chore(deps): bump slsa-github-generator to 1.9.0 (#16200)

* chore(deps): bump slsa-github-generator to 1.9.0

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

* missed a spot

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

---------

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

.github/workflows/image.yaml

@@ -86,7 +86,7 @@ jobs:
       packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
     if: ${{ github.repository == 'argoproj/argo-cd' && github.event_name == 'push' }}
     # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
     with:
       image: ghcr.io/argoproj/argo-cd/argocd
       digest: ${{ needs.build-and-publish.outputs.image-digest }}

.github/workflows/release.yaml

@@ -38,7 +38,7 @@ jobs:
         packages: write # for uploading attestations. (https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#known-issues)
       # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
       if: github.repository == 'argoproj/argo-cd'
-      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.7.0
+      uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
       with:
         image: quay.io/argoproj/argocd
         digest: ${{ needs.argocd-image.outputs.image-digest }}
@@ -120,7 +120,7 @@ jobs:
       contents: write #  Needed for release uploads
     if: github.repository == 'argoproj/argo-cd'
     # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
     with:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
       provenance-name: "argocd-cli.intoto.jsonl"
@@ -204,7 +204,7 @@ jobs:
       contents: write #  Needed for release uploads
     if: github.repository == 'argoproj/argo-cd'
     # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
     with:
       base64-subjects: "${{ needs.generate-sbom.outputs.hashes }}"
       provenance-name: "argocd-sbom.intoto.jsonl"

VERSION

@@ -1 +1 @@
-2.8.5
+2.8.6

examples/plugins/helm/get-parameters.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
 
-yq e -o=json values.yaml | jq '{
+yq e -o=json values.yaml | jq '[{
   name: "helm-parameters",
   title: "Helm Parameters",
   collectionType: "map",
   map: [leaf_paths as $path | {"key": $path | join("."), "value": getpath($path)|tostring}] | from_entries
-}'
+}]'

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.8.5
+  newTag: v2.8.6
 resources:
 - ./application-controller
 - ./dex

manifests/core-install.yaml

@@ -18880,7 +18880,7 @@ spec:
               key: applicationsetcontroller.allowed.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -19180,7 +19180,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -19232,7 +19232,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -19451,7 +19451,7 @@ spec:
               key: controller.kubectl.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.8.5
+  newTag: v2.8.6

manifests/ha/base/kustomization.yaml

@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v2.8.5
+  newTag: v2.8.6
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/install.yaml

@@ -20129,7 +20129,7 @@ spec:
               key: applicationsetcontroller.allowed.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -20252,7 +20252,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -20328,7 +20328,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -20654,7 +20654,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -20706,7 +20706,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -20995,7 +20995,7 @@ spec:
               key: server.enable.proxy.extension
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -21241,7 +21241,7 @@ spec:
               key: controller.kubectl.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install.yaml

@@ -1635,7 +1635,7 @@ spec:
               key: applicationsetcontroller.allowed.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1758,7 +1758,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1834,7 +1834,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2160,7 +2160,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2212,7 +2212,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2501,7 +2501,7 @@ spec:
               key: server.enable.proxy.extension
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2747,7 +2747,7 @@ spec:
               key: controller.kubectl.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install.yaml

@@ -19230,7 +19230,7 @@ spec:
               key: applicationsetcontroller.allowed.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -19353,7 +19353,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -19429,7 +19429,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -19711,7 +19711,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -19763,7 +19763,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -20050,7 +20050,7 @@ spec:
               key: server.enable.proxy.extension
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -20296,7 +20296,7 @@ spec:
               key: controller.kubectl.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -736,7 +736,7 @@ spec:
               key: applicationsetcontroller.allowed.scm.providers
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -859,7 +859,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -935,7 +935,7 @@ spec:
               key: application.namespaces
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1217,7 +1217,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1269,7 +1269,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -1556,7 +1556,7 @@ spec:
               key: server.enable.proxy.extension
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -1802,7 +1802,7 @@ spec:
               key: controller.kubectl.parallelism.limit
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v2.8.5
+        image: quay.io/argoproj/argocd:v2.8.6
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

notification_controller/controller/controller.go

@@ -12,6 +12,8 @@ import (
 
 	service "github.com/argoproj/argo-cd/v2/util/notification/argocd"
 
+	argocert "github.com/argoproj/argo-cd/v2/util/cert"
+
 	"k8s.io/apimachinery/pkg/runtime/schema"
 
 	"github.com/argoproj/argo-cd/v2/util/notification/settings"
@@ -21,6 +23,7 @@ import (
 	"github.com/argoproj/notifications-engine/pkg/controller"
 	"github.com/argoproj/notifications-engine/pkg/services"
 	"github.com/argoproj/notifications-engine/pkg/subscriptions"
+	httputil "github.com/argoproj/notifications-engine/pkg/util/http"
 	log "github.com/sirupsen/logrus"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
@@ -61,7 +64,13 @@ func NewController(
 	secretName string,
 	configMapName string,
 ) *notificationController {
-	appClient := client.Resource(applications)
+	var appClient dynamic.ResourceInterface
+	namespaceableAppClient := client.Resource(applications)
+	appClient = namespaceableAppClient
+	if len(applicationNamespaces) == 0 {
+		appClient = namespaceableAppClient.Namespace(namespace)
+	}
+
 	appInformer := newInformer(appClient, namespace, applicationNamespaces, appLabelSelector)
 	appProjInformer := newInformer(newAppProjClient(client, namespace), namespace, []string{namespace}, "")
 	secretInformer := k8s.NewSecretInformer(k8sClient, namespace, secretName)
@@ -74,7 +83,7 @@ func NewController(
 		appInformer:       appInformer,
 		appProjInformer:   appProjInformer,
 		apiFactory:        apiFactory}
-	res.ctrl = controller.NewController(appClient, appInformer, apiFactory,
+	res.ctrl = controller.NewController(namespaceableAppClient, appInformer, apiFactory,
 		controller.WithSkipProcessing(func(obj v1.Object) (bool, string) {
 			app, ok := (obj).(*unstructured.Unstructured)
 			if !ok {
@@ -154,6 +163,9 @@ type notificationController struct {
 }
 
 func (c *notificationController) Init(ctx context.Context) error {
+	// resolve certificates using injected "argocd-tls-certs-cm" ConfigMap
+	httputil.SetCertResolver(argocert.GetCertificateForConnect)
+
 	go c.appInformer.Run(ctx.Done())
 	go c.appProjInformer.Run(ctx.Done())
 	go c.secretInformer.Run(ctx.Done())