Red Hat OpenShift GitOps is a declarative way to implement continuous deployment for cloud native applications. Red Hat OpenShift GitOps ensures consistency in applications when you deploy them to different clusters in different environments, such as development, staging, and production. Red Hat OpenShift GitOps helps you automate the following tasks:
Ensure that the clusters have similar states for configuration, monitoring, and storage
Recover or recreate clusters from a known state
Apply or revert configuration changes to multiple OpenShift Container Platform clusters
Associate templated configuration with different environments
Promote applications across clusters, from staging to production
For an overview of Red Hat OpenShift GitOps, see Understanding OpenShift GitOps.
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.
In the table, features are marked with the following statuses:
TP: Technology Preview
GA: General Availability
OpenShift GitOps Version | kam | Helm | Kustomize | Argo CD | ApplicationSet | Dex | RH SSO | Notifications Controller | OpenShift Versions
---|---|---|---|---|---|---|---|---|---
1.7.0 | 0.0.46 TP | 3.10.0 GA | 4.5.7 GA | 2.5.4 GA | 2.4.5 GA | 2.35.1 GA | 7.5.1 GA | 2.4.5 TP | 4.8-4.11
1.6.0 | 0.0.46 TP | 3.8.1 GA | 4.4.1 GA | 2.4.5 GA | 2.4.5 GA | 2.30.3 GA | 7.5.1 GA | 2.4.5 TP | 4.8-4.10
1.5.0 | 0.0.42 TP | 3.8.0 GA | 4.4.1 GA | 2.3.3 GA | 0.4.1 TP | 2.30.3 GA | 7.5.1 GA | | 4.8-4.10
1.4.0 | 0.0.41 TP | 3.7.1 GA | 4.2.0 GA | 2.2.2 GA | 0.2.0 TP | 2.30.0 GA | 7.4.0 GA | | 4.7-4.9
1.3.0 | 0.0.40 TP | 3.6.0 GA | 4.2.0 GA | 2.1.2 GA | 0.2.0 TP | 2.28.0 GA | 7.4.0 GA | | 4.7-4.9
"kam" is an abbreviation for Red Hat OpenShift GitOps Application Manager (kam).
"RH SSO" is an abbreviation for Red Hat SSO.
The Environments page in the Developer perspective of the OpenShift Container Platform web console is also in Technology Preview.
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
Red Hat OpenShift GitOps 1.7.0 is now available on OpenShift Container Platform 4.8, 4.9, 4.10, and 4.11.
The current release adds the following improvements:
With this update, you can add environment variables to the Notifications controller. GITOPS-2313
With this update, the default nodeSelector key-value pair "kubernetes.io/os": "linux" is added to all workloads so that they are scheduled only on Linux nodes. Any custom node selectors are merged with the default and take precedence when they use the same key. GITOPS-2215
With this update, you can set custom node selectors on the Operator workloads by editing their GitopsService custom resource. GITOPS-2164
With this update, you can select the RBAC policy matcher mode from the following options: glob (default) and regex. GITOPS-1975
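The matcher mode decides how the object field of a policy line is compared with the application being acted on. The following Go program is an added example and not Argo CD or Operator code: it reproduces the regex comparison with Go's regexp.MatchString, which is what casbin's regexMatch (the function Argo CD's regex mode relies on) calls, and shows the consequence to watch for when switching from glob: an unanchored pattern such as dev/.* is a substring match, so it also grants access to applications in other projects whose name happens to contain "dev/". The Policy type, the role name, the project and application names, and the helper functions are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Policy is one "p" line of an Argo CD RBAC policy.csv, reduced to the fields
// this example needs (constructed type, not Argo CD's own).
type Policy struct {
	Subject  string // for example role:dev
	Resource string // for example applications
	Action   string // for example sync, or * for any action
	Object   string // <project>/<application> pattern
}

// regexMatch has the semantics of casbin's regexMatch, used for the object field when
// policy.matchMode is regex: regexp.MatchString finds the pattern anywhere in the input,
// so a pattern without ^ and $ behaves as a substring match.
func regexMatch(object, pattern string) bool {
	ok, err := regexp.MatchString(pattern, object)
	return err == nil && ok
}

// Allowed reports whether any policy line grants subject the action on object.
// Only the object field is regex-matched here; the other fields are kept literal
// for clarity (Argo CD matches them too).
func Allowed(policies []Policy, subject, resource, action, object string) bool {
	for _, p := range policies {
		if p.Subject == subject && p.Resource == resource &&
			(p.Action == "*" || p.Action == action) && regexMatch(object, p.Object) {
			return true
		}
	}
	return false
}

// LoosePolicy is what a glob habit produces in regex mode: "dev/.*" reads as
// "every application in the dev project" but is not anchored.
var LoosePolicy = []Policy{{"role:dev", "applications", "sync", "dev/.*"}}

// AnchoredPolicy pins both ends and forbids a slash inside the application name,
// so only objects of the exact form dev/<app> match.
var AnchoredPolicy = []Policy{{"role:dev", "applications", "sync", "^dev/[^/]+$"}}

func main() {
	for _, obj := range []string{"dev/frontend", "prod-dev/payments", "dev/frontend/extra"} {
		fmt.Printf("%-20s loose=%-5v anchored=%v\n", obj,
			Allowed(LoosePolicy, "role:dev", "applications", "sync", obj),
			Allowed(AnchoredPolicy, "role:dev", "applications", "sync", obj))
	}
}
```

Running the program shows that dev/frontend is granted in both forms, while prod-dev/payments and dev/frontend/extra are granted only by the unanchored pattern. When you move a policy.csv from glob to regex, review every object pattern and add ^ and $ explicitly.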
With this update, you can customize resource behavior using the following additional subkeys:
Subkey | Key form | Mapped field in argocd-cm
---|---|---
resourceHealthChecks | resource.customizations.health.<group_kind> | resource.customizations.health
resourceIgnoreDifferences | resource.customizations.ignoreDifferences.<group_kind> | resource.customizations.ignoreDifferences
resourceActions | resource.customizations.actions.<group_kind> | resource.customizations.actions
In future releases, the old method of customizing resource behavior by using only resourceCustomization, without subkeys, might be deprecated.
With this update, if you use a Red Hat OpenShift GitOps version prior to 1.7 on OpenShift Container Platform 4.15 or later, you must upgrade to use the Environments feature on the Developer tab. GITOPS-2415
With this update, applications can be created in any namespace in the same cluster and still be managed by the control plane's Argo CD instance. This is done by adding the new label argocd.argoproj.io/managed-by-cluster-argocd to a namespace that is listed in spec.sourceNamespaces of the Argo CD custom resource. GITOPS-2341
This feature is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
The following issues have been resolved in the current release:
Before this update, Red Hat OpenShift GitOps releases were affected by an issue where Dex pods failed with a CreateContainerConfigError error when the anyuid SCC was assigned to the Dex service account. This update fixes the issue by assigning a default user ID to the Dex container. GITOPS-2235
Before this update, Red Hat OpenShift GitOps could use RHSSO (Keycloak) through OIDC in addition to Dex. However, after a recent security fix, the RHSSO certificate could not be validated when it was signed by a certificate authority other than the well-known ones. This update fixes the issue: you can now provide a custom certificate that is used to verify Keycloak's TLS certificate when communicating with it. Add the root certificate to the .spec.sso.keycloak.rootCA field of the Argo CD custom resource. The Operator reconciles the change and updates oidc.config in the argocd-cm config map with the PEM-encoded root certificate. GITOPS-2214
Example Argo CD with Keycloak configuration:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
spec:
  sso:
    keycloak:
      rootCA: '<PEM encoded root certificate>'
    provider: keycloak
.......
.......
Before this update, the application controllers restarted multiple times because liveness probes were unresponsive. This update fixes the issue by removing the liveness probe from the application controller StatefulSet. GITOPS-2153
Before this update, the Operator did not reconcile the mountsatoken and ServiceAccount settings for the repository server. This has been fixed; however, deleting the service account does not revert the setting to the default. GITOPS-1873
Workaround: Manually set the spec.repo.serviceaccount field to the default service account. GITOPS-2452
Red Hat OpenShift GitOps 1.6.2 is now available on OpenShift Container Platform 4.8, 4.9, 4.10 and 4.11.
The following issues have been resolved in the current release:
Before this update, the subscription health check was marked as degraded because of a missing InstallPlan when more than five Operators were installed in a project. This update fixes the issue. GITOPS-2018
Before this update, the Red Hat OpenShift GitOps Operator would spam the cluster with a deprecation notice warning whenever it detected that an Argo CD instance used deprecated fields. This update fixes this issue and shows only one warning event for each instance that detects a field. GITOPS-2230
From OpenShift Container Platform 4.12, it is optional to install the console. This fix updates the Red Hat OpenShift GitOps Operator to prevent errors with the Operator if the console is not installed. GITOPS-2352
Red Hat OpenShift GitOps 1.6.1 is now available on OpenShift Container Platform 4.8, 4.9, and 4.10.
The following issues have been resolved in the current release:
Before this update, in a large set of applications, the application controllers were restarted multiple times because liveness probes were unresponsive. This update fixes the issue by removing the liveness probe from the application controller StatefulSet object. GITOPS-2153
Before this update, the RHSSO certificate could not be validated when it was signed by a certificate authority other than the well-known ones. This update fixes the issue: you can now provide a custom certificate that is used to verify Keycloak's TLS certificate when communicating with it. Add the root certificate to the .spec.sso.keycloak.rootCA field of the Argo CD custom resource. The Operator reconciles this change and updates the oidc.config field in the argocd-cm ConfigMap with the PEM-encoded root certificate. GITOPS-2214
Restart the Argo CD server pod after updating the
For example:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: basic
spec:
  sso:
    provider: keycloak
    keycloak:
      rootCA: |
        ---- BEGIN CERTIFICATE ----
        This is a dummy certificate
        Please place this section with appropriate rootCA
        ---- END CERTIFICATE ----
  server:
    route:
      enabled: true
Before this update, a terminating namespace that was managed by Argo CD blocked the creation of roles and other configuration in other managed namespaces. This update fixes the issue. GITOPS-2277
Before this update, the Dex pods failed to start with CreateContainerConfigError when the anyuid SCC was assigned to the Dex ServiceAccount resource. This update fixes the issue by assigning a default user ID to the Dex container. GITOPS-2235
Red Hat OpenShift GitOps 1.6.0 is now available on OpenShift Container Platform 4.8, 4.9, and 4.10.
The current release adds the following improvements:
Previously, the Argo CD ApplicationSet controller was a Technology Preview (TP) feature. With this update, it is a General Availability (GA) feature. GITOPS-1958
With this update, the latest releases of Red Hat OpenShift GitOps are available in the latest and version-based channels. To get these upgrades, update the channel parameter in the Subscription object YAML file: change its value from stable to latest or to a version-based channel such as gitops-1.6. GITOPS-1791
With this update, the parameters of the .spec.sso field that controlled the Keycloak configuration are moved to .spec.sso.keycloak. The parameters of the .spec.dex field have been added to .spec.sso.dex. Start using .spec.sso.provider to enable or disable Dex. The .spec.dex parameters are deprecated and planned to be removed in version 1.9, along with DISABLE_DEX and the .spec.sso fields for Keycloak configuration. GITOPS-1983
With this update, the Argo CD Notifications controller is available as an optional workload that can be enabled or disabled by using the .spec.notifications.enabled parameter in the Argo CD custom resource. The Argo CD Notifications controller is available as a Technology Preview feature. GITOPS-1917
Argo CD Notifications controller is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process. For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
With this update, resource exclusions for Tekton pipeline runs and task runs are added by default, because Argo CD prunes these resources by default. The exclusions are added to new Argo CD instances that are created from OpenShift Container Platform; instances created from the CLI do not receive them. GITOPS-1876
With this update, you can select the tracking method that Argo CD uses by setting the resourceTrackingMethod parameter in the Operand's specification. GITOPS-1862
With this update, you can add entries to the argocd-cm ConfigMap by using the extraConfig field of the Red Hat OpenShift GitOps Argo CD custom resource. The entries are reconciled to the live argocd-cm ConfigMap without validation, so a mistyped key or a setting that weakens security, such as one that disables TLS verification, is applied exactly as written. GITOPS-1964
With this update, on OpenShift Container Platform 4.11, the Red Hat OpenShift GitOps Environments Details page in the Red Hat OpenShift GitOps developer perspective shows history of the successful deployments of the application environments, along with links to the revision for each deployment. GITOPS-1269
With this update, you can manage resources with Argo CD that are also being used as template resources or "source" by an Operator. GITOPS-982
With this update, the Operator will now configure the Argo CD workloads with the correct permissions to satisfy the Pod Security Admission that has been enabled for Kubernetes 1.24. GITOPS-2026
With this update, Config Management Plugins 2.0 is supported. You can use the Argo CD custom resource to specify sidecar containers for the repo server. GITOPS-776
With this update, all communication between the Argo CD components and the Redis cache is secured using modern TLS encryption. GITOPS-720
This release of Red Hat OpenShift GitOps adds support for IBM Z and IBM Power on OpenShift Container Platform 4.10. Currently, installations in restricted environments are not supported on IBM Z and IBM Power.
The following issues have been resolved in the current release:
Before this update, the system:serviceaccount:argocd:gitops-argocd-application-controller service account could not create the prometheusrules resource in the monitoring.coreos.com API group in the webapps-dev namespace. This update fixes the issue, and Red Hat OpenShift GitOps can now manage all resources in the monitoring.coreos.com API group. GITOPS-1638
Before this update, while reconciling cluster permissions, a secret that belonged to a cluster config instance was deleted. This update fixes the issue: the namespaces field is now removed from the secret instead of the secret being deleted. GITOPS-1777
Before this update, if you installed the HA variant of Argo CD through the Operator, the Operator created the Redis StatefulSet object with podAffinity rules instead of podAntiAffinity rules. This update fixes the issue, and the Operator now creates the Redis StatefulSet with podAntiAffinity rules. GITOPS-1645
Before this update, the Argo CD ApplicationSet controller accumulated too many zombie ssh processes. This update fixes the issue by adding tini, a minimal init process that spawns processes and reaps zombies, to the ApplicationSet controller. This ensures that a SIGTERM signal is properly passed to the running process, preventing it from becoming a zombie. GITOPS-2108
Red Hat OpenShift GitOps Operator can use RHSSO (Keycloak) through OIDC in addition to Dex. However, with a recent security fix applied, the RHSSO certificate cannot be validated in some scenarios. GITOPS-2214
As a workaround, disable TLS validation for the OIDC (Keycloak/RHSSO) endpoint in the ArgoCD specification. Note that this turns off verification of the Keycloak server certificate, so the Argo CD server can no longer detect an impersonated OIDC issuer; remove the setting as soon as you upgrade to a release in which the issue is fixed.
spec:
  extraConfig:
    oidc.tls.insecure.skip.verify: "true"
...
Red Hat OpenShift GitOps 1.5.7 is now available on OpenShift Container Platform 4.8, 4.9, 4.10 and 4.11.
The following issues have been resolved in the current release:
From OpenShift Container Platform 4.12, it is optional to install the console. This fix updates the Red Hat OpenShift GitOps Operator to prevent errors with the Operator if the console is not installed. GITOPS-2353
Red Hat OpenShift GitOps 1.5.6 is now available on OpenShift Container Platform 4.8, 4.9, and 4.10.
The following issues have been resolved in the current release:
Before this update, in a large set of applications, the application controllers were restarted multiple times because liveness probes were unresponsive. This update fixes the issue by removing the liveness probe from the application controller StatefulSet object. GITOPS-2153
Before this update, the RHSSO certificate could not be validated when it was signed by a certificate authority other than the well-known ones. This update fixes the issue: you can now provide a custom certificate that is used to verify Keycloak's TLS certificate when communicating with it. Add the root certificate to the .spec.sso.keycloak.rootCA field of the Argo CD custom resource. The Operator reconciles this change and updates the oidc.config field in the argocd-cm ConfigMap with the PEM-encoded root certificate. GITOPS-2214
Restart the Argo CD server pod after updating the
For example:
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: basic
spec:
  sso:
    provider: keycloak
    keycloak:
      rootCA: |
        ---- BEGIN CERTIFICATE ----
        This is a dummy certificate
        Please place this section with appropriate rootCA
        ---- END CERTIFICATE ----
  server:
    route:
      enabled: true
Before this update, a terminating namespace that was managed by Argo CD blocked the creation of roles and other configuration in other managed namespaces. This update fixes the issue. GITOPS-2277
Before this update, the Dex pods failed to start with CreateContainerConfigError when the anyuid SCC was assigned to the Dex ServiceAccount resource. This update fixes the issue by assigning a default user ID to the Dex container. GITOPS-2235
Red Hat OpenShift GitOps 1.5.5 is now available on OpenShift Container Platform 4.8, 4.9, and 4.10.
The current release adds the following improvements:
With this update, the bundled Argo CD has been updated to version 2.3.7.
The following issues have been resolved in the current release:
Before this update, the redis-ha-haproxy pods of an ArgoCD instance failed when more restrictive SCCs were present in the cluster. This update fixes the issue by updating the security context in the workloads. GITOPS-2034
Red Hat OpenShift GitOps Operator can use RHSSO (Keycloak) through OIDC in addition to Dex. However, with a recent security fix applied, the Operator cannot validate the RHSSO certificate in some scenarios. GITOPS-2214
As a workaround, disable TLS validation for the OIDC (Keycloak/RHSSO) endpoint in the ArgoCD specification. This turns off verification of the Keycloak server certificate; remove the setting as soon as you upgrade to a release in which the issue is fixed.
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
spec:
  extraConfig:
    oidc.tls.insecure.skip.verify: "true"
...
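The rootCA fix for GITOPS-2214 described in the 1.7.0, 1.6.1 and 1.5.6 notes above and the oidc.tls.insecure.skip.verify workaround shown for 1.6.0 and 1.5.5 are two ends of the same check. The following Go program is an added example and not Argo CD or Operator code: it shows what a value for spec.sso.keycloak.rootCA must satisfy before it is placed in the custom resource (the release-note placeholder text is rejected), and it performs the verification that a configured rootCA enables and that skip.verify disables, namely chaining the Keycloak server certificate to the supplied CA for the issuer host name. The CA and server certificates are generated in-process and are constructed for the example; the host name keycloak.example.com and all function names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// DummyRootCA is the placeholder text from the release-note example; it is not a certificate.
const DummyRootCA = "---- BEGIN CERTIFICATE ----\nThis is a dummy certificate\n---- END CERTIFICATE ----\n"

// parseCert decodes one PEM CERTIFICATE block into an X.509 certificate.
func parseCert(pemText string) (*x509.Certificate, error) {
	block, _ := pem.Decode([]byte(pemText))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("not a PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// ParseRootCA validates text destined for spec.sso.keycloak.rootCA: it must parse and be a CA.
func ParseRootCA(pemText string) (*x509.Certificate, error) {
	cert, err := parseCert(pemText)
	if err != nil {
		return nil, fmt.Errorf("rootCA: %w", err)
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return nil, fmt.Errorf("rootCA: certificate is not a CA")
	}
	return cert, nil
}

// VerifyIssuer is the check that rootCA enables and oidc.tls.insecure.skip.verify disables:
// the Keycloak server certificate must chain to the supplied CA and carry the issuer host name.
func VerifyIssuer(serverCertPEM, rootCAPEM, host string) error {
	root, err := ParseRootCA(rootCAPEM)
	if err != nil {
		return err
	}
	leaf, err := parseCert(serverCertPEM)
	if err != nil {
		return fmt.Errorf("server certificate: %w", err)
	}
	pool := x509.NewCertPool() // trust only the configured CA, not the system roots
	pool.AddCert(root)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// issue generates a P-256 key and signs tmpl with parent and signer (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, "", err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, "", err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), err
}

// NewCA builds a constructed, short-lived self-signed CA standing in for the Keycloak root CA.
func NewCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, string, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// NewServerCert issues a constructed Keycloak server certificate for host, signed by ca.
func NewServerCert(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (string, error) {
	_, _, pemText, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return pemText, err
}

func main() {
	ca, caKey, caPEM, err := NewCA("Example Keycloak Root CA")
	if err != nil {
		panic(err)
	}
	serverPEM, _ := NewServerCert("keycloak.example.com", ca, caKey)
	_, dummyErr := ParseRootCA(DummyRootCA)
	fmt.Println("placeholder rootCA accepted:", dummyErr == nil) // false
	fmt.Println("server certificate verified with rootCA:", VerifyIssuer(serverPEM, caPEM, "keycloak.example.com") == nil) // true
}
```

Run ParseRootCA over the value you are about to put in the custom resource as a pre-commit check; it catches the dummy block from the documentation example as well as a leaf certificate pasted where the CA belongs. VerifyIssuer fails for a server certificate issued by a different CA or presented under a different host name, which is exactly the protection that the skip.verify workaround removes.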
Red Hat OpenShift GitOps 1.5.4 is now available on OpenShift Container Platform 4.8, 4.9, and 4.10.
The following issues have been resolved in the current release:
Before this update, Red Hat OpenShift GitOps was using an older version of the Redis 5 image tag. This update fixes the issue and upgrades the rhel8/redis-5 image tag. GITOPS-2037
Red Hat OpenShift GitOps 1.5.3 is now available on OpenShift Container Platform 4.8, 4.9, and 4.10.
The following issues have been resolved in the current release:
Before this update, all unpatched versions of Argo CD v1.0.0 and later were vulnerable to a cross-site scripting bug. As a result, an unauthorized user would be able to inject a javascript link in the UI. This issue is now fixed. CVE-2022-31035
Before this update, all versions of Argo CD v0.11.0 and later were vulnerable to multiple attacks when SSO login was initiated from the Argo CD CLI or the UI. This issue is now fixed. CVE-2022-31034
Before this update, all unpatched versions of Argo CD v0.7 and later were vulnerable to a memory consumption bug. As a result, an unauthorized user would be able to crash the Argo CD’s repo-server. This issue is now fixed. CVE-2022-31016
Before this update, all unpatched versions of Argo CD v1.3.0 and later were vulnerable to a symlink-following bug. As a result, an unauthorized user with repository write access would be able to leak sensitive YAML files from Argo CD’s repo-server. This issue is now fixed. CVE-2022-31036
Red Hat OpenShift GitOps 1.5.2 is now available on OpenShift Container Platform 4.8, 4.9, and 4.10.
The following issues have been resolved in the current release:
Before this update, images referenced by the redhat-operator-index were missing. This issue is now fixed. GITOPS-2036