Merge branch 'master' into fix-18495

.github/workflows/ci-build.yaml

@@ -303,7 +303,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@8410ad0602e1e429cee44a835ae9f77f654a6694 # v4.0.0
       - name: Setup NodeJS
-        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+        uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
         with:
           node-version: '21.6.1'
       - name: Restore node dependency cache

.github/workflows/init-release.yaml

@@ -64,7 +64,7 @@ jobs:
           git stash pop
 
       - name: Create pull request
-        uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79  # v7.0.3
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f  # v7.0.5
         with:
           commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
           title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"

.github/workflows/release.yaml

@@ -295,7 +295,7 @@ jobs:
         if: ${{ env.UPDATE_VERSION == 'true' }}
 
       - name: Create PR to update VERSION on master branch
-        uses: peter-evans/create-pull-request@6cd32fd93684475c31847837f87bb135d40a2b79 # v7.0.3
+        uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
         with:
           commit-message: Bump version in master
           title: "chore: Bump version in master"

Dockerfile

@@ -83,7 +83,7 @@ WORKDIR /home/argocd
 ####################################################################################################
 # Argo CD UI stage
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/node:22.8.0@sha256:bd00c03095f7586432805dbf7989be10361d27987f93de904b1fc003949a4794 AS argocd-ui
+FROM --platform=$BUILDPLATFORM docker.io/library/node:22.9.0@sha256:cbe2d5f94110cea9817dd8c5809d05df49b4bd1aac5203f3594d88665ad37988 AS argocd-ui
 
 WORKDIR /src
 COPY ["ui/package.json", "ui/yarn.lock", "./"]

cmd/argocd-notification/commands/controller.go

@@ -163,6 +163,7 @@ func NewCommand() *cobra.Command {
 			}()
 
 			go ctrl.Run(ctx, processorsCount)
+			<-ctx.Done()
 			return nil
 		},
 	}

docs/operator-manual/declarative-setup.md

@@ -1044,7 +1044,7 @@ stringData:
 
 ## Resource Exclusion/Inclusion
 
-Resources can be excluded from discovery and sync so that Argo CD is unaware of them. For example, the apiGroup/kind `events.k8s.io/*`, `metrics.k8s.io/*`, `coordination.k8s.io/Lease`, and `""/Endpoints` are always excluded. Use cases:
+Resources can be excluded from discovery and sync so that Argo CD is unaware of them. For example, the apiGroup/kind `events.k8s.io/*`, `metrics.k8s.io/*` and `coordination.k8s.io/Lease` are always excluded. Use cases:
 
 * You have temporal issues and you want to exclude problematic resources.
 * There are many of a kind of resources that impacts Argo CD's performance.

docs/operator-manual/reconcile.md

@@ -110,7 +110,7 @@ data:
     jqPathExpressions:
     # Ignore lastTransitionTime for conditions; helpful when SharedResourceWarnings are being regularly updated but not
     # actually changing in content.
-    - .status.conditions[].lastTransitionTime
+    - .status?.conditions[]?.lastTransitionTime
 ```
 
 ## Ignoring updates for untracked resources

docs/operator-manual/user-management/okta.md

@@ -135,7 +135,7 @@ First, create the OIDC integration:
     ![Okta OIDC app dialogue](../../assets/okta-create-oidc-app.png)
 1. Update the following:
     1. `App Integration name` and `Logo` - set these to suit your needs; they'll be displayed in the Okta catalogue.
-    1. `Sign-in redirect URLs`: Add `https://argocd.example.com/auth/callback`; replacing `argocd.example.com` with your ArgoCD web interface URL. Also add `http://localhost:8085/auth/callback` if you would like to be able to login with the CLI.
+    1. `Sign-in redirect URLs`: Add `https://argocd.example.com/auth/callback`; replacing `argocd.example.com` with your ArgoCD web interface URL.
     1. `Sign-out redirect URIs`: Add `https://argocd.example.com`; substituting the correct domain name as above. 
     1. Either assign groups, or choose to skip this step for now.
     1. Leave the rest of the options as-is, and save the integration.
@@ -170,6 +170,25 @@ Next, create a custom Authorization server:
     ![Default rule](../../assets/okta-auth-rule.png)
 1. Finally, click `Back to Authorization Servers`, and copy the `Issuer URI`. You will need this later.
 
+### CLI login
+
+In order to login with the CLI `argocd login https://argocd.example.com --sso`, Okta requires a separate dedicated App Integration:
+
+1. Create a new `Create App Integration`, and choose `OIDC`, and then `Single-Page Application`.
+1. Update the following:
+    1. `App Integration name` and `Logo` - set these to suit your needs; they'll be displayed in the Okta catalogue.
+    1. `Sign-in redirect URLs`: Add `http://localhost:8085/auth/callback`.
+    1. `Sign-out redirect URIs`: Add `http://localhost:8085`.
+    1. Either assign groups, or choose to skip this step for now.
+    1. Leave the rest of the options as-is, and save the integration.
+    1. Copy the `Client ID` from the newly created app; `cliClientID: <Client ID>` will be used in your `argocd-cm` ConfigMap.
+1. Edit your Authorization Server `Access Policies`:
+    1. Navigate to the Okta API Management at `Security > API`.
+    1. Choose your existing `Authorization Server` that was created previously.
+    1. Click `Access Policies` > `Edit Policy`.
+    1. Assign your newly created `App Integration` by filling in the text box and clicking `Update Policy`.
+    ![Edit Policy](../../assets/okta-auth-policy-edit.png)
+
 If you haven't yet created Okta groups, and assigned them to the application integration, you should do that now:
 
 1. Go to `Directory > Groups`
@@ -190,6 +209,7 @@ oidc.config: |
   # this is the authorization server URI
   issuer: https://example.okta.com/oauth2/aus9abcdefgABCDEFGd7
   clientID: 0oa9abcdefgh123AB5d7
+  cliClientID: gfedcba0987654321GEFDCBA # Optional if using the CLI for SSO
   clientSecret: ABCDEFG1234567890abcdefg
   requestedScopes: ["openid", "profile", "email", "groups"]
   requestedIDTokenClaims: {"groups": {"essential": true}}

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/TomOnTime/utfutil v0.0.0-20180511104225-09c41003ee1d
 	github.com/alicebob/miniredis/v2 v2.33.0
 	github.com/antonmedv/expr v1.15.1
-	github.com/argoproj/gitops-engine v0.7.1-0.20240916204218-df9b446fd7d2
+	github.com/argoproj/gitops-engine v0.7.1-0.20240917171920-72bcdda3f0a5
 	github.com/argoproj/notifications-engine v0.4.1-0.20240606074338-0802cd427621
 	github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1
 	github.com/aws/aws-sdk-go v1.55.5
@@ -66,7 +66,7 @@ require (
 	github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/prometheus/client_golang v1.20.3
+	github.com/prometheus/client_golang v1.20.4
 	github.com/r3labs/diff v1.1.0
 	github.com/redis/go-redis/v9 v9.6.1
 	github.com/robfig/cron/v3 v3.0.1

go.sum

@@ -83,8 +83,8 @@ github.com/antonmedv/expr v1.15.1/go.mod h1:0E/6TxnOlRNp81GMzX9QfDPAmHo2Phg00y4J
 github.com/apache/thrift v0.12.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/apache/thrift v0.13.0/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
 github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE=
-github.com/argoproj/gitops-engine v0.7.1-0.20240916204218-df9b446fd7d2 h1:vwgeR9wMFO/T+eZns5SKDyiiCJkMoYEU3NYGVCrr7FA=
-github.com/argoproj/gitops-engine v0.7.1-0.20240916204218-df9b446fd7d2/go.mod h1:b1vuwkyMUszyUK+USUJqC8vJijnQsEPNDpC+sDdDLtM=
+github.com/argoproj/gitops-engine v0.7.1-0.20240917171920-72bcdda3f0a5 h1:K/e+NsNmE4BccRu21QpqUxkTHxU9YWjU3M775Ck+V/E=
+github.com/argoproj/gitops-engine v0.7.1-0.20240917171920-72bcdda3f0a5/go.mod h1:b1vuwkyMUszyUK+USUJqC8vJijnQsEPNDpC+sDdDLtM=
 github.com/argoproj/notifications-engine v0.4.1-0.20240606074338-0802cd427621 h1:Yg1nt+D2uDK1SL2jSlfukA4yc7db184TTN7iWy3voRE=
 github.com/argoproj/notifications-engine v0.4.1-0.20240606074338-0802cd427621/go.mod h1:N0A4sEws2soZjEpY4hgZpQS8mRIEw6otzwfkgc3g9uQ=
 github.com/argoproj/pkg v0.13.7-0.20230626144333-d56162821bd1 h1:qsHwwOJ21K2Ao0xPju1sNuqphyMnMYkyB3ZLoLtxWpo=
@@ -814,8 +814,8 @@ github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.20.3 h1:oPksm4K8B+Vt35tUhw6GbSNSgVlVSBH0qELP/7u83l4=
-github.com/prometheus/client_golang v1.20.3/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
+github.com/prometheus/client_golang v1.20.4 h1:Tgh3Yr67PaOv/uTqloMsCEdeuFTatm5zIq5+qNN23vI=
+github.com/prometheus/client_golang v1.20.4/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=

pkg/apiclient/application/forwarder_overwrite.go

@@ -116,8 +116,11 @@ func init() {
 		if req.URL.Query().Get("download") == "true" {
 			w.Header().Set("Content-Type", "application/octet-stream")
 			fileName := "log"
-			if container := req.URL.Query().Get("container"); len(container) > 0 && kube.IsValidResourceName(container) {
-				fileName = container
+			namespace := req.URL.Query().Get("namespace")
+			podName := req.URL.Query().Get("podName")
+			container := req.URL.Query().Get("container")
+			if kube.IsValidResourceName(namespace) && kube.IsValidResourceName(podName) && kube.IsValidResourceName(container) {
+				fileName = fmt.Sprintf("%s-%s-%s", namespace, podName, container)
 			}
 			w.Header().Set("Content-Disposition", fmt.Sprintf(`attachment;filename="%s.log"`, fileName))
 			for {

resource_customizations/gateway.solo.io/Gateway/health.lua

@@ -0,0 +1,54 @@
+hs = {
+  status = "Progressing",
+  message = "Update in progress"
+}
+
+function getStatus(status)
+  -- Accepted
+  if status.state == "Accepted" or status.state == 1 then
+    hs.status = "Healthy"
+    hs.message = "The resource has been validated"
+    return hs
+  end
+
+  -- Warning
+  if status.state == "Warning" or status.state == 3 then
+    hs.status = "Degraded"
+    hs.message = status.reason
+    return hs
+  end
+
+  -- Pending
+  if status.state == "Pending" or status.state == 0 then
+    hs.status = "Suspended"
+    hs.message = "The resource has not yet been validated"
+    return hs
+  end
+
+  -- Rejected
+  if status.state == "Rejected" or status.state == 2 then
+    hs.status = "Degraded"
+    hs.message = status.reason
+    return hs
+  end
+
+  return hs
+end
+
+if obj.status ~= nil then
+  -- Namespaced version of status
+  if obj.status.statuses ~= nil then
+    for i, namespace in pairs(obj.status.statuses) do
+      hs = getStatus(namespace)
+      if hs.status ~= "Progressing" then
+        return hs
+      end
+    end
+  end
+
+  -- Older non-namespaced version of status
+  if obj.status.state ~= nil then
+    hs = getStatus(obj.status)
+  end
+end
+return hs

resource_customizations/gateway.solo.io/Gateway/health_test.yaml

@@ -0,0 +1,37 @@
+tests:
+- healthStatus:
+    status: Degraded
+    message: "message that will describe all the reasons for warning"
+  inputPath: testdata/gloo-warning.yaml
+- healthStatus:
+    status: Suspended
+    message: "The resource has not yet been validated"
+  inputPath: testdata/gloo-pending.yaml
+- healthStatus:
+    status: Healthy
+    message: "The resource has been validated"
+  inputPath: testdata/gloo-accepted.yaml
+- healthStatus:
+    status: Degraded
+    message: "message that will describe all the reasons for rejection"
+  inputPath: testdata/gloo-rejected.yaml
+- healthStatus:
+    status: Degraded
+    message: "message that will describe all the reasons for warning"
+  inputPath: testdata/non-namespaced-gloo-warning.yaml
+- healthStatus:
+    status: Suspended
+    message: "The resource has not yet been validated"
+  inputPath: testdata/non-namespaced-gloo-pending.yaml
+- healthStatus:
+    status: Healthy
+    message: "The resource has been validated"
+  inputPath: testdata/non-namespaced-gloo-accepted.yaml
+- healthStatus:
+    status: Degraded
+    message: "message that will describe all the reasons for rejection"
+  inputPath: testdata/non-namespaced-gloo-rejected.yaml
+- healthStatus:
+    status: Progressing
+    message: "Update in progress"
+  inputPath: testdata/gloo-no-status.yaml

resource_customizations/gateway.solo.io/Gateway/testdata/gloo-accepted.yaml

@@ -0,0 +1,14 @@
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+status:
+  statuses:
+    gloo-system:
+      reportedBy: gateway
+      state: Accepted
+      subresourceStatuses:
+        '*v1.Proxy.gateway-proxy_gloo-system':
+          reportedBy: gloo
+          state: Accepted
+        '*v1.Proxy.internal-proxy_gloo-system':
+          reportedBy: gloo
+          state: Accepted

resource_customizations/gateway.solo.io/Gateway/testdata/gloo-no-status.yaml

@@ -0,0 +1,2 @@
+apiVersion: gateway.solo.io/v1
+kind: Gateway

resource_customizations/gateway.solo.io/Gateway/testdata/gloo-pending.yaml

@@ -0,0 +1,14 @@
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+status:
+  statuses:
+    gloo-system:
+      reportedBy: gateway
+      state: Pending
+      subresourceStatuses:
+        '*v1.Proxy.gateway-proxy_gloo-system':
+          reportedBy: gloo
+          state: Accepted
+        '*v1.Proxy.internal-proxy_gloo-system':
+          reportedBy: gloo
+          state: Pending

resource_customizations/gateway.solo.io/Gateway/testdata/gloo-rejected.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+status:
+  statuses:
+    gloo-system:
+      reason: "message that will describe all the reasons for rejection"
+      reportedBy: gateway
+      state: Rejected
+      subresourceStatuses:
+        '*v1.Proxy.gateway-proxy_gloo-system':
+          reportedBy: gloo
+          state: Accepted
+        '*v1.Proxy.internal-proxy_gloo-system':
+          reportedBy: gloo
+          state: Rejected

resource_customizations/gateway.solo.io/Gateway/testdata/gloo-warning.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+status:
+  statuses:
+    gloo-system:
+      reason: "message that will describe all the reasons for warning"
+      reportedBy: gateway
+      state: Warning
+      subresourceStatuses:
+        '*v1.Proxy.gateway-proxy_gloo-system':
+          reportedBy: gloo
+          state: Accepted
+        '*v1.Proxy.internal-proxy_gloo-system':
+          reportedBy: gloo
+          state: Warning

resource_customizations/gateway.solo.io/Gateway/testdata/non-namespaced-gloo-accepted.yaml

@@ -0,0 +1,12 @@
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+status:
+  reportedBy: gateway
+  state: 1
+  subresourceStatuses:
+    '*v1.Proxy.gateway-proxy_gloo-system':
+      reportedBy: gloo
+      state: 1
+    '*v1.Proxy.internal-proxy_gloo-system':
+      reportedBy: gloo
+      state: 1

resource_customizations/gateway.solo.io/Gateway/testdata/non-namespaced-gloo-pending.yaml

@@ -0,0 +1,14 @@
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+status:
+  statuses:
+    gloo-system:
+      reportedBy: gateway
+      state: 0
+      subresourceStatuses:
+        '*v1.Proxy.gateway-proxy_gloo-system':
+          reportedBy: gloo
+          state: 1
+        '*v1.Proxy.internal-proxy_gloo-system':
+          reportedBy: gloo
+          state: 0

resource_customizations/gateway.solo.io/Gateway/testdata/non-namespaced-gloo-rejected.yaml

@@ -0,0 +1,13 @@
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+status:
+      reason: "message that will describe all the reasons for rejection"
+      reportedBy: gateway
+      state: 2
+      subresourceStatuses:
+        '*v1.Proxy.gateway-proxy_gloo-system':
+          reportedBy: gloo
+          state: 1
+        '*v1.Proxy.internal-proxy_gloo-system':
+          reportedBy: gloo
+          state: 2

resource_customizations/gateway.solo.io/Gateway/testdata/non-namespaced-gloo-warning.yaml

@@ -0,0 +1,13 @@
+apiVersion: gateway.solo.io/v1
+kind: Gateway
+status:
+  reason: "message that will describe all the reasons for warning"
+  reportedBy: gateway
+  state: 3
+  subresourceStatuses:
+    '*v1.Proxy.gateway-proxy_gloo-system':
+      reportedBy: gloo
+      state: 1
+    '*v1.Proxy.internal-proxy_gloo-system':
+      reportedBy: gloo
+      state: 3