Merge branch 'master' into 17106-UiProposalMultiSourceApps

.github/workflows/ci-build.yaml

@@ -1,5 +1,5 @@
 name: Integration tests
-on: 
+on:
   push:
     branches:
       - 'master'
@@ -23,9 +23,28 @@ permissions:
   contents: read
 
 jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      backend: ${{ steps.filter.outputs.backend }}
+      frontend: ${{ steps.filter.outputs.frontend }}
+    steps:
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2
+        id: filter
+        with:
+          filters: |
+            backend:
+              - '!(ui/**)'
+              - '!(**/*.md)'
+            frontend:
+              - 'ui/**'
   check-go:
     name: Ensure Go modules synchronicity
+    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
+    needs:
+      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -43,7 +62,10 @@ jobs:
 
   build-go:
     name: Build & cache Go code
+    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
+    needs:
+      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -67,7 +89,10 @@ jobs:
       contents: read  # for actions/checkout to fetch code
       pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: Lint Go code
+    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
+    needs:
+      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -83,12 +108,14 @@ jobs:
 
   test-go:
     name: Run unit tests for Go packages
+    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
     needs:
       - build-go
+      - changes
     env:
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}      
+      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
     steps:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
@@ -150,12 +177,14 @@ jobs:
 
   test-go-race:
     name: Run unit tests with -race for Go packages
+    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
     needs:
       - build-go
+      - changes
     env:
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
+      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
     steps:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
@@ -212,7 +241,10 @@ jobs:
 
   codegen:
     name: Check changes to generated code
+    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
+    needs:
+      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -260,7 +292,10 @@ jobs:
 
   build-ui:
     name: Build, test & lint UI code
+    if: ${{ needs.changes.outputs.frontend == 'true' }}
     runs-on: ubuntu-22.04
+    needs:
+      - changes
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -292,10 +327,12 @@ jobs:
 
   analyze:
     name: Process & analyze test artifacts
+    if: ${{ needs.changes.outputs.backend == 'true' || needs.changes.outputs.frontend == 'true' }}
     runs-on: ubuntu-22.04
     needs:
       - test-go
       - build-ui
+      - changes
     env:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
@@ -315,7 +352,7 @@ jobs:
       - name: Create test-results directory
         run: |
           mkdir -p test-results
-      - name: Get code coverage artifiact
+      - name: Get code coverage artifact
         uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: code-coverage
@@ -336,35 +373,37 @@ jobs:
           SCANNER_PATH: /tmp/cache/scanner
           OS: linux
         run: |
-            # We do not use the provided action, because it does contain an old
-            # version of the scanner, and also takes time to build.
-            set -e
-            mkdir -p ${SCANNER_PATH}
-            export SONAR_USER_HOME=${SCANNER_PATH}/.sonar
-            if [[ ! -x "${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner" ]]; then
-              curl -Ol https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip
-              unzip -qq -o sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip -d ${SCANNER_PATH}
-            fi
-
-            chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
-            chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/jre/bin/java
-
-            # Explicitly set NODE_MODULES
-            export NODE_MODULES=${PWD}/ui/node_modules
-            export NODE_PATH=${PWD}/ui/node_modules
-
-            ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
+          # We do not use the provided action, because it does contain an old
+          # version of the scanner, and also takes time to build.
+          set -e
+          mkdir -p ${SCANNER_PATH}
+          export SONAR_USER_HOME=${SCANNER_PATH}/.sonar
+          if [[ ! -x "${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner" ]]; then
+            curl -Ol https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip
+            unzip -qq -o sonar-scanner-cli-${SCANNER_VERSION}-${OS}.zip -d ${SCANNER_PATH}
+          fi
+          
+          chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
+          chmod +x ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/jre/bin/java
+          
+          # Explicitly set NODE_MODULES
+          export NODE_MODULES=${PWD}/ui/node_modules
+          export NODE_PATH=${PWD}/ui/node_modules
+          
+          ${SCANNER_PATH}/sonar-scanner-${SCANNER_VERSION}-${OS}/bin/sonar-scanner
         if: env.sonar_secret != ''
 
   test-e2e:
     name: Run end-to-end tests
+    if: ${{ needs.changes.outputs.backend == 'true' }}
     runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:
-        k3s-version: [v1.28.2, v1.27.6, v1.26.9, v1.25.14]
-    needs: 
+        k3s-version: [v1.29.1, v1.28.6, v1.27.10, v1.26.13, v1.25.16]
+    needs:
       - build-go
+      - changes
     env:
       GOPATH: /home/runner/go
       ARGOCD_FAKE_IN_CLUSTER: "true"
@@ -377,7 +416,7 @@ jobs:
       ARGOCD_APPLICATION_NAMESPACES: "argocd-e2e-external,argocd-e2e-external-2"
       ARGOCD_SERVER: "127.0.0.1:8088"
       GITHUB_TOKEN: ${{ secrets.E2E_TEST_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
+      GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}
     steps:
       - name: Checkout code
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -462,3 +501,26 @@ jobs:
           name: e2e-server-k8s${{ matrix.k3s-version }}.log
           path: /tmp/e2e-server.log
         if: ${{ failure() }}
+
+  # workaround for status checks -- check this one job instead of each individual E2E job in the matrix
+  # this allows us to skip the entire matrix when it doesn't need to run while still having accurate status checks
+  # see:
+  # https://github.com/argoproj/argo-workflows/pull/12006
+  # https://github.com/orgs/community/discussions/9141#discussioncomment-2296809
+  # https://github.com/orgs/community/discussions/26822#discussioncomment-3305794
+  test-e2e-composite-result:
+    name: E2E Tests - Composite result
+    if: ${{ always() }}
+    needs:
+      - test-e2e
+      - changes
+    runs-on: ubuntu-22.04
+    steps:
+      - run: |
+          result="${{ needs.test-e2e.result }}"
+          # mark as successful even if skipped
+          if [[ $result == "success" || $result == "skipped" ]]; then
+            exit 0
+          else
+            exit 1
+          fi

USERS.md

@@ -94,6 +94,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Fave](https://myfave.com)
 1. [Flexport](https://www.flexport.com/)
 1. [Flip](https://flip.id)
+1. [Fly Security](https://www.flysecurity.com.br/)
 1. [Fonoa](https://www.fonoa.com/)
 1. [Fortra](https://www.fortra.com)
 1. [freee](https://corp.freee.co.jp/en/company/)
@@ -283,6 +284,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Tamkeen Technologies](https://tamkeentech.sa/)
 1. [Techcombank](https://www.techcombank.com.vn/trang-chu)
 1. [Technacy](https://www.technacy.it/)
+1. [Telavita](https://www.telavita.com.br/)
 1. [Tesla](https://tesla.com/)
 1. [The Scale Factory](https://www.scalefactory.com/)
 1. [ThousandEyes](https://www.thousandeyes.com/)

cmd/argocd-application-controller/commands/argocd_application_controller.go

@@ -266,7 +266,7 @@ func getClusterSharding(kubeClient *kubernetes.Clientset, settingsMgr *settings.
 			// If we still see conflicts after the retries, wait for next iteration of heartbeat process.
 			for i := 0; i <= common.AppControllerHeartbeatUpdateRetryCount; i++ {
 				shardNumber, err = sharding.GetOrUpdateShardFromConfigMap(kubeClient, settingsMgr, replicasCount, shardNumber)
-				if !kubeerrors.IsConflict(err) {
+				if err != nil && !kubeerrors.IsConflict(err) {
 					err = fmt.Errorf("unable to get shard due to error updating the sharding config map: %s", err)
 					break
 				}

docs/developer-guide/site.md

@@ -7,20 +7,14 @@ The website is built using `mkdocs` and `mkdocs-material`.
 To test:
 
 ```bash
+make build-docs
 make serve-docs
 ```
-
 Once running, you can view your locally built documentation at [http://0.0.0.0:8000/](http://0.0.0.0:8000/). 
 
-## Deploying
-
-```bash
-make publish-docs
-```
-
 ## Analytics
 
 !!! tip
     Don't forget to disable your ad-blocker when testing.
 
-We collect [Google Analytics](https://analytics.google.com/analytics/web/#/report-home/a105170809w198079555p192782995).
+We collect [Google Analytics](https://analytics.google.com/analytics/web/#/report-home/a105170809w198079555p192782995).

docs/operator-manual/applicationset/Template.md

@@ -111,16 +111,15 @@ In this example, the ApplicationSet controller will generate an `Application` re
 
 ## Template Patch
 
-Templating is only available on string type. However, some uses cases may require to apply templating on other types.
+Templating is only available on string type. However, some use cases may require applying templating on other types.
 
 Example:
 
-- Set the automated sync policy
-- Switch prune boolean to true
-- Add multiple helm value files
-
-Argo CD has a `templatePatch` feature to allow advanced templating. It supports both json and yaml.
+- Conditionally set the automated sync policy.
+- Conditionally switch prune boolean to `true`.
+- Add multiple helm value files from a list.
 
+The `templatePatch` feature enables advanced templating, with support for `json` and `yaml`.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -174,3 +173,6 @@ spec:
 
     The `spec.project` field is not supported in `templatePatch`. If you need to change the project, you can use the
     `spec.project` field in the `template` field.
+
+!!! important
+    When writing a `templatePatch`, you're crafting a patch. So, if the patch includes an empty `spec: # nothing in here`, it will effectively clear out existing fields. See [#17040](https://github.com/argoproj/argo-cd/issues/17040) for an example of this behavior.

docs/operator-manual/argocd-cm.yaml

@@ -318,6 +318,12 @@ data:
   # published to the repository. Reconciliation by timeout is disabled if timeout is set to 0. Three minutes by default.
   # > Note: argocd-repo-server deployment must be manually restarted after changing the setting.
   timeout.reconciliation: 180s
+  # With a large number of applications, the periodic refresh for each application can cause a spike in the refresh queue
+  # and can cause a spike in the repo-server component. To avoid this, you can set a jitter to the sync timeout, which will
+  # spread out the refreshes and give time to the repo-server to catch up. The jitter is the maximum duration that can be
+  # added to the sync timeout. So, if the sync timeout is 3 minutes and the jitter is 1 minute, then the actual timeout will
+  # be between 3 and 4 minutes. Disabled when the value is 0, defaults to 0.
+  timeout.reconciliation.jitter: 0
 
   # cluster.inClusterEnabled indicates whether to allow in-cluster server address. This is enabled by default.
   cluster.inClusterEnabled: "true"

docs/operator-manual/dynamic-cluster-distribution.md

@@ -17,16 +17,10 @@ which does not require a restart of the application controller pods.
 
 ## Enabling Dynamic Distribution of Clusters
 
-This feature is disabled by default while it is in alpha. To enable it, you must set the environment `ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION` to true when running the Application Controller.
-
-In order to utilize the feature, the manifests `manifests/ha/base/controller-deployment/` can be applied as a Kustomize 
-overlay. This overlay sets the StatefulSet replicas to `0` and deploys the application controller as a Deployment. The
-dynamic distribution code automatically kicks in when the controller is deployed as a Deployment.
+This feature is disabled by default while it is in alpha. In order to utilize the feature, the manifests `manifests/ha/base/controller-deployment/` can be applied as a Kustomize overlay. This overlay sets the StatefulSet replicas to `0` and deploys the application controller as a Deployment. Also, you must set the environment `ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION` to true when running the Application Controller as a deployment.
 
 !!! important
-    The use of a Deployment instead of a StatefulSet is an implementation detail which may change in future versions of
-    this feature. Therefore, the directory name of the Kustomize overlay may change as well. Monitor the release notes
-    to avoid issues.
+    The use of a Deployment instead of a StatefulSet is an implementation detail which may change in future versions of this feature. Therefore, the directory name of the Kustomize overlay may change as well. Monitor the release notes to avoid issues.
 
 Note the introduction of new environment variable `ARGOCD_CONTROLLER_HEARTBEAT_TIME`. The environment variable is explained in [working of Dynamic Distribution Heartbeat Process](#working-of-dynamic-distribution)
 

docs/operator-manual/ingress.md

@@ -166,6 +166,43 @@ The argocd-server Service needs to be annotated with `projectcontour.io/upstream
 The API server should then be run with TLS disabled. Edit the `argocd-server` deployment to add the
 `--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md).
 
+Contour httpproxy CRD:
+
+Using a contour httpproxy CRD allows you to use the same hostname for the GRPC and REST api.
+
+```yaml
+apiVersion: projectcontour.io/v1
+kind: HTTPProxy
+metadata:
+  name: argocd-server
+  namespace: argocd
+spec:
+  ingressClassName: contour
+  virtualhost:
+    fqdn: path.to.argocd.io
+    tls:
+      secretName: wildcard-tls
+  routes:
+    - conditions:
+        - prefix: /
+        - header:
+            name: Content-Type
+            contains: application/grpc
+      services:
+        - name: argocd-server
+          port: 80
+          protocol: h2c # allows for unencrypted http2 connections
+      timeoutPolicy:
+        response: 1h
+        idle: 600s
+        idleConnection: 600s
+    - conditions:
+        - prefix: /
+      services:
+        - name: argocd-server
+          port: 80
+```
+
 ## [kubernetes/ingress-nginx](https://github.com/kubernetes/ingress-nginx)
 
 ### Option 1: SSL-Passthrough

docs/operator-manual/metrics.md

@@ -70,6 +70,8 @@ Scraped at the `argocd-server-metrics:8083/metrics` endpoint.
 | `argocd_redis_request_total` | counter | Number of Kubernetes requests executed during application reconciliation. |
 | `grpc_server_handled_total` | counter | Total number of RPCs completed on the server, regardless of success or failure. |
 | `grpc_server_msg_sent_total` | counter | Total number of gRPC stream messages sent by the server. |
+| `argocd_proxy_extension_request_total` | counter | Number of requests sent to the configured proxy extensions. |
+| `argocd_proxy_extension_request_duration_seconds` | histogram | Request duration in seconds between the Argo CD API server and the proxy extension backend. |
 
 ## Repo Server Metrics
 Metrics about the Repo Server.