[v2.9] init v2.9 release

Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>

.github/workflows/build_v29.yaml

@@ -0,0 +1,56 @@
+name: build_v29
+on:
+  workflow_dispatch:
+  pull_request:
+  push:
+    branches:
+      - main
+    paths:
+      - patches-argo-cd-v2.9/**
+      - patches-gitops-engine-v2.0.0/**
+      - VERSION_29
+      - .github/workflows/build_v29.yaml
+
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: install stgit
+        shell: bash
+        run: |
+          sudo apt-get install -y stgit
+          git config --global user.name "Chanwit Kaewkasi"
+          git config --global user.email "chanwit@gmail.com"
+      - name: Get branch names
+        id: branch-name
+        uses: tj-actions/branch-names@v5.1
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION="${{ steps.branch-name.outputs.current_branch }}-${GITHUB_SHA::8}"
+          echo ::set-output name=VERSION::${VERSION}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build v2.9
+        run: |
+          ln -s VERSION_29 VERSION
+          ln -s patches-argo-cd-v2.9 patches-argo-cd
+          ln -s patches-gitops-engine-v2.0.0 patches-gitops-engine
+          rm -rf argo-cd || true
+          bash -x ./init.sh
+          source ./VERSION
+          VERSION=${BASE_VERSION}-${SUFFIX_VERSION}-${{ steps.prep.outputs.VERSION }}
+          ( cd argo-cd && IMAGE_NAMESPACE=ghcr.io/flux-subsystem-argo/fsa IMAGE_TAG=$VERSION DOCKER_PUSH=true make image )
+          unlink patches-argo-cd
+          unlink VERSION

VERSION_29

@@ -0,0 +1,3 @@
+BASE_VERSION=v2.9.0-rc1
+SUFFIX_VERSION=fl.$(cat patches-argo-cd/series | cut -d- -f1 | tail -1)
+GITOPS_ENGINE_VERSION=b0fffe419a0f0a40f9f2c0b6346b752ed6537385

patches-argo-cd-v2.9/01-build-with-local-gitops-engine.patch

@@ -0,0 +1,63 @@
+build with local gitops engine
+
+From: Chanwit Kaewkasi <chanwit@gmail.com>
+
+Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>
+---
+ .gitignore |    2 ++
+ Dockerfile |    9 +++++++++
+ go.mod     |    2 ++
+ 3 files changed, 13 insertions(+)
+
+diff --git a/.gitignore b/.gitignore
+index ab17deb0d..c28c77a6a 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -25,3 +25,5 @@ cmd/argocd/argocd
+ cmd/argocd-application-controller/argocd-application-controller
+ cmd/argocd-repo-server/argocd-repo-server
+ cmd/argocd-server/argocd-server
++
++gitops-engine/
+diff --git a/Dockerfile b/Dockerfile
+index f69e34cce..07e9df925 100644
+--- a/Dockerfile
++++ b/Dockerfile
+@@ -105,7 +105,9 @@ FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.20.6@sha256:8e5a0067e6
+
+ WORKDIR /go/src/github.com/argoproj/argo-cd
+
++COPY ./gitops-engine ./gitops-engine
+ COPY go.* ./
++
+ RUN go mod download
+
+ # Perform the build
+@@ -130,9 +132,16 @@ RUN GIT_COMMIT=$GIT_COMMIT \
+ # Final image
+ ####################################################################################################
+ FROM argocd-base
++
++LABEL org.opencontainers.image.source https://github.com/flux-subsystem-argo/fsa
++
+ COPY --from=argocd-build /go/src/github.com/argoproj/argo-cd/dist/argocd* /usr/local/bin/
+
+ USER root
++
++RUN chmod +x /usr/local/bin/gpg-wrapper.sh && \
++    chmod +x /usr/local/bin/git-verify-wrapper.sh
++
+ RUN ln -s /usr/local/bin/argocd /usr/local/bin/argocd-server && \
+     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-repo-server && \
+     ln -s /usr/local/bin/argocd /usr/local/bin/argocd-cmp-server && \
+diff --git a/go.mod b/go.mod
+index de020933a..00b641f31 100644
+--- a/go.mod
++++ b/go.mod
+@@ -306,4 +306,6 @@ replace (
+ 	k8s.io/mount-utils => k8s.io/mount-utils v0.24.2
+ 	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.24.2
+ 	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.24.2
++
++	github.com/argoproj/gitops-engine v0.7.1-0.20230607163028-b0fffe419a0f => ./gitops-engine                                                              
+ )

patches-argo-cd-v2.9/02-implement-loopback.patch

@@ -0,0 +1,185 @@
+implement loopback reconciliation
+
+From: Chanwit Kaewkasi <chanwit@gmail.com>
+
+Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>
+---
+ controller/state.go     |   18 ++++--
+ controller/state_fsa.go |  139 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 151 insertions(+), 6 deletions(-)
+ create mode 100644 controller/state_fsa.go
+
+diff --git a/controller/state.go b/controller/state.go
+index a2765f249..126102552 100644
+--- a/controller/state.go
++++ b/controller/state.go
+@@ -395,12 +395,18 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1
+ 			}
+ 		}
+
+-		targetObjs, manifestInfos, err = m.getRepoObjs(app, sources, appLabelKey, revisions, noCache, noRevisionCache, verifySignature, project)
+-		if err != nil {
+-			targetObjs = make([]*unstructured.Unstructured, 0)
+-			msg := fmt.Sprintf("Failed to load target state: %s", err.Error())
+-			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now})
+-			failedToLoadObjs = true
++		if isFluxSubsystemEnabled(app) && app.Spec.Source.IsHelm() {
++			targetObjs, conditions, failedToLoadObjs = m.getFluxHelmTargetObjects(app, conditions, now)
++		} else if isFluxSubsystemEnabled(app) && !app.Spec.Source.IsHelm() {
++			targetObjs, conditions, failedToLoadObjs = m.getFluxKustomizeTargetObjects(app, conditions, now)
++		} else {
++			targetObjs, manifestInfos, err = m.getRepoObjs(app, sources, appLabelKey, revisions, noCache, noRevisionCache, verifySignature, project)
++			if err != nil {
++				targetObjs = make([]*unstructured.Unstructured, 0)
++				msg := fmt.Sprintf("Failed to load target state: %s", err.Error())
++				conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: msg, LastTransitionTime: &now})
++				failedToLoadObjs = true
++			}
+ 		}
+ 	} else {
+ 		// Prevent applying local manifests for now when signature verification is enabled
+diff --git a/controller/state_fsa.go b/controller/state_fsa.go
+new file mode 100644
+index 000000000..f795c6a75
+--- /dev/null
++++ b/controller/state_fsa.go
+@@ -0,0 +1,139 @@
++package controller
++
++import (
++	"context"
++	"github.com/argoproj/argo-cd/v2/pkg/apis/application/v1alpha1"
++	"k8s.io/apimachinery/pkg/apis/meta/v1"
++	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
++	"k8s.io/apimachinery/pkg/runtime/schema"
++)
++
++func isFluxSubsystemEnabled(app *v1alpha1.Application) bool {
++	if app == nil {
++		return false
++	}
++	if app.Spec.SyncPolicy == nil {
++		return false
++	}
++	if app.Spec.SyncPolicy.SyncOptions == nil {
++		return false
++	}
++	if app.Spec.SyncPolicy.SyncOptions.HasOption("FluxSubsystem=true") == false {
++		return false
++	}
++	return true
++}
++
++func (m *appStateManager) getFluxHelmTargetObjects(app *v1alpha1.Application, conditions []v1alpha1.ApplicationCondition, now v1.Time) ([]*unstructured.Unstructured, []v1alpha1.ApplicationCondition, bool) {
++	var (
++		targetObjs       []*unstructured.Unstructured
++		failedToLoadObjs bool
++	)
++
++	cluster, err := m.db.GetCluster(context.TODO(), app.Spec.Destination.Server)
++	if err != nil {
++		targetObjs = make([]*unstructured.Unstructured, 0)
++		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
++		failedToLoadObjs = true
++	}
++	config := cluster.RESTConfig()
++
++	var hl *unstructured.Unstructured
++	hl, err = m.kubectl.GetResource(context.TODO(), config, schema.GroupVersionKind{
++		Group:   "helm.toolkit.fluxcd.io",
++		Version: "v2beta1",
++		Kind:    "HelmRelease",
++	}, app.Name, app.Spec.Destination.Namespace)
++	if err != nil {
++		targetObjs = make([]*unstructured.Unstructured, 0)
++		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
++		failedToLoadObjs = true
++	}
++
++	if hl == nil {
++		targetObjs = make([]*unstructured.Unstructured, 0)
++		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
++		failedToLoadObjs = true
++	} else {
++		var source *unstructured.Unstructured
++		if sourceKind, found, err := unstructured.NestedString(hl.Object, "spec", "chart", "spec", "sourceRef", "kind"); found && err == nil {
++			if sourceName, found, err := unstructured.NestedString(hl.Object, "spec", "chart", "spec", "sourceRef", "name"); found && err == nil {
++				if sourceNS, found, err := unstructured.NestedString(hl.Object, "spec", "chart", "spec", "sourceRef", "namespace"); err == nil {
++					if !found {
++						sourceNS = hl.GetNamespace()
++					}
++					source, err = m.kubectl.GetResource(context.Background(), config, schema.GroupVersionKind{
++						Group:   "source.toolkit.fluxcd.io",
++						Version: "v1beta1",
++						Kind:    sourceKind,
++					}, sourceName, sourceNS)
++				}
++			}
++		}
++		if source != nil {
++			targetObjs = []*unstructured.Unstructured{hl, source}
++		} else {
++			targetObjs = make([]*unstructured.Unstructured, 0)
++			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
++			failedToLoadObjs = true
++		}
++	}
++	return targetObjs, conditions, failedToLoadObjs
++}
++
++func (m *appStateManager) getFluxKustomizeTargetObjects(app *v1alpha1.Application, conditions []v1alpha1.ApplicationCondition, now v1.Time) ([]*unstructured.Unstructured, []v1alpha1.ApplicationCondition, bool) {
++	var (
++		targetObjs       []*unstructured.Unstructured
++		failedToLoadObjs bool
++	)
++
++	cluster, err := m.db.GetCluster(context.TODO(), app.Spec.Destination.Server)
++	if err != nil {
++		targetObjs = make([]*unstructured.Unstructured, 0)
++		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
++		failedToLoadObjs = true
++	}
++	config := cluster.RESTConfig()
++
++	var ks *unstructured.Unstructured
++	ks, err = m.kubectl.GetResource(context.TODO(), config, schema.GroupVersionKind{
++		Group:   "kustomize.toolkit.fluxcd.io",
++		Version: "v1beta2",
++		Kind:    "Kustomization",
++	}, app.Name, app.Spec.Destination.Namespace)
++	if err != nil {
++		targetObjs = make([]*unstructured.Unstructured, 0)
++		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
++		failedToLoadObjs = true
++	}
++
++	if ks == nil {
++		targetObjs = make([]*unstructured.Unstructured, 0)
++		conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
++		failedToLoadObjs = true
++	} else {
++		var source *unstructured.Unstructured
++		if sourceKind, found, err := unstructured.NestedString(ks.Object, "spec", "sourceRef", "kind"); found && err == nil {
++			if sourceName, found, err := unstructured.NestedString(ks.Object, "spec", "sourceRef", "name"); found && err == nil {
++				if sourceNS, found, err := unstructured.NestedString(ks.Object, "spec", "sourceRef", "namespace"); err == nil {
++					if !found {
++						sourceNS = ks.GetNamespace()
++					}
++					source, err = m.kubectl.GetResource(context.Background(), config, schema.GroupVersionKind{
++						Group:   "source.toolkit.fluxcd.io",
++						Version: "v1beta1",
++						Kind:    sourceKind,
++					}, sourceName, sourceNS)
++				}
++			}
++		}
++		if source != nil {
++			targetObjs = []*unstructured.Unstructured{ks, source}
++		} else {
++			targetObjs = make([]*unstructured.Unstructured, 0)
++			conditions = append(conditions, v1alpha1.ApplicationCondition{Type: v1alpha1.ApplicationConditionComparisonError, Message: err.Error(), LastTransitionTime: &now})
++			failedToLoadObjs = true
++		}
++	}
++	return targetObjs, conditions, failedToLoadObjs
++}

patches-argo-cd-v2.9/03-allow-flux-and-oci-schemes.patch

@@ -0,0 +1,58 @@
+allow flux and oci schemes
+
+From: Chanwit Kaewkasi <chanwit@gmail.com>
+
+Signed-off-by: Chanwit Kaewkasi <chanwit@gmail.com>
+---
+ reposerver/repository/repository.go |    5 +++++
+ server/application/application.go   |    4 ++++
+ util/argo/argo.go                   |    5 +++++
+ 3 files changed, 14 insertions(+)
+
+diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go
+index 02fb6a20d..aceb2ad6a 100644
+--- a/reposerver/repository/repository.go
++++ b/reposerver/repository/repository.go
+@@ -2429,6 +2429,11 @@ func (s *Service) TestRepository(ctx context.Context, q *apiclient.TestRepositor
+ 	}
+ 	check := checks[repo.Type]
+ 	apiResp := &apiclient.TestRepositoryResponse{VerifiedRepository: false}
++
++	// Flux or OCI scheme are special cases
++	if strings.HasPrefix(repo.Repo, "flux://") || strings.HasPrefix(repo.Repo, "oci://") {
++		return apiResp, nil
++	}
+ 	err := check()
+ 	if err != nil {
+ 		return apiResp, fmt.Errorf("error testing repository connectivity: %w", err)
+diff --git a/server/application/application.go b/server/application/application.go
+index a0323cde5..534d1aa47 100644
+--- a/server/application/application.go
++++ b/server/application/application.go
+@@ -2010,6 +2010,10 @@ func (s *Server) resolveRevision(ctx context.Context, app *appv1.Application, sy
+ 			// If it's already a commit SHA, then no need to look it up
+ 			return ambiguousRevision, ambiguousRevision, nil
+ 		}
++		if strings.HasPrefix(app.Spec.Source.RepoURL, "flux://") || strings.HasPrefix(app.Spec.Source.RepoURL, "oci://") {
++			// Flux or OCI scheme are special cases
++			return ambiguousRevision, ambiguousRevision, nil
++		}
+ 	}
+
+ 	resolveRevisionResponse, err := repoClient.ResolveRevision(ctx, &apiclient.ResolveRevisionRequest{
+diff --git a/util/argo/argo.go b/util/argo/argo.go
+index b32369ea7..f9ddd99d5 100644
+--- a/util/argo/argo.go
++++ b/util/argo/argo.go
+@@ -287,6 +287,11 @@ func ValidateRepo(
+
+ 	conditions := make([]argoappv1.ApplicationCondition, 0)
+
++	// Flux or OCI scheme are special cases
++	if strings.HasPrefix(spec.Source.RepoURL, "flux://") || strings.HasPrefix(spec.Source.RepoURL, "oci://") {
++		return conditions, nil
++	}
++
+ 	// Test the repo
+ 	conn, repoClient, err := repoClientset.NewRepoServerClient()
+ 	if err != nil {