fix: controller incorrectly detecting diff during app normalization (cherry-pick #27002 for 3.2) (#27012)

Signed-off-by: Alexander Matyushentsev <alexander@akuity.io>
Co-authored-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

VERSION

@@ -1 +1 @@
-3.2.7
+3.2.8

controller/appcontroller.go

@@ -1795,7 +1795,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		logCtx = logCtx.WithField(k, v.Milliseconds())
 	}
 
-	ctrl.normalizeApplication(origApp, app)
+	ctrl.normalizeApplication(app)
 	ts.AddCheckpoint("normalize_application_ms")
 
 	tree, err := ctrl.setAppManagedResources(destCluster, app, compareResult)
@@ -2015,7 +2015,8 @@ func (ctrl *ApplicationController) refreshAppConditions(app *appv1.Application)
 }
 
 // normalizeApplication normalizes an application.spec and additionally persists updates if it changed
-func (ctrl *ApplicationController) normalizeApplication(orig, app *appv1.Application) {
+func (ctrl *ApplicationController) normalizeApplication(app *appv1.Application) {
+	orig := app.DeepCopy()
 	app.Spec = *argo.NormalizeApplicationSpec(&app.Spec)
 	logCtx := log.WithFields(applog.GetAppLogFields(app))
 

hack/update-manifests.sh

@@ -18,6 +18,10 @@ IMAGE_TAG="${IMAGE_TAG:-}"
 # if the tag has not been declared, and we are on a release branch, use the VERSION file.
 if [ "$IMAGE_TAG" = "" ]; then
   branch=$(git rev-parse --abbrev-ref HEAD)
+  # In GitHub Actions PRs, HEAD is detached; use GITHUB_BASE_REF (the target branch) instead
+  if [ "$branch" = "HEAD" ] && [ -n "${GITHUB_BASE_REF:-}" ]; then
+    branch="$GITHUB_BASE_REF"
+  fi
   if [[ $branch = release-* ]]; then
     pwd
     IMAGE_TAG=v$(cat "$SRCROOT/VERSION")

manifests/base/commit-server/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.2.7
+  newTag: v3.2.8

manifests/base/kustomization.yaml

@@ -5,7 +5,7 @@ kind: Kustomization
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.2.7
+  newTag: v3.2.8
 resources:
 - ./application-controller
 - ./dex

manifests/core-install-with-hydrator.yaml

@@ -24850,7 +24850,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -24985,7 +24985,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25113,7 +25113,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25410,7 +25410,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25462,7 +25462,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -25810,7 +25810,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install.yaml

@@ -24818,7 +24818,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -24947,7 +24947,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25244,7 +25244,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25296,7 +25296,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -25644,7 +25644,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/core-install/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.2.7
+  newTag: v3.2.8

manifests/ha/base/kustomization.yaml

@@ -12,7 +12,7 @@ patches:
 images:
 - name: quay.io/argoproj/argocd
   newName: quay.io/argoproj/argocd
-  newTag: v3.2.7
+  newTag: v3.2.8
 resources:
 - ../../base/application-controller
 - ../../base/applicationset-controller

manifests/ha/install-with-hydrator.yaml

@@ -26216,7 +26216,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -26351,7 +26351,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -26502,7 +26502,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -26598,7 +26598,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -26722,7 +26722,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -27045,7 +27045,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -27097,7 +27097,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -27471,7 +27471,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -27855,7 +27855,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/install.yaml

@@ -26186,7 +26186,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -26338,7 +26338,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -26434,7 +26434,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -26558,7 +26558,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -26881,7 +26881,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -26933,7 +26933,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -27307,7 +27307,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -27691,7 +27691,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install-with-hydrator.yaml

@@ -1897,7 +1897,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -2032,7 +2032,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2183,7 +2183,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2279,7 +2279,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2403,7 +2403,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2726,7 +2726,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2778,7 +2778,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -3152,7 +3152,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3536,7 +3536,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/ha/namespace-install.yaml

@@ -1867,7 +1867,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -2019,7 +2019,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -2115,7 +2115,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -2239,7 +2239,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -2562,7 +2562,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -2614,7 +2614,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2988,7 +2988,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3372,7 +3372,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install-with-hydrator.yaml

@@ -25294,7 +25294,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -25429,7 +25429,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25580,7 +25580,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -25676,7 +25676,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -25778,7 +25778,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -26075,7 +26075,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -26127,7 +26127,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -26499,7 +26499,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -26883,7 +26883,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/install.yaml

@@ -25262,7 +25262,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -25414,7 +25414,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -25510,7 +25510,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -25612,7 +25612,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -25909,7 +25909,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -25961,7 +25961,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -26333,7 +26333,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -26717,7 +26717,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install-with-hydrator.yaml

@@ -975,7 +975,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1110,7 +1110,7 @@ spec:
               key: log.format.timestamp
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1261,7 +1261,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1357,7 +1357,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1459,7 +1459,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1756,7 +1756,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1808,7 +1808,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2180,7 +2180,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2564,7 +2564,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

manifests/namespace-install.yaml

@@ -943,7 +943,7 @@ spec:
               key: applicationsetcontroller.status.max.resources.count
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-applicationset-controller
         ports:
@@ -1095,7 +1095,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /shared/argocd-dex
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: copyutil
         securityContext:
@@ -1191,7 +1191,7 @@ spec:
               key: notificationscontroller.repo.server.plaintext
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           tcpSocket:
@@ -1293,7 +1293,7 @@ spec:
         - argocd
         - admin
         - redis-initial-password
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: IfNotPresent
         name: secret-init
         securityContext:
@@ -1590,7 +1590,7 @@ spec:
           value: /helm-working-dir
         - name: HELM_DATA_HOME
           value: /helm-working-dir
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -1642,7 +1642,7 @@ spec:
         - -n
         - /usr/local/bin/argocd
         - /var/run/argocd/argocd-cmp-server
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         name: copyutil
         securityContext:
           allowPrivilegeEscalation: false
@@ -2014,7 +2014,7 @@ spec:
               key: server.sync.replace.allowed
               name: argocd-cmd-params-cm
               optional: true
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2398,7 +2398,7 @@ spec:
               optional: true
         - name: KUBECACHEDIR
           value: /tmp/kubecache
-        image: quay.io/argoproj/argocd:v3.2.7
+        image: quay.io/argoproj/argocd:v3.2.8
         imagePullPolicy: Always
         name: argocd-application-controller
         ports:

server/server.go

@@ -948,6 +948,8 @@ func (server *ArgoCDServer) newGRPCServer(prometheusRegistry *prometheus.Registr
 	// NOTE: notice we do not configure the gRPC server here with TLS (e.g. grpc.Creds(creds))
 	// This is because TLS handshaking occurs in cmux handling
 	sOpts = append(sOpts, grpc.ChainStreamInterceptor(
+		// for mitigation of grpc-go CVE-2026-33186, see https://github.com/argoproj/argo-cd/issues/26932
+		grpc_util.InvalidMethodNameErrorStreamServerInterceptor(),
 		logging.StreamServerInterceptor(grpc_util.InterceptorLogger(server.log)),
 		serverMetrics.StreamServerInterceptor(),
 		grpc_auth.StreamServerInterceptor(server.Authenticate),
@@ -960,6 +962,8 @@ func (server *ArgoCDServer) newGRPCServer(prometheusRegistry *prometheus.Registr
 		recovery.StreamServerInterceptor(recovery.WithRecoveryHandler(grpc_util.LoggerRecoveryHandler(server.log))),
 	))
 	sOpts = append(sOpts, grpc.ChainUnaryInterceptor(
+		// for mitigation of grpc-go CVE-2026-33186, see https://github.com/argoproj/argo-cd/issues/26932
+		grpc_util.InvalidMethodNameErrorUnaryServerInterceptor(),
 		bug21955WorkaroundInterceptor,
 		logging.UnaryServerInterceptor(grpc_util.InterceptorLogger(server.log)),
 		serverMetrics.UnaryServerInterceptor(),

server/server_test.go

@@ -18,6 +18,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/metadata"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -29,6 +30,7 @@ import (
 
 	"github.com/argoproj/argo-cd/v3/common"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient"
+	"github.com/argoproj/argo-cd/v3/pkg/apiclient/project"
 	"github.com/argoproj/argo-cd/v3/pkg/apiclient/session"
 	"github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 	apps "github.com/argoproj/argo-cd/v3/pkg/client/clientset/versioned/fake"
@@ -40,6 +42,10 @@ import (
 	"github.com/argoproj/argo-cd/v3/util/cache"
 	appstatecache "github.com/argoproj/argo-cd/v3/util/cache/appstate"
 	"github.com/argoproj/argo-cd/v3/util/oidc"
+
+	"google.golang.org/grpc/credentials/insecure"
+
+	grpc_util "github.com/argoproj/argo-cd/v3/util/grpc"
 	"github.com/argoproj/argo-cd/v3/util/rbac"
 	settings_util "github.com/argoproj/argo-cd/v3/util/settings"
 	testutil "github.com/argoproj/argo-cd/v3/util/test"
@@ -1710,3 +1716,101 @@ func Test_StaticAssetsDir_no_symlink_traversal(t *testing.T) {
 	resp = w.Result()
 	assert.Equal(t, http.StatusOK, resp.StatusCode, "should have been able to access the normal file")
 }
+
+// test mitigation for  grpc-go CVE-2026-33186, see https://github.com/argoproj/argo-cd/issues/26932
+func TestGrpcInvalidMethodNameCVEFix(t *testing.T) {
+	timeout := 10 * time.Second
+	listenHost := "localhost"
+	listenPort, err := test.GetFreePort()
+	require.NoError(t, err)
+	serverAddr := fmt.Sprintf("%s:%d", listenHost, listenPort)
+	redis, redisCloser := test.NewInMemoryRedis()
+	defer redisCloser()
+	argoCDOpts := ArgoCDServerOpts{
+		DisableAuth:   true,
+		Insecure:      true,
+		ListenPort:    listenPort,
+		ListenHost:    listenHost,
+		Namespace:     test.FakeArgoCDNamespace,
+		KubeClientset: fake.NewSimpleClientset(test.NewFakeConfigMap(), test.NewFakeSecret()),
+		AppClientset:  apps.NewSimpleClientset(),
+		RepoClientset: &mocks.Clientset{RepoServerServiceClient: &mocks.RepoServerServiceClient{}},
+		RedisClient:   redis,
+	}
+	runCtx, runCancel := context.WithTimeout(t.Context(), timeout)
+	defer runCancel()
+	argocd := NewServer(runCtx, argoCDOpts, ApplicationSetOpts{})
+	assert.NotNil(t, argocd)
+	listeners, err := argocd.Listen()
+	require.NoError(t, err)
+	ctx, cancel := context.WithCancel(t.Context())
+	defer cancel()
+	argocd.Init(ctx)
+
+	wg := gosync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		defer wg.Done()
+		argocd.Run(ctx, listeners)
+	}()
+
+	err = test.WaitForPortListen(serverAddr, timeout)
+	require.NoError(t, err)
+
+	var dialOpts []grpc.DialOption
+	creds := insecure.NewCredentials()
+	conn, err := grpc_util.BlockingNewClient(ctx, "tcp", serverAddr, creds, dialOpts...)
+	require.NoError(t, err)
+	defer conn.Close()
+
+	projectGetOut := new(v1alpha1.AppProject)
+	projectGetIn := &project.ProjectQuery{Name: "default"}
+	invalidunaryServiceName := "project.ProjectService/Get"
+	invalidStreamingMethodName := "application.ApplicationService/GetManifestsWithFiles"
+
+	streamDesc := &grpc.StreamDesc{
+		StreamName:    "dummy_stream",
+		ClientStreams: true,
+		ServerStreams: false,
+	}
+
+	t.Run("unary method with invalid name", func(t *testing.T) {
+		err = conn.Invoke(ctx, invalidunaryServiceName, projectGetIn, projectGetOut)
+		// it should fail with the "malformed method name" error message from interceptor,
+		// but it does not, because unary methods do not seem to be vulnerable because of
+		// the way their handler code is autogenerated: if there are interceptors
+		// it implicitly sanitizes the service name before calling the actual handler,
+		require.NoError(t, err)
+	})
+	t.Run("unary method with valid name", func(t *testing.T) {
+		err = conn.Invoke(ctx, "/"+invalidunaryServiceName, projectGetIn, projectGetOut)
+		require.NoError(t, err)
+	})
+	t.Run("streaming method with invalid name", func(t *testing.T) {
+		stream, err := conn.NewStream(ctx, streamDesc, invalidStreamingMethodName)
+		require.NoError(t, err)
+		err = stream.CloseSend()
+		require.NoError(t, err)
+		var resp any
+		err = stream.RecvMsg(&resp)
+		// ensure we get error method from interceptor
+		require.ErrorContains(t, err, "code = InvalidArgument desc = malformed method name: \""+invalidStreamingMethodName+"\"")
+	})
+	t.Run("streaming method with valid name", func(t *testing.T) {
+		stream, err := conn.NewStream(ctx, streamDesc, "/"+invalidStreamingMethodName)
+		require.NoError(t, err)
+		err = stream.CloseSend()
+		require.NoError(t, err)
+		var resp any
+		err = stream.RecvMsg(&resp)
+		// ensure we get the expected error from the actual logic of the method
+		require.ErrorContains(t, err, "code = Unknown desc = error getting query: failed to receive header: EOF")
+	})
+	argocd.stopCh <- syscall.SIGINT
+	wg.Wait()
+
+	err = argocd.healthCheck(&http.Request{URL: &url.URL{Path: "/healthz", RawQuery: "full=true"}})
+	require.Error(t, err, "API Server is terminating and unable to serve requests.")
+	assert.True(t, argocd.terminateRequested.Load())
+	assert.False(t, argocd.available.Load())
+}

ui/src/app/applications/components/application-status-panel/application-status-panel.tsx

@@ -8,6 +8,7 @@ import {services} from '../../../shared/services';
 import {
     ApplicationSyncWindowStatusIcon,
     ComparisonStatusIcon,
+    formatApplicationSetProgressiveSyncStep,
     getAppDefaultSource,
     getAppDefaultSyncRevisionExtra,
     getAppOperationState,
@@ -130,7 +131,7 @@ const ProgressiveSyncStatus = ({application}: {application: models.Application})
                         <div className='application-status-panel__item-value' style={{color: getProgressiveSyncStatusColor(appResource.status)}}>
                             {getProgressiveSyncStatusIcon({status: appResource.status})}&nbsp;{appResource.status}
                         </div>
-                        {appResource?.step && <div className='application-status-panel__item-value'>Wave: {appResource.step}</div>}
+                        {appResource?.step !== undefined && <div className='application-status-panel__item-value'>{formatApplicationSetProgressiveSyncStep(appResource.step)}</div>}
                         {lastTransitionTime && (
                             <div className='application-status-panel__item-name' style={{marginBottom: '0.5em'}}>
                                 Last Transition: <br />

ui/src/app/applications/components/utils.tsx

@@ -1762,6 +1762,14 @@ export function getAppUrl(app: appModels.Application): string {
     return `applications/${app.metadata.namespace}/${app.metadata.name}`;
 }
 
+/** RollingSync step for display; backend uses -1 when no step matches the app's labels. */
+export function formatApplicationSetProgressiveSyncStep(step: string | undefined): string {
+    if (step === '-1') {
+        return 'Step: unmatched label';
+    }
+    return `Step: ${step ?? ''}`;
+}
+
 export const getProgressiveSyncStatusIcon = ({status, isButton}: {status: string; isButton?: boolean}) => {
     const getIconProps = () => {
         switch (status) {

util/grpc/errors.go

@@ -3,6 +3,8 @@ package grpc
 import (
 	"context"
 	"errors"
+	"fmt"
+	"strings"
 
 	giterr "github.com/go-git/go-git/v5/plumbing/transport"
 	"google.golang.org/grpc"
@@ -132,3 +134,25 @@ func ErrorCodeK8sStreamServerInterceptor() grpc.StreamServerInterceptor {
 		return kubeErrToGRPC(err)
 	}
 }
+
+// InvalidMethodNameErrorUnaryServerInterceptor is for mitigation of grpc-go CVE-2026-33186
+// see discussion in https://github.com/argoproj/argo-cd/issues/26932
+func InvalidMethodNameErrorUnaryServerInterceptor() grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (resp any, err error) {
+		if !strings.HasPrefix(info.FullMethod, "/") {
+			return nil, status.Error(codes.InvalidArgument, fmt.Sprintf("malformed method name: %q", info.FullMethod))
+		}
+		return handler(ctx, req)
+	}
+}
+
+// InvalidMethodNameErrorStreamServerInterceptor is for mitigation of grpc-go CVE-2026-33186
+// see discussion in https://github.com/argoproj/argo-cd/issues/26932
+func InvalidMethodNameErrorStreamServerInterceptor() grpc.StreamServerInterceptor {
+	return func(srv any, ss grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
+		if !strings.HasPrefix(info.FullMethod, "/") {
+			return status.Error(codes.InvalidArgument, fmt.Sprintf("malformed method name: %q", info.FullMethod))
+		}
+		return handler(srv, ss)
+	}
+}

util/grpc/errors_test.go

@@ -1,10 +1,12 @@
 package grpc
 
 import (
+	"context"
 	"errors"
 	"fmt"
 	"testing"
 
+	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -153,3 +155,56 @@ func Test_kubeErrToGRPC(t *testing.T) {
 		})
 	}
 }
+
+func checkGrpcError(t *testing.T, err error, msg string) {
+	t.Helper()
+	require.Error(t, err)
+	s, ok := status.FromError(err)
+	assert.True(t, ok)
+	assert.Equal(t, codes.InvalidArgument, s.Code())
+	assert.ErrorContains(t, err, msg)
+}
+
+func TestInvalidMethodNameErrorUnaryServerInterceptor(t *testing.T) {
+	interceptor := InvalidMethodNameErrorUnaryServerInterceptor()
+	handler := func(_ context.Context, _ any) (any, error) {
+		return nil, nil
+	}
+	t.Run("Test invalid method name", func(t *testing.T) {
+		info := &grpc.UnaryServerInfo{FullMethod: "foo"}
+		_, err := interceptor(t.Context(), nil, info, handler)
+		checkGrpcError(t, err, "malformed method name: \"foo\"")
+	})
+	t.Run("Test empty method name", func(t *testing.T) {
+		info := &grpc.UnaryServerInfo{FullMethod: ""}
+		_, err := interceptor(t.Context(), nil, info, handler)
+		checkGrpcError(t, err, "malformed method name: \"\"")
+	})
+	t.Run("Test valid method name", func(t *testing.T) {
+		info := &grpc.UnaryServerInfo{FullMethod: "/foo"}
+		_, err := interceptor(t.Context(), nil, info, handler)
+		assert.NoError(t, err)
+	})
+}
+
+func TestInvalidMethodNameErrorStreamServerInterceptor(t *testing.T) {
+	interceptor := InvalidMethodNameErrorStreamServerInterceptor()
+	handler := func(_ any, _ grpc.ServerStream) error {
+		return nil
+	}
+	t.Run("Test invalid method name", func(t *testing.T) {
+		info := &grpc.StreamServerInfo{FullMethod: "foo"}
+		err := interceptor(t.Context(), nil, info, handler)
+		checkGrpcError(t, err, "malformed method name: \"foo\"")
+	})
+	t.Run("Test empty method name", func(t *testing.T) {
+		info := &grpc.StreamServerInfo{FullMethod: ""}
+		err := interceptor(t.Context(), nil, info, handler)
+		checkGrpcError(t, err, "malformed method name: \"\"")
+	})
+	t.Run("Test valid method name", func(t *testing.T) {
+		info := &grpc.StreamServerInfo{FullMethod: "/foo"}
+		err := interceptor(nil, nil, info, handler)
+		assert.NoError(t, err)
+	})
+}