feat: Argo CD v2.4.11 (argoproj#79)

* Merge pull request from GHSA-pmjg-52h9-72qv

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

formatting

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

fixes from comments

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

fix test

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

* Merge pull request from GHSA-7943-82jg-wmw5

* add tests to demonstrate issue

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

more

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

docs

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

settings tests

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

tests for OIDC handlers, consolidating test helpers

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

consolidate

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

consolidate

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

docs

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

* fix log message

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

* Bump version to 2.4.5

* Bump version to 2.4.5

* test: check for error messages from CI env (argoproj#9953)

test: check for error messages from CI env (argoproj#9953)

Signed-off-by: CI <michael@crenshaw.dev>

* docs: getting started notes on self-signed cert (argoproj#9429) (argoproj#9784)

* Fix argoproj#9429: A couple of notes in the docs to explain that the default certificate is insecure.

Signed-off-by: Jim Talbut <jim.talbut@groupgti.com>

* Fixes argoproj#9429: More verbose, but complete, text for Getting Started.

Signed-off-by: Jim Talbut <jim.talbut@groupgti.com>

* docs: Document the possibility of rendering Helm charts with Kustomize (argoproj#9841)

* Update kustomize.md

Resolves  argoproj#7835.

Signed-off-by: Didrik Finnøy <djfinnoy@protonmail.com>

* Removed unnecessary command flag from example. Minor text edits.

Signed-off-by: Didrik Finnøy <djfinnoy@protonmail.com>

* spelling

Signed-off-by: Didrik Finnøy <djfinnoy@protonmail.com>

* docs: small fix for plugin stream filtering (argoproj#9871)

Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com>

* argoproj#9429: Adding blank line so list is formatted correctly. (argoproj#9880)

Signed-off-by: CI <michael@crenshaw.dev>

* fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118) (argoproj#9821)

* fix: argo-cd git submodule is using SSH auth instead of HTTPs (argoproj#3118)

Signed-off-by: shunki-fujita <shunki-fujita@cybozu.co.jp>

* Add submodule functions and unit tests
Signed-off-by: shunki-fujita <shunki-fujita@cybozu.co.jp>

* fix: Make change of tracking method work at runtime (argoproj#9820)

* fix: Make change of tracking method work at runtime

Signed-off-by: jannfis <jann@mistrust.net>

* GetAppName() will figure tracking label or annotation on its own

Signed-off-by: jannfis <jann@mistrust.net>

* Correct test comments and add another test

Signed-off-by: jannfis <jann@mistrust.net>

* Add a read lock before getting cache settings

Signed-off-by: jannfis <jann@mistrust.net>

* fix: Check tracking annotation for being self-referencing (argoproj#9791)

* fix: Check tracking annotation for being self-referencing

Signed-off-by: jannfis <jann@mistrust.net>

* Tweak isManagedLiveObj() logic

Signed-off-by: jannfis <jann@mistrust.net>

* Rename isManagedLiveResource to isSelfReferencedObj

Signed-off-by: jannfis <jann@mistrust.net>

* Add e2e test

Signed-off-by: jannfis <jann@mistrust.net>

* fix: add missing download CLI tool link for ppc64le, s390x (argoproj#9649)

Signed-off-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr>

* fix: NotAfter is not set when ValidFor is set (argoproj#9911)

Signed-off-by: yongguangl <1363186473@qq.com>

* fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s (argoproj#9922)

* fix: CMP manifest generation fails with ENHANCE_YOUR_CALM if over 40s

Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com>

* fix timeouts across all gRPC servers

Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com>

* use common consts

Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com>

* fix: argocd login just hangs on 2.4.0 argoproj#9679 (argoproj#9935)

Signed-off-by: Xiao Yang <muma.378@163.com>

Co-authored-by: Michael Crenshaw <michael@crenshaw.dev>
Signed-off-by: CI <michael@crenshaw.dev>

* test: Use dedicated multi-arch workloads in e2e tests (argoproj#9921)

* test: Use dedicated multi-arch workloads in e2e tests

Signed-off-by: jannfis <jann@mistrust.net>

* Use correct tag

Signed-off-by: jannfis <jann@mistrust.net>

* feat: Treat connection reset as a retryable error (argoproj#9739)

Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>

* fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605) (argoproj#9895)

* fix: 'unexpected reserved bits' breaking web terminal (argoproj#9605)

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

* make things more like they were originally, since the mutex fixes the problem

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

* fix typo, don't pass around a pointer when it isn't necessary

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

* apply suggestions

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

* docs: add terminal documentation (argoproj#9948)

Signed-off-by: notfromstatefarm <86763948+notfromstatefarm@users.noreply.github.com>

* docs: fix typo in Generators-Git.md (argoproj#9949)

`ApplictionSet` --> `ApplicationSet`
Signed-off-by: CI <michael@crenshaw.dev>

* chore: fix build error

Signed-off-by: CI <michael@crenshaw.dev>

* Bump version to 2.4.6

* Bump version to 2.4.6

* docs: supported versions (argoproj#9876)

* docs: supported versions

Signed-off-by: Kostis Kapelonis <kostis@codefresh.io>

* docs: supported versions feedback

Signed-off-by: Kostis Kapelonis <kostis@codefresh.io>

* fix: add missing download CLI tool URL response for ppc64le, s390x (argoproj#9983)

Signed-off-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr>

* fix: e2e test to use func from clusterauth instead creating one with old logic (argoproj#9989)

Signed-off-by: rishabh625 <rishabhmishra625@gmail.com>

* fix: updated all a tags to Link tags in app summary (argoproj#9777)

* fix: updated all a tags to Link tags

Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com>

* fix: revert external links to a tags

Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com>

* fix: linting

Signed-off-by: Soumya Ghosh Dastidar <gdsoumya@gmail.com>

* docs: simplify Docker toolchain docs (argoproj#9966) (argoproj#10006)

* docs: simplify Docker toolchain docs (argoproj#9966)

Signed-off-by: CI <michael@crenshaw.dev>

* to be or not to be

Signed-off-by: CI <michael@crenshaw.dev>

* pin dependencies to avoid absurdity

Signed-off-by: CI <michael@crenshaw.dev>

* docs: document directory app include/exclude fields (argoproj#9997)

Signed-off-by: CI <michael@crenshaw.dev>

* fix: terminal websocket write lock to avoid races (argoproj#10011)

* fix: protect terminal WriteMessage with a lock

Signed-off-by: CI <michael@crenshaw.dev>

* give write its own lock

Signed-off-by: CI <michael@crenshaw.dev>

* docs: use quotes to emphasize that ConfigMap value is a string (argoproj#9995)

Signed-off-by: CI <michael@crenshaw.dev>

* Support files in argocd.argoproj.io/manifest-generate-paths annotation (argoproj#9908)

Signed-off-by: Jim Wright <jmwri93@gmail.com>

* chore: upgrade parse-url to avoid SNYK-JS-PARSEURL-2936249 (argoproj#9826)

Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>

* Bump version to 2.4.7

* Bump version to 2.4.7

* chore: update haproxy to 2.0.29 for redis-ha (argoproj#10045)

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

* chore: update redis to avoid CVE-2022-2097 (argoproj#10031)

* chore: update redis to avoid CVE-2022-2097

Signed-off-by: CI <michael@crenshaw.dev>

* codegen

Signed-off-by: CI <michael@crenshaw.dev>

* chore: upgrade Dex to 2.32.0 (argoproj#10036) (argoproj#10042)

Signed-off-by: CI <michael@crenshaw.dev>

* docs: add argocd-server grpc metric usage (argoproj#10007)

Signed-off-by: Ashutosh <mail.ashutosh8@gmail.com>

Co-authored-by: Ashutosh <mail.ashutosh8@gmail.com>
Signed-off-by: CI <michael@crenshaw.dev>

* chore: update redis to 7.0.4 avoid CVE-2022-30065 (argoproj#10059)

Signed-off-by: Justin Marquis <34fathombelow@protonmail.com>

* fix: Set HOST_ARCH for yarn build from platform (argoproj#10018)

Signed-off-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr>

* docs: add api field example in the appset security doc (argoproj#10087)

It seems like most of the work for the mentioned issue below is done
under the PR argoproj#9466 but from the issue description, it's probably
worth to mention the example as added here.

Related argoproj#9352

Signed-off-by: Sahdev Zala <spzala@us.ibm.com>

* chore: update parse-url (argoproj#10101)

* chore: upgrade parse-url

Signed-off-by: CI <michael@crenshaw.dev>

* edit a generated file, because that's smart

Signed-off-by: CI <michael@crenshaw.dev>

* fix: avoid CVE-2022-28948 (argoproj#10093)

Signed-off-by: CI <michael@crenshaw.dev>

* docs: add OpenSSH breaking change notes (argoproj#10104)

Signed-off-by: CI <michael@crenshaw.dev>

* fix: skip redirect url validation when it's the base href (argoproj#10058) (argoproj#10116)

* fix: skip redirect url validation when it's the base href (argoproj#10058)

Signed-off-by: CI <michael@crenshaw.dev>

nicer way of doing it

Signed-off-by: CI <michael@crenshaw.dev>

* fix missin arg

Signed-off-by: CI <michael@crenshaw.dev>

* fix: upgrade moment from 2.29.2 to 2.29.3 (argoproj#9330)

Snyk has created this PR to upgrade moment from 2.29.2 to 2.29.3.

See this package in npm:


See this project in Snyk:
https://app.snyk.io/org/argoproj/project/d2931792-eef9-4d7c-b9d6-c0cbd2bd4dbe?utm_source=github&utm_medium=referral&page=upgrade-pr
Signed-off-by: CI <michael@crenshaw.dev>

* chore(deps): bump moment from 2.29.3 to 2.29.4 in /ui (argoproj#9897)

Bumps [moment](https://github.com/moment/moment) from 2.29.3 to 2.29.4.
- [Release notes](https://github.com/moment/moment/releases)
- [Changelog](https://github.com/moment/moment/blob/develop/CHANGELOG.md)
- [Commits](moment/moment@2.29.3...2.29.4)

Signed-off-by: CI <michael@crenshaw.dev>
---
updated-dependencies:
- dependency-name: moment
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: support multiple extensions per resource group/kind (argoproj#9834)

* feat: support multiple extensions per resource group/kind

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

* apply reviewers suggestions

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

* apply reviewer notes: stream extension files one by one

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

* wrap errors

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

* skip symlinks

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

* feat: support application level extensions (argoproj#9923)

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

* fix: extensions is not loading for ConfigMap/Pods (argoproj#10010)

Signed-off-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>

* Bump version to 2.4.8

* Bump version to 2.4.8

* docs: Fixed indentation Error (argoproj#10123)

* Fixed indentation Error

Signed-off-by: iflan7744 <iflan_mohamed@yahoo.com>

* Fixed indentation Error for top-level data key

Signed-off-by: iflan7744 <iflan_mohamed@yahoo.com>

Co-authored-by: iflan7744 <iflan_mohamed@yahoo.com>
Signed-off-by: CI <michael@crenshaw.dev>

* docs: fix kustomize namePrefix misconception in application.yaml (argoproj#10162)

* Update docs/operator-manual/application.yaml

- Removed comment about what namePrefix does. (i.e. it does not add a prefix to the image)
- Added examples of other supported transformers. (based on looking at the source code)
- Added link to the kustomize docs where the transormers are described in more detail.

* Update kustomize casing to be consistent

Signed-off-by: whyvez <yves@premise.com>

* docs: improve Installation.md (argoproj#10173)

Signed-off-by: xin.li <xin.li@daocloud.io>

* docs: Use ConfigMap to disable TLS (argoproj#10106)

* docs: Use ConfigMap to disable TLS

Signed-off-by: Renaud Guerin <renaud@renaudguerin.net>

* Fix typo

Signed-off-by: Renaud Guerin <renaud@renaudguerin.net>

* docs: correct the api field description for the GitLab example (argoproj#10081)

The api field description for the GitLab example seems mistakenly
copied from the GitHub example.

Signed-off-by: Sahdev Zala <spzala@us.ibm.com>

* fix: Ignore non-self-referencing resources while pruning (argoproj#10198)

* fix: Ignore non-self-referencing resources while pruning

Signed-off-by: jannfis <jann@mistrust.net>

* fix: UI part for logs RBAC - do not display the logs tab when no RBAC in place (argoproj#7211) (argoproj#9828)

* show logs tab only upon explicit rbac allow policy

Signed-off-by: reggie-k <reginakagan@gmail.com>

* 2.4.7 docs edit

Signed-off-by: reggie-k <reginakagan@gmail.com>

* fix:  Drop all references to exec unless the feature is enabled (argoproj#9920) (argoproj#10187)

* fix:  Drop all references to exec unless the feature is enabled argoproj#9920

Signed-off-by: Patrick Kerwood <patrick@kerwood.dk>

* fixed tslint issues

Signed-off-by: Patrick Kerwood <patrick@kerwood.dk>

* docs(applicationset): fix layout matrix/merge generator restrictions (argoproj#10246)

Co-authored-by: Michael Crenshaw <michael@crenshaw.dev>

Signed-off-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>

* docs: fix microsoft user management mapping role (argoproj#10251)

Signed-off-by: CI <michael@crenshaw.dev>

* docs: Document ignoreAggregatedRoles setting (argoproj#10206)

Signed-off-by: Brandon High <highb@users.noreply.github.com>

* docs: fix version reference for logs UI fix (argoproj#10245)

Signed-off-by: CI <michael@crenshaw.dev>

* Bump version to 2.4.9

* Bump version to 2.4.9

* docs: clusterResources in declarative cluster config (argoproj#10219)

* docs: clusterResources in declarative cluster config

Signed-off-by: CI <michael@crenshaw.dev>

* add article

Signed-off-by: CI <michael@crenshaw.dev>

Signed-off-by: CI <michael@crenshaw.dev>

* fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285) (argoproj#10287)

* fix: respect ARGOCD_GIT_MODULES_ENABLED in the appset controller (argoproj#10285)

Signed-off-by: CI <michael@crenshaw.dev>

* remove duplicate line

Signed-off-by: CI <michael@crenshaw.dev>

Signed-off-by: CI <michael@crenshaw.dev>

* fix: Suppressed ssh scheme url warn log (argoproj#9836)

* Fixed ssh scheme warn log degrade by argoproj#8508
Signed-off-by: kenchan0130 <tt.tanishi100@gmail.com>

* Expanded repository type getCAPath testing
Signed-off-by: kenchan0130 <tt.tanishi100@gmail.com>

* docs: Document safe concurrent processing of sidecar CMP (argoproj#10336)

Signed-off-by: jsmcnair <john.mcnair@yellowdog.co>

Signed-off-by: jsmcnair <john.mcnair@yellowdog.co>

* docs: Add "Create Namespace" to sync options doc (argoproj#3490) (argoproj#10326)

* Add create namespace to the sync options doc

Signed-off-by: JesseBot <jessebot@linux.com>

* Update docs/user-guide/sync-options.md

Co-authored-by: Michael Crenshaw <michael@crenshaw.dev>

Signed-off-by: JesseBot <jessebot@linux.com>
Co-authored-by: Michael Crenshaw <michael@crenshaw.dev>

* fix: missing actions (argoproj#10327) (argoproj#10359)

Signed-off-by: CI <michael@crenshaw.dev>

Signed-off-by: CI <michael@crenshaw.dev>

* Bump version to 2.4.10

* Bump version to 2.4.10

* docs: fix typo in upgrade notes (argoproj#10377)

Signed-off-by: Xijun Dai <daixijun1990@gmail.com>

Signed-off-by: Xijun Dai <daixijun1990@gmail.com>

* fix: Correctly assume cluster-scoped resources to be self-referenced (argoproj#10390)

Signed-off-by: jannfis <jann@mistrust.net>

Signed-off-by: jannfis <jann@mistrust.net>

* Pin gitops-engine to v0.7.3

Signed-off-by: jannfis <jann@mistrust.net>

* Bump version to 2.4.11

* Bump version to 2.4.11

* docs: Changes for v2.4.11

Updated the CHANGES.md to represent what changes the pull request will introduce.

Contributes to: automation-saas/native-AWS#2523

Signed-off-by: Sujeily Fonseca <sujeily.fonseca@ibm.com>

Co-authored-by: Michael Crenshaw <michael@crenshaw.dev>
Co-authored-by: argo-bot <argoproj@gmail.com>
Co-authored-by: YaytayAtWork <jim.talbut@groupgti.com>
Co-authored-by: Didrik Finnøy <djfinnoy@protonmail.com>
Co-authored-by: Jake <86763948+notfromstatefarm@users.noreply.github.com>
Co-authored-by: Shunki <75064402+shunki-fujita@users.noreply.github.com>
Co-authored-by: jannfis <jann@mistrust.net>
Co-authored-by: Hyeonmin Park <hyeonmin.park@kennysoft.kr>
Co-authored-by: yongguangl <1363186473@qq.com>
Co-authored-by: Xiao Yang <muma.378@163.com>
Co-authored-by: Yuan Tang <terrytangyuan@gmail.com>
Co-authored-by: taksenov <TAksenov@users.noreply.github.com>
Co-authored-by: Kostis (Codefresh) <39800303+kostis-codefresh@users.noreply.github.com>
Co-authored-by: rishabh625 <43094970+rishabh625@users.noreply.github.com>
Co-authored-by: Soumya Ghosh Dastidar <44349253+gdsoumya@users.noreply.github.com>
Co-authored-by: Jim Wright <jmwri@users.noreply.github.com>
Co-authored-by: 34FathomBelow <34fathombelow@protonmail.com>
Co-authored-by: Ashutosh <11219262+ashutosh16@users.noreply.github.com>
Co-authored-by: Ashutosh <mail.ashutosh8@gmail.com>
Co-authored-by: Sahdev Zala <spzala@us.ibm.com>
Co-authored-by: Snyk bot <snyk-bot@snyk.io>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Alexander Matyushentsev <AMatyushentsev@gmail.com>
Co-authored-by: Mohamed Iflan <55939511+iflan7744@users.noreply.github.com>
Co-authored-by: iflan7744 <iflan_mohamed@yahoo.com>
Co-authored-by: Yves Richard <yves@klaodlabs.com>
Co-authored-by: my-git9 <xin.li@daocloud.io>
Co-authored-by: Renaud Guérin <renaud@renaudguerin.net>
Co-authored-by: reggie-k <reginakagan@gmail.com>
Co-authored-by: Kerwood <patrick@kerwood.dk>
Co-authored-by: Sverre Boschman <1142569+sboschman@users.noreply.github.com>
Co-authored-by: César M. Cristóbal <cesar@callepuzzle.com>
Co-authored-by: Brandon High <highb@users.noreply.github.com>
Co-authored-by: Tadayuki Onishi <tt.tanishi100@gmail.com>
Co-authored-by: jsmcnair <john@jsmcnair.com>
Co-authored-by: JesseBot <jessebot@linux.com>
Co-authored-by: Xijun Dai <daixijun1990@gmail.com>

.github/workflows/ci-build.yaml

@@ -407,7 +407,7 @@ jobs:
         run: |
           docker pull quay.io/dexidp/dex:v2.25.0
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.0-alpine
+          docker pull redis:7.0.4-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist

CHANGELOG.md

@@ -13,9 +13,13 @@ commands, and helps to troubleshoot the application state.
 Argo CD is used to manage the critical infrastructure of multiple organizations, which makes security the top priority of the project. We've listened to
 your feedback and introduced additional access control settings that control access to Kubernetes Pod logs and the new Web Terminal feature.
 
-#### Known UI Issue for Pod Logs Access
+#### Pod Logs UI
 
-Currently, upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
+Since 2.4.9, the LOGS tab in pod view is visible in the UI only for users with explicit allow get logs policy.
+
+#### Known pod logs UI issue prior to 2.4.9
+
+Upon pressing the "LOGS" tab in pod view by users who don't have an explicit allow get logs policy, the red "unable to load data: Internal error" is received in the bottom of the screen, and "Failed to load data, please try again" is displayed.
 
 ### OpenTelemetry Tracing Integration
 

CHANGES.md

@@ -1,11 +1,11 @@
 # ArgoCD
 Forked from: [argoproj/argo-cd](https://github.com/argoproj/argo-cd)
 
-## v2.4.4 (Base)
+## v2.4.11 (Base)
 Argo CD's latest stable release, as of July 7, 2022, is v2.4.4. The list of Argo CD releases can be accessed [here](https://github.com/argoproj/argo-cd/releases)
 
-## v2.4.4 (Fork)
-The changes were rebased based on v2.4.4. The following section details the enhancements made to Argo CD Extensions that were integrated in Argo CD.
+## v2.4.11-patched (Fork)
+The changes were rebased based on v2.4.11. The following section details the enhancements made to Argo CD Extensions that were integrated into Argo CD.
 
 ### Resource Customization ConfigMap
 Pulls in resource overrides from the resource customization `ConfigMap`. This `ConfigMap` will only exist if created by 

Dockerfile

@@ -116,12 +116,13 @@ COPY ["ui/", "."]
 
 ARG ARGO_VERSION=latest
 ENV ARGO_VERSION=$ARGO_VERSION
-RUN HOST_ARCH='amd64' NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build
+ARG TARGETARCH
+RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OPTIONS=--max_old_space_size=8192 yarn build
 
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM  docker.io/library/golang:1.18 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.18 AS argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 

VERSION

@@ -1 +1 @@
-2.4.4
+2.4.11

applicationset/services/repo_service.go

@@ -19,8 +19,9 @@ type RepositoryDB interface {
 }
 
 type argoCDService struct {
-	repositoriesDB RepositoryDB
-	storecreds     git.CredsStore
+	repositoriesDB   RepositoryDB
+	storecreds       git.CredsStore
+	submoduleEnabled bool
 }
 
 type Repos interface {
@@ -32,11 +33,12 @@ type Repos interface {
 	GetDirectories(ctx context.Context, repoURL string, revision string) ([]string, error)
 }
 
-func NewArgoCDService(db db.ArgoDB, gitCredStore git.CredsStore, repoServerAddress string) Repos {
+func NewArgoCDService(db db.ArgoDB, gitCredStore git.CredsStore, submoduleEnabled bool) Repos {
 
 	return &argoCDService{
-		repositoriesDB: db.(RepositoryDB),
-		storecreds:     gitCredStore,
+		repositoriesDB:   db.(RepositoryDB),
+		storecreds:       gitCredStore,
+		submoduleEnabled: submoduleEnabled,
 	}
 }
 
@@ -52,7 +54,7 @@ func (a *argoCDService) GetFiles(ctx context.Context, repoURL string, revision s
 		return nil, err
 	}
 
-	err = checkoutRepo(gitRepoClient, revision)
+	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
 	if err != nil {
 		return nil, err
 	}
@@ -86,7 +88,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 		return nil, err
 	}
 
-	err = checkoutRepo(gitRepoClient, revision)
+	err = checkoutRepo(gitRepoClient, revision, a.submoduleEnabled)
 	if err != nil {
 		return nil, err
 	}
@@ -128,7 +130,7 @@ func (a *argoCDService) GetDirectories(ctx context.Context, repoURL string, revi
 
 }
 
-func checkoutRepo(gitRepoClient git.Client, revision string) error {
+func checkoutRepo(gitRepoClient git.Client, revision string, submoduleEnabled bool) error {
 	err := gitRepoClient.Init()
 	if err != nil {
 		return fmt.Errorf("Error during initializing repo: %w", err)
@@ -143,7 +145,7 @@ func checkoutRepo(gitRepoClient git.Client, revision string) error {
 	if err != nil {
 		return fmt.Errorf("Error during fetching commitSHA: %w", err)
 	}
-	err = gitRepoClient.Checkout(commitSHA, true)
+	err = gitRepoClient.Checkout(commitSHA, submoduleEnabled)
 	if err != nil {
 		return fmt.Errorf("Error during repo checkout: %w", err)
 	}

cmd/argocd-applicationset-controller/commands/applicationset_controller.go

@@ -18,6 +18,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/applicationset/utils"
 	"github.com/argoproj/argo-cd/v2/common"
 	"github.com/argoproj/argo-cd/v2/reposerver/askpass"
+	"github.com/argoproj/argo-cd/v2/util/env"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -37,6 +38,11 @@ import (
 	argosettings "github.com/argoproj/argo-cd/v2/util/settings"
 )
 
+// TODO: load this using Cobra. https://github.com/argoproj/argo-cd/issues/10157
+func getSubmoduleEnabled() bool {
+	return env.ParseBoolFromEnv(common.EnvGitSubmoduleEnabled, true)
+}
+
 func NewCommand() *cobra.Command {
 	var (
 		clientConfig         clientcmd.ClientConfig
@@ -136,7 +142,7 @@ func NewCommand() *cobra.Command {
 			terminalGenerators := map[string]generators.Generator{
 				"List":                    generators.NewListGenerator(),
 				"Clusters":                generators.NewClusterGenerator(mgr.GetClient(), context.Background(), k8sClient, namespace),
-				"Git":                     generators.NewGitGenerator(services.NewArgoCDService(argoCDDB, askPassServer, argocdRepoServer)),
+				"Git":                     generators.NewGitGenerator(services.NewArgoCDService(argoCDDB, askPassServer, getSubmoduleEnabled())),
 				"SCMProvider":             generators.NewSCMProviderGenerator(mgr.GetClient()),
 				"ClusterDecisionResource": generators.NewDuckTypeGenerator(context.Background(), dynamicClient, k8sClient, namespace),
 				"PullRequest":             generators.NewPullRequestGenerator(mgr.GetClient()),

cmd/argocd/commands/login.go

@@ -68,7 +68,8 @@ argocd login cd.argoproj.io --core`,
 				server = "kubernetes"
 			} else {
 				server = args[0]
-				tlsTestResult, err := grpc_util.TestTLS(server)
+				dialTime := 30 * time.Second
+				tlsTestResult, err := grpc_util.TestTLS(server, dialTime)
 				errors.CheckError(err)
 				if !tlsTestResult.TLS {
 					if !globalClientOpts.PlainText {

cmpserver/server.go

@@ -2,12 +2,13 @@ package cmpserver
 
 import (
 	"fmt"
-	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
 	"net"
 	"os"
 	"os/signal"
 	"syscall"
 
+	"go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc"
+
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpc_logrus "github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus"
 	grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
@@ -24,6 +25,7 @@ import (
 	"github.com/argoproj/argo-cd/v2/server/version"
 	"github.com/argoproj/argo-cd/v2/util/errors"
 	grpc_util "github.com/argoproj/argo-cd/v2/util/grpc"
+	"google.golang.org/grpc/keepalive"
 )
 
 // ArgoCDCMPServer is the config management plugin server implementation
@@ -61,6 +63,11 @@ func NewServer(initConstants plugin.CMPServerInitConstants) (*ArgoCDCMPServer, e
 		grpc.StreamInterceptor(grpc_middleware.ChainStreamServer(streamInterceptors...)),
 		grpc.MaxRecvMsgSize(apiclient.MaxGRPCMessageSize),
 		grpc.MaxSendMsgSize(apiclient.MaxGRPCMessageSize),
+		grpc.KeepaliveEnforcementPolicy(
+			keepalive.EnforcementPolicy{
+				MinTime: common.GRPCKeepAliveEnforcementMinimum,
+			},
+		),
 	}
 
 	return &ArgoCDCMPServer{

common/common.go

@@ -300,3 +300,10 @@ const (
 	// AnnotationApplicationRefresh is an annotation that is added when an ApplicationSet is requested to be refreshed by a webhook. The ApplicationSet controller will remove this annotation at the end of reconcilation.
 	AnnotationApplicationSetRefresh = "argocd.argoproj.io/application-set-refresh"
 )
+
+// gRPC settings
+const (
+	GRPCKeepAliveEnforcementMinimum = 10 * time.Second
+	// Keep alive is 2x enforcement minimum to ensure network jitter does not introduce ENHANCE_YOUR_CALM errors
+	GRPCKeepAliveTime = 2 * GRPCKeepAliveEnforcementMinimum
+)

controller/cache/cache.go

@@ -176,6 +176,7 @@ func NewLiveStateCache(
 type cacheSettings struct {
 	clusterSettings     clustercache.Settings
 	appInstanceLabelKey string
+	trackingMethod      appv1.TrackingMethod
 }
 
 type liveStateCache struct {
@@ -210,7 +211,7 @@ func (c *liveStateCache) loadCacheSettings() (*cacheSettings, error) {
 		ResourceHealthOverride: lua.ResourceHealthOverrides(resourceOverrides),
 		ResourcesFilter:        resourcesFilter,
 	}
-	return &cacheSettings{clusterSettings, appInstanceLabelKey}, nil
+	return &cacheSettings{clusterSettings, appInstanceLabelKey, argo.GetTrackingMethod(c.settingsMgr)}, nil
 }
 
 func asResourceNode(r *clustercache.Resource) appv1.ResourceNode {
@@ -354,7 +355,8 @@ func isTransientNetworkErr(err error) bool {
 	}
 	if strings.Contains(errorString, "net/http: TLS handshake timeout") ||
 		strings.Contains(errorString, "i/o timeout") ||
-		strings.Contains(errorString, "connection timed out") {
+		strings.Contains(errorString, "connection timed out") ||
+		strings.Contains(errorString, "connection reset by peer") {
 		return true
 	}
 	return false
@@ -387,7 +389,6 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		return nil, fmt.Errorf("controller is configured to ignore cluster %s", cluster.Server)
 	}
 
-	trackingMethod := argo.GetTrackingMethod(c.settingsMgr)
 	clusterCacheOpts := []clustercache.UpdateSettingsFunc{
 		clustercache.SetListSemaphore(semaphore.NewWeighted(clusterCacheListSemaphoreSize)),
 		clustercache.SetListPageSize(clusterCacheListPageSize),
@@ -400,9 +401,12 @@ func (c *liveStateCache) getCluster(server string) (clustercache.ClusterCache, e
 		clustercache.SetPopulateResourceInfoHandler(func(un *unstructured.Unstructured, isRoot bool) (interface{}, bool) {
 			res := &ResourceInfo{}
 			populateNodeInfo(un, res)
+			c.lock.RLock()
+			cacheSettings := c.cacheSettings
+			c.lock.RUnlock()
 			res.Health, _ = health.GetResourceHealth(un, cacheSettings.clusterSettings.ResourceHealthOverride)
 
-			appName := c.resourceTracking.GetAppName(un, cacheSettings.appInstanceLabelKey, trackingMethod)
+			appName := c.resourceTracking.GetAppName(un, cacheSettings.appInstanceLabelKey, cacheSettings.trackingMethod)
 			if isRoot && appName != "" {
 				res.AppName = appName
 			}

controller/cache/cache_test.go

@@ -111,6 +111,7 @@ func TestIsRetryableError(t *testing.T) {
 		tlsHandshakeTimeoutErr net.Error = netError("net/http: TLS handshake timeout")
 		ioTimeoutErr           net.Error = netError("i/o timeout")
 		connectionTimedout     net.Error = netError("connection timed out")
+		connectionReset        net.Error = netError("connection reset by peer")
 	)
 	t.Run("Nil", func(t *testing.T) {
 		assert.False(t, isRetryableError(nil))
@@ -148,4 +149,7 @@ func TestIsRetryableError(t *testing.T) {
 	t.Run("ConnectionTimeout", func(t *testing.T) {
 		assert.True(t, isRetryableError(connectionTimedout))
 	})
+	t.Run("ConnectionReset", func(t *testing.T) {
+		assert.True(t, isRetryableError(connectionReset))
+	})
 }

controller/state.go

@@ -494,14 +494,16 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		}
 		gvk := obj.GroupVersionKind()
 
+		isSelfReferencedObj := m.isSelfReferencedObj(liveObj, appLabelKey, trackingMethod)
+
 		resState := v1alpha1.ResourceStatus{
 			Namespace:       obj.GetNamespace(),
 			Name:            obj.GetName(),
 			Kind:            gvk.Kind,
 			Version:         gvk.Version,
 			Group:           gvk.Group,
 			Hook:            hookutil.IsHook(obj),
-			RequiresPruning: targetObj == nil && liveObj != nil,
+			RequiresPruning: targetObj == nil && liveObj != nil && isSelfReferencedObj,
 		}
 
 		var diffResult diff.DiffResult
@@ -510,8 +512,11 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *ap
 		} else {
 			diffResult = diff.DiffResult{Modified: false, NormalizedLive: []byte("{}"), PredictedLive: []byte("{}")}
 		}
-		if resState.Hook || ignore.Ignore(obj) || (targetObj != nil && hookutil.Skip(targetObj)) {
-			// For resource hooks or skipped resources, don't store sync status, and do not affect overall sync status
+		if resState.Hook || ignore.Ignore(obj) || (targetObj != nil && hookutil.Skip(targetObj)) || !isSelfReferencedObj {
+			// For resource hooks, skipped resources or objects that may have
+			// been created by another controller with annotations copied from
+			// the source object, don't store sync status, and do not affect
+			// overall sync status
 		} else if diffResult.Modified || targetObj == nil || liveObj == nil {
 			// Set resource state to OutOfSync since one of the following is true:
 			// * target and live resource are different
@@ -667,3 +672,34 @@ func NewAppStateManager(
 		resourceTracking:     resourceTracking,
 	}
 }
+
+// isSelfReferencedObj returns whether the given obj is managed by the application
+// according to the values in the tracking annotation. It returns true when all
+// of the properties in the annotation (name, namespace, group and kind) match
+// the properties of the inspected object, or if the tracking method used does
+// not provide the required properties for matching.
+func (m *appStateManager) isSelfReferencedObj(obj *unstructured.Unstructured, appLabelKey string, trackingMethod v1alpha1.TrackingMethod) bool {
+	if obj == nil {
+		return true
+	}
+
+	// If tracking method doesn't contain required metadata for this check,
+	// we are not able to determine and just assume the object to be managed.
+	if trackingMethod == argo.TrackingMethodLabel {
+		return true
+	}
+
+	// In order for us to assume obj to be managed by this application, the
+	// values from the annotation have to match the properties from the live
+	// object. Cluster scoped objects carry the app's destination namespace
+	// in the tracking annotation, but are unique in GVK + name combination.
+	appInstance := m.resourceTracking.GetAppInstance(obj, appLabelKey, trackingMethod)
+	if appInstance != nil {
+		return (obj.GetNamespace() == appInstance.Namespace || obj.GetNamespace() == "") &&
+			obj.GetName() == appInstance.Name &&
+			obj.GetObjectKind().GroupVersionKind().Group == appInstance.Group &&
+			obj.GetObjectKind().GroupVersionKind().Kind == appInstance.Kind
+	}
+
+	return true
+}