Red Hat OpenShift GitOps release notes

Before this update, there was a mismatch in the RSA key for known hosts in the argocd-ssh-known-hosts-cm config map. This update fixes the issue by matching the RSA key with the upstream project. Now, you can use the default RSA keys on default deployments. GITOPS-3248

With this update, the bundled Argo CD has been updated to version 2.6.13.

Before this update, Argo CD was becoming unresponsive when there was an increase in namespaces and applications. The functions competing for resources caused a deadlock. This update fixes the issue by removing the deadlock. Now, you should not experience crashes or unresponsiveness when there is an increase in namespaces or applications. GITOPS-3192

Before this update, the Argo CD application controller resource could suddenly stop working when resynchronizing applications. This update fixes the issue by adding logic to prevent a cluster cache deadlock. Now, applications should resynchronize successfully. GITOPS-3052

Before this update, there was a mismatch in the RSA key for known hosts in the argocd-ssh-known-hosts-cm config map. This update fixes the issue by matching the RSA key with the upstream project. Now, you can use the default RSA keys on default deployments. GITOPS-3144

Before this update, an old Redis image version was used when deploying the Red Hat OpenShift GitOps Operator, which resulted in vulnerabilities. This update fixes the vulnerabilities on Redis by upgrading it to the latest version of the registry.redhat.io/rhel-8/redis-6 image. GITOPS-3069

Before this update, users could not connect to Microsoft Team Foundation Server (TFS) type Git repositories through Argo CD deployed by the Operator. This update fixes the issue by updating the Git version to 2.39.3 in the Operator. Now, you can set the Force HTTP basic auth flag during repository configurations to connect with the TFS type Git repositories. GITOPS-1315

Currently, Red Hat OpenShift GitOps 1.8.4 is not available in the latest channel of OpenShift Container Platform 4.10 and 4.11. The latest channel is taken by GitOps 1.9.z, which is only released on OpenShift Container Platform 4.12 and later versions.

Before this update, when Autoscale was enabled and the horizontal pod autoscaler (HPA) controller tried to edit the replica settings in server deployment, the Operator overwrote it. In addition, any changes specified to the autoscaler parameters were not propagated correctly to the HPA on the cluster. This update fixes the issue. Now the Operator reconciles on replica drift only if Autoscale is disabled and the HPA parameters are updated correctly. GITOPS-2629

Before this update, when you configured Dex using the .spec.dex parameter and tried to log in to the Argo CD UI by using the LOG IN VIA OPENSHIFT option, you were not able to log in. This update fixes the issue.

Before this update, the cluster and kam CLI pods failed to start with a new installation of Red Hat OpenShift GitOps v1.8.0 on the OpenShift Container Platform 4.10 cluster. This update fixes the issue and now all pods run as expected. GITOPS-2762

With this update, you can add support for the ApplicationSet Progressive Rollout Strategy feature. Using this feature, you can enhance the ArgoCD ApplicationSet resource to embed a rollout strategy for a progressive application resource update after you modify the ApplicationSet spec or Application templates. When you enable this feature, applications are updated in a declarative order instead of simultaneously. GITOPS-956

With this update, the Application environments page in the Developer perspective of the OpenShift Container Platform web console is decoupled from the Red Hat OpenShift GitOps Application Manager command-line interface (CLI), kam. You do not have to use the kam CLI to generate Application Environment manifests for the environments to show up in the Developer perspective of the OpenShift Container Platform web console. You can use your own manifests, but the environments must still be represented by namespaces. In addition, specific labels and annotations are still needed. GITOPS-1785

With this update, the Red Hat OpenShift GitOps Operator and the kam CLI are now available to use on ARM architecture on OpenShift Container Platform. GITOPS-1688

With this update, you can enable workload monitoring for specific Argo CD instances by setting the .spec.monitoring.enabled flag value to true. As a result, the Operator creates a PrometheusRule object that contains alert rules for each Argo CD component. These alert rules trigger an alert when the replica count of the corresponding component has drifted from the desired state for a certain amount of time. The Operator will not overwrite the changes made to the PrometheusRule object by the users. GITOPS-2459

With this update, you can pass command arguments to the repo server deployment using the Argo CD CR. GITOPS-2445

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
spec:
  repo:
    extraRepoCommandArgs:
      - --max.combined.directory.manifests.size
      - 10M

Before this update, you could set the ARGOCD_GIT_MODULES_ENABLED environment variable only on the openshift-gitops-repo-server pod and not on the ApplicationSet Controller pod. As a result, when using the Git generator, Git submodules were cloned during the generation of child applications because the variable was missing from the ApplicationSet Controller environment. In addition, if the credentials required to clone these submodules were not configured in ArgoCD, the application generation failed. This update fixes the issue; you can now add any environment variables such as ArgoCD_GIT_MODULES_ENABLED to the ApplicationSet Controller pod using the Argo CD CR. The ApplicationSet Controller pod then successfully generates child applications from the cloned repository and no submodule is cloned in the process. GITOPS-2399

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: basic
spec:
  applicationSet:
    env:
     - name: ARGOCD_GIT_MODULES_ENABLED
       value: "true"

Before this update, while installing the Red Hat OpenShift GitOps Operator v1.7.0, the default argocd-cm.yml config map file created for authenticating Dex contained the base64-encoded client secret in the format of a key:value pair. This update fixes this issue by not storing the client secret in the default argocd-cm.yml config map file. Instead, the client secret is inside an argocd-secret object now, and you can reference it inside the configuration map as a secret name. GITOPS-2570

When you deploy applications using your manifests without using the kam CLI and view the applications in the Application environments page in the Developer perspective of the OpenShift Container Platform web console, the Argo CD URL to the corresponding application does not load the page as expected from the Argo CD icon in the card. GITOPS-2736

With this update, you can add environment variables to the Notifications controller. GITOPS-2313

With this update, the default nodeSelector "kubernetes.io/os": "linux" key-value pair is added to all workloads such that they only schedule on Linux nodes. In addition, any custom node selectors are added to the default and take precedence if they have the same key. GITOPS-2215

With this update, you can set custom node selectors in the Operator workloads by editing their GitopsService custom resource. GITOPS-2164

With this update, you can use the RBAC policy matcher mode to select from the following options: glob (default) and regex.GITOPS-1975

With this update, you can customize resource behavior using the following additional subkeys:

With this update, to use the Environments page in the Developer perspective, you must upgrade if you are using a Red Hat OpenShift GitOps version prior to 1.7 and OpenShift Container Platform 4.15 or above. GITOPS-2415

With this update, you can create applications, which are managed by the same control plane Argo CD instance, in any namespace in the same cluster. As an administrator, perform the following actions to enable this update:

With this update, Argo CD supports the Server-Side Apply feature, which helps users to perform the following tasks:

Before this update, Red Hat OpenShift GitOps releases were affected by an issue of Dex pods failing with CreateContainerConfigError error when the anyuid SCC was assigned to the Dex service account. This update fixes the issue by assigning a default user id to the Dex container. GITOPS-2235

Before this update, Red Hat OpenShift GitOps used the RHSSO (Keycloak) through OIDC in addition to Dex. However, with a recent security fix, the certificate of RHSSO could not be validated when configured with a certificate not signed by one of the well-known certificate authorities. This update fixes the issue; you can now provide a custom certificate to verify the KeyCloak’s TLS certificate while communicating with it. In addition, you can add rootCA to the Argo CD custom resource .spec.keycloak.rootCA field. The Operator reconciles such changes and updates the oidc.config in argocd-cm config map with the PEM encoded root certificate. GITOPS-2214

Before this update, the application controllers restarted multiple times due to the unresponsiveness of liveness probes. This update fixes the issue by removing the liveness probe in the statefulset application controller. GITOPS-2153

Before this update, the Operator did not reconcile the mountsatoken and ServiceAccount settings for the repository server. While this has been fixed, deletion of the service account does not revert to the default. GITOPS-1873

Workaround: Manually set the spec.repo.serviceaccountfield to thedefault service account. GITOPS-2452

Before this update, all versions of the Argo CD Operator, starting with v0.5.0 were vulnerable to an information disclosure flaw. As a result, unauthorized users could enumerate application names by inspecting API error messages and use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges. This update fixes the CVE-2022-41354 error. GITOPS-2635, CVE-2022-41354

Before this update, all versions of the Argo CD Operator, starting with v0.5.0 were vulnerable to an information disclosure flaw. As a result, unauthorized users could enumerate application names by inspecting API error messages and use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges. This update fixes the CVE-2022-41354 error. GITOPS-2635, CVE-2022-41354

Before this update, all versions of Argo CD v1.8.2 and later were vulnerable to an improper authorization bug. As a result, Argo CD would accept tokens for audiences who might not be intended to access the cluster. This issue is now fixed. CVE-2023-22482

This release removes the DISABLE_DEX environment variable from the openshift-gitops-operator CSV file. As a result, this environment variable is no longer set when you perform a fresh installation of Red Hat OpenShift GitOps. GITOPS-2360

Before this update, the subscription health check was marked degraded for missing InstallPlan when more than 5 Operators were installed in a project. This update fixes the issue. GITOPS-2018

Before this update, the Red Hat OpenShift GitOps Operator would spam the cluster with a deprecation notice warning whenever it detected that an Argo CD instance used deprecated fields. This update fixes this issue and shows only one warning event for each instance that detects a field. GITOPS-2230

From OpenShift Container Platform 4.12, it is optional to install the console. This fix updates the Red Hat OpenShift GitOps Operator to prevent errors with the Operator if the console is not installed. GITOPS-2352

Before this update, in a large set of applications the application controllers were restarted multiple times due to the unresponsiveness of liveness probes. This update fixes the issue by removing the liveness probe in the application controller StatefulSet object. GITOPS-2153

Before this update, the RHSSO certificate cannot be validated when it is set up with a certificate which is not signed by certificate authorities. This update fixes the issue and now you can provide a custom certificate which will be used in verifying the Keycloak’s TLS certificate when communicating with it. You can add the rootCA to the Argo CD custom resource .spec.keycloak.rootCA field. The Operator reconciles this change and updates the oidc.config field in the argocd-cm ConfigMap with the PEM-encoded root certificate. GITOPS-2214

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: basic
spec:
  sso:
    provider: keycloak
    keycloak:
     rootCA: |
       ---- BEGIN CERTIFICATE ----
       This is a dummy certificate
       Please place this section with appropriate rootCA
       ---- END CERTIFICATE ----
  server:
    route:
      enabled: true

Before this update, a terminating namespace that was managed by Argo CD would block the creation of roles and other configuration of other managed namespaces. This update fixes this issue. GITOPS-2277

Before this update, the Dex pods failed to start with CreateContainerConfigError when an SCC of anyuid was assigned to the Dex ServiceAccount resource. This update fixes this issue by assigning a default user id to the Dex container. GITOPS-2235

Previously, the Argo CD ApplicationSet controller was a technology preview (TP) feature. With this update, it is a general availability (GA) feature. GITOPS-1958

With this update, the latest releases of the Red Hat OpenShift GitOps are available in latest and version-based channels. To get these upgrades, update the channel parameter in the Subscription object YAML file: change its value from stable to latest or a version-based channel such as gitops-1.6. GITOPS-1791

With this update, the parameters of the spec.sso field that controlled the keycloak configurations are moved to .spec.sso.keycloak. The parameters of the .spec.dex field have been added to .spec.sso.dex. Start using .spec.sso.provider to enable or disable Dex. The .spec.dex parameters are deprecated and planned to be removed in version 1.9, along with the DISABLE_DEX and .spec.sso fields for keycloak configuration. GITOPS-1983

With this update, the Argo CD Notifications controller is available as an optional workload that can be enabled or disabled by using the .spec.notifications.enabled parameter in the Argo CD custom resource. The Argo CD Notifications controller is available as a Technical Preview feature. GITOPS-1917

With this update, resource exclusions for Tekton pipeline runs and tasks runs are added by default. Argo CD, prunes these resources by default. These resource exclusions are added to the new Argo CD instances that are created from the OpenShift Container Platform. If the instances are created from the CLI, the resources are not added. GITOPS-1876

With this update, you can select the tracking method that by Argo CD uses by setting the resourceTrackingMethod parameter in the Operand’s specification. GITOPS-1862

With this update, you can add entries to the argocd-cm configMap using the extraConfig field of Red Hat OpenShift GitOps Argo CD custom resource. The entries specified are reconciled to the live config-cm configMap without validations. GITOPS-1964

With this update, on OpenShift Container Platform 4.11, the Red Hat OpenShift GitOps Environments page in the Developer perspective shows history of the successful deployments of the application environments, along with links to the revision for each deployment. GITOPS-1269

With this update, you can manage resources with Argo CD that are also being used as template resources or "source" by an Operator. GITOPS-982

With this update, the Operator will now configure the Argo CD workloads with the correct permissions to satisfy the Pod Security Admission that has been enabled for Kubernetes 1.24. GITOPS-2026

With this update, Config Management Plugins 2.0 is supported. You can use the Argo CD custom resource to specify sidebar containers for the repo server. GITOPS-776

With this update, all communication between the Argo CD components and the Redis cache are properly secured using modern TLS encryption. GITOPS-720

This release of Red Hat OpenShift GitOps adds support for IBM Z and IBM Power on OpenShift Container Platform 4.10. Currently, installations in restricted environments are not supported on IBM Z and IBM Power.

Before this update, the system:serviceaccount:argocd:gitops-argocd-application-controller cannot create resource "prometheusrules" in API group monitoring.coreos.com in the namespace webapps-dev. This update fixes this issue and Red Hat OpenShift GitOps is now able to manage all resources from the monitoring.coreos.com API group. GITOPS-1638

Before this update, while reconciling cluster permissions, if a secret belonged to a cluster config instance it was deleted. This update fixes this issue. Now, the namespaces field from the secret is deleted instead of the secret. GITOPS-1777

Before this update, if you installed the HA variant of Argo CD through the Operator, the Operator created the Redis StatefulSet object with podAffinity rules instead of podAntiAffinity rules. This update fixes this issue and now the Operator creates the Redis StatefulSet with podAntiAffinity rules. GITOPS-1645

Before this update, Argo CD ApplicationSet had too many ssh Zombie processes. This update fixes this issue: it adds tini, a simple init daemon that spawns processes and reaps zombies, to the ApplicationSet controller. This ensures that a SIGTERM signal is properly passed to the running process, preventing it from being a zombie process. GITOPS-2108

Red Hat OpenShift GitOps Operator can make use of RHSSO (KeyCloak) through OIDC in addition to Dex. However, with a recent security fix applied, the certificate of RHSSO cannot be validated in some scenarios. GITOPS-2214

Before this update, all versions of Argo CD v1.8.2 and later were vulnerable to an improper authorization bug. As a result, Argo CD would accept tokens for users who might not be authorized to access the cluster. This issue is now fixed. CVE-2023-22482

From Red Hat OpenShift GitOps 4.12, it is optional to install the console. This fix updates the Red Hat OpenShift GitOps Operator to prevent errors with the Operator if the console is not installed. GITOPS-2353

Before this update, in a large set of applications the application controllers were restarted multiple times due to the unresponsiveness of liveness probes. This update fixes the issue by removing the liveness probe in the application controller StatefulSet object. GITOPS-2153

Before this update, the RHSSO certificate cannot be validated when it is set up with a certificate which is not signed by certificate authorities. This update fixes the issue and now you can provide a custom certificate which will be used in verifying the Keycloak’s TLS certificate when communicating with it. You can add the rootCA to the Argo CD custom resource .spec.keycloak.rootCA field. The Operator reconciles this change and updates the oidc.config field in the argocd-cm ConfigMap with the PEM-encoded root certificate. GITOPS-2214

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
  labels:
    example: basic
spec:
  sso:
    provider: keycloak
    keycloak:
     rootCA: |
       ---- BEGIN CERTIFICATE ----
       This is a dummy certificate
       Please place this section with appropriate rootCA
       ---- END CERTIFICATE ----
  server:
    route:
      enabled: true

Before this update, a terminating namespace that was managed by Argo CD would block the creation of roles and other configuration of other managed namespaces. This update fixes this issue. GITOPS-2278

Before this update, the Dex pods failed to start with CreateContainerConfigError when an SCC of anyuid was assigned to the Dex ServiceAccount resource. This update fixes this issue by assigning a default user id to the Dex container. GITOPS-2235

With this update, the bundled Argo CD has been updated to version 2.3.7.

Before this update, the redis-ha-haproxy pods of an ArgoCD instance failed when more restrictive SCCs were present in the cluster. This update fixes the issue by updating the security context in workloads. GITOPS-2034

Red Hat OpenShift GitOps Operator can use RHSSO (KeyCloak) with OIDC and Dex. However, with a recent security fix applied, the Operator cannot validate the RHSSO certificate in some scenarios. GITOPS-2214

apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: example-argocd
spec:
  extraConfig:
    "admin.enabled": "true"
...

Before this update, the Red Hat OpenShift GitOps was using an older version of the REDIS 5 image tag. This update fixes the issue and upgrades the rhel8/redis-5 image tag. GITOPS-2037

Before this update, all unpatched versions of Argo CD v1.0.0 and later were vulnerable to a cross-site scripting bug. As a result, an unauthorized user would be able to inject a javascript link in the UI. This issue is now fixed. CVE-2022-31035

Before this update, all versions of Argo CD v0.11.0 and later were vulnerable to multiple attacks when SSO login was initiated from the Argo CD CLI or the UI. This issue is now fixed. CVE-2022-31034

Before this update, all unpatched versions of Argo CD v0.7 and later were vulnerable to a memory consumption bug. As a result, an unauthorized user would be able to crash the Argo CD’s repo-server. This issue is now fixed. CVE-2022-31016

Before this update, all unpatched versions of Argo CD v1.3.0 and later were vulnerable to a symlink-following bug. As a result, an unauthorized user with repository write access would be able to leak sensitive YAML files from Argo CD’s repo-server. This issue is now fixed. CVE-2022-31036

Before this update, images referenced by the redhat-operator-index were missing. This issue is now fixed. GITOPS-2036

Before this update, if Argo CD’s anonymous access was enabled, an unauthenticated user was able to craft a JWT token and get full access to the Argo CD instance. This issue is fixed now. CVE-2022-29165

Before this update, an unauthenticated user was able to display error messages on the login screen while SSO was enabled. This issue is now fixed. CVE-2022-24905

Before this update, all unpatched versions of Argo CD v0.7.0 and later were vulnerable to a symlink-following bug. As a result, an unauthorized user with repository write access would be able to leak sensitive files from Argo CD’s repo-server. This issue is now fixed. CVE-2022-24904

This enhancement upgrades Argo CD to version 2.3.3. GITOPS-1708

This enhancement upgrades Dex to version 2.30.3. GITOPS-1850

This enhancement upgrades Helm to version 3.8.0. GITOPS-1709

This enhancement upgrades Kustomize to version 4.4.1. GITOPS-1710

This enhancement upgrades Application Set to version 0.4.1.

With this update, a new channel by the name latest has been added that provides the latest release of the Red Hat OpenShift GitOps. For GitOps v1.5.0, the Operator is pushed to gitops-1.5, latest channel, and the existing stable channel. From GitOps v1.6 all the latest releases will be pushed only to the latest channel and not the stable channel. GITOPS-1791

With this update, the new CSV adds the olm.skipRange: '>=1.0.0 <1.5.0' annotation. As a result, all the previous release versions will be skipped. The Operator upgrades to v1.5.0 directly. GITOPS-1787

With this update, the Operator updates the Red Hat Single Sign-On (RH-SSO) to version v7.5.1 including the following enhancements:

With this update, a new .host URL field is added to the .status field of the Argo CD operand. When a route or ingress is enabled with the priority given to route, then the new URL field displays the route. If no URL is provided from the route or ingress, the .host field is not displayed.

Before this update, RBAC rules specific to AppProjects would not allow the use of commas for the subject field of the role, thus preventing bindings to the LDAP account. This update fixes the issue and you can now specify complex role bindings in AppProject specific RBAC rules. GITOPS-1771

Before this update, when a DeploymentConfig resource is scaled to 0, Argo CD displayed it in a progressing state with a health status message as "replication controller is waiting for pods to run". This update fixes the edge case and the health check now reports the correct health status of the DeploymentConfig resource. GITOPS-1738

Before this update, the TLS certificate in the argocd-tls-certs-cm configuration map was deleted by the Red Hat OpenShift GitOps unless the certificate was configured in the ArgoCD CR specification tls.initialCerts field. This issue is fixed now. GITOPS-1725

Before this update, while creating a namespace with the managed-by label it created a lot of RoleBinding resources on the new namespace. This update fixes the issue and now Red Hat OpenShift GitOps removes the irrelevant Role and RoleBinding resources created by the previous versions. GITOPS-1550

Before this update, the TLS certificate of the route in pass-through mode did not have a CA name. As a result, Firefox 94 and later failed to connect to Argo CD UI with error code SEC_ERROR_BAD_DER. This update fixes the issue. You must delete the <openshift-gitops-ca> secrets and let it recreate. Then, you must delete the <openshift-gitops-tls> secrets. After the Red Hat OpenShift GitOps recreates it, the Argo CD UI is accessible by Firefox again. GITOPS-1548

Argo CD .status.host field is not updated when an Ingress resource is in use instead of a Route resource on OpenShift clusters. GITOPS-1920