKPASS_NONCE_ENV) {
+			nonce = envVar[len(ASKPASS_NONCE_ENV)+1:]
+			break
+		}
+	}
+	assert.Contains(t, store.creds, nonce)
+	io.Close(closer)
+	assert.NotContains(t, store.creds, nonce)
 }

util/kustomize/testdata/kustomization_yaml/statefulset.yaml

@@ -16,7 +16,7 @@ spec:
       terminationGracePeriodSeconds: 10
       containers:
       - name: nginx
-        image: k8s.gcr.io/nginx-slim:0.8
+        image: registry.k8s.io/nginx-slim:0.8
         ports:
         - containerPort: 80
           name: web

util/lua/lua_test.go

@@ -35,6 +35,20 @@ metadata:
   resourceVersion: "123"
 `
 
+const ec2AWSCrossplaneObjJson = `
+apiVersion: ec2.aws.crossplane.io/v1alpha1
+kind: Instance
+metadata:
+  name: sample-crosspalne-ec2-instance
+spec:
+  forProvider:
+    region: us-west-2
+    instanceType: t2.micro
+    keyName: my-crossplane-key-pair
+  providerConfigRef:
+    name: awsconfig
+`
+
 const newHealthStatusFunction = `a = {}
 a.status = "Healthy"
 a.message ="NeedsToBeChanged"
@@ -43,6 +57,14 @@ if obj.metadata.name == "helm-guestbook" then
 end
 return a`
 
+const newWildcardHealthStatusFunction = `a = {}
+a.status = "Healthy"
+a.message ="NeedsToBeChanged"
+if obj.metadata.name == "sample-crosspalne-ec2-instance" then
+	a.message = "testWildcardMessage"
+end
+return a`
+
 func StrToUnstructured(jsonStr string) *unstructured.Unstructured {
 	obj := make(map[string]interface{})
 	err := yaml.Unmarshal([]byte(jsonStr), &obj)
@@ -65,6 +87,19 @@ func TestExecuteNewHealthStatusFunction(t *testing.T) {
 
 }
 
+func TestExecuteWildcardHealthStatusFunction(t *testing.T) {
+	testObj := StrToUnstructured(ec2AWSCrossplaneObjJson)
+	vm := VM{}
+	status, err := vm.ExecuteHealthLua(testObj, newWildcardHealthStatusFunction)
+	assert.Nil(t, err)
+	expectedHealthStatus := &health.HealthStatus{
+		Status:  "Healthy",
+		Message: "testWildcardMessage",
+	}
+	assert.Equal(t, expectedHealthStatus, status)
+
+}
+
 const osLuaScript = `os.getenv("HOME")`
 
 func TestFailExternalLibCall(t *testing.T) {
@@ -160,6 +195,23 @@ func TestGetHealthScriptWithGroupWildcardOverride(t *testing.T) {
 	assert.Equal(t, newHealthStatusFunction, script)
 }
 
+func TestGetHealthScriptWithGroupAndKindWildcardOverride(t *testing.T) {
+	testObj := StrToUnstructured(ec2AWSCrossplaneObjJson)
+	vm := VM{
+		ResourceOverrides: map[string]appv1.ResourceOverride{
+			"*.aws.crossplane.io/*": {
+				HealthLua:   newHealthStatusFunction,
+				UseOpenLibs: false,
+			},
+		},
+	}
+
+	script, useOpenLibs, err := vm.GetHealthScript(testObj)
+	assert.Nil(t, err)
+	assert.Equal(t, false, useOpenLibs)
+	assert.Equal(t, newHealthStatusFunction, script)
+}
+
 func TestGetHealthScriptPredefined(t *testing.T) {
 	testObj := StrToUnstructured(objJSON)
 	vm := VM{}
@@ -434,6 +486,11 @@ end
 hs.status = "Healthy"
 return hs`
 
+	const healthWildcardOverrideScript = `
+ hs = {} 
+ hs.status = "Healthy"
+ return hs`
+
 	getHealthOverride := func(openLibs bool) ResourceHealthOverrides {
 		return ResourceHealthOverrides{
 			"ServiceAccount": appv1.ResourceOverride{
@@ -443,6 +500,12 @@ return hs`
 		}
 	}
 
+	getWildcardHealthOverride := ResourceHealthOverrides{
+		"*.aws.crossplane.io/*": appv1.ResourceOverride{
+			HealthLua: healthWildcardOverrideScript,
+		},
+	}
+
 	t.Run("Enable Lua standard lib", func(t *testing.T) {
 		testObj := StrToUnstructured(testSA)
 		overrides := getHealthOverride(true)
@@ -464,4 +527,23 @@ return hs`
 		assert.EqualError(t, err, expectedErr)
 		assert.Nil(t, status)
 	})
+
+	t.Run("Get resource health for wildcard override", func(t *testing.T) {
+		testObj := StrToUnstructured(ec2AWSCrossplaneObjJson)
+		overrides := getWildcardHealthOverride
+		status, err := overrides.GetResourceHealth(testObj)
+		assert.Nil(t, err)
+		expectedStatus := &health.HealthStatus{
+			Status: health.HealthStatusHealthy,
+		}
+		assert.Equal(t, expectedStatus, status)
+	})
+
+	t.Run("Resource health for wildcard override not found", func(t *testing.T) {
+		testObj := StrToUnstructured(testSA)
+		overrides := getWildcardHealthOverride
+		status, err := overrides.GetResourceHealth(testObj)
+		assert.Nil(t, err)
+		assert.Nil(t, status)
+	})
 }

util/settings/settings_test.go

@@ -308,6 +308,24 @@ func TestGetResourceOverrides(t *testing.T) {
 
 }
 
+func TestGetResourceOverridesHealthWithWildcard(t *testing.T) {
+	data := map[string]string{
+		"resource.customizations": `
+    "*.aws.crossplane.io/*":
+      health.lua: |
+        foo`,
+	}
+
+	t.Run("TestResourceHealthOverrideWithWildcard", func(t *testing.T) {
+		_, settingsManager := fixtures(data)
+
+		overrides, err := settingsManager.GetResourceOverrides()
+		assert.NoError(t, err)
+		assert.Equal(t, 2, len(overrides))
+		assert.Equal(t, "foo", overrides["*.aws.crossplane.io/*"].HealthLua)
+	})
+}
+
 func TestSettingsManager_GetResourceOverrides_with_empty_string(t *testing.T) {
 	_, settingsManager := fixtures(map[string]string{
 		resourceCustomizationsKey: "",

util/webhook/webhook.go

@@ -36,6 +36,10 @@ type settingsSource interface {
 	GetTrackingMethod() (string, error)
 }
 
+// https://www.rfc-editor.org/rfc/rfc3986#section-3.2.1
+// https://github.com/shadow-maint/shadow/blob/master/libmisc/chkname.c#L36
+const usernameRegex = `[a-zA-Z0-9_\.][a-zA-Z0-9_\.-]{0,30}[a-zA-Z0-9_\.\$-]?`
+
 var _ settingsSource = &settings.SettingsManager{}
 
 type ArgoCDWebhookHandler struct {
@@ -268,7 +272,8 @@ func getWebUrlRegex(webURL string) (*regexp.Regexp, error) {
 
 	regexEscapedHostname := regexp.QuoteMeta(urlObj.Hostname())
 	regexEscapedPath := regexp.QuoteMeta(urlObj.Path[1:])
-	regexpStr := fmt.Sprintf(`(?i)^(http://|https://|\w+@|ssh://(\w+@)?)%s(:[0-9]+|)[:/]%s(\.git)?$`, regexEscapedHostname, regexEscapedPath)
+	regexpStr := fmt.Sprintf(`(?i)^(http://|https://|%s@|ssh://(%s@)?)%s(:[0-9]+|)[:/]%s(\.git)?$`,
+		usernameRegex, usernameRegex, regexEscapedHostname, regexEscapedPath)
 	repoRegexp, err := regexp.Compile(regexpStr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to compile regexp for repoURL '%s'", webURL)

util/webhook/webhook_test.go

@@ -534,6 +534,8 @@ func Test_getWebUrlRegex(t *testing.T) {
 		{true, "https://example.com/org/repo", "ssh://git@example.com/org/repo", "git with protocol should match"},
 		{true, "https://example.com/org/repo", "ssh://git@example.com:22/org/repo", "git with port number should should match"},
 		{true, "https://example.com:443/org/repo", "ssh://git@example.com:22/org/repo", "https and ssh w/ different port numbers should match"},
+		{true, "https://example.com/org/repo", "ssh://user-name@example.com/org/repo", "valid usernames with hyphens in repo should match"},
+		{false, "https://example.com/org/repo", "ssh://-user-name@example.com/org/repo", "invalid usernames with hyphens in repo should not match"},
 		{true, "https://example.com:443/org/repo", "GIT@EXAMPLE.COM:22:ORG/REPO", "matches aren't case-sensitive"},
 	}
 	for _, testCase := range tests {